|
| 1 | +[[configuring-console]] |
| 2 | +== Configuring Console |
| 3 | + |
| 4 | +You can add the following options in the `config/kibana.yml` file: |
| 5 | + |
| 6 | +`console.enabled`:: *Default: true* Set to false to disable Console. Toggling this will cause the server to regenerate assets on the next startup, which may cause a delay before pages start being served. |
| 7 | + |
| 8 | +`console.proxyFilter`:: *Default: `.*`* A list of regular expressions that are used to validate any outgoing request from Console. If none |
| 9 | + of these match, the request will be rejected. See <<securing-console>> for more details. |
| 10 | + |
| 11 | +`console.proxyConfig`:: A list of configuration options that are based on the proxy target. Use this to set custom timeouts or SSL settings for specific hosts. This is done by defining a set of `match` criteria using wildcards/globs which will be checked against each request. The configuration from all matching rules will then be merged together to configure the proxy used for that request. |
| 12 | ++ |
| 13 | +The valid match keys are `match.protocol`, `match.host`, `match.port`, and `match.path`. All of these keys default to `*`, which means they will match any value. |
| 14 | ++ |
| 15 | +Example: |
| 16 | ++ |
| 17 | +[source,yaml] |
| 18 | +-------- |
| 19 | +console.proxyConfig: |
| 20 | + - match: |
| 21 | + host: "*.internal.org" # allow any host that ends in .internal.org |
| 22 | + port: "{9200..9299}" # allow any port from 9200-9299 |
| 23 | +
|
| 24 | + ssl: |
| 25 | + ca: "/opt/certs/internal.ca" |
| 26 | + # "key" and "cert" are also valid options here |
| 27 | +
|
| 28 | + - match: |
| 29 | + protocol: "https" |
| 30 | +
|
| 31 | + ssl: |
| 32 | + verify: false # allows any certificate to be used, even self-signed certs |
| 33 | +
|
| 34 | + # since this rule has no "match" section it matches everything |
| 35 | + - timeout: 180000 # 3 minutes |
| 36 | +-------- |
| 37 | + |
| 38 | +[[securing-console]] |
| 39 | +=== Securing Console |
| 40 | + |
| 41 | +Console is meant to be used as a local development tool. As such, it will send requests to any host & port combination, |
| 42 | +just as a local curl command would. To overcome the CORS limitations enforced by browsers, Console's Node.js backend |
| 43 | +serves as a proxy to send requests on behalf of the browser. However, if put on a server and exposed to the internet |
| 44 | +this can become a security risk. In those cases, we highly recommend you lock down the proxy by setting the |
| 45 | +`console.proxyFilter` setting. The setting accepts a list of regular expressions that are evaluated against each URL |
| 46 | + the proxy is requested to retrieve. If none of the regular expressions match the proxy will reject the request. |
| 47 | + |
| 48 | +Here is an example configuration the only allows Console to connect to localhost: |
| 49 | + |
| 50 | +[source,yaml] |
| 51 | +-------- |
| 52 | +console.proxyFilter: |
| 53 | + - ^https?://(localhost|127\.0\.0\.1|\[::0\]).* |
| 54 | +-------- |
| 55 | + |
| 56 | +You will need to restart Kibana for these changes to take effect. |
| 57 | + |