To better understand how the IP restrictions work, you need to get familiar with the Solr RequestHandlers.
By default, most applications will use the /update request handler to write into the index, and /select to read from the index (I’m assuming yours does as well, as long as you haven’t defined any other custom request handlers in your solrconfig.xml file).
Now, long story short, since you can define your own RequestHandlers inside your solrconfig.xml file as you saw in the documentation above, in order to apply read-only access to a certain index, all you have to do is:
- Remove any wildcard access “all” from “/”, which implicitly overrides everything and grants full access to any IP on ALL request handlers.
- Add client’s specific IP address access to /select, /search, /admin/ping or any other handlers that the client’s application may be using.
That way, NO IPs can reach /update (to write data), and you have granted access only to certain IPs, on /select or whichever other handlers read from the index.
However, I will stress that access to /select or /search alone may sometimes not be enough for an application (unless of course it’s a custom application where the developers know those are exactly the only endpoints being used).
Take Drupal as an example.
If you want to make a Drupal website read-only against a Solr index, you’d also have to provide access to /admin/ping (because Drupal uses that to determine whether the Solr server is UP or DOWN).
But, again, for a custom application (aka: if you know what you’re doing), your approach is very much OK:
- Simply remove all existing rules
- Add specific IP rules to the READ request handlers that you have created (AND/OR, of course, the built-in Solr read handler, which is /select).
Hope this helps.
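
A way to check a rule set against the points above before relying on it, as an added example that is not part of the original answer or of the hosting panel's own code. It assumes rules can be written down as a mapping of handler path to a list of entries ("all", an IP, or a CIDR), and that a rule on "/" applies to every handler, as described above; the function names and sample addresses are hypothetical.

```python
import ipaddress

WRITE_HANDLERS = ("/update",)  # handler the answer names as writing to the index

def ip_matches(entry, client_ip):
    """True if a rule entry ("all", a single IP, or a CIDR) covers client_ip."""
    if entry == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)

def is_allowed(rules, handler, client_ip):
    """Assumed semantics: a rule on "/" applies to every handler; otherwise the
    rule path must equal the handler or be a parent path of it."""
    for path, entries in rules.items():
        covers = path == "/" or handler == path or handler.startswith(path.rstrip("/") + "/")
        if covers and any(ip_matches(e, client_ip) for e in entries):
            return True
    return False

def audit_read_only(rules, client_ip, needed_handlers, outsider_ip="203.0.113.50"):
    """Return a list of findings; an empty list means the rule set is read-only
    for client_ip and closed to the (constructed) outsider address."""
    findings = []
    if "all" in rules.get("/", []):
        findings.append('wildcard "all" on "/" grants every IP every handler')
    for h in WRITE_HANDLERS:
        for ip in (client_ip, outsider_ip):
            if is_allowed(rules, h, ip):
                findings.append(f"{ip} can reach write handler {h}")
    for h in needed_handlers:
        if not is_allowed(rules, h, client_ip):
            findings.append(f"client {client_ip} cannot reach {h}")
        if is_allowed(rules, h, outsider_ip):
            findings.append(f"outsider {outsider_ip} can reach {h}")
    return findings

# Constructed sample rule sets (documentation address ranges).
CLIENT = "198.51.100.7"
DRUPAL_NEEDS = ["/select", "/admin/ping"]
before = {"/": ["all"]}                      # wildcard still in place
select_only = {"/select": [CLIENT]}          # read-only, but Drupal's ping is blocked
after = {"/select": [CLIENT], "/admin/ping": [CLIENT]}

if __name__ == "__main__":
    for name, rules in [("before", before), ("select_only", select_only), ("after", after)]:
        print(name, audit_read_only(rules, CLIENT, DRUPAL_NEEDS) or "OK: read-only")
```

The `select_only` case is the Drupal situation described above: writes are blocked, but the client is also cut off from /admin/ping.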