Questions about Solr's security

[Alireza Salimi <al...@gmail.com>]

Hi,

I was wondering if it's a good idea to expose Solr to the outside world,
so that our clients running on smart phones will be able to use Solr.

If we decide to do this, what's the security concerns about it?

For example, someone suggested we should limit the number of
rows requested in order to mitigate the attach of huge result set,
but I personally don't think it's a great idea, because a hacker
can run multiple queries simultaneously.

Is there any good reference for this purpose?

Regards

-- 
Alireza Salimi
Java EE Developer

Re: Questions about Solr's security

[Erick Erickson <er...@gmail.com>]

Well, one of the values of having people come at this from all different
angles is that the documentation can be customized as each person
sees in from a unique angle.

The Wiki pages are freely-editable, it'd be great if you were to go ahead
and add your perspective.

Best
Erick

On Thu, Nov 3, 2011 at 4:38 PM, Robert Petersen <ro...@buy.com> wrote:
> Me too!
>
> -----Original Message-----
> From: Walter Underwood [mailto:wunder@wunderwood.org]
> Sent: Tuesday, November 01, 2011 1:02 PM
> To: solr-user@lucene.apache.org
> Subject: Re: Questions about Solr's security
>
> I once had to deal with a severe performance problem caused by a bot
> that was requesting results starting at 5000. We disallowed requests
> over a certain number of pages in the front end to fix it.
>
> wunder
>
> On Nov 1, 2011, at 12:57 PM, Erik Hatcher wrote:
>
>> Be aware that even /select could have some harmful effects, see
> https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
>>
>> Even disregarding that issue, /select is a potential gateway to any
> request handler defined via /select?qt=/req_handler
>>
>> Again, in general it's not a good idea to expose Solr to anything but
> a controlled app server.
>>
>>       Erik
>>
>> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
>>
>>> What if we just expose '/select' paths - by firewalls and load
> balancers -
>>> and
>>> also use SSL and HTTP basic or digest access control?
>>>
>>> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter
> <ho...@fucit.org>wrote:
>>>
>>>>
>>>> : I was wondering if it's a good idea to expose Solr to the outside
> world,
>>>> : so that our clients running on smart phones will be able to use
> Solr.
>>>>
>>>> As a general rule of thumb, i would say that it is not a good idea
> to
>>>> expose solr directly to the public internet.
>>>>
>>>> there are exceptions to this rule -- AOL hosted some live solr
> instances
>>>> of the Sarah Palin emails for HufPo -- but it is definitely an
> expert
>>>> level type thing for people who are so familiar with solr they know
>>>> exactly what to lock down to make it "safe"
>>>>
>>>> for typical users: put an application between your untrusted users
> and
>>>> solr and only let that application generate "safe" welformed
> requests to
>>>> Solr...
>>>>
>>>> https://wiki.apache.org/solr/SolrSecurity
>>>>
>>>>
>>>> -Hoss
>>>>
>>>
>>>
>>>
>>> --
>>> Alireza Salimi
>>> Java EE Developer
>>
>
> --
> Walter Underwood
> Venture Asst. Scoutmaster
> Troop 14, Palo Alto, CA
>
>
>
>

RE: Questions about Solr's security

[Robert Petersen <ro...@buy.com>]

Me too!

-----Original Message-----
From: Walter Underwood [mailto:wunder@wunderwood.org] 
Sent: Tuesday, November 01, 2011 1:02 PM
To: solr-user@lucene.apache.org
Subject: Re: Questions about Solr's security

I once had to deal with a severe performance problem caused by a bot
that was requesting results starting at 5000. We disallowed requests
over a certain number of pages in the front end to fix it.

wunder

On Nov 1, 2011, at 12:57 PM, Erik Hatcher wrote:

