Warning: This page has not been updated in over over a year and may be outdated or deprecated.
administration:security
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
administration:security [2022/10/18 17:05] – demiankatz | administration:security [2024/02/20 13:09] (current) – [Security] demiankatz | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Security ====== | + | ====== Security |
+ | |||
+ | ===== Unix Accounts and Permissions ===== | ||
+ | |||
+ | Since VuFind® has a variety of command-line utilities for maintenance, | ||
+ | |||
+ | ==== Creating a System Account for VuFind® ==== | ||
+ | |||
+ | First, decide on a name for your VuFind user. For the example below, we will use " | ||
+ | |||
+ | <code bash> | ||
+ | sudo useradd -r -s / | ||
+ | </ | ||
+ | |||
+ | The -r switch designates this as a system account, the -s switch sets the login shell to prevent users from logging into the account, and the -U switch creates a group to match the username. | ||
+ | |||
+ | ==== Changing File Ownership ==== | ||
+ | |||
+ | Once the account is created, you can change the ownership of your VuFind® files to belong to the new user. However, you need to be careful not to interfere with Apache-related permissions in the cache directory while making sure that the separate cache for command-line utilities is owned by the new user. The easiest way to do this, if you're modifying a working installation of VuFind®, is to follow these steps: | ||
+ | |||
+ | 1.) Look up the current owner of the Apache cache by doing a detailed listing of the cache directory: | ||
+ | |||
+ | <code bash> | ||
+ | ls -l $VUFIND_LOCAL_DIR/ | ||
+ | </ | ||
+ | |||
+ | The username is most likely '' | ||
+ | |||
+ | 2.) Change ownership of the entire VuFind® directory to your new service user, then change the cache back to the appropriate ownership, then adjust the command-line cache. This requires three commands, but you should run them in rapid sequence to avoid disruption to your system: | ||
+ | |||
+ | <code bash> | ||
+ | sudo chown -R vufind: | ||
+ | sudo chown -R apache: | ||
+ | sudo chown -R vufind: | ||
+ | </ | ||
+ | |||
+ | :!: Note that this example assumes an Apache user of " | ||
+ | |||
+ | ==== Setting Up Cron Jobs ==== | ||
+ | |||
+ | In most Unix-based systems, every user can potentially be configured to run its own cron jobs. Assuming that you have this configured correctly, you can simply switch to the user you wish to modify, and run the '' | ||
+ | |||
+ | <code bash> | ||
+ | sudo su vufind -s / | ||
+ | crontab -e | ||
+ | </ | ||
+ | |||
+ | Note that in this example, we specify which shell to use when switching to the vufind user, since in the example above, we set a " | ||
===== Using SSL ===== | ===== Using SSL ===== | ||
Line 19: | Line 66: | ||
===== Locking Down Solr ===== | ===== Locking Down Solr ===== | ||
- | To ensure that your data is secure, it is advised that you lock down the Solr server to only be accessible from your local webserver. The default port is 8983 in VuFind® 7 and newer, 8080 in 6.x and earlier. This port should be locked down to eliminate security threats to your data. | + | To ensure that your data is secure, it is advised that you configure your firewall to lock down the Solr server to only be accessible from your local webserver. The default port is 8983 in VuFind® 7 and newer, 8080 in 6.x and earlier. This port should be locked down to eliminate security threats to your data. |
+ | It is also strongly recommended that you use a dedicated user account to run Solr, to limit the Solr application' | ||
+ | |||
+ | Instructions for creating a dedicated Solr account and changing the Solr port number can be found below. | ||
+ | |||
+ | ==== Creating a Dedicated Solr User ==== | ||
+ | |||
+ | === 1. Create the user account === | ||
+ | |||
+ | First, decide on a name for your Solr user. If you have already [[# | ||
+ | |||
+ | If you want to fully isolate Solr by creating a user named solr, just repeat the useradd command described under [[# | ||
+ | |||
+ | === 2. Change the ownership of the Solr directories === | ||
+ | |||
+ | If you are going to run Solr using the new user account, you need to make sure that the Solr files have appropriate ownership: | ||
+ | |||
+ | <code bash> | ||
+ | sudo chown -R solr:solr $VUFIND_HOME/ | ||
+ | </ | ||
+ | |||
+ | === 3. Use the new user account to run Solr === | ||
+ | |||
+ | If you are manually starting Solr, you can switch to the new account to start the system: | ||
+ | |||
+ | <code bash> | ||
+ | sudo su solr -s / | ||
+ | cd $VUFIND_HOME | ||
+ | ./solr.sh start | ||
+ | </ | ||
+ | |||
+ | See the note under [[administration: | ||
+ | |||
+ | If you are automatically starting Solr, make sure that your configuration includes the appropriate username. See the [[/ | ||
==== Changing the Solr Port Number ==== | ==== Changing the Solr Port Number ==== | ||
Line 59: | Line 139: | ||
[[administration: | [[administration: | ||
+ | ==== Allowing Access to the Solr Host ==== | ||
+ | |||
+ | Starting with Solr 9 (and thus affecting VuFind® releases 9.0 and later), Solr will only allow " | ||
+ | |||
+ | === Option 1: Reconfigure SOLR_JETTY_HOST === | ||
+ | |||
+ | If you want to permanently allow Solr to accept connections using a hostname other than " | ||
+ | |||
+ | === Option 2: Use SSH Tunneling === | ||
+ | |||
+ | If you only want to temporarily access Solr from another location, you can do so without loosening security by opening an SSH tunnel to expose the Solr port on another machine, effectively allowing " | ||
===== Locking Down the Admin Panel ===== | ===== Locking Down the Admin Panel ===== | ||
Line 78: | Line 169: | ||
VuFind® stores some user information in its database. | VuFind® stores some user information in its database. | ||
+ | |||
+ | VuFind® also supports configuration settings to enforce length and content restrictions on usernames and passwords. Review the settings in the [Authentication] section of [[configuration: | ||
When using some [[configuration: | When using some [[configuration: | ||
Line 84: | Line 177: | ||
Starting with VuFind® 7.0, you can configure a [[administration: | Starting with VuFind® 7.0, you can configure a [[administration: | ||
+ | |||
+ | ===== General Best Practices ===== | ||
+ | |||
+ | ==== Stay Up to Date ==== | ||
+ | |||
+ | VuFind® generally puts out one major and one minor release each year, plus patch releases as necessary. Maintaining your VuFind® instance ensures that you receive the latest security fixes and that your instance remains compatible with the latest versions of all of its dependencies. | ||
+ | |||
+ | You should also be sure to keep your dependencies up to date through necessary operating system patching and upgrading. Make sure that you are running VuFind® in combination with up-to-date and supported versions of Linux, Apache, PHP, etc. | ||
+ | |||
+ | ==== Don't Leave Autoconfiguration Turned On ==== | ||
+ | |||
+ | It's necessary to put VuFind® into " | ||
+ | |||
+ | On a related note, while it is sometimes necessary to give Apache ownership of your configuration files to allow it to write updates to disk during autoconfiguration, | ||
---- struct data ---- | ---- struct data ---- | ||
properties.Page Owner : | properties.Page Owner : | ||
---- | ---- | ||
administration/security.1666112709.txt.gz · Last modified: 2022/10/18 17:05 by demiankatz