I an not very familiar with solr. I have installed solr successfully. It is using jetty webserver. My solr version is 4.10.3. It admin page is not protected by password. Anyone can access it. I want to apply a paaword on solr admin. How I will do it?
Enable authentication in solr admin running with solr 6.1 and jetty
Pre condition:
Solr version 6.1
Solr is running successfully in the system
Solr Admin running through jetty
Process:
1. Edit jetty.xml
Edit the file “server/etc/jetty.xml”
Add following before the Configure tag ends
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
2. Edit webdefault.xml
Edit the file “server/etc/webdefault.xml”
Add following before the web-app tag ends
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
Special Note:
Value used in the role-name tag need to be same used in “realm.properties” file
3. Create new file “realm.properties”
Create a file named “realm.properties” in the location “server/etc/” and put the below content
admin: admin123,core1-role
User Name: admin
Password: admin123
Role name: core1-role
(This need to be same as the name used in role-name tag in server/etc/webdefault.xml” file )
4. Final Step
Restart Solr server
Now access Solr in your browser http://localhost:8983/solr/
You will find the browser is asking for username and password. Enter the username and password.
For version below 5
If you are using solr-webapp then you need to modify web.xml file and add these lines:
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Lockdown</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr_admin</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr</realm-name>
</login-config>
For Jetty server, you need to add below lines in /example/etc/webdefault.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>**admin-role**</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
Update /example/etc/jetty.xml file
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
/example/etc/realm.properties :
admin: s3cr3t, admin-role
Username = admin
password = s3cr3t.
Role name = admin-role
Solr version 5+
In latest Solr version folder structure got changed. You will find all files in below folder-path.
{SOLR_HOME}/server/etc/jetty.xml
{SOLR_HOME}/server/etc/webdefault.xml
Create new credential file at {SOLR_HOME}/server/etc/realm.properties:
admin: s3cr3t, admin-role
For more info you can help solr wiki docs
If you are using tomcat,
Open [Tomcat install dir]\tomcat-users.xml for editing.
Add the following lines within the <tomcat-user> element and save the changes (using your own username and password):
<role rolename="solr_admin"/><user username="your_username" password="your_password" roles="solr_admin"/>
Open Tomcat install dir\webapps\solr\WEB-INF\web.xml for editing.
"solr" in the path is the name of the instance you want to secure. Typically this is "solr," but may be different if you are running an advanced setup.
Add the following lines within the <web-app> element:
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Lockdown</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr_admin</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr</realm-name></login-config>
Save the changes and restart Tomcat. Test your changes by starting a new browser session and navigating to your site, for ex. http://localhost:8080/solr/ You should be prompted for credentials.
If your Tomcat install dir tomcat-users.xml file is being modified then
go to tomcat-users.xml file under Servers in Project Explorer and add your changes there.
As setting a password to Solr is a pain in the ass (sorry, but some time you have to name it as it is) I propose an other solution: Restrict access to it using iptables.
If you install Apache Solr Server usually the Server will listen on Port 8983. Hence the servers admin interface will be available under:
http://YOUR_SERVERS_IP:8983/solr/
So we can restrict connections to port 8983 as follows:
iptables -A INPUT -p tcp -s localhost --dport 8983 -j ACCEPT
iptables -A INPUT -p tcp -s YOUR_SERVERS_IP --dport 8983 -j ACCEPT
iptables -A INPUT -p tcp --dport 8983 -j DROP
This will accept all requests from localhost (first line) and from the server's IP itself (second line), but drop all other connections (last line). The second line is not necessary but helps us to find easy access to Solr's admin interface. To access the admin interface form a local machine, we have to forward all connections to the server at first. The easiest way to do this, is using sshuttle (lazy mans VPN):
sshuttle --dns -r root#YOUR_SERVERS_IP 0/0
Performing this command on the local machine, from where we want to access the admin interface.
An other option is, to use ssh tunnelling with the open ssh client:
ssh -D 1080 root#YOUR_SERVERS_IP
Set up a socks proxy in your browser to port 1080.
I'm dealing with Solr v.4.10 too and this is really annoyingly hard. None of the so-called "solutions" works for me. I ended up installing Nginx on my Ubuntu box and proxy the :8983 port to docker, where password is required by Nginx. This works for me.
I have just to inform what was solution in my case. Actually my website was written in ajax that's why by setting passowrd also protect my website. So its not the solution in case where solr has to be used by open internet. So its best solution as guided by solr wiki is to use proxies like node.js, nginex etc. as given here
Using node.js proxy and applying iptable rules ( as guided above) solve my problem.
Related
after much pain I managed to configure firewalld so that I only allow specific services to given IP-numbers.
Now I want to give access to all IPs to https/447. But I don't know how to do that. My current configuration is listed below.
# firewall-cmd --get-active-zones
customzone
sources: ipset:Trusted_IP_all
drop
interfaces: enp0s31f6
The drop zone:
# more drop.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
<short>Drop</short>
<description>Unsolicited incoming network packets are dropped.</description>
<forward/>
</zone>
And the customzone:
# more customzone.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
<short>Custom Zone Configuration</short>
<description>All incomming connections are blocked by default. </description>
<service name="ssh"/>
<service name="http"/>
<service name="https"/>
<source ipset="Trusted_IP_all"/>
</zone>
The "Trusted_IP_all" contain a selected few IP-nr/ranges
I'm currently on the process of trying fix a site vulnerability, basically it is one type of the "Improper Input Handling" attack.
Let's say my website is www.mywebsite.com
and there is hacker's website www.hacker.com
whenever there is a request send to www.mywebsite.com with modified "Host" header point to www.hacker.com, my site will create a redirect to www.mywebsite.com along with whatever the url it was.
e.g.
