Configuration
Both the Management Portal and the Workers use a TOML configuration file, described in the following sections, to define their basic behaviour. For dynamic configuration of Workers, see the Management section.
Management Portal
The Management Portal must be configured through a TOML configuration file. An example of such a file, containing descriptions of all the options, is shown below.
################################################
# Manager settings #
################################################
# The 'manager' section defines some basic settings of the Mangement Portal.
[manager]
# The ip port to listen for requests on.
listen = "0.0.0.0:8443"
# If true, TLS will be enabled.
tls = true
# Paths for TLS certificate and key files, if 'manager.tls' is set to true.
certFile = "./server.crt"
keyFile = "./server.key"
# Configuration of Let's Encrypt certificates.
letsEncrypt = false
letsEncryptDomain = ""
################################################
# Manager backend settings #
################################################
# The 'manager.backend' section defines how to connect to Redis and InfluxDB.
# Multiple backends can be defines in order for one Management Portal to connect to
# several sets for workers.
[[manager.backend]]
# The name of the backend.
backendID = "default"
# Addresses of redis nodes
redisAddress = ["localhost:6379"]
# If Redis Sentinel is used, this sets the master name
redisMaster = ""
# Username for redis
redisUser = ""
# Password for redis
redisPassword = ""
# Whether to use TLS for redis connections
redisUseTLS = false
# If 'true', TLS certificate errors for Redis will be ignored.
redisIgnoreTLS = false
# Redis connect timeout specified in milliseconds. Defaults to 250 if not set.
redisConnectTimeout = 250
# Redis read timeout specified in milliseconds. Defaults to 250 if not set.
redisReadTimeout = 250
# Redis write timeout specified in milliseconds. Defaults to 250 if not set.
redisWriteTimeout = 250
# The InfluxDB configuration. These settings are optional.
influxAddress = ""
influxToken = ""
influxIgnoreTLS = false
Worker
Each Worker must be configured through a TOML configuration file. An example of such a file, containing descriptions of all the options, is shown below.
# This is a default configuration file. It is possible to load environment variables at
# runtime with the syntax `${}'. ie:
# listen = "0.0.0.0:${PORT}"
################################################
# Network settings #
################################################
# The 'network' section defines the basic server configuration of the reverse proxy.
[network]
# The IP and port to listen for requests on.
listen = "0.0.0.0:443"
# If true, TLS will be enabled.
tls = true
# Sets the minimum TLS version the reverse proxy will use. Allowed values are:
# 'TLS1.0', 'TLS1.1', 'TLS1.2', 'TLS1.3'
# If this option is not set, TLS 1.2 is used as the default.
tlsMinVersion = ""
# Paths for TLS certificate and key files that are used if 'network.tls' is set to true.
# This certificate and key will be used as fallback when *no* certificate and key is
# specified for an endpoint.
certFile = "./server.crt"
keyFile = "./server.key"
