Commit Graph

43 Commits

Author SHA1 Message Date
Noble Paul 5154b6008f
SOLR-14634: Limit the HTTP security headers to "/solr" end point (#1655) 2020-07-07 23:16:32 +10:00
Ishan Chattopadhyaya 20f39b9c62 Revert "SOLR-14598: Granting reflection access for using annotations in SOLR-14404"
This reverts commit e6ffa8e9e2.
2020-06-27 17:59:16 +05:30
Ishan Chattopadhyaya e6ffa8e9e2 SOLR-14598: Granting reflection access for using annotations in SOLR-14404 2020-06-27 15:59:49 +05:30
Jason Gerlowski 5377742a62
SOLR-13985: Bind to localhost interface by default (#1154)
Prior to this commit, Solr's Jetty listened for connections on all
network interfaces. This commit changes it to only listen on localhost,
to prevent incautious administrators from accidentally exposing their
Solr deployment to the world.

Administrators who wish to override this behavior can set the
SOLR_JETTY_HOST property in their Solr include file
(solr.in.sh/solr.in.cmd) to "0.0.0.0" or some other value.

A version of this commit was previously reverted due to inconsistency
between SOLR_HOST and SOLR_JETTY_HOST.  This commit fixes this issue.
2020-01-13 09:42:30 -05:00
Kevin Risden 22155bf7a7
SOLR-14163: SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION needs to work with Jetty server/client SSL contexts
Closes #1147

Signed-off-by: Kevin Risden <krisden@apache.org>
2020-01-09 10:28:35 -05:00
Jason Gerlowski a17c486424 Revert "SOLR-13985: Bind to localhost interface by default"
This temporarily reverts commit 479e73 while a potentially related
networking hiccup is investigated.
2020-01-07 09:05:13 -05:00
Jason Gerlowski 479e736469 SOLR-13985: Bind to localhost interface by default
Prior to this commit, Solr's Jetty listened for connections on all
network interfaces.  This commit changes it to only listen on localhost,
to prevent incautious administrators from accidentally exposing their
Solr deployment to the world.

Administrators who wish to override this behavior can set the
SOLR_JETTY_HOST property in their Solr include file
(solr.in.sh/solr.in.cmd) to "0.0.0.0" or some other value.
2020-01-03 15:17:24 -05:00
Robert Muir 1cb6e35058 SOLR-14141: eliminate JKS keystore from solr ssl docs.
Currently the documentation pretends to create a JKS keystore. It is
only actually a JKS keystore on java 8: on java9+ it is a PKCS12
keystore with a .jks extension (because PKCS12 is the new java default).
It works even though solr explicitly tells the JDK
(SOLR_SSL_KEY_STORE_TYPE=JKS) that its JKS when it is in fact not, due
to how keystore backwards compatibility was implemented.

Fix docs to explicitly create a PKCS12 keystore with .p12 extension and
so on instead of a PKCS12 keystore masquerading as a JKS one. This
simplifies the SSL steps since the "conversion" step (which was doing
nothing) from .JKS -> .P12 can be removed.
2019-12-29 09:34:00 -05:00
Dawid Weiss 7350f03cd1 Reordered some lines and comments to make it easier to manually diff/ merge with gradle branch. 2019-12-25 13:29:11 +01:00
Robert Muir 126d6b7767
SOLR-13984: add (experimental, disabled by default) security manager support (#1082)
* SOLR-13984: add (experimental, disabled by default) security manager support.

User can set SOLR_SECURITY_MANAGER_ENABLED=true to enable security manager at runtime.

The current policy file used by tests is moved to solr/server
Additional permissions are granted for the filesystem locations set by bin/solr, and networking everywhere is enabled.

This takes advantage of the fact that permission entries are ignored if properties are not defined:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#PropertyExp
2019-12-24 06:30:31 -08:00
Robert Muir 72c99e921c
SOLR-14136: ip whitelist/blacklist via env vars (#1111)
SOLR-14136: ip whitelist/blacklist via env vars

This makes it easy to restrict access to Solr by IP. For example SOLR_IP_WHITELIST="127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64" would restrict access to v4/v6 localhost, the 192.168.0 ipv4 network, and 2000:123:4:5 ipv6 network. Any other IP will receive a 403 response.

