Month: August 2025

kong latency

techhadoop , ,

Short answer: there isn’t a single built-in “average response time” value for Kong. You measure it from Kong’s latency telemetry and then compute the average. Kong exposes three latencies:

  • Request latency (a.k.a. total): time from first byte in to last byte out.
  • Upstream latency: time the upstream took to start responding.
  • Kong latency: time spent inside Kong (routing + plugins). (Kong Docs)

Below are the quickest ways to get the average.

Option 1 — Prometheus plugin (fastest for averages/percentiles)

Enable the Prometheus plugin with config.latency_metrics=true. It exposes histograms:

  • kong_request_latency_ms_* (total)
  • kong_upstream_latency_ms_*
  • kong_kong_latency_ms_* (Kong Docs)

PromQL examples (last 5 minutes):

# Average total response time
sum(rate(kong_request_latency_ms_sum[5m]))
/
sum(rate(kong_request_latency_ms_count[5m]))

# Average per service
sum by (service) (rate(kong_request_latency_ms_sum[5m]))
/
sum by (service) (rate(kong_request_latency_ms_count[5m]))

# p95 latency (total)
histogram_quantile(
  0.95,
  sum by (le) (rate(kong_request_latency_ms_bucket[5m]))
)

Swap request for upstream or kong in the metric names to break the average down by where time is spent. (Kong Docs)

Option 2 — ELK/Kibana (since you’re using ELK)

Use a log plugin (e.g., File Log or HTTP Log) and ship the JSON to Elasticsearch. Each log line contains:

"latencies": {
  "request": <total_ms>,
  "proxy":   <upstream_ms>,
  "kong":    <kong_ms>
}

In Kibana → Discover/Lens, set Average over latencies.request (or latencies.proxy / latencies.kong) to see the mean response time. (Kong Docs)

Option 3 — Quick curl check (headers)

Kong can add latency headers:

  • X-Kong-Proxy-Latency (≈ Kong time)
  • X-Kong-Upstream-Latency (≈ upstream time)
  • X-Kong-Total-Latency (total; with advanced tokens)

Enable with KONG_HEADERS=latency_tokens (or advanced_latency_tokens) and inspect with curl -i. (Kong Docs)

What’s a “good” number?

It’s workload-specific. Treat Kong latency as your gateway overhead (aim for low single-digit ms) and focus tuning on upstream latency (usually the dominant share). Use p95/p99 alongside the average to catch tail latency. (Kong Docs)

If you want, I can drop a Grafana panel (PromQL prewired) and a Kibana Lens example targeting latencies.request so you can paste them into your stack.

error kong

techhadoop

tail -f /usr/local/kong/logs/error.log | egrep -i ‘oidc|jwt|introspect|jwks|bearer|signature|aud|iss’
Typical log clues → fixes:

Got it—here’s a fast, practical playbook for “invalid bearer token” in a Kong + Ping Identity setup (with F5 in front).

Quick triage (60‑second checks)

  1. Header format
    • Must be exactly: Authorization: Bearer <access_token> (case‑sensitive “Bearer”, single space, no quotes).
  2. Right token type
    • Use the Access Token, not the ID token.
  3. Header delivery
    • Ensure F5/LB isn’t stripping Authorization. Hit Kong directly to compare.
# Direct to Kong (bypass F5 if you can)
curl -si https://kong.example.com/api \
  -H "Authorization: Bearer $AT"

Validate the JWT (if your AT is JWT)

1) Is it a JWT?

A JWT has two dots: xxxxx.yyyyy.zzzzz. If not, it’s likely opaque → skip to “Opaque tokens”.

