Nova Kong Plugin

Nova can be deployed as a plugin to the Kong API Gateway, functioning as a full Layer 7 web application firewall for any services defined in Kong. This allows you to protect your APIs easily and efficiently.

Core Concepts

Deploying Nova as a plugin for Kong uses the Kong Nova Plugin.

Adding the "nova" plugin to a service causes every request to that service to be checked by the WAF, and Nova rejects any dangerous or malicious requests, DoS attacks and more.

You will need to deploy one (or more) Nova instances to point the Kong Nova Plugin to, and can then run the plugin on your Kong nodes.

Plugin Repository

The kong-plugin-nova repository is public and can be accessed on our GitHub.

Installing

The first step is to create a Kong ADC on Nova. Head to your ADC create page, and choose the Kong WAF type. The defaults are fine on the configuration page, but make sure to go to the Security tab and Enable the Nova WAF!

Once you Save your new ADC, attach it to a Node to provision the Kong WAF on that server. Nodes can be containers, virtual machines, or cloud instances.

Install the plugin

Run the following as root on your Kong installation.

git clone https://github.com/snapt/kong-plugin-nova.git
cd kong-plugin-nova
luarocks make
luarocks pack kong-plugin-nova 0.1.0
luarocks install kong-plugin-nova-0.1.0-1.all.rock

Add plugin to kong.conf

Edit your kong.conf file and add nova to the plugins list, then restart Kong.

plugins = bundled, nova

kong restart

Create a test service

curl -i -X POST \
  --url http://localhost:8001/services/ \
  --data 'name=novatest-service' \
  --data 'url=http://mockbin.org'

Add route for test service

curl -i -X POST \
  --url http://localhost:8001/services/novatest-service/routes \
  --data 'hosts[]=novatest.com'

Configure Nova plugin for novatest-service

Important: set the config.novaService URL to point to a Nova Kong WAF!

curl -i -XPOST \
    --url http://localhost:8001/services/novatest-service/plugins/ \
    --data 'name=nova&config.novaService=http://YOUR_NOVA_WAF_IP'

Test a legitimate request

curl -i -X GET \
  --url http://localhost:8000/ \
  --header 'Host: novatest.com'

Test a blocked request

curl -i -X GET \
  --url "http://localhost:8000/?test=/etc/passwd" \
  --header 'Host: novatest.com'

If everything is working you will see:

$ curl -i -X GET \
  --url "http://localhost:8000/?test=/etc/passwd" \
  --header 'Host: novatest.com'

HTTP/1.1 403 Forbidden
Date: Thu, 09 Jun 2022 08:20:53 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 70
x-nova-response: YES
X-Kong-Response-Latency: 80
Server: kong/2.8.1.1-enterprise-edition

{
  "message":"Your request has been blocked by the Snapt Nova WAF."
}
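The two test requests above can be turned into a repeatable post-deployment check. The following is an added example, not code from the kong-plugin-nova repository: it counts a `curl -i` response as blocked by Nova only when the 403 status arrives together with the x-nova-response: YES header shown in the output above, so a 403 produced elsewhere is not mistaken for a WAF block. The names nova_verdict, probe and SAMPLE_BLOCKED are hypothetical, and the sample response is constructed from the output on this page.

```shell
#!/bin/sh
# Added example (not part of kong-plugin-nova). nova_verdict, probe and
# SAMPLE_BLOCKED are hypothetical names chosen for this illustration.

# Read a raw HTTP response (as printed by `curl -i`) on stdin and print:
#   blocked - 403 that carries the x-nova-response: YES header
#   passed  - 2xx/3xx, the request got through the gateway
#   unknown - anything else (a 403 without the Nova header, a 5xx, no output)
nova_verdict() {
  tr -d '\r' | awk '
    NR == 1 { status = $2 + 0; next }  # status line, e.g. "HTTP/1.1 403 Forbidden"
    /^$/    { exit }                   # blank line: headers are over, ignore the body
    {
      name = tolower($0); sub(/:.*/, "", name)
      value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
      sub(/[ \t]+$/, "", value)
      if (name == "x-nova-response" && toupper(value) == "YES") nova = 1
    }
    END {
      if (status == 403 && nova)              print "blocked"
      else if (status >= 200 && status < 400) print "passed"
      else                                    print "unknown"
    }'
}

# Send one request through the Kong proxy using the test route from this page.
# Needs a running gateway, so it is defined here but not called.
probe() {
  curl -s -i --max-time 10 --url "$1" --header 'Host: novatest.com' | nova_verdict
}
# Example: [ "$(probe 'http://localhost:8000/?test=/etc/passwd')" = blocked ]

# Constructed sample, shortened from the blocked response shown on this page.
SAMPLE_BLOCKED='HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
x-nova-response: YES
Server: kong/2.8.1.1-enterprise-edition

{"message":"Your request has been blocked by the Snapt Nova WAF."}'

printf '%s\n' "$SAMPLE_BLOCKED" | nova_verdict
```

Run after each change to the plugin or ADC configuration, a verdict of passed or unknown for the /etc/passwd probe means the request was not stopped by Nova and the novaService setting should be checked.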

Using the Nova Plugin

You can now configure the "nova" plugin on any service as shown above. Remember that you must set the novaService config option to point to a Nova Kong ADC deployment on a Nova node.

Nova UI Example

You should now be able to see your test blocks in your Nova ADC Security tab.