Blacklisting functionality can deny access to problematic addresses or networks that would otherwise be allowed. For example SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4" would explicitly prevent those two specific addresses from accessing solr.
2019-12-23 19:26:11 -05:00
Robert Muir 1425d6cbf8
SOLR-14138: enable request log via environ var, remove deprecated jetty class usage, respect SOLR_LOGS_DIR (#1110)
User can now set SOLR_REQUESTLOG_ENABLED=true to enable the jetty request log, instead of editing XML. The location of the request logs will respect SOLR_LOGS_DIR if that is set. The deprecated NCSARequestLog is no longer used, instead it uses CustomRequestLog with NCSA_FORMAT.
2019-12-23 10:37:31 -05:00
Kevin Risden aab3c5faa3
SOLR-14106: Cleanup Jetty SslContextFactory usage
Jetty 9.4.16.v20190411 and up introduced separate
client and server SslContextFactory implementations.
This split requires the proper use of of
SslContextFactory in clients and server configs.

This fixes the following
* SSL with SOLR_SSL_NEED_CLIENT_AUTH not working since v8.2.0
* Http2SolrClient SSL not working in branch_8x

Signed-off-by: Kevin Risden <krisden@apache.org>
2019-12-19 23:05:47 -05:00
Matthias Krueger 1e5100d5a5
SOLR-14091: Removing deprecated configuration of Jetty's soLingerTime option
Signed-off-by: Kevin Risden <krisden@apache.org>
2019-12-18 17:24:43 -05:00
Kevin Risden 12825f3642
SOLR-14039: SOLR-13987 broke multiple node /select handler due to jetty.xml whitespace
Signed-off-by: Kevin Risden <krisden@apache.org>
2019-12-09 19:29:37 -05:00
Kevin Risden f9e15839bf
SOLR-13987: Admin UI should not rely on javascript eval()
* Removes `'unsafe-eval'` from CSP `script-src`
* Enables Angular CSP mode
* Removes `eval()` JSON parsing in `cloud.js`
* Removes `jstree` themes error

