Yes, F5 (BIG-IP) or any load balancer can cause a 401 Unauthorized error in Kong, depending on how it’s configured. Here’s how:
🔍 How F5 Can Cause 401 Errors in Kong
| F5 Misconfiguration | Effect on Kong |
|---|---|
| 🔒 Strips Authorization headers | Kong never receives the token/key — authentication fails with 401. |
| 🚫 Overwrites headers (like Host or X-Forwarded-*) | Breaks routing or causes Kong to reject the request. |
| 🧱 SSL Termination issues | OIDC or JWT validation fails due to invalid scheme or issuer mismatch. |
| 🔁 Rewrites path incorrectly | Kong cannot match the route, plugin doesn’t apply properly, or token is invalid. |
| ⚙️ Session persistence or cookie manipulation | Disrupts OIDC or session-based auth flows. |
✅ How to Test if F5 is the Cause
- Bypass F5 (send request directly to Kong):

      curl -i http://<kong-IP>:8000/<route-path> \
        -H "Authorization: Bearer <your-token>"

  - If this works and through F5 it fails → F5 is modifying/blocking something.
- Inspect headers from F5:
  - Add a logging plugin in Kong to dump all headers.
  - Use request-transformer or a custom plugin to inspect incoming headers.
- Check F5 HTTP Profile:
  - Ensure Authorization headers are not removed.
    - F5 → Virtual Server → HTTP Profile → Request Header Erase should not include Authorization.
- Enable debug logs in Kong:
  - Will show missing/malformed headers.
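
The direct-versus-F5 comparison from the steps above can be done at header level with a small echo listener and a diff helper. This is an added example, not part of the original answer and not Kong or F5 code. It assumes the listener is temporarily stood up as a test pool member behind F5 and queried once directly and once through F5; the port and all function names are hypothetical.

```python
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers the table above names as breaking Kong auth or routing when altered.
WATCHED = ("authorization", "host", "x-forwarded-proto", "x-forwarded-host")
SECRET = ("authorization", "cookie")  # never echoed in clear text

def fingerprint(headers):
    """Lower-case header names; replace secret values with a short SHA-256 tag."""
    out = {}
    for name, value in headers.items():
        name = name.lower()
        if name in SECRET:
            value = "sha256:" + hashlib.sha256(value.encode()).hexdigest()[:12]
        out[name] = value
    return out

class EchoHandler(BaseHTTPRequestHandler):
    """Answers every GET with the headers it received, as JSON."""
    def do_GET(self):
        seen = fingerprint(dict(self.headers.items()))
        body = json.dumps(seen, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def diff_headers(direct, via_f5):
    """Return [(header, finding)] for watched headers that differ between paths.

    Both arguments are the JSON objects returned by EchoHandler.
    """
    findings = []
    for name in WATCHED:
        a, b = direct.get(name), via_f5.get(name)
        if a is not None and b is None:
            findings.append((name, "stripped"))
        elif a is None and b is not None:
            findings.append((name, "added"))
        elif a != b:
            findings.append((name, "rewritten"))
    return findings

if __name__ == "__main__":
    # Hypothetical port; bind only where the F5 self IP can reach it.
    HTTPServer(("0.0.0.0", 8081), EchoHandler).serve_forever()
```

Send the same Host and Authorization headers on both paths so that any difference reported comes from F5 and not from the client.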
🛠 Fix Recommendations
- Preserve Authorization headers in F5 config.
- Ensure correct SSL termination and forwarding.
- Keep route paths intact when forwarding.
- Use F5 “passthrough” mode if possible for auth-related traffic.
If you share:
- A sample request/response flow through F5
- Kong route/plugin setup
- Any header manipulation in F5
…I can provide targeted help.