Yxorp reads its configuration from an XML file at startup, and sets up it's internal representation of the configuration statements. While Yxorp is running, a new configuration file can be inserted into the running configuration; this may extend the configuration, but also replace parts of the original configuration. It is also possible to read the actual configuration from the running daemon.
The configuration statements are grouped; each group deals with a set of configuration items. These groups are:
configlistener; this group deals with the TCP interface that is used to read or update the configuration in an active yxorp daemon;
log; this group contains the statements that configure logging;
listener; this group, that may occur more than once in a configuration, controls the proxy processing and sets the TCP ports that the yxorp daemon will listen to;
rule; may occur multiple times and contains the rule programming language statements;
threads; controls the settings that the yxorp daemon will use for worker threads;
security; controls security settings;
server; controls which (virtual or real) servers yxorp can send requests to;
virtualserver; controls the groupings of servers that are used as loadbalancing or failover pools;
realserver; controls the settings of real servers that are mapped from a server definition or a virtualserver pool;
globalconfiguration; controls which settings the yxorp daemon uses for things like timers, retry limits to connect to servers, headers to process, etc;
basicauth; sets which userid/password combinations are recognized for local basic authentication processing;
debug; controls filtering of debug output messages. If yxorp is built with debugging support enabled, these filters may be used to selectively show some message types.
The configuration file should be formatted as follows:
<?xml version="1.0"?> <yxorpconfig> <log> ... logging settings </log> <configlistener> ... config listener settings </configlistener> <rule id=”name” type=”request”> ... rule code </rule </yxorpconfig>
The configuration file must start as follows:
<?xml version="1.0"?> <yxorpconfig>
and end as follows:
</yxorpconfig>
The other contents of the configuration file depend on what Yxorp functions you want to use. These are described in the next sections.
Listeners are the end point for sessions between a client and Yxorp. For Yxorp to do any useful work, at least one listener must be created.
There are two types of listener, corresponding to the two types of proxy: dissecting and tunneling. The dissecting proxy completely takes a request apart, may run all kinds of scripts on each part of the request, and then reassembles it and forwards it to a server. In contrast, a tunnel proxy does not do any processing on a request, but just forwards it as-is to a server. Which type of proxy is chosen depends on the definition in the listener; a listener may invoke either type of proxy, but not both.
A listener is created by setting a <listener> tag in the configuration. The <listener> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
id |
string |
Must be set on each listener, and sets the listener identifier. The id must be unique. It is used in logging and tracking, and in the reconfiguration process. |
|
type |
number |
4 means IPv4, 6 means IPv6. Default is IPv4. |
|
mode |
string |
“tunnel” creates a tunnel proxy; “dissect” creates a dissecting proxy. “dissect” is default. |
|
port |
number |
TCP port number the listener will bind to. |
|
ipaddress |
ipaddress |
IP address the listener will bind to. If type=4, then a normal dotted IP address must be set; if type=6, an IPv6 address notation must be set. The IPv4 address 0.0.0.0 has a special meaning and will bind to all local addresses of the system. |
|
rule |
string |
The name of a rule. If this listener has mode=”dissect”, the rule will be executed for requests; if mode=”tunnel”, this attribute has no meaning. |
|
resprule |
string |
The name of a rule. If this listener has mode=”dissect”, the rule will be executed for responses; if mode=”tunnel”, this attribute has no meaning. |
|
rejrule |
string |
The name of a rule. If this listener has mode=”dissect”, the rule will be executed for rejected requests; if mode=”tunnel”, this attribute has no meaning. |
|
tunneldest |
ipaddress |
If mode=”tunnel”, IPv4 address of the tunnel destination host; if mode=”dissect”, this attribute has no meaning. |
|
tunnelport |
ipaddress |
If mode=”tunnel”, TCP port number on the tunnel destination host; if mode=”dissect”, this attribute has no meaning. |
|
ssl |
string |
“yes” to enable SSL, “no” to disable. If Yxorp is built without SSL support, presence of this attribute will cause an error message. |
|
certfile |
string |
Name of a file containing the certificate to be used. The certificate must be in PEM format. |
|
certpasswd |
string |
Optional password to decrypt the certificate with |
|
sslcachedisable |
number |
Used for testing only, don't use in any kind of serious setup |
|
ssldebug |
number |
Used for testing only, don't use in any kind of serious setup |
All attributes on a listener can be reconfigured on-line. If the socket attributes (port and ipaddress) are changed, Yxorp will close the current socket and bind to a new socket with the new settings. If the new socket is in use on the operating system level, this might take an extended period of time; if sessions or programs are active on the new socket, the socket may not become available at all, causing Yxorp to keep retrying to bind to the socket.
