Skip to content
Kong Gateway 2.8 Increases Security and Simplifies API Management.  —Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Konnect Cloud
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Kong Konnect Platform

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Request Demo
  • Kong Gateway
  • Konnect Cloud
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Kong Konnect Platform

  • Docs contribution guidelines
  • 2.8.x (latest)
  • 2.7.x
  • 2.6.x
  • Older Enterprise versions (0.31-2.5)
  • Older OSS versions (0.13-2.5)
  • Archive (pre-0.13)
    • Version Support Policy
    • Changelog
    • Kubernetes
    • Helm
    • OpenShift with Helm
    • Docker
    • Amazon Linux
    • CentOS
    • macOS
    • Debian
    • RHEL
    • Ubuntu
    • Migrating from OSS to EE
    • Upgrade Kong Gateway
    • Upgrade Kong Gateway OSS
      • Configuring a Service
      • Configuring a gRPC Service
      • Enabling Plugins
      • Adding Consumers
      • Prepare to Administer
      • Expose your Services
      • Protect your Services
      • Improve Performance
      • Secure Services
      • Set Up Intelligent Load Balancing
      • Manage Administrative Teams
      • Publish, Locate, and Consume Services
    • Running Kong as a Non-Root User
    • Resource Sizing Guidelines
      • Deploy Kong Gateway in Hybrid Mode
    • Kubernetes Deployment Options
    • Control Kong Gateway through systemd
    • Performance Testing Framework
    • DNS Considerations
    • Default Ports
      • Access Your License
      • Deploy Your License
      • Monitor License Usage
      • Start Kong Gateway Securely
      • Keyring and Data Encryption
      • Kong Security Update Process
        • Getting Started
        • Advanced Usage
          • Environment Variables
          • AWS Secrets Manager
          • Hashicorp Vault
        • Reference Format
      • Authentication Reference
        • OpenID Connect with Curity
        • OpenID Connect with Azure AD
        • OpenID Connect with Google
        • OpenID Connect with Okta
        • OpenID Connect with Auth0
        • OpenID Connect with Cognito
        • OpenID Connect Plugin Reference
      • Allowing Multiple Authentication Methods
        • Create a Super Admin
        • Configure Networking
        • Configure Kong Manager to Send Email
        • Reset Passwords and RBAC Tokens
        • Configure Workspaces
        • Basic Auth
        • LDAP
        • OIDC
        • Sessions
        • Add a Role
        • Add a User
        • Add an Admin
      • Mapping LDAP Service Directory Groups to Kong Roles
      • Enable the Dev Portal
      • Structure and File Types
      • Portal API
      • Working with Templates
      • Using the Editor
          • Basic Auth
          • Key Auth
          • OIDC
          • Sessions
          • Adding Custom Registration Fields
        • SMTP
        • Workspaces
        • Manage Developers
        • Developer Roles and Content Permissions
          • Authorization Provider Strategy
          • Enable Application Registration
          • Enable Key Authentication for Application Registration
          • External OAuth2 Support
          • Set up Okta and Kong for external OAuth
          • Set Up Azure AD and Kong for External Authentication
          • Manage Applications
        • Easy Theme Editing
        • Migrating Templates Between Workspaces
        • Markdown Rendering Module
        • Customizing Portal Emails
        • Adding and Using JavaScript Assets
        • Single Page App in Dev Portal
        • Alternate OpenAPI Renderer
      • Helpers CLI
    • Configure gRPC Plugins
    • GraphQL Quickstart
    • Logging Reference
    • Network and Firewall
      • Metrics
      • Reports
      • Vitals with InfluxDB
      • Vitals with Prometheus
      • Estimate Vitals Storage in PostgreSQL
    • Prometheus plugin
    • Zipkin plugin
      • DB-less Mode
      • Declarative Configuration
      • Supported Content Types
      • Information Routes
      • Health Routes
      • Tags
      • Service Object
      • Route Object
      • Consumer Object
      • Plugin Object
      • Certificate Object
      • CA Certificate Object
      • SNI Object
      • Upstream Object
      • Target Object
      • Vaults Beta
        • Licenses Reference
        • Licenses Examples
        • Workspaces Reference
        • Workspace Examples
        • RBAC Reference
        • RBAC Examples
        • API Reference
        • Examples
      • Developers
        • API Reference
        • Examples
        • Event Hooks Reference
        • Examples
      • Audit Logging
      • Keyring and Data Encryption
      • Securing the Admin API
    • DB-less and Declarative Configuration
    • Configuration Reference
    • CLI Reference
    • Load Balancing Reference
    • Proxy Reference
    • Rate Limiting Library
    • Health Checks and Circuit Breakers Reference
    • Clustering Reference
      • kong.client
      • kong.client.tls
      • kong.cluster
      • kong.ctx
      • kong.ip
      • kong.log
      • kong.nginx
      • kong.node
      • kong.request
      • kong.response
      • kong.router
      • kong.service
      • kong.service.request
      • kong.service.response
      • kong.table
      • kong.vault
      • Introduction
      • File structure
      • Implementing custom logic
      • Plugin configuration
      • Accessing the datastore
      • Storing custom entities
      • Caching custom entities
      • Extending the Admin API
      • Writing tests
      • (un)Installing your plugin
    • Plugins in Other Languages

