Maybe the best practices we talked about can be applied back to apisix, like a dev mode and a prod mode.
On Mon, Nov 18, 2019 at 8:40 PM Lang Wang <totemofw...@apache.org> wrote:

> This self-modified nginx.conf may be flushed by `apisix init`.
>
> On Monday, November 18, 2019, liyong <chnliy...@gmail.com> wrote:
>
> > The simplest method is to only allow the loopback interface (127.0.0.1)
> > access; this can be done in nginx.conf:
> >
> >     location /apisix/admin {
> >         allow 127.0.0.0/24;
> >         deny all;
> >
> >         content_by_lua_block {
> >             apisix.http_admin()
> >         }
> >     }
> >
> > We may also use another port for admin only and deny admin access for the
> > regular port; this separation is better.
> > But I think the best practice in production is to separate the gateway host
> > and the admin host: the apisix instance on the gateway host has its admin
> > interface disabled, and the admin host only enables its admin interface.
> >
> > On Mon, Nov 18, 2019 at 10:56 AM Lang Wang <totemofw...@apache.org> wrote:
> >
> > > For the plugin example:
> > >
> > >     curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
> > >     {
> > >         "methods": ["GET"],
> > >         "uri": "/index.html",
> > >         "upstream": {
> > >             "type": "roundrobin",
> > >             "nodes": {
> > >                 "39.97.63.215:80": 1
> > >             }
> > >         }
> > >     }'
> > >
> > > The API seems to be without any authentication. So what is the best
> > > practice to protect those sensitive APIs in a prod env?
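The two controls proposed in the quoted replies (loopback-only `allow`/`deny` on the admin location, and a separate admin-only port with the admin prefix refused on the regular port) combined into one nginx configuration. This is an added illustration written for this page, not configuration from the thread or from the APISIX project; the admin port 9180 is an assumption, and `apisix.http_admin()` is the handler name as it appears in the quoted message.

```nginx
# Added example, not APISIX's own configuration. Port 9180 is an assumption;
# apisix.http_admin() is the handler name quoted in the thread.

# Public traffic listener: the admin prefix is refused here no matter where
# the request comes from, so the regular port never exposes the admin API.
server {
    listen 9080;

    location /apisix/admin {
        deny all;    # a lone "deny all" makes nginx answer 403 for every client
    }

    # ... regular route handling for proxied traffic continues here (omitted) ...
}

# Admin-only listener. Binding to 127.0.0.1 means a remote host cannot even
# open the socket; the allow/deny pair is a second layer in case the bind
# address is later widened.
server {
    listen 127.0.0.1:9180;

    location /apisix/admin {
        allow 127.0.0.0/8;   # whole loopback range; 127.0.0.0/24 as in the thread also covers 127.0.0.1
        deny  all;           # rules are checked in order, first match wins

        content_by_lua_block {
            apisix.http_admin()
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, `allow`/`deny` match the TCP peer address (`$remote_addr`), not `X-Forwarded-For`; if another proxy on the same host forwards to this port, every request will look like loopback and the rule stops meaning anything. Second, as Lang Wang notes above, `apisix init` regenerates nginx.conf, so an edit made by hand to the generated file will not survive; the change has to live wherever the generated configuration is produced from, which this thread does not go into.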