Skip to content
|
search
Plugin Hub
header icon

Cleafy plugin for Kong

Cleafy protects online services against today’s targeted attacks. Cleafy patented real-time threat detection and protection technology is effective in detecting account takeover and transaction tampering leveraging Man-In-The-Browser (MITB), Man-In-The-Middle (MITM), Mobile Overlay, SIM Swap, API Abuse, and others advanced techniques.

Cleafy real-time continuous risk assessment prevents sensitive data loss and payment fraud while minimizing false positives and operational impact. Cleafy threat visibility also makes possible to implement automated threat responses and an adaptive security posture.

Cleafy is client-less and does not require any change to the monitored applications. Cleafy passively monitors application traffic by integrating into any application delivery architecture, typically at ADC or API Gateway level. Cleafy plugin for Kong allows Cleafy to smoothly integrate into any Kong-powered architecture.

For more details visit the Cleafy resources page.

Cleafy-Stream Kong plugin

Installation

Plugin installation mainly depends on where your Kong installation runs:

Standalone Installation

Once the .rock file has been obtained from your Cleafy distributor it can be installed using the luarocks package manager.

luarocks install cleafy-plugin-for-kong-VERSION.rock

Typical configuration (via curl)

Register Cleafy backend as a Kong service:

$ curl -i -X POST --url http://url-to-kong-api:8001/services/ --data 'name=cleafy'  --data 'url=<url-to-cleafy-api>'

Moreover, each application you want to manage via Kong must be registered as a service:

$ curl -i -X POST --url http://url-to-kong-api:8001/services/ --data 'name=app1'  --data 'url=<url-to-app1-application-server>'

For each application registered (Cleafy excluded) you must define two Kong routes: the first routing traffic to the application server and the second routing traffic to the Cleafy backend:

$ curl -i -X POST --url http://url-to-kong-api:8001/routes/ --data 'hosts[]=<hostname>' --data 'service.id=<cleafy-service-id>' --data 'paths[]=/<ingestion-prefix>'

$ curl -i -X POST --url http://url-to-kong-api:8001/routes/ --data 'hosts[]=<hostname>' --data 'service.id=<app-service-id>'

Then you must activate the stream plugin over each app-related route:

$ curl -i -X POST --url http://url-to-kong-api:8001/plugins/ --data 'name=stream' --data 'route_id=<app-route-id' --data 'config.api_address=<cleafy-api-address>' --data 'config.api_token=<ingestion-token>'

Configuration Reference

This plugin is compatible with DB-less mode.

Example plugin configuration

The following examples provide some typical configurations for enabling the cleafy-plugin-for-kong plugin on a route.

Make the following request:

curl -X POST http://localhost:8001/routes/ROUTE_NAME|ROUTE_ID/plugins \
  --data "name=cleafy-plugin-for-kong"  \
    --data "config.api_address=http://cleafy.com"

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: cleafy-plugin-for-kong-example
config: 
  api_address: http://cleafy.com
plugin: cleafy-plugin-for-kong

Then, apply it to an ingress (route or routes) by annotating the ingress as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ROUTE_NAME|ROUTE_ID
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: cleafy-plugin-for-kong-example
spec:
  rules:
  - host: examplehostname.com
    http:
      paths:
      - path: /bar
        backend:
          service:
            name: echo
            port:
              number: 80

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: cleafy-plugin-for-kong
  route: ROUTE_NAME
  config: 
    api_address: http://cleafy.com

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

A plugin which is not associated to any service, route, or consumer is considered global, and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.

The following examples provide some typical configurations for enabling the cleafy-plugin-for-kong plugin globally.

Make the following request:

curl -X POST http://localhost:8001/plugins/ \
  --data "name=cleafy-plugin-for-kong"  \
    --data "config.api_address=http://cleafy.com"

Create a KongClusterPlugin resource and label it as global:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-cleafy-plugin-for-kong>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: \"true\"
config: 
  api_address: http://cleafy.com
plugin: cleafy-plugin-for-kong

Add a plugins entry in the declarative configuration file:

plugins:
- name: cleafy-plugin-for-kong
  config: 
    api_address: http://cleafy.com

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

Form Parameter Description
name
required

Type: string		 The name of the plugin, in this case cleafy-plugin-for-kong.
route.name or route.id

Type: string		 The name or ID of the route the plugin targets.

Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint.

Not required if using /routes/ROUTE_NAME|ROUTE_ID/plugins.
enabled

Type: boolean

Default value: true		 Whether this plugin will be applied.
config.api_address
required

Specifies the URL pointing to the Cleafy API.
config.accept_encoding
optional

Specifies the type of encoding accepted from the backend server. This plugin does not support gzip-encoded requests.