SSL configuration possibilities


Thiago Alencar

Oct 31, 2014, 4:21:54 AM
to mobile-c...@googlegroups.com
Hello there,

I'm having doubts about the possible ways to add SSL to the connection between CBLReplication and the Sync gateway, please clarify:

- In the case of using a proxy in front of the sync gateway (e.g.: nginx), do I need to specify "secure": NO to the CBLReplication's setCookie method, or is an https:// URL enough?

- What does the secure parameter look like for the situation where the sync gateway itself has SSL enabled?

- And finally, does using certificate pinning have any effect regarding the questions above?

Thanks in advance,
Thiago

Jens Alfke

Oct 31, 2014, 3:03:40 PM
to mobile-c...@googlegroups.com

On Oct 31, 2014, at 1:21 AM, Thiago Alencar <thia...@gmail.com> wrote:

> - In the case of using a proxy in front of the sync gateway (e.g.: nginx), do I need to specify "secure": NO to the CBLReplication's setCookie method, or is an https:// URL enough?

This doesn't have anything to do with using a proxy. The 'secure' flag is the same as the 'secure' property of a cookie itself (as defined by whatever RFC.) It specifies that the cookie should only be sent over a secure connection (SSL/TLS). So its only effect would be if you set secure:YES but used an http: URL, in which case the cookie would not be sent.

We are working on official documentation of how to configure nginx for use with the Sync Gateway. In the meantime, there have been several threads here very recently discussing it, that may be helpful. (You'll see a lot of references to a problem with WebSockets. We've figured this out; the workaround is to make sure to specify an explicit port number in the replication URL, even if it's the default SSL port 443; e.g. "https://example.com:443/db/".)

—Jens
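
The rule described in the reply above (a cookie marked secure is withheld from an http: URL, regardless of whether a proxy or the gateway terminates TLS), shown as an added example that is not part of the original thread and is not Couchbase Lite code. It models the client side with Python's standard cookie jar; the cookie name, value and URLs are constructed for illustration.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def cookie_header_for(url, secure):
    """Return the Cookie header a standards-following client attaches to a
    request for `url`, or None when the cookie is withheld."""
    # Constructed sample cookie; name and value are illustrative only.
    cookie = Cookie(
        version=0, name="SyncGatewaySession", value="constructed-session-id",
        port=None, port_specified=False,
        domain="example.com", domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )
    jar = CookieJar()
    jar.set_cookie(cookie)

    # No network traffic: the jar only decides which cookies match the request.
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    # The client sees only the URL scheme, so the result is the same whether
    # nginx or the gateway itself terminates TLS behind that URL.
    for url in ("https://example.com:443/db/", "http://example.com/db/"):
        for secure in (True, False):
            sent = cookie_header_for(url, secure)
            print(f"{url} secure={secure} -> {sent}")
```
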

Thiago Alencar

Nov 1, 2014, 5:35:37 PM
to mobile-c...@googlegroups.com
Thanks Jens!

Marcus Roberts

Nov 2, 2014, 7:58:01 AM
to mobile-c...@googlegroups.com
I've written up my experiences with setting up and testing Couchbase Lite being proxied over SSL by nginx here:


Hopefully there's some useful information in there.