Network and Firewall

    Kong listens on separate ports for different purposes.

    • proxy
    • admin api

    The proxy ports are where Kong receives its incoming traffic. There are two ports with the following defaults:

    • for proxying HTTP traffic, and
    • 8443 for proxying HTTPS traffic

    Kong can also proxy TCP/TLS streams. Stream proxying is disabled by default. See stream_listen for details on the stream proxy listen options and on how to enable it (if you plan to proxy anything other than HTTP/HTTPS traffic).

    In general, the proxy ports are the only ports that should be reachable by your clients; every other listener belongs behind a firewall.

    Admin API

    • 8444 serves the same Kong Admin API over HTTPS. See admin_listen and the ssl suffix.

    Firewall

    • The upstream Services behind Kong are exposed through the proxy_listen interface/port values. Configure these values according to the access level you wish to grant to the upstream Services.
    • If you are binding the Admin API to a public-facing interface (via ), then firewall it so that only trusted clients can reach the Admin API. See also Securing the Admin API.
    • Your firewall will need rules added for any HTTP/HTTPS and TCP/TLS stream listeners that you configure. For example, if you want Kong to manage traffic on port , your firewall will need to allow traffic on that port.

    Transparent Proxying

    It is worth mentioning that the transparent listen option may be applied to proxy_listen and configuration. With packet filtering such as iptables (Linux) or pf (macOS/BSDs) or with hardware routers/switches, you can specify pre-routing or redirection rules for TCP packets that allow you to mangle the original destination address and port. For example a HTTP request with a destination address of 10.0.0.1, and a destination port of 80 can be redirected to 127.0.0.1 at port . To make this work, you need (with Linux) to add the transparent listen option to Kong proxy, proxy_listen=8000 transparent. This allows Kong to see the original destination for the request (10.0.0.1:80) even when Kong didn’t actually listen to it directly. With this information, Kong can route the request correctly. The transparent listen option should only be used with Linux. macOS/BSDs allow transparent proxying without transparent listen option. With Linux you may also need to start Kong as a root user or set the needed capabilities for the executable.