lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <karl.wri...@nokia.com>
Subject RE: Security Questions on Solr & Tomcat 6
Date Tue, 04 May 2010 16:43:03 GMT
>>>>>>
Can you explain this localhost restriction thing? If I restrict it to localhost only would
users on the internet still be able to access the solr instance? Would the application have
to make the request and pass back the results to the external user?
<<<<<<

Hi Matt,

This connection binding restriction makes it impossible for users requesting connection via
any adapter other than the loopback adapter (127.0.0.1) to connect to the SOLR port.  You
are binding the Solr port solely to localhost.  Yes, the application would have to make the
Solr request and pass back the results to the external user.

Karl

-----Original Message-----
From: ext Matthew Mauriello [mailto:mm578679@albany.edu] 
Sent: Tuesday, May 04, 2010 12:34 PM
To: dev@lucene.apache.org
Subject: RE: Security Questions on Solr & Tomcat 6

Karl/ALL,

Thanks for the response, my comments are inline below.

> How low-tech do you want to go?

The system does not really have to do much, there might be a total of 12 users and we just
want to keep things as simple as possible because the next people to do any work on the system
will just be following the manual I write and likely won't have much in the way of technical
skills.

> For example, you can run solr under an entirely different instance of 
> tomcat, listening on a different port.  You can configure (via 
> server.xml) the instance to only accept connections from the local 
> machine.  Your application, which is happily running on a different 
> port on a different tomcat instance, can be thus open and session 
> protected.  Your application will have no trouble communicating with 
> SOLR via http if it runs on the same physical machine as your SOLR tomcat instance.

Can you explain this localhost restriction thing? If I restrict it to localhost only would
users on the internet still be able to access the solr instance? Would the application have
to make the request and pass back the results to the external user?

Thanks again,

~Matt

> How low-tech do you want to go?
>
> For example, you can run solr under an entirely different instance of 
> tomcat, listening on a different port.  You can configure (via 
> server.xml) the instance to only accept connections from the local 
> machine.  Your application, which is happily running on a different 
> port on a different tomcat instance, can be thus open and session 
> protected.  Your application will have no trouble communicating with 
> SOLR via http if it runs on the same physical machine as your SOLR tomcat instance.
>
> It's even possible that a single tomcat instance can be configured to 
> listen on both (differently configured) ports simultaneously - but 
> that's not really good practice anyhow.
>
> If I recall, the place where you restrict what the sources of your 
> allowed connections are is the tag in server.xml that describes the 
> port that tomcat listens on.  There's an optional "source" attribute, which if "*"
> means everyone, but if "127.0.0.1" means only localhost.
>
> Karl
>
> ________________________________________
> From: ext Matthew Mauriello [mm578679@albany.edu]
> Sent: Monday, May 03, 2010 10:03 PM
> To: dev@lucene.apache.org
> Subject: Security Questions on Solr & Tomcat 6
>
> Hello All,
>
> I am really hoping for a little help on securing my SOLR instance in 
> Tomcat 6. I am not really having any luck using BASIC authorization on 
> Tomcat as everything seems to shut down with a 404 when I implement 
> it. I have looked into the SOLR wiki about securing the application 
> but I can't seem to make sense of anything for my situation. The 
> tutorials I have found on Google usual result in the 404 error or the server not starting.
>
> Essentially I have a Tomcat 6 server running on Windows in its most 
> basic settings. I created a self signed certificate and setup SSL. In 
> the webapps/ROOT web folder I do a redirect to my webapps/SOLR folder. 
> In this folder I have all of my web application files and I have 
> considered moving non-solr files out of there but I haven't been able 
> to come up with a solution yet so I haven't done it but I am thinking it might be required.
>
> In the SOLR folder I am using JavaBridge software so that I can write 
> in PHP. So I have jsp pages and php pages running together just fine 
> and I went through the solr jsp pages and added session security 
> checks there without a problem. I setup the web application so that it 
> communicates with MySQL. My application is secured using java session variables.
> Everything work as expected when not using SOLR. The application 
> handles user and uploaded document management.
>
> The problem is Solr is not secure, so without logging in a user can 
> browse to the solr directory and then execute select, update, admin, 
> etc... I would like to be able to have SOLR check session variables 
> before processing the request. I looked at creating a custom request 
> handler but I could not find a very good example of how that works.
>
> If anyone has any suggestions, tutorials, or general information that 
> might help I would be very appreciative.
>
> Thank you for your time,
>
> ~Matt Mauriello
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For 
> additional commands, e-mail: dev-help@lucene.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For 
> additional commands, e-mail: dev-help@lucene.apache.org
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org For additional commands, e-mail:
dev-help@lucene.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message