Swagoto

Reputation: 11

How to restrict IPs in a clustered Solr environment using IPAccessHandler?

We have a clustered system of Solr (two instances running on two servers) where the quorum is maintained using ZooKeeper. We can access Solr by either hitting the direct server URLs or a blanket load balancer URL. We need to whitelist a few IPs accessing these three URLs.

I've already tried the steps mentioned here: Restricting IP addresses for Jetty and Solr

and here: http://lucene.472066.n3.nabble.com/How-To-Secure-Solr-by-IP-Address-td4304491.html

The problem with the first approach is that I can't add multiple IPs for whitelisting.

The problem with the second approach is that, although it allows multiple IPs in a string array to be whitelisted, it does not identify the whitelisted IPs when we access Solr through the load balancer URL. It only works when we hit the individual server URLs.

Also, I tried calling the addWhite method, but that didn't work either and Solr failed to start up.


    <New id="IPAccessHandler" class="org.eclipse.jetty.server.handler.IPAccessHandler">
      <Set name="white">
        <Array type="String">
          <Item>127.0.0.1</Item>
          <Item>-.-.-.-|/solr/techproducts/select</Item>
        </Array>
      </Set>
      <Set name="whiteListByPath">false</Set>
      <Set name="handler">
        <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
      </Set>
    </New>

This doesn't work with the load balancer.


    <New class="org.eclipse.jetty.server.handler.IPAccessHandler">
      <Call name="addWhite">
        <Arg>xxx.xxx.xxx.xxx</Arg>
      </Call>
      <Set name="handler">
        <!-- here's where you put what was there before: -->
        <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
      </Set>
    </New>

This doesn't allow multiple IPs to be passed as a parameter for whitelisting.

Upvotes: 1

Views: 680

Answers (1)

ZacD

Reputation: 31

Perhaps this is too late of a response, but I had the same issue with needing to whitelist multiple IP addresses, so I thought I'd share the solution I found. I am running Jetty 8.1.16.v20140903 as part of a CollabNet Subversion Edge installation and this worked for me:

         <New class="org.eclipse.jetty.server.handler.IPAccessHandler">
           <Call name="setWhite">
             <Arg>
               <Array type="java.lang.String">
                 <Item>xxx.xxx.xxx.xxx</Item>
                 <Item>yyy.yyy.yyy.yyy</Item>
               </Array>
             </Arg>
           </Call>
           <Set name="handler">
             <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
           </Set>
         </New>

Notice that I changed the Call tag to use setWhite and changed the Arg to contain an Array. I made this change based on what I saw in the JavaDoc for Jetty 8.1.16: http://archive.eclipse.org/jetty/8.1.16.v20140903/apidocs/org/eclipse/jetty/server/handler/IPAccessHandler.html

The comment MatsLindh made may be a better long-term solution (controlling access via the OS firewall), but the method I did here should also get the job done.

Upvotes: 1
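With two Solr servers each carrying its own Jetty configuration, it is worth confirming that every node whitelists the same entries. The script below is an added example, not code from the question, the answer or Jetty: it reads the three configuration forms shown on this page (`<Set name="white">`, `addWhite`, `setWhite`), splits each entry at `|` into address and path, and reports entries that are not a single literal IP as well as entries that differ between nodes. The node names `solr1`/`solr2` and the `192.0.2.x` addresses are constructed sample values.

```python
import ipaddress
import xml.etree.ElementTree as ET

HANDLER = "org.eclipse.jetty.server.handler.IPAccessHandler"

# Constructed sample fragments (not from a real deployment); node names are hypothetical.
NODE_A = """<New class="org.eclipse.jetty.server.handler.IPAccessHandler">
  <Set name="white"><Array type="String">
    <Item>127.0.0.1</Item><Item>192.0.2.10</Item>
    <Item>-.-.-.-|/solr/techproducts/select</Item>
  </Array></Set>
</New>"""
NODE_B = """<New class="org.eclipse.jetty.server.handler.IPAccessHandler">
  <Call name="setWhite"><Arg><Array type="java.lang.String">
    <Item>127.0.0.1</Item><Item>192.0.2.11</Item>
  </Array></Arg></Call>
</New>"""

def whitelist_entries(jetty_xml):
    """Return sorted (address, path) pairs from each IPAccessHandler in the XML."""
    entries = set()
    for new in ET.fromstring(jetty_xml).iter("New"):
        if new.get("class") != HANDLER:
            continue
        for child in new:  # direct children only: <Set name="white"> or <Call ...>
            kind = (child.tag, child.get("name"))
            if kind in (("Set", "white"), ("Call", "setWhite")):
                raw = [item.text for item in child.iter("Item")]
            elif kind == ("Call", "addWhite"):
                raw = [arg.text for arg in child.findall("Arg")]
            else:
                continue
            for text in raw:
                addr, _, path = (text or "").strip().partition("|")
                entries.add((addr, path))  # path is "" when the entry has no "|"
    return sorted(entries)

def is_literal_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False

def audit(nodes):
    """nodes maps a node name to its XML; report pattern entries and per-node drift."""
    per_node = {name: set(whitelist_entries(xml)) for name, xml in nodes.items()}
    common = set.intersection(*per_node.values())
    # Entries that are not one literal IP (octet patterns, placeholders) need manual review.
    patterns = sorted({e for s in per_node.values() for e in s if not is_literal_ip(e[0])})
    return {"patterns": patterns,
            "drift": {name: sorted(s - common) for name, s in per_node.items()}}
```

Calling `audit({"solr1": NODE_A, "solr2": NODE_B})` returns the pattern entries under `patterns` and, under `drift`, the entries each node has that are not present on every node.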
