Skip to main content
  • Latest version: v2.2.3
  • Compatible with Fusion version: 5.9.0 and later
The Web V2 connector for Fusion crawls and ingests content from websites over HTTP. It works best for crawling static content by retrieving data from a website starting at one or more seed URLs (the startLinks), following links up to a configurable depth, and indexing the fetched pages. For Web V2 v2.1.0 through v2.2.2, up to three Web V2 connectors can run simultaneously in a single cluster. This prevents reaching a max concurrency limit per Web V2 connector, which affects how much data can be sent to Selenium Grid at one time. For Web V2 v2.2.3 and later, multiple Web V2 datasources with JavaScript evaluation enabled can run concurrently while sharing one Selenium Grid instance. If you run multiple JavaScript-enabled datasources simultaneously, scale your Selenium Grid to handle the increased load.
Starting with Fusion 5.9.11, users of the Web V2 connector must upgrade to version 2.0.0 or later. Previous versions are incompatible due to changes introduced by the upgraded JDK in Fusion 5.9.11.
Fusion 5.6 and later uses the Open Graph Protocol as the default configuration for fields. Deviation from that standard configuration may exclude information from indexing during the crawl.
If crawls fail with a corrupted CrawlDB error, reinstall the connector.

Prerequisites

Perform these prerequisites to ensure the connector can reliably access, crawl, and index your data. Proper setup helps avoid configuration or permission errors, so use the following guidelines to keep your content available for discovery and search in Fusion. Confirm network and security configurations:
  • Egress must allow HTTP/2 traffic from your on-prem host into the Fusion gRPC endpoint.
  • You need a Fusion user account with the remote-connectors or admin role to authenticate the connector.
  • If the standalone host doesn’t trust Fusion’s TLS cert, point to your truststore file path.

Authentication

Setting up the correct authentication according to your organization’s data governance policies helps keep sensitive data secure while allowing authorized indexing. The Web V2 connector supports many crawl-time authentication methods, including OAuth token retrieval. You configure these under Crawl Authentication Properties in your datasource. The supported authentication schemes include the following:
  • Basic HTTP Authentication: Provide host, port, realm (if any), username, and password.
  • Digest HTTP Authentication: Same parameters as Basic, but using the Digest challenge/response scheme.
  • NTLM Authentication For Windows-style authentication: Provide domain, workstation, host, port, realm (if any), username, and password.
  • Form Authentication: Post to a login form URL with whatever name/value pairs the site expects, plus a TTL for the session.
  • SAML/Smart Form Authentication: For multi-step or SAML-backed form logins, submit a sequence of forms until you’re authenticated.
  • OAuth 2.0: Fetch a bearer token using client-credentials before crawling. You supply the token-endpoint URL and parameter names/values (for example, client_id, client_secret, scope, or grant_type) in the Access Token section of Crawl Authentication Properties.
Once you’ve picked your scheme, Fusion will maintain cookies and session state automatically for the duration of the crawl.

Authentication resources

The Web V2 connector retrieves data from a Web site using HTTP and starting from a specified URL.The Web connector supports Basic, Digest, Form, and NTLM authentication to websites.The credentials for a crawl are stored in a credentials file in https://FUSION_HOST:FUSION_PORT/data/connectors/container/lucid.web/datasourceName, where datasourceName is the name of the datasource. After you create a datasource, Fusion creates this directory for you. The file should be a JSON formatted file, ending with the .json file extension. When defining the datasource, use the name of the file in the Authentication credentials filename field in the UI (or for the f.credentialsFile property if using the REST API).All authentication types require the credentials file to include a property called type that defines the type of authentication to use. The other required properties vary depending on the type of authentication chosen.

