ssl – CouchDB permissions over HTTPS

Update/Summary:

I have created a blog post here about the process I went through; my configuration file has changed slightly from the one below:
https://medium.com/@silverbackdan/installing-couchdb-2-0-nosql-with-centos-7-and-certbot-lets-encrypt-f412198c3051#.216m9mk1m

Main issues with HTTPS:

> Shard dbs are shown over HTTPS if running both HTTP and HTTPS
> Fauxton features missing over HTTPS (admin user management, config management, setup wizard, Mango indexes/queries)
> Not sure if they should be, but the databases over HTTP and HTTPS are not the same

I hope I am just missing something very obvious.

Original post:

I am trying to configure HTTPS (SSL) with CouchDB 2.0. I am writing a guide for others to be able to follow, but have run into a few problems.

I think that over HTTPS I don't have the same permissions as I do when HTTP is enabled. In Fauxton over HTTP I can see the configuration and I can run the setup. Using HTTPS I get errors saying I can't create databases (which it tries to do automatically) because they begin with an underscore. Most of the databases are already set up, but some show errors when I visit the configuration page, e.g. "_cluster_setup".

Also, I get a repeated error message which doesn't stop CouchDB, but says the database "_users" does not exist (database_does_not_exist). It doesn't exist when I enable and connect over HTTP, but it does exist when I connect over HTTPS. If I enable both HTTP and HTTPS, then with my HTTPS connection I end up with a large number of shard databases (I'm new to NoSQL and CouchDB, so I'm not sure what those are, but when the error appears it is similar to the above – creating databases that begin with an underscore). Either way, I see those shard databases when I log in via HTTPS but not via HTTP (Fauxton shows them as "unable to load", and then I just delete them from the data directory for now).

There are also issues accessing Fauxton over HTTPS with Chrome, but I think that is a known bug and Firefox or Safari can be used for now.

Can anyone tell me if there is any setting that means a connection over HTTPS via port 6984 can have the same admin permissions as HTTP on 5984? ...or whether a permissions issue there could be causing the HTTPS connection to give these errors about underscores at the start of table names, because I think that would basically solve my main problem.

Here is my local.ini file, which may be of some use (I also commented out "; httpd = {couch_httpd, start_link, []}" in default.ini, as shown here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=48203146

; CouchDB Configuration Settings

; Custom settings should be made in this file. They will override settings
; in default.ini, but unlike changes made to default.ini, this file won't be
; overwritten on server upgrade.

[couchdb]
;max_document_size = 4294967296 ; bytes
;os_process_timeout = 5000
uuid = **REMOVED**

[couch_peruser]
; If enabled, couch_peruser ensures that a private per-user database
; exists for each document in _users. These databases are writable only
; by the corresponding user. Databases are in the following form:
; userdb-{hex encoded username}
;enable = true
; If set to true and a user is deleted, the respective database gets
; deleted as well.
;delete_dbs = true

[chttpd]
;port = 5984
;bind_address = 0.0.0.0
; Options for the MochiWeb HTTP server.
;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
; For more socket options, consult Erlang's module 'inet' man page.
;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]

[httpd]
; NOTE that this only configures the "backend" node-local port, not the
; "frontend" clustered port. You probably don't want to change anything in
; this section.
; Uncomment next line to trigger basic-auth popup on unauthorized requests.
WWW-Authenticate = Basic realm="administrator"
bind_address = 0.0.0.0
; Uncomment next line to set the configuration modification whitelist. Only
; whitelisted values may be changed via the /_config URLs. To allow the admin
; to change this value over HTTP, remember to include {httpd,config_whitelist}
; itself. Excluding it from the list would require editing this file to update
; the whitelist.
config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]

[query_servers]
;nodejs = /usr/local/bin/couchjs-node /path/to/couchdb/share/server/main.js


[httpd_global_handlers]
;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}

[couch_httpd_auth]
; If you set this to true, you should also uncomment the WWW-Authenticate line
; above. If you don't configure a WWW-Authenticate header, CouchDB will send
; Basic realm="server" in order to prevent you getting logged out.
require_valid_user = true
secret = **REMOVED**

[os_daemons]
; For any commands listed here, CouchDB will attempt to ensure that
; the process remains alive. Daemons should monitor their environment
; to know when to exit. This can most easily be accomplished by exiting
; when stdin is closed.
;foo = /path/to/command -with args

[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /home/couchdb/couchdb/certs/cert.pem
key_file = /home/couchdb/couchdb/certs/privkey.pem
;password = somepassword
; set to true to validate peer certificates
;verify_ssl_certificates = false
; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
;fail_if_no_peer_cert = false
; Path to file containing PEM encoded CA certificates (trusted
; certificates used for verifying a peer certificate). May be omitted if
; you do not want to verify the peer.
cacert_file = /home/couchdb/couchdb/certs/chain.pem
; The verification fun (optional) if not specified, the default
; verification fun will be used.
;verify_fun = {Module, VerifyFun}
; maximum peer certificate depth
ssl_certificate_max_depth = 1
;
; Reject renegotiations that do not live up to RFC 5746.
secure_renegotiate = true
; The cipher suites that should be supported.
; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
ciphers = undefined
; The SSL/TLS versions to support
tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']

; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
; the Virtual Host will be redirected to the path. In the example below all requests
; to http://example.com/ are redirected to /database.
; If you run CouchDB on a specific port, include the port number in the vhost:
; example.com:5984 = /database
[vhosts]
REMOVEDDOMAIN.COM:* = ./database

[update_notification]
;unique notifier name=/full/path/to/exe -with "cmd line arg"

; To create an admin account uncomment the '[admins]' section below and add a
; line in the format 'username = password'. When you next start CouchDB, it
; will change the password to a hash (so that your passwords don't linger
; around in plain-text files). You can add more admin accounts with more
; 'username = password' lines. Don't forget to restart CouchDB after
; changing this.
[admins]
;admin = mysecretpassword
**REMOVED** = **REMOVED**

[cors]
origins = *
credentials = true
headers = accept, authorization, content-type, origin, referer
methods = GET, PUT, POST, HEAD, DELETE
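Added here as an example (not part of the original post or the CouchDB project): a small Python check that parses the HTTPS-related parts of the local.ini above and flags the settings behind the symptoms described. It assumes CouchDB 2.0's split between the clustered chttpd API (port 5984) and the node-local couch_httpd backend, so a TLS listener started with couch_httpd serves the backend, which is where shard databases and a missing _users would be seen.

```python
# Added example, not from the original post or the CouchDB project.
# Assumption: in CouchDB 2.0 the clustered API (port 5984) is served by the
# chttpd module, so the HTTPS listener must also use chttpd; couch_httpd is the
# node-local backend, which exposes shards/... databases directly.
import configparser

# Constructed excerpt of the local.ini posted above (secrets already removed).
LOCAL_INI = """
[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /home/couchdb/couchdb/certs/cert.pem
key_file = /home/couchdb/couchdb/certs/privkey.pem
tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']

[cors]
origins = *
credentials = true
"""


def parse_ini(text):
    # CouchDB ini files use ';' comments, which configparser accepts by default.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def find_issues(cp):
    """Return a list of (severity, message) for the HTTPS-related settings."""
    issues = []
    httpsd = cp.get("daemons", "httpsd", fallback="")
    if "couch_httpd" in httpsd:
        issues.append(("error", "[daemons] httpsd uses couch_httpd, so TLS serves the "
                       "node-local backend, not the clustered API; use "
                       "httpsd = {chttpd, start_link, [https]}"))
    # tls_versions is an Erlang list such as [tlsv1, 'tlsv1.1', 'tlsv1.2'].
    raw = cp.get("ssl", "tls_versions", fallback="[]").strip("[] ")
    versions = {v.strip(" '\"") for v in raw.split(",") if v.strip()}
    legacy = sorted(versions & {"tlsv1", "tlsv1.1"})
    if legacy:
        issues.append(("warn", "[ssl] tls_versions enables legacy protocols: " + ", ".join(legacy)))
    if cp.get("cors", "origins", fallback="") == "*" and cp.getboolean("cors", "credentials", fallback=False):
        issues.append(("warn", "[cors] origins = * with credentials = true: browsers reject "
                       "credentialed requests with a wildcard origin; list origins explicitly"))
    return issues


if __name__ == "__main__":
    for severity, message in find_issues(parse_ini(LOCAL_INI)):
        print(f"{severity}: {message}")
```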

Best answer: I have been in touch with the CouchDB team via chat. CouchDB has been well tested with haproxy, so I was advised to simply use haproxy, since SSL is difficult to configure in Erlang. Once I have everything working, I will update the article I have written to use haproxy.
