Hello,

Is it possible to leave just SSL (6984) listening? I have enabled SSL
but requests are still accepted via plain HTTP 5984.

Best,

-Nestor

  • Nils Breunese at Oct 21, 2011 at 10:57 am

    Nestor Urquiza wrote:

    Is it possible to leave just SSL (6984) listening? I have enabled SSL
    but requests are still accepted via plain HTTP 5984.
    I don't know if CouchDB has a configuration setting that lets you disable HTTP, but I guess you could use a firewall to block access to the HTTP port?

    Nils.
    ------------------------------------------------------------------------
    VPRO www.vpro.nl
    ------------------------------------------------------------------------
  • Benoit Chesneau at Oct 21, 2011 at 11:24 am

    You can probably comment the httpd line in [daemons] and only use the https one.

    - benoit
  • Robert Newson at Oct 21, 2011 at 11:32 am
    Fairly sure you can do as Benoit suggests. It was certainly my
    intention to allow one or other or both, and that was the case when I
    did the original work.

    B.
  • Nestor Urquiza at Oct 21, 2011 at 12:38 pm
    Thanks for the fast responses.

    Here is what I have in daemons section:
    [daemons]
    ; enable SSL support by uncommenting the following line and supply the PEM's below.
    ; the default ssl port CouchDB listens on is 6984
    httpsd = {couch_httpd, start_link, [https]}

    Still I get the below:
    $ ./utils/run
    Apache CouchDB 1.1.1a1186848 (LogLevel=info) is starting.
    [info] [<0.97.0>] Attempting to start replication `d30383157f3a29c1356051d04c7a5ed8+continuous+create_target` (document `by_clientId`).
    Apache CouchDB has started. Time to relax.
    [info] [<0.31.0>] Apache CouchDB has started on http://127.0.0.1:5984/
    [info] [<0.31.0>] Apache CouchDB has started on https://127.0.0.1:6984/

    Not sure what I am missing.
    Best,
    -Nestor

  • Benoit Chesneau at Oct 21, 2011 at 12:53 pm

    did you comment the line in default.ini?

    - benoit
  • Nestor Urquiza at Oct 21, 2011 at 1:16 pm
    That was it: I did the change in default.ini and that did the trick.
    Thanks!
    -Nestor
  • Dave Cottlehuber at Oct 21, 2011 at 1:22 pm

    Is there a sensible way to do this in local.ini to avoid advising
    users to fiddle with default.ini, which gets over-written each
    release?

    A+
    Dave
  • Nestor Urquiza at Oct 21, 2011 at 1:29 pm
    Also I forgot to mention this worked in my production server where I
    start couchdb using:
    sudo /usr/local/etc/init.d//couchdb start

    However this did not work when running ./utils/run in my local
    environment. I kept having the two ports available there.
  • Benoit Chesneau at Oct 21, 2011 at 1:31 pm

    default_dev.ini
  • Nestor Urquiza at Oct 21, 2011 at 1:38 pm
    Great! Working now in local environment as well.
  • Jan Lehnardt at Oct 21, 2011 at 4:00 pm

    On Oct 21, 2011, at 15:21 , Dave Cottlehuber wrote:
    Is there a sensible way to do this in local.ini to avoid advising
    users to fiddle with default.ini, which gets over-written each
    release?
    Good catch, currently not.

    Cheers
    Jan
    --
  • Nestor Urquiza at Dec 11, 2012 at 8:02 pm
    This is an old thread but the issue is back in version 1.2.0

    Commenting out the suggested line from default.ini ...
    [daemons]
    #httpd={couch_httpd, start_link, []}

    ... does not stop couchdb from listening in the unsecure plain HTTP 5984:
    dev@udesktop2:~$ sudo /etc/init.d/couchdb restart
    * Restarting database server couchdb    [ OK ]
    dev@udesktop2:~$ curl -X GET http://localhost:5984
    {"couchdb":"Welcome","version":"1.2.0"}
    dev@udesktop2:~$ curl -k -X GET https://localhost:6984
    {"couchdb":"Welcome","version":"1.2.0"}
    dev@udesktop2:~$

    Any ideas other than using iptables?
  • Adam Kocoloski at Dec 11, 2012 at 8:05 pm
    I think that may be the wrong syntax for .ini file comments. Can you try a leading ";" instead?

    Adam
  • Nestor Urquiza at Dec 12, 2012 at 1:03 am
    Adam,

    Thank you very much. Too much bash recently so I completely missed the
    fact I was using the wrong comment syntax.

    Cheers,
    -Nestor
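
The check this thread converges on, as an added example (not code from the thread or from the CouchDB project): it reads the [daemons] section of each config file in load order, treats only a leading ";" as a comment, and reports every couch_httpd entry that would still start a plain-HTTP listener. The function names and sample file contents are constructed for illustration, and reading a "#"-prefixed line as an ordinary key is an assumption consistent with the behaviour reported above.

```python
import re

# Daemon spec shape as it appears in the thread: {couch_httpd, start_link, [ARGS]}
SPEC = re.compile(r"\{\s*couch_httpd\s*,\s*start_link\s*,\s*\[(.*?)\]\s*\}")

# Constructed sample files modeled on the snippets posted in the thread.
DEFAULT_INI_HASH = """\
[daemons]
#httpd={couch_httpd, start_link, []}
httpsd = {couch_httpd, start_link, [https]}
"""
DEFAULT_INI_SEMI = """\
[daemons]
;httpd={couch_httpd, start_link, []}
httpsd = {couch_httpd, start_link, [https]}
"""
LOCAL_INI_REENABLES = """\
[daemons]
httpd = {couch_httpd, start_link, []}
"""


def parse_ini(text):
    """Return (section, key, value, lineno) tuples; only ';' starts a comment."""
    entries = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip(), lineno))
    return entries


def plain_http_listeners(files):
    """files: list of (name, text) in load order, e.g. default.ini then local.ini.

    A later file overrides an earlier one for the same key. Returns one finding
    per effective [daemons] entry that starts couch_httpd without 'https'.
    """
    effective = {}
    for name, text in files:
        for section, key, value, lineno in parse_ini(text):
            if section == "daemons":
                effective[key] = (value, name, lineno)
    findings = []
    for key, (value, name, lineno) in effective.items():
        match = SPEC.search(value)
        if not match:
            continue
        args = [a.strip() for a in match.group(1).split(",") if a.strip()]
        if "https" not in args:
            findings.append({
                "key": key,
                "file": name,
                "line": lineno,
                # True when the entry looks like a shell-style comment attempt
                "hash_commented": key.startswith("#"),
            })
    return findings


if __name__ == "__main__":
    for label, files in [
        ("'#' comment", [("default.ini", DEFAULT_INI_HASH)]),
        ("';' comment", [("default.ini", DEFAULT_INI_SEMI)]),
        ("local.ini re-enables", [("default.ini", DEFAULT_INI_SEMI),
                                  ("local.ini", LOCAL_INI_REENABLES)]),
    ]:
        print(label, "->", plain_http_listeners(files))
```

Run it against the files the server actually loads (default.ini or default_dev.ini, then local.ini), and confirm the result with the same curl requests to ports 5984 and 6984 shown in the thread.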

Discussion Overview
group: user @
categories: couchdb
posted: Oct 21, '11 at 10:30a
active: Dec 12, '12 at 1:03a
posts: 15
users: 7
website: couchdb.apache.org
irc: #couchdb
