Securing Your Public Solr Server

I use Solr for searching on NixMashupLinks.com, so I needed to make the http://solr.site.com server available on my Linode Public Server. I created a subdomain for it, which is cool, but there's an itty-bitty problem: anyone in the world could load up my Solr Administration Control Panel. The first thing to do was lock down my public-facing Solr server so only I and my apps could access it.

We'll first deal with access to http://solr.site.com from applications on the server. That's easy: since those applications reach Solr via localhost, nothing needs to change in them other than pointing the Solr server address at the public URL. External access to http://solr.site.com is the issue at hand.

Since we're accessing Solr through Tomcat, we'll use a combination of Tomcat security and Solr security. We add an authorization role-name constraint in Solr's Tomcat root/WEB-INF/web.xml. About halfway down we've added <role-name>manager</role-name>.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrict access to Solr admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
</login-config>

Now we add our Solr “manager” role in Tomcat's conf/tomcat-users.xml file.

<role rolename="manager"/>
<user username="mysolruser" password="mysolrpassword" roles="manager" />
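Before restarting, it is worth linting the web.xml constraint above for two things it leaves open: naming <http-method> elements constrains only those methods (HEAD, OPTIONS and TRACE then need no credentials), and BASIC auth with a transport-guarantee of NONE sends the password base64-encoded over plaintext HTTP. The checker below is an added example, not code from this post or from Solr/Tomcat; its two sample documents are constructed from the constraint shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's constraint, wrapped in a minimal <web-app>.
AS_POSTED = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrict access to Solr admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>DELETE</http-method><http-method>GET</http-method>
    <http-method>POST</http-method><http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Constructed tightened variant: drop the <http-method> list so every method is
# constrained, and require TLS so the BASIC password is not sent in the clear.
TIGHTENED = re.sub(r"\s*<http-method>[A-Z]+</http-method>", "", AS_POSTED)
TIGHTENED = TIGHTENED.replace("NONE", "CONFIDENTIAL")


def lint_web_xml(xml_text):
    """Return (code, detail) findings for each <security-constraint> in web.xml."""
    root = ET.fromstring(xml_text)
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            name = wrc.findtext("web-resource-name") or "(unnamed)"
            methods = sorted(m.text.strip().upper() for m in wrc.findall("http-method"))
            # Per the Servlet spec, naming methods narrows the constraint to only
            # those methods; HEAD, OPTIONS, TRACE etc. then need no credentials.
            if methods:
                findings.append(("uncovered-methods", f"{name}: only {methods} are constrained"))
        # Without a role-name there is nothing to authenticate against.
        if sc.find("auth-constraint/role-name") is None:
            findings.append(("no-auth-constraint", "no role is required"))
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()
        # BASIC auth is only base64; NONE lets it travel over plaintext HTTP.
        if auth == "BASIC" and guarantee == "NONE":
            findings.append(("plaintext-basic", "BASIC credentials allowed over cleartext HTTP"))
    return findings
```

Run it against your real WEB-INF/web.xml with `lint_web_xml(open(path).read())`; an empty list means all methods under the pattern require the role and the credentials only travel over TLS.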

Restart Tomcat, and the next time you go to your public-facing Solr server you'll see this.

Posted July 15, 2014 01:04 PM EDT
