Solr with HTTP authentication
deltab - July 7, 2009 - 09:16
| Project: | Apache Solr Search Integration |
| Version: | 6.x-1.0-rc1 |
| Component: | Miscellaneous |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Jump to:
Description
Unless I am missing something very basic here, how do I protect my Solr instance?
I have an apache solr instance running inside Tomcat, and need to make sure only my official Drupal instance can write to it, and it seems any server running apachesolr can at present write to the index. Is there a way of connecting to Solr after setting up HTTP authentication on both the Tomcat webapp and Drupal? Or a better way is recommended?
#1
Please review the documentation on Solr security on the Solr wiki and the Security FAQs on the Tomcat wiki. You can restrict access in a variety of ways, including based on host name, or using HTTP authentication.
#2
many thanks anarchivist. although i am rather familiar with solr security, my question is really about the best practice for the Drupal plugin - there are many methods to do this, so wondering which one is the best suited in a Drupal context.
#3
It really depends on your server setup. We're using a combination of firewalls to prevent outside boxes from even hitting our Solr instances directly, and using HTTP authentication as configured in Tomcat.
#4
Indeed - the module does not attempt to address this since it seems that at least basic auth works. If you are trying to be serious about security you should use/force https, or add some additional security code to tomcat in front of Solr. this is generally a topic beyond the scope of the use of the Drupal module - the basic assumption is that if you are running Solr yourself for a single site it's protected by a firewall from access by the wide world.