-
Notifications
You must be signed in to change notification settings - Fork 90
Setting up a reverse proxy
Due to the limitation of the native CouchDB user management, unless you use Cloudant hosting there is no way for setting up a user which can write and only write to the acra-storage database. This means that anybody with the reporter credentials can have a full read acces to your whole crash reports database. These credentials can be hacked by decompiling the Android application package (.apk file).
One workaround for this is to avoid including your reporter user directly in your application by setting up a reverse proxy. This requires having access to an http server with advanced configuration rights. This should not be an issue if you're hosting CouchDB on your own servers.
We propose here 3 configurations, for Apache Httpd and Nginx or through a PHP script.
This requires mod_rewrite, mod_proxy and mod_headers.
The report user and password have to be base64 encoded before being added to the Apache configuration. You can use online services to encode a string composed like username:password.
For example, with a username acra and a password r3p0rts, you have to encode the string acra:r3p0rts. The encoded value for this specific example is YWNyYTpyM3AwcnRz.
On your webserver, create a directory in your document root which will be used as a path to post reports to.
For example in the document root of the server www.acme.com, let's create an acra directory.
In this acra directory, let's create an .htaccess file, where you write the following configuration:
SetEnvIf Request_URI acraproxy acraproxy
RequestHeader set Authorization "Basic YWNyYTpyM3AwcnRz" env=acraproxy
RewriteEngine On
RewriteRule ^acraproxy/(.*)$ http://acra.iriscouch.com/acra-storage/_design/acra-storage/_update/report/$1 [P]
Don't forget to replace YWNyYTpyM3AwcnRz with your own base64-encoded credentials.
In your ACRA configuration, just set the formUri to http://www.acme.com/acra/acraproxy.
If you prefer using a configuration inside a virtualhost then you would have to add the following configuration:
SetEnvIf Request_URI acraproxy acraproxy
RequestHeader set Authorization "Basic YWNyYTpyM3AwcnRz" env=acraproxy
RewriteEngine On
RewriteRule ^/acraproxy/(.*)$ http://acra.iriscouch.com/acra-storage/_design/acra-storage/_update/report/$1 [P]
Don't forget to replace YWNyYTpyM3AwcnRz with your own base64-encoded credentials.
Your formUri would be http://www.acme.com/acraproxy
Thanks to Andy from Stonekick
server {
server_name MYDOMAIN.COM
listen *:80;
[ any other nginx config here ]
location /crash_report {
rewrite /crash_report/(.*)/(.*) /$1/_design/acra-storage/_update/report/$2 break;
proxy_pass http://MYACCOUNT.IRISCOUCH.COM;
# This is the couchdb reporter user and password base64 encoded (reporter:mypassword in this case, you'll need to change it to match yours)
proxy_set_header Authorization "Basic cmVwb3J0ZXI6bXlwYXNzd29yZA=="
# This rewrites the location header line in the response so it doesn't reveal http://myaccount.iriscouch.com
proxy_redirect default;
# Only PUT requests are allowed - everything else will return 403 forbidden
limit_except PUT {
deny all;
}
}
}
With such a configuration, you then just need to configure ACRA with https://mydomain.com/crash_report/acra-myapp as the formUri.
TODO