[9.0] Log warning on startup if TLS / http2 is not configured #194065
Comments
lukeelmers added the Team:Security and v9.0.0 labels on Sep 25, 2024
Pinging @elastic/kibana-security (Team:Security)
We log a similar TLS warning for session cookies today:
We could rephrase this to be more generic and actionable, explaining that TLS is not enabled, and that we recommend enabling this for improved security, and to take advantage of http2.
Adding
legrego added the Team:Core label and removed the Team:Security label on Oct 1, 2024
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this issue on Jan 13, 2025:
… is not enabled or protocol is set to HTTP1 (elastic#204384)

## Summary

resolves elastic#194067 Set HTTP2 as default if ssl is enabled.
resolves elastic#194065 Add deprecation log if ssl is not enabled or if protocol is set to http1

![Screenshot 2024-12-17 at 17 06 50](https://github.com/user-attachments/assets/3bc7ff57-1079-4a27-90d2-88f3e09093d6)
![Screenshot 2024-12-17 at 17 06 22](https://github.com/user-attachments/assets/d5489705-6cd6-4e09-8327-fdd0f54292ea)

### Checklist

Check the PR satisfies the following conditions. Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Rudolf Meijering <[email protected]>
Starting in 9.0, we want to start recommending that folks use http2 as the default configuration for Kibana due to the performance benefits it brings, especially for Dashboards.
As TLS is a requirement for using http2, it would be nice to log a one-time warning on startup if we see that someone is running Kibana without TLS configured, and without http2 configured. This could be something we just do in production (non-dev) mode, and could link to the documentation for setting these up with an explanation that they are recommended configurations for production use.
I'm not sure whether this would make more sense as a single combined log, or two separate logs (one warning for TLS, one for http2), but thought I'd start with a security issue 🙂
cc @timductive @rayafratkina @thomasneirynck @elastic/kibana-core
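As an added example (not Kibana's own code), here is a TypeScript sketch of the startup check this issue proposes, combined with the defaulting rule from the linked commit (http2 by default when TLS is enabled, deprecation warning otherwise, production mode only, logged once). The config shape, function names and the docs URL are assumptions; the real settings are `server.ssl.enabled` and `server.protocol`, but nothing here is Kibana's actual implementation.

```typescript
// Hypothetical, simplified model of the relevant server settings (not Kibana's config schema).
type HttpProtocol = 'http1' | 'http2';

interface ServerConfig {
  ssl: { enabled: boolean };
  protocol?: HttpProtocol; // undefined means the operator did not set it explicitly
}

interface ResolvedHttpConfig {
  protocol: HttpProtocol;
  warnings: string[];
}

// Placeholder, not a real documentation URL.
const DOCS_URL = 'https://example.invalid/kibana-tls-and-http2';

// Resolve the effective protocol and collect the one-time startup warnings.
// Warnings are only produced outside dev mode, as the issue suggests.
function resolveHttpConfig(config: ServerConfig, isDevMode: boolean): ResolvedHttpConfig {
  // Assumption: an explicit http2 without TLS is a hard configuration error,
  // since the issue states that TLS is a requirement for http2.
  if (config.protocol === 'http2' && !config.ssl.enabled) {
    throw new Error('server.protocol "http2" requires TLS (server.ssl.enabled: true)');
  }
  // Default to http2 when TLS is on; without TLS only http1 is possible.
  const protocol: HttpProtocol = config.protocol ?? (config.ssl.enabled ? 'http2' : 'http1');
  const warnings: string[] = [];
  if (!isDevMode) {
    if (!config.ssl.enabled) {
      warnings.push(
        `TLS is not enabled; enabling it is recommended for production and is required for http2. See ${DOCS_URL}`
      );
    } else if (protocol === 'http1') {
      warnings.push(`server.protocol is set to http1; http2 is recommended for production. See ${DOCS_URL}`);
    }
  }
  return { protocol, warnings };
}

// Emit each distinct warning once per process, however often the check runs.
const alreadyLogged = new Set<string>();
function logStartupWarningsOnce(warnings: string[], log: (message: string) => void): number {
  let emitted = 0;
  for (const warning of warnings) {
    if (alreadyLogged.has(warning)) continue;
    alreadyLogged.add(warning);
    log(warning);
    emitted += 1;
  }
  return emitted; // number of warnings newly written to the log
}
```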