[ https://issues.apache.org/jira/browse/SOLR-13985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Gerlowski updated SOLR-13985:
-----------------------------------
    Attachment: SOLR-13985.patch
        Status: Open  (was: Open)

Uploading a patch to address some of the feedback given so far. This mostly fixes some duplication in the docs and some bugs in the Windows batch script.

bq. [re: docs duplication] Alternatively it should be possible to tag the paragraphs in securing-solr in some way so that you can include them with a reference in taking-solr-to-production

This is the path I ended up going down. Worked out pretty nicely.

bq. should it be instead IF DEFINED

Yep, fixed.

*On Naming*

Jan pointed out that we could come up with a better name than {{SOLR_JETTY_HOST}}. David pointed out that we have a smattering of other properties with at least some overlap ("host" in solr.xml, for one), and that we should aim for consistency in how these are set, and better documentation around what each does.

These are both good points, and confusing pieces of config that could benefit from straightening out. I straightened out the "jetty.host" vs "solr.jetty.host" http/https inconsistency. But in the interest of not letting the perfect get in the way of the good, I'd rather move that investigation/untangling to a separate jira.

I'll file a follow-up jira to re-examine the names and documentation around these host/port config values, and try to make progress on it over the holidays. I'm not sure I have enough time to fully untangle these additional settings and put together fixes, but I'll try to put together at least a good writeup so someone else can tackle it if I'm not able to.

*Moving Forward*

I just finished testing this. It looks good on both Windows and Linux. Any last qualms or votes against merging this? It's a pretty high impact change for users, but it addresses a real security need and the documentation makes it pretty clear how to change the default when necessary.

I'll aim to commit after the holidays if there are no additional concerns/feedback. I might send out a dev mail to let others know this is happening as well.

> bind to localhost by default
> ----------------------------
>
>                 Key: SOLR-13985
>                 URL: https://issues.apache.org/jira/browse/SOLR-13985
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>            Reporter: Robert Muir
>            Assignee: Jason Gerlowski
>            Priority: Major
>         Attachments: SOLR-13985.patch, SOLR-13985.patch, SOLR-13985.patch,
> SOLR-13985.patch
>
>
> Currently solr binds to all interfaces by default.
> The default should be safer, so that e.g. the user is not exposed to the
> internet until they make an explicit step to do so.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)