Thomas has the right idea, but even so I would go external request->custom code->nginx->Solr and back again. The custom code lets you have absolute control over what the external user can see, you don’t want them to know it’s Solr on the back end at all. And yeah that nginx config would work well unless there are some documents you want to keep secure from one client to the next. Like you don’t want a school accessing government documents maybe. Having the custom code allows you to add a filter query based on the client authentication. For example I have no business accessing a medical record from someone else but a doctor sure does when needed. The customer code in between is a cya if you have anything close to sensitive -david
> On Dec 1, 2025, at 16:59, Thomas Corthals <[email protected]> wrote: > > When I had to grant temporary access to an external developer to read from > a single core. I proxied it through nginx as https://solr.example.org:443 with > a Let's Encrypt certificate and basic authentication. > > Config looked something like this. I only exposed the select handler. This > effectively blocks everything that isn't select. You could replace this > with a script running on nginx that sanitises queries, adds specific > filters based on the auth username … and the client wouldn't notice a > functional difference. > > auth_basic "My Solr"; > auth_basic_user_file /path/to/.htpasswd; > > location /solr/my_core/select { > proxy_pass http://10.0.0.1:8983/solr/my_core/select; > proxy_http_version 1.1; > > } > > > Op ma 1 dec 2025, 21:43 schreef Dave <[email protected]>: > >> Use an nginx proxy server instead of jetty to go from external to >> internal. Don’t ever expose solr to the public, block any update and >> delete commands, it should all be done inside the vpn and through secondary >> code. If anyone sees raw solr commands it can be exploited easily. >> >>> On Dec 1, 2025, at 15:20, Shaun Campbell <[email protected]> >> wrote: >>> >>> Hi >>> >>> I'm updating a Solr 6 server to the latest 9.10 on a Windows server. >> It's a >>> simple stand-alone instance and not cloud or anything. Solr starts but I >>> can only access it via localhost or 127.0.0.1. My aim is to access Solr >>> from another server where my application is running. This is how it used >> to >>> work and there was no problems. >>> >>> I have a development Linux laptop and changed SOLR_JETTY_HOST in the solr >>> include file on that to 0.0.0.0 and I can now access Solr on my laptop's >> ip >>> address. I tried to do the same on the Windows server and I can't get >>> anything to work apart from localhost. I want eventually to be able to >>> access it by the server name which I can ping. >>> >>> I'm also trying to run Solr as a Windows service which I used to do, but >>> now the service just tries to start and then stops. I can't see any >> errors. >>> I wonder if the above issue is stopping it starting. >>> >>> Any ideas what I'm doing wrong? >>> >>> Many thanks >>> Shaun >>