# If 'true', this Worker will be able to provision certificates via Let's Encrypt. Note
# that each endpoint where Let's Encrypt certificates are want must also have the
# 'endpoint.letsEncrypt' value set to 'true'.
letsEncrypt = false
# If 'true', TLS certificate errors from the backend server will be ignored.
# This is for example useful if self-signed or otherwise internal certificates are used.
ignoreTLS = false
# 'network.disallowPrivate' ensures that private IP addresses cannot be accessed by the
# proxy. 'network.disallowLocal' ensures that that only global unicast addresses can be
# accessed by the proxy, disallowing addresses such as loopback or multicast addresses
# (note that private addresses count as global). These options are useful to restrict
# Management Portal users from attempting to access local or private infrastructure.
# Valid values:
# - "true": Block requests
# - "false": Allow requests
# - "no-endpoint": Block unless request is for a configured endpoint
disallowLocal = false
disallowPrivate = false
# The timeout, in seconds, before giving up on requests to the backend server.
remoteTimeout = 5
# If true, the Worker will assume that the last entry in the last `X-Forwarded-For`
# header is the actual client IP for use in logs and IP allow-lists for endpoints.
# Additionally the last field in X-Forwarded-Proto will be used to:
# * Determine whether to set "Secure" on outgoing cookies.
# * What scheme to use for internal Codesealer requests, including ANP requests. Note
# that in this case it might be necessary to configure both http and https endpoints.
# Incompatible with 'network.useProxyProtocol'.
behindProxy = false
# When true, PROXY protocol will be enabled on the listening socket. Both version 1
# (text based) and version 2 (binary based) are supported. Incompatible with
# 'network.behindProxy'.
useProxyProtocol = false
################################################
# Bootloader settings #
################################################
# The 'bootloader' section contains some basic configuration of the Bootloader.
[bootloader]
# Addresses of redis nodes
redisAddress = ["localhost:6379"]
# If Redis Sentinel is used, this sets the master name
redisMaster = ""
# Username for redis
redisUser = ""
# Password for redis
redisPassword = ""
# Whether to use TLS for redis connections
redisUseTLS = false
# The maximum number of Redis connections to pool. Note that this is per Worker
# instance, so keep this in mind if you are subject to connection limitations.
redisMaxConn = 100
# If 'true', TLS certificate errors for Redis will be ignored.
redisIgnoreTLS = false
# Redis connect timeout specified in milliseconds. Defaults to 250 if not set.
redisConnectTimeout = 250
# Redis read timeout specified in milliseconds. Defaults to 250 if not set.
redisReadTimeout = 250
# Redis write timeout specified in milliseconds. Defaults to 250 if not set.
redisWriteTimeout = 250
# The InfluxDB configuration. These settings are optional.
influxAddress = ""
influxIgnoreTLS = false
influxToken = ""
# Path to a configuration file for the Web Application Firewall. The file must contain a
# set of valid SecLang rules. Since Coraza is used internally, the rule set needs to be
# compatible with Coraza. If not specified, a built in default rule set based on
# OWASP Core Rule Set will be used.
wafConf = ""
# If set to true, the WAF audit log will be output to the standard log. This can be quite verbose,
# but is useful for debugging.
wafAuditLog = false
# This option can be set to 'true' in order to run the Worker in "standalone" mode. Each
# endpoint can then be configured in this file (see the 'endpoint' section below), instead
# of configuring them through the Management Portal.
fsEndpoints = false
# Can be set to "redis" or "local". For "redis", state is shared amongst
# workers through the configured Redis instance. With "local", state is stored
# in memory in the worker. The "redis" instance is required for sharing
# sessions across multiple workers and for persistence across restarts. The
# recommended value is "redis".
sessionBackend = "redis"
################################################
# Cache settings #
################################################
# The 'cache' settings controls some basic settings of the Worker's HTTP cache.
[cache]
# A path to folder where the cached files will be stored. The path must be absolute.
# Note that *all* contents of the folder will be deleted when the Worker starts.
folder = ""
# The maximum file size to cache, in bytes.
maxFileSize = 0
# The maximum total size of the cache, in bytes.
maxSize = 0
################################################
# Endpoint settings #
################################################
# When 'bootloader.fsEndpoints' is 'true' configuration of each endpoint will be read from
# this section. Otherwise, this section has no effect. The 'bootloader.fsEndpoints' option
# is *not* recommended for production deployments.
[[endpoint]]
################################################
# Endpoint general settings #
################################################
# Disables Codesealer protection for this endpoint. Traffic is still forwarded, but new
# requests will be unprotected.
disable = false
# Disable only mobile protection for this endpoint. Mobile clients will revert back to
# sending unprotected requests. Note that the 'disable' option overrides this option.
disableMobile = false
# This URL should match the hostname of the Codesealer instance. The reverse proxy will
# only process and protect requests that match the URL defined in this option - any
# other requests will result in a `404 Not Found` response. Allowed values are URLs of
# the form '<scheme>://<hostname or IP>[:port]' The scheme must be either `http` or
# `https`. The port is optional. A single leading `*` wildcard is allowed in the
# hostname.
remoteIn = "https://localhost:8443"
