Set HTTP2 as default is SSL is enabled and add deprecation log if SSL is not enabled or protocol is set to HTTP1 (#204384)

## Summary

resolves https://github.com/elastic/kibana/issues/194067

Set HTTP2 as default if ssl is enabled. 

resolves https://github.com/elastic/kibana/issues/194065

Add deprecation log if ssl is not enabled or if protocol is set to http1

<img width="1665" alt="Screenshot 2024-12-17 at 17 06 50"
src="https://github.com/user-attachments/assets/3bc7ff57-1079-4a27-90d2-88f3e09093d6"
/>

<img width="1727" alt="Screenshot 2024-12-17 at 17 06 22"
src="https://github.com/user-attachments/assets/d5489705-6cd6-4e09-8327-fdd0f54292ea"
/>


### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Rudolf Meijering <skaapgif@gmail.com>
Jesus Wahrman 2025-01-03 10:21:32 +01:00 committed by GitHub
parent 2e92018553
commit 1b1d64b0a5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 102 additions and 9 deletions


@ -472,9 +472,9 @@ identifies this {kib} instance. *Default: `"your-hostname"`*
{kib} is served by a back end server. This
setting specifies the port to use. *Default: `5601`*
`server.protocol`::
experimental[] The http protocol to use, either `http1` or `http2`. Set to `http2` to enable `HTTP/2` support for the {kib} server.
*Default: `http1`*
[[server-protocol]] `server.protocol`::
experimental[] The http protocol to use, either `http1` or `http2`. Set to `http1` to opt out of `HTTP/2` support when TLS is enabled. Use of `http1` may impact browser loading performance especially for dashboards with many panels.
*Default*: `http2` if TLS is enabled, otherwise `http1`.
+
NOTE: By default, enabling `http2` requires a valid `h2c` configuration, meaning that TLS must be enabled via <<server-ssl-enabled, `server.ssl.enabled`>>
and <<server-ssl-supportedProtocols, `server.ssl.supportedProtocols`>>, if specified, must contain at least `TLSv1.2` or `TLSv1.3`. Strict validation of


@ -179,4 +179,25 @@ It will no longer be possible to create new scripted fields directly from the *D
*Action* +
Migrate to runtime fields or ES|QL instead of creating new scripted fields. Existing scripted fields can still be edited or deleted.
====
[discrete]
[[known-issue-204384]]
.Now HTTP/2 is the default protocol when TLS is enabled and a deprecation warning appears if HTTP/2 is not enabled or TLS is not configured (9.0.0)
[%collapsible]
====
*Details* +
Starting from version 9.0.0, HTTP/2 is the default protocol when TLS is enabled. This ensures improved performance and security. However, if HTTP/2 is not enabled or TLS is not configured, a deprecation warning will be added.
For more information, refer to {kibana-pull}204384[#204384].
*Impact* +
Systems that have TLS enabled but don't specify a protocol will start using HTTP/2 in 9.0.0.
Systems that use HTTP/1 or don't have TLS configured will get a deprecation warning.
*Action* +
Verify that TLS is properly configured by enabling it and providing valid certificates in the settings. Test your system to ensure that connections are established securely over HTTP/2.
If your Kibana server is hosted behind a load balancer or reverse proxy we recommend testing your deployment configuration before upgrading to 9.0.
====


@ -577,6 +577,22 @@ describe('cdn', () => {
});
});
describe('http1 protocol', () => {
it('uses http1 as default if protocol is empty and ssl is not enabled', () => {
expect(
config.schema.validate({
ssl: {
enabled: false,
},
})
).toEqual(
expect.objectContaining({
protocol: 'http1',
})
);
});
});
describe('http2 protocol', () => {
it('throws if http2 is enabled but TLS is not', () => {
expect(() =>
@ -642,6 +658,22 @@ describe('http2 protocol', () => {
})
);
});
it('uses http2 as default if protocol is empty and ssl is enabled', () => {
expect(
config.schema.validate({
ssl: {
enabled: true,
supportedProtocols: ['TLSv1.2'],
certificate: '/path/to/certificate',
key: '/path/to/key',
},
})
).toEqual(
expect.objectContaining({
protocol: 'http2',
})
);
});
});
describe('HttpConfig', () => {
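Review bot: The two new default-protocol tests cover the unset-protocol case on both sides of `ssl.enabled`, but neither asserts that an explicit `protocol: 'http1'` is still accepted when `ssl.enabled` is true, which is the opt-out the updated docs in this commit advertise. One more `it(...)` in the `http2 protocol` block validating `{ ssl: { enabled: true, ... }, protocol: 'http1' }` and expecting `protocol: 'http1'` would pin that path against future changes to the `schema.conditional` branches. This may already be covered by a test outside the hunk, since the `describe('http2 protocol')` block starts and continues beyond what is shown here.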


@ -17,6 +17,7 @@ import { uuidRegexp } from '@kbn/core-base-server-internal';
import type { HttpProtocol, ICspConfig, IExternalUrlConfig } from '@kbn/core-http-server';
import type { IHttpEluMonitorConfig } from '@kbn/core-http-server/src/elu_monitor';
import type { HandlerResolutionStrategy } from '@kbn/core-http-router-server-internal';
import { get } from 'lodash';
import { CspConfig, CspConfigType } from './csp';
import { ExternalUrlConfig } from './external_url';
import {
@ -123,9 +124,16 @@ const configSchema = schema.object(
}
},
}),
protocol: schema.oneOf([schema.literal('http1'), schema.literal('http2')], {
defaultValue: 'http1',
}),
protocol: schema.conditional(
schema.siblingRef('ssl.enabled'),
schema.literal(true),
schema.oneOf([schema.literal('http1'), schema.literal('http2')], {
defaultValue: 'http2',
}),
schema.oneOf([schema.literal('http1'), schema.literal('http2')], {
defaultValue: 'http1',
})
),
host: schema.string({
defaultValue: 'localhost',
hostname: true,
@ -290,7 +298,27 @@ export type HttpConfigType = TypeOf<typeof configSchema>;
export const config: ServiceConfigDescriptor<HttpConfigType> = {
path: 'server' as const,
schema: configSchema,
deprecations: ({ rename }) => [rename('maxPayloadBytes', 'maxPayload', { level: 'warning' })],
deprecations: ({ rename }) => [
rename('maxPayloadBytes', 'maxPayload', { level: 'warning' }),
(settings, fromPath, addDeprecation, { docLinks }) => {
const cfg = get(settings, fromPath);
if (!cfg?.ssl?.enabled || cfg?.protocol === 'http1') {
addDeprecation({
level: 'warning',
title: `Consider enabling TLS and using HTTP/2 to improve security and performance.`,
configPath: `${fromPath}.protocol,${fromPath}.ssl.enabled`,
message: `TLS is not enabled, or the HTTP protocol is set to HTTP/1. Enabling TLS and using HTTP/2 improves security and performance.`,
correctiveActions: {
manualSteps: [
`Set up TLS by configuring ${fromPath}.ssl.`,
`Set the protocol to 'http2' by updating ${fromPath}.protocol to 'http2' in your configuration.`,
],
},
documentationUrl: docLinks.server.protocol,
});
}
},
],
};
export class HttpConfig implements IHttpConfig {


@ -26,14 +26,17 @@ describe('configuration deprecations', () => {
});
if (getFips() === 0) {
it('should not log deprecation warnings for default configuration', async () => {
it('should log one warning for default configuration, the http/tls deprecation warning', async () => {
root = createRoot();
await root.preboot();
await root.setup();
const logs = loggingSystemMock.collect(mockLoggingSystem);
expect(logs.warn.flat()).toHaveLength(0);
expect(logs.warn.flat()).toHaveLength(1);
expect(logs.warn.flat()[0]).toEqual(
'TLS is not enabled, or the HTTP protocol is set to HTTP/1. Enabling TLS and using HTTP/2 improves security and performance.'
);
});
} else {
it('fips is enabled and the default configuration has been overridden', () => {

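--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -469,6 +469,9 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D
 ruleApiOverview: `${SECURITY_SOLUTION_DOCS}rule-api-overview.html`,
 configureAlertSuppression: `${SECURITY_SOLUTION_DOCS}alert-suppression.html#_configure_alert_suppression`,
 },
+server: {
+protocol: `${KIBANA_DOCS}settings.html#server-protocol`,
+},
 securitySolution: {
 artifactControl: `${SECURITY_SOLUTION_DOCS}artifact-control.html`,
 avcResults: `${ELASTIC_WEBSITE_URL}blog/elastic-av-comparatives-business-security-test`,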

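--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -337,6 +337,9 @@ export interface DocLinks {
 readonly ruleApiOverview: string;
 readonly configureAlertSuppression: string;
 };
+readonly server: {
+readonly protocol: string;
+};
 readonly securitySolution: {
 readonly aiAssistant: string;
 readonly artifactControl: string;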

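--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -58,6 +58,9 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
 `--server.ssl.key=${KBN_KEY_PATH}`,
 `--server.ssl.certificate=${KBN_CERT_PATH}`,
 `--server.ssl.redirectHttpFromPort=${redirectPort}`,
+// supertest is configured with http1 so it fails when redirecting
+// to an http2 server
+`--server.protocol=http1`,
 ],
 },
 };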