The following example creates a dissect listener for IPv4 on the HTTP port, that will bind to the localhost interface (and thus only accept requests sent to the localhost address):
<listener id=”www” type=”4” mode=”dissect” ipaddress=”127.0.0.1” port=”80” rule=”wwwreq” resprule=”wwwresp” rejrule=”wwwrej” />
The next example will create a tunnel listener using IPv6 on the HTTPS port, and connect to an IPv4 server on address 1.2.3.4:
<listener id=”www” type=”6” mode=”tunnel” ipaddress=”fe80::210:1100:0123:4567” port=”443” tunneldest=”1.2.3.4” tunnelport=”443” />
Yxorp uses the servers listed in the configuration as an abstraction layer for servers. A server can either directly map to a real server, or map to a virtual server for load balancing. If no servers are available, a special rule type called the 'sorry rule' is executed.
A server is identified by the name taken from the Host: header, and thus, normally the same as the domain part of the URL that was requested. If rule code is used to modify the Host: header value, the changed value is used. If the value in the Host: header does not correspond to any server, the request is rejected (by executing a reject rule, if one is specified; or by the default reject actions).
A server is created by setting a <server> tag in the configuration. The <server> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
id |
string |
Must be set on each server. The id must be unique. The id is used to select a server based on the contents of the Host: header. |
|
virtualserver |
string |
Identifies the virtual server that will process the request. Mutually exclusive with the realserver attribute. |
|
realserver |
string |
Sets a direct mapping from server to real server. Mutually exclusive with the virtualserver attribute. |
|
sorry |
string |
Name of the rule to be executed if no real servers are available for processing the request. |
|
stickyloss |
string |
Name of the rule to be executed if the real server a sticky session was mapped to is no longer available. |
|
track |
string |
“yes” or “no” to indicate if requests to this server cause tracking to be invoked for this client. |
All attributes on a server can be reconfigured on-line.
The following example creates a server that will map requests for a domain name (Host: header value) of yxorp.sourceforge.net to a virtual server named “servergroup1”. If none of the servers in the group is available, the sorry rule “sorryrule-yxorp” is invoked.
<server id=”yxorp.sourceforge.net” virtualserver=”servergroup1” sorry=”sorryrule-yxorp” />
The following example creates a server that will map requests for a domain name (Host: header value) of yxorp.sourceforge.net to a real server named “bigserver”:
<server id=”yxorp.sourceforge.net” realserver=”bigserver” sorry=”sorryrule-yxorp” />
The configuration settings for a virtual server list which real servers may be used to process a request. The virtualserver configuration also determines the scheduling algorithm to be used for load balancing.
Real servers will be excluded from the load balancing if they are out-of-service. If one of the real servers has been set out-of-service automatically, is is possible to have the virtualserver schedule a request to it occasionally, to determine whether it has become available again. This mechanism is called “real server wakeup”. This should work without disruption; if Yxorp is not able to connect to a server, another server will be connected after a short timeout.
A virtual server is created by setting a <virtualserver> tag in the configuration. Inside the virtualserver tag , the <real> tags are used to list the real servers. The <virtualserver> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
id |
string |
Must be set on each server. The id must be unique. |
|
schedule |
string |
Identifies the scheduling algorithm the virtual server will use. Currently defined are “roundrobin”, “randomrobin” and “lru”. |
|
wakeup |
string |
Enables or disables waking up of mapped real serves that have been automatically set out-of-service. Valid values are “auto” for automatic wakeup and “manual” for disabling the mechanism. |
|
wakeupfrequency |
number |
Average number of requests scheduled to in-service real servers in between attempts to wakeup a real server. Do not set to a value less than 100. |
|
sticky |
string |
“yes” or “no” to set sticky load balancing for this client on this server group. |
|
mode |
string |
“add”, “delete” or “clear”; values pertain to the actions that should be taken on <real> tags enclosed in this virtual definition. If add, <real> servers will be added to the list; if clear, all <real> servers will be deleted before adding the <real> servers in the virtual definition; if delete, listed <real> in the virtual definition will be deleted. Default is clear, so that the definition you include in the virtualserver tags will completely replace all current definitions in the daemon. |
The <real> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
id |
string |
Must be set on each server. The id must be unique. |
All attributes on a virtualserver can be reconfigured on-line. The list of real servers will by default be replaced.