# This is the address where Codesealer will proxy requests to. Allowed values are URLs
# of the form '<scheme>://<hostname or IP>[:port]' The scheme must be either `http` or
# `https`. The port is optional.
#
# All requests matching the Incoming URL will be sent to this address instead. The
# request itself will not be altered - in particular, by default the `Hostname` header
# will not be modified.
remoteOut = "http://localhost:9000"
# This list of scripts will select which scripts are protected. Only scripts that occur
# in HTML '<script>' tags will be protected this way. The entries need to match the
# 'src' attribute in corresponding '<script>' tags exactly. When 'endpoint.scriptOptOut'
# is 'true', entries in this list can be prefixed with 'optout:' to remove protection
# from selected scripts.
scriptOptIn = []
# When 'true', all scripts that occur in HTML '<script>' tags are protected by
# Codesealer Enterprise automatically. Note that scripts inserted dynamically after page
# load are not protected by this option - see instead the 'endpoint.enableXhr' section.
scriptOptOut = true
# When 'true', Codesealer will ignore any TLS errors from the backend server. This is
# for example useful if self-signed or otherwise internal certificates are used. This
# also applies to WebSocket requests.
ignoreRemoteTLS = false
# This option will only take effect if 'network.letsEncrypt' is 'true'. By enabling this
# option, you agree to the at any time applicable TOS for Let's Encrypt. Note: The DNS
# Record for the URL specified in 'endpoint.remoteIn' must point to Codesealer.
letsEncrypt = false
# Paths for TLS certificate and key files that are used if 'network.tls' is set to true.
tlsCertPath = ""
tlsKeyPath = ""
################################################
# Endpoint ANP settings #
################################################
# When 'true', all XHR and fetch calls will be automatically replaced with corresponding
# ANP variants.
autoXhr = true
# This allows ANP XHR and fetch to be accessed on the window object. The
# 'endpoint.autoXhr' option must be 'true'.
exposeXhrWindow = true
# When 'true', scripts inserted dynamically on head and body elements will be
# intercepted and independently transferred through ANP.
protectDynamicContent = true
# When 'true', all WebSocket calls will be automatically replaced with corresponding ANP
# variants.
enableWebSocket = false
# This allows ANP WebSockets to be accessed on the window object. The
# 'endpoint.enableWebSocket' option must be 'true'.
exposeWebSocketWindow = false
# A list of allowed endpoints to protect for ANP requests. If the list is empty, all
# domains are allowed.
allowedDomains = []
# A list of domains that will bypass ANP. Entries must take the exact form <scheme>://<hostname or IP>[:port].
bypassANP = []
# Session lifetime for Application Network Protection. If set to 0, the default will be
# used.
sessionLifetime = 0
################################################
# Endpoint WAF settings #
################################################
# When 'true', the Web Application Firewall is enabled. See 'bootloader.wafConf'
# for how to configure the WAF.
enableWaf = false
# When 'true', the entire payload of requests, including response headers and body, will
# be passed through the WAF.
wafFullTransaction = false
# When 'true', no requests will be blocked by the WAF, and all interventions will merely
# be logged.
wafMonitorMode = false
################################################
# Endpoint advanced settings #
################################################
# This will set the Server Name Indication (SNI) on proxied TLS requests to the provided
# value instead of the requested host. This can be useful if the installed TLS
# certificate on the remote server is issued to a different domain.
SNIOverwrite = ""
# This will set the 'Hostname' header on proxied requests to the provided value instead
# of the requested host. This can be useful if the backend server uses virtual hosting.
HostnameOverwrite = ""
