solr-proxy

Reverse proxy to secure Solr, rejecting requests that might modify the Solr index.

Usage no npm install needed!

<script type="module">
  import solrProxy from 'https://cdn.skypack.dev/solr-proxy';
</script>

README

solr-proxy

Reverse proxy to make a Solr instance read-only, rejecting requests that have the potential to modify the Solr index.

This is a rewrite of solr-security-proxy with some bug fixes and additional features.

Build Status

Installation

For use from the command line:

npm install -g solr-proxy

For use in another application:

npm install solr-proxy

Usage

From the command-line:

solr-proxy

Options are:

Options:
  --port          Listen on this port         [default: 8008]
  --upstream      Solr backend                [default: "http://localhost:8983"]
  --validPaths    Allowed paths (comma        [default: "/solr/select"]
                  delimited)
  --invalidParams Blocked parameters (comma   [default: "qt,stream"]
                  delimited)
  --validMethods  Allowed HTTP methods (comma [default: "GET"]
                  delimited)
  --maxRows       Maximum rows permitted in a [default: 200]
                  request
  --maxStart      Maximum start offset        [default: 1000]
                  permitted in a request
  --quiet, -q     Do not write messages to STDOUT
  --version, -v   Show version
  --help, -h      Show this message

To start the server from your application:

const SolrProxy = require('solr-proxy')
await SolrProxy.start()

You can pass a port number as the first argument to start(). You may pass a falsy value (such as null or undefined) if you wish to use the port number specified specified in the listenPort property in the options object (second argument). If the port is not specified in either argument, the default value of 8008 is used.

You can pass an options object as the second argument to start().

const defaultOptions = {
  validHttpMethods: ['GET'],        // all other HTTP methods will be disallowed
  validPaths: ['/solr/select'],     // all other paths will be denied
  invalidParams: ['qt', 'stream'],  // blocks requests with params qt or stream.* (all other params are allowed)
  upstream: 'http://localhost:8008' // proxy to solr at this location
}

To enable TLS for your proxy, include an ssl object within the options object.

const options = {
  ssl: {
    key: fs.readFileSync('key.pem'),
    cert: fs.readFileSync('cert.pem'),
  }
}
const proxy = await SolrProxy.start(null, options);

Default Rules

solr-proxy has the following default rules:

  • Reject any request methods other than GET
  • Only allow the /solr/select path
  • Block requests with qt and stream.* query parameters.
  • Reject requests with rows set to more than 200.
  • Reject requests with start set to more than 1000.

License

MIT

Related Reading