Revert same port http -> https redirect #10930
Conversation
jbudz
added
Team:Operations
|
I got to thinking about this recently. I think there may still be value in http->https redirection, I just think the current approach was too heavy handed. Doing this on a single port is kind of nuts, but if they are binding to port 443 for SSL, it certainly would be convenient to also bind to port 80 purely for the sake of redirection. This would be the obvious use case for most people, I think. Anyone thoughts? Edit: This wouldn't require third party dependencies. |
|
@epixa to accomplish that wouldn't we need to expose an additional port and provide configuration for it? |
|
I'll make an update, something like |
|
Thoughts on |
|
Would it need any other configurations? The use case is you pointing I could imagine someone wanting to disable this functionality, though. |
|
Using port 80 would require privileged permissions to start Kibana. It's possible, but it would be a large change from what we have now. In addition, we would be more prone to port conflicts. |
|
@tylersmalley As would 443 (or any other port that doesn't show up in URLs), so that should be fine. In other words, someone should only be able to trigger this behavior if they are already using privileged permissions. If someone configures Kibana to use SSL on port 5601, for example, then there's no need to do extra redirects. The idea here is that if people are exposing Kibana directly to the web, we'll handle https redirects from port 80 to ensure their browser redirects to https. But if they put Kibana behind a reverse proxy, they should handle the https redirect on their own. |
|
@epixa, I believe we are on the same page but I might have been miss-directed by your previous comment about not requiring additional configuration beyond |
|
Let's decouple the redirect discussion from the PR and leave it as-is. I will create a new issue documenting the solutions brought up thus far. |
|
Here is that issue: #10948 |
There was a problem hiding this comment.
Spoke too soon with the LGTM :)
Besides documenting the breaking change, there's another thing I just noticed running this PR:
If I make a request to http://localhost:5601, I see errors like this in the Kibana server log:
server log [18:32:52.755] [error][client][connection] Error: 140736487396288:error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request:../deps/openssl/openssl/ssl/s23_srvr.c:394:
at Error (native)
|
For the record, I really don't like the way this feels in development |
|
@spalger Perhaps this is something we could bake into the basePath proxy (and rename it to dev proxy or something). |
jbudz
force-pushed
the
revert/httpolyglot
branch
from
0e7bd10
to
b0e1482
Compare
|
@jbudz what do you think about keeping this for dev? I'm 100% for it |
|
Leaving it in dev mode minimizes any concerns I had with it, so I'm up for it. We already have the base path proxy which we of course aren't shipping either. It was frustrating me while writing this PR, but I figured once my browser autocomplete fixed on the right protocol it would be fine. |
|
Is anyone against this in dev mode only? |
|
I've been using it for a couple days and keep feeling dislike :/ |
|
I am fine keeping it only for development. We can always review down the road, but this at least removes it from builds for now. |
There was a problem hiding this comment.
The more I think about it, the more important the port 80 redirection seems to be, and I don't think we should move forward with this change without it in the same PR. The comment that I left on the breaking change is just one example of the strangeness this will have if we went forward as-is. And the error messages thing when accessed using the wrong protocol is probably worth blocking the release on, so merging this PR effectively puts the release in limbo until we address the other thing.
I actually think the error message itself is fine so long as the port redirection feature is available, though it would be awesome if we could provide a more useful error message that points people to this configuration.
docs/migration/migrate_6_0.asciidoc
Outdated
| === Removed same port http to https redirect behavior | ||
| *Details:* Kibana 5.x redirected requests from http to https on the same port if TLS was configured. This was removed. | ||
|
|
||
| *Impact:* You may need to add a redirect on a different port if a redirect is expected. |
There was a problem hiding this comment.
I know the plan here is to follow up with a different PR to handle port redirection stuff, but when this specific PR is merged, the reality is going to be that there is no way to do http -> https redirection in Kibana. We should update the breaking changes impact to mention that the only way to accomplish this would be to custom handle http -> https redirection in a reverse proxy or at the load balancer.
There was a problem hiding this comment.
The follow up PR that handles http -> https support will need to then modify this breaking change documentation, obviously.
There was a problem hiding this comment.
My overall review comment makes this feedback moot, but I'm leaving it here for posterity's sake.
docs/migration/migrate_6_0.asciidoc
Outdated
|
|
||
| [float] | ||
| === Removed same port http to https redirect behavior | ||
| *Details:* Kibana 5.x redirected requests from http to https on the same port if TLS was configured. This was removed. |
There was a problem hiding this comment.
Rather than "This was removed", let's err on the side of more information even if it seems a bit redundant. Perhaps "Kibana 5.x redirected requests from http to https on the same port if TLS was configured. Starting in Kibana 6.0.0, Kibana no longer redirects basic http traffic to https."
|
I pushed a suggestion for redirecting http to https here. @epixa can you take a look? |
This reverts commit 47030b8.
kimjoar
force-pushed
the
revert/httpolyglot
branch
from
83b6a9a
to
6e415ce
Compare
| @@ -9,11 +9,11 @@ const NODE_MODULES = resolve(__dirname, '../../../../node_modules'); | |||
| const NODE_DIR = resolve(process.execPath, '../..'); | |||
| const PACKAGES = [ | |||
| { | |||
| name: '@elastic/httpolyglot', | |||
| version: '0.1.2-elasticpatch1', | |||
| name: '@spalger/filesaver', | |||
There was a problem hiding this comment.
Let's switch this to being a controlled package that we know will always exist because we've created it specifically for this purpose. We can create an npm package under the @elastic org that does nothing except provide the license we want to verify against, and then we can depend on that package in our devDependencies. We should never need to update this test just because we decided to no longer depend on a given package in our source.
There was a problem hiding this comment.
Okey if I do it in a separate PR? (Just want to make sure this gets ready for 6.0)
| import { format as formatUrl } from 'url'; | ||
| import Hapi from 'hapi'; | ||
|
|
||
| // If a redirect port is specified, we need to start a server a non-ssl |
There was a problem hiding this comment.
we need to start a server a non-ssl server at this doesn't english good.
| const host = config.get('server.host'); | ||
| const sslPort = config.get('server.port'); | ||
|
|
||
| const redirectServer = new Hapi.Server(); |
There was a problem hiding this comment.
We shouldn't block on this, but I really wish we just used a native node http server for this. I have much greater confidence in that abstraction in general than I do in hapi, both in terms of how lightweight it is, and how stable the API is.
This works though.
There was a problem hiding this comment.
Can we provide a more useful error message before exiting when the redirect port is the same as the main port? Right now it just does a generic error:
server log [13:11:39.894] [fatal] Port 5601 is already in use. Another instance of Kibana may be running!
FATAL Port 5601 is already in use. Another instance of Kibana may be running!
But ideally we'd instead say something specific to let the user know that ssl.server.redirectHttpFromPort cannot be set to the same port as server.port, or something like that.
|
LGTM other than the generic error message |
epixa
dismissed
ycombinator’s stale review
We're going to tackle the downgrading alongside this PR, so this feedback should be addressed with that.
server.ssl.redirectHttpFromPortoption added to allow for http -> https redirect from one port to anothernpm start -- --ssl, or./bin/kibana --dev --sslCloses #10181
Release Note: Kibana 5.x redirected requests from http to https on the same port if TLS was configured. Starting in Kibana 6.0.0 Kibana no longer redirects basic http traffic to https.