I don't have this consideration at present, the requirement comes from the
APISIX Ingress controller project.
And I am also designing this function based on the APISIX Ingress project.

In addition, if this requirement is for APISIX, it has been completed.
No need for such an implementation path.

zhixiongdu027 <r...@libssl.com> wrote on Wed, Mar 23, 2022 at 16:20:

> Maybe we can combine it with APISIX's discovery module?
>
> On 3/23/22 14:16, wei jin wrote:
> > But I think APISIX needs to do something to avoid proxying traffic to
> itself.
> >
> > Jintao Zhang <zhangjin...@apache.org> wrote on Tue, Mar 22, 2022 at 20:29:
> >
> >> Yes, this is something we need to fully consider.
> >> I was exposed to this type of vulnerability in Kubernetes ingress-nginx
> >> last year.
> >>
> >> Chao Zhang <zchao1...@gmail.com> wrote on Tue, Mar 22, 2022 at 11:41:
> >>
> >>> Hi Community,
> >>>
> >>> What I care about is if this will cause some security vulnerabilities
> >> such
> >>> as:
> >>>
> >>> I just write 127.0.0.1:9090 (APISIX Control API Address) in the
> >>> ExternalName service, and the privacy data of APISIX will be exposed.
> >>>
> >>> If we really want to implement this feature, security is the most
> >> important
> >>> step.
> >>>
> >>> Chao Zhang
> >>> https://github.com/tokers
> >>>
> >>> On March 21, 2022 at 09:34:21, Jintao Zhang (zhangjin...@apache.org)
> >>> wrote:
> >>>
> >>> I have seen some voices in the community, hoping that APISIX Ingress
> can
> >>> proxy external services e.g: [1], [2]
> >>>
> >>> For these two types of requirements, it is a relatively simple
> >> requirement
> >>> for [1], we only need to add the corresponding External name type
> service
> >>> to complete.
> >>>
> >>> But for [2], I found a very interesting situation. No other Ingress
> >>> controller implements similar functionality yet, and I think this would
> >> be
> >>> a huge feature.
> >>>
> >>> APISIX actually supports setting the domain name to nodes in the
> >> upstream.
> >>> But APISIX Ingress is not yet supported.
> >>>
> >>> To achieve the above function, we can set a special resolveGranularity
> to
> >>> directly convert the record of external name to Node.
> >>>
> >>>
> >>> WDYT?
> >>>
> >>>
> >>> [1]: https://github.com/apache/apisix-ingress-controller/issues/813
> >>> [2]: https://github.com/apache/apisix-ingress-controller/issues/645
>
>
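
The concern raised in this thread (an ExternalName value such as 127.0.0.1:9090 reaching the APISIX Control API, and the gateway proxying to itself) can be checked before an external name is turned into an upstream node. The Go sketch below is an added example, not part of the thread and not code from the APISIX Ingress controller; `ValidateExternalName`, `lookupFunc` and the `selfIPs` parameter are hypothetical names, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// lookupFunc resolves a host to IPs; injectable so the check runs offline.
type lookupFunc func(host string) ([]net.IP, error)

// ValidateExternalName rejects a value that is, or resolves to, loopback,
// unspecified, link-local, or one of the gateway's own IPs (selfIPs, assumed input).
func ValidateExternalName(name string, selfIPs []net.IP, lookup lookupFunc) error {
	host := strings.ToLower(strings.TrimSpace(name))
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // tolerate host:port, as in the thread's 127.0.0.1:9090
	}
	host = strings.TrimSuffix(host, ".") // "localhost." is still localhost
	if host == "" || host == "localhost" {
		return fmt.Errorf("externalName %q is empty or local", name)
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: check what the name resolves to
		var err error
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("externalName %q did not resolve: %v", name, err)
		}
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsUnspecified() || ip.IsLinkLocalUnicast() {
			return fmt.Errorf("externalName %q maps to local address %s", name, ip)
		}
		for _, self := range selfIPs {
			if ip.Equal(self) {
				return fmt.Errorf("externalName %q maps to the gateway itself (%s)", name, ip)
			}
		}
	}
	return nil
}

func main() { // constructed sample data: gateway pod IP and a stub resolver
	self := []net.IP{net.ParseIP("10.244.1.7")}
	stub := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("127.0.0.1")}, nil }
	for _, n := range []string{"127.0.0.1:9090", "rebind.example.com", "10.244.1.7"} {
		fmt.Printf("%-20s -> %v\n", n, ValidateExternalName(n, self, stub))
	}
}
```

A check made when the resource is accepted does not cover a DNS record that changes afterwards, so the same address test has to run again wherever the name is re-resolved before proxying.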
