Restricting IP addresses for Jetty and Solr

Solution 1

Solr 4.2.1 uses Jetty 8.1.8. Jetty 8 (as noted by jonas789) doesn't support .htaccess. Instead, it uses IPAccessHandler, which doesn't have great documentation available. I had to play with it quite a bit to get it to work, so I'm posting an updated solution here.

IPAccessHandler manages a blacklist and a whitelist, accepts arbitrary ranges of IPs, and supports attaching specific URI paths to each whitelist/blacklist entry. IPAccessHandler also subclasses HandlerWrapper, which turns out to be important.

The solr app still lives in a WebAppContext (as in Lyndsay's solution), but a WebAppContext is now governed by a ContextHandler, which resides in a ContextHandlerCollection occupying the first handler slot in the server. To stop requests from the wrong IP from getting to the app, we need to wrap it inside an IPAccessHandler somewhere along that path. IPAccessHandler behaves oddly if it's in the wrong spot: I tried inserting it before the context handlers and it gave 403 Forbidden to the wrong machines, threw NullPointerException tantrums with no additional error messages, all sorts of nonsense. I finally got it to work by wrapping the ContextHandlerCollection itself, at the server level.

Go to etc/jetty.xml and scroll to the handlers section. Then wrap the existing ContextHandlerCollection item as follows:

<!-- =========================================================== -->
<!-- Set handler Collection Structure                            -->
<!-- =========================================================== -->
<Set name="handler">
  <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
    <Set name="handlers">
      <Array type="org.eclipse.jetty.server.Handler">
        <Item>

          <!-- here begins the new stuff -->
          <New class="org.eclipse.jetty.server.handler.IPAccessHandler">
            <Call name="addWhite">
              <Arg>xxx.xxx.xxx.xxx</Arg>
            </Call>
            <Set name="handler">
              <!-- here's where you put what was there before: -->
              <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
            </Set>
          </New>
          <!-- here ends the new stuff -->

        </Item>
        <Item>
          <New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"/>
        </Item>
        <Item>
          <New id="RequestLog" class="org.eclipse.jetty.server.handler.RequestLogHandler"/>
        </Item>
      </Array>
    </Set>
  </New>
</Set>
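
Added example (not part of the original answer, and not Jetty's code): a small Python model of the entry syntax IPAccessHandler accepts, for dry-running a whitelist or blacklist against sample requests before putting the entries into jetty.xml. It assumes the matching rules described in the Jetty 8 Javadoc (per-octet ranges, "|" before a servlet-style URI pattern, blacklist overriding whitelist); the function names and the sample rule set are hypothetical.

```python
"""Dry-run model of IPAccessHandler-style entries: "addr" or "addr|/uri/pattern".

Assumption: rules follow the Jetty 8 Javadoc description; this is not Jetty's code.
"""

def _octet_matches(spec, value):
    # Octet spec: comma list of "n", "m-n", "n-" (n-255), "-n" (0-n) or "-" (0-255).
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo or 0) <= value <= int(hi or 255):
                return True
        elif int(part) == value:
            return True
    return False

def _addr_matches(spec, addr):
    specs, octets = spec.split("."), addr.split(".")
    if len(specs) != 4 or len(octets) != 4:
        return False  # model covers dotted IPv4 only; anything else never matches
    return all(_octet_matches(s, int(o)) for s, o in zip(specs, octets))

def _path_matches(pattern, path):
    if not pattern:
        return True                    # entry without a URI part covers every path
    if pattern.endswith("/*"):         # prefix pattern: /foo/* covers /foo and below
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):       # suffix pattern: *.html
        return path.endswith(pattern[1:])
    return path == pattern             # exact match

def _entry_matches(entry, addr, path):
    spec, _, pattern = entry.partition("|")
    return _addr_matches(spec, addr) and _path_matches(pattern, path)

def is_allowed(addr, path, white=(), black=()):
    """A non-empty whitelist must match; any blacklist match always denies."""
    if white and not any(_entry_matches(e, addr, path) for e in white):
        return False
    return not any(_entry_matches(e, addr, path) for e in black)

# Constructed rule set, in the shape of the rules quoted in the comments on this page.
WHITE = ["127.0.0.1", "-.-.-.-|/solr/techproducts/select"]

def audit(requests, white=WHITE, black=()):
    """Return (addr, path, "ALLOW" or "DENY") for each sample request."""
    return [(a, p, "ALLOW" if is_allowed(a, p, white, black) else "DENY")
            for a, p in requests]
```

Calling audit() with a list of (address, path) pairs shows which requests a rule set would admit; the path is the full request path, without the query string.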

Solution 2

I found the solution.

Firstly, extract the contents of solr.war in the example/webapps folder. Then create a file called .htaccess and place it in the example/webapps/solr folder (the one you just extracted) containing the following:

<Limit>
    satisfy all
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
</Limit>

In example/etc/ edit the jetty.xml file and comment out the org.mortbay.jetty.deployer.WebAppDeployer part. Then finally create a folder in example/ called contexts (if one does not yet exist) and add a file called solr.xml to it containing:

<Configure id="solr" class="org.mortbay.jetty.webapp.WebAppContext">
    <Set name="resourceBase"><SystemProperty name="jetty.home" default="."/>/webapps/solr</Set>
    <Set name="contextPath">/solr</Set>
    <Call name="setSecurityHandler">
        <Arg>
            <New class="org.mortbay.jetty.security.HTAccessHandler">
                <Set name="protegee">
                    <Ref id="solr"/>
                </Set>
            </New>
        </Arg>
    </Call>
</Configure>

Then start up your new secure solr!

Author: Lyndsay

Updated on June 04, 2022

Comments

  • Lyndsay
    Lyndsay about 2 years

    I'm setting up Solr using Jetty. I would like to restrict access to only a few IP addresses. It doesn't seem immediately obvious that this can be done using Jetty. Is it possible and if so, how?

  • jonas789
    jonas789 over 12 years
    For others, this won't work in the newer versions of Jetty hosted at eclipse. Basically there is no more HTAccessHandler. Reference: jetty.4.n6.nabble.com/…
  • Hakim
    Hakim almost 11 years
    I have tried it and it works perfectly! It blocks access to solr admin & to the client used from other hosts than the one used by you.
  • David Smiley
    David Smiley over 7 years
    I independently arrived at this same solution; I didn't find this first. FYI this IPAccessHandler thing only works with IPv4 -- it's a bug/limitation. So when starting Java, pass: -Djava.net.preferIPv4Stack=true. And for those looking for suggested rules, mine look like this: <Item>127.0.0.1</Item> <Item>-.-.-.-|/solr/techproducts/select</Item> Thus localhost can do anything, and everyone else is severely restricted to a certain "core" and /select Solr RequestHandler.