Re: SOLR 4.0 / Jetty Security Set Up

2012-09-07 Thread Paul Libbrecht
Erick,

I think that should be described differently...
You need to set-up protected access for some paths.
/update is one of them.
And you could make this protected at the jetty level or using Apache proxies 
and rewrites.

Probably /select should be kept open but you need to evaluate if that can get 
you in DoS attacks if there are too big selects. If that is the case, you're 
left to programme an interface all by yourself which limits and fetches from 
solr, or which lives inside solr (a query component) and throws if things are 
too big.

paul


On 7 Sept 2012 at 07:00, Erick Erickson wrote:

 Securing Solr pretty much universally requires that you only allow trusted
 clients to access the machines directly, usually secured with a firewall
 and allowed IP addresses, the admin handler is the least of your worries.
 
 Consider if you let me ping solr directly, I can do something really
 annoying like:
 http://localhost:8983/solr/update?stream.body=<delete><query>office:Bridgewater</query></delete>
 
 Best
 Erick
 
 On Wed, Sep 5, 2012 at 2:51 AM, Paul Codman snoozes...@gmail.com wrote:
 First time Solr user and I am loving it! I have a standard Solr 4 set up
 running under Jetty. The instructions in the Wiki do not seem to apply to
 Solr 4 (eg mortbay references / section to uncomment not present in xml
 file / etc) - could someone please advise on steps required to secure Solr
 4 and can someone confirm that security operates in relation to new Admin
 interface. Thanks in advance.



Re: SOLR 4.0 / Jetty Security Set Up

2012-09-07 Thread Tomas Zerolo
On Fri, Sep 07, 2012 at 08:50:58AM +0200, Paul Libbrecht wrote:
 Erick,
 
 I think that should be described differently...
 You need to set-up protected access for some paths.
 /update is one of them.
 And you could make this protected at the jetty level or using Apache proxies 
 and rewrites.

So you'd advise always putting an Apache in front of Jetty?

 Probably /select should be kept open

As far as I understand [1], it's better to close /select (because you can
easily make an admin or update out of it, by e.g. doing a /select?qt=/admin
or /select?qt=/update)

  but you need to evaluate if that can get you
  in DoS attacks if there are too big selects. If that is the case, you're left to
  programme an interface all by yourself which limits and fetches from solr, or which
  lives inside solr (a query component) and throws if things are too big.

[1] http://wiki.apache.org/solr/SolrSecurity#Path_Based_Authentication

Regards
-- 
Tomás Zerolo
Axel Springer AG
Axel Springer media Systems
BILD Produktionssysteme
Axel-Springer-Straße 65
10888 Berlin
Tel.: +49 (30) 2591-72875
tomas.zer...@axelspringer.de
www.axelspringer.de

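Paul's advice to protect /update at the Jetty level, together with Tomás's point that /select?qt=/update can reach a handler the path rule never sees, as an added example configuration that is not from this thread or from the Solr project. It assumes Solr 4 with its bundled Jetty 8, a single core collection1 that is also the default core, and names chosen here (the role solr-admin, the realm "Solr Realm", the constraint placed in the solr webapp's WEB-INF/web.xml).

```xml
<!-- 1. WEB-INF/web.xml of the solr webapp (assumed location): require a
        role on the write and admin paths. Servlet url-patterns only match
        by prefix, so the default-core path and the per-core path are both
        listed; add a pair per core if you have more than one. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr update and admin handlers</web-resource-name>
    <url-pattern>/update/*</url-pattern>
    <url-pattern>/collection1/update/*</url-pattern>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/collection1/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>solr-admin</role-name>   <!-- role name chosen for this example -->
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>      <!-- credentials are cleartext: TLS or a private network only -->
  <realm-name>Solr Realm</realm-name>
</login-config>
<security-role>
  <role-name>solr-admin</role-name>
</security-role>

<!-- 2. etc/jetty.xml: register the realm the constraint refers to. Jetty 8
        ships this block commented out under "Configure Authentication
        Realms"; etc/realm.properties holds lines of the form
        user: password,solr-admin -->
<Call name="addBean">
  <Arg>
    <New class="org.eclipse.jetty.security.HashLoginService">
      <Set name="name">Solr Realm</Set>
      <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
      <Set name="refreshInterval">0</Set>
    </New>
  </Arg>
</Call>

<!-- 3. solrconfig.xml: the path rule above is only as good as the dispatcher.
        With handleSelect="true", /select?qt=/update is routed to the update
        handler without the request path ever being /update, so the
        constraint is bypassed. Solr 4's default of "false" resolves /select
        by path only and ignores qt for handler selection; keep it that way.
        enableRemoteStreaming="false" additionally stops stream.url and
        stream.file from making Solr fetch remote content. -->
<requestDispatcher handleSelect="false">
  <requestParsers enableRemoteStreaming="false" />
</requestDispatcher>
```

If Apache sits in front instead, the same split applies: proxy only the /select path to Jetty and keep the handleSelect setting, since the proxy cannot see which handler qt would pick.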


Re: SOLR 4.0 / Jetty Security Set Up

2012-09-07 Thread dan sutton
Hi,

If like most people you have application server(s) in front of solr,
the simplest and most secure option is to bind solr to a local address
(192.168.* or 10.0.0.*). The app server talks to solr via the local
(a.k.a blackhole) ip address that no-one from outside can ever access
as it's not routable.

Plus you then don't need to employ authentication which can slow down
responses as you're ONLY employing access control. This is what we do
for access to 5 solr servers.

Cheers,
Dan

On Wed, Sep 5, 2012 at 10:51 AM, Paul Codman snoozes...@gmail.com wrote:
 First time Solr user and I am loving it! I have a standard Solr 4 set up
 running under Jetty. The instructions in the Wiki do not seem to apply to
 Solr 4 (eg mortbay references / section to uncomment not present in xml
 file / etc) - could someone please advise on steps required to secure Solr
 4 and can someone confirm that security operates in relation to new Admin
 interface. Thanks in advance.


Re: SOLR 4.0 / Jetty Security Set Up

2012-09-06 Thread Erick Erickson
Securing Solr pretty much universally requires that you only allow trusted
clients to access the machines directly, usually secured with a firewall
and allowed IP addresses, the admin handler is the least of your worries.

Consider if you let me ping solr directly, I can do something really
annoying like:
http://localhost:8983/solr/update?stream.body=<delete><query>office:Bridgewater</query></delete>

Best
Erick

On Wed, Sep 5, 2012 at 2:51 AM, Paul Codman snoozes...@gmail.com wrote:
 First time Solr user and I am loving it! I have a standard Solr 4 set up
 running under Jetty. The instructions in the Wiki do not seem to apply to
 Solr 4 (eg mortbay references / section to uncomment not present in xml
 file / etc) - could someone please advise on steps required to secure Solr
 4 and can someone confirm that security operates in relation to new Admin
 interface. Thanks in advance.