
I have set up Solr (v 4.2.1) for one of my websites and I am having trouble securing the admin panel. I am running Solr with Jetty; I did not use Tomcat. I have edited example/etc/jetty.xml and modified the host value to read:

    <Call name="addConnector">
      <Arg>
          <New class="org.eclipse.jetty.server.bio.SocketConnector">
            <Set name="host"><SystemProperty name="jetty.host" default="10.100.202.42"/></Set>
            <Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
            <Set name="maxIdleTime">50000</Set>
            <Set name="lowResourceMaxIdleTime">1500</Set>
            <Set name="statsOn">false</Set>
          </New>
      </Arg>
    </Call>

I start the server and it binds to

::ffff:10.100.202.42:8983

However, I am able to access the admin panel by using the site's external IP. Am I missing something?

output of ifconfig -a

eth0      Link encap:Ethernet  HWaddr 00:50:56:84:00:02  
          inet addr:10.100.202.42  Bcast:10.255.255.255  Mask:255.255.0.0
          inet6 addr: fe80::250:56ff:fe84:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:546942285 errors:0 dropped:0 overruns:0 frame:0
          TX packets:482684266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:80045331498 (74.5 GiB)  TX bytes:184397661148 (171.7 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:230200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:230200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:335195301 (319.6 MiB)  TX bytes:335195301 (319.6 MiB)

and

netstat -apn|grep 8983
tcp        0      0 ::ffff:10.100.202.42:8983   :::*                        LISTEN      17133/java          
tcp        0      0 ::ffff:10.100.202.42:8983   ::ffff:10.100.202.44:36223  TIME_WAIT   -                   
tcp        0      0 ::ffff:10.100.202.42:8983   ::ffff:10.100.202.44:35096  TIME_WAIT   -

Thanks

Thomas
  • Could you paste into your question the output from `ifconfig -a` on your server? It's OK to blank a couple of the octets of any real address, but please don't obscure the whole thing. Also, that of `netstat -apn|grep 8983`. – MadHatter Apr 17 '13 at 08:06

1 Answer


From the ifconfig output, it's clear that your server has no real (i.e., publicly-routable, non-RFC1918) addresses at all. But your question makes reference to a public address by which this server can be accessed. That means there's something in front of your server NATting the private address to a real address (might this be an Amazon cloud server, by any chance?).

That given, you can't achieve what you want by binding to the private address and assuming no one can get there via the public address. You will need to address this either locally, with some iptables logic, to prevent "non-local" addresses (and you'll need to define "non-local") from connecting to port 8983, or on the NAT device that's doing the public-private mapping.

MadHatter
  • Thanks for the response. The server is indeed NATed. I am no network expert, but what is puzzling me is that I have other services (memcached, i.e.) running which are bound to the internal IP and you cannot access them via the public IP (i.e. telnetting to the port). Why is that? I would have expected the same behavior for Solr also – Thomas Apr 17 '13 at 15:25
  • The NATting device will be running some kind of firewall (very likely, or in the case of Amazon cloud servers, definitely). You'll have to chase it down there. – MadHatter Apr 17 '13 at 15:29
  • So the firewall rules are responsible for the behavior I am experiencing, right? – Thomas Apr 17 '13 at 15:37
  • I think that's very likely indeed (or, in case I haven't yet made it clear enough, if you're running on Amazon cloud servers, definite). – MadHatter Apr 17 '13 at 15:49
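
The local iptables filtering suggested in the answer, as an added example that is not part of the original posts. It assumes "local" is whatever source networks are passed on the command line (for instance the server's own 10.100.0.0/16 subnet from the ifconfig output); the chain name `SOLR_IN`, the script name and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): allow Solr's port only from trusted
# source networks, drop everything else. Assumed usage:
#   sh solr-fw.sh 10.100.0.0/16           # print the rules (dry run)
#   sh solr-fw.sh --apply 10.100.0.0/16   # install them (needs root)
SOLR_PORT=8983
CHAIN=SOLR_IN        # hypothetical chain name

# Succeeds only for a dotted-quad IPv4 address with an optional /0../32 prefix.
is_cidr() {
    addr=${1%/*}; len=${1#*/}
    [ "$len" = "$1" ] && len=32          # no "/len" means a single host
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print the chain contents: loopback, then each trusted network, then DROP.
solr_rules() {
    [ "$#" -gt 0 ] || { echo "no trusted networks given" >&2; return 1; }
    echo "-A $CHAIN -i lo -j ACCEPT"
    for net in "$@"; do
        is_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
        echo "-A $CHAIN -s $net -j ACCEPT"
    done
    echo "-A $CHAIN -j DROP"
}

# Install the rules in a dedicated chain hooked at the top of INPUT, so an
# earlier broad ACCEPT rule cannot let port 8983 traffic bypass them.
apply_rules() {
    rules=$(solr_rules "$@") || return 1     # validate everything first
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -C INPUT -p tcp --dport "$SOLR_PORT" -j "$CHAIN" 2>/dev/null ||
        iptables -I INPUT 1 -p tcp --dport "$SOLR_PORT" -j "$CHAIN"
    printf '%s\n' "$rules" | while read -r rule; do
        iptables $rule    # unquoted on purpose: one line is several arguments
    done
}

case "${1:-}" in
    --apply) shift; apply_rules "$@" ;;
    "")      ;;                        # no arguments: only define the functions
    *)       solr_rules "$@" ;;        # dry run
esac
```

Source filtering on the server only works if the NAT device preserves the client's source address; if it rewrites the source, every connection appears to come from the NAT device and the restriction has to be made there. The `::ffff:10.100.202.42` listener is an IPv4-mapped socket, so the traffic is still IPv4 and is filtered by iptables rather than ip6tables.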