To get you started quickly, this section provides a more complex boilerplate configuration file.
Example config.yaml
copy
session:
redis_hosts:
- 'redis-service:6379'
encryption_passphrase_file: /secret/config/passphrase
remote_ip:
header: X-Forwarded-For
internal_proxies:
- 10.1.0.0/32
apps:
#
# Website, member portal, API back-ends
#
- virtual_host:
name: webapp
hostname: webapp.virtinc.com
http_enabled: false
https_port: 8443
certificate:
certificate_file: /secret/tls/frontend-server.crt
privatekey_file: /secret/tls/frontend-server.key
ca_chain_file: /secret/tls/frontend-server-ca.crt
session_cookie_domain: virtinc.com
mappings:
#
# Public website
#
- name: webapp_public
entry_path:
value: /
session_handling: enforce_session
threat_handling: block
deny_rule_groups:
- enabled: true
log_only: false
level: standard
backend:
name: webapp-service
hosts:
- name: webapp.intra.svc
protocol: https
port: 8443
#
# Member portal
#
- name: webapp_member
entry_path:
value: /member/
session_handling: enforce_session
threat_handling: block
auth:
access:
- roles:
- member
denied_access_url: /auth/login
flow: redirect
api_security:
treat_path_segments_as_parameters: false
treat_json_objects_as_parameters: true
json_content_type:
pattern: json
deny_rule_groups:
- enabled: true
log_only: false
level: standard
# Deny rule exception for chat messages
exceptions:
- parameter_name:
pattern: ^message$
path:
pattern: ^/member/chat/
ignore_case: true
backend:
name: webapp-service
hosts:
- name: webapp.intra.svc
protocol: https
port: 8443
#
# API endpoints - still being integrated!
# Change operational_mode to production when finished!
#
- name: webapp_api
entry_path:
value: /api/
operational_mode: integration
session_handling: ignore_session
threat_handling: block
api_security:
treat_path_segments_as_parameters: true
treat_json_objects_as_parameters: true
json_content_type:
pattern: json
openapi:
spec_file: /config/webapp_api_openapi.json
backend:
name: webapp-service
hosts:
- name: webapp.intra.svc
protocol: https
port: 8443
#
# Airlock IAM
#
- virtual_host:
name: sso
hostname: sso.virtinc.com
http_enabled: false
https_port: 8443
certificate:
certificate_file: /secret/tls/frontend-server.crt
privatekey_file: /secret/tls/frontend-server.key
ca_chain_file: /secret/tls/frontend-server-ca.crt
session_cookie_domain: virtinc.com
mappings:
#
# Hint: Use Ergon's mapping template
#
- mapping_template_file: /config/templates/loginapp-7.3.xml
allow_rules:
- name: "Loginapp Single Page Application"
enabled: true
backend:
name: iam-service
hosts:
- name: iam.intra.svc
protocol: https
port: 8443
expert_settings:
security_gate: |
BackendSSLConnectTimeout "13"
#
# Configure mutual TLS towards backend
#
BackendSSLServerCA /secret/tls/backend-server-validation-ca.crt
BackendSSLClientCert /secret/tls/backend-client.crt
BackendSSLClientCertKey /secret/tls/backend-client.key
BackendSSLVerifyHost "true"