Gowtham Raj

Reputation: 111

Kong API Gateway - You must use HTTPS

  1. I have installed Kong OSS V2.x in the ec2(centos)
  2. Added plugin oAuth2
  3. Get the access token using POST Method

Getting the below error

{
    "error": "access_denied",
    "error_description": "You must use HTTPS"
}

NOTE: SSL termination happens in the ALB, and the request is forwarded to EC2.

Upvotes: 1

Views: 1269

Answers (2)

ldipotet

Reputation: 41

A solution tested in prod environment:

"environment": [
    {
        "name": "KONG_REAL_IP_HEADER",
        "value": "X-Forwarded-For"
    },
    {
        "name": "KONG_ADMIN_ACCESS_LOG",
        "value": "/dev/stdout"
    },
    {
        "name": "KONG_ADMIN_ERROR_LOG",
        "value": "/dev/stderr"
    },
    {
        "name": "KONG_PROXY_ERROR_LOG",
        "value": "/dev/stderr"
    },
    {
        "name": "KONG_DATABASE",
        "value": "postgres"
    },
    {
        "name": "KONG_REAL_IP_RECURSIVE",
        "value": "on"
    },
    {
        "name": "KONG_TRUSTED_IPS",
        "value": "0.0.0.0/0,::/0"
    },
    {
        "name": "KONG_PG_HOST",
        "value": ".....rds.amazonaws.com"
    },
    {
        "name": "KONG_PG_PASSWORD",
        "value": "......"
    },
    {
        "name": "KONG_PROXY_ACCESS_LOG",
        "value": "/dev/stdout"
    },
    {
        "name": "KONG_PG_USER",
        "value": "kong"
    },
    {
        "name": "KONG_PROXY_LISTEN",
        "value": "0.0.0.0:8000"
    },
    {
        "name": "KONG_ADMIN_LISTEN",
        "value": "0.0.0.0:8001, 0.0.0.0:8444 ssl"
    }
]

Pay attention to the values:

  1. KONG_REAL_IP_HEADER
  2. KONG_REAL_IP_RECURSIVE
  3. KONG_TRUSTED_IPS

In any case, after some years, I reckon that if you are in AWS there are better cost-effective solutions.

Upvotes: 0

Ôrel

Reputation: 7642

You should use the parameter accept_http_if_already_terminated.

Accepts HTTPS requests that have already been terminated by a proxy or load balancer and the x-forwarded-proto: https header has been added to the request. Only enable this option if the Kong server cannot be publicly accessed and the only entry point is such a proxy or load balancer.

Your config should be like:

config:
  scopes:
  - foo
  - bar
  mandatory_scope: true
[...]
  accept_http_if_already_terminated: true

Upvotes: 0
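The two answers fix different halves of the same decision: the oauth2 plugin only believes `X-Forwarded-Proto: https` when `accept_http_if_already_terminated` is on (second answer), and the gateway only believes forwarded headers at all from peers listed in `trusted_ips` (first answer). The following is an added model of that decision, written for this thread; it is not Kong's code and not code from either answerer. The names `GatewayConfig`, `Request`, `check_https`, `oauth2_gate` and `audit_trusted_ips`, the 10.0.0.0/16 "ALB subnet" and the client addresses are all constructed for the example, and the assumption is that the order of checks (connection scheme first, then the forwarded header only when the plugin allows it and the peer is trusted, rejecting a repeated header) reflects the gateway's behaviour. The audit helper flags the combination the plugin documentation warns about: terminated-TLS acceptance together with the `0.0.0.0/0,::/0` trusted_ips value from the first answer.

```python
"""Model of the "is this request HTTPS?" decision behind the error in the
question, plus a small configuration audit.

Added illustration for this thread; not Kong's code and not code from either
answer.  All names and addresses below are constructed for the example.
Assumption: the decision order in check_https (connection scheme, then
X-Forwarded-Proto only if accept_http_if_already_terminated is on AND the
peer is inside trusted_ips) reflects how the gateway behaves.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GatewayConfig:
    # KONG_TRUSTED_IPS: peers whose X-Forwarded-* headers are believed
    trusted_ips: list
    # oauth2 plugin: config.accept_http_if_already_terminated
    accept_http_if_already_terminated: bool = False


@dataclass
class Request:
    remote_addr: str   # peer that opened the TCP connection to the gateway
    scheme: str        # scheme of that connection itself: "http" or "https"
    headers: dict = field(default_factory=dict)  # lowercase names; a list value = repeated header


def peer_is_trusted(remote_addr: str, trusted_ips) -> bool:
    """True if the connecting peer falls inside one of the trusted CIDRs."""
    addr = ipaddress.ip_address(remote_addr)
    # ipaddress treats a v4 address as outside every v6 network and vice versa
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in trusted_ips)


def check_https(req: Request, cfg: GatewayConfig):
    """Return (True, None) if the request counts as HTTPS, else (False, reason)."""
    if req.scheme.lower() == "https":
        return True, None                       # TLS terminated at the gateway itself
    if not cfg.accept_http_if_already_terminated:
        return False, "You must use HTTPS"      # the asker's case: ALB terminates, plugin refuses
    if not peer_is_trusted(req.remote_addr, cfg.trusted_ips):
        return False, "You must use HTTPS"      # header from an untrusted peer is ignored
    proto = req.headers.get("x-forwarded-proto")
    if isinstance(proto, list):
        return False, "Only one X-Forwarded-Proto header allowed"
    if str(proto).lower() == "https":
        return True, None
    return False, "You must use HTTPS"


def oauth2_gate(req: Request, cfg: GatewayConfig) -> dict:
    """Shape of the plugin's response body, as shown in the question."""
    ok, reason = check_https(req, cfg)
    if ok:
        return {"ok": True}
    return {"error": "access_denied", "error_description": reason}


def audit_trusted_ips(cfg: GatewayConfig) -> list:
    """Flag a wide-open trusted_ips, and its combination with terminated-TLS acceptance."""
    findings = []
    for cidr in cfg.trusted_ips:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"trusted_ips includes {cidr}: X-Forwarded-* is believed from any peer")
    if findings and cfg.accept_http_if_already_terminated:
        findings.append("accept_http_if_already_terminated is on with an open trusted_ips: "
                        "restrict trusted_ips to the load balancer subnet and keep the proxy "
                        "port reachable only from the load balancer")
    return findings


# Constructed sample: the ALB lives in 10.0.0.0/16 and forwards to the gateway over HTTP
ALB_SUBNET_CFG = GatewayConfig(trusted_ips=["10.0.0.0/16"], accept_http_if_already_terminated=True)
OPEN_CFG = GatewayConfig(trusted_ips=["0.0.0.0/0", "::/0"], accept_http_if_already_terminated=True)
ASKER_CFG = GatewayConfig(trusted_ips=["10.0.0.0/16"])  # plugin default: terminated TLS not accepted

FROM_ALB = Request("10.0.1.5", "http", {"x-forwarded-proto": "https"})
DIRECT = Request("203.0.113.9", "http", {"x-forwarded-proto": "https"})

if __name__ == "__main__":
    print(oauth2_gate(FROM_ALB, ASKER_CFG))       # the error body from the question
    print(oauth2_gate(FROM_ALB, ALB_SUBNET_CFG))  # accepted once the plugin trusts terminated TLS
    for finding in audit_trusted_ips(OPEN_CFG):
        print("AUDIT:", finding)
```

Running the block reproduces the question's error body for `ASKER_CFG`, accepts the same ALB-forwarded request under `ALB_SUBNET_CFG`, and lists three findings for `OPEN_CFG`; a direct client outside the trusted range gets the error under `ALB_SUBNET_CFG` regardless of the header it sends.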
