Control Plane and Data Plane Communication through a Forward Proxy
If your control plane and data planes run on different sides of a firewall that runs external communications through a proxy, you can configure Kong Gateway to authenticate with the proxy server and allow traffic through.
Kong Gateway only supports HTTP CONNECT proxies.
This feature does not support mTLS termination.
Set up forward proxy connection
In kong.conf, configure the following parameters:
proxy_server = http(s)://<username>:<password>@<proxy-host>:<proxy-port>
proxy_server_tls_verify = on/off
cluster_use_proxy = on
lua_ssl_trusted_certificate = system | <certificate> | <path-to-cert>
- proxy_server: Proxy server defined as a URL. Kong Gateway will only use this option if any component is explicitly configured to use the proxy.
- proxy_server_tls_verify: Toggles server certificate verification if proxy_server uses HTTPS. Set to on if using HTTPS (default), or off if using HTTP.
- cluster_use_proxy: Tells the cluster to use HTTP CONNECT proxy support for hybrid mode connections. If turned on, Kong Gateway will use the URL defined in proxy_server to connect.
- lua_ssl_trusted_certificate (Optional): If using HTTPS, you can also specify a custom certificate authority with lua_ssl_trusted_certificate. If using the system default CA, you don't need to change this value.
Reload Kong Gateway for the connection to take effect:
kong reload
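A pre-reload check for the four settings above, as an added example (not Kong's own tooling): it reads kong.conf text and reports combinations that weaken or break the proxied connection. The function names, the sample host and the credentials are hypothetical, and the parser is simplified (it treats every # as the start of a comment).

```python
from urllib.parse import urlsplit

# Constructed sample kong.conf fragments (hypothetical host and credentials).
WEAK = """
proxy_server = https://kong:s3cret@proxy.example.internal:3128
proxy_server_tls_verify = off
cluster_use_proxy = on
"""
HARDENED = WEAK.replace("tls_verify = off", "tls_verify = on") + \
    "lua_ssl_trusted_certificate = system\n"

def parse_kong_conf(text):
    """Parse 'key = value' lines, dropping '#' comments (simplified parser)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_forward_proxy(text):
    """Return findings for the forward-proxy settings; an empty list means none."""
    conf = parse_kong_conf(text)
    findings = []
    proxy = conf.get("proxy_server", "")
    if not proxy:
        if conf.get("cluster_use_proxy") == "on":
            findings.append("cluster_use_proxy is on but proxy_server is not set")
        return findings
    url = urlsplit(proxy)
    # The page states that only HTTP CONNECT proxies are supported.
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append("proxy_server must be an http:// or https:// URL with a host")
        return findings
    if url.scheme == "https" and conf.get("proxy_server_tls_verify") == "off":
        findings.append("HTTPS proxy with proxy_server_tls_verify = off: "
                        "proxy certificate is not checked")
    if url.scheme == "http" and url.password:
        findings.append("proxy credentials are sent to an http:// proxy without TLS")
    if conf.get("cluster_use_proxy") != "on":
        findings.append("proxy_server is set but cluster_use_proxy is not on, "
                        "so hybrid mode connections will not use it")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_forward_proxy(conf) or "no findings")
```

Because proxy_server carries the proxy password, kong.conf itself should be readable only by the account that runs Kong Gateway.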