Posted to user@couchdb.apache.org by Vladimir Kuznetsov <vo...@gmail.com> on 2017/06/27 00:29:00 UTC

Running CouchDB 2.0 cluster in EC2

Hi guys

I'm planning to run a CouchDB 2.0 cluster in EC2, probably 4 or 8 instances.

I want clients to use SSL certificates to authenticate, so I want to run Nginx on every CouchDB instance, which will do SSL termination and forward connections to the backend CouchDB instance running plain HTTP. The reasons I want to terminate SSL on Nginx:

1) I'm planning to refresh server certs periodically and I don't really want CouchDB nodes to restart; I'd rather restart the Nginx frontend.
2) I want to check the CRL to reject client certificates that were revoked.
3) Performance is another reason, as I expect Nginx to be better at SSL decryption than CouchDB itself.

I'm planning to deploy the CouchDB cluster instances behind an AWS ELB (Elastic Load Balancer), probably in TCP mode, which would load balance client connections between instances.

Does my deployment make sense? Anything specific to take into consideration in the above deployment model? Is there anything I have to be aware of?

thanks,
--Vovan

Re: Running CouchDB 2.0 cluster in EC2

Posted by Vladimir Kuznetsov <vo...@gmail.com>.
Thanks Joan, it makes sense. I'll have a look at stunnel; it may work if it has normal support for CRL checks.

thanks,
--Vovan




Re: Running CouchDB 2.0 cluster in EC2

Posted by Joan Touzet <wo...@apache.org>.
Sorry, it's been many years since I configured stunnel for use with
CouchDB, and I no longer have access to those configurations. I
remember it wasn't that complex from reading the stunnel docs.

My feeling is: the simpler the solution, the better. There is
simply less to go wrong with a tool that *only* manages SSL
termination than a tool that is trying to be a fully-fledged
reverse proxy - especially if all you are trying to do is terminate
an SSL connection and pass it on.

-Joan


Re: Running CouchDB 2.0 cluster in EC2

Posted by Vladimir Kuznetsov <vo...@gmail.com>.
Hi Joan

Can you please provide a little bit more detail about 'nginx not correctly reverse proxying chunked/multipart/etags/etc'? Can you also please provide a stunnel configuration file example.

Btw, I've taken the idea of using nginx from the Apache wiki (https://cwiki.apache.org/confluence/display/COUCHDB/Configuring+CouchDB <https://cwiki.apache.org/confluence/display/COUCHDB/Securing+CouchDB>); it suggests using either the Apache or nginx HTTP server as a reverse proxy.

thanks,
--Vovan





Re: Running CouchDB 2.0 cluster in EC2

Posted by Joan Touzet <wo...@apache.org>.
I'd recommend stunnel instead of nginx. We used to use it at Cloudant
and it worked fine. Gets you away from any worries about nginx not
correctly reverse proxying chunked/multipart/etags/etc.

-Joan

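Joan recommends stunnel and Vladimir asks for a configuration file, but none appears in the thread. The following is an added example (not from the thread or the CouchDB project) of a stunnel server-mode configuration that does what the thread describes: terminate TLS in front of a CouchDB node speaking plain HTTP, require a client certificate, and reject revoked certificates via a CRL. File paths, ports and the service section name are assumptions.

```ini
; stunnel server-mode config for a CouchDB node (added example; assumed paths/ports).

; Global options: drop privileges after binding the listening port, log to a file.
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/couchdb.pid
foreground = no
debug = 5
output = /var/log/stunnel/couchdb.log

[couchdb]
; Server mode: accept TLS from clients, speak plain TCP to the local CouchDB.
client = no
; An ELB in TCP (layer 4) mode forwards the raw TLS stream, so the client
; certificate handshake happens here, not at the load balancer.
accept = 0.0.0.0:6984
; CouchDB itself listens on plain HTTP on loopback only (assumed port 5984).
connect = 127.0.0.1:5984

; Server certificate and key presented to clients (assumed paths).
cert = /etc/stunnel/couchdb-server.pem
key = /etc/stunnel/couchdb-server.key

; Trust anchor for client certificates and the CRL used to reject revoked ones.
CAfile = /etc/stunnel/client-ca.pem
CRLfile = /etc/stunnel/client-ca.crl
; verify = 2: a client certificate is required and verified against CAfile;
; a missing, untrusted or revoked certificate fails the handshake.
; (Newer stunnel 5 releases also spell this as verifyChain = yes plus requireCert = yes.)
verify = 2

; Modern TLS only; legacy protocol versions are not offered.
sslVersion = TLSv1.2

; Operational notes:
; - Replacing the certificate, key or CRL files and sending stunnel SIGHUP
;   reloads this configuration without restarting CouchDB.
; - stunnel passes no client identity to CouchDB: the client certificate only
;   gates access, so CouchDB's own authentication is still required behind it.
```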