Differences

This shows you the differences between two versions of the page.

--- administration:security [2023/03/08 19:03] – [Creating a Dedicated Solr User] demiankatz
+++ administration:security [2023/06/30 11:02] – [Allowing Access to the Solr Host] demiankatz
@@ Line 25: / Line 25: @@
 </code>
-The username is most likely ''apache'' or ''www-data''. Make note of it.
+The username is most likely ''apache'' (if you are using an RPM-based Linux flavor) or ''www-data'' (for Debian-based Linux flavors). Make note of it.
 .) Change ownership of the entire VuFind® directory to your new service user, then change the cache back to the appropriate ownership, then adjust the command-line cache. This requires three commands, but you should run them in rapid sequence to avoid disruption to your system:
@@ Line 35: / Line 35: @@
 </code>
-Note that this example assumes an Apache user of "apache" but you should replace "apache" with the username you noted in step 1.
+:!: Note that this example assumes an Apache user of "apache" but you should replace "apache" with the username you noted in step 1.
 ==== Setting Up Cron Jobs ====
@@ Line 42: / Line 42: @@
 <code bash>
-sudo su vufind
+sudo su vufind -s /usr/bin/bash
 crontab -e
 </code>
+Note that in this example, we specify which shell to use when switching to the vufind user, since in the example above, we set a "nologin" shell as the default. We need to override that to avoid an error message about the account being unavailable. If you set up the user with a different default shell, you can skip this parameter (but the account may be less secure under certain circumstances).
 ===== Using SSL =====
@@ Line 91: / Line 93: @@
 <code bash>
-sudo su solr
+sudo su solr -s /usr/bin/bash
 cd $VUFIND_HOME
 ./solr.sh start
 </code>
+See the note under [[administration:security#setting_up_cron_jobs|setting up cron jobs]] above for an explanation of the -s switch on su.
 If you are automatically starting Solr, make sure that your configuration includes the appropriate username. See the [[/administration:starting_and_stopping_solr|Starting and Stopping Solr]] page for more details.
@@ Line 135: / Line 139: @@
 [[administration:starting_and_stopping_solr#restarting_solr_manually|Restart the Solr process]] so the changes can take effect.
+==== Allowing Access to the Solr Host ====
+Starting with Solr 9 (and thus affecting VuFind® releases 9.0 and later), Solr will only allow "localhost" connections by default. If you wish to access Solr from another server or workstation, you will need to choose one of these solutions:
+=== Option 1: Reconfigure SOLR_JETTY_HOST ===
+If you want to permanently allow Solr to accept connections using a hostname other than "localhost," you can set the SOLR_JETTY_HOST environment variable to control this behavior. If you set the variable to "0.0.0.0" it will accept connections using any name. If you set the variable to a specific hostname, then ONLY that hostname will be allowed (e.g. if you set SOLR_JETTY_HOST to "myserver.myuniversity.edu" then "localhost" connections will stop working, and all Solr traffic must use the hostname). See [[https://solr.apache.org/guide/solr/latest/deployment-guide/taking-solr-to-production.html#security-considerations|Taking Solr to Production]] for more details.
+=== Option 2: Use SSH Tunneling ===
+If you only want to temporarily access Solr from another location, you can do so without loosening security by opening an SSH tunnel to expose the Solr port on another machine, effectively allowing "localhost" access remotely. SSH tunneling is available through the standard Unix ssh command line tool and through graphical clients like PuTTY. It is beyond the scope of this documentation to explain SSH tunneling in detail, but if you use a search engine to look for "SSH tunnel" and your client or operating system of choice, you should be able to find a wealth of tutorials on the subject.
 ===== Locking Down the Admin Panel =====