Signed-off-by: Kevin Risden <krisden@apache.org>
2019-12-07 16:40:04 -05:00
Robert Muir c8c9c10023 SOLR-13982: set security-related http response headers by default
Unfortunately, as a first start this is very weak protection against
e.g. XSS.  This is because some 'unsafe-xxx' rules must be present due
to the insecurity of angular JS: Until SOLR-13987 is fixed, XSS & co are
still easy.
2019-12-03 06:12:33 -05:00
Dawid Weiss 063c82ebd6 SOLR-13952: reverting Erick's commit (with permission). 2019-11-25 17:56:20 +01:00
Erick Erickson 4b34d726ab SOLR-13952: Separate out Gradle-specific code from other (mostly test) changes and commit separately 2019-11-24 13:24:40 -05:00
Cao Manh Dat 7350c50316 SOLR-13798: SSL: Adding Enabling/Disabling client's hostname verification config 2019-09-30 16:29:43 +01:00
Uwe Schindler df27ccf01d SOLR-13409: Disable HTML directory listings in admin interface to prevent possible security issues 2019-04-17 11:04:13 +02:00
Cao Manh Dat f80e8e1167 Merge jira/http2 branch to master 2018-12-16 16:58:20 +00:00
Jan Høydahl a3fc31e5d2 Remove unnecessary XML exclusions as Jetty handles these by default (janhoy) 2018-10-18 16:38:52 +02:00
Mark Miller 5e2a5a5b8c SOLR-10783: Add support for Hadoop Credential Provider as SSL/TLS store password source. 2018-04-09 21:57:56 -05:00
Erick Erickson 2900bb597d SOLR-11810: Upgrade Jetty to 9.4.8 2018-01-17 11:33:22 -08:00
Ishan Chattopadhyaya c8e0e939e4 SOLR-11183: V2 APIs are now available at /api endpoint 2017-08-20 21:00:15 +05:30
Chris Hostetter fb3d3f1c92 SOLR-10791: Remove deprecated options in SSLTestConfig 2017-06-01 10:50:58 -07:00
Mark Miller 0fb89f17e1 SOLR-10307: Allow Passing SSL passwords through environment variables. 2017-05-16 14:19:16 -03:00
Cao Manh Dat 0fb386a864 SOLR-8045: Deploy V2 API at /v2 instead of /solr/v2 2017-03-11 10:30:52 +07:00
Andrzej Bialecki 8bbdb6248c Squashed commit of branch 'feature/metrics', containing:
SOLR-4735: Improve Solr metrics reporting
    SOLR-9812: Implement /admin/metrics API
    SOLR-9805: Use metrics-jvm library to instrument jvm internals
    SOLR-9788: Use instrumented jetty classes
2016-12-20 09:31:24 +01:00
Kevin Risden bf424d1ec1 SOLR-9728: Ability to specify Key Store type in solr.in file for SSL 2016-11-28 09:52:02 -06:00
markrmiller ce172acb8f SOLR-4509: Move to non deprecated HttpClient impl classes to remove stale connection check on every request and move connection lifecycle management towards the client. 2016-04-01 12:21:59 -04:00
Shalin Shekhar Mangar 093d86901b SOLR-4839: Disable SSLv3 (POODLE) by default from our SSL config. Also added credits for Steve Rowe and Steve Davids.
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1676354 13f79535-47bb-0310-9956-ffa450edef68
2015-04-27 18:09:51 +00:00
Shalin Shekhar Mangar c3185b5489 SOLR-4839: Separate jetty and client specific SSL properties
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1676102 13f79535-47bb-0310-9956-ffa450edef68
2015-04-26 12:44:20 +00:00
Shalin Shekhar Mangar 299ddc5abe SOLR-4839: SSL support with Jetty 9. Also fixes SOLR-7449 on trunk.
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1675619 13f79535-47bb-0310-9956-ffa450edef68
2015-04-23 14:17:35 +00:00
Shalin Shekhar Mangar 9464d2afb7 SOLR-4839: Make our jetty configs resemble stock Jetty 9.3 configs more closely. Thread pool and common config goes to jetty.xml. All property names are prefixed with solr.jetty. SSL keystore paths are now absolute.
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1675337 13f79535-47bb-0310-9956-ffa450edef68
2015-04-22 11:35:31 +00:00
Chris M. Hostetter b17ed54025 SOLR-7240: '/' redirects to '/solr/' for convinience
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1669431 13f79535-47bb-0310-9956-ffa450edef68
2015-03-26 20:51:23 +00:00
Steven Rowe ab8d012df6 SOLR-7008: Exclude server/etc/solrtest.keystore and create-solrtest.keystore.sh from the binary release packages
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1653551 13f79535-47bb-0310-9956-ffa450edef68
2015-01-21 15:11:39 +00:00
Shalin Shekhar Mangar 27b5e4988f SOLR-4839: Remove jetty.port from start.ini and add default inside jetty-http.xml
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1649584 13f79535-47bb-0310-9956-ffa450edef68
2015-01-05 16:43:46 +00:00
Shalin Shekhar Mangar 0d2c19d505 SOLR-4839: Removing extra license text from jetty xml and module files
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1649571 13f79535-47bb-0310-9956-ffa450edef68
2015-01-05 16:23:02 +00:00
Shalin Shekhar Mangar a41b9954d1 SOLR-4839: Upgrade to Jetty 9
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1649552 13f79535-47bb-0310-9956-ffa450edef68
2015-01-05 15:45:58 +00:00
Steven Rowe 2189b7a761 LUCENE-6134: fix typos: it's->its, its->it's, etc.
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1647735 13f79535-47bb-0310-9956-ffa450edef68
2014-12-24 05:48:58 +00:00
Timothy Potter 05ad610074 SOLR-3619: Rename 'example' dir to 'server'
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1635666 13f79535-47bb-0310-9956-ffa450edef68
2014-10-31 04:30:52 +00:00