I am using SG version 2.5 in my company internally. The SG is in the DMZ and providing a public WebSocket over the internet for the mobile devices. The public admin api is available for other BE services.
My security officer asked me if the SG public admin API requires authentication? according to this: https://docs.couchbase.com/sync-gateway/current/admin-rest-api.html there is no authentication in the public admin api.
My security officer has concerns! cause if someone knows the endpunkt he can simply use the public admin api internally
Is there a way to secure the access to SG? what are the best practices here?
You are correct that the admin API has no built-in authentication mechanism. As described in the docs, the intention is that the admin API is never bound to a public network interface.
We usually suggest using SSH tunnels to be able to perform operations on the admin API which is only bound to localhost. That way, a user must have a valid login to the server running Sync Gateway to be able to perform admin requests.
If you want to selectively control access internally without SSH tunnels, it might be worth looking at setting up something like an nginx proxy that can provide the authentication you require, which can then proxy traffic to localhost:4985.