Built-in plugins
Otoroshi next provides some plugins out of the box. Here are the available plugins with their documentation and reference configuration. Click on a plugin card to expand it and see its reference and default configuration.
Remote Catalog Deploy Many
Defined on steps
CallBackend
This plugin deploys entities from multiple remote catalogs
Remote Catalog Deploy Single
Defined on steps
CallBackend
This plugin deploys entities from a single remote catalog
Remote Catalog Deploy Webhook
Defined on steps
CallBackend
This plugin handles webhooks from Git providers to deploy entities from remote catalogs
Additional cookies in
Defined on steps
TransformRequest
This plugin adds cookies in the otoroshi request
Additional cookies out
Defined on steps
TransformResponse
This plugin adds cookies in the otoroshi response
Additional headers in
Defined on steps
TransformRequest
This plugin adds headers in the incoming otoroshi request
Additional headers out
Defined on steps
TransformResponse
This plugin adds headers in the otoroshi response
Allowed HTTP methods
Defined on steps
ValidateAccess
This plugin verifies the current request only uses allowed http methods
Apikey auth module
Defined on steps
PreRoute
This plugin adds basic auth on service where credentials are valid apikeys on the current service.
Apikeys
Defined on steps
MatchRouteValidateAccessTransformRequest
This plugin expects to find an apikey to allow the request to pass
Apikey quotas
Defined on steps
ValidateAccess
Increments quotas for the currents apikey. Useful when 'legacy checks' are disabled on a service/globally or when apikey are extracted in a custom fashion.
Auth0 Passwordless end flow endpoint
Defined on steps
CallBackend
This plugin provide an endpoint to end a passwordless flow
Auth0 Passwordless start/end flow
Defined on steps
ValidateAccessCallBackend
This plugin provide endpoints to start and end a passwordless flow
Auth0 Passwordless start/end flow endpoints
Defined on steps
CallBackend
This plugin provide endpoints to start and end a passwordless flow
Auth0 Passwordless start flow endpoint
Defined on steps
CallBackend
This plugin provide an endpoint to start a passwordless flow
Authentication
Defined on steps
ValidateAccess
This plugin applies an authentication module
Basic Auth. caller
Defined on steps
TransformRequest
This plugin can be used to call api that are authenticated using basic auth.
Basic auth. from auth. module
Defined on steps
ValidateAccess
This plugin enforces basic auth. authentication with users coming from LDAP and In-memory auth. modules
Block non HTTPS traffic
Defined on steps
ValidateAccess
This plugin blocks any incoming non HTTPS traffic and returns a nice error message because nowadays HTTPS should be deployed everywhere.
Also, this plugin will revoke any apikey or user session passed in clear text if there is one.
In that case, make sure this plugins comes after Apikey and Authentication plugins.
Also, this plugin will revoke any apikey or user session passed in clear text if there is one.
In that case, make sure this plugins comes after Apikey and Authentication plugins.
Brotli compression
Defined on steps
TransformResponse
This plugin can compress responses using brotli
Build mode
Defined on steps
PreRoute
This plugin displays a build page
Canary mode
Defined on steps
PreRouteTransformResponse
This plugin can split a portion of the traffic to canary backends
Consumer endpoint
Defined on steps
CallBackend
This plugin returns the current consumer profile
Context validator
Defined on steps
ValidateAccess
This plugin validates the current context using JSONPath validators.
This plugin let you configure a list of validators that will check if the current call can pass.
A validator is composed of a JSONPath that will tell what to check and a value that is the expected value.
The JSONPath will be applied on a document that will look like
``
This plugin let you configure a list of validators that will check if the current call can pass.
A validator is composed of a JSONPath that will tell what to check and a value that is the expected value.
