3

I have sucessfully installed kong gateway for an API which load balance via upstream to multiple targets (application servers).

Now, I have a self-signed certificate for my application servers, the ssl handshake should fail between kong and the targets. I deduced that kong does not verify upstream certificate.

After some researches, I have found ssl_proxy on; configuration for nginx that would do it right.

I would like to find an equivalent of that in openresty in order to verify upstreams ssl certificate.

The solution could be to modify kong nginx configuration to activate ssl_proxy but crappy with different targets on the same instance.

knotito
  • 1,382
  • 1
  • 12
  • 18

3 Answers3

3

I would have expected you to do it the other way around: Let your backend service verify that Kong has a specific SSL certificate when it contacts your services, so that in effect only Kong can connect to the services, and in consequence, any API clients must go via Kong to connect.

We did that for wicked.haufe.io, with Kong 0.11.0, and you can find a suitable nginx_conf.lua file here: https://github.com/apim-haufe-io/wicked.kong/blob/master/templates/nginx_kong.lua

The interesting bit here is:

proxy_ssl_certificate /root/proxy-cert.pem;
proxy_ssl_certificate_key /root/proxy-key.pem;

Which specifies the certificate and key which nginx uses to do proxying calls to backend services. This is heeded by Kong.

By checking what we did for the Kong docker image for wicked.haufe.io, you should be able to adapt to your own needs; the other interesting bit is startup.sh, where the certificate/key is extracted from environment variables and added to the /root/proxy-...pem files.

halfer
  • 19,824
  • 17
  • 99
  • 186
donmartin
  • 1,753
  • 2
  • 15
  • 30
1

I managed to get this to work with Kong 0.14.x by setting the following environment variables: KONG_NGINX_HTTP_PROXY_SSL_VERIFY: "on" KONG_NGINX_HTTP_PROXY_SSL_TRUSTED_CERTIFICATE: "/mnt/certs/ca.crt" (Adjust the latter to point to your custom CA certs file.)

This uses the "KONG_NGINX_HTTP_" prefix to set arbitrary nginx 'http' settings.

This doesn't seem to be working with Kong 1.0.x though. Currently trying to find a solution for that...

Mr Weasel
  • 82
  • 5
0

Notice the comment on client_ssl in kong configuration :

If 'client_ssl' is enabled, the absolute path to the client SSL certificate for the 'proxy_ssl_certificate directive. Note that this value is statically defined on the node, and currently cannot be configured on a per-API basis.

It is not currently possible.

knotito
  • 1,382
  • 1
  • 12
  • 18