On 9/27/22 02:51, Thomas Corthals wrote:
> FWIW: I recently had to grant temporary access to an external developer to read from a single dev core. Mind you, this is not a production setup! Proxied it through nginx as "https://dev-solr.example.org:443" with a Let's Encrypt certificate.
There are two exceptions to the "block access to Solr" advice. One is your applications. The other is trusted admins or developers who need it as part of their job.
I didn't think of restricting access to only a particular URL path in the proxy; that's very clever.
My proxy of choice is haproxy, and my webserver of choice is Apache. Haven't yet gotten nginx to do what I ask it to, but that might be because I was trying to do it on AlmaLinux for work, where I am not allowed to use Ubuntu on servers.
For my own little Solr install, I have it behind haproxy, which provides TLS and the ability to access it from anywhere, including the Internet, with a simple URL like "https://solr.example.com". Access is strictly controlled by IP address, so anyone who is not allowed just sees a generic 403 error from haproxy. The only application I have accessing Solr does it directly via unencrypted port 8983, not the proxy. I can envision a configuration for haproxy that uses URL path restriction plus IP address restriction for outside developers to be able to see what their code sees.
Thanks,
Shawn
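
The haproxy arrangement envisioned in the message above (IP address restriction combined with URL path restriction), written out as an added example; it is not configuration from the original thread or from either poster. The hostname, certificate path, source addresses (documentation ranges), the core name `devcore`, and Solr listening on 127.0.0.1:8983 are all assumptions.

```haproxy
# Added example: every address, path and name below is a placeholder.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend solr_tls
    # haproxy terminates TLS; Solr itself stays on plain HTTP behind it.
    bind :443 ssl crt /etc/haproxy/certs/solr.example.com.pem

    # Trusted admins: full access to Solr through the proxy.
    acl admin_src   src 198.51.100.10 198.51.100.11

    # Outside developer: a single known source address.
    acl dev_src     src 203.0.113.25

    # Exact match on one handler of one core. Using "path" (not "path_beg")
    # keeps update, admin and config handlers under the same core unreachable.
    acl dev_path    path /solr/devcore/select
    acl read_method method GET HEAD

    # First matching rule wins; anything not explicitly allowed gets the
    # generic 403 from haproxy and never reaches Solr.
    http-request allow if admin_src
    http-request allow if dev_src dev_path read_method
    http-request deny deny_status 403

    default_backend solr

backend solr
    server solr1 127.0.0.1:8983 check
```

The path rule only limits which handler the developer can reach, not which request parameters that handler accepts, so the httplog output for the developer's address is worth reviewing while the access is in place.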