Expected Behavior
It should not be assumed that CouchDB listens directly to incoming traffic. There can be, for example, Nginx on the same machine for SSL termination or other reasons - in this case the CouchDB node can bind to 127.0.0.1:5984 and Nginx can bind to 0.0.0.0:443 (or another network address) and act as a proxy.
Current Behavior
Cookbook fails if couchdb_node is of type "clustered" and bind_address is "127.0.0.1".
It says it's not allowed to bind to 127.0.0.1 in clustered mode.
Possible Solution
Drop the restriction of 127.0.0.1 in clustered mode.
Steps to Reproduce (for bugs)
Use resource "couchdb_node" with attributes:
type "clustered"
bind_address "127.0.0.1"
Context
In our setup we are using OpenResty Nginx in front of CouchDB for a couple of reasons.
We require that all network traffic is encrypted - even internal. SSL termination provided by Nginx is stable, while recently there were problems with SSL directly on CouchDB, and even Jan Lehnardt suggested using a proper SSL termination solution.
We are using OAuth 2.0 to authenticate access to any resources. CouchDB doesn't support it, but we have found a way to use it with CouchDB. OpenResty Nginx provides the auth_request directive, allowing request headers to be sent to a different web service. So we have created such a service, and based on the OAuth token it decides if Nginx should let the request go to CouchDB or deny it.
So in this setup CouchDB, Nginx and the OAuth verification service work as one logical web service - secured CouchDB exposed to client apps.
Your Environment
Version used: 3.0.3
Chef version: 12.21.26
Operating System and version: Ubuntu 14.04
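
The reverse-proxy layout described in this issue, sketched as an Nginx server block (an added example, not the reporter's configuration and not part of the cookbook). The server name, certificate paths, the `/_oauth_verify` location name and the verification service on 127.0.0.1:9000 are assumptions.

```nginx
# Added illustration. Names, paths and the verifier port are placeholders.
server {
    # Nginx is the only listener reachable from the network.
    listen 0.0.0.0:443 ssl;
    server_name couchdb.example.internal;               # placeholder

    ssl_certificate     /etc/nginx/tls/couchdb.crt;      # placeholder path
    ssl_certificate_key /etc/nginx/tls/couchdb.key;      # placeholder path
    ssl_protocols       TLSv1.2;                         # add TLSv1.3 where the build supports it

    location / {
        # Every request triggers a subrequest to the verifier first.
        # 2xx from the verifier lets the request through, 401/403 is
        # returned to the client, any other status is treated as an error.
        auth_request /_oauth_verify;

        # CouchDB is bound to loopback only, as in the issue.
        proxy_pass http://127.0.0.1:5984;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;

        # Continuous _changes feeds stream; do not buffer them.
        proxy_buffering off;
    }

    # Exact-match location used only for the auth subrequest.
    location = /_oauth_verify {
        internal;                                        # not callable by clients
        proxy_pass http://127.0.0.1:9000/verify;         # hypothetical OAuth verifier

        # The verifier decides from headers (the OAuth token), not the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Original-Method $request_method;
    }
}
```

With this in place, `ss -ltn` on the host should show port 5984 bound to 127.0.0.1 only and port 443 bound to the external address, which confirms that no request can reach CouchDB without passing the auth subrequest.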