Check that the exact same *crypt text* for your [admins] users is
specified on all nodes. The exact same line should appear in all 3
.ini files.

Check that all nodes have the exact same [httpd] secret value in
their ini files.

Check that all nodes have the exact same [couchdb] uuid specified
in their ini files.

http://docs.couchdb.org/en/latest/setup/cluster.html covers all of
this (including changes made since 2.3.0 was released).



----- Original Message -----
> From: "Peter J Krawetzky" <krawetzk...@aetna.com>
> To: user@couchdb.apache.org
> Sent: Thursday, February 21, 2019 2:49:24 PM
> Subject: Cluster Configuration
> 
> So I successfully have a 3 node cluster set up which also includes
> using the SSL configuration so I can connect using port 6984.
> 
> I added a load balancer in front of the 3 cluster nodes using SSL
> (port 6984) and noticed I'm getting some weird results.
> 
>   *   the admin account is defined in the local.ini but when I
>   connect using the load balancer DNS some of the databases are not
>   available to the admin account - says This database failed to load
>      *   When I connect to an individual node using SSL (port 6984)
>      the admin account works fine
>   *   when I logon using the load balancer DNS with a user that is in
>   the _users database and has rights to a database I cannot select
>   the database - says This database failed to load
>      *   Any database that does not have security is accessible
> 
> I can't figure out if it's something within the cluster node
> configuration or if it's the load balancer DNS I'm using.  FYI we
> use F5 as a load balancer.
> 
> Also does anyone have
> 
> Below is my local.ini file
> ; CouchDB Configuration Settings
> 
> ; Custom settings should be made in this file. They will override
> settings
> ; in default.ini, but unlike changes made to default.ini, this file
> won't be
> ; overwritten on server upgrade.
> 
> [couchdb]
> ;max_document_size = 4294967296 ; bytes
> ;os_process_timeout = 5000
> database_dir = /u01/couchdb
> ; NOTE(review): the reply above says this uuid must be identical in
> ; every node's ini file.
> uuid = 3f50bfb9faed229837b0911265b6bb27
> 
> [couch_peruser]
> ; If enabled, couch_peruser ensures that a private per-user database
> ; exists for each document in _users. These databases are writable
> only
> ; by the corresponding user. Databases are in the following form:
> ; userdb-{hex encoded username}
> ;enable = true
> ; If set to true and a user is deleted, the respective database gets
> ; deleted as well.
> ;delete_dbs = true
> ; Set a default q value for peruser-created databases that is
> different from
> ; cluster / q
> ;q = 1
> 
> [chttpd]
> port = 5984
> ; 0.0.0.0 binds the clustered HTTP port on every interface, so plain
> ; HTTP on 5984 is reachable alongside the SSL port (6984, see [ssl]
> ; below) unless it is filtered elsewhere.
> bind_address = 0.0.0.0
> ; Options for the MochiWeb HTTP server.
> ;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
> ; For more socket options, consult Erlang's module 'inet' man page.
> ;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay,
> true}]
> 
> [httpd]
> ; NOTE that this only configures the "backend" node-local port, not
> the
> ; "frontend" clustered port. You probably don't want to change
> anything in
> ; this section.
> ; Uncomment next line to trigger basic-auth popup on unauthorized
> requests.
> ;WWW-Authenticate = Basic realm="administrator"
> 
> ; Uncomment next line to set the configuration modification
> whitelist. Only
> ; whitelisted values may be changed via the /_config URLs. To allow
> the admin
> ; to change this value over HTTP, remember to include
> {httpd,config_whitelist}
> ; itself. Excluding it from the list would require editing this file
> to update
> ; the whitelist.
> ;config_whitelist = [{httpd,config_whitelist}, {log,level},
> {etc,etc}]
> enable_cors = true
> 
> [query_servers]
> ;nodejs = /usr/local/bin/couchjs-node
> /path/to/couchdb/share/server/main.js
> 
> [couch_httpd_auth]
