First off, use basic authentication to at least partially lock it down. Only the application server has access to the password.

Second, our IT people thought Solr security insufficient to even remotely consider exposing to the external web. It lives behind a firewall, so we do a kind of proxy. External queries are passed to an internal application server, which examines, modifies and adds security to queries and then passes them to Solr. Results are sent back up the chain to the external application server.

I believe variations of this are what is expected. Our deconstruct/reconstruct queries are unusual, but it does allow us to use rights-based access to functionality. I.e., the general public can do searches against the title, author, abstract. Privileged and internal users can query against the full text of the technical reports.

-----Original Message-----
From: Ryan W <rya...@gmail.com>
Sent: Tuesday, 17 March 2020 03:44
To: solr-user@lucene.apache.org
Subject: How do *you* restrict access to Solr?

How do you, personally, do it? Do you use IPTables? Basic Authentication Plugin? Something else?

I'm asking in part so I'll have something to search for. I don't know where I should begin, so I figured I would ask how others do it.

I haven't been able to find anything that works, so if you can tell me what works for you, I can at least narrow it down a bit and do some Google searches. Do I need to learn Solr's plugin system? Am I starting in the right place if I follow this document:

https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin

Initially, the above document seems far too comprehensive for my needs. I just want to block access to the Solr admin UI, and the list of predefined permissions in that document doesn't seem to be relevant. Also, it seems unlikely this plugin system is necessary just to control access to the admin UI... or maybe it is necessary?

In any case, what is your approach?

I'm using version 7.7.2 of Solr.

Thanks!

Notice: This email and any attachments are confidential and may not be used, published or redistributed without the prior written consent of the Institute of Geological and Nuclear Sciences Limited (GNS Science). If received in error please destroy and immediately notify GNS Science. Do not copy or disclose the contents.
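
The deconstruct/reconstruct proxy described in the reply at the top of this thread, sketched as an added example (not code from either poster or from the Solr project): the internal application server rebuilds every query from field/text pairs, checks each field against the caller's role, and attaches the Basic credentials that only it holds. The role names, the `fulltext` field name, the returned-field list, the row cap and the URL used in the test are assumptions.

```python
import base64
from urllib.parse import urlencode

# Assumed roles and field names; the reply names title, author, abstract and full text.
ALLOWED_FIELDS = {
    "public": {"title", "author", "abstract"},
    "privileged": {"title", "author", "abstract", "fulltext"},
}
RETURN_FIELDS = "id,title,author,abstract"  # assumed; full text is never returned
MAX_ROWS = 50                               # assumed cap on result size


class QueryRejected(Exception):
    """Raised when the external request asks for something its role may not do."""


def quote_term(term):
    """Turn user text into a Lucene phrase so operators inside it are inert."""
    if not term or len(term) > 200:
        raise QueryRejected("empty or oversized term")
    return '"' + term.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_solr_params(role, criteria, rows=10):
    """Rebuild the query from (field, text) pairs; no raw parameter is passed on."""
    allowed = ALLOWED_FIELDS.get(role)
    if allowed is None or not criteria:
        raise QueryRejected("unknown role or empty query")
    clauses = []
    for field, text in criteria:
        if field not in allowed:
            raise QueryRejected(f"field {field!r} not permitted for {role!r}")
        clauses.append(f"{field}:{quote_term(text)}")
    return {
        "q": " AND ".join(clauses),
        "defType": "lucene",  # pin the parser instead of trusting the caller
        "fl": RETURN_FIELDS,
        "rows": str(max(1, min(int(rows), MAX_ROWS))),
        "wt": "json",
    }


def build_request(base_url, user, password, role, criteria, rows=10):
    """Return (url, headers) for the internal server's authenticated call to Solr."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    query = urlencode(build_solr_params(role, criteria, rows))
    return f"{base_url}/select?{query}", {"Authorization": f"Basic {token}"}
```

Because only the five rebuilt parameters are forwarded, anything else the external caller sends is dropped before it reaches Solr.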