From d7ff40f53fea84a8e628b4a87d42cb6579161615 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Mon, 23 Dec 2019 19:26:11 -0500 Subject: [PATCH] SOLR-14136: ip whitelist/blacklist via env vars (#1111) SOLR-14136: ip whitelist/blacklist via env vars This makes it easy to restrict access to Solr by IP. For example SOLR_IP_WHITELIST="127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64" would restrict access to v4/v6 localhost, the 192.168.0 ipv4 network, and 2000:123:4:5 ipv6 network. Any other IP will receive a 403 response. Blacklisting functionality can deny access to problematic addresses or networks that would otherwise be allowed. For example SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4" would explicitly prevent those two specific addresses from accessing solr. --- solr/CHANGES.txt | 6 +++++- solr/bin/solr | 6 +++++- solr/bin/solr.cmd | 5 +++++ solr/bin/solr.in.cmd | 10 ++++++++++ solr/bin/solr.in.sh | 10 ++++++++++ solr/server/etc/jetty.xml | 20 +++++++++++++++++++- 6 files changed, 54 insertions(+), 3 deletions(-) diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt index 3da44da4bcb..8b5989d7fe2 100644 --- a/solr/CHANGES.txt +++ b/solr/CHANGES.txt @@ -79,12 +79,16 @@ Improvements --------------------- * SOLR-14042: Fix varargs precommit warnings (Andraas Salamon via Jason Gerlowski) +* SOLR-14095: Replace Java serialization with Javabin in the Overseer queues (Tomás Fernández Löbbe) + * SOLR-14125: Make plugins work with packages (noble) * SOLR-14138: Jetty's NCSA-formatted RequestLog can be enabled via environment variable, SOLR_REQUESTLOG_ENABLED=true. This will respect SOLR_LOGS_DIR if it is set. (rmuir) -* SOLR-14095: Replace Java serialization with Javabin in the Overseer queues (Tomás Fernández Löbbe) +* SOLR-14136: Jetty's InetAccessHandler can be enabled via environment variables, + SOLR_IP_WHITELIST and SOLR_IP_BLACKLIST. These variables can restrict access to + Solr based on IP addresses/networks. (rmuir) Optimizations --------------------- 
diff --git a/solr/bin/solr b/solr/bin/solr
index 8cdd1145057..5e11b695707 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -2050,6 +2050,10 @@ else
 fi
 fi
+# IP-based access control
+IP_ACL_OPTS=("-Dsolr.jetty.inetaccess.includes=${SOLR_IP_WHITELIST}" \
+ "-Dsolr.jetty.inetaccess.excludes=${SOLR_IP_BLACKLIST}")
+
 # These are useful for attaching remote profilers like VisualVM/JConsole
 if [ "$ENABLE_REMOTE_JMX_OPTS" == "true" ]; then
@@ -2180,7 +2184,7 @@ function start_solr() {
 exit 1
 fi
- SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" \
+ SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" "${IP_ACL_OPTS[@]}" \
 "${REMOTE_JMX_OPTS[@]}" "${CLOUD_MODE_OPTS[@]}" $SOLR_LOG_LEVEL_OPT -Dsolr.log.dir="$SOLR_LOGS_DIR" \
 "-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
 "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index c94f3c16b61..48311ca5edd 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -1156,6 +1156,10 @@ IF "%SOLR_MODE%"=="solrcloud" (
 )
 )
+REM IP-based access control
+set IP_ACL_OPTS=-Dsolr.jetty.inetaccess.includes="%SOLR_IP_WHITELIST%" ^
+-Dsolr.jetty.inetaccess.excludes="%SOLR_IP_BLACKLIST%"
+
 REM These are useful for attaching remove profilers like VisualVM/JConsole
 IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
 IF "!RMI_PORT!"=="" set RMI_PORT=1%SOLR_PORT%
@@ -1258,6 +1262,7 @@ IF "%verbose%"=="1" (
 set START_OPTS=-Duser.timezone=%SOLR_TIMEZONE%
 set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
 IF NOT "!CLOUD_MODE_OPTS!"=="" set "START_OPTS=%START_OPTS% !CLOUD_MODE_OPTS!"
+IF NOT "!IP_ACL_OPTS!"=="" set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"
 IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
 IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
 IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"
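Review bot: `IP_ACL_OPTS` is built unconditionally in this hunk, so when neither `SOLR_IP_WHITELIST` nor `SOLR_IP_BLACKLIST` is set Jetty still receives `-Dsolr.jetty.inetaccess.includes=` and `-Dsolr.jetty.inetaccess.excludes=` with empty values, and whether an empty value means "no restriction" is decided entirely by how jetty.xml consumes the properties (that hunk is not legible on this page). The comment should make the intended fail-open default explicit so nobody assumes an unset whitelist denies all traffic, e.g. `# IP-based access control: empty/unset lists impose no restriction; an address on the blacklist is denied even if it also matches the whitelist` (the precedence is stated in the commit description, not in the code). The values are also passed through with no validation, so a stray comma or bad prefix length is only caught, if at all, when Jetty parses the list at startup; it is worth confirming that a malformed entry fails startup rather than being silently dropped, since the latter would leave the node open while the operator believes it is restricted. The second hunk only splices `"${IP_ACL_OPTS[@]}"` into `SOLR_START_OPTS` and is correctly quoted; `start_solr` begins and ends outside that hunk.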
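Review bot: The guard `IF NOT "!IP_ACL_OPTS!"==""` added in the second solr.cmd hunk (after the `CLOUD_MODE_OPTS` line) can never be false, because the `set IP_ACL_OPTS=...` in the first hunk always assigns both `-D` flags whether or not `SOLR_IP_WHITELIST` and `SOLR_IP_BLACKLIST` are set. Either drop the condition, matching the bash script which appends `${IP_ACL_OPTS[@]}` unconditionally, or make the assignment itself conditional so that empty `includes=""`/`excludes=""` values are not handed to Jetty at all. As in bin/solr, the `REM IP-based access control` comment should say what empty lists mean for access so the default is not mistaken for deny-all.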
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index c6cc5b99707..61524c18a8e 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -112,6 +112,16 @@ REM set SOLR_JETTY_HOST=0.0.0.0
 REM Sets the port Solr binds to, default is 8983
 REM set SOLR_PORT=8983
+REM Restrict access to solr by IP address.
+REM Specify a comma-separated list of addresses or networks, for example:
+REM 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+REM set SOLR_IP_WHITELIST=
+
+REM Block access to solr from specific IP addresses.
+REM Specify a comma-separated list of addresses or networks, for example:
+REM 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+REM set SOLR_IP_BLACKLIST=
+
 REM Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
 REM to enable https module with custom jetty configuration.
 REM set SOLR_SSL_ENABLED=true
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index c47afc47978..d1a921f4f9f 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -129,6 +129,16 @@
 # Sets the port Solr binds to, default is 8983
 #SOLR_PORT=8983
+# Restrict access to solr by IP address.
+# Specify a comma-separated list of addresses or networks, for example:
+# 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+#SOLR_IP_WHITELIST=
+
+# Block access to solr from specific IP addresses.
+# Specify a comma-separated list of addresses or networks, for example:
+# 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+#SOLR_IP_BLACKLIST=
+
 # Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
 # to enable https module with custom jetty configuration.
 #SOLR_SSL_ENABLED=true
diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index e8c8dd2bd40..ecd4f220fe6 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -157,7 +157,25 @@ - + + + + + + + + + + + + + + + + + +
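Review bot: The new `SOLR_IP_BLACKLIST` comment does not say how it interacts with `SOLR_IP_WHITELIST`; the commit description states that blacklisted addresses are denied even when they would otherwise be allowed, so the template should carry that, e.g. `REM Addresses listed here are denied even if they also match SOLR_IP_WHITELIST.` The blacklist example repeats the whitelist example verbatim, including `127.0.0.1` and `[::1]`, which reads as a copy-paste rather than a realistic deny-list example. It would also help to state that leaving `SOLR_IP_WHITELIST` unset leaves access unrestricted, if that is the intended default, since an operator enabling "IP restriction" may otherwise expect deny-by-default. The same three points apply to the solr.in.sh hunk that follows, whose `#` comments are identical.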