> ; If you set this to true, you should also uncomment the
> WWW-Authenticate line
> ; above. If you don't configure a WWW-Authenticate header, CouchDB
> will send
> ; Basic realm="server" in order to prevent you getting logged out.
> ; require_valid_user = false
> ; NOTE(review): the reply above says this secret must be identical on
> ; all nodes. It has also been posted in clear text to a mailing list,
> ; so treat it as exposed and roll a fresh value out to every node.
> secret = d75914a363aa5f8f28712eb2c1f280a0
> 
> [daemons]
> ; enable SSL support by uncommenting the following line and supply
> the PEM's below.
> ; the default ssl port CouchDB listens on is 6984
> httpsd = {chttpd, start_link, [https]}
> 
> [ssl]
> enable = true
> cert_file = /u01/instance_ssl_key/publickey.pem
> key_file = /u01/instance_ssl_key/privatekey.pem
> ;password = somepassword
> ; set to true to validate peer certificates
> ;verify_ssl_certificates = false
> ; Set to true to fail if the client does not send a certificate. Only
> used if verify_ssl_certificates is true.
> ;fail_if_no_peer_cert = false
> ; Path to file containing PEM encoded CA certificates (trusted
> ; certificates used for verifying a peer certificate). May be omitted
> if
> ; you do not want to verify the peer.
> ; NOTE(review): verify_ssl_certificates above is left commented out,
> ; so this CA file is presumably loaded but peer (client) certificates
> ; are not verified. That is fine unless client certificates are
> ; expected here.
> cacert_file = /u01/instance_ssl_key/ca.pem
> ; The verification fun (optional) if not specified, the default
> ; verification fun will be used.
> ;verify_fun = {Module, VerifyFun}
> ; maximum peer certificate depth
> ;ssl_certificate_max_depth = 1
> ;
> ; Reject renegotiations that do not live up to RFC 5746.
> ;secure_renegotiate = true
> ; NOTE(review): secure_renegotiate, ciphers and tls_versions below are
> ; set to the literal string "undefined" instead of being left
> ; commented out like the defaults above. Confirm CouchDB treats that
> ; string as "unset"; otherwise the effective renegotiation, cipher and
> ; TLS version policy of the 6984 listener is unclear.
> secure_renegotiate = undefined
> ; The cipher suites that should be supported.
> ; Can be specified in erlang format
> "{ecdhe_ecdsa,aes_128_cbc,sha256}"
> ; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
> ;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
> ciphers = undefined
> ; The SSL/TLS versions to support
> ;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
> tls_versions = undefined
> 
> ; To enable Virtual Hosts in CouchDB, add a vhost = path directive.
> All requests to
> ; the Virtual Host will be redirected to the path. In the example
> below all requests
> ; to http://example.com/ are redirected to /database.
> ; If you run CouchDB on a specific port, include the port number in
> the vhost:
> ; example.com:5984 = /database
> [vhosts]
> ;example.com = /database/
> 
> ; To create an admin account uncomment the '[admins]' section below
> and add a
> ; line in the format 'username = password'. When you next start
> CouchDB, it
> ; will change the password to a hash (so that your passwords don't
> linger
> ; around in plain-text files). You can add more admin accounts with
> more
> ; 'username = password' lines. Don't forget to restart CouchDB after
> ; changing this.
> [admins]
> ;admin = mysecretpassword
> ; NOTE(review): CouchDB rewrites these values to hashes on restart
> ; (see above); the reply says the identical hashed line must appear in
> ; all three nodes' ini files.
> admin = <encrypted-password>
> replicator = <encrypted-password>
> 
> [cors]
> origins = https://github.aetna.com
> credentials = true
> methods = GET, PUT, POST, HEAD, DELETE
> headers = accept, authorization, content-type, origin, referer
> 
> 
> Proprietary
> 
> This e-mail may contain confidential or privileged information. If
> you think you have received this e-mail in error, please advise the
> sender by reply e-mail and then delete this e-mail immediately.
> Thank you. Aetna
> 