The JSONPath will be applied on a document that will look like
``
js
{
"snowflake" : "1516772930422308903",
"apikey" : { // current apikey
"clientId" : "vrmElDerycXrofar",
"clientName" : "default-apikey",
"metadata" : {
"foo" : "bar"
},
"tags" : [ ]
},
"user" : null, // current user
"request" : {
"id" : 1,
"method" : "GET",
"headers" : {
"Host" : "ctx-validation-next-gen.oto.tools:9999",
"Accept" : "*/*",
"User-Agent" : "curl/7.64.1",
"Authorization" : "Basic dnJtRWxEZXJ5Y1hyb2ZhcjpvdDdOSTkyVGI2Q2J4bWVMYU9UNzJxamdCU2JlRHNLbkxtY1FBcXBjVjZTejh0Z3I1b2RUOHAzYjB5SEVNRzhZ",
"Remote-Address" : "127.0.0.1:58929",
"Timeout-Access" : "<function1>",
"Raw-Request-URI" : "/foo",
"Tls-Session-Info" : "Session(1650461821330|SSL_NULL_WITH_NULL_NULL)"
},
"cookies" : [ ],
"tls" : false,
"uri" : "/foo",
"path" : "/foo",
"version" : "HTTP/1.1",
"has_body" : false,
"remote" : "127.0.0.1",
"client_cert_chain" : null
},
"config" : {
"validators" : [ {
"path" : "$.apikey.metadata.foo",
"value" : "bar"
} ]
},
"global_config" : { ... }, // global config
"attrs" : {
"otoroshi.core.SnowFlake" : "1516772930422308903",
"otoroshi.core.ElCtx" : {
"requestId" : "1516772930422308903",
"requestSnowflake" : "1516772930422308903",
"requestTimestamp" : "2022-04-20T15:37:01.548+02:00"
},
"otoroshi.next.core.Report" : "otoroshi.next.proxy.NgExecutionReport@277b44e2",
"otoroshi.core.RequestStart" : 1650461821545,
"otoroshi.core.RequestWebsocket" : false,
"otoroshi.core.RequestCounterOut" : 0,
"otoroshi.core.RemainingQuotas" : {
"authorizedCallsPerWindow" : 10000000,
"throttlingCallsPerWindow" : 0,
"remainingCallsPerWindow" : 10000000,
"authorizedCallsPerDay" : 10000000,
"currentCallsPerDay" : 2,
"remainingCallsPerDay" : 9999998,
"authorizedCallsPerMonth" : 10000000,
"currentCallsPerMonth" : 269,
"remainingCallsPerMonth" : 9999731
},
"otoroshi.next.core.MatchedRoutes" : "MutableList(route_022825450-e97d-42ed-8e22-b23342c1c7c8)",
"otoroshi.core.RequestNumber" : 1,
"otoroshi.next.core.Route" : { ... }, // current route as json
"otoroshi.core.RequestTimestamp" : "2022-04-20T15:37:01.548+02:00",
"otoroshi.core.ApiKey" : { ... }, // current apikey as json
"otoroshi.core.User" : { ... }, // current user as json
"otoroshi.core.RequestCounterIn" : 0
},
"route" : { ... },
"token" : null // current valid jwt token if one
}
`
the expected value support some syntax tricks like
* on a string to check if the current value does not equals another value
* Regex(regex) on a string to check if the current value matches the regex
* RegexNot(regex) on a string to check if the current value does not matches the regex
* Wildcard(*value*) on a string to check if the current value matches the value with wildcards
* WildcardNot(*value*) on a string to check if the current value does not matches the value with wildcards
* Contains(value) on a string to check if the current value contains a value
* ContainsNot(value) on a string to check if the current value does not contains a value
* Contains(Regex(regex)) on an array to check if one of the item of the array matches the regex
* ContainsNot(Regex(regex)) on an array to check if one of the item of the array does not matches the regex
* Contains(Wildcard(*value*)) on an array to check if one of the item of the array matches the wildcard value
* ContainsNot(Wildcard(*value*)) on an array to check if one of the item of the array does not matches the wildcard value
* Contains(value) on an array to check if the array contains a value
* ContainsNot(value) on an array to check if the array does not contains a value
for instance to check if the current apikey has a metadata name foo with a value containing bar, you can write the following validator
`js
{
"path": "$.apikey.metadata.foo",
"value": "Contains(bar)"
}
``Cookies validation
Defined on steps
ValidateAccess
This plugin validates cookies content
CORS
Defined on steps
PreRouteTransformResponse
This plugin applies CORS rules
Disable HTTP/1.0
Defined on steps
ValidateAccess
This plugin forbids HTTP/1.0 requests
Request Echo
Defined on steps
CallBackend
This plugin returns request content as json
Endless HTTP responses
Defined on steps
TransformRequest
This plugin returns 128 Gb of 0 to the ip addresses is in the list
Eureka instance
Defined on steps
CallBackend
Eureka plugin description
Internal Eureka target
Defined on steps
PreRoute
This plugin can be used to used a target that come from an internal Eureka server.
