Solr authentication

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Solr authentication

Shay Sofer
Hi,

I want that my Solr web connection will be protected by username and password.

When someone try to get to - 1.1.1.1:8983/Solr, he can do it only after login (with known users).

Is it possible ?

Thanks,
Shay.
Reply | Threaded
Open this post in threaded view
|

Re: Solr authentication

Tim Dunphy
Hi Shay,

I'm new to using Solr myself. But what I've done to solve this problem is to run Solr via Tomcat. Then I put Apache in front of Tomcat using mod_jk and made Solr accessible via SSL on port 443. I also put basic authentication in front of Apache. That way you have to enter a username and password to log in.

Then I made port 8080 (the native port for Apache Tomcat) inaccessible using the firewall. So that the only way to access the Solr instance was through Apache and entering your password. With everything going over SSL. It's very secure.

From what I read about Solr, there are no security considerations (such as using a password for access) built in. So the only way to achieve some level of security without doing what I just did is to secure it with a firewall. Making your Solr instance accessible only from certain IPs. Please someone correct me if I'm wrong about that.

But the way I did it with running Solr with Apache and SSL and mod_jk over tomcat is pretty easy. If you google it you will find plenty of useful guides out there on how to do this. I'd recommend taking that approach.

Tim

Sent from my iPhone

> On Nov 4, 2014, at 7:53 AM, Shay Sofer <[hidden email]> wrote:
>
> Hi,
>
> I want that my Solr web connection will be protected by username and password.
>
> When someone try to get to - 1.1.1.1:8983/Solr, he can do it only after login (with known users).
>
> Is it possible ?
>
> Thanks,
> Shay.
Reply | Threaded
Open this post in threaded view
|

RE: Solr authentication

Shay Sofer
Thanks for the quick response.

        1.  I'm using Solr with Jetty.
        2. I'm using Java to access Solr, so I need a way to pass / add this authentication as well.




-----Original Message-----
From: Tim Dunphy [mailto:[hidden email]]
Sent: Tuesday, November 04, 2014 3:22 PM
To: [hidden email]
Subject: Re: Solr authentication

Hi Shay,

I'm new to using Solr myself. But what I've done to solve this problem is to run Solr via Tomcat. Then I put Apache in front of Tomcat using mod_jk and made Solr accessible via SSL on port 443. I also put basic authentication in front of Apache. That way you have to enter a username and password to log in.

Then I made port 8080 (the native port for Apache Tomcat) inaccessible using the firewall. So that the only way to access the Solr instance was through Apache and entering your password. With everything going over SSL. It's very secure.

From what I read about Solr, there are no security considerations (such as using a password for access) built in. So the only way to achieve some level of security without doing what I just did is to secure it with a firewall. Making your Solr instance accessible only from certain IPs. Please someone correct me if I'm wrong about that.

But the way I did it with running Solr with Apache and SSL and mod_jk over tomcat is pretty easy. If you google it you will find plenty of useful guides out there on how to do this. I'd recommend taking that approach.

Tim

Sent from my iPhone

> On Nov 4, 2014, at 7:53 AM, Shay Sofer <[hidden email]> wrote:
>
> Hi,
>
> I want that my Solr web connection will be protected by username and password.
>
> When someone try to get to - 1.1.1.1:8983/Solr, he can do it only after login (with known users).
>
> Is it possible ?
>
> Thanks,
> Shay.

Email secured by Check Point
Reply | Threaded
Open this post in threaded view
|

Re: Solr authentication

Tim Dunphy
Shay,



> Thanks for the quick response.


No problem.

>
>         1.  I'm using Solr with Jetty.
>

Yes. I got that from the fact that you were running Solr over port 8983.
That's the Jetty port. I just didn't mention that in the email cuz I
thought it was pretty obvious. :)

But what I am saying you should do is to get Solr to run under Tomcat
instead of Jetty. And then front it with apache. It'll be the only way to
put authentication on your Solr instance that I know of. It's also pretty
easy to do.

And I did think that was the only way to secure solr. But after googling
this question I do see there are some other ways to go about it.

http://stackoverflow.com/questions/17613835/securing-solr-in-production

But like I said the way I did this is pretty easy and that's what I'm
recommending you do.


>         2. I'm using Java to access Solr, so I need a way to pass / add
> this authentication as well.



You should have no trouble doing that with the way that I told you to set
this up. If you do what I did you'll be using SSL. Which is the most secure
you can get!

