Lockdown Solr with IIS as a Reverse Proxy

Doug Turnbull, June 17, 2013

We’ve been developing rich client-side applications that talk directly to Solr’s HTTP interface from JavaScript — requiring a publicly accessible Solr. One concern that you’ll naturally have with Solr is that by default Solr’s HTTP API has no concept of security. For example, after standing up Solr, anyone, from anywhere, can browse to your index and delete everything.

At this point you could go and hack up the Jetty or <insert servlet container> configs to block dangerous Solr request handlers. You’re likely to make life hard on yourself.

Alternatively, you could simply put Solr behind a reverse proxy. By proxying Solr, you move the outside world to its own HTTP endpoint and block direct access to Solr with a firewall. Internal users behind the firewall have full access to Solr to do the everyday work of deleting and updating the index. External users coming through the proxy have an extremely limited set of actions they can perform, based on the HTTP requests that the proxy forwards.

Turns out this is the recommended approach to take if public Solr access is needed.

If hosting on Windows, IIS provides a very straightforward and easy-to-maintain method for creating a reverse proxy. It’s a nice solution, as IIS will be updated automatically and fits in seamlessly with the Windows ecosystem. The steps are fairly straightforward.

Assuming you have a Windows Server 2012 box with a running Solr and Solr’s port (i.e. 8983) is blocked to the outside world but accessible over localhost:

  1. Install IIS on the Server
  2. Install Application Request Routing and URL Rewrite Modules
  3. Open IIS Manager, select the server, and find Application Request Routing

  4. Double click, and select “Proxy”. Click the checkbox to enable the proxy.

  5. Browse to the config directory for the default web page

  6. For the default web page, modify or add the web.config file with this rewrite rule:

    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="Proxy To Solr Search" stopProcessing="true">
              <!-- capture solr args for select and fwd -->
              <match url="^solr/select(.*)" />
              <action type="Rewrite" url="http://127.0.0.1:8983/solr/select{R:1}" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>
    
  7. Back in IIS Manager, restart the default web page, then browse to http://yoursolr/solr/select?q=*:* and confirm you can query Solr. Browse anywhere else, and you’ll get IIS’s 404. Nice!

Note, to help define your rules, you can use the “URL Rewrite” UI in IIS manager under “Default Web Page”.
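
To see which requests the rule from step 6 forwards before relying on it, the following added example (not part of the original post) models the rule in JavaScript. It assumes URL Rewrite's defaults: ECMAScript patterns, case-insensitive matching, a match input that is the path without its leading slash or query string, and the original query string re-appended. The names `makeRule`, `route` and `forwarded`, the sample requests, and the stricter `^solr/select$` pattern are assumptions for illustration.

```javascript
// Added example: model of the "Proxy To Solr Search" rule's forwarding decision.
const UPSTREAM = "http://127.0.0.1:8983/solr/select"; // from the rule's <action>

function makeRule(pattern) {
  const re = new RegExp(pattern, "i"); // URL Rewrite matches case-insensitively by default
  return function route(requestUrl) {
    const qIndex = requestUrl.indexOf("?");
    const rawPath = qIndex === -1 ? requestUrl : requestUrl.slice(0, qIndex);
    const query = qIndex === -1 ? "" : requestUrl.slice(qIndex); // keeps the "?"
    const input = rawPath.replace(/^\//, ""); // rule sees "solr/select", not "/solr/select"
    const m = re.exec(input);
    if (!m) return null; // no rule matched: IIS answers with its own 404
    return UPSTREAM + (m[1] || "") + query; // {R:1}, then the original query string
  };
}

const pageRule = makeRule("^solr/select(.*)"); // pattern used in the post
const tightRule = makeRule("^solr/select$");   // stricter variant (assumption)

// Constructed sample requests, not taken from real traffic.
const samples = [
  "/solr/select?q=*:*",
  "/solr/update",
  "/solr/admin/cores",
  "/solr/selectfoo",
  "/solr/select/extra/path",
  "/SOLR/Select?q=title:solr",
];

// Requests from the sample set that a given rule would pass to Solr.
function forwarded(route) {
  return samples.filter((u) => route(u) !== null);
}

for (const [name, route] of [["page rule", pageRule], ["tight rule", tightRule]]) {
  console.log(name);
  for (const u of samples) {
    console.log("  " + u + " -> " + (route(u) || "404 from IIS"));
  }
}
```

The post's pattern forwards any path that begins with `solr/select`, while the `$`-anchored variant forwards only the select handler itself; in both cases everything else in the sample set stays behind the proxy.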

Now go have fun and tell us about your rich (and now secure) Javascript Solr apps!



