Just put my solr on a private subnet. Nobody can reach it unless I will it.

I am just a bit concerned whether the solr requesthandler checks against
pen test logic.

Thank you for the support everyone. Appreciate it.

On Mon, Oct 5, 2015 at 2:43 PM, Upayavira <u...@odoko.co.uk> wrote:

> Well, there's a difference between disabling the UI and disabling the
> API. The UI can be disabled (I think) by deleting the contents of
> server/solr-webapp/webapp (leaving behind the WEB-INF directory). But
> really, all that is doing is hiding a heap of code that is public
> already.
>
> As has been said, it is the APIs that that UI (which is just
> HTML/CSS/JS) uses that really need to be protected. Without these, they
> don't really tell the user much (except, perhaps, if they really look
> and changes have been made to the UI, which version of Solr is in use).
>
> Personally, I'd rather the authentication framework be able to prevent
> access to the HTML/CSS/JS, as this is what users expect of a UI. Hiding
> the API is needed for security, hiding the UI is valuable in terms of
> user experience - e.g. what does a user see if the API is blocked?
> Probably a heap of nasty exceptions.
>
> Upayavira
>
> On Mon, Oct 5, 2015, at 07:38 PM, Walter Underwood wrote:
> > You understand that disabling the admin API will leave you with an
> > unmaintainable Solr installation, right? You might not even be able to
> > diagnose the problem.
> >
> > wunder
> > Walter Underwood
> > wun...@wunderwood.org
> > http://observer.wunderwood.org/  (my blog)
> >
> > > On Oct 5, 2015, at 11:34 AM, Siddhartha Singh Sandhu <sandhus...@gmail.com> wrote:
> > >
> > > Help please?
> > >
> > > On Sun, Oct 4, 2015 at 5:07 PM, Siddhartha Singh Sandhu <
> > > sandhus...@gmail.com> wrote:
> > >
> > >> Hi Shawn and Andrew,
> > >>
> > >> I am on the same page with you guys about the ssh authentication and
> > >> communicating with the APIs that SOLR has to provide. I simply don't
> > >> want the GUI as it is nobody will be able to access it once I set the
> > >> policy on my server except for servers in the same network. Also, now
> > >> that we are on that issue, do SOLR URLs have checks to guard against
> > >> penetration attacks as the "prod setup" guide is so openly available?
> > >>
> > >> Regards,
> > >> Sid.
> > >>
> > >> On Sun, Oct 4, 2015 at 4:55 AM, Andrea Open Source <
> > >> andrearoggerone.o...@gmail.com> wrote:
> > >>
> > >>> Hi,
> > >>> As Shawn is saying, disabling the Admin interface is not the right way to
> > >>> go. If you just disable the admin interface users could still run queries
> > >>> and you don't want that. The solution that you're looking for, is enabling
> > >>> the ssh authentication so only the users with the right certificate can
> > >>> query Solr or reach the admin.
> > >>>
> > >>>
> > >>> Kind Regards,
> > >>> Andrea Roggerone
> > >>>
> > >>>> On 04/ott/2015, at 08:11, Shawn Heisey <apa...@elyograg.org> wrote:
> > >>>>
> > >>>>> On 10/3/2015 9:17 PM, Siddhartha Singh Sandhu wrote:
> > >>>>> I want to disable the admin interface in SOLR. I understand that
> > >>>>> authentication is available in the solrcloud mode but until that
> > >>>>> happens I want to disable the admin interface in my prod environment.
> > >>>>>
> > >>>>> How can I do this?
> > >>>>
> > >>>> Why do you need to disable the admin interface?  The admin interface is
> > >>>> just a bunch of HTML, CSS, and Javascript.  It downloads code that runs
> > >>>> inside your browser and turns it into a tool that can manipulate Solr.
> > >>>>
> > >>>> The parts of Solr that need protecting are the APIs that the admin
> > >>>> interface calls.  When authentication is enabled in the newest Solr
> > >>>> versions, it is not the admin interface that is protected, it is those
> > >>>> APIs called by the admin interface.  Anyone can use those APIs directly,
> > >>>> completely independent of the interface.
> > >>>>
> > >>>> Thanks
> > >>>> Shawn
> > >>>>
> > >>>
> > >>
> > >>
> >
>
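
The point made in the thread, that removing the UI files leaves the admin APIs answering, can be checked from a host that should not have access. This is an added example, not part of the original messages and not Solr's own code; the default base URL, the function names and the result keys are assumptions, while the two admin paths are Solr's system-info and CoreAdmin endpoints.

```python
import sys
import urllib.error
import urllib.request

# Real Solr endpoints the admin UI's JavaScript calls (system info, CoreAdmin).
ADMIN_API_PATHS = [
    "/solr/admin/info/system?wt=json",
    "/solr/admin/cores?action=STATUS&wt=json",
]
UI_PATH = "/solr/"  # entry point of the static admin UI


def probe(base_url, path, timeout=5):
    """HTTP status of an unauthenticated GET, or None if the host is unreachable."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # must precede URLError (its parent class)
        return err.code
    except (urllib.error.URLError, OSError):
        return None  # filtered, refused or timed out


def classify(status):
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    if 200 <= status < 300:
        return "open"
    return "other-%d" % status


def audit(base_url, fetch=probe):
    """Classify the UI and admin API paths; `fetch` is injectable for testing."""
    results = {p: classify(fetch(base_url, p)) for p in [UI_PATH] + ADMIN_API_PATHS}
    api_open = any(results[p] == "open" for p in ADMIN_API_PATHS)
    # The case the thread warns about: UI files gone, APIs still answering.
    results["ui_hidden_but_api_open"] = api_open and results[UI_PATH] != "open"
    return results


if __name__ == "__main__":
    # Assumed default: Solr's standard port on the local host.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8983"
    for key, value in audit(target).items():
        print("%-45s %s" % (key, value))
```

Run it from a machine outside the private subnet: every path should come back `unreachable` or `auth-required`.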
