forked from Kong/kong
-
Notifications
You must be signed in to change notification settings - Fork 0
/
kong.conf.default
1546 lines (1394 loc) · 91.6 KB
/
kong.conf.default
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# -----------------------
# Kong configuration file
# -----------------------
#
# The commented-out settings shown in this file represent the default values.
#
# This file is read when `kong start` or `kong prepare` are used. Kong
# generates the Nginx configuration with the settings specified in this file.
#
# All environment variables prefixed with `KONG_` and capitalized will override
# the settings specified in this file.
# Example:
# `log_level` setting -> `KONG_LOG_LEVEL` env variable
#
# Boolean values can be specified as `on`/`off` or `true`/`false`.
# Lists must be specified as comma-separated strings.
#
# All comments in this file can be removed safely, including the
# commented-out properties.
# You can verify the integrity of your settings with `kong check <conf>`.
#------------------------------------------------------------------------------
# GENERAL
#------------------------------------------------------------------------------
#prefix = /usr/local/kong/ # Working directory. Equivalent to Nginx's
# prefix path, containing temporary files
# and logs.
# Each Kong process must have a separate
# working directory.
#log_level = notice # Log level of the Nginx server. Logs are
# found at `<prefix>/logs/error.log`.
# See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list
# of accepted values.
#proxy_access_log = logs/access.log # Path for proxy port request access
# logs. Set this value to `off` to
# disable logging proxy requests.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
#proxy_error_log = logs/error.log # Path for proxy port request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#proxy_stream_access_log = logs/access.log basic # Path for tcp streams proxy port access
# logs. Set this value to `off` to
# disable logging proxy requests.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
# `basic` is defined as `'$remote_addr [$time_local] '
# '$protocol $status $bytes_sent $bytes_received '
# '$session_time'`
#proxy_stream_error_log = logs/error.log # Path for tcp streams proxy port request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#admin_access_log = logs/admin_access.log # Path for Admin API request access
# logs. If Hybrid Mode is enabled
# and the current node is set to be
# the Control Plane, then the
# connection requests from Data Planes
# are also written to this file with
# server name "kong_cluster_listener".
#
# Set this value to `off` to
# disable logging Admin API requests.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
#admin_error_log = logs/error.log # Path for Admin API request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#status_access_log = off # Path for Status API request access
# logs. The default value of `off`
# implies that logging for this API
# is disabled by default.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
#status_error_log = logs/status_error.log # Path for Status API request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#vaults = off # Comma-separated list of vaults this node
