> > One thing that I’d like to confirm is that if APIs provided by plugins > (e.g., jet-auth) will be left on the DP side?
My idea is to keep it first, because some control APIs are external services, such as the jwt sign API. After the CP and DP ports are separated, we should then consider whether to put it in DP or CP depending on whether the API registered by the plugin needs to be served externally. For plugin registration API. We should even give the plugin registration API the option to register on DP or CP. *ZhengSong Tu* My GitHub: https://github.com/tzssangglass Apache APISIX: https://github.com/apache/apisix 在 2022年5月23日 19:48:33 上,Chao Zhang <zchao1...@gmail.com> 写道: > Hi, > > One thing that I’d like to confirm is that if APIs provided by plugins > (e.g., jet-auth) will be left on the DP side? > > Chao Zhang > https://github.com/tokers > > On May 23, 2022 at 14:14:21, tzssangglass (tzssanggl...@apache.org) wrote: > > Hi folks, > > In both v1 and v2 versions of APISIX, the same port (9080) is reused for > both the DP and CP sides. > > Although the deployment architecture diagram of APISIX clearly > distinguishes the respective responsibilities of DP and CP. However, many > open source users are not aware of the API gateway architecture and network > security knowledge and use the APISIX default behavior - DP and CP share > the same port. > > Since these users never realize the importance of the separate deployment > of DP and CP in their usage, when the DP side and CP side share the same > security policy, such as both facing the public network, this will lead to > increased security risk on the CP side. > > Recall that several APISIX-related CVEs are related to the exposure of the > CP side. > > So here I would like to propose a breaking change: change the default > behavior of APISIX so that the DP side and CP side no longer share the same > port by default; the DP side will continue to use port 9080 by default, and > the CP side will use port 9180 by default. > > Would love to hear from you. > > *ZhengSong Tu* > My GitHub: https://github.com/tzssangglass > Apache APISIX: https://github.com/apache/apisix >