# This option must be 'true' if the backend serves HTML where '<script>' tags occur
# after the '</body>' or '</html>' tags.
invalidHTMLCompat = false
# When 'true', window scope compatibility mode will be activated.
windowScopeCompat = false
# When 'true', document.write compatibility mode will be activated.
documentWriteCompat = false
# When 'true', publicPath compatibility mode will be activated.
publicPathCompat = false
# When 'true' Codesealer will only allow GET, HEAD and OPTIONS request methods from
# clients that do not have an active Codesealer session, blocking all other methods.
strictSession = false
# When 'true' Codesealer will block requests from clients with malicious user agents.
blockUserAgents = false
# (BETA) If set to true, the Bootloader will perform thorough tamper checks of the
# JavaScript runtime environment before allowing any code to run. This can detect
# attacks such as prototype pollution. This incurs an overhead of about 50ms to
# application startup time. This feature is experimental.
tamperChecks = false
# (BETA) If set to true, the Bootloader will harden the JavaScript runtime environment,
# preventing any tampering with JavaScript built-ins, effectively preventing attacks
# like prototype pollution. This is likely to break most applications. This feature is
# experimental.
hardenRuntime = false
# When 'true' requests will be redirected to a non-interactive validation page before
# being redirected to the requested URL. Once the session is validated, the validation
# page will not be shown again, unless the session hits a rate limit. This feature can
# reduce the effects of Layer 7 DDoS attacks.
appThrottling = false
# When app throttling is enabled this value will determine the maximum sustained number
# of requests per second allowed for each client.
appThrottlingRate = 10
# When app throttling is enabled this value will determine the maximum burst of requests
# allowed for each client.
appThrottlingBurst = 20
# When app throttling is enabled this value will determine the amount of iterations
# performed in the PoW challenge.
appThrottlingIterations = 256
# When 'true' Codesealer will not set the 'X-Forwarded-For' and 'X-Forwarded-Host'
# headers.
#
# This option is meant for testing scenarios, where adding the headers may confuse
# existing infrastructure. This should not be used in production scenarios.
omitProxyHeaders = false
# When 'true', the 'Content-Security-Policy' HTTP Header will be stripped from all
# requests that have scripts protected. A better solution is to allow 'eval' by setting
# the header "Content-Security-Policy: script-src 'unsafe-eval'".
stripContentSecurity = false
# Setting this to 'true' will ensure that absolute `Location` header redirects for the
# Outgoing URL are changed to relative URLs instead.
redirectCompat = false
# When 'true', extra cookies will not be attached to responses. This can cause some
# cookies to not be set on protected requests.
disableCSCookies = false
# When 'true', all requests to this endpoint will be terminated as early as possible. This can be used
# to mitigate smaller DoS attacks on multi-endpoint deployments.
killSwitch = false
# When 'true' protected script tags will not have their attributes removed. Note that
# some standard attributes are always removed.
scriptRetainAttributes = false
# The IP addresses listed here will bypass Codesealer protection. Please note that
# additional configuration is needed for Codesealer to see client IPs when using proxy
# servers or load balancing in front of Codesealer.
ipBypassList = []
# If 'true', the behavior of 'ipBypassList' is inverted. This means that only the IPs
# in the bypass list will be protected.
invertIPBypassList = false
# If non-empty, only traffic originating from IP addresses in this list will be allowed
# to access the endpoint.
ipAccessList = []
# The given JavaScript code will be injected into the beginning protected scripts. This
# can be used in debugging scenarios, where it is not feasible to modify certain aspects
# of a protected application.
scriptPreamble = ""
# The given JavaScript code will be injected at the end of all protected scripts. This
# can be used in debugging scenarios, where it is not feasible to modify certain aspects
# of a protected application.
scriptPostamble = ""
# ES6 modules are bundled into a single file by the worker. This option determines
# wheter the resulting bundle should also be minified.
minifyBundles = true
# When set to 'true' this option enables the HTTP cache feature for this endpoint. See
# the the 'cache' section for Worker specific settings and the 'endpoint.cacheRule'
# section for configuration of the cache rules.
cacheEnabled = false
# The 'endpoint.proxyPathFilter' section defines a set of rules for selectively blocking
# requests from being proxied. The rules are processed in order, such that firewall-like
# behavior can be achieved. The first rule to match will take effect. The path matching
# is case insensitive.
[[endpoint.proxyPathFilter]]
block = true
path = "/"
# The 'endpoint.protectionPathFilter' section defines a set of rules for selectively
# bypassing script protection. The rules are processed in order, such that firewall-like
# behavior can be achieved. The first rule to match will take effect. The path
# matching is case insensitive.
[[endpoint.protectionPathFilter]]
bypass = true
path = "/"
# The 'endpoint.scriptReplace' section defines a set of rules for simple search and
# replace in all scripts protected by Codesealer.
[[endpoint.scriptReplace]]
to = ""
from = ""
################################################
# Endpoint cache settings #
################################################
# The 'endpoint.cacheRule' section defines a set of rules for Codesealer's internal HTTP
# cache. See also the 'cache' section for Worker specific settings.
[[endpoint.cacheRule]]
# The value of the Content-Type header to match on. Both 'contentType' and 'path' has to
# match for the resource to be cached. The special wildcard value '*' can be used to
# match all content types.
contentType = ""
# The path of the request to match on. Both 'contentType' and 'path' has to match for
# the resource to be cached. The special wildcard value '*' can be used to match all
# paths.
path = ""
# If this value is not zero, the expiry of the cached resource will be overriden.
overrideMaxAge = 0
# When 'true', resources are cached despite 'no-store' directives.
ignoreNoStore = false
# When 'true', resources are cached despite 'no-cache' directives.
ignoreNoCache = false
Web Application Firewall
Codesealer Enterprise's built in WAF comes pre-loaded with a rule set based on OWASP
Core Ruleset (CRS). It is possible to load a customized rule set providing the path to a
configuration file in the Worker's bootloader.wafConf
configuration option. The file
must contain a set SecLang rules, compatible with OWASP Coraza. See the Coraza
documentation for more information.