# should load. By default, no vaults are
# enabled.
#
# The specified name(s) will be substituted as
# such in the Lua namespace:
# `kong.vaults.{name}.*`.
#plugins = bundled # Comma-separated list of plugins this node
# should load. By default, only plugins
# bundled in official distributions are
# loaded via the `bundled` keyword.
#
# Loading a plugin does not enable it by
# default, but only instructs Kong to load its
# source code, and allows to configure the
# plugin via the various related Admin API
# endpoints.
#
# The specified name(s) will be substituted as
# such in the Lua namespace:
# `kong.plugins.{name}.*`.
#
# When the `off` keyword is specified as the
# only value, no plugins will be loaded.
#
# `bundled` and plugin names can be mixed
# together, as the following examples suggest:
#
# - `plugins = bundled,custom-auth,custom-log`
# will include the bundled plugins plus two
# custom ones
# - `plugins = custom-auth,custom-log` will
# *only* include the `custom-auth` and
# `custom-log` plugins.
# - `plugins = off` will not include any
# plugins
#
# **Note:** Kong will not start if some
# plugins were previously configured (i.e.
# have rows in the database) and are not
# specified in this list. Before disabling a
# plugin, ensure all instances of it are
# removed before restarting Kong.
#
# **Note:** Limiting the amount of available
# plugins can improve P99 latency when
# experiencing LRU churning in the database
# cache (i.e. when the configured
# `mem_cache_size`) is full.
#pluginserver_names = # Comma-separated list of names for pluginserver
# processes. The actual names are used for
# log messages and to relate the actual settings.
#pluginserver_XXX_socket = <prefix>/<XXX>.socket # Path to the unix socket
# used by the <XXX> pluginserver.
#pluginserver_XXX_start_cmd = /usr/local/bin/<XXX> # Full command (including
# any needed arguments) to
# start the <XXX> pluginserver
#pluginserver_XXX_query_cmd = /usr/local/bin/query_<XXX> # Full command to "query" the
