author | Robert Newson <rnewson@apache.org> | 2016-04-29 22:57:01 +0100 |
committer | Robert Newson <rnewson@apache.org> | 2016-04-29 23:12:07 +0100 |
commit | c08961e3540f3ecf4ec2e6f99089b8d2133114df (patch) | |
tree | f3257c923821a18a7443375cbe6c656fcb26a980 | |
parent | 9f4103f5b5765e9154bdd2210ce98d3cd95b9d3d (diff) | |
Configure CouchDB for encrypted traffic all over
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | Makefile | 14 | ||||
-rw-r--r-- | rel/overlay/etc/vm.args | 6 |
3 files changed, 21 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore
index 77ae5209f..0c901efa6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,5 @@ src/couch/priv/couchspawnkillable
 .rebar
 bin/
 apache-couchdb-*/
+
+*.pem
@@ -63,7 +63,7 @@ help:
 .PHONY: couch
 # target: couch - Build CouchDB core
-couch: config.erl
+couch: certs config.erl
 @COUCHDB_VERSION=$(COUCHDB_VERSION) $(REBAR) compile
 @cp src/couch/priv/couchjs bin/
@@ -299,6 +299,7 @@ clean:
 @rm -f src/couch/priv/couchspawnkillable
 @rm -f src/couch/priv/couch_js/config.h
 @rm -f dev/boot_node.beam dev/pbkdf2.pyc log/crash.log
+ @rm -r *.pem
 .PHONY: distclean
@@ -362,3 +363,14 @@ ifeq ($(with_fauxton), 1)
 @echo "Building Fauxton"
 @cd src/fauxton && npm install --production && ./node_modules/grunt-cli/bin/grunt couchdb
 endif
+
+certs: ecc_cert.pem
+
+%_cert.pem: %_key.pem %_csr.pem
+ @openssl req -x509 -days 99999 -key $*_key.pem -in $*_csr.pem -out $@
+
+%_csr.pem: %_key.pem
+ @openssl req -new -key $< -out $@ -subj "/O=Apache Software Foundation/OU=Apache CouchDB"
+
+ecc_key.pem:
+ @openssl ecparam -genkey -name prime256v1 -out ecc_key.pem
diff --git a/rel/overlay/etc/vm.args b/rel/overlay/etc/vm.args
index b69ad829b..462195e3a 100644
--- a/rel/overlay/etc/vm.args
+++ b/rel/overlay/etc/vm.args
@@ -31,5 +31,11 @@
 # Start a pool of asynchronous IO threads
 +A 16
+# Encrypt the RPC traffic
+-proto_dist inet_tls
+-ssl_dist_opt server_certfile "ecc_cert.pem"
+-ssl_dist_opt server_keyfile "ecc_key.pem"
+-ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true
+
 # Comment this line out to enable the interactive Erlang shell on startup
 +Bd -noinput |
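Review bot: `@rm -r *.pem` in the clean target makes `make clean` fail on a tree that has no .pem files, because the unmatched glob is passed to rm literally and, unlike the neighbouring `@rm -f` lines, this line neither tolerates a missing file nor carries a `-` prefix. `-r` is also unnecessary for plain files, and the wildcard removes any .pem a user placed in the checkout rather than only the three files the new certs rules create. Suggest `@rm -f ecc_key.pem ecc_csr.pem ecc_cert.pem`, or at minimum `@rm -f *.pem`. The clean recipe continues outside the hunk.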
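Review bot: The `ecc_key.pem` recipe writes the private key with whatever umask the build runs under, so under a common 022 umask the key that vm.args later loads for distribution TLS is readable by every local user; `@umask 077 && openssl ecparam -genkey -name prime256v1 -out $@` closes that and also drops the hard-coded output name in favour of `$@`. `certs` is a command-style target with no file behind it but, unlike the adjacent `couch`, it is not declared in `.PHONY`; add `.PHONY: certs` so a stray file of that name cannot silently satisfy it. Because `couch` now depends on `certs`, every core build also produces a self-signed certificate with a 99999-day lifetime, no CN and no rotation path; if this pair is intended only as a default rather than for production, a comment such as `# Self-signed pair for Erlang distribution TLS; operators should replace it with a CA-issued pair` above the rules would make that explicit.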
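Review bot: The added `-ssl_dist_opt` lines configure only the server-side certificate and key, so inter-node traffic is encrypted but peers are not authenticated: no `server_verify`, `server_cacertfile`, `client_verify` or `client_cacertfile` is set, meaning any peer that completes the TLS handshake is accepted at the TLS layer and node authentication still rests solely on the Erlang cookie. If mutual authentication is the intent, the client side needs `client_certfile`/`client_keyfile` and both sides need `server_verify verify_peer` / `client_verify verify_peer` with a matching `*_cacertfile`. The paths `"ecc_cert.pem"` and `"ecc_key.pem"` appear to be resolved against the node's working directory rather than this etc directory, so starting the release from elsewhere would likely fail to bring up distribution; an absolute path, or a comment stating where the files must live, would avoid that. A one-line comment that these names refer to the self-signed pair the Makefile generates would also help operators know what to replace.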