0

I set up an ArangoDB on a webserver (Windows with IIS) and intend to expose it with a reverse proxy via IIS to the web, but I want the client to be forced to use authentication. I cannot find a way of accessing FOXX services with required authentication.

I have added a database 'common' and installed a FOXX service in

versioning/version/{project}/{client}/{version}

I can use the service fine from the browser with a URL like

http://127.0.0.1:8529/_db/common/versioning/version/myproject/aclient/4.9.3

and it returns the JSON I have requested. But it NEVER asks me for the credentials. So if I expose this service through IIS, e.g.:

https://myiisserver.com/_db/common/versioning/version/myproject/aclient/4.9.3

there's no restriction on accessing the service!

The arangod.conf looks like this (unchanged, actually):

endpoint = tcp://127.0.0.1:8529
...
authentication = true

So what am I doing wrong? Am I using an internal endpoint only? Is there a public one? I have tried various combinations:

https://myiisserver.com/_db/common/_api/versioning/version/myproject/aclient/4.9.3
https://myiisserver.com/versioning/version/myproject/aclient/4.9.3

but cannot figure it out. Am I trying the impossible, or missing the obvious?

Anytoe

2 Answers

0

You need to adjust the endpoint to include the IP which is myiisserver.com. If you would like to expose ArangoDB on all interfaces and addresses of the server, then try endpoint = tcp://0.0.0.0:8529/ or endpoint = tcp://[::]:8529/. The latter will also include the IPv6 addresses. If you only want to add myiisserver.com, just add an additional line for the IP address of myiisserver.com. So something like

endpoint = tcp://127.0.0.1:8529
endpoint = tcp://<ip-address-of-myiisserver.com>:8529
...
authentication = true

If you would like to use the FQDN, make sure that nslookup myiisserver.com on the server and in the outside world resolve to the same IP address. In other words, make sure that myiisserver.com does not resolve to 127.0.0.1, 127.0.1.1, [::1] and vice versa.

Kaveh Vahedipour
  • Hi, thank you for your answer. Adding the extra line does not work for me (it works, but still no authentication). ArangoDB and the IIS are on the same server. Either the built-in authentication for FOXX works only for accessing the API from the outside, but not from the same server, or there's another way to access the API. No matter how I set up the reverse proxy, and no matter what IP address I put into the arangod.conf, it always works without authentication – Anytoe Apr 26 '17 at 10:46
0

I have figured out what the problem is. The ArangoDB 3.1 documentation for Authentication says

Turn on authentication

...

If you want to run Foxx apps without HTTP authentication, but activate HTTP authentication for the built-in server APIs, you can add the following line in the server section of the configuration:

authentication-system-only = true

...

So I made it work after editing my 'arangod.conf' in the following way:

authentication = true

authentication-system-only = false
Anytoe
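
An added example, not part of either answer and not ArangoDB's own tooling: a small Python audit of an arangod.conf that reports when Foxx routes would be served without credentials and when an endpoint listens beyond loopback. It assumes authentication-system-only behaves as true when absent (consistent with the behaviour described in the question); the function names and sample configurations are constructed for illustration.

```python
import re

# Assumption: with the option unset, Foxx routes need no credentials, which
# matches what the question observed with an unchanged arangod.conf.
ASSUMED_DEFAULTS = {"authentication": "true", "authentication-system-only": "true"}
LOOPBACK = re.compile(r"^(127\.|\[::1\]|localhost$)")

# Constructed samples mirroring the configurations discussed in this thread.
QUESTION_CONF = "[server]\nendpoint = tcp://127.0.0.1:8529\nauthentication = true\n"
FIXED_CONF = QUESTION_CONF + "authentication-system-only = false\n"


def parse_conf(text):
    """Return {key: [values]} for [server] keys; section-less keys count too."""
    section, out = "server", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "server":
            key, value = (part.strip() for part in line.split("=", 1))
            out.setdefault(key.lower(), []).append(value)  # keep repeated keys
    return out


def audit(text):
    """Return findings about which requests need credentials, and where."""
    conf = parse_conf(text)
    get = lambda key: conf.get(key, [ASSUMED_DEFAULTS[key]])[-1].lower()
    findings = []
    if get("authentication") != "true":
        findings.append("authentication is off: no request needs credentials")
    elif get("authentication-system-only") == "true":
        findings.append("Foxx routes are served without credentials "
                        "(authentication-system-only is true or unset)")
    for ep in conf.get("endpoint", []):
        host = ep.split("://", 1)[-1].rsplit(":", 1)[0]
        if not LOOPBACK.match(host):
            findings.append(f"endpoint {ep} listens beyond loopback; "
                            "clients may reach arangod without the reverse proxy")
    return findings


if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf) or "no findings")
```
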