Revert same port http -> https redirect (#10930)

- httpolyglot is removed, we no longer automatically redirect from http to https - server.ssl.redirectHttpFromPort option added to allow for http -> https redirect from one port to another - We no longer start the dev server with tls by default, it can be turned on with the --ssl flag, npm start -- --ssl, or ./bin/kibana --dev --ssl - There will currently be error log messages if you connect over the wrong protocol, we have #11209 for downgrading these
2025-04-23 17:28:26 -04:00 · 2017-07-07 16:15:56 +01:00 · 2017-07-07 16:15:56 +01:00 · c79e22386c
commit c79e22386c
parent 3000221fac
10 changed files with 77 additions and 44 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -202,19 +202,7 @@ In development mode, Kibana runs a customized version of [Webpack](http://webpac

 #### Setting Up SSL

-When Kibana runs in development mode it will automatically use bundled SSL certificates. These certificates won't be trusted by your OS by default which will likely cause your browser to complain about the certificate.
-
-If you run into this issue, visit the development server and configure your OS to trust the certificate.
-
- OSX: https://www.accuweaver.com/2014/09/19/make-chrome-accept-a-self-signed-certificate-on-osx/
- Windows: http://stackoverflow.com/a/1412118
- Linux: http://unix.stackexchange.com/a/90607
-
-There are a handful of other options, although we enthusiastically recommend that you trust our development certificate.
-
- Click through the warning and accept future warnings
- Supply your own certificate using the `config/kibana.dev.yml` file
- Disable SSL in Kibana by starting the application with `npm start -- --no-ssl`
+Kibana includes a self-signed certificate that can be used for development purposes: `npm start -- --ssl`.

 ### Linting

@ -307,7 +295,7 @@ npm run test:browser -- --dev # remove the --dev flag to run them once and close
 * Open VMWare and go to Window > Virtual Machine Library. Unzip the virtual machine and drag the .vmx file into your Virtual Machine Library.
 * Right-click on the virtual machine you just added to your library and select "Snapshots...", and then click the "Take" button in the modal that opens. You can roll back to this snapshot when the VM expires in 90 days.
 * In System Preferences > Sharing, change your computer name to be something simple, e.g. "computer".
-* Run Kibana with `npm start -- --no-ssl --host=computer.local` (substituting your computer name).
+* Run Kibana with `npm start -- --host=computer.local` (substituting your computer name).
 * Now you can run your VM, open the browser, and navigate to `http://computer.local:5601` to test Kibana.

 #### Running Browser Automation Tests
--- a/docs/migration/migrate_6_0.asciidoc
+++ b/docs/migration/migrate_6_0.asciidoc
@ -57,4 +57,11 @@ This is no longer the case. Now, only commas are a valid query separator: e.g. `
 === Time-interval based index patterns are no longer supported
 *Details:*  Starting in Kibana 6.0.0 we removed the ability to create index patterns that use a date-pattern and interval to identify Elasticsearch indices. Index patterns must now use wildcards which are more performant in most cases.

