Bastion XML Summary
Option | Values | Role |
|---|---|---|
bastion | This category contains the interface to listen on and the address being published by Bastion. | |
listeners | You can define as many listeners as you want as long as the ip:port pair are different. For example consider a computer with more than one ip (either by different NIC or multiple ips on the same NIC) say 192.168.1.1 and 192.168.1.2 you can configure two listener on port 80 for those ips and do different things for each one of them. | |
<listener name="" > | A Listener heading (name must be unique) | |
address | IP Address | The IP address to bind the listener to. (default: 0.0.0.0) |
port | Port number | Which port will listen for HTTP traffic |
sslPort | Port number | Which port will listen for TLS traffic |
ssl | SSL configuration | |
allowedCiphers | OpenSSL Cipher suite | The allowed Ciphers based on OpenSSL Ciphersuite (For more information see: How can I remove support for insecure TLS ciphers?) |
minAllowedVersion | tls1.0/tls1.1/tls1.2 | The minimum allowed TLS version |
dhParamsFile | Custom Diffie-Hellman param file | Custom Diffie-Hellman param file(not relevant to Skype for Business) |
certificates | Configuration relating to the certificate | |
caBundleFile | Relative path to CA bundle file | Path to the certificate authority files (in case that you want to use SSL from Bastion to the published server) |
caCertsDirPath | Relative path to CA bundle directory | Path to the certificate authority bundle directory (in case that you want to use SSL from Bastion to the published server) |
ignoreUpstreamCertificatesErrors | true/false | Whether or not published server certificates should be verified |
serverCert | Server certificate which Bastion will present to clients connecting to this listener | |
path | Relative path to the Server certificate/ | Path to the server certificate |
privateKey | Relative path to the Server certificate key | Only relevant if just the server's certificate is in use |
intermediateCaChain | Relative path to the Server intermediate certificate bundle | Only relevant if just the server's certificate is in use |
<password encrypted="false"> | PFX Password | Only relevant when PFX is in use If the private key file is a password protected file you need to supply the password to use it. You may encrypt this password with Bastion. To obtain an encrypted version of the password open the command line in the Bastion folder and type “Bastion encrypt mypassword”, replacing mypassword with your password. The output can then be entered in to the Bastion XML file. If you do this, you need to set the attribute "encrypted" in this tag to "true". Otherwise the attribute should be set to "false". The encryption algorithm is AES, there is no decrypt option. |
clientCert | ignore/ask/require | What to do with client certificates:
|
filters | Define where the Bastion should look for filter plugin files | |
path | Relative path to the filters root folder | The path to the folder that contains the filter plugins. These are *.dll files in Windows and *.so files in Linux. Place the configuration files for each filter in the same folder, named as filtername.xml. As from Bastion version 1.4.1.0 you can make subdirectories in this directory and put more filters in them. This is useful when you want to use the same filter on two different channels, the configuration file and the license file for the filter in the subdirectory can be in this directory or in the parent directory i.e. in this defined path. |
channels | Description of routing between host header request and published host
| |
<Channel name="UNIQUE-CHANNEL-IDENTIFIER" listener="RELATED-LISTENER-NAME"> | (You can have as many as you like.) This tag has one attribute "name" which states the name of this channel; the name is needed for logging. | |
externalHosts | List of the host headers requests that will be routed | |
host | PUBLIC-HOSTNAME | Name of the host that appears in the Host directive in the HTTP header. Wildcards (*) may be used only at the beginning of the hostname. The channel will be selected according to the most complete match. If there is no match the channel with the name * will be selected. That means that you must have one host that is set to accept *.
If a request is sent to help.agat.com according to the above rules Bastion will publish the connection to domain2. If a request is sent to securemail.agat.com according to the above rules Bastion will publish the connection to domain3. If a request is sent to foo.bar.com Bastion will publish the connection to domain1. |
publish | Details to where the request headers will be published to | |
host | INTERNAL-HOST-NAME | The host to publish to. |
port | Port number | The port on the above host to publish to. |
sslport | Port number | The port for a SSL connection. Only required if publishing to an SSL port |
convertTo | keep/SSL/http | Convert data transferred from http to https or vice versa , or retain the protocol used by the request. |
proxy | PROXY-ADDRESS | Proxy to use (optional). |
filters | Which filters to use on this channel. The filters will be applied to the connection in the order they are listed. | |
filter | Relative path to the the filter directory based on filters::path | (Multiple filters may be used together. Any filter available in the path defined in 6.2.1 may be used.) The name of a filter located in the previously defined path, without the file extension (e.g. .dll) .As from Bastion version 1.4.1.0 the filter name can contain a directory name before the filter name for the filters that are in subdirectories of the filters path, e.g. <filter>sub/filter_name</filter>. |
logging | ||
main | Logging settings to a log file | |
enabled | true/false | Enabling logging to file |
severity | info/xtrace/debug | The Logging level - debug is the most verbose |
maxFileSizeMb | Size in MB | The maximum size of a log file, before it's archived |
maxArchiveSizeMb | Size in MB | The maximum size of archive folder |
minFreeSpaceMb | Size in MB | The minimum size of disk space free to enable logging |
consoleLog | Logging settings to console | |
enabled | true/false | Enabling logging to cmd |
severity | info/xtrace/debug | The Logging level - debug is the most verbose |
dumps | Enable traffic dump(please note this will consume a lot of disk space and should be used only for testing) | |
enabled | true/false | Enabling network dumps |
debug | Not relevant | |
enabled | true/false | Not relevant |