> Be aware that even /select could have some harmful effects, see
https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
> 
> Even disregarding that issue, /select is a potential gateway to any
request handler defined via /select?qt=/req_handler
> 
> Again, in general it's not a good idea to expose Solr to anything but
a controlled app server.  
> 
> 	Erik
> 
> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
> 
>> What if we just expose '/select' paths - by firewalls and load
balancers -
>> and
>> also use SSL and HTTP basic or digest access control?
>> 
>> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter
<ho...@fucit.org>wrote:
>> 
>>> 
>>> : I was wondering if it's a good idea to expose Solr to the outside
world,
>>> : so that our clients running on smart phones will be able to use
Solr.
>>> 
>>> As a general rule of thumb, i would say that it is not a good idea
to
>>> expose solr directly to the public internet.
>>> 
>>> there are exceptions to this rule -- AOL hosted some live solr
instances
>>> of the Sarah Palin emails for HufPo -- but it is definitely an
expert
>>> level type thing for people who are so familiar with solr they know
>>> exactly what to lock down to make it "safe"
>>> 
>>> for typical users: put an application between your untrusted users
and
>>> solr and only let that application generate "safe" welformed
requests to
>>> Solr...
>>> 
>>> https://wiki.apache.org/solr/SolrSecurity
>>> 
>>> 
>>> -Hoss
>>> 
>> 
>> 
>> 
>> -- 
>> Alireza Salimi
>> Java EE Developer
> 

--
Walter Underwood
Venture Asst. Scoutmaster
Troop 14, Palo Alto, CA

Re: Questions about Solr's security

[Walter Underwood <wu...@wunderwood.org>]

I once had to deal with a severe performance problem caused by a bot that was requesting results starting at 5000. We disallowed requests over a certain number of pages in the front end to fix it.

wunder

On Nov 1, 2011, at 12:57 PM, Erik Hatcher wrote:

> Be aware that even /select could have some harmful effects, see https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
> 
> Even disregarding that issue, /select is a potential gateway to any request handler defined via /select?qt=/req_handler
> 
> Again, in general it's not a good idea to expose Solr to anything but a controlled app server.  
> 
> 	Erik
> 
> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
> 
>> What if we just expose '/select' paths - by firewalls and load balancers -
>> and
>> also use SSL and HTTP basic or digest access control?
>> 
>> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <ho...@fucit.org>wrote:
>> 
>>> 
>>> : I was wondering if it's a good idea to expose Solr to the outside world,
>>> : so that our clients running on smart phones will be able to use Solr.
>>> 
>>> As a general rule of thumb, i would say that it is not a good idea to
>>> expose solr directly to the public internet.
>>> 
>>> there are exceptions to this rule -- AOL hosted some live solr instances
>>> of the Sarah Palin emails for HufPo -- but it is definitely an expert
>>> level type thing for people who are so familiar with solr they know
>>> exactly what to lock down to make it "safe"
>>> 
>>> for typical users: put an application between your untrusted users and
>>> solr and only let that application generate "safe" welformed requests to
>>> Solr...
>>> 
>>> https://wiki.apache.org/solr/SolrSecurity
>>> 
>>> 
>>> -Hoss
>>> 
>> 
>> 
>> 
>> -- 
>> Alireza Salimi
>> Java EE Developer
> 

--
Walter Underwood
Venture Asst. Scoutmaster
Troop 14, Palo Alto, CA

Re: Questions about Solr's security

[Alireza Salimi <al...@gmail.com>]

Yeah, actually our firewalls/loadbalancers can handle these issues.
If they don't, then I'll use HAProxy.

Thanks for all info :-)

On Tue, Nov 1, 2011 at 5:42 PM, Robert Stewart <bs...@gmail.com>wrote:

> I think you can address a lot of these concerns by running some proxy in
> front of SOLR, such as HAProxy.  You should be able to limit only certain
> URIs (so you can prevent /select queries).    HAProxy is a free software
> load-balancer, and it is very configurable and fairly easy to setup.
>
>
> On Nov 1, 2011, at 4:54 PM, Alireza Salimi wrote:
>
> > sorry, I didn't explain that part. We are the developers of client codes
> > too.
> > Meaning that just we know the credentials to access the web container,
> > and we won't run such queries.
> >
> > Right now, I'm writing a subclass of SearchHandler which changes the
> > SolrParams
> > to remove 'qt' parameter and limit the 'rows'. It must not be needed,
> > because
> > we are assuming that all requests will come from authenticated users, but
> > just
> > in case.
> >
> > Thanks
> >
> > On Tue, Nov 1, 2011 at 4:50 PM, Erik Hatcher <er...@gmail.com>
> wrote:
> >
> >> SSL and auth doesn't address that /select can hit any request handler
> >> defined
> >>
> (/select?qt=/update&stream.body=<delete><query>*:*</query></delete>&commit=true).
> >> Be careful!
> >>
> >> But certainly knowing all the issues mentioned on this thread, it is
> >> possible to lock Solr down and make it safe to hit directly.  But not
> out
> >> of the box or trivially.
> >>
> >>       Erik
> >>
> >>
> >>
> >> On Nov 1, 2011, at 16:09 , Alireza Salimi wrote:
> >>
> >>> I'm not sure if anybody has asked these questions before or not.
> >>> Sorry if they are duplicates.
> >>>
> >>> The problem is that the clients (smart phones) of our Solr machines
> >>> are outside the network in which solr machines are located. So, we
> >>> need to somehow expose their service to the outside word.
> >>>
> >>> What's the safest way to do that?
> >>> If we implement just a controlled app sitting between those clients
> >>> we gonna waste lots of processing power because of proxying between
> >>> Solr and clients.
> >>>
> >>> We might also ignore some HTTP headers that Solr would generate
> >>> such as HTTP Cache headers. Anyways, creating such an application
> >>> seems to be a lot of work which is not that needed.
> >>>
> >>> Erik, do you think even if we use SSL and HTTP Authentication, still
> >>> it's not a good idea to expose Solr services?
> >>>
> >>>
> >>>
> >>> On Tue, Nov 1, 2011 at 3:57 PM, Erik Hatcher <er...@gmail.com>
> >> wrote:
> >>>
> >>>> Be aware that even /select could have some harmful effects, see
> >>>> https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
> >>>>
> >>>> Even disregarding that issue, /select is a potential gateway to any
> >>>> request handler defined via /select?qt=/req_handler
> >>>>
> >>>> Again, in general it's not a good idea to expose Solr to anything but
> a
> >>>> controlled app server.
> >>>>
> >>>>      Erik
> >>>>
> >>>> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
> >>>>
> >>>>> What if we just expose '/select' paths - by firewalls and load
> >> balancers
> >>>> -
> >>>>> and
> >>>>> also use SSL and HTTP basic or digest access control?
> >>>>>
> >>>>> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <
> >>>> hossman_lucene@fucit.org>wrote:
> >>>>>
> >>>>>>
> >>>>>> : I was wondering if it's a good idea to expose Solr to the outside
> >>>> world,
> >>>>>> : so that our clients running on smart phones will be able to use
> >> Solr.
> >>>>>>
> >>>>>> As a general rule of thumb, i would say that it is not a good idea
> to
> >>>>>> expose solr directly to the public internet.
> >>>>>>
> >>>>>> there are exceptions to this rule -- AOL hosted some live solr
> >> instances
> >>>>>> of the Sarah Palin emails for HufPo -- but it is definitely an
> expert
> >>>>>> level type thing for people who are so familiar with solr they know
> >>>>>> exactly what to lock down to make it "safe"
> >>>>>>
> >>>>>> for typical users: put an application between your untrusted users
> and
> >>>>>> solr and only let that application generate "safe" welformed
> requests
> >> to
> >>>>>> Solr...
> >>>>>>
> >>>>>> https://wiki.apache.org/solr/SolrSecurity
> >>>>>>
> >>>>>>
> >>>>>> -Hoss
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Alireza Salimi
> >>>>> Java EE Developer
> >>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> Alireza Salimi
> >>> Java EE Developer
> >>
> >>
> >
> >
> > --
> > Alireza Salimi
> > Java EE Developer
>
>


-- 
Alireza Salimi
Java EE Developer

Re: Questions about Solr's security

[Robert Stewart <bs...@gmail.com>]

I think you can address a lot of these concerns by running some proxy in front of SOLR, such as HAProxy.  You should be able to limit only certain URIs (so you can prevent /select queries).    HAProxy is a free software load-balancer, and it is very configurable and fairly easy to setup.