2) Decode & inspect claims

# header
cut -d. -f1 <<<"$AT" | base64 -d 2>/dev/null | jq
# payload
cut -d. -f2 <<<"$AT" | base64 -d 2>/dev/null | jq

Check:

  • iss equals your Ping issuer in Kong config
  • aud includes your API audience expected by Kong
  • exp is in the future; nbf is not in the future (watch clock skew)
  • scope / roles include what your route requires

3) Signature / key material

From the JWT header (kid, alg) confirm Kong can fetch the matching JWKS:

  • Kong must reach Ping’s /.well-known/openid-configurationjwks_uri
  • No corporate proxy/DNS blocking
  • alg matches what the IdP issues (e.g., RS256)

Validate with Kong

Turn on debug temporarily and reproduce once:

KONG_LOG_LEVEL=debug kong restart
tail -f /usr/local/kong/logs/error.log | egrep -i 'oidc|jwt|introspect|jwks|bearer|signature|aud|iss'

Typical log clues → fixes:

  • signature verification failed → wrong JWKS, stale kid, or mismatched alg.
  • token expiredexp passed; consider small clock_skew_leeway.
  • audience not allowed / aud mismatch → adjust audience in IdP or audience_claim/allowed_audiences in plugin.
  • issuer not allowed → fix issuer (exact string match).
  • could not get jwks → networking/proxy or TLS trust to Ping.

Common F5/LB gotchas

  • Missing Authorization header forwarding. On F5, ensure policies/iRules preserve it.
  • Rewriting to lower/upper case header names is fine; removing isn’t.

Opaque tokens (non‑JWT access tokens)

If the access token looks random (no dots), enable introspection:

  • Kong openid-connect plugin must have introspection_endpoint, client_id, client_secret.
  • Kong needs network access to Ping’s introspection endpoint.
  • Expect log lines: introspection active / token active:false if invalid or revoked.

Kong plugin configuration — key items to review

# For openid-connect plugin (per service/route)
config:
  issuer: "https://ping.example.com/as"
  discovery: "https://ping.example.com/as/.well-known/openid-configuration"
  # If using opaque tokens:
  introspection_endpoint: "https://ping.example.com/as/introspect.oauth2"
  client_id: "<kong-oidc-client>"
  client_secret: "<secret>"
  # Validation:
  verify_signature: true
  verify_claims: true
  allowed_audiences:
    - "api://my-api"
  scopes_required:
    - "api.read"
  # Optional:
  clock_skew_leeway: 60
  bearer_only: true   # if you don’t want redirects (API-only)

Upstream expectations (post‑auth)

Decide what the upstream needs:

  • Forward original token: config.upstream_access_token_header = "Authorization" (default)
  • Or forward derived identity headers (customize via config.upstream_headers_claims).
    Ensure your upstream checks the same audience/scope semantics (or trusts Kong’s verdict and uses headers only).

Quick curl matrix

# Good: Access token with proper prefix
curl -H "Authorization: Bearer $AT" https://api.example.com/orders

# Bad: ID token by mistake
curl -H "Authorization: Bearer $IDT" https://api.example.com/orders   # expect 401

# Test over F5 vs direct Kong
curl -si -H "Authorization: Bearer $AT" https://edge.example.com/orders
curl -si -H "Authorization: Bearer $AT" https://kong.example.com/orders

Frequent root causes & fixes

  • Typo / missing “Bearer ” → fix header format.
  • Using ID token → request AT (auth code or client credentials).
  • Expired token → renew; verify system clocks (NTP) on F5, Kong, and upstream.
  • Issuer/audience mismatch → align Ping client + API resources with Kong allowed_audiences and issuer.
  • JWKS fetch failure → open egress, fix proxy/TLS trust, or pin jwks_uri.
  • Opaque token with no introspection configured → enable introspection_endpoint + client creds.
  • F5 stripped header → preserve Authorization.
  • Scope missing → include required scopes in token request or relax scopes_required (if appropriate).

If you paste a redacted sample token header/payload (no signature needed) and your current openid-connect plugin snippet, I’ll pinpoint exactly which check is failing and provide the minimal config change or Ping policy tweak.

