Limit the SolR access from the web for one user-agent?


Bruno Mannina
Dear All,

I'm using an external program (my own client) to access my
Apache-SolR database.
I would like to restrict the SOLR access to a specific User-Agent
(defined in my program).

I would like to know if it's possible to do that directly in SolR config
or I must process that in the Apache server?

My program does only requests like this (i.e.):
http://xxx.xxx.xxx.xxx:pp/solr/select/?q=ap%3Afuelcell&version=2.2&start=0&rows=10&indent=on

I can add on my HTTP component properties a User-Agent, Log, Pass,
etc... like a standard Http connection.

To complete: my soft is distributed to several users and I would like to
limit the SOLR access to these users and with my program.
FireFox, Chrome, I.E. will be unauthorized.

thanks for your comment or help,
Bruno

Ubuntu 12.04LTS
SolR 3.6

Re: Limit the SolR access from the web for one user-agent?

Alexandre Rafalovitch
It is very easy to do this on Apache, but you need to be aware that
User-Agent is extremely easy to both sniff and spoof.

Have you thought of perhaps using Client and Server Certificates to protect
the connection and embedding those certificates into clients?

Regards,
   Alex.

Personal blog: http://blog.outerthoughts.com/
LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
- Time is the quality of nature that keeps events from happening all at
once. Lately, it doesn't seem to be working.  (Anonymous  - via GTD book)


On Thu, Nov 8, 2012 at 9:39 AM, Bruno Mannina <[hidden email]> wrote:

> Dear All,
>
> I'm using an external program (my own client) to access my Apache-SolR
> database.
> I would like to restrict the SOLR access to a specific User-Agent (defined
> in my program).
>
> I would like to know if it's possible to do that directly in SolR config
> or I must
> process that in the Apache server?
>
> My program does only requests like this (i.e.):
> http://xxx.xxx.xxx.xxx:pp/solr/select/?q=ap%3Afuelcell&version=2.2&start=0&rows=10&indent=on
>
> I can add on my HTTP component properties a User-Agent, Log, Pass, etc...
> like a standard Http connection.
>
> To complete: my soft is distributed to several users and I would like to
> limit the SOLR access to these users and with my program.
> FireFox, Chrome, I.E. will be unauthorized.
>
> thanks for your comment or help,
> Bruno
>
> Ubuntu 12.04LTS
> SolR 3.6
>

Re: Limit the SolR access from the web for one user-agent?

Floyd Wu
Hi Alex, I'd like to know how to "using Client and Server Certificates to
protect
the connection and embedding those certificates into clients?"

Please kindly share your experience.

Floyd


2012/11/8 Alexandre Rafalovitch <[hidden email]>

> It is very easy to do this on Apache, but you need to be aware that
> User-Agent is extremely easy to both sniff and spoof.
>
> Have you thought of perhaps using Client and Server Certificates to protect
> the connection and embedding those certificates into clients?
>
> Regards,
>    Alex.
>
> Personal blog: http://blog.outerthoughts.com/
> LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
> - Time is the quality of nature that keeps events from happening all at
> once. Lately, it doesn't seem to be working.  (Anonymous  - via GTD book)
>
>
> On Thu, Nov 8, 2012 at 9:39 AM, Bruno Mannina <[hidden email]> wrote:
>
> > Dear All,
> >
> > I'm using an external program (my own client) to access my Apache-SolR
> > database.
> > I would like to restrict the SOLR access to a specific User-Agent (defined
> > in my program).
> >
> > I would like to know if it's possible to do that directly in SolR config
> > or I must
> > process that in the Apache server?
> >
> > My program does only requests like this (i.e.):
> > http://xxx.xxx.xxx.xxx:pp/solr/select/?q=ap%3Afuelcell&version=2.2&start=0&rows=10&indent=on
> >
> > I can add on my HTTP component properties a User-Agent, Log, Pass, etc...
> > like a standard Http connection.
> >
> > To complete: my soft is distributed to several users and I would like to
> > limit the SOLR access to these users and with my program.
> > FireFox, Chrome, I.E. will be unauthorized.
> >
> > thanks for your comment or help,
> > Bruno
> >
> > Ubuntu 12.04LTS
> > SolR 3.6
> >
>

Re: Limit the SolR access from the web for one user-agent?

Alexandre Rafalovitch
I haven't _done_ this myself, but I believe it is a well supported
scenario. See, for example,
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#accesscontrol
and
http://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication

Basically, you create a set of self-signed certificates and then your
client has to encrypt the connection and provide the certificate. Somebody
with access to the client can probably still break it and get the
certificates out, but it is quite a bit harder than just running a
Wireshark on the same (or even other) machine and checking what custom
header is being used.

This is no longer a SOLR question, but I am sure StackOverflow can help
with more specific issues, if needed.

Regards,
   Alex.

Personal blog: http://blog.outerthoughts.com/
LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
- Time is the quality of nature that keeps events from happening all at
once. Lately, it doesn't seem to be working.  (Anonymous  - via GTD book)


On Thu, Nov 8, 2012 at 10:08 PM, Floyd Wu <[hidden email]> wrote:

> Hi Alex, I'd like to know how to "using Client and Server Certificates to
> protect
> the connection and embedding those certificates into clients?"
>
> Please kindly share your experience.
>
> Floyd
>
>
> 2012/11/8 Alexandre Rafalovitch <[hidden email]>
>
> > It is very easy to do this on Apache, but you need to be aware that
> > User-Agent is extremely easy to both sniff and spoof.
> >
> > Have you thought of perhaps using Client and Server Certificates to protect
> > the connection and embedding those certificates into clients?
> >
> > Regards,
> >    Alex.
> >
> > Personal blog: http://blog.outerthoughts.com/
> > LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
> > - Time is the quality of nature that keeps events from happening all at
> > once. Lately, it doesn't seem to be working.  (Anonymous  - via GTD book)
> >
> >
> > On Thu, Nov 8, 2012 at 9:39 AM, Bruno Mannina <[hidden email]> wrote:
> >
> > > Dear All,
> > >
> > > I'm using an external program (my own client) to access my Apache-SolR
> > > database.
> > > I would like to restrict the SOLR access to a specific User-Agent (defined
> > > in my program).
> > >
> > > I would like to know if it's possible to do that directly in SolR config
> > > or I must
> > > process that in the Apache server?
> > >
> > > My program does only requests like this (i.e.):
> > > http://xxx.xxx.xxx.xxx:pp/solr/select/?q=ap%3Afuelcell&version=2.2&start=0&rows=10&indent=on
> > >
> > > I can add on my HTTP component properties a User-Agent, Log, Pass, etc...
> > > like a standard Http connection.
> > >
> > > To complete: my soft is distributed to several users and I would like to
> > > limit the SOLR access to these users and with my program.
> > > FireFox, Chrome, I.E. will be unauthorized.
> > >
> > > thanks for your comment or help,
> > > Bruno
> > >
> > > Ubuntu 12.04LTS
> > > SolR 3.6
> > >
> >
>
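
The contrast discussed in this thread, written out as an added example (not part of any poster's message): a User-Agent allow-list beside a front end that requires a client certificate. It assumes Apache httpd 2.4 as a reverse proxy; the hostname, certificate paths, the `MyClient/1.0` string and the Solr backend on `127.0.0.1:8983` are placeholders.

```apache
# Added example (constructed): Apache httpd 2.4 as a reverse proxy in front of Solr.
# Assumed placeholders: solr.example.org, the /etc/apache2/ssl/ paths,
# the "MyClient/1.0" string and Solr listening on 127.0.0.1:8983.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_setenvif.

# Weak variant: allow-list on the User-Agent header. Any client can send the
# same string, and over plain HTTP the expected value is visible on the wire.
#
# <Location "/solr/">
#     SetEnvIf User-Agent "^MyClient/1\.0$" solr_client
#     Require env solr_client
# </Location>

# Stronger variant: TLS with a mandatory client certificate.
<VirtualHost *:443>
    ServerName solr.example.org

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # CA that signed the certificates embedded in the distributed clients.
    # The handshake fails for any client that cannot present one of them.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Expose only the query handler the client program uses; /solr/update and
    # /solr/admin are not proxied and so stay unreachable from outside.
    ProxyPass        "/solr/select" "http://127.0.0.1:8983/solr/select"
    ProxyPassReverse "/solr/select" "http://127.0.0.1:8983/solr/select"

    # Record which certificate made each request, so a leaked client
    # certificate can be identified and revoked.
    LogFormat "%h %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_M_SERIAL}x \"%r\" %>s" solr_mtls
    CustomLog ${APACHE_LOG_DIR}/solr_access.log solr_mtls
</VirtualHost>
```

Solr's own listener has to be bound to the loopback interface or firewalled, otherwise requests can reach it without passing through the proxy.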

Re: Limit the SolR access from the web for one user-agent?

Michael Della Bitta-2
Another option is to use HTTP auth, which would involve modifying
web.xml in the Solr WAR and configuring a user in your container.

Unfortunately, this won't work with distributed queries.

Michael Della Bitta

------------------------------------------------
Appinions
18 East 41st Street, 2nd Floor
New York, NY 10017-6271

www.appinions.com

Where Influence Isn’t a Game


On Thu, Nov 8, 2012 at 11:23 PM, Alexandre Rafalovitch
<[hidden email]> wrote:

> I haven't _done_ this myself, but I believe it is a well supported
> scenario. See, for example,
> http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#accesscontrol
> and
> http://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication
>
> Basically, you create a set of self-signed certificates and then your
> client has to encrypt the connection and provide the certificate. Somebody
> with access to the client can probably still break it and get the
> certificates out, but it is quite a bit harder than just running a
> Wireshark on the same (or even other) machine and checking what custom
> header is being used.
>
> This is no longer a SOLR question, but I am sure StackOverflow can help
> with more specific issues, if needed.
>
> Regards,
>    Alex.
>
> Personal blog: http://blog.outerthoughts.com/
> LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
> - Time is the quality of nature that keeps events from happening all at
> once. Lately, it doesn't seem to be working.  (Anonymous  - via GTD book)
>
>
> On Thu, Nov 8, 2012 at 10:08 PM, Floyd Wu <[hidden email]> wrote:
>
>> Hi Alex, I'd like to know how to "using Client and Server Certificates to
>> protect
>> the connection and embedding those certificates into clients?"
>>
>> Please kindly share your experience.
>>
>> Floyd
>>
>>
>> 2012/11/8 Alexandre Rafalovitch <[hidden email]>
>>
>> > It is very easy to do this on Apache, but you need to be aware that
>> > User-Agent is extremely easy to both sniff and spoof.
>> >
>> > Have you thought of perhaps using Client and Server Certificates to protect
>> > the connection and embedding those certificates into clients?
>> >
>> > Regards,
>> >    Alex.
>> >
>> > Personal blog: http://blog.outerthoughts.com/
>> > LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
>> > - Time is the quality of nature that keeps events from happening all at
>> > once. Lately, it doesn't seem to be working.  (Anonymous  - via GTD book)
>> >
>> >
>> > On Thu, Nov 8, 2012 at 9:39 AM, Bruno Mannina <[hidden email]> wrote:
>> >
>> > > Dear All,
>> > >
>> > > I'm using an external program (my own client) to access my Apache-SolR
>> > > database.
>> > > I would like to restrict the SOLR access to a specific User-Agent (defined
>> > > in my program).
>> > >
>> > > I would like to know if it's possible to do that directly in SolR config
>> > > or I must
>> > > process that in the Apache server?
>> > >
>> > > My program does only requests like this (i.e.):
>> > > http://xxx.xxx.xxx.xxx:pp/solr/select/?q=ap%3Afuelcell&version=2.2&start=0&rows=10&indent=on
>> > >
>> > > I can add on my HTTP component properties a User-Agent, Log, Pass, etc...
>> > > like a standard Http connection.
>> > >
>> > > To complete: my soft is distributed to several users and I would like to
>> > > limit the SOLR access to these users and with my program.
>> > > FireFox, Chrome, I.E. will be unauthorized.
>> > >
>> > > thanks for your comment or help,
>> > > Bruno
>> > >
>> > > Ubuntu 12.04LTS
>> > > SolR 3.6
>> > >
>> >
>>