Workarounds for missing DSL options
Workarounds for options that are not available as DSL options

Airlock Microgateway shares its technical core with the Airlock Gateway appliance. Most settings are available in the DSL, and the DSL will be extended in future versions. However, some features are not directly accessible through the DSL but are still available under the hood. To use these settings, the following workarounds can be applied.

We recommend sticking to the DSL attributes whenever possible. The workaround with the Expert-Settings should be preferred over the one with the mapping template file.

Workaround with Expert-Settings

The required DSL options are currently not available for the illustrated example use cases. Nevertheless, with Apache and/or Security Gate Expert Settings, these use cases can be resolved.

expert_settings:
  security_gate: |
    # log an external request id in the logs
    CorrelationId.Extraction.0.Request.Header.Pattern       "^X-Request-ID: ([[:graph:]]+)$"
    CorrelationId.Extraction.0.Request.Header.IgnoreCase    "TRUE"
    CorrelationId.Extraction.0.Request.Header.Template      "$1"

apps:
  - virtual_host:
      name: wordpress.virtinc.com
      expert_settings:
        apache: |
          # redirect HTTP to HTTPS
          RewriteCond %{HTTPS} off
          RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,NE]
    mappings:
      - name: wordpress
        entry_path:
          value: /wordpress/
        backend_path: /wordpress/
        # ...
        expert_settings:
          security_gate: |
            # logout propagation path
            LogoutPropagation.Backend.LogoutUrl   "/wp-login.php?action=logout"
        backend:
          name: wordpress
          hosts:
            - name: wordpress
              protocol: https
              port: 8443
          expert_settings:
            security_gate: |
              # back-end connect timeout for http and https
              BackendConnectTimeout    "7"
              BackendSSLConnectTimeout "13"

Workaround with mapping_template_file

Some settings are not available as DSL options, and configuring them with Expert Settings could be tedious or impossible.

For such use cases, do the following:

  1. Import the Default Mapping in the Configuration Center of Airlock Gateway.
     Check the compatibility between the Airlock Gateway and the Airlock Microgateway in the Release notes.
  2. Adapt the Mapping to the specific needs in the Configuration Center.
  3. Export the Mapping from the Configuration Center.
  4. Extract the alec_table.xml file from the zip file and rename it to a more descriptive name.
  5. Copy or mount the xml file into the configbuilder container.
  6. Configure in the config.yaml file the DSL option mapping_template_file and point to the location of the xml file.
     When starting the container, a log message from the configbuilder should confirm that the xml file has been read.

Preference of settings

  • Settings read from the mapping template are used as a default configuration for the mapping.
  • DSL options can be used to overwrite the settings in the mapping template file.

Example use cases

The workaround with the mapping template file might be a good choice for the following example use cases:

  • Simple and easy migration from an appliance setup (see "Migrating from an appliance setup").
  • Use the Airlock IAM mapping templates for their integration (see "Access management with Airlock IAM").
  • To configure settings that are not available in DSL such as:
    • URL Encryption
    • Smart Form Protection
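
An added example (not Airlock's own tooling) for step 4 of the procedure above: it pulls alec_table.xml out of an exported mapping zip, checks that it is well-formed XML, and writes it under a descriptive name together with a SHA-256 digest that can later be compared against the file mounted into the configbuilder container. The function names, the target file name and the layout of the zip are assumptions; the sample export is constructed, not a real one.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

TEMPLATE_MEMBER = "alec_table.xml"  # file name given in step 4


def extract_mapping_template(export_zip, dest_dir, new_name):
    """Copy alec_table.xml out of a mapping export and return (path, sha256)."""
    # The new name must be a plain file name so it cannot leave dest_dir.
    if Path(new_name).name != new_name or not new_name.endswith(".xml"):
        raise ValueError(f"unsafe or non-xml target name: {new_name!r}")
    with zipfile.ZipFile(export_zip) as zf:
        # Match on the base name; the layout inside the zip is an assumption.
        hits = [m for m in zf.namelist() if Path(m).name == TEMPLATE_MEMBER]
        if len(hits) != 1:
            raise ValueError(f"expected one {TEMPLATE_MEMBER}, found {len(hits)}")
        data = zf.read(hits[0])  # read into memory, never extract by member path
    # Fail here, not at container start, if the export is truncated or mangled.
    try:
        ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"{TEMPLATE_MEMBER} is not well-formed XML: {exc}") from exc
    target = Path(dest_dir) / new_name
    target.write_bytes(data)
    # Record the digest so the file mounted into configbuilder can be compared later.
    return target, hashlib.sha256(data).hexdigest()


def build_sample_export(xml_bytes):
    """Constructed stand-in for a Configuration Center export (not a real one)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("alec_table.xml", xml_bytes)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import tempfile
    sample = build_sample_export(b"<placeholder><mapping name='wordpress'/></placeholder>")
    with tempfile.TemporaryDirectory() as tmp:
        path, digest = extract_mapping_template(sample, tmp, "wordpress-mapping.xml")
        print(path.name, digest)
```
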

Limitations

Although it is possible to configure more features with the workarounds (mapping_template_file or Expert-Settings) than available in DSL, not all Airlock Gateway settings are also available for Airlock Microgateway.

The list shows examples that could be configured with the workarounds but are not supported for Airlock Microgateway:

  • Webroot Threat Intelligence
  • IP Address Lists
  • Let's Encrypt
  • OCSP
  • HSM integration
  • ICAP services
  • Back-side Kerberos SSO