Common Configuration Options

Timeout

Following configuration options are supported:

  • read: Duration (optional)

    The amount of time allowed to read the full request including body. Defaults to 5 seconds.

  • write: Duration (optional)

    The maximum duration before timing out writes of the response. Defaults to 10 seconds.

  • idle: Duration (optional)

    The maximum amount of time to wait for the next request when keep-alive is enabled. If ìdle is 0, the value of read timeout is used. Defaults to 2 minutes.

Example 1. Setting the read timeout to 1 second, write timeout to 2 seconds and the idle timeout to 1 minute.
read: 1s
write: 2s
idle: 1m

Duration

Duration is actually a string type, which adheres to the following pattern: ^[0-9]+(ns|us|ms|s|m|h)$

So with 10s you can define the duration of 10 seconds and with 2h you can say 2 hours.

CORS

CORS (Cross-Origin Resource Sharing) headers can be added and configured by making use of this option. This functionality allows for advanced security features to quickly be set. If CORS headers are set, then the Heimdall does not pass preflight requests to its decision pipeline, instead the response will be generated and sent back to the client directly. Following configuration options are supported:

  • allowed_origins: string array (optional)

    List of origins that may access the resource. Defaults to all, if not set, but any of the other CORS options are configured.

  • allowed_methods: string array (optional)

    List of methods allowed when accessing the resource. This is used in response to a preflight request. Defaults to GET, POST, HEAD, PUT, DELETE and PATCH if not set, but any of the other CORS options are configured.

  • allowed_headers: string array (optional)

    List of request headers that can be used when making the actual request.

  • exposed_headers: string array (optional)

    "Allow-List" of headers that clients are allowed to access.

  • allow_credentials: boolean (optional)

    Indicates whether the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether the actual request can be made using credentials. Defaults to false if not set, but any of the other CORS options are configured.

  • max_age: Duration (optional)

    Indicates how long the results of a preflight request can be cached. Defaults to 0 seconds if not set, but any of the other CORS options are configured.

Example 2. Possible configuration
allowed_origins:
  - example.org
allowed_methods:
  - HEAD
  - PATCH
allow_credentials: true
max_age: 10s

TLS

Following are the supported TLS configuration options:

  • key: string (mandatory)

    Path to the private key in PEM format. PKCS#1, as well as PKCS#8 formats are supported.

  • cert: string (mandatory)

    Path to the certificate in PEM format. The certificate file may contain intermediate certificates following the leaf certificate to form a certificate chain

  • min_version: string (optional)

    The minimal TLS version to support. Can be either TLS1.2 or TLS1.3. Defaults to TLS1.3.

  • cipher_suites: string array (optional)

    Can be configured if min_version is set to TLS1.2. If min_version is set to TLS1.3 the configured values are ignored. Only the following PFS cipher suites are supported:

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

    Defaults to the last six cipher suites if min_version is set to TLS1.2 and cipher_suites is not configured.

Last updated on Nov 7, 2022

Management
Logging