{"id":12585,"date":"2021-12-14T13:00:52","date_gmt":"2021-12-14T21:00:52","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=12585"},"modified":"2025-06-13T23:06:12","modified_gmt":"2025-06-14T06:06:12","slug":"couchbase-server-7-0-2-enforce-tls-hsts-enforce-ip-address-family","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/couchbase-server-7-0-2-enforce-tls-hsts-enforce-ip-address-family\/","title":{"rendered":"Couchbase Server 7.0.2 Enforce TLS, HSTS & Enforce IP Address Family"},"content":{"rendered":"

In this blog post, I will introduce three new features in Couchbase Server 7.0.2 (“Server”) to help administrators deploy Couchbase Server in a secure manner: Enforce TLS, HSTS, and Enforce IP Address Family.\u00a0<\/span><\/em><\/p>\n

When deploying a Couchbase Server cluster, a best practice is to avoid having a Server node directly connected to the Internet.\u00a0 We advise that customers deploy a firewall on their cluster\u2019s network perimeter as well as a firewall on each Server node. These firewalls should be configured to block all insecure ports, ports for services that are not in use, and entire IP address families that are not in use.<\/span><\/p>\n

This is where these three new features come into play. Administrators should deploy firewalls and only allow specific ports as needed. The new\u00a0 settings provide additional protections that achieve the same goal, in what some might refer to as a compensating control.<\/span><\/p>\n

Enforce TLS<\/span><\/h4>\n

The first new feature is Enforcement of TLS network encryption. In Couchbase Server 6.5.0, we introduced <\/span>Node To Node Encryption<\/span><\/a>.\u00a0 With Node To Node Encryption enabled, we allowed for the configuration of how data is handled between Couchbase Server nodes.\u00a0\u00a0<\/span><\/p>\n

Optionally, either control data is configured to be encrypted or all data between nodes is encrypted.\u00a0 This ensures that the inter-node cluster network traffic is secure and if administrators deploy applications to only connect to the cluster using encrypted network connections, all the database data across the network is encrypted.\u00a0 At this point the administrator would deploy a firewall to block the network ports which handle unencrypted or plaintext network traffic.\u00a0<\/span><\/p>\n

With the new Enforce TLS feature we\u2019ve added a third option to the cluster encryption setting, to be strict.\u00a0 When this is enabled, the only network traffic allowed across the cluster is secure and encrypted.\u00a0 This applies to everything from the Web UI, the command line tools, the application access and the network traffic between nodes in the cluster, but it doesn\u2019t apply to the local loopback interfaces.<\/span><\/p>\n

Enforce TLS can easily be implemented using the CLI command:<\/span><\/p>\n

couchbase-cli setting-security –cluster-encryption-level strict<\/span><\/em><\/p>\n

HTTP Secure Transport Header (HSTS)<\/span><\/h4>\n

Along with the Enforce TLS setting, there is also a new setting to also optionally enable a HTTP Secure Transport Header (HSTS).\u00a0 The HTTP Strict Transport Security header informs a user\u2019s web-browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.\u00a0 This is useful if you want all UI access to only happen over HTTPS.<\/span><\/p>\n

When a browser knows that a domain has enabled HSTS, it does two things:<\/span><\/p>\n

    \n
  1. It always uses an <\/span>https:\/\/<\/span> connection, even when clicking on an <\/span>https:\/\/<\/span> link or after typing a domain into the location bar without specifying a protocol.\u00a0\u00a0<\/span><\/li>\n
  2. It removes the ability for users to click through warnings about invalid certificates.<\/span><\/li>\n<\/ol>\n

    One thing to remember about Couchbase Server: by default the UI\u2019s non-TLS port is <\/span>8091<\/span><\/em> while the TLS port is <\/span>18091<\/span><\/em>.\u00a0 With HSTS enabled, any requests to <\/span>https:\/\/cluster:8091<\/span><\/em> will automatically attempt to access <\/span>https:\/\/cluster:8091<\/span><\/em>, not the correct <\/span>18091<\/span><\/em> port.<\/span><\/p>\n

    HSTS can be enabled with the CLI command:<\/span><\/p>\n

    \u00a0<\/span>couchbase-cli setting-security –hsts-max-age <seconds>\u00a0\u00a0\u00a0\u00a0<\/span><\/em><\/p>\n

    Configure the <\/span>max-age<\/span> setting to the amount of time, in seconds, that the browser should remember to access the Couchbase UI only using HTTPS.<\/span><\/p>\n

    You can also optionally select to enable\/disable HSTS <\/span>preload<\/span><\/em> and <\/span>includeSubDomains<\/span><\/em> directives.<\/span><\/p>\n

    Enforce IP Address Family<\/span><\/h4>\n

    We also advise customers to use a firewall and block all network traffic for ports and protocols that are not needed, including entire IP Address families.\u00a0 For example, if your organization uses IPv4 addresses only, you should block at the firewall level all access to IPv6 addresses on your Couchbase Server nodes.\u00a0 To add some compensating controls, we\u2019ve added options to the IP Address Family settings.\u00a0<\/span><\/p>\n

    In the previous example, if an organization only ever uses IPv4 addresses and used the CLI command:<\/span><\/p>\n

    couchbase-cli ip-family –set –ipv4<\/span><\/em><\/p>\n

    …the cluster would use IPv4 for communication between the nodes, but it would still be possible for traffic to go over IPv6 from clients unless a firewall was in place to prevent it.\u00a0 If the IPv4 address couldn\u2019t bind, then the node would be automatically failed over.\u00a0 The new <\/span>–ipv4only<\/span><\/em> option will instruct the cluster to only ever attempt to bind to IPv4 interfaces, and never allow IPv6 network communications.\u00a0<\/span><\/p>\n

    Alternatively there are also <\/span>–ipv6 <\/span><\/em>and <\/span>–ipv6only<\/span><\/em> options which achieve the same result but for the IPv6 address family instead of the IPv4 address family.\u00a0 If <\/span>–ipv4<\/span><\/em> and <\/span>–ipv6<\/span><\/em> are both set, both interfaces should be binded to and if either is available, the system should use it and start.\u00a0\u00a0\u00a0<\/span><\/p>\n

    Conclusion<\/span><\/h4>\n

    In this article, I\u2019ve shown you Enforce TLS, HSTS and Enforce IP Address Family.\u00a0 All of these security features are about making a robust barrier for attackers who try to compromise your systems. If security is important to you, I recommend reading a few additional blog posts about our security features that help keep your Couchbase data protected.\u00a0<\/span><\/p>\n