Limit access to the Admin REST API of SyncGateway
According to the documentation, the Admin REST API of the SyncGateway shouldn't be exposed.

Quote:

By default, the Admin REST API runs on port 4985 (unless you change the adminInterface configuration parameter). Do not expose this port—It belongs behind your firewall. Anyone who can reach this port has free access to and control over your databases and user accounts.

This makes sense but I'm wondering how I can grant my Application Server which runs on Google AppEngine and which handles the sign-up / creation of sessions access to the API without exposing it? Is there an option to expose the Admin REST API but limit the access to a specific server sending the request or requiring a username / password combination like the GUI on the :8091 port?

Edit

Just for clarification I'm adding my comment to the question:

The app server (running on GAE) and the Couchbase server (running on DigitalOcean) are two different physical devices and thus have different IP addresses. Means: I can't change the adminInterface configuration parameter in my syncgateway_config.json to a loop-back address since a connection from my GAE Server to the Couchbase Server won't have any effect afterwards. The server would be unreachable from the outside if I'm not mistaken?!

Entablement answered 27/1, 2016 at 11:41 Comment(0)
4

The usual expectation is that your database server and other servers that need admin-level access will be either on the same host, or on an internal network that's behind a firewall. In the latter case you can safely bind the admin port to the internal net. Then of course your firewall rules will allow external connections only to the Sync Gateway (SG) public port.

If you have an auth server that's on an entirely different network, things get a bit more complex.

One possibility is to use fancier options on the firewall so it can allow external access to the admin port, but only from the external auth server. A few ways I can imagine doing this are (a) hardcode only the auth server's IP address, (b) use an SSL connection with a client cert, or (c) open an SSH tunnel from the auth server to the SG server.

Another possibility is to use a distributed auth system like OAuth, which is designed to do exactly this kind of thing. So your mobile app would talk to the auth server to obtain a token, then present the token to SG, which then shows the token to the auth server to validate it. IIRC we don't have general purpose OAuth support in SG yet so you would need to write a small OAuth handler to run on the SG server that would do this work.

[Disclaimer: I'm an architect at Couchbase and have worked on Sync Gateway but I only work on Couchbase Lite these days so I'm not an expert on SG's current capabilities!]

Category answered 1/2, 2016 at 17:13 Comment(2)
BTW, there is an existing Sync Gateway Issue requesting authentication for the admin API, for exactly situations like yours. Feel free to add a brief "+1" / "thumbs-up" comment.Category
Thank you for your comprehensive answer. After checking the options you've mentioned it seems like the best idea is to move my app server to the same host as the couchbase server. SSH-Tunneling on GAE doesn't seem to be possible and hardcoding the IP-Address isn't an option since it's dynamic on GAE. I'll definitely +1 the Github issue - thanks for mentioning it.Entablement
2

Well the new piece of info in your comments needs to be addressed. I'm not an expert in this area, but I think the assumption is that the auth service and sync gateway run on the same server. If not things get slightly more complicated, but I think it might be doable by changing the adminInterface section of your Sync Gateway configuration to be the internal IP address and port (e.g. 192.168.3.2:4985).

Villasenor answered 31/1, 2016 at 6:51 Comment(5)
Thanks for your answer. I've just added my comment to the question. Additional question: 192.168.3.2:4985 is a loop-back address, isn't it? This would make the Admin REST API unreachable from the outside.Entablement
It's not a "loopback" address, it's a LAN address (an example one at that). You aren't supposed to access the server from outside the local network on the admin port. For example, when you set up an amazon instance you get an external address and internal address so you can keep communications open between your amazon instances but not allow that same communication to the public.Villasenor
Ok. So in conclusion this means that it's not possible to run the AppServer and the Couchbase Server on two different providers / server?Entablement
I didn't realize these were two different independent providers entirely. In that case I don't think there is much you can do. They can be on different servers, different hardware, but the requirement is that they are on the same network. There is no built in way to authenticate requests to the admin port. You might be able to set up a proxy to authenticate and forward requests to Sync Gateway but I think it might be easier to move everything to the same provider. I'll check with people in the know to ensure what I'm saying is correct though.Villasenor
Thanks for your effort. I think "Jense Alfke" outlined every option I have in his answer. Seems like moving everything to the same provider is the best option indeed.Entablement
2

You could install an http proxy on the same local network as Sync Gateway e.g. nginx.

You would configure nginx to accept public facing SSL connections authenticated using client side certificates.

Configure Sync Gateway to only accept admin connection from the local network shared with nginx.

Configure your App Server to use the client side certificate when connecting to Sync Gateway via nginx.

There is a good blog covering nginx client certificate setup here: http://nategood.com/client-side-certificate-authentication-in-ngi

Casaba answered 1/2, 2016 at 17:11 Comment(0)
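The mutual-TLS proxy described in this answer, as an added example that is not part of the original post or of Sync Gateway's own documentation. It assumes Sync Gateway keeps `adminInterface` at its default `127.0.0.1:4985` on the same host as nginx; the hostname, certificate paths and CA file name are placeholders. Because the check is the client certificate rather than the source address, it also works for an app server whose IP changes, as the asker's GAE instance does.

```nginx
# Added example: nginx as a client-certificate-authenticated front door for the
# Sync Gateway Admin REST API. Sync Gateway itself stays bound to 127.0.0.1:4985
# (its default), so the only way to reach it from outside is through this proxy.
# server_name and all file paths are assumptions.
server {
    listen 443 ssl;
    server_name sg-admin.example.com;                 # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;    # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;    # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only clients presenting a certificate signed by your private CA get past
    # the TLS handshake; nothing else ever reaches Sync Gateway.
    ssl_client_certificate /etc/nginx/tls/app-server-ca.crt;  # assumed path
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        proxy_pass         http://127.0.0.1:4985;     # SG admin port, loopback only
        proxy_http_version 1.1;
        proxy_set_header   Host       $host;
        proxy_set_header   X-Real-IP  $remote_addr;
    }
}
```

Issue the app server its own client certificate from that private CA and you can revoke it independently; if you want the proxy to enforce least privilege too, narrow `location /` to just the admin endpoints the app server actually calls.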
0

The recommendation is to wrap what you need in an authentication service. This blog post explains very well how to do this: http://ti.eng.br/configuring-your-very-first-couchbase-mobile-sync-backend/

Scepter answered 27/1, 2016 at 13:54 Comment(1)
Well I already got the authentication service or app server (whatever you wanna call it). The problem: The app server (running on GAE) and the Couchbase server (running on DigitalOcean) are two different physical devices and thus have different IP addresses. Means: Connecting to "localhost:4985/syncgateway" won't have any effect on my GAE server. Maybe I just don't get it, but maybe you can elaborate on the fact how this should / could work? Thanks.Entablement
0

This point is mentioned in the documentation (if I correctly understood the question), in the Managing API Access section of the page Administering the REST APIs.

Quoting that section, which contains the answer to your question:

The APIs are accessed on different TCP ports, which makes it easy to expose the Sync REST API on port 4984 to endpoints while keeping the Admin REST API on port 4985 secure behind your firewall.

If you want to change the ports, you can do that in the configuration file.

To change the Sync REST API port, set the interface property in the configuration file.

To change the Admin REST API port, set the adminInterface property in the configuration file.

The value of the property is a string consisting of a colon followed by a port number (for example, :4985). You can also prepend a host name or numeric IP address before the colon to bind only to the network interface with that address.

As a useful special case, the IP address 127.0.0.1 binds to the loopback interface, making the port unreachable from any other host. This is the default setting for the admin interface.

The bold letters say you can specify the IP and port to bind it to a specific network.

I think this is what you need.

Viscountess answered 5/2, 2016 at 8:18 Comment(3)
Thanks. I've read that already. As far as I know this basically means I can change the address on which the REST API is listening (e.g. on port 1337 instead of 4985) but I don't think this will enable me to bind it to any other external network.Entablement
I think you can mention the host name before the port.Viscountess
yep, but afaik only internal ip addresses - see borrrden's answer.Entablement