Thanks Joan, it makes sense. I'll have a look at stunnel, it may work if it has normal support for CRL check.

thanks,
--Vovan

> On Jun 26, 2017, at 10:41 PM, Joan Touzet <[email protected]> wrote:
>
> Sorry, it's been many years since I configured stunnel for use with
> CouchDB, and I no longer have access to those configurations. I
> remember it wasn't that complex from reading the stunnel docs.
>
> My feeling is: the simpler the solution, the better. There is
> simply less to go wrong with a tool that *only* manages SSL
> termination than a tool that is trying to be a fully-fledged
> reverse proxy - especially if all you are trying to do is terminate
> an SSL connection and pass it on.
>
> -Joan
>
> ----- Original Message -----
> From: "Vladimir Kuznetsov" <[email protected]>
> To: [email protected], "Joan Touzet" <[email protected]>
> Sent: Tuesday, 27 June, 2017 12:59:08 AM
> Subject: Re: Running CouchDB 2.0 cluster in EC2
>
> Hi Joan
>
> Can you please provide a little bit more details about 'nginx not correctly
> reverse proxying chunked/multipart/etags/etc'? Can you also please provide
> a stunnel configuration file example?
>
> Btw I've taken the idea of using nginx from the apache wiki
> ( https://cwiki.apache.org/confluence/display/COUCHDB/Configuring+CouchDB ), it
> suggests using either apache or nginx http server as a reverse proxy.
>
> thanks,
> --Vovan
>
> On Jun 26, 2017, at 9:20 PM, Joan Touzet <[email protected]> wrote:
>
> I'd recommend stunnel instead of nginx. We used to use it at Cloudant
> and it worked fine. Gets you away from any worries about nginx not
> correctly reverse proxying chunked/multipart/etags/etc correctly.
>
> -Joan
>
> ----- Original Message -----
> From: "Vladimir Kuznetsov" <[email protected]>
> To: [email protected]
> Sent: Monday, 26 June, 2017 8:29:00 PM
> Subject: Running CouchDB 2.0 cluster in EC2
>
> Hi guys
>
> I'm planning to run a CouchDB 2.0 cluster in EC2, probably 4 or 8 instances.
>
> I want clients to use SSL certificates to authenticate, so I want to run Nginx
> on every CouchDB instance which will do SSL termination and forward the
> connection to the backend CouchDB instance running plain HTTP. The reasons I
> want to terminate SSL on Nginx:
>
> 1) I'm planning to refresh server certs periodically and I don't really want
> CouchDB nodes to restart, I'd rather restart the Nginx frontend.
> 2) I want to check the CRL to reject client certificates that were revoked.
> 3) Performance is another reason as I expect Nginx to be better at SSL
> decryption than CouchDB itself.
>
> I'm planning to deploy CouchDB cluster instances behind AWS ELB (elastic load
> balancer), probably in TCP mode which would load balance client connections
> between instances.
>
> Does my deployment make sense? Anything specific to take into consideration
> in the above deployment model? Is there anything I have to be aware of?
>
> thanks,
> --Vovan
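The deployment Vovan describes (TLS terminated on every node, clients authenticated by certificate, revoked certificates rejected via a CRL, plaintext passed to the local CouchDB listener) written as a stunnel configuration. This is an added example, not a file from this thread or from the CouchDB or stunnel projects; the file paths, the service name, the unprivileged user and the port numbers are assumptions (5984 is CouchDB's default HTTP port), while `verify`, `CAfile` and `CRLfile` are stunnel's own options.

```ini
; /etc/stunnel/couchdb.conf (added example; all paths are placeholders)
; Global options
foreground = no
pid = /var/run/stunnel-couchdb.pid
; drop privileges after binding the listening socket
setuid = stunnel4
setgid = stunnel4
; log to syslog so rejected handshakes (bad or revoked client certs)
; land in the same place as the node's other logs
syslog = yes
debug = info

[couchdb]
; TLS listener that the ELB (TCP mode) forwards client connections to
accept = 0.0.0.0:6984
; CouchDB's plain HTTP listener, reachable on loopback only
connect = 127.0.0.1:5984

; Server certificate and key presented to clients. Rotating them means
; replacing these files and reloading stunnel; CouchDB stays up.
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key

; Mutual TLS: the client must present a certificate issued by the
; internal CA in CAfile. verify = 2 requires a client certificate and
; rejects the connection if it does not verify.
CAfile = /etc/stunnel/client-ca.pem
verify = 2

; Certificate revocation list published by that CA. A client whose
; certificate serial appears here fails the handshake even though the
; certificate itself is otherwise valid.
CRLfile = /etc/stunnel/client-ca.crl
```

Two consequences of this design are worth keeping in mind. First, the CRL is read from disk, so revocation is only as current as the copy on each node: the file has to be re-fetched on a schedule and stunnel reloaded (a SIGHUP re-reads the configuration), and if the CRL's `nextUpdate` time passes before a fresh copy arrives, OpenSSL treats it as expired and client verification starts failing outright. Second, stunnel forwards the decrypted bytes untouched, so CouchDB sees every request as coming from 127.0.0.1 with no record of which client certificate was presented; the certificate gates access to the node, and CouchDB's own authentication still decides what the request may do.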
