Nov 3, 2011 at 4:38 PM, Robert Petersen wrote:
> Me too!
>
> -Original Message-
> From: Walter Underwood [mailto:wun...@wunderwood.org]
> Sent: Tuesday, November 01, 2011 1:02 PM
> To: solr-user@lucene.apache.org
> Subject: Re: Questions about Solr's security
>
-Original Message-
From: Erik Hatcher [mailto:erik.hatc...@gmail.com]
Sent: Tuesday, November 01, 2011 3:50 PM
To: solr-user@lucene.apache.org
Subject: Re: Questions about Solr's security
SSL and auth doesn't address that /select can hit any request handler defined
(/select?qt=/update&strea
Yeah, actually our firewalls/load balancers can handle these issues.
If they don't, then I'll use HAProxy.
Thanks for all the info :-)
On Tue, Nov 1, 2011 at 5:42 PM, Robert Stewart wrote:
> I think you can address a lot of these concerns by running some proxy in
> front of SOLR, such as HAProxy. Yo
I think you can address a lot of these concerns by running some proxy in front
of SOLR, such as HAProxy. You should be able to limit only certain URIs (so
you can prevent /select queries). HAProxy is a free software load-balancer,
and it is very configurable and fairly easy to set up.
On No
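As an added example (not from the thread, and not HAProxy's or Solr's own configuration), here is an HAProxy frontend that does what Robert describes: it exposes a single search path over TLS, allows only GET, rejects the handler-override and stream parameters Erik warns about later in the thread, caps rows and start so a deep-paging bot cannot repeat Walter's incident, and rate-limits by source address. The certificate path, core name, backend address and the numeric limits are assumptions; the syntax assumes HAProxy 1.5 or later (urlp, urlp_val, stick-table, http-request deny).

```haproxy
# Added example, not project configuration.  Assumes HAProxy 1.5+.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend solr_public
    # Terminate TLS here; certificate path is an assumption.
    bind *:443 ssl crt /etc/haproxy/solr.pem

    # The only path phone clients may reach (core and handler name assumed).
    acl is_select   path   /solr/mobile/select
    acl is_get      method GET

    # Parameters that change which handler runs or where Solr reads from.
    acl bad_param   urlp(qt)          -m found
    acl bad_param   urlp(stream.body) -m found
    acl bad_param   urlp(stream.url)  -m found
    acl bad_param   urlp(stream.file) -m found
    acl bad_param   urlp(shards)      -m found

    # Bound the page window: start=5000-style requests are what hurt Walter.
    acl too_deep    urlp_val(start) gt 1000
    acl too_wide    urlp_val(rows)  gt 50

    # Per-source request rate over a 10 s window (limit is an assumption).
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    acl abuser      sc_http_req_rate(0) gt 100

    http-request deny unless is_select is_get
    http-request deny if bad_param or too_deep or too_wide or abuser
    default_backend solr_private

backend solr_private
    # Solr itself listens only on the private network, never on 0.0.0.0.
    server solr1 10.0.0.10:8983 check
```

Two caveats a reviewer would raise: the parameter checks are a denylist matched on exact names, and only GET is allowed because Solr also reads parameters from a POST body, so treat this as one layer and still have Solr itself refuse anything the proxy lets through. The rate limit denies outright; if false positives on shared NAT addresses matter, a tarpit or a lower per-path limit is the usual adjustment.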
Sorry, I didn't explain that part. We are the developers of the client code
too, meaning that only we know the credentials to access the web container,
and we won't run such queries.
Right now, I'm writing a subclass of SearchHandler which changes the
SolrParams to remove the 'qt' parameter and limit the
SSL and auth don't address that /select can hit any request handler defined
(/select?qt=/update&stream.body=*:*&commit=true).
Be careful!
But certainly knowing all the issues mentioned on this thread, it is possible
to lock Solr down and make it safe to hit directly. But not out of the box
I'm not sure if anybody has asked these questions before or not.
Sorry if they are duplicates.
The problem is that the clients (smart phones) of our Solr machines
are outside the network in which the Solr machines are located. So, we
need to somehow expose their service to the outside world.
What's th
I once had to deal with a severe performance problem caused by a bot that was
requesting results starting at 5000. We disallowed requests over a certain
number of pages in the front end to fix it.
wunder
On Nov 1, 2011, at 12:57 PM, Erik Hatcher wrote:
> Be aware that even /select could have s
Be aware that even /select could have some harmful effects, see
https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
Even disregarding that issue, /select is a potential gateway to any request
handler defined via /select?qt=/req_handler
Again, in general it's not a good idea to
What if we just expose '/select' paths - by firewalls and load balancers - and
also use SSL and HTTP basic or digest access control?
On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter wrote:
>
> : I was wondering if it's a good idea to expose Solr to the outside world,
> : so that our clients runni
: I was wondering if it's a good idea to expose Solr to the outside world,
: so that our clients running on smart phones will be able to use Solr.
As a general rule of thumb, I would say that it is not a good idea to
expose Solr directly to the public internet.
There are exceptions to this rule
Thanks Robert,
But do you also think limiting the page size inside a request handler is a
good solution against attackers? Honestly, I'm not sure if it's a good
solution; that doesn't save a server from attackers at all. Do you agree with
me?
We are not security experts, just developers, but any sugg
You would need to set up request handlers in solrconfig.xml to limit what types
of queries people can send to SOLR (and define things like max page size, etc.).
You need to restrict people from sending update/delete commands as well.
Then at the minimum, set up some proxy in front of SOLR that y
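As an added example (not code from the thread or from the Solr project), here is the Solr-side half of what Robert recommends above and what the original poster says they are writing: a SearchHandler subclass that forwards only an allow-list of query parameters and rejects page windows larger than the phone UI can show. It assumes the Solr 3.x/4.x handler API; the package, class, handler name and the numeric limits are assumptions. The registration snippet in the class comment is the solrconfig.xml side of the same example.

```java
// Added example, not code from the thread or the Solr project.
// Assumes the Solr 3.x/4.x handler API; names and limits are assumptions.
package com.example.solr;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import org.apache.solr.common.SolrException;
import org.apache.solr.common.params.CommonParams;
import org.apache.solr.common.params.ModifiableSolrParams;
import org.apache.solr.common.params.SolrParams;
import org.apache.solr.handler.component.SearchHandler;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.response.SolrQueryResponse;

/**
 * A SearchHandler that keeps only allow-listed parameters and bounds the
 * page window.  Register it as the one handler the proxy exposes, e.g. in
 * solrconfig.xml:
 *
 *   <requestHandler name="/mobile" class="com.example.solr.RestrictedSearchHandler"/>
 *
 * Note that /select?qt=... is resolved by Solr's request dispatcher before
 * any handler runs, so stripping qt here cannot stop that; the proxy has to
 * expose only this handler's own path and never /select.
 */
public class RestrictedSearchHandler extends SearchHandler {

    /** What a phone client needs.  qt, stream.*, shards, debugQuery are absent on purpose. */
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            CommonParams.Q, CommonParams.FQ, CommonParams.FL, CommonParams.SORT,
            CommonParams.START, CommonParams.ROWS, CommonParams.WT));

    private static final int MAX_ROWS  = 50;    // one screen of results (assumption)
    private static final int MAX_START = 1000;  // deep paging costs O(start + rows) per request

    @Override
    public void handleRequestBody(SolrQueryRequest req, SolrQueryResponse rsp) throws Exception {
        SolrParams in = req.getParams();
        ModifiableSolrParams out = new ModifiableSolrParams();

        // Copy only allow-listed parameters; everything else is dropped.
        for (Iterator<String> it = in.getParameterNamesIterator(); it.hasNext();) {
            String name = it.next();
            if (ALLOWED.contains(name)) {
                out.set(name, in.getParams(name));
            }
        }

        // Bound the page window.  getInt already answers 400 on non-numeric input.
        int rows  = in.getInt(CommonParams.ROWS, 10);
        int start = in.getInt(CommonParams.START, 0);
        if (rows < 0 || rows > MAX_ROWS || start < 0 || start > MAX_START) {
            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST,
                    "rows must be 0.." + MAX_ROWS + " and start 0.." + MAX_START);
        }
        out.set(CommonParams.ROWS, rows);
        out.set(CommonParams.START, start);

        // Hand the sanitised parameters to the normal search components.
        req.setParams(out);
        super.handleRequestBody(req, rsp);
    }
}
```

This is written for a single core: a distributed setup needs the shard-coordination parameters that this allow-list deliberately drops, so in that case register it only on the coordinating core and keep the shard cores off the public path entirely. Rejecting with 400 rather than silently clamping makes misbehaving clients visible in the logs, which is the signal that tells you a bot is walking the result set.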
Hi,
I was wondering if it's a good idea to expose Solr to the outside world,
so that our clients running on smart phones will be able to use Solr.
If we decide to do this, what are the security concerns about it?
For example, someone suggested we should limit the number of
rows requested in order