Lockdown Solr with IIS as a Reverse Proxy

We’ve been developing rich client-side applications that talk directly to Solr’s HTTP interface from JavaScript, which requires a publicly accessible Solr. One concern you’ll naturally have is that, by default, Solr’s HTTP API has no concept of security. For example, after standing up Solr, anyone, from anywhere, can browse to your index and delete everything.

At this point you could go and hack up the Jetty or configs to block dangerous Solr request handlers. You’re likely to make life hard on yourself.

Alternatively, you could simply put Solr behind a reverse proxy. By proxying Solr, you move the outside world to its own HTTP endpoint and block direct access to Solr with a firewall. Internal users behind the firewall have full access to Solr to do the everyday work of deleting and updating the index. External users coming through the proxy have an extremely limited set of actions they can perform, based on the HTTP requests that the proxy forwards.

Turns out this is the recommended approach to take if public Solr access is needed.

If hosting on Windows, IIS provides a straightforward and easy-to-maintain method for creating a reverse proxy. It’s a nice solution, as IIS will be updated automatically and fits seamlessly into the Windows ecosystem. The steps are fairly straightforward.

Assuming you have a Windows Server 2012 box with a running Solr and Solr’s port (i.e. 8983) is blocked to the outside world but accessible over localhost:

  1. Install IIS on the Server
  2. Install Application Request Routing and URL Rewrite Modules
  3. Open IIS Manager, select the server, and find Application Request Routing
  4. Double click, and select “Proxy”. Click the checkbox to enable the proxy.
  5. Browse to the config directory for the default web page
  6. For the default web page, modify or add the web config with this rewrite rule:

        <configuration>
          <system.webServer>
            <rewrite>
              <rules>
                <rule name="Proxy To Solr Search" stopProcessing="true">
                  <!-- capture solr args for select and fwd -->
                  <match url="^solr/select(.*)" />
                  <!-- backend address assumes Solr listening on localhost:8983, as in the setup above -->
                  <action type="Rewrite" url="http://localhost:8983/solr/select{R:1}" />
                </rule>
              </rules>
            </rewrite>
          </system.webServer>
        </configuration>

  7. Back in IIS Manager, restart the default web page, then browse to http://yoursolr/solr/select?q=*:* and confirm you can query Solr. Browse anywhere else, and you’ll get IIS’s 404. Nice!

Note: to help define your rules, you can use the “URL Rewrite” UI in IIS Manager under “Default Web Page”.
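
A check for step 7, meant to be run from a machine outside the firewall, as an added example that is not part of the original article: it confirms the proxy forwards only the select handler and that Solr's own port does not answer. The host name `yoursolr` comes from step 7; the blocked paths and the `rows=0` parameter are assumptions for a default single-core Solr layout.

```python
import sys
import urllib.error
import urllib.request

# Assumed paths for a default single-core Solr layout; adjust to your install.
ALLOWED = ["/solr/select?q=*:*&rows=0"]
BLOCKED = ["/solr/update", "/solr/admin/cores", "/solr/"]


def http_status(url, timeout=5):
    """Return the HTTP status of a GET, or None if nothing answered."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a 4xx/5xx still means a server answered
    except (urllib.error.URLError, OSError):
        return None  # refused, filtered or timed out


def audit(host, solr_port=8983, fetch=http_status):
    """Return a list of findings; an empty list means the lockdown holds."""
    findings = []
    for path in ALLOWED:
        status = fetch(f"http://{host}{path}")
        if status != 200:
            findings.append(f"proxy: {path} returned {status}, expected 200")
    for path in BLOCKED:
        status = fetch(f"http://{host}{path}")
        if status != 404:
            findings.append(f"proxy: {path} returned {status}, expected 404")
    # The firewall, not the rewrite rule, must stop direct access to Solr.
    status = fetch(f"http://{host}:{solr_port}/solr/select?q=*:*&rows=0")
    if status is not None:
        findings.append(f"firewall: port {solr_port} answered with {status}")
    return findings


if __name__ == "__main__":
    problems = audit(sys.argv[1] if len(sys.argv) > 1 else "yoursolr")
    print("\n".join(problems) or "lockdown verified")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any finding is reported, so it can run as a scheduled check after IIS or firewall changes.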

Now go have fun and tell us about your rich (and now secure) JavaScript Solr apps!

- See more at: http://www.opensourceconnections.com/2013/06/17/lockdown-solr-with-iis-as-a-reverse-proxy/#sthash.NgMGyg56.dpuf


Published at DZone with permission of Doug Turnbull, DZone MVB.
