Add http2 support for Kibana server

docs/setup/settings.asciidoc

@@ -456,6 +456,14 @@ identifies this {kib} instance. *Default: `"your-hostname"`*
 {kib} is served by a back end server. This
 setting specifies the port to use. *Default: `5601`*
 
+`server.protocol`::
+experimental[] The http protocol to use, either `http1` or `http2`. Set to `http2` to enable `HTTP/2` support for the {kib} server. 
+*Default: `http1`*
++
+NOTE: By default, enabling `http2` requires a valid `h2c` configuration, meaning that TLS must be enabled via <<server-ssl-enabled, `server.ssl.enabled`>>
+and <<server-ssl-supportedProtocols, `server.ssl.supportedProtocols`>>, if specified, must contain at least `TLSv1.2` or `TLSv1.3`. Strict validation of
+the `h2c` setup can be disabled by adding `server.http2.allowUnsecure: true` to the configuration.
+
 [[server-requestId-allowFromAnyIp]] `server.requestId.allowFromAnyIp`::
 Sets whether or not the `X-Opaque-Id` header should be trusted from any IP address for identifying requests in logs and forwarded to Elasticsearch.
 

package.json

@@ -1627,6 +1627,8 @@
     "html": "1.0.0",
     "html-loader": "^1.3.2",
     "http-proxy": "^1.18.1",
+    "http2-proxy": "^5.0.53",
+    "http2-wrapper": "^2.2.1",
     "ignore": "^5.3.0",
     "jest": "^29.6.1",
     "jest-canvas-mock": "^2.5.2",

packages/core/http/core-http-router-server-internal/src/request.test.ts

@@ -217,18 +217,42 @@ describe('CoreKibanaRequest', () => {
     });
 
     describe('route.protocol property', () => {
-      it('return a static value for now as only http1 is supported', () => {
+      it('return the correct value for http/1.0 requests', () => {
         const request = hapiMocks.createRequest({
           raw: {
             req: {
-              httpVersion: '2.0',
+              httpVersion: '1.0',
+            },
+          },
+        });
+        const kibanaRequest = CoreKibanaRequest.from(request);
+
+        expect(kibanaRequest.protocol).toEqual('http1');
+      });
+      it('return the correct value for http/1.1 requests', () => {
+        const request = hapiMocks.createRequest({
+          raw: {
+            req: {
+              httpVersion: '1.1',
             },
           },
         });
         const kibanaRequest = CoreKibanaRequest.from(request);
 
         expect(kibanaRequest.protocol).toEqual('http1');
       });
+      it('return the correct value for http/2 requests', () => {
+        const request = hapiMocks.createRequest({
+          raw: {
+            req: {
+              httpVersion: '2.0',
+            },
+          },
+        });
+        const kibanaRequest = CoreKibanaRequest.from(request);
+
+        expect(kibanaRequest.protocol).toEqual('http2');
+      });
     });
 
     describe('route.options.authRequired property', () => {

packages/core/http/core-http-router-server-internal/src/request.ts

@@ -173,8 +173,7 @@ export class CoreKibanaRequest<
     });
 
     this.httpVersion = isRealReq ? request.raw.req.httpVersion : '1.0';
-    // hardcoded for now as only supporting http1
-    this.protocol = 'http1';
+    this.protocol = getProtocolFromHttpVersion(this.httpVersion);
 
     this.route = deepFreeze(this.getRouteInfo(request));
     this.socket = isRealReq
@@ -374,3 +373,7 @@ function sanitizeRequest(req: Request): { query: unknown; params: unknown; body:
     body: req.payload,
   };
 }
+
+function getProtocolFromHttpVersion(httpVersion: string): HttpProtocol {
+  return httpVersion.split('.')[0] === '2' ? 'http2' : 'http1';
+}

packages/core/http/core-http-router-server-internal/src/router.ts

@@ -35,6 +35,7 @@ import { HapiResponseAdapter } from './response_adapter';
 import { wrapErrors } from './error_wrapper';
 import { Method } from './versioned_router/types';
 import { prepareRouteConfigValidation } from './util';
+import { stripIllegalHttp2Headers } from './strip_illegal_http2_headers';
 
