Sorry, it's been many years since I configured stunnel for use with
CouchDB, and I no longer have access to those configurations. I
remember it wasn't that complex from reading the stunnel docs.

My feeling is: the simpler the solution, the better. There is
simply less to go wrong with a tool that *only* manages SSL
termination than a tool that is trying to be a fully-fledged
reverse proxy - especially if all you are trying to do is terminate
an SSL connection and pass it on.

-Joan

----- Original Message -----
From: "Vladimir Kuznetsov" <[email protected]>
To: [email protected], "Joan Touzet" <[email protected]>
Sent: Tuesday, 27 June, 2017 12:59:08 AM
Subject: Re: Running CouchDB 2.0 cluster in EC2


Hi Joan

Can you please provide a little bit more detail about 'nginx not correctly
reverse proxying chunked/multipart/etags/etc'? Can you also please provide a
stunnel configuration file example?

Btw I've taken the idea of using nginx from the apache wiki
(https://cwiki.apache.org/confluence/display/COUCHDB/Configuring+CouchDB ); it
suggests using either apache or nginx http server as a reverse proxy.

thanks,
--Vovan

On Jun 26, 2017, at 9:20 PM, Joan Touzet <[email protected]> wrote:

I'd recommend stunnel instead of nginx. We used to use it at Cloudant
and it worked fine. Gets you away from any worries about nginx not
correctly reverse proxying chunked/multipart/etags/etc.

-Joan 

----- Original Message ----- 
From: "Vladimir Kuznetsov" <[email protected]>
To: [email protected] 
Sent: Monday, 26 June, 2017 8:29:00 PM 
Subject: Running CouchDB 2.0 cluster in EC2 


Hi guys

I'm planning to run a CouchDB 2.0 cluster in EC2, probably 4 or 8 instances.

I want clients to use an SSL certificate to authenticate, so I want to run Nginx on
every CouchDB instance which will do SSL termination and forward the connection to
the backend CouchDB instance running plain HTTP. The reasons I want to
terminate SSL on Nginx:

1) I'm planning to refresh server certs periodically and I don't really want
CouchDB nodes to restart, I'd rather restart the Nginx frontend.
2) I want to check the CRL to reject client certificates that were revoked.
3) Performance is another reason as I expect Nginx to be better at SSL
decryption than CouchDB itself.

I'm planning to deploy CouchDB cluster instances behind AWS ELB (elastic load
balancer), probably in TCP mode, which would load balance client connections
between instances.

Does my deployment make sense? Anything specific to take into consideration in
the above deployment model? Is there anything I have to be aware of?

thanks,
--Vovan
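For reference, here is what a stunnel configuration covering the requirements in this thread looks like: TLS termination in front of a local plain-HTTP CouchDB node, client certificate authentication against a private CA with CRL checking, and certificate refresh without touching CouchDB. This is an added example, not Joan's Cloudant configuration or anything shipped by the CouchDB project; the file paths, the service name, the stunnel user and the listening port 6984 are assumptions.

```ini
; /etc/stunnel/couchdb.conf  (hypothetical path)
; Global options: drop privileges after binding, log to a file
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/couchdb.pid
foreground = no
debug = 5
output = /var/log/stunnel/couchdb.log

; Disable legacy protocol versions (names are OpenSSL SSL_OP_* without the prefix)
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1

[couchdb-tls]
; Server mode: accept TLS from the ELB TCP listener, hand plain HTTP to the local node
client = no
accept = 0.0.0.0:6984
connect = 127.0.0.1:5984

; Server certificate and key (assumed paths); rotate by replacing the files and
; sending stunnel SIGHUP, which rereads this configuration
cert = /etc/stunnel/couchdb-server.pem
key = /etc/stunnel/couchdb-server.key

; Client certificate authentication: verify the full chain against our private CA
; and reject certificates listed in the CRL; a client certificate is mandatory.
; (stunnel older than 5.27 expresses this with the single directive "verify = 2")
CAfile = /etc/stunnel/client-ca.pem
CRLfile = /etc/stunnel/client-ca.crl
verifyChain = yes
requireCert = yes
```

Because stunnel only forwards the decrypted TCP stream, CouchDB sees every connection as coming from 127.0.0.1 and never learns the client's real address or certificate subject, so any per-client authorization still has to happen in CouchDB's own auth. The CRL file needs the same refresh-and-SIGHUP treatment as the server certificate, or revocations will not take effect.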
