Protect SOLR access from outside Docker network

Alfresco REST API urls return 403 SOLR Web Console requires Basic Auth
keensoft · Sep 14, 2018 · 5aecf92 · 5aecf92
1 parent c36c5af
commit 5aecf92
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -93,6 +93,20 @@ PG_MAX_PARALLEL_WORKERS_PER_GATHER=1
 PG_MAX_PARALLEL_WORKERS=1
 ```
 
+## SOLR Considerations
+
+Alfresco SOLR API has been protected to be accessed from outside Docker network. You can enable this URLs removing following lines at [nginx.conf](https://github.com/keensoft/docker-alfresco/blob/master/volumes/config/nginx.conf)
+
+```
+    # Protect access to SOLR APIs
+    location ~ ^(/.*/service/api/solr/.*)$ {return 403;}
+    location ~ ^(/.*/s/api/solr/.*)$ {return 403;}
+    location ~ ^(/.*/wcservice/api/solr/.*)$ {return 403;}
+    location ~ ^(/.*/wcs/api/solr/.*)$ {return 403;}    
+```
+
+SOLR Web Console (http://localhost/solr) access has been protected with Basic Auth. Default user/password is `admin/admin`, but it can be customised modifying the content of the file [nginx.htpasswd](https://github.com/keensoft/docker-alfresco/blob/master/volumes/config/nginx.htpasswd)
+
 # How to use this composition
 
 ## Start Docker

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -105,7 +105,7 @@ services:
             - content-app
             - share
         volumes:
-            - ./volumes/config/nginx.conf:/etc/nginx/conf.d/default.conf
+            - ./volumes/config:/etc/nginx/conf.d
             - ./volumes/logs/nginx:/var/log/nginx
         networks:
             - internal

diff --git a/volumes/config/nginx.conf b/volumes/config/nginx.conf
@@ -5,8 +5,10 @@ server {
     proxy_pass_request_headers on;
     proxy_pass_header Set-Cookie;
 
+    # Upload size unlimited
     client_max_body_size 0;
 
+    # SharePoint URLs for Office clients
     location  ~ (^/spp|^/_vti_bin/|^/_vti_history/|^/_vti_inf.html$) {
         proxy_pass http://alfresco:8080;
 
@@ -19,6 +21,13 @@ server {
         proxy_pass_header Set-Cookie;
     }
 
+    # Protect access to SOLR APIs
+    location ~ ^(/.*/service/api/solr/.*)$ {return 403;}
+    location ~ ^(/.*/s/api/solr/.*)$ {return 403;}
+    location ~ ^(/.*/wcservice/api/solr/.*)$ {return 403;}
+    location ~ ^(/.*/wcs/api/solr/.*)$ {return 403;}    
+
+    # Alfresco Content Application
     location / {
         proxy_pass http://content-app;
 
@@ -31,6 +40,7 @@ server {
         proxy_pass_header Set-Cookie;
     }
 
+    # Alfresco Repository
     location /alfresco/ {
         proxy_pass http://alfresco:8080;
 
@@ -43,6 +53,7 @@ server {
         proxy_pass_header Set-Cookie;
     }
 
+    # Alfresco Share Web App
     location /share/ {
         proxy_pass http://share:8080;
 
@@ -55,9 +66,14 @@ server {
         proxy_pass_header Set-Cookie;
     }
 
+    # SOLR Web Console 
     location /solr/ {
         proxy_pass http://solr6:8983;
 
+        # Basic authentication
+        auth_basic "Solr web console";
+        auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
+
         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
         proxy_redirect off;
         proxy_buffering off;

diff --git a/volumes/config/nginx.htpasswd b/volumes/config/nginx.htpasswd
@@ -0,0 +1 @@
+admin:YWG41BPzVAkN6