The following example creates a virtual server that will load balance requests over a group of three real servers, using the roundrobin scheduling algorithm, and automatically retrying to inservice servers that may have become unavailable:
<virtualserver id=”servergroup1” schedule=”roundrobin” wakeup=”auto” wakeupfrequency=”100” > <real id=”server1” /> <real id=”server2” /> <real id=”server3” /> </virtualserver>
The configuration settings for a real server define the attributes of actual servers.
A real server may be set out-of-service automatically if it fails to respond to requests.
A real server is created by setting a <realserver> tag in the configuration. The <realserver> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
id |
string |
Must be set on each server. The id must be unique. |
|
ipaddress |
IPv4 address |
Numerical IPv4 address of this server. It is possible to set “dns” instead of the numerical IP address here; this will cause the value of the Host: header to be used to lookup the IP address and connect to it. This is useful for debugging and testing, but do not use this in production situations, as it might be a security risk, and it will also decrease performance. Note also that “dns” only works for requests associated with a dissecting listener, not with a tunnel. |
|
port |
number |
TCP port on the server . If not set, 80 is the default. |
|
sslport |
number |
SSL-capable TCP port on the server. |
|
available |
string |
“yes” or “no” to set the intended availability state |
|
inservice |
string |
Possible values are “yes” or “no”; automatically changed by server wakeup mechanisms (see virtualserver). |
|
reason |
string |
(display only) The source of the information in the inservice attribute; “config” if the setting was derived from configuration file or command; “auto” if the setting was caused by an automatic process. |
All attributes on a real server can be reconfigured on-line.
The following example creates a real server. The initial state of the real server is inservice, that is, the server is presumed to be able to process requests; the server is also set available, so it will immediately be scheduled.
<realserver id=”bigserver” port=”80” ipaddress=”10.1.0.117” inservice=”yes” available=”yes” />
Rules are small programs written in a special programming language. Each rule contains exactly one such program, which can deal with a request or response. The rule language itself is described in a separate chapter.
A rule begins with a <rule> tag, and ends with a </rule> tag. The text space in between these tags are assumed to be the program source. The rule program source is compiled when the configuration file is read; syntax errors will be reported. The configuration process will abort if serious errors are detected.
Since the configuration file uses XML, and the rule language uses text constructs that may not be valid in “plain” XML, it is sensible to enclose all rules in <![CDATA[ ... ]]> tags.
The <rule> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
id |
string |
Required; must be unique across a configuration. The listener rule and resprule attributes refer to this id. |
|
type |
string |
Value can be “request”, “response”, “reject”, or “sorry”. The value is currently used for configuration file documentation only; defaults to “request”. |
All parts of a rule may be reconfigured.
<rule id=”example” type=”request”> <![CDATA[ // rule source host: = “yxorp.sourceforge.net”; ]]> </rule>
Yxorp logs to files. Normal requests are logged to the access log; requests denied (either by a rule or by Yxorp code) are logged to the error log; and rule programs may log information to another log file, called the trace log. Debugging messages may either be logged to stdout, or to a file.
The log file names are set as attributes on the <log> tag in the configuration file.
The <log> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
accesslog |
string |
File name for the access log |
|
debuglog |
string |
File name for the debug log. Note that you only need this if Yxorp has been built with debugging enabled, and if debug settings in the configuration actually cause debugging output. If no file name has been set, and debug output is generated, it will be sent to stdout. |
|
errorlog |
string |
File name for the error log |
|
tracelog |
string |
File name for the trace log. You will only need this if you have rule programs containing the trace function. |
Log entries in the access and error logs are formatted from a printf-like format string. Any normal text in the format string is simply copied to the log; tokens starting with '%' are interpreted as field names, and substituted with the field value. The format strings are set as subtags enclosed in the log tag; the format strings are set in the text space. The format for the access log is set using the <access-fmt> subtag; the format of the error log is set using the <error-fmt> subtag.
