====== 4.2 Proxy Configuration ======
This section describes how to set up the TLS proxy with post-quantum (PQ) cryptography support.
===== Configuration File =====
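Location: ''%SERVICES_ROOT%\Proxy\config.json''
This file holds the password for the server certificate (''CertificatePassword''), so read access should be limited to the account that runs the proxy.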
{
"Proxy": {
"ListenPort": 443,
"TLS": {
"Enabled": true,
"Protocol": "TLS1.3",
"Certificate": "%CERTS_PATH%\\server.pfx",
"CertificatePassword": "...",
"ClientCertificateRequired": true,
"ClientCertificateValidation": "ChainTrust"
},
"PQCrypto": {
"KeyExchange": "ML-KEM-768",
"Signature": "ML-DSA-65",
"HybridMode": true
}
}
}
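===== Routing Rules =====
Requests under ''/api/'' (with the ''X-Gateway-Request: true'' header) and under ''/odata/'' go to the ''DataGatewayApi'' named pipe; the default rule forwards everything else to ''http://localhost:8443'' as plain HTTP. The ''X-Gateway-Request'' header is taken from the incoming request, so it only selects a route and should not be relied on as an access check.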
{
"Routing": {
"Rules": [
{
"Match": {
"PathPrefix": "/api/",
"Headers": { "X-Gateway-Request": "true" }
},
"Target": {
"Type": "NamedPipe",
"PipeName": "DataGatewayApi"
}
},
{
"Match": {
"PathPrefix": "/odata/"
},
"Target": {
"Type": "NamedPipe",
"PipeName": "DataGatewayApi"
}
},
{
"Match": {
"Default": true
},
"Target": {
"Type": "Http",
"Url": "http://localhost:8443"
}
}
]
}
}
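===== Certificate Validation =====
Certificates are checked against the listed trusted root, with online revocation checking (CRL and OCSP) and an additional validation server. The example does not show what happens when a revocation endpoint cannot be reached; confirm that the proxy rejects the connection in that case.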
{
"CertificateValidation": {
"TrustedRoots": [
"%CERTS_PATH%\\CA\\root-ca.crt"
],
"RevocationCheck": {
"Mode": "Online",
"CrlEndpoint": "http://crl.intern/ca.crl",
"OcspEndpoint": "http://ocsp.intern/"
},
"ValidationServer": {
"Enabled": true,
"Url": "https://trust.intern/api/validate"
}
}
}