A reminder that the security sensitive discussion with Vivek is happening elsewhere. We don't want to reveal any issue that might be found until we have a fix, if it turns out to be an avoidable fault in couchdb. The discussion of improved 3.0 defaults can continue here or in a new thread.
Sent from my iPhone > On 20 Jan 2017, at 14:09, Thomas Guillet <[email protected]> wrote: > > @Paul: I agree, it is pretty straightforward to have some basic settings on. > > Could we rely on the cluster_setup endpoint to secure the instance? > If that is considered to be the first 'mandatory step' of a live > instance, it would be nice as an almost out-of-the-box secure set up. > (Plus, you can always "curl" the endpoint instead of "perl" the local.ini) > > SSL-only is tricky as the http server can't be deactivated in > local.ini but in default.ini (from memory). > > @All: What do you consider a same/secure set up? What are the known > unsecured features/weaknesses of CouchDB. > > @Vivek: You issue worries me quite a lot. Do you have a better idea of > what happened? > I saw you are using HTTP instead of HTTPS, were you using in encrypted > connection to exchange your credentials and session? > Is your instance behind a proxy? (nginx or alike) They may have other > logs to help us investigate. > > > > > > > 2017-01-20 12:49 GMT+01:00 Paul Hammant <[email protected]>: >>> >>> tee-hee, that was my wishful thinking, less actual planning :) >>> >>> As usual, there is no estimate for now. >>> >> >> Don't worry - my open source commitments slip by five years at a time, but >> I thought I'd ask just in case. >> >> It might be better to focus on a series of post-install scripts for 2.x >> that lock down a couch. >> >> I was *very* excited by my first (and more or less only) exposure to >> CouchDB for - http://paulhammant.com/2015/12/21/angular-and-svg-and-couchdb. >> As part of that I wanted to make it easy for the reader to turn on CORS: >> >> perl -p -i -e 's/;enable_cors/enable_cors/' >> /usr/local/etc/couchdb/default.ini >> perl -p -i -e 's/enable_cors = false/enable_cors = true/' >> /usr/local/etc/couchdb/default.ini >> perl -p -i -e 's/;origins/origins/' /usr/local/etc/couchdb/default.ini >> perl -p -i -e 's/origins = /origins = */' /usr/local/etc/couchdb/default.ini >> perl -p -i -e 's/origins = \*\*/origins = */' >> /usr/local/etc/couchdb/default.ini >> >> >> That's to turn on CORS (CouchDB v1.6.x), for the blog entry. >> >> I'll bet that it's only another eight "one-liners" (Perl or not) to go >> SSL-only, cancel the AdminParty, and generate a unique admin password. >> >> - Paul