-*Impact:* Existing index patterns and saved objects will continue to function without issue, and in a subsequent release we will provide utilities to migrate your index patterns/saved objects.
+*Impact:* Existing index patterns and saved objects will continue to function without issue, and in a subsequent release we will provide utilities to migrate your index patterns/saved objects.
+
+
+[float]
+=== Removed same port http to https redirect behavior
+*Details:* Kibana 5.x redirected requests from http to https on the same port if TLS was configured. Starting in Kibana 6.0.0, Kibana no longer redirects basic http traffic to https.
+
+*Impact:* With the new configuration setting `server.ssl.redirectHttpFromPort` you can specify a port that will redirect from http to https. This cannot be the same port as the https port.
--- a/package.json
+++ b/package.json
@ -72,7 +72,6 @@
  "dependencies": {
    "@bigfunger/jsondiffpatch": "0.1.38-webpack",
    "@elastic/datemath": "2.3.0",
-    "@elastic/httpolyglot": "0.1.2-elasticpatch1",
    "@elastic/webpack-directory-name-as-main": "2.0.2",
    "@spalger/filesaver": "1.1.2",
    "@spalger/leaflet-draw": "0.2.3",
--- a/src/cli/serve/serve.js
+++ b/src/cli/serve/serve.js
@ -114,7 +114,7 @@ export default function (program) {
  if (canCluster) {
    command
    .option('--dev', 'Run the server with development mode defaults')
-    .option('--no-ssl', 'Don\'t run the dev server using HTTPS')
+    .option('--ssl', 'Run the dev server using HTTPS')
    .option('--no-base-path', 'Don\'t put a proxy in front of the dev server, which adds a random basePath')
    .option('--no-watch', 'Prevents automatic restarts of the server in --dev mode');
  }
--- a/src/server/config/schema.js
+++ b/src/server/config/schema.js
@ -55,6 +55,7 @@ export default () => Joi.object({
    basePath: Joi.string().default('').allow('').regex(/(^$|^\/.*[^\/]$)/, `start with a slash, don't end with one`),
    ssl: Joi.object({
      enabled: Joi.boolean().default(false),
+      redirectHttpFromPort: Joi.number(),
      certificate: Joi.string().when('enabled', {
        is: true,
        then: Joi.required(),
--- a/src/server/http/index.js
+++ b/src/server/http/index.js
@ -9,6 +9,7 @@ import { handleShortUrlError } from './short_url_error';
 import { shortUrlAssertValid } from './short_url_assert_valid';
 import shortUrlLookupProvider from './short_url_lookup';
 import setupConnectionMixin from './setup_connection';
+import setupRedirectMixin from './setup_redirect_server';
 import registerHapiPluginsMixin from './register_hapi_plugins';
 import xsrfMixin from './xsrf';

@ -17,6 +18,7 @@ export default async function (kbnServer, server, config) {

  const shortUrlLookup = shortUrlLookupProvider(server);
  await kbnServer.mixin(setupConnectionMixin);
+  await kbnServer.mixin(setupRedirectMixin);
  await kbnServer.mixin(registerHapiPluginsMixin);

  // provide a simple way to expose static directories
--- a/src/server/http/setup_connection.js
+++ b/src/server/http/setup_connection.js
@ -1,6 +1,4 @@
 import { readFileSync } from 'fs';
-import { format as formatUrl } from 'url';
-import httpolyglot from '@elastic/httpolyglot';
 import { map } from 'lodash';
 import secureOptions from './secure_options';