The default access log format is as follows:
%clientip %clientport %nsstart %realserver \"%method %protocol%host%uri\" %statuscode %fromclient %toclient %toserver %fromserver %clientreqhdr %clientrsphdr %serverreqhdr %serverrsphdr %elapsed
The default error log format:
%requestnumber %clientip %clientiplookup %clientport %nsstart %realserver \"%method http://%host%uri\" %statuscode %fromclient %toclient %toserver %fromserver %clientreqhdr %clientrsphdr %serverreqhdr %serverrsphdr %elapsed %rejectreason
The following tokens are available for formatting:
|
Token |
Field value |
|---|---|
|
%clientip |
Client IP number |
|
%clientiplookup |
Resolved name of client IP number |
|
%clientport |
TCP port number on client |
|
%method |
Method name |
|
%uri |
Uri (after translation by rule programs) |
|
%host |
Host name of server (after translation by rule programs) |
|
%nsstart |
Time stamp at start of request |
|
%nsend |
Time stamp at end of request |
|
%logi |
Ordinal number of log entry as counted by request logging module |
|
%requestnumber |
Ordinal number of request, as counted by listener at start of the request |
|
%protocol |
Returns “http://” or “https://” according to the current protocol |
|
%statuscode |
HTTP status code |
|
%fromclient |
Total bytes received from client |
|
%toclient |
Total bytes sent to client |
|
%fromserver |
Total bytes received from server |
|
%toserver |
Total bytes sent to server |
|
%clientreqhdr |
Number of bytes in headers received from client |
|
%clientrsphdr |
Number of bytes in headers sent to client |
|
%serverreqhdr |
Number of bytes in headers sent to server |
|
%serverrsphdr |
Number of bytes in headers received from server |
|
%elapsed |
Wall clock time it took to process the request, in milliseconds |
|
%rejectreason |
Text string containing the reason why a request was rejected |
|
%realserver |
The real server that the request was forwarded to |
All of the log settings may be reconfigured. If the log file names are changed in the new configuration, the active log file will be closed, and a new file with the changed name will be created (as yxorp tries to log a message, so using this mechanism to rotate logfiles must be used with caution since yxorp may not have closed the logfiles immediately upon reconfiguring).
The following example will create three log files, and set the formatting for the access log and the error log:
<log accesslog=”/var/log/yxorpaccess” errorlog=”/var/log/yxorperror” tracelog=”/var/log/yxorptrace”> <access-fmt>%clientip %nsend %method %host %uri %statuscode </access-fmt> <error-fmt>%clientip %rejectreason”</error-fmt> </log>
The following example, assuming a config snippet generated by a script running from cron, will “rotate” the access log file to a new, daily log file:
<log accesslog=”/var/log/yxorpaccess.2004-Feb-29” />
The configuration listener is a special interface into an active Yxorp daemon. It allows the configuration of Yxorp to be changed while Yxorp is active.
Normally, the configuration listener should be bound to IP address 127.0.0.1 and port 7780. This is done by setting the <configlistener> tag in the configuration file. Setting the IP address to 127.0.0.1 is recommended, because of security reasons; only change this if you are sure you know all the consequences.
You can also choose not to run a configuration listener; this is inherently more secure, but also less flexible. If no configuration listener is active, the yxorpconfig command can not be used to reconfigure Yxorp, or to read the current configuration; also, all other commands like yxorpclientstate and yxorprealserver will not work without a configuration listener.
Disable the configuration listener by omitting the <configlistener> tag, or by explicitly setting the port number to zero.
There can only be one configlistener in an Yxorp daemon; any attempt to define more than one configlistener will overwrite the previous configuration attributes.
The <configlistener> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
port |
number |
port to bind to; default is 0. Setting the port number to 0 disables the configuration listener. |
|
ipaddress |
ipaddress |
IPv4 address to listen on; default is 127.0.0.1 |
It is not possible to reconfigure the configlistener.
The followin example shows how to configure the configuration listener to use IP address 127.0.0.1 and port number 7780:
<configlistener ipaddress=”127.0.0.1” port=”7780” />
Yxorp uses a thread pool for processing the requests. The behaviour and size of the thread pool can be configured by the <thread> tag.
The <thread> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
initial |
number |
The number of threads that Yxorp will create at start |
|
minfree |
number |
If less than this number of threads are free to process a request, Yxorp attempts to create a new thread. |
|
max |
number |
Upper limit to the size of the thread pool. |
Not all threads in an Yxorp process are counted for the thread pool size: the debug/log system, and each listener have their own dedicated thread that is not part of the thread pool.
It is possible to reconfigure threads; however, reducing 'max' will not lower the number of active threads.
