diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc index e6923d95fad7f..aba0eb3a6bab5 100644 --- a/docs/setup/settings.asciidoc +++ b/docs/setup/settings.asciidoc @@ -472,9 +472,9 @@ identifies this {kib} instance. *Default: `"your-hostname"`* {kib} is served by a back end server. This setting specifies the port to use. *Default: `5601`* -`server.protocol`:: -experimental[] The http protocol to use, either `http1` or `http2`. Set to `http2` to enable `HTTP/2` support for the {kib} server. -*Default: `http1`* +[[server-protocol]] `server.protocol`:: +experimental[] The http protocol to use, either `http1` or `http2`. Set to `http1` to opt out of `HTTP/2` support when TLS is enabled. Use of `http1` may impact browser loading performance especially for dashboards with many panels. +*Default*: `http2` if TLS is enabled, otherwise `http1`. + NOTE: By default, enabling `http2` requires a valid `h2c` configuration, meaning that TLS must be enabled via <> and <>, if specified, must contain at least `TLSv1.2` or `TLSv1.3`. Strict validation of diff --git a/docs/upgrade-notes.asciidoc b/docs/upgrade-notes.asciidoc index 20ffef01b9b01..efad12e457b1d 100644 --- a/docs/upgrade-notes.asciidoc +++ b/docs/upgrade-notes.asciidoc 
@@ -179,4 +179,25 @@ It will no longer be possible to create new scripted fields directly from the *D *Action* + Migrate to runtime fields or ES|QL instead of creating new scripted fields. Existing scripted fields can still be edited or deleted. +==== + + +[discrete] +[[known-issue-204384]] +.Now HTTP/2 is the default protocol when TLS is enabled and a deprecation warning appears if HTTP/2 is not enabled or TLS is not configured (9.0.0) +[%collapsible] +==== +*Details* + +Starting from version 9.0.0, HTTP/2 is the default protocol when TLS is enabled. This ensures improved performance and security. However, if HTTP/2 is not enabled or TLS is not configured, a deprecation warning will be added. + +For more information, refer to {kibana-pull}204384[#204384]. + +*Impact* + +Systems that have TLS enabled but don't specify a protocol will start using HTTP/2 in 9.0.0. +Systems that use HTTP/1 or don't have TLS configured will get a deprecation warning. + +*Action* + +Verify that TLS is properly configured by enabling it and providing valid certificates in the settings. Test your system to ensure that connections are established securely over HTTP/2. + +If your Kibana server is hosted behind a load balancer or reverse proxy we recommend testing your deployment configuration before upgrading to 9.0. ==== \ No newline at end of file diff --git a/packages/core/http/core-http-server-internal/src/http_config.test.ts b/packages/core/http/core-http-server-internal/src/http_config.test.ts index fa2fbe7ad9f36..d81e25fa364d1 100644 --- a/packages/core/http/core-http-server-internal/src/http_config.test.ts +++ b/packages/core/http/core-http-server-internal/src/http_config.test.ts 
@@ -577,6 +577,22 @@ describe('cdn', () => {
 });
 });
 
+describe('http1 protocol', () => {
+ it('uses http1 as default if protocol is empty and ssl is not enabled', () => {
+ expect(
+ config.schema.validate({
+ ssl: {
+ enabled: false,
+ },
+ })
+ ).toEqual(
+ expect.objectContaining({
+ protocol: 'http1',
+ })
+ );
+ });
+});
+
 describe('http2 protocol', () => {
 it('throws if http2 is enabled but TLS is not', () => {
 expect(() =>
@@ -642,6 +658,22 @@ describe('http2 protocol', () => {
 })
 );
 });
+ it('uses http2 as default if protocol is empty and ssl is enabled', () => {
+ expect(
+ config.schema.validate({
+ ssl: {
+ enabled: true,
+ supportedProtocols: ['TLSv1.2'],
+ certificate: '/path/to/certificate',
+ key: '/path/to/key',
+ },
+ })
+ ).toEqual(
+ expect.objectContaining({
+ protocol: 'http2',
+ })
+ );
+ });
 });
 
 describe('HttpConfig', () => {
diff --git a/packages/core/http/core-http-server-internal/src/http_config.ts b/packages/core/http/core-http-server-internal/src/http_config.ts
index 4ba9bcb9e88be..6503bd2c87dde 100644
--- a/packages/core/http/core-http-server-internal/src/http_config.ts
+++ b/packages/core/http/core-http-server-internal/src/http_config.ts
@@ -17,6 +17,7 @@ import { uuidRegexp } from '@kbn/core-base-server-internal';
 import type { HttpProtocol, ICspConfig, IExternalUrlConfig } from '@kbn/core-http-server';
 import type { IHttpEluMonitorConfig } from '@kbn/core-http-server/src/elu_monitor';
 import type { HandlerResolutionStrategy } from '@kbn/core-http-router-server-internal';
+import { get } from 'lodash';
 import { CspConfig, CspConfigType } from './csp';
 import { ExternalUrlConfig } from './external_url';
 import {
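Review bot: Neither new test covers the configuration the integration test in config_deprecation.test.ts relies on, where `ssl` is omitted entirely and the conditional's `schema.siblingRef('ssl.enabled')` must resolve against the schema default rather than an explicit `enabled: false`. The first test pins the explicit case only; a sibling case pinning the implicit one is a single line, `expect(config.schema.validate({})).toEqual(expect.objectContaining({ protocol: 'http1' }));`. The second hunk's `enabled: true` case is fine as written since TLS-on is what flips the default, but the same observation applies if `siblingRef` semantics differ for absent keys, which cannot be confirmed from this diff.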
@@ -123,9 +124,16 @@ const configSchema = schema.object(
 }
 },
 }),
- protocol: schema.oneOf([schema.literal('http1'), schema.literal('http2')], {
- defaultValue: 'http1',
- }),
+ protocol: schema.conditional(
+ schema.siblingRef('ssl.enabled'),
+ schema.literal(true),
+ schema.oneOf([schema.literal('http1'), schema.literal('http2')], {
+ defaultValue: 'http2',
+ }),
+ schema.oneOf([schema.literal('http1'), schema.literal('http2')], {
+ defaultValue: 'http1',
+ })
+ ),
 host: schema.string({
 defaultValue: 'localhost',
 hostname: true,
@@ -290,7 +298,27 @@ export type HttpConfigType = TypeOf;
 export const config: ServiceConfigDescriptor = {
 path: 'server' as const,
 schema: configSchema,
- deprecations: ({ rename }) => [rename('maxPayloadBytes', 'maxPayload', { level: 'warning' })],
+ deprecations: ({ rename }) => [
+ rename('maxPayloadBytes', 'maxPayload', { level: 'warning' }),
+ (settings, fromPath, addDeprecation, { docLinks }) => {
+ const cfg = get(settings, fromPath);
+ if (!cfg?.ssl?.enabled || cfg?.protocol === 'http1') {
+ addDeprecation({
+ level: 'warning',
+ title: `Consider enabling TLS and using HTTP/2 to improve security and performance.`,
+ configPath: `${fromPath}.protocol,${fromPath}.ssl.enabled`,
+ message: `TLS is not enabled, or the HTTP protocol is set to HTTP/1. Enabling TLS and using HTTP/2 improves security and performance.`,
+ correctiveActions: {
+ manualSteps: [
+ `Set up TLS by configuring ${fromPath}.ssl.`,
+ `Set the protocol to 'http2' by updating ${fromPath}.protocol to 'http2' in your configuration.`,
+ ],
+ },
+ documentationUrl: docLinks.server.protocol,
+ });
+ }
+ },
+ ],
 };
 
 export class HttpConfig implements IHttpConfig {
diff --git a/src/core/server/integration_tests/config/config_deprecation.test.ts b/src/core/server/integration_tests/config/config_deprecation.test.ts
index 42425f10a4c97..bdc9e3442c0f0 100644
--- a/src/core/server/integration_tests/config/config_deprecation.test.ts
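Review bot: Both branches of the new `schema.conditional` repeat the same `schema.oneOf([schema.literal('http1'), schema.literal('http2')], …)` with only `defaultValue` differing, so a future protocol value has to be added in two places; hoisting it into one helper, e.g. `const protocolSchema = (defaultValue: HttpProtocol) => schema.oneOf([schema.literal('http1'), schema.literal('http2')], { defaultValue });`, keeps a single source of truth (`HttpProtocol` is already imported as a type in this file). A reader of this object also cannot see why the default depends on `ssl.enabled`, so a comment on the `protocol:` key such as `// Default follows TLS: http2 once server.ssl.enabled is true, http1 otherwise; http2 without TLS is rejected by validation (see the 'throws if http2 is enabled but TLS is not' test)` would document the coupling, with the location of that rejection confirmed since it is not in this hunk. `configSchema` begins before the hunk.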
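Review bot: The single condition `!cfg?.ssl?.enabled || cfg?.protocol === 'http1'` in the new deprecation merges two distinct situations into one message and one set of manual steps, so an operator who already has TLS on but pinned `http1` is still told to "set up TLS", and `configPath` names both keys regardless of which applies. Splitting the check lets each warning state the actual condition and only the relevant corrective step; the integration test in config_deprecation.test.ts asserts the current message verbatim, so it would need the TLS-off wording. Deployments that terminate TLS at a reverse proxy (which the upgrade note itself mentions) will see this warning on every start with no way to clear it short of enabling TLS in Kibana, so the TLS-off message should say it refers to Kibana's own listener. `settings` here is the raw config read via lodash `get` rather than the validated object, so whether `ssl.enabled` can arrive as a non-boolean at this point is not visible in the hunk and is worth confirming.
```typescript
  deprecations: ({ rename }) => [
    // … unchanged: rename('maxPayloadBytes', …) entry …
    (settings, fromPath, addDeprecation, { docLinks }) => {
      const cfg = get(settings, fromPath);
      if (!cfg?.ssl?.enabled) {
        addDeprecation({
          level: 'warning',
          title: 'Consider enabling TLS and using HTTP/2 to improve security and performance.',
          configPath: `${fromPath}.ssl.enabled`,
          message: `TLS is not enabled on the Kibana server listener (${fromPath}.ssl.enabled). Enabling TLS makes HTTP/2 the default protocol and improves security and performance.`,
          correctiveActions: {
            manualSteps: [`Set up TLS by configuring ${fromPath}.ssl.`],
          },
          documentationUrl: docLinks.server.protocol,
        });
      } else if (cfg?.protocol === 'http1') {
        addDeprecation({
          level: 'warning',
          title: 'Consider using HTTP/2 to improve performance.',
          configPath: `${fromPath}.protocol`,
          message: `The HTTP protocol is set to HTTP/1. Using HTTP/2 improves performance.`,
          correctiveActions: {
            manualSteps: [
              `Set the protocol to 'http2' by updating ${fromPath}.protocol to 'http2' in your configuration.`,
            ],
          },
          documentationUrl: docLinks.server.protocol,
        });
      }
    },
  ],
```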
+++ b/src/core/server/integration_tests/config/config_deprecation.test.ts @@ -26,14 +26,17 @@ describe('configuration deprecations', () => { }); if (getFips() === 0) { - it('should not log deprecation warnings for default configuration', async () => { + it('should log one warning for default configuration, the http/tls deprecation warning', async () => { root = createRoot(); await root.preboot(); await root.setup(); const logs = loggingSystemMock.collect(mockLoggingSystem); - expect(logs.warn.flat()).toHaveLength(0); + expect(logs.warn.flat()).toHaveLength(1); + expect(logs.warn.flat()[0]).toEqual( + 'TLS is not enabled, or the HTTP protocol is set to HTTP/1. Enabling TLS and using HTTP/2 improves security and performance.' + ); }); } else { it('fips is enabled and the default configuration has been overridden', () => { diff --git a/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts b/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts index 881dbf2069c60..f391114a85f26 100644 --- a/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts +++ b/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts @@ -469,6 +469,9 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D ruleApiOverview: `${SECURITY_SOLUTION_DOCS}rule-api-overview.html`, configureAlertSuppression: `${SECURITY_SOLUTION_DOCS}alert-suppression.html#_configure_alert_suppression`, }, + server: { + protocol: `${KIBANA_DOCS}settings.html#server-protocol`, + }, securitySolution: { artifactControl: `${SECURITY_SOLUTION_DOCS}artifact-control.html`, avcResults: `${ELASTIC_WEBSITE_URL}blog/elastic-av-comparatives-business-security-test`, diff --git a/src/platform/packages/shared/kbn-doc-links/src/types.ts b/src/platform/packages/shared/kbn-doc-links/src/types.ts index fd1c2cf8fe3ca..d561c8b214fb1 100644 --- a/src/platform/packages/shared/kbn-doc-links/src/types.ts +++ b/src/platform/packages/shared/kbn-doc-links/src/types.ts 
@@ -337,6 +337,9 @@ export interface DocLinks {
 readonly ruleApiOverview: string;
 readonly configureAlertSuppression: string;
 };
+ readonly server: {
+ readonly protocol: string;
+ };
 readonly securitySolution: {
 readonly aiAssistant: string;
 readonly artifactControl: string;
diff --git a/test/server_integration/http/ssl_redirect/config.ts b/test/server_integration/http/ssl_redirect/config.ts
index 4bf1c09e57ba8..558ab873ba2a6 100644
--- a/test/server_integration/http/ssl_redirect/config.ts
+++ b/test/server_integration/http/ssl_redirect/config.ts
@@ -58,6 +58,9 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
 `--server.ssl.key=${KBN_KEY_PATH}`,
 `--server.ssl.certificate=${KBN_CERT_PATH}`,
 `--server.ssl.redirectHttpFromPort=${redirectPort}`,
+ // supertest is configured with http1 so it fails when redirecting
+ // to an http2 server
+ `--server.protocol=http1`,
 ],
 },
 };
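Review bot: Forcing `--server.protocol=http1` in the ssl_redirect config means this suite no longer exercises `server.ssl.redirectHttpFromPort` under the new default (TLS on, therefore http2), so the redirect-into-HTTP/2 path that every upgraded TLS deployment will take is now untested. The comment attributes the failure to the supertest client speaking HTTP/1; if that is the only reason, it is worth saying so and leaving a pointer, e.g. `// TODO: remove once the test client can follow redirects to an HTTP/2 listener`, so the override is not later read as a product limitation. The enclosing config function starts before the hunk.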