Posted to dev@apisix.apache.org by vincixu <vi...@apache.org> on 2020/08/06 02:04:16 UTC

Re: [discuss] How do we protect the dashboard?

I think we should not expose the dashboard to the external internet; if we must
expose it, we should add complete authentication for APISIX, such as
"jwt+RBAC"; key-auth is weak security.

Zhiyuan Ju <ju...@apache.org> wrote on Sat, Jul 25, 2020 at 9:02 AM:

> 🤔
>
> Because there is one Manager API between the Admin API and the Dashboard, and the
> API key is currently stored statically in the Manager API, so I'm not sure how to use manual
> TLS to protect dashboard usage.
>
> Ming Wen <we...@apache.org> wrote on Sat, Jul 25, 2020 at 8:37 AM:
>
> > For the production environment, it is recommended to use mTLS to
> > communicate between the admin API and the dashboard.
> >
> > Zhiyuan Ju <ju...@apache.org> wrote on Thu, Jul 23, 2020 at 11:27 AM:
> >
> > > Hi,
> > >
> > > One user just reminded me that the API key is stored in manager-api
> > > directly; we may store it in the frontend or have an OAuth policy.
> > >
> > > So how could we protect our dashboard from being accessed by attackers?
> > >
> > > Best regards!
> > > --
> > > From 琚致远
> > >
> >
> --
> From 琚致远
>
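
Added example (not code from apisix-dashboard, its Manager API, or the PR discussed in this thread): a minimal HS256 JWT issuer and verifier with a role claim, plus the RBAC decision a dashboard backend would make before forwarding a request to the Admin API. It illustrates the "jwt+RBAC" proposal above: unlike a static API key, the token names a subject, carries a role that an authorization table can check, and expires. The names SECRET, ROLE_PERMISSIONS, issue_token, verify_token and authorize, the action strings, and the role table are all assumptions made for the example; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret for this example only; in a deployment it comes from
# a secret store, never from a hard-coded literal in the backend.
SECRET = b"example-signing-secret-change-me"

# Hypothetical RBAC table: which roles may perform which action on the dashboard backend.
ROLE_PERMISSIONS = {
    "admin": {"routes:read", "routes:write", "ssl:write"},
    "viewer": {"routes:read"},
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, role: str, ttl_seconds: int, now=None) -> str:
    """Sign a compact JWT (header.payload.signature) carrying sub, role, iat and exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "role": role, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Return the claims if the algorithm is the pinned one, the HMAC matches and
    the token is unexpired; raise ValueError otherwise (decode errors are ValueErrors too)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side: the token must never choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def authorize(token: str, action: str, now=None) -> bool:
    """RBAC decision: the token must verify AND its role must be allowed to perform `action`."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    return action in ROLE_PERMISSIONS.get(claims.get("role"), set())


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is reproducible.
    t0 = 1_600_000_000
    viewer = issue_token("alice", "viewer", 3600, now=t0)
    print("viewer may read routes:", authorize(viewer, "routes:read", now=t0 + 10))
    print("viewer may write routes:", authorize(viewer, "routes:write", now=t0 + 10))
    print("viewer token after expiry:", authorize(viewer, "routes:read", now=t0 + 3600))
```

The backend would run `authorize` on every request and only then call the Admin API with its own credential (for example over the mTLS channel Ming Wen suggests), so the Admin API key never reaches the browser at all.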

Re: [discuss] How do we protect the dashboard?

Posted by Zhiyuan Ju <ju...@apache.org>.
Yeah, there is a PR [1] working on this issue.

[1] https://github.com/apache/apisix-dashboard/pull/330

Best Regards!
@ Zhiyuan Ju <https://www.shaoyaoju.org/>


vincixu <vi...@apache.org> wrote on Thu, Aug 6, 2020 at 10:04 AM:

> I think we should not expose the dashboard to the external internet; if we must
> expose it, we should add complete authentication for APISIX, such as
> "jwt+RBAC"; key-auth is weak security.
>
> Zhiyuan Ju <ju...@apache.org> wrote on Sat, Jul 25, 2020 at 9:02 AM:
>
> > 🤔
> >
> > Because there is one Manager API between the Admin API and the Dashboard, and the
> > API key is currently stored statically in the Manager API, so I'm not sure how to use manual
> > TLS to protect dashboard usage.
> >
> > Ming Wen <we...@apache.org> wrote on Sat, Jul 25, 2020 at 8:37 AM:
> >
> > > For the production environment, it is recommended to use mTLS to
> > > communicate between the admin API and the dashboard.
> > >
> > > Zhiyuan Ju <ju...@apache.org> wrote on Thu, Jul 23, 2020 at 11:27 AM:
> > >
> > > > Hi,
> > > >
> > > > One user just reminded me that the API key is stored in manager-api
> > > > directly; we may store it in the frontend or have an OAuth policy.
> > > >
> > > > So how could we protect our dashboard from being accessed by attackers?
> > > >
> > > > Best regards!
> > > > --
> > > > From 琚致远
> > > >
> > >
> > --
> > From 琚致远
> >
>