Set HTTP2 as default is SSL is enabled and add deprecation log if SSL…

… is not enabled or protocol is set to HTTP1 (#204384) ## Summary resolves #194067 Set HTTP2 as default if ssl is enabled. resolves #194065 Add deprecation log if ssl is not enabled or if protocol is set to http1 <img width="1665" alt="Screenshot 2024-12-17 at 17 06 50" src="https://github.com/user-attachments/assets/3bc7ff57-1079-4a27-90d2-88f3e09093d6" /> <img width="1727" alt="Screenshot 2024-12-17 at 17 06 22" src="https://github.com/user-attachments/assets/d5489705-6cd6-4e09-8327-fdd0f54292ea" /> ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ### Identify risks Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ... --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Rudolf Meijering <[email protected]>
elastic · Jan 3, 2025 · 1b1d64b · 1b1d64b
1 parent 2e92018
commit 1b1d64b
Show file tree

Hide file tree

Showing 8 changed files with 102 additions and 9 deletions.
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
@@ -472,9 +472,9 @@ identifies this {kib} instance. *Default: `"your-hostname"`*
 {kib} is served by a back end server. This
 setting specifies the port to use. *Default: `5601`*
 
-`server.protocol`::
-experimental[] The http protocol to use, either `http1` or `http2`. Set to `http2` to enable `HTTP/2` support for the {kib} server.
-*Default: `http1`*
+[[server-protocol]] `server.protocol`::
+experimental[] The http protocol to use, either `http1` or `http2`. Set to `http1` to opt out of `HTTP/2` support when TLS is enabled. Use of `http1` may impact browser loading performance especially for dashboards with many panels.
+*Default*: `http2` if TLS is enabled, otherwise `http1`.
 +
 NOTE: By default, enabling `http2` requires a valid `h2c` configuration, meaning that TLS must be enabled via <<server-ssl-enabled, `server.ssl.enabled`>>
 and <<server-ssl-supportedProtocols, `server.ssl.supportedProtocols`>>, if specified, must contain at least `TLSv1.2` or `TLSv1.3`. Strict validation of

diff --git a/docs/upgrade-notes.asciidoc b/docs/upgrade-notes.asciidoc
@@ -179,4 +179,25 @@ It will no longer be possible to create new scripted fields directly from the *D
 
 *Action* +
 Migrate to runtime fields or ES|QL instead of creating new scripted fields. Existing scripted fields can still be edited or deleted.
+====
+
+
+[discrete]
+[[known-issue-204384]]
+.Now HTTP/2 is the default protocol when TLS is enabled and a deprecation warning appears if HTTP/2 is not enabled or TLS is not configured (9.0.0)
+[%collapsible]
+====
+*Details* +
+Starting from version 9.0.0, HTTP/2 is the default protocol when TLS is enabled. This ensures improved performance and security. However, if HTTP/2 is not enabled or TLS is not configured, a deprecation warning will be added.
+
+For more information, refer to {kibana-pull}204384[#204384].
+
+*Impact* +
+Systems that have TLS enabled but don't specify a protocol will start using HTTP/2 in 9.0.0.
+Systems that use HTTP/1 or don't have TLS configured will get a deprecation warning.
+
+*Action* +
+Verify that TLS is properly configured by enabling it and providing valid certificates in the settings. Test your system to ensure that connections are established securely over HTTP/2.
+
+If your Kibana server is hosted behind a load balancer or reverse proxy we recommend testing your deployment configuration before upgrading to 9.0. 
 ====
diff --git a/packages/core/http/core-http-server-internal/src/http_config.test.ts b/packages/core/http/core-http-server-internal/src/http_config.test.ts
@@ -577,6 +577,22 @@ describe('cdn', () => {
   });
 });
 
+describe('http1 protocol', () => {
+  it('uses http1 as default if protocol is empty and ssl is not enabled', () => {
+    expect(
+      config.schema.validate({
+        ssl: {
+          enabled: false,
+        },
+      })
+    ).toEqual(
+      expect.objectContaining({
+        protocol: 'http1',
+      })
+    );
+  });
+});
+
 describe('http2 protocol', () => {
   it('throws if http2 is enabled but TLS is not', () => {
     expect(() =>
@@ -642,6 +658,22 @@ describe('http2 protocol', () => {
       })
     );
   });
+  it('uses http2 as default if protocol is empty and ssl is enabled', () => {
+    expect(
+      config.schema.validate({
+        ssl: {
+          enabled: true,
+          supportedProtocols: ['TLSv1.2'],
+          certificate: '/path/to/certificate',
+          key: '/path/to/key',
+        },
+      })
+    ).toEqual(
+      expect.objectContaining({
+        protocol: 'http2',
+      })
+    );
+  });
 });
 
