SOLR-14136: ip whitelist/blacklist via env vars (#1111)

SOLR-14136: ip whitelist/blacklist via env vars This makes it easy to restrict access to Solr by IP. For example SOLR_IP_WHITELIST="127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64" would restrict access to v4/v6 localhost, the 192.168.0 ipv4 network, and 2000:123:4:5 ipv6 network. Any other IP will receive a 403 response. Blacklisting functionality can deny access to problematic addresses or networks that would otherwise be allowed. For example SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4" would explicitly prevent those two specific addresses from accessing solr.
2019-12-23 19:26:11 -05:00 · 2019-12-23 19:26:11 -05:00 · 72c99e921c
parent 1be5b68964
commit 72c99e921c
6 changed files with 53 additions and 2 deletions
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@ -166,6 +166,10 @@ Improvements
 * SOLR-14138: Jetty's NCSA-formatted RequestLog can be enabled via environment variable,
  SOLR_REQUESTLOG_ENABLED=true. This will respect SOLR_LOGS_DIR if it is set. (rmuir)

+* SOLR-14136: Jetty's InetAccessHandler can be enabled via environment variables,
+  SOLR_IP_WHITELIST and SOLR_IP_BLACKLIST. These variables can restrict access to
+  Solr based on IP addresses/networks. (rmuir)
+
 Optimizations
 ---------------------
 (No changes)
--- a/solr/bin/solr
+++ b/solr/bin/solr
@ -2050,6 +2050,10 @@ else
  fi
 fi

+# IP-based access control
+IP_ACL_OPTS=("-Dsolr.jetty.inetaccess.includes=${SOLR_IP_WHITELIST}" \
+             "-Dsolr.jetty.inetaccess.excludes=${SOLR_IP_BLACKLIST}")
+
 # These are useful for attaching remote profilers like VisualVM/JConsole
 if [ "$ENABLE_REMOTE_JMX_OPTS" == "true" ]; then

@ -2180,7 +2184,7 @@ function start_solr() {
    exit 1
  fi

-  SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" \
+  SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" "${IP_ACL_OPTS[@]}" \
    "${REMOTE_JMX_OPTS[@]}" "${CLOUD_MODE_OPTS[@]}" $SOLR_LOG_LEVEL_OPT -Dsolr.log.dir="$SOLR_LOGS_DIR" \
    "-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
    "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@ -1156,6 +1156,10 @@ IF "%SOLR_MODE%"=="solrcloud" (
  )
 )

+REM IP-based access control
+set IP_ACL_OPTS=-Dsolr.jetty.inetaccess.includes="%SOLR_IP_WHITELIST%" ^
+-Dsolr.jetty.inetaccess.excludes="%SOLR_IP_BLACKLIST%"
+
 REM These are useful for attaching remove profilers like VisualVM/JConsole
 IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
  IF "!RMI_PORT!"=="" set RMI_PORT=1%SOLR_PORT%
@ -1258,6 +1262,7 @@ IF "%verbose%"=="1" (
 set START_OPTS=-Duser.timezone=%SOLR_TIMEZONE%
 set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
 IF NOT "!CLOUD_MODE_OPTS!"=="" set "START_OPTS=%START_OPTS% !CLOUD_MODE_OPTS!"
+IF NOT "!IP_ACL_OPTS!"=="" set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"
 IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
 IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
 IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@ -112,6 +112,16 @@ REM set SOLR_JETTY_HOST=0.0.0.0
 REM Sets the port Solr binds to, default is 8983
 REM set SOLR_PORT=8983

+REM Restrict access to solr by IP address.
+REM Specify a comma-separated list of addresses or networks, for example:
+REM   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+REM set SOLR_IP_WHITELIST=
+
+REM Block access to solr from specific IP addresses.
+REM Specify a comma-separated list of addresses or networks, for example:
+REM   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+REM set SOLR_IP_BLACKLIST=
+
 REM Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
 REM to enable https module with custom jetty configuration.
 REM set SOLR_SSL_ENABLED=true
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@ -129,6 +129,16 @@
 # Sets the port Solr binds to, default is 8983
 #SOLR_PORT=8983

+# Restrict access to solr by IP address.
+# Specify a comma-separated list of addresses or networks, for example:
+#   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+#SOLR_IP_WHITELIST=
+
+# Block access to solr from specific IP addresses.
+# Specify a comma-separated list of addresses or networks, for example:
+#   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+#SOLR_IP_BLACKLIST=
+
 # Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
 # to enable https module with custom jetty configuration.
 #SOLR_SSL_ENABLED=true
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@ -157,7 +157,25 @@
           <Set name="handlers">
             <Array type="org.eclipse.jetty.server.Handler">
               <Item>
-                 <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
+                 <New class="org.eclipse.jetty.server.handler.InetAccessHandler">
+                   <Call name="include">
+                     <Arg>
+                       <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
+                         <Arg><Property name="solr.jetty.inetaccess.includes" default=""/></Arg>
+                       </Call>
+                     </Arg>
+                   </Call>
+                   <Call name="exclude">
+                     <Arg>
+                       <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
+                         <Arg><Property name="solr.jetty.inetaccess.excludes" default=""/></Arg>
+                       </Call>
+                     </Arg>
+                   </Call>
+                   <Set name="handler">
+                     <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
+                   </Set>
+                 </New>
               </Item>
               <Item>
                 <New id="InstrumentedHandler" class="com.codahale.metrics.jetty9.InstrumentedHandler">