Newbie dev setup, what ports should be open to the internet?


#1

Sorry for the title, but I didn’t know how to explain my doubts in a few words.
I’ve always used RDBMS to develop web services, and I’m approaching Couchbase for the first time, so please treat me like a newbie :smile:

I’ve successfully installed Couchbase Server Community Edition on a single Linux AWS EC2 instance. Atm, I’m not interested in replication, load balancing and so on. I simply need a basic setup to do some experimenting. However, I’m very careful about security issues, so I have some questions.

On EC2 I opened the following ports to the world:

  • 8091, and I can use it to log in to the web admin console, using the credentials chosen in the setup wizard;
  • 8092, and I can use it to query views with the REST API;
  • 11210, which I’m not sure if it is needed considering I’m on a single cluster.

Now, question time:

  1. As I said, when I access 8091 from my browser, I have to type in my credentials to gain access to the web console. But if I use the REST API it all seems to work without authentication. Is it ok? Should I close port 8091 except from my office IP address? Or is this only generic information that can be public? For example, from my PC, with no auth, I can see: http://pastebin.com/raw.php?i=LN2JiMvR

  2. On 8092 I can access all views/documents. Let’s say in the future I will use Couchbase Lite Sync Manager on a dedicated TCP port. Then, can I close 8092 so my DB will be accessed only through Sync Manager, with all its checks on users auth, roles and channels?

  3. Is 11210 really needed for my setup? What exactly is it for? Doc says “Used by smart client libraries or Moxi to directly connect to the data nodes”, but that’s not very clear to me. Can I close that port?

Thank you all.


#2

Welcome to the world of Couchbase :smile:

The REST API should require HTTP auth but /pools appears to work without auth. I’m not sure why but I’ll find out.

You’ll need to leave 8092 open to allow SyncGateway to communicate with CB Server.

11210 and 11211 should stay open for normal key-value access (gets and sets, basically non-view related access).

The list of ports you need open is here:

http://docs.couchbase.com/admin/admin/Install/install-networkPorts.html


#3

Thank you Matthew for that precious info.
So, in case I install Sync Gateway on the same machine, I bet I should close all doors except the Sync Gateway ones, so access to my DB is secured and data only available through the sync function. Right?
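
As an added example (not part of the original thread and not Couchbase or AWS tooling): a check for the question raised in this thread, namely which of the Couchbase ports are reachable from the whole internet, run over security-group data in the shape returned by `aws ec2 describe-security-groups`. The group ID and CIDRs are constructed sample values, and the port roles are the ones given in the posts above.

```python
import ipaddress

# Port roles as described in this thread (11211 per the reply in post #2).
COUCHBASE_PORTS = {
    8091: "web admin console / REST API",
    8092: "views REST API",
    11210: "smart client / Moxi direct data access",
    11211: "key-value access",
}

def is_world(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def world_open_couchbase_ports(security_groups):
    """Return sorted (group_id, port, role) tuples for world-open Couchbase ports."""
    findings = set()
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world(c) for c in cidrs):
                continue
            low, high = 0, 65535  # protocol -1 (all traffic) carries no port range
            if proto == "tcp":
                low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, role in COUCHBASE_PORTS.items():
                if low <= port <= high:
                    findings.add((group["GroupId"], port, role))
    return sorted(findings)

# Constructed sample: 8091-8092 open to the world, 11210-11211 to one address.
SAMPLE_GROUPS = [{
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8091, "ToPort": 8092,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 11210, "ToPort": 11211,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}]

if __name__ == "__main__":
    for gid, port, role in world_open_couchbase_ports(SAMPLE_GROUPS):
        print(f"{gid}: port {port} ({role}) is open to 0.0.0.0/0 or ::/0")
```

To run it against a real account, load the `SecurityGroups` list from the JSON output of `aws ec2 describe-security-groups` and pass it to `world_open_couchbase_ports`.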