It is like opening a database to the Internet - you simply don’t do it and I 
don’t recommend it.

If you, despite the anti-pattern, want to do it, use the latest Solr versions and 
put a reverse proxy in front. Always use authentication and authorization. 
Only allow minimal API endpoints and no admin UI. Limit the IPs that can access 
it. Do not use it for confidential data. 
If data (even public data!) gets leaked from your Solr instance, it is very bad 
for the reputation of your organisation.

Future versions will allow disabling security-problematic modules. Better to wait for 
them. Still, I would not do it in the first place - you also would not open 
databases to the Internet. I could also not find a use case for which this is 
needed.

> On 08.10.2020 at 20:27, Marco Aurélio <aurelio.marco...@gmail.com> wrote:
> 
> Hi!
> 
> We're looking into the option of setting up search with Solr without an
> intermediary application. This would mean our backend would index data into
> Solr and we would have a public Solr endpoint on the internet that would
> receive search requests directly.
> 
> Since I couldn't find an existing solution similar to ours, I would like to
> know whether it's possible to secure Solr in a way that allows anyone
> read-only access to collections, and how to achieve that. Specifically
> because of this part of the documentation
> <https://lucene.apache.org/solr/guide/8_5/securing-solr.html>:
> 
> *No Solr API, including the Admin UI, is designed to be exposed to
> non-trusted parties. Tune your firewall so that only trusted computers and
> people are allowed access. Because of this, the project will not regard
> e.g., Admin UI XSS issues as security vulnerabilities. However, we still
> ask you to report such issues in JIRA.*
> 
> Is there a way we can restrict read-only access to Solr collections so as
> to allow users to make search requests directly to it or should we always
> keep our Solr instances completely private?
> 
> Thanks in advance!
> 
> Best regards,
> Marco Godinho
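The setup the reply above recommends (reverse proxy in front, authentication, a single read-only endpoint, no admin UI, source-IP limits), as an added nginx example that is not part of the thread or of Solr itself. It assumes Solr listens only on 127.0.0.1:8983, a collection named "products", an htpasswd file at /etc/nginx/solr.htpasswd, and 203.0.113.0/24 as a placeholder for the allowed client range.

```nginx
# Added example, not from the original thread. Placeholders: hostname,
# TLS paths, htpasswd path, allowed client range, collection name.
upstream solr_backend {
    server 127.0.0.1:8983;      # Solr bound to loopback; never reachable directly
}

server {
    listen 443 ssl;
    server_name search.example.com;                     # placeholder
    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder

    # Limit which source addresses may reach the endpoint at all.
    allow 203.0.113.0/24;       # placeholder range
    deny  all;

    # Every request must authenticate; no anonymous access.
    auth_basic           "Solr search";
    auth_basic_user_file /etc/nginx/solr.htpasswd;

    # Forward exactly one path: the query handler of one collection.
    # Exact-match location ignores the query string, so ?q=... still matches.
    location = /solr/products/select {
        limit_except GET { deny all; }   # read-only: GET (and HEAD) only
        proxy_pass http://solr_backend;  # no URI here, so path+args pass unchanged
        proxy_set_header Host $host;
    }

    # Everything else (Admin UI, /update, /config, /admin/*, other
    # collections) is never forwarded to Solr.
    location / {
        return 404;
    }
}
```

Solr still interprets every query parameter it receives on that handler, so also pin the handler's parameters server-side (e.g. `invariants` on the request handler in solrconfig.xml) instead of relying on the proxy alone.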