Version: 8.2411.x.x RR

Low-level properties

These parameters are defined in, or can be overridden in, the bc.properties configuration file. This file is usually located under /var/opt/nevisproxy/<instance name>/conf/bc.properties. Under normal operating circumstances, there should be no need to alter the default values.

BC properties

ch.nevis.bc.net.AllowPostWithoutContentLength

Type: Boolean
Default: false

The HTTP 1.1 standard requires POST and PUT methods to have a valid Content-Length. If this property is set to 'true', POST and PUT requests without a Content-Length will not cause an exception.

ch.nevis.bc.net.MaxHeaders

Type: Integer
Default: 100

Limits the maximum number of response headers. Any connector servlet or filter is affected that receives a response, for example, the HttpConnectorServlet, BackendConnectorServlet, ICAPFilter and so on.

org.jdom.EntityExpansionLimit

Type: Integer
Default: 1000

Limits the number of entity expansions in an XML document.

bc.net.ssl.SSLCryptoDevice

Type: String

This property enables the use of a cryptographic hardware accelerator board to offload some of the SSL processing overhead. See Gemalto GemEngine support for the HttpsConnectorServlet for an example use case with the Gemalto engine.

bc.security.PassPhrasePolicy

Type: String
Default: pipe,env,prompt

Controls the password access. The following options are available:

  • pipe: Executes the command set in the property bc.security.PassPhraseDialog
  • env: The package uses a prefetching mechanism and passes the passphrases via "env"
  • prompt: The passphrases are read from the controlling terminal (if possible). See also chapter Password handling for private keys.

bc.security.PassPhraseDialog

Type: String
Default: pipe://@PKG_HOME@/bin/keystorepwget

This property is relevant if the property bc.security.PassPhrasePolicy is set to pipe. In this case, the property bc.security.PassPhraseDialog must have the following format:

pipe://<executable> [<args>]

The <executable> is called with the given <args> followed by the name of the file for which the password should be returned. The <executable> has to write the password to stdout.

bc.security.pinenv

Type: String

This property is relevant if the property bc.security.PassPhrasePolicy is set to env. In this case, the property bc.security.pinenv must have one of the following values:

  • keep: Keeps the password as is in the defined environment variable.
  • obfuscate: Keeps an obfuscated value on the environment variable.

If not set, the environment variable will be removed once the password has been read. This may lead to errors if a password needs to be read more than once.

bc.net.ssl.EnableLegacyHostnameCheck

Type: Boolean
Default: false

Allows switching back to the previous peer hostname check mechanism, which does not require configuring the CA of the peer's node certificate.

bc.lang.system.MaxAllocSize

Type: Integer
Unit: bytes
Default: 16777215

This property sets the maximum size of a single allocation. Increase it with care: an attacker may try to allocate several times the defined size, which could cause a memory overflow on your server.

ch.nevis.bc.sql.mysql.MaxLoopsToGetAConnection

Type: Integer
Default: unlimited

With this property you can limit the number of retries to get an available MysqlConnection.

ch.nevis.bc.sql.mysql.ConnectTimeout

Type: Integer
Unit: seconds
Default: 10

This property defines the default connection timeout in seconds for a MySQL connection. If you do not set this property, the connection may "hang" for several minutes before a timeout occurs. This is because the default built-in timeout of the MariaDB database can be up to 20 minutes, depending on the configuration of your MariaDB installation.

ch.nevis.bc.sql.mysql.RetriesOnLockWaitTimeOut

Type: Integer
Default: 0

nevisProxy can try to re-execute the failed command if the configured MariaDB session store returns one of the following errors:

  • Lock wait timeout exceeded; try restarting transaction (error code 1205)
  • Deadlock found when trying to get lock; try restarting transaction (error code 1213)

This property configures the number of retries allowed in such a case.

ch.nevis.bc.net.multipart.formdata.rfccompliant

Type: Boolean
Default: true

Allows multipart requests to have preamble and epilogue parts, as described in RFC1341.

SecToken properties

ch.nevis.session.sectoken.data.charset

Type: String
Default: ISO-8859-1

This property sets the charset you expect for the SecToken received by nevisAuth. Set the property's value to "UTF-8" if nevisAuth sends UTF-8-encoded SecTokens.

ch.nevis.session.sectoken.SecTokenVerifier.checkCertificateValidity

Type: Boolean
Default: true

Controls whether the validity (expiration date) of the CA certificate that signed the given SecToken is verified. Setting the property to 'false' disables this check. For security reasons, never set this property to 'false' in a productive setup.

ch.nevis.session.sectoken.Signer.checkCertificateValidity

Type: Boolean
Default: true

Controls whether the validity (expiration date) of the SecToken signer certificate is verified. Setting the property to 'false' disables this check. For security reasons, never set this property to 'false' in a productive setup.

ch.nevis.session.sectoken.algorithm.blacklist

Type: String
Default: MD2withRSA, MD5withRSA

Defines a blacklist of algorithms that are not accepted for SecToken signing. Available algorithms: SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, MD2withRSA, MD5withRSA, SHA1withDSA

user.locale

Type: String
Default: en_US.utf8

Extended character set handling. Use 'locale -a' to see the installed language support. UTF-8 is recommended, but LATIN1 may be required for 1-byte extended ASCII support.

Carrier server properties

org.apache.response.UseBufferdWrite

Type: Boolean
Default: false

If set to 'true', the response is buffered by Apache up to ~8 KB. If set to 'false', Apache will not buffer the response.

org.apache.runtime.UseApachePoolMemory

Type: Boolean
Default: false

If set to "true", this bc property will improve the performance of nevisProxy when allocating memory. A performance increase of up to 10% is possible, depending on the filter chain. The bigger the chain, the higher the performance improvement.

org.apache.modules.ssl.disable.SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

Type: Boolean
Default: not configured

If configured, the respective openssl option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG will be disabled.

org.apache.hooks.TranslateName.disable

Type: Boolean
Default: not configured

If set to 'false', the Apache default for the hook ap_hook_translate_name(..) will be invoked. If not configured, or set to any other value, the Apache default for the hook will not be invoked, for performance reasons.

org.apache.hooks.MapToStorage.disable

Type: Boolean
Default: not configured

The same behavior as described above, applied to the MapToStorage hook.

org.apache.request.UseProxyReq

Type: Boolean
Default: false

If set to 'false', Apache adds its own HTTP "Server" header with the value "Apache" to each response, regardless of whether the header has already been set by the backend. See also the attribute SetServerHeader of the HttpConnectorServlet.

ch.nevis.navajo.boot.ShowErrorsOnBoot

Type: Boolean
Default: false

Set this property to 'true' if navajo does not start and no reason is printed or logged.

ch.nevis.navajo.boot.PreventStartOnInvalidConfig

Type: Boolean
Default: false

This property defines the behavior of nevisProxy in case of an invalid configuration, such as an invalid web.xml file or a missing .cert file. If you set the property to "true", nevisProxy will not start the instance at all. If you set the property to "false", nevisProxy will start the instance, but returns the HTTP status code "500".

ch.nevis.navajo.boot.PreloadLibraries

Type: String
Default: not configured

Configures a list of shared object files that will be loaded first.

ch.nevis.navajo.tracing.ReconfigurationPeriod

Type: Integer
Default: not configured

This property enables the detection of changes in the trace configuration. It defines the period at which the configuration is checked for changes.

ch.nevis.navajo.AlwaysNoticeOnClientClose

Type: Boolean
Default: false

When a backend takes some time to respond, the frontend may close the connection. Due to a bug in Apache, this close is not recognised by the proxy. By setting this property to 'true', the proxy checks regularly whether the connection is still open when sending back the response. If the connection was closed, a NOTICE with a GW02 event is traced. There may still be situations in which the connection was closed right after the response was sent back, which may lead to a false positive. Furthermore, setting this property to 'true' may have a minimal performance impact.

ch.nevis.navajo.TraceClIdAlwaysIfSessionIsThere

Type: Boolean
Default: false

Normally, no ClId is logged if no filter or servlet requested a session. This property turns on ClId logging even if no filter or servlet needed a session at all. This also implies a session cache access.

ch.nevis.ErrorOnDeprecated

Type: Boolean
Default: false

This property defines the behavior of nevisProxy in case a filter or servlet configuration contains a deprecated parameter.

  • If you set the property to "true", nevisProxy will not load the related filter or servlet and block all requests using this filter. Additionally, nevisProxy will log the error message CONF-0001.
  • If you set the property to "false", nevisProxy will only log a notice message. The related filter or servlet will be loaded and work as usual.

ch.nevis.navajo.AllowUnknownParameters

Type: Boolean
Default: false

If you set this property to "true", the system will silently accept unknown filter or servlet parameters. If the property is set to "false" or not set at all, the system will trace error NVUT-0010 in case of an unknown parameter.

ch.nevis.navajo.AllowMultipleMapping

Type: Boolean
Default: false

Checks for multiple mappings of the same filter. If you set this property to "false", the system traces an ERROR if a filter is added multiple times to the filter chain of a request. If set to "true", the system only traces an INFO message.

ch.nevis.navajo.response.BufferBlocks

Type: Integer
Default: 512

Determines the number of blocks used for response buffering. Each block buffers 8192 bytes.

ch.nevis.navajo.request.BufferSize

Type: Integer
Default: 65536

Defines the number of bytes for request body buffering. May be needed for TLS renegotiation and body parsing.

ch.nevis.navajo.request.MemBufferSize

Type: Integer
Default: 102400

Maximum size of a request body that will be buffered into memory. If the request body exceeds that value, a file will be used for buffering.

ch.nevis.navajo.error-page.CheckAcceptHeader

Type: Boolean
Default: true

If this property is set to "true", nevisProxy checks the Accept HTTP header against the mime type for the configured error page.

ch.nevis.navajo.loading.servlet.LibPath

Type: String
Default: not configured

Normally, all servlets and filters will be loaded from the directory WEB-INF/lib. With this property an alternative directory can be configured.

ch.nevis.navajo.request.ThrowExceptionOnInvalidHeader

Type: Boolean
Default: false

If this property is set to "true", nevisProxy returns a Bad Request (status code 400) to the client if a header is not RFC 2616 compliant. If this property is set to "false", or not set at all, nevisProxy just cuts off the invalid header. In both cases, nevisProxy logs an ERROR message with one of the following error codes: [NVRQ-0001], [NVRQ-0002], [NVRQ-0003]

ch.nevis.navajo.ListenerWaitTimeout

Type: Integer
Unit: msec
Default: 30000

Timeout to wait for exiting the listeners, before shutting down an instance.

ch.nevis.navajo.response.Location.rfc2616compliant

Type: Boolean
Default: false

If set to 'true', all absolute redirects are prefixed either with the name set in the incoming 'Host' header, or with the configured server name in navajo.xml. The value that is taken depends on the configured 'UseCanonicalName' in navajo.xml:

  • UseCanonicalName==On (default) -> the configured server name is taken
  • UseCanonicalName==Off -> the host header is taken. For example: /redirect -> http://mys.host/redirect

Setting this property to 'true' together with the server parameter 'UseCanonicalName=Off' is considered insecure. Hint: Make sure that you configure a HeaderValidationFilter with a whitelist of allowed Host header values.

ch.nevis.navajo.hsm.engine.hook

Type: Boolean
Default: false

If set to 'true', disables nevisProxy's internal OpenSSL at-exit cleanup. Use this parameter when GemEngine's own OpenSSL at-exit cleanup causes core dumps.

Isiweb4 properties

ch.nevis.isiweb4.listener.SessionListener.MaxPendingWorkerJobs

Type: Integer
Default: 10000

Defines the maximal number of jobs that will be queued when reaping. Once this limit is reached, the listeners will not be called for the related sessions.

ch.nevis.isiweb4.listener.SessionListener.NumWorkerThreads

Type: Integer
Default: 10

Defines the number of threads which will be used to call the listeners when a session is invalidated. If set to '0' the reaping is done sequentially which may have a performance impact if many sessions expire at the same time.

ch.nevis.nevisproxy.UseSecureDefaults

Type: Boolean
Default: false

This property allows you to activate the recommended secure filter and servlet values as defaults. This is a global configuration option for the entire nevisProxy installation. See the chapter Secure defaults for more information.

ch.nevis.isiweb4.filter.lua.CheckMemory

Type: Boolean
Default: false

If set to 'true', the memory used by the LuaFilter is analyzed and an exception is thrown on memory errors. Do not use in production!
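As an added illustration (not nevisProxy's own code), the following Python audit reads a constructed bc.properties fragment and flags the settings this page marks as insecure or not for production (the SecToken certificate validity checks, the signing-algorithm blacklist, LuaFilter CheckMemory, and Location.rfc2616compliant), and parses the pipe:// form of bc.security.PassPhraseDialog. The sample values and the `example-arg` argument are constructed for the example.

```python
import shlex

# Constructed sample bc.properties content (not from a real instance).
SAMPLE = """\
# bc.properties (constructed sample)
ch.nevis.session.sectoken.SecTokenVerifier.checkCertificateValidity=false
ch.nevis.session.sectoken.algorithm.blacklist=MD2withRSA
bc.security.PassPhrasePolicy=pipe,env,prompt
bc.security.PassPhraseDialog=pipe://@PKG_HOME@/bin/keystorepwget example-arg
ch.nevis.isiweb4.filter.lua.CheckMemory=true
ch.nevis.navajo.response.Location.rfc2616compliant=true
"""

def parse_properties(text):
    """Minimal Java-style .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def parse_passphrase_dialog(value):
    """Split the 'pipe://<executable> [<args>]' form into (executable, args)."""
    if not value.startswith("pipe://"):
        raise ValueError("bc.security.PassPhraseDialog must use the pipe:// form")
    parts = shlex.split(value[len("pipe://"):])
    return parts[0], parts[1:]

def audit(props):
    """Return a list of findings for the settings this page warns about."""
    findings = []
    for key in ("ch.nevis.session.sectoken.SecTokenVerifier.checkCertificateValidity",
                "ch.nevis.session.sectoken.Signer.checkCertificateValidity"):
        if props.get(key, "true").lower() == "false":
            findings.append(key + "=false: expiry of the SecToken CA/signer is not checked")
    raw = props.get("ch.nevis.session.sectoken.algorithm.blacklist", "MD2withRSA, MD5withRSA")
    blacklist = {alg.strip() for alg in raw.split(",")}
    for weak in ("MD2withRSA", "MD5withRSA"):
        if weak not in blacklist:
            findings.append(weak + " is missing from the sectoken algorithm blacklist")
    if props.get("ch.nevis.isiweb4.filter.lua.CheckMemory", "false").lower() == "true":
        findings.append("lua.CheckMemory=true must not be used in production")
    if props.get("ch.nevis.navajo.response.Location.rfc2616compliant", "false").lower() == "true":
        findings.append("Location.rfc2616compliant=true: whitelist Host values in a HeaderValidationFilter")
    return findings
```

Unset keys are evaluated at the defaults given on this page, so a file that leaves everything at its default produces no findings.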