{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://catalog.lintel.tools/schemas/schemastore/airlock-microgateway/versions/3.0.json", "x-lintel": { "source": "https://www.schemastore.org/airlock-microgateway-3.0.json", "sourceSha256": "ce52896adf7ba90f5b26662caee7f2d186c7e60d34466187acc31d26a5b523f3", "fileMatch": [ "microgateway-config.yaml", "microgateway-config.yml", "airlock-microgateway-config.yaml", "airlock-microgateway-config.yml" ], "parsers": [ "yaml" ] }, "type": "object", "properties": { "apps": { "type": "array", "items": { "title": "application", "type": "object", "properties": { "mappings": { "type": "array", "items": { "title": "mapping", "type": "object", "properties": { "access_token": { "type": [ "object", "null" ], "properties": { "audittoken": { "type": [ "boolean", "null" ], "description": "If the 'sub' claim should be extracted from the JWT and be used as audit token of the current session", "default": "false" }, "claims": { "description": "All specified claims are checked and must match the claim's value of the decoded token. If a claim is an array, at least one entry must match the specified regex.", "type": "array", "items": { "title": "claim", "type": "object", "properties": { "claim": { "type": [ "string", "null" ], "description": "The name of the claim you want to restrict." }, "regex": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "The regular expression that must match the value of the specified claim name." } ] } }, "additionalProperties": false } }, "expiry_checked": { "type": [ "boolean", "null" ], "description": "If the JWT standard claims expiry (exp) and not before (nbf) will be checked and must be valid.", "default": "false" }, "extraction": { "type": [ "object", "null" ], "properties": { "cookie": { "type": [ "string", "null" ], "description": "From which cookie the token should be extracted." }, "header": { "allOf": [ { "$ref": "#/$defs/PatternWithRewriteDto-nullable" }, { "description": "How the token should be extracted from the request headers." } ] }, "mode": { "type": [ "string", "null" ], "enum": [ "header", "parameter", "cookie" ], "description": "From which part of the request the token should be extracted. Possible values are 'header', 'parameter', 'cookie'.", "default": "header" }, "parameter": { "type": [ "string", "null" ], "description": "From which query parameter the token should be extracted." } }, "description": "How the token should be extracted.", "additionalProperties": false }, "jwks_providers": { "description": "List of JWKS service providers referenced by their name. Can be local or remote providers.", "type": "array", "items": { "type": "string" } }, "mandatory": { "type": [ "boolean", "null" ], "description": "If disabled, requests without a token are accepted. However, if a token is present,it is extracted and validated and the configured restrictions and role extractions are applied. ", "default": "false" }, "roles": { "description": "Specifies which roles should be extracted from the claims.", "type": "array", "items": { "title": "role", "type": "object", "properties": { "claim": { "type": [ "string", "null" ], "description": "Name of the claim you want to extract a role from." }, "extraction": { "allOf": [ { "$ref": "#/$defs/PatternWithRewriteDto-nullable" }, { "description": "The regular expression to match the role extraction and the rewrite expression of the role." } ] }, "token_lifetime": { "type": [ "boolean", "null" ], "description": "If enabled, the expiry claim (exp) of the JWT will be used as the role lifetime.", "default": "false" } }, "additionalProperties": false } }, "signature_mandatory": { "type": [ "boolean", "null" ], "description": "Enforce a signed JWT", "default": "true" }, "skew": { "type": [ "integer", "null" ], "description": "The allowed skew when checking expiry / not before in seconds.", "default": "10" }, "tech_client_id_claim": { "type": [ "string", "null" ], "description": "The claim to extract the technical client id from." } }, "additionalProperties": false }, "allow_rules": { "type": "array", "items": { "title": "rule", "type": "object", "properties": { "content_type": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern to match the content type for this allow rule." } ] }, "enabled": { "type": "boolean", "description": "Enable the allow rule.", "default": "true" }, "log_only": { "type": "boolean", "description": "Whether to log requests not matching this allow rule instead of blocking them.", "default": "false" }, "method": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern to match the http method for this allow rule." } ] }, "name": { "type": "string", "description": "Unique name for the allow rule. If omitted, a unique name will be generated. To enable/disable the default allow rule or one from a mapping_template_file, use the same name.", "default": "Allow all" }, "path": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern to match the path." } ] } }, "additionalProperties": false } }, "api_security": { "type": [ "object", "null" ], "properties": { "json_content_type": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "JSON objects are parsed only if their content-type matches the specified pattern.", "default": "json" } ] }, "openapi": { "type": [ "object", "null" ], "properties": { "log_only": { "type": [ "boolean", "null" ], "description": "If enabled, potential attack requests are only logged but not blocked.", "default": "false" }, "path_matching": { "type": [ "string", "null" ], "enum": [ "client_view", "backend_view" ], "description": "The Microgateway mapping can be configured to rewrite the incoming URL to a different back-end URL (asymmetric mappings). Due to this rewriting, the incoming URL path (client_view) will be different from the back-end URL path (backend_view).", "default": "client_view" }, "response_validation": { "type": [ "boolean", "null" ], "description": "Check