Section – Service and Mode

Mapping-Basic Section Service and Mode

Mapping name

Each back-end application is identified by a unique mapping name. This name is used in the control API to execute certain commands on specific back-end services (e.g. setting the on-behalf login information).

The mapping name must not contain any white-space characters or other special characters.

Labels

Labels are freely defined textual tags that can be assigned to one or more mappings. Multiple labels can be assigned to each mapping.

The labels can be used to tag mappings of a common aspect, e.g. of the same application or the same staging environment. In the Reverse Proxy View mappings can be filtered by labels.

Labels are merely used to simplify configuration management and have no effect on the filtering policy.

Tenant

The tenant of this mapping.

Airlock Gateway offers a multi-client mapping functionality for tenants. When an element is allocated to a tenant, it will be visible for this tenant via REST API documentation.

For more information see Multitenancy feature.

Entry path

The entry path specifies the external URL path the mapping should be available under. For each incoming request, Airlock Gateway compares the URL with the entry path to find the right mapping.

  • Choice:
  • Directory
  • Regular expression

Back-end path

The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server. Entry path and back-end path may be different, but this only works if the application only uses relative URLs or if Airlock Gateway rewrites these URLs (response body rewriting).

Enforce trailing slashes

Enabling/disabling toggles the validator to either enforce or not enforce trailing slashes.

The default is disabled.

See Entry path to back-end path settings for more information and examples.

Priority

The priority is an integer number that specifies the importance (or order) of a mapping. It has been introduced to guarantee a deterministic selection of the mapping for a given request path. The value can be between -999 (highest priority) and 9999 (lowest priority).

The priority must be unique among all regular expression mappings. Only mappings with a directory entry path may share the same priority. In this case, the directories are ordered by length, i.e. the longest match wins.

Show maintenance page

Specifies whether Airlock Gateway should display a maintenance page instead of performing the request to the back-end server on this mapping. Using this flag makes it possible to temporarily disable access to a mapping without having to delete or disconnect the mapping. If the flag is set, Airlock Gateway will redirect requests to the maintenance error page (see error page configuration).

Threat handling

Defines how policy violations, e.g., missing allow rules, matching deny rules, URL encryption, and form protection violations, are handled:

  • Block Request – Requests violating policies are blocked. The session (if available) remains valid.
  • Terminate Session – Requests violating policies are blocked. The session (if available) is terminated.
  • Log only (sometimes also called passive mode) – Requests that violate the following policies will not be blocked, only logged.
    • Affected by Log only:
    • Allow rules
    • Client fingerprinting – no block action.
    • CSRF tokens by Airlock Gateway
    • Deny rules
    • Dynamic value endorsement (DyVE)
    • Form protection
    • Limits – except Apache Max request body size handling and JSON Limits.
    • Multipart deny rules
    • Request and response actions – the remove header action is disabled but occurrences will be logged.
    • URL encryption – accept and log is enabled for URL encryption.
    • Not affected by Log only:
    • Cookies
    • DoS attack prevention – session and mapping settings.
    • ICAP
    • JSON Limits
    • Max request body size – body size is handled by Apache.
    • Others:
    • HTTP Parameter Pollution Detection – duplicate detection has its own Log only mode.
    • IP Blacklists – IP blacklisting has its own Log only mode.

    Temporarily choose Log only for quick and seamless integration of any web application and use the log viewer while testing the application.

Operational mode

Specifies whether this mapping runs in standard "Production" mode or in the so-called "Integration" mode. In Integration mode, Airlock Gateway logs more information about all requests and responses. This allows easier integration of back-end applications (thus the name "Integration mode"). Due to the increased amount of logging information, the performance of your Airlock Gateway installation may decrease.

  • Choice
  • Production
  • Integration