51 Commits

Author SHA1 Message Date
Jason Gerlowski 5377742a62 SOLR-13985: Bind to localhost interface by default (#1154)
Prior to this commit, Solr's Jetty listened for connections on all
network interfaces. This commit changes it to only listen on localhost,
to prevent incautious administrators from accidentally exposing their
Solr deployment to the world.

Administrators who wish to override this behavior can set the
SOLR_JETTY_HOST property in their Solr include file
(solr.in.sh/solr.in.cmd) to "0.0.0.0" or some other value.

A version of this commit was previously reverted due to inconsistency
between SOLR_HOST and SOLR_JETTY_HOST.  This commit fixes this issue.
2020-01-13 09:42:30 -05:00
Jason Gerlowski a17c486424 Revert "SOLR-13985: Bind to localhost interface by default"
This temporarily reverts commit 479e73 while a potentially related
networking hiccup is investigated.
2020-01-07 09:05:13 -05:00
Jason Gerlowski 479e736469 SOLR-13985: Bind to localhost interface by default
Prior to this commit, Solr's Jetty listened for connections on all
network interfaces.  This commit changes it to only listen on localhost,
to prevent incautious administrators from accidentally exposing their
Solr deployment to the world.

Administrators who wish to override this behavior can set the
SOLR_JETTY_HOST property in their Solr include file
(solr.in.sh/solr.in.cmd) to "0.0.0.0" or some other value.
2020-01-03 15:17:24 -05:00
Robert Muir 1cb6e35058 SOLR-14141: eliminate JKS keystore from solr ssl docs.
Currently the documentation pretends to create a JKS keystore. It is
only actually a JKS keystore on java 8: on java9+ it is a PKCS12
keystore with a .jks extension (because PKCS12 is the new java default).
It works even though solr explicitly tells the JDK
(SOLR_SSL_KEY_STORE_TYPE=JKS) that it's JKS when it is in fact not, due
to how keystore backwards compatibility was implemented.

Fix docs to explicitly create a PKCS12 keystore with .p12 extension and
so on instead of a PKCS12 keystore masquerading as a JKS one. This
simplifies the SSL steps since the "conversion" step (which was doing
nothing) from .JKS -> .P12 can be removed.
2019-12-29 09:34:00 -05:00
Robert Muir 126d6b7767 SOLR-13984: add (experimental, disabled by default) security manager support (#1082)
* SOLR-13984: add (experimental, disabled by default) security manager support.

User can set SOLR_SECURITY_MANAGER_ENABLED=true to enable security manager at runtime.

The current policy file used by tests is moved to solr/server
Additional permissions are granted for the filesystem locations set by bin/solr, and networking everywhere is enabled.

This takes advantage of the fact that permission entries are ignored if properties are not defined:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#PropertyExp
2019-12-24 06:30:31 -08:00
Robert Muir 72c99e921c SOLR-14136: ip whitelist/blacklist via env vars (#1111)
SOLR-14136: ip whitelist/blacklist via env vars

This makes it easy to restrict access to Solr by IP. For example SOLR_IP_WHITELIST="127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64" would restrict access to v4/v6 localhost, the 192.168.0 ipv4 network, and 2000:123:4:5 ipv6 network. Any other IP will receive a 403 response.

