Global config
The global config, named Danger zone in Otoroshi, is the place to configure Otoroshi globally.
Warning: the configuration on this page is very sensitive and affects the global behaviour of Otoroshi.
Misc. Settings
- Maintenance mode: Puts every single service in maintenance mode. If a user calls a service, the maintenance page will be displayed.
- No OAuth login for BackOffice: Forces admins to log in only with user/password or user/password/U2F device.
- API Read Only: Freezes the Otoroshi datastore in read-only mode. Only people with access to the actual underlying datastore will be able to disable this.
- Auto link default: When no group is specified on a service, it will be assigned to the default one.
- Use circuit breakers: Use circuit breakers on all services.
- Use new http client as the default Http client: All HTTP calls will use the new HTTP client by default.
- Enable live metrics: Enable live metrics in the Otoroshi cluster. Performs a lot of writes in the datastore.
- Digitus medius: Use the middle finger emoji as the response character for endless HTTP responses (see IP address filtering settings).
- Limit conc. req.: Limit the number of concurrent requests processed by Otoroshi to a certain amount. Highly recommended for resilience.
- Use X-Forwarded-* headers for routing: When evaluating the routing of a request, X-Forwarded-* headers will be used if present.
- Max conc. req.: Maximum number of concurrent requests processed by Otoroshi.
- Max HTTP/1.0 resp. size: Maximum size of an HTTP/1.0 response in bytes. After this limit, the response will be cut and sent as is. The best value here should satisfy (maxConcurrentRequests * maxHttp10ResponseSize) < process.memory for the worst-case scenario.
- Max local events: Maximum number of events stored.
- Lines: deprecated
IP address filtering settings
- IP allowed list: Only these IP addresses will be able to access Otoroshi exposed services.
- IP blocklist: IP addresses that will be refused access to Otoroshi exposed services.
- Endless HTTP Responses: IP addresses for which each request will return around 128 Gb of 0s.
Quotas settings
- Global throttling: The max. number of requests allowed per second globally on Otoroshi.
- Throttling per IP: The max. number of requests allowed per second per IP address globally on Otoroshi.
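As an added example (not part of the Otoroshi documentation or code base), a small audit script over a global config exported as JSON that checks the dangerous settings described in the Misc. settings, IP address filtering and quotas sections above, including the HTTP/1.0 sizing rule. The JSON key names and the sample export are assumptions, not the documented export format.

```python
import json

# Constructed sample of an exported global config. The key names below
# (maintenanceMode, apiReadOnly, limitConcurrentRequests, maxConcurrentRequests,
# maxHttp10ResponseSize, throttlingQuota, perIpThrottlingQuota, ipFiltering,
# endlessIpAddresses) are assumed, not taken from the Otoroshi export format.
SAMPLE_EXPORT = json.dumps({
    "maintenanceMode": False,
    "apiReadOnly": False,
    "limitConcurrentRequests": True,
    "maxConcurrentRequests": 1000,
    "maxHttp10ResponseSize": 4 * 1024 * 1024,   # 4 MiB
    "throttlingQuota": 10000000,
    "perIpThrottlingQuota": 500,
    "ipFiltering": {"whitelist": [], "blacklist": ["203.0.113.0/24"]},
    "endlessIpAddresses": ["198.51.100.7"],
})


def audit_global_config(raw_json, process_memory_bytes):
    """Return a list of findings for a global config exported as JSON."""
    cfg = json.loads(raw_json)
    findings = []
    if cfg.get("maintenanceMode"):
        findings.append("maintenance mode is on: every service shows the maintenance page")
    if cfg.get("apiReadOnly"):
        findings.append("API read-only is on: only direct datastore access can disable it")
    if not cfg.get("limitConcurrentRequests"):
        findings.append("concurrent request limiting is off (recommended for resilience)")
    # Sizing rule from the Misc. settings: the worst case for HTTP/1.0
    # responses (all concurrent requests at max size) must fit in memory.
    worst_case = cfg.get("maxConcurrentRequests", 0) * cfg.get("maxHttp10ResponseSize", 0)
    if worst_case >= process_memory_bytes:
        findings.append(f"HTTP/1.0 worst case of {worst_case} bytes does not fit in "
                        f"{process_memory_bytes} bytes of process memory")
    if cfg.get("endlessIpAddresses"):
        findings.append(f"endless HTTP responses are enabled for {cfg['endlessIpAddresses']}")
    ipf = cfg.get("ipFiltering", {})
    overlap = set(ipf.get("whitelist", [])) & set(ipf.get("blacklist", []))
    if overlap:
        findings.append(f"entries in both IP allowed list and blocklist: {sorted(overlap)}")
    if cfg.get("perIpThrottlingQuota", 0) > cfg.get("throttlingQuota", 0):
        findings.append("per-IP throttling is higher than global throttling")
    return findings


if __name__ == "__main__":
    for finding in audit_global_config(SAMPLE_EXPORT, 2 * 1024 ** 3):
        print("finding:", finding)
```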
Analytics: Elastic dashboard datasource (read)
- Cluster URI: Elastic cluster URI
- Index: Elastic index
- Type: Event type (not needed for Elasticsearch above 6.x)
- User: Elastic user (optional)
- Password: Elastic password (optional)
- Version: Elastic version (optional; if none is provided it will be fetched from the cluster)
- Apply template: Automatically apply the index template
- Check Connection: Button to test the configuration. It will display a modal with a connection checklist; if the connection is successful, it will display the Elasticsearch version found and the index used
- Manually apply index template: Try to put the Elasticsearch template by calling the Elasticsearch API
- Show index template: Try to retrieve the current index template present in Elasticsearch
- Client side temporal indexes handling: When enabled, Otoroshi will manage the creation of indexes over time. When disabled, Otoroshi will push into the same index
- One index per: When the previous field is enabled, you can choose the interval of time between the creation of new indexes in Elasticsearch
- Custom TLS Settings: Enable the TLS configuration for the communication with Elasticsearch
- TLS loose: If enabled, will block all untrustful SSL configs
- TrustAll: Allows any server certificate, even self-signed ones
- Client certificates: List of client certificates used to communicate with Elasticsearch
- Trusted certificates: List of trusted certificates received from Elasticsearch
Statsd settings
- Datadog agent: The StatsD agent is a Datadog agent
- StatsD agent host: The host on which the StatsD agent is listening
- StatsD agent port: The port on which the StatsD agent is listening (default is 8125)
Backoffice auth. settings
- Backoffice auth. config: The authentication module used in front of Otoroshi. It will be used to connect to Otoroshi on the login page
Let’s encrypt settings
- Enabled: When enabled, Otoroshi will have the possibility to sign certificates from Let's Encrypt, notably in the SSL/TLS Certificates page
- Server URL: ACME endpoint of Let's Encrypt
- Email addresses: (optional) List of addresses used to order the certificates
- Contact URLs: (optional) List of addresses used to order the certificates
- Public Key: Used to request a certificate from Let's Encrypt, generated by Otoroshi
- Private Key: Used to request a certificate from Let's Encrypt, generated by Otoroshi
CleverCloud settings
Once configured, you can register a Clever Cloud app of your organization directly as an Otoroshi service.
- CleverCloud consumer key: Consumer key of your Clever Cloud OAuth 1.0 app
- CleverCloud consumer secret: Consumer secret of your Clever Cloud OAuth 1.0 app
- OAuth Token: OAuth token of your Clever Cloud OAuth 1.0 app
- OAuth Secret: OAuth token secret of your Clever Cloud OAuth 1.0 app
- CleverCloud orga. Id: ID of your Clever Cloud organization
Global scripts
Global scripts are deprecated, please use global plugins instead (see the next section)!
Global plugins
- Enabled: Enable the use of global plugins
- Plugins on new Otoroshi engine: List of plugins used by the new Otoroshi engine
- Plugins on old Otoroshi engine: List of plugins used by the old Otoroshi engine
- Plugin configuration: The overloaded configuration of plugins
Proxies
In this section, you can add a list of proxies for:
- Proxy for alert emails (mailgun)
- Proxy for alert webhooks
- Proxy for Clever-Cloud API access
- Proxy for services access
- Proxy for auth. access (OAuth, OIDC)
- Proxy for client validators
- Proxy for JWKS access
- Proxy for elastic access
Each proxy has the following fields:
- Proxy host: Host of the proxy
- Proxy port: Port of the proxy
- Proxy principal: User of the proxy
- Proxy password: Password of the proxy
- Non proxy host: IP address that can access the service
Quotas alerting settings
- Enable quotas exceeding alerts: When an API key's quotas are almost exceeded, an alert will be sent
- Daily quotas threshold: The percentage of daily calls before sending alerts
- Monthly quotas threshold: The percentage of monthly calls before sending alerts
User-Agent extraction settings
- User-Agent extraction: Allow user-agent details extraction. Can have an impact on consumed memory.
Geolocation extraction settings
Extract a geolocation for each call to Otoroshi.
TLS Settings
- Use random cert.: Use the first available cert when none matches the current domain
- Default domain: When the SNI domain cannot be found, this one will be used to find the matching certificate
- Trust JDK CAs (server): Trust JDK CAs. The CAs from the JDK CA bundle will be proposed in the certificate request when performing the TLS handshake
- Trust JDK CAs (trust): Trust JDK CAs. The CAs from the JDK CA bundle will be used as trusted CAs when calling HTTPS resources
- Trusted CAs (server): Select the trusted CAs you want for TLS termination. Only those CAs will be proposed in the certificate request when performing the TLS handshake
Auto Generate Certificates
- Enabled: Generate certificates on the fly when they don't exist
- Reply Nicely: When receiving a request from a not-allowed domain name, accept the connection and display a nice error message
- CA: Certificate authority used to generate missing certificates
- Allowed domains: Allowed domains
- Not allowed domains: Not allowed domains
Global metadata
- Tags: Tags attached to the global config
- Metadata: Metadata attached to the global config
Actions at the bottom of the page
- Recover from a full export file: Load the global configuration from a previous export
- Full export: Export with all created entities
- Full export (ndjson): Export the full state of the database in ndjson format
- JSON: Get the global config in JSON format
- YAML: Get the global config in YAML format
- Enable Panic Mode: Log out all users from the UI and prevent any changes to the database by setting the Otoroshi admin API to read-only. The only way to exit this mode is to disable it directly in the database.