Built-in plugins

Otoroshi next provides some plugins out of the box. Here are the available plugins with their documentation and reference configuration.

Additional headers in

Defined on steps

  • TransformRequest

This plugin adds headers in the incoming otoroshi request

Additional headers out

Defined on steps

  • TransformResponse

This plugin adds headers in the otoroshi response

Allowed HTTP methods

Defined on steps

  • ValidateAccess

This plugin verifies the current request only uses allowed http methods

Apikey auth module

Defined on steps

  • PreRoute

This plugin adds basic auth on service where credentials are valid apikeys on the current service.

Apikeys

Defined on steps

  • MatchRoute
  • ValidateAccess
  • TransformRequest

This plugin expects to find an apikey to allow the request to pass

Apikey quotas

Defined on steps

  • ValidateAccess

Increments quotas for the current apikey. Useful when ‘legacy checks’ are disabled on a service/globally or when apikeys are extracted in a custom fashion.

Authentication

Defined on steps

  • ValidateAccess

This plugin applies an authentication module

Basic Auth. caller

Defined on steps

  • TransformRequest

This plugin can be used to call APIs that are authenticated using basic auth.

Brotli compression

Defined on steps

  • TransformResponse

This plugin can compress responses using brotli

Build mode

Defined on steps

  • PreRoute

This plugin displays a build page

Canary mode

Defined on steps

  • PreRoute
  • TransformResponse

This plugin can split a portion of the traffic to canary backends

Context validator

Defined on steps

  • ValidateAccess

This plugin validates the current context using JSONPath validators.

CORS

Defined on steps

  • PreRoute
  • TransformResponse

This plugin applies CORS rules

Disable HTTP/1.0

Defined on steps

  • ValidateAccess

This plugin forbids HTTP/1.0 requests

Endless HTTP responses

Defined on steps

  • TransformRequest

This plugin returns 128 Gb of 0 to the IP addresses that are in the list

Eureka instance

Defined on steps

  • CallBackend

Eureka plugin description

Internal Eureka target

Defined on steps

  • PreRoute

This plugin can be used to use a target that comes from an internal Eureka server. If you want to use a target that is located outside of Otoroshi, you must use the External Eureka Server.

External Eureka target

Defined on steps

  • PreRoute

This plugin can be used to use a target that comes from an external Eureka server. If you want to use a target that is directly exposed by an implementation of Eureka by Otoroshi, you must use the Internal Eureka Server.

Force HTTPS traffic

Defined on steps

  • PreRoute

This plugin verifies the current request uses HTTPS

Forwarded header

Defined on steps

  • TransformRequest

This plugin adds the Forwarded header to the request for the backend target

Global Maintenance mode

Defined on steps

  • PreRoute

This plugin displays a maintenance page for every service. Useful when ‘legacy checks’ are disabled on a service/globally

Global per ip address throttling

Defined on steps

  • ValidateAccess

Enforce global per ip address throttling. Useful when ‘legacy checks’ are disabled on a service/globally

Global throttling

Defined on steps

  • ValidateAccess

Enforce global throttling. Useful when ‘legacy checks’ are disabled on a service/globally

GraphQL Composer

Defined on steps

  • CallBackend

This plugin exposes a GraphQL API that you can compose with whatever you want

GraphQL Proxy

Defined on steps

  • CallBackend

This plugin can apply validations (query, schema, max depth, max complexity) on graphql endpoints

GraphQL Query to REST

Defined on steps

  • CallBackend

This plugin can be used to call GraphQL query endpoints and expose them as a REST endpoint

Gzip compression

Defined on steps

  • TransformResponse

This plugin can compress responses using gzip

HMAC caller plugin

Defined on steps

  • TransformRequest

This plugin can be used to call an API “protected” by an HMAC signature. It adds a signature computed with the secret configured on the plugin. The signature string will always be the content of the headers listed in the plugin configuration.

HMAC access validator

Defined on steps

  • ValidateAccess

This plugin can be used to check if an HMAC signature is present and valid in the Authorization header.

Headers validation

Defined on steps

  • ValidateAccess

This plugin validates the values of incoming request headers

Http3 traffic switch

Defined on steps

  • TransformResponse

This plugin injects an additional alt-svc header to switch to the http3 server

Image replacer

Defined on steps

  • TransformResponse

Replaces all responses with content-type image/* as they are proxied

IP allowed list

Defined on steps

  • ValidateAccess

This plugin verifies the current request ip address is in the allowed list

IP block list

Defined on steps

  • ValidateAccess

This plugin verifies the current request ip address is not in the blocked list

JQ

Defined on steps

  • TransformRequest
  • TransformResponse

This plugin lets you transform JSON bodies (in requests and responses) using JQ filters.

