npm promotes metadefinitions
    Share your code. npm Orgs help your team discover, share, and reuse code. Create a free org »



    Node.js based reverse proxy to make a solr instance read-only, rejecting requests that have the potential to modify the solr index.

    Intended for use with the AJAX-Solr library and similar applications.

    Build Status

    Installation and usage

    To install solr-security-proxy via npm:

    npm install solr-security-proxy

    To start the proxy directly via command-line, run

    `npm bin`/solr-security-proxy --port 9090 --backend.port 8983
    # solr-security-proxy: localhost:9090 -->

    The valid command-line options are as follows:

        Usage: node ./node_modules/.bin/solr-security-proxy
          --port            Listen on this port                         [default: 8008]
          --backend.port    Solr backend port                           [default: 8080]
    Solr backend host                           [default: "localhost"]
          --validPaths      Only allow these paths (comma separated)    [default: "/solr/select"]
          --invalidParams   Block these query params (comma separated)  [default: "qt,stream"]
          --invalidMethods  Block these HTTP methods (comma separated)  [default: "POST"]
          --help, -h        Show usage

    To start the server from your own app, potentially overriding some default options:

    var SolrSecurityProxy = require('solr-security-proxy');
    SolrSecurityProxy.start(8008, {validPaths: ['/solr/core1/select']);

    Here are the default options:

    var defaultOptions = {
      invalidHttpMethods: ['POST'],     // all other HTTP methods (eg GET, HEAD, PUT, etc) will be allowed 
      validPaths: ['/solr/select'],     // all other paths will be denied 
      invalidParams: ['qt', 'stream'],  // blocks requests with params qt or stream.* (all other params are allowed) 
      validator: function(){},          // customized validator function; receives (request, options) as arguments 
      backend: {                        // proxy to solr at this location 
        host: 'localhost',
        port: 8080


    For notes on how to setup daemontools to automatically start/restart the proxy, see

    How it works

    Without this proxy, the following requests can cause trouble:

    # access to /solr/admin
    # addition of a new document, via POST to /solr/update
      -H "Content-Type: text/xml"
      --data-binary '<add><doc><field name="id">testdoc</field></doc></add>'
    # deleting of all documents, via POST to /solr/update
      -H "Content-Type: text/xml"
      --data-binary '<delete><query>*:*</query></delete>'
    # deleting all the documents, via GET to /update?stream.body=<delete><query>*:*</query></delete>&commit=true
    # Triggering remote streaming via GET to /solr/selec
    #   ?stream.url=
    #   &stream.body=<delete><query>*:*</query></delete>
    # See
    # deleting of all documents, via GET to
    #   /solr/select?qt=/update&stream.body=<delete><query>*:*</query></delete>
    # See
    # See

    Currently, solr-security-proxy addresses these holes by applying the following rules:

    • Reject any POST requests
    • Only accept other requests (GET, HEAD, etc...) at "/solr/select"
    • Block requests with the following query params: qt, stream.*

    If there are other types of requests that should be blocked, please open an issue.


    This proxy will not do anything unless you actually ensure that your Solr container is only being served at If you're using Tomcat with the proxy on the same machine, then add the following to your solr instance's server.xml:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>

    Even with the proxy, the entirety of your solr index is world accessible. If you need to lock it down further, consider maintaining a second core with only public data, or implementing additional Solr request handlers (via solr-config.xml) that specify certain query invariants.

    At the moment, the proxy blacklists the parameters qt and stream.*. It's likely considerably safer instead whitelist only the parameters your application uses, instead.

    Furthermore, this proxy does not guard against simple D.O.S. attacks agains solr, for example see this post on Solr DOS by David Smiley.

    Solr Security Resources

    For more info about solr security issues, see:

    For other solr security proxies, see


    To work on solr-security-proxy, install it as follows:

    git clone
    cd solr-security-proxy
    sudo npm link # installs this version via global symlink

    Now you can reference your cloned version in a node app:

    cd ~/my-node-app
    npm link solr-security-proxy

    To run the tests, simply run npm test.

    If you want to run test-with-solr-instance.js, you need to set the TEST_SOLR environment variable with the URL to your solr server, as follows:

    TEST_SOLR= npm test

    The format is PROTOCOL://ADDRESS:PORT/SOLR_PATH/ and must be followed exactly. If solr is on a remote machine, the following will set up an SSH tunnel for 30 seconds and then run the tests:

    ssh solrmachine -L 8081: -f sleep 30 && TEST_SOLR= npm test


    The accompanying Vagrantfile sets up an ubuntu-based node.js stack. To use it to develop the solr-security-proxy:

    vagrant up
    vagrant ssh
    cd /vagrant
    npm test


    For automatic restarting of the server upon code changes, install and run nodemon:

    sudo npm install -g nodemon # install it globally
    # runs the proxy (restarting upon file changes)
    nodemon -L solr-security-proxy.js
    # runs the tests (re-running upon code changes)
    nodemon -L test/test-solr-security-proxy.js

    Note that for nodemon to work under Vagrant, "-L" (--legacy) is required.

    On VM suspend, nodemon annoyingly goes into the background. Kill it via pkill -f nodemon

    For my notes on learning node.js development while building this module, see




    npm i solr-security-proxy

    Downloadslast 7 days







    last publish


    • avatar