SOLR-13985: Bind to localhost interface by default

Prior to this commit, Solr's Jetty listened for connections on all
network interfaces.  This commit changes it to only listen on localhost,
to prevent incautious administrators from accidentally exposing their
Solr deployment to the world.

Administrators who wish to override this behavior can set the
SOLR_JETTY_HOST property in their Solr include file
(solr.in.sh/solr.in.cmd) to "0.0.0.0" or some other value.

solr/CHANGES.txt

@@ -77,6 +77,10 @@ Upgrade Notes
 
 * SOLR-14092: Deprecated BlockJoinFacetComponent and BlockJoinDocSetFacetComponent are removed
   Users are encouraged to migrate to uniqueBlock() in JSON Facet API.  (Mikhail Khludnev)
+
+* SOLR-13985: Solr's Jetty now binds to localhost network interface by default for better out of the box security.
+  Administrators that need Solr exposed more broadly can change the SOLR_JETTY_HOST property in their Solr include
+  (solr.in.sh/solr.in.cmd) file. (Jason Gerlowski, David Smiley, Robert Muir)
 
 Improvements
 ----------------------

solr/bin/solr

@@ -1879,6 +1879,10 @@ if [ -z "$SOLR_PORT" ]; then
   SOLR_PORT=8983
 fi
 
+if [ -n "$SOLR_JETTY_HOST" ]; then
+  SOLR_OPTS+=("-Dsolr.jetty.host=$SOLR_JETTY_HOST")
+fi
+
 if [ -z "$STOP_PORT" ]; then
   STOP_PORT=`expr $SOLR_PORT - 1000`
 fi

solr/bin/solr.cmd

@@ -178,7 +178,7 @@ IF NOT "%SOLR_HOST%"=="" (
   set "SOLR_TOOL_HOST=localhost"
 )
 IF "%SOLR_JETTY_HOST%"=="" (
-  set SOLR_JETTY_HOST=0.0.0.0
+  set "SOLR_JETTY_HOST=127.0.0.1"
 )
 
 REM Verify Java is available
@@ -1086,6 +1086,10 @@ IF "!IS_RESTART!"=="1" set SCRIPT_CMD=start
 IF "%SOLR_PORT%"=="" set SOLR_PORT=8983
 IF "%STOP_PORT%"=="" set /A STOP_PORT=%SOLR_PORT% - 1000
 
+IF DEFINED SOLR_JETTY_HOST (
+  set "SOLR_OPTS=%SOLR_OPTS% -Dsolr.jetty.host=%SOLR_JETTY_HOST%"
+)
+
 IF "%SCRIPT_CMD%"=="start" (
   REM see if Solr is already running using netstat
   For /f "tokens=2,5" %%j in ('netstat -aon ^| find "TCP " ^| find ":0 " ^| find ":%SOLR_PORT% "') do (
@@ -1321,15 +1325,15 @@ IF "%FG%"=="1" (
   "%JAVA%" %SERVEROPT% %SOLR_JAVA_MEM% %START_OPTS% ^
     -Dlog4j.configurationFile="%LOG4J_CONFIG%" -DSTOP.PORT=!STOP_PORT! -DSTOP.KEY=%STOP_KEY% ^
     -Dsolr.solr.home="%SOLR_HOME%" -Dsolr.install.dir="%SOLR_TIP%" -Dsolr.default.confdir="%DEFAULT_CONFDIR%" ^
-    -Djetty.host=%SOLR_JETTY_HOST% -Djetty.port=%SOLR_PORT% -Djetty.home="%SOLR_SERVER_DIR%" ^
+    -Djetty.port=%SOLR_PORT% -Djetty.home="%SOLR_SERVER_DIR%" ^
     -Djava.io.tmpdir="%SOLR_SERVER_DIR%\tmp" -jar start.jar %SOLR_JETTY_CONFIG% "%SOLR_JETTY_ADDL_CONFIG%"
 ) ELSE (
   START /B "Solr-%SOLR_PORT%" /D "%SOLR_SERVER_DIR%" ^
     "%JAVA%" %SERVEROPT% %SOLR_JAVA_MEM% %START_OPTS% ^
     -Dlog4j.configurationFile="%LOG4J_CONFIG%" -DSTOP.PORT=!STOP_PORT! -DSTOP.KEY=%STOP_KEY% ^
     -Dsolr.log.muteconsole ^
     -Dsolr.solr.home="%SOLR_HOME%" -Dsolr.install.dir="%SOLR_TIP%" -Dsolr.default.confdir="%DEFAULT_CONFDIR%" ^
-    -Djetty.host=%SOLR_JETTY_HOST% -Djetty.port=%SOLR_PORT% -Djetty.home="%SOLR_SERVER_DIR%" ^
+    -Djetty.port=%SOLR_PORT% -Djetty.home="%SOLR_SERVER_DIR%" ^
     -Djava.io.tmpdir="%SOLR_SERVER_DIR%\tmp" -jar start.jar %SOLR_JETTY_CONFIG% "%SOLR_JETTY_ADDL_CONFIG%" > "!SOLR_LOGS_DIR!\solr-%SOLR_PORT%-console.log"
   echo %SOLR_PORT%>"%SOLR_TIP%"\bin\solr-%SOLR_PORT%.port
 

