Kong: How to secure access to the Admin API? [question]

Created on 22 Jan 2016 · 12 Comments · Source: Kong/kong

How to secure access to the Admin API?

I run my Kong instance in AWS in a private VPC behind an ELB with a public IP.
The proxy (port 8000) is available to the public via ELB on port 443.
The admin API is also available on the ELB on a different port but a security group policy on the ELB blocks access from the internet. The access is allowed only from my internal network.

I want to add more security to the admin api so even the requests from the internal network will have to be authenticated.
Should I just create a proxy on Kong to its admin API and add a BasicAuth plugin?

All 12 comments

yes, route it through kong and add an authentication plugin

see also https://groups.google.com/forum/#!topic/konglayer/veIk6o-UXuY

This subject is worth a documentation section but it has not been written yet. We always suggest various ways of doing so (that also combine together), including the solution you thought of:

  • Configure a firewall
  • Looping through Kong (the solution you proposed, maybe combine with firewalling)
  • Editing the Nginx configuration available in kong.yml (in the Admin API server block) to add directives such as the auth basic module.

All 3 are described in detail in the Google groups here and here.

Later this year we'll also release a new product to manage, monitor and secure your Kong cluster.
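The loopback approach recommended above (route Kong's own Admin API through the proxy, gate it with an authentication plugin, and combine that with a network restriction) written out as a Kong declarative configuration. This is an added example, not code from the thread or from the Kong project; it assumes a Kong 2.x declarative file applied with decK, a node whose Admin API is bound to localhost (`admin_listen = 127.0.0.1:8001` in kong.conf), and constructed values for the service name, route path, consumer, and internal CIDR ranges.

```yaml
# Apply in DB mode with: deck sync -s kong.yaml   (hypothetical file name)
_format_version: "2.1"

services:
  # Hypothetical service name; the upstream is this node's own Admin API,
  # assumed to listen only on localhost so it is unreachable from outside.
  - name: admin-api-loopback
    url: http://127.0.0.1:8001
    routes:
      # Exposed on the proxy listener (port 8000 / ELB 443) under /admin-api;
      # strip_path turns /admin-api/services into /services on the upstream.
      - name: admin-api-route
        paths:
          - /admin-api
        strip_path: true
    plugins:
      # 1) Authentication: every request under /admin-api must carry a
      #    credential of a known consumer; unauthenticated calls get 401.
      - name: basic-auth
        config:
          hide_credentials: true   # do not forward the Authorization header upstream
      # 2) Network restriction enforced by Kong itself, mirroring the
      #    security-group rule so the two layers back each other up.
      #    Constructed internal ranges; replace with your own.
      - name: ip-restriction
        config:
          allow:
            - 10.0.0.0/8
            - 172.16.0.0/12

consumers:
  # Hypothetical operator account; one consumer per person or automation
  # so that credentials can be revoked individually.
  - username: ops-admin
    basicauth_credentials:
      - username: ops-admin
        password: REPLACE_WITH_STRONG_PASSWORD   # placeholder, not a real secret
```

Two checks worth making after applying it: an unauthenticated `GET /admin-api/status` through the proxy should return 401, and a request from an address outside the allowed ranges should return 403. Because the node sits behind an ELB, `ip-restriction` only sees the real client address if kong.conf sets `trusted_ips` to the load balancer's addresses and `real_ip_header = X-Forwarded-For`; without that, every request appears to come from the ELB and the allow list is either always or never satisfied.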

We have created a web based Kong Admin Manager. And with this manager you could secure your Kong Admin API with one click. You can check details from our blog post https://apiplug.com/blog/web-based-kong-api-gateway-manager/

Regarding that trick to route it through Kong, add an authentication plugin, and also add a firewall to block 8001: I was wondering if there is a possible way to reduce internal breach even if someone landed on the server.

@sonicaghi With reference to the comment around the ability to manage / secure a Kong cluster, is there any update as to what that looks like?

Many Thanks

Marty

Hi @marty2bell - I don't have a specific update for you at this time, except to say that this remains a priority here at Mashape, and we look forward to having more to share with you later this year.

Perhaps you have a wish list for me? :) What would you like

the ability to manage / secure a kong cluster

to look like?

In the near future, it will also be possible to disable the Admin API on given nodes. It might make it easier to secure your cluster if you only have to worry about one or two nodes listening on :8001.

Note that the solution suggested here:

Editing the Nginx configuration available in kong.yml (in the Admin API server block) to add directives such as the auth basic module.

Gets much easier with #2355.

I think this needs to be reopened; adding the admin API to the normal API interface seems like a sub-par solution.
I have created a pull request: https://github.com/Mashape/kong/pull/2572 to allow securing the admin API with an ACL and/or basic authentication. This also helps #668.

We have published a doc that highlights some of the best practices we suggest when considering securing the Admin API: https://getkong.org/docs/0.10.x/secure-admin-api/

Solved this issue, thanks.

Hi all,

A whole section of the documentation has since been written on the topic of securing the Admin API: https://docs.konghq.com/1.0.x/secure-admin-api/

Hope that is helpful to some of you or future readers.

Cheers,
