bug: APISIX Admin API security risks

[Miss-you]

Hi, the security department of Tencent recently discovered that Kong's Admin component has security risks. For details, please refer to this link: https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw
I read the preliminary article and think that our APISIX Admin API has the same risks.

1. The old version of APISIX Admin does not use authentication capabilities, it is recommended: upgrade to the new version
2. In the new version of APISIX, many users will use the default key, and the protection capabilities are virtually useless. It is recommended that the best practice document guide users to replace the key. If possible, APISIX nodes that provide services to the outside need to turn off the Admin API capability, and only APISIX nodes that are allowed internal access provide APISIX Admin API
3. The Admin API uses https access capability by default, because https can effectively prevent key leakage caused by request hijacking.

[moonming]

welcome PR to fix 3

[membphis]

note: This PR has fixed the second point here.

#1458

[membphis]

The Admin API uses https access capability by default, because https can effectively prevent key leakage caused by request hijacking.

Is it enough to enable self-signed certificate?

[moonming]

yes, it's enough. Thanks, Ming Wen Twitter: _WenMing YuanSheng Wang <notifications@github.com> 于2020年4月16日周四 上午9:29写道：

…

The Admin API uses https access capability by default, because https can effectively prevent key leakage caused by request hijacking. Is it enough to enable self-signed certificate? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#1455 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGJZBKYLZH47Z2NHV37N53TRMZNOFANCNFSM4MINORBQ> .

[Miss-you]

The Admin API uses https access capability by default, because https can effectively prevent key leakage caused by request hijacking.

Is it enough to enable self-signed certificate?

Yes, that's enough

[Miss-you]

The Admin API uses https access capability by default, because https can effectively prevent key leakage caused by request hijacking.

Is it enough to enable self-signed certificate?

How to enable the self-signed certificate function here?
I will add it to the documentation.

[Miss-you]

hi, after a previous high-availability solution design, I found it more reasonable to recommend users to use the Admin API and Dashboard as APISIX routing services.

First, Kubernetes is the case. If the dashboard wants to be accessed, you need to configure an Ingress (corresponding to the APISIX route)
Second, the default security limit of the Admin API can no longer be just 127.0.0.1, but can also be a common intranet address: such as 10.0.0.0/8, etc.
Third, the security limit of 127.0.0.1 of Admin API is not simple enough. Many people found that Admin API is not available after upgrading APISIX to 1.2, because the default configuration is only accessible through 127.0.0.1

[membphis]

fixed already.