Ceptor Gateway

Ceptor Gateway is a Reverse Proxy Server meant for use in a DMZ environment in front of your applications and services.

It is fully asynchronous and supports HTTP/2, WebSockets, request throttling and has Application Firewall functionality.

It fully replaces Ceptor Dispatcher which is still supported, but now deprecated.

Functionality list

Ceptor Gateway has among other, these functionalities:

Reverse Proxy Server Functionality

  • HTTP 1.0, 1.1 and 2 support - both for client and servers
  • HTTP/HTTPS/AJP Listeners
  • SSL/TLS SNI
  • WebSocket support
  • HTTP/2 PUSH
  • HTTP/2 Upgrade and ALPN
  • Proxy Protocol support (see http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
  • OpenTelemetry support
  • RFC7239 Forwarded header support
  • Response compression
  • Location-based configuration
    • Matching based upon host, path, cookie, query, post params, request method, scheme, headers, remote IP, attributes, GeoIP, userid, usergroup, pathparam, script
    • Response Hooks
  • URL Rewriting
  • Proxy forwarding
  • Full access log functionality with configurable content
  • Destination / Target servers
    • Authentication with servers
      • Basic Auth
      • Bearer Token
      • SPNEGO/NTLM/Kerberos
      • Forward SSL Client cert
      • SAML Web SSO
      • LTPA Tokens
    • Stickiness
    • Ping servers
      • Customize request method URI
      • Configure expected response codes
      • Response body checking script
  • Request/response modification

Web Application Firewall

  • URL validation
  • Request parameter (query, path, post) validation
    • Define regex validations of input
    • Defend against SQL injection attacks
  • HTTP Header rewriting/adding/removal
  • Cookie rewriting/adding/removal
  • Session cookie SameSite support
  • Request validation against XML / JSON schemas
  • Create custom validations using scripting
  • IP Ranges, with support for IP Reputation Databases - take action on known bad IPs.

Authentication and Authorization

  • Session resolvers
  • Advanced IP Address change filtering
    • IP ranges
    • GeoIP information
    • Advanced scripting
  • Domain redirect (share session between multiple separate domains)
  • Authentication
    • SSL Client certificate
    • Basic Auth
    • Bearer Token
    • NTLM
    • SPNEGO/Kerberos
    • Forms
    • OAuth / OAuth 2.0
    • OpenID Connect
    • ADFS / Web SSO
    • LTPA Tokens
    • Advanced script-based authentication - allows you to script any form of authentication
    • Optional use of separate Login Application
  • Authorization
    • Role-Based Access Control (RBAC)
    • Attribute-Based Access Control (ABAC)
    • Authorization scripts for advanced checking

OpenID Connect Provider

  • OpenID Connect Discovery
  • JSON Web Key Set (JWKS) URI / Metadata
  • Authorize / Token endpoints
  • UserInfo endpoint
  • Token Introspection (RFC7662)
  • Token Revocation (RFC7009)
  • Token Exchange (RFC8693)

Request Throttling

  • Request Queuing / Throttling
    • Limit concurrent requests
    • Max requests per second
    • Limits can be qualified, e.g. by IP address, client ID etc.
  • Response Throttling
    • Max bytes per second

API Gateway Functionality

  • Rate limiting for API calls
    • Multiple subscription levels
    • Multiple limits, e.g. 100 per minute, max 10 per second
    • Plugins for implementing own limits and rules
  • Pipelines and Tasks
    • XML to JSON / JSON to XML conversion
    • Encoding / decoding
    • Aggregate service calls
    • Full scripting and flexibility
    • Logging / tracing
    • JSON Validation
  • Serve published APIs for multiple environments

Advanced Functionality

  • Java or JavaScript / Python / Groovy based plugins and scripts
  • CookieSnapper - hide cookies from browsers
  • Request tracing
  • "Canned" responses
  • Serve static resources

© Ceptor ApS. All Rights Reserved.