incubator-couchdb-user mailing list archives

From Stephan Wissel <step...@wissel.net>
Subject CouchDB behind Apache HTTP including authentication
Date Fri, 04 Jan 2013 02:58:09 GMT
We figured out how to use a successful login into Apache HTTP to
authenticate against CouchDB. Here is what we did:

In the couch configuration (local.ini) we activated the
proxy_authentification_handler (don't stumble over the non-English
spelling):

[httpd]
port = 5984
bind_address = 127.0.0.1
authentication_handlers = {couch_httpd_auth, proxy_authentification_handler}, {couch_httpd_auth, default_authentication_handler}


In the Apache configuration we use a redirect to connect to CouchDB (the
Apache also serves static content):

    # Redirection for CouchDB
    ProxyPass /mycouchapp http://localhost:5984 nocanon
    ProxyPassReverse /mycouchapp http://localhost:5984

    # Role mapping for couch
    RewriteMap role-map dbm:/var/couchdb/rolemapping.map

    <Location /mycouchapp>
        # This example uses basic, but any Apache supported Auth should do
        AuthType Basic
        AuthName mycouchapp
        AuthUserFile /var/www/passwd/users
        AuthGroupFile /var/www/passwd/groups

        #Here we enforce authentication
        Order allow,deny
        Allow from all
        Require valid-user
        # Request headers for CouchDB from authenticated user
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=CUSER:%1]
        #Never figured why I need the condition again ;-)
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        # Role lookup in the map file - needs to be maintained somehow
        RewriteRule . - [E=CROLE:${role-map:%1|guest}] env=CUSER
        RequestHeader set X-Auth-CouchDB-UserName "%{CUSER}e" env=CUSER
        RequestHeader set X-Auth-CouchDB-Roles "%{CROLE}e" env=CROLE
    </Location>

In the Apache defaults we also made sure that the Couch headers were purged
from requests, so users can't spoof them:

    # Removal of eventually spoofed request headers
    RequestHeader unset X-Auth-CouchDB-UserName
    RequestHeader unset X-Auth-CouchDB-Roles
    RequestHeader unset X-Auth-CouchDB-Token

It might help someone struggling with that.



Phone: +65 96673269
Blog <http://www.wissel.net/blog> Twitter <http://twitter.com/notessensei>
Google+ <https://plus.google.com/114116118906495091782/about>
Facebook <http://www.facebook.com/stephan.wissel>
LinkedIn <http://sg.linkedin.com/in/notessensei>
Xing <https://www.xing.com/profile/StephanH_Wissel>
Sametime <http://www.wissel.net/blog/d6plinks/SHWL-84KE8U> Skype

P.S. If someone adds me to the contributors group I can update the
respective Wiki page
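
Added example, not part of the original message and not CouchDB or Apache code: a Python model of the header handling the configuration above performs (client-supplied X-Auth-CouchDB-* headers dropped, then set from the authenticated user and the role map with "guest" as default), extended with the X-Auth-CouchDB-Token check CouchDB applies when proxy_use_secret = true in [couch_httpd_auth], where the token is the hex HMAC-SHA1 of the user name keyed with that section's secret. The role map, the secret and the function names are constructed for illustration.

```python
import hashlib
import hmac

PREFIX = "x-auth-couchdb-"
ROLE_MAP = {"alice": "editor,reader"}   # constructed stand-in for rolemapping.map
SECRET = "constructed-example-secret"   # constructed; the real value lives in local.ini


def couch_token(secret, username):
    """Hex HMAC-SHA1 of the user name, keyed with the shared secret."""
    return hmac.new(secret.encode(), username.encode(), hashlib.sha1).hexdigest()


def forwarded_headers(client_headers, remote_user, role_map, secret=None):
    """Headers the proxy passes on: spoofable ones removed, trusted ones set."""
    # Header names are case-insensitive, so compare in lower case.
    out = {k: v for k, v in client_headers.items()
           if not k.lower().startswith(PREFIX)}
    if remote_user:  # set only after the front end has authenticated the user
        out["X-Auth-CouchDB-UserName"] = remote_user
        out["X-Auth-CouchDB-Roles"] = role_map.get(remote_user, "guest")
        if secret is not None:
            out["X-Auth-CouchDB-Token"] = couch_token(secret, remote_user)
    return out


def backend_accepts(headers, secret):
    """Model of the backend decision with the token check enabled.

    Returns the user context, or None when the user name is missing or the
    token does not match the HMAC of that user name.
    """
    h = {k.lower(): v for k, v in headers.items()}
    user = h.get(PREFIX + "username")
    if not user:
        return None
    expected = couch_token(secret, user).encode()
    if not hmac.compare_digest(h.get(PREFIX + "token", "").encode(), expected):
        return None
    roles = [r for r in h.get(PREFIX + "roles", "").split(",") if r]
    return {"name": user, "roles": roles}


if __name__ == "__main__":
    # Constructed request: the client tries to supply its own identity headers.
    spoofed = {"x-auth-couchdb-username": "admin", "X-Auth-CouchDB-Roles": "_admin"}
    print(forwarded_headers(spoofed, "alice", ROLE_MAP, SECRET))
    print(backend_accepts(spoofed, SECRET))  # None: no valid token
```

Without the token check, anything that can reach port 5984 directly is trusted on the header values alone, which is why the bind_address = 127.0.0.1 line in the configuration above matters.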