If you want to use a target which it locate outside of Otoroshi, you must use the External Eureka Server.
If you want to use a target which it locate outside of Otoroshi, you must use the External Eureka Server.
External Eureka target
Defined on steps
PreRoute
This plugin can be used to used a target that come from an external Eureka server.
If you want to use a target that is directly exposed by an implementation of Eureka by Otoroshi,
you must use the Internal Eureka Server.
If you want to use a target that is directly exposed by an implementation of Eureka by Otoroshi,
you must use the Internal Eureka Server.
fail2ban
Defined on steps
ValidateAccessTransformResponse
Temporarily bans client when too many failed requests occur within a detection window (fail2ban-like). Client is identified by the 'identifier' that can use the Otoroshi expression language to extract informations like user id, apikey, ip address, etc.
Force HTTPS traffic
Defined on steps
PreRoute
This plugin verifies the current request uses HTTPS
Forwarded header
Defined on steps
TransformRequest
This plugin adds all the Forwarded header to the request for the backend target
Global Maintenance mode
Defined on steps
PreRoute
This plugin displays a maintenance page for every services. Useful when 'legacy checks' are disabled on a service/globally
Global per ip address throttling
Defined on steps
ValidateAccess
Enforce global per ip address throttling. Useful when 'legacy checks' are disabled on a service/globally
Global throttling
Defined on steps
ValidateAccess
Enforce global throttling. Useful when 'legacy checks' are disabled on a service/globally
GraphQL Composer
Defined on steps
CallBackend
This plugin exposes a GraphQL API that you can compose with whatever you want
GraphQL Proxy
Defined on steps
CallBackend
This plugin can apply validations (query, schema, max depth, max complexity) on graphql endpoints
GraphQL Query to REST
Defined on steps
CallBackend
This plugin can be used to call GraphQL query endpoints and expose it as a REST endpoint
gRPC-Web Proxy
Defined on steps
TransformRequestTransformResponse
Proxies gRPC-Web requests to gRPC backend - Envoy compatible
Gzip compression
Defined on steps
TransformResponse
This plugin can compress responses using gzip
HMAC caller plugin
Defined on steps
TransformRequest
This plugin can be used to call a "protected" api by an HMAC signature. It will adds a signature with the secret configured on the plugin.
The signature string will always the content of the header list listed in the plugin configuration.
The signature string will always the content of the header list listed in the plugin configuration.
HMAC access validator
Defined on steps
ValidateAccess
This plugin can be used to check if a HMAC signature is present and valid in Authorization header.
Headers validation
Defined on steps
ValidateAccess
This plugin validates the values of incoming request headers
Http3 traffic switch
Defined on steps
TransformResponse
This plugin injects additional alt-svc header to switch to the http3 server
Image replacer
Defined on steps
TransformResponse
Replace all response with content-type image/* as they are proxied
IP allowed list
Defined on steps
ValidateAccess
This plugin verifies the current request ip address is in the allowed list
IP block list
Defined on steps
ValidateAccess
This plugin verifies the current request ip address is not in the blocked list
Izanami V2 proxy
Defined on steps
CallBackend
This plugin exposes Izanami routes
JQ
Defined on steps
TransformRequestTransformResponse
This plugin let you transform JSON bodies (in requests and responses) using JQ filters.
JQ transform request
Defined on steps
TransformRequest
This plugin let you transform request JSON body using JQ filters.