<threads initial=”20” minfree=”2” max=”100” />
Yxorp runs with reduced privileges on Solaris and Linux. Normally, binding to a port number lower than 1024 requires the process to run as root. Yxorp can release the root privileges and set parts of the process to run as a lower-privileged user. The way this works has significantly changed since version 0.19, it is now implemented using capabilities (Linux) and privileges (Solaris). For other platforms, you will either have to run Yxorp as root, or use non-privileged ports only.
For both Linux and Solaris, all privileges except the ones necessary for Yxorp are released. For Linux, the only remaining privilege is “cap_net_bind_service”; for Solaris, it is “PRIV_NET_PRIVADDR”.
Besides this, it is also possible to change the userid and group that Yxorp will run as; this has the added effect of securing access to the file system.
Another security setting is “chroot”; if this is set, yxorp will change root to the specified directory.
The <security> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
user |
number |
The numerical userid that will be set |
|
group |
number |
The numerical group that will be set |
|
chroot |
string |
chroot to the specified directory just after reading the configuration file. The path must be complete (i.e. start in the root of the file system). |
It is not possible to reconfigure security settings.
<security user=”65535” group=”65535” />
Yxorp can store a table of basic authentication credentials in its configuration. Currently this is the only way, but it is foreseen that other tables may be available in a future version.
Note that basic authentication is not very secure. To recover userid and password from the encoded form is trivial. Don't use userid's and passwords you also use for other systems.
The <basicauth> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
realm |
string |
The realm. See also the first parameter on the basic_auth_check function. |
|
userid |
string |
The user name |
|
passwd |
string |
The password |
|
base64 |
string |
The encrypted form of userid and password (set either base64 or userid/passwd). Generated configurations from yxorp will always contain the base64 form. |
|
remove |
number |
If nonzero, remove this base64 credential from the table. |
It is possible to reconfigure all basic authentication settings.
<basicauth realm=”mystuff” userid=”baas” passwd=”notsosecure” />
Global configuration settings are (as the name implies) global within a daemon (and thus govern all processing for all listeners).
The <globalconfiguration> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
maxchunksize |
number |
In chunked content processing, the maximum size of a chunk that will be accepted. A larger chunk will lead to the request being rejected. |
|
maxserverconnectionattempts |
number |
The maximum number of times connection to a server will be retried. If applicable, load balancing is applied, so the first connection attempt may be to server A, the next attempt to server B. Setting this to a higher number may lead to high response times if servers are unavailable. Also see connectservertimeout. |
|
writetoclienttimeout |
number |
The time (in milliseconds) yxorp will wait for a write to a client to succeed. Note that normally a write will succeed almost instantaneously, since Unix processes the writes asynchronously; the actual meaning of this timer is more along the lines of “wait this long for buffer space to become available”. If this timer expires, the request will be rejected. |
|
readfromclienttimeout |
number |
The time (in milliseconds) yxorp will wait for data to arrive from a client. If the timer expires, the request will be rejected. |
|
maxrealserverconnectfailuresbeforeoutservice |
number |
When this many subsequent failures occurred connecting a server, it is set out of service. If part of a virtualserver load balancing group, it will thereafter be considered out of service (and only be scheduled if the wakeup algorithm is active). For servers that are directly mapped to real servers, the out of service attribute is ignored. |
|
connectservertimeout |
number |
(milliseconds) Wait this long for a connection to a server to complete. |
|
writetoservertimeout |
number |
(milliseconds) Wait this long for a write to a server connection to succeed. See writetoclienttimeout above. If this timer expires, the request will be rejected. |
|
readfromservertimeout |
number |
(milliseconds) Wait this long for data to arrive from a server connection. If this timer expires, the request will be rejected. |
|
tunnelwritetoservertimeout |
number |
(milliseconds) Wait this long for a tunnel buffer to be written to the server connection. |
|
tunnelwritetoclienttimeout |
number |
(milliseconds) Wait this long for a tunnel buffer to be written to the client connection. |
|
tunnelconnecttimeout |
number |
(milliseconds) Wait this long for a tunnel connection to be established. |
|
clientstatecleanupinterval |
number |
(seconds) Time between runs of the client state cleanup process. Don't set too short, because the cleanup process locks the client state table, and frequent locking decreases throughput. Also don't set too long, because then the amount of work increases and the table is locked longer. |
|
clientstatecleanupmaxage |
number |
(seconds) Time a client state is maintained, counting from the last request referencing this state. |
|
requestdvarvectorsize |
