Ceptor Gateway is a Reverse Proxy Server meant for use in a DMZ environment in front of your applications and services.

It is fully asynchronous and supports HTTP/2, WebSockets, request throttling and has Application Firewall functionality.

It fully replaces Ceptor Dispatcher which is still supported, but now deprecated.

Functionality list

Ceptor Gateway has among other, these functionalities:

Reverse Proxy Server Functionality

• HTTP 1.0, 1.1 and 2 support - both for client and servers
• HTTP/HTTPS/AJP Listeners
• SSL/TLS SNI
• WebSocket support
• HTTP/2 PUSH
• HTTP/2 Upgrade and ALPN
• Proxy Protocol support (see http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
• OpenTelemetry support
• RFC7239 Forwarded header support
• Response compression
• Location-based configuration
  • Matching based upon host, path, cookie, query, post params, request method, scheme, headers, remote IP, attributes, GeoIP, userid, usergroup, pathparam, script
  • Response Hooks
• URL Rewriting
• Proxy forwarding
• Full access log functionality with configurable content
• Destination / Target servers
  
  • Authentication with servers
    • Basic Auth
    • Bearer Token
    • SPNEGO/NTLM/Kerberos
    • Forward SSL Client cert
    • SAML Web SSO
    • LTPA Tokens
  • Stickiness
  • Ping servers
    • Customize request method URI
    • Configure expected response codes
    • Response body checking script
• Request/response modification

Web Application Firewall

• URL validation
• Request parameter (query, path, post) validation
  
  • Define regex validations of input
  • Defend against SQL injection attacks
• HTTP Header rewriting/adding/removal
• Cookie rewriting/adding/removal
• Session cookie SameSite support
• Request validation against XML / JSON schemas
• Create custom validations using scripting
• IP Ranges, with support for IP Reputation Databases - take action on known bad IPs.

Authentication and Authorization

• Session resolvers
• Advanced IP Address change filtering
  • IP ranges
  • GeoIP information
  • Advanced scripting
• Domain redirect (share session between multiple separate domains)
• Authentication
  • SSL Client certificate
  • Basic Auth
  • Bearer Token
  • NTLM
  • SPNEGO/Kerberos
  • Forms
  • OAuth / OAuth 2.0
  • OpenID Connect
  • ADFS / Web SSO
  • LTPA Tokens
  • Advanced script-based authentication - allows you to script any form of authentication
  • Optional use of separate Login Application
• Authorization
  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • Authorization scripts for advanced checking

OpenID Connect Provider

• OpenID Connect Discovery
• JSON Web Key Set (JWKS) URI / Metadata
• Authorize / Token endpoints
• UserInfo endpoint
• Token Introspection (RFC7662)
• Token Revocation (RFC7009)
• Token Exchange (RFC8693)

Request Throttling

• Request Queuing / Throttling
  • Limit concurrent requests
  • Max requests per second
  • Limits can be qualified, e.g. by IP address, client ID etc.
• Response Throttling
  • Max bytes per second

API Gateway Functionality

• Rate limiting for API calls
  • Multiple subscription levels
  • Multiple limits, e.g. 100 per minute, max 10 per second
  • Plugins for implementing own limits and rules
• Pipelines and Tasks
  • XML to JSON / JSON to XML conversion
  • Encoding / decoding
  • Aggregate service calls
  • Full scripting and flexibility
  • Logging / tracing
  • JSON Validation
• Serve published APIs for multiple environments

Advanced Functionality

• Java or JavaScript / Python / Groovy based plugins and scripts
• CookieSnapper - hide cookies from browsers
• Request tracing
• "Canned" responses
• Serve static resources