Warning: This page has not been updated in over over a year and may be outdated or deprecated.
administration:security
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
administration:security [2020/06/29 12:11] – demiankatz | administration:security [2023/03/08 19:00] – demiankatz | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Security ====== | ====== Security ====== | ||
+ | |||
+ | ===== Unix Accounts and Permissions ===== | ||
+ | |||
+ | Since VuFind® has a variety of command-line utilities for maintenance, | ||
+ | |||
+ | ==== Creating a System Account for VuFind® ==== | ||
+ | |||
+ | First, decide on a name for your VuFind user. For the example below, we will use " | ||
+ | |||
+ | <code bash> | ||
+ | sudo useradd -r -s / | ||
+ | </ | ||
+ | |||
+ | The -r switch designates this as a system account, the -s switch sets the login shell to prevent users from logging into the account, and the -U switch creates a group to match the username. | ||
+ | |||
+ | ==== Changing File Ownership ==== | ||
+ | |||
+ | Once the account is created, you can change the ownership of your VuFind® files to belong to the new user. However, you need to be careful not to interfere with Apache-related permissions in the cache directory while making sure that the separate cache for command-line utilities is owned by the new user. The easiest way to do this, if you're modifying a working installation of VuFind®, is to follow these steps: | ||
+ | |||
+ | 1.) Look up the current owner of the Apache cache by doing a detailed listing of the cache directory: | ||
+ | |||
+ | <code bash> | ||
+ | ls -l $VUFIND_LOCAL_DIR/ | ||
+ | </ | ||
+ | |||
+ | The username is most likely '' | ||
+ | |||
+ | 2.) Change ownership of the entire VuFind® directory to your new service user, then change the cache back to the appropriate ownership, then adjust the command-line cache. This requires three commands, but you should run them in rapid sequence to avoid disruption to your system: | ||
+ | |||
+ | <code bash> | ||
+ | sudo chown -R vufind: | ||
+ | sudo chown -R apache: | ||
+ | sudo chown -R vufind: | ||
+ | </ | ||
+ | |||
+ | Note that this example assumes an Apache user of " | ||
+ | |||
+ | ==== Setting Up Cron Jobs ==== | ||
+ | |||
+ | In most Unix-based systems, every user can potentially be configured to run its own cron jobs. Assuming that you have this configured correctly, you can simply switch to the user you wish to modify, and run the '' | ||
+ | |||
+ | <code bash> | ||
+ | sudo su vufind | ||
+ | crontab -e | ||
+ | </ | ||
===== Using SSL ===== | ===== Using SSL ===== | ||
- | If your VuFind | + | If your VuFind® |
SSL configuration is beyond the scope of this document, but a lot of helpful resources exist on the web. For example, the [[http:// | SSL configuration is beyond the scope of this document, but a lot of helpful resources exist on the web. For example, the [[http:// | ||
- | Once you have SSL configured, if you want to force VuFind | + | Once you have SSL configured, if you want to force VuFind® |
< | < | ||
Line 15: | Line 60: | ||
</ | </ | ||
- | IMPORTANT: If you change | + | IMPORTANT: If you change |
===== Locking Down Solr ===== | ===== Locking Down Solr ===== | ||
- | To ensure that your data is secure, it is advised that you lock down the Solr server to only be accessible from your local webserver. The default port is 8983 in VuFind | + | To ensure that your data is secure, it is advised that you configure your firewall to lock down the Solr server to only be accessible from your local webserver. The default port is 8983 in VuFind® |
+ | It is also strongly recommended that you use a dedicated user account to run Solr, to limit the Solr application' | ||
+ | |||
+ | Instructions for creating a dedicated Solr account and changing the Solr port number can be found below. | ||
+ | |||
+ | ==== Creating a Dedicated Solr User ==== | ||
+ | |||
