Andrew, I don't know if this is what you're getting at, but my
solution is kind of naive but seems to work well. I have solr running
on a given port, say :8983. I have my firewall (iptables) set up so
that the outside world cannot connect to :8983. However, my httpd
server, running on port 80, can connect to solr because they are
running on the same box. Therefore all access to solr is mediated
through whatever applications I choose to run through httpd. This is
the same approach we've always used for MySQL, and it has served us
well. When you start talking about JNDI it makes me think you're
thinking of a more sophisticated system, but it seems like the same
principles would apply.
Is that what you were asking about?
Bess
On Mar 15, 2007, at 12:26 PM, Gunther, Andrew wrote:
I'm trying to get my head around the architecture where Solr sits
behind a firewall. Can someone tease this out for me? Is a JNDI
context establishing the connection to the app server? I'm naïve
in thinking how one talks to the solr servlet behind a firewall.
I apologize up front for the naivety.
-Andrew
-----Original Message-----
From: Erik Hatcher [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 14, 2007 11:18 AM
To: solr-user@lucene.apache.org
Subject: Re: Restrict Servlet Access
On Mar 14, 2007, at 11:09 AM, Brian Whitman wrote:
The recommendation is to firewall off Solr so only your
application server can access it. Solr is not at all designed
for direct client (browser, etc) access.
Assuming you lock down update properly, what's the problem? We are
currently using select directly through the XSLTResponseWriter
right into a <div> via Ajax.Updater. Do you predict pain?
I don't predict pain really, but I don't want to see Solr get bogged
down in having a lot of security-related code added to it. I do
think it would be good for there to be some sort of capability to
make Solr read-only in some form or another, such that an indexer
could still work from an authorized environment.
Exposing Solr directly to a client does have appeal in the way you're
doing it, but it also allows the possibility of hackers tinkering
with it and perhaps requesting things they shouldn't. For example,
we index tags and annotations, and only a logged in user can see
their own annotations, so exposing Solr directly would subvert that
protection.
Erik
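
Added example, not part of the original thread or of Solr itself: a sketch of the mediation step the messages above describe, where the web application behind httpd builds the request sent to the firewalled Solr port and forces a per-user filter so the annotation restriction Erik mentions cannot be bypassed. The loopback URL, the `visibility` and `owner` schema fields, the row cap and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlencode

# Assumption: Solr listens only on loopback, on the firewalled port from the thread.
SOLR_SELECT = "http://127.0.0.1:8983/solr/select"
MAX_ROWS = 50
USER_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def _bounded_int(value, low, high):
    number = int(value)               # raises ValueError on non-numeric input
    return max(low, min(high, number))


def mediated_params(client_params, user=None):
    """Return the (name, value) pairs the web tier will send to Solr.

    client_params: dict of raw request parameters (untrusted).
    user: login name taken from the server-side session, or None if anonymous.
    Only q, start and rows are read; anything else the client sent is dropped.
    """
    q = client_params.get("q", "").strip()
    if not q:
        raise ValueError("missing q")
    params = [("q", q)]
    params.append(("start", str(_bounded_int(client_params.get("start", "0"), 0, 10**6))))
    params.append(("rows", str(_bounded_int(client_params.get("rows", "10"), 0, MAX_ROWS))))

    # The filter query is built here, never copied from the request, so a
    # client cannot widen it. Field names are hypothetical schema fields.
    if user is None:
        fq = "visibility:public"
    elif USER_RE.fullmatch(user):
        fq = "visibility:public OR owner:%s" % user
    else:
        raise ValueError("unexpected characters in user name")
    params.append(("fq", fq))
    return params


def mediated_url(client_params, user=None):
    """Full URL for the upstream request to the local Solr instance."""
    return SOLR_SELECT + "?" + urlencode(mediated_params(client_params, user))
```
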