Ceptor - Get a Free Trial

Config - Listeners

Owned by Kim Rasmussen
Last updated: Aug 31, 2021 by Kim Rasmussen (Unlicensed)
7 min read

JSON Configuration for Listeners


Listener settings
{
  "listen": [
    {
      "address": "0.0.0.0",
      "scheme": "http",
      "port": 8000,
      "useproxyprotocol": true,
      "useforwardedheader": false
    },
    {
      "address": "0.0.0.0",
      "scheme": "ajp",
      "port": 8001
    },
    {
      "scheme": "https",
      "address": "0.0.0.0",
      "port": 8443,
      "sslcontext": {
        "ssl.provider": "SunJSSE",
        "ssl.protocol": "TLS",
        "wantclientauth": true,
        "needclientauth": false,
        "allowrenegotiate": false,
		"sni.requirematch": false,
        "excludeprotocols": "SSL,SSLv2,SSLv2Hello,SSLv3",
        "includeprotocols": "TLSv1.2,TLSv1.1",
        "excludeciphersuites": ".*NULL.*,.*RC4.*,.*MD5.*,.*DSS.*",
        "includeciphersuites": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
        "keystore.type": "JKS",
        "keystore.provider": "SUN",
        "keystore.file": "${portalprotect.home}/dispatcher/portalprotect.key",
        "keystore.password": "changeit",
        "useciphersuites.order": true,
        "truststore.type": "PKCS12",
        "truststore.provider": "BC",
        "truststore.file": "${portalprotect.home}/config/x509/issuer/certissuer.pfx",
        "truststore.password": "password",
        "keystores": [{
          "name": "second",
          "password.per.alias": [],
          "certificates": [],
          "entries": [
            {
              "name": "ca",
              "privatekey": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADA...removed...peGYffSn9E8=\n-----END PRIVATE KEY-----\n",
              "certificates": ["-----BEGIN CERTIFICATE-----\nMIIESTCC... removed...\n-----END CERTIFICATE-----\n"]
            },
            {
              "name": "root",
              "privatekey": "-----BEGIN PRIVATE KEY-----\n...removed...DlqjF8s=\n-----END PRIVATE KEY-----\n",
              "certificates": ["-----BEGIN CERTIFICATE-----\nMIIFUDCCAz...removed...HGSDk=\n-----END CERTIFICATE-----\n"]
            }
          ]
        }],
        "truststores": [{
          "name": "secondtrust",
          "password.per.alias": [],
          "certificate": "-----BEGIN CERTIFICATE-----\nMIIDrzCCApegAwIBA...removed...40KPMbp1ZWVbd4=\n-----END CERTIFICATE-----"
        }]

      }
    }
  ]
}

Configuration via Ceptor Console

Here, you can define which ports to listen for connections on, and which protocols to use.

You can add any number of listeners here, a listener is a TCP port that the gateway listens for connections for clients on, and for each port, you select the protocol (AJP, HTTP or HTTPS) to use.

Adding a new listener

When adding a new listener, select the protocol, and optionally specify the IP address to restrict listening to, then specify the TCP port number to use.


Once created, each listener has these properties which you can edit - note that the SSL options are only used if the protocol is set to https.


Listener settings


JSON key: A listener is specified as an object within a listener array.

Scheme / Protocol

Scheme / Protocol to use when listening on the TCP port.
Must be either https, http or ajp 
If https is specified, the SSL settings must also be filled in - otherwise they are ignored.

Protocols:

  • https
    HTTP over SSL.
  • http
    Unencrypted HTTP.
  • ajp
    Apache JServ Protocol - a binary unencrypted protocol used by some proxy servers, such as Apache or nginx.
    Use of ajp is to be considered experimental and not generally recommended.

Note that for HTTP, all current versions of the HTTP protocol are supported by the gateway, meaning 0.9/1.0/1.1 and HTTP/2.

Default: none
JSON key: scheme

IP Address

IP Address specifies which interface to listen for connections on - leave blank or set to 0.0.0.0 to listen on all interfaces.

Default: 0.0.0.0
JSON key is:  address

TCP Port

TCP Port to listen for connections on

Default: none
JSON key is port 

Support Proxy Protocol

Check to enable support for the HA Proxy protocol - use this to allow a proxy in front of Ceptor to forward IP address and TCP port information using this protocol instead of in HTTP headers.

See http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

Default: false
JSON key is: useproxyprotocol

Use forwarded header

Check to enable support for the Forwarded HTTP header - use this to allow a proxy in front of Ceptor to forward IP address and TCP port information using the RFC7239 HTTP Forwarded header.

