Apache as Reverse Proxy for CouchDB - http

I'm thinking of a web app that uses CouchDB extensively, to the point where there would be great gains from serving with the native erlang HTTP API as much as possible.
Can you configure Apache as a reverse proxy to allow outside GETs to be proxied directly to CouchDB, whereas PUT/POST are sent to the application internal logic (for sanitation, authentication...)? Or is this unwise -- the CouchDB built-in authentication options just seem a little weak for a Web App.
Thanks

You can use mod_rewrite to selectively proxy requests based on the HTTP method.
For example:
# Send all GET and HEAD requests to CouchDB
RewriteCond %{REQUEST_METHOD} GET|HEAD
RewriteRule /db/(.*) http://localhost:5984/mydb/_design/myapp/$1 [P]
# Correct all outgoing Location headers
ProxyPassReverse /db/ http://localhost:5984/mydb/_design/myapp/
Any POST, PUT, or DELETE requests will be handled by Apache as usual, so you can wire up your application tier however you usually would.

Your question is aging without answers, so I'll add this "almost answer".
Nginx can definitely redirect differently based on requests.
This is, if you are ready to place nginx in the front as the revproxy and place apache and couchdb both as backends.

Did you see this? OAuth and cookie authentication were checked in on the 4th:
http://github.com/halorgium/couchdb/commit/335af7d2a9ce986f0fafa4ddac7fc1a9d43a8678
Also, if you're at all interested in using Erlang as the server language, you could proxy couchdb through webmachine:
http://blog.beerriot.com/2009/05/18/couchdb-proxy-webmachine-resource/

I would consider using the reverse proxy feature of Apache mod_proxy. Create a virtual host configuraton that forwards certain HTTP requests of the web server to CouchDB. You can setup rules on which URI paths that should be forwarded etc.
See this guide for inspiration: http://macgyverdev.blogspot.se/2014/02/apache-web-server-as-reverse-proxy-and.html

Related

filter requests on nginx server when it serves as both http server and reverse proxy

I have an nginx server serving both as an http server (frontend) on / and reverse proxy on /api, where it forwards the requests to a node server (backend) on the same machine (localhost).
I am using authentication only on the frontend. The backend accepts all incoming requests and does not authenticate again the requests.
I would like to allow all requests coming from the frontend to the backend. I would like to block all requests coming to the backend from other sources (via the reverse proxy of course).
For example, the frontend will try to login the user using the user third-party auth id via https://domain/api/login/id. The reverse proxy will forward it to the backend. This is fine.
I can also access the backend directly from any other machine via https://domain/api/login/id.
My question is the following. I would like to block all requests not originating by the frontend. I have tried figuring out how to find the information but it seems that the X-Real-IP header always refers to the browser originating the request (either by using the frontend or directly). I am wondering if there is any header I can set in the reverse proxy which will tell the backend that this is an allowed call, or even use nginx own allow/deny rules. Right now, I do not manage to make a distinction between the two types of requests.
Thank you very much!

Forced to use wss:// when behind proxy from https to http

I have setup a nginx proxy to pass https url to internal http neo4j web. I can reach the neo4j login page without any issue, but I am forced to use the neo4j+s/bolt+s interface.
Just wondering how I can configure nginx to remove any ssl related info via proxypass module, in order to login in neo4j with ws, no wss?
Thanks,
Chance
I managed to get rid of wss by adding another nginx proxy to set the https url as upstream server in location.proxy_pass. It won't show wss/neo4j+s/bolt+s any more once you visit the web by the http url. Hopefully it will help for anyone has the similar issue as me.

Cloud foundry / XSA how to make http only service

We are working on SAP XS Advanced that is based on Cloud foundry and we got into a funny situation, we need an app to be HTTP only (I know it's not secure...but our situation requires it to be HTTP).
Does anyone know how to disable default deployment to HTTPS?
You can have your application check if the connection came in over HTTP or HTTPS and if it's the latter, you can redirect the user to HTTP. Normally, you'd do the opposite, but it should work this way too.
On Cloud Foundry, you can check if the connection is HTTP or HTTPS by examining the X-Forwarded-Proto header. That will tell you either http or https. Alternatively, you could look at X-Forwarded-Port which would tell you 80 or 443.
How you do this and how you issue the redirect depends entirely on the application, language and frameworks you're using. Some may handle this automatically, some may require manual configuration or code changes.
Hope that helps!

Nginx - Allow requests from IP range with no header set

I'm trying to use nginx behind a Compute Engine http load balancer. I would like to allow Health Check requests to come through a port unauthorized and all other requests to be authorized with basic auth.
The Health Check requests come from IP block: 130.211.0.0/22. If I see requests coming from this IP block with no X-forwarded-for header, then it is a health check from the load balancer.
I'm confused on how to set this up with nginx.
Have you tried using Nginx header modules? Googling around I found these:
HttpHeadersMoreModule
Headers
There's also a similar question here.
Alternative. In the past I worked with a software (RT), which had thought of this possibility in the software itself, providing a subdirectory for unauthorized access (/noauth/). Maybe your software might have the same, and you could configure GCE health check to point to something like /noauth/mycheck.html.
Please remember that headers can be easily forged, so an attacker who knows your vulnerability could access your server without auth.

HTTPS Proxy for existing HTTP application

I have a running HTTP web application and I am facing problems to make it run over HTTPS.
I am thinking of bringing some HTTPS Proxy that accepts user requests and forward it to the HTTP web app.
What do you think of that? and How can I accomplish that?
Setting up stunnel is a no-brainer - and its available for Unix/Linux/Posix/MSWindows (you might have mentioned what OS you are using).
(Also you can run the program to encrypt or decrpyt, at the server or at the client side)
It's possible to run Apache Httpd (for example) using HTTPS and use mod_proxy_http as a reverse proxy to forward the requests to your existing HTTP server. Of course, for this to be of any use, you'd need the reverse proxy and the target server to be connected in such a way that connections cannot be sniffed or altered.
You may find that the existing server needs certain extra settings for it to be aware it's using HTTPS (for example, special Valves in Apache Tomcat to set the HTTPS flag to true).
Apache httpd reverse-proxy?

Resources