responses against API specification.", "default": "false" }, "spec": { "type": [ "string", "null" ], "description": "The OpenAPI specification." }, "spec_file": { "type": [ "string", "null" ], "description": "The OpenAPI file path.", "default": "/config/openapi.json" } }, "description": "The specification to validate against.", "additionalProperties": false }, "treat_json_objects_as_parameters": { "type": [ "boolean", "null" ], "description": "If enabled, Microgateway parses JSON objects in requests and filters JSON attributes with allow rules and deny rules.", "default": "true" }, "treat_path_segments_as_parameters": { "type": [ "boolean", "null" ], "description": "If enabled, each path segment is interpreted as a separate parameter value and the deny rules for parameter values are applied to it.", "default": "true" } }, "additionalProperties": false }, "auth": { "type": [ "object", "null" ], "properties": { "access": { "description": "A list of access restrictions can be created. Each request matching the combination of HTTP method and path of a access restriction must have at least one of the specified roles to access the service. All matching restrictions must be satisfied to gain access.", "type": "array", "items": { "title": "access restriction", "type": "object", "properties": { "method": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "Can contain regular expressions that are applied when the HTTP method of a request matches one of the expressions. Use an empty pattern if all HTTP methods should match." } ] }, "path": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "Can contain regular expressions that are applied when the requested path of the query matches the expressions. Use an empty pattern if all paths should match." } ] }, "roles": { "description": "Can contain a list of roles for this service. Only sessions that have at least one of these roles will be able to access the service.", "type": "array", "items": { "type": "string" } } }, "additionalProperties": false } }, "client_certificate": { "type": [ "object", "null" ], "properties": { "verification": { "type": "string", "enum": [ "inherit", "optional", "required" ], "description": "The client certificate verification mode to use on this mapping. This can be used to override the setting from the virtual host with a stronger verification level (e.g. off -> optional or optional -> required). Possible values are 'inherit', 'optional' or 'required'.", "default": "inherit" } }, "additionalProperties": false }, "denied_access_url": { "type": [ "string", "null" ], "description": "Defines the location of the authentication service. In case the required role for the mapping is missing on the current session, Airlock Gateway will redirect the client to this location. If this value is missing (default), the Global Denied Access URL will be used.", "default": "/auth/check-login" }, "flow": { "type": [ "string", "null" ], "enum": [ "redirect", "deny_access", "one_shot", "one_shot_with_body", "ntlm" ], "description": "The authentication flow, allowed values are: redirect, deny_access, one_shot, one_shot_with_body, ntlm", "default": "redirect" }, "logout_propagation_path": { "type": [ "string", "null" ], "description": "In order to allow clean session termination on back-end systems when an Airlock Gateway session terminates, the administrator can configure one logout path per mapping." } }, "additionalProperties": false }, "backend": { "type": [ "object", "null" ], "properties": { "expert_settings": { "type": [ "object", "null" ], "properties": { "security_gate": { "type": [ "string", "null" ], "description": "Expert settings for the Security Gate." } }, "additionalProperties": false }, "hosts": { "type": "array", "items": { "title": "host", "type": "object", "properties": { "name": { "type": "string", "description": "The hostname of the back-end host. Only characters a-Z, numbers, and the special characters '.', ':', '-' and '_' are allowed.", "default": "backend", "pattern": "^[A-Za-z0-9.\\-_:]+$" }, "port": { "type": "integer", "description": "Configuring a back-end port.", "default": "8080", "minimum": 1, "maximum": 65535 }, "protocol": { "type": "string", "enum": [ "https", "http" ], "description": "Allowed values are: http, https", "default": "http" } }, "additionalProperties": false } }, "name": { "type": "string", "description": "The unique name of the back-end. Only characters a-Z, numbers, and the special characters '.', ':', '-' and '_' are allowed.", "default": "backendGroup", "pattern": "^[A-Za-z0-9.\\-_:]+$" } }, "additionalProperties": false }, "backend_path": { "type": [ "string", "null" ], "description": "The back-end path specifies the internal back-end path, i.e. the path of the request sent to the application server.", "default": "/" }, "compress_response_traffic": { "type": [ "boolean", "null" ], "description": "Specifies whether Airlock Microgateway should compress the output on-the-fly for the client browser if supported and requested by the browser.", "default": "false" }, "control_api": { "type": [ "boolean", "null" ], "description": "Specifies whether the connected back-end service is allowed to use the Airlock Microgateway Control API via the control cookie mechanism. The Control API is normally used by authentication applications to communicate with the Microgateway.", "default": "false" }, "cookies": { "type": [ "object", "null" ], "properties": { "encrypted": { "allOf": [ { "$ref": "#/$defs/SimplePatternDto-nullable" }, { "description": "Cookies that should be cryptographically encrypted before being sent to the client." } ] }, "passthrough": { "allOf": [ { "$ref": "#/$defs/SimplePatternDto-nullable" }, { "description": "Cookies that should be passed in plain format to the client." } ] } }, "additionalProperties": false }, "csrf_token": { "type": [ "object", "null" ], "properties": { "enabled": { "type": [ "boolean", "null" ], "description": "Whether to enable automatic CSRF token injection and validation on this mapping.", "default": "false" }, "exceptions": { "description": "All incoming URLs that match one of these patterns are accepted by Airlock Microgateway without a valid CSRF token.", "type": [ "array", "null" ], "items": { "title": "exception", "type": "object", "properties": { "path": { "$ref": "#/$defs/PatternWithoutInvertDto-nullable" } }, "additionalProperties": false } }, "invalid_token_redirect_location": { "type": [ "string", "null" ], "description": "Specifies the location (e.g. /index.html) to which the client is redirected if a missing or invalid CSRF token is detected.", "default": "/%ENTRYPATH%" } }, "additionalProperties": false }, "deny_rule_groups": { "type": "array", "items": { "title": "rule group", "type": "object", "properties": { "enabled": { "type": [ "boolean", "null" ], "description": "Enable deny rule group", "default": "true" }, "exceptions": { "type": "array", "items": { "title": "exception", "type": "object", "properties": { "content_type": { "$ref": "#/$defs/PatternDto-nullable" }, "header_name": { "$ref": "#/$defs/PatternDto-nullable" }, "header_value": { "$ref": "#/$defs/PatternDto-nullable" }, "method": { "$ref": "#/$defs/PatternDto-nullable" }, "parameter_name": { "$ref": "#/$defs/PatternDto-nullable" }, "parameter_value": { "$ref": "#/$defs/PatternDto-nullable" }, "path": { "$ref": "#/$defs/PatternDto-nullable" } }, "additionalProperties": false } }, "level": { "type": [ "string", "null" ], "enum": [ "basic", "standard", "strict" ], "description": "Allowed values are: basic, standard, strict.", "default": "standard" }, "log_only": { "type": [ "boolean", "null" ], "description": "If enabled, offending requests are not blocked but only logged", "default": "false" }, "rule_group_keys": { "description": "If deny rule group key is defined, the settings will only affect the specific deny rule group.", "type": "array", "items": { "type": "string" } } }, "additionalProperties": false } }, "entry_path": { "type": [ "object", "null" ], "properties": { "enforce_trailing_slashes": { "type": [ "boolean", "null" ], "description": "Whether a trailing slash is mandatory at the end of the entry path or not.", "default": "false" }, "value": { "type": [ "string", "null" ], "description": "This specifies the external URL path.", "default": "/" } }, "description": "The entry path specifies the external URL path the mapping should be available under.", "additionalProperties": false }, "env_cookies": { "type": [ "boolean", "null" ], "description": "Specifies whether Airlock environment cookies containing useful request information are sent to the connected back-end.", "default": "false" }, "expert_settings": { "$ref": "#/$defs/ExpertSettingsDto-nullable" }, "limits": { "type": [ "object", "null" ], "properties": { "http_limits": { "type": [ "object", "null" ], "properties": { "max_parameter_name_length": { "type": [ "integer", "null" ], "description": "Defines the maximum length of a parameter name in bytes.", "default": "128" }, "max_parameter_value_length": { "type": [ "integer", "null" ], "description": "Defines the maximum length for a parameter value in bytes.", "default": "1024" }, "max_parameters": { "type": [ "integer", "null" ], "description": "Defines the maximum number of parameters inside the request.", "default": "128" }, "parameter_length_exception": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A regular expression which specifies any parameters which should not be checked against these length checks." } ] } }, "description": "The limits for HTTP parameters.", "additionalProperties": false }, "json_limits": { "type": [ "object", "null" ], "properties": { "max_array_items": { "type": [ "integer", "null" ], "description": "Defines the maximum number of items in a single JSON array (non-recursive).", "default": "500" }, "max_key_length": { "type": [ "integer", "null" ], "description": "Defines the maximum length for a JSON key, also known as 'JSON property' or 'JSON object member' in bytes.", "default": "256" }, "max_keys": { "type": [ "integer", "null" ], "description": "Defines the maximum number of keys of a single JSON object (non-recursive).", "default": "250" }, "max_length_exception": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "Defines a regular expression to exclude JSON keys and the corresponding values from the length checks. The exceptions must be specified in the '#json' format for a JSON key." } ] }, "max_nesting_depth": { "type": [ "integer", "null" ], "description": "Defines the maximum depth of nesting for JSON objects and JSON arrays.", "default": "100" }, "max_total_entries": { "type": [ "integer", "null" ], "description": "Defines the maximum number of keys and array items in the whole JSON document (recursive).", "default": "150000" }, "max_value_length": { "type": [ "integer", "null" ], "description": "Defines the maximum length for a JSON value (string or numbers) in bytes.", "default": "8192" } }, "description": "The limits for JSON structures.", "additionalProperties": false }, "max_path_length": { "type": [ "integer", "null" ], "description": "Defines the maximum path length for requests to the current mapping in bytes.", "default": "1024" }, "max_request_body_size": { "type": [ "integer", "null" ], "description": "The maximum allowed total size of the request body in bytes. It specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in the request body. To restrict the size of file uploads, set this limit to the maximum combined size of all files uploaded at once.", "default": "104857600" } }, "additionalProperties": false }, "mapping_template_file": { "type": [ "string", "null" ], "description": "The Airlock Gateway mapping template file path.", "default": "/config/mapping.xml" }, "name": { "type": [ "string", "null" ], "description": "The