You are viewing a plain text version of this content. The canonical link for it is here.
Posted to solr-user@lucene.apache.org by Bruno Mannina <bm...@free.fr> on 2012/11/08 15:39:39 UTC
Limit the SolR acces from the web for one user-agent?
Dear All,
I'm using an external program (my own client) to access to my
Apache-SolR database.
I would like to restrict the SOLR access to a specific User-Agent
(defined in my program).
I would like to know if it's possible to do that directly in SolR config
or I must
process that in the Apache server?
My program do only requests like this (i.e.):
http://xxx.xxx.xxx.xxx:pp/solr/select/?q=ap%3Afuelcell&version=2.2&start=0&rows=10&indent=on
I can add on my HTTP component properties an User-Agent, Log, Pass,
etc... like a standard Http connection.
To complete: my soft is distribued to several users and I would like to
limit the SOLR access to these users and with my program.
FireFox, Chrome, I.E. will be unauthorized.
thanks for your comment or help,
Bruno
Ubuntu 12.04LTS
SolR 3.6
Re: Limit the SolR acces from the web for one user-agent?
Posted by Michael Della Bitta <mi...@appinions.com>.
Another option is to use HTTP auth, which would involve modifying
web.xml in the Solr WAR and configuring a user in your container.
Unfortunately, this won't work with distributed queries.
Michael Della Bitta
------------------------------------------------
Appinions
18 East 41st Street, 2nd Floor
New York, NY 10017-6271
www.appinions.com
Where Influence Isn’t a Game
On Thu, Nov 8, 2012 at 11:23 PM, Alexandre Rafalovitch
<ar...@gmail.com> wrote:
> I haven't _done_ this myself, but I believe it is a well supported
> scenario. See, for example,
> http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#accesscontrol
> and
> http://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication
>
> Basically, you create a set of self-signed certificates and then your
> client has to encrypt the connection and provide the certificate. Somebody
> with access to the client can probably still break it and get the
> certificates out, but it is quite a bit harder than just running a
> Wireshark on the same (or even other) machine and checking what custom
> header is being used.
>
> This is no longer a SOLR question, but I am sure StackOverflow can help
> with more specific issues, if needed.
>
> Regards,
> Alex.
>
> Personal blog: http://blog.outerthoughts.com/
> LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
> - Time is the quality of nature that keeps events from happening all at
> once. Lately, it doesn't seem to be working. (Anonymous - via GTD book)
>
>
> On Thu, Nov 8, 2012 at 10:08 PM, Floyd Wu <fl...@gmail.com> wrote:
>
>> Hi Alex, I'd like to know how to "using Client and Server Certificates to
>> protect
>> the connection and embedding those certificates into clients?"
>>
>> Please kindly share your experience.
>>
>> Floyd
>>
>>
>> 2012/11/8 Alexandre Rafalovitch <ar...@gmail.com>
>>
>> > It is very easy to do this on Apache, but you need to be aware that
>> > User-Agent is extremely easy to both sniff and spoof.
>> >
>> > Have you thought of perhaps using Client and Server Certificates to
>> protect
>> > the connection and embedding those certificates into clients?
>> >
>> > Regards,
>> > Alex.
>> >
>> > Personal blog: http://blog.outerthoughts.com/
>> > LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
>> > - Time is the quality of nature that keeps events from happening all at
>> > once. Lately, it doesn't seem to be working. (Anonymous - via GTD book)
>> >
>> >
>> > On Thu, Nov 8, 2012 at 9:39 AM, Bruno Mannina <bm...@free.fr> wrote:
>> >
>> > > Dear All,
>> > >
>> > > I'm using an external program (my own client) to access to my
>> Apache-SolR
>> > > database.
>> > > I would like to restrict the SOLR access to a specific User-Agent
>> > (defined
>> > > in my program).
>> > >
>> > > I would like to know if it's possible to do that directly in SolR
>> config
>> > > or I must
>> > > process that in the Apache server?
>> > >
>> > > My program do only requests like this (i.e.):
>> > > http://xxx.xxx.xxx.xxx:pp/**solr/select/?q=ap%3Afuelcell&**
>> > > version=2.2&start=0&rows=10&**indent=on
>> > >
>> > > I can add on my HTTP component properties an User-Agent, Log, Pass,
>> > etc...
>> > > like a standard Http connection.
>> > >
>> > > To complete: my soft is distribued to several users and I would like to
>> > > limit the SOLR access to these users and with my program.
>> > > FireFox, Chrome, I.E. will be unauthorized.
>> > >
>> > > thanks for your comment or help,
>> > > Bruno
>> > >
>> > > Ubuntu 12.04LTS
>> > > SolR 3.6
>> > >
>> >
>>
Re: Limit the SolR acces from the web for one user-agent?
Posted by Alexandre Rafalovitch <ar...@gmail.com>.
I haven't _done_ this myself, but I believe it is a well supported
scenario. See, for example,
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#accesscontrol
and
http://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication
Basically, you create a set of self-signed certificates and then your
client has to encrypt the connection and provide the certificate. Somebody
with access to the client can probably still break it and get the
certificates out, but it is quite a bit harder than just running a
Wireshark on the same (or even other) machine and checking what custom
header is being used.
This is no longer a SOLR question, but I am sure StackOverflow can help
with more specific issues, if needed.
Regards,
Alex.
Personal blog: http://blog.outerthoughts.com/
LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
- Time is the quality of nature that keeps events from happening all at
once. Lately, it doesn't seem to be working. (Anonymous - via GTD book)
On Thu, Nov 8, 2012 at 10:08 PM, Floyd Wu <fl...@gmail.com> wrote:
> Hi Alex, I'd like to know how to "using Client and Server Certificates to
> protect
> the connection and embedding those certificates into clients?"