Basic form-based Authentication

To use basic form-based authentication, use form for the type. The other properties are:
  • ttl. The “time to live” for the session created after authentication. After the specified time, the crawler logs in again to keep the crawl activity from failing due to an expired session. This value is defined in seconds.
  • action. The action to take to log in. That is, the URL for the login form.
  • params. The parameters for the form, likely the username and password, but could be other required properties. In the example below, we pass two parameters, os_username and os_password, which are expected by the system we crawl.
Here is an example using form-based authentication:

Complex Form-based Authentication

Some websites do not manage their own authentication, but rather trust a third-party authority to authenticate the user. An example of this is websites that use SAML to log in a user via a central single-signon authority. To configure fusion to log in to a website like this, use smartForm for the type. The other properties are:
  • ttl. The “time to live” for the session created after authentication. After the specified time, the crawler logs in again to keep the crawl activity from failing due to an expired session. This value is defined in seconds.
  • loginUrl. The URL on which the first page that initializes the login chain is located
  • params. A list of parameters to use for the form logins, likely the username and password, but could be other required properties. In the example below, we pass two parameters, os_username and os_password, which are expected by the system we crawl. Additionally we expect that once that login has happened, a new form is presented to the user which then posts back to where we came from. No data need to be entered in this form, which is why we include an empty { } in the params list.
Here is an example using form-based authentication:
To figure out what parameters you need to specify, turn off JavaScript in your browser and go through the login work flow. Though you normally see only a single login form on your screen, you might find many more forms you need to submit before you get logged in when JavaScript is not available to perform those form submissions automatically. Each form in that login chain needs to be represented in the list of params. If no user input is required, simply include an empty { }.

Basic and Digest Authentication

Basic and Digest authentication are simple HTTP authentication methods still in use in some places. To use either of these types, in the credentials file, for the type property use “basic” or “digest”. The other properties are:
  • host. The host of the site.
  • port. The port, if any.
  • userName. The username to use for authentication.
  • password. The password for the userName.
  • realm. The security realm for the site, if any.
Example basic auth configuration:

NTLM Authentication

To use NTLM authentication, in the credentials file, for the type property, use ntlm. The other properties available are:
  • host. The host of the site.
  • port. The port, if any.
  • userName. The username to use for authentication.
  • password. The password for the userName.
  • realm. The security realm for the site, if any.
  • domain. The domain.
  • workstation. The workstation, as needed.
Example NTLM credential configuration:
The Web V2 connector v1.4.0 added the ability to authenticate using OAuth.

Example with PingFederate

This example uses Client Credentials Grant Type and a basic configuration.
  1. Create new app in PingIdentity.
  2. Edit the app configuration:
    1. Check Client Credentials Grant Type.
    2. Set Token Endpoint Authentication Method to Client Secret Post.
  3. Enable the app by clicking on the toggle button to the right of the app name.
  4. Go to the Configuration tab and click Get Access Token. At this point it will probably show an error about scope. Fix it by adding a scope, such as testScope.
  5. Click the Get Access Token button again under the Configuration tab. It should generate and display your access token.
  6. Go to the Configuration tab and click URLs. Copy the Token Endpoint URL for further use.
  7. You can view a sample of Client Credentials Grant Type access token request in the PingIdentity documentation. In this example the access token request is:
  8. In Fusion, go to CRAWL AUTHENTICATION PROPERTIES in the datasource configuration and fill in the ACCESS TOKEN section by adding the URL and parameters of the request. Replace CLIENT_ID with your own client ID.
    • ACCESS TOKEN REQUEST URL: https://auth.pingone.com/ENV_ID/as/token
    • PARAMETER NAME | PARAMETER VALUE: grant_type | client_credentials
    • PARAMETER NAME | PARAMETER VALUE: client_id | CLIENT_ID
    • PARAMETER NAME | PARAMETER VALUE: scope | testScope

Example with Microsoft Azure AD

  1. In Microsoft Entra ID, go to App Registrations and register a new app.
  2. Go to your app and click Certificates & secrets and add a client secret.
  3. Copy the client secret Value for further use.
  4. View the Microsoft documentation for a request to get access token. In this example, we use the client credentials grant type:
  5. Copy the endpoint URL and the parameters to the CRAWL AUTHENTICATION PROPERTIES > ACCESS TOKEN section in the datasource configuration in Fusion. Replace CLIENT_ID with your own client ID.
    • ACCESS TOKEN REQUEST URL: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
    • PARAMETER NAME | PARAMETER VALUE: grant_type | client_credentials
    • PARAMETER NAME | PARAMETER VALUE: client_id | CLIENT_ID
    • PARAMETER NAME | PARAMETER VALUE: scope | https://graph.microsoft.com/.default

Remote connectors

V2 connectors support running remotely in Fusion versions 5.7.1 and later.
If you need to index data from behind a firewall, you can configure a V2 connector to run remotely on-premises using TLS-enabled gRPC.

