I am trying to proxy a request to an HTTPS upstream via Kong. How can I configure the upstream certificate in Kong?
Then configure your Service with protocol = https, as documented in the Admin API reference: Admin API - v1.0.x | Kong Docs
Note that specifying url=https://... during the creation of the Service is a shorthand notation that will have the same result.
You do not need to configure anything else if you want a regular server-side TLS encryption, as the client (Kong) will request the upstream’s certificate during the TLS handshake. However if by that you meant configuring a client certificate for Kong to establish mutual TLS with the upstream, then be aware that Kong does not yet support configuring dynamic mTLS in its Gateway deployment. You’ll have to develop a custom plugin or define a custom Nginx template for the moment.
Thanks Thibault, it worked.
I have a service configured with “protocoal=https” as the upstream only accepts https traffic. However, I am getting “502 bad gateway upstream prematurely closed connection” when I test the service.
I have set log level=debug. I noticed that in error.log, the upstream URL it’s routing to still has “http” in it instead of “https” as defined in the service configuration.
What could I be doing wrong here? Please advise. Thank you!
Hi @thibaultcha, do you have any news regarding dynamic mTLS to upstreams? I need that functionality for my company. If that feature is not yet available, can you please be more specific about “custom Nginx template” and “custom plugin” for that? Thanks a lot for your support.
Kong supports dynamic client certificates to upstream from Kong 1.3 onwards.
client_certificate property of Service entity in Kong.
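The Admin API calls behind the answer above, as an added example that is not part of the original thread or Kong's own documentation: check that the certificate and key belong together, upload them as a Certificate, then attach it to the Service through `client_certificate`. Assumptions: Kong 1.3 or later, the Admin API at its default `http://localhost:8001`, a Service that already uses protocol = https, and placeholder file, service and id values.

```shell
#!/bin/sh
# Added example: functions only, nothing runs until you call them.
# Assumed values: Admin API address, file names, service name, certificate id.
KONG_ADMIN="${KONG_ADMIN:-http://localhost:8001}"
CURL="${CURL:-curl}"   # can be overridden to inspect the calls without sending

# Refuse to upload a certificate whose public key does not match the private
# key; a mismatched pair only surfaces later as a failed upstream handshake.
cert_matches_key() {   # usage: cert_matches_key CERT_PEM KEY_PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Create a Certificate entity holding the client cert and key that Kong will
# present to the upstream. The JSON response contains the new entity's "id".
kong_upload_client_cert() {   # usage: kong_upload_client_cert CERT_PEM KEY_PEM
    $CURL -sS -X POST "$KONG_ADMIN/certificates" \
        -F "cert=@$1" -F "key=@$2"
}

# Attach that Certificate to the Service by id. The Service must already be
# configured with protocol = https for the client certificate to apply.
kong_attach_client_cert() {   # usage: kong_attach_client_cert SERVICE CERT_ID
    $CURL -sS -X PATCH "$KONG_ADMIN/services/$1" \
        --data "client_certificate.id=$2"
}

# Read the Service back to confirm protocol and client_certificate as stored.
kong_show_service() {   # usage: kong_show_service SERVICE
    $CURL -sS "$KONG_ADMIN/services/$1"
}

# Typical sequence (placeholders, run by hand):
#   cert_matches_key client.crt client.key &&
#   kong_upload_client_cert client.crt client.key   # note the returned "id"
#   kong_attach_client_cert my-service <certificate-id>
#   kong_show_service my-service
```

The private key is sent to the Admin API in the upload step, so run it over a trusted path and keep the Admin API itself off untrusted networks.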
Hi @hbagdi, thank you for your support, I have tested and indeed that is working. I stumbled on the solution while reading the admin API. Your answer confirms