I have a standalone Solr install on my Ubuntu box which powers a number of Drupal sites. Out of the box the Solr admin panel is unsecured giving attackers the ability to delete, corrupt, or empty out my indexes.
To lock it down, I need to find my $SOLR_HOME folder (you can find this in the variable dump at the bottom of your Solr admin dashboard).
For me, with Solr 7.7.2, that is the /var/solr/data folder. I then create a file there called security.json with the following:
```json
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "<MY HASH>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "admin"}],
    "user-role": {"solr": "admin"}
  }
}
```
This is the basic authentication plugin from the [Solr documentation](https://lucene.apache.org/solr/guide/6_6/basic-authentication-plugin.html), but that documentation only includes a single user / pass (solr / SolrRocks) without any further explanation of how to generate a unique password and a new hash. A little digging and I found this helpful Java tool:
https://www.planetcobalt.net/sdb/solr_password_hash.shtml
It lets me create a new password and get a working hash:
```bash
java -jar SolrPasswordHash.jar NewPassword
```
I then replace `<MY HASH>` in my security.json file with that output and reload my Solr service to get it to work.
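As an added example (my own script, not the Java tool linked above or Solr's code), this reproduces the credential scheme Solr's BasicAuthPlugin expects in security.json: base64(sha256(sha256(salt || password))) with a random 32-byte salt, stored as "<hash> <salt>". It both generates a credential and verifies a password against one, so you can sanity-check a hash before reloading Solr; the function names are my own.

```python
import base64
import hashlib
import hmac
import json
import os
import sys
from typing import Optional


def solr_hash(password: str, salt_b64: str) -> str:
    """base64(sha256(sha256(salt || password))), as Solr's BasicAuthPlugin computes it."""
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode("ascii")


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Return the "<hash> <salt>" value stored under authentication.credentials.
    Solr draws a fresh 32-byte random salt per credential; a fixed salt is
    accepted here only for reproducible tests."""
    if salt is None:
        salt = os.urandom(32)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{solr_hash(password, salt_b64)} {salt_b64}"


def verify(password: str, credential: str) -> bool:
    """Check a password against a stored credential the way Solr does at login."""
    parts = credential.split(" ")
    if len(parts) != 2:
        return False  # malformed entry: missing salt or extra fields
    stored_hash, salt_b64 = parts
    return hmac.compare_digest(solr_hash(password, salt_b64), stored_hash)


def build_security_json(user: str, password: str) -> dict:
    """Assemble the same security.json shape used in this post, with a real hash."""
    return {
        "authentication": {
            "blockUnknown": True,
            "class": "solr.BasicAuthPlugin",
            "credentials": {user: make_credential(password)},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [{"name": "security-edit", "role": "admin"}],
            "user-role": {user: "admin"},
        },
    }


if __name__ == "__main__":
    # usage: python solr_cred.py <user> <password>  -> prints security.json
    print(json.dumps(build_security_json(sys.argv[1], sys.argv[2]), indent=2))
```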
The final step is to load this authentication back into my search index, which is easy using the search_api_solr module. Edit your server and turn on the basic authentication method (this is the Solr authentication plugin you defined in security.json above):
Finally, add the username and password you created in the new authentication section:
Now your Solr service will only accept requests that authenticate with this password, helping secure your indexes.