Skip to content

T1K Documentation

Chaitin Tech has launched the T1K module, which can provide WAF/API security reinforcement for all proxy services based on Nginx (including Nginx Plus).

Compared to our Lua-Resty-T1K developed in Lua, the T1K module crafted in C not only delivers superior performance but also features unique response detection capabilities.

Request Detection

All configurations related to request detection are prefixed with t1k_.

t1k_intercept

Syntax:  t1k_intercept uri | off;
Default: t1k_intercept off;
Context: http, server, location

Sends the request to uri for detection, where uri is a location within the same server.

t1k_error_page

Syntax:  t1k_error_page status_code uri;
Default: t1k_error_page 403 default;
Context: http, server, location

Sets the status code and content when a request is intercepted.

status_code must satisfy 200 <= status_code <= 599.

uri is a (named) location within the same server.

t1k_pass

Syntax:  t1k_pass uri;
Default: -
Context: location

Sends the request to the given detection service. uri is a (named) location within the same server.

t1k_bind

Syntax:  t1k_bind address [transparent] | off;
Default: -
Context: http, server, location

Allows specifying a local address when sending a request to a detection service.

Refer to [proxy_bind](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_bind).

t1k_body_size

Syntax:  t1k_body_size size;
Default: t1k_body_size 0;
Context: http, server, location

Limits the size of the request body sent, where 0 means no limit.

t1k_buffer_size

Syntax:  t1k_buffer_size size;
Default: -;
Context: http, server, location

Modifies the buffer size for reading detection results from the detection service, defaulting to the system page size.

t1k_connect_timeout

Syntax:  t1k_connect_timeout time;
Default: t1k_connect_timeout 10s;
Context: http, server, location

The timeout for connecting to the detection service for request detection.

t1k_send_timeout

Syntax:  t1k_send_timeout time;
Default: t1k_send_timeout 10s;
Context: http, server, location

The timeout for sending data to the detection service per request detection.

t1k_read_timeout

Syntax:  t1k_read_timeout time;
Default: t1k_read_timeout 10s;
Context: http, server, location

The timeout for reading data from the detection service per request detection.

t1k_next_upstream

Syntax:  t1k_next_upstream error | timeout | invalid_response | off;
Default: t1k_next_upstream error timeout;
Context: http, server, location

Behavior on request detection failure.

Refer to [proxy_next_upstream](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream).

Response Detection

All configurations related to response detection are prefixed with tx_.

tx_intercept

Syntax:  tx_intercept uri | off;
Default: tx_intercept off;
Context: http, server, location

Sends the response to uri for detection, where uri is a location within the same server.

tx_error_page

Syntax:  tx_error_page status_code uri;
Default: tx_error_page 403 default;
Context: http, server, location

Sets the status code and content when a response is intercepted.

status_code must satisfy 200 <= status_code <= 599.

uri is a (named) location within the same server.

tx_pass

Syntax:  tx_pass uri;
Default: -
Context: location

Sends the response to the given detection service. uri is a (named) location within the same server.

tx_bind

Syntax:  tx_bind address [transparent] | off;
Default: -
Context: http, server, location

Allows specifying a local address when sending a response to a detection service.

Refer to [proxy_bind](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_bind).

tx_body_size

Syntax:  tx_body_size size;
Default: tx_body_size 4k;
Context: http, server, location

Limits the size of the response body sent, where 0 means no limit.

tx_buffer_size

Syntax:  tx_buffer_size size;
Default: -;
Context: http, server, location

Modifies the buffer size for reading detection results from the detection service, defaulting to the system page size.

tx_connect_timeout

Syntax:  tx_connect_timeout time;
Default: tx_connect_timeout 10s;
Context: http, server, location

The timeout for connecting to the detection service for response detection.

tx_send_timeout

Syntax:  tx_send_timeout time;
Default: tx_send_timeout 10s;
Context: http, server, location

The timeout for sending data to the detection service per response detection.

tx_read_timeout

Syntax:  tx_read_timeout time;
Default: tx_read_timeout 10s;
Context: http, server, location

The timeout for reading data from the detection service per response detection.

tx_next_upstream

Syntax:  tx_next_upstream error | timeout | invalid_response | off;
Default: tx_next_upstream error timeout;
Context: http, server, location

Behavior on response detection failure.

Refer to [proxy_next_upstream](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream).

Response Modification

t1k_extra_header

Syntax:  t1k_extra_header [on|off];
Default: t1k_extra_header off;
Context: http, server, location

Determines whether additional request headers are allowed to be inserted.

t1k_extra_body

Syntax:  t1k_extra_body [on|off];
Default: t1k_extra_body off;
Context: http, server, location

Determines whether additional request bodies are allowed to be inserted.

t1k_extra_body_types

Syntax:  t1k_extra_body_types { ... };
Default: t1k_extra_body_types text/html;
Context: http, server, location

Specifies the types of request bodies that are allowed for additional content insertion.

Miscellaneous

t1k_ulog

Syntax:  t1k_ulog [number|off];
Default: t1k_ulog off;
Context: http, server, location

Determines whether to send Access Log related data.

t1k_stat

Syntax:  t1k_stat [number|off];
Default: t1k_stat off;
Context: http, server, location

Determines whether to send detection module performance statistics data.

t1k_src_ip

Syntax:  t1k_src_ip value;
Default: -
Context: http, server, location

Sets the source IP address for requests sent to the detection service.

value can be a string or variable.

t1k_src_port

Syntax:  t1k_src_port value;
Default: -
Context: http, server, location

Sets the source port for requests sent to the detection service.

value can be a string or variable.

t1k_dst_ip

Syntax:  t1k_dst_ip value;
Default: -
Context: http, server, location

Sets the destination IP address for requests sent to the detection service.

value can be a string or variable.

t1k_dst_port

Syntax:  t1k_dst_port value;
Default: -
Context: http, server, location

Sets the destination port for requests sent to the detection service.

value can be a string or variable.

foreach_server

Syntax:  foreach_server { ... };
Default: -
Context: http

Inserts directives into each already appeared server.

Already appeared servers refer to those server configurations that have appeared before this directive and have been parsed.

Therefore, this directive is typically used at the end of all the server configuration blocks that require protection, ensuring that there are server configurations before this directive.

It is recommended to use foreach_server_include instead.

foreach_server_include

Syntax:  foreach_server_include file;
Default: -
Context: http

Inserts directives into each already appeared server.

Already appeared servers refer to those server configurations that have appeared before this directive and have been parsed.