Revert "SOLR-13985: Bind to localhost interface by default"

This temporarily reverts commit 479e73 while a potentially related
networking hiccup is investigated.
Jason Gerlowski 2020-01-07 09:05:13 -05:00
parent 9edb143efd
commit a17c486424
11 changed files with 10 additions and 59 deletions

@ -77,10 +77,6 @@ Upgrade Notes
* SOLR-14092: Deprecated BlockJoinFacetComponent and BlockJoinDocSetFacetComponent are removed
Users are encouraged to migrate to uniqueBlock() in JSON Facet API. (Mikhail Khludnev)
* SOLR-13985: Solr's Jetty now binds to localhost network interface by default for better out of the box security.
Administrators that need Solr exposed more broadly can change the SOLR_JETTY_HOST property in their Solr include
(solr.in.sh/solr.in.cmd) file. (Jason Gerlowski, David Smiley, Robert Muir)
Improvements
----------------------
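Review bot: deleting the whole SOLR-13985 entry from Upgrade Notes leaves CHANGES silent about a default that shipped and was pulled back; since the commit message calls the revert temporary, a one-line note that Solr again binds to all interfaces by default (and that the localhost default is pending the investigation) would keep users tracking SOLR-13985 from being surprised when it returns.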

@ -1879,10 +1879,6 @@ if [ -z "$SOLR_PORT" ]; then
SOLR_PORT=8983
fi
if [ -n "$SOLR_JETTY_HOST" ]; then
SOLR_OPTS+=("-Dsolr.jetty.host=$SOLR_JETTY_HOST")
fi
if [ -z "$STOP_PORT" ]; then
STOP_PORT=`expr $SOLR_PORT - 1000`
fi
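Review bot: removing the `if [ -n "$SOLR_JETTY_HOST" ]` block means the shell start script no longer forwards SOLR_JETTY_HOST to Jetty at all, so a value set in solr.in.sh is silently ignored on Unix after this revert, while the batch script hunks at 1325/1333 still pass `-Djetty.host=%SOLR_JETTY_HOST%`. If the goal is only to restore the all-interfaces default, keeping this block (pointed at whichever property the HTTP connector config reads) would preserve the ability to narrow the bind address on Unix.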

@ -178,7 +178,7 @@ IF NOT "%SOLR_HOST%"=="" (
set "SOLR_TOOL_HOST=localhost"
)
IF "%SOLR_JETTY_HOST%"=="" (
set "SOLR_JETTY_HOST=127.0.0.1"
set SOLR_JETTY_HOST=0.0.0.0
)
REM Verify Java is available
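Review bot: the restored `set SOLR_JETTY_HOST=0.0.0.0` makes the batch script listen on every interface whenever solr.in.cmd leaves the variable unset, which is exactly the exposure SOLR-13985 closed; the revert would be easier to justify if the commit message said whether the "networking hiccup" was traced to the 127.0.0.1 default itself or to one of the other changes being reverted here, since the default is the widest-reaching part. Minor: the restored line drops the quoting (`set "SOLR_JETTY_HOST=127.0.0.1"` became `set SOLR_JETTY_HOST=0.0.0.0`) that the neighbouring `set "SOLR_TOOL_HOST=localhost"` uses.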
@ -1086,10 +1086,6 @@ IF "!IS_RESTART!"=="1" set SCRIPT_CMD=start
IF "%SOLR_PORT%"=="" set SOLR_PORT=8983
IF "%STOP_PORT%"=="" set /A STOP_PORT=%SOLR_PORT% - 1000
IF DEFINED SOLR_JETTY_HOST (
set "SOLR_OPTS=%SOLR_OPTS% -Dsolr.jetty.host=%SOLR_JETTY_HOST%"
)
IF "%SCRIPT_CMD%"=="start" (
REM see if Solr is already running using netstat
For /f "tokens=2,5" %%j in ('netstat -aon ^| find "TCP " ^| find ":0 " ^| find ":%SOLR_PORT% "') do (
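Review bot: with the `IF DEFINED SOLR_JETTY_HOST` block removed, the batch script sets only `jetty.host` (hunks at 1325/1333) and no longer sets `solr.jetty.host`, yet the two HTTPS connector configs touched by this same commit read `solr.jetty.host`; on Windows SOLR_JETTY_HOST will therefore stop affecting the HTTPS listener after the revert. Either keep this block or use one property name across the connector XML files.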
@ -1325,7 +1321,7 @@ IF "%FG%"=="1" (
"%JAVA%" %SERVEROPT% %SOLR_JAVA_MEM% %START_OPTS% ^
-Dlog4j.configurationFile="%LOG4J_CONFIG%" -DSTOP.PORT=!STOP_PORT! -DSTOP.KEY=%STOP_KEY% ^
-Dsolr.solr.home="%SOLR_HOME%" -Dsolr.install.dir="%SOLR_TIP%" -Dsolr.default.confdir="%DEFAULT_CONFDIR%" ^
-Djetty.port=%SOLR_PORT% -Djetty.home="%SOLR_SERVER_DIR%" ^
-Djetty.host=%SOLR_JETTY_HOST% -Djetty.port=%SOLR_PORT% -Djetty.home="%SOLR_SERVER_DIR%" ^
-Djava.io.tmpdir="%SOLR_SERVER_DIR%\tmp" -jar start.jar %SOLR_JETTY_CONFIG% "%SOLR_JETTY_ADDL_CONFIG%"
) ELSE (
START /B "Solr-%SOLR_PORT%" /D "%SOLR_SERVER_DIR%" ^
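Review bot: the restored `-Djetty.host=%SOLR_JETTY_HOST%` matches the `jetty.host` property restored in the HTTP connector config but not the `solr.jetty.host` that the HTTPS connector configs in this commit read, so the same environment variable drives HTTP and HTTPS differently on Windows; aligning the property name in the XML files would let this single argument govern both connectors.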
@ -1333,7 +1329,7 @@ IF "%FG%"=="1" (
-Dlog4j.configurationFile="%LOG4J_CONFIG%" -DSTOP.PORT=!STOP_PORT! -DSTOP.KEY=%STOP_KEY% ^
-Dsolr.log.muteconsole ^
-Dsolr.solr.home="%SOLR_HOME%" -Dsolr.install.dir="%SOLR_TIP%" -Dsolr.default.confdir="%DEFAULT_CONFDIR%" ^
-Djetty.port=%SOLR_PORT% -Djetty.home="%SOLR_SERVER_DIR%" ^
-Djetty.host=%SOLR_JETTY_HOST% -Djetty.port=%SOLR_PORT% -Djetty.home="%SOLR_SERVER_DIR%" ^
-Djava.io.tmpdir="%SOLR_SERVER_DIR%\tmp" -jar start.jar %SOLR_JETTY_CONFIG% "%SOLR_JETTY_ADDL_CONFIG%" > "!SOLR_LOGS_DIR!\solr-%SOLR_PORT%-console.log"
echo %SOLR_PORT%>"%SOLR_TIP%"\bin\solr-%SOLR_PORT%.port
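Review bot: this is the second copy of the same `-Djetty.host=%SOLR_JETTY_HOST%` argument (the foreground branch in the hunk above carries the first); the two branches must stay in sync, so building the host/port arguments into one variable shared by both would avoid the drift that this revert itself had to fix twice.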

@ -105,17 +105,13 @@ REM set SOLR_LOG_PRESTART_ROTATION=false
REM Enables jetty request log for all requests
REM set SOLR_REQUESTLOG_ENABLED=false
REM Set the host interface to listen on. Jetty will listen on all interfaces (0.0.0.0) by default.
REM This must be an IPv4 ("a.b.c.d") or bracketed IPv6 ("[x::y]") address, not a hostname!
REM set SOLR_JETTY_HOST=0.0.0.0
REM Sets the port Solr binds to, default is 8983
REM set SOLR_PORT=8983
REM Sets the network interface the Solr binds to. To prevent administrators from
REM accidentally exposing Solr more widely than intended, this defaults to 127.0.0.1.
REM Administrators should think carefully about their deployment environment and
REM set this value as narrowly as required before going to production. In
REM environments where security is not a concern, 0.0.0.0 can be used to allow
REM Solr to accept connections on all network interfaces.
REM set SOLR_JETTY_HOST=127.0.0.1
REM Restrict access to solr by IP address.
REM Specify a comma-separated list of addresses or networks, for example:
REM 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
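Review bot: the restored comment ("Jetty will listen on all interfaces (0.0.0.0) by default") is accurate again for the batch script, and its note that the value must be an IP address rather than a hostname is useful and had been lost; but the removed advice to set the bind address as narrowly as required before production does not depend on the 127.0.0.1 default and could be kept alongside the restored lines, so administrators still see the recommendation even while the default is reverted.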

@ -139,14 +139,6 @@
# 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
#SOLR_IP_BLACKLIST=
# Sets the network interface the Solr binds to. To prevent administrators from
# accidentally exposing Solr more widely than intended, this defaults to 127.0.0.1.
# Administrators should think carefully about their deployment environment and
# set this value as narrowly as required before going to production. In
# environments where security is not a concern, 0.0.0.0 can be used to allow
# Solr to accept connections on all network interfaces.
#SOLR_JETTY_HOST="127.0.0.1"
# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
# to enable https module with custom jetty configuration.
#SOLR_SSL_ENABLED=true
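Review bot: unlike the solr.in.cmd hunk, this one removes the SOLR_JETTY_HOST block without restoring any earlier comment, so solr.in.sh no longer mentions the setting at all; together with the shell start script hunk (which drops the only code that forwarded it), Unix users are left with no documented way to restrict the bind address after this revert. If the shell script keeps any host handling, a comment equivalent to the one solr.in.cmd restores belongs here too.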

@ -38,7 +38,7 @@
</Item>
</Array>
</Arg>
<Set name="host"><Property name="solr.jetty.host" default="127.0.0.1"/></Set>
<Set name="host"><Property name="jetty.host" /></Set>
<Set name="port"><Property name="jetty.port" default="8983" /></Set>
<Set name="idleTimeout"><Property name="solr.jetty.http.idleTimeout" default="120000"/></Set>
<Set name="acceptorPriorityDelta"><Property name="solr.jetty.http.acceptorPriorityDelta" default="0"/></Set>
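Review bot: restoring `<Property name="jetty.host" />` with no default means the HTTP connector binds to all interfaces unless `-Djetty.host` is passed, and the property name now differs from the `solr.jetty.host` that the two HTTPS connector configs in this commit read; the shell start script passes neither after this revert. Choosing one property name for all three connector files would let a single SOLR_JETTY_HOST value govern HTTP and HTTPS alike.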

@ -63,7 +63,7 @@
</Item>
</Array>
</Arg>
<Set name="host"><Property name="solr.jetty.host" default="127.0.0.1"/></Set>
<Set name="host"><Property name="solr.jetty.host" /></Set>
<Set name="port"><Property name="solr.jetty.https.port" default="8983" /></Set>
<Set name="idleTimeout"><Property name="solr.jetty.https.timeout" default="120000"/></Set>
<Set name="acceptorPriorityDelta"><Property name="solr.jetty.ssl.acceptorPriorityDelta" default="0"/></Set>
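Review bot: `<Property name="solr.jetty.host" />` keeps the SOLR-13985 property name but drops the 127.0.0.1 default, so the HTTPS connector binds to all interfaces unless `-Dsolr.jetty.host` is supplied, and after the batch-script hunk at 1086 neither start script supplies it. A short XML comment stating that an unset host means all interfaces would make the reverted behaviour explicit for anyone reading this file.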

@ -57,7 +57,7 @@
</Item>
</Array>
</Arg>
<Set name="host"><Property name="solr.jetty.host" default="127.0.0.1" /></Set>
<Set name="host"><Property name="solr.jetty.host" /></Set>
<Set name="port"><Property name="solr.jetty.https.port" default="8983" /></Set>
<Set name="idleTimeout"><Property name="solr.jetty.https.timeout" default="120000"/></Set>
<Set name="acceptorPriorityDelta"><Property name="solr.jetty.ssl.acceptorPriorityDelta" default="0"/></Set>
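Review bot: same observation as the previous HTTPS connector hunk: no default, and a `solr.jetty.host` property that neither start script sets once this revert lands. The two HTTPS files stay identical to each other, which is good, but both now disagree with the `jetty.host` name used by the HTTP connector config.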

@ -31,11 +31,6 @@ In this section you will learn how to start a SolrCloud cluster using startup sc
This tutorial assumes that you're already familiar with the basics of using Solr. If you need a refresher, please see the <<getting-started.adoc#getting-started,Getting Started section>> to get a grounding in Solr concepts. If you load documents as part of that exercise, you should start over with a fresh Solr installation for these SolrCloud tutorials.
====
[WARNING]
====
For security reasons, Solr nodes only accept connections from localhost by default. Administrators setting up SolrCloud deployments with multiple nodes must override this setting. For more details see <<securing-solr.adoc#network-configuration,here>>.
====
== SolrCloud Example
=== Interactive Startup
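Review bot: removing the WARNING admonition is consistent with the rest of the commit, since its `securing-solr.adoc#network-configuration` anchor is deleted in a later hunk and leaving the admonition would have produced a broken cross-reference; the `====` delimiters around the preceding block remain balanced after the removal.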

@ -79,22 +79,6 @@ SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4"
ZooKeeper is a central and important part of a SolrCloud cluster and understanding how to secure
its content is covered in the <<zookeeper-access-control.adoc#zookeeper-access-control,ZooKeeper Access Control>> page.
== Network Configuration
// tag::security-network-binding-1[]
Administrators should consider their security setup carefully as an important step in moving to production. Solr provides a number of features out of the box to meet the security needs of users: authentication and authorization can be configured using a range of security plugins, privacy can be bolstered by enabling SSL/TLS, and (in SolrCloud) ZooKeeper data can be protected with ACL rules to prevent unauthorized reads and writes.
Even if these measures or others are taken, it is strongly recommended that Solr always be protected by a firewall. Solr is not designed to be exposed on the open internet.
It is also strongly recommended that Solr listen to only those network interfaces that are strictly required. To prevent administrators from unintentionally exposing Solr more broadly, Solr only listens on the loopback interface ("127.0.0.1") by default. Most deployments will need to change this value to something less restrictive so that it can be reached from other boxes. This can be done by setting a `SOLR_JETTY_HOST` value in your environment's "include script" (`solr.in.sh` or `solr.in.cmd`):
[source,bash]
----
SOLR_JETTY_HOST="0.0.0.0"
----
// end::security-network-binding-1[]
== Enable Security Manager
Solr can run in a Java Security Manager sandbox by setting `SOLR_SECURITY_MANAGER_ENABLED=true` via environment variable or in `solr.in.sh`/`solr.in.cmd`. This feature is incompatible with Hadoop.
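Review bot: the removed `== Network Configuration` section carries the firewall advice ("Solr is not designed to be exposed on the open internet") and the general recommendation to listen only on the interfaces that are strictly required, neither of which depends on the 127.0.0.1 default; consider keeping those paragraphs (and the `security-network-binding-1` tag that other pages include) and dropping only the sentences about the default and the `SOLR_JETTY_HOST="0.0.0.0"` example.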

@ -302,10 +302,6 @@ Check these limits every time you upgrade your kernel or operating system. These
If these limits are exceeded, the problems reported by Solr vary depending on the specific operation responsible for exceeding the limit. Errors such as "too many open files", "connection error", and "max processes exceeded" have been reported, as well as SolrCloud recovery failures.
====
== Security Considerations
include::securing-solr.adoc[tag=security-network-binding-1]
== Running Multiple Solr Nodes per Host
The `bin/solr` script is capable of running multiple instances on one machine, but for a *typical* installation, this is not a recommended setup. Extra CPU and memory resources are required for each additional instance. A single instance is easily capable of handling multiple indexes.
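Review bot: removing `== Security Considerations` together with its include avoids leaving an empty section and matches the deletion of the `security-network-binding-1` tag in securing-solr.adoc; if the firewall paragraphs are retained there as suggested, this heading and include should be kept as well so the production guide still points readers at them.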