The OpenIAM rProxy is implemented as a custom Apache module (mod_openiam.so). All OPENIAM_ directives listed here are proprietary to this module — they are not standard Apache httpd directives. They are loaded into Apache via:

```apache
LoadModule openiam_module modules/mod_openiam.so
```

Scope note: Some directives are global (outside any `<VirtualHost>` or `<Location>` block), some belong inside `<Location>` blocks. See the examples in rProxy Installation and the category notes below.
## Core / ESB Connectivity

| Directive | Type | Description |
|---|---|---|
| OPENIAM_ESBPath | URL | ESB endpoint. Use http://esb:9080 for Docker or http://localhost:9080 for standalone. Must be set outside `<VirtualHost>`. |
| OPENIAM_ConfigureBackend | URL | Backend UI endpoint for the setup wizard. Use http://ui:8080 for Docker or http://localhost:8080 for standalone. |
| OPENIAM_ConfigureHost | Path | Redirect target when the content provider is not yet configured (e.g. /webconsole/setup). |
| OPENIAM_ConfigureUrls | Path (repeatable) | Paths accessible without authentication during initial setup. Can be specified multiple times. |
## Authentication & Session

| Directive | Type | Description |
|---|---|---|
| OPENIAM_AuthProvider | String | Name of the authentication provider to use. |
| OPENIAM_AuthAuthoritative | Flag (on/off) | Whether OpenIAM auth is the authoritative authentication mechanism. |
| OPENIAM_AuthCookieName | String | Override the default OPENIAM_AUTH_TOKEN session cookie name. |
| OPENIAM_SetCookiesSecure | Flag (on/off) | Force the Secure attribute on all cookies set by the module. |
| OPENIAM_ReadCookiesFrom | String | Read cookies from a header other than Cookie. |
| OPENIAM_LogoutRedirect | URL (repeatable) | One or more URLs to redirect through before reaching /idp/logout. |
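A quick way to verify that OPENIAM_SetCookiesSecure is doing its job is to parse the Set-Cookie headers rProxy returns and check their attributes. The script below is an added example, not code from the OpenIAM module or this documentation: it checks Secure on every cookie (what the directive forces) and, for the session cookie, adds the HttpOnly/SameSite checks this example recommends. The cookie names OPENIAM_AUTH_TOKEN and OPENIAM_REDIRECT_BACK come from the directive tables; the Set-Cookie lines in SAMPLE_SET_COOKIE are constructed.

```python
"""Audit Set-Cookie headers for the attributes a session cookie needs.

Added example, not OpenIAM code. It checks what OPENIAM_SetCookiesSecure on
is meant to guarantee (Secure on every cookie the module sets) and, for the
session cookie, the HttpOnly/SameSite hygiene this example additionally
recommends. The cookie names come from the directive tables; the Set-Cookie
lines in SAMPLE_SET_COOKIE are constructed.
"""

# Constructed response headers, as captured from a reverse proxy reply.
SAMPLE_SET_COOKIE = [
    "OPENIAM_AUTH_TOKEN=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "OPENIAM_REDIRECT_BACK=%2Fselfservice%2F; Path=/; Secure",
    "lang=en; Path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: value|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, session_cookie="OPENIAM_AUTH_TOKEN",
                  require_secure=True):
    """Return {cookie_name: [problem, ...]}; a clean cookie maps to [].

    session_cookie should match OPENIAM_AuthCookieName when it is overridden.
    """
    report = {}
    for line in set_cookie_headers:
        name, _, attrs = parse_set_cookie(line)
        problems = []
        if require_secure and "secure" not in attrs:
            problems.append("missing Secure")
        if name == session_cookie and "httponly" not in attrs:
            problems.append("session cookie missing HttpOnly")
        samesite = attrs.get("samesite")
        # Browsers reject SameSite=None cookies that are not also Secure.
        if isinstance(samesite, str) and samesite.lower() == "none" and "secure" not in attrs:
            problems.append("SameSite=None requires Secure")
        report[name] = problems
    return report


if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_SET_COOKIE).items():
        print(cookie, "OK" if not problems else "; ".join(problems))
```

Feed it the Set-Cookie headers from a real response (one list entry per header) and pass session_cookie=<your OPENIAM_AuthCookieName value> if the default name has been overridden; the lang cookie in the sample shows up as "missing Secure", which is exactly the case OPENIAM_SetCookiesSecure on is meant to close.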
## URL Routing & Redirects

| Directive | Type | Description |
|---|---|---|
| OPENIAM_DefaultUrl | URL | Default redirect URL after login (e.g. /selfservice/). Used inside `<Location />`. |
| OPENIAM_DefaultPostbackUrl | URL | Default postback URL to return to after authentication. |
| OPENIAM_DefaultTimeout | Integer | Default request timeout in seconds. |
| OPENIAM_DefaultUrlForLang | URL | Redirect from / to this URL when a language cookie is present. |
| OPENIAM_NoAuth | Path (repeatable) | Paths that bypass authentication. Can be specified multiple times. |
| OPENIAM_NoAuthOnPath | Path | Skip authentication for this specific path. |
| OPENIAM_Redirect | URL | Unconditionally redirect to this URL. |
| OPENIAM_RedirectWithAuth | URL | Redirect to this URL when the user is authenticated. |
| OPENIAM_RedirectWithoutAuth | URL | Redirect to this URL when the user is not authenticated. |
| OPENIAM_RedirectBackUrl | URL | URL to return the user to after completing authentication. |
| OPENIAM_RedirectBackForLang | String | Set the OPENIAM_REDIRECT_BACK cookie for a specific language for / and /idp/login. |
| OPENIAM_FixRedirectForLang | Flag (on/off) | Enable or disable language-cookie-based redirects for / and /idp/login. |
| OPENIAM_FixLocationList | String (repeatable) | List of Location response headers to rewrite. |
| OPENIAM_ProxyPassReverse | URL | Adjust Location headers in proxied responses (equivalent to Apache's ProxyPassReverse). |
| OPENIAM_OutHeadersRedirectName | String | Name of a response header to inspect for conditional redirects. |
| OPENIAM_OutHeadersRedirectValues | String | Two-argument value: if the header named by OPENIAM_OutHeadersRedirectName contains this value, redirect to the given URL. |
## Security Headers (CSP, CORS, HSTS)

| Directive | Type | Description |
|---|---|---|
| OPENIAM_CSPEnabled | Flag (on/off) | Enable automatic Content-Security-Policy header generation. |
| OPENIAM_CSPOverride | String | Fully replace the default CSP header value with this string. |
| OPENIAM_CSPOverrideWithCors | String | Replace the CSP header value and also add CORS headers. Useful when OPENIAM_CORSAllowAll on is insufficient. |
| OPENIAM_CSPReportEnalbed | Flag (on/off) | Enable CSP violation reporting. (Note: directive name contains a typo — Enalbed — use exactly as written.) |
| OPENIAM_CSPReportOnly | Flag (on/off) | Set CSP header in Report-Only mode (logs violations without blocking). |
| OPENIAM_CORSAllowAll | Flag (on/off) | Add Access-Control-Allow-Origin: * and related CORS headers to responses. |
| OPENIAM_AddHSTSHeaders | Flag (on/off) | Add Strict-Transport-Security (HSTS) headers. |
| OPENIAM_DefaultRespHeader | String (repeatable) | Set a default response header if it has not already been set by the upstream. Format: OPENIAM_DefaultRespHeader Header-Name value. Example: OPENIAM_DefaultRespHeader Referrer-Policy strict-origin. |
| OPENIAM_RandomIV | Flag (on/off) | Use a random initialization vector for encryption. Default: off. |
### CSP Example

```apache
# Simple — use built-in CSP generation
OPENIAM_CSPEnabled on

# Override with a custom policy
OPENIAM_CSPOverride "default-src 'self' blob: data: 'unsafe-inline' 'unsafe-eval'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; \
style-src 'self' 'unsafe-inline' 'unsafe-eval' *; \
img-src 'self' data:; \
font-src 'self' *;"

# Override CSP and add CORS headers at the same time
OPENIAM_CSPOverrideWithCors "default-src 'self' blob: data: 'unsafe-inline' 'unsafe-eval'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; \
style-src 'self' 'unsafe-inline' 'unsafe-eval' *; \
form-action 'self' 'unsafe-inline' 'unsafe-eval' *; \
img-src 'self' data:; \
font-src 'self' *;"
```
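A policy passed through OPENIAM_CSPOverride replaces the module's generated header wholesale, so it is worth linting the string before deploying it. The script below is an added example, not code from the OpenIAM module or this documentation: it parses a serialized CSP value the way a browser does (first occurrence of a directive wins, default-src fallback except for the directives that never fall back), reports weak source expressions, and lists directives a hardened policy should state explicitly. PAGE_CSP_OVERRIDE is the OPENIAM_CSPOverride value from the example above re-joined onto one line; STRICT_CSP and the weakness rules are this script's own.

```python
"""Parse and lint a Content-Security-Policy value.

Added example, not code from the OpenIAM module or its documentation. The
policy PAGE_CSP_OVERRIDE is the OPENIAM_CSPOverride value from the CSP
example above, re-joined onto one line; STRICT_CSP and the weakness rules
are this script's own.
"""

# Source expressions that weaken the directive they appear in.
WEAK_SOURCES = {
    "'unsafe-inline'": "permits inline script/style, the classic XSS foothold",
    "'unsafe-eval'": "permits eval()/Function() on attacker-influenced strings",
    "*": "wildcard host source permits any origin",
    "data:": "data: URIs let injected markup carry its own payload",
    "blob:": "blob: URIs can be minted by page scripts",
}

# Directives that do NOT fall back to default-src when absent.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}

# Directives a hardened policy should state explicitly.
REQUIRED = ("object-src", "frame-ancestors", "base-uri", "form-action")

# The OPENIAM_CSPOverride value from the documentation, joined onto one line.
PAGE_CSP_OVERRIDE = (
    "default-src 'self' blob: data: 'unsafe-inline' 'unsafe-eval'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com; "
    "style-src 'self' 'unsafe-inline' 'unsafe-eval' *; "
    "img-src 'self' data:; "
    "font-src 'self' *;"
)

# Constructed tighter policy for comparison (keeps the page's apis.google.com host).
STRICT_CSP = (
    "default-src 'self'; script-src 'self' apis.google.com; object-src 'none'; "
    "frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
)


def parse_csp(policy):
    """Return {directive: [source, ...]}.

    Directives are ';'-separated and tokens whitespace-separated; names are
    case-insensitive and, as in browsers, the first occurrence of a
    directive wins and later duplicates are ignored.
    """
    parsed = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


def effective_sources(parsed, directive):
    """Sources that apply to `directive`, honouring default-src fallback."""
    if directive in parsed:
        return parsed[directive]
    if directive in NO_FALLBACK:
        return []
    return parsed.get("default-src", [])


def lint_csp(policy):
    """Return [(directive, source, reason)] for every weak source present."""
    findings = []
    for directive, sources in parse_csp(policy).items():
        for src in sources:
            reason = WEAK_SOURCES.get(src.lower())
            if reason:
                findings.append((directive, src, reason))
    return findings


def missing_directives(policy, required=REQUIRED):
    """Required directives that are neither stated nor covered by default-src."""
    parsed = parse_csp(policy)
    return [d for d in required
            if d not in parsed and (d in NO_FALLBACK or "default-src" not in parsed)]


if __name__ == "__main__":
    for name, policy in (("page", PAGE_CSP_OVERRIDE), ("strict", STRICT_CSP)):
        print(name, "weak sources:", len(lint_csp(policy)),
              "missing:", missing_directives(policy))
```

Run against the page's policy it reports eleven weak sources and three directives left unstated (frame-ancestors, base-uri, form-action), none of which inherit from default-src; the constructed STRICT_CSP reports none of either. Paste the one-line policy back into the quoted, backslash-continued form when moving it into httpd.conf.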
## Client Certificate Authentication

| Directive | Type | Description |
|---|---|---|
| OPENIAM_CertPromptUrl | URL | URL that triggers the certificate selection prompt (e.g. /idp/auth-cert). |
| OPENIAM_ClientCertHeaderName | String | Name of the HTTP header that contains the client certificate (used with OPENIAM_ReadClientCertFromHeader). Default: x-openiam-client-cert. |
| OPENIAM_ReadClientCertFromHeader | Flag (on/off) | Read the client certificate from the header specified by OPENIAM_ClientCertHeaderName rather than from the TLS handshake. |
| OPENIAM_NoAuthHeaderForCertAuth | String | Skip setting the auth header when cert-based auth is used. |
| OPENIAM_NoAuthHeaderForCertFromHeader | String | Skip setting the auth header when the cert is read from a header. |
| OPENIAM_NoCookieForCertAuth | Flag (on/off) | Do not set the session cookie when cert-based auth is used. |
| OPENIAM_NoCookieForCertFromHeader | Flag (on/off) | Do not set the session cookie when the cert is read from a header. |
| OPENIAM_DebugCertAuth | Flag (on/off) | Enable verbose debug logging for certificate authentication. |
## Kerberos Authentication

| Directive | Type | Description |
|---|---|---|
| OPENIAM_Kerberos | Flag (on/off) | Enable Kerberos (SPNEGO) authentication handling. |
| OPENIAM_KrbPrincipalOnly | Flag (on/off) | Strip the realm from the Kerberos principal and use only the username portion. |
| OPENIAM_KrbPrincipalPrefix | String | Prefix to prepend to the Kerberos principal before passing it to OpenIAM. |
| OPENIAM_KrbPrincipalSuffix | String | Suffix to append to the Kerberos principal before passing it to OpenIAM. |

See also: Kerberos configuration guide.
## Client IP & Forwarded Headers

| Directive | Type | Description |
|---|---|---|
| OPENIAM_Client_Ip_Header | String | Name of the header from which to read the originating client IP address. |
| OPENIAM_Forwarded_For_Header | String | Header name to use for forwarding the client IP (X-Forwarded-For). |
| OPENIAM_Forwarded_By_Header | String | Header name to use for the proxy identity (X-Forwarded-By). |
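Any value read from a request header, whether the client address named by OPENIAM_Client_Ip_Header or the certificate read under OPENIAM_ReadClientCertFromHeader, is only as trustworthy as the hop that set it, so the header must be honoured only when the TCP peer is one of the deployment's own front-end proxies. The script below is an added example, not OpenIAM code: it resolves the originating client from a forwarded-for chain under that rule and builds the headers a proxy would add for the backend (the counterpart of OPENIAM_Forwarded_For_Header and OPENIAM_Forwarded_By_Header). TRUSTED_PROXIES and every address in it are constructed for this example.

```python
"""Resolve the originating client IP from forwarding headers.

Added example, not OpenIAM code. It models the decision an rProxy deployment
makes when OPENIAM_Client_Ip_Header names a header to read the client
address from: the header is honoured only when the TCP peer is one of the
deployment's own load balancers. TRUSTED_PROXIES and all addresses below are
constructed for this example.
"""
import ipaddress

# Constructed: the only peers allowed to assert a client address.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]


def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def _header(headers, name):
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def client_ip(peer_addr, headers, header_name="X-Forwarded-For"):
    """Return the originating client address as a string.

    Walks the comma-separated chain from the right, skipping trusted proxies,
    and returns the first address that is not one of ours. If the peer is
    not a trusted proxy the header is ignored outright, since any client can
    send one; a malformed entry aborts the walk for the same reason.
    """
    if not _trusted(ipaddress.ip_address(peer_addr)):
        return peer_addr
    hops = [h.strip() for h in _header(headers, header_name).split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break
        if not _trusted(ip):
            return str(ip)
    return peer_addr


def forward_headers(peer_addr, headers, proxy_addr,
                    for_name="X-Forwarded-For", by_name="X-Forwarded-By"):
    """Headers this proxy adds for the backend: append the peer to the
    forwarded-for chain and name ourselves as the forwarding proxy."""
    chain = _header(headers, for_name)
    return {
        for_name: f"{chain}, {peer_addr}" if chain else peer_addr,
        by_name: proxy_addr,
    }


if __name__ == "__main__":
    req = {"X-Forwarded-For": "198.51.100.9, 203.0.113.7, 10.0.0.6"}
    print(client_ip("10.0.0.5", req))  # 203.0.113.7; the spoofable first hop is ignored
    print(forward_headers("10.0.0.5", req, "192.168.1.10"))
```

The walk from the right is what makes the leftmost, client-supplied entry irrelevant: only addresses appended by proxies you control are ever skipped, and the first address beyond them is the real client. Pass header_name=<your OPENIAM_Client_Ip_Header value> when the deployment reads a differently named header.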
## SOAP & Header-Based Authentication

| Directive | Type | Description |
|---|---|---|
| OPENIAM_SoapHeader | String | Set a SOAP header on backend requests. |
| OPENIAM_SoapAuthHeaders | Flag (on/off) | Include authentication headers in SOAP requests to the backend. |
| OPENIAM_AuthHeaderUsername | String | Header name for the username in header-based authentication flows. |
| OPENIAM_AutnHeaderPassword | String | Header name for the password in header-based authentication flows. (Note: directive name contains a typo — Autn — use exactly as written.) |
| OPENIAM_UserParam | String | URL query parameter name for the username. |
| OPENIAM_PasswordParam | String | URL query parameter name for the password. |
## cURL Backend Transport

By default the module uses Apache's internal HTTP client. To use libcurl instead:

| Directive | Type | Description |
|---|---|---|
| OPENIAM_UseCurl | Flag (on/off) | Use libcurl for all backend HTTP requests. Default: off. |
| OPENIAM_CurlPoolEnable | Flag (on/off) | Enable a persistent cURL connection pool. |
| OPENIAM_CurlPoolSize | Integer | Number of connections in the cURL pool. Default: 32. |
| OPENIAM_CurlConnectTimeout | Integer | TCP connection timeout in seconds. Default: 2. |
| OPENIAM_CurlTimeout | Integer | Total request timeout in seconds. Default: 10. |
## Worker Pool

The worker pool manages a set of persistent backend connections. These directives are set globally (outside `<VirtualHost>`):

| Directive | Type | Description |
|---|---|---|
| OPENIAM_WorkerPooEnabled | Flag (On/Off) | Enable the worker pool. (Note: directive name contains a typo — Poo — use exactly as written.) |
| OPENIAM_WorkerPoolMin | Integer | Minimum number of workers to keep alive. |
| OPENIAM_WorkerPoolMax | Integer | Maximum number of workers. |
| OPENIAM_WorkerPoolSoftMax | Integer | Soft maximum — workers above this value are eligible for idle reaping. |
| OPENIAM_WorkerPoolTTL | Integer | Time-to-live for an idle worker connection, in seconds. |
| OPENIAM_WorkerPoolTimeout | Integer | Timeout for a worker request, in seconds. |
| OPENIAM_WorkerPoolKeepAlive | Flag (On/Off) | Keep backend connections alive between requests. |
| OPENIAM_WorkerPoolRetry | Integer | Number of times to retry a failed backend request. |
### Recommended worker pool settings (Docker deployment)

```apache
OPENIAM_WorkerPooEnabled On
OPENIAM_WorkerPoolMin 25
OPENIAM_WorkerPoolMax 100
OPENIAM_WorkerPoolSoftMax 100
OPENIAM_WorkerPoolTTL 600
OPENIAM_WorkerPoolTimeout 300
OPENIAM_WorkerPoolKeepAlive On
OPENIAM_WorkerPoolRetry 0
OPENIAM_CurlPoolEnable On
OPENIAM_CurlPoolSize 32
OPENIAM_CurlConnectTimeout 2
OPENIAM_CurlTimeout 10
```
## Debug & Logging

All debug directives default to off. Enable only as needed for troubleshooting — they produce significant log volume.

| Directive | Type | Description |
|---|---|---|
| OPENIAM_Verbose | Flag (on/off) | Enable verbose module logging. |
| OPENIAM_DebugESB | Flag (on/off) | Log all ESB request/response details. |
| OPENIAM_DebugCookies | Flag (on/off) | Log cookie inspection and manipulation. |
| OPENIAM_DebugRespHeaders | Flag (on/off) | Log outgoing response headers. |
| OPENIAM_DebugPatterns | Flag (on/off) | Log URL pattern matching decisions. |
| OPENIAM_PrintTimings | Flag (on/off) | Log request timing information (useful for latency diagnosis). |
| OPENIAM_AllowDumpHeaders | Flag (on/off) | Enable header dumping (required for the Dump* directives below to show headers). |
| OPENIAM_DumpRequests | Flag (on/off) | Dump incoming request metadata to the error log. |
| OPENIAM_DumpRequestsBody | Flag (on/off) | Dump incoming request bodies. |
| OPENIAM_DumpRequestBody_filter | String | Only dump request bodies matching this pattern. |
| OPENIAM_DumpNoAuth | Flag (on/off) | Also dump requests that do not require authentication. |
| OPENIAM_DumpResponses | Flag (on/off) | Dump outgoing response metadata. |
| OPENIAM_DumpResponsesBody | Flag (on/off) | Dump outgoing response bodies. |
### Full debug configuration example

```apache
LogLevel debug
OPENIAM_Verbose on
OPENIAM_DebugESB on
OPENIAM_DebugCookies on
OPENIAM_DebugCertAuth on
OPENIAM_PrintTimings on
OPENIAM_AllowDumpHeaders on
OPENIAM_DumpRequests on
OPENIAM_DumpRequestsBody on
OPENIAM_DumpResponses on
OPENIAM_DumpResponsesBody on
OPENIAM_DebugRespHeaders on
```