 export type ContextEnhancer<
   P,
@@ -265,6 +266,14 @@ export class Router<Context extends RequestHandlerContextBase = RequestHandlerCo
 
     try {
       const kibanaResponse = await handler(kibanaRequest, kibanaResponseFactory);
+      if (kibanaRequest.protocol === 'http2' && kibanaResponse.options.headers) {
+        kibanaResponse.options.headers = stripIllegalHttp2Headers({
+          headers: kibanaResponse.options.headers,
+          isDev: this.options.isDev ?? false,
+          logger: this.log,
+          requestContext: `${request.route.method} ${request.route.path}`,
+        });
+      }
       return hapiResponseAdapter.handle(kibanaResponse);
     } catch (error) {
       // capture error

packages/core/http/core-http-router-server-internal/src/strip_illegal_http2_headers.test.ts

@@ -0,0 +1,114 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { stripIllegalHttp2Headers } from './strip_illegal_http2_headers';
+import { loggerMock, MockedLogger } from '@kbn/logging-mocks';
+
+describe('stripIllegalHttp2Headers', () => {
+  let logger: MockedLogger;
+
+  beforeEach(() => {
+    logger = loggerMock.create();
+  });
+
+  it('removes illegal http2 headers', () => {
+    const headers = {
+      'x-foo': 'bar',
+      'x-hello': 'dolly',
+      connection: 'keep-alive',
+      'proxy-connection': 'keep-alive',
+      'keep-alive': 'true',
+      upgrade: 'probably',
+      'transfer-encoding': 'chunked',
+      'http2-settings': 'yeah',
+    };
+    const output = stripIllegalHttp2Headers({
+      headers,
+      isDev: false,
+      logger,
+      requestContext: 'requestContext',
+    });
+
+    expect(output).toEqual({
+      'x-foo': 'bar',
+      'x-hello': 'dolly',
+    });
+  });
+
+  it('ignores case when detecting headers', () => {
+    const headers = {
+      'x-foo': 'bar',
+      'x-hello': 'dolly',
+      Connection: 'keep-alive',
+      'Proxy-Connection': 'keep-alive',
+      'kEeP-AlIvE': 'true',
+    };
+    const output = stripIllegalHttp2Headers({
+      headers,
+      isDev: false,
+      logger,
+      requestContext: 'requestContext',
+    });
+
+    expect(output).toEqual({
+      'x-foo': 'bar',
+      'x-hello': 'dolly',
+    });
+  });
+
+  it('logs a warning about the illegal header when in dev mode', () => {
+    const headers = {
+      'x-foo': 'bar',
+      Connection: 'keep-alive',
+    };
+    stripIllegalHttp2Headers({
+      headers,
+      isDev: true,
+      logger,
+      requestContext: 'requestContext',
+    });
+
+    expect(logger.warn).toHaveBeenCalledTimes(1);
+    expect(logger.warn).toHaveBeenCalledWith(
+      `Handler for "requestContext" returned an illegal http2 header: Connection. Please check "request.protocol" in handlers before assigning connection headers`
+    );
+  });
+
+  it('does not log a warning about the illegal header when not in dev mode', () => {
+    const headers = {
+      'x-foo': 'bar',
+      Connection: 'keep-alive',
+    };
+    stripIllegalHttp2Headers({
+      headers,
+      isDev: false,
+      logger,
+      requestContext: 'requestContext',
+    });
+
+    expect(logger.warn).not.toHaveBeenCalled();
+  });
+
+  it('does not mutate the original headers', () => {
+    const headers = {
+      'x-foo': 'bar',
+      Connection: 'keep-alive',
+    };
+    stripIllegalHttp2Headers({
+      headers,
+      isDev: true,
+      logger,
+      requestContext: 'requestContext',
+    });
+
+    expect(headers).toEqual({
+      'x-foo': 'bar',
+      Connection: 'keep-alive',
+    });
+  });
+});

packages/core/http/core-http-router-server-internal/src/strip_illegal_http2_headers.ts