number |
The size of the dvar vector that is allocated for each request. This number should be set carefully, since the dvar table will not expand. The number should be large enough to accommodate all rule programs, built-in variables, and headers, but it should also be small enough not to waste memory. Also consider that due to the way the dvar table works, a certain amount of free space increases the likelyhood that a dvar entry will be found quickly, whereas setting the vector size small will increase the likelyhood that a partial table scan will be necessary to locate a dvar entry. To improve efficiency, the number you set here will be rounded up to the next higher prime number. Note that if this number is set too small Yxorp will not be able to store information about the request; this may cause the request to be rejected. A suggested minimum is 67; when tuning, set to at least 2 times the actual dvars you need (counting built-ins, headers, and variables you use in rule programs, including results from capturing regexpses). |
|
clientstatedvarvectorsize |
number |
The size of the dvar vector associated with a client state. In this dvar vector, the mapping between virtual and real servers is kept for sticky load balancing. The dvar vector can also be accessed from rule programs. To improve efficiency, the number you set here will be rounded up to the next higher prime number. Note that if this number is set too small Yxorp will not be able to store information in the client state; this may cause Yxorp to be unable to do sticky load balancing. A suggested minimum is 1; when tuning, set to at least 2 times the actual dvars you need (counting sticky-enabled virtualservers in the same cookie domain, and clientstate variables you use in rule programs). |
|
pidfilename |
string |
The filename for the pid file, as a complete path starting in the root of the filesystem. Yxorp needs to have its own directory to put the pid file in, and the name of that directory must end in “yxorp”, otherwise, Yxorp will refuse to start. Default is “/var/run/yxorp/yxorp.pid”. Yxorp will attempt to create the last directory in the path if it does not exist. Also, Yxorp takes care of setting file ownerships to the user and group configured in the <security> tags. |
Also in the globalconfiguration section is the table of accepted headers. Only headers that appear in this table are processed by yxorp, or made available in the rule language. The standard headers in RFC2616 are included by default. The header table can be changed by including “<header>” tags in the globalconfiguration section.
The <header> tag takes the following attributes:
|
Attribute |
Format |
|
|---|---|---|
|
id |
string |
The name of the header, as it would appear in a request. Yxorp processes this value case-insensitively. |
|
xlateid |
string |
The name of the header as it would appear in the rule language. Normally, the only difference between the id and xlateid are that '-' is changed to '_'. |
|
client |
number |
If non-zero, this header is accepted from a client connection. If zero, it is discarded, or the request is rejected according to the reject setting. |
|
server |
number |
If non-zero, this header is accepted from a server connection. If zero, it is discarded, or the request is rejected according to the reject setting. |
|
maxlen |
number |
The maximum length of this header line (so including the header name itself). If this length is exceeded, action is based on the reject setting for this header. |
|
reject |
number |
If non-zero, this request is rejected. If zero, the header line not conforming to one of the specifications (currently client, server, maxlen and check) is discarded. Rejected headers are listed in the special variable 'rejectedheaders'. |
|
check |
string |
Takes the values “none”, “rfc2616-text”, and “reduced”; this sets the character set that the header will be checked against. If characters exist in the header that are not in the character set, the header will either be discarded or the request will be rejected, according to the reject setting for the header. “none” means no checking will be performed; “rfc2616-text” sets the character set to the set described in RFC2616 (i.e. 7-bit ASCII without the control characters); “reduced” is a subset of rfc2616-text, in which most non-alphanumerical characters have been removed. |
All global settings can be reconfigured. However, header entries, once they are created, may be modified but not completely removed (you can still set that the header will not be accepted though).
The example below sets global configuration values, and updates the header table with the (custom) header “Example:”, which will be called “bad_example:” in the scripting language, is accepted from a client but not from a server; the maximum length is 1 byte, and nonconformance will lead to the request being rejected.
<globalconfiguration
maxchunksize="16777216"
maxserverconnectionattempts="3"
writetoclienttimeout="15000"
readfromclienttimeout="15000"
maxrealserverconnectfailuresbeforeoutservice="4"
connectservertimeout="5000"
readfromservertimeout="15000"
writetoservertimeout="15000"
tunnelwritetoservertimeout="5000"
tunnelwritetoclienttimeout="5000"
tunnelconnecttimeout="5000"
clientstatecleanupinterval="30"
clientstatecleanupmaxage="900"
>
<header id=”Example”
xlateid=”bad_example”
maxlen=”1”
client=”1”
server=”0”
reject=”1”
check=”reduced”
/>
</globalconfiguration>