unique name of the mapping.", "default": "root" }, "operational_mode": { "type": [ "string", "null" ], "enum": [ "production", "integration" ], "description": "Allowed values are: production, integration.", "default": "production" }, "request": { "type": [ "object", "null" ], "properties": { "custom_actions": { "description": "A list of request custom actions executed in order of appearance. Only one action type (e.g. add_header or header_redirect) can be specified in each entry. Create multiple list positions if needed.", "type": [ "array", "null" ], "items": { "title": "custom action", "type": "object", "properties": { "add_header": { "allOf": [ { "$ref": "#/$defs/SimpleHeaderActionDto-nullable" }, { "description": "An action to add a header to all requests." } ] }, "add_missing_header": { "allOf": [ { "$ref": "#/$defs/SimpleHeaderActionDto-nullable" }, { "description": "An action to add a header to all requests if it is not already present." } ] }, "add_or_replace_header": { "allOf": [ { "$ref": "#/$defs/SimpleHeaderActionDto-nullable" }, { "description": "An action to add or replace an existing header to all requests." } ] }, "geolocation_redirect": { "type": [ "object", "null" ], "properties": { "continent_codes": { "description": "A list of alpha-2 continent codes to redirect clients from. See here: ", "default": "[]", "type": [ "array", "null" ], "items": { "type": "string", "default": "[]" } }, "country_codes": { "description": "A list of country codes to redirect clients from. See here for alpha-2 codes to use: ", "default": "[]", "type": [ "array", "null" ], "items": { "type": "string", "default": "[]" } }, "status_code": { "type": [ "integer", "null" ], "description": "The http status code to use on redirect", "default": "303" }, "target_url": { "type": [ "string", "null" ], "description": "The url to redirect to." } }, "description": "An action to redirect to a URL based on the geographic location of the request source IP.", "additionalProperties": false }, "header_redirect": { "type": [ "object", "null" ], "properties": { "name": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern for the header name." } ] }, "status_code": { "type": [ "integer", "null" ], "description": "The http status code to use on redirect", "default": "303" }, "target_url": { "type": [ "string", "null" ], "description": "The url to redirect to." }, "value": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern for the header value." } ] } }, "description": "An action to redirect to a URL based on a header name or value either matching the given name or value pattern on requests.", "additionalProperties": false }, "name": { "type": "string", "description": "A unique name for this action; if not specified, a unique name will be generated." }, "remove_header": { "allOf": [ { "$ref": "#/$defs/RemoveHeaderActionDto-nullable" }, { "description": "An action to remove a header either matching given name or value pattern on requests." } ] }, "rewrite_header_value": { "allOf": [ { "$ref": "#/$defs/RewriteHeaderValueDto-nullable" }, { "description": "An action to rewrite a header value either matching given name or value pattern on requests." } ] } }, "additionalProperties": false } }, "default_actions": { "type": [ "array", "null" ], "items": { "$ref": "#/$defs/DefaultActionDto" } } }, "additionalProperties": false }, "response": { "type": [ "object", "null" ], "properties": { "custom_actions": { "description": "A list of request custom actions executed in order of appearance. Only one action type (e.g. add_header or header_redirect) can be specified in each entry. Create multiple list positions if needed.", "type": [ "array", "null" ], "items": { "title": "custom action", "type": "object", "properties": { "add_header": { "allOf": [ { "$ref": "#/$defs/SimpleHeaderActionDto-nullable" }, { "description": "An action to add a header to all responses." } ] }, "add_missing_header": { "allOf": [ { "$ref": "#/$defs/SimpleHeaderActionDto-nullable" }, { "description": "An action to add a header to all responses if it is not already present." } ] }, "add_or_replace_header": { "allOf": [ { "$ref": "#/$defs/SimpleHeaderActionDto-nullable" }, { "description": "An action to add or replace an existing header on all responses." } ] }, "name": { "type": "string", "description": "A unique name for this action; if not specified, a unique name will be generated." }, "remove_header": { "allOf": [ { "$ref": "#/$defs/RemoveHeaderActionDto-nullable" }, { "description": "An action to remove a header either matching given name or value pattern on responses." } ] }, "rewrite_cookie": { "type": [ "object", "null" ], "properties": { "cookie": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern to match the name of the cookie to rewrite. If this is set the name of the cookie must match this pattern for the rewrite to happen." } ] }, "domain": { "allOf": [ { "$ref": "#/$defs/PatternWithoutInvertDto-nullable" }, { "description": "A pattern to match the domain, or part of the domain of a cookie to rewrite it." } ] }, "domain_replace": { "type": [ "string", "null" ], "description": "What to replace the domain with; Can make back references to the pattern used to match." }, "http_only_mode": { "type": "string", "enum": [ "auto", "keep", "remove", "add" ], "description": "Whether to `add`, `keep` or `remove` the `HttpOnly` (see: flag on cookies. AUTO will set the flag for encrypted cookies and KEEP it for others.", "default": "auto" }, "path": { "allOf": [ { "$ref": "#/$defs/PatternWithoutInvertDto-nullable" }, { "description": "A pattern to match the path of a response to rewrite." } ] }, "path_replace": { "type": [ "string", "null" ], "description": "What to replace the path with; Can make back references to the pattern used to match." }, "secure_mode": { "type": "string", "enum": [ "auto", "keep", "remove", "add" ], "description": "Whether to `add`, `keep` or `remove` the `Secure` (see: flag on cookies. AUTO will set the flag on all connections that use HTTPS and remove it on others.", "default": "auto" } }, "description": "An action to rewrite a cookie based on patterns for cookie name, domain etc.", "additionalProperties": false }, "rewrite_header_value": { "allOf": [ { "$ref": "#/$defs/RewriteHeaderValueDto-nullable" }, { "description": "An action to rewrite a header value either matching given name or value pattern on responses." } ] }, "rewrite_raw_cookie": { "type": [ "object", "null" ], "properties": { "replace": { "type": [ "string", "null" ], "description": "A string to rewrite value pattern matches in the cookie value. Can make back references to the pattern used for matching." }, "value": { "allOf": [ { "$ref": "#/$defs/PatternWithoutInvertDto-nullable" }, { "description": "A pattern for the cookie value to apply for matching." } ] } }, "description": "An action to rewrite the raw value of a cookie matching the given pattern.", "additionalProperties": false } }, "additionalProperties": false } }, "default_actions": { "type": [ "array", "null" ], "items": { "$ref": "#/$defs/DefaultActionDto" } }, "error_page_replacements": { "description": "Replacement rules for error responses returned by backend systems.", "type": [ "array", "null" ], "items": { "title": "page replacement", "type": "object", "properties": { "page": { "type": [ "string", "null" ], "description": "Error page file name that will be delivered to the client. (eg. 400.html)" }, "status_code": { "allOf": [ { "$ref": "#/$defs/SimplePatternDto-nullable" }, { "description": "The http response with the matching status code that should be replaced." } ] } }, "additionalProperties": false } }, "rewrites": { "type": [ "object", "null" ], "properties": { "any": { "description": "Rewrite the body of HTTP response.", "type": "array", "items": { "title": "rewrite", "type": "object", "properties": { "content": { "allOf": [ { "$ref": "#/$defs/PatternWithoutInvertDto-nullable" }, { "description": "This regular expression pattern defines the content to rewrite." } ] }, "content_type": { "type": "string", "description": "A response from the back-end server is rewritten only if the response header «Content-Type» matches this regular expression.", "default": "^(?:text|application)/(?:html|xhtml)" }, "to": { "type": [ "string", "null" ], "description": "This is the target string which will replace the string matched by Content Pattern" } }, "additionalProperties": false } }, "html": { "description": "Rewriting HTML content may be necessary to modify URLs in the HTML content if the application creates absolute or incorrect links because it is not reverse proxy compatible", "type": "array", "items": { "title": "html", "type": "object", "properties": { "options": { "description": "This list defines the content to rewrite. Possible values are 'url', event', 'embedded'.", "default": "[ url ]", "type": "array", "items": { "type": "string", "enum": [ "url", "event", "embedded" ], "default": "[ url ]" } }, "to": { "type": [ "string", "null" ], "description": "This is the target string which will replace the string matched by URL Pattern" }, "url": { "allOf": [ { "$ref": "#/$defs/PatternWithoutInvertDto-nullable" }, { "description": "The URL pattern." } ] } }, "additionalProperties": false } }, "json": { "description": "Rewrite the json body of http responses.", "type": "array", "items": { "title": "json", "type": "object", "properties": { "content": { "allOf": [ { "$ref": "#/$defs/PatternWithoutInvertDto-nullable" }, { "description": "This regular expression pattern defines the content to rewrite." } ] }, "path": { "type": "string", "description": "The json path of the the property to rewrite." }, "replace": { "type": "string", "description": "This is the target content to replace the matched part with." } }, "additionalProperties": false } }, "location_header": { "description": "Rewrite option to modify the HTTP redirect location header sent from the back-end server before it is sent to the client.", "type": "array", "items": { "title": "location header", "type": "object", "properties": { "to": { "type": [ "string", "null" ], "description": "This is the target string which will replace the string matched by URL Pattern" }, "url": { "allOf": [ { "$ref": "#/$defs/PatternWithoutInvertDto-nullable" }, { "description": "The redirect URL pattern." } ] } }, "additionalProperties": false } } }, "additionalProperties": false } }, "additionalProperties": false }, "session_handling": { "type": [ "string", "null" ], "enum": [ "enforce_session", "optional_session", "optional_session_no_refresh", "ignore_session" ], "description": "Allowed values are: enforce_session, optional_session, optional_session_no_refresh, ignore_session", "default": "ignore_session" }, "threat_handling": { "type": [ "string", "null" ], "enum": [ "terminate_session", "block", "notify" ], "description": "Allowed values are: block, terminate_session, notify.", "default": "block" }, "timeouts": { "type": [ "object", "null" ], "properties": { "backend_http_response": { "type": [ "integer", "null" ], "description": "Defines the time in seconds Airlock Microgateway will wait for the back-end HTTP response. In case the request runs into the timeout, Airlock Microgateway will deliver an error page with the corresponding HTTP 503 status code.", "default": "120" }, "idle_session": { "type": [ "integer", "null" ], "description": "Defines the minimum session idle time in seconds for this mapping. The value will be ignored if minimum session idle timeout is smaller or equal to the global session idle timeout setting.", "default": "0" } }, "additionalProperties": false } }, "additionalProperties": false } }, "virtual_host": { "type": [ "object", "null" ], "properties": { "aliases": { "description": "Additional hostnames which refer to this virtual