...
Disabling CouchDB HTTP layer
It is not possible to disable the existing HTTP layer completely in CouchDB 2.3.1, so only allowing HTTPS access - albeit not cleanly, requires a firewall rule.
In some older versions of CouchDB 2.x (that have OTHER security issues, and we do NOT recommend you run these) you can disable port 5984 by amending /usr/local/etc/couchdb/default.ini [daemons ] section accordingly:
...
Currently it is not possible to disable it in the more common /usr/local/etc/couchdb/local.ini [daemons ] file.
Please watch this ticket for progress on restoring this functionality: https://github.com/apache/couchdb/issues/2106
Accessing and Verifying SSL
...
The webpage at https://mydomainname.example.com:6984/ might be temporarily down or it may have moved permanently to a new web address.Error code: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED
This SSL problem does not occur in CouchDB 1.6.1 on Ubuntu 14.10.