moodle 3.2+ (Build: 20161222)
OK, that's the issue: you need 3.5 AKA DEV to work with solr 7.x.
I was using moodle 3.2+ solr 5.5.3 but I do not recommend it.
My server has been hacked due to a failure in SOLR (up to version 7.1) .. but moodle up to 3.4 is not compatible with solr 7.2 correct?
""The flaw (CVE-2017–12629)  first announced October 12th 2017, affects Apache SOLR version 7.1 and below. Due to an incorrectly configured XML parser in the “queryparser” library, attackers can get access to sensitive information or execute arbitrary code on vulnerable systems.
In this moment i disable global search in my moodle.
while the statement about Moodle 3.4 compatibility is still valid, I wonder how your SOLR server has been configured: you could&should limit network visibility to let your SOLR instance be consumed only by the Moodle instance, without exposing it to others; Moodle won't damage the SOLR instance unless the server where the Moodle code has been installed will be hacked too - but you'll have other problems at that point.
Could be firewalling an option here?
I used this tutorial to install and configure SOLR : https://docs.moodle.org/32/en/Global_search#Setting_up_Solr
My Moodle code is intact.. no problem...
Do you have any indication of how to configure SOLR for localhost access only?
binding SOLR to localhost is what you need if everything runs on the same machine: none outside the machine could connect on it: unfortunately, that configuration looks like not a binding but a whitelist which is not the same thing but will work until bugs on the module implementing the whitelist.
I'd try playing w/ https://daniel.hepper.net/blog/2012/04/restricting-ip-addresses-for-solr-with-jetty/ too (http://deeb.me/20160223/bind-solr-5-5-to-localhost).
The Moodle docs covers the installation of the software not the security policies to be applied since they are specific to your environment and usually any OS starts with a basic but nice firewall configuration, enabled by default: do you have the chance to enable a local software firewall opening just HTTP/S and SSH and nothing else?