Solr security in 2014?


Alexander Lvov

Aug 6, 2014, 6:14:02 AM
to ajax...@googlegroups.com
All of the security problems that I found here (https://groups.google.com/forum/#!searchin/ajax-solr/security) are dated 2012 and back. I wonder what would be the current (mid-2014) best practice for using ajax-solr and Solr in general for the web? Also, I am about to configure an nginx proxy limiting POST and 'q' parameters to a limited set of predefined parameters. Maybe somebody has already done that? That would be helpful! Thanks in advance!
/Alexander

James McKinney

Aug 6, 2014, 1:16:57 PM
to ajax...@googlegroups.com
Hi Alex,


Cheers,

James

On Aug 6, 2014, at 3:14 AM, Alexander Lvov <alexand...@gmail.com> wrote:

All of the security problems that I found here (https://groups.google.com/forum/#!searchin/ajax-solr/security) are dated 2012 and back. I wonder what would be the current (mid-2014) best practice for using ajax-solr and Solr in general for the web? Also, I am about to configure an nginx proxy limiting POST and 'q' parameters to a limited set of predefined parameters. Maybe somebody has already done that? That would be helpful! Thanks in advance!
/Alexander

--
You received this message because you are subscribed to the Google Groups "ajax-solr" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ajax-solr+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Alexander Lvov

Aug 8, 2014, 5:04:17 AM
to ajax...@googlegroups.com
Hi James! Thank you. Actually, I was looking for a way to configure it in nginx, since e.g. the Node.js proxy for Solr seems to be about limiting paths, invalid methods (POST) and two invalid params ('qt', 'stream'). I will now try to come up with a sample config for nginx and mail it here.

Also, what I am more interested in is whether these actions are satisfactory for a decent level of security, and if somebody has done some penetration tests or similar proving no new security risks have come up in some 4.X versions.

BR
Alex



Alexander Lvov

Aug 8, 2014, 7:51:14 AM
to ajax...@googlegroups.com
Hi everyone! This is what I came up with as an nginx alternative to the Node.js proxy config with default options for Solr. Any feedback is appreciated. It is still not reasonably safe in case somebody would decide to retrieve the whole index using options like &start=0&rows=1.

        location ^~ /site/solr/collection2/select {

                # Refuse a client-chosen request handler. The `if` bodies here
                # only `return`, which is the one form nginx documents as safe
                # inside a location block.
                if ($arg_qt) {
                        return 406; # Not Acceptable
                }

                # Solr's remote-streaming parameters are stream.url, stream.body
                # and stream.file; $arg_stream only matches a parameter named
                # exactly "stream", so match the prefix in the raw query string.
                if ($args ~* "(^|&)stream\.") {
                        return 406; # Not Acceptable
                }

                # Read-only from the browser: allow GET only, which also
                # covers PUT/DELETE rather than just POST.
                if ($request_method != GET) {
                        return 405; # Method Not Allowed
                }

                proxy_pass http://localhost:8983/solr/collection2/select;
                # TODO prepend &start=0&rows=1
        }
