[jira] [Commented] (SOLR-13985) bind to localhost by default

Tue, 10 Dec 2019 10:15:10 -0800 


    [ 
https://issues.apache.org/jira/browse/SOLR-13985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16992785#comment-16992785
 ] 

Jason Gerlowski commented on SOLR-13985:
----------------------------------------

Hey, review comments before I could post my description of the patch.  Thanks 
for the quick feedback Jan.

bq. you still have 0.0.0.0 set in one of the solr.in files.
Leftover from testing.  Fixed

bq. You have duplicated the same paragraphs in securing-solr.adoc and 
taking-solr-to-production.adoc.
That was intentional, but I'm not happy about it and would love any suggestions 
you had.  The information in those 2-3 paragraphs seemed relevant in both 
places.  Initially I put a link from taking-solr-to-production.adoc to the 
material in securing-solr.adoc, but it ended up that I was taking a sentence or 
two to provide a link to a sentence or two.  Seemed a little weird, so I just 
duplicated the paragraphs.  I'm happy to go back to linking to it though if you 
prefer.

 bq. Should we name the SOLR_JETTY_HOST something else, such as SOLR_BIND_HOST 
or SOLR_BIND_IP?
I chose SOLR_JETTY_HOST because it mirrored the values already in our 
jetty.xml's.  But I don't have any particular attachment to the name if there's 
consensus on one of the others.  I'm not familiar with those Elastic settings, 
but I'll take a look and get back to you.

> bind to localhost by default
> ----------------------------
>
>                 Key: SOLR-13985
>                 URL: https://issues.apache.org/jira/browse/SOLR-13985
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Assignee: Jason Gerlowski
>            Priority: Major
>         Attachments: SOLR-13985.patch, SOLR-13985.patch
>
>
> Currently solr binds to all interfaces by default. 
> The default should be safer, so that e.g. the user is not exposed to the 
> internet until they make an explicit step to do so.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to