On Fri, Jun 27, 2008 at 1:54 AM, Chris Hostetter
<[EMAIL PROTECTED]> wrote:
> A basic technique that can be used to mitigate the risk of a possible CSRF
> attack like this is to configure your Servlet Container so that access to
> paths which can modify the index (ie: /update, /update/csv, etc...) are
> restricted either to specific client IPs, or using HTTP Authentication.

My understanding is that HTTP authentication is useless against XSRF,
because browsers cache the authentication tokens. Once you have
authenticated, you are still vulnerable to attacks.

Restricting access to the servlet container by IP is probably safer.
To access the admin pages, I proxy the servlet container via Apache,
similar to the snippet given below.

This requires the user to authenticate via SSL for all SOLR-related
pages, and additionally blocks all update queries. If one also would
like to block specific admin pages, one could conceivably do so by
adding <Location> + Deny directives.

Comments, anyone? This configuration is container-agnostic, so if no
serious problems are found with my setup, which Wiki page would be
most appropriate for this snippet?

<VirtualHost *:443>
        ServerName your.server.name
        ServerAdmin [EMAIL PROTECTED]

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/your_cert.pem
        SSLCertificateKeyFile /etc/ssl/private/your_key.pem

        DocumentRoot /var/webroot/www/webadmin/html

        ErrorLog /var/webroot/www/webadmin/logs/error_ssl.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/webroot/www/webadmin/logs/access_ssl.log combined

        # SOLR admin pages
        # Change "Allow from all" to restrict to specific IP addresses.
        # (Apache does not allow trailing comments on directive lines,
        # so the note has to live on its own line.)
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPreserveHost On
        ProxyRequests Off
        # Only /solr/admin and /solr/select are proxied; /solr/update and
        # friends are never forwarded to the container.
        ProxyPass /solr/admin http://127.0.0.1:9000/solr/admin
        ProxyPassReverse /solr/admin http://127.0.0.1:9000/solr/admin
        ProxyPass /solr/select http://127.0.0.1:9000/solr/select
        ProxyPassReverse /solr/select http://127.0.0.1:9000/solr/select

        # Every /solr path requires a login (sent over SSL only).
        <Location /solr>
                AuthType Basic
                AuthName "SOLR Admin Pages"
                AuthUserFile /var/webroot/www/webadmin/auth/solr-auth
                Require valid-user
        </Location>
</VirtualHost>

Best regards
- Christian

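The message above mentions blocking specific paths with <Location> + Deny and restricting the admin pages to particular client IPs. The fragment below is an added example of that (it is not from the original post or from the Solr project) in the same Apache 2.2 mod_access syntax the posted snippet uses; Apache 2.4 replaces Order/Allow/Deny with "Require ip" / "Require all denied". The hostname, certificate paths, backend port, password file and the 192.0.2.0/24 admin network are placeholders.

```apache
<VirtualHost *:443>
        ServerName your.server.name

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/your_cert.pem
        SSLCertificateKeyFile /etc/ssl/private/your_key.pem

        ProxyRequests Off
        ProxyPreserveHost On

        # Only the two paths that should be reachable are proxied.
        ProxyPass /solr/admin http://127.0.0.1:9000/solr/admin
        ProxyPassReverse /solr/admin http://127.0.0.1:9000/solr/admin
        ProxyPass /solr/select http://127.0.0.1:9000/solr/select
        ProxyPassReverse /solr/select http://127.0.0.1:9000/solr/select

        # Explicitly refuse anything under /solr/update (this prefix also
        # covers /solr/update/csv). The 403 holds even if someone later
        # adds a broader "ProxyPass /solr ..." line.
        <Location /solr/update>
                Order allow,deny
                Deny from all
        </Location>

        # Search: any client of this vhost, but only with a login.
        <Location /solr/select>
                AuthType Basic
                AuthName "SOLR Search"
                AuthUserFile /var/webroot/www/webadmin/auth/solr-auth
                Require valid-user
        </Location>

        # Admin pages: client must come from the admin network AND log in.
        # 192.0.2.0/24 is a placeholder (documentation range); replace it.
        <Location /solr/admin>
                Order deny,allow
                Deny from all
                Allow from 127.0.0.1
                Allow from 192.0.2.0/24
                AuthType Basic
                AuthName "SOLR Admin Pages"
                AuthUserFile /var/webroot/www/webadmin/auth/solr-auth
                Require valid-user
                # Satisfy All = both the IP check and the login must pass
                # (the 2.2 default, stated here so nobody relaxes it to Any).
                Satisfy All
        </Location>
</VirtualHost>
```

Check the result with "apachectl -t" before reloading, and verify from a host outside the admin network that /solr/admin/ returns 403 and /solr/update returns 403 rather than a proxied response.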