
What's the best practice to forbid other people from using the admin API? #1593

Closed
seedotlee opened this issue Sep 4, 2016 · 7 comments

Comments

@seedotlee

What's the best practice to forbid other people from using the admin API?

@WALL-E
Contributor

WALL-E commented Sep 4, 2016

The ngx_http_access_module module allows limiting access to certain client addresses; see its documentation.
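As an added illustration of this suggestion (it is not from the thread and not Kong's shipped configuration), here is what the allow/deny directives of ngx_http_access_module look like when placed in the server block that serves the Admin API port. The block name, the port and the trusted network are assumptions: 8001 is Kong's default Admin API port, 10.0.0.0/8 is a constructed placeholder, and Kong regenerates nginx-kong.conf from a template, so the change has to go into the template the running version uses rather than into the generated file.

```nginx
# Added example: restrict the Kong Admin API listener to trusted clients with
# ngx_http_access_module. 8001 is Kong's default Admin API port; the
# 10.0.0.0/8 range is a constructed placeholder for the operator's network.
server {
    server_name kong_admin;      # assumed block name (Kong 0.9-era nginx-kong.conf layout)
    listen 0.0.0.0:8001;         # weak as-is: reachable from every interface

    location / {
        allow 127.0.0.1;         # the Kong host itself (local CLI / scripts)
        allow 10.0.0.0/8;        # trusted admin network (placeholder)
        deny  all;               # every other client gets 403 before Kong's handler runs
        # ... Kong's existing Admin API content handler stays below ...
    }
}
```

The rules are evaluated top to bottom and the first match wins, so `deny all` has to come last. If the admin interface only ever needs to be reached from the machine itself, binding it to 127.0.0.1 via the `admin_listen` setting in kong.conf is simpler than maintaining an allow list in nginx.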

@Tieske
Member

Tieske commented Sep 5, 2016

Route the admin API through Kong itself and then apply whatever plugins you want to secure it.

@Tieske Tieske closed this as completed Sep 5, 2016
@seedotlee
Author

@Tieske It's cool! Could you give an example for route?

Rewrite the location in nginx-kong.conf?

POST http://localhost:8001/apis/

request body:

name:admin
upstream_url:http://localhost:8001
strip_request_path:true
request_path:/gateway

@Tieske
Member

Tieske commented Sep 7, 2016

yep, something like that ought to do it. But don't forget to add plugins and security!
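The route seedotlee sketched plus the "plugins and security" Tieske asks for, written out as an added example; this is not code from the thread or from Kong. It talks to the Kong 0.9-era Admin API (`/apis/`, `/apis/{name}/plugins/`, `/consumers/`) with the `ip-restriction` and `key-auth` plugins that shipped with it. The Admin API address, the whitelisted network and the consumer name `ops-admin` are assumptions; the API name `admin`, `upstream_url`, `request_path` and `strip_request_path` are the values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Kong): expose the Admin API through
# Kong's own proxy under /gateway, as seedotlee sketched, then add the plugins
# Tieske hints at: ip-restriction and key-auth. Request shapes follow the
# Kong 0.9-era Admin API (/apis/, /apis/{name}/plugins/, /consumers/).
set -eu

KONG_ADMIN="${KONG_ADMIN:-http://localhost:8001}"   # assumption: Admin API on the local default port
ADMIN_WHITELIST="${ADMIN_WHITELIST:-10.0.0.0/8}"     # constructed placeholder: trusted admin network
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print the requests instead of sending them

# kong_post PATH field=value ...  -> POST form fields to the Admin API.
kong_post() {
  path="$1"; shift
  if [ "$DRY_RUN" = "1" ]; then
    printf 'POST %s%s' "$KONG_ADMIN" "$path"
    for field in "$@"; do printf ' %s' "$field"; done
    printf '\n'
    return 0
  fi
  url="$KONG_ADMIN$path"
  # Turn every field=value into a --data-urlencode pair for curl
  # (the for-list is expanded once, so appending while shifting is safe).
  for field in "$@"; do
    set -- "$@" --data-urlencode "$field"
    shift
  done
  curl -sS -f -X POST "$url" "$@"
  printf '\n'
}

# 1. Register the Admin API itself as an upstream behind /gateway on the proxy port.
create_admin_route() {
  kong_post /apis/ name=admin "upstream_url=$KONG_ADMIN" request_path=/gateway strip_request_path=true
}

# 2. Only clients from the whitelisted network may reach /gateway.
restrict_admin_ips() {
  kong_post /apis/admin/plugins/ name=ip-restriction "config.whitelist=$ADMIN_WHITELIST"
}

# 3. Require an API key on /gateway and issue one to a single admin consumer.
require_admin_key() {
  kong_post /apis/admin/plugins/ name=key-auth
  kong_post /consumers/ username=ops-admin
  kong_post /consumers/ops-admin/key-auth/ "key=$1"
}

secure_admin_api() {
  create_admin_route
  restrict_admin_ips
  require_admin_key "$1"
}

# Usage: ADMIN_KEY=<secret> sh secure-admin-api.sh   (add DRY_RUN=1 to only print the requests)
if [ -n "${ADMIN_KEY:-}" ]; then
  secure_admin_api "$ADMIN_KEY"
fi
```

After this, administrators call `http://<kong-host>:8000/gateway/...` with an `apikey` from an allowed address, and every call passes through Kong's logging plugins like any other API. The route only helps once the raw admin port is no longer reachable from outside (iptables, as suggested later in the thread, or `admin_listen` bound to 127.0.0.1); otherwise the plugins guard one door while the original one stays open.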

@seedotlee
Author

Let Linux iptables close the admin port; that is the simplest thing that works.

@mdan1eli

Applying IP restrictions in the nginx conf (new releases ease it), firewall configuration and rerouting through Kong are all valid and work, but it is still a bit hard to explain to corporate IT security, where every admin layer must adopt RBAC and everything must be logged and auditable. I think this is related to #133 and #380.

I was wondering if nodes could have roles, so that the admin role could be granted to a different, non-DMZ node. Then network isolation, IP restriction and routing through Kong would be easier. Simpler topologies could share the admin and runtime roles.
On Thu, 8 Sep 2016 at 05:09, seedotlee wrote:

Let Linux iptables close the admin port; that is the simplest thing that works.

@p0pr0ck5
Contributor

p0pr0ck5 commented Jun 2, 2017

We have published a doc that highlights some of the best practices we suggest when considering securing the Admin API: https://getkong.org/docs/0.10.x/secure-admin-api/
