From: anna h. <an...@gm...> - 2012-05-28 13:56:52

Hi vufind-tech and solrmarc-tech,

Currently I have solr access blocked by the firewall. But I want to allow access to search results so that librarians can experiment with relevance ranking. And I'd like to allow access to the solr admin page (I don't think there is a form to change the index there) for anyone that wants to see the stemming information.

So I want to find a way to open the solr port, but lock down access to the solr /update url so that it's accessible only from localhost.

I will be looking into Tomcat configuration and the like, but if you are already doing something like this I'd appreciate any advice! And if there's anything else I should be careful to lock down, I'd appreciate that advice as well.

Thanks,
Anna

From: anna h. <an...@gm...> - 2012-05-28 14:08:31

s/Tomcat/jetty

On Mon, May 28, 2012 at 9:56 AM, anna headley <an...@gm...> wrote:

> Hi vufind-tech and solrmarc-tech,
>
> Currently I have solr access blocked by the firewall. But I want to allow
> access to search results so that librarians can experiment with relevance
> ranking. And I'd like to allow access to the solr admin page (I don't
> think there is a form to change the index there) for anyone that wants to
> see the stemming information.
>
> So I want to find a way to open the solr port, but lock down access to the
> solr /update url so that it's accessible only from localhost.
>
> I will be looking into Tomcat configuration and the like, but if you are
> already doing something like this I'd appreciate any advice! And if
> there's anything else I should be careful to lock down, I'd appreciate that
> advice as well.
>
> Thanks,
> Anna

From: Tuan N. <tu...@yo...> - 2012-05-28 14:11:01

Hi Anna,

If you are running solr on linux, you can try to use apache mod_proxy to pass requests to solr and use apache's Location/LocationMatch directives to control access to various URL patterns.

Hope this helps.

T

On 2012-05-28, at 10:07 AM, anna headley wrote:

> s/Tomcat/jetty
>
> On Mon, May 28, 2012 at 9:56 AM, anna headley <an...@gm...> wrote:
> Hi vufind-tech and solrmarc-tech,
>
> Currently I have solr access blocked by the firewall. But I want to allow access to search results so that librarians can experiment with relevance ranking. And I'd like to allow access to the solr admin page (I don't think there is a form to change the index there) for anyone that wants to see the stemming information.
>
> So I want to find a way to open the solr port, but lock down access to the solr /update url so that it's accessible only from localhost.
>
> I will be looking into Tomcat configuration and the like, but if you are already doing something like this I'd appreciate any advice! And if there's anything else I should be careful to lock down, I'd appreciate that advice as well.
>
> Thanks,
> Anna

From: Mark T. <ma...@di...> - 2012-05-28 20:55:55

Hi Anna,

I think you want to be a bit careful about how much of Solr you make generally available. There's a thread on the solr-user list from a while back that discusses this:

http://lucene.472066.n3.nabble.com/Questions-about-Solr-s-security-td3471133.html#a3471723

and even access to the '/select' handler can be enough to inadvertently give access to the other index-modifying request handlers.

A variation on Tuan's suggestion might be to use Apache + mod_proxy + mod_auth_basic/mod_authn_file to require a username/password to access Solr--assuming you only have a small number of users needing access, and that they're not actively out to get you :)

If you need to provide access more broadly (or if your users *are* out to get you), you could leave Solr firewalled off and write a custom webapp to provide controlled access to the bits they need. In addition to using the usual '/select' handler for firing searches, you can use the FieldAnalysisRequestHandler to produce your own version of the "Analysis" page shown by Solr admin:

http://lucene.apache.org/solr/api/org/apache/solr/handler/FieldAnalysisRequestHandler.html

It might not be enabled in the VuFind solrconfig.xml, but I think you would just need to add a new solrconfig.xml entry like:

  <requestHandler name="/analysis/field" class="solr.FieldAnalysisRequestHandler" />

to activate it. Then something like:

  curl -s 'http://localhost:8080/solr/biblio/analysis/field?analysis.fieldname=title&analysis.fieldvalue=hello+world&wt=json' | python -mjson.tool

Should give you more than you ever wanted to know about how queries are analysed :)

Cheers,

Mark

anna headley <an...@gm...> writes:

> Hi vufind-tech and solrmarc-tech,
>
> Currently I have solr access blocked by the firewall. But I want to allow
> access to search results so that librarians can experiment with relevance
> ranking. And I'd like to allow access to the solr admin page (I don't
> think there is a form to change the index there) for anyone that wants to
> see the stemming information.
>
> So I want to find a way to open the solr port, but lock down access to the
> solr /update url so that it's accessible only from localhost.
>
> I will be looking into Tomcat configuration and the like, but if you are
> already doing something like this I'd appreciate any advice! And if
> there's anything else I should be careful to lock down, I'd appreciate that
> advice as well.

--
Mark Triggs
<ma...@di...>

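The "custom webapp" option in the message above comes down to an allowlist of handlers and parameter names in front of a firewalled Solr. A sketch of that check, added here as an example and not code from any poster in this thread or from VuFind; the policy table, `MAX_ROWS` and the function name are assumptions, and the Solr base URL is the one from the curl command above:

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: Solr stays firewalled; only this gateway host can reach it.
SOLR_BASE = "http://localhost:8080/solr/biblio"

# Hypothetical policy: exposed handler path -> parameter names it may receive.
ALLOWED = {
    "/select": {"q", "fq", "fl", "sort", "start", "rows", "debugQuery"},
    "/analysis/field": {"analysis.fieldname", "analysis.fieldvalue"},
}
MAX_ROWS = 100  # cap result size so one request cannot dump the index


class Rejected(ValueError):
    """The request does not match the gateway policy."""


def build_upstream_url(request_target):
    """Translate a client request target into a Solr URL, or raise Rejected."""
    parts = urlsplit(request_target)
    # Exact match on the raw path: prefixes, "..", and encoded variants all miss.
    allowed = ALLOWED.get(parts.path)
    if allowed is None:
        raise Rejected("handler not exposed: %r" % parts.path)
    params = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in allowed:
            raise Rejected("parameter not allowed: %r" % name)
        if name in ("rows", "start"):
            if not (value.isascii() and value.isdigit()):
                raise Rejected("%s must be a non-negative integer" % name)
            if name == "rows":
                value = str(min(int(value), MAX_ROWS))
        params.append((name, value))
    # The gateway, not the client, chooses the response writer.
    params.append(("wt", "json"))
    return SOLR_BASE + parts.path + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed sample requests.
    for target in ("/select?q=title%3Ahello&rows=5000",
                   "/analysis/field?analysis.fieldname=title&analysis.fieldvalue=hello+world",
                   "/update?commit=true"):
        try:
            print("forward", build_upstream_url(target))
        except Rejected as err:
            print("reject ", target, "->", err)
```

Parameter values other than `rows` and `start` are forwarded unchanged, so this policy restricts which handlers and parameter names reach Solr, not what the query text contains.
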
From: anna h. <an...@gm...> - 2012-05-31 15:25:23

Thank you Tuan and Mark for your insight, which was / is very helpful. Another thing I'm going to do is allow the access on a slave index, so any mistakes or malicious action would have minimal repercussions.

Best,
Anna

On Mon, May 28, 2012 at 4:55 PM, Mark Triggs <ma...@di...> wrote:

> Hi Anna,
>
> I think you want to be a bit careful about how much of Solr you make
> generally available. There's a thread on the solr-user list from a
> while back that discusses this:
>
> http://lucene.472066.n3.nabble.com/Questions-about-Solr-s-security-td3471133.html#a3471723
>
> and even access to the '/select' handler can be enough to inadvertently
> give access to the other index-modifying request handlers.
>
> A variation on Tuan's suggestion might be to use Apache + mod_proxy +
> mod_auth_basic/mod_authn_file to require a username/password to access
> Solr--assuming you only have a small number of users needing access, and
> that they're not actively out to get you :)
>
> If you need to provide access more broadly (or if your users *are* out
> to get you), you could leave Solr firewalled off and write a custom
> webapp to provide controlled access to the bits they need. In addition
> to using the usual '/select' handler for firing searches, you can use
> the FieldAnalysisRequestHandler to produce your own version of the
> "Analysis" page shown by Solr admin:
>
> http://lucene.apache.org/solr/api/org/apache/solr/handler/FieldAnalysisRequestHandler.html
>
> It might not be enabled in the VuFind solrconfig.xml, but I think you
> would just need to add a new solrconfig.xml entry like:
>
>   <requestHandler name="/analysis/field"
>                   class="solr.FieldAnalysisRequestHandler" />
>
> to activate it. Then something like:
>
>   curl -s 'http://localhost:8080/solr/biblio/analysis/field?analysis.fieldname=title&analysis.fieldvalue=hello+world&wt=json' | python -mjson.tool
>
> Should give you more than you ever wanted to know about how queries are
> analysed :)
>
> Cheers,
>
> Mark
>
> anna headley <an...@gm...> writes:
>
> > Hi vufind-tech and solrmarc-tech,
> >
> > Currently I have solr access blocked by the firewall. But I want to allow
> > access to search results so that librarians can experiment with relevance
> > ranking. And I'd like to allow access to the solr admin page (I don't
> > think there is a form to change the index there) for anyone that wants to
> > see the stemming information.
> >
> > So I want to find a way to open the solr port, but lock down access to the
> > solr /update url so that it's accessible only from localhost.
> >
> > I will be looking into Tomcat configuration and the like, but if you are
> > already doing something like this I'd appreciate any advice! And if
> > there's anything else I should be careful to lock down, I'd appreciate that
> > advice as well.
>
> --
> Mark Triggs
> <ma...@di...>