Securing Solr Deployments - SearchStax
SearchStax® takes the security of your Solr search infrastructure very seriously. We have built-in industry-standard security at the level of the cluster, network and SearchStax dashboard. Custom firewall rules enable you to lock down your search infrastructure to a whitelist of IP addresses and IP address ranges. Solr basic authentication lets you restrict search access to clients with appropriate user credentials.
The SearchStax dashboard and all communications between SearchStax and your search engine use Secure-Sockets Layer encryption (SSL). This is the system's default behavior out of the box.
Security Best Practices
For production systems, secure Solr using Basic Authentication
and an appropriate range of IP addresses.
The Zookeeper Ensemble does not support authentication, so we suggest locking it down to a short list of IP addresses, or even to just one.
Advanced Security Options
Premium customers may also request at-rest encryption for their data files. Send email to email@example.com to learn more about these options.
- Cluster Security
- SearchStax Dashboard Security
Connecting to the Cluster
SearchStax recommends that you situate your application infrastructure in the same local network as your hosting provider (for example, AWS or Azure). Internal network security for these hosting providers is extremely high and eliminates any chance of a hacker potentially sniffing your network traffic.
If your application is hosted elsewhere, try to host it as close to your search infrastructure as possible. This can be done by choosing the Cloud Provider Region which is closest to your application. This improves both security and performance.
Solr Basic Authentication
You can optionally enable the Solr Basic Authentication plugin on your Solr deployments. This restricts access to your Solr dashboard and demands authorization for query requests and index updates.
Note that Solr user accounts are independent of SearchStax user accounts.
Warning: Service Interruption
Enabling/Disabling this feature on a single-node deployment will restart your Solr server, interrupting service.
Enabling/Disabling this feature on a cluster will initiate a rolling restart of your servers. Service will not be interrupted, but please allow the process to finish before making any other changes to your cluster configuration.
To enable the Basic Authentication plugin:
- Select the desired Deployment and click the Security > Auth command in the menu bar.
- Click the Enable button.
- Add a user, entering the username, password and role (see below). Click Add.
To disable the Authentication and Authorization plugin, click on the Disable Auth button and confirm the action. (Again, Solr services will be restarted.)
Solr Basic Authentication provides three user roles:
- Admin users have full access to the Solr Dashboard. They can query the index from an external location using a /select command, and they can load new records into the index using a /update command.
- Read users can query the index using /select.
- Write users can add new records to the index using /update.
Using /select and /update
After enabling Solr authentication, your cURL /select and /update interactions with
Solr must include the
-u 'username:password' parameter.
Connections to Zookeeper remain unchanged.
You can limit access to a Solr deployment to a list of IP addresses using the Security > IP Filter
You can configure access for Solr+Zookeeper, Solr, Zookeeper, and Silk endpoints separately.
The addresses are expressed in IPv4 format, using the familiar dot-decimal notation. Ranges are specified using Classless Inter-Domain Routing (CIDR) format.
CIDR notation can be daunting, but note the following three examples of typical CIDR rules:
- 0.0.0.0/0 This rule permits unrestricted access. Any IP address whatsoever may connect to Solr.
- 18.104.22.168/32 This rule permits a connection from exactly one IP address.
- 22.214.171.124/24 This rule allows Solr access from any of the 256 IP addresses on a subnet.
The /n at the end of each rule is called the prefix length.
To limit access to a specific IP address or IP address range:
- From within a Deployment's details page, click on the Security > IP filter menu.
- Click on Add Row.
- Add a specific IP address in the appropriate field. Note that SearchStax can detect your computer's IP address. Click My current IP to enter it automatically.
- Select a service you need to limit access to (Solr+Zookeeper, Solr, or Zookeeper).
- Click Save changes.
To remove a filter, click on the X button and then Save changes.
IP Filtering by Cloud Provider
Each of our Cloud Providers handles IP filtering a little differently.
- For Google Cloud Provider (GCP) and Microsoft Azure, removing all of the IP filters allows unrestricted access.
- For Amazon Web Services (AWS), removing all of the IP filters makes the deployment unreachable.
- For AWS and Azure, new filters take effect immediately.
- For GCP, new filters can take a few minutes to become active.
Each SearchStax account is restricted to the owner (and admin) of that account plus
any SearchStax users who have been granted access to that account by the owner. The
additional users may be enrolled as normal SearchStax operators or as admins at the
owner's discretion. See Solr Account Setup.
SearchStax Dashboard Security
The SearchStax activity log provides you with a list of all user actions within your tenant account, including those of the SearchStax Support team. The list consists of a User column including email of the user who performed the logged change, his/her role, Timestamp of action in UTC, Action itself, Action detail and IP address where the action originated.
Do not hesitate to contact the SearchStax Support Desk.