-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert same port http -> https redirect #10930
Conversation
I got to thinking about this recently. I think there may still be value in http->https redirection, I just think the current approach was too heavy handed. Doing this on a single port is kind of nuts, but if they are binding to port 443 for SSL, it certainly would be convenient to also bind to port 80 purely for the sake of redirection. This would be the obvious use case for most people, I think. Anyone thoughts? Edit: This wouldn't require third party dependencies. |
@epixa to accomplish that wouldn't we need to expose an additional port and provide configuration for it? |
I'll make an update, something like |
Thoughts on |
Would it need any other configurations? The use case is you pointing I could imagine someone wanting to disable this functionality, though. |
Using port 80 would require privileged permissions to start Kibana. It's possible, but it would be a large change from what we have now. In addition, we would be more prone to port conflicts. |
@tylersmalley As would 443 (or any other port that doesn't show up in URLs), so that should be fine. In other words, someone should only be able to trigger this behavior if they are already using privileged permissions. If someone configures Kibana to use SSL on port 5601, for example, then there's no need to do extra redirects. The idea here is that if people are exposing Kibana directly to the web, we'll handle https redirects from port 80 to ensure their browser redirects to https. But if they put Kibana behind a reverse proxy, they should handle the https redirect on their own. |
@epixa, I believe we are on the same page but I might have been miss-directed by your previous comment about not requiring additional configuration beyond |
Let's decouple the redirect discussion from the PR and leave it as-is. I will create a new issue documenting the solutions brought up thus far. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This LGTM - I have created a new issue to track the discussion on how to handle the redirection.
Here is that issue: #10948 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. This seems like a breaking change - links to http://... would now no longer automagically work. Should this be documented somewhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Spoke too soon with the LGTM :)
Besides documenting the breaking change, there's another thing I just noticed running this PR:
If I make a request to http://localhost:5601
, I see errors like this in the Kibana server log:
server log [18:32:52.755] [error][client][connection] Error: 140736487396288:error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request:../deps/openssl/openssl/ssl/s23_srvr.c:394:
at Error (native)
For the record, I really don't like the way this feels in development |
@spalger Perhaps this is something we could bake into the basePath proxy (and rename it to dev proxy or something). |
0e7bd10
to
b0e1482
Compare
@jbudz what do you think about keeping this for dev? I'm 100% for it |
Leaving it in dev mode minimizes any concerns I had with it, so I'm up for it. We already have the base path proxy which we of course aren't shipping either. It was frustrating me while writing this PR, but I figured once my browser autocomplete fixed on the right protocol it would be fine. |
Is anyone against this in dev mode only? |
I've been using it for a couple days and keep feeling dislike :/ |
I am fine keeping it only for development. We can always review down the road, but this at least removes it from builds for now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The more I think about it, the more important the port 80 redirection seems to be, and I don't think we should move forward with this change without it in the same PR. The comment that I left on the breaking change is just one example of the strangeness this will have if we went forward as-is. And the error messages thing when accessed using the wrong protocol is probably worth blocking the release on, so merging this PR effectively puts the release in limbo until we address the other thing.
I actually think the error message itself is fine so long as the port redirection feature is available, though it would be awesome if we could provide a more useful error message that points people to this configuration.
docs/migration/migrate_6_0.asciidoc
Outdated
=== Removed same port http to https redirect behavior | ||
*Details:* Kibana 5.x redirected requests from http to https on the same port if TLS was configured. This was removed. | ||
|
||
*Impact:* You may need to add a redirect on a different port if a redirect is expected. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know the plan here is to follow up with a different PR to handle port redirection stuff, but when this specific PR is merged, the reality is going to be that there is no way to do http -> https redirection in Kibana. We should update the breaking changes impact to mention that the only way to accomplish this would be to custom handle http -> https redirection in a reverse proxy or at the load balancer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The follow up PR that handles http -> https support will need to then modify this breaking change documentation, obviously.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My overall review comment makes this feedback moot, but I'm leaving it here for posterity's sake.
docs/migration/migrate_6_0.asciidoc
Outdated
|
||
[float] | ||
=== Removed same port http to https redirect behavior | ||
*Details:* Kibana 5.x redirected requests from http to https on the same port if TLS was configured. This was removed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than "This was removed", let's err on the side of more information even if it seems a bit redundant. Perhaps "Kibana 5.x redirected requests from http to https on the same port if TLS was configured. Starting in Kibana 6.0.0, Kibana no longer redirects basic http traffic to https."
I pushed a suggestion for redirecting http to https here. @epixa can you take a look? |
This reverts commit 47030b8.
83b6a9a
to
6e415ce
Compare
@@ -9,11 +9,11 @@ const NODE_MODULES = resolve(__dirname, '../../../../node_modules'); | |||
const NODE_DIR = resolve(process.execPath, '../..'); | |||
const PACKAGES = [ | |||
{ | |||
name: '@elastic/httpolyglot', | |||
version: '0.1.2-elasticpatch1', | |||
name: '@spalger/filesaver', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's switch this to being a controlled package that we know will always exist because we've created it specifically for this purpose. We can create an npm package under the @elastic org that does nothing except provide the license we want to verify against, and then we can depend on that package in our devDependencies. We should never need to update this test just because we decided to no longer depend on a given package in our source.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okey if I do it in a separate PR? (Just want to make sure this gets ready for 6.0)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah
import { format as formatUrl } from 'url'; | ||
import Hapi from 'hapi'; | ||
|
||
// If a redirect port is specified, we need to start a server a non-ssl |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we need to start a server a non-ssl server at this
doesn't english good.
const host = config.get('server.host'); | ||
const sslPort = config.get('server.port'); | ||
|
||
const redirectServer = new Hapi.Server(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We shouldn't block on this, but I really wish we just used a native node http server for this. I have much greater confidence in that abstraction in general than I do in hapi, both in terms of how lightweight it is, and how stable the API is.
This works though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we provide a more useful error message before exiting when the redirect port is the same as the main port? Right now it just does a generic error:
server log [13:11:39.894] [fatal] Port 5601 is already in use. Another instance of Kibana may be running!
FATAL Port 5601 is already in use. Another instance of Kibana may be running!
But ideally we'd instead say something specific to let the user know that ssl.server.redirectHttpFromPort cannot be set to the same port as server.port, or something like that.
LGTM other than the generic error message |
We're going to tackle the downgrading alongside this PR, so this feedback should be addressed with that.
server.ssl.redirectHttpFromPort
option added to allow for http -> https redirect from one port to anothernpm start -- --ssl
, or./bin/kibana --dev --ssl
Closes #10181
Release Note: Kibana 5.x redirected requests from http to https on the same port if TLS was configured. Starting in Kibana 6.0.0 Kibana no longer redirects basic http traffic to https.