host.", "type": "array", "items": { "type": "string" } }, "auth": { "type": [ "object", "null" ], "properties": { "client_certificate": { "type": [ "object", "null" ], "properties": { "ca_selection": { "type": [ "string", "null" ], "description": "The concatenated certificates of the CAs which are sent to the client during the SSL handshake, in PEM format." }, "ca_selection_file": { "type": [ "string", "null" ], "description": "The file containing the selection CA certificates.", "default": "/secret/auth/client_certificate/selection.crt" }, "ca_validation": { "type": [ "string", "null" ], "description": "The concatenated certificates of the CAs which are used as trust anchor during chain validation, in PEM format." }, "ca_validation_file": { "type": [ "string", "null" ], "description": "The file containing the validation CA certificates.", "default": "/secret/auth/client_certificate/validation.crt" }, "crl": { "type": [ "string", "null" ], "description": "PEM representation of certificate revocation lists. If a client certificate is on such a list it will not be accepted. Although Airlock provides this functionality, it is recommended to check certificates against CRLs and other types of blacklists within the authentication service and not in Airlock." }, "crl_file": { "type": [ "string", "null" ], "description": "The file containing the crl.", "default": "/secret/auth/client_certificate/client.crl" }, "verification": { "type": "string", "enum": [ "off", "optional", "required" ], "description": "Defines the default verification mode for client certificates on this virtual host. Possible values are 'off', 'optional' or 'required'.", "default": "off" }, "verification_depth": { "type": "integer", "description": "Maximum number of intermediate certificate issuers.", "default": "1" } }, "additionalProperties": false } }, "additionalProperties": false }, "certificate": { "type": [ "object", "null" ], "properties": { "ca_chain": { "type": [ "string", "null" ], "description": "List of certificates of the CA chain for the certificate." }, "ca_chain_file": { "type": [ "string", "null" ], "description": "The CA chain file path.", "default": "/secret/tls/frontend-server-ca.crt" }, "certificate": { "type": [ "string", "null" ], "description": "The certificate in PEM format." }, "certificate_file": { "type": [ "string", "null" ], "description": "The certificate file path.", "default": "/secret/tls/frontend-server.crt" }, "privatekey": { "type": [ "string", "null" ], "description": "The private key for the certificate in PEM format." }, "privatekey_file": { "type": [ "string", "null" ], "description": "The private key file path", "default": "/secret/tls/frontend-server.key" } }, "additionalProperties": false }, "encoded_slashes": { "type": "boolean", "description": "Specifies whether encoded slashes (%2F) are allowed in URL path. Attention: combinations of client certificates per mapping and enabled encoded slashes in the same virtual host might result in configurations where client certificate evaluation might be evaded.", "default": "false" }, "expert_settings": { "$ref": "#/$defs/ExpertSettingsDto-nullable" }, "hostname": { "type": "string", "description": "The hostname of the virtual host.", "default": "microgateway" }, "http2_enabled": { "type": "boolean", "description": "Specifies whether HTTP/2 connections are enabled for this host.", "default": "true" }, "http_enabled": { "type": "boolean", "description": "Specifies whether HTTP connections are enabled for this host.", "default": "true" }, "http_port": { "type": "integer", "description": "Specifies the port on which this host listens for HTTP connections.", "default": "8080", "minimum": 1, "maximum": 65535 }, "https_enabled": { "type": "boolean", "description": "Specifies whether HTTPS connections are enabled for this host.", "default": "true" }, "https_port": { "type": "integer", "description": "Specifies the port on which this host listens for HTTPS connections.", "default": "8443", "minimum": 1, "maximum": 65535 }, "name": { "type": "string", "description": "The logical name of the virtual host.", "default": "microgateway" }, "redirects": { "type": [ "array", "null" ], "items": { "title": "redirect", "type": "object", "properties": { "dest": { "type": "string", "description": "The destination can be relative to the current virtual host or an absolute URL including protocol and host. Relative redirect paths are extended with the incoming scheme and host header.", "minLength": 1, "pattern": "^(http://|https://|ftp://|/)\\S*?$" }, "path": { "allOf": [ { "$ref": "#/$defs/PatternWithoutInvertDto" }, { "description": "The absolute path starting with '/' as a regular expression from which to redirect." } ] }, "status_code": { "type": "integer", "description": "The returned status code. Must be one of: [301, 302, 303, 307, 308]", "default": "303", "minimum": 301, "maximum": 308 } }, "required": [ "dest", "path" ], "additionalProperties": false } }, "session_cookie_domain": { "type": [ "string", "null" ], "description": "Specifies the domain for Airlock's session cookie if the cookie is created inside this virtual host." }, "session_cookie_path": { "type": "string", "description": "Specifies the cookie path for Airlock's session cookie if the cookie is created inside this virtual host.", "default": "/" }, "strict_fqdn": { "type": "boolean", "description": "Specifies whether a virtual host should reply only to requests that match the hostname or any of its server alias names.", "default": "false" } }, "additionalProperties": false } }, "additionalProperties": false } }, "deny_rule_groups": { "description": "Custom deny rule groups that can be referenced in mappings on top of the built in Airlock deny rules.", "type": "array", "items": { "title": "rule group", "type": "object", "properties": { "deny_rules": { "description": "Filter rule that blocks requests based on the evaluation of different request attributes.", "type": "array", "items": { "title": "deny group", "type": "object", "properties": { "content_type": { "$ref": "#/$defs/PatternDto-nullable" }, "header_name": { "$ref": "#/$defs/PatternDto-nullable" }, "header_value": { "$ref": "#/$defs/PatternDto-nullable" }, "method": { "$ref": "#/$defs/PatternDto-nullable" }, "name": { "type": "string", "description": "Unique name. In order to prevent overriding built-in deny rules, the name may not start with '(default)'.", "pattern": "^(?![ \\t\\n]*\\(default(.