Built-in plugins

Otoroshi next provides some plugins out of the box. Here are the available plugins with their documentation and reference configuration.

Additional cookies in

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.AdditionalCookieIn

Description

This plugin adds cookies in the otoroshi request

Default configuration

{
  "name" : "cookie",
  "value" : "value"
}

Additional cookies out

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.AdditionalCookieOut

Description

This plugin adds cookies in the otoroshi response

Default configuration

{
  "name" : "cookie",
  "value" : "value",
  "domain" : null,
  "path" : null,
  "maxAge" : null,
  "secure" : false,
  "httpOnly" : false,
  "sameSite" : null
}

Additional headers in

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.AdditionalHeadersIn

Description

This plugin adds headers in the incoming otoroshi request

Default configuration

{
  "headers" : { }
}

Additional headers out

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.AdditionalHeadersOut

Description

This plugin adds headers in the otoroshi response

Default configuration

{
  "headers" : { }
}

Allowed HTTP methods

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.AllowHttpMethods

Description

This plugin verifies the current request only uses allowed http methods

Default configuration

{
  "allowed" : [ ],
  "forbidden" : [ ]
}

Apikey auth module

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.ApikeyAuthModule

Description

This plugin adds basic auth on a service, where the credentials are valid apikeys on the current service.

Default configuration

{
  "realm" : "apikey-auth-module-realm",
  "matcher" : null
}

Apikeys

Defined on steps

  • MatchRoute
  • ValidateAccess
  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.ApikeyCalls

Description

This plugin expects to find an apikey to allow the request to pass

Default configuration

{
  "extractors" : {
    "basic" : {
      "enabled" : true,
      "header_name" : null,
      "query_name" : null,
      "cookie_name" : null,
      "path_name" : null
    },
    "custom_headers" : {
      "enabled" : true,
      "client_id_header_name" : null,
      "client_secret_header_name" : null
    },
    "client_id" : {
      "enabled" : true,
      "header_name" : null,
      "query_name" : null,
      "cookie_name" : null,
      "path_name" : null
    },
    "jwt" : {
      "enabled" : true,
      "secret_signed" : true,
      "keypair_signed" : true,
      "include_request_attrs" : false,
      "max_jwt_lifespan_sec" : null,
      "header_name" : null,
      "query_name" : null,
      "cookie_name" : null,
      "path_name" : null
    },
    "oto_bearer" : {
      "enabled" : true,
      "header_name" : null,
      "query_name" : null,
      "cookie_name" : null,
      "path_name" : null
    }
  },
  "routing" : {
    "enabled" : false
  },
  "validate" : true,
  "mandatory" : true,
  "pass_with_user" : false,
  "wipe_backend_request" : true,
  "update_quotas" : true
}

Apikey quotas

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.ApikeyQuotas

Description

Increments quotas for the current apikey. Useful when ‘legacy checks’ are disabled on a service/globally or when apikeys are extracted in a custom fashion.

Auth0 Passwordless end flow endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.Auth0PasswordlessEndFlowEndpoint

Description

This plugin provides an endpoint to end a passwordless flow

Default configuration

{
  "ref" : "",
  "connection" : "email",
  "send" : "code",
  "audience" : null
}

Auth0 Passwordless start/end flow

Defined on steps

  • ValidateAccess
  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.Auth0PasswordlessFlow

Description

This plugin provides endpoints to start and end a passwordless flow

Default configuration

{
  "ref" : "",
  "connection" : "email",
  "send" : "code",
  "audience" : null
}

Auth0 Passwordless start/end flow endpoints

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.Auth0PasswordlessStartEndFlowEndpoints

Description

This plugin provides endpoints to start and end a passwordless flow

Default configuration

{
  "ref" : "",
  "connection" : "email",
  "send" : "code",
  "audience" : null
}

Auth0 Passwordless start flow endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.Auth0PasswordlessStartFlowEndpoint

Description

This plugin provides an endpoint to start a passwordless flow

Default configuration

{
  "ref" : "",
  "connection" : "email",
  "send" : "code",
  "audience" : null
}

Authentication

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.AuthModule

Description

This plugin applies an authentication module

Default configuration

{
  "pass_with_apikey" : false,
  "auth_module" : null
}

Basic Auth. caller

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.BasicAuthCaller

Description

This plugin can be used to call APIs that are authenticated using basic auth.

Default configuration

{
  "username" : null,
  "password" : null,
  "headerName" : "Authorization",
  "headerValueFormat" : "Basic %s"
}

Basic auth. from auth. module

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.BasicAuthWithAuthModule

Description

This plugin enforces basic auth. authentication with users coming from LDAP and In-memory auth. modules

Default configuration

{
  "ref" : "",
  "add_authenticate_header" : true
}

Block non HTTPS traffic

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.BlockHttpTraffic

Description

This plugin blocks any incoming non HTTPS traffic and returns a nice error message because nowadays HTTPS should be deployed everywhere. Also, this plugin will revoke any apikey or user session passed in clear text if there is one. In that case, make sure this plugin comes after the Apikey and Authentication plugins.

Default configuration

{
  "revoke_apikeys" : true,
  "revoke_user_session" : false,
  "message" : null
}

Brotli compression

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.BrotliResponseCompressor

Description

This plugin can compress responses using brotli

Default configuration

{
  "excluded_patterns" : [ ],
  "allowed_list" : [ "text/*", "application/javascript", "application/json" ],
  "blocked_list" : [ ],
  "buffer_size" : 8192,
  "chunked_threshold" : 102400,
  "compression_level" : 5
}

Build mode

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.BuildMode

Description

This plugin displays a build page

Canary mode

Defined on steps

  • PreRoute
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.CanaryMode

Description

This plugin can split a portion of the traffic to canary backends

Default configuration

{
  "traffic" : 0.2,
  "targets" : [ ],
  "root" : "/"
}

Consumer endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.ConsumerEndpoint

Description

This plugin returns the current consumer profile

Context validator

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.ContextValidation

Description

This plugin validates the current context using JSONPath validators.

This plugin lets you configure a list of validators that will check if the current call can pass. A validator is composed of a JSONPath that tells what to check and a value that is the expected value. The JSONPath is applied on a document that looks like:

{
  "snowflake" : "1516772930422308903",
  "apikey" : { // current apikey
    "clientId" : "vrmElDerycXrofar",
    "clientName" : "default-apikey",
    "metadata" : {
      "foo" : "bar"
    },
    "tags" : [ ]
  },
  "user" : null, //  current user
  "request" : {
    "id" : 1,
    "method" : "GET",
    "headers" : {
      "Host" : "ctx-validation-next-gen.oto.tools:9999",
      "Accept" : "*/*",
      "User-Agent" : "curl/7.64.1",
      "Authorization" : "Basic dnJtRWxEZXJ5Y1hyb2ZhcjpvdDdOSTkyVGI2Q2J4bWVMYU9UNzJxamdCU2JlRHNLbkxtY1FBcXBjVjZTejh0Z3I1b2RUOHAzYjB5SEVNRzhZ",
      "Remote-Address" : "127.0.0.1:58929",
      "Timeout-Access" : "<function1>",
      "Raw-Request-URI" : "/foo",
      "Tls-Session-Info" : "Session(1650461821330|SSL_NULL_WITH_NULL_NULL)"
    },
    "cookies" : [ ],
    "tls" : false,
    "uri" : "/foo",
    "path" : "/foo",
    "version" : "HTTP/1.1",
    "has_body" : false,
    "remote" : "127.0.0.1",
    "client_cert_chain" : null
  },
  "config" : {
    "validators" : [ {
      "path" : "$.apikey.metadata.foo",
      "value" : "bar"
    } ]
  },
  "global_config" : { ... }, // global config
  "attrs" : {
    "otoroshi.core.SnowFlake" : "1516772930422308903",
    "otoroshi.core.ElCtx" : {
      "requestId" : "1516772930422308903",
      "requestSnowflake" : "1516772930422308903",
      "requestTimestamp" : "2022-04-20T15:37:01.548+02:00"
    },
    "otoroshi.next.core.Report" : "otoroshi.next.proxy.NgExecutionReport@277b44e2",
    "otoroshi.core.RequestStart" : 1650461821545,
    "otoroshi.core.RequestWebsocket" : false,
    "otoroshi.core.RequestCounterOut" : 0,
    "otoroshi.core.RemainingQuotas" : {
      "authorizedCallsPerWindow" : 10000000,
      "throttlingCallsPerWindow" : 0,
      "remainingCallsPerWindow" : 10000000,
      "authorizedCallsPerDay" : 10000000,
      "currentCallsPerDay" : 2,
      "remainingCallsPerDay" : 9999998,
      "authorizedCallsPerMonth" : 10000000,
      "currentCallsPerMonth" : 269,
      "remainingCallsPerMonth" : 9999731
    },
    "otoroshi.next.core.MatchedRoutes" : "MutableList(route_022825450-e97d-42ed-8e22-b23342c1c7c8)",
    "otoroshi.core.RequestNumber" : 1,
    "otoroshi.next.core.Route" : { ... }, // current route as json
    "otoroshi.core.RequestTimestamp" : "2022-04-20T15:37:01.548+02:00",
    "otoroshi.core.ApiKey" : { ... }, // current apikey as json
    "otoroshi.core.User" : { ... }, // current user as json
    "otoroshi.core.RequestCounterIn" : 0
  },
  "route" : { ... },
  "token" : null // current valid jwt token if one
}

The expected value supports some syntax tricks, like:

  • Not(value) on a string to check if the current value does not equal another value
  • Regex(regex) on a string to check if the current value matches the regex
  • RegexNot(regex) on a string to check if the current value does not match the regex
  • Wildcard(*value*) on a string to check if the current value matches the value with wildcards
  • WildcardNot(*value*) on a string to check if the current value does not match the value with wildcards
  • Contains(value) on a string to check if the current value contains a value
  • ContainsNot(value) on a string to check if the current value does not contain a value
  • Contains(Regex(regex)) on an array to check if one of the items of the array matches the regex
  • ContainsNot(Regex(regex)) on an array to check if one of the items of the array does not match the regex
  • Contains(Wildcard(*value*)) on an array to check if one of the items of the array matches the wildcard value
  • ContainsNot(Wildcard(*value*)) on an array to check if one of the items of the array does not match the wildcard value
  • Contains(value) on an array to check if the array contains a value
  • ContainsNot(value) on an array to check if the array does not contain a value

For instance, to check if the current apikey has a metadata named foo with a value containing bar, you can write the following validator:

{
  "path": "$.apikey.metadata.foo",
  "value": "Contains(bar)"
}

Default configuration

{
  "validators" : [ ]
}
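
The following Python code is an added example, not Otoroshi code: it evaluates validators written with the expression forms listed above against a trimmed, constructed copy of the context document, so a rule set can be checked offline before it is deployed. Assumptions of this example: only dotted child paths are resolved, Regex and Wildcard must match the whole value, every validator must pass, and a missing or null value fails the check.

```python
import re

# Constructed sample: a trimmed copy of the context document shown above.
# The tags are constructed for the example; the page's sample has none.
SAMPLE_CONTEXT = {
    "apikey": {
        "clientId": "vrmElDerycXrofar",
        "clientName": "default-apikey",
        "metadata": {"foo": "bar"},
        "tags": ["billing", "team-a"],
    },
    "user": None,
    "request": {"method": "GET", "path": "/foo", "tls": False, "remote": "127.0.0.1"},
}

_MISSING = object()
_EXPR = re.compile(
    r"^(Not|Regex|RegexNot|Wildcard|WildcardNot|Contains|ContainsNot)\((.*)\)$", re.S
)


def resolve(path, doc):
    """Resolve a dotted JSONPath such as $.apikey.metadata.foo (child access only)."""
    if not path.startswith("$"):
        raise ValueError("path must start with $")
    node = doc
    for key in [part for part in path[1:].split(".") if part]:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def _parse(expected):
    """Split 'Op(arg)' into (op, arg); a plain value gives (None, value)."""
    m = _EXPR.match(expected)
    return (m.group(1), m.group(2)) if m else (None, expected)


def _wildcard_to_regex(pattern):
    # '*' matches any run of characters; everything else is literal.
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def _match_string(current, expected):
    op, arg = _parse(expected)
    if op is None:
        return current == expected
    if op == "Not":
        return current != arg
    if op in ("Regex", "RegexNot"):
        hit = re.fullmatch(arg, current) is not None
    elif op in ("Wildcard", "WildcardNot"):
        hit = re.fullmatch(_wildcard_to_regex(arg), current, re.S) is not None
    else:  # Contains / ContainsNot on a string: substring test
        hit = arg in current
    return not hit if op.endswith("Not") else hit


def _match_array(items, expected):
    op, arg = _parse(expected)
    if op not in ("Contains", "ContainsNot"):
        return False  # only the array forms listed on the page are handled
    inner_op, _ = _parse(arg)
    if inner_op in ("Regex", "Wildcard"):
        strings = [i for i in items if isinstance(i, str)]
        if op == "Contains":
            return any(_match_string(i, arg) for i in strings)
        # Follows the page's wording: one of the items does not match.
        return any(not _match_string(i, arg) for i in strings)
    present = arg in items
    return present if op == "Contains" else not present


def check(validator, ctx):
    """Return True when one validator ({"path": ..., "value": ...}) passes."""
    current = resolve(validator["path"], ctx)
    expected = validator["value"]
    if current is _MISSING or current is None:
        return False  # assumption of this example: fail closed
    if isinstance(current, list):
        return isinstance(expected, str) and _match_array(current, expected)
    if isinstance(current, str) and isinstance(expected, str):
        return _match_string(current, expected)
    return current == expected


def evaluate(validators, ctx):
    """Per-validator results, useful to see which rule rejects a call."""
    return [(v["path"], v["value"], check(v, ctx)) for v in validators]


def allowed(validators, ctx):
    return all(ok for _, _, ok in evaluate(validators, ctx))


if __name__ == "__main__":
    rules = [
        {"path": "$.apikey.metadata.foo", "value": "Contains(bar)"},
        {"path": "$.request.method", "value": "Not(DELETE)"},
        {"path": "$.apikey.tags", "value": "Contains(Wildcard(team-*))"},
    ]
    for path, value, ok in evaluate(rules, SAMPLE_CONTEXT):
        print(f"{'pass' if ok else 'FAIL'}  {path}  {value}")
```
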

Cookies validation

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.CookiesValidation

Description

This plugin validates cookies content

Default configuration

{
  "cookies" : { }
}

CORS

Defined on steps

  • PreRoute
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.Cors

Description

This plugin applies CORS rules

Default configuration

{
  "allow_origin" : "*",
  "expose_headers" : [ ],
  "allow_headers" : [ ],
  "allow_methods" : [ ],
  "excluded_patterns" : [ ],
  "max_age" : null,
  "allow_credentials" : true
}

Disable HTTP/1.0

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.DisableHttp10

Description

This plugin forbids HTTP/1.0 requests

Request Echo

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.EchoBackend

Description

This plugin returns request content as json

Default configuration

{
  "limit" : 524288
}

Endless HTTP responses

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.EndlessHttpResponse

Description

This plugin returns 128 Gb of 0 to the ip addresses that are in the list

Default configuration

{
  "finger" : false,
  "addresses" : [ ],
  "is_debug" : false
}

Eureka instance

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.EurekaServerSink

Description

Eureka plugin description

Default configuration

{
  "evictionTimeout" : 300
}

Internal Eureka target

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.EurekaTarget

Description

This plugin can be used to use a target that comes from an internal Eureka server. If you want to use a target which is located outside of Otoroshi, you must use the External Eureka Server.

Default configuration

{
  "eureka_server" : null,
  "eureka_app" : null
}

External Eureka target

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.ExternalEurekaTarget

Description

This plugin can be used to use a target that comes from an external Eureka server. If you want to use a target that is directly exposed by an implementation of Eureka by Otoroshi, you must use the Internal Eureka Server.

Default configuration

{
  "eureka_server" : null,
  "eureka_app" : null
}

fail2ban

Defined on steps

  • ValidateAccess
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.Fail2BanPlugin

Description

Temporarily bans a client when too many failed requests occur within a detection window (fail2ban-like). The client is identified by the ‘identifier’, which can use the Otoroshi expression language to extract information like user id, apikey, ip address, etc.

Default configuration

{
  "identifier" : "${req.ip}",
  "detect_time" : 600000,
  "ban_time" : 10800000,
  "max_retry" : 4,
  "url_regex" : [ ],
  "status_codes" : [ "400", "401", "403-499", "500-599" ],
  "ignored" : [ ],
  "blocked" : [ ]
}
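
The following Python model is an added example, not the plugin's code: it replays constructed (timestamp, identifier, status) events through a sliding detection window to show how detect_time, ban_time, max_retry and the status_codes ranges interact. Assumptions of this example: times are in milliseconds, a ban starts when the number of failures inside the window reaches max_retry, and the `ignored`, `blocked` and `url_regex` settings are not modelled.

```python
from collections import defaultdict, deque

# Values taken from the default configuration above (modelled keys only).
DEFAULT_CONFIG = {
    "detect_time": 600000,
    "ban_time": 10800000,
    "max_retry": 4,
    "status_codes": ["400", "401", "403-499", "500-599"],
}


def parse_status_codes(specs):
    """Turn ["400", "403-499"] into inclusive ranges [(400, 400), (403, 499)]."""
    ranges = []
    for spec in specs:
        low, _, high = spec.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


class Fail2BanModel:
    def __init__(self, config):
        self.detect_ms = config["detect_time"]
        self.ban_ms = config["ban_time"]
        self.max_retry = config["max_retry"]
        self.ranges = parse_status_codes(config["status_codes"])
        self.failures = defaultdict(deque)  # identifier -> failure timestamps
        self.banned_until = {}              # identifier -> end of ban (ms)

    def is_failure(self, status):
        # With the default list, 402 is not counted while 404 is.
        return any(low <= status <= high for low, high in self.ranges)

    def is_banned(self, identifier, now_ms):
        until = self.banned_until.get(identifier)
        if until is None:
            return False
        if now_ms >= until:
            del self.banned_until[identifier]  # ban expired
            return False
        return True

    def observe(self, identifier, status, now_ms):
        """Record one response; return True if the identifier is banned afterwards."""
        if self.is_banned(identifier, now_ms):
            return True
        if not self.is_failure(status):
            return False
        window = self.failures[identifier]
        window.append(now_ms)
        # Drop failures that fell out of the detection window.
        while window and now_ms - window[0] > self.detect_ms:
            window.popleft()
        if len(window) >= self.max_retry:
            self.banned_until[identifier] = now_ms + self.ban_ms
            window.clear()
            return True
        return False


def replay(events, config):
    """Return [(identifier, time_ms)] for every ban that starts during the replay."""
    model = Fail2BanModel(config)
    bans = []
    for now_ms, identifier, status in events:
        already = model.is_banned(identifier, now_ms)
        if model.observe(identifier, status, now_ms) and not already:
            bans.append((identifier, now_ms))
    return bans


# Constructed events: four failures in three minutes, then a request during the ban.
BURST = [
    (0, "203.0.113.7", 401),
    (60000, "203.0.113.7", 401),
    (120000, "203.0.113.7", 403),
    (180000, "203.0.113.7", 404),
    (240000, "203.0.113.7", 200),
]
# Constructed events: one failure every 400 s never puts four in a 600 s window.
SLOW = [(i * 400000, "198.51.100.9", 401) for i in range(6)]

if __name__ == "__main__":
    print("burst:", replay(BURST, DEFAULT_CONFIG))
    print("slow: ", replay(SLOW, DEFAULT_CONFIG))
```

The SLOW replay shows the trade-off behind detect_time and max_retry: a client that spaces its failures wider than the window is never banned, so those two values should be set from observed failure rates. When the identifier is `${req.ip}`, clients behind a shared address are counted together.
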

Force HTTPS traffic

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.ForceHttpsTraffic

Description

This plugin verifies the current request uses HTTPS

Forwarded header

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.ForwardedHeader

Description

This plugin adds all the Forwarded header to the request for the backend target

Global Maintenance mode

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.GlobalMaintenanceMode

Description

This plugin displays a maintenance page for every service. Useful when ‘legacy checks’ are disabled on a service/globally

Global per ip address throttling

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.GlobalPerIpAddressThrottling

Description

Enforce global per ip address throttling. Useful when ‘legacy checks’ are disabled on a service/globally

Global throttling

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.GlobalThrottling

Description

Enforce global throttling. Useful when ‘legacy checks’ are disabled on a service/globally

GraphQL Composer

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.GraphQLBackend

Description

This plugin exposes a GraphQL API that you can compose with whatever you want

Default configuration

{
  "schema" : "\n   type User {\n     name: String!\n     firstname: String!\n   }\n\n   type Query {\n    users: [User] @json(data: \"[{ \\\"firstname\\\": \\\"Foo\\\", \\\"name\\\": \\\"Bar\\\" }, { \\\"firstname\\\": \\\"Bar\\\", \\\"name\\\": \\\"Foo\\\" }]\")\n   }\n  ",
  "permissions" : [ ],
  "initial_data" : null,
  "max_depth" : 15
}

GraphQL Proxy

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.GraphQLProxy

Description

This plugin can apply validations (query, schema, max depth, max complexity) on graphql endpoints

Default configuration

{
  "endpoint" : "https://countries.trevorblades.com/graphql",
  "schema" : null,
  "max_depth" : 50,
  "max_complexity" : 50000,
  "path" : "/graphql",
  "headers" : { }
}

GraphQL Query to REST

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.GraphQLQuery

Description

This plugin can be used to call GraphQL query endpoints and expose it as a REST endpoint

Default configuration

{
  "url" : "https://some.graphql/endpoint",
  "headers" : { },
  "method" : "POST",
  "query" : "{\n\n}",
  "timeout" : 60000,
  "response_path" : null,
  "response_filter" : null
}

Gzip compression

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.GzipResponseCompressor

Description

This plugin can compress responses using gzip

Default configuration

{
  "excluded_patterns" : [ ],
  "allowed_list" : [ "text/*", "application/javascript", "application/json" ],
  "blocked_list" : [ ],
  "buffer_size" : 8192,
  "chunked_threshold" : 102400,
  "compression_level" : 5
}

HMAC caller plugin

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.HMACCaller

Description

This plugin can be used to call an api “protected” by an HMAC signature. It will add a signature with the secret configured on the plugin. The signature string will always be the content of the header list listed in the plugin configuration.

Default configuration

{
  "secret" : null,
  "algo" : "HMAC-SHA512",
  "authorizationHeader" : null
}

HMAC access validator

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.HMACValidator

Description

This plugin can be used to check if an HMAC signature is present and valid in the Authorization header.

Default configuration

{
  "secret" : null,
  "authorizationHeader" : null
}

Headers validation

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.HeadersValidation

Description

This plugin validates the values of incoming request headers

Default configuration

{
  "headers" : { }
}

Documentation

You can use the otoroshi expression language in header values. You can also use the following validation expressions:

  • Regex(foo[1-9]+bar)
  • Wildcard(foo*bar)
  • WildcardNot(foo*bar)
  • Contains(foo)
  • ContainsNot(foo)
  • Not(foo)
  • ContainedIn(a, b, c)
  • NotContainedIn(a, b, c)

Http3 traffic switch

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.Http3Switch

Description

This plugin injects an additional alt-svc header to switch to the http3 server

Default configuration

{
  "ma" : 3600
}

Image replacer

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.ImageReplacer

Description

Replaces all responses with content-type image/* as they are proxied

Default configuration

{
  "url" : "https://raw.githubusercontent.com/MAIF/otoroshi/master/resources/otoroshi-logo.png"
}

IP allowed list

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.IpAddressAllowedList

Description

This plugin verifies the current request ip address is in the allowed list

Default configuration

{
  "addresses" : [ ]
}

IP block list

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.IpAddressBlockList

Description

This plugin verifies the current request ip address is not in the blocked list

Default configuration

{
  "addresses" : [ ]
}

JQ

Defined on steps

  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.JQ

Description

This plugin lets you transform JSON bodies (in requests and responses) using JQ filters.

Default configuration

{
  "request" : ".",
  "response" : ""
}

JQ transform request

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.JQRequest

Description

This plugin lets you transform the request JSON body using JQ filters.

Default configuration

{
  "filter" : "."
}

JQ transform response

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.JQResponse

Description

This plugin lets you transform the JSON response using JQ filters.

Default configuration

{
  "filter" : "."
}

Websocket JQ transformer

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.JqWebsocketMessageTransformer

Description

Transform messages JSON content using JQ filters

Default configuration

{
  "request_filter" : ".",
  "response_filter" : "."
}

request body json-to-xml

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.JsonToXmlRequest

Description

This plugin transforms the incoming request body from json to xml and may apply a jq transformation

Default configuration

{
  "filter" : null
}

response body json-to-xml

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.JsonToXmlResponse

Description

This plugin transforms the response body from json to xml and may apply a jq transformation

Default configuration

{
  "filter" : null
}

JWE extractor

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.JweExtractor

Description

This plugin validates and extracts the payload of JWE

Default configuration

{
  "keyManagementAlgorithm" : "RSA_OAEP_256",
  "contentEncryptionAlgorithm" : "A128CBC_HS256",
  "certId" : null,
  "source" : {
    "type" : "InHeader",
    "name" : "X-JWT-Token",
    "remove" : ""
  },
  "forward_location" : {
    "type" : "InHeader",
    "name" : "X-JWT-Token",
    "remove" : ""
  },
  "strict" : false,
  "metadata" : { }
}

JWE signer

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.JweSigner

Description

This plugin can only generate tokens

Default configuration

{
  "keyManagementAlgorithm" : "RSA_OAEP_256",
  "contentEncryptionAlgorithm" : "A128CBC_HS256",
  "certId" : null,
  "source" : {
    "type" : "InHeader",
    "name" : "X-JWT-Token",
    "remove" : ""
  },
  "forward_location" : {
    "type" : "InHeader",
    "name" : "X-JWT-Token",
    "remove" : ""
  },
  "strict" : false,
  "metadata" : { }
}

Jwt signer

Defined on steps

  • ValidateAccess
  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.JwtSigner

Description

This plugin can only generate tokens

Default configuration

{
  "verifier" : null,
  "replace_if_present" : true,
  "fail_if_present" : false
}

Jwt verifiers

Defined on steps

  • ValidateAccess
  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.JwtVerification

Description

This plugin verifies the current request with one or more jwt verifiers

Default configuration

{
  "verifiers" : [ ]
}

Jwt verification only

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.JwtVerificationOnly

Description

This plugin verifies the current request with one jwt verifier

Default configuration

{
  "verifier" : null,
  "fail_if_absent" : true
}

Limit headers in too long

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.LimitHeaderInTooLong

Description

This plugin limits all headers to the backend with a length above a max

Default configuration

{
  "value" : 8192
}

Limit headers out too long

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.LimitHeaderOutTooLong

Description

This plugin limits all headers from the backend with a length above a max

Default configuration

{
  "value" : 8192
}

Maintenance mode

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.MaintenanceMode

Description

This plugin displays a maintenance page

Missing cookies in

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.MissingCookieIn

Description

This plugin adds cookies in the otoroshi request if not present

Default configuration

{
  "name" : "cookie",
  "value" : "value",
  "domain" : null,
  "path" : null,
  "maxAge" : null,
  "secure" : false,
  "httpOnly" : false,
  "sameSite" : null
}

Missing cookies out

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.MissingCookieOut

Description

This plugin adds cookies in the otoroshi response if not present

Default configuration

{
  "name" : "cookie",
  "value" : "value",
  "domain" : null,
  "path" : null,
  "maxAge" : null,
  "secure" : false,
  "httpOnly" : false,
  "sameSite" : null
}

Missing headers in

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.MissingHeadersIn

Description

This plugin adds headers (if missing) in the incoming otoroshi request

Default configuration

{
  "headers" : { }
}

Missing headers out

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.MissingHeadersOut

Description

This plugin adds headers (if missing) in the otoroshi response

Default configuration

{
  "headers" : { }
}

Mock Responses

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.MockResponses

Description

This plugin returns mock responses

Default configuration

{
  "responses" : [ ],
  "pass_through" : true
}

Multi Authentication

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.MultiAuthModule

Description

This plugin applies an authentication module from a list of selected modules

Default configuration

{
  "pass_with_apikey" : false,
  "auth_modules" : [ ],
  "use_email_prompt" : false,
  "users_groups" : { }
}

Apikey mandatory metadata

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgApikeyMandatoryMetadata

Description

This plugin checks that if an apikey is provided, there is one or more metadata on it

Default configuration

{
  "metadata" : { }
}

Apikey mandatory tags

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgApikeyMandatoryTags

Description

This plugin checks that if an apikey is provided, there is one or more tags on it

Default configuration

{
  "tags" : [ ]
}

User logged in expected

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgAuthModuleExpectedUser

Description

This plugin enforces that a user from any auth. module is logged in

Default configuration

{
  "only_from" : [ ]
}

User extraction from auth. module

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgAuthModuleUserExtractor

Description

This plugin extracts users from an authentication module without enforcing login

Default configuration

{
  "auth_module" : null
}

Apikey from Biscuit token extractor

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.NgBiscuitExtractor

Description

This plugin extracts an apikey from a Biscuit token where the biscuit has an #authority fact ‘client_id’ containing the apikey client_id and an #authority fact ‘client_sign’ that is the HMAC256 signature of the apikey client_id with the apikey client_secret

Default configuration

{
  "public_key" : null,
  "checks" : [ ],
  "facts" : [ ],
  "resources" : [ ],
  "rules" : [ ],
  "revocation_ids" : [ ],
  "extractor" : {
    "name" : "Authorization",
    "type" : "header"
  },
  "enforce" : false
}

Biscuit token validator

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgBiscuitValidator

Description

This plugin validates a Biscuit token

Default configuration

{
  "public_key" : null,
  "checks" : [ ],
  "facts" : [ ],
  "resources" : [ ],
  "rules" : [ ],
  "revocation_ids" : [ ],
  "extractor" : {
    "name" : "Authorization",
    "type" : "header"
  },
  "enforce" : false
}

Client certificate as apikey

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.NgCertificateAsApikey

Description

This plugin uses client certificate as an apikey. The apikey will be stored for classic apikey usage

Default configuration

{
  "read_only" : false,
  "allow_client_id_only" : false,
  "throttling_quota" : 100,
  "daily_quota" : 10000000,
  "monthly_quota" : 10000000,
  "constrained_services_only" : false,
  "tags" : [ ],
  "metadata" : { }
}

Client certificate header

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgClientCertChainHeader

Description

This plugin passes client certificate information to the target in headers

Default configuration

{
  "send_pem" : false,
  "pem_header_name" : "X-Client-Cert-Pem",
  "send_dns" : false,
  "dns_header_name" : "X-Client-Cert-DNs",
  "send_chain" : false,
  "chain_header_name" : "X-Client-Cert-Chain"
}

Client credential token endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.NgClientCredentialTokenEndpoint

Description

This plugin provides the endpoint for the client_credential flow

Default configuration

{
  "expiration" : 3600000,
  "default_key_pair" : "otoroshi-jwt-signing",
  "allowed_apikeys" : [ ],
  "allowed_groups" : [ ]
}

Client Credential Service

Defined on steps

  • Sink

Plugin reference

cp:otoroshi.next.plugins.NgClientCredentials

Description

This plugin adds an oauth client credentials service (https://unhandleddomain/.well-known/otoroshi/oauth/token) to create an access_token given a client id and secret

Default configuration

{
  "expiration" : 3600000,
  "default_key_pair" : "otoroshi-jwt-signing",
  "domain" : "*",
  "secure" : true,
  "biscuit" : null
}

Custom quotas

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgCustomQuotas

Description

This plugin will enforce quotas on the current route based on whatever you want

Default configuration

{
  "per_route" : true,
  "global" : false,
  "group" : null,
  "expression" : "${req.ip}",
  "daily_quota" : 10000000,
  "monthly_quota" : 10000000
}

Custom throttling

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgCustomThrottling

Description

This plugin will enforce throttling on the current route based on whatever you want

Default configuration

{
  "per_route" : true,
  "global" : false,
  "group" : null,
  "expression" : "${req.ip}",
  "throttling_quota" : 100
}

Default request body

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgDefaultRequestBody

Description

This plugin adds a default request body if none specified

Default configuration

{
  "bodyBinary" : "",
  "contentType" : "text/plain",
  "contentEncoding" : null
}

Defer Responses

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgDeferPlugin

Description

This plugin will expect an X-Defer header or a defer query param and defer the response according to the value in milliseconds. This plugin is some kind of inside joke, as one of our customers asked us to make slower apis.

Default configuration

{
  "duration" : 0
}

Global self registration endpoints (service discovery)

Defined on steps

  • Sink

Plugin reference

cp:otoroshi.next.plugins.NgDiscoverySelfRegistrationSink

Description

This plugin adds support for self registration endpoints on specific hostnames

Default configuration

{ }

Self registration endpoints (service discovery)

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgDiscoverySelfRegistrationTransformer

Description

This plugin adds support for self registration endpoints on a specific service

Default configuration

{ }

Service discovery target selector (service discovery)

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.NgDiscoveryTargetsSelector

Description

This plugin selects a target in the pool of discovered targets for this service. Use it in combination with either DiscoverySelfRegistrationSink or DiscoverySelfRegistrationTransformer to make it work using the self registration pattern, or use an implementation of DiscoveryJob for the third party registration pattern.

Default configuration

{ }

Error response rewrite

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.NgErrorRewriter

Description

This plugin catches HTTP responses with specific statuses and rewrites the response

Default configuration

{
  "ranges" : [ {
    "from" : 500,
    "to" : 599
  } ],
  "templates" : {
    "default" : "<html>\n  <body style=\"background-color: #333; color: #eee; display: flex; flex-direction: column; justify-content: center; align-items: center; font-size: 40px\">\n    <p>An error occurred with id: <span style=\"color: red\">${error_id}</span></p>\n    <p>please contact your administrator with this error id !</p>\n  </body>\n</html>"
  },
  "log" : true,
  "export" : true
}

Expected consumer

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgExpectedConsumer

Description

This plugin expects that a user or an apikey made the call

External request validator

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgExternalValidator

Description

This plugin lets requests pass based on an external validation service

Default configuration

{
  "cache_expression" : null,
  "url" : null,
  "ttl" : 60000,
  "timeout" : 30000,
  "headers" : { },
  "error_message" : "forbidden",
  "error_status" : 403
}

Generic allowed list

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgGenericAllowedList

Description

This plugin lets requests pass based on an EL expression

Default configuration

{
  "expression" : "${req.ip_address}",
  "values" : [ ]
}

Generic block list

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgGenericBlockList

Description

This plugin blocks requests based on an EL expression

Default configuration

{
  "expression" : "${req.ip_address}",
  "values" : [ ]
}

Geolocation endpoint

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgGeolocationInfoEndpoint

Description

This plugin will expose the current geolocation information on the following endpoint: /.well-known/otoroshi/plugins/geolocation

Geolocation header

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgGeolocationInfoHeader

Description

This plugin will send the information extracted by the Geolocation details extractor to the target service in a header.

Default configuration

{
  "header_name" : "X-User-Agent-Info"
}

Allowed users only

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgHasAllowedUsersValidator

Description

This plugin only lets allowed users pass

Default configuration

{
  "usernames" : [ ],
  "emails" : [ ],
  "email_domains" : [ ],
  "metadata_match" : [ ],
  "metadata_not_match" : [ ],
  "otoroshi_data_match" : [ ],
  "otoroshi_data_not_match" : [ ],
  "profile_match" : [ ],
  "profile_not_match" : [ ]
}

Client Certificate + Api Key only

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgHasClientCertMatchingApikeyValidator

Description

Check if a client certificate is present in the request and that the apikey used matches the client certificate. You can set the client cert. DN in an apikey metadata named allowed-client-cert-dn

Client certificate matching (over http)

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgHasClientCertMatchingHttpValidator

Description

Check if the client certificate matches the following configuration, fetched from an HTTP endpoint

Default configuration

{
  "serial_numbers" : [ ],
  "subject_dns" : [ ],
  "issuer_dns" : [ ],
  "regex_subject_dns" : [ ],
  "regex_issuer_dns" : [ ]
}

Client certificate matching

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgHasClientCertMatchingValidator

Description

Check if client certificate matches the following configuration

Default configuration

{
  "serial_numbers" : [ ],
  "subject_dns" : [ ],
  "issuer_dns" : [ ],
  "regex_subject_dns" : [ ],
  "regex_issuer_dns" : [ ]
}

Client Certificate Only

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgHasClientCertValidator

Description

Check if a client certificate is present in the request

Html Patcher

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.NgHtmlPatcher

Description

This plugin can inject elements in html pages (in the body or in the head) returned by the service

Default configuration

{
  "append_head" : [ ],
  "append_body" : [ ],
  "prepend_head" : [ ],
  "prepend_body" : [ ]
}

HTTP Client Cache

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.NgHttpClientCache

Description

This plugin adds cache headers to responses

Default configuration

{
  "max_age_seconds" : 86400,
  "methods" : [ "GET" ],
  "status" : [ 200 ],
  "mime_types" : [ "text/html" ]
}

Globally allowed domain names

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgIncomingRequestValidatorAllowedDomainNames

Description

Globally allowed domain names plugin

Globally denied domain names

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgIncomingRequestValidatorDeniedDomainNames

Description

Globally denied domain names plugin

Geolocation details extractor (using IpStack api)

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.NgIpStackGeolocationInfoExtractor

Description

This plugin extracts geolocation information from the IP address using the IpStack dbs. The information is stored in plugins attrs for other plugins to use

Default configuration

{
  "apikey" : null,
  "timeout" : 2000,
  "log" : false
}

Izanami V1 Canary Campaign

Defined on steps

  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.NgIzanamiV1Canary

Description

This plugin allows you to perform canary testing based on an Izanami experiment campaign (A/B test)

Default configuration

{
  "experiment_id" : "foo:bar:qix",
  "config_id" : "foo:bar:qix:config",
  "izanami_url" : "https://izanami.foo.bar",
  "tls" : {
    "certs" : [ ],
    "trusted_certs" : [ ],
    "enabled" : false,
    "loose" : false,
    "trust_all" : false
  },
  "client_id" : "client",
  "client_secret" : "secret",
  "timeout" : 5000,
  "route_config" : null
}

Izanami v1 APIs Proxy

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgIzanamiV1Proxy

Description

This plugin exposes routes to proxy Izanami configuration and features tree APIs

Default configuration

{
  "path" : "/api/izanami",
  "feature_pattern" : "*",
  "config_pattern" : "*",
  "auto_context" : false,
  "features_enabled" : true,
  "features_with_context_enabled" : true,
  "configuration_enabled" : false,
  "tls" : {
    "certs" : [ ],
    "trusted_certs" : [ ],
    "enabled" : false,
    "loose" : false,
    "trust_all" : false
  },
  "izanami_url" : "https://izanami.foo.bar",
  "client_id" : "client",
  "client_secret" : "secret",
  "timeout" : 500
}

Jwt user extractor

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.NgJwtUserExtractor

Description

This plugin extracts a user from a JWT token

Default configuration

{
  "verifier" : "none",
  "strict" : true,
  "strip" : false,
  "name_path" : null,
  "email_path" : null,
  "meta_path" : null
}

Legacy apikeys

Defined on steps

  • MatchRoute
  • ValidateAccess
  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgLegacyApikeyCall

Description

This plugin expects to find an apikey to allow the request to pass. This plugin behaves exactly like the service descriptor does

Default configuration

{
  "public_patterns" : [ ],
  "private_patterns" : [ ],
  "extractors" : {
    "basic" : {
      "enabled" : true,
      "header_name" : null,
      "query_name" : null,
      "cookie_name" : null,
      "path_name" : null
    },
    "custom_headers" : {
      "enabled" : true,
      "client_id_header_name" : null,
      "client_secret_header_name" : null
    },
    "client_id" : {
      "enabled" : true,
      "header_name" : null,
      "query_name" : null,
      "cookie_name" : null,
      "path_name" : null
    },
    "jwt" : {
      "enabled" : true,
      "secret_signed" : true,
      "keypair_signed" : true,
      "include_request_attrs" : false,
      "max_jwt_lifespan_sec" : null,
      "header_name" : null,
      "query_name" : null,
      "cookie_name" : null,
      "path_name" : null
    },
    "oto_bearer" : {
      "enabled" : true,
      "header_name" : null,
      "query_name" : null,
      "cookie_name" : null,
      "path_name" : null
    }
  },
  "routing" : {
    "enabled" : false
  },
  "validate" : true,
  "mandatory" : true,
  "pass_with_user" : false,
  "wipe_backend_request" : true,
  "update_quotas" : true
}

Legacy Authentication

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgLegacyAuthModuleCall

Description

This plugin applies an authentication module the same way service descriptor does

Default configuration

{
  "public_patterns" : [ ],
  "private_patterns" : [ ],
  "pass_with_apikey" : false,
  "auth_module" : null
}

Log4Shell mitigation plugin

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgLog4ShellFilter

Description

This plugin tries to detect Log4Shell attacks in requests and blocks them

Default configuration

{
  "status" : 200,
  "body" : "",
  "parse_body" : false
}

Geolocation details extractor (using Maxmind db)

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.NgMaxMindGeolocationInfoExtractor

Description

This plugin extracts geolocation information from the IP address using the Maxmind dbs. The information is stored in plugins attrs for other plugins to use

Default configuration

{
  "path" : "global",
  "log" : false
}

Response Cache

Defined on steps

  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.NgResponseCache

Description

This plugin can cache responses from target services in the otoroshi datastore. It also provides a debug UI at /.well-known/otoroshi/bodylogger.

Default configuration

{
  "ttl" : 3600000,
  "maxSize" : 52428800,
  "autoClean" : true,
  "filter" : null
}

Security Txt

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgSecurityTxt

Description

This plugin exposes a special route /.well-known/security.txt as defined in RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116.html)

Default configuration

{
  "contact" : [ "contact@foo.bar" ],
  "auto_expires" : false,
  "expires_years" : 1
}

Public quotas

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.NgServiceQuotas

Description

This plugin will enforce public quotas on the current route

Default configuration

{
  "throttling_quota" : 10000000,
  "daily_quota" : 10000000,
  "monthly_quota" : 10000000
}

Traffic Mirroring

Defined on steps

  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.NgTrafficMirroring

Description

This plugin will mirror every request to other targets

Default configuration

{
  "to" : "https://foo.bar.dev",
  "enabled" : true,
  "capture_response" : false,
  "generate_events" : false
}

User-Agent details extractor

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.NgUserAgentExtractor

Description

This plugin extracts information from the User-Agent header such as browser version, OS version, etc. The information is stored in plugins attrs for other plugins to use

Default configuration

{
  "log" : false
}

User-Agent endpoint

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgUserAgentInfoEndpoint

Description

This plugin will expose the current user-agent information on the following endpoint: /.well-known/otoroshi/plugins/user-agent

User-Agent header

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.NgUserAgentInfoHeader

Description

This plugin will send the information extracted by the User-Agent details extractor to the target service in a header

Default configuration

{
  "header_name" : "X-User-Agent-Info"
}

OAuth1 caller

Defined on steps

  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.OAuth1Caller

Description

This plugin can be used to call APIs that are authenticated using OAuth1. The consumer key, consumer secret, OAuth token and OAuth token secret can be passed through the metadata of an api key or via the configuration of this plugin.

Default configuration

{
  "consumerKey" : null,
  "consumerSecret" : null,
  "token" : null,
  "tokenSecret" : null,
  "algo" : null
}

OAuth2 caller

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.OAuth2Caller

Description

This plugin can be used to call APIs that are authenticated using the OAuth2 client_credential/password flow. Do not forget to enable client retry to handle token generation on expiry.

Default configuration

{
  "kind" : "client_credentials",
  "url" : "https://127.0.0.1:8080/oauth/token",
  "method" : "POST",
  "headerName" : "Authorization",
  "headerValueFormat" : "Bearer %s",
  "jsonPayload" : false,
  "clientId" : "the client_id",
  "clientSecret" : "the client_secret",
  "scope" : null,
  "audience" : null,
  "user" : null,
  "password" : null,
  "cacheTokenSeconds" : 600000,
  "tlsConfig" : {
    "certs" : [ ],
    "trustedCerts" : [ ],
    "mtls" : false,
    "loose" : false,
    "trustAll" : false
  }
}

OIDC access_token as apikey

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.OIDCAccessTokenAsApikey

Description

This plugin will use the third party apikey configuration to generate an apikey

Default configuration

{
  "enabled" : true,
  "atLeastOne" : false,
  "config" : {
    "enabled" : true,
    "quotasEnabled" : true,
    "uniqueApiKey" : false,
    "type" : "OIDC",
    "oidcConfigRef" : "some-oidc-auth-module-id",
    "localVerificationOnly" : false,
    "mode" : "Tmp",
    "ttl" : 0,
    "headerName" : "Authorization",
    "throttlingQuota" : 100,
    "dailyQuota" : 10000000,
    "monthlyQuota" : 10000000,
    "excludedPatterns" : [ ],
    "scopes" : [ ],
    "rolesPath" : [ ],
    "roles" : [ ]
  }
}

OIDC access_token validator

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.OIDCAccessTokenValidator

Description

This plugin will use the third party apikey configuration and apply it while keeping the apikey mechanism of otoroshi. Use it to combine apikey validation and OIDC access_token validation.

Default configuration

{
  "enabled" : true,
  "atLeastOne" : false,
  "config" : {
    "enabled" : true,
    "quotasEnabled" : true,
    "uniqueApiKey" : false,
    "type" : "OIDC",
    "oidcConfigRef" : "some-oidc-auth-module-id",
    "localVerificationOnly" : false,
    "mode" : "Tmp",
    "ttl" : 0,
    "headerName" : "Authorization",
    "throttlingQuota" : 100,
    "dailyQuota" : 10000000,
    "monthlyQuota" : 10000000,
    "excludedPatterns" : [ ],
    "scopes" : [ ],
    "rolesPath" : [ ],
    "roles" : [ ]
  }
}

OIDC access_token authentication

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.OIDCAuthToken

Description

This plugin will authenticate a user based on its OIDC access_token

Default configuration

{
  "ref" : "",
  "opaque" : true,
  "fetch_user_profile" : true,
  "validate_audience" : false,
  "header_name" : "Authorization"
}

OIDC headers

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.OIDCHeaders

Description

This plugin injects headers containing tokens and profile from current OIDC provider.

Default configuration

{
  "profile" : {
    "send" : false,
    "headerName" : "X-OIDC-User"
  },
  "idToken" : {
    "send" : false,
    "name" : "id_token",
    "headerName" : "X-OIDC-Id-Token",
    "jwt" : true
  },
  "accessToken" : {
    "send" : false,
    "name" : "access_token",
    "headerName" : "X-OIDC-Access-Token",
    "jwt" : true
  }
}

Otoroshi AIA endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.OtoroshiAIAEndpoint

Description

This plugin provides an endpoint to return Otoroshi Authority Information Access for your certificates

Default configuration

{
  "cert_ids" : [ ]
}

Otoroshi challenge token

Defined on steps

  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.OtoroshiChallenge

Description

This plugin adds a jwt challenge token to the request to a backend and expects a response with a matching token

Default configuration

{
  "version" : "V2",
  "ttl" : 30,
  "request_header_name" : null,
  "response_header_name" : null,
  "algo_to_backend" : {
    "type" : "HSAlgoSettings",
    "size" : 512,
    "secret" : "secret",
    "base64" : false
  },
  "algo_from_backend" : {
    "type" : "HSAlgoSettings",
    "size" : 512,
    "secret" : "secret",
    "base64" : false
  },
  "state_resp_leeway" : 10
}

Otoroshi headers in

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.OtoroshiHeadersIn

Description

This plugin adds Otoroshi specific headers to the request

Otoroshi Health endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.OtoroshiHealthEndpoint

Description

This plugin provides an endpoint to return Otoroshi health information for the current node

Otoroshi info. token

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.OtoroshiInfos

Description

This plugin adds a JWT token with information about the caller to the backend

Default configuration

{
  "version" : "Latest",
  "ttl" : 30,
  "header_name" : null,
  "add_fields" : null,
  "projection" : { },
  "algo" : {
    "type" : "HSAlgoSettings",
    "size" : 512,
    "secret" : "secret",
    "base64" : false
  }
}

Otoroshi JWKS endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.OtoroshiJWKSEndpoint

Description

This plugin provides an endpoint to return Otoroshi JWKS data

Default configuration

{
  "cert_ids" : [ ]
}

Otoroshi Metrics endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.OtoroshiMetricsEndpoint

Description

This plugin provides an endpoint to return Otoroshi metrics data for the current node

Default configuration

{
  "filter" : null
}

Otoroshi OCSP Responder endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.OtoroshiOCSPResponderEndpoint

Description

This plugin provides an endpoint to act as the Otoroshi OCSP Responder

Default configuration

{
  "cert_ids" : [ ]
}

Override host header

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.OverrideHost

Description

This plugin overrides the current Host header with the Host of the backend target

Override Location header

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.OverrideLocationHeader

Description

This plugin overrides the current Location header with the Host of the backend target

cdn.polyfill.io detector

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.PolyfillIoDetector

Description

This plugin detects compromised cdn.polyfill.io script tags in HTML resources with the cloudflare equivalent and sends an alert event. For each occurrence of a cdn.polyfill.io script tag, a CdnPolyfillIoDetectedAlert will be sent

cdn.polyfill.io mitigation

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.PolyfillIoReplacer

Description

This plugin replaces compromised cdn.polyfill.io script tags in HTML resources with the cloudflare equivalent. For each occurrence of a cdn.polyfill.io script tag, a CdnPolyfillIoReplacedAlert will be sent

Public/Private paths

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.PublicPrivatePaths

Description

This plugin allows or forbids requests based on path patterns

Strict mode = restricted access. Only an API key is accepted.

Default configuration

{
  "strict" : false,
  "private_patterns" : [ ],
  "public_patterns" : [ ]
}

Query param transformer

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.QueryTransformer

Description

This plugin can modify the query params of the request

Default configuration

{
  "remove" : [ ],
  "rename" : { },
  "add" : { }
}

RBAC

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.RBAC

Description

This plugin checks if the current user/apikey/jwt token has the right role

Default configuration

{
  "allow" : [ ],
  "deny" : [ ],
  "allow_all" : false,
  "deny_all" : false,
  "jwt_path" : null,
  "apikey_path" : null,
  "user_path" : null,
  "role_prefix" : null,
  "roles" : "roles"
}

Read only requests

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.ReadOnlyCalls

Description

This plugin verifies the current request only reads data

Redirection

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.Redirection

Description

This plugin redirects the current request elsewhere

Default configuration

{
  "code" : 303,
  "to" : "https://www.otoroshi.io"
}

Regex request body rewriter

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.RegexRequestBodyRewriter

Description

Rewrites the HTTP request body using a set of regex rules

Default configuration

{
  "content_types" : [ "text/html" ],
  "rules" : [ ],
  "auto_href_prefix" : null,
  "max_body_size" : null,
  "charset_fallback" : "UTF-8"
}

Documentation

Examples

1) Rewrite a domain to another

{
  "plugin": "cp:otoroshi.next.plugins.RegexResponseBodyRewriter",
  "enabled": true,
  "config": {
    "content_types": ["text/html"],
    "rules": [
      { "pattern": "(?i)https?://example\\.com", "replacement": "https://public.example.com" }
    ],
    "max_body_size": 1048576
  }
}

2) Rewrite paths while keeping captured groups

{
  "plugin": "cp:otoroshi.next.plugins.RegexResponseBodyRewriter",
  "enabled": true,
  "config": {
    "content_types": ["text/html", "text/plain"],
    "rules": [
      { "pattern": "href=([\"'])/v1/(.+?)\\1", "replacement": "href=$1/v2/$2$1", "flags": "i" }
    ]
  }
}

Note: replacement supports backrefs $1, $2, … Remember to properly escape backslashes in JSON.

Regex request headers rewriter

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.RegexRequestHeadersRewriter

Description

Rewrites the HTTP request headers using a set of regex rules

Default configuration

{
  "rules" : [ ]
}

Regex response body rewriter

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.RegexResponseBodyRewriter

Description

Rewrites the HTTP response body using a set of regex rules, with optional auto-prefix for relative hrefs.

Default configuration

{
  "content_types" : [ "text/html" ],
  "rules" : [ ],
  "auto_href_prefix" : null,
  "max_body_size" : null,
  "charset_fallback" : "UTF-8"
}

Documentation

1) Prefix all relative hrefs with /proxy and rewrite a domain to another

{
  "plugin": "cp:otoroshi.next.plugins.RegexResponseBodyRewriter",
  "enabled": true,
  "config": {
    "content_types": ["text/html"],
    "auto_href_prefix": "/proxy",
    "rules": [
      { "pattern": "(?i)https?://example\\.com", "replacement": "https://public.example.com" }
    ],
    "max_body_size": 1048576
  }
}

2) Rewrite paths while keeping captured groups

{
  "plugin": "cp:otoroshi.next.plugins.RegexResponseBodyRewriter",
  "enabled": true,
  "config": {
    "content_types": ["text/html", "text/plain"],
    "rules": [
      { "pattern": "href=([\"'])/v1/(.+?)\\1", "replacement": "href=$1/v2/$2$1", "flags": "i" }
    ]
  }
}

Note: replacement supports backrefs $1, $2, …

Regex response headers rewriter

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.RegexResponseHeadersRewriter

Description

Rewrites the HTTP response headers using a set of regex rules

Default configuration

{
  "rules" : [ ]
}

Reject headers in too long

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.RejectHeaderInTooLong

Description

This plugin removes all headers to the backend with a length above a max

Default configuration

{
  "value" : 8192
}

Reject headers out too long

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.RejectHeaderOutTooLong

Description

This plugin removes all headers from the backend with a length above a max

Default configuration

{
  "value" : 8192
}

Remove cookies in

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.RemoveCookiesIn

Description

This plugin removes cookies from the otoroshi request

Default configuration

{
  "names" : [ ]
}

Remove cookies out

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.RemoveCookiesOut

Description

This plugin removes cookies from the otoroshi response

Default configuration

{
  "names" : [ ]
}

Remove headers in

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.RemoveHeadersIn

Description

This plugin removes headers in the incoming otoroshi request

Default configuration

{
  "header_names" : [ ]
}

Remove headers out

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.RemoveHeadersOut

Description

This plugin removes headers in the otoroshi response

Default configuration

{
  "header_names" : [ ]
}

Request bandwidth throttling

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.RequestBandwidthThrottling

Description

This plugin will limit request body bandwidth

Default configuration

{
  "window_millis" : "60000",
  "throttling_quota" : "10485760",
  "group_expr" : "${route.id}",
  "fail" : true,
  "kind" : "per_request"
}

Request body Echo

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.RequestBodyEchoBackend

Description

This plugin returns request body content

Default configuration

{
  "limit" : 524288
}

Request Body length limiter

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.RequestBodyLengthLimiter

Description

This plugin will limit request body length

Default configuration

{
  "max_length" : null,
  "fail" : false
}

Response bandwidth throttling

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.ResponseBandwidthThrottling

Description

This plugin will limit response body bandwidth

Default configuration

{
  "window_millis" : "60000",
  "throttling_quota" : "10485760",
  "group_expr" : "${route.id}",
  "fail" : true,
  "kind" : "per_request"
}

Response Body length limiter

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.ResponseBodyLengthLimiter

Description

This plugin will limit response body length

Default configuration

{
  "max_length" : null,
  "fail" : false
}

Robots

Defined on steps

  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.Robots

Description

This plugin provides all the necessary tools to handle search engine robots

Default configuration

{
  "robot_txt_enabled" : true,
  "robot_txt_content" : "User-agent: *\nDisallow: /\n",
  "meta_enabled" : true,
  "meta_content" : "noindex,nofollow,noarchive",
  "header_enabled" : true,
  "header_content" : "noindex, nofollow, noarchive"
}

Routing Restrictions

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.RoutingRestrictions

Description

This plugin applies routing restrictions (method domain/path) on the current request/route

Default configuration

{
  "allow_last" : true,
  "allowed" : [ ],
  "forbidden" : [ ],
  "not_found" : [ ]
}

S3 Static backend

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.S3Backend

Description

This plugin is able to serve an S3 bucket with file content

Default configuration

{
  "bucket" : "",
  "endpoint" : "",
  "region" : "eu-west-1",
  "access" : "client",
  "secret" : "secret",
  "key" : "",
  "chunkSize" : 8388608,
  "v4auth" : true,
  "writeEvery" : 60000,
  "acl" : "private",
  "pathStyleAccess" : false
}

SOAP action

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.SOAPAction

Description

This plugin is able to call SOAP actions and expose them as a REST endpoint

Default configuration

{
  "url" : null,
  "envelope" : "<soap envelope />",
  "action" : null,
  "preserve_query" : true,
  "charset" : null,
  "jq_request_filter" : null,
  "jq_response_filter" : null
}

Security Headers

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.SecurityHeadersPlugin

Description

Inject common HTTP security headers on responses (HSTS, CSP, XFO, X-XSS-Protection, X-Content-Type-Options)

Default configuration

{
  "frame_options" : "DISABLED",
  "xss_protection" : "DISABLED",
  "content_type_options" : false,
  "hsts" : {
    "enabled" : false,
    "include_subdomains" : false,
    "max_age" : 3600,
    "preload" : false,
    "on_http" : false
  },
  "csp" : {
    "mode" : "DISABLED",
    "csp" : ""
  }
}

Send otoroshi headers back

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.SendOtoroshiHeadersBack

Description

This plugin adds response headers containing useful information about the current call

Basic Auth

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.SimpleBasicAuth

Description

This plugin can be used to protect a route with basic auth. You can use clear text passwords (not recommended for production usage) or Bcrypt-hashed passwords as password values

Default configuration

{
  "realm" : "authentication",
  "users" : { }
}

Snow Monkey Chaos

Defined on steps

  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.SnowMonkeyChaos

Description

This plugin introduces some chaos into your life

Default configuration

{
  "large_request_fault" : null,
  "large_response_fault" : null,
  "latency_injection_fault" : null,
  "bad_responses_fault" : null
}

Http static asset

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.StaticAssetEndpoint

Description

Serve any static http asset for the current request

Default configuration

{
  "url" : null
}

Static backend

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.StaticBackend

Description

This plugin is able to serve a static folder with file content

Default configuration

{
  "root_path" : "/tmp"
}

Static Response

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.StaticResponse

Description

This plugin returns static responses

Default configuration

{
  "status" : 200,
  "headers" : { },
  "body" : "",
  "apply_el" : false
}

Swagger UI

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.SwaggerUIPlugin

Description

Serves a Swagger UI page from a configurable OpenAPI specification URL

Default configuration

{
  "swagger_url" : "",
  "title" : "",
  "swagger_ui_version" : "5.30.2",
  "filter" : true,
  "show_models" : false,
  "display_operation_id" : false,
  "show_extensions" : false,
  "layout" : "BaseLayout",
  "sort_tags" : "alpha",
  "sort_ops" : "alpha",
  "theme" : "default"
}

Tailscale select target by name

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.TailscaleSelectTargetByName

Description

This plugin selects a machine instance on the Tailscale network based on its name

Default configuration

{
  "machine_name" : "my-machine",
  "use_ip_address" : false
}

TCP Tunnel

Defined on steps

  • HandlesTunnel

Plugin reference

cp:otoroshi.next.plugins.TcpTunnel

Description

This plugin creates TCP tunnels through otoroshi

Time controlled Canary mode

Defined on steps

  • PreRoute
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.TimeControlledCanaryMode

Description

This plugin can split a portion of the traffic to canary backends between two dates

Default configuration

{
  "start" : "2025-12-03T08:27:36.471Z",
  "stop" : "2025-12-04T08:27:36.492Z",
  "increment_percent" : 1,
  "targets" : [ ],
  "root" : "/"
}

Time Restriction

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.TimeRestrictedAccessPlugin

Description

This plugin restricts when a route is accessible

Default configuration

{
  "rules" : [ ],
  "timezone" : null
}

UDP Tunnel

Defined on steps

  • HandlesTunnel

Plugin reference

cp:otoroshi.next.plugins.UdpTunnel

Description

This plugin creates UDP tunnels through otoroshi

User profile endpoint

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.UserProfileEndpoint

Description

This plugin returns the current user profile

W3C Trace Context

Defined on steps

  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.W3CTracing

Description

This plugin propagates W3C Trace Context spans and can export them to Jaeger or Zipkin

Default configuration

{
  "kind" : "noop",
  "endpoint" : "http://localhost:3333/spans",
  "timeout" : 30000,
  "baggage" : { }
}

Wasm Access control

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.WasmAccessValidator

Description

Delegate route access to a wasm plugin

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : false,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Wasm Backend

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.WasmBackend

Description

This plugin uses a wasm plugin as a backend

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : false,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Open Policy Agent (OPA)

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.WasmOPA

Description

Rego policies as WASM modules

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : true,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Wasm pre-route

Defined on steps

  • PreRoute

Plugin reference

cp:otoroshi.next.plugins.WasmPreRoute

Description

This plugin runs a wasm plugin in the pre-route phase

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : false,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Wasm Request Transformer

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.WasmRequestTransformer

Description

Transform the content of the request with a wasm plugin

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : false,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Wasm Response Transformer

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.WasmResponseTransformer

Description

Transform the content of a response with a wasm plugin

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : false,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Wasm Route Matcher

Defined on steps

  • MatchRoute

Plugin reference

cp:otoroshi.next.plugins.WasmRouteMatcher

Description

This plugin uses a wasm plugin as a route matcher

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : false,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Wasm Router

Defined on steps

  • Router

Plugin reference

cp:otoroshi.next.plugins.WasmRouter

Description

Makes routing decisions with a wasm plugin

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : false,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Wasm Sink

Defined on steps

  • Sink

Plugin reference

cp:otoroshi.next.plugins.WasmSink

Description

Handle unmatched requests with a wasm plugin

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : false,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Wasm Websocket transformer

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.WasmWebsocketTransformer

Description

Transform messages and filter websocket messages

Default configuration

{
  "source" : {
    "kind" : "Unknown",
    "path" : "",
    "opts" : { }
  },
  "memoryPages" : 50,
  "functionName" : null,
  "config" : { },
  "allowedHosts" : [ ],
  "allowedPaths" : { },
  "wasi" : false,
  "opa" : false,
  "httpWasm" : false,
  "authorizations" : {
    "httpAccess" : false,
    "proxyHttpCallTimeout" : 5000,
    "globalDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginDataStoreAccess" : {
      "read" : false,
      "write" : false
    },
    "globalMapAccess" : {
      "read" : false,
      "write" : false
    },
    "pluginMapAccess" : {
      "read" : false,
      "write" : false
    },
    "proxyStateAccess" : false,
    "configurationAccess" : false
  },
  "instances" : 1,
  "killOptions" : {
    "immortal" : false,
    "max_calls" : 2147483647,
    "max_memory_usage" : 0,
    "max_avg_call_duration" : 0,
    "max_unused_duration" : 300000
  },
  "isJS" : false
}

Websocket content validator in

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.WebsocketContentValidatorIn

Description

Validate the content of each frame

Default configuration

{
  "validator" : {
    "kind" : "json-path-validator",
    "path" : "$.message",
    "value" : "foo",
    "error" : null
  },
  "reject_strategy" : "drop"
}

Websocket json format validator

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.WebsocketJsonFormatValidator

Description

Validate the json

Default configuration

{
  "schema" : "{ \"type\": \"object\", \"required\": [\"name\"] }",
  "specification" : "https://json-schema.org/draft/2020-12/schema",
  "reject_strategy" : "drop"
}

Websocket size validator

Defined on steps

  • ValidateAccess
  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.WebsocketSizeValidator

Description

Make sure the frame does not exceed the maximum size set.

Default configuration

{
  "client_max_payload" : 4096,
  "upstream_max_payload" : 4096,
  "reject_strategy" : "drop"
}

Websocket type validator

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.plugins.WebsocketTypeValidator

Description

Validate the type of each frame

Default configuration

{
  "allowed_format" : "all",
  "reject_strategy" : "drop"
}

X-Forwarded-* headers

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.XForwardedHeaders

Description

This plugin adds all the X-Forwarded-* headers to the request for the backend target

request body xml-to-json

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.plugins.XmlToJsonRequest

Description

This plugin transforms the incoming request body from xml to json and may apply a jq transformation

Default configuration

{
  "filter" : null
}

response body xml-to-json

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.plugins.XmlToJsonResponse

Description

This plugin transforms the response body from xml to json and may apply a jq transformation

Default configuration

{
  "filter" : null
}

Zip Bomb backend

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.ZipBombBackend

Description

This plugin returns zip bomb responses based on predicates

Default configuration

{
  "predicates" : [ ],
  "or" : false,
  "size" : "10G",
  "status" : null,
  "content_type" : null
}

Zip file backend

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.ZipFileBackend

Description

Serves content from a zip file

Default configuration

{
  "url" : "https://github.com/MAIF/otoroshi/releases/download/16.11.2/otoroshi-manual-16.11.2.zip",
  "headers" : { },
  "dir" : "./zips",
  "prefix" : null,
  "ttl" : 3600000
}

Yes

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.plugins.api.YesWebsocketBackend

Description

Outputs Ys to the client

Remote tunnel calls

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.tunnel.TunnelPlugin

Description

This plugin can contact remote services using tunnels

Default configuration

{
  "tunnel_id" : "default"
}

Workflow Access control

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.next.workflow.WorkflowAccessValidator

Description

Delegate route access to a workflow

Default configuration

{ }

Workflow Backend

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.workflow.WorkflowBackend

Description

This plugin uses a workflow as a backend

Default configuration

{ }

Workflow Request Transformer

Defined on steps

  • TransformRequest

Plugin reference

cp:otoroshi.next.workflow.WorkflowRequestTransformer

Description

Transform the content of the request with a workflow

Default configuration

{ }

Workflow Response Transformer

Defined on steps

  • TransformResponse

Plugin reference

cp:otoroshi.next.workflow.WorkflowResponseTransformer

Description

Transform the content of a response with a workflow

Default configuration

{ }

Workflow Resume Backend

Defined on steps

  • CallBackend

Plugin reference

cp:otoroshi.next.workflow.WorkflowResumeBackend

Description

This plugin can be used to resume a paused workflow

Default configuration

{ }

Coraza WAF

Defined on steps

  • ValidateAccess
  • TransformRequest
  • TransformResponse

Plugin reference

cp:otoroshi.wasm.proxywasm.NgCorazaWAF

Description

Coraza WAF plugin

Default configuration

{
  "ref" : "none"
}

Coraza WAF - Incoming Request Validator

Defined on steps

  • ValidateAccess

Plugin reference

cp:otoroshi.wasm.proxywasm.NgIncomingRequestValidatorCorazaWAF

Description

Coraza WAF - Incoming Request Validator plugin

Default configuration

{
  "ref" : "none"
}