Prerequisites

Before you can set up an on-prem V2 connector, you must configure the egress from your network to allow HTTP/2 communication into the Fusion cloud. You can use a forward proxy server to act as an intermediary between the connector and Fusion.The following is required to run V2 connectors remotely:
  • The plugin zip file and the connector-plugin-standalone JAR.
  • A configured connector backend gRPC endpoint.
  • Username and password of a user with a remote-connectors or admin role.
  • If the host where the remote connector is running is not configured to trust the server’s TLS certificate, you must configure the file path of the trust certificate collection.
If your version of Fusion doesn’t have the remote-connectors role by default, you can create one. No API or UI permissions are required for the role.

Connector compatibility

Only V2 connectors are able to run remotely on-premises. You also need the remote connector client JAR file that matches your Fusion version. You can download the latest files at V2 Connectors Downloads.
Whenever you upgrade Fusion, you must also update your remote connectors to match the new version of Fusion.
The gRPC connector backend is not supported in Fusion environments deployed on AWS.

System requirements

The following is required for the on-prem host of the remote connector:
  • (Fusion 5.9.0-5.9.10) JVM version 11
  • (Fusion 5.9.11) JVM version 17
  • Minimum of 2 CPUs
  • 4GB Memory
Note that memory requirements depend on the number and size of ingested documents.

Enable backend ingress

In your values.yaml file, configure this section as needed:
  • Set enabled to true to enable the backend ingress.
  • Set pathtype to Prefix or Exact.
  • Set path to the path where the backend will be available.
  • Set host to the host where the backend will be available.
  • In Fusion 5.9.6 only, you can set ingressClassName to one of the following:
    • nginx for Nginx Ingress Controller
    • alb for AWS Application Load Balancer (ALB)
  • Configure TLS and certificates according to your CA’s procedures and policies.
    TLS must be enabled in order to use AWS ALB for ingress.

Connector configuration example

Minimal example

Logback XML configuration file example

Run the remote connector

The logging.config property is optional. If not set, logging messages are sent to the console.

Test communication

You can run the connector in communication testing mode. This mode tests the communication with the backend without running the plugin, reports the result, and exits.

Encryption

In a deployment, communication to the connector’s backend server is encrypted using TLS. You should only run this configuration without TLS in a testing scenario. To disable TLS, set plain-text to true.

Egress and proxy server configuration

One of the methods you can use to allow outbound communication from behind a firewall is a proxy server. You can configure a proxy server to allow certain communication traffic while blocking unauthorized communication. If you use a proxy server at the site where the connector is running, you must configure the following properties:
  • Host. The hosts where the proxy server is running.
  • Port. The port the proxy server is listening to for communication requests.
  • Credentials. Optional proxy server user and password.
When you configure egress, it is important to disable any connection or activity timeouts because the connector uses long running gRPC calls.

Password encryption

If you use a login name and password in your configuration, run the following utility to encrypt the password:
  1. Enter a user name and password in the connector configuration YAML.
  2. Run the standalone JAR with this property:
  3. Retrieve the encrypted passwords from the log that is created.
  4. Replace the clear password in the configuration YAML with the encrypted password.

Connector restart (5.7 and earlier)

The connector will shut down automatically whenever the connection to the server is disrupted, to prevent it from getting into a bad state. Communication disruption can happen, for example, when the server running in the connectors-backend pod shuts down and is replaced by a new pod. Once the connector shuts down, connector configuration and job execution are disabled. To prevent that from happening, you should restart the connector as soon as possible.You can use Linux scripts and utilities to restart the connector automatically, such as Monit.

