I place Apache Solr behind Apache httpd with a pure HTTP reverse proxy, since most of the time it will be used as an API. I use mod_auth_cas to protect the general /solr URL, requiring a login that refers to our common Jasig CAS server, which in turn connects to our Microsoft Active Directory.
For each core, I reverse proxy the select update handler, and any others that are needed under what are somewhat self-descriptive URLs. In the sample <Location ...> configuration below, please understand that I've hidden the actual allowed IP address and mask appropriately.

<Location /search/learningresources>
    ProxyPass http://127.0.0.1:8983/solr/learningresources/select
    ProxyPassReverse http://127.0.0.1:8983/solr/learningresources/select
    Options -MultiViews
    Order allow,deny
    Allow from 999.999.999.999/24 127.0.0.1
</Location>

I believe you can do all this within Jetty, but I and my system administrators know and trust Apache httpd.

-----Original Message-----
From: Scott Derrick [mailto:sc...@tnstaafl.net]
Sent: Saturday, August 15, 2015 7:16 PM
To: solr-user@lucene.apache.org
Subject: Admin Login

I'm somewhat puzzled there is no built-in security. I can't imagine anybody is running a public-facing Solr server with the admin page wide open?

I've searched and haven't found any solutions that work out of the box.

I've tried the solutions here to no avail. https://wiki.apache.org/solr/SolrSecurity

and here. http://wiki.eclipse.org/Jetty/Tutorial/Realms

The Solr security docs say to use the application server, and if I could run it on my Tomcat server I would already be done. But I'm told I can't do that?

What solutions are people using?

Scott

--
Leave no stone unturned.
Euripides
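
A check that an httpd configuration following the pattern in the reply exposes only the intended Solr handlers and restricts who can reach them, as an added example that is not part of the original thread. The sample configuration, the 192.0.2.0/24 range, the `ALLOWED_HANDLERS` set and the `audit` function are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample config; 192.0.2.0/24 is a documentation range, not the poster's.
SAMPLE_CONF = """
<Location /search/learningresources>
    ProxyPass http://127.0.0.1:8983/solr/learningresources/select
    ProxyPassReverse http://127.0.0.1:8983/solr/learningresources/select
    Order allow,deny
    Allow from 192.0.2.0/24 127.0.0.1
</Location>
<Location /search/everything>
    ProxyPass http://127.0.0.1:8983/solr
</Location>
"""

ALLOWED_HANDLERS = {"select"}  # assumption: only the query handler should be reachable

LOCATION_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)
PROXY_RE = re.compile(r"^\s*ProxyPass\s+(\S+)", re.M | re.I)  # skips ProxyPassReverse
ACL_RE = re.compile(r"^\s*(Allow\s+from|Require)\s+(.+)$", re.M | re.I)


def audit(conf_text):
    """Return (location_path, problem) tuples for risky Solr proxy blocks."""
    findings = []
    for path, body in LOCATION_RE.findall(conf_text):
        for target in PROXY_RE.findall(body):
            parts = [p for p in urlparse(target).path.split("/") if p]
            if not parts or parts[0] != "solr":
                continue  # backend is not Solr
            # Everything after /solr/<core>/ is the handler; empty means the
            # whole webapp or a whole core, admin pages included, is proxied.
            handler = "/".join(parts[2:])
            if handler not in ALLOWED_HANDLERS:
                findings.append((path, "proxies %s, which is not an allowed handler" % target))
        # An access rule must exist and must not be an allow-everyone rule.
        acls = [value.strip().lower() for _, value in ACL_RE.findall(body)]
        if not acls or any(v in ("all", "all granted") for v in acls):
            findings.append((path, "no IP or user restriction"))
    return findings


if __name__ == "__main__":
    for location, problem in audit(SAMPLE_CONF):
        print(location, "-", problem)
```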