Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/22 15:30:04 UTC

[lucene-solr] branch jira/SOLR-14136 created (now 7b061c2)

This is an automated email from the ASF dual-hosted git repository.

rmuir pushed a change to branch jira/SOLR-14136
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git.


      at 7b061c2  SOLR-14136: ip whitelist/blacklist via env vars

This branch includes the following new commits:

     new 7b061c2  SOLR-14136: ip whitelist/blacklist via env vars

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[lucene-solr] 01/01: SOLR-14136: ip whitelist/blacklist via env vars

Posted by rm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rmuir pushed a commit to branch jira/SOLR-14136
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git

commit 7b061c270c81677c07a254c9e2ea9eafbdf73ec9
Author: Robert Muir <rm...@apache.org>
AuthorDate: Sun Dec 22 07:29:51 2019 -0800

    SOLR-14136: ip whitelist/blacklist via env vars
---
 solr/bin/solr             |  6 +++++-
 solr/bin/solr.cmd         |  5 +++++
 solr/bin/solr.in.cmd      | 10 ++++++++++
 solr/bin/solr.in.sh       | 10 ++++++++++
 solr/server/etc/jetty.xml | 20 +++++++++++++++++++-
 5 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/solr/bin/solr b/solr/bin/solr
index 8a3a3ac..bac41c9 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -2045,6 +2045,10 @@ else
   fi
 fi
 
+# IP-based access control
+IP_ACL_OPTS=("-Dsolr.jetty.inetaccess.includes=${SOLR_IP_WHITELIST}" \
+             "-Dsolr.jetty.inetaccess.excludes=${SOLR_IP_BLACKLIST}")
+
 # These are useful for attaching remote profilers like VisualVM/JConsole
 if [ "$ENABLE_REMOTE_JMX_OPTS" == "true" ]; then
 
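Review bot: Both `-Dsolr.jetty.inetaccess.*` properties go into `IP_ACL_OPTS` even when `SOLR_IP_WHITELIST` and `SOLR_IP_BLACKLIST` are unset, so the Java command line looks the same whether or not an ACL is configured, and an operator cannot tell from the process arguments that a list is actually in force. Since jetty.xml already supplies `default=""` for both properties, the array could start as `IP_ACL_OPTS=()` and gain an entry only for a non-empty variable, e.g. `if [ -n "${SOLR_IP_WHITELIST:-}" ]; then IP_ACL_OPTS+=("-Dsolr.jetty.inetaccess.includes=${SOLR_IP_WHITELIST}"); fi`, with the same for the excludes. The same applies in solr.cmd, where `set IP_ACL_OPTS=...` always yields a non-empty value, so the new `IF NOT "!IP_ACL_OPTS!"==""` guard can never be false.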
@@ -2175,7 +2179,7 @@ function start_solr() {
     exit 1
   fi
 
-  SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" \
+  SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" "${IP_ACL_OPTS[@]}" \
     "${REMOTE_JMX_OPTS[@]}" "${CLOUD_MODE_OPTS[@]}" $SOLR_LOG_LEVEL_OPT -Dsolr.log.dir="$SOLR_LOGS_DIR" \
     "-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
     "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index 974d7e1..3236257 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -1151,6 +1151,10 @@ IF "%SOLR_MODE%"=="solrcloud" (
   )
 )
 
+REM IP-based access control
+set IP_ACL_OPTS=-Dsolr.jetty.inetaccess.includes="%SOLR_IP_WHITELIST%" ^
+-Dsolr.jetty.inetaccess.excludes="%SOLR_IP_BLACKLIST%"
+
 REM These are useful for attaching remove profilers like VisualVM/JConsole
 IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
   IF "!RMI_PORT!"=="" set RMI_PORT=1%SOLR_PORT%
@@ -1253,6 +1257,7 @@ IF "%verbose%"=="1" (
 set START_OPTS=-Duser.timezone=%SOLR_TIMEZONE%
 set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
 IF NOT "!CLOUD_MODE_OPTS!"=="" set "START_OPTS=%START_OPTS% !CLOUD_MODE_OPTS!"
+IF NOT "!IP_ACL_OPTS!"=="" set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"
 IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
 IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
 IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index e462336..4a5e2f2 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -109,6 +109,16 @@ REM set SOLR_JETTY_HOST=0.0.0.0
 REM Sets the port Solr binds to, default is 8983
 REM set SOLR_PORT=8983
 
+REM Restrict access to solr by IP address.
+REM Specify a comma-separated list of addresses or networks, for example:
+REM   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+REM set SOLR_IP_WHITELIST=
+
+REM Block access to solr from specific IP addresses.
+REM Specify a comma-separated list of addresses or networks, for example:
+REM   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+REM set SOLR_IP_BLACKLIST=
+
 REM Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
 REM to enable https module with custom jetty configuration.
 REM set SOLR_SSL_ENABLED=true
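Review bot: The new comments for `SOLR_IP_WHITELIST` and `SOLR_IP_BLACKLIST` do not say how the two lists combine or what an empty value means, which an operator needs to know before relying on them. Jetty's InetAccessHandler admits every address when the include set is empty and lets an exclude match override an include match. It also evaluates the address of the connecting peer, so behind a reverse proxy or load balancer the lists see the proxy's address rather than the client's. I would add lines such as `REM If unset, all addresses are allowed; SOLR_IP_BLACKLIST entries take precedence over SOLR_IP_WHITELIST.` and `REM The address checked is the direct TCP peer (e.g. a proxy), not a forwarded client address.` The matching comments in solr.in.sh lack the same wording, and both files could state that this filter complements authentication and TLS rather than replacing them.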
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index d4e6b7b..8743436 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -126,6 +126,16 @@
 # Sets the port Solr binds to, default is 8983
 #SOLR_PORT=8983
 
+# Restrict access to solr by IP address.
+# Specify a comma-separated list of addresses or networks, for example:
+#   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+#SOLR_IP_WHITELIST=
+
+# Block access to solr from specific IP addresses.
+# Specify a comma-separated list of addresses or networks, for example:
+#   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+#SOLR_IP_BLACKLIST=
+
 # Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
 # to enable https module with custom jetty configuration.
 #SOLR_SSL_ENABLED=true
diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index ea13be0..a2d7034 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -157,7 +157,25 @@
            <Set name="handlers">
              <Array type="org.eclipse.jetty.server.Handler">
                <Item>
-                 <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
+                 <New class="org.eclipse.jetty.server.handler.InetAccessHandler">
+                   <Call name="include">
+                     <Arg>
+                       <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
+                         <Arg><Property name="solr.jetty.inetaccess.includes" default=""/></Arg>
+                       </Call>
+                     </Arg>
+                   </Call>
+                   <Call name="exclude">
+                     <Arg>
+                       <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
+                         <Arg><Property name="solr.jetty.inetaccess.excludes" default=""/></Arg>
+                       </Call>
+                     </Arg>
+                   </Call>
+                   <Set name="handler">
+                     <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
+                   </Set>
+                 </New>
                </Item>
                <Item>
                  <New id="InstrumentedHandler" class="com.codahale.metrics.jetty9.InstrumentedHandler">
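Review bot: The `InetAccessHandler` wraps only the `Contexts` collection, so the other `<Item>` entries of this handlers array, starting with `InstrumentedHandler` at the end of the hunk, sit outside the ACL. The array and its enclosing handler begin and end outside the hunk, so it is not visible here whether those siblings still run for a request the ACL has already rejected; please confirm none of them can serve content to a denied address, or wrap the whole array instead. A short comment above the new element, for example `<!-- IP-based access control: empty includes = allow all, excludes win over includes -->`, would also help whoever edits this file next.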