HTTPS/SSL Web UI


#1

I’d like to secure the Couchbase UI with an SSL certificate. How would I go about doing this? I can only find information on how to set up SSL for the actual queries.


#2

I’d still like to do this. Anybody know how?


#3

I used this page to help me configure SSL on my Couchbase server.


#4

Hi EdanBrooke -

Here is the link that you might be looking for - http://developer.couchbase.com/documentation/server/4.5/security/security-x509certsintro.html

Hope this helps!

Thanks,
Don


#5

I think y’all may have misunderstood, or I’m just looking at the wrong bits.
I’d like to configure an SSL on the actual user interface (port 8091).


#6

8091 is a non-https port.
18091 is the HTTPS port.

You can refer to the list of TLSified ports here - http://developer.couchbase.com/documentation/server/current/security/security-iptables.html

After setting up TLS, you can access your admin console over port 18091

Thanks,


#7

Documentation states that it’s Internal REST HTTPS for SSL, rather than Web interface?


#8

@EdanBrooke - Did you manage to get any further?

I’ve implemented a self-signed cert between the sync_gateway and the app. It works really well, so I am happy with that.

Turning my mind to the couchbase admin interface my first thought was maybe a simple reverse proxy that provided an SSL interface to the world. I implemented an Nginx reverse proxy and promptly broke the sync_gateway <> app connection. I have a feeling figuring out the configuration of Nginx is going to be beyond me.

I have also thought about using a firewall, restricting general access to the Couchbase admin interface ports. This would be much simpler to implement and you might do this as well as a reverse proxy.

Anyhow. If you make progress. Please think of me and let me know.


#9

Just found this in the CB blog…

http://blog.couchbase.com/2016/may/securing-couchbase-using-let’s-encrypt-x.509-certificates

EDITED :: Scratch that. This is only for 4.5 Enterprise.


#10

So Couchbase deliberately revoked SSL support for the community edition???


#11

Not revoked anything. See the full list of capabilities comparing CE and EE.
http://developer.couchbase.com/documentation/server/current/introduction/editions.html


#12

There are a few corners of the product where enterprise edition provides added capabilities and advanced security features is one of those. We keep it to corners where the app logic would not have to change when moving from CE to EE or vice versa.


#13

They withheld it though even if they didn’t revoke it. I thought SSL was important when handling data so cutting encryption, which I see as virtually essential to managing the DB, out of the equation is a little bit silly imo.


#14

It is disappointing.

The recommendation appears to be - use a reverse proxy.


#15

How’re you going to go about it? nginx?


#16

I’ve set it up on mine. With nginx…

sudo nano /etc/nginx/sites-available/couchbase.conf

In this new file, put the following, replacing as required.

server {
  listen 80;
  server_name couchbase.mydomain.tld;
  return 301 https://couchbase.mydomain.tld$request_uri; # Forces SSL
}
server {
  listen 443 ssl; # 'ssl on;' is deprecated; the ssl parameter on listen replaces it
  ssl_certificate /path/to/cert/full;
  ssl_certificate_key /path/to/cert/key;

  server_name couchbase.mydomain.tld;

  location / {
    proxy_pass http://couchbase-ui-address.mydomain.tld:8091;
    # fastcgi_param only applies to FastCGI backends; for proxy_pass, hand the
    # scheme and client address to the backend as request headers instead
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }
}

Save it (Ctrl+O and RETURN in Nano).

Then put the new server block into production with the following command:

ln -s /etc/nginx/sites-available/couchbase.conf /etc/nginx/sites-enabled/couchbase.conf

Check the nginx configuration is okay, and if it is then restart the service:

sudo nginx -t
sudo service nginx restart

Then all you should do, if you don’t want Couchbase UI being accessed on the original port 8091 anymore, is block that port in IPTables or whatever firewall you’re using.

/sbin/iptables -A INPUT -i lo -p tcp --dport 8091 -j ACCEPT # Allow from loopback so nginx can still proxy to it (match the interface, not -s 127.0.0.1: a connection to the host's own public name carries the public address as source; if nginx runs on another host, allow that host's address instead)
/sbin/iptables -A INPUT -s <other-node-ip> -p tcp --dport 8091 -j ACCEPT # In a multi-node cluster, repeat for each other node: they talk to 8091 too
/sbin/iptables -A INPUT -p tcp --dport 8091 -j DROP # Drop from elsewhere

A potential alternative to this is to use CloudFlare as a proxy with Flexible SSL mode enabled but I’ve not tested this and I’m not sure if it’d work without Couchbase UI listening with an SSL certificate.

I got my SSL certificate for this for free from Let’s Encrypt. Thanks!

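The post above pairs a TLS-terminating nginx server block with firewall rules on 8091. As an added example (not from the thread or from Couchbase), the script below lints a config for the mistakes that bite here (`ssl on;`, `listen 443;` without `ssl`, `fastcgi_param` on a `proxy_pass` backend, missing `X-Forwarded-Proto` and `Host` headers), renders a hardened config, and renders iptables rules that match the loopback interface rather than source 127.0.0.1 and allow listed cluster peers, which also use 8091. The hostname `couchbase.example.com`, the certificate paths, the upstream `127.0.0.1:8091`, the `TLSv1.2`-only choice and the peer addresses are placeholders you pass in; the "posted config" the demo lints is a constructed copy of the one above.

```shell
#!/bin/sh
# Added example (not from the thread or Couchbase): lint an nginx TLS-termination
# config for the Couchbase UI, render a hardened one, and render the matching
# iptables rules. Hostnames, cert paths, upstream and peer addresses are
# placeholders supplied by the caller.

# lint_nginx_conf FILE: print one finding per line; return 1 if any were found.
lint_nginx_conf() {
  conf=$1
  findings=0
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$conf"; then
    echo "'ssl on;' is deprecated: use 'listen 443 ssl;'"; findings=$((findings + 1))
  fi
  if grep -Eq '^[[:space:]]*listen[[:space:]]+443;' "$conf"; then
    echo "'listen 443;' lacks the ssl parameter"; findings=$((findings + 1))
  fi
  if grep -q 'proxy_pass' "$conf"; then
    if grep -q 'fastcgi_param' "$conf"; then
      echo "fastcgi_param has no effect on a proxy_pass backend; use proxy_set_header"
      findings=$((findings + 1))
    fi
    if ! grep -q 'X-Forwarded-Proto' "$conf"; then
      echo "proxy block does not tell the backend the client used HTTPS (X-Forwarded-Proto)"
      findings=$((findings + 1))
    fi
    if ! grep -Eq 'proxy_set_header[[:space:]]+Host' "$conf"; then
      echo "proxy block does not preserve the Host header"; findings=$((findings + 1))
    fi
  fi
  [ "$findings" -eq 0 ]
}

# render_nginx_conf NAME CERT KEY UPSTREAM: hardened config on stdout.
# TLSv1.2 only is a conservative choice that validates on older nginx builds.
render_nginx_conf() {
  cat <<EOF
server {
    listen 80;
    server_name $1;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate $2;
    ssl_certificate_key $3;
    ssl_protocols TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://$4;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # the console keeps long-lived streaming REST responses open; do not buffer them
        proxy_buffering off;
    }
}
EOF
}

# render_firewall_rules [PEER...]: expose 8091 only to nginx on this host (match the
# loopback interface, not source 127.0.0.1, which a connection to the host's public
# address does not carry) and to the listed cluster peers, which also use 8091.
render_firewall_rules() {
  echo "iptables -A INPUT -i lo -p tcp --dport 8091 -j ACCEPT"
  for peer in "$@"; do
    echo "iptables -A INPUT -s $peer -p tcp --dport 8091 -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport 8091 -j DROP"
}

# Demo on a constructed copy of the config posted above (written to a temp file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
server {
  listen 443;
  ssl on;
  fastcgi_param HTTPS on;
  location / { proxy_pass http://127.0.0.1:8091; }
}
EOF
echo "findings in the posted config:"
lint_nginx_conf "$demo_conf" || true
render_nginx_conf couchbase.example.com /etc/ssl/cb.pem /etc/ssl/cb.key 127.0.0.1:8091 > "$demo_conf"
echo "findings in the rendered config: $(lint_nginx_conf "$demo_conf" | grep -c .)"
rm -f "$demo_conf"
```

Run `lint_nginx_conf /etc/nginx/sites-available/couchbase.conf` before `nginx -t`: the linter catches directives nginx accepts silently (a no-op `fastcgi_param`, a plaintext `listen 443;`) that `nginx -t` does not. Pipe `render_firewall_rules 10.0.0.2 10.0.0.3` (your other node addresses) to `sh` to install the rules, keeping the DROP rule last.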

#17

Excellent - I’ll try your rules.

This will save me from figuring out the rule set. (Which is not one of my strong areas)


#18

I ended up using these rules.

My goal - any request to the Couchbase server is redirected to SSL + any requests to the root of the server are redirected to my general web site.

server {
  listen 80;
  server_name couchbase.domain.com;

  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl; # 'ssl on;' is deprecated; the ssl parameter on listen replaces it
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;

  server_name couchbase.domain.com;

  location = / {
    return 301 http://web.domain.com;
  }

  location / {
    proxy_pass http://couchbase.domain.com:8091;
    # tell the backend who the client is and that it arrived over HTTPS
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }
}


#19

Was it a success for you?


#20

Yes.

I now have the couchbase admin interface behind SSL.
I now have the sync_gateway admin interface behind SSL.
I now have mobile app to sync_gateway communications behind SSL.

Good Work!