On Nov 1, 2011, at 4:54 PM, Alireza Salimi wrote:

> sorry, I didn't explain that part. We are the developers of client codes
> too.
> Meaning that just we know the credentials to access the web container,
> and we won't run such queries.
> 
> Right now, I'm writing a subclass of SearchHandler which changes the
> SolrParams
> to remove 'qt' parameter and limit the 'rows'. It must not be needed,
> because
> we are assuming that all requests will come from authenticated users, but
> just
> in case.
> 
> Thanks
> 
> On Tue, Nov 1, 2011 at 4:50 PM, Erik Hatcher <er...@gmail.com> wrote:
> 
>> SSL and auth doesn't address that /select can hit any request handler
>> defined
>> (/select?qt=/update&stream.body=<delete><query>*:*</query></delete>&commit=true).
>> Be careful!
>> 
>> But certainly knowing all the issues mentioned on this thread, it is
>> possible to lock Solr down and make it safe to hit directly.  But not out
>> of the box or trivially.
>> 
>>       Erik
>> 
>> 
>> 
>> On Nov 1, 2011, at 16:09 , Alireza Salimi wrote:
>> 
>>> I'm not sure if anybody has asked these questions before or not.
>>> Sorry if they are duplicates.
>>> 
>>> The problem is that the clients (smart phones) of our Solr machines
>>> are outside the network in which solr machines are located. So, we
>>> need to somehow expose their service to the outside word.
>>> 
>>> What's the safest way to do that?
>>> If we implement just a controlled app sitting between those clients
>>> we gonna waste lots of processing power because of proxying between
>>> Solr and clients.
>>> 
>>> We might also ignore some HTTP headers that Solr would generate
>>> such as HTTP Cache headers. Anyways, creating such an application
>>> seems to be a lot of work which is not that needed.
>>> 
>>> Erik, do you think even if we use SSL and HTTP Authentication, still
>>> it's not a good idea to expose Solr services?
>>> 
>>> 
>>> 
>>> On Tue, Nov 1, 2011 at 3:57 PM, Erik Hatcher <er...@gmail.com>
>> wrote:
>>> 
>>>> Be aware that even /select could have some harmful effects, see
>>>> https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
>>>> 
>>>> Even disregarding that issue, /select is a potential gateway to any
>>>> request handler defined via /select?qt=/req_handler
>>>> 
>>>> Again, in general it's not a good idea to expose Solr to anything but a
>>>> controlled app server.
>>>> 
>>>>      Erik
>>>> 
>>>> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
>>>> 
>>>>> What if we just expose '/select' paths - by firewalls and load
>> balancers
>>>> -
>>>>> and
>>>>> also use SSL and HTTP basic or digest access control?
>>>>> 
>>>>> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <
>>>> hossman_lucene@fucit.org>wrote:
>>>>> 
>>>>>> 
>>>>>> : I was wondering if it's a good idea to expose Solr to the outside
>>>> world,
>>>>>> : so that our clients running on smart phones will be able to use
>> Solr.
>>>>>> 
>>>>>> As a general rule of thumb, i would say that it is not a good idea to
>>>>>> expose solr directly to the public internet.
>>>>>> 
>>>>>> there are exceptions to this rule -- AOL hosted some live solr
>> instances
>>>>>> of the Sarah Palin emails for HufPo -- but it is definitely an expert
>>>>>> level type thing for people who are so familiar with solr they know
>>>>>> exactly what to lock down to make it "safe"
>>>>>> 
>>>>>> for typical users: put an application between your untrusted users and
>>>>>> solr and only let that application generate "safe" welformed requests
>> to
>>>>>> Solr...
>>>>>> 
>>>>>> https://wiki.apache.org/solr/SolrSecurity
>>>>>> 
>>>>>> 
>>>>>> -Hoss
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Alireza Salimi
>>>>> Java EE Developer
>>>> 
>>>> 
>>> 
>>> 
>>> --
>>> Alireza Salimi
>>> Java EE Developer
>> 
>> 
> 
> 
> -- 
> Alireza Salimi
> Java EE Developer

Re: Questions about Solr's security

[Alireza Salimi <al...@gmail.com>]

sorry, I didn't explain that part. We are the developers of client codes
too.
Meaning that just we know the credentials to access the web container,
and we won't run such queries.

Right now, I'm writing a subclass of SearchHandler which changes the
SolrParams
to remove 'qt' parameter and limit the 'rows'. It must not be needed,
because
we are assuming that all requests will come from authenticated users, but
just
in case.

