Ceptor Docs


A destination target server is stored within the JSON property targets which is an array of JSON objects - each target server is an object within it.

      "targets": [{
        "sslcontext": {
          "excludeprotocols": "SSL,SSLv2,SSLv2Hello,SSLv3",
          "allowrenegotiate": false,
          "excludeciphersuites": "SSL,SSLv2,SSLv2Hello,SSLv3",
          "useciphersuites.order": true,
          "includeciphersuites": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
          "truststore.type": "JKS",
          "truststore.provider": "BC"
        },
        "scheme": "http",
        "port": 8080,
        "unavailable": false,
        "name": "demoapp1",
        "host": "127.0.0.1",
        "disabled": false,
        "bindaddress": "",
        "bindport": 0,
        "limits": {
          "queue.length": 100,
          "max.idle.connections.hard": 20,
          "idle.ttl": 10,
          "max.idle.connections.soft": 5,
          "max.concurrent.requests": 20
        }
      }],

Within the individual target, sslcontext and limits are optional - if not specified, the relevant settings for the destination itself will be used.

Often, these limits are used to allow more concurrent requests toward one server than toward another, in case one has more resources than the other.

Target Settings

Name

Target name - used to identify the target server selected, and a hash of the name is stored in a cookie, if the server is sticky.

Default: none
JSON key: name 

Scheme / Protocol

Scheme / Protocol to use when connecting to the server, use http or https

Default: http
JSON key: scheme 

IP Address / Hostname

IP Address or hostname of server to connect to.

Default: none, must be specified
JSON key: host 

TCP Port

TCP Port to connect to, usually 80 for http and 443 for https.

Default: none
JSON key: port 

TCP Binding

Bind Address

If specified, this is the address to bind to when making the connection to the target server - leave blank to autoassign. This is useful when you want to select a particular network interface.

You can specify either an IP address or a hostname, which will then be resolved to the IP address - this address needs to match a network interface on your machine.


Default: Uses setting for destination
JSON key: bindaddress 
Minimum Version: 5.61 

Bind Port

TCP port to bind to when connecting to target server. Set to 0 to autoassign port. Only used when also specifying the bind address.

Default: 0
JSON key: bindport 
Minimum Version: 5.61  

Override destination configuration

Override SSL from destination settings

Check to override SSL settings

Default: none
JSON key: If sslcontext JSON Object is present, then override is enabled.

Override Limits from destination settings

Check to override limits

JSON key: if limits JSON Object is present, then override is enabled.

Availability settings

Unavailable for new users

Check if unavailable for new users - in this case, no new users will be assigned to this destination server.

Default: false
JSON key: unavailable 

Disabled

Check if disabled and no connections should be sent to this target. Existing users will fail over to other targets.

Default: false
JSON key: disabled 

SSL Settings

If override SSL is enabled, you can specify the SSL settings.

They are saved in the JSON key sslcontext within the targets JSON Object.

SSL Settings

JCE Provider

Name of SSL JCE Provider to use, or leave blank for default JDK

Default: blank, meaning JDK default.
JSON key: ssl.provider 

Protocol

Name of SSL Protocol (e.g. TLS), or leave blank for default. Note that some SSL protocols are insecure - but old server implementations might require you to use an older protocol - typical protocols are TLS, TLSv1.1, TLSv1.2

Default: blank, meaning JDK default.
JSON key: ssl.protocol

Allow renegotiate 

Allow insecure renegotiation, turn off for best security.

Default: false
JSON key: allowrenegotiate 

Exclude protocols

Comma/semicolon separated list of SSL protocols to exclude from the JCE default protocols list - patterns are regex expressions.

Default: SSL,SSLv2,SSLv2Hello,SSLv3
JSON key: excludeprotocols 

Include protocols

Comma/semicolon separated list of protocols to include from the JCE supported protocols list - patterns are regex expressions

Default: none, meaning JDK default
JSON key: includeprotocols

Use ciphersuites order

If set, the configured cipher suite order is used and the first entry is preferred. If not set, the order does not matter when selecting which cipher suite to use.

Default: true
JSON key: useciphersuites.order 

Exclude ciphersuites

Comma/semicolon separated list of ciphersuites to exclude from the JCE default ciphersuites list - patterns are regex expressions.

Default: .*NULL.*,.*RC4.*,.*MD5.*,.*DSS.*
JSON key: excludeciphersuites 

Include ciphersuites

Comma/semicolon separated list of ciphersuites to include from the JCE supported ciphersuites list - patterns are regex expressions

Default: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
JSON key: includeciphersuites

Truststore type

Type of truststore, e.g. PKCS12, or JKS (default PKCS12)

Default: PKCS12
JSON key: truststore.type 

Truststore provider

Name of JCE provider (default BC)

Default: BC
JSON key: truststore.provider 

Truststore file

Name of and path to file containing truststore

Default: none
JSON key: truststore.file 

Truststore password

Password for the truststore and keys within - can optionally be encrypted/obfuscated

Default: none
JSON key: truststore.password 
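
An added example (not part of the Ceptor documentation or product): a small Python check that reads a targets array and reports per-target settings that weaken the connection to the backend, using only the JSON keys described above. The sample configuration is constructed, and treating excludeprotocols entries as full-match regexes is an assumption, since the page does not say how patterns are applied.

```python
import json
import re

# Constructed sample configuration (not taken from a real deployment).
SAMPLE = """
{"targets": [
  {"name": "demoapp1", "scheme": "http", "host": "127.0.0.1", "port": 8080},
  {"name": "demoapp2", "scheme": "https", "host": "192.0.2.10", "port": 443,
   "sslcontext": {
     "ssl.protocol": "TLSv1.1", "allowrenegotiate": true,
     "excludeprotocols": "SSLv2,SSLv2Hello",
     "includeciphersuites": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
   }}
]}
"""

WEAK_SUITE = re.compile(r"NULL|RC4|MD5|3DES|_DES_|EXPORT|anon")
OLD_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def split_list(value):
    """Split the comma/semicolon separated lists used by the sslcontext keys."""
    return [item.strip() for item in re.split(r"[,;]", value or "") if item.strip()]

def audit_target(target):
    """Return a list of findings for one entry of the targets array."""
    findings = []
    if target.get("scheme", "http") == "http":       # documented default is http
        findings.append("cleartext http to backend")
    ctx = target.get("sslcontext")
    if ctx is None:                                   # no override: destination settings apply
        return findings + ["sslcontext inherited from destination"]
    if ctx.get("allowrenegotiate", False):
        findings.append("insecure renegotiation allowed")
    if ctx.get("ssl.protocol") in OLD_PROTOCOLS:
        findings.append("deprecated protocol " + ctx["ssl.protocol"])
    # Assumption: a pattern excludes a protocol only if it matches the whole name.
    patterns = split_list(ctx.get("excludeprotocols"))
    if "excludeprotocols" in ctx and not any(re.fullmatch(p, "SSLv3") for p in patterns):
        findings.append("excludeprotocols does not cover SSLv3")
    for suite in split_list(ctx.get("includeciphersuites")):
        if WEAK_SUITE.search(suite):
            findings.append("weak cipher suite " + suite)
        elif re.match(r"(TLS|SSL)_RSA_WITH_", suite):  # static RSA key exchange
            findings.append("no forward secrecy: " + suite)
    return findings

def audit(config_text):
    """Map each target name to its findings."""
    return {t.get("name"): audit_target(t) for t in json.loads(config_text)["targets"]}
```

Call audit() with the text of a JSON object that contains the targets array; a target without an sslcontext object is reported as inheriting, so the destination's own SSL settings need the same review.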

Limits

If override is enabled, the limits can be specified for the specific target server.

Limits are stored in the limits JSON Object inside the specific targets JSON Object.

Limits on connections and queues

Max concurrent per IO thread

Maximum number of concurrent requests (PER IO THREAD) for a target server, requests above this limit will be queued (default is 20). See the settings for number of IO threads here: Config - Gateway Settings

Default: 20
JSON key: max.concurrent.requests 

Queue size

Number of connections that can be queued waiting for an available connection

Default: 500
JSON key: queue.length 

Timeout in seconds

Request timeout in seconds - maximum number of seconds to wait for a reply from the server.

Default: 30
JSON key: timeout.seconds 

Max idle connections

Maximum number of idle connections to a target server - connections exceeding this count will be closed instead of being pooled for new requests.

Default: 20
JSON key: max.idle.connections.hard 

Minimum idle connections 

The minimum number of connections that this proxy connection pool will try and keep established. Once the pool is down to this number of connections no more connections will be timed out.

This value is per IO thread, so to get the actual value this must be multiplied by the number of IO threads

Default: 5
JSON key: max.idle.connections.soft 

Idle timeout (milliseconds)

Number of milliseconds until timing out idle connections above the minimum limit, set to 0 or -1 to disable

Default: -1
JSON key: idle.ttl