JQ transform response
Defined on steps
TransformResponse
This plugin let you transform JSON response using JQ filters.
Websocket JQ transformer
Defined on steps
TransformResponse
Transform messages JSON content using JQ filters
request body json-to-xml
Defined on steps
TransformRequest
This plugin transform incoming request body from json to xml and may apply a jq transformation
response body json-to-xml
Defined on steps
TransformResponse
This plugin transform response body from json to xml and may apply a jq transformation
JWE extractor
Defined on steps
TransformRequest
This plugin validates and extracts the payload of JWE
JWE signer
Defined on steps
TransformRequest
This plugin can only generate token
Jwt signer
Defined on steps
ValidateAccessTransformRequest
This plugin can only generate token
Jwt verifiers
Defined on steps
ValidateAccessTransformRequest
This plugin verifies the current request with one or more jwt verifier
Jwt verification only
Defined on steps
ValidateAccess
This plugin verifies the current request with one jwt verifier
Kubernetes Namespace Scanner
Defined on steps
CallBackend
Triggers Kubernetes CRD controller to scan specified namespaces
Limit headers in too long
Defined on steps
TransformRequest
This plugin limit all headers to backend with a length above a max
Limit headers out too long
Defined on steps
TransformRequest
This plugin limit all headers from backend with a length above a max
Maintenance mode
Defined on steps
PreRoute
This plugin displays a maintenance page
Missing cookies in
Defined on steps
TransformRequest
This plugin adds cookies in the otoroshi request if not present
Missing cookies out
Defined on steps
TransformResponse
This plugin adds cookies in the otoroshi response if not present
Missing headers in
Defined on steps
TransformRequest
This plugin adds headers (if missing) in the incoming otoroshi request
Missing headers out
Defined on steps
TransformResponse
This plugin adds headers (if missing) in the otoroshi response
Mock Responses
Defined on steps
CallBackend
This plugin returns mock responses
Multi Authentication
Defined on steps
ValidateAccess
This plugin applies an authentication module from a list of selected modules
Apikey mandatory metadata
Defined on steps
ValidateAccess
This plugin checks that if an apikey is provided, there is one or more metadata on it
Apikey mandatory tags
Defined on steps
ValidateAccess
This plugin checks that if an apikey is provided, there is one or more tags on it
User logged in expected
Defined on steps
ValidateAccess
This plugin enforce that a user from any auth. module is logged in
User extraction from auth. module
Defined on steps
ValidateAccess
This plugin extracts users from an authentication module without enforcing login
Apikey from Biscuit token extractor
Defined on steps
PreRoute
This plugin extract an from a Biscuit token where the biscuit has an #authority fact 'client_id' containing
apikey client_id and an #authority fact 'client_sign' that is the HMAC256 signature of the apikey client_id with the apikey client_secret
apikey client_id and an #authority fact 'client_sign' that is the HMAC256 signature of the apikey client_id with the apikey client_secret
Biscuit token validator
Defined on steps
ValidateAccess
This plugin validates a Biscuit token
Client certificate as apikey
Defined on steps
PreRoute
This plugin uses client certificate as an apikey. The apikey will be stored for classic apikey usage
Client certificate header
Defined on steps
TransformRequest
This plugin pass client certificate informations to the target in headers
Client credential token endpoint
Defined on steps
CallBackend
This plugin provide the endpoint for the client_credential flow
Client Credential Service
Defined on steps
Sink
This plugin add an an oauth client credentials service (
https://unhandleddomain/.well-known/otoroshi/oauth/token) to create an access_token given a client id and secretCustom quotas
Defined on steps
ValidateAccess
This plugin will enforce quotas on the current route based on whatever you want
Custom throttling
Defined on steps
ValidateAccess
This plugin will enforce throttling on the current route based on whatever you want
Default request body
Defined on steps
TransformRequest
This plugin adds a default request body if none specified
Defer Responses
Defined on steps
TransformRequest
This plugin will expect a
This plugin is some kind of inside joke as one a our customer ask us to make slower apis.
