Cannot access SOLR remotely

1,262 views
Skip to first unread message

Donald Bynum

unread,
Nov 7, 2016, 1:33:15 PM11/7/16
to DSpace Technical Support
I have DSpace 5.5 on Tomcat with Oracle as the DB.  I want to run some SOLR queries from a remote client, i.e. NOT running on the Tomcat server as localhost.  I need to do this in order to create some remote reporting functions.  Accessing SOLR on the Tomcat server as localhost is just fine: http://localhost:8080/solr/...

When I try the same from a remote client:  http://myserver.thing.org:8080/solr... I get a 403 error - "Access to the specified resource has been forbidden."

Any guidance here would be much appreciated.

Regards,

Don.


Bruno Nocera Zanette

unread,
Nov 7, 2016, 2:31:47 PM11/7/16
to Donald Bynum, DSpace Technical Support
Donald,
This is the expected behavior for SOLR, for security reasons.

Take a look at this wiki to learn how to bypass this restriction:
https://wiki.duraspace.org/display/DSPACE/Solr#Solr-Bypassinglocalhostrestrictiontemporarily

--
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To post to this group, send email to dspac...@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.
--
Bruno Nocera Zanette
+55 41 9992-2508

Donald Bynum

unread,
Nov 8, 2016, 9:47:12 AM11/8/16
to DSpace Technical Support, byn...@gmail.com
Hi Bruno,

I am running Tomcat 8 and I have updated my server.xml as the wiki suggested.  Here is what my <Engine> container looks like now (I highlighted what I added):

    <Engine name="Catalina" defaultHost="localhost">
      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->
      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->
        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
              
        <Context path="/solr" reloadable="true"> 
         <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1|10\.84\.244\.d+|10\.175\.d+\.d+" /> 
         <Parameter name="LocalHostRestrictionFilter.localhost" value="false" override="false" /> 
        </Context>

      </Host>
    </Engine>

I have restarted Tomcat, but now the SOLR instance returns ""Access to the specified resource has been forbidden."  for all access attempts, including localhost.  Further guidance would be much appreciated.

Regards,

Don.

Chris Gray

unread,
Nov 8, 2016, 9:51:50 AM11/8/16
to DSpace Technical Support
Solr should never be exposed to the Web.  It is the full administrative interface for Solr and has no authority control.  Making it available on the Web would be huge vulnerability.

Solr is only accessible from localhost.  You can access it by setting up an SSH tunnel from your machine to the server and then access the Solr interface via the tunnel.

Bruno Nocera Zanette

unread,
Nov 8, 2016, 10:50:16 AM11/8/16
to Donald Bynum, DSpace Technical Support
Hmm.. It's a long time since i last did it and i don't remember the details anymore. But i remember that i've followed the wiki and i also struggled with this config files, and that in the end was just some minor details.

Later today i'll give it a try on my local instance to see if i get any luck.
For now, let's see if anyone have more knowledge about it.

Em ter, 8 de nov de 2016 às 13:29, Donald Bynum <byn...@gmail.com> escreveu:
Sorry, I forgot to add...

I have also tried putting the following into the  conf/Catalina/localhost/solr.xml  file and restart Tomcat:

<?xml version='1.0' encoding='utf-8'?>

<Context path="/solr" reloadable="true">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1" />

        <Parameter name="LocalHostRestrictionFilter.localhost" value="false" override="false" />
</Context>

The result is the same, no access from anywhere (including localhost)

Regards,

Don.

--


Donald E. Bynum
byn...@gmail.com
Reply all
Reply to author
Forward
0 new messages