Because it is such a large and backwards-incompatible change, we are intending to remove admin party and anonymous access with the 3.0 release. That release is not yet scheduled.
-Joan

----- Original Message -----
From: "Moses Hohman" <mo...@humanpractice.com>
To: user@couchdb.apache.org, "Joan Touzet" <woh...@apache.org>
Sent: Monday, April 23, 2018 11:39:11 AM
Subject: Re: How to prevent anonymous users visit couchdb ?

Hi all,

In the spirit of "secure by default," would it be possible to change CouchDB's default to require_valid_user = true? I think that's more commonly what you'd want. Because it's fairly unusual that CouchDB allows anonymous users and allows them to do significant things, it's liable to surprise people and lead to misconfiguration.

Moses

On Mon, Apr 23, 2018 at 10:18 AM, Joan Touzet <woh...@apache.org> wrote:

Hi Jinmin.

Blocking /_all_dbs currently requires a reverse proxy with block rules in front of CouchDB. We recommend haproxy for this use.

Best regards,
Joan Touzet from Toronto, Canada

----- Original Message -----
From: "? ?" <jinmin...@outlook.com>
To: user@couchdb.apache.org
Sent: Monday, April 23, 2018 5:30:38 AM
Subject: How to prevent anonymous users visit couchdb ?

Dear all,

I want to remotely manage couchdb by curl using the administrator account, but I found that anonymous users can also get some information, like _all_dbs, which is not what I want. It seems that couchdb allows anonymous users using GET and HEAD methods, so how can I prevent it? What I want is only administrators are allowed.

I have made the following settings in local.ini:

    require_valid_user = true
    WWW-Authenticate = Basic realm="administrator"

Thanks & regards,
Jinmin from Shanghai, China
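
The reverse-proxy block rule recommended in the thread could look like the haproxy configuration below. This is an added example, not part of the original messages and not an official CouchDB configuration. The listen address, the admin network, and the frontend, backend and ACL names are assumptions (constructed values from the documentation address ranges), and CouchDB is assumed to listen only on 127.0.0.1 so that it cannot be reached around the proxy.

```haproxy
# Added example: haproxy in front of CouchDB, blocking /_all_dbs.
# All addresses and names are constructed placeholders.

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend couchdb_front
    # Assumed public address of the proxy host.
    bind 198.51.100.10:5984

    # Requests for the database listing. path_beg also catches
    # /_all_dbs/ and /_all_dbs?limit=...; user database names cannot
    # start with an underscore, so no real database is shadowed.
    acl is_all_dbs path_beg -i /_all_dbs

    # Assumed management network that may still list databases.
    acl from_admin_net src 192.0.2.0/24

    # Refuse the listing for everyone outside the management network.
    http-request deny deny_status 403 if is_all_dbs !from_admin_net

    default_backend couchdb_back

backend couchdb_back
    # CouchDB bound to loopback only (bind_address = 127.0.0.1 in its
    # configuration), so this proxy is the only way in.
    server couch1 127.0.0.1:5984 check
```

The proxy only filters by path and source address; authentication is still enforced by CouchDB itself, so require_valid_user and an admin account remain necessary behind it.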