
My primary issue is with a HelioSearch Solr instance, but I've included Tomcat as it's possible that's all I need to change; I'm a Tomcat NOOB too.

Solr has a pretty full-fledged REST API, possibly too expansive: it's a known issue (SOLR1523) that you can delete an entire Solr collection via a non-authenticated HTTP GET request: http://localhost:8983/solr/update?commitWithin=10&stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E

Until a fix is released, can't I change some configuration on the Solr or Tomcat side to do one of the following (from best case to worst)?

  1. Establish a filter for each endpoint/HTTP verb pointing to an AuthN/AuthZ provider (ZooKeeper/CXF? I'm not sure how they work yet either)
  2. Specify an IP whitelist filter with environment variables
  3. Specify an IP whitelist filter hardcoded

I need the update? endpoint for feeding new data into the collection, but I only need to POST that data, so there's a 4th option: remove/block the GET endpoint (even if it was via some hacky routing/overloading/eclipsing method). Or, even grosser, can the Coyote part of Tomcat look for the string "delete"? Yuk, but I'm desperate.

I know the Solr project doesn't concern itself with security, but even with a behind-the-firewall solution there are too many users that are foolish or silly.

David

2 Answers


Unless you are a system administrator with experience in this, your best bet is to not expose Solr at all. Use a client instead. Something like Spring-Data-Solr is quite simple.

You can see an example of it as used for auto-complete functionality on the Solr Start resource website for JavaDoc search.

You still want to protect Solr, of course, but now you can co-host it with the app and make Tomcat/Jetty listen on localhost only. Or you can set up a separate firewall rule between Solr and the client app.

Alexandre Rafalovitch
  • Any WAN access will definitely be protected via a proxy, but how do I not expose Solr within the LAN environment? How do I tell Tomcat to listen on localhost only? Thanks! – David Dec 03 '14 at 19:24
  • If you bind Tomcat on 127.0.0.1/localhost, it will listen to that special address only and not on anything public. http://stackoverflow.com/questions/6809968/how-to-block-access-to-tomcat-listening-port-and-allow-localhost-only – Alexandre Rafalovitch Dec 04 '14 at 20:34
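An added example to go with this answer and its comments (it is not Alexandre Rafalovitch's code and not part of the original thread): in Tomcat's server.xml, a `<Connector>` element without an `address` attribute, or with `address="0.0.0.0"`, accepts connections on every interface; adding `address="127.0.0.1"` restricts it to the loopback address, which is the change the comment describes. The script below audits a server.xml fragment for connectors that are still reachable from other hosts, and checks an `ss -ltn` listing after a restart to confirm nothing on the Tomcat or Solr port is still bound to a wildcard address. The server.xml fragment, the socket listing and the port numbers are constructed sample data, not taken from the question's host.

```shell
#!/bin/sh
# Added example (not from the original answer): audit where a Tomcat HTTP
# connector is bound. In server.xml, a <Connector> element with no address
# attribute, or with address="0.0.0.0", listens on every interface; adding
# address="127.0.0.1" is what the answer recommends. The server.xml fragment
# and the `ss -ltn` listing below are constructed sample data, not output
# from a real host.

SAMPLE_SERVER_XML=$(cat <<'EOF'
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  <Connector port="8983" protocol="HTTP/1.1" address="0.0.0.0" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
</Service>
EOF
)

SAMPLE_SS_OUTPUT=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      100    127.0.0.1:8983      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
EOF
)

# Read server.xml on stdin and print "port address" for every Connector that
# other hosts can reach. Assumes each Connector's attributes sit on one line,
# as in the stock server.xml.
public_connectors() {
    grep '<Connector' | while IFS= read -r line; do
        port=$(printf '%s\n' "$line" | sed -n 's/.*port="\([0-9]*\)".*/\1/p')
        addr=$(printf '%s\n' "$line" | sed -n 's/.*address="\([^"]*\)".*/\1/p')
        case "$addr" in
            ''|0.0.0.0|'::'|'::0') printf '%s %s\n' "$port" "${addr:-<none>}" ;;
        esac
    done
}

# Read `ss -ltn` output on stdin and print the ports that are listening on a
# wildcard address, i.e. the ones still reachable from the LAN after the
# config change. Run this after restarting Tomcat to confirm the new binding.
wildcard_listeners() {
    awk 'NR > 1 {
        n = split($4, parts, ":"); port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") print port
    }'
}

echo "Connectors reachable from other hosts (port address):"
printf '%s\n' "$SAMPLE_SERVER_XML" | public_connectors
echo "Ports listening on a wildcard address:"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners
```

On a real host, replace the sample data with `public_connectors < /path/to/conf/server.xml` and `ss -ltn | wildcard_listeners`; an empty result from both is what you want before trusting that Solr is only reachable through the co-hosted client. The connector audit is deliberately line-based, so a Connector element split across several lines would need a proper XML parser instead.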

If you are using Linux, iptables can take care of this for you. In the iptables rules, allow traffic to the Tomcat port from your local IP, and drop everything else connecting to that port.

adamM
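An added example for this answer (it is not adamM's own ruleset and not part of the original thread): a script that prints the iptables rules the answer describes for the Tomcat port, accepting the loopback interface and one allowed client and dropping everything else, and a check that an existing `iptables -S INPUT` listing has the DROP rule after the ACCEPT rules, since iptables matches in order and a DROP listed first would shut out the allowed client as well. A LOG rule is placed before the DROP so blocked connection attempts are visible in the kernel log. The port, the client address and the two rule listings are assumptions and constructed sample data chosen for illustration.

```shell
#!/bin/sh
# Added example (not adamM's own rules): generate the iptables rules the
# answer describes for the Tomcat/Solr port and check that an existing
# ruleset has them in a safe order. The script only prints commands; apply
# them as root on the Solr host, and persist them with your distribution's
# mechanism (iptables-save, or a firewall package) so they survive a reboot.
# The port, the client address and the `iptables -S INPUT` listings are
# assumptions and constructed sample data chosen for illustration.

# Print the rules for TCP port $1: accept connections from the loopback
# interface and from the single allowed client $2, log any other new
# connection attempt (so probes show up in the kernel log), then drop it.
solr_port_rules() {
    port=$1
    client=$2
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport $port -s $client -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j LOG --log-prefix "solr-blocked: "
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# Read `iptables -S INPUT` output on stdin and report whether the DROP rule
# for port $1 is listed after every ACCEPT rule for it. Rules are matched in
# order, so a DROP that comes first also shuts out the allowed client.
check_rule_order() {
    awk -v port="$1" '
        $0 ~ ("--dport " port "( |$)") {
            if ($0 ~ /-j ACCEPT/ && seen_drop) bad = 1
            if ($0 ~ /-j DROP/) seen_drop = 1
        }
        END { print (bad ? "misordered" : "ok") }'
}

SAMPLE_RULES_OK=$(cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.1.20/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
EOF
)

SAMPLE_RULES_BAD=$(cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -s 192.168.1.20/32 -p tcp -m tcp --dport 8080 -j ACCEPT
EOF
)

echo "Rules to apply for Tomcat on port 8080, client 192.168.1.20:"
solr_port_rules 8080 192.168.1.20
echo "Order check, good ruleset: $(printf '%s\n' "$SAMPLE_RULES_OK" | check_rule_order 8080)"
echo "Order check, bad ruleset:  $(printf '%s\n' "$SAMPLE_RULES_BAD" | check_rule_order 8080)"
```

Review the printed commands, then run them as root; afterwards `iptables -S INPUT | check_rule_order 8080` should print `ok`. Note that this only covers the INPUT chain of the Solr host itself, so the rules need to be on the machine running Tomcat, not on the client.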