Hi,

Everyone has access here serverip:port/solr/admin/

Is it secure? Is there a way to protect it with a password? If yes, how?

Tomcat6 (manager webapp) seems to be unprotected from brute-force attacks. Is there a way to protect it via fail2ban? Or can I just remove tomcat6-admin?

Is there something else to protect after installing Solr and Tomcat? Sorry if my questions are stupid, some people attack my site very often...

Thanks

Comments

Nick_vh

You should use IP protection. A firewall on your server should protect you. Only allow your webserver to communicate with your Solr server on the Solr port.

Nick_vh

Status: Active » Fixed

superfedya

Thanks!

pwolanin

Tomcat itself can implement basic auth passwords, but that's beyond the scope of Drupal help. Read the Tomcat docs.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

ressa

Version: 6.x-1.5 » 7.x-1.5

The easiest solution I have found is to limit access to the Solr server based on IP address by putting the following in server.xml, in my case located at /usr/local/tomcat/conf/server.xml.

Insert this between the <Host> tags:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>

... and restart your Java server. Now if you go to http://example.com:8983/#/solr all you get is a blank page.

From this page: http://wiki.apache.org/solr/SolrSecurity#Tomcat_Remote_Address_Valve

wluisi

Issue summary: View changes

I wouldn't recommend restricting access by IP address. The best way I found is to create a user/password and restrict access that way. Below are instructions for how to do this w/ Solr running on Tomcat.

Step 1:

vim /usr/local/tomcat/conf/tomcat-users.xml

Between the 'tomcat-users' tags add:

<user name="username" password="password" roles="admin, manager"></user>

Step 2:

vim /usr/local/tomcat/webapps/solr/WEB-INF/web.xml

Below the 'web-app xmlns' tag add:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrict access to Solr admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
</login-config>

Restart Tomcat.

Step 3:

Your Solr admin page is now password protected. But you'll need to change the 'Solr Server URL' value on admin/config/search/apachesolr/settings/solr/ :

http://username:password@localhost:8983/solr/drupal

This ensures that the login and password are always sent when Drupal is interacting w/ your Solr server.
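A way to verify a web.xml/tomcat-users.xml pair like the one in the steps above before restarting Tomcat. This is an added example, not code from the thread or from the Apache Solr module: it parses the constraint and reports which url-patterns actually require a role, whether the realm user holds that role, and two things the snippet above leaves open: BASIC auth with transport-guarantee NONE sends the password in clear text on every request, and listing http-method elements constrains only those methods (other methods on the same path stay uncovered unless Tomcat's deny-uncovered-http-methods is set). The sample XML is constructed to mirror the posted snippets, and SENSITIVE_PATHS (adding /update/*, Solr's index-modification handler) is this example's own list.

```python
"""Audit a Tomcat-hosted Solr web.xml for the BASIC-auth constraint described above.

Added example, not from the issue thread. All sample input is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the posted security-constraint.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrict access to Solr admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
  </login-config>
</web-app>
"""

# Constructed tomcat-users.xml mirroring the posted user entry.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <user name="username" password="password" roles="admin, manager"></user>
</tomcat-users>
"""

# Paths this example treats as sensitive (assumption, not from the thread):
# the admin UI and the update handler that can modify the index.
SENSITIVE_PATHS = ("/admin/*", "/update/*")


def _local(tag):
    """Strip an XML namespace: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """All descendants of elem whose local tag name is `name`."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def audit_web_xml(xml_text, sensitive=SENSITIVE_PATHS):
    """Return a report on which paths require a role and how credentials travel."""
    root = ET.fromstring(xml_text)
    protected, roles = set(), set()
    lists_methods = transport_none = False
    for sc in _descendants(root, "security-constraint"):
        # A constraint without an auth-constraint grants access to everyone, so
        # its url-patterns do not count as protected.
        if not _descendants(sc, "auth-constraint"):
            continue
        protected |= {p.text.strip() for p in _descendants(sc, "url-pattern") if p.text}
        roles |= {r.text.strip() for r in _descendants(sc, "role-name") if r.text}
        # Listing http-method elements limits the constraint to those methods only.
        lists_methods |= bool(_descendants(sc, "http-method"))
        for tg in _descendants(sc, "transport-guarantee"):
            transport_none |= (tg.text or "").strip().upper() == "NONE"
    auth_method = ""
    for am in _descendants(root, "auth-method"):
        auth_method = (am.text or "").strip().upper()
    return {
        "protected_patterns": protected,
        "roles_required": roles,
        "unprotected_sensitive": [p for p in sensitive if p not in protected],
        "basic_auth": auth_method == "BASIC",
        # BASIC over a connector with no transport guarantee: cleartext credentials.
        "plaintext_basic": auth_method == "BASIC" and transport_none,
        "lists_http_methods": lists_methods,
    }


def users_with_roles(xml_text, required):
    """Names of realm users holding every role in `required`."""
    root = ET.fromstring(xml_text)
    holders = []
    for user in _descendants(root, "user"):
        # Tomcat's memory realm accepts either attribute spelling.
        name = user.get("username") or user.get("name")
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        if name and set(required) <= roles:
            holders.append(name)
    return holders


if __name__ == "__main__":
    report = audit_web_xml(SAMPLE_WEB_XML)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("users holding required roles:",
          users_with_roles(SAMPLE_TOMCAT_USERS, report["roles_required"]))
```

Run it against the real files by passing their contents instead of the constructed samples; a non-empty `unprotected_sensitive`, a `plaintext_basic` of True on a non-TLS connector, or an empty user list from `users_with_roles` each point at a gap the restart would leave in place.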

ressa

Just in case someone else ends up here looking for ways to block access to Solr, in version 7.7.0 (and probably previous versions) you can add this to /etc/default/solr.in.sh to block outside access to Solr. Restart Solr to make it take effect:
SOLR_OPTS="$SOLR_OPTS -Djetty.host=127.0.0.1"
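After setting -Djetty.host as above, the thing worth confirming is that the Solr port is now bound only to a loopback address. This added example (not from the thread) parses the listening-socket table that `ss -ltn` prints and returns every non-loopback address a given port is bound to, treating `*`, `0.0.0.0` and `::` as exposed. The table below is constructed; on a real host, feed it the command's output instead.

```python
"""Flag Solr listeners that are reachable from outside the host.

Added example, not from the issue thread. SAMPLE_SS_OUTPUT is constructed
to look like `ss -ltn` output and is not captured from a real system.
"""
import ipaddress

SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     127.0.0.1:8983      0.0.0.0:*
LISTEN 0      50     *:8080              *:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      50     0.0.0.0:8983        0.0.0.0:*
"""


def split_addr_port(field):
    """'[::]:22' -> ('::', 22); '0.0.0.0:8983' -> ('0.0.0.0', 8983)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for a concrete loopback address; wildcards are not loopback."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output, port):
    """Local addresses on which `port` is listening other than loopback."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        # Header line and non-LISTEN rows are skipped.
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, bound_port = split_addr_port(parts[3])
        if bound_port == port and not is_loopback(host):
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    for port in (8983, 8080, 22):
        print(port, "exposed on:", exposed_listeners(SAMPLE_SS_OUTPUT, port) or "loopback only")
```

An empty result for 8983 is what a correctly applied jetty.host setting should produce; the sample deliberately contains a second, wildcard-bound 8983 listener to show what a missed restart or a second Solr instance looks like. Note this only covers Solr's own Jetty; a Tomcat-hosted Solr still needs the Valve or auth constraint from the earlier comments.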