DSL reference

Field

Default value

Required

Type

Description

license

string

The encoded license.

license_file

/secret/license

string

The license file path.

remote_ip.header

Yes

string

If set, Airlock Microgateway will treat the value of this header field as the user agent's IP address.
Common values are 'X-Forwarded-For' or 'X-Client-IP'.
Warning: Make sure that internal_proxies is correctly configured for your setup.

remote_ip.internal_proxies[]

Yes

array

List of hostnames, IP addresses or IP address ranges (e.g. 10.0.0.0/8) to trust as presenting a valid Remote-IP header.

apps[].virtual_host.name

microgateway

string

The logical name of the virtual host.

apps[].virtual_host.hostname

microgateway

string

The hostname of the virtual host.

apps[].virtual_host.aliases[]

array

Additional hostnames which refer to this virtual host.

apps[].virtual_host.strict_fqdn

false

boolean

Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.

apps[].virtual_host.http_enabled

true

boolean

Specifies whether HTTP connections are enabled for this host.

apps[].virtual_host.http_port

8080

integer

Specifies the port on which this host listens for HTTP connections.

apps[].virtual_host.https_enabled

true

boolean

Specifies whether HTTPS connections are enabled for this host.

apps[].virtual_host.https_port

8443

integer

Specifies the port on which this host listens for HTTPS connections.

apps[].virtual_host.http2_enabled

true

boolean

Specifies whether HTTP/2 connections are enabled for this host.

apps[].virtual_host.session_cookie_path

/

string

Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host.

apps[].virtual_host.session_cookie_domain

string

Specifies the domain for Airlock’s session cookie if the cookie is created inside this virtual host.

apps[].virtual_host.encoded_slashes

false

boolean

Specifies whether encoded slashes (%2F) are allowed in the URL path. Attention: combining per-mapping client certificates with enabled encoded slashes in the same virtual host might result in configurations where client certificate evaluation can be evaded.

apps[].virtual_host.certificate.certificate

string

The certificate in PEM format.

apps[].virtual_host.certificate.certificate_file

/secret/tls/frontend-server.crt

string

The certificate file path.

apps[].virtual_host.certificate.privatekey

string

The private key for the certificate in PEM format.

apps[].virtual_host.certificate.privatekey_file

/secret/tls/frontend-server.key

string

The private key file path.

apps[].virtual_host.certificate.ca_chain

string

List of certificates of the CA chain for the certificate.

apps[].virtual_host.certificate.ca_chain_file

/secret/tls/frontend-server-ca.crt

string

The CA chain file path.

apps[].virtual_host.auth.client_certificate.verification

off

string

Defines the default verification mode for client certificates on this virtual host. Possible values are 'off', 'optional' or 'required'.

apps[].virtual_host.auth.client_certificate.verification_depth

1

integer

Maximum number of intermediate certificate issuers.

apps[].virtual_host.auth.client_certificate.ca_selection

string

The concatenated certificates of the CAs which are sent to the client during the SSL handshake, in PEM format.

apps[].virtual_host.auth.client_certificate.ca_selection_file

/secret/auth/client_certificate/selection.crt

string

The file containing the selection CA certificates.

apps[].virtual_host.auth.client_certificate.ca_validation

string

The concatenated certificates of the CAs which are used as trust anchor during chain validation, in PEM format.

apps[].virtual_host.auth.client_certificate.ca_validation_file

/secret/auth/client_certificate/validation.crt

string

The file containing the validation CA certificates.

apps[].virtual_host.auth.client_certificate.crl

string

PEM representation of certificate revocation lists. If a client certificate is on such a list it will not be accepted. Although Airlock provides this functionality, it is recommended to check certificates against CRLs and other types of blacklists within the authentication service and not in Airlock.

apps[].virtual_host.auth.client_certificate.crl_file

/secret/auth/client_certificate/client.crl

string

The file containing the CRL.

apps[].virtual_host.expert_settings.security_gate

string

Expert settings for the Security Gate.

apps[].virtual_host.expert_settings.apache

string

Expert settings for the Apache httpd.

apps[].virtual_host.redirects[].path

Yes

The absolute path starting with '/' as a regular expression from which to redirect.

apps[].virtual_host.redirects[].path.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].virtual_host.redirects[].path.ignore_case

true

boolean

Whether to ignore case.

apps[].virtual_host.redirects[].dest

Yes

string

The destination can be relative to the current virtual host or an absolute URL including protocol and host. Relative redirect paths are extended with the incoming scheme and host header.

apps[].virtual_host.redirects[].status_code

303

integer

The returned status code. Must be one of: [301, 302, 303, 307, 308]

apps[].mappings[].name

root

string

The unique name of the mapping.

apps[].mappings[].mapping_template_file

/config/mapping.xml

string

The Airlock Gateway mapping template file path.

apps[].mappings[].priority

0

integer

Specifies the priority of this mapping (highest: -999, lowest: 999) when a request matches the entry path of multiple mappings.

All mappings with entry_path.type regex must have a unique priority.

apps[].mappings[].entry_path

The entry path specifies the external URL path the mapping should be available under.

apps[].mappings[].entry_path.type

directory

string

Allowed values are: directory, regex.

apps[].mappings[].entry_path.value

/

string

This specifies the external URL path.

apps[].mappings[].entry_path.ignore_case

false

boolean

Whether to ignore case.

apps[].mappings[].entry_path.enforce_trailing_slashes

false

boolean

Whether a trailing slash is mandatory at the end of the entry path or not.

apps[].mappings[].backend_path

/

string

The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server.

apps[].mappings[].env_cookies

false

boolean

Specifies whether Airlock environment cookies containing useful request information are sent to the connected back-end.

apps[].mappings[].control_api

false

boolean

Specifies whether the connected back-end service is allowed to use the Airlock Microgateway Control API via the control cookie mechanism. The Control API is normally used by authentication applications to communicate with the Microgateway.

apps[].mappings[].compress_response_traffic

false

boolean

Specifies whether Airlock Microgateway should compress the output on-the-fly for the client browser if supported and requested by the browser.

apps[].mappings[].threat_handling

block

string

Allowed values are: block, terminate_session, notify.

apps[].mappings[].operational_mode

production

string

Allowed values are: production, integration.

apps[].mappings[].session_handling

ignore_session

string

Allowed values are: enforce_session, optional_session, optional_session_no_refresh, ignore_session

apps[].mappings[].access_token.mandatory

false

boolean

If disabled, requests without a token are accepted. However, if a token is present, it is extracted and validated, and the configured restrictions and role extractions are applied.

apps[].mappings[].access_token.signature_mandatory

true

boolean

Enforce a signed JWT.

apps[].mappings[].access_token.expiry_checked

false

boolean

Whether the JWT standard claims expiry (exp) and not before (nbf) are checked and must be valid.

apps[].mappings[].access_token.skew

10

integer

The allowed skew when checking expiry / not before in seconds.

apps[].mappings[].access_token.tech_client_id_claim

string

The claim to extract the technical client id from.

apps[].mappings[].access_token.audittoken

false

boolean

Whether the 'sub' claim is extracted from the JWT and used as the audit token of the current session.

apps[].mappings[].access_token.extraction

How the token should be extracted.

apps[].mappings[].access_token.extraction.mode

header

string

From which part of the request the token should be extracted. Possible values are 'header', 'parameter', 'cookie'.

apps[].mappings[].access_token.extraction.header

How the token should be extracted from the request headers.

apps[].mappings[].access_token.extraction.header.regex

The regular expression, which matches the parts which should be rewritten.

apps[].mappings[].access_token.extraction.header.regex.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].access_token.extraction.header.regex.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].access_token.extraction.header.regex.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].access_token.extraction.header.substitution

string

The rewrite expression.

apps[].mappings[].access_token.extraction.parameter

string

From which query parameter the token should be extracted.

apps[].mappings[].access_token.extraction.cookie

string

From which cookie the token should be extracted.

apps[].mappings[].access_token.jwks_providers[]

array

List of JWKS service providers referenced by their name. Can be local or remote providers.

apps[].mappings[].access_token.claims[]

array

All specified claims are checked and must match the claim's value of the decoded token. If a claim is an array, at least one entry must match the specified regex.

apps[].mappings[].access_token.claims[].claim

string

The name of the claim you want to restrict.

apps[].mappings[].access_token.claims[].regex

The regular expression that must match the value of the specified claim name.

apps[].mappings[].access_token.claims[].regex.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].access_token.claims[].regex.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].access_token.claims[].regex.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].access_token.roles[]

array

Specifies which roles should be extracted from the claims.

apps[].mappings[].access_token.roles[].claim

string

Name of the claim you want to extract a role from.

apps[].mappings[].access_token.roles[].extraction

The regular expression to match the role extraction and the rewrite expression of the role.

apps[].mappings[].access_token.roles[].extraction.regex

The regular expression, which matches the parts which should be rewritten.

apps[].mappings[].access_token.roles[].extraction.regex.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].access_token.roles[].extraction.regex.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].access_token.roles[].extraction.regex.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].access_token.roles[].extraction.substitution

string

The rewrite expression.

apps[].mappings[].access_token.roles[].token_lifetime

false

boolean

If enabled, the expiry claim (exp) of the JWT will be used as the role lifetime.

apps[].mappings[].auth.client_certificate.verification

inherit

string

The client certificate verification mode to use on this mapping. This can be used to override the setting from the virtual host with a stronger verification level (e.g. off -> optional or optional -> required). Possible values are 'inherit', 'optional' or 'required'.

apps[].mappings[].auth.flow

redirect

string

The authentication flow, allowed values are: redirect, deny_access, one_shot, one_shot_with_body, ntlm

apps[].mappings[].auth.denied_access_url

/auth/check-login

string

Defines the location of the authentication service. In case the required role for the mapping is missing on the current session, Airlock Gateway will redirect the client to this location. If this value is missing (default), the Global Denied Access URL will be used.

apps[].mappings[].auth.logout_propagation_path

string

In order to allow clean session termination on back-end systems when an Airlock Gateway session terminates, the administrator can configure one logout path per mapping.

apps[].mappings[].auth.access[]

array

A list of access restrictions. Each request matching the combination of HTTP method and path of an access restriction must have at least one of the specified roles to access the service. All matching restrictions must be satisfied to gain access.

apps[].mappings[].auth.access[].method

Can contain regular expressions that are applied when the HTTP method of a request matches one of the expressions. Use an empty pattern if all HTTP methods should match.

apps[].mappings[].auth.access[].method.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].auth.access[].method.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].auth.access[].method.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].auth.access[].path

Can contain regular expressions that are applied when the requested path of the query matches the expressions. Use an empty pattern if all paths should match.

apps[].mappings[].auth.access[].path.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].auth.access[].path.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].auth.access[].path.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].auth.access[].roles[]

array

Can contain a list of roles for this service. Only sessions that have at least one of these roles will be able to access the service.

apps[].mappings[].csrf_token.enabled

false

boolean

Whether to enable automatic CSRF token injection and validation on this mapping.

apps[].mappings[].csrf_token.invalid_token_redirect_location

/%ENTRYPATH%

string

Specifies the location (e.g. /index.html) to which the client is redirected if a missing or invalid CSRF token is detected.

apps[].mappings[].csrf_token.exceptions[]

array

All incoming URLs that match one of these patterns are accepted by Airlock Microgateway without a valid CSRF token.

apps[].mappings[].csrf_token.exceptions[].path.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].csrf_token.exceptions[].path.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].limits.max_path_length

1024

integer

Defines the maximum path length for requests to the current mapping in bytes.

apps[].mappings[].limits.max_request_body_size

104857600

integer

The maximum allowed total size of the request body in bytes. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in the request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once.

apps[].mappings[].limits.http_limits

The limits for HTTP parameters.

apps[].mappings[].limits.http_limits.max_parameters

128

integer

Defines the maximum number of parameters inside the request.

apps[].mappings[].limits.http_limits.max_parameter_name_length

128

integer

Defines the maximum length of a parameter name in bytes.

apps[].mappings[].limits.http_limits.max_parameter_value_length

1024

integer

Defines the maximum length for a parameter value in bytes.

apps[].mappings[].limits.http_limits.parameter_length_exception

A regular expression which specifies any parameters which should not be checked against these length checks.

apps[].mappings[].limits.http_limits.parameter_length_exception.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].limits.http_limits.parameter_length_exception.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].limits.http_limits.parameter_length_exception.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].limits.json_limits

The limits for JSON structures.

apps[].mappings[].limits.json_limits.max_key_length

256

integer

Defines the maximum length for a JSON key, also known as 'JSON property' or 'JSON object member' in bytes.

apps[].mappings[].limits.json_limits.max_value_length

8192

integer

Defines the maximum length for a JSON value (string or numbers) in bytes.

apps[].mappings[].limits.json_limits.max_length_exception

Defines a regular expression to exclude JSON keys and the corresponding values from the length checks. The exceptions must be specified in the '#json' format for a JSON key.

apps[].mappings[].limits.json_limits.max_length_exception.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].limits.json_limits.max_length_exception.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].limits.json_limits.max_length_exception.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].limits.json_limits.max_nesting_depth

100

integer

Defines the maximum depth of nesting for JSON objects and JSON arrays.

apps[].mappings[].limits.json_limits.max_array_items

500

integer

Defines the maximum number of items in a single JSON array (non-recursive).

apps[].mappings[].limits.json_limits.max_keys

250

integer

Defines the maximum number of keys of a single JSON object (non-recursive).

apps[].mappings[].limits.json_limits.max_total_entries

150000

integer

Defines the maximum number of keys and array items in the whole JSON document (recursive).

apps[].mappings[].api_security.treat_path_segments_as_parameters

true

boolean

If enabled, each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it.

apps[].mappings[].api_security.treat_json_objects_as_parameters

true

boolean

If enabled, Microgateway parses JSON objects in requests and filters JSON attributes with allow rules and deny rules.

apps[].mappings[].api_security.json_content_type

json

JSON objects are parsed only if their content-type matches the specified pattern.

apps[].mappings[].api_security.json_content_type.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].api_security.json_content_type.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].api_security.json_content_type.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].api_security.openapi

The specification to validate against.

apps[].mappings[].api_security.openapi.spec

string

The OpenAPI specification.

apps[].mappings[].api_security.openapi.spec_file

/config/openapi.json

string

The OpenAPI file path.

apps[].mappings[].api_security.openapi.log_only

false

boolean

If enabled, potential attack requests are only logged but not blocked.

apps[].mappings[].api_security.openapi.response_validation

false

boolean

Check responses against API specification.

apps[].mappings[].api_security.openapi.path_matching

client_view

string

The Microgateway mapping can be configured to rewrite the incoming URL to a different back-end URL (asymmetric mappings). Due to this rewriting, the incoming URL path (client_view) will be different from the back-end URL path (backend_view).

apps[].mappings[].parameter_pollution.same_type.join_duplicates

true

boolean

If enabled, all the different values of a repeated parameter are joined by comma (in order of appearance). The aggregate value is then checked against deny rules (instead of the individual values).

apps[].mappings[].parameter_pollution.mixed_type.block_duplicates

true

boolean

If enabled, requests are blocked if they contain the same parameter names with different parameter types (e.g. "id" is present as a POST parameter and as a query parameter simultaneously).

apps[].mappings[].parameter_pollution.mixed_type.log_only

false

boolean

If enabled, offending requests are not blocked but only logged.

apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception

Exception pattern to exclude parameters from the parameter pollution detection.

apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].parameter_pollution.mixed_type.parameter_name_exception.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].expert_settings.security_gate

string

Expert settings for the Security Gate.

apps[].mappings[].expert_settings.apache

string

Expert settings for the Apache httpd.

apps[].mappings[].backend.name

backendGroup

string

The unique name of the back-end. Only characters a-Z, numbers, and the special characters '.', ':', '-' and '_' are allowed.

apps[].mappings[].backend.hosts[].name

backend

string

The hostname of the back-end host. Only characters a-Z, numbers, and the special characters '.', ':', '-' and '_' are allowed.

apps[].mappings[].backend.hosts[].protocol

http

string

Allowed values are: http, https

apps[].mappings[].backend.hosts[].port

8080

integer

Configuring a back-end port.

apps[].mappings[].backend.expert_settings.security_gate

string

Expert settings for the Security Gate.

apps[].mappings[].request.default_actions[].name

string

Name of the default header action

apps[].mappings[].request.default_actions[].enabled

boolean

Enable this default header action

apps[].mappings[].request.custom_actions[]

array

A list of request custom actions executed in order of appearance. Only one action type (e.g. add_header or header_redirect) can be specified in each entry. Create multiple list positions if needed.

apps[].mappings[].request.custom_actions[].name

string

A unique name for this action; if not specified, a unique name will be generated.

apps[].mappings[].request.custom_actions[].add_header

An action to add a header to all requests.

apps[].mappings[].request.custom_actions[].add_header.name

string

The name of the header to add.

apps[].mappings[].request.custom_actions[].add_header.value

string

The value of the header to add.

apps[].mappings[].request.custom_actions[].add_missing_header

An action to add a header to all requests if it is not already present.

apps[].mappings[].request.custom_actions[].add_missing_header.name

string

The name of the header to add.

apps[].mappings[].request.custom_actions[].add_missing_header.value

string

The value of the header to add.

apps[].mappings[].request.custom_actions[].add_or_replace_header

An action to add or replace an existing header on all requests.

apps[].mappings[].request.custom_actions[].add_or_replace_header.name

string

The name of the header to add.

apps[].mappings[].request.custom_actions[].add_or_replace_header.value

string

The value of the header to add.

apps[].mappings[].request.custom_actions[].remove_header

An action to remove a header either matching given name or value pattern on requests.

apps[].mappings[].request.custom_actions[].remove_header.name

A pattern for the header name.

apps[].mappings[].request.custom_actions[].remove_header.name.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].request.custom_actions[].remove_header.name.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].request.custom_actions[].remove_header.name.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].request.custom_actions[].remove_header.value

A pattern for the header value.

apps[].mappings[].request.custom_actions[].remove_header.value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].request.custom_actions[].remove_header.value.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].request.custom_actions[].remove_header.value.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].request.custom_actions[].rewrite_header_value

An action to rewrite a header value either matching given name or value pattern on requests.

apps[].mappings[].request.custom_actions[].rewrite_header_value.name

A pattern for the header name.

apps[].mappings[].request.custom_actions[].rewrite_header_value.name.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].request.custom_actions[].rewrite_header_value.name.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].request.custom_actions[].rewrite_header_value.name.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].request.custom_actions[].rewrite_header_value.value

A pattern for the header value.

apps[].mappings[].request.custom_actions[].rewrite_header_value.value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].request.custom_actions[].rewrite_header_value.value.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].request.custom_actions[].rewrite_header_value.value.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].request.custom_actions[].rewrite_header_value.replace

string

A string to rewrite the header value with. Can make back-references to the header value pattern.

apps[].mappings[].request.custom_actions[].header_redirect

An action to redirect to a URL based on a header name or value either matching the given name or value pattern on requests.

apps[].mappings[].request.custom_actions[].header_redirect.name

A pattern for the header name.

apps[].mappings[].request.custom_actions[].header_redirect.name.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].request.custom_actions[].header_redirect.name.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].request.custom_actions[].header_redirect.name.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].request.custom_actions[].header_redirect.value

A pattern for the header value.

apps[].mappings[].request.custom_actions[].header_redirect.value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].request.custom_actions[].header_redirect.value.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].request.custom_actions[].header_redirect.value.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].request.custom_actions[].header_redirect.target_url

string

The URL to redirect to.

apps[].mappings[].request.custom_actions[].header_redirect.status_code

303

integer

The HTTP status code to use on redirect.

apps[].mappings[].request.custom_actions[].geolocation_redirect

An action to redirect to a URL based on the geographic location of the request source IP.

apps[].mappings[].request.custom_actions[].geolocation_redirect.continent_codes[]

[]

array

A list of alpha-2 continent codes to redirect clients from. See here: https://en.wikipedia.org/wiki/List_of_sovereign_states_and_dependent_territories_by_continent_(data_file)

apps[].mappings[].request.custom_actions[].geolocation_redirect.country_codes[]

[]

array

A list of country codes to redirect clients from. See here for alpha-2 codes to use: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

apps[].mappings[].request.custom_actions[].geolocation_redirect.target_url

string

The URL to redirect to.

apps[].mappings[].request.custom_actions[].geolocation_redirect.status_code

303

integer

The HTTP status code to use on redirect.

apps[].mappings[].response.default_actions[].name

string

Name of the default header action

apps[].mappings[].response.default_actions[].enabled

boolean

Enable this default header action

apps[].mappings[].response.rewrites.location_header[]

array

Rewrite option to modify the HTTP redirect location header sent from the back-end server before it is sent to the client.

apps[].mappings[].response.rewrites.location_header[].url

The redirect URL pattern.

apps[].mappings[].response.rewrites.location_header[].url.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.rewrites.location_header[].url.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.rewrites.location_header[].to

string

This is the target string which will replace the string matched by URL Pattern

apps[].mappings[].response.rewrites.html[]

array

Rewriting HTML content may be necessary to modify URLs in the HTML content if the application creates absolute or incorrect links because it is not reverse proxy compatible

apps[].mappings[].response.rewrites.html[].url

The URL pattern.

apps[].mappings[].response.rewrites.html[].url.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.rewrites.html[].url.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.rewrites.html[].options[]

[ url ]

array

This list defines the content to rewrite. Possible values are 'url', 'event', 'embedded'.

apps[].mappings[].response.rewrites.html[].to

string

This is the target string which will replace the string matched by URL Pattern

apps[].mappings[].response.rewrites.any[]

array

Rewrite the body of HTTP response.

apps[].mappings[].response.rewrites.any[].content_type

^(?:text|application)/(?:html|xhtml)

string

A response from the back-end server is rewritten only if the response header «Content-Type» matches this regular expression.

apps[].mappings[].response.rewrites.any[].content

This regular expression pattern defines the content to rewrite.

apps[].mappings[].response.rewrites.any[].content.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.rewrites.any[].content.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.rewrites.any[].to

string

This is the target string which will replace the string matched by Content Pattern

apps[].mappings[].response.rewrites.json[]

array

Rewrite the JSON body of HTTP responses.

apps[].mappings[].response.rewrites.json[].path

string

The JSON path of the property to rewrite.

apps[].mappings[].response.rewrites.json[].content

This regular expression pattern defines the content to rewrite.

apps[].mappings[].response.rewrites.json[].content.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.rewrites.json[].content.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.rewrites.json[].replace

string

This is the target content to replace the matched part with.

apps[].mappings[].response.custom_actions[]

array

A list of request custom actions executed in order of appearance. Only one action type (e.g. add_header or header_redirect) can be specified in each entry. Create multiple list positions if needed.

apps[].mappings[].response.custom_actions[].name

string

A unique name for this action; if not specified, a unique name will be generated.

apps[].mappings[].response.custom_actions[].add_header

An action to add a header to all responses.

apps[].mappings[].response.custom_actions[].add_header.name

string

The name of the header to add.

apps[].mappings[].response.custom_actions[].add_header.value

string

The value of the header to add.

apps[].mappings[].response.custom_actions[].add_missing_header

An action to add a header to all responses if it is not already present.

apps[].mappings[].response.custom_actions[].add_missing_header.name

string

The name of the header to add.

apps[].mappings[].response.custom_actions[].add_missing_header.value

string

The value of the header to add.

apps[].mappings[].response.custom_actions[].add_or_replace_header

An action to add or replace an existing header on all responses.

apps[].mappings[].response.custom_actions[].add_or_replace_header.name

string

The name of the header to add.

apps[].mappings[].response.custom_actions[].add_or_replace_header.value

string

The value of the header to add.

apps[].mappings[].response.custom_actions[].remove_header

An action to remove a header either matching given name or value pattern on responses.

apps[].mappings[].response.custom_actions[].remove_header.name

A pattern for the header name.

apps[].mappings[].response.custom_actions[].remove_header.name.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.custom_actions[].remove_header.name.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.custom_actions[].remove_header.name.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].response.custom_actions[].remove_header.value

A pattern for the header value.

apps[].mappings[].response.custom_actions[].remove_header.value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.custom_actions[].remove_header.value.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.custom_actions[].remove_header.value.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].response.custom_actions[].rewrite_header_value

An action to rewrite a header value either matching given name or value pattern on responses.

apps[].mappings[].response.custom_actions[].rewrite_header_value.name

A pattern for the header name.

apps[].mappings[].response.custom_actions[].rewrite_header_value.name.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.custom_actions[].rewrite_header_value.name.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.custom_actions[].rewrite_header_value.name.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].response.custom_actions[].rewrite_header_value.value

A pattern for the header value.

apps[].mappings[].response.custom_actions[].rewrite_header_value.value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.custom_actions[].rewrite_header_value.value.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.custom_actions[].rewrite_header_value.value.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].response.custom_actions[].rewrite_header_value.replace

string

A string to rewrite the header value with. Can make back-references to the header value pattern.

apps[].mappings[].response.custom_actions[].rewrite_raw_cookie

An action to rewrite the raw value of a cookie matching the given pattern.

apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.value

A pattern for the cookie value to apply for matching.

apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.value.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.custom_actions[].rewrite_raw_cookie.replace

string

A string to rewrite value pattern matches in the cookie value. Can make back references to the pattern used for matching.

apps[].mappings[].response.custom_actions[].rewrite_cookie

An action to rewrite a cookie based on patterns for cookie name, domain etc.

apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie

A pattern to match the name of the cookie to rewrite. If this is set the name of the cookie must match this pattern for the rewrite to happen.

apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.custom_actions[].rewrite_cookie.cookie.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].response.custom_actions[].rewrite_cookie.domain

A pattern to match the domain, or part of the domain of a cookie to rewrite it.

apps[].mappings[].response.custom_actions[].rewrite_cookie.domain.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.custom_actions[].rewrite_cookie.domain.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.custom_actions[].rewrite_cookie.domain_replace

string

What to replace the domain with. Can make back references to the pattern used to match.

apps[].mappings[].response.custom_actions[].rewrite_cookie.path

A pattern to match the path of a response to rewrite.

apps[].mappings[].response.custom_actions[].rewrite_cookie.path.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].response.custom_actions[].rewrite_cookie.path.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].response.custom_actions[].rewrite_cookie.path_replace

string

What to replace the path with. Can make back references to the pattern used to match.

apps[].mappings[].response.custom_actions[].rewrite_cookie.secure_mode

auto

string

Whether to add, keep or remove the Secure (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Secure) flag on cookies. AUTO will set the flag on all connections that use HTTPS and remove it on others.

apps[].mappings[].response.custom_actions[].rewrite_cookie.http_only_mode

auto

string

Whether to add, keep or remove the HttpOnly (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#HttpOnly) flag on cookies. AUTO will set the flag for encrypted cookies and KEEP it for others.

apps[].mappings[].response.error_page_replacements[]

array

Replacement rules for error responses returned by backend systems.

apps[].mappings[].response.error_page_replacements[].status_code

The HTTP response with the matching status code that should be replaced.

apps[].mappings[].response.error_page_replacements[].status_code.pattern

string

The actual pattern.

apps[].mappings[].response.error_page_replacements[].page

string

Error page file name that will be delivered to the client (e.g. 400.html).

apps[].mappings[].cookies.encrypted

Cookies that should be cryptographically encrypted before being sent to the client.

apps[].mappings[].cookies.encrypted.pattern

string

The actual pattern.

apps[].mappings[].cookies.passthrough

Cookies that should be passed in plain format to the client.

apps[].mappings[].cookies.passthrough.pattern

string

The actual pattern.

apps[].mappings[].timeouts.idle_session

0

integer

Defines the minimum session idle time in seconds for this mapping. The value will be ignored if the minimum session idle timeout is smaller than or equal to the global session idle timeout setting.

apps[].mappings[].timeouts.backend_http_response

120

integer

Defines the time in seconds Airlock Microgateway will wait for the back-end HTTP response. In case the request runs into the timeout, Airlock Microgateway will deliver an error page with the corresponding HTTP 503 status code.

apps[].mappings[].deny_rule_groups[].enabled

true

boolean

Enable the deny rule group.

apps[].mappings[].deny_rule_groups[].log_only

false

boolean

If enabled, offending requests are not blocked but only logged.

apps[].mappings[].deny_rule_groups[].level

standard

string

Allowed values are: basic, standard, strict.

apps[].mappings[].deny_rule_groups[].rule_group_keys[]

array

If deny rule group key is defined, the settings will only affect the specific deny rule group.

apps[].mappings[].deny_rule_groups[].exceptions[].parameter_name.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].deny_rule_groups[].exceptions[].parameter_name.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].deny_rule_groups[].exceptions[].parameter_name.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].deny_rule_groups[].exceptions[].parameter_value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].deny_rule_groups[].exceptions[].parameter_value.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].deny_rule_groups[].exceptions[].parameter_value.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].deny_rule_groups[].exceptions[].header_name.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].deny_rule_groups[].exceptions[].header_name.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].deny_rule_groups[].exceptions[].header_name.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].deny_rule_groups[].exceptions[].header_value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].deny_rule_groups[].exceptions[].header_value.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].deny_rule_groups[].exceptions[].header_value.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].deny_rule_groups[].exceptions[].path.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].deny_rule_groups[].exceptions[].path.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].deny_rule_groups[].exceptions[].path.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].deny_rule_groups[].exceptions[].method.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].deny_rule_groups[].exceptions[].method.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].deny_rule_groups[].exceptions[].method.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].deny_rule_groups[].exceptions[].content_type.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].deny_rule_groups[].exceptions[].content_type.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].deny_rule_groups[].exceptions[].content_type.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].allow_rules[].name

Allow all

string

Unique name for the allow rule. If omitted, a unique name will be generated. To enable/disable the default allow rule or one from a mapping_template_file, use the same name.

apps[].mappings[].allow_rules[].enabled

true

boolean

Enable the allow rule.

apps[].mappings[].allow_rules[].path

A pattern to match the path.

apps[].mappings[].allow_rules[].path.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].allow_rules[].path.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].allow_rules[].path.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].allow_rules[].method

A pattern to match the HTTP method for this allow rule.

apps[].mappings[].allow_rules[].method.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].allow_rules[].method.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].allow_rules[].method.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].allow_rules[].content_type

A pattern to match the content type for this allow rule.

apps[].mappings[].allow_rules[].content_type.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

apps[].mappings[].allow_rules[].content_type.ignore_case

true

boolean

Whether to ignore case.

apps[].mappings[].allow_rules[].content_type.inverted

false

boolean

Whether to invert the match.

apps[].mappings[].allow_rules[].log_only

false

boolean

Whether to log requests not matching this allow rule instead of blocking them.

expert_settings.security_gate

string

Expert settings for the Security Gate.

expert_settings.apache

string

Expert settings for the Apache httpd.

log.level

info

string

Allowed values are: info, trace.

session.encryption_passphrase

string

Specifies the passphrase for the passphrase based encryption mechanism (PBE).

session.encryption_passphrase_file

/secret/passphrase

string

The path of the passphrase file.

session.redis_hosts[]

[]

array

Names of the hosts running the Redis server.

session.store_mode

string

Defines the Redis session store connection mode. By default, the Microgateway tries to determine the connection mode depending on the number of Redis hosts configured:
- server mode if only one host is configured
- cluster mode if several hosts are configured

Allowed values are: server, cluster and disabled.

session.lifetime

28800

integer

Specifies the absolute lifetime of an Airlock Microgateway session in seconds. After this time a session will be terminated.

session.idle_timeout

600

integer

Specifies the amount of idle time in seconds after which an Airlock Microgateway session is terminated. This timeout should be smaller than all other session timeouts of your back-end applications. Although the timeout can be configured in seconds, by default the resolution of the idle session timeout check is only 5 seconds.

metrics

Configuration for metrics sending.

metrics.statsd

Use this to enable sending metrics using the statsd protocol.

metrics.statsd.enabled

true

boolean

Enable sending of statsd metrics. Default is 'true'.

deny_rule_groups[]

array

Custom deny rule groups that can be referenced in mappings on top of the built-in Airlock deny rules.

deny_rule_groups[].rule_group_key

string

Unique short name. In order to prevent overriding built-in deny rule group, the name may not start with '(default)'.

deny_rule_groups[].name

string

Unique name. In order to prevent overriding built-in deny rule group, the name may not start with '(default)'.

deny_rule_groups[].deny_rules[]

array

Filter rule that blocks requests based on the evaluation of different request attributes.

deny_rule_groups[].deny_rules[].rule_key

string

Unique short name. In order to prevent overriding built-in deny rules, the name may not start with '(default)'.

deny_rule_groups[].deny_rules[].name

string

Unique name. In order to prevent overriding built-in deny rules, the name may not start with '(default)'.

deny_rule_groups[].deny_rules[].parameter_name.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

deny_rule_groups[].deny_rules[].parameter_name.ignore_case

true

boolean

Whether to ignore case.

deny_rule_groups[].deny_rules[].parameter_name.inverted

false

boolean

Whether to invert the match.

deny_rule_groups[].deny_rules[].parameter_value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

deny_rule_groups[].deny_rules[].parameter_value.ignore_case

true

boolean

Whether to ignore case.

deny_rule_groups[].deny_rules[].parameter_value.inverted

false

boolean

Whether to invert the match.

deny_rule_groups[].deny_rules[].header_name.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

deny_rule_groups[].deny_rules[].header_name.ignore_case

true

boolean

Whether to ignore case.

deny_rule_groups[].deny_rules[].header_name.inverted

false

boolean

Whether to invert the match.

deny_rule_groups[].deny_rules[].header_value.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

deny_rule_groups[].deny_rules[].header_value.ignore_case

true

boolean

Whether to ignore case.

deny_rule_groups[].deny_rules[].header_value.inverted

false

boolean

Whether to invert the match.

deny_rule_groups[].deny_rules[].path.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

deny_rule_groups[].deny_rules[].path.ignore_case

true

boolean

Whether to ignore case.

deny_rule_groups[].deny_rules[].path.inverted

false

boolean

Whether to invert the match.

deny_rule_groups[].deny_rules[].method.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

deny_rule_groups[].deny_rules[].method.ignore_case

true

boolean

Whether to ignore case.

deny_rule_groups[].deny_rules[].method.inverted

false

boolean

Whether to invert the match.

deny_rule_groups[].deny_rules[].content_type.pattern

Yes

string

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

deny_rule_groups[].deny_rules[].content_type.ignore_case

true

boolean

Whether to ignore case.

deny_rule_groups[].deny_rules[].content_type.inverted

false

boolean

Whether to invert the match.

jwks_providers

JWKS Providers which can be referenced in apps[].mappings[].access_token.

jwks_providers.refresh_interval

86400

integer

Refresh interval for fetching from remote JWKS providers in seconds.

jwks_providers.local[]

[]

array

JWKS providers that are configured statically.

jwks_providers.local[].name

Yes

string

Name by which provider is referenced. Must be unique.

jwks_providers.local[].jwks

string

JSON Object that represents the set of JWKS.

jwks_providers.local[].jwks_file

string

JSON file with the definitions of JWKS.

jwks_providers.local[].issuer

string

Name of JWKS issuer. Corresponds to the 'Issuer' field in JWT.

jwks_providers.remote[]

[]

array

Remote JWKS providers which are fetched according to the jwks_providers.refresh_interval.

jwks_providers.remote[].name

Yes

string

Name by which provider is referenced. Must be unique.

jwks_providers.remote[].service_url

Yes

string

URL of JWKS service provider.

jwks_providers.remote[].issuer

string

Name of JWKS issuer. This value is used to restrict the usage of the JWKS to JWTs with a matching issuer (claim 'iss').

jwks_providers.remote[].tls.protocol

DEFAULT

string

The TLS protocol to use. For the description of the default values see the Gateway documentation for 'Supported SSL/TLS versions'.

jwks_providers.remote[].tls.cipher_suite

DEFAULT

string

The TLS cipher suite to use. For documentation visit www.openssl.org and search for 'ciphers'.

jwks_providers.remote[].tls.force_new_session

false

boolean

Force new session for each request.

jwks_providers.remote[].tls.client.certificate

string

The certificate in PEM format.

jwks_providers.remote[].tls.client.certificate_file

/secret/auth/jwks/tls/client/client.crt

string

The certificate file path.

jwks_providers.remote[].tls.client.privatekey

string

The private key for the certificate in PEM format.

jwks_providers.remote[].tls.client.privatekey_file

/secret/auth/jwks/tls/client/client.key

string

The private key file path.

jwks_providers.remote[].tls.client.ca_chain

string

List of certificates of the CA chain for the certificate.

jwks_providers.remote[].tls.client.ca_chain_file

/secret/auth/jwks/tls/client/client-ca.crt

string

The CA chain file path.

jwks_providers.remote[].tls.server.host_name_verification

false

boolean

Verification which involves a server identity check to mitigate man-in-the-middle attacks.

jwks_providers.remote[].tls.server.ca_validation

string

The concatenated certificates of the CAs which are used as trust anchor during chain validation, in PEM format.

jwks_providers.remote[].tls.server.ca_validation_file

/secret/auth/jwks/tls/server/server-validation.crt

string

The file containing the validation CA certificates.
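Several fields in this reference relax enforcement when set or left at their default: `log_only` on deny rule groups and allow rules, `enabled: false` on a deny rule group, and `host_name_verification` (default false) or a missing `issuer` on a remote JWKS provider. The following audit is an added example, not part of the Airlock documentation or product; it assumes the configuration has already been parsed into nested dicts and lists whose keys follow the dotted field paths above, and the sample configuration (hostnames, names, group key) is constructed.

```python
"""Audit a parsed Microgateway DSL config for settings that weaken enforcement.

Assumption: the config is a nested dict/list structure whose keys follow the
dotted field paths of the reference, e.g. config["apps"][0]["mappings"].
Defaults used below are the ones listed in the reference table.
"""


def audit(config):
    """Return (field_path, reason) tuples in document order."""
    findings = []

    for a, app in enumerate(config.get("apps") or []):
        for m, mapping in enumerate(app.get("mappings") or []):
            base = f"apps[{a}].mappings[{m}]"

            for g, group in enumerate(mapping.get("deny_rule_groups") or []):
                path = f"{base}.deny_rule_groups[{g}]"
                # An entry without rule_group_keys is not limited to one group.
                scope = group.get("rule_group_keys") or "no rule_group_keys given"
                if group.get("enabled", True) is False:  # default: true
                    findings.append((f"{path}.enabled",
                                     f"deny rule group disabled ({scope})"))
                if group.get("log_only", False):         # default: false
                    findings.append((f"{path}.log_only",
                                     f"offending requests are only logged ({scope})"))

            for r, rule in enumerate(mapping.get("allow_rules") or []):
                # A disabled allow rule enforces nothing, so only check active ones.
                if rule.get("enabled", True) and rule.get("log_only", False):
                    findings.append((f"{base}.allow_rules[{r}].log_only",
                                     "non-matching requests are logged, not blocked"))

    remotes = (config.get("jwks_providers") or {}).get("remote") or []
    for i, provider in enumerate(remotes):
        path = f"jwks_providers.remote[{i}]"
        server = (provider.get("tls") or {}).get("server") or {}
        if not server.get("host_name_verification", False):  # default: false
            findings.append((f"{path}.tls.server.host_name_verification",
                             "server identity of the JWKS endpoint is not checked"))
        if not provider.get("issuer"):
            findings.append((f"{path}.issuer",
                             "JWKS usage is not restricted to a matching 'iss' claim"))

    return findings


# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONFIG = {
    "apps": [{
        "mappings": [{
            "deny_rule_groups": [
                {"level": "strict"},
                {"rule_group_keys": ["custom_group"], "log_only": True},
            ],
            "allow_rules": [
                {"name": "api", "path": {"pattern": "^/api/"}, "log_only": True},
            ],
        }],
    }],
    "jwks_providers": {
        "remote": [
            {"name": "idp-a", "service_url": "https://idp-a.example.com/jwks",
             "issuer": "https://idp-a.example.com",
             "tls": {"server": {"host_name_verification": True}}},
            {"name": "idp-b", "service_url": "https://idp-b.example.com/jwks"},
        ],
    },
}

if __name__ == "__main__":
    for field_path, reason in audit(SAMPLE_CONFIG):
        print(f"{field_path}: {reason}")
```
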