Lâm @lam14 - Tumblr Blog

if you knew what everyone else was going to do, it would be easy to pick your own action

Game Theory

Securing Kong Admin API

By default, Kong listens on *:8001 for communication with Admin API and *:8000 to proxy your apis. All ports are public on internet, everyone can control your Kong. So, you should protect Kong Admin API.

There is a trick to secure Admin API by routing it back to proxy.

Installing Kong (with Docker)

docker pull docker-registry.vccloud.vn/lamdt/cassandra:2.2.5

docker pull docker-registry.vccloud.vn/lamdt/kong

docker run -p 9042:9042 -d --name cassandra docker-registry.vccloud.vn/lamdt/cassandra:2.2.5

# waiting for cassandra online

docker run -d --name kong \

--link cassandra:kong-database \

-p 8000:8000 \

-p 8443:8443 \

-p 8001:8001 \

-p 7946:7946 \

-p 7946:7946/udp \

--security-opt seccomp:unconfined \

docker-registry.vccloud.vn/lamdt/kong

Add Kong Admin API as an API:

curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache" -H "Postman-Token: 30c13c7e-ed20-e12b-b239-cca96da80f36" -d '{

"name": "KongAdmin",

"strip_request_path": true,

"request_path": "/kongadmin",

"upstream_url": "http://127.0.0.1:8001"

}' "http://123.31.11.128:8001/apis"

Now, Admin API was routed through Kong proxy.

curl http://123.31.11.128:8000/kongadmin/apis

{"data":[{"upstream_url":"http:\/\/127.0.0.1:8001","strip_request_path":true,"request_path":"\/kongadmin","id":"934498d6-97fa-4da1-9445-9cb7d24afee4","created_at":1461056884000,"preserve_host":false,"name":"KongAdmin"}],"total":1}

Add Key Authentication to KongAdmin:

curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache" -H "Postman-Token: 8ccbda34-bad6-ebde-c763-723b6b884c76" -d '{

"name": "key-auth"

}' "http://123.31.11.128:8001/apis/KongAdmin/plugins/"

Create a consumer for KongAdmin:

curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache" -H "Postman-Token: 9477377c-bf9b-53cb-c32f-32959142c887" -d '{

"username": "kongadmin",

"custom_id": "1"

}' "http://123.31.11.128:8001/consumers"

Create a API key for this consumer:

curl -X POST http://123.31.11.128:8001/consumers/kongadmin/key-auth

{"key":"08b88fb5173f4cdd947591ba2cdfe4cf","consumer_id":"aa789e77-5e37-41de-b334-998a70c53578","created_at":1461060556000,"id":"5f08ec7f-f9ac-495c-a67a-074b26087a6a"}

Kong Admin API was protected by key-auth plugin:

curl http://123.31.11.128:8000/kongadmin/status?apikey=6ffde8d4-40c2-4b31-bf58-ae281f15d7e1

{"message":"Invalid authentication credentials"}

Last step, disable public access to Admin API on port :8001:

Inside Kong instance, add following line to the top of /etc/kong/kong.yml:

admin_api_listen: "127.0.0.1:8001"

Then run:

kong restart

Result:

$ curl http://123.31.11.128:8001/status

curl: (7) Failed to connect to 123.31.11.128 port 8001: Connection refused

$ curl http://123.31.11.128:8000/kongadmin/status?apikey=08b88fb5173f4cdd947591ba2cdfe4cf

{"server":{"connections_handled":6,"connections_reading":0,"connections_active":2,"connections_waiting":0,"connections_writing":2,"total_requests":6,"connections_accepted":6},"database":{"oauth2_tokens":0,"jwt_secrets":0,"response_ratelimiting_metrics":0,"keyauth_credentials":3,"oauth2_authorization_codes":0,"acls":0,"apis":1,"hmacauth_credentials":0,"consumers":2,"plugins":2,"oauth2_credentials":0,"nodes":1,"basicauth_credentials":0,"ratelimiting_metrics":0}}

#kong #kongapi #api #proxy

How to encrypt and decrypt files and messages with a password from the Linux command line, using OpenSSL.

#openssl #encryption

Placeholder Images for every case. Webdesign or Print. Just put a custom url in your html and you receive a proper placeholder picture

and also http://avatars.adorable.io/ cute avatar auto-generated

Happy new year #2016

#2016 #git

#icon set

#game design

Rails 5 is a new major version of Ruby On Rails, this implicates that the Rails API and requirements can change to deprecate, add new, and/or improve existing APIs, but also to take advantage of important changes in the Ruby language as well.

Nice to meet you #rubyonrails #rails5

#ruby on rails #ruby

the-ultimate-guide-to-ruby-timeouts - :clock4:

Adding timeout for various Ruby gems #ruby #rubylang

#ruby

URL vs URI vs URN

#url #uri #urn

Create new association object #rubyonrails

For a has_one association the method to create a new associated object would be user.create_post.

For a has_many association the method to create a new associated object would be user.posts.create.

#ruby on rails #ruby

Explains how to use redirection function which is common to most command line interpreters such as the various Unix shells. It allow standard streams to be redirected to user-specified locations such as stderr to a file.

#devops #sysadmin

While other languages would require us to catch/handle exceptions, in Elixir we are actually fine with letting processes fail because we expect supervisors to properly restart our systems. “Failing fast” is a common philosophy when writing Elixir software!

http://elixir-lang.org/

#elixirlang

#elixir

#programming

Case (or switch) statements don't seem very exciting. When you're using a language like Ruby that lets you do things like metaprogramming, why bother...

#ruby #programming

The other day somebody asked if there is a way to blindly assign nested valuesto Ruby Hash without creating each key. Turns out there is, and it has anintere...

#ruby #ruby on rails #programming

Hi, Rails 5

AB is grossly misunderstood, learn the REAL way to use Apache Bench and get meaningful results by understanding what your're looking for

some misunderstand thing abou Apache Bench

#DevOps #Apache #web server

Trending Blogs

Recently Viewed Blogs

Lâm