Home / How-to Guides
Edit
Report

Block unauthorized requests in Kong Gateway with the OPA plugin

Uses: Kong Gateway decK
Related Documentation
All Gateway Documentation
All decK Documentation
Tags
#security
Minimum Version
Kong Gateway - 3.4
TL;DR

Run an OPA server and create a policy, then enable the OPA plugin and specify the config.opa_host and config.opa_path parameters.

Prerequisites

Kong Konnect

This is a Konnect tutorial. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:

    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
    • Control Plane Name: You can use an existing Control Plane or create a new one to use for this tutorial.
    • Konnect Proxy URL: By default, a self-hosted Data Plane uses http://localhost:8000. You can set up Data Plane nodes for your Control Plane from the Gateway Manager in Konnect.

  2. Set the personal access token, the Control Plane name, the Control Plane URL, and the Konnect proxy URL as environment variables:

     export DECK_KONNECT_TOKEN='YOUR KONNECT TOKEN'
 export DECK_KONNECT_CONTROL_PLANE_NAME='YOUR CONTROL PLANE NAME'
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='KONNECT PROXY URL'

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

OPA server

This tutorial requires an OPA server. You can run a local server for testing:

  1. Install OPA.
  2. Run a local server: 
    opa run -s
  3. In a new terminal window, check that the server is running properly: 
    curl -i http://localhost:8181

Create a policy file

In this example, we want a policy that states that a request must have a header named my-secret-header with the value open-sesame. Any request without this header, or with a different value, will return an error.

Create a .rego file containing the policy:

echo 'package example

default allow_boolean := false

allow_boolean if {
	header_present
}

header_present if {
	input.request.http.headers["my-secret-header"] == "open-sesame"
}

' > example.rego

Upload the policy to the OPA server

Use the OPA Policy API to upload the policy file to the local OPA server. This will allow Kong Gateway to access it.

curl -i -XPUT localhost:8181/v1/policies/example --data-binary @example.rego

You should get a 200 OK response with an empty object in the response body.

Create decK environment variables

We’ll use decK environment variables for the opa_host and opa_path in the OPA plugin configuration. This is because these values typically can vary between environments.

In this tutorial, we’re using host.docker.internal as our host instead of the localhost that OPA is using because Kong Gateway is running in a container that has a different localhost to you.

The opa_path value is the Data API endpoint for the policy.

export DECK_OPA_HOST=host.docker.internal
export DECK_OPA_PATH=/v1/data/example/allow_boolean

Enable the OPA plugin

In this example, we’ll enable the plugin globally:

echo '
_format_version: "3.0"
plugins:
  - name: opa
    config:
      opa_host: "${{ env "DECK_OPA_HOST" }}"
      opa_path: "${{ env "DECK_OPA_PATH" }}"
' | deck gateway apply -

Note: If your OPA server doesn’t use the default 8181 port, you’ll need to specify the config.opa_port parameter too.

Validate

To validate that the policy is working, send a request without the required header:

curl -i -X GET "$KONNECT_PROXY_URL/anything"

curl -i -X GET "http://localhost:8000/anything"

Then try using the correct header with an incorrect value: 

curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -H "my-secret-header: open"

curl -i -X GET "http://localhost:8000/anything" \
     -H "my-secret-header: open"

In both cases, you should get a 403 Forbidden response.

Now, send the request with the correct header value:

curl -i -X GET "$KONNECT_PROXY_URL/anything" \
     -H "my-secret-header: open-sesame"

curl -i -X GET "http://localhost:8000/anything" \
     -H "my-secret-header: open-sesame"

You should get a 200 OK response.

Cleanup

Destroy the Kong Gateway container

 
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support