The simplest method is to only allow loopback interface (127.0.0.1) access. This can be done in the nginx.conf:

    location /apisix/admin {
        allow 127.0.0.0/24;
        deny all;

        content_by_lua_block {
            apisix.http_admin()
        }
    }

We may also use another port for admin only and deny admin access on the regular port; this separation is better. But I think the best practice in production is to separate the gateway host and the admin host: the apisix instance on the gateway host has its admin interface disabled, and the admin host only enables its admin interface.

On Mon, Nov 18, 2019 at 10:56 AM Lang Wang <totemofw...@apache.org> wrote:
> For the plugin example:
>
> curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
> {
>     "methods": ["GET"],
>     "uri": "/index.html",
>     "upstream": {
>         "type": "roundrobin",
>         "nodes": {
>             "39.97.63.215:80": 1
>         }
>     }
> }'
>
> The API seems to be without any authentication. So what is the best practice
> to protect those sensitive APIs in a prod env?
>
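As an added illustration (not configuration from the original thread or from the APISIX project's own nginx.conf template), here is what the "separate admin port" variant described in the reply could look like as an nginx `http` fragment: the gateway listener on 9080 refuses /apisix/admin outright, and a second listener bound only to loopback serves the Admin API behind an allow list. The admin port 9180, the `deny all` on the gateway listener and the `return 404` fallback are assumptions made for this example; the `content_by_lua_block { apisix.http_admin() }` handler is the one shown in the reply.

```nginx
http {
    # Public gateway listener: regular proxy traffic only.
    server {
        listen 9080;

        # The Admin API must not be reachable through the gateway port,
        # whatever the client's source address is.
        location /apisix/admin {
            deny all;   # assumption for this example: 403 for everyone
        }

        # ... the regular gateway locations go here, unchanged ...
    }

    # Admin-only listener. Binding to 127.0.0.1 means the socket is not
    # reachable from the network at all; 9180 is an assumed port.
    server {
        listen 127.0.0.1:9180;

        location /apisix/admin {
            # ngx_http_access_module checks rules in order; the first match wins,
            # so a loopback client is allowed and every other client hits "deny all".
            # 127.0.0.0/8 is the full loopback range (the reply's 127.0.0.0/24
            # also covers 127.0.0.1).
            allow 127.0.0.0/8;
            deny all;

            content_by_lua_block {
                apisix.http_admin()
            }
        }

        # Anything else on the admin port is refused (assumption for this example).
        location / {
            return 404;
        }
    }
}
```

With the admin listener bound to 127.0.0.1, an operator has to reach it from the host itself (for example through an SSH tunnel); the allow/deny list is then a second guard that still holds if the `listen` address is later widened to an interface address.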