Re: AJAX access to Solr Server

2015-12-26 Thread Doug Turnbull
True, though you could also query an API in front of Solr to a standstill pretty easily. DoSing is a pretty easy thing to do to anything that needs to be open to the public. The biggest issue with the proxy approach is an attacker with Solr knowledge that doesn't need to DoS, just send a handful

Re: AJAX access to Solr Server

2015-12-26 Thread GW
Yes, your proxy seems to work. The only thing that bothers me is anyone can query your Solr installation. The world is not a nice place and I can't tell you how many DoS attacks I've fended off in the last 30 years. If I thought you were an a-hole I could set up a few machines and query your

Re: AJAX access to Solr Server

2015-12-26 Thread GW
What are you using for a client? I generally use a REST client written in PHP or Perl and then prevent cross scripting so only the client can do the work. My Solr cluster is running behind OpenVPN on 172.16.0.0/24. I use jQuery in the following to get an infinite scroll

Re: AJAX access to Solr Server

2015-12-25 Thread Doug Turnbull
We do this all the time, whitelisting only the read-only search endpoints we want to support and disallowing excessively large paging. Here is a template for an nginx Solr proxy. The README describes more of our philosophy: https://github.com/o19s/solr_nginx On Friday, December 25, 2015, Eric

AJAX access to Solr Server

2015-12-25 Thread Eric Dain
Hi all, Does allowing JavaScript direct access to SolrCloud raise a security concern? Should I build a REST service in between? I need to provide async search capability to web pages. The pages will be public with no authentication. Happy searching, Eric

Re: AJAX access to Solr Server

2015-12-25 Thread Shawn Heisey
On 12/25/2015 12:17 PM, Eric Dain wrote:
> Does allowing javascript direct access to SolrCloud raise security concern?
> should I build a REST service in between?
>
> I need to provide async search capability to web pages. the pages will be
> public with no authentication.
End users should never

Re: AJAX access to Solr Server

2015-12-25 Thread GW
If you are using Linux, a simple one-liner in iptables:
iptables -I INPUT \! --src www.yourwebserver.com -m tcp -p tcp --dport 8983 -j DROP
If Windows, you can do something similar; otherwise it is very easy for anyone to delete all your documents with

Re: AJAX access to Solr Server

2015-12-25 Thread GW
I would put in a basic iptables statement to allow only your webserver, to prevent http://172.16.0.22:8983/solr/products/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E=true
On 25 December 2015 at 14:58, Eric Dain wrote:
> Thanks, that is very

Re: AJAX access to Solr Server

2015-12-25 Thread Eric Dain
Thanks, that is very helpful. Have you tried denying access to some fields in the documents?
On Fri, Dec 25, 2015 at 11:31 AM, Doug Turnbull < dturnb...@opensourceconnections.com> wrote:
> We do this all the time, whitelisting only the readonly search end points
> we want to support and

Re: AJAX access to Solr Server

2015-12-25 Thread Doug Turnbull
Hi Shawn, maybe I should have qualified the parameters of the scenarios that make me comfortable just proxying Solr directly w/o an API. These situations include:
1. I've got no qualms about giving the whole world access to every document in the index. There's nothing protected about anything.
2. The

Re: AJAX access to Solr Server

2015-12-25 Thread Doug Turnbull
Yeah, I prefer a whitelist of locked-down query request handlers via a proxy that are reasonably well protected. I would never expose update to the web or allow any updating over a public interface. If you want an example, you can check out