
I set up a Solr server on my Debian 10 VPS to do Full Text Search in my email archive with email clients. I use Dovecot as IMAP server on the same host.

Everything works fine so far.

But what I don't understand is: How to secure Solr?

By default everybody can reach my admin panel (and probably the API) by http://example.com:8983

To close the door I enabled Basic Authentication by creating a security.json file according to Solr reference guide https://solr.apache.org/guide/8_8/basic-authentication-plugin.html

{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="},
    "realm": "My Solr users",
    "forwardCredentials": false
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "admin"}],
    "user-role": {"solr": "admin"}
  }
}

The Good: this works great, now people have to authenticate. The Ugly:

  1. Dovecot can't log in to Solr anymore, no more search in my email archive
  2. The rest of the world can log in with the standard credentials user "solr" and password "SolrRocks".

How stupid is that? Is that securing?

So, who can help me to configure my Solr and Dovecot servers so that only I am able to log in to the admin panel AND Dovecot keeps working with Solr?

I know I could just turn off authentication and simply block port 8983 by firewall, but this can't be the way to get it done. Moreover, I won't be able to log in to the admin panel either.

Thanks for any hint.

My Dovecot "90-plugins.conf":

plugin {
  fts = solr
  fts_autoindex = yes
  fts_solr = break-imap-search url=http://127.0.0.1:8983/solr/dovecot/ 
}
alf-on
  • Just in case that you wanted someone to spell out the almost-obvious: You *can* change those credentials in solr. You do not need to stick with the default credentials! – anx May 18 '21 at 23:00

1 Answer


Dovecot supports TLS and HTTP Basic auth just fine.

That does not have to be the HBA implementation integrated with solr, you could also apply it to all http access to the solr instance. If your method of running solr (used to be a java web app, standalone application nowadays) does not give you the options you want, proxy it through nginx and configure HBA there.

Put the credentials into the url in your Dovecot conf:

url=https://user:password@hostname.example:8983/solr/dovecot/ 

Hosting that on an IP address firewalled to be only accessible by Dovecot still makes sense.

For local deployments, you do not need to (and typically should not) host solr on a routable interface. Instead, bind your server to ::1 / 127.0.0.1.

anx
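As an added example (not part of the question or of anx's answer): the credential string in the questioner's security.json is Solr's documented default entry for the password "SolrRocks", which is why the whole world could still log in. The Python below recomputes Solr's stored format, base64(sha256(sha256(salt + password))) followed by base64(salt), to flag users still on that default, and builds a replacement entry with a fresh random salt for the credentials block. Only the standard library is used; the sample security.json and the new password are constructed placeholders.

```python
import base64
import hashlib
import json
import os

# Credential format used by solr.BasicAuthPlugin:
#   "<user>": "<base64(sha256(sha256(salt + password)))> <base64(salt)>"
# This is the default entry shipped in the Solr reference guide (password "SolrRocks").
DEFAULT_CREDENTIAL = (
    "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= "
    "Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
)


def solr_hash(password: str, salt: bytes) -> str:
    """Hash a password the way solr.BasicAuthPlugin stores it: sha256 twice, salt first."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def verify_credential(credential: str, password: str) -> bool:
    """True if the stored 'hash salt' string was produced from the given password."""
    stored_hash, salt_b64 = credential.split(" ", 1)
    return solr_hash(password, base64.b64decode(salt_b64)) == stored_hash


def new_credential(password: str) -> str:
    """Build a replacement entry with a fresh 32-byte random salt, as Solr itself does."""
    salt = os.urandom(32)
    return solr_hash(password, salt) + " " + base64.b64encode(salt).decode("ascii")


def users_with_default_password(security_json: str) -> list:
    """List users in a security.json whose password is still the default 'SolrRocks'."""
    creds = json.loads(security_json)["authentication"]["credentials"]
    return [user for user, cred in creds.items() if verify_credential(cred, "SolrRocks")]


# Constructed sample mirroring the questioner's security.json
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {"solr": DEFAULT_CREDENTIAL},
    }
})

if __name__ == "__main__":
    print("still on the default password:", users_with_default_password(SAMPLE_SECURITY_JSON))
    # Placeholder password: paste the printed entry into "credentials", then restart Solr
    print('"dovecot": "%s"' % new_credential("replace-me-with-a-long-random-password"))
```

The same user:password pair then goes into the `url=https://user:password@...` form of the Dovecot `fts_solr` setting from the answer.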