Built-in plugins
Otoroshi next provides some plugins out of the box. Here are the available plugins with their documentation and reference configuration.
Additional headers in
Defined on steps
TransformRequest
This plugin adds headers in the incoming otoroshi request
Additional headers out
Defined on steps
TransformResponse
This plugin adds headers in the otoroshi response
Allowed HTTP methods
Defined on steps
ValidateAccess
This plugin verifies the current request only uses allowed http methods
Apikey auth module
Defined on steps
PreRoute
This plugin adds basic auth on service where credentials are valid apikeys on the current service.
Apikeys
Defined on steps
MatchRoute
ValidateAccess
TransformRequest
This plugin expects to find an apikey to allow the request to pass
Apikey quotas
Defined on steps
ValidateAccess
Increments quotas for the current apikey. Useful when ‘legacy checks’ are disabled on a service/globally or when apikeys are extracted in a custom fashion.
Basic Auth. caller
Defined on steps
TransformRequest
This plugin can be used to call APIs that are authenticated using basic auth.
Brotli compression
Defined on steps
TransformResponse
This plugin can compress responses using brotli
Canary mode
Defined on steps
PreRoute
TransformResponse
This plugin can split a portion of the traffic to canary backends
Context validator
Defined on steps
ValidateAccess
This plugin validates the current context using JSONPath validators.
Endless HTTP responses
Defined on steps
TransformRequest
This plugin returns 128 Gb of 0 to the IP addresses in the list
Internal Eureka target
Defined on steps
PreRoute
This plugin can be used to use a target that comes from an internal Eureka server. If you want to use a target which is located outside of Otoroshi, you must use the External Eureka Server.
External Eureka target
Defined on steps
PreRoute
This plugin can be used to use a target that comes from an external Eureka server. If you want to use a target that is directly exposed by an implementation of Eureka by Otoroshi, you must use the Internal Eureka Server.
Forwarded header
Defined on steps
TransformRequest
This plugin adds the Forwarded header to the request for the backend target
Global Maintenance mode
Defined on steps
PreRoute
This plugin displays a maintenance page for every service. Useful when ‘legacy checks’ are disabled on a service/globally
Global per ip address throttling
Defined on steps
ValidateAccess
Enforce global per ip address throttling. Useful when ‘legacy checks’ are disabled on a service/globally
Global throttling
Defined on steps
ValidateAccess
Enforce global throttling. Useful when ‘legacy checks’ are disabled on a service/globally
GraphQL Composer
Defined on steps
CallBackend
This plugin exposes a GraphQL API that you can compose with whatever you want
GraphQL Proxy
Defined on steps
CallBackend
This plugin can apply validations (query, schema, max depth, max complexity) on graphql endpoints
GraphQL Query to REST
Defined on steps
CallBackend
This plugin can be used to call GraphQL query endpoints and expose them as a REST endpoint
HMAC caller plugin
Defined on steps
TransformRequest
This plugin can be used to call an API “protected” by an HMAC signature. It adds a signature with the secret configured on the plugin. The signature string will always be the content of the header list listed in the plugin configuration.
HMAC access validator
Defined on steps
ValidateAccess
This plugin can be used to check if an HMAC signature is present and valid in the Authorization header.
Headers validation
Defined on steps
ValidateAccess
This plugin validates the values of incoming request headers
Http3 traffic switch
Defined on steps
TransformResponse
This plugin injects an additional alt-svc header to switch to the http3 server
Image replacer
Defined on steps
TransformResponse
Replaces all responses with content-type image/* as they are proxied
IP allowed list
Defined on steps
ValidateAccess
This plugin verifies the current request ip address is in the allowed list
IP block list
Defined on steps
ValidateAccess
This plugin verifies the current request ip address is not in the blocked list
JQ
Defined on steps
TransformRequest
TransformResponse
This plugin lets you transform JSON bodies (in requests and responses) using JQ filters.
JQ transform request
Defined on steps
TransformRequest
This plugin lets you transform the request JSON body using JQ filters.
JQ transform response
Defined on steps
TransformResponse
This plugin lets you transform the JSON response using JQ filters.
