About Features Downloads Getting Started Documentation Events Support GitHub

Love VuFind®? Consider becoming a financial supporter. Your support helps build a better VuFind®!

Site Tools


Warning: This page has not been updated in over over a year and may be outdated or deprecated.
administration:security

This is an old revision of the document!


Security

Using SSL

If your VuFind system takes sensitive information as input (for example, if you use a shared authentication method and want to protect passwords from being sent in plain text), you may want to consider putting it behind SSL so that communications are encrypted.

SSL configuration is beyond the scope of this document, but a lot of helpful resources exist on the web. For example, the Building a Secure RedHat Apache Server HOWTO is a good starting point (and relevant beyond just RedHat).

Once you have SSL configured, if you want to force VuFind to always run behind SSL, you can add these lines above the other RewriteRules in your Apache configuration in httpd-vufind.conf to force a redirect of non-SSL traffic to SSL URLs:

    # Ensure that we are under SSL:
    RewriteCond   %{SERVER_PORT} !^443$
    RewriteRule   ^.*$                          https://%{SERVER_NAME}%{REQUEST_URI}  [L,R]

IMPORTANT: If you change VuFind to run under SSL, don't forget to adjust your base URL in config.ini accordingly.

Locking Down Solr

To ensure that your data is secure, it is advised that you lock down the Solr server to only be accessible from your local webserver. The default port is 8983 in VuFind 7 and newer, 8080 in 6.x and earlier. This port should be locked down to eliminate security threats to your data.

Changing the Solr Port Number

1. Reconfigure Solr

If using VuFind 3.0 or newer, the Solr port number is controlled by the SOLR_PORT environment variable; just set this before starting Solr (e.g. with “export SOLR_PORT=xxxx”) and the server will run on the desired port.

If using VuFind 2.x or earlier, you can change the port number used by Solr by editing the file solr/jetty/etc/jetty.xml under your VuFind installation and changing the jetty.port SystemProperty.

2. Reconfigure VuFind

You will need to adjust a few configuration files to reflect the new port number you have chosen.

A. SolrMarc Import Configuration

If you use SolrMarc to import MARC records, you must edit the solr.hosturl setting in the import/import.properties file (and also import/import_auth.properties, if you plan on importing authority records). Be sure to edit the versions in your local settings directory if using VuFind 2.x or newer.

solr.hosturl = http://localhost:xxxx/solr/biblio/update
B. VuFind Configuration

To ensure that VuFind can perform Solr searches, edit the [Index] section of the config.ini file as appropriate:

[Index]
...
url             = http://localhost:xxxx/solr
C. Other Configuration Files

Some advanced features (such as website searching) can be configured to connect to a different index from the one specified in config.ini. If you have customized this, you may need to adjust additional settings. Searching the $VUFIND_LOCAL_DIR/config/vufind directory for the old port number is a good way to be sure you haven't missed anything.

3. Restart Solr

Restart the Solr process so the changes can take effect.

Locking Down the Admin Panel

VuFind includes an administration module (accessible through http://your_vufind_url/Admin/Home). This is useful, but it should not be exposed to the general public. The access.AdminModule permission can be used to grant granular control to the module. The entire module can still be disabled using the System/admin_enabled setting if desired.

Securing User Credentials

VuFind stores some user information in its database. Starting with VuFind 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials. The settings are off by default in config.ini, but they can be enabled through VuFind's auto-configuration pages. Enabling security is highly recommended.

Using a Content Security Policy

Starting with VuFind 7.0, you can configure a content security policy to protect against cross-site scripting and other vulnerabilities. See the content security policy page for more details.

administration/security.1593432691.txt.gz · Last modified: 2020/06/29 12:11 by demiankatz