Exactly. This is a serious security loophole you would be opening up. What if I just ask for *:* and 500000000 rows to just take all of your data, while crashing your server, and just keep doing it in 20 simultaneous calls until it dies, and even if you wake it up I’ll just turn it back on and wreck it again to the point you just won’t have a search server by the time I’m done? At the very least no one else will get results unless you have some really good metal, at which point I up the simultaneous count until it just can’t serve.
Just a thought,

> On Sep 2, 2022, at 12:30 PM, Shawn Heisey <[email protected]> wrote:
>
> On 9/1/22 19:06, Victoria Stuart (VictoriasJourney.com) wrote:
>> I am moving from client-side (my personal local host environment; Linux) to
>> Solr running as a standalone backend server on a cloud VPS.
>>
>> The web domain (mine) is SSL-only, and Solr is SSL-enabled with a signed
>> (Let's Encrypt) certificate. My domain index.html page includes a search
>> interface (input element) to Solr.
>>
>> I am largely unfamiliar with deployment of Solr to the web.
>>
>> SSL etc. is enabled in "solr.in.sh", as is Basic Authentication.
>> "security.json" is present in "$SOLR_HOME". Access to the Admin UI is
>> password-protected (my Solr administrator username, password) with "admin"
>> role / privileges in Solr.
>>
>> I want to allow anonymous (i.e. any) users to be able to search the site;
>> however they are being required to log in to Solr.
>>
>> How do I enable this - either in the Admin UI Security pane, or
>> by manually editing "security.json"?
>
> You should NOT allow any IP address to get to Solr's port other than your
> applications and trusted admins. If you follow that advice, then you
> probably don't even need authentication, just a restriction of source IP
> addresses. If somebody compromises your application(s), then they would be
> able to get to Solr ... but that would also be the case even if you have
> authentication.
>
> End users should be using your application to do their searches, not a direct
> connection to Solr.
>
> Thanks,
> Shawn
>
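As an added example (not code from this thread or from the Solr project), here is the "end users go through your application" pattern the replies above recommend, written as a small application-side query gate: anonymous web users hand it only search text and a page number; it decides every other Solr parameter, hard-caps `rows` and paging depth so a `*:*` with 500000000 rows becomes a bounded request, and limits simultaneous searches per client so one caller cannot tie up the backend. The Solr URL, core name, field names and the numeric limits are assumptions chosen for the example; Solr's own port stays firewalled to the application host, and the application alone holds the Basic Auth credentials.

```python
"""Application-side search gate between anonymous users and a Solr backend.

Added example; not part of the mailing-list thread or the Solr project.
Assumed values: SOLR_BASE (core URL), qf/fl field names, and all limits.
"""
import base64
import threading
import urllib.parse
import urllib.request
from collections import defaultdict

SOLR_BASE = "https://solr.internal.example:8983/solr/mycore/select"  # assumed
MAX_ROWS = 50                 # hard cap regardless of what the client requests
MAX_START = 1000              # deep-paging cap (offset into the result set)
MAX_QUERY_LEN = 200           # bound the size of user-supplied search text
MAX_INFLIGHT_PER_CLIENT = 2   # simultaneous searches allowed per client address


class QueryRejected(ValueError):
    """Raised when untrusted input falls outside the limits enforced here."""


def build_solr_params(user_text, page=0, page_size=10):
    """Turn untrusted user input into a fixed, bounded Solr request.

    The user controls only the search text and the page. The query parser,
    the returned fields and the row/offset limits are decided by the app,
    so a request for '*:*' with an enormous row count is clamped to MAX_ROWS.
    """
    if not isinstance(user_text, str) or not user_text.strip():
        raise QueryRejected("empty query")
    if len(user_text) > MAX_QUERY_LEN:
        raise QueryRejected("query too long")
    rows = max(1, min(int(page_size), MAX_ROWS))
    start = max(0, int(page)) * rows
    if start > MAX_START:
        raise QueryRejected("page too deep")
    return {
        "defType": "edismax",  # user text is parsed as free text, not a raw Lucene query
        "q": user_text.strip(),
        "qf": "title body",    # assumed searchable fields
        "fl": "id,title",      # never return whole documents to anonymous users
        "rows": str(rows),
        "start": str(start),
        "wt": "json",
    }


class ConcurrencyGate:
    """Bound the number of in-flight searches per client address."""

    def __init__(self, limit=MAX_INFLIGHT_PER_CLIENT):
        self._limit = limit
        self._lock = threading.Lock()
        self._inflight = defaultdict(int)

    def acquire(self, client):
        with self._lock:
            if self._inflight[client] >= self._limit:
                return False
            self._inflight[client] += 1
            return True

    def release(self, client):
        with self._lock:
            self._inflight[client] = max(0, self._inflight[client] - 1)


def search(gate, client, user_text, page=0, page_size=10,
           solr_user=None, solr_pass=None, opener=urllib.request.urlopen):
    """Forward one bounded search to Solr on behalf of `client`.

    `opener` is injectable so the gate logic can be exercised without a
    live Solr; in production it is urllib.request.urlopen.
    """
    if not gate.acquire(client):
        raise QueryRejected("too many concurrent searches from this client")
    try:
        params = build_solr_params(user_text, page, page_size)
        req = urllib.request.Request(SOLR_BASE + "?" + urllib.parse.urlencode(params))
        if solr_user:
            # The application, not the browser, presents Solr's Basic Auth credentials.
            token = base64.b64encode(f"{solr_user}:{solr_pass}".encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        with opener(req, timeout=5) as resp:
            return resp.read()
    finally:
        gate.release(client)
```

Whatever the browser sends, the request that reaches Solr asks for at most `MAX_ROWS` documents, at most `MAX_START` deep, with a fixed field list; combined with a source-IP restriction on Solr's port, a direct `*:*` flood from the internet has no path to the backend at all, and a flood through the application is bounded per client by the gate.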
