| Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
| administration:security [2018/05/21 15:53] – [Changing the Solr Port Number] demiankatz | administration:security [2020/03/23 11:00] – [Changing the Solr Port Number] demiankatz |
|---|
| === 1. Reconfigure Solr === | === 1. Reconfigure Solr === |
| |
| :!: If using VuFind 3.0 or newer, the Solr port number is controlled by the SOLR_PORT environment variable; just set this before [[administration:starting_and_stopping_solr|starting Solr]] (e.g. with "export SOLR_PORT=xxxx") and the server will run on the desired port. | If using VuFind 3.0 or newer, the Solr port number is controlled by the SOLR_PORT environment variable; just set this before [[administration:starting_and_stopping_solr|starting Solr]] (e.g. with "export SOLR_PORT=xxxx") and the server will run on the desired port. |
| |
| If using VuFind 2.x or earlier, you can change the port number used by Solr by editing the file solr/jetty/etc/jetty.xml under your VuFind installation and changing this line: | If using VuFind 2.x or earlier, you can change the port number used by Solr by editing the file solr/jetty/etc/jetty.xml under your VuFind installation and changing the jetty.port SystemProperty. |
| | |
| <code xml> | |
| <Set name="port"><SystemProperty name="jetty.port" default="8080"/></Set> | |
| </code> | |
| |
| === 2. Reconfigure VuFind === | === 2. Reconfigure VuFind === |
| [[administration:starting_and_stopping_solr#restarting_solr_manually|Restart the Solr process]] so the changes can take effect. | [[administration:starting_and_stopping_solr#restarting_solr_manually|Restart the Solr process]] so the changes can take effect. |
| |
| ===== Locking Down the Admin Panel (VuFind 1.x) ===== | ===== Locking Down the Admin Panel ===== |
| | |
| VuFind 1.x includes an administration module (accessible through http://your_vufind_url/Admin/Home). This is useful, but it can be dangerous in the wrong hands. To protect yourself, consider these points: | |
| | |
| * By default, this has an administrative password of "admin." The username is also "admin." You should change this by modifying the web/services/Admin/.htpasswd file (see this [[http://httpd.apache.org/docs/2.0/programs/htpasswd.html|Apache documentation page]] for more details on htpasswd). | |
| * There is a rule in the http-vufind.conf Apache configuration file in the root of your VuFind installation which specifies which directory needs to be password-protected. If you have installed VuFind at a path other than "/vufind", you will need to change this rule to reflect the correct path in order to avoid security gaps! The section to change begins with: <Location ~ "/vufind/Admin/.+"> or <Location ~ "/[Vv][Uu][Ff][Ii][Nn][Dd]/[Aa][Dd][Mm][Ii][Nn]/.+">. Simply change the regular expression here to match your layout; more details on the Location directive can be found in the [[http://httpd.apache.org/docs/2.0/mod/core.html#location|Apache manual]]. In a Windows or other environment with case-insensitive filenames, be sure to make your regular expression case-insensitive (i.e. like the second of the two example <Location> settings above). | |
| * The Admin module is a good candidate for SSL protection (to prevent your access password from being guessed). See the SSL section earlier in this document for details. | |
| * If you do not plan on using the Admin module, you can disable it completely by removing the code in web/services/Admin from your server. This is the safest option by far! | |
| * Starting with VuFind version 1.1, it is possible to disable the Admin module from within config.ini, and the module is disabled by default. | |
| | |
| ===== Locking Down the Admin Panel (VuFind 2.x) ===== | |
| |
| The admin module in VuFind 2.x is less dangerous than the one found in VuFind 1.x. It no longer uses the Apache-based password protection scheme. Instead, a new [AdminAuth] section in [[configuration:files:config.ini]] allows access to be restricted by IP range and/or VuFind username. The entire module can still be disabled using the System/admin_enabled setting if desired. | VuFind includes an administration module (accessible through <nowiki>http://your_vufind_url/Admin/Home</nowiki>). This is useful, but it should not be exposed to the general public. The access.AdminModule [[configuration:permission_options|permission]] can be used to grant granular control to the module. The entire module can still be disabled using the System/admin_enabled setting if desired. |
| |
| ===== Securing User Credentials ===== | ===== Securing User Credentials ===== |
| |
| VuFind stores some user information in its database. Starting with VuFind 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials. The settings are off by default in [[configuration:files:config.ini]], but they can be enabled through VuFind's auto-configuration pages. Enabling security is highly recommended, but since it breaks backward-compatibility with VuFind 1.x, it should only be done after you are committed to moving forward permanently to 2.x. | VuFind stores some user information in its database. Starting with VuFind 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials. The settings are off by default in [[configuration:files:config.ini]], but they can be enabled through VuFind's auto-configuration pages. Enabling security is highly recommended. |
| ---- struct data ---- | ---- struct data ---- |
| ---- | ---- |
| |
