You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@solr.apache.org by David Ahia <Da...@dpss.lacounty.gov> on 2022/09/13 20:08:31 UTC
Configure Jetty custom error page under Solr
As a result of a security scan of Solr, I am being asked to block the display of error messages. Is there a recommended guide for configuring Jetty with a custom error page to ensure error messages are not displayed through the web UI?
David Ahia,
Principal Application Developer
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any unauthorized disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
Re: Configure Jetty custom error page under Solr
Posted by Shawn Heisey <ap...@elyograg.org.INVALID>.
On 9/13/22 14:08, David Ahia wrote:
> As a result of a security scan of Solr, I am being asked to block the display of error messages. Is there a recommended guide for configuring Jetty with a custom error page to ensure error messages are not displayed through the web UI?
If anything other than allowed applications and trusted admins is able
to make a connection to your Solr install, then you've already lost the
security battle. The fact that Solr returns error messages shouldn't be
an issue, because attackers should not be allowed to even make a network
connection to Solr.
If somebody manages to compromise your front-end systems and get access
to anything those have access to, then there are far more interesting
and damaging systems at their disposal than your search engine. Search
engines normally do not contain super-sensitive information, but
databases do.
Thanks,
Shawn