Kong – no suitable authorization credentials were provided

techhadoop , , ,

The error “no suitable authorization credentials were provided” usually means Kong (or an upstream service) expected authentication information, but it either:

  • Didn’t receive it at all
  • Received it in the wrong format
  • Received it in the wrong location (header vs. query parameter)
  • Couldn’t match it to any configured credentials

Here’s how to troubleshoot it step-by-step:

1. Identify which plugin or service is throwing the error

  • Kong Plugin Layer – Often caused by key-auth, jwt, or openid-connect plugin when no valid credential is passed.
  • Upstream Service Layer – Could be from the API/backend if Kong passed the request without credentials.
  • Load Balancer / F5 – Sometimes strips or alters headers, so credentials never reach Kong.

2. Check the authentication type you’re using

  • API Key (key-auth plugin)
    • Expected: apikey in ?query or apikey in header (apikey: <key>).
    • Verify: curl -H "apikey: YOUR_API_KEY" https://your-kong-endpoint/your-api
  • JWT Plugin
    • Expected: Authorization: Bearer <jwt_token> header.
    • Token must be valid and match a configured consumer.
  • OpenID Connect (openid-connect plugin)
    • Expected: Valid ID/Access token, usually Authorization: Bearer <access_token>.
    • Token must be signed by a trusted issuer in plugin config.

3. Verify headers are not stripped

If you have F5 / Nginx / Apache in front of Kong:

  • Check that Authorization headers are forwarded.
  • In F5, enable HTTP::header Authorization forwarding.
  • In Nginx, ensure: proxy_set_header Authorization $http_authorization;

4. Check Kong logs for details

Run Kong in debug mode temporarily:

KONG_LOG_LEVEL=debug kong restart
tail -f /usr/local/kong/logs/error.log

Look for:

  • plugin=... lines showing missing credentials
  • no credentials found for given consumer/issuer

5. Confirm consumer mapping

For jwt or oidc:

  • The public key / JWKS URL must be correct.
  • The iss (issuer) in token must match plugin config.
  • The consumer must be linked to the credential.

💡 Common causes I’ve seen in your past scenarios with F5 + Kong + Ping Identity:

  • F5 stripping Authorization header before reaching Kong.
  • Wrong token type (ID token instead of Access token) in OIDC flow.
  • Consumer not mapped in Kong for the provided JWT/OIDC token.
  • client_id and client_secret missing in a token request.

If you want, I can draw you a flow diagram for Kong + Ping Identity showing exactly where the credential might be getting lost in your setup with F5 in the middle. That would make pinpointing the issue much faster.

Kong / our app is build using Java Spring Boot

techhadoop , , ,

Yes — when integrating certificates into Spring Boot, especially for mTLS, HTTPS, or secure inter-service communication, there are several important certificate handling considerations you should account for:

✅ 1. Keystore / Truststore Formats

StorePurposeCommon Format
KeystoreHolds your application’s private key + certJKS, PKCS12 (.p12 / .pfx)
TruststoreHolds trusted CA certs to verify clients or serversJKS, PKCS12

🟡 JKS is Java-native, but PKCS12 is preferred for modern apps (more portable + supports OpenSSL).

🔧 Example Spring Boot Config:

server.ssl.key-store=classpath:server.p12
server.ssl.key-store-password=changeit
server.ssl.key-store-type=PKCS12
server.ssl.trust-store=classpath:truststore.p12
server.ssl.trust-store-password=changeit
server.ssl.trust-store-type=PKCS12

✅ 2. Certificate Chain Requirements

Spring Boot expects:

  • Full certificate chain in the keystore if issued by an intermediate CA
  • Trusted root CA in the truststore (for mTLS)

🔸 Failure to include the full chain often results in handshake errors or “unable to find valid certification path” errors.

✅ 3. Protocol Configuration (TLS)

Spring Boot (via embedded Tomcat) uses TLS 1.2+ by default.

