Movatterモバイル変換


[0]ホーム

URL:


Skip to content
DEV Community
Log in Create account

DEV Community

Cover image for Securing Admin access to Apache APISIX
Apache APISIX profile imageNicolas Fränkel
Nicolas Fränkel forApache APISIX

Posted on • Originally published atblog.frankel.ch

     

Securing Admin access to Apache APISIX

API Gateways are critical components in one's infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance.

In this short blog post, I'll list a couple of ways to secure your Apache APISIX admin access.

Change admin tokens

You can manage Apache APISIX configuration via its HTTP APIs. A token protects every API call. Operations require anX-API-KEY HTTP Header:

  • Use a token with theviewer role to call read operations
  • Use a token with theadmin role to call readand write operations

For example, to create a new route, I need to pass anadmin-role token, which allows calling write operations:

curl http://localhost:9180/apisix/admin/routes/1-H'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1'-X PUT-d'{  "methods": ["GET"],  "uri": ["/hello"],  "upstream_id": 1}'
Enter fullscreen modeExit fullscreen mode

The first and foremost step to secure your access is to change the default token values:

deployment:admin:# Default token when use API to call for Admin API.# *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.# Disabling this configuration item means that the Admin API does not# require any authentication.admin_key:-name:adminkey:edd1c9f034335f136f87ad84b625c8f1#1role:admin# admin: manage all configuration data# viewer: only can view configuration data-name:viewerkey:4054f7cf07e344346cd3f287985e76a2#1role:viewer
Enter fullscreen modeExit fullscreen mode
  1. Change it!

You may want to secure tokens even further; it depends on your platform. For example, you may want to store tokens asSecret and inject them at container startup.

Restrict binding IP(s)

A server can have multiple IPs from different network adapters. For example, an API Gateway would have at least two network adapters:

  • One public-facing adapter to be reachable from the Internet
  • One internal for inside access

By default, Apache APISIX will bind itself to all network adapters found on the server at startup. The above scenario means it will be reachablefrom the Internet. We should restrict access from the inside only.

We can set which network interface Apache APISIX can bind to in the configuration:

deployment:admin:admin_listen:ip:0.0.0.0# Specific IP, if not set, the default value is `0.0.0.0` #1
Enter fullscreen modeExit fullscreen mode
  1. Change it!

Restrict allowed IPs

Even if you restrict access to only IPs from inside your enterprise network, you want only some machines to access the API Gateway configuration. If it was the case, an attacker gaining access to the machine of an accountant could use it to try to attack the API Gateway.

You can restrict IP access with network policies - and you should. However, you can also implement this restriction on the API Gateway: it can allow finer-grained control and more agile changes - network policies are hard to change in general.

Here's the relevant snippet for Apache APISIX:

deployment:admin:allow_admin:-127.0.0.0/24# If we don't set any IP list, then any IP access is allowed by default#- "::/64"                                                                #1
Enter fullscreen modeExit fullscreen mode
  1. Change it according to your network topology

Mutual TLS

If to talk about authentication, one way is via a digital certificate. The most widespread low-level authentication mechanism today isTLS. TLS allows servers to prove their identity. Additionally, it keeps data exchanged private and prevents them from being tampered with.

Mutual TLS works on both sides so that the server proves its identity to the clientand the client proves its identity to the server.

Here's the relevant configuration snippet to set admin mTLS in Apache APISIX:

Standalone mode

Last but not least, one can completely move the configuration frometcd to a static (YAML) file. In this case, no Admin API is available to update the configuration. This deployment model is known asstandalone mode.

In standalone mode, the only way to change the configuration is to update the static file: Apache APISIX will check for changes at regular intervals and update itself accordingly. It's a great way to apply GitOps principles with Apache APISIX.

In the meanwhile, you can configure standalone mode as the following:

deployment:role:data_planerole_data_plane:config_provider:yaml
Enter fullscreen modeExit fullscreen mode

Note that standalone mode makes all other securing options moot, as there's no Admin API to secure anymore.

Conclusion

You need to secure API Gateways from unwanted access as they are valuable targets for bad actors. In this post, I've shown several non-exclusive options you should consider to secure Apache APISIX.

Finally, I've described how you could make it without the Admin API via the dedicated Standalone deployment mode. Expect a future blog post on how to use it with GitOps.

To go further:

Originally published atA Java Geek on February 5th, 2023

Top comments(0)

Subscribe
pic
Create template

Templates let you quickly answer FAQs or store snippets for re-use.

Dismiss

Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment'spermalink.

For further actions, you may consider blocking this person and/orreporting abuse

More fromApache APISIX

DEV Community

We're a place where coders share, stay up-to-date and grow their careers.

Log in Create account

[8]ページ先頭

©2009-2025 Movatter.jp