request body json-to-xml
Defined on steps
TransformRequest
This plugin transforms the incoming request body from json to xml and may apply a jq transformation
response body json-to-xml
Defined on steps
TransformResponse
This plugin transforms the response body from json to xml and may apply a jq transformation
Jwt verifiers
Defined on steps
ValidateAccess
TransformRequest
This plugin verifies the current request with one or more jwt verifiers
Jwt verification only
Defined on steps
ValidateAccess
This plugin verifies the current request with one jwt verifier
Missing headers in
Defined on steps
TransformRequest
This plugin adds headers (if missing) in the incoming otoroshi request
Missing headers out
Defined on steps
TransformResponse
This plugin adds headers (if missing) in the otoroshi response
Multi Authentication
Defined on steps
ValidateAccess
This plugin applies an authentication module from a list of selected modules
User logged in expected
Defined on steps
ValidateAccess
This plugin enforces that a user from any auth. module is logged in
User extraction from auth. module
Defined on steps
ValidateAccess
This plugin extracts users from an authentication module without enforcing login
Apikey from Biscuit token extractor
Defined on steps
PreRoute
This plugin extracts an apikey from a Biscuit token where the biscuit has an #authority fact ‘client_id’ containing the apikey client_id and an #authority fact ‘client_sign’ that is the HMAC256 signature of the apikey client_id with the apikey client_secret
Client certificate as apikey
Defined on steps
PreRoute
This plugin uses client certificate as an apikey. The apikey will be stored for classic apikey usage
Client certificate header
Defined on steps
TransformRequest
This plugin passes client certificate information to the target in headers
Client credential token endpoint
Defined on steps
CallBackend
This plugin provides the token endpoint for the client_credential flow
Client Credential Service
Defined on steps
Sink
This plugin adds an oauth client credentials service (https://unhandleddomain/.well-known/otoroshi/oauth/token) to create an access_token given a client id and secret
Custom quotas
Defined on steps
ValidateAccess
This plugin will enforce quotas on the current route based on whatever you want
Custom throttling
Defined on steps
ValidateAccess
This plugin will enforce throttling on the current route based on whatever you want
Default request body
Defined on steps
TransformRequest
This plugin adds a default request body if none specified
Defer Responses
Defined on steps
TransformRequest
This plugin will expect an X-Defer header or a defer query param and defer the response according to the value in milliseconds. This plugin is some kind of inside joke, as one of our customers asked us to make slower apis.
Global self registration endpoints (service discovery)
Defined on steps
Sink
This plugin adds support for self registration endpoints on specific hostnames
Self registration endpoints (service discovery)
Defined on steps
TransformRequest
This plugin adds support for self registration endpoints on a specific service
Service discovery target selector (service discovery)
Defined on steps
PreRoute
This plugin selects a target in the pool of discovered targets for this service. Use in combination with either DiscoverySelfRegistrationSink or DiscoverySelfRegistrationTransformer to make it work using the self registration pattern. Or use an implementation of DiscoveryJob for the third party registration pattern.
Error response rewrite
Defined on steps
TransformResponse
This plugin catches http responses with specific statuses and rewrites the response
Geolocation endpoint
Defined on steps
TransformRequest
This plugin will expose current geolocation information on the following endpoint: /.well-known/otoroshi/plugins/geolocation
Geolocation header
Defined on steps
TransformRequest
This plugin will send information extracted by the Geolocation details extractor to the target service in a header.
Client Certificate + Api Key only
Defined on steps
ValidateAccess
Check if a client certificate is present in the request and that the apikey used matches the client certificate. You can set the client cert. DN in an apikey metadata named allowed-client-cert-dn
Client certificate matching (over http)
Defined on steps
ValidateAccess
Check if client certificate matches the following fetched from an http endpoint
Client certificate matching
Defined on steps
ValidateAccess
Check if client certificate matches the following configuration
Client Certificate Only
Defined on steps
ValidateAccess
Check if a client certificate is present in the request
Html Patcher
Defined on steps
TransformResponse
This plugin can inject elements in html pages (in the body or in the head) returned by the service
Geolocation details extractor (using IpStack api)
Defined on steps
PreRoute
This plugin extracts geolocation information from the ip address using the IpStack dbs. The information is stored in plugins attrs for other plugins to use
Izanami V1 Canary Campaign
Defined on steps
TransformRequest
TransformResponse
This plugin allows you to perform canary testing based on an izanami experiment campaign (A/B test)
Izanami v1 APIs Proxy
Defined on steps
TransformRequest
This plugin exposes routes to proxy Izanami configuration and features tree APIs
Legacy apikeys
Defined on steps
MatchRoute
ValidateAccess
TransformRequest
This plugin expects to find an apikey to allow the request to pass. This plugin behaves exactly like the service descriptor does
Legacy Authentication
Defined on steps
ValidateAccess
This plugin applies an authentication module the same way service descriptor does
Log4Shell mitigation plugin
Defined on steps
TransformRequest
This plugin tries to detect Log4Shell attacks in requests and blocks them
Geolocation details extractor (using Maxmind db)
Defined on steps
PreRoute
This plugin extracts geolocation information from the ip address using the Maxmind dbs. The information is stored in plugins attrs for other plugins to use
Response Cache
Defined on steps
TransformRequest
TransformResponse
This plugin can cache responses from target services in the otoroshi datastore. It also provides a debug UI at /.well-known/otoroshi/bodylogger.
