Table of contents

1. Airlock Secure Access Hub
  1.1. Semantic versioning scheme for Airlock Secure Access Hub components
2. About this document
  2.1. Leveled prerequisites
  2.2. General warnings and recommendations
  2.3. Warning tiers in this document
  2.4. Additional panel types
  2.5. Advanced Lucene searches within this online help
3. General warnings and recommendations
4. Overview
  4.1. Introduction
  4.2. Features and support
5. Release notes
  5.1. Release notes 3.2
    5.1.1. Airlock Microgateway Changelog 3.2
6. Requirements
7. Getting Started
  7.1. Docker Hub repository
  7.2. Deploy a minimal setup
    7.2.1. Deploy with kubectl in Kubernetes
    7.2.2. Deploy with kubectl in OpenShift
    7.2.3. Deploy with Helm in Kubernetes
    7.2.4. Deploy with Helm in OpenShift
8. System architecture
  8.1. Cascaded services
  8.2. Airlock Microgateway protecting Airlock IAM
    8.2.1. Protecting Airlock IAM with a single Microgateway
    8.2.2. Protecting Airlock IAM with separate Microgateways and shared session store
    8.2.3. Protecting Airlock IAM with separate Microgateways and JWT access tokens
9. Basic concepts
  9.1. Microgateway architecture and interfaces
  9.2. Microgateway configuration concepts
  9.3. Microgateway request processing steps
  9.4. Cookie handling and cookie types
  9.5. Microgateway filtering rules
    9.5.1. Basic concepts: Allow rules
    9.5.2. Basic concepts: Deny rules
    9.5.3. Basic concepts: JSON filtering
  9.6. JWKS access tokens
    9.6.1. JWKS and JWK selection by filtering
  9.7. Cross-Site Request Forgery (CSRF) protection
  9.8. Entry path to back-end path settings
    9.8.1. Entry path as Directory or Regular expression
    9.8.2. Option Enforce trailing slashes
10. Configuration
  10.1. Airlock Microgateway DSL
    10.1.1. Automatic YAML validation during editing
    10.1.2. Workarounds for options that are not available as DSL option
  10.2. External files in dedicated folders
  10.3. Custom error pages
  10.4. Environment variables
  10.5. Migrating from an appliance setup
11. Guides
  11.1. Integration
    11.1.1. Configuration of allow rules
    11.1.2. Configuration of deny rules
    11.1.3. Configuration of request and response actions
    11.1.4. Content rewriting
    11.1.5. Session handling
    11.1.6. Replacement of back-end error pages
    11.1.7. OpenAPI specification validation
    11.1.8. Configure Cross-Site Request Forgery (CSRF) protection for SPAs
  11.2. Access control
    11.2.1. Access management with Airlock IAM
    11.2.2. Access control with JWKS
  11.3. Operation
    11.3.1. Readiness and Liveness probes
    11.3.2. Logging and reporting
    11.3.3. Microgateway as a data source for Prometheus metrics
    11.3.4. Premium Edition: Licensing
    11.3.5. Limitations of the Community Edition
  11.4. Best Practices
    11.4.1. Use Microgateway for all stages
12. Examples
  12.1. A more complex configuration file
  12.2. Airlock Minikube example
13. Tutorials
  13.1. Exercises
    13.1.1. Getting started
    13.1.2. Protecting a backend service
    13.1.3. Readiness and Liveness Probes
    13.1.4. OpenAPI
    13.1.5. Deny rules
    13.1.6. Metrics
    13.1.7. Session handling
    13.1.8. Access control with Airlock IAM
  13.2. Tutorial FAQ
    13.2.1. Deploy the solution
    13.2.2. Delete previously deployed Kubernetes resources
14. Troubleshooting
  14.1. KB - Configbuilder errors during startup
  14.2. KB - Secure flag of cookies
  14.3. KB - Protocol mismatch causes service unavailability
  14.4. KB - Max body size causes status code 413
  14.5. KB - Cookie parsing according to RFC 6265
15. Appendix
  15.1. DSL reference
  15.2. Default mapping template
  15.3. Default deny rule groups
    15.3.1. Deny Rule Group – (default) SQL Injection (SQLi) in Parameter Value
    15.3.2. Deny Rule Group – (default) SQL Injection (SQLi) in Header Value
    15.3.3. Deny Rule Group – (default) Cross-Site Scripting (XSS) in Parameter Value
    15.3.4. Deny Rule Group – (default) Cross-Site Scripting (XSS) in Header Value
    15.3.5. Deny Rule Group – (default) Cross-Site Scripting (XSS) in Path
    15.3.6. Deny Rule Group – (default) Template Injection
    15.3.7. Deny Rule Group – (default) HTML Injection in Parameter Value
    15.3.8. Deny Rule Group – (default) HTML Injection in Header Value
    15.3.9. Deny Rule Group – (default) HTML Injection in Path
    15.3.10. Deny Rule Group – (default) UNIX Command Injection in Parameter Value
    15.3.11. Deny Rule Group – (default) UNIX Command Injection in Header Value
    15.3.12. Deny Rule Group – (default) Windows Command Injection in Parameter Value
    15.3.13. Deny Rule Group – (default) Windows Command Injection in Header Value
    15.3.14. Deny Rule Group – (default) LDAP Injection in Parameter Value
    15.3.15. Deny Rule Group – (default) LDAP Injection in Header Value
    15.3.16. Deny Rule Group – (default) PHP Injection in Parameter Value
    15.3.17. Deny Rule Group – (default) PHP Injection in Header Value
    15.3.18. Deny Rule Group – (default) Object Graph Navigation Library Injection
    15.3.19. Deny Rule Group – (default) Insecure Direct Object Reference in Parameter Value
    15.3.20. Deny Rule Group – (default) Insecure Direct Object Reference in Path
    15.3.21. Deny Rule Group – (default) NoSQL Injection in Parameter Name
    15.3.22. Deny Rule Group – (default) NoSQL Injection in Parameter Value
    15.3.23. Deny Rule Group – (default) NoSQL Injection in Header Value
    15.3.24. Deny Rule Group – (default) Parameter Name Sanity
    15.3.25. Deny Rule Group – (default) Parameter Value Sanity
    15.3.26. Deny Rule Group – (default) Header Name Sanity
    15.3.27. Deny Rule Group – (default) Header Value Sanity
    15.3.28. Deny Rule Group – (default) Path Sanity
    15.3.29. Deny Rule Group – (default) Encoding and Conversion Exploits in Parameter Value
    15.3.30. Deny Rule Group – (default) Encoding and Conversion Exploits in Header Value
    15.3.31. Deny Rule Group – (default) HTTP Response Splitting
    15.3.32. Deny Rule Group – (default) HTTP Parameter Pollution
    15.3.33. Deny Rule Group – (default) Automated Scanning
  15.4. Default request actions reference list
  15.5. Default response actions reference list
  15.6. Environment cookies
  15.7. Rewrite variables
  15.8. YAML - Basics page
  15.9. Regular Expressions - Basics page
  15.10. Regular Expressions - Experts page
  15.11. Cookie security attributes
  15.12. Supported SSL/TLS versions
  15.13. Reference lists of log messages
    15.13.1. Log Fields
    15.13.2. Request Summary
    15.13.3. Block Summary
    15.13.4. Reject Summary
    15.13.5. Back messages
    15.13.6. Session Start and End Messages
  15.14. Where to find 3rd-party licenses
  15.15. Reference lists of supported JWKS algorithms
16. Glossary