Security Hardening Guide? #12269
Replies: 2 comments
-
Here's some documentation I hope you find helpful: https://docs.api7.ai/apisix/production/security/mtls/configure-mtls-between-apisix-and-etcd
-
Thanks @Baoyuantop! Yes, I did read through that and other articles such as https://apisix.apache.org/blog/2024/02/20/secure-api-practices-apisix-1/ and https://apisix.apache.org/blog/2024/02/27/secure-api-practices-apisix-2/. All very helpful. Finding guidance, however, for the actual deployment is challenging. I was able to get mTLS working with etcd, apisix, and the apisix-dashboard (and maybe I should write an article about that adventure). There is just not a lot of documentation on the conf.yaml files themselves and custom deployments. Quick-Start works great, but injecting secrets via Azure or even GitHub Actions has proven to be challenging. If these containers were compromised, the secrets are right there in the conf files for an attacker to see. When I have more time soon, I'll write up something about my experience. This is a great project and I am very excited to get everything working!
-
Hello,