Recoverable bridge (5.8 and later)

If communication to the remote connector is disrupted, the connector will try to recover communication and gRPC calls. By default, six attempts will be made to recover each gRPC call. The number of attempts can be configured with the max-grpc-retries bridge parameters.

Job expiration duration (5.9.5 only)

The timeout value for irresponsive backend jobs can be configured with the job-expiration-duration-seconds parameter. The default value is 120 seconds.

Use the remote connector

Once the connector is running, it is available in the Datasources dropdown. If the standalone connector terminates, it disappears from the list of available connectors. Once it is re-run, it is available again and configured connector instances will not get lost.

Enable asynchronous parsing (5.9 and later)

To separate document crawling from document parsing, enable Tika Asynchronous Parsing on remote V2 connectors.
Below is an example configuration showing how to specify the file system to index under the connector-plugins entry in your values.yaml file:
You may also need to specify the user that is authorized to access the file system, as in this example:

Selenium Grid setup

If you are using Web V2 v2.1.0 or later, you must also use Selenium Grid as part of your Web V2 connector setup.
When using Web V2 v2.2.1 or later on Fusion 5.9.15 or later, you do not need to perform any Selenium setup. Selenium is installed automatically with the connector and removed automatically when the connector is removed.Manual installation of Selenium is still required in Fusion 5.9.14 or earlier, even if you use Web V2 v2.2.1.
For hosted connectors, Selenium Grid support is available through Kubernetes. For remote connectors, Selenium Grid support is avialable through Docker Compose. See the Web V2 remote support repository for full setup instructions and YAML files. Before you set up Selenium Grid, install the connector standalone plugin file for the version of Fusion that you are using and the most recent version of the Web V2 connector. Verify that you have the correct files at the Lucidworks plugins site.
The Selenium services require an x86 architecture to run properly. Running the Selenium services on an ARM-based system such as Apple Silicon is not supported.

Set up Selenium Grid in Kubernetes

If you are using a hosted connector, use Kubernetes to set up Selenium Grid. These steps explain how to deploy the Selenium Hub component and the two Chrome browser nodes that connect to Selenium Hub. The referenced YAML files are available in the k8s directory of the Web V2 remote support repository. To set up Selenium Grid:
  1. In a terminal, apply the Kubernetes YAML configurations:
  2. Verify that the deployments are successful. Replace NAMESPACE with your namespace.
  3. Adjust the network policy to allow port 4444. Enter the following command in a terminal:
  4. Add the following snippet to the file:
  5. Save the file.

Set up Selenium Grid in Docker Compose

If you are using a remote connector, use Docker Compose to set up Selenium Grid. The referenced YAML files are available in the Web V2 remote support repository. Before setting up Selenium Grid in Docker Compose, you must know what version of JDK your Fusion connectors are using. If you are using Fusion 5.9.10 or earlier, you are using JDK 11. If you are using Fusion 5.9.11 or later, you are using JDK 17. To set up Selenium Grid in Docker Compose:
  1. Visit the the Web V2 remote support repository and select the folder corresponding to your JDK version. Download the contents of that folder.
  2. Edit the bin/conf/connector-config.yaml file to configure the Kafka bridge settings, the proxy settings, and the plugin path. The following snippet shows an example configuration. Quotation marks are required around the password.
  3. Save the configuration file.
Now you can start the Docker Compose environment, which uses standard Docker Compose commands. You can start the environment in background mode or with live logs. To start Docker Compose in background mode, navigate to the directory for your environment and enter the following command in a terminal:
To start Docker Compose in live mode, navigate to the directory for your environment and enter the following command in a terminal:
When you’ve started Docker Compose, verify that the services are running. You can access the Selenium Grid console at http://localhost:4444/ui. Verify that the Selenium Hub is running and the Chrome nodes are connected. The Lucidworks connector is available on port 8764. Run docker-compose logs lucidworks-connector in a terminal to verify that the service is up. To check the container status, run docker-compose ps in a terminal and verify that all containers are up. Press Ctrl-C to stop the services when viewing logs in real-time. To stop all services, run docker-compose down in a terminal. If you want to remove all volumes when stopping all services, run docker-compose down -v.

