According to the documentation, the Admin REST API of the SyncGateway shouldn't be exposed.
Quote:
By default, the Admin REST API runs on port 4985 (unless you change the adminInterface configuration parameter). Do not expose this port—It belongs behind your firewall. Anyone who can reach this port has free access to and control over your databases and user accounts.
This makes sense, but I'm wondering how I can grant my Application Server, which runs on Google AppEngine and which handles the sign-up / creation of sessions, access to the API without exposing it. Is there an option to expose the Admin REST API but limit access to a specific server sending the request, or require a username / password combination like the GUI on the :8091 port?
Just for clarification I'm adding my comment to the question:
The app server (running on GAE) and the Couchbase server (running on DigitalOcean) are two different physical devices and thus have different IP addresses. This means I can't change the adminInterface configuration parameter in my syncgateway_config.json to a loop-back address, since a connection from my GAE server to the Couchbase server won't have any effect afterwards. The server would be unreachable from the outside, if I'm not mistaken?!
The usual expectation is that your database server and other servers that need admin-level access will be either on the same host, or on an internal network that's behind a firewall. In the latter case you can safely bind the admin port to the internal net. Then of course your firewall rules will allow external connections only to the Sync Gateway (SG) public port.
If you have an auth server that's on an entirely different network, things get a bit more complex.
One possibility is to use fancier options on the firewall so it can allow external access to the admin port, but only from the external auth server. A few ways I can imagine doing this are (a) hardcode only the auth server's IP address, (b) use an SSL connection with a client cert, or (c) open an SSH tunnel from the auth server to the SG server.
Another possibility is to use a distributed auth system like OAuth, which is designed to do exactly this kind of thing. So your mobile app would talk to the auth server to obtain a token, then present the token to SG, which then shows the token to the auth server to validate it. IIRC we don't have general purpose OAuth support in SG yet so you would need to write a small OAuth handler to run on the SG server that would do this work.
[Disclaimer: I'm an architect at Couchbase and have worked on Sync Gateway but I only work on Couchbase Lite these days so I'm not an expert on SG's current capabilities!]
Well, the new piece of info in your comments needs to be addressed. I'm not an expert in this area, but I think the assumption is that the auth service and Sync Gateway run on the same server. If not, things get slightly more complicated, but I think it might be doable by changing the adminInterface section of your Sync Gateway configuration to be the internal IP address and port (e.g. 192.168.3.2:4985).
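As an added example (not code from either answer or from the Sync Gateway project), here is a POSIX shell snippet that combines option (a) from the first answer with the adminInterface change from the second: it checks whether a Sync Gateway config binds the admin API to a specific address rather than to all interfaces, and prints host-firewall rules that admit port 4985 only from the auth server. The auth server address 203.0.113.10 and the use of iptables are assumptions; "interface" and "adminInterface" are Sync Gateway's own config keys.

```shell
#!/bin/sh
# Added example: audit the admin binding and restrict the admin port.
# Assumed values: auth server egress IP 203.0.113.10 (constructed placeholder),
# SG internal address 192.168.3.2 (from the answer), iptables as host firewall.

AUTH_SERVER_IP="203.0.113.10"
SG_INTERNAL_IP="192.168.3.2"

# Return 0 if the adminInterface in the given config file is bound to a
# specific host. A bare ":4985", "0.0.0.0" or "[::]" listens on every
# interface, which is exactly what the documentation warns against.
admin_interface_is_restricted() {
  iface=$(sed -n 's/.*"adminInterface"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
  host=${iface%:*}
  case "$host" in
    ""|0.0.0.0|"[::]"|"::") return 1 ;;   # wildcard bind = all interfaces
    *) return 0 ;;
  esac
}

# Print iptables rules that accept TCP/4985 only from the auth server
# and drop every other source (public port 4984 is left untouched).
admin_port_rules() {
  cat <<EOF
iptables -A INPUT -p tcp --dport 4985 -s $1 -j ACCEPT
iptables -A INPUT -p tcp --dport 4985 -j DROP
EOF
}

# Constructed config in the shape Sync Gateway expects; only the admin
# binding matters for this check.
write_sample_config() {
  printf '{\n  "interface": ":4984",\n  "adminInterface": "%s:4985"\n}\n' "$2" > "$1"
}
```

Run `write_sample_config /tmp/sg.json "$SG_INTERNAL_IP"` followed by `admin_interface_is_restricted /tmp/sg.json && admin_port_rules "$AUTH_SERVER_IP"` to see the rules you would apply on the SG host.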