TCP ingress with mTLS?

Is it possible to configure a TCPIngress for mutual TLS?

I tried adding the mtls-auth plugin to the TCPIngress but that doesn’t seem to do much. I think that only works with HTTPS? Felt like a bit of a long shot anyway.

Our Kong Ingress sits in front of a multi-tenant environment. If possible I’d like to combine client certificate authentication with TLS SNI based routing.

I hope this makes any sense at all. If not, please tell me :slightly_smiling_face:

Hi @erikhh,

In upstream Kong the mTLS plugin is currently HTTP only; L4 is not yet supported, so consequently it’s not possible to configure this plugin for TCPIngress types currently.

Would you like to put in a feature request to get support for this?

Hi @shane,

At the time I asked this question I was kind of hoping I could do VPN connections without the need for a separate server-side VPN daemon. When I figured that wasn’t going to work, I just added a simple stunnel proxy at the receiving end of the TCPIngress.

But since then my project has evolved, I essentially ran into a wall a bit further down the road (totally unrelated to Kong btw, I love Kong to bits). I had to reconsider my options. This has led to a new set of infrastructure components that happen to have built-in support for mTLS.

For now it seems that my need for external mTLS support has gone away.

Cheers,
Erik
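As an added illustration of the workaround Erik describes (not configuration from the thread, from Kong or from Erik's project): a TCPIngress that forwards the raw TCP stream to an stunnel instance which enforces client certificates itself. Because Kong does not terminate TLS here, routing is by port rather than SNI, which is exactly the trade-off the thread runs into. Resource names, ports, namespace and file paths are assumptions.

```yaml
# Added example, not from the original thread. With no `tls:` section the
# TCPIngress passes the client's TLS handshake through to the backend, so
# stunnel can terminate TLS and reject clients without a certificate signed by
# the tenant CA. Names, ports and paths below are assumptions.
apiVersion: configuration.konghq.com/v1beta1
kind: TCPIngress
metadata:
  name: vpn-gateway
  namespace: tenants
  annotations:
    kubernetes.io/ingress.class: kong
spec:
  rules:
  - port: 9000            # must match a stream_listen port on the Kong proxy
    backend:
      serviceName: stunnel-svc
      servicePort: 9000
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: stunnel-conf
  namespace: tenants
data:
  stunnel.conf: |
    foreground = yes
    [vpn]
    accept  = 0.0.0.0:9000
    connect = 127.0.0.1:1194       # the plain-TCP service stunnel protects
    cert    = /etc/stunnel/server.crt
    key     = /etc/stunnel/server.key
    CAfile  = /etc/stunnel/tenant-ca.crt
    verifyChain = yes              # validate the presented chain against CAfile
    requireCert = yes              # and refuse clients that present no certificate
    sslVersionMin = TLSv1.2
```

Mount the ConfigMap into the stunnel pod at /etc/stunnel/stunnel.conf; the Kong proxy must be started with a stream_listen entry for port 9000 or the TCPIngress has nothing to bind to.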

Alright thanks for the context :vulcan_salute: