My favorite "other external firewall'ish technology" is just an apache front-end reverse proxying to the Java servlet (such as Solr), with access controls in apache.
I haven't actually done it with Solr myself though, my Solr is behind a firewall accessed by trusted apps only. Be careful making your Solr viewable to the world, even behind an "other external firewall'ish technology." There are several features in Solr you do NOT to expose to the world (the ability to change the index in general, of which there are a variety of ways to do it in addition to the /update/csv handler, the straight /update handler. Also consider the replication commands -- the example Solr solrconfig.xml, at least, will allow an HTTP request that tells Solr to replicate from arbitrarily specified 'master', definitely not something you'd want open to the world either! There may be other examples too you might not think of at first.). My impression is that Solr is written assuming it will be safely ensconced behind a firewall and accessed by trusted applications only. If you're not going to do this, you're going to have to be careful to make sure to lock down or remove a lot of things, /update/csv is just barely a start. I don't know if anyone has analyzed and written up secure ways to do this -- it sounds like there would be interest for such since it keeps coming up on the list. Kind of personally curious _why_ it keeps coming up on the list so much. Is everyone trying to go into business vending Solr in the cloud to customers who will write their own apps, or are there some other less obvious (to me) use cases? ________________________________________ From: Erik Hatcher [erik.hatc...@gmail.com] Sent: Sunday, January 23, 2011 1:47 PM To: solr-user@lucene.apache.org Subject: Re: filter update by IP No. SolrQueryRequest doesn't (currently) have access to the actual HTTP request coming in. You'll need to do this either with a servlet filter and register it into web.xml or restrict it from some other external firewall'ish technology. Erik On Jan 23, 2011, at 13:21 , Teebo wrote: > Hi > > I would like to restrict access to /update/csv request handler > > Is there a ready to use UpdateRequestProcessor for that ? > > > My first idea was to heritate from CSVRequestHandler and to overload > public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) { > ... > restrict by IP code > ... > super(req, rsp); > } > > What do you think ? > > Regards, > t.