couchdb-dev mailing list archives

From Joan Touzet <woh...@apache.org>
Subject Re: CouchDB Admin Local Port over https
Date Wed, 21 Nov 2018 00:23:22 GMT
Hi there Michael,

You're right: out of the box there is no way to make port 5986 SSL-native
at this time, sorry. If you need secure off-box access to it, we recommend
a reverse proxy, running on the same machine, that does the SSL termination
for you. This could be stunnel, haproxy, nginx, etc.

If you are interested in submitting your patch for inclusion in a future
CouchDB release, we'd love a pull request at:

  https://github.com/apache/couchdb/pulls

so we can review the quality of the code and improve it before it lands.
(Your hack below is not quite up to code review levels yet.)

Note that configuration for the SSL (6984) port has CHANGED with 2.3.0,
see my recent email to the user@ and dev@ mailing lists on this topic.


HOWEVER:

We strongly recommend binding port 5986 only to localhost.

NEVER expose the node-local port (5986) on a public Internet-facing
interface.

IF you have a secondary private network to which it can be bound,
separate from your public interface, you can consider binding it to
that interface.

-Joan

----- Original Message -----
> From: "Michael Scharrer" <michael_489@hotmail.de>
> To: "CouchDB Developers" <dev@couchdb.apache.org>
> Sent: Tuesday, November 20, 2018 6:54:57 AM
> Subject: CouchDB Admin Local Port over https
> 
> Hello,
> 
> currently I am running CouchDB Version 2.2 on the following Ports,
> 5984,5986, 6984 (ssl)
> 
> But I also need to run port 5986 over SSL, for security reasons, because
> non-SSL access is no longer allowed in my use case. Looking at the Erlang
> module couch_httpd.erl, this does not seem to be possible: the web server
> would also start on the existing port 6984.
> 
> local.ini:
> 
> [daemons]
> httpsd = {chttpd, start_link, [https]}
> admin_httpds = {couch_httpd, start_link, [https]}
> 
> 
> Here is my example of starting the non-local HTTP port 5986 as an SSL
> admin port on 6986:
> 
> 
> -module(couch_httpd).
> 
> %% Start the node-local listener over plain HTTP; this is the variant
> %% used when no transport is named explicitly.
> start_link() -> start_link(http).
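> %% Start the node-local listener on the requested transport.
> %%
> %% `http'  reads its port from [httpd] port (default "5984").
> %% `https' builds the TLS option list from the [ssl] section and registers
> %%         the listener as `admin_https'. Only the port key ("adminport",
> %%         default "6986") is specific to this listener; certificates,
> %%         ciphers and protocol versions are shared with the 6984 listener.
> %%
> %% Throws {error, missing_certs} when key_file or cert_file is unset, so
> %% that a TLS listener is never brought up without a usable identity.
> %% start_link/2 and make_arity_3_fun/1 are defined elsewhere in this
> %% module.
> start_link(http) ->
>     Port = config:get("httpd", "port", "5984"),
>     start_link(?MODULE, [{port, Port}]);
> start_link(https) ->
>     Port = config:get("ssl", "adminport", "6986"),
>     {ok, Ciphers} = couch_util:parse_term(
>         config:get("ssl", "ciphers", undefined)),
>     {ok, Versions} = couch_util:parse_term(
>         config:get("ssl", "tls_versions", undefined)),
>     {ok, SecureRenegotiate} = couch_util:parse_term(
>         config:get("ssl", "secure_renegotiate", undefined)),
>     KeyFile = config:get("ssl", "key_file", undefined),
>     CertFile = config:get("ssl", "cert_file", undefined),
>     %% Both halves of the server identity are required; abort early rather
>     %% than start a listener that cannot complete a handshake.
>     case {KeyFile, CertFile} of
>         {undefined, _} -> missing_certs();
>         {_, undefined} -> missing_certs();
>         _ -> ok
>     end,
>     ServerOpts0 = [
>         {cacertfile, config:get("ssl", "cacert_file", undefined)},
>         {keyfile, KeyFile},
>         {certfile, CertFile},
>         {password, config:get("ssl", "password", undefined)},
>         {secure_renegotiate, SecureRenegotiate},
>         {versions, Versions},
>         {ciphers, Ciphers}
>     ],
>     %% Unset keys must not be passed on as {Key, undefined}.
>     ServerOpts = [Opt || {_, V} = Opt <- ServerOpts0, V /= undefined],
>     SslOpts = ServerOpts ++ client_verify_opts(),
>     Options = [{port, Port}, {ssl, true}, {ssl_opts, SslOpts}],
>     %% NOTE(review): no {ip, _} option is set here; confirm that
>     %% start_link/2 applies the configured bind address, because this
>     %% admin port should only be reachable on localhost or a private
>     %% interface.
>     start_link(admin_https, Options).
> 
> %% Log and abort when the [ssl] section lacks key_file or cert_file.
> missing_certs() ->
>     couch_log:error("SSL enabled but PEM certificates are missing", []),
>     throw({error, missing_certs}).
> 
> %% Client-certificate verification options for the TLS listener.
> %%
> %% With verify_ssl_certificates = false (the default here) the list is
> %% empty, i.e. the listener does not authenticate the peer at the TLS
> %% layer. With true it requests a client certificate, verified up to
> %% ssl_certificate_max_depth, optionally rejecting peers that present
> %% none (fail_if_no_peer_cert) and optionally through a configured
> %% verify_fun. Any other string value crashes with case_clause, which is
> %% deliberate: a mistyped boolean must not silently disable verification.
> client_verify_opts() ->
>     case config:get("ssl", "verify_ssl_certificates", "false") of
>         "false" ->
>             [];
>         "true" ->
>             FailIfNoPeerCert =
>                 case config:get("ssl", "fail_if_no_peer_cert", "false") of
>                     "false" -> false;
>                     "true" -> true
>                 end,
>             Depth = list_to_integer(
>                 config:get("ssl", "ssl_certificate_max_depth", "1")),
>             VerifyFun =
>                 case config:get("ssl", "verify_fun", undefined) of
>                     undefined -> [];
>                     SpecStr -> [{verify_fun, make_arity_3_fun(SpecStr)}]
>                 end,
>             [{depth, Depth},
>              {fail_if_no_peer_cert, FailIfNoPeerCert},
>              {verify, verify_peer}] ++ VerifyFun
>     end.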
> 
> 
> 
> ------------
> 
> 
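> %% Stop the plain listener and then the TLS listener.
> %%
> %% The TLS listener is presumably optional, so a failure to stop it (for
> %% instance because it was never started) must not abort the shutdown of
> %% the plain listener. A try/catch is used instead of the old-style
> %% `catch Expr', which would also hide the failure completely.
> stop() ->
>     mochiweb_http:stop(couch_httpd),
>     try
>         mochiweb_http:stop(https)
>     catch
>         Class:Reason ->
>             couch_log:warning("could not stop https listener: ~p:~p",
>                               [Class, Reason]),
>             ok
>     end.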
> 
> to the following code:
> 
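> %% Stop the plain listener and then the admin TLS listener.
> %%
> %% The TLS listener is presumably optional, so a failure to stop it (for
> %% instance because it was never started) must not abort the shutdown of
> %% the plain listener. A try/catch is used instead of the old-style
> %% `catch Expr', which would also hide the failure completely.
> stop() ->
>     mochiweb_http:stop(couch_httpd),
>     try
>         mochiweb_http:stop(admin_https)
>     catch
>         Class:Reason ->
>             couch_log:warning("could not stop admin_https listener: ~p:~p",
>                               [Class, Reason]),
>             ok
>     end.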
> 
> 
> 
> 
> 
> Best regards,
> 
> 
> Michael
> 
