System Settings¶

To fine-tune system API Firewall settings, use the following optional environment variables or YAML parameters:

Environment variable	YAML parameter	Description
`APIFW_READ_TIMEOUT`	Server → `ReadTimeout`	The timeout for API Firewall to read the full request (including the body) sent to the application URL. The default value is `5s`.
`APIFW_WRITE_TIMEOUT`	Server → `WriteTimeout`	The timeout for API Firewall to return the response to the request sent to the application URL. The default value is `5s`.
`APIFW_SERVER_MAX_CONNS_PER_HOST` (for `PROXY` and `graphql` modes)	`MaxConnsPerHost`	The maximum number of connections that API Firewall can handle simultaneously. The default value is `512`.
`APIFW_SERVER_READ_TIMEOUT` (for `PROXY` and `graphql` modes)	Backend → ProtectedAPI → `ReadTimeout`	The timeout for API Firewall to read the full response (including the body) returned to the request by the application. The default value is `5s`.
`APIFW_SERVER_WRITE_TIMEOUT` (for `PROXY` and `graphql` modes)	Backend → ProtectedAPI → `WriteTimeout`	The timeout for API Firewall to write the full request (including the body) to the application. The default value is `5s`.
`APIFW_SERVER_DIAL_TIMEOUT` (for `PROXY` and `graphql` modes)	`DialTimeout`	The timeout for API Firewall to connect to the application. The default value is `200ms`.
`APIFW_SERVER_CLIENT_POOL_CAPACITY` (for `PROXY` and `graphql` modes)	`ClientPoolCapacity`	Maximum number of the fasthttp clients. The default value is `1000`.
`APIFW_HEALTH_HOST`	HealthAPIHost	The host of the health check service. The default value is `0.0.0.0:9667`. The liveness probe service path is `/v1/liveness` and the readiness service path is `/v1/readiness`.
`APIFW_READ_BUFFER_SIZE` (for APIFW server)	`ReadBufferSize`	Per-connection buffer size for request reading. This also limits the maximum header size. Increase this buffer if your clients send multi-KB RequestURIs and/or multi-KB headers (for example, BIG cookies). The default value is `8192`.
`APIFW_WRITE_BUFFER_SIZE` (for APIFW server)	`WriteBufferSize`	Per-connection buffer size for response writing. The default value is `8192`.
`APIFW_MAX_REQUEST_BODY_SIZE` (for APIFW server)	`MaxRequestBodySize`	Maximum request body size. The server rejects requests with bodies exceeding this limit. The default value is `4194304`.
`APIFW_DISABLE_KEEPALIVE` (for APIFW server)	`DisableKeepalive`	Disables the keep-alive connections. The server will close all the incoming connections after sending the first response to the client if this option is set to `true`. The default value is `false`.
`APIFW_MAX_CONNS_PER_IP` (for APIFW server)	`MaxConnsPerIP`	Maximum number of concurrent client connections allowed per IP. The default value is `0` (means "unlimited").
`APIFW_MAX_REQUESTS_PER_CONN` (for APIFW server)	`MaxRequestsPerConn`	Maximum number of requests served per connection. The server closes the connection after the last request. The `Connection: close` header is added to the last response. The default value is `0` (means "unlimited").
`APIFW_SERVER_READ_BUFFER_SIZE` (for HTTP client sending requests)	`ReadBufferSize`	Per-connection buffer size for request reading. This also limits the maximum header size. The default value is `8192`.
`APIFW_SERVER_WRITE_BUFFER_SIZE` (for HTTP client sending requests)	`WriteBufferSize`	Per-connection buffer size for response writing. The default value is `8192`.
`APIFW_SERVER_MAX_RESPONSE_BODY_SIZE` (for HTTP client sending requests)	`MaxResponseBodySize`	Maximum response body size. The default value is `0` (means "unlimited").

Example of apifw.yaml

mode: "PROXY"
RequestValidation: "BLOCK"
ResponseValidation: "BLOCK"
CustomBlockStatusCode: 403
AddValidationStatusHeader: false
APISpecs: "openapi.yaml"
APISpecsCustomHeader:
  Name: ""
  Value: ""
PassOptionsRequests: true
SpecificationUpdatePeriod: "0"
Server:
  APIHost: "http://0.0.0.0:8282"
  HealthAPIHost: "0.0.0.0:9999"
  ReadTimeout: "5s"
  WriteTimeout: "5s"
  ReadBufferSize: 8192
  WriteBufferSize: 8192
  MaxRequestBodySize: 4194304
  DisableKeepalive: false
  MaxConnsPerIP: 0
  MaxRequestsPerConn: 0
DNS:
  Nameserver:
    Host: ""
    Port: "53"
    Proto: "udp"
  Cache: false
  FetchTimeout: "1m"
  LookupTimeout: "1s"
Denylist:
  Tokens:
    CookieName: ""
    HeaderName: ""
    TrimBearerPrefix: true
    File: ""
AllowIP:
  File: ""
  HeaderName: ""
ShadowAPI:
  ExcludeList:
    - 404
    - 200
  UnknownParametersDetection: false
TLS:
  CertsPath: "certs"
  CertFile: "localhost.crt"
  CertKey: "localhost.key"
ModSecurity:
  ConfFiles: []
  RulesDir: ""
Endpoints: []
Backend:
  Oauth:
    ValidationType: "JWT"
    JWT:
      SignatureAlgorithm: "RS256"
      PubCertFile: ""
      SecretKey: ""
    Introspection:
      ClientAuthBearerToken: ""
      Endpoint: ""
      EndpointParams: ""
      TokenParamName: ""
      ContentType: ""
      EndpointMethod: "GET"
      RefreshInterval: "10m"
  ProtectedAPI:
    URL: "http://localhost:3000/v1/"
    RequestHostHeader: ""
    ClientPoolCapacity: 1000
    InsecureConnection: false
    RootCA: ""
    MaxConnsPerHost: 512
    ReadTimeout: "5s"
    WriteTimeout: "5s"
    DialTimeout: "200ms"
    ReadBufferSize: 8192
    WriteBufferSize: 8192
    MaxResponseBodySize: 0
    DeleteAcceptEncoding: false