Configuring CouchDB for HTTPS only

November 18, 2015

Getting CouchDB to work via HTTPS is fairly well documented. Disabling HTTP turned out to be the harder part to figure out.

Enabling HTTPS

The official documentation is actually incomplete (or more likely, simply outdated). But it’s still a pretty straightforward process. Edit your local.ini to include the following:

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /etc/ssl/private/server.crt
key_file = /etc/ssl/private/server.key
cacert_file = /etc/ssl/private/cacert.pem

Of course you’ll need a valid certificate, key, and CA cert file, either signed by an official certificate authority or self-signed. How to obtain these is beyond the scope of this document, but Google will give you countless versions of the necessary instructions appropriate for your operating system.

Disabling HTTP

I spent a while Googling this one, and finally stumbled upon an obscure mailing list post with the answer. Edit default.ini and comment out the following line, found in the [daemons] section:

;httpd={couch_httpd, start_link, []}

Restart, test

Restart the server, and test:

$ curl http://localhost:5984/
curl: (7) Failed to connect to localhost port 5984: Connection refused

Good, HTTP is disabled.

$ curl https://localhost:6984/
curl: (51) SSL: no alternative certificate subject name matches target host name 'localhost'

And HTTPS is working, although with a certificate that doesn’t identify itself as ‘localhost’. If I substitute the proper domain name, I get full success:

$ curl https://realhostname.com:6984/
{"couchdb":"Welcome","uuid":"a176f89954c3ddba7aa592d712c25140","version":"1.6.1","vendor":{"name":"The Apache Software Foundation","version":"1.6.1"}}
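Because the edit to default.ini is easy to lose, here is a small added check (my own example, not part of the original post or of CouchDB itself) that parses the two ini files in the order CouchDB layers them and reports whether plain HTTP is still enabled and whether the [ssl] entries are complete. The ini text below is constructed from the snippets above; the `path_exists` parameter is an assumption made so the check can be run without the real certificate files.

```python
import configparser
import os
from typing import Callable, Dict, List

# Constructed sample files mirroring the edits described in the post
# (not copied from any real CouchDB installation).
DEFAULT_INI = """
[daemons]
;httpd={couch_httpd, start_link, []}
view_manager={couch_view, start_link, []}
"""

LOCAL_INI = """
[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /etc/ssl/private/server.crt
key_file = /etc/ssl/private/server.key
cacert_file = /etc/ssl/private/cacert.pem
"""

REQUIRED_SSL_KEYS = ("cert_file", "key_file", "cacert_file")


def load_merged_config(*ini_texts: str) -> configparser.ConfigParser:
    """Parse ini texts in load order; later ones override earlier ones, which is
    how CouchDB layers local.ini over default.ini. Lines beginning with ';' are
    comments, so a commented-out httpd daemon simply disappears from the result."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    for text in ini_texts:
        cfg.read_string(text)
    return cfg


def audit_https_only(default_ini: str, local_ini: str,
                     path_exists: Callable[[str], bool] = os.path.exists) -> Dict[str, object]:
    """Report whether plain HTTP is still on, whether HTTPS is on, and which
    [ssl] entries are missing or point at files that do not exist."""
    cfg = load_merged_config(default_ini, local_ini)
    daemons = cfg["daemons"] if cfg.has_section("daemons") else {}
    ssl = cfg["ssl"] if cfg.has_section("ssl") else {}
    problems: List[str] = []
    for key in REQUIRED_SSL_KEYS:
        if key not in ssl:
            problems.append(f"[ssl] {key} not set")
        elif not path_exists(ssl[key]):
            problems.append(f"[ssl] {key} -> {ssl[key]} not found")
    return {"http_enabled": "httpd" in daemons,
            "https_enabled": "httpsd" in daemons,
            "ssl_problems": problems}
```

Run it against the real default.ini and local.ini after every package upgrade, since an upgrade can replace default.ini and quietly bring the httpd daemon back.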