X-Defer header or a defer query param and defer the response according to the value in milliseconds.This plugin is some kind of inside joke as one a our customer ask us to make slower apis.
Global self registration endpoints (service discovery)
Defined on steps
Sink
This plugin add support for self registration endpoint on specific hostnames
Self registration endpoints (service discovery)
Defined on steps
TransformRequest
This plugin add support for self registration endpoint on a specific service
Service discovery target selector (service discovery)
Defined on steps
PreRoute
This plugin select a target in the pool of discovered targets for this service.
Use in combination with either
Or use an implementation of
Use in combination with either
DiscoverySelfRegistrationSink or DiscoverySelfRegistrationTransformer to make it work using the self registration pattern.Or use an implementation of
DiscoveryJob for the third party registration pattern.Error response rewrite
Defined on steps
TransformResponse
This plugin catch http response with specific statuses and rewrite the response
Expected consumer
Defined on steps
ValidateAccess
This plugin expect that a user or an apikey made the call
External request validator
Defined on steps
ValidateAccess
This plugin checks let requests pass based on an external validation service
Generic allowed list
Defined on steps
ValidateAccess
This plugin checks let requests pass based on an el expression
Generic block list
Defined on steps
ValidateAccess
This plugin checks let requests is blocked based on an el expression
Geolocation endpoint
Defined on steps
TransformRequest
This plugin will expose current geolocation informations on the following endpoint
/.well-known/otoroshi/plugins/geolocationGeolocation header
Defined on steps
TransformRequest
This plugin will send informations extracted by the Geolocation details extractor to the target service in a header.
Allowed users only
Defined on steps
ValidateAccess
This plugin only let allowed users pass
Client Certificate + Api Key only
Defined on steps
ValidateAccess
Check if a client certificate is present in the request and that the apikey used matches the client certificate.
You can set the client cert. DN in an apikey metadata named
You can set the client cert. DN in an apikey metadata named
allowed-client-cert-dnClient certificate matching (over http)
Defined on steps
ValidateAccess
Check if client certificate matches the following fetched from an http endpoint
Client certificate matching
Defined on steps
ValidateAccess
Check if client certificate matches the following configuration
Client Certificate Only
Defined on steps
ValidateAccess
Check if a client certificate is present in the request
Html Patcher
Defined on steps
TransformResponse
This plugin can inject elements in html pages (in the body or in the head) returned by the service
HTTP Client Cache
Defined on steps
TransformResponse
This plugin add cache headers to responses
Globally allowed domain names
Defined on steps
ValidateAccess
Globally allowed domain names plugin
Globally denied domain names
Defined on steps
ValidateAccess
Globally denied domain names plugin
Geolocation details extractor (using IpStack api)
Defined on steps
PreRoute
This plugin extract geolocation informations from ip address using the IpStack dbs.
The informations are store in plugins attrs for other plugins to use
The informations are store in plugins attrs for other plugins to use
Izanami V1 Canary Campaign
Defined on steps
TransformRequestTransformResponse
This plugin allow you to perform canary testing based on an izanami experiment campaign (A/B test)
Izanami v1 APIs Proxy
Defined on steps
TransformRequest
This plugin exposes routes to proxy Izanami configuration and features tree APIs
Jwt user extractor
Defined on steps
PreRoute
This plugin extract a user from a JWT token
Legacy apikeys
Defined on steps
MatchRouteValidateAccessTransformRequest
This plugin expects to find an apikey to allow the request to pass. This plugin behaves exactly like the service descriptor does
Legacy Authentication
Defined on steps
ValidateAccess
This plugin applies an authentication module the same way service descriptor does
Log4Shell mitigation plugin
Defined on steps
TransformRequest
This plugin try to detect Log4Shell attacks in request and block them
Geolocation details extractor (using Maxmind db)
Defined on steps
PreRoute
This plugin extract geolocation informations from ip address using the Maxmind dbs.
