Table of contents
Title
Table of contents
Airlock Secure Access Hub
Semantic versioning scheme for Airlock Secure Access Hub components
About this document
Leveled prerequisites
General warnings and recommendations
Warning tiers in this document
Additional panel types
Advanced Lucene searches within this online help
General warnings and recommendations
Overview
Introduction
Features and support
Release notes
Release notes 3.1
Airlock Microgateway Changelog 3.1
Requirements
Getting Started
Docker Hub repository
Deploy a minimal setup
Deploy with kubectl in Kubernetes
Deploy with kubectl in OpenShift
Deploy with Helm in Kubernetes
Deploy with Helm in OpenShift
System architecture
Cascaded services
Airlock Microgateway protecting Airlock IAM
Protecting Airlock IAM with a single Microgateway
Protecting Airlock IAM with separate Microgateways and shared session store
Protecting Airlock IAM with separate Microgateways and JWT access tokens
Basic concepts
Microgateway architecture and interfaces
Microgateway configuration concepts
Microgateway request processing steps
Cookie handling and cookie types
Microgateway filtering rules
Basic concepts: Allow rules
Basic concepts: Deny rules
Basic concepts: JSON filtering
JWKS access tokens
JWKS and JWK selection by filtering
Cross-Site Request Forgery (CSRF) protection
Entry path to back-end path settings
Entry path as Directory or Regular expression
Option Enforce trailing slashes
Configuration
Airlock Microgateway DSL
Automatic YAML validation during editing
Workarounds for options that are not available as DSL option
External files in dedicated folders
Custom error pages
Environment variables
Migrating from an appliance setup
Guides
Integration
Configuration of allow rules
Configuration of deny rules
Configuration of request and response actions
Content rewriting
Session handling
Replacement of back-end error pages
OpenAPI specification validation
Configure Cross-Site Request Forgery (CSRF) protection for SPAs
Access control
Access management with Airlock IAM
Access control with JWKS
Operation
Readiness and Liveness probes
Logging and reporting
Microgateway as a data source for Prometheus metrics
Premium Edition: Licensing
Limitations of the Community Edition
Best Practices
Use Microgateway for all stages
Examples
A more complex configuration file
Airlock Minikube example
Tutorials
Exercises
Getting started
Protecting a backend service
Readiness and Liveness Probes
OpenAPI
Deny rules
Metrics
Session handling
Access control with Airlock IAM
Tutorial FAQ
Deploy the solution
Delete previously deployed Kubernetes resources
Troubleshooting
KB - Configbuilder errors during startup
KB - Secure flag of cookies
KB - Protocol mismatch causes service unavailability
KB - Max body size causes status code 413
KB - Cookie parsing according to RFC 6265
Appendix
DSL reference
Default mapping template
Default deny rule groups
Deny Rule Group – (default) SQL Injection (SQLi) in Parameter Value
Deny Rule Group – (default) SQL Injection (SQLi) in Header Value
Deny Rule Group – (default) Cross-Site Scripting (XSS) in Parameter Value
Deny Rule Group – (default) Cross-Site Scripting (XSS) in Header Value
Deny Rule Group – (default) Cross-Site Scripting (XSS) in Path
Deny Rule Group – (default) Template Injection
Deny Rule Group – (default) HTML Injection in Parameter Value
Deny Rule Group – (default) HTML Injection in Header Value
Deny Rule Group – (default) HTML Injection in Path
Deny Rule Group – (default) UNIX Command Injection in Parameter Value
Deny Rule Group – (default) UNIX Command Injection in Header Value
Deny Rule Group – (default) Windows Command Injection in Parameter Value
Deny Rule Group – (default) Windows Command Injection in Header Value
Deny Rule Group – (default) LDAP Injection in Parameter Value
Deny Rule Group – (default) LDAP Injection in Header Value
Deny Rule Group – (default) PHP Injection in Parameter Value
Deny Rule Group – (default) PHP Injection in Header Value
Deny Rule Group – (default) Object Graph Navigation Library injection
Deny Rule Group – (default) Insecure Direct Object Reference in Parameter Value
Deny Rule Group – (default) Insecure Direct Object Reference in Path
Deny Rule Group – (default) NoSQL Injection in Parameter Name
Deny Rule Group – (default) NoSQL Injection in Parameter Value
Deny Rule Group – (default) NoSQL Injection in Header Value
Deny Rule Group – (default) Parameter Name Sanity
Deny Rule Group – (default) Parameter Value Sanity
Deny Rule Group – (default) Header Name Sanity
Deny Rule Group – (default) Header Value Sanity
Deny Rule Group – (default) Path Sanity
Deny Rule Group – (default) Encoding and Conversion Exploits in Parameter Value
Deny Rule Group – (default) Encoding and Conversion Exploits in Header Value
Deny Rule Group – (default) HTTP Response Splitting
Deny Rule Group – (default) HTTP Parameter Pollution
Deny Rule Group – (default) Automated Scanning
Default request actions
Default response actions
Environment cookies
Rewrite variables
YAML – Basics page
Regular Expressions – Basics page
Regular Expressions – Experts page
Cookie security attributes
Supported SSL/TLS versions
Reference lists of log messages
Log Fields
Request Summary
Block Summary
Reject Summary
Back messages
Session Start and End Messages
Where to find 3rd-party licenses
Reference lists of supported JWKS algorithms
Glossary