
Kong - verify upstream ssl (ssl_proxy on)


I have successfully installed Kong gateway for an API which load balances via an upstream to multiple targets (application servers).

Now, I have a self-signed certificate for my application servers, so the SSL handshake should fail between Kong and the targets. I deduced that Kong does not verify the upstream certificate.

After some research, I found the ssl_proxy on; configuration for nginx, which would do it right.

I would like to find an equivalent of that in OpenResty in order to verify the upstreams' SSL certificate.

The solution could be to modify the Kong nginx configuration to activate ssl_proxy, but that is crappy with different targets on the same instance.


Solution

  • I would have expected you to do it the other way around: Let your backend service verify that Kong has a specific SSL certificate when it contacts your services, so that in effect only Kong can connect to the services, and in consequence, any API clients must go via Kong to connect.

    We did that for wicked.haufe.io, with Kong 0.11.0, and you can find a suitable nginx_conf.lua file here: https://github.com/apim-haufe-io/wicked.kong/blob/master/templates/nginx_kong.lua

    The interesting bit here is:

    proxy_ssl_certificate /root/proxy-cert.pem;
    proxy_ssl_certificate_key /root/proxy-key.pem;

    This specifies the certificate and key that nginx uses when proxying calls to backend services. This is heeded by Kong.

    By checking what we did for the Kong docker image for wicked.haufe.io, you should be able to adapt it to your own needs; the other interesting bit is startup.sh, where the certificate/key are extracted from environment variables and written to the /root/proxy-...pem files.
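Both directions discussed on this page, Kong presenting a client certificate to the backend (the answer) and Kong verifying the backend's certificate (the question, where the nginx directive is actually proxy_ssl_verify rather than ssl_proxy), as one nginx/OpenResty fragment. This is an added example, not code from the question, the answer or the wicked.kong template; the upstream name, the hostname and all file paths are placeholders.

```nginx
# Added example: placeholder paths and names, not taken from the page or from
# wicked.kong. In Kong this would sit in the proxy location of a custom nginx
# template, next to the existing proxy_pass.
location / {
    proxy_pass https://kong_upstream;   # placeholder upstream name

    # Direction 1 (the answer): Kong presents a client certificate, so the
    # backend can require it and accept connections from Kong only.
    proxy_ssl_certificate     /root/proxy-cert.pem;
    proxy_ssl_certificate_key /root/proxy-key.pem;

    # Direction 2 (the question): Kong verifies the backend's certificate.
    # The nginx default is "off", so a self-signed or mismatched target
    # certificate is accepted silently unless this is enabled.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    # For self-signed targets this file contains the targets' own
    # certificates (or the private CA that issued them).
    proxy_ssl_trusted_certificate /root/upstream-ca.pem;

    # Name checking: nginx compares this name with the certificate's SAN/CN.
    # Targets addressed by IP would otherwise be checked against the IP, so
    # send and verify a fixed name that appears in every target's certificate.
    proxy_ssl_server_name on;
    proxy_ssl_name        backend.internal.example;   # placeholder name
}
```

With several targets on one instance, the check only works if all of them present certificates issued by the same trusted file and matching the same proxy_ssl_name, which is the limitation the question hints at.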