Global config
The global config, named Danger zone in Otoroshi, is the place to configure Otoroshi globally.
Warning: the settings on this page are sensitive and affect the global behaviour of Otoroshi.
Misc. Settings
Maintenance mode
: Puts every single service in maintenance mode. If a user calls a service, the maintenance page will be displayed
No OAuth login for BackOffice
: Forces admins to login only with user/password or user/password/U2F device
API Read Only
: Freezes the Otoroshi datastore in read only mode. Only people with access to the actual underlying datastore will be able to disable this.
Auto link default
: When no group is specified on a service, it will be assigned to the default one
Use circuit breakers
: Use circuit breakers on all services
Use new http client as the default Http client
: All http calls will use the new http client by default
Enable live metrics
: Enable live metrics in the Otoroshi cluster. Performs a lot of writes in the datastore
Digitus medius
: Use the middle finger emoji as the response character for endless HTTP responses (see IP address filtering settings).
Limit conc. req.
: Limit the number of concurrent requests processed by Otoroshi to a certain amount. Highly recommended for resilience
Use X-Forwarded-* headers for routing
: When evaluating the routing of a request, X-Forwarded-* headers will be used if present
Max conc. req.
: Maximum number of concurrent requests processed by Otoroshi.
Max HTTP/1.0 resp. size
: Maximum size of an HTTP/1.0 response in bytes. After this limit, the response will be cut and sent as is. The best value here should satisfy (maxConcurrentRequests * maxHttp10ResponseSize) < process.memory for the worst case scenario.
Max local events
: Maximum number of events stored.
Lines
: deprecated
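The sizing rule above, (maxConcurrentRequests * maxHttp10ResponseSize) < process.memory, is easy to get wrong when the two fields are edited separately. The following is an added example, not Otoroshi's own code, that checks a global config export against that rule and against two related settings on this page (the concurrent request limit and the per-IP vs. global throttling quotas). The JSON key names `limitConcurrentRequests`, `throttlingQuota` and `perIpThrottlingQuota` are assumptions modelled on the UI labels; compare them with the JSON export available at the bottom of the page before relying on them. The sample configs are constructed for the example.

```python
"""Sanity checks for Otoroshi "Misc. Settings" (added example, not Otoroshi code)."""

# Constructed sample: a config that respects the sizing rule on an 8 GiB process.
SAFE_CONFIG = {
    "limitConcurrentRequests": True,          # assumed key name
    "maxConcurrentRequests": 1000,            # named on the page
    "maxHttp10ResponseSize": 4 * 1024 * 1024, # named on the page: 4 MiB
    "throttlingQuota": 10_000_000,            # assumed key name (Global throttling)
    "perIpThrottlingQuota": 10_000_000,       # assumed key name (Throttling per IP)
}

# Constructed sample: a config that violates every check.
RISKY_CONFIG = {
    "limitConcurrentRequests": False,
    "maxConcurrentRequests": 10_000,
    "maxHttp10ResponseSize": 4 * 1024 * 1024,
    "throttlingQuota": 1000,
    "perIpThrottlingQuota": 5000,
}

EIGHT_GIB = 8 * 1024 ** 3


def worst_case_http10_bytes(config):
    """Upper bound on bytes buffered by HTTP/1.0 responses when every
    concurrent slot is filled with a response hitting the size cap."""
    return config["maxConcurrentRequests"] * config["maxHttp10ResponseSize"]


def check_misc_settings(config, process_memory_bytes):
    """Return a list of findings; an empty list means the config passes."""
    findings = []

    # The page recommends enabling the concurrent request limit for resilience.
    if not config.get("limitConcurrentRequests", False):
        findings.append("limitConcurrentRequests is off: in-flight requests are uncapped")

    # Sizing rule quoted on the page.
    worst = worst_case_http10_bytes(config)
    if worst >= process_memory_bytes:
        findings.append(
            f"worst-case HTTP/1.0 buffering {worst} B >= process memory "
            f"{process_memory_bytes} B"
        )

    # A per-IP quota above the global quota can never trigger: the global
    # limit is reached first, so the per-IP setting is dead configuration.
    if config.get("perIpThrottlingQuota", 0) > config.get("throttlingQuota", 0):
        findings.append("perIpThrottlingQuota exceeds throttlingQuota")

    return findings


if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(name, check_misc_settings(cfg, EIGHT_GIB) or "ok")
```

Run it against a real JSON export by loading the file with `json.load` and passing the resulting dict to `check_misc_settings` together with the memory actually granted to the Otoroshi process.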
IP address filtering settings
IP allowed list
: Only these IP addresses will be able to access Otoroshi exposed services
IP blocklist
: IP addresses that will be refused access to Otoroshi exposed services
Endless HTTP Responses
: IP addresses for which each request will return around 128 Gb of 0s
Quotas settings
Global throttling
: The max. number of requests allowed per second globally on Otoroshi
Throttling per IP
: The max. number of requests allowed per second per IP address globally on Otoroshi
Analytics: Elastic dashboard datasource (read)
Cluster URI
: Elastic cluster URI
Index
: Elastic index
Type
: Event type (not needed for elasticsearch above 6.x)
User
: Elastic user (optional)
Password
: Elastic password (optional)
Version
: Elastic version (optional, if none provided it will be fetched from the cluster)
Apply template
: Automatically apply the index template
Check Connection
: Button to test the configuration. It will display a modal with a connection checklist; if the connection is successful, it will display the found version of Elasticsearch and the index used
Manually apply index template
: try to put the elasticsearch template by calling the api of elasticsearch
Show index template
: try to retrieve the current index template present in elasticsearch
Client side temporal indexes handling
: When enabled, Otoroshi will manage the creation of indexes over time. When it's disabled, Otoroshi will push in the same index
One index per
: When the previous field is enabled, you can choose the interval of time between the creation of a new index in elasticsearch
Custom TLS Settings
: Enable the TLS configuration for the communication with Elasticsearch
TLS loose
: if enabled, will block all untrusted ssl configs
TrustAll
: allows any server certificate, even self-signed ones
Client certificates
: list of client certificates used to communicate with elasticsearch
Trusted certificates
: list of trusted certificates received from elasticsearch
Statsd settings
Datadog agent
: The StatsD agent is a Datadog agent
StatsD agent host
: The host on which the StatsD agent is listening
StatsD agent port
: The port on which the StatsD agent is listening (default is 8125)
Backoffice auth. settings
Backoffice auth. config
: the authentication module used in front of Otoroshi. It will be used to connect to Otoroshi on the login page
Let's encrypt settings
Enabled
: when enabled, Otoroshi will have the possibility to sign certificates from let's encrypt, notably in the SSL/TLS Certificates page
Server URL
: ACME endpoint of let's encrypt
Email addresses
: (optional) list of addresses used to order the certificates
Contact URLs
: (optional) list of addresses used to order the certificates
Public Key
: used to ask a certificate from let's encrypt, generated by Otoroshi
Private Key
: used to ask a certificate from let's encrypt, generated by Otoroshi
CleverCloud settings
Once configured, you can register a clever cloud app of your organization directly as an Otoroshi service.
CleverCloud consumer key
: consumer key of your clever cloud OAuth 1.0 app
CleverCloud consumer secret
: consumer secret of your clever cloud OAuth 1.0 app
OAuth Token
: oauth token of your clever cloud OAuth 1.0 app
OAuth Secret
: oauth token secret of your clever cloud OAuth 1.0 app
CleverCloud orga. Id
: id of your clever cloud organization
Global scripts
Global scripts will be deprecated soon, please use global plugins instead (see the next section)!
Global plugins
Enabled
: enable the use of global plugins
Plugins on new Otoroshi engine
: list of plugins used by the new Otoroshi engine
Plugins on old Otoroshi engine
: list of plugins used by the old Otoroshi engine
Plugin configuration
: the overloaded configuration of plugins
Proxies
In this section, you can add a list of proxies for:
- Proxy for alert emails (mailgun)
- Proxy for alert webhooks
- Proxy for Clever-Cloud API access
- Proxy for services access
- Proxy for auth. access (OAuth, OIDC)
- Proxy for client validators
- Proxy for JWKS access
- Proxy for elastic access
Each proxy has the following fields:
Proxy host
: host of the proxy
Proxy port
: port of the proxy
Proxy principal
: user of the proxy
Proxy password
: password of the proxy
Non proxy host
: IP address that can access the service
Quotas alerting settings
Enable quotas exceeding alerts
: When an apikey's quotas are almost exceeded, an alert will be sent
Daily quotas threshold
: The percentage of daily calls before sending alerts
Monthly quotas threshold
: The percentage of monthly calls before sending alerts
User-Agent extraction settings
User-Agent extraction
: Allow user-agent details extraction. Can have impact on consumed memory.
Geolocation extraction settings
Extract a geolocation for each call to Otoroshi.
TLS Settings
Use random cert.
: Use the first available cert when none matches the current domain
Default domain
: When the SNI domain cannot be found, this one will be used to find the matching certificate
Trust JDK CAs (server)
: Trust JDK CAs. The CAs from the JDK CA bundle will be proposed in the certificate request when performing the TLS handshake
Trust JDK CAs (trust)
: Trust JDK CAs. The CAs from the JDK CA bundle will be used as trusted CAs when calling HTTPS resources
Trusted CAs (server)
: Select the trusted CAs you want for TLS termination. Only those CAs will be proposed in the certificate request when performing the TLS handshake
Auto Generate Certificates
Enabled
: Generate certificates on the fly when they don't exist
Reply Nicely
: When receiving a request from a not allowed domain name, accept the connection and display a nice error message
CA
: certificate CA used to generate missing certificates
Allowed domains
: Allowed domains
Not allowed domains
: Not allowed domains
Global metadata
Tags
: tags attached to the global config
Metadata
: metadata attached to the global config
Actions at the bottom of the page
Recover from a full export file
: Load the global configuration from a previous export
Full export
: Export with all created entities
Full export (ndjson)
: Export the full state of the database in ndjson format
JSON
: Get the global config in JSON format
YAML
: Get the global config in YAML format
Enable Panic Mode
: Log out all users from the UI and prevent any changes to the database by setting the Otoroshi admin api to read-only. The only way to exit this mode is to disable it directly in the database.