 describe('HttpConfig', () => {

diff --git a/packages/core/http/core-http-server-internal/src/http_config.ts b/packages/core/http/core-http-server-internal/src/http_config.ts
@@ -17,6 +17,7 @@ import { uuidRegexp } from '@kbn/core-base-server-internal';
 import type { HttpProtocol, ICspConfig, IExternalUrlConfig } from '@kbn/core-http-server';
 import type { IHttpEluMonitorConfig } from '@kbn/core-http-server/src/elu_monitor';
 import type { HandlerResolutionStrategy } from '@kbn/core-http-router-server-internal';
+import { get } from 'lodash';
 import { CspConfig, CspConfigType } from './csp';
 import { ExternalUrlConfig } from './external_url';
 import {
@@ -123,9 +124,16 @@ const configSchema = schema.object(
         }
       },
     }),
-    protocol: schema.oneOf([schema.literal('http1'), schema.literal('http2')], {
-      defaultValue: 'http1',
-    }),
+    protocol: schema.conditional(
+      schema.siblingRef('ssl.enabled'),
+      schema.literal(true),
+      schema.oneOf([schema.literal('http1'), schema.literal('http2')], {
+        defaultValue: 'http2',
+      }),
+      schema.oneOf([schema.literal('http1'), schema.literal('http2')], {
+        defaultValue: 'http1',
+      })
+    ),
     host: schema.string({
       defaultValue: 'localhost',
       hostname: true,
@@ -290,7 +298,27 @@ export type HttpConfigType = TypeOf<typeof configSchema>;
 export const config: ServiceConfigDescriptor<HttpConfigType> = {
   path: 'server' as const,
   schema: configSchema,
-  deprecations: ({ rename }) => [rename('maxPayloadBytes', 'maxPayload', { level: 'warning' })],
+  deprecations: ({ rename }) => [
+    rename('maxPayloadBytes', 'maxPayload', { level: 'warning' }),
+    (settings, fromPath, addDeprecation, { docLinks }) => {
+      const cfg = get(settings, fromPath);
+      if (!cfg?.ssl?.enabled || cfg?.protocol === 'http1') {
+        addDeprecation({
+          level: 'warning',
+          title: `Consider enabling TLS and using HTTP/2 to improve security and performance.`,
+          configPath: `${fromPath}.protocol,${fromPath}.ssl.enabled`,
+          message: `TLS is not enabled, or the HTTP protocol is set to HTTP/1. Enabling TLS and using HTTP/2 improves security and performance.`,
+          correctiveActions: {
+            manualSteps: [
+              `Set up TLS by configuring ${fromPath}.ssl.`,
+              `Set the protocol to 'http2' by updating ${fromPath}.protocol to 'http2' in your configuration.`,
+            ],
+          },
+          documentationUrl: docLinks.server.protocol,
+        });
+      }
+    },
+  ],
 };
 
 export class HttpConfig implements IHttpConfig {

diff --git a/src/core/server/integration_tests/config/config_deprecation.test.ts b/src/core/server/integration_tests/config/config_deprecation.test.ts
@@ -26,14 +26,17 @@ describe('configuration deprecations', () => {
   });
 
   if (getFips() === 0) {
-    it('should not log deprecation warnings for default configuration', async () => {
+    it('should log one warning for default configuration, the http/tls deprecation warning', async () => {
       root = createRoot();
 
       await root.preboot();
       await root.setup();
 
       const logs = loggingSystemMock.collect(mockLoggingSystem);
-      expect(logs.warn.flat()).toHaveLength(0);
+      expect(logs.warn.flat()).toHaveLength(1);
+      expect(logs.warn.flat()[0]).toEqual(
+        'TLS is not enabled, or the HTTP protocol is set to HTTP/1. Enabling TLS and using HTTP/2 improves security and performance.'
+      );
     });
   } else {
     it('fips is enabled and the default configuration has been overridden', () => {

diff --git a/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts b/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts
@@ -469,6 +469,9 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D
       ruleApiOverview: `${SECURITY_SOLUTION_DOCS}rule-api-overview.html`,
       configureAlertSuppression: `${SECURITY_SOLUTION_DOCS}alert-suppression.html#_configure_alert_suppression`,
     },
+    server: {
+      protocol: `${KIBANA_DOCS}settings.html#server-protocol`,
+    },
     securitySolution: {
       artifactControl: `${SECURITY_SOLUTION_DOCS}artifact-control.html`,
       avcResults: `${ELASTIC_WEBSITE_URL}blog/elastic-av-comparatives-business-security-test`,

diff --git a/src/platform/packages/shared/kbn-doc-links/src/types.ts b/src/platform/packages/shared/kbn-doc-links/src/types.ts
@@ -337,6 +337,9 @@ export interface DocLinks {
     readonly ruleApiOverview: string;
     readonly configureAlertSuppression: string;
   };
+  readonly server: {
+    readonly protocol: string;
+  };
   readonly securitySolution: {
     readonly aiAssistant: string;
     readonly artifactControl: string;

diff --git a/test/server_integration/http/ssl_redirect/config.ts b/test/server_integration/http/ssl_redirect/config.ts
@@ -58,6 +58,9 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
         `--server.ssl.key=${KBN_KEY_PATH}`,
         `--server.ssl.certificate=${KBN_CERT_PATH}`,
         `--server.ssl.redirectHttpFromPort=${redirectPort}`,
+        // supertest is configured with http1 so it fails when redirecting
+        // to an http2 server
+        `--server.protocol=http1`,
       ],
     },
   };