Joan, your info below was spot on. Seems to have resolved all of my issues. All of the nodes are communicating correctly along with the load balancer in place.

Thanks so much for pointing out what I missed.

-----Original Message-----
From: Krawetzky, Peter J
Sent: Monday, February 25, 2019 7:27 AM
To: [email protected]; '[email protected]' <[email protected]>
Subject: RE: Cluster Configuration

Thanks Joan, I will check this out. I actually installed 2.2 but am thinking I should move to 2.3.

-----Original Message-----
From: Joan Touzet <[email protected]>
Sent: Friday, February 22, 2019 6:27 PM
To: [email protected]
Subject: [EXTERNAL] Re: Cluster Configuration

Check that the exact same *crypt text* for your [admins] users is specified on all nodes. The exact same line should appear in all 3 .ini files.

Check that all nodes have the exact same [httpd] secret value in their ini files.

Check that all nodes have the exact same [couchdb] uuid specified in their ini files.

http://docs.couchdb.org/en/latest/setup/cluster.html has all of this (new changes since 2.3.0 was released).

----- Original Message -----
> From: "Peter J Krawetzky" <[email protected]>
> To: [email protected]
> Sent: Thursday, February 21, 2019 2:49:24 PM
> Subject: Cluster Configuration
>
> So I successfully have a 3 node cluster set up which also includes
> using the SSL configuration so I can connect using port 6984.
>
> I added a load balancer in front of the 3 cluster nodes using SSL
> (port 6984) and noticed I'm getting some weird results.
>
> * the admin account is defined in the local.ini but when I connect
>   using the load balancer DNS some of the databases are not available
>   to the admin account - says This database failed to load
> * When I connect to an individual node using SSL (port 6984) the admin
>   account works fine
> * when I log on using the load balancer DNS with a user that is in the
>   _users database and has rights to a database I cannot select the
>   database - says This database failed to load
> * Any database that does not have security is accessible
>
> I can't figure out if it's something within the cluster node
> configuration or if it's the load balancer DNS I'm using. FYI we use
> F5 as a load balancer.
>
> Also does anyone have
>
> Below is my local.ini file
>
> ; CouchDB Configuration Settings
>
> ; Custom settings should be made in this file. They will override settings
> ; in default.ini, but unlike changes made to default.ini, this file won't be
> ; overwritten on server upgrade.
>
> [couchdb]
> ;max_document_size = 4294967296 ; bytes
> ;os_process_timeout = 5000
> database_dir = /u01/couchdb
> uuid = 3f50bfb9faed229837b0911265b6bb27
>
> [couch_peruser]
> ; If enabled, couch_peruser ensures that a private per-user database
> ; exists for each document in _users. These databases are writable only
> ; by the corresponding user. Databases are in the following form:
> ; userdb-{hex encoded username}
> ;enable = true
> ; If set to true and a user is deleted, the respective database gets
> ; deleted as well.
> ;delete_dbs = true
> ; Set a default q value for peruser-created databases that is different from
> ; cluster / q
> ;q = 1
>
> [chttpd]
> port = 5984
> bind_address = 0.0.0.0
> ; Options for the MochiWeb HTTP server.
> ;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
> ; For more socket options, consult Erlang's module 'inet' man page.
> ;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
>
> [httpd]
> ; NOTE that this only configures the "backend" node-local port, not the
> ; "frontend" clustered port. You probably don't want to change anything in
> ; this section.
> ; Uncomment next line to trigger basic-auth popup on unauthorized requests.
> ;WWW-Authenticate = Basic realm="administrator"
>
> ; Uncomment next line to set the configuration modification whitelist. Only
> ; whitelisted values may be changed via the /_config URLs. To allow the admin
> ; to change this value over HTTP, remember to include {httpd,config_whitelist}
> ; itself. Excluding it from the list would require editing this file to update
> ; the whitelist.
> ;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
> enable_cors = true
>
> [query_servers]
> ;nodejs = /usr/local/bin/couchjs-node /path/to/couchdb/share/server/main.js
>
> [couch_httpd_auth]
> ; If you set this to true, you should also uncomment the WWW-Authenticate line
> ; above. If you don't configure a WWW-Authenticate header, CouchDB will send
> ; Basic realm="server" in order to prevent you getting logged out.
> ; require_valid_user = false
> secret = d75914a363aa5f8f28712eb2c1f280a0
>
> [daemons]
> ; enable SSL support by uncommenting the following line and supply the PEM's below.
> ; the default ssl port CouchDB listens on is 6984
> httpsd = {chttpd, start_link, [https]}
>
> [ssl]
> enable = true
> cert_file = /u01/instance_ssl_key/publickey.pem
> key_file = /u01/instance_ssl_key/privatekey.pem
> ;password = somepassword
> ; set to true to validate peer certificates
> ;verify_ssl_certificates = false
> ; Set to true to fail if the client does not send a certificate. Only used if
> ; verify_ssl_certificates is true.
> ;fail_if_no_peer_cert = false
> ; Path to file containing PEM encoded CA certificates (trusted
> ; certificates used for verifying a peer certificate). May be omitted if
> ; you do not want to verify the peer.
> cacert_file = /u01/instance_ssl_key/ca.pem
> ; The verification fun (optional) if not specified, the default
> ; verification fun will be used.
> ;verify_fun = {Module, VerifyFun}
> ; maximum peer certificate depth
> ;ssl_certificate_max_depth = 1
> ;
> ; Reject renegotiations that do not live up to RFC 5746.
> ;secure_renegotiate = true
> secure_renegotiate = undefined
> ; The cipher suites that should be supported.
> ; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
> ; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
> ;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
> ciphers = undefined
> ; The SSL/TLS versions to support
> ;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
> tls_versions = undefined
>
> ; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
> ; the Virtual Host will be redirected to the path. In the example below all requests
> ; to http://example.com/ are redirected to /database.
> ; If you run CouchDB on a specific port, include the port number in the vhost:
> ; example.com:5984 = /database
> [vhosts]
> ;example.com = /database/
>
> ; To create an admin account uncomment the '[admins]' section below and add a
> ; line in the format 'username = password'. When you next start CouchDB, it
> ; will change the password to a hash (so that your passwords don't linger
> ; around in plain-text files). You can add more admin accounts with more
> ; 'username = password' lines. Don't forget to restart CouchDB after
> ; changing this.
> [admins]
> ;admin = mysecretpassword
> admin = <encrypted-password>
> replicator = <encrypted-password>
>
> [cors]
> origins = https://github.aetna.com
> credentials = true
> methods = GET, PUT, POST, HEAD, DELETE
> headers = accept, authorization, content-type, origin, referer
>
> This e-mail may contain confidential or privileged information. If you
> think you have received this e-mail in error, please advise the sender
> by reply e-mail and then delete this e-mail immediately. Thank you. Aetna
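The checklist in Joan's reply (identical [admins] hash lines, identical server secret, identical [couchdb] uuid on every node) is what makes authentication survive a load balancer. CouchDB hashes a plaintext [admins] password on each node with its own random salt, and the AuthSession cookie's HMAC is keyed on the server secret plus that per-user salt, so a cookie minted by one node is rejected by any node whose hash line or secret differs. When an F5 sprays a browser's requests across three nodes, some of them fail with 401 and Fauxton reports the database as failing to load, which is consistent with the symptoms above. The script below is an added example, not code from the thread or from CouchDB: it parses each node's ini text with the standard library and reports every cluster-wide setting that differs or is missing on some node. It reads the secret from [couch_httpd_auth], where the posted local.ini keeps it. The three node fragments, the hashes, the secret and the uuid are constructed for the demo; to use it for real, replace the sample dict with the contents of each node's local.ini.

```python
"""Added example: verify that the settings a CouchDB 2.x cluster requires to be
identical on every node really are identical, by diffing each node's .ini text.

All node fragments, hashes, secrets and uuids below are constructed for the
demo and do not come from any real deployment.
"""
import configparser
from typing import Dict, List, Optional, Tuple

Setting = Tuple[str, str]             # (section, key)
ValuesByNode = Dict[str, Optional[str]]

# Settings that must match byte-for-byte on every node. [admins] entries are
# added dynamically below, because the user names are deployment-specific.
REQUIRED_KEYS: List[Setting] = [
    ("couchdb", "uuid"),
    ("couch_httpd_auth", "secret"),
]


def parse_ini(text: str) -> configparser.ConfigParser:
    """Parse CouchDB-style ini text: ';' lines are comments, option names keep
    their case, and no '%' interpolation is attempted on hashed passwords."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def cluster_wide_values(nodes: Dict[str, str]) -> Dict[Setting, ValuesByNode]:
    """Return {(section, key): {node: value or None}} for every setting that
    has to agree cluster-wide, including every [admins] user seen on any node."""
    parsed = {name: parse_ini(text) for name, text in nodes.items()}
    settings = set(REQUIRED_KEYS)
    for cp in parsed.values():
        if cp.has_section("admins"):
            settings.update(("admins", user) for user in cp.options("admins"))
    out: Dict[Setting, ValuesByNode] = {}
    for section, key in sorted(settings):
        out[(section, key)] = {
            name: cp.get(section, key) if cp.has_option(section, key) else None
            for name, cp in parsed.items()
        }
    return out


def find_mismatches(nodes: Dict[str, str]) -> Dict[Setting, ValuesByNode]:
    """Only the settings whose value differs, or is missing, on some node.
    A missing value (None) counts as a mismatch, never as a silent pass."""
    return {
        setting: values
        for setting, values in cluster_wide_values(nodes).items()
        if len(set(values.values())) > 1
    }


def report(nodes: Dict[str, str]) -> List[str]:
    """Human-readable lines, one header plus one line per node for each
    problem; an empty list means the nodes are consistent."""
    lines: List[str] = []
    for (section, key), values in find_mismatches(nodes).items():
        lines.append(f"[{section}] {key} differs across nodes:")
        for node, value in values.items():
            lines.append(f"  {node}: {value if value is not None else '<missing>'}")
    return lines


# Constructed sample: node1 and node2 carry the same hashed admin lines and the
# same secret; node3 was given the plaintext password separately (so CouchDB
# hashed it with a different salt), never got the replicator admin, and its
# secret was never copied over. The uuid was synced correctly on all three.
_COMMON = """
[couchdb]
uuid = 0f0e0d0c0b0a09080706050403020100

[chttpd]
port = 5984
bind_address = 0.0.0.0
"""

_GOOD_NODE = _COMMON + """
[couch_httpd_auth]
secret = 00112233445566778899aabbccddeeff

[admins]
admin = -pbkdf2-1111111111111111111111111111111111111111,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,10
replicator = -pbkdf2-3333333333333333333333333333333333333333,cccccccccccccccccccccccccccccccc,10
"""

_STRAY_NODE = _COMMON + """
[couch_httpd_auth]
secret = ffeeddccbbaa99887766554433221100

[admins]
admin = -pbkdf2-2222222222222222222222222222222222222222,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,10
"""

SAMPLE_NODES: Dict[str, str] = {
    "node1": _GOOD_NODE,
    "node2": _GOOD_NODE,
    "node3": _STRAY_NODE,
}


if __name__ == "__main__":
    problems = report(SAMPLE_NODES)
    print("\n".join(problems) if problems else "all cluster-wide settings agree")
```

Run it against the sample and it flags `[admins] admin`, `[admins] replicator` (missing on node3) and `[couch_httpd_auth] secret`, while the uuid passes. The fix is the one Joan describes: copy the hashed `admin = -pbkdf2-...` line, not the plaintext password, to every node, along with the secret and uuid, then restart each node.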