Thanks

On Tue, Nov 1, 2011 at 4:50 PM, Erik Hatcher <er...@gmail.com> wrote:

> SSL and auth doesn't address that /select can hit any request handler
> defined
> (/select?qt=/update&stream.body=<delete><query>*:*</query></delete>&commit=true).
>  Be careful!
>
> But certainly knowing all the issues mentioned on this thread, it is
> possible to lock Solr down and make it safe to hit directly.  But not out
> of the box or trivially.
>
>        Erik
>
>
>
> On Nov 1, 2011, at 16:09 , Alireza Salimi wrote:
>
> > I'm not sure if anybody has asked these questions before or not.
> > Sorry if they are duplicates.
> >
> > The problem is that the clients (smart phones) of our Solr machines
> > are outside the network in which solr machines are located. So, we
> > need to somehow expose their service to the outside word.
> >
> > What's the safest way to do that?
> > If we implement just a controlled app sitting between those clients
> > we gonna waste lots of processing power because of proxying between
> > Solr and clients.
> >
> > We might also ignore some HTTP headers that Solr would generate
> > such as HTTP Cache headers. Anyways, creating such an application
> > seems to be a lot of work which is not that needed.
> >
> > Erik, do you think even if we use SSL and HTTP Authentication, still
> > it's not a good idea to expose Solr services?
> >
> >
> >
> > On Tue, Nov 1, 2011 at 3:57 PM, Erik Hatcher <er...@gmail.com>
> wrote:
> >
> >> Be aware that even /select could have some harmful effects, see
> >> https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
> >>
> >> Even disregarding that issue, /select is a potential gateway to any
> >> request handler defined via /select?qt=/req_handler
> >>
> >> Again, in general it's not a good idea to expose Solr to anything but a
> >> controlled app server.
> >>
> >>       Erik
> >>
> >> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
> >>
> >>> What if we just expose '/select' paths - by firewalls and load
> balancers
> >> -
> >>> and
> >>> also use SSL and HTTP basic or digest access control?
> >>>
> >>> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <
> >> hossman_lucene@fucit.org>wrote:
> >>>
> >>>>
> >>>> : I was wondering if it's a good idea to expose Solr to the outside
> >> world,
> >>>> : so that our clients running on smart phones will be able to use
> Solr.
> >>>>
> >>>> As a general rule of thumb, i would say that it is not a good idea to
> >>>> expose solr directly to the public internet.
> >>>>
> >>>> there are exceptions to this rule -- AOL hosted some live solr
> instances
> >>>> of the Sarah Palin emails for HufPo -- but it is definitely an expert
> >>>> level type thing for people who are so familiar with solr they know
> >>>> exactly what to lock down to make it "safe"
> >>>>
> >>>> for typical users: put an application between your untrusted users and
> >>>> solr and only let that application generate "safe" welformed requests
> to
> >>>> Solr...
> >>>>
> >>>> https://wiki.apache.org/solr/SolrSecurity
> >>>>
> >>>>
> >>>> -Hoss
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Alireza Salimi
> >>> Java EE Developer
> >>
> >>
> >
> >
> > --
> > Alireza Salimi
> > Java EE Developer
>
>


-- 
Alireza Salimi
Java EE Developer

RE: Questions about Solr's security

["Jaeger, Jay - DOT" <Ja...@dot.wi.gov>]

It seems to me that this issue needs to be addressed in the FAQ and in the tutorial, and that somewhere there should be a /select lock-down "how to".   This is not obvious to many (most?) users of Solr.  It certainly wasn't obvious to me before I read this.

JRJ

-----Original Message-----
From: Erik Hatcher [mailto:erik.hatcher@gmail.com] 
Sent: Tuesday, November 01, 2011 3:50 PM
To: solr-user@lucene.apache.org
Subject: Re: Questions about Solr's security

SSL and auth doesn't address that /select can hit any request handler defined (/select?qt=/update&stream.body=<delete><query>*:*</query></delete>&commit=true).  Be careful!

But certainly knowing all the issues mentioned on this thread, it is possible to lock Solr down and make it safe to hit directly.  But not out of the box or trivially.

	Erik



On Nov 1, 2011, at 16:09 , Alireza Salimi wrote:

