conf/vservers
The conf/vservers directory contains configuration files that define virtual servers. The name of a file is the name of the virtual server it defines. Virtual servers can be configured under the Services > Virtual Servers section of the Admin Server UI or by using functions under the VirtualServer section of the SOAP API and CLI.
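Several keys in the table below are only risky in combination, for example request_client_cert with an empty client_cas. The audit script that follows is an added example, not part of the product documentation. It assumes each file in conf/vservers holds one whitespace-separated `key value` pair per line; the file contents, certificate names and URL in SAMPLE are constructed.

```python
# Added example: audit one conf/vservers file for risky key combinations.
# ASSUMPTION: the file holds one "key<whitespace>value" pair per line.

# Defaults for the keys the audit reads, copied from the table on this page.
DEFAULTS = {
    "ssl_decrypt": "No",
    "request_client_cert": "0",
    "client_cas": "",
    "issued_certs_never_expire": "",
    "issued_certs_never_expire_depth": "1",
    "cookie!secure": "0",
    "sip_dangerous_requests": "node",
    "auth!type": "none",
    "auth!saml!sp_acs_url": "",
    "auth!session!cookie_attributes": "HttpOnly; SameSite=Strict",
    "auth!session!log_external_state": "No",
    "ssl_honor_fallback_scsv": "use_default",
}

# Keys the page marks 'Requires: ssl_decrypt is set to "Yes"'.
NEEDS_SSL_DECRYPT = ("alt_certificates", "client_cas",
                     "issued_certs_never_expire", "private_key", "public_cert")


def parse_vserver(text):
    """Return (explicit, effective): keys set in the file, and those merged over DEFAULTS."""
    explicit = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        explicit[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return explicit, {**DEFAULTS, **explicit}


def is_yes(value):
    return value.strip().lower() == "yes"


def audit(text):
    """Return a list of (key, finding) tuples for one virtual server file."""
    explicit, conf = parse_vserver(text)
    findings = []

    # A key that needs SSL decryption but is set without it suggests a
    # control the operator believes is active and is not.
    if not is_yes(conf["ssl_decrypt"]):
        for key in NEEDS_SSL_DECRYPT:
            if explicit.get(key):
                findings.append((key, 'set, but requires ssl_decrypt "Yes"'))

    # Per the client_cas description: requested certificates with no CA
    # selected means every client certificate is accepted.
    if conf["request_client_cert"] in ("1", "2") and not conf["client_cas"]:
        findings.append(("client_cas",
                         "client certificates requested with no CA selected: "
                         "all client certificates are accepted"))

    if conf["issued_certs_never_expire"]:
        findings.append(("issued_certs_never_expire",
                         "'not after' date unchecked for certificates under: %s "
                         "(depth %s)" % (conf["issued_certs_never_expire"],
                                         conf["issued_certs_never_expire_depth"])))

    if conf["cookie!secure"] == "2":
        findings.append(("cookie!secure",
                         "unsets the 'secure' tag on back-end cookies"))

    if conf["sip_dangerous_requests"] == "forward":
        findings.append(("sip_dangerous_requests",
                         "SIP requests with body data are forwarded to external URIs"))

    if conf["auth!type"] == "saml_sp":
        if not conf["auth!saml!sp_acs_url"].lower().startswith("https://"):
            findings.append(("auth!saml!sp_acs_url",
                             "Assertion Consumer Service should be an HTTPS URL"))
        if "httponly" not in conf["auth!session!cookie_attributes"].lower():
            findings.append(("auth!session!cookie_attributes",
                             "authentication session cookie lacks HttpOnly"))

    if is_yes(conf["auth!session!log_external_state"]):
        findings.append(("auth!session!log_external_state",
                         "client-held session state is logged in plaintext"))

    if conf["ssl_honor_fallback_scsv"] == "disabled":
        findings.append(("ssl_honor_fallback_scsv",
                         "Fallback SCSV from TLS clients is not honored"))
    return findings


# Constructed sample file contents, not taken from a real deployment.
SAMPLE = """\
address *
port 443
protocol https
pool web-pool
ssl_decrypt Yes
public_cert example-cert
request_client_cert 2
issued_certs_never_expire legacy-ca.pem
cookie!secure 2
auth!type saml_sp
auth!saml!sp_acs_url http://app.example.com/saml/consume
"""

if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print("%-32s %s" % (key, message))
```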
Key |
Description |
add_cluster_ip |
Whether or not the virtual server should add an "X-Cluster-Client-Ip" header to the request that contains the remote client's IP address. Value type: Yes / No Default value: "Yes" |
add_x_forwarded_for |
Whether or not the virtual server should append the remote client's IP address to the X-Forwarded-For header. If the header does not exist, it will be added. Value type: Yes / No Default value: "No" |
add_x_forwarded_proto |
Whether or not the virtual server should add an "X-Forwarded-Proto" header to the request that contains the original protocol used by the client to connect to the traffic manager. Value type: Yes / No Default value: "No" |
address |
The addresses on which to listen for incoming connections. Value type: list Default value: "*" |
alt_certificates |
The SSL certificates and corresponding private keys. Requires: ssl_decrypt is set to "Yes" Value type: list Default value: <none> |
aptimizer!enabled |
Whether the virtual server should optimize web content. Value type: Yes / No Default value: "No" |
aptimizer!profile!*!urls |
The application scopes for which to apply a particular acceleration profile. Value type: list Default value: <none> |
auth!saml!idp |
Name of the Trusted Identity Provider configuration to use. To create Identity Providers, see the Trusted Identity Providers section. Value type: string Default value: <none> |
auth!saml!nameid_format |
The NameID format to request and expect from the identity provider. Value type: enumeration Default value: "none" Permitted values: none: none unspecified: unspecified emailAddress: emailAddress |
auth!saml!sp_acs_url |
The 'Assertion Consumer Service' endpoint for the SAML service provider on this virtual server, i.e. the endpoint to which the identity provider will cause the user agent to send SAML assertions. This should be an HTTPS URL, must be in the same cookie domain as all hostnames used by the end user to access the virtual server (see cookie configuration) and the port must be the port on which this virtual server is listening. It must match the URI placed by the identity provider in the 'Recipient' attribute in the SAML assertion, if present. Value type: string Default value: <none> |
auth!saml!sp_entity_id |
The entity ID to be used by the SAML service provider function on this virtual server. This should usually be a URL, or a URN, however it may be any string. It must match the entity ID placed by the identity provider in the 'Audience' field in the SAML assertion. Value type: string Default value: <none> |
auth!saml!time_tolerance |
Time tolerance on authentication checks. When checking time-stamps and expiry dates against the current time on the system, allow a tolerance of this many seconds. For example, if a SAML response contains a 'NotOnOrAfter' that is 4 seconds in the past according to the local time, and the tolerance is set to 5 seconds, it will still be accepted. This is to prevent a lack of clock synchronization from resulting in rejection of SAML responses. Value type: seconds Default value: "5" |
auth!session!cookie_attributes |
Attributes of cookie used for authentication session. Value type: string Default value: "HttpOnly; SameSite=Strict" |
auth!session!cookie_name |
Name of cookie used for authentication session. Value type: string Default value: "VS_SamlSP_Auth" |
auth!session!log_external_state |
Whether or not to include state of authentication sessions stored encrypted on the client as plaintext in the logs. Value type: Yes / No Default value: "No" |
auth!session!timeout |
Timeout on authentication session. Value type: seconds Default value: "7200" |
auth!type |
Type of authentication to apply to requests to the virtual server. Value type: enumeration Default value: "none" Permitted values: none: None saml_sp: SAML Service Provider |
auth!verbose |
Whether or not detailed messages about virtual server authentication should be written to the error log. Value type: Yes / No Default value: "No" |
autodetect_upgrade_headers |
Whether the traffic manager should check for HTTP responses that confirm an HTTP connection is transitioning to the WebSockets protocol. If such a response is detected, the traffic manager will cease any protocol-specific processing on the connection and just pass incoming data to the client/server as appropriate. Value type: Yes / No Default value: "Yes" |
bandwidth_class |
The bandwidth management class that this server should use, if any. Value type: string Default value: <none> |
ca_sites!*!cert_headers |
Which parts of the client certificate, if any, should be inserted into requests to a back-end node, as header fields. The same fields as for ssl_client_cert_headers are made available, and optionally the base64 encoded certificate itself. Value type: enumeration Default value: <none> Permitted values: none: None simple: Fields all: Fields and PEM |
ca_sites!*!client_cas |
The certificate authorities used to verify client certificates for a particular destination site IP or SNI hostname. The specific site replaces the * (asterisk) in the key name, the value must be a valid file name in the conf/ssl/cas directory. The key can be specified multiple times to cover multiple IP addresses or SNI hostnames. Requires: ssl_decrypt is set to "Yes" Value type: list Default value: <none> |
ca_sites!*!request_cert |
Whether or not the virtual server should request an identifying certificate from each client connecting to particular destination IP address or SNI hostname. If a client certificate is requested this setting also determines whether the TLS handshake can continue successfully if the client does not present a certificate. Value type: enumeration Default value: <none> Permitted values: 0: No 1: Yes, allow if absent 2: Yes, deny if absent |
client_cas |
The certificate authorities that this virtual server should trust to validate client certificates. If no certificate authorities are selected, and client certificates are requested, then all client certificates will be accepted. Requires: ssl_decrypt is set to "Yes" Value type: list Default value: <none> |
close_with_rst |
Whether or not connections from clients should be closed with a RST packet, rather than a FIN packet. This avoids the TIME_WAIT state, which on rare occasions allows wandering duplicate packets to be safely ignored. Value type: Yes / No Default value: "No" |
completionrules |
Rules that are run at the end of a transaction, in order, comma separated. Value type: list Default value: <none> |
connect_timeout |
The time, in seconds, for which an established connection can remain idle waiting for some initial data to be received from the client. The initial data is defined as a complete set of request headers for HTTP, SIP and RTSP services, or the first byte of data for all other services. A value of 0 will disable the timeout. Value type: seconds Default value: "10" |
cookie!domain |
The way in which the traffic manager should rewrite the domain portion of any cookies set by a back-end web server. Value type: enumeration Default value: "0" Permitted values: 0: Do not rewrite the domain 1: Rewrite the domain to the host header of the request 2: Rewrite the domain to the named domain value |
cookie!newdomain |
The domain to use when rewriting a cookie's domain to a named value. Requires: cookie!domain is set to "2" Value type: string Default value: <none> |
cookie!pathregex |
If you wish to rewrite the path portion of any cookies set by a back-end web server, provide a regular expression to match the path. Value type: string Default value: <none> |
cookie!pathreplace |
If the cookie path regular expression matches, it will be replaced by this substitution. Parameters $1-$9 can be used to represent bracketed parts of the regular expression. Requires: cookie!pathregex is set to a regular expression Value type: string Default value: <none> |
cookie!secure |
Whether or not the traffic manager should modify the "secure" tag of any cookies set by a back-end web server. Value type: enumeration Default value: "0" Permitted values: 0: Do not modify the 'secure' tag 1: Set the 'secure' tag 2: Unset the 'secure' tag |
dns!edns_client_subnet |
Enable or disable use of the EDNS client subnet option. Value type: Yes / No Default value: "Yes" |
dns!edns_udpsize |
EDNS UDP size advertised in responses. Value type: unsigned integer Default value: "4096" |
dns!max_udpsize |
Maximum UDP answer size. Value type: unsigned integer Default value: "4096" |
dns!rrset_order |
Response record ordering. Value type: enumeration Default value: "fixed" Permitted values: fixed: Fixed cyclic: Cyclic |
dns!verbose |
Whether or not the DNS Server should emit verbose logging. This is useful for diagnosing problems. Value type: Yes / No Default value: "No" |
dns!zones |
The DNS zones. Value type: list Default value: <none> |
enabled |
Whether the virtual server is enabled. Value type: Yes / No Default value: "No" |
error_file |
Specify how the traffic manager should respond to the client when an internal or backend error is detected. In addition to sending custom or default error pages, the traffic manager can be instructed to close the connection without returning a response. Custom error pages can be uploaded via the Extra Files catalog page. Value type: string Default value: "Default" |
ftp!ssl_data |
Use SSL on the data connection as well as the control connection (if not enabled it is left to the client and server to negotiate this). Requires: ssl_decrypt is set to "Yes" Value type: Yes / No Default value: "Yes" |
ftp_data_source_port |
The source port to be used for active-mode FTP data connections. If 0, a random high port will be used, otherwise the specified port will be used. If a port below 1024 is required you must first explicitly permit use of low ports with the ftp_data_bind_low global setting. Value type: unsigned integer Default value: "0" |
ftp_force_client_secure |
Whether or not the virtual server should require that incoming FTP data connections from the client originate from the same IP address as the corresponding client control connection. Value type: Yes / No Default value: "Yes" |
ftp_force_server_secure |
Whether or not the virtual server should require that incoming FTP data connections from the nodes originate from the same IP address as the node. Value type: Yes / No Default value: "Yes" |
ftp_portrange_high |
If non-zero, then this controls the upper bound of the port range to use for FTP data connections. Value type: unsigned integer Default value: "0" |
ftp_portrange_low |
If non-zero, then this controls the lower bound of the port range to use for FTP data connections. Value type: unsigned integer Default value: "0" |
glb_services |
The associated GLB services for this DNS virtual server. Value type: list Default value: <none> |
gzip!compresslevel |
Compression level (1-9, 1=low, 9=high). Value type: unsigned integer Default value: "1" |
gzip!enabled |
Compress web pages sent back by the server. Value type: Yes / No Default value: "No" |
gzip!etag_rewrite |
How the ETag header should be manipulated when compressing content. Value type: enumeration Default value: "wrap" Permitted values: ignore: Leave the ETag unchanged delete: Delete the ETag header weaken: Change the ETag header to specify a weak match wrap: Wrap the ETag, and attempt to unwrap safe conditional requests |
gzip!include_mime |
MIME types to compress. Complete MIME types can be used, or a type can end in a '*' to match multiple types. Value type: list Default value: "text/html text/plain" |
gzip!maxsize |
Maximum document size to compress (0 means unlimited). Value type: bytes Default value: "10000000" |
gzip!minsize |
Minimum document size to compress. Value type: bytes Default value: "1000" |
gzip!nosize |
Compress documents with no given size. Value type: Yes / No Default value: "Yes" |
http2!connect_timeout |
The time, in seconds, to wait for a request on a new HTTP/2 connection. If no request is received within this time, the connection will be closed. This setting overrides the connect_timeout setting. If set to 0 (zero), the value of connect_timeout will be used instead. Value type: unsigned integer Default value: "0" |
http2!data_frame_size |
This setting controls the preferred frame size used when sending body data to the client. If the client specifies a smaller maximum size than this setting, the client's maximum size will be used. Every data frame sent has at least a 9-byte header, in addition to this frame size, prepended to it. Value type: bytes Default value: "4096" |
http2!enabled |
This setting allows the HTTP/2 protocol to be used by an HTTP virtual server. Unless use of HTTP/2 is negotiated by the client, the virtual server will fall back to HTTP 1.x automatically. Value type: Yes / No Default value: "Yes" |
http2!header_table_size |
This setting controls the amount of memory allowed for header compression on each HTTP/2 connection. Value type: bytes Default value: "4096" |
http2!headers_index_blacklist |
A list of header names that should never be compressed using indexing. Value type: list Default value: <none> |
http2!headers_index_default |
The HTTP/2 HPACK compression scheme allows for HTTP headers to be compressed using indexing. Sensitive headers can be marked as "never index", which prevents them from being compressed using indexing. When this setting is Yes, only headers included in http2!headers_index_blacklist are marked as "never index". When this setting is No, all headers will be marked as "never index" unless they are included in http2!headers_index_whitelist. Value type: Yes / No Default value: "Yes" |
http2!headers_index_whitelist |
A list of header names that can be compressed using indexing when the value of http2!headers_index_default is set to No. Value type: list Default value: <none> |
http2!headers_size_limit |
The maximum size, in bytes, of decompressed headers for an HTTP/2 request. If the limit is exceeded, the connection on which the request was sent will be dropped. A value of 0 disables the limit check. If a service protection class with http!max_header_length configured is associated with this service then that setting will take precedence. Value type: unsigned integer Default value: "262144" |
http2!idle_timeout_no_streams |
The time, in seconds, to wait for a new HTTP/2 request on a previously used HTTP/2 connection that has no open HTTP/2 streams. If an HTTP/2 request is not received within this time, the connection will be closed. A value of 0 (zero) will disable the timeout. Value type: unsigned integer Default value: "120" |
http2!idle_timeout_open_streams |
The time, in seconds, to wait for data on an idle HTTP/2 connection, which has open streams, when no data has been sent recently (e.g. for long-polled requests). If data is not sent within this time, all open streams and the HTTP/2 connection will be closed. A value of 0 (zero) will disable the timeout. Value type: unsigned integer Default value: "600" |
http2!max_concurrent_streams |
This setting controls the number of streams a client is permitted to open concurrently on a single connection. Value type: unsigned integer Default value: "200" |
http2!max_frame_size |
This setting controls the maximum HTTP/2 frame size clients are permitted to send to the traffic manager. Value type: bytes Default value: "16384" |
http2!max_header_padding |
The maximum size, in bytes, of the random-length padding to add to HTTP/2 header frames. The padding is a random number of zero bytes, up to the maximum specified. Value type: bytes Default value: "0" |
http2!merge_cookie_headers |
Whether Cookie headers received from an HTTP/2 client should be merged into a single Cookie header using RFC6265 rules before forwarding to an HTTP/1.1 server. Some web applications do not handle multiple Cookie headers correctly. Value type: Yes / No Default value: "Yes" |
http2!stream_window_size |
This setting controls the flow control window for each HTTP/2 stream. This will limit the memory used for buffering when the client is sending body data faster than the pool node is reading it. Value type: bytes Default value: "65535" |
http2_client_buffer_multiplier |
The amount of memory, in multiples of the value specified by max_client_buffer, that the virtual server should use to store data sent by a client through an HTTP/2 connection. The value specified can be between 0 and 200. The value of 0 means unlimited. This setting limits buffer size for an HTTP/2 connection and does not affect buffer size for HTTP/1 connections or TCP stream connections. The number of HTTP/2 streams that can be opened in a single HTTP/2 connection is given by http2!max_concurrent_streams. An overall cap to the amount of memory allocated for buffers for all TCP connections is given by the global max_tcp_buff_mem setting. Value type: unsigned integer Default value: "0" |
http2_server_buffer_multiplier |
The amount of memory, in multiples of the value specified by max_server_buffer, that the virtual server should use to store data sent to a client through an HTTP/2 connection. The value specified can be between 0 and 200. The value of 0 means unlimited. This setting limits buffer size for an HTTP/2 connection and does not affect buffer size for HTTP/1 connections or TCP stream connections. The number of HTTP/2 streams that can be opened in a single HTTP/2 connection is given by http2!max_concurrent_streams. An overall cap to the amount of memory allocated for buffers for all TCP connections is given by the global max_tcp_buff_mem setting. Value type: unsigned integer Default value: "0" |
http_chunk_overhead_forwarding |
Handling of HTTP chunk overhead. When vTM receives data from a server or client that consists purely of protocol overhead (contains no payload), forwarding of such segments is delayed until useful payload data arrives (setting "lazy"). Changing this key to "eager" will make vTM incur the overhead of immediately passing such data on; it should only be used with HTTP peers whose chunk handling requires it. Value type: enumeration Default value: "lazy" Permitted values: lazy: lazy eager: eager |
issued_certs_never_expire |
When the virtual server verifies certificates signed by these certificate authorities, it doesn't check the 'not after' date, i.e., they are considered valid even after their expiration date has passed (but not if they have been revoked). Requires: ssl_decrypt is set to "Yes" Value type: list Default value: <none> |
issued_certs_never_expire_depth |
This setting gives the number of certificates in a certificate chain beyond those listed as issued_certs_never_expire whose certificate expiry will not be checked. For example "0" will result in the expiry checks being made for certificates issued by issued_certs_never_expire certificates, "1" will result in no expiry checks being performed for the certificates directly issued by issued_certs_never_expire certificates, "2" will avoid checking expiry for certificates issued by certificates issued by the issued_certs_never_expire certificates as well, and so on. Value type: unsigned integer Default value: "1" |
keepalive |
Whether or not the virtual server should use keepalive connections with the remote clients. Value type: Yes / No Default value: "Yes" |
keepalive_timeout |
The length of time that the virtual server should keep an idle keepalive connection before discarding it. A value of 0 (zero) will mean that the keepalives are never closed by the traffic manager. Value type: seconds Default value: "10" |
kerberos_protocol_transition!enabled |
Whether or not the virtual server should use Kerberos Protocol Transition. Value type: Yes / No Default value: "No" |
kerberos_protocol_transition!principal |
The Kerberos principal this virtual server should use to perform Kerberos Protocol Transition. Value type: string Default value: <none> |
kerberos_protocol_transition!target |
The Kerberos principal name of the service this virtual server targets. Value type: string Default value: <none> |
location!regex |
If the 'Location' header matches this regular expression, rewrite the header using the 'location!replace' pattern. Value type: string Default value: <none> |
location!replace |
If the 'Location' header matches the 'location!regex' regular expression, rewrite the header with this pattern (parameters such as $1-$9 can be used to match parts of the regular expression). Requires: location!regex is set to a regular expression Value type: string Default value: <none> |
location!rewrite |
The action the virtual server should take if the "Location" header does not match the location!regex regular expression. Value type: enumeration Default value: "1" Permitted values: 0: Nothing; 2: Rewrite the hostname to the request's "Host" header, and rewrite the protocol and port if necessary; 1: Do not rewrite the hostname. Rewrite the protocol and port if the hostname matches the request's "Host" header. |
log!client_connection_failures |
Whether or not the virtual server should log failures occurring on connections to clients. Value type: Yes / No Default value: "No" |
log!enabled |
Whether or not to log connections to the virtual server to a disk on the file system. Value type: Yes / No Default value: "No" |
log!filename |
The name of the file in which to store the request logs. The filename can contain macros which will be expanded by the traffic manager to generate the full filename. Requires: log!enabled is set to "Yes" Value type: string Default value: "%zeushome%/zxtm/log/%v.log" |
log!format |
The log file format. This specifies the line of text that will be written to the log file when a connection to the traffic manager is completed. Many parameters from the connection can be recorded using macros. Requires: log!enabled is set to "Yes" Value type: string Default value: "%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"" |
log!save_all |
Whether to log all connections by default, or log no connections by default. Specific connections can be selected for addition to or exclusion from the log using the TrafficScript function requestlog.include(). Value type: Yes / No Default value: "Yes" |
log!server_connection_failures |
Whether or not the virtual server should log failures occurring on connections to nodes. Value type: Yes / No Default value: "No" |
log!session_persistence_verbose |
Whether or not the virtual server should log session persistence events. Value type: Yes / No Default value: "No" |
log!ssl_failures |
Whether or not the virtual server should log failures occurring during SSL secure negotiation. Value type: Yes / No Default value: "No" |
log!ssl_resumption_failures |
Whether or not the virtual server should log messages when attempts to resume SSL sessions (either from the session cache or a session ticket) fail. Note that failure to resume an SSL session does not result in the SSL connection being closed, but it does cause a full SSL handshake to take place. Value type: Yes / No Default value: "No" |
max_client_buffer |
The amount of memory, in bytes, that the virtual server should use to store data sent by the client through one TCP connection or HTTP/2 stream. Larger values will use more memory, but will minimise the number of read() and write() system calls that the traffic manager must perform. Value type: bytes Default value: "65536" |
max_concurrent_connections |
The maximum number of concurrent TCP connections that will be handled by this virtual server. If set to a non-zero value, the traffic manager will limit the number of concurrent TCP connections that this virtual server will accept to the value specified. When the limit is reached, new connections to this virtual server will not be accepted. If set to 0 the number of concurrent TCP connections will not be limited. Value type: unsigned integer Default value: "0" |
max_server_buffer |
The amount of memory, in bytes, that the virtual server should use to store data returned by the server through one TCP connection. Larger values will use more memory, but will minimise the number of read() and write() system calls that the traffic manager must perform. Value type: bytes Default value: "65536" |
max_transaction_duration |
The total amount of time a transaction can take, counted from the first byte being received until the transaction is complete. For HTTP, this can mean all data has been written in both directions, or the connection has been closed; in most other cases it is the same as the connection being closed. The default value of 0 means there is no maximum duration, i.e., transactions can take arbitrarily long if none of the other timeouts occur. Value type: seconds Default value: "0" |
mime!default |
Auto-correct MIME types if the server sends the "default" MIME type for files. Value type: string Default value: "text/plain" |
mime!detect |
Auto-detect MIME types if the server does not provide them. Value type: Yes / No Default value: "No" |
note |
A description for the virtual server. Value type: string Default value: <none> |
pool |
The default pool to use for traffic. Value type: string Default value: <none> |
port |
The port on which to listen for incoming connections. Value type: unsigned integer Default value: <none> |
private_key |
The SSL private key. Requires: ssl_decrypt is set to "Yes" Value type: string Default value: <none> |
protection |
The service protection class that should be used to protect this server, if any. Value type: string Default value: <none> |
protocol |
The protocol that the virtual server is using. Value type: enumeration Default value: "http" Permitted values: http: HTTP ftp: FTP imapv2: IMAPv2 imapv3: IMAPv3 imapv4: IMAPv4 pop3: POP3 smtp: SMTP ldap: LDAP telnet: Telnet ssl: SSL https: SSL (HTTPS) imaps: SSL (IMAPS) pop3s: SSL (POP3S) ldaps: SSL (LDAPS) udpstreaming: UDP - Streaming udp: UDP dns: DNS (UDP) dns_tcp: DNS (TCP) sipudp: SIP (UDP) siptcp: SIP (TCP) rtsp: RTSP server_first: Generic server first client_first: Generic client first stream: Generic streaming |
proxy_close |
If set to Yes the traffic manager will send the client FIN to the back-end server and wait for a server response instead of closing the connection immediately. This is only necessary for protocols that require half-close support to function correctly, such as "rsh". If the traffic manager is responding to the request itself, setting this key to Yes will cause the traffic manager to continue writing the response even after it has received a FIN from the client. Value type: Yes / No Default value: "No" |
proxy_protocol |
Expect connections to the traffic manager to be prefixed with a PROXY protocol header. If enabled, the information contained in the PROXY header will be available in TrafficScript. Connections that are not prefixed with a valid PROXY protocol header will be discarded. Value type: Yes / No Default value: "No" |
public_cert |
The SSL public certificate. Requires: ssl_decrypt is set to "Yes" Value type: string Default value: <none> |
recent_conns!enabled |
Whether or not connections handled by this virtual server should be shown on the Activity > Connections page. Value type: Yes / No Default value: "Yes" |
recent_conns!save_all |
Whether or not all connections handled by this virtual server should be shown on the Connections page. Individual connections can be selectively shown on the Connections page using the recentconns.include() TrafficScript function. Value type: Yes / No Default value: "No" |
request_client_cert |
Whether or not the virtual server should request an identifying certificate from each client. Value type: enumeration Default value: "0" Permitted values: 0: Do not request a client certificate 1: Request, but do not require a client certificate 2: Require a client certificate |
request_tracing!enabled |
Record a trace of major connection processing events for each request and response. Value type: Yes / No Default value: "No" |
request_tracing!trace_io |
Include details of individual I/O events in request and response traces. Requires: request_tracing!enabled is set to "Yes" Value type: Yes / No Default value: "No" |
responserules |
Rules to be applied to responses, in order, comma separated. Value type: list Default value: <none> |
rtsp_streaming_portrange_high |
If non-zero, then this controls the upper bound of the port range to use for streaming data connections. Value type: unsigned integer Default value: "0" |
rtsp_streaming_portrange_low |
If non-zero, then this controls the lower bound of the port range to use for streaming data connections. Value type: unsigned integer Default value: "0" |
rtsp_streaming_timeout |
If non-zero, data streams associated with RTSP connections will time out if no data is transmitted for this many seconds. Value type: seconds Default value: "30" |
rules |
Rules to be applied to incoming requests, in order, comma separated. Value type: list Default value: <none> |
serverfirst_banner |
If specified, the traffic manager will use the value as the banner to send for server-first protocols such as FTP, POP, SMTP and IMAP. This allows rules to use the first part of the client data (such as the username) to select a pool. The banner should be in the correct format for the protocol, e.g. for FTP it should start with "220 ". Value type: string Default value: <none> |
sip_dangerous_requests |
The action to take when a SIP request with body data arrives that should be routed to an external IP. Value type: enumeration Default value: "node" Permitted values: node: Send the request to a back-end node forbid: Send a 403 Forbidden response to the client forward: Forward the request to its target URI (dangerous) |
sip_follow_route |
Whether or not the virtual server should follow routing information contained in SIP requests. If set to No, requests will be routed to the chosen back-end node regardless of their URI or Route header. Value type: Yes / No Default value: "Yes" |
sip_max_connection_mem |
SIP clients can have several pending requests at one time. To protect the traffic manager against DoS attacks, this setting limits the amount of memory each client can use. When the limit is reached, new requests will be sent a 413 response. If the value is set to 0 (zero), the memory limit is disabled. Value type: bytes Default value: "65536" |
sip_mode |
The mode that this SIP virtual server should operate in. Value type: enumeration Default value: "pi" Permitted values: lb: SIP Routing pi: SIP Gateway fc: Full Gateway |
sip_rewrite_uri |
Replace the Request-URI of SIP requests with the address of the selected back-end node. Value type: Yes / No Default value: "No" |
sip_streaming_portrange_high |
If non-zero, then this controls the upper bound of the port range to use for streaming data connections. Value type: unsigned integer Default value: "0" |
sip_streaming_portrange_low |
If non-zero, then this controls the lower bound of the port range to use for streaming data connections. Value type: unsigned integer Default value: "0" |
sip_streaming_timeout |
If non-zero, a UDP stream will time out when no data has been seen within this time. Value type: seconds Default value: "60" |
sip_timeout_messages |
When timing out a SIP transaction, send a 'timed out' response to the client and, in the case of an INVITE transaction, a CANCEL request to the server. Value type: Yes / No Default value: "Yes" |
sip_transaction_timeout |
The virtual server should discard a SIP transaction when no further messages have been seen within this time. Value type: seconds Default value: "30" |
sip_udp_associate_by_source |
Require that SIP datagrams which are part of the same transaction are received from the same address and port. Value type: Yes / No Default value: "Yes" |
slm |
The service level monitoring class that this server should use, if any. Value type: string Default value: <none> |
smtp!expect_starttls |
Whether or not the traffic manager should expect the connection to start off in plain text and then upgrade to SSL using STARTTLS when handling SMTP traffic. Value type: Yes / No Default value: "Yes" |
so_nagle |
Whether or not Nagle's algorithm should be used for TCP connections. Value type: Yes / No Default value: "No" |
ssl_cipher_suites |
The SSL/TLS cipher suites to allow for connections to this virtual server. Leaving this empty will make the virtual server use the globally configured cipher suites, see configuration key ssl!cipher_suites in the Global Settings section of the System tab. See there for how to specify SSL/TLS cipher suites. Value type: string Default value: <none> |
ssl_client_cert_headers |
What HTTP headers the virtual server should add to each request to show the data in the client certificate. Value type: enumeration Default value: "none" Permitted values: none: No data simple: Certificate fields all: Certificate fields and certificate text |
ssl_decrypt |
Whether or not the virtual server should decrypt incoming SSL traffic. Value type: Yes / No Default value: "No" |
ssl_elliptic_curves |
The SSL elliptic curve preference list for SSL connections to this virtual server using TLS version 1.0 or higher. Leaving this empty will make the virtual server use the globally configured preference list, ssl!elliptic_curves in the Global Settings section of the System tab. See there for how to specify elliptic curves. Value type: string Default value: <none> |
ssl_headers |
Whether or not the virtual server should add HTTP headers to each request to show the SSL connection parameters. Value type: Yes / No Default value: "No" |
ssl_honor_fallback_scsv |
Whether or not the Fallback SCSV sent by TLS clients is honored by this virtual server. Choosing the global setting means the value of configuration key ssl!honor_fallback_scsv from the Global Settings section of the System tab will be enforced. Value type: enumeration Default value: "use_default" Permitted values: use_default: Use the global setting for Fallback SCSV enabled: Enable Fallback SCSV disabled: Disable Fallback SCSV |
ssl_ocsp!issuer!*!aia |
Whether or not the traffic manager should use AIA information contained in a client certificate to determine which OCSP responder to contact. Value type: Yes / No Default value: <none> |
ssl_ocsp!issuer!*!nonce |
Use the OCSP nonce extension, which protects against OCSP replay attacks. Some OCSP servers do not support nonces. Value type: enumeration Default value: <none> Permitted values: off: No nonce check on: Use nonce, server does not have to reply with nonce strict: Use nonce, server must reply with nonce |
ssl_ocsp!issuer!*!required |
Whether an OCSP check should be performed for this issuer, and whether it is required or optional. Value type: enumeration Default value: <none> Permitted values: none: None optional: OCSP check optional strict: OCSP check required |
ssl_ocsp!issuer!*!responder_cert |
The expected responder certificate. Value type: string Default value: <none> |
ssl_ocsp!issuer!*!signer |
If set, the request will be signed with the supplied certificate. Value type: string Default value: <none> |
ssl_ocsp!issuer!*!url |
Which OCSP responders this virtual server should use to verify client certificates. Value type: string Default value: <none> |
ssl_ocsp_max_response_age |
The number of seconds for which an OCSP response is considered valid if it has not yet exceeded the time specified in the 'nextUpdate' field. If set to 0 (zero) then OCSP responses are considered valid until the time specified in their 'nextUpdate' field. Value type: seconds Default value: "0" |
ssl_ocsp_stapling |
If OCSP URIs are present in certificates used by this virtual server, then enabling this option will allow the traffic manager to provide OCSP responses for these certificates as part of the handshake, if the client sends a TLS status_request extension in the ClientHello. Value type: Yes / No Default value: "No" |
ssl_ocsp_time_tolerance |
The number of seconds outside the permitted range for which the 'thisUpdate' and 'nextUpdate' fields of an OCSP response are still considered valid. Value type: seconds Default value: "30" |
ssl_ocsp_timeout |
The number of seconds after which OCSP requests will be timed out. Value type: seconds Default value: "10" |
ssl_send_close_alerts |
Whether or not to send an SSL/TLS "close alert" when the traffic manager is initiating an SSL socket disconnection. Value type: Yes / No Default value: "Yes" |
ssl_session_cache_enabled |
Whether or not use of the session cache is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!session_cache_enabled from the Global Settings section of the System tab will be enforced. Value type: enumeration Default value: "use_default" Permitted values: use_default: Use the global setting for use of the session cache enabled: Enable use of the session cache disabled: Disable use of the session cache |
ssl_session_tickets_enabled |
Whether or not use of session tickets is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!tickets!enabled from the Global Settings section of the System tab will be enforced. Value type: enumeration Default value: "use_default" Permitted values: use_default: Use the global setting for use of session tickets enabled: Enable use of the session tickets disabled: Disable use of the session tickets |
ssl_signature_algorithms |
The SSL signature algorithms preference list for SSL connections to this virtual server using TLS version 1.2 or higher. Leaving this empty will make the virtual server use the globally configured preference list, ssl!signature_algorithms in the Global Settings section of the System tab. See there for how to specify TLS signature algorithms. Value type: string Default value: <none> |
ssl_sites!*!alt_certificates |
The SSL public certificates for a particular destination site IP or SNI hostname. The specific site replaces the * (asterisk) in the key name; the value must be a valid file name in the conf/ssl/server_keys directory without the private or public file name extensions. The key can be specified multiple times to cover multiple IP addresses. Requires: ssl_decrypt is set to "Yes" Value type: list Default value: <none> |
ssl_sites!*!private_key |
The SSL private key for a particular destination site IP. Requires: ssl_decrypt is set to "Yes" Value type: string Default value: <none> |
ssl_sites!*!public_cert |
The SSL public certificate for a particular destination site IP or SNI hostname. The specific site replaces the * (asterisk) in the key name; the value must be a valid certificate in the conf/ssl/server_keys directory. The key can be specified multiple times to cover multiple IP addresses. Requires: ssl_decrypt is set to "Yes" Value type: string Default value: <none> |
ssl_support_ssl3 |
Whether or not SSLv3 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_ssl3 from the Global Settings section of the System tab will be enforced. Value type: enumeration Default value: "use_default" Permitted values: use_default: Use the global setting for SSLv3 enabled: Enable SSLv3 disabled: Disable SSLv3 |
ssl_support_tls1 |
Whether or not TLSv1.0 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_tls1 from the Global Settings section of the System tab will be enforced. Value type: enumeration Default value: "use_default" Permitted values: use_default: Use the global setting for TLSv1.0 enabled: Enable TLSv1.0 disabled: Disable TLSv1.0 |
ssl_support_tls1_1 |
Whether or not TLSv1.1 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_tls1_1 from the Global Settings section of the System tab will be enforced. Value type: enumeration Default value: "use_default" Permitted values: use_default: Use the global setting for TLSv1.1 enabled: Enable TLSv1.1 disabled: Disable TLSv1.1 |
ssl_support_tls1_2 |
Whether or not TLSv1.2 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_tls1_2 from the Global Settings section of the System tab will be enforced. Value type: enumeration Default value: "use_default" Permitted values: use_default: Use the global setting for TLSv1.2 enabled: Enable TLSv1.2 disabled: Disable TLSv1.2 |
ssl_support_tls1_3 |
Whether or not TLSv1.3 is enabled for this virtual server. Choosing the global setting means the value of configuration key ssl!support_tls1_3 from the Global Settings section of the System tab will be enforced. Value type: enumeration Default value: "use_default" Permitted values: use_default: Use the global setting for TLSv1.3 enabled: Enable TLSv1.3 disabled: Disable TLSv1.3 |
ssl_trust_magic |
If the traffic manager is receiving traffic sent from another traffic manager, then enabling this option will allow it to decode extra information on the true origin of the SSL connection. This information is supplied by the first traffic manager. Value type: Yes / No Default value: "No" |
ssl_use_ocsp |
Whether or not the traffic manager should use OCSP to check the revocation status of client certificates. Value type: Yes / No Default value: "No" |
strip_x_forwarded_proto |
Whether or not the virtual server should strip the 'X-Forwarded-Proto' header from incoming requests. Value type: Yes / No Default value: "Yes" |
syslog!enabled |
Whether or not to log connections to the virtual server to a remote syslog host. Value type: Yes / No Default value: "No" |
syslog!format |
The log format for the remote syslog. This specifies the line of text that will be sent to the remote syslog when a connection to the traffic manager is completed. Many parameters from the connection can be recorded using macros. Requires: syslog!enabled is set to "Yes" Value type: string Default value: "%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"" |
syslog!ipendpoint |
The remote host and port (default is 514) to send request log lines to. Requires: syslog!enabled is set to "Yes" Value type: string Default value: <none> |
syslog!msg_len_limit |
Maximum length in bytes of a message sent to the remote syslog. Messages longer than this will be truncated before they are sent. Requires: syslog!enabled is set to "Yes" Value type: unsigned integer Default value: "2048" |
timeout |
A connection should be closed if no additional data has been received for this period of time. A value of 0 (zero) will disable this timeout. Note that the default value may vary depending on the protocol selected. Value type: seconds Default value: "300" |
transaction_export!brief |
Whether to export a restricted set of metadata about transactions processed by this virtual server. If enabled, more verbose information such as client and server headers and request tracing events will be omitted from the exported data. Requires: transaction_export!enabled is set to "Yes" Value type: Yes / No Default value: "No" |
transaction_export!enabled |
Export metadata about transactions handled by this service to the globally configured endpoint. Data will be exported only if the global transaction_export!enabled setting is enabled. Value type: Yes / No Default value: "Yes" |
transaction_export!hi_res |
Whether the transaction processing timeline included in the metadata export is recorded with a high, microsecond, resolution. If set to No, timestamps will be recorded with a resolution of milliseconds. Value type: Yes / No Default value: "No" |
transaction_export!http_header_blacklist |
The set of HTTP header names for which corresponding values should be redacted from the metadata exported by this virtual server. Value type: list Default value: "Authorization" |
transparent |
Whether or not bound sockets should be configured for transparent proxying. Value type: Yes / No Default value: "No" |
udp_endpoint_persistence |
Whether UDP datagrams received from the same IP address and port are sent to the same pool node if they match an existing UDP session. Sessions are defined by the protocol being handled, for example SIP datagrams are grouped based on the value of the Call-ID header. Value type: Yes / No Default value: "Yes" |
udp_port_smp |
Whether or not UDP datagrams should be distributed across all traffic manager processes, if this behaviour is not normally selected automatically due to other settings. Value type: Yes / No Default value: "No" |
udp_rbuff_size |
If this setting is non-zero, the virtual server will set the socket receive buffer size to this number of bytes. If set, this will override the so_rbuff_size setting. An OS-specified limit on socket buffer sizes such as given by sysctl net.core.rmem_max can be exceeded using this setting. Value type: unsigned integer Default value: "0" |
udp_response_datagrams_expected |
The virtual server should discard any UDP connection and reclaim resources when the node has responded with this number of datagrams. For simple request/response protocols this can often be set to 1. If set to -1, the connection will not be discarded until the udp_timeout is reached. Value type: int Default value: "1" |
udp_smp_mode |
Whether the traffic manager should try to use SO_REUSEPORT for distributing incoming UDP datagrams across multiple processes (if kernel support is detected) or whether the legacy (pre-20.2) multi-processing mode should be used. Value type: enumeration Default value: "auto" Permitted values: auto: auto legacy: legacy |
udp_timeout |
The virtual server should discard any UDP connection and reclaim resources when no further UDP traffic has been seen within this time. Value type: seconds Default value: "7" |
udp_wbuff_size |
If this setting is non-zero, the virtual server will set the socket send buffer size to this number of bytes. If set, this will override the so_wbuff_size setting. An OS-specified limit on socket buffer sizes such as given by sysctl net.core.wmem_max can be exceeded using this setting. Value type: unsigned integer Default value: "0" |
webcache!control_out |
The "Cache-Control" header to add to every cached HTTP response, no-cache or max-age=600 for example. Value type: string Default value: <none> |
webcache!enabled |
If set to Yes, the traffic manager will attempt to cache web server responses. Value type: Yes / No Default value: "No" |
webcache!errorpage_time |
Time period to cache error pages for. Value type: seconds Default value: "30" |
webcache!refresh_time |
If a cached page is about to expire within this time, the traffic manager will start to forward some new requests on to the web servers. A maximum of one request per second will be forwarded; the remainder will continue to be served from the cache. This prevents "bursts" of traffic to your web servers when an item expires from the cache. Setting this value to 0 will stop the traffic manager updating the cache before it expires. Value type: seconds Default value: "2" |
webcache!time |
Maximum time period to cache web pages for. Value type: seconds Default value: "600" |
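The following audit of one conf/vservers file against the ssl_* and strip_x_forwarded_proto keys documented above is an added example, not code from the product or its vendor. It assumes each line of the file is a key followed by whitespace and its value; the sample contents and the issuer name example_ca are constructed.

```python
import re

# Defaults copied from the table on this page.
DEFAULTS = {
    "ssl_support_ssl3": "use_default", "ssl_support_tls1": "use_default",
    "ssl_support_tls1_1": "use_default", "ssl_honor_fallback_scsv": "use_default",
    "ssl_trust_magic": "No", "ssl_use_ocsp": "No", "strip_x_forwarded_proto": "Yes",
}
LEGACY = {"ssl_support_ssl3": "SSLv3", "ssl_support_tls1": "TLSv1.0",
          "ssl_support_tls1_1": "TLSv1.1"}
OCSP_KEY = re.compile(r"ssl_ocsp!issuer!(.+)!(required|nonce)")

# Constructed sample; the issuer name "example_ca" is hypothetical.
SAMPLE = """\
# constructed sample virtual server
ssl_decrypt Yes
ssl_support_ssl3 disabled
ssl_support_tls1 enabled
ssl_honor_fallback_scsv disabled
ssl_trust_magic Yes
ssl_use_ocsp Yes
ssl_ocsp!issuer!example_ca!required optional
ssl_ocsp!issuer!example_ca!nonce strict
"""

def parse_vserver(text):
    """Assumed format: one 'key<whitespace>value' per line, '#' for comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text):
    """Return (key, message) findings; unset keys fall back to page defaults."""
    conf = parse_vserver(text)
    get = lambda key: conf.get(key, DEFAULTS[key])
    findings = []
    for key, proto in LEGACY.items():
        if get(key) == "enabled":
            findings.append((key, f"{proto} explicitly enabled"))
        elif get(key) == "use_default":
            findings.append((key, f"{proto} inherits global ssl!{key[4:]}; check it"))
    if get("ssl_honor_fallback_scsv") == "disabled":
        findings.append(("ssl_honor_fallback_scsv", "client Fallback SCSV is ignored"))
    if get("ssl_trust_magic") == "Yes":
        findings.append(("ssl_trust_magic", "origin data from the sending peer is trusted"))
    if get("strip_x_forwarded_proto") == "No":
        findings.append(("strip_x_forwarded_proto", "client-supplied header reaches back end"))
    if get("ssl_use_ocsp") == "Yes":
        for key, value in conf.items():
            match = OCSP_KEY.fullmatch(key)
            if match and match.group(2) == "required" and value != "strict":
                findings.append((key, f"OCSP not mandatory for issuer {match.group(1)}"))
            if match and match.group(2) == "nonce" and value == "off":
                findings.append((key, f"no OCSP nonce for issuer {match.group(1)}"))
    return findings

if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```

Keys reported as inheriting a global value still need the matching ssl! key in Global Settings to be checked before the protocol can be considered off.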