*)\\))[\\s\\S]*" }, "parameter_name": { "$ref": "#/$defs/PatternDto-nullable" }, "parameter_value": { "$ref": "#/$defs/PatternDto-nullable" }, "path": { "$ref": "#/$defs/PatternDto-nullable" }, "rule_key": { "type": "string", "description": "Unique short name. In order to prevent overriding built-in deny rules, the name may not start with '(default)'.", "pattern": "^(?![ \\t\\n]*\\(default(.*)\\))[\\s\\S]*" } }, "additionalProperties": false } }, "name": { "type": "string", "description": "Unique name. In order to prevent overriding built-in deny rule group, the name may not start with '(default)'.", "pattern": "^(?![ \\t\\n]*\\(default(.*)\\))[\\s\\S]*" }, "rule_group_key": { "type": "string", "description": "Unique short name. In order to prevent overriding built-in deny rule group, the name may not start with '(default)'.", "pattern": "^(?![ \\t\\n]*\\(default(.*)\\))[\\s\\S]*" } }, "additionalProperties": false } }, "expert_settings": { "$ref": "#/$defs/ExpertSettingsDto-nullable" }, "jwks_providers": { "type": [ "object", "null" ], "properties": { "local": { "description": "JWKS providers that are configured statically.", "default": "[]", "type": "array", "items": { "title": "provider", "type": "object", "properties": { "issuer": { "type": [ "string", "null" ], "description": "Name of JWKS issuer. Corresponds to the 'Issuer' field in JWT." }, "jwks": { "type": [ "string", "null" ], "description": "JSON Object that represents the set of JWKS." }, "jwks_file": { "type": [ "string", "null" ], "description": "JSON file with the definitions of JWKS." }, "name": { "type": "string", "description": "Name by which provider is referenced. Must be unique." } }, "required": [ "name" ], "default": "[]", "additionalProperties": false } }, "refresh_interval": { "type": "integer", "description": "Refresh interval for fetching from remote JWKS providers in seconds.", "default": "86400" }, "remote": { "description": "Remote JWKS providers which are fetched according to the jwks_providers.refresh_interval.", "default": "[]", "type": "array", "items": { "title": "remote", "type": "object", "properties": { "issuer": { "type": [ "string", "null" ], "description": "Name of JWKS issuer. This value is used to restrict the usage of the JWKS to JWTs with a matching issuer (claim 'iss')." }, "name": { "type": "string", "description": "Name by which provider is referenced. Must be unique." }, "service_url": { "type": "string", "description": "URL of JWKS service provider." }, "tls": { "title": "tls", "type": "object", "properties": { "cipher_suite": { "type": "string", "description": "The TLS cipher suite to use. For documentation visit www.openssl.org and search for 'ciphers'.", "default": "DEFAULT" }, "client": { "type": [ "object", "null" ], "properties": { "ca_chain": { "type": [ "string", "null" ], "description": "List of certificates of the CA chain for the certificate." }, "ca_chain_file": { "type": [ "string", "null" ], "description": "The CA chain file path.", "default": "/secret/auth/jwks/tls/client/client-ca.crt" }, "certificate": { "type": [ "string", "null" ], "description": "The certificate in PEM format." }, "certificate_file": { "type": [ "string", "null" ], "description": "The certificate file path.", "default": "/secret/auth/jwks/tls/client/client.crt" }, "privatekey": { "type": [ "string", "null" ], "description": "The private key for the certificate in PEM format." }, "privatekey_file": { "type": [ "string", "null" ], "description": "The private key file path", "default": "/secret/auth/jwks/tls/client/client.key" } }, "additionalProperties": false }, "force_new_session": { "type": "boolean", "description": "Force new session for each request.", "default": "false" }, "protocol": { "type": "string", "enum": [ "DEFAULT", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3" ], "description": "The TLS protocol to use. For the description of the default values see the Gateway documentation for 'Supported SSL/TLS versions'.", "default": "DEFAULT" }, "server": { "type": [ "object", "null" ], "properties": { "ca_validation": { "type": [ "string", "null" ], "description": "The concatenated certificates of the CAs which are used as trust anchor during chain validation, in PEM format." }, "ca_validation_file": { "type": [ "string", "null" ], "description": "The file containing the validation CA certificates.", "default": "/secret/auth/jwks/tls/server/server-validation.crt" }, "host_name_verification": { "type": "boolean", "description": "Verification which involves a server identity check to mitigate man in the middle attacks.", "default": "false" } }, "additionalProperties": false } }, "additionalProperties": false } }, "required": [ "name", "service_url" ], "default": "[]", "additionalProperties": false } } }, "description": "JWKS Providers which can be referenced in apps[].mappings[].access_token.", "additionalProperties": false }, "license": { "type": [ "string", "null" ], "description": "The encoded license." }, "license_file": { "type": [ "string", "null" ], "description": "The license file path.", "default": "/secret/license" }, "log": { "type": [ "object", "null" ], "properties": { "level": { "type": "string", "enum": [ "info", "trace" ], "description": "Allowed values are: info, trace", "default": "info" } }, "additionalProperties": false }, "metrics": { "title": "metrics", "type": "object", "properties": { "statsd": { "title": "statsd", "type": "object", "properties": { "enabled": { "type": "boolean", "description": "Enable sending of statsd metrics. Default is 'true'", "default": "true" } }, "description": "Use this to enable sending metrics using the statsd protocol.", "additionalProperties": false } }, "description": "Configuration for metrics sending.", "additionalProperties": false }, "remote_ip": { "type": [ "object", "null" ], "properties": { "header": { "type": "string", "description": "If set, Airlock Microgateway will treat the value of this header field as the useragent IP address.
