You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2023/05/02 21:49:00 UTC

[jira] [Updated] (SOLR-14148) enable IP access control by default

     [ https://issues.apache.org/jira/browse/SOLR-14148?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl updated SOLR-14148:
-------------------------------
    Description: 
Currently network access is wide-open to the world and the user has to "secure" it through steps on the [securing solr page|https://solr.apache.org/guide/solr/latest/deployment-guide/securing-solr.html]. Instead the user is asked to explicitly "tune a firewall"... these are not good defaults.

It would be much better if access was restricted by default via ACL (e.g. to {{{}127.0.0.0/8, [::1]{}}}), and the user instead explicitly grants access to hosts/networks that should have it. Similar to PostgreSQL's {{{}pg_hba.conf{}}}. Just like {{{}pg_hba.conf{}}}, this is separate from what interfaces are bound to by default.

We could remove the IP-based ACL step from securing solr page, and even change or remove the "firewall" wording at the top.

  was:
Currently network access is wide-open to the world and the user has to "secure" it through steps on the securing solr page. Instead the user is asked to explicitly "tune a firewall"... these are not good defaults.

It would be much better if access was restricted by default via ACL (e.g. to {{127.0.0.0/8, [::1]}}), and the user instead explicitly grants access to hosts/networks that should have it. Similar to PostgreSQL's {{pg_hba.conf}}. Just like {{pg_hba.conf}}, this is separate from what interfaces are bound to by default.

We could remove the IP-based ACL step from securing solr page, and even change or remove the "firewall" wording at the top.


> enable IP access control by default
> -----------------------------------
>
>                 Key: SOLR-14148
>                 URL: https://issues.apache.org/jira/browse/SOLR-14148
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Robert Muir
>            Priority: Major
>
> Currently network access is wide-open to the world and the user has to "secure" it through steps on the [securing solr page|https://solr.apache.org/guide/solr/latest/deployment-guide/securing-solr.html]. Instead the user is asked to explicitly "tune a firewall"... these are not good defaults.
> It would be much better if access was restricted by default via ACL (e.g. to {{{}127.0.0.0/8, [::1]{}}}), and the user instead explicitly grants access to hosts/networks that should have it. Similar to PostgreSQL's {{{}pg_hba.conf{}}}. Just like {{{}pg_hba.conf{}}}, this is separate from what interfaces are bound to by default.
> We could remove the IP-based ACL step from securing solr page, and even change or remove the "firewall" wording at the top.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org