Posted to user@couchdb.apache.org by Nicholas Orr <ni...@zxgen.net> on 2009/05/05 05:03:10 UTC

Re: auth using Nginx as proxy

Hmm...
I've made this mod to local.ini

[httpd]
bind_address = 209.x.76.x

So browsing to http://209.x.76.x:5984 results in this response
> {"couchdb":"Welcome","version":"0.9.0"}

No basic auth nothing. Just straight in.

Now I don't want the world having access to couchdb... I do want access
to futon though, only for me though. So logical step is to put couch back to
127.0.0.1 and stick nginx in the middle to auth/proxy to couchdb

Changed local.ini back
[httpd]
;bind_address = 127.0.0.1

Added a server block to nginx.conf
server {
    listen 443;
    server_name futon;
    ssl on;
    ssl_certificate /etc/nginx/ssl/futon.crt;
    ssl_certificate_key /etc/nginx/ssl/futon.key;
    access_log /var/log/nginx/futon.access.log main;
    error_log /var/log/nginx/futon.error.log;
    location / {
        proxy_pass http://localhost:5984;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #auth_basic "nginx";
        #auth_basic_user_file /etc/nginx/futon_users;
    }
}

Note I have commented out auth for now - just want to make sure it works
first.

Now browsing to https://futon/ results in
> {"couchdb":"Welcome","version":"0.9.0"}

Good stuff!! No prompts to auth to nginx or couchdb.

Uncomment the auth stuff and restart nginx
Now I get a prompt to auth in realm "nginx" - which is expected.
Auth ok then I get a prompt to auth in realm "administrator" - not
expected...

I read the wiki page and down the bottom it mentions passing more headers.
Updated nginx conf is:

server {
    listen 443;
    server_name futon;
    ssl on;
    ssl_certificate /etc/nginx/ssl/futon.crt;
    ssl_certificate_key /etc/nginx/ssl/futon.key;
    access_log /var/log/nginx/futon.access.log main;
    error_log /var/log/nginx/futon.error.log;
    location / {
        proxy_pass http://localhost:5984;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_hide_header Authorization;
        proxy_hide_header WWW-Authenticate;
        auth_basic "nginx";
        auth_basic_user_file /etc/nginx/futon_users;
    }
}

Restart nginx. goto https://futon/ prompted to auth in realm "nginx". ok,
response is
> {"error":"unauthorized","reason":"Name or password is incorrect."}

So what is going on here?

I don't see why I'd need to make the change in local.ini that is being
suggested as I don't want any auth at all on couchdb. I did make the change
to see what happens

[httpd]
bind_address = 209.x.76.x
authentication_handler = {couch_httpd, null_authentication_handler}

response I got was: {"error":"unknown_error","reason":"undef"}

So that doesn't work anyway.

Right now the only way I see being able to connect to 127.0.0.1:5984 is via
a ssh tunnel - which works - however it is not ideal.

You guys that claim to have nginx proxy to couchdb - are you then using a
user/pass everywhere (in code running on localhost)? I don't want to do that
and seems entirely possible. Must be more nginx params to specify to achieve
it..

Nick

On Mon, Apr 13, 2009 at 9:37 AM, Samuel Wan <sa...@samuelwan.com> wrote:

> Thanks Jan, both of your suggestions work as described.
>
> In case anyone else is interested, I wasn't able to suppress the
> authentication headers with either the Nginx directives
> "set_hide_header Authorization" or "set_hide_header WWW-Authenticate".
>
> -Sam
>
> On Sun, Apr 12, 2009 at 3:32 AM, Jan Lehnardt <ja...@apache.org> wrote:
> > Hi,
> >
> > I think nginx passes on auth headers and the default auth handler
> > in CouchDB then tries to verify it which it can't because you don't
> > have any admins. What works, I think, is to have the same username
> > and password combinations for CouchDB and the upstream proxy.
> >
> > If that's not feasible, I committed the `null_authentication_handler`
> > that just accepts everybody.
> >
> > in your `local.ini` set:
> >
> > [httpd]
> > authentication_handler = {couch_httpd, null_authentication_handler}
> >
> > Note that this is available only in trunk since r762574
> >
> > Cheers
> > Jan
> > --
> >
> >
> > On 12 Apr 2009, at 07:29, Samuel Wan wrote:
> >
> >> I have also set up nginx as a reverse proxy to couchdb, and also
> >> encountered the second login prompt mentioned by Alex Rudyk in his
> >> email quoted below. The second authentication prompt looks like this:
> >>
> >>      A username and password are being requested by http://<ip address>.
> >>      The site says: "administrator"
> >>
> >> I've confirmed that the proxy works without the auth turned on (except
> >> for the known couch.js subdirectory URL issue). I've also confirmed
> >> that the default.ini and couchdb.ini files don't have admin
> >> username/passwords activated.
> >>
> >> Here is my nginx configuration.
> >>
> >>       location /couchdb {
> >>               rewrite /couchdb/(.*) /$1 break;
> >>               proxy_pass http://localhost:5984;
> >>               proxy_redirect     off;
> >>               proxy_set_header   Host             $host;
> >>               proxy_set_header   X-Real-IP        $remote_addr;
> >>               proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_fo$
> >>               auth_basic "Restricted";
> >>               auth_basic_user_file htpasswd;
> >>       }
> >>
> >> Does the auth_basic directive pass along some kind of authentication
> >> request to the proxied CouchDB server? It seems that the CouchDB
> >> authentication is getting triggered even though I haven't modified the
> >> local.ini or default.ini files.
> >>
> >> -Sam
> >>
> >> ---------------------
> >> From    "Alex Rudyk" <al...@gmail.com>
> >> Subject Basic auth using Nginx as proxy
> >> Date    Mon, 12 Jan 2009 03:13:06 GMT
> >>
> >> I am trying to set up basic auth for couchdb that is proxied by Nginx.
> >> I set up the nginx proxy and it works very well, but when I add basic auth
> >> for nginx it passes the Nginx basic auth module, but the browser shows the
> >> "enter user name and password" dialog once again with realm "administrator",
> >> which I think comes from couchdb's new default_authentication_handler. My
> >> nginx realm name is "Restricted".
> >> Here is nginx config file:
> >>
> >> server {
> >>     listen        8088;
> >>     server_name   couchdb;
> >>     location / {
> >>         proxy_pass http://127.0.0.1:5984;
> >>         proxy_redirect off;
> >>         proxy_set_header   Port             $proxy_port;
> >>         proxy_set_header   X-Real-IP        $remote_addr;
> >>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
> >>
> >>         auth_basic            "Restricted";
> >>         auth_basic_user_file  htpasswd;
> >>     }
> >> }
> >>
> >> Does anybody have some ideas how to fix this?
> >>
> >
> >
>

Re: auth using Nginx as proxy

Posted by Chris Anderson <jc...@apache.org>.
On Tue, May 5, 2009 at 7:46 PM, Curt Arnold <ca...@apache.org> wrote:
>
> On May 5, 2009, at 12:37 AM, Nicholas Orr wrote:
>
>> Well that makes sense. I have an ebuild here for getting the trunk version
>> installed. Think I'll just wait for 0.10 and use ssh tunnels for now.
>>
>> Thanks Chris :)
>>
>
> I was running into the same thing using Apache httpd as a reverse proxy and
> was excited to learn about null_authentication_handler.  I upgraded to SVN
> HEAD and switched (or so I thought) to null_authentication_handler but
> was still prompted for credentials.  I didn't get a configuration error
> like I would expect if I was running 0.9.0, but didn't see any change of
> behavior.
>

sometimes this happens if the browser sends old credentials to a
CouchDB that no longer needs them. Often clicking cancel is all it
takes to get back to normal.

> Unfortunately, I haven't had a chance to confirm the behavior on a fresh
> install with no previous couchdb, but will try that tomorrow.
>



-- 
Chris Anderson
http://jchrisa.net
http://couch.io

Re: auth using Nginx as proxy

Posted by Curt Arnold <ca...@apache.org>.
On May 5, 2009, at 12:37 AM, Nicholas Orr wrote:

> Well that makes sense. I have an ebuild here for getting the trunk version
> installed. Think I'll just wait for 0.10 and use ssh tunnels for now.
>
> Thanks Chris :)
>

I was running into the same thing using Apache httpd as a reverse
proxy and was excited to learn about null_authentication_handler.  I
upgraded to SVN HEAD and switched (or so I thought) to
null_authentication_handler but was still prompted for
credentials.  I didn't get a configuration error like I would
expect if I was running 0.9.0, but didn't see any change of behavior.

Unfortunately, I haven't had a chance to confirm the behavior on a  
fresh install with no previous couchdb, but will try that tomorrow.

Re: auth using Nginx as proxy

Posted by Nicholas Orr <ni...@zxgen.net>.
Well that makes sense. I have an ebuild here for getting the trunk version
installed. Think I'll just wait for 0.10 and use ssh tunnels for now.

Thanks Chris :)

On Tue, May 5, 2009 at 1:39 PM, Chris Anderson <jc...@apache.org> wrote:

> On Mon, May 4, 2009 at 8:03 PM, Nicholas Orr <ni...@zxgen.net> wrote:
>
> > I don't see why I'd need to make the change in local.ini that is being
> > suggested as I don't want any auth at all on couchdb. I did make the change
> > to see what happens
> >
> > [httpd]
> > bind_address = 209.x.76.x
> > authentication_handler = {couch_httpd, null_authentication_handler}
> >
> > response I got was: {"error":"unknown_error","reason":"undef"}
>
> This looks like you are using a version of CouchDB prior to the
> addition of the null_authentication_handler.
>
> null_authentication_handler is designed for use with nginx in this
> configuration. the simplest option is to upgrade couchdb to latest
> trunk.
>
> if you can't do that for some reason you'll need to try something
> else, like perhaps preventing nginx from forwarding the headers.
>
> good luck!
>
> --
> Chris Anderson
> http://jchrisa.net
> http://couch.io
>

Re: auth using Nginx as proxy

Posted by Chris Anderson <jc...@apache.org>.
On Mon, May 4, 2009 at 8:03 PM, Nicholas Orr <ni...@zxgen.net> wrote:

> I don't see why I'd need to make the change in local.ini that is being
> suggested as I don't want any auth at all on couchdb. I did make the change
> to see what happens
>
> [httpd]
> bind_address = 209.x.76.x
> authentication_handler = {couch_httpd, null_authentication_handler}
>
> response I got was: {"error":"unknown_error","reason":"undef"}

This looks like you are using a version of CouchDB prior to the
addition of the null_authentication_handler.

null_authentication_handler is designed for use with nginx in this
configuration. the simplest option is to upgrade couchdb to latest
trunk.

if you can't do that for some reason you'll need to try something
else, like perhaps preventing nginx from forwarding the headers.

good luck!




-- 
Chris Anderson
http://jchrisa.net
http://couch.io
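
The option Chris mentions, preventing nginx from forwarding the headers, follows from documented nginx behaviour: a proxy_set_header field whose value is an empty string is not passed to the proxied server, while proxy_hide_header only filters response headers on their way back to the client. The block below is an added example, not a config posted by anyone in this thread; it reuses the server name and file paths from Nicholas's message and assumes CouchDB stays bound to 127.0.0.1 with no admins defined.

```nginx
# Added example (not from the thread). Server name and paths are taken from
# Nicholas's post; the "Authorization" line is the part being illustrated.
server {
    listen 443;
    server_name futon;

    ssl on;   # syntax as used in the post; current nginx uses "listen 443 ssl;"
    ssl_certificate     /etc/nginx/ssl/futon.crt;
    ssl_certificate_key /etc/nginx/ssl/futon.key;

    access_log /var/log/nginx/futon.access.log main;
    error_log  /var/log/nginx/futon.error.log;

    location / {
        # nginx verifies the Basic credentials itself, before proxying.
        auth_basic           "nginx";
        auth_basic_user_file /etc/nginx/futon_users;

        # Upstream is loopback only, so nginx is the only network path in.
        proxy_pass     http://127.0.0.1:5984;
        proxy_redirect off;

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Request direction (client -> CouchDB): an empty value means the
        # field is not sent upstream, so CouchDB never sees the nginx
        # username/password and has nothing to reject.
        proxy_set_header Authorization "";

        # Response direction (CouchDB -> client): proxy_hide_header drops
        # headers from the upstream reply. It has no effect on the request
        # that nginx sends to CouchDB, which is why the config in the first
        # message still ended in "Name or password is incorrect."
        # proxy_hide_header Authorization;
        # proxy_hide_header WWW-Authenticate;
    }
}
```

With either this approach or null_authentication_handler, CouchDB itself accepts every request it receives, so the nginx auth_basic check and the loopback bind_address are the only access controls in place.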