Currently anybody can access the solr admin page by going to my_ip:8983/solr

I can't have it like that, so how can I make it prompt for password or something?

I have set up my server's apache2.conf file to prompt for a password whenever my site is accessed by www.mydomain.com.

But when using another port, the "require password" won't show up.

Any ideas how to secure this?

Don't point me to the SolrSecurity wiki because it's simply too outdated. I have tried it without luck.

Thanks

+2  A: 

Okay, this might be a bit long winded since the original poster doesn't know about network interfaces, so here we go...


Network interfaces

Computers which are connected to a network usually feature a concept of a network interface, which is an abstraction that combines IP configuration data (address, netmask, DNS servers, etc) to a hardware device that talks to the network (your ethernet card, your wifi card, whatever).

Additionally, you would have something called a loopback interface - a virtual interface that is something like your computer's ability to talk to itself :) Modern systems usually come with a loopback interface that is configured with an IP address of 127.0.0.1. This allows your computer to pretend to be networked even if it isn't, making some internal operations more generic.

Now, when you start a networked application, you usually need to tell it which interface to use, or in some applications' lingo "which address to bind to." Apache, for example, uses the listen directive for this. Go read up on it.

How interfaces relate to availability

Let's say that your Apache server is listening on an interface which is configured with a public, Internet IP address... anyone in the world will be able to reach whatever that Apache is serving via the IP address, or via a DNS name which resolves to that address...

That's generally what is currently happening to your solr instance.

Now, the important point about the loopback interface is that the stuff that is bound to the local interface is only reachable from that computer. I think you can see where we are going.

The solution

The solution would be as follows:

  1. Configure solr to accept requests (or whatever it does) only via the loopback interface. You'll probably need to change some parameter such as "listen to," "bind" or something of the kind.

  2. Configure Apache to reverse proxy the requests it receives on the public interface to solr.

  3. Make Apache authorize requests by something like basic HTTP authentication.

If you are still stuck after this, ask on, and I can go into details, though I don't have any solr experience.

ivans
solr is a web application running in a tomcat or jetty. Do you know how to do step 1 with a tomcat? Any links or sth.?
Karussell
ok, found a link: http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/TomcatSecurity.html => <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/> Is that what you meant?
Karussell
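
The three steps from the answer above, written out as an Apache configuration. This is an added example, not part of the original answer or its comments; it assumes Apache 2.4 with mod_proxy, mod_proxy_http, mod_auth_basic and mod_authn_file enabled, and the realm name and password file path are placeholders.

```apache
# Added example (not from the original thread). Placeholders: realm name,
# password file path. ServerName is the one used in the question.
#
# Step 1 happens in the servlet container, not in Apache: bind Solr to loopback.
#   Tomcat, conf/server.xml:  <Connector port="8983" address="127.0.0.1" ... />
#   Jetty:                    set the connector's host to 127.0.0.1 in jetty.xml
# After a restart, my_ip:8983 must refuse connections from other machines;
# only processes on the same host (such as Apache below) can reach it.

<VirtualHost *:80>
    ServerName www.mydomain.com

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off

    # Steps 2 and 3: forward /solr to the loopback listener, behind Basic auth.
    <Location "/solr">
        ProxyPass        "http://127.0.0.1:8983/solr"
        ProxyPassReverse "http://127.0.0.1:8983/solr"

        AuthType Basic
        AuthName "Solr admin"
        # Create the file with: htpasswd -c /etc/apache2/solr.htpasswd <user>
        # Keep it outside the document root so it cannot be downloaded.
        AuthUserFile "/etc/apache2/solr.htpasswd"
        Require valid-user
    </Location>

    # Basic auth sends the password base64-encoded with every request, so
    # place this <Location> block in the TLS virtual host if the site has one.
</VirtualHost>
```

The authentication only protects Solr if step 1 is in place: while the container still listens on the public address, port 8983 bypasses Apache entirely.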
+1  A: 

I am not an expert in this area. I only needed this for myself. In the web.xml of the app or of tomcat/conf/web.xml do what is described here:

http://www.alexxoid.com/blog/linux/restrict-access-tomcat-web-app.html

While doing this, I found the following links useful to set it up:

http://oreilly.com/java/archive/tomcat-tips.html

http://www.unidata.ucar.edu/projects/THREDDS/tech/reference/RestrictedAccess.html

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

Tip: Instead of Proxy one can use mod_jk which should be faster

Karussell