Enable TLS on upstream traffic by providing Kong with a list of trusted
This plugin is deprecated in Kong Enterprise version 1.3, and removed in version 1.5.
Starting with Kong 18.104.22.168:
To configure Upstream TLS, use the NGINX directives
proxy_ssl_verify_depth instead of the Upstream TLS plugin. Instructions on how to inject NGINX directives to Kong can be found here. This plugin is only functional for Kong Enterprise versions 0.35 and 0.36.
You can configure this plugin using the
Kong Admin API
or through declarative configuration, which involves directly editing
the Kong configuration file.
Enabling the plugin globally
A plugin which is not associated with any Service, Route, or Consumer is
considered global, and will be run on every request. Read the
Plugin Reference and the Plugin Precedence
sections for more information.
Here's a list of all the parameters which can be used in this plugin's configuration:
|The name of the plugin to use, in this case |
|Whether this plugin will be applied.|
Sets the certificate verification mode flags.
peer enables client
none disables client peer validation.
Set the maximum validation chain depth
PEM-encoded public certificate authorities of the upstream
In Enterprise versions 0.35 and 0.36, Upstream TLS can be added on top of an existing Service by executing the
following request on your Kong server:
$ curl -X POST http://kong:8001/services/1e6507e9-5c72-4dc2-9a3a-5131c4c5bea6/plugins \
--form "name=upstream-tls" \
--form "config.verify_mode=peer" \
--form "config.trusted_certificates=@path_to_cert.pem"
name of the Service that this plugin configuration will target.
It can also be applied globally (for every Route, Service, or API) using the
PATCH requests to the
trusted_certificates configuration will not take effect until Kong is reloaded. This can be accomplished with the
kong reload command.
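Because config.trusted_certificates takes a PEM file of certificate authorities, it is worth linting that file before posting it, so that a private key or a corrupted block is never uploaded as trust material. The following is an added example, not part of the Kong documentation; the function name lint_trust_bundle and the sample bundles are hypothetical, and the check is structural only (it does not validate X.509 contents or expiry).

```python
import base64
import binascii
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def lint_trust_bundle(pem_text):
    """Return a list of problems found in a PEM bundle meant for
    config.trusted_certificates; an empty list means it looks sane."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    for index, (label, body) in enumerate(blocks, start=1):
        if "PRIVATE KEY" in label:
            problems.append(f"block {index}: {label} must never be in a trust bundle")
            continue
        if label != "CERTIFICATE":
            problems.append(f"block {index}: unexpected block type {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block {index}: body is not valid base64")
            continue
        # An X.509 certificate is a DER SEQUENCE, so the first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"block {index}: does not decode to a DER SEQUENCE")
    return problems


def _pem(label, der):
    """Wrap raw bytes in a PEM envelope (used only to build sample data)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample data: tiny DER stubs, not real certificates or keys.
GOOD_BUNDLE = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01") * 2
BAD_BUNDLE = GOOD_BUNDLE + _pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")

if __name__ == "__main__":
    print(lint_trust_bundle(GOOD_BUNDLE))
    print(lint_trust_bundle(BAD_BUNDLE))
```

Run it against the contents of the file referenced by @path_to_cert.pem and only issue the request when the returned list is empty.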