Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/22 15:30:05 UTC
[lucene-solr] 01/01: SOLR-14136: ip whitelist/blacklist via env vars
This is an automated email from the ASF dual-hosted git repository.
rmuir pushed a commit to branch jira/SOLR-14136
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
commit 7b061c270c81677c07a254c9e2ea9eafbdf73ec9
Author: Robert Muir <rm...@apache.org>
AuthorDate: Sun Dec 22 07:29:51 2019 -0800
SOLR-14136: ip whitelist/blacklist via env vars
---
solr/bin/solr | 6 +++++-
solr/bin/solr.cmd | 5 +++++
solr/bin/solr.in.cmd | 10 ++++++++++
solr/bin/solr.in.sh | 10 ++++++++++
solr/server/etc/jetty.xml | 20 +++++++++++++++++++-
5 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/solr/bin/solr b/solr/bin/solr
index 8a3a3ac..bac41c9 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -2045,6 +2045,10 @@ else
fi
fi
+# IP-based access control
+IP_ACL_OPTS=("-Dsolr.jetty.inetaccess.includes=${SOLR_IP_WHITELIST}" \
+ "-Dsolr.jetty.inetaccess.excludes=${SOLR_IP_BLACKLIST}")
+
# These are useful for attaching remote profilers like VisualVM/JConsole
if [ "$ENABLE_REMOTE_JMX_OPTS" == "true" ]; then
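Review bot: The new `IP_ACL_OPTS` block is built unconditionally, so both `-Dsolr.jetty.inetaccess.*` properties are always passed to the JVM, with empty values when `SOLR_IP_WHITELIST`/`SOLR_IP_BLACKLIST` are unset, and the one-line comment does not say where those variables come from or what an empty value means. Suggest `# IP-based access control: SOLR_IP_WHITELIST / SOLR_IP_BLACKLIST (see solr.in.sh); empty values are passed through and presumably leave Jetty's InetAccessHandler unrestricted`. Note that the two env vars are never validated here, so a malformed list would presumably only surface when Jetty parses it at startup — a startup log check would be worth mentioning to operators. The if/else chain these lines follow starts outside the hunk.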
@@ -2175,7 +2179,7 @@ function start_solr() {
exit 1
fi
- SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" \
+ SOLR_START_OPTS=('-server' "${JAVA_MEM_OPTS[@]}" "${GC_TUNE[@]}" "${GC_LOG_OPTS[@]}" "${IP_ACL_OPTS[@]}" \
"${REMOTE_JMX_OPTS[@]}" "${CLOUD_MODE_OPTS[@]}" $SOLR_LOG_LEVEL_OPT -Dsolr.log.dir="$SOLR_LOGS_DIR" \
"-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
"${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index 974d7e1..3236257 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -1151,6 +1151,10 @@ IF "%SOLR_MODE%"=="solrcloud" (
)
)
+REM IP-based access control
+set IP_ACL_OPTS=-Dsolr.jetty.inetaccess.includes="%SOLR_IP_WHITELIST%" ^
+-Dsolr.jetty.inetaccess.excludes="%SOLR_IP_BLACKLIST%"
+
REM These are useful for attaching remove profilers like VisualVM/JConsole
IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
IF "!RMI_PORT!"=="" set RMI_PORT=1%SOLR_PORT%
@@ -1253,6 +1257,7 @@ IF "%verbose%"=="1" (
set START_OPTS=-Duser.timezone=%SOLR_TIMEZONE%
set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
IF NOT "!CLOUD_MODE_OPTS!"=="" set "START_OPTS=%START_OPTS% !CLOUD_MODE_OPTS!"
+IF NOT "!IP_ACL_OPTS!"=="" set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"
IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"
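Review bot: The `IF NOT "!IP_ACL_OPTS!"==""` guard on the added line is always true, because `IP_ACL_OPTS` is set unconditionally about a hundred lines earlier in this file with both property names baked into the value; either append directly with `set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"` or only build IP_ACL_OPTS when one of the two env vars is non-empty. If the guard is kept for symmetry with the CLOUD_MODE_OPTS line above it, a short `REM always set; guard kept for symmetry` would stop the next reader from hunting for the case where it is empty. The START_OPTS assembly continues outside the hunk.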
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index e462336..4a5e2f2 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -109,6 +109,16 @@ REM set SOLR_JETTY_HOST=0.0.0.0
REM Sets the port Solr binds to, default is 8983
REM set SOLR_PORT=8983
+REM Restrict access to solr by IP address.
+REM Specify a comma-separated list of addresses or networks, for example:
+REM 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+REM set SOLR_IP_WHITELIST=
+
+REM Block access to solr from specific IP addresses.
+REM Specify a comma-separated list of addresses or networks, for example:
+REM 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+REM set SOLR_IP_BLACKLIST=
+
REM Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
REM to enable https module with custom jetty configuration.
REM set SOLR_SSL_ENABLED=true
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index d4e6b7b..8743436 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -126,6 +126,16 @@
# Sets the port Solr binds to, default is 8983
#SOLR_PORT=8983
+# Restrict access to solr by IP address.
+# Specify a comma-separated list of addresses or networks, for example:
+# 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+#SOLR_IP_WHITELIST=
+
+# Block access to solr from specific IP addresses.
+# Specify a comma-separated list of addresses or networks, for example:
+# 127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
+#SOLR_IP_BLACKLIST=
+
# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
# to enable https module with custom jetty configuration.
#SOLR_SSL_ENABLED=true
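Review bot: The new SOLR_IP_WHITELIST/SOLR_IP_BLACKLIST comments tell the operator the list syntax but not the two things they will actually need to know: what happens when an address matches both lists, and that the check is made on the connecting peer's address, so behind a reverse proxy or load balancer every client appears as the proxy's IP and the lists become effectively all-or-nothing (to my reading of Jetty's InetAccessHandler; confirm). Suggest adding `# An empty whitelist allows all clients. Matching is done on the TCP peer address, not X-Forwarded-For, so put these rules on the proxy when Solr sits behind one.` under the whitelist block, plus a sentence on blacklist precedence once verified. The same wording applies to the parallel hunk in solr.in.cmd.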
diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index ea13be0..a2d7034 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -157,7 +157,25 @@
<Set name="handlers">
<Array type="org.eclipse.jetty.server.Handler">
<Item>
- <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
+ <New class="org.eclipse.jetty.server.handler.InetAccessHandler">
+ <Call name="include">
+ <Arg>
+ <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
+ <Arg><Property name="solr.jetty.inetaccess.includes" default=""/></Arg>
+ </Call>
+ </Arg>
+ </Call>
+ <Call name="exclude">
+ <Arg>
+ <Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
+ <Arg><Property name="solr.jetty.inetaccess.excludes" default=""/></Arg>
+ </Call>
+ </Arg>
+ </Call>
+ <Set name="handler">
+ <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
+ </Set>
+ </New>
</Item>
<Item>
<New id="InstrumentedHandler" class="com.codahale.metrics.jetty9.InstrumentedHandler">
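Review bot: The InetAccessHandler wraps only the `Contexts` collection; the `InstrumentedHandler` in the following `<Item>` (last line of the hunk) sits outside it, so if that handler also routes into the contexts — its body is not in the hunk — requests would have a path that bypasses the filter, which is worth confirming before this ships. The handler also decides on the connection's peer address (to my reading of Jetty), so behind a reverse proxy every client appears as the proxy's IP; that and the source of the two lists deserve a comment next to `<New class="org.eclipse.jetty.server.handler.InetAccessHandler">`, e.g. `<!-- Filters on the TCP peer address, not X-Forwarded-For; lists come from SOLR_IP_WHITELIST/SOLR_IP_BLACKLIST via bin/solr -->`. Whether an address matched by both `include` and `exclude` is denied is not stated anywhere in the change and should be documented, since an operator reading "whitelist" will assume it wins. The example values in solr.in.sh use `, ` separators; confirm `StringUtil.csvSplit` trims the surrounding whitespace, otherwise the second and later entries would fail to match.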