From 7cefefc688f79fa8b583e9553c36fe4255b6ef4f Mon Sep 17 00:00:00 2001
From: Ry Biesemeyer
Date: Thu, 14 Oct 2021 06:07:00 +0000
Subject: [PATCH] api: when configured securely, bind to all available interfaces by default
---
config/logstash.yml | 10 +++++-----
docs/static/settings-file.asciidoc | 1 +
logstash-core/lib/logstash/webserver.rb | 9 ++++++++-
3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/config/logstash.yml b/config/logstash.yml
index a60621f0b34..8b938dee142 100644
--- a/config/logstash.yml
+++ b/config/logstash.yml
@@ -126,11 +126,11 @@
 #
 # api.enabled: true
 #
-# By default, the HTTP API is bound to only the host's local loopback interface,
-# ensuring that it is not accessible to the rest of the network. Because the API
-# includes neither authentication nor authorization and has not been hardened or
-# tested for use as a publicly-reachable API, binding to publicly accessible IPs
-# should be avoided where possible.
+# By default, the HTTP API is not secured and is therefore bound to only the
+# host's loopback interface, ensuring that it is not accessible to the rest of
+# the network.
+# When secured with SSL and Basic Auth, the API is bound to _all_ interfaces
+# unless configured otherwise.
 #
 # api.http.host: 127.0.0.1
 #
diff --git a/docs/static/settings-file.asciidoc b/docs/static/settings-file.asciidoc
index 724cfcdc092..7c3ac4434eb 100644
--- a/docs/static/settings-file.asciidoc
+++ b/docs/static/settings-file.asciidoc
@@ -246,6 +246,7 @@ Values other than `disabled` are currently considered BETA, and may produce unin | `api.http.host` | The bind address for the HTTP API endpoint. By default, the {ls} HTTP API binds only to the local loopback interface. + When configured securely (`api.ssl.enabled: true` and `api.auth.type: basic`), the HTTP API binds to _all_ available interfaces. | `"127.0.0.1"` | `api.http.port`
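Review bot: The rewritten comment in the `config/logstash.yml` hunk drops the earlier caveat that the API has not been hardened or tested for use as a publicly-reachable endpoint, and enabling SSL plus Basic Auth does not by itself retire that caveat. Consider keeping one sentence of it after the new `+# unless configured otherwise.` line, e.g. `# Even when secured, exposing the API beyond the hosts that need it should be avoided where possible.` The commented-out example `# api.http.host: 127.0.0.1` below it still reads as the unconditional default, while the new text makes the default depend on whether the API is secured; a short note that the example applies to the unsecured case would keep the two consistent.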
diff --git a/logstash-core/lib/logstash/webserver.rb b/logstash-core/lib/logstash/webserver.rb
index b17b2221340..d76f99daddf 100644
--- a/logstash-core/lib/logstash/webserver.rb
+++ b/logstash-core/lib/logstash/webserver.rb
@@ -33,7 +33,7 @@ class WebServer
 def self.from_settings(logger, agent, settings)
 options = {}
- options[:http_host] = settings.get('api.http.host')
+ options[:http_host] = settings.get('api.http.host') # may be overridden later if API configured securely
 options[:http_port] = settings.get('api.http.port')
 options[:http_environment] = settings.get('api.environment')
@@ -52,6 +52,13 @@ def self.from_settings(logger, agent, settings)
 options[:auth_basic] = auth_basic.freeze
 end
+ if !settings.set?('api.http.host')
+ if settings.get('api.ssl.enabled') && settings.get('api.auth.type') == 'basic'
+ logger.info("API configured securely with SSL and Basic Auth. Defaulting `api.http.host` to all available interfaces")
+ options[:http_host] = '0.0.0.0'
+ end
+ end
+
 new(logger, agent, options)
 end
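Review bot: The nested `if !settings.set?('api.http.host')` / `if settings.get('api.ssl.enabled') && ...` in the second hunk is two guards for a single decision and uses the `if !` form; one condition reads more directly, `if !settings.set?('api.http.host') && settings.get('api.ssl.enabled') && settings.get('api.auth.type') == 'basic'`, with the `logger.info` and `options[:http_host] = '0.0.0.0'` lines as its body. The widening relies on `settings.set?` being false only when the operator left `api.http.host` untouched; if it also reports false for an explicit entry equal to the default, an operator who pinned loopback on purpose would be widened without notice, which is worth confirming against the Settings implementation. `'0.0.0.0'` is an IPv4 wildcard, so the logged `to all available interfaces` holds only if the underlying server also listens on IPv6 for dual-stack hosts; if it does not, either the message or the address should say so. `from_settings` begins outside this hunk.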