Hi Shawn et al,

As a follow-up to this - then how would you solve the issue? I tried to use the instructions to set up basic authentication in Solr (per a Stack Overflow post) and it worked to secure things, but the web app couldn't access Solr. Tampering with the app code - which is the Solr plug-in used for Omeka (https://github.com/scholarslab/SolrSearch) - would require a lot of extra work, so I'm wondering if there's a simpler solution. One of the developers on that told me to do a reverse proxy like the second poster on this chain more or less suggests. But from what I understand of what you wrote, this is not ideal because it only protects the admin UI panel and not everything else. So how then should I secure everything with the exception of calls coming from this web app?

Best,
Amanda

------
Dr. Amanda Shuman
Post-doc researcher, University of Freiburg, The Maoist Legacy Project
<http://www.maoistlegacy.uni-freiburg.de/>
PhD, University of California, Santa Cruz
http://www.amandashuman.net/
http://www.prchistoryresources.org/
Office: +49 (0) 761 203 4925

On Mon, Mar 19, 2018 at 11:03 PM, Shawn Heisey <apa...@elyograg.org> wrote:

> On 3/19/2018 11:19 AM, Jesus Olivan wrote:
> > I'm trying to password protect only Solr web interface (not queries
> > launched from my app). I'm currently using SolrCloud 6.6.0 with external
> > zookeepers. I've read tons of Docs about it, but I couldn't find a proper
> > way to secure ONLY the web admin console. Can anybody give me some light
> > about it, please? =)
>
> When you add authentication, it's not actually the admin UI that needs
> authentication. It's all the API requests (queries and the like) that
> the admin UI makes which require authentication.
>
> The admin UI itself is completely static HTML, CSS, Javascript, and
> images -- it doesn't have ANY information about your installation.
> Requiring authentication for that doesn't make any sense at all --
> there's nothing sensitive in those files.
>
> When you access the admin UI, the UI pieces are downloaded to your
> browser, and then the UI actually runs in your browser, accessing the
> API endpoints. When the UI running in your browser first accesses one
> of those endpoints, you get the authentication prompt.
>
> If we only secured the admin UI and not the API, then somebody who has
> direct access to your Solr server could do whatever they wanted. The
> admin UI is just a convenience. Everything it does can be done directly.
>
> Thanks,
> Shawn
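
The point made in the quoted reply, applied to the reverse proxy mentioned above. This is an added example, not part of the thread and not configuration from Solr or SolrSearch. It assumes a single Solr node listening on 127.0.0.1:8983 that is reachable only through the proxy; the web app address, hostname and file paths are placeholders.

```nginx
# Added example. Assumptions: one Solr node on 127.0.0.1:8983, firewalled or
# bound so that it cannot be reached except through this proxy; the web app
# calls Solr from 192.0.2.10 (placeholder address); all file paths and the
# server name are hypothetical.

# Weak: only the admin UI entry page asks for a password. The UI is static
# files, so this protects nothing: /solr/<core>/select, /solr/<core>/update
# and /solr/admin/* are still answered for anyone who requests them directly.
#
# location = /solr/ {
#     auth_basic           "Solr admin";
#     auth_basic_user_file /etc/nginx/solr.htpasswd;
#     proxy_pass           http://127.0.0.1:8983;
# }
# location /solr/ {
#     proxy_pass           http://127.0.0.1:8983;
# }

# Corrected: every path under /solr/ (UI files and API endpoints alike)
# goes through the same gate.
server {
    listen 443 ssl;                                  # basic auth needs TLS
    server_name solr.example.org;                    # placeholder
    ssl_certificate     /etc/nginx/tls/solr.crt;     # hypothetical path
    ssl_certificate_key /etc/nginx/tls/solr.key;     # hypothetical path

    location /solr/ {
        satisfy any;              # allow the request if EITHER check passes
        allow 192.0.2.10;         # the web app's address: no password needed
        deny  all;                # any other client must pass basic auth
        auth_basic           "Solr";
        auth_basic_user_file /etc/nginx/solr.htpasswd;

        proxy_pass http://127.0.0.1:8983;
    }

    location / { return 404; }    # nothing else is proxied
}
```

The address exemption is only as trustworthy as the network path between the web app and the proxy, and none of this helps if port 8983 is reachable directly.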