# <XXX> pluginserver. Should
# produce a JSON with the
# dump info of all plugins it
# manages
#port_maps = # With this configuration parameter, you can
# let the Kong to know about the port from
# which the packets are forwarded to it. This
# is fairly common when running Kong in a
# containerized or virtualized environment.
# For example, `port_maps=80:8000, 443:8443`
# instructs Kong that the port 80 is mapped
# to 8000 (and the port 443 to 8443), where
# 8000 and 8443 are the ports that Kong is
# listening to.
#
# This parameter helps Kong set a proper
# forwarded upstream HTTP request header or to
# get the proper forwarded port with the Kong PDK
# (in case other means determining it has
# failed). It changes routing by a destination
# port to route by a port from which packets
# are forwarded to Kong, and similarly it
# changes the default plugin log serializer to
# use the port according to this mapping
# instead of reporting the port Kong is
# listening to.
#anonymous_reports = on # Send anonymous usage data such as error
# stack traces to help improve Kong.
#------------------------------------------------------------------------------
# HYBRID MODE
#------------------------------------------------------------------------------
#role = traditional # Use this setting to enable Hybrid Mode,
# This allows running some Kong nodes in a
# control plane role with a database and
# have them deliver configuration updates
# to other nodes running to DB-less running in
# a Data Plane role.
#
# Valid values to this setting are:
#
# - `traditional`: do not use Hybrid Mode.
# - `control_plane`: this node runs in a
# control plane role. It can use a database
# and will deliver configuration updates
# to data plane nodes.
# - `data_plane`: this is a data plane node.
# It runs DB-less and receives configuration
# updates from a control plane node.
#cluster_mtls = shared # Sets the verification between nodes of the
# cluster.
#
# Valid values to this setting are:
#
# - `shared`: use a shared certificate/key
# pair specified with the `cluster_cert`
# and `cluster_cert_key` settings.
# Note that CP and DP nodes have to present
# the same certificate to establish mTLS
# connections.
# - `pki`: use `cluster_ca_cert`,
# `cluster_server_name` and `cluster_cert`
# for verification.
# These are different certificates for each
# DP node, but issued by a cluster-wide
# common CA certificate: `cluster_ca_cert`.
#cluster_cert = # Filename of the cluster certificate to use
# when establishing secure communication
# between control and data plane nodes.
# You can use the `kong hybrid` command to
# generate the certificate/key pair.
# Under `shared` mode, it must be the same
# for all nodes. Under `pki` mode it
# should be a different certificate for each
# DP node.
#cluster_cert_key = # Filename of the cluster certificate key to
# use when establishing secure communication
# between control and data plane nodes.
# You can use the `kong hybrid` command to
# generate the certificate/key pair.
# Under `shared` mode, it must be the same
# for all nodes. Under `pki` mode it
# should be a different certificate for each
# DP node.
#cluster_ca_cert = # The trusted CA certificate file in PEM
# format used for Control Plane to verify
# Data Plane's certificate and Data Plane
# to verify Control Plane's certificate.
# Required on data plane if `cluster_mtls`
# is set to `pki`.
# If Control Plane certificate is issued
# by a well known CA, user can set
# `lua_ssl_trusted_certificate=system`
# on Data Plane and leave this field empty.
#
# This field is ignored if `cluster_mtls` is
# set to `shared`.
#------------------------------------------------------------------------------
# HYBRID MODE DATA PLANE
#------------------------------------------------------------------------------
#cluster_server_name = # The server name used in the SNI of the TLS
# connection from a DP node to a CP node.
# Must match the Common Name (CN) or Subject
# Alternative Name (SAN) found in the CP
# certificate.
# If `cluster_mtls` is set to
# `shared`, this setting is ignored and
# `kong_clustering` is used.
#cluster_control_plane = # To be used by data plane nodes only:
# address of the control plane node from
# which configuration updates will be fetched,
# in `host:port` format.
#cluster_max_payload = 4194304
# This sets the maximum payload size allowed
# to be sent across from CP to DP in Hybrid mode
# Default is 4Mb - 4 * 1024 * 1024 due to historical reasons
#------------------------------------------------------------------------------
# HYBRID MODE CONTROL PLANE
#------------------------------------------------------------------------------
#cluster_listen = 0.0.0.0:8005
# Comma-separated list of addresses and ports on
# which the cluster control plane server should listen
# for data plane connections.
# The cluster communication port of the control plane
# must be accessible by all the data planes
# within the same cluster. This port is mTLS protected
# to ensure end-to-end security and integrity.
#
# This setting has no effect if `role` is not set to
# `control_plane`.
#
# Connection made to this endpoint are logged
# to the same location as Admin API access logs.
# See `admin_access_log` config description for more
# information.
#cluster_data_plane_purge_delay = 1209600
# How many seconds must pass from the time a DP node
# becomes offline to the time its entry gets removed
# from the database, as returned by the
# /clustering/data-planes Admin API endpoint.
#
# This is to prevent the cluster data plane table from
# growing indefinitely. The default is set to
# 14 days. That is, if CP haven't heard from a DP for
# 14 days, its entry will be removed.
#cluster_ocsp = off
# Whether to check for revocation status of DP
# certificates using OCSP (Online Certificate Status Protocol).
# If enabled, the DP certificate should contain the
# "Certificate Authority Information Access" extension
# and the OCSP method with URI of which the OCSP responder
# can be reached from CP.
#
# OCSP checks are only performed on CP nodes, it has no
# effect on DP nodes.
#
# Valid values to this setting are:
#
# - `on`: OCSP revocation check is enabled and DP
# must pass the check in order to establish
# connection with CP.
# - `off`: OCSP revocation check is disabled.
# - `optional`: OCSP revocation check will be attempted,
# however, if the required extension is not
# found inside DP provided certificate
# or communication with the OCSP responder
# failed, then DP is still allowed through.
#------------------------------------------------------------------------------
# NGINX
#------------------------------------------------------------------------------
#proxy_listen = 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384
# Comma-separated list of addresses and ports on
# which the proxy server should listen for
# HTTP/HTTPS traffic.
# The proxy server is the public entry point of Kong,
# which proxies traffic from your consumers to your
# backend services. This value accepts IPv4, IPv6, and
# hostnames.
#
# Some suffixes can be specified for each pair:
#
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# - `http2` will allow for clients to open HTTP/2
