Restricting Solr Queries to Web Application - apache

I have an instance of Solr (not SolrCloud) installed on my server, Apache/2.4.7 (Ubuntu), and would like to use it with a PHP web application. I have password protected the admin page, but queries can still be run remotely. I want to restrict my Solr app so that it can only be queried (both read and write) by a web application (PHP, with Solarium) stored on the same server. What is the best way to do this?

This is more of a server administration question, so it would be better suited to Superuser. That being said, you have a few options:
1. Make Solr listen for connections on the internal or loopback interface only. This would be 127.0.0.1 or 192.168/16 etc. In solr.in.sh, you can send a parameter to Solr to tell it which IP it should bind to: SOLR_OPTS="$SOLR_OPTS -Djetty.host=127.0.0.1"
2. Configure your firewall to only allow connections from IPs that should be able to access Solr.
3. Configure Solr Authentication and Authorization. ZooKeeper is required to make this work (you'll have to be running in SolrCloud mode).
4. Unpack the bundled Jetty and set up authentication there. This is not really a good idea, as it will make it harder to upgrade.
The methods suggested in 1 & 2 can also be combined with a proxying / forwarding web server that performs authentication in front of the service (using mod_proxy and friends on other httpds) if you need the service to be exposed through a non-trusted interface.

Is nginx needed if Express used

I have a Node.js web application with Express running on a Digital Ocean droplet. The Node.js application provides back-end APIs. I have two React front-ends that utilise the APIs with different domains. The front-ends can be hosted on the same server, but my developer tells me I should use another server to host the front-ends, such as Cloudflare.
I have read that nginx can enable hosting multiple sites on the same server (i.e. host my front-ends on the same server) but am unsure if this is good practice as I then may not be able to use Cloudflare.
In terms of security, could someone tell me if I need nginx, and my options please?
Thanks
This is a way too open-ended question, but I will try to answer it:
> In terms of security could someone tell me if I need nginx, and my options please?
You will need Nginx (or Apache) in any scenario, with one server or multiple, using Express or not. Express is only an application framework to build routes, but you still need a service that will respond to network requests; this is what Nginx and Apache do. You could avoid using Nginx, but then your users would have to make the request directly to the port where you started Express, for example http://my-site.com:3000/welcome. In terms of security you would do better to hide the port number and use an Nginx reverse proxy, so that your users only need to go to http://my-site.com/welcome.
> my developer tells me I should use another server to host the front-ends, such as cloudflare
Cloudflare does not offer hosting services as far as I know. It does offer a CDN to host a few files, but not a full site. You would need another Digital Ocean instance to do so. In a Cloudflare forum post I found: "Cloudflare is not a host. Cloudflare's basic service is a DNS provider, where you simply point to your existing host."
> I have read that nginX can enable hosting multiple sites on the same server
Yes, Nginx (and Apache too) can host multiple sites, with different names or the same, as domains (www.my-backend.com, www.my-frontend.com) or subdomains (www.backend.my-site.com, www.my-site.com) on the same server.
> ... but unsure if this is good practice
Regardless of whether it is a good or bad practice, I think it is very common. A few valid reasons to keep them on separate servers would be:
- Because you want the back-end API to keep working if the front-end fails.
- Because you want to balance network traffic.
- Because you want to keep them separated.
It is definitely not a bad practice if both applications are highly related.

How to have basic authentication enabled for Solr but exclude requests from localhost from authentication?

I have Solr 6.6 running via Jetty.
I have successfully enabled basic authentication by modifying etc/jetty.xml and etc/webdefault.xml (this question).
I could also restrict access to Solr based on IP address by adding IPAccessHandler around the ContextHandlerCollection (this question).
But what I want to achieve is to require authentication for requests coming from all external IPs, except requests coming from localhost (127.0.0.1). Localhost should be able to access the Solr REST APIs without any authentication.
I think that I need to set up Jetty to run 2 servers or 2 virtual hosts, but I can't figure out exactly how. Obviously the 2 servers (or virtual hosts) should be connected to the same Solr instance.
P.S.: It's acceptable if the requests from localhost that need to be served without authentication have to be sent on a different port.
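As an added example (not code from either post above), this Apache 2.4 vhost implements the proxy-with-authentication approach from the first answer and the localhost-exempt rule asked for in this question: Solr is bound to loopback via solr.in.sh, and the proxy lets loopback clients through without a password while everyone else needs Basic auth. The host name, port and file paths are placeholders, and mod_proxy, mod_proxy_http, mod_auth_basic, mod_authn_file, mod_authz_core and mod_authz_host are assumed to be enabled.

```apache
# Solr side (solr.in.sh): SOLR_OPTS="$SOLR_OPTS -Djetty.host=127.0.0.1"
# so only this proxy (and a local PHP/Solarium app) can reach port 8983.
<VirtualHost *:80>
    ServerName solr.example.com
    # In production put this block under the HTTPS vhost: Basic auth sends
    # credentials in the clear otherwise.

    # Never act as an open forward proxy; only the mapping below is exposed.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        /solr http://127.0.0.1:8983/solr
    ProxyPassReverse /solr http://127.0.0.1:8983/solr

    <Location /solr>
        AuthType Basic
        AuthName "Solr"
        # Created with: htpasswd -c /etc/apache2/solr.htpasswd <user>
        AuthUserFile /etc/apache2/solr.htpasswd
        # Either condition grants access: loopback clients skip the password,
        # every other client must present valid credentials.
        <RequireAny>
            Require ip 127.0.0.1 ::1
            Require valid-user
        </RequireAny>
    </Location>

    # "Require ip" checks the TCP peer address. Do not enable mod_remoteip's
    # RemoteIPHeader here unless a trusted upstream proxy sets that header,
    # or a remote client could claim to be 127.0.0.1.

    # Record the authenticated user (%u) per request for auditing.
    LogFormat "%h %u %t \"%r\" %>s %b" solrlog
    CustomLog /var/log/apache2/solr_access.log solrlog
</VirtualHost>
```

The first question's PHP application on the same host can keep talking to 127.0.0.1:8983 directly; the proxy only matters for clients that arrive on a non-trusted interface.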

Kerberos & Load Balancer

We are currently running a PHP application on Apache httpd with mod_auth_kerb for SSO. We'd like to scale it to multiple hosts and make it highly available while we are at it.
Generally, HAProxy seems to be the recommended tool for this task, so I'll refer to it for the rest of the post (I am open to alternatives here though). I haven't been able to find a way to combine HAProxy with Kerberos-based SSO; this seems to only be available for commercial load balancers (F5 for example).
We do not need the actual Kerberos ticket on the web servers; it's literally just for authentication. Is there a way to have HAProxy authenticate users via Kerberos and just pass the sAMAccountName as a header to the web servers? Alternatively, full passthrough would work as well of course.

Using mod_security, either with Apache 2.4 or with mod_proxy as a reverse proxy

I would like to set up mod_security as a stand-alone instance protecting Tomcat instances against web application attacks. Would anyone know the pros and cons of doing this via installing mod_security as an Apache module versus installing mod_security on a reverse proxy? Has anyone implemented mod_security in either of these fashions? And if so, is one preferred over the other?
There's really no difference between your two options. What non-reverse-proxy would you install the module on to protect Tomcat?
The question doesn't really make sense, as they are both the same to you.
If you already have an Apache server, then you install ModSecurity in one of two ways:
1. In embedded mode, by installing ModSecurity as a module in the existing Apache instance you already have. The advantages are that you won't have to set up a separate Apache instance, and that ModSecurity will have access to the environment that Apache runs under (so it can see environment variables, for example, or log to the same log files).
2. In reverse proxy mode. This involves setting up a separate Apache instance with ModSecurity on it only, and funnelling all requests through it before sending them on to your normal Apache. The advantage here is a dedicated web server just for ModSecurity, so you will not share resources with your existing Apache if it is already resource hungry. The disadvantages are that it doubles your infrastructure, with the complications that brings.
Personally I prefer option 1.
However, as you want to set up a dedicated web server in front of Tomcat, the two options are identical for you. The new instance of Apache (or Nginx) that you set up will be running it in embedded mode and will act as a reverse proxy to your Tomcat server.
Personally, I always think it's best to run a dedicated web server like Apache in front of any app server like Tomcat, especially on a public-facing website. Granted, Tomcat does include a pretty good web server (called Coyote), which may serve most of your web server needs, but a dedicated web server like Apache is more geared towards serving static content and contains other features for performance and security which make it a better endpoint server (including the ability to run ModSecurity, for example!).
And just in case there is any confusion, Apache is actually short for Apache HTTP Server, and is sometimes called Apache httpd after the process that it runs. It is Apache's most popular bit of software, hence why the name gets shortened, but Apache actually has lots of bits of software (including Apache Tomcat, usually shortened to just Tomcat).
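The layout the answer lands on, as an added example rather than the answer's own configuration: a dedicated Apache 2.4 instance with ModSecurity 2.x loaded in embedded mode, acting as a reverse proxy for Tomcat on the same host. It assumes mod_security2, mod_unique_id, mod_proxy and mod_proxy_http are enabled and that the OWASP Core Rule Set is unpacked under /etc/modsecurity/crs; that path, the host name and the log paths are placeholders.

```apache
<IfModule security2_module>
    # Roll out with "DetectionOnly" first, review the audit log, then switch to On.
    SecRuleEngine On
    # Inspect request bodies (POST forms, JSON); leave response bodies alone to save CPU.
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    # Audit only transactions that were blocked or errored, not every request.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log
    # Scratch and persistent-collection storage for the engine.
    SecTmpDir /tmp/
    SecDataDir /tmp/
    # Core Rule Set: setup file first, then the rules.
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf
</IfModule>

<VirtualHost *:80>
    ServerName app.example.com

    # Forward-proxying stays off; only the explicit mappings below are exposed.
    ProxyRequests Off
    ProxyPreserveHost On

    # Static assets are served by Apache itself (the answer's point about a
    # dedicated web server). The exclusion must precede the catch-all ProxyPass.
    ProxyPass /static/ !
    Alias /static/ /var/www/app/static/
    <Directory /var/www/app/static>
        Require all granted
    </Directory>

    # Everything else goes to Tomcat's HTTP connector on loopback.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    ErrorLog  /var/log/apache2/app_error.log
    CustomLog /var/log/apache2/app_access.log combined
</VirtualHost>
```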

SVN server with Apache or Windows service

I have to configure an SVN server. I am evaluating two approaches:
1. With Apache.
2. Without Apache, as an OS (Windows) service.
If I go with Apache, I will have browser-level access too, which I consider an added advantage.
What approach should I take?
You want Apache: your flexibility and options for logging, authentication and authorization are way richer.
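To make the answer concrete, here is an added example (not the answerer's configuration) of Apache 2.4 on Windows serving Subversion with the three things the answer names: per-request logging of who did what, Basic authentication, and per-path authorization. It assumes mod_dav, mod_dav_svn, mod_authz_svn, mod_auth_basic and mod_authn_file are loaded; every path below is a placeholder.

```apache
<Location /svn>
    DAV svn
    # One URL prefix for every repository under this folder; the listing
    # gives the browser-level access mentioned in the question.
    SVNParentPath "D:/svn/repos"
    SVNListParentPath On

    # Browser and svn clients authenticate the same way. Put this under the
    # HTTPS vhost: Basic auth sends credentials in the clear over plain HTTP.
    AuthType Basic
    AuthName "Subversion"
    # Created with: htpasswd -c D:/svn/conf/htpasswd <user>
    AuthUserFile "D:/svn/conf/htpasswd"
    # Per-repository, per-path read/write rules live in a separate file.
    AuthzSVNAccessFile "D:/svn/conf/authz"
    Require valid-user
</Location>

# D:/svn/conf/authz (separate file, INI syntax), sketched here as a comment:
#   [groups]
#   devs = alice, bob
#   [projectA:/]
#   @devs = rw
#   * = r
#   [projectA:/trunk/release]
#   @devs = r

# mod_dav_svn sets SVN-ACTION to a high-level description of each operation
# (checkout, commit, update ...); log it together with the authenticated user.
LogFormat "%h %u %t \"%r\" %>s %b \"%{SVN-ACTION}e\"" svnlog
CustomLog "logs/svn_access.log" svnlog env=SVN-ACTION
```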