[
https://issues.apache.org/jira/browse/SOLR-14148?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Høydahl updated SOLR-14148:
-------------------------------
Description:
Currently network access is wide-open to the world and the user has to "secure"
it through steps on the [securing solr
page|https://solr.apache.org/guide/solr/latest/deployment-guide/securing-solr.html].
Instead the user is asked to explicitly "tune a firewall"... these are not
good defaults.
It would be much better if access was restricted by default via ACL (e.g. to
{{{}127.0.0.0/8, [::1]{}}}), and the user instead explicitly grants access to
hosts/networks that should have it. Similar to PostgreSQL's
{{{}pg_hba.conf{}}}. Just like {{{}pg_hba.conf{}}}, this is separate from what
interfaces are bound to by default.
We could remove the IP-based ACL step from securing solr page, and even change
or remove the "firewall" wording at the top.
was:
Currently network access is wide-open to the world and the user has to "secure"
it through steps on the securing solr page. Instead the user is asked to
explicitly "tune a firewall"... these are not good defaults.
It would be much better if access was restricted by default via ACL (e.g. to
{{127.0.0.0/8, [::1]}}), and the user instead explicitly grants access to
hosts/networks that should have it. Similar to PostgreSQL's {{pg_hba.conf}}.
Just like {{pg_hba.conf}}, this is separate from what interfaces are bound to
by default.
We could remove the IP-based ACL step from securing solr page, and even change
or remove the "firewall" wording at the top.
> enable IP access control by default
> -----------------------------------
>
> Key: SOLR-14148
> URL: https://issues.apache.org/jira/browse/SOLR-14148
> Project: Solr
> Issue Type: Improvement
> Reporter: Robert Muir
> Priority: Major
>
> Currently network access is wide-open to the world and the user has to
> "secure" it through steps on the [securing solr
> page|https://solr.apache.org/guide/solr/latest/deployment-guide/securing-solr.html].
> Instead the user is asked to explicitly "tune a firewall"... these are not
> good defaults.
> It would be much better if access was restricted by default via ACL (e.g. to
> {{{}127.0.0.0/8, [::1]{}}}), and the user instead explicitly grants access to
> hosts/networks that should have it. Similar to PostgreSQL's
> {{{}pg_hba.conf{}}}. Just like {{{}pg_hba.conf{}}}, this is separate from
> what interfaces are bound to by default.
> We could remove the IP-based ACL step from securing solr page, and even
> change or remove the "firewall" wording at the top.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
