DSL reference

The license file path.

List of hostnames, IP addresses or IP address ranges (e.g. 10.0.0.0/8) to trust as presenting a valid Remote-IP header.

The hostname of the virtual host.

Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.

Specifies the port on which this host listens for HTTP connections.

Specifies the port on which this host listens for HTTPS connections.

Specifies the cookie path for Airlock’s session cookie if the cookie is created inside this virtual host.

Specifies whether encoded slashes (%2F) are allowed in URL path. Attention: combinations of client certificates per mapping and enabled encoded slashes in the same virtual host might result in configurations where client certificate evaluation might be evaded.

The certificate file path.

The private key file path

The CA chain file path.

Maximum number of intermediate certificate issuers.

The file containing the selection CA certificates.

The file containing the validation CA certificates.

The file containing the crl.

Expert settings for the Apache httpd.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

The destination can be relative to the current virtual host or an absolute URL including protocol and host. Relative redirect paths are extended with the incoming scheme and host header.

The unique name of the mapping.

Specifies the priority of this mapping (highest: -999, lowest: 999) when a request matches the entry path of multiple mappings.

The entry path specifies the external URL path the mapping should be available under.

This specifies the external URL path.

Whether a trailing slash is mandatory at the end of the entry path or not.

Specifies whether Airlock environment cookies containing useful request information are sent to the connected back-end.

Specifies whether Airlock Microgateway should compress the output on-the-fly for the client browser if supported and requested by the browser.

Allowed values are: production, integration.

If disabled, requests without a token are accepted. However, if a token is present,it is extracted and validated and the configured restrictions and role extractions are applied.

If the JWT standard claims expiry (exp) and not before (nbf) will be checked and must be valid.

The claim to extract the technical client id from.

How the token should be extracted.

How the token should be extracted from the request headers.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

From which query parameter the token should be extracted.

List of JWKS service providers referenced by their name. Can be local or remote providers.

The name of the claim you want to restrict.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Name of the claim you want to extract a role from.

The regular expression, which matches the parts which should be rewritten.

Whether to ignore case.

The rewrite expression.

The client certificate verification mode to use on this mapping. This can be used to override the setting from the virtual host with a stronger verification level (e.g. off -> optional or optional -> required). Possible values are 'inherit', 'optional' or 'required'.

Defines the location of the authentication service. In case the required role for the mapping is missing on the current session, Airlock Gateway will redirect the client to this location. If this value is missing (default), the Global Denied Access URL will be used.

A list of access restrictions can be created. Each request matching the combination of HTTP method and path of a access restriction must have at least one of the specified roles to access the service. All matching restrictions must be satisfied to gain access.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Whether to enable automatic CSRF token injection and validation on this mapping.

All incoming URLs that match one of these patterns are accepted by Airlock Microgateway without a valid CSRF token.

Whether to ignore case.

The maximum allowed total size of the request body in bytes. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in the request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once.

Defines the maximum number of parameters inside the request.

Defines the maximum length for a parameter value in bytes.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Defines the maximum length for a JSON key, also known as 'JSON property' or 'JSON object member' in bytes.

Defines a regular expression to exclude JSON keys and the corresponding values from the length checks. The exceptions must be specified in the '#json' format for a JSON key.

Whether to ignore case.

Defines the maximum depth of nesting for JSON objects and JSON arrays.

Defines the maximum number of keys of a single JSON object (non-recursive).

If enabled, each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it.

JSON objects are parsed only if their content-type matches the specified pattern.

Whether to ignore case.

The specification to validate against.

The OpenAPI file path.

Check responses against API specification.

If enabled, all the different values of a repeated parameter are joined by comma (in order of appearance). The aggregate value is then checked against deny rules (instead of the individual values).

If enabled, offending requests are not blocked but only logged.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Expert settings for the Apache httpd.

The hostname of the back-end host. Only characters a-Z, numbers, and the special characters '.', ':', '-' and '_' are allowed.

Configuring a back-end port.

Name of the default header action

A list of request custom actions executed in order of appearance. Only one action type (e.g. add_header or header_redirect) can be specified in each entry. Create multiple list positions if needed.

An action to add a header to all requests.

The value of the header to add.

The name of the header to add.

