Proxy Configuration options:
This is the list of options for proxy configuration. These options are shown only when Access Mode != JDBC:
These options are stored in the configuration file of the given virtual database, for example postgresTest-vdb_1.conf. The filename is derived from the name of the vdb: nameOfVdb.conf.
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Local Proxy | - | mgmtProxyEnable | Allow the management server to start an instance of this proxy, and manage restarts as necessary | Boolean | false |
| Run as Service | Local Proxy | runAsService | Allow the proxy to run in the background as a systemd service even when Heimdall is off (please restart on change) | Boolean | false |
| Address Binding Type | - | proxyAddress | Options: Any: binds to all local IP addresses (specifically, it binds to "0.0.0.0"). Localhost Only: binds to the 127.0.0.1 IP only. Specific IP: binds to one specific IP address. | String (see desc.) | 0.0.0.0 (Any) |
| Proxy Port(s) | - | proxyPort | Port of the proxy; the value must not be used by any other service on the server. | String | 5050 |
| Proxy Address | Address Binding Type = Specific IP | proxyAddress | The specific address to bind to; requires the Specific IP option in Address Binding Type. | String (IP) | - |
| Max Heap Size (MB) | Local Proxy | xmx | This option sets the maximum Java heap size when the management server is managing the proxy. | Integer | 600 |
| Proxy GSS Support | Authentication Mode = Kerberos/GSSAPI AND PostgreSQL | gssEncEnabled | When enabled, and the client requests it, this option will enable GSS negotiation (PostgreSQL, Kerberos/GSSAPI only). This can induce higher overhead when enabled. | Boolean | false |
| Proxy GSS Required | Authentication Mode = Kerberos/GSSAPI AND Proxy GSS Support AND PostgreSQL AND !Proxy Tls Required | gssEncRequired | When enabled, this option will force all connections to connect only with GSS. Any attempt to connect without GSS will be rejected. This option can't work together with TLS required option. (PostgreSQL - Kerberos/GSSAPI only) | Boolean | false |
| Proxy TLS Support | - | tlsEnable | Enable TLS support on the proxy. This can induce higher overhead when enabled. | Boolean | false |
| Proxy TLS Required | Proxy TLS Support = true AND !Proxy GSS Required | tlsRequired | Require TLS negotiation on the proxy. | Boolean | false |
| Enable Legacy TLS | Proxy TLS Support = true | tlsLegacy | Enable TLS 1.0 and 1.1 support. | Boolean | false |
| Certificate | Proxy TLS Support = true | certificateAlias | Certificate assigned to Virtual Database for TLS connections | String (global_use_certificate, tomcat) | - |
| Case Sensitive Usernames | Access mode = SQL Server Proxy | userCaseSensitive | Use this option if you want SQL Server username to be case sensitive | Boolean | false |
| Authentication mode | - | authMode | Method to perform authentication. Possible values are: Passthrough, Proxy Configured Users, SQL Driven, Active Directory/LDAP, Kerberos/GSSAPI | String (options in desc.) | - |
| user | Authentication mode = Proxy Configured Users | users.user | User required for proxy connections. | String | - |
| password | Authentication mode = Proxy Configured Users | users.password | Password for proxy user. | String | - |
| Admin User | Authentication mode = SQL Driven OR Synchronize Db Authentication | syncUser | Privileged Database User | String | - |
| Admin Password | Authentication mode = SQL Driven OR Synchronize Db Authentication | syncPassword | Privileged Database Password | String | - |
| Sync Command | Synchronize Db Authentication | syncCommand | Synchronization command, use ${user}, ${password} and ${ldapgroups} as placeholders. | String | - |
| Auth Cache Expiration Time | Synchronize Db Authentication | authenticationCacheExpirationTime | Determines how long (in ms) data stays in the Authentication Cache. | Long | - |
| Authorization Query | Authentication mode = SQL Driven | authorizationQuery | Query to retrieve data for authorization. | String | select * from heimdall.pg_hba where enabled = true order by line_number asc |
| Dual Authentication Mode | Access mode = SQL Server Proxy AND Authentication mode = Kerberos/GSSAPI | dualAuthMode | Facilitates the use of Kerberos Authentication alongside passthrough authentication. However, there's a condition: users must adhere to a single authentication method and cannot switch between them interchangeably. | Boolean | false |
| Keytab Location | Authentication mode = Kerberos/GSSAPI | keytabLocation | Path to the keytab file that stores the secret keys for the service principal (proxy). | String | - |
| Service Principals | Authentication mode = Kerberos/GSSAPI | kerberosServicePrincipals | The unique identity of a service (proxy) in the Kerberos system, e.g. postgres/proxy.example.org | String | - |
| Synchronize Db Authentication | Authentication mode != None OR Passthrough | synchAuthentication | Synchronize Users & Groups. | Boolean | false |
| Tokenized Authentication | Synchronize Db Authentication AND Authentication mode != Kerberos/GSSAPI | tokenizedAuthentication | If enabled, use a token instead of the database password. This ensures that the proxy will not be bypassed and the database password will not be exposed. | Boolean | false |
| Allow Portal User To Log In | - | allowPortalUsersToLogIn | If selected, during login to the proxy, it will first check if the user is a portal user before proceeding with the authentication process. | Boolean | true |
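
The dependencies in the Requirements column can be checked mechanically before a configuration is deployed. The following is an added example, not Heimdall's own code; it assumes the .conf file has already been parsed into a flat dict keyed by the Conf File field names, and that authMode holds the display string shown in the table.

```python
# Added example, not vendor code. Assumption: cfg is a flat dict keyed by the
# "Conf File field" names, and authMode holds the display string from the table.
KERBEROS = "Kerberos/GSSAPI"

def audit_proxy_config(cfg):
    """Return (severity, field, message) findings for one proxy configuration."""
    on = lambda key: bool(cfg.get(key, False))      # checked Booleans default to false
    auth = cfg.get("authMode")
    bind = cfg.get("proxyAddress", "0.0.0.0")       # table default: Any
    checks = [
        # Violations of the "Requirements" column
        (on("tlsRequired") and on("gssEncRequired"), "error", "tlsRequired",
         "mutually exclusive with gssEncRequired"),
        (on("tlsRequired") and not on("tlsEnable"), "error", "tlsRequired",
         "requires tlsEnable"),
        (on("tlsLegacy") and not on("tlsEnable"), "error", "tlsLegacy",
         "requires tlsEnable"),
        (on("gssEncRequired") and not on("gssEncEnabled"), "error", "gssEncRequired",
         "requires gssEncEnabled"),
        (on("gssEncEnabled") and auth != KERBEROS, "error", "gssEncEnabled",
         "requires authMode Kerberos/GSSAPI"),
        (on("tokenizedAuthentication") and not on("synchAuthentication"), "error",
         "tokenizedAuthentication", "requires synchAuthentication"),
        (on("tokenizedAuthentication") and auth == KERBEROS, "error",
         "tokenizedAuthentication", "not available with Kerberos/GSSAPI"),
        # Settings worth a second look before exposing the proxy
        (on("tlsLegacy"), "warn", "tlsLegacy", "TLS 1.0 and 1.1 are accepted"),
        (not on("tlsRequired") and not on("gssEncRequired"), "warn", "tlsRequired",
         "neither TLS nor GSS is required of clients"),
        (bind == "0.0.0.0", "warn", "proxyAddress", "bound to all local addresses"),
    ]
    return [(sev, field, msg) for hit, sev, field, msg in checks if hit]

# Constructed sample values, not taken from a real deployment.
WEAK = {"authMode": "Passthrough", "tlsEnable": True, "tlsLegacy": True,
        "tokenizedAuthentication": True}
HARDENED = {"authMode": "Proxy Configured Users", "proxyAddress": "127.0.0.1",
            "tlsEnable": True, "tlsRequired": True, "synchAuthentication": True,
            "tokenizedAuthentication": True}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_proxy_config(cfg) or "no findings")
```
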
Authentication Test
This subsection lets you test authentication. It is shown only when Authentication mode is one of: Proxy Configured Users, SQL Driven, Active Directory/LDAP.
| Key | Description | Possible values |
|---|---|---|
| Test User | User name to use for the authentication test. | String |
| Test Password | Password for the test user. | String |
| Test IP Address | Taken from the Data Source by default. If the JDBC URL there contains ${host}, this field has to be provided. | String (IP) |
| Test Database | Taken from the Data Source by default. If the JDBC URL there contains ${database}, this field has to be provided. | String |
| UseSSL | Whether SSL should be used for the authentication test. | Boolean |