api: when configured securely, bind to all available interfaces by de…

…fault
elastic · Oct 18, 2021 · a9ae89c · a9ae89c
1 parent 6be9ed4
commit a9ae89c
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/config/logstash.yml b/config/logstash.yml
@@ -126,11 +126,11 @@
 #
 # api.enabled: true
 #
-# By default, the HTTP API is bound to only the host's local loopback interface,
-# ensuring that it is not accessible to the rest of the network. Because the API
-# includes neither authentication nor authorization and has not been hardened or
-# tested for use as a publicly-reachable API, binding to publicly accessible IPs
-# should be avoided where possible.
+# By default, the HTTP API is not secured and is therefore bound to only the
+# host's loopback interface, ensuring that it is not accessible to the rest of
+# the network.
+# When secured with SSL and Basic Auth, the API is bound to _all_ interfaces
+# unless configured otherwise.
 #
 # api.http.host: 127.0.0.1
 #

diff --git a/docs/static/settings-file.asciidoc b/docs/static/settings-file.asciidoc
@@ -246,6 +246,7 @@ Values other than `disabled` are currently considered BETA, and may produce unin
 | `api.http.host`
 | The bind address for the HTTP API endpoint.
   By default, the {ls} HTTP API binds only to the local loopback interface.
+  When configured securely (`api.ssl.enabled: true` and `api.auth.type: basic`), the HTTP API binds to _all_ available interfaces.
 | `"127.0.0.1"`
 
 | `api.http.port`

diff --git a/logstash-core/lib/logstash/webserver.rb b/logstash-core/lib/logstash/webserver.rb
@@ -33,7 +33,7 @@ class WebServer
 
     def self.from_settings(logger, agent, settings)
       options = {}
-      options[:http_host] = settings.get('api.http.host')
+      options[:http_host] = settings.get('api.http.host') # may be overridden later if API configured securely
       options[:http_ports] = settings.get('api.http.port')
       options[:http_environment] = settings.get('api.environment')
 
@@ -57,8 +57,15 @@ def self.from_settings(logger, agent, settings)
         warn_ignored(logger, settings, "api.auth.basic.", "api.auth.type")
       end
 
+      if !settings.set?('api.http.host')
+        if settings.get('api.ssl.enabled') && settings.get('api.auth.type') == 'basic'
+          logger.info("API configured securely with SSL and Basic Auth. Defaulting `api.http.host` to all available interfaces")
+          options[:http_host] = '0.0.0.0'
+        end
+      end
+
       logger.debug("Initializing API WebServer",
-                   "api.http.host"        => settings.get("api.http.host"),
+                   "api.http.host"        => options[:http_host],
                    "api.http.port"        => settings.get("api.http.port"),
                    "api.ssl.enabled"      => settings.get("api.ssl.enabled"),
                    "api.auth.type"        => settings.get("api.auth.type"),