What are the security implications if Apache Solr runs without SSL?

If I restrict access to Solr with both Apache password protection and by restricting access to the server's own IP, is there any additional security benefit in configuring my search app to send its queries over HTTPS?
I am using an IP Access Handler in jetty.xml to restrict access based on IP.

See the Caveats section for Basic Authentication:
"Credentials are sent in plain text by default. It’s recommended to use SSL for communication when Basic authentication is enabled, as described in the section Enabling SSL."
Thus, for a secure installation, SSL must be used if Basic authentication is the only way that Solr's admin UI is protected.

Related

How can I write custom client certificate validation script with CloudFlare Access?

I use CloudFlare Access as a reverse proxy for my server, to protect it against denial-of-service attacks and for other benefits. I would like to protect access with mTLS, which can be configured with CloudFlare. However, the verification options there are quite limited: I can filter by common name or require a valid certificate.
One thing I could do is use a CloudFlare Worker alone to build a custom proxy; however, I would lose other benefits like the authentication from CloudFlare to my server using CloudFlare-signed JWT cookies.
How can I write a custom certificate validator without losing any other functionality?

haproxy configure Authentication and ACL

I'm new to the world of load balancing...
I heard about HAProxy and I wonder if I can achieve this objective (I haven't found it in the searches I've done so far):
- HAProxy receives an MQTT/HTTP connection with basic authentication (login/password) or token-based authentication
- HAProxy checks the credentials against a database (or LDAP)
- HAProxy manages access depending on the authenticated user
--> all users/credentials and ACLs should be stored in the database.
Is this possible? Does HAProxy have a system of custom plugins/add-ons to extend its behavior?
I found information about setting ACL lists directly in the configuration with a pre-existing list of logins/passwords (but not dynamically, even if cached afterwards).
Thanks a lot for your ideas.
I think this is only supported in HAProxy Enterprise:
The HAProxy Single Sign-On solution [...] is also compatible with Microsoft Active Directory or OpenLDAP servers.
https://www.haproxy.com/documentation/hapee/1-8r1/security/using-sso/
The only plugin I found is an HTTP request check to see if the user is authenticated on an arbitrary endpoint:
https://github.com/TimWolla/haproxy-auth-request
But it requires a specialized web app responding to those requests.

How to authenticate Apache Solr?

I am using an Apache Solr server and I want to secure it by enabling authentication and authorization. Is there any way to authenticate Solr apart from htaccess and ZooKeeper?
If you need to have the authentication inside Solr itself, your only existing, supported option is to use the built-in authentication and authorization through uploading a security.json file to Zookeeper. This supports Kerberos and basic http authentication.
There's also a hack based on extracting the bundled jetty and adding basic authentication to it before repackaging it again, but that will make each upgrade something that you have to handle specifically and make the same adjustments.
If you want to add any method outside of this, you're going to have to implement it yourself - either as a service in front of Solr (which is the usual way), or through extending Solr. The hard part about the last option is that if you're not going through the regular security.json configuration, you may forget to close down API endpoints.
By adding a service in front of Solr and configuring Solr to only bind to localhost - so that it's not accessible through the internet - you can customize and add any authentication and authorization you want to. But it will still require you to be careful if you want to control authorization and access to certain cores. If you want inter-node connectivity (sharding, SolrCloud, etc.) to still work, you'll have to account for that and allow Solr to bind to your local network IPs as well.
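As an added example (not code from either answer or from the Solr project), the following Python script ties the first answer's point that Basic credentials cross the network in clear to this answer's security.json route: it generates salted credential entries, assembles a security.json with blockUnknown set, and then shows that the Authorization header a client sends still carries the raw password, which is what SSL protects. The credential format is my assumption about Solr's Sha256AuthenticationProvider (confirm against your Solr version), and the user, password and role are constructed sample values.

```python
import base64
import hashlib
import json
import secrets
from typing import Dict, Optional, Tuple

# Assumption: Solr's Sha256AuthenticationProvider stores a credential as
# "<base64 sha256(sha256(salt + password))> <base64 salt>" with a 32-byte
# random salt. Check this against the Solr version you deploy.
def solr_credential(password: str, salt: Optional[bytes] = None) -> str:
    salt = secrets.token_bytes(32) if salt is None else salt
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()

def verify_credential(password: str, stored: str) -> bool:
    # Recompute with the stored salt and compare the full "<hash> <salt>" string.
    _hashed, salt_b64 = stored.split(" ", 1)
    candidate = solr_credential(password, base64.b64decode(salt_b64))
    return secrets.compare_digest(candidate, stored)

def build_security_json(users: Dict[str, Tuple[str, str]]) -> dict:
    """users maps name -> (password, role). blockUnknown rejects requests with
    no credentials instead of letting them reach endpoints no rule covers."""
    return {
        "authentication": {
            "blockUnknown": True,
            "class": "solr.BasicAuthPlugin",
            "credentials": {u: solr_credential(p) for u, (p, _r) in users.items()},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [{"name": "security-edit", "role": "admin"}],
            "user-role": {u: r for u, (_p, r) in users.items()},
        },
    }

# What the same password looks like on a plain HTTP connection: Basic auth is
# base64 encoding, not encryption, so the hashing above only protects the copy
# stored in ZooKeeper, never the credential in transit.
def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def credentials_from_header(header: str) -> Tuple[str, str]:
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

if __name__ == "__main__":
    cfg = build_security_json({"solr": ("SolrRocks", "admin")})  # constructed sample user
    print(json.dumps(cfg, indent=2))
    print(credentials_from_header(basic_auth_header("solr", "SolrRocks")))
```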

How to configure Windows (7/8/10) to use a proxy with authentication

I need to use certain software that connects with a server that allows connections only from whitelisted IPs. To solve this, I have a droplet with a fixed IP on DigitalOcean where I use Squid3 as a proxy. I configure my system to work through the proxy, and I tell the central server to whitelist that proxy server's IP.
Up to here all is great, but as I should have guessed, some people are using my proxy to send malicious packages, and now the server provider is telling me to get it sorted out, or they will cancel my account.
I added authentication to the proxy, and the attacks have stopped, since the attackers do not know the user/pass combination.
But now the problem I have is that I don't see any way to configure Windows to use authentication when connecting to the proxy! I am not talking just about HTTP requests, since the browsers allow for authentication. I am talking about some custom software that needs to communicate as well with this central server.
Is there any way to configure Windows so that it connects to the proxy passing the necessary username and password?

Kerberos Authentication for multi-tenant apache hosted Rails app

I would like to support a multi-tenant rails application with conditional support for Kerberos authentication by tenant.
The examples I've seen with mod_auth_kerb assume the apache server will reach out directly to the KDC for validating the ticket. In my case, I would like the server to have the client browser negotiate w/ the KDC and provide the appropriate ticket. I believe this is done by returning a 401 w/ www-negotiate header and the client browser will then call back with the ticket. The apache server would then just validate the ticket against the appropriate keytab. My understanding is I will need a keytab from each domain that will support Kerberos auth.
So, I think I can easily provide an "/auto_login" route that Apache then enforces Kerberos on. However, I'm not quite sure how to have Apache choose the right keytab; e.g. if I hit /auto_login?client=abc to validate against ABC's keytab.
I currently use Devise. A custom strategy (Devise ignoring custom strategy) would be nice, but it seems I have the same issue in configuring the Krb5 gem (unsupported now?) to handle multiple keytabs and determine which to validate against.
How many distinct realms do you have? mod_auth_kerb works fine with multiple realms, as long as their KDCs are capable of validating the trust relationship and issuing cross-realm TGTs, and your krb5.conf configuration does proper mapping to those realms.
If you are able to establish cross-realm trusts between the realms, then the problem will be already solved -- just specify all accepted realms in mod_auth_kerb's configuration:
KrbAuthRealms CUSTA.COM CUSTB.COM WHATEVER.COM