Tim

On Tue, Nov 4, 2014 at 8:49 AM, Shay Sofer <[hidden email]> wrote:

> Thanks for the quick response.
>
>         1.  I'm using Solr with Jetty.
>         2. I'm using Java to access Solr, so I need a way to pass / add
> this authentication as well.
>
>
>
>
> -----Original Message-----
> From: Tim Dunphy [mailto:[hidden email]]
> Sent: Tuesday, November 04, 2014 3:22 PM
> To: [hidden email]
> Subject: Re: Solr authentication
>
> Hi Shay,
>
> I'm new to using Solr myself. But what I've done to solve this problem is
> to run Solr via Tomcat. Then I put Apache in front of Tomcat using mod_jk
> and made Solr accessible via SSL on port 443. I also put basic
> authentication in front of Apache. That way you have to enter a username
> and password to log in.
>
> Then I made port 8080 (the native port for Apache Tomcat) inaccessible
> using the firewall. So that the only way to access the Solr instance was
> through Apache and entering your password. With everything going over SSL.
> It's very secure.
>
> From what I read about Solr, there are no security considerations (such as
> using a password for access) built in. So the only way to achieve some
> level of security without doing what I just did is to secure it with a
> firewall. Making your Solr instance accessible only from certain IPs.
> Please someone correct me if I'm wrong about that.
>
> But the way I did it with running Solr with Apache and SSL and mod_jk over
> tomcat is pretty easy. If you google it you will find plenty of useful
> guides out there on how to do this. I'd recommend taking that approach.
>
> Tim
>
> Sent from my iPhone
>
> > On Nov 4, 2014, at 7:53 AM, Shay Sofer <[hidden email]> wrote:
> >
> > Hi,
> >
> > I want that my Solr web connection will be protected by username and
> password.
> >
> > When someone try to get to - 1.1.1.1:8983/Solr, he can do it only after
> login (with known users).
> >
> > Is it possible ?
> >
> > Thanks,
> > Shay.
>
> Email secured by Check Point
>



--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Reply | Threaded
Open this post in threaded view
|

Re: Solr authentication

Chris Hostetter-3
In reply to this post by Shay Sofer

I am not a security expert, but in my opinion the safest way to run solr
"securely" is to forget all about usernames & passwords and instead use
SSL with client SSL certificates...

https://cwiki.apache.org/confluence/display/solr/Enabling+SSL



: Date: Tue, 4 Nov 2014 12:53:30 +0000
: From: Shay Sofer <[hidden email]>
: Reply-To: [hidden email]
: To: "[hidden email]" <[hidden email]>
: Subject: Solr authentication
:
: Hi,
:
: I want that my Solr web connection will be protected by username and password.
:
: When someone try to get to - 1.1.1.1:8983/Solr, he can do it only after login (with known users).
:
: Is it possible ?
:
: Thanks,
: Shay.
:

-Hoss
http://www.lucidworks.com/
Reply | Threaded
Open this post in threaded view
|

Re: Solr authentication

Alexandre Rafalovitch
Whichever way you run, I just want to remind people that if people
have access to Solr, they can issue delete commands and - probably -
bunch of other things.

If performance is not a critical aspect, I would look at isolating
Solr in something like Docker container.

Regards,
   Alex.
Personal: http://www.outerthoughts.com/ and @arafalov
Solr resources and newsletter: http://www.solr-start.com/ and @solrstart
Solr popularizers community: https://www.linkedin.com/groups?gid=6713853


On 4 November 2014 12:02, Chris Hostetter <[hidden email]> wrote:

>
> I am not a security expert, but in my opinion the safest way to run solr
> "securely" is to forget all about usernames & passwords and instead use
> SSL with client SSL certificates...
>
> https://cwiki.apache.org/confluence/display/solr/Enabling+SSL
>
>
>
> : Date: Tue, 4 Nov 2014 12:53:30 +0000
> : From: Shay Sofer <[hidden email]>
> : Reply-To: [hidden email]
> : To: "[hidden email]" <[hidden email]>
> : Subject: Solr authentication
> :
> : Hi,
> :
> : I want that my Solr web connection will be protected by username and password.
> :
> : When someone try to get to - 1.1.1.1:8983/Solr, he can do it only after login (with known users).
> :
> : Is it possible ?
> :
> : Thanks,
> : Shay.
> :
>
> -Hoss
> http://www.lucidworks.com/