Here are my notes from configuring CouchDB to face the big wide web.
First off, the version of CouchDB in the Ubuntu repos was quite out of date, so I decided it was best to compile from source, which is pretty straightforward. I followed the instructions from CouchDB: The Definitive Guide, but the guide in the wiki is just as good and contains some vital troubleshooting tips.
First off install the dependencies:
sudo apt-get install build-essential erlang libicu-dev libmozjs-dev libcurl4-openssl-dev
Next download the source:
cd /tmp
sudo wget http://apache.is.co.za/couchdb/releases/1.2.0/apache-couchdb-1.2.0.tar.gz
Install!
tar xzf apache-couchdb-1.2.0.tar.gz
cd apache-couchdb-1.2.0
sudo ./configure
sudo make && sudo make install
Now to secure the installation. First, let's create a system user to run it as:
sudo adduser --system --home /usr/local/var/lib/couchdb --no-create-home --shell /bin/bash --group --gecos "CouchDB" couchdb
Then change the ownership and permissions of the CouchDB files:
sudo chown -R couchdb:couchdb /usr/local/etc/couchdb
sudo chown -R couchdb:couchdb /usr/local/var/lib/couchdb
sudo chown -R couchdb:couchdb /usr/local/var/log/couchdb
sudo chown -R couchdb:couchdb /usr/local/var/run/couchdb
sudo chmod -R 0770 /usr/local/etc/couchdb
sudo chmod -R 0770 /usr/local/var/lib/couchdb
sudo chmod -R 0770 /usr/local/var/log/couchdb
sudo chmod -R 0770 /usr/local/var/run/couchdb
Next install the logrotate and init.d scripts:
sudo ln -s /usr/local/etc/logrotate.d/couchdb /etc/logrotate.d/couchdb
sudo ln -s /usr/local/etc/init.d/couchdb /etc/init.d
sudo update-rc.d couchdb defaults
I spent a fair bit of time trying to configure CouchDB to use the built-in SSL web server, but in the end was unsuccessful. Along the way I found out that the built-in server has difficulty handling high loads and is being actively patched to try to resolve this issue.
Nginx it is. Installing nginx is outside the scope of this post, so I'm just going to assume you already have it installed. Here is my nginx config, which I saved in /etc/nginx/conf.d/couchdb.conf:
server {
    listen 80;
    server_name couch.domain.com;
    # send all plain HTTP traffic to the HTTPS vhost below
    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443;
    server_name couch.domain.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken protocols; a current deployment should list only TLS versions here
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # CouchDB listens on the loopback interface only; nginx is the only way in from outside
        proxy_pass http://localhost:5984;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # clears the client's Authorization header, so CouchDB never receives Basic credentials sent through nginx
        proxy_set_header Authorization "";
        proxy_set_header X-Forwarded-Ssl on;
    }
}
I scraped my config together from various parts of the wiki until I had a working configuration.
I'm using self-signed certificates, so we'll have to generate them and put them in the correct place:
cd /tmp
openssl genrsa -out couch_key.pem 4096
openssl req -new -x509 -key couch_key.pem -out couch_cert.pem -days 1095
sudo mv couch_key.pem /etc/ssl/private
sudo mv couch_cert.pem /etc/ssl/certs
Finally, let's set up basic auth for CouchDB. It's just two lines you need to change in /usr/local/etc/couchdb/local.ini. First find and uncomment:
; Uncomment next line to trigger basic-auth popup on unauthorized requests.
WWW-Authenticate = Basic realm="administrator"
Next add an admin user
[admins]
admin = secret
Lastly, check that it is all working:
curl -L -k https://admin:secret@couch.domain.com/
{"couchdb":"Welcome","version":"1.2.0"}
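As an added example (not part of the original post), here is a small POSIX shell audit of the two files configured above: it flags SSLv2/SSLv3 in the nginx vhost, the cleared Authorization header, a CouchDB bind_address other than 127.0.0.1, and an [admins] password CouchDB has not yet rewritten to its hashed form. The sample files it checks are constructed inline from the post's own settings, with a bind_address line added to show that check firing.

```shell
# Added example, not from the original post: audit the nginx vhost and the
# CouchDB local.ini of this setup for the settings a reviewer would flag.
# The input files are constructed below from the post's own config.
# Print weak nginx settings to stderr and the number found to stdout.
audit_nginx() {
    n=0
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3) echo "obsolete protocol enabled: $p" >&2; n=$((n + 1)) ;;
        esac
    done
    # Blanking Authorization discards the client's Basic credentials before
    # CouchDB sees them, so its own [admins] check never gets them via nginx.
    if grep -q 'proxy_set_header[[:space:]]*Authorization[[:space:]]*""' "$1"; then
        echo "Authorization header cleared before proxying" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# Same for local.ini: CouchDB must stay on 127.0.0.1 behind the proxy, and an
# [admins] entry CouchDB has not yet rewritten to -hashed-/-pbkdf2- is plaintext.
audit_couch_ini() {
    n=0
    bind=$(sed -n 's/^[[:space:]]*bind_address[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$bind" ] && [ "$bind" != "127.0.0.1" ]; then
        echo "CouchDB bound to $bind instead of 127.0.0.1" >&2; n=$((n + 1))
    fi
    section=""
    while IFS= read -r line; do
        case "$line" in
            \[*\]) section="$line"; continue ;;
            \;*|"") continue ;;
        esac
        case "$section:$line" in
            "[admins]:"*=*-hashed-*|"[admins]:"*=*-pbkdf2-*) ;;
            "[admins]:"*=*) echo "plaintext admin password: ${line%%=*}" >&2; n=$((n + 1)) ;;
        esac
    done < "$1"
    echo "$n"
}

# Constructed samples: the post's server block (trimmed) plus an opened bind_address.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'server {' '  listen 443;' '  ssl on;' '  ssl_protocols SSLv2 SSLv3 TLSv1;' \
  '  location / {' '    proxy_pass http://localhost:5984;' \
  '    proxy_set_header Authorization "";' '  }' '}' > "$SAMPLE_DIR/couchdb.conf"
printf '%s\n' '[httpd]' 'bind_address = 0.0.0.0' '[admins]' 'admin = secret' > "$SAMPLE_DIR/local.ini"
audit_nginx "$SAMPLE_DIR/couchdb.conf"     # prints 3
audit_couch_ini "$SAMPLE_DIR/local.ini"    # prints 2
```

Run it against the real /etc/nginx/conf.d/couchdb.conf and /usr/local/etc/couchdb/local.ini after CouchDB has restarted once, so the [admins] password has been hashed.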
That’s it, please feel free to leave any suggestions for improvement/ask for help in the comments.