Configuring (and securing) a remote solr-tomcat server for SolrPlugin

  • Tip Category - Using Extensions
  • Tip Added By - PaulHarvey - 02 Mar 2011 - 04:15
  • Extensions Used - SolrPlugin
  • Useful To - Experts
  • Tip Status - Outdated
  • Related Topics -
WARNING: This best practice is outdated. Please rework.

Problem

You want to use SolrPlugin with a solr instance running on a remote server in tomcat.

Context

Solr itself does not offer any security or access controls. SolrPlugin reproduces Foswiki access controls by maintaining ACL metadata in the solr schema. To avoid leaking sensitive information held in Foswiki when solr runs on a remote server, ensure that tomcat is configured so that only Foswiki (via the SolrPlugin rest handler) can make queries.

You should implement several strategies to avoid your remote solr installation leaking data:
  • firewall the tomcat port (e.g. 8080) so that only a minimal set of hosts (perhaps only your foswiki server) may access it
  • introduce a security role & tomcat user that foswiki will authenticate itself as
  • configure tomcat to only allow connections from the foswiki server
  • configure SolrPlugin & tomcat to run solr over SSL

Solution

This is written from memory for an Ubuntu 10.04 environment.
  • sudo apt-get install solr-tomcat
  • Added to /etc/tomcat6/tomcat-users.xml
    <role rolename="foswikiservice"/>
    <user username="wiki" password="secret" roles="foswikiservice"/>
  • sudo mkdir /etc/tomcat6/Catalina/solrserver.org
  • sudo cp /etc/tomcat6/Catalina/localhost/ROOT.xml /etc/tomcat6/Catalina/solrserver.org/
  • sudo rm /etc/tomcat6/Catalina/localhost/solr.xml
  • sudo ln -s /etc/solr/solr-tomcat.xml /etc/tomcat6/Catalina/solrserver.org/solr.xml
  • sudo cp /path/to/SolrPlugin/.../schema.xml /etc/solr/conf/ (back up the existing file first if you wish)
  • sudo cp /path/to/SolrPlugin/.../solrconfig.xml /etc/solr/conf/ (back up the existing file first if you wish)
  • sudo cp /path/to/SolrPlugin/.../typemap.txt /etc/solr/conf/
  • sudo mkdir -p /var/lib/tomcat6/solr/data && sudo chown -R tomcat6:tomcat6 /var/lib/tomcat6/solr
  • Added to /etc/solr/web.xml
    ...
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>solr</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>foswikiservice</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>ROBOTS ONLY</realm-name>
        </login-config>
        <security-role>
            <description>foswiki service droid</description>
            <role-name>foswikiservice</role-name>
        </security-role>
    </web-app>

  • keytool --genkey --alias foswikisolr --keyalg RSA -keystore ~/.keystore -storepass keysecret -validity 1000 -keysize 2048 && sudo cp ~/.keystore /usr/share/tomcat6/
  • Added to /etc/tomcat6/server.xml
          <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" URIEncoding="UTF-8"
             clientAuth="false" sslProtocol="TLS" keyAlias="foswikisolr"
             keystorePass="keysecret" />
          ...
          <Engine ...
          ...
             <Host name="solrserver.org"  appBase="webapps"
                   unpackWARs="true" autoDeploy="true"
                   xmlValidation="false" xmlNamespaceAware="false">
                   <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
                      prefix="solrserver_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
                   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                    allow="123.123.123.123"/> <!-- ip address of Foswiki server -->
             </Host>
    
  • Use https://wiki:secret@solrserver.org:8443/solr as solr url in SolrPlugin config
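As an added check (example code written for this page, not part of the original tip or of SolrPlugin), the script below parses web.xml and server.xml fragments for the settings the steps above rely on and reports anything that weakens them; the embedded XML samples are constructed, and the ports and the 123.123.123.123 address are the tip's own placeholders. It also flags one caveat the tip does not mention: under Servlet 2.5 (Tomcat 6) a constraint that lists http-method elements only applies to those verbs, so omitting the list is the safer form.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments (not real files) mirroring the tip's settings.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>solr</web-resource-name>
    <url-pattern>/*</url-pattern><http-method>GET</http-method>
    <http-method>POST</http-method></web-resource-collection>
  <auth-constraint><role-name>foswikiservice</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config></web-app>"""

SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"/>
  <Engine name="Catalina"><Host name="solrserver.org" appBase="webapps">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="123.123.123.123"/></Host></Engine></Service></Server>"""

def audit_web_xml(text):
    # Returns a list of findings for solr's web.xml; an empty list means ok.
    out = []
    root = ET.fromstring(text)
    cons = [c for c in root.iter("security-constraint")  # /* covers all handlers
            if c.findtext("web-resource-collection/url-pattern") == "/*"]
    if not cons:
        return ["no security-constraint covers url-pattern /*"]
    c = cons[0]
    if c.find("auth-constraint/role-name") is None:
        out.append("/* is not tied to a role: anonymous queries are allowed")
    if c.findtext("user-data-constraint/transport-guarantee") != "CONFIDENTIAL":
        out.append("transport-guarantee is not CONFIDENTIAL: BASIC credentials in clear")
    methods = [m.text for m in c.iter("http-method")]
    if methods:  # Servlet 2.5 (Tomcat 6) constrains only the verbs listed.
        out.append("http-method list %s leaves other verbs unconstrained" % methods)
    return out

def audit_server_xml(text):
    # Returns findings for Connector and per-Host valve settings in server.xml.
    out = []
    root = ET.fromstring(text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled") != "true":  # still listening in clear text
            out.append("plain-HTTP connector on port %s must be firewalled"
                       % conn.get("port"))
    for host in root.iter("Host"):
        valves = [v for v in host.iter("Valve")
                  if v.get("className", "").endswith("RemoteAddrValve")]
        if not any(v.get("allow") for v in valves):
            out.append("Host %s has no RemoteAddrValve allow list" % host.get("name"))
    return out
```

Run it against the real /etc/solr/web.xml and /etc/tomcat6/server.xml contents instead of the samples to check a live install.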

Trusting the self-signed cert created with keytool

Current LWP versions (which means anyone running perl 5.12 or later) will fail with "cannot ping solr server" when the solr server is using a self-signed cert.

The cert must be trusted by the client.

  • Export the cert as .pem: keytool -exportcert -rfc -alias foswikisolr -file ~/solrserver.org.crt -keystore /usr/share/tomcat6/.keystore
  • Copy the .crt file to the solr client (Foswiki server)
  • Install the .crt so that it is trusted by the solr client (Foswiki server)
    • On Debian/Ubuntu:
      sudo cp ~/solrserver.org.crt /usr/local/share/ca-certificates && sudo update-ca-certificates
  • If you get "can't ping solr" errors, and hitting the solr server with curl yields an error like
    curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
    you may have run into this openssl 1.0.0 bug. A work-around is to restrict tomcat's allowed ciphers.

Known Uses

Known Limitations

  • This needs re-writing to something more legible for infrequent/beginner tomcat users
  • Can put the RemoteAddrValve in the solr app's <Context...> directive
  • LWP 6 (libwww-perl) can't cope with self-signed certificates, out-of-the-box. See instructions above for trusting your self-signed cert

See Also

Topic revision: r9 - 20 Apr 2015, MichaelDaum