@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import type { Logger } from '@kbn/logging';
+import type { ResponseHeaders } from '@kbn/core-http-server';
+
+// from https://github.com/nodejs/node/blob/v22.2.0/lib/internal/http2/util.js#L557
+const ILLEGAL_HTTP2_CONNECTION_HEADERS = new Set([
+  'connection',
+  'proxy-connection',
+  'keep-alive',
+  'upgrade',
+  'transfer-encoding',
+  'http2-settings',
+]);
+
+/**
+ * Return a new version of the provided headers, with all illegal http2 headers removed.
+ * If `isDev` is `true`, will also log a warning if such header is encountered.
+ */
+export const stripIllegalHttp2Headers = ({
+  headers,
+  isDev,
+  logger,
+  requestContext,
+}: {
+  headers: ResponseHeaders;
+  isDev: boolean;
+  logger: Logger;
+  requestContext: string;
+}): ResponseHeaders => {
+  return Object.entries(headers).reduce((output, [headerName, headerValue]) => {
+    if (ILLEGAL_HTTP2_CONNECTION_HEADERS.has(headerName.toLowerCase())) {
+      if (isDev) {
+        logger.warn(
+          `Handler for "${requestContext}" returned an illegal http2 header: ${headerName}. Please check "request.protocol" in handlers before assigning connection headers`
+        );
+      }
+    } else {
+      output[headerName as keyof ResponseHeaders] = headerValue;
+    }
+    return output;
+  }, {} as ResponseHeaders);
+};

packages/core/http/core-http-router-server-internal/tsconfig.json

@@ -17,7 +17,8 @@
     "@kbn/hapi-mocks",
     "@kbn/core-logging-server-mocks",
     "@kbn/logging",
-    "@kbn/core-http-common"
+    "@kbn/core-http-common",
+    "@kbn/logging-mocks"
   ],
   "exclude": [
     "target/**/*",

packages/core/http/core-http-server-internal/src/http_config.test.ts

@@ -571,6 +571,73 @@ describe('cdn', () => {
   });
 });
 
+describe('http2 protocol', () => {
+  it('throws if http2 is enabled but TLS is not', () => {
+    expect(() =>
+      config.schema.validate({
+        protocol: 'http2',
+        ssl: {
+          enabled: false,
+        },
+      })
+    ).toThrowErrorMatchingInlineSnapshot(
+      `"http2 requires TLS to be enabled. Use 'http2.allowUnsecure: true' to allow running http2 without a valid h2c setup"`
+    );
+  });
+  it('throws if http2 is enabled but TLS has no suitable versions', () => {
+    expect(() =>
+      config.schema.validate({
+        protocol: 'http2',
+        ssl: {
+          enabled: true,
+          supportedProtocols: ['TLSv1.1'],
+          certificate: '/path/to/certificate',
+          key: '/path/to/key',
+        },
+      })
+    ).toThrowErrorMatchingInlineSnapshot(
+      `"http2 requires 'ssl.supportedProtocols' to include TLSv1.2 or TLSv1.3. Use 'http2.allowUnsecure: true' to allow running http2 without a valid h2c setup"`
+    );
+  });
+  it('does not throws if http2 is enabled and TLS is not if http2.allowUnsecure is true', () => {
+    expect(
+      config.schema.validate({
+        protocol: 'http2',
+        http2: {
+          allowUnsecure: true,
+        },
+        ssl: {
+          enabled: false,
+        },
+      })
+    ).toEqual(
+      expect.objectContaining({
+        protocol: 'http2',
+      })
+    );
+  });
+  it('does not throws if supportedProtocols are not valid for h2c if http2.allowUnsecure is true', () => {
+    expect(
+      config.schema.validate({
+        protocol: 'http2',
+        http2: {
+          allowUnsecure: true,
+        },
+        ssl: {
+          enabled: true,
+          supportedProtocols: ['TLSv1.1'],
+          certificate: '/path/to/certificate',
+          key: '/path/to/key',
+        },
+      })
+    ).toEqual(
+      expect.objectContaining({
+        protocol: 'http2',
+      })
+    );
+  });
+});
+
 describe('HttpConfig', () => {
   it('converts customResponseHeaders to strings or arrays of strings', () => {
     const httpSchema = config.schema;