Verify client TLS cert on specific endpoints in Kubernetes

I would like to verify client certificates on certain endpoints… is this possible with Kong?

I understand that you can inject any NGINX directives you want into the top-level NGINX configuration using the nginx-injection (which is super cool btw), but this applies globally… What if I only wanted to verify TLS certificates on specific endpoints?

If I were using the NGINX ingress controller I would add this annotation on the ingress resource:

nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"

doc: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#client-certificate-authentication

My guess here is that Kong’s ingress controller just doesn’t have this functionality yet? How would one accomplish this in vanilla Kong?

Anyone out there working on adding this kind of annotation? I would be happy to help.

Our implementation of this is the Enterprise-only mtls-auth plugin.

Community releases can use the standard NGINX implementation by injecting directives:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

For example, setting KONG_NGINX_PROXY_SSL_VERIFY_CLIENT=on in your environment variables would enable the first of those on the proxy.

Note that you’ll also need to mount your CA certificate or build a custom image that includes it for the ssl_client_certificate directive.

While that can verify certificates, it cannot identify consumers based on the certificate contents and cannot be configured per-route (the mtls-auth plugin can).
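For readers who want to see the two injected directives and the CA mount from the reply above wired into a Kubernetes deployment, here is an added example (not from the original thread, and not Kong's own manifests). It assumes a Deployment named kong-proxy, a Secret named client-ca holding the PEM bundle of the CA(s) that issue client certificates, and the mount path /etc/kong/client-ca; change those to match your cluster. Kong turns an environment variable KONG_NGINX_PROXY_<DIRECTIVE> into the line "<directive> <value>;" inside the proxy server block, which is how ssl_verify_client and ssl_client_certificate reach NGINX.

```yaml
# Added example: injecting client-certificate verification into the Kong proxy
# via environment variables, plus the CA bundle mount that ssl_client_certificate
# reads from. Names and paths below are assumptions, not Kong defaults.
apiVersion: v1
kind: Secret
metadata:
  name: client-ca            # assumed name; populate it from your CA bundle, e.g.
                             # kubectl create secret generic client-ca --from-file=ca.crt=ca.pem
type: Opaque
# data.ca.crt: base64 of the PEM bundle (root plus any intermediates) that signs client certs
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong-proxy           # assumed: the Kong proxy Deployment you already run
spec:
  selector:
    matchLabels:
      app: kong-proxy
  template:
    metadata:
      labels:
        app: kong-proxy
    spec:
      containers:
        - name: proxy
          image: kong:latest   # pin to the Kong version you actually run
          env:
            # KONG_NGINX_PROXY_SSL_VERIFY_CLIENT -> "ssl_verify_client on;" in the proxy block.
            # "on" rejects any TLS handshake without a valid client cert; NGINX also
            # accepts "optional" (handshake continues, result exposed in $ssl_client_verify).
            - name: KONG_NGINX_PROXY_SSL_VERIFY_CLIENT
              value: "on"
            # KONG_NGINX_PROXY_SSL_CLIENT_CERTIFICATE -> "ssl_client_certificate <path>;"
            # The path must be where the Secret is mounted inside the container.
            - name: KONG_NGINX_PROXY_SSL_CLIENT_CERTIFICATE
              value: /etc/kong/client-ca/ca.crt
            # Optional: allow one intermediate CA between the client cert and the root.
            - name: KONG_NGINX_PROXY_SSL_VERIFY_DEPTH
              value: "2"
          volumeMounts:
            - name: client-ca
              mountPath: /etc/kong/client-ca
              readOnly: true
      volumes:
        - name: client-ca
          secret:
            secretName: client-ca
```

After rolling this out, a request without a client certificate (curl https://proxy.example/... with only --cacert for the server chain) is refused by NGINX with HTTP 400 and the message "No required SSL certificate was sent"; the same request with --cert client.pem --key client.key, where client.pem chains to the mounted CA, reaches the route. As the reply notes, these directives live in the proxy server block and therefore apply to every TLS listener and route Kong serves, and the certificate is only verified, not mapped to a consumer; per-route enforcement still needs the mtls-auth plugin.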