On 1/7/2018 1:30 PM, Rick Leir wrote:
> The easy solution is to put something like solr-security-proxy [1] in front of
> a Solr/Velocity app, and this is working for me. However, this has a blacklist
> for Solr params and I think it should have a whitelist instead. Also, it does
> not check ranges or filter chars. Is this proxy adequate for use on the open
> internet? In particular, what character filtering should I add to it?

I don't have information like that readily available. I would be worried with any proxy software that something important had been forgotten and would open the door to either changing the index or not blocking denial of service requests.

My recommendation is to never expose Solr to the Internet, or to anybody who is not responsible for its care. There should always be some kind of front end server-side software that handles searching on behalf of the user.

Even with those precautions, clever users will probably be able to figure out how to send denial of service queries, but without direct access to Solr's API, it would not be as vulnerable.

Thanks,
Shawn
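A sketch of the whitelist approach Rick asks about, added here as an example for this thread (it is not solr-security-proxy's code and not something either poster provided): the front end refuses any parameter it has not explicitly named, bounds `rows` and `start`, and restricts `q`, `fq`, `fl` and `sort` to a small grammar over fields the application chooses to expose, so nothing a browser sends is forwarded to Solr unchecked. The field names, numeric limits and Solr URL are assumed values for the example.

```python
import re
from urllib.parse import urlencode

# Allow-list: a parameter not named here is refused outright, so request handlers
# or features selected via other parameters (qt, shards, stream.url, ...) can never
# be reached through this front end.
ALLOWED_PARAMS = {"q", "fq", "fl", "sort", "rows", "start"}
# Range limits and exposed field names are assumed policy/schema values.
MAX_ROWS = 50
MAX_START = 10_000
ALLOWED_FIELDS = {"title", "author", "year"}

# Free-text query: letters, digits, whitespace and a little punctuation only.
# This excludes Solr syntax such as local params ({!...}), wildcards, field
# prefixes and range brackets; the proxy, not the caller, decides how q is parsed.
Q_RE = re.compile(r"^[\w\s.,'\"-]{1,200}$")
FQ_RE = re.compile(r"^(\w+):([\w.-]{1,100})$")
SORT_RE = re.compile(r"^(\w+) (asc|desc)$")


class RejectedRequest(ValueError):
    """Raised when a request must not be forwarded to Solr."""


def _int_in_range(name, raw, lo, hi):
    """Parse a decimal string and enforce lo <= value <= hi."""
    if not raw.isdigit():
        raise RejectedRequest(f"{name} must be a non-negative integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise RejectedRequest(f"{name} out of range {lo}..{hi}")
    return str(value)  # normalised form (e.g. "010" -> "10")


def sanitize_solr_params(params):
    """Return the subset of params that may be forwarded, or raise RejectedRequest."""
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        raise RejectedRequest(f"parameter(s) not allowed: {sorted(unknown)}")
    if "q" not in params or not Q_RE.fullmatch(params["q"]):
        raise RejectedRequest("q missing or contains disallowed characters")
    out = {"q": params["q"]}
    if "fq" in params:
        m = FQ_RE.fullmatch(params["fq"])
        if not m or m.group(1) not in ALLOWED_FIELDS:
            raise RejectedRequest("fq must be <exposed field>:<value>")
        out["fq"] = params["fq"]
    if "fl" in params:
        if not all(f in ALLOWED_FIELDS for f in params["fl"].split(",")):
            raise RejectedRequest("fl names a field that is not exposed")
        out["fl"] = params["fl"]
    if "sort" in params:
        m = SORT_RE.fullmatch(params["sort"])
        if not m or m.group(1) not in ALLOWED_FIELDS:
            raise RejectedRequest("sort must be '<exposed field> asc|desc'")
        out["sort"] = params["sort"]
    if "rows" in params:
        out["rows"] = _int_in_range("rows", params["rows"], 1, MAX_ROWS)
    if "start" in params:
        out["start"] = _int_in_range("start", params["start"], 0, MAX_START)
    out["wt"] = "json"  # response format is fixed by the proxy, never by the caller
    return out


def is_forwardable(params):
    """True if sanitize_solr_params accepts the request, False otherwise."""
    try:
        sanitize_solr_params(params)
        return True
    except RejectedRequest:
        return False


def build_solr_url(params, base="http://localhost:8983/solr/mycore/select"):
    """Build the URL the proxy would call; base is an assumed Solr core address."""
    return base + "?" + urlencode(sanitize_solr_params(params))


if __name__ == "__main__":
    # Constructed sample requests: one acceptable, several that must be refused.
    print(build_solr_url({"q": "hello world", "rows": "10"}))
    for bad in ({"q": "x", "qt": "/update"}, {"q": "*:*"}, {"q": "x", "rows": "100000"}):
        print(bad, "->", "forwarded" if is_forwardable(bad) else "rejected")
```

The important design choice is that the proxy builds the outgoing request only from values it has validated, rather than passing the original query string through minus a blacklist; a parameter the author never thought about is therefore dropped by default instead of reaching Solr.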