Blacklisting functionality can deny access to problematic addresses or networks that would otherwise be allowed. For example SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4" would explicitly prevent those two specific addresses from accessing solr.
2019-12-23 19:26:11 -05:00
Robert Muir 1425d6cbf8 SOLR-14138: enable request log via environ var, remove deprecated jetty class usage, respect SOLR_LOGS_DIR (#1110)
User can now set SOLR_REQUESTLOG_ENABLED=true to enable the jetty request log, instead of editing XML. The location of the request logs will respect SOLR_LOGS_DIR if that is set. The deprecated NCSARequestLog is no longer used, instead it uses CustomRequestLog with NCSA_FORMAT.
2019-12-23 10:37:31 -05:00
Cao Manh Dat 7350c50316 SOLR-13798: SSL: Adding Enabling/Disabling client's hostname verification config 2019-09-30 16:29:43 +01:00
Jan Høydahl d468d71c03 SOLR-13647: Default solr.in.sh contains incorrect default value 2019-08-12 13:56:35 +02:00
Jan Høydahl b54126169b SOLR-13569: AdminUI visual indication of prod/test/dev environment 2019-06-26 12:09:02 +02:00
Ishan Chattopadhyaya 9c77889217 SOLR-13394: Switch default GC from CMS to G1 2019-04-25 13:58:43 +05:30
Andrzej Bialecki bd8905150d SOLR-12461: Upgrade Dropwizard Metrics to 4.0.5 release. 2019-04-18 19:08:20 +02:00
Tomas Fernandez Lobbe 8b54b20fc4 SOLR-12770: Make it possible to configure a host whitelist for distributed search 2019-01-15 11:44:57 -08:00
Cassandra Targett df5540acc9 SOLR-12497: Add documentation for Hadoop credential provider-based keystore/truststore 2018-11-15 00:35:25 -06:00
Chris Hostetter 4e0e8e979b SOLR-9304: Fix Solr's HTTP handling to respect '-Dsolr.ssl.checkPeerName=false' aka SOLR_SSL_CHECK_PEER_NAME 2018-04-22 13:38:37 -07:00
Mark Miller 5e2a5a5b8c SOLR-10783: Add support for Hadoop Credential Provider as SSL/TLS store password source. 2018-04-09 21:57:56 -05:00
Jan Høydahl 0989e5874a SOLR-12144: SOLR_LOG_PRESTART_ROTATION now defaults to false, we leverage log4j2 for log rotation on startup 2018-04-03 13:10:20 +02:00
Erick Erickson 624d128b5e SOLR-7887: Upgrade Solr to use log4j2 -- log4j 1 now officially end of life 2018-03-25 19:16:09 -07:00
Erick Erickson e82e029406 SOLR-11703: Solr Should Send Log Notifications if Ulimits are too low 2017-12-25 13:22:19 -08:00
Cao Manh Dat 2bc2759bf4 SOLR-5129: Add support for changing flag in bin/solr 2017-10-21 22:05:30 +07:00
Uwe Schindler 86f7d6779a SOLR-8689: Fix bin/solr.cmd so it can run properly on Java 9 2017-08-21 22:30:53 +02:00
Jan Høydahl 39dfb7808a SOLR-6671: Possible to set solr.data.home property as root dir for all data 2017-06-20 13:21:14 +02:00
Mark Miller 0fb89f17e1 SOLR-10307: Allow Passing SSL passwords through environment variables. 2017-05-16 14:19:16 -03:00
Chris Hostetter 09bd8612ce SOLR-10184: Fix bin/solr so it can run properly on java9 2017-03-14 10:23:49 -07:00
markrmiller e1a5776457 SOLR-9997: Enable configuring SolrHttpClientBuilder via java system property. 2017-02-07 13:15:51 -05:00
markrmiller 075aec91cd SOLR-9885: Allow pre-startup Solr log management in Solr bin scripts to be disabled. 2017-01-19 03:07:09 -05:00
Kevin Risden bf424d1ec1 SOLR-9728: Ability to specify Key Store type in solr.in file for SSL 2016-11-28 09:52:02 -06:00
Erick Erickson 1344d895f9 SOLR-9371: Fix bin/solr script calculations - start/stop wait time and RMI_PORT 2016-10-27 17:54:34 -07:00
Jan Høydahl 61e180b7ef SOLR-9255: Rename SOLR_AUTHENTICATION_CLIENT_CONFIGURER -> SOLR_AUTHENTICATION_CLIENT_BUILDER 2016-10-24 14:18:21 +02:00
David Smiley 8ae3304c86 SOLR-7580: Move defaults in bin/solr.in.sh into bin/solr (incl. Windows) 2016-10-19 16:38:06 -04:00
Jan Høydahl 33db4de4d7 SOLR-9325: solr.log is now written to $SOLR_LOGS_DIR without changing log4j.properties 2016-10-14 23:19:09 +02:00
Jan Høydahl eba3939a04 SOLR-7436: Solr stops printing stacktraces in log and output (add -XX:-OmitStackTraceInFastThrow to solr.in.{sh|cmd)) 2016-09-28 10:06:15 +02:00