JQ transform request

Defined on steps

  • TransformRequest

This plugin lets you transform the request JSON body using JQ filters.

JQ transform response

Defined on steps

  • TransformResponse

This plugin lets you transform the JSON response using JQ filters.

request body json-to-xml

Defined on steps

  • TransformRequest

This plugin transforms the incoming request body from json to xml and may apply a jq transformation

response body json-to-xml

Defined on steps

  • TransformResponse

This plugin transforms the response body from json to xml and may apply a jq transformation

Jwt signer

Defined on steps

  • ValidateAccess
  • TransformRequest

This plugin can only generate tokens

Jwt verifiers

Defined on steps

  • ValidateAccess
  • TransformRequest

This plugin verifies the current request with one or more jwt verifiers

Jwt verification only

Defined on steps

  • ValidateAccess

This plugin verifies the current request with one jwt verifier

Maintenance mode

Defined on steps

  • PreRoute

This plugin displays a maintenance page

Missing headers in

Defined on steps

  • TransformRequest

This plugin adds headers (if missing) in the incoming otoroshi request

Missing headers out

Defined on steps

  • TransformResponse

This plugin adds headers (if missing) in the otoroshi response

Mock Responses

Defined on steps

  • CallBackend

This plugin returns mock responses

Multi Authentication

Defined on steps

  • ValidateAccess

This plugin applies an authentication module from a list of selected modules

User logged in expected

Defined on steps

  • ValidateAccess

This plugin enforces that a user from any auth. module is logged in

User extraction from auth. module

Defined on steps

  • ValidateAccess

This plugin extracts users from an authentication module without enforcing login

Apikey from Biscuit token extractor

Defined on steps

  • PreRoute

This plugin extracts an apikey from a Biscuit token where the biscuit has an #authority fact ‘client_id’ containing the apikey client_id and an #authority fact ‘client_sign’ that is the HMAC256 signature of the apikey client_id with the apikey client_secret

Biscuit token validator

Defined on steps

  • ValidateAccess

This plugin validates a Biscuit token

Client certificate as apikey

Defined on steps

  • PreRoute

This plugin uses client certificate as an apikey. The apikey will be stored for classic apikey usage

Client certificate header

Defined on steps

  • TransformRequest

This plugin passes client certificate information to the target in headers

Client credential token endpoint

Defined on steps

  • CallBackend

This plugin provides the token endpoint for the client_credential flow

Client Credential Service

Defined on steps

  • Sink

This plugin adds an OAuth client credentials service (https://unhandleddomain/.well-known/otoroshi/oauth/token) to create an access_token given a client id and secret

Custom quotas

Defined on steps

  • ValidateAccess

This plugin will enforce quotas on the current route based on whatever you want

Custom throttling

Defined on steps

  • ValidateAccess

This plugin will enforce throttling on the current route based on whatever you want

Default request body

Defined on steps

  • TransformRequest

This plugin adds a default request body if none specified

Defer Responses

Defined on steps

  • TransformRequest

This plugin will expect an X-Defer header or a defer query param and defer the response according to the value in milliseconds. This plugin is some kind of inside joke, as one of our customers asked us to make slower APIs.

Global self registration endpoints (service discovery)

Defined on steps

  • Sink

This plugin adds support for self registration endpoints on specific hostnames

Self registration endpoints (service discovery)

Defined on steps

  • TransformRequest

This plugin adds support for self registration endpoints on a specific service

Service discovery target selector (service discovery)

Defined on steps

  • PreRoute

This plugin selects a target in the pool of discovered targets for this service. Use it in combination with either DiscoverySelfRegistrationSink or DiscoverySelfRegistrationTransformer to make it work using the self registration pattern, or use an implementation of DiscoveryJob for the third party registration pattern.

Error response rewrite

Defined on steps

  • TransformResponse

This plugin catches HTTP responses with specific statuses and rewrites the response

Geolocation endpoint

Defined on steps

  • TransformRequest

This plugin will expose current geolocation information on the following endpoint: /.well-known/otoroshi/plugins/geolocation

Geolocation header

Defined on steps

  • TransformRequest

This plugin will send information extracted by the Geolocation details extractor to the target service in a header.

