Breaking Down Kong API Gateway Plugins

We are spending more time thinking about the Kong API management gateway, and the plugin infrastructure that exists within the open source/enterprise solution. We are interested in the type of API plugins that are available, but also the infrastructure that supports the plugin layer of the solution. We are exploring the different approaches from each of the API management providers, and want to understand the opportunity for to offer its services here, but also consider delivering APIs that we are profiling as part of our API Gallery work.

To begin, we wanted to look at what types of plugins were already available in the Kong directory. We found 313 plugins broken down into 4 categories:


Basic Authentication – Add basic Authentication to your APIs
Key Authentication – Add a key authentication to your APIs
OpenID Connect 1.0 RP – Integrate Kong with a third-party OpenID Connect 1.0 Provider
OAuth 2.0 Authentication – Add an OAuth 2.0 authentication to your APIs
OAuth 2.0 Introspection – Integrate Kong with a third-party OAuth 2.0 Authorization Server
HMAC Authentication – Add HMAC Authentication to your APIs
JWT – Verify and authenticate JSON Web Tokens
LDAP Authentication – Integrate Kong with a LDAP server

Security – Protect your services with additional security layers:

ACL – Control which consumers can access APIs
CORS – Allow developers to make requests from the browser
Dynamic SSL – Add an SSL certificate for an underlying service
IP Restriction – Whitelist or blacklist IPs that can make requests
Bot Detection – Detect and block bots or custom clients

Traffic Control

Canary Release – Slowly roll out software changes to a subset of users
Forward Proxy – Allows Kong to connect to intermediary transparent HTTP proxies
Proxy Caching – Cache and serve commonly requested responses in Kong
Request Size Limiting – Block requests with bodies greater than a specific size
Rate Limiting – Upgrades Kong Community Edition rate limiting with more flexibility and higher performance
Rate Limiting – Rate-limit how many HTTP requests a developer can make
Response Rate Limiting – Rate-Limiting based on a custom response header value
Request Termination – Terminates all requests with a specific response


Request Transformer – Modify the request before hitting the upstream server
Request Transformer – Use powerful regular expressions, variables, and templates to transform API requests
Response Transformer – Modify the upstream response before returning it to the client
Correlation ID – Correlate requests and responses using a unique ID


TCP – Send request and response logs to a TCP server
UDP – Send request and response logs to a UDP server
HTTP – Send request and response logs to an HTTP server
File – Append request and response data to a log file on disk
StatsD – Send request and response logs to StatsD
Syslog – Send request and response logs to Syslog
Loggly – Send request and response logs to Loggly

This provides a pretty interesting stack of plugins that can be implemented at the API management layer, demonstrating what users have been asking for, and what plugins were prioritized by the platform and the 3rd party developers delivering plugins at this layer. Additionally, we spent some time looking at the suggested plugins on the Kong forum, learning about what has been asked for, but not developed and published as part of the Kong plugin directory. This shows what types of open source and enterprise grade plugins the community is interested in.

After looking at the existing plugins, and learning about the suggested plugins from the community, we wanted to learn more about how Kong plugins can be developed, building on what we've learned from doing our earlier Kong Hello World plugin, and taking a fresh look at what is possible. The Kong plugin environment is a Lua Nginx environment, allowing developers to create Lua modules that deliver the expected plugin functionality and inject different features at the API management layer. The Lua Nginx environment allows plugins to interact with Nginx, which is the Kong engine: retrieving the request or response, accessing Nginx's shared memory zone, and interacting with the data store holding the Kong environment.
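To make the request, response and shared memory hooks described above concrete, here is an added example (not code from the original post or from Kong): a `handler.lua` for a hypothetical plugin called `hello-throttle` that counts requests per client IP in a shared memory zone and rejects clients over a limit. It assumes a Kong release that ships the Plugin Development Kit (the `kong.*` functions), a zone declared in the Nginx configuration as `lua_shared_dict hello_throttle 1m;`, and `limit` and `window` fields defined in the plugin's own `schema.lua`, which is not shown.

```lua
-- handler.lua for the hypothetical "hello-throttle" plugin (added example).
-- Assumptions: the shared dict name "hello_throttle", the X-Hello-Remaining
-- header, and the conf.limit / conf.window fields are all illustrative.

local HelloThrottle = {
  PRIORITY = 900,      -- plugins with a higher priority run earlier
  VERSION  = "0.1.0",
}

-- access phase: runs for every request before it is proxied upstream.
function HelloThrottle:access(conf)
  local counters = ngx.shared.hello_throttle
  if not counters then
    -- Failing open keeps the API reachable if the zone is missing;
    -- return kong.response.exit(500) here instead to fail closed.
    kong.log.err("shared dict 'hello_throttle' is not declared")
    return
  end

  -- The forwarded IP is only meaningful when Kong's trusted_ips setting
  -- lists the proxies allowed to set X-Forwarded-For.
  local ip = kong.client.get_forwarded_ip()

  -- Atomic increment; the key is created at 0 with a TTL of conf.window
  -- seconds, which gives a fixed counting window per client.
  local count, err = counters:incr(ip, 1, 0, conf.window)
  if not count then
    kong.log.err("counter update failed: ", err)
    return
  end

  -- kong.ctx.plugin carries per-request state between phases.
  kong.ctx.plugin.remaining = math.max(conf.limit - count, 0)

  if count > conf.limit then
    return kong.response.exit(429, { message = "rate limit exceeded" })
  end
end

-- header_filter phase: runs once response headers are available.
function HelloThrottle:header_filter(conf)
  local remaining = kong.ctx.plugin.remaining
  if remaining then
    kong.response.set_header("X-Hello-Remaining", remaining)
  end
end

return HelloThrottle
```

The counter lives in one node's shared memory, so in a multi-node cluster each node enforces the limit separately; a cluster-wide limit would need the data store instead.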

As we were researching the subject, we found a couple of interesting stories, including our own previous post on creating a hello world plugin:

10 Tips for Developing Your First Kong Plugin
Developing A Hello World Kong Plugin
Configuring Kong Plugins

We are working our way through each of the leading API management platforms out there, understanding the different approaches to allowing providers and developers to extend the platform, allowing for customized functionality at the API management layer. This opens up a world of possibility at the intersection of API deployment and integration, making Kong and other platforms much more powerful than they can ever achieve on their own. We also see this as an opportunity for API service providers like us to help deliver more value to API providers and consumers within the existing platforms they depend on.
