I think there were past discussions about people doing that, but they really,
really knew what they were doing from a security perspective, not just
the Solr one.

You are increasing your risk factor a lot, so you need to think
this through. What are you protecting and what are you exposing? Are
you trying to protect the updates? You may be able to do it with, for
example, a read-only docker container, or with embedded Solr and/or
with a reverse proxy.

Are you trying to protect some of the data from being read? Even harder.

There are implicit handlers, admin handlers, 'qt' to select query
parser, etc. Lots of things to think about.

It just may not be worth it.

Regards,
   Alex.


On Thu, 8 Oct 2020 at 14:27, Marco Aurélio <aurelio.marco...@gmail.com> wrote:
>
> Hi!
>
> We're looking into the option of setting up search with Solr without an
> intermediary application. This would mean our backend would index data into
> Solr and we would have a public Solr endpoint on the internet that would
> receive search requests directly.
>
> Since I couldn't find an existing solution similar to ours, I would like to
> know whether it's possible to secure Solr in a way that allows anyone
> read-only access to collections, and how to achieve that. Specifically
> because of this part of the documentation
> <https://lucene.apache.org/solr/guide/8_5/securing-solr.html>:
>
> *No Solr API, including the Admin UI, is designed to be exposed to
> non-trusted parties. Tune your firewall so that only trusted computers and
> people are allowed access. Because of this, the project will not regard
> e.g., Admin UI XSS issues as security vulnerabilities. However, we still
> ask you to report such issues in JIRA.*
>
> Is there a way we can restrict read-only access to Solr collections so as
> to allow users to make search requests directly to it, or should we always
> keep our Solr instances completely private?
>
> Thanks in advance!
>
> Best regards,
> Marco Godinho

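The reverse-proxy option raised in the reply comes down to a default-deny request filter in front of Solr: forward only GET requests to the `/select` handler of an explicitly listed collection, and refuse anything that could re-route the request to another handler (the `qt` parameter named above) or to another node. The following is an added example written for this thread, not code from the Solr project or from either poster; the collection names in `READ_ONLY_COLLECTIONS` and the parameter set in `FORBIDDEN_PARAMS` are assumptions you would replace with your own, and it is a policy function you would call from whatever proxy you run, not a complete proxy.

```python
import re
from typing import Tuple
from urllib.parse import parse_qs

# Constructed allow-list of collections the public endpoint may search.
# These names are assumptions for the example, not from the thread.
READ_ONLY_COLLECTIONS = {"products", "articles"}

# Parameters that let a caller redirect a /select request to a different
# handler ('qt', named in the thread) or fan it out to other nodes
# (Solr's shard parameters). Assumed set for this example; extend it to
# match the handlers and plugins your own solrconfig.xml enables.
FORBIDDEN_PARAMS = {"qt", "shards", "shards.qt"}

# Only a bare /solr/<collection>/select path matches; '.' and '/' are not
# allowed in the collection segment, so /solr/admin/..., /update and
# traversal attempts never match and fall through to the default deny.
SELECT_PATH = re.compile(r"^/solr/(?P<collection>[A-Za-z0-9_-]+)/select/?$")


def evaluate_request(method: str, path: str, query: str) -> Tuple[bool, str]:
    """Decide whether a proxy should forward this request to Solr.

    Returns (allowed, reason). Everything not explicitly matched is denied,
    so admin handlers, implicit handlers, update handlers and unknown
    collections are all refused without being listed individually.
    """
    if method.upper() != "GET":
        return False, "only GET is forwarded"
    m = SELECT_PATH.match(path)
    if not m:
        return False, "path is not a collection /select handler"
    if m.group("collection") not in READ_ONLY_COLLECTIONS:
        return False, "collection not on the read-only allow-list"
    params = parse_qs(query, keep_blank_values=True)
    bad = sorted(k for k in params if k in FORBIDDEN_PARAMS)
    if bad:
        return False, "handler-redirecting parameter(s) present: " + ", ".join(bad)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, as a proxy would see them after
    # splitting the request line into method, path and query string.
    samples = [
        ("GET", "/solr/products/select", "q=shoes&rows=10"),
        ("POST", "/solr/products/update", "commit=true"),
        ("GET", "/solr/admin/cores", "action=STATUS"),
        ("GET", "/solr/products/select", "q=*:*&qt=/update"),
        ("GET", "/solr/internal/select", "q=*:*"),
    ]
    for method, path, query in samples:
        allowed, reason = evaluate_request(method, path, query)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {method} {path}?{query}  ({reason})")
```

The filter is an allow-list, not a block-list: the `FORBIDDEN_PARAMS` check is a second layer for the one handler you do expose, and the path regex is what keeps admin and update handlers unreachable. It does not address the other concern in the reply, hiding some of the indexed data from readers; a caller who can query `/select` can read any field the handler returns, so that has to be solved at indexing time or with Solr's own authorization.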