I think generally it might be true that it's too difficult for an admin
without very specific knowledge of Solr internals to utilize simple URL
rewriting to prevent exploits. To show what I mean, here's a story where
someone was able to exploit a Solr server through a custom webapp, which in
theory is many times more obfuscated than a simple rewrite.

http://www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html

I know that some of the vulnerabilities used in this writeup have been
fixed, but the potential for other vulnerabilities such as these to appear
in the future is likely. That's just how software development works. It
would be hard for a casual user to maintain a rewriting scheme that both
secured the current release of Solr in any configuration and prevented any
new features from being exploited.

Just my two cents.

Michael Della Bitta

Applications Developer

o: +1 646 532 3062  | c: +1 917 477 7906

appinions inc.

“The Science of Influence Marketing”

18 East 41st Street

New York, NY 10017

t: @appinions <https://twitter.com/Appinions> | g+:
plus.google.com/appinions<https://plus.google.com/u/0/b/112002776285509593336/112002776285509593336/posts>
w: appinions.com <http://www.appinions.com/>


On Tue, Jan 7, 2014 at 3:45 AM, Raymond Wiker <rwi...@gmail.com> wrote:

> Indeed it is - but you'll also need mod_proxy ("just" rewriting will not be
> sufficient).
>
>
> On Tue, Jan 7, 2014 at 3:42 AM, Otis Gospodnetic <
> otis.gospodne...@gmail.com
> > wrote:
>
> > Apache url_rewrite can help with this and it's only a few minutes to set
> > up.
> >
> > Otis
> > --
> > Performance Monitoring * Log Analytics * Search Analytics
> > Solr & Elasticsearch Support * http://sematext.com/
> >
> >
> > On Mon, Jan 6, 2014 at 12:55 PM, Developer <bbar...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > We are currently showing the SOLR endpoints to the public when using
> our
> > > application (public users would be able to view the SOLR endpoints
> > > (/select)
> > > and the query in debugging console).
> > >
> > > I am trying to figure out if there is any security threat in terms of
> > > displaying the endpoints directly in internet. We have disabled the
> > update
> > > handler in production so I assume writes / updates are not possible.
> > >
> > > The below URL mentions a point 'Solr does not concern itself with
> > security
> > > either at the document level or the communication level. It is strongly
> > > recommended that the application server containing Solr be firewalled
> > > such that the only clients with access to Solr are your own.'
> > >
> > > Is the above statement true even if we just display the read-only
> > endpoints
> > > to the public users? Can someone please advise?
> > >
> > > http://wiki.apache.org/solr/SolrSecurity
> > >
> > >
> > >
> > > --
> > > View this message in context:
> > >
> >
> http://lucene.472066.n3.nabble.com/SOLR-Security-Displaying-endpoints-to-public-tp4109792.html
> > > Sent from the Solr - User mailing list archive at Nabble.com.
> > >
> >
>
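Since the thread above turns on whether an Apache rewrite or proxy rule in front of /select is enough, here is what such a rule would actually have to enforce, as an added example that is not part of any message in this thread and not Solr's, Apache's or anyone's production code. It is written in Python so the policy can be exercised directly rather than as an httpd configuration; the public core name, the parameter allowlist, the row limit and the function names are assumptions made for the example. The parameters it refuses (qt, shards, stream.*, tr, and any wt other than json or xml) are Solr request parameters that change what /select does without changing the URL path, which is the reason a path-only rewrite is not a security boundary.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumptions for this example (not settings from the thread): one core is
# public, and only a read-only search over it should ever reach Solr.
PUBLIC_CORES = {"products"}

# Parameters a public search page legitimately sends (assumed list). Anything
# not listed is dropped rather than forwarded, so a parameter added by a future
# Solr release is not exposed by default.
ALLOWED_PARAMS = {
    "q", "fq", "fl", "sort", "start", "rows", "wt", "indent",
    "facet", "facet.field", "facet.limit", "hl", "hl.fl", "defType", "df",
}

# Parameters that change what /select does while the URL path stays the same.
# They are why matching the path alone is not enough:
#   qt            selects another request handler when handleSelect is enabled
#   shards(.qt)   makes Solr itself issue HTTP requests to the listed hosts
#   stream.*      makes Solr read a remote URL, a local file or the request body
#   tr            names an XSLT stylesheet for the xslt response writer
DENIED_PARAMS = {
    "qt", "shards", "shards.qt", "shards.info", "shards.tolerant",
    "stream.url", "stream.file", "stream.body", "tr",
}

# Response writers that only serialise results; templating writers stay blocked.
ALLOWED_WT = {"json", "xml"}
MAX_ROWS = 100

# What a typical RewriteRule / ProxyPass pattern looks at: the URL path only.
SELECT_PATH = re.compile(r"^/solr/([A-Za-z0-9_-]+)/select/?$")


def naive_rewrite_allows(url: str) -> bool:
    """Path-only check in the spirit of a mod_rewrite rule: query string ignored."""
    return SELECT_PATH.match(urlsplit(url).path) is not None


def check_request(method: str, url: str):
    """Decide whether a request may be proxied to Solr.

    Returns (True, cleaned_query_string) for an allowed request, or
    (False, reason) when it must be rejected. Unknown parameters are dropped,
    denied parameters reject the whole request, and rows is clamped.
    Parameter names are compared after percent-decoding, so an encoded
    name such as q%74 is still recognised as qt.
    """
    if method != "GET":
        return False, "only GET is proxied"

    parts = urlsplit(url)
    match = SELECT_PATH.match(parts.path)
    if match is None:
        return False, "path is not a public /select handler"
    core = match.group(1)
    if core not in PUBLIC_CORES:
        return False, "core %r is not public" % core

    cleaned = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in DENIED_PARAMS:
            return False, "parameter %r is not allowed" % name
        if name not in ALLOWED_PARAMS:
            continue  # silently drop anything the search page does not need
        if name == "wt" and value not in ALLOWED_WT:
            return False, "response writer %r is not allowed" % value
        if name == "rows":
            try:
                value = str(max(0, min(int(value), MAX_ROWS)))
            except ValueError:
                value = str(MAX_ROWS)
        cleaned.append((name, value))
    return True, urlencode(cleaned)


if __name__ == "__main__":
    # Constructed sample requests; the hostname is a placeholder.
    for req in (
        "/solr/products/select?q=shoes&rows=10&wt=json",
        "/solr/products/select?q=shoes&qt=/update",
        "/solr/products/select?q=shoes&shards=attacker.example:8983/solr/products",
        "/solr/products/select?q=shoes&wt=xslt&tr=example.xsl",
        "/solr/admin/cores?action=STATUS",
    ):
        print(naive_rewrite_allows(req), check_request("GET", req), req)
```

The two checks diverge on the same URL: naive_rewrite_allows() passes /solr/products/select?q=shoes&qt=/update because a path pattern never sees the query string, while check_request() rejects it. The allowlist-with-drop approach is what keeps the scheme maintainable in the sense Michael describes: a new Solr parameter is not forwarded until someone deliberately adds it, whereas a blocklist has to be updated on every release. It still does nothing about features reachable through parameters that are allowed (q, fl, sort), so it narrows the surface rather than removing the need for a firewall.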
