c3b1b17916
* [Reporting] Document Network Policy configuration * Apply suggestions from code review Co-authored-by: Larry Gregory <lgregorydev@gmail.com> * Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * remove detail about policy acting on responses * Update docs/user/reporting/network-policy.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> * lowercase network policy * typo Co-authored-by: Larry Gregory <lgregorydev@gmail.com> Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
71 lines
3.2 KiB
Text
71 lines
3.2 KiB
Text
[role="xpack"]
|
|
[[reporting-network-policy]]
|
|
=== Restrict requests with a Reporting network policy
|
|
|
|
When Reporting generates PDF reports, it uses the Chromium browser to fully load the {kib} page on the server. This
|
|
potentially involves sending requests to external hosts. For example, a request might go to an external image server to show a
|
|
field formatted as an image, or to show an image in a Markdown visualization.
|
|
|
|
If the Chromium browser is asked to send a request that violates the network policy, Reporting stops processing the page
|
|
before the request goes out, and the report is marked as a failure. Additional information about the event is in
|
|
the Kibana server logs.
|
|
|
|
[NOTE]
|
|
============
|
|
{kib} installations are not designed to be publicly accessible over the Internet. The Reporting network policy and other capabilities
|
|
of the Elastic Stack security features do not change this condition.
|
|
============
|
|
|
|
==== Configure a Reporting network policy
|
|
|
|
You configure the network policy by specifying the `xpack.reporting.capture.networkPolicy.rules` setting in `kibana.yml`. A policy is specified as
|
|
an array of objects that describe what to allow or deny based on a host or protocol. If a host or protocol
|
|
is not specified, the rule matches any host or protocol.
|
|
|
|
The rule objects are evaluated sequentially from the beginning to the end of the array, and continue until there is a matching rule.
|
|
If no rules allow a request, the request is denied.
|
|
|
|
[source,yaml]
|
|
-------------------------------------------------------
|
|
# Only allow requests to placeholder.com
|
|
xpack.reporting.capture.networkPolicy:
|
|
rules: [ { allow: true, host: "placeholder.com" } ]
|
|
-------------------------------------------------------
|
|
|
|
[source,yaml]
|
|
-------------------------------------------------------
|
|
# Only allow requests to https://placeholder.com
|
|
xpack.reporting.capture.networkPolicy:
|
|
rules: [ { allow: true, host: "placeholder.com", protocol: "https:" } ]
|
|
-------------------------------------------------------
|
|
|
|
A final `allow` rule with no host or protocol will allow all requests that are not explicitly denied.
|
|
|
|
[source,yaml]
|
|
-------------------------------------------------------
|
|
# Denies requests from http://placeholder.com, but anything else is allowed.
|
|
xpack.reporting.capture.networkPolicy:
|
|
rules: [{ allow: false, host: "placeholder.com", protocol: "http:" }, { allow: true }];
|
|
-------------------------------------------------------
|
|
|
|
A network policy can be composed of multiple rules.
|
|
|
|
[source,yaml]
|
|
-------------------------------------------------------
|
|
# Allow any request to http://placeholder.com but for any other host, https is required
|
|
xpack.reporting.capture.networkPolicy
|
|
rules: [
|
|
{ allow: true, host: "placeholder.com", protocol: "http:" },
|
|
{ allow: true, protocol: "https:" },
|
|
]
|
|
-------------------------------------------------------
|
|
|
|
[NOTE]
|
|
============
|
|
The `file:` protocol is always denied, even if no network policy is configured.
|
|
============
|
|
|
|
==== Disable a Reporting network policy
|
|
|
|
You can use the `xpack.reporting.capture.networkPolicy.enabled: false` setting to disable the network policy feature. The default for
|
|
this configuration property is `true`, so it is not necessary to explicitly enable it.
|