See https://tools.ietf.org/html/rfc7239

SSL settings for https protocol

SSL settings for the https protocol.
JSON key: All ssl settings are in the JSON object sslcontext within the individual listener object. 

JCE Provider

Name of SSL JCE Provider to use, or leave blank for default JDK provider.

Default: Default in JDK/JRE.
JSON key: ssl.provider 

Protocol

Name of SSL Protocol (e.g. TLS), or leave blank for default.

Default: TLSv1.2
JSON key: ssl.protocol 

Want client auth

Ask client to optionally present an SSL client certificate - if set, the client is asked to provide a certificate, but allowed to proceed without one. Modern browsers support this by checking the CA certificate list sent by the server - if the client has any certificates issued by one of the trusted CA certs, then it prompts the user to select one of them. If there is no match, the client continues anonymously without sending a client certificate.

Default: false
JSON key: wantclientauth

Need client auth

Require client to present an SSL client certificate. If set, the client needs to provide an SSL client certificate, or the connection will be terminated.

Default: false
JSON key: needclientauth 

Allow renegotiate

Allow unsecure renegotiation, turn off for best security

Default: false
JSON key: allowrenegotiate 

Exclude protocols

Comma/semicolon separated list of SSL/TLS protocols to exclude from the JCE default protocols list - patterns are regex expressions.

Default: SSL,SSLv2,SSLv2Hello,SSLv3
JSON key: excludeprotocols 

Include protocols

Comma/semicolon separated list of protocols to include from the JCE supported protocols list - patterns are regex expressions.

Default: none
JSON key: includeprotocols 

Require SNI hostname to match available certificates

If set, incoming SNI hostname request must match a certificate, so no default is used.

This will give an SSL error in the client, if it does not send a SNI servername this server has a certificate that matches.

In the default case, the first available certificate will be used if an exact match cannot be found to the client SNI request.

Default: false
JSON key: sni.requirematch 

Use ciphersuites order

If set, use configured cipher suites order and prefer first specified in the list.

Default: false
JSON key: useciphersuites.order 

Exclude ciphersuites

Comma/semicolon separated list of ciphersuites to exclude from the JCE default ciphersuites list - patterns are regex expressions.

Default: .*NULL.*,.*RC4.*,.*MD5.*,.*DSS.*
JSON key: excludeciphersuites 

Include ciphersuites

Comma/semicolon separated list of ciphersuites to include from the JCE supported ciphersuites list - patterns are regex expressions

Default: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
JSON key: includeciphersuites 

Keystore type

Type of keystore, e.g. PKCS12, or JKS - must be a type supported by the specified Keystore provider.

Default: PKCS12
JSON key: keystore.type 

Keystore provider

Name of JCE provider (default BC - BouncyCastle Provider)

Default: BC
JSON key: keystore.provider 

Keystore file

Name of and path to file containing keystore

Default: none
JSON key: keystore.file 

Keystore password

Password for the keystore and keys within - can optionally be encrypted/obfuscated.

Default: none
JSON key: keystore.password 

Additional keystores

This allows you to define additional keystores to load certificates from, or you can add the certificates and private keys directly to the configuration without needing to load them from external files. (Requires minimum version 6.5.0)

Ceptor Gateway combines multiple keystores into one logical keystore - so if you load keys and certificates from multiple places using multiple providers, e.g. from both files and from hardware HSMs, then both types can be used simultaneously.

 

In this example above, you can define a new keystore of a different type and provider, and you can define extra keys and certificates directly without loading them from external sources.

For more specific information about the JSON layout, refer to: Keystore configuration

Default: none
JSON key: keystores 

Truststore type

Type of truststore, e.g. PKCS12, or JKS (default PKCS12)
All certificates found in this keystore will be loaded and used as accepted CA certificates when prompting for SSL client certificates.
Note that authentication is not done solely on these certificates - authentication of SSL client certificates is done by authentication plugins in the Ceptor Session Controller which have their own set of allowed and configured root CAs.

Default: none
JSON key: truststore.type 

Truststore provider

Name of JCE provider

Default: BC
JSON key: truststore.provider 

Truststore file

Name of and path to file containing truststore

Default: none
JSON key: truststore.file 

Truststore password

Password for the truststore and keys within - can optionally be encrypted/obfuscated

Default: none
JSON key: truststore.password 

Additional truststores

This allows you to define additional keystores to load trusted certificates from, or you can add the certificates directly to the configuration without needing to load them from external files. (Requires minimum version 6.5.0)

Default: none
JSON key: keystores 


© Ceptor ApS. All Rights Reserved.