[ https://issues.apache.org/jira/browse/SOLR-10202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17217034#comment-17217034 ]

Timothy Potter commented on SOLR-10202:
---------------------------------------

Agree with Jan and am tackling this along with SOLR-12182 for master / 9.x

> Auto resolve urlScheme, remove cluster property
> -----------------------------------------------
>
>                 Key: SOLR-10202
>                 URL: https://issues.apache.org/jira/browse/SOLR-10202
>             Project: Solr
>          Issue Type: Improvement
>          Components: SolrCloud
>            Reporter: Jan Høydahl
>            Assignee: Timothy Potter
>            Priority: Major
>
> Spinoff from SOLR-9640.
> Today we need to explicitly set {{urlScheme}} cluster property to enable SSL, 
> at the same time as we need to set all the SSL env variables on each node. As 
> discussed in SOLR-9640, we could be smarter about this so an admin only needs 
> to set up {{solr.in.sh}} with keystore to enable SSL.
> h3. How
> Perhaps simplified a bit, but in principle, at node start, if 
> {{solr.jetty.keystore}} (one out of several possibilities) is defined then use 
> https, else http :-) Then, if the administrator has mixed it up and failed to 
> configure {{solr.jetty.keystore}} on one of the nodes, then that node will 
> not be able to communicate with the others over {{http}}, it will get {{curl: 
> (52) Empty reply from server}}. Opposite, an SSL enabled node trying to talk 
> to a Solr node that is not SSL enabled over {{https}}, will get {{curl: (35) 
> Unknown SSL protocol error in connection to localhost:-9847}} (not the curl 
> error of course, but similar).
> I don't think the nodes need to tell ZK about SSL at all?
> So my claim is that this will not give bigger risk of misconfiguration, cause 
> if you add a new node to the cluster without SSL, it will generate a lot of 
> BUZZ in the logs and it will never receive any unencrypted data from the 
> other nodes since connections will fail. Agree?