>
> Please kindly share your experience.
>
> Floyd
>
>
> 2012/11/8 Alexandre Rafalovitch <ar...@gmail.com>
>
> > It is very easy to do this on Apache, but you need to be aware that
> > User-Agent is extremely easy to both sniff and spoof.
> >
> > Have you thought of perhaps using Client and Server Certificates to
> protect
> > the connection and embedding those certificates into clients?
> >
> > Regards,
> > Alex.
> >
> > Personal blog: http://blog.outerthoughts.com/
> > LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
> > - Time is the quality of nature that keeps events from happening all at
> > once. Lately, it doesn't seem to be working. (Anonymous - via GTD book)
> >
> >
> > On Thu, Nov 8, 2012 at 9:39 AM, Bruno Mannina <bm...@free.fr> wrote:
> >
> > > Dear All,
> > >
> > > I'm using an external program (my own client) to access to my
> Apache-SolR
> > > database.
> > > I would like to restrict the SOLR access to a specific User-Agent
> > (defined
> > > in my program).
> > >
> > > I would like to know if it's possible to do that directly in SolR
> config
> > > or I must
> > > process that in the Apache server?
> > >
> > > My program do only requests like this (i.e.):
> > > http://xxx.xxx.xxx.xxx:pp/**solr/select/?q=ap%3Afuelcell&**
> > > version=2.2&start=0&rows=10&**indent=on
> > >
> > > I can add on my HTTP component properties an User-Agent, Log, Pass,
> > etc...
> > > like a standard Http connection.
> > >
> > > To complete: my soft is distribued to several users and I would like to
> > > limit the SOLR access to these users and with my program.
> > > FireFox, Chrome, I.E. will be unauthorized.
> > >
> > > thanks for your comment or help,
> > > Bruno
> > >
> > > Ubuntu 12.04LTS
> > > SolR 3.6
> > >
> >
>
Re: Limit the SolR acces from the web for one user-agent?
Posted by Floyd Wu <fl...@gmail.com>.
Hi Alex, I'd like to know how to "using Client and Server Certificates to
protect
the connection and embedding those certificates into clients?"
Please kindly share your experience.
Floyd
2012/11/8 Alexandre Rafalovitch <ar...@gmail.com>
> It is very easy to do this on Apache, but you need to be aware that
> User-Agent is extremely easy to both sniff and spoof.
>
> Have you thought of perhaps using Client and Server Certificates to protect
> the connection and embedding those certificates into clients?
>
> Regards,
> Alex.
>
> Personal blog: http://blog.outerthoughts.com/
> LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
> - Time is the quality of nature that keeps events from happening all at
> once. Lately, it doesn't seem to be working. (Anonymous - via GTD book)
>
>
> On Thu, Nov 8, 2012 at 9:39 AM, Bruno Mannina <bm...@free.fr> wrote:
>
> > Dear All,
> >
> > I'm using an external program (my own client) to access to my Apache-SolR
> > database.
> > I would like to restrict the SOLR access to a specific User-Agent
> (defined
> > in my program).
> >
> > I would like to know if it's possible to do that directly in SolR config
> > or I must
> > process that in the Apache server?
> >
> > My program do only requests like this (i.e.):
> > http://xxx.xxx.xxx.xxx:pp/**solr/select/?q=ap%3Afuelcell&**
> > version=2.2&start=0&rows=10&**indent=on
> >
> > I can add on my HTTP component properties an User-Agent, Log, Pass,
> etc...
> > like a standard Http connection.
> >
> > To complete: my soft is distribued to several users and I would like to
> > limit the SOLR access to these users and with my program.
> > FireFox, Chrome, I.E. will be unauthorized.
> >
> > thanks for your comment or help,
> > Bruno
> >
> > Ubuntu 12.04LTS
> > SolR 3.6
> >
>
Re: Limit the SolR acces from the web for one user-agent?
Posted by Alexandre Rafalovitch <ar...@gmail.com>.
It is very easy to do this on Apache, but you need to be aware that
User-Agent is extremely easy to both sniff and spoof.
Have you thought of perhaps using Client and Server Certificates to protect
the connection and embedding those certificates into clients?
Regards,
Alex.
Personal blog: http://blog.outerthoughts.com/
LinkedIn: http://www.linkedin.com/in/alexandrerafalovitch
- Time is the quality of nature that keeps events from happening all at
once. Lately, it doesn't seem to be working. (Anonymous - via GTD book)
On Thu, Nov 8, 2012 at 9:39 AM, Bruno Mannina <bm...@free.fr> wrote:
> Dear All,
>
> I'm using an external program (my own client) to access to my Apache-SolR
> database.
> I would like to restrict the SOLR access to a specific User-Agent (defined
> in my program).
>
> I would like to know if it's possible to do that directly in SolR config
> or I must
> process that in the Apache server?
>
> My program do only requests like this (i.e.):
> http://xxx.xxx.xxx.xxx:pp/**solr/select/?q=ap%3Afuelcell&**
> version=2.2&start=0&rows=10&**indent=on
>
> I can add on my HTTP component properties an User-Agent, Log, Pass, etc...
> like a standard Http connection.
>
> To complete: my soft is distribued to several users and I would like to
> limit the SOLR access to these users and with my program.
> FireFox, Chrome, I.E. will be unauthorized.
>
> thanks for your comment or help,
> Bruno
>
> Ubuntu 12.04LTS
> SolR 3.6
>