1

We have a clustered system of Solr (two instances running in two servers) where the quorum is being maintained using zookeeper. We can access Solr by either hitting the direct server URLs or a blanket load balancer URL. We need to whitelist a few IPs accessing these three URLs

I've already tried the steps mentioned here: Restricting IP addresses for Jetty and Solr

and here: http://lucene.472066.n3.nabble.com/How-To-Secure-Solr-by-IP-Address-td4304491.html

The problem with the first approach is that I can't add multiple IPs for whitelisting

The problem with the second approach is although it allows multiple IPs in a string array to be whitelisted, when we are accessing Solr with the load balancer URL, it is not identifying the whitelisted IPs. Only if we hit individual server URLs it's working fine

Also, I tried calling the addWhite method, but that also didn't work and Solr failed to startup.


    <New id="IPAccessHandler" 
    class="org.eclipse.jetty.server.handler.IPAccessHandler"> 
                   <Set name="white"> 
                     <Array type="String"> 
                       <Item>127.0.0.1</Item> 
                       <Item>-.-.-.-|/solr/techproducts/select</Item> 
                     </Array> 
                   </Set> 
                   <Set name="whiteListByPath">false</Set> 
                   <Set name="handler"> 
                     <New id="Contexts" 
    class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/> 
                   </Set> 
                 </New>

This doesn't work with load balancer


    <New class="org.eclipse.jetty.server.handler.IPAccessHandler">
           <Call name="addWhite">
             <Arg>xxx.xxx.xxx.xxx</Arg>
           </Call>
           <Set name="handler">
             <!-- here's where you put what was there before: -->
             <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
           </Set>
         </New>

This doesn't allow multiple IPs to be passed as parameter for whitelisting

Swagoto
  • 11
  • 4
  • It's usually better to handle this on the OS level by using the available firewall instead - that way you won't have to do custom patching of Solr when upgrading. – MatsLindh Jun 18 '19 at 07:42

1 Answers1

1

Perhaps this is too late of a response, but I had the same issue with needing to whitelist multiple IP addresses, so I thought I'd share the solution I found. I am running Jetty 8.1.16.v20140903 as part of a CollabNet Subversion Edge installation and this worked for me:

         <New class="org.eclipse.jetty.server.handler.IPAccessHandler">
           <Call name="setWhite">
             <Arg>
               <Array type="java.lang.String">
                 <Item>xxx.xxx.xxx.xxx</Item>
                 <Item>yyy.yyy.yyy.yyy</Item>
               </Array>
             </Arg>
           </Call>
           <Set name="handler">
             <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
           </Set>
         </New>

Notice that I changed the Call tag to use setWhite and changed the Arg to contain an Array. I made this change based on what I saw in the JavaDoc for Jetty 8.1.16: http://archive.eclipse.org/jetty/8.1.16.v20140903/apidocs/org/eclipse/jetty/server/handler/IPAccessHandler.html

The comment MatsLindh made may be a better long-term solution (controlling access via the OS firewall), but the method I did here should also get the job done.

ZacD
  • 21
  • 7
  • Thanks a lot @ZacD! I will try to explore this option. For me the issue was happening with the F5 load balancer as it was generating dynamic IPs which masks the actual IP address of the machine from where the request is originating. I had to do netstat to identify the range of IPs it is generating (I believe the range can be and is specified in the configuration settings of F5 BigIP suite) and put that range in the array of IPs inside the tag. And voila, it worked! :) – Swagoto Jun 10 '20 at 22:12