bugfix: only allow 127.0.0.1 access admin API and dashboard by defaul…

…t. (apache#1458)

README.md

@@ -104,7 +104,7 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against
     - [Global Rule](doc/architecture-design.md#Global-Rule): Allows to run any plugin for all request, eg: limit rate, IP filter etc.
     - High performance: The single-core QPS reaches 18k with an average delay of less than 0.2 milliseconds.
     - [Fault Injection](doc/plugins/fault-injection.md)
-    - [REST Admin API](doc/admin-api.md)
+    - [REST Admin API](doc/admin-api.md): Using the REST Admin API to control Apache APISIX, which only allows 127.0.0.1 access by default, you can modify the `allow_admin` field in `conf/config.yaml` to specify a list of IPs that are allowed to call the Admin API. Also note that the Admin API uses key auth to verify the identity of the caller. **The `admin_key` field in `conf/config.yaml` needs to be modified before deployment to ensure security**.
     - [Python SDK](https://github.com/api7/apache-apisix-python-sdk)
 
 - **Highly scalable**
@@ -163,7 +163,7 @@ Copy the compiled files under `/dist` directory to the `apisix/dashboard` direct
 open `http://127.0.0.1:9080/apisix/dashboard/` in the browser.
 Do not need to fill the user name and password, log in directly.
 
-The dashboard allows any remote IP by default, and you can modify `allow_admin` in `conf/config.yaml` by yourself, to list the list of IPs allowed to access.
+The dashboard only allows 127.0.0.1 by default, and you can modify `allow_admin` in `conf/config.yaml` by yourself, to list the list of IPs allowed to access.
 
 We provide an online dashboard [demo version](http://apisix.iresty.com), make it easier for you to understand APISIX.
 

README_CN.md

@@ -104,7 +104,7 @@ A/B 测试、金丝雀发布(灰度发布)、蓝绿部署、限流限速、抵
     - [全局规则](doc/architecture-design-cn.md#Global-Rule)：允许对所有请求执行插件，比如黑白名单、限流限速等。
     - 高性能：在单核上 QPS 可以达到 18k，同时延迟只有 0.2 毫秒。
     - [故障注入](doc/plugins/fault-injection-cn.md)
-    - [REST Admin API](doc/admin-api-cn.md)
+    - [REST Admin API](doc/admin-api-cn.md): 使用 REST Admin API 来控制 Apache APISIX，默认只允许 127.0.0.1 访问，你可以修改 `conf/config.yaml` 中的 `allow_admin` 字段，指定允许调用 Admin API 的 IP 列表。同时需要注意的是，Admin API 使用 key auth 来校验调用者身份，**在部署前需要修改 `conf/config.yaml` 中的 `admin_key` 字段，来保证安全。**
     - [Python SDK](https://github.com/api7/apache-apisix-python-sdk)
 
 - **高度可扩展**
@@ -164,7 +164,7 @@ yarn && yarn build:prod
 使用浏览器打开 `http://127.0.0.1:9080/apisix/dashboard/` 即可使用，
 不用填写用户名和密码，直接登录。
 
-Dashboard 默认允许任何 IP 访问。你可以自行修改 `conf/config.yaml` 中的 `allow_admin` 字段，指定允许访问 dashboard 的 IP 列表。
+Dashboard 默认只允许 127.0.0.1 访问。你可以自行修改 `conf/config.yaml` 中的 `allow_admin` 字段，指定允许访问 dashboard 的 IP 列表。
 
 我们部署了一个在线的 [Dashboard](http://apisix.iresty.com) ，方便你了解 APISIX。
 

conf/config.yaml

@@ -50,8 +50,8 @@ apisix:
   #    disk_path: "/tmp/disk_cache_two"
   #    cache_levels: "1:2"
 
-  # allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
-  #   - 127.0.0.0/24              # If we don't set any IP list, then any IP access is allowed by default.
+  allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
+    - 127.0.0.0/24              # If we don't set any IP list, then any IP access is allowed by default.
   #   - "::/64"
   # port_admin: 9180              # use a separate port