Why the browser on macOS can bypass the Kong IP-restriction whitelist on CentOS 7

My Testing Environment:

VMware® Workstation 12 Pro  on Windows 10 64 bit (192.168.43.131)
192.168.10.10 CentOS 7.2 PHP MySQL  ---  Restful api data interface
192.168.10.50 macOS 10.12.6         ---  The browser on the client side on macOS system
192.168.10.60 CentOS 7.2 Kong Gateway Server
192.168.43.131 Windows 10 64 bit    ---  The browser on the client side on Windows 10 system

a). VMware® Workstation 12 Pro
VMnet1 NAT Mode
Subnet IP(I):192.168.10.0  Subnet Mask:255.255.255.0

DHCP Setup
Start IP Address(S):192.168.10.2
End IP Address(S):192.168.10.254


b). 192.168.43.131 Windows 10 64 bit    ---  The browser on the client side on Windows 10 system
VMware Network Adapter VMnet1 on Windows 10 (192.168.43.131)
IP Address(I):192.168.10.1
Subnet Mask:255.255.255.0
Default Gateway:192.168.10.2

C:\Windows\System32\drivers\etc\hosts

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
192.168.10.60 contoso.org


c). 192.168.10.50 macOS
myths-Mac:~ myth$ cat /etc/hosts    
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost
192.168.10.60  contoso.org
myths-Mac:~ myth$ 

Ethernet Network(192.168.10.50 macOS)
Configure IPv4: Manually
IP Address:192.168.10.50
Subnet Mask:255.255.255.0
Router:192.168.10.2
DNS Server:192.168.10.2


d). 192.168.10.60 CentOS 7.2 Kong Gateway Server
[myth@contoso ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.10 contoso.com
192.168.10.60 contoso.org
[myth@contoso ~]$ hostname
contoso.org
[myth@contoso ~]$ cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=13aa5a1d-ea4a-49bd-847d-b4cfdd2552b4
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.10.60
PREFIX=24
GATEWAY=192.168.10.2
DNS1=192.168.10.2
IPV6_PRIVACY=no
[root@contoso ~]# systemctl disable firewalld && systemctl stop firewalld


e). 192.168.10.10 CentOS 7.2 PHP MySQL --- Restful api data interface
[myth@contoso ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.10 contoso.com
[myth@contoso ~]$ hostname
contoso.com
[myth@contoso ~]$ cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=26593caa-5870-4590-a80a-acca0a210508
DEVICE=ens33
ONBOOT=yes
DNS1=192.168.10.2
IPADDR=192.168.10.10
PREFIX=24
GATEWAY=192.168.10.2
[myth@contoso ~]$ cat /etc/httpd/conf.d/httpd-vhosts.conf
<Directory "/home/myth/www/bookstore">
        Options +Indexes +FollowSymLinks
        Order allow,deny
        Allow from all
        AllowOverride All
        Require all granted
</Directory>
<VirtualHost *:80>
    ServerAdmin zhengzizhi@126.com
    DocumentRoot "/home/myth/www/bookstore/public"
    ServerName contoso.com
    ServerAlias contoso.com
    ErrorLog "/home/myth/log/httpd/contoso-com-error_log"
    CustomLog "/home/myth/log/httpd/contoso-com-access_log" common
</VirtualHost>
 
192.168.10.10 CentOS 7.2 PHP MySQL --- Restful api data interface
Use the ThinkPHP 5.1 framework to create the project bookstore:

[myth@contoso ~]$ cd /home/myth/www && composer create-project topthink/think bookstore --prefer-dist

Create the database and the books table (the database name matches the project name):

CREATE DATABASE bookstore;
USE bookstore;
CREATE TABLE `books` (  
  `id` bigint(20) NOT NULL AUTO_INCREMENT,  
  `title` varchar(80) DEFAULT NULL,  
  `author` text DEFAULT NULL,  
  PRIMARY KEY (`id`)  
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;  
insert into `books` (`id`, `title`, `author`) values('1','Fashion That Changed the World','Jennifer Croll');  
insert into `books` (`id`, `title`, `author`) values('2','Brigitte Bardot - My Life in Fashion','Henry-Jean Servat and Brigitte Bardot');  
insert into `books` (`id`, `title`, `author`) values('3','The Fashion Image','Thomas Werner'); 

[myth@contoso ~]$ cat /home/myth/www/bookstore/application/api/controller/v1/Book.php
<?php
namespace app\api\controller\v1;
use think\Controller;
use think\Request;
use think\Db;

// REST controller for the books table (ThinkPHP 5.1).
// Db::name() applies the configured table prefix, Db::table() does not;
// with the default empty prefix both address the same `books` table.
class Book extends Controller {
    public function getBooks() {
        $books = Db::table('books')->select();
        return json($books);
    }

    public function getBookById($id) {
        $book = Db::name('books')->where('id', $id)->select();
        return json($book);
    }

    public function addBook(Request $request) {
        $title = $request->param('title');
        $author = $request->param('author');
        $book = ['title' => $title, 'author' => $author];
        Db::startTrans();
        try {
            Db::name('books')->insert($book);
            Db::commit();
        } catch (\Exception $ex) {
            // \Exception with a leading backslash: inside this namespace a bare
            // `Exception` would resolve to app\api\controller\v1\Exception, which
            // does not exist, so the catch block would never run.
            Db::rollback();
            return json(['message' => 'inserting not successfully']);
        }
        return json(['message' => 'inserted successfully']);
    }

    public function deleteBookById($id) {
        Db::startTrans();
        try {
            Db::name('books')->where('id', $id)->delete();
            Db::commit();
        } catch (\Exception $ex) {
            Db::rollback();
            return json(['message' => 'deleting not successfully']);
        }
        return json(['message' => 'deleted successfully']);
    }

    public function updateBookById(Request $request) {
        $id = $request->param('id');
        $title = $request->param('title');
        $author = $request->param('author');
        $book = ['title' => $title, 'author' => $author];
        Db::startTrans();
        try {
            Db::table('books')->where('id', $id)->update($book);
            Db::commit();
        } catch (\Exception $ex) {
            Db::rollback();
            return json(['message' => 'updating not successfully']);
        }
        return json(['message' => 'updated successfully']);
    }
}
[myth@contoso ~]$ cat /home/myth/www/bookstore/application/api/exception/Http.php
<?php
namespace app\api\exception;
use think\Request;
use think\exception\Handle;
use think\exception\HttpException;

class Http extends Handle {

    public function render(\Exception $e) {
        $request = new Request();
        if ($e instanceof HttpException) {
            $statusCode = $e->getStatusCode();
        }
        if (!isset($statusCode)) {
            $statusCode = 500;
        }
        $result = [
            'code' => $statusCode,
            'method' => $request->method(),
            'message' => $e->getMessage(),
            'url' => $request->url(true),
            'time' => $_SERVER['REQUEST_TIME']
        ];
        return json($result, $statusCode);
    }

}
[myth@contoso ~]$ cat /home/myth/www/bookstore/route/route.php
<?php

// GET    http://contoso.com/v1/books/2
Route::get(':version/books/:id', 'api/:version.Book/getBookById'); 
// POST   http://contoso.com/v1/books
Route::post(':version/books', 'api/:version.Book/addBook');  
// DELETE http://contoso.com/v1/books/2
Route::delete(':version/books/:id', 'api/:version.Book/deleteBookById'); 
// PUT    http://contoso.com/v1/books
Route::put(':version/books', 'api/:version.Book/updateBookById'); 
// GET    http://contoso.com/v1/books
Route::get(':version/books', 'api/:version.Book/getBooks');           
// GET    http://contoso.com/v1
Route::get(':version', 'api/Info/index');        
return [

];
[root@contoso ~]# systemctl disable firewalld && systemctl stop firewalld  


01). Install kong-community-edition On CentOS 7(192.168.10.60)

[root@contoso ~]# cat > /etc/yum.repos.d/kong-community-edition.repo  
[kong-community-edition]   
name=kong-community-edition   
baseurl=https://kong.bintray.com/kong-community-edition-rpm/centos/7   
gpgcheck=0   
repo_gpgcheck=0   
enabled=1 

[root@contoso ~]# yum install epel-release
[root@contoso ~]# yum install kong-community-edition

02). Install PostgreSQL Database(192.168.10.60)

[root@contoso ~]# yum install https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm

Install the client packages:
[root@contoso ~]# yum install postgresql10

Install the server packages:
[root@contoso ~]# yum install postgresql10-server

Initialize the database and enable automatic start:
[root@contoso ~]# /usr/pgsql-10/bin/postgresql-10-setup initdb  
Initializing database ... OK 

[root@contoso ~]# systemctl enable postgresql-10  
[root@contoso ~]# systemctl start postgresql-10  
[root@contoso ~]# systemctl status postgresql-10

03). Initialize the kong database for Kong Gateway (192.168.10.60)
[root@contoso ~]# adduser kong     # add a user named kong on CentOS7 
[root@contoso ~]# su - postgres    # switch to postgres user
-bash-4.2$ psql      # entering the PostgreSQL console using the psql command
psql (10.3)
Type "help" for help.

postgres=# \password postgres     # Set a password for the Postgres user
Enter new password: 123456
Enter it again: 123456
postgres=# CREATE USER kong WITH PASSWORD '123456';      # create the PostgreSQL role kong with password 123456
CREATE ROLE
postgres=# CREATE DATABASE kong OWNER kong;       # create the kong database, owned by the kong role
CREATE DATABASE
postgres=# GRANT ALL PRIVILEGES ON DATABASE kong to kong;   
GRANT
postgres=# \q      # or ctrl+D
-bash-4.2$ exit 

logout


[root@contoso ~]# vi  /var/lib/pgsql/10/data/postgresql.conf

In vi, find the line below:
#listen_addresses = 'localhost'         # what IP address(es) to listen on;

and change it to:
listen_addresses = '*'                  # what IP address(es) to listen on;


[root@contoso ~]# cat > /var/lib/pgsql/10/data/pg_hba.conf  
# PostgreSQL Client Authentication Configuration File  
# ===================================================  
#  
# Refer to the "Client Authentication" section in the PostgreSQL  
# documentation for a complete description of this file.  A short  
# synopsis follows.  
#  
# This file controls: which hosts are allowed to connect, how clients  
# are authenticated, which PostgreSQL user names they can use, which  
# databases they can access.  Records take one of these forms:  
#  
# local      DATABASE  USER  METHOD  [OPTIONS]  
# host       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]  
# hostssl    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]  
# hostnossl  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]  
#  
# (The uppercase items must be replaced by actual values.)  
#  
# The first field is the connection type: "local" is a Unix-domain  
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,  
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a  
# plain TCP/IP socket.  
#  
# DATABASE can be "all", "sameuser", "samerole", "replication", a  
# database name, or a comma-separated list thereof. The "all"  
# keyword does not match "replication". Access to replication  
# must be enabled in a separate record (see example below).  
#  
# USER can be "all", a user name, a group name prefixed with "+", or a  
# comma-separated list thereof.  In both the DATABASE and USER fields  
# you can also write a file name prefixed with "@" to include names  
# from a separate file.  
#  
# ADDRESS specifies the set of hosts the record matches.  It can be a  
# host name, or it is made up of an IP address and a CIDR mask that is  
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that  
# specifies the number of significant bits in the mask.  A host name  
# that starts with a dot (.) matches a suffix of the actual host name.  
# Alternatively, you can write an IP address and netmask in separate  
# columns to specify the set of hosts.  Instead of a CIDR-address, you  
# can write "samehost" to match any of the server's own IP addresses,  
# or "samenet" to match any address in any subnet that the server is  
# directly connected to.  
#  
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",  
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".  
# Note that "password" sends passwords in clear text; "md5" or  
# "scram-sha-256" are preferred since they send encrypted passwords.  
#  
# OPTIONS are a set of options for the authentication in the format  
# NAME=VALUE.  The available options depend on the different  
# authentication methods -- refer to the "Client Authentication"  
# section in the documentation for a list of which options are  
# available for which authentication methods.  
#  
# Database and user names containing spaces, commas, quotes and other  
# special characters must be quoted.  Quoting one of the keywords  
# "all", "sameuser", "samerole" or "replication" makes the name lose  
# its special character, and just match a database or username with  
# that name.  
#  
# This file is read on server startup and when the server receives a  
# SIGHUP signal.  If you edit the file on a running system, you have to  
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",  
# or execute "SELECT pg_reload_conf()".  
#  
# Put your actual configuration here  
# ----------------------------------  
#  
# If you want to allow non-local connections, you need to add more  
# "host" records.  In that case you will also need to make PostgreSQL  
# listen on a non-local interface via the listen_addresses  
# configuration parameter, or via the -i or -h command line switches.  
  
  
  
# TYPE  DATABASE        USER            ADDRESS                 METHOD  
  
# "local" is for Unix domain socket connections only  
local   all             all                                     md5  
# IPv4 local connections:  
host    all             all             127.0.0.1/32            md5  
host    all             all             0.0.0.0/0               md5  
# IPv6 local connections:  
host    all             all             ::1/128                 ident  
# Allow replication connections from localhost, by a user with the  
# replication privilege.  
local   replication     all                                     md5  
host    replication     all             127.0.0.1/32            ident  
host    replication     all             ::1/128                 ident 

[root@contoso ~]# systemctl restart postgresql-10
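The pg_hba.conf header above describes the record format and the first-match rule. The following script is an added example, not part of the original page or of PostgreSQL: it parses such a file, reports which record a given client connection would hit, and flags the `0.0.0.0/0` record that admits any host (Kong connects over 127.0.0.1, so the `127.0.0.1/32` record is all it needs). Host-name, `@file`, `+group`, `samerole`, `samehost` and `samenet` forms are a simplification here and never match.

```python
"""pg_hba.conf evaluator (added example): first matching record decides the METHOD.
Host-name, '@file', '+group', 'samerole', 'samehost' and 'samenet' forms are
treated as never matching (a simplification, not PostgreSQL behaviour)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the records from the page's pg_hba.conf, comments stripped.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     md5
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               md5
host    all             all             ::1/128                 ident
local   replication     all                                     md5
host    replication     all             127.0.0.1/32            ident
host    replication     all             ::1/128                 ident
"""

@dataclass
class HbaRule:
    lineno: int
    conn_type: str        # local | host | hostssl | hostnossl
    databases: list       # comma-separated DATABASE field, split
    users: list           # comma-separated USER field, split
    network: object       # ip_network, or None for local / host-name records
    method: str

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_pg_hba(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()          # drop comments; split on whitespace
        if not f:
            continue
        kind, network = f[0], None
        if kind == "local" and len(f) >= 4:
            method = f[3]
        elif kind in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            if "/" in f[3]:                       # ADDRESS/MASKLEN METHOD
                network, method = ipaddress.ip_network(f[3], strict=False), f[4]
            elif len(f) >= 6 and _is_ip(f[4]):    # ADDRESS NETMASK METHOD
                network = ipaddress.ip_network(f[3] + "/" + f[4], strict=False)
                method = f[5]
            else:                                 # host name: left unevaluated
                method = f[4]
        else:
            raise ValueError(f"line {lineno}: malformed record {raw!r}")
        rules.append(HbaRule(lineno, kind, f[1].split(","), f[2].split(","), network, method))
    return rules

def _matches(specs, value, is_db=False, user=None):
    """One DATABASE or USER field against a name; quoted keywords are literal names."""
    for s in specs:
        if s.startswith('"') and s.endswith('"'):
            if s[1:-1] == value:
                return True
        elif s == "all":
            if not (is_db and value == "replication"):   # 'all' never matches replication
                return True
        elif s == "sameuser" and is_db and value == user:
            return True
        elif s == value:
            return True
    return False

def match_rule(rules, database, user, client_addr=None, ssl=False):
    """First record matching the connection; client_addr=None means a Unix socket."""
    addr = ipaddress.ip_address(client_addr) if client_addr else None
    for r in rules:
        if addr is None:
            if r.conn_type != "local":
                continue
        else:
            if r.conn_type == "local" or r.network is None:
                continue
            if (r.conn_type == "hostssl" and not ssl) or (r.conn_type == "hostnossl" and ssl):
                continue
            if addr not in r.network:             # also False on an IPv4/IPv6 mismatch
                continue
        if _matches(r.databases, database, True, user) and _matches(r.users, user):
            return r
    return None                                   # no record: PostgreSQL rejects

def audit(rules):
    """Flag records that admit every address, or skip authentication over the network."""
    findings = []
    for r in rules:
        if r.network is not None and r.network.prefixlen == 0 and r.method != "reject":
            findings.append(f"line {r.lineno}: {r.conn_type} record admits every "
                            f"IPv{r.network.version} address with method {r.method}")
        elif r.network is not None and r.method == "trust":
            findings.append(f"line {r.lineno}: network record with method trust (no auth)")
    return findings
```

Run `match_rule(parse_pg_hba(SAMPLE_PG_HBA), "kong", "kong", "192.168.10.50")` to see that a connection from the macOS host lands on the `0.0.0.0/0` record, and `audit(...)` to have that record reported.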


[root@contoso ~]# cat > /etc/kong/kong.conf
# -----------------------  
# Kong configuration file  
# -----------------------  
#  
# The commented-out settings shown in this file represent the default values.  
#  
# This file is read when `kong start` or `kong prepare` are used. Kong  
# generates the Nginx configuration with the settings specified in this file.  
#  
# All environment variables prefixed with `KONG_` and capitalized will override  
# the settings specified in this file.  
# Example:  
#   `log_level` setting -> `KONG_LOG_LEVEL` env variable  
#  
# Boolean values can be specified as `on`/`off` or `true`/`false`.  
# Lists must be specified as comma-separated strings.  
#  
# All comments in this file can be removed safely, including the  
# commented-out properties.  
# You can verify the integrity of your settings with `kong check <conf>`.  
  
#------------------------------------------------------------------------------  
# GENERAL  
#------------------------------------------------------------------------------  
  
prefix = /usr/local/kong/       # Working directory. Equivalent to Nginx's  
                                 # prefix path, containing temporary files  
                                 # and logs.  
                                 # Each Kong process must have a separate  
                                 # working directory.  
  
#log_level = notice              # Log level of the Nginx server. Logs are  
                                 # found at <prefix>/logs/error.log.  
  
# Note: see http://nginx.org/en/docs/ngx_core_module.html#error_log for a list  
# of accepted values.  
  
#proxy_access_log = logs/access.log       # Path for proxy port request access  
                                          # logs. Set this value to `off` to  
                                          # disable logging proxy requests.  
                                          # If this value is a relative path,  
                                          # it will be placed under the  
                                          # `prefix` location.  
  
#proxy_error_log = logs/error.log         # Path for proxy port request error  
                                          # logs. Granularity of these logs is  
                                          # adjusted by the `log_level`  
                                          # directive.  
  
#admin_access_log = logs/admin_access.log # Path for Admin API request access  
                                          # logs. Set this value to `off` to  
                                          # disable logging Admin API requests.  
                                          # If this value is a relative path,  
                                          # it will be placed under the  
                                          # `prefix` location.  
  
#admin_error_log = logs/error.log         # Path for Admin API request error  
                                          # logs. Granularity of these logs is  
                                          # adjusted by the `log_level`  
                                          # directive.  
  
#custom_plugins =                # Comma-separated list of additional plugins  
                                 # this node should load.  
                                 # Use this property to load custom plugins  
                                 # that are not bundled with Kong.  
                                 # Plugins will be loaded from the  
                                 # `kong.plugins.{name}.*` namespace.  
  
#anonymous_reports = on          # Send anonymous usage data such as error  
                                 # stack traces to help improve Kong.  
  
#------------------------------------------------------------------------------  
# NGINX  
#------------------------------------------------------------------------------  
  
#proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl  
                         # Comma-separated list of addresses and ports on  
                         # which the proxy server should listen.  
                         # The proxy server is the public entrypoint of Kong,  
                         # which proxies traffic from your consumers to your  
                         # backend services. This value accepts IPv4, IPv6, and  
                         # hostnames.  
                         # Some suffixes can be specified for each pair:  
                         # - `ssl` will require that all connections made  
                         #   through a particular address/port be made with TLS  
                         #   enabled.  
                         # - `http2` will allow for clients to open HTTP/2  
                         #   connections to Kong's proxy server.  
                         # - Finally, `proxy_protocol` will enable usage of the  
                         #   PROXY protocol for a given address/port.  
                         #  
                         # This value can be set to `off`, thus disabling  
                         # the proxy port for this node, enabling a  
                         # 'control-plane' mode (without traffic proxying  
                         # capabilities) which can configure a cluster of  
                         # nodes connected to the same database.  
  
# Note: see http://nginx.org/en/docs/http/ngx_http_core_module.html#listen for  
# a description of the accepted formats for this and other *_listen values.  
  
# Note bis: see https://www.nginx.com/resources/admin-guide/proxy-protocol/  
# for more details about the `proxy_protocol` parameter.  
  
#admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 ssl  
                         # Comma-separated list of addresses and ports on  
                         # which the Admin interface should listen.  
                         # The Admin interface is the API allowing you to  
                         # configure and manage Kong.  
                         # Access to this interface should be *restricted*  
                         # to Kong administrators *only*. This value accepts  
                         # IPv4, IPv6, and hostnames.  
                         # Some suffixes can be specified for each pair:  
                         # - `ssl` will require that all connections made  
                         #   through a particular address/port be made with TLS  
                         #   enabled.  
                         # - `http2` will allow for clients to open HTTP/2  
                         #   connections to Kong's proxy server.  
                         # - Finally, `proxy_protocol` will enable usage of the  
                         #   PROXY protocol for a given address/port.  
                         #  
                         # This value can be set to `off`, thus disabling  
                         # the Admin interface for this node, enabling a  
                         # 'data-plane' mode (without configuration  
                         # capabilities) pulling its configuration changes  
                         # from the database.  
  
#nginx_user = nobody nobody      # Defines user and group credentials used by  
                                 # worker processes. If group is omitted, a  
                                 # group whose name equals that of user is  
                                 # used. Ex: [user] [group].  
  
#nginx_worker_processes = auto   # Determines the number of worker processes  
                                 # spawned by Nginx.  
  
#nginx_daemon = on               # Determines whether Nginx will run as a daemon  
                                 # or as a foreground process. Mainly useful  
                                 # for development or when running Kong inside  
                                 # a Docker environment.  
  
#mem_cache_size = 128m           # Size of the in-memory cache for database  
                                 # entities. The accepted units are `k` and  
                                 # `m`, with a minimum recommended value of  
                                 # a few MBs.  
  
#ssl_cipher_suite = modern       # Defines the TLS ciphers served by Nginx.  
                                 # Accepted values are `modern`,  
                                 # `intermediate`, `old`, or `custom`.  
  
# Note: see https://wiki.mozilla.org/Security/Server_Side_TLS for detailed  
# descriptions of each cipher suite.  
  
#ssl_ciphers =                   # Defines a custom list of TLS ciphers to be  
                                 # served by Nginx. This list must conform to  
                                 # the pattern defined by `openssl ciphers`.  
                                 # This value is ignored if `ssl_cipher_suite`  
                                 # is not `custom`.  
  
#ssl_cert =                      # The absolute path to the SSL certificate for  
                                 # `proxy_listen` values with SSL enabled.  
  
#ssl_cert_key =                  # The absolute path to the SSL key for  
                                 # `proxy_listen` values with SSL enabled.  
  
#client_ssl = off                # Determines if Nginx should send client-side  
                                 # SSL certificates when proxying requests.  
  
#client_ssl_cert =               # If `client_ssl` is enabled, the absolute  
                                 # path to the client SSL certificate for the  
                                 # `proxy_ssl_certificate` directive. Note that  
                                 # this value is statically defined on the  
                                 # node, and currently cannot be configured on  
                                 # a per-API basis.  
  
#client_ssl_cert_key =           # If `client_ssl` is enabled, the absolute  
                                 # path to the client SSL key for the  
                                 # `proxy_ssl_certificate_key` address. Note  
                                 # this value is statically defined on the  
                                 # node, and currently cannot be configured on  
                                 # a per-API basis.  
  
#admin_ssl_cert =                # The absolute path to the SSL certificate for  
                                 # `admin_listen` values with SSL enabled.  
  
#admin_ssl_cert_key =            # The absolute path to the SSL key for  
                                 # `admin_listen` values with SSL enabled.  
  
#upstream_keepalive = 60         # Sets the maximum number of idle keepalive  
                                 # connections to upstream servers that are  
                                 # preserved in the cache of each worker  
                                 # process. When this number is exceeded, the  
                                 # least recently used connections are closed.  
  
#server_tokens = on              # Enables or disables emitting Kong version on  
                                 # error pages and in the "Server" or "Via"  
                                 # (in case the request was proxied) response  
                                 # header field.  
  
#latency_tokens = on             # Enables or disables emitting Kong latency  
                                 # information in the "X-Kong-Proxy-Latency"  
                                 # and "X-Kong-Upstream-Latency" response  
                                 # header fields.  
  
#trusted_ips =                   # Defines trusted IP addresses blocks that are  
                                 # known to send correct X-Forwarded-* headers.  
                                 # Requests from trusted IPs make Kong forward  
                                 # their X-Forwarded-* headers upstream.  
                                 # Non-trusted requests make Kong insert its  
                                 # own X-Forwarded-* headers.  
                                 #  
                                 # This property also sets the  
                                 # `set_real_ip_from` directive(s) in the Nginx  
                                 # configuration. It accepts the same type of  
                                 # values (CIDR blocks) but as a  
                                 # comma-separated list.  
                                 #  
                                 # To trust *all* /!\ IPs, set this value to  
                                 # `0.0.0.0/0,::/0`.  
                                 #  
                                 # If the special value `unix:` is specified,  
                                 # all UNIX-domain sockets will be trusted.  
  
# Note: see http://nginx.org/en/docs/http/ngx_http_realip_module.html for  
# examples of accepted values.  
  
#real_ip_header = X-Real-IP      # Defines the request header field whose value  
                                 # will be used to replace the client address.  
                                 # This value sets the ngx_http_realip_module  
                                 # directive of the same name in the Nginx  
                                 # configuration.  
                                 # If set to `proxy_protocol`, then at least  
                                 # one of the `proxy_listen` entries must  
                                 # have the `proxy_protocol` flag enabled.  
  
# Note: see http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header  
# for a description of this directive.  
  
#real_ip_recursive = off         # This value sets the ngx_http_realip_module  
                                 # directive of the same name in the Nginx  
                                 # configuration.  
  
# Note: see http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive  
# for a description of this directive.  
  
#client_max_body_size = 0        # Defines the maximum request body size allowed  
                                 # by requests proxied by Kong, specified in  
                                 # the Content-Length request header. If a  
                                 # request exceeds this limit, Kong will  
                                 # respond with a 413 (Request Entity Too  
                                 # Large). Setting this value to 0 disables  
                                 # checking the request body size.  
  
# Note: see http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size  
# for further description of this parameter. Numeric values may be suffixed  
# with 'k' or 'm' to denote limits in terms of kilobytes or megabytes.  
  
#client_body_buffer_size = 8k    # Defines the buffer size for reading the  
                                 # request body. If the client request body is  
                                 # larger than this value, the body will be  
                                 # buffered to disk. Note that when the body is  
                                 # buffered to disk Kong plugins that access or  
                                 # manipulate the request body may not work, so  
                                 # it is advisable to set this value as high as  
                                 # possible (e.g., set it as high as  
                                 # `client_max_body_size` to force request  
                                 # bodies to be kept in memory). Do note that  
                                 # high-concurrency environments will require  
                                 # significant memory allocations to process  
                                 # many concurrent large request bodies.  
  
# Note: see http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size  
# for further description of this parameter. Numeric values may be suffixed  
# with 'k' or 'm' to denote limits in terms of kilobytes or megabytes.  
  
#error_default_type = text/plain  # Default MIME type to use when the request  
                                  # `Accept` header is missing and Nginx  
                                  # is returning an error for the request.  
                                  # Accepted values are `text/plain`,  
                                  # `text/html`, `application/json`, and  
                                  # `application/xml`.  
  
#------------------------------------------------------------------------------  
# DATASTORE  
#------------------------------------------------------------------------------  
  
# Kong will store all of its data (such as APIs, consumers and plugins) in  
# either Cassandra or PostgreSQL.  
#  
# All Kong nodes belonging to the same cluster must connect themselves to the  
# same database.  
  
database = postgres             # Determines which of PostgreSQL or Cassandra  
                                 # this node will use as its datastore.  
                                 # Accepted values are `postgres` and  
                                 # `cassandra`.  
  
pg_host = 127.0.0.1             # The PostgreSQL host to connect to.  
pg_port = 5432                  # The port to connect to.  
pg_user = kong                  # The username to authenticate if required.  
pg_password = 123456            # The password to authenticate if required.  
pg_database = kong              # The database name to connect to.  
  
#pg_ssl = off                    # Toggles client-server TLS connections  
                                 # between Kong and PostgreSQL.  
  
#pg_ssl_verify = off             # Toggles server certificate verification if  
                                 # `pg_ssl` is enabled.  
                                 # See the `lua_ssl_trusted_certificate`  
                                 # setting to specify a certificate authority.  
  
#cassandra_contact_points = 127.0.0.1  # A comma-separated list of contact  
                                       # points to your cluster.  
  
#cassandra_port = 9042           # The port on which your nodes are listening  
                                 # on. All your nodes and contact points must  
                                 # listen on the same port.  
  
#cassandra_keyspace = kong       # The keyspace to use in your cluster.  
  
#cassandra_timeout = 5000        # Defines the timeout (in ms), for reading  
                                 # and writing.  
  
#cassandra_ssl = off             # Toggles client-to-node TLS connections  
                                 # between Kong and Cassandra.  
  
#cassandra_ssl_verify = off      # Toggles server certificate verification if  
                                 # `cassandra_ssl` is enabled.  
                                 # See the `lua_ssl_trusted_certificate`  
                                 # setting to specify a certificate authority.  
  
#cassandra_username = kong       # Username when using the  
                                 # `PasswordAuthenticator` scheme.  
  
#cassandra_password =            # Password when using the  
                                 # `PasswordAuthenticator` scheme.  
  
#cassandra_consistency = ONE     # Consistency setting to use when reading/  
                                 # writing to the Cassandra cluster.  
  
#cassandra_lb_policy = RoundRobin  # Load balancing policy to use when  
                                   # distributing queries across your Cassandra  
                                   # cluster.  
                                   # Accepted values are `RoundRobin` and  
                                   # `DCAwareRoundRobin`.  
                                   # Prefer the latter if and only if you are  
                                   # using a multi-datacenter cluster.  
  
#cassandra_local_datacenter =    # When using the `DCAwareRoundRobin` load  
                                 # balancing policy, you must specify the name  
                                 # of the local (closest) datacenter for this  
                                 # Kong node.  
  
#cassandra_repl_strategy = SimpleStrategy  # When migrating for the first time,  
                                           # Kong will use this setting to  
                                           # create your keyspace.  
                                           # Accepted values are  
                                           # `SimpleStrategy` and  
                                           # `NetworkTopologyStrategy`.  
  
#cassandra_repl_factor = 1       # When migrating for the first time, Kong  
                                 # will create the keyspace with this  
                                 # replication factor when using the  
                                 # `SimpleStrategy`.  
  
#cassandra_data_centers = dc1:2,dc2:3  # When migrating for the first time,  
                                       # will use this setting when using the  
                                       # `NetworkTopologyStrategy`.  
                                       # The format is a comma-separated list  
                                       # made of <dc_name>:<repl_factor>.  
  
#cassandra_schema_consensus_timeout = 10000  # Defines the timeout (in ms) for  
                                             # the waiting period to reach a  
                                             # schema consensus between your  
                                             # Cassandra nodes.  
                                             # This value is only used during  
                                             # migrations.  
  
#------------------------------------------------------------------------------  
# DATASTORE CACHE  
#------------------------------------------------------------------------------  
  
# In order to avoid unnecessary communication with the datastore, Kong caches  
# entities (such as APIs, Consumers, Credentials...) for a configurable period  
# of time. It also handles invalidations if such an entity is updated.  
#  
# This section allows for configuring the behavior of Kong regarding the  
# caching of such configuration entities.  
  
#db_update_frequency = 5         # Frequency (in seconds) at which to check for  
                                 # updated entities with the datastore.  
                                 # When a node creates, updates, or deletes an  
                                 # entity via the Admin API, other nodes need  
                                 # to wait for the next poll (configured by  
                                 # this value) to eventually purge the old  
                                 # cached entity and start using the new one.  
  
#db_update_propagation = 0       # Time (in seconds) taken for an entity in the  
                                 # datastore to be propagated to replica nodes  
                                 # of another datacenter.  
                                 # When in a distributed environment such as  
                                 # a multi-datacenter Cassandra cluster, this  
                                 # value should be the maximum number of  
                                 # seconds taken by Cassandra to propagate a  
                                 # row to other datacenters.  
                                 # When set, this property will increase the  
                                 # time taken by Kong to propagate the change  
                                 # of an entity.  
                                 # Single-datacenter setups or PostgreSQL  
                                 # servers should suffer no such delays, and  
                                 # this value can be safely set to 0.  
  
#db_cache_ttl = 3600             # Time-to-live (in seconds) of an entity from  
                                 # the datastore when cached by this node.  
                                 # Database misses (no entity) are also cached  
                                 # according to this setting.  
                                 # If set to 0, such cached entities/misses  
                                 # never expire.  
  
#------------------------------------------------------------------------------  
# DNS RESOLVER  
#------------------------------------------------------------------------------  
  
# By default the DNS resolver will use the standard configuration files  
# `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be  
# overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if  
# they have been set.  
  
#dns_resolver =                  # Comma separated list of nameservers, each  
                                 # entry in `ip[:port]` format to be used by  
                                 # Kong. If not specified the nameservers in  
                                 # the local `resolv.conf` file will be used.  
                                 # Port defaults to 53 if omitted. Accepts  
                                 # both IPv4 and IPv6 addresses.  
  
#dns_hostsfile = /etc/hosts      # The hosts file to use. This file is read  
                                 # once and its content is static in memory.  
                                 # To read the file again after modifying it,  
                                 # Kong must be reloaded.  
  
#dns_order = LAST,SRV,A,CNAME    # The order in which to resolve different  
                                 # record types. The `LAST` type means the  
                                 # type of the last successful lookup (for the  
                                 # specified name). The format is a (case  
                                 # insensitive) comma separated list.  
  
#dns_stale_ttl = 4               # Defines, in seconds, how long a record will  
                                 # remain in cache past its TTL. This value  
                                 # will be used while the new DNS record is  
                                 # fetched in the background.  
                                 # Stale data will be used from expiry of a  
                                 # record until either the refresh query  
                                 # completes, or the `dns_stale_ttl` number of  
                                 # seconds have passed.  
  
#dns_not_found_ttl = 30          # TTL in seconds for empty DNS responses and  
                                 # "(3) name error" responses.  
  
#dns_error_ttl = 1               # TTL in seconds for error responses.  
  
#dns_no_sync = off               # If enabled, then upon a cache-miss every  
                                 # request will trigger its own dns query.  
                                 # When disabled multiple requests for the  
                                 # same name/type will be synchronised to a  
                                 # single query.  
  
#------------------------------------------------------------------------------  
# DEVELOPMENT & MISCELLANEOUS  
#------------------------------------------------------------------------------  
  
# Additional settings inherited from lua-nginx-module allowing for more  
# flexibility and advanced usage.  
#  
# See the lua-nginx-module documentation for more information:  
# https://github.com/openresty/lua-nginx-module  
  
#lua_ssl_trusted_certificate =   # Absolute path to the certificate  
                                 # authority file for Lua cosockets in PEM  
                                 # format. This certificate will be the one  
                                 # used for verifying Kong's database  
                                 # connections, when `pg_ssl_verify` or  
                                 # `cassandra_ssl_verify` are enabled.  
  
#lua_ssl_verify_depth = 1        # Sets the verification depth in the server  
                                 # certificates chain used by Lua cosockets,  
                                 # set by `lua_ssl_trusted_certificate`.  
                                 # This includes the certificates configured  
                                 # for Kong's database connections.  
  
#lua_package_path =              # Sets the Lua module search path (LUA_PATH).  
                                 # Useful when developing or using custom  
                                 # plugins not stored in the default search  
                                 # path.  
  
#lua_package_cpath =             # Sets the Lua C module search path  
                                 # (LUA_CPATH).  
  
#lua_socket_pool_size = 30       # Specifies the size limit for every cosocket  
                                 # connection pool associated with every remote  
                                 # server.  

[root@contoso ~]# systemctl restart postgresql-10


[root@contoso ~]# ulimit -n  
1024  
[root@contoso ~]# cat >> /etc/security/limits.conf  
* soft nofile 65536  
* hard nofile 65536  
  
[root@contoso ~]# ulimit -n 65536  
[root@contoso ~]# ulimit -n  
65536 


[root@contoso ~]# kong migrations up  
migrating core for database kong  
core migrated up to: 2015-01-12-175310_skeleton  
core migrated up to: 2015-01-12-175310_init_schema  
core migrated up to: 2015-11-23-817313_nodes  
core migrated up to: 2016-02-29-142793_ttls  
core migrated up to: 2016-09-05-212515_retries  
core migrated up to: 2016-09-16-141423_upstreams  
core migrated up to: 2016-12-14-172100_move_ssl_certs_to_core  
core migrated up to: 2016-11-11-151900_new_apis_router_1  
core migrated up to: 2016-11-11-151900_new_apis_router_2  
core migrated up to: 2016-11-11-151900_new_apis_router_3  
core migrated up to: 2016-01-25-103600_unique_custom_id  
core migrated up to: 2017-01-24-132600_upstream_timeouts  
core migrated up to: 2017-01-24-132600_upstream_timeouts_2  
core migrated up to: 2017-03-27-132300_anonymous  
core migrated up to: 2017-04-18-153000_unique_plugins_id  
core migrated up to: 2017-04-18-153000_unique_plugins_id_2  
core migrated up to: 2017-05-19-180200_cluster_events  
core migrated up to: 2017-05-19-173100_remove_nodes_table  
core migrated up to: 2017-06-16-283123_ttl_indexes  
core migrated up to: 2017-07-28-225000_balancer_orderlist_remove  
core migrated up to: 2017-10-02-173400_apis_created_at_ms_precision  
core migrated up to: 2017-11-07-192000_upstream_healthchecks  
core migrated up to: 2017-10-27-134100_consistent_hashing_1  
core migrated up to: 2017-11-07-192100_upstream_healthchecks_2  
core migrated up to: 2017-10-27-134100_consistent_hashing_2  
core migrated up to: 2017-09-14-121200_routes_and_services  
core migrated up to: 2017-10-25-180700_plugins_routes_and_services  
migrating response-transformer for database kong  
response-transformer migrated up to: 2016-05-04-160000_resp_trans_schema_changes  
migrating ip-restriction for database kong  
ip-restriction migrated up to: 2016-05-24-remove-cache  
migrating statsd for database kong  
statsd migrated up to: 2017-06-09-160000_statsd_schema_changes  
migrating jwt for database kong  
jwt migrated up to: 2015-06-09-jwt-auth  
jwt migrated up to: 2016-03-07-jwt-alg  
jwt migrated up to: 2017-05-22-jwt_secret_not_unique  
jwt migrated up to: 2017-07-31-120200_jwt-auth_preflight_default  
jwt migrated up to: 2017-10-25-211200_jwt_cookie_names_default  
migrating cors for database kong  
cors migrated up to: 2017-03-14_multiple_orgins  
migrating basic-auth for database kong  
basic-auth migrated up to: 2015-08-03-132400_init_basicauth  
basic-auth migrated up to: 2017-01-25-180400_unique_username  
migrating key-auth for database kong  
key-auth migrated up to: 2015-07-31-172400_init_keyauth  
key-auth migrated up to: 2017-07-31-120200_key-auth_preflight_default  
migrating ldap-auth for database kong  
ldap-auth migrated up to: 2017-10-23-150900_header_type_default  
migrating hmac-auth for database kong  
hmac-auth migrated up to: 2015-09-16-132400_init_hmacauth  
hmac-auth migrated up to: 2017-06-21-132400_init_hmacauth  
migrating datadog for database kong  
datadog migrated up to: 2017-06-09-160000_datadog_schema_changes  
migrating tcp-log for database kong  
tcp-log migrated up to: 2017-12-13-120000_tcp-log_tls  
migrating acl for database kong  
acl migrated up to: 2015-08-25-841841_init_acl  
migrating response-ratelimiting for database kong  
response-ratelimiting migrated up to: 2015-08-03-132400_init_response_ratelimiting  
response-ratelimiting migrated up to: 2016-08-04-321512_response-rate-limiting_policies  
response-ratelimiting migrated up to: 2017-12-19-120000_add_route_and_service_id_to_response_ratelimiting  
migrating request-transformer for database kong  
request-transformer migrated up to: 2016-05-04-160000_req_trans_schema_changes  
migrating rate-limiting for database kong  
rate-limiting migrated up to: 2015-08-03-132400_init_ratelimiting  
rate-limiting migrated up to: 2016-07-25-471385_ratelimiting_policies  
rate-limiting migrated up to: 2017-11-30-120000_add_route_and_service_id  
migrating oauth2 for database kong  
oauth2 migrated up to: 2015-08-03-132400_init_oauth2  
oauth2 migrated up to: 2016-07-15-oauth2_code_credential_id  
oauth2 migrated up to: 2016-12-22-283949_serialize_redirect_uri  
oauth2 migrated up to: 2016-09-19-oauth2_api_id  
oauth2 migrated up to: 2016-12-15-set_global_credentials  
oauth2 migrated up to: 2017-04-24-oauth2_client_secret_not_unique  
oauth2 migrated up to: 2017-10-19-set_auth_header_name_default  
oauth2 migrated up to: 2017-10-11-oauth2_new_refresh_token_ttl_config_value  
oauth2 migrated up to: 2018-01-09-oauth2_pg_add_service_id  
62 migrations ran   

At this point all the preparatory work is done, so let me get to my question.

Configuring a book service with Kong
After installing and starting Kong, use the Kong Admin API on port 8001 to add a service named book.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'
HTTP/1.1 201 Created
Date: Tue, 15 May 2018 04:32:16 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "host": "contoso.com", 
    "created_at": 1526329936, 
    "connect_timeout": 60000, 
    "id": "dc04cc57-84f2-4750-9374-51212fb7d4d9", 
    "protocol": "http", 
    "name": "book", 
    "read_timeout": 60000, 
    "port": 80, 
    "path": "/v1/books", 
    "updated_at": 1526329936, 
    "retries": 5, 
    "write_timeout": 60000
}
[root@contoso ~]# 

Add a route (the value of paths[] must match the /v1/books path of the book service).
This exposes the book service for user access; the book service does not need more than one route.
Attention, attention, attention: this is an important parameter, so I repeat it 3 times.
When the service is used with cross-origin resource sharing (CORS), the route must not be
configured with the --data 'hosts[]=contoso.com' parameter value.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Tue, 15 May 2018 04:32:41 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526329961, 
    "strip_path": true, 
    "hosts": null, 
    "preserve_host": false, 
    "regex_priority": 0, 
    "updated_at": 1526329961, 
    "paths": [
        "/v1/books"
    ], 
    "service": {
        "id": "dc04cc57-84f2-4750-9374-51212fb7d4d9"
    }, 
    "methods": null, 
    "protocols": [
        "http", 
        "https"
    ], 
    "id": "e3f55181-46ed-4054-97af-655011382b5f"
}
[root@contoso ~]# 

We can check that the book service and its route are configured correctly:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Tue, 15 May 2018 04:48:27 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 35
X-Kong-Proxy-Latency: 56
Via: kong/0.13.1

[
    {
        "id": 1, 
        "title": "Fashion That Changed the World", 
        "author": "Jennifer Croll"
    }, 
    {
        "id": 2, 
        "title": "Brigitte Bardot - My Life in Fashion", 
        "author": "Henry-Jean Servat and Brigitte Bardot"
    }, 
    {
        "id": 3, 
        "title": "The Fashion Image", 
        "author": "Thomas Werner"
    }
]
[root@contoso ~]#


Configure the cross-origin resource sharing (CORS) plugin for the book service.
URL format: http://localhost:8001/services/{name of service}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=cors"  \
--data "config.origins=http://contoso.org" \
--data "config.methods=GET, POST" \
--data "config.headers=Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Auth-Token" \
--data "config.exposed_headers=X-Auth-Token" \
--data "config.credentials=true" \
--data "config.max_age=3600"
HTTP/1.1 201 Created
Date: Tue, 15 May 2018 04:49:58 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526359799000, 
    "config": {
        "methods": [
            "GET", 
            "POST"
        ], 
        "exposed_headers": [
            "X-Auth-Token"
        ], 
        "max_age": 3600, 
        "headers": [
            "Accept", 
            "Accept-Version", 
            "Content-Length", 
            "Content-MD5", 
            "Content-Type", 
            "Date", 
            "X-Auth-Token"
        ], 
        "credentials": true, 
        "origins": [
            "http://contoso.org"
        ], 
        "preflight_continue": false
    }, 
    "id": "4535300f-9a2d-4c06-bad1-a6a237dacb9c", 
    "enabled": true, 
    "service_id": "dc04cc57-84f2-4750-9374-51212fb7d4d9", 
    "name": "cors"
}
[root@contoso ~]#

Enable and configure the cross-origin resource sharing (CORS) plugin on the route {route_id}
of the book service.
The value of the {route_id} parameter is the id of the route created above
without the --data 'hosts[]=contoso.com' parameter.
URL format: http://localhost:8001/routes/{route_id}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/e3f55181-46ed-4054-97af-655011382b5f/plugins \
--data "name=cors"  \
--data "config.origins=http://contoso.org" \
--data "config.methods=GET, POST" \
--data "config.headers=Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Auth-Token" \
--data "config.exposed_headers=X-Auth-Token" \
--data "config.credentials=true" \
--data "config.max_age=3600"
HTTP/1.1 201 Created
Date: Tue, 15 May 2018 04:50:26 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526359827000, 
    "config": {
        "methods": [
            "GET", 
            "POST"
        ], 
        "exposed_headers": [
            "X-Auth-Token"
        ], 
        "max_age": 3600, 
        "headers": [
            "Accept", 
            "Accept-Version", 
            "Content-Length", 
            "Content-MD5", 
            "Content-Type", 
            "Date", 
            "X-Auth-Token"
        ], 
        "credentials": true, 
        "origins": [
            "http://contoso.org"
        ], 
        "preflight_continue": false
    }, 
    "id": "f050287f-e5b0-457c-acb9-19c417e9d888", 
    "enabled": true, 
    "route_id": "e3f55181-46ed-4054-97af-655011382b5f", 
    "name": "cors"
}
[root@contoso ~]# 

Enable the Basic Authentication plugin on the route {route_id} of the book service.
basic-auth can be replaced with any of the other 8 authentication types.

I do not give examples for the other 8 authentication types;
if I wanted to give 9 examples, I guess I could write a book about Kong authentication.
That book would probably have many pages, so I will not show off my practical skills here.
 
URL format: http://localhost:8001/routes/{route_id}/plugins  
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/e3f55181-46ed-4054-97af-655011382b5f/plugins \
--data "name=basic-auth" \
--data "config.hide_credentials=true"
HTTP/1.1 201 Created
Date: Tue, 15 May 2018 04:51:21 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526359881000, 
    "config": {
        "hide_credentials": true, 
        "anonymous": ""
    }, 
    "id": "f7b31c03-516e-4630-a6a1-adb1a0b943a0", 
    "enabled": true, 
    "route_id": "e3f55181-46ed-4054-97af-655011382b5f", 
    "name": "basic-auth"
}
[root@contoso ~]#

Add the first consumer, with username jack. The {custom_id} parameter can be omitted;
it is a custom unique identifier.
The purpose of {custom_id} is to map the consumer jack to another database.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Tue, 15 May 2018 04:51:48 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526359909000, 
    "username": "jack", 
    "id": "54c7c9fc-8f17-4450-808c-3dc6f599f313"
}
[root@contoso ~]#

Add Basic Authentication credentials for the first user, jack.  
URL format: http://localhost:8001/consumers/{username or consumer_id}/basic-auth  
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/basic-auth \
--data "username=jack@hotmail.com" \
--data "password=123456"
HTTP/1.1 201 Created
Date: Tue, 15 May 2018 04:52:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526359945000, 
    "id": "35bfcf16-22da-4e13-a492-4dd01181a224", 
    "username": "jack@hotmail.com", 
    "password": "cbc6a55af01741fa3e63fbc9f7172a18635b6703", 
    "consumer_id": "54c7c9fc-8f17-4450-808c-3dc6f599f313"
}
[root@contoso ~]#

An online base64 tool is available at http://tool.oschina.net/encrypt?type=3  
The base64 value of the key-value pair jack@hotmail.com:123456 is:  
amFja0Bob3RtYWlsLmNvbToxMjM0NTY=  
When user jack signs in and passes Basic Authentication, we get one book record (id = 3):
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/3 \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbToxMjM0NTY="
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Tue, 15 May 2018 04:52:52 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
Vary: Origin
Access-Control-Allow-Origin: http://contoso.org
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: X-Auth-Token
X-Kong-Upstream-Latency: 30
X-Kong-Proxy-Latency: 41
Via: kong/0.13.1

[
    {
        "id": 3, 
        "title": "The Fashion Image", 
        "author": "Thomas Werner"
    }
]
[root@contoso ~]#

Enable the IP whitelist to restrict access to the service named book.
At this moment all user types appear to be on a blacklist
(it behaves like a blacklist classification, but no blacklist is defined),
because no user is associated with the whitelist.

A command that defines both a whitelist and a blacklist is a wrong command format.

URL format: http://contoso.org:8001/services/{service}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=ip-restriction"  \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"
HTTP/1.1 201 Created
Date: Tue, 15 May 2018 04:54:00 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526360040000, 
    "config": {
        "whitelist": [
            "192.168.10.50", 
            "192.168.43.0/24"
        ]
    }, 
    "id": "ce6b4673-bbe3-4ede-8844-5d5302054a20", 
    "enabled": true, 
    "service_id": "dc04cc57-84f2-4750-9374-51212fb7d4d9", 
    "name": "ip-restriction"
}

After executing the terminal command above, the next step is to use all kinds of browsers
on the client side of the Windows 10 system (192.168.43.131)
to access the web address below:
http://contoso.org:8000/v1/books   

The webpage shows: {"message":"Your IP address is not allowed"},
and jack's Basic Authentication passed successfully; this is OK!

But all kinds of browsers on the client side of the macOS system (192.168.10.50),
accessing the web address below:
http://contoso.org:8000/v1/books 
show:
[
    {
        "id": 1, 
        "title": "Fashion That Changed the World", 
        "author": "Jennifer Croll"
    }, 
    {
        "id": 2, 
        "title": "Brigitte Bardot - My Life in Fashion", 
        "author": "Henry-Jean Servat and Brigitte Bardot"
    }, 
    {
        "id": 3, 
        "title": "The Fashion Image", 
        "author": "Thomas Werner"
    }
]

The browser should also correctly return {"message":"Your IP address is not allowed"},
but it is obviously wrong that it penetrates the Kong Gateway and returns the books data.

[root@contoso ~]# 


Enable the IP whitelist to restrict access to the route of the service named book.

At this moment all user types appear to be on a blacklist
(it behaves like a blacklist classification, but no blacklist is defined),
because no user is associated with the whitelist.

A command that defines both a whitelist and a blacklist is a wrong command format.

URL format: http://localhost:8001/routes/{route_id}/plugins
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/routes/e3f55181-46ed-4054-97af-655011382b5f/plugins \
--data "name=ip-restriction"  \
--data "config.whitelist=192.168.10.50, 192.168.43.0/24"

HTTP/1.1 201 Created
Date: Tue, 15 May 2018 05:14:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1526361296000, 
    "config": {
        "whitelist": [
            "192.168.10.50", 
            "192.168.43.0/24"
        ]
    }, 
    "id": "d96eb2d5-0a8d-470a-b253-a78d14773bc1", 
    "enabled": true, 
    "route_id": "e3f55181-46ed-4054-97af-655011382b5f", 
    "name": "ip-restriction"
}

After executing the terminal commands above,
test http://contoso.org:8000/v1/books once again in the browser on the macOS system;
the webpage shows:
[
    {
        "id": 1, 
        "title": "Fashion That Changed the World", 
        "author": "Jennifer Croll"
    }, 
    {
        "id": 2, 
        "title": "Brigitte Bardot - My Life in Fashion", 
        "author": "Henry-Jean Servat and Brigitte Bardot"
    }, 
    {
        "id": 3, 
        "title": "The Fashion Image", 
        "author": "Thomas Werner"
    }
]

I can affirm the conclusion:
the browser on the client side of the macOS system (192.168.10.50) can penetrate
the Whitelist IP Restriction of Kong on the CentOS 7 system (192.168.10.60)

[root@contoso ~]# 
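The allow/deny outcomes above depend entirely on the source address of the TCP connection as Kong sees it, matched against the whitelist of single addresses and CIDR ranges. The following is an added check, not Kong's code or the page's own: it evaluates the page's whitelist against the addresses from the test environment listed at the top of the page, including both addresses the Windows host carries (192.168.43.131 on its own network and 192.168.10.1 on the VMnet1 adapter); which of those a given request arrives with is decided by the host's routing, which this check does not model.

```python
"""Added example (not Kong's code): evaluate a Kong ip-restriction
whitelist the way the plugin does it conceptually, i.e. by matching the
source address of the connection against single addresses and CIDR ranges."""
import ipaddress

# The whitelist configured on the page:
# --data "config.whitelist=192.168.10.50, 192.168.43.0/24"
WHITELIST = "192.168.10.50, 192.168.43.0/24"


def parse_whitelist(value):
    """Split the comma-separated `config.whitelist` value into networks.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network, so a single
    membership loop serves both addresses and ranges."""
    networks = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def is_allowed(client_ip, whitelist):
    """Return True when client_ip falls inside any whitelisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_whitelist(whitelist))


def decision(client_ip, whitelist=WHITELIST):
    """Reproduce the two outcomes seen on the page: the JSON error body when
    the source address is not whitelisted, or 'proxied' when it is."""
    if is_allowed(client_ip, whitelist):
        return "proxied"
    return '{"message":"Your IP address is not allowed"}'


if __name__ == "__main__":
    # Source addresses taken from the test environment described on the page.
    candidates = [
        ("macOS guest, 192.168.10.50", "192.168.10.50"),
        ("Windows host, own network address 192.168.43.131", "192.168.43.131"),
        ("Windows host, VMnet1 adapter address 192.168.10.1", "192.168.10.1"),
    ]
    for label, ip in candidates:
        print(f"{label}: {decision(ip)}")
```

Only a request whose source address Kong observes as 192.168.10.50 or inside 192.168.43.0/24 is proxied; a request arriving from the VMnet1 adapter address 192.168.10.1 receives the error body.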

Why is this? Please tell me. I skipped lunch to translate my Chinese problem into English,
and I have begun to admire my own spirit of studying technology.
https://github.com/Kong/kong/issues/3455