Hi,
Everyone has access here serverip:port/solr/admin/
Is it secure? Is there a way to protect that by password? If yes - how?
Tomcat6 (manager webapp) seems to be unprotected from bruteforce attack. Is there a way to protect it via fail2ban? Or can I just remove tomcat6-admin?
Is there something else to protect after installing Solr and Tomcat? Sorry if my questions are stupid, some people attack my site very often...
Thanks
Comments
Comment #1
Nick_vh
You should use ip protection. A firewall in your server should protect you. Only allow your webserver to communicate with your solr server on the solr port.
Comment #2
Nick_vh
Comment #3
superfedya commented:
Thanks!
Comment #4
pwolanin commented:
Tomcat itself can implement basic auth passwords, but that's beyond the scope of drupal help. Read the tomcat docs.
Comment #6
ressa commented:
The easiest solution I have found is to limit access to the solr server based on ip address by putting the following in server.xml, in my case located at /usr/local/tomcat/conf/server.xml. Insert this between the <Host> tags:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
... and restart your java server. Now if you go to http://example.com:8983/#/solr all you get is a blank page.
From this page: http://wiki.apache.org/solr/SolrSecurity#Tomcat_Remote_Address_Valve
Comment #7
wluisi commented:
I wouldn't recommend restricting access by IP address. The best way I found is to create a user/password and restrict access that way. Below are instructions for how to do this w/ Solr running on Tomcat.
Step 1.
vim /usr/local/tomcat/conf/tomcat-users.xml
Between the 'tomcat-users' tag add:
<user name="username" password="password" roles="admin, manager"></user>
Step 2:
vim /usr/local/tomcat/webapps/solr/WEB-INF/web.xml
Below the 'web-app xmlns' tag add:
Restart tomcat.
Step 3:
Your Solr admin pg is now password protected. But you'll need to change the 'Solr Server URL' value on admin/config/search/apachesolr/settings/solr/ :
http://username:password@localhost:8983/solr/drupal
This ensures that the login and password are always entered when Drupal is interacting w/ your Solr server.
Comment #8
ressa at Ardea commented:
Just if someone else ends up here looking for ways to block access to Solr, in version 7.7.0 (and probably previous versions) you can add this to /etc/default/solr.in.sh to block outside access to Solr. Restart solr to make it take effect:
SOLR_OPTS="$SOLR_OPTS -Djetty.host=127.0.0.1"
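
Whichever restriction from this thread is applied (firewall, address valve, password, loopback binding), it is worth confirming from a machine other than the Solr host that it took effect. The script below is an added example, not code from any participant in the thread; the URL and credentials are supplied by the operator, and it assumes an address filter answers 403 (Tomcat's default for RemoteAddrValve) and basic auth answers 401.

```python
import base64
import sys
import urllib.error
import urllib.request

# Direct connections only: a proxy would hide how the server itself answers.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, user=None, password=None, timeout=5):
    """Return the HTTP status for url, or None if no connection is possible."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 are answers from the server, not failures
    except (urllib.error.URLError, OSError):
        return None  # refused, filtered or timed out


def assess(url, user=None, password=None):
    """Classify how the Solr admin URL responds to an outside client."""
    anon = probe(url)
    if anon is None:
        return "unreachable"  # firewall or loopback-only binding is working
    if anon == 403:
        return "blocked-by-address"  # assumed reply of an address filter
    if anon == 401:
        if user is None:
            return "auth-required"
        # Password protection is on; confirm the Drupal-side credentials work.
        ok = probe(url, user, password) == 200
        return "auth-ok" if ok else "auth-rejected"
    if 200 <= anon < 400:
        return "OPEN"  # admin UI answered without credentials
    return f"unexpected-{anon}"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_solr.py URL [USER PASSWORD]")
    print(assess(*sys.argv[1:4]))
```

Run it against the serverip:port/solr/admin/ address from the question; any result of OPEN means the admin interface is still exposed to that client.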