Errors: nginx proxy for web admin ui
Hi everybody,
we have a running couchbase cluster in a private network. In order to expose the Admin UI to the public network we decided to set up a web proxy with nginx.
location / {
    proxy_pass http://cb_node1:8091/;
}
We are facing two problems here:
PROBLEM #1
If we are using an "auth_basic" to protect our web proxy (even before couchbase login screen) we are able to log in and see the login screen. If we now try to log in with couchbase credentials, our HTTP Auth is thrown away and we need to log in AGAIN at the nginx. It seems that couchbase is influencing the basic auth. We never were able to log in.
PROBLEM #2
In case we remove the "auth_basic" couchbase seems to work. We can see and manage everything.
Unfortunately there is still one big issue: If we want to view a document, there is an AJAX call which fails with this error message:
{"error":"bad_request","reason":"attachments not supported in Couchbase"}
The exact same call is working, when not running behind a proxy.
Any ideas to one of my problems?
Hi again,
for some reason, which I really cannot explain, the second problem is gone. It works now, magic :)
As for the first problem, it still exists. I tried to pass http-authentication headers, but this was not working.
I do not understand why couchbase is working with http basic auth, although you are using a form. The actual system with couchbase is unfortunately not reachable via the internet, that's why we need to proxy it.
Can we write a feature request somewhere?
Sure, we have jira for that.
Because our UI is a single-page JS application, we're sending basic auth with all XHR requests we do. And XHR is all we do. So it's pretty important to pass this through. By passing correct basic auth down from nginx you should get a working UI.
Looks like nginx strips basic auth headers. Then when our server looks for them it fails auth. If that's not the case then the fix would be to have the same credentials for nginx and couchbase.
If this is the case (nginx strips auth) then you'll need to force couchbase to work without auth. Unfortunately, our code is built to expect a non-empty password. I.e. see https://github.com/couchbase/ns_server/blob/master/src/menelaus_web.erl#... You can also check callers of the is_system_provisioned function and see that we'll send an "empty" pools reply, and then you can see in the core-data.js function loginSuccess that we're using the emptiness of that reply to see if the setup wizard is required or not.
As for documents viewing stuff, it either goes through port 8092 or (because browsers don't like cross-domain requests much) via a special proxying API at 8091. The logic that detects if proxying is required compares the host in the UI url and in the couchApiBase field of node details. So most likely they don't match if you're reaching it via proxy.
In short, our software is not built for that. At least as of now. I suggest some sort of VPN instead of proxying.
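Added example, not part of the thread and not Couchbase or nginx code: a small Python model of the collision discussed above, where the proxy's auth_basic and the UI's XHR requests both rely on the single Authorization header, plus the same-credentials case the reply mentions. All function names and credentials are constructed, and it assumes the proxy forwards the header upstream unchanged (nginx's default behaviour for proxy_pass).

```python
import base64

def basic(user, password):
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def parse_basic(value):
    """Return (user, password) from a Basic header value, or None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password

def couchbase(headers, admin):
    """Model of the upstream: REST calls need the admin's Basic credentials."""
    return 200 if parse_basic(headers.get("Authorization")) == admin else 401

def nginx(headers, htpasswd, admin):
    """Model of a proxy with auth_basic in front of proxy_pass."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or htpasswd.get(creds[0]) != creds[1]:
        return 401, "proxy"  # the proxy itself answers and the browser prompts again
    # Assumption: Authorization is forwarded upstream unchanged.
    return couchbase(headers, admin), "upstream"

def ui_xhr(proxy_login, cb_login, htpasswd, admin):
    """The browser holds proxy_login, but the UI's XHR sets its own header."""
    headers = {"Authorization": basic(*proxy_login)}  # what the browser would send
    headers["Authorization"] = basic(*cb_login)       # replaced by the UI's XHR
    return nginx(headers, htpasswd, admin)

# Constructed sample credentials.
ADMIN = ("Administrator", "cb-secret")
DIFFERENT = ui_xhr(("ops", "proxy-secret"), ADMIN, {"ops": "proxy-secret"}, ADMIN)
SAME = ui_xhr(ADMIN, ADMIN, {"Administrator": "cb-secret"}, ADMIN)

if __name__ == "__main__":
    print("different credentials:", DIFFERENT)
    print("same credentials:     ", SAME)
```

With different credentials the 401 comes from the proxy layer, which matches the repeated nginx prompt in PROBLEM #1; a request carrying only the proxy credentials passes the proxy and is rejected upstream instead.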