On Mon, 2019-10-07 at 10:18 -0700, Wei wrote:
> /solr/mycollection/select?stats=true&stats.field=unique_ids&stats.calcdistinct=true
> ...
> Is there a way to block certain solr queries based on url pattern?
> i.e. ignore the stats.calcdistinct request in this case.
It sounds like it is possible for users to issue arbitrary queries against your Solr installation. As you have noticed, it makes it easy to perform a Denial Of Service (intentional or not). Filtering out stats.calcdistinct won't help with the next request for group.ngroups=true, facet.field=unique_id&facet.limit=100000000, rows=100000000 or something fifth.

I recommend you flip your logic and only allow specific types of requests and put limits on those. To my knowledge that is not a built-in feature of Solr.

- Toke Eskildsen, Royal Danish Library
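
One way to implement the allow-list approach recommended in the reply above, as an added example that is not part of the original message or of Solr: a check meant to run in a proxy or application layer in front of Solr. The allowed path, parameter set, facet field names and numeric limits are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed policy: list only what your own front end really sends.
ALLOWED_PATHS = {"/solr/mycollection/select"}
ALLOWED_PARAMS = {"q", "fq", "fl", "sort", "start", "rows", "wt",
                  "facet", "facet.field", "facet.limit"}
REPEATABLE = {"fq", "facet.field"}
ALLOWED_FACET_FIELDS = {"category", "author"}  # hypothetical field names
MAX_INT = {"rows": 100, "start": 10_000, "facet.limit": 100}
MAX_VALUE_CHARS = 512


def bounded_int(value, limit):
    """True for a plain ASCII non-negative integer no larger than limit."""
    return (value.isascii() and value.isdigit()
            and len(value) <= 9 and int(value) <= limit)


def check_solr_request(url):
    """Return (allowed, reason) for a Solr request path plus query string."""
    parts = urlsplit(url)
    if parts.path not in ALLOWED_PATHS:
        return False, f"path not allowed: {parts.path}"
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Default deny: stats.*, group.* and f.<field>.* overrides all stop here.
        if name not in ALLOWED_PARAMS:
            return False, f"parameter not allowed: {name}"
        if name in seen and name not in REPEATABLE:
            return False, f"repeated parameter: {name}"
        seen.add(name)
        if len(value) > MAX_VALUE_CHARS:
            return False, f"value too long: {name}"
        if name in MAX_INT and not bounded_int(value, MAX_INT[name]):
            # Also rejects negatives such as facet.limit=-1 (unlimited in Solr).
            return False, f"{name} must be an integer in 0..{MAX_INT[name]}"
        if name == "facet.field" and value not in ALLOWED_FACET_FIELDS:
            return False, f"facet field not allowed: {value}"
        if name in ("q", "fq") and "{!" in value:
            # Local params can switch the query parser, so keep them out.
            return False, f"local params not allowed in {name}"
    return True, "ok"
```

Forward only requests for which the first element of the result is true, and log the reason for the rest so that legitimate parameters missing from the policy are noticed.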