On 11/9/2015 6:38 PM, 马柏樟 wrote:
> After I configure Authentication with Basic Authentication Plugin and
> Authorization with Rule-Based Authorization Plugin, How can I prevent the
> strangers from visiting my solr by browser? For example, if the stranger
> visit the http://(my host):8983, the browser will pop up a window and says
> "the server http://(my host):8983 requires a username and password...."

Don't expose Solr directly to the Internet or other end users, even with authentication. It's just a bad idea. The best security you can provide for Solr is to make sure it is only accessible by your client applications and trusted administrators. If you do this, you won't need any more security.

With proper configuration, a proxy server can harden Solr so it is less open to attack, but it would likely still be vulnerable to denial of service queries. A proper proxy configuration would not be a trivial task.

The authentication that Solr 5.3 provides will only protect the API endpoints that Solr exposes. It will *not* block access to the actual admin UI itself -- that is nothing but nearly static HTML, images, CSS, and javascript. The authentication does protect Solr, because the admin UI cannot do anything to Solr without accessing the API endpoints, which would need authentication.

Thanks,
Shawn
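
An added example, not part of the original message or of Solr itself: a check to run from a host that should not have access, confirming that the API endpoints refuse unauthenticated requests even when the admin UI page loads. The endpoint paths, the host name and the `fake_solr` stand-in are assumptions for illustration.

```python
import urllib.error
import urllib.request

# Assumed paths for a default Solr install; adjust to your deployment.
API_PATHS = [
    "/solr/admin/info/system?wt=json",
    "/solr/admin/cores?action=STATUS",
    "/solr/admin/collections?action=LIST",
]
STATIC_PATHS = ["/solr/"]  # admin UI shell: HTML, CSS and JavaScript only


def http_status(url, timeout=5):
    """Status of a GET sent without credentials; None if the host is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401, 403, 404 ... still an answer
        return err.code
    except (urllib.error.URLError, OSError):  # refused, filtered, timed out
        return None


def audit(base, fetch=http_status):
    """Separate the real problem (open API) from the expected one (open UI)."""
    report = {"unprotected_api": [], "static_open": []}
    for path in API_PATHS:
        # Unreachable (None) is the best outcome; 401/403 means auth is enforced.
        if fetch(base + path) not in (None, 401, 403):
            report["unprotected_api"].append(path)
    for path in STATIC_PATHS:
        if fetch(base + path) == 200:
            report["static_open"].append(path)
    return report


def fake_solr(protected):
    """Constructed stand-in for a Solr node so the check runs offline."""
    def fetch(url):
        is_api = "/solr/admin/" in url
        return 401 if (is_api and protected) else 200
    return fetch


if __name__ == "__main__":
    # Constructed host name; swap fake_solr(...) for http_status on a real node.
    print(audit("http://solr.example:8983", fake_solr(protected=True)))
    print(audit("http://solr.example:8983", fake_solr(protected=False)))
```

An empty `unprotected_api` list with `/solr/` in `static_open` matches the behaviour described above; both lists empty because nothing answered means the host is not reachable from where the check ran.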