Skip to content

Commit

Permalink
Add docs on all available console server config options
Browse files Browse the repository at this point in the history
  • Loading branch information
Bargs committed Nov 30, 2016
1 parent cd3269b commit 9caac7a
Show file tree
Hide file tree
Showing 4 changed files with 62 additions and 11 deletions.
2 changes: 1 addition & 1 deletion docs/console.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -83,4 +83,4 @@ include::console/history.asciidoc[]

include::console/settings.asciidoc[]

include::console/disabling-console.asciidoc[]
include::console/configuring-console.asciidoc[]
57 changes: 57 additions & 0 deletions docs/console/configuring-console.asciidoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
[[configuring-console]]
== Configuring Console

You can add the following options in the `config/kibana.yml` file:

`console.enabled`:: *Default: true* Set to false to disable Console. Toggling this will cause the server to regenerate assets on the next startup, which may cause a delay before pages start being served.

`console.proxyFilter`:: *Default: `.*`* A list of regular expressions that are used to validate any outgoing request from Console. If none
of these match, the request will be rejected. See <<securing-console>> for more details.

`console.proxyConfig`:: A list of configuration options that are based on the proxy target. Use this to set custom timeouts or SSL settings for specific hosts. This is done by defining a set of `match` criteria using wildcards/globs which will be checked against each request. The configuration from all matching rules will then be merged together to configure the proxy used for that request.
+
The valid match keys are `match.protocol`, `match.host`, `match.port`, and `match.path`. All of these keys default to `*`, which means they will match any value.
+
Example:
+
[source,yaml]
--------
console.proxyConfig:
- match:
host: "*.internal.org" # allow any host that ends in .internal.org
port: "{9200..9299}" # allow any port from 9200-9299
ssl:
ca: "/opt/certs/internal.ca"
# "key" and "cert" are also valid options here
- match:
protocol: "https"
ssl:
verify: false # allows any certificate to be used, even self-signed certs
# since this rule has no "match" section it matches everything
- timeout: 180000 # 3 minutes
--------

[[securing-console]]
=== Securing Console

Console is meant to be used as a local development tool. As such, it will send requests to any host & port combination,
just as a local curl command would. To overcome the CORS limitations enforced by browsers, Console's Node.js backend
serves as a proxy to send requests on behalf of the browser. However, if put on a server and exposed to the internet
this can become a security risk. In those cases, we highly recommend you lock down the proxy by setting the
`console.proxyFilter` setting. The setting accepts a list of regular expressions that are evaluated against each URL
the proxy is requested to retrieve. If none of the regular expressions match the proxy will reject the request.

Here is an example configuration the only allows Console to connect to localhost:

[source,yaml]
--------
console.proxyFilter:
- ^https?://(localhost|127\.0\.0\.1|\[::0\]).*
--------

You will need to restart Kibana for these changes to take effect.

10 changes: 0 additions & 10 deletions docs/console/disabling-console.asciidoc

This file was deleted.

4 changes: 4 additions & 0 deletions docs/setup/settings.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,7 @@ The minimum value is 100.
`status.allowAnonymous`:: *Default: false* If authentication is enabled, setting this to `true` allows
unauthenticated users to access the Kibana server status API and status page.
`console.enabled`:: *Default: true* Set to false to disable Console. Toggling this will cause the server to regenerate assets on the next startup, which may cause a delay before pages start being served.
`console.proxyFilter`:: *Default: `.*`* A list of regular expressions that are used to validate any outgoing request from Console. If none of these match, the request will be rejected.
`console.proxyConfig`:: A list of configuration options that are based on the proxy target. Use this to set custom timeouts or SSL settings for specific hosts. This is done by defining a set of `match` criteria using wildcards/globs which will be checked against each request. The configuration from all matching rules will then be merged together to configure the proxy used for that request.
+
The valid match keys are `match.protocol`, `match.host`, `match.port`, and `match.path`. All of these keys default to `*`, which means they will match any value. See <<configuring-console>> for an example.

0 comments on commit 9caac7a

Please sign in to comment.