@ -40,8 +38,7 @@ export default function (kbnServer, server, config) {

  server.connection({
    ...connectionOptions,
-    tls: true,
-    listener: httpolyglot.createServer({
+    tls: {
      key: readFileSync(config.get('server.ssl.key')),
      cert: readFileSync(config.get('server.ssl.certificate')),
      ca: map(config.get('server.ssl.certificateAuthorities'), readFileSync),
@ -51,22 +48,6 @@ export default function (kbnServer, server, config) {
      // We use the server's cipher order rather than the client's to prevent the BEAST attack
      honorCipherOrder: true,
      secureOptions: secureOptions(config.get('server.ssl.supportedProtocols'))
-    })
-  });
-
-  server.ext('onRequest', function (req, reply) {
-    // A request sent through a HapiJS .inject() doesn't have a socket associated with the request
-    // which causes a failure.
-    if (!req.raw.req.socket || req.raw.req.socket.encrypted) {
-      reply.continue();
-    } else {
-      reply.redirect(formatUrl({
-        port,
-        protocol: 'https',
-        hostname: host,
-        pathname: req.url.pathname,
-        search: req.url.search,
-      }));
    }
  });
 }
--- a/src/server/http/setup_redirect_server.js
+++ b/src/server/http/setup_redirect_server.js
@ -0,0 +1,57 @@
+import { format as formatUrl } from 'url';
+import { fromNode } from 'bluebird';
+import Hapi from 'hapi';
+
+// If a redirect port is specified, we start an http server at this port and
+// redirect all requests to the ssl port.
+export default async function (kbnServer, server, config) {
+  const isSslEnabled = config.get('server.ssl.enabled');
+  const portToRedirectFrom = config.get('server.ssl.redirectHttpFromPort');
+
+  // Both ssl and port to redirect from must be specified
+  if (!isSslEnabled || portToRedirectFrom === undefined) {
+    return;
+  }
+
+  const host = config.get('server.host');
+  const sslPort = config.get('server.port');
+
+  if (portToRedirectFrom === sslPort) {
+    throw new Error(
+      'Kibana does not accept http traffic to `server.port` when ssl is ' +
+      'enabled (only https is allowed), so `server.ssl.redirectHttpFromPort` ' +
+      `cannot be configured to the same value. Both are [${sslPort}].`
+    );
+  }
+
+  const redirectServer = new Hapi.Server();
+
+  redirectServer.connection({
+    host,
+    port: portToRedirectFrom
+  });
+
+  redirectServer.ext('onRequest', (req, reply) => {
+    reply.redirect(formatUrl({
+      protocol: 'https',
+      hostname: host,
+      port: sslPort,
+      pathname: req.url.pathname,
+      search: req.url.search,
+    }));
+  });
+
+  try {
+    await fromNode(cb => redirectServer.start(cb));
+  } catch (err) {
+    if (err.code === 'EADDRINUSE') {
+      throw new Error(
+        'The redirect server failed to start up because port ' +
+        `${portToRedirectFrom} is already in use. Ensure the port specified ` +
+        'in `server.ssl.redirectHttpFromPort` is available.'
+      );
+    } else {
+      throw err;
+    }
+  }
+}
--- a/tasks/config/run.js
+++ b/tasks/config/run.js
@ -129,7 +129,6 @@ module.exports = function (grunt) {
        '--elasticsearch.url=' + format(esTestServerUrlParts),
        '--dev',
        '--no-base-path',
-        '--no-ssl',
        '--optimize.lazyPort=5611',
        '--optimize.lazyPrebuild=true',
        '--optimize.bundleDir=optimize/testUiServer',
@ -165,7 +164,6 @@ module.exports = function (grunt) {
        ...buildTestsArgs,
        '--dev',
        '--no-watch',
-        '--no-ssl',
        '--no-base-path',
        '--server.port=5610',
        '--optimize.lazyPort=5611',
--- a/tasks/lib/notice/tests/notice.js
+++ b/tasks/lib/notice/tests/notice.js
@ -9,11 +9,11 @@ const NODE_MODULES = resolve(__dirname, '../../../../node_modules');
 const NODE_DIR = resolve(process.execPath, '../..');
 const PACKAGES = [
  {
-    name: '@elastic/httpolyglot',
-    version: '0.1.2-elasticpatch1',
+    name: '@spalger/filesaver',
+    version: '1.1.2',
    licenses: ['MIT'],
-    directory: resolve(NODE_MODULES, '@elastic/httpolyglot'),
-    relative: 'node_modules/@elastic/httpolyglot',
+    directory: resolve(NODE_MODULES, '@spalger/filesaver'),
+    relative: 'node_modules/@spalger/filesaver',
  },
  {
    name: 'aws-sdk',
@ -41,7 +41,7 @@ describe('tasks/lib/notice', () => {
    });

    it('includes *LICENSE* files from packages', () => {
-      expect(notice).to.contain(readFileSync(resolve(NODE_MODULES, '@elastic/httpolyglot/LICENSE'), 'utf8'));
+      expect(notice).to.contain(readFileSync(resolve(NODE_MODULES, '@spalger/filesaver/LICENSE.md'), 'utf8'));
    });

    it('includes the LICENSE file from node', () => {