Differences between revisions 6 and 7
Revision 6 as of 2012-11-14 08:48:47
Size: 1870
Editor: chello084112019176
Comment: note on realworld couch
Revision 7 as of 2018-12-17 22:52:42
Size: 0
Editor: JoanTouzet
Comment: Outdated; see https://docs.couchdb.org/en/stable/config/http.html?highlight=ssl#https-ssl-tls-options

CouchDB natively supports SSL from version 1.1.0 onwards, provided the underlying Erlang/OTP installation was built with its ssl application.

To enable it:

1) Enable the httpsd daemon by adding the following line to your local.ini or local_dev.ini (newly generated files already contain this setting, commented out):

{{{
[daemons]
httpsd = {couch_httpd, start_link, [https]}
}}}

2) Tell CouchDB where your PEM-encoded server certificate and private key are:

{{{
[ssl]
cert_file = /full/path/to/server_cert.pem
key_file = /full/path/to/server_key.pem
;port = 6984
}}}

On Windows, the path must be written in one of the following formats:

 * fully specified Windows path with backslashes replaced by forward slashes and spaces escaped: c:/program\ files/couchdb/etc/config/couchdb/<your.pem>
 * Unix-style path, where the root / is the root of the drive CouchDB is installed on: /program\ files/couchdb/etc/config/couchdb/<your.pem>
 * path relative to the %COUCH%/bin folder: ../etc/couchdb/<your.pem>

3) Restart CouchDB.

CouchDB should now accept SSL connections on port 6984 by default.
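The three steps above as one script, added here as an example and not part of the original page or of CouchDB's own tooling. It preflights the PEM files (the private key must exist and must not be group- or world-readable, which matters whether or not TLS ends up working), then appends the [daemons] and [ssl] stanzas from the steps above to the ini file, without duplicating the httpsd entry on a second run. The argument order, the default port and the function names are this example's own choices; restarting CouchDB is left to you.

```shell
#!/bin/sh
# Added example (not CouchDB project code): enable httpsd in a CouchDB
# 1.1+ local.ini after checking the certificate and key files.
# usage: sh enable_https.sh /etc/couchdb/local.ini /full/path/cert.pem /full/path/key.pem [port]

# 0 if FILE is a regular file whose mode grants nothing to group/other.
# ls -l is used rather than stat because stat's flags differ between
# GNU and BSD; columns 5-10 are the group and other permission bits.
key_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Append the stanzas unless an active httpsd line is already present.
# CouchDB merges repeated sections, so appending a fresh [daemons] and
# [ssl] section overrides a commented-out default without editing it.
enable_https() {
    ini="$1"; cert="$2"; key="$3"; port="${4:-6984}"
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
    key_is_private "$key" || {
        echo "key missing or too permissive (want mode 0600): $key" >&2
        return 1
    }
    if grep -q '^httpsd *=' "$ini" 2>/dev/null; then
        echo "httpsd already enabled in $ini, nothing written" >&2
        return 0
    fi
    cat >>"$ini" <<EOF

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = $cert
key_file = $key
port = $port
EOF
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ $# -ge 3 ]; then
    enable_https "$@"
fi
```

After it succeeds, restart CouchDB (step 3) and check the port with curl as described under Troubleshooting.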

== Troubleshooting ==

To rule out a problem with your own certificates, first try the test ones from [[https://github.com/mochi/mochiweb/tree/master/examples/https|MochiWeb]] and test from the command line using (note that -k disables certificate verification, so this only shows that the TLS handshake completes; once that works, verify against your CA with --cacert instead)
{{{
curl -k -v https://127.0.0.1:6984/
}}}

You can also test your certificates on their own, outside CouchDB, using:
{{{
openssl s_server -key <keyfile> -cert <certfile> -www
curl -k -v https://localhost:4433/
}}}
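A more direct check than the s_server round trip above, added here as an example that is not part of the original page or of CouchDB: confirm that the key and certificate actually belong together and that the certificate is not about to expire, then probe the CouchDB port. A key that does not match the certificate is the usual reason httpsd starts cleanly but every handshake fails. It assumes the openssl and curl command-line tools; the self-signed pair it can generate is constructed for a local test only, in the same spirit as the MochiWeb test certificates.

```shell
#!/bin/sh
# Added example (not CouchDB project code): validate a PEM certificate
# and private key before pointing CouchDB's [ssl] section at them.

# 0 if the public key inside CERT equals the public half of KEY.
# Both commands emit the SubjectPublicKeyInfo as PEM, so the two
# outputs can be compared as strings.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 0 if CERT is still valid DAYS days from now (default 30).
# openssl -checkend exits non-zero when the certificate expires within
# the given number of seconds.
cert_not_expiring() {
    secs=$(( ${2:-30} * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1
}

# Self-signed pair for a local check only; never deploy it.
# Arguments: CERT_OUT KEY_OUT
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=localhost" -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Probe CouchDB's HTTPS port. With a CA file the chain is verified;
# without one -k is used, which only proves that a TLS server answers.
# Arguments: [HOST] [PORT] [CA_FILE]
probe_https() {
    host="${1:-127.0.0.1}"; port="${2:-6984}"; ca="$3"
    if [ -n "$ca" ]; then
        curl -sS --cacert "$ca" "https://$host:$port/"
    else
        curl -sS -k "https://$host:$port/"
    fi
}

# Run the checks when invoked as: sh check_pem.sh cert.pem key.pem
if [ $# -eq 2 ]; then
    cert_matches_key "$1" "$2" || { echo "key does not match cert" >&2; exit 1; }
    cert_not_expiring "$1" 30 || { echo "cert expires within 30 days" >&2; exit 1; }
    echo "cert and key look consistent"
fi
```

For a self-signed certificate, pass the certificate file itself as the CA file to probe_https; that checks that CouchDB is serving the certificate you configured, not merely that something answers on the port.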

== Notes ==

Erlang/OTP releases at R15B02 or earlier (current when this was written) have a variety of minor SSL issues. If you expect heavy use, consider terminating SSL in front of CouchDB instead, with a wrapper such as [[https://www.stunnel.org/|stunnel]] or [[http://haproxy.1wt.eu/|haproxy]], or a reverse / front-end proxy such as nginx or apache2.