aditya khot

Reputation: 45

Why does Kong route requests to a non-configured regex path?

I'm using Kong v2.1.2

On my upstream server I have these APIs:

1. GET /v1/country
2. GET /v1/country/{country_code}/brands
3. GET /v1/country/{country_code}/brands/{brand_code}/types

I have configured paths 1 and 2 on Kong routes with the host header "example.com", and I can access APIs 1 and 2 through Kong. But the interesting thing is, I can access the 3rd API too with the same host header, even though it is not configured in Kong.

So the question is: how can Kong reach APIs that are not configured, and how can I disallow requests that are not configured in Kong but are present on the upstream server?

Please help me to understand this.

Thank you!

Upvotes: 1

Views: 4818

Answers (2)

phancuongviet

Reputation: 435

You can refer to the priority of regex expressions at the following link:

https://docs.konghq.com/gateway/latest/how-kong-works/routing-traffic/ -> Evaluation order

Upvotes: 0

Ôrel

Reputation: 7642

The trick here is that, in the Route configuration, the path parameter is a regex.

If the Route is defined with path /api/v1/resources, then /api/v1/resources/10/private-subresource is a valid request to match.

Now imagine /api/v1/resources/{id}/private-subresource is an endpoint of your ms that should not be exposed by Kong, but /api/v1/resources is; then you can, without knowing it, expose private data to the internet.

To avoid this, you can limit the scope of the Route path in the definition using $:

- name: get-resources
  methods:
  - GET
  paths:
  - /api/v1/resources$

/api/v1/resources/{id}/private-subresource is no longer a valid match for the Route.

Upvotes: 0
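As an added illustration of the answer above (this is not Kong's code, and not part of the original post), the script below models Kong 2.x path evaluation in a few lines of Python: a route path with no regex metacharacters is a prefix match, while a path containing any metacharacter is treated as a regex anchored at the start of the request path. It then audits a constructed list of upstream endpoints against the loose route `/api/v1/resources` and the `$`-anchored route, reporting which non-public endpoints each one lets through. The `REGEX_META` heuristic, the sample paths and the `INTENDED_PUBLIC` set are assumptions made for the example; note also that Kong 3.x changed the convention and requires regex paths to be written with a leading `~`, so check the documentation for your version.

```python
import re

# Simplified model of Kong 2.x route path evaluation, written for this answer
# as an added illustration (not Kong's own matching code). In Kong 2.x a route
# path with no regex metacharacters is a prefix match; one that contains any
# is compiled as a regex anchored at the start of the request path. Kong 3.x
# instead expects an explicit "~" prefix for regex paths (version caveat).
REGEX_META = set(r"\^$.|?*+()[]{}")  # assumed metacharacter set for the model


def is_regex_path(route_path: str) -> bool:
    """Kong 2.x heuristic: any regex metacharacter makes the path a regex."""
    return any(ch in REGEX_META for ch in route_path)


def path_matches(route_path: str, request_path: str) -> bool:
    """Does a single configured route path admit this request path?"""
    if is_regex_path(route_path):
        # Kong anchors regex paths at the start of the request path;
        # re.match does the same, so "$" is what pins the end.
        return re.match(route_path, request_path) is not None
    # Plain paths are prefix matches, which is the root of the surprise:
    # /api/v1/resources also admits /api/v1/resources/10/private-subresource.
    return request_path.startswith(route_path)


def reachable_through_kong(route_paths, request_paths):
    """Return the request paths that at least one configured route admits."""
    return [p for p in request_paths
            if any(path_matches(r, p) for r in route_paths)]


# Constructed sample: what the upstream actually serves (with a concrete id
# substituted for the {id} template from the answer) versus what was meant
# to be reachable through the gateway.
UPSTREAM = [
    "/api/v1/resources",
    "/api/v1/resources/10/private-subresource",
]
INTENDED_PUBLIC = {"/api/v1/resources"}


def audit(route_paths):
    """Upstream paths reachable via Kong that were not meant to be exposed."""
    reachable = reachable_through_kong(route_paths, UPSTREAM)
    return sorted(set(reachable) - INTENDED_PUBLIC)


if __name__ == "__main__":
    # Loose route: the private subresource leaks through the prefix match.
    print("loose route exposes:", audit(["/api/v1/resources"]))
    # Anchored route: only the intended endpoint is reachable.
    print("anchored route exposes:", audit(["/api/v1/resources$"]))
```

Running `audit` over the real list of upstream endpoints (for instance, the paths from the service's OpenAPI document) before deploying a route change is a cheap way to catch this class of over-exposure without waiting for someone to find it on the public side.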
