Posted to dev@apisix.apache.org by hui li <yo...@apache.org> on 2020/04/15 09:33:52 UTC

[DISCUSS]APISIX Admin API security risks

Hi, the security department of Tencent recently discovered that Kong's
Admin component has security risks. For details, please refer to this link:
https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw
I read the preliminary article and think that our APISIX Admin API has the
same risks.

1. The old version of the APISIX Admin API does not use authentication
capabilities; it is recommended to upgrade to the new version.
2. In the new version of APISIX, many users will use the default key, and
the protection capabilities are virtually useless. It is recommended that
the best practice document guide users to replace the key. If possible,
APISIX nodes that provide services to the outside need to turn off the
Admin API capability, and only APISIX nodes that are allowed internal
access should provide the APISIX Admin API.
3. The Admin API uses HTTPS access capability by default, because HTTPS can
effectively prevent key leakage caused by request hijacking.
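The three points above map onto a few settings in the `apisix:` section of config.yaml. The audit below is an added example, not code from the thread or from the APISIX project: it takes that section as an already-loaded dict (constructed sample values, the key strings are placeholders) and reports which of the three risks a node still carries. `enable_admin`, `allow_admin` and `admin_key` are real config.yaml keys; the `https_admin` flag and the set of default key values are assumptions.

```python
"""Audit an APISIX node's Admin API settings against the three points in the
thread: no/default key, admin API reachable from outside, plain HTTP."""
import ipaddress

# Constructed placeholder: an operator would list the key values that ship
# as defaults in their deployed version here.
DEFAULT_KEYS = {"PLACEHOLDER-DEFAULT-ADMIN-KEY"}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def audit_admin(cfg, public_facing):
    """Return a list of findings for the `apisix:` section `cfg` of one node.

    public_facing: True when this node serves external client traffic.
    """
    findings = []
    if not cfg.get("enable_admin", True):
        return findings  # Admin API turned off: nothing exposed on this node
    if public_facing:
        findings.append("admin API enabled on a node that serves external traffic")
    keys = cfg.get("admin_key") or []
    if not keys:
        findings.append("no admin_key configured: unauthenticated admin access")
    for entry in keys:
        if entry.get("key") in DEFAULT_KEYS:
            findings.append("admin_key %r still uses the default key" % entry.get("name"))
    allow = cfg.get("allow_admin") or []
    if not allow:
        findings.append("allow_admin empty: admin API reachable from any address")
    for cidr in allow:
        net = ipaddress.ip_network(cidr, strict=False)
        if not (net.version == 4 and net.subnet_of(LOOPBACK)):
            findings.append("allow_admin %s reaches beyond loopback" % cidr)
    if not cfg.get("https_admin", False):  # assumed flag name
        findings.append("admin API served over plain HTTP: key sent in the clear")
    return findings


# Constructed sample: the weak setup the thread warns about ...
WEAK = {"enable_admin": True,
        "admin_key": [{"name": "admin", "key": "PLACEHOLDER-DEFAULT-ADMIN-KEY", "role": "admin"}],
        "allow_admin": ["0.0.0.0/0"], "https_admin": False}
# ... and the hardened one it recommends (rotated key, loopback only, HTTPS).
HARDENED = {"enable_admin": True,
            "admin_key": [{"name": "admin", "key": "constructed-rotated-key-value", "role": "admin"}],
            "allow_admin": ["127.0.0.1/32"], "https_admin": True}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_admin(cfg, public_facing=True))
```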

Re: [DISCUSS]APISIX Admin API security risks

Posted by hui li <yo...@apache.org>.
Hi, Ming,
Thanks for your PR.

Ming Wen <we...@apache.org> wrote on Wed, Apr 15, 2020 at 9:36 PM:

> Hi, hui,
> I created a PR [1] to recommend that users change `admin_key`, and to only
> allow 127.0.0.1 to access the admin API.
>
> And yes, the admin API should use HTTPS by default; a PR is welcome.
>
> [1] https://github.com/apache/incubator-apisix/pull/1458
>
> Thanks,
> Ming Wen, Apache APISIX & Apache SkyWalking
> Twitter: _WenMing
>
>
> hui li <yo...@apache.org> wrote on Wed, Apr 15, 2020 at 5:34 PM:
>
> > Hi, the security department of Tencent recently discovered that Kong's
> > Admin component has security risks. For details, please refer to this
> > link: https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw
> > I read the preliminary article and think that our APISIX Admin API has
> > the same risks.
> >
> > 1. The old version of the APISIX Admin API does not use authentication
> > capabilities; it is recommended to upgrade to the new version.
> > 2. In the new version of APISIX, many users will use the default key, and
> > the protection capabilities are virtually useless. It is recommended that
> > the best practice document guide users to replace the key. If possible,
> > APISIX nodes that provide services to the outside need to turn off the
> > Admin API capability, and only APISIX nodes that are allowed internal
> > access should provide the APISIX Admin API.
> > 3. The Admin API uses HTTPS access capability by default, because HTTPS
> > can effectively prevent key leakage caused by request hijacking.
> >
>

Re: [DISCUSS]APISIX Admin API security risks

Posted by Ming Wen <we...@apache.org>.
Hi, hui,
I created a PR [1] to recommend that users change `admin_key`, and to only
allow 127.0.0.1 to access the admin API.

And yes, the admin API should use HTTPS by default; a PR is welcome.

[1] https://github.com/apache/incubator-apisix/pull/1458

Thanks,
Ming Wen, Apache APISIX & Apache SkyWalking
Twitter: _WenMing


hui li <yo...@apache.org> wrote on Wed, Apr 15, 2020 at 5:34 PM:

> Hi, the security department of Tencent recently discovered that Kong's
> Admin component has security risks. For details, please refer to this link:
> https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw
> I read the preliminary article and think that our APISIX Admin API has the
> same risks.
>
> 1. The old version of the APISIX Admin API does not use authentication
> capabilities; it is recommended to upgrade to the new version.
> 2. In the new version of APISIX, many users will use the default key, and
> the protection capabilities are virtually useless. It is recommended that
> the best practice document guide users to replace the key. If possible,
> APISIX nodes that provide services to the outside need to turn off the
> Admin API capability, and only APISIX nodes that are allowed internal
> access should provide the APISIX Admin API.
> 3. The Admin API uses HTTPS access capability by default, because HTTPS can
> effectively prevent key leakage caused by request hijacking.
>