benchmark/benchmark-server/src/main/resources/rest.yaml
#
# REST automation is the recommended way to create REST endpoints properly
# Note that URL comparison is case-insensitive but case sensitivity is preserved
# for the original URL and path parameters
#
rest:
# service should be a target service name or a list of service names
# If more than one service name is provided, the first one is the primary target
# and the rest are secondary target(s). The system will copy the HTTP request event to the secondary targets.
#
# This feature is used for seamless legacy system migration where we can send
# the same request to the old and the new services at the same time for A/B comparison.
- service: ["hello.world"]
methods: ['GET', 'PUT', 'POST', 'HEAD', 'PATCH', 'DELETE']
url: "/api/hello/world"
timeout: 10s
#
# Optional authentication service which should return a true or false result
# The authentication service can also add session info in headers using EventEnvelope as a response
# and annotate trace with key-values that you want to persist into distributed trace logging.
#
# You can also route the authentication request to different functions based on HTTP request header
# i.e. you can provide a single authentication function or a list of functions selected by header routing.
#
# If you want to route based on header/value, use the "key: value : service" format.
# For routing using header only, use "key: service" format
# For default authentication service, use "default: service" format
#
# authentication: "v1.api.auth"
# authentication:
# - "x-app-name: demo : v1.app.auth"
# - "authorization: v1.app.auth"
# - "default: v1.api.auth"
cors: cors_1
headers: header_1
# for HTTP request body that is not JSON/XML, it will be turned into a stream if it is undefined
# or larger than threshold. Otherwise, it will be delivered as a byte array in the message body.
# Default is 50000 bytes, min is 5000, max is 500000
threshold: 30000
# optionally, you can turn on Distributed Tracing
tracing: true
- service: "hello.world"
methods: ['POST']
url: "/api/upload/demo"
# to support multi-part file upload, set upload to true
upload: true
timeout: 15s
cors: cors_1
headers: header_1
# demonstrate path parameter and wild card
- service: "hello.world"
methods: ['GET', 'PUT', 'POST']
url: "/api/nice/{task}/*"
timeout: 12
cors: cors_1
headers: header_1
#
# When service is a URL, it will relay HTTP or HTTPS requests.
# "trust_all_cert" and "url_rewrite" are optional.
#
# For target host with self-signed certificate, you may set "trust_all_cert" to true.
# trust_all_cert: true
#
# "url_rewrite", when present as a list of 2 strings, is used to rewrite the url.
# e.g. url_rewrite: ['/api/v1', '/v1/api']
# In this example, "/api/v1" will be replaced with "/v1/api"
#
- service: "http://127.0.0.1:8100"
trust_all_cert: true
methods: ['GET', 'PUT', 'POST']
url: "/api/v1/*"
url_rewrite: ['/api/v1', '/api']
timeout: 20
cors: cors_1
headers: header_1
tracing: true
- service: "hello.download"
methods: ['GET']
url: "/api/hello/download"
timeout: 20
cors: cors_1
headers: header_1
#
# CORS HEADERS for pre-flight (HTTP OPTIONS) and normal responses
#
# Access-Control-Allow-Origin must be "*" or domain name starting with "http://" or "https://"
# The use of wildcard "*" should only be allowed for non-prod environments.
#
# For production, please add the "api.origin" key in the application.properties.
# In this example, the api.origin value will be used to override the value
# in "Access-Control-Allow-Origin".
#
cors:
- id: cors_1
# origin is optional. If present, it will replace Access-Control-Allow-Origin value in options and headers
origin: ${api.origin}
options:
- "Access-Control-Allow-Origin: *"
- "Access-Control-Allow-Methods: GET, DELETE, PUT, POST, PATCH, OPTIONS"
- "Access-Control-Allow-Headers: Origin, Authorization, X-Session-Id, X-Correlation-Id, Accept, Content-Type, X-Requested-With"
- "Access-Control-Max-Age: 86400"
headers:
- "Access-Control-Allow-Origin: *"
- "Access-Control-Allow-Methods: GET, DELETE, PUT, POST, PATCH, OPTIONS"
- "Access-Control-Allow-Headers: Origin, Authorization, X-Session-Id, X-Correlation-Id, Accept, Content-Type, X-Requested-With"
- "Access-Control-Allow-Credentials: true"
#
# add/drop/keep HTTP request and response headers
#
headers:
- id: header_1
request:
#
# headers to be inserted
# add: ["hello-world: nice"]
#
# keep and drop are mutually exclusive where keep has precedent over drop
# i.e. when keep is not empty, it will drop all headers except those to be kept
# when keep is empty and drop is not, it will drop only the headers in the drop list
# e.g.
# keep: ['x-session-id', 'user-agent']
# drop: ['Upgrade-Insecure-Requests', 'cache-control', 'accept-encoding', 'host', 'connection']
#
drop: ['Upgrade-Insecure-Requests', 'cache-control', 'accept-encoding', 'host', 'connection']
response:
#
# the system can filter the response headers set by a target service
# but it cannot remove any response headers set by the underlying servlet container.
# However, you may override non-essential headers using the "add" directive. e.g. the "server" header.
# i.e. don't touch essential headers such as content-length.
#
# keep: ['only_this_header_and_drop_all']
# drop: ['drop_only_these_headers', 'another_drop_header']
#
# add: ["server: mercury"]
#
# You may want to add cache-control to disable browser and CDN caching.
# add: ["Cache-Control: no-cache, no-store", "Pragma: no-cache", "Expires: Thu, 01 Jan 1970 00:00:00 GMT"]
#
add:
- "Strict-Transport-Security: max-age=31536000"
- "Cache-Control: no-cache, no-store"
- "Pragma: no-cache"
- "Expires: Thu, 01 Jan 1970 00:00:00 GMT"