To restrict or specify:

server.ssl.enabled-protocols=TLSv1.2,TLSv1.3

🔐 Disable TLS 1.0/1.1 — they are deprecated and insecure.

✅ 4. Cipher Suites

Spring Boot (via Tomcat) negotiates secure ciphers by default.
You can explicitly define them:

server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,...

Use modern ciphers like ECDHE + AES_GCM.
Avoid RC4, 3DES, NULL, or EXPORT ciphers.

✅ 5. Mutual TLS (mTLS)

To require client certs:

server.ssl.client-auth=need

Modes:

  • none: default (no client cert)
  • want: optional client cert
  • need: mandatory client cert (for mTLS)

✅ 6. Generating Keystore & Truststore

Convert PEM to PKCS12:

openssl pkcs12 -export \
  -in client.crt \
  -inkey client.key \
  -certfile ca.crt \
  -out client-keystore.p12 \
  -name client

Then import trusted CA into truststore (if using JKS):

keytool -import -alias myca -file ca.crt -keystore truststore.jks

✅ 7. Spring Boot with Reverse Proxies (e.g., Kong, F5)

If TLS termination is done by Kong/F5 and Spring Boot sits behind it:

  • Use X-Forwarded headers: server.forward-headers-strategy=framework
  • Do not terminate TLS inside Spring unless you need end-to-end TLS.

✅ Summary: What to Account For

AreaKey Considerations
🔐 FormatUse PKCS12 for best compatibility
🧾 TrustTruststore must contain root CA or intermediate
🔄 ChainInclude full cert chain in keystore
🌐 ProtocolEnable TLSv1.2+ only
🔐 CiphersUse strong, modern suites
🔁 mTLSSet client-auth=need + configure truststore
🔀 ProxyHandle X-Forwarded-* if behind Kong/F5

Would you like:

  • A working Spring Boot + mTLS project example?
  • An OpenSSL script to prepare the .p12 files?
  • A Kong + Spring Boot mTLS walkthrough?

Let me know your setup.

KONG 401 error caused by F5

techhadoop

Yes, F5 (BIG-IP) or any load balancer can cause a 401 Unauthorized error in Kong, depending on how it’s configured. Here’s how:

🔍 How F5 Can Cause 401 Errors in Kong

F5 MisconfigurationEffect on Kong
🔒 Strips Authorization headersKong never receives the token/key — authentication fails with 401.
🚫 Overwrites headers (like Host or X-Forwarded-*)Breaks routing or causes Kong to reject the request.
🧱 SSL Termination issuesOIDC or JWT validation fails due to invalid scheme or issuer mismatch.
🔁 Rewrites path incorrectlyKong cannot match the route, plugin doesn’t apply properly, or token is invalid.
⚙️ Session persistence or cookie manipulationDisrupts OIDC or session-based auth flows.

✅ How to Test if F5 is the Cause

  1. Bypass F5 (send request directly to Kong): curl -i http://<kong-IP>:8000/<route-path> \ -H "Authorization: Bearer <your-token>"
    • If this works and through F5 it fails → F5 is modifying/blocking something.
  2. Inspect headers from F5:
    • Add a logging plugin in Kong to dump all headers.
    • Use request-transformer or a custom plugin to inspect incoming headers.
  3. Check F5 HTTP Profile:
    • Ensure Authorization headers are not removed.
      • F5 → Virtual Server → HTTP Profile → Request Header Erase should not include Authorization.
  4. Enable debug logs in Kong:
    • Will show missing/malformed headers.

🛠 Fix Recommendations

  • Preserve Authorization headers in F5 config.
  • Ensure correct SSL termination and forwarding.
  • Keep route paths intact when forwarding.
  • Use F5 “passthrough” mode if possible for auth-related traffic.

If you share:

  • A sample request/response flow through F5
  • Kong route/plugin setup
  • Any header manipulation in F5

…I can provide targeted help.