Posted to user@couchdb.apache.org by Robert Johnson <ro...@rowanshire.net> on 2011/02/07 16:44:37 UTC

Replication and security advice sought

Hello

I am creating an application in which individual Company sites input data into individual CouchDB databases running on site-specific servers, which is then replicated to a single central system at head office (running on a separate server). The central system holds configuration data for each site's local system.

I therefore need to replicate data between the site databases and the central database and the Company has no internal secure network and so it will have to do all this via the public internet. Replication will always be initiated from the site based systems.

For the applications to function, Couch only needs to listen on localhost (nice and private) but in order to replicate, unless I have missed something, the central system will have to listen on its public IP address or it will not receive the replication requests. By contrast, the site-based systems can listen only on localhost because the application is on the local server and they will initiate the replication with the remote database.

I am not a proxy or firewall expert by any means, so I am looking for some fairly detailed advice and guidance as to how to make the process secure in the simplest fashion.

I have scoured the internet and I have found basic advice that would have me use a proxy or a firewall to control access, but there is a comment that Couch 1.0.1 enhanced replication to run over https, which led me to wonder if you could simply use Couch security and pass the replication commands with the necessary login information over https.

If the proxy is the best route, then the central system application is web based and users access that over the public internet on port 80; the central couchdb runs on the same server as the application and is currently listening on its default port 5984. Each site has a technically identical set up on separate servers. To me this means I will need to set up a proxy on the central server that will allow http requests on port 5984 from localhost and forward http requests on port 5984 from a defined set of other IP addresses to localhost:5984. It must also allow http requests on port 80 from any incoming IP address.

All servers are Ubuntu Linux 10.04.1 LTS, web servers are apache 2.2.14, couchdb is 1.0.1.

Advice and guidance would be very gratefully received, but please bear in mind that whilst I am a pretty good application developer, my networking knowledge generally and proxy / firewall knowledge specifically is limited to principles and not practice, so if you could explain the details of any suggestions in detail at a "put this line in this file" type level I would be eternally grateful.

Many thanks to you all in advance.

Bob Johnson
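As an added example, not code from the original thread: a small Python helper that builds the push-replication request a site-local CouchDB would POST to its own /_replicate, refusing any remote endpoint that is not https and any URL that carries credentials in the clear. The host name central.example.net, the database name and the account are placeholders, and putting credentials into the target URL is an assumption about how the 1.0.1 replicator takes login information.

```python
import json
from urllib.parse import quote, urlsplit

# Site-local CouchDB listens on localhost only, as described in the post.
LOCAL_COUCH = "http://127.0.0.1:5984"
# Hypothetical head-office CouchDB host (placeholder, not from the thread).
CENTRAL_HOST = "central.example.net"


def check_endpoint(url: str) -> None:
    """Raise if this endpoint would carry replication traffic or credentials in the clear."""
    parts = urlsplit(url)
    local = parts.hostname in ("127.0.0.1", "localhost", "::1")
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url}")
    if parts.scheme == "http" and not local:
        raise ValueError(f"remote endpoint must use https: {url}")
    if parts.username is not None and parts.scheme != "https":
        raise ValueError(f"credentials embedded in a plaintext URL: {url}")


def is_acceptable(url: str) -> bool:
    """Boolean form of check_endpoint for callers that prefer a policy decision."""
    try:
        check_endpoint(url)
        return True
    except ValueError:
        return False


def build_push_replication(db: str, user: str, password: str, continuous: bool = False) -> dict:
    """Body for POST /_replicate on the site-local CouchDB: site pushes to head office."""
    source = f"{LOCAL_COUCH}/{db}"
    # Percent-encode user and password so ':' '@' '/' in a password cannot alter the host
    # part; the full URL only ever travels inside TLS.
    target = f"https://{quote(user, safe='')}:{quote(password, safe='')}@{CENTRAL_HOST}/{db}"
    check_endpoint(source)
    check_endpoint(target)
    body = {"source": source, "target": target}
    if continuous:
        body["continuous"] = True
    return body


if __name__ == "__main__":
    print(json.dumps(build_push_replication("site_data", "site01", "p@ss:word")))
```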

Re: Replication and security advice sought

Posted by Christian Polzer <ch...@hai-fai.de>.
Yes, 

I was just writing an answer when the VPN suggestion came up. I think using tinc would be a nice approach: http://tinc-vpn.org/

You can also build a meshed VPN with tinc, so you get failover as well. tinc does automatically restart, and the virtual NICs can be bridged to inside networks if needed.


Kind regards,

Christian Polzer

On 07.02.2011, at 16:51, Dirkjan Ochtman wrote:

> On Mon, Feb 7, 2011 at 16:44, Robert Johnson <ro...@rowanshire.net> wrote:
>> Advice and guidance would be very gratefully received, but please bear in mind that whilst I am a pretty good application developer, my networking knowledge generally and proxy / firewall knowledge specifically is limited to principles and not practice, so if you could explain the details of any suggestions in detail at a "put this line in this file" type level I would be eternally grateful.
> 
> Or you could use a VPN (virtual private network; an encrypted channel
> tunneled over the internet). We use OpenVPN to do CouchDB replications
> over the internet at work. It's free and fairly easy to set up.
> 
> Cheers,
> 
> Dirkjan


Re: Replication and security advice sought

Posted by Dirkjan Ochtman <di...@ochtman.nl>.
On Mon, Feb 7, 2011 at 16:44, Robert Johnson <ro...@rowanshire.net> wrote:
> Advice and guidance would be very gratefully received, but please bear in mind that whilst I am a pretty good application developer, my networking knowledge generally and proxy / firewall knowledge specifically is limited to principles and not practice, so if you could explain the details of any suggestions in detail at a "put this line in this file" type level I would be eternally grateful.

Or you could use a VPN (virtual private network; an encrypted channel
tunneled over the internet). We use OpenVPN to do CouchDB replications
over the internet at work. It's free and fairly easy to set up.

Cheers,

Dirkjan