Hi Joan,

Can you please provide a little more detail about 'nginx not correctly reverse proxying chunked/multipart/etags/etc'? Can you also please provide a stunnel configuration file example?

Btw, I've taken the idea of using nginx from the Apache wiki (https://cwiki.apache.org/confluence/display/COUCHDB/Configuring+CouchDB <https://cwiki.apache.org/confluence/display/COUCHDB/Securing+CouchDB>); it suggests using either the Apache or nginx HTTP server as a reverse proxy.

thanks,
--Vovan

> On Jun 26, 2017, at 9:20 PM, Joan Touzet <woh...@apache.org> wrote:
>
> I'd recommend stunnel instead of nginx. We used to use it at Cloudant
> and it worked fine. Gets you away from any worries about nginx not
> correctly reverse proxying chunked/multipart/etags/etc correctly.
>
> -Joan
>
> ----- Original Message -----
> From: "Vladimir Kuznetsov" <vova...@gmail.com>
> To: user@couchdb.apache.org
> Sent: Monday, 26 June, 2017 8:29:00 PM
> Subject: Running CouchDB 2.0 cluster in EC2
>
>
> Hi guys
>
> I'm planning to run a CouchDB 2.0 cluster in EC2, probably 4 or 8 instances.
>
> I want clients to use an SSL certificate to authenticate, so I want to run Nginx
> on every CouchDB instance, which will do SSL termination and forward the
> connection to the backend CouchDB instance running plain HTTP. The reasons I
> want to terminate SSL on Nginx:
>
> 1) I'm planning to refresh server certs periodically and I don't really want
> CouchDB nodes to restart; I'd rather restart the Nginx frontend.
> 2) I want to check the CRL to reject client certificates that were revoked.
> 3) Performance is another reason, as I expect Nginx to be better at SSL
> decryption than CouchDB itself.
>
> I'm planning to deploy the CouchDB cluster instances behind an AWS ELB (elastic load
> balancer), probably in TCP mode, which would load balance client connections
> between instances.
>
> Does my deployment make sense? Is there anything specific to take into consideration
> in the above deployment model? Is there anything I have to be aware of?
>
> thanks,
> --Vovan
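
The deployment described in the original question (TLS termination with client-certificate and CRL checks on nginx, plain HTTP to the local CouchDB node), sketched as an added example that is not part of the thread or of the CouchDB project's documentation. The server name and all file paths are placeholders, and the proxy settings in the location block are an assumption about what a streaming backend needs, not a tested answer to the concern raised in the reply.

```nginx
server {
    listen 443 ssl;
    server_name couchdb.example.internal;            # placeholder name

    # Server certificate and key. After replacing the files, `nginx -s reload`
    # loads them without restarting the CouchDB node (reason 1 in the question).
    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder path

    # Require a client certificate that chains to this CA bundle.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;   # placeholder path
    ssl_verify_client on;
    ssl_verify_depth  2;

    # Reject revoked client certificates (reason 2). nginx reads this file only
    # at start/reload, so a refreshed CRL needs a reload to take effect, and the
    # file must hold a CRL for every CA in the client chain or all client
    # certificates fail verification.
    ssl_crl /etc/nginx/tls/client-ca.crl;            # placeholder path

    location / {
        # Plain HTTP to the local node on CouchDB's default port.
        # Assumes that port is not reachable by clients directly (bind address
        # or security group); otherwise the certificate check can be bypassed.
        proxy_pass http://127.0.0.1:5984;

        # Pass requests and responses through as a stream rather than
        # buffering them: HTTP/1.1 to the backend, no response or request
        # buffering, no body size limit for attachment and replication uploads.
        proxy_http_version      1.1;
        proxy_buffering         off;
        proxy_request_buffering off;
        client_max_body_size    0;

        # Long-lived feeds such as continuous _changes stay idle between
        # events; the timeout value here is an arbitrary example.
        proxy_read_timeout 3600s;

        proxy_redirect   off;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With the ELB in TCP mode, the TLS handshake (including the client certificate) reaches nginx unmodified, so the verification above happens on each instance.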