0

I have been using CouchDB for a long time and we authenticate through cookie auth. Now we would like to start testing proxy authentication, but I don't quite understand how it works.

I already have it activated by including the value "chttpd_auth, proxy_authentication_handler" in the section "chttpd / authentication_handlers:", but how do I indicate that token x is for user y?

I can't understand how it works.

I hope someone can help me with an example. Thank you.

asked Dec 7, 2020 at 12:26

1 Answer

1

In proxy_authentication, you are doing authentication somewhere else. That somewhere else is a proxy, or to be more specific a reverse proxy.

For example, if you're just using a single user and using nginx as a proxy to CouchDB, you set the required headers before the request is passed to CouchDB, like:

    location / {
        # pass to couchdb
        proxy_pass http://localhost:5984;
        # ... other configurations.
        # authentication header
        proxy_set_header X-Auth-CouchDB-UserName 'someone';
        proxy_set_header X-Auth-CouchDB-Roles '_admin,staff';
        proxy_set_header X-Auth-CouchDB-Token 'auth-token';
    }

CouchDB will accept the request with the given username and roles. X-Auth-CouchDB-Token should be a hex-encoded HMAC of X-Auth-CouchDB-UserName using the secret in the couch_httpd_auth section of your configuration. It is not required unless proxy_use_secret is true, which is not the case by default (although it should be used in production).

In practice, you will need to create a proxy server that validates the username (maybe with a password). Only after the user is valid will the request be passed to CouchDB with those headers attached.

Keith Hughitt
answered Dec 11, 2020 at 12:20

5 Comments

I see, but what is the token header value? Is there any way to calculate it?
Added explanation about the token.
Oh! I didn't find this in the doc... I will try it. Now it all makes sense 😅
It's in the doc. It's just scattered all over the place. ;)
Hi again, I get it. Just to add, for me and others who are lost on this subject: it's hmac-sha1. At first I was trying hmac-sha256 and it doesn't work. For testing, we can generate it at freeformatter.com/hmac-generator.html. Thanks, folks.
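
The token calculation described in the answer and the last comment, as an added example that is not part of the original answer or of CouchDB's own code. It assumes HMAC-SHA1 as reported in that comment; the function names and the secret value are hypothetical, and the header names are the ones from the nginx snippet.

```python
import hashlib
import hmac

# Header names as used in the nginx snippet in the answer.
USER_HDR = "X-Auth-CouchDB-UserName"
ROLES_HDR = "X-Auth-CouchDB-Roles"
TOKEN_HDR = "X-Auth-CouchDB-Token"


def couchdb_proxy_token(secret: str, username: str) -> str:
    """Hex-encoded HMAC-SHA1 of the username, keyed with the CouchDB secret."""
    return hmac.new(secret.encode(), username.encode(), hashlib.sha1).hexdigest()


def token_is_valid(secret: str, username: str, token: str) -> bool:
    """Constant-time comparison of a presented token with the expected one."""
    expected = couchdb_proxy_token(secret, username)
    return hmac.compare_digest(expected.encode(), token.lower().encode())


def build_upstream_headers(client_headers, username, roles, secret):
    """Headers the proxy forwards to CouchDB for an already authenticated user.

    Every X-Auth-CouchDB-* header sent by the client is dropped first, so the
    username and roles CouchDB sees always come from the proxy itself.
    """
    upstream = {name: value for name, value in client_headers.items()
                if not name.lower().startswith("x-auth-couchdb-")}
    upstream[USER_HDR] = username
    upstream[ROLES_HDR] = ",".join(roles)
    upstream[TOKEN_HDR] = couchdb_proxy_token(secret, username)
    return upstream


if __name__ == "__main__":
    # Constructed sample values: a made-up secret and a client request that
    # tries to supply its own roles header.
    secret = "constructed-secret-not-a-real-one"
    incoming = {"Accept": "application/json", "x-auth-couchdb-roles": "_admin"}
    headers = build_upstream_headers(incoming, "someone", ["staff"], secret)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The secret passed in must be the same string configured in CouchDB, and it only takes effect when proxy_use_secret is true.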