Scale Selenium Grid for concurrent JavaScript-evaluation datasources

Starting with Web V2 v2.2.3, multiple datasources with JavaScript evaluation enabled can run simultaneously and share one Selenium Grid instance. The default Selenium Grid configuration targets light-to-moderate JavaScript workloads and provides only two concurrent browser slots. If you run more than one JavaScript-enabled datasource at a time, you may need to scale your Selenium Grid to avoid slot exhaustion. If you are using this connector with Lucidworks Search, contact Lucidworks Support.

Shipped defaults

The Helm chart ships with the following conservative defaults: These default values give Selenium Grid two total slots: two replicas and one session. The total Selenium Grid capacity is calculated as:

Scaling strategies

You can increase Selenium Grid capacity in two ways: horizontal scaling or vertical scaling. Start with horizontal scaling. Use vertical scaling only when cluster scheduling constraints make adding more pods impractical.
Horizontal scaling
You can increase replicas on the selenium-node-chrome deployment to add more Chrome node pods. Each new pod runs independently with its own memory and CPU allocation, providing fault isolation between sessions. This is the recommended method.
Vertical scaling
Alternately, you can create more sessions per node. To do this, increase SE_NODE_MAX_SESSIONS to run multiple concurrent browser sessions within a single Chrome node pod. This requires proportionally more pod memory, CPU, and /dev/shm, and sessions on the same pod compete for resources.
SE_NODE_OVERRIDE_MAX_SESSIONS=true must be set when SE_NODE_MAX_SESSIONS is greater than 1. Without it, Selenium silently caps the session count at its auto-detected value, regardless of what SE_NODE_MAX_SESSIONS is set to. To verify the setting is present:

Pod memory sizing

Each concurrent Chrome session requires memory for the browser process, renderer processes, and the JavaScript heap. Use the following per-session budgets as a starting point based on your target sites: Use this formula to calculate the pod memory limit:
Example: 2 sessions on typical modern web pages:
Set pod_memory_limit to 6Gi.

/dev/shm sizing

Chrome uses /dev/shm (POSIX shared memory) for communication between the browser process and its renderer processes. When /dev/shm runs out, the kernel ends Chrome renderer processes, which causes tab crashes. Because the pod stays healthy, the crashes appear random. Crawls succeed on some pages and fail on others with no clear pattern. Use these per-session budgets: The dshm volume in the Chrome node Deployment controls this limit:
Formula: dshm_sizeLimit = sessions * per_session_shm_budget For four sessions on typical pages: 4 * 512 MB = 2 Gi.

Session timeouts

Two environment variables control how long an idle session holds its resources: Always set both to the same value. If they differ, the component with the shorter timeout releases its resources first while the other holds on, either silently blocking a slot or leaving Chrome processes running after a connector failure. The default of 60 seconds provides fast crash recovery. If you crawl websites where page load and JavaScript execution routinely take longer than 60 seconds (large enterprise portals, sites with heavy client-side rendering), raise both timeouts together:
Do not raise timeouts above 180 seconds (3 minutes) without a specific reason. Higher values delay crash recovery and slow resource reclamation.

Validate your configuration

After scaling, confirm your configuration supports concurrent load matching your production workload.
  1. Start multiple JavaScript-enabled datasource crawls simultaneously.
  2. Confirm all of the following:
    • All crawls start without SELENIUM_HUB_UNAVAILABLE or SELENIUM_CHROME_NODES_UNAVAILABLE errors.
    • Crawls complete without renderer crashes (Tab crashed, Aw, Snap!) or pod OOMKilled events.
    • Pod memory stays under the limit throughout the crawl cycle (kubectl top pod).
    • Documents from all crawls are indexed successfully.
If any check fails, increase replicas, raise pod memory, or reduce SE_NODE_MAX_SESSIONS per node.

