TLS lives at the edge, not in the gateway

A natural instinct is to give Kong a certificate and let it serve HTTPS. I did that first — and then remembered the lab already terminates TLS at the edge (pfSense/HAProxy, with a wildcard cert). Doing it in both places is redundant and causes a redirect loop: HAProxy forwards plain HTTP to Kong, Kong sees HTTP and tries to redirect to HTTPS, which goes back to HAProxy…

So the final design is clean and single-purpose:

browser --HTTPS--> HAProxy (terminates TLS) --HTTP--> Kong :80 --> service

Kong serves plain HTTP on port 80. Its routes are even pinned to the http protocol only, so there's no stray https entry and no redirect to loop on. HAProxy owns certificates; Kong owns routing and plugins. Each layer does exactly one thing.
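What that route pinning looks like in Kong's declarative (DB-less) config, as an added example rather than the lab's actual kong.yml; the service name, host and backend address are placeholders:

```yaml
# kong.yml - declarative config for a gateway that sits behind a TLS-terminating edge.
# Assumed placeholders: app.lab.example (public host), app-backend.internal (upstream).
_format_version: "3.0"

services:
  - name: app
    url: http://app-backend.internal:8080
    routes:
      # The setting that causes the loop: an https-only route. HAProxy has already
      # terminated TLS, so every request reaches Kong as plain http, matches the host
      # but not the protocol, and Kong answers with https_redirect_status_code
      # (426 Upgrade Required by default; a 301/302/307/308 sends the browser back to
      # HAProxy, which forwards plain http again, and so on).
      #
      # - name: app-route
      #   hosts: [app.lab.example]
      #   protocols: [https]
      #   https_redirect_status_code: 301

      # Pinned to http only: Kong accepts exactly what the edge forwards and never
      # attempts a scheme upgrade or redirect. Certificates stay with HAProxy.
      - name: app-route
        hosts: [app.lab.example]
        protocols: [http]
        paths: [/]
        strip_path: false
```

Load it with `kong config db_import kong.yml` (or deck sync); a request to `http://kong:80/` with `Host: app.lab.example` should then return the backend's response, not a 3xx or 426.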

Lesson learned: decide where TLS terminates once, and don't let any layer behind it think about certificates. Terminating in two places isn't "extra secure" — it's extra moving parts and a redirect loop waiting to happen. On this lab, the edge owns HTTPS; everything internal speaks HTTP on a trusted network. (More on the edge itself in Edge Networking with pfSense.)