Problem
You want to use SolrPlugin with a solr instance running on a remote server in tomcat.
Context
Solr itself does not offer any security or access controls.
SolrPlugin reproduces Foswiki access controls by maintaining ACL metadata in the solr schema. To avoid leaking sensitive information that may be held in Foswiki, when running solr on a remote server, ensure that tomcat is configured to allow only Foswiki (via the SolrPlugin rest handler) to make queries.
You should implement several strategies to avoid your remote solr installation leaking data:
- firewall the tomcat port (e.g. 8080) so that only a minimal list of hosts (perhaps only your foswiki server) may access it
- introduce a security role & tomcat user that foswiki will authenticate itself as
- configure tomcat to only allow connections from the foswiki server
- configure SolrPlugin & tomcat to run solr over SSL
Solution
This is written from memory for an Ubuntu 10.04 environment
- sudo apt-get install solr-tomcat
- Added to /etc/tomcat6/tomcat-users.xml:
    <role rolename="foswikiservice"/>
    <user username="wiki" password="secret" roles="foswikiservice"/>
- sudo mkdir /etc/tomcat6/Catalina/solrserver.org
- sudo cp /etc/tomcat6/Catalina/localhost/ROOT.xml /etc/tomcat6/Catalina/solrserver.org/
- sudo rm /etc/tomcat6/Catalina/localhost/solr.xml
- sudo ln -s /etc/solr/solr-tomcat.xml /etc/tomcat6/Catalina/solrserver.org/solr.xml
- sudo cp /path/to/SolrPlugin/.../schema.xml /etc/solr/conf/ (back up the existing file first if you wish)
- sudo cp /path/to/SolrPlugin/.../solrconfig.xml /etc/solr/conf/ (back up the existing file first if you wish)
- sudo cp /path/to/SolrPlugin/.../typemap.txt /etc/solr/conf/
- sudo mkdir -p /var/lib/tomcat6/solr/data && sudo chown -R tomcat6:tomcat6 /var/lib/tomcat6/solr
- Added to /etc/solr/web.xml (inside the existing <web-app> element):
    ...
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>solr</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- Deliberately no <http-method> elements: a constraint that names
             only GET and POST applies to those two methods alone and leaves
             HEAD, PUT, DELETE, OPTIONS etc. unprotected. Omitting the element
             covers every method. -->
      </web-resource-collection>
      <auth-constraint>
        <role-name>foswikiservice</role-name>
      </auth-constraint>
      <user-data-constraint>
        <!-- CONFIDENTIAL forces the request onto the SSL connector -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>ROBOTS ONLY</realm-name>
    </login-config>
    <security-role>
      <description>foswiki service droid</description>
      <role-name>foswikiservice</role-name>
    </security-role>
    </web-app>
- keytool -genkey -alias foswikisolr -keyalg RSA -keystore ~/.keystore -storepass keysecret -validity 1000 -keysize 2048 && sudo cp ~/.keystore /usr/share/tomcat6/ && sudo chown tomcat6:tomcat6 /usr/share/tomcat6/.keystore && sudo chmod 600 /usr/share/tomcat6/.keystore (keytool options take a single dash; the chown/chmod keep the private key readable by the tomcat6 user only)
- Added to /etc/tomcat6/server.xml:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" URIEncoding="UTF-8"
               clientAuth="false" sslProtocol="TLS" keyAlias="foswikisolr"
               keystoreFile="/usr/share/tomcat6/.keystore" keystorePass="keysecret" />
    <!-- keystoreFile is where the keystore was copied above; without it
         Tomcat looks for .keystore in the home of the user it runs as -->
    ...
    <Engine ...
    ...
    <Host name="solrserver.org" appBase="webapps"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="solrserver_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
      <!-- ip address of the Foswiki server. In Tomcat 6 "allow" is a list of
           regular expressions, so the dots are escaped to match literally -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="123\.123\.123\.123"/>
    </Host>
- Use https://wiki:secret@solrserver.org:8443/solr as the solr url in the SolrPlugin config
Current LWP versions (which means anyone running perl 5.12 or later) will fail with "cannot ping solr server" when the solr server is using a self-signed cert, because LWP now verifies the server certificate. The cert must be trusted by the client.
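As an added example (not part of the original recipe), a shell function that audits the AccessLogValve log configured above for /solr requests that slipped past the intended controls: requests from a client other than the Foswiki server, requests Tomcat rejected (401/403), and requests served without the service login. The Foswiki address 123.123.123.123, the user name wiki and the log lines are assumed or constructed values based on this recipe.

```shell
#!/bin/sh
# Audit a Tomcat AccessLogValve log (pattern="common") for suspicious
# requests to /solr. Assumed values taken from the recipe on this page.
FOSWIKI_IP="123.123.123.123"   # the address allowed by RemoteAddrValve
SERVICE_USER="wiki"            # the user defined in tomcat-users.xml

# audit_solr_log LOGFILE
# Prints one line per suspicious /solr request, prefixed with the reason.
audit_solr_log() {
    awk -v ok_ip="$FOSWIKI_IP" -v ok_user="$SERVICE_USER" '
        # common pattern fields: 1=client 2=ident 3=user 4-5=[date]
        # 6="METHOD 7=path 8=PROTO" 9=status 10=bytes
        $7 ~ /^\/solr/ {
            reason = ""
            if ($1 != ok_ip)
                reason = "foreign client " $1
            else if ($9 == 401 || $9 == 403)
                reason = "rejected with " $9
            else if ($3 != ok_user)
                reason = "served without service login (" substr($6, 2) ")"
            if (reason != "") print reason ": " $0
        }' "$1"
}

# Constructed sample log for this example (not real traffic). The last line
# is the kind of entry a security-constraint limited to GET and POST lets
# through: an unauthenticated HEAD request answered with 200.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
123.123.123.123 - wiki [12/Mar/2012:10:01:02 +0000] "GET /solr/select?q=WebHome HTTP/1.1" 200 1532
123.123.123.123 - wiki [12/Mar/2012:10:01:03 +0000] "POST /solr/update HTTP/1.1" 200 41
10.0.0.7 - - [12/Mar/2012:10:05:44 +0000] "GET /solr/select?q=*:* HTTP/1.1" 403 0
123.123.123.123 - - [12/Mar/2012:10:06:10 +0000] "GET /solr/admin/ HTTP/1.1" 401 0
123.123.123.123 - - [12/Mar/2012:10:07:00 +0000] "HEAD /solr/select?q=secret HTTP/1.1" 200 0
EOF

audit_solr_log "$SAMPLE_LOG"   # prints three flagged lines
```

Point the function at /var/log/tomcat6/solrserver_access_log.*.txt on the real server; a steady stream of "foreign client" lines means the firewall rule on the tomcat port is not doing its job.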
Known Uses
Known Limitations
- This needs re-writing to something more legible for infrequent/beginner tomcat users
- The RemoteAddrValve can alternatively be put in the solr app's <Context...> directive rather than in the <Host>
- LWP 6 (libwww-perl) can't cope with self-signed certificates, out-of-the-box. See instructions above for trusting your self-signed cert
See Also