Normal:
Host: www.mywebsite.com
GET www.mywebsite.com/get/some/resources/
Reponse 200 ok
Hack:
Host: www.hacker.com (#been manually modified)
GET www.mywebsite.com/get/some/resources/
Response 302
Send another Redirect to www.hacker.com/get/some/resources
My website is running on Tomcat 7, I tried some solution with set up the virtual host by point the unknown host to a defaultlocalhost which suppose to do nothing. but it still send the redirect for some reason.
Here attached is my server.xml host configure:
<Engine name="Catalina" defaultHost="defaultlocalhost" jvmRoute="jvm1">
<Host name="www.mywebsite.com" appBase="webapps"
unpackWARs="true" autoDeploy="false" deployOnStartup="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
<Host name="defaultlocalhost" >
</Host>
So, my question is, Am I on the right track to prevent this kind of attack ? If yes, what I did wrong that still not working? (The ultimate goal is, if it is not the legit Host that been passed in, the request should be discard/ignored/return 404 but not redirect with 302)
Thank you in advance.
More references about the attack here :
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling
Oh well, end up answer my own question.
After join the Tomcat user mailing list (subscribe email address: users#tomcat.apache.org).
There is the guy named Andre helped me get this resolved:
basically what I did wrong is missing appBase in my defaultlocalhost
<Host name="defaultlocalhost" appbase="whatever" >
</Host>
The above configure successfully returned 404 status whenever a illegal request was been send. the reason is that whenever you don't set the appbase it always default to webapps so it essentially didn't do anything with my original configure.
Hope this can help anyone who had similar issue.
Update 7/10/2020
A 403 can be returned by adding in a RemoteAddrValve and blocking all ip's. The example is based on Tomcat 9.
http://tomcat.apache.org/tomcat-9.0-doc/config/host.html#Request_Filters
<Host name="defaultlocalhost" appbase="whatever">
<!-- deny all remote addresses to this host -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
deny="\d+\.\d+\.\d+\.\d+"/>
</Host>
Although it didn't exist at the time this question was asked, Tomcat 7.0.87 introduced a new property allowHostHeaderMismatch on the connector (cf. documentation). If you set it to false (default since Tomcat 9.0), Tomcat will return a 400 Bad Request error whenever the Host header does not match the request line:
<Connector port="8080" allowHostHeaderMismatch="false" />
I'm using ubuntu, and I'm in a need of some command, using which I can change the server port configurations.
Therefore, my question is...
Is there any linux command, to update the Tomcat server connection port, as well as server shutdown port?
maksim_khokhlov answer looks promising if you want to change it at the start (it is taken from here)
Basicly you have to change the config in your server.xml.
But I dont think you can change the port at runtime without restarting.
Another way would be to write a script which first changes the server.xml and then starts tomcat.
for example with python
python updateserverxml.py 8888
(and in this file you replace the port and start the server.)
Or another way could be using docker and map the exposed port from your standardport to your desired port.
maksim_khokhlov answer below:
Change your server.xml so that it will use port numbers expanded from properties instead of hardcoded ones:
<Server port="${port.shutdown}" shutdown="SHUTDOWN">
...
<Connector port="${port.http}" protocol="HTTP/1.1"/>
...
</Server>
Here's how you can start in Linux (assuming your current directory is CATALINA_HOME):
JAVA_OPTS="-Dport.shutdown=8005 -Dport.http=8080" bin/startup.sh
1) Go to conf folder in tomcat installation directory
2) Edit connection properties in server.xml file
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
I'm using Wildfly 8 for my server, in my server I use Infinispan (which use Jgroups) for cluster cache. I want to know which ports that Jgroups/Infinispan uses, so I can open these ports for communicating between server nodes without disable my Linux firewall.
Thank you.
You may find these answers in your wildfly/standalone/configuration/ directory. I assume you are using standalone-full-ha.xml configuration:
<!-- By default you are using UDP stack -->
<subsystem xmlns="urn:jboss:domain:jgroups:2.0" default-stack="udp">
<!-- Those ports are used for communication -->
<socket-binding name="jgroups-udp" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
<socket-binding name="jgroups-udp-fd" port="54200"/>
Have you checked with basic network command such us
$ netstat -a
you can find more examples in binarytides
I want to remove switch from port 8080 on my Apache Tomcat on Linux server CentOS 6.5 to the default. On My hosted Apache Tomcat server is running on port 8080 on url vmx15978.hosting24.com.au:8080. After I have installed the Geoserver software on the Apache server the url for it is http://vmx15978.hosting24.com.au:8080/geoserver/web/.
My website domain is links-map.com. Currently I can access Geoserver by this URL: links-map.com:8080/geoserver/web; However, I want to access Geoserver without 8080 using this URL instead: http://links-map.com/geoserver/web/
I had the same problem. It means I need to change port number from 8080 to 80 so that I can access my url (e.g www.mydomain.com) without appending 8080. But I found a different way to solve the problem.
Instead of changing port number in server.xml. I redirected port number 80 to 8080 using the following script. This works perfectly fine for me.
[root#myroot ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
[root#myroot ~]# iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 8080
Please find more at this link
taken from here
in your tomcat install dir, look for server.xml file.
change
<Connector port="8080" ...
to
<Connector port="80" ....
or any other port (80 is the default without specifying port)
don't forget to restart tomcat to apply changes
sudo service tomcat7 restart
Even after changing port 8080 to 80 we won't be able to access tomcat with it, as 80 is a privileged port, so it should be run by root,
Hence we can change Tomcat user to root as below and issue will be resolved, now we will be able to open tomcat site without 8080.
$ cat /etc/tomcat6/tomcat6.conf |grep USER
TOMCAT_USER="root"
Note: It is not recommended to run tomcat with root user.