Cleafy protects online services against today’s targeted attacks. Cleafy patented real-time threat detection and protection technology is effective in detecting account takeover and transaction tampering leveraging Man-In-The-Browser (MITB), Man-In-The-Middle (MITM), Mobile Overlay, SIM Swap, API Abuse, and others advanced techniques.
Cleafy real-time continuous risk assessment prevents sensitive data loss and payment fraud while minimizing false positives and operational impact. Cleafy threat visibility also makes possible to implement automated threat responses and an adaptive security posture.
Cleafy is client-less and does not require any change to the monitored applications. Cleafy passively monitors application traffic by integrating into any application delivery architecture, typically at ADC or API Gateway level. Cleafy plugin for Kong allows Cleafy to smoothly integrate into any Kong-powered architecture.
For more details visit https://cleafy.com/resources.
Terminology
plugin: a plugin executing actions inside Kong before or after a request has been proxied to the upstream API.Service: the Kong entity representing an external upstream API or microservice.Route: the Kong entity representing a way to map downstream requests to upstream services.Upstream service: this refers to your own API/service sitting behind Kong, to which client requests are forwarded.
Configuration
Enabling the plugin on a Route
Configure this plugin on a Route with:
$ curl -X POST http://kong:8001/routes/{route}/plugins \
--data "name=cleafy-plugin-for-kong" \
--data "config.api_address=http://cleafy.com"
{route} is the id or name of the Route that this plugin configuration will target.
Global plugins
A plugin which is not associated to any Service, Route, or Consumer (or API, if you are using an older version of Kong) is considered "global", and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.
Plugins can be configured using the http://kong:8001/plugins/ endpoint.
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
| Form Parameter | Description |
|---|---|
name | The name of the plugin to use, in this case cleafy-plugin-for-kong |
route.id | The ID of the Route the plugin targets. |
enableddefault value: true | Whether this plugin will be applied. |
config.api_address
|
Specifies the URL pointing to the Cleafy API. |
config.accept_encoding
optional |
Specifies the type of encoding accepted from the backend server. This plugin does not support gzip-encoded requests. |
Cleafy-Stream Kong plugin
Installation
Plugin installation mainly depends on where your Kong installation runs:
Standalone Installation
Once the .rock file has been obtained from your Cleafy distributor it can be installed using the luarocks package manager.
luarocks install cleafy-plugin-for-kong-VERSION.rock
Typical configuration (via curl)
Register Cleafy backend as a Kong service:
$ curl -i -X POST --url http://url-to-kong-api:8001/services/ --data 'name=cleafy' --data 'url=<url-to-cleafy-api>'
Moreover, each application you want to manage via Kong must be registered as a service:
$ curl -i -X POST --url http://url-to-kong-api:8001/services/ --data 'name=app1' --data 'url=<url-to-app1-application-server>'
For each application registered (Cleafy excluded) you must define two Kong routes: the first routing traffic to the application server and the second routing traffic to the Cleafy backend:
$ curl -i -X POST --url http://url-to-kong-api:8001/routes/ --data 'hosts[]=<hostname>' --data 'service.id=<cleafy-service-id>' --data 'paths[]=/<ingestion-prefix>'
$ curl -i -X POST --url http://url-to-kong-api:8001/routes/ --data 'hosts[]=<hostname>' --data 'service.id=<app-service-id>'
Then you must activate the stream plugin over each app-related route:
$ curl -i -X POST --url http://url-to-kong-api:8001/plugins/ --data 'name=stream' --data 'route_id=<app-route-id' --data 'config.api_address=<cleafy-api-address>' --data 'config.api_token=<ingestion-token>'