# connections to Kong's proxy server.
# - `proxy_protocol` will enable usage of the
# PROXY protocol for a given address/port.
# - `deferred` instructs to use a deferred accept on
# Linux (the TCP_DEFER_ACCEPT socket option).
# - `bind` instructs to make a separate bind() call
# for a given address:port pair.
# - `reuseport` instructs to create an individual
# listening socket for each worker process
# allowing the Kernel to better distribute incoming
# connections between worker processes
# - `backlog=N` sets the maximum length for the queue
# of pending TCP connections. This number should
# not be too small in order to prevent clients
# seeing "Connection refused" error connecting to
# a busy Kong instance.
# **Note:** on Linux, this value is limited by the
# setting of `net.core.somaxconn` Kernel parameter.
# In order for the larger `backlog` set here to take
# effect it is necessary to raise
# `net.core.somaxconn` at the same time to match or
# exceed the `backlog` number set.
#
# This value can be set to `off`, thus disabling
# the HTTP/HTTPS proxy port for this node.
# If stream_listen is also set to `off`, this enables
# 'control-plane' mode for this node
# (in which all traffic proxying capabilities are
# disabled). This node can then be used only to
# configure a cluster of Kong
# nodes connected to the same datastore.
#
# Example:
# `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl`
#
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
# for a description of the accepted formats for this
# and other `*_listen` values.
#
# See https://www.nginx.com/resources/admin-guide/proxy-protocol/
# for more details about the `proxy_protocol`
# parameter.
#
# Not all `*_listen` values accept all formats
# specified in nginx's documentation.
#stream_listen = off
# Comma-separated list of addresses and ports on
# which the stream mode should listen.
#
# This value accepts IPv4, IPv6, and hostnames.
# Some suffixes can be specified for each pair:
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# - `proxy_protocol` will enable usage of the
# PROXY protocol for a given address/port.
# - `bind` instructs to make a separate bind() call
# for a given address:port pair.
# - `reuseport` instructs to create an individual
# listening socket for each worker process
# allowing the Kernel to better distribute incoming
# connections between worker processes
# - `backlog=N` sets the maximum length for the queue
# of pending TCP connections. This number should
# not be too small in order to prevent clients
# seeing "Connection refused" error connecting to
# a busy Kong instance.
# **Note:** on Linux, this value is limited by the
# setting of `net.core.somaxconn` Kernel parameter.
# In order for the larger `backlog` set here to take
# effect it is necessary to raise
# `net.core.somaxconn` at the same time to match or
# exceed the `backlog` number set.
#
# Examples:
#
# ```
# stream_listen = 127.0.0.1:7000 reuseport backlog=16384
# stream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20
# stream_listen = [::1]:1234 backlog=16384
# ```
#
# By default this value is set to `off`, thus
# disabling the stream proxy port for this node.
# See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen
# for a description of the formats that Kong might accept in stream_listen.
#admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384
# Comma-separated list of addresses and ports on
# which the Admin interface should listen.
# The Admin interface is the API allowing you to
# configure and manage Kong.
# Access to this interface should be *restricted*
# to Kong administrators *only*. This value accepts
# IPv4, IPv6, and hostnames.
#
# Some suffixes can be specified for each pair:
#
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# - `http2` will allow for clients to open HTTP/2
