Whitelist IP Ranges in Fusion Services

To whitelist IP ranges for services in Lucidworks Fusion, you must first enable the InetAccessHandler in Jetty. In our examples we will make changes to Fusion Proxy, but the same steps apply to the other Fusion services.

FUSION_HOME=/home/user/Downloads/fusion/version
SERVICE_NAME="proxy"
cd "${FUSION_HOME}/apps/jetty/${SERVICE_NAME}"
java -jar "${FUSION_HOME}/apps/jetty/home/start.jar" --add-to-start=inetaccess

InetAccessHandler Template

Edit ${FUSION_HOME}/apps/jetty/${SERVICE_NAME}/inetaccess.ini.

This template shows how you can use the inetaccess handler:

# ---------------------------------------
# Module: inetaccess
# Enable the InetAccessHandler to apply a include/exclude
# control of the remote IP of requests.
# ---------------------------------------
--module=inetaccess

## List of InetAddress patterns to include
#jetty.inetaccess.include=127.0.0.1,127.0.0.2

## List of InetAddress patterns to exclude
#jetty.inetaccess.exclude=127.0.0.1,127.0.0.2

## List of Connector names to include
#jetty.inetaccess.includeConnectors=http

## List of Connector names to exclude
#jetty.inetaccess.excludeConnectors=tls

Uncomment the appropriate filters.

For example, to whitelist all IPs from 10.0.0.1-10.255.255.255, uncomment jetty.inetaccess.include and set it to that range.

jetty.inetaccess.include=10.0.0.1-10.255.255.255

Having the InetAccessHandler apply to only one of the connectors

Starting in Fusion 5.0, you can use includeConnectors and excludeConnectors to limit the InetAccessHandler policy to only HTTP or HTTPS. This lets you use InetAccessHandler to disable HTTP while leaving HTTPS open.

Set a name for the HTTP and HTTPS connectors:

Edit ${FUSION_HOME}/apps/jetty/${SERVICE_NAME}/http.ini and add a name property to the bottom of the file for HTTP.

name=http

Edit ${FUSION_HOME}/apps/jetty/${SERVICE_NAME}/https.ini and add a name property to the bottom of the file for HTTPS.

name=tls

Uncomment excludeConnectors

Many Fusion services such as AppStudio cannot use the HTTPS connector and rely on the HTTP connector. Uncomment jetty.inetaccess.excludeConnectors.

jetty.inetaccess.excludeConnectors=tls

The jetty.inetaccess.include list of the InetAccessHandler now applies only to the HTTP connector. The TLS connector is not filtered and remains open for use.
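As an added example (not code from Fusion or Jetty), the following Python models the decisions described above, both the address patterns from the jetty.inetaccess.include step and the connector exclusion from the last step, so that a planned inetaccess.ini policy can be checked against sample client addresses before it is deployed. The evaluation order and the rule "an empty include list admits everything, an exclude match always wins" are assumptions about Jetty's behaviour, and the policy, connector names and client addresses are constructed.

```python
import ipaddress

# Constructed policy mirroring the inetaccess.ini settings from this page (assumed semantics,
# not Fusion's or Jetty's own code): include 10.0.0.1-10.255.255.255, skip the "tls" connector.
POLICY = {
    "include": ["10.0.0.1-10.255.255.255"],
    "exclude": [],
    "includeConnectors": [],
    "excludeConnectors": ["tls"],
}


def _matches(pattern, addr):
    """True if addr matches one pattern: a single address, an A-B range, or a CIDR block."""
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        return lo <= addr <= hi
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def _in_set(include, exclude, value, match):
    """Include/exclude rule as assumed here: empty include admits everything; exclude wins."""
    included = not include or any(match(p, value) for p in include)
    excluded = any(match(p, value) for p in exclude)
    return included and not excluded


def is_allowed(policy, connector, client_ip):
    """Decide whether a request arriving on `connector` from `client_ip` passes the handler."""
    # Connector filtering is evaluated first: a connector outside the policy is not checked at all,
    # which is why excluding "tls" leaves the HTTPS connector open to every client address.
    connector_checked = _in_set(policy["includeConnectors"], policy["excludeConnectors"],
                                connector, lambda p, v: p == v)
    if not connector_checked:
        return True
    return _in_set(policy["include"], policy["exclude"],
                   ipaddress.ip_address(client_ip), _matches)


def check(policy, cases):
    """Evaluate a list of (connector, client_ip) pairs; returns {(connector, ip): allowed}."""
    return {(c, ip): is_allowed(policy, c, ip) for c, ip in cases}


if __name__ == "__main__":
    # Constructed sample clients: inside the range, outside it, and outside it but on TLS.
    cases = [("http", "10.3.4.5"), ("http", "192.168.1.9"), ("tls", "192.168.1.9")]
    for (connector, ip), ok in check(POLICY, cases).items():
        print(f"{connector:5s} {ip:15s} -> {'allow' if ok else 'deny'}")
```

Swap in your own include, exclude and connector lists to see which client addresses each connector would admit before editing the live inetaccess.ini.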