Apache Solr access control

To add access control to Solr under Tomcat 6, proceed as follows:

Edit tomcat6/Catalina/localhost/solr.xml

<Context docBase="/var/solr/solr.war" debug="0" privileged="true" allowLinking="true" crossContext="true">

<Environment name="solr/home" type="java.lang.String" value="/var/solr" override="true"/>

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.100,localhost,192.168.1.103,127.0.0.1"/>

<Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="192.168.1.105"/>

</Context>


Refer to the Tomcat configuration documentation: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter

To make the above configuration take effect, you also need to restart Tomcat's security mechanism.

Edit /etc/default/tomcat6 (sudo vi /etc/default/tomcat6)

Comment out the last line, TOMCAT6_SECURITY=no


To learn more about security mechanisms, check out the Solr Wiki: http://wiki.apache.org/solr/SolrSecurity

 

 

Solr's admin console is powerful, but in production, if its address is publicly reachable, not only is the core structure exposed, the index can even be modified or deleted.

The recommended practice is to configure this on Apache or another front-end server: normally keep the external address disabled and have the project access Solr through its internal address (for example http://localhost:8080/solr/collection1). Debug Solr offline on a local instance; if you need to debug online, open the external address temporarily and close it again after use.

If you connect Apache and Tomcat over AJP, see the ProxyPass /solr/ ! line in the settings below (highlighted in red in the original), which keeps /solr/ from being proxied to Tomcat. When you need to open external access, comment that line out by putting a # in front of it, then restart Apache (/etc/httpd/conf/httpd.conf).

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName www.devnote.cn

    ProxyPass /solr/ !
    ProxyPass / ajp://localhost:8009/
    ErrorLog logs/www.devnote.cn-error_log
    CustomLog logs/www.devnote.cn-access_log common
</VirtualHost>

Note: If you use the AJP connection method, you cannot use http://localhost:8009/solr/collection1 for intranet access; you need to use the default 8080 or the Tomcat port you defined yourself.

 

 

============= Implementing IP Access Restriction in Tomcat ===============

 

Configuring IP access restrictions for Tomcat
IP access restriction in Tomcat means configuring which client (or clients) may, or may not, access the Tomcat server.
Restricting Tomcat access by IP is easy: edit Tomcat's server.xml and add the appropriate configuration.
For example, suppose we have a virtual directory called myapp. Open Tomcat's server.xml configuration file in a text editor and find its configuration, which looks like this:
<Context path="/myapp" reloadable="true" docBase="/var/www/myapp" />

Change it to the following code:

<Context path="/myapp" reloadable="true" docBase="/var/www/myapp">
     <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127.0.0.1" deny="" />
</Context>
With this setting, only the local machine is allowed access.
To allow only the IP ranges 192.168.1.0-192.168.5.255 and 192.168.10.0-192.168.15.255, you can write:
<Context path="/myapp" reloadable="true" docBase="/var/www/myapp">
     <!-- allow/deny are comma-separated regular expressions matched against the whole address -->
     <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="192\.168\.[1-5]\.\d+,192\.168\.1[0-5]\.\d+" deny="" />
</Context>

After setting, restart Tomcat and it will take effect
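
Tomcat 6 treats allow and deny as comma-separated regular expressions that must match the whole client address, so glob-style values admit more addresses than they appear to. The check below is an added example, not part of the original post: it models that matching in Python (whose regex syntax agrees with Java's for these patterns) and audits an allow list against constructed sample addresses; all function names and sample data are assumptions.

```python
import re

def compile_list(spec):
    """Split an allow/deny attribute on commas; compile each item as a regex."""
    return [re.compile(p.strip()) for p in spec.split(",") if p.strip()]

def invalid_patterns(spec):
    """Return the items of a spec that are not valid regular expressions."""
    bad = []
    for item in (p.strip() for p in spec.split(",")):
        if not item:
            continue
        try:
            re.compile(item)
        except re.error:  # e.g. a leading '*' has nothing to repeat
            bad.append(item)
    return bad

def is_allowed(addr, allow="", deny=""):
    """Simplified model of the valve: deny wins, then allow; whole-string match."""
    allows, denies = compile_list(allow), compile_list(deny)
    if any(p.fullmatch(addr) for p in denies):
        return False
    if any(p.fullmatch(addr) for p in allows):
        return True
    # With only a deny list configured, everything not denied passes.
    return bool(denies) and not allows

def audit(spec, wanted, unwanted):
    """Return (wrongly_blocked, wrongly_admitted) for an allow list."""
    blocked = [a for a in wanted if not is_allowed(a, allow=spec)]
    admitted = [a for a in unwanted if is_allowed(a, allow=spec)]
    return blocked, admitted

# Constructed sample data: intended ranges are 192.168.1-5.x and 192.168.10-15.x.
GLOB_STYLE = "192.168.[1-5].*,192.168.[10-15].*"   # '.' is any char, [10-15] is one char
ESCAPED = r"192\.168\.[1-5]\.\d+,192\.168\.1[0-5]\.\d+"
WANTED = ["192.168.1.7", "192.168.5.200", "192.168.10.4", "192.168.15.9"]
UNWANTED = ["192.168.0.9", "192.168.16.9", "192.168.100.7",
            "192.168.200.1", "192.168.7.9"]

if __name__ == "__main__":
    for name, spec in (("glob-style", GLOB_STYLE), ("escaped", ESCAPED)):
        blocked, admitted = audit(spec, WANTED, UNWANTED)
        print(f"{name}: wrongly blocked={blocked} wrongly admitted={admitted}")
    print("not valid regexes:", invalid_patterns("192.168.1.*,*.mysite.com"))
```

Run the same audit against any allow value before deploying it, with a few addresses just outside the intended range in the unwanted list.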

Implementing IP Access Restriction in Tomcat  

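Original: http://zhumeng8337797.blog.163.com/blog/static/10076891420129231118360/

Effect: only the specified hosts or IP addresses can access applications deployed under Tomcat.

Tomcat provides two parameters for you to configure: RemoteHostValve and RemoteAddrValve. The former restricts by host name, the latter by IP address.
By configuring these two parameters, you can filter requests by the host or IP address they come from, and allow or deny particular hosts/IPs.


1. Global setting, effective for all applications under Tomcat
Add the following line to server.xml and restart the server: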
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*" deny=""/> 
Place this line before </Host>.
Examples:
1. Allow access only from 192.168.1.10:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.10" deny=""/>
2. Allow access only from the 192.168.1.* network segment:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*" deny=""/>
3. Allow access only from 192.168.1.10 and 192.168.1.30:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.10,192.168.1.30" deny=""/>
4. Restrict by host name:

<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="abc.com" deny=""/>


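2. Local setting, effective only for a specific application
Set it according to how the project is configured:
1. Configured through an XML file under the conf directory: ${tomcat_root}\conf\proj_1.xml
2. Configured directly in server.xml: ${tomcat_root}\conf\server.xml
In the file above, add the following line before the </Context> of the corresponding project: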

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*" deny=""/>

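Special requirement: a test version that should not be accessible to others
Open the tomcat6\conf\server.xml file
To restrict the whole site so that others cannot access it, add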
<Valve className="org.apache.catalina.valves.RemoteAddrValve"  allow="192.168.1.*,192.168.2.*,*.mysite.com" deny=""/> 
to the <Host></Host> element.
To restrict access to a single site only, adding it inside <Context> is enough.

<Context path="/myweb" reloadable="true" docBase="E:\tomcat6\webapps\myweb">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.13.110,192.168.1.*,220.250.13.21" deny=""/> 
</Context>
 
RemoteHostValve
Restrict by host name:
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="tmachine1" deny=""/>

File to modify:

tomcat/conf/server.xml

Restricting IP access through Tomcat

<Engine name="Standalone" ...>
<!-- domain name restriction -->
<Valve className="org.apache.catalina.valves.RemoteHostValve"
         allow="*.mycompany.com,*.a.com"/>
<!-- IP restriction -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         deny="192.168.1.*"/>
</Engine>
Restart tomcat
 