# connections to Kong's proxy server.
# - `proxy_protocol` will enable usage of the
# PROXY protocol for a given address/port.
# - `deferred` instructs to use a deferred accept on
# Linux (the TCP_DEFER_ACCEPT socket option).
# - `bind` instructs to make a separate bind() call
# for a given address:port pair.
# - `reuseport` instructs to create an individual
# listening socket for each worker process
# allowing the Kernel to better distribute incoming
# connections between worker processes
# - `backlog=N` sets the maximum length for the queue
# of pending TCP connections. This number should
# not be too small in order to prevent clients
# seeing "Connection refused" error connecting to
# a busy Kong instance.
# **Note:** on Linux, this value is limited by the
# setting of `net.core.somaxconn` Kernel parameter.
# In order for the larger `backlog` set here to take
# effect it is necessary to raise
# `net.core.somaxconn` at the same time to match or
# exceed the `backlog` number set.
#
# This value can be set to `off`, thus disabling
# the Admin interface for this node, enabling a
# 'data-plane' mode (without configuration
# capabilities) pulling its configuration changes
# from the database.
#
# Example: `admin_listen = 127.0.0.1:8444 http2 ssl`
#status_listen = off # Comma-separated list of addresses and ports on
# which the Status API should listen.
# The Status API is a read-only endpoint
# allowing monitoring tools to retrieve metrics,
# healthiness, and other non-sensitive information
# of the current Kong node.
#
# The following suffix can be specified for each pair:
#
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
#
# This value can be set to `off`, disabling
# the Status API for this node.
#
# Example: `status_listen = 0.0.0.0:8100`
#nginx_user = kong kong # Defines user and group credentials used by
# worker processes. If group is omitted, a
# group whose name equals that of user is
# used.
#
# Example: `nginx_user = nginx www`
#
# **Note**: If the `kong` user and the `kong`
# group are not available, the default user
# and group credentials will be
# `nobody nobody`.
#nginx_worker_processes = auto # Determines the number of worker processes
# spawned by Nginx.
#
# See http://nginx.org/en/docs/ngx_core_module.html#worker_processes
# for detailed usage of the equivalent Nginx
# directive and a description of accepted
# values.
#nginx_daemon = on # Determines whether Nginx will run as a daemon
# or as a foreground process. Mainly useful
# for development or when running Kong inside
# a Docker environment.
#
# See http://nginx.org/en/docs/ngx_core_module.html#daemon.
#mem_cache_size = 128m # Size of each of the two in-memory caches
# for database entities. The accepted units are
# `k` and `m`, with a minimum recommended value of
# a few MBs.
#
# **Note**: As this option controls the size of two
# different cache entries, the total memory Kong
# uses to cache entities might be double this value.
#ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx.
# Accepted values are `modern`,
# `intermediate`, `old`, `fips` or `custom`.
#
# See https://wiki.mozilla.org/Security/Server_Side_TLS
# for detailed descriptions of each cipher
# suite. `fips` cipher suites are as decribed in
# https://wiki.openssl.org/index.php/FIPS_mode_and_TLS.
#ssl_ciphers = # Defines a custom list of TLS ciphers to be
# served by Nginx. This list must conform to
# the pattern defined by `openssl ciphers`.
# This value is ignored if `ssl_cipher_suite`
# is not `custom`.
#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
# Enables the specified protocols for
# client-side connections. The set of
# supported protocol versions also depends
# on the version of OpenSSL Kong was built
# with. This value is ignored if
# `ssl_cipher_suite` is not `custom`.
#
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
#ssl_prefer_server_ciphers = on # Specifies that server ciphers should be
# preferred over client ciphers when using
# the SSLv3 and TLS protocols. This value is
# ignored if `ssl_cipher_suite` is not `custom`.
#
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
#ssl_dhparam = # Defines DH parameters for DHE ciphers from the
# predefined groups: `ffdhe2048`, `ffdhe3072`,
# `ffdhe4096`, `ffdhe6144`, `ffdhe8192`, or
# from the absolute path to a parameters file.
#
# This value is ignored if `ssl_cipher_suite`
# is `modern` or `intermediate`. The reason is
# that `modern` has no ciphers that needs this,
# and `intermediate` uses `ffdhe2048`.
#
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#ssl_session_tickets = on # Enables or disables session resumption through
# TLS session tickets. This has no impact when
# used with TLSv1.3.
#
# Kong enables this by default for performance
# reasons, but it has security implications:
# https://github.com/mozilla/server-side-tls/issues/135
#
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#ssl_session_timeout = 1d # Specifies a time during which a client may
# reuse the session parameters. See the rationale:
# https://github.com/mozilla/server-side-tls/issues/198
#
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
#ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `proxy_listen` values with TLS enabled.
#
# If more than one certificates are specified, it can be used to provide
# alternate type of certificate (for example, ECC certificate) that will be served
# to clients that supports them. Note to properly serve using ECC certificates,
# it is recommended to also set `ssl_cipher_suite` to
# `modern` or `intermediate`.
#
# Unless this option is explicitly set, Kong will auto-generate
# a pair of default certificates (RSA + ECC) first time it starts up and use
# it for serving TLS requests.
#ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `proxy_listen` values with TLS enabled.
#
# If more than one certificate was specified for `ssl_cert`, then this
# option should contain the corresponding key for all certificates
# provided in the same order.
#
# Unless this option is explicitly set, Kong will auto-generate
# a pair of default private keys (RSA + ECC) first time it starts up and use
# it for serving TLS requests.
#client_ssl = off # Determines if Nginx should attempt to send client-side
# TLS certificates and perform Mutual TLS Authentication
# with upstream service when proxying requests.
#client_ssl_cert = # If `client_ssl` is enabled, the absolute
# path to the client certificate for the `proxy_ssl_certificate` directive.
#
# This value can be overwritten dynamically with the `client_certificate`
# attribute of the `Service` object.
#client_ssl_cert_key = # If `client_ssl` is enabled, the absolute
# path to the client TLS key for the `proxy_ssl_certificate_key` directive.
#
# This value can be overwritten dynamically with the `client_certificate`
# attribute of the `Service` object.
#admin_ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `admin_listen` values with TLS enabled.
