A more complex configuration file

To get you started quickly, this section provides a more complex boilerplate configuration file.

Example config.yaml

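---
# Boilerplate gateway configuration: session store, client-IP handling behind
# a proxy, and two virtual hosts (web application / member portal / API, and IAM).
# Fixes applied: trailing whitespace removed (it was part of the value inside
# the `security_gate` block scalar), sequence indentation made consistent, and
# section comments moved to the level of the entry they describe.

session:
  redis_hosts:
    - 'redis-service:6379'
  # Passphrase is read from a mounted secret file, not stored inline.
  encryption_passphrase_file: /secret/config/passphrase

remote_ip:
  # NOTE(review): X-Forwarded-For is supplied by the client; it should only be
  # honoured for requests arriving from an address in internal_proxies - confirm
  # the list matches the real proxy layer (a /32 covers a single host).
  header: X-Forwarded-For
  internal_proxies:
    - 10.1.0.0/32

apps:
  #
  # Website, member portal, API back-ends
  #
  - virtual_host:
      name: webapp
      hostname: webapp.virtinc.com
      # Plain HTTP is disabled; only the HTTPS listener is served.
      http_enabled: false
      https_port: 8443
      certificate:
        certificate_file: /secret/tls/frontend-server.crt
        privatekey_file: /secret/tls/frontend-server.key
        ca_chain_file: /secret/tls/frontend-server-ca.crt
      session_cookie_domain: virtinc.com
    mappings:
      #
      # Public website
      #
      - name: webapp_public
        entry_path:
          value: /
        session_handling: enforce_session
        threat_handling: block
        deny_rule_groups:
          - enabled: true
            # log_only false: matching requests are blocked, not just logged.
            log_only: false
            level: standard
        backend:
          name: webapp-service
          hosts:
            - name: webapp.intra.svc
              protocol: https
              port: 8443
      #
      # Member portal
      #
      - name: webapp_member
        entry_path:
          value: /member/
        session_handling: enforce_session
        threat_handling: block
        auth:
          access:
            - roles:
                - member
          denied_access_url: /auth/login
          flow: redirect
        api_security:
          treat_path_segments_as_parameters: false
          treat_json_objects_as_parameters: true
          json_content_type:
            pattern: json
        deny_rule_groups:
          - enabled: true
            log_only: false
            level: standard
            # Deny rule exception for chat messages
            # (scoped to one parameter name on one path prefix).
            exceptions:
              - parameter_name:
                  pattern: ^message$
                path:
                  pattern: ^/member/chat/
                  ignore_case: true
        backend:
          name: webapp-service
          hosts:
            - name: webapp.intra.svc
              protocol: https
              port: 8443
      #
      # API endpoints - still being integrated!
      # Change operational_mode to production when finished!
      #
      - name: webapp_api
        entry_path:
          value: /api/
        operational_mode: integration
        session_handling: ignore_session
        threat_handling: block
        api_security:
          treat_path_segments_as_parameters: true
          treat_json_objects_as_parameters: true
          json_content_type:
            pattern: json
          openapi:
            spec_file: /config/webapp_api_openapi.json
        backend:
          name: webapp-service
          hosts:
            - name: webapp.intra.svc
              protocol: https
              port: 8443
  #
  # Airlock IAM
  #
  - virtual_host:
      name: sso
      hostname: sso.virtinc.com
      http_enabled: false
      https_port: 8443
      certificate:
        certificate_file: /secret/tls/frontend-server.crt
        privatekey_file: /secret/tls/frontend-server.key
        ca_chain_file: /secret/tls/frontend-server-ca.crt
      session_cookie_domain: virtinc.com
    mappings:
      #
      # Hint: Use Ergon's mapping template
      #
      - mapping_template_file: /config/templates/loginapp-7.3.xml
        allow_rules:
          - name: "Loginapp Single Page Application"
            enabled: true
        backend:
          name: iam-service
          hosts:
            - name: iam.intra.svc
              protocol: https
              port: 8443
          expert_settings:
            # Literal block scalar: every line below, including the '#' lines,
            # is part of the value and passed through verbatim.
            security_gate: |
              BackendSSLConnectTimeout "13"
              #
              # Configure mutual TLS towards backend
              #
              BackendSSLServerCA /secret/tls/backend-server-validation-ca.crt
              BackendSSLClientCert /secret/tls/backend-client.crt
              BackendSSLClientCertKey /secret/tls/backend-client.key
              BackendSSLVerifyHost "true"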