2016-12-17 178 views
4

UPDATE / SUMMARY: CouchDB permissions over HTTPS

I have written a blog post about the process I went through; the configuration file shown below has changed slightly since then (using HTTPS): https://medium.com/@silverbackdan/installing-couchdb-2-0-nosql-with-centos-7-and-certbot-lets-encrypt-f412198c3051#.216m9mk1m

Main problems:

  • If both HTTP and HTTPS are running, shard databases show up over HTTPS
  • Missing functionality over HTTPS in Fauxton (user management under Admin, configuration management, setup wizard, Mango index/query)
  • Not sure whether they should be, but the databases seen over HTTP and over HTTPS are not the same

I hope I am just missing something really obvious.

Original post:

I am trying to configure HTTPS (SSL) with CouchDB 2.0. I am writing a guide for others to follow, but I have run into a few problems.

I think that over HTTPS I do not have the same permissions as when I enable HTTP and use that. In Fauxton over HTTP I can see the configuration and can run the setup process. Over HTTPS I get errors saying I cannot create databases (which it tries to do automatically) because they begin with an underscore. Most of the databases do get set up, but some, such as "_cluster_setup", show errors when I visit the configuration page.

Also, I get a repeated error message which does not stop CouchDB but says the database "_users" does not exist (database_does_not_exist). It does not exist when I enable and connect over HTTP, but it does exist when I connect over HTTPS. If I enable both HTTP and HTTPS and then connect using HTTPS, I end up with a lot of shard databases (I am new to NoSQL and CouchDB, so I am not sure what these are, but the errors shown are similar to the above: creating databases beginning with an underscore). Either way, I see these shard databases when I log in over HTTPS rather than HTTP (Fauxton shows them as "unable to load", and then I just deleted them from the data directory).

There is also an issue accessing Fauxton over HTTPS using Chrome, but I think that is a known bug, and Firefox or Safari work for now.

Can anyone tell me whether there is any setting that would let connections using HTTPS on port 6984 have the same admin permissions as HTTP on 5984? ... or what permission problem there might be that would cause HTTPS connections to raise these errors about underscores at the beginning of table names, because I think that would basically solve my main problems.

Here is my local.ini file, which may be of some use (I also commented out "httpd = {couch_httpd, start_link, []}" in default.ini, because it says to here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=48203146):

```ini
; CouchDB Configuration Settings

; Custom settings should be made in this file. They will override settings
; in default.ini, but unlike changes made to default.ini, this file won't be
; overwritten on server upgrade.

[couchdb]
;max_document_size = 4294967296 ; bytes
;os_process_timeout = 5000
uuid = **REMOVED**

[couch_peruser]
; If enabled, couch_peruser ensures that a private per-user database
; exists for each document in _users. These databases are writable only
; by the corresponding user. Databases are in the following form:
; userdb-{hex encoded username}
;enable = true
; If set to true and a user is deleted, the respective database gets
; deleted as well.
;delete_dbs = true

[chttpd]
;port = 5984
;bind_address = 0.0.0.0
; Options for the MochiWeb HTTP server.
;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
; For more socket options, consult Erlang's module 'inet' man page.
;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]

[httpd]
; NOTE that this only configures the "backend" node-local port, not the
; "frontend" clustered port. You probably don't want to change anything in
; this section.
; Uncomment next line to trigger basic-auth popup on unauthorized requests.
WWW-Authenticate = Basic realm="administrator"
bind_address = 0.0.0.0
; Uncomment next line to set the configuration modification whitelist. Only
; whitelisted values may be changed via the /_config URLs. To allow the admin
; to change this value over HTTP, remember to include {httpd,config_whitelist}
; itself. Excluding it from the list would require editing this file to update
; the whitelist.
config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]

[query_servers]
;nodejs = /usr/local/bin/couchjs-node /path/to/couchdb/share/server/main.js


[httpd_global_handlers]
;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}

[couch_httpd_auth]
; If you set this to true, you should also uncomment the WWW-Authenticate line
; above. If you don't configure a WWW-Authenticate header, CouchDB will send
; Basic realm="server" in order to prevent you getting logged out.
require_valid_user = true
secret = **REMOVED**

[os_daemons]
; For any commands listed here, CouchDB will attempt to ensure that
; the process remains alive. Daemons should monitor their environment
; to know when to exit. This can most easily be accomplished by exiting
; when stdin is closed.
;foo = /path/to/command -with args

[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /home/couchdb/couchdb/certs/cert.pem
key_file = /home/couchdb/couchdb/certs/privkey.pem
;password = somepassword
; set to true to validate peer certificates
;verify_ssl_certificates = false
; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
;fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
cacert_file = /home/couchdb/couchdb/certs/chain.pem
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
ssl_certificate_max_depth = 1
;
; Reject renegotiations that do not live up to RFC 5746.
secure_renegotiate = true
; The cipher suites that should be supported.
; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
ciphers = undefined
; The SSL/TLS versions to support
tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']

; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
; the Virtual Host will be redirected to the path. In the example below all requests
; to http://example.com/ are redirected to /database.
; If you run CouchDB on a specific port, include the port number in the vhost:
; example.com:5984 = /database
[vhosts]
REMOVEDDOMAIN.COM:* = ./database

[update_notification]
;unique notifier name=/full/path/to/exe -with "cmd line arg"

; To create an admin account uncomment the '[admins]' section below and add a
; line in the format 'username = password'. When you next start CouchDB, it
; will change the password to a hash (so that your passwords don't linger
; around in plain-text files). You can add more admin accounts with more
; 'username = password' lines. Don't forget to restart CouchDB after
; changing this.
[admins]
;admin = mysecretpassword
**REMOVED** = **REMOVED**

[cors]
origins = *
credentials = true
headers = accept, authorization, content-type, origin, referer
methods = GET, PUT, POST, HEAD, DELETE
```

Answer

1

I have been in touch with the CouchDB team via chat. CouchDB has been well tested with haproxy, so I would recommend just using haproxy instead, as Erlang can be difficult to configure for SSL. Once I have everything working I will update the article I wrote with full instructions using haproxy.

+0

Is there an explanation of why HTTP and HTTPS are not the same? It is odd, since this "just worked" in CouchDB 1.6. – neonhomer

+1

Unfortunately, I don't remember. It was just recommended to use haproxy instead, and that works fine. –
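The answer above recommends terminating TLS in haproxy and proxying to CouchDB's clustered HTTP port instead of enabling the Erlang SSL listener. The configuration below is an added example, not code from the original post or the linked article; it assumes the certbot fullchain.pem and privkey.pem have been concatenated into /etc/haproxy/certs/couchdb.pem, that CouchDB's chttpd listener stays bound to 127.0.0.1:5984 so only the proxy can reach it unencrypted, and that no other service is using ports 80, 443 or 6984 on the host.

```haproxy
# Added example (assumed paths/ports): haproxy terminates TLS and forwards
# plain HTTP to the clustered CouchDB interface on localhost. The certificate
# file must contain the full chain followed by the private key in one PEM.
global
    log /dev/log local0
    # Refuse SSLv3 and TLS 1.0/1.1 on every bind line and prefer
    # forward-secret AEAD suites.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Plain-HTTP listener that only redirects, so admin credentials are never
# sent in clear text to the public interface.
frontend couchdb_http
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend couchdb_https
    # 443 for browsers, 6984 to match the port the question expected for HTTPS.
    bind *:443  ssl crt /etc/haproxy/certs/couchdb.pem
    bind *:6984 ssl crt /etc/haproxy/certs/couchdb.pem
    # Tell CouchDB and Fauxton the original scheme; forwardfor adds the client IP.
    http-request set-header X-Forwarded-Proto https
    default_backend couchdb_cluster

backend couchdb_cluster
    # Proxy to the clustered interface (chttpd, 5984), not the node-local
    # backend port, so HTTPS clients see the same databases and Fauxton
    # features as plain HTTP clients do.
    option httpchk GET /
    server couch1 127.0.0.1:5984 check
```

With this in place the CouchDB `[daemons] httpsd` line and `[ssl]` section can stay commented out, and only haproxy needs access to the certificate and key.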