On 2022-09-02 11:38 AM, Dave wrote: ...
> What if I just ask for *:* and 500000000 rows to just take all of your data, while crashing your server, and just keep doing it?
In all fairness, you can DDoS the application front-end too; that problem is not specific to Solr. Opening up the admin i/face opens you up for password-guessing attacks *on top*.
IP limiting can be a pain with some ISPs and/or "mobile" admins; I'd go for a client SSL cert myself (a self-signed one can be made for 10 years), but that's a different discussion.
Dima