Security Txt
Defined on steps
TransformRequest
This plugin exposes a special route /.well-known/security.txt as proposed at https://securitytxt.org/
Public quotas
Defined on steps
ValidateAccess
This plugin will enforce public quotas on the current route
Traffic Mirroring
Defined on steps
TransformRequest
TransformResponse
This plugin will mirror every request to other targets
User-Agent details extractor
Defined on steps
PreRoute
This plugin extracts information from the User-Agent header such as browser version, OS version, etc. The information is stored in plugins attrs for other plugins to use
User-Agent endpoint
Defined on steps
TransformRequest
This plugin will expose current user-agent information on the following endpoint: /.well-known/otoroshi/plugins/user-agent
User-Agent header
Defined on steps
TransformRequest
This plugin will send information extracted by the User-Agent details extractor to the target service in a header
OAuth1 caller
Defined on steps
TransformRequest
TransformResponse
This plugin can be used to call APIs that are authenticated using OAuth1. Consumer key, secret, OAuth token and OAuth token secret can be passed through the metadata of an api key or via the configuration of this plugin.
OAuth2 caller
Defined on steps
TransformRequest
This plugin can be used to call APIs that are authenticated using the OAuth2 client_credential/password flow. Do not forget to enable client retry to handle token generation on expire.
OIDC access_token as apikey
Defined on steps
PreRoute
This plugin will use the third party apikey configuration to generate an apikey
OIDC access_token validator
Defined on steps
ValidateAccess
This plugin will use the third party apikey configuration and apply it while keeping the apikey mechanism of otoroshi. Use it to combine apikey validation and OIDC access_token validation.
OIDC headers
Defined on steps
TransformRequest
This plugin injects headers containing tokens and profile from current OIDC provider.
Otoroshi challenge token
Defined on steps
TransformRequest
TransformResponse
This plugin adds a jwt challenge token to the request to a backend and expects a response with a matching token
Otoroshi headers in
Defined on steps
TransformRequest
This plugin adds Otoroshi specific headers to the request
Otoroshi info. token
Defined on steps
TransformRequest
This plugin adds a jwt token with information about the caller to the backend
Override host header
Defined on steps
TransformRequest
This plugin overrides the current Host header with the Host of the backend target
Public/Private paths
Defined on steps
ValidateAccess
This plugin allows or forbids requests based on path patterns
Query param transformer
Defined on steps
TransformRequest
This plugin can modify the query params of the request
RBAC
Defined on steps
ValidateAccess
This plugin checks if the current user/apikey/jwt token has the right role
Read only requests
Defined on steps
ValidateAccess
This plugin verifies the current request only reads data
Remove headers in
Defined on steps
TransformRequest
This plugin removes headers in the incoming otoroshi request
Remove headers out
Defined on steps
TransformResponse
This plugin removes headers in the otoroshi response
Robots
Defined on steps
TransformRequest
TransformResponse
This plugin provides all the necessary tools to handle search engine robots
Routing Restrictions
Defined on steps
ValidateAccess
This plugin applies routing restriction method domain/path on the current request/route
SOAP action
Defined on steps
CallBackend
This plugin is able to call SOAP actions and expose them as a REST endpoint
Send otoroshi headers back
Defined on steps
TransformResponse
This plugin adds response headers containing useful information about the current call
Snow Monkey Chaos
Defined on steps
TransformRequest
TransformResponse
This plugin introduces some chaos into your life
Static backend
Defined on steps
CallBackend
This plugin is able to serve a static folder with file content
Tailscale select target by name
Defined on steps
TransformRequest
This plugin selects a machine instance on Tailscale network based on its name
W3C Trace Context
Defined on steps
TransformRequest
TransformResponse
This plugin propagates W3C Trace Context spans and can export them to Jaeger or Zipkin
Wasm pre-route
Defined on steps
PreRoute
This plugin can be used to use a wasm plugin in the pre-route phase
Wasm Request Transformer
Defined on steps
TransformRequest
Transform the content of the request with a wasm plugin
Wasm Response Transformer
Defined on steps
TransformResponse
Transform the content of a response with a wasm plugin
Wasm Route Matcher
Defined on steps
MatchRoute
This plugin can be used to use a wasm plugin as a route matcher
X-Forwarded-* headers
Defined on steps
TransformRequest
This plugin adds all the X-Forwarded-* headers to the request for the backend target
request body xml-to-json
Defined on steps
TransformRequest
This plugin transforms the incoming request body from xml to json and may apply a jq transformation
response body xml-to-json
Defined on steps
TransformResponse
This plugin transforms the response body from xml to json and may apply a jq transformation