Introduction

The Airlock WAF REST API supports manipulation of virtual hosts, mappings, back-end groups and certificates. Before using the Airlock WAF REST API for the first time, an API key must be generated in the Configuration Center or using the airlock-user-manager-tool. API keys for a read-only user must be generated with the tool.

Typical Call Sequence

The call sequence of a typical REST API interaction is as follows:

  1. Creating an Airlock REST Session

    The first call must create a REST session. In this call, the generated API key must be sent as an Authorization: Bearer header. The session is identified by the JSESSIONID cookie provided in the response. This cookie must be appended to all subsequent calls of the same session.

  2. Loading a Configuration

    Handling of configurations is similar to the Configuration Center UI. A configuration must first be loaded, then edited and finally activated or saved. After activation/saving, a new configuration entry is available. Before activating/saving, the edited configuration is only available in the current session context and is not persisted. Note that the currently active configuration is not automatically loaded; to load it, call Load the Active Configuration. For an overview of the available configuration actions, have a look at section Configurations.

  3. Manipulating Objects

    Once a configuration is loaded, the actual manipulation of objects may start. Arbitrary calls on virtual hosts, mappings, back-end groups or certificate resources may be sent. Each call updates the state of the configuration and subsequent calls operate on the most current state of the configuration.

    To access specific resources directly, e.g. to load a mapping by its name, use the filter parameter. Supported parameters vary depending on the accessed objects. Please refer to the corresponding call for accessing all objects, e.g. Access all Mappings, for details on the supported filter parameters.

  4. Validating Changes

    When configuration manipulation is finished, validation messages can be retrieved. Messages with severity ERROR prevent activation of the configuration.

  5. Activating or Saving the Configuration

    Finally, the modified configuration can be saved or activated.

  6. Terminating the REST Session

    After the session is finished, the session must be terminated.

Best Practices for Configuration Staging

When a service configuration is staged from development through testing into production, several processes are involved. Regarding the Airlock WAF configuration, an approach based on common configuration templates is most suitable:

Configuration Templating

While the REST API supports export and import of entire mappings (e.g. Import Mappings (New or Replace)), the JSON objects received from GET calls (e.g. virtual hosts or back-end groups) may serve as templates as well and be used in UPDATE/PATCH calls. Integration aspects of a service should be covered by these environment-agnostic template objects. For instance, the choices of adequate security levels for deny rules and possible exceptions should be made during initial (and continuous) service integration. This integration process is best supported by features of the graphical user interface, such as the policy learning dashboard.

Service Deployment

When a service is deployed, configuration templates must be enriched with environment-specific attributes (e.g., IP addresses, hostnames, certificates, paths, etc.). This process is typically fully automated and supported by the Airlock WAF REST API. Parameterization of template objects could be done by replacing placeholders in template JSON objects before calling the corresponding UPDATE or PATCH action. For mappings, which contain by far the most configuration attributes, we have added sophisticated staging features to the REST API: source mappings and locked attributes. That is, a common source mapping may serve as the integration template for all environments and be synchronized using import/export calls. The environment-specific parameters may be mixed in by deriving from the template mapping and overriding specific attributes. Note that Airlock system templates (e.g., the Exchange mapping templates) may also be used as source mappings.

Have a look at these calls for more information:

Reference Handling

Airlock WAF’s configuration objects hold many references to each other, e.g., mappings are linked to virtual hosts and back-end groups and certificates are linked to virtual hosts. These references are managed by separate relationship REST endpoints (see e.g. Add Virtual Host Connections).

JSON:API Format

Where applicable, the Airlock WAF REST API follows the JSON:API specification. In a nutshell, it specifies a schema for the request and response JSON objects. Top-level JSON:API documents contain at least one resource object, a collection of resource objects or a certain amount of error objects. In addition, a metadata object may be provided. Every resource object has a symbolic type and an id. Attributes are located in an attribute object.

HTTP Verbs

Verb | Usage
GET | Used to retrieve a resource.
POST | Used to create a new resource.
PATCH | Used to update an existing resource, including partial updates.
DELETE | Used to delete an existing resource.

Using PATCH

When using PATCH to update an existing resource, the following attributes must be provided:

  • data[].type

  • data[].id

  • At least one element in the data[].attributes object

The data[].id attribute and the resource identifier path segment MUST be equal.

For lists and arrays within the data[].attributes object, the complete list/array must be provided.

For instance, this is how to PATCH the maintenance page flag on mapping 42:

PATCH https://${AIRLOCK}/airlock/rest/configuration/mappings/42 HTTP/1.1
Content-Type: application/json
Cookie: JSESSIONID=1810C58523C084F6ED5C237C09B70CB7
Accept: application/json
Host: $AIRLOCK

{
	"data": {
		"type": "mapping",
		"id": 42,
		"attributes": {
			"enableMaintenancePage": true
		}
	}
}

Note: The placeholder "${AIRLOCK}" in the example above must be replaced with the hostname of the targeted Airlock WAF.
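
One way to combine the placeholder parameterization from Service Deployment with the PATCH rules above, as an added example (not Airlock's own code). It goes slightly beyond the text by substituting on the parsed JSON instead of the template text, so values keep their JSON type and a quote inside a value cannot break the document. The ${NAME} placeholder syntax, the sample values, the numeric-ID check and the virtual-host PATCH path (modelled on the mappings path above) are assumptions.

```python
import json
import re

# Assumed placeholder convention for this example: a JSON string value that is
# exactly "${NAME}". The page does not prescribe a placeholder syntax.
PLACEHOLDER = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")

# Constructed template: attributes as returned by a GET on a virtual host, with
# the environment-specific values replaced by placeholders.
TEMPLATE_TEXT = """
{
  "hostName": "${HOST_NAME}",
  "aliasNames": "${ALIAS_NAMES}",
  "serverAdmin": "${SERVER_ADMIN}",
  "keepAliveTimeout": 100,
  "strictlyMatchFullyQualifiedDomainName": true
}
"""

# Constructed values for one environment. The quotes in SERVER_ADMIN are the
# kind of character that breaks text-level substitution.
PRODUCTION = {
    "HOST_NAME": "shop.example.com",
    "ALIAS_NAMES": ["www.shop.example.com", "shop.example.org"],
    "SERVER_ADMIN": '"WAF Operations" <waf-ops@example.com>',
}


def naive_render(template_text, env):
    """Text-level substitution, shown for contrast: values are not JSON-escaped."""
    return PLACEHOLDER.sub(lambda m: str(env[m.group(1)]), template_text)


def render(node, env):
    """Return a copy of a parsed template with placeholders filled from env."""
    if isinstance(node, dict):
        return {key: render(value, env) for key, value in node.items()}
    if isinstance(node, list):
        return [render(value, env) for value in node]
    if not isinstance(node, str):
        return node
    whole = PLACEHOLDER.fullmatch(node)
    if whole:
        name = whole.group(1)
        if name not in env:
            raise KeyError(f"no value supplied for placeholder {name}")
        return env[name]  # keeps the JSON type of the value (list, number, bool)
    if PLACEHOLDER.search(node):
        raise ValueError(f"placeholder embedded in a longer string: {node!r}")
    return node


def build_patch(collection, resource_type, resource_id, attributes):
    """Build (path, body) for a PATCH that follows the rules listed above."""
    if not attributes:
        raise ValueError("at least one attribute is required")
    resource_id = str(resource_id)
    # Assumption: IDs are numeric, as in every example on this page. The check
    # also keeps path separators out of the URL.
    if not re.fullmatch(r"[0-9]+", resource_id):
        raise ValueError(f"unexpected resource id {resource_id!r}")
    path = f"/airlock/rest/configuration/{collection}/{resource_id}"
    # data.id is taken from the same variable as the path segment, so the two
    # are always equal. Lists such as aliasNames are sent complete.
    body = {"data": {"type": resource_type, "id": resource_id,
                     "attributes": attributes}}
    return path, json.dumps(body)


if __name__ == "__main__":
    attributes = render(json.loads(TEMPLATE_TEXT), PRODUCTION)
    path, body = build_patch("virtual-hosts", "virtual-host", 1, attributes)
    print("PATCH", path)
    print(body)
    try:
        json.loads(naive_render(TEMPLATE_TEXT, PRODUCTION))
    except json.JSONDecodeError as error:
        print("text substitution produced invalid JSON:", error)
```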

HTTP Status Codes

Status code | Usage
200 OK | The request completed successfully. This status code is returned e.g. by a successful GET request.
201 Created | A new resource has been successfully created with a POST request.
204 No Content | The request completed successfully. This status code is returned e.g. by a successful DELETE or PATCH request.
400 Bad Request | The request was malformed.
401 Unauthorized | Invalid or missing authentication.
403 Forbidden | Insufficient credentials or call is not allowed.
404 Not Found | The requested resource or entity did not exist.
415 Unsupported Media Type | The REST endpoint doesn’t support the payload format.
500 Internal Server Error | The service call did not succeed.

Note: The JSON:API specification describes the possible HTTP status codes for the various HTTP verbs. Generally HTTP status codes 2xx (like 200, 204, …) indicate that the requested operation was successful.

Date Format

Timestamps retrieved via REST API conform to the format (ISO-8601):

yyyy-MM-dd'T'HH:mm:ss.SSSXXX

An example of such a timestamp is:

2011-12-03T10:15:30.000+01:00

Search and Filtering

Some endpoints allow a filter to be applied. The query parameter that carries a search filter is called filter. A single filter has the structure:

property operator value

where

  • property is the field in the JSON structure to which the filter refers

  • operator defines what kind of search is performed. It can either be an exact search == or a substring search =@

  • value is the value that is being searched for (case sensitive!)

For better readability, none of the following examples use URL encoding.

Note: The placeholder "${AIRLOCK}" in the following examples must be replaced with the hostname of the targeted Airlock WAF.

An example for an exact search on a back-end group’s name is:

GET https://${AIRLOCK}/airlock/rest/configuration/back-end-groups?filter=name==mySearchTerm

An example for a substring search is:

GET https://${AIRLOCK}/airlock/rest/configuration/back-end-groups?filter=name=@mySearchTerm

Filters can be combined using AND logic by providing multiple filter parameters. For example, to search for all validator messages of type WARNING for all back-end groups, the query is:

GET https://${AIRLOCK}/airlock/rest/configuration/validator-messages?filter=severity==warning&filter=type==back-end-group

Filters can also be combined using OR logic by using commas inside a filter expression. For example, to search for all virtual hosts with either name equal to 'mySearchTerm' or HTTP port equal to 88, the query is:

GET https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts?filter=name==mySearchTerm,networkInterface.http.port==88
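
The filter grammar above as an added example (not part of the Airlock documentation): filter_query builds the URL-encoded query string, and select re-applies the same filter to returned resources, which is a useful check before a script acts on the first element of a result. Comparing numbers and booleans as text and rejecting commas inside values are assumptions of this example; the sample resources are constructed.

```python
from urllib.parse import urlencode

OPERATORS = ("==", "=@")  # exact search and substring search


def parse_term(term):
    """Split 'property==value' or 'property=@value' into its three parts."""
    index = term.find("=")
    operator = term[index:index + 2] if index > 0 else ""
    if operator not in OPERATORS:
        raise ValueError(f"expected == or =@ in filter term {term!r}")
    value = term[index + 2:]
    # Assumption: the page defines no escaping for commas, so a value that
    # contains one would be read as a second OR term. Reject it.
    if not value or "," in value:
        raise ValueError(f"empty value or comma in filter term {term!r}")
    return term[:index], operator, value


def filter_query(*groups):
    """Build the query string: terms inside a group are OR-ed with commas,
    groups are AND-ed by repeating the filter parameter."""
    pairs = []
    for group in groups:
        for term in group:
            parse_term(term)  # validate before anything is sent
        pairs.append(("filter", ",".join(group)))
    return urlencode(pairs)


def lookup(attributes, dotted):
    """Follow a dotted property such as networkInterface.http.port."""
    node = attributes
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def as_text(value):
    """Render a JSON scalar the way it appears in a filter value."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def matches(attributes, *groups):
    """Apply the filter semantics described above to one attributes object."""
    def term_matches(term):
        prop, operator, wanted = parse_term(term)
        actual = lookup(attributes, prop)
        if actual is None:
            return False
        actual = as_text(actual)  # comparison is case sensitive
        return actual == wanted if operator == "==" else wanted in actual
    return all(any(term_matches(term) for term in group) for group in groups)


def select(resources, *groups):
    """Return the IDs of the resources that satisfy every filter group."""
    return [r["id"] for r in resources if matches(r["attributes"], *groups)]


# Constructed sample: three virtual hosts reduced to the filterable fields.
VIRTUAL_HOSTS = [
    {"type": "virtual-host", "id": "1", "attributes": {
        "name": "mySearchTerm",
        "networkInterface": {"http": {"enabled": True, "port": 80}}}},
    {"type": "virtual-host", "id": "2", "attributes": {
        "name": "intranet",
        "networkInterface": {"http": {"enabled": True, "port": 88}}}},
    {"type": "virtual-host", "id": "3", "attributes": {
        "name": "MySearchTerm-test",
        "networkInterface": {"http": {"enabled": False, "port": 8080}}}},
]

if __name__ == "__main__":
    either = ["name==mySearchTerm", "networkInterface.http.port==88"]
    print(filter_query(either))
    print(select(VIRTUAL_HOSTS, either))
```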

Response Format

Responses in the Airlock WAF REST API follow the JSON:API specification. JSON:API distinguishes between regular and error responses, where errors have an HTTP status code in the range 4XX or 5XX. Error responses are generic and described below.

Error Response

Error responses are sent to the client if either the user provides wrong input or server-side errors occur. They have HTTP status codes in the range 4XX (client errors) or 5XX (server errors).

Example

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2018-04-23T10:36:12.193+02:00"
    },
    "errors": [
        {
            "code": "ENTITY_NOT_FOUND"
        }
    ]
}

404 (NOT FOUND) response

A call will be answered with a 404 - NOT FOUND response if the requested resource cannot be found. This might be the case if

  • the requested URL contains a typo

  • the requested URL contains an identifier but no entity with this identifier exists in the context of the current request. In cases where the entity could not be found, the error code ENTITY_NOT_FOUND is set in the response.

415 (UNSUPPORTED MEDIA TYPE) response

The HTTP status code 415 - UNSUPPORTED MEDIA TYPE indicates that the server refuses to accept the request because the payload is in an unsupported format. The format problem might be due to the request’s indicated Content-Type or Content-Encoding, or as a result of inspecting the data directly. Where applicable, the endpoint declares the accepted Content-Type, which is typically application/json.

Error Codes

Error objects can contain an optional code that gives more detail about the error situation. Currently, the following generic error codes can occur:

  • CONFIGURATION_LOAD_REQUIRED: the operation requires a configuration to be loaded.

  • ENTITY_NOT_FOUND: the specified resource could not be found.

  • INVALID_REQUEST_FORMAT: the request format is syntactically invalid (parse error).

  • INVALID_VALUE: the request contains invalid values. For more information see logs.

Examples

The following examples illustrate the typical call sequence for enabling the maintenance page on a given mapping. One example uses Python, one bash.

Python Example

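#!/usr/bin/env python3
"""Enable the maintenance page on the mapping named 'auth' and activate the change."""

import requests
import urllib3
from urllib.parse import urlencode
from json import dumps

TOKEN = 'Bearer ...'
AIRLOCK_HOSTNAME = '...'
BASE_URL = f"https://{AIRLOCK_HOSTNAME}/airlock/rest"
HEADERS = {
    'Authorization': TOKEN,
    'Accept': 'application/json',
    'Content-Type': 'application/json'
}
# Certificate validation is switched off below, so the API key is sent without
# authenticating the server. Set session.verify to the path of a CA bundle to
# validate the certificate of the management interface instead.
urllib3.disable_warnings()
session = requests.session()
session.verify = False
session.headers.update(HEADERS)


def build_url(*res, **params):
    """Join path segments onto BASE_URL and append URL-encoded query parameters."""
    u = BASE_URL
    for r in res:
        u = '{}/{}'.format(u, r)
    if params:
        u = '{}?{}'.format(u, urlencode(params))
    return u


try:
    # 1. Create the REST session; the JSESSIONID cookie is kept by `session`.
    url = build_url('session/create')
    response = session.post(url)
    response.raise_for_status()

    # 2. Load the active configuration into the session.
    url = build_url('configuration/configurations/load-active')
    response = session.post(url)
    response.raise_for_status()

    # 3. Look up the mapping by name (exact, case-sensitive match).
    url = build_url('configuration/mappings', filter='name==auth')
    response = session.get(url)
    response.raise_for_status()
    mappings = response.json()['data']
    if len(mappings) != 1:
        raise RuntimeError("Could not find mapping 'auth'")
    mapping_id = mappings[0]['id']

    # 4. PATCH the mapping; data.id must equal the ID in the path.
    data = {
        'data': {
            'type': 'mapping',
            'id': mapping_id,
            'attributes': {
                'enableMaintenancePage': True,
            }
        }
    }
    url = build_url('configuration/mappings', mapping_id)
    response = session.patch(url, data=dumps(data))
    response.raise_for_status()

    # 5. Messages with severity ERROR prevent activation.
    url = build_url('configuration/validator-messages', filter='meta.severity==error')
    response = session.get(url)
    response.raise_for_status()
    error_count = len(response.json()['data'])
    if error_count != 0:
        raise RuntimeError('Configuration is invalid')

    # 6. Activate the modified configuration.
    data = {'comment': 'Enable maintenance page for mapping auth'}
    url = build_url('configuration/configurations/activate')
    response = session.post(url, data=dumps(data))
    response.raise_for_status()
    print('Maintenance page set successfully')
finally:
    # 7. Always terminate the session, also after a failure.
    url = build_url('session/terminate')
    response = session.post(url)
    response.raise_for_status()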

Bash Example

#!/bin/bash
#
# Enables the maintenance page on the mapping named in MAPPING_NAME and activates the change.
TOKEN="Bearer ..."
AIRLOCK_HOSTNAME="..."
BASE_URL="https://${AIRLOCK_HOSTNAME}/airlock/rest"
COOKIE=$(mktemp)
# The options are kept in an array so that 'Accept: application/json' stays one argument.
# --insecure switches off certificate validation; use --cacert with the CA of the
# management interface to validate the server before the API key is sent.
CURL=(curl --insecure --silent --header 'Accept: application/json' --cookie-jar "${COOKIE}" --cookie "${COOKIE}")
MAPPING_NAME='auth'

function assertHttpStatusCode2xx() {
	httpStatusCode=$1
	# anchored, so that only exactly 200, 201 or 204 is accepted
	if [[ ! ${httpStatusCode} =~ ^20[014]$ ]]; then
		echo >&2 "Expected HTTP status codes: 200/201/204. Actual status code: ${httpStatusCode}"
		exit 1
	fi
}

trap 'rm -f -- "${COOKIE}"' INT TERM HUP EXIT

# create session
HTTP_STATUS_CODE=$("${CURL[@]}" "${BASE_URL}/session/create" \
	--request POST \
	--header "Authorization: ${TOKEN}" \
	--write-out "%{http_code}" \
	--output /dev/null)
assertHttpStatusCode2xx "${HTTP_STATUS_CODE}"

# load the active configuration
HTTP_STATUS_CODE=$("${CURL[@]}" "${BASE_URL}/configuration/configurations/load-active" \
	--request POST \
	--write-out "%{http_code}" \
	--output /dev/null)
assertHttpStatusCode2xx "${HTTP_STATUS_CODE}"

# search mapping with name 'auth'
MAPPING_AUTH_COUNT=$("${CURL[@]}" "${BASE_URL}/configuration/mappings?filter=name%3D%3D${MAPPING_NAME}" | jq ".data | length")
if [[ ${MAPPING_AUTH_COUNT} -ne 1 ]]; then
  echo >&2 "Could not find mapping '${MAPPING_NAME}'"
  exit 1
fi
MAPPING_ID=$("${CURL[@]}" "${BASE_URL}/configuration/mappings?filter=name%3D%3D${MAPPING_NAME}" | jq -r '.data[].id')

# enable maintenance page (data.id must be provided and equal the ID in the path)
HTTP_STATUS_CODE=$("${CURL[@]}" "${BASE_URL}/configuration/mappings/${MAPPING_ID}" \
	--request PATCH \
	--write-out "%{http_code}" \
	--output /dev/null \
	--header 'Content-Type: application/json' \
	--data "{ \"data\" : { \"type\" : \"mapping\", \"id\" : \"${MAPPING_ID}\", \"attributes\" : { \"enableMaintenancePage\" : true }}}")
assertHttpStatusCode2xx "${HTTP_STATUS_CODE}"

# verify configuration
ERROR_COUNT=$("${CURL[@]}" "${BASE_URL}/configuration/validator-messages?filter=meta.severity%3D%3Derror" | jq ".data | length")
if [[ ${ERROR_COUNT} -ne 0 ]]; then
  echo >&2 "Configuration is invalid"
  exit 1
fi

# activate configuration
HTTP_STATUS_CODE=$("${CURL[@]}" "${BASE_URL}/configuration/configurations/activate" \
	--request POST \
	--write-out "%{http_code}" \
	--output /dev/null \
	--header 'Content-Type: application/json' \
	--data '{ "comment" : "Enable maintenance page for mapping auth" }')
assertHttpStatusCode2xx "${HTTP_STATUS_CODE}"

# terminate session
HTTP_STATUS_CODE=$("${CURL[@]}" "${BASE_URL}/session/terminate" \
	--request POST \
	--write-out "%{http_code}" \
	--output /dev/null)
assertHttpStatusCode2xx "${HTTP_STATUS_CODE}"

echo "Maintenance page set successfully"

Authentication

Overview

The first REST call to create a session must be authenticated with an "Authorization: Bearer" header and a valid JWT token. The issued tokens have a validity period of 2 years. Existing tokens can be revoked or deleted at any time. If a token is invalid or expired the REST call will return the HTTP status code '403'.

Create a Token

In the Airlock Configuration Center - 'System Admin', any user with the role 'airlock-administrator' can generate or renew the token. Regeneration of a token renders any older token invalid.

Usage

Once the token is issued it can be used in scripts to authenticate the REST call. To authenticate and create a session the resource /session/create must be called. All future calls must then use the issued JSESSIONID cookie.

Create a Session

POST /session/create

The call to /session/create does not implicitly load a configuration. Please refer to Load the Active Configuration or Load a Configuration for more information.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/session/create" -i -X POST \
    -H "Authorization: Bearer ${JWT_TOKEN}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 200 OK

Terminate a Session

POST /session/terminate

This terminates the session. Any unsaved or unactivated configuration changes will be lost.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/session/terminate" -i -X POST \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 200 OK

Configurations

Access all Configurations

GET /configuration/configurations

Accept application/json

Response structure

Path | Type | Description
meta.type | String | The JSON API meta type, which is: "jsonapi.metadata.document"
meta.timestamp | String | The current server time as a timestamp.
data[].type | String | The data type of the resource. Must be "configuration" for this call.
data[].id | String | The ID of the resource to be addressed.
data[].attributes.createdBy | String | The name of the user who created the configuration.
data[].attributes.createdAt | String | The time when the configuration was created.
data[].attributes.comment | String | A comment describing the changes made.
data[].attributes.configType | String | The configuration file’s type. Allowed values are: CURRENTLY_ACTIVE, ACTIVATED, SAVED, INITIAL

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/configurations" -i -X GET \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 622

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:25:58.397+02:00"
  },
  "data" : [ {
    "type" : "configuration",
    "id" : "87",
    "attributes" : {
      "createdBy" : "admin",
      "createdAt" : "2021-04-21T19:55:58.393+02:00",
      "comment" : "Added a new mapping",
      "configType" : "CURRENTLY_ACTIVE"
    }
  }, {
    "type" : "configuration",
    "id" : "39",
    "attributes" : {
      "createdBy" : "admin",
      "createdAt" : "2021-04-21T19:48:58.395+02:00",
      "comment" : "Saving config with new back-end group",
      "configType" : "SAVED"
    }
  } ]
}

Load a Configuration

POST /configuration/configurations/{id}/load

Request Structure

Parameter | Description | Required
id | The ID of the element to access. | yes

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/configurations/1/load" -i -X POST \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Load the Active Configuration

POST /configuration/configurations/load-active

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/configurations/load-active" -i -X POST \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Save a Configuration

POST /configuration/configurations/save

Content-Type application/json

Accept application/json

Saves a configuration.

Status Code | Description
200 | The configuration was successfully saved.
400 | No configuration was loaded before.

Request Structure

Path | Type | Required | Description
comment | String | no | An optional comment describing the change.

Response structure

Path | Type | Description
meta.type | String | The JSON API meta type, which is: "jsonapi.metadata.document"
meta.timestamp | String | The current server time as a timestamp.
data.type | String | The data type of the resource. Must be "configuration" for this call.
data.id | String | The ID of the resource to be addressed.
data.attributes.createdBy | String | The name of the user who created the configuration.
data.attributes.createdAt | String | The time when the configuration was created.
data.attributes.comment | String | A comment describing the changes made.
data.attributes.configType | String | The configuration file’s type. Allowed values are: CURRENTLY_ACTIVE, ACTIVATED, SAVED, INITIAL

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/configurations/save" -i -X POST \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '{
  "comment" : "describing the changes made"
}'

Example Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 363

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:25:58.451+02:00"
  },
  "data" : {
    "type" : "configuration",
    "id" : "1",
    "attributes" : {
      "createdBy" : "admin",
      "createdAt" : "2021-04-21T20:25:58.449+02:00",
      "comment" : "describing the changes made",
      "configType" : "SAVED"
    }
  }
}

Delete a Configuration

DELETE /configuration/configurations/{id}

Deletes a configuration. Note that deletion is not allowed for the currently active and the initial configuration and will be answered with a 403 status code.

Request Structure

Parameter | Description | Required
id | The ID of the element to access. | yes

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/configurations/1" -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 204 No Content

Activate a Configuration

POST /configuration/configurations/activate

Content-Type application/json

Performs an activation. Depending on the outcome of the activation, the server responds with different HTTP status codes:

Status Code | Description
200 | The activation was successful.
400 | The configuration has validation errors and thus cannot be activated or no configuration was loaded.
409 | The activation could not be completed due to a conflict with the current state of the configuration. Possible reasons are: concurrent activation from different sessions (see options.ignoreOutdatedConfiguration); merge conflicts (see options.autoMerge); activation of an imported configuration without specifying "options.ignoreOutdatedConfiguration": true
500 | The activation fails for some reason.

Request Structure

Path | Type | Required | Description
comment | String | no | An optional comment describing the change.
options.ignoreOutdatedConfiguration | Boolean | no | Specifies whether activation should ignore when another user changed the active configuration during your session. This flag is required for activation of imported configurations. If set to true the autoMerge flag will be ignored and any changes performed by the other user will be overwritten (default: false).
options.autoMerge | Boolean | no | Specifies whether the activation should try to merge concurrent activation attempts. The call fails in case of an unresolvable merge conflict. If set to false the activation will fail in case of concurrent modifications (default: true).
options.failoverActivation | Boolean | no | Specifies whether the activation should perform the changes also on the other host in a failover setup (default: true).

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/configurations/activate" -i -X POST \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '{
  "comment" : "Describing my changes for this activation",
  "options" : {
    "ignoreOutdatedConfiguration" : false,
    "autoMerge" : true,
    "failoverActivation" : true
  }
}'

Example Response

HTTP/1.1 200 OK

Export the Current Configuration

GET /configuration/configurations/export

Accept application/zip

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/configurations/export" -X GET \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/zip'

Example Response

HTTP/1.1 200 OK
Content-Type: application/zip
Content-Length: 1

DATA

Export a Configuration

GET /configuration/configurations/{id}/export

Accept application/zip

Request Structure

Parameter | Description | Required
id | The ID of the element to access. | yes

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/configurations/1/export" -X GET \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/zip'

Example Response

HTTP/1.1 200 OK
Content-Type: application/zip
Content-Length: 1

DATA

Import Configuration

PUT /configuration/configurations/import

Content-Type application/zip

Note that prior to the import, a configuration must first be loaded.
After the configuration import the option "options.ignoreOutdatedConfiguration" has to be set to true in the activation call.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/configurations/import" -i -X PUT \
    -H 'Content-Type: application/zip' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d "${DATA}"

Example Response

HTTP/1.1 200 OK

Virtual Host

Access all Virtual Hosts

GET /configuration/virtual-hosts

Accept application/json

Request Structure

Parameter | Description | Required
filter | Optionally allows to filter by: 'name', 'hostName', 'networkInterface.http.port', 'networkInterface.https.port', 'networkInterface.http.enabled' and 'networkInterface.https.enabled'. See Search and Filtering for more details about the syntax. | no

Response structure

Path | Type | Description
meta.type | String | The JSON API meta type, which is: "jsonapi.metadata.document"
meta.timestamp | String | The current server time as a timestamp.
data[].type | String | The data type of the resource. Must be "virtual-host" for this call.
data[].id | String | The ID of the resource to be addressed.
data[].attributes.name | String | The logical name of the virtual host.
data[].attributes.tenant | String | Tenant of the virtual host.
data[].attributes.hostName | String | The hostname of the virtual host.
data[].attributes.aliasNames | Array | Specifies additional server aliases for this virtual host.
data[].attributes.showMaintenancePage | Boolean | Specifies whether Airlock WAF should display a maintenance page instead of performing the request to the back-end server.
data[].attributes.strictlyMatchFullyQualifiedDomainName | Boolean | Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.
data[].attributes.keepAliveTimeout | Number | Specifies the HTTP keep-alive timeout in seconds for this virtual host. A value of 0 (zero) disables the HTTP keep-alive function.
data[].attributes.encodedSlashesAllowed | Boolean | Specifies whether encoded slashes (%2F) are allowed in URL path.
data[].attributes.downloadPdfsAsAttachmentsEnforced | Boolean | If this option is enabled, PDF documents (detected by their content-type application/pdf) are always downloaded as attachments (not as "inline" document within the browser).
data[].attributes.serverAdmin | String | The email address of the server administrator. It’s used as contact information for Let’s Encrypt functionality.
data[].attributes.defaultRedirect | String | Specifies the URL that a client is redirected to if he accesses the root directory of the entry server without a more qualified path.
data[].attributes.pathRedirects | Array | Dynamic URL redirects of the virtual host.
data[].attributes.pathRedirects[].from | Object | Pattern for paths which shall be redirected. If a matching redirect path is detected, the client will be redirected to the redirect destination.
data[].attributes.pathRedirects[].to | String | Destination to which the client shall be redirected.
data[].attributes.pathRedirects[].redirectStatusCode | String | Status code to use in the redirect response. Allowed values are: MOVED_PERMANENTLY, FOUND, SEE_OTHER, TEMPORARY_REDIRECT, PERMANENT_REDIRECT
data[].attributes.pathRedirects[].from.pattern | String | The actual pattern.
data[].attributes.pathRedirects[].from.caseIgnored | Boolean | Whether to ignore case.
data[].attributes.networkInterface.externalLogicalInterfaceName | String | Specifies the external network interface for this virtual host to receive requests.
data[].attributes.networkInterface.ipV4Address | String | The IPv4 address in CIDR format.
data[].attributes.networkInterface.ipV6Address | String | The IPv6 address in CIDR format.
data[].attributes.networkInterface.http.enabled | Boolean | Specifies whether HTTP connections are enabled for this host.
data[].attributes.networkInterface.http.port | Number | Specifies the port on which this host listens for HTTP connections.
data[].attributes.networkInterface.http.httpsRedirectEnforced | Boolean | Redirect all HTTP traffic to HTTPS on this virtual host.
data[].attributes.networkInterface.https.enabled | Boolean | Specifies whether HTTPS (SSL/TLS) connections are enabled for this host.
data[].attributes.networkInterface.https.port | Number | Specifies the port on which this host listens for HTTPS (SSL/TLS) connections.
data[].attributes.networkInterface.https.http2Allowed | Boolean | Specifies whether HTTP/2 connections are enabled for this host. HTTP/2 can only be enabled for hosts with enabled HTTPS.
data[].attributes.tls.lowStrengthCiphersAllowed | Boolean | Specifies whether low strength export ciphers are allowed for SSL connections of this virtual host (not recommended).
data[].attributes.tls.ocspStaplingEnabled | Boolean | This option enables OCSP stapling, as defined by the "Certificate Status Request" TLS extension specified in RFC 6066.
data[].attributes.tls.letsEncryptEnabled | Boolean | This option enables Let’s Encrypt support on a virtual host.
data[].attributes.tls.clientCertificateAuthentication | String | Specifies whether accessing this virtual host requires the client to authenticate with a valid TLS client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED
data[].attributes.tls.chainVerificationDepth | Number | The verification depth specifies the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are allowed at maximum to be followed while verifying the client certificate.
data[].attributes.tls.ocspValidationEnforced | Boolean | This option enables OCSP validation of the client certificate chain.
data[].attributes.tls.caCertificatesForClientCertificateSelection | Array | The Certificate Authorities configured in this field are sent to the client during SSL handshake. These CA names are used by the browser to show a pop-up window to the user with the appropriate client certificate out of the available client certificates.
data[].attributes.tls.caCertificatesForChainAndOcspValidation | Array | CA certificates which shall be used as "trust anchor" during chain and OCSP validation.
data[].attributes.session.cookiePath | String | Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host.
data[].attributes.session.cookieDomain | String | Specifies the domain for Airlock’s session cookie if the cookie is created inside this virtual host.
data[].attributes.expertSettings.securityGate | Object | Expert settings for the Security Gate.
data[].attributes.expertSettings.apache | Object | Expert settings for the Apache web listener.
data[].attributes.expertSettings.securityGate.enabled | Boolean | Whether the expert settings are enabled.
data[].attributes.expertSettings.securityGate.settings | String | The expert settings for the Security Gate.
data[].attributes.expertSettings.apache.enabled | Boolean | Whether the expert settings are enabled.
data[].attributes.expertSettings.apache.settings | String | The expert settings for the Apache web listener.
data[].relationships.mappings.data[] | Array | The mapping references.
data[].relationships.mappings.data[].type | String | The data type of the referenced resource. Must be "mapping" for this call.
data[].relationships.mappings.data[].id | String | The ID of the mapping resource.
data[].relationships.ssl-certificate.data | Object | The ssl-certificate references.
data[].relationships.ssl-certificate.data.type | String | The data type of the referenced resource. Must be "ssl-certificate" for this call.
data[].relationships.ssl-certificate.data.id | String | The ID of the ssl-certificate resource.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts?filter=name%3D%3DmyVirtualHost" -i -X GET \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 2288

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:27:03.547+02:00"
  },
  "data" : [ {
    "type" : "virtual-host",
    "id" : "1",
    "attributes" : {
      "name" : "myVirtualHost",
      "tenant" : "",
      "hostName" : "myvirtualhost.example.com",
      "aliasNames" : [ "Alias1DemoHost", "Alias2DemoHost" ],
      "showMaintenancePage" : false,
      "strictlyMatchFullyQualifiedDomainName" : true,
      "keepAliveTimeout" : 100,
      "encodedSlashesAllowed" : true,
      "downloadPdfsAsAttachmentsEnforced" : true,
      "serverAdmin" : "admin@example.com",
      "defaultRedirect" : "/",
      "pathRedirects" : [ {
        "from" : {
          "pattern" : "/sale",
          "caseIgnored" : false
        },
        "to" : "/eshop/products.asp?id=3342",
        "redirectStatusCode" : "MOVED_PERMANENTLY"
      } ],
      "networkInterface" : {
        "externalLogicalInterfaceName" : "EXTERNAL",
        "ipV4Address" : "87.239.214.12/24",
        "ipV6Address" : "2001:500:2::c/64",
        "http" : {
          "enabled" : true,
          "port" : 80,
          "httpsRedirectEnforced" : false
        },
        "https" : {
          "enabled" : false,
          "port" : 443,
          "http2Allowed" : false
        }
      },
      "tls" : {
        "lowStrengthCiphersAllowed" : false,
        "ocspStaplingEnabled" : false,
        "letsEncryptEnabled" : false,
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "chainVerificationDepth" : 1,
        "ocspValidationEnforced" : false,
        "caCertificatesForClientCertificateSelection" : [ ],
        "caCertificatesForChainAndOcspValidation" : [ ]
      },
      "session" : {
        "cookiePath" : "/",
        "cookieDomain" : "example.com"
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      }
    },
    "relationships" : {
      "mappings" : {
        "data" : [ {
          "type" : "mapping",
          "id" : "50"
        } ]
      },
      "ssl-certificate" : {
        "data" : {
          "type" : "ssl-certificate",
          "id" : "-1000"
        }
      }
    }
  } ]
}

Access a Virtual Host

GET /configuration/virtual-hosts/{id}

Accept application/json

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Response structure

Path Type Description

meta.type

String

The JSON API meta type, which is: "jsonapi.metadata.document"

meta.timestamp

String

The current server time as a timestamp.

data.type

String

The data type of the resource. Must be "virtual-host" for this call.

data.id

String

The ID of the resource to be addressed.

data.attributes.name

String

The logical name of the virtual host.

data.attributes.tenant

String

Tenant of the virtual host.

data.attributes.hostName

String

The hostname of the virtual host.

data.attributes.aliasNames

Array

Specifies additional server aliases for this virtual host.

data.attributes.showMaintenancePage

Boolean

Specifies whether Airlock WAF should display a maintenance page instead of performing the request to the back-end server.

data.attributes.strictlyMatchFullyQualifiedDomainName

Boolean

Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.

data.attributes.keepAliveTimeout

Number

Specifies the HTTP keep-alive timeout in seconds for this virtual host. A value of 0 (zero) disables the HTTP keep-alive function.

data.attributes.encodedSlashesAllowed

Boolean

Specifies whether encoded slashes (%2F) are allowed in URL path.

data.attributes.downloadPdfsAsAttachmentsEnforced

Boolean

If this option is enabled, PDF documents (detected by their content-type application/pdf) are always downloaded as attachments (not as "inline" document within the browser).

data.attributes.serverAdmin

String

The email address of the server administrator. It’s used as contact information for Let’s Encrypt functionality.

data.attributes.defaultRedirect

String

Specifies the URL that a client is redirected to when it accesses the root directory of the entry server without a more qualified path.

data.attributes.pathRedirects

Array

Dynamic URL redirects of the virtual host.

data.attributes.pathRedirects[].from

Object

Pattern for paths which shall be redirected. If a matching redirect path is detected, the client will be redirected to the redirect destination.

data.attributes.pathRedirects[].to

String

Destination to which the client shall be redirected.

data.attributes.pathRedirects[].redirectStatusCode

String

Status code to use in the redirect response. Allowed values are: MOVED_PERMANENTLY, FOUND, SEE_OTHER, TEMPORARY_REDIRECT, PERMANENT_REDIRECT

data.attributes.pathRedirects[].from.pattern

String

The actual pattern.

data.attributes.pathRedirects[].from.caseIgnored

Boolean

Whether to ignore case.

data.attributes.networkInterface.externalLogicalInterfaceName

String

Specifies the external network interface for this virtual host to receive requests.

data.attributes.networkInterface.ipV4Address

String

The IPv4 address in CIDR format.

data.attributes.networkInterface.ipV6Address

String

The IPv6 address in CIDR format.

data.attributes.networkInterface.http.enabled

Boolean

Specifies whether HTTP connections are enabled for this host.

data.attributes.networkInterface.http.port

Number

Specifies the port on which this host listens for HTTP connections.

data.attributes.networkInterface.http.httpsRedirectEnforced

Boolean

Redirect all HTTP traffic to HTTPS on this virtual host.

data.attributes.networkInterface.https.enabled

Boolean

Specifies whether HTTPS (SSL/TLS) connections are enabled for this host.

data.attributes.networkInterface.https.port

Number

Specifies the port on which this host listens for HTTPS (SSL/TLS) connections.

data.attributes.networkInterface.https.http2Allowed

Boolean

Specifies whether HTTP/2 connections are enabled for this host. HTTP/2 can only be enabled for hosts with enabled HTTPS.

data.attributes.tls.lowStrengthCiphersAllowed

Boolean

Specifies whether low strength export ciphers are allowed for SSL connections of this virtual host (not recommended).

data.attributes.tls.ocspStaplingEnabled

Boolean

This option enables OCSP stapling, as defined by the "Certificate Status Request" TLS extension specified in RFC 6066.

data.attributes.tls.letsEncryptEnabled

Boolean

This option enables Let’s Encrypt support on a virtual host.

data.attributes.tls.clientCertificateAuthentication

String

Specifies whether accessing this virtual host requires the client to authenticate with a valid TLS client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED

data.attributes.tls.chainVerificationDepth

Number

The verification depth specifies the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are allowed at maximum to be followed while verifying the client certificate.

data.attributes.tls.ocspValidationEnforced

Boolean

This option enables OCSP validation of the client certificate chain.

data.attributes.tls.caCertificatesForClientCertificateSelection

Array

The Certificate Authorities configured in this field are sent to the client during SSL handshake. These CA names are used by the browser to show a pop-up window to the user with the appropriate client certificate out of the available client certificates.

data.attributes.tls.caCertificatesForChainAndOcspValidation

Array

CA certificates which shall be used as "trust anchor" during chain and OCSP validation.

data.attributes.session.cookiePath

String

Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.session.cookieDomain

String

Specifies the domain for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.expertSettings.securityGate

Object

Expert settings for the Security Gate.

data.attributes.expertSettings.apache

Object

Expert settings for the Apache web listener.

data.attributes.expertSettings.securityGate.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.securityGate.settings

String

The expert settings for the Security Gate.

data.attributes.expertSettings.apache.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.apache.settings

String

The expert settings for the Apache web listener.

data.relationships.mappings.data[]

Array

The mapping references.

data.relationships.mappings.data[].type

String

The data type of the referenced resource. Must be "mapping" for this call.

data.relationships.mappings.data[].id

String

The ID of the mapping resource.

data.relationships.ssl-certificate.data

Object

The ssl-certificate references.

data.relationships.ssl-certificate.data.type

String

The data type of the referenced resource. Must be "ssl-certificate" for this call.

data.relationships.ssl-certificate.data.id

String

The ID of the ssl-certificate resource.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/2" -i -X GET \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 2284

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:27:03.272+02:00"
  },
  "data" : {
    "type" : "virtual-host",
    "id" : "2",
    "attributes" : {
      "name" : "myVirtualHost",
      "tenant" : "",
      "hostName" : "myvirtualhost.example.com",
      "aliasNames" : [ "Alias1DemoHost", "Alias2DemoHost" ],
      "showMaintenancePage" : false,
      "strictlyMatchFullyQualifiedDomainName" : true,
      "keepAliveTimeout" : 100,
      "encodedSlashesAllowed" : true,
      "downloadPdfsAsAttachmentsEnforced" : true,
      "serverAdmin" : "admin@example.com",
      "defaultRedirect" : "/",
      "pathRedirects" : [ {
        "from" : {
          "pattern" : "/sale",
          "caseIgnored" : false
        },
        "to" : "/eshop/products.asp?id=3342",
        "redirectStatusCode" : "MOVED_PERMANENTLY"
      } ],
      "networkInterface" : {
        "externalLogicalInterfaceName" : "EXTERNAL",
        "ipV4Address" : "87.239.214.12/24",
        "ipV6Address" : "2001:500:2::c/64",
        "http" : {
          "enabled" : true,
          "port" : 80,
          "httpsRedirectEnforced" : false
        },
        "https" : {
          "enabled" : false,
          "port" : 443,
          "http2Allowed" : false
        }
      },
      "tls" : {
        "lowStrengthCiphersAllowed" : false,
        "ocspStaplingEnabled" : false,
        "letsEncryptEnabled" : false,
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "chainVerificationDepth" : 1,
        "ocspValidationEnforced" : false,
        "caCertificatesForClientCertificateSelection" : [ ],
        "caCertificatesForChainAndOcspValidation" : [ ]
      },
      "session" : {
        "cookiePath" : "/",
        "cookieDomain" : "example.com"
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      }
    },
    "relationships" : {
      "mappings" : {
        "data" : [ {
          "type" : "mapping",
          "id" : "50"
        } ]
      },
      "ssl-certificate" : {
        "data" : {
          "type" : "ssl-certificate",
          "id" : "-1000"
        }
      }
    }
  }
}

Create a Virtual Host

POST /configuration/virtual-hosts

Content-Type application/json

Accept application/json

Request Structure

Path Type Required Description

data.attributes.name

String

yes

The logical name of the virtual host.

data.attributes.tenant

String

yes

Tenant of the virtual host.

data.attributes.hostName

String

yes

The hostname of the virtual host.

data.attributes.aliasNames

Array

yes

Specifies additional server aliases for this virtual host.

data.attributes.showMaintenancePage

Boolean

yes

Specifies whether Airlock WAF should display a maintenance page instead of performing the request to the back-end server.

data.attributes.strictlyMatchFullyQualifiedDomainName

Boolean

yes

Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.

data.attributes.keepAliveTimeout

Number

yes

Specifies the HTTP keep-alive timeout in seconds for this virtual host. A value of 0 (zero) disables the HTTP keep-alive function.

data.attributes.encodedSlashesAllowed

Boolean

yes

Specifies whether encoded slashes (%2F) are allowed in URL path.

data.attributes.downloadPdfsAsAttachmentsEnforced

Boolean

yes

If this option is enabled, PDF documents (detected by their content-type application/pdf) are always downloaded as attachments (not as "inline" document within the browser).

data.attributes.serverAdmin

String

yes

The email address of the server administrator. It’s used as contact information for Let’s Encrypt functionality.

data.attributes.defaultRedirect

String

yes

Specifies the URL that a client is redirected to when it accesses the root directory of the entry server without a more qualified path.

data.attributes.pathRedirects

Array

yes

Dynamic URL redirects of the virtual host.

data.attributes.pathRedirects[].from

Object

yes

Pattern for paths which shall be redirected. If a matching redirect path is detected, the client will be redirected to the redirect destination.

data.attributes.pathRedirects[].to

String

yes

Destination to which the client shall be redirected.

data.attributes.pathRedirects[].redirectStatusCode

String

yes

Status code to use in the redirect response. Allowed values are: MOVED_PERMANENTLY, FOUND, SEE_OTHER, TEMPORARY_REDIRECT, PERMANENT_REDIRECT

data.attributes.pathRedirects[].from.pattern

String

yes

The actual pattern.

data.attributes.pathRedirects[].from.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.networkInterface.externalLogicalInterfaceName

String

yes

Specifies the external network interface for this virtual host to receive requests.

data.attributes.networkInterface.ipV4Address

String

yes

The IPv4 address in CIDR format.

data.attributes.networkInterface.ipV6Address

String

yes

The IPv6 address in CIDR format.

data.attributes.networkInterface.http.enabled

Boolean

yes

Specifies whether HTTP connections are enabled for this host.

data.attributes.networkInterface.http.port

Number

yes

Specifies the port on which this host listens for HTTP connections.

data.attributes.networkInterface.http.httpsRedirectEnforced

Boolean

yes

Redirect all HTTP traffic to HTTPS on this virtual host.

data.attributes.networkInterface.https.enabled

Boolean

yes

Specifies whether HTTPS (SSL/TLS) connections are enabled for this host.

data.attributes.networkInterface.https.port

Number

yes

Specifies the port on which this host listens for HTTPS (SSL/TLS) connections.

data.attributes.networkInterface.https.http2Allowed

Boolean

yes

Specifies whether HTTP/2 connections are enabled for this host. HTTP/2 can only be enabled for hosts with enabled HTTPS.

data.attributes.tls.lowStrengthCiphersAllowed

Boolean

yes

Specifies whether low strength export ciphers are allowed for SSL connections of this virtual host (not recommended).

data.attributes.tls.ocspStaplingEnabled

Boolean

yes

This option enables OCSP stapling, as defined by the "Certificate Status Request" TLS extension specified in RFC 6066.

data.attributes.tls.letsEncryptEnabled

Boolean

yes

This option enables Let’s Encrypt support on a virtual host.

data.attributes.tls.clientCertificateAuthentication

String

yes

Specifies whether accessing this virtual host requires the client to authenticate with a valid TLS client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED

data.attributes.tls.chainVerificationDepth

Number

yes

The verification depth specifies the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are allowed at maximum to be followed while verifying the client certificate.

data.attributes.tls.ocspValidationEnforced

Boolean

yes

This option enables OCSP validation of the client certificate chain.

data.attributes.tls.caCertificatesForClientCertificateSelection

Array

yes

The Certificate Authorities configured in this field are sent to the client during SSL handshake. These CA names are used by the browser to show a pop-up window to the user with the appropriate client certificate out of the available client certificates.

data.attributes.tls.caCertificatesForChainAndOcspValidation

Array

yes

CA certificates which shall be used as "trust anchor" during chain and OCSP validation.

data.attributes.session.cookiePath

String

yes

Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.session.cookieDomain

String

yes

Specifies the domain for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.expertSettings.securityGate

Object

yes

Expert settings for the Security Gate.

data.attributes.expertSettings.apache

Object

yes

Expert settings for the Apache web listener.

data.attributes.expertSettings.securityGate.enabled

Boolean

yes

Whether the expert settings are enabled.

data.attributes.expertSettings.securityGate.settings

String

yes

The expert settings for the Security Gate.

data.attributes.expertSettings.apache.enabled

Boolean

yes

Whether the expert settings are enabled.

data.attributes.expertSettings.apache.settings

String

yes

The expert settings for the Apache web listener.

data.type

String

yes

The data type sent to the server. Must be set to "virtual-host" for this call.

Response structure

Path Type Description

meta.type

String

The JSON API meta type, which is: "jsonapi.metadata.document"

meta.timestamp

String

The current server time as a timestamp.

data.type

String

The data type of the resource. Must be "virtual-host" for this call.

data.id

String

The ID of the resource to be addressed.

data.attributes.name

String

The logical name of the virtual host.

data.attributes.tenant

String

Tenant of the virtual host.

data.attributes.hostName

String

The hostname of the virtual host.

data.attributes.aliasNames

Array

Specifies additional server aliases for this virtual host.

data.attributes.showMaintenancePage

Boolean

Specifies whether Airlock WAF should display a maintenance page instead of performing the request to the back-end server.

data.attributes.strictlyMatchFullyQualifiedDomainName

Boolean

Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.

data.attributes.keepAliveTimeout

Number

Specifies the HTTP keep-alive timeout in seconds for this virtual host. A value of 0 (zero) disables the HTTP keep-alive function.

data.attributes.encodedSlashesAllowed

Boolean

Specifies whether encoded slashes (%2F) are allowed in URL path.

data.attributes.downloadPdfsAsAttachmentsEnforced

Boolean

If this option is enabled, PDF documents (detected by their content-type application/pdf) are always downloaded as attachments (not as "inline" document within the browser).

data.attributes.serverAdmin

String

The email address of the server administrator. It’s used as contact information for Let’s Encrypt functionality.

data.attributes.defaultRedirect

String

Specifies the URL that a client is redirected to when it accesses the root directory of the entry server without a more qualified path.

data.attributes.pathRedirects

Array

Dynamic URL redirects of the virtual host.

data.attributes.pathRedirects[].from

Object

Pattern for paths which shall be redirected. If a matching redirect path is detected, the client will be redirected to the redirect destination.

data.attributes.pathRedirects[].to

String

Destination to which the client shall be redirected.

data.attributes.pathRedirects[].redirectStatusCode

String

Status code to use in the redirect response. Allowed values are: MOVED_PERMANENTLY, FOUND, SEE_OTHER, TEMPORARY_REDIRECT, PERMANENT_REDIRECT

data.attributes.pathRedirects[].from.pattern

String

The actual pattern.

data.attributes.pathRedirects[].from.caseIgnored

Boolean

Whether to ignore case.

data.attributes.networkInterface.externalLogicalInterfaceName

String

Specifies the external network interface for this virtual host to receive requests.

data.attributes.networkInterface.ipV4Address

String

The IPv4 address in CIDR format.

data.attributes.networkInterface.ipV6Address

String

The IPv6 address in CIDR format.

data.attributes.networkInterface.http.enabled

Boolean

Specifies whether HTTP connections are enabled for this host.

data.attributes.networkInterface.http.port

Number

Specifies the port on which this host listens for HTTP connections.

data.attributes.networkInterface.http.httpsRedirectEnforced

Boolean

Redirect all HTTP traffic to HTTPS on this virtual host.

data.attributes.networkInterface.https.enabled

Boolean

Specifies whether HTTPS (SSL/TLS) connections are enabled for this host.

data.attributes.networkInterface.https.port

Number

Specifies the port on which this host listens for HTTPS (SSL/TLS) connections.

data.attributes.networkInterface.https.http2Allowed

Boolean

Specifies whether HTTP/2 connections are enabled for this host. HTTP/2 can only be enabled for hosts with enabled HTTPS.

data.attributes.tls.lowStrengthCiphersAllowed

Boolean

Specifies whether low strength export ciphers are allowed for SSL connections of this virtual host (not recommended).

data.attributes.tls.ocspStaplingEnabled

Boolean

This option enables OCSP stapling, as defined by the "Certificate Status Request" TLS extension specified in RFC 6066.

data.attributes.tls.letsEncryptEnabled

Boolean

This option enables Let’s Encrypt support on a virtual host.

data.attributes.tls.clientCertificateAuthentication

String

Specifies whether accessing this virtual host requires the client to authenticate with a valid TLS client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED

data.attributes.tls.chainVerificationDepth

Number

The verification depth specifies the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are allowed at maximum to be followed while verifying the client certificate.

data.attributes.tls.ocspValidationEnforced

Boolean

This option enables OCSP validation of the client certificate chain.

data.attributes.tls.caCertificatesForClientCertificateSelection

Array

The Certificate Authorities configured in this field are sent to the client during SSL handshake. These CA names are used by the browser to show a pop-up window to the user with the appropriate client certificate out of the available client certificates.

data.attributes.tls.caCertificatesForChainAndOcspValidation

Array

CA certificates which shall be used as "trust anchor" during chain and OCSP validation.

data.attributes.session.cookiePath

String

Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.session.cookieDomain

String

Specifies the domain for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.expertSettings.securityGate

Object

Expert settings for the Security Gate.

data.attributes.expertSettings.apache

Object

Expert settings for the Apache web listener.

data.attributes.expertSettings.securityGate.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.securityGate.settings

String

The expert settings for the Security Gate.

data.attributes.expertSettings.apache.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.apache.settings

String

The expert settings for the Apache web listener.

data.relationships.mappings.data[]

Array

The mapping references.

data.relationships.mappings.data[].type

String

The data type of the referenced resource. Must be "mapping" for this call.

data.relationships.mappings.data[].id

String

The ID of the mapping resource.

data.relationships.ssl-certificate.data

Object

The ssl-certificate references.

data.relationships.ssl-certificate.data.type

String

The data type of the referenced resource. Must be "ssl-certificate" for this call.

data.relationships.ssl-certificate.data.id

String

The ID of the ssl-certificate resource.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts" -i -X POST \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '{
  "data" : {
    "type" : "virtual-host",
    "attributes" : {
      "name" : "myVirtualHost",
      "tenant" : "AirlockBankingCo",
      "hostName" : "myvirtualhost.example.com",
      "aliasNames" : [ ],
      "showMaintenancePage" : true,
      "strictlyMatchFullyQualifiedDomainName" : false,
      "keepAliveTimeout" : 3600,
      "encodedSlashesAllowed" : true,
      "downloadPdfsAsAttachmentsEnforced" : true,
      "serverAdmin" : "admin@example.com",
      "defaultRedirect" : "/",
      "pathRedirects" : [ {
        "from" : {
          "pattern" : "/",
          "caseIgnored" : true
        },
        "to" : "/redirect/path",
        "redirectStatusCode" : "MOVED_PERMANENTLY"
      } ],
      "networkInterface" : {
        "externalLogicalInterfaceName" : "EXT0",
        "ipV4Address" : "87.239.214.12/24",
        "ipV6Address" : "2001:500:2::c/64",
        "http" : {
          "enabled" : true,
          "port" : 80,
          "httpsRedirectEnforced" : false
        },
        "https" : {
          "enabled" : false,
          "port" : 443,
          "http2Allowed" : false
        }
      },
      "tls" : {
        "lowStrengthCiphersAllowed" : true,
        "ocspStaplingEnabled" : true,
        "letsEncryptEnabled" : false,
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "chainVerificationDepth" : 1,
        "ocspValidationEnforced" : true,
        "caCertificatesForClientCertificateSelection" : [ ],
        "caCertificatesForChainAndOcspValidation" : [ ]
      },
      "session" : {
        "cookiePath" : "/",
        "cookieDomain" : ""
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      }
    }
  }
}'

Example Response

HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 1956

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:27:03.499+02:00"
  },
  "data" : {
    "type" : "virtual-host",
    "id" : "4",
    "attributes" : {
      "name" : "myVirtualHost",
      "tenant" : "AirlockBankingCo",
      "hostName" : "myvirtualhost.example.com",
      "aliasNames" : [ ],
      "showMaintenancePage" : true,
      "strictlyMatchFullyQualifiedDomainName" : false,
      "keepAliveTimeout" : 3600,
      "encodedSlashesAllowed" : true,
      "downloadPdfsAsAttachmentsEnforced" : true,
      "serverAdmin" : "admin@example.com",
      "defaultRedirect" : "/",
      "pathRedirects" : [ {
        "from" : {
          "pattern" : "/",
          "caseIgnored" : true
        },
        "to" : "/redirect/path",
        "redirectStatusCode" : "MOVED_PERMANENTLY"
      } ],
      "networkInterface" : {
        "externalLogicalInterfaceName" : "EXT0",
        "ipV4Address" : "87.239.214.12/24",
        "ipV6Address" : "2001:500:2::c/64",
        "http" : {
          "enabled" : true,
          "port" : 80,
          "httpsRedirectEnforced" : false
        },
        "https" : {
          "enabled" : false,
          "port" : 443,
          "http2Allowed" : false
        }
      },
      "tls" : {
        "lowStrengthCiphersAllowed" : true,
        "ocspStaplingEnabled" : true,
        "letsEncryptEnabled" : false,
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "chainVerificationDepth" : 1,
        "ocspValidationEnforced" : true,
        "caCertificatesForClientCertificateSelection" : [ ],
        "caCertificatesForChainAndOcspValidation" : [ ]
      },
      "session" : {
        "cookiePath" : "/",
        "cookieDomain" : ""
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      }
    }
  }
}
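
The virtual-host documents returned by the calls above can be checked for weak settings before a configuration is activated. The following audit is an added example, not part of the Airlock documentation; the function names audit_virtual_host and audit_document are hypothetical, and apart from the lowStrengthCiphersAllowed rule (marked "not recommended" above) the rules are this example's own assumed policy. It accepts both the list form (data is an array) and the single-resource form (data is an object).

```python
import json

# Constructed sample: the "Create a Virtual Host" example response from this
# page, trimmed to the attributes the audit reads.
SAMPLE_CREATED = json.loads("""
{"data": {"type": "virtual-host", "id": "4", "attributes": {
  "name": "myVirtualHost",
  "strictlyMatchFullyQualifiedDomainName": false,
  "encodedSlashesAllowed": true,
  "networkInterface": {
    "http":  {"enabled": true,  "port": 80,  "httpsRedirectEnforced": false},
    "https": {"enabled": false, "port": 443, "http2Allowed": false}},
  "tls": {
    "lowStrengthCiphersAllowed": true,
    "clientCertificateAuthentication": "NOT_REQUIRED",
    "ocspValidationEnforced": true},
  "expertSettings": {
    "securityGate": {"enabled": false, "settings": ""},
    "apache": {"enabled": false, "settings": ""}}}}}
""")


def _get(obj, dotted):
    """Walk a dotted attribute path; return None when any segment is absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def audit_virtual_host(resource):
    """Return a list of (attribute path, reason) findings for one resource."""
    if resource.get("type") != "virtual-host":
        raise ValueError("not a virtual-host resource: %r" % resource.get("type"))
    attrs = resource.get("attributes") or {}
    findings = []

    def flag(path, reason):
        findings.append((path, reason))

    # Documented on this page as "not recommended".
    if _get(attrs, "tls.lowStrengthCiphersAllowed") is True:
        flag("tls.lowStrengthCiphersAllowed",
             "low strength export ciphers are allowed")

    # The remaining rules are this example's own policy (assumptions).
    if (_get(attrs, "networkInterface.http.enabled") is True
            and _get(attrs, "networkInterface.http.httpsRedirectEnforced") is not True):
        flag("networkInterface.http.httpsRedirectEnforced",
             "plain HTTP is served without a redirect to HTTPS")
    if _get(attrs, "networkInterface.https.enabled") is False:
        flag("networkInterface.https.enabled", "no HTTPS listener is enabled")
    if _get(attrs, "strictlyMatchFullyQualifiedDomainName") is False:
        flag("strictlyMatchFullyQualifiedDomainName",
             "host also replies to requests that match neither hostname nor alias")
    if _get(attrs, "encodedSlashesAllowed") is True:
        flag("encodedSlashesAllowed",
             "encoded slashes (%2F) are accepted in the URL path")
    if (_get(attrs, "tls.clientCertificateAuthentication") in ("OPTIONAL", "REQUIRED")
            and _get(attrs, "tls.ocspValidationEnforced") is not True):
        flag("tls.ocspValidationEnforced",
             "client certificates are accepted without OCSP validation")
    for component in ("securityGate", "apache"):
        path = "expertSettings.%s.enabled" % component
        if _get(attrs, path) is True:
            flag(path, "free-form expert settings are active; review them by hand")
    return findings


def audit_document(document):
    """Audit a response body; 'data' may be one resource or a list of them."""
    data = document.get("data")
    resources = data if isinstance(data, list) else [data]
    return {r["id"]: audit_virtual_host(r) for r in resources if r is not None}


if __name__ == "__main__":
    for host_id, findings in audit_document(SAMPLE_CREATED).items():
        for path, reason in findings:
            print("virtual-host %s: %s: %s" % (host_id, path, reason))
```

Attributes that are absent from a document are not flagged, so the audit reports only what the response explicitly states.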

Update a Virtual Host

PATCH /configuration/virtual-hosts/{id}

Content-Type application/json

Accept application/json

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Path Type Required Description

data.attributes.name

String

no

The logical name of the virtual host.

data.attributes.tenant

String

no

Tenant of the virtual host.

data.attributes.hostName

String

no

The hostname of the virtual host.

data.attributes.aliasNames

Array

no

Specifies additional server aliases for this virtual host.

data.attributes.showMaintenancePage

Boolean

no

Specifies whether Airlock WAF should display a maintenance page instead of performing the request to the back-end server.

data.attributes.strictlyMatchFullyQualifiedDomainName

Boolean

no

Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.

data.attributes.keepAliveTimeout

Number

no

Specifies the HTTP keep-alive timeout in seconds for this virtual host. A value of 0 (zero) disables the HTTP keep-alive function.

data.attributes.encodedSlashesAllowed

Boolean

no

Specifies whether encoded slashes (%2F) are allowed in URL path.

data.attributes.downloadPdfsAsAttachmentsEnforced

Boolean

no

If this option is enabled, PDF documents (detected by their content-type application/pdf) are always downloaded as attachments (not as "inline" document within the browser).

data.attributes.serverAdmin

String

no

The email address of the server administrator. It’s used as contact information for Let’s Encrypt functionality.

data.attributes.defaultRedirect

String

no

Specifies the URL that a client is redirected to when it accesses the root directory of the entry server without a more qualified path.

data.attributes.pathRedirects

Array

no

Dynamic URL redirects of the virtual host.

data.attributes.pathRedirects[].from

Object

no

Pattern for paths which shall be redirected. If a matching redirect path is detected, the client will be redirected to the redirect destination.

data.attributes.pathRedirects[].to

String

no

Destination to which the client shall be redirected.

data.attributes.pathRedirects[].redirectStatusCode

String

no

Status code to use in the redirect response. Allowed values are: MOVED_PERMANENTLY, FOUND, SEE_OTHER, TEMPORARY_REDIRECT, PERMANENT_REDIRECT

data.attributes.pathRedirects[].from.pattern

String

no

The actual pattern.

data.attributes.pathRedirects[].from.caseIgnored

Boolean

no

Whether to ignore case.

data.attributes.networkInterface.externalLogicalInterfaceName

String

no

Specifies the external network interface for this virtual host to receive requests.

data.attributes.networkInterface.ipV4Address

String

no

The IPv4 address in CIDR format.

data.attributes.networkInterface.ipV6Address

String

no

The IPv6 address in CIDR format.

data.attributes.networkInterface.http.enabled

Boolean

no

Specifies whether HTTP connections are enabled for this host.

data.attributes.networkInterface.http.port

Number

no

Specifies the port on which this host listens for HTTP connections.

data.attributes.networkInterface.http.httpsRedirectEnforced

Boolean

no

Redirect all HTTP traffic to HTTPS on this virtual host.

data.attributes.networkInterface.https.enabled

Boolean

no

Specifies whether HTTPS (SSL/TLS) connections are enabled for this host.

data.attributes.networkInterface.https.port

Number

no

Specifies the port on which this host listens for HTTPS (SSL/TLS) connections.

data.attributes.networkInterface.https.http2Allowed

Boolean

no

Specifies whether HTTP/2 connections are enabled for this host. HTTP/2 can only be enabled for hosts with enabled HTTPS.

data.attributes.tls.lowStrengthCiphersAllowed

Boolean

no

Specifies whether low strength export ciphers are allowed for SSL connections of this virtual host (not recommended).

data.attributes.tls.ocspStaplingEnabled

Boolean

no

This option enables OCSP stapling, as defined by the "Certificate Status Request" TLS extension specified in RFC 6066.

data.attributes.tls.letsEncryptEnabled

Boolean

no

This option enables Let’s Encrypt support on a virtual host.

data.attributes.tls.clientCertificateAuthentication

String

no

Specifies whether accessing this virtual host requires the client to authenticate with a valid TLS client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED

data.attributes.tls.chainVerificationDepth

Number

no

The verification depth specifies the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are allowed at maximum to be followed while verifying the client certificate.

data.attributes.tls.ocspValidationEnforced

Boolean

no

This option enables OCSP validation of the client certificate chain.

data.attributes.tls.caCertificatesForClientCertificateSelection

Array

no

The Certificate Authorities configured in this field are sent to the client during SSL handshake. These CA names are used by the browser to show a pop-up window to the user with the appropriate client certificate out of the available client certificates.

data.attributes.tls.caCertificatesForChainAndOcspValidation

Array

no

CA certificates which shall be used as "trust anchor" during chain and OCSP validation.

data.attributes.session.cookiePath

String

no

Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.session.cookieDomain

String

no

Specifies the domain for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.expertSettings.securityGate

Object

no

Expert settings for the Security Gate.

data.attributes.expertSettings.apache

Object

no

Expert settings for the Apache web listener.

data.attributes.expertSettings.securityGate.enabled

Boolean

no

Whether the expert settings are enabled.

data.attributes.expertSettings.securityGate.settings

String

no

The expert settings for the Security Gate.

data.attributes.expertSettings.apache.enabled

Boolean

no

Whether the expert settings are enabled.

data.attributes.expertSettings.apache.settings

String

no

The expert settings for the Apache web listener.

data.type

String

yes

The data type sent to the server. Must be set to "virtual-host" for this call.

data.id

String

yes

The ID of the resource to be addressed.

Response structure

Path Type Description

meta.type

String

The JSON API meta type, which is: "jsonapi.metadata.document"

meta.timestamp

String

The current server time as a timestamp.

data.type

String

The data type of the resource. Must be "virtual-host" for this call.

data.id

String

The ID of the resource to be addressed.

data.attributes.name

String

The logical name of the virtual host.

data.attributes.tenant

String

Tenant of the virtual host.

data.attributes.hostName

String

The hostname of the virtual host.

data.attributes.aliasNames

Array

Specifies additional server aliases for this virtual host.

data.attributes.showMaintenancePage

Boolean

Specifies whether Airlock WAF should display a maintenance page instead of performing the request to the back-end server.

data.attributes.strictlyMatchFullyQualifiedDomainName

Boolean

Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.

data.attributes.keepAliveTimeout

Number

Specifies the HTTP keep-alive timeout in seconds for this virtual host. A value of 0 (zero) disables the HTTP keep-alive function.

data.attributes.encodedSlashesAllowed

Boolean

Specifies whether encoded slashes (%2F) are allowed in URL path.

data.attributes.downloadPdfsAsAttachmentsEnforced

Boolean

If this option is enabled, PDF documents (detected by their content-type application/pdf) are always downloaded as attachments (not as "inline" document within the browser).

data.attributes.serverAdmin

String

The email address of the server administrator. It’s used as contact information for Let’s Encrypt functionality.

data.attributes.defaultRedirect

String

Specifies the URL to which a client is redirected if it accesses the root directory of the entry server without a more qualified path.

data.attributes.pathRedirects

Array

Dynamic URL redirects of the virtual host.

data.attributes.pathRedirects[].from

Object

Pattern for paths which shall be redirected. If a matching redirect path is detected, the client will be redirected to the redirect destination.

data.attributes.pathRedirects[].to

String

Destination to which the client shall be redirected.

data.attributes.pathRedirects[].redirectStatusCode

String

Status code to use in the redirect response. Allowed values are: MOVED_PERMANENTLY, FOUND, SEE_OTHER, TEMPORARY_REDIRECT, PERMANENT_REDIRECT

data.attributes.pathRedirects[].from.pattern

String

The actual pattern.

data.attributes.pathRedirects[].from.caseIgnored

Boolean

Whether to ignore case.

data.attributes.networkInterface.externalLogicalInterfaceName

String

Specifies the external network interface for this virtual host to receive requests.

data.attributes.networkInterface.ipV4Address

String

The IPv4 address in CIDR format.

data.attributes.networkInterface.ipV6Address

String

The IPv6 address in CIDR format.

data.attributes.networkInterface.http.enabled

Boolean

Specifies whether HTTP connections are enabled for this host.

data.attributes.networkInterface.http.port

Number

Specifies the port on which this host listens for HTTP connections.

data.attributes.networkInterface.http.httpsRedirectEnforced

Boolean

Redirect all HTTP traffic to HTTPS on this virtual host.

data.attributes.networkInterface.https.enabled

Boolean

Specifies whether HTTPS (SSL/TLS) connections are enabled for this host.

data.attributes.networkInterface.https.port

Number

Specifies the port on which this host listens for HTTPS (SSL/TLS) connections.

data.attributes.networkInterface.https.http2Allowed

Boolean

Specifies whether HTTP/2 connections are enabled for this host. HTTP/2 can only be enabled for hosts with enabled HTTPS.

data.attributes.tls.lowStrengthCiphersAllowed

Boolean

Specifies whether low strength export ciphers are allowed for SSL connections of this virtual host (not recommended).

data.attributes.tls.ocspStaplingEnabled

Boolean

This option enables OCSP stapling, as defined by the "Certificate Status Request" TLS extension specified in RFC 6066.

data.attributes.tls.letsEncryptEnabled

Boolean

This option enables Let’s Encrypt support on a virtual host.

data.attributes.tls.clientCertificateAuthentication

String

Specifies whether accessing this virtual host requires the client to authenticate with a valid TLS client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED

data.attributes.tls.chainVerificationDepth

Number

The verification depth specifies the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are allowed at maximum to be followed while verifying the client certificate.

data.attributes.tls.ocspValidationEnforced

Boolean

This option enables OCSP validation of the client certificate chain.

data.attributes.tls.caCertificatesForClientCertificateSelection

Array

The Certificate Authorities configured in this field are sent to the client during SSL handshake. These CA names are used by the browser to show a pop-up window to the user with the appropriate client certificate out of the available client certificates.

data.attributes.tls.caCertificatesForChainAndOcspValidation

Array

CA certificates which shall be used as "trust anchor" during chain and OCSP validation.

data.attributes.session.cookiePath

String

Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.session.cookieDomain

String

Specifies the domain for Airlock’s session cookie if the cookie is created inside this virtual host.

data.attributes.expertSettings.securityGate

Object

Expert settings for the Security Gate.

data.attributes.expertSettings.apache

Object

Expert settings for the Apache web listener.

data.attributes.expertSettings.securityGate.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.securityGate.settings

String

The expert settings for the Security Gate.

data.attributes.expertSettings.apache.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.apache.settings

String

The expert settings for the Apache web listener.

data.relationships.mappings.data[]

Array

The mapping references.

data.relationships.mappings.data[].type

String

The data type of the referenced resource. Must be "mapping" for this call.

data.relationships.mappings.data[].id

String

The ID of the mapping resource.

data.relationships.ssl-certificate.data

Object

The ssl-certificate references.

data.relationships.ssl-certificate.data.type

String

The data type of the referenced resource. Must be "ssl-certificate" for this call.

data.relationships.ssl-certificate.data.id

String

The ID of the ssl-certificate resource.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1" -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '{
  "data" : {
    "type" : "virtual-host",
    "id" : "1",
    "attributes" : {
      "name" : "myVirtualHost",
      "tenant" : "AirlockBankingCo",
      "hostName" : "myvirtualhost.example.com",
      "aliasNames" : [ ],
      "showMaintenancePage" : true,
      "strictlyMatchFullyQualifiedDomainName" : false,
      "keepAliveTimeout" : 3600,
      "encodedSlashesAllowed" : true,
      "downloadPdfsAsAttachmentsEnforced" : true,
      "serverAdmin" : "admin@example.com",
      "defaultRedirect" : "/",
      "pathRedirects" : [ {
        "from" : {
          "pattern" : "/",
          "caseIgnored" : true
        },
        "to" : "/redirect/path",
        "redirectStatusCode" : "MOVED_PERMANENTLY"
      } ],
      "networkInterface" : {
        "externalLogicalInterfaceName" : "EXT0",
        "ipV4Address" : "87.239.214.12/24",
        "ipV6Address" : "2001:500:2::c/64",
        "http" : {
          "enabled" : true,
          "port" : 80,
          "httpsRedirectEnforced" : false
        },
        "https" : {
          "enabled" : false,
          "port" : 443,
          "http2Allowed" : false
        }
      },
      "tls" : {
        "lowStrengthCiphersAllowed" : true,
        "ocspStaplingEnabled" : true,
        "letsEncryptEnabled" : false,
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "chainVerificationDepth" : 1,
        "ocspValidationEnforced" : true,
        "caCertificatesForClientCertificateSelection" : [ ],
        "caCertificatesForChainAndOcspValidation" : [ ]
      },
      "session" : {
        "cookiePath" : "/",
        "cookieDomain" : ""
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      }
    }
  }
}'

Example Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 2230

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:27:03.611+02:00"
  },
  "data" : {
    "type" : "virtual-host",
    "id" : "1",
    "attributes" : {
      "name" : "myVirtualHost",
      "tenant" : "AirlockBankingCo",
      "hostName" : "myvirtualhost.example.com",
      "aliasNames" : [ ],
      "showMaintenancePage" : true,
      "strictlyMatchFullyQualifiedDomainName" : false,
      "keepAliveTimeout" : 3600,
      "encodedSlashesAllowed" : true,
      "downloadPdfsAsAttachmentsEnforced" : true,
      "serverAdmin" : "admin@example.com",
      "defaultRedirect" : "/",
      "pathRedirects" : [ {
        "from" : {
          "pattern" : "/",
          "caseIgnored" : true
        },
        "to" : "/redirect/path",
        "redirectStatusCode" : "MOVED_PERMANENTLY"
      } ],
      "networkInterface" : {
        "externalLogicalInterfaceName" : "EXT0",
        "ipV4Address" : "87.239.214.12/24",
        "ipV6Address" : "2001:500:2::c/64",
        "http" : {
          "enabled" : true,
          "port" : 80,
          "httpsRedirectEnforced" : false
        },
        "https" : {
          "enabled" : false,
          "port" : 443,
          "http2Allowed" : false
        }
      },
      "tls" : {
        "lowStrengthCiphersAllowed" : true,
        "ocspStaplingEnabled" : true,
        "letsEncryptEnabled" : false,
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "chainVerificationDepth" : 1,
        "ocspValidationEnforced" : true,
        "caCertificatesForClientCertificateSelection" : [ ],
        "caCertificatesForChainAndOcspValidation" : [ ]
      },
      "session" : {
        "cookiePath" : "/",
        "cookieDomain" : ""
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      }
    },
    "relationships" : {
      "mappings" : {
        "data" : [ {
          "type" : "mapping",
          "id" : "50"
        } ]
      },
      "ssl-certificate" : {
        "data" : {
          "type" : "ssl-certificate",
          "id" : "-1000"
        }
      }
    }
  }
}
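The attribute descriptions above are enough to review a virtual host automatically before the configuration is activated. The following Python code is an added example, not part of the Airlock documentation: the function names and the choice of settings to flag are this example's own, and it assumes that a PATCH leaves omitted attributes unchanged (the request table marks every attribute as not required).

```python
import json
from dataclasses import dataclass
from typing import Any, Optional

# The example response shown above, trimmed to the attributes the checks read.
SAMPLE = json.loads("""
{
  "data": {
    "type": "virtual-host",
    "id": "1",
    "attributes": {
      "name": "myVirtualHost",
      "strictlyMatchFullyQualifiedDomainName": false,
      "networkInterface": {
        "http":  {"enabled": true,  "port": 80,  "httpsRedirectEnforced": false},
        "https": {"enabled": false, "port": 443, "http2Allowed": false}
      },
      "tls": {"lowStrengthCiphersAllowed": true}
    }
  }
}
""")


@dataclass
class Finding:
    path: str              # dotted path below data.attributes
    current: Any           # value found in the configuration
    wanted: Optional[Any]  # proposed value; None means "decide manually"
    reason: str


def _get(attrs: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if absent."""
    node: Any = attrs
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_virtual_host(doc: dict) -> list:
    """Return findings for one virtual-host resource document."""
    attrs = doc["data"]["attributes"]
    findings = []

    # The documentation itself marks this setting as "not recommended".
    if _get(attrs, "tls.lowStrengthCiphersAllowed") is True:
        findings.append(Finding("tls.lowStrengthCiphersAllowed", True, False,
                                "low strength export ciphers are allowed"))
    # Policy choice of this example: answer only for configured names.
    if _get(attrs, "strictlyMatchFullyQualifiedDomainName") is False:
        findings.append(Finding("strictlyMatchFullyQualifiedDomainName", False, True,
                                "host replies to names other than hostName/aliasNames"))

    http = _get(attrs, "networkInterface.http", {}) or {}
    https = _get(attrs, "networkInterface.https", {}) or {}
    # Documented constraint: HTTP/2 needs HTTPS on the same host.
    if https.get("http2Allowed") and not https.get("enabled"):
        findings.append(Finding("networkInterface.https.http2Allowed", True, False,
                                "HTTP/2 is allowed although HTTPS is disabled"))
    # Policy choice of this example: no plaintext-only listener.
    if http.get("enabled"):
        if not https.get("enabled"):
            # Enabling HTTPS needs a certificate, so no automatic fix.
            findings.append(Finding("networkInterface.https.enabled", False, None,
                                    "host is reachable over plain HTTP only"))
        elif not http.get("httpsRedirectEnforced"):
            findings.append(Finding("networkInterface.http.httpsRedirectEnforced",
                                    False, True,
                                    "HTTP is served without redirect to HTTPS"))
    return findings


def build_patch(doc: dict, findings: list) -> dict:
    """Build a PATCH body that carries only the proposed attribute changes."""
    attributes: dict = {}
    for finding in findings:
        if finding.wanted is None:
            continue
        *parents, leaf = finding.path.split(".")
        node = attributes
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = finding.wanted
    return {"data": {"type": doc["data"]["type"],
                     "id": doc["data"]["id"],
                     "attributes": attributes}}


if __name__ == "__main__":
    found = audit_virtual_host(SAMPLE)
    for f in found:
        print(f"{f.path}: {f.reason}")
    print(json.dumps(build_patch(SAMPLE, found), indent=2))
```

The resulting body can be sent with the PATCH call above; findings whose proposed value is empty need a manual decision.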

Delete a Virtual Host

DELETE /configuration/virtual-hosts/{id}

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1" -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 204 No Content

Enable 'Show Maintenance Page' Option of a Virtual Host

POST /configuration/virtual-hosts/{id}/maintenance

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1/maintenance" -i -X POST \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 204 No Content

Disable 'Show Maintenance Page' Option of a Virtual Host

DELETE /configuration/virtual-hosts/{id}/maintenance

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1/maintenance" -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 204 No Content

Add Mapping Connections

PATCH /configuration/virtual-hosts/{id}/relationships/mappings

Content-Type application/json

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Path Type Required Description

data[].type

String

yes

The data type of the referenced resource. Must be "mapping" for this call.

data[].id

String

yes

The ID of the referenced "mapping" resource.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1/relationships/mappings" -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '{
  "data" : [ {
    "type" : "mapping",
    "id" : "2"
  } ]
}'

Example Response

HTTP/1.1 204 No Content

Remove Mapping Connections

DELETE /configuration/virtual-hosts/{id}/relationships/mappings

Content-Type application/json

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Path Type Required Description

data[].type

String

yes

The data type of the referenced resource. Must be "mapping" for this call.

data[].id

String

yes

The ID of the referenced "mapping" resource.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1/relationships/mappings" -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '{
  "data" : [ {
    "type" : "mapping",
    "id" : "2"
  } ]
}'

Example Response

HTTP/1.1 204 No Content

Add SSL Certificate Connection

PATCH /configuration/virtual-hosts/{id}/relationships/ssl-certificate

Content-Type application/json

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Path Type Required Description

data.type

String

yes

The data type of the referenced resource. Must be "ssl-certificate" for this call.

data.id

String

yes

The ID of the referenced "ssl-certificate" resource.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1/relationships/ssl-certificate" -i -X PATCH \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '{
  "data" : {
    "type" : "ssl-certificate",
    "id" : "2"
  }
}'

Example Response

HTTP/1.1 204 No Content

Remove SSL Certificate Connection

DELETE /configuration/virtual-hosts/{id}/relationships/ssl-certificate

Content-Type application/json

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Path Type Required Description

data.type

String

yes

The data type of the referenced resource. Must be "ssl-certificate" for this call.

data.id

String

yes

The ID of the referenced "ssl-certificate" resource.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1/relationships/ssl-certificate" -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '{
  "data" : {
    "type" : "ssl-certificate",
    "id" : "2"
  }
}'

Example Response

HTTP/1.1 204 No Content

Certificate Revocation List

Airlock WAF provides the possibility to upload, download and delete the PEM representation of certificate revocation lists.

Upload a Certificate Revocation List for a Virtual Host

Please note that the virtual host, for which the certificate revocation list is intended, must already exist.

PUT /configuration/virtual-hosts/{id}/crl

Content-Type application/pkix-crl

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1/crl" -i -X PUT \
    -H 'Content-Type: application/pkix-crl' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
-----BEGIN X509 CRL-----
MIIBlDCB/jANBgkqhkiG9w0BAQUFADCBuDELMAkGA1UEBhMCQ0gxDzANBgNVBAgT
Blp1cmljaDEPMA0GA1UEBxMGWnVyaWNoMSkwJwYDVQQKEyB0ZXN0c3VpdGUgU3Vi
U3ViQ0ExIChieSBzbHQuY29tKTEqMCgGA1UEAxMhdGVzdHN1aXRlU3ViU3ViQ0Ex
LnNlY2x1dGlvbnMuY29tMTAwLgYJKoZIhvcNAQkBFiF0ZXN0c3VpdGVTdWJTdWJD
QTFAc2VjbHV0aW9ucy5jb20XDTEwMDMxODE0MzM0OFoXDTM3MDgwMzE0MzM0OFow
FDASAgECFw0xMDAzMTgxNDI2MjZaMA0GCSqGSIb3DQEBBQUAA4GBALdkvRMoIf0f
ZZv8XQkYwsqJKhljBqU/xBmerqVfs0sy+TGbuD8WKqtNnhehMgWWAFn7bDi68xb8
I2Hv9wbGF1z7ngWWCMaJLb0LGdkSC0b0Et/+ngnhOa3Y42NRQESN1UX3n9slo9R4
j0FkDCHLU5UeZE3VWDn1qJVmQlPWc0ve
-----END X509 CRL-----'

Example Response

HTTP/1.1 204 No Content

Example Request with invalid CRL

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1/crl" -i -X PUT \
    -H 'Content-Type: application/pkix-crl' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
'

Example Response with invalid CRL

HTTP/1.1 400 Bad Request
Content-Type: application/json
Content-Length: 184

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:27:03.407+02:00",
    "rid" : "n/a"
  },
  "errors" : [ {
    "code" : "INVALID_VALUE"
  } ]
}
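The INVALID_VALUE response above is returned when a PEM certificate is sent where a CRL is expected. The following Python code is an added example, not part of the Airlock documentation, that runs a structural check on the request body before the upload; the function names are this example's own, the sample payloads are constructed placeholders rather than real CRLs, and the check does not verify the CRL signature or issuer.

```python
import base64
import re

# One PEM block: BEGIN line, base64 payload, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def _der_sequence_ok(der: bytes) -> bool:
    """True if der is a single DER SEQUENCE whose length fills the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        header, length = 2, first
    else:                                 # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def preflight_crl_upload(body: str) -> list:
    """Return a list of problems; an empty list means the body looks sane."""
    problems = []
    blocks = PEM_BLOCK.findall(body)
    if not blocks:
        problems.append("no PEM block found")
    for index, (label, payload) in enumerate(blocks, 1):
        if label != "X509 CRL":
            problems.append(
                f"block {index}: label is {label!r}, expected 'X509 CRL'")
            continue
        try:
            der = base64.b64decode("".join(payload.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            problems.append(f"block {index}: payload is not valid base64")
            continue
        if not _der_sequence_ok(der):
            problems.append(f"block {index}: payload is not one DER SEQUENCE")
    if PEM_BLOCK.sub("", body).strip():
        problems.append("unexpected text outside the PEM blocks")
    return problems


def _pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used only to build the samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed placeholder: a well-formed DER SEQUENCE, not a real CRL.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
GOOD_BODY = _pem("X509 CRL", FAKE_DER) * 2          # two CRLs in one upload
WRONG_LABEL_BODY = _pem("CERTIFICATE", FAKE_DER)    # the case rejected above
TRUNCATED_BODY = _pem("X509 CRL", FAKE_DER[:-1])    # last byte cut off

if __name__ == "__main__":
    for name, sample in [("good", GOOD_BODY),
                         ("wrong label", WRONG_LABEL_BODY),
                         ("truncated", TRUNCATED_BODY)]:
        print(name, "->", preflight_crl_upload(sample) or "ok")
```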

Download a Certificate Revocation List of a Virtual Host

GET /configuration/virtual-hosts/{id}/crl

Accept application/pkix-crl

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/2/crl" -X GET \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/pkix-crl'

Example Response

HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Content-Length: 1217

-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
-----BEGIN X509 CRL-----
MIIBlDCB/jANBgkqhkiG9w0BAQUFADCBuDELMAkGA1UEBhMCQ0gxDzANBgNVBAgT
Blp1cmljaDEPMA0GA1UEBxMGWnVyaWNoMSkwJwYDVQQKEyB0ZXN0c3VpdGUgU3Vi
U3ViQ0ExIChieSBzbHQuY29tKTEqMCgGA1UEAxMhdGVzdHN1aXRlU3ViU3ViQ0Ex
LnNlY2x1dGlvbnMuY29tMTAwLgYJKoZIhvcNAQkBFiF0ZXN0c3VpdGVTdWJTdWJD
QTFAc2VjbHV0aW9ucy5jb20XDTEwMDMxODE0MzM0OFoXDTM3MDgwMzE0MzM0OFow
FDASAgECFw0xMDAzMTgxNDI2MjZaMA0GCSqGSIb3DQEBBQUAA4GBALdkvRMoIf0f
ZZv8XQkYwsqJKhljBqU/xBmerqVfs0sy+TGbuD8WKqtNnhehMgWWAFn7bDi68xb8
I2Hv9wbGF1z7ngWWCMaJLb0LGdkSC0b0Et/+ngnhOa3Y42NRQESN1UX3n9slo9R4
j0FkDCHLU5UeZE3VWDn1qJVmQlPWc0ve
-----END X509 CRL-----

Delete the Certificate Revocation List of a Virtual Host

DELETE /configuration/virtual-hosts/{id}/crl

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/virtual-hosts/1/crl" -i -X DELETE \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 204 No Content

Mapping

Access all Mappings

GET /configuration/mappings

Accept application/json

Request Structure

Parameter Description Required

filter

Optionally allows filtering by 'name', 'label', 'entryPath' and 'backendPath'. See the filter syntax description for details.

no

Response structure

Path Type Description

meta.type

String

The JSON API meta type, which is: "jsonapi.metadata.document"

meta.timestamp

String

The current server time as a timestamp.

data[].type

String

The data type of the resource. Must be "mapping" for this call.

data[].id

String

The ID of the resource to be addressed.

data[].attributes.name

String

The unique name of the mapping.

data[].attributes.labels

Array

Assigned Labels (freely defined textual tags). Labels allow grouping of mappings with a common aspect, e.g., all mappings belonging to the same application.

data[].attributes.tenant

String

Tenant of the mapping.

data[].attributes.backendPath

String

The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server.

data[].attributes.threatHandling

String

Defines how policy violations, e.g., missing allow rules, matching deny rules, URL encryption and form protection violations, are handled. Allowed values are: BLOCK, TERMINATE_SESSION, NOTIFY. Effects of the different values: BLOCK: Requests violating policies are blocked. The session (if available) remains valid. TERMINATE_SESSION: Requests violating policies are blocked. The session (if available) is terminated. NOTIFY: Requests violating policies are not blocked. The violation is logged and notified.

data[].attributes.operationalMode

String

Specifies whether this mapping runs in standard "Production" mode or in the so-called "Integration" mode. In Integration mode Airlock WAF logs more information about all requests and responses (which may decrease Airlock WAF’s performance). Allowed values are: PRODUCTION, INTEGRATION

data[].attributes.enableMaintenancePage

Boolean

Enable maintenance page.

data[].attributes.entryPath.value

String

The entry path specifies the external URL path the mapping should be available under. For each incoming request, Airlock WAF compares the URL with the entry path to find the right mapping.

data[].attributes.entryPath.regexFormatEnforced

Boolean

Whether the entry path (the external URL path of the mapping) should be interpreted as regular expression or not.

data[].attributes.entryPath.ignoreCase

Boolean

Whether the entry path should be case sensitive.

data[].attributes.entryPath.priority

Number

The priority is an integer number that specifies the importance (or order) of a mapping. It has been introduced to guarantee a deterministic selection of the mapping for a given request path. The value can be between -999 (highest priority) and 999 (lowest priority). The priority must be unique among all regular expression mappings. Only non regular expression mappings may share the same priority. In this case, the directories are ordered by length, i.e. the longest match wins.

data[].attributes.access.clientCertificateAuthentication

String

Specifies whether accessing this mapping requires the client to authenticate with a valid SSL client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED. Description of the values: NOT_REQUIRED: The mapping uses the client certificate settings of the virtual host. OPTIONAL: The client may send a certificate if available, but access is still allowed without. The optional setting is normally used in combination with an authentication service that presents an alternative login page if no certificate is sent. You should not use the 'optional' setting without this additional authentication service check. REQUIRED: The client must send a valid certificate. If no client certificate is sent, the SSL handshake is cancelled and the browser typically presents the user with a technical error message.

data[].attributes.access.authenticationFlow

String

Allowed values are: REDIRECT, DENY_ACCESS, ONE_SHOT, ONE_SHOT_WITH_BODY, FRONT_SIDE_NTLM Description: REDIRECT: If the required role for the mapping is missing on the current session, Airlock WAF will send a redirect (HTTP 303) to either the global or the custom denied access URL. This mode is typically used in conjunction with user operated clients. DENY_ACCESS: Airlock WAF will directly send an access denied (HTTP 403) response to the client if the required role is missing. This is typically used for technical clients. ONE_SHOT: When this option is selected and Airlock WAF receives an incoming request for this mapping that needs to be authenticated, Airlock WAF implicitly (without redirect) forwards the request to the configured denied access URL for this mapping. The request headers are forwarded but no request body. After the forwarded request, Airlock WAF checks again if the session is now authenticated. If so, the original request is passed to the back-end server (successful one-shot authentication). If the session does not have the required credentials even after the one-shot request, Airlock WAF will send an access denied (HTTP 403) response to the client. ONE_SHOT_WITH_BODY: This is the same as with the "one-shot" option with two notable differences: The whole body of the request is also sent to the denied access URL for this mapping and the request method is always POST instead of GET. FRONT_SIDE_NTLM: Choose the front-side NTLM authentication flow to support authentication using NTLM. The front-side NTLM authentication flow is similar to the "one-shot" authentication flow, but also forwards all requests containing an "Authorization" header with value "NTLM .*" to the denied access URL. For successful authentication, NTLM must be supported by the authentication service.

data[].attributes.access.backendLogoutUrl

String

Whenever an Airlock WAF session terminates (either due to an explicit logout by the user or due to a session timeout), Airlock WAF will call the given, unmodified path on the currently used back-end host with all information concerning this back-end application such as cookies, headers, etc. to allow clean session termination on the backend host.

data[].attributes.access.ntlmPassthroughEnabled

Boolean

Airlock WAF is enabled to handle HTTP connections with transparent client to back-end NTLM authentication. Since the authorization of NTLM authenticated connections is bound to the underlying TCP connection, the client and back-end connections are correlated as soon as a NTLM handshake is detected. These one-to-one bindings of client and back-end connections exist until client connections are closed. It is guaranteed that no back-end connection authenticated using NTLM is ever reused by another client connection. NTLM has well-known security flaws. We strongly recommend adding additional security measures when exposing NTLM authentication to the Internet. If possible, Kerberos should be preferred over NTLM, as suggested by Microsoft.

data[].attributes.access.tokensEnabled

Boolean

Whether access tokens should be processed.

data[].attributes.access.restrictions[].enabled

Boolean

Controls whether access restriction is used or not.

data[].attributes.access.restrictions[].httpMethodPattern.pattern

String

The actual pattern.

data[].attributes.access.restrictions[].httpMethodPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.access.restrictions[].httpMethodPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.access.restrictions[].entryPathPattern.pattern

String

The actual pattern.

data[].attributes.access.restrictions[].entryPathPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.access.restrictions[].entryPathPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.access.restrictions[].authorizedRoles[]

Array

Specifies a list of mandatory roles. Only sessions which have at least one of these roles will be able to access the service.

data[].attributes.access.restrictions[].authorizedPlans[]

Array

Specifies a list of mandatory plans. Only sessions which have at least one of these plans will be able to access the service.

data[].attributes.access.deniedUrl.value

String

Defines the location (URL) of the authentication service. In case the required role for the mapping is missing on the current session, Airlock WAF will redirect the client to this location.

data[].attributes.access.deniedUrl.mode

String

Use Global (default) will use the global denied access URL as configured under the menu Application Firewall - Session - Access Control. Custom will use a mapping-specific denied access URL. Allowed values are: GLOBAL, CUSTOM

data[].attributes.access.credentialsPropagation.mandatory

Boolean

If true and the selected SSO credentials are missing, access to the mapping is denied and Airlock WAF will redirect to either the global or the custom denied access URL.

data[].attributes.access.credentialsPropagation.type

String

Defines whether SSO credentials set by the control API are forwarded to the back-end application. These credentials are typically set by the authentication service upon successful authentication. Allowed values are: NONE, BASIC_AUTH, KERBEROS, NTLM. Description of the values:
  NONE: Even if Basic-Auth or NTLM credentials set by the control API are present, Airlock WAF will not forward them to the back-end application. Access to the mapping is granted without any SSO credentials.
  BASIC_AUTH: If Basic-Auth credentials set by the control API are present, Airlock WAF will forward them to the back-end application.
  KERBEROS: If a Kerberos user is set by the control API, Airlock WAF will acquire and send a service ticket to the back-end application.
  NTLM: If NTLM credentials set by the control API are present, Airlock WAF will forward them to the back-end application.

data[].attributes.access.tokenTransport.presenceMandatoryEnforced

Boolean

If not enforced, requests without a token are accepted. However, if a token is present, it is extracted and validated and the configured restrictions and role extractions are applied.

data[].attributes.access.tokenTransport.headerExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific header.

data[].attributes.access.tokenTransport.headerExtraction.extractionPattern.pattern

String

The actual pattern.

data[].attributes.access.tokenTransport.headerExtraction.extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.access.tokenTransport.headerExtraction.replaceWith

String

The rewrite expression for the header extraction.

data[].attributes.access.tokenTransport.parameterExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific query parameter.

data[].attributes.access.tokenTransport.parameterExtraction.name

String

Specifies the name of the query parameter.

data[].attributes.access.tokenTransport.cookieExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific cookie.

data[].attributes.access.tokenTransport.cookieExtraction.name

String

Specifies the name of the cookie.

data[].attributes.access.tokenVerification.type

String

Airlock supports three types of JWT tokens. Allowed values are: JWS, JWE, JWS_JWE

data[].attributes.access.tokenVerification.jwsAlgorithm

String

Supported JWS algorithms. Allowed values are: HS_256, HS_384, HS_512, RS_256, RS_384, RS_512, PS_256, PS_384, PS_512

data[].attributes.access.tokenVerification.jwsKey

String

A public key in x509 format or the passphrase, depending on the selected algorithm.

data[].attributes.access.tokenVerification.jweAlgorithm

String

Supported JWE algorithms. Allowed values are: A_128_CBC_HS_256, A_192_CBC_HS_384, A_256_CBC_HS_512, A_256_GCM

data[].attributes.access.tokenVerification.jweKey

String

Your secret passphrase for the symmetric encryption.

data[].attributes.access.tokenVerification.expiryCheckEnabled

Boolean

If enabled the JWT standard claims expiry (exp) and not before (nbf) will be checked and must be valid.

data[].attributes.access.tokenVerification.expiryCheckSkew

Number

The allowed skew when checking expiry / not before in seconds. This can be used if verification fails because of time synchronization issues with the token issuer and your Airlock WAF.

data[].attributes.access.tokenVerification.claimRestrictions[].enabled

Boolean

Enable/disable this claim extraction rule.

data[].attributes.access.tokenVerification.claimRestrictions[].name

String

Name of the claim you want to restrict.

data[].attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.pattern

String

The actual pattern.

data[].attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.access.tokenVerification.roleExtractions[].enabled

Boolean

Enable/disable this claim extraction rule.

data[].attributes.access.tokenVerification.roleExtractions[].name

String

Name of the claim you want to extract a role from.

data[].attributes.access.tokenVerification.roleExtractions[].extractionPattern.pattern

String

The actual pattern.

data[].attributes.access.tokenVerification.roleExtractions[].extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.access.tokenVerification.roleExtractions[].replaceWith

String

The rewrite expression of the role.

data[].attributes.access.tokenVerification.roleExtractions[].tokenLifetimeAsRoleLifetimeEnforced

Boolean

If enforced the expiry claim (exp) of the JWT will be used as the role lifetime.

data[].attributes.access.tokenVerification.extractTechnicalClientIdEnabled

Boolean

Extract a technical client ID from JWT.

data[].attributes.access.tokenVerification.extractTechnicalClientIdName

String

Name of the claim to extract as technical client ID.

data[].attributes.access.tokenVerification.setAuditTokenFromSubjectEnabled

Boolean

Extract the 'sub' claim from the JWT and use its value as audit token of the current Airlock WAF session.

data[].attributes.ipRules.ipAddressWhitelists.logOnly

Boolean

If true requests whose source IP address is not contained in one of the configured IP Whitelists are only logged but not blocked.

data[].attributes.ipRules.ipAddressBlacklists.logOnly

Boolean

If true requests whose source IP address is contained in one of the configured IP Blacklists are only logged but not blocked.

data[].attributes.ipRules.ipAddressBlacklists.webrootThreatCategories

String

Defines which threat categories should be blocked. Allowed values are: SPAM_SOURCES, WINDOWS_EXPLOITS, WEB_ATTACKS, BOT_NETS, SCANNERS, DENIAL_OF_SERVICE, PHISHING, PROXY, MOBILE_THREATS, TOR_PROXY. Threat categories blocked through the different values:
  SPAM_SOURCES: The Spam Sources category includes IP addresses involved in tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities.
  WINDOWS_EXPLOITS: The Windows Exploits category includes IP addresses participating in the distribution of malware, shell code, rootkits, worms or viruses for Windows platforms.
  WEB_ATTACKS: The Web Attacks category includes IP addresses using cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force attacks to target vulnerabilities on a web server.
  BOT_NETS: The Botnets category includes IP addresses acting as Botnet Command and Control (C&C) centers, and infected zombie machines controlled by the C&C servers.
  SCANNERS: The Scanners category includes IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning and brute force login attempts.
  DENIAL_OF_SERVICE: The Denial of Services category includes IP addresses involved in DOS or DDOS attacks, anomalous sync flood, or anomalous traffic.
  PHISHING: The Phishing category includes IP addresses hosting phishing sites and sites related to other kinds of fraudulent activities.
  PROXY: The Proxy category includes IP addresses providing proxy services, including both VPN and open web proxy services.
  MOBILE_THREATS: The Mobile Threats category includes IP addresses associated with malicious and unwanted mobile applications.
  TOR_PROXY: The Tor Proxy category includes IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.

data[].attributes.ipRules.dynamicIpAddressBlacklist.enabled

Boolean

Enables blocking of IPs on the dynamic IP address blacklist.

data[].attributes.ipRules.dynamicIpAddressBlacklist.countMode

String

Defines the counting mode of blocks for the dynamic IP blacklist. Allowed values are: OFF, ALL, DENY_RULES_ONLY. The following count modes are available:
  OFF: Blocks on this mapping are not counted for the dynamic IP address blacklist.
  ALL: All blocks on this mapping are counted for the dynamic IP address blacklist.
  DENY_RULES_ONLY: Only deny rule blocks on this mapping are counted for the dynamic IP address blacklist.

data[].attributes.botManagement.clientCookieSupportEnforced

Boolean

If enabled, only clients implementing a Cookie-Store will be able to access the application through this mapping. In contrast to regular browsers, most bots do not implement a Cookie-Store and will therefore be blocked if this setting is enabled.

data[].attributes.botManagement.wellKnownBots.allowed

Boolean

Check the User-Agent to determine if a bot is well-known and do not block such bots. Clients indicating one of the following User-Agent headers are treated as well-known bots: Googlebot, bingbot, MSNBot, Baiduspider, YandexBot, archive.org_bot, DuckDuckBot.

data[].attributes.botManagement.wellKnownBots.sourceDomainEnforced

Boolean

If enabled, a reverse IP lookup for well-known bots is performed to verify that the client’s IP address belongs to the operator of a well-known bot. This prevents bots from pretending to be a well-known bot by sending a fake "User-Agent" header. The following domains are considered as domains of operators operating well-known bots: google.com, googlebot.com, search.msn.com, yahoo.net, baidu.com, baidu.jp, yandex.ru, yandex.net, yandex.com, archive.org, amazonaws.com (107.20.237.51, 23.21.226.191, 107.21.1.8, 54.208.102.37)

data[].attributes.botManagement.customBots.allowed

Boolean

If enabled custom bots are not blocked. Custom bots are identified by providing a "User-Agent" and "Domain" pattern.

data[].attributes.botManagement.customBots.sourceDomainEnforced

Boolean

Do not block bots whose source-domain matches the "domain pattern".

data[].attributes.botManagement.customBots.userAgentPattern.pattern

String

The actual pattern.

data[].attributes.botManagement.customBots.userAgentPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.botManagement.customBots.userAgentPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.botManagement.customBots.domainPattern.pattern

String

The actual pattern.

data[].attributes.botManagement.customBots.domainPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.timeouts.backend

Number

Defines the time (seconds) Airlock WAF will wait for the back-end response. In case the request runs into the timeout, Airlock WAF will send a redirect to the HTTP 503 Service unavailable error page with the corresponding HTTP 503 status code. If In-band Health Checks are configured, then such a request will be counted as a failed request, potentially leading to the back-end server being marked as bad.

data[].attributes.timeouts.sessionIdle

Number

Defines the minimum session idle time (seconds) of Airlock WAF for this mapping. The value will be ignored if the minimum session idle timeout is smaller than or equal to the global session idle timeout setting.

data[].attributes.limits.general.maxRequestBodySize

Number

This field limits the total size of the request body. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in a request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once.

data[].attributes.limits.general.maxPathLength

Number

Defines the maximum path length for requests to the current mapping (default: max 1024 bytes).

data[].attributes.limits.http.maxParameters

Number

Defines the maximum number of parameters inside the request (default: max 128 parameters).

data[].attributes.limits.http.maxParameterNameLength

Number

Defines the maximum length for a parameter name (default: max 128 bytes).

data[].attributes.limits.http.maxParameterValueLength

Number

Defines the maximum length for a parameter value (default: max 1024 bytes).

data[].attributes.limits.json.enabled

Boolean

Whether JSON limits are enabled.

data[].attributes.limits.json.maxKeyLength

Number

Defines the maximum length for a JSON key, also known as "JSON property" or "JSON object member" (default: max 256 bytes).

data[].attributes.limits.json.maxValueLength

Number

Defines the maximum JSON value length for requests to the current mapping (default: max 8192 bytes).

data[].attributes.limits.json.maxNestingDepth

Number

Defines the maximum depth of nesting for JSON objects and JSON arrays (default: max 100).

data[].attributes.limits.json.maxKeys

Number

Defines the maximum number of keys of a single JSON object (non-recursive, default: max 250).

data[].attributes.limits.json.maxArrayItems

Number

Defines the maximum number of items for a single JSON array (non-recursive, default: max 500).

data[].attributes.limits.json.maxTotalEntries

Number

Defines the maximum number of keys and array items in the whole JSON document (recursive, default: max 150000).
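The JSON limits above, applied to a document, as an added example (not Airlock's own code). It assumes lengths are counted in UTF-8 bytes, the value length limit applies to string values, the top-level container counts as nesting depth 1 and duplicate keys count individually; Airlock WAF's exact counting may differ.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class JsonLimits:
    # Defaults documented for data[].attributes.limits.json.*
    max_key_length: int = 256        # maxKeyLength, bytes
    max_value_length: int = 8192     # maxValueLength, bytes
    max_nesting_depth: int = 100     # maxNestingDepth
    max_keys: int = 250              # maxKeys, per object (non-recursive)
    max_array_items: int = 500       # maxArrayItems, per array (non-recursive)
    max_total_entries: int = 150000  # maxTotalEntries, whole document (recursive)


class _Obj(list):
    """JSON object kept as (key, value) pairs so duplicate keys stay countable."""


def _byte_len(text):
    # surrogatepass: escaped lone surrogates are valid JSON and must not crash the check
    return len(text.encode("utf-8", errors="surrogatepass"))


def check_json_limits(document, limits=JsonLimits()):
    """Return (limit_name, json_path, observed) tuples for every exceeded limit."""
    try:
        root = json.loads(document, object_pairs_hook=_Obj)
    except RecursionError:
        # Nested too deeply even for the parser: report it instead of crashing.
        return [("maxNestingDepth", "$", None)]

    violations = []
    total_entries = 0
    stack = [(root, "$", 0)]  # explicit stack, so the walk itself never recurses
    while stack:
        node, path, depth = stack.pop()
        if isinstance(node, _Obj):
            children = [(f"{path}.{key}", value) for key, value in node]
            if len(node) > limits.max_keys:
                violations.append(("maxKeys", path, len(node)))
            for key, _ in node:
                if _byte_len(key) > limits.max_key_length:
                    violations.append(("maxKeyLength", path, _byte_len(key)))
        elif isinstance(node, list):
            children = [(f"{path}[{i}]", value) for i, value in enumerate(node)]
            if len(node) > limits.max_array_items:
                violations.append(("maxArrayItems", path, len(node)))
        else:
            if isinstance(node, str) and _byte_len(node) > limits.max_value_length:
                violations.append(("maxValueLength", path, _byte_len(node)))
            continue  # scalars have no children
        depth += 1
        total_entries += len(children)
        if depth > limits.max_nesting_depth:
            violations.append(("maxNestingDepth", path, depth))
            continue  # do not descend below the depth limit
        stack.extend((value, child_path, depth) for child_path, value in children)

    if total_entries > limits.max_total_entries:
        violations.append(("maxTotalEntries", "$", total_entries))
    return violations
```

Keeping objects as key/value pairs matters for maxKeys: a parser that collapses duplicate keys into a dictionary would undercount a body such as `{"k": 1, "k": 2, "k": 3}`.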

data[].attributes.application.sessionHandling

String

Allowed values are: ENFORCE_SESSION, OPTIONAL_SESSION, OPTIONAL_SESSION_NO_REFRESH, IGNORE_SESSION. The different modes have the following effects:
  ENFORCE_SESSION: Sessions are enforced. If no session is available a new session is created.
  OPTIONAL_SESSION: Sessions are optional. Existing sessions are used. If no session is available no session is used.
  OPTIONAL_SESSION_NO_REFRESH: Same as "OPTIONAL_SESSION" but without refreshing session access timestamps. That is, requests use existing sessions if available but do not reset session idle times.
  IGNORE_SESSION: Session handling is disabled. No sessions are created and existing sessions are ignored. This mode improves performance for delivery of anonymous stateless content, such as image directories or static web repositories.

data[].attributes.application.controlApiAllowed

Boolean

Specifies whether this service is allowed to use Airlock WAF’s back-end API via the control cookie mechanism. Normally, only the authentication application should be allowed to use the back-end control API of Airlock WAF.

data[].attributes.application.environmentCookiesEnabled

Boolean

Specifies whether this service should receive the Airlock WAF environment cookies that contain useful information about the connection to the client.

data[].attributes.application.loadBalancingCookieEnabled

Boolean

If enabled, load balancing information is sent to the client in a load balancing cookie. Disable if no load balancing is needed and no cookie should be generated for this purpose.

data[].attributes.application.webSocketsAllowed

Boolean

Enables support for WebSockets protocol as defined in RFC 6455.

data[].attributes.application.redirectForErrorPageEnabled

Boolean

If enabled, Airlock WAF will deliver error pages by sending an HTTP redirect pointing to the error page to its clients. Otherwise the error page will be directly returned.

data[].attributes.application.encryptedCookies.enabled

Boolean

Enables encryption of cookies which are sent to the client.

data[].attributes.application.encryptedCookies.prefix

String

Regular expression for cookies that should be cryptographically encrypted before being sent to the client. All cookies that have names which match the regular expression are encrypted and digitally signed with a secret key derived from a pass phrase when sent to the client. They are decrypted and verified when sent to the back-end service. Because the pass-phrase-based key is used, such cookies are valid over several sessions and can also be persistent on the client’s machine. Such cookies protect the application from manipulated cookie contents and hide the content from the user.

data[].attributes.application.passthroughCookies.enabled

Boolean

Enables 'Passthrough Cookies'. Passthrough Cookies are cookies which are sent in plain format to the client.

data[].attributes.application.passthroughCookies.prefix

String

Regular expression to select cookies that should be treated as 'Passthrough Cookies'. Passthrough cookies are not recommended because they are often a carrier for cookie poisoning based web application attacks that can result in buffer overflows etc.

data[].attributes.application.request.charset

String

Parameter values that are sent in HTTP requests from the client are interpreted by Airlock WAF as if they were encoded using the given charset. If Airlock WAF detects that the charset does not match it tries to use the fallback charset.

data[].attributes.application.response.compressionAllowed

Boolean

Specifies whether Airlock WAF should compress the output on-the-fly for the client browser (if supported and requested by the browser). Warning: Allowing compression for data served through SSL/TLS virtual hosts may affect the secrecy of the data.

data[].attributes.application.response.stripCommentsEnabled

Boolean

If enabled, Airlock WAF removes HTML comments.

data[].attributes.application.response.header.location.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data[].attributes.application.response.header.location.rewrites[].urlPattern.pattern

String

The actual pattern.

data[].attributes.application.response.header.location.rewrites[].urlPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.application.response.header.location.rewrites[].replaceWith

String

This is the target string which will replace the string matched by URL pattern.

data[].attributes.application.response.json.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data[].attributes.application.response.json.rewrites[].path

String

A response from the back-end server is rewritten only if the JSON path matches this regular expression.

data[].attributes.application.response.json.rewrites[].contentPattern.pattern

String

The actual pattern.

data[].attributes.application.response.json.rewrites[].contentPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.application.response.json.rewrites[].replaceWith

String

This is the target string which will replace the string matched by Content Pattern.

data[].attributes.application.response.body.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data[].attributes.application.response.body.rewrites[].contentType

String

A response from the back-end server is rewritten only if the response header Content-Type matches this regular expression.

data[].attributes.application.response.body.rewrites[].contentPattern.pattern

String

The actual pattern.

data[].attributes.application.response.body.rewrites[].contentPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.application.response.body.rewrites[].replaceWith

String

This is the target string which will replace the string matched by Content Pattern.

data[].attributes.application.response.html.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data[].attributes.application.response.html.rewrites[].urlPattern.pattern

String

The actual pattern.

data[].attributes.application.response.html.rewrites[].urlPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.application.response.html.rewrites[].uris

Boolean

Apply rule to linked HTML elements like href, src, etc.

data[].attributes.application.response.html.rewrites[].events

Boolean

Apply rule to JavaScript event strings such as onsubmit, onload, etc.

data[].attributes.application.response.html.rewrites[].embedded

Boolean

Apply rule to <script> and <style> blocks embedded in the HTML page.

data[].attributes.application.response.html.rewrites[].replaceWith

String

This is the target string which will replace the string matched by URL Pattern.

data[].attributes.application.response.errorPage.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data[].attributes.application.response.errorPage.rewrites[].statusContentPattern

String

The HTTP status code pattern.

data[].attributes.application.response.errorPage.rewrites[].replaceWith

String

This is the target string which will replace the string matched by HTTP status content pattern.

data[].attributes.apiSecurity.treatPathSegmentsAsParamValues

Boolean

If enabled each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it.

data[].attributes.apiSecurity.openApiEnforced

Boolean

Specifies whether traffic to/from this service shall be checked against an API specification provided in the OpenAPI format. If enforced traffic not conforming to the API specification will be blocked.

data[].attributes.apiSecurity.openApiCheckResponsesEnabled

Boolean

Check responses against the API specification.

data[].attributes.apiSecurity.logOnly

Boolean

If enabled potential attack requests are only logged but not blocked.

data[].attributes.apiSecurity.openApiPathMatching

String

Run OpenAPI path matching against client or server view of request/response.

data[].attributes.apiSecurity.openApiPublishSpecificationEnabled

Boolean

Allow clients to download the API specification.

data[].attributes.apiSecurity.openApiPublishSpecificationPath

String

External path to the API specification. Note that the entry path will be added in front of it.

data[].attributes.apiSecurity.apiPolicyServiceEnabled

Boolean

Enables API policy service.

data[].attributes.apiSecurity.apiPolicyServiceId

Number

ID of the API policy service.

data[].attributes.apiSecurity.apiPolicyKeyExtractionHeader.enabled

Boolean

If enabled Airlock WAF will extract the API key from the specific header.

data[].attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.pattern

String

The actual pattern.

data[].attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.apiSecurity.apiPolicyKeyExtractionHeader.replaceWith

String

The rewrite expression for the header extraction.

data[].attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.enabled

Boolean

If enabled Airlock WAF will extract the API key from the specific query parameter.

data[].attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.parameterName

String

Specifies the name of the query parameter.

data[].attributes.apiSecurity.apiPolicyKeyExtractionCookie.enabled

Boolean

If enabled Airlock WAF will extract the API key from the specific cookie.

data[].attributes.apiSecurity.apiPolicyKeyExtractionCookie.cookieName

String

Specifies the name of the cookie.

data[].attributes.apiSecurity.jsonParser.enabled

Boolean

If set to true, Airlock WAF parses JSON objects in requests and filters JSON attributes with allow rules and deny rules. JSON objects are parsed only if their content-type matches the specified pattern.

data[].attributes.apiSecurity.jsonParser.contentTypePattern.pattern

String

The actual pattern.

data[].attributes.apiSecurity.jsonParser.contentTypePattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.apiSecurity.jsonParser.contentTypePattern.inverted

Boolean

Whether to invert the match.

data[].attributes.dosAttackPrevention.enabled

Boolean

Enables DoS attack prevention filter.

data[].attributes.dosAttackPrevention.maxRequestsPerInterval

Number

Maximum requests allowed per IP address.

data[].attributes.dosAttackPrevention.interval

Number

Interval for measurement of allowed requests per IP address (seconds).

data[].attributes.dosAttackPrevention.whitelistIpPattern

Object

Reference to an IP pattern that acts as whitelist. All source IPs matching this pattern will be excluded from the session limit per IP restriction. This is typically used if you have many users having the same source IP (e.g. a proxy).

data[].attributes.dosAttackPrevention.whitelistIpPattern.pattern

String

The actual pattern.

data[].attributes.dosAttackPrevention.whitelistIpPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.requestBodyStreaming.enabled

Boolean

Controls whether request body streaming is used or not. If set, only requests matching all three regular expression patterns will be streamed. Empty fields have the same effect as the pattern ^.*$

data[].attributes.requestBodyStreaming.httpMethodPattern

Object

Only requests whose HTTP method matches this regular expression pattern will be streamed.

data[].attributes.requestBodyStreaming.pathPattern

Object

Only requests whose path matches this regular expression pattern will be streamed.

data[].attributes.requestBodyStreaming.contentTypePattern

Object

Only requests whose content type header matches this regular expression pattern will be streamed.

data[].attributes.requestBodyStreaming.httpMethodPattern.pattern

String

The actual pattern.

data[].attributes.requestBodyStreaming.httpMethodPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.requestBodyStreaming.httpMethodPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.requestBodyStreaming.pathPattern.pattern

String

The actual pattern.

data[].attributes.requestBodyStreaming.pathPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.requestBodyStreaming.pathPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.requestBodyStreaming.contentTypePattern.pattern

String

The actual pattern.

data[].attributes.requestBodyStreaming.contentTypePattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.requestBodyStreaming.contentTypePattern.inverted

Boolean

Whether to invert the match.

data[].attributes.httpParameterPollutionDetection.mixedTypes

Object

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving both HTTP GET and HTTP POST parameters (thus involving parameters of different/mixed types).

data[].attributes.httpParameterPollutionDetection.sameType

Object

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving only HTTP GET or only HTTP POST parameters (thus involving only parameters of the same type).

data[].attributes.httpParameterPollutionDetection.mixedTypes.enabled

Boolean

If enabled requests containing HTTP GET and HTTP POST parameters of the same name are blocked to prevent HPP attacks.

data[].attributes.httpParameterPollutionDetection.mixedTypes.logOnly

Boolean

If true potential HPP attack requests are only logged but not blocked.

data[].attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern

Object

Parameters whose name matches this regular expression pattern will be ignored by the HPP detection.

data[].attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.pattern

String

The actual pattern.

data[].attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.caseIgnored

Boolean

Whether to ignore case.

data[].attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.inverted

Boolean

Whether to invert the match.

data[].attributes.httpParameterPollutionDetection.sameType.enabled

Boolean

If enabled parameters named with the same name and type (HTTP GET or POST) are joined together into one parameter before filtering to prevent HPP attacks. Note: For the filtering itself a deny rule like the default deny rule '(default) HTTP Parameter Pollution' has to be configured.

data[].attributes.expertSettings.securityGate

Object

Expert settings for the Security Gate.

data[].attributes.expertSettings.apache

Object

Expert settings for the Apache.

data[].attributes.expertSettings.securityGate.enabled

Boolean

Whether the expert settings are enabled.

data[].attributes.expertSettings.securityGate.settings

String

The expert settings for the Security Gate.

data[].attributes.expertSettings.apache.enabled

Boolean

Whether the expert settings are enabled.

data[].attributes.expertSettings.apache.settings

String

The expert settings for the Apache web listener.
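A configuration review over the mapping attributes documented above, as an added example (not part of the Airlock WAF API or tooling). It flags only settings whose descriptions on this page state a weakened or non-blocking behaviour; the sample document, its "id" values and the rule wording are constructed for illustration.

```python
import json

# Constructed sample in the data[].attributes shape documented above.
# The "id" values and every setting are invented for this illustration.
SAMPLE = json.loads("""
{"data": [
  {"id": "1", "attributes": {
    "access": {"ntlmPassthroughEnabled": false, "tokensEnabled": true,
               "tokenTransport": {"presenceMandatoryEnforced": true},
               "tokenVerification": {"expiryCheckEnabled": true}},
    "ipRules": {"ipAddressWhitelists": {"logOnly": false},
                "ipAddressBlacklists": {"logOnly": false}},
    "limits": {"general": {"maxRequestBodySize": 1048576}},
    "application": {"controlApiAllowed": false,
                    "passthroughCookies": {"enabled": false},
                    "response": {"compressionAllowed": false}},
    "apiSecurity": {"logOnly": false},
    "httpParameterPollutionDetection": {"mixedTypes": {"logOnly": false}}}},
  {"id": "2", "attributes": {
    "access": {"ntlmPassthroughEnabled": true, "tokensEnabled": true,
               "tokenTransport": {"presenceMandatoryEnforced": false},
               "tokenVerification": {"expiryCheckEnabled": false}},
    "ipRules": {"ipAddressWhitelists": {"logOnly": false},
                "ipAddressBlacklists": {"logOnly": true}},
    "limits": {"general": {"maxRequestBodySize": 0}},
    "application": {"controlApiAllowed": false,
                    "passthroughCookies": {"enabled": true},
                    "response": {"compressionAllowed": true}}}}
]}
""")

TOKENS = "access.tokensEnabled"  # token rules only matter when tokens are processed

# (attribute path, value to flag, prerequisite path or None, reason taken from the field text)
RULES = [
    ("access.ntlmPassthroughEnabled", True, None, "NTLM is passed through; Kerberos is preferred"),
    ("access.tokenTransport.presenceMandatoryEnforced", False, TOKENS,
     "requests without a token are accepted"),
    ("access.tokenVerification.expiryCheckEnabled", False, TOKENS,
     "exp and nbf claims are not checked"),
    ("ipRules.ipAddressWhitelists.logOnly", True, None, "whitelist misses are logged, not blocked"),
    ("ipRules.ipAddressBlacklists.logOnly", True, None, "blacklist hits are logged, not blocked"),
    ("apiSecurity.logOnly", True, None, "potential attack requests are logged, not blocked"),
    ("httpParameterPollutionDetection.mixedTypes.logOnly", True, None,
     "potential HPP requests are logged, not blocked"),
    ("application.controlApiAllowed", True, None,
     "control API is normally reserved for the authentication application"),
    ("application.passthroughCookies.enabled", True, None, "passthrough cookies are not recommended"),
    ("application.response.compressionAllowed", True, None,
     "compression on SSL/TLS virtual hosts may affect secrecy"),
    ("limits.general.maxRequestBodySize", 0, None, "0 means an unlimited request body"),
]

_MISSING = object()


def get_path(obj, dotted):
    """Follow a dotted attribute path; return _MISSING if any segment is absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return _MISSING
        obj = obj[part]
    return obj


def audit(document):
    """Return (mapping id, attribute path, reason) for each flagged setting."""
    findings = []
    for mapping in document.get("data", []):
        attrs = mapping.get("attributes", {})
        for path, flagged, requires, reason in RULES:
            if requires and get_path(attrs, requires) is not True:
                continue
            value = get_path(attrs, path)
            # Type check keeps False from matching the numeric 0 rule and vice versa.
            if type(value) is type(flagged) and value == flagged:
                findings.append((mapping.get("id"), path, reason))
    return findings


if __name__ == "__main__":
    for mapping_id, path, reason in audit(SAMPLE):
        print(f"mapping {mapping_id}: {path}: {reason}")
```

Attributes absent from a mapping are skipped rather than flagged, so the output lists only settings that are explicitly present in the response.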

data[].attributes.locking.enabled

Boolean

If true the state of the attribute locks is displayed in Airlock WAF’s Configuration Center for this mapping.

data[].attributes.locking.labels

Boolean

Lock for the corresponding member.

data[].attributes.locking.backendPath

Boolean

Lock for the corresponding member.

data[].attributes.locking.threatHandling

Boolean

Lock for the corresponding member.

data[].attributes.locking.enableMaintenancePage

Boolean

Lock for the corresponding member.

data[].attributes.locking.operationalMode

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.restrictions

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.clientCertificateAuthentication

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.authenticationFlow

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.backendLogoutUrl

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.ntlmPassthroughEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokensEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.deniedUrl.value

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.deniedUrl.mode

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.credentialsPropagation.mandatory

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.credentialsPropagation.type

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.type

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.jwsAlgorithm

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.jwsKey

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.jweAlgorithm

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.jweKey

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.expiryCheckEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.expiryCheckSkew

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.claimRestrictions

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.roleExtractions

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.extractTechnicalClientIdEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.extractTechnicalClientIdName

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenVerification.setAuditTokenFromSubjectEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenTransport.presenceMandatoryEnforced

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenTransport.headerExtraction.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenTransport.headerExtraction.extractionPattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenTransport.headerExtraction.replaceWith

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenTransport.parameterExtraction.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenTransport.parameterExtraction.name

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenTransport.cookieExtraction.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.access.tokenTransport.cookieExtraction.name

Boolean

Lock for the corresponding member.

data[].attributes.locking.entryPath.settings

Boolean

Lock for the corresponding member. Note that this lock affects both the EntryPath’s 'value' and 'ignoreCase'.

data[].attributes.locking.entryPath.regexFormatEnforced

Boolean

Lock for the corresponding member.

data[].attributes.locking.entryPath.priority

Boolean

Lock for the corresponding member.

data[].attributes.locking.ipRules.ipAddressWhitelists.logOnly

Boolean

Lock for the corresponding member.

data[].attributes.locking.ipRules.ipAddressBlacklists.logOnly

Boolean

Lock for the corresponding member.

data[].attributes.locking.ipRules.dynamicIpAddressBlacklist.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.ipRules.dynamicIpAddressBlacklist.countMode

Boolean

Lock for the corresponding member.

data[].attributes.locking.botManagement.clientCookieSupportEnforced

Boolean

Lock for the corresponding member.

data[].attributes.locking.botManagement.wellKnownBots.allowed

Boolean

Lock for the corresponding member.

data[].attributes.locking.botManagement.wellKnownBots.sourceDomainEnforced

Boolean

Lock for the corresponding member.

data[].attributes.locking.botManagement.customBots.allowed

Boolean

Lock for the corresponding member.

data[].attributes.locking.botManagement.customBots.sourceDomainEnforced

Boolean

Lock for the corresponding member.

data[].attributes.locking.botManagement.customBots.userAgentPattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.botManagement.customBots.domainPattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.timeouts.backend

Boolean

Lock for the corresponding member.

data[].attributes.locking.timeouts.sessionIdle

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.general.maxRequestBodySize

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.general.maxPathLength

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.http.maxParameters

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.http.maxParameterNameLength

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.http.maxParameterValueLength

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.json.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.json.maxKeyLength

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.json.maxValueLength

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.json.maxNestingDepth

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.json.maxArrayItems

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.json.maxKeys

Boolean

Lock for the corresponding member.

data[].attributes.locking.limits.json.maxTotalEntries

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.sessionHandling

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.controlApiAllowed

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.environmentCookiesEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.loadBalancingCookieEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.webSocketsAllowed

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.redirectForErrorPageEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.encryptedCookies.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.encryptedCookies.prefix

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.passthroughCookies.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.passthroughCookies.prefix

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.request.charset

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.response.compressionAllowed

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.response.stripCommentsEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.response.header.location.rewrites

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.response.json.rewrites

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.response.body.rewrites

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.response.html.rewrites

Boolean

Lock for the corresponding member.

data[].attributes.locking.application.response.errorPage.rewrites

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.treatPathSegmentsAsParamValues

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.openApiEnforced

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.openApiCheckResponsesEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.openApiDocumentId

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.logOnly

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.openApiPathMatching

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.openApiPublishSpecificationEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.openApiPublishSpecificationPath

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.apiPolicyServiceEnabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.apiPolicyServiceId

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.jsonParser.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.jsonParser.contentTypePattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.replaceWith

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.apiPolicyKeyExtractionQueryParameter.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.apiPolicyKeyExtractionQueryParameter.parameterName

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.apiPolicyKeyExtractionCookie.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.apiSecurity.apiPolicyKeyExtractionCookie.cookieName

Boolean

Lock for the corresponding member.

data[].attributes.locking.dosAttackPrevention.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.dosAttackPrevention.maxRequestsPerInterval

Boolean

Lock for the corresponding member.

data[].attributes.locking.dosAttackPrevention.interval

Boolean

Lock for the corresponding member.

data[].attributes.locking.dosAttackPrevention.whitelistIpPattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.requestBodyStreaming.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.requestBodyStreaming.httpMethodPattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.requestBodyStreaming.pathPattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.requestBodyStreaming.contentTypePattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.icap.request.clientViews

Boolean

Lock for the corresponding member.

data[].attributes.locking.icap.request.backendViews

Boolean

Lock for the corresponding member.

data[].attributes.locking.icap.response.backendViews

Boolean

Lock for the corresponding member.

data[].attributes.locking.icap.response.clientViews

Boolean

Lock for the corresponding member.

data[].attributes.locking.httpParameterPollutionDetection.mixedTypes.enabled

Boolean

Lock for the corresponding member.

data[].attributes.locking.httpParameterPollutionDetection.mixedTypes.logOnly

Boolean

Lock for the corresponding member.

data[].attributes.locking.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern

Boolean

Lock for the corresponding member.

data[].attributes.locking.httpParameterPollutionDetection.sameType.enabled

Boolean

Lock for the corresponding member.

data[].relationships.virtual-hosts.data[]

Array

The virtual-host references.

data[].relationships.virtual-hosts.data[].type

String

The data type of the referenced resource. Must be "virtual-host" for this call.

data[].relationships.virtual-hosts.data[].id

String

The ID of the virtual-host resource.

data[].relationships.back-end-group.data

Object

The back-end-group references.

data[].relationships.back-end-group.data.type

String

The data type of the referenced resource. Must be "back-end-group" for this call.

data[].relationships.back-end-group.data.id

String

The ID of the back-end-group resource.

data[].relationships.openapi-document.data

Object

The openapi-document references.

data[].relationships.openapi-document.data.type

String

The data type of the referenced resource. Must be "openapi-document" for this call.

data[].relationships.openapi-document.data.id

String

The ID of the openapi-document resource.

data[].relationships.ip-address-whitelists.data[]

Array

The ip-address-list references.

data[].relationships.ip-address-whitelists.data[].type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data[].relationships.ip-address-whitelists.data[].id

String

The ID of the ip-address-list resource.

data[].relationships.ip-address-blacklists.data[]

Array

The ip-address-list references.

data[].relationships.ip-address-blacklists.data[].type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data[].relationships.ip-address-blacklists.data[].id

String

The ID of the ip-address-list resource.

data[].relationships.ip-address-blacklist-exceptions.data[]

Array

The ip-address-list references.

data[].relationships.ip-address-blacklist-exceptions.data[].type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data[].relationships.ip-address-blacklist-exceptions.data[].id

String

The ID of the ip-address-list resource.

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/mappings?filter=label%3D%3DmyMappingLabel&filter=entryPath%3D%3D/mymapping/" -i -X GET \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 15794

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:26:34.502+02:00"
  },
  "data" : [ {
    "type" : "mapping",
    "id" : "1",
    "attributes" : {
      "name" : "mymapping",
      "labels" : [ "myMappingLabel" ],
      "tenant" : "",
      "entryPath" : {
        "value" : "/mymapping/",
        "regexFormatEnforced" : false,
        "ignoreCase" : false,
        "priority" : 0
      },
      "backendPath" : "/",
      "threatHandling" : "BLOCK",
      "operationalMode" : "PRODUCTION",
      "enableMaintenancePage" : true,
      "access" : {
        "deniedUrl" : {
          "value" : "/",
          "mode" : "GLOBAL"
        },
        "restrictions" : [ {
          "enabled" : true,
          "httpMethodPattern" : {
            "pattern" : "GET",
            "caseIgnored" : true,
            "inverted" : true
          },
          "entryPathPattern" : {
            "pattern" : "/admin/",
            "caseIgnored" : true,
            "inverted" : true
          },
          "authorizedRoles" : [ "admin" ],
          "authorizedPlans" : [ "android", "ios", "browser" ]
        } ],
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "authenticationFlow" : "REDIRECT",
        "backendLogoutUrl" : "",
        "ntlmPassthroughEnabled" : false,
        "credentialsPropagation" : {
          "mandatory" : false,
          "type" : "NONE"
        },
        "tokensEnabled" : false,
        "tokenTransport" : {
          "presenceMandatoryEnforced" : false,
          "headerExtraction" : {
            "enabled" : false,
            "extractionPattern" : {
              "pattern" : "^Authorization: Bearer (.*)$",
              "caseIgnored" : true
            },
            "replaceWith" : "$1"
          },
          "parameterExtraction" : {
            "enabled" : false,
            "name" : ""
          },
          "cookieExtraction" : {
            "enabled" : false,
            "name" : ""
          }
        },
        "tokenVerification" : {
          "type" : "JWS",
          "jwsAlgorithm" : "RS256",
          "jwsKey" : "",
          "jweAlgorithm" : "A256GCM",
          "jweKey" : "",
          "expiryCheckEnabled" : false,
          "expiryCheckSkew" : 10,
          "extractTechnicalClientIdEnabled" : false,
          "extractTechnicalClientIdName" : "",
          "setAuditTokenFromSubjectEnabled" : false,
          "claimRestrictions" : [ {
            "enabled" : true,
            "name" : "myClaim",
            "restrictionPattern" : {
              "pattern" : "",
              "caseIgnored" : false,
              "inverted" : false
            }
          } ],
          "roleExtractions" : [ {
            "enabled" : true,
            "name" : "myClaim",
            "extractionPattern" : {
              "pattern" : "",
              "caseIgnored" : false
            },
            "replaceWith" : "$1",
            "tokenLifetimeAsRoleLifetimeEnforced" : true
          } ]
        }
      },
      "ipRules" : {
        "ipAddressWhitelists" : {
          "logOnly" : false
        },
        "ipAddressBlacklists" : {
          "logOnly" : false,
          "webrootThreatCategories" : "WEB_ATTACKS"
        },
        "dynamicIpAddressBlacklist" : {
          "enabled" : false,
          "countMode" : "OFF"
        }
      },
      "botManagement" : {
        "clientCookieSupportEnforced" : false,
        "wellKnownBots" : {
          "allowed" : false,
          "sourceDomainEnforced" : false
        },
        "customBots" : {
          "allowed" : false,
          "sourceDomainEnforced" : false,
          "userAgentPattern" : {
            "pattern" : "",
            "caseIgnored" : false,
            "inverted" : false
          },
          "domainPattern" : {
            "pattern" : "",
            "inverted" : false
          }
        }
      },
      "timeouts" : {
        "backend" : 120,
        "sessionIdle" : 0
      },
      "limits" : {
        "general" : {
          "maxRequestBodySize" : 1073741824,
          "maxPathLength" : 1024
        },
        "http" : {
          "maxParameters" : 128,
          "maxParameterNameLength" : 128,
          "maxParameterValueLength" : 1024
        },
        "json" : {
          "enabled" : true,
          "maxKeyLength" : 256,
          "maxValueLength" : 8192,
          "maxNestingDepth" : 100,
          "maxArrayItems" : 500,
          "maxKeys" : 250,
          "maxTotalEntries" : 150000
        }
      },
      "application" : {
        "sessionHandling" : "ENFORCE_SESSION",
        "controlApiAllowed" : false,
        "environmentCookiesEnabled" : false,
        "encryptedCookies" : {
          "enabled" : false,
          "prefix" : ""
        },
        "passthroughCookies" : {
          "enabled" : false,
          "prefix" : ""
        },
        "loadBalancingCookieEnabled" : true,
        "webSocketsAllowed" : false,
        "redirectForErrorPageEnabled" : false,
        "request" : {
          "charset" : "UTF_8_FALLBACK_WINDOWS_1252"
        },
        "response" : {
          "compressionAllowed" : false,
          "stripCommentsEnabled" : true,
          "header" : {
            "location" : {
              "rewrites" : [ {
                "enabled" : true,
                "urlPattern" : {
                  "pattern" : "/",
                  "caseIgnored" : true
                },
                "replaceWith" : "$1"
              } ]
            }
          },
          "json" : {
            "rewrites" : [ {
              "enabled" : true,
              "path" : "json#path",
              "contentPattern" : {
                "pattern" : "a",
                "caseIgnored" : true
              },
              "replaceWith" : "b"
            } ]
          },
          "body" : {
            "rewrites" : [ {
              "enabled" : true,
              "contentType" : "application/json",
              "contentPattern" : {
                "pattern" : "a",
                "caseIgnored" : true
              },
              "replaceWith" : "b"
            } ]
          },
          "html" : {
            "rewrites" : [ {
              "enabled" : true,
              "urlPattern" : {
                "pattern" : "a",
                "caseIgnored" : true
              },
              "uris" : true,
              "events" : true,
              "embedded" : true,
              "replaceWith" : "b"
            } ]
          },
          "errorPage" : {
            "rewrites" : [ {
              "enabled" : true,
              "statusContentPattern" : "^5(?!02|03)..$",
              "replaceWith" : "500.html"
            } ]
          }
        }
      },
      "apiSecurity" : {
        "treatPathSegmentsAsParamValues" : true,
        "jsonParser" : {
          "enabled" : false,
          "contentTypePattern" : {
            "pattern" : "",
            "caseIgnored" : true,
            "inverted" : false
          }
        },
        "openApiEnforced" : true,
        "openApiCheckResponsesEnabled" : false,
        "logOnly" : false,
        "openApiPathMatching" : "ClientView",
        "openApiPublishSpecificationEnabled" : true,
        "openApiPublishSpecificationPath" : "path/to/apiSpecification.json",
        "apiPolicyServiceEnabled" : true,
        "apiPolicyServiceId" : 60,
        "apiPolicyKeyExtractionHeader" : {
          "enabled" : true,
          "extractionPattern" : {
            "pattern" : "^Api-Key: (.*)$",
            "caseIgnored" : false,
            "inverted" : false
          },
          "replaceWith" : "$1"
        },
        "apiPolicyKeyExtractionQueryParameter" : {
          "enabled" : false,
          "parameterName" : "api_key"
        },
        "apiPolicyKeyExtractionCookie" : {
          "enabled" : false,
          "cookieName" : "ApiKey"
        }
      },
      "dosAttackPrevention" : {
        "enabled" : false,
        "maxRequestsPerInterval" : 500,
        "interval" : 60,
        "whitelistIpPattern" : {
          "pattern" : "^$",
          "inverted" : false
        }
      },
      "requestBodyStreaming" : {
        "enabled" : false,
        "httpMethodPattern" : {
          "pattern" : "",
          "caseIgnored" : false,
          "inverted" : false
        },
        "pathPattern" : {
          "pattern" : "",
          "caseIgnored" : false,
          "inverted" : false
        },
        "contentTypePattern" : {
          "pattern" : "",
          "caseIgnored" : true,
          "inverted" : false
        }
      },
      "httpParameterPollutionDetection" : {
        "mixedTypes" : {
          "enabled" : true,
          "logOnly" : false,
          "parameterNameExceptionPattern" : {
            "pattern" : "",
            "caseIgnored" : false,
            "inverted" : false
          }
        },
        "sameType" : {
          "enabled" : true
        }
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      },
      "locking" : {
        "enabled" : false,
        "labels" : false,
        "access" : {
          "deniedUrl" : {
            "value" : false,
            "mode" : false
          },
          "restrictions" : false,
          "clientCertificateAuthentication" : false,
          "authenticationFlow" : false,
          "backendLogoutUrl" : false,
          "ntlmPassthroughEnabled" : false,
          "credentialsPropagation" : {
            "mandatory" : false,
            "type" : false
          },
          "tokensEnabled" : false,
          "tokenVerification" : {
            "type" : false,
            "jwsAlgorithm" : false,
            "jwsKey" : false,
            "jweAlgorithm" : false,
            "jweKey" : false,
            "expiryCheckEnabled" : false,
            "expiryCheckSkew" : false,
            "claimRestrictions" : false,
            "roleExtractions" : false,
            "extractTechnicalClientIdEnabled" : false,
            "extractTechnicalClientIdName" : false,
            "setAuditTokenFromSubjectEnabled" : false
          },
          "tokenTransport" : {
            "presenceMandatoryEnforced" : false,
            "headerExtraction" : {
              "enabled" : false,
              "extractionPattern" : false,
              "replaceWith" : false
            },
            "parameterExtraction" : {
              "enabled" : false,
              "name" : false
            },
            "cookieExtraction" : {
              "enabled" : false,
              "name" : false
            }
          }
        },
        "entryPath" : {
          "settings" : true,
          "regexFormatEnforced" : true,
          "priority" : false
        },
        "backendPath" : true,
        "threatHandling" : false,
        "operationalMode" : false,
        "enableMaintenancePage" : false,
        "ipRules" : {
          "ipAddressWhitelists" : {
            "logOnly" : false
          },
          "ipAddressBlacklists" : {
            "logOnly" : false
          },
          "dynamicIpAddressBlacklist" : {
            "enabled" : false,
            "countMode" : false
          }
        },
        "botManagement" : {
          "clientCookieSupportEnforced" : false,
          "wellKnownBots" : {
            "allowed" : false,
            "sourceDomainEnforced" : false
          },
          "customBots" : {
            "allowed" : false,
            "sourceDomainEnforced" : false,
            "userAgentPattern" : false,
            "domainPattern" : false
          }
        },
        "timeouts" : {
          "backend" : false,
          "sessionIdle" : false
        },
        "limits" : {
          "general" : {
            "maxRequestBodySize" : true,
            "maxPathLength" : true
          },
          "http" : {
            "maxParameters" : false,
            "maxParameterNameLength" : false,
            "maxParameterValueLength" : false
          },
          "json" : {
            "enabled" : false,
            "maxKeyLength" : false,
            "maxValueLength" : false,
            "maxNestingDepth" : false,
            "maxArrayItems" : false,
            "maxKeys" : false,
            "maxTotalEntries" : false
          }
        },
        "application" : {
          "sessionHandling" : false,
          "controlApiAllowed" : false,
          "environmentCookiesEnabled" : false,
          "encryptedCookies" : {
            "enabled" : false,
            "prefix" : false
          },
          "passthroughCookies" : {
            "enabled" : false,
            "prefix" : false
          },
          "loadBalancingCookieEnabled" : false,
          "webSocketsAllowed" : false,
          "redirectForErrorPageEnabled" : false,
          "request" : {
            "charset" : false
          },
          "response" : {
            "compressionAllowed" : false,
            "stripCommentsEnabled" : false,
            "header" : {
              "location" : {
                "rewrites" : false
              }
            },
            "json" : {
              "rewrites" : false
            },
            "body" : {
              "rewrites" : false
            },
            "html" : {
              "rewrites" : false
            },
            "errorPage" : {
              "rewrites" : false
            }
          }
        },
        "apiSecurity" : {
          "treatPathSegmentsAsParamValues" : false,
          "jsonParser" : {
            "enabled" : false,
            "contentTypePattern" : false
          },
          "openApiEnforced" : false,
          "openApiCheckResponsesEnabled" : false,
          "openApiDocumentId" : false,
          "logOnly" : false,
          "openApiPathMatching" : false,
          "openApiPublishSpecificationEnabled" : false,
          "openApiPublishSpecificationPath" : false,
          "apiPolicyServiceEnabled" : false,
          "apiPolicyServiceId" : false,
          "apiPolicyKeyExtractionHeader" : {
            "enabled" : false,
            "extractionPattern" : false,
            "replaceWith" : false
          },
          "apiPolicyKeyExtractionQueryParameter" : {
            "enabled" : false,
            "parameterName" : false
          },
          "apiPolicyKeyExtractionCookie" : {
            "enabled" : false,
            "cookieName" : false
          }
        },
        "dosAttackPrevention" : {
          "enabled" : false,
          "maxRequestsPerInterval" : false,
          "interval" : false,
          "whitelistIpPattern" : false
        },
        "requestBodyStreaming" : {
          "enabled" : false,
          "httpMethodPattern" : false,
          "pathPattern" : false,
          "contentTypePattern" : false
        },
        "httpParameterPollutionDetection" : {
          "mixedTypes" : {
            "enabled" : false,
            "logOnly" : false,
            "parameterNameExceptionPattern" : false
          },
          "sameType" : {
            "enabled" : false
          }
        },
        "icap" : {
          "request" : {
            "clientViews" : false,
            "backendViews" : false
          },
          "response" : {
            "backendViews" : false,
            "clientViews" : false
          }
        }
      }
    },
    "relationships" : {
      "back-end-group" : {
        "data" : {
          "type" : "back-end-group",
          "id" : "30"
        }
      },
      "virtual-hosts" : {
        "data" : [ {
          "type" : "virtual-host",
          "id" : "40"
        } ]
      },
      "openapi-document" : {
        "data" : {
          "type" : "openapi-document",
          "id" : "50"
        }
      }
    }
  } ]
}
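The `locking` object mirrors the attribute tree with one Boolean per member, so a short script can list the locked members of each mapping and flag attribute values that this reference itself describes as weakening protection. The following is an added example, not part of the Airlock documentation; the function names, the constructed sample response and the treatment of the top-level `locking.enabled` flag as a switch rather than a member lock are assumptions.

```python
import json

# Constructed sample in the shape of the documented response (two mappings,
# trimmed to the fields the audit reads). Values are illustrative only.
SAMPLE_RESPONSE = json.loads("""
{
  "meta": {"type": "jsonapi.metadata.document"},
  "data": [
    {"type": "mapping", "id": "1", "attributes": {
      "name": "mymapping",
      "threatHandling": "BLOCK",
      "operationalMode": "PRODUCTION",
      "access": {"clientCertificateAuthentication": "NOT_REQUIRED",
                 "ntlmPassthroughEnabled": false},
      "locking": {
        "enabled": false,
        "entryPath": {"settings": true, "regexFormatEnforced": true,
                      "priority": false},
        "backendPath": true,
        "limits": {"general": {"maxRequestBodySize": true,
                               "maxPathLength": true}}}}},
    {"type": "mapping", "id": "2", "attributes": {
      "name": "legacy",
      "threatHandling": "NOTIFY",
      "operationalMode": "INTEGRATION",
      "access": {"clientCertificateAuthentication": "OPTIONAL",
                 "ntlmPassthroughEnabled": true},
      "locking": {"enabled": false, "threatHandling": false}}}
  ]
}
""")

# (attribute path, value to flag, reason paraphrased from the field descriptions)
REVIEW_RULES = [
    ("threatHandling", "NOTIFY",
     "violating requests are logged and notified, not blocked"),
    ("operationalMode", "INTEGRATION",
     "logs more about all requests and responses, may decrease performance"),
    ("access.clientCertificateAuthentication", "OPTIONAL",
     "should only be used with an additional authentication service check"),
    ("access.ntlmPassthroughEnabled", True,
     "NTLM has well-known security flaws"),
]


def get_path(obj, dotted):
    """Follow a dotted path through nested dicts; None if any part is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def locked_members(locking, prefix="locking"):
    """Return the sorted dotted paths of every member whose lock is true."""
    paths = []
    for key, value in locking.items():
        path = f"{prefix}.{key}"
        if isinstance(value, dict):
            paths.extend(locked_members(value, path))
        elif value is True:
            paths.append(path)
    return sorted(paths)


def matches(value, expected):
    """Compare strictly so that 1 is never mistaken for the Boolean true."""
    if isinstance(expected, bool):
        return value is expected
    return value == expected


def audit_mappings(document):
    """Audit a 'mappings' (data is a list) or 'mapping' (data is an object) reply."""
    data = document.get("data", [])
    if isinstance(data, dict):
        data = [data]
    report = []
    for resource in data:
        if resource.get("type") != "mapping":
            continue
        attrs = resource.get("attributes", {})
        locking = dict(attrs.get("locking", {}))
        # Assumption: the top-level flag is not a lock on an attribute member.
        locking_enabled = locking.pop("enabled", False)
        findings = [
            {"path": path, "value": flagged, "reason": reason}
            for path, flagged, reason in REVIEW_RULES
            if matches(get_path(attrs, path), flagged)
        ]
        report.append({
            "id": resource.get("id"),
            "name": attrs.get("name"),
            "locking_enabled": locking_enabled,
            "locked": locked_members(locking),
            "findings": findings,
        })
    return report


if __name__ == "__main__":
    for entry in audit_mappings(SAMPLE_RESPONSE):
        print(f"mapping {entry['id']} ({entry['name']})")
        for path in entry["locked"]:
            print(f"  locked:  {path}")
        for finding in entry["findings"]:
            print(f"  review:  {finding['path']} = {finding['value']!r}"
                  f" ({finding['reason']})")
```

To run it against a live system, save the body of the documented GET call (without the `-i` header output) to a file and pass the parsed JSON to `audit_mappings`.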

Access a Mapping

GET /configuration/mappings/{id}

Accept application/json

Request Structure

Parameter Description Required

id

The ID of the element to access.

yes

Response structure

Path Type Description

meta.type

String

The JSON API meta type, which is: "jsonapi.metadata.document"

meta.timestamp

String

The current server time as a timestamp.

data.type

String

The data type of the resource. Must be "mapping" for this call.

data.id

String

The ID of the resource to be addressed.

data.attributes.name

String

The unique name of the mapping.

data.attributes.labels

Array

Assigned Labels (freely defined textual tags). Labels allow grouping of mappings with a common aspect, e.g., all mappings belonging to the same application.

data.attributes.tenant

String

Tenant of the mapping.

data.attributes.backendPath

String

The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server.

data.attributes.threatHandling

String

Defines how policy violations, e.g., missing allow rules, matching deny rules, URL encryption and form protection violations, are handled. Allowed values are: BLOCK, TERMINATE_SESSION, NOTIFY. Effects of the different values: BLOCK: Requests violating policies are blocked. The session (if available) remains valid. TERMINATE_SESSION: Requests violating policies are blocked. The session (if available) is terminated. NOTIFY: Requests violating policies are not blocked. The violation is logged and notified.

data.attributes.operationalMode

String

Specifies whether this mapping runs in standard "Production" mode or in the so-called "Integration" mode. In Integration mode, Airlock WAF logs more information about all requests and responses (which may decrease Airlock WAF’s performance). Allowed values are: PRODUCTION, INTEGRATION.

data.attributes.enableMaintenancePage

Boolean

Enable maintenance page.

data.attributes.entryPath.value

String

The entry path specifies the external URL path the mapping should be available under. For each incoming request, Airlock WAF compares the URL with the entry path to find the right mapping.

data.attributes.entryPath.regexFormatEnforced

Boolean

Whether the entry path (the external URL path of the mapping) should be interpreted as a regular expression or not.

data.attributes.entryPath.ignoreCase

Boolean

Whether the entry path should be case sensitive.

data.attributes.entryPath.priority

Number

The priority is an integer number that specifies the importance (or order) of a mapping. It has been introduced to guarantee a deterministic selection of the mapping for a given request path. The value can be between -999 (highest priority) and 999 (lowest priority). The priority must be unique among all regular expression mappings. Only non regular expression mappings may share the same priority. In this case, the directories are ordered by length, i.e. the longest match wins.

data.attributes.access.clientCertificateAuthentication

String

Specifies whether accessing this mapping requires the client to authenticate with a valid SSL client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED. Description of the values: NOT_REQUIRED: The mapping uses the client certificate settings of the virtual host. OPTIONAL: The client may send a certificate if available, but access is still allowed without. The optional setting is normally used in combination with an authentication service that presents an alternative login page if no certificate is sent. You should not use the 'optional' setting without this additional authentication service check. REQUIRED: The client must send a valid certificate. If no client certificate is sent, the SSL handshake is cancelled and the browser typically presents the user with a technical error message.

data.attributes.access.authenticationFlow

String

Allowed values are: REDIRECT, DENY_ACCESS, ONE_SHOT, ONE_SHOT_WITH_BODY, FRONT_SIDE_NTLM. Description: REDIRECT: If the required role for the mapping is missing on the current session, Airlock WAF will send a redirect (HTTP 303) to either the global or the custom denied access URL. This mode is typically used in conjunction with user operated clients. DENY_ACCESS: Airlock WAF will directly send an access denied (HTTP 403) response to the client if the required role is missing. This is typically used for technical clients. ONE_SHOT: When this option is selected and Airlock WAF receives an incoming request for this mapping that needs to be authenticated, Airlock WAF implicitly (without redirect) forwards the request to the configured denied access URL for this mapping. The request headers are forwarded but no request body. After the forwarded request, Airlock WAF checks again if the session is now authenticated. If so, the original request is passed to the back-end server (successful one-shot authentication). If the session does not have the required credentials even after the one-shot request, Airlock WAF will send an access denied (HTTP 403) response to the client. ONE_SHOT_WITH_BODY: This is the same as with the "one-shot" option with two notable differences: The whole body of the request is also sent to the denied access URL for this mapping and the request method is always POST instead of GET. FRONT_SIDE_NTLM: Choose the front-side NTLM authentication flow to support authentication using NTLM. The front-side NTLM authentication flow is similar to the "one-shot" authentication flow, but also forwards all requests containing an "Authorization" header with value "NTLM .*" to the denied access URL. For successful authentication, NTLM must be supported by the authentication service.

data.attributes.access.backendLogoutUrl

String

Whenever an Airlock WAF session terminates (either due to an explicit logout by the user or due to a session timeout), Airlock WAF will call the given, unmodified path on the currently used back-end host with all information concerning this back-end application such as cookies, headers, etc. to allow clean session termination on the backend host.

data.attributes.access.ntlmPassthroughEnabled

Boolean

Enables Airlock WAF to handle HTTP connections with transparent client to back-end NTLM authentication. Since the authorization of NTLM authenticated connections is bound to the underlying TCP connection, the client and back-end connections are correlated as soon as an NTLM handshake is detected. These one-to-one bindings of client and back-end connections exist until client connections are closed. It is guaranteed that no back-end connection authenticated using NTLM is ever reused by another client connection. NTLM has well-known security flaws. We strongly recommend adding additional security measures when exposing NTLM authentication to the Internet. If possible, Kerberos should be preferred over NTLM, as suggested by Microsoft.

data.attributes.access.tokensEnabled

Boolean

Whether access tokens should be processed.

data.attributes.access.restrictions[].enabled

Boolean

Controls whether access restriction is used or not.

data.attributes.access.restrictions[].httpMethodPattern.pattern

String

The actual pattern.

data.attributes.access.restrictions[].httpMethodPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.restrictions[].httpMethodPattern.inverted

Boolean

Whether to invert the match.

data.attributes.access.restrictions[].entryPathPattern.pattern

String

The actual pattern.

data.attributes.access.restrictions[].entryPathPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.restrictions[].entryPathPattern.inverted

Boolean

Whether to invert the match.

data.attributes.access.restrictions[].authorizedRoles[]

Array

Specifies a list of mandatory roles. Only sessions which have at least one of these roles will be able to access the service.

data.attributes.access.restrictions[].authorizedPlans[]

Array

Specifies a list of mandatory plans. Only sessions which have at least one of these plans will be able to access the service.

data.attributes.access.deniedUrl.value

String

Defines the location (URL) of the authentication service. In case the required role for the mapping is missing on the current session, Airlock WAF will redirect the client to this location.

data.attributes.access.deniedUrl.mode

String

Use Global (default) uses the global denied access URL as configured under the menu Application Firewall - Session - Access Control. Custom uses a mapping-specific denied access URL. Allowed values are: GLOBAL, CUSTOM

data.attributes.access.credentialsPropagation.mandatory

Boolean

If true and the selected SSO credentials are missing, access to the mapping is denied and Airlock WAF will redirect to either the global or the custom denied access URL.

data.attributes.access.credentialsPropagation.type

String

Defines whether SSO credentials set by the control API will be forwarded to the back-end application. These credentials are typically set by the authentication service upon successful authentication. Allowed values are: NONE, BASIC_AUTH, KERBEROS, NTLM. Description of the values: NONE: Even if Basic-Auth or NTLM credentials set by the control API are present, Airlock WAF will not forward them to the back-end application. Access to the mapping is granted without any SSO credentials. BASIC_AUTH: If Basic-Auth credentials set by the control API are present, Airlock WAF will forward them to the back-end application. KERBEROS: If a Kerberos user is set by the control API, Airlock WAF will acquire and send a service ticket to the back-end application. NTLM: If NTLM credentials set by the control API are present, Airlock WAF will forward them to the back-end application.

data.attributes.access.tokenTransport.presenceMandatoryEnforced

Boolean

If not enforced, requests without a token are accepted. However, if a token is present, it is extracted and validated and the configured restrictions and role extractions are applied.

data.attributes.access.tokenTransport.headerExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific header.

data.attributes.access.tokenTransport.headerExtraction.extractionPattern.pattern

String

The actual pattern.

data.attributes.access.tokenTransport.headerExtraction.extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.tokenTransport.headerExtraction.replaceWith

String

The rewrite expression for the header extraction.

data.attributes.access.tokenTransport.parameterExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific query parameter.

data.attributes.access.tokenTransport.parameterExtraction.name

String

Specifies the name of the query parameter.

data.attributes.access.tokenTransport.cookieExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific cookie.

data.attributes.access.tokenTransport.cookieExtraction.name

String

Specifies the name of the cookie.

data.attributes.access.tokenVerification.type

String

Airlock supports three types of JWT tokens. Allowed values are: JWS, JWE, JWS_JWE

data.attributes.access.tokenVerification.jwsAlgorithm

String

Supported algorithms. Allowed values are: HS_256, HS_384, HS_512, RS_256, RS_384, RS_512, PS_256, PS_384, PS_512

data.attributes.access.tokenVerification.jwsKey

String

A public key in x509 format or the passphrase, depending on the selected algorithm.

data.attributes.access.tokenVerification.jweAlgorithm

String

Supported algorithms. Allowed values are: A_128_CBC_HS_256, A_192_CBC_HS_384, A_256_CBC_HS_512, A_256_GCM

data.attributes.access.tokenVerification.jweKey

String

Your secret passphrase for the symmetric encryption.

data.attributes.access.tokenVerification.expiryCheckEnabled

Boolean

If enabled the JWT standard claims expiry (exp) and not before (nbf) will be checked and must be valid.

data.attributes.access.tokenVerification.expiryCheckSkew

Number

The allowed skew when checking expiry / not before in seconds. This can be used if verification fails because of time synchronization issues with the token issuer and your Airlock WAF.

data.attributes.access.tokenVerification.claimRestrictions[].enabled

Boolean

Enable/disable this claim extraction rule.

data.attributes.access.tokenVerification.claimRestrictions[].name

String

Name of the claim you want to restrict.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.pattern

String

The actual pattern.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.inverted

Boolean

Whether to invert the match.

data.attributes.access.tokenVerification.roleExtractions[].enabled

Boolean

Enable/disable this claim extraction rule.

data.attributes.access.tokenVerification.roleExtractions[].name

String

Name of the claim you want to extract a role from.

data.attributes.access.tokenVerification.roleExtractions[].extractionPattern.pattern

String

The actual pattern.

data.attributes.access.tokenVerification.roleExtractions[].extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.tokenVerification.roleExtractions[].replaceWith

String

The rewrite expression of the role.

data.attributes.access.tokenVerification.roleExtractions[].tokenLifetimeAsRoleLifetimeEnforced

Boolean

If enforced the expiry claim (exp) of the JWT will be used as the role lifetime.

data.attributes.access.tokenVerification.extractTechnicalClientIdEnabled

Boolean

Extract a technical client ID from JWT.

data.attributes.access.tokenVerification.extractTechnicalClientIdName

String

Name of the claim to extract as technical client ID.

data.attributes.access.tokenVerification.setAuditTokenFromSubjectEnabled

Boolean

Extract the 'sub' claim from the JWT and use its value as audit token of the current Airlock WAF session.

data.attributes.ipRules.ipAddressWhitelists.logOnly

Boolean

If true requests whose source IP address is not contained in one of the configured IP Whitelists are only logged but not blocked.

data.attributes.ipRules.ipAddressBlacklists.logOnly

Boolean

If true requests whose source IP address is contained in one of the configured IP Blacklists are only logged but not blocked.

data.attributes.ipRules.ipAddressBlacklists.webrootThreatCategories

String

Defines which threat categories should be blocked. Allowed values are: SPAM_SOURCES, WINDOWS_EXPLOITS, WEB_ATTACKS, BOT_NETS, SCANNERS, DENIAL_OF_SERVICE, PHISHING, PROXY, MOBILE_THREATS, TOR_PROXY. Threat categories blocked through the different values: SPAM_SOURCES: The Spam Sources category includes IP addresses involved in tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities. WINDOWS_EXPLOITS: The Windows Exploits category includes IP addresses participating in the distribution of malware, shell code, rootkits, worms or viruses for Windows platforms. WEB_ATTACKS: The Web Attacks category includes IP addresses using cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force attacks to target vulnerabilities on a web server. BOT_NETS: The Botnets category includes IP addresses acting as Botnet Command and Control (C&C) centers, and infected zombie machines controlled by the C&C servers. SCANNERS: The Scanners category includes IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning and brute force login attempts. DENIAL_OF_SERVICE: The Denial of Services category includes IP addresses involved in DOS or DDOS attacks, anomalous sync flood, or anomalous traffic. PHISHING: The Phishing category includes IP addresses hosting phishing sites and sites related to other kinds of fraudulent activities. PROXY: The Proxy category includes IP addresses providing proxy services, including both VPN and open web proxy services. MOBILE_THREATS: The Mobile Threats category includes IP addresses associated with malicious and unwanted mobile applications. TOR_PROXY: The Tor Proxy category includes IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.

data.attributes.ipRules.dynamicIpAddressBlacklist.enabled

Boolean

Enables blocking of IPs on the dynamic IP address blacklist.

data.attributes.ipRules.dynamicIpAddressBlacklist.countMode

String

Defines the counting mode of blocks for the dynamic IP blacklist. Allowed values are: OFF, ALL, DENY_RULES_ONLY. The following count modes are available: OFF: Blocks on this mapping are not counted for the dynamic IP address blacklist. ALL: All blocks on this mapping are counted for the dynamic IP address blacklist. DENY_RULES_ONLY: Only deny rule blocks on this mapping are counted for the dynamic IP address blacklist.

data.attributes.botManagement.clientCookieSupportEnforced

Boolean

If enabled, only clients implementing a Cookie-Store will be able to access the application through this mapping. In contrast to regular browsers, most bots do not implement a Cookie-Store and will therefore be blocked if this setting is enabled.

data.attributes.botManagement.wellKnownBots.allowed

Boolean

Check the User-Agent to determine if a bot is well-known and do not block such bots. Clients indicating one of the following User-Agent headers are treated as well-known bots: Googlebot, bingbot, MSNBot, Baiduspider, YandexBot, archive.org_bot, DuckDuckBot.

data.attributes.botManagement.wellKnownBots.sourceDomainEnforced

Boolean

If enabled, a reverse IP lookup for well-known bots is performed to verify that the client’s IP address belongs to the operator of a well-known bot. This prevents bots from pretending to be a well-known bot by sending a fake "User-Agent" header. The following domains are considered as domains of operators operating well-known bots: google.com, googlebot.com, search.msn.com, yahoo.net, baidu.com, baidu.jp, yandex.ru, yandex.net, yandex.com, archive.org, amazonaws.com (107.20.237.51, 23.21.226.191, 107.21.1.8, 54.208.102.37)

data.attributes.botManagement.customBots.allowed

Boolean

If enabled custom bots are not blocked. Custom bots are identified by providing a "User-Agent" and "Domain" pattern.

data.attributes.botManagement.customBots.sourceDomainEnforced

Boolean

Do not block bots whose source-domain matches the "domain pattern".

data.attributes.botManagement.customBots.userAgentPattern.pattern

String

The actual pattern.

data.attributes.botManagement.customBots.userAgentPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.botManagement.customBots.userAgentPattern.inverted

Boolean

Whether to invert the match.

data.attributes.botManagement.customBots.domainPattern.pattern

String

The actual pattern.

data.attributes.botManagement.customBots.domainPattern.inverted

Boolean

Whether to invert the match.

data.attributes.timeouts.backend

Number

Defines the time (seconds) Airlock WAF will wait for the back-end response. In case the request runs into the timeout, Airlock WAF will send a redirect to the HTTP 503 Service unavailable error page with the corresponding HTTP 503 status code. If In-band Health Checks are configured, then such a request will be counted as a failed request, potentially leading to the back-end server being marked as bad.

data.attributes.timeouts.sessionIdle

Number

Defines the minimum session idle time (seconds) of Airlock WAF for this mapping. The value will be ignored if the minimum session idle timeout is smaller than or equal to the global session idle timeout setting.

data.attributes.limits.general.maxRequestBodySize

Number

This field limits the total size of the request body. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in a request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once.

data.attributes.limits.general.maxPathLength

Number

Defines the maximum path length for requests to the current mapping (default: max 1024 bytes).

data.attributes.limits.http.maxParameters

Number

Defines the maximum number of parameters inside the request (default: max 128 parameters).

data.attributes.limits.http.maxParameterNameLength

Number

Defines the maximum length for a parameter name (default: max 128 bytes).

data.attributes.limits.http.maxParameterValueLength

Number

Defines the maximum length for a parameter value (default: max 1024 bytes).

data.attributes.limits.json.enabled

Boolean

Whether JSON limits are enabled.

data.attributes.limits.json.maxKeyLength

Number

Defines the maximum length for a JSON key, also known as "JSON property" or "JSON object member" (default: max 256 bytes).

data.attributes.limits.json.maxValueLength

Number

Defines the maximum JSON value length for requests to the current mapping (default: max 8192 bytes).

data.attributes.limits.json.maxNestingDepth

Number

Defines the maximum depth of nesting for JSON objects and JSON arrays (default: max 100).

data.attributes.limits.json.maxKeys

Number

Defines the maximum number of keys of a single JSON object (non-recursive, default: max 250).

data.attributes.limits.json.maxArrayItems

Number

Defines the maximum number of items for a single JSON array (non-recursive, default: max 500).

data.attributes.limits.json.maxTotalEntries

Number

Defines the maximum number of keys and array items in the whole JSON document (recursive, default: max 150000).
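The following added example (not part of the Airlock documentation and not Airlock's implementation) applies the six JSON limits above, with their documented defaults, to a parsed document, to show the difference between the non-recursive limits (maxKeys, maxArrayItems) and the recursive maxTotalEntries. Assumptions: the top-level container counts as nesting depth 1, lengths are measured in UTF-8 bytes, and maxValueLength is applied to string values only.

```python
import json

# Defaults quoted from the field descriptions above.
DEFAULT_LIMITS = {
    "maxKeyLength": 256,       # bytes per JSON key
    "maxValueLength": 8192,    # bytes per JSON value
    "maxNestingDepth": 100,    # nested objects/arrays
    "maxKeys": 250,            # keys of a single object (non-recursive)
    "maxArrayItems": 500,      # items of a single array (non-recursive)
    "maxTotalEntries": 150000, # keys + array items in the whole document
}


def check_json_limits(document, limits=None):
    """Return a list of (limit_name, json_path, observed_value) violations.

    `document` is an already parsed JSON value; `limits` overrides defaults.
    """
    lim = {**DEFAULT_LIMITS, **(limits or {})}
    violations = []
    total_entries = 0
    # Iterative walk: a hostile, deeply nested document must not be able to
    # exhaust the checker's own call stack.
    stack = [(document, "$", 1)]  # assumption: top-level container is depth 1
    while stack:
        node, path, depth = stack.pop()
        if isinstance(node, (dict, list)):
            if depth > lim["maxNestingDepth"]:
                violations.append(("maxNestingDepth", path, depth))
                continue  # do not descend into an over-deep branch
            total_entries += len(node)  # recursive counter
        if isinstance(node, dict):
            if len(node) > lim["maxKeys"]:
                violations.append(("maxKeys", path, len(node)))
            for key, value in node.items():
                key_len = len(key.encode("utf-8"))
                if key_len > lim["maxKeyLength"]:
                    violations.append(("maxKeyLength", path, key_len))
                stack.append((value, path + "." + key, depth + 1))
        elif isinstance(node, list):
            if len(node) > lim["maxArrayItems"]:
                violations.append(("maxArrayItems", path, len(node)))
            for index, item in enumerate(node):
                stack.append((item, "%s[%d]" % (path, index), depth + 1))
        elif isinstance(node, str):
            # assumption: only string values are length-checked
            value_len = len(node.encode("utf-8"))
            if value_len > lim["maxValueLength"]:
                violations.append(("maxValueLength", path, value_len))
    if total_entries > lim["maxTotalEntries"]:
        violations.append(("maxTotalEntries", "$", total_entries))
    return violations


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    too_deep = json.loads("[" * 101 + "]" * 101)
    print(check_json_limits(too_deep)[0][0])
    # Each array is below maxArrayItems, yet the document as a whole exceeds
    # a (lowered) maxTotalEntries: 3 keys + 3 * 400 items = 1203 entries.
    wide = {"a": [0] * 400, "b": [0] * 400, "c": [0] * 400}
    print(check_json_limits(wide, {"maxTotalEntries": 1000}))
```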

data.attributes.application.sessionHandling

String

Allowed values are: ENFORCE_SESSION, OPTIONAL_SESSION, OPTIONAL_SESSION_NO_REFRESH, IGNORE_SESSION. The different modes have the following effects: ENFORCE_SESSION: Sessions are enforced. If no session is available a new session is created. OPTIONAL_SESSION: Sessions are optional. Existing sessions are used. If no session is available no session is used. OPTIONAL_SESSION_NO_REFRESH: Same as "OPTIONAL_SESSION" but without refreshing session access timestamps. That is, requests use existing sessions if available but do not reset session idle times. IGNORE_SESSION: Session handling is disabled. No sessions are created and existing sessions are ignored. This mode improves performance for delivery of anonymous stateless content, such as image directories or static web repositories.

data.attributes.application.controlApiAllowed

Boolean

Specifies whether this service is allowed to use Airlock WAF’s back-end API via the control cookie mechanism. Normally, only the authentication application should be allowed to use the back-end control API of Airlock WAF.

data.attributes.application.environmentCookiesEnabled

Boolean

Specifies whether this service should receive the Airlock WAF environment cookies that contain useful information about the connection to the client.

data.attributes.application.loadBalancingCookieEnabled

Boolean

If enabled, load balancing information is sent to the client in a load balancing cookie. Disable if no load balancing is needed and no cookie should be generated for this purpose.

data.attributes.application.webSocketsAllowed

Boolean

Enables support for WebSockets protocol as defined in RFC 6455.

data.attributes.application.redirectForErrorPageEnabled

Boolean

If enabled Airlock WAF will deliver error pages by sending a HTTP redirect pointing to the error page to its clients. Otherwise the error page will be directly returned.

data.attributes.application.encryptedCookies.enabled

Boolean

Enables encryption of cookies which are sent to the client.

data.attributes.application.encryptedCookies.prefix

String

Regular expression for cookies that should be cryptographically encrypted before being sent to the client. All cookies that have names which match the regular expression are encrypted and digitally signed with a secret key derived from a pass phrase when sent to the client. They are decrypted and verified when sent to the back-end service. Because the pass-phrase-based key is used, such cookies are valid over several sessions and can also be persistent on the client’s machine. Such cookies protect the application from manipulated cookie contents and hide the content from the user.

data.attributes.application.passthroughCookies.enabled

Boolean

Enables 'Passthrough Cookies'. Passthrough Cookies are cookies which are sent in plain format to the client.

data.attributes.application.passthroughCookies.prefix

String

Regular expression to select cookies that should be treated as 'Passthrough Cookies'. Passthrough cookies are not recommended because they are often a carrier for cookie poisoning based web application attacks that can result in buffer overflows etc.

data.attributes.application.request.charset

String

Parameter values that are sent in HTTP requests from the client are interpreted by Airlock WAF as if they were encoded using the given charset. If Airlock WAF detects that the charset does not match it tries to use the fallback charset.

data.attributes.application.response.compressionAllowed

Boolean

Specifies whether Airlock WAF should compress the output on-the-fly for the client browser (if supported and requested by the browser). Warning: Allowing compression for data served through SSL/TLS virtual hosts may affect the secrecy of the data.

data.attributes.application.response.stripCommentsEnabled

Boolean

If enabled, Airlock WAF removes HTML comments.

data.attributes.application.response.header.location.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.header.location.rewrites[].urlPattern.pattern

String

The actual pattern.

data.attributes.application.response.header.location.rewrites[].urlPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.header.location.rewrites[].replaceWith

String

This is the target string which will replace the string matched by URL pattern.

data.attributes.application.response.json.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.json.rewrites[].path

String

A response from the back-end server is rewritten only if the JSON path matches this regular expression.

data.attributes.application.response.json.rewrites[].contentPattern.pattern

String

The actual pattern.

data.attributes.application.response.json.rewrites[].contentPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.json.rewrites[].replaceWith

String

This is the target string which will replace the string matched by Content Pattern.

data.attributes.application.response.body.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.body.rewrites[].contentType

String

A response from the back-end server is rewritten only if the response header Content-Type matches this regular expression.

data.attributes.application.response.body.rewrites[].contentPattern.pattern

String

The actual pattern.

data.attributes.application.response.body.rewrites[].contentPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.body.rewrites[].replaceWith

String

This is the target string which will replace the string matched by Content Pattern.

data.attributes.application.response.html.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.html.rewrites[].urlPattern.pattern

String

The actual pattern.

data.attributes.application.response.html.rewrites[].urlPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.html.rewrites[].uris

Boolean

Apply rule to linked HTML elements like href, src, etc.

data.attributes.application.response.html.rewrites[].events

Boolean

Apply rule to JavaScript event strings such as onsubmit, onload, etc.

data.attributes.application.response.html.rewrites[].embedded

Boolean

Apply rule to <script> and <style> blocks embedded in the HTML page.

data.attributes.application.response.html.rewrites[].replaceWith

String

This is the target string which will replace the string matched by URL Pattern.

data.attributes.application.response.errorPage.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.errorPage.rewrites[].statusContentPattern

String

The HTTP status code pattern.

data.attributes.application.response.errorPage.rewrites[].replaceWith

String

This is the target string which will replace the string matched by HTTP status content pattern.

data.attributes.apiSecurity.treatPathSegmentsAsParamValues

Boolean

If enabled each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it.

data.attributes.apiSecurity.openApiEnforced

Boolean

Specifies whether traffic to/from this service shall be checked against an API specification provided in the OpenAPI format. If enforced traffic not conforming to the API specification will be blocked.

data.attributes.apiSecurity.openApiCheckResponsesEnabled

Boolean

Check responses against the API specification.

data.attributes.apiSecurity.logOnly

Boolean

If enabled potential attack requests are only logged but not blocked.

data.attributes.apiSecurity.openApiPathMatching

String

Run OpenAPI path matching against client or server view of request/response.

data.attributes.apiSecurity.openApiPublishSpecificationEnabled

Boolean

Allow clients to download the API specification.

data.attributes.apiSecurity.openApiPublishSpecificationPath

String

External path to the API specification. Note that the entry path will be added in front of it.

data.attributes.apiSecurity.apiPolicyServiceEnabled

Boolean

Enables API policy service.

data.attributes.apiSecurity.apiPolicyServiceId

Number

ID of the API policy service.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.enabled

Boolean

If enabled Airlock WAF will extract the API key from the specific header.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.pattern

String

The actual pattern.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.inverted

Boolean

Whether to invert the match.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.replaceWith

String

The rewrite expression for the header extraction.

data.attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.enabled

Boolean

If enabled Airlock WAF will extract the API key from the specific query parameter.

data.attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.parameterName

String

Specifies the name of the query parameter.

data.attributes.apiSecurity.apiPolicyKeyExtractionCookie.enabled

Boolean

If enabled Airlock WAF will extract the API key from the specific cookie.

data.attributes.apiSecurity.apiPolicyKeyExtractionCookie.cookieName

String

Specifies the name of the cookie.

data.attributes.apiSecurity.jsonParser.enabled

Boolean

If set to true, Airlock WAF parses JSON objects in requests and filters JSON attributes with allow rules and deny rules. JSON objects are parsed only if their content-type matches the specified pattern.

data.attributes.apiSecurity.jsonParser.contentTypePattern.pattern

String

The actual pattern.

data.attributes.apiSecurity.jsonParser.contentTypePattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.apiSecurity.jsonParser.contentTypePattern.inverted

Boolean

Whether to invert the match.
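Several of the mapping attributes documented so far carry an explicit caution in their description (optional client certificates, NTLM passthrough, log-only modes, passthrough cookies, compression over TLS, an unlimited request body). The following added example, which is not part of the Airlock documentation or tooling, reviews a mapping document for those settings. The sample mapping is constructed and contains only the attributes inspected; attributes that are absent are not flagged (an assumption of this sketch).

```python
import json

A = "data.attributes."

# Constructed sample, not a real export.
SAMPLE_MAPPING = json.loads("""
{"data": {"attributes": {
  "access": {
    "clientCertificateAuthentication": "OPTIONAL",
    "ntlmPassthroughEnabled": false,
    "tokensEnabled": true,
    "tokenTransport": {"presenceMandatoryEnforced": false},
    "tokenVerification": {"expiryCheckEnabled": true}
  },
  "ipRules": {"ipAddressWhitelists": {"logOnly": false},
              "ipAddressBlacklists": {"logOnly": true}},
  "limits": {"general": {"maxRequestBodySize": 0}},
  "application": {"controlApiAllowed": false,
                  "passthroughCookies": {"enabled": true},
                  "response": {"compressionAllowed": true}},
  "apiSecurity": {"logOnly": false}
}}}
""")


def get(doc, dotted, default=None):
    """Resolve a dotted attribute path such as data.attributes.access.tokensEnabled."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_true(value, mapping):
    return value is True


def is_false_while_tokens_enabled(value, mapping):
    # Token settings only matter when access tokens are processed at all.
    return value is False and get(mapping, A + "access.tokensEnabled") is True


# (attribute path, predicate, note taken from the field description)
RULES = [
    (A + "access.clientCertificateAuthentication", lambda v, m: v == "OPTIONAL",
     "OPTIONAL should only be used with an authentication service check"),
    (A + "access.ntlmPassthroughEnabled", is_true,
     "NTLM has well-known security flaws; add further measures or prefer Kerberos"),
    (A + "access.tokenTransport.presenceMandatoryEnforced", is_false_while_tokens_enabled,
     "requests without a token are accepted"),
    (A + "access.tokenVerification.expiryCheckEnabled", is_false_while_tokens_enabled,
     "exp / nbf claims are not checked"),
    (A + "ipRules.ipAddressWhitelists.logOnly", is_true,
     "non-whitelisted source IPs are logged but not blocked"),
    (A + "ipRules.ipAddressBlacklists.logOnly", is_true,
     "blacklisted source IPs are logged but not blocked"),
    (A + "limits.general.maxRequestBodySize", lambda v, m: v == 0,
     "0 means the request body size is unlimited"),
    (A + "application.controlApiAllowed", is_true,
     "normally only the authentication application may use the control API"),
    (A + "application.passthroughCookies.enabled", is_true,
     "passthrough cookies are not recommended"),
    (A + "application.response.compressionAllowed", is_true,
     "compression on SSL/TLS virtual hosts may affect the secrecy of the data"),
    (A + "apiSecurity.logOnly", is_true,
     "potential attack requests are logged but not blocked"),
]


def audit_mapping(mapping):
    """Return (path, value, note) for every rule that fires on the mapping."""
    findings = []
    for path, is_risky, note in RULES:
        value = get(mapping, path)
        if value is not None and is_risky(value, mapping):
            findings.append((path, value, note))
    return findings


if __name__ == "__main__":
    for path, value, note in audit_mapping(SAMPLE_MAPPING):
        print("%s = %r: %s" % (path, value, note))
```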

data.attributes.dosAttackPrevention.enabled

Boolean

Enables DoS attack prevention filter.

data.attributes.dosAttackPrevention.maxRequestsPerInterval

Number

Maximum requests allowed per IP address.

data.attributes.dosAttackPrevention.interval

Number

Interval for measurement of allowed requests per IP address (seconds).

data.attributes.dosAttackPrevention.whitelistIpPattern

Object

Reference to an IP pattern that acts as whitelist. All source IPs matching this pattern will be excluded from the session limit per IP restriction. This is typically used if you have many users having the same source IP (i.e. proxy).

data.attributes.dosAttackPrevention.whitelistIpPattern.pattern

String

The actual pattern.

data.attributes.dosAttackPrevention.whitelistIpPattern.inverted

Boolean

Whether to invert the match.

data.attributes.requestBodyStreaming.enabled

Boolean

Controls whether request body streaming is used or not. If set, only requests matching all three regular expression patterns will be streamed. Empty fields have the same effect as the pattern ^.*$

data.attributes.requestBodyStreaming.httpMethodPattern

Object

Only requests whose HTTP method matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.pathPattern

Object

Only requests whose path matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.contentTypePattern

Object

Only requests whose content type header matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.httpMethodPattern.pattern

String

The actual pattern.

data.attributes.requestBodyStreaming.httpMethodPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.requestBodyStreaming.httpMethodPattern.inverted

Boolean

Whether to invert the match.

data.attributes.requestBodyStreaming.pathPattern.pattern

String

The actual pattern.

data.attributes.requestBodyStreaming.pathPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.requestBodyStreaming.pathPattern.inverted

Boolean

Whether to invert the match.

data.attributes.requestBodyStreaming.contentTypePattern.pattern

String

The actual pattern.

data.attributes.requestBodyStreaming.contentTypePattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.requestBodyStreaming.contentTypePattern.inverted

Boolean

Whether to invert the match.

data.attributes.httpParameterPollutionDetection.mixedTypes

Object

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving both HTTP GET and HTTP POST parameters (thus involving parameters of different/mixed types).

data.attributes.httpParameterPollutionDetection.sameType

Object

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving only HTTP GET or only HTTP POST parameters (thus involving only parameters of the same type).

data.attributes.httpParameterPollutionDetection.mixedTypes.enabled

Boolean

If enabled requests containing HTTP GET and HTTP POST parameters of the same name are blocked to prevent HPP attacks.

data.attributes.httpParameterPollutionDetection.mixedTypes.logOnly

Boolean

If true potential HPP attack requests are only logged but not blocked.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern

Object

Parameters named with a name matching this regular expression pattern will be ignored by the HPP detection.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.pattern

String

The actual pattern.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.inverted

Boolean

Whether to invert the match.

data.attributes.httpParameterPollutionDetection.sameType.enabled

Boolean

If enabled parameters named with the same name and type (HTTP GET or POST) are joined together into one parameter before filtering to prevent HPP attacks. Note: For the filtering itself a deny rule like the default deny rule '(default) HTTP Parameter Pollution' has to be configured.
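To make the two HPP modes concrete, the following added example (not Airlock's implementation and not part of the original documentation) models them on a raw query string and a form-encoded body: the mixedTypes check with its enabled, logOnly and parameterNameExceptionPattern attributes, and the sameType joining step. Assumptions: patterns are evaluated as unanchored regular expressions, and same-name values are joined with a comma; the reference does not state either detail.

```python
import re
from urllib.parse import parse_qsl


def pattern_matches(spec, text):
    """Evaluate a {pattern, caseIgnored, inverted} object against text.

    Assumption: the pattern is an unanchored regular expression.
    """
    flags = re.IGNORECASE if spec.get("caseIgnored") else 0
    hit = re.search(spec["pattern"], text, flags) is not None
    return (not hit) if spec.get("inverted") else hit


def mixed_type_collisions(query, body, exception=None):
    """Names that occur both as GET (query) and POST (body) parameters."""
    get_names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    post_names = {name for name, _ in parse_qsl(body, keep_blank_values=True)}
    names = sorted(get_names & post_names)
    if exception and exception.get("pattern"):
        # Names matching the exception pattern are ignored by the detection.
        names = [n for n in names if not pattern_matches(exception, n)]
    return names


def evaluate_mixed_types(cfg, query, body):
    """Return (decision, names) with decision in PASS / LOG / BLOCK.

    `cfg` mirrors httpParameterPollutionDetection.mixedTypes.
    """
    if not cfg.get("enabled"):
        return "PASS", []
    names = mixed_type_collisions(
        query, body, cfg.get("parameterNameExceptionPattern"))
    if not names:
        return "PASS", []
    return ("LOG" if cfg.get("logOnly") else "BLOCK"), names


def join_same_type(raw, separator=","):
    """Join same-name parameters of one type into a single value.

    The joined value is what a deny rule would then inspect.
    Assumption: the separator; the reference does not specify it.
    """
    joined = {}
    for name, value in parse_qsl(raw, keep_blank_values=True):
        joined[name] = value if name not in joined else joined[name] + separator + value
    return joined


if __name__ == "__main__":
    # Constructed request parts.
    query, body = "id=1&lang=en", "id=2&comment=hi"
    print(evaluate_mixed_types({"enabled": True, "logOnly": False}, query, body))
    print(join_same_type("role=user&role=admin&page=1"))
```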

data.attributes.expertSettings.securityGate

Object

Expert settings for the Security Gate.

data.attributes.expertSettings.apache

Object

Expert settings for the Apache.

data.attributes.expertSettings.securityGate.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.securityGate.settings

String

The expert settings for the Security Gate.

data.attributes.expertSettings.apache.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.apache.settings

String

The expert settings for the Apache web listener.

data.attributes.locking.enabled

Boolean

If true the state of the attribute locks is displayed in Airlock WAF’s Configuration Center for this mapping.

data.attributes.locking.labels

Boolean

Lock for the corresponding member.

data.attributes.locking.backendPath

Boolean

Lock for the corresponding member.

data.attributes.locking.threatHandling

Boolean

Lock for the corresponding member.

data.attributes.locking.enableMaintenancePage

Boolean

Lock for the corresponding member.

data.attributes.locking.operationalMode

Boolean

Lock for the corresponding member.

data.attributes.locking.access.restrictions

Boolean

Lock for the corresponding member.

data.attributes.locking.access.clientCertificateAuthentication

Boolean

Lock for the corresponding member.

data.attributes.locking.access.authenticationFlow

Boolean

Lock for the corresponding member.

data.attributes.locking.access.backendLogoutUrl

Boolean

Lock for the corresponding member.

data.attributes.locking.access.ntlmPassthroughEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokensEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.deniedUrl.value

Boolean

Lock for the corresponding member.

data.attributes.locking.access.deniedUrl.mode

Boolean

Lock for the corresponding member.

data.attributes.locking.access.credentialsPropagation.mandatory

Boolean

Lock for the corresponding member.

data.attributes.locking.access.credentialsPropagation.type

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.type

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jwsAlgorithm

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jwsKey

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jweAlgorithm

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jweKey

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.expiryCheckEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.expiryCheckSkew

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.claimRestrictions

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.roleExtractions

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.extractTechnicalClientIdEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.extractTechnicalClientIdName

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.setAuditTokenFromSubjectEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.presenceMandatoryEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.headerExtraction.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.headerExtraction.extractionPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.headerExtraction.replaceWith

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.parameterExtraction.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.parameterExtraction.name

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.cookieExtraction.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.cookieExtraction.name

Boolean

Lock for the corresponding member.

data.attributes.locking.entryPath.settings

Boolean

Lock for the corresponding member. Note that this lock affects both the EntryPath’s 'value' and 'ignoreCase'.

data.attributes.locking.entryPath.regexFormatEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.entryPath.priority

Boolean

Lock for the corresponding member.

data.attributes.locking.ipRules.ipAddressWhitelists.logOnly

Boolean

Lock for the corresponding member.

data.attributes.locking.ipRules.ipAddressBlacklists.logOnly

Boolean

Lock for the corresponding member.

data.attributes.locking.ipRules.dynamicIpAddressBlacklist.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.ipRules.dynamicIpAddressBlacklist.countMode

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.clientCookieSupportEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.wellKnownBots.allowed

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.wellKnownBots.sourceDomainEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.allowed

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.sourceDomainEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.userAgentPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.domainPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.timeouts.backend

Boolean

Lock for the corresponding member.

data.attributes.locking.timeouts.sessionIdle

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.general.maxRequestBodySize

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.general.maxPathLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.http.maxParameters

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.http.maxParameterNameLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.http.maxParameterValueLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxKeyLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxValueLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxNestingDepth

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxArrayItems

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxKeys

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxTotalEntries

Boolean

Lock for the corresponding member.

data.attributes.locking.application.sessionHandling

Boolean

Lock for the corresponding member.

data.attributes.locking.application.controlApiAllowed

Boolean

Lock for the corresponding member.

data.attributes.locking.application.environmentCookiesEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.loadBalancingCookieEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.webSocketsAllowed

Boolean

Lock for the corresponding member.

data.attributes.locking.application.redirectForErrorPageEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.encryptedCookies.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.encryptedCookies.prefix

Boolean

Lock for the corresponding member.

data.attributes.locking.application.passthroughCookies.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.passthroughCookies.prefix

Boolean

Lock for the corresponding member.

data.attributes.locking.application.request.charset

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.compressionAllowed

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.stripCommentsEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.header.location.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.json.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.body.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.html.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.errorPage.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.treatPathSegmentsAsParamValues

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiCheckResponsesEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiDocumentId

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.logOnly

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiPathMatching

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiPublishSpecificationEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiPublishSpecificationPath

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyServiceEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyServiceId

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.jsonParser.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.jsonParser.contentTypePattern

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.replaceWith

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionQueryParameter.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionQueryParameter.parameterName

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionCookie.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionCookie.cookieName

Boolean

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.maxRequestsPerInterval

Boolean

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.interval

Boolean

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.whitelistIpPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.httpMethodPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.pathPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.contentTypePattern

Boolean

Lock for the corresponding member.

data.attributes.locking.icap.request.clientViews

Boolean

Lock for the corresponding member.

data.attributes.locking.icap.request.backendViews

Boolean

Lock for the corresponding member.

data.attributes.locking.icap.response.backendViews

Boolean

Lock for the corresponding member.

data.attributes.locking.icap.response.clientViews

Boolean

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.mixedTypes.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.mixedTypes.logOnly

Boolean

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.sameType.enabled

Boolean

Lock for the corresponding member.

data.relationships.virtual-hosts.data[]

Array

The virtual-host references.

data.relationships.virtual-hosts.data[].type

String

The data type of the referenced resource. Must be "virtual-host" for this call.

data.relationships.virtual-hosts.data[].id

String

The ID of the virtual-host resource.

data.relationships.back-end-group.data

Object

The back-end-group reference.

data.relationships.back-end-group.data.type

String

The data type of the referenced resource. Must be "back-end-group" for this call.

data.relationships.back-end-group.data.id

String

The ID of the back-end-group resource.

data.relationships.openapi-document.data

Object

The openapi-document reference.

data.relationships.openapi-document.data.type

String

The data type of the referenced resource. Must be "openapi-document" for this call.

data.relationships.openapi-document.data.id

String

The ID of the openapi-document resource.

data.relationships.ip-address-whitelists.data[]

Array

The ip-address-list references.

data.relationships.ip-address-whitelists.data[].type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data.relationships.ip-address-whitelists.data[].id

String

The ID of the ip-address-list resource.

data.relationships.ip-address-blacklists.data[]

Array

The ip-address-list references.

data.relationships.ip-address-blacklists.data[].type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data.relationships.ip-address-blacklists.data[].id

String

The ID of the ip-address-list resource.

data[].relationships.ip-address-blacklist-exceptions.data[]

Array

The ip-address-list references.

data[].relationships.ip-address-blacklist-exceptions.data[].type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data[].relationships.ip-address-blacklist-exceptions.data[].id

String

The ID of the ip-address-list resource.

data.relationships.bot-management-source-ip-address-whitelist.data

Object

The ip-address-list reference.

data.relationships.bot-management-source-ip-address-whitelist.data.type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data.relationships.bot-management-source-ip-address-whitelist.data.id

String

The ID of the ip-address-list resource.

data.relationships.icap-request-client-views.data[]

Array

The icap-environment references.

data.relationships.icap-request-client-views.data[].type

String

The data type of the referenced resource. Must be "icap-environment" for this call.

data.relationships.icap-request-client-views.data[].id

String

The ID of the icap-environment resource.

data.relationships.icap-request-client-views.data[].meta.type

String

The JSON API meta type, which is: "jsonapi.meta"

data.relationships.icap-request-client-views.data[].meta.usage..enabled

Boolean

Whether to use the ICAP server.

data.relationships.icap-request-client-views.data[].meta.usage..httpMethodPattern.pattern

String

The actual pattern.

data.relationships.icap-request-client-views.data[].meta.usage..httpMethodPattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-request-client-views.data[].meta.usage..httpMethodPattern.inverted

String

Whether to invert the match.

data.relationships.icap-request-client-views.data[].meta.usage..pathPattern.pattern

String

The actual pattern.

data.relationships.icap-request-client-views.data[].meta.usage..pathPattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-request-client-views.data[].meta.usage..pathPattern.inverted

String

Whether to invert the match.

data.relationships.icap-request-client-views.data[].meta.usage..requestHeaderNamePattern.pattern

String

The actual pattern.

data.relationships.icap-request-client-views.data[].meta.usage..requestHeaderNamePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-request-client-views.data[].meta.usage..requestHeaderNamePattern.inverted

String

Whether to invert the match.

data.relationships.icap-request-client-views.data[].meta.usage..requestHeaderValuePattern.pattern

String

The actual pattern.

data.relationships.icap-request-client-views.data[].meta.usage..requestHeaderValuePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-request-client-views.data[].meta.usage..requestHeaderValuePattern.inverted

String

Whether to invert the match.

data.relationships.icap-request-backend-views.data[]

Array

The icap-environment references.

data.relationships.icap-request-backend-views.data[].type

String

The data type of the referenced resource. Must be "icap-environment" for this call.

data.relationships.icap-request-backend-views.data[].id

String

The ID of the icap-environment resource.

data.relationships.icap-request-backend-views.data[].meta.type

String

The JSON API meta type, which is: "jsonapi.meta"

data.relationships.icap-request-backend-views.data[].meta.usage..enabled

Boolean

Whether to use the ICAP server.

data.relationships.icap-request-backend-views.data[].meta.usage..httpMethodPattern.pattern

String

The actual pattern.

data.relationships.icap-request-backend-views.data[].meta.usage..httpMethodPattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-request-backend-views.data[].meta.usage..httpMethodPattern.inverted

String

Whether to invert the match.

data.relationships.icap-request-backend-views.data[].meta.usage..pathPattern.pattern

String

The actual pattern.

data.relationships.icap-request-backend-views.data[].meta.usage..pathPattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-request-backend-views.data[].meta.usage..pathPattern.inverted

String

Whether to invert the match.

data.relationships.icap-request-backend-views.data[].meta.usage..requestHeaderNamePattern.pattern

String

The actual pattern.

data.relationships.icap-request-backend-views.data[].meta.usage..requestHeaderNamePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-request-backend-views.data[].meta.usage..requestHeaderNamePattern.inverted

String

Whether to invert the match.

data.relationships.icap-request-backend-views.data[].meta.usage..requestHeaderValuePattern.pattern

String

The actual pattern.

data.relationships.icap-request-backend-views.data[].meta.usage..requestHeaderValuePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-request-backend-views.data[].meta.usage..requestHeaderValuePattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-backend-views.data[]

Array

The icap-environment references.

data.relationships.icap-response-backend-views.data[].type

String

The data type of the referenced resource. Must be "icap-environment" for this call.

data.relationships.icap-response-backend-views.data[].id

String

The ID of the icap-environment resource.

data.relationships.icap-response-backend-views.data[].meta.type

String

The JSON API meta type, which is: "jsonapi.meta"

data.relationships.icap-response-backend-views.data[].meta.usage..enabled

Boolean

Whether to use the ICAP server.

data.relationships.icap-response-backend-views.data[].meta.usage..httpMethodPattern.pattern

String

The actual pattern.

data.relationships.icap-response-backend-views.data[].meta.usage..httpMethodPattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-backend-views.data[].meta.usage..httpMethodPattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-backend-views.data[].meta.usage..pathPattern.pattern

String

The actual pattern.

data.relationships.icap-response-backend-views.data[].meta.usage..pathPattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-backend-views.data[].meta.usage..pathPattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-backend-views.data[].meta.usage..requestHeaderNamePattern.pattern

String

The actual pattern.

data.relationships.icap-response-backend-views.data[].meta.usage..requestHeaderNamePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-backend-views.data[].meta.usage..requestHeaderNamePattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-backend-views.data[].meta.usage..requestHeaderValuePattern.pattern

String

The actual pattern.

data.relationships.icap-response-backend-views.data[].meta.usage..requestHeaderValuePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-backend-views.data[].meta.usage..requestHeaderValuePattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-backend-views.data[].meta.usage..responseHeaderNamePattern.pattern

String

The actual pattern.

data.relationships.icap-response-backend-views.data[].meta.usage..responseHeaderNamePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-backend-views.data[].meta.usage..responseHeaderNamePattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-backend-views.data[].meta.usage..responseHeaderValuePattern.pattern

String

The actual pattern.

data.relationships.icap-response-backend-views.data[].meta.usage..responseHeaderValuePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-backend-views.data[].meta.usage..responseHeaderValuePattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-client-views.data[]

Array

The icap-environment references.

data.relationships.icap-response-client-views.data[].type

String

The data type of the referenced resource. Must be "icap-environment" for this call.

data.relationships.icap-response-client-views.data[].id

String

The ID of the icap-environment resource.

data.relationships.icap-response-client-views.data[].meta.type

String

The JSON API meta type, which is: "jsonapi.meta"

data.relationships.icap-response-client-views.data[].meta.usage..enabled

Boolean

Whether to use the ICAP server.

data.relationships.icap-response-client-views.data[].meta.usage..httpMethodPattern.pattern

String

The actual pattern.

data.relationships.icap-response-client-views.data[].meta.usage..httpMethodPattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-client-views.data[].meta.usage..httpMethodPattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-client-views.data[].meta.usage..pathPattern.pattern

String

The actual pattern.

data.relationships.icap-response-client-views.data[].meta.usage..pathPattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-client-views.data[].meta.usage..pathPattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-client-views.data[].meta.usage..requestHeaderNamePattern.pattern

String

The actual pattern.

data.relationships.icap-response-client-views.data[].meta.usage..requestHeaderNamePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-client-views.data[].meta.usage..requestHeaderNamePattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-client-views.data[].meta.usage..requestHeaderValuePattern.pattern

String

The actual pattern.

data.relationships.icap-response-client-views.data[].meta.usage..requestHeaderValuePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-client-views.data[].meta.usage..requestHeaderValuePattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-client-views.data[].meta.usage..responseHeaderNamePattern.pattern

String

The actual pattern.

data.relationships.icap-response-client-views.data[].meta.usage..responseHeaderNamePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-client-views.data[].meta.usage..responseHeaderNamePattern.inverted

String

Whether to invert the match.

data.relationships.icap-response-client-views.data[].meta.usage..responseHeaderValuePattern.pattern

String

The actual pattern.

data.relationships.icap-response-client-views.data[].meta.usage..responseHeaderValuePattern.caseIgnored

String

Whether to ignore case.

data.relationships.icap-response-client-views.data[].meta.usage..responseHeaderValuePattern.inverted

String

Whether to invert the match.
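
Each member under data.attributes.locking shares its path with the attribute it locks, with entryPath.settings covering both 'value' and 'ignoreCase'. The following Python code is an added example, not part of the Airlock documentation: it reads a mapping document of this shape, lists every locked member with its current value, and lists the members set to logOnly. The sample document is constructed and trimmed, and all function names are this example's own.

```python
import json

# Constructed, trimmed sample in the shape of the mapping resource above;
# all values are made up for illustration.
SAMPLE_RESPONSE = """
{"data": {"type": "mapping", "id": "1", "attributes": {
  "name": "mymapping",
  "threatHandling": "BLOCK",
  "entryPath": {"value": "/mymapping/", "regexFormatEnforced": false,
                "ignoreCase": false, "priority": 0},
  "ipRules": {"ipAddressWhitelists": {"logOnly": false},
              "ipAddressBlacklists": {"logOnly": true}},
  "apiSecurity": {"openApiEnforced": true, "logOnly": false},
  "httpParameterPollutionDetection": {
    "mixedTypes": {"enabled": true, "logOnly": true},
    "sameType": {"enabled": true}},
  "locking": {
    "enabled": true,
    "threatHandling": true,
    "entryPath": {"settings": true, "regexFormatEnforced": false,
                  "priority": false},
    "ipRules": {"ipAddressBlacklists": {"logOnly": true}},
    "timeouts": {"backend": true},
    "apiSecurity": {"openApiEnforced": false, "logOnly": false},
    "httpParameterPollutionDetection": {
      "mixedTypes": {"enabled": false, "logOnly": false},
      "sameType": {"enabled": true}}}
}}}
"""

# Per the field reference, the entryPath.settings lock affects both the
# entry path's 'value' and 'ignoreCase'.
LOCK_EXPANSIONS = {"entryPath.settings": ["entryPath.value", "entryPath.ignoreCase"]}

_MISSING = object()


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_RESPONSE)


def flatten(node, prefix=""):
    """Flatten nested objects into {dotted.path: leaf}; arrays stay leaves."""
    flat = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def lookup(node, dotted):
    """Resolve a dotted path in nested objects; _MISSING if it is absent."""
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def locked_members(document):
    """Return ({locked attribute path: current value}, [locked paths absent
    from the document])."""
    attributes = document["data"]["attributes"]
    locks = flatten(attributes.get("locking", {}))
    locks.pop("enabled", None)  # locking.enabled is not a member lock
    locked, missing = {}, []
    for lock_path, is_locked in locks.items():
        if is_locked is not True:
            continue
        for member in LOCK_EXPANSIONS.get(lock_path, [lock_path]):
            value = lookup(attributes, member)
            if value is _MISSING:
                missing.append(member)
            else:
                locked[member] = value
    return locked, sorted(missing)


def log_only_members(document):
    """Return the attribute paths whose logOnly flag is true."""
    attributes = dict(document["data"]["attributes"])
    attributes.pop("locking", None)  # lock flags are not settings
    return sorted(path for path, value in flatten(attributes).items()
                  if path.split(".")[-1] == "logOnly" and value is True)


if __name__ == "__main__":
    doc = load_sample()
    locked, missing = locked_members(doc)
    for path, value in sorted(locked.items()):
        print(f"locked    {path} = {value!r}")
    for path in missing:
        print(f"locked    {path} (not present in this document)")
    for path in log_only_members(doc):
        print(f"log-only  {path}")
```

To run it against a live system, replace the sample with the body returned by the request shown under Example Request.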

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/mappings/1" -i -X GET \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json'

Example Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 20434

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:26:31.158+02:00"
  },
  "data" : {
    "type" : "mapping",
    "id" : "1",
    "attributes" : {
      "name" : "mymapping",
      "labels" : [ "myMappingLabel" ],
      "tenant" : "",
      "entryPath" : {
        "value" : "/mymapping/",
        "regexFormatEnforced" : false,
        "ignoreCase" : false,
        "priority" : 0
      },
      "backendPath" : "/",
      "threatHandling" : "BLOCK",
      "operationalMode" : "PRODUCTION",
      "enableMaintenancePage" : true,
      "access" : {
        "deniedUrl" : {
          "value" : "/",
          "mode" : "GLOBAL"
        },
        "restrictions" : [ {
          "enabled" : true,
          "httpMethodPattern" : {
            "pattern" : "GET",
            "caseIgnored" : true,
            "inverted" : true
          },
          "entryPathPattern" : {
            "pattern" : "/admin/",
            "caseIgnored" : true,
            "inverted" : true
          },
          "authorizedRoles" : [ "admin" ],
          "authorizedPlans" : [ "android", "ios", "browser" ]
        } ],
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "authenticationFlow" : "REDIRECT",
        "backendLogoutUrl" : "",
        "ntlmPassthroughEnabled" : false,
        "credentialsPropagation" : {
          "mandatory" : false,
          "type" : "NONE"
        },
        "tokensEnabled" : false,
        "tokenTransport" : {
          "presenceMandatoryEnforced" : false,
          "headerExtraction" : {
            "enabled" : false,
            "extractionPattern" : {
              "pattern" : "^Authorization: Bearer (.*)$",
              "caseIgnored" : true
            },
            "replaceWith" : "$1"
          },
          "parameterExtraction" : {
            "enabled" : false,
            "name" : ""
          },
          "cookieExtraction" : {
            "enabled" : false,
            "name" : ""
          }
        },
        "tokenVerification" : {
          "type" : "JWS",
          "jwsAlgorithm" : "RS256",
          "jwsKey" : "",
          "jweAlgorithm" : "A256GCM",
          "jweKey" : "",
          "expiryCheckEnabled" : false,
          "expiryCheckSkew" : 10,
          "extractTechnicalClientIdEnabled" : false,
          "extractTechnicalClientIdName" : "",
          "setAuditTokenFromSubjectEnabled" : false,
          "claimRestrictions" : [ {
            "enabled" : true,
            "name" : "myClaim",
            "restrictionPattern" : {
              "pattern" : "",
              "caseIgnored" : false,
              "inverted" : false
            }
          } ],
          "roleExtractions" : [ {
            "enabled" : true,
            "name" : "myClaim",
            "extractionPattern" : {
              "pattern" : "",
              "caseIgnored" : false
            },
            "replaceWith" : "$1",
            "tokenLifetimeAsRoleLifetimeEnforced" : true
          } ]
        }
      },
      "ipRules" : {
        "ipAddressWhitelists" : {
          "logOnly" : false
        },
        "ipAddressBlacklists" : {
          "logOnly" : false,
          "webrootThreatCategories" : "WEB_ATTACKS"
        },
        "dynamicIpAddressBlacklist" : {
          "enabled" : false,
          "countMode" : "OFF"
        }
      },
      "botManagement" : {
        "clientCookieSupportEnforced" : false,
        "wellKnownBots" : {
          "allowed" : false,
          "sourceDomainEnforced" : false
        },
        "customBots" : {
          "allowed" : false,
          "sourceDomainEnforced" : false,
          "userAgentPattern" : {
            "pattern" : "",
            "caseIgnored" : false,
            "inverted" : false
          },
          "domainPattern" : {
            "pattern" : "",
            "inverted" : false
          }
        }
      },
      "timeouts" : {
        "backend" : 120,
        "sessionIdle" : 0
      },
      "limits" : {
        "general" : {
          "maxRequestBodySize" : 1073741824,
          "maxPathLength" : 1024
        },
        "http" : {
          "maxParameters" : 128,
          "maxParameterNameLength" : 128,
          "maxParameterValueLength" : 1024
        },
        "json" : {
          "enabled" : true,
          "maxKeyLength" : 256,
          "maxValueLength" : 8192,
          "maxNestingDepth" : 100,
          "maxArrayItems" : 500,
          "maxKeys" : 250,
          "maxTotalEntries" : 150000
        }
      },
      "application" : {
        "sessionHandling" : "ENFORCE_SESSION",
        "controlApiAllowed" : false,
        "environmentCookiesEnabled" : false,
        "encryptedCookies" : {
          "enabled" : false,
          "prefix" : ""
        },
        "passthroughCookies" : {
          "enabled" : false,
          "prefix" : ""
        },
        "loadBalancingCookieEnabled" : true,
        "webSocketsAllowed" : false,
        "redirectForErrorPageEnabled" : false,
        "request" : {
          "charset" : "UTF_8_FALLBACK_WINDOWS_1252"
        },
        "response" : {
          "compressionAllowed" : false,
          "stripCommentsEnabled" : true,
          "header" : {
            "location" : {
              "rewrites" : [ {
                "enabled" : true,
                "urlPattern" : {
                  "pattern" : "/",
                  "caseIgnored" : true
                },
                "replaceWith" : "$1"
              } ]
            }
          },
          "json" : {
            "rewrites" : [ {
              "enabled" : true,
              "path" : "json#path",
              "contentPattern" : {
                "pattern" : "a",
                "caseIgnored" : true
              },
              "replaceWith" : "b"
            } ]
          },
          "body" : {
            "rewrites" : [ {
              "enabled" : true,
              "contentType" : "application/json",
              "contentPattern" : {
                "pattern" : "a",
                "caseIgnored" : true
              },
              "replaceWith" : "b"
            } ]
          },
          "html" : {
            "rewrites" : [ {
              "enabled" : true,
              "urlPattern" : {
                "pattern" : "a",
                "caseIgnored" : true
              },
              "uris" : true,
              "events" : true,
              "embedded" : true,
              "replaceWith" : "b"
            } ]
          },
          "errorPage" : {
            "rewrites" : [ {
              "enabled" : true,
              "statusContentPattern" : "^5(?!02|03)..$",
              "replaceWith" : "500.html"
            } ]
          }
        }
      },
      "apiSecurity" : {
        "treatPathSegmentsAsParamValues" : true,
        "jsonParser" : {
          "enabled" : false,
          "contentTypePattern" : {
            "pattern" : "",
            "caseIgnored" : true,
            "inverted" : false
          }
        },
        "openApiEnforced" : true,
        "openApiCheckResponsesEnabled" : false,
        "logOnly" : false,
        "openApiPathMatching" : "ClientView",
        "openApiPublishSpecificationEnabled" : true,
        "openApiPublishSpecificationPath" : "path/to/apiSpecification.json",
        "apiPolicyServiceEnabled" : true,
        "apiPolicyServiceId" : 60,
        "apiPolicyKeyExtractionHeader" : {
          "enabled" : true,
          "extractionPattern" : {
            "pattern" : "^Api-Key: (.*)$",
            "caseIgnored" : false,
            "inverted" : false
          },
          "replaceWith" : "$1"
        },
        "apiPolicyKeyExtractionQueryParameter" : {
          "enabled" : false,
          "parameterName" : "api_key"
        },
        "apiPolicyKeyExtractionCookie" : {
          "enabled" : false,
          "cookieName" : "ApiKey"
        }
      },
      "dosAttackPrevention" : {
        "enabled" : false,
        "maxRequestsPerInterval" : 500,
        "interval" : 60,
        "whitelistIpPattern" : {
          "pattern" : "^$",
          "inverted" : false
        }
      },
      "requestBodyStreaming" : {
        "enabled" : false,
        "httpMethodPattern" : {
          "pattern" : "",
          "caseIgnored" : false,
          "inverted" : false
        },
        "pathPattern" : {
          "pattern" : "",
          "caseIgnored" : false,
          "inverted" : false
        },
        "contentTypePattern" : {
          "pattern" : "",
          "caseIgnored" : true,
          "inverted" : false
        }
      },
      "httpParameterPollutionDetection" : {
        "mixedTypes" : {
          "enabled" : true,
          "logOnly" : false,
          "parameterNameExceptionPattern" : {
            "pattern" : "",
            "caseIgnored" : false,
            "inverted" : false
          }
        },
        "sameType" : {
          "enabled" : true
        }
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      },
      "locking" : {
        "enabled" : false,
        "labels" : false,
        "access" : {
          "deniedUrl" : {
            "value" : false,
            "mode" : false
          },
          "restrictions" : false,
          "clientCertificateAuthentication" : false,
          "authenticationFlow" : false,
          "backendLogoutUrl" : false,
          "ntlmPassthroughEnabled" : false,
          "credentialsPropagation" : {
            "mandatory" : false,
            "type" : false
          },
          "tokensEnabled" : false,
          "tokenVerification" : {
            "type" : false,
            "jwsAlgorithm" : false,
            "jwsKey" : false,
            "jweAlgorithm" : false,
            "jweKey" : false,
            "expiryCheckEnabled" : false,
            "expiryCheckSkew" : false,
            "claimRestrictions" : false,
            "roleExtractions" : false,
            "extractTechnicalClientIdEnabled" : false,
            "extractTechnicalClientIdName" : false,
            "setAuditTokenFromSubjectEnabled" : false
          },
          "tokenTransport" : {
            "presenceMandatoryEnforced" : false,
            "headerExtraction" : {
              "enabled" : false,
              "extractionPattern" : false,
              "replaceWith" : false
            },
            "parameterExtraction" : {
              "enabled" : false,
              "name" : false
            },
            "cookieExtraction" : {
              "enabled" : false,
              "name" : false
            }
          }
        },
        "entryPath" : {
          "settings" : true,
          "regexFormatEnforced" : true,
          "priority" : false
        },
        "backendPath" : true,
        "threatHandling" : false,
        "operationalMode" : false,
        "enableMaintenancePage" : false,
        "ipRules" : {
          "ipAddressWhitelists" : {
            "logOnly" : false
          },
          "ipAddressBlacklists" : {
            "logOnly" : false
          },
          "dynamicIpAddressBlacklist" : {
            "enabled" : false,
            "countMode" : false
          }
        },
        "botManagement" : {
          "clientCookieSupportEnforced" : false,
          "wellKnownBots" : {
            "allowed" : false,
            "sourceDomainEnforced" : false
          },
          "customBots" : {
            "allowed" : false,
            "sourceDomainEnforced" : false,
            "userAgentPattern" : false,
            "domainPattern" : false
          }
        },
        "timeouts" : {
          "backend" : false,
          "sessionIdle" : false
        },
        "limits" : {
          "general" : {
            "maxRequestBodySize" : true,
            "maxPathLength" : true
          },
          "http" : {
            "maxParameters" : false,
            "maxParameterNameLength" : false,
            "maxParameterValueLength" : false
          },
          "json" : {
            "enabled" : false,
            "maxKeyLength" : false,
            "maxValueLength" : false,
            "maxNestingDepth" : false,
            "maxArrayItems" : false,
            "maxKeys" : false,
            "maxTotalEntries" : false
          }
        },
        "application" : {
          "sessionHandling" : false,
          "controlApiAllowed" : false,
          "environmentCookiesEnabled" : false,
          "encryptedCookies" : {
            "enabled" : false,
            "prefix" : false
          },
          "passthroughCookies" : {
            "enabled" : false,
            "prefix" : false
          },
          "loadBalancingCookieEnabled" : false,
          "webSocketsAllowed" : false,
          "redirectForErrorPageEnabled" : false,
          "request" : {
            "charset" : false
          },
          "response" : {
            "compressionAllowed" : false,
            "stripCommentsEnabled" : false,
            "header" : {
              "location" : {
                "rewrites" : false
              }
            },
            "json" : {
              "rewrites" : false
            },
            "body" : {
              "rewrites" : false
            },
            "html" : {
              "rewrites" : false
            },
            "errorPage" : {
              "rewrites" : false
            }
          }
        },
        "apiSecurity" : {
          "treatPathSegmentsAsParamValues" : false,
          "jsonParser" : {
            "enabled" : false,
            "contentTypePattern" : false
          },
          "openApiEnforced" : false,
          "openApiCheckResponsesEnabled" : false,
          "openApiDocumentId" : false,
          "logOnly" : false,
          "openApiPathMatching" : false,
          "openApiPublishSpecificationEnabled" : false,
          "openApiPublishSpecificationPath" : false,
          "apiPolicyServiceEnabled" : false,
          "apiPolicyServiceId" : false,
          "apiPolicyKeyExtractionHeader" : {
            "enabled" : false,
            "extractionPattern" : false,
            "replaceWith" : false
          },
          "apiPolicyKeyExtractionQueryParameter" : {
            "enabled" : false,
            "parameterName" : false
          },
          "apiPolicyKeyExtractionCookie" : {
            "enabled" : false,
            "cookieName" : false
          }
        },
        "dosAttackPrevention" : {
          "enabled" : false,
          "maxRequestsPerInterval" : false,
          "interval" : false,
          "whitelistIpPattern" : false
        },
        "requestBodyStreaming" : {
          "enabled" : false,
          "httpMethodPattern" : false,
          "pathPattern" : false,
          "contentTypePattern" : false
        },
        "httpParameterPollutionDetection" : {
          "mixedTypes" : {
            "enabled" : false,
            "logOnly" : false,
            "parameterNameExceptionPattern" : false
          },
          "sameType" : {
            "enabled" : false
          }
        },
        "icap" : {
          "request" : {
            "clientViews" : false,
            "backendViews" : false
          },
          "response" : {
            "backendViews" : false,
            "clientViews" : false
          }
        }
      }
    },
    "relationships" : {
      "back-end-group" : {
        "data" : {
          "type" : "back-end-group",
          "id" : "30"
        }
      },
      "virtual-hosts" : {
        "data" : [ {
          "type" : "virtual-host",
          "id" : "40"
        } ]
      },
      "openapi-document" : {
        "data" : {
          "type" : "openapi-document",
          "id" : "50"
        }
      },
      "icap-request-client-views" : {
        "data" : [ {
          "type" : "icap-environment",
          "id" : "42",
          "meta" : {
            "type" : "jsonapi.meta",
            "usage" : {
              "httpMethodPattern" : {
                "caseIgnored" : "true",
                "pattern" : "GET",
                "inverted" : "true"
              },
              "pathPattern" : {
                "caseIgnored" : "true",
                "pattern" : "/entity-path",
                "inverted" : "true"
              },
              "requestHeaderNamePattern" : {
                "caseIgnored" : "true",
                "pattern" : "^X-Entity",
                "inverted" : "true"
              },
              "requestHeaderValuePattern" : {
                "caseIgnored" : "true",
                "pattern" : "EntityValue",
                "inverted" : "true"
              },
              "enabled" : true
            }
          }
        } ]
      },
      "icap-request-backend-views" : {
        "data" : [ {
          "type" : "icap-environment",
          "id" : "43",
          "meta" : {
            "type" : "jsonapi.meta",
            "usage" : {
              "httpMethodPattern" : {
                "caseIgnored" : "true",
                "pattern" : "GET",
                "inverted" : "true"
              },
              "pathPattern" : {
                "caseIgnored" : "true",
                "pattern" : "/entity-path",
                "inverted" : "true"
              },
              "requestHeaderNamePattern" : {
                "caseIgnored" : "true",
                "pattern" : "^X-Entity",
                "inverted" : "true"
              },
              "requestHeaderValuePattern" : {
                "caseIgnored" : "true",
                "pattern" : "EntityValue",
                "inverted" : "true"
              },
              "enabled" : true
            }
          }
        } ]
      },
      "icap-response-backend-views" : {
        "data" : [ {
          "type" : "icap-environment",
          "id" : "44",
          "meta" : {
            "type" : "jsonapi.meta",
            "usage" : {
              "httpMethodPattern" : {
                "caseIgnored" : "true",
                "pattern" : "GET",
                "inverted" : "true"
              },
              "pathPattern" : {
                "caseIgnored" : "true",
                "pattern" : "/entity-path",
                "inverted" : "true"
              },
              "requestHeaderNamePattern" : {
                "caseIgnored" : "true",
                "pattern" : "^X-Entity",
                "inverted" : "true"
              },
              "requestHeaderValuePattern" : {
                "caseIgnored" : "true",
                "pattern" : "EntityValue",
                "inverted" : "true"
              },
              "responseHeaderNamePattern" : {
                "caseIgnored" : "true",
                "pattern" : "X-Response",
                "inverted" : "true"
              },
              "responseHeaderValuePattern" : {
                "caseIgnored" : "true",
                "pattern" : "responsevalue",
                "inverted" : "true"
              },
              "enabled" : true
            }
          }
        } ]
      },
      "icap-response-client-views" : {
        "data" : [ {
          "type" : "icap-environment",
          "id" : "45",
          "meta" : {
            "type" : "jsonapi.meta",
            "usage" : {
              "httpMethodPattern" : {
                "caseIgnored" : "true",
                "pattern" : "GET",
                "inverted" : "true"
              },
              "pathPattern" : {
                "caseIgnored" : "true",
                "pattern" : "/entity-path",
                "inverted" : "true"
              },
              "requestHeaderNamePattern" : {
                "caseIgnored" : "true",
                "pattern" : "^X-Entity",
                "inverted" : "true"
              },
              "requestHeaderValuePattern" : {
                "caseIgnored" : "true",
                "pattern" : "EntityValue",
                "inverted" : "true"
              },
              "responseHeaderNamePattern" : {
                "caseIgnored" : "true",
                "pattern" : "X-Response",
                "inverted" : "true"
              },
              "responseHeaderValuePattern" : {
                "caseIgnored" : "true",
                "pattern" : "responsevalue",
                "inverted" : "true"
              },
              "enabled" : true
            }
          }
        } ]
      }
    }
  }
}

Create a Mapping

POST /configuration/mappings

Content-Type application/json

Accept application/json
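An added example, not part of the Airlock documentation: a client-side lint that checks a request body for this call against the allowed values and numeric ranges listed in the Request Structure table, and flags valid settings whose descriptions say that violations are only logged or that a check is skipped. The names `lint_mapping`, `ENUMS`, `RANGES`, `WEAK` and the sample body are assumptions made for illustration; fields absent from the body are skipped, so required-field checks are left to the server.

```python
"""Client-side lint for a 'Create a Mapping' body (added example, not Airlock code)."""

# Allowed values as listed in the field descriptions, relative to data.attributes.
ENUMS = {
    "threatHandling": {"BLOCK", "TERMINATE_SESSION", "NOTIFY"},
    "operationalMode": {"PRODUCTION", "INTEGRATION"},
    "access.clientCertificateAuthentication": {"NOT_REQUIRED", "OPTIONAL", "REQUIRED"},
    "access.authenticationFlow": {"REDIRECT", "DENY_ACCESS", "ONE_SHOT",
                                  "ONE_SHOT_WITH_BODY", "FRONT_SIDE_NTLM"},
    "access.deniedUrl.mode": {"GLOBAL", "CUSTOM"},
    "access.credentialsPropagation.type": {"NONE", "BASIC_AUTH", "KERBEROS", "NTLM"},
    "access.tokenVerification.type": {"JWS", "JWE", "JWS_JWE"},
    "access.tokenVerification.jwsAlgorithm": {
        "HS_256", "HS_384", "HS_512", "RS_256", "RS_384", "RS_512",
        "PS_256", "PS_384", "PS_512"},
    "access.tokenVerification.jweAlgorithm": {
        "A_128_CBC_HS_256", "A_192_CBC_HS_384", "A_256_CBC_HS_512", "A_256_GCM"},
    "ipRules.dynamicIpAddressBlacklist.countMode": {"OFF", "ALL", "DENY_RULES_ONLY"},
}
# Inclusive numeric ranges stated in the descriptions.
RANGES = {
    "entryPath.priority": (-999, 999),
    "limits.general.maxRequestBodySize": (0, 2147483647),
}
# (path, value, reason): valid settings that the descriptions flag as needing care.
WEAK = [
    ("threatHandling", "NOTIFY", "policy violations are logged and notified, not blocked"),
    ("access.clientCertificateAuthentication", "OPTIONAL",
     "needs an authentication service check when no certificate is sent"),
    ("access.ntlmPassthroughEnabled", True, "NTLM exposed; add further security measures"),
    ("ipRules.ipAddressWhitelists.logOnly", True, "whitelist misses are only logged"),
    ("ipRules.ipAddressBlacklists.logOnly", True, "blacklist hits are only logged"),
    ("limits.general.maxRequestBodySize", 0, "0 means an unlimited request body"),
]
_MISSING = object()


def lookup(node, dotted):
    """Follow a dotted path through nested dicts; _MISSING if any step is absent."""
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def is_exactly(value, expected):
    """Equality that keeps bool and int apart (False == 0 in Python)."""
    return type(value) is type(expected) and value == expected


def lint_mapping(body):
    """Return (errors, warnings) as lists of 'path: message' strings."""
    attrs = lookup(body, "data.attributes")
    if not isinstance(attrs, dict):
        return ["data.attributes: missing or not an object"], []
    errors, warnings = [], []
    for path, allowed in ENUMS.items():
        value = lookup(attrs, path)
        if value is not _MISSING and (not isinstance(value, str) or value not in allowed):
            errors.append(f"{path}: {value!r} is not one of {sorted(allowed)}")
    for path, (low, high) in RANGES.items():
        value = lookup(attrs, path)
        if value is _MISSING:
            continue
        if type(value) is not int or not low <= value <= high:
            errors.append(f"{path}: {value!r} is outside {low}..{high}")
    for path, weak_value, reason in WEAK:
        if is_exactly(lookup(attrs, path), weak_value):
            warnings.append(f"{path}: {reason}")
    # Token settings only matter when token processing is switched on.
    if lookup(attrs, "access.tokensEnabled") is True:
        for path, reason in (
            ("access.tokenTransport.presenceMandatoryEnforced",
             "requests without a token are accepted"),
            ("access.tokenVerification.expiryCheckEnabled",
             "exp and nbf claims are not checked"),
        ):
            if lookup(attrs, path) is False:
                warnings.append(f"{path}: {reason}")
    bots = lookup(attrs, "botManagement.wellKnownBots")
    if isinstance(bots, dict) and bots.get("allowed") is True \
            and bots.get("sourceDomainEnforced") is False:
        warnings.append("botManagement.wellKnownBots.sourceDomainEnforced: "
                        "User-Agent alone decides, and it can be faked")
    return errors, warnings


# Constructed, deliberately partial body: only fields this lint reads.
SAMPLE_BODY = {"data": {"attributes": {
    "name": "example-mapping",
    "threatHandling": "NOTIFY",
    "operationalMode": "PRODUCTION",
    "entryPath": {"value": "/app/", "regexFormatEnforced": False, "priority": 1000},
    "access": {
        "authenticationFlow": "DENY_ACCESS",
        "tokensEnabled": True,
        "tokenTransport": {"presenceMandatoryEnforced": False},
        "tokenVerification": {"type": "JWS", "jwsAlgorithm": "RS256",
                              "expiryCheckEnabled": True},
    },
    "limits": {"general": {"maxRequestBodySize": 0}},
}}}

if __name__ == "__main__":
    found_errors, found_warnings = lint_mapping(SAMPLE_BODY)
    for line in found_errors:
        print("ERROR  ", line)
    for line in found_warnings:
        print("WARNING", line)
```

On the sample body the lint reports two errors (the algorithm is spelled `RS256` instead of the documented `RS_256`, and the priority is outside -999..999) and three warnings.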

Request Structure

Path Type Required Description

data.attributes.name

String

yes

The unique name of the mapping.

data.attributes.labels

Array

yes

Assigned Labels (freely defined textual tags). Labels allow grouping of mappings with a common aspect, e.g., all mappings belonging to the same application.

data.attributes.tenant

String

yes

Tenant of the mapping.

data.attributes.backendPath

String

yes

The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server.

data.attributes.threatHandling

String

yes

Defines how policy violations, e.g., missing allow rules, matching deny rules, URL encryption and form protection violations, are handled. Allowed values are: BLOCK, TERMINATE_SESSION, NOTIFY. Effects of the different values: BLOCK: Requests violating policies are blocked. The session (if available) remains valid. TERMINATE_SESSION: Requests violating policies are blocked. The session (if available) is terminated. NOTIFY: Requests violating policies are not blocked. The violation is logged and notified.

data.attributes.operationalMode

String

yes

Specifies whether this mapping runs in standard "Production" mode or in the so-called "Integration" mode. In Integration mode Airlock WAF logs more information about all requests and responses (which may decrease Airlock WAF’s performance). Allowed values are: PRODUCTION, INTEGRATION

data.attributes.enableMaintenancePage

Boolean

yes

Enable maintenance page.

data.attributes.entryPath.value

String

yes

The entry path specifies the external URL path the mapping should be available under. For each incoming request, Airlock WAF compares the URL with the entry path to find the right mapping.

data.attributes.entryPath.regexFormatEnforced

Boolean

yes

Whether the entry path (the external URL path of the mapping) should be interpreted as regular expression or not.

data.attributes.entryPath.ignoreCase

Boolean

yes

Whether the entry path should be case sensitive.

data.attributes.entryPath.priority

Number

yes

The priority is an integer number that specifies the importance (or order) of a mapping. It has been introduced to guarantee a deterministic selection of the mapping for a given request path. The value can be between -999 (highest priority) and 999 (lowest priority). The priority must be unique among all regular expression mappings. Only non regular expression mappings may share the same priority. In this case, the directories are ordered by length, i.e. the longest match wins.

data.attributes.access.clientCertificateAuthentication

String

yes

Specifies whether accessing this mapping requires the client to authenticate with a valid SSL client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED. Description of the values: NOT_REQUIRED: The mapping uses the client certificate settings of the virtual host. OPTIONAL: The client may send a certificate if available, but access is still allowed without one. The optional setting is normally used in combination with an authentication service that presents an alternative login page if no certificate is sent. You should not use the 'optional' setting without this additional authentication service check. REQUIRED: The client must send a valid certificate. If no client certificate is sent, the SSL handshake is cancelled and the browser typically presents the user with a technical error message.

data.attributes.access.authenticationFlow

String

yes

Allowed values are: REDIRECT, DENY_ACCESS, ONE_SHOT, ONE_SHOT_WITH_BODY, FRONT_SIDE_NTLM. Description: REDIRECT: If the required role for the mapping is missing on the current session, Airlock WAF will send a redirect (HTTP 303) to either the global or the custom denied access URL. This mode is typically used in conjunction with user operated clients. DENY_ACCESS: Airlock WAF will directly send an access denied (HTTP 403) response to the client if the required role is missing. This is typically used for technical clients. ONE_SHOT: When this option is selected and Airlock WAF receives an incoming request for this mapping that needs to be authenticated, Airlock WAF implicitly (without redirect) forwards the request to the configured denied access URL for this mapping. The request headers are forwarded but no request body. After the forwarded request, Airlock WAF checks again if the session is now authenticated. If so, the original request is passed to the back-end server (successful one-shot authentication). If the session does not have the required credentials even after the one-shot request, Airlock WAF will send an access denied (HTTP 403) response to the client. ONE_SHOT_WITH_BODY: This is the same as with the "one-shot" option with two notable differences: The whole body of the request is also sent to the denied access URL for this mapping and the request method is always POST instead of GET. FRONT_SIDE_NTLM: Choose the front-side NTLM authentication flow to support authentication using NTLM. The front-side NTLM authentication flow is similar to the "one-shot" authentication flow, but also forwards all requests containing an "Authorization" header with value "NTLM .*" to the denied access URL. For successful authentication, NTLM must be supported by the authentication service.

data.attributes.access.backendLogoutUrl

String

yes

Whenever an Airlock WAF session terminates (either due to an explicit logout by the user or due to a session timeout), Airlock WAF will call the given, unmodified path on the currently used back-end host with all information concerning this back-end application such as cookies, headers, etc. to allow clean session termination on the backend host.

data.attributes.access.ntlmPassthroughEnabled

Boolean

yes

Airlock WAF is enabled to handle HTTP connections with transparent client to back-end NTLM authentication. Since the authorization of NTLM authenticated connections is bound to the underlying TCP connection, the client and back-end connections are correlated as soon as a NTLM handshake is detected. These one-to-one bindings of client and back-end connections exist until client connections are closed. It is guaranteed that no back-end connection authenticated using NTLM is ever reused by another client connection. NTLM has well-known security flaws. We strongly recommend adding additional security measures when exposing NTLM authentication to the Internet. If possible, Kerberos should be preferred over NTLM, as suggested by Microsoft.

data.attributes.access.tokensEnabled

Boolean

yes

Whether access tokens should be processed.

data.attributes.access.restrictions[].enabled

Boolean

yes

Controls whether access restriction is used or not.

data.attributes.access.restrictions[].httpMethodPattern.pattern

String

yes

The actual pattern.

data.attributes.access.restrictions[].httpMethodPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.access.restrictions[].httpMethodPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.access.restrictions[].entryPathPattern.pattern

String

yes

The actual pattern.

data.attributes.access.restrictions[].entryPathPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.access.restrictions[].entryPathPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.access.restrictions[].authorizedRoles[]

Array

yes

Specifies a list of mandatory roles. Only sessions which have at least one of these roles will be able to access the service.

data.attributes.access.restrictions[].authorizedPlans[]

Array

yes

Specifies a list of mandatory plans. Only sessions which have at least one of these plans will be able to access the service.

data.attributes.access.deniedUrl.value

String

yes

Defines the location (URL) of the authentication service. In case the required role for the mapping is missing on the current session, Airlock WAF will redirect the client to this location.

data.attributes.access.deniedUrl.mode

String

yes

"Use Global" (default) uses the global denied access URL as configured under the menu Application Firewall - Session - Access Control. "Custom" uses a mapping-specific denied access URL. Allowed values are: GLOBAL, CUSTOM

data.attributes.access.credentialsPropagation.mandatory

Boolean

yes

If true and the selected SSO credentials are missing, access to the mapping is denied and Airlock WAF will redirect to either the global or the custom denied access URL.

data.attributes.access.credentialsPropagation.type

String

yes

Defines if SSO credentials set by the control API will be forwarded to the back-end application or not. These credentials are typically set by the authentication service upon successful authentication. Allowed values are: NONE, BASIC_AUTH, KERBEROS, NTLM. Description of the values: NONE: Even if Basic-Auth or NTLM credentials set by the control API are present, Airlock WAF will not forward them to the back-end application. Access to the mapping is granted without any SSO credentials. BASIC_AUTH: If Basic-Auth credentials set by the control API are present, Airlock WAF will forward them to the back-end application. KERBEROS: If a Kerberos user is set by the control API, Airlock WAF will acquire and send a service ticket to the back-end application. NTLM: If NTLM credentials set by the control API are present, Airlock WAF will forward them to the back-end application.

data.attributes.access.tokenTransport.presenceMandatoryEnforced

Boolean

yes

If not enforced, requests without a token are accepted. However, if a token is present, it is extracted and validated and the configured restrictions and role extractions are applied.

data.attributes.access.tokenTransport.headerExtraction.enabled

Boolean

yes

If enabled Airlock WAF will extract the token from the specific header.

data.attributes.access.tokenTransport.headerExtraction.extractionPattern.pattern

String

yes

The actual pattern.

data.attributes.access.tokenTransport.headerExtraction.extractionPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.access.tokenTransport.headerExtraction.replaceWith

String

yes

The rewrite expression for the header extraction.

data.attributes.access.tokenTransport.parameterExtraction.enabled

Boolean

yes

If enabled Airlock WAF will extract the token from the specific query parameter.

data.attributes.access.tokenTransport.parameterExtraction.name

String

yes

Specifies the name of the query parameter.

data.attributes.access.tokenTransport.cookieExtraction.enabled

Boolean

yes

If enabled Airlock WAF will extract the token from the specific cookie.

data.attributes.access.tokenTransport.cookieExtraction.name

String

yes

Specifies the name of the cookie.

data.attributes.access.tokenVerification.type

String

yes

Airlock supports three types of JWT tokens. Allowed values are: JWS, JWE, JWS_JWE

data.attributes.access.tokenVerification.jwsAlgorithm

String

yes

Supported algorithms. Allowed values are: HS_256, HS_384, HS_512, RS_256, RS_384, RS_512, PS_256, PS_384, PS_512

data.attributes.access.tokenVerification.jwsKey

String

yes

A public key in x509 format or the passphrase, depending on the selected algorithm.

data.attributes.access.tokenVerification.jweAlgorithm

String

yes

Supported algorithms. Allowed values are: A_128_CBC_HS_256, A_192_CBC_HS_384, A_256_CBC_HS_512, A_256_GCM

data.attributes.access.tokenVerification.jweKey

String

yes

Your secret passphrase for the symmetric encryption.

data.attributes.access.tokenVerification.expiryCheckEnabled

Boolean

yes

If enabled the JWT standard claims expiry (exp) and not before (nbf) will be checked and must be valid.

data.attributes.access.tokenVerification.expiryCheckSkew

Number

yes

The allowed skew when checking expiry / not before in seconds. This can be used if verification fails because of time synchronization issues with the token issuer and your Airlock WAF.

data.attributes.access.tokenVerification.claimRestrictions[].enabled

Boolean

yes

Enable/disable this claim extraction rule.

data.attributes.access.tokenVerification.claimRestrictions[].name

String

yes

Name of the claim you want to restrict.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.pattern

String

yes

The actual pattern.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.access.tokenVerification.roleExtractions[].enabled

Boolean

yes

Enable/disable this claim extraction rule.

data.attributes.access.tokenVerification.roleExtractions[].name

String

yes

Name of the claim you want to extract a role from.

data.attributes.access.tokenVerification.roleExtractions[].extractionPattern.pattern

String

yes

The actual pattern.

data.attributes.access.tokenVerification.roleExtractions[].extractionPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.access.tokenVerification.roleExtractions[].replaceWith

String

yes

The rewrite expression of the role.

data.attributes.access.tokenVerification.roleExtractions[].tokenLifetimeAsRoleLifetimeEnforced

Boolean

yes

If enforced the expiry claim (exp) of the JWT will be used as the role lifetime.

data.attributes.access.tokenVerification.extractTechnicalClientIdEnabled

Boolean

yes

Extract a technical client ID from JWT.

data.attributes.access.tokenVerification.extractTechnicalClientIdName

String

yes

Name of the claim to extract as technical client ID.

data.attributes.access.tokenVerification.setAuditTokenFromSubjectEnabled

Boolean

yes

Extract the 'sub' claim from the JWT and use its value as audit token of the current Airlock WAF session.

data.attributes.ipRules.ipAddressWhitelists.logOnly

Boolean

yes

If true, requests whose source IP address is not contained in one of the configured IP Whitelists are only logged but not blocked.

data.attributes.ipRules.ipAddressBlacklists.logOnly

Boolean

yes

If true, requests whose source IP address is contained in one of the configured IP Blacklists are only logged but not blocked.

data.attributes.ipRules.ipAddressBlacklists.webrootThreatCategories

String

yes

Defines which threat categories should be blocked. Allowed values are: SPAM_SOURCES, WINDOWS_EXPLOITS, WEB_ATTACKS, BOT_NETS, SCANNERS, DENIAL_OF_SERVICE, PHISHING, PROXY, MOBILE_THREATS, TOR_PROXY. Threat categories blocked through the different values: SPAM_SOURCES: The Spam Sources category includes IP addresses involved in tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities. WINDOWS_EXPLOITS: The Windows Exploits category includes IP addresses participating in the distribution of malware, shell code, rootkits, worms or viruses for Windows platforms. WEB_ATTACKS: The Web Attacks category includes IP addresses using cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force attacks to target vulnerabilities on a web server. BOT_NETS: The Botnets category includes IP addresses acting as Botnet Command and Control (C&C) centers, and infected zombie machines controlled by the C&C servers. SCANNERS: The Scanners category includes IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning and brute force login attempts. DENIAL_OF_SERVICE: The Denial of Services category includes IP addresses involved in DOS or DDOS attacks, anomalous sync flood, or anomalous traffic. PHISHING: The Phishing category includes IP addresses hosting phishing sites and sites related to other kinds of fraudulent activities. PROXY: The Proxy category includes IP addresses providing proxy services, including both VPN and open web proxy services. MOBILE_THREATS: The Mobile Threats category includes IP addresses associated with malicious and unwanted mobile applications. TOR_PROXY: The Tor Proxy category includes IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.

data.attributes.ipRules.dynamicIpAddressBlacklist.enabled

Boolean

yes

Enables blocking of IPs on the dynamic IP address blacklist.

data.attributes.ipRules.dynamicIpAddressBlacklist.countMode

String

yes

Defines the counting mode of blocks for the dynamic IP blacklist. Allowed values are: OFF, ALL, DENY_RULES_ONLY. The following count modes are available: OFF: Blocks on this mapping are not counted for the dynamic IP address blacklist. ALL: All blocks on this mapping are counted for the dynamic IP address blacklist. DENY_RULES_ONLY: Only deny rule blocks on this mapping are counted for the dynamic IP address blacklist.

data.attributes.botManagement.clientCookieSupportEnforced

Boolean

yes

If enabled, only clients implementing a Cookie-Store will be able to access the application through this mapping. In contrast to regular browsers, most bots do not implement a Cookie-Store and will therefore be blocked if this setting is enabled.

data.attributes.botManagement.wellKnownBots.allowed

Boolean

yes

Check the User-Agent to determine if a bot is well-known and do not block such bots. Clients indicating one of the following User-Agent headers are treated as well-known bots: Googlebot, bingbot, MSNBot, Baiduspider, YandexBot, archive.org_bot, DuckDuckBot.

data.attributes.botManagement.wellKnownBots.sourceDomainEnforced

Boolean

yes

If enabled, a reverse IP lookup for well-known bots is performed to verify that the client’s IP address belongs to the operator of a well-known bot. This prevents bots from pretending to be a well-known bot by sending a fake "User-Agent" header. The following domains are considered as domains of operators operating well-known bots: google.com, googlebot.com, search.msn.com, yahoo.net, baidu.com, baidu.jp, yandex.ru, yandex.net, yandex.com, archive.org, amazonaws.com (107.20.237.51, 23.21.226.191, 107.21.1.8, 54.208.102.37)

data.attributes.botManagement.customBots.allowed

Boolean

yes

If enabled custom bots are not blocked. Custom bots are identified by providing a "User-Agent" and "Domain" pattern.

data.attributes.botManagement.customBots.sourceDomainEnforced

Boolean

yes

Do not block bots whose source-domain matches the "domain pattern".

data.attributes.botManagement.customBots.userAgentPattern.pattern

String

yes

The actual pattern.

data.attributes.botManagement.customBots.userAgentPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.botManagement.customBots.userAgentPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.botManagement.customBots.domainPattern.pattern

String

yes

The actual pattern.

data.attributes.botManagement.customBots.domainPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.timeouts.backend

Number

yes

Defines the time (seconds) Airlock WAF will wait for the back-end response. In case the request runs into the timeout, Airlock WAF will send a redirect to the HTTP 503 Service unavailable error page with the corresponding HTTP 503 status code. If In-band Health Checks are configured, then such a request will be counted as a failed request, potentially leading to the back-end server being marked as bad.

data.attributes.timeouts.sessionIdle

Number

yes

Defines the minimum session idle time (seconds) of Airlock WAF for this mapping. The value will be ignored if the minimum session idle timeout is smaller than or equal to the global session idle timeout setting.

data.attributes.limits.general.maxRequestBodySize

Number

yes

This field limits the total size of the request body. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in a request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once.

data.attributes.limits.general.maxPathLength

Number

yes

Defines the maximum path length for requests to the current mapping (default: max 1024 bytes).

data.attributes.limits.http.maxParameters

Number

yes

Defines the maximum number of parameters inside the request (default: max 128 parameters).

data.attributes.limits.http.maxParameterNameLength

Number

yes

Defines the maximum length for a parameter name (default: max 128 bytes).

data.attributes.limits.http.maxParameterValueLength

Number

yes

Defines the maximum length for a parameter value (default: max 1024 bytes).

data.attributes.limits.json.enabled

Boolean

yes

Whether JSON limits are enabled.

data.attributes.limits.json.maxKeyLength

Number

yes

Defines the maximum length for a JSON key, also known as "JSON property" or "JSON object member" (default: max 256 bytes).

data.attributes.limits.json.maxValueLength

Number

yes

Defines the maximum JSON value length for requests to the current mapping (default: max 8192 bytes).

data.attributes.limits.json.maxNestingDepth

Number

yes

Defines the maximum depth of nesting for JSON objects and JSON arrays (default: max 100).

data.attributes.limits.json.maxKeys

Number

yes

Defines the maximum number of keys of a single JSON object (non-recursive, default: max 250).

data.attributes.limits.json.maxArrayItems

Number

yes

Defines the maximum number of items for a single JSON array (non-recursive, default: max 500).

data.attributes.limits.json.maxTotalEntries

Number

yes

Defines the maximum number of keys and array items in the whole JSON document (recursive, default: max 150000).

data.attributes.application.sessionHandling

String

yes

Allowed values are: ENFORCE_SESSION, OPTIONAL_SESSION, OPTIONAL_SESSION_NO_REFRESH, IGNORE_SESSION. The different modes have the following effects:
ENFORCE_SESSION: Sessions are enforced. If no session is available a new session is created.
OPTIONAL_SESSION: Sessions are optional. Existing sessions are used. If no session is available no session is used.
OPTIONAL_SESSION_NO_REFRESH: Same as "OPTIONAL_SESSION" but without refreshing session access timestamps. That is, requests use existing sessions if available but do not reset session idle times.
IGNORE_SESSION: Session handling is disabled. No sessions are created and existing sessions are ignored. This mode improves performance for delivery of anonymous stateless content, such as image directories or static web repositories.

data.attributes.application.controlApiAllowed

Boolean

yes

Specifies whether this service is allowed to use Airlock WAF’s back-end API via the control cookie mechanism. Normally, only the authentication application should be allowed to use the back-end control API of Airlock WAF.

data.attributes.application.environmentCookiesEnabled

Boolean

yes

Specifies whether this service should receive the Airlock WAF environment cookies that contain useful information about the connection to the client.

data.attributes.application.loadBalancingCookieEnabled

Boolean

yes

If enabled, load balancing information is sent to the client in a load balancing cookie. Disable if no load balancing is needed and no cookie should be generated for this purpose.

data.attributes.application.webSocketsAllowed

Boolean

yes

Enables support for WebSockets protocol as defined in RFC 6455.

data.attributes.application.redirectForErrorPageEnabled

Boolean

yes

If enabled, Airlock WAF will deliver error pages by sending an HTTP redirect pointing to the error page to its clients. Otherwise the error page will be directly returned.

data.attributes.application.encryptedCookies.enabled

Boolean

yes

Enables encryption of cookies which are sent to the client.

data.attributes.application.encryptedCookies.prefix

String

yes

Regular expression for cookies that should be cryptographically encrypted before being sent to the client. All cookies that have names which match the regular expression are encrypted and digitally signed with a secret key derived from a pass phrase when sent to the client. They are decrypted and verified when sent to the back-end service. Because the pass-phrase-based key is used, such cookies are valid over several sessions and can also be persistent on the client’s machine. Such cookies protect the application from manipulated cookie contents and hide the content from the user.

data.attributes.application.passthroughCookies.enabled

Boolean

yes

Enables 'Passthrough Cookies'. Passthrough Cookies are cookies which are sent in plain format to the client.

data.attributes.application.passthroughCookies.prefix

String

yes

Regular expression to select cookies that should be treated as 'Passthrough Cookies'. Passthrough cookies are not recommended because they are often a carrier for cookie poisoning based web application attacks that can result in buffer overflows etc.

data.attributes.application.request.charset

String

yes

Parameter values that are sent in HTTP requests from the client are interpreted by Airlock WAF as if they were encoded using the given charset. If Airlock WAF detects that the charset does not match, it tries to use the fallback charset.

data.attributes.application.response.compressionAllowed

Boolean

yes

Specifies whether Airlock WAF should compress the output on-the-fly for the client browser (if supported and requested by the browser). Warning: Allowing compression for data served through SSL/TLS virtual hosts may affect the secrecy of the data.

data.attributes.application.response.stripCommentsEnabled

Boolean

yes

If enabled, Airlock WAF removes HTML comments.

data.attributes.application.response.header.location.rewrites[].enabled

Boolean

yes

Whether rewrites are enabled.

data.attributes.application.response.header.location.rewrites[].urlPattern.pattern

String

yes

The actual pattern.

data.attributes.application.response.header.location.rewrites[].urlPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.application.response.header.location.rewrites[].replaceWith

String

yes

This is the target string which will replace the string matched by URL pattern.

data.attributes.application.response.json.rewrites[].enabled

Boolean

yes

Whether rewrites are enabled.

data.attributes.application.response.json.rewrites[].path

String

yes

A response from the back-end server is rewritten only if the JSON path matches this regular expression.

data.attributes.application.response.json.rewrites[].contentPattern.pattern

String

yes

The actual pattern.

data.attributes.application.response.json.rewrites[].contentPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.application.response.json.rewrites[].replaceWith

String

yes

This is the target string which will replace the string matched by Content Pattern.

data.attributes.application.response.body.rewrites[].enabled

Boolean

yes

Whether rewrites are enabled.

data.attributes.application.response.body.rewrites[].contentType

String

yes

A response from the back-end server is rewritten only if the response header Content-Type matches this regular expression.

data.attributes.application.response.body.rewrites[].contentPattern.pattern

String

yes

The actual pattern.

data.attributes.application.response.body.rewrites[].contentPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.application.response.body.rewrites[].replaceWith

String

yes

This is the target string which will replace the string matched by Content Pattern.

data.attributes.application.response.html.rewrites[].enabled

Boolean

yes

Whether rewrites are enabled.

data.attributes.application.response.html.rewrites[].urlPattern.pattern

String

yes

The actual pattern.

data.attributes.application.response.html.rewrites[].urlPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.application.response.html.rewrites[].uris

Boolean

yes

Apply rule to linked HTML elements like href, src, etc.

data.attributes.application.response.html.rewrites[].events

Boolean

yes

Apply rule to JavaScript event strings such as onsubmit, onload, etc.

data.attributes.application.response.html.rewrites[].embedded

Boolean

yes

Apply rule to <script> and <style> blocks embedded in the HTML page.

data.attributes.application.response.html.rewrites[].replaceWith

String

yes

This is the target string which will replace the string matched by URL Pattern.

data.attributes.application.response.errorPage.rewrites[].enabled

Boolean

yes

Whether rewrites are enabled.

data.attributes.application.response.errorPage.rewrites[].statusContentPattern

String

yes

The HTTP status code pattern.

data.attributes.application.response.errorPage.rewrites[].replaceWith

String

yes

This is the target string which will replace the string matched by HTTP status content pattern.

data.attributes.apiSecurity.treatPathSegmentsAsParamValues

Boolean

yes

If enabled, each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it.

data.attributes.apiSecurity.openApiEnforced

Boolean

yes

Specifies whether traffic to/from this service shall be checked against an API specification provided in the OpenAPI format. If enforced, traffic not conforming to the API specification will be blocked.

data.attributes.apiSecurity.openApiCheckResponsesEnabled

Boolean

yes

Check responses against the API specification.

data.attributes.apiSecurity.logOnly

Boolean

yes

If enabled, potential attack requests are only logged but not blocked.

data.attributes.apiSecurity.openApiPathMatching

String

yes

Run OpenAPI path matching against client or server view of request/response.

data.attributes.apiSecurity.openApiPublishSpecificationEnabled

Boolean

yes

Allow clients to download the API specification.

data.attributes.apiSecurity.openApiPublishSpecificationPath

String

yes

External path to the API specification. Note that the entry path will be added in front of it.

data.attributes.apiSecurity.apiPolicyServiceEnabled

Boolean

yes

Enables API policy service.

data.attributes.apiSecurity.apiPolicyServiceId

Number

yes

ID of the API policy service.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.enabled

Boolean

yes

If enabled, Airlock WAF will extract the API key from the specific header.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.pattern

String

yes

The actual pattern.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.replaceWith

String

yes

The rewrite expression for the header extraction.

data.attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.enabled

Boolean

yes

If enabled, Airlock WAF will extract the API key from the specific query parameter.

data.attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.parameterName

String

yes

Specifies the name of the query parameter.

data.attributes.apiSecurity.apiPolicyKeyExtractionCookie.enabled

Boolean

yes

If enabled, Airlock WAF will extract the API key from the specific cookie.

data.attributes.apiSecurity.apiPolicyKeyExtractionCookie.cookieName

String

yes

Specifies the name of the cookie.

data.attributes.apiSecurity.jsonParser.enabled

Boolean

yes

If set to true, Airlock WAF parses JSON objects in requests and filters JSON attributes with allow rules and deny rules. JSON objects are parsed only if their content-type matches the specified pattern.

data.attributes.apiSecurity.jsonParser.contentTypePattern.pattern

String

yes

The actual pattern.

data.attributes.apiSecurity.jsonParser.contentTypePattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.apiSecurity.jsonParser.contentTypePattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.dosAttackPrevention.enabled

Boolean

yes

Enables DoS attack prevention filter.

data.attributes.dosAttackPrevention.maxRequestsPerInterval

Number

yes

Maximum requests allowed per IP address.

data.attributes.dosAttackPrevention.interval

Number

yes

Interval for measurement of allowed requests per IP address (seconds).

data.attributes.dosAttackPrevention.whitelistIpPattern

Object

yes

Reference to an IP pattern that acts as whitelist. All source IPs matching this pattern will be excluded from the session limit per IP restriction. This is typically used if you have many users having the same source IP (i.e. proxy).

data.attributes.dosAttackPrevention.whitelistIpPattern.pattern

String

yes

The actual pattern.

data.attributes.dosAttackPrevention.whitelistIpPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.requestBodyStreaming.enabled

Boolean

yes

Controls whether request body streaming is used or not. If set, only requests matching all three regular expression patterns will be streamed. Empty fields have the same effect as the pattern ^.*$

data.attributes.requestBodyStreaming.httpMethodPattern

Object

yes

Only requests whose HTTP method matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.pathPattern

Object

yes

Only requests whose path matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.contentTypePattern

Object

yes

Only requests whose content type header matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.httpMethodPattern.pattern

String

yes

The actual pattern.

data.attributes.requestBodyStreaming.httpMethodPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.requestBodyStreaming.httpMethodPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.requestBodyStreaming.pathPattern.pattern

String

yes

The actual pattern.

data.attributes.requestBodyStreaming.pathPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.requestBodyStreaming.pathPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.requestBodyStreaming.contentTypePattern.pattern

String

yes

The actual pattern.

data.attributes.requestBodyStreaming.contentTypePattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.requestBodyStreaming.contentTypePattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.httpParameterPollutionDetection.mixedTypes

Object

yes

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving both HTTP GET and HTTP POST parameters (thus involving parameters of different/mixed types).

data.attributes.httpParameterPollutionDetection.sameType

Object

yes

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving only HTTP GET or only HTTP POST parameters (thus involving only parameters of the same type).

data.attributes.httpParameterPollutionDetection.mixedTypes.enabled

Boolean

yes

If enabled, requests containing HTTP GET and HTTP POST parameters of the same name are blocked to prevent HPP attacks.

data.attributes.httpParameterPollutionDetection.mixedTypes.logOnly

Boolean

yes

If true, potential HPP attack requests are only logged but not blocked.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern

Object

yes

Parameters named with a name matching this regular expression pattern will be ignored by the HPP detection.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.pattern

String

yes

The actual pattern.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.caseIgnored

Boolean

yes

Whether to ignore case.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.inverted

Boolean

yes

Whether to invert the match.

data.attributes.httpParameterPollutionDetection.sameType.enabled

Boolean

yes

If enabled, parameters with the same name and type (HTTP GET or POST) are joined together into one parameter before filtering to prevent HPP attacks. Note: For the filtering itself, a deny rule like the default deny rule '(default) HTTP Parameter Pollution' has to be configured.

data.attributes.expertSettings.securityGate

Object

yes

Expert settings for the Security Gate.

data.attributes.expertSettings.apache

Object

yes

Expert settings for the Apache web listener.

data.attributes.expertSettings.securityGate.enabled

Boolean

yes

Whether the expert settings are enabled.

data.attributes.expertSettings.securityGate.settings

String

yes

The expert settings for the Security Gate.

data.attributes.expertSettings.apache.enabled

Boolean

yes

Whether the expert settings are enabled.

data.attributes.expertSettings.apache.settings

String

yes

The expert settings for the Apache web listener.

data.attributes.locking.enabled

Boolean

yes

If true, the state of the attribute locks is displayed in Airlock WAF’s Configuration Center for this mapping.

data.attributes.locking.labels

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.backendPath

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.threatHandling

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.enableMaintenancePage

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.operationalMode

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.restrictions

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.clientCertificateAuthentication

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.authenticationFlow

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.backendLogoutUrl

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.ntlmPassthroughEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokensEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.deniedUrl.value

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.deniedUrl.mode

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.credentialsPropagation.mandatory

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.credentialsPropagation.type

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.type

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jwsAlgorithm

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jwsKey

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jweAlgorithm

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jweKey

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.expiryCheckEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.expiryCheckSkew

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.claimRestrictions

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.roleExtractions

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.extractTechnicalClientIdEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.extractTechnicalClientIdName

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.setAuditTokenFromSubjectEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.presenceMandatoryEnforced

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.headerExtraction.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.headerExtraction.extractionPattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.headerExtraction.replaceWith

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.parameterExtraction.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.parameterExtraction.name

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.cookieExtraction.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.cookieExtraction.name

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.entryPath.settings

Boolean

yes

Lock for the corresponding member. Note that this lock affects both the EntryPath’s 'value' and 'ignoreCase'.

data.attributes.locking.entryPath.regexFormatEnforced

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.entryPath.priority

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.ipRules.ipAddressWhitelists.logOnly

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.ipRules.ipAddressBlacklists.logOnly

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.ipRules.dynamicIpAddressBlacklist.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.ipRules.dynamicIpAddressBlacklist.countMode

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.botManagement.clientCookieSupportEnforced

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.botManagement.wellKnownBots.allowed

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.botManagement.wellKnownBots.sourceDomainEnforced

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.allowed

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.sourceDomainEnforced

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.userAgentPattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.domainPattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.timeouts.backend

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.timeouts.sessionIdle

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.general.maxRequestBodySize

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.general.maxPathLength

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.http.maxParameters

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.http.maxParameterNameLength

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.http.maxParameterValueLength

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.json.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.json.maxKeyLength

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.json.maxValueLength

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.json.maxNestingDepth

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.json.maxArrayItems

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.json.maxKeys

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.limits.json.maxTotalEntries

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.sessionHandling

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.controlApiAllowed

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.environmentCookiesEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.loadBalancingCookieEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.webSocketsAllowed

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.redirectForErrorPageEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.encryptedCookies.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.encryptedCookies.prefix

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.passthroughCookies.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.passthroughCookies.prefix

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.request.charset

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.response.compressionAllowed

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.response.stripCommentsEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.response.header.location.rewrites

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.response.json.rewrites

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.response.body.rewrites

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.response.html.rewrites

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.application.response.errorPage.rewrites

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.treatPathSegmentsAsParamValues

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiEnforced

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiCheckResponsesEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiDocumentId

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.logOnly

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiPathMatching

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiPublishSpecificationEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiPublishSpecificationPath

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyServiceEnabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyServiceId

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.jsonParser.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.jsonParser.contentTypePattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.replaceWith

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionQueryParameter.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionQueryParameter.parameterName

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionCookie.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionCookie.cookieName

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.maxRequestsPerInterval

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.interval

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.whitelistIpPattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.httpMethodPattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.pathPattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.contentTypePattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.icap.request.clientViews

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.icap.request.backendViews

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.icap.response.backendViews

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.icap.response.clientViews

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.mixedTypes.enabled

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.mixedTypes.logOnly

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern

Boolean

yes

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.sameType.enabled

Boolean

yes

Lock for the corresponding member.

data.type

String

yes

The data type sent to the server. Must be set to "mapping" for this call.
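The following added example (not part of the Airlock documentation or product) audits a mapping document in the request structure above for settings that the field descriptions themselves caution about. The sample document is constructed, and the function names and the selection of rules are assumptions of this example.

```python
import json

# Constructed sample: part of a mapping document built from field paths in the
# reference above. Values are chosen to trigger the checks, not real config.
SAMPLE_MAPPING = json.loads("""
{
  "data": {
    "type": "mapping",
    "attributes": {
      "botManagement": {
        "wellKnownBots": {"allowed": true, "sourceDomainEnforced": false},
        "customBots": {"allowed": false, "sourceDomainEnforced": false}
      },
      "limits": {
        "general": {"maxRequestBodySize": 0, "maxPathLength": 1024},
        "json": {"enabled": false}
      },
      "application": {
        "controlApiAllowed": false,
        "passthroughCookies": {"enabled": true, "prefix": "^legacy_"},
        "response": {"compressionAllowed": true}
      },
      "apiSecurity": {"openApiEnforced": true, "logOnly": true},
      "httpParameterPollutionDetection": {
        "mixedTypes": {"enabled": true, "logOnly": false}
      }
    }
  }
}
""")

A = "data.attributes."
_MISSING = object()


def get_path(doc, dotted):
    """Resolve a dotted path such as 'data.attributes.limits.json.enabled'."""
    node = doc
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def _equals(path, expected):
    def check(doc):
        value = get_path(doc, A + path)
        # Comparing types keeps False from matching 0 and True from matching 1.
        return type(value) is type(expected) and value == expected
    return check


def _bots_trust_user_agent(kind):
    def check(doc):
        allowed = get_path(doc, f"{A}botManagement.{kind}.allowed")
        enforced = get_path(doc, f"{A}botManagement.{kind}.sourceDomainEnforced")
        return allowed is True and enforced is False
    return check


# (path below data.attributes, check, reason drawn from the field description).
# Fields absent from the document are not judged: their effective value is unknown.
RULES = [
    ("botManagement.wellKnownBots.sourceDomainEnforced",
     _bots_trust_user_agent("wellKnownBots"),
     "well-known bots are allowed without the reverse IP lookup, so a fake User-Agent is enough"),
    ("botManagement.customBots.sourceDomainEnforced",
     _bots_trust_user_agent("customBots"),
     "custom bots are allowed without checking the source domain"),
    ("limits.general.maxRequestBodySize", _equals("limits.general.maxRequestBodySize", 0),
     "0 means the request body size is unlimited"),
    ("limits.json.enabled", _equals("limits.json.enabled", False),
     "JSON limits (lengths, nesting depth, entry counts) are switched off"),
    ("application.controlApiAllowed", _equals("application.controlApiAllowed", True),
     "normally only the authentication application should use the control API"),
    ("application.passthroughCookies.enabled",
     _equals("application.passthroughCookies.enabled", True),
     "passthrough cookies are sent in plain format and are not recommended"),
    ("application.response.compressionAllowed",
     _equals("application.response.compressionAllowed", True),
     "compression on SSL/TLS virtual hosts may affect the secrecy of the data"),
    ("apiSecurity.logOnly", _equals("apiSecurity.logOnly", True),
     "potential attack requests are only logged, not blocked"),
    ("httpParameterPollutionDetection.mixedTypes.logOnly",
     _equals("httpParameterPollutionDetection.mixedTypes.logOnly", True),
     "potential HPP requests are only logged, not blocked"),
]


def audit_mapping(doc):
    """Return (full field path, reason) for every rule the document triggers."""
    if get_path(doc, "data.type") != "mapping":
        raise ValueError('data.type must be "mapping" for this call')
    return [(A + path, reason) for path, check, reason in RULES if check(doc)]


if __name__ == "__main__":
    for path, reason in audit_mapping(SAMPLE_MAPPING):
        print(f"{path}: {reason}")
```

Run it against a mapping document before it is sent or activated; an empty result only means none of these particular rules fired.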

Response structure

Path Type Description

meta.type

String

The JSON API meta type, which is: "jsonapi.metadata.document"

meta.timestamp

String

The current server time as a timestamp.

data.type

String

The data type of the resource. Must be "mapping" for this call.

data.id

String

The ID of the resource to be addressed.

data.attributes.name

String

The unique name of the mapping.

data.attributes.labels

Array

Assigned Labels (freely defined textual tags). Labels allow grouping of mappings with a common aspect, e.g., all mappings belonging to the same application.

data.attributes.tenant

String

Tenant of the mapping.

data.attributes.backendPath

String

The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server.

data.attributes.threatHandling

String

Defines how policy violations, e.g., missing allow rules, matching deny rules, URL encryption and form protection violations, are handled. Allowed values are: BLOCK, TERMINATE_SESSION, NOTIFY. Effects of the different values:
BLOCK: Requests violating policies are blocked. The session (if available) remains valid.
TERMINATE_SESSION: Requests violating policies are blocked. The session (if available) is terminated.
NOTIFY: Requests violating policies are not blocked. The violation is logged and notified.

data.attributes.operationalMode

String

Specifies whether this mapping runs in standard "Production" mode or in the so-called "Integration" mode. In Integration mode Airlock WAF logs more information about all requests and responses (which may decrease Airlock WAF’s performance). Allowed values are: PRODUCTION, INTEGRATION

data.attributes.enableMaintenancePage

Boolean

Enable maintenance page.

data.attributes.entryPath.value

String

The entry path specifies the external URL path the mapping should be available under. For each incoming request, Airlock WAF compares the URL with the entry path to find the right mapping.

data.attributes.entryPath.regexFormatEnforced

Boolean

Whether the entry path (the external URL path of the mapping) should be interpreted as regular expression or not.

data.attributes.entryPath.ignoreCase

Boolean

Whether the entry path should be case sensitive.

data.attributes.entryPath.priority

Number

The priority is an integer number that specifies the importance (or order) of a mapping. It has been introduced to guarantee a deterministic selection of the mapping for a given request path. The value can be between -999 (highest priority) and 999 (lowest priority). The priority must be unique among all regular expression mappings. Only non regular expression mappings may share the same priority. In this case, the directories are ordered by length, i.e. the longest match wins.

data.attributes.access.clientCertificateAuthentication

String

Specifies whether accessing this mapping requires the client to authenticate with a valid SSL client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED Description of the values: NOT_REQUIRED: The mapping uses the client certificate settings of the virtual host. OPTIONAL: The client may send a certificate if available, but access is still allowed without. The optional setting is normally used in combination with an authentication service that presents an alternative login page if no certificate is sent. You should not use the 'optional' setting without this additional authentication service check. REQUIRED: The client must send a valid certificate. If no client certificate is sent, the SSL handshake is cancelled and the browser typically presents the user with a technical error message.

data.attributes.access.authenticationFlow

String

Allowed values are: REDIRECT, DENY_ACCESS, ONE_SHOT, ONE_SHOT_WITH_BODY, FRONT_SIDE_NTLM Description: REDIRECT: If the required role for the mapping is missing on the current session, Airlock WAF will send a redirect (HTTP 303) to either the global or the custom denied access URL. This mode is typically used in conjunction with user operated clients. DENY_ACCESS: Airlock WAF will directly send an access denied (HTTP 403) response to the client if the required role is missing. This is typically used for technical clients. ONE_SHOT: When this option is selected and Airlock WAF receives an incoming request for this mapping that needs to be authenticated, Airlock WAF implicitly (without redirect) forwards the request to the configured denied access URL for this mapping. The request headers are forwarded but no request body. After the forwarded request, Airlock WAF checks again if the session is now authenticated. If so, the original request is passed to the back-end server (successful one-shot authentication). If the session does not have the required credentials even after the one-shot request, Airlock WAF will send an access denied (HTTP 403) response to the client. ONE_SHOT_WITH_BODY: This is the same as with the "one-shot" option with two notable differences: The whole body of the request is also sent to the denied access URL for this mapping and the request method is always POST instead of GET. FRONT_SIDE_NTLM: Choose the front-side NTLM authentication flow to support authentication using NTLM. The front-side NTLM authentication flow is similar to the "one-shot" authentication flow, but also forwards all requests containing an "Authorization" header with value "NTLM .*" to the denied access URL. For successful authentication, NTLM must be supported by the authentication service.

data.attributes.access.backendLogoutUrl

String

Whenever an Airlock WAF session terminates (either due to an explicit logout by the user or due to a session timeout), Airlock WAF will call the given, unmodified path on the currently used back-end host with all information concerning this back-end application such as cookies, headers, etc. to allow clean session termination on the backend host.

data.attributes.access.ntlmPassthroughEnabled

Boolean

Airlock WAF is enabled to handle HTTP connections with transparent client to back-end NTLM authentication. Since the authorization of NTLM authenticated connections is bound to the underlying TCP connection, the client and back-end connections are correlated as soon as a NTLM handshake is detected. These one-to-one bindings of client and back-end connections exist until client connections are closed. It is guaranteed that no back-end connection authenticated using NTLM is ever reused by another client connection. NTLM has well-known security flaws. We strongly recommend adding additional security measures when exposing NTLM authentication to the Internet. If possible, Kerberos should be preferred over NTLM, as suggested by Microsoft.

data.attributes.access.tokensEnabled

Boolean

Whether access tokens should be processed.

data.attributes.access.restrictions[].enabled

Boolean

Controls whether access restriction is used or not.

data.attributes.access.restrictions[].httpMethodPattern.pattern

String

The actual pattern.

data.attributes.access.restrictions[].httpMethodPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.restrictions[].httpMethodPattern.inverted

Boolean

Whether to invert the match.

data.attributes.access.restrictions[].entryPathPattern.pattern

String

The actual pattern.

data.attributes.access.restrictions[].entryPathPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.restrictions[].entryPathPattern.inverted

Boolean

Whether to invert the match.

data.attributes.access.restrictions[].authorizedRoles[]

Array

Specifies a list of mandatory roles. Only sessions which have at least one of these roles will be able to access the service.

data.attributes.access.restrictions[].authorizedPlans[]

Array

Specifies a list of mandatory plans. Only sessions which have at least one of these plans will be able to access the service.

data.attributes.access.deniedUrl.value

String

Defines the location (URL) of the authentication service. In case the required role for the mapping is missing on the current session, Airlock WAF will redirect the client to this location.

data.attributes.access.deniedUrl.mode

String

Use Global (default) will use the global denied access URL as configured under the menu Application Firewall - Session - Access Control. Custom will use a mapping specific denied access URL. Allowed values are: GLOBAL, CUSTOM

data.attributes.access.credentialsPropagation.mandatory

Boolean

If true and the selected SSO credentials are missing, access to the mapping is denied and Airlock WAF will redirect to either the global or the custom denied access URL.

data.attributes.access.credentialsPropagation.type

String

Defines if SSO credentials set by the control API will be forwarded to the back-end application or not. These credentials are typically set by the authentication service upon successful authentication. Allowed values are: NONE, BASIC_AUTH, KERBEROS, NTLM. Description of the values: NONE: Even if Basic-Auth or NTLM credentials set by the control API are present, Airlock WAF will not forward them to the back-end application. Access to the mapping is granted without any SSO credentials. BASIC_AUTH: If Basic-Auth credentials set by the control API are present, Airlock WAF will forward them to the back-end application. KERBEROS: If a Kerberos user is set by the control API, Airlock WAF will acquire and send a service ticket to the back-end application. NTLM: If NTLM credentials set by the control API are present, Airlock WAF will forward them to the back-end application.

data.attributes.access.tokenTransport.presenceMandatoryEnforced

Boolean

If not enforced, requests without a token are accepted. However, if a token is present, it is extracted and validated and the configured restrictions and role extractions are applied.

data.attributes.access.tokenTransport.headerExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific header.

data.attributes.access.tokenTransport.headerExtraction.extractionPattern.pattern

String

The actual pattern.

data.attributes.access.tokenTransport.headerExtraction.extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.tokenTransport.headerExtraction.replaceWith

String

The rewrite expression for the header extraction.

data.attributes.access.tokenTransport.parameterExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific query parameter.

data.attributes.access.tokenTransport.parameterExtraction.name

String

Specifies the name of the query parameter.

data.attributes.access.tokenTransport.cookieExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific cookie.

data.attributes.access.tokenTransport.cookieExtraction.name

String

Specifies the name of the cookie.

data.attributes.access.tokenVerification.type

String

Airlock supports three types of JWT tokens. Allowed values are: JWS, JWE, JWS_JWE

data.attributes.access.tokenVerification.jwsAlgorithm

String

Supported algorithms. Allowed values are: HS_256, HS_384, HS_512, RS_256, RS_384, RS_512, PS_256, PS_384, PS_512

data.attributes.access.tokenVerification.jwsKey

String

A public key in x509 format or the passphrase, depending on the selected algorithm.

data.attributes.access.tokenVerification.jweAlgorithm

String

Supported algorithms. Allowed values are: A_128_CBC_HS_256, A_192_CBC_HS_384, A_256_CBC_HS_512, A_256_GCM

data.attributes.access.tokenVerification.jweKey

String

Your secret passphrase for the symmetric encryption.

data.attributes.access.tokenVerification.expiryCheckEnabled

Boolean

If enabled the JWT standard claims expiry (exp) and not before (nbf) will be checked and must be valid.

data.attributes.access.tokenVerification.expiryCheckSkew

Number

The allowed skew when checking expiry / not before in seconds. This can be used if verification fails because of time synchronization issues with the token issuer and your Airlock WAF.

data.attributes.access.tokenVerification.claimRestrictions[].enabled

Boolean

Enable/disable this claim extraction rule.

data.attributes.access.tokenVerification.claimRestrictions[].name

String

Name of the claim you want to restrict.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.pattern

String

The actual pattern.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.inverted

Boolean

Whether to invert the match.

data.attributes.access.tokenVerification.roleExtractions[].enabled

Boolean

Enable/disable this claim extraction rule.

data.attributes.access.tokenVerification.roleExtractions[].name

String

Name of the claim you want to extract a role from.

data.attributes.access.tokenVerification.roleExtractions[].extractionPattern.pattern

String

The actual pattern.

data.attributes.access.tokenVerification.roleExtractions[].extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.tokenVerification.roleExtractions[].replaceWith

String

The rewrite expression of the role.

data.attributes.access.tokenVerification.roleExtractions[].tokenLifetimeAsRoleLifetimeEnforced

Boolean

If enforced the expiry claim (exp) of the JWT will be used as the role lifetime.

data.attributes.access.tokenVerification.extractTechnicalClientIdEnabled

Boolean

Extract a technical client ID from JWT.

data.attributes.access.tokenVerification.extractTechnicalClientIdName

String

Name of the claim to extract as technical client ID.

data.attributes.access.tokenVerification.setAuditTokenFromSubjectEnabled

Boolean

Extract the 'sub' claim from the JWT and use its value as audit token of the current Airlock WAF session.

data.attributes.ipRules.ipAddressWhitelists.logOnly

Boolean

If true requests whose source IP address is not contained in one of the configured IP Whitelists are only logged but not blocked.

data.attributes.ipRules.ipAddressBlacklists.logOnly

Boolean

If true requests whose source IP address is contained in one of the configured IP Blacklists are only logged but not blocked.

data.attributes.ipRules.ipAddressBlacklists.webrootThreatCategories

String

Defines which threat categories should be blocked. Allowed values are: SPAM_SOURCES, WINDOWS_EXPLOITS, WEB_ATTACKS, BOT_NETS, SCANNERS, DENIAL_OF_SERVICE, PHISHING, PROXY, MOBILE_THREATS, TOR_PROXY. Threat categories blocked through the different values: SPAM_SOURCES: The Spam Sources category includes IP addresses involved in tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities. WINDOWS_EXPLOITS: The Windows Exploits category includes IP addresses participating in the distribution of malware, shell code, rootkits, worms or viruses for Windows platforms. WEB_ATTACKS: The Web Attacks category includes IP addresses using cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force attacks to target vulnerabilities on a web server. BOT_NETS: The Botnets category includes IP addresses acting as Botnet Command and Control (C&C) centers, and infected zombie machines controlled by the C&C servers. SCANNERS: The Scanners category includes IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning and brute force login attempts. DENIAL_OF_SERVICE: The Denial of Services category includes IP addresses involved in DOS or DDOS attacks, anomalous sync flood, or anomalous traffic. PHISHING: The Phishing category includes IP addresses hosting phishing sites and sites related to other kinds of fraudulent activities. PROXY: The Proxy category includes IP addresses providing proxy services, including both VPN and open web proxy services. MOBILE_THREATS: The Mobile Threats category includes IP addresses associated with malicious and unwanted mobile applications. TOR_PROXY: The Tor Proxy category includes IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.

data.attributes.ipRules.dynamicIpAddressBlacklist.enabled

Boolean

Enables blocking of IPs on the dynamic IP address blacklist.

data.attributes.ipRules.dynamicIpAddressBlacklist.countMode

String

Defines the counting mode of blocks for dynamic IP blacklist. Allowed values are: OFF, ALL, DENY_RULES_ONLY. Following count modes are available: OFF: Blocks on this mapping are not counted for the dynamic IP address blacklist. ALL: All blocks on this mapping are counted for the dynamic IP address blacklist. DENY_RULES_ONLY: Only deny rule blocks on this mapping are counted for the dynamic IP address blacklist.

data.attributes.botManagement.clientCookieSupportEnforced

Boolean

If enabled, only clients implementing a Cookie-Store will be able to access the application through this mapping. In contrast to regular browsers, most bots do not implement a Cookie-Store and will therefore be blocked if this setting is enabled.

data.attributes.botManagement.wellKnownBots.allowed

Boolean

Check the User-Agent to determine if a bot is well-known and do not block such bots. Clients indicating one of the following User-Agent headers are treated as well-known bots: Googlebot, bingbot, MSNBot, Baiduspider, YandexBot, archive.org_bot, DuckDuckBot.

data.attributes.botManagement.wellKnownBots.sourceDomainEnforced

Boolean

If enabled, a reverse IP lookup for well-known bots is performed to verify that the client’s IP address belongs to the operator of a well-known bot. This prevents bots from pretending to be a well-known bot by sending a fake "User-Agent" header. The following domains are considered as domains of operators operating well-known bots: google.com, googlebot.com, search.msn.com, yahoo.net, baidu.com, baidu.jp, yandex.ru, yandex.net, yandex.com, archive.org, amazonaws.com (107.20.237.51, 23.21.226.191, 107.21.1.8, 54.208.102.37)

data.attributes.botManagement.customBots.allowed

Boolean

If enabled custom bots are not blocked. Custom bots are identified by providing a "User-Agent" and "Domain" pattern.

data.attributes.botManagement.customBots.sourceDomainEnforced

Boolean

Do not block bots whose source-domain matches the "domain pattern".

data.attributes.botManagement.customBots.userAgentPattern.pattern

String

The actual pattern.

data.attributes.botManagement.customBots.userAgentPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.botManagement.customBots.userAgentPattern.inverted

Boolean

Whether to invert the match.

data.attributes.botManagement.customBots.domainPattern.pattern

String

The actual pattern.

data.attributes.botManagement.customBots.domainPattern.inverted

Boolean

Whether to invert the match.

data.attributes.timeouts.backend

Number

Defines the time (seconds) Airlock WAF will wait for the back-end response. In case the request runs into the timeout, Airlock WAF will send a redirect to the HTTP 503 Service unavailable error page with the corresponding HTTP 503 status code. If In-band Health Checks are configured, then such a request will be counted as a failed request, potentially leading to the back-end server being marked as bad.

data.attributes.timeouts.sessionIdle

Number

Defines the minimum session idle time (seconds) of Airlock WAF for this mapping. The value will be ignored if the minimum session idle timeout is smaller than or equal to the global session idle timeout setting.

data.attributes.limits.general.maxRequestBodySize

Number

This field limits the total size of the request body. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in a request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once.

data.attributes.limits.general.maxPathLength

Number

Defines the maximum path length for requests to the current mapping (default: max 1024 bytes).

data.attributes.limits.http.maxParameters

Number

Defines the maximum number of parameters inside the request (default: max 128 parameters).

data.attributes.limits.http.maxParameterNameLength

Number

Defines the maximum length for a parameter name (default: max 128 bytes).

data.attributes.limits.http.maxParameterValueLength

Number

Defines the maximum length for a parameter value (default: max 1024 bytes).

data.attributes.limits.json.enabled

Boolean

Whether JSON limits are enabled.

data.attributes.limits.json.maxKeyLength

Number

Defines the maximum length for a JSON key, also known as "JSON property" or "JSON object member" (default: max 256 bytes)

data.attributes.limits.json.maxValueLength

Number

Defines the maximum json value length for requests to the current mapping (default: max 8192 bytes).

data.attributes.limits.json.maxNestingDepth

Number

Defines the maximum depth of nesting for JSON objects and JSON arrays (default: max 100).

data.attributes.limits.json.maxKeys

Number

Defines the maximum number of keys of a single JSON object (non-recursive, default: max 250).

data.attributes.limits.json.maxArrayItems

Number

Defines the maximum number of items for a single JSON array (non-recursive, default: max 500).

data.attributes.limits.json.maxTotalEntries

Number

Defines the maximum number of keys and array items in the whole JSON document (recursive, default: max 150000).

data.attributes.application.sessionHandling

String

Allowed values are: ENFORCE_SESSION, OPTIONAL_SESSION, OPTIONAL_SESSION_NO_REFRESH, IGNORE_SESSION The different modes have the following effects: ENFORCE_SESSION: Sessions are enforced. If no session is available a new session is created. OPTIONAL_SESSION: Sessions are optional. Existing sessions are used. If no session is available no session is used. OPTIONAL_SESSION_NO_REFRESH: Same as "OPTIONAL_SESSION" but without refreshing session access timestamps. That is, requests use existing sessions if available but do not reset session idle times. IGNORE_SESSION: Session handling is disabled. No sessions are created and existing sessions are ignored. This mode improves performance for delivery of anonymous stateless content, such as image directories or static web repositories.

data.attributes.application.controlApiAllowed

Boolean

Specifies whether this service is allowed to use Airlock WAF’s back-end API via the control cookie mechanism. Normally, only the authentication application should be allowed to use the back-end control API of Airlock WAF.

data.attributes.application.environmentCookiesEnabled

Boolean

Specifies whether this service should receive the Airlock WAF environment cookies that contain useful information about the connection to the client.

data.attributes.application.loadBalancingCookieEnabled

Boolean

If enabled, load balancing information is sent to the client in a load balancing cookie. Disable if no load balancing is needed and no cookie should be generated for this purpose.

data.attributes.application.webSocketsAllowed

Boolean

Enables support for WebSockets protocol as defined in RFC 6455.

data.attributes.application.redirectForErrorPageEnabled

Boolean

If enabled Airlock WAF will deliver error pages by sending a HTTP redirect pointing to the error page to its clients. Otherwise the error page will be directly returned.

data.attributes.application.encryptedCookies.enabled

Boolean

Enables encryption of cookies which are sent to the client.

data.attributes.application.encryptedCookies.prefix

String

Regular expression for cookies that should be cryptographically encrypted before being sent to the client. All cookies that have names which match the regular expression are encrypted and digitally signed with a secret key derived from a pass phrase when sent to the client. They are decrypted and verified when sent to the back-end service. Because the pass-phrase-based key is used, such cookies are valid over several sessions and can also be persistent on the client’s machine. Such cookies protect the application from manipulated cookie contents and hide the content from the user.

data.attributes.application.passthroughCookies.enabled

Boolean

Enables 'Passthrough Cookies'. Passthrough Cookies are cookies which are sent in plain format to the client.

data.attributes.application.passthroughCookies.prefix

String

Regular expression to select cookies that should be treated as 'Passthrough Cookies'. Passthrough cookies are not recommended because they are often a carrier for cookie poisoning based web application attacks that can result in buffer overflows etc.

data.attributes.application.request.charset

String

Parameter values that are sent in HTTP requests from the client are interpreted by Airlock WAF as if they were encoded using the given charset. If Airlock WAF detects that the charset does not match it tries to use the fallback charset.

data.attributes.application.response.compressionAllowed

Boolean

Specifies whether Airlock WAF should compress the output on-the-fly for the client browser (if supported and requested by the browser). Warning: Allowing compression for data served through SSL/TLS virtual hosts may affect the secrecy of the data.

data.attributes.application.response.stripCommentsEnabled

Boolean

If enabled, Airlock WAF removes HTML comments.

data.attributes.application.response.header.location.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.header.location.rewrites[].urlPattern.pattern

String

The actual pattern.

data.attributes.application.response.header.location.rewrites[].urlPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.header.location.rewrites[].replaceWith

String

This is the target string which will replace the string matched by URL pattern.

data.attributes.application.response.json.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.json.rewrites[].path

String

A response from the back-end server is rewritten only if the JSON path matches this regular expression.

data.attributes.application.response.json.rewrites[].contentPattern.pattern

String

The actual pattern.

data.attributes.application.response.json.rewrites[].contentPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.json.rewrites[].replaceWith

String

This is the target string which will replace the string matched by Content Pattern.

data.attributes.application.response.body.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.body.rewrites[].contentType

String

A response from the back-end server is rewritten only if the response header Content-Type matches this regular expression.

data.attributes.application.response.body.rewrites[].contentPattern.pattern

String

The actual pattern.

data.attributes.application.response.body.rewrites[].contentPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.body.rewrites[].replaceWith

String

This is the target string which will replace the string matched by Content Pattern.

data.attributes.application.response.html.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.html.rewrites[].urlPattern.pattern

String

The actual pattern.

data.attributes.application.response.html.rewrites[].urlPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.html.rewrites[].uris

Boolean

Apply rule to linked HTML elements like href, src, etc.

data.attributes.application.response.html.rewrites[].events

Boolean

Apply rule to JavaScript event strings such as onsubmit, onload, etc.

data.attributes.application.response.html.rewrites[].embedded

Boolean

Apply rule to <script> and <style> blocks embedded in the HTML page

data.attributes.application.response.html.rewrites[].replaceWith

String

This is the target string which will replace the string matched by URL Pattern.

data.attributes.application.response.errorPage.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.errorPage.rewrites[].statusContentPattern

String

The HTTP status code pattern.

data.attributes.application.response.errorPage.rewrites[].replaceWith

String

This is the target string which will replace the string matched by HTTP status content pattern.

data.attributes.apiSecurity.treatPathSegmentsAsParamValues

Boolean

If enabled each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it.

data.attributes.apiSecurity.openApiEnforced

Boolean

Specifies whether traffic to/from this service shall be checked against an API specification provided in the OpenAPI format. If enforced traffic not conforming to the API specification will be blocked.

data.attributes.apiSecurity.openApiCheckResponsesEnabled

Boolean

Check responses against the API specification.

data.attributes.apiSecurity.logOnly

Boolean

If enabled potential attack requests are only logged but not blocked.

data.attributes.apiSecurity.openApiPathMatching

String

Run OpenAPI path matching against client or server view of request/response.

data.attributes.apiSecurity.openApiPublishSpecificationEnabled

Boolean

Allow clients to download the API specification.

data.attributes.apiSecurity.openApiPublishSpecificationPath

String

External path to the API specification. Note that the entry path will be added in front of it.

data.attributes.apiSecurity.apiPolicyServiceEnabled

Boolean

Enables API policy service.

data.attributes.apiSecurity.apiPolicyServiceId

Number

ID of the API policy service.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.enabled

Boolean

If enabled Airlock WAF will extract the API key from the specific header.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.pattern

String

The actual pattern.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.inverted

Boolean

Whether to invert the match.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.replaceWith

String

The rewrite expression for the header extraction.

data.attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.enabled

Boolean

If enabled Airlock WAF will extract the API key from the specific query parameter.

data.attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.parameterName

String

Specifies the name of the query parameter.

data.attributes.apiSecurity.apiPolicyKeyExtractionCookie.enabled

Boolean

If enabled Airlock WAF will extract the API key from the specific cookie.

data.attributes.apiSecurity.apiPolicyKeyExtractionCookie.cookieName

String

Specifies the name of the cookie.

data.attributes.apiSecurity.jsonParser.enabled

Boolean

If set to true, Airlock WAF parses JSON objects in requests and filters JSON attributes with allow rules and deny rules. JSON objects are parsed only if their content-type matches the specified pattern.

data.attributes.apiSecurity.jsonParser.contentTypePattern.pattern

String

The actual pattern.

data.attributes.apiSecurity.jsonParser.contentTypePattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.apiSecurity.jsonParser.contentTypePattern.inverted

Boolean

Whether to invert the match.

data.attributes.dosAttackPrevention.enabled

Boolean

Enables DoS attack prevention filter.

data.attributes.dosAttackPrevention.maxRequestsPerInterval

Number

Maximum requests allowed per IP address.

data.attributes.dosAttackPrevention.interval

Number

Interval for measurement of allowed requests per IP address (seconds).

data.attributes.dosAttackPrevention.whitelistIpPattern

Object

Reference to an IP pattern that acts as whitelist. All source IPs matching this pattern will be excluded from the session limit per IP restriction. This is typically used if you have many users having the same source IP (i.e. proxy).

data.attributes.dosAttackPrevention.whitelistIpPattern.pattern

String

The actual pattern.

data.attributes.dosAttackPrevention.whitelistIpPattern.inverted

Boolean

Whether to invert the match.

data.attributes.requestBodyStreaming.enabled

Boolean

Controls whether request body streaming is used or not. If set, only requests matching all three regular expression patterns will be streamed. Empty fields have the same effect as the pattern ^.*$

data.attributes.requestBodyStreaming.httpMethodPattern

Object

Only requests whose HTTP method matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.pathPattern

Object

Only requests whose path matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.contentTypePattern

Object

Only requests whose content type header matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.httpMethodPattern.pattern

String

The actual pattern.

data.attributes.requestBodyStreaming.httpMethodPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.requestBodyStreaming.httpMethodPattern.inverted

Boolean

Whether to invert the match.

data.attributes.requestBodyStreaming.pathPattern.pattern

String

The actual pattern.

data.attributes.requestBodyStreaming.pathPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.requestBodyStreaming.pathPattern.inverted

Boolean

Whether to invert the match.

data.attributes.requestBodyStreaming.contentTypePattern.pattern

String

The actual pattern.

data.attributes.requestBodyStreaming.contentTypePattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.requestBodyStreaming.contentTypePattern.inverted

Boolean

Whether to invert the match.

data.attributes.httpParameterPollutionDetection.mixedTypes

Object

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving both HTTP GET and HTTP POST parameters (thus involving parameters of different/mixed types).

data.attributes.httpParameterPollutionDetection.sameType

Object

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving only HTTP GET or only HTTP POST parameters (thus involving only parameters of the same type).

data.attributes.httpParameterPollutionDetection.mixedTypes.enabled

Boolean

If enabled, requests containing HTTP GET and HTTP POST parameters of the same name are blocked to prevent HPP attacks.

data.attributes.httpParameterPollutionDetection.mixedTypes.logOnly

Boolean

If true, potential HPP attack requests are only logged but not blocked.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern

Object

Parameters whose name matches this regular expression pattern will be ignored by the HPP detection.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.pattern

String

The actual pattern.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.inverted

Boolean

Whether to invert the match.

data.attributes.httpParameterPollutionDetection.sameType.enabled

Boolean

If enabled, parameters with the same name and type (HTTP GET or POST) are joined together into one parameter before filtering to prevent HPP attacks. Note: For the filtering itself, a deny rule like the default deny rule '(default) HTTP Parameter Pollution' has to be configured.

data.attributes.expertSettings.securityGate

Object

Expert settings for the Security Gate.

data.attributes.expertSettings.apache

Object

Expert settings for the Apache web listener.

data.attributes.expertSettings.securityGate.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.securityGate.settings

String

The expert settings for the Security Gate.

data.attributes.expertSettings.apache.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.apache.settings

String

The expert settings for the Apache web listener.

data.attributes.locking.enabled

Boolean

If true, the state of the attribute locks is displayed in Airlock WAF’s Configuration Center for this mapping.

data.attributes.locking.labels

Boolean

Lock for the corresponding member.

data.attributes.locking.backendPath

Boolean

Lock for the corresponding member.

data.attributes.locking.threatHandling

Boolean

Lock for the corresponding member.

data.attributes.locking.enableMaintenancePage

Boolean

Lock for the corresponding member.

data.attributes.locking.operationalMode

Boolean

Lock for the corresponding member.

data.attributes.locking.access.restrictions

Boolean

Lock for the corresponding member.

data.attributes.locking.access.clientCertificateAuthentication

Boolean

Lock for the corresponding member.

data.attributes.locking.access.authenticationFlow

Boolean

Lock for the corresponding member.

data.attributes.locking.access.backendLogoutUrl

Boolean

Lock for the corresponding member.

data.attributes.locking.access.ntlmPassthroughEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokensEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.deniedUrl.value

Boolean

Lock for the corresponding member.

data.attributes.locking.access.deniedUrl.mode

Boolean

Lock for the corresponding member.

data.attributes.locking.access.credentialsPropagation.mandatory

Boolean

Lock for the corresponding member.

data.attributes.locking.access.credentialsPropagation.type

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.type

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jwsAlgorithm

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jwsKey

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jweAlgorithm

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.jweKey

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.expiryCheckEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.expiryCheckSkew

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.claimRestrictions

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.roleExtractions

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.extractTechnicalClientIdEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.extractTechnicalClientIdName

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenVerification.setAuditTokenFromSubjectEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.presenceMandatoryEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.headerExtraction.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.headerExtraction.extractionPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.headerExtraction.replaceWith

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.parameterExtraction.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.parameterExtraction.name

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.cookieExtraction.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokenTransport.cookieExtraction.name

Boolean

Lock for the corresponding member.

data.attributes.locking.entryPath.settings

Boolean

Lock for the corresponding member. Note that this lock affects both the EntryPath’s 'value' and 'ignoreCase'.

data.attributes.locking.entryPath.regexFormatEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.entryPath.priority

Boolean

Lock for the corresponding member.

data.attributes.locking.ipRules.ipAddressWhitelists.logOnly

Boolean

Lock for the corresponding member.

data.attributes.locking.ipRules.ipAddressBlacklists.logOnly

Boolean

Lock for the corresponding member.

data.attributes.locking.ipRules.dynamicIpAddressBlacklist.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.ipRules.dynamicIpAddressBlacklist.countMode

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.clientCookieSupportEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.wellKnownBots.allowed

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.wellKnownBots.sourceDomainEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.allowed

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.sourceDomainEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.userAgentPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.botManagement.customBots.domainPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.timeouts.backend

Boolean

Lock for the corresponding member.

data.attributes.locking.timeouts.sessionIdle

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.general.maxRequestBodySize

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.general.maxPathLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.http.maxParameters

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.http.maxParameterNameLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.http.maxParameterValueLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxKeyLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxValueLength

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxNestingDepth

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxArrayItems

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxKeys

Boolean

Lock for the corresponding member.

data.attributes.locking.limits.json.maxTotalEntries

Boolean

Lock for the corresponding member.

data.attributes.locking.application.sessionHandling

Boolean

Lock for the corresponding member.

data.attributes.locking.application.controlApiAllowed

Boolean

Lock for the corresponding member.

data.attributes.locking.application.environmentCookiesEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.loadBalancingCookieEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.webSocketsAllowed

Boolean

Lock for the corresponding member.

data.attributes.locking.application.redirectForErrorPageEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.encryptedCookies.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.encryptedCookies.prefix

Boolean

Lock for the corresponding member.

data.attributes.locking.application.passthroughCookies.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.passthroughCookies.prefix

Boolean

Lock for the corresponding member.

data.attributes.locking.application.request.charset

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.compressionAllowed

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.stripCommentsEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.header.location.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.json.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.body.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.html.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.application.response.errorPage.rewrites

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.treatPathSegmentsAsParamValues

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiEnforced

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiCheckResponsesEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiDocumentId

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.logOnly

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiPathMatching

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiPublishSpecificationEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.openApiPublishSpecificationPath

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyServiceEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyServiceId

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.jsonParser.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.jsonParser.contentTypePattern

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionHeader.replaceWith

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionQueryParameter.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionQueryParameter.parameterName

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionCookie.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.apiSecurity.apiPolicyKeyExtractionCookie.cookieName

Boolean

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.maxRequestsPerInterval

Boolean

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.interval

Boolean

Lock for the corresponding member.

data.attributes.locking.dosAttackPrevention.whitelistIpPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.httpMethodPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.pathPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.requestBodyStreaming.contentTypePattern

Boolean

Lock for the corresponding member.

data.attributes.locking.icap.request.clientViews

Boolean

Lock for the corresponding member.

data.attributes.locking.icap.request.backendViews

Boolean

Lock for the corresponding member.

data.attributes.locking.icap.response.backendViews

Boolean

Lock for the corresponding member.

data.attributes.locking.icap.response.clientViews

Boolean

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.mixedTypes.enabled

Boolean

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.mixedTypes.logOnly

Boolean

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern

Boolean

Lock for the corresponding member.

data.attributes.locking.httpParameterPollutionDetection.sameType.enabled

Boolean

Lock for the corresponding member.

data.relationships.virtual-hosts.data[]

Array

The virtual-host references.

data.relationships.virtual-hosts.data[].type

String

The data type of the referenced resource. Must be "virtual-host" for this call.

data.relationships.virtual-hosts.data[].id

String

The ID of the virtual-host resource.

data.relationships.back-end-group.data

Object

The back-end-group references.

data.relationships.back-end-group.data.type

String

The data type of the referenced resource. Must be "back-end-group" for this call.

data.relationships.back-end-group.data.id

String

The ID of the back-end-group resource.

data.relationships.template.data

Object

The mapping-template references.

data.relationships.template.data.type

String

The data type of the referenced resource. Must be "mapping-template" for this call.

data.relationships.template.data.id

String

The ID of the mapping-template resource.

data.relationships.ip-address-whitelists.data[]

Array

The ip-address-list references.

data.relationships.ip-address-whitelists.data[].type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data.relationships.ip-address-whitelists.data[].id

String

The ID of the ip-address-list resource.

data.relationships.ip-address-blacklists.data[]

Array

The ip-address-list references.

data.relationships.ip-address-blacklists.data[].type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data.relationships.ip-address-blacklists.data[].id

String

The ID of the ip-address-list resource.

data[].relationships.ip-address-blacklist-exceptions.data[]

Array

The ip-address-list references.

data[].relationships.ip-address-blacklist-exceptions.data[].type

String

The data type of the referenced resource. Must be "ip-address-list" for this call.

data[].relationships.ip-address-blacklist-exceptions.data[].id

String

The ID of the ip-address-list resource.
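
The httpParameterPollutionDetection.mixedTypes fields listed above, modelled as an added example (not Airlock code and not part of the original reference): it shows how enabled, logOnly and parameterNameExceptionPattern, including its inverted flag, combine into a verdict. Python regex search and treating an empty exception pattern as "no exception" are assumptions, and the request data is constructed.

```python
import re
from urllib.parse import parse_qsl


def pattern_matches(spec, value):
    """Evaluate a {pattern, caseIgnored, inverted} object against a string.

    Assumption: Python regex syntax and unanchored search stand in for
    the regex engine of the WAF.
    """
    flags = re.IGNORECASE if spec.get("caseIgnored") else 0
    hit = re.search(spec["pattern"], value, flags) is not None
    return (not hit) if spec.get("inverted") else hit


def is_exempt(name, exception):
    """True if the HPP detection ignores this parameter name.

    Assumption: an empty pattern means that no exception is configured.
    """
    if not exception or exception.get("pattern", "") == "":
        return False
    return pattern_matches(exception, name)


def check_mixed_types(query_string, form_body, cfg):
    """Return (verdict, names) for one request.

    verdict is 'pass', 'log' or 'block'; names are the parameters that
    occur both as HTTP GET and as HTTP POST parameters and are not exempt.
    """
    if not cfg.get("enabled"):
        return "pass", []
    get_names = {k for k, _ in parse_qsl(query_string, keep_blank_values=True)}
    post_names = {k for k, _ in parse_qsl(form_body, keep_blank_values=True)}
    exception = cfg.get("parameterNameExceptionPattern")
    colliding = sorted(
        name for name in get_names & post_names if not is_exempt(name, exception)
    )
    if not colliding:
        return "pass", []
    return ("log" if cfg.get("logOnly") else "block"), colliding


# Constructed request: "account" and "lang" appear in the query string
# and in the form body.
QUERY = "account=1001&lang=en"
BODY = "account=9999&amount=50&lang=de"

# Constructed configuration: block collisions, but tolerate "lang".
CFG_BLOCK = {
    "enabled": True,
    "logOnly": False,
    "parameterNameExceptionPattern": {
        "pattern": "^lang$",
        "caseIgnored": True,
        "inverted": False,
    },
}

# Same configuration in log-only mode.
CFG_LOG = dict(CFG_BLOCK, logOnly=True)

# Same pattern with inverted=true: every name EXCEPT "lang" is now exempt,
# so the collision on "account" is no longer reported.
CFG_INVERTED = dict(
    CFG_BLOCK,
    parameterNameExceptionPattern={
        "pattern": "^lang$",
        "caseIgnored": True,
        "inverted": True,
    },
)

if __name__ == "__main__":
    for label, cfg in (
        ("block", CFG_BLOCK),
        ("log-only", CFG_LOG),
        ("inverted exception", CFG_INVERTED),
    ):
        print(label, check_mixed_types(QUERY, BODY, cfg))
```
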

Example Request

$ curl "https://${AIRLOCK}/airlock/rest/configuration/mappings" -i -X POST \
    -H 'Content-Type: application/json' \
    -H "Cookie: JSESSIONID=${JSESSIONID}" \
    -H 'Accept: application/json' \
    -d '{
  "data" : {
    "type" : "mapping",
    "attributes" : {
      "name" : "mymapping",
      "labels" : [ "labelA", "labelB" ],
      "tenant" : "AirlockBankingCo",
      "entryPath" : {
        "value" : "/entryPathA/",
        "regexFormatEnforced" : true,
        "ignoreCase" : true,
        "priority" : 0
      },
      "backendPath" : "/backendA/",
      "threatHandling" : "BLOCK",
      "operationalMode" : "PRODUCTION",
      "enableMaintenancePage" : true,
      "access" : {
        "deniedUrl" : {
          "value" : "/auth/login",
          "mode" : "GLOBAL"
        },
        "restrictions" : [ {
          "enabled" : true,
          "httpMethodPattern" : {
            "pattern" : "[GET|POST|DELETE]",
            "caseIgnored" : true,
            "inverted" : true
          },
          "entryPathPattern" : {
            "pattern" : "/admin/",
            "caseIgnored" : true,
            "inverted" : true
          },
          "authorizedRoles" : [ "admin" ],
          "authorizedPlans" : [ "android", "ios", "browser" ]
        } ],
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "authenticationFlow" : "REDIRECT",
        "backendLogoutUrl" : "/backendA/logout",
        "ntlmPassthroughEnabled" : true,
        "credentialsPropagation" : {
          "mandatory" : true,
          "type" : "BASIC_AUTH"
        },
        "tokensEnabled" : true,
        "tokenTransport" : {
          "presenceMandatoryEnforced" : true,
          "headerExtraction" : {
            "enabled" : true,
            "extractionPattern" : {
              "pattern" : "mypattern",
              "caseIgnored" : true
            },
            "replaceWith" : "$1"
          },
          "parameterExtraction" : {
            "enabled" : true,
            "name" : "paramExtraction"
          },
          "cookieExtraction" : {
            "enabled" : true,
            "name" : "EXTRACTION_COOKIE"
          }
        },
        "tokenVerification" : {
          "type" : "JWS_JWE",
          "jwsAlgorithm" : "HS512",
          "jwsKey" : "HS_KEY",
          "jweAlgorithm" : "A128CBC_HS256",
          "jweKey" : "AES_KEY",
          "expiryCheckEnabled" : true,
          "expiryCheckSkew" : 42,
          "extractTechnicalClientIdEnabled" : true,
          "extractTechnicalClientIdName" : "TechnicalClientID",
          "setAuditTokenFromSubjectEnabled" : true,
          "claimRestrictions" : [ {
            "enabled" : true,
            "name" : "myrestriction",
            "restrictionPattern" : {
              "pattern" : "myRestriction",
              "caseIgnored" : true,
              "inverted" : true
            }
          } ],
          "roleExtractions" : [ {
            "enabled" : true,
            "name" : "myextraction",
            "extractionPattern" : {
              "pattern" : "extractionPattern",
              "caseIgnored" : true
            },
            "replaceWith" : "$1",
            "tokenLifetimeAsRoleLifetimeEnforced" : true
          } ]
        }
      },
      "ipRules" : {
        "ipAddressWhitelists" : {
          "logOnly" : true
        },
        "ipAddressBlacklists" : {
          "logOnly" : true,
          "webrootThreatCategories" : ""
        },
        "dynamicIpAddressBlacklist" : {
          "enabled" : true,
          "countMode" : "ALL"
        }
      },
      "botManagement" : {
        "clientCookieSupportEnforced" : true,
        "wellKnownBots" : {
          "allowed" : true,
          "sourceDomainEnforced" : true
        },
        "customBots" : {
          "allowed" : true,
          "sourceDomainEnforced" : true,
          "userAgentPattern" : {
            "pattern" : "",
            "caseIgnored" : false,
            "inverted" : false
          },
          "domainPattern" : {
            "pattern" : "",
            "inverted" : false
          }
        }
      },
      "timeouts" : {
        "backend" : 120,
        "sessionIdle" : 0
      },
      "limits" : {
        "general" : {
          "maxRequestBodySize" : 222,
          "maxPathLength" : 111
        },
        "http" : {
          "maxParameters" : 2222,
          "maxParameterNameLength" : 1111,
          "maxParameterValueLength" : 3333
        },
        "json" : {
          "enabled" : true,
          "maxKeyLength" : 48,
          "maxValueLength" : 42,
          "maxNestingDepth" : 2000,
          "maxArrayItems" : 1000,
          "maxKeys" : 4000,
          "maxTotalEntries" : 3000
        }
      },
      "application" : {
        "sessionHandling" : "ENFORCE_SESSION",
        "controlApiAllowed" : true,
        "environmentCookiesEnabled" : true,
        "encryptedCookies" : {
          "enabled" : true,
          "prefix" : "ENCRYPT.*"
        },
        "passthroughCookies" : {
          "enabled" : true,
          "prefix" : "PASSTHROUGH.*"
        },
        "loadBalancingCookieEnabled" : true,
        "webSocketsAllowed" : true,
        "redirectForErrorPageEnabled" : true,
        "request" : {
          "charset" : "UTF_8_FALLBACK_WINDOWS_1252"
        },
        "response" : {
          "compressionAllowed" : true,
          "stripCommentsEnabled" : true,
          "header" : {
            "location" : {
              "rewrites" : [ {
                "enabled" : true,
                "urlPattern" : {
                  "pattern" : "/test/",
                  "caseIgnored" : true
                },
                "replaceWith" : "$1"
              } ]
            }
          },
          "json" : {
            "rewrites" : [ {
              "enabled" : true,
              "path" : "$.address.city",
              "contentPattern" : {
                "pattern" : "Basel",
                "caseIgnored" : true
              },
              "replaceWith" : "Zurich"
            } ]
          },
          "body" : {
            "rewrites" : [ {
              "enabled" : true,
              "contentType" : "application/json",
              "contentPattern" : {
                "pattern" : "test",
                "caseIgnored" : true
              },
              "replaceWith" : "test2"
            } ]
          },
          "html" : {
            "rewrites" : [ {
              "enabled" : true,
              "urlPattern" : {
                "pattern" : "^https?://www.mydomain.com(/[^'\"]*)$",
                "caseIgnored" : true
              },
              "uris" : true,
              "events" : true,
              "embedded" : true,
              "replaceWith" : "$1"
            } ]
          },
          "errorPage" : {
            "rewrites" : [ {
              "enabled" : true,
              "statusContentPattern" : "^5(?!02|03)..$",
              "replaceWith" : "500.html"
            } ]
          }
        }
      },
      "apiSecurity" : {
        "treatPathSegmentsAsParamValues" : true,
        "jsonParser" : {
          "enabled" : true,
          "contentTypePattern" : {
            "pattern" : "application/json",
            "caseIgnored" : true,
            "inverted" : true
          }
        },
        "openApiEnforced" : true,
        "openApiCheckResponsesEnabled" : true,
        "logOnly" : true,
        "openApiPathMatching" : "ClientView",
        "openApiPublishSpecificationEnabled" : true,
        "openApiPublishSpecificationPath" : "path/to/apiSpecification.json",
        "apiPolicyServiceEnabled" : true,
        "apiPolicyServiceId" : 60,
        "apiPolicyKeyExtractionHeader" : {
          "enabled" : true,
          "extractionPattern" : {
            "pattern" : "^Api-Key: (.*)$",
            "caseIgnored" : false,
            "inverted" : false
          },
          "replaceWith" : "$1"
        },
        "apiPolicyKeyExtractionQueryParameter" : {
          "enabled" : true,
          "parameterName" : "api_key"
        },
        "apiPolicyKeyExtractionCookie" : {
          "enabled" : true,
          "cookieName" : "ApiKey"
        }
      },
      "dosAttackPrevention" : {
        "enabled" : true,
        "maxRequestsPerInterval" : 500,
        "interval" : 60,
        "whitelistIpPattern" : {
          "pattern" : "^$",
          "inverted" : true
        }
      },
      "requestBodyStreaming" : {
        "enabled" : true,
        "httpMethodPattern" : {
          "pattern" : "^GET$",
          "caseIgnored" : true,
          "inverted" : false
        },
        "pathPattern" : {
          "pattern" : "/path/",
          "caseIgnored" : false,
          "inverted" : false
        },
        "contentTypePattern" : {
          "pattern" : "video/mpeg",
          "caseIgnored" : false,
          "inverted" : false
        }
      },
      "httpParameterPollutionDetection" : {
        "mixedTypes" : {
          "enabled" : false,
          "logOnly" : true,
          "parameterNameExceptionPattern" : {
            "pattern" : "",
            "caseIgnored" : true,
            "inverted" : true
          }
        },
        "sameType" : {
          "enabled" : false
        }
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      },
      "locking" : {
        "enabled" : true,
        "labels" : true,
        "access" : {
          "deniedUrl" : {
            "value" : true,
            "mode" : true
          },
          "restrictions" : true,
          "clientCertificateAuthentication" : true,
          "authenticationFlow" : true,
          "backendLogoutUrl" : true,
          "ntlmPassthroughEnabled" : true,
          "credentialsPropagation" : {
            "mandatory" : true,
            "type" : true
          },
          "tokensEnabled" : true,
          "tokenVerification" : {
            "type" : true,
            "jwsAlgorithm" : true,
            "jwsKey" : true,
            "jweAlgorithm" : true,
            "jweKey" : true,
            "expiryCheckEnabled" : true,
            "expiryCheckSkew" : true,
            "claimRestrictions" : true,
            "roleExtractions" : true,
            "extractTechnicalClientIdEnabled" : true,
            "extractTechnicalClientIdName" : true,
            "setAuditTokenFromSubjectEnabled" : true
          },
          "tokenTransport" : {
            "presenceMandatoryEnforced" : true,
            "headerExtraction" : {
              "enabled" : true,
              "extractionPattern" : true,
              "replaceWith" : true
            },
            "parameterExtraction" : {
              "enabled" : true,
              "name" : true
            },
            "cookieExtraction" : {
              "enabled" : true,
              "name" : true
            }
          }
        },
        "entryPath" : {
          "settings" : true,
          "regexFormatEnforced" : true,
          "priority" : true
        },
        "backendPath" : true,
        "threatHandling" : true,
        "operationalMode" : true,
        "enableMaintenancePage" : true,
        "ipRules" : {
          "ipAddressWhitelists" : {
            "logOnly" : true
          },
          "ipAddressBlacklists" : {
            "logOnly" : true
          },
          "dynamicIpAddressBlacklist" : {
            "enabled" : true,
            "countMode" : true
          }
        },
        "botManagement" : {
          "clientCookieSupportEnforced" : true,
          "wellKnownBots" : {
            "allowed" : true,
            "sourceDomainEnforced" : true
          },
          "customBots" : {
            "allowed" : true,
            "sourceDomainEnforced" : true,
            "userAgentPattern" : true,
            "domainPattern" : true
          }
        },
        "timeouts" : {
          "backend" : true,
          "sessionIdle" : true
        },
        "limits" : {
          "general" : {
            "maxRequestBodySize" : true,
            "maxPathLength" : true
          },
          "http" : {
            "maxParameters" : true,
            "maxParameterNameLength" : true,
            "maxParameterValueLength" : true
          },
          "json" : {
            "enabled" : true,
            "maxKeyLength" : true,
            "maxValueLength" : true,
            "maxNestingDepth" : true,
            "maxArrayItems" : true,
            "maxKeys" : true,
            "maxTotalEntries" : true
          }
        },
        "application" : {
          "sessionHandling" : true,
          "controlApiAllowed" : true,
          "environmentCookiesEnabled" : true,
          "encryptedCookies" : {
            "enabled" : true,
            "prefix" : true
          },
          "passthroughCookies" : {
            "enabled" : true,
            "prefix" : true
          },
          "loadBalancingCookieEnabled" : true,
          "webSocketsAllowed" : true,
          "redirectForErrorPageEnabled" : true,
          "request" : {
            "charset" : true
          },
          "response" : {
            "compressionAllowed" : true,
            "stripCommentsEnabled" : true,
            "header" : {
              "location" : {
                "rewrites" : true
              }
            },
            "json" : {
              "rewrites" : true
            },
            "body" : {
              "rewrites" : true
            },
            "html" : {
              "rewrites" : true
            },
            "errorPage" : {
              "rewrites" : true
            }
          }
        },
        "apiSecurity" : {
          "treatPathSegmentsAsParamValues" : true,
          "jsonParser" : {
            "enabled" : true,
            "contentTypePattern" : true
          },
          "openApiEnforced" : true,
          "openApiCheckResponsesEnabled" : true,
          "openApiDocumentId" : true,
          "logOnly" : true,
          "openApiPathMatching" : true,
          "openApiPublishSpecificationEnabled" : true,
          "openApiPublishSpecificationPath" : true,
          "apiPolicyServiceEnabled" : true,
          "apiPolicyServiceId" : true,
          "apiPolicyKeyExtractionHeader" : {
            "enabled" : true,
            "extractionPattern" : true,
            "replaceWith" : true
          },
          "apiPolicyKeyExtractionQueryParameter" : {
            "enabled" : true,
            "parameterName" : true
          },
          "apiPolicyKeyExtractionCookie" : {
            "enabled" : true,
            "cookieName" : true
          }
        },
        "dosAttackPrevention" : {
          "enabled" : true,
          "maxRequestsPerInterval" : true,
          "interval" : true,
          "whitelistIpPattern" : true
        },
        "requestBodyStreaming" : {
          "enabled" : true,
          "httpMethodPattern" : true,
          "pathPattern" : true,
          "contentTypePattern" : true
        },
        "httpParameterPollutionDetection" : {
          "mixedTypes" : {
            "enabled" : true,
            "logOnly" : true,
            "parameterNameExceptionPattern" : true
          },
          "sameType" : {
            "enabled" : true
          }
        },
        "icap" : {
          "request" : {
            "clientViews" : true,
            "backendViews" : true
          },
          "response" : {
            "backendViews" : true,
            "clientViews" : true
          }
        }
      }
    }
  }
}'

Example Response

HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 15694

{
  "meta" : {
    "type" : "jsonapi.metadata.document",
    "timestamp" : "2021-04-21T20:26:34.216+02:00"
  },
  "data" : {
    "type" : "mapping",
    "id" : "4",
    "attributes" : {
      "name" : "mymapping",
      "labels" : [ "labelA", "labelB" ],
      "tenant" : "AirlockBankingCo",
      "entryPath" : {
        "value" : "/entryPathA/",
        "regexFormatEnforced" : true,
        "ignoreCase" : true,
        "priority" : 0
      },
      "backendPath" : "/backendA/",
      "threatHandling" : "BLOCK",
      "operationalMode" : "PRODUCTION",
      "enableMaintenancePage" : true,
      "access" : {
        "deniedUrl" : {
          "value" : "/auth/login",
          "mode" : "GLOBAL"
        },
        "restrictions" : [ {
          "enabled" : true,
          "httpMethodPattern" : {
            "pattern" : "[GET|POST|DELETE]",
            "caseIgnored" : true,
            "inverted" : true
          },
          "entryPathPattern" : {
            "pattern" : "/admin/",
            "caseIgnored" : true,
            "inverted" : true
          },
          "authorizedRoles" : [ "admin" ],
          "authorizedPlans" : [ "android", "ios", "browser" ]
        } ],
        "clientCertificateAuthentication" : "NOT_REQUIRED",
        "authenticationFlow" : "REDIRECT",
        "backendLogoutUrl" : "/backendA/logout",
        "ntlmPassthroughEnabled" : true,
        "credentialsPropagation" : {
          "mandatory" : true,
          "type" : "BASIC_AUTH"
        },
        "tokensEnabled" : true,
        "tokenTransport" : {
          "presenceMandatoryEnforced" : true,
          "headerExtraction" : {
            "enabled" : true,
            "extractionPattern" : {
              "pattern" : "mypattern",
              "caseIgnored" : true
            },
            "replaceWith" : "$1"
          },
          "parameterExtraction" : {
            "enabled" : true,
            "name" : "paramExtraction"
          },
          "cookieExtraction" : {
            "enabled" : true,
            "name" : "EXTRACTION_COOKIE"
          }
        },
        "tokenVerification" : {
          "type" : "JWS_JWE",
          "jwsAlgorithm" : "HS512",
          "jwsKey" : "HS_KEY",
          "jweAlgorithm" : "A128CBC_HS256",
          "jweKey" : "AES_KEY",
          "expiryCheckEnabled" : true,
          "expiryCheckSkew" : 42,
          "extractTechnicalClientIdEnabled" : true,
          "extractTechnicalClientIdName" : "TechnicalClientID",
          "setAuditTokenFromSubjectEnabled" : true,
          "claimRestrictions" : [ {
            "enabled" : true,
            "name" : "myrestriction",
            "restrictionPattern" : {
              "pattern" : "myRestriction",
              "caseIgnored" : true,
              "inverted" : true
            }
          } ],
          "roleExtractions" : [ {
            "enabled" : true,
            "name" : "myextraction",
            "extractionPattern" : {
              "pattern" : "extractionPattern",
              "caseIgnored" : true
            },
            "replaceWith" : "$1",
            "tokenLifetimeAsRoleLifetimeEnforced" : true
          } ]
        }
      },
      "ipRules" : {
        "ipAddressWhitelists" : {
          "logOnly" : true
        },
        "ipAddressBlacklists" : {
          "logOnly" : true,
          "webrootThreatCategories" : ""
        },
        "dynamicIpAddressBlacklist" : {
          "enabled" : true,
          "countMode" : "ALL"
        }
      },
      "botManagement" : {
        "clientCookieSupportEnforced" : true,
        "wellKnownBots" : {
          "allowed" : true,
          "sourceDomainEnforced" : true
        },
        "customBots" : {
          "allowed" : true,
          "sourceDomainEnforced" : true,
          "userAgentPattern" : {
            "pattern" : "",
            "caseIgnored" : false,
            "inverted" : false
          },
          "domainPattern" : {
            "pattern" : "",
            "inverted" : false
          }
        }
      },
      "timeouts" : {
        "backend" : 120,
        "sessionIdle" : 0
      },
      "limits" : {
        "general" : {
          "maxRequestBodySize" : 222,
          "maxPathLength" : 111
        },
        "http" : {
          "maxParameters" : 2222,
          "maxParameterNameLength" : 1111,
          "maxParameterValueLength" : 3333
        },
        "json" : {
          "enabled" : true,
          "maxKeyLength" : 48,
          "maxValueLength" : 42,
          "maxNestingDepth" : 2000,
          "maxArrayItems" : 1000,
          "maxKeys" : 4000,
          "maxTotalEntries" : 3000
        }
      },
      "application" : {
        "sessionHandling" : "ENFORCE_SESSION",
        "controlApiAllowed" : true,
        "environmentCookiesEnabled" : true,
        "encryptedCookies" : {
          "enabled" : true,
          "prefix" : "ENCRYPT.*"
        },
        "passthroughCookies" : {
          "enabled" : true,
          "prefix" : "PASSTHROUGH.*"
        },
        "loadBalancingCookieEnabled" : true,
        "webSocketsAllowed" : true,
        "redirectForErrorPageEnabled" : true,
        "request" : {
          "charset" : "UTF_8_FALLBACK_WINDOWS_1252"
        },
        "response" : {
          "compressionAllowed" : true,
          "stripCommentsEnabled" : true,
          "header" : {
            "location" : {
              "rewrites" : [ {
                "enabled" : true,
                "urlPattern" : {
                  "pattern" : "/test/",
                  "caseIgnored" : true
                },
                "replaceWith" : "$1"
              } ]
            }
          },
          "json" : {
            "rewrites" : [ {
              "enabled" : true,
              "path" : "$.address.city",
              "contentPattern" : {
                "pattern" : "Basel",
                "caseIgnored" : true
              },
              "replaceWith" : "Zurich"
            } ]
          },
          "body" : {
            "rewrites" : [ {
              "enabled" : true,
              "contentType" : "application/json",
              "contentPattern" : {
                "pattern" : "test",
                "caseIgnored" : true
              },
              "replaceWith" : "test2"
            } ]
          },
          "html" : {
            "rewrites" : [ {
              "enabled" : true,
              "urlPattern" : {
                "pattern" : "^https?://www.mydomain.com(/[^'\"]*)$",
                "caseIgnored" : true
              },
              "uris" : true,
              "events" : true,
              "embedded" : true,
              "replaceWith" : "$1"
            } ]
          },
          "errorPage" : {
            "rewrites" : [ {
              "enabled" : true,
              "statusContentPattern" : "^5(?!02|03)..$",
              "replaceWith" : "500.html"
            } ]
          }
        }
      },
      "apiSecurity" : {
        "treatPathSegmentsAsParamValues" : true,
        "jsonParser" : {
          "enabled" : true,
          "contentTypePattern" : {
            "pattern" : "application/json",
            "caseIgnored" : true,
            "inverted" : true
          }
        },
        "openApiEnforced" : true,
        "openApiCheckResponsesEnabled" : true,
        "logOnly" : true,
        "openApiPathMatching" : "ClientView",
        "openApiPublishSpecificationEnabled" : true,
        "openApiPublishSpecificationPath" : "path/to/apiSpecification.json",
        "apiPolicyServiceEnabled" : true,
        "apiPolicyServiceId" : 60,
        "apiPolicyKeyExtractionHeader" : {
          "enabled" : true,
          "extractionPattern" : {
            "pattern" : "^Api-Key: (.*)$",
            "caseIgnored" : false,
            "inverted" : false
          },
          "replaceWith" : "$1"
        },
        "apiPolicyKeyExtractionQueryParameter" : {
          "enabled" : true,
          "parameterName" : "api_key"
        },
        "apiPolicyKeyExtractionCookie" : {
          "enabled" : true,
          "cookieName" : "ApiKey"
        }
      },
      "dosAttackPrevention" : {
        "enabled" : true,
        "maxRequestsPerInterval" : 500,
        "interval" : 60,
        "whitelistIpPattern" : {
          "pattern" : "^$",
          "inverted" : true
        }
      },
      "requestBodyStreaming" : {
        "enabled" : true,
        "httpMethodPattern" : {
          "pattern" : "^GET$",
          "caseIgnored" : true,
          "inverted" : false
        },
        "pathPattern" : {
          "pattern" : "/path/",
          "caseIgnored" : false,
          "inverted" : false
        },
        "contentTypePattern" : {
          "pattern" : "video/mpeg",
          "caseIgnored" : false,
          "inverted" : false
        }
      },
      "httpParameterPollutionDetection" : {
        "mixedTypes" : {
          "enabled" : false,
          "logOnly" : true,
          "parameterNameExceptionPattern" : {
            "pattern" : "",
            "caseIgnored" : true,
            "inverted" : true
          }
        },
        "sameType" : {
          "enabled" : false
        }
      },
      "expertSettings" : {
        "securityGate" : {
          "enabled" : false,
          "settings" : ""
        },
        "apache" : {
          "enabled" : false,
          "settings" : ""
        }
      },
      "locking" : {
        "enabled" : true,
        "labels" : true,
        "access" : {
          "deniedUrl" : {
            "value" : true,
            "mode" : true
          },
          "restrictions" : true,
          "clientCertificateAuthentication" : true,
          "authenticationFlow" : true,
          "backendLogoutUrl" : true,
          "ntlmPassthroughEnabled" : true,
          "credentialsPropagation" : {
            "mandatory" : true,
            "type" : true
          },
          "tokensEnabled" : true,
          "tokenVerification" : {
            "type" : true,
            "jwsAlgorithm" : true,
            "jwsKey" : true,
            "jweAlgorithm" : true,
            "jweKey" : true,
            "expiryCheckEnabled" : true,
            "expiryCheckSkew" : true,
            "claimRestrictions" : true,
            "roleExtractions" : true,
            "extractTechnicalClientIdEnabled" : true,
            "extractTechnicalClientIdName" : true,
            "setAuditTokenFromSubjectEnabled" : true
          },
          "tokenTransport" : {
            "presenceMandatoryEnforced" : true,
            "headerExtraction" : {
              "enabled" : true,
              "extractionPattern" : true,
              "replaceWith" : true
            },
            "parameterExtraction" : {
              "enabled" : true,
              "name" : true
            },
            "cookieExtraction" : {
              "enabled" : true,
              "name" : true
            }
          }
        },
        "entryPath" : {
          "settings" : true,
          "regexFormatEnforced" : true,
          "priority" : true
        },
        "backendPath" : true,
        "threatHandling" : true,
        "operationalMode" : true,
        "enableMaintenancePage" : true,
        "ipRules" : {
          "ipAddressWhitelists" : {
            "logOnly" : true
          },
          "ipAddressBlacklists" : {
            "logOnly" : true
          },
          "dynamicIpAddressBlacklist" : {
            "enabled" : true,
            "countMode" : true
          }
        },
        "botManagement" : {
          "clientCookieSupportEnforced" : true,
          "wellKnownBots" : {
            "allowed" : true,
            "sourceDomainEnforced" : true
          },
          "customBots" : {
            "allowed" : true,
            "sourceDomainEnforced" : true,
            "userAgentPattern" : true,
            "domainPattern" : true
          }
        },
        "timeouts" : {
          "backend" : true,
          "sessionIdle" : true
        },
        "limits" : {
          "general" : {
            "maxRequestBodySize" : true,
            "maxPathLength" : true
          },
          "http" : {
            "maxParameters" : true,
            "maxParameterNameLength" : true,
            "maxParameterValueLength" : true
          },
          "json" : {
            "enabled" : true,
            "maxKeyLength" : true,
            "maxValueLength" : true,
            "maxNestingDepth" : true,
            "maxArrayItems" : true,
            "maxKeys" : true,
            "maxTotalEntries" : true
          }
        },
        "application" : {
          "sessionHandling" : true,
          "controlApiAllowed" : true,
          "environmentCookiesEnabled" : true,
          "encryptedCookies" : {
            "enabled" : true,
            "prefix" : true
          },
          "passthroughCookies" : {
            "enabled" : true,
            "prefix" : true
          },
          "loadBalancingCookieEnabled" : true,
          "webSocketsAllowed" : true,
          "redirectForErrorPageEnabled" : true,
          "request" : {
            "charset" : true
          },
          "response" : {
            "compressionAllowed" : true,
            "stripCommentsEnabled" : true,
            "header" : {
              "location" : {
                "rewrites" : true
              }
            },
            "json" : {
              "rewrites" : true
            },
            "body" : {
              "rewrites" : true
            },
            "html" : {
              "rewrites" : true
            },
            "errorPage" : {
              "rewrites" : true
            }
          }
        },
        "apiSecurity" : {
          "treatPathSegmentsAsParamValues" : true,
          "jsonParser" : {
            "enabled" : true,
            "contentTypePattern" : true
          },
          "openApiEnforced" : true,
          "openApiCheckResponsesEnabled" : true,
          "openApiDocumentId" : true,
          "logOnly" : true,
          "openApiPathMatching" : true,
          "openApiPublishSpecificationEnabled" : true,
          "openApiPublishSpecificationPath" : true,
          "apiPolicyServiceEnabled" : true,
          "apiPolicyServiceId" : true,
          "apiPolicyKeyExtractionHeader" : {
            "enabled" : true,
            "extractionPattern" : true,
            "replaceWith" : true
          },
          "apiPolicyKeyExtractionQueryParameter" : {
            "enabled" : true,
            "parameterName" : true
          },
          "apiPolicyKeyExtractionCookie" : {
            "enabled" : true,
            "cookieName" : true
          }
        },
        "dosAttackPrevention" : {
          "enabled" : true,
          "maxRequestsPerInterval" : true,
          "interval" : true,
          "whitelistIpPattern" : true
        },
        "requestBodyStreaming" : {
          "enabled" : true,
          "httpMethodPattern" : true,
          "pathPattern" : true,
          "contentTypePattern" : true
        },
        "httpParameterPollutionDetection" : {
          "mixedTypes" : {
            "enabled" : true,
            "logOnly" : true,
            "parameterNameExceptionPattern" : true
          },
          "sameType" : {
            "enabled" : true
          }
        },
        "icap" : {
          "request" : {
            "clientViews" : true,
            "backendViews" : true
          },
          "response" : {
            "backendViews" : true,
            "clientViews" : true
          }
        }
      }
    },
    "relationships" : {
      "template" : {
        "data" : {
          "type" : "mapping-template",
          "id" : "jwaxsKQ9IURXc/B+GE4KAZcjj2KmIofyWmX2OHF21Gw="
        }
      }
    }
  }
}
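The field descriptions for the mapping resource mark several settings as log-only or otherwise non-enforcing. As an added example (not part of the Airlock documentation), the following Python code audits a mapping document such as the response above for those settings; the sample document, the rule list and the function names are constructed for illustration, and the reasons paraphrase the field descriptions on this page.

```python
import json

# Constructed sample: a trimmed mapping document that reuses field names from
# the example response above; values are chosen so that several checks fire.
SAMPLE_RESPONSE = """
{
  "data": {
    "type": "mapping",
    "id": "4",
    "attributes": {
      "name": "mymapping",
      "threatHandling": "NOTIFY",
      "operationalMode": "PRODUCTION",
      "access": {
        "clientCertificateAuthentication": "OPTIONAL",
        "ntlmPassthroughEnabled": true,
        "tokensEnabled": true,
        "tokenTransport": {"presenceMandatoryEnforced": false},
        "tokenVerification": {"expiryCheckEnabled": true, "expiryCheckSkew": 42}
      },
      "ipRules": {
        "ipAddressWhitelists": {"logOnly": false},
        "ipAddressBlacklists": {"logOnly": true},
        "dynamicIpAddressBlacklist": {"enabled": true, "countMode": "ALL"}
      },
      "locking": {
        "ipRules": {"ipAddressWhitelists": {"logOnly": true}}
      }
    }
  }
}
"""

MISSING = object()

# (attribute path, value that triggers a finding, reason from the field description)
RULES = [
    ("threatHandling", "NOTIFY", "policy violations are logged and notified, not blocked"),
    ("operationalMode", "INTEGRATION", "integration mode logs more about all requests and responses"),
    ("access.clientCertificateAuthentication", "OPTIONAL",
     "access is allowed without a certificate; needs an authentication service check"),
    ("access.ntlmPassthroughEnabled", True, "NTLM is exposed; Kerberos should be preferred"),
    ("ipRules.ipAddressWhitelists.logOnly", True, "non-whitelisted source IPs are only logged"),
    ("ipRules.ipAddressBlacklists.logOnly", True, "blacklisted source IPs are only logged"),
    ("ipRules.dynamicIpAddressBlacklist.countMode", "OFF",
     "blocks on this mapping are not counted for the dynamic IP blacklist"),
]

# These only matter when access tokens are processed at all (tokensEnabled).
TOKEN_RULES = [
    ("access.tokenTransport.presenceMandatoryEnforced", False,
     "requests without a token are accepted"),
    ("access.tokenVerification.expiryCheckEnabled", False,
     "exp and nbf claims are not checked"),
]


def lookup(attrs, dotted):
    """Walk a dotted path below data.attributes; return MISSING if absent."""
    node = attrs
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node


def audit_mapping(document):
    """Return [(path, reason)] for settings that weaken enforcement.

    Paths are resolved explicitly rather than by searching for key names,
    because the 'locking' subtree repeats the same keys (e.g. logOnly) with
    boolean lock flags that say nothing about the setting's value.
    """
    data = document.get("data", {})
    if data.get("type") != "mapping":
        raise ValueError("expected a JSON API document with data.type == 'mapping'")
    attrs = data.get("attributes", {})
    rules = list(RULES)
    if lookup(attrs, "access.tokensEnabled") is True:
        rules += TOKEN_RULES
    findings = []
    for path, bad, reason in rules:
        value = lookup(attrs, path)
        # Compare the type too, so a JSON number 1 never matches boolean true.
        if value is not MISSING and type(value) is type(bad) and value == bad:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in audit_mapping(json.loads(SAMPLE_RESPONSE)):
        print(f"{path}: {reason}")
```
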

Create a Mapping from a Template

POST /configuration/mappings/create-from-template

Content-Type application/json

Accept application/json

Request Structure

Path Type Required Description

data.attributes.id

String

yes

The id of the system mapping template

data.type

String

yes

The data type sent to the server. Must be set to "create-mapping-from-template" for this call.

Response structure

Path Type Description

meta.type

String

The JSON API meta type, which is: "jsonapi.metadata.document"

meta.timestamp

String

The current server time as a timestamp.

data.type

String

The data type of the resource. Must be "mapping" for this call.

data.id

String

The ID of the resource to be addressed.

data.attributes.name

String

The unique name of the mapping.

data.attributes.labels

Array

Assigned Labels (freely defined textual tags). Labels allow grouping of mappings with a common aspect, e.g., all mappings belonging to the same application.

data.attributes.tenant

String

Tenant of the mapping.

data.attributes.backendPath

String

The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server.

data.attributes.threatHandling

String

Defines how policy violations, e.g., missing allow rules, matching deny rules, URL encryption and form protection violations, are handled. Allowed values are: BLOCK, TERMINATE_SESSION, NOTIFY. Effects of the different values:
BLOCK: Requests violating policies are blocked. The session (if available) remains valid.
TERMINATE_SESSION: Requests violating policies are blocked. The session (if available) is terminated.
NOTIFY: Requests violating policies are not blocked. The violation is logged and notified.

data.attributes.operationalMode

String

Specifies whether this mapping runs in standard "Production" mode or in the so-called "Integration" mode. In Integration mode Airlock WAF logs more information about all requests and responses (which may decrease Airlock WAF’s performance). Allowed values are: PRODUCTION, INTEGRATION

data.attributes.enableMaintenancePage

Boolean

Enable maintenance page.

data.attributes.entryPath.value

String

The entry path specifies the external URL path the mapping should be available under. For each incoming request, Airlock WAF compares the URL with the entry path to find the right mapping.

data.attributes.entryPath.regexFormatEnforced

Boolean

Whether the entry path (the external URL path of the mapping) should be interpreted as a regular expression or not.

data.attributes.entryPath.ignoreCase

Boolean

Whether the entry path should be case sensitive.

data.attributes.entryPath.priority

Number

The priority is an integer number that specifies the importance (or order) of a mapping. It has been introduced to guarantee a deterministic selection of the mapping for a given request path. The value can be between -999 (highest priority) and 999 (lowest priority). The priority must be unique among all regular expression mappings. Only non regular expression mappings may share the same priority. In this case, the directories are ordered by length, i.e. the longest match wins.

data.attributes.access.clientCertificateAuthentication

String

Specifies whether accessing this mapping requires the client to authenticate with a valid SSL client certificate. Allowed values are: NOT_REQUIRED, OPTIONAL, REQUIRED. Description of the values:
NOT_REQUIRED: The mapping uses the client certificate settings of the virtual host.
OPTIONAL: The client may send a certificate if available, but access is still allowed without. The optional setting is normally used in combination with an authentication service that presents an alternative login page if no certificate is sent. You should not use the 'optional' setting without this additional authentication service check.
REQUIRED: The client must send a valid certificate. If no client certificate is sent, the SSL handshake is cancelled and the browser typically presents the user with a technical error message.

data.attributes.access.authenticationFlow

String

Allowed values are: REDIRECT, DENY_ACCESS, ONE_SHOT, ONE_SHOT_WITH_BODY, FRONT_SIDE_NTLM. Description:
REDIRECT: If the required role for the mapping is missing on the current session, Airlock WAF will send a redirect (HTTP 303) to either the global or the custom denied access URL. This mode is typically used in conjunction with user operated clients.
DENY_ACCESS: Airlock WAF will directly send an access denied (HTTP 403) response to the client if the required role is missing. This is typically used for technical clients.
ONE_SHOT: When this option is selected and Airlock WAF receives an incoming request for this mapping that needs to be authenticated, Airlock WAF implicitly (without redirect) forwards the request to the configured denied access URL for this mapping. The request headers are forwarded but no request body. After the forwarded request, Airlock WAF checks again if the session is now authenticated. If so, the original request is passed to the back-end server (successful one-shot authentication). If the session does not have the required credentials even after the one-shot request, Airlock WAF will send an access denied (HTTP 403) response to the client.
ONE_SHOT_WITH_BODY: This is the same as the "one-shot" option with two notable differences: the whole body of the request is also sent to the denied access URL for this mapping, and the request method is always POST instead of GET.
FRONT_SIDE_NTLM: Choose the front-side NTLM authentication flow to support authentication using NTLM. The front-side NTLM authentication flow is similar to the "one-shot" authentication flow, but also forwards all requests containing an "Authorization" header with value "NTLM .*" to the denied access URL. For successful authentication, NTLM must be supported by the authentication service.

data.attributes.access.backendLogoutUrl

String

Whenever an Airlock WAF session terminates (either due to an explicit logout by the user or due to a session timeout), Airlock WAF will call the given, unmodified path on the currently used back-end host with all information concerning this back-end application such as cookies, headers, etc. to allow clean session termination on the backend host.

data.attributes.access.ntlmPassthroughEnabled

Boolean

Airlock WAF is enabled to handle HTTP connections with transparent client to back-end NTLM authentication. Since the authorization of NTLM authenticated connections is bound to the underlying TCP connection, the client and back-end connections are correlated as soon as an NTLM handshake is detected. These one-to-one bindings of client and back-end connections exist until client connections are closed. It is guaranteed that no back-end connection authenticated using NTLM is ever reused by another client connection. NTLM has well-known security flaws. We strongly recommend adding additional security measures when exposing NTLM authentication to the Internet. If possible, Kerberos should be preferred over NTLM, as suggested by Microsoft.

data.attributes.access.tokensEnabled

Boolean

Whether access tokens should be processed.

data.attributes.access.restrictions[].enabled

Boolean

Controls whether access restriction is used or not.

data.attributes.access.restrictions[].httpMethodPattern.pattern

String

The actual pattern.

data.attributes.access.restrictions[].httpMethodPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.restrictions[].httpMethodPattern.inverted

Boolean

Whether to invert the match.

data.attributes.access.restrictions[].entryPathPattern.pattern

String

The actual pattern.

data.attributes.access.restrictions[].entryPathPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.restrictions[].entryPathPattern.inverted

Boolean

Whether to invert the match.

data.attributes.access.restrictions[].authorizedRoles[]

Array

Specifies a list of mandatory roles. Only sessions which have at least one of these roles will be able to access the service.

data.attributes.access.restrictions[].authorizedPlans[]

Array

Specifies a list of mandatory plans. Only sessions which have at least one of these plans will be able to access the service.

data.attributes.access.deniedUrl.value

String

Defines the location (URL) of the authentication service. In case the required role for the mapping is missing on the current session, Airlock WAF will redirect the client to this location.

data.attributes.access.deniedUrl.mode

String

"Use Global" (default) uses the global denied access URL as configured under the menu Application Firewall - Session - Access Control. "Custom" uses a mapping-specific denied access URL. Allowed values are: GLOBAL, CUSTOM

data.attributes.access.credentialsPropagation.mandatory

Boolean

If true and the selected SSO credentials are missing, access to the mapping is denied and Airlock WAF will redirect to either the global or the custom denied access URL.

data.attributes.access.credentialsPropagation.type

String

Defines if SSO credentials set by the control API will be forwarded to the back-end application or not. These credentials are typically set by the authentication service upon successful authentication. Allowed values are: NONE, BASIC_AUTH, KERBEROS, NTLM. Description of the values:
NONE: Even if Basic-Auth or NTLM credentials set by the control API are present, Airlock WAF will not forward them to the back-end application. Access to the mapping is granted without any SSO credentials.
BASIC_AUTH: If Basic-Auth credentials set by the control API are present, Airlock WAF will forward them to the back-end application.
KERBEROS: If a Kerberos user is set by the control API, Airlock WAF will acquire and send a service ticket to the back-end application.
NTLM: If NTLM credentials set by the control API are present, Airlock WAF will forward them to the back-end application.

data.attributes.access.tokenTransport.presenceMandatoryEnforced

Boolean

If not enforced, requests without a token are accepted. However, if a token is present, it is extracted and validated and the configured restrictions and role extractions are applied.

data.attributes.access.tokenTransport.headerExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific header.

data.attributes.access.tokenTransport.headerExtraction.extractionPattern.pattern

String

The actual pattern.

data.attributes.access.tokenTransport.headerExtraction.extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.tokenTransport.headerExtraction.replaceWith

String

The rewrite expression for the header extraction.

data.attributes.access.tokenTransport.parameterExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific query parameter.

data.attributes.access.tokenTransport.parameterExtraction.name

String

Specifies the name of the query parameter.

data.attributes.access.tokenTransport.cookieExtraction.enabled

Boolean

If enabled Airlock WAF will extract the token from the specific cookie.

data.attributes.access.tokenTransport.cookieExtraction.name

String

Specifies the name of the cookie.

data.attributes.access.tokenVerification.type

String

Airlock supports three types of JWT tokens. Allowed values are: JWS, JWE, JWS_JWE

data.attributes.access.tokenVerification.jwsAlgorithm

String

Supported algorithms: Allowed values are: HS_256, HS_384, HS_512, RS_256, RS_384, RS_512, PS_256, PS_384, PS_512

data.attributes.access.tokenVerification.jwsKey

String

A public key in x509 format or the passphrase, depending on the selected algorithm.

data.attributes.access.tokenVerification.jweAlgorithm

String

Supported algorithms: Allowed values are: A_128_CBC_HS_256, A_192_CBC_HS_384, A_256_CBC_HS_512, A_256_GCM

data.attributes.access.tokenVerification.jweKey

String

Your secret passphrase for the symmetric encryption.

data.attributes.access.tokenVerification.expiryCheckEnabled

Boolean

If enabled the JWT standard claims expiry (exp) and not before (nbf) will be checked and must be valid.

data.attributes.access.tokenVerification.expiryCheckSkew

Number

The allowed skew when checking expiry / not before in seconds. This can be used if verification fails because of time synchronization issues with the token issuer and your Airlock WAF.

data.attributes.access.tokenVerification.claimRestrictions[].enabled

Boolean

Enable/disable this claim extraction rule.

data.attributes.access.tokenVerification.claimRestrictions[].name

String

Name of the claim you want to restrict.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.pattern

String

The actual pattern.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.tokenVerification.claimRestrictions[].restrictionPattern.inverted

Boolean

Whether to invert the match.

data.attributes.access.tokenVerification.roleExtractions[].enabled

Boolean

Enable/disable this claim extraction rule.

data.attributes.access.tokenVerification.roleExtractions[].name

String

Name of the claim you want to extract a role from.

data.attributes.access.tokenVerification.roleExtractions[].extractionPattern.pattern

String

The actual pattern.

data.attributes.access.tokenVerification.roleExtractions[].extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.access.tokenVerification.roleExtractions[].replaceWith

String

The rewrite expression of the role.

data.attributes.access.tokenVerification.roleExtractions[].tokenLifetimeAsRoleLifetimeEnforced

Boolean

If enforced the expiry claim (exp) of the JWT will be used as the role lifetime.

data.attributes.access.tokenVerification.extractTechnicalClientIdEnabled

Boolean

Extract a technical client ID from JWT.

data.attributes.access.tokenVerification.extractTechnicalClientIdName

String

Name of the claim to extract as technical client ID.

data.attributes.access.tokenVerification.setAuditTokenFromSubjectEnabled

Boolean

Extract the 'sub' claim from the JWT and use its value as audit token of the current Airlock WAF session.

data.attributes.ipRules.ipAddressWhitelists.logOnly

Boolean

If true, requests whose source IP address is not contained in one of the configured IP Whitelists are only logged but not blocked.

data.attributes.ipRules.ipAddressBlacklists.logOnly

Boolean

If true, requests whose source IP address is contained in one of the configured IP Blacklists are only logged but not blocked.

data.attributes.ipRules.ipAddressBlacklists.webrootThreatCategories

String

Defines which threat categories should be blocked. Allowed values are: SPAM_SOURCES, WINDOWS_EXPLOITS, WEB_ATTACKS, BOT_NETS, SCANNERS, DENIAL_OF_SERVICE, PHISHING, PROXY, MOBILE_THREATS, TOR_PROXY. Threat categories blocked through the different values:
SPAM_SOURCES: The Spam Sources category includes IP addresses involved in tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities.
WINDOWS_EXPLOITS: The Windows Exploits category includes IP addresses participating in the distribution of malware, shell code, rootkits, worms or viruses for Windows platforms.
WEB_ATTACKS: The Web Attacks category includes IP addresses using cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force attacks to target vulnerabilities on a web server.
BOT_NETS: The Botnets category includes IP addresses acting as Botnet Command and Control (C&C) centers, and infected zombie machines controlled by the C&C servers.
SCANNERS: The Scanners category includes IP addresses involved in unauthorized reconnaissance activities such as probing, host scanning, port scanning and brute force login attempts.
DENIAL_OF_SERVICE: The Denial of Services category includes IP addresses involved in DOS or DDOS attacks, anomalous sync flood, or anomalous traffic.
PHISHING: The Phishing category includes IP addresses hosting phishing sites and sites related to other kinds of fraudulent activities.
PROXY: The Proxy category includes IP addresses providing proxy services, including both VPN and open web proxy services.
MOBILE_THREATS: The Mobile Threats category includes IP addresses associated with malicious and unwanted mobile applications.
TOR_PROXY: The Tor Proxy category includes IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.

data.attributes.ipRules.dynamicIpAddressBlacklist.enabled

Boolean

Enables blocking of IPs on the dynamic IP address blacklist.

data.attributes.ipRules.dynamicIpAddressBlacklist.countMode

String

Defines the counting mode of blocks for the dynamic IP address blacklist. Allowed values are: OFF, ALL, DENY_RULES_ONLY. The following count modes are available: OFF: Blocks on this mapping are not counted for the dynamic IP address blacklist. ALL: All blocks on this mapping are counted for the dynamic IP address blacklist. DENY_RULES_ONLY: Only deny rule blocks on this mapping are counted for the dynamic IP address blacklist.

data.attributes.botManagement.clientCookieSupportEnforced

Boolean

If enabled, only clients implementing a Cookie-Store will be able to access the application through this mapping. In contrast to regular browsers, most bots do not implement a Cookie-Store and will therefore be blocked if this setting is enabled.

data.attributes.botManagement.wellKnownBots.allowed

Boolean

Check the User-Agent to determine if a bot is well-known and do not block such bots. Clients indicating one of the following User-Agent headers are treated as well-known bots: Googlebot, bingbot, MSNBot, Baiduspider, YandexBot, archive.org_bot, DuckDuckBot.

data.attributes.botManagement.wellKnownBots.sourceDomainEnforced

Boolean

If enabled, a reverse IP lookup for well-known bots is performed to verify that the client’s IP address belongs to the operator of a well-known bot. This prevents bots from pretending to be a well-known bot by sending a fake "User-Agent" header. The following domains are considered as domains of operators operating well-known bots: google.com, googlebot.com, search.msn.com, yahoo.net, baidu.com, baidu.jp, yandex.ru, yandex.net, yandex.com, archive.org, amazonaws.com (107.20.237.51, 23.21.226.191, 107.21.1.8, 54.208.102.37).

data.attributes.botManagement.customBots.allowed

Boolean

If enabled, custom bots are not blocked. Custom bots are identified by providing a "User-Agent" and "Domain" pattern.

data.attributes.botManagement.customBots.sourceDomainEnforced

Boolean

Do not block bots whose source-domain matches the "domain pattern".

data.attributes.botManagement.customBots.userAgentPattern.pattern

String

The actual pattern.

data.attributes.botManagement.customBots.userAgentPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.botManagement.customBots.userAgentPattern.inverted

Boolean

Whether to invert the match.

data.attributes.botManagement.customBots.domainPattern.pattern

String

The actual pattern.

data.attributes.botManagement.customBots.domainPattern.inverted

Boolean

Whether to invert the match.

data.attributes.timeouts.backend

Number

Defines the time (seconds) Airlock WAF will wait for the back-end response. In case the request runs into the timeout, Airlock WAF will send a redirect to the HTTP 503 Service unavailable error page with the corresponding HTTP 503 status code. If In-band Health Checks are configured, then such a request will be counted as a failed request, potentially leading to the back-end server being marked as bad.

data.attributes.timeouts.sessionIdle

Number

Defines the minimum session idle time (seconds) of Airlock WAF for this mapping. The value will be ignored if the minimum session idle timeout is smaller than or equal to the global session idle timeout setting.

data.attributes.limits.general.maxRequestBodySize

Number

This field limits the total size of the request body. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in a request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once.

data.attributes.limits.general.maxPathLength

Number

Defines the maximum path length for requests to the current mapping (default: max 1024 bytes).

data.attributes.limits.http.maxParameters

Number

Defines the maximum number of parameters inside the request (default: max 128 parameters).

data.attributes.limits.http.maxParameterNameLength

Number

Defines the maximum length for a parameter name (default: max 128 bytes).

data.attributes.limits.http.maxParameterValueLength

Number

Defines the maximum length for a parameter value (default: max 1024 bytes).

data.attributes.limits.json.enabled

Boolean

Whether JSON limits are enabled.

data.attributes.limits.json.maxKeyLength

Number

Defines the maximum length for a JSON key, also known as "JSON property" or "JSON object member" (default: max 256 bytes).

data.attributes.limits.json.maxValueLength

Number

Defines the maximum JSON value length for requests to the current mapping (default: max 8192 bytes).

data.attributes.limits.json.maxNestingDepth

Number

Defines the maximum depth of nesting for JSON objects and JSON arrays (default: max 100).

data.attributes.limits.json.maxKeys

Number

Defines the maximum number of keys of a single JSON object (non-recursive, default: max 250).

data.attributes.limits.json.maxArrayItems

Number

Defines the maximum number of items for a single JSON array (non-recursive, default: max 500).

data.attributes.limits.json.maxTotalEntries

Number

Defines the maximum number of keys and array items in the whole JSON document (recursive, default: max 150000).
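The following added example (not Airlock WAF code) models the six JSON limits above with their documented defaults, to show how the non-recursive per-container limits differ from the recursive maxTotalEntries. Assumptions: lengths are counted in UTF-8 bytes, the root container is nesting depth 1, non-string values are measured in serialized form, and the name check_json_limits is hypothetical.

```python
import json

# Defaults as documented for data.attributes.limits.json.* on this page.
DEFAULT_LIMITS = {
    "maxKeyLength": 256,        # bytes per JSON key
    "maxValueLength": 8192,     # bytes per JSON value
    "maxNestingDepth": 100,     # nested objects/arrays
    "maxKeys": 250,             # keys in one object (non-recursive)
    "maxArrayItems": 500,       # items in one array (non-recursive)
    "maxTotalEntries": 150000,  # keys + array items, whole document
}


def _byte_len(text):
    return len(text.encode("utf-8"))  # assumption: limits count UTF-8 bytes


def check_json_limits(document, limits=None):
    """Return a list of (limit_name, json_path, observed_value) violations."""
    limits = {**DEFAULT_LIMITS, **(limits or {})}
    violations = []
    total_entries = 0
    # Explicit stack instead of recursion; assumption: root container is depth 1.
    stack = [(json.loads(document), "$", 1)]
    while stack:
        node, path, depth = stack.pop()
        if isinstance(node, dict):
            children = [(f"{path}.{k}", v) for k, v in node.items()]
            per_container = "maxKeys"
            for key in node:
                if _byte_len(key) > limits["maxKeyLength"]:
                    violations.append(("maxKeyLength", path, _byte_len(key)))
        elif isinstance(node, list):
            children = [(f"{path}[{i}]", v) for i, v in enumerate(node)]
            per_container = "maxArrayItems"
        else:
            # Scalar: strings as-is, numbers/booleans/null in serialized form.
            text = node if isinstance(node, str) else json.dumps(node)
            if _byte_len(text) > limits["maxValueLength"]:
                violations.append(("maxValueLength", path, _byte_len(text)))
            continue
        if depth > limits["maxNestingDepth"]:
            violations.append(("maxNestingDepth", path, depth))
            continue  # report once, do not descend further
        if len(children) > limits[per_container]:
            violations.append((per_container, path, len(children)))
        total_entries += len(children)
        stack.extend((v, p, depth + 1) for p, v in children)
    if total_entries > limits["maxTotalEntries"]:
        violations.append(("maxTotalEntries", "$", total_entries))
    return violations


if __name__ == "__main__":
    # Constructed sample: 200 objects with 200 keys each. Every object stays
    # under maxKeys, but the document holds 200 + 200*200 entries in total.
    wide = json.dumps({f"k{i}": {f"a{j}": 0 for j in range(200)}
                       for i in range(200)})
    print(check_json_limits(wide))                              # defaults
    print(check_json_limits(wide, {"maxTotalEntries": 40000}))  # tightened
```

A document can satisfy maxKeys and maxArrayItems in every container and still exceed maxTotalEntries, so the recursive limit is the one that bounds overall parsing cost.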

data.attributes.application.sessionHandling

String

Allowed values are: ENFORCE_SESSION, OPTIONAL_SESSION, OPTIONAL_SESSION_NO_REFRESH, IGNORE_SESSION. The different modes have the following effects: ENFORCE_SESSION: Sessions are enforced. If no session is available a new session is created. OPTIONAL_SESSION: Sessions are optional. Existing sessions are used. If no session is available no session is used. OPTIONAL_SESSION_NO_REFRESH: Same as "OPTIONAL_SESSION" but without refreshing session access timestamps. That is, requests use existing sessions if available but do not reset session idle times. IGNORE_SESSION: Session handling is disabled. No sessions are created and existing sessions are ignored. This mode improves performance for delivery of anonymous stateless content, such as image directories or static web repositories.

data.attributes.application.controlApiAllowed

Boolean

Specifies whether this service is allowed to use Airlock WAF’s back-end API via the control cookie mechanism. Normally, only the authentication application should be allowed to use the back-end control API of Airlock WAF.

data.attributes.application.environmentCookiesEnabled

Boolean

Specifies whether this service should receive the Airlock WAF environment cookies that contain useful information about the connection to the client.

data.attributes.application.loadBalancingCookieEnabled

Boolean

If enabled, load balancing information is sent to the client in a load balancing cookie. Disable if no load balancing is needed and no cookie should be generated for this purpose.

data.attributes.application.webSocketsAllowed

Boolean

Enables support for WebSockets protocol as defined in RFC 6455.

data.attributes.application.redirectForErrorPageEnabled

Boolean

If enabled, Airlock WAF will deliver error pages by sending an HTTP redirect pointing to the error page to its clients. Otherwise the error page will be directly returned.

data.attributes.application.encryptedCookies.enabled

Boolean

Enables encryption of cookies which are sent to the client.

data.attributes.application.encryptedCookies.prefix

String

Regular expression for cookies that should be cryptographically encrypted before being sent to the client. All cookies that have names which match the regular expression are encrypted and digitally signed with a secret key derived from a pass phrase when sent to the client. They are decrypted and verified when sent to the back-end service. Because the pass-phrase-based key is used, such cookies are valid over several sessions and can also be persistent on the client’s machine. Such cookies protect the application from manipulated cookie contents and hide the content from the user.

data.attributes.application.passthroughCookies.enabled

Boolean

Enables 'Passthrough Cookies'. Passthrough Cookies are cookies which are sent in plain format to the client.

data.attributes.application.passthroughCookies.prefix

String

Regular expression to select cookies that should be treated as 'Passthrough Cookies'. Passthrough cookies are not recommended because they are often a carrier for cookie poisoning based web application attacks that can result in buffer overflows etc.

data.attributes.application.request.charset

String

Parameter values that are sent in HTTP requests from the client are interpreted by Airlock WAF as if they were encoded using the given charset. If Airlock WAF detects that the charset does not match it tries to use the fallback charset.

data.attributes.application.response.compressionAllowed

Boolean

Specifies whether Airlock WAF should compress the output on-the-fly for the client browser (if supported and requested by the browser). Warning: Allowing compression for data served through SSL/TLS virtual hosts may affect the secrecy of the data.

data.attributes.application.response.stripCommentsEnabled

Boolean

If enabled, Airlock WAF removes HTML comments.

data.attributes.application.response.header.location.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.header.location.rewrites[].urlPattern.pattern

String

The actual pattern.

data.attributes.application.response.header.location.rewrites[].urlPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.header.location.rewrites[].replaceWith

String

This is the target string which will replace the string matched by URL pattern.

data.attributes.application.response.json.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.json.rewrites[].path

String

A response from the back-end server is rewritten only if the JSON path matches this regular expression.

data.attributes.application.response.json.rewrites[].contentPattern.pattern

String

The actual pattern.

data.attributes.application.response.json.rewrites[].contentPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.json.rewrites[].replaceWith

String

This is the target string which will replace the string matched by Content Pattern.

data.attributes.application.response.body.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.body.rewrites[].contentType

String

A response from the back-end server is rewritten only if the response header Content-Type matches this regular expression.

data.attributes.application.response.body.rewrites[].contentPattern.pattern

String

The actual pattern.

data.attributes.application.response.body.rewrites[].contentPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.body.rewrites[].replaceWith

String

This is the target string which will replace the string matched by Content Pattern.

data.attributes.application.response.html.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.html.rewrites[].urlPattern.pattern

String

The actual pattern.

data.attributes.application.response.html.rewrites[].urlPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.application.response.html.rewrites[].uris

Boolean

Apply rule to linked HTML elements like href, src, etc.

data.attributes.application.response.html.rewrites[].events

Boolean

Apply rule to JavaScript event strings such as onsubmit, onload, etc.

data.attributes.application.response.html.rewrites[].embedded

Boolean

Apply rule to <script> and <style> blocks embedded in the HTML page.

data.attributes.application.response.html.rewrites[].replaceWith

String

This is the target string which will replace the string matched by URL Pattern.

data.attributes.application.response.errorPage.rewrites[].enabled

Boolean

Whether rewrites are enabled.

data.attributes.application.response.errorPage.rewrites[].statusContentPattern

String

The HTTP status code pattern.

data.attributes.application.response.errorPage.rewrites[].replaceWith

String

This is the target string which will replace the string matched by HTTP status content pattern.

data.attributes.apiSecurity.treatPathSegmentsAsParamValues

Boolean

If enabled, each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it.

data.attributes.apiSecurity.openApiEnforced

Boolean

Specifies whether traffic to/from this service shall be checked against an API specification provided in the OpenAPI format. If enforced, traffic not conforming to the API specification will be blocked.

data.attributes.apiSecurity.openApiCheckResponsesEnabled

Boolean

Check responses against the API specification.

data.attributes.apiSecurity.logOnly

Boolean

If enabled, potential attack requests are only logged but not blocked.

data.attributes.apiSecurity.openApiPathMatching

String

Run OpenAPI path matching against client or server view of request/response.

data.attributes.apiSecurity.openApiPublishSpecificationEnabled

Boolean

Allow clients to download the API specification.

data.attributes.apiSecurity.openApiPublishSpecificationPath

String

External path to the API specification. Note that the entry path will be added in front of it.

data.attributes.apiSecurity.apiPolicyServiceEnabled

Boolean

Enables API policy service.

data.attributes.apiSecurity.apiPolicyServiceId

Number

ID of the API policy service.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.enabled

Boolean

If enabled, Airlock WAF will extract the API key from the specific header.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.pattern

String

The actual pattern.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.extractionPattern.inverted

Boolean

Whether to invert the match.

data.attributes.apiSecurity.apiPolicyKeyExtractionHeader.replaceWith

String

The rewrite expression for the header extraction.

data.attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.enabled

Boolean

If enabled, Airlock WAF will extract the API key from the specific query parameter.

data.attributes.apiSecurity.apiPolicyKeyExtractionQueryParameter.parameterName

String

Specifies the name of the query parameter.

data.attributes.apiSecurity.apiPolicyKeyExtractionCookie.enabled

Boolean

If enabled, Airlock WAF will extract the API key from the specific cookie.

data.attributes.apiSecurity.apiPolicyKeyExtractionCookie.cookieName

String

Specifies the name of the cookie.

data.attributes.apiSecurity.jsonParser.enabled

Boolean

If set to true, Airlock WAF parses JSON objects in requests and filters JSON attributes with allow rules and deny rules. JSON objects are parsed only if their content-type matches the specified pattern.

data.attributes.apiSecurity.jsonParser.contentTypePattern.pattern

String

The actual pattern.

data.attributes.apiSecurity.jsonParser.contentTypePattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.apiSecurity.jsonParser.contentTypePattern.inverted

Boolean

Whether to invert the match.

data.attributes.dosAttackPrevention.enabled

Boolean

Enables DoS attack prevention filter.

data.attributes.dosAttackPrevention.maxRequestsPerInterval

Number

Maximum requests allowed per IP address.

data.attributes.dosAttackPrevention.interval

Number

Interval for measurement of allowed requests per IP address (seconds).

data.attributes.dosAttackPrevention.whitelistIpPattern

Object

Reference to an IP pattern that acts as whitelist. All source IPs matching this pattern will be excluded from the session limit per IP restriction. This is typically used if you have many users sharing the same source IP (i.e. a proxy).

data.attributes.dosAttackPrevention.whitelistIpPattern.pattern

String

The actual pattern.

data.attributes.dosAttackPrevention.whitelistIpPattern.inverted

Boolean

Whether to invert the match.

data.attributes.requestBodyStreaming.enabled

Boolean

Controls whether request body streaming is used or not. If set, only requests matching all three regular expression patterns will be streamed. Empty fields have the same effect as the pattern ^.*$

data.attributes.requestBodyStreaming.httpMethodPattern

Object

Only requests whose HTTP method matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.pathPattern

Object

Only requests whose path matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.contentTypePattern

Object

Only requests whose content type header matches this regular expression pattern will be streamed.

data.attributes.requestBodyStreaming.httpMethodPattern.pattern

String

The actual pattern.

data.attributes.requestBodyStreaming.httpMethodPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.requestBodyStreaming.httpMethodPattern.inverted

Boolean

Whether to invert the match.

data.attributes.requestBodyStreaming.pathPattern.pattern

String

The actual pattern.

data.attributes.requestBodyStreaming.pathPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.requestBodyStreaming.pathPattern.inverted

Boolean

Whether to invert the match.

data.attributes.requestBodyStreaming.contentTypePattern.pattern

String

The actual pattern.

data.attributes.requestBodyStreaming.contentTypePattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.requestBodyStreaming.contentTypePattern.inverted

Boolean

Whether to invert the match.

data.attributes.httpParameterPollutionDetection.mixedTypes

Object

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving both HTTP GET and HTTP POST parameters (thus involving parameters of different/mixed types).

data.attributes.httpParameterPollutionDetection.sameType

Object

Allows the detection of HTTP Parameter Pollution (HPP) attacks involving only HTTP GET or only HTTP POST parameters (thus involving only parameters of the same type).

data.attributes.httpParameterPollutionDetection.mixedTypes.enabled

Boolean

If enabled, requests containing HTTP GET and HTTP POST parameters of the same name are blocked to prevent HPP attacks.

data.attributes.httpParameterPollutionDetection.mixedTypes.logOnly

Boolean

If true, potential HPP attack requests are only logged but not blocked.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern

Object

Parameters named with a name matching this regular expression pattern will be ignored by the HPP detection.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.pattern

String

The actual pattern.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.caseIgnored

Boolean

Whether to ignore case.

data.attributes.httpParameterPollutionDetection.mixedTypes.parameterNameExceptionPattern.inverted

Boolean

Whether to invert the match.

data.attributes.httpParameterPollutionDetection.sameType.enabled

Boolean

If enabled, parameters with the same name and type (HTTP GET or POST) are joined together into one parameter before filtering to prevent HPP attacks. Note: For the filtering itself, a deny rule like the default deny rule '(default) HTTP Parameter Pollution' has to be configured.
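The following added example (not Airlock WAF code) models the httpParameterPollutionDetection settings above for a single request, so the effect of mixedTypes, logOnly, the exception pattern and sameType can be compared side by side. Assumptions: the body is application/x-www-form-urlencoded, patterns use search semantics, the join separator is a comma (the page does not name one), and inspect_hpp and its parameter names are hypothetical.

```python
import re
from urllib.parse import parse_qsl


def _excepted(name, pattern, case_ignored, inverted):
    """Model of parameterNameExceptionPattern with caseIgnored/inverted."""
    if not pattern:
        return False
    flags = re.IGNORECASE if case_ignored else 0
    matched = re.search(pattern, name, flags) is not None  # assumed semantics
    return matched != inverted


def _group(pairs, join_with):
    """Group repeated names; join the values when a separator is given."""
    grouped = {}
    for name, value in pairs:
        grouped.setdefault(name, []).append(value)
    if join_with is None:
        return grouped
    return {name: join_with.join(values) for name, values in grouped.items()}


def inspect_hpp(query, body, mixed_enabled=True, log_only=False,
                exception_pattern=None, case_ignored=False, inverted=False,
                same_type_enabled=True, join_with=","):
    """Return the decision and the parameters a later deny rule would see."""
    get_pairs = parse_qsl(query, keep_blank_values=True)
    post_pairs = parse_qsl(body, keep_blank_values=True)

    # mixedTypes: the same name arrives as both a GET and a POST parameter.
    mixed = []
    if mixed_enabled:
        shared = {n for n, _ in get_pairs} & {n for n, _ in post_pairs}
        mixed = sorted(
            n for n in shared
            if not _excepted(n, exception_pattern, case_ignored, inverted))
    action = "pass"
    if mixed:
        action = "log" if log_only else "block"

    # sameType: repeated names of one type are joined before filtering.
    joiner = join_with if same_type_enabled else None
    return {"action": action, "mixed": mixed,
            "get": _group(get_pairs, joiner),
            "post": _group(post_pairs, joiner)}


if __name__ == "__main__":
    # Constructed sample requests.
    print(inspect_hpp("user=alice&action=view", "action=delete"))
    print(inspect_hpp("id=1&id=2&sort=asc", ""))
```

With sameType enabled, a deny rule evaluates the joined value as one parameter, which is why the page requires a matching deny rule for the filtering itself.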

data.attributes.expertSettings.securityGate

Object

Expert settings for the Security Gate.

data.attributes.expertSettings.apache

Object

Expert settings for the Apache web listener.

data.attributes.expertSettings.securityGate.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.securityGate.settings

String

The expert settings for the Security Gate.

data.attributes.expertSettings.apache.enabled

Boolean

Whether the expert settings are enabled.

data.attributes.expertSettings.apache.settings

String

The expert settings for the Apache web listener.

data.attributes.locking.enabled

Boolean

If true, the state of the attribute locks is displayed in Airlock WAF’s Configuration Center for this mapping.

data.attributes.locking.labels

Boolean

Lock for the corresponding member.

data.attributes.locking.backendPath

Boolean

Lock for the corresponding member.

data.attributes.locking.threatHandling

Boolean

Lock for the corresponding member.

data.attributes.locking.enableMaintenancePage

Boolean

Lock for the corresponding member.

data.attributes.locking.operationalMode

Boolean

Lock for the corresponding member.

data.attributes.locking.access.restrictions

Boolean

Lock for the corresponding member.

data.attributes.locking.access.clientCertificateAuthentication

Boolean

Lock for the corresponding member.

data.attributes.locking.access.authenticationFlow

Boolean

Lock for the corresponding member.

data.attributes.locking.access.backendLogoutUrl

Boolean

Lock for the corresponding member.

data.attributes.locking.access.ntlmPassthroughEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.tokensEnabled

Boolean

Lock for the corresponding member.

data.attributes.locking.access.deniedUrl.value

Boolean

Lock for the corresponding member.

data.attributes