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this page
  • Default Configuration
  • Custom Configuration
  • TLS Certificates
    • Using https://localhost
Kong Gateway
2.8.x (latest)
  • Kong Konnect Platform
  • Kong Gateway
  • Configure
  • Auth
  • Kong manager

Default and Custom Networking Configuration for Kong Manager

Default Configuration

By default, Kong Manager starts up without authentication (see admin_gui_auth), and it assumes that the Admin API is available on port 8001 (see Default Ports of the same host that serves Kong Manager.

Custom Configuration

Common configurations to enable are

  • Serving Kong Manager from a dedicated Kong node

    When Kong Manager is on a dedicated Kong node, it must make external calls to the Admin API. Set admin_api_uri to the location of your Admin API.

  • Securing Kong Manager through a Kong Authentication Plugin

    When Kong Manager is secured through an Authentication Plugin and not on a dedicated node, it makes calls to the Admin API on the same host. By default, the Admin API listens on ports 8001 and 8444 on localhost. Change admin_listen if necessary, or set admin_api_uri.

    Important: If you need to expose the admin_listen port to the internet in a production environment, secure it with authentication.

  • Securing Kong Manager and serving it from a dedicated node

    When Kong Manager is secured and served from a dedicated node, set admin_api_uri to the location of the Admin API.

The table below summarizes which properties to set (or defaults to verify) when configuring Kong Manager connectivity to the Admin API.

authentication enabled local API remote API auth settings
yes admin_listen admin_api_uri admin_gui_auth, enforce_rbac, admin_gui_auth_conf, admin_gui_session_conf
no admin_listen admin_api_uri n/a

To enable authentication, configure the following properties:

  • admin_gui_auth set to the desired plugin
  • admin_gui_auth_conf (optional)
  • admin_gui_session_conf set to the desired configuration
  • enforce_rbac set to on

Important: When Kong Manager authentication is enabled, RBAC must be turned on to enforce authorization rules. Otherwise, whoever can log in to Kong Manager can perform any operation available on the Admin API.

TLS Certificates

By default, if Kong Manager’s URL is accessed over HTTPS without a certificate issued by a CA, it will receive a self-signed certificate that modern web browsers will not trust, preventing the application from accessing the Admin API.

In order to serve Kong Manager over HTTPS, use a trusted certificate authority to issue TLS certificates, and have the resulting .crt and .key files ready for the next step.

1) Move .crt and .key files into the desired directory of the Kong node.

2) Point admin_gui_ssl_cert and admin_gui_ssl_cert_key at the absolute paths of the certificate and key.

admin_gui_ssl_cert = /path/to/test.crt
admin_gui_ssl_cert_key = /path/to/test.key

3) Ensure that admin_gui_url is prefixed with https to use TLS, e.g.,

admin_gui_url = https://test.com:8445

Using https://localhost

If serving Kong Manager on localhost, it may be preferable to use HTTP as the protocol. If also using RBAC, set cookie_secure=false in admin_gui_session_conf. The reason to use HTTP for localhost is that creating TLS certificates for localhost requires more effort and configuration, and there may not be any reason to use it. The adequate use cases for TLS are (1) when data is in transit between hosts, or (2) when testing an application with mixed content (which Kong Manager does not use).

External CAs cannot provide a certificate since no one uniquely owns localhost, nor is it rooted in a top-level domain (e.g., .com, .org). Likewise, self-signed certificates will not be trusted in modern browsers. Instead, it is necessary to use a private CA that allows you to issue your own certificates. Also ensure that the SSL state is cleared from the browser after testing to prevent stale certificates from interfering with future access to localhost.

Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2022