cytoscape / cytoscape-explore

Network visualization webapp.
MIT License
12 stars 4 forks

CouchDB exposes a db/_utils/ route when deploying CE #95

Closed d2fong closed 2 years ago

d2fong commented 2 years ago

Describe the bug The node server exposes a route /db/_utils/ that any client can access. Is there a way to configure couchDB to not expose this route?

To Reproduce Steps to reproduce the behavior:

  1. go to localhost:3000 or wherever the app is deployed
  2. go to localhost:3000/db/_utils/
  3. you can see the couchdb admin console and access all the networks

Expected behavior This route may have some value when developing locally, but it should probably be restricted in a production environment.

d2fong commented 2 years ago

https://stackoverflow.com/questions/65234385/how-to-disable-fauxton-interface

Looks like there is a config entry that can be edited in the couchdb.ini file

maxkfranz commented 2 years ago

There's just middleware here for proxying:

https://github.com/cytoscape/cytoscape-explore/blob/a1f4a2045c1c6aa7520f9ff311caeeb126800449/src/server/index.js#L63-L64

You can see here that documents without the secret header are rejected:

https://github.com/cytoscape/cytoscape-explore/blob/a1f4a2045c1c6aa7520f9ff311caeeb126800449/src/server/secrets.js#L46-L65

So Couch can be configured to not expose certain routes in the first place and/or middleware can be used to forbid certain routes.

maxkfranz commented 2 years ago

Eventually, you'd apply the middleware approach to ensure that auth is applied correctly w.r.t. NDEX ACLs, so it would be good to familiarise yourselves with how the middleware works in any case, if you haven't already -- @jingjingbic @keiono @d2fong

jingjingbic commented 2 years ago

@maxkfranz we are not familiar with the configuration of couchDB, could you tell us how we should config it? We are using the middleware approach in NDEx, none of our database servers are exposed to the client directly, all data operations are through the application REST servers' DAO functions. Exposing database port through proxy is a risky practice in production environment from my experience.

maxkfranz commented 2 years ago

You can set the configuration file options to disable utils: https://docs.couchdb.org/en/stable/config-ref.html

Or you can add another middleware function before proxying, like app.use(‘/db’, forbidUtils). Maybe that’s simpler since you don’t have to worry about configuring things away from the defaults?

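The "middleware before the proxy" idea from the comment above, written out as an added example; this is not code from cytoscape-explore or its authors. It is a guard that would be mounted as app.use('/db', guardCouchRoutes, proxy) and compares the single-route denylist (forbid only /_utils) with an allowlist that lets through only database-scoped paths. The assumption that Express has already stripped the /db mount prefix from req.url, the database name `networks`, and the sample paths are illustrative and not taken from the issue.

```javascript
'use strict';
// Added example, not code from cytoscape-explore. It sketches the
// "middleware before the proxy" option from the comment above, mounted as
// app.use('/db', guardCouchRoutes, proxy). Express strips the mount prefix,
// so req.url here is the part after /db (e.g. "/_utils/"); that, the
// database name "networks" and the sample paths are assumptions.

// CouchDB database names: start with a-z, then a-z 0-9 _ $ ( ) + - (and "/",
// omitted here because it would already be a separate path segment).
const DB_NAME = /^[a-z][a-z0-9_$()+-]*$/;

// Split a request URL into decoded path segments, or null if the
// percent-encoding is malformed (a decode failure is a deny, never a pass).
function pathSegments(urlPath) {
  const pathOnly = urlPath.split('?')[0];
  try {
    return pathOnly.split('/').filter(Boolean).map(decodeURIComponent);
  } catch (e) {
    return null; // URIError, e.g. on "%E0%A4%A"
  }
}

// Decide whether a path under /db may reach CouchDB.
// mode 'denylist': block only Fauxton, as first suggested in the thread.
// mode 'allowlist': accept only paths scoped to a valid database name, which
// also covers /_all_dbs, /_node/.../_config, /_session, /_replicate, ...
function decideDbRoute(urlPath, { mode = 'allowlist' } = {}) {
  const segments = pathSegments(urlPath);
  if (segments === null) {
    return { allow: false, status: 400, reason: 'malformed percent-encoding' };
  }
  if (segments.length === 0) {
    // GET / on CouchDB returns the welcome banner with the server version.
    return { allow: false, status: 403, reason: 'server root not exposed' };
  }
  const [first, second] = segments;
  if (mode === 'denylist') {
    return first === '_utils'
      ? { allow: false, status: 403, reason: 'Fauxton is disabled' }
      : { allow: true };
  }
  if (!DB_NAME.test(first)) {
    // Every server-level endpoint (/_utils, /_all_dbs, /_node, /_session ...)
    // starts with "_" and therefore fails the database-name check.
    return { allow: false, status: 403, reason: 'not a database-scoped path' };
  }
  if (second === '_security') {
    // Per-database admin/member lists stay internal; /<db>/_all_docs,
    // /_find and /_design/... remain reachable because the app needs them.
    return { allow: false, status: 403, reason: '_security is internal' };
  }
  return { allow: true };
}

// Express-style middleware around the decision; mount it before the proxy.
function guardCouchRoutes(req, res, next) {
  const decision = decideDbRoute(req.url, { mode: 'allowlist' });
  if (decision.allow) return next();
  res.statusCode = decision.status;
  res.setHeader('Content-Type', 'text/plain');
  res.end('Forbidden: ' + decision.reason + '\n');
}

// Constructed sample paths (not from the issue) contrasting the two modes.
const SAMPLE_PATHS = [
  '/_utils/',                 // Fauxton: both modes deny
  '/_all_dbs',                // lists every database: only the allowlist denies
  '/_node/_local/_config',    // server configuration: only the allowlist denies
  '/%5Futils/',               // percent-encoded "_": decoded before checking
  '/networks/abc123',         // a document in an application database: allowed
  '/networks/_find?limit=10', // Mango query inside a database: allowed
  '/networks/_security',      // per-db ACL: denied by the allowlist
];

function compareModes() {
  return SAMPLE_PATHS.map((p) => ({
    path: p,
    denylist: decideDbRoute(p, { mode: 'denylist' }).allow,
    allowlist: decideDbRoute(p, { mode: 'allowlist' }).allow,
  }));
}

console.table(compareModes());
```

The table makes the gap visible: forbidding /_utils alone still lets /_all_dbs and /_node/_local/_config through the proxy, while the allowlist rejects every server-level route because none of them is a legal database name. Either guard only narrows what the proxy forwards; it does not substitute for enabling CouchDB's own authentication on the database itself.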

jingjingbic commented 2 years ago

This sounds like a good step forward. Could you make the change in the code so we can deploy it and try it out? With this change can clients still send general queries through the Couchdb REST API, for example ask for all databases on the server?

maxkfranz commented 2 years ago

In retrospect, making blacklists for particular routes wouldn't be as simple and robust as ensuring that Couch is configured with auth. See #107

maxkfranz commented 2 years ago

Closed by #107