Server
The server node defines configuration for the gateway daemon front-end.
Specifies the protocols which will be supported by the server. The server will listen on a different port for each protocol: http/8080 and https/8443. If no protocols are specified, the server will listen for https requests only.
Additionally, the server can be configured to expect the PROXY Protocol header by using the *_proxy values.
Note that if the proxy protocol is enabled for a given protocol, all traffic for that protocol will be expected to contain the PROXY protocol headers. That is, the following entries are exclusive:
- http and http_proxy
- https and https_proxy
Protocol | Port | Description |
---|---|---|
http | 8080 | HTTP |
https | 8443 | HTTPS |
http_proxy | 8080 | HTTP with Proxy Protocol |
https_proxy | 8443 | HTTPS with Proxy Protocol |
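The following is an added example, not IAG's own code, that applies the port table and the exclusivity rule above to a protocols list before it is deployed. It assumes the entry has already been parsed from the YAML configuration into a plain Python list of strings; the function names are mine.

```python
"""Added example (not IAG's own code): sanity-check a server protocols list
against the documented port table. Assumption (mine): the entry has been
parsed from the YAML config into a plain Python list of strings."""

# Listening port for each documented protocol name.
PROTOCOL_PORTS = {
    "http": 8080,
    "https": 8443,
    "http_proxy": 8080,
    "https_proxy": 8443,
}

# Pairs that share a listener; enabling the PROXY protocol applies to all
# traffic on that listener, so each pair is mutually exclusive.
EXCLUSIVE_PAIRS = (("http", "http_proxy"), ("https", "https_proxy"))


def validate_protocols(protocols):
    """Return a list of human-readable problems (empty when the list is valid)."""
    problems = []
    for name in protocols:
        if name not in PROTOCOL_PORTS:
            problems.append(f"unknown protocol: {name}")
    for first, second in EXCLUSIVE_PAIRS:
        if first in protocols and second in protocols:
            problems.append(
                f"{first} and {second} are exclusive: both bind port {PROTOCOL_PORTS[first]}"
            )
    return problems


def resolve_listeners(protocols):
    """Map each listening port to the protocol it will serve, applying the
    documented default of https only when nothing is configured."""
    protocols = list(protocols or []) or ["https"]
    problems = validate_protocols(protocols)
    if problems:
        raise ValueError("; ".join(problems))
    return {PROTOCOL_PORTS[name]: name for name in protocols}


def expects_proxy_header(protocols, port):
    """True when the listener on port must see a PROXY protocol header first."""
    return resolve_listeners(protocols).get(port, "").endswith("_proxy")


if __name__ == "__main__":
    print(resolve_listeners([]))                     # https only by default
    print(resolve_listeners(["http", "https_proxy"]))
    print(validate_protocols(["http", "http_proxy"]))  # reports the clash
```

Because every connection on a *_proxy listener must begin with the PROXY header, that listener should only be reachable from the load balancer that inserts it; a client that connects to it directly will be rejected, and the client IP used by the client rules is the one carried in that header.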
The rules which define whether a client is allowed to connect to this server. Each rule is of the format:
[+|-]<client-ip>
where:
Element | Description |
---|---|
+ | Indicates that the client is permitted access. |
- | Indicates that the client is not permitted access. |
<client-ip> | The IP address of the client, which can also contain the pattern matching characters * and ?. |
The client IP address of a request will be evaluated against each rule in sequence until a match is found. The corresponding code (+|-) will then be used to determine whether the client connection is accepted. If the client IP matches no configured rule, the client connection will be accepted.
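The evaluation described above, as an added example that is not IAG's own code: rules are tried in order, the first match decides, and an unmatched client is accepted. It assumes * matches any run of characters and ? exactly one, and that an IP address is compared as a string; the function names are mine.

```python
"""Added example (not IAG's own code): evaluate client rules of the form
[+|-]<client-ip> with * and ? wildcards. Assumption (mine): * matches any
run of characters, ? exactly one, and the address is compared as a string."""
import re


def _pattern_to_regex(pattern):
    # Escape everything, then turn the two documented wildcards back into regex.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def parse_rule(rule):
    """Split a rule into (allowed, compiled pattern); reject malformed rules."""
    rule = rule.strip()
    if not rule or rule[0] not in "+-" or not rule[1:].strip():
        raise ValueError(f"rule must be [+|-]<client-ip>: {rule!r}")
    return rule[0] == "+", _pattern_to_regex(rule[1:].strip())


def client_allowed(rules, client_ip):
    """First matching rule wins; with no match the connection is accepted
    (the documented default)."""
    for allowed, regex in map(parse_rule, rules):
        if regex.match(client_ip):
            return allowed
    return True


if __name__ == "__main__":
    rules = ["+10.0.0.*", "-10.*", "+192.168.1.?"]
    for ip in ("10.0.0.5", "10.1.2.3", "192.168.1.7", "172.16.0.1"):
        print(ip, "allowed" if client_allowed(rules, ip) else "denied")
```

Two consequences of the documented semantics are worth checking in any rule set: because an unmatched client is accepted, a list that is meant to allow only specific addresses needs a final -* rule, and because the first match wins, a broad - rule placed before a narrower + rule silently shadows it.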
Specifies the configuration the gateway server will use when securely communicating with clients. This configuration includes:
- The certificate to be used for secure communication with clients. If a certificate is not provided, the gateway will generate a self-signed certificate during bootstrapping.
- The TLS protocols that are enabled for client communication.
- Any additional server certificates which should be used for specific hosts using the server name indication (SNI) TLS extension.
Enables or disables the TLS protocols that are used for communication between the gateway daemon and the protected application.
Specifies the ciphers and cipher suites which will be permitted for all secure communications.
The following tables show the list of available ciphers.
PEM-based signer certificates or signer certificate chains which should be added to IAG's trust store. These can be signer certificates which are required for secure communication with resource servers or external services.
Specifies the configuration related to failover support for the IBM Application Gateway.
Specifies the configuration for client sessions.
The number of configured worker threads specifies the number of concurrent incoming requests that can be serviced by this gateway instance. Choosing the optimal number depends on the quantity and type of traffic on your network. Modifying this value should be done carefully to ensure optimal performance.
A boolean which indicates whether or not to enable support for HTTP/2 clients. HTTP/2 supports a reduced set of cipher suites. The minimum cipher is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, which should be added to the server/ssl/ciphers[] entry.
Specifies the configuration for WebSocket support.
Defines static assets which are served from the default / path of the reverse proxy. This entry must be either a zip file or a path which is relative to the /var/iag/config directory of the container. The provided contents will completely replace the default set of pages served from the / path of the IAG.
This entry overloads the server generated management response pages.
This entry must be either a zip file or a path which is relative to the /var/iag/config directory of the container.
The provided contents will completely replace the default set of management pages served by the IAG.
The pages which are provided should conform to the directory structure and file name syntax explained below.
The directory structure is:
<language_code>/<page_name>.<response_code>.<mime_type>
This entry overloads the server generated error response pages.
This entry must be either a zip file or a path which is relative to the /var/iag/config directory of the container.
The provided contents will completely replace the default set of error pages served by the IAG.
The pages which are provided should conform to the directory structure and file name syntax explained below.
The directory structure is:
<language_code>/<error_code>.<response_code>.<mime_type>
This entry overloads the default assets used in server generated error and management response pages.
These assets are served by the application gateway on the configured path segment (default pkmspublic) and are suitable for embedding in server generated responses such as error or management pages.
The language(s) which will be permitted when the application gateway generates error and management response pages. The accept-language HTTP header from the request is used to determine the language used when generating responses.
The first language in the list will be treated as the default language. The default language will be used if none of the languages contained in the accept-language HTTP header have been enabled.
If this entry is not defined, all languages will be enabled with English (C) set as the default.
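The language selection just described, together with the <language_code>/<name>.<response_code>.<mime_type> layout used by the management and error page directories above, as an added example that is not IAG's own code. It assumes tags are compared case-insensitively, that a regional tag such as fr-CA falls back to fr when only the primary subtag is enabled, and that with no configured list the first acceptable tag from the header is used; the function names are mine.

```python
"""Added example (not IAG's own code): pick the response language from the
accept-language header and build the documented page path. Assumptions
(mine): case-insensitive tag comparison, fr-CA falls back to fr when only
the primary subtag is enabled, and with no configured list the first
acceptable tag from the header is used."""


def parse_accept_language(header):
    """Return the tags of an accept-language header ordered by descending
    q-value; ties keep header order, q=0 entries are dropped."""
    ranked = []
    for index, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        quality = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    quality = float(value)
                except ValueError:
                    quality = 0.0
        if quality > 0:
            ranked.append((-quality, index, tag.strip()))
    return [tag for _, _, tag in sorted(ranked)]


def select_language(enabled, accept_language):
    """enabled is the configured list (first entry is the default) or None,
    which per the documentation enables every language with C as default."""
    wanted = [t for t in parse_accept_language(accept_language or "") if t != "*"]
    if not enabled:
        return wanted[0] if wanted else "C"   # assumption, see module docstring
    by_lower = {lang.lower(): lang for lang in enabled}
    for tag in wanted:
        if tag.lower() in by_lower:
            return by_lower[tag.lower()]
        primary = tag.split("-")[0].lower()   # assumption: fr-CA -> fr
        if primary in by_lower:
            return by_lower[primary]
    return enabled[0]                         # documented default language


def page_path(language, name, response_code, mime_type):
    """Build the documented <language_code>/<name>.<response_code>.<mime_type>
    path; name is a page name for management pages or an error code for
    error pages."""
    return f"{language}/{name}.{response_code}.{mime_type}"


if __name__ == "__main__":
    lang = select_language(["en", "fr", "de"], "fr-CA;q=0.8, de;q=0.9")
    print(lang, page_path(lang, "login", 200, "html"))
```

When a custom page set is supplied, every language in the configured list should contain the same pages; a browser whose preferred language is enabled but whose page is missing from the archive will not fall through to the default language directory.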
Specifies the configuration for the credential service cache. When the cache is enabled, IAG will cache the encrypted credentials received from the external credential service. If the cache is not enabled, IAG will request credentials from the credential service for every request requiring single sign-on.
Specifies the configuration information related to the embedded credential viewer application.
The credential viewer application can be used to display information about the credential associated with the current user session.
Specifies the configuration information related to the embedded authorization decision application. The authorization decision application provides a Web service for making remote authorization decisions.
Specifies the configuration information related to the embedded jwks application. The jwks application returns the public keys contained in the key database used for junction communication. The response data will conform to RFC 7517.
Specifies the global configuration related to rate limiting. Rate limiting policies are defined using the policies/rate_limiting[] entry.
Additional rate limiting headers can also be enabled. The rate limiting response headers include:
Header | Value |
---|---|
X-Rate-Limit-Policy | The name of the rate limiting policy which is closest to being hit. |
X-Rate-Limit-Remaining | The number of requests left for the rate limiting policy in the current rate limit window. |
X-Rate-Limit-Reset | The time (UTC Epoch time) at which the rate limiting policy resets. |
Specifies whether or not the gateway will use the default content security policy.
The default policy inserts the following HTTP headers into all responses:
Header | Value |
---|---|
x-frame-options | DENY |
x-xss-protection | 1 |
content-security-policy | default-src 'self'; frame-ancestors 'self'; form-action 'self'; |
x-content-type-options | nosniff |
This entry can be used to set HTTP headers which are always present in all responses which are returned to clients.
For each entry, only one of macro, attribute or text can be specified.