[
https://issues.apache.org/jira/browse/SOLR-14148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17718847#comment-17718847
]
Jan Høydahl commented on SOLR-14148:
------------------------------------
Yea, but that's a whole different thing. This is about Jetty's IP access
control where you can limit what IP ranges can access Solr, when Solr binds to
some external network interface.
The feature is documented and easy to set up, so not sure how much we gain by
enabling it by default?
If we do more on -Dsolr.environment=dev/test/prod front, we could perahps let
Solr complain in prod mode if IP filter is not enabled etc.
> enable IP access control by default
> -----------------------------------
>
> Key: SOLR-14148
> URL: https://issues.apache.org/jira/browse/SOLR-14148
> Project: Solr
> Issue Type: Improvement
> Reporter: Robert Muir
> Priority: Major
>
> Currently network access is wide-open to the world and the user has to
> "secure" it through steps on the [securing solr
> page|https://solr.apache.org/guide/solr/latest/deployment-guide/securing-solr.html].
> Instead the user is asked to explicitly "tune a firewall"... these are not
> good defaults.
> It would be much better if access was restricted by default via ACL (e.g. to
> {{{}127.0.0.0/8, [::1]{}}}), and the user instead explicitly grants access to
> hosts/networks that should have it. Similar to PostgreSQL's
> {{{}pg_hba.conf{}}}. Just like {{{}pg_hba.conf{}}}, this is separate from
> what interfaces are bound to by default.
> We could remove the IP-based ACL step from securing solr page, and even
> change or remove the "firewall" wording at the top.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