Allowed users only

Defined on steps

  • ValidateAccess

This plugin only lets allowed users pass

Client Certificate + Api Key only

Defined on steps

  • ValidateAccess

Check if a client certificate is present in the request and that the apikey used matches the client certificate. You can set the client cert. DN in an apikey metadata named allowed-client-cert-dn

Client certificate matching (over http)

Defined on steps

  • ValidateAccess

Check if the client certificate matches the configuration fetched from an HTTP endpoint

Client certificate matching

Defined on steps

  • ValidateAccess

Check if the client certificate matches the following configuration

Client Certificate Only

Defined on steps

  • ValidateAccess

Check if a client certificate is present in the request

Html Patcher

Defined on steps

  • TransformResponse

This plugin can inject elements in html pages (in the body or in the head) returned by the service

HTTP Client Cache

Defined on steps

  • TransformResponse

This plugin adds cache headers to responses

Geolocation details extractor (using IpStack api)

Defined on steps

  • PreRoute

This plugin extracts geolocation information from the IP address using the IpStack dbs. The information is stored in plugins attrs for other plugins to use

Izanami V1 Canary Campaign

Defined on steps

  • TransformRequest
  • TransformResponse

This plugin allows you to perform canary testing based on an izanami experiment campaign (A/B test)

Izanami v1 APIs Proxy

Defined on steps

  • TransformRequest

This plugin exposes routes to proxy Izanami configuration and features tree APIs

Jwt user extractor

Defined on steps

  • PreRoute

This plugin extracts a user from a JWT token

Legacy apikeys

Defined on steps

  • MatchRoute
  • ValidateAccess
  • TransformRequest

This plugin expects to find an apikey to allow the request to pass. This plugin behaves exactly like the service descriptor does

Legacy Authentication

Defined on steps

  • ValidateAccess

This plugin applies an authentication module the same way the service descriptor does

Log4Shell mitigation plugin

Defined on steps

  • TransformRequest

This plugin tries to detect Log4Shell attacks in requests and blocks them

Geolocation details extractor (using Maxmind db)

Defined on steps

  • PreRoute

This plugin extracts geolocation information from the IP address using the Maxmind dbs. The information is stored in plugins attrs for other plugins to use

Response Cache

Defined on steps

  • TransformRequest
  • TransformResponse

This plugin can cache responses from target services in the otoroshi datastore. It also provides a debug UI at /.well-known/otoroshi/bodylogger.

Security Txt

Defined on steps

  • TransformRequest

This plugin exposes a special route /.well-known/security.txt as proposed at https://securitytxt.org/

Public quotas

Defined on steps

  • ValidateAccess

This plugin will enforce public quotas on the current route

Traffic Mirroring

Defined on steps

  • TransformRequest
  • TransformResponse

This plugin will mirror every request to other targets

User-Agent details extractor

Defined on steps

  • PreRoute

This plugin extracts information from the User-Agent header such as browser version, OS version, etc. The information is stored in plugins attrs for other plugins to use

User-Agent endpoint

Defined on steps

  • TransformRequest

This plugin will expose current user-agent information on the following endpoint: /.well-known/otoroshi/plugins/user-agent

User-Agent header

Defined on steps

  • TransformRequest

This plugin will send information extracted by the User-Agent details extractor to the target service in a header

OAuth1 caller

Defined on steps

  • TransformRequest
  • TransformResponse

This plugin can be used to call APIs that are authenticated using OAuth1. Consumer key, secret, OAuth token and OAuth token secret can be passed through the metadata of an api key or via the configuration of this plugin.

OAuth2 caller

Defined on steps

  • TransformRequest

This plugin can be used to call APIs that are authenticated using the OAuth2 client_credential/password flow. Do not forget to enable client retry to handle token generation on expiry.

OIDC access_token as apikey

Defined on steps

  • PreRoute

This plugin will use the third party apikey configuration to generate an apikey

OIDC access_token validator

Defined on steps

  • ValidateAccess

This plugin will use the third party apikey configuration and apply it while keeping the apikey mechanism of otoroshi. Use it to combine apikey validation and OIDC access_token validation.

OIDC headers

Defined on steps

  • TransformRequest

This plugin injects headers containing tokens and profile from current OIDC provider.