solr/bin/solr.in.cmd

@@ -105,13 +105,17 @@ REM set SOLR_LOG_PRESTART_ROTATION=false
 REM Enables jetty request log for all requests
 REM set SOLR_REQUESTLOG_ENABLED=false
 
-REM Set the host interface to listen on. Jetty will listen on all interfaces (0.0.0.0) by default.
-REM This must be an IPv4 ("a.b.c.d") or bracketed IPv6 ("[x::y]") address, not a hostname!
-REM set SOLR_JETTY_HOST=0.0.0.0
-
 REM Sets the port Solr binds to, default is 8983
 REM set SOLR_PORT=8983
 
+REM Sets the network interface the Solr binds to. To prevent administrators from
+REM accidentally exposing Solr more widely than intended, this defaults to 127.0.0.1.
+REM Administrators should think carefully about their deployment environment and
+REM set this value as narrowly as required before going to production. In
+REM environments where security is not a concern, 0.0.0.0 can be used to allow
+REM Solr to accept connections on all network interfaces.
+REM set SOLR_JETTY_HOST=127.0.0.1
+
 REM Restrict access to solr by IP address.
 REM Specify a comma-separated list of addresses or networks, for example:
 REM   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64

solr/bin/solr.in.sh

@@ -139,6 +139,14 @@
 #   127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64
 #SOLR_IP_BLACKLIST=
 
+# Sets the network interface the Solr binds to. To prevent administrators from
+# accidentally exposing Solr more widely than intended, this defaults to 127.0.0.1.
+# Administrators should think carefully about their deployment environment and
+# set this value as narrowly as required before going to production. In
+# environments where security is not a concern, 0.0.0.0 can be used to allow
+# Solr to accept connections on all network interfaces.
+#SOLR_JETTY_HOST="127.0.0.1"
+
 # Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
 # to enable https module with custom jetty configuration.
 #SOLR_SSL_ENABLED=true

solr/server/etc/jetty-http.xml

@@ -38,7 +38,7 @@
             </Item>
           </Array>
         </Arg>
-        <Set name="host"><Property name="jetty.host" /></Set>
+        <Set name="host"><Property name="solr.jetty.host" default="127.0.0.1"/></Set>
         <Set name="port"><Property name="jetty.port" default="8983" /></Set>
         <Set name="idleTimeout"><Property name="solr.jetty.http.idleTimeout" default="120000"/></Set>
         <Set name="acceptorPriorityDelta"><Property name="solr.jetty.http.acceptorPriorityDelta" default="0"/></Set>

solr/server/etc/jetty-https.xml

@@ -63,7 +63,7 @@
             </Item>
           </Array>
         </Arg>
-        <Set name="host"><Property name="solr.jetty.host" /></Set>
+        <Set name="host"><Property name="solr.jetty.host" default="127.0.0.1"/></Set>
         <Set name="port"><Property name="solr.jetty.https.port" default="8983" /></Set>
         <Set name="idleTimeout"><Property name="solr.jetty.https.timeout" default="120000"/></Set>
         <Set name="acceptorPriorityDelta"><Property name="solr.jetty.ssl.acceptorPriorityDelta" default="0"/></Set>

