This self-modified nginx.conf may be flushed by `apisix init`.

On Monday, November 18, 2019, liyong <chnliy...@gmail.com> wrote:

> The simplest method is to only allow loopback interface (127.0.0.1) access,
> this can be done in the nginx.conf:
>
>     location /apisix/admin {
>         allow 127.0.0.0/24;
>         deny all;
>
>         content_by_lua_block {
>             apisix.http_admin()
>         }
>     }
>
> We may also use another port for admin only and deny admin access for
> regular port, this separation is better.
> But I think the best practice in production is to separate the gateway host
> and admin host, the apisix instance on gateway host has its admin
> interface disabled,
> and the admin host only enables its admin interface.
>
> On Mon, Nov 18, 2019 at 10:56 AM Lang Wang <totemofw...@apache.org> wrote:
>
> > For the plugin example:
> >
> > curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
> > {
> >     "methods": ["GET"],
> >     "uri": "/index.html",
> >     "upstream": {
> >         "type": "roundrobin",
> >         "nodes": {
> >             "39.97.63.215:80": 1
> >         }
> >     }
> > }'
> >
> > The API seems to be without any authentication. So what is the best practice
> > to protect those sensitive APIs in prod env?
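
The separate-admin-port layout suggested in the thread, written out as an added example; it is not part of any message here and not the APISIX project's own configuration. Port 9080 is taken from the curl call quoted in the thread, the admin port 9180 is an assumption, and the fragment belongs inside the `http` block.

```nginx
# Added example. 9080 comes from the thread; 9180 is an assumed admin port.

# Regular gateway listener: reachable by clients, admin API refused here.
server {
    listen 9080;

    location /apisix/admin {
        deny all;              # the admin API is never served on the traffic port
    }

    # The gateway's existing locations stay in this server block unchanged.
}

# Admin-only listener: bound to loopback, so it is not reachable off-host
# even if the allow/deny rules below are later edited by mistake.
server {
    listen 127.0.0.1:9180;     # assumed admin port

    location /apisix/admin {
        allow 127.0.0.0/24;    # same rule as in the thread
        deny all;

        content_by_lua_block {
            apisix.http_admin()
        }
    }

    location / {
        return 404;            # nothing but the admin API on this listener
    }
}
```

Per the reply at the top of the thread, a hand-edited nginx.conf may be flushed by `apisix init`, so the restriction should be checked again after that command runs.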