Spent far too much time on this; this post solved it exactly, so I'm keeping a copy in case the link goes dead.
https://medium.com/hacking-info-sec/how-to-install-couchdb-with-ssl-f0040bebb6d9
How to install CouchDB with SSL
Philippe Delteil, Hacking/Security, Jan 19, 2021
Awful official documentation led me to spend many hours getting CouchDB properly installed with SSL. If you care about privacy and security, it's always better to use HTTPS instead of HTTP. This process was tested (many times, let me tell you) on Ubuntu 18.04/20.04 and CouchDB 3.1.1.
Installing CouchDB
The default HTTP port is 5984 and the HTTPS port is 6984.
Retrieve and add the GPG public keys:
curl -L https://couchdb.apache.org/repo/bintray-pubkey.asc | sudo apt-key add -
Add the CouchDB repository to the sources list:
Ubuntu 18.04
echo "deb https://apache.bintray.com/couchdb-deb bionic main" | sudo tee -a /etc/apt/sources.list
Ubuntu 20.04/22.04
sudo apt update && sudo apt install -y curl apt-transport-https gnupg
curl https://couchdb.apache.org/repo/keys.asc | gpg --dearmor | sudo tee /usr/share/keyrings/couchdb-archive-keyring.gpg >/dev/null 2>&1
source /etc/os-release
echo "deb [signed-by=/usr/share/keyrings/couchdb-archive-keyring.gpg] https://apache.jfrog.io/artifactory/couchdb-deb/ ${VERSION_CODENAME} main" \
| sudo tee /etc/apt/sources.list.d/couchdb.list >/dev/null
Install the CouchDB Package
sudo apt update ; sudo apt install couchdb
Test that the installation worked:
curl http://127.0.0.1:5984/
{"couchdb":"Welcome","version":"3.1.1","git_sha":"ce596xxx","uuid":"806c9e5cadxxxyyycbce","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
This, of course, is only reachable from the VM. To make it accessible from the Internet you'll have to:
- Open ports 5984 and 6984 (for HTTP/HTTPS) in your cloud provider. If you want to change the default ports, edit the file /opt/couchdb/etc/default.ini.
- Change bind address (to 0.0.0.0) in file /opt/couchdb/etc/default.d/10-bind-address.ini.
sudo nano /opt/couchdb/etc/default.d/10-bind-address.ini
# Package-introduced bind address
[chttpd]
bind_address = 0.0.0.0
- Restart CouchDB:
sudo /etc/init.d/couchdb restart
Note: changes in the files local.ini or default.ini didn't change the bind address. This last step was tricky because it is not documented in the installation guides or tutorials.
- Test it! (from outside/Internet)
curl http://yourip:5984/
{"couchdb":"Welcome","version":"3.1.1","git_sha":"ce596xxx","uuid":"806c9e5cadxxxyyycbce","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
If you got the same output, jump to the next part.
Setting SSL
To use SSL (and therefore HTTPS) we need to set up three files: server.key, server.csr and server.crt.
Create a folder to store the generated files:
mkdir ~/certs
cd ~/certs
Generate Key with OpenSSL
openssl genrsa -out server.key 2048
Generate Certificate Signing Request with OpenSSL
openssl req -new -key server.key -out server.csr
Self Signed Certificates
openssl x509 -req -sha256 -days 1095 -in server.csr -signkey server.key -out server.crt
Pay attention when setting the Common Name; it should look like this:
Common Name (e.g. server FQDN or YOUR name): subdomain.domain.tld
(This step might not really matter.)
Now you need to reference these three files in CouchDB's config file local.ini (add to the end of the file):
sudo nano /opt/couchdb/etc/local.ini #this path might vary
[ssl]
enable = true
cert_file = /home/ubuntu/certs/server.crt ;paths might vary
key_file = /home/ubuntu/certs/server.key ;paths might vary
cacert_file = /home/ubuntu/certs/server.csr ;paths might vary
Note: if one of the three files is not referenced correctly, is not accessible, or was not created correctly, you'll get the following error:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to XXX
Verify that the files above have the right permissions; run the following command to be sure:
sudo chown -R couchdb:couchdb ~/certs
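The three [ssl] entries are the usual source of that SSL_ERROR_SYSCALL error, so here is an added checker (not from the article and not CouchDB's own tooling) that reads the [ssl] section of a local.ini and reports every file that is unset, missing, unreadable, or of the wrong PEM type, which also catches a certificate request placed where a certificate is expected. The PEM labels expected per key are my assumption from the PEM format rather than taken from CouchDB's code, and the files and paths the demo builds in a temp directory are constructed for the example.

```python
import configparser
import os
import tempfile
from pathlib import Path

# PEM label each [ssl] key must point at (assumed from the PEM format; cacert_file is optional).
EXPECTED_PEM = {"cert_file": ("CERTIFICATE",),
                "key_file": ("RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"),
                "cacert_file": ("CERTIFICATE",)}

def pem_label(path):
    """Return the label of the first PEM block in a file, or None if there is none."""
    with open(path, errors="replace") as fh:
        for line in fh:
            if line.startswith("-----BEGIN ") and line.rstrip().endswith("-----"):
                return line.strip()[len("-----BEGIN "):-5]
    return None

def check_ssl_section(ini_path):
    """List the reasons the [ssl] section of a CouchDB local.ini would fail to load."""
    # CouchDB ini files use ';' inline comments, exactly as in the snippet above.
    cfg = configparser.ConfigParser(inline_comment_prefixes=(";", "#"), strict=False)
    cfg.read(ini_path)
    problems = []
    for key, labels in EXPECTED_PEM.items():
        path = cfg.get("ssl", key, fallback=None)
        if path is None:
            if key != "cacert_file":
                problems.append(f"{key} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{key}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            problems.append(f"{key}: {path} is not readable (run the chown step)")
        elif pem_label(path) not in labels:
            problems.append(f"{key}: {path} is {pem_label(path) or 'not PEM'}, not {labels[0]}")
    return problems

def demo():
    """Constructed temp-dir copy of the three files and the [ssl] block from the article."""
    d = Path(tempfile.mkdtemp())
    for name, label in (("server.crt", "CERTIFICATE"), ("server.key", "RSA PRIVATE KEY"),
                        ("server.csr", "CERTIFICATE REQUEST")):
        (d / name).write_text(f"-----BEGIN {label}-----\nMIIB...\n-----END {label}-----\n")
    ini = d / "local.ini"
    ini.write_text(f"[ssl]\nenable = true\ncert_file = {d}/server.crt ;paths might vary\n"
                   f"key_file = {d}/server.key ;paths might vary\n"
                   f"cacert_file = {d}/server.csr ;paths might vary\n")
    as_written = check_ssl_section(ini)   # flags only the CSR used as cacert_file
    (d / "server.key").unlink()
    return as_written, check_ssl_section(ini)   # second run also reports the missing key
```

Run check_ssl_section against the real /opt/couchdb/etc/local.ini as the couchdb user to see what CouchDB itself will see after the chown step.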
Restart again:
sudo /etc/init.d/couchdb restart
Now, let’s test it again
curl -k https://yourip:6984/
{"couchdb":"Welcome","version":"3.1.1","git_sha":"ce596xxx","uuid":"806c9e5cadxxxyyycbce","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
Tip: disable access to HTTP port 5984 now that HTTPS is working. That's it! Give me some claps if this article helped you!