This is an automated email from the ASF dual-hosted git repository.
wenming pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-apisix.git
The following commit(s) were added to refs/heads/master by this push:
new f39dd6e bugfix: only allow 127.0.0.1 access admin API and dashboard
by default. (#1458)
f39dd6e is described below
commit f39dd6efa244d13a235e19d192dc9e10b216c033
Author: Wen Ming <[email protected]>
AuthorDate: Wed Apr 15 22:39:11 2020 +0800
bugfix: only allow 127.0.0.1 access admin API and dashboard by default.
(#1458)
---
README.md | 4 ++--
README_CN.md | 4 ++--
conf/config.yaml | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 6148012..4164049 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,7 @@ A/B testing, canary release, blue-green deployment, limit
rate, defense against
- [Global Rule](doc/architecture-design.md#Global-Rule): Allows to run any
plugin for all request, eg: limit rate, IP filter etc.
- High performance: The single-core QPS reaches 18k with an average delay
of less than 0.2 milliseconds.
- [Fault Injection](doc/plugins/fault-injection.md)
- - [REST Admin API](doc/admin-api.md)
+ - [REST Admin API](doc/admin-api.md): Using the REST Admin API to control
Apache APISIX, which only allows 127.0.0.1 access by default, you can modify
the `allow_admin` field in `conf/config.yaml` to specify a list of IPs that are
allowed to call the Admin API. Also note that the Admin API uses key auth to
verify the identity of the caller. **The `admin_key` field in
`conf/config.yaml` needs to be modified before deployment to ensure security**.
- [Python SDK](https://github.com/api7/apache-apisix-python-sdk)
- **Highly scalable**
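Review bot: the added bullet says the Admin API "only allows 127.0.0.1 access by default", but the value this commit puts into `conf/config.yaml` is `127.0.0.0/24`, so the README and the shipped config describe different allow-lists; either quote `127.0.0.0/24` here or use `127.0.0.1/32` in the config so the two agree. The new line is also one long run-on; split it so the allow-list and the key-auth warning are separate sentences, e.g. "... which only allows 127.0.0.1 access by default. You can modify the `allow_admin` field in `conf/config.yaml` to specify a list of IPs that are allowed to call the Admin API." followed by the `admin_key` sentence, and drop the trailing "etc." style comma splice.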
@@ -163,7 +163,7 @@ Copy the compiled files under `/dist` directory to the
`apisix/dashboard` direct
open `http://127.0.0.1:9080/apisix/dashboard/` in the browser.
Do not need to fill the user name and password, log in directly.
-The dashboard allows any remote IP by default, and you can modify
`allow_admin` in `conf/config.yaml` by yourself, to list the list of IPs
allowed to access.
+The dashboard only allows 127.0.0.1 by default, and you can modify
`allow_admin` in `conf/config.yaml` by yourself, to list the list of IPs
allowed to access.
We provide an online dashboard [demo version](http://apisix.iresty.com), make
it easier for you to understand APISIX.
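Review bot: the replaced sentence still reads "to list the list of IPs allowed to access"; rewrite it as "to specify the list of IPs allowed to access the dashboard". More importantly, the two context lines above state that the dashboard needs no user name or password, so `allow_admin` is the only access control on `http://127.0.0.1:9080/apisix/dashboard/`; the new sentence should say so explicitly, so that anyone who widens the list to a non-loopback range understands they are exposing an unauthenticated control plane on the same port that serves proxied traffic.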
diff --git a/README_CN.md b/README_CN.md
index 731fab1..fa24a62 100644
--- a/README_CN.md
+++ b/README_CN.md
@@ -104,7 +104,7 @@ A/B 测试、金丝雀发布(灰度发布)、蓝绿部署、限流限速、抵
-
[全局规则](doc/architecture-design-cn.md#Global-Rule):允许对所有请求执行插件,比如黑白名单、限流限速等。
- 高性能:在单核上 QPS 可以达到 18k,同时延迟只有 0.2 毫秒。
- [故障注入](doc/plugins/fault-injection-cn.md)
- - [REST Admin API](doc/admin-api-cn.md)
+ - [REST Admin API](doc/admin-api-cn.md): 使用 REST Admin API 来控制 Apache
APISIX,默认只允许 127.0.0.1 访问,你可以修改 `conf/config.yaml` 中的 `allow_admin` 字段,指定允许调用
Admin API 的 IP 列表。同时需要注意的是,Admin API 使用 key auth 来校验调用者身份,**在部署前需要修改
`conf/config.yaml` 中的 `admin_key` 字段,来保证安全。**
- [Python SDK](https://github.com/api7/apache-apisix-python-sdk)
- **高度可扩展**
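Review bot: same inconsistency as in the English README: this line says only 127.0.0.1 is allowed by default, while the value committed to `conf/config.yaml` is `127.0.0.0/24`; keep the Chinese text, the English text and the config on one value so users who copy the allow-list see the same thing in all three places.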
@@ -164,7 +164,7 @@ yarn && yarn build:prod
使用浏览器打开 `http://127.0.0.1:9080/apisix/dashboard/` 即可使用,
不用填写用户名和密码,直接登录。
-Dashboard 默认允许任何 IP 访问。你可以自行修改 `conf/config.yaml` 中的 `allow_admin` 字段,指定允许访问
dashboard 的 IP 列表。
+Dashboard 默认只允许 127.0.0.1 访问。你可以自行修改 `conf/config.yaml` 中的 `allow_admin`
字段,指定允许访问 dashboard 的 IP 列表。
我们部署了一个在线的 [Dashboard](http://apisix.iresty.com) ,方便你了解 APISIX。
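Review bot: as with the English dashboard paragraph, the preceding context says no user name or password is needed, so the added sentence should state that `allow_admin` is the only thing protecting the dashboard and that listing any non-loopback IP exposes it without authentication; the English and Chinese wording should be kept in sync when that is added.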
diff --git a/conf/config.yaml b/conf/config.yaml
index a3630b6..ee1d698 100644
--- a/conf/config.yaml
+++ b/conf/config.yaml
@@ -50,8 +50,8 @@ apisix:
# disk_path: "/tmp/disk_cache_two"
# cache_levels: "1:2"
- # allow_admin: #
http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
- # - 127.0.0.0/24 # If we don't set any IP list, then any IP
access is allowed by default.
+ allow_admin: #
http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
+ - 127.0.0.0/24 # If we don't set any IP list, then any IP
access is allowed by default.
# - "::/64"
# port_admin: 9180 # use a separate port
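Review bot: the trailing comment on the now-active `- 127.0.0.0/24` line, "If we don't set any IP list, then any IP access is allowed by default.", is stale once the list is enabled and reads as if the current state were the permissive one; change it to describe the new default and the consequence of removing it, e.g. `- 127.0.0.0/24 # loopback only by default; deleting this list allows any IP to reach the Admin API and dashboard`. Two follow-ups on the same hunk: `# - "::/64"` stays commented out, so a client connecting over the IPv6 loopback (`::1`) is still rejected after this change; if that is meant to work it should be `::1/128` rather than `::/64`, which covers far more than the loopback address. And the commit message and README say 127.0.0.1, while this line grants the whole `127.0.0.0/24`; `127.0.0.1/32` would match the documentation exactly.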