[ https://issues.apache.org/jira/browse/SOLR-13985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16992777#comment-16992777 ]

Jason Gerlowski commented on SOLR-13985:
----------------------------------------

I'm assigning this to myself so I can move this forward a bit.  If I'm 
"stealing" this from you [~rcmuir], let me know and it's all yours :P

The latest patch has {{bin/solr}}, {{bin/solr.cmd}} logic to read a 
SOLR_JETTY_HOST value if set in {{solr.in.sh}}/{{solr.in.cmd}}.

It also takes a first pass at docs for this.  I've added larger blurbs about 
this on the "Taking Solr to Production" and "Securing Solr" pages.  I added a 
smaller warning-style note on the "Getting Started with SolrCloud" page that 
talks about the need to loosen this setting to allow Solr nodes to talk to each 
other.  Presumably there are a lot of other places in the docs that might benefit 
from a similar note.  I'm not sure how much is overdoing it though.  

This seems like a change that will impact a lot of deployments so maybe we 
should target 9.0 for this.  You could argue that the security benefits are 
important enough to trump our breaking-change policy - I don't think I really 
buy that yet, but I'm open to the argument if someone wants to make it.

I have _not_ tested the Windows changes yet.  Hoping to set up a VM to do so 
soon, but if anyone else has a Windows environment handy, I'd appreciate a 
double check there.

Anyone have thoughts?

> bind to localhost by default
> ----------------------------
>
>                 Key: SOLR-13985
>                 URL: https://issues.apache.org/jira/browse/SOLR-13985
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Assignee: Jason Gerlowski
>            Priority: Major
>         Attachments: SOLR-13985.patch, SOLR-13985.patch
>
>
> Currently Solr binds to all interfaces by default. 
> The default should be safer, so that e.g. the user is not exposed to the 
> internet until they make an explicit step to do so.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
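
An added example, not part of the attached patch or of the message above: a small audit that reports which address a given `solr.in.sh`-style include file would make Solr bind to. It assumes an unset SOLR_JETTY_HOST falls back to 127.0.0.1 (the default this issue proposes); the function names and sample files are constructed for illustration, and the file is parsed rather than sourced so that auditing it does not execute it.

```shell
# Assumed fallback when the include file does not set SOLR_JETTY_HOST.
DEFAULT_JETTY_HOST="127.0.0.1"

# Print the last uncommented SOLR_JETTY_HOST assignment in an include file,
# or the assumed default when none is present (or the value is empty).
effective_jetty_host() {
    value=$(sed -n \
        -e 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}SOLR_JETTY_HOST=//p' \
        "$1" | tail -n 1)
    # Drop a trailing comment, surrounding whitespace and one pair of quotes.
    value=$(printf '%s' "$value" | sed -e 's/[[:space:]]*#.*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
    printf '%s\n' "${value:-$DEFAULT_JETTY_HOST}"
}

# Classify a bind address by how widely it exposes the listener.
classify_bind() {
    case "$1" in
        127.*|localhost|::1) echo "loopback" ;;
        0.0.0.0|::)          echo "all-interfaces" ;;
        *)                   echo "specific-interface" ;;
    esac
}

# Print "<host> <classification>" for one include file.
audit_include() {
    host=$(effective_jetty_host "$1")
    printf '%s %s\n' "$host" "$(classify_bind "$host")"
}

# Constructed sample include files (not taken from a real deployment).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/default.in.sh" <<'EOF'
# SOLR_JETTY_HOST="0.0.0.0"
SOLR_HEAP="512m"
EOF
cat > "$SAMPLE_DIR/cloud.in.sh" <<'EOF'
SOLR_JETTY_HOST="127.0.0.1"
export SOLR_JETTY_HOST="0.0.0.0"   # loosened so nodes can reach each other
EOF
cat > "$SAMPLE_DIR/pinned.in.sh" <<'EOF'
SOLR_JETTY_HOST='10.0.0.5'
EOF

for f in "$SAMPLE_DIR"/*.in.sh; do
    printf '%-16s %s\n' "$(basename "$f")" "$(audit_include "$f")"
done
```

Values built from other shell variables (for example `${MY_HOST}`) are reported literally, since the file is never evaluated.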
