Security

If your VuFind system takes sensitive information as input (for example, if you use a shared authentication method and want to protect passwords from being sent in plain text), you may want to consider putting it behind SSL so that communications are encrypted.

SSL configuration is beyond the scope of this document, but a lot of helpful resources exist on the web. For example, the Building a Secure RedHat Apache Server HOWTO is a good starting point (and relevant beyond just RedHat).

Once you have SSL configured, if you want to force VuFind to always run behind SSL, you can add these lines above the other RewriteRules in your Apache configuration in httpd-vufind.conf to force a redirect of non-SSL traffic to SSL URLs:

    # Ensure that we are under SSL:
    RewriteCond   %{SERVER_PORT} !^443$
    RewriteRule   ^.*$                          https://%{SERVER_NAME}%{REQUEST_URI}  [L,R]

To ensure that your data is secure, it is advised that you lock down the solr server to only be accessible from your local webserver. The default port is 8080. This port should be locked down to eliminate security threats to your data.

If necessary, you can change the port number used by Solr by following these steps:

Edit the file solr/jetty/etc/jetty.xml under your VuFind installation and change this line:

<Set name="port"><SystemProperty name="jetty.port" default="8080"/></Set>

Edit the solr.hosturl setting in the import/import.properties file (and also import/import_auth.properties, if you plan on importing authority records):

solr.hosturl = http://localhost:8080/solr/biblio/update

Edit the [Statistics] and/or [Index] sections of the web/conf/config.ini files as appropriate:

[Statistics]
...
solr            = http://localhost:8080/solr
...
[Index]
...
url             = http://localhost:8080/solr

Restart the VuFind process so the changes can take effect; i.e., in Linux, switch to the VuFind directory and run:

./vufind.sh restart

VuFind includes an administration module (accessible through http://your_vufind_url/Admin/Home). This is useful, but it can be dangerous in the wrong hands. To protect yourself, consider these points:

• By default, this has an administrative password of “admin.” You should change this by modifying the web/services/Admin/.htpasswd file (see this Apache documentation page for more details on htpasswd).
• There is a rule in the http-vufind.conf Apache configuration file in the root of your VuFind installation which specifies which directory needs to be password-protected. If you have installed VuFind at a path other than ”/vufind”, you will need to change this rule to reflect the correct path in order to avoid security gaps! The section to change begins with: <Location ~ ”/vufind/Admin/.+”> or <Location ~ ”/[Vv][Uu][Ff][Ii][Nn][Dd]/[Aa][Dd][Mm][Ii][Nn]/.+”>. Simply change the regular expression here to match your layout; more details on the Location directive can be found in the Apache manual. In a Windows or other environment with case-insensitive filenames, be sure to make your regular expression case-insensitive (i.e. like the second of the two example <Location> settings above).
• The Admin module is a good candidate for SSL protection (to prevent your access password from being guessed). See the SSL section earlier in this document for details.
• If you do not plan on using the Admin module, you can disable it completely by removing the code in web/services/Admin from your server. This is the safest option by far!
• Starting with VuFind version 1.1, it is possible to disable the Admin module from within config.ini, and the module is disabled by default.