incubator-couchdb-user mailing list archives

From Nestor Urquiza <nestor.urqu...@gmail.com>
Subject Re: Disable default unsecure plain HTTP 5984
Date Wed, 12 Dec 2012 01:02:43 GMT
Adam,

Thank you very much. Too much bash recently so I completely missed the
fact I was using the wrong comment syntax.

Cheers,
-Nestor

On Tue, Dec 11, 2012 at 3:04 PM, Adam Kocoloski <kocolosk@apache.org> wrote:
> I think that may be the wrong syntax for .ini file comments.  Can you try a leading ";" instead?
>
> Adam
>
> On Dec 11, 2012, at 3:02 PM, Nestor Urquiza <nestor.urquiza@gmail.com> wrote:
>
>> This is an old thread but the issue is back in version 1.2.0
>>
>> Commenting out the suggested line from default.ini ...
>> [daemons]
>> #httpd={couch_httpd, start_link, []}
>>
>> ... does not stop couchdb from listening in the unsecure plain HTTP 5984:
>> dev@udesktop2:~$ sudo /etc/init.d/couchdb restart
>> * Restarting database server couchdb                [ OK ]
>> dev@udesktop2:~$ curl -X GET http://localhost:5984
>> {"couchdb":"Welcome","version":"1.2.0"}
>> dev@udesktop2:~$ curl -k -X GET https://localhost:6984
>> {"couchdb":"Welcome","version":"1.2.0"}
>> dev@udesktop2:~$
>>
>> Any ideas other than using iptables?
>>
>> On Fri, Oct 21, 2011 at 11:59 AM, Jan Lehnardt <jan@apache.org> wrote:
>>>
>>> On Oct 21, 2011, at 15:21 , Dave Cottlehuber wrote:
>>>
>>>> On 21 October 2011 15:16, Nestor Urquiza <nestor.urquiza@gmail.com> wrote:
>>>>> That was it: I did the change in default.ini and that did the trick.
>>>>> Thanks!
>>>>> -Nestor
>>>>>
>>>>> On Fri, Oct 21, 2011 at 8:53 AM, Benoit Chesneau <bchesneau@gmail.com> wrote:
>>>>>> On Fri, Oct 21, 2011 at 2:37 PM, Nestor Urquiza
>>>>>> <nestor.urquiza@gmail.com> wrote:
>>>>>>> Thanks for the fast responses.
>>>>>>>
>>>>>>> Here is what I have in daemons section:
>>>>>>> [daemons]
>>>>>>> ; enable SSL support by uncommenting the following line and supply the PEM's below.
>>>>>>> ; the default ssl port CouchDB listens on is 6984
>>>>>>> httpsd = {couch_httpd, start_link, [https]}
>>>>>>>
>>>>>>> Still I get the below:
>>>>>>> $ ./utils/run
>>>>>>> Apache CouchDB 1.1.1a1186848 (LogLevel=info) is starting.
>>>>>>> [info] [<0.97.0>] Attempting to start replication
>>>>>>> `d30383157f3a29c1356051d04c7a5ed8+continuous+create_target` (document
>>>>>>> `by_clientId`).
>>>>>>> Apache CouchDB has started. Time to relax.
>>>>>>> [info] [<0.31.0>] Apache CouchDB has started on http://127.0.0.1:5984/
>>>>>>> [info] [<0.31.0>] Apache CouchDB has started on https://127.0.0.1:6984/
>>>>>>>
>>>>>>> Not sure what I am missing.
>>>>>>> Best,
>>>>>>> -Nestor
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Oct 21, 2011 at 7:32 AM, Robert Newson <rnewson@apache.org> wrote:
>>>>>>>> Fairly sure you can do as Benoit suggests. It was certainly my
>>>>>>>> intention to allow one or other or both, and that was the case when I
>>>>>>>> did the original work.
>>>>>>>>
>>>>>>>> B.
>>>>>>>>
>>>>>>>> On 21 October 2011 12:24, Benoit Chesneau <bchesneau@gmail.com> wrote:
>>>>>>>>> On Fri, Oct 21, 2011 at 12:56 PM, Nils Breunese <N.Breunese@vpro.nl> wrote:
>>>>>>>>>> Nestor Urquiza wrote:
>>>>>>>>>>
>>>>>>>>>>> Is it possible to leave just SSL (6984) listening? I have enabled SSL
>>>>>>>>>>> but requests are still accepted via plain HTTP 5984.
>>>>>>>>>>
>>>>>>>>>> I don't know if CouchDB has a configuration setting that lets you disable HTTP, but I guess you could use a firewall to block access to the HTTP port?
>>>>>>>>>>
>>>>>>>>>> Nils.
>>>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>>> VPRO   www.vpro.nl
>>>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>> You can probably comment the httpd line in [daemons] and only use the https one.
>>>>>>>>>
>>>>>>>>> - benoit
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> did you comment the line in default.ini?
>>>>>>
>>>>>> - benoit
>>>>>>
>>>>>
>>>>
>>>> Is there a sensible way to do this in local.ini to avoid advising
>>>> users to fiddle with default.ini, which gets over-written each
>>>> release?
>>>
>>> Good catch, currently not.
>>>
>>> Cheers
>>> Jan
>>> --
>>>
>
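
Added example (not part of the original messages and not CouchDB code): a Python check for the mistake this thread turns on, a [daemons] line "commented out" with `#` instead of `;`. It assumes, as the thread concludes, that only a leading `;` makes a comment, and further assumes a `#`-prefixed line stays a live setting whose value still starts the listener; the function names and sample text are constructed for illustration.

```python
import re

# Constructed sample mirroring the [daemons] snippets quoted in the thread.
SAMPLE_INI = """\
[daemons]
#httpd={couch_httpd, start_link, []}
; enable SSL support by uncommenting the following line
httpsd = {couch_httpd, start_link, [https]}
"""

def audit_daemons(ini_text):
    """Return (active, suspicious) for the [daemons] section.

    active: {key: value} for lines that are still live settings.
    suspicious: line numbers whose key starts with '#', i.e. lines someone
    meant to disable but that are not ';' comments (assumed parser behaviour).
    """
    section, active, suspicious = None, {}, []
    for lineno, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or a real .ini comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
            continue
        if section != "daemons" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        active[key] = value
        if key.startswith("#"):
            suspicious.append(lineno)
    return active, suspicious

def plain_http_enabled(ini_text):
    """True if any live [daemons] entry starts couch_httpd without [https]."""
    active, _ = audit_daemons(ini_text)
    return any("couch_httpd" in v and "https" not in v for v in active.values())

if __name__ == "__main__":
    active, suspicious = audit_daemons(SAMPLE_INI)
    print("live daemons entries:", active)
    print("'#' lines that are not comments:", suspicious)
    print("plain HTTP listener configured:", plain_http_enabled(SAMPLE_INI))
```

A config check like this complements, rather than replaces, confirming after a restart that nothing answers on port 5984, as the `curl` commands in the thread do.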
