Step-by-step instructions for secure replication?

Problem description

Not sure if the question should rather be on ServerFault?

I have a CouchDB setup on my server using Apache credentials (but I can switch that off if it is a distraction). I have local instances on various laptops. Now I want to set up secure (continuous) replication. From my understanding I could use username/password, SSL certificates or OAuth. I found bits and pieces of information:

- SSL question on ServerFault
- the wiki entry on replication
- how-to on replication in the wiki
- the gist on 1.2 replication
- the replication algorithm

All these documents added a hunch, but also confusion (I'm just a simple mind). What I'm looking for is a step-by-step instruction:

- Pro and con for OAuth or SSL certificates (optional discussion)
- Steps to set up the SSL components. Clarification: I'm not looking for SSL transport security - that's not really complicated and documented well for both Apache HTTP and CouchDB. What I'm looking for is authentication using certificates, similar to what you can do in SSH. The potential problem I see with OAuth: an admin has full access to the credentials (?). With a certificate approach (s)he can't impersonate the user since the private key is not under admin control.
- Steps to set up OAuth
- Sample replication documents for each user: each user uses a local replica with some documents and they share one online

Where could I find that?

Solution

Secure transfer of user credentials is a very delicate question.

If we don't look at third parties, in most cases SSL is the better way to start from, since it has wide support in every tool you might use. An SSL certificate provides not only encryption (even a self-signed one), but assurance that the user has requested the right resource. The last point is also worth highlighting if you care about server security. The main drawback of SSL usage is performance degradation (varying with the algorithm used), since the server has to decrypt data and the client needs to validate the certificate in addition to the common communication routines. Also you have to pay some money for a trusted certificate (not always true).

Using OAuth allows you not to disclose real user credentials and to easily maintain their access control from the server side. Also, you need some library that handles the OAuth 1.0 specification properly, and if your platform misses such a library you have to implement it on your own. In addition OAuth provides signing of the transferred data, so it aims to be safe in the MitM case. That's actually all it does.

As you note, SSL and OAuth are about two different things: SSL helps to encrypt data on the transport level (TLS), while OAuth takes care of credential disclosure in a non-secure environment. They are not replacements for each other, but each of them may stand as a good addition to the other.

To set up SSL support for CouchDB just follow the documentation guide. It's quite simple and easy to do. Note that if there is some proxy server in front of CouchDB, it might be wise to set up SSL for it and proxy data to the local CouchDB instance via the regular HTTP protocol.

To set up OAuth you need to take the next steps:

0. Ensure that the {couch_httpd_oauth, oauth_authentication_handler} handler exists in the authentication_handlers option of the [httpd] section of the default.ini config file:

    [httpd]
    authentication_handlers = {couch_httpd_oauth, oauth_authentication_handler}, {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}

After that you need to edit your local.ini file in the following way:

1. Set up the consumer secret:

    [oauth_consumer_secrets]
    example.org = sekr1t

2. Set up the token secrets:

    [oauth_token_secrets]
    token1 = tokensekr1t

3. Map tokens to an existing CouchDB user:

    [oauth_token_users]
    token1 = joe

That's all! If you have CouchDB version 1.2 or higher, you may also define OAuth credentials within the user document inside the _users database:

    {
      "_id": "org.couchdb.user:joe",
      "type": "user",
      "name": "joe",
      "password_sha": "fe95df1ca59a9b567bdca5cbaf8412abd6e06121",
      "salt": "4e170ffeb6f34daecfd814dfb4001a73",
      "roles": ["foo", "bar"],
      "oauth": {
        "consumer_keys": {
          "example.org": "sekr1t",
          "consumerKey2": "key2Secret"
        },
        "tokens": {
          "token1": "tokensekr1t",
          "token2": "token2Secret"
        }
      }
    }

Now, when we have set up OAuth credentials for our user joe, let's start our replication. To let CouchDB use OAuth credentials, we need to extend the source or target field, depending on which side will authorize our user:

    {
      "source": "mailbox",
      "target": {
        "url": "https://secure.example.org/mailbox",
        "auth": {
          "oauth": {
            "consumer_secret": "sekr1t",
            "consumer_key": "example.org",
            "token_secret": "tokensekr1t",
            "token": "token1"
          }
        }
      }
    }

and POST this data to the _replicate resource or create a document in the _replicator database. Replication will start from the local server to the remote secure.example.org using SSL protocol encryption, and all operations will go for the remote user with login joe.

Summarizing: the combination of SSL and OAuth allows you not only to protect transferred data (not only user credentials) and ensure that the target server was not faked, but also protects the real user login name and password from accidental disclosure, controls consumer sources (e.g. if example.org is compromised, we can just remove its consumer token rather than force the user to change his password) and signs requests for additional protection against MitM attacks.

UPDATE: For your case regular SSL certificate routines are OK: you will need to create personal certificates signed by yourself and let clients set them up for further work with your CouchDB. The only thing required from the CouchDB side is to validate certificates before processing the connection. But note that custom personal SSL certificate installation may not be trivial, especially for mobile clients.

Speaking for the OAuth side, CouchDB may use the RSA-SHA1 auth method, which uses some kind of personal certificate as the secret. However, you need to patch the sources first to unlock this method - it's disabled by default.
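The answer's OAuth setup works because every replication request is signed with the consumer secret and token secret that local.ini (or the user document) holds, and couch_httpd_oauth recomputes that signature before mapping the token to a CouchDB user. The following Python is an added example, not code from the question, the answer or CouchDB: it signs a request the way an OAuth 1.0 HMAC-SHA1 client does (RFC 5849) and then verifies it on the server side using dicts that stand in for the three local.ini sections from the answer. The request URL, query parameters, nonce and timestamp are constructed here, and verify_request only mirrors the lookup logic the answer describes, not the actual couch_httpd_oauth implementation.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Credentials exactly as the answer configures them in local.ini.
CONSUMER_KEY = "example.org"
CONSUMER_SECRET = "sekr1t"
TOKEN = "token1"
TOKEN_SECRET = "tokensekr1t"

# Server-side view of the three local.ini sections (constructed stand-ins).
CONSUMER_SECRETS = {"example.org": "sekr1t"}   # [oauth_consumer_secrets]
TOKEN_SECRETS = {"token1": "tokensekr1t"}      # [oauth_token_secrets]
TOKEN_USERS = {"token1": "joe"}                # [oauth_token_users]


def percent_encode(value):
    """RFC 5849 section 3.6: encode everything except unreserved characters."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the signature base string (RFC 5849 section 3.4.1).

    `params` holds both query and oauth_* parameters; the URL's scheme and
    host are lower-cased and a default port is dropped before encoding.
    """
    parsed = urllib.parse.urlsplit(url)
    scheme = parsed.scheme.lower()
    netloc = parsed.netloc.lower()
    host, _, port = netloc.partition(":")
    if (scheme == "https" and port == "443") or (scheme == "http" and port == "80"):
        netloc = host
    base_url = f"{scheme}://{netloc}{parsed.path}"
    # Parameters are encoded first, then sorted by encoded name and value.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets joined by '&'."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, query, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None):
    """Client side: return the oauth_* parameters to send with the request."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth_params})
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


def authorization_header(oauth_params):
    """Render the oauth_* parameters as an Authorization header value."""
    parts = ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"'
                      for k, v in sorted(oauth_params.items()))
    return "OAuth " + parts


def verify_request(method, url, query, oauth_params, consumer_secrets, token_secrets, token_users):
    """Server side: look up both secrets, recompute the signature, map token to user.

    Returns the CouchDB user name on success, or None when the consumer key or
    token is unknown or the signature does not match (e.g. a tampered request).
    """
    consumer_secret = consumer_secrets.get(oauth_params.get("oauth_consumer_key"))
    token = oauth_params.get("oauth_token")
    token_secret = token_secrets.get(token)
    if consumer_secret is None or token_secret is None:
        return None
    if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
        return None
    presented = oauth_params.get("oauth_signature", "")
    unsigned = {k: v for k, v in oauth_params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, url, {**query, **unsigned}),
                                   consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    return token_users.get(token)


def demo():
    """Sign a constructed _changes request for the replication target and verify it."""
    url = "https://secure.example.org/mailbox/_changes"
    query = {"feed": "continuous", "since": "0"}
    params = sign_request("GET", url, query, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET)
    return verify_request("GET", url, query, params, CONSUMER_SECRETS, TOKEN_SECRETS, TOKEN_USERS)


if __name__ == "__main__":
    print(demo())
```

Changing any query parameter after signing, or configuring a different secret for token1 on the server, makes verify_request return None, which is the request-signing protection against tampering that the answer refers to. Replay protection (checking oauth_timestamp and oauth_nonce) is not implemented in this example.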