> I'm not sure if anybody has asked these questions before or not.
> Sorry if they are duplicates.
> 
> The problem is that the clients (smart phones) of our Solr machines
> are outside the network in which solr machines are located. So, we
> need to somehow expose their service to the outside word.
> 
> What's the safest way to do that?
> If we implement just a controlled app sitting between those clients
> we gonna waste lots of processing power because of proxying between
> Solr and clients.
> 
> We might also ignore some HTTP headers that Solr would generate
> such as HTTP Cache headers. Anyways, creating such an application
> seems to be a lot of work which is not that needed.
> 
> Erik, do you think even if we use SSL and HTTP Authentication, still
> it's not a good idea to expose Solr services?
> 
> 
> 
> On Tue, Nov 1, 2011 at 3:57 PM, Erik Hatcher <er...@gmail.com> wrote:
> 
>> Be aware that even /select could have some harmful effects, see
>> https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
>> 
>> Even disregarding that issue, /select is a potential gateway to any
>> request handler defined via /select?qt=/req_handler
>> 
>> Again, in general it's not a good idea to expose Solr to anything but a
>> controlled app server.
>> 
>>       Erik
>> 
>> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
>> 
>>> What if we just expose '/select' paths - by firewalls and load balancers
>> -
>>> and
>>> also use SSL and HTTP basic or digest access control?
>>> 
>>> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <
>> hossman_lucene@fucit.org>wrote:
>>> 
>>>> 
>>>> : I was wondering if it's a good idea to expose Solr to the outside
>> world,
>>>> : so that our clients running on smart phones will be able to use Solr.
>>>> 
>>>> As a general rule of thumb, i would say that it is not a good idea to
>>>> expose solr directly to the public internet.
>>>> 
>>>> there are exceptions to this rule -- AOL hosted some live solr instances
>>>> of the Sarah Palin emails for HufPo -- but it is definitely an expert
>>>> level type thing for people who are so familiar with solr they know
>>>> exactly what to lock down to make it "safe"
>>>> 
>>>> for typical users: put an application between your untrusted users and
>>>> solr and only let that application generate "safe" welformed requests to
>>>> Solr...
>>>> 
>>>> https://wiki.apache.org/solr/SolrSecurity
>>>> 
>>>> 
>>>> -Hoss
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> Alireza Salimi
>>> Java EE Developer
>> 
>> 
> 
> 
> -- 
> Alireza Salimi
> Java EE Developer

Re: Questions about Solr's security

[Erik Hatcher <er...@gmail.com>]

SSL and auth doesn't address that /select can hit any request handler defined (/select?qt=/update&stream.body=<delete><query>*:*</query></delete>&commit=true).  Be careful!

But certainly knowing all the issues mentioned on this thread, it is possible to lock Solr down and make it safe to hit directly.  But not out of the box or trivially.

	Erik



On Nov 1, 2011, at 16:09 , Alireza Salimi wrote:

> I'm not sure if anybody has asked these questions before or not.
> Sorry if they are duplicates.
> 
> The problem is that the clients (smart phones) of our Solr machines
> are outside the network in which solr machines are located. So, we
> need to somehow expose their service to the outside word.
> 
> What's the safest way to do that?
> If we implement just a controlled app sitting between those clients
> we gonna waste lots of processing power because of proxying between
> Solr and clients.
> 
> We might also ignore some HTTP headers that Solr would generate
> such as HTTP Cache headers. Anyways, creating such an application
> seems to be a lot of work which is not that needed.
> 
> Erik, do you think even if we use SSL and HTTP Authentication, still
> it's not a good idea to expose Solr services?
> 
> 
> 
> On Tue, Nov 1, 2011 at 3:57 PM, Erik Hatcher <er...@gmail.com> wrote:
> 
>> Be aware that even /select could have some harmful effects, see
>> https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
>> 
>> Even disregarding that issue, /select is a potential gateway to any
>> request handler defined via /select?qt=/req_handler
>> 
>> Again, in general it's not a good idea to expose Solr to anything but a
>> controlled app server.
>> 
>>       Erik
>> 
>> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
>> 
>>> What if we just expose '/select' paths - by firewalls and load balancers
>> -
>>> and
>>> also use SSL and HTTP basic or digest access control?
>>> 
>>> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <
>> hossman_lucene@fucit.org>wrote:
>>> 
>>>> 
>>>> : I was wondering if it's a good idea to expose Solr to the outside
>> world,
>>>> : so that our clients running on smart phones will be able to use Solr.
>>>> 
>>>> As a general rule of thumb, i would say that it is not a good idea to
>>>> expose solr directly to the public internet.
>>>> 
>>>> there are exceptions to this rule -- AOL hosted some live solr instances
>>>> of the Sarah Palin emails for HufPo -- but it is definitely an expert
>>>> level type thing for people who are so familiar with solr they know
>>>> exactly what to lock down to make it "safe"
>>>> 
>>>> for typical users: put an application between your untrusted users and
>>>> solr and only let that application generate "safe" welformed requests to
>>>> Solr...
>>>> 
>>>> https://wiki.apache.org/solr/SolrSecurity
>>>> 
>>>> 
>>>> -Hoss
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> Alireza Salimi
>>> Java EE Developer
>> 
>> 
> 
> 
> -- 
> Alireza Salimi
> Java EE Developer

Re: Questions about Solr's security

[Alireza Salimi <al...@gmail.com>]

I'm not sure if anybody has asked these questions before or not.
Sorry if they are duplicates.