An action to add or replace an existing header to all requests.

The value of the header to add.

A pattern for the header name.

Whether to ignore case.

A pattern for the header value.

Whether to ignore case.

An action to rewrite a header value either matching given name or value pattern on requests.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

An action to redirect to a URL based on a header name or value either matching the given name or value pattern on requests.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

The http status code to use on redirect

A list of alpha-2 continent codes to redirect clients from. See here: https://en.wikipedia.org/wiki/List\_of\_sovereign\_states\_and\_dependent\_territories\_by\_continent\_(data\_file)

The url to redirect to.

Name of the default header action

Rewrite option to modify the HTTP redirect location header sent from the back-end server before it is sent to the client.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

This is the target string which will replace the string matched by URL Pattern

The URL pattern.

Whether to ignore case.

This is the target string which will replace the string matched by URL Pattern

A response from the back-end server is rewritten only if the response header «Content-Type» matches this regular expression.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

This is the target string which will replace the string matched by Content Pattern

The json path of the the property to rewrite.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

This is the target content to replace the matched part with.

A unique name for this action; if not specified, a unique name will be generated.

The name of the header to add.

An action to add a header to all responses if it is not already present.

The value of the header to add.

The name of the header to add.

An action to remove a header either matching given name or value pattern on responses.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

A pattern for the header name.

Whether to ignore case.

A pattern for the header value.

Whether to ignore case.

A string to rewrite the header value with. Can make back-references to the header value pattern.

A pattern for the cookie value to apply for matching.

Whether to ignore case.

An action to rewrite a cookie based on patterns for cookie name, domain etc.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

What to replace the domain with; Can make back references to the pattern used to match.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

What to replace the path with; Can make back references to the pattern used to match.

Whether to add, keep or remove the HttpOnly (see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#HttpOnly) flag on cookies. AUTO will set the flag for encrypted cookies and KEEP it for others.

The http response with the matching status code that should be replaced.

Error page file name that will be delivered to the client. (eg. 400.html)

The actual pattern.

The actual pattern.

Defines the time in seconds Airlock Microgateway will wait for the back-end HTTP response. In case the request runs into the timeout, Airlock Microgateway will deliver an error page with the corresponding HTTP 503 status code.

If enabled, offending requests are not blocked but only logged

If deny rule group key is defined, the settings will only affect the specific deny rule group.

Whether to ignore case.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Whether to ignore case.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Whether to ignore case.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Whether to ignore case.

Unique name for the allow rule. If omitted, a unique name will be generated. To enable/disable the default allow rule or one from a mapping_template_file, use the same name.

A pattern to match the path.

Whether to ignore case.

A pattern to match the http method for this allow rule.

Whether to ignore case.

A pattern to match the content type for this allow rule.

Whether to ignore case.

Whether to log requests not matching this allow rule instead of blocking them.

Expert settings for the Apache httpd.

Specifies the passphrase for the passphrase based encryption mechanism (PBE).

Name of the hosts running the Redis Server.

Specifies the absolute lifetime of an Airlock Microgateway session in seconds. After this time a session will be terminated.

Configuration for metrics sending.

Enable sending of statsd metrics. Default is 'true'

Unique short name. In order to prevent overriding built-in deny rule group, the name may not start with '(default)'.

Filter rule that blocks requests based on the evaluation of different request attributes.

Unique name. In order to prevent overriding built-in deny rules, the name may not start with '(default)'.

Whether to ignore case.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Whether to ignore case.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Whether to ignore case.

A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use ".*"

Whether to invert the match.

Whether to ignore case.

JWKS Providers which can be referenced in apps[].mappings[].access_token.

JWKS providers that are configured statically.

JSON Object that represents the set of JWKS.

Name of JWKS issuer. Corresponds to the 'Issuer' field in JWT.

Name by which provider is referenced. Must be unique.

Name of JWKS issuer. This value is used to restrict the usage of the JWKS to JWTs with a matching issuer (claim 'iss').

The TLS cipher suite to use. For documentation visit www.openssl.org and search for 'ciphers'.

The certificate in PEM format.

The private key for the certificate in PEM format.

List of certificates of the CA chain for the certificate.

Verification which involves a server identity check to mitigate man-in-the-middle attacks.