Ceptor Gateway

Ceptor Gateway is a Reverse Proxy Server meant for use in a DMZ environment in front of your applications and services.

It is fully asynchronous, supports HTTP/2, WebSockets and request throttling, and has Application Firewall functionality.

It fully replaces Ceptor Dispatcher, which is still supported but now deprecated.

Functionality list

Ceptor Gateway has, among others, the following functionality:

Reverse Proxy Server Functionality

  • HTTP 1.0, 1.1 and 2 support - both for clients and servers

  • HTTP/HTTPS/AJP Listeners

  • SSL/TLS SNI

  • WebSocket support

  • HTTP/2 PUSH

  • HTTP/2 Upgrade and ALPN

  • Proxy Protocol support (see http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)

  • OpenTelemetry support

  • RFC7239 Forwarded header support

  • Response compression

  • Location-based configuration

    • Matching based upon host, path, cookie, query, post params, request method, scheme, headers, remote IP, attributes, GeoIP, userid, usergroup, pathparam, script

    • Response Hooks

  • URL Rewriting

  • Proxy forwarding

  • Full access log functionality with configurable content

  • Destination / Target servers

    • Authentication with servers

      • Basic Auth

      • Bearer Token

      • SPNEGO/NTLM/Kerberos

      • Forward SSL Client cert

      • SAML Web SSO

      • LTPA Tokens

    • Stickiness

    • Ping servers

      • Customize request method URI

      • Configure expected response codes

      • Response body checking script

  • Request/response modification

Web Application Firewall

  • URL validation

  • Request parameter (query, path, post) validation

    • Define regex validations of input

    • Defend against SQL injection attacks

  • HTTP Header rewriting/adding/removal

  • Cookie rewriting/adding/removal

  • Session cookie SameSite support

  • Request validation against XML / JSON schemas

  • Create custom validations using scripting

  • IP Ranges, with support for IP Reputation Databases - take action on known bad IPs.

Authentication and Authorization

  • Session resolvers

  • Advanced IP Address change filtering

    • IP ranges

    • GeoIP information

    • Advanced scripting

  • Domain redirect (share session between multiple separate domains)

  • Authentication

    • SSL Client certificate

    • Basic Auth

    • Bearer Token

    • NTLM

    • SPNEGO/Kerberos

    • Forms

    • OAuth / OAuth 2.0

    • OpenID Connect

    • ADFS / Web SSO

    • LTPA Tokens

    • Advanced script-based authentication - allows you to script any form of authentication

    • Optional use of separate Login Application

  • Authorization

    • Role-Based Access Control (RBAC)

    • Attribute-Based Access Control (ABAC)

    • Authorization scripts for advanced checking

OpenID Connect Provider

  • OpenID Connect Discovery

  • JSON Web Key Set (JWKS) URI / Metadata

  • Authorize / Token endpoints

  • UserInfo endpoint

  • Token Introspection (RFC7662)

  • Token Revocation (RFC7009)

  • Token Exchange (RFC8693)

Request Throttling

  • Request Queuing / Throttling

    • Limit concurrent requests

    • Max requests per second

    • Limits can be qualified, e.g. by IP address, client ID etc.

  • Response Throttling

    • Max bytes per second

API Gateway Functionality

  • Rate limiting for API calls

    • Multiple subscription levels

    • Multiple limits, e.g. 100 per minute, max 10 per second

    • Plugins for implementing own limits and rules

  • Pipelines and Tasks

    • XML to JSON / JSON to XML conversion

    • Encoding / decoding

    • Aggregate service calls

    • Full scripting and flexibility

    • Logging / tracing

    • JSON Validation

  • Serve published APIs for multiple environments

Advanced Functionality

  • Java or JavaScript / Python / Groovy based plugins and scripts

  • CookieSnapper - hide cookies from browsers

  • Request tracing

  • "Canned" responses

  • Serve static resources

© Ceptor ApS. All Rights Reserved.