  • Enabling HTTPS for a specific Route

    Configuring TLS for a Route

    Kong provides a way to dynamically serve TLS certificates on a per-connection basis. TLS certificates are directly handled by the core, and configurable via the Admin API. Clients connecting to Kong over TLS must support the Server Name Indication extension to make use of this feature.

    TLS certificates are handled by two resources in the Kong Admin API:

    • /certificates, which stores your keys and certificates.
    • /snis, which associates a registered certificate with a Server Name Indication.

    You can find the documentation for those two resources in the Admin API Reference.

    Here is how to configure a TLS certificate on a given Route: first, upload your TLS certificate and key via the Admin API:

    $ curl -i -X POST http://localhost:8001/certificates \
        -F "cert=@/path/to/cert.pem" \
        -F "key=@/path/to/cert.key" \
        -F "snis=*.tls-example.com,other-tls-example.com"
    HTTP/1.1 201 Created
    ...
    

    The snis form parameter is a sugar parameter, directly inserting an SNI and associating the uploaded certificate to it.

    Note that one of the SNI names defined in snis above contains a wildcard (*.tls-example.com). An SNI may contain a single wildcard in the leftmost (prefix) or rightmost (suffix) position. This can be useful when maintaining multiple subdomains. A single SNI configured with a wildcard name can be used to match multiple subdomains, instead of creating an SNI for each.

    Valid wildcard positions are mydomain.*, *.mydomain.com, and *.www.mydomain.com.

    Matching of snis respects the following priority:

    1. plain (no wildcard)
    2. prefix
    3. suffix
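
The matching priority above, sketched as an added Python example (not Kong's own code and not part of the original page). It assumes a wildcard stands for exactly one DNS label; the certificate labels and the `api.tls-example.com` and `prefix.tls-example.*` entries are constructed for illustration.

```python
# Added example: models the SNI selection rules described on this page.
# Assumption: "*" replaces exactly one DNS label (leftmost or rightmost).

def validate_sni(name):
    """Classify an SNI name as 'plain', 'prefix' or 'suffix'; reject others."""
    stars = name.count("*")
    if stars == 0:
        return "plain"
    if stars > 1:
        raise ValueError(f"{name!r}: only a single wildcard is allowed")
    if name.startswith("*.") and len(name) > 2:
        return "prefix"          # e.g. *.mydomain.com, *.www.mydomain.com
    if name.endswith(".*") and len(name) > 2:
        return "suffix"          # e.g. mydomain.*
    raise ValueError(f"{name!r}: wildcard must be the leftmost or rightmost label")


def candidates(server_name):
    """Lookup keys for a ClientHello server_name, highest priority first."""
    name = server_name.lower()   # DNS names compare case-insensitively
    keys = [name]                                    # 1. plain
    if "." in name:
        keys.append("*." + name.split(".", 1)[1])    # 2. prefix wildcard
        keys.append(name.rsplit(".", 1)[0] + ".*")   # 3. suffix wildcard
    return keys


def select_certificate(server_name, sni_table):
    """Return (matched SNI, certificate label), or (None, None) if no SNI matches."""
    for key in candidates(server_name):
        if key in sni_table:
            return key, sni_table[key]
    return None, None


# Constructed SNI table: the first two names come from the upload above,
# the last two are hypothetical entries added to exercise the priority order.
SNI_TABLE = {
    "*.tls-example.com": "cert-A",
    "other-tls-example.com": "cert-A",
    "api.tls-example.com": "cert-B",
    "prefix.tls-example.*": "cert-C",
}
for entry in SNI_TABLE:
    validate_sni(entry)          # every configured name must be well-formed

if __name__ == "__main__":
    for host in ("prefix.tls-example.com", "api.tls-example.com",
                 "prefix.tls-example.org", "a.b.tls-example.com"):
        print(host, "->", select_certificate(host, SNI_TABLE))
```

Under the one-label assumption, `a.b.tls-example.com` matches no entry, so a wildcard SNI should not be relied on to cover nested subdomains without testing.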

    You must now register the following Route within Kong. We will match requests to this Route using only the Host header for convenience:

    $ curl -i -X POST http://localhost:8001/routes \
        -d 'hosts=prefix.tls-example.com,other-tls-example.com' \
        -d 'service.id=d54da06c-d69f-4910-8896-915c63c270cd'
    HTTP/1.1 201 Created
    ...
    

    You can now expect the Route to be served over HTTPS by Kong:

    $ curl -i https://localhost:8443/ \
      -H "Host: prefix.tls-example.com"
    HTTP/1.1 200 OK
    ...
    

    When establishing the connection and negotiating the TLS handshake, if your client sends prefix.tls-example.com as part of the SNI extension, Kong will serve the cert.pem certificate previously configured. This is the same for both HTTPS and TLS connections.

  • Original article: https://www.cnblogs.com/justart/p/12605714.html