The informations are store in plugins attrs for other plugins to use
The informations are store in plugins attrs for other plugins to use
Response Cache
Defined on steps
TransformRequestTransformResponse
This plugin can cache responses from target services in the otoroshi datasstore
It also provides a debug UI at
It also provides a debug UI at
/.well-known/otoroshi/bodylogger.Security Txt
Defined on steps
TransformRequest
This plugin exposes a special route
/.well-known/security.txt as defined in RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116.html)Public quotas
Defined on steps
ValidateAccess
This plugin will enforce public quotas on the current route
Traffic Mirroring
Defined on steps
TransformRequestTransformResponse
This plugin will mirror every request to other targets
User-Agent details extractor
Defined on steps
PreRoute
This plugin extract informations from User-Agent header such as browsser version, OS version, etc.
The informations are store in plugins attrs for other plugins to use
The informations are store in plugins attrs for other plugins to use
User-Agent endpoint
Defined on steps
TransformRequest
This plugin will expose current user-agent informations on the following endpoint: /.well-known/otoroshi/plugins/user-agent
User-Agent header
Defined on steps
TransformRequest
This plugin will sent informations extracted by the User-Agent details extractor to the target service in a header
OAuth1 caller
Defined on steps
TransformRequestTransformResponse
This plugin can be used to call api that are authenticated using OAuth1.
Consumer key, secret, and OAuth token et OAuth token secret can be pass through the metadata of an api key
or via the configuration of this plugin.```
Consumer key, secret, and OAuth token et OAuth token secret can be pass through the metadata of an api key
or via the configuration of this plugin.```
OAuth2 caller
Defined on steps
TransformRequest
This plugin can be used to call api that are authenticated using OAuth2 client_credential/password flow.
Do not forget to enable client retry to handle token generation on expire.
Do not forget to enable client retry to handle token generation on expire.
OIDC access_token as apikey
Defined on steps
PreRoute
This plugin will use the third party apikey configuration to generate an apikey
OIDC access_token validator
Defined on steps
ValidateAccess
This plugin will use the third party apikey configuration and apply it while keeping the apikey mecanism of otoroshi.
Use it to combine apikey validation and OIDC access_token validation.
Use it to combine apikey validation and OIDC access_token validation.
OIDC access_token authentication
Defined on steps
ValidateAccess
This plugin will authenticate a user based on it's OIDC access_token
OIDC headers
Defined on steps
TransformRequest
This plugin injects headers containing tokens and profile from current OIDC provider.
OIDC JWT verification
Defined on steps
ValidateAccess
This plugin verifies the current request jwt token against OIDC JWT verification settings living in an OIDC auth. module
OpenFGA validator
Defined on steps
ValidateAccess
Enforces fine-grained authorizations using OpenFGA
Otoroshi AIA endpoint
Defined on steps
CallBackend
This plugin provide an endpoint to return Otoroshi Authority Information Access for your certificates
Otoroshi challenge token
Defined on steps
TransformRequestTransformResponse
This plugin adds a jwt challenge token to the request to a backend and expects a response with a matching token
Otoroshi headers in
Defined on steps
TransformRequest
This plugin adds Otoroshi specific headers to the request
Otoroshi Health endpoint
Defined on steps
CallBackend
This plugin provide an endpoint to return Otoroshi Health informations data for the current node
Otoroshi info. token
Defined on steps
TransformRequest
This plugin adds a jwt token with informations about the caller to the backend
Otoroshi JWKS endpoint
Defined on steps
CallBackend
This plugin provide an endpoint to return Otoroshi JWKS data
Otoroshi Metrics endpoint
Defined on steps
CallBackend
This plugin provide an endpoint to return Otoroshi metrics data for the current node
Otoroshi OCSP Responder endpoint
Defined on steps
CallBackend
This plugin provide an endpoint to act as the Otoroshi OCSP Responder
Override host header
Defined on steps
TransformRequest
This plugin override the current Host header with the Host of the backend target
Override Location header
Defined on steps
TransformResponse
This plugin override the current Location header with the current frontend host if the location start with the Host of the backend target
cdn.polyfill.io detector
Defined on steps
TransformResponse
This plugin detects compromised cdn.polyfill.io script tags in html resource with the cloudflare equivalent and send an alert event. For each occurence of a cdn.polyfill.io script tag, a CdnPolyfillIoDetectedAlert will be sent
cdn.polyfill.io mitigation
Defined on steps
TransformResponse
This plugin replaces compromised cdn.polyfill.io script tags in html resource with the cloudflare equivalent. For each occurence of a cdn.polyfill.io script tag, a CdnPolyfillIoReplacedAlert will be sent
Public/Private paths
Defined on steps
ValidateAccess
This plugin allows or forbid request based on path patterns
Strict mode = restricted access.