Otoroshi challenge token

Defined on steps

  • TransformRequest
  • TransformResponse

This plugin adds a jwt challenge token to the request to a backend and expects a response with a matching token

Otoroshi headers in

Defined on steps

  • TransformRequest

This plugin adds Otoroshi specific headers to the request

Otoroshi info. token

Defined on steps

  • TransformRequest

This plugin adds a jwt token with information about the caller to the backend

Override host header

Defined on steps

  • TransformRequest

This plugin overrides the current Host header with the Host of the backend target

Public/Private paths

Defined on steps

  • ValidateAccess

This plugin allows or forbids requests based on path patterns

Query param transformer

Defined on steps

  • TransformRequest

This plugin can modify the query params of the request

RBAC

Defined on steps

  • ValidateAccess

This plugin checks if the current user/apikey/jwt token has the right role

Read only requests

Defined on steps

  • ValidateAccess

This plugin verifies the current request only reads data

Redirection

Defined on steps

  • PreRoute

This plugin redirects the current request elsewhere

Remove headers in

Defined on steps

  • TransformRequest

This plugin removes headers in the incoming otoroshi request

Remove headers out

Defined on steps

  • TransformResponse

This plugin removes headers in the otoroshi response

Robots

Defined on steps

  • TransformRequest
  • TransformResponse

This plugin provides all the necessary tools to handle search engine robots

Routing Restrictions

Defined on steps

  • ValidateAccess

This plugin applies routing restrictions (method, domain/path) on the current request/route

S3 Static backend

Defined on steps

  • CallBackend

This plugin is able to serve an S3 bucket with file content

SOAP action

Defined on steps

  • CallBackend

This plugin is able to call SOAP actions and expose them as a REST endpoint

Send otoroshi headers back

Defined on steps

  • TransformResponse

This plugin adds response headers containing useful information about the current call

Snow Monkey Chaos

Defined on steps

  • TransformRequest
  • TransformResponse

This plugin introduces some chaos into your life

Static backend

Defined on steps

  • CallBackend

This plugin is able to serve a static folder with file content

Static Response

Defined on steps

  • CallBackend

This plugin returns static responses

Tailscale select target by name

Defined on steps

  • TransformRequest

This plugin selects a machine instance on Tailscale network based on its name

TCP Tunnel

Defined on steps

  • HandlesTunnel

This plugin creates TCP tunnels through otoroshi

UDP Tunnel

Defined on steps

  • HandlesTunnel

This plugin creates UDP tunnels through otoroshi

W3C Trace Context

Defined on steps

  • TransformRequest
  • TransformResponse

This plugin propagates W3C Trace Context spans and can export them to Jaeger or Zipkin

Wasm Access control

Defined on steps

  • ValidateAccess

Delegate route access to a wasm plugin

Wasm Backend

Defined on steps

  • CallBackend

This plugin can be used to use a wasm plugin as backend

Open Policy Agent (OPA)

Defined on steps

  • ValidateAccess

Rego policies as WASM modules

Wasm pre-route

Defined on steps

  • PreRoute

This plugin can be used to use a wasm plugin in the pre-route phase

Wasm Request Transformer

Defined on steps

  • TransformRequest

Transform the content of the request with a wasm plugin

Wasm Response Transformer

Defined on steps

  • TransformResponse

Transform the content of a response with a wasm plugin

Wasm Route Matcher

Defined on steps

  • MatchRoute

This plugin can be used to use a wasm plugin as route matcher

Wasm Router

Defined on steps

  • Router

Can make routing decisions with a wasm plugin

Wasm Sink

Defined on steps

  • Sink

Handle unmatched requests with a wasm plugin

X-Forwarded-* headers

Defined on steps

  • TransformRequest

This plugin adds all the X-Forwarded-* headers to the request for the backend target

request body xml-to-json

Defined on steps

  • TransformRequest

This plugin transforms the incoming request body from xml to json and may apply a jq transformation

response body xml-to-json

Defined on steps

  • TransformResponse

This plugin transforms the response body from xml to json and may apply a jq transformation

Zip file backend

Defined on steps

  • CallBackend

Serves content from a zip file

Remote tunnel calls

Defined on steps

  • CallBackend

This plugin can contact remote services using tunnels

Coraza WAF

Defined on steps

  • ValidateAccess
  • TransformRequest
  • TransformResponse

Coraza WAF plugin