Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2021/07/27 22:08:28 UTC

[GitHub] [couchdb-documentation] jiahuili430 opened a new pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

jiahuili430 opened a new pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673


   ## Overview
   Documents related to CouchDB's custom Erlang network protocol.
   
   ## Testing recommendations
   
   ## GitHub issue number
   
   
   ## Related Pull Requests
   [#3643](https://github.com/apache/couchdb/pull/3643)
   
   ## Checklist
   
   - [ ] Update [rebar.config.script](https://github.com/apache/couchdb/blob/main/rebar.config.script) with the commit hash once this PR is rebased and merged
   <!-- Before opening the PR, consider running `make check` locally for a faster turnaround time -->
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [couchdb-documentation] nickva commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
nickva commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679380009



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:

Review comment:
       Minor nit: so it's not confused with a CouchDB package distribution or something like that, perhaps call it `tls_erlang_distribution`







[GitHub] [couchdb-documentation] nickva commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
nickva commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679378522



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol

Review comment:
       Not sure the network protocol itself would be custom? It's either TCP or TLS. Perhaps we can re-word to indicate that this is specifically to allow using TLS for Erlang distribution between nodes, with the ability to connect to some nodes using TCP as well.







[GitHub] [couchdb-documentation] nickva commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
nickva commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679470272



##########
File path: src/cluster/tls_erlang_distribution.rst
##########
@@ -0,0 +1,122 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/tls_erlang_distribution:
+
+=======================
+TLS Erlang Distribution
+=======================
+The main purpose is specifically to allow using TLS for Erlang distribution
+between nodes, with the ability to connect to some nodes using TCP as well.
+TLS distribution will enhance data security during data migration between
+nodes.
+
+This section describes how to enable TLS distribution for additional
+verification and security.
+
+Reference: `Using TLS for Erlang Distribution`_
+
+.. _Using TLS for Erlang Distribution: https://erlang.org/doc/apps/ssl/ssl_distribution.html
+
+Generate Certificate
+====================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem && rm key.pem cert.pem
+
+    .. note::
+       This is **not** an endorsement of a specific expiration limit,
+       key size or algorithm.
+
+Config Settings
+===============
+To enable TLS distribution, make sure to set custom parameters in ``vm.args``.
+
+    .. code-block:: text
+
+        # Don't forget to override the paths to point to your cert and conf file!
+
+        -proto_dist couch
+        -couch_dist no_tls \"clouseau@127.0.0.1\"
+        -ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+
+    .. note::
+       * The default value of ``no_tls`` is ``false``. If the user does not
+         set any ``no_tls`` flag, all nodes will use ``TCP``.
+       * To ensure "search" works, make sure to set ``no_tls`` option for the
+         ``clouseau`` node. By default, this will be "clouseau@127.0.0.1".
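Review bot: The two bullets of the closing note contradict each other: saying the default of ``no_tls`` is ``false`` reads as TLS being the default, yet the next sentence says all nodes use TCP when the flag is absent. Please state plainly which transport applies when ``-couch_dist no_tls`` is omitted, and whether that depends on ``-proto_dist couch`` being present at all, because an operator who reads ``false`` as "TLS on" may believe the cluster traffic is encrypted when it is not.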

Review comment:
       Use ``"clouseau@127.0.0.1"`` to avoid it being rendered as a link







[GitHub] [couchdb-documentation] nickva commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
nickva commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679392656



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol
+==============================
+The main purpose is to allow users to specify network protocols for CouchDB
+nodes, which enhanced data security during data migration between nodes.
+
+This section will explain how to enable TCP/TLS distribution for additional
+verification and security.
+
+Generate Certificate
+====================================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem
+        $ rm key.pem cert.pem
+
+    .. note::
+       This is not an endorsement of a specific expiration limit, key size or algorithm.
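Review bot: The ``couch_ssl_dist.conf`` sample sets only ``certfile`` and ``secure_renegotiate`` on the server side and only ``secure_renegotiate`` on the client side; no ``verify`` or ``cacertfile`` option appears, so the text never says whether a connecting node's certificate is checked or only that the link is encrypted. Please state explicitly what this minimal example does and does not verify, and add a sentence pointing readers to the ``verify`` and ``cacertfile`` options in the Erlang SSL distribution documentation for deployments that need peers to be authenticated rather than merely encrypted.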

Review comment:
       It might be nice, just like in the vm.args file, to leave a link to https://erlang.org/doc/apps/ssl/ssl_distribution.html so users can read more about some of the TLS options they can set in the .conf file







[GitHub] [couchdb-documentation] nickva commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
nickva commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679390863



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol
+==============================
+The main purpose is to allow users to specify network protocols for CouchDB
+nodes, which enhanced data security during data migration between nodes.
+
+This section will explain how to enable TCP/TLS distribution for additional
+verification and security.
+
+Generate Certificate
+====================================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem
+        $ rm key.pem cert.pem
+
+    .. note::
+       This is not an endorsement of a specific expiration limit, key size or algorithm.
+
+Config Settings
+====================================
+To enable TLS distribution, make sure to set custom parameters in ``vm.args``.
+
+    .. code-block:: text
+
+        # Don't forget to override the paths to point to your cert and conf file!
+        -proto_dist couch
+        -couch_dist no_tls \"clouseau@127.0.0.1\"
+        -ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+
+    .. note::
+       To ensure "search" works, make sure to set ``no_tls`` option for the
+       ``clouseau`` node. By default, this will be "clouseau@127.0.0.1".
+
+CouchDB recommends the following values for the ``no_tls`` flag:
+
+#. Use TCP only, set to ``true``, such as:
+
+    .. code-block:: text
+
+        -couch_dist no_tls true
+
+#. Use TLS only, set to ``false``, such as:
+
+    .. code-block:: text
+
+        -couch_dist no_tls false
+
+#. Specify the node that uses TCP, others will use TLS, such as:
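Review bot: The ``openssl`` example under Generate Certificate writes an unencrypted private key (``-nodes``) into ``erlserver.pem`` with whatever the shell's default umask allows, and nothing tells the reader to restrict it. Suggest a step after the ``cat`` line such as ``chmod 600 erlserver.pem`` with the file owned by the user CouchDB runs as, plus a short sentence that this file is the node's identity and must not be readable by other accounts on the host.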

Review comment:
       `Specify some nodes to use TCP, others ...` since it could be more than one node







[GitHub] [couchdb-documentation] jiahuili430 commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
jiahuili430 commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679451712



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol
+==============================
+The main purpose is to allow users to specify network protocols for CouchDB
+nodes, which enhanced data security during data migration between nodes.
+
+This section will explain how to enable TCP/TLS distribution for additional
+verification and security.
+
+Generate Certificate
+====================================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem
+        $ rm key.pem cert.pem
+
+    .. note::
+       This is not an endorsement of a specific expiration limit, key size or algorithm.
+
+Config Settings
+====================================
+To enable TLS distribution, make sure to set custom parameters in ``vm.args``.
+
+    .. code-block:: text
+
+        # Don't forget to override the paths to point to your cert and conf file!
+        -proto_dist couch
+        -couch_dist no_tls \"clouseau@127.0.0.1\"
+        -ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+
+    .. note::
+       To ensure "search" works, make sure to set ``no_tls`` option for the
+       ``clouseau`` node. By default, this will be "clouseau@127.0.0.1".
+
+CouchDB recommends the following values for the ``no_tls`` flag:
+
+#. Use TCP only, set to ``true``, such as:
+
+    .. code-block:: text
+
+        -couch_dist no_tls true
+
+#. Use TLS only, set to ``false``, such as:
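Review bot: The escaped quotes in ``-couch_dist no_tls \"clouseau@127.0.0.1\"`` are shown without explanation, so a reader cannot tell whether the backslashes belong in ``vm.args`` or are shell escaping. Add a sentence on why the node name has to reach the VM as a quoted string and show the exact text that goes in the file, since this value decides which nodes are excluded from TLS and a mis-quoted entry is easy to miss.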

Review comment:
       Add to the previous note with the default node `Clouseau`.







[GitHub] [couchdb-documentation] jiahuili430 commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
jiahuili430 commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679449532



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol

Review comment:
       Changed to `TLS Erlang Distribution`

##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:

Review comment:
       Changed







[GitHub] [couchdb-documentation] nickva merged pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
nickva merged pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673


   





[GitHub] [couchdb-documentation] jiahuili430 commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
jiahuili430 commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679453957



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol
+==============================
+The main purpose is to allow users to specify network protocols for CouchDB
+nodes, which enhanced data security during data migration between nodes.
+
+This section will explain how to enable TCP/TLS distribution for additional
+verification and security.
+
+Generate Certificate
+====================================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem
+        $ rm key.pem cert.pem
+
+    .. note::
+       This is not an endorsement of a specific expiration limit, key size or algorithm.
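Review bot: Grammar in the introductory paragraph: ``which enhanced data security during data migration between nodes`` mixes tenses with the surrounding sentence; ``which enhances`` reads correctly, and ``This section will explain`` is better as ``This section explains``, present tense being the usual register for reference documentation. The first sentence would also be sharper if it named TCP and TLS instead of the vaguer ``specify network protocols``.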

Review comment:
       Add a reference at the beginning of the page.
   Thanks for the review.







[GitHub] [couchdb-documentation] jiahuili430 commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
jiahuili430 commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679449532



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol

Review comment:
       How about `TLS Erlang Distribution`?







[GitHub] [couchdb-documentation] jiahuili430 commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
jiahuili430 commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679451537



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol
+==============================
+The main purpose is to allow users to specify network protocols for CouchDB
+nodes, which enhanced data security during data migration between nodes.
+
+This section will explain how to enable TCP/TLS distribution for additional
+verification and security.
+
+Generate Certificate
+====================================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem
+        $ rm key.pem cert.pem
+
+    .. note::
+       This is not an endorsement of a specific expiration limit, key size or algorithm.
+
+Config Settings
+====================================
+To enable TLS distribution, make sure to set custom parameters in ``vm.args``.
+
+    .. code-block:: text
+
+        # Don't forget to override the paths to point to your cert and conf file!
+        -proto_dist couch
+        -couch_dist no_tls \"clouseau@127.0.0.1\"
+        -ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+
+    .. note::
+       To ensure "search" works, make sure to set ``no_tls`` option for the
+       ``clouseau`` node. By default, this will be "clouseau@127.0.0.1".
+
+CouchDB recommends the following values for the ``no_tls`` flag:
+
+#. Use TCP only, set to ``true``, such as:
+
+    .. code-block:: text
+
+        -couch_dist no_tls true
+
+#. Use TLS only, set to ``false``, such as:
+
+    .. code-block:: text
+
+        -couch_dist no_tls false
+
+#. Specify the node that uses TCP, others will use TLS, such as:
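Review bot: Every ``.. code-block::`` and ``.. note::`` directive in this file is indented four spaces below its paragraph, which reStructuredText renders as a block quote wrapping the directive rather than a plain code block or admonition; align the directives with the paragraphs so the output matches the rest of the documentation. The underlines of ``Generate Certificate`` and ``Config Settings`` are also far longer than the titles; matching their length is the usual convention.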

Review comment:
       changed







[GitHub] [couchdb-documentation] nickva commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
nickva commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679388114



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol
+==============================
+The main purpose is to allow users to specify network protocols for CouchDB
+nodes, which enhanced data security during data migration between nodes.
+
+This section will explain how to enable TCP/TLS distribution for additional
+verification and security.
+
+Generate Certificate
+====================================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem
+        $ rm key.pem cert.pem
+
+    .. note::
+       This is not an endorsement of a specific expiration limit, key size or algorithm.
+
+Config Settings
+====================================
+To enable TLS distribution, make sure to set custom parameters in ``vm.args``.
+
+    .. code-block:: text
+
+        # Don't forget to override the paths to point to your cert and conf file!
+        -proto_dist couch
+        -couch_dist no_tls \"clouseau@127.0.0.1\"
+        -ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+
+    .. note::
+       To ensure "search" works, make sure to set ``no_tls`` option for the
+       ``clouseau`` node. By default, this will be "clouseau@127.0.0.1".
+
+CouchDB recommends the following values for the ``no_tls`` flag:
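Review bot: The note about ``clouseau`` gives the requirement but not its consequence: once the search node is listed under ``no_tls``, traffic between CouchDB nodes and that node stays in plaintext even when every other connection uses TLS. A sentence making that scope explicit lets operators decide whether the search link needs network-level protection of its own.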

Review comment:
       I think the only value we'd recommend is to let `clouseau` connect with TCP when using search, otherwise it won't work. Then we'd just say perhaps that ``` The `no_tls` setting can have these values: ```







[GitHub] [couchdb-documentation] jiahuili430 commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
jiahuili430 commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679450136



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol
+==============================
+The main purpose is to allow users to specify network protocols for CouchDB
+nodes, which enhanced data security during data migration between nodes.
+
+This section will explain how to enable TCP/TLS distribution for additional
+verification and security.
+
+Generate Certificate
+====================================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem
+        $ rm key.pem cert.pem
+
+    .. note::
+       This is not an endorsement of a specific expiration limit, key size or algorithm.
+
+Config Settings
+====================================
+To enable TLS distribution, make sure to set custom parameters in ``vm.args``.
+
+    .. code-block:: text
+
+        # Don't forget to override the paths to point to your cert and conf file!
+        -proto_dist couch
+        -couch_dist no_tls \"clouseau@127.0.0.1\"
+        -ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+
+    .. note::
+       To ensure "search" works, make sure to set ``no_tls`` option for the
+       ``clouseau`` node. By default, this will be "clouseau@127.0.0.1".
+
+CouchDB recommends the following values for the ``no_tls`` flag:
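Review bot: "at least one public key and one certificate must be specified" is wrong: the PEM the example points to holds the certificate and its private key, as the next sentence and the `cat key.pem cert.pem` step show, so say "private key". More important, the `couch_ssl_dist.conf` example sets only `certfile` on the server and `secure_renegotiate` on both sides, with no `verify` or `cacertfile` anywhere, and the certificate it pairs with is self-signed (`openssl req -x509`); as written, nothing in the config asks either side to check the peer's certificate, so the setup encrypts node traffic but does not authenticate nodes. Either document a verifying configuration (a CA-signed or shared certificate plus `{verify, verify_peer}` and `{cacertfile, "..."}` in both the `server` and `client` lists, with `{fail_if_no_peer_cert, true}` on the server) or state that limitation explicitly next to the example. Also, "which enhanced data security during data migration between nodes" reads oddly; "which protects data in transit between nodes" is clearer.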

Review comment:
       changed







[GitHub] [couchdb-documentation] nickva commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
nickva commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679388844



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol
+==============================
+The main purpose is to allow users to specify network protocols for CouchDB
+nodes, which enhanced data security during data migration between nodes.
+
+This section will explain how to enable TCP/TLS distribution for additional
+verification and security.
+
+Generate Certificate
+====================================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem
+        $ rm key.pem cert.pem
+
+    .. note::
+       This is not an endorsement of a specific expiration limit, key size or algorithm.
+
+Config Settings
+====================================
+To enable TLS distribution, make sure to set custom parameters in ``vm.args``.
+
+    .. code-block:: text
+
+        # Don't forget to override the paths to point to your cert and conf file!
+        -proto_dist couch
+        -couch_dist no_tls \"clouseau@127.0.0.1\"
+        -ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+
+    .. note::
+       To ensure "search" works, make sure to set ``no_tls`` option for the
+       ``clouseau`` node. By default, this will be "clouseau@127.0.0.1".
+
+CouchDB recommends the following values for the ``no_tls`` flag:
+
+#. Use TCP only, set to ``true``, such as:
+
+    .. code-block:: text
+
+        -couch_dist no_tls true
+
+#. Use TLS only, set to ``false``, such as:
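Review bot: the `no_tls true` item needs a warning that it turns TLS off for every node, i.e. plain TCP distribution cluster-wide, which is no better than not enabling `-proto_dist couch` at all; listed first under "recommends", it currently reads like the preferred choice. The list should also say what applies when `-couch_dist no_tls` is omitted entirely, and whether a node expecting TLS can still connect to a peer that set `no_tls true`; the text leaves both unstated.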

Review comment:
       This is also the default if the user doesn't set any `no_tls` flags? We should note that in the documentation too.







[GitHub] [couchdb-documentation] jiahuili430 commented on a change in pull request #673: Contribute Custom Erlang Network Protocol to CouchDB

Posted by GitBox <gi...@apache.org>.
jiahuili430 commented on a change in pull request #673:
URL: https://github.com/apache/couchdb-documentation/pull/673#discussion_r679451339



##########
File path: src/cluster/distribution.rst
##########
@@ -0,0 +1,111 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cluster/distribution:
+
+==============================
+Custom Erlang Network Protocol
+==============================
+The main purpose is to allow users to specify network protocols for CouchDB
+nodes, which enhanced data security during data migration between nodes.
+
+This section will explain how to enable TCP/TLS distribution for additional
+verification and security.
+
+Generate Certificate
+====================================
+For TLS to work properly, at least one public key and one certificate must be
+specified. In the following example (couch_ssl_dist.conf), the PEM file contains
+the ``certificate`` and its ``private key``.
+
+    .. code-block:: text
+
+        [{server,
+          [{certfile, "</path/to/erlserver.pem>"},
+           {secure_renegotiate, true}]},
+         {client,
+          [{secure_renegotiate, true}]}].
+
+The following command is an example of generating a certificate (PEM) file.
+
+    .. code-block:: bash
+
+        $ openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
+        $ cat key.pem cert.pem > erlserver.pem
+        $ rm key.pem cert.pem
+
+    .. note::
+       This is not an endorsement of a specific expiration limit, key size or algorithm.
+
+Config Settings
+====================================
+To enable TLS distribution, make sure to set custom parameters in ``vm.args``.
+
+    .. code-block:: text
+
+        # Don't forget to override the paths to point to your cert and conf file!
+        -proto_dist couch
+        -couch_dist no_tls \"clouseau@127.0.0.1\"
+        -ssl_dist_optfile <path/to/couch_ssl_dist.conf>
+
+    .. note::
+       To ensure "search" works, make sure to set ``no_tls`` option for the
+       ``clouseau`` node. By default, this will be "clouseau@127.0.0.1".
+
+CouchDB recommends the following values for the ``no_tls`` flag:
+
+#. Use TCP only, set to ``true``, such as:
+
+    .. code-block:: text
+
+        -couch_dist no_tls true
+
+#. Use TLS only, set to ``false``, such as:
+
+    .. code-block:: text
+
+        -couch_dist no_tls false
+
+#. Specify the node that uses TCP, others will use TLS, such as:
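Review bot: the "Specify the node that uses TCP" item should spell out that the exception is matched on the node name alone, so the safety of the carve-out depends entirely on where that node actually runs; it is a reasonable exception for a node such as `clouseau@127.0.0.1` on the same host or a trusted network, and the docs should say so rather than leave readers to generalise it to remote nodes. Folding this item into the earlier clouseau note would also keep the one worked example in a single place instead of two.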

Review comment:
       Add to the previous note with the default node `Clouseau`.