The problem is that the clients (smart phones) of our Solr machines
are outside the network in which solr machines are located. So, we
need to somehow expose their service to the outside word.

What's the safest way to do that?
If we implement just a controlled app sitting between those clients
we gonna waste lots of processing power because of proxying between
Solr and clients.

We might also ignore some HTTP headers that Solr would generate
such as HTTP Cache headers. Anyways, creating such an application
seems to be a lot of work which is not that needed.

Erik, do you think even if we use SSL and HTTP Authentication, still
it's not a good idea to expose Solr services?



On Tue, Nov 1, 2011 at 3:57 PM, Erik Hatcher <er...@gmail.com> wrote:

> Be aware that even /select could have some harmful effects, see
> https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).
>
> Even disregarding that issue, /select is a potential gateway to any
> request handler defined via /select?qt=/req_handler
>
> Again, in general it's not a good idea to expose Solr to anything but a
> controlled app server.
>
>        Erik
>
> On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:
>
> > What if we just expose '/select' paths - by firewalls and load balancers
> -
> > and
> > also use SSL and HTTP basic or digest access control?
> >
> > On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <
> hossman_lucene@fucit.org>wrote:
> >
> >>
> >> : I was wondering if it's a good idea to expose Solr to the outside
> world,
> >> : so that our clients running on smart phones will be able to use Solr.
> >>
> >> As a general rule of thumb, i would say that it is not a good idea to
> >> expose solr directly to the public internet.
> >>
> >> there are exceptions to this rule -- AOL hosted some live solr instances
> >> of the Sarah Palin emails for HufPo -- but it is definitely an expert
> >> level type thing for people who are so familiar with solr they know
> >> exactly what to lock down to make it "safe"
> >>
> >> for typical users: put an application between your untrusted users and
> >> solr and only let that application generate "safe" welformed requests to
> >> Solr...
> >>
> >> https://wiki.apache.org/solr/SolrSecurity
> >>
> >>
> >> -Hoss
> >>
> >
> >
> >
> > --
> > Alireza Salimi
> > Java EE Developer
>
>


-- 
Alireza Salimi
Java EE Developer

Re: Questions about Solr's security

[Erik Hatcher <er...@gmail.com>]

Be aware that even /select could have some harmful effects, see https://issues.apache.org/jira/browse/SOLR-2854 (addressed on trunk).

Even disregarding that issue, /select is a potential gateway to any request handler defined via /select?qt=/req_handler

Again, in general it's not a good idea to expose Solr to anything but a controlled app server.  

	Erik

On Nov 1, 2011, at 15:51 , Alireza Salimi wrote:

> What if we just expose '/select' paths - by firewalls and load balancers -
> and
> also use SSL and HTTP basic or digest access control?
> 
> On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <ho...@fucit.org>wrote:
> 
>> 
>> : I was wondering if it's a good idea to expose Solr to the outside world,
>> : so that our clients running on smart phones will be able to use Solr.
>> 
>> As a general rule of thumb, i would say that it is not a good idea to
>> expose solr directly to the public internet.
>> 
>> there are exceptions to this rule -- AOL hosted some live solr instances
>> of the Sarah Palin emails for HufPo -- but it is definitely an expert
>> level type thing for people who are so familiar with solr they know
>> exactly what to lock down to make it "safe"
>> 
>> for typical users: put an application between your untrusted users and
>> solr and only let that application generate "safe" welformed requests to
>> Solr...
>> 
>> https://wiki.apache.org/solr/SolrSecurity
>> 
>> 
>> -Hoss
>> 
> 
> 
> 
> -- 
> Alireza Salimi
> Java EE Developer

Re: Questions about Solr's security

[Alireza Salimi <al...@gmail.com>]

What if we just expose '/select' paths - by firewalls and load balancers -
 and
also use SSL and HTTP basic or digest access control?

