Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
      Docs Contribution Guidelines
      Want to help out, or found an issue in the docs and want to let us know?
  • API Specs
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Gateway
3.4.x (latest)
  • Home icon
  • Kong Gateway
  • Kong Manager
  • Networking Configuration for Kong Manager
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 3.4.x (latest)
  • 3.3.x
  • 3.2.x
  • 3.1.x
  • 3.0.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • Archive (pre-2.6)
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Default configuration
  • Custom configuration
    • Serving Kong Manager from a dedicated Kong node
    • Securing Kong Manager through an authentication plugin
    • Securing Kong Manager and serving it from a dedicated node
    • Connecting to the Admin API
    • Enable authentication
  • TLS Certificates
    • Using https://localhost

Networking Configuration for Kong Manager

Default configuration

By default, Kong Manager starts up without authentication (see admin_gui_auth), and it assumes that the Admin API is available on port 8001 (see Default Ports of the same host that serves Kong Manager.

Custom configuration

Here are some common configuration scenarios for Kong Manager.

Serving Kong Manager from a dedicated Kong node

When Kong Manager is on a dedicated Kong node, it must make external calls to the Admin API. Set admin_api_uri to the location of your Admin API.

Securing Kong Manager through an authentication plugin

When Kong Manager is secured through an authentication plugin and is not on a dedicated node, it makes calls to the Admin API on the same host. By default, the Admin API listens on ports 8001 and 8444 on localhost. Change admin_listen if necessary, or set admin_api_uri.

Important: If you need to expose the admin_listen port to the internet in a production environment,

secure it with authentication.

Securing Kong Manager and serving it from a dedicated node

When Kong Manager is secured and served from a dedicated node, set admin_api_uri to the location of the Admin API.

Connecting to the Admin API

The table below summarizes which properties to set (or defaults to verify) when configuring Kong Manager connectivity to the Admin API.

authentication enabled local API remote API auth settings
yes admin_listen admin_api_uri admin_gui_auth, enforce_rbac, admin_gui_auth_conf, admin_gui_session_conf
no admin_listen admin_api_uri n/a

Enable authentication

To enable authentication, configure the following properties:

  • admin_gui_auth set to the desired plugin
  • admin_gui_auth_conf (optional)
  • admin_gui_session_conf set to the desired configuration
  • enforce_rbac set to on

Important: When Kong Manager authentication is enabled, RBAC must be turned on to enforce authorization rules. Otherwise, whoever can log in to Kong Manager can perform any operation available on the Admin API.

TLS Certificates

By default, if Kong Manager’s URL is accessed over HTTPS without a certificate issued by a CA, it will receive a self-signed certificate that modern web browsers will not trust, preventing the application from accessing the Admin API.

In order to serve Kong Manager over HTTPS, use a trusted certificate authority to issue TLS certificates, and have the resulting .crt and .key files ready for the next step.

1) Move .crt and .key files into the desired directory of the Kong node.

2) Point admin_gui_ssl_cert and admin_gui_ssl_cert_key at the absolute paths of the certificate and key.

admin_gui_ssl_cert = /path/to/test.crt
admin_gui_ssl_cert_key = /path/to/test.key

3) Ensure that admin_gui_url is prefixed with https to use TLS, e.g.,

admin_gui_url = https://test.com:8445

Using https://localhost

If serving Kong Manager on localhost, it may be preferable to use HTTP as the protocol. If also using RBAC, set cookie_secure=false in admin_gui_session_conf. The reason to use HTTP for localhost is that creating TLS certificates for localhost requires more effort and configuration, and there may not be any reason to use it. The adequate use cases for TLS are (1) when data is in transit between hosts, or (2) when testing an application with mixed content (which Kong Manager does not use).

External CAs cannot provide a certificate since no one uniquely owns localhost, nor is it rooted in a top-level domain (e.g., .com, .org). Likewise, self-signed certificates will not be trusted in modern browsers. Instead, it is necessary to use a private CA that allows you to issue your own certificates. Also ensure that the SSL state is cleared from the browser after testing to prevent stale certificates from interfering with future access to localhost.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023