
Calls to Kong cluster should be made from server not browser #22

Closed
BrianHutchison opened this issue Jan 28, 2016 · 5 comments

@BrianHutchison

For background, see this: Kong/kong#133

The Kong admin API has no authentication built into it, which means that anyone that has port access can make unfettered changes. The solution, as stated in the Kong issue above, is to firewall protect that server, typically port 8001.

However, kong-dashboard makes direct calls to that port, which won't work with a firewall in place.

I'd recommend having the browser call the kong-dashboard node server via a route that passes along the request to the defined Kong server (config.url) on port 8001. That way the server that kong-dashboard runs on is all that needs access to the Kong cluster, and not the machine that the browser is running from. So, instead of the Angular service in the browser going direct to the Kong cluster, it goes Angular service to node, and then from node to Kong.

Further extensions to kong-dashboard might include login authentication and authorization I presume, and then UI access can be protected, changes logged, etc.

I'm just evaluating Kong & kong-dashboard but if time allows and it would be welcome, might generate a supporting PR.

@DonMartin76

As a workaround, I usually open up an ssh tunnel to the kong instance (e.g. using PuTTY) and use some local port for communication over kong-dashboard, like so http://localhost:8001, with a tunnel from local port 8001 to kong server port 8001.

@PGBI
Owner

PGBI commented Jan 29, 2016

@BrianHutchison I see your point. But that would be a big code refactoring I cannot afford right now.

As suggested by @DonMartin76, you can ssh tunnel. Another option, which is what I personally do, is to have the Kong Admin API protected by the Kong gateway itself.

Let's say your kong node is hosted on x.x.x.x:

  • create an API in Kong with the following options:
    • request_path = "/kong"
    • upstream_url = "127.0.0.1:8001"
    • strip_request_path = true
  • protect this API with the basic-auth plugin,
  • enable the CORS plugin for this API
  • create a consumer with basic-auth credentials.

You can now protect the port 8001, and access kong admin API with kong dashboard at the address http://x.x.x.x:8000/kong using basic authentication.

@BrianHutchison
Author

@DonMartin76 Thanks for the work-around, it's a good idea but doesn't work really for what I'm trying to do. The goal is to enable employees from wherever their offices are to onboard API consumers (business partners), and they're not really set up for doing that. It would work for me personally as a dev for sure though.

@PGBI I think that could work for many use cases, I appreciate the suggestion.

@kamoljan

+1

@bjcooper

@PGBI, that's a really nifty solution. Would you consider adding it the project wiki or to the README? I dare say I wouldn't have come up with it myself—dug around for several hours before running across it in this issue.

5 participants