Couchbase, at least as of Couchbase 2.0, pretty much expects to be hidden away in some backbone infrastructure network, and hence doesn’t provide much in the way of network traffic encryption out of the box.
Those of us who aren’t quite fortunate enough to be able to hide everything behind firewalls need to resort to other measures to secure our environments. For us that particularly applies to development and testing environments.
Couchbase provides a nice administration interface on localhost, port 8091 by default, which in development I needed to be able to access remotely over the Internet. It turns out that it works just fine proxied, as long as it is proxied into a root context (mapped at / rather than under a sub-path).
Without going into details about how to set up certificates, here is the Apache httpd conf file I use on my Fedora 18 workstation to serve the admin interface over HTTPS on port 8443. It assumes that mod_ssl and mod_proxy are installed and enabled. It should work on most standard Linux boxes, at least Red Hat derivatives, where you can just drop it in as /etc/httpd/conf.d/couchbase.conf, and it should be possible to adapt to other environments that can run Apache httpd. Obviously, you additionally need to open up the port you select in any firewall.
```apache
#
# Couchbase proxy configuration to encrypt admin interface.
#
# Assumes mod_ssl is installed and configured (generally
# /etc/httpd/conf.d/ssl.conf). These are just amendments
# for the Couchbase interface.
#
Listen 8443 https

<VirtualHost _default_:8443>
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    ProxyPass / http://localhost:8091/
    ProxyPassReverse / http://localhost:8091/
</VirtualHost>
```
I have to say I’m impressed that the feature rich Couchbase interface is robust enough to handle this and hope their developers keep it that way.
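A tightened variant of the virtual host above, added here as an example and not part of the original configuration: `SSLProtocol all -SSLv2` still permits SSLv3 and TLS 1.0, and the proxy as written accepts any client that can reach port 8443. It assumes httpd 2.4 (for `Require ip`) built against an OpenSSL with TLS 1.2 support; the address range `192.0.2.0/24` is a placeholder for your own admin network.

```apache
#
# Couchbase admin proxy, hardened variant (added example).
# Drop-in replacement for the virtual host in couchbase.conf.
#
Listen 8443 https

<VirtualHost _default_:8443>
    LogLevel warn

    SSLEngine on
    # Refuse SSLv2, SSLv3, TLS 1.0 and TLS 1.1. On httpd 2.4.37+ with
    # OpenSSL 1.1.1 or later, append +TLSv1.3.
    SSLProtocol -all +TLSv1.2
    # Drop the MEDIUM class and legacy RC4/3DES suites.
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Limit who may reach the admin console at all.
    # 192.0.2.0/24 is a placeholder range; substitute your own.
    <Location />
        Require ip 192.0.2.0/24
    </Location>

    # Couchbase must stay mapped at the root context.
    ProxyPass / http://localhost:8091/
    ProxyPassReverse / http://localhost:8091/
</VirtualHost>

# The firewall should expose 8443 only. Keep 8091 closed to outside
# hosts so the plain-HTTP listener cannot be reached directly,
# bypassing the TLS proxy.
```

Run `apachectl configtest` before reloading httpd to catch syntax errors.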