This might belong on serverfault, so please move if it does.
We just discovered that you can get to a list of SOLR indexes by going to: http://example.com:8983/solr/
this then allows you access to the SOLR admin for each index. This strikes us as... a bad thing. Luckily though, this is locked down to only be accessbile from a certain IP (our office IP via the firewall), but still means the janitor can get access to our SOLR collections. not ideal.
One way to circumvent it has been to remove the admin folder, however this still allows people access to http://example.com:8983/solr/
which isn't ideal.
I've read through the SOLR documentation on security, but can't seem to fully lock down access to /solr/*
. It might be very well a case of looking at the wrong part of the documentation.
Using the code from the documentation:
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/core1/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
and replacing <url-pattern>/core1/*</url-pattern>
with an actual solr collection name does mean that when visiting http://example.com:8983/solr/collection_name/
it will ask me for a login and password, however, when just trying to lock down /solr/*
or even *
I get no such luck.
I'm using the built in solr that came with CF9
Is this a remote Solr server or is it on the same server as CF9, if on the same server as CF9 then you can just tell Solr to listen on 127.0.0.1. There was a patch for this for CF 9.0.0 back in 2010: http://www.adobe.com/support/security/bulletins/apsb10-04.html
If it is a remote solr server, then you can use your network firewall, or a local firewall (windows firewall or iptables) to limit access to this port (and possibly this server) to only the CF server.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With