Posted to solr-user@lucene.apache.org by Brian Lamb <br...@journalexperts.com> on 2011/05/09 20:57:01 UTC

Solr security

Hi all,

Is it possible to set up solr so that it will only execute dataimport
commands if they come from localhost?

Right now, my application and my solr installation are on different servers
so any requests are formatted http://domain:8983 instead of
http://localhost:8983. I am concerned that when I launch my application,
there will be the potential for abuse. Is the best solution to have
everything reside on the same server?

What are some other solutions?

Thanks,

Brian Lamb

Re: Solrj Questions

Posted by Chris Hostetter <ho...@fucit.org>.
: Subject: Solrj Questions
: References: <BA...@mail.gmail.com>
:     <19...@cominvent.com>
:     <4D...@tinkertownlabs.com>
:  <BA...@mail.gmail.com>
: In-Reply-To: <BA...@mail.gmail.com>

http://people.apache.org/~hossman/#threadhijack
Thread Hijacking on Mailing Lists

When starting a new discussion on a mailing list, please do not reply to 
an existing message, instead start a fresh email.  Even if you change the 
subject line of your email, other mail headers still track which thread 
you replied to and your question is "hidden" in that thread and gets less 
attention.   It makes following discussions in the mailing list archives 
particularly difficult.


-Hoss

Solrj Questions

Posted by Rohit <ro...@in-rev.com>.
Hi,

I am trying to use solrj for my application, my code is given below,

    query.add("q", "simplify360");
    query.add("facet", "true");
    query.add("facet.range", "createdOnGMTDate");
    query.add("facet.range.start", "2010-08-01T00:00:00Z+330MINUTES");
    query.add("facet.range.end", "2011-05-31T00:00:00Z+330MINUTES");
    query.add("facet.range.gap", "+1DAY");
    //query.add("wt","json");
    //query.add("wt.mime-type","application/json");

    System.err.println(query.toString());

The code executes fine and when I execute the URL on the Solr server, I get the
following result for faceting,

<lst name="facet_counts"><lst name="facet_queries"/>
<lst name="facet_fields"/>
<lst name="facet_dates"/>
<lst name="facet_ranges">
<lst name="createdOnGMTDate">
<lst name="counts">
<int name="2010-01-01T00:00:00Z">0</int>
<int name="2010-01-02T00:00:00Z">0</int>
<int name="2010-01-03T00:00:00Z">0</int>
<int name="2010-01-04T00:00:00Z">0</int>
<int name="2010-01-05T00:00:00Z">0</int>
<int name="2010-01-06T00:00:00Z">0</int>
</lst>
<str name="gap">+1DAY</str>
<date name="start">2010-01-01T00:00:00Z</date>
<date name="end">2011-05-31T00:00:00Z</date>
</lst>
</lst>
</lst>
</response>

1) How can I retrieve these values in Java?

2) Also, is there any way I can convert the JSON response to the JSON Java
object?

Regards,

Rohit


Re: Solr security

Posted by Brian Lamb <br...@journalexperts.com>.
Great posts all. I will give these a look and come up with something based
on these recommendations. I'm sure as I begin implementing something, I will
have more questions arise.

On Tue, May 10, 2011 at 9:00 AM, Anthony Wlodarski <
anthony@tinkertownlabs.com> wrote:

> The WIKI has a loose interpretation of how to set-up Jetty securely.
>  Please take a look at the article I wrote here:
> http://anthonyw.net/2011/04/securing-jetty-and-solr-with-php-authentication/.
>  Even if PHP is not your language that sits on top of Solr you can still use
> the first part of the tutorial.  If you are using Tomcat I would recommend
> looking here:
> http://blog.comtaste.com/2009/02/securing_your_solr_server_on_t.html
>
> Regards,
>
> -Anthony
>
>
> On 05/09/2011 05:28 PM, Jan Høydahl wrote:
>
>> Hi,
>>
>> You can simply configure a firewall on your Solr server to only allow
>> access from your frontend server. Whether you use the built-in software
>> firewall of Linux/Windows/Whatever or use some other FW utility is a choice
>> you need to make. This is by design - you should never ever expose your
>> backend services, whether it's a search server or a database server, to the
>> public.
>>
>> Read more about Solr security on the WIKI:
>> http://wiki.apache.org/solr/SolrSecurity
>>
>> --
>> Jan Høydahl, search solution architect
>> Cominvent AS - www.cominvent.com
>>
>> On 9. mai 2011, at 20.57, Brian Lamb wrote:
>>
>>  Hi all,
>>>
>>> Is it possible to set up solr so that it will only execute dataimport
>>> commands if they come from localhost?
>>>
>>> Right now, my application and my solr installation are on different
>>> servers
>>> so any requests are formatted http://domain:8983 instead of
>>> http://localhost:8983. I am concerned that when I launch my application,
>>> there will be the potential for abuse. Is the best solution to have
>>> everything reside on the same server?
>>>
>>> What are some other solutions?
>>>
>>> Thanks,
>>>
>>> Brian Lamb
>>>
>>
> --
> Anthony Wlodarski
> Lead Software Engineer
> Get2Know.me (http://www.get2know.me)
> Office: 646-285-0500 x217
> Fax: 646-285-0400
>
>

Re: Solr security

Posted by Anthony Wlodarski <an...@tinkertownlabs.com>.
The WIKI has a loose interpretation of how to set-up Jetty securely.  
Please take a look at the article I wrote here:  
http://anthonyw.net/2011/04/securing-jetty-and-solr-with-php-authentication/.  
Even if PHP is not your language that sits on top of Solr you can still 
use the first part of the tutorial.  If you are using Tomcat I would 
recommend looking here: 
http://blog.comtaste.com/2009/02/securing_your_solr_server_on_t.html

Regards,

-Anthony

On 05/09/2011 05:28 PM, Jan Høydahl wrote:
> Hi,
>
> You can simply configure a firewall on your Solr server to only allow access from your frontend server. Whether you use the built-in software firewall of Linux/Windows/Whatever or use some other FW utility is a choice you need to make. This is by design - you should never ever expose your backend services, whether it's a search server or a database server, to the public.
>
> Read more about Solr security on the WIKI: http://wiki.apache.org/solr/SolrSecurity
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> On 9. mai 2011, at 20.57, Brian Lamb wrote:
>
>> Hi all,
>>
>> Is it possible to set up solr so that it will only execute dataimport
>> commands if they come from localhost?
>>
>> Right now, my application and my solr installation are on different servers
>> so any requests are formatted http://domain:8983 instead of
>> http://localhost:8983. I am concerned that when I launch my application,
>> there will be the potential for abuse. Is the best solution to have
>> everything reside on the same server?
>>
>> What are some other solutions?
>>
>> Thanks,
>>
>> Brian Lamb

-- 
Anthony Wlodarski
Lead Software Engineer
Get2Know.me (http://www.get2know.me)
Office: 646-285-0500 x217
Fax: 646-285-0400


Re: Solr security

Posted by Jan Høydahl <ja...@cominvent.com>.
Hi,

You can simply configure a firewall on your Solr server to only allow access from your frontend server. Whether you use the built-in software firewall of Linux/Windows/Whatever or use some other FW utility is a choice you need to make. This is by design - you should never ever expose your backend services, whether it's a search server or a database server, to the public.

Read more about Solr security on the WIKI: http://wiki.apache.org/solr/SolrSecurity

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

On 9. mai 2011, at 20.57, Brian Lamb wrote:

> Hi all,
> 
> Is it possible to set up solr so that it will only execute dataimport
> commands if they come from localhost?
> 
> Right now, my application and my solr installation are on different servers
> so any requests are formatted http://domain:8983 instead of
> http://localhost:8983. I am concerned that when I launch my application,
> there will be the potential for abuse. Is the best solution to have
> everything reside on the same server?
> 
> What are some other solutions?
> 
> Thanks,
> 
> Brian Lamb


Re: Solr security

Posted by Upayavira <uv...@odoko.co.uk>.
Solr does not provide security (I believe Lucid EnterpriseWorks has
something there).

You should keep Solr itself secure behind a firewall, and pass all
requests through some intermediary that only allows sensible stuff
through to Solr itself. That way, the DataImportHandler is accessible
inside your firewall, and your search functionality is available
outside.

Upayavira

On Mon, 09 May 2011 14:57 -0400, "Brian Lamb"
<br...@journalexperts.com> wrote:
> Hi all,
> 
> Is it possible to set up solr so that it will only execute dataimport
> commands if they come from localhost?
> 
> Right now, my application and my solr installation are on different
> servers
> so any requests are formatted http://domain:8983 instead of
> http://localhost:8983. I am concerned that when I launch my application,
> there will be the potential for abuse. Is the best solution to have
> everything reside on the same server?
> 
> What are some other solutions?
> 
> Thanks,
> 
> Brian Lamb
> 
--- 
Enterprise Search Consultant at Sourcesense UK, 
Making Sense of Open Source
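
Added example, not part of the original thread and not Solr code: the request filter an intermediary in front of Solr could apply, which also covers Brian's original question by serving the DataImportHandler only to trusted source addresses. The handler paths, parameter allowlist, row cap and trusted networks are assumptions.

```python
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit

# Everything below is an assumption for illustration, not taken from the thread:
# handler paths, the parameter allowlist, the row cap and the trusted networks.
PUBLIC_HANDLERS = {"/solr/select"}
INTERNAL_HANDLERS = {"/solr/dataimport"}
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
ALLOWED_PARAMS = {"q", "fq", "start", "rows", "sort", "fl", "wt",
                  "facet", "facet.field", "facet.range", "facet.range.start",
                  "facet.range.end", "facet.range.gap"}
MAX_ROWS = 100


def is_trusted(client_ip):
    """True only for addresses inside TRUSTED_NETWORKS; unparsable input is untrusted."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def filter_request(method, url, client_ip):
    """Return (status, path_and_query_to_forward); the second item is None on refusal."""
    parts = urlsplit(url)
    # Exact match on the raw path: "/solr/select/../dataimport" matches nothing.
    if parts.path in INTERNAL_HANDLERS:
        if not is_trusted(client_ip):
            return 403, None
        return 200, parts.path + ("?" + parts.query if parts.query else "")
    if parts.path not in PUBLIC_HANDLERS:
        return 404, None
    if method != "GET":
        return 405, None
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in ALLOWED_PARAMS:
            continue  # dropped, so the query string cannot select other features
        if key == "rows":
            try:
                value = str(max(0, min(int(value), MAX_ROWS)))
            except ValueError:
                return 400, None
        kept.append((key, value))
    return 200, parts.path + "?" + urlencode(kept)
```

Pass the TCP peer address as client_ip, not a value taken from a request header, and keep the firewall rule Jan describes in place so that Solr's own port is reachable only from the intermediary.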