CouchDB + HAProxy

Instalando o CouchDB pelo Docker

sudo docker run -d --restart unless-stopped --hostname couchdb1 --name couchdb1 -p 5984:5984 couchdb

Instalando o HAProxy via APT

sudo apt install haproxy

Configurando o HAProxy

Vamos fazer o HAProxy controlar o TLS. O HAProxy receberá as conexões via TLS e enviará sem criptografia para o CouchDB, chamamos esse modo de SSL/TLS Offloading.

Editando o arquivo de configurações do HAProxy.

# /etc/haproxy/haproxy.cfgglobal	log /dev/log	local0	log /dev/log	local1 notice	chroot /var/lib/haproxy	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners	stats timeout 30s	user haproxy	group haproxy	daemon	# Setting a secure diffie-helman key size	tune.ssl.default-dh-param 2048	# Default SSL material locations	ca-base /etc/ssl/certs	crt-base /etc/ssl/private	# Default ciphers to use on SSL-enabled listening sockets.	# For more information, see ciphers(1SSL). This list is from:	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/	# An alternative list with additional directives can be obtained from	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS	ssl-default-bind-options no-sslv3defaults	log	global	mode	http	option log-health-checks	monitor-uri /_haproxy_health_check	stats enable	stats uri /_haproxy_stats	stats auth admin:admin # Uncomment for basic auth	option	httplog	option	dontlognull        timeout connect 5000        timeout client  50000        timeout server  50000	errorfile 400 /etc/haproxy/errors/400.http	errorfile 403 /etc/haproxy/errors/403.http	errorfile 408 /etc/haproxy/errors/408.http	errorfile 500 /etc/haproxy/errors/500.http	errorfile 502 /etc/haproxy/errors/502.http	errorfile 503 /etc/haproxy/errors/503.http	errorfile 504 /etc/haproxy/errors/504.http	frontend http-in	# Must be enabled for HTTPS redirect work     bind *:80     mode http	 # Forcing HTTPS	 redirect scheme https code 301 if !{ ssl_fc }frontend https-in	bind *:443 ssl crt /etc/ssl/private/*.aleatitus.lh.pem	mode http	# Segregating backends based on request target hostname	# hdr(host) fetches the hostname from the http header, -i for insensitive case match	acl host_couchdb hdr(host) -i couchdb.aleatitus.lh	acl host_haproxy hdr(host) -i haproxy.aleatitus.lh	use_backend couchdbs if host_couchdb	#use_backend haproxy_stats if host_haproxy	#default_backend couchdbsbackend couchdbs    # the health checks will be done against /_up url    option httpchk GET /_up	# switches the server to administrative status Maintenance when the server answers the health check with a "404"    http-check disable-on-404	# Setting the servers    server couchdb1 localhost:5984 check inter 5s    # server couchdb2 x.x.x.x:5984 check inter 5s    # server couchdb3 x.x.x.x:5984 check inter 5s

O certificado .pem informado é composto por (nesta sequência): chave privada + certificado (chave pública).

Criando ACL por documento no HAProxy

Uma forma possível de fazer uma restrição de leitura e edição por cada documento no CouchDB usando o HAProxy é:

em cada documento criar campos padrão tipo:

{..."read": ["user1", "role2"],"update": ["user3"],"delete": ["user10"]}

E aí, no HAProxy, quando a request for feita, o HAProxy precisará ver se o usuário e suas roles se encaixam com as definidas no documento.

Coisas pra se pensar: implementar recursão de roles - se uma role estiver dentro de outra, como implementar isso?

Referências

Documentação Oficial - TLS + Haproxy
https://www.haproxy.com/documentation/haproxy/deployment-guides/tls-infrastructure/

ServersForHackers - TLS + HAProxy
https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

HTTPS + CouchDB + ReverseProxy
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=48203146

HAProxy sample CouchDB config

https://docs.couchdb.org/en/stable/best-practices/reverse-proxies.html

https://github.com/apache/couchdb/blob/master/rel/haproxy.cfg

Autenticação e Autorização com HAProxy
https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/

Frontend HTTP/2 com Backend HTTP 1.1 com HAProxy
https://stackoverflow.com/questions/36816849/haproxy-with-http2-frontend-and-http1-1-backend

You should also read: