Blog

Lockdown Solr with IIS as a Reverse Proxy

We’ve been developing rich client-side applications that talk directly to Solr’s HTTP interface from Javascript – requiring a publicly accessible Solr. One concern that you’ll naturally have with Solr is that by default Solr’s HTTP API has no concept of security. For example, after standing up Solr, anyone, from anywhere can browse to your index and delete everything.

At this point you could go and hack up the Jetty or configs to block dangerous Solr request handlers. You’re likely to make life hard on yourself.

Alternatively, you could simply put Solr behind a reverse proxy. By proxying Solr, you move the outside world to their own HTTP endpoint, blocking direct access Solr with a firewall. Internal users behind the firewall have full access to Solr to do the everyday work of deleting and updating the index. External users coming through the proxy have an extremely limited set of actions they can perform, based on the HTTP requests that the proxy forwards.

Turns out this is the recommended approach to take if public Solr access is needed.

If hosting on Windows, IIS provides a very straight-forward and easy to maintain method for creating a reverse proxy. It’s a nice solution, as IIS will be updated automatically and fits in seamlessly in with the Windows ecosystem. The steps are fairly straightforward.

Assuming you have a Windows Server 2012 box with a running Solr and Solr’s port (i.e. 8983) is blocked to the outside world but accessible over localhost:

  1. Install IIS on the Server
  2. Install Application Request Routing and URL Rewrite Modules
  3. Open IIS Manager, selecting the server find Application Request Routing

    vectors are fun Step 3
  4. Double click, and select “Proxy”. Click the checkbox to enable the proxy.

    vectors are fun Step 4
  5. Browse to the config directory for the default web page

    vectors are fun Step 5
  6. For the default web page, modify or add the web config with this rewrite rule:

                         name="Proxy To Solr Search" stopProcessing="true">                     url="^solr/select(.*)" />           type="Rewrite" url="http://127.0.0.1:8983/solr/select{R:1}" />                    
  7. Back in IIS Manager, restart your the default webpage and, browse to http://yoursolr/solr/select?q=*:* and confirm you can query Solr. Browse anywhere else, and youll get IISs 404. Nice!

Note, to help define your rules, you can use the “URL Rewrite” UI in IIS manager under “Default Web Page”.

Now go have fun and tell us about your rich (and now secure) Javascript Solr apps!