solr/server/etc/jetty-https8.xml

@@ -57,7 +57,7 @@
             </Item>
           </Array>
         </Arg>
-        <Set name="host"><Property name="solr.jetty.host" /></Set>
+        <Set name="host"><Property name="solr.jetty.host" default="127.0.0.1" /></Set>
         <Set name="port"><Property name="solr.jetty.https.port" default="8983" /></Set>
         <Set name="idleTimeout"><Property name="solr.jetty.https.timeout" default="120000"/></Set>
         <Set name="acceptorPriorityDelta"><Property name="solr.jetty.ssl.acceptorPriorityDelta" default="0"/></Set>

solr/solr-ref-guide/src/getting-started-with-solrcloud.adoc

@@ -31,6 +31,11 @@ In this section you will learn how to start a SolrCloud cluster using startup sc
 This tutorial assumes that you're already familiar with the basics of using Solr. If you need a refresher, please see the <<getting-started.adoc#getting-started,Getting Started section>> to get a grounding in Solr concepts. If you load documents as part of that exercise, you should start over with a fresh Solr installation for these SolrCloud tutorials.
 ====
 
+[WARNING]
+====
+For security reasons, Solr nodes only accept connections from localhost by default.  Administrators setting up SolrCloud deployments with multiple nodes must override this setting.  For more details see <<securing-solr.adoc#network-configuration,here>>.
+====
+
 == SolrCloud Example
 
 === Interactive Startup

solr/solr-ref-guide/src/securing-solr.adoc

@@ -79,6 +79,22 @@ SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4"
 ZooKeeper is a central and important part of a SolrCloud cluster and understanding how to secure
 its content is covered in the <<zookeeper-access-control.adoc#zookeeper-access-control,ZooKeeper Access Control>> page.
 
+
+== Network Configuration
+
+// tag::security-network-binding-1[]
+Administrators should consider their security setup carefully as an important step in moving to production.  Solr provides a number of features out of the box to meet the security needs of users: authentication and authorization can be configured using a range of security plugins, privacy can be bolstered by enabling SSL/TLS, and (in SolrCloud) ZooKeeper data can be protected with ACL rules to prevent unauthorized reads and writes.
+
+Even if these measures or others are taken, it is strongly recommended that Solr always be protected by a firewall.  Solr is not designed to be exposed on the open internet.
+
+It is also strongly recommended that Solr listen to only those network interfaces that are strictly required.  To prevent administrators from unintentionally exposing Solr more broadly, Solr only listens on the loopback interface ("127.0.0.1") by default.  Most deployments will need to change this value to something less restrictive so that it can be reached from other boxes.  This can be done by setting a `SOLR_JETTY_HOST` value in your environment's "include script" (`solr.in.sh` or `solr.in.cmd`):
+
+[source,bash]
+ ----
+ SOLR_JETTY_HOST="0.0.0.0"
+ ----
+// end::security-network-binding-1[]
+
 == Enable Security Manager
 
 Solr can run in a Java Security Manager sandbox by setting `SOLR_SECURITY_MANAGER_ENABLED=true` via environment variable or in `solr.in.sh`/`solr.in.cmd`. This feature is incompatible with Hadoop.

solr/solr-ref-guide/src/taking-solr-to-production.adoc

@@ -302,6 +302,10 @@ Check these limits every time you upgrade your kernel or operating system. These
 If these limits are exceeded, the problems reported by Solr vary depending on the specific operation responsible for exceeding the limit. Errors such as "too many open files", "connection error", and "max processes exceeded" have been reported, as well as SolrCloud recovery failures.
 ====
 
+== Security Considerations
+
+include::securing-solr.adoc[tag=security-network-binding-1]
+
 == Running Multiple Solr Nodes per Host
 
 The `bin/solr` script is capable of running multiple instances on one machine, but for a *typical* installation, this is not a recommended setup. Extra CPU and memory resources are required for each additional instance. A single instance is easily capable of handling multiple indexes.