Ceptor Gateway
Ceptor Gateway is a Reverse Proxy Server meant for use in a DMZ environment in front of your applications and services.
It is fully asynchronous, supports HTTP/2, WebSockets and request throttling, and has Application Firewall functionality.
It fully replaces Ceptor Dispatcher, which is still supported but now deprecated.
Functionality list
Ceptor Gateway offers, among others, the following functionality:
Reverse Proxy Server Functionality
- HTTP 1.0, 1.1 and 2 support - for both clients and servers
- HTTP/HTTPS/AJP Listeners
- SSL/TLS SNI
- WebSocket support
- HTTP/2 PUSH
- HTTP/2 Upgrade and ALPN
- Proxy Protocol support (see http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
- OpenTelemetry support
- RFC7239 Forwarded header support
- Response compression
- Location-based configuration
- Matching based upon host, path, cookie, query, post params, request method, scheme, headers, remote IP, attributes, GeoIP, userid, usergroup, pathparam, script
- Response Hooks
- URL Rewriting
- Proxy forwarding
- Full access log functionality with configurable content
- Destination / Target servers
- Authentication with servers
- Basic Auth
- Bearer Token
- SPNEGO/NTLM/Kerberos
- Forward SSL Client cert
- SAML Web SSO
- LTPA Tokens
- Stickiness
- Ping servers
- Customize request method URI
- Configure expected response codes
- Response body checking script
- Request/response modification
Web Application Firewall
- URL validation
- Request parameter (query, path, post) validation
- Define regex validations of input
- Defend against SQL injection attacks
- HTTP Header rewriting/adding/removal
- Cookie rewriting/adding/removal
- Session cookie SameSite support
- Request validation against XML / JSON schemas
- Create custom validations using scripting
- IP Ranges, with support for IP Reputation Databases - take action on known bad IPs.
Authentication and Authorization
- Session resolvers
- Advanced IP Address change filtering
- IP ranges
- GeoIP information
- Advanced scripting
- Domain redirect (share session between multiple separate domains)
- Authentication
- SSL Client certificate
- Basic Auth
- Bearer Token
- NTLM
- SPNEGO/Kerberos
- Forms
- OAuth / OAuth 2.0
- OpenID Connect
- ADFS / Web SSO
- LTPA Tokens
- Advanced script-based authentication - allows you to script any form of authentication
- Optional use of separate Login Application
- Authorization
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Authorization scripts for advanced checking
OpenID Connect Provider
- OpenID Connect Discovery
- JSON Web Key Set (JWKS) URI / Metadata
- Authorize / Token endpoints
- UserInfo endpoint
- Token Introspection (RFC7662)
- Token Revocation (RFC7009)
- Token Exchange (RFC8693)
Request Throttling
- Request Queuing / Throttling
- Limit concurrent requests
- Max requests per second
- Limits can be qualified, e.g. by IP address, client ID etc.
- Response Throttling
- Max bytes per second
API Gateway Functionality
- Rate limiting for API calls
- Multiple subscription levels
- Multiple limits, e.g. 100 per minute, max 10 per second
- Plugins for implementing own limits and rules
- Pipelines and Tasks
- XML to JSON / JSON to XML conversion
- Encoding / decoding
- Aggregate service calls
- Full scripting and flexibility
- Logging / tracing
- JSON Validation
- Serve published APIs for multiple environments
Advanced Functionality
- Java or JavaScript / Python / Groovy based plugins and scripts
- CookieSnapper - hide cookies from browsers
- Request tracing
- "Canned" responses
- Serve static resources
© Ceptor ApS. All Rights Reserved.