api: when configured securely, bind to all available interfaces by de…

…fault
elastic · Oct 14, 2021 · 909e65b · 909e65b
1 parent 77c3053
commit 909e65b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/docs/static/settings-file.asciidoc b/docs/static/settings-file.asciidoc
@@ -246,6 +246,7 @@ Values other than `disabled` are currently considered BETA, and may produce unin
 | `api.http.host`
 | The bind address for the HTTP API endpoint.
   By default, the {ls} HTTP API binds only to the local loopback interface.
+  When configured securely (`api.ssl.enabled: true` and `api.auth.type: basic`), the HTTP API binds to _all_ available interfaces.
 | `"127.0.0.1"`
 
 | `api.http.port`

diff --git a/logstash-core/lib/logstash/webserver.rb b/logstash-core/lib/logstash/webserver.rb
@@ -33,7 +33,7 @@ class WebServer
 
     def self.from_settings(logger, agent, settings)
       options = {}
-      options[:http_host] = settings.get('api.http.host')
+      options[:http_host] = settings.get('api.http.host') # may be overridden later if API configured securely
       options[:http_port] = settings.get('api.http.port')
       options[:http_environment] = settings.get('api.environment')
 
@@ -52,6 +52,13 @@ def self.from_settings(logger, agent, settings)
         options[:auth_basic] = auth_basic.freeze
       end
 
+      if !settings.set?('api.http.host')
+        if settings.get('api.ssl.enabled') && settings.get('api.auth.type') == 'basic'
+          logger.info("API configured securely with SSL and Basic Auth. Defaulting `api.http.host` to all available interfaces")
+          options[:http_host] = '0.0.0.0'
+        end
+      end
+
       new(logger, agent, options)
     end