google app engine - Limit access to the Admin REST API of SyncGateway
According to the documentation, the Admin REST API of SyncGateway shouldn't be exposed.
Quote:
By default, the Admin REST API runs on port 4985 (unless you change the adminInterface configuration parameter). Do not expose this port—it belongs behind your firewall. Anyone who can reach this port has free access to and control over your databases and user accounts.
This makes sense, but I'm wondering how I can grant an application server that runs on Google App Engine and handles sign-up / creation of sessions access to the API without exposing it? Is there an option to expose the Admin REST API but limit access to the specific server sending the request, or requiring a username / password combination like the GUI on the :8091 port?
Edit
Just for clarification I'm adding my comment to the question:
The app server (running on GAE) and the Couchbase server (running on DigitalOcean) are 2 different physical devices and have different IP addresses. That means: I can't change the adminInterface configuration parameter in syncgateway_config.json to the loop-back address, since the connection from the GAE server to the Couchbase server won't have any effect afterwards. The server would be unreachable from outside, if I'm not mistaken?!
The usual expectation is that the database server and any other servers that need admin-level access are either on the same host, or on an internal network that's behind a firewall. In the latter case you can safely bind the admin port to the internal net. Of course the firewall rules allow external connections to the Sync Gateway (SG) public port.
If you have an auth server that's on an entirely different network, things are a bit more complex.
One possibility is to use fancier options on the firewall so you can allow external access to the admin port, but only from the external auth server. A few ways I can imagine doing this are (a) hardcode the auth server's IP address, (b) use an SSL connection with a client cert, or (c) open an SSH tunnel from the auth server to the SG server.
Another possibility is to use a distributed auth system like OAuth, which is designed for this kind of thing. The mobile app would talk to the auth server to obtain a token, then present the token to SG, which shows the token to the auth server to validate it. IIRC we don't have general purpose OAuth support in SG yet, so you'd need to write a small OAuth handler to run on the SG server to make this work.
[Disclaimer: I'm an architect at Couchbase and have worked on Sync Gateway, but I work on Couchbase Lite these days so I'm not an expert on SG's current capabilities!]
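
Options (a) and (b) from the answer above, combined in one configuration. This is an added example, not part of the original answer and not Couchbase's own configuration. It assumes an nginx reverse proxy on the Sync Gateway host with Sync Gateway's adminInterface bound to the loop-back address; the listen port 4986, the address 203.0.113.10, the host name, the file paths and the certificate subject are all placeholders.

```nginx
# Added example. Assumption: nginx runs on the same host as Sync Gateway.
# Sync Gateway is configured with  "adminInterface": "127.0.0.1:4985"
# so port 4985 itself is never reachable from outside; only this proxy is.
# This block goes inside the http { } section of nginx.conf.

server {
    listen      4986 ssl;                  # placeholder external port
    server_name sg-admin.example.com;      # placeholder host name

    # Server identity presented to the auth server.
    ssl_certificate     /etc/nginx/tls/sg-admin.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/sg-admin.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Option (b): require a client certificate issued by a private CA
    # that signs only the auth server's certificate.
    ssl_client_certificate /etc/nginx/tls/auth-ca.crt; # placeholder path
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # Option (a): only the auth server's address may connect at all.
    allow 203.0.113.10;                    # placeholder address
    deny  all;

    location / {
        # A valid certificate from the CA is not sufficient on its own:
        # pin the exact subject expected for the auth server (placeholder;
        # it must match the full subject of the issued certificate).
        if ($ssl_client_s_dn != "CN=auth-server") {
            return 403;
        }

        # Forward authenticated requests to the loop-back admin port.
        proxy_pass       http://127.0.0.1:4985;
        proxy_set_header Host $host;
    }
}
```

If the auth server has no stable egress address, drop the `allow`/`deny` pair and rely on the client certificate check alone.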