Security Plugins
Lab Environment
This lab tests a Kong API Gateway deployment using a FastAPI endpoint. To simplify, both the containerized Kong API Gateway and the FastAPI endpoint are installed locally on a Windows 10 machine. A Docker Compose file is used to deploy Kong, along with other applications like Prometheus, Zipkin, the ELK Stack, and more.
Make sure that you have installed Docker Desktop.
Installing Docker inside WSL2 alone, without Docker Desktop, may cause issues when configuring the communication between the containerized Kong API Gateway and the FastAPI application installed on the local host.
Pre-requisites
- Postman
- Set up the Kong API Gateway
- Set up the FastAPI Endpoint
- Kong Manager OSS Access
- Create the Routes and Services
- Create the Consumer
Bot-Detection Plugin
The Bot-Detection plugin helps identify and block unwanted bots based on their user-agent headers.
- Blocks known bots automatically.
- Uses a predefined or custom list of bot signatures.
Enable the Bot-Detection Plugin
To enable the plugin, go to Kong Manager > Plugins > New Plugin > Security > Select Bot Detection.
Configure the following settings under Advanced Parameters.
| Field | Value |
|---|---|
| Instance Name | bot-detection |
For the Allow and Deny lists, we can specify an array of regular expressions that are matched against the User-Agent header. For more information, please see the following:
- Bot Detection
- Basic config examples for Bot Detection
- How to configure an allowed exception for the bot-detection plugin?
As an example, we can block any Postman user agent by adding this regular expression to the Deny field. Click Save afterwards.
^Postman
Testing Bot Detection Plugin via Postman
To set up Postman, please see Testing with Postman.
When we try to send an API request through Postman, we'll get a Forbidden error.
This is because we denied any Postman user agent from sending a request to the API endpoint.
IP Restriction Plugin
The IP Restriction plugin controls access to services based on client IP addresses.
- Allows or denies access using an allow list or a deny list of IP addresses.
- Supports CIDR notation for IP ranges.
Enable the IP Restriction Plugin
To enable the plugin, go to Kong Manager > Plugins > New Plugin > Security > Select IP Restriction.
For the Allow and Deny lists, we can specify IP addresses (or CIDR ranges). As an example, we can deny all IP addresses from sending requests to the API endpoint. Click Save.
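To see why the `^Postman` deny rule above rejects Postman while an allow entry can still carve out an exception, and how a CIDR deny list such as the deny-all rule here is evaluated, the following is an added example (not Kong's own code) that models the two plugins' decision logic locally. It assumes the documented evaluation order (bot-detection: allow list, then deny list, then the bundled bot signatures; ip-restriction: deny list, then allow list) and uses a constructed stand-in for Kong's bundled bot signature list.

```python
"""Local model of Kong's bot-detection and ip-restriction decisions.
Added example; the built-in bot rules below are a constructed stand-in
for the plugin's bundled signatures, not Kong's actual list."""
import ipaddress
import re

# Constructed stand-in for the plugin's bundled bot signatures.
BUILTIN_BOT_RULES = [r"(?i)curl/", r"(?i)python-requests", r"(?i)Googlebot"]


def bot_detection_allows(user_agent, allow=(), deny=()):
    """Return True if the request passes, False if it gets a 403.
    Patterns are unanchored searches, so '^Postman' has to carry its
    own anchor to match only at the start of the User-Agent header."""
    if user_agent is None:          # no User-Agent header: nothing to match on
        return True
    ua = user_agent.strip()
    for rule in allow:              # an allow match short-circuits every later check
        if re.search(rule, ua):
            return True
    for rule in deny:               # operator deny list, e.g. ['^Postman']
        if re.search(rule, ua):
            return False
    for rule in BUILTIN_BOT_RULES:  # bundled known-bot signatures
        if re.search(rule, ua):
            return False
    return True


def ip_restriction_allows(client_ip, allow=(), deny=()):
    """CIDR-aware check: a deny hit always wins; when an allow list is
    set, the client must fall inside one of its networks."""
    ip = ipaddress.ip_address(client_ip)

    def in_list(cidrs):
        return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

    if deny and in_list(deny):
        return False
    if allow and not in_list(allow):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values; the first User-Agent is the shape Postman sends.
    print(bot_detection_allows("PostmanRuntime/7.36.0", deny=[r"^Postman"]))
    print(ip_restriction_allows("192.168.1.20", deny=["0.0.0.0/0"]))
```

Running the script prints `False` twice, matching the Forbidden responses seen in the Postman tests.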
Testing IP Restriction Plugin via Postman
To set up Postman, please see Testing with Postman.
When we try to send an API request through Postman, we'll get the following error: