From: Randall Leeds
To: user@couchdb.apache.org
Date: Wed, 3 Aug 2011 14:22:22 -0700
Subject: Re: to CouchApp or not to CouchApp
References: <4E371B93.8060303@kearns.net.au>

On Wed, Aug 3, 2011 at 14:19, Randall Leeds wrote:
> On Tue, Aug 2, 2011 at 16:55, Max Ogden wrote:
>> My point with vhosts and security was that if you aren't exposing couch to
>> the world you can route requests for certain couch-hosted domains to your
>> couch and let vhosts limit the exposed API.
>>
>> this means you need to run something like nginx in front of couch and
>> register couch as an nginx upstream. then when people hit your domain they
>> will be routed directly to the _rewrite handler and you can expose whatever
>> you want from there
>>
>> if you expose the root api of couch over the internet there aren't built in
>> ways to lock down everything. the solution would be to not expose the couch
>> root api.
>
> To add to this, when you create a vhost configuration on iriscouch, I
> believe iriscouch actually sees that configuration change and changes
> a downstream proxy. Submitting a request without a Host header will
> make it so that iriscouch does not know where to route your request
> and it returns an error.
>
> Now there's still the problem that if someone knows your
> username.iriscouch.com address they can bypass that. It would be a
> valid question for iriscouch support to ask whether that can be locked
> down by requiring a valid user, at which point you could use vhosts
> pretty securely.

Here I mean to say that require_valid_user=true is great for locking
down your couch, but one might want to only lock down the raw couch
interface and not require a valid user when going through a vhost, so
you could still have a logged out public landing page for your
couchapp.

>
> Security on CouchDB is evolving slowly, and so is the power of
> CouchApps. Keep the comments and questions rolling because it keeps
> the devs mulling, and, as always...
>
> ...patches welcome. :)
>
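
The setup discussed in this thread (nginx in front of CouchDB, with a vhost routed to the _rewrite handler so the root API is never exposed), sketched as an added example that is not part of the original message. The hostname www.example.com, the database name app_db and the design document name app are assumptions.

```nginx
# Constructed example. Assumed CouchDB side (local.ini), shown as comments:
#
#   [httpd]
#   bind_address = 127.0.0.1     ; raw API reachable from this host only
#
#   [vhosts]
#   www.example.com = /app_db/_design/app/_rewrite
#
# With CouchDB bound to loopback, the only external path to it is through
# the server block below, so the vhost's rewrite rules define the public API.

upstream couch {
    server 127.0.0.1:5984;
}

server {
    listen 80;
    server_name www.example.com;

    location / {
        proxy_pass http://couch;

        # Send a fixed Host header rather than the client's, so every
        # proxied request matches the [vhosts] entry and lands on the
        # _rewrite handler instead of the CouchDB root.
        proxy_set_header Host www.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Catch-all for requests whose Host header is missing or names no
# configured site: close the connection without contacting CouchDB.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

Because the raw interface is unreachable from outside in this layout, require_valid_user can stay off for the public landing page while administration happens over loopback or an SSH tunnel to port 5984.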