yzeng25 commented on code in PR #1495: URL: https://github.com/apache/apisix-website/pull/1495#discussion_r1101348589
########## blog/en/blog/2023/02/09/secure-apisix-admin.md: ########## @@ -0,0 +1,152 @@ +--- +title: Securing Admin Access to Apache APISIX +authors: + - name: Nicolas Fränkel + title: Author + url: https://github.com/nfrankel + image_url: https://avatars.githubusercontent.com/u/752258 +keywords: + - API gateway security + - Admin API + - how to secure API gateway +description: > + API Gateways are critical components in one's infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance Review Comment: I think this is good enough, just need to follow the pattern. ```suggestion description: API Gateways are critical components in one's infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance ``` ########## blog/en/blog/2023/02/09/secure-apisix-admin.md: ########## 
@@ -0,0 +1,152 @@ +--- +title: Securing Admin Access to Apache APISIX +authors: + - name: Nicolas Fränkel + title: Author + url: https://github.com/nfrankel + image_url: https://avatars.githubusercontent.com/u/752258 +keywords: + - API gateway security + - Admin API + - how to secure API gateway +description: > + API Gateways are critical components in one's infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance +tags: [Ecosystem] +image: https://blog.frankel.ch/assets/resources/secure-apisix-admin/security-g85f9e284f.jpg Review Comment: Could you use a different link for the cover pic? Since the current one does not show up properly on the summary page. <img width="1728" alt="image" src="https://user-images.githubusercontent.com/36651058/217803305-c2fde64d-3f9e-43a1-8df7-75eade76bce7.png"> ########## blog/en/blog/2023/02/09/secure-apisix-admin.md: ########## 
@@ -0,0 +1,152 @@ +--- +title: Securing Admin Access to Apache APISIX +authors: + - name: Nicolas Fränkel + title: Author + url: https://github.com/nfrankel + image_url: https://avatars.githubusercontent.com/u/752258 +keywords: + - API gateway security + - Admin API + - how to secure API gateway +description: > + API Gateways are critical components in one's infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance +tags: [Ecosystem] +image: https://blog.frankel.ch/assets/resources/secure-apisix-admin/security-g85f9e284f.jpg +--- + +>API Gateways are critical components in one's infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance. Review Comment: The quote shows up properly, but it violates markdown syntax, you should add a space between > and quoted texts, see https://www.markdownguide.org/basic-syntax/#blockquotes-1 ```suggestion > API Gateways are critical components in one's infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance. ``` ########## blog/en/blog/2023/02/09/secure-apisix-admin.md: ########## 
@@ -0,0 +1,152 @@ +--- +title: Securing Admin Access to Apache APISIX +authors: + - name: Nicolas Fränkel + title: Author + url: https://github.com/nfrankel + image_url: https://avatars.githubusercontent.com/u/752258 +keywords: + - API gateway security + - Admin API + - how to secure API gateway +description: > + API Gateways are critical components in one's infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance +tags: [Ecosystem] +image: https://blog.frankel.ch/assets/resources/secure-apisix-admin/security-g85f9e284f.jpg +--- + +>API Gateways are critical components in one's infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance. + +<!--truncate--> + +<head> + <link rel="canonical" href="https://blog.frankel.ch/secure-apisix-admin/" /> +</head> + +In this short blog post, I'll list a couple of ways to secure your [Apache APISIX](https://apisix.apache.org/) admin access. + +## Change admin tokens + +You can manage Apache APISIX configuration via its HTTP APIs. A token protects every API call. 
Operations require an `X-API-KEY` HTTP Header: + +* Use a token with the _viewer_ role to call read operations +* Use a token with the _admin_ role to call read *and* write operations + +For example, to create a new route, I need to pass an _admin_-role token, which allows calling write operations: + +```bash +curl http://localhost:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "methods": ["GET"], + "uri": ["/hello"], + "upstream_id": 1 +}' +``` + +The first and foremost step to secure your access is to change the default token values: + +```yaml +deployment: + admin: + # Default token when use API to call for Admin API. + # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. + # Disabling this configuration item means that the Admin API does not + # require any authentication. + admin_key: + - name: admin + key: edd1c9f034335f136f87ad84b625c8f1 #1 + role: admin # admin: manage all configuration data + # viewer: only can view configuration data + - name: viewer + key: 4054f7cf07e344346cd3f287985e76a2 #1 + role: viewer +``` + +1. Change it! + +You may want to secure tokens even further; it depends on your platform. For example, you may want to store tokens as `Secret` and inject them at container startup. + +## Restrict binding IP(s) + +A server can have multiple IPs from different network adapters. For example, an API Gateway would have at least two network adapters: + +* One public-facing adapter to be reachable from the Internet +* One internal for inside access + +By default, [Apache APISIX](https://github.com/apache/apisix) will bind itself to all network adapters found on the server at startup. The above scenario means it will be reachable **from the Internet**. We should restrict access from the inside only. 
+ +We can set which network interface Apache APISIX can bind to in the configuration: + +```yaml +deployment: + admin: + admin_listen: + ip: 0.0.0.0 # Specific IP, if not set, the default value is `0.0.0.0` #1 +``` + +1. Change it! + +## Restrict allowed IPs + +Even if you restrict access to only IPs from inside your enterprise network, you want only some machines to access the API Gateway configuration. If it was the case, an attacker gaining access to the machine of an accountant could use it to try to attack the API Gateway. + +You can restrict IP access with network policies - and you should. However, you can also implement this restriction on the API Gateway: it can allow finer-grained control and more agile changes - network policies are hard to change in general. + +Here's the relevant snippet for Apache APISIX: + +```yaml +deployment: + admin: + allow_admin: + - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default + #- "::/64" #1 +``` + +1. Change it according to your network topology Review Comment: Missed a `.` symbol here. ```suggestion 1. Change it according to your network topology. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
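Review bot: In the `description:` front matter (first hunk), the folded scalar ends with "of utmost importance" and no terminating period, while the identical sentence in the body blockquote ends with one; suggest adding the period in the front matter so the two copies match, e.g. `Hence, protecting your API Gateway is of utmost importance.`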
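Review bot: In the curl example under "Change admin tokens", `"uri": ["/hello"]` passes an array, but the APISIX route schema takes `uri` as a single string and `uris` for a list, so this PUT is likely to fail schema validation; suggest `"uri": "/hello"` (or `"uris": ["/hello"]`). Also, in the `allow_admin` snippet the `#1` callout sits on the commented-out `#- "::/64"` line, so "Change it according to your network topology" reads as pointing at a disabled entry; moving the marker to the `127.0.0.0/24` line makes clear which value the reader is expected to replace. Finally, the YAML comment already warns that disabling `admin_key` leaves the Admin API with no authentication at all; stating that caveat in the prose next to "change the default token values" would keep readers from deleting the block instead of rotating the keys.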
