1

Previously I configured api/services on Kong as HTTP and it was working fine. Now I made api/services HTTPS in the back end and I changed the protocol from http to https for all api/services on Kong. But after changing the protocol from http to https I am unable to access the APIs.

Can you please tell me what I have to do? Here is my services configuration on Kong: [image]

Route: [image]

Please help me.

Anil Jagtap

1 Answer

2

HTTPS is used to protect data exchanges from anyone looking into them.

You are configuring data exchange between your gateway and upstream servers.

Your microservices are most likely deployed into the same closed virtual private network where kong gateway is located.

It is unlikely that anyone could sniff on data traffic which goes between API gateway and your microservices.

Setup of encryption in your virtual private network will just waste computational resources which you could allocate to extra workers which do useful things.

What you probably need is to configure an SSL certificate at the Kong gateway public interface. To do this you can add your SSL certificate in the Konga GUI in the CERTIFICATES section. [image]

Maxim Sagaydachny
  • Thank you for your response. You mean enabling a certificate is mandatory for HTTPS API calls? – Anil Jagtap Dec 04 '19 at 08:37
  • @AnilJagtap Sure. You need to use a proper certificate for your clients to use your API in a secure way. Nowadays everyone is concerned about privacy so it makes sense to not give your clients any concerns. You can start with LetsEncrypt for free ( https://discuss.konghq.com/t/how-to-use-letsencrypt-for-kong/354/2 ) and later decide whether you need another certificate which provides extra verification of identity. – Maxim Sagaydachny Dec 04 '19 at 09:03
  • Without enabling a certificate can I access an HTTPS API? – Anil Jagtap Dec 04 '19 at 09:13
  • @AnilJagtap, Try and see. If you can connect and see no warnings then you are already set. If you see warnings but still could connect with warnings disabled (like `curl --insecure`) then you need to set up a proper certificate because your clients will not trust such a connection. You can use SO chat or contact me via Skype (see my profile) to continue further questions. – Maxim Sagaydachny Dec 04 '19 at 09:23
  • 2
    This doesn't answer the question. Nor is it correct. No HTTPS within a private network means anyone who ever gets inside your network can spoof any traffic and completely take over your network. Zero trust architectures, where even internal services communicate over https over authenticated connections, are the new standard. – pijemcolu Jan 17 '20 at 10:26
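
The two TLS legs discussed in this thread (client to Kong, and Kong to the HTTPS backend) written out as a Kong declarative configuration. This is an added example, not configuration from the question or the answer. It assumes a Kong 3.x declarative file, and every name, host, path and id in it is a constructed placeholder.

```yaml
# Added example: all names, hosts, paths and the UUID below are constructed placeholders.
_format_version: "3.0"

# CA that issued the backend's certificate; Kong uses it to verify the upstream.
ca_certificates:
  - id: 11111111-2222-3333-4444-555555555555   # constructed id
    cert: |
      -----BEGIN CERTIFICATE-----
      <internal CA certificate, PEM>
      -----END CERTIFICATE-----

# Certificate Kong presents to clients on its public HTTPS listener,
# selected by the SNI the client sends.
certificates:
  - cert: |
      -----BEGIN CERTIFICATE-----
      <public certificate chain, PEM>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      <private key, PEM>
      -----END PRIVATE KEY-----
    snis:
      - name: api.example.com

services:
  - name: orders-service
    protocol: https                 # Kong -> backend leg is TLS
    host: orders.internal.example
    port: 443                       # separate field, default 80; changing protocol does not change it
    path: /
    tls_verify: true                # reject a backend certificate that does not validate
    tls_verify_depth: 2
    ca_certificates:
      - 11111111-2222-3333-4444-555555555555
    routes:
      - name: orders-route
        protocols:
          - https                   # client -> Kong leg is TLS only
        paths:
          - /orders
```

With `tls_verify: true`, the `host` value has to match a name in the backend's certificate, so a backend addressed by IP or with a self-signed certificate will fail the handshake until its CA is listed under `ca_certificates`.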