Section – Apache

Airlock Gateway allows configuration of Apache expert settings that directly affect the doorway Apache server. These settings are added to the httpd.conf file and have the same syntax as Apache directives. Apache expert settings overwrite the default directives set by Airlock Gateway.

Apache expert settings can be configured in three different places. Depending on the location, directives from different Apache contexts are allowed:

  • global: directives from Apache context “server config” are applicable. Configurable under “Expert Settings -> Security Gate / Apache”.
  • virtual host: directives from Apache context “virtual host” are applicable. Configurable in the “Expert Settings” tab of the virtual host.
  • mapping: directives from Apache context “directory” are applicable. Configurable in the “Expert Settings” tab of the mapping.
 
Notice

Apache expert settings are not validated. Syntax errors will break the httpd service start/restart.

Priority of contexts

Depending on the Apache context in which a directive is defined, it can be overwritten by other directives:

  • directives in context “virtual host” overwrite directives in context “server config”.
  • directives in context “directory” overwrite directives in context “virtual host” and in context “server config”.

Examples

Adaption of the Apache log level

The log level can be changed as follows (applicable globally and per virtual host):

 
Example
LogLevel debug

The logs can be found in the Log Viewer

SSL protocol/cipher settings

Global SSL and cipher settings for all virtual hosts could be set here. A more detailed description can be found here.

Note:
We recommend modifying these settings individually per virtual host instead of globally – see Tab – SSL.

Maintenance Window

A scheduled maintenance window e.g. between 2021-10-31 19:40:00 and 2021-11-02 16:30:00 can be introduced by adding the following settings (applicable globally or per virtual host):

 
Example
RewriteOptions InheritDownBefore
 RewriteCond expr "%{TIME} -gt 20211031194000"
 RewriteCond expr "%{TIME} -lt 20211102163000"
 RewriteRule !^/error_path /error_path/maintenance.html [QSD,R=303,L]

For a RewriteRule whose rewritten URL does not refer to the error path, the redirect flag or the passthrough flag must be set. If possible, use Path redirects instead of custom rewrite rules.

Certificate Allowlisting

To put a client certificate onto the allowlist, add the following setting (only applicable on mappings):

 
Example
SSLRequire %{SSL_CLIENT_M_SERIAL} in {"005","015","019"}