Me too!

-----Original Message-----
From: Walter Underwood [mailto:wun...@wunderwood.org]
Sent: Tuesday, November 01, 2011 1:02 PM
To: solr-user@lucene.apache.org
Subject: Re: Questions about Solr's security

I once had to deal with a severe performance problem caused by a bot that was requesting results starting at 5000. We disallowed requests over a certain number of pages in the front end to fix it.

wunder

On Nov 1, 2011, at 12:57 PM, Erik Hatcher wrote:

> Be aware that even /select could have some harmful effects, see https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
>
> Even disregarding that issue, /select is a potential gateway to any request handler defined via /select?qt=/req_handler
>
> Again, in general it's not a good idea to expose Solr to anything but a controlled app server.
>
> Erik
>
> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
>
>> What if we just expose '/select' paths - by firewalls and load balancers - and
>> also use SSL and HTTP basic or digest access control?
>>
>> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <hossman_luc...@fucit.org> wrote:
>>
>>>
>>> : I was wondering if it's a good idea to expose Solr to the outside world,
>>> : so that our clients running on smart phones will be able to use Solr.
>>>
>>> As a general rule of thumb, i would say that it is not a good idea to
>>> expose solr directly to the public internet.
>>>
>>> there are exceptions to this rule -- AOL hosted some live solr instances
>>> of the Sarah Palin emails for HufPo -- but it is definitely an expert
>>> level type thing for people who are so familiar with solr they know
>>> exactly what to lock down to make it "safe"
>>>
>>> for typical users: put an application between your untrusted users and
>>> solr and only let that application generate "safe" well-formed requests to
>>> Solr...
>>>
>>> https://wiki.apache.org/solr/SolrSecurity
>>>
>>>
>>> -Hoss
>>>
>>
>>
>>
>> --
>> Alireza Salimi
>> Java EE Developer
>

--
Walter Underwood
Venture Asst. Scoutmaster
Troop 14, Palo Alto, CA
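
Added example, not part of the original thread: a small Python front-end filter that applies the two controls discussed above, dropping qt (and any other parameter not on an allowlist) and refusing deep paging before a request is sent to /select. The allowlist, the limits and the function names are assumptions chosen for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Assumed policy values for this example; tune them for your own index.
ALLOWED = {"q", "start", "rows"}  # client parameters the front end understands
MAX_ROWS = 50                     # largest page size passed on to Solr
MAX_START = 1000                  # deepest offset served (the bot asked for 5000)
MAX_QUERY_LEN = 256

class RejectedRequest(ValueError):
    """The client request violates the front-end policy."""

def int_param(params, name, default):
    raw = params.get(name, [str(default)])[-1]
    # Accept plain ASCII digits only: no signs, floats, blanks or Unicode digits.
    if not (raw.isascii() and raw.isdigit()):
        raise RejectedRequest(f"{name} must be a non-negative integer")
    return int(raw)

def build_solr_query(client_query_string):
    """Map an untrusted query string to the one the app sends to /select.

    Returns (query_string, dropped_names) so dropped parameters can be logged.
    """
    params = parse_qs(client_query_string, keep_blank_values=True)
    dropped = sorted(set(params) - ALLOWED)  # qt and anything else never reach Solr
    q = params.get("q", [""])[-1].strip()
    if not q or len(q) > MAX_QUERY_LEN:
        raise RejectedRequest("q is required and limited in length")
    start = int_param(params, "start", 0)
    rows = min(int_param(params, "rows", 10), MAX_ROWS)
    if start > MAX_START:
        raise RejectedRequest("paging too deep")
    # Rebuild the request from scratch; the app, not the client, picks the format.
    return urlencode({"q": q, "start": start, "rows": rows, "wt": "json"}), dropped

if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    for sample in ("q=solr+security&start=20&rows=500&qt=/req_handler",
                   "q=solr&start=5000"):
        try:
            print(sample, "->", build_solr_query(sample))
        except RejectedRequest as err:
            print(sample, "-> rejected:", err)
```

The q value is passed through as typed; this filter only constrains which parameters and offsets reach Solr.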