lucene-solr-user mailing list archives

From Paul Libbrecht <p...@hoplahup.net>
Subject Re: SOLR 4.0 / Jetty Security Set Up
Date Fri, 07 Sep 2012 06:50:58 GMT
Erick,

I think that should be described differently...
You need to set up protected access for some paths.
/update is one of them.
And you could make this protected at the jetty level or using Apache proxies and rewrites.

Probably /select should be kept open but you need to evaluate if that can get you in DoS attacks
if there are too big selects. If that is the case, you're left to programme an interface all
by yourself which limits and fetches from solr, or which lives inside solr (a query component)
and throws if things are too big.

paul


On 7 Sept. 2012 at 07:00, Erick Erickson wrote:

> Securing Solr pretty much universally requires that you only allow trusted
> clients to access the machines directly, usually secured with a firewall
> and allowed IP addresses; the admin handler is the least of your worries.
> 
> Consider if you let me ping solr directly, I can do something really
> annoying like:
> http://localhost:8983/solr/update?stream.body=<delete><query>office:Bridgewater</query></delete>
> 
> Best
> Erick
> 
> On Wed, Sep 5, 2012 at 2:51 AM, Paul Codman <snoozeshop@gmail.com> wrote:
>> First time Solr user and I am loving it! I have a standard Solr 4 set up
>> running under Jetty. The instructions in the Wiki do not seem to apply to
>> Solr 4 (e.g. mortbay references / section to uncomment not present in xml
>> file / etc) - could someone please advise on steps required to secure Solr
>> 4 and can someone confirm that security operates in relation to new Admin
>> interface. Thanks in advance.
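
One way to write the limiting interface described in the reply above, as an added example that is not part of the original thread or of Solr: a check that a front end runs on each untrusted request before forwarding it to Solr. The path allow-list, the blocked parameter names and the numeric limits are assumptions chosen for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed policy values, not from the thread; tune them for your index.
ALLOWED_PATHS = {"/solr/select"}   # /update and admin paths are never forwarded
BLOCKED_PREFIXES = ("stream.",)    # stream.body, stream.url, stream.file
BLOCKED_PARAMS = {"qt", "shards"}  # can re-route a request to another handler or host
MAX_ROWS = 100
MAX_START = 10_000
MAX_QUERY_CHARS = 512


def _bounded_int(params, name, default, upper):
    """Return the parameter as an int, or None if malformed, repeated or above upper."""
    values = params.get(name, [str(default)])
    text = values[0]
    if len(values) != 1 or not (text.isascii() and text.isdigit()) or len(text) > 9:
        return None
    value = int(text)
    return value if value <= upper else None


def check_request(url):
    """Return (allowed, reason) for an untrusted request URL."""
    parts = urlsplit(url)
    if parts.path not in ALLOWED_PATHS:  # exact match, so path variants fail closed
        return False, "path not exposed: " + parts.path
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in params:
        if name.startswith(BLOCKED_PREFIXES) or name in BLOCKED_PARAMS:
            return False, "parameter not allowed: " + name
    if _bounded_int(params, "rows", 10, MAX_ROWS) is None:
        return False, "rows must be an integer <= %d" % MAX_ROWS
    if _bounded_int(params, "start", 0, MAX_START) is None:
        return False, "start must be an integer <= %d" % MAX_START
    if sum(len(q) for q in params.get("q", [])) > MAX_QUERY_CHARS:
        return False, "query too long"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests; the first is the URL quoted in the thread.
    for sample in (
        "http://localhost:8983/solr/update?stream.body="
        "<delete><query>office:Bridgewater</query></delete>",
        "/solr/select?q=office:Bridgewater&rows=10",
        "/solr/select?q=*:*&rows=1000000",
    ):
        print(check_request(sample), sample)
```

This check only decides what is forwarded; Solr itself still has to be reachable only from the front end, by firewall or by protection at the Jetty or proxy level.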

