Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
Spinoff from SOLR-9640.
Today we need to explicitly set urlScheme cluster property to enable SSL, at the same time as we need to set all the SSL env variables on each node. As discussed in SOLR-9640, we could be smarter about this so an admin only need to setup solr.in.sh with keystore to enable SSL.
How
Perhaps simplified a bit, but in principle, at node start, if solr.jetty.keystore (one out of several possiilities) is defined then use https, else http 
Then, if the administrator has mixed it up and failed to configure solr.jetty.keystore on one of the nodes, then that node will not be able to communicate with the others over http, it will get curl: (52) Empty reply from server. Opposite, an SSL enabled node trying to talk to a Solr node that is not SSL enabled over https, will get curl: (35) Unknown SSL protocol error in connection to localhost:-9847 (not the curl error of course, but similar).
I don't think the nodes need to tell ZK about SSL at all?
So my claim is that this will not give bigger risk of misconfiguration, cause if you add a new node to the cluster without SSL, it will generate a lot of BUZZ in the logs and it will never receive any unencrypted data from the other nodes since connections will fail. Agree?
Attachments
Issue Links
- is related to
-
SOLR-12182 Can not switch urlScheme in 7x if there are any cores in the cluster
-
- Reopened
-