+ | === 1. Create the user account === | ||
+ | |||
+ | First, decide on a name for your Solr user. For the example below, we will use " | ||
+ | |||
+ | <code bash> | ||
+ | sudo useradd -r -s / | ||
+ | </ | ||
+ | |||
+ | The -r switch designates this as a system account, the -s switch sets the login shell to prevent users from logging into the account, and the -U switch creates a group to match the username. | ||
+ | |||
+ | === 2. Change the ownership of the Solr directories === | ||
+ | |||
+ | If you are going to run Solr using the new user account, you need to make sure that the Solr files have appropriate ownership: | ||
+ | |||
+ | <code bash> | ||
+ | sudo chown -R solr:solr $VUFIND_HOME/ | ||
+ | </ | ||
+ | |||
+ | === 3. Use the new user account to run Solr === | ||
+ | |||
+ | If you are manually starting Solr, you can switch to the new account to start the system: | ||
+ | |||
+ | <code bash> | ||
+ | sudo su solr | ||
+ | cd $VUFIND_HOME | ||
+ | ./solr.sh start | ||
+ | </ | ||
+ | |||
+ | If you are automatically starting Solr, make sure that your configuration includes the appropriate username. See the [[/ | ||
==== Changing the Solr Port Number ==== | ==== Changing the Solr Port Number ==== | ||
Line 26: | Line 106: | ||
=== 1. Reconfigure Solr === | === 1. Reconfigure Solr === | ||
- | If using VuFind | + | If using VuFind® |
- | If using VuFind | + | If using VuFind® |
- | === 2. Reconfigure | + | === 2. Reconfigure |
You will need to adjust a few configuration files to reflect the new port number you have chosen. | You will need to adjust a few configuration files to reflect the new port number you have chosen. | ||
Line 36: | Line 116: | ||
== A. SolrMarc Import Configuration == | == A. SolrMarc Import Configuration == | ||
- | If you use SolrMarc to import MARC records, you must edit the solr.hosturl setting in the import/ | + | If you use SolrMarc to import MARC records, you must edit the solr.hosturl setting in the import/ |
< | < | ||
Line 42: | Line 122: | ||
</ | </ | ||
- | == B. VuFind | + | == B. VuFind® |
- | To ensure that VuFind | + | To ensure that VuFind® |
< | < | ||
[Index] | [Index] | ||
Line 61: | Line 141: | ||
===== Locking Down the Admin Panel ===== | ===== Locking Down the Admin Panel ===== | ||
- | VuFind | + | VuFind® |
+ | |||
+ | ===== Proxies and IP Authentication ===== | ||
+ | |||
+ | If you rely on IP authentication for setting VuFind® permissions, | ||
+ | |||
+ | It may be possible to work around this problem through careful configuration of your proxy (e.g. by making it filter out these headers from incoming requests) and use of the [[https:// | ||
+ | |||
+ | In case this approach is not possible, starting with VuFind® 7.0.1, the config.ini [Proxy] section contains allow_forwarded_ips and forwarded_ip_filter settings which can be used to control how VuFind® identifies IP addresses based on HTTP headers. The full details on configuration options can be found in the comments in that file. | ||
+ | |||
+ | By default, all IP-forwarding headers are ignored, but by turning on allow_forwarded_ips, | ||
+ | |||
+ | If you plan to use this feature, you should install one of the many available browser plugins for editing HTTP headers, and determine exactly how your proxy behaves when receiving falsified headers. (A quick way to do to this is to var_dump the $_SERVER superglobal in a PHP script that you can access through your proxy). Based on this information, | ||
===== Securing User Credentials ===== | ===== Securing User Credentials ===== | ||
- | VuFind | + | VuFind® |
+ | |||
+ | When using some [[configuration: | ||
===== Using a Content Security Policy ===== | ===== Using a Content Security Policy ===== | ||
- | Starting with VuFind | + | Starting with VuFind® |
---- struct data ---- | ---- struct data ---- | ||
+ | properties.Page Owner : | ||
---- | ---- | ||
administration/security.txt · Last modified: 2024/05/22 17:27 by demiankatz