Use Nginx basic auth to protect HTTP services like Solr
Sometimes it might be useful to add a simple permissions layer on top of an unprotected HTTP service (especially if you would like to open it to the public!). Recently we had to secure our SolrCloud install to provide read-only access to our FTS index to a partner, so they could develop their custom app using our data but without the option to accidentally (or intentionally) break the index.
I hear some of you saying something like “You should expose a REST API endpoint with a proper access token!” and, well, you are right! Unfortunately reality is not perfect, and sometimes in order to move forward you need to come up with a backup/temporary solution.
Here is our backup solution for protecting our Solr install with basic read/write permissions using Nginx magic and Basic Auth:
I think the idea should be pretty clear; the key is to discover which URLs you want to protect (hint: analyze your access logs with Logstash). It’s also a good idea to put your Nginx endpoint behind SSL, especially if it’s open to the public.
Note: if an if condition in an Nginx location evaluates to true (for example, when the user doesn’t have write or admin permission), Nginx returns 403 without processing Basic Auth, so you may need to send Basic Auth credentials with the request, or land on the / URL first to authenticate in the browser.
Note 2: the approach described here will most likely require a change to the application, since all requests to Solr will need to include an Authorization header.
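As an added example (not the post’s own configuration, which is not reproduced here), this is how the read/write split with Basic Auth can be expressed in an Nginx server block; the admin location also shows a variant that avoids the 403-before-challenge behaviour from the note above. The hostname, certificate and htpasswd paths, the Solr backend address, and the "reader"/"writer" accounts are all assumptions.

```nginx
# Added example, not the original post's config. Assumed: Solr listens on 127.0.0.1:8983,
# htpasswd files live under /etc/nginx/, and "reader"/"writer" are constructed accounts.
server {
    listen 443 ssl;
    server_name solr.example.com;                    # assumed hostname
    ssl_certificate     /etc/nginx/ssl/solr.crt;     # assumed paths
    ssl_certificate_key /etc/nginx/ssl/solr.key;

    # Every request must carry valid Basic Auth credentials;
    # solr.htpasswd holds both the reader and the writer account.
    auth_basic           "Solr";
    auth_basic_user_file /etc/nginx/solr.htpasswd;

    # Index-modifying handlers: /solr/<collection>/update (plus json/csv/extract variants),
    # and the Schema and Config APIs, which also accept modifications via POST.
    location ~ ^/solr/[^/]+/(update|schema|config) {
        # $remote_user is taken from the Authorization header in the rewrite phase,
        # before auth_basic runs, so a request without credentials gets 403 here
        # rather than a 401 challenge (the behaviour described in the note above).
        if ($remote_user != "writer") {
            return 403;
        }
        proxy_pass http://127.0.0.1:8983;
    }

    # Core/collections admin API: a separate, writer-only password file instead of an
    # "if" test. Missing or wrong credentials get a normal 401 challenge here.
    location ~ ^/solr/admin/ {
        auth_basic           "Solr admin";
        auth_basic_user_file /etc/nginx/solr-writers.htpasswd;
        proxy_pass http://127.0.0.1:8983;
    }

    # Everything else (e.g. /select) passes through for any authenticated account.
    # Extend the write list above after reviewing your access logs, as the post suggests.
    location / {
        proxy_pass       http://127.0.0.1:8983;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Create the password files with htpasswd (solr.htpasswd with both accounts, solr-writers.htpasswd with only the writer), then verify with a credential-less request to an update URL (expect 403) and to an admin URL (expect 401).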
P.S. If you are going to use Nginx in front of your Solr service, then you may benefit from simplified logging as well. Read Improve and simplify Solr logging with Nginx proxy.