Hi, Ming

Thanks for your PR.

Ming Wen <[email protected]> wrote on Wed, Apr 15, 2020 at 9:36 PM:

> Hi, hui,
>
> I created a PR[1] to recommend users change `admin_key`, and only allow
> 127.0.0.1 to access the admin API.
>
> And yes, the admin API should use https by default, welcome PR.
>
> [1] https://github.com/apache/incubator-apisix/pull/1458
>
> Thanks,
> Ming Wen, Apache APISIX & Apache SkyWalking
> Twitter: _WenMing
>
>
> hui li <[email protected]> wrote on Wed, Apr 15, 2020 at 5:34 PM:
>
> > Hi, the security department of Tencent recently discovered that Kong's
> > Admin component has security risks. For details, please refer to this
> > link: https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw
> >
> > I read the preliminary article and think that our APISIX Admin API has
> > the same risks.
> >
> > 1. The old version of APISIX Admin does not use authentication
> >    capabilities; it is recommended to upgrade to the new version.
> > 2. In the new version of APISIX, many users will use the default key, and
> >    the protection capabilities are virtually useless. It is recommended
> >    that the best practice document guide users to replace the key. If
> >    possible, APISIX nodes that provide services to the outside need to
> >    turn off the Admin API capability, and only APISIX nodes that allow
> >    internal access provide the APISIX Admin API.
> > 3. The Admin API uses https access capability by default, because https
> >    can effectively prevent key leakage caused by request hijacking.
> >
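The thread above recommends two concrete config.yaml changes: replace the shipped `admin_key` and restrict `allow_admin` to loopback. The script below is an added example (not APISIX project code and not from either poster) that audits a parsed config for both points; it assumes the `apisix.allow_admin` and `apisix.admin_key[].key` layout of APISIX's conf/config.yaml, represents the parsed file as plain dicts (constructed here, where a real deployment would use `yaml.safe_load`), and uses the placeholder string `CHANGE_ME_DEFAULT_KEY` to stand in for whatever default key a given release ships with.

```python
"""Audit APISIX admin API settings for the two hardening points in the thread.

Added example, not APISIX project code.  Assumed config layout (mirrors
conf/config.yaml): {"apisix": {"allow_admin": [...], "admin_key": [{...}]}}.
"""
import ipaddress
import secrets

# Placeholder for the release's shipped default key; a real audit would load
# the actual default from the distribution's config template.
KNOWN_DEFAULT_KEYS = {"CHANGE_ME_DEFAULT_KEY", ""}

# Hygiene heuristic (assumption, not an APISIX rule): a replaced key should be
# at least as long as a 128-bit hex string.
MIN_KEY_LENGTH = 32


def _is_loopback_only(cidr: str) -> bool:
    """True if every address in `cidr` is a loopback address (v4 or v6)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.network_address.is_loopback and net.broadcast_address.is_loopback


def check_allow_admin(allow_admin):
    """Findings for allow_admin entries that admit non-loopback clients."""
    findings = []
    if not allow_admin:
        findings.append("allow_admin is empty: admin API reachable from any address")
        return findings
    for entry in allow_admin:
        if not _is_loopback_only(entry):
            findings.append(f"allow_admin entry {entry!r} admits non-loopback clients")
    return findings


def check_admin_key(admin_key):
    """Findings for missing, default, or short admin keys (points 1 and 2)."""
    findings = []
    if not admin_key:
        findings.append("no admin_key configured: admin API is unauthenticated")
        return findings
    for entry in admin_key:
        key = entry.get("key", "")
        name = entry.get("name", "?")
        if key in KNOWN_DEFAULT_KEYS:
            findings.append(f"admin_key {name!r} still uses the shipped default")
        elif len(key) < MIN_KEY_LENGTH:
            findings.append(f"admin_key {name!r} is shorter than {MIN_KEY_LENGTH} chars")
    return findings


def audit(config):
    """Run both checks over a parsed config.yaml and return all findings."""
    apisix = config.get("apisix", {})
    return check_allow_admin(apisix.get("allow_admin")) + check_admin_key(
        apisix.get("admin_key")
    )


def suggest_key() -> str:
    """A replacement admin key: 256 bits of CSPRNG output as hex."""
    return secrets.token_hex(32)


# Constructed sample: the weak shape the thread warns about.
WEAK_CONFIG = {
    "apisix": {
        "allow_admin": ["0.0.0.0/0"],
        "admin_key": [{"name": "admin", "key": "CHANGE_ME_DEFAULT_KEY", "role": "admin"}],
    }
}

# Constructed sample: loopback-only access and a replaced key.
HARDENED_CONFIG = {
    "apisix": {
        "allow_admin": ["127.0.0.0/24", "::1/128"],
        "admin_key": [{"name": "admin", "key": "a" * 64, "role": "admin"}],
    }
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
    print("suggested replacement key:", suggest_key())
```

The loopback check is deliberately stricter than "contains 127.0.0.1": a range such as `0.0.0.0/0` contains loopback but also everything else, so only networks whose first and last address are both loopback pass. The third point in the thread (serving the Admin API over https) is a listener setting rather than a value this dict-level audit can see, so it is left to the deployment's TLS configuration.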
