Just a follow-up to say that I never have resolved this issue
satisfactorily.

------
Dr. Amanda Shuman
Post-doc researcher, University of Freiburg, The Maoist Legacy Project
<http://www.maoistlegacy.uni-freiburg.de/>
PhD, University of California, Santa Cruz
http://www.amandashuman.net/
http://www.prchistoryresources.org/
Office: +49 (0) 761 203 4925



On Mon, Jun 18, 2018 at 6:00 PM Amanda Shuman <amanda.shu...@gmail.com>
wrote:

> Hi Shawn et al,
>
> As a follow-up to this - then how would you solve the issue? I tried to
> use the instructions to set up basic authentication in solr (per a Stack
> Overflow post) and it worked to secure things, but the web app couldn't
> access solr. Tampering with the app code - which is the solr plug-in used
> for Omeka (https://github.com/scholarslab/SolrSearch) - would require a
> lot of extra work, so I'm wondering if there's a simpler solution. One of
> the developers on that told me to do a reverse proxy like the second poster
> on this chain more or less suggests. But from what I understand of what you
> wrote, this is not ideal because it only protects the admin UI panel and
> not everything else. So how then should I secure everything with the
> exception of calls coming from this web app?
>
> Best,
> Amanda
>
>
> On Mon, Mar 19, 2018 at 11:03 PM, Shawn Heisey <apa...@elyograg.org>
> wrote:
>
>> On 3/19/2018 11:19 AM, Jesus Olivan wrote:
>> > I'm trying to password protect only Solr web interface (not queries
>> > launched from my app). I'm currently using SolrCloud 6.6.0 with external
>> > zookeepers. I've read tons of Docs about it, but I couldn't find a proper
>> > way to secure ONLY the web admin console. Can anybody give me some light
>> > about it, please? =)
>>
>> When you add authentication, it's not actually the admin UI that needs
>> authentication.  It's all the API requests (queries and the like) that
>> the admin UI makes which require authentication.
>>
>> The admin UI itself is completely static HTML, CSS, Javascript, and
>> images -- it doesn't have ANY information about your installation.
>> Requiring authentication for that doesn't make any sense at all --
>> there's nothing sensitive in those files.
>>
>> When you access the admin UI, the UI pieces are downloaded to your
>> browser, and then the UI actually runs in your browser, accessing the
>> API endpoints.  When the UI running in your browser first accesses one
>> of those endpoints, you get the authentication prompt.
>>
>> If we only secured the admin UI and not the API, then somebody who has
>> direct access to your Solr server could do whatever they wanted.  The
>> admin UI is just a convenience.  Everything it does can be done directly.
>>
>> Thanks,
>> Shawn
>>
>>
>
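
A check for the point Shawn makes in the quoted reply, as an added example that is not part of the original thread: a local mock server (not Solr itself) runs under two policies, one protecting only the static UI files and one authenticating the API, and every path is probed without credentials. The UI file names, the `demo` core and the credentials are constructed for illustration.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Representative Solr paths: static admin UI files vs. API endpoints the UI calls.
UI_PATHS = ["/solr/index.html", "/solr/css/styles.css"]   # constructed file names
API_PATHS = ["/solr/admin/info/system", "/solr/admin/cores?action=STATUS",
             "/solr/demo/select?q=*:*"]                   # "demo" core is constructed
CRED = "Basic " + base64.b64encode(b"admin:constructed-pw").decode()
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def ui_only(path):
    """Policy A: a proxy rule that password-protects only the UI files."""
    return path in UI_PATHS

def api_auth(path):
    """Policy B: authentication enforced on every API request."""
    return path not in UI_PATHS

def make_handler(protect):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            allowed = not protect(self.path) or self.headers.get("Authorization") == CRED
            self.send_response(200 if allowed else 401)
            if not allowed:
                self.send_header("WWW-Authenticate", 'Basic realm="solr"')
            self.end_headers()
        def log_message(self, *args): pass   # keep the demo quiet
    return Handler

def status(url):
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def open_without_auth(protect):
    """Start the mock server and return the paths that answer 200 with no credentials."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(protect))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return [p for p in UI_PATHS + API_PATHS if status(base + p) == 200]
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for policy in (ui_only, api_auth):
        print(policy.__name__, "leaves open:", open_without_auth(policy))
```

Under the UI-only policy every API path still answers 200 to an anonymous client; under API authentication only the static files do.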
