Securing Solr Deployments - SearchStax


Overview

SearchStax® takes the security of your Solr search infrastructure very seriously. We have built-in industry-standard security at the level of the cluster, network and SearchStax dashboard. Custom firewall rules enable you to lock down your search infrastructure to a whitelist of IP addresses and IP address ranges. Solr basic authentication lets you restrict search access to clients with appropriate user credentials.

Security Best Practices

Production systems are usually secured with both Basic Authentication and IP Filtering.

The Zookeeper Ensemble does not support authentication, but should be protected by IP Filtering.

Advanced Security Options

For our premium customers (Gold, Platinum, and Platinum Plus levels) who have high security requirements, we recommend a SearchStax Cloud Private environment with VPC Peering.

Premium customers may also request at-rest encryption for their data files. Send email to sales@searchstax.com to learn more about these options.


Cluster Security

You can lock down your clusters as described below.

Connecting to the Cluster

SearchStax recommends that you situate your application infrastructure in the same local network as your hosting provider (for example, AWS or Azure). Internal network security at these hosting providers is extremely high, which eliminates the chance of an attacker sniffing your network traffic.

If your application is hosted elsewhere, try to host it as close to your search infrastructure as possible. This can be done by choosing the Cloud Provider Region which is closest to your application. This improves both security and performance.

Solr Basic Authentication

You can optionally enable the Solr Basic Authentication plugin on your Solr deployments. This restricts access to your Solr dashboard and requires valid credentials for query requests.

Note that Solr user accounts are independent of SearchStax user accounts.

Warning: Service Interruption

Enabling/Disabling this feature on a single-node deployment will restart your Solr server, interrupting service.

Enabling/Disabling this feature on a cluster will initiate a rolling restart of your servers. Service will not be interrupted, but please allow the process to finish before making any other changes to your cluster configuration.

To enable the Basic Authentication plugin:

  1. Select the desired Deployment and click the Auth link in the main menu.
  2. Click the Enable button.
  3. Add a user, entering the username, password and the role you want to assign. Click Add.

You can edit your users as needed.

To disable the Authentication and Authorization plugin, click on the Disable Auth button and confirm the action. (Again, Solr services will have to be restarted.)

Connecting to Solr

After enabling Solr authentication, your <Solr HTTP Endpoint> changes from https://machine... to https://user:password@machine...

Connections to Zookeeper remain unchanged.
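The user:password@machine form above is convenient, but a password embedded in a URL tends to end up in shell history, proxy logs and application logs. The following Python example (added here; it is not SearchStax code, and the host, username and password are placeholders) takes an endpoint in that form, strips the credentials out of the URL, and sends them instead in an HTTP Basic Authorization header, which is what the browser does with the same URL. Nothing is sent over the network; the request is only prepared.

```python
import base64
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed example endpoint in the form the page shows after enabling
# Basic Authentication. User, password and host are placeholders.
EXAMPLE_ENDPOINT = "https://solr-admin:s3cret@example-host.searchstax.invalid/solr/"


def split_credentials(endpoint):
    """Split a user:password@host URL into (clean_url, user, password).

    Returns (endpoint, None, None) when the URL carries no credentials.
    """
    parts = urlsplit(endpoint)
    if parts.username is None:
        return endpoint, None, None
    host = parts.hostname
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, parts.username, parts.password or ""


def basic_auth_header(user, password):
    """Value of the Authorization header for HTTP Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(endpoint, path="admin/ping"):
    """Prepare a urllib Request that carries the credentials in a header,
    so the password never appears in the URL that gets logged."""
    clean, user, password = split_credentials(endpoint)
    req = urllib.request.Request(clean + path)
    if user is not None:
        req.add_header("Authorization", basic_auth_header(user, password))
    return req


if __name__ == "__main__":
    request = build_request(EXAMPLE_ENDPOINT)
    # Show what would be logged (the URL) and that the secret lives in the header.
    print("URL sent/logged:", request.get_full_url())
    print("Authorization header present:", request.has_header("Authorization"))
```

To actually query Solr, pass the returned Request to urllib.request.urlopen; the URL it logs is the clean one, and the credentials travel only in the header. Because Basic auth sends the password base64-encoded rather than encrypted, it is only safe over the HTTPS endpoint the page describes.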

IP Filtering

You can limit access to a deployment to a list of IP addresses using the IP Filter menu. Access can be configured separately for the Zookeeper and Solr servers.

To limit access to a specific IP address or IP address range:

  1. From within a Deployment's details page, click on Security > IP filter.
  2. Click on Add Row.
  3. Add a specific IP address in the appropriate field.
  4. Select a service you need to limit access to.
  5. Click on Save changes.

To remove a filter, click on the X button and then Save changes.

Note that the default entry is 0.0.0.0/0, which allows unrestricted access. You must remove this entry to enable IP access restrictions.

Add your own IP first!

If you delete the default entry before adding a new IP address, you can lock yourself out. Send email to support@searchstax.com for assistance.
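Before saving a filter list it helps to check it the way the dashboard does not: does 0.0.0.0/0 still make the whole list meaningless, and does the list still cover the address you are working from once the default entry goes? The Python example below (added here, not SearchStax code; the rule list and the operator address are constructed placeholders) evaluates a client address against a filter list in the same CIDR form the page uses and reports those two problems plus overly broad entries.

```python
import ipaddress

# The dashboard's default entry, which allows unrestricted access.
UNRESTRICTED = ipaddress.ip_network("0.0.0.0/0")

# Constructed example filter list for the Solr service and the address the
# operator is working from; both are placeholders, not values from the page.
SOLR_RULES = ["0.0.0.0/0", "203.0.113.0/24"]
MY_IP = "198.51.100.7"


def parse_rules(rules):
    """Turn filter strings into network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(rule, strict=False) for rule in rules]


def is_allowed(client_ip, rules):
    """True when client_ip falls inside any entry of the filter list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_rules(rules))


def review_rules(rules, my_ip):
    """Return findings a practitioner would want to see before clicking Save."""
    findings = []
    nets = parse_rules(rules)
    if UNRESTRICTED in nets:
        findings.append("0.0.0.0/0 is present, so the filter restricts nothing")
    # Evaluate the list as it will behave once the default entry is removed.
    kept = [str(net) for net in nets if net != UNRESTRICTED]
    if not is_allowed(my_ip, kept):
        findings.append(f"{my_ip} is not covered; removing 0.0.0.0/0 would lock you out")
    for net in parse_rules(kept):
        if net.num_addresses > 65536:
            findings.append(f"{net} is broader than a /16; narrow it if you can")
    return findings


if __name__ == "__main__":
    for finding in review_rules(SOLR_RULES, MY_IP):
        print("-", finding)
    print("Allowed from", MY_IP, "after fix:",
          is_allowed(MY_IP, [MY_IP, "203.0.113.0/24"]))
```

Run the review against the list as you intend to save it; an empty result means the default entry is gone, your own address is still admitted, and no entry is wider than a /16.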

SearchStax Tenant Users

Each SearchStax account is restricted to the owner (and admin) of that account plus any SearchStax users who have been granted access to that account by the owner. The additional users may be enrolled as normal SearchStax operators or as admins at the owner's discretion. See Solr Account Setup.

SearchStax Dashboard Security

All connections to the SearchStax Dashboard use HTTPS, which encrypts your traffic in transit.

Activity Log

The activity log lists all user actions within your tenant account, including those of the SearchStax Support team. Each entry shows the User (the email address of the person who performed the change) and their role, the Timestamp of the action in UTC, the Action, the Action detail, and the IP address from which the action originated.
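Because the log records who changed the security settings and from where, it is worth reviewing it for the changes that matter most on this page: authentication being disabled, the IP filter being widened, and actions from addresses outside your own network. The Python example below (added here, not SearchStax code) does that over a handful of constructed rows laid out in the six columns just described; the action names, the "Support" role label, the addresses and the trusted network range are all assumptions made for the example.

```python
import ipaddress

# Constructed activity-log rows in the column order the page describes:
# user email, role, UTC timestamp, action, action detail, source IP.
# Action names and the role labels are assumptions, not dashboard values.
SAMPLE_LOG = """\
alice@example.com,Owner,2024-05-01T09:15:00Z,Enable Auth,deployment-placeholder,203.0.113.10
support@searchstax.com,Support,2024-05-01T11:02:00Z,Update IP filter,added 0.0.0.0/0 for Solr,198.51.100.5
bob@example.com,Admin,2024-05-02T02:40:00Z,Disable Auth,deployment-placeholder,192.0.2.77
alice@example.com,Owner,2024-05-02T08:00:00Z,Add user,solr user reader,203.0.113.10
"""

# Actions that weaken the deployment's security posture (assumed names).
SENSITIVE_ACTIONS = {"Disable Auth", "Update IP filter"}

# Placeholder for the ranges your operators normally work from.
TRUSTED_NETWORKS = ["203.0.113.0/24"]


def parse_log(text):
    """Parse comma-separated rows into dicts keyed by the page's column names."""
    rows = []
    for line in text.strip().splitlines():
        user, role, timestamp, action, detail, ip = line.split(",", 5)
        rows.append({"user": user, "role": role, "time": timestamp,
                     "action": action, "detail": detail, "ip": ip})
    return rows


def flag_events(rows, trusted_networks):
    """Return (user, action, reasons) for every row that deserves a second look."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for row in rows:
        reasons = []
        if row["action"] in SENSITIVE_ACTIONS:
            reasons.append("security-sensitive action")
        if "0.0.0.0/0" in row["detail"]:
            reasons.append("filter opened to all addresses")
        if not any(ipaddress.ip_address(row["ip"]) in net for net in nets):
            reasons.append("source IP outside trusted ranges")
        if row["role"] == "Support":
            reasons.append("performed by vendor support")
        if reasons:
            flagged.append((row["user"], row["action"], reasons))
    return flagged


if __name__ == "__main__":
    for user, action, reasons in flag_events(parse_log(SAMPLE_LOG), TRUSTED_NETWORKS):
        print(f"{user}: {action} -> {', '.join(reasons)}")
```

Exported rows from the real dashboard will carry the same six columns; adjust the action names and trusted ranges to what your tenant actually shows, and treat any flagged row that nobody on your team remembers as something to raise with support.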