4 Steps to Improve Your CouchDB Security

Leave your reply

CouchDB has no access restrictions by default, as it is designed to initially only be accessed from localhost. If you plan to expose CouchDB to the internet by binding it to your server's public IP address, we recommend you follow these easy steps to secure your CouchDB installation.

Requirements

  • A Servidor Cloud (Ubuntu 16.04) with CouchDB and Futon installed.

To install CouchDB, follow the instructions in our article Install and Use CouchDB on Ubuntu 16.04. To set up and use Futon, see our article Use Futon to Manage CouchDB.

Step 1: Create an Admin User

A new installation of CouchDB will allow any anonymous user to make any change to any database or record. CouchDB calls this the "Admin Party." The first step to improving CouchDB security is to create an admin user.

Log in to the Futon admin panel. Click Fix this in the security prompt in the lower right-hand corner.

Improve CouchDB security

Enter the desired admin username and password. Then click Create.

Improve CouchDB security

Step 2: Enable SSL

Enabling SSL will allow you to send command-line Curl requests via an SSL-secured connection. This is valuable for requests which involve passing sensitive data like passwords.

First, install an SSL certificate on your server. Related articles:

  • Set Up a IONOS SSL Certificate
  • Install a Let's Encrypt SSL Certificate on a Servidor Cloud with Linux

If you have a firewall, you will need to allow access to port 6984.

For more information about using a firewall on a Servidor Cloud, consult our documentation on the topic.

After the SSL certificates and firewall rules have been configured, connect to the server with SSH. Open the CouchDB configuration file for editing:

sudo nano /etc/couchdb/default.ini

Find the line which reads:

[daemons]

Add httpsd = {couch_httpd, start_link, [https]} below this line:

[daemons]
httpsd = {couch_httpd, start_link, [https]}

Next, find the lines which read:

[ssl]
port = 6984

Add the paths for the SSL cert and key files:

[ssl]
port = 6984
cert_file = /path/to/server_cert.pem
key_file = /path/to/server_key.pem

Save and exit the file. Restart CouchDB for the changes to take effect:

sudo systemctl restart couchdb

HTTPS requests will be served on port 6984 while standard HTTP requests will be served on port 5984.

To verify that HTTP and HTTPS requests are working from the command line, use the commands:

curl http://192.168.0.1:5984/
curl https://192.168.0.1:6984/

You can also verify that Futon is secured with SSL by visiting https://192.168.0.1:6984 in a browser.

Step 3: Define Users for Your Database(s)

If no user is defined for a database, its access is public by default. To define a user for a database in Futon, select the database, then click Security...

Improve CouchDB security

Fill out at least one Admin Name and one Member Name. The names must be put in JSON string format: ["name"]. For example, to add the user jdoe as an admin and a member for this database, you would put ["jdoe"] into both fields.

Improve CouchDB security

Click Update to add the user.

From the command line, you will need to create a _security document in the database, then add the user to this document:

curl -X PUT https://192.168.0.1:6984/mydatabase/_security \
     -u [admin username]:[admin password] \
     -H "Content-Type: application/json" \
     -d '{"admins": { "names": [], "roles": [] }, "members": { "names": ["jdoe"], "roles": [] } }

Repeat these steps for each CouchDB database.

Step 4: Disable Futon if You Don't Plan to Use It

Futon is a useful and convenient tool for performing administrative tasks with CouchDB. However, some people prefer to use Curl from the command line. If you do not plan to use the Futon interface, we recommend you disable this feature.

Open the CouchDB configuration file for editing:

sudo nano /etc/couchdb/default.ini

Find the line which reads:

_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}

Disable Futon by putting a semicolon at the beginning of this line, so that it reads:

;_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}

Save and exit the file. Restart CouchDB for the changes to take effect:

sudo systemctl restart couchdb