Couchdb and proxy authentication


I have been using couchdb for a long time and we authenticate through cookies auth. Now we would like to start testing proxy authentication but I don't quite understand how it works.

I already have it activated including the value "chttpd_auth, proxy_authentication_handler" in the section "chttpd / authentication_handlers:" but how do I indicate that the token x is for the user y?

I can't understand how it works

I hope someone can help me with an example. Thank you.

Mas Bagol On BEST ANSWER

In proxy_authentication, you are doing authentication somewhere else. That somewhere else is a proxy, or to be more specific a reverse proxy.

For example, if you're just using a single user and using nginx as a proxy to couchdb, you set the required headers before the request is passed to couchdb, like:

location / {
    # pass to couchdb
    proxy_pass http://localhost:5984;

    # ... other configurations.

    # authentication header
    proxy_set_header    X-Auth-CouchDB-UserName 'someone';
    proxy_set_header    X-Auth-CouchDB-Roles    '_admin,staff';
    proxy_set_header    X-Auth-CouchDB-Token    'auth-token';
}

Couchdb will accept the request with the given username and roles. X-Auth-CouchDB-Token should be a hex-encoded HMAC of X-Auth-CouchDB-UserName using the secret in the couch_httpd_auth section of your configuration. It is not required unless proxy_use_secret is true, which is not the case by default (although it should be used in production).

In practice, you will need to create a proxy server that validates the username (maybe with a password). Only after the user is valid will the request be passed to couchdb with those headers attached.
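The token derivation described in the answer above, as an added example that is not part of the original answer or of CouchDB's own code: it shows how the token is bound to one username and how a custom proxy would attach the three headers after it has authenticated the user. Assumptions: the function names and the secret value are constructed for illustration, and HMAC-SHA1 is assumed as the hash because the answer does not name one, so check the documentation for your CouchDB version.

```python
import hmac

# Constructed sample secret; use the secret from the CouchDB configuration.
SECRET = b"constructed-example-secret"
PREFIX = "x-auth-couchdb-"


def couchdb_token(username: str, secret: bytes, digest: str = "sha1") -> str:
    """Hex-encoded HMAC of the username, keyed with the shared secret.

    The digest is an assumption (see lead-in), so it is a parameter.
    """
    return hmac.new(secret, username.encode("utf-8"), digest).hexdigest()


def proxy_headers(incoming: dict, username: str, roles: list, secret: bytes) -> dict:
    """Headers to forward to CouchDB once the proxy has authenticated the user."""
    # Drop any X-Auth-CouchDB-* header the client sent itself, so only the
    # proxy decides which identity CouchDB sees.
    out = {k: v for k, v in incoming.items() if not k.lower().startswith(PREFIX)}
    out["X-Auth-CouchDB-UserName"] = username
    out["X-Auth-CouchDB-Roles"] = ",".join(roles)
    out["X-Auth-CouchDB-Token"] = couchdb_token(username, secret)
    return out


def token_matches(username: str, token: str, secret: bytes) -> bool:
    """The check a receiver of the headers performs, in constant time."""
    expected = couchdb_token(username, secret).encode("ascii")
    return hmac.compare_digest(expected, token.lower().encode("utf-8"))


if __name__ == "__main__":
    # Constructed request: the client tries to supply its own identity headers.
    client_request = {
        "Accept": "application/json",
        "X-Auth-CouchDB-UserName": "admin",
        "X-Auth-CouchDB-Roles": "_admin",
    }
    forwarded = proxy_headers(client_request, "someone", ["staff"], SECRET)
    for name, value in forwarded.items():
        print(f"{name}: {value}")
```

Because the token is computed over the username only, a token issued for one user does not validate for another, but the roles header is not covered by it and is trusted as sent by the proxy.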