#
# See docs for `ssl_cert` for detailed usage.
#admin_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `admin_listen` values with TLS enabled.
#
# See docs for `ssl_cert_key` for detailed usage.
#status_ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `status_listen` values with TLS enabled.
#
# See docs for `ssl_cert` for detailed usage.
#status_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `status_listen` values with TLS enabled.
#
# See docs for `ssl_cert_key` for detailed usage.
#headers = server_tokens, latency_tokens
# Comma-separated list of headers Kong should
# inject in client responses.
#
# Accepted values are:
# - `Server`: Injects `Server: kong/x.y.z`
# on Kong-produced response (e.g. Admin
# API, rejected requests from auth plugin).
# - `Via`: Injects `Via: kong/x.y.z` for
# successfully proxied requests.
# - `X-Kong-Proxy-Latency`: Time taken
# (in milliseconds) by Kong to process
# a request and run all plugins before
# proxying the request upstream.
# - `X-Kong-Response-Latency`: time taken
# (in millisecond) by Kong to produce
# a response in case of e.g. plugin
# short-circuiting the request, or in
# in case of an error.
# - `X-Kong-Upstream-Latency`: Time taken
# (in milliseconds) by the upstream
# service to send response headers.
# - `X-Kong-Admin-Latency`: Time taken
# (in milliseconds) by Kong to process
# an Admin API request.
# - `X-Kong-Upstream-Status`: The HTTP status
# code returned by the upstream service.
# This is particularly useful for clients to
# distinguish upstream statuses if the
# response is rewritten by a plugin.
# - `server_tokens`: Same as specifying both
# `Server` and `Via`.
# - `latency_tokens`: Same as specifying
# `X-Kong-Proxy-Latency`,
# `X-Kong-Response-Latency`,
# `X-Kong-Admin-Latency` and
# `X-Kong-Upstream-Latency`
#
# In addition to those, this value can be set
# to `off`, which prevents Kong from injecting
# any of the above headers. Note that this
# does not prevent plugins from injecting
# headers of their own.
#
# Example: `headers = via, latency_tokens`
#trusted_ips = # Defines trusted IP addresses blocks that are
# known to send correct `X-Forwarded-*`
# headers.
# Requests from trusted IPs make Kong forward
# their `X-Forwarded-*` headers upstream.
# Non-trusted requests make Kong insert its
# own `X-Forwarded-*` headers.
#
# This property also sets the
# `set_real_ip_from` directive(s) in the Nginx
# configuration. It accepts the same type of
# values (CIDR blocks) but as a
# comma-separated list.
#
# To trust *all* /!\ IPs, set this value to
# `0.0.0.0/0,::/0`.
#
# If the special value `unix:` is specified,
# all UNIX-domain sockets will be trusted.
#
# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
# for examples of accepted values.
#real_ip_header = X-Real-IP # Defines the request header field whose value
# will be used to replace the client address.
# This value sets the `ngx_http_realip_module`
# directive of the same name in the Nginx
# configuration.
#
# If this value receives `proxy_protocol`:
#
# - at least one of the `proxy_listen` entries
# must have the `proxy_protocol` flag
# enabled.
# - the `proxy_protocol` parameter will be
# appended to the `listen` directive of the
# Nginx template.
#
# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
# for a description of this directive.
#real_ip_recursive = off # This value sets the `ngx_http_realip_module`
# directive of the same name in the Nginx
# configuration.
#
# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
# for a description of this directive.
#error_default_type = text/plain # Default MIME type to use when the request
# `Accept` header is missing and Nginx
# is returning an error for the request.
# Accepted values are `text/plain`,
# `text/html`, `application/json`, and
# `application/xml`.
#upstream_keepalive_pool_size = 60 # Sets the default size of the upstream
# keepalive connection pools.
# Upstream keepalive connection pools
# are segmented by the `dst ip/dst
# port/SNI` attributes of a connection.
# A value of `0` will disable upstream
# keepalive connections by default, forcing
# each upstream request to open a new
# connection.
#upstream_keepalive_max_requests = 100 # Sets the default maximum number of
