Setting up replication to CouchDB


Oliver Frommel

Sep 18, 2015, 11:08:47 AM9/18/15
to PouchDB
Hi,

I have a working PouchDB app with replication to CouchDB, but now that I am deploying it to the Internet I want to set things up a bit more securely, so I am accessing the CouchDB only through TLS behind a HAProxy. This seems to work so far, as I can access Futon with HTTPS. 

Unfortunately I can't get authenticated replication to work. I tried both logging in with

    dbremote.login('admin', 'xyz1234').then(function (arg) {
        console.log("Admin logged in.");
        console.log(arg);
    });

and providing username/password in the db URL like this:


    var dbremote = new PouchDB('https://admin:xyz...@couch.mydomain.org/todo');


The last of these approaches leads to a CORS preflight error, because afaik providing authentication with an OPTIONS call isn't valid or something along these lines. I couldn't find a way around this, though. Both the webserver and the CouchDB server are running in the same domain, so there wouldn't be a need for CORS anyway, but I couldn't find a way to disable it, either.


What can I do to get authenticated replication over HTTPS working?


Thanks

Oliver


Nolan Lawson

Oct 2, 2015, 1:21:21 PM10/2/15
to PouchDB
CouchDB behind a proxy is somewhat difficult to set up. In my experience I've only ever gotten Nginx to work (works with TLS as well): https://wiki.apache.org/couchdb/Nginx_As_a_Reverse_Proxy#Reverse_proxy_for_a_subdirectory

Not sure about Haproxy, although if you provide more details, someone might be able to help...

- Nolan

Oliver Frommel

Dec 8, 2015, 3:46:36 PM12/8/15
to PouchDB
Thanks for the hints. I finally got this thing to work, and as a bonus I was using Let's Encrypt certificates, so here it goes:

- get certificates from Let's Encrypt, e.g.
./letsencrypt-auto certonly --standalone -d mydomain
(this only works if you have no other process running on port 80)

- concatenate the relevant server cert, intermediate cert and private key into a single pem file:
cd /etc/letsencrypt/live/mydomain/
cat cert.pem fullchain.pem privkey.pem > all.pem

- configure HAProxy in SSL termination mode:
  # TLS terminates at HAProxy; CouchDB behind it only speaks plain HTTP on loopback
  frontend https-in
        bind 123.123.123.123:443 ssl crt /etc/letsencrypt/live/mydomain/all.pem
        use_backend bk_ssl_couchdb if { hdr_end(host) -i mydomain }
        default_backend bk_ssl_default

  backend bk_ssl_couchdb
        server couchdb 127.0.0.1:5984 check
        # tell CouchDB which port/scheme the client actually used
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }


Be sure to bind CouchDB to localhost only (default.ini):
[httpd]
port = 5984
bind_address = 127.0.0.1
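The two client-side approaches from the first post (credentials embedded in the database URL versus a session login) and the HTTPS-behind-a-proxy setup from the last post can be tied together on the client. The following is an added example written for this thread; it is not code from the thread, from PouchDB or from CouchDB. It assumes Node 18 or newer (global fetch and URL), that the server exposes CouchDB's standard /_session cookie-login endpoint through the proxy, that the hostname couch.example.test and the credentials are placeholders, and that the fetch implementation can be injected so the flow can be exercised offline.

```javascript
// Added example (not from the thread): a PouchDB client talking to a CouchDB
// that sits behind a TLS-terminating proxy, without credentials in the URL.
// Assumptions: Node 18+ (global fetch/URL), standard CouchDB /_session API,
// placeholder host couch.example.test, fetchImpl injectable for offline use.

// Reject the 'https://user:pass@host/db' form tried in the first post: the
// credentials land in logs and browser history and ride on every request,
// and the thread reports that this form fails at the CORS preflight.
// Also insist on https so the proxy's TLS termination is actually used.
function checkRemoteUrl(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:') {
    throw new Error('remote CouchDB must be reached over https, got ' + url.protocol);
  }
  if (url.username || url.password) {
    throw new Error('do not embed credentials in the replication URL; log in for a session cookie instead');
  }
  // https://couch.example.test/todo -> { origin, database: 'todo' }
  return { origin: url.origin, database: url.pathname.replace(/^\/+|\/+$/g, '') };
}

// Build the cookie-login request: POST /_session with the credentials as JSON.
// This is modelled on what the dbremote.login() call in the first post does;
// the cookie CouchDB returns is what later replication requests carry.
function buildSessionRequest(origin, name, password) {
  return {
    url: origin + '/_session',
    init: {
      method: 'POST',
      credentials: 'include', // let the browser store and resend AuthSession
      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
      body: JSON.stringify({ name: name, password: password }),
    },
  };
}

// Extract the AuthSession value from a Set-Cookie header. A proxy in SSL
// termination mode (like the HAProxy config above) must pass this header
// through unchanged, otherwise the login "succeeds" but no session sticks.
function authSessionFromSetCookie(setCookie) {
  if (!setCookie) return null;
  const m = /(?:^|;\s*|,\s*)AuthSession=([^;,\s]*)/.exec(setCookie);
  return m ? m[1] : null;
}

// Full login flow. In Node the Set-Cookie header is readable; in a browser
// fetch hides it and the browser stores the cookie itself, so cookie is null
// there even though the session was established.
async function login(rawUrl, name, password, fetchImpl = globalThis.fetch) {
  const remote = checkRemoteUrl(rawUrl);
  const req = buildSessionRequest(remote.origin, name, password);
  const res = await fetchImpl(req.url, req.init);
  if (!res.ok) throw new Error('CouchDB login failed: HTTP ' + res.status);
  const body = await res.json(); // e.g. {"ok":true,"name":"admin","roles":["_admin"]}
  const cookie = authSessionFromSetCookie(res.headers.get('set-cookie'));
  return { database: remote.database, user: body.name, roles: body.roles, cookie: cookie };
}

// Usage (placeholder host and credentials; requires a reachable server):
//   login('https://couch.example.test/todo', 'admin', 'xyz1234').then(function (s) {
//     // now replicate with a plain URL; the browser attaches the session cookie
//     // local.sync('https://couch.example.test/' + s.database);
//   });
```

The point of splitting the login out from the replication URL is that the database handle itself never carries a secret; once the session cookie exists, a plain `https://` URL is enough for `sync`, and rotating the admin password does not require touching every place the URL appears.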
