Upstream TLS with Kong

TLS is pervasive on the public Internet, but TLS within a local network, much less. That is changing with easier, better tooling around TLS and PKI. Kong Gateway provides support for TLS between Kong and Upstream servers out of the box for Open-Source as well as Enterprise versions.

The basics

To enable TLS between Kong and upstream Service, you need to do a few things:

  1. Ensure that service.port within a Kong Service is set to the appropriate port. This is usually 443 for HTTPS traffic. The Upstream service may be listening on a different port.
  2. Ensure that the service.protocol is set to ‘https’. If Kong is proxying non-HTTP traffic, set this field to ‘tls’.

This will ensure that any traffic between Kong and the upstream ‘Service’ is secured with TLS.

TLS verification

Kong can verify if the Upstream server’s certificate is signed by a trusted CA and if the certificate provided is valid or not.
This is controlled by a few knobs on the Service entity:

  1. tls_verify: This knob controls if Kong is going to verify the upstream server’s certificate or not.
  2. tls_verify_depth: This knob controls how many certificates in a chain Kong will validate. This can be used to verify the entire chain of trust or only the first n certificates in the chain.
  3. ca_certificates: Specify the CA certificate to use to verify the Upstream server certificate. You can use this setting to define a CA on a per-Service basis. The CAs themselves are defined using another Admin API entity called CA-certificates. If you would like Kong to use a set of CAs across all Services, you can use the proxy_ssl_trusted_certificate nginx directive for that purpose. Please refer to nginx directive injection in Kong.

If you are using TLS between Kong and Upstream Server, please always verify the Upstream Server’s certificate, or else Kong will be prone to MITM attacks.

Mutual TLS

Kong supports Mutual TLS, popularly referred to as mTLS.
Use the ‘client_certificate’ field on the Service or Upstream (if you are using Upstreams in Kong) to specify the client Certificate that Kong must use to authenticate with the Upstream Service. The client certificate and key pair can be managed via Certificates entity on the Kong Admin API.

Please reach out on Github Discussions or Kong Nation if you need further help.