Solr is reached over plain HTTP URLs. If the dispatcher does not block access to the Solr admin UI and to the /update handler, anyone who can reach the publish host can read, modify or delete the index. In particular, requests that carry a <delete> command (or any other update command) must be rejected so the index cannot be wiped from outside.
How are security rules written in the dispatcher (Apache httpd) configuration?
The Apache httpd instance that hosts the dispatcher module usually carries a set of generic mod_rewrite conditions meant to stop injection attempts. They test the raw (not URL-decoded) query string, [NC] makes the match case-insensitive, [OR] chains a condition with the next one, and a closing RewriteRule answers 403 when the chain matches. A typical set looks like this:
# Note: the commonly pasted version of rules 2 and 3 contains an empty "|" alternative, which matches every request; it is removed here.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\*|;|<|>|'|"|\)|%0A|%0D|%27|%3C|%3E|%7C|%26|%24|%25|%2B).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%27|%3C|%3E).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F,L]
These rules do not fit a Solr front end. The second rule blocks '*', '"', '<', '>' and ')', but every Solr query uses them (q=*:*, fq=id:"/content/..."), so legitimate searches get a 403. The third rule fires on ordinary search terms that combine one of those characters with a word such as update or select. And all three look only at the query string, so a delete command sent as a POST body to /update passes untouched. They have to be rewritten so that search requests against .../select pass, while anything that can change the index (the /update handler, stream.body, commit, the admin UI) is rejected regardless of HTTP method.
How should delete-by-id and delete-all be prevented at the dispatcher?
The two requests below are what the dispatcher has to stop. Both go to the core's /update handler and carry the delete command in the stream.body parameter, so a rule that forbids the /update path (or the stream.body parameter) for outside callers blocks both. Note that a browser percent-encodes the angle brackets and quotes, so the dispatcher sees %3Cdelete%3E...; a rule must match the encoded form as well as the raw one.
Delete by id from the Solr core en_US
If the id is '/content/project/us/en/home/testarticle.html', invoking the URL below deletes that document (and every other document matching the query) from the index and commits immediately:
http://localhost:8983/solr/en_US/update?stream.body=<delete><query>id:"/content/project/us/en/home/testarticle.html"</query></delete>&commit=true
Delete all from the Solr core en_US
The URL below deletes every document in the core en_US, because the query *:* matches everything. Think twice before running it:
http://localhost:8983/solr/en_US/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E&commit=true
Two caveats. Recent Solr releases ship with stream.body disabled (enableStreamBody="false" on the requestParsers element in solrconfig.xml), so these GET URLs only work on older or explicitly enabled installs. The same <delete> XML can always be sent as a POST body to /update, which a query-string filter never sees. Keep stream.body disabled on the Solr side and block the /update path itself at the dispatcher.
How does the publish instance avoid exposing the full Solr server URL?
Have the page or component send its query to a relative path such as /solr/en_US/select on the publish host, and add a proxy or rewrite rule in the dispatcher's Apache configuration that forwards /solr to the internal Solr server. The browser then only ever sees the dispatcher host; the Solr hostname and port stay private. This hides the server but does not protect it: the same /solr path must still be restricted to the select handler as described above.
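The httpd fragment below is an added example, not configuration from the original post or from Adobe. It puts the two pieces together: proxying the relative /solr path to the Solr server so its address is never published, and an allowlist that lets only core/select queries through while the /update delete URLs shown above, the admin UI and stream.body are answered with 403. The hostname solr.internal, the port, the core names en_US and fr_FR and the blocked parameter list are assumptions for the example; adjust them to the environment.

```apache
# Added example: httpd configuration for the vhost that runs the AEM dispatcher.
# Assumptions: Solr listens on solr.internal:8983, the cores are en_US and fr_FR.
# Needs mod_proxy, mod_proxy_http, mod_rewrite and mod_authz_core.

RewriteEngine On

# 1. Hide the Solr server. Pages query /solr/<core>/select?q=... on the publish
#    host; httpd forwards it to Solr. ProxyPassReverse rewrites Location headers
#    so a redirect issued by Solr never leaks the internal address.
ProxyRequests Off
ProxyPass        /solr/ http://solr.internal:8983/solr/
ProxyPassReverse /solr/ http://solr.internal:8983/solr/

# 2. Path allowlist. Everything under /solr is denied (admin UI, /update,
#    /replication, /config, ...). Later sections override earlier ones, so the
#    LocationMatch below re-opens exactly <core>/select for the known cores.
<Location "/solr">
    Require all denied
</Location>
<LocationMatch "^/solr/(en_US|fr_FR)/select$">
    Require all granted
</LocationMatch>

# 3. Guard for the handler that is open. Solr queries legitimately contain
#    '*', ':', '"' and '(' (q=*:*, fq=id:"/content/..."), so unlike the default
#    injection rules those characters are NOT blocked. Rejected instead:
#    - any method other than GET/HEAD (a delete can be POSTed as the body)
#    - stream.body / stream.url / stream.file, commit, optimize
#    - qt= (re-routes to another handler when handleSelect is on) and
#      shards= (makes Solr fetch results from caller-chosen hosts)
#    - an XML or JSON update command inside any parameter value
#    QUERY_STRING is not URL-decoded by httpd, so raw and %-encoded forms are
#    both matched; [NC] = case-insensitive, [OR] = chain with the next line.
#    The conditions read: path under /solr AND (method OR param OR command).
RewriteCond %{REQUEST_URI} ^/solr/ [NC]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$ [OR]
RewriteCond %{QUERY_STRING} (^|&)(stream\.body|stream\.url|stream\.file|commit|optimize|qt|shards)= [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C|\{|%7B)\s*("|%22)?(delete|add|commit|optimize|rollback) [NC]
RewriteRule .* - [F,L]
```

Verify from outside the dispatcher: a GET to /solr/en_US/select?q=*:* must return results, while a GET to /solr/en_US/update?stream.body=..., a POST to the same path and a GET to /solr/ (the admin UI) must all return 403. These httpd rules are a second layer only; keep enableStreamBody="false" and Solr's own authentication and authorization in place, because anyone who can reach port 8983 directly bypasses the dispatcher entirely.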