Posted to dev@couchdb.apache.org by Michael Scharrer <mi...@hotmail.de> on 2018/11/20 11:54:57 UTC

CouchDB Admin Local Port over https

Hello,

Currently I am running CouchDB 2.2 on the following ports: 5984, 5986 and 6984 (SSL).

For safety reasons, however, port 5986 also needs to be served over SSL, because plain (non-SSL) HTTP is no longer allowed in my use case. This does not seem to be possible when looking at the Erlang module couch_httpd.erl: its https clause would start the web server on the existing port 6984.

local.ini:

[daemons]
httpsd = {chttpd, start_link, [https]}
admin_httpds = {couch_httpd, start_link, [https]}


Here is my example patch that starts the node-local HTTP port 5986 as an SSL admin port on 6986:


-module(couch_httpd).

%% Default entry point: starts the clear-text admin listener, i.e. the same
%% thing as start_link(http). The TLS listener is never started implicitly;
%% it has to be requested explicitly with start_link(https).
start_link() ->
    DefaultScheme = http,
    start_link(DefaultScheme).
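%% start_link/1 -- start the node-local admin listener over http or https.
%%
%% http  : clear-text listener on [httpd] port (default "5984" in this clause),
%%         registered as ?MODULE.
%% https : TLS listener on [ssl] adminport (default "6986"), registered as
%%         admin_https so it does not collide with the [ssl] port (6984)
%%         listener that is started from the same config section.
%%
%% Which of these actually runs is decided by the [daemons] entries that call
%% them, not here: adding an https entry does NOT remove a clear-text http
%% entry, so a deployment that forbids clear-text HTTP has to drop that entry
%% as well (NOTE(review): check default.ini/local.ini for such an entry).
%% The bind address is not chosen in this function either; keep the admin
%% listener on localhost or a private interface regardless of TLS.
%%
%% Throws {error, missing_certs} when [ssl] key_file or cert_file is unset.
%% Any other malformed [ssl] value crashes start-up (badmatch / function_clause)
%% on purpose, so a typo never silently weakens the TLS configuration.
start_link(http) ->
    Port = config:get("httpd", "port", "5984"),
    start_link(?MODULE, [{port, Port}]);
start_link(https) ->
    % Own config key, so the admin listener never shares a port with [ssl] port.
    Port = config:get("ssl", "adminport", "6986"),
    SslOpts = admin_ssl_server_opts() ++ admin_ssl_peer_opts(),
    Options =
        [{port, Port},
         {ssl, true},
         {ssl_opts, SslOpts}],
    % Distinct registered name; stop/0 has to address this same name.
    start_link(admin_https, Options).

%% Server-side TLS options from the [ssl] section, with unset keys dropped so
%% that the OTP ssl defaults apply for them. An unset tls_versions / ciphers
%% therefore means "whatever this OTP release offers by default"; hardened
%% deployments should pin both explicitly.
%% Throws {error, missing_certs} if key_file or cert_file is unset.
admin_ssl_server_opts() ->
    {ok, Ciphers} = couch_util:parse_term(config:get("ssl", "ciphers", undefined)),
    {ok, Versions} = couch_util:parse_term(config:get("ssl", "tls_versions", undefined)),
    {ok, SecureRenegotiate} = couch_util:parse_term(config:get("ssl", "secure_renegotiate", undefined)),
    KeyFile = config:get("ssl", "key_file", undefined),
    CertFile = config:get("ssl", "cert_file", undefined),
    case KeyFile =:= undefined orelse CertFile =:= undefined of
        true ->
            couch_log:error("SSL enabled but PEM certificates are missing", []),
            throw({error, missing_certs});
        false ->
            ok
    end,
    AllOpts =
        [{cacertfile, config:get("ssl", "cacert_file", undefined)},
         {keyfile, KeyFile},
         {certfile, CertFile},
         % key-file passphrase: never log this option list with ~p
         {password, config:get("ssl", "password", undefined)},
         {secure_renegotiate, SecureRenegotiate},
         {versions, Versions},
         {ciphers, Ciphers}],
    [Opt || {_, Value} = Opt <- AllOpts, Value =/= undefined].

%% Client-certificate verification options from the [ssl] section; [] unless
%% verify_ssl_certificates = true. With the default fail_if_no_peer_cert =
%% false a client that presents no certificate at all is still accepted --
%% only a presented-but-unverifiable one is rejected -- so mandatory client
%% certificates need both keys set. verify_peer also needs a cacert_file to
%% validate against (NOTE(review): not checked here; without it the handshake
%% is expected to fail unless verify_fun overrides the result).
admin_ssl_peer_opts() ->
    case config:get("ssl", "verify_ssl_certificates", "false") of
        "false" ->
            [];
        "true" ->
            FailIfNoPeerCert =
                admin_ssl_bool(config:get("ssl", "fail_if_no_peer_cert", "false")),
            Depth = list_to_integer(config:get("ssl", "ssl_certificate_max_depth", "1")),
            [{depth, Depth},
             {fail_if_no_peer_cert, FailIfNoPeerCert},
             {verify, verify_peer}] ++ admin_ssl_verify_fun_opt()
    end.

%% Optional [ssl] verify_fun. The config string is turned into a fun by
%% make_arity_3_fun/1 (defined elsewhere in this module), so this setting is
%% effectively code and must stay writable by admins only.
admin_ssl_verify_fun_opt() ->
    case config:get("ssl", "verify_fun", undefined) of
        undefined -> [];
        SpecStr -> [{verify_fun, make_arity_3_fun(SpecStr)}]
    end.

%% Strict "true"/"false" parsing; anything else is a function_clause crash on
%% purpose (fail closed on typos instead of guessing).
admin_ssl_bool("true") -> true;
admin_ssl_bool("false") -> false.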



------------


%% Stop the listeners this module started: first the clear-text one registered
%% as couch_httpd, then -- best effort -- the TLS one registered as https.
%% The second stop sits behind a bare `catch`, so a missing https listener does
%% not make stop/0 fail; note that this also swallows any real shutdown error
%% and yields {'EXIT', _} as the return value in that case.
stop() ->
    PlainName = couch_httpd,
    TlsName = https,
    mochiweb_http:stop(PlainName),
    catch mochiweb_http:stop(TlsName).

changed to the following code:

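%% Stop both listeners started by this module: the clear-text one registered
%% as couch_httpd and the TLS admin one registered as admin_https -- the names
%% start_link/1 uses (NOTE(review): this assumes the mochiweb server is
%% registered under the name handed to start_link/2, which is also what
%% mochiweb_http:stop/1 relies on here).
%%
%% The TLS listener is optional (it only exists if a [daemons] entry started
%% it), so its absence is tolerated explicitly instead of with a bare `catch`,
%% which also hid genuine shutdown failures of a running listener.
stop() ->
    mochiweb_http:stop(couch_httpd),
    case whereis(admin_https) of
        undefined ->
            ok;
        _Pid ->
            mochiweb_http:stop(admin_https)
    end.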





Best regards,


Michael

Re: CouchDB Admin Local Port over https

Posted by Joan Touzet <wo...@apache.org>.
Hi there Michael,

You're right, out of the box, there is no way to make port 5986 SSL
native at this time, sorry. If you need secure off-box access to it,
we recommend the use of a reverse proxy that does SSL termination for
you running on the same machine. This could be stunnel, haproxy, nginx,
etc.

If you are interested in submitting your patch for inclusion in the
future for CouchDB, we'd love a pull request at:

  https://github.com/apache/couchdb/pulls

so we can review the quality of the code and improve it before it lands.
(Your hack below is not quite up to code review levels yet.)

Note that configuration for the SSL (6984) port has CHANGED with 2.3.0,
see my recent email to the user@ and dev@ mailing lists on this topic.


HOWEVER:

We strongly recommend binding port 5986 only to localhost.

NEVER expose the node-local port (5986) on a public Internet-facing
interface.

IF you have a secondary private network to which it can be bound,
separate from your public interface, you can consider binding it to
that interface.

-Joan

----- Original Message -----
> From: "Michael Scharrer" <mi...@hotmail.de>
> To: "CouchDB Developers" <de...@couchdb.apache.org>
> Sent: Tuesday, November 20, 2018 6:54:57 AM
> Subject: CouchDB Admin Local Port over https
> 
> Hello,
> 
> currently I am running CouchDB Version 2.2 on the following Ports,
> 5984,5986, 6984 (ssl)
> 
> But it is also required to start the port 5986 over SSL as safety
> aspects because non ssl is not allowed anymore in my usecase, but
> this seems not possible while looking upon to the Erlang Module
> couch_httpd.erl... The webserver would also start with the existing
> Port 6984..
> 
> local.ini:
> 
> [daemons]
> httpsd = {chttpd, start_link, [https]}
> admin_httpds = {couch_httpd, start_link, [https]}
> 
> 
> Here you will find my example to start the non local http port 5986
> as ssl admin port with 6986:
> 
> 
> -module(couch_httpd).
> 
> start_link() ->
>     start_link(http).
> start_link(http) ->
>     Port = config:get("httpd", "port", "5984"),
>     start_link(?MODULE, [{port, Port}]);
> start_link(https) ->
>     % Port = config:get("ssl", "port", "6984"),
>     Port = config:get("ssl", "adminport", "6986"),
>     {ok, Ciphers} = couch_util:parse_term(config:get("ssl",
>     "ciphers", undefined)),
>     {ok, Versions} = couch_util:parse_term(config:get("ssl",
>     "tls_versions", undefined)),
>     {ok, SecureRenegotiate} = couch_util:parse_term(config:get("ssl",
>     "secure_renegotiate", undefined)),
>     ServerOpts0 =
>         [{cacertfile, config:get("ssl", "cacert_file", undefined)},
>             {keyfile, config:get("ssl", "key_file", undefined)},
>             {certfile, config:get("ssl", "cert_file", undefined)},
>             {password, config:get("ssl", "password", undefined)},
>             {secure_renegotiate, SecureRenegotiate},
>             {versions, Versions},
>             {ciphers, Ciphers}],
> 
>     case (couch_util:get_value(keyfile, ServerOpts0) == undefined
>     orelse
>         couch_util:get_value(certfile, ServerOpts0) == undefined) of
>         true ->
>             couch_log:error("SSL enabled but PEM certificates are
>             missing", []),
>             throw({error, missing_certs});
>         false ->
>             ok
>     end,
> 
>     ServerOpts = [Opt || {_, V}=Opt <- ServerOpts0, V /= undefined],
> 
>     ClientOpts = case config:get("ssl", "verify_ssl_certificates",
>     "false") of
>                      "false" ->
>                          [];
>                      "true" ->
>                          FailIfNoPeerCert = case config:get("ssl",
>                          "fail_if_no_peer_cert", "false") of
>                                                 "false" -> false;
>                                                 "true" -> true
>                                             end,
>                          [{depth, list_to_integer(config:get("ssl",
>                              "ssl_certificate_max_depth", "1"))},
>                              {fail_if_no_peer_cert,
>                              FailIfNoPeerCert},
>                              {verify, verify_peer}] ++
>                          case config:get("ssl", "verify_fun",
>                          undefined) of
>                              undefined -> [];
>                              SpecStr ->
>                                  [{verify_fun,
>                                  make_arity_3_fun(SpecStr)}]
>                          end
>                  end,
>     SslOpts = ServerOpts ++ ClientOpts,
> 
>     Options =
>         [{port, Port},
>             {ssl, true},
>             {ssl_opts, SslOpts}],
>     %start_link(https, Options).
>     start_link(admin_https, Options).
> 
> 
> 
> ------------
> 
> 
> stop() ->
>     mochiweb_http:stop(couch_httpd),
>     catch mochiweb_http:stop(https).
> 
> to the following code:
> 
> stop() ->
> mochiweb_http:stop(couch_httpd),
> catch mochiweb_http:stop(admin_https).
> 
> 
> 
> 
> 
> Best regards,
> 
> 
> Michael
>