Restrict requests with a Reporting network policy
editRestrict requests with a Reporting network policy
editWhen Reporting generates PDF reports, it uses the Chromium browser to fully load the Kibana page on the server. This potentially involves sending requests to external hosts. For example, a request might go to an external image server to show a field formatted as an image, or to show an image in a Markdown visualization.
If the Chromium browser is asked to send a request that violates the network policy, Reporting stops processing the page before the request goes out, and the report is marked as a failure. Additional information about the event is in the Kibana server logs.
Kibana installations are not designed to be publicly accessible over the Internet. The Reporting network policy and other capabilities of the Elastic Stack security features do not change this condition.
Configure a Reporting network policy
editYou configure the network policy by specifying the xpack.reporting.capture.networkPolicy.rules
setting in kibana.yml
. A policy is specified as
an array of objects that describe what to allow or deny based on a host or protocol. If a host or protocol
is not specified, the rule matches any host or protocol.
The rule objects are evaluated sequentially from the beginning to the end of the array, and continue until there is a matching rule. If no rules allow a request, the request is denied.
# Only allow requests to placeholder.com xpack.reporting.capture.networkPolicy: rules: [ { allow: true, host: "placeholder.com" } ]
# Only allow requests to https://placeholder.com xpack.reporting.capture.networkPolicy: rules: [ { allow: true, host: "placeholder.com", protocol: "https:" } ]
A final allow
rule with no host or protocol will allow all requests that are not explicitly denied.
# Denies requests from http://placeholder.com, but anything else is allowed. xpack.reporting.capture.networkPolicy: rules: [{ allow: false, host: "placeholder.com", protocol: "http:" }, { allow: true }];
A network policy can be composed of multiple rules.
# Allow any request to http://placeholder.com but for any other host, https is required xpack.reporting.capture.networkPolicy rules: [ { allow: true, host: "placeholder.com", protocol: "http:" }, { allow: true, protocol: "https:" }, ]
The file:
protocol is always denied, even if no network policy is configured.
Disable a Reporting network policy
editYou can use the xpack.reporting.capture.networkPolicy.enabled: false
setting to disable the network policy feature. The default for
this configuration property is true
, so it is not necessary to explicitly enable it.