Common values are 'X-Forwarded-For' or 'X-Client-IP'.
Warning: Make sure that internal_proxies is correctly configured for your setup." }, "internal_proxies": { "description": "List of hostnames, IP addresses or IP address ranges (e.g. 10.0.0.0/8) to trust as presenting a valid Remote-IP header.", "type": "array", "items": { "type": "string" } } }, "required": [ "header", "internal_proxies" ], "additionalProperties": false }, "session": { "type": [ "object", "null" ], "properties": { "encryption_passphrase": { "type": [ "string", "null" ], "description": "Specifies the passphrase for the passphrase based encryption mechanism (PBE)." }, "encryption_passphrase_file": { "type": [ "string", "null" ], "description": "The path of the passphrase file.", "default": "/secret/passphrase" }, "idle_timeout": { "type": "integer", "description": "Specifies the amount of idle time in seconds, after which an Airlock Microgateway session is terminated. This timeout should be smaller than all other session timeouts of your back-end applications. Even if the timeout can be configured in seconds, per default the resolution of the idle session timeout check is 5 seconds only.", "default": "600" }, "lifetime": { "type": "integer", "description": "Specifies the absolute lifetime of an Airlock Microgateway session in seconds. After this time a session will be terminated.", "default": "28800" }, "redis_hosts": { "description": "Name of the hosts running the Redis Server.", "default": "[]", "type": "array", "items": { "type": "string", "default": "[]" } }, "store_mode": { "type": "string", "enum": [ "server", "cluster", "disabled" ], "description": "Defines the redis session store connection mode. By default, the Microgateway tries to determine the connection mode depending on the number of redis hosts configured:
- server mode if only one host is configured
- cluster mode if several hosts are configured

Allowed values are: server, cluster and disabled." } }, "additionalProperties": false } }, "$defs": { "DefaultActionDto": { "title": "action", "type": "object", "properties": { "enabled": { "type": [ "boolean", "null" ], "description": "Enable this default header action" }, "name": { "type": [ "string", "null" ], "description": "Name of the default header action" } }, "additionalProperties": false }, "ExpertSettingsDto-nullable": { "type": [ "object", "null" ], "properties": { "apache": { "type": [ "string", "null" ], "description": "Expert settings for the Apache httpd." }, "security_gate": { "type": [ "string", "null" ], "description": "Expert settings for the Security Gate." } }, "additionalProperties": false }, "PatternDto-nullable": { "type": [ "object", "null" ], "properties": { "ignore_case": { "type": "boolean", "description": "Whether to ignore case.", "default": "true" }, "inverted": { "type": "boolean", "description": "Whether to invert the match.", "default": "false" }, "pattern": { "type": "string", "description": "A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use \".*\"" } }, "required": [ "pattern" ], "additionalProperties": false }, "PatternWithRewriteDto-nullable": { "type": [ "object", "null" ], "properties": { "regex": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "The regular expression, which matches the parts which should be rewritten." } ] }, "substitution": { "type": [ "string", "null" ], "description": "The rewrite expression." } }, "additionalProperties": false }, "PatternWithoutInvertDto": { "title": "pattern", "type": "object", "properties": { "ignore_case": { "type": "boolean", "description": "Whether to ignore case.", "default": "true" }, "pattern": { "type": "string", "description": "A regex pattern used to match, cannot be empty. If you need a pattern that matches every string use \".*\"" } }, "required": [ "pattern" ], "additionalProperties": false }, "PatternWithoutInvertDto-nullable": { "anyOf": [ { "type": "null" }, { "$ref": "#/$defs/PatternWithoutInvertDto" } ] }, "RemoveHeaderActionDto-nullable": { "type": [ "object", "null" ], "properties": { "name": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern for the header name." } ] }, "value": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern for the header value." } ] } }, "additionalProperties": false }, "RewriteHeaderValueDto-nullable": { "type": [ "object", "null" ], "properties": { "name": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern for the header name." } ] }, "replace": { "type": [ "string", "null" ], "description": "A string to rewrite the header value with. Can make back-references to the header value pattern." }, "value": { "allOf": [ { "$ref": "#/$defs/PatternDto-nullable" }, { "description": "A pattern for the header value." } ] } }, "additionalProperties": false }, "SimpleHeaderActionDto-nullable": { "type": [ "object", "null" ], "properties": { "name": { "type": [ "string", "null" ], "description": "The name of the header to add." }, "value": { "type": [ "string", "null" ], "description": "The value of the header to add." } }, "additionalProperties": false }, "SimplePatternDto-nullable": { "type": [ "object", "null" ], "properties": { "pattern": { "type": [ "string", "null" ], "description": "The actual pattern." } }, "additionalProperties": false } }, "additionalProperties": false }