-
Notifications
You must be signed in to change notification settings - Fork 100
Troubleshooting Solr and Quepid
Here's a blog written for Quepid beginners, explaining how to set up a connection to a Solr index (ignore the bits about the free trial and single Case, this was written before Quepid was free to use): https://www.flax.co.uk/index.html@p=3316.html
Quepid talks to Solr using the JSONP method, which basically means sending a big JSON request wrapped in some Ajax. It's not as reliable as using CORS, but avoids having to enable CORS in Solr. Your Solr should be ready out of the box!
Note: As of Solr 8.4.1, JSONP may also require additional configuration. Please review the Connectivity section for more information.
If you are using Basic Authentication, ie a URL in the format of [http|https]://[username:password@][host][:port]/solr/[collectionName]/select then you will be prompted by your browser to authenticate. Otherwise there isn't anything in Quepid to be done to support this.
We now have a number of different versions of Solr deployed with the same TMDB dataset, as well as some others, which is useful if you have a new feature that you want to make sure is backwards compatible.
- http://quepid-solr.dev.o19s.com:8985/solr/tmdb/select?q=goonies is Solr 8.2
- http://quepid-solr.dev.o19s.com:8985/solr/statedecoded/select?q=legal is Solr 8.2
- http://quepid-solr.dev.o19s.com:8985/solr/icecat/select?q=samsung is Solr 8.2 + Querqy
- http://quepid-solr.dev.o19s.com:8983/solr/tmdb/select?q=goonies is Solr 7.2
- http://quepid-solr.dev.o19s.com:8983/solr/statedecoded/select?q=legal is Solr 7.2
- http://quepid-solr.dev.o19s.com:8983/solr/icecat/select?q=samsung is Solr 7.2 + Querqy
- http://quepid-solr.dev.o19s.com:8984/solr/tmdb/select?q=goonies is Solr 6.6.5
- http://quepid-solr.dev.o19s.com:8984/solr/statedecoded/select?q=legal is Solr 6.6.5
Quepid by default tries to be smart with how it handles the fields returned. If you are searching on a field, then it automatically creates a snippet of the field using highlighting. If you aren't searching on the field, then it returns the entire field. You can pass in hl parameters as part of your query to tweak the behaviors.
As of Solr 8.4.1, Solr ships with more restrictive security options by default. This interferes with outside websites accessing a Solr instance directly. The default configuration that ships with 8.4.1 now only allows such requests to originate from the Solr host itself.
The latest configuration in Solr as of 8.4.1 has the following settings that may affect compatibility with Quepid as users upgrade their instances.
etc/jetty.xml
<!-- security-related headers -->
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">Content-Security-Policy</Set>
<Set name="value">default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe- inline'; script-src 'self'; worker-src 'self';</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">X-Content-Type-Options</Set>
<Set name="value">nosniff</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">X-Frame-Options</Set>
<Set name="value">SAMEORIGIN</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">X-XSS-Protection</Set>
<Set name="value">1; mode=block</Set>
</New>
</Arg>
</Call>
Previous versions of Quepid and Splainer relied on using JSONP requests to communicate
with Solr. The new default of nosniff for X-Content-Type-Options appears to be breaking this functionality.
The following workarounds are recommended to establish connectivity between Quepid and your Solr instances.
Configure the json response writer to use a Content-Type of text/javascript:
<queryResponseWriter name="json" class="solr.JSONResponseWriter">
<str name="content-type">text/javascript; charset=UTF-8</str>
</queryResponseWriter>
This will satisfy the nosniff header as the Content-Type will match the expected content for the request.
There are numerous proxy solutions that can customize the headers to be compatible with Quepid. We are working to supply such an option with Quepid itself.
This is a tricky option because the CORS specification provides for allowing all hosts via a wildcard or only allowing a specific host. Specifying multiple hosts is not supported within the header itself, however it can be supported by custom code that generates the header on the fly by checking a whitelist of domains.
It is generally not recommended to permit a wildcard as that will enable any website with malicious Javascript to
access your Solr instances. If you're able to whitelist a domain via configuration, try adding the app.quepid.com domain.
Web browsers and best security practices are always evolving. With Quepid, we strive to keep up with these security policies while maintaining compatibility with the application.
It is never recommended to have a Solr instance exposed to the public web. It is also never recommended to "loosen" security on private instances unless it is a last resort. Practicing safe practices with your sandbox instances will lead to better practices with your production instances.
As always, Happy (and safe) searching!