DSL reference
Field
Default value
Required
Type
Description
license
string
The encoded license.
license_file
/secret/license
string
The license file path.
remote_ip.header
Yes
string
If set, Airlock Microgateway will treat the value of this header field as the useragent IP address.
Common values are 'X-Forwarded-For' or 'X-Client-IP'.
Warning: Make sure that internal_proxies is correctly configured for your setup.
remote_ip.internal_proxies[]
Yes
array
List of hostnames, IP addresses or IP address ranges (e.g. 10.0.0.0/8) to trust as presenting a valid Remote-IP header.
apps[].virtual_host.name
microgateway
string
The logical name of the virtual host.
apps[].virtual_host.hostname
microgateway
string
The hostname of the virtual host.
apps[].virtual_host.aliases[]
array
Additional hostnames which refer to this virtual host.
apps[].virtual_host.strict_fqdn
false
boolean
Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.
apps[].virtual_host.http_enabled
true
boolean
Specifies whether HTTP connections are enabled for this host.
apps[].virtual_host.http_port
8080
integer
Specifies the port on which this host listens for HTTP connections.
apps[].virtual_host.https_enabled
true
boolean
Specifies whether HTTPS connections are enabled for this host.
apps[].virtual_host.https_port
8443
integer
Specifies the port on which this host listens for HTTPS connections.
apps[].virtual_host.http2_enabled
true
boolean
Specifies whether HTTP/2 connections are enabled for this host.
apps[].virtual_host.session_cookie_path
/
string
Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host.
apps[].virtual_host.session_cookie_domain
string
Specifies the domain for Airlock’s session cookie if the cookie is created inside this virtual host.
apps[].virtual_host.encoded_slashes
false
boolean
Specifies whether encoded slashes (%2F) are allowed in URL path. Attention: combinations of client certificates per mapping and enabled encoded slashes in the same virtual host might result in configurations where client certificate evaluation might be evaded.
apps[].virtual_host.certificate.certificate
string
The certificate in PEM format.
apps[].virtual_host.certificate.certificate_file
/secret/tls/frontend-server.crt
string
The certificate file path.
apps[].virtual_host.certificate.privatekey
string
The private key for the certificate in PEM format.
apps[].virtual_host.certificate.privatekey_file
/secret/tls/frontend-server.key
string
The private key file path
apps[].virtual_host.certificate.ca_chain
string
List of certificates of the CA chain for the certificate.
apps[].virtual_host.certificate.ca_chain_file
/secret/tls/frontend-server-ca.crt
string
The CA chain file path.
apps[].virtual_host.auth.client_certificate.verification
off
string
Defines the default verification mode for client certificates on this virtual host. Possible values are 'off', 'optional' or 'required'.
apps[].virtual_host.auth.client_certificate.verification_depth
1
integer
Maximum number of intermediate certificate issuers.
apps[].virtual_host.auth.client_certificate.ca_selection
string
The concatenated certificates of the CAs which are sent to the client during the SSL handshake, in PEM format.
apps[].virtual_host.auth.client_certificate.ca_selection_file
/secret/auth/client_certificate/selection.crt
string
The file containing the selection CA certificates.
apps[].virtual_host.auth.client_certificate.ca_validation
string
The concatenated certificates of the CAs which are used as trust anchor during chain validation, in PEM format.
apps[].virtual_host.auth.client_certificate.ca_validation_file
/secret/auth/client_certificate/validation.crt
string
The file containing the validation CA certificates.
apps[].virtual_host.auth.client_certificate.crl
string
PEM representation of certificate revocation lists. If a client certificate is on such a list it will not be accepted. Although Airlock provides this functionality, it is recommended to check certificates against CRLs and other types of blacklists within the authentication service and not in Airlock.
apps[].virtual_host.auth.client_certificate.crl_file
/secret/auth/client_certificate/client.crl
string
The file containing the crl.
apps[].virtual_host.expert_settings.security_gate
string
Expert settings for the Security Gate.
apps[].virtual_host.expert_settings.apache
string
Expert settings for the Apache httpd.
apps[].virtual_host.redirects[].path
Yes
The absolute path starting with '/' as a regular expression from which to redirect.
apps[].virtual_host.redirects[].path.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].virtual_host.redirects[].path.ignore_case
true
boolean
Whether to ignore case.
apps[].virtual_host.redirects[].dest
Yes
string
The destination can be relative to the current virtual host or an absolute URL including protocol and host. Relative redirect paths are extended with the incoming scheme and host header.
apps[].virtual_host.redirects[].status_code
303
integer
The returned status code. Must be one of: [301, 302, 303, 307, 308]
apps[].mappings[].name
root
string
The unique name of the mapping.
apps[].mappings[].mapping_template_file
/config/mapping.xml
string
The Airlock Gateway mapping template file path.
apps[].mappings[].priority
0
integer
Specifies the priority of this mapping (highest: -999, lowest: 999) when a request matches the entry path of multiple mappings.
All mappings with entry_path.type regex must have a unique priority.
apps[].mappings[].entry_path
The entry path specifies the external URL path the mapping should be available under.
apps[].mappings[].entry_path.type
directory
string
Allowed values are: directory, regex.
apps[].mappings[].entry_path.value
/
string
This specifies the external URL path.
apps[].mappings[].entry_path.ignore_case
false
boolean
Whether to ignore case.
apps[].mappings[].entry_path.enforce_trailing_slashes
false
boolean
Whether a trailing slash is mandatory at the end of the entry path or not.
apps[].mappings[].backend_path
/
string
The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server.
apps[].mappings[].env_cookies
false
boolean
Specifies whether Airlock environment cookies containing useful request information are sent to the connected back-end.
apps[].mappings[].control_api
false
boolean
Specifies whether the connected back-end service is allowed to use the Airlock Microgateway Control API via the control cookie mechanism. The Control API is normally used by authentication applications to communicate with the Microgateway.
apps[].mappings[].compress_response_traffic
false
boolean
Specifies whether Airlock Microgateway should compress the output on-the-fly for the client browser if supported and requested by the browser.
apps[].mappings[].threat_handling
block
string
Allowed values are: block, terminate_session, notify.
apps[].mappings[].operational_mode
production
string
Allowed values are: production, integration.
apps[].mappings[].session_handling
ignore_session
string
Allowed values are: enforce_session, optional_session, optional_session_no_refresh, ignore_session
apps[].mappings[].access_token.mandatory
false
boolean
If disabled, requests without a token are accepted. However, if a token is present,it is extracted and validated and the configured restrictions and role extractions are applied.
apps[].mappings[].access_token.signature_mandatory
true
boolean
Enforce a signed JWT
apps[].mappings[].access_token.expiry_checked
false
boolean
If the JWT standard claims expiry (exp) and not before (nbf) will be checked and must be valid.
apps[].mappings[].access_token.skew
10
integer
The allowed skew when checking expiry / not before in seconds.
apps[].mappings[].access_token.tech_client_id_claim
string
The claim to extract the technical client id from.
apps[].mappings[].access_token.audittoken
false
boolean
If the 'sub' claim should be extracted from the JWT and be used as audit token of the current session
apps[].mappings[].access_token.extraction
How the token should be extracted.
apps[].mappings[].access_token.extraction.mode
header
string
From which part of the request the token should be extracted. Possible values are 'header', 'parameter', 'cookie'.
apps[].mappings[].access_token.extraction.header
How the token should be extracted from the request headers.
apps[].mappings[].access_token.extraction.header.regex
The regular expression, which matches the parts which should be rewritten.
apps[].mappings[].access_token.extraction.header.regex.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].access_token.extraction.header.regex.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].access_token.extraction.header.regex.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].access_token.extraction.header.substitution
string
The rewrite expression.
apps[].mappings[].access_token.extraction.parameter
string
From which query parameter the token should be extracted.
apps[].mappings[].access_token.extraction.cookie
string
From which cookie the token should be extracted.
apps[].mappings[].access_token.jwks_providers[]
array
List of JWKS service providers referenced by their name. Can be local or remote providers.
apps[].mappings[].access_token.claims[]
array
All specified claims are checked and must match the claim's value of the decoded token. If a claim is an array, at least one entry must match the specified regex.
apps[].mappings[].access_token.claims[].claim
string
The name of the claim you want to restrict.
apps[].mappings[].access_token.claims[].regex
The regular expression that must match the value of the specified claim name.
apps[].mappings[].access_token.claims[].regex.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].access_token.claims[].regex.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].access_token.claims[].regex.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].access_token.roles[]
array
Specifies which roles should be extracted from the claims.
apps[].mappings[].access_token.roles[].claim
string
Name of the claim you want to extract a role from.
apps[].mappings[].access_token.roles[].extraction
The regular expression to match the role extraction and the rewrite expression of the role.
apps[].mappings[].access_token.roles[].extraction.regex
The regular expression, which matches the parts which should be rewritten.
apps[].mappings[].access_token.roles[].extraction.regex.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].access_token.roles[].extraction.regex.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].access_token.roles[].extraction.regex.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].access_token.roles[].extraction.substitution
string
The rewrite expression.
apps[].mappings[].access_token.roles[].token_lifetime
false
boolean
If enabled, the expiry claim (exp) of the JWT will be used as the role lifetime.
apps[].mappings[].auth.client_certificate.verification
inherit
string
The client certificate verification mode to use on this mapping. This can be used to override the setting from the virtual host with a stronger verification level (e.g. off -> optional or optional -> required). Possible values are 'inherit', 'optional' or 'required'.
apps[].mappings[].auth.flow
redirect
string
The authentication flow, allowed values are: redirect, deny_access, one_shot, one_shot_with_body, ntlm
apps[].mappings[].auth.denied_access_url
/auth/check-login
string
Defines the location of the authentication service. In case the required role for the mapping is missing on the current session, Airlock Gateway will redirect the client to this location. If this value is missing (default), the Global Denied Access URL will be used.
apps[].mappings[].auth.logout_propagation_path
string
In order to allow clean session termination on back-end systems when an Airlock Gateway session terminates, the administrator can configure one logout path per mapping.
apps[].mappings[].auth.access[]
array
A list of access restrictions can be created. Each request matching the combination of HTTP method and path of a access restriction must have at least one of the specified roles to access the service. All matching restrictions must be satisfied to gain access.
apps[].mappings[].auth.access[].method
Can contain regular expressions that are applied when the HTTP method of a request matches one of the expressions. Use an empty pattern if all HTTP methods should match.
apps[].mappings[].auth.access[].method.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].auth.access[].method.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].auth.access[].method.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].auth.access[].path
Can contain regular expressions that are applied when the requested path of the query matches the expressions. Use an empty pattern if all paths should match.
apps[].mappings[].auth.access[].path.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].auth.access[].path.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].auth.access[].path.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].auth.access[].roles[]
array
Can contain a list of roles for this service. Only sessions that have at least one of these roles will be able to access the service.
apps[].mappings[].csrf_token.enabled
false
boolean
Whether to enable automatic CSRF token injection and validation on this mapping.
apps[].mappings[].csrf_token.invalid_token_redirect_location
/%ENTRYPATH%
string
Specifies the location (e.g. /index.html) to which the client is redirected if a missing or invalid CSRF token is detected.
apps[].mappings[].csrf_token.exceptions[]
array
All incoming URLs that match one of these patterns are accepted by Airlock Microgateway without a valid CSRF token.
apps[].mappings[].csrf_token.exceptions[].path.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].csrf_token.exceptions[].path.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].limits.max_path_length
1024
integer
Defines the maximum path length for requests to the current mapping in bytes.
apps[].mappings[].limits.max_request_body_size
104857600
integer
The maximum allowed total size of the request body in bytes. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in the request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once.
apps[].mappings[].limits.http_limits
The limits for HTTP parameters.
apps[].mappings[].limits.http_limits.max_parameters
128
integer
Defines the maximum number of parameters inside the request.
apps[].mappings[].limits.http_limits.max_parameter_name_length
128
integer
Defines the maximum length of a parameter name in bytes.
apps[].mappings[].limits.http_limits.max_parameter_value_length
1024
integer
Defines the maximum length for a parameter value in bytes.
apps[].mappings[].limits.http_limits.parameter_length_exception
A regular expression which specifies any parameters which should not be checked against these length checks.
apps[].mappings[].limits.http_limits.parameter_length_exception.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].limits.http_limits.parameter_length_exception.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].limits.http_limits.parameter_length_exception.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].limits.json_limits
The limits for JSON structures.
apps[].mappings[].limits.json_limits.max_key_length
256
integer
Defines the maximum length for a JSON key, also known as 'JSON property' or 'JSON object member' in bytes.
apps[].mappings[].limits.json_limits.max_value_length
8192
integer
Defines the maximum length for a JSON value (string or numbers) in bytes.
apps[].mappings[].limits.json_limits.max_length_exception
Defines a regular expression to exclude JSON keys and the corresponding values from the length checks. The exceptions must be specified in the '#json' format for a JSON key.
apps[].mappings[].limits.json_limits.max_length_exception.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].limits.json_limits.max_length_exception.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].limits.json_limits.max_length_exception.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].limits.json_limits.max_nesting_depth
100
integer
Defines the maximum depth of nesting for JSON objects and JSON arrays.
apps[].mappings[].limits.json_limits.max_array_items
500
integer
Defines the maximum number of items in a single JSON array (non-recursive).
apps[].mappings[].limits.json_limits.max_keys
250
integer
Defines the maximum number of keys of a single JSON object (non-recursive).
apps[].mappings[].limits.json_limits.max_total_entries
150000
integer
Defines the maximum number of keys and array items in the whole JSON document (recursive).
apps[].mappings[].api_security.treat_path_segments_as_parameters
true
boolean
If enabled, each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it.
apps[].mappings[].api_security.treat_json_objects_as_parameters
true
boolean
If enabled, Microgateway parses JSON objects in requests and filters JSON attributes with allow rules and deny rules.
apps[].mappings[].api_security.json_content_type
json
JSON objects are parsed only if their content-type matches the specified pattern.
apps[].mappings[].api_security.json_content_type.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].api_security.json_content_type.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].api_security.json_content_type.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].api_security.openapi
The specification to validate against.
apps[].mappings[].api_security.openapi.spec
string
The OpenAPI specification.
apps[].mappings[].api_security.openapi.spec_file
/config/openapi.json
string
The OpenAPI file path.
apps[].mappings[].api_security.openapi.log_only
false
boolean
If enabled, potential attack requests are only logged but not blocked.
apps[].mappings[].api_security.openapi.response_validation
false
boolean
Check responses against API specification.
apps[].mappings[].api_security.openapi.path_matching
client_view
string
The Microgateway mapping can be configured to rewrite the incoming URL to a different back-end URL (asymmetric mappings). Due to this rewriting, the incoming URL path (client_view) will be different from the back-end URL path (backend_view).
apps[].mappings[].parameter_pollution.same_type.join_duplicates
true
boolean
If enabled, all the different values of a repeated parameter are joined by comma (in order of appearance). The aggregate value is then checked against deny rules (instead of the individual values).
apps[].mappings[].parameter_pollution.mixed_type.block_duplicates
true
boolean
If enabled, requests are blocked if they contain the same parameter names with different parameter types (e.g. "id" is present as a POST parameter and as a query parameter simultaneously).
apps[].mappings[].parameter_pollution.mixed_type.log_only
false
boolean
If enabled, offending requests are not blocked but only logged.
apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception
Exception pattern to exclude parameters from the parameter pollution detection.
apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].expert_settings.security_gate
string
Expert settings for the Security Gate.
apps[].mappings[].expert_settings.apache
string
Expert settings for the Apache httpd.
apps[].mappings[].backend.name
backendGroup
string
The unique name of the back-end. Only characters a-Z, numbers, and the special characters '.', ':', '-' and '_' are allowed.
apps[].mappings[].backend.hosts[].name
backend
string
The hostname of the back-end host. Only characters a-Z, numbers, and the special characters '.', ':', '-' and '_' are allowed.
apps[].mappings[].backend.hosts[].protocol
http
string
Allowed values are: http, https
apps[].mappings[].backend.hosts[].port
8080
integer
Configuring a back-end port.
apps[].mappings[].backend.expert_settings.security_gate
string
Expert settings for the Security Gate.
apps[].mappings[].request.default_actions[].name
string
Name of the default header action
apps[].mappings[].request.default_actions[].enabled
boolean
Enable this default header action
apps[].mappings[].request.custom_actions[]
array
A list of request custom actions executed in order of appearance. Only one action type (e.g. add_header or header_redirect) can be specified in each entry. Create multiple list positions if needed.
apps[].mappings[].request.custom_actions[].name
string
A unique name for this action; if not specified, a unique name will be generated.
apps[].mappings[].request.custom_actions[].add_header
An action to add a header to all requests.
apps[].mappings[].request.custom_actions[].add_header.name
string
The name of the header to add.
apps[].mappings[].request.custom_actions[].add_header.value
string
The value of the header to add.
apps[].mappings[].request.custom_actions[].add_missing_header
An action to add a header to all requests if it is not already present.
apps[].mappings[].request.custom_actions[].add_missing_header.name
string
The name of the header to add.
apps[].mappings[].request.custom_actions[].add_missing_header.value
string
The value of the header to add.
apps[].mappings[].request.custom_actions[].add_or_replace_header
An action to add or replace an existing header to all requests.
apps[].mappings[].request.custom_actions[].add_or_replace_header.name
string
The name of the header to add.
apps[].mappings[].request.custom_actions[].add_or_replace_header.value
string
The value of the header to add.
apps[].mappings[].request.custom_actions[].remove_header
An action to remove a header either matching given name or value pattern on requests.
apps[].mappings[].request.custom_actions[].remove_header.name
A pattern for the header name.
apps[].mappings[].request.custom_actions[].remove_header.name.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].request.custom_actions[].remove_header.name.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].request.custom_actions[].remove_header.name.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].request.custom_actions[].remove_header.value
A pattern for the header value.
apps[].mappings[].request.custom_actions[].remove_header.value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].request.custom_actions[].remove_header.value.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].request.custom_actions[].remove_header.value.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].request.custom_actions[].rewrite_header_value
An action to rewrite a header value either matching given name or value pattern on requests.
apps[].mappings[].request.custom_actions[].rewrite_header_value.name
A pattern for the header name.
apps[].mappings[].request.custom_actions[].rewrite_header_value.name.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].request.custom_actions[].rewrite_header_value.name.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].request.custom_actions[].rewrite_header_value.name.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].request.custom_actions[].rewrite_header_value.value
A pattern for the header value.
apps[].mappings[].request.custom_actions[].rewrite_header_value.value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].request.custom_actions[].rewrite_header_value.value.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].request.custom_actions[].rewrite_header_value.value.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].request.custom_actions[].rewrite_header_value.replace
string
A string to rewrite the header value with. Can make back-references to the header value pattern.
apps[].mappings[].request.custom_actions[].header_redirect
An action to redirect to a URL based on a header name or value either matching the given name or value pattern on requests.
apps[].mappings[].request.custom_actions[].header_redirect.name
A pattern for the header name.
apps[].mappings[].request.custom_actions[].header_redirect.name.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].request.custom_actions[].header_redirect.name.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].request.custom_actions[].header_redirect.name.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].request.custom_actions[].header_redirect.value
A pattern for the header value.
apps[].mappings[].request.custom_actions[].header_redirect.value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].request.custom_actions[].header_redirect.value.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].request.custom_actions[].header_redirect.value.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].request.custom_actions[].header_redirect.target_url
string
The url to redirect to.
apps[].mappings[].request.custom_actions[].header_redirect.status_code
303
integer
The http status code to use on redirect
apps[].mappings[].request.custom_actions[].geolocation_redirect
An action to redirect to a URL based on the geographic location of the request source IP.
apps[].mappings[].request.custom_actions[].geolocation_redirect.continent_codes[]
[]
array
A list of alpha-2 continent codes to redirect clients from. See here: https://en.wikipedia.org/wiki/List\_of\_sovereign\_states\_and\_dependent\_territories\_by\_continent\_(data\_file)
apps[].mappings[].request.custom_actions[].geolocation_redirect.country_codes[]
[]
array
A list of country codes to redirect clients from. See here for alpha-2 codes to use: https://en.wikipedia.org/wiki/ISO\_3166-1\_alpha-2
apps[].mappings[].request.custom_actions[].geolocation_redirect.target_url
string
The url to redirect to.
apps[].mappings[].request.custom_actions[].geolocation_redirect.status_code
303
integer
The http status code to use on redirect
apps[].mappings[].response.default_actions[].name
string
Name of the default header action
apps[].mappings[].response.default_actions[].enabled
boolean
Enable this default header action
apps[].mappings[].response.rewrites.location_header[]
array
Rewrite option to modify the HTTP redirect location header sent from the back-end server before it is sent to the client.
apps[].mappings[].response.rewrites.location_header[].url
The redirect URL pattern.
apps[].mappings[].response.rewrites.location_header[].url.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.rewrites.location_header[].url.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.rewrites.location_header[].to
string
This is the target string which will replace the string matched by URL Pattern
apps[].mappings[].response.rewrites.html[]
array
Rewriting HTML content may be necessary to modify URLs in the HTML content if the application creates absolute or incorrect links because it is not reverse proxy compatible
apps[].mappings[].response.rewrites.html[].url
The URL pattern.
apps[].mappings[].response.rewrites.html[].url.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.rewrites.html[].url.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.rewrites.html[].options[]
[ url ]
array
This list defines the content to rewrite. Possible values are 'url', event', 'embedded'.
apps[].mappings[].response.rewrites.html[].to
string
This is the target string which will replace the string matched by URL Pattern
apps[].mappings[].response.rewrites.any[]
array
Rewrite the body of HTTP response.
apps[].mappings[].response.rewrites.any[].content_type
^(?:text|application)/(?:html|xhtml)
string
A response from the back-end server is rewritten only if the response header «Content-Type» matches this regular expression.
apps[].mappings[].response.rewrites.any[].content
This regular expression pattern defines the content to rewrite.
apps[].mappings[].response.rewrites.any[].content.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.rewrites.any[].content.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.rewrites.any[].to
string
This is the target string which will replace the string matched by Content Pattern
apps[].mappings[].response.rewrites.json[]
array
Rewrite the json body of http responses.
apps[].mappings[].response.rewrites.json[].path
string
The json path of the the property to rewrite.
apps[].mappings[].response.rewrites.json[].content
This regular expression pattern defines the content to rewrite.
apps[].mappings[].response.rewrites.json[].content.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.rewrites.json[].content.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.rewrites.json[].replace
string
This is the target content to replace the matched part with.
apps[].mappings[].response.custom_actions[]
array
A list of request custom actions executed in order of appearance. Only one action type (e.g. add_header or header_redirect) can be specified in each entry. Create multiple list positions if needed.
apps[].mappings[].response.custom_actions[].name
string
A unique name for this action; if not specified, a unique name will be generated.
apps[].mappings[].response.custom_actions[].add_header
An action to add a header to all responses.
apps[].mappings[].response.custom_actions[].add_header.name
string
The name of the header to add.
apps[].mappings[].response.custom_actions[].add_header.value
string
The value of the header to add.
apps[].mappings[].response.custom_actions[].add_missing_header
An action to add a header to all responses if it is not already present.
apps[].mappings[].response.custom_actions[].add_missing_header.name
string
The name of the header to add.
apps[].mappings[].response.custom_actions[].add_missing_header.value
string
The value of the header to add.
apps[].mappings[].response.custom_actions[].add_or_replace_header
An action to add or replace an existing header on all responses.
apps[].mappings[].response.custom_actions[].add_or_replace_header.name
string
The name of the header to add.
apps[].mappings[].response.custom_actions[].add_or_replace_header.value
string
The value of the header to add.
apps[].mappings[].response.custom_actions[].remove_header
An action to remove a header matching either the given name pattern or the given value pattern on responses.
apps[].mappings[].response.custom_actions[].remove_header.name
A pattern for the header name.
apps[].mappings[].response.custom_actions[].remove_header.name.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.custom_actions[].remove_header.name.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.custom_actions[].remove_header.name.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].response.custom_actions[].remove_header.value
A pattern for the header value.
apps[].mappings[].response.custom_actions[].remove_header.value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.custom_actions[].remove_header.value.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.custom_actions[].remove_header.value.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].response.custom_actions[].rewrite_header_value
An action to rewrite a header value matching either the given name pattern or the given value pattern on responses.
apps[].mappings[].response.custom_actions[].rewrite_header_value.name
A pattern for the header name.
apps[].mappings[].response.custom_actions[].rewrite_header_value.name.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.custom_actions[].rewrite_header_value.name.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.custom_actions[].rewrite_header_value.name.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].response.custom_actions[].rewrite_header_value.value
A pattern for the header value.
apps[].mappings[].response.custom_actions[].rewrite_header_value.value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.custom_actions[].rewrite_header_value.value.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.custom_actions[].rewrite_header_value.value.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].response.custom_actions[].rewrite_header_value.replace
string
A string to rewrite the header value with. Can make back-references to the header value pattern.
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie
An action to rewrite the raw value of a cookie matching the given pattern.
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.value
A pattern for the cookie value to apply for matching.
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.value.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.replace
string
A string to rewrite value pattern matches in the cookie value. Can make back references to the pattern used for matching.
apps[].mappings[].response.custom_actions[].rewrite_cookie
An action to rewrite a cookie based on patterns for cookie name, domain etc.
apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie
A pattern to match the name of the cookie to rewrite. If this is set the name of the cookie must match this pattern for the rewrite to happen.
apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].response.custom_actions[].rewrite_cookie.domain
A pattern to match the domain, or part of the domain of a cookie to rewrite it.
apps[].mappings[].response.custom_actions[].rewrite_cookie.domain.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.custom_actions[].rewrite_cookie.domain.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.custom_actions[].rewrite_cookie.domain_replace
string
What to replace the domain with. Can make back references to the pattern used to match.
apps[].mappings[].response.custom_actions[].rewrite_cookie.path
A pattern to match the path of a response to rewrite.
apps[].mappings[].response.custom_actions[].rewrite_cookie.path.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].response.custom_actions[].rewrite_cookie.path.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].response.custom_actions[].rewrite_cookie.path_replace
string
What to replace the path with. Can make back references to the pattern used to match.
apps[].mappings[].response.custom_actions[].rewrite_cookie.secure_mode
auto
string
Whether to add, keep or remove the Secure (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Secure) flag on cookies. AUTO will set the flag on all connections that use HTTPS and remove it on others.
apps[].mappings[].response.custom_actions[].rewrite_cookie.http_only_mode
auto
string
Whether to add, keep or remove the HttpOnly (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#HttpOnly) flag on cookies. AUTO will set the flag for encrypted cookies and KEEP it for others.
apps[].mappings[].response.error_page_replacements[]
array
Replacement rules for error responses returned by backend systems.
apps[].mappings[].response.error_page_replacements[].status_code
The HTTP response with the matching status code that should be replaced.
apps[].mappings[].response.error_page_replacements[].status_code.pattern
string
The actual pattern.
apps[].mappings[].response.error_page_replacements[].page
string
Error page file name that will be delivered to the client (e.g. 400.html).
apps[].mappings[].cookies.encrypted
Cookies that should be cryptographically encrypted before being sent to the client.
apps[].mappings[].cookies.encrypted.pattern
string
The actual pattern.
apps[].mappings[].cookies.passthrough
Cookies that should be passed in plain format to the client.
apps[].mappings[].cookies.passthrough.pattern
string
The actual pattern.
apps[].mappings[].timeouts.idle_session
0
integer
Defines the minimum session idle time in seconds for this mapping. The value will be ignored if the minimum session idle timeout is smaller than or equal to the global session idle timeout setting.
apps[].mappings[].timeouts.backend_http_response
120
integer
Defines the time in seconds Airlock Microgateway will wait for the back-end HTTP response. In case the request runs into the timeout, Airlock Microgateway will deliver an error page with the corresponding HTTP 503 status code.
apps[].mappings[].deny_rule_groups[].enabled
true
boolean
Enable the deny rule group.
apps[].mappings[].deny_rule_groups[].log_only
false
boolean
If enabled, offending requests are not blocked but only logged.
apps[].mappings[].deny_rule_groups[].level
standard
string
Allowed values are: basic, standard, strict.
apps[].mappings[].deny_rule_groups[].rule_group_keys[]
array
If deny rule group key is defined, the settings will only affect the specific deny rule group.
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_name.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_name.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_name.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_value.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_value.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].deny_rule_groups[].exceptions[].header_name.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].deny_rule_groups[].exceptions[].header_name.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].deny_rule_groups[].exceptions[].header_name.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].deny_rule_groups[].exceptions[].header_value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].deny_rule_groups[].exceptions[].header_value.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].deny_rule_groups[].exceptions[].header_value.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].deny_rule_groups[].exceptions[].path.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].deny_rule_groups[].exceptions[].path.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].deny_rule_groups[].exceptions[].path.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].deny_rule_groups[].exceptions[].method.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].deny_rule_groups[].exceptions[].method.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].deny_rule_groups[].exceptions[].method.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].deny_rule_groups[].exceptions[].content_type.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].deny_rule_groups[].exceptions[].content_type.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].deny_rule_groups[].exceptions[].content_type.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].allow_rules[].name
Allow all
string
Unique name for the allow rule. If omitted, a unique name will be generated. To enable/disable the default allow rule or one from a mapping_template_file, use the same name.
apps[].mappings[].allow_rules[].enabled
true
boolean
Enable the allow rule.
apps[].mappings[].allow_rules[].path
A pattern to match the path.
apps[].mappings[].allow_rules[].path.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].allow_rules[].path.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].allow_rules[].path.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].allow_rules[].method
A pattern to match the http method for this allow rule.
apps[].mappings[].allow_rules[].method.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].allow_rules[].method.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].allow_rules[].method.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].allow_rules[].content_type
A pattern to match the content type for this allow rule.
apps[].mappings[].allow_rules[].content_type.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
apps[].mappings[].allow_rules[].content_type.ignore_case
true
boolean
Whether to ignore case.
apps[].mappings[].allow_rules[].content_type.inverted
false
boolean
Whether to invert the match.
apps[].mappings[].allow_rules[].log_only
false
boolean
Whether to log requests not matching this allow rule instead of blocking them.
expert_settings.security_gate
string
Expert settings for the Security Gate.
expert_settings.apache
string
Expert settings for the Apache httpd.
log.level
info
string
Allowed values are: info, trace.
session.encryption_passphrase
string
Specifies the passphrase for the passphrase based encryption mechanism (PBE).
session.encryption_passphrase_file
/secret/passphrase
string
The path of the passphrase file.
session.redis_hosts[]
[]
array
Names of the hosts running the Redis server.
session.store_mode
string
Defines the Redis session store connection mode. By default, the Microgateway tries to determine the connection mode depending on the number of Redis hosts configured:
- server mode if only one host is configured
- cluster mode if several hosts are configured

Allowed values are: server, cluster and disabled.
session.lifetime
28800
integer
Specifies the absolute lifetime of an Airlock Microgateway session in seconds. After this time a session will be terminated.
session.idle_timeout
600
integer
Specifies the amount of idle time in seconds, after which an Airlock Microgateway session is terminated. This timeout should be smaller than all other session timeouts of your back-end applications. Although the timeout is configured in seconds, by default the idle session timeout check has a resolution of only 5 seconds.
metrics
Configuration for metrics sending.
metrics.statsd
Use this to enable sending metrics using the statsd protocol.
metrics.statsd.enabled
true
boolean
Enable sending of statsd metrics. Default is 'true'.
deny_rule_groups[]
array
Custom deny rule groups that can be referenced in mappings on top of the built-in Airlock deny rules.
deny_rule_groups[].rule_group_key
string
Unique short name. In order to prevent overriding a built-in deny rule group, the name may not start with '(default)'.
deny_rule_groups[].name
string
Unique name. In order to prevent overriding a built-in deny rule group, the name may not start with '(default)'.
deny_rule_groups[].deny_rules[]
array
Filter rule that blocks requests based on the evaluation of different request attributes.
deny_rule_groups[].deny_rules[].rule_key
string
Unique short name. In order to prevent overriding built-in deny rules, the name may not start with '(default)'.
deny_rule_groups[].deny_rules[].name
string
Unique name. In order to prevent overriding built-in deny rules, the name may not start with '(default)'.
deny_rule_groups[].deny_rules[].parameter_name.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
deny_rule_groups[].deny_rules[].parameter_name.ignore_case
true
boolean
Whether to ignore case.
deny_rule_groups[].deny_rules[].parameter_name.inverted
false
boolean
Whether to invert the match.
deny_rule_groups[].deny_rules[].parameter_value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
deny_rule_groups[].deny_rules[].parameter_value.ignore_case
true
boolean
Whether to ignore case.
deny_rule_groups[].deny_rules[].parameter_value.inverted
false
boolean
Whether to invert the match.
deny_rule_groups[].deny_rules[].header_name.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
deny_rule_groups[].deny_rules[].header_name.ignore_case
true
boolean
Whether to ignore case.
deny_rule_groups[].deny_rules[].header_name.inverted
false
boolean
Whether to invert the match.
deny_rule_groups[].deny_rules[].header_value.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
deny_rule_groups[].deny_rules[].header_value.ignore_case
true
boolean
Whether to ignore case.
deny_rule_groups[].deny_rules[].header_value.inverted
false
boolean
Whether to invert the match.
deny_rule_groups[].deny_rules[].path.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
deny_rule_groups[].deny_rules[].path.ignore_case
true
boolean
Whether to ignore case.
deny_rule_groups[].deny_rules[].path.inverted
false
boolean
Whether to invert the match.
deny_rule_groups[].deny_rules[].method.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
deny_rule_groups[].deny_rules[].method.ignore_case
true
boolean
Whether to ignore case.
deny_rule_groups[].deny_rules[].method.inverted
false
boolean
Whether to invert the match.
deny_rule_groups[].deny_rules[].content_type.pattern
Yes
string
A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"
deny_rule_groups[].deny_rules[].content_type.ignore_case
true
boolean
Whether to ignore case.
deny_rule_groups[].deny_rules[].content_type.inverted
false
boolean
Whether to invert the match.
jwks_providers
JWKS Providers which can be referenced in apps[].mappings[].access_token.
jwks_providers.refresh_interval
86400
integer
Refresh interval for fetching from remote JWKS providers in seconds.
jwks_providers.local[]
[]
array
JWKS providers that are configured statically.
jwks_providers.local[].name
Yes
string
Name by which provider is referenced. Must be unique.
jwks_providers.local[].jwks
string
JSON Object that represents the set of JWKS.
jwks_providers.local[].jwks_file
string
JSON file with the definitions of JWKS.
jwks_providers.local[].issuer
string
Name of JWKS issuer. Corresponds to the 'Issuer' field in JWT.
jwks_providers.remote[]
[]
array
Remote JWKS providers which are fetched according to the jwks_providers.refresh_interval.
jwks_providers.remote[].name
Yes
string
Name by which provider is referenced. Must be unique.
jwks_providers.remote[].service_url
Yes
string
URL of JWKS service provider.
jwks_providers.remote[].issuer
string
Name of JWKS issuer. This value is used to restrict the usage of the JWKS to JWTs with a matching issuer (claim 'iss').
jwks_providers.remote[].tls.protocol
DEFAULT
string
The TLS protocol to use. For the description of the default values see the Gateway documentation for 'Supported SSL/TLS versions'.
jwks_providers.remote[].tls.cipher_suite
DEFAULT
string
The TLS cipher suite to use. For documentation visit www.openssl.org and search for 'ciphers'.
jwks_providers.remote[].tls.force_new_session
false
boolean
Force new session for each request.
jwks_providers.remote[].tls.client.certificate
string
The certificate in PEM format.
jwks_providers.remote[].tls.client.certificate_file
/secret/auth/jwks/tls/client/client.crt
string
The certificate file path.
jwks_providers.remote[].tls.client.privatekey
string
The private key for the certificate in PEM format.
jwks_providers.remote[].tls.client.privatekey_file
/secret/auth/jwks/tls/client/client.key
string
The private key file path.
jwks_providers.remote[].tls.client.ca_chain
string
List of certificates of the CA chain for the certificate.
jwks_providers.remote[].tls.client.ca_chain_file
/secret/auth/jwks/tls/client/client-ca.crt
string
The CA chain file path.
jwks_providers.remote[].tls.server.host_name_verification
false
boolean
Verification which involves a server identity check to mitigate man-in-the-middle attacks.
jwks_providers.remote[].tls.server.ca_validation
string
The concatenated certificates of the CAs which are used as trust anchor during chain validation, in PEM format.
jwks_providers.remote[].tls.server.ca_validation_file
/secret/auth/jwks/tls/server/server-validation.crt
string
The file containing the validation CA certificates.
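The following audit function is an added example, not part of the Airlock documentation or product. It reports settings that this reference documents as relaxing enforcement (log_only, a disabled deny rule group, the false default of host_name_verification, a remote JWKS provider without issuer) and custom deny rule names that use the reserved '(default)' prefix. Assumptions: the configuration has been parsed into a Python dict whose nesting mirrors the dotted field paths above; the sample values, host names and the HTTPS check on service_url are constructed for the illustration.

```python
# Added example (not Airlock code): audit a Microgateway DSL configuration.
# Assumption: the config was parsed into a dict whose nesting mirrors the
# dotted field paths of this reference. SAMPLE is constructed for the demo.
SAMPLE = {
    "apps": [{"mappings": [{
        "deny_rule_groups": [{"level": "strict", "log_only": True}],
        "allow_rules": [{"name": "api", "path": {"pattern": "^/api/"}}],
    }]}],
    "deny_rule_groups": [{
        "rule_group_key": "custom_1",
        "name": "(default) custom group",
        "deny_rules": [{"rule_key": "r1", "name": "block admin path"}],
    }],
    "jwks_providers": {"remote": [
        # host_name_verification omitted: the documented default is false.
        {"name": "idp", "service_url": "https://idp.example.test/jwks",
         "issuer": "https://idp.example.test"},
        {"name": "legacy", "service_url": "http://legacy.example.test/jwks",
         "tls": {"server": {"host_name_verification": True}}},
    ]},
}


def _get(node, dotted, default=None):
    """Walk a dotted path through nested dicts; return default if absent."""
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit(cfg):
    """Return (field_path, finding) tuples in the order the checks run."""
    out = []
    for i, prov in enumerate(_get(cfg, "jwks_providers.remote", [])):
        base = f"jwks_providers.remote[{i}]"
        if not _get(prov, "tls.server.host_name_verification", False):
            out.append((f"{base}.tls.server.host_name_verification",
                        "server identity is not verified"))
        # Constructed check: the reference does not mandate an HTTPS URL.
        if not str(prov.get("service_url", "")).lower().startswith("https://"):
            out.append((f"{base}.service_url", "JWKS not fetched over HTTPS"))
        if not prov.get("issuer"):
            out.append((f"{base}.issuer", "JWKS not restricted to one issuer"))
    for a, app in enumerate(cfg.get("apps", [])):
        for m, mapping in enumerate(app.get("mappings", [])):
            base = f"apps[{a}].mappings[{m}]"
            for g, grp in enumerate(mapping.get("deny_rule_groups", [])):
                if not grp.get("enabled", True):
                    out.append((f"{base}.deny_rule_groups[{g}].enabled",
                                "deny rule group disabled"))
                if grp.get("log_only", False):
                    out.append((f"{base}.deny_rule_groups[{g}].log_only",
                                "offending requests are logged, not blocked"))
            for r, rule in enumerate(mapping.get("allow_rules", [])):
                if rule.get("log_only", False):
                    out.append((f"{base}.allow_rules[{r}].log_only",
                                "non-matching requests are logged, not blocked"))
    for g, grp in enumerate(cfg.get("deny_rule_groups", [])):
        base = f"deny_rule_groups[{g}]"
        items = [(base, grp)] + [(f"{base}.deny_rules[{r}]", rule)
                                 for r, rule in enumerate(grp.get("deny_rules", []))]
        for path, item in items:
            for field in ("rule_group_key", "rule_key", "name"):
                if str(item.get(field, "")).startswith("(default)"):
                    out.append((f"{path}.{field}", "reserved '(default)' prefix"))
    return out
```

Calling audit(SAMPLE) returns five findings; a configuration that sets host_name_verification to true, uses an HTTPS service_url with an issuer, and leaves log_only at its default returns an empty list.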