FoseFx commented on issue #11426: URL: https://github.com/apache/apisix/issues/11426#issuecomment-2289684401
Sorry for my late response, I must have missed the email.

> If secrets are managed in vault, the administrators of API gateway and server cannot access secrets and have no permission to modify them.

This is not entirely correct, though. The server admin is able to dump the secrets themselves, or the vault credentials, from the environment or from memory. The APISIX admin might be able to access the secrets as well, for example by setting the secrets as basic auth, or other headers for a new upstream, which they control, and dump them there.

> Second, we may be running hundreds or thousands of APISIX data planes, which means we need to protect thousands of servers from hacker attacks. If one of the servers has a system vulnerability that is exploited, the secrets will be leaked.

If the server is compromised, adversaries might have the same permissions as the server admin. And in the end, the server admin is able to access everything. I agree with you that we want to prevent unauthorized access.

> Software like Vault can solve the above two security issues, which is one of its values.

Vault is awesome! But often too much of a burden to manage. Another key principle of security is simplicity, however. Many other reverse proxies store their certificates on disk as well:

- [traefik](https://doc.traefik.io/traefik/https/tls/)
- [kong](https://support.konghq.com/support/s/article/How-to-setup-Kong-to-serve-an-SSL-certificate-for-API-requests)
- [envoy](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl)
