#1. This is a HORRIBLE IDEA

#2. If I were going to do this, I would destroy the update request handler as well as the entire admin UI from the Solr instance, and set up replication from a secure Solr instance on an interval. This way no one could send an update/delete command, you could still update the index, and it would still be readable. Just remove any request handler that isn't a search or replicate, and put the replication only on a port shared between the master and slave.
> On Oct 8, 2020, at 2:27 PM, Marco Aurélio <aurelio.marco...@gmail.com> wrote:
>
> Hi!
>
> We're looking into the option of setting up search with Solr without an
> intermediary application. This would mean our backend would index data into
> Solr and we would have a public Solr endpoint on the internet that would
> receive search requests directly.
>
> Since I couldn't find an existing solution similar to ours, I would like to
> know whether it's possible to secure Solr in a way that allows anyone
> read-only access to collections and how to achieve that. Specifically
> because of this part of the documentation
> <https://lucene.apache.org/solr/guide/8_5/securing-solr.html>:
>
> *No Solr API, including the Admin UI, is designed to be exposed to
> non-trusted parties. Tune your firewall so that only trusted computers and
> people are allowed access. Because of this, the project will not regard
> e.g., Admin UI XSS issues as security vulnerabilities. However, we still
> ask you to report such issues in JIRA.*
>
> Is there a way we can restrict read-only access to Solr collections so as
> to allow users to make search requests directly to it or should we always
> keep our Solr instances completely private?
>
> Thanks in advance!
>
> Best regards,
> Marco Godinho
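The reply above boils down to "keep only a search handler and the replication handler on the public replica". A quick way to check a core's configuration against that rule is to audit its solrconfig.xml. The script below is an added example for this thread, not code from either poster or from the Solr project. It assumes handlers are declared as `<requestHandler name="...">` elements, and it carries a partial list (an assumption from memory of the Solr reference guide, not taken from this thread) of handlers Solr registers implicitly even when solrconfig.xml never mentions them, which is the catch with "just remove the update handler": a handler that is absent from the file can still be live unless the config overrides it.

```python
"""Audit a Solr core's solrconfig.xml for request handlers that a public,
search-only replica should not expose.

Added example, not from the original mailing-list thread.
Assumptions: handler names are the `name` attribute of <requestHandler>
elements; IMPLICIT_WRITE_OR_ADMIN is a partial, from-memory list of handlers
Solr defines implicitly (they stay active unless the config overrides them).
"""
import xml.etree.ElementTree as ET

# What the reply says a public replica needs: a search handler plus the
# replication endpoint the replica pulls from. Everything else is reviewed.
ALLOWED = {"/select", "/replication"}

# Partial list (assumption) of implicitly registered handlers. Deleting
# /update from solrconfig.xml does not remove it; it must be overridden.
IMPLICIT_WRITE_OR_ADMIN = {
    "/update", "/update/json", "/update/csv", "/update/json/docs",
    "/config", "/schema", "/admin/luke", "/admin/system", "/admin/mbeans",
    "/admin/plugins", "/admin/threads", "/admin/properties", "/admin/logging",
    "/admin/file", "/admin/ping", "/stream", "/sql", "/export",
}


def audit_solrconfig(xml_text, allowed=ALLOWED):
    """Return three findings: declared handlers outside the allowlist,
    implicit handlers the config overrides (review the replacement class),
    and implicit handlers the config leaves untouched (still reachable)."""
    root = ET.fromstring(xml_text)
    declared = {}
    for rh in root.iter("requestHandler"):
        name = rh.get("name")
        if name:
            declared[name] = rh.get("class", "")

    unexpected = sorted(
        n for n in declared if n not in allowed and n not in IMPLICIT_WRITE_OR_ADMIN
    )
    # Overrides of implicit handlers: an override that still points at an
    # update class has not actually removed write access (name heuristic).
    overridden = {
        n: {"class": c, "still_writable": "Update" in c}
        for n, c in declared.items() if n in IMPLICIT_WRITE_OR_ADMIN
    }
    not_overridden = sorted(IMPLICIT_WRITE_OR_ADMIN - set(declared))
    return {
        "unexpected_declared": unexpected,
        "overridden_implicit": overridden,
        "implicit_not_overridden": not_overridden,
    }


# Constructed sample config; the masterUrl host is a placeholder.
SAMPLE_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <luceneMatchVersion>8.5.0</luceneMatchVersion>
  <requestHandler name="/select" class="solr.SearchHandler">
    <lst name="defaults"><str name="echoParams">explicit</str></lst>
  </requestHandler>
  <requestHandler name="/update" class="solr.UpdateRequestHandler"/>
  <requestHandler name="/dataimport"
                  class="org.apache.solr.handler.dataimport.DataImportHandler"/>
  <requestHandler name="/replication" class="solr.ReplicationHandler">
    <lst name="slave">
      <str name="masterUrl">http://solr-internal.example:8983/solr/core1/replication</str>
    </lst>
  </requestHandler>
</config>
"""

if __name__ == "__main__":
    report = audit_solrconfig(SAMPLE_SOLRCONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample this reports `/dataimport` as an unexpected handler, `/update` as an implicit handler that was overridden but still points at an update class, and the rest of the implicit list (for instance `/config` and `/schema`) as untouched and therefore still reachable. The allowlist and the implicit list are the two places to adjust for a real deployment; the check is only as good as the list of handlers it knows about, so compare it against the implicit-handlers page of the reference guide for the Solr version in use.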