# requests than can be proxied upstream
# through one keepalive connection.
# After the maximum number of requests
# is reached, the connection will be
# closed.
# A value of `0` will disable this
# behavior, and a keepalive connection
# can be used to proxy an indefinite
# number of requests.
#upstream_keepalive_idle_timeout = 60 # Sets the default timeout (in seconds)
# for which an upstream keepalive
# connection should be kept open. When
# the timeout is reached while the
# connection has not been reused, it
# will be closed.
# A value of `0` will disable this
# behavior, and an idle keepalive
# connection may be kept open
# indefinitely.
#------------------------------------------------------------------------------
# NGINX injected directives
#------------------------------------------------------------------------------
# Nginx directives can be dynamically injected in the runtime nginx.conf file
# without requiring a custom Nginx configuration template.
#
# All configuration properties respecting the naming scheme
# `nginx_<namespace>_<directive>` will result in `<directive>` being injected in
# the Nginx configuration block corresponding to the property's `<namespace>`.
# Example:
# `nginx_proxy_large_client_header_buffers = 8 24k`
#
# Will inject the following directive in Kong's proxy `server {}` block:
#
# `large_client_header_buffers 8 24k;`
#
# The following namespaces are supported:
#
# - `nginx_main_<directive>`: Injects `<directive>` in Kong's configuration
# `main` context.
# - `nginx_events_<directive>`: Injects `<directive>` in Kong's `events {}`
# block.
# - `nginx_http_<directive>`: Injects `<directive>` in Kong's `http {}` block.
# - `nginx_proxy_<directive>`: Injects `<directive>` in Kong's proxy
# `server {}` block.
# - `nginx_upstream_<directive>`: Injects `<directive>` in Kong's proxy
# `upstream {}` block.
# - `nginx_admin_<directive>`: Injects `<directive>` in Kong's Admin API
# `server {}` block.
# - `nginx_status_<directive>`: Injects `<directive>` in Kong's Status API
# `server {}` block (only effective if `status_listen` is enabled).
# - `nginx_stream_<directive>`: Injects `<directive>` in Kong's stream module
# `stream {}` block (only effective if `stream_listen` is enabled).
# - `nginx_sproxy_<directive>`: Injects `<directive>` in Kong's stream module
# `server {}` block (only effective if `stream_listen` is enabled).
# - `nginx_supstream_<directive>`: Injects `<directive>` in Kong's stream
# module `upstream {}` block.
#
# As with other configuration properties, Nginx directives can be injected via
# environment variables when capitalized and prefixed with `KONG_`.
# Example:
# `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`
#
# Will inject the following directive in Kong's `http {}` block:
#
# `ssl_protocols <value>;`
#
# If different sets of protocols are desired between the proxy and Admin API
# server, you may specify `nginx_proxy_ssl_protocols` and/or
# `nginx_admin_ssl_protocols`, both of which taking precedence over the
# `http {}` block.
#nginx_main_worker_rlimit_nofile = auto
# Changes the limit on the maximum number of open files
# for worker processes.
#
# The special and default value of `auto` sets this
# value to `ulimit -n` with the upper bound limited to
# 16384 as a measure to protect against excess memory use.
#
# See http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
#nginx_events_worker_connections = auto
# Sets the maximum number of simultaneous
# connections that can be opened by a worker process.
#
# The special and default value of `auto` sets this
# value to `ulimit -n` with the upper bound limited to
# 16384 as a measure to protect against excess memory use.
#
# See http://nginx.org/en/docs/ngx_core_module.html#worker_connections
#nginx_http_client_header_buffer_size = 1k # Sets buffer size for reading the
# client request headers.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
#nginx_http_large_client_header_buffers = 4 8k # Sets the maximum number and
# size of buffers used for
# reading large clients
# requests headers.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
#nginx_http_client_max_body_size = 0 # Defines the maximum request body size
# allowed by requests proxied by Kong,
# specified in the Content-Length request
# header. If a request exceeds this
# limit, Kong will respond with a 413
# (Request Entity Too Large). Setting
# this value to 0 disables checking the
# request body size.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
#nginx_admin_client_max_body_size = 10m # Defines the maximum request body size for
