This repository was archived by the owner on May 20, 2025. It is now read-only.

Securing Solr

Brian Tingle edited this page Aug 9, 2016 · 7 revisions

Securing Solr - UCSD

Running Solr 4 on Tomcat on Red Hat 6.

DAMS adds the field discover_access_group_ssim with the value public.

The search handler includes a filter query for that field and value.

     <lst name="invariants">
       <str name="fq">discover_access_group_ssim:public</str>
     </lst>

The filter query is an invariant, so users can’t override it.

Additionally, the Tomcat configuration contains a security_constraint that restricts requests from outside the library subnets to select.

    <filter>
      <filter-name>Allow world solr select</filter-name>
      <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>Allow world solr select</filter-name>
      <url-pattern>/blacklight/select/*</url-pattern>
    </filter-mapping>
 
    <filter>
      <filter-name>Allow server subnet all</filter-name>
      <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
      <init-param>
        <param-name>allow</param-name>
        <param-value>128.0.0.*|128.0.1.*</param-value><!-- example IP addresses, fill in local campus -->
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>Allow server subnet all</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

Securing Solr - CDL

Shutting off requestHandlers in solrconfig.xml

Shut down all request handlers that aren't read-only by adding enable="false" to the tag. The "select" and "query" handlers are probably all you'll want to leave active, e.g.

    <requestHandler name="/update" class="solr.UpdateRequestHandler" enable="false">

See SolrConfigXml - enable/disable

This should make the index read only.
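
One way to check a solrconfig.xml against both measures described above: only the read-only handlers are left enabled, and the search handlers carry the invariant filter query. This is an added example, not code from the original page; the sample config, the handler names in it and the `audit` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Handlers the page suggests leaving active; adjust to your own handler names.
READ_ONLY = {"/select", "/query"}

# Constructed sample solrconfig.xml fragment (not from the original page).
SAMPLE = """
<config>
  <requestHandler name="/select" class="solr.SearchHandler">
    <lst name="invariants">
      <str name="fq">discover_access_group_ssim:public</str>
    </lst>
  </requestHandler>
  <requestHandler name="/query" class="solr.SearchHandler"/>
  <requestHandler name="/update" class="solr.UpdateRequestHandler" enable="false"/>
  <requestHandler name="/admin/" class="solr.admin.AdminHandlers"/>
</config>
"""

def audit(xml_text, required_fq=None):
    """Return a list of findings for a solrconfig.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for handler in root.iter("requestHandler"):
        name = handler.get("name", "")
        # Conservative: only an explicit enable="false" counts as disabled.
        if handler.get("enable", "true").strip().lower() == "false":
            continue
        if name not in READ_ONLY:
            findings.append(f"{name}: enabled but not in the read-only allow-list")
            continue
        if required_fq is not None:
            path = "lst[@name='invariants']/str[@name='fq']"
            fqs = [(s.text or "").strip() for s in handler.findall(path)]
            if required_fq not in fqs:
                findings.append(f"{name}: missing invariant fq {required_fq}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "discover_access_group_ssim:public"):
        print(finding)
```

On the constructed sample this reports the /query handler (no invariant filter) and the /admin/ handler (still enabled).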

Proxying through nginx

In addition to the above, we proxy access to the Solr index. We are running on Elastic Beanstalk and the load balancer provides the SSL connection. nginx then proxies to the Solr HTTP endpoint and adds access control by API key.

The relevant portions of nginx.conf:

      map $http_upgrade $connection_upgrade {
      	default		"upgrade";
      	""			"";
      }
      
      server {
      	listen 80;
              
        include token_auth;
      
      	location /solr/select {
      		proxy_pass			<private url to solr index>/select;
      		proxy_http_version	1.1;
      		proxy_set_header	Connection			$connection_upgrade;
      		proxy_set_header	Upgrade				$http_upgrade;
      		proxy_set_header	Host				$host;
      		proxy_set_header	X-Real-IP			$remote_addr;
      		proxy_set_header	X-Forwarded-For		$proxy_add_x_forwarded_for;
      
      	}

      	location /solr/query {
      		proxy_pass			<private url to solr index>/query;
      		proxy_http_version	1.1;
      		proxy_set_header	Connection			$connection_upgrade;
      		proxy_set_header	Upgrade				$http_upgrade;
      		proxy_set_header	Host				$host;
      		proxy_set_header	X-Real-IP			$remote_addr;
      		proxy_set_header	X-Forwarded-For		$proxy_add_x_forwarded_for;
      
      	}

      }

The included token_auth file controls access to the index: each client submits its API key in the request header "X-Authentication-Token".

token_auth:

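    # Deny by default; a matching key clears the flag.
    set $not_authed 1;
    # $http_x_authentication_token holds the X-Authentication-Token request header.
    if ($http_x_authentication_token = "user1_token") {
        set $not_authed 0;
    }
    if ($http_x_authentication_token = "user2_token") {
        set $not_authed 0;
    }
    # sections for other users

    # No key matched: reject the request.
    if ($not_authed) {
        return 403;
    }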
