Control Plane and Data Plane Communication through a Forward Proxy

If your control plane and data planes run on different sides of a firewall that runs external communications through a proxy, you can configure Kong Gateway to authenticate with the proxy server and allow traffic through.

Kong Gateway only supports HTTP CONNECT proxies.

This feature does not support mTLS termination.

Set up forward proxy connection

In kong.conf, configure the following parameters:

    proxy_server = http(s)://<username>:<password>@<proxy-host>:<proxy-port>
    proxy_server_tls_verify = on/off
    cluster_use_proxy = on
    lua_ssl_trusted_certificate = system | <certificate> | <path-to-cert>

  • proxy_server: Proxy server defined as a URL. Kong Gateway uses this option only when a component is explicitly configured to use the proxy.

  • proxy_server_tls_verify: Toggles server certificate verification when proxy_server uses HTTPS. Set to on if using HTTPS (default), or off if using HTTP.

  • cluster_use_proxy: Tells the cluster to use HTTP CONNECT proxy support for hybrid mode connections. If turned on, Kong Gateway will use the URL defined in proxy_server to connect.

  • lua_ssl_trusted_certificate (Optional): If using HTTPS, you can also specify a custom certificate authority with lua_ssl_trusted_certificate. If using the system default CA, you don’t need to change this value.

Reload Kong Gateway for the connection to take effect:

    kong reload
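
The following check for the four parameters above can be run against kong.conf before the reload. It is an added example, not part of Kong Gateway or its documentation. The function names, the sample host proxy.example.internal, the placeholder credentials, and the simple "key = value" parsing are assumptions.

```python
from urllib.parse import urlsplit

def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and '#' comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def check_proxy_settings(conf):
    """Return findings for the forward-proxy parameters (empty list = none)."""
    findings = []
    proxy = conf.get("proxy_server", "")
    use_proxy = conf.get("cluster_use_proxy", "").lower() == "on"
    if use_proxy and not proxy:
        findings.append("cluster_use_proxy is on but proxy_server is not set")
    if proxy and not use_proxy:
        findings.append("proxy_server is set but cluster_use_proxy is not on")
    if not proxy:
        return findings
    url = urlsplit(proxy)
    verify = conf.get("proxy_server_tls_verify", "").lower()
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append("proxy_server must be an http(s):// URL with a host")
    elif url.scheme == "http" and url.username:
        findings.append("credentials go to the proxy over unencrypted http://")
    elif url.scheme == "https" and verify != "on":
        findings.append("https:// proxy but proxy_server_tls_verify is not on")
    return findings

# Constructed sample configurations (placeholder host and credentials).
WEAK = """
proxy_server = https://kong-dp:example-password@proxy.example.internal:3128
proxy_server_tls_verify = off
cluster_use_proxy = on
"""
HARDENED = WEAK.replace("tls_verify = off", "tls_verify = on") + \
    "lua_ssl_trusted_certificate = system\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_proxy_settings(parse_conf(text)) or "no findings")
```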