# Admin API.
#nginx_http_client_body_buffer_size = 8k # Defines the buffer size for reading
# the request body. If the client
# request body is larger than this
# value, the body will be buffered to
# disk. Note that when the body is
# buffered to disk, Kong plugins that
# access or manipulate the request
# body may not work, so it is
# advisable to set this value as high
# as possible (e.g., set it as high
# as `client_max_body_size` to force
# request bodies to be kept in
# memory). Do note that
# high-concurrency environments will
# require significant memory
# allocations to process many
# concurrent large request bodies.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
#nginx_admin_client_body_buffer_size = 10m # Defines the buffer size for reading
# the request body on Admin API.
#nginx_http_lua_regex_match_limit = 100000 # Global `MATCH_LIMIT` for PCRE
# regex matching. The default of `100000` should ensure
# at worst any regex Kong executes could finish within
# roughly 2 seconds.
#------------------------------------------------------------------------------
# DATASTORE
#------------------------------------------------------------------------------
# Kong can run with a database to store coordinated data between Kong nodes in
# a cluster, or without a database, where each node stores its information
# independently in memory.
#
# When using a database, Kong will store data for all its entities (such as
# Routes, Services, Consumers, and Plugins) in either Cassandra or PostgreSQL,
# and all Kong nodes belonging to the same cluster must connect themselves
# to the same database.
#
# Kong supports the following database versions:
# - **PostgreSQL**: 9.5 and above.
# - **Cassandra**: 2.2 and above.
#
# When not using a database, Kong is said to be in "DB-less mode": it will keep
# its entities in memory, and each node needs to have this data entered via a
# declarative configuration file, which can be specified through the
# `declarative_config` property, or via the Admin API using the `/config`
# endpoint.
#
# When using Postgres as the backend storage, you can optionally enable Kong
# to serve read queries from a separate database instance.
# When the number of proxies is large, this can greatly reduce the load
# on the main Postgres instance and achieve better scalability. It may also
# reduce the latency jitter if the Kong proxy node's latency to the main
# Postgres instance is high.
#
# The read-only Postgres instance only serves read queries and write
# queries still goes to the main connection. The read-only Postgres instance
# can be eventually consistent while replicating changes from the main
# instance.
#
# At least the `pg_ro_host` config is needed to enable this feature.
# By default, all other database config for the read-only connection are
# inherited from the corresponding main connection config described above but
# may be optionally overwritten explicitly using the `pg_ro_*` config below.
#database = postgres # Determines which of PostgreSQL or Cassandra
# this node will use as its datastore.
# Accepted values are `postgres`,
# `cassandra`, and `off`.
#pg_host = 127.0.0.1 # Host of the Postgres server.
#pg_port = 5432 # Port of the Postgres server.
#pg_timeout = 5000 # Defines the timeout (in ms), for connecting,
# reading and writing.
#pg_user = kong # Postgres user.
#pg_password = # Postgres user's password.
#pg_database = kong # The database name to connect to.
#pg_schema = # The database schema to use. If unspecified,
# Kong will respect the `search_path` value of
# your PostgreSQL instance.
#pg_ssl = off # Toggles client-server TLS connections
# between Kong and PostgreSQL.
# Because PostgreSQL uses the same port for TLS
# and non-TLS, this is only a hint. If the
# server does not support TLS, the established
# connection will be a plain one.
#pg_ssl_verify = off # Toggles server certificate verification if
# `pg_ssl` is enabled.
# See the `lua_ssl_trusted_certificate`
# setting to specify a certificate authority.
#pg_max_concurrent_queries = 0 # Sets the maximum number of concurrent queries
# that can be executing at any given time. This
# limit is enforced per worker process; the
# total number of concurrent queries for this
# node will be will be: