SOLR-14136: ip whitelist/blacklist via env vars (#1111)

SOLR-14136: ip whitelist/blacklist via env vars

This makes it easy to restrict access to Solr by IP. For example SOLR_IP_WHITELIST="127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64" would restrict access to v4/v6 localhost, the 192.168.0 ipv4 network, and 2000:123:4:5 ipv6 network. Any other IP will receive a 403 response.

Blacklisting functionality can deny access to problematic addresses or networks that would otherwise be allowed. For example SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4" would explicitly prevent those two specific addresses from accessing solr.
This commit is contained in:
Robert Muir 2019-12-23 19:26:11 -05:00 committed by GitHub
parent 1be5b68964
commit 72c99e921c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 53 additions and 2 deletions

View File

@ -166,6 +166,10 @@ Improvements
* SOLR-14138: Jetty's NCSA-formatted RequestLog can be enabled via environment variable,
SOLR_REQUESTLOG_ENABLED=true. This will respect SOLR_LOGS_DIR if it is set. (rmuir)
* SOLR-14136: Jetty's InetAccessHandler can be enabled via environment variables,
SOLR_IP_WHITELIST and SOLR_IP_BLACKLIST. These variables can restrict access to
Solr based on IP addresses/networks. (rmuir)
Optimizations
---------------------
(No changes)

View File

@ -2050,6 +2050,10 @@ else
fi
fi
# IP-based access control
IP_ACL_OPTS=("-Dsolr.jetty.inetaccess.includes=${SOLR_IP_WHITELIST}" \
"-Dsolr.jetty.inetaccess.excludes=${SOLR_IP_BLACKLIST}")
# These are useful for attaching remote profilers like VisualVM/JConsole
if [ "$ENABLE_REMOTE_JMX_OPTS" == "true" ]; then
@ -2180,7 +2184,7 @@ function start_solr() {
exit 1
fi
SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" \
SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" "${IP_ACL_OPTS[@]}" \
"${REMOTE_JMX_OPTS[@]}" "${CLOUD_MODE_OPTS[@]}" $SOLR_LOG_LEVEL_OPT -Dsolr.log.dir="$SOLR_LOGS_DIR" \
"-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
"${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \

View File

@ -1156,6 +1156,10 @@ IF "%SOLR_MODE%"=="solrcloud" (
)
)
REM IP-based access control
set IP_ACL_OPTS=-Dsolr.jetty.inetaccess.includes="%SOLR_IP_WHITELIST%" ^
-Dsolr.jetty.inetaccess.excludes="%SOLR_IP_BLACKLIST%"
REM These are useful for attaching remove profilers like VisualVM/JConsole
IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
IF "!RMI_PORT!"=="" set RMI_PORT=1%SOLR_PORT%
@ -1258,6 +1262,7 @@ IF "%verbose%"=="1" (
set START_OPTS=-Duser.timezone=%SOLR_TIMEZONE%
set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
IF NOT "!CLOUD_MODE_OPTS!"=="" set "START_OPTS=%START_OPTS% !CLOUD_MODE_OPTS!"
IF NOT "!IP_ACL_OPTS!"=="" set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"
IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"

View File

@ -112,6 +112,16 @@ REM set SOLR_JETTY_HOST=0.0.0.0
REM Sets the port Solr binds to, default is 8983
REM set SOLR_PORT=8983
REM Restrict access to solr by IP address.
REM Specify a comma-separated list of addresses or networks, for example:
REM 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
REM set SOLR_IP_WHITELIST=
REM Block access to solr from specific IP addresses.
REM Specify a comma-separated list of addresses or networks, for example:
REM 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
REM set SOLR_IP_BLACKLIST=
REM Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
REM to enable https module with custom jetty configuration.
REM set SOLR_SSL_ENABLED=true

View File

@ -129,6 +129,16 @@
# Sets the port Solr binds to, default is 8983
#SOLR_PORT=8983
# Restrict access to solr by IP address.
# Specify a comma-separated list of addresses or networks, for example:
# 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
#SOLR_IP_WHITELIST=
# Block access to solr from specific IP addresses.
# Specify a comma-separated list of addresses or networks, for example:
# 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
#SOLR_IP_BLACKLIST=
# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
# to enable https module with custom jetty configuration.
#SOLR_SSL_ENABLED=true

View File

@ -157,7 +157,25 @@
<Set name="handlers">
<Array type="org.eclipse.jetty.server.Handler">
<Item>
<New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
<New class="org.eclipse.jetty.server.handler.InetAccessHandler">
<Call name="include">
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="solr.jetty.inetaccess.includes" default=""/></Arg>
</Call>
</Arg>
</Call>
<Call name="exclude">
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="solr.jetty.inetaccess.excludes" default=""/></Arg>
</Call>
</Arg>
</Call>
<Set name="handler">
<New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
</Set>
</New>
</Item>
<Item>
<New id="InstrumentedHandler" class="com.codahale.metrics.jetty9.InstrumentedHandler">