lucene-dev mailing list archives

From "Matthew Mauriello" <mm578...@albany.edu>
Subject RE: Security Questions on Solr & Tomcat 6
Date Tue, 04 May 2010 20:06:48 GMT
I think the localhost solution you're talking about might be similar to
this example:

http://blog.comtaste.com/2009/02/securing_your_solr_server_on_t.html

However, I was not able to get it to work yesterday. Is this the right
idea though?

Thanks,

~Matt


>>>>>>
> Can you explain this localhost restriction thing? If I restrict it to
> localhost only would users on the internet still be able to access the
> solr instance? Would the application have to make the request and pass
> back the results to the external user?
> <<<<<<
>
> Hi Matt,
>
> This connection binding restriction makes it impossible for users
> requesting connection via any adapter other than the loopback adapter
> (127.0.0.1) to connect to the SOLR port.  You are binding the Solr port
> solely to localhost.  Yes, the application would have to make the Solr
> request and pass back the results to the external user.
>
> Karl
>
> -----Original Message-----
> From: ext Matthew Mauriello [mailto:mm578679@albany.edu]
> Sent: Tuesday, May 04, 2010 12:34 PM
> To: dev@lucene.apache.org
> Subject: RE: Security Questions on Solr & Tomcat 6
>
> Karl/ALL,
>
> Thanks for the response, my comments are inline below.
>
>> How low-tech do you want to go?
>
> The system does not really have to do much, there might be a total of 12
> users and we just want to keep things as simple as possible because the
> next people to do any work on the system will just be following the manual
> I write and likely won't have much in the way of technical skills.
>
>> For example, you can run solr under an entirely different instance of
>> tomcat, listening on a different port.  You can configure (via
>> server.xml) the instance to only accept connections from the local
>> machine.  Your application, which is happily running on a different
>> port on a different tomcat instance, can be thus open and session
>> protected.  Your application will have no trouble communicating with
>> SOLR via http if it runs on the same physical machine as your SOLR
>> tomcat instance.
>
> Can you explain this localhost restriction thing? If I restrict it to
> localhost only would users on the internet still be able to access the
> solr instance? Would the application have to make the request and pass
> back the results to the external user?
>
> Thanks again,
>
> ~Matt
>
>> How low-tech do you want to go?
>>
>> For example, you can run solr under an entirely different instance of
>> tomcat, listening on a different port.  You can configure (via
>> server.xml) the instance to only accept connections from the local
>> machine.  Your application, which is happily running on a different
>> port on a different tomcat instance, can be thus open and session
>> protected.  Your application will have no trouble communicating with
>> SOLR via http if it runs on the same physical machine as your SOLR
>> tomcat instance.
>>
>> It's even possible that a single tomcat instance can be configured to
>> listen on both (differently configured) ports simultaneously - but
>> that's not really good practice anyhow.
>>
>> If I recall, the place where you restrict what the sources of your
>> allowed connections are is the tag in server.xml that describes the
>> port that tomcat listens on.  There's an optional "source" attribute,
>> which if "*"
>> means everyone, but if "127.0.0.1" means only localhost.
>>
>> Karl
>>
>> ________________________________________
>> From: ext Matthew Mauriello [mm578679@albany.edu]
>> Sent: Monday, May 03, 2010 10:03 PM
>> To: dev@lucene.apache.org
>> Subject: Security Questions on Solr & Tomcat 6
>>
>> Hello All,
>>
>> I am really hoping for a little help on securing my SOLR instance in
>> Tomcat 6. I am not really having any luck using BASIC authorization on
>> Tomcat as everything seems to shut down with a 404 when I implement
>> it. I have looked into the SOLR wiki about securing the application
>> but I can't seem to make sense of anything for my situation. The
>> tutorials I have found on Google usually result in the 404 error or the
>> server not starting.
>>
>> Essentially I have a Tomcat 6 server running on Windows in its most
>> basic settings. I created a self-signed certificate and set up SSL. In
>> the webapps/ROOT web folder I do a redirect to my webapps/SOLR folder.
>> In this folder I have all of my web application files and I have
>> considered moving non-solr files out of there but I haven't been able
>> to come up with a solution yet so I haven't done it but I am thinking it
>> might be required.
>>
>> In the SOLR folder I am using JavaBridge software so that I can write
>> in PHP. So I have jsp pages and php pages running together just fine
>> and I went through the solr jsp pages and added session security
>> checks there without a problem. I set up the web application so that it
>> communicates with MySQL. My application is secured using java session
>> variables.
>> Everything works as expected when not using SOLR. The application
>> handles user and uploaded document management.
>>
>> The problem is Solr is not secure, so without logging in a user can
>> browse to the solr directory and then execute select, update, admin,
>> etc... I would like to be able to have SOLR check session variables
>> before processing the request. I looked at creating a custom request
>> handler but I could not find a very good example of how that works.
>>
>> If anyone has any suggestions, tutorials, or general information that
>> might help I would be very appreciative.
>>
>> Thank you for your time,
>>
>> ~Matt Mauriello
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For
>> additional commands, e-mail: dev-help@lucene.apache.org
>>
>>
>
>


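Karl's suggestion above is to bind the Solr Tomcat connector to the loopback interface in server.xml. The attribute he recalls as "source" is actually named `address` on Tomcat's HTTP Connector element (by default a Connector listens on every interface). The following added example, which is not part of the thread and not Solr's or Tomcat's own tooling, shows a constructed server.xml with the application connector on 8080 and a Solr connector on 8983 (both port numbers are assumptions), an audit function that lists every Connector not bound to loopback, and a helper that rewrites the chosen ports to `address="127.0.0.1"`:

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not taken from the thread. Port 8080 is the
# public application connector; 8983 is the Solr connector, which here still
# lacks an address attribute and therefore listens on all interfaces.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8983" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def is_loopback(address):
    """True only if the Connector address pins the listener to loopback."""
    if address is None:
        return False  # Tomcat default: bind on every interface
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # hostnames other than localhost: treat as exposed


def exposed_connectors(server_xml_text):
    """Return (port, address) for every Connector reachable beyond loopback."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if not is_loopback(addr):
            findings.append((conn.get("port"), addr))
    return findings


def bind_to_loopback(server_xml_text, ports):
    """Return server.xml text with the given Connector ports bound to 127.0.0.1.

    Only the Connectors whose port is in `ports` are touched, so the public
    application connector keeps listening on all interfaces.
    """
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") in ports:
            conn.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", exposed_connectors(SAMPLE_SERVER_XML))
    hardened = bind_to_loopback(SAMPLE_SERVER_XML, {"8983"})
    print("after: ", exposed_connectors(hardened))
```

After the rewrite only the 8080 application connector remains exposed, which is the split Karl describes: the browser reaches the application, and only the application (running on the same machine) can reach Solr. Two caveats for a real deployment: `ET.tostring` drops XML comments, so edit the real server.xml by hand and use the audit function as a check rather than a rewriter, and confirm the bind after restarting Tomcat (for example with `netstat -an` on Windows, where the Solr port should show `127.0.0.1:8983` rather than `0.0.0.0:8983`).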


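Karl also answers Matt's second question: once Solr is loopback-only, the application has to make the Solr request itself and hand the results back to the logged-in user. The added example below (mine, not from the thread and not an Apache or JavaBridge component) is a minimal search proxy in Python's standard library that demonstrates the policy such a front end should enforce: require a valid session, forward only GET requests to a single search endpoint, pass through only a whitelist of Solr query parameters, cap `rows`, and never forward anything that would reach Solr's update or admin handlers. The session store, cookie name `sid`, the Solr URL `http://127.0.0.1:8983/solr` and the public path `/search` are all assumptions:

```python
import http.server
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

# Solr bound to loopback as in the thread; base URL and port are assumptions.
SOLR_BASE = "http://127.0.0.1:8983/solr"
# Only plain query parameters are forwarded; anything else is refused.
ALLOWED_PARAMS = {"q", "fq", "start", "rows", "fl", "sort", "wt"}
MAX_ROWS = 100

# Constructed session store standing in for the application's session
# variables: session id -> username.
SESSIONS = {"s3ss10n-ok": "alice"}


def authorize(session_id, method, path):
    """Decide whether a client request may be forwarded to Solr.

    Returns (allowed, reason). Every refusal is explicit so the proxy can log
    why a request was dropped.
    """
    if session_id not in SESSIONS:
        return False, "not logged in"
    if method != "GET":
        return False, "only GET is proxied"
    url = urllib.parse.urlsplit(path)
    if url.path != "/search":
        return False, "only the search endpoint is exposed"
    params = urllib.parse.parse_qs(url.query)
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        return False, "disallowed parameter(s): " + ", ".join(sorted(unknown))
    rows = params.get("rows", ["10"])[0]
    if not rows.isdigit() or int(rows) > MAX_ROWS:
        return False, "rows out of range"
    return True, "ok"


def solr_url(path):
    """Rebuild the Solr /select URL from an already-authorized client query."""
    url = urllib.parse.urlsplit(path)
    params = urllib.parse.parse_qs(url.query)
    params.setdefault("wt", ["json"])  # fixed response format
    # doseq keeps repeated parameters such as several fq values
    return SOLR_BASE + "/select?" + urllib.parse.urlencode(params, doseq=True)


class SearchProxy(http.server.BaseHTTPRequestHandler):
    """Public-facing handler: checks the session, then queries Solr locally."""

    def do_GET(self):
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookie["sid"].value if "sid" in cookie else None
        allowed, reason = authorize(sid, "GET", self.path)
        if not allowed:
            self.send_error(403, reason)
            return
        with urllib.request.urlopen(solr_url(self.path), timeout=5) as resp:
            body = resp.read()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Updates and commits never come from the browser; refuse outright.
        self.send_error(405, "only GET is proxied")


if __name__ == "__main__":
    http.server.HTTPServer(("0.0.0.0", 8080), SearchProxy).serve_forever()
```

The same structure applies whether the front end is JSP, PHP through JavaBridge, or anything else: the session check happens before any Solr call, the browser never learns the Solr URL, and the parameter whitelist matters because Solr's select handler honours request parameters beyond `q` that a proxy should not relay unfiltered. Indexing and administration stay on the server side, run by code that is never exposed on the public port.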