Control the web connector’s crawl depth

The Max Crawling Depth setting controls how many levels the Web V2 connector follows from your starting URL. You can think of these crawl levels as link hops or navigation levels from a starting URL. Setting the crawl depth ensures you are crawling the appropriate pages for your search experience. As you increase the Max Crawling Depth value, the Web V2 connector may crawl exponentially more pages. For example, if the start link contains links to ten pages, and each of those pages links to ten different pages, then a crawl depth of 2 can grow to 100 pages. As the number of pages crawled increases, the time to complete the crawl also increases. Deeper crawl depths consume more memory, use more HTTP requests and bandwidth, and may cause your website to limit the number of pages the web connector can crawl or time out before completing the crawl. Without strict limits, it’s possible for the Web V2 connector to crawl extremely large websites indefinitely if the website contains dynamic content or circular links. A start link can be a page of your website or a webpage with a list of HTML links. The Web V2 connector starts the crawl from this page and crawls the page to the specified depth. You may specify multiple start URLs in the Bulk Start Links field. A simple example is starting a crawl from a company’s home page with the following layout:
If you set the Max Crawling Depth field to a different value, the Web V2 connector crawls a different set of pages. For example: If you set the max crawling depth to 0, the web connector crawls only your start page if you are using a start URL. This setting is recommended for testing basic connectivity or troubleshooting. A max crawling depth of 2 or 3 is sufficient for most business needs, especially when combined with URL filters and page limits. Very large websites may need a max crawling depth of 4. If you need comprehensive coverage, set the max crawling depth to -1.
If you set the max crawling depth to -1, set strict document limits and URL filters so your crawls complete successfully.

Use a sitemap file

The Web V2 connector supports XML sitemap files. These files must be in XML format and are typically named sitemap.xml or similar. To use a sitemap instead of a start link, select Link Discovery, enter a sitemap URL in the Sitemap URLs field, and click Add. You may add multiple sitemap URLs. Unlike using a start link, setting the max crawling depth to 0 when using a sitemap crawls the URLs listed in the sitemap. Setting the max crawling depth to 1 crawls the URLs listed in the sitemap and the links included in those pages.

Configure the timeout

The connector timeout can be configured as infinite to handle large files. Configure the timeout by enabling Crawl performance properties and setting the Connection timeout (ms). Connector flow
The Connection timeout (ms) option becomes visible only after selecting the Advanced checkbox.
Use the following guidelines when setting the timeout:
  • To enable an infinite timeout for large file downloads, set the timeout configuration to 0.
  • For standard timeout behavior, use any positive value. For example, a timeout of 30000 gives a 30-second timeout with clean connection termination.

Enable Javascript Evaluation in Fusion

JavaScript evaluation allows the Web V2 connector to extract content from a website that is only available after JavaScript has rendered the document. It is available for Web V2 v2.1.0 and later on hosted and remote connectors. To enable JavaScript evaluation in the Web V2 connector:
  1. Navigate to your Web V2 datasource in Fusion.
  2. Select Javascript Evaluation Properties. A variety of settings displays. In this section you can customize your JavaScript evaluation settings.
  3. Select Evaluate JavaScript. This is required for using JavaScript evaluation.
  4. If you specified a SmartForms or SAML element in the Crawl Authentication Properties area, select Evaluate JavaScript during SmartForms/SAML Login.
  5. Headless browser mode is selected by default, which runs the browser performing the website crawl in the background without being visible. If your website renders pages on the server side, the Headless browser field must be unchecked for the crawl to work correctly and retrieve links. If your website renders pages on the client side, the Headless browser field should be checked.
  6. Click Apply.
For the full JavaScript evaluation settings, see javascriptEvaluationConfig under Properties in the configuration specifications.

Configuration

When entering configuration values in the UI, use unescaped characters, such as \t for the tab character. When entering configuration values in the API, use escaped characters, such as \\t for the tab character.