HTTP Proxy Server Properties

Property

Value

proxyplugins

<List of classnames, separated by ; or ,> - Default empty.

List of classes which implement the dk.itp.security.proxy.IProxyPlugin interface, and preferably extend the class dk.itp.security.proxy.AbstractProxyPlugin.

Plugins may modify the request and response content, for example to transform outgoing requests by adding WS-Security signing to web service calls, and to verify or decrypt the responses.

The plugin dk.itp.portalprotect.wss.proxy.WSSPlugin does just that.

httpProxyHost

<hostname> - Default blank.

If specified, the HTTP proxy will forward all requests to the defined httpProxyHost:httpProxyPort optionally using the httpProxyUser/httpProxyPassword as proxy-authentication.

This can be used if the HTTP Proxy Server is deployed internally and requests to the outside world have to pass through another proxy server.

httpProxyPort

<TCPIP port number> - Default: 8080

Used together with httpProxyHost, specifies the port number.

httpProxyUser

<userid> - Default blank

Userid for proxy authentication, if required by the proxy server specified in httpProxyHost.

httpProxyPassword

<password> - Default blank.

Password for proxy authentication; it can optionally be stored encrypted.

noproxyfor

<List of hostnames> - Default blank.

If specified, this is a list (separated by comma or semicolon) of hostnames or IP addresses for which the forwarding proxy in httpProxyHost is bypassed and the request is sent directly.

httpTimeoutSecs

<Timeout in seconds> - Default 120

Maximum time to wait for a reply from the backend server for an active request.

httpIdleTimeoutSecs

<Idle timeout in seconds> - Default 10

Maximum number of seconds an HTTP connection is kept open without being used, also known as the HTTP keep-alive timeout. Set this lower than the backend HTTP server's idle timeout; otherwise the server may close the connection at the same moment the client sends the next request on it, which surfaces as an error.
Do not confuse this setting with httpTimeoutSecs, which is the maximum time to wait for the response to an active request.
The cost of a low httpIdleTimeoutSecs is that connections are closed and reopened more often, so the SSL/TLS handshake is repeated. Setting it too high risks exceptions when the server has already closed the connection.

forceConnectionClose

<true | false> - Default is false

If set to true, a "Connection: close" header is sent with each request, asking the server to close the connection after the response. Connections are then never reused and every request opens a new socket.

accessloggingenabled

<true |false> - Default is false

If set to true, every HTTP request is logged to a log4j appender called "accesslog", in the same format as the PP admin GUI displays: "UserId IP-Address URL ResponseCode ContentLength ReplySize zippedReplySize TimeInMiliseconds".
If an exception occurred, it is logged as well, just as it is shown in the admin GUI.

When enabling it, configure log4j to send these log entries to a separate appender, preferably a dk.itp.peer2peer.log.BufferedRollingFileAppender, which performs considerably better than log4j's default file appenders.

Also, do not send the access log to the logserver: on busy systems it generates far too many log events.
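As an added example, not part of the product, here is a small analyser for access-log lines in the format quoted above. It splits the eight fields, collects any line that does not fit the pattern (which is where an exception line would land), and flags requests that ran up to httpTimeoutSecs, backend 5xx responses, and a user/IP pair hitting several distinct URLs with 401/403. The single-space separator, the absence of spaces in URLs, the sample lines and the shape of the exception line are all constructed assumptions; check a real line from your appender before relying on the split.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Field order from the page:
# UserId IP-Address URL ResponseCode ContentLength ReplySize zippedReplySize TimeInMiliseconds
LINE_RE = re.compile(
    r"^(?P<user>\S+) (?P<ip>\S+) (?P<url>\S+) (?P<code>\d{3}) "
    r"(?P<content_len>-?\d+) (?P<reply>-?\d+) (?P<zipped>-?\d+) (?P<ms>\d+)$"
)


@dataclass
class Access:
    user: str
    ip: str
    url: str
    code: int
    content_len: int
    reply: int
    zipped: int
    ms: int


def parse(lines):
    """Return (parsed entries, unparsed lines). Lines that do not match the
    eight-field pattern, e.g. the exception line the proxy writes after a failed
    request, are kept in the second list instead of being dropped silently."""
    entries, rest = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rest.append(line)
            continue
        g = m.groupdict()
        entries.append(Access(g["user"], g["ip"], g["url"], int(g["code"]),
                              int(g["content_len"]), int(g["reply"]),
                              int(g["zipped"]), int(g["ms"])))
    return entries, rest


def findings(entries, http_timeout_secs=120, auth_fail_threshold=3):
    """Simple detections over parsed entries; thresholds are assumptions."""
    out = []
    budget_ms = http_timeout_secs * 1000
    denied = defaultdict(set)  # (user, ip) -> distinct URLs answered 401/403
    for e in entries:
        if e.ms >= budget_ms:
            # Request took the whole httpTimeoutSecs budget: backend timeout.
            out.append(("timeout", e.user, e.url, e.ms))
        if e.code >= 500:
            out.append(("backend_error", e.user, e.url, e.code))
        if e.code in (401, 403):
            denied[(e.user, e.ip)].add(e.url)
    for (user, ip), urls in denied.items():
        if len(urls) >= auth_fail_threshold:
            out.append(("auth_probe", user, ip, len(urls)))
    return out


# Constructed sample; the last line imitates an exception entry (format assumed).
SAMPLE = """\
alice 10.0.0.5 https://intranet.example/app/home 200 512 4096 1200 37
alice 10.0.0.5 https://intranet.example/app/report 200 0 98304 21000 850
bob 10.0.0.9 https://intranet.example/admin/users 403 0 120 120 4
bob 10.0.0.9 https://intranet.example/admin/config 403 0 120 120 3
bob 10.0.0.9 https://intranet.example/admin/export 401 0 120 120 5
carol 10.0.0.12 https://backend.example/ws/orders 502 0 0 0 120000
carol 10.0.0.12 https://backend.example/ws/orders java.net.SocketTimeoutException: Read timed out
"""

if __name__ == "__main__":
    parsed, unparsed = parse(SAMPLE.splitlines())
    for f in findings(parsed):
        print(f)
    for u in unparsed:
        print("unparsed:", u)
```

Point the script at the file your BufferedRollingFileAppender writes (one line per request) and tune http_timeout_secs to the value configured for httpTimeoutSecs so the timeout detection matches the proxy's own budget.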

ssl.certAlias
ssl.crlPath
ssl.enableCRLDP
ssl.enableOCSP
ssl.endpointIdentificationAlgorithm
ssl.excludeCipherSuites
ssl.includeCipherSuites
ssl.includeProtocols
ssl.excludeProtocols
ssl.keyManagerPassword
ssl.keyStorePassword
ssl.keyStorePath
ssl.keyStoreProvider
ssl.keyStoreType
ssl.maxCertPathLength
ssl.needClientAuth
ssl.ocspResponderURL
ssl.protocol
ssl.provider
ssl.renegotiationAllowed
ssl.secureRandomAlgorithm
ssl.enableSessionCaching
ssl.sslKeyManagerFactoryAlgorithm
ssl.sslSessionCacheSize
ssl.sslSessionTimeout
ssl.stopTimeout
ssl.trustAll
ssl.trustManagerFactoryAlgorithm
ssl.trustStorePassword
ssl.trustStorePath
ssl.trustStoreProvider
ssl.trustStoreType
ssl.validateCerts
ssl.validatePeerCerts
ssl.wantClientAuth

These settings all map to the Jetty SslContextFactory that is used when the proxy server establishes SSL/TLS connections to a remote server.

Please refer to Jetty HTTP Client's documentation for full details.

The default for ssl.excludeProtocols is "SSLv3" and for ssl.includeProtocols it is TLSv1; the defaults for the remaining settings are blank. Note what this means for a proxy left at the defaults: it offers only TLS 1.0, which is deprecated (RFC 8996), and with ssl.endpointIdentificationAlgorithm blank the remote server's hostname is not checked against its certificate. Set ssl.includeProtocols to TLSv1.2 and/or TLSv1.3 (as supported by your JDK), exclude TLSv1 and TLSv1.1 as well as SSLv3, and set ssl.endpointIdentificationAlgorithm to HTTPS. ssl.trustAll=true disables certificate validation entirely and must not be used outside a test environment; configure ssl.trustStorePath instead.
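As an added example, not PortalProtect's own code, here is a weak and a hardened property set for the HTTP Proxy Server together with a small audit that flags the settings a reviewer would reject: legacy TLS protocols (taking into account that an excluded protocol wins over an included one, as in Jetty), ssl.trustAll, a missing hostname check, an httpIdleTimeoutSecs that is not below the backend keep-alive, and a forwarding proxy with no noproxyfor exemptions. The property names are the ones documented on this page and the ',' / ';' list separators follow the convention stated for proxyplugins and noproxyfor. The backend keep-alive figure, the severities, the paths, the password placeholders and the exact-match semantics of noproxyfor are assumptions made for the example.

```python
import re

# Constructed property sets. WEAK relies on the defaults described on this page.
WEAK = """
httpProxyHost=egress-proxy.corp.example
httpProxyPort=8080
httpProxyUser=proxysvc
httpProxyPassword=Winter2024!
noproxyfor=
httpIdleTimeoutSecs=10
# page defaults: only TLSv1 offered, no hostname check, trust everything
ssl.includeProtocols=TLSv1
ssl.excludeProtocols=SSLv3
ssl.trustAll=true
"""

HARDENED = """
httpProxyHost=egress-proxy.corp.example
httpProxyPort=8080
httpProxyUser=proxysvc
httpProxyPassword=use-the-encrypted-form-here
noproxyfor=intranet.example, 10.0.0.5
httpIdleTimeoutSecs=4
httpTimeoutSecs=60
accessloggingenabled=true
ssl.includeProtocols=TLSv1.2, TLSv1.3
ssl.excludeProtocols=SSLv3, TLSv1, TLSv1.1
ssl.endpointIdentificationAlgorithm=HTTPS
ssl.trustAll=false
ssl.trustStorePath=/etc/portalprotect/backend-truststore.p12
ssl.trustStoreType=PKCS12
ssl.trustStorePassword=use-the-encrypted-form-here
"""

LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Minimal java.util.Properties-style parser: '#'/'!' comments, key=value or
    key:value, whitespace trimmed. No continuation lines or escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_list(value):
    """Lists on this page are separated by ',' or ';'."""
    return [v.strip() for v in re.split(r"[;,]", value or "") if v.strip()]


def uses_forwarding_proxy(props, host):
    """Mirror of the noproxyfor rule: forward via httpProxyHost unless the target
    is listed. Exact, case-insensitive matching is an assumption."""
    if not props.get("httpProxyHost"):
        return False
    exempt = {h.lower() for h in split_list(props.get("noproxyfor"))}
    return host.lower() not in exempt


def audit(props, server_keepalive_secs=5):
    """Return (severity, property, message) triples. Missing values take the
    defaults the page states. The 5 s backend keep-alive is an assumed figure."""
    out = []
    offered = split_list(props.get("ssl.includeProtocols")) or ["TLSv1"]
    excluded = set(split_list(props.get("ssl.excludeProtocols")) or ["SSLv3"])
    weak = [p for p in offered if p in LEGACY and p not in excluded]
    if weak:
        out.append(("high", "ssl.includeProtocols",
                    "deprecated protocol(s) offered: " + ", ".join(weak)))
    if props.get("ssl.trustAll", "").lower() == "true":
        out.append(("critical", "ssl.trustAll",
                    "remote certificates are accepted without validation"))
    if props.get("ssl.endpointIdentificationAlgorithm", "").upper() != "HTTPS":
        out.append(("high", "ssl.endpointIdentificationAlgorithm",
                    "remote hostname is not checked against the certificate"))
    idle = int(props.get("httpIdleTimeoutSecs") or 10)
    if idle >= server_keepalive_secs:
        out.append(("medium", "httpIdleTimeoutSecs",
                    f"{idle}s is not below the backend keep-alive of {server_keepalive_secs}s"))
    if props.get("httpProxyHost") and not split_list(props.get("noproxyfor")):
        out.append(("low", "noproxyfor",
                    "every request, internal hosts included, is sent via httpProxyHost"))
    if props.get("httpProxyUser") and not props.get("httpProxyPassword"):
        out.append(("low", "httpProxyPassword", "proxy user set without a password"))
    return out


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(parse_properties(text)) or "no findings")
```

Run it against the proxy's real property file to get the same list; the keep-alive threshold should be replaced by the idle timeout actually configured on the backend HTTP server, since the page's rule is that httpIdleTimeoutSecs must stay below it.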