Skip to content

Define Application: Proxy

Define Application: Proxy

The Identity-Aware Web Application Firewall acts as an HTTP-proxy. In doing to, it can inject an identity-flow (authentication on behalf of) as well as rewrite/rework various HTTP constructs to make them accurate relative to an external environment.

Typically there is no configuration required in this section, however, you may use it to tweak for individual applications as needed.

Include User Context Headers

If the ‘Include User Context Headers’ is set, several headers are added to the request, allowing the upstream web server to infer user and role. these include:

{
"headers": {
"Remote-Org-Id": "5kX8JJdQ3CzXXXXXXXX",
"Remote-User": "user@agilicus.com",
"Remote-User-Id": "XGMKWs5SXXXXXX",
"X-Agilicus-External-Id": "-",
"X-Agilicus-Member-Of": "[\"wiki-editors\"]",
"X-Gateway-Org": "5kX8JJdQ3CzXXXXXXXX",
"X-Gateway-Primary-Role": "self",
"X-Gateway-Roles": "{\"httpbin\":[\"self\"],\"urn:api:agilicus:users\":[\"self\"]}",
"X-Gateway-Tokenid": "Hwx6vUZPXXXXXXXX",
"X-Gateway-User": "XGMKWs5SXXXXXX",
"X-Gateway-User-Email": "user@agilicus.com",
"X-Roles-Matched": "true",
"X-Token-Valid": "true"
}
}

HTTP Media Type Rewrite

It is common for certain body documents to have embedded components linking to the internal name of the host. This could include a JSON search result, showing http://internal instead of https://external.example.com, it could include XML, HTML, CSV, etc.

In this section, we can add specific Media (MIME) types. If they are set, the contents will be rewritten to match the external coordinates.

HTTP (Host) Names Rewrite

The internal host may have multiple names. This can occur with e.g. virtual machines (‘intranet’ is also ‘vweb01’) and these names internally might be used interchangeably. In this section we add a set of hosts that, if present, will be rewritten to the external name.

HTTP Response Header Overrides

Set Header

This allows setting an arbitrary header to an arbitrary value.

Append Header

This allows appending a value to an existing response header.

Remove Header

This will remove a header from the response. It may be used to e.g. remove private internal information or version leakage.

Remove Match

This feature allows removing entire header lines matching some criteria. If your response included:

Host: foobar
Host: foo

Then, if we put in ‘Name’: ‘Host’ and value ‘foo’, both lines are removed. If we put in value ‘bar’ only the first line is removed. A regex is allowed here, so we could put in e.g. ‘fo.*’.

Parameter Rewrite Filter

This feature allows overwriting specific GET parameters. E.g. if the URL is https://www?foo=bar, you can rewrite this to foo=baz. It also allows deflate (e.g. decompress) and base64-encoded.

HTTP Request Header Overrides

The Request Overrides operate in the same fashion as the Response Overrides.

Proxied Service Configuration

This field should not be used in normal circumstances. It allows proxying to an external host (e.g. for demonstration purposes).