SGTM. This will make APISIX more secure in production environments.
tzssangglass <tzssanggl...@apache.org> wrote on Monday, May 23, 2022 at 14:14:

> Hi folks,
>
> In both v1 and v2 versions of APISIX, the same port (9080) is reused for
> both the DP and CP sides.
>
> Although the deployment architecture diagram of APISIX clearly
> distinguishes the respective responsibilities of DP and CP, many
> open source users are not aware of the API gateway architecture and network
> security knowledge and use the APISIX default behavior - DP and CP share
> the same port.
>
> Since these users never realize the importance of the separate deployment
> of DP and CP in their usage, when the DP side and CP side share the same
> security policy, such as both facing the public network, this will lead to
> increased security risk on the CP side.
>
> Recall that several APISIX-related CVEs are related to the exposure of the
> CP side.
>
> So here I would like to propose a breaking change: change the default
> behavior of APISIX so that the DP side and CP side no longer share the same
> port by default; the DP side will continue to use port 9080 by default, and
> the CP side will use port 9180 by default.
>
> Would love to hear from you.
>
> *ZhengSong Tu*
> My GitHub: https://github.com/tzssangglass
> Apache APISIX: https://github.com/apache/apisix
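An added example, not part of the thread and not APISIX project code: a small audit that reports when the CP (Admin API) would be served from the same listener as the DP in an already-parsed `conf/config.yaml`. The key names (`apisix.node_listen`, `apisix.enable_admin`, `apisix.admin_listen`, `apisix.allow_admin`) and the handling of missing values are assumptions based on the APISIX v2 configuration layout; the two sample configurations are constructed.

```python
import ipaddress

def data_plane_ports(apisix):
    """Ports in apisix.node_listen: an int, a list of ints, or a list of {ip, port} maps."""
    raw = apisix.get("node_listen", 9080)
    items = raw if isinstance(raw, list) else [raw]
    return {int(i["port"]) if isinstance(i, dict) else int(i) for i in items}

def audit_admin_listener(conf):
    """Return a list of findings for a parsed config.yaml (v2 key layout, assumed)."""
    apisix = conf.get("apisix", {})
    findings = []
    if not apisix.get("enable_admin", True):
        return findings  # Admin API is off on this node, nothing to expose
    dp_ports = data_plane_ports(apisix)
    admin = apisix.get("admin_listen")
    if not admin:
        # No dedicated listener: the CP answers on every DP port.
        findings.append("CP shares DP listener(s) %s" % sorted(dp_ports))
    else:
        port = int(admin.get("port", 9180))
        if port in dp_ports:
            findings.append("admin_listen port %d is also a DP port" % port)
        # Assumption: a missing ip is treated as a bind to all interfaces.
        if ipaddress.ip_address(admin.get("ip", "0.0.0.0")).is_unspecified:
            findings.append("admin_listen binds all interfaces")
    for cidr in apisix.get("allow_admin", []):
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append("allow_admin permits any source: %s" % cidr)
    return findings

# Constructed sample: shared-port behaviour described in the proposal.
SHARED = {"apisix": {"node_listen": 9080, "enable_admin": True,
                     "allow_admin": ["127.0.0.0/24"]}}
# Constructed sample: DP on 9080/9443, CP on its own loopback listener at 9180.
SPLIT = {"apisix": {"node_listen": [9080, {"ip": "0.0.0.0", "port": 9443}],
                    "admin_listen": {"ip": "127.0.0.1", "port": 9180},
                    "allow_admin": ["127.0.0.0/24"]}}

if __name__ == "__main__":
    for name, conf in (("shared", SHARED), ("split", SPLIT)):
        print(name, audit_admin_listener(conf) or "ok")
```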