Only an API key is accepted.
Strict mode = restricted access.
Only an API key is accepted.
Query param transformer
Defined on steps
TransformRequest
This plugin can modify the query params of the request
RBAC
Defined on steps
ValidateAccess
This plugin check if current user/apikey/jwt token has the right role
React2Shell detector
Defined on steps
TransformRequest
This plugin detects (and block) React2Shell attacks
Read only requests
Defined on steps
ValidateAccess
This plugin verifies the current request only reads data
Redirection
Defined on steps
PreRoute
This plugin redirects the current request elsewhere
Regex request body rewriter
Defined on steps
TransformRequest
Rewrites the HTTP request body using a set of regex rules
Regex request headers rewriter
Defined on steps
TransformRequest
Rewrites the HTTP request headers using a set of regex rules
Regex response body rewriter
Defined on steps
TransformResponse
Rewrites the HTTP response body using a set of regex rules, with optional auto-prefix for relative hrefs.
Regex response headers rewriter
Defined on steps
TransformResponse
Rewrites the HTTP response headers using a set of regex rules
Reject headers in too long
Defined on steps
TransformRequest
This plugin remove all headers to backend with a length above a max
Reject headers out too long
Defined on steps
TransformRequest
This plugin remove all headers from backend with a length above a max
Remove cookies in
Defined on steps
TransformRequest
This plugin remove cookies from the otoroshi request
Remove cookies out
Defined on steps
TransformResponse
This plugin remove cookies from the otoroshi response
Remove headers in
Defined on steps
TransformRequest
This plugin removes headers in the incoming otoroshi request
Remove headers out
Defined on steps
TransformResponse
This plugin removes headers in the otoroshi response
Request bandwidth throttling
Defined on steps
TransformRequest
This plugin will limit request body bandwidth
Request body Echo
Defined on steps
CallBackend
This plugin returns request body content
Request Body length limiter
Defined on steps
TransformRequest
This plugin will limit request body length
Response bandwidth throttling
Defined on steps
TransformResponse
This plugin will limit response body bandwidth
Response Body length limiter
Defined on steps
TransformResponse
This plugin will limit response body length
Robots
Defined on steps
TransformRequestTransformResponse
This plugin provides all the necessary tool to handle search engine robots
Routing Restrictions
Defined on steps
ValidateAccess
This plugin apply routing restriction
method domain/path on the current request/routeS3 Static backend
Defined on steps
CallBackend
This plugin is able to S3 bucket with file content
SOAP action
Defined on steps
CallBackend
This plugin is able to call SOAP actions and expose it as a rest endpoint
Security Headers
Defined on steps
TransformResponse
Inject common HTTP security headers on responses (HSTS, CSP, XFO, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
Send otoroshi headers back
Defined on steps
TransformResponse
This plugin adds response header containing useful informations about the current call
Basic Auth
Defined on steps
ValidateAccess
This plugin can be used to protect a route with basic auth. You can use clear text passwords (not recommended for production usage) or Bcryt hashed password as password values
Snow Monkey Chaos
Defined on steps
TransformRequestTransformResponse
This plugin introduce some chaos into you life
Http static asset
Defined on steps
TransformRequest
Serve any static http asset for the current request
Static backend
Defined on steps
CallBackend
This plugin is able to serve a static folder with file content
Static Response
Defined on steps
CallBackend
This plugin returns static responses
Swagger UI
Defined on steps
CallBackend
Serves a Swagger UI page from a configurable OpenAPI specification URL
Tailscale select target by name
Defined on steps
TransformRequest
