On 9/27/22 10:50, dmitri maziuk wrote:
> On 2022-09-27 9:38 AM, Shawn Heisey wrote:
>> ... I can
>> envision a configuration for haproxy that uses URL path restriction
>> plus IP address restriction for outside developers to be able to see
>> what their code sees.
>
> You could firewall port 8983 off at the perimeter and let the devs VPN
> (or `ssh -L8983:...`) into your intranet, too.

Nothing can get to port 8983 from outside the machine. I used to use
SSH port forwarding and connect my browser to localhost:8983 to access
the Solr install in AWS.

As far as VPN, setting that up on AWS is a bit painful. The https URL
through haproxy is much cleaner, and in the event I need somebody to get
to my Solr install, I just add their public IP to an ACL in haproxy, and
they have access via https. Remove the IP, and they don't have access.

For a business, a VPN would be a decent solution. My way means I do not
have to create anyone an account on any system, just add their public
IP. Which is a great option considering that this Solr install is
purely for my personal email infrastructure. Haproxy has really good
logging, so between that and Solr's logging, I have an audit trail if I
need it.

Thanks,
Shawn
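
The setup described in this message (Solr reachable only through haproxy over https, limited by URL path and source IP, with request logging) could look like the following. This is an added example, not the poster's actual configuration. The `/solr` path prefix, certificate path, allowlist file, syslog target and frontend/backend names are all assumptions.

```haproxy
# Added example: path + source-IP restriction in front of a local-only Solr.
# All names, paths and addresses below are assumptions, not from the thread.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog          # per-request log: client IP, status, request line
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/site.pem    # placeholder cert path

    # URL path restriction: only this prefix is ever routed to Solr.
    acl is_solr path_beg /solr

    # IP restriction: one address or CIDR per line in the file.
    # Add a line to grant access, remove it to revoke, then reload haproxy.
    acl solr_allowed src -f /etc/haproxy/solr_allowed.lst

    # Refuse first, route second. Denied requests are still logged with
    # the client IP and a 403, which keeps them in the audit trail.
    http-request deny deny_status 403 if is_solr !solr_allowed
    use_backend be_solr if is_solr
    # No default_backend: requests for any other path get a 503.

backend be_solr
    # Solr is reached on loopback only; port 8983 stays closed to the outside.
    server solr1 127.0.0.1:8983
```

Because the deny rule and the routing rule share the `is_solr` ACL, a request that does not match the path prefix is never forwarded to Solr, so the allowlist cannot be sidestepped by a path the first rule fails to recognize.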