Reputation: 1731
Trying to secure Apache Solr 5.1 on my Ubuntu 14.04 server.
Mainly I am trying to figure out the best way to secure the web admin interface access to port 8983 (and any other ports I configure Solr on) with a user and password. But I may very well be missing some other important security measures, as my knowledge of Solr in general is still low, let alone for Solr 5.1.
I can secure the ports using iptables easily, but I still want to be able to have secure password access to the web admin portion whenever I need (as was done with previous Solr versions running with Tomcat or Jetty). Perhaps I simply need to configure the web.xml file or something?...
There are many examples out there for earlier Solr versions - these will not work as this version of Solr 5.1 does not rely on Jetty or Tomcat. There are also a lot of suggestions and questions out there that don't seem to be very helpful with this version so please be mindful of this when posting references and make sure you at least have some knowledge of Solr 5 before posting.
Thank you for your help! (I'm sure it will help others as well)
Upvotes: 1
Views: 1412
Reputation: 66
In Solr 5.2.1 simply adding the following line to "/var/solr/solr.in.sh":
SOLR_OPTS="$SOLR_OPTS -Djetty.host=127.0.0.1"
blocks all access to Solr from outside localhost. As I'm using Solr from within PHP code, this is exactly the behaviour I want.
You can always securely access the admin pages through an SSH tunnel, as was mentioned before!
Upvotes: 5
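A way to confirm that the bind setting from the answer above actually took effect, as an added example that is not part of the original thread. The function names and the sample `ss -ltn` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listeners on a TCP port that are NOT bound to loopback.
# Input is `ss -ltn` style text on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4
            # Split at the LAST colon; IPv6 addresses contain colons themselves.
            n = match(la, /:[0-9]+$/)
            if (n == 0 || substr(la, n + 1) != port) next
            addr = substr(la, 1, n - 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # strip IPv6 brackets
            sub(/%.*$/, "", addr)                        # strip scope id (%lo)
            # Loopback: 127.0.0.0/8, ::1, and IPv4-mapped 127.x (seen with Java)
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print la
        }'
}

# Exit 0: port is listening on loopback only. Exit 1: at least one exposed
# listener. Exit 2: nothing listens on the port (a stopped Solr is not "secure").
bound_to_loopback_only() {
    listeners=$(cat)
    printf '%s\n' "$listeners" |
        grep -Eq "^LISTEN[[:space:]].*:$1[[:space:]]" || return 2
    [ -z "$(printf '%s\n' "$listeners" | exposed_listeners "$1")" ]
}

# Constructed samples: before and after adding -Djetty.host=127.0.0.1
SAMPLE_BEFORE='LISTEN 0 50 *:8983 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_AFTER='LISTEN 0 50 [::ffff:127.0.0.1]:8983 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$s" | bound_to_loopback_only 8983; then
        echo "8983: loopback only"
    else
        echo "8983: exposed or not listening"
    fi
done
```

On the server itself, feed it live data with `ss -ltn | bound_to_loopback_only 8983` after restarting Solr.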
Reputation: 3474
Blocking the Solr port in the firewall is a good practice.
A secure method for accessing the web admin interface from a remote machine is by creating an SSH tunnel between the machines. You can then just point your browser at the tunnel port on the working machine to access the admin UI. In my opinion it is the preferable method over whitelisting of IP addresses in firewalls.
A second method is configuring a web server proxy that acts as an authenticator and then relays to the admin port on the Solr server once the proper access credentials have been provided. Basic auth is a robust technology and the authenticator can then also be configured to use other backends such as LDAP etc.
Upvotes: 1
Reputation: 1731
It seems that I am able to do this with iptables after all and just skip the password for now.
Here's what I did... (of course you'll do this for any port Solr is using and not just 8983)
sudo iptables -A INPUT -p tcp -s 127.0.0.0/8 --dport 8983 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8983 -j DROP
(Order is important in iptables - if you were to flip this around nothing would get through 8983)
Please don't ▲ this answer unless you're well schooled in Solr/Solr5 and can confirm that this is a secure option for the web interface. Though I can confirm that this works and has gotten me to stop pulling my hair out for now, I can not yet confirm that it is secure enough.
If you have a good password option for the web interface please post it.
Upvotes: 0