ApplicationProfile

Description

API


    POST /api/applicationprofile
    PUT /api/applicationprofile/<key>
    DELETE /api/applicationprofile/<key>
    GET /api/applicationprofile
    GET /api/applicationprofile/<key>

CLI


    configure applicationprofile <key>
    show applicationprofile <key>

Data

ApplicationProfile

uuid

Type
string
Category
required
Description
UUID of the application profile.

name

Type
string
Category
required
Description
The name of the application profile.

type

Type
enum
Category
required
Description
Specifies which application layer proxy is enabled for the virtual service.
Choices
APPLICATION_PROFILE_TYPE_DNS, APPLICATION_PROFILE_TYPE_SYSLOG, APPLICATION_PROFILE_TYPE_HTTP, APPLICATION_PROFILE_TYPE_L4

http_profile

Type
HTTPApplicationProfile
Category
optional
Description
Specifies the HTTP application proxy profile parameters.

dos_rl_profile

Type
DosRateLimitProfile
Category
optional
Description
Specifies various security-related controls for the virtual service.

description

Type
string
Category
optional
Description

tenant_ref

Type
Reference to Tenant
Category
required
Description

HTTPApplicationProfile

connection_multiplexing_enabled

Type
bool
Category
optional
Description
Allows HTTP requests, not just TCP connections, to be load balanced across servers. Proxied TCP connections to servers may be reused by multiple clients to improve performance.
Default
True

xff_enabled

Type
bool
Category
optional
Description
The client's original IP address is inserted into an HTTP request header sent to the server. Servers may use this address for logging or other purposes, rather than Avi's source NAT address used in the Avi to server IP connection.
Default
True

xff_alternate_name

Type
string
Category
optional
Description
Provide a custom name for the X-Forwarded-For header sent to the servers.
Default
X-Forwarded-For

ssl_everywhere_enabled

Type
bool
Category
optional
Description
Enable common settings to increase the level of security for virtual services running HTTP and HTTPS. For sites that are HTTP only, these settings will have no effect.
Default
False

hsts_enabled

Type
bool
Category
optional
Description
Inserts the HTTP Strict-Transport-Security header in the HTTPS response. HSTS can help mitigate man-in-the-middle attacks by telling browsers that support HSTS that they should only access this site via HTTPS.
Default
False

hsts_max_age

Type
uint64
Category
optional
Description
Number of days for which the client should regard this virtual service as a known HSTS host.
Default
365

secure_cookie_enabled

Type
bool
Category
optional
Description
Mark server cookies with the 'Secure' attribute. Client browsers will not send a cookie marked as secure over an unencrypted connection. If Avi is terminating SSL from clients and passing it as HTTP to the server, the server may return cookies without the secure flag set.
Default
False

httponly_enabled

Type
bool
Category
optional
Description
Mark HTTP cookies as HttpOnly. This helps mitigate cross-site scripting attacks, as browsers will not allow these cookies to be read by third parties, such as JavaScript.
Default
False

http_to_https

Type
bool
Category
optional
Description
Client requests received via HTTP will be redirected to HTTPS.
Default
False

server_side_redirect_to_https

Type
bool
Category
optional
Description
When terminating client SSL sessions at Avi, servers may incorrectly send redirect to clients as HTTP. This option will rewrite the server's redirect responses for this virtual service from HTTP to HTTPS.
Default
False

x_forwarded_proto_enabled

Type
bool
Category
optional
Description
Insert an X-Forwarded-Proto header in the request sent to the server. When the client connects via SSL, Avi terminates the SSL, and then forwards the requests to the servers via HTTP, so the servers can determine the original protocol via this header. In this example, the value will be 'https'.
Default
False

compression_profile

Type
CompressionProfile
Category
optional
Description
HTTP Compression settings to use with this HTTP Profile.

spdy_enabled

Type
bool
Category
optional
Description
Enable SPDY proxy for traffic from clients to the virtual service. SPDY requires SSL from the clients to Avi. Avi ADC will proxy the SPDY protocol, and forward requests to servers as HTTP 1.1.
Default
False

spdy_fwd_proxy_mode

Type
bool
Category
optional
Description
Enable forward proxy mode with SPDY. This makes the proxy combine the :host and :uri SPDY headers to create a forward-proxy style request URI.
Default
False

post_accept_timeout

Type
int32
Category
optional
Description
The max allowed length of time between a client establishing a TCP connection until Avi receives the first byte of the client's HTTP request.
Default
30000

client_header_timeout

Type
int32
Category
optional
Description
The max length of time allowed for a client to transmit the entire request headers. This helps to mitigate various forms of SlowLoris attacks.
Default
10000

client_body_timeout

Type
int32
Category
optional
Description
The max allowed length of time to receive a request body from a client. Default of 0 specifies no timeout. This setting generally impacts the length of time allowed for a client to send a POST.
Default
0

keepalive_timeout

Type
int32
Category
optional
Description
The max idle time allowed between HTTP requests over a Keep-alive connection.
Default
30000

client_max_header_size

Type
int32
Category
optional
Description
Maximum size in Kbytes of a single HTTP header in the client request.
Default
12

client_max_request_size

Type
int32
Category
optional
Description
Maximum size in Kbytes of all the client HTTP request headers.
Default
48

client_max_body_size

Type
Unknown
Category
optional
Description
Maximum size for the client request body. This limits the size of the client data that can be uploaded/posted as part of a single HTTP Request. Default 0 => Unlimited.
Default
0

cache_config

Type
HttpCacheConfig
Category
optional
Description
HTTP Caching config to use with this HTTP Profile.

max_rps_unknown_uri

Type
uint32
Category
optional
Description
Maximum unknown URIs per second.
Default
0

max_rps_cip

Type
uint32
Category
optional
Description
Maximum requests per second per client IP.
Default
0

max_rps_uri

Type
uint32
Category
optional
Description
Maximum requests per second per URI.
Default
0

max_rps_cip_uri

Type
uint32
Category
optional
Description
Maximum requests per second per client IP and URI.
Default
0

ssl_client_certificate_action

Type
SSLClientCertificateAction
Category
optional
Description
Set of match/action rules that govern what happens when the client certificate request is enabled

ssl_client_certificate_mode

Type
enum
Category
optional
Description
Specifies whether the client side verification is set to none, request or require.
Default
SSL_CLIENT_CERTIFICATE_NONE
Choices
SSL_CLIENT_CERTIFICATE_REQUEST, SSL_CLIENT_CERTIFICATE_REQUIRE, SSL_CLIENT_CERTIFICATE_NONE

pki_profile_ref

Type
Reference to PKIProfile
Category
optional
Description
Select the PKI profile to be associated with the Virtual Service. This profile defines the Certificate Authority and Revocation List.

websockets_enabled

Type
bool
Category
optional
Description
Enable Websockets proxy for traffic from clients to the virtual service. Connections to this VS start in HTTP mode. If the client requests an Upgrade to Websockets, and the server responds back with success, then the connection is upgraded to WebSockets mode.
Default
True

max_rps_unknown_cip

Type
uint32
Category
optional
Description
Maximum unknown client IPs per second.
Default
0

max_bad_rps_cip

Type
uint32
Category
optional
Description
Maximum bad requests per second per client IP.
Default
0

max_bad_rps_uri

Type
uint32
Category
optional
Description
Maximum bad requests per second per URI.
Default
0

max_bad_rps_cip_uri

Type
uint32
Category
optional
Description
Maximum bad requests per second per client IP and URI.
Default
0

CompressionProfile

compression

Type
bool
Category
required
Description
Compress HTTP response content if it wasn't already compressed.
Default
False

remove_accept_encoding_header

Type
bool
Category
required
Description
Offload compression from the servers to Avi. Saves compute cycles on the servers.
Default
True

compressible_content_ref

Type
Reference to StringGroup
Category
optional
Description
Compress only content types listed in this string group. Content types not present in this list are not compressed.
Default
/api/stringgroup?name=System-Compressible-Content-Types

type

Type
enum
Category
required
Description
Compress content automatically or add custom filters to define compressible content and compression levels.
Default
AUTO_COMPRESSION
Choices
CUSTOM_COMPRESSION, AUTO_COMPRESSION

filter

Type
CompressionFilter
Category
repeated
Description
Custom filters used when auto compression is not selected.

CompressionFilter

name

Type
string
Category
required
Description

index

Type
int32
Category
required
Description

match

Type
enum
Category
optional
Description
Whether to apply Filter when group criteria is matched or not
Default
IS_IN
Choices
IS_NOT_IN, IS_IN

ip_addrs_ref

Type
Reference to IpAddrGroup
Category
optional
Description

ip_addrs

Type
IpAddr
Category
repeated
Description

ip_addr_ranges

Type
IpAddrRange
Category
repeated
Description

ip_addr_prefixes

Type
IpAddrPrefix
Category
repeated
Description

devices_ref

Type
Reference to StringGroup
Category
optional
Description

user_agent

Type
RepeatableString
Category
repeated
Description

level

Type
enum
Category
required
Description
Default
NORMAL_COMPRESSION
Choices
NORMAL_COMPRESSION, AGGRESSIVE_COMPRESSION, NO_COMPRESSION

IpAddr

addr

Type
string
Category
required
Description
IP address

type

Type
enum
Category
required
Description
Choices
V4, DNS

IpAddrRange

begin

Type
IpAddr
Category
required
Description
Starting IP address of the range

end

Type
IpAddr
Category
required
Description
Ending IP address of the range

IpAddrPrefix

ip_addr

Type
IpAddr
Category
required
Description

mask

Type
int32
Category
required
Description

RepeatableString

str

Type
string
Category
required
Description

HttpCacheConfig

enabled

Type
bool
Category
optional
Description
Enable/disable HTTP object caching.
Default
False

xcache_header

Type
bool
Category
optional
Description
Add an X-Cache header to content served from cache, which indicates to the client that the object was served from an intermediate cache.
Default
True

age_header

Type
bool
Category
optional
Description
Add an Age header to content served from cache, which indicates to the client the number of seconds the object has been in the cache.
Default
True

date_header

Type
bool
Category
optional
Description
If a Date header was not added by the server, add a Date header to the object served from cache. This indicates to the client when the object was originally sent by the server to the cache.
Default
True

min_object_size

Type
uint32
Category
optional
Description
Minimum size of an object to store in the cache.
Default
100

max_object_size

Type
uint32
Category
optional
Description
Maximum size of an object to store in the cache.
Default
4194304

default_expire

Type
uint32
Category
optional
Description
Default expiration time of cache objects received from the server without a Cache-Control expiration header. This value may be overwritten by the Heuristic Expire setting.
Default
600

heuristic_expire

Type
bool
Category
optional
Description
If a response object from the server does not include the Cache-Control header, but does include a Last-Modified header, the system will use this time to calculate the Cache-Control expiration. If unable to solicit a Last-Modified header, then the system will fall back to the Cache Expire Time value.
Default
False

max_cache_size

Type
uint64
Category
optional
Description
Max size, in bytes, of the cache. The default, zero, indicates auto configuration.
Default
0

query_cacheable

Type
bool
Category
optional
Description
Allow caching of objects whose URI included a query argument. When disabled, these objects are not cached. When enabled, the request must match the URI query to be considered a hit.
Default
False

mime_types_list

Type
RepeatableString
Category
repeated
Description
Whitelist of cacheable mime types. If both Cacheable Mime Types string list and string group are empty, this defaults to */*

mime_types_group_refs

Type
Reference to StringGroup
Category
repeated
Description
Whitelist string group of cacheable mime types. If both Cacheable Mime Types string list and string group are empty, this defaults to */*

aggressive

Type
bool
Category
optional
Description
Enable/disable caching objects without Cache-Control headers
Default
False

mime_types_black_list

Type
RepeatableString
Category
repeated
Description
Blacklist of non-cacheable mime types

mime_types_black_group_refs

Type
Reference to StringGroup
Category
repeated
Description
Blacklist string group of non-cacheable mime types

SSLClientCertificateAction

headers

Type
SSLClientRequestHeader
Category
repeated
Description

close_connection

Type
bool
Category
optional
Description
Default
False

SSLClientRequestHeader

request_header

Type
string
Category
optional
Description
If this header exists, reset the connection. If the ssl variable is specified, add a header with this value

request_header_value

Type
enum
Category
optional
Description
Set the request header with the value as indicated by this SSL variable, e.g. send the whole certificate in PEM format.
Choices
HTTP_POLICY_VAR_SSL_CLIENT_SERIAL, HTTP_POLICY_VAR_SSL_CLIENT_FINGERPRINT, HTTP_POLICY_VAR_USER_NAME, HTTP_POLICY_VAR_HTTP_HDR, HTTP_POLICY_VAR_VS_PORT, HTTP_POLICY_VAR_SSL_CLIENT_SUBJECT, HTTP_POLICY_VAR_SSL_SERVER_NAME, HTTP_POLICY_VAR_CLIENT_IP, HTTP_POLICY_VAR_VS_IP, HTTP_POLICY_VAR_SSL_CLIENT_RAW, HTTP_POLICY_VAR_SSL_CLIENT_ISSUER, HTTP_POLICY_VAR_SSL_PROTOCOL

DosRateLimitProfile

rl_profile

Type
RateLimiterProfile
Category
optional
Description
Profile for Connections/Requests rate limiting.

dos_profile

Type
DosThresholdProfile
Category
optional
Description
Profile for DoS attack detection.

RateLimiterProfile

client_ip_connections_rate_limit

Type
RateProfile
Category
optional
Description
Rate Limit all connections made from any single client IP address to the Virtual Service.

client_ip_requests_rate_limit

Type
RateProfile
Category
optional
Description
Rate Limit all HTTP requests from any single client IP address to all URLs of the Virtual Service.

uri_requests_rate_limit

Type
RateProfile
Category
optional
Description
Rate Limit all HTTP requests from all client IP addresses to any single URL.

client_ip_to_uri_requests_rate_limit

Type
RateProfile
Category
optional
Description
Rate Limit all HTTP requests from any single client IP address to any single URL.

client_ip_failed_requests_rate_limit

Type
RateProfile
Category
optional
Description
Rate Limit all requests from a client for a specified period of time once the count of failed requests from that client crosses a threshold for that period. Clients are tracked based on their IP address. Count and time period are specified through the RateProfile. Requests are deemed failed based on client or server side error status codes, consistent with how Avi Logs and Metrics subsystems mark failed requests.

uri_failed_requests_rate_limit

Type
RateProfile
Category
optional
Description
Rate Limit all requests to a URI for a specified period of time once the count of failed requests to that URI crosses a threshold for that period. Count and time period are specified through the RateProfile. Requests are deemed failed based on client or server side error status codes, consistent with how Avi Logs and Metrics subsystems mark failed requests.

client_ip_to_uri_failed_requests_rate_limit

Type
RateProfile
Category
optional
Description
Rate Limit all requests from a client to a URI for a specified period of time once the count of failed requests from that client to the URI crosses a threshold for that period. Clients are tracked based on their IP address. Count and time period are specified through the RateProfile. Requests are deemed failed based on client or server side error status codes, consistent with how Avi Logs and Metrics subsystems mark failed requests.

client_ip_scanners_requests_rate_limit

Type
RateProfile
Category
optional
Description
Automatically track clients and classify them into 3 groups - Good, Bad, Unknown. Clients are tracked based on their IP Address. Clients are added to the Good group when the Avi Scan Detection system builds history of requests from them that complete successfully. Clients are added to Unknown group when there is insufficient history about them. Requests from such clients are rate limited to the rate specified in the RateProfile. Finally, Clients with history of failed requests are added to Bad group and their requests are rate limited with stricter thresholds than the Unknown Clients group. The Avi Scan Detection system automatically tunes itself so that the Good, Bad, and Unknown client IPs group membership changes dynamically with the changes in traffic patterns through the ADC.

uri_scanners_requests_rate_limit

Type
RateProfile
Category
optional
Description
Automatically track URIs and classify them into 3 groups - Good, Bad, Unknown. URIs are added to the Good group when the Avi Scan Detection system builds history of requests to URIs that complete successfully. URIs are added to Unknown group when there is insufficient history about them. Requests for such URIs are rate limited to the rate specified in the RateProfile. Finally, URIs with history of failed requests are added to Bad group and requests to them are rate limited with stricter thresholds than the Unknown URIs group. The Avi Scan Detection system automatically tunes itself so that the Good, Bad, and Unknown URIs group membership changes dynamically with the changes in traffic patterns through the ADC.

RateProfile

count

Type
int32
Category
optional
Description
Maximum number of connections or requests or packets
Default
0

burst_sz

Type
int32
Category
optional
Description
Maximum number of connections or requests or packets to be let through instantaneously
Default
0

period

Type
int32
Category
optional
Description
Time value in seconds to enforce rate count
Default
1

explicit_tracking

Type
bool
Category
optional
Description
Explicitly tracks an attacker across rate periods
Default
False

fine_grain

Type
bool
Category
optional
Description
Enable fine granularity
Default
False

action

Type
RateLimiterAction
Category
optional
Description
Action to perform upon rate limiting

RateLimiterAction

type

Type
enum
Category
optional
Description
Type of action to be enforced upon hitting the rate limit.
Default
RL_ACTION_NONE
Choices
RL_ACTION_RESET_CONN, RL_ACTION_LOCAL_RSP, RL_ACTION_DROP_CONN, RL_ACTION_CLOSE_CONN, RL_ACTION_NONE, RL_ACTION_REDIRECT

redirect

Type
HTTPRedirectAction
Category
optional
Description
Parameters for HTTP Redirect rate limit action.

status_code

Type
enum
Category
optional
Description
HTTP status code for Local Response rate limit action.
Default
HTTP_LOCAL_RESPONSE_STATUS_CODE_429
Choices
HTTP_LOCAL_RESPONSE_STATUS_CODE_403, HTTP_LOCAL_RESPONSE_STATUS_CODE_429, HTTP_LOCAL_RESPONSE_STATUS_CODE_200, HTTP_LOCAL_RESPONSE_STATUS_CODE_404

file

Type
HTTPLocalFile
Category
optional
Description
File to be used for HTTP Local response rate limit action.

HTTPRedirectAction

protocol

Type
enum
Category
required
Description
Protocol type
Choices
HTTP, HTTPS

host

Type
URIParam
Category
optional
Description
Host config

port

Type
Port
Category
optional
Description
Port to which to redirect the request

path

Type
URIParam
Category
optional
Description
Path config

keep_query

Type
bool
Category
optional
Description
Keep or drop the query of the incoming request URI in the redirected URI
Default
True

status_code

Type
enum
Category
optional
Description
HTTP redirect status code
Default
HTTP_REDIRECT_STATUS_CODE_302
Choices
HTTP_REDIRECT_STATUS_CODE_302, HTTP_REDIRECT_STATUS_CODE_301, HTTP_REDIRECT_STATUS_CODE_307

URIParam

type

Type
enum
Category
required
Description
URI param type
Choices
URI_PARAM_TYPE_TOKENIZED

tokens

Type
URIParamToken
Category
repeated
Description
Token config either for the URI components or a constant string

URIParamToken

type

Type
enum
Category
required
Description
Token type for constructing the URI
Choices
URI_TOKEN_TYPE_PATH, URI_TOKEN_TYPE_REGEX, URI_TOKEN_TYPE_STRING, URI_TOKEN_TYPE_STRING_GROUP, URI_TOKEN_TYPE_HOST

start_index

Type
uint32
Category
optional
Description
Index of the starting token in the incoming URI

end_index

Type
uint32
Category
optional
Description
Index of the ending token in the incoming URI

str_value

Type
string
Category
optional
Description
Constant string to use as a token

Port

port

Type
uint32
Category
required
Description
TCP/UDP port number.

HTTPLocalFile

content_type

Type
string
Category
required
Description
Mime-type of the content in the file.

file_content

Type
string
Category
required
Description
File content to be used in the local HTTP response body.

DosThresholdProfile

thresh_period

Type
int32
Category
required
Description
Timer value in seconds to collect DoS attack metrics based on threshold on the Service Engine for this Virtual Service.
Default
5

thresh_info

Type
DosThreshold
Category
repeated
Description
Attack type, min and max values for DoS attack detection.

DosThreshold

attack

Type
enum
Category
required
Description
Attack type.
Choices
DOS_REQ_IP_URI_RL_DROP_BAD, DOS_REQ_CIP_SCAN_BAD_RL_DROP, MALFORMED_FLOOD, POLICY_DROPS, IP_FRAG_INCOMPLETE, DOS_CONN_IP_RL_DROP, FAKE_SESSION, DOS_HTTP_ABORT, SMURF, IP_FRAG_TOOSMALL, ICMP_PING_FLOOD, DOS_REQ_CIP_SCAN_UNKNOWN_RL_DROP, DOS_REQ_IP_URI_RL_DROP, LAND, UNKOWN_PROTOCOL, DOS_REQ_IP_RL_DROP_BAD, TCP_NON_SYN_FLOOD, ZERO_WINDOW_STRESS, IP_FRAG_FULL, DOS_REQ_RL_DROP, SMALL_WINDOW_STRESS, BAD_RST_FLOOD, DOS_APP_ERROR, DOS_SSL_ERROR, IP_FRAG_OVERRUN, PORT_SCAN, DOS_REQ_IP_RL_DROP, DOS_REQ_URI_RL_DROP_BAD, TCP_NON_SYN_FLOOD_OLD, DOS_REQ_URI_SCAN_BAD_RL_DROP, DOS_SLOW_URL, DOS_REQ_URI_RL_DROP, SYN_FLOOD, DOS_HTTP_ERROR, TEARDROP, DOS_REQ_URI_SCAN_UNKNOWN_RL_DROP, DOS_HTTP_TIMEOUT, DOS_CONN_RL_DROP

min_value

Type
int32
Category
required
Description
Minimum number of packets or connections or requests in a given interval of time to be deemed as attack.

max_value

Type
int32
Category
required
Description
Maximum number of packets or connections or requests in a given interval of time to be deemed as attack.
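
Added example (not part of the original reference or the vendor's code): a Python audit that overlays an ApplicationProfile object on the HTTPApplicationProfile defaults listed above and reports security-relevant fields left at weak values. The JSON nesting (assumed to mirror the field names on this page), the baseline policy, and the sample object are assumptions constructed for illustration.

```python
# Added example: audit an ApplicationProfile object against a constructed baseline.
# Assumption: the object mirrors the field names and nesting documented on this page.

# Defaults copied from the HTTPApplicationProfile fields on this page.
HTTP_DEFAULTS = {
    "hsts_enabled": False,
    "secure_cookie_enabled": False,
    "httponly_enabled": False,
    "http_to_https": False,
    "client_body_timeout": 0,
    "client_max_body_size": 0,
    "ssl_client_certificate_mode": "SSL_CLIENT_CERTIFICATE_NONE",
}

# Hypothetical baseline policy: these booleans must be enabled.
REQUIRED_TRUE = ("hsts_enabled", "secure_cookie_enabled",
                 "httponly_enabled", "http_to_https")
# Documented on this page as "0 specifies no timeout" / "0 => Unlimited".
MUST_BE_NONZERO = ("client_body_timeout", "client_max_body_size")


def effective_http_profile(profile):
    """Overlay the configured http_profile on the documented defaults."""
    merged = dict(HTTP_DEFAULTS)
    merged.update(profile.get("http_profile") or {})
    return merged


def audit_rate_limits(profile):
    """Flag RateProfile entries with a count but the default action type.

    Assumption: RL_ACTION_NONE means no enforcement action is taken.
    """
    findings = []
    rl = (profile.get("dos_rl_profile") or {}).get("rl_profile") or {}
    for name, rate in sorted(rl.items()):
        action = (rate.get("action") or {}).get("type", "RL_ACTION_NONE")
        if rate.get("count", 0) > 0 and action == "RL_ACTION_NONE":
            findings.append(f"{name}: count set but action is RL_ACTION_NONE")
    return findings


def audit_application_profile(profile):
    """Return a list of findings; empty for non-HTTP profile types."""
    if profile.get("type") != "APPLICATION_PROFILE_TYPE_HTTP":
        return []
    http = effective_http_profile(profile)
    findings = [f"{f}: disabled" for f in REQUIRED_TRUE if not http[f]]
    findings += [f"{f}: 0 (unbounded)" for f in MUST_BE_NONZERO if http[f] == 0]
    mode = http["ssl_client_certificate_mode"]
    if mode != "SSL_CLIENT_CERTIFICATE_NONE" and not http.get("pki_profile_ref"):
        findings.append("ssl_client_certificate_mode set without pki_profile_ref")
    return findings + audit_rate_limits(profile)


# Constructed sample object (not taken from a real controller).
SAMPLE = {
    "name": "example-http-profile",
    "type": "APPLICATION_PROFILE_TYPE_HTTP",
    "http_profile": {
        "hsts_enabled": True,
        "http_to_https": True,
        "client_body_timeout": 30000,
        "ssl_client_certificate_mode": "SSL_CLIENT_CERTIFICATE_REQUIRE",
    },
    "dos_rl_profile": {"rl_profile": {
        "client_ip_requests_rate_limit": {"count": 100, "period": 1},
        "uri_requests_rate_limit": {"count": 500, "period": 1,
                                    "action": {"type": "RL_ACTION_LOCAL_RSP"}},
    }},
}

if __name__ == "__main__":
    for finding in audit_application_profile(SAMPLE):
        print(finding)
```

Fields omitted from the object are evaluated at their documented defaults, so a minimal HTTP profile reports every baseline item.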

References

IpAddrGroup StringGroup PKIProfile Tenant

Sub Objects

ApplicationProfileInternal

API


    GET /api/applicationprofile/<key>/runtime/internal/<key>

CLI


    show applicationprofile <key> internal

Data

ApplicationProfileInternal

se_uuid

Type
string
Category
optional
Description

proc_id

Type
string
Category
optional
Description

application_profile_config

Type
ApplicationProfile
Category
required
Description

app_cfg_ref_l4

Type
int32
Category
required
Description

app_rtm_l4

Type
ApplicationProfileInternalRtmL4
Category
repeated
Description

ApplicationProfileInternalRtmL4

app_rtm_uuid_l4

Type
string
Category
required
Description

app_rtm_name_l4

Type
string
Category
required
Description

app_rtm_type_l4

Type
enum
Category
required
Description
Choices
APPLICATION_PROFILE_TYPE_DNS, APPLICATION_PROFILE_TYPE_SYSLOG, APPLICATION_PROFILE_TYPE_HTTP, APPLICATION_PROFILE_TYPE_L4

app_rtm_vserver_uuid_l4

Type
string
Category
required
Description

app_rtm_vserver_name_l4

Type
string
Category
required
Description

app_rtm_ref_l4

Type
int32
Category
required
Description