On Tue, Nov 1, 2011 at 2:20 PM, Chris Hostetter <ho...@fucit.org>wrote:

>
> : I was wondering if it's a good idea to expose Solr to the outside world,
> : so that our clients running on smart phones will be able to use Solr.
>
> As a general rule of thumb, i would say that it is not a good idea to
> expose solr directly to the public internet.
>
> there are exceptions to this rule -- AOL hosted some live solr instances
> of the Sarah Palin emails for HufPo -- but it is definitely an expert
> level type thing for people who are so familiar with solr they know
> exactly what to lock down to make it "safe"
>
> for typical users: put an application between your untrusted users and
> solr and only let that application generate "safe" welformed requests to
> Solr...
>
> https://wiki.apache.org/solr/SolrSecurity
>
>
> -Hoss
>



-- 
Alireza Salimi
Java EE Developer

Re: Questions about Solr's security

[Chris Hostetter <ho...@fucit.org>]

: I was wondering if it's a good idea to expose Solr to the outside world,
: so that our clients running on smart phones will be able to use Solr.

As a general rule of thumb, i would say that it is not a good idea to 
expose solr directly to the public internet.

there are exceptions to this rule -- AOL hosted some live solr instances 
of the Sarah Palin emails for HufPo -- but it is definitely an expert 
level type thing for people who are so familiar with solr they know 
exactly what to lock down to make it "safe"

for typical users: put an application between your untrusted users and 
solr and only let that application generate "safe" welformed requests to 
Solr...

https://wiki.apache.org/solr/SolrSecurity


-Hoss

Re: Questions about Solr's security

[Alireza Salimi <al...@gmail.com>]

Thanks Robert,

But do you also think limiting the page size inside a request handler is a
good
solution for attackers? Honestly, I'm not sure if it's a good solution,
that doesn't
save a server from attackers at all. Do you agree with me?

We are not security experts, just developers, but any suggestion from you
guys
is appreciated.

thanks


On Tue, Nov 1, 2011 at 12:43 PM, Robert Stewart <bs...@gmail.com>wrote:

> You would need to setup request handlers in solrconfig.xml to limit what
> types of queries people can send to SOLR (and define things like max page
> size, etc).  You need to restrict people from sending update/delete
> commands as well.
>
> Then at the minimum, setup some proxy in front of SOLR that you actually
> expose to outside world, something like HAProxy, which you can probably
> configure for things like max concurrent requests, etc. in order to
> mitigate denial of service attacks.
>
>
> On Nov 1, 2011, at 12:22 PM, Alireza Salimi wrote:
>
> > Hi,
> >
> > I was wondering if it's a good idea to expose Solr to the outside world,
> > so that our clients running on smart phones will be able to use Solr.
> >
> > If we decide to do this, what's the security concerns about it?
> >
> > For example, someone suggested we should limit the number of
> > rows requested in order to mitigate the attach of huge result set,
> > but I personally don't think it's a great idea, because a hacker
> > can run multiple queries simultaneously.
> >
> > Is there any good reference for this purpose?
> >
> > Regards
> >
> > --
> > Alireza Salimi
> > Java EE Developer
>
>


-- 
Alireza Salimi
Java EE Developer

Re: Questions about Solr's security

[Robert Stewart <bs...@gmail.com>]

You would need to setup request handlers in solrconfig.xml to limit what types of queries people can send to SOLR (and define things like max page size, etc).  You need to restrict people from sending update/delete commands as well.  

Then at the minimum, setup some proxy in front of SOLR that you actually expose to outside world, something like HAProxy, which you can probably configure for things like max concurrent requests, etc. in order to mitigate denial of service attacks.


On Nov 1, 2011, at 12:22 PM, Alireza Salimi wrote:

> Hi,
> 
> I was wondering if it's a good idea to expose Solr to the outside world,
> so that our clients running on smart phones will be able to use Solr.
> 
> If we decide to do this, what's the security concerns about it?
> 
> For example, someone suggested we should limit the number of
> rows requested in order to mitigate the attach of huge result set,
> but I personally don't think it's a great idea, because a hacker
> can run multiple queries simultaneously.
> 
> Is there any good reference for this purpose?
> 
> Regards
> 
> -- 
> Alireza Salimi
> Java EE Developer