secure-access-configure-admin-api-loopback-with-ssl

This is a bonus exercise. Using the configurations from the previous exercises, you should be able to secure access to the Admin API through a loopback API over HTTPS.

Reference previous exercises.

Overview:

There are four scenarios in which you would use SSL/TLS certificates with Kong to secure access:

  1. Kong Admin API
  2. Client to Kong API
  3. Kong to Upstream API
  4. Database Certificate

Scenario

In this exercise, you will configure the Kong Admin API loopback with SSL (scenario 1 above).

You want to expose the Admin port to the internet, but allow only authenticated administrators who come from a specific IP range and belong to an admin ACL group, and only over HTTPS.

High Level Tasks

  1. Provision a loopback API in front of the Admin API (upstream_url pointing at the local Admin port)
  2. Configure authentication for an admin user only (e.g. basic-auth instead of key-auth)
  3. Restrict it with an ACL (admin_group)
  4. Restrict it by source IP (ip-restriction)
  5. Create a self-signed certificate
  6. Serve the Admin API loopback with that certificate
  7. Allow access over HTTPS only (https_only)
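The seven tasks above as one script against the Kong 0.11-era Admin API (API objects, not Services/Routes). This is an added example written for this page, not Kong's own code or part of the original exercise. It assumes Kong listens on 8001 (Admin API), 8000 (proxy HTTP) and 8443 (proxy HTTPS), that the admin hostname is admin.example.com, that administrators come from 203.0.113.0/24, and that the consumer is called admin; all of these are made up and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not part of the original exercise or of Kong's own code:
# tasks 1-7 as Kong 0.11-era Admin API calls (API objects, not Services/Routes).
# Assumptions (all made up for this example): Kong listens on 8001 (Admin API),
# 8000 (proxy HTTP) and 8443 (proxy HTTPS); the admin hostname is
# admin.example.com; administrators connect from 203.0.113.0/24.
set -eu

ADMIN_URL="${ADMIN_URL:-http://localhost:8001}"      # Admin API, local only
ADMIN_HOST="${ADMIN_HOST:-admin.example.com}"        # hostname used for SNI
ADMIN_USER="${ADMIN_USER:-admin}"
ADMIN_PASS="${ADMIN_PASS:-change-me-before-use}"
# 127.0.0.1 is only here so verify_access works from the Kong host; drop it
# in production so the loopback is reachable from the admin range alone.
IP_WHITELIST="${IP_WHITELIST:-203.0.113.0/24,127.0.0.1}"
CERT_DIR="${CERT_DIR:-./admin-api-tls}"

# POST form fields to the Admin API; -f makes curl (and set -e) abort on 4xx/5xx.
kong_post() {
  path="$1"; shift
  for kv in "$@"; do set -- "$@" --data-urlencode "$kv"; shift; done
  curl -sSf -o /dev/null -w "POST $path -> %{http_code}\n" -X POST "$ADMIN_URL$path" "$@"
}

# Task 5: self-signed certificate and key for the admin hostname.
make_self_signed_cert() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$host" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  chmod 600 "$dir/key.pem"
}

# Common name of a PEM certificate (handles old and new openssl subject formats).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# True when the certificate's RSA modulus matches the private key's.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Tasks 1-4, 6 and 7 against a running Kong.
configure_admin_loopback() {
  # Tasks 1 and 7: loopback API; https_only=true makes plain HTTP answer 426.
  # Kong terminates TLS itself here, so http_if_terminated keeps its 0.11
  # default (false); set it to true together with trusted_ips only when a
  # load balancer in front of Kong terminates TLS.
  kong_post /apis name=admin-api "hosts=$ADMIN_HOST" uris=/admin-api \
    upstream_url=http://localhost:8001 https_only=true
  # Task 2: basic-auth instead of key-auth; keep the credential away from upstream.
  kong_post /apis/admin-api/plugins name=basic-auth config.hide_credentials=true
  kong_post /consumers "username=$ADMIN_USER"
  kong_post "/consumers/$ADMIN_USER/basic-auth" "username=$ADMIN_USER" "password=$ADMIN_PASS"
  # Task 3: only consumers in admin_group pass the ACL.
  kong_post "/consumers/$ADMIN_USER/acls" group=admin_group
  kong_post /apis/admin-api/plugins name=acl config.whitelist=admin_group
  # Task 4: source-IP restriction.
  kong_post /apis/admin-api/plugins name=ip-restriction "config.whitelist=$IP_WHITELIST"
  # Task 6: serve the self-signed certificate for the admin SNI.
  curl -sSf -o /dev/null -w "POST /certificates -> %{http_code}\n" -X POST "$ADMIN_URL/certificates" \
    -F "cert=@$CERT_DIR/cert.pem" -F "key=@$CERT_DIR/key.pem" -F "snis=$ADMIN_HOST"
}

http_status() { curl -s -o /dev/null -w '%{http_code}' "$@"; }

# Expected: plain HTTP 426, HTTPS without credentials 401, HTTPS as admin 200
# (403 instead of 200 means the calling IP is not in IP_WHITELIST).
# The self-signed cert is pinned with --cacert instead of disabling checks with -k.
verify_access() {
  tls="--cacert $CERT_DIR/cert.pem --resolve $ADMIN_HOST:8443:127.0.0.1"
  echo "http        -> $(http_status -H "Host: $ADMIN_HOST" http://127.0.0.1:8000/admin-api/status)"
  echo "https anon  -> $(http_status $tls "https://$ADMIN_HOST:8443/admin-api/status")"
  echo "https admin -> $(http_status $tls -u "$ADMIN_USER:$ADMIN_PASS" "https://$ADMIN_HOST:8443/admin-api/status")"
}

# Only touch Kong when explicitly asked, so the file can also be sourced.
if [ "${APPLY:-0}" = 1 ]; then
  make_self_signed_cert "$CERT_DIR" "$ADMIN_HOST"
  configure_admin_loopback
  verify_access
fi
```

Run it with `APPLY=1 sh secure-admin-api.sh` on the Kong host. The three status codes printed at the end are the check that matters: 426 proves https_only is enforced, 401 proves basic-auth runs before anything reaches the Admin API, and 200 (or 403 from a non-whitelisted address) proves the ACL and ip-restriction plugins are in place. Kong's own Admin port 8001 must of course still be bound to localhost only, otherwise the loopback protects nothing.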

Important note: as of Kong version 0.11.0, the API object property http_if_terminated defaults to false. For Kong to evaluate the client's X-Forwarded-Proto header, you must now configure Kong to trust the client IP (the trusted_ips setting in kong.conf) and explicitly set http_if_terminated to true on the API. This affects you if TLS is terminated somewhere in front of Kong (a load balancer, for example) and you have set https_only on the API, or you use a plugin that requires HTTPS traffic (e.g. OAuth2): without both settings Kong treats such requests as plain HTTP. In this exercise Kong terminates TLS itself with the self-signed certificate, so the default is sufficient.
