Big Data/Analytics Zone is brought to you in partnership with:

Doug has been engrossed in programming since his parents first bought him an Apple IIe computer in 4th grade. Throughout his early career, Doug proved his flexibility and ingenuity in crafting solutions in a variety of environments. Doug’s most recent work has been in the telecom industry developing tools to analyze large amounts of network traffic using C++ and Python. Doug loves learning and synthesizing this knowledge into code and blog articles. Doug is a DZone MVB and is not an employee of DZone and has posted 36 posts at DZone. You can read more from them at their website. View Full User Profile

Lockdown Solr with IIS as a Reverse Proxy

06.20.2013
| 2300 views |
  • submit to reddit

We’ve been developing rich client-side applications that talk directly to Solr’s HTTP interface from Javascript — requiring a publicly accessible Solr. One concern that you’ll naturally have with Solr is that by default Solr’s HTTP API has no concept of security. For example, after standing up Solr, anyone, from anywhere can browse to your index and delete everything.

At this point you could go and hack up the Jetty or configs to block dangerous Solr request handlers. You’re likely to make life hard on yourself.

Alternatively, you could simply put Solr behind a reverse proxy. By proxying Solr, you move the outside world to their own HTTP endpoint, blocking direct access Solr with a firewall. Internal users behind the firewall have full access to Solr to do the everyday work of deleting and updating the index. External users coming through the proxy have an extremely limited set of actions they can perform, based on the HTTP requests that the proxy forwards.

Turns out this is the recommended approach to take if public Solr access is needed.

If hosting on Windows, IIS provides a very straight-forward and easy to maintain method for creating a reverse proxy. It’s a nice solution, as IIS will be updated automatically and fits in seamlessly in with the Windows ecosystem. The steps are fairly straightforward.

Assuming you have a Windows Server 2012 box with a running Solr and Solr’s port (i.e. 8983) is blocked to the outside world but accessible over localhost:

  1. Install IIS on the Server
  2. Install Application Request Routing and URL Rewrite Modules
  3. Open IIS Manager, selecting the server find Application Request Routingvectors are fun

    Step 3

  4. Double click, and select “Proxy”. Click the checkbox to enable the proxy.vectors are fun

    Step 4

  5. Browse to the config directory for the default web pagevectors are fun

    Step 5

  6. For the default web page, modify or add the web config with this rewrite rule:
    <configuration><system.webServer><rewrite><rules><rulename="Proxy To Solr Search"stopProcessing="true"><!-- capture solr args for select and fwd --><matchurl="^solr/select(.*)"/><actiontype="Rewrite"url="http://127.0.0.1:8983/solr/select{R:1}"/></rule></rules></rewrite></system.webServer></configuration>
  7. Back in IIS Manager, restart your the default webpage and, browse to http://yoursolr/solr/select?q=*:* and confirm you can query Solr. Browse anywhere else, and you’ll get IIS’s 404. Nice!

Note, to help define your rules, you can use the “URL Rewrite” UI in IIS manager under “Default Web Page”.

Now go have fun and tell us about your rich (and now secure) Javascript Solr apps!

- See more at: http://www.opensourceconnections.com/2013/06/17/lockdown-solr-with-iis-as-a-reverse-proxy/#sthash.NgMGyg56.dpuf

Published at DZone with permission of Doug Turnbull, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)