This plugin selects a machine instance on Tailscale network based on its name
TCP Tunnel
Defined on steps
HandlesTunnel
This plugin creates TCP tunnels through otoroshi
Time controlled Canary mode
Defined on steps
PreRouteTransformResponse
This plugin can split a portion of the traffic to canary backends between two dates
Time Restriction
Defined on steps
ValidateAccess
This plugin restrict when a route is accessible
UDP Tunnel
Defined on steps
HandlesTunnel
This plugin creates UDP tunnels through otoroshi
User logout endpoint
Defined on steps
CallBackend
This plugin logout the current user
User profile endpoint
Defined on steps
CallBackend
This plugin returns the current user profile
W3C Trace Context
Defined on steps
TransformRequestTransformResponse
This plugin propagates W3C Trace Context spans and can export it to Jaeger or Zipkin
Wasm Access control
Defined on steps
ValidateAccess
Delegate route access to a wasm plugin
Wasm Backend
Defined on steps
CallBackend
This plugin can be used to use a wasm plugin as backend
Open Policy Agent (OPA)
Defined on steps
ValidateAccess
Repo policies as WASM modules
Wasm pre-route
Defined on steps
PreRoute
This plugin can be used to use a wasm plugin as in pre-route phase
Wasm Request Transformer
Defined on steps
TransformRequest
Transform the content of the request with a wasm plugin
Wasm Response Transformer
Defined on steps
TransformResponse
Transform the content of a response with a wasm plugin
Wasm Route Matcher
Defined on steps
MatchRoute
This plugin can be used to use a wasm plugin as route matcher
Wasm Router
Defined on steps
Router
Can decide for routing with a wasm plugin
Wasm Sink
Defined on steps
Sink
Handle unmatched requests with a wasm plugin
Websocket Wasm transformer
Defined on steps
TransformResponse
Transform messages and filter websocket messages
Websocket content validator in
Defined on steps
ValidateAccess
Validate the content of each frame
Websocket json format validator
Defined on steps
ValidateAccess
Validate the json
Websocket mirror backend
Defined on steps
CallBackend
Mirror incoming websocket messages to another target
Websocket size validator
Defined on steps
ValidateAccessTransformResponse
Make sure the frame does not exceed the maximum size set.
Websocket type validator
Defined on steps
ValidateAccess
Validate the type of each frame
Websocket Workflow transformer
Defined on steps
TransformRequestTransformResponse
Transform messages and filter websocket messages
X-Forwarded-* headers
Defined on steps
TransformRequest
This plugin adds all the X-Forwarded-* headers to the request for the backend target
request body xml-to-json
Defined on steps
TransformRequest
This plugin transform incoming request body from xml to json and may apply a jq transformation
response body xml-to-json
Defined on steps
TransformResponse
This plugin transform response body from xml to json and may apply a jq transformation
Zip Bomb backend
Defined on steps
CallBackend
This plugin returns zip bomb responses based on predicates
Zip file backend
Defined on steps
CallBackend
Serves content from a zip file
Yes
Defined on steps
CallBackend
Outputs Ys to the client
Remote tunnel calls
Defined on steps
CallBackend
This plugin can contact remote service using tunnels
Workflow Access control
Defined on steps
ValidateAccess
Delegate route access to a worflow
Workflow Backend
Defined on steps
CallBackend
This plugin uses a workflow as a backend
Workflow Request Transformer
Defined on steps
TransformRequest
Transform the content of the request with a workflow
Workflow Response Transformer
Defined on steps
TransformResponse
Transform the content of a response with a workflow
Workflow Resume Backend
Defined on steps
CallBackend
This plugin can be used to resume a paused workflow
Coraza WAF
Defined on steps
ValidateAccessTransformRequestTransformResponse
Coraza WAF plugin
Coraza WAF - Incoming Request Validator
Defined on steps
ValidateAccess
Coraza WAF - Incoming Request Validator plugin