
Secure your LA infrastructure

jloomisVCE edited this page Nov 1, 2019 · 26 revisions

Draft

Basic measures

Firewall

Allow basic inbound traffic on 22/80/443 (TCP) from the outside. Restrict external access to the Solr web interface (port 8983), but allow access to port 8983 from the IPs of your own servers that use Solr.

Restricting the internal traffic is more complex. As a start you can open all ports between the internal IP addresses of your VMs while you discover which ports each service uses, then tighten the rules to fit your infrastructure.

ufw

If you don't need a complicated firewall configuration, you can use this ansible ufw role to quickly configure iptables on your machines.
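As an added example (not part of the LA wiki or the ansible role), the same policy expressed as plain ufw commands: 22/80/443 open to the world, Solr's 8983 only from the internal addresses of the LA servers that query it, everything else inbound denied. It also refuses to open 8983 to anything that is not a private (RFC 1918) address, which catches the classic mistake of pasting a public IP into the rule. The IPs shown are constructed placeholders.

```shell
# Added example, not part of the LA wiki: generate the ufw commands for the
# firewall policy described in the text. Sample IPs are constructed; use the
# internal addresses of your own VMs.

# Return 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the ufw commands; $@ = internal IPs allowed to reach port 8983.
la_ufw_rules() {
  for ip in "$@"; do
    if ! is_private_ipv4 "$ip"; then
      echo "refusing to open Solr (8983) to non-private address $ip" >&2
      return 1
    fi
  done
  printf '%s\n' 'ufw default deny incoming' 'ufw default allow outgoing'
  # "limit" rate-limits new ssh connections (ufw's default: 6 per 30 s per
  # source), a cheap first brake on password brute force.
  printf '%s\n' 'ufw limit 22/tcp' 'ufw allow 80/tcp' 'ufw allow 443/tcp'
  for ip in "$@"; do
    printf 'ufw allow from %s to any port 8983 proto tcp\n' "$ip"
  done
  printf '%s\n' 'ufw --force enable'
}

# Run the generated commands (needs root), e.g.: la_ufw_apply 10.0.0.11 10.0.0.12
la_ufw_apply() {
  la_ufw_rules "$@" | while read -r cmd; do
    $cmd || exit 1   # word splitting of $cmd is intended here
  done
}
```

Review the output of `la_ufw_rules` first; only `la_ufw_apply` touches the live firewall, and because the default policy is deny, run it from the console or a session you can recover if you mistype the ssh rule.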

Protect your Solr admin interface

ssh port redirection

When you need to access the Solr admin interface (or, similarly, the MongoDB, MySQL or PostgreSQL ports) from your computer, you can temporarily use ssh port forwarding with something like:

ssh -L 8983:127.0.0.1:8983 ubuntu@your-solr-server -N -f

  • -L means: my local port 8983 is forwarded to 127.0.0.1:8983 as seen from the remote Solr server
  • -N -f means: run no remote command and send the ssh process to the background

This forwarding is only maintained while that ssh connection is running, so it is temporary. (For many use cases this is adequate: you create an SSH tunnel for the brief duration of your Solr administration tasks, then shut it down.) If you like this way of connecting to your servers' admin ports, you can also use other tools such as autossh or sshuttle.
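An added example (not from the LA wiki) of the same tunnel managed through an ssh control socket, so you can check it and shut it down deliberately instead of hunting for the backgrounded `ssh -f` process afterwards. It also binds the local end to 127.0.0.1 explicitly, so nobody else on your LAN can ride your tunnel into the admin UI. `your-solr-server`, the `ubuntu` user and the socket path are assumed placeholders.

```shell
# Added example, not part of the LA wiki. Host, user and socket path are
# placeholders; override them in the environment.
SOLR_HOST=${SOLR_HOST:-your-solr-server}
SOLR_USER=${SOLR_USER:-ubuntu}
TUNNEL_SOCK=${TUNNEL_SOCK:-${TMPDIR:-/tmp}/solr-tunnel.sock}

# Open the tunnel: -M/-S create a control socket we can talk to later,
# ExitOnForwardFailure makes ssh fail loudly if 8983 is already taken locally,
# and the explicit 127.0.0.1 bind keeps the forwarded port off your LAN.
solr_tunnel_open() {
  ssh -M -S "$TUNNEL_SOCK" -f -N \
      -o ExitOnForwardFailure=yes \
      -L 127.0.0.1:8983:127.0.0.1:8983 \
      "$SOLR_USER@$SOLR_HOST"
}

# Is the tunnel still up?
solr_tunnel_check() {
  ssh -S "$TUNNEL_SOCK" -O check "$SOLR_USER@$SOLR_HOST"
}

# Tear it down when the admin task is finished.
solr_tunnel_close() {
  ssh -S "$TUNNEL_SOCK" -O exit "$SOLR_USER@$SOLR_HOST"
}

# Typical session:
#   solr_tunnel_open && open http://127.0.0.1:8983/solr/   # or xdg-open
#   ... do the admin work ...
#   solr_tunnel_close
```

Because the tunnel is tied to the control socket, `solr_tunnel_close` is the one reliable way to end it; if the socket file is left behind after a crash, remove it before opening again.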

solr admin with apache

If you need something more permanent, you can configure a vhost with basic auth that reverse-proxies to Solr, like:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName index.example.org
    ServerAdmin sysadmins@example.org
    DocumentRoot /srv/index.example.org/www/

    # Nothing is served from disk here (every request is proxied to Solr
    # below), so keep the filesystem closed. Apache 2.4 syntax: "Require"
    # replaces the old Order/Allow directives.
    <Directory />
        Require all denied
    </Directory>
    <Directory /srv/index.example.org/www/>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Every request needs a valid user from the htpasswd file
    # (create it with: htpasswd -B -c /etc/apache2/passwdfile <username>).
    <Location />
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile /etc/apache2/passwdfile
        <RequireAny>
            # The "noauth" env hook is only honoured if you set it yourself
            # (e.g. with SetEnvIf for a health-check path); nothing here sets it.
            Require env noauth
            Require env REDIRECT_noauth
            Require valid-user
        </RequireAny>
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Reverse proxy only: "ProxyRequests Off" stops Apache from acting as an
    # open forward proxy. ProxyPassReverse rewrites redirects sent by Solr so
    # they do not expose the internal hostname.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia full
    ProxyPass / http://YOUR_INTERNAL_SOLR_SERVER:8983/
    ProxyPassReverse / http://YOUR_INTERNAL_SOLR_SERVER:8983/

    # TLS from Let's Encrypt (certbot); options-ssl-apache.conf enables SSLEngine
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/index.example.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/index.example.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/index.example.org/chain.pem
</VirtualHost>
</IfModule>
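Before reloading Apache it is worth checking that a vhost like the one above still has the properties that make it a protected proxy. The following is an added example (not from the LA wiki): a small shell check that reads a vhost config on stdin and fails if the proxy is open (`ProxyRequests On`), if no `Require valid-user` is present, if Basic auth is configured on a non-TLS vhost (credentials would travel in the clear), or if `ProxyPass` does not point at Solr on 8983. The two configs embedded in it are constructed samples, not the page's config.

```shell
# Added example, not part of the LA wiki: sanity-check a Solr reverse-proxy
# vhost before "apachectl configtest && systemctl reload apache2".
# Usage: la_vhost_check < /etc/apache2/sites-available/index.example.org.conf

la_vhost_check() {
  cfg=$(cat)
  rc=0
  # 1. ProxyRequests must be Off, otherwise Apache is an open forward proxy.
  if ! printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+Off([[:space:]]|$)'; then
    echo 'FAIL: ProxyRequests is not Off (open forward proxy)'; rc=1
  fi
  # 2. Something must require authentication.
  if ! printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user'; then
    echo 'FAIL: no "Require valid-user", the Solr admin UI is unauthenticated'; rc=1
  fi
  # 3. Basic auth only makes sense over TLS: the vhost must be on :443.
  if ! printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*<VirtualHost[^>]*:443>'; then
    echo 'FAIL: Basic auth vhost is not on :443 (credentials sent in clear)'; rc=1
  fi
  # 4. The backend must be Solr on 8983 (ProxyPassReverse does not match this).
  if ! printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]+http://[^/[:space:]]+:8983/'; then
    echo 'FAIL: ProxyPass does not target Solr on :8983'; rc=1
  fi
  [ "$rc" -eq 0 ] && echo 'OK: vhost looks like a protected Solr proxy'
  return $rc
}

# Constructed sample: the good shape.
GOOD_CFG='<VirtualHost *:443>
    ProxyRequests Off
    <Location />
        AuthType Basic
        Require valid-user
    </Location>
    ProxyPass / http://10.0.0.20:8983/
    ProxyPassReverse / http://10.0.0.20:8983/
</VirtualHost>'

# Constructed sample: plain HTTP, open proxy, no auth requirement.
BAD_CFG='<VirtualHost *:80>
    ProxyRequests On
    <Location />
        AuthType Basic
    </Location>
    ProxyPass / http://10.0.0.20:8983/
</VirtualHost>'

# Demo run (guarded so a failing check does not abort a "set -e" shell):
if printf '%s\n' "$GOOD_CFG" | la_vhost_check; then :; fi
if printf '%s\n' "$BAD_CFG" | la_vhost_check; then :; fi
```

The check is deliberately textual; it complements rather than replaces `apachectl configtest`, which validates syntax but says nothing about whether the result is an open proxy.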

Other recommendations

Use fail2ban to prevent brute-force attacks on those services (HTTP/S and SSH authentication). If you use WordPress on your node, there is also a good fail2ban WordPress plugin that integrates well with fail2ban.
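To see what fail2ban's `apache-auth` jail actually reacts to, here is an added example (not from the LA wiki) of the same detection done by hand over an Apache combined-format access log: count HTTP 401 responses per client IP and report the addresses at or above a threshold. It is useful both to confirm that the Basic auth vhost is logging failures where fail2ban expects them and to look back at a log from before the jail was enabled. The log lines embedded below are constructed sample data using documentation IP ranges.

```shell
# Added example, not part of the LA wiki: one-off brute-force detection on an
# Apache "combined" access log, mirroring fail2ban's apache-auth filter.
# Usage: la_find_auth_bruteforce 5 < /var/log/apache2/access.log

la_find_auth_bruteforce() {
  # $1 = number of 401s from one IP that counts as brute force (default 5);
  # log lines are read from stdin.
  threshold=${1:-5}
  # Combined format: ip ident user [date tz] "method path proto" status bytes ...
  # so whitespace-splitting puts the status code in field 9.
  awk -v t="$threshold" '
    $9 == 401 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
  ' | sort
}

# Constructed sample log: 203.0.113.7 hammers the login, 198.51.100.9 mistypes
# once and then logs in as "admin".
SAMPLE_LOG='203.0.113.7 - - [01/Nov/2019:10:00:01 +0000] "GET /solr/ HTTP/1.1" 401 381 "-" "curl/7.64.1"
203.0.113.7 - - [01/Nov/2019:10:00:02 +0000] "GET /solr/ HTTP/1.1" 401 381 "-" "curl/7.64.1"
198.51.100.9 - - [01/Nov/2019:10:00:02 +0000] "GET /solr/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2019:10:00:03 +0000] "GET /solr/ HTTP/1.1" 401 381 "-" "curl/7.64.1"
198.51.100.9 - admin [01/Nov/2019:10:00:05 +0000] "GET /solr/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2019:10:00:04 +0000] "GET /solr/ HTTP/1.1" 401 381 "-" "curl/7.64.1"
203.0.113.7 - - [01/Nov/2019:10:00:05 +0000] "GET /solr/ HTTP/1.1" 401 381 "-" "curl/7.64.1"'

# Demo: only the repeat offender is reported at threshold 3.
printf '%s\n' "$SAMPLE_LOG" | la_find_auth_bruteforce 3   # -> 203.0.113.7 5
```

fail2ban adds what this script lacks: a time window (`findtime`), the ban itself, and automatic unbanning after `bantime`; the counting logic is the same, so if this script finds nothing in a log you know contains failed logins, check that the vhost's `CustomLog` is the file the jail is watching.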

Other resources
