Secure API Gateway Setup with Kong

Last updated: March 22, 2026

Kong is an open-source API gateway that sits in front of your services and enforces authentication, rate limiting, logging, and TLS. without touching application code. This guide covers a production-grade setup using Kong Gateway (OSS) 3.x on Ubuntu 24.04 with PostgreSQL, deployed behind Nginx for TLS termination.

Architecture Overview

Client → Nginx (TLS) → Kong (8000) → Upstream Services
                   ↓
            Kong Admin (8001, localhost-only)

Kong handles - JWT validation, rate limiting, IP allowlisting, request logging. Nginx handles: certificate renewal, HTTPS, and hiding Kong’s admin port.

Install Kong and PostgreSQL

Add Kong repository
curl -fsSL https://packages.konghq.com/public/gateway-38/gpg.asc \
  | sudo gpg --dearmor -o /usr/share/keyrings/kong-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/kong-archive-keyring.gpg] \
  https://packages.konghq.com/public/gateway-38/deb/ubuntu \
  $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/kong.list

sudo apt update && sudo apt install -y kong-enterprise-edition || \
sudo apt install -y kong

Install PostgreSQL
sudo apt install -y postgresql postgresql-contrib

Configure PostgreSQL

sudo -u postgres psql <<'SQL'
CREATE USER kong WITH PASSWORD 'StrongPassHere42!';
CREATE DATABASE kong OWNER kong;
SQL

Configure Kong

sudo cp /etc/kong/kong.conf.default /etc/kong/kong.conf
sudo tee /etc/kong/kong.conf > /dev/null <<'EOF'
Database
database = postgres
pg_host = 127.0.0.1
pg_port = 5432
pg_user = kong
pg_password = StrongPassHere42!
pg_database = kong

Proxy (public)
proxy_listen = 0.0.0.0:8000
Admin (local only. NEVER expose to internet)
admin_listen = 127.0.0.1:8001

TLS. Kong itself can do TLS, but we'll use Nginx in front
proxy_ssl = off

Log level
log_level = warn
EOF

Initialize database
sudo kong migrations bootstrap -c /etc/kong/kong.conf

Start Kong
sudo systemctl enable --now kong
sudo systemctl status kong

Test Kong is running:

curl -s http://127.0.0.1:8001/ | python3 -m json.tool | grep version

Add a Service and Route

Services represent upstream APIs. Routes define what paths/hosts map to a service.

ADMIN="http://127.0.0.1:8001"

Create a service pointing to your backend
curl -s -X POST $ADMIN/services \
  -d name=my-api \
  -d url=http://127.0.0.1:3000

Create a route for that service
curl -s -X POST $ADMIN/services/my-api/routes \
  -d 'paths[]=/api' \
  -d strip_path=false

Verify
curl -s $ADMIN/services | python3 -m json.tool

Enable Rate Limiting

Protect backend services from brute-force and DoS:

Global rate limiting - 100 requests per minute per IP
curl -s -X POST $ADMIN/plugins \
  -d name=rate-limiting \
  -d config.minute=100 \
  -d config.policy=local \
  -d config.hide_client_headers=false

Per-service rate limiting - stricter limit for sensitive endpoint
curl -s -X POST $ADMIN/services/my-api/plugins \
  -d name=rate-limiting \
  -d config.minute=30 \
  -d config.hour=500 \
  -d config.policy=redis \
  -d config.redis_host=127.0.0.1 \
  -d config.redis_port=6379

Use Redis-backed policy in multi-node deployments to share rate limit state across Kong instances.

Enable JWT Authentication

Enable the JWT plugin on your service
curl -s -X POST $ADMIN/services/my-api/plugins \
  -d name=jwt

Create a consumer
curl -s -X POST $ADMIN/consumers \
  -d username=api-client-1

Generate a JWT credential
curl -s -X POST $ADMIN/consumers/api-client-1/jwt

Response includes:
{
  "key": "rsa_key_or_hs256_key",
  "secret": "your_shared_secret",
  "algorithm": "HS256"
}

Clients must include the JWT in the Authorization - Bearer <token> header. Generate tokens in your application:

import jwt, time

payload = {
    "iss": "rsa_key_from_kong",   # must match the 'key' field from Kong
    "sub": "api-client-1",
    "iat": int(time.time()),
    "exp": int(time.time()) + 3600,
}
token = jwt.encode(payload, "your_shared_secret", algorithm="HS256")
print(token)

Enable IP Restriction

Block or allow specific IP ranges:

Allow only your office IP and VPN exit node
curl -s -X POST $ADMIN/services/my-api/plugins \
  -d name=ip-restriction \
  -d 'config.allow[]=203.0.113.10' \
  -d 'config.allow[]=10.0.0.0/8'

Block a known bad actor IP range
curl -s -X POST $ADMIN/plugins \
  -d name=ip-restriction \
  -d 'config.deny[]=198.51.100.0/24'

Enable Request Logging

Log to file (for local ELK or Splunk ingest)
curl -s -X POST $ADMIN/plugins \
  -d name=file-log \
  -d config.path=/var/log/kong/access.log \
  -d config.reopen=true

Or HTTP log (forward to logging service)
curl -s -X POST $ADMIN/plugins \
  -d name=http-log \
  -d config.http_endpoint=http://log-aggregator:9200/kong-logs \
  -d config.method=POST \
  -d config.timeout=10000 \
  -d config.keepalive=60000

TLS Termination with Nginx

/etc/nginx/sites-available/api-gateway
server {
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_session_cache   shared:SSL:10m;

    # Forward to Kong proxy
    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 60s;
    }
}

server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}

sudo certbot --nginx -d api.example.com
sudo nginx -t && sudo systemctl reload nginx

Harden Kong Admin

The admin API must never be internet-accessible. Restrict it further:

Bind to Unix socket instead of TCP (if single-node)
In kong.conf:
admin_listen = unix:/run/kong/kong_admin.sock

If using TCP, add firewall rule
sudo ufw deny 8001
sudo ufw allow from 127.0.0.1 to any port 8001

Add basic auth to admin via Nginx proxy (optional)
Only expose admin behind VPN or bastion host

Monitor with Prometheus

Enable Prometheus plugin globally
curl -s -X POST $ADMIN/plugins \
  -d name=prometheus

Kong exposes metrics at :8001/metrics
Add to prometheus.yml:
- job_name: kong
  static_configs:
    - targets: ['127.0.0.1:8001']
  metrics_path: /metrics

Key metrics - kong_http_requests_total, kong_latency_bucket, kong_bandwidth_bytes_total.

Security Checklist

Admin API bound to 127.0.0.1 only. never 0.0.0.0
Rate limiting enabled globally with tighter per-service limits
JWT plugin enforced on all authenticated routes
TLS 1.2+ with strong cipher suites at the Nginx layer
IP restriction applied to admin and internal routes
File or HTTP logging forwarded to a SIEM
Kong version pinned; apt-mark hold kong to prevent accidental upgrades

How to Secure PostgreSQL for Production
Nextcloud Setup Guide Raspberry Pi 2026
How to Set Up Caddy with Automatic HTTPS
How to Set Up a Tor Relay
How to Set Up Snort IDS on Linux
AI Coding Assistant Session Data Lifecycle Built by theluckystrike. More at zovo.one