On my company we need to use TLSv1.3 with kong, we were using the 0.12.1 version of kong which dosn't support the TLSv1.3 protocol itself, so we updated to 0.14.1 that looks like it supports it. Also if we manage to make it work, we will look to keep upgrading to latest versions.
We using docker to make it work also with konga. This is our full docker-compose.yml file
version: "2.1"
services:
########
# datebase used by kong
########
kong-database-admon:
container_name: kong-database-admon
image: postgres:10.7
restart: always
ports:
- "5432:5432"
environment:
POSTGRES_USER: kong
POSTGRES_PASSWORD: kong
POSTGRES_DB: kong
volumes:
- "kong-data:/var/lib/postgresql/data"
healthcheck:
test: ["CMD-SHELL", "pg_isready"]
interval: 10s
timeout: 5s
retries: 5
networks:
admon-network:
aliases:
- kong-database
########
# kong: datebase migration
########
kong-migration-admon:
#image: kong:1.4.0
image: kong:0.14.1
restart: on-failure
container_name: kong-migration-admon
depends_on:
kong-database-admon:
condition: service_healthy
environment:
KONG_DATABASE: postgres
KONG_PG_HOST: kong-database
KONG_PG_PORT: 5432
KONG_PG_DATABASE: kong
KONG_PG_PASSWORD: kong
KONG_PG_USER: kong
#command: sh -c "kong migrations bootstrap && kong migrations up && kong migrations finish"
command: kong migrations up
networks:
admon-network:
aliases:
- kong-migration
########
# kong: the api gateway
########
kong-admon:
container_name: kong-admon
# image: kong:1.4.0
image: kong:0.14.1
# restart: on-failure
depends_on:
kong-database-admon:
condition: service_healthy
environment:
KONG_DATABASE: postgres
KONG_PG_HOST: kong-database
KONG_PG_PORT: 5432
KONG_PG_PASSWORD: kong
KONG_PG_DATABASE: kong
KONG_PG_USER: kong
KONG_LOG_LEVEL: debug
KONG_PROXY_ACCESS_LOG: /dev/stdout
KONG_ADMIN_ACCESS_LOG: /dev/stdout
KONG_PROXY_ERROR_LOG: /dev/stderr
KONG_ADMIN_ERROR_LOG: /dev/stderr
KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 http2 ssl
KONG_PROXY_LISTEN: 0.0.0.0:8000, 0.0.0.0:8443 http2 ssl
KONG_SSL_PROTOCOLS: TLSv1.3
KONG_SSL_CIPHER_SUITE : modern
KONG_SSL_CIPHERS: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
volumes:
- "kong-data:/usr/local/kong"
- ${HOME}/git/admon/deployment/nginx/config/pfs-certificates:/usr/local/kong/ssl
- ${HOME}/git/admon/deployment/nginx/config/kong-configuration:/etc/kong
ports:
- "8000:8000"
- "8443:8443"
- "8001:8001"
- "8444:8444"
healthcheck:
test: ["CMD-SHELL", "curl -I -s -L http://kong:8443 || exit 1"]
interval: 5s
retries: 10
networks:
admon-network:
aliases:
- kong
########
# konga interface
########
konga-admon:
container_name: konga-admon
image: pantsel/konga:0.12.0
restart: always
depends_on:
kong-admon:
condition: service_healthy
ports:
- "1337:1337"
environment:
NODE_ENV: development
DB_ADAPTER: postgres
DB_HOST: kong-database
DB_PORT: 5432
DB_USER: kong
DB_PASSWORD: kong
DB_DATABASE: kong
KONG_ADMIN_URL: 'http://kong:8444'
NO_AUTH: 'false'
KONGA_HOOK_TIMEOUT: 600000
healthcheck:
test: ["CMD-SHELL", "curl -I -s -L http://localhost:1337 || exit 1"]
interval: 10s
retries: 10
volumes:
- "kong-data:/app/konga"
networks:
admon-network:
aliases:
- konga
volumes:
kong-data:
name: admon-kong-development
networks:
admon-network:
name: admon-network
ipam:
driver: default
config:
- subnet: 172.22.4.0/24
gateway: 172.22.4.1
And our kong.conf is like the following:
ssl = on # Determines if Nginx should be listening for
# HTTPS traffic on the `proxy_listen_ssl`
ssl_protocols = TLSv1.3
ssl_cipher_suite = custom # Defines the TLS ciphers served by Nginx.
# Accepted values are `modern`, `intermediate`,
# `old`, or `custom`.
# Note: See https://wiki.mozilla.org/Security/Server_Side_TLS for detailed
# descriptions of each cipher suite.
ssl_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt # If `ssl` is enabled, the absolute path to
# the SSL certificate for the
# `proxy_listen_ssl` address.
ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key # If `ssl` is enabled, the absolute path to
# the SSL key for the `proxy_listen_ssl`
# address.
http2 = on # Enables HTTP2 support for HTTPS traffic on
# the `proxy_listen_ssl` address.
client_ssl = on # Determines if Nginx should send client-side
# SSL certificates when proxying requests.
client_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt # If `client_ssl` is enabled, the absolute path
# to the client SSL certificate for the
# `proxy_ssl_certificate` directive. Note that
# this value is statically defined on the node,
# and currently cannot be configured on a
# per-API basis.
client_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key # If `client_ssl` is enabled, the absolute path
# to the client SSL key for the
# `proxy_ssl_certificate_key` address. Note
# this value is statically defined on the node,
# and currently cannot be configured on a
# per-API basis.
admin_ssl = on # Determines if Nginx should be listening for
# HTTPS traffic on the `admin_listen_ssl`
# address. If disabled, Nginx will only bind
# itself on `admin_listen`, and all SSL
# settings will be ignored.
admin_ssl_cert = /usr/local/kong/ssl/wildCard_PFS.crt # If `admin_ssl` is enabled, the absolute path
# to the SSL certificate for the
# `admin_listen_ssl` address.
admin_ssl_cert_key = /usr/local/kong/ssl/wildCard_PFS.key # If `admin_ssl` is enabled, the absolute path
# to the SSL key for the `admin_listen_ssl`
# address.
admin_http2 = on # Enables HTTP2 support for HTTPS traffic on
# the `admin_listen_ssl` address.
client_max_body_size = 0 # Defines the maximum request body size allowed
# by requests proxied by Kong, specified in the
# Content-Length request header. If a request
# exceeds this limit, Kong will respond with a
# 413 (Request Entity Too Large). Setting this
# value to 0 disables checking the request body
# size.
# Note: See
# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
# for further description of this parameter. Numeric values may be suffixed with
# 'k' or 'm' to denote limits in terms of kilobytes or megabytes.
client_body_buffer_size = 10m # Defines the buffer size for reading the
# request body. If the client request body is
We have the SSL certificates and we arent able to make it work. Also the command we using to test the TLS v1.3 connection is the following:
curl -I -v --tlsv1.3 --tls-max 1.3 https://192.168.70.20:8443/alpha/people
What are we doing wrong?