CouchDB + HTTPS + CORS


Conor Mac Aoidh

Sep 15, 2015, 10:46:26 AM
to us...@couchdb.apache.org
Hi All,

I am trying to set up CouchDB with HTTPS support and CORS. Having read
the docs, I set up the couch configuration as follows:

➜ curl -X GET https://example.com:6984/_config/cors
{"credentials":"true","origins":"https://example.com","methods":"GET,
PUT, POST, HEAD, DELETE, OPTIONS","headers":"accept, authorization,
content-type, origin, referer, x-csrf-token,
access-control-request-method, access-control-request-headers,
x-requested-with"}

This looks ok. And options requests with CURL work too:

➜ curl -i -X OPTIONS -H 'Origin: https://example.com' -H 'Access-Control-Request-Method: POST' https://example.com:6984/templates/
HTTP/1.1 204 No Content
Server: CouchDB/1.6.1 (Erlang OTP/R16B03)
Date: Tue, 15 Sep 2015 14:21:18 GMT
Content-Length: 0
Access-Control-Max-Age: 12345
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, OPTIONS
Access-Control-Allow-Headers:
Access-Control-Allow-Credentials: true

➜ curl -i -X OPTIONS -H 'Origin: https://example.com' -H 'Access-Control-Request-Method: POST' -H 'Access-Control-Request-Headers: X-Requested-With' https://example.com:6984/templates/
HTTP/1.1 204 No Content
Server: CouchDB/1.6.1 (Erlang OTP/R16B03)
Date: Tue, 15 Sep 2015 14:21:34 GMT
Content-Length: 0
Access-Control-Max-Age: 12345
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE, OPTIONS
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Credentials: true

However, in the browser, I get strange results. In Chrome, requests to
couchdb fail with the following error:

net::ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED

No response data is logged, and the request does not even make it to
couchdb as far as I can tell from the logs.

In Firefox, I get the following error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at
https://example.com:6984/templates/_design/templates/_view/all. (Reason:
CORS request failed).

I'm not sure why this is happening, as the CURL request works and the
configuration seems to be correct. Has anyone got any suggestions for
debugging this?

Thanks

Conor



Aurélien Bénel

Sep 15, 2015, 12:26:17 PM
to us...@couchdb.apache.org
Hi Conor,
Should we assume you also set `enable_cors`?

[httpd]
enable_cors = true


Regards,

Aurélien

Conor Mac Aoidh

Sep 16, 2015, 5:51:50 AM
to us...@couchdb.apache.org
Hi yes, 'enable_cors' is set to true. I think it could be a server
configuration problem as couchdb config looks ok.

Thanks

Conor

Foucauld Degeorges

Sep 16, 2015, 6:04:13 AM
to us...@couchdb.apache.org
Hi Conor,

I've had issues with CouchDB's HTTPS in general. Same type of symptoms:
curl works OK, browsers don't. I thought it might be specific to
self-signed SSL certificates, but I never tried with a regular certificate.
Anyway, a previous email on this mailing list hinted that CouchDB's Erlang
implementation of SSL may be buggy. The suggestion was to use an
HTTP<->HTTPS proxy in front of CouchDB, such as stunnel.
Here's a "self-solved" issue on StackOverflow:
http://stackoverflow.com/questions/30939983/couchdb-over-https-and-self-certified-certificate-browsers-reject-it

Regards
Foucauld

Conor Mac Aoidh

Sep 16, 2015, 6:22:40 AM
to us...@couchdb.apache.org
Hi Foucauld,

Thanks for the useful link.

However, I'm not using a self-signed cert. Also, I already have a proxy
that implements SSL + JWT authentication for couchdb. I'm currently
trying to remove that proxy (due to the recent creation of a JWT
authentication plugin for couch), and connect directly to couch. If I
can't get this working, I might end up using stunnel as it is a minimal,
efficient proxy. But I had hoped to do everything with couch, so that
it would scale up easily.

Thanks

Conor

max

Oct 1, 2015, 8:34:00 AM
to us...@couchdb.apache.org
Hi,

I got a similar issue some months ago and I fixed it by adding headers
configuration in the CORS section:

credentials = false
headers = Authorization,Content-Type,Accept
methods = GET, POST, PUT, DELETE
origins = *

Hope it'll help you.

Max.
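
The preflight response quoted in the first message and the `origins` / `credentials` settings in the last reply can be checked offline against the rules a browser applies to a CORS preflight. The JavaScript below is an added example, not code from any poster or from CouchDB; `checkPreflight`, its request object and the wildcard response are hypothetical, and the check is a simplified model of the browser's logic.

```javascript
// Added example: simplified model of a browser's CORS preflight check.
// Response header names are lower-cased keys; req.headers lists the names the
// browser would send in Access-Control-Request-Headers.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Returns [] when the preflight passes, else the reasons a browser would block.
function checkPreflight(req, res) {
  const problems = [];
  const wildcardOk = !req.withCredentials; // "*" is honoured only without credentials
  const allowOrigin = res["access-control-allow-origin"];
  if (allowOrigin !== req.origin && !(allowOrigin === "*" && wildcardOk)) {
    problems.push(`origin not allowed (got ${allowOrigin})`);
  }
  if (req.withCredentials && res["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not 'true'");
  }
  const methods = splitList(res["access-control-allow-methods"]);
  const methodOk = SAFELISTED_METHODS.has(req.method) || methods.includes(req.method) ||
    (wildcardOk && methods.includes("*"));
  if (!methodOk) problems.push(`method not allowed: ${req.method}`);
  const allowed = splitList(res["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const name of req.headers.map((h) => h.toLowerCase())) {
    const viaWildcard = wildcardOk && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) problems.push(`header not allowed: ${name}`);
  }
  return problems;
}

// Header values copied from the second curl output in the first message.
const capturedResponse = {
  "access-control-allow-origin": "https://example.com",
  "access-control-allow-methods": "GET, PUT, POST, HEAD, DELETE, OPTIONS",
  "access-control-allow-headers": "X-Requested-With",
  "access-control-allow-credentials": "true",
};
// Constructed response: assumes a server with origins = * answers with a literal "*".
const wildcardResponse = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, POST, PUT, DELETE",
  "access-control-allow-headers": "Authorization,Content-Type,Accept",
};
const post = { origin: "https://example.com", method: "POST", headers: ["X-Requested-With"], withCredentials: true };
console.log(checkPreflight(post, capturedResponse));
console.log(checkPreflight({ ...post, headers: [] }, wildcardResponse));
```

A clean result covers only the CORS headers; a TLS handshake failure such as the Chrome error quoted in the first message occurs before any of these headers are read.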