bzp2010 commented on code in PR #12276: URL: https://github.com/apache/apisix/pull/12276#discussion_r2122773422
########## apisix/cli/ngx_tpl.lua: ########## @@ -646,6 +646,21 @@ http { apisix.http_admin() } } + + {% if enable_admin_ui then %} + location = /ui { + return 301 /ui/; + } + location ^~ /ui/ { Review Comment: There are no security concerns about unauthorized access as you understand it. Even if that ui endpoint is exposed on the Internet, the user still needs to be able to access the Admin API (/apisix/admin/xx) and have the proper credentials. And this part will undoubtedly be IP-restricted depending on the configuration. Separate access to the UI makes no sense; that thing will be built in CI and will not contain any data about the user's environment. Without credentials and permissions, that UI will always just report errors and not display any data. However, I recognize that this does carry some risk, mainly from the fact that if the endpoint is unintentionally exposed, it may cause bandwidth consumption on the server, but not face any potential data leakage or illegal operations. For that reason, I'll be introducing the IP restrictions that are currently in place on the Admin API to the new endpoint at the same time to alleviate that concern. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
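Review bot: the new `location ^~ /ui/` block (and the `location = /ui` redirect before it) carries no IP `allow`/`deny` list, while the Admin API location it is placed next to (the one calling `apisix.http_admin()`) is IP-restricted according to the configuration, as the comment above notes; since the comment already commits to applying the same restriction to the new endpoint, the hunk should include those directives inside `location ^~ /ui/ {` rather than leaving them for a follow-up, so an unintentionally exposed `/ui/` cannot be fetched from arbitrary sources even if the static bundle holds no environment data. The closing `{% end %}` for the `{% if enable_admin_ui then %}` guard is outside the lines shown; please confirm both new `location` blocks sit inside it so nothing under `/ui` is served when the admin UI is disabled.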