Hi all,

In the spirit of "secure by default," would it be possible to change
CouchDB's default to require_valid_user = true? I think that's more
commonly what you'd want. Because it's fairly unusual that CouchDB allows
anonymous users and allows them to do significant things, it's liable to
surprise people and lead to misconfiguration.

Moses


On Mon, Apr 23, 2018 at 10:18 AM, Joan Touzet <[email protected]> wrote:

> Hi Jinmin.
>
> Blocking /_all_dbs currently requires a reverse proxy with block rules in
> front of CouchDB.
>
> We recommend haproxy for this use.
>
> Best regards,
> Joan Touzet from Toronto, Canada
>
> ----- Original Message -----
> From: "? ?" <[email protected]>
> To: [email protected]
> Sent: Monday, April 23, 2018 5:30:38 AM
> Subject: How to prevent anonymous users visit couchdb ?
>
> Dear all,
>
> I want to remotely manage CouchDB by curl using the administrator account,
> but I found that anonymous users can also get some information, like
> _all_dbs, which is not what I want. It seems that CouchDB allows anonymous
> users using GET and HEAD methods, so how can I prevent it? What I want is
> that only administrators are allowed.
>
> I have made the following settings in local.ini:
> require_valid_user = true
> WWW-Authenticate = Basic realm="administrator"
>
> Thanks & regards,
> Jinmin from Shanghai, China
>
>
>
>
>
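
An added check, not part of the original thread or of CouchDB: it sends unauthenticated GETs to a node you administer and lists the paths that still answer, so the effect of `require_valid_user` or of a proxy block rule on `/_all_dbs` can be confirmed. The function names are assumptions, and `make_stub` is a constructed stand-in for CouchDB so the block runs offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore any proxy environment variables so the probe goes straight to the node.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def anonymous_status(base_url, paths=("/", "/_all_dbs")):
    """Send GETs with no credentials and return {path: HTTP status}."""
    statuses = {}
    for path in paths:
        try:
            with _OPENER.open(base_url + path, timeout=5) as resp:
                statuses[path] = resp.status
        except urllib.error.HTTPError as err:
            statuses[path] = err.code
    return statuses

def exposed_paths(base_url, paths=("/", "/_all_dbs")):
    """Paths an anonymous client can read (anything answered with 2xx)."""
    found = anonymous_status(base_url, paths)
    return sorted(p for p, code in found.items() if 200 <= code < 300)

def make_stub(require_valid_user):
    """Constructed stand-in for CouchDB; only checks that a header is present."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_valid_user and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="administrator"')
                body = b'{"error":"unauthorized"}'
            else:
                self.send_response(200)
                body = json.dumps(["_users", "demo"]).encode()
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

if __name__ == "__main__":
    for flag in (False, True):
        server, url = make_stub(flag)
        print("require_valid_user =", flag, "->", exposed_paths(url))
        server.shutdown()
```

Against a real node, pass its base URL to `exposed_paths`; an empty list means every probed path refused the anonymous request.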
