You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by Apache Wiki <wi...@apache.org> on 2010/05/25 14:37:57 UTC

[Couchdb Wiki] Update of "Nginx_As_a_Reverse_Proxy" by DanielTruemper

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Couchdb Wiki" for change notification.

The "Nginx_As_a_Reverse_Proxy" page has been changed by DanielTruemper.
The comment on this change is: Nicer Continuous Replication config and SSL configuration.
http://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy?action=diff&rev1=7&rev2=8

--------------------------------------------------

  = nginx as a Reverse Proxy =
  <<TableOfContents()>>
  
- Nginx can serve as a reverse proxy to CouchDB for scenarios such as URL rewriting, load-balancing, access restriction, etc. 
+ Nginx can serve as a reverse proxy to CouchDB for scenarios such as URL rewriting, load-balancing, access restriction, etc.
  
  Here's a basic excerpt from an nginx config file in <nginx config directory>/sites-available/default. This will proxy all requests from http://domain.com/... to http://localhost:5984/...
  
@@ -11, +11 @@

  location / {
      proxy_pass http://localhost:5984;
      proxy_redirect off;
+     proxy_set_header Host $host;
+     proxy_set_header X-Real-IP $remote_addr;
+     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ }}}
+ == Continuous Replication through nginx ==
+ The above configuration will break the continuous replication. By adding the following snippet the replication will work again:
+ 
+ {{{
+ location ~ ^/(.*)/_changes {
+     proxy_pass http://localhost:5984;
+     proxy_redirect off;
      proxy_buffering off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }  
+ }
  }}}
- 
- 
  == Reverse proxy for a subdirectory ==
  Here's an excerpt of a basic nginx configuration that proxies the URL "http://domain.com/couchdb" to "http://localhost:5984" so that requests appended to the subdirectory, such as "http://domain.com/couchdb/db1/doc1" are proxied to "http://localhost:5984/db1/doc1".
  
@@ -30, +40 @@

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }   
+ }
  }}}
- 
  === Known Test Suite issue with reverse proxy from subdirectory URL ===
  If the reverse proxy configuration also rewrites the URL for a subdirectory, the test suite will fail because it relies on the absolute root path for HTTP requests. This is a known issue and a patch has been submitted by Jack Moffitt at https://issues.apache.org/jira/browse/COUCHDB-321.
  
@@ -49, +58 @@

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }  
+ }
  }}}
- 
  === Issues with reverse proxy authentication ===
- Enabling basic authentication in Nginx will pass the HTTP authentication header to CouchDB, invoking its authentication handler as well. This configuration causes the Nginx basic authentication prompt to appear in the browser, followed by a second authentication prompt from Couchdb, even if CouchDB authentication is not enabled. 
+ Enabling basic authentication in Nginx will pass the HTTP authentication header to CouchDB, invoking its authentication handler as well. This configuration causes the Nginx basic authentication prompt to appear in the browser, followed by a second authentication prompt from Couchdb, even if CouchDB authentication is not enabled.
  
  You can either use the same username and password combinations for both Nginx and CouchDb, or set CouchDB to use the null_authentication_handler. In the local.ini file:
+ 
  {{{
  [httpd]
  authentication_handler = {couch_httpd, null_authentication_handler}
  }}}
- 
  Note: As an Nginx newbie, it's probable that the original author of this wiki post just didn't know which headers to suppress or how to suppress them :-) I tried "proxy_hide_header Authorization" and "proxy_hide_header WWW-Authenticate".
- 
  
  Note 2: While "proxy_hide_header" does not work, setting the header Authorization to "" seems to work.
  
@@ -76, +83 @@

      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Authorization "";
- }        
+ }
  }}}
+ == SSL with nginx ==
+ In order to enable a SSL connection to your Couch you need to do two things: enable the nginx SSL module and add another proxy header:
  
+ {{{
+ ssl on;
+ ssl_certificate PATH_TO_YOUR_PUBLIC_KEY.pem;
+ ssl_certificate_key PATH_TO_YOUR_PRIVATE_KEY.key;
+ ssl_protocols SSLv3;
+ ssl_session_cache shared:SSL:1m;
+ 
+ location / {
+     proxy_pass http://localhost:5984;
+     proxy_redirect off;
+     proxy_set_header Host $host;
+     proxy_set_header X-Real-IP $remote_addr;
+     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+     proxy_set_header X-Forwarded-Ssl on;
+ }
+ }}}
+ The X-Forwarded-Ssl header tells CouchDB that it should use the '''https''' scheme instead of the '''http''' scheme. Otherwise redirects (trailing slashes etc.) will fail.
+