Jan Høydahl 73c2edddf0 SOLR-9534: You can now set Solr's log level through environment variable SOLR_LOG_LEVEL and -q and -v options to bin/solr 2016-09-22 21:05:28 +02:00
Steve Rowe 5d4cd44b6d SOLR-8792: ZooKeeper ACL support fixed 2016-05-03 18:57:59 -04:00
Mark Robert Miller af2bce9ee1 SOLR-7831: Start Scripts: Allow a configurable stack size [-Xss]
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1694523 13f79535-47bb-0310-9956-ffa450edef68
2015-08-06 15:26:11 +00:00
Jan Høydahl 2d5f162bb8 SOLR-7735: Look for solr.xml in Zookeeper by default
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1692673 13f79535-47bb-0310-9956-ffa450edef68
2015-07-26 00:15:27 +00:00
Anshum Gupta 8936a16554 SOLR-7274: Pluggable authentication module in Solr. This defines an interface and a mechanism to create, load, and use an Authentication plugin.
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1680391 13f79535-47bb-0310-9956-ffa450edef68
2015-05-19 21:10:16 +00:00
Shalin Shekhar Mangar c3185b5489 SOLR-4839: Separate jetty and client specific SSL properties
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1676102 13f79535-47bb-0310-9956-ffa450edef68
2015-04-26 12:44:20 +00:00
Shalin Shekhar Mangar 299ddc5abe SOLR-4839: SSL support with Jetty 9. Also fixes SOLR-7449 on trunk.
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1675619 13f79535-47bb-0310-9956-ffa450edef68
2015-04-23 14:17:35 +00:00
Ramkumar Aiyengar 19e25c78b6 SOLR-7392: Fix SOLR_JAVA_MEM and SOLR_OPTS customizations in solr.in.sh being ignored
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1674565 13f79535-47bb-0310-9956-ffa450edef68
2015-04-18 19:13:00 +00:00
Shawn Heisey 5f5814ce27 SOLR-7319: Revert previous patch, return to discussion.
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1670370 13f79535-47bb-0310-9956-ffa450edef68
2015-03-31 15:54:05 +00:00
Shawn Heisey 421897ea3c SOLR-7319: Workaround for the "Four Month Bug" GC pause problem
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1669731 13f79535-47bb-0310-9956-ffa450edef68
2015-03-28 04:07:18 +00:00
Timothy Potter 7401236745 SOLR-6982: bin/solr and SolrCLI should support SSL-related Java System Properties
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1652208 13f79535-47bb-0310-9956-ffa450edef68
2015-01-15 18:24:48 +00:00
Timothy Potter 4e65c4d1e0 SOLR-6851: Scripts to help install and run Solr as a service on Linux
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1647700 13f79535-47bb-0310-9956-ffa450edef68
2014-12-23 23:20:42 +00:00
Timothy Potter 3a5438ec1f SOLR-6843: JMX RMI connector should be disabled by default but can be activated by setting ENABLE_REMOTE_JMX_OPTS to true in solr.in.(sh|cmd).
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1644978 13f79535-47bb-0310-9956-ffa450edef68
2014-12-12 17:07:06 +00:00
Timothy Potter 9806b86719 SOLR-6726: better strategy for selecting the JMX RMI port based on SOLR_PORT in bin/solr
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1642745 13f79535-47bb-0310-9956-ffa450edef68
2014-12-01 19:50:30 +00:00
Jan Høydahl 5240a5ac8a SOLR-6697: bin/solr start scripts allow setting SOLR_OPTS in solr.in.*
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1638423 13f79535-47bb-0310-9956-ffa450edef68
2014-11-11 21:20:56 +00:00
Timothy Potter 83a04af6fb SOLR-6705: better handling of JVM version specific options
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1638022 13f79535-47bb-0310-9956-ffa450edef68
2014-11-11 04:21:44 +00:00
Timothy Potter 3f566e6e91 SOLR-6549: add a -s option to set the -Dsolr.solr.home property, thus allowing multiple Solr nodes on the same host to share the same server directory -d but with different Solr home directories
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1630550 13f79535-47bb-0310-9956-ffa450edef68
2014-10-09 18:42:21 +00:00
Timothy Potter 7223a40b6d SOLR-3617: hardening command-line parsing and a few minor bug fixes found by QA testing.
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1619025 13f79535-47bb-0310-9956-ffa450edef68
2014-08-20 02:56:18 +00:00