mirror of https://github.com/apache/lucene.git
SOLR-14136: ip whitelist/blacklist via env vars (#1111)
SOLR-14136: ip whitelist/blacklist via env vars. This makes it easy to restrict access to Solr by IP. For example, SOLR_IP_WHITELIST="127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64" would restrict access to v4/v6 localhost, the 192.168.0 ipv4 network, and the 2000:123:4:5 ipv6 network. Any other IP will receive a 403 response. Blacklisting functionality can deny access to problematic addresses or networks that would otherwise be allowed. For example, SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4" would explicitly prevent those two specific addresses from accessing Solr.
parent
1be5b68964
commit
72c99e921c
|
@ -166,6 +166,10 @@ Improvements
|
|||
* SOLR-14138: Jetty's NCSA-formatted RequestLog can be enabled via environment variable,
|
||||
SOLR_REQUESTLOG_ENABLED=true. This will respect SOLR_LOGS_DIR if it is set. (rmuir)
|
||||
|
||||
* SOLR-14136: Jetty's InetAccessHandler can be enabled via environment variables,
|
||||
SOLR_IP_WHITELIST and SOLR_IP_BLACKLIST. These variables can restrict access to
|
||||
Solr based on IP addresses/networks. (rmuir)
|
||||
|
||||
Optimizations
|
||||
---------------------
|
||||
(No changes)
|
||||
|
|
|
@ -2050,6 +2050,10 @@ else
|
|||
fi
|
||||
fi
|
||||
|
||||
# IP-based access control
|
||||
IP_ACL_OPTS=("-Dsolr.jetty.inetaccess.includes=${SOLR_IP_WHITELIST}" \
|
||||
"-Dsolr.jetty.inetaccess.excludes=${SOLR_IP_BLACKLIST}")
|
||||
|
||||
# These are useful for attaching remote profilers like VisualVM/JConsole
|
||||
if [ "$ENABLE_REMOTE_JMX_OPTS" == "true" ]; then
|
||||
|
||||
|
@ -2180,7 +2184,7 @@ function start_solr() {
|
|||
exit 1
|
||||
fi
|
||||
|
||||
SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" \
|
||||
SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" "${IP_ACL_OPTS[@]}" \
|
||||
"${REMOTE_JMX_OPTS[@]}" "${CLOUD_MODE_OPTS[@]}" $SOLR_LOG_LEVEL_OPT -Dsolr.log.dir="$SOLR_LOGS_DIR" \
|
||||
"-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
|
||||
"${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
|
||||
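Review bot: The `IP_ACL_OPTS` assignment passes both properties unconditionally, so an unset or misspelled `SOLR_IP_WHITELIST` reaches Jetty as an empty include list, and nothing at startup shows that no restriction is in force. With the jetty.xml default of `""` this presumably means every address is admitted, which is the fail-open case an operator most needs to notice. I would add a comment above the assignment such as `# Empty values are passed through as-is; an empty include list leaves access unrestricted.` and print the effective lists wherever the script already reports its startup settings. The second hunk only appends `"${IP_ACL_OPTS[@]}"` to `SOLR_START_OPTS`, and the body of `start_solr` continues outside it.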
|
|
|
@ -1156,6 +1156,10 @@ IF "%SOLR_MODE%"=="solrcloud" (
|
|||
)
|
||||
)
|
||||
|
||||
REM IP-based access control
|
||||
set IP_ACL_OPTS=-Dsolr.jetty.inetaccess.includes="%SOLR_IP_WHITELIST%" ^
|
||||
-Dsolr.jetty.inetaccess.excludes="%SOLR_IP_BLACKLIST%"
|
||||
|
||||
REM These are useful for attaching remove profilers like VisualVM/JConsole
|
||||
IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
|
||||
IF "!RMI_PORT!"=="" set RMI_PORT=1%SOLR_PORT%
|
||||
|
@ -1258,6 +1262,7 @@ IF "%verbose%"=="1" (
|
|||
set START_OPTS=-Duser.timezone=%SOLR_TIMEZONE%
|
||||
set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
|
||||
IF NOT "!CLOUD_MODE_OPTS!"=="" set "START_OPTS=%START_OPTS% !CLOUD_MODE_OPTS!"
|
||||
IF NOT "!IP_ACL_OPTS!"=="" set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"
|
||||
IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
|
||||
IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
|
||||
IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"
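Review bot: The guard on the added `IF NOT "!IP_ACL_OPTS!"==""` line can never be false, because the earlier hunk sets `IP_ACL_OPTS` unconditionally to a string that always contains both `-D` flags. As written it reads as if the options were optional, while both properties are in fact always appended, even with empty values. Either drop the test and append directly with `set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"`, or make the earlier `set IP_ACL_OPTS=` conditional on the two variables being defined so that the guard means something.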
|
||||
|
|
|
@ -112,6 +112,16 @@ REM set SOLR_JETTY_HOST=0.0.0.0
|
|||
REM Sets the port Solr binds to, default is 8983
|
||||
REM set SOLR_PORT=8983
|
||||
|
||||
REM Restrict access to solr by IP address.
|
||||
REM Specify a comma-separated list of addresses or networks, for example:
|
||||
REM 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
|
||||
REM set SOLR_IP_WHITELIST=
|
||||
|
||||
REM Block access to solr from specific IP addresses.
|
||||
REM Specify a comma-separated list of addresses or networks, for example:
|
||||
REM 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
|
||||
REM set SOLR_IP_BLACKLIST=
|
||||
|
||||
REM Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
|
||||
REM to enable https module with custom jetty configuration.
|
||||
REM set SOLR_SSL_ENABLED=true
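Review bot: The new comment block for `SOLR_IP_WHITELIST` does not say what happens when the variable is left empty, or which address is compared, and the same text is repeated in the shell variant of this settings file in the next section. Jetty's InetAccessHandler, as far as I know, matches the remote address of the connection itself, so behind a reverse proxy or load balancer every request carries the proxy's address and the list no longer separates individual clients. I would add `REM An empty whitelist allows all addresses. The check uses the connecting peer's address,` and `REM so behind a proxy or load balancer it is the proxy that must be listed.` The blacklist block would benefit from a line stating that excludes take precedence over includes, which the commit description implies but the file does not say.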
|
||||
|
|
|
@ -129,6 +129,16 @@
|
|||
# Sets the port Solr binds to, default is 8983
|
||||
#SOLR_PORT=8983
|
||||
|
||||
# Restrict access to solr by IP address.
|
||||
# Specify a comma-separated list of addresses or networks, for example:
|
||||
# 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
|
||||
#SOLR_IP_WHITELIST=
|
||||
|
||||
# Block access to solr from specific IP addresses.
|
||||
# Specify a comma-separated list of addresses or networks, for example:
|
||||
# 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
|
||||
#SOLR_IP_BLACKLIST=
|
||||
|
||||
# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
|
||||
# to enable https module with custom jetty configuration.
|
||||
#SOLR_SSL_ENABLED=true
|
||||
|
|
|
@ -157,7 +157,25 @@
|
|||
<Set name="handlers">
|
||||
<Array type="org.eclipse.jetty.server.Handler">
|
||||
<Item>
|
||||
<New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
|
||||
<New class="org.eclipse.jetty.server.handler.InetAccessHandler">
|
||||
<Call name="include">
|
||||
<Arg>
|
||||
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
|
||||
<Arg><Property name="solr.jetty.inetaccess.includes" default=""/></Arg>
|
||||
</Call>
|
||||
</Arg>
|
||||
</Call>
|
||||
<Call name="exclude">
|
||||
<Arg>
|
||||
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
|
||||
<Arg><Property name="solr.jetty.inetaccess.excludes" default=""/></Arg>
|
||||
</Call>
|
||||
</Arg>
|
||||
</Call>
|
||||
<Set name="handler">
|
||||
<New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
|
||||
</Set>
|
||||
</New>
|
||||
</Item>
|
||||
<Item>
|
||||
<New id="InstrumentedHandler" class="com.codahale.metrics.jetty9.InstrumentedHandler">
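Review bot: The new `InetAccessHandler` element has no comment saying where `solr.jetty.inetaccess.includes` and `solr.jetty.inetaccess.excludes` come from, or that the `default=""` on both leaves the wrapped `Contexts` collection open to every address. A short XML comment above the `<New>` would help anyone editing this file directly, for example `<!-- IP allow/deny lists, set from SOLR_IP_WHITELIST / SOLR_IP_BLACKLIST by the start scripts; empty includes means no restriction. -->`. For auditing it is also worth noting there that denied requests get a 403, and that seeing them presumably requires the request log (SOLR_REQUESTLOG_ENABLED) to be on. The handlers array continues past the end of this hunk, so how the other items interact with the new handler is not visible here.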
|
||||
|
|