Restrict requests with a Reporting network policyedit

When Reporting generates PDF reports, it uses the Chromium browser to fully load the Kibana page on the server. This potentially involves sending requests to external hosts. For example, a request might go to an external image server to show a field formatted as an image, or to show an image in a Markdown visualization.

If the Chromium browser is asked to send a request that violates the network policy, Reporting stops processing the page before the request goes out, and the report is marked as a failure. Additional information about the event is in the Kibana server logs.

Kibana installations are not designed to be publicly accessible over the Internet. The Reporting network policy and other capabilities of the Elastic Stack security features do not change this condition.

Configure a Reporting network policyedit

You configure the network policy by specifying the xpack.reporting.capture.networkPolicy.rules setting in kibana.yml. A policy is specified as an array of objects that describe what to allow or deny based on a host or protocol. If a host or protocol is not specified, the rule matches any host or protocol.

The rule objects are evaluated sequentially from the beginning to the end of the array, and continue until there is a matching rule. If no rules allow a request, the request is denied.

# Only allow requests to placeholder.com
xpack.reporting.capture.networkPolicy:
  rules: [ { allow: true, host: "placeholder.com" } ]
# Only allow requests to https://placeholder.com
xpack.reporting.capture.networkPolicy:
  rules: [ { allow: true, host: "placeholder.com", protocol: "https:" } ]

A final allow rule with no host or protocol will allow all requests that are not explicitly denied.

# Denies requests from http://placeholder.com, but anything else is allowed.
xpack.reporting.capture.networkPolicy:
  rules: [{ allow: false, host: "placeholder.com", protocol: "http:" }, { allow: true }];

A network policy can be composed of multiple rules.

# Allow any request to http://placeholder.com but for any other host, https is required
xpack.reporting.capture.networkPolicy
  rules: [
    { allow: true, host: "placeholder.com", protocol: "http:" },
    { allow: true, protocol: "https:" },
  ]

The file: protocol is always denied, even if no network policy is configured.

Disable a Reporting network policyedit

You can use the xpack.reporting.capture.networkPolicy.enabled: false setting to disable the network policy feature. The default for this configuration property is true, so it is not necessary to explicitly enable it.