Field | Default value | Required | Type | Description |
---|---|---|---|---|
license | string | The encoded license. | ||
license_file | /secret/license | string | The license file path. | |
remote_ip.header | Yes | string | If set, Airlock Microgateway will treat the value of this header field as the useragent IP address. | |
remote_ip.internal_proxies[] | Yes | array | List of hostnames, IP addresses or IP address ranges (e.g. 10.0.0.0/8) to trust as presenting a valid Remote-IP header. | |
apps[].virtual_host.name | microgateway | string | The logical name of the virtual host. | |
apps[].virtual_host.hostname | microgateway | string | The hostname of the virtual host. | |
apps[].virtual_host.aliases[] | array | Additional hostnames which refer to this virtual host. | ||
apps[].virtual_host.strict_fqdn | false | boolean | Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names. | |
apps[].virtual_host.http_enabled | true | boolean | Specifies whether HTTP connections are enabled for this host. | |
apps[].virtual_host.http_port | 8080 | integer | Specifies the port on which this host listens for HTTP connections. | |
apps[].virtual_host.https_enabled | true | boolean | Specifies whether HTTPS connections are enabled for this host. | |
apps[].virtual_host.https_port | 8443 | integer | Specifies the port on which this host listens for HTTPS connections. | |
apps[].virtual_host.http2_enabled | true | boolean | Specifies whether HTTP/2 connections are enabled for this host. | |
apps[].virtual_host.session_cookie_path | / | string | Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host. | |
apps[].virtual_host.session_cookie_domain | string | Specifies the domain for Airlock’s session cookie if the cookie is created inside this virtual host. | ||
apps[].virtual_host.encoded_slashes | false | boolean | Specifies whether encoded slashes (%2F) are allowed in URL path. Attention: combinations of client certificates per mapping and enabled encoded slashes in the same virtual host might result in configurations where client certificate evaluation might be evaded. | |
apps[].virtual_host.certificate.certificate | string | The certificate in PEM format. | ||
apps[].virtual_host.certificate.certificate_file | /secret/tls/frontend-server.crt | string | The certificate file path. | |
apps[].virtual_host.certificate.privatekey | string | The private key for the certificate in PEM format. | ||
apps[].virtual_host.certificate.privatekey_file | /secret/tls/frontend-server.key | string | The private key file path | |
apps[].virtual_host.certificate.ca_chain | string | List of certificates of the CA chain for the certificate. | ||
apps[].virtual_host.certificate.ca_chain_file | /secret/tls/frontend-server-ca.crt | string | The CA chain file path. | |
apps[].virtual_host.auth.client_certificate.verification | off | string | Defines the default verification mode for client certificates on this virtual host. Possible values are 'off', 'optional' or 'required'. | |
apps[].virtual_host.auth.client_certificate.verification_depth | 1 | integer | Maximum number of intermediate certificate issuers. | |
apps[].virtual_host.auth.client_certificate.ca_selection | string | The concatenated certificates of the CAs which are sent to the client during the SSL handshake, in PEM format. | ||
apps[].virtual_host.auth.client_certificate.ca_selection_file | /secret/auth/client_certificate/selection.crt | string | The file containing the selection CA certificates. | |
apps[].virtual_host.auth.client_certificate.ca_validation | string | The concatenated certificates of the CAs which are used as trust anchor during chain validation, in PEM format. | ||
apps[].virtual_host.auth.client_certificate.ca_validation_file | /secret/auth/client_certificate/validation.crt | string | The file containing the validation CA certificates. | |
apps[].virtual_host.auth.client_certificate.crl | string | PEM representation of certificate revocation lists. If a client certificate is on such a list it will not be accepted. Although Airlock provides this functionality, it is recommended to check certificates against CRLs and other types of blacklists within the authentication service and not in Airlock. | ||
apps[].virtual_host.auth.client_certificate.crl_file | /secret/auth/client_certificate/client.crl | string | The file containing the CRL. | |
apps[].virtual_host.expert_settings.security_gate | string | Expert settings for the Security Gate. | ||
apps[].virtual_host.expert_settings.apache | string | Expert settings for the Apache httpd. | ||
apps[].virtual_host.redirects[].path | Yes | The absolute path starting with '/' as a regular expression from which to redirect. | ||
apps[].virtual_host.redirects[].path.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].virtual_host.redirects[].path.ignore_case | true | boolean | Whether to ignore case. | |
apps[].virtual_host.redirects[].dest | Yes | string | The destination can be relative to the current virtual host or an absolute URL including protocol and host. Relative redirect paths are extended with the incoming scheme and host header. | |
apps[].virtual_host.redirects[].status_code | 303 | integer | The returned status code. Must be one of: [301, 302, 303, 307, 308] | |
apps[].mappings[].name | root | string | The unique name of the mapping. | |
apps[].mappings[].mapping_template_file | /config/mapping.xml | string | The Airlock Gateway mapping template file path. | |
apps[].mappings[].priority | 0 | integer | Specifies the priority of this mapping (highest: -999, lowest: 999) when a request matches the entry path of multiple mappings. | |
All mappings with entry_path.type regex must have a unique priority. | ||||
apps[].mappings[].entry_path | The entry path specifies the external URL path the mapping should be available under. | |||
apps[].mappings[].entry_path.type | directory | string | Allowed values are: directory, regex. | |
apps[].mappings[].entry_path.value | / | string | This specifies the external URL path. | |
apps[].mappings[].entry_path.ignore_case | false | boolean | Whether to ignore case. | |
apps[].mappings[].entry_path.enforce_trailing_slashes | false | boolean | Whether a trailing slash is mandatory at the end of the entry path or not. | |
apps[].mappings[].backend_path | / | string | The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server. | |
apps[].mappings[].env_cookies | false | boolean | Specifies whether Airlock environment cookies containing useful request information are sent to the connected back-end. | |
apps[].mappings[].control_api | false | boolean | Specifies whether the connected back-end service is allowed to use the Airlock Microgateway Control API via the control cookie mechanism. The Control API is normally used by authentication applications to communicate with the Microgateway. | |
apps[].mappings[].compress_response_traffic | false | boolean | Specifies whether Airlock Microgateway should compress the output on-the-fly for the client browser if supported and requested by the browser. | |
apps[].mappings[].threat_handling | block | string | Allowed values are: block, terminate_session, notify. | |
apps[].mappings[].operational_mode | production | string | Allowed values are: production, integration. | |
apps[].mappings[].session_handling | ignore_session | string | Allowed values are: enforce_session, optional_session, optional_session_no_refresh, ignore_session | |
apps[].mappings[].access_token.mandatory | false | boolean | If disabled, requests without a token are accepted. However, if a token is present, it is extracted and validated and the configured restrictions and role extractions are applied. | |
apps[].mappings[].access_token.signature_mandatory | true | boolean | Enforce a signed JWT | |
apps[].mappings[].access_token.expiry_checked | false | boolean | Whether the JWT standard claims expiry (exp) and not before (nbf) are checked; if enabled, both must be valid. With the default (false), these claims are not checked. | |
apps[].mappings[].access_token.skew | 10 | integer | The allowed skew when checking expiry / not before in seconds. | |
apps[].mappings[].access_token.tech_client_id_claim | string | The claim to extract the technical client id from. | ||
apps[].mappings[].access_token.audittoken | false | boolean | Whether the 'sub' claim is extracted from the JWT and used as the audit token of the current session. | |
apps[].mappings[].access_token.extraction | How the token should be extracted. | |||
apps[].mappings[].access_token.extraction.mode | header | string | From which part of the request the token should be extracted. Possible values are 'header', 'parameter', 'cookie'. | |
apps[].mappings[].access_token.extraction.header | How the token should be extracted from the request headers. | |||
apps[].mappings[].access_token.extraction.header.regex | The regular expression, which matches the parts which should be rewritten. | |||
apps[].mappings[].access_token.extraction.header.regex.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].access_token.extraction.header.regex.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].access_token.extraction.header.regex.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].access_token.extraction.header.substitution | string | The rewrite expression. | ||
apps[].mappings[].access_token.extraction.parameter | string | From which query parameter the token should be extracted. | ||
apps[].mappings[].access_token.extraction.cookie | string | From which cookie the token should be extracted. | ||
apps[].mappings[].access_token.jwks_providers[] | array | List of JWKS service providers referenced by their name. Can be local or remote providers. | ||
apps[].mappings[].access_token.claims[] | array | All specified claims are checked and must match the claim's value of the decoded token. If a claim is an array, at least one entry must match the specified regex. | ||
apps[].mappings[].access_token.claims[].claim | string | The name of the claim you want to restrict. | ||
apps[].mappings[].access_token.claims[].regex | The regular expression that must match the value of the specified claim name. | |||
apps[].mappings[].access_token.claims[].regex.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].access_token.claims[].regex.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].access_token.claims[].regex.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].access_token.roles[] | array | Specifies which roles should be extracted from the claims. | ||
apps[].mappings[].access_token.roles[].claim | string | Name of the claim you want to extract a role from. | ||
apps[].mappings[].access_token.roles[].extraction | The regular expression to match the role extraction and the rewrite expression of the role. | |||
apps[].mappings[].access_token.roles[].extraction.regex | The regular expression, which matches the parts which should be rewritten. | |||
apps[].mappings[].access_token.roles[].extraction.regex.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].access_token.roles[].extraction.regex.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].access_token.roles[].extraction.regex.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].access_token.roles[].extraction.substitution | string | The rewrite expression. | ||
apps[].mappings[].access_token.roles[].token_lifetime | false | boolean | If enabled, the expiry claim (exp) of the JWT will be used as the role lifetime. | |
apps[].mappings[].auth.client_certificate.verification | inherit | string | The client certificate verification mode to use on this mapping. This can be used to override the setting from the virtual host with a stronger verification level (e.g. off -> optional or optional -> required). Possible values are 'inherit', 'optional' or 'required'. | |
apps[].mappings[].auth.flow | redirect | string | The authentication flow, allowed values are: redirect, deny_access, one_shot, one_shot_with_body, ntlm | |
apps[].mappings[].auth.denied_access_url | /auth/check-login | string | Defines the location of the authentication service. In case the required role for the mapping is missing on the current session, Airlock Gateway will redirect the client to this location. If this value is missing (default), the Global Denied Access URL will be used. | |
apps[].mappings[].auth.logout_propagation_path | string | In order to allow clean session termination on back-end systems when an Airlock Gateway session terminates, the administrator can configure one logout path per mapping. | ||
apps[].mappings[].auth.access[] | array | A list of access restrictions can be created. Each request matching the combination of HTTP method and path of an access restriction must have at least one of the specified roles to access the service. All matching restrictions must be satisfied to gain access. | ||
apps[].mappings[].auth.access[].method | Can contain regular expressions that are applied when the HTTP method of a request matches one of the expressions. Use an empty pattern if all HTTP methods should match. | |||
apps[].mappings[].auth.access[].method.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].auth.access[].method.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].auth.access[].method.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].auth.access[].path | Can contain regular expressions that are applied when the requested path of the query matches the expressions. Use an empty pattern if all paths should match. | |||
apps[].mappings[].auth.access[].path.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].auth.access[].path.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].auth.access[].path.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].auth.access[].roles[] | array | Can contain a list of roles for this service. Only sessions that have at least one of these roles will be able to access the service. | ||
apps[].mappings[].csrf_token.enabled | false | boolean | Whether to enable automatic CSRF token injection and validation on this mapping. | |
apps[].mappings[].csrf_token.invalid_token_redirect_location | /%ENTRYPATH% | string | Specifies the location (e.g. /index.html) to which the client is redirected if a missing or invalid CSRF token is detected. | |
apps[].mappings[].csrf_token.exceptions[] | array | All incoming URLs that match one of these patterns are accepted by Airlock Microgateway without a valid CSRF token. | ||
apps[].mappings[].csrf_token.exceptions[].path.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].csrf_token.exceptions[].path.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].limits.max_path_length | 1024 | integer | Defines the maximum path length for requests to the current mapping in bytes. | |
apps[].mappings[].limits.max_request_body_size | 104857600 | integer | The maximum allowed total size of the request body in bytes. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in the request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once. | |
apps[].mappings[].limits.http_limits | The limits for HTTP parameters. | |||
apps[].mappings[].limits.http_limits.max_parameters | 128 | integer | Defines the maximum number of parameters inside the request. | |
apps[].mappings[].limits.http_limits.max_parameter_name_length | 128 | integer | Defines the maximum length of a parameter name in bytes. | |
apps[].mappings[].limits.http_limits.max_parameter_value_length | 1024 | integer | Defines the maximum length for a parameter value in bytes. | |
apps[].mappings[].limits.http_limits.parameter_length_exception | A regular expression which specifies any parameters which should not be checked against these length checks. | |||
apps[].mappings[].limits.http_limits.parameter_length_exception.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].limits.http_limits.parameter_length_exception.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].limits.http_limits.parameter_length_exception.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].limits.json_limits | The limits for JSON structures. | |||
apps[].mappings[].limits.json_limits.max_key_length | 256 | integer | Defines the maximum length for a JSON key, also known as 'JSON property' or 'JSON object member' in bytes. | |
apps[].mappings[].limits.json_limits.max_value_length | 8192 | integer | Defines the maximum length for a JSON value (string or numbers) in bytes. | |
apps[].mappings[].limits.json_limits.max_length_exception | Defines a regular expression to exclude JSON keys and the corresponding values from the length checks. The exceptions must be specified in the '#json' format for a JSON key. | |||
apps[].mappings[].limits.json_limits.max_length_exception.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].limits.json_limits.max_length_exception.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].limits.json_limits.max_length_exception.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].limits.json_limits.max_nesting_depth | 100 | integer | Defines the maximum depth of nesting for JSON objects and JSON arrays. | |
apps[].mappings[].limits.json_limits.max_array_items | 500 | integer | Defines the maximum number of items in a single JSON array (non-recursive). | |
apps[].mappings[].limits.json_limits.max_keys | 250 | integer | Defines the maximum number of keys of a single JSON object (non-recursive). | |
apps[].mappings[].limits.json_limits.max_total_entries | 150000 | integer | Defines the maximum number of keys and array items in the whole JSON document (recursive). | |
apps[].mappings[].api_security.treat_path_segments_as_parameters | true | boolean | If enabled, each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it. | |
apps[].mappings[].api_security.treat_json_objects_as_parameters | true | boolean | If enabled, Microgateway parses JSON objects in requests and filters JSON attributes with allow rules and deny rules. | |
apps[].mappings[].api_security.json_content_type | json | JSON objects are parsed only if their content-type matches the specified pattern. | ||
apps[].mappings[].api_security.json_content_type.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].api_security.json_content_type.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].api_security.json_content_type.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].api_security.openapi | The specification to validate against. | |||
apps[].mappings[].api_security.openapi.spec | string | The OpenAPI specification. | ||
apps[].mappings[].api_security.openapi.spec_file | /config/openapi.json | string | The OpenAPI file path. | |
apps[].mappings[].api_security.openapi.log_only | false | boolean | If enabled, potential attack requests are only logged but not blocked. | |
apps[].mappings[].api_security.openapi.response_validation | false | boolean | Check responses against API specification. | |
apps[].mappings[].api_security.openapi.path_matching | client_view | string | The Microgateway mapping can be configured to rewrite the incoming URL to a different back-end URL (asymmetric mappings). Due to this rewriting, the incoming URL path (client_view) will be different from the back-end URL path (backend_view). | |
apps[].mappings[].parameter_pollution.same_type.join_duplicates | true | boolean | If enabled, all the different values of a repeated parameter are joined by comma (in order of appearance). The aggregate value is then checked against deny rules (instead of the individual values). | |
apps[].mappings[].parameter_pollution.mixed_type.block_duplicates | true | boolean | If enabled, requests are blocked if they contain the same parameter names with different parameter types (e.g. "id" is present as a POST parameter and as a query parameter simultaneously). | |
apps[].mappings[].parameter_pollution.mixed_type.log_only | false | boolean | If enabled, offending requests are not blocked but only logged. | |
apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception | Exception pattern to exclude parameters from the parameter pollution detection. | |||
apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].expert_settings.security_gate | string | Expert settings for the Security Gate. | ||
apps[].mappings[].expert_settings.apache | string | Expert settings for the Apache httpd. | ||
apps[].mappings[].backend.name | backendGroup | string | The unique name of the back-end. Only characters a-Z, numbers, and the special characters '.', ':', '-' and '_' are allowed. | |
apps[].mappings[].backend.hosts[].name | backend | string | The hostname of the back-end host. Only characters a-Z, numbers, and the special characters '.', ':', '-' and '_' are allowed. | |
apps[].mappings[].backend.hosts[].protocol | http | string | Allowed values are: http, https | |
apps[].mappings[].backend.hosts[].port | 8080 | integer | Configuring a back-end port. | |
apps[].mappings[].backend.expert_settings.security_gate | string | Expert settings for the Security Gate. | ||
apps[].mappings[].request.default_actions[].name | string | Name of the default header action | ||
apps[].mappings[].request.default_actions[].enabled | boolean | Enable this default header action | ||
apps[].mappings[].request.custom_actions[] | array | A list of request custom actions executed in order of appearance. Only one action type (e.g. add_header or header_redirect) can be specified in each entry. Create multiple list positions if needed. | ||
apps[].mappings[].request.custom_actions[].name | string | A unique name for this action; if not specified, a unique name will be generated. | ||
apps[].mappings[].request.custom_actions[].add_header | An action to add a header to all requests. | |||
apps[].mappings[].request.custom_actions[].add_header.name | string | The name of the header to add. | ||
apps[].mappings[].request.custom_actions[].add_header.value | string | The value of the header to add. | ||
apps[].mappings[].request.custom_actions[].add_missing_header | An action to add a header to all requests if it is not already present. | |||
apps[].mappings[].request.custom_actions[].add_missing_header.name | string | The name of the header to add. | ||
apps[].mappings[].request.custom_actions[].add_missing_header.value | string | The value of the header to add. | ||
apps[].mappings[].request.custom_actions[].add_or_replace_header | An action to add a header to all requests, replacing the header if it already exists. | |||
apps[].mappings[].request.custom_actions[].add_or_replace_header.name | string | The name of the header to add. | ||
apps[].mappings[].request.custom_actions[].add_or_replace_header.value | string | The value of the header to add. | ||
apps[].mappings[].request.custom_actions[].remove_header | An action to remove a header either matching given name or value pattern on requests. | |||
apps[].mappings[].request.custom_actions[].remove_header.name | A pattern for the header name. | |||
apps[].mappings[].request.custom_actions[].remove_header.name.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].request.custom_actions[].remove_header.name.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].request.custom_actions[].remove_header.name.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].request.custom_actions[].remove_header.value | A pattern for the header value. | |||
apps[].mappings[].request.custom_actions[].remove_header.value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].request.custom_actions[].remove_header.value.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].request.custom_actions[].remove_header.value.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].request.custom_actions[].rewrite_header_value | An action to rewrite a header value either matching given name or value pattern on requests. | |||
apps[].mappings[].request.custom_actions[].rewrite_header_value.name | A pattern for the header name. | |||
apps[].mappings[].request.custom_actions[].rewrite_header_value.name.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].request.custom_actions[].rewrite_header_value.name.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].request.custom_actions[].rewrite_header_value.name.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].request.custom_actions[].rewrite_header_value.value | A pattern for the header value. | |||
apps[].mappings[].request.custom_actions[].rewrite_header_value.value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].request.custom_actions[].rewrite_header_value.value.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].request.custom_actions[].rewrite_header_value.value.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].request.custom_actions[].rewrite_header_value.replace | string | A string to rewrite the header value with. Can make back-references to the header value pattern. | ||
apps[].mappings[].request.custom_actions[].header_redirect | An action to redirect to a URL based on a header name or value either matching the given name or value pattern on requests. | |||
apps[].mappings[].request.custom_actions[].header_redirect.name | A pattern for the header name. | |||
apps[].mappings[].request.custom_actions[].header_redirect.name.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].request.custom_actions[].header_redirect.name.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].request.custom_actions[].header_redirect.name.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].request.custom_actions[].header_redirect.value | A pattern for the header value. | |||
apps[].mappings[].request.custom_actions[].header_redirect.value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].request.custom_actions[].header_redirect.value.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].request.custom_actions[].header_redirect.value.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].request.custom_actions[].header_redirect.target_url | string | The url to redirect to. | ||
apps[].mappings[].request.custom_actions[].header_redirect.status_code | 303 | integer | The http status code to use on redirect | |
apps[].mappings[].request.custom_actions[].geolocation_redirect | An action to redirect to a URL based on the geographic location of the request source IP. | |||
apps[].mappings[].request.custom_actions[].geolocation_redirect.continent_codes[] | [] | array | A list of alpha-2 continent codes to redirect clients from. See here: https://en.wikipedia.org/wiki/List_of_sovereign_states_and_dependent_territories_by_continent_(data_file) | |
apps[].mappings[].request.custom_actions[].geolocation_redirect.country_codes[] | [] | array | A list of country codes to redirect clients from. See here for alpha-2 codes to use: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2 | |
apps[].mappings[].request.custom_actions[].geolocation_redirect.target_url | string | The url to redirect to. | ||
apps[].mappings[].request.custom_actions[].geolocation_redirect.status_code | 303 | integer | The http status code to use on redirect | |
apps[].mappings[].response.default_actions[].name | string | Name of the default header action | ||
apps[].mappings[].response.default_actions[].enabled | boolean | Enable this default header action | ||
apps[].mappings[].response.rewrites.location_header[] | array | Rewrite option to modify the HTTP redirect location header sent from the back-end server before it is sent to the client. | ||
apps[].mappings[].response.rewrites.location_header[].url | The redirect URL pattern. | |||
apps[].mappings[].response.rewrites.location_header[].url.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.rewrites.location_header[].url.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.rewrites.location_header[].to | string | This is the target string which will replace the string matched by URL Pattern | ||
apps[].mappings[].response.rewrites.html[] | array | Rewriting HTML content may be necessary to modify URLs in the HTML content if the application creates absolute or incorrect links because it is not reverse proxy compatible | ||
apps[].mappings[].response.rewrites.html[].url | The URL pattern. | |||
apps[].mappings[].response.rewrites.html[].url.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.rewrites.html[].url.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.rewrites.html[].options[] | [ url ] | array | This list defines the content to rewrite. Possible values are 'url', 'event', 'embedded'. | |
apps[].mappings[].response.rewrites.html[].to | string | This is the target string which will replace the string matched by URL Pattern | ||
apps[].mappings[].response.rewrites.any[] | array | Rewrite the body of HTTP response. | ||
apps[].mappings[].response.rewrites.any[].content_type | ^(?:text|application)/(?:html|xhtml) | string | A response from the back-end server is rewritten only if the response header «Content-Type» matches this regular expression. | |
apps[].mappings[].response.rewrites.any[].content | This regular expression pattern defines the content to rewrite. | |||
apps[].mappings[].response.rewrites.any[].content.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.rewrites.any[].content.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.rewrites.any[].to | string | This is the target string which will replace the string matched by Content Pattern | ||
apps[].mappings[].response.rewrites.json[] | array | Rewrite the json body of http responses. | ||
apps[].mappings[].response.rewrites.json[].path | string | The JSON path of the property to rewrite. | ||
apps[].mappings[].response.rewrites.json[].content | This regular expression pattern defines the content to rewrite. | |||
apps[].mappings[].response.rewrites.json[].content.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.rewrites.json[].content.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.rewrites.json[].replace | string | This is the target content to replace the matched part with. | ||
apps[].mappings[].response.custom_actions[] | array | A list of response custom actions executed in order of appearance. Only one action type (e.g. add_header or header_redirect) can be specified in each entry. Create multiple list positions if needed. | ||
apps[].mappings[].response.custom_actions[].name | string | A unique name for this action; if not specified, a unique name will be generated. | ||
apps[].mappings[].response.custom_actions[].add_header | An action to add a header to all responses. | |||
apps[].mappings[].response.custom_actions[].add_header.name | string | The name of the header to add. | ||
apps[].mappings[].response.custom_actions[].add_header.value | string | The value of the header to add. | ||
apps[].mappings[].response.custom_actions[].add_missing_header | An action to add a header to all responses if it is not already present. | |||
apps[].mappings[].response.custom_actions[].add_missing_header.name | string | The name of the header to add. | ||
apps[].mappings[].response.custom_actions[].add_missing_header.value | string | The value of the header to add. | ||
apps[].mappings[].response.custom_actions[].add_or_replace_header | An action to add or replace an existing header on all responses. | |||
apps[].mappings[].response.custom_actions[].add_or_replace_header.name | string | The name of the header to add. | ||
apps[].mappings[].response.custom_actions[].add_or_replace_header.value | string | The value of the header to add. | ||
apps[].mappings[].response.custom_actions[].remove_header | An action to remove a header either matching given name or value pattern on responses. | |||
apps[].mappings[].response.custom_actions[].remove_header.name | A pattern for the header name. | |||
apps[].mappings[].response.custom_actions[].remove_header.name.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.custom_actions[].remove_header.name.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.custom_actions[].remove_header.name.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].response.custom_actions[].remove_header.value | A pattern for the header value. | |||
apps[].mappings[].response.custom_actions[].remove_header.value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.custom_actions[].remove_header.value.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.custom_actions[].remove_header.value.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].response.custom_actions[].rewrite_header_value | An action to rewrite a header value either matching given name or value pattern on responses. | |||
apps[].mappings[].response.custom_actions[].rewrite_header_value.name | A pattern for the header name. | |||
apps[].mappings[].response.custom_actions[].rewrite_header_value.name.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.custom_actions[].rewrite_header_value.name.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.custom_actions[].rewrite_header_value.name.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].response.custom_actions[].rewrite_header_value.value | A pattern for the header value. | |||
apps[].mappings[].response.custom_actions[].rewrite_header_value.value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.custom_actions[].rewrite_header_value.value.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.custom_actions[].rewrite_header_value.value.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].response.custom_actions[].rewrite_header_value.replace | string | A string to rewrite the header value with. Can make back-references to the header value pattern. | ||
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie | An action to rewrite the raw value of a cookie matching the given pattern. | |||
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.value | A pattern for the cookie value to apply for matching. | |||
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.value.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.replace | string | A string to rewrite value pattern matches in the cookie value. Can make back references to the pattern used for matching. | ||
apps[].mappings[].response.custom_actions[].rewrite_cookie | An action to rewrite a cookie based on patterns for cookie name, domain etc. | |||
apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie | A pattern to match the name of the cookie to rewrite. If this is set the name of the cookie must match this pattern for the rewrite to happen. | |||
apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].response.custom_actions[].rewrite_cookie.domain | A pattern to match the domain, or part of the domain of a cookie to rewrite it. | |||
apps[].mappings[].response.custom_actions[].rewrite_cookie.domain.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.custom_actions[].rewrite_cookie.domain.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.custom_actions[].rewrite_cookie.domain_replace | string | What to replace the domain with; Can make back references to the pattern used to match. | ||
apps[].mappings[].response.custom_actions[].rewrite_cookie.path | A pattern to match the path of a response to rewrite. | |||
apps[].mappings[].response.custom_actions[].rewrite_cookie.path.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].response.custom_actions[].rewrite_cookie.path.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].response.custom_actions[].rewrite_cookie.path_replace | string | What to replace the path with; Can make back references to the pattern used to match. | ||
apps[].mappings[].response.custom_actions[].rewrite_cookie.secure_mode | auto | string | Whether to add, keep or remove the Secure (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Secure) flag on cookies. AUTO will set the flag on all connections that use HTTPS and remove it on others. | |
apps[].mappings[].response.custom_actions[].rewrite_cookie.http_only_mode | auto | string | Whether to add, keep or remove the HttpOnly (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#HttpOnly) flag on cookies. AUTO will set the flag for encrypted cookies and KEEP it for others. | |
apps[].mappings[].response.error_page_replacements[] | array | Replacement rules for error responses returned by backend systems. | ||
apps[].mappings[].response.error_page_replacements[].status_code | The http response with the matching status code that should be replaced. | |||
apps[].mappings[].response.error_page_replacements[].status_code.pattern | string | The actual pattern. | ||
apps[].mappings[].response.error_page_replacements[].page | string | Error page file name that will be delivered to the client (e.g. 400.html). | ||
apps[].mappings[].cookies.encrypted | Cookies that should be cryptographically encrypted before being sent to the client. | |||
apps[].mappings[].cookies.encrypted.pattern | string | The actual pattern. | ||
apps[].mappings[].cookies.passthrough | Cookies that should be passed in plain format to the client. | |||
apps[].mappings[].cookies.passthrough.pattern | string | The actual pattern. | ||
apps[].mappings[].timeouts.idle_session | 0 | integer | Defines the minimum session idle time in seconds for this mapping. The value will be ignored if this minimum session idle timeout is smaller than or equal to the global session idle timeout setting. | |
apps[].mappings[].timeouts.backend_http_response | 120 | integer | Defines the time in seconds Airlock Microgateway will wait for the back-end HTTP response. In case the request runs into the timeout, Airlock Microgateway will deliver an error page with the corresponding HTTP 503 status code. | |
apps[].mappings[].deny_rule_groups[].enabled | true | boolean | Enable deny rule group | |
apps[].mappings[].deny_rule_groups[].log_only | false | boolean | If enabled, offending requests are not blocked but only logged | |
apps[].mappings[].deny_rule_groups[].level | standard | string | Allowed values are: basic, standard, strict. | |
apps[].mappings[].deny_rule_groups[].rule_group_keys[] | array | If deny rule group key is defined, the settings will only affect the specific deny rule group. | ||
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_name.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_name.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_name.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_value.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].deny_rule_groups[].exceptions[].parameter_value.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].deny_rule_groups[].exceptions[].header_name.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].deny_rule_groups[].exceptions[].header_name.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].deny_rule_groups[].exceptions[].header_name.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].deny_rule_groups[].exceptions[].header_value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].deny_rule_groups[].exceptions[].header_value.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].deny_rule_groups[].exceptions[].header_value.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].deny_rule_groups[].exceptions[].path.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].deny_rule_groups[].exceptions[].path.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].deny_rule_groups[].exceptions[].path.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].deny_rule_groups[].exceptions[].method.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].deny_rule_groups[].exceptions[].method.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].deny_rule_groups[].exceptions[].method.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].deny_rule_groups[].exceptions[].content_type.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].deny_rule_groups[].exceptions[].content_type.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].deny_rule_groups[].exceptions[].content_type.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].allow_rules[].name | Allow all | string | Unique name for the allow rule. If omitted, a unique name will be generated. To enable/disable the default allow rule or one from a mapping_template_file, use the same name. | |
apps[].mappings[].allow_rules[].enabled | true | boolean | Enable the allow rule. | |
apps[].mappings[].allow_rules[].path | A pattern to match the path. | |||
apps[].mappings[].allow_rules[].path.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].allow_rules[].path.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].allow_rules[].path.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].allow_rules[].method | A pattern to match the http method for this allow rule. | |||
apps[].mappings[].allow_rules[].method.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].allow_rules[].method.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].allow_rules[].method.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].allow_rules[].content_type | A pattern to match the content type for this allow rule. | |||
apps[].mappings[].allow_rules[].content_type.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
apps[].mappings[].allow_rules[].content_type.ignore_case | true | boolean | Whether to ignore case. | |
apps[].mappings[].allow_rules[].content_type.inverted | false | boolean | Whether to invert the match. | |
apps[].mappings[].allow_rules[].log_only | false | boolean | Whether to log requests not matching this allow rule instead of blocking them. | |
expert_settings.security_gate | string | Expert settings for the Security Gate. | ||
expert_settings.apache | string | Expert settings for the Apache httpd. | ||
log.level | info | string | Allowed values are: info, trace | |
session.encryption_passphrase | string | Specifies the passphrase for the passphrase based encryption mechanism (PBE). | ||
session.encryption_passphrase_file | /secret/passphrase | string | The path of the passphrase file. | |
session.redis_hosts[] | [] | array | Name of the hosts running the Redis Server. | |
session.store_mode | string | Defines the redis session store connection mode. By default, the Microgateway tries to determine the connection mode depending on the number of redis hosts configured: | ||
session.lifetime | 28800 | integer | Specifies the absolute lifetime of an Airlock Microgateway session in seconds. After this time a session will be terminated. | |
session.idle_timeout | 600 | integer | Specifies the amount of idle time in seconds, after which an Airlock Microgateway session is terminated. This timeout should be smaller than all other session timeouts of your back-end applications. Even if the timeout can be configured in seconds, per default the resolution of the idle session timeout check is 5 seconds only. | |
metrics | Configuration for metrics sending. | |||
metrics.statsd | Use this to enable sending metrics using the statsd protocol. | |||
metrics.statsd.enabled | true | boolean | Enable sending of statsd metrics. Default is 'true' | |
deny_rule_groups[] | array | Custom deny rule groups that can be referenced in mappings on top of the built in Airlock deny rules. | ||
deny_rule_groups[].rule_group_key | string | Unique short name. In order to prevent overriding a built-in deny rule group, the name may not start with '(default)'. | ||
deny_rule_groups[].name | string | Unique name. In order to prevent overriding a built-in deny rule group, the name may not start with '(default)'. | ||
deny_rule_groups[].deny_rules[] | array | Filter rule that blocks requests based on the evaluation of different request attributes. | ||
deny_rule_groups[].deny_rules[].rule_key | string | Unique short name. In order to prevent overriding built-in deny rules, the name may not start with '(default)'. | ||
deny_rule_groups[].deny_rules[].name | string | Unique name. In order to prevent overriding built-in deny rules, the name may not start with '(default)'. | ||
deny_rule_groups[].deny_rules[].parameter_name.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
deny_rule_groups[].deny_rules[].parameter_name.ignore_case | true | boolean | Whether to ignore case. | |
deny_rule_groups[].deny_rules[].parameter_name.inverted | false | boolean | Whether to invert the match. | |
deny_rule_groups[].deny_rules[].parameter_value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
deny_rule_groups[].deny_rules[].parameter_value.ignore_case | true | boolean | Whether to ignore case. | |
deny_rule_groups[].deny_rules[].parameter_value.inverted | false | boolean | Whether to invert the match. | |
deny_rule_groups[].deny_rules[].header_name.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
deny_rule_groups[].deny_rules[].header_name.ignore_case | true | boolean | Whether to ignore case. | |
deny_rule_groups[].deny_rules[].header_name.inverted | false | boolean | Whether to invert the match. | |
deny_rule_groups[].deny_rules[].header_value.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
deny_rule_groups[].deny_rules[].header_value.ignore_case | true | boolean | Whether to ignore case. | |
deny_rule_groups[].deny_rules[].header_value.inverted | false | boolean | Whether to invert the match. | |
deny_rule_groups[].deny_rules[].path.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
deny_rule_groups[].deny_rules[].path.ignore_case | true | boolean | Whether to ignore case. | |
deny_rule_groups[].deny_rules[].path.inverted | false | boolean | Whether to invert the match. | |
deny_rule_groups[].deny_rules[].method.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
deny_rule_groups[].deny_rules[].method.ignore_case | true | boolean | Whether to ignore case. | |
deny_rule_groups[].deny_rules[].method.inverted | false | boolean | Whether to invert the match. | |
deny_rule_groups[].deny_rules[].content_type.pattern | Yes | string | A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*" | |
deny_rule_groups[].deny_rules[].content_type.ignore_case | true | boolean | Whether to ignore case. | |
deny_rule_groups[].deny_rules[].content_type.inverted | false | boolean | Whether to invert the match. | |
jwks_providers | JWKS Providers which can be referenced in apps[].mappings[].access_token. | |||
jwks_providers.refresh_interval | 86400 | integer | Refresh interval for fetching from remote JWKS providers in seconds. | |
jwks_providers.local[] | [] | array | JWKS providers that are configured statically. | |
jwks_providers.local[].name | Yes | string | Name by which provider is referenced. Must be unique. | |
jwks_providers.local[].jwks | string | JSON Object that represents the set of JWKS. | ||
jwks_providers.local[].jwks_file | string | JSON file with the definitions of JWKS. | ||
jwks_providers.local[].issuer | string | Name of JWKS issuer. Corresponds to the 'Issuer' field in JWT. | ||
jwks_providers.remote[] | [] | array | Remote JWKS providers which are fetched according to the jwks_providers.refresh_interval. | |
jwks_providers.remote[].name | Yes | string | Name by which provider is referenced. Must be unique. | |
jwks_providers.remote[].service_url | Yes | string | URL of JWKS service provider. | |
jwks_providers.remote[].issuer | string | Name of JWKS issuer. This value is used to restrict the usage of the JWKS to JWTs with a matching issuer (claim 'iss'). | ||
jwks_providers.remote[].tls.protocol | DEFAULT | string | The TLS protocol to use. For the description of the default values see the Gateway documentation for 'Supported SSL/TLS versions'. | |
jwks_providers.remote[].tls.cipher_suite | DEFAULT | string | The TLS cipher suite to use. For documentation visit www.openssl.org and search for 'ciphers'. | |
jwks_providers.remote[].tls.force_new_session | false | boolean | Force new session for each request. | |
jwks_providers.remote[].tls.client.certificate | string | The certificate in PEM format. | ||
jwks_providers.remote[].tls.client.certificate_file | /secret/auth/jwks/tls/client/client.crt | string | The certificate file path. | |
jwks_providers.remote[].tls.client.privatekey | string | The private key for the certificate in PEM format. | ||
jwks_providers.remote[].tls.client.privatekey_file | /secret/auth/jwks/tls/client/client.key | string | The private key file path | |
jwks_providers.remote[].tls.client.ca_chain | string | List of certificates of the CA chain for the certificate. | ||
jwks_providers.remote[].tls.client.ca_chain_file | /secret/auth/jwks/tls/client/client-ca.crt | string | The CA chain file path. | |
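jwks_providers.remote[].tls.server.host_name_verification | false | boolean | Verification which involves a server identity check to mitigate man-in-the-middle attacks. Disabled by default; without it the host name of the JWKS server is not checked against its certificate, so consider enabling it for remote providers, since the fetched keys decide which JWTs are accepted. | |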
jwks_providers.remote[].tls.server.ca_validation | string | The concatenated certificates of the CAs which are used as trust anchor during chain validation, in PEM format. | ||
jwks_providers.remote[].tls.server.ca_validation_file | /secret/auth/jwks/tls/server/server-validation.crt | string | The file containing the validation CA certificates. |