Jan Høydahl created SOLR-10202:
----------------------------------
Summary: Auto resolve urlScheme, remove cluster property
Key: SOLR-10202
URL: https://issues.apache.org/jira/browse/SOLR-10202
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Components: SolrCloud
Reporter: Jan Høydahl
Spinoff from SOLR-9640.
Today we need to explicitly set the {{urlScheme}} cluster property to enable SSL,
at the same time as we need to set all the SSL env variables on each node. As
discussed in SOLR-9640, we could be smarter about this so an admin only needs to
set up {{solr.in.sh}} with a keystore to enable SSL.
h3. How
Perhaps simplified a bit, but in principle, at node start, if
{{solr.jetty.keystore}} (one out of several possibilities) is defined then use
https, else http :-) Then, if the administrator has mixed it up and failed to
configure {{solr.jetty.keystore}} on one of the nodes, then that node will not
be able to communicate with the others over {{http}}, it will get {{curl: (52)
Empty reply from server}}. Conversely, an SSL enabled node trying to talk to a
Solr node that is not SSL enabled over {{https}}, will get {{curl: (35) Unknown
SSL protocol error in connection to localhost:-9847}} (not the curl error of
course, but similar).
I don't think the nodes need to tell ZK about SSL at all?
So my claim is that this will not give bigger risk of misconfiguration, cause
if you add a new node to the cluster without SSL, it will generate a lot of
BUZZ in the logs and it will never receive any unencrypted data from the other
nodes since connections will fail. Agree?
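As an added illustration (not part of the original message and not Solr's own code), the script below applies the proposed "keystore defined means https" rule to per-node copies of {{solr.in.sh}} and flags a mixed cluster before the nodes start failing to talk to each other. It assumes {{SOLR_SSL_KEY_STORE}} and {{-Dsolr.jetty.keystore=}} are the settings to look for; the function names and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example: audit per-node solr.in.sh copies for a mixed SSL/non-SSL cluster.
# Assumption: a node counts as SSL-enabled when an uncommented line sets a
# non-empty SOLR_SSL_KEY_STORE or passes -Dsolr.jetty.keystore=<value>.

# Print "https" if the given solr.in.sh configures a keystore, else "http".
resolve_url_scheme() {
  if grep -Eq -e '^[^#]*(SOLR_SSL_KEY_STORE=|-Dsolr\.jetty\.keystore=)"?[^[:space:]"]' -- "$1"; then
    echo https
  else
    echo http
  fi
}

# Print "<scheme><TAB><file>" per node; return 1 when the schemes disagree.
audit_cluster() {
  seen_http=0
  seen_https=0
  for f in "$@"; do
    scheme=$(resolve_url_scheme "$f")
    printf '%s\t%s\n' "$scheme" "$f"
    if [ "$scheme" = https ]; then seen_https=1; else seen_http=1; fi
  done
  if [ "$seen_http" -eq 1 ] && [ "$seen_https" -eq 1 ]; then
    echo "MIXED: nodes without a keystore cannot talk to the SSL nodes" >&2
    return 1
  fi
  return 0
}

# Constructed sample input: three node configs, the third left commented out.
make_sample_nodes() {
  printf '%s\n' 'SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks' > "$1/node1.in.sh"
  printf '%s\n' 'SOLR_OPTS="$SOLR_OPTS -Dsolr.jetty.keystore=etc/solr-ssl.keystore.jks"' > "$1/node2.in.sh"
  printf '%s\n' '#SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks' > "$1/node3.in.sh"
}

demo_dir=$(mktemp -d)
make_sample_nodes "$demo_dir"
audit_cluster "$demo_dir"/node*.in.sh || echo "audit exit status: $?"
rm -rf "$demo_dir"
```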