Securing Kong Admin API
By default, Kong listens on *:8001 for the Admin API and on *:8000 to proxy your APIs. If both ports are exposed to the internet, anyone who can reach port 8001 can control your Kong instance, so you should protect the Admin API.
There is a trick to secure the Admin API: route it back through the Kong proxy itself, put authentication in front of it, and then bind the raw Admin port to localhost only.
Installing Kong (with Docker)
docker pull docker-registry.vccloud.vn/lamdt/cassandra:2.2.5
docker pull docker-registry.vccloud.vn/lamdt/kong
docker run -p 9042:9042 -d --name cassandra docker-registry.vccloud.vn/lamdt/cassandra:2.2.5
# wait until Cassandra is online before starting Kong
docker run -d --name kong \
--link cassandra:kong-database \
-p 8000:8000 \
-p 8443:8443 \
-p 8001:8001 \
-p 7946:7946 \
-p 7946:7946/udp \
--security-opt seccomp:unconfined \
docker-registry.vccloud.vn/lamdt/kong
Add the Kong Admin API as an API (the upstream is Kong's own Admin port on localhost):
curl -X POST -H "Content-Type: application/json" -d '{
"name": "KongAdmin",
"strip_request_path": true,
"request_path": "/kongadmin",
"upstream_url": "http://127.0.0.1:8001"
}' "http://123.31.11.128:8001/apis"
Now the Admin API is routed through the Kong proxy (port 8000) under the /kongadmin prefix:
curl http://123.31.11.128:8000/kongadmin/apis
{"data":[{"upstream_url":"http:\/\/127.0.0.1:8001","strip_request_path":true,"request_path":"\/kongadmin","id":"934498d6-97fa-4da1-9445-9cb7d24afee4","created_at":1461056884000,"preserve_host":false,"name":"KongAdmin"}],"total":1}
Add key authentication to KongAdmin:
curl -X POST -H "Content-Type: application/json" -d '{
"name": "key-auth"
}' "http://123.31.11.128:8001/apis/KongAdmin/plugins/"
Create a consumer for KongAdmin:
curl -X POST -H "Content-Type: application/json" -d '{
"username": "kongadmin",
"custom_id": "1"
}' "http://123.31.11.128:8001/consumers"
Create an API key for this consumer (Kong generates the key when none is supplied):
curl -X POST http://123.31.11.128:8001/consumers/kongadmin/key-auth
{"key":"08b88fb5173f4cdd947591ba2cdfe4cf","consumer_id":"aa789e77-5e37-41de-b334-998a70c53578","created_at":1461060556000,"id":"5f08ec7f-f9ac-495c-a67a-074b26087a6a"}
The Kong Admin API is now protected by the key-auth plugin. A request through the proxy with a wrong key (the key below is not the one generated above) is rejected:
curl http://123.31.11.128:8000/kongadmin/status?apikey=6ffde8d4-40c2-4b31-bf58-ae281f15d7e1
{"message":"Invalid authentication credentials"}
Last step: disable public access to the Admin API on port 8001, so the only way in is through the authenticated /kongadmin route.
Inside the Kong instance, add the following line to the top of /etc/kong/kong.yml:
admin_api_listen: "127.0.0.1:8001"
Then run:
kong restart
Result: direct access to port 8001 is refused, while the authenticated route through the proxy still works.
$ curl http://123.31.11.128:8001/status
curl: (7) Failed to connect to 123.31.11.128 port 8001: Connection refused
$ curl http://123.31.11.128:8000/kongadmin/status?apikey=08b88fb5173f4cdd947591ba2cdfe4cf
{"server":{"connections_handled":6,"connections_reading":0,"connections_active":2,"connections_waiting":0,"connections_writing":2,"total_requests":6,"connections_accepted":6},"database":{"oauth2_tokens":0,"jwt_secrets":0,"response_ratelimiting_metrics":0,"keyauth_credentials":3,"oauth2_authorization_codes":0,"acls":0,"apis":1,"hmacauth_credentials":0,"consumers":2,"plugins":2,"oauth2_credentials":0,"nodes":1,"basicauth_credentials":0,"ratelimiting_metrics":0}}
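To confirm the end state above, the following added verification script (not part of the original post) probes the host from the outside and reports whether each hardening step took effect. It assumes the host, ports and /kongadmin prefix from the post, and takes the generated API key as its first argument; the probe function is injectable so the checks can also be exercised offline.

```python
"""Verify the Kong Admin API hardening described above (added example)."""
import json
import sys
import urllib.error
import urllib.request

HOST = "123.31.11.128"      # host used in the post; replace with your own
ADMIN_PORT = 8001           # raw Admin API port, should be closed to the outside
PROXY_PORT = 8000           # Kong proxy port
ADMIN_PREFIX = "/kongadmin" # request_path registered for the KongAdmin API


def http_probe(url, timeout=5):
    """GET url; return (status, body), or (None, reason) if TCP connect fails."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:          # non-2xx still has a status
        return e.code, e.read().decode()
    except (urllib.error.URLError, OSError) as e:  # refused / timed out
        return None, str(e)


def verify_hardening(api_key, probe=http_probe):
    """Return a dict of check name -> bool for the four expected outcomes."""
    checks = {}
    proxy_status = f"http://{HOST}:{PROXY_PORT}{ADMIN_PREFIX}/status"
    # 1. Raw Admin port must not be reachable from outside (connection refused).
    status, _ = probe(f"http://{HOST}:{ADMIN_PORT}/status")
    checks["direct_admin_port_closed"] = status is None
    # 2. Proxy route without a key must be rejected (any non-2xx is fine).
    status, _ = probe(proxy_status)
    checks["proxy_rejects_missing_key"] = status is not None and not 200 <= status < 300
    # 3. Proxy route with a wrong key must be rejected, as in the post.
    status, _ = probe(f"{proxy_status}?apikey=not-a-real-key")
    checks["proxy_rejects_bad_key"] = status is not None and not 200 <= status < 300
    # 4. Proxy route with the real key returns the /status JSON (server + database).
    status, body = probe(f"{proxy_status}?apikey={api_key}")
    ok = status == 200
    if ok:
        try:
            data = json.loads(body)
            ok = "server" in data and "database" in data
        except ValueError:
            ok = False
    checks["proxy_accepts_valid_key"] = ok
    return checks


def all_passed(checks):
    return all(checks.values())


if __name__ == "__main__":
    key = sys.argv[1] if len(sys.argv) > 1 else "REPLACE_WITH_YOUR_KEY"
    results = verify_hardening(key)
    for name, ok in results.items():
        print(("PASS " if ok else "FAIL ") + name)
    sys.exit(0 if all_passed(results) else 1)
```

Run it as `python3 verify_kong.py 08b88fb5173f4cdd947591ba2cdfe4cf` (with your own key); any FAIL line means the corresponding step has not taken effect.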