If the Noma plugin isn’t behaving as expected, use the following sections to identify and resolve common issues.
In the logs, look for the [noma-runtime-protection] prefix to identify specific Lua errors or HTTP handshake failures.
Symptoms: You see the Noma plugin in Konnect, but requests fail with a 500 Internal Server Error, or the data plane logs show plugin 'noma-runtime-protection' not found.
Possible solutions:
- Hybrid sync check: Ensure the .rock file was installed on every data plane node. If you have a cluster of 5 nodes, all 5 must have the plugin code.
- Environment variable check: If you are using Docker or Kubernetes, ensure the KONG_PLUGINS environment variable includes noma-runtime-protection. For example:
    KONG_PLUGINS=bundled,noma-runtime-protection
- Lua Path: Verify the plugin is in Kong Gateway’s search path by running:
    luarocks list | grep noma
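A per-node check covering the environment variable and Lua path steps above, as an added example rather than Noma's or Kong's own tooling; the function names and the --run switch are made up for illustration. It matches the plugin name as an exact list entry, so a typo or a partial name fails the check instead of passing a loose grep.

```shell
#!/bin/sh
# Added example: local checks for the "plugin not found" symptoms.
PLUGIN=noma-runtime-protection

# Return 0 only if the comma-separated list in $1 contains the plugin
# name as an exact entry; substrings and misspellings must not pass.
plugins_list_has_noma() {
    old_ifs=$IFS; IFS=,
    for entry in $1; do
        # Trim whitespace around each entry before comparing.
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$entry" = "$PLUGIN" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Return 0 if `luarocks list` output read from stdin mentions noma,
# the same test as `luarocks list | grep noma`.
rock_listed() {
    grep -q noma
}

# Run both checks on this node; print one line per check and
# return the number of failed checks.
check_node() {
    failures=0
    if plugins_list_has_noma "${KONG_PLUGINS:-}"; then
        echo "OK   KONG_PLUGINS includes $PLUGIN"
    else
        echo "FAIL KONG_PLUGINS='${KONG_PLUGINS:-}' does not include $PLUGIN"
        failures=$((failures + 1))
    fi
    if command -v luarocks >/dev/null 2>&1 && luarocks list 2>/dev/null | rock_listed; then
        echo "OK   luarocks lists a noma rock"
    else
        echo "FAIL luarocks does not list a noma rock on this node"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Nothing runs unless asked, e.g.: sh check_noma.sh --run
if [ "${1:-}" = "--run" ]; then check_node; fi
```

Run it inside each data plane container or host, since the environment variable and the installed rocks are per node.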
Symptoms: Requests are delayed, or Noma’s console isn’t showing any new inferences.
Possible solutions:
- Egress rules: Ensure your Kong Gateway nodes have outbound HTTPS access (port 443) to api.noma.security.
- Credential validation: Double-check your client ID and client secret. If these are incorrect, the plugin will fail to authenticate with the Noma API.
- Timeout settings: If you are using blocking mode (synchronous), ensure your proxy_timeout settings in kong.conf aren’t too aggressive, as the plugin must wait for a verdict from Noma.
Symptoms: Traffic is appearing in the Noma Console, but it’s all grouped under a generic name.
Possible solutions:
- Consumer identification: By default, Noma uses the Kong Gateway application ID. If you haven’t assigned a Consumer to the request (for example, you applied the plugin globally without auth), you’ll get a generic 'kong' application ID.
- Explicit ID: If you want specific grouping, manually enter a unique string in the Application ID field within the Noma plugin configuration in Kong Gateway.
Symptoms: Malicious prompts are being flagged in the Noma Console but are not being blocked at the Gateway.
Possible solutions:
- Mode check: Verify that config.monitor_mode is off (false).
  - Monitor mode ON: asynchronous (log only).
  - Monitor mode OFF: synchronous (enforce/block).