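#!/usr/bin/env bash
# Download and install Kong Enterprise Edition 2.8.1.4 on CentOS 7.
#
# The package URL contains no rpm macros, so the original `rpm --eval`
# wrapper added nothing; the URL is used directly.
#
# Optional environment:
#   KONG_GPG_KEY_FILE - path to the vendor's package-signing public key.
#                       When set, the key is imported and the downloaded
#                       package must carry a valid signature to be installed.
set -euo pipefail

readonly kong_version='2.8.1.4'
readonly kong_rpm="kong-enterprise-edition-${kong_version}.rpm"
readonly kong_url="https://download.konghq.com/gateway-2.x-centos-7/Packages/k/kong-enterprise-edition-${kong_version}.el7.noarch.rpm"

# -f makes curl fail on an HTTP error instead of saving the error page as
# the .rpm; -L follows redirects as the original did. Quoting the output
# name and URL avoids word-splitting of the expansion.
curl -fLo "${kong_rpm}" "${kong_url}"

if [[ -n "${KONG_GPG_KEY_FILE:-}" ]]; then
  # yum does not verify signatures of local .rpm files unless
  # localpkg_gpgcheck is enabled, so turn it on for this install only.
  rpm --import "${KONG_GPG_KEY_FILE}"
  yum --setopt=localpkg_gpgcheck=1 install -y "${kong_rpm}"
else
  # Preserve the original behaviour, but say loudly that the package is
  # being installed unverified.
  printf 'warning: KONG_GPG_KEY_FILE not set; installing %s without signature verification\n' \
    "${kong_rpm}" >&2
  yum install -y "${kong_rpm}"
fi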
kong.conf.default
# -----------------------
# Kong configuration file
# -----------------------
# The commented-out settings shown in this file represent the default values.
# This file is read when `kong start` or `kong prepare` are used. Kong
# generates the Nginx configuration with the settings specified in this file.
# All environment variables prefixed with `KONG_` and capitalized will override
# the settings specified in this file.
# Example:
# `log_level` setting -> `KONG_LOG_LEVEL` env variable
# Boolean values can be specified as `on`/`off` or `true`/`false`.
# Lists must be specified as comma-separated strings.
# All comments in this file can be removed safely, including the
# commented-out properties.
# You can verify the integrity of your settings with `kong check <conf>`.
#------------------------------------------------------------------------------
# GENERAL
#------------------------------------------------------------------------------
#prefix = /usr/local/kong/ # Working directory. Equivalent to Nginx's
# prefix path, containing temporary files
# and logs.
# Each Kong process must have a separate
# working directory.
#log_level = notice # Log level of the Nginx server. Logs are
# found at `<prefix>/logs/error.log`.
# See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list
# of accepted values.
#proxy_access_log = logs/access.log # Path for proxy port request access
# logs. Set this value to `off` to
# disable logging proxy requests.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
#proxy_error_log = logs/error.log # Path for proxy port request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#proxy_stream_access_log = logs/access.log basic # Path for tcp streams proxy port access
# logs. Set this value to `off` to
# disable logging proxy requests.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
# `basic` is defined as `'$remote_addr [$time_local] '
# '$protocol $status $bytes_sent $bytes_received '
# '$session_time'`
#proxy_stream_error_log = logs/error.log # Path for tcp streams proxy port request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#admin_access_log = logs/admin_access.log # Path for Admin API request access
# logs. If Hybrid Mode is enabled
# and the current node is set to be
# the Control Plane, then the
# connection requests from Data Planes
# are also written to this file with
# server name "kong_cluster_listener".
# Set this value to `off` to
# disable logging Admin API requests.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
#admin_error_log = logs/error.log # Path for Admin API request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#status_access_log = off # Path for Status API request access
# logs. The default value of `off`
# implies that logging for this API
# is disabled by default.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
#status_error_log = logs/status_error.log # Path for Status API request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#vaults = bundled # Comma-separated list of vaults this node
# should load. By default, all the bundled
# vaults are enabled.
# The specified name(s) will be substituted as
# such in the Lua namespace:
# `kong.vaults.{name}.*`.
#plugins = bundled # Comma-separated list of plugins this node
# should load. By default, only plugins
# bundled in official distributions are
# loaded via the `bundled` keyword.
# Loading a plugin does not enable it by
# default, but only instructs Kong to load its
# source code, and allows configuring the
# plugin via the various related Admin API
# endpoints.
# The specified name(s) will be substituted as
# such in the Lua namespace:
# `kong.plugins.{name}.*`.
# When the `off` keyword is specified as the
# only value, no plugins will be loaded.
# `bundled` and plugin names can be mixed
# together, as the following examples suggest:
# - `plugins = bundled,custom-auth,custom-log`
# will include the bundled plugins plus two
# custom ones
# - `plugins = custom-auth,custom-log` will
# *only* include the `custom-auth` and
# `custom-log` plugins.
# - `plugins = off` will not include any
# plugins
# **Note:** Kong will not start if some
# plugins were previously configured (i.e.
# have rows in the database) and are not
# specified in this list. Before disabling a
# plugin, ensure all instances of it are
# removed before restarting Kong.
# **Note:** Limiting the amount of available
# plugins can improve P99 latency when
# experiencing LRU churning in the database
# cache (i.e. when the configured
# `mem_cache_size` is full).
#pluginserver_names = # Comma-separated list of names for pluginserver
# processes. The actual names are used for
# log messages and as the `<XXX>` part of the per-pluginserver settings below.
#pluginserver_XXX_socket = <prefix>/<XXX>.socket # Path to the unix socket
# used by the <XXX> pluginserver.
#pluginserver_XXX_start_cmd = /usr/local/bin/<XXX> # Full command (including
# any needed arguments) to
# start the <XXX> pluginserver
#pluginserver_XXX_query_cmd = /usr/local/bin/query_<XXX> # Full command to "query" the
# <XXX> pluginserver. Should
# produce a JSON with the
# dump info of all plugins it
# manages
#port_maps = # With this configuration parameter, you can
# let Kong know the port from
# which the packets are forwarded to it. This
# is fairly common when running Kong in a
# containerized or virtualized environment.
# For example, `port_maps=80:8000, 443:8443`
# instructs Kong that the port 80 is mapped
# to 8000 (and the port 443 to 8443), where
# 8000 and 8443 are the ports that Kong is
# listening to.
# This parameter helps Kong set a proper
# forwarded upstream HTTP request header or to
# get the proper forwarded port with the Kong PDK
# (in case other means determining it has
# failed). It changes routing by a destination
# port to route by a port from which packets
# are forwarded to Kong, and similarly it
# changes the default plugin log serializer to
# use the port according to this mapping
# instead of reporting the port Kong is
# listening to.
#anonymous_reports = on # Send anonymous usage data such as error
# stack traces to help improve Kong.
#------------------------------------------------------------------------------
# HYBRID MODE
#------------------------------------------------------------------------------
#role = traditional # Use this setting to enable Hybrid Mode.
# This allows running some Kong nodes in a
# control plane role with a database and
# have them deliver configuration updates
# to other nodes running DB-less in
# a Data Plane role.
# Valid values to this setting are:
# - `traditional`: do not use Hybrid Mode.
# - `control_plane`: this node runs in a
# control plane role. It can use a database
# and will deliver configuration updates
# to data plane nodes.
# - `data_plane`: this is a data plane node.
# It runs DB-less and receives configuration
# updates from a control plane node.
#cluster_mtls = shared # Sets the verification between nodes of the
# cluster.
# Valid values to this setting are:
# - `shared`: use a shared certificate/key
# pair specified with the `cluster_cert`
# and `cluster_cert_key` settings.
# Note that CP and DP nodes have to present
# the same certificate to establish mTLS
# connections.
# - `pki`: use `cluster_ca_cert`,
# `cluster_server_name` and `cluster_cert`
# for verification.
# These are different certificates for each
# DP node, but issued by a cluster-wide
# common CA certificate: `cluster_ca_cert`.
# - `pki_check_cn`: similar as `pki` but additionally
# checks for Common Name of data plane certificate
# specified in `cluster_allowed_common_names`.
#cluster_cert = # Filename of the cluster certificate to use
# when establishing secure communication
# between control and data plane nodes.
# You can use the `kong hybrid` command to
# generate the certificate/key pair.
# Under `shared` mode, it must be the same
# for all nodes. Under `pki` mode it
# should be a different certificate for each
# DP node.
#cluster_cert_key = # Filename of the cluster certificate key to
# use when establishing secure communication
# between control and data plane nodes.
# You can use the `kong hybrid` command to
# generate the certificate/key pair.
# Under `shared` mode, it must be the same
# for all nodes. Under `pki` mode it
# should be a different certificate for each
# DP node.
#cluster_ca_cert = # The trusted CA certificate file in PEM
# format used for Control Plane to verify
# Data Plane's certificate and Data Plane
# to verify Control Plane's certificate.
# Required on data plane if `cluster_mtls`
# is set to `pki`.
# If Control Plane certificate is issued
# by a well known CA, user can set
# `lua_ssl_trusted_certificate=system`
# on Data Plane and leave this field empty.
# This field is ignored if `cluster_mtls` is
# set to `shared`.
#cluster_allowed_common_names = # The list of Common Names that are allowed to
# connect to control plane. Multiple entries may
# be supplied in a comma-separated string. When not
# set, a Data Plane whose certificate has the same parent domain as
# the Control Plane cert is allowed to connect.
# This field is ignored if `cluster_mtls` is
# not set to `pki_check_cn`.
#------------------------------------------------------------------------------
# HYBRID MODE DATA PLANE
#------------------------------------------------------------------------------
#cluster_server_name = # The server name used in the SNI of the TLS
# connection from a DP node to a CP node.
# Must match the Common Name (CN) or Subject
# Alternative Name (SAN) found in the CP
# certificate.
# If `cluster_mtls` is set to
# `shared`, this setting is ignored and
# `kong_clustering` is used.
#cluster_control_plane = # To be used by data plane nodes only:
# address of the control plane node from
# which configuration updates will be fetched,
# in `host:port` format.
#cluster_telemetry_endpoint = # To be used by data plane nodes only:
# telemetry address of the control plane node
# to which telemetry updates will be posted
# in `host:port` format.
#data_plane_config_cache_mode = unencrypted
# Data planes can store their config to file system
# as a backup in case the node is restarted or reloaded
# to bring the node into a configured state faster, or in
# case there are issues connecting to control plane.
# This parameter can be used to control the behavior.
# To be used by data plane nodes only:
# `unencrypted` = stores config cache unencrypted
# `encrypted` = stores config cache encrypted
# `off` = does not store the config cache
#data_plane_config_cache_path = # The unencrypted config cache is stored by default
# to Kong `prefix` with a filename `config.cache.json.gz`.
# The encrypted config cache is stored by default
# to Kong `prefix` with a filename `.config.cache.jwt`
# Alternatively you can specify path for config cache
# with this parameter, e.g. `/tmp/kong-config-cache`.
#------------------------------------------------------------------------------
# HYBRID MODE CONTROL PLANE
#------------------------------------------------------------------------------
#cluster_listen = 0.0.0.0:8005
# Comma-separated list of addresses and ports on
# which the cluster control plane server should listen
# for data plane connections.
# The cluster communication port of the control plane
# must be accessible by all the data planes
# within the same cluster. This port is mTLS protected
# to ensure end-to-end security and integrity.
# This setting has no effect if `role` is not set to
# `control_plane`.
# Connections made to this endpoint are logged
# to the same location as Admin API access logs.
# See `admin_access_log` config description for more
# information.
#cluster_telemetry_listen = 0.0.0.0:8006
# Comma-separated list of addresses and ports on
# which the cluster control plane server should listen
# for data plane telemetry connections.
# The cluster communication port of the control plane
# must be accessible by all the data planes
# within the same cluster.
# This setting has no effect if `role` is not set to
# `control_plane`.
#cluster_data_plane_purge_delay = 1209600
# How many seconds must pass from the time a DP node
# becomes offline to the time its entry gets removed
# from the database, as returned by the
# /clustering/data-planes Admin API endpoint.
# This is to prevent the cluster data plane table from
# growing indefinitely. The default is set to
# 14 days. That is, if the CP hasn't heard from a DP for
# 14 days, its entry will be removed.
#cluster_ocsp = off
# Whether to check for revocation status of DP
# certificates using OCSP (Online Certificate Status Protocol).
# If enabled, the DP certificate should contain the
# "Certificate Authority Information Access" extension
# and the OCSP method with the URI at which the OCSP responder
# can be reached from the CP.
# OCSP checks are only performed on CP nodes, it has no
# effect on DP nodes.
# Valid values to this setting are:
# - `on`: OCSP revocation check is enabled and DP
# must pass the check in order to establish
# connection with CP.
# - `off`: OCSP revocation check is disabled.
# - `optional`: OCSP revocation check will be attempted,
# however, if the required extension is not
# found inside DP provided certificate
# or communication with the OCSP responder
# failed, then DP is still allowed through.
#cluster_max_payload = 4194304
# This sets the maximum payload size allowed
# to be sent across from CP to DP in Hybrid mode
# The default is 4 MiB (4 * 1024 * 1024 bytes), for historical reasons.
#------------------------------------------------------------------------------
# NGINX
#------------------------------------------------------------------------------
#proxy_listen = 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384
# Comma-separated list of addresses and ports on
# which the proxy server should listen for
# HTTP/HTTPS traffic.
# The proxy server is the public entry point of Kong,
# which proxies traffic from your consumers to your
# backend services. This value accepts IPv4, IPv6, and
# hostnames.
# Some suffixes can be specified for each pair:
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# - `http2` will allow for clients to open HTTP/2
# connections to Kong's proxy server.
# - `proxy_protocol` will enable usage of the
# PROXY protocol for a given address/port.
# - `deferred` instructs to use a deferred accept on
# Linux (the TCP_DEFER_ACCEPT socket option).
# - `bind` instructs to make a separate bind() call
# for a given address:port pair.
# - `reuseport` instructs to create an individual
# listening socket for each worker process
# allowing the Kernel to better distribute incoming
# connections between worker processes
# - `backlog=N` sets the maximum length for the queue
# of pending TCP connections. This number should
# not be too small in order to prevent clients
# seeing "Connection refused" error connecting to
# a busy Kong instance.
# **Note:** on Linux, this value is limited by the
# setting of `net.core.somaxconn` Kernel parameter.
# In order for the larger `backlog` set here to take
# effect it is necessary to raise
# `net.core.somaxconn` at the same time to match or
# exceed the `backlog` number set.
# This value can be set to `off`, thus disabling
# the HTTP/HTTPS proxy port for this node.
# If stream_listen is also set to `off`, this enables
# 'control-plane' mode for this node
# (in which all traffic proxying capabilities are
# disabled). This node can then be used only to
# configure a cluster of Kong
# nodes connected to the same datastore.
# Example:
# `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl`
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
# for a description of the accepted formats for this
# and other `*_listen` values.
# See https://www.nginx.com/resources/admin-guide/proxy-protocol/
# for more details about the `proxy_protocol`
# parameter.
# Not all `*_listen` values accept all formats
# specified in nginx's documentation.
#proxy_url = # Kong Proxy URL
# The lookup, or balancer, address for your Kong Proxy nodes.
# This value is commonly used in a microservices
# or service-mesh oriented architecture.
# Accepted format (parts in parentheses are optional):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# Examples:
# - `<scheme>://<IP>:<PORT>` -> `proxy_url = http://127.0.0.1:8000`
# - `SSL <scheme>://<HOSTNAME>` -> `proxy_url = https://proxy.domain.tld`
# - `<scheme>://<HOSTNAME>/<PATH>` -> `proxy_url = http://dev-machine/dev-285`
# By default, Kong Manager, and Kong Portal will use
# the window request host and append the resolved
# listener port depending on the requested protocol.
#stream_listen = off
# Comma-separated list of addresses and ports on
# which the stream mode should listen.
# This value accepts IPv4, IPv6, and hostnames.
# Some suffixes can be specified for each pair:
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# - `proxy_protocol` will enable usage of the
# PROXY protocol for a given address/port.
# - `bind` instructs to make a separate bind() call
# for a given address:port pair.
# - `reuseport` instructs to create an individual
# listening socket for each worker process
# allowing the Kernel to better distribute incoming
# connections between worker processes
# - `backlog=N` sets the maximum length for the queue
# of pending TCP connections. This number should
# not be too small in order to prevent clients
# seeing "Connection refused" error connecting to
# a busy Kong instance.
# **Note:** on Linux, this value is limited by the
# setting of `net.core.somaxconn` Kernel parameter.
# In order for the larger `backlog` set here to take
# effect it is necessary to raise
# `net.core.somaxconn` at the same time to match or
# exceed the `backlog` number set.
# Examples:
# ```
# stream_listen = 127.0.0.1:7000 reuseport backlog=16384
# stream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20
# stream_listen = [::1]:1234 backlog=16384
# ```
# By default this value is set to `off`, thus
# disabling the stream proxy port for this node.
# See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen
# for a description of the formats that Kong might accept in stream_listen.
#admin_api_uri = # Hierarchical part of a URI which is composed
# optionally of a host, port, and path at which the
# Admin API accepts HTTP or HTTPS traffic. When
# this config is disabled, Kong Manager will
# use the window protocol + host and append the
# resolved admin_listen HTTP/HTTPS port.
#admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384
# Comma-separated list of addresses and ports on
# which the Admin interface should listen.
# The Admin interface is the API allowing you to
# configure and manage Kong.
# Access to this interface should be *restricted*
# to Kong administrators *only*. This value accepts
# IPv4, IPv6, and hostnames.
# Some suffixes can be specified for each pair:
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# - `http2` will allow for clients to open HTTP/2
# connections to Kong's proxy server.
# - `proxy_protocol` will enable usage of the
# PROXY protocol for a given address/port.
# - `deferred` instructs to use a deferred accept on
# Linux (the TCP_DEFER_ACCEPT socket option).
# - `bind` instructs to make a separate bind() call
# for a given address:port pair.
# - `reuseport` instructs to create an individual
# listening socket for each worker process
# allowing the Kernel to better distribute incoming
# connections between worker processes
# - `backlog=N` sets the maximum length for the queue
# of pending TCP connections. This number should
# not be too small in order to prevent clients
# seeing "Connection refused" error connecting to
# a busy Kong instance.
# **Note:** on Linux, this value is limited by the
# setting of `net.core.somaxconn` Kernel parameter.
# In order for the larger `backlog` set here to take
# effect it is necessary to raise
# `net.core.somaxconn` at the same time to match or
# exceed the `backlog` number set.
# This value can be set to `off`, thus disabling
# the Admin interface for this node, enabling a
# 'data-plane' mode (without configuration
# capabilities) pulling its configuration changes
# from the database.
# Example: `admin_listen = 127.0.0.1:8444 http2 ssl`
#status_listen = off # Comma-separated list of addresses and ports on
# which the Status API should listen.
# The Status API is a read-only endpoint
# allowing monitoring tools to retrieve metrics,
# healthiness, and other non-sensitive information
# of the current Kong node.
# The following suffix can be specified for each pair:
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# This value can be set to `off`, disabling
# the Status API for this node.
# Example: `status_listen = 0.0.0.0:8100`
#nginx_user = kong kong # Defines user and group credentials used by
# worker processes. If group is omitted, a
# group whose name equals that of user is
# used.
# Example: `nginx_user = nginx www`
# **Note**: If the `kong` user and the `kong`
# group are not available, the default user
# and group credentials will be
# `nobody nobody`.
#nginx_worker_processes = auto # Determines the number of worker processes
# spawned by Nginx.
# See http://nginx.org/en/docs/ngx_core_module.html#worker_processes
# for detailed usage of the equivalent Nginx
# directive and a description of accepted
# values.
#nginx_daemon = on # Determines whether Nginx will run as a daemon
# or as a foreground process. Mainly useful
# for development or when running Kong inside
# a Docker environment.
# See http://nginx.org/en/docs/ngx_core_module.html#daemon.
#mem_cache_size = 128m # Size of each of the two in-memory caches
# for database entities. The accepted units are
# `k` and `m`, with a minimum recommended value of
# a few MBs.
# **Note**: As this option controls the size of two
# different cache entries, the total memory Kong
# uses to cache entities might be double this value.
#ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx.
# Accepted values are `modern`,
# `intermediate`, `old`, `fips` or `custom`.
# See https://wiki.mozilla.org/Security/Server_Side_TLS
# for detailed descriptions of each cipher
# suite. `fips` cipher suites are as described in
# https://wiki.openssl.org/index.php/FIPS_mode_and_TLS.
#ssl_ciphers = # Defines a custom list of TLS ciphers to be
# served by Nginx. This list must conform to
# the pattern defined by `openssl ciphers`.
# This value is ignored if `ssl_cipher_suite`
# is not `custom`.
#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
# Enables the specified protocols for
# client-side connections. The set of
# supported protocol versions also depends
# on the version of OpenSSL Kong was built
# with. This value is ignored if
# `ssl_cipher_suite` is not `custom`.
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
#ssl_prefer_server_ciphers = on # Specifies that server ciphers should be
# preferred over client ciphers when using
# the SSLv3 and TLS protocols. This value is
# ignored if `ssl_cipher_suite` is not `custom`.
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
#ssl_dhparam = # Defines DH parameters for DHE ciphers from the
# predefined groups: `ffdhe2048`, `ffdhe3072`,
# `ffdhe4096`, `ffdhe6144`, `ffdhe8192`, or
# from the absolute path to a parameters file.
# This value is ignored if `ssl_cipher_suite`
# is `modern` or `intermediate`. The reason is
# that `modern` has no ciphers that need this,
# and `intermediate` uses `ffdhe2048`.
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#ssl_session_tickets = on # Enables or disables session resumption through
# TLS session tickets. This has no impact when
# used with TLSv1.3.
# Kong enables this by default for performance
# reasons, but it has security implications:
# https://github.com/mozilla/server-side-tls/issues/135
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#ssl_session_timeout = 1d # Specifies a time during which a client may
# reuse the session parameters. See the rationale:
# https://github.com/mozilla/server-side-tls/issues/198
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
#ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `proxy_listen` values with TLS enabled.
# If more than one certificate is specified, this can be used to provide
# an alternate type of certificate (for example, an ECC certificate) that will be served
# to clients that support it. Note that to properly serve using ECC certificates,
# it is recommended to also set `ssl_cipher_suite` to
# `modern` or `intermediate`.
# Unless this option is explicitly set, Kong will auto-generate
# a pair of default certificates (RSA + ECC) the first time it starts up and use
# them for serving TLS requests.
#ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `proxy_listen` values with TLS enabled.
# If more than one certificate was specified for `ssl_cert`, then this
# option should contain the corresponding key for all certificates
# provided in the same order.
# Unless this option is explicitly set, Kong will auto-generate
# a pair of default private keys (RSA + ECC) the first time it starts up and use
# them for serving TLS requests.
#client_ssl = off # Determines if Nginx should attempt to send client-side
# TLS certificates and perform Mutual TLS Authentication
# with upstream service when proxying requests.
#client_ssl_cert = # If `client_ssl` is enabled, the absolute
# path to the client certificate for the `proxy_ssl_certificate` directive.
# This value can be overwritten dynamically with the `client_certificate`
# attribute of the `Service` object.
#client_ssl_cert_key = # If `client_ssl` is enabled, the absolute
# path to the client TLS key for the `proxy_ssl_certificate_key` directive.
# This value can be overwritten dynamically with the `client_certificate`
# attribute of the `Service` object.
#admin_ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `admin_listen` values with TLS enabled.
# See docs for `ssl_cert` for detailed usage.
#admin_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `admin_listen` values with TLS enabled.
# See docs for `ssl_cert_key` for detailed usage.
#status_ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `status_listen` values with TLS enabled.
# See docs for `ssl_cert` for detailed usage.
#status_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `status_listen` values with TLS enabled.
# See docs for `ssl_cert_key` for detailed usage.
#headers = server_tokens, latency_tokens
# Comma-separated list of headers Kong should
# inject in client responses.
# Accepted values are:
# - `Server`: Injects `Server: kong/x.y.z`
# on Kong-produced response (e.g. Admin
# API, rejected requests from auth plugin).
# - `Via`: Injects `Via: kong/x.y.z` for
# successfully proxied requests.
# - `X-Kong-Proxy-Latency`: Time taken
# (in milliseconds) by Kong to process
# a request and run all plugins before
# proxying the request upstream.
# - `X-Kong-Response-Latency`: time taken
# (in milliseconds) by Kong to produce
# a response in case of e.g. plugin
# short-circuiting the request, or
# in case of an error.
# - `X-Kong-Upstream-Latency`: Time taken
# (in milliseconds) by the upstream
# service to send response headers.
# - `X-Kong-Admin-Latency`: Time taken
# (in milliseconds) by Kong to process
# an Admin API request.
# - `X-Kong-Upstream-Status`: The HTTP status
# code returned by the upstream service.
# This is particularly useful for clients to
# distinguish upstream statuses if the
# response is rewritten by a plugin.
# - `server_tokens`: Same as specifying both
# `Server` and `Via`.
# - `latency_tokens`: Same as specifying
# `X-Kong-Proxy-Latency`,
# `X-Kong-Response-Latency`,
# `X-Kong-Admin-Latency` and
# `X-Kong-Upstream-Latency`
# In addition to those, this value can be set
# to `off`, which prevents Kong from injecting
# any of the above headers. Note that this
# does not prevent plugins from injecting
# headers of their own.
# Example: `headers = via, latency_tokens`
#trusted_ips = # Defines trusted IP addresses blocks that are
# known to send correct `X-Forwarded-*`
# headers.
# Requests from trusted IPs make Kong forward
# their `X-Forwarded-*` headers upstream.
# Non-trusted requests make Kong insert its
# own `X-Forwarded-*` headers.
# This property also sets the
# `set_real_ip_from` directive(s) in the Nginx
# configuration. It accepts the same type of
# values (CIDR blocks) but as a
# comma-separated list.
# To trust *all* /!\ IPs, set this value to
# `0.0.0.0/0,::/0`. Note that this lets any client
# supply `X-Forwarded-*` headers that Kong forwards unchanged.
# If the special value `unix:` is specified,
# all UNIX-domain sockets will be trusted.
# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
# for examples of accepted values.
#real_ip_header = X-Real-IP # Defines the request header field whose value
# will be used to replace the client address.
# This value sets the `ngx_http_realip_module`
# directive of the same name in the Nginx
# configuration.
# If this value receives `proxy_protocol`:
# - at least one of the `proxy_listen` entries
# must have the `proxy_protocol` flag
# enabled.
# - the `proxy_protocol` parameter will be
# appended to the `listen` directive of the
# Nginx template.
# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
# for a description of this directive.
#real_ip_recursive = off # This value sets the `ngx_http_realip_module`
# directive of the same name in the Nginx
# configuration.
# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
# for a description of this directive.
#error_default_type = text/plain # Default MIME type to use when the request
# `Accept` header is missing and Nginx
# is returning an error for the request.
# Accepted values are `text/plain`,
# `text/html`, `application/json`, and
# `application/xml`.
#upstream_keepalive_pool_size = 60 # Sets the default size of the upstream
# keepalive connection pools.
# Upstream keepalive connection pools
# are segmented by the `dst ip/dst
# port/SNI` attributes of a connection.
# A value of `0` will disable upstream
# keepalive connections by default, forcing
# each upstream request to open a new
# connection.
#upstream_keepalive_max_requests = 100 # Sets the default maximum number of
# requests that can be proxied upstream
# through one keepalive connection.
# After the maximum number of requests
# is reached, the connection will be
# closed.
# A value of `0` will disable this
# behavior, and a keepalive connection
# can be used to proxy an indefinite
# number of requests.
#upstream_keepalive_idle_timeout = 60 # Sets the default timeout (in seconds)
# for which an upstream keepalive
# connection should be kept open. When
# the timeout is reached while the
# connection has not been reused, it
# will be closed.
# A value of `0` will disable this
# behavior, and an idle keepalive
# connection may be kept open
# indefinitely.
#------------------------------------------------------------------------------
# NGINX injected directives
#------------------------------------------------------------------------------
# Nginx directives can be dynamically injected in the runtime nginx.conf file
# without requiring a custom Nginx configuration template.
# All configuration properties respecting the naming scheme
# `nginx_<namespace>_<directive>` will result in `<directive>` being injected in
# the Nginx configuration block corresponding to the property's `<namespace>`.
# Example:
# `nginx_proxy_large_client_header_buffers = 8 24k`
# Will inject the following directive in Kong's proxy `server {}` block:
# `large_client_header_buffers 8 24k;`
# The following namespaces are supported:
# - `nginx_main_<directive>`: Injects `<directive>` in Kong's configuration
# `main` context.
# - `nginx_events_<directive>`: Injects `<directive>` in Kong's `events {}`
# block.
# - `nginx_http_<directive>`: Injects `<directive>` in Kong's `http {}` block.
# - `nginx_proxy_<directive>`: Injects `<directive>` in Kong's proxy
# `server {}` block.
# - `nginx_upstream_<directive>`: Injects `<directive>` in Kong's proxy
# `upstream {}` block.
# - `nginx_admin_<directive>`: Injects `<directive>` in Kong's Admin API
# `server {}` block.
# - `nginx_status_<directive>`: Injects `<directive>` in Kong's Status API
# `server {}` block (only effective if `status_listen` is enabled).
# - `nginx_stream_<directive>`: Injects `<directive>` in Kong's stream module
# `stream {}` block (only effective if `stream_listen` is enabled).
# - `nginx_sproxy_<directive>`: Injects `<directive>` in Kong's stream module
# `server {}` block (only effective if `stream_listen` is enabled).
# - `nginx_supstream_<directive>`: Injects `<directive>` in Kong's stream
# module `upstream {}` block.
# As with other configuration properties, Nginx directives can be injected via
# environment variables when capitalized and prefixed with `KONG_`.
# Example:
# `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`
# Will inject the following directive in Kong's `http {}` block:
# `ssl_protocols <value>;`
# If different sets of protocols are desired between the proxy and Admin API
# server, you may specify `nginx_proxy_ssl_protocols` and/or
# `nginx_admin_ssl_protocols`, both of which take precedence over the
# `http {}` block.
#nginx_main_worker_rlimit_nofile = auto
# Changes the limit on the maximum number of open files
# for worker processes.
# The special and default value of `auto` sets this
# value to `ulimit -n` with the upper bound limited to
# 16384 as a measure to protect against excess memory use.
# See http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
#nginx_events_worker_connections = auto
# Sets the maximum number of simultaneous
# connections that can be opened by a worker process.
# The special and default value of `auto` sets this
# value to `ulimit -n` with the upper bound limited to
# 16384 as a measure to protect against excess memory use.
# See http://nginx.org/en/docs/ngx_core_module.html#worker_connections
#nginx_http_client_header_buffer_size = 1k # Sets buffer size for reading the
# client request headers.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
#nginx_http_large_client_header_buffers = 4 8k # Sets the maximum number and
# size of buffers used for
# reading large client
# request headers.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
#nginx_http_client_max_body_size = 0 # Defines the maximum request body size
# allowed by requests proxied by Kong,
# specified in the Content-Length request
# header. If a request exceeds this
# limit, Kong will respond with a 413
# (Request Entity Too Large). Setting
# this value to 0 disables checking the
# request body size.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
#nginx_admin_client_max_body_size = 10m # Defines the maximum request body size for
# Admin API.
#nginx_http_client_body_buffer_size = 8k # Defines the buffer size for reading
# the request body. If the client
# request body is larger than this
# value, the body will be buffered to
# disk. Note that when the body is
# buffered to disk, Kong plugins that
# access or manipulate the request
# body may not work, so it is
# advisable to set this value as high
# as possible (e.g., set it as high
# as `client_max_body_size` to force
# request bodies to be kept in
# memory). Do note that
# high-concurrency environments will
# require significant memory
# allocations to process many
# concurrent large request bodies.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
#nginx_admin_client_body_buffer_size = 10m # Defines the buffer size for reading
# the request body on Admin API.
#nginx_http_lua_regex_match_limit = 100000 # Global `MATCH_LIMIT` for PCRE
# regex matching. The default of `100000` should ensure
# at worst any regex Kong executes could finish within
# roughly 2 seconds.
#------------------------------------------------------------------------------
# DATASTORE
#------------------------------------------------------------------------------
# Kong can run with a database to store coordinated data between Kong nodes in
# a cluster, or without a database, where each node stores its information
# independently in memory.
# When using a database, Kong will store data for all its entities (such as
# Routes, Services, Consumers, and Plugins) in either Cassandra or PostgreSQL,
# and all Kong nodes belonging to the same cluster must connect
# to the same database.
# Kong supports the following database versions:
# - **PostgreSQL**: 9.5 and above.
# - **Cassandra**: 2.2 and above.
# When not using a database, Kong is said to be in "DB-less mode": it will keep
# its entities in memory, and each node needs to have this data entered via a
# declarative configuration file, which can be specified through the
# `declarative_config` property, or via the Admin API using the `/config`
# endpoint.
# When using Postgres as the backend storage, you can optionally enable Kong
# to serve read queries from a separate database instance.
# When the number of proxies is large, this can greatly reduce the load
# on the main Postgres instance and achieve better scalability. It may also
# reduce the latency jitter if the Kong proxy node's latency to the main
# Postgres instance is high.
# The read-only Postgres instance only serves read queries and write
# queries still go to the main connection. The read-only Postgres instance
# can be eventually consistent while replicating changes from the main
# instance.
# At least the `pg_ro_host` config is needed to enable this feature.
# By default, all other database settings for the read-only connection are
# inherited from the corresponding main connection config described above but
# may be optionally overwritten explicitly using the `pg_ro_*` config below.
#database = postgres # Determines which of PostgreSQL or Cassandra
# this node will use as its datastore.
# Accepted values are `postgres`,
# `cassandra`, and `off`.
#pg_host = 127.0.0.1 # Host of the Postgres server.
#pg_port = 5432 # Port of the Postgres server.
#pg_timeout = 5000 # Defines the timeout (in ms), for connecting,
# reading and writing.
#pg_user = kong # Postgres user.
#pg_password = # Postgres user's password.
#pg_database = kong # The database name to connect to.
#pg_schema = # The database schema to use. If unspecified,
# Kong will respect the `search_path` value of
# your PostgreSQL instance.
#pg_ssl = off # Toggles client-server TLS connections
# between Kong and PostgreSQL.
# Because PostgreSQL uses the same port for TLS
# and non-TLS, this is only a hint. If the
# server does not support TLS, the established
# connection will be a plain one.
#pg_ssl_version = tlsv1 # When using ssl between Kong and PostgreSQL,
# the version of tls to use. Accepted values are
# `tlsv1`, `tlsv1_2`, or `tlsv1_3`.
#pg_ssl_required = off # When `pg_ssl` is on this determines if
# TLS must be used between Kong and PostgreSQL.
# It aborts the connection if the server does
# not support SSL connections.
#pg_ssl_verify = off # Toggles server certificate verification if
# `pg_ssl` is enabled.
# See the `lua_ssl_trusted_certificate`
# setting to specify a certificate authority.
#pg_ssl_cert = # The absolute path to the PEM encoded client
# TLS certificate for the PostgreSQL connection.
# Mutual TLS authentication against
# PostgreSQL is only enabled if this value is set.
#pg_ssl_cert_key = # If `pg_ssl_cert` is set, the absolute path to
# the PEM encoded client TLS private key for the
# PostgreSQL connection.
#pg_max_concurrent_queries = 0 # Sets the maximum number of concurrent queries
# that can be executing at any given time. This
# limit is enforced per worker process; the
# total number of concurrent queries for this
# node will be:
# `pg_max_concurrent_queries * nginx_worker_processes`.
# The default value of 0 removes this
# concurrency limitation.
#pg_semaphore_timeout = 60000 # Defines the timeout (in ms) after which
# PostgreSQL query semaphore resource
# acquisition attempts will fail. Such
# failures will generally result in the
# associated proxy or Admin API request
# failing with an HTTP 500 status code.
# Detailed discussion of this behavior is
# available in the online documentation.
#pg_keepalive_timeout = 60000 # Defines the time in milliseconds that an idle connection to
# PostgreSQL server will be kept alive.
#pg_ro_host = # Same as `pg_host`, but for the
# read-only connection.
# **Note:** Refer to the documentation
# section above for detailed usage.
#pg_ro_port = <pg_port> # Same as `pg_port`, but for the
# read-only connection.
#pg_ro_timeout = <pg_timeout> # Same as `pg_timeout`, but for the
# read-only connection.
#pg_ro_user = <pg_user> # Same as `pg_user`, but for the
# read-only connection.
#pg_ro_password = <pg_password> # Same as `pg_password`, but for the
# read-only connection.
#pg_ro_database = <pg_database> # Same as `pg_database`, but for the
# read-only connection.
#pg_ro_schema = <pg_schema> # Same as `pg_schema`, but for the
# read-only connection.
#pg_ro_ssl = <pg_ssl> # Same as `pg_ssl`, but for the
# read-only connection.
#pg_ro_ssl_required = <pg_ssl_required>
# Same as `pg_ssl_required`, but for the
# read-only connection.
#pg_ro_ssl_verify = <pg_ssl_verify>
# Same as `pg_ssl_verify`, but for the
# read-only connection.
#pg_ro_ssl_version = <pg_ssl_version>
# Same as `pg_ssl_version`, but for the
# read-only connection.
#pg_ro_max_concurrent_queries = <pg_max_concurrent_queries>
# Same as `pg_max_concurrent_queries`, but for
# the read-only connection.
# Note: read-only concurrency is not shared
# with the main (read-write) connection.
#pg_ro_semaphore_timeout = <pg_semaphore_timeout>
# Same as `pg_semaphore_timeout`, but for the
# read-only connection.
#pg_ro_keepalive_timeout = <pg_keepalive_timeout>
# Same as `pg_keepalive_timeout`, but for the
# read-only connection.
#cassandra_contact_points = 127.0.0.1 # A comma-separated list of contact
# points to your cluster.
# You may specify IP addresses or
# hostnames. Note that the port
# component of SRV records will be
# ignored in favor of `cassandra_port`.
# When connecting to a multi-DC cluster,
# ensure that contact points from the
# local datacenter are specified first
# in this list.
#cassandra_port = 9042 # The port on which your nodes are listening.
# All your nodes and contact points must
# listen on the same port. Will be created if
# it doesn't exist.
#cassandra_keyspace = kong # The keyspace to use in your cluster.
#cassandra_write_consistency = ONE # Consistency setting to use when
# writing to the Cassandra cluster.
#cassandra_read_consistency = ONE # Consistency setting to use when
# reading from the Cassandra cluster.
#cassandra_timeout = 5000 # Defines the timeout (in ms) for reading
# and writing.
#cassandra_ssl = off # Toggles client-to-node TLS connections
# between Kong and Cassandra.
#cassandra_ssl_verify = off # Toggles server certificate verification if
# `cassandra_ssl` is enabled.
# See the `lua_ssl_trusted_certificate`
# setting to specify a certificate authority.
#cassandra_username = kong # Username when using the
# `PasswordAuthenticator` scheme.
#cassandra_password = # Password when using the
# `PasswordAuthenticator` scheme.
#cassandra_lb_policy = RequestRoundRobin # Load balancing policy to use when
# distributing queries across your
# Cassandra cluster.
# Accepted values are:
# `RoundRobin`, `RequestRoundRobin`,
# `DCAwareRoundRobin`, and
# `RequestDCAwareRoundRobin`.
# Policies prefixed with "Request"
# make efficient use of established
# connections throughout the same
# request.
# Prefer "DCAware" policies if and
# only if you are using a
# multi-datacenter cluster.
#cassandra_local_datacenter = # When using the `DCAwareRoundRobin`
# or `RequestDCAwareRoundRobin` load
# balancing policy, you must specify the name
# of the local (closest) datacenter for this
# Kong node.
#cassandra_refresh_frequency = 60 # Frequency (in seconds) at which
# the cluster topology will be
# checked for new or decommissioned
# nodes.
# A value of `0` will disable this
# check, and the cluster topology
# will never be refreshed.
#cassandra_repl_strategy = SimpleStrategy # When migrating for the first time,
# Kong will use this setting to
# create your keyspace.
# Accepted values are
# `SimpleStrategy` and
# `NetworkTopologyStrategy`.
#cassandra_repl_factor = 1 # When migrating for the first time, Kong
# will create the keyspace with this
# replication factor when using the
# `SimpleStrategy`.
#cassandra_data_centers = dc1:2,dc2:3 # When migrating for the first time,
# Kong will use this setting when using the
# `NetworkTopologyStrategy`.
# The format is a comma-separated list
# made of `<dc_name>:<repl_factor>`.
#cassandra_schema_consensus_timeout = 10000 # Defines the timeout (in ms) for
# the waiting period to reach a
# schema consensus between your
# Cassandra nodes.
# This value is only used during
# migrations.
#declarative_config = # The path to the declarative configuration
# file which holds the specification of all
# entities (Routes, Services, Consumers, etc.)
# to be used when the `database` is set to
# `off`.
# Entities are stored in Kong's in-memory cache,
# so you must ensure that enough memory is
# allocated to it via the `mem_cache_size`
# property. You must also ensure that items
# in the cache never expire, which means that
# `db_cache_ttl` should preserve its default
# value of 0.
# If the Hybrid mode `role` is set to `data_plane`
# and there's no configuration cache file,
# this configuration is used before connecting
# to the Control Plane node as a user-controlled
# fallback.
#declarative_config_string = # The declarative configuration as a string
#------------------------------------------------------------------------------
# DATASTORE CACHE
#------------------------------------------------------------------------------
# In order to avoid unnecessary communication with the datastore, Kong caches
# entities (such as APIs, Consumers, Credentials...) for a configurable period
# of time. It also handles invalidations if such an entity is updated.
# This section allows for configuring the behavior of Kong regarding the
# caching of such configuration entities.
#db_update_frequency = 5 # Frequency (in seconds) at which to check for
# updated entities with the datastore.
# When a node creates, updates, or deletes an
# entity via the Admin API, other nodes need
# to wait for the next poll (configured by
# this value) to eventually purge the old
# cached entity and start using the new one.
#db_update_propagation = 0 # Time (in seconds) taken for an entity in the
# datastore to be propagated to replica nodes
# of another datacenter.
# When in a distributed environment such as
# a multi-datacenter Cassandra cluster, this
# value should be the maximum number of
# seconds taken by Cassandra to propagate a
# row to other datacenters.
# When set, this property will increase the
# time taken by Kong to propagate the change
# of an entity.
# Single-datacenter setups or PostgreSQL
# servers should suffer no such delays, and
# this value can be safely set to 0.
#db_cache_ttl = 0 # Time-to-live (in seconds) of an entity from
# the datastore when cached by this node.
# Database misses (no entity) are also cached
# according to this setting if you do not
# configure `db_cache_neg_ttl`.
# If set to 0 (default), such cached entities
# or misses never expire.
#db_cache_neg_ttl = # Time-to-live (in seconds) of a datastore
# miss (no entity).
# If not specified (default), `db_cache_ttl`
# value will be used instead.
# If set to 0, misses will never expire.
#db_resurrect_ttl = 30 # Time (in seconds) for which stale entities
# from the datastore should be resurrected for
# when they cannot be refreshed (e.g., the
# datastore is unreachable). When this TTL
# expires, a new attempt to refresh the stale
# entities will be made.
#db_cache_warmup_entities = services
# Entities to be pre-loaded from the datastore
# into the in-memory cache at Kong start-up.
# This speeds up the first access of endpoints
# that use the given entities.
# When the `services` entity is configured
# for warmup, the DNS entries for values in
# its `host` attribute are pre-resolved
# asynchronously as well.
# Cache size set in `mem_cache_size` should
# be set to a value large enough to hold all
# instances of the specified entities.
# If the size is insufficient, Kong will log
# a warning.
#------------------------------------------------------------------------------
# DNS RESOLVER
#------------------------------------------------------------------------------
# By default, the DNS resolver will use the standard configuration files
# `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be
# overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if
# they have been set.
# Kong will resolve hostnames as either `SRV` or `A` records (in that order, and
# `CNAME` records will be dereferenced in the process).
# In case a name was resolved as an `SRV` record it will also override any given
# port number by the `port` field contents received from the DNS server.
# The DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will
# be used to expand short names to fully qualified ones. So it will first try
# the entire `SEARCH` list for the `SRV` type, if that fails it will try the
# `SEARCH` list for `A`, etc.
# For the duration of the `ttl`, the internal DNS resolver will load-balance each
# request it gets over the entries in the DNS record. For `SRV` records the
# `weight` fields will be honored, but it will only use the lowest `priority`
# field entries in the record.
#dns_resolver = # Comma separated list of nameservers, each
# entry in `ip[:port]` format to be used by
# Kong. If not specified the nameservers in
# the local `resolv.conf` file will be used.
# Port defaults to 53 if omitted. Accepts
# both IPv4 and IPv6 addresses.
#dns_hostsfile = /etc/hosts # The hosts file to use. This file is read
# once and its content is static in memory.
# To read the file again after modifying it,
# Kong must be reloaded.
#dns_order = LAST,SRV,A,CNAME # The order in which to resolve different
# record types. The `LAST` type means the
# type of the last successful lookup (for the
# specified name). The format is a (case
# insensitive) comma separated list.
#dns_valid_ttl = # By default, DNS records are cached using
# the TTL value of a response. If this
# property receives a value (in seconds), it
# will override the TTL for all records.
#dns_stale_ttl = 4 # Defines, in seconds, how long a record will
# remain in cache past its TTL. This value
# will be used while the new DNS record is
# fetched in the background.
# Stale data will be used from expiry of a
# record until either the refresh query
# completes, or the `dns_stale_ttl` number of
# seconds have passed.
#dns_cache_size = 10000 # Defines the maximum allowed number of
# DNS records stored in memory cache.
# Least recently used DNS records are discarded
# from cache if it is full. Both errors and
# data are cached, therefore a single name query
# can easily take up 10-15 slots.
#dns_not_found_ttl = 30 # TTL in seconds for empty DNS responses and
# "(3) name error" responses.
#dns_error_ttl = 1 # TTL in seconds for error responses.
#dns_no_sync = off # If enabled, then upon a cache-miss every
# request will trigger its own dns query.
# When disabled multiple requests for the
# same name/type will be synchronised to a
# single query.
#------------------------------------------------------------------------------
# TUNING & BEHAVIOR
#------------------------------------------------------------------------------
#worker_consistency = strict
# Defines whether this node should rebuild its
# state synchronously or asynchronously (the
# balancers and the router are rebuilt on
# updates that affect them, e.g., updates to
# Routes, Services or Upstreams, via the Admin
# API or loading a declarative configuration
# file).
# Accepted values are:
# - `strict`: the router will be rebuilt
# synchronously, causing incoming requests to
# be delayed until the rebuild is finished.
# - `eventual`: the router will be rebuilt
# asynchronously via a recurring background
# job running every second inside of each
# worker.
# Note that `strict` ensures that all workers
# of a given node will always proxy requests
# with an identical router, but that increased
# long tail latency can be observed if
# frequent Routes and Services updates are
# expected.
# Using `eventual` will help prevent long
# tail latency issues in such cases, but may
# cause workers to route requests differently
# for a short period of time after Routes and
# Services updates.
#worker_state_update_frequency = 5
# Defines how often the worker state changes are
# checked with a background job. When a change
# is detected, a new router or balancer will be
# built, as needed. Raising this value will
# decrease the load on database servers and
# result in less jitter in proxy latency, but
# it might take more time to propagate changes
# to each individual worker.
#------------------------------------------------------------------------------
# MISCELLANEOUS
#------------------------------------------------------------------------------
# Additional settings inherited from lua-nginx-module allowing for more
# flexibility and advanced usage.
# See the lua-nginx-module documentation for more information:
# https://github.com/openresty/lua-nginx-module
#lua_ssl_trusted_certificate = # Comma-separated list of paths to certificate
# authority files for Lua cosockets in PEM format.
# The special value `system` attempts to search for the
# "usual default" provided by each distro, according
# to an arbitrary heuristic. In the current implementation,
# the following pathnames will be tested in order,
# and the first one found will be used:
# - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
# - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
# - /etc/ssl/ca-bundle.pem (OpenSUSE)
# - /etc/pki/tls/cacert.pem (OpenELEC)
# - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
# - /etc/ssl/cert.pem (OpenBSD, Alpine)
# If no file is found on any of these paths, an error will
# be raised.
# `system` can be used by itself or in conjunction with other
# CA filepaths.
# When `pg_ssl_verify` or `cassandra_ssl_verify`
# are enabled, these certificate authority files will be
# used for verifying Kong's database connections.
# See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
#lua_ssl_verify_depth = 1 # Sets the verification depth in the server
# certificates chain used by Lua cosockets,
# set by `lua_ssl_trusted_certificate`.
# This includes the certificates configured
# for Kong's database connections.
# If the maximum depth is reached before
# reaching the end of the chain, verification
# will fail. This helps mitigate certificate-based
# DoS attacks.
# See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 # Defines the TLS versions supported
# when handshaking with OpenResty's
# TCP cosocket APIs.
# This affects connections made by Lua
# code, such as connections to the
# database Kong uses, or when sending logs
# using a logging plugin. It does *not*
# affect connections made to the upstream
# Service or from downstream clients.
#lua_package_path = ./?.lua;./?/init.lua; # Sets the Lua module search path
# (LUA_PATH). Useful when developing
# or using custom plugins not stored
# in the default search path.
# See https://github.com/openresty/lua-nginx-module#lua_package_path
#lua_package_cpath = # Sets the Lua C module search path
# (LUA_CPATH).
# See https://github.com/openresty/lua-nginx-module#lua_package_cpath
#lua_socket_pool_size = 30 # Specifies the size limit for every cosocket
# connection pool associated with every remote
# server.
# See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size
#enforce_rbac = off # Specifies whether Admin API RBAC is enforced.
# Accepts one of `entity`, `both`, `on`, or
# `off`.
# - `on`: only endpoint-level authorization
# is enforced.
# - `entity`: entity-level authorization
# applies.
# - `both`: enables both endpoint and
# entity-level authorization.
# - `off`: disables both endpoint and
# entity-level authorization.
# When enabled, Kong will deny requests to the
# Admin API when a nonexistent or invalid RBAC
# authorization token is passed, or the RBAC
# user with which the token is associated does
# not have permissions to access/modify the
# requested resource.
#rbac_auth_header = Kong-Admin-Token # Defines the name of the HTTP request
# header from which the Admin API will
# attempt to authenticate the RBAC user.
#event_hooks_enabled = on # When enabled, event hook entities represent a relationship
# between an event (source and event) and an action
# (handler). Similar to web hooks, event hooks can be used to
# communicate Kong Gateway service events. When a particular
# event happens on a service, the event hook calls a URL with
# information about that event. Event hook configurations
# differ depending on the handler. The events that are
# triggered send associated data.
# See: https://docs.konghq.com/enterprise/latest/admin-api/event-hooks/reference/
#------------------------------------------------------------------------------
# KONG MANAGER
#------------------------------------------------------------------------------
# The Admin GUI for Kong Enterprise.
#admin_gui_listen = 0.0.0.0:8002, 0.0.0.0:8445 ssl
# Kong Manager Listeners
# Comma-separated list of addresses and ports on which
# Kong will expose Kong Manager. This web application
# lets you configure and manage Kong, and therefore
# should be kept secured.
# Suffixes can be specified for each pair, similarly to
# the `admin_listen` directive.
#admin_gui_url = # Kong Manager URL
# The lookup, or balancer, address for Kong Manager.
# Accepted format (items in parentheses are optional):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# Examples:
# - `http://127.0.0.1:8003`
# - `https://kong-admin.test`
# - `http://dev-machine/dev-285`
# By default, Kong Manager will use the window request
# host and append the resolved listener port depending
# on the requested protocol.
#admin_gui_ssl_cert = # The absolute path to the SSL certificate for
# `admin_gui_listen` values with SSL enabled.
#admin_gui_ssl_cert_key = # The absolute path to the SSL key for
# `admin_gui_listen` values with SSL enabled.
#admin_gui_flags = {}
# Alters the layout of the Admin GUI (JSON)
# The only supported value is `{ "IMMUNITY_ENABLED": true }`
# to enable Kong Immunity in the Admin GUI.
#admin_gui_access_log = logs/admin_gui_access.log
# Kong Manager Access Logs
# Here you can set an absolute or relative path for Kong
# Manager access logs. When the path is relative,
# logs are placed in the `prefix` location.
# Setting this value to `off` disables access logs
# for Kong Manager.
#admin_gui_error_log = logs/admin_gui_error.log
# Kong Manager Error Logs
# Here you can set an absolute or relative path for Kong
# Manager error logs. When the path is relative,
# logs are placed in the `prefix` location.
# Setting this value to `off` disables error logs for
# Kong Manager.
# Granularity can be adjusted through the `log_level`
# directive.
#admin_gui_auth = # Kong Manager Authentication Plugin Name
# Secures access to Kong Manager by specifying an
# authentication plugin to use.
# Supported Plugins:
# - `basic-auth`: Basic Authentication plugin
# - `ldap-auth-advanced`: LDAP Authentication plugin
# - `openid-connect`: OpenID Connect Authentication
# plugin
#admin_gui_auth_conf = # Kong Manager Authentication Plugin Config (JSON)
# Specifies the configuration for the authentication
# plugin specified in `admin_gui_auth`.
# For information about Plugin Configuration
# consult the associated plugin documentation.
# Example for `basic-auth`:
# `admin_gui_auth_conf = { "hide_credentials": true }`
#admin_gui_auth_password_complexity = # Kong Manager Authentication Password Complexity (JSON)
# When `admin_gui_auth = basic-auth`, this property defines
# the rules required for Kong Manager passwords. Choose
# from preset rules or write your own.
# Example using preset rules:
# `admin_gui_auth_password_complexity = { "kong-preset": "min_8" }`
# All values for kong-preset require the password to contain
# characters from at least three of the following categories:
# 1. Uppercase characters (A through Z)
# 2. Lowercase characters (a through z)
# 3. Base-10 digits (0 through 9)
# 4. Special characters (for example, &, $, #, %)
# Supported preset rules:
# - `min_8`: minimum length of 8
# - `min_12`: minimum length of 12
# - `min_20`: minimum length of 20
# To write your own rules, see
# https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.
# NOTE: Only keywords "min", "max" and "passphrase" are supported.
# Example:
# `admin_gui_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#admin_gui_session_conf = # Kong Manager Session Config (JSON)
# Specifies the configuration for the Session plugin as
# used by Kong Manager.
# For information about plugin configuration, consult
# the Kong Session plugin documentation.
# Example:
# ```
# admin_gui_session_conf = { "cookie_name": "kookie", \
# "secret": "changeme" }
# ```
#admin_gui_auth_header = Kong-Admin-User
# Defines the name of the HTTP request header from which
# the Admin API will attempt to identify the Kong Admin
# user.
#admin_gui_auth_login_attempts = 0
# Number of times a user can attempt to login to Kong
# Manager. 0 means infinite attempts allowed.
#admin_gui_header_txt = # Kong Manager Header Text
# Sets text for Kong Manager Header Banner. Header Banner
# is not shown if this config is empty.
#admin_gui_header_bg_color = # Kong Manager Header Background Color
# Sets background color for Kong Manager Header Banner
# Accepts css color keyword, #-hexadecimal or rgb
# format. Invalid values are ignored by Manager.
#admin_gui_header_txt_color = # Kong Manager Header Text Color
# Sets text color for Kong Manager Header Banner.
# Accepts css color keyword, #-hexadecimal or rgb
# format. Invalid values are ignored by Kong Manager.
#admin_gui_footer_txt = # Kong Manager Footer Text
# Sets text for Kong Manager Footer Banner. Footer Banner
# is not shown if this config is empty.
#admin_gui_footer_bg_color = # Kong Manager Footer Background Color
# Sets background color for Kong Manager Footer Banner.
# Accepts css color keyword, #-hexadecimal or rgb
# format. Invalid values are ignored by Manager.
#admin_gui_footer_txt_color = # Kong Manager Footer Text Color
# Sets text color for Kong Manager Footer Banner.
# Accepts css color keyword, #-hexadecimal or rgb
# format. Invalid values are ignored by Kong Manager.
#admin_gui_login_banner_title = # Kong Manager Login Banner Title Text
# Sets title text for Kong Manager Login Banner.
# Login Banner is not shown if both
# `admin_gui_login_banner_title` and
# `admin_gui_login_banner_body` are empty.
#admin_gui_login_banner_body = # Kong Manager Login Banner Body Text
# Sets body text for Kong Manager Login Banner.
# Login Banner is not shown if both
# `admin_gui_login_banner_title` and
# `admin_gui_login_banner_body` are empty.
#------------------------------------------------------------------------------
# VITALS
#------------------------------------------------------------------------------
#vitals = on # When enabled, Kong will store and report
# metrics about its performance.
# When running Kong in a multi-node setup,
# `vitals` entails two separate meanings
# depending on the node.
# On a Proxy-only node, `vitals` determines
# whether to collect data for Vitals.
# On an Admin-only node, `vitals` determines
# whether to display Vitals metrics and
# visualizations on the dashboard.
#vitals_strategy = database # Determines whether to use the Kong database
# (either PostgreSQL or Cassandra, as defined
# by the `database` config value above), or a
# separate storage engine, for Vitals metrics.
# Accepted values are `database`, `prometheus`,
# or `influxdb`.
#vitals_tsdb_address = # Defines the host and port of the TSDB server
# to which Vitals data is written and read.
# This value is only applied when the
# `vitals_strategy` option is set to
# `prometheus` or `influxdb`. This value
# accepts IPv4, IPv6, and hostname values.
# If the `vitals_strategy` is set to
# `prometheus`, this value determines the
# address of the Prometheus server from which
# Vitals data will be read. For `influxdb`
# strategies, this value controls both the read
# and write source for Vitals data.
#vitals_tsdb_user = # Influxdb user
#vitals_tsdb_password = # Influxdb password
#vitals_statsd_address = # Defines the host and port (and an optional
# protocol) of the StatsD server to which
# Kong should write Vitals metrics. This value
# is only applied when the `vitals_strategy` is
# set to `prometheus`. This value accepts IPv4,
# IPv6, and hostnames. Additionally, the suffix
# `tcp` can be specified; doing so will result
# in Kong sending StatsD metrics via TCP
# instead of the UDP (default).
#vitals_statsd_prefix = kong # Defines the prefix value attached to all
# Vitals StatsD events. This prefix is useful
# when writing metrics to a multi-tenant StatsD
# exporter or server.
#vitals_statsd_udp_packet_size = 1024 # Defines the maximum buffer size in
# which Vitals statsd metrics will be
# held and sent in batches.
# This value is defined in bytes.
#vitals_prometheus_scrape_interval = 5 # Defines the scrape_interval query
# parameter sent to the Prometheus
# server when reading Vitals data.
# This should be same as the scrape
# interval (in seconds) of the
# Prometheus server.
#------------------------------------------------------------------------------
# DEVELOPER PORTAL
#------------------------------------------------------------------------------
#portal = off
# Developer Portal Switch
# When enabled:
# Kong will expose the Dev Portal interface and
# read-only APIs on the `portal_gui_listen` address,
# and endpoints on the Admin API to manage assets.
# When enabled along with `portal_auth`:
# Kong will expose management endpoints for developer
# accounts on the Admin API and the Dev Portal API.
#portal_gui_listen = 0.0.0.0:8003, 0.0.0.0:8446 ssl
# Developer Portal GUI Listeners
# Comma-separated list of addresses on which Kong will
# expose the Developer Portal GUI. Suffixes can be
# specified for each pair, similarly to
# the `admin_listen` directive.
#portal_gui_protocol = http
# Developer Portal GUI protocol
# The protocol used in conjunction with
# `portal_gui_host` to construct the lookup or balancer
# address for your Kong Proxy nodes.
# Examples: `http`,`https`
#portal_gui_host = 127.0.0.1:8003
# Developer Portal GUI host
# The host used in conjunction with
# `portal_gui_protocol` to construct the lookup
# or balancer address for your Kong Proxy nodes.
# Examples:
# - `<IP>:<PORT>`
# -> `portal_gui_host = 127.0.0.1:8003`
# - `<HOSTNAME>`
# -> `portal_gui_host = portal_api.domain.tld`
# - `<HOSTNAME>/<PATH>`
# -> `portal_gui_host = dev-machine/dev-285`
#portal_cors_origins = # Developer Portal CORS Origins
# A comma separated list of allowed domains for
# `Access-Control-Allow-Origin` header. This can be used to
# resolve CORS issues in custom networking environments.
# Examples:
# - list of domains:
# `portal_cors_origins = http://localhost:8003, https://localhost:8004`
# - single domain:
# `portal_cors_origins = http://localhost:8003`
# - all domains:
# `portal_cors_origins = *`
# NOTE: In most cases, the Developer Portal is able to derive
# valid CORS origins by using `portal_gui_protocol`, `portal_gui_host`,
# and if applicable, `portal_gui_use_subdomains`. In these cases,
# `portal_cors_origins` is not needed and can remain unset.
#portal_gui_use_subdomains = off
# Developer Portal GUI subdomain toggle
# By default Kong Portal uses the first namespace in
# the request path to determine workspace. By turning
# `portal_gui_use_subdomains` on, Kong Portal will expect
# workspace to be included in the request url as a subdomain.
# Example (off):
# - `<scheme>://<HOSTNAME>/<WORKSPACE>/<PATH>` ->
# `http://kong-portal.com/example-workspace/index`
# Example (on):
# - `<scheme>://<WORKSPACE>.<HOSTNAME>` ->
# `http://example-workspace.kong-portal.com/index`
#portal_gui_ssl_cert = # Developer Portal GUI SSL Certificate
# The absolute path to the SSL certificate for
# `portal_gui_listen` values with SSL enabled.
#portal_gui_ssl_cert_key = # Developer Portal GUI SSL Certificate Key
# The absolute path to the SSL key for
# `portal_gui_listen` values with SSL enabled.
#portal_gui_access_log = logs/portal_gui_access.log
# Developer Portal GUI Access Log location
# Here you can set an absolute or relative path for your
# Portal GUI access logs.
# Setting this value to `off` will disable logging
# Portal GUI access logs.
# When using relative pathing, logs will be placed under
# the `prefix` location.
#portal_gui_error_log = logs/portal_gui_error.log
# Developer Portal GUI Error Log location
# Here you can set an absolute or relative path for your
# Portal GUI error logs.
# Setting this value to `off` will disable logging
# Portal GUI error logs.
# When using relative pathing, logs will be placed under
# the `prefix` location.
# Granularity can be adjusted through the `log_level`
# directive.
#portal_api_listen = 0.0.0.0:8004, 0.0.0.0:8447 ssl
# Developer Portal API Listeners
# Comma-separated list of addresses on which Kong will
# expose the Developer Portal API. Suffixes can be
# specified for each pair, similarly to
# the `admin_listen` directive.
#portal_api_url = # Developer Portal API URL
# The lookup, or balancer, address for your Developer
# Portal nodes.
# This value is commonly used in a microservices
# or service-mesh oriented architecture.
# `portal_api_url` is the address on which your
# Kong Dev Portal API is accessible by Kong. You
# should only set this value if your Kong Dev Portal API
# lives on a different node than your Kong Proxy.
# Accepted format (parts in parentheses are optional):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# Examples:
# - `<scheme>://<IP>:<PORT>`
# -> `portal_api_url = http://127.0.0.1:8003`
# - `SSL <scheme>://<HOSTNAME>`
# -> `portal_api_url = https://portal_api.domain.tld`
# - `<scheme>://<HOSTNAME>/<PATH>`
# -> `portal_api_url = http://dev-machine/dev-285`
# By default this value points to the local interface:
# - `http://0.0.0.0:8004`
#portal_api_ssl_cert = # Developer Portal API SSL Certificate
# The absolute path to the SSL certificate for
# `portal_api_listen` values with SSL enabled.
#portal_api_ssl_cert_key = # Developer Portal API SSL Certificate Key
# The absolute path to the SSL key for
# `portal_api_listen` values with SSL enabled.
#portal_api_access_log = logs/portal_api_access.log
# Developer Portal API Access Log location
# Here you can set an absolute or relative path for your
# Portal API access logs.
# Setting this value to `off` will disable logging
# Portal API access logs.
# When using relative pathing, logs will be placed under
# the `prefix` location.
#portal_api_error_log = logs/portal_api_error.log
# Developer Portal API Error Log location
# Here you can set an absolute or relative path for your
# Portal API error logs.
# Setting this value to `off` will disable logging
# Portal API error logs.
# When using relative pathing, logs will be placed under
# the `prefix` location.
# Granularity can be adjusted through the `log_level`
# directive.
#portal_is_legacy = off
# Developer Portal legacy support
# Setting this value to `on` will cause all new
# portals to render using the legacy rendering system by default.
# Setting this value to `off` will cause all new
# portals to render using the current rendering system.
#portal_app_auth = kong-oauth2
# Developer Portal application registration
# auth provider and strategy. Must be set to enable the
# `application_registration` plugin.
# Currently accepts `kong-oauth2` or `external-oauth2`.
#------------------------------------------------------------------------------
# DEFAULT DEVELOPER PORTAL AUTHENTICATION
#------------------------------------------------------------------------------
# Referenced on workspace creation to set Dev Portal authentication defaults
# in the database for that particular workspace.
#portal_auth = # Developer Portal Authentication Plugin Name
# Specifies the authentication plugin
# to apply to your Developer Portal. Developers
# will use the specified form of authentication
# to request access, register, and login to your
# Developer Portal.
# Supported Plugins:
# - Basic Authentication: `portal_auth = basic-auth`
# - OIDC Authentication: `portal_auth = openid-connect`
#portal_auth_password_complexity = # Kong Portal Authentication Password Complexity (JSON)
# When portal_auth = basic-auth, this property defines
# the rules required for Kong Portal passwords. Choose
# from preset rules or write your own.
# Example using preset rules:
# `portal_auth_password_complexity = { "kong-preset": "min_8" }`
# All values for kong-preset require the password to contain
# characters from at least three of the following categories:
# 1. Uppercase characters (A through Z)
# 2. Lowercase characters (a through z)
# 3. Base-10 digits (0 through 9)
# 4. Special characters (for example, &, $, #, %)
# Supported preset rules:
# - `min_8`: minimum length of 8
# - `min_12`: minimum length of 12
# - `min_20`: minimum length of 20
# To write your own rules, see
# https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.
# NOTE: Only keywords "min", "max" and "passphrase" are supported.
# Example:
# `portal_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#portal_auth_conf = # Developer Portal Authentication Plugin Config (JSON)
# Specifies the plugin configuration object
# in JSON format to be applied to your Developer
# Portal authentication.
# For information about Plugin Configuration
# consult the associated plugin documentation.
# Example for `basic-auth`:
# `portal_auth_conf = { "hide_credentials": true }`
#portal_auth_login_attempts = 0
# Number of times a user can attempt to log in to the
# Dev Portal before the password must be reset.
# 0 (default) means infinite attempts allowed.
# Note: Any value greater than 0 will only affect
# Dev Portals secured with basic-auth.
#portal_session_conf = # Portal Session Config (JSON)
# Specifies the configuration for the
# Session plugin as used by Kong Portal.
# For information about Plugin Configuration consult
# the Kong Session Plugin documentation.
# Example:
# ```
# portal_session_conf = { "cookie_name": "portal_session", \
# "secret": "changeme", \
# "storage": "kong" }
# ```
#portal_auto_approve = off
# Developer Portal Auto Approve Access
# When this flag is set to `on`, a developer will
# automatically be marked as "approved" after completing
# registration. Access can still be revoked through the
# Admin GUI or API.
#portal_token_exp = 21600
# Duration in seconds for the expiration of portal
# login reset/account validation token.
#portal_email_verification = off
# Portal Developer Email Verification.
# When enabled Developers will receive an email upon
# registration to verify their account. Developers will
# not be able to use the Developer Portal until they
# verify their account.
# Note: SMTP must be turned on in order to use this feature.
#------------------------------------------------------------------------------
# DEFAULT PORTAL SMTP CONFIGURATION
#------------------------------------------------------------------------------
# Referenced on workspace creation to set SMTP defaults in the database
# for that particular workspace.
#portal_invite_email = on
# Enable or disable portal_invite_email
#portal_access_request_email = on
# Enable or disable portal_access_request_email
#portal_approved_email = on
# Enable or disable portal_approved_email
#portal_reset_email = on
# Enable or disable portal_reset_email
#portal_reset_success_email = on
# Enable or disable portal_reset_success_email
#portal_application_status_email = off
# When enabled, developers will receive an email
# when the status changes for their application
# service requests.
# When disabled, developers will still be able
# to view the status in their developer portal
# application page.
# The email looks like the following:
# ```
# Subject: Dev Portal application request <REQUEST_STATUS> (<DEV_PORTAL_URL>)
# Hello Developer,
# We are emailing you to let you know that your request for application access from the
# Developer Portal account at <DEV_PORTAL_URL> is <REQUEST_STATUS>.
# Application: <APPLICATION_NAME>
# Service: <SERVICE_NAME>
# You will receive another email when your access has been approved.
# ```
#portal_application_request_email = off
# When enabled, Kong admins specified by `smtp_admin_emails`
# will receive an email when a developer requests access
# to a service through an application.
# When disabled, Kong admins will have to manually check
# the Kong Manager to view any requests.
# By default, `smtp_admin_emails` will be the recipients.
# This can be overridden by `portal_smtp_admin_emails`,
# which can be set dynamically per workspace through
# the Admin API.
# The email looks like the following:
# ```
# Subject: Request to access Dev Portal (<DEV_PORTAL_URL>) service from <DEVELOPER_EMAIL>
# Hello Admin,
# <DEVELOPER NAME> (<DEVELOPER_EMAIL>) has requested application access for <DEV_PORTAL_URL>.
# Requested workspace: <WORKSPACE_NAME>
# Requested application: <APPLICATION_NAME>
# Requested service: <SERVICE_NAME>
# Please visit <KONG_MANAGER_URL/WORKSPACE_NAME/applications/APPLICATION_ID#requested> to review this request.
# ```
#portal_emails_from = # The name and email address for the `From` header
# for portal emails
# Example:
# `portal_emails_from = Your Name <example@example.com>`
# Note: Some SMTP servers will not use
# this value, but instead insert the email and name
# associated with the account.
#portal_emails_reply_to = # Email address for the `Reply-To` header for
# portal emails
# Example:
# `portal_emails_reply_to = example@example.com`
# Note: Some SMTP servers will not use
# this value, but instead insert the email
# associated with the account.
#portal_smtp_admin_emails =
# Comma separated list of admin emails to receive
# portal notifications. Can be dynamically set per
# workspace through the Admin API.
# If not set, `smtp_admin_emails` will be used.
# Example `admin1@example.com, admin2@example.com`
#------------------------------------------------------------------------------
# ADMIN SMTP CONFIGURATION
#------------------------------------------------------------------------------
#admin_emails_from = "" # The email address for the `From` header
# for admin emails.
#admin_emails_reply_to = # Email address for the `Reply-To` header
# for admin emails.
#admin_invitation_expiry = 259200 # Expiration time for the admin invitation link
# (in seconds). 0 means no expiration.
# Example, 72 hours: `72 * 60 * 60 = 259200`
#------------------------------------------------------------------------------
# GENERAL SMTP CONFIGURATION
#------------------------------------------------------------------------------
#smtp_mock = on # This flag will mock the sending of emails. This can be
# used for testing before the SMTP client is fully
# configured.
#smtp_host = localhost
# The hostname of the SMTP server to connect to.
#smtp_port = 25
# The port number on the SMTP server to connect to.
#smtp_starttls = off
# When set to `on`, STARTTLS is used to encrypt
# communication with the SMTP server. This is normally
# used in conjunction with port 587.
#smtp_username = # Username used for authentication with SMTP server
#smtp_password = # Password used for authentication with SMTP server
#smtp_ssl = off
# When set to `on`, SMTPS is used to encrypt
# communication with the SMTP server. This is normally
# used in conjunction with port 465.
#smtp_auth_type = # The method used to authenticate with the SMTP server
# Valid options are `plain`, `login`, or `nil`
#smtp_domain = localhost.localdomain
# The domain used in the `EHLO` connection and part of
# the `Message-ID` header
#smtp_timeout_connect = 60000
# The timeout (in milliseconds) for connecting to the
# SMTP server.
#smtp_timeout_send = 60000
# The timeout (in milliseconds) for sending data to the
# SMTP server.
#smtp_timeout_read = 60000
# The timeout (in milliseconds) for reading data from
# the SMTP server.
#smtp_admin_emails = # Comma separated list of admin emails to receive
# notifications.
# Example `admin1@example.com, admin2@example.com`
#-------------------------------------------------------------------------------
# DATA & ADMIN AUDIT
#-------------------------------------------------------------------------------
# When enabled, Kong will store detailed audit data regarding Admin API and
# database access. In most cases, updates to the database are associated with
# Admin API requests. As such, database object audit log data is tied to a
# given HTTP request via a unique identifier, providing built-in association of Admin
# API and database traffic.
#audit_log = off # When enabled, Kong will log information about
# Admin API access and database row insertions,
# updates, and deletes.
#audit_log_ignore_methods = # Comma-separated list of HTTP methods that
# will not generate audit log entries. By
# default, all HTTP requests will be logged.
#audit_log_ignore_paths = # Comma-separated list of request paths that
# will not generate audit log entries. By
# default, all HTTP requests will be logged.
#audit_log_ignore_tables = # Comma-separated list of database tables that
# will not generate audit log entries. By
# default, updates to all database tables will
# be logged (the term "updates" refers to the
# creation, update, or deletion of a row).
#audit_log_payload_exclude = token, secret, password
# Comma-separated list of keys that will be
# filtered out of the payload. Keys that were
# filtered will be recorded in the audit log.
#audit_log_record_ttl = 2592000 # Length, in seconds, of the TTL for audit log
# records. Records in the database older than
# their TTL are automatically purged.
# Example, 30 days: `30 * 24 * 60 * 60 = 2592000`
#audit_log_signing_key = # Defines the path to a private RSA signing key
# that can be used to insert a signature of
# audit records, adjacent to the record. The
# corresponding public key should be stored
# offline, and can be used to validate audit
# entries in the future. If this value is
# undefined, no signature will be generated.
#-------------------------------------------------------------------------------
# GRANULAR TRACING
#-------------------------------------------------------------------------------
# Granular tracing offers a mechanism to expose metrics and detailed debug data
# about the lifecycle of Kong in a human- or machine-consumable format.
#tracing = off # When enabled, Kong will generate granular
# debug data about various portions of the
# request lifecycle, such as DB or DNS queries,
# plugin execution, core handler timing, etc.
#tracing_write_strategy = file # Defines how Kong will write tracing data at
# the conclusion of the request. The default
# option, `file`, writes a human-readable
# depiction of tracing data to a configurable
# location on the node's file system. Other
# strategies write tracing data as a JSON
# document to the configured endpoint. Valid
# entries for this option are `file`,
# `file_raw`, `http`, `tcp`, `tls`, and `udp`.
#tracing_write_endpoint = # Defines the endpoint to which tracing data
# will be written.
# - For the `file` and `file_raw` tracing write
# strategies, this value must be a valid
# location on the node's file system to which
# Kong must have write access.
# - For the `tcp`, `tls`, and
# `udp` strategies, this value is defined as a
# string in the form of:
# `<HOST>:<PORT>`
# - For the `http` strategy, this value is
# defined in the form of:
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# Traces sent via HTTP are delivered via POST
# method with an `application/json`
# Content-Type.
#tracing_time_threshold = 0 # The minimum time, in microseconds, over which
# a trace must execute in order to write the
# trace data to the configured endpoint. This
# configuration can be used to lower the noise
# present in trace data by removing trace
# objects that are not interesting from a
# timing perspective. The default value of `0`
# removes this limitation, causing traces of
# any duration to be written.
#tracing_types = all # Defines the types of traces that are written.
# Trace types not defined in this list are
# ignored, regardless of their lifetime. The
# default special value of `all` results in all
# trace types being written, regardless of type.
# The following trace types are included:
# - `query`: trace the database query
# - `legacy_query`: (deprecated) trace the
# database query with legacy DAO
# - `router`: trace Kong routing the request;
# internal routing time
# - `balancer`: trace the execution of the overall
# balancer phase
# - `balancer.getPeer`: trace Kong selecting an
# upstream peer from the ring-balancer
# - `balancer.toip`: trace balancer to resolve
# peer's host to IP
# - `connect.toip`: trace cosocket to resolve
# target's host to IP
# - `access.before`: trace the preprocessing of
# access phase, like parameter parsing, route
# matching, and balance preparation
# - `access.after`: trace the postprocess of
# access phase, like balancer execution and
# internal variable assigning
# - `cassandra_iterate`: trace Cassandra driver to
# paginate over results
# - `plugin`: trace plugins phase handlers
#tracing_debug_header = # Defines the name of the HTTP request header
# that must be present in order to generate
# traces within a request. Setting this value
# provides a mechanism to selectively generate
# request traces at the client's request. Note
# that the value of the header does not matter,
# only that the header is present in the
# request. When this value is not set and
# tracing is enabled, Kong will generate trace
# data for all requests flowing through the
# proxy and Admin API. Note that data from
# certificate handling phases is not logged
# when this setting is enabled.
#generate_trace_details = off # When enabled, Kong will write context-
# specific details into traces. Trace details
# offer more data about the context of the
# trace. This can significantly increase the
# size of trace reports. Note also that trace
# details may contain potentially sensitive
# information, such as raw SQL queries; care
# should be taken to store traces properly when
# this option is enabled.
#-------------------------------------------------------------------------------
# ROUTE COLLISION DETECTION/PREVENTION
#-------------------------------------------------------------------------------
#route_validation_strategy = smart # The strategy used to validate
# routes when creating or updating them.
# Different strategies are available to tune
# how to enforce splitting traffic of
# workspaces.
# - `smart` is the default option and uses the
# algorithm described in
# https://docs.konghq.com/enterprise/latest/admin-api/workspaces/examples/#important-note-conflicting-services-or-routes-in-workspaces
# - `off` disables any check
# - `path` enforces routes to comply with the pattern
# described in the `enforce_route_path_pattern` setting
#enforce_route_path_pattern = # Specifies the Lua pattern which will
# be enforced on the `paths` attribute of a
# Route object. You can also add a placeholder
# for the workspace in the pattern, which
# will be rendered during runtime based on the
# workspace to which the `route` belongs.
# This setting is only relevant if
# `route_validation_strategy` is set to `path`.
# Example
# For Pattern `/$(workspace)/v%d/.*` valid paths
# are:
# 1. `/group1/v1/` if route belongs to
# workspace `group1`.
# 2. `/group2/v1/some_path` if route belongs to
# workspace `group2`.
#-------------------------------------------------------------------------------
# DATABASE ENCRYPTION & KEYRING MANAGEMENT
#-------------------------------------------------------------------------------
# When enabled, Kong will transparently encrypt sensitive fields, such as Consumer
# credentials, TLS private keys, and RBAC user tokens, among others. A full list
# of encrypted fields is available from the Kong Enterprise documentation site.
# Encrypted data is transparently decrypted before being displayed to the Admin
# API or made available to plugins or core routing logic.
# While this feature is GA, do note that we currently do not provide normal semantic
# versioning compatibility guarantees on the keyring feature's APIs in that Kong may
# make a breaking change to the feature in a minor version. Also note that
# mis-management of keyring data may result in irrecoverable data loss.
#keyring_enabled = off # When enabled, Kong will encrypt sensitive
# field values before writing them to the
# database, and subsequently decrypt them when
# retrieving data for the Admin API, Developer
# Portal, or proxy business logic. Symmetric
# encryption keys are managed based on the
# strategy defined below.
#keyring_strategy = cluster # Defines the strategy implementation by which
# Kong nodes will manage symmetric encryption
# keys. Please see the Kong Enterprise
# documentation for a detailed description of
# each strategy. Acceptable values for this
# option are 'cluster' and 'vault'.
#keyring_public_key = # Defines the filesystem path at which the
# public key of an RSA keypair resides. This
# keypair is used for symmetric keyring import/
# export, e.g., for disaster recovery and
# optional bootstrapping.
#keyring_private_key = # Defines the filesystem path at which the
# private key of an RSA keypair resides. This
# keypair is used for symmetric keyring import/
# export, e.g., for disaster recovery and
# optional bootstrapping.
#keyring_blob_path = # Defines the filesystem path at which Kong
# will backup the initial keyring material.
# This option is useful largely for development
# purposes.
#keyring_vault_host = # Defines the Vault host at which Kong will
# fetch the encryption material. This value
# should be defined in the format:
# `<scheme>://<IP / HOSTNAME>:<PORT>`
#keyring_vault_mount = # Defines the name of the Vault v2 KV secrets
# engine at which symmetric keys are found.
#keyring_vault_path = # Defines the names of the Vault v2 KV path
# at which symmetric keys are found.
#keyring_vault_token = # Defines the token value used to communicate
# with the v2 KV Vault HTTP(S) API.
#untrusted_lua = sandbox
# Controls loading of Lua functions from admin-supplied
# sources such as the Admin API. LuaJIT bytecode
# loading is always disabled.
# **Warning:** LuaJIT is not designed as a secure
# runtime for running malicious code, therefore
# you should properly protect your Admin API endpoint
# even with sandboxing enabled. The sandbox only
# provides protection against trivial attackers or
# unintentional modification of the Kong global
# environment.
# Accepted values are: `off`, `sandbox`, or
# `on`:
# * `off`: Disallow loading of any arbitrary
# Lua functions. The `off` option
# disables any functionality that runs
# arbitrary Lua code, including the
# Serverless Functions plugins and any
# transformation plugin that allows
# custom Lua functions.
# * `sandbox`: Allow loading of Lua functions,
# but use a sandbox when executing
# them. The sandboxed function has
# restricted access to the global
# environment and only has access
# to standard Lua functions that
# will generally not cause harm to
# the Kong Gateway node.
# * `on`: Functions have unrestricted
# access to the global environment and
# can load any Lua modules. This is
# similar to the behavior in
# Kong Gateway prior to 2.3.0.
# The default `sandbox` environment does not
# allow importing other modules or libraries,
# or executing anything at the OS level (for
# example, file read/write). The global
# environment is also not accessible.
# Examples of `untrusted_lua = sandbox`
# behavior:
# * You can't access or change global values
# such as `kong.configuration.pg_password`
# * You can run harmless lua:
# `local foo = 1 + 1`. However, OS level
# functions are not allowed, like:
# `os.execute('rm -rf /*')`.
# For a full allowed/disallowed list, see:
# https://github.com/kikito/sandbox.lua/blob/master/sandbox.lua
# To customize the sandbox environment, use
# the `untrusted_lua_sandbox_requires` and
# `untrusted_lua_sandbox_environment`
# parameters below.
#untrusted_lua_sandbox_requires = # Comma-separated list of modules allowed to
# be loaded with `require` inside the
# sandboxed environment. Ignored
# if `untrusted_lua` is not `sandbox`.
# For example, say you have configured the
# Serverless pre-function plugin and it
# contains the following `requires`:
# ```
# local template = require "resty.template"
# local split = require "kong.tools.utils".split
# ```
# To run the plugin, add the modules to the
# allowed list:
# ```
# untrusted_lua_sandbox_requires = resty.template, kong.tools.utils
# ```
# **Warning:** Allowing certain modules may
# create opportunities to escape the
# sandbox. For example, allowing `os` or
# `luaposix` may be unsafe.
#untrusted_lua_sandbox_environment = # Comma-separated list of global Lua
# variables that should be made available
# inside the sandboxed environment. Ignored
# if `untrusted_lua` is not `sandbox`.
# **Warning**: Certain variables, when made
# available, may create opportunities to
# escape the sandbox.
以下是谷歌翻译的
# ----------
# Kong 配置文件
# ----------
# 此文件中显示的注释掉的设置代表默认值。
# 使用 `kong start` 或 `kong prepare` 时读取此文件。Kong
# 使用此文件中指定的设置生成 Nginx 配置。
# 所有以 `KONG_` 为前缀且大写的环境变量都会覆盖
# 此文件中指定的设置。
# 例子:
# `log_level` 设置 -> `KONG_LOG_LEVEL` 环境变量
# 布尔值可以指定为 `on`/`off` 或 `true`/`false`。
# 列表必须指定为逗号分隔的字符串。
# 此文件中的所有注释都可以安全删除,包括
# 注释掉的属性。
# 您可以使用 `kong check <conf>` 验证设置的完整性。
#------------------------------------------------------------------------------
# 一般的
#------------------------------------------------------------------------------
#prefix = /usr/local/kong/ # 工作目录。相当于Nginx的
# 前缀路径,包含临时文件
# 和日志。
# 每个Kong进程必须有一个单独的
# 工作目录。
#log_level = notice # Nginx 服务器的日志级别。日志是
# 在 `<prefix>/logs/error.log` 找到。
# 查看 http://nginx.org/en/docs/ngx_core_module.html#error_log 获取列表
# 接受值。
#proxy_access_log = logs/access.log #代理端口请求访问路径
# 日志。将此值设置为 `off` 以
# 禁用记录代理请求。
# 如果这个值是相对路径,
# 它将被放置在
# `前缀`位置。
#proxy_error_log = logs/error.log # 代理端口请求错误的路径
# 日志。这些日志的粒度
# 由 `log_level` 调整
# 属性。
#proxy_stream_access_log = logs/access.log basic # tcp流代理端口访问路径
# 日志。将此值设置为 `off` 以
# 禁用记录代理请求。
# 如果这个值是相对路径,
# 它将被放置在
# `前缀`位置。
# `basic` 定义为 `'$remote_addr [$time_local] '
# '$protocol $status $bytes_sent $bytes_received '
#'$session_time'`
#proxy_stream_error_log = logs/error.log # tcp 流代理端口请求错误的路径
# 日志。这些日志的粒度
# 由 `log_level` 调整
# 属性。
#admin_access_log = logs/admin_access.log # Admin API 请求访问的路径
# 日志。如果启用混合模式
# 并且当前节点设置为
# 控制平面,然后是
# 来自数据平面的连接请求
# 也被写入这个文件
# 服务器名称“kong_cluster_listener”。
# 将此值设置为 `off` 以
# 禁用记录管理 API 请求。
# 如果这个值是相对路径,
# 它将被放置在
# `前缀`位置。
#admin_error_log = logs/error.log # Admin API 请求错误的路径
# 日志。这些日志的粒度
# 由 `log_level` 调整
# 属性。
#status_access_log = off #Status API 请求访问的路径
# 日志。 `off` 的默认值
# 暗示此 API 的日志记录
# 默认禁用。
# 如果这个值是相对路径,
# 它将被放置在
# `前缀`位置。
#status_error_log = logs/status_error.log #Status API 请求错误的路径
# 日志。这些日志的粒度
# 由 `log_level` 调整
# 属性。
#vaults = bundled # 此节点的 Vault 的逗号分隔列表
# 应该加载。默认情况下,所有捆绑的
# 保险库已启用。
# 指定的名称将被替换为
# 这样在 Lua 命名空间中:
# `kong.vaults.{name}.*`。
#plugins = bundled # 逗号分隔的插件列表这个节点
# 应该加载。默认情况下,只有插件
# 捆绑在官方发行版中的是
# 通过 `bundled` 关键字加载。
# 加载插件不会启用它
# 默认,但仅指示 Kong 加载其
# 源代码,并允许配置
# 插件通过各种相关的 Admin API
# 端点。
# 指定的名称将被替换为
# 这样在 Lua 命名空间中:
# `kong.plugins.{name}.*`.
# 当 `off` 关键字被指定为
# 只有值,不会加载任何插件。
# `bundled` 和插件名称可以混用
# 一起,如以下示例所示:
# - `plugins = bundled,custom-auth,custom-log`
# 将包括捆绑的插件加上两个
# 自定义的
# - `plugins = custom-auth,custom-log` 将
# *仅*包括 `custom-auth` 和
# `custom-log` 插件。
# - `plugins = off` 将不包含任何
# **注意:** Kong 将不会启动,如果一些
# 插件先前已配置(即
# 在数据库中有行)并且没有
# 在此列表中指定。在禁用之前
# 插件,确保它的所有实例都是
# 在重启 Kong 之前删除。
# **注意:** 限制可用数量
# 插件可以改善 P99 延迟
# 在数据库中体验 LRU 搅动
# 缓存(即当配置
# `mem_cache_size`) 已满。
#pluginserver_names = # 以逗号分隔的插件服务器名称列表
# 进程。实际名称用于
# 记录消息并关联实际设置。
#pluginserver_XXX_socket = <prefix>/<XXX>.socket # unix socket 的路径
# 由 <XXX> 插件服务器使用。
#pluginserver_XXX_start_cmd = /usr/local/bin/<XXX> #完整的命令(包括
# 任何需要的参数)到
# 启动 <XXX> 插件服务器
#pluginserver_XXX_query_cmd = /usr/local/bin/query_<XXX> #“查询”的完整命令
# <XXX> 插件服务器。应该
# 生成一个 JSON
# 转储所有插件的信息
#port_maps = # 有了这个配置参数,你可以
# 让 Kong 从
# 数据包转发给它。这个
# 在运行 Kong 时相当常见
# 容器化或虚拟化环境。
# 例如,`port_maps=80:8000, 443:8443`
# 指示 Kong 映射了 80 端口
# 到 8000(以及端口 443 到 8443),其中
# 8000 和 8443 是 Kong 所在的端口
# 这个参数帮助Kong设置一个合适的
# 转发上游 HTTP 请求头或到
# 使用 Kong PDK 获取正确的转发端口
# (如果有其他方法确定它有
# 失败的)。它通过目的地改变路由
# 端口通过一个端口路由数据包
# 转发给 Kong,同样它
# 将默认插件日志序列化程序更改为
# 根据这个映射使用端口
# 而不是报告端口 Kong 是
#anonymous_reports = on # 发送错误等匿名使用数据
# 堆栈跟踪以帮助改进 Kong。
#------------------------------------------------ -----------------------------------------
# 混合模式
#------------------------------------------------ -----------------------------------------
#role = traditional # 使用此设置启用混合模式,
# 这允许运行一些 Kong 节点
# 具有数据库的控制平面角色和
# 让他们提供配置更新
# 到其他节点运行到 DB-less 运行
# 数据平面角色。
# 此设置的有效值为:
# - `traditional`:不要使用混合模式。
# - `control_plane`: 这个节点运行在一个
# 控制平面角色。它可以使用数据库
# 并将提供配置更新
# 到数据平面节点。
# - `data_plane`:这是一个数据平面节点。
# 它运行 DB-less 并接收配置
# 从控制平面节点更新。
#cluster_mtls = shared # 设置节点间的验证
# 此设置的有效值为:
# - `shared`:使用共享证书/密钥
# 用 `cluster_cert` 指定的对
# 和 `cluster_cert_key` 设置。
# 注意 CP 和 DP 节点必须存在
# 建立mTLS的同一个证书
# 连接。
# - `pki`:使用`cluster_ca_cert`,
# `cluster_server_name` 和 `cluster_cert`
# 进行验证。
# 这些是每个不同的证书
# DP 节点,但由集群范围内发布
# 通用 CA 证书:`cluster_ca_cert`。
# - `pki_check_cn`: 类似于 `pki` 但另外
# 检查数据平面证书的通用名称
# 在 `cluster_allowed_common_names` 中指定。
#cluster_cert = # 要使用的集群证书的文件名
# 建立安全通信时
# 在控制和数据平面节点之间。
# 你可以使用 `kong hybrid` 命令来
# 生成证书/密钥对。
# 在`shared`模式下,必须相同
# 所有节点。在 `pki` 模式下
# 应该是每个不同的证书
#DP节点。
#cluster_cert_key = # 集群证书密钥的文件名
# 建立安全通信时使用
# 在控制和数据平面节点之间。
# 你可以使用 `kong hybrid` 命令来
# 生成证书/密钥对。
# 在`shared`模式下,必须相同
# 所有节点。在 `pki` 模式下
# 应该是每个不同的证书
#DP节点。
#cluster_ca_cert = # PEM 中受信任的 CA 证书文件
# 用于控制平面验证的格式
# Data Plane的证书和Data Plane
# 验证控制平面的证书。
# 如果是 `cluster_mtls`,则在数据平面上是必需的
# 设置为`pki`。
# 如果控制平面证书颁发
# 由知名 CA,用户可以设置
# `lua_ssl_trusted_certificate=system`
# 在数据平面上并将此字段留空。
# 如果 `cluster_mtls` 是,则忽略此字段
# 设置为 `shared`。
#cluster_allowed_common_names = # 允许的通用名称列表
# 连接到控制平面。多个条目可能
# 以逗号分隔的字符串形式提供。没有的时候
# 设置,具有相同父域的数据平面
# 控制平面证书允许连接。
# 如果 `cluster_mtls` 是,则忽略此字段
# 未设置为 `pki_check_cn`。
#------------------------------------------------ -----------------------------------------
# 混合模式数据平面
#------------------------------------------------ -----------------------------------------
#cluster_server_name = # TLS的SNI中使用的服务器名称
# 从 DP 节点到 CP 节点的连接。
# 必须与通用名称 (CN) 或主题匹配
# 在 CP 中找到备用名称 (SAN)
# 证书。
# 如果 `cluster_mtls` 设置为
# `shared`,这个设置被忽略并且
# 使用了`kong_clustering`。
#cluster_control_plane = # 仅供数据平面节点使用:
# 控制平面节点的地址 from
# 将获取哪些配置更新,
# 以 `host:port` 格式。
#cluster_telemetry_endpoint = # 仅供数据平面节点使用:
# 控制平面节点的遥测地址
# 遥测更新将发布到哪个
# 以 `host:port` 格式。
#data_plane_config_cache_mode = unencrypted
# 数据平面可以将其配置存储到文件系统
# 作为备份,以防节点重新启动或重新加载
# 更快地使节点进入配置状态或
# case 连接到控制平面时出现问题。
# 这个参数可以用来控制行为。
# 仅供数据平面节点使用:
# `unencrypted` = 存储未加密的配置缓存
# `encrypted` = 存储配置缓存加密
# `off` = 不存储配置缓存
#data_plane_config_cache_path = # 默认存储未加密的配置缓存
# 使用文件名 `config.cache.json.gz` 的 Kong `prefix`。
# 默认存储加密的配置缓存
# 使用文件名 `.config.cache.jwt` 的 Kong `prefix`
# 或者你可以指定配置缓存的路径
# 带有这个参数,例如`/tmp/kong-config-cache`。
#------------------------------------------------ -----------------------------------------
# 混合模式控制平面
#------------------------------------------------ -----------------------------------------
#cluster_listen = 0.0.0.0:8005
# 逗号分隔的地址和端口列表
# 集群控制平面服务器应该监听哪个
# 用于数据平面连接。
# 控制平面的集群通信端口
# 必须可以被所有数据平面访问
# 在同一个集群中。此端口受 mTLS 保护
# 确保端到端的安全性和完整性。
# 如果 `role` 没有设置为
# `control_plane`,则忽略此设置。
# 记录到此端点的连接
# 到与管理 API 访问日志相同的位置。
# 更多信息见 `admin_access_log` 配置描述
# 信息。
#cluster_telemetry_listen = 0.0.0.0:8006
# 逗号分隔的地址和端口列表
# 集群控制平面服务器应该监听哪个
# 用于数据平面遥测连接。
# 控制平面的集群通信端口
# 必须可以被所有数据平面访问
# 在同一个集群中。
# 如果 `role` 没有设置为
# `control_plane`,则忽略此设置。
#cluster_data_plane_purge_delay = 1209600
# 从一个 DP 节点开始必须经过多少秒
# 在其条目被删除之前变为脱机状态
# 来自数据库,由
# /clustering/data-planes 管理 API 端点。
# 这是为了防止集群数据平面表
# 无限增长。默认设置为
# 14 天。也就是说,如果 CP 没有收到 DP 的消息
# 14 天,它的条目将被删除。
#cluster_ocsp = off
# 是否检查DP的撤销状态
# 使用 OCSP(在线证书状态协议)的证书。
# 如果启用,DP 证书应该包含
#“证书颁发机构信息访问”扩展
# 以及 OCSP 响应者的 URI 的 OCSP 方法
# 可以从 CP 到达。
# OCSP 检查只在 CP 节点上进行,它没有
# 对 DP 节点的影响。
# 此设置的有效值为:
# - `on`: 启用 OCSP 撤销检查和 DP
# 必须通过检查才能建立
# 与 CP 的连接。
# - `off`: OCSP 撤销检查被禁用。
# - `optional`:将尝试 OCSP 吊销检查,
# 但是,如果所需的扩展名不是
# 在 DP 提供的证书中找到
# 或与 OCSP 响应者通信
# 失败,那么 DP 仍然允许通过。
#cluster_max_payload = 4194304
# 这设置允许的最大有效负载大小
# 在混合模式下从 CP 发送到 DP
# 默认是4Mb - 4 * 1024 * 1024 由于历史原因
#------------------------------------------------ -----------------------------------------
#NGINX
#------------------------------------------------ -----------------------------------------
#proxy_listen = 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384
# 逗号分隔的地址和端口列表
# 代理服务器应该监听哪个
# HTTP/HTTPS 流量。
# 代理服务器是Kong的公共入口点,
# 代理从你的消费者到你的流量
#后端服务。此值接受 IPv4、IPv6 和
# 主机名。
# 可以为每一对指定一些后缀:
# - `ssl` 将要求建立所有连接
# 通过使用 TLS 的特定地址/端口
# 启用。
# - `http2` 将允许客户端打开 HTTP/2
# 连接到 Kong 的代理服务器。
# - `proxy_protocol` 将启用
# 给定地址/端口的代理协议。
# - `deferred` 指示在 Linux 上使用延迟接受
# (TCP_DEFER_ACCEPT 套接字选项)。
# - `bind` 指示进行单独的 bind() 调用
# 对于给定的地址:端口对。
# - `reuseport` 指示创建一个个体
# 监听每个工作进程的套接字
# 允许内核更好地分配传入的
# 工作进程之间的连接
# - `backlog=N` 设置队列的最大长度
# 挂起的 TCP 连接数。这个数字应该
# 不能太小以防客户端
# 看到“连接被拒绝”错误连接到
# 一个繁忙的 Kong 实例。
# **注意:** 在 Linux 上,此值受
# 设置 `net.core.somaxconn` 内核参数。
# 为了让这里设置的较大的 `backlog`
# 效果需要提升
# `net.core.somaxconn` 同时匹配或
# 超过 `backlog` 数量集。
# 这个值可以设置为 `off`,从而禁用
# 此节点的 HTTP/HTTPS 代理端口。
# 如果 stream_listen 也设置为 `off`,则启用
# 此节点的“控制平面”模式
# (其中所有流量代理功能
# 禁用)。该节点只能用于
# 配置Kong集群
# 个节点连接到同一数据存储。
# 例子:
# `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl`
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
# 用于对此接受的格式的描述
# 和其他 `*_listen` 值。
# 见 https://www.nginx.com/resources/admin-guide/proxy-protocol/
# 有关 `proxy_protocol` 的更多详细信息
# 范围。
# 并非所有 `*_listen` 值都接受所有格式
# 在 nginx 的文档中指定。
#proxy_url = # Kong 代理 URL
# Kong 代理节点的查找或平衡器地址。
# 这个值是微服务中常用的
# 或面向服务网格的架构。
# 接受的格式(括号中的部分是可选的):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# 例子:
# - `<scheme>://<IP>:<PORT>` -> `proxy_url = http://127.0.0.1:8000`
# - `SSL <scheme>://<HOSTNAME>` -> `proxy_url = https://proxy.domain.tld`
# - `<scheme>://<HOSTNAME>/<PATH>` -> `proxy_url = http://dev-machine/dev-285`
# 默认情况下,Kong Manager 和 Kong Portal 将使用
# 窗口请求主机并附加已解析的
# 侦听器端口取决于请求的协议。
#stream_listen = off
# 逗号分隔的地址和端口列表
# 流模式应该听哪个。
# 此值接受 IPv4、IPv6 和主机名。
# 可以为每一对指定一些后缀:
# - `ssl` 将要求建立所有连接
# 通过使用 TLS 的特定地址/端口
# 启用。
# - `proxy_protocol` 将启用
# 给定地址/端口的代理协议。
# - `bind` 指示进行单独的 bind() 调用
# 对于给定的地址:端口对。
# - `reuseport` 指示创建一个个体
# 监听每个工作进程的套接字
# 允许内核更好地分配传入的
# 工作进程之间的连接
# - `backlog=N` 集队列的最大长度
# 挂起的 TCP 连接数。这个数字应该
# 不能太小以防客户端
# 看到“连接被拒绝”错误连接到
# 一个繁忙的 Kong 实例。
# **注意:** 在 Linux 上,此值受
# 设置 `net.core.somaxconn` 内核参数。
# 为了让这里设置的较大的 `backlog`
# 效果需要提升
# `net.core.somaxconn` 同时匹配或
# 超过 `backlog` 数量集。
# 例子:
#stream_listen = 127.0.0.1:7000 reuseport backlog=16384
# stream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20
#stream_listen = [::1]:1234 backlog=16384
# 默认情况下,此值设置为 `off`,因此
# 禁用此节点的流代理端口。
# 见 http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen
# 对于 Kong 可能在 stream_listen 中接受的格式的描述。
#admin_api_uri = # 组成的 URI 的分层部分
# 可选的主机、端口和路径
# Admin API 接受 HTTP 或 HTTPS 流量。什么时候
# 此配置已禁用,Kong Manager 将
# 使用窗口协议 + 主机并附加
# 解析 admin_listen HTTP/HTTPS 端口。
#admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384
# 逗号分隔的地址和端口列表
# Admin 界面应该监听哪个。
# Admin 界面是 API,允许您
# 配置和管理Kong。
# 访问这个接口应该是*restricted*
# 仅限 Kong 管理员*。这个值接受
# IPv4、IPv6 和主机名。
# 可以为每一对指定一些后缀:
# - `ssl` 将要求建立所有连接
# 通过使用 TLS 的特定地址/端口
# 启用。
# - `http2` 将允许客户端打开 HTTP/2
# 连接到 Kong 的代理服务器。
# - `proxy_protocol` 将启用
# 给定地址/端口的代理协议。
# - `deferred` 指示使用延迟接受
# Linux(TCP_DEFER_ACCEPT 套接字选项)。
# - `bind` 指示进行单独的 bind() 调用
# 对于给定的地址:端口对。
# - `reuseport` 指示创建一个个体
# 监听每个工作进程的套接字
# 允许内核更好地分配传入的
# 工作进程之间的连接
# - `backlog=N` 设置队列的最大长度
# 挂起的 TCP 连接数。这个数字应该
# 不能太小以防客户端
# 看到“连接被拒绝”错误连接到
# 一个繁忙的 Kong 实例。
# **注意:** 在 Linux 上,此值受
# 设置 `net.core.somaxconn` 内核参数。
# 为了让这里设置的较大的 `backlog`
# 效果需要提升
# `net.core.somaxconn` 同时匹配或
# 超过 `backlog` 数量集。
# 这个值可以设置为 `off`,从而禁用
# 此节点的管理界面,启用
# 'data-plane' 模式(无需配置
# 能力) 拉动其配置更改
# 来自数据库。
# 示例:`admin_listen = 127.0.0.1:8444 http2 ssl`
#status_listen = off # 逗号分隔的地址和端口列表,
# Status API 应该监听哪个。
# Status API 是一个只读端点
# 允许监控工具检索指标,
# 健康状况和其他非敏感信息
# 当前 Kong 节点。
# 可以为每对指定以下后缀:
# - `ssl` 将要求建立所有连接
# 通过使用 TLS 的特定地址/端口
# 启用。
# 这个值可以设置为 `off`,禁用
# 此节点的状态 API。
# 示例:`status_listen = 0.0.0.0:8100`
#nginx_user = kong kong # 定义用户和组使用的凭据
# 工作进程。如果省略 group,则
# 名称与用户名相同的组是
# 用过的。
# 示例:`nginx_user = nginx www`
# **注意**:如果 `kong` 用户和 `kong`
# 组不可用,默认用户
# 和组凭据将是
# `nobody nobody`。
#nginx_worker_processes = auto #确定工作进程的数量
# 由 Nginx 生成。
# 见 http://nginx.org/en/docs/ngx_core_module.html#worker_processes
# 等价Nginx的详细用法
# 指令和接受的描述
#nginx_daemon = on #判断Nginx是否会作为守护进程运行
# 或作为前台进程。主要有用
# 用于开发或在内部运行 Kong
# 一个 Docker 环境。
# 参见 http://nginx.org/en/docs/ngx_core_module.html#daemon。
#mem_cache_size = 128m # 两个内存缓存的大小
# 用于数据库实体。接受的单位是
# `k` 和 `m`,最小推荐值为
# 几MB。
# **注意**:由于此选项控制两个的大小
# 不同的缓存条目,Kong的总内存
# 用于缓存实体的可能是这个值的两倍。
#ssl_cipher_suite = intermediate # 定义 Nginx 提供的 TLS 密码。
# 接受的值为 `modern`,
# `intermediate`、`old`、`fips` 或 `custom`。
# 见 https://wiki.mozilla.org/Security/Server_Side_TLS
# 每个密码的详细描述
#套房。 `fips` 密码套件如中所述
# https://wiki.openssl.org/index.php/FIPS_mode_and_TLS。
#ssl_ciphers = # 定义一个自定义的 TLS 密码列表
# 由 Nginx 提供服务。此列表必须符合
# 由 `openssl ciphers` 定义的模式。
# 如果 `ssl_cipher_suite`,则忽略此值
# 不是 `custom`。
#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
# 启用指定的协议
# 客户端连接。该组
# 支持的协议版本也取决于
# 关于OpenSSL Kong的版本
# 和。如果出现此值,则忽略此值
# `ssl_cipher_suite` 不是 `custom`。
# 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
#ssl_prefer_server_ciphers = on # 指定服务器密码应该是
# 使用时优先于客户端密码
# SSLv3 和 TLS 协议。这个值是
# 如果 `ssl_cipher_suite` 不是 `custom`,则忽略。
## 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
#ssl_dhparam = # 定义 DHE 密码的 DH 参数
# 预定义组:`ffdhe2048`、`ffdhe3072`、
# `ffdhe4096`、`ffdhe6144`、`ffdhe8192`,或
# 从绝对路径到参数文件。
# 如果 `ssl_cipher_suite`,则忽略此值
# 是 `modern` 或 `intermediate`。原因是
# `modern` 没有需要这个的密码,
# 和 `intermediate` 使用 `ffdhe2048`。
# 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#ssl_session_tickets = on # 启用或禁用会话恢复
# TLS 会话票证。这在以下情况下没有影响
# 与 TLSv1.3 一起使用。
# Kong 默认启用此功能以提高性能
# 原因,但它具有安全隐患:
# https://github.com/mozilla/server-side-tls/issues/135
# 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#ssl_session_timeout = 1d # 指定客户端可以使用的时间
# 重用会话参数。看原理:
# https://github.com/mozilla/server-side-tls/issues/198
# 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
#ssl_cert = # 以逗号分隔的证书绝对路径列表
# 启用 TLS 的 `proxy_listen` 值。
# 如果指定了多个证书,可以用来提供
# 将提供的替代证书类型(例如,ECC 证书)
# 给支持他们的客户。注意正确使用ECC证书服务,
# 建议也将 `ssl_cipher_suite` 设置为
# `modern` 或 `intermediate`。
# 除非明确设置此选项,Kong 将自动生成
# 一对默认证书(RSA + ECC)首次启动并使用
# 它用于服务 TLS 请求。
#ssl_cert_key = # 以逗号分隔的密钥绝对路径列表
# 启用 TLS 的 `proxy_listen` 值。
# 如果为 `ssl_cert` 指定了多个证书,则此
# 选项应包含所有证书的相应密钥
# 以相同的顺序提供。
# 除非明确设置此选项,Kong 将自动生成
# 一对默认私钥(RSA + ECC)首次启动并使用
# 它用于服务 TLS 请求。
#client_ssl = off # 确定 Nginx 是否应该尝试发送客户端
# TLS 证书并执行双向 TLS 身份验证
# 代理请求时使用上游服务。
#client_ssl_cert = # 如果启用了 `client_ssl`,则绝对
# `proxy_ssl_certificate` 指令的客户端证书路径。
# 这个值可以被 `client_certificate` 动态覆盖
# `Service` 对象的属性。
#client_ssl_cert_key = # 如果启用了 `client_ssl`,则绝对
# `proxy_ssl_certificate_key` 指令的客户端 TLS 密钥的路径。
# 这个值可以被 `client_certificate` 动态覆盖
# `Service` 对象的属性。
#admin_ssl_cert = # 以逗号分隔的证书绝对路径列表
# 启用 TLS 的 `admin_listen` 值。
## 有关详细用法,请参阅 `ssl_cert` 的文档。
#admin_ssl_cert_key = # 以逗号分隔的密钥绝对路径列表
# 启用 TLS 的 `admin_listen` 值。
# 有关详细用法,请参阅 `ssl_cert_key` 的文档。
#status_ssl_cert = # 以逗号分隔的证书绝对路径列表
# 启用 TLS 的 `status_listen` 值。
# 有关详细用法,请参阅 `ssl_cert` 的文档。
#status_ssl_cert_key = # 以逗号分隔的密钥绝对路径列表
# 启用 TLS 的 `status_listen` 值。
# 有关详细用法,请参阅 `ssl_cert_key` 的文档。
#headers = server_tokens,latency_tokens
# 逗号分隔的标头列表 Kong 应该
# 注入客户端响应。
# 接受的值为:
# - `Server`: 注入`Server: kong/x.y.z`
# 关于 Kong 产生的响应(例如 Admin
# API,拒绝来自身份验证插件的请求)。
# - `Via`: 注入`Via: kong/x.y.z` for
# 成功代理请求。
# - `X-Kong-Proxy-Latency`: 花费的时间
# (以毫秒为单位) 由 Kong 处理
# 一个请求并在之前运行所有插件
# 代理上游请求。
# - `X-Kong-Response-Latency`:花费的时间
# (以毫秒为单位) 由 Kong 生成
# 在例如的情况下的响应插入
# 使请求短路,或者在
# 如果出现错误。
# - `X-Kong-Upstream-Latency`: 花费的时间
#(以毫秒为单位)由上游
# 发送响应头的服务。
# - `X-Kong-Admin-Latency`: 花费的时间
# (以毫秒为单位) 由 Kong 处理
# 一个管理 API 请求。
# - `X-Kong-Upstream-Status`: HTTP 状态
# 上游服务返回的代码。
# 这对客户特别有用
# 区分上游状态,如果
# 响应被插件重写。
# - `server_tokens`: 与指定两者相同
# `Server` 和 `Via`。
# - `latency_tokens`:与指定相同
# `X-Kong-Proxy-Latency`,
# `X-Kong-Response-Latency`,
# `X-Kong-Admin-Latency` 和
# `X-Kong-Upstream-Latency`
# 除此之外,还可以设置这个值
# 到 `off`,防止 Kong 注入
# 以上任何标题。请注意,这
# 不阻止插件注入
#他们自己的标题。
# 示例:`headers = via,latency_tokens`
#trusted_ips = # 定义受信任的 IP 地址块
# 已知发送正确的 `X-Forwarded-*`
# 标题。
# 来自受信任 IP 的请求使 Kong 转发
# 上游的 `X-Forwarded-*` 标头。
# 不可信的请求让 Kong 插入它的
# 自己的 `X-Forwarded-*` 标头。
# 这个属性还设置了
# Nginx 中的 `set_real_ip_from` 指令
# 配置。它接受相同类型的
# 值(CIDR 块)但作为
# 逗号分隔的列表。
# 要信任 *all* /!\ IP,请将此值设置为
# `0.0.0.0/0,::/0`。
# 如果指定了特殊值`unix:`,
# 所有 UNIX 域套接字都将被信任。
# 见 http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
# 接受值的例子。
#real_ip_header = X-Real-IP #定义请求头域,其值
# 将用于替换客户端地址。
# 这个值设置 `ngx_http_realip_module`
# Nginx 中的同名指令
# 配置。
# 如果这个值接收到 `proxy_protocol`:
# - 至少一个 `proxy_listen` 条目
# 必须有 `proxy_protocol` 标志
# 启用。
# - `proxy_protocol` 参数将是
# 附加到 `listen` 指令的后面
# Nginx 模板。
# 见 http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
# 该指令的描述。
#real_ip_recursive = off # 这个值设置 `ngx_http_realip_module`
# Nginx 中的同名指令
# 配置。
# 见 http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
# 该指令的描述。
#error_default_type = text/plain # 请求时使用的默认 MIME 类型
# `Accept` 标头丢失和 Nginx
# 正在为请求返回错误。
# 接受的值为 `text/plain`,
# `text/html`、`application/json` 和
# `application/xml`。
#upstream_keepalive_pool_size = 60 #设置upstream的默认大小
#keepalive 连接池。
# 上游keepalive连接池
# 由`dst ip/dst 分割
# port/SNI` 连接的属性。
# `0` 值将禁用上游
# 默认情况下保持连接,强制
# 每个上游请求打开一个新的
# 联系。
#upstream_keepalive_max_requests = 100 # 设置默认最大请求数
# 请求可以被上游代理
# 通过一个keepalive连接。
# 最大请求数之后
# 达到,连接将是
# 值 `0` 将禁用此功能
# 行为和保持连接
# 可以用来代理一个不定的
# 请求数。
#upstream_keepalive_idle_timeout = 60 # 设置默认超时时间(以秒为单位)
# 上游的keepalive
# 连接应该保持打开。什么时候
# 超时时间到达,而
# 连接没有被重用,它
# 将被关闭。
# 值 `0` 将禁用此功能
# 行为,和一个空闲的保活
# 连接可能保持打开状态
# 无限期。
#------------------------------------------------ -----------------------------------------
# NGINX 注入指令
#------------------------------------------------ -----------------------------------------
# Nginx 指令可以动态注入到运行时的 nginx.conf 文件中
# 无需自定义 Nginx 配置模板。
# 所有关于命名方案的配置属性
# `nginx_<namespace>_<directive>` 将导致 `<directive>` 被注入
# 对应属性的 `<namespace>` 的 Nginx 配置块。
# 例子:
# `nginx_proxy_large_client_header_buffers = 8 24k`
# 将在 Kong 的代理 `server {}` 块中注入以下指令:
# `large_client_header_buffers 8 24k;`
# 支持以下命名空间:
# - `nginx_main_<directive>`: 在 Kong 的配置中注入 `<directive>`
# `main` 上下文。
# - `nginx_events_<directive>`:在 Kong 的 `events {}` 中注入 `<directive>`
# 堵塞。
# - `nginx_http_<directive>`:在 Kong 的 `http {}` 块中注入 `<directive>`。
# - `nginx_proxy_<directive>`: 在 Kong 的代理中注入 `<directive>`
# `server {}` 块。
# - `nginx_upstream_<directive>`: 在 Kong 的代理中注入 `<directive>`
# `upstream {}` 块。
# - `nginx_admin_<directive>`: 在 Kong 的 Admin API 中注入 `<directive>`
# `server {}` 块。
# - `nginx_status_<directive>`:在 Kong 的 Status API 中注入 `<directive>`
# `server {}` 块(仅在启用 `status_listen` 时有效)。
# - `nginx_stream_<directive>`: 在 Kong 的流模块中注入 `<directive>`
# `stream {}` 块(仅在启用 `stream_listen` 时有效)。
# - `nginx_sproxy_<directive>`: 在 Kong 的流模块中注入 `<directive>`
# `server {}` 块(仅在启用 `stream_listen` 时有效)。
# - `nginx_supstream_<directive>`: 在 Kong 的流中注入 `<directive>`
# 模块 `upstream {}` 块。
# 与其他配置属性一样,Nginx 指令可以通过
# 环境变量大写并以 `KONG_` 为前缀。
# 例子:
# `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`
# 将在 Kong 的 `http {}` 块中注入以下指令:
# `ssl_protocols <值>;`
# 如果代理和管理 API 之间需要不同的协议集
# 服务器,你可以指定 `nginx_proxy_ssl_protocols` 和/或
# `nginx_admin_ssl_protocols`,两者都优先于
# `http {}` 块。
#nginx_main_worker_rlimit_nofile = auto
# 更改打开文件的最大数量限制
# 用于工作进程。
# `auto` 的特殊和默认值设置这个
# 为 `ulimit -n` 的值,上限限制为
#16384 作为防止过度使用内存的措施。
# 见 http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
#nginx_events_worker_connections = auto
# 设置最大并发数
# 可以由工作进程打开的连接。
# `auto` 的特殊和默认值设置这个
# 为 `ulimit -n` 的值,上限限制为
#16384 作为防止过度使用内存的措施。
# 见 http://nginx.org/en/docs/ngx_core_module.html#worker_connections
#nginx_http_client_header_buffer_size = 1k # 设置读取缓冲区大小
# 客户端请求头。
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
#nginx_http_large_client_header_buffers = 4 8k #设置最大数量和
# 使用的缓冲区大小
# 读取大客户
# 请求标头。
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
#nginx_http_client_max_body_size = 0 #定义最大请求体大小
# 被 Kong 代理的请求所允许,
# 在 Content-Length 请求中指定
# 标题。如果请求超过此
# 限制,Kong 会返回 413
# (请求的实体太大)。环境
# 此值为 0 禁用检查
# 请求正文大小。
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
#nginx_admin_client_max_body_size = 10m # 定义最大请求体大小
# 管理 API。
#nginx_http_client_body_buffer_size = 8k # 定义读取的缓冲区大小
# 请求正文。如果客户端
# 请求体大于这个
# 值,body 将被缓冲到
#磁盘。请注意,当身体
# 缓冲到磁盘,Kong 插件
# 访问或操作请求
# body 可能不起作用,所以它是
# 建议将此值设置为高
# 尽可能(例如,将其设置为高
# as `client_max_body_size` 强制
# 请求要保存的主体
# 记忆)。请注意
# 高并发环境将
# 需要大量内存
# 分配处理许多
# 并发大型请求体。
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
#nginx_admin_client_body_buffer_size = 10m #定义读取的缓冲区大小
# Admin API 上的请求正文。
#nginx_http_lua_regex_match_limit = 100000 # PCRE 的全局 `MATCH_LIMIT`
# 正则表达式匹配。 `100000` 的默认值应确保
# 在最坏的情况下,Kong 执行的任何正则表达式都可以在
# 大约 2 秒。
#------------------------------------------------ -----------------------------------------
# 数据存储
#------------------------------------------------ -----------------------------------------
# Kong 可以与数据库一起运行,以将 Kong 节点之间的协调数据存储在
# 一个集群,或者没有数据库,每个节点都存储它的信息
# 在内存中独立。
# 当使用数据库时,Kong 将存储其所有实体的数据(例如
# 路由、服务、消费者和插件)在 Cassandra 或 PostgreSQL 中,
# 并且属于同一个集群的所有Kong节点必须自己连接
# 到同一个数据库。
# Kong 支持以下数据库版本:
# - **PostgreSQL**:9.5 及更高版本。
# - **Cassandra**:2.2 及更高版本。
# 当不使用数据库时,Kong 处于“DB-less 模式”:它将保持
# 它在内存中的实体,每个节点都需要通过一个
# 声明式配置文件,可以通过
# `declarative_config` 属性,或通过使用 `/config` 的 Admin API
# 使用 Postgres 作为后端存储时,可以选择启用 Kong
# 提供来自单独数据库实例的读取查询。
# 当代理数量很大时,这样可以大大减少负载
# 在主 Postgres 实例上实现更好的可扩展性。它也可能
# 如果 Kong 代理节点延迟到主节点,则减少延迟抖动
# Postgres 实例很高。
# 只读的 Postgres 实例只服务于读查询和写
# 查询仍会转到主连接。只读 Postgres 实例
# 在从主目录复制更改时可以最终保持一致
# 实例。
# 至少需要 `pg_ro_host` 配置来启用此功能。
# 默认情况下,只读连接的所有其他数据库配置都是
# 继承自上述相应的主连接配置,但是
# 可以选择使用下面的 `pg_ro_*` 配置显式覆盖。
#database = postgres # 确定是 PostgreSQL 还是 Cassandra
# 此节点将用作其数据存储。
# 接受的值为 `postgres`,
# `cassandra` 和 `off`。
#pg_host = 127.0.0.1 # Postgres 服务器的主机。
#pg_port = 5432 # Postgres 服务器的端口。
#pg_timeout = 5000 # 定义超时时间(以毫秒为单位),用于连接,
# 读写。
#pg_user = kong # Postgres 用户。
#pg_password = # Postgres 用户的密码。
#pg_database = kong # 要连接的数据库名称。
#pg_schema = # 要使用的数据库模式。如果未指定,
# Kong 将尊重 `search_path` 的值
# 你的 PostgreSQL 实例。
#pg_ssl = off # 切换客户端-服务器 TLS 连接
# 在 Kong 和 PostgreSQL 之间。
# 因为 PostgreSQL 为 TLS 使用相同的端口
# 和非 TLS,这只是一个提示。如果
# 服务器不支持t TLS,已建立的
# 连接将是一个普通的连接。
#pg_ssl_version = tlsv1 # 在 Kong 和 PostgreSQL 之间使用 ssl 时,
# 要使用的 tls 版本。可接受的值为
# `tlsv1`、`tlsv1_2` 或 `tlsv1_3`。
#pg_ssl_required = off # 当 `pg_ssl` 开启时,这决定了是否
# Kong 和 PostgreSQL 之间必须使用 TLS。
# 如果服务器这样做,它将中止连接
# 不支持 SSL 连接。
#pg_ssl_verify = off # 切换服务器证书验证,如果
# `pg_ssl` 已启用。
# 查看`lua_ssl_trusted_certificate`
# 设置指定证书颁发机构。
#pg_ssl_cert = # PEM 编码客户端的绝对路径
# PostgreSQL 连接的 TLS 证书。
# 双向 TLS 身份验证
# PostgreSQL 仅在设置此值时启用。
#pg_ssl_cert_key = # 如果设置了 `pg_ssl_cert`,则绝对路径
# PEM 编码的客户端 TLS 私钥
# PostgreSQL 连接。
#pg_max_concurrent_queries = 0 # 设置最大并发查询数
# 可以在任何给定时间执行。这个
# 每个工作进程都强制执行限制;这
# 并发查询总数
# 节点将是:
# `pg_max_concurrent_queries * nginx_worker_processes`。
# 默认值 0 去掉这个
# 并发限制。
#pg_semaphore_timeout = 60000 # 定义超时时间(以毫秒为单位),之后
# PostgreSQL 查询信号量资源
# 次获取尝试将失败。这样的
# 失败通常会导致
# 关联的代理或管理 API 请求
# 失败并返回 HTTP 500 状态码。
# 这个行为的详细讨论是
# 在在线文档中可用。
#pg_keepalive_timeout = 60000 # 定义空闲连接到的时间(以毫秒为单位)
# PostreSQL 服务器将保持活动状态。
#pg_ro_host = # 与 `pg_host` 相同,但对于
# 只读连接。
# **注意:** 参考文档
#以上部分了解详细用法。
#pg_ro_port = <pg_port> # 与 `pg_port` 相同,但对于
# 只读连接。
#pg_ro_timeout = <pg_timeout> # 与 `pg_timeout` 相同,但对于
# 只读连接。
#pg_ro_user = <pg_user> # 和 `pg_user` 一样,但是对于
# 只读连接。
#pg_ro_password = <pg_password> # 和 `pg_password` 一样,但是对于
# 只读连接。
#pg_ro_database = <pg_database> # 和 `pg_database` 一样,但是对于
# 只读连接。
#pg_ro_schema = <pg_schema> # 和 `pg_schema` 一样,但是对于
# 只读连接。
#pg_ro_ssl = <pg_ssl> # 和 `pg_ssl` 一样,但是对于
# 只读连接。
#pg_ro_ssl_required = <pg_ssl_required>
# 与 `pg_ssl_required` 相同,但对于
# 只读连接。
#pg_ro_ssl_verify = <pg_ssl_verify>
# 与 `pg_ssl_verify` 相同,但对于
# 只读连接。
#pg_ro_ssl_version = <pg_ssl_version>
# 与 `pg_ssl_version` 相同,但对于
# 只读连接。
#pg_ro_max_concurrent_queries = <pg_max_concurrent_queries>
# 与 `pg_max_concurrent_queries` 相同,但对于
# 只读连接。
# 注意:只读并发不共享
# 与主(读写)连接。
#pg_ro_semaphore_timeout = <pg_semaphore_timeout>
# 与 `pg_semaphore_timeout` 相同,但对于
# 只读连接。
#pg_ro_keepalive_timeout = <pg_keepalive_timeout>
# 与 `pg_keepalive_timeout` 相同,但对于
# 只读连接。
#cassandra_contact_points = 127.0.0.1 # 逗号分隔的联系人列表
# 指向你的集群。
# 您可以指定 IP 地址或
# 主机名。注意端口
# SRV 记录的组成部分将是
# 忽略以支持 `cassandra_port`。
# 连接多DC集群时,
# 确保接触点从
# 首先指定本地数据中心
# 在这个列表中。
#cassandra_port = 9042 # 节点监听的端口
# 上。您的所有节点和接触点必须
# 监听同一个端口。将被创建,如果
# 它不存在。
#cassandra_keyspace = kong # 在集群中使用的密钥空间。
#cassandra_write_consistency = ONE # 何时使用的一致性设置
# 写入 Cassandra 集群。
#cassandra_read_consistency = ONE # 何时使用的一致性设置
# 从 Cassandra 集群中读取。
#cassandra_timeout = 5000 # 定义读取的超时时间(以毫秒为单位)
# 和写作。
#cassandra_ssl = off # 切换客户端到节点的 TLS 连接
# 在 Kong 和 Cassandra 之间。
#cassandra_ssl_verify = off # 切换服务器证书验证,如果
# `cassandra_ssl` 已启用。
# 查看`lua_ssl_trusted_certificate`
# 设置指定证书颁发机构。
#cassandra_username = kong # 使用时的用户名
# `PasswordAuthenticator` 方案。
#cassandra_password = # 使用时的密码
# `PasswordAuthenticator` 方案。
#cassandra_lb_policy = RequestRoundRobin # 何时使用负载均衡策略
# 将查询分布在你的
# Cassandra 集群。
# 接受的值为:
# `RoundRobin`, `RequestRoundRobin`,
# `DCAwareRoundRobin`,和
# `RequestDCAwareRoundRobin`。
# 以“请求”为前缀的策略
# 有效利用已建立的
# 相同的连接
# 要求。
# 如果和
# 仅当您使用
# 多数据中心集群。
#cassandra_local_datacenter = # 使用 `DCAwareRoundRobin` 时
# 或 `RequestDCAwareRoundRobin` 加载
# 平衡策略,必须指定名称
# 本地(最近的)数据中心
# Kong 节点。
#cassandra_refresh_frequency = 60 # 频率(以秒为单位)
# 集群拓扑将是
# 检查新的或退役的
# 节点。
# 值 `0` 将禁用此功能
# 检查,集群拓扑
# 永远不会刷新。
#cassandra_repl_strategy = SimpleStrategy # 第一次迁移时,
# Kong 将使用此设置
# 创建你的密钥空间。
# 接受的值是
# `SimpleStrategy` 和
# `NetworkTopologyStrategy`。
#cassandra_repl_factor = 1 # 第一次迁移时,Kong
# 将用这个创建键空间
# 使用时的复制因子
# `SimpleStrategy`。
#cassandra_data_centers = dc1:2,dc2:3 # 第一次迁移时,
# 使用时将使用此设置
# `NetworkTopologyStrategy`。
# 格式为逗号分隔列表
# 由`<dc_name>:<repl_factor>` 组成。
#cassandra_schema_consensus_timeout = 10000 # 定义超时时间(以毫秒为单位)
#达到a的等待时间
# 你之间的模式共识
# Cassandra 节点。
# 此值仅在使用期间使用
# 迁移。
#declarative_config = # 声明性配置的路径
# 包含所有规格的文件
# 实体(路由、服务、消费者等)
# 当 `database` 设置为
# `off`。
# 实体存储在 Kong 的内存缓存中,
# 所以你必须确保有足够的内存
# 通过 `mem_cache_size` 分配给它
# 属性。您还必须确保项目
# 在缓存中永不过期,这意味着
# `db_cache_ttl` 应该保留它的默认值
# 值为 0。
# 如果混合模式 `role` 设置为 `data_plane`
# 并且没有配置缓存文件,
# 连接前使用此配置
# 到控制平面节点作为用户控制
# 倒退。
#declarative_config_string = # 声明性配置为字符串
#------------------------------------------------ -----------------------------------------
# 数据存储缓存
#------------------------------------------------ -----------------------------------------
# 为了避免与数据存储不必要的通信,Kong 缓存
# 实体(例如 API、消费者、凭证...),用于可配置的时间段
#时间。如果这样的实体被更新,它也会处理失效。
# 此部分允许配置 Kong 的行为
# 缓存此类配置实体。
#db_update_frequency = 5 # 检查频率(以秒为单位)
# 使用数据存储更新实体。
# 当一个节点创建、更新或删除一个
# 实体通过 Admin API,其他节点需要
# 等待下一次轮询(由
# 这个值)最终清除旧的
# 缓存实体并开始使用新实体。
#db_update_propagation = 0 # 实体在
# 要传播到副本节点的数据存储
# 另一个数据中心。
# 在分布式环境中如
# 一个多数据中心的 Cassandra 集群,这个
# value 应该是最大数量
# Cassandra 传播 a 所花费的秒数
# 行到其他数据中心。
# 设置后,该属性会增加
# Kong 传播更改所花费的时间
# 一个实体。
# 单数据中心设置或 PostgreSQL
# 服务器不应遭受此类延迟,并且
# 这个值可以安全地设置为 0。
#db_cache_ttl = 0 # 实体的生存时间(以秒为单位)
# 被该节点缓存时的数据存储。
# 数据库未命中(无实体)也被缓存
# 如果不这样做就按照这个设置
# 配置`db_cache_neg_ttl`。
# 如果设置为0(默认),这样缓存的实体
# 或未命中永不过期。
#db_cache_neg_ttl = # 数据存储的生存时间(以秒为单位)
# 未命中(没有实体)。
# 如果没有指定(默认),`db_cache_ttl`
# 值将被使用。
# 如果设置为 0,未命中将永不过期。
#db_resurrect_ttl = 30 # 陈旧实体的时间(以秒为单位)
# 来自数据存储的应该被复活
# 当它们不能被刷新时(例如,
# 数据存储不可访问)。当这个 TTL
# expires,重新尝试刷新旧的
# 实体将被制作。
#db_cache_warmup_entities = services
# 要从数据存储区预加载的实体
# 在 Kong 启动时进入内存缓存。
# 这加快了端点的首次访问
# 使用给定实体。
# 当 `services` 实体被配置时
# 用于预热,值的 DNS 条目
# 它的 `host` 属性是预先解析的
# 也是异步的。
# 在 `mem_cache_size` 中设置的缓存大小应该
# 设置为足够大的值以容纳所有
# 指定实体的实例。
# 如果大小不足,Kong 会记录
# 一个警告。
#------------------------------------------------ -----------------------------------------
#DNS解析器
#------------------------------------------------ -----------------------------------------
# 默认情况下,DNS 解析器将使用标准配置文件
# `/etc/hosts` 和 `/etc/resolv.conf`。后一个文件中的设置将是
# 被环境变量 `LOCALDOMAIN` 和 `RES_OPTIONS` 覆盖 if
# 他们已经设置好了。
# Kong 会将主机名解析为 `SRV` 或 `A` 记录(按此顺序,并且
# `CNAME` 记录将在此过程中被取消引用)。
# 如果名称被解析为 `SRV` 记录,它还将覆盖任何给定的记录
# 端口号由从 DNS 服务器接收的 `port` 字段内容。
# DNS 选项 `SEARCH` 和 `NDOTS`(来自 `/etc/resolv.conf` 文件)将
# 用于将短名称扩展为完全限定名称。所以它会首先尝试
# `SRV` 类型的整个 `SEARCH` 列表,如果失败,它将尝试
# `A` 等的`SEARCH` 列表
# 在 `ttl` 期间,内部 DNS 解析器将负载均衡每个
# 请求它通过 DNS 记录中的条目。对于`SRV`记录
# `weight` 字段将被尊重,但它只会使用最低的`priority`
# 记录中的字段条目。
#dns_resolver = # 逗号分隔的名称服务器列表,每个
# 使用 `ip[:port]` 格式的条目
# Kong。如果未指定名称服务器
# 将使用本地 `resolv.conf` 文件。
# 如果省略,端口默认为 53。接受
# IPv4 和 IPv6 地址。
#dns_hostsfile = /etc/hosts # 要使用的主机文件。该文件被读取
# 一次,它的内容在内存中是静态的。
# 修改后再次读取文件,
# Kong 必须重新加载。
#dns_order = LAST,SRV,A,CNAME #解析不同的顺序
# 记录类型。 `LAST` 类型表示
# 最后一次成功查找的类型(对于
# 指定名称)。格式为(大小写
# 不敏感)逗号分隔列表。
#dns_valid_ttl = # 默认情况下,DNS 记录使用缓存
# 响应的 TTL 值。如果这
# 属性接收一个值(以秒为单位),它
# 将覆盖所有记录的 TTL。
#dns_stale_ttl = 4 # 以秒为单位定义一条记录将持续多长时间
# 保留在缓存中超过其 TTL。这个值
# 将在新的 DNS 记录出现时使用
# 在后台获取。
# 过期数据将在 a 到期时使用
# 记录直到刷新查询
# 完成,或 `dns_stale_ttl` 数量
# 秒过去了。
#dns_cache_size = 10000 #定义允许的最大数量
# DNS 记录存储在内存缓存中。
# 最近最少使用的 DNS 记录被丢弃
# 如果缓存已满,则从缓存中获取。错误和
# 数据被缓存,因此单个名称查询
# 可以轻松占用 10-15 个插槽。
#dns_not_found_ttl = 30 # 以秒为单位的空 DNS 响应的 TTL 和
# “(3) 名称错误”响应。
#dns_error_ttl = 1 # 错误响应的 TTL 秒数。
#dns_no_sync = off # 如果启用,则每次缓存未命中
# 请求会触发自己的 dns 查询。
# 当禁用多个请求时
# 相同的名称/类型将被同步到一个
# 单个查询。
#------------------------------------------------ -----------------------------------------
# 调整和行为
#------------------------------------------------ -----------------------------------------
#worker_consistency = strict
# 定义这个节点是否应该重建它的
# 同步或异步状态(
# 平衡器和路由器在
# 影响他们的更新,例如,更新到
# 路由、服务或上游,通过管理员
# API 或加载声明性配置
# 文件)。
# 接受的值为:
# - `strict`: 路由器将被重建
# 同步,导致传入的请求
# 延迟到重建完成。
# - `eventual`:路由器将被重建
# 通过循环后台异步
# 作业在每个内部每秒运行一次
# 请注意,`strict` 确保所有工作人员
# 给定节点将始终代理请求
# 使用相同的路由器,但增加了
# 可以观察到长尾延迟,如果
# 频繁的路由和服务更新是
# 预期的。
# 使用 `eventual` 将有助于防止长时间
# 在这种情况下出现尾部延迟问题,但可能
# 使工作人员以不同的方式路由请求
# 在 Routes 和
# 服务更新。
#worker_state_update_frequency = 5
# 定义工作者状态改变的频率
# 使用后台作业进行检查。当一个变化
# 检测到,一个新的路由器或平衡器将
# 根据需要构建。提高这个值将
# 减少数据库服务器的负载和
# 减少代理延迟的抖动,但是
# 传播更改可能需要更多时间
# 给每个工人。
#------------------------------------------------ -----------------------------------------
# 各种各样的
#------------------------------------------------ -----------------------------------------
# 从 lua-nginx-module 继承的附加设置允许更多
# 灵活性和高级用法。
# 更多信息参见 lua-nginx-module 文档:
# https://github.com/openresty/lua-nginx-module
#lua_ssl_trusted_certificate = # 逗号分隔的证书路径列表
# PEM 格式的 Lua cosockets 授权文件。
# 特殊值 `system` 尝试搜索
# 每个发行版提供的“通常默认值”,根据
# 到任意启发式。在当前的实现中,
# 以下路径名将按顺序进行测试,
# 并且将使用找到的第一个:
## - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
# - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
# - /etc/ssl/ca-bundle.pem (OpenSUSE)
# - /etc/pki/tls/cacert.pem (OpenELEC)
# - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
# - /etc/ssl/cert.pem (OpenBSD, Alpine)
# 如果在这些路径中没有找到文件,则会出现错误
# 被提高。
# `system` 可以单独使用,也可以和其他的一起使用
#CA 文件路径。
# 当 `pg_ssl_verify` 或 `cassandra_ssl_verify`
# 已启用,这些证书颁发机构文件将是
# 用于验证 Kong 的数据库连接。
# 见 https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
#lua_ssl_verify_depth = 1 #在服务器设置验证深度
# Lua cosockets 使用的证书链,
# 由 `lua_ssl_trusted_certificate` 设置。
# 这包括配置的证书
# 用于 Kong 的数据库连接。
# 如果之前达到最大深度
# 到达链的末端,验证
# 将失败。这有助于减轻证书
# 基于 DoS 攻击。
# 见 https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 #定义支持的TLS版本
# 与 OpenResty 握手时
# TCP cosocket API。
# 这会影响 Lua 建立的连接
# 代码,例如连接到
# Kong 使用的数据库,或者发送日志的时候
# 使用日志插件。它不是*
# 影响到上游的连接
# 服务或来自下游客户端。
#lua_package_path = ./?.lua;./?/init.lua; # 设置 Lua 模块搜索路径
# (LUA_PATH)。开发时有用
# 或使用未存储的自定义插件
# 在默认搜索路径中。
# 见 https://github.com/openresty/lua-nginx-module#lua_package_path
#lua_package_cpath = # 设置 Lua C 模块搜索路径
# (LUA_CPATH)。
# 见 https://github.com/openresty/lua-nginx-module#lua_package_cpath
#lua_socket_pool_size = 30 # 指定每个 cosocket 的大小限制
# 与每个远程关联的连接池
# 服务器。
# 见 https://github.com/openresty/lua-nginx-module#lua_socket_pool_size
#enforce_rbac = off # 指定是否强制执行 Admin API RBAC。
# 接受 `entity`、`both`、`on` 或
# `off`。
# - `on`:仅端点级授权
# 被强制执行。
# - `entity`: 实体级授权
# 适用。
# - `both`:同时启用端点和
# 实体级授权。
# - `off`: 禁用端点和
# 实体级授权。
# 启用后,Kong 将拒绝对
# 当 RBAC 不存在或无效时的管理 API
# 授权令牌通过,或者 RBAC
# 与令牌关联的用户
# 无权访问/修改
# 请求的资源。
#rbac_auth_header = Kong-Admin-Token #定义HTTP请求的名称
# 管理 API 将从的标头
# 尝试验证 RBAC 用户。
#event_hooks_enabled = on # 启用时,事件挂钩实体代表一种关系
# 在一个事件(源和事件)和一个动作之间
#(处理程序)。与 web 挂钩类似,事件挂钩可用于
# 通信 Kong Gateway 服务事件。当一个特定的
# 事件发生在服务上,事件挂钩调用 URL
# 关于该事件的信息。事件挂钩配置
# 因处理程序而异。发生的事件
# 触发发送关联数据。
# 见:https://docs.konghq.com/enterprise/latest/admin-api/event-hooks/reference/
#------------------------------------------------ -----------------------------------------
# Kong Manager
#------------------------------------------------ -----------------------------------------
# Kong Enterprise 的管理 GUI。
#admin_gui_listen = 0.0.0.0:8002, 0.0.0.0:8445 ssl
# Kong Manager 监听器
# 逗号分隔的地址和端口列表
# Kong 会暴露 Kong Manager。这个网络应用程序
# 让你配置和管理 Kong,因此
# 应保持安全。
# 可以为每一对指定后缀,类似于
# `admin_listen` 指令。
#admin_gui_url = # Kong 管理器 URL
# Kong Manager 的查找或平衡器地址。
# 接受的格式(括号中的项目是可选的):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# 例子:
# - `http://127.0.0.1:8003`
# - `https://kong-admin.test`
# - `http://dev-machine/dev-285`
# 默认情况下,Kong Manager 会使用窗口请求
# 主机并附加解析的侦听器端口,具体取决于
# 在请求的协议上。
#admin_gui_ssl_cert = # SSL 证书的绝对路径
# 启用 SSL 的 `admin_gui_listen` 值。
#admin_gui_ssl_cert_key = # SSL 密钥的绝对路径
# 启用 SSL 的 `admin_gui_listen` 值。
#admin_gui_flags = {}
# 改变布局管理 GUI (JSON)
# 唯一支持的值是 `{ "IMMUNITY_ENABLED": true }`
# 在管理 GUI 中启用 Kong Immunity。
#admin_gui_access_log = logs/admin_gui_access.log
# Kong Manager 访问日志
# 这里可以设置Kong的绝对或相对路径
# 管理员访问日志。当路径是相对的时,
# 日志放置在 `prefix` 位置。
# 将此值设置为 `off` 将禁用
# Kong Manager 的访问日志。
#admin_gui_error_log = logs/admin_gui_error.log
# Kong Manager 错误日志
# 这里可以设置Kong的绝对或相对路径
# 管理员访问日志。当路径是相对的时,
# 日志放置在 `prefix` 位置。
# 将此值设置为 `off` 将禁用
# Kong Manager 的错误日志。
# 日志粒度可以通过 `log_level` 进行调整。
#admin_gui_auth = # Kong Manager 身份验证插件名称
# 通过指定一个来保护对 Kong Manager 的访问
# 要使用的身份验证插件。
# 支持的插件:
# - `basic-auth`: 基本认证插件
# - `ldap-auth-advanced`: LDAP 认证插件
# - `openid-connect`: OpenID Connect 认证
# 插件
#admin_gui_auth_conf = # Kong Manager 身份验证插件配置 (JSON)
# 指定认证的配置
# 在 `admin_gui_auth` 中指定的插件。
# 关于插件配置的信息
# 查阅相关的插件文档。
# `basic-auth` 的示例:
# `admin_gui_auth_conf = { "hide_credentials": true }`
#admin_gui_auth_password_complexity = # Kong Manager 身份验证密码复杂度 (JSON)
# 当 `admin_gui_auth = basic-auth` 时,该属性定义
# Kong Manager 密码所需的规则。选择
# 来自预设规则或编写您自己的规则。
# 使用预设规则的示例:
# `admin_gui_auth_password_complexity = { "kong-preset": "min_8" }`
# kong-preset 的所有值都需要包含密码
# 来自以下至少三个类别的字符:
# 1. 大写字符(A 到 Z)
# 2. 小写字符(a 到 z)
# 3. Base-10 数字(0 到 9)
# 4. 特殊字符(例如&、$、#、%)
# 支持的预设规则:
# - `min_8`: 最小长度为 8
# - `min_12`: 最小长度为 12
# - `min_20`: 最小长度为 20
# 要编写自己的规则,请参阅
# https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html。
# 注意:仅支持关键字“min”、“max”和“passphrase”。
# 例子:
# `admin_gui_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#admin_gui_session_conf = # Kong Manager 会话配置 (JSON)
# 指定 Session 插件的配置为
# 由 Kong Manager 使用。
# 有关插件配置的信息,请参阅
# Kong Session 插件文档。
# 例子:
# admin_gui_session_conf = { "cookie_name": "kookie", \
# "secret": "change-me" }
#admin_gui_auth_header = Kong-Admin-User
# 定义 HTTP 请求头的名称
# Admin API 将尝试识别 Kong Admin
# 用户。
#admin_gui_auth_login_attempts = 0
# 用户可以尝试登录 Kong Manager 的次数。
# 0 表示允许无限次尝试。
#admin_gui_header_txt = # Kong Manager 标题文本
# 设置 Kong Manager 标题横幅的文本。标题横幅
# 如果此配置为空,则不显示。
#admin_gui_header_bg_color = # Kong Manager 标题背景颜色
# 设置Kong Manager Header Banner的背景颜色
# 接受 css 颜色关键字,#-hexadecimal 或 rgb
# 格式。 Manager 会忽略无效值。
#admin_gui_header_txt_color = # Kong Manager 标题文本颜色
# 设置 Kong Manager Header Banner 的文本颜色。
# 接受 css 颜色关键字,#-hexadecimal 或 rgb
# 格式。 Kong Manager 会忽略无效值。
#admin_gui_footer_txt = # Kong 管理器页脚文本
# 设置 Kong Manager 页脚横幅的文本。页脚横幅
# 如果此配置为空,则不显示
#admin_gui_footer_bg_color = #Kong Manager 页脚背景颜色
# 设置 Kong Manager 页脚横幅的背景颜色。
# 接受 css 颜色关键字,#-hexadecimal 或 rgb
# 格式。 Manager 会忽略无效值。
#admin_gui_footer_txt_color = # Kong Manager 页脚文本颜色
# 设置 Kong Manager 页脚横幅的文本颜色。
# 接受 css 颜色关键字,#-hexadecimal 或 rgb
# 格式。 Kong Manager 会忽略无效值。
#admin_gui_login_banner_title = # Kong Manager 登录横幅标题文本
# 设置 Kong Manager Login Banner 的标题文本。
# 如果两者都显示,则不显示登录横幅
# `admin_gui_login_banner_title` 和
# `admin_gui_login_banner_body` 为空。
#admin_gui_login_banner_body = # Kong Manager 登录横幅正文
# 设置 Kong Manager Login Banner 的正文。
# 如果两者都显示,则不显示登录横幅
# `admin_gui_login_banner_title` 和
# `admin_gui_login_banner_body` 为空。
#------------------------------------------------ -----------------------------------------
# Vitals
#------------------------------------------------ -----------------------------------------
#vitals = on #启用后,Kong将存储并报告
# 关于其性能的指标。
# 在多节点设置中运行 Kong 时,
# `vitals` 包含两个不同的含义
# 取决于节点。
# 在仅代理节点上,`vitals` 确定
# 是否收集 Vitals 的数据。
# 在仅管理员节点上,`vitals` 确定
# 是否显示 Vitals 指标和
# 仪表板上的可视化。
#vitals_strategy = database #判断是否使用Kong数据库
# (PostgreSQL 或 Cassandra,定义
# 通过上面的 `database` 配置值),或者
# 单独的存储引擎,用于 Vitals 指标。
# 接受的值为 `database`, `prometheus`,
# 或`influxdb`。
#vitals_tsdb_address = # 定义 TSDB 服务器的主机和端口
# 写入和读取 Vitals 数据的位置。
# 此值仅适用于
# `vitals_strategy` 选项设置为
# `prometheus` 或 `influxdb`。这个值
# 接受 IPv4、IPv6 和主机名值。
# 如果 `vitals_strategy` 设置为
# `prometheus`,这个值决定了
# Prometheus 服务器地址
# Vitals 数据将被读取。对于`influxdb`
# 策略,这个值控制读取
# 并为 Vitals 数据编写源代码。
#vitals_tsdb_user = # Influxdb 用户
#vitals_tsdb_password = # Influxdb 密码
#vitals_statsd_address = # 定义主机和端口(以及一个可选的
# 协议)的 StatsD 服务器
# Kong 应向其写入 Vitals 指标。此值
# 仅在 `vitals_strategy` 为
# 设置为 `prometheus`。此值接受 IPv4,
# IPv6 和主机名。此外,后缀
# `tcp` 可以指定;这样做会导致
# 在 Kong 通过 TCP 发送 StatsD 指标
# 而不是 UDP(默认)。
#vitals_statsd_prefix = kong # 定义附加到所有的前缀值
# Vitals StatsD 事件。这个前缀很有用
# 将指标写入多租户 StatsD 时
# 出口商或服务器。
#vitals_statsd_udp_packet_size = 1024 # 定义最大缓冲区大小
# Vitals statsd 指标将是哪些
# 持有并分批发送。
# 此值以字节为单位定义。
#vitals_prometheus_scrape_interval = 5 #定义scrape_interval查询
# 参数发送到 Prometheus
# 读取 Vitals 数据时的服务器。
# 这应该和scrape一样
# 在的间隔(以秒为单位)
# 普罗米修斯服务器。
#------------------------------------------------ -----------------------------------------
# 开发者门户
#------------------------------------------------ -----------------------------------------
#portal = off
# 开发者门户切换
# 启用时:
# Kong 将公开 Dev Portal 界面和
# `portal_gui_listen` 地址上的只读 API,
# 和管理 API 上的端点来管理资产。
# 当与 `portal_auth` 一起启用时:
# Kong 将为开发人员公开管理端点
# 管理 API 和开发门户 API 上的帐户。
#portal_gui_listen = 0.0.0.0:8003, 0.0.0.0:8446 ssl
# 开发者门户 GUI 监听器
# Kong 将访问的地址的逗号分隔列表
# 公开开发者门户 GUI。后缀可以
# 为每一对指定,类似于
# `admin_listen` 指令。
#portal_gui_protocol = http
# 开发者门户 GUI 协议
# 结合使用的协议
# `portal_gui_host` 构建查找或平衡器
# Kong 代理节点的地址。
# 示例:`http`、`https`
#portal_gui_host = 127.0.0.1:8003
# 开发者门户 GUI 主机
# 配合使用的主机
# `portal_gui_protocol` 构造查找,
# 或 Kong 代理节点的平衡器地址。
# 例子:
# - `<IP>:<PORT>`
# -> `portal_gui_host = 127.0.0.1:8003`
# - `<HOSTNAME>`
# -> `portal_gui_host = portal_api.domain.tld`
# - `<HOSTNAME>/<PATH>`
# -> `portal_gui_host = dev-machine/dev-285`
#portal_cors_origins = # 开发者门户 CORS 起源
# 一个逗号分隔的允许域列表
# `Access-Control-Allow-Origin` 标头。这可以用来
# 解决自定义网络环境中的 CORS 问题。
# 例子:
# - 域列表:
# `portal_cors_origins = http://localhost:8003, https://localhost:8004`
# - 单个域:
# `portal_cors_origins = http://localhost:8003`
# - 所有域:
# `portal_cors_origins = *`
# 注意:在大多数情况下,Developer Portal 能够导出
# 使用 `portal_gui_protocol`、`portal_gui_host` 的有效 CORS 来源,
# 如果适用,`portal_gui_use_subdomains`。在这些情况下,
# `portal_cors_origins` 不需要并且可以保持未设置。
#portal_gui_use_subdomains = off
# Developer Portal GUI 子域切换
# 默认情况下,Kong Portal 使用第一个命名空间
# 确定工作空间的请求路径。通过转动
# `portal_gui_subdomains` 开启,Kong Portal 将期待
# 工作区作为子域包含在请求 url 中。
# 示例(关闭):
# - `<scheme>://<HOSTNAME>/<WORKSPACE>/<PATH>`->
# `http://kong-portal.com/example-workspace/index`
# 示例(上):
# - `<scheme>://<WORKSPACE>.<HOSTNAME>` ->
# `http://example-workspace.kong-portal.com/index`
#portal_gui_ssl_cert = # 开发者门户 GUI SSL 证书
# SSL证书的绝对路径
# 启用 SSL 的 `portal_gui_listen` 值。
#portal_gui_ssl_cert_key = # 开发者门户 GUI SSL 证书密钥
# SSL 密钥的绝对路径
# 启用 SSL 的 `portal_gui_listen` 值。
#portal_gui_access_log = logs/portal_gui_access.log
# Developer Portal GUI 访问日志位置
# 这里可以设置绝对路径或者相对路径
# Portal GUI 访问日志。
# 将此值设置为 `off` 将禁用日志记录
# Portal GUI 访问日志。
# 使用相对路径时,日志会放在下面
# `prefix` 位置。
#portal_gui_error_log = logs/portal_gui_error.log
# Developer Portal GUI 错误日志位置
# 这里可以设置绝对路径或者相对路径
# 门户 GUI 错误日志。
# 将此值设置为 `off` 将禁用日志记录
# 门户 GUI 错误日志。
# 使用相对路径时,日志会放在下面
# `prefix` 位置。
# 粒度可以通过 `log_level` 进行调整
#portal_api_listen = 0.0.0.0:8004, 0.0.0.0:8447 ssl
# 开发者门户 API 监听器
# Kong 将访问的地址的逗号分隔列表
# 公开开发者门户 API。后缀可以
# 为每一对指定,类似于
# `admin_listen` 指令。
#portal_api_url = # 开发者门户 API URL
# 开发者的查找地址或平衡器地址
# 门户节点。
# 这个值是微服务中常用的
# 或面向服务网格的架构。
# `portal_api_url` 是你的地址
# Kong Dev Portal API 可由 Kong 访问。你
# 仅当您的 Kong Dev Portal API 时才应设置此值
# 与 Kong Proxy 位于不同的节点上。
# 接受的格式(括号中的部分是可选的):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# 例子:
# - `<scheme>://<IP>:<PORT>`
# -> `portal_api_url = http://127.0.0.1:8003`
# - `SSL <scheme>://<HOSTNAME>`
# -> `portal_api_url = https://portal_api.domain.tld`
# - `<scheme>://<HOSTNAME>/<PATH>`
# -> `portal_api_url = http://dev-machine/dev-285`
# 默认情况下,此值指向本地接口:
# - `http://0.0.0.0:8004`
#portal_api_ssl_cert = # 开发者门户 API SSL 证书
# SSL证书的绝对路径
# 启用 SSL 的 `portal_api_listen` 值。
#portal_api_ssl_cert_key = # 开发者门户 API SSL 证书密钥
# SSL 密钥的绝对路径
# 启用 SSL 的 `portal_api_listen` 值。
#portal_api_access_log = logs/portal_api_access.log
# Developer Portal API 访问日志位置
# 这里可以设置绝对路径或者相对路径
# Portal API 访问日志。
# 将此值设置为 `off` 将禁用日志记录
# Portal API 访问日志。
# 使用相对路径时,日志会放在下面
# `prefix` 位置。
#portal_api_error_log = logs/portal_api_error.log
# Developer Portal API 错误日志位置
# 这里可以设置绝对路径或者相对路径
# 门户 API 错误日志。
# 将此值设置为 `off` 将禁用日志记录
# 门户 API 错误日志。
# 使用相对路径时,日志会放在下面
# `prefix` 位置。
# 粒度可以通过 `log_level` 指令进行调整。
#portal_is_legacy = off
# 开发者门户旧版支持
# 将此值设置为 `on` 将导致所有新的
# 默认情况下使用旧版渲染系统渲染的门户。
# 将此值设置为 `off` 将导致所有新的
# 使用当前渲染系统渲染的门户。
#portal_app_auth = kong-oauth2
# 开发者门户应用注册
# 身份验证提供者和策略。必须设置为启用
# application_registration 插件
# 目前接受 kong-oauth2 或 external-oauth2
#------------------------------------------------ -----------------------------------------
# 默认开发者门户认证
#------------------------------------------------ -----------------------------------------
# 在创建工作区时引用以设置 Dev Portal 身份验证默认值
# 在该特定工作区的数据库中。
#portal_auth = # 开发者门户认证插件名称
# 指定认证插件
# 申请到您的开发者门户。开发者
# 将使用指定的认证形式
# 请求访问、注册和登录到您的
# 开发者门户。
# 支持的插件:
# - 基本身份验证:`portal_auth = basic-auth`
# - OIDC 身份验证:`portal_auth = openid-connect`
#portal_auth_password_complexity = # Kong 门户身份验证密码复杂度 (JSON)
# 当portal_auth = basic-auth时,该属性定义
# Kong Portal 密码所需的规则。选择
# 来自预设规则或编写您自己的规则。
# 使用预设规则的示例:
# `portal_auth_password_complexity = { "kong-preset": "min_8" }`
# kong-preset 的所有值都需要包含密码
# 来自以下至少三个类别的字符:
# 1. 大写字符(A 到 Z)
# 2. 小写字符(a 到 z)
# 3. Base-10 数字(0 到 9)
# 4. 特殊字符(例如&、$、#、%)
# 支持的预设规则:
# - `min_8`: 最小长度为 8
# - `min_12`: 最小长度为 12
# - `min_20`: 最小长度为 20
# 要编写自己的规则,请参阅
# https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html。
# 注意:仅支持关键字“min”、“max”和“passphrase”。
# 例子:
# `portal_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#portal_auth_conf = # 开发者门户身份验证插件配置 (JSON)
# 指定插件配置对象
# 以 JSON 格式应用于您的开发人员
# 门户认证。
# 关于插件配置的信息
# 查阅相关的插件文档。
# `basic-auth` 的示例:
# `portal_auth_conf = { "hide_credentials": true }`
#portal_auth_login_attempts = 0
# 用户可以尝试登录的次数
# 必须重置密码之前的开发门户。
# 0(默认)表示允许无限尝试。
# 注意:任何大于 0 的值只会影响
# 使用基本身份验证保护的开发门户。
#portal_session_conf = # 门户会话配置 (JSON)
# 指定配置
# Kong Portal 使用的会话插件。
# 有关插件配置的信息,请参阅
# Kong 会话插件文档。
# 例子:
#portal_session_conf = { "cookie_name": "portal_session", \
# "secret": "change-me", \
# "storage": "kong" }
#portal_auto_approve = off
# 开发者门户自动批准访问
# 当此标志设置为 `on` 时,开发人员将
# 完成后自动标记为“已批准”
# 登记。仍然可以通过
# 管理 GUI 或 API。
#portal_token_exp = 21600
# 门户过期的持续时间(秒)
# 登录重置/帐户验证令牌。
#portal_email_verification = off
# 门户开发者电子邮件验证。
# 启用后,开发人员将收到一封电子邮件
# 注册以验证他们的帐户。开发商将
# 在他们之前不能使用开发者门户
# 验证他们的帐户。
# 注意:必须打开 SMTP 才能使用此功能。
#------------------------------------------------ -----------------------------------------
# 默认门户 SMTP 配置
#------------------------------------------------ -----------------------------------------
# 在创建工作区时引用以在数据库中设置 SMTP 默认值
# 对于那个特定的工作空间。
#portal_invite_email = on
# 启用或禁用 portal_invite_email
#portal_access_request_email = on
# 启用或禁用 portal_access_request_email
#portal_approved_email = on
# 启用或禁用 portal_approved_email
#portal_reset_email = on
# 启用或禁用 portal_reset_email
#portal_reset_success_email = on
# 启用或禁用 portal_reset_success_email
#portal_application_status_email = off
# 启用后,开发者会收到一封邮件
# 当他们的应用程序的状态发生变化时
# 服务请求。
# 禁用后,开发人员仍然可以
# 在他们的开发者门户中查看状态
# 申请页面。
# 邮件如下所示:
# 主题:开发门户应用程序请求 <REQUEST_STATUS> (<DEV_PORTAL_URL>)
# 你好开发者,
# 我们正在向您发送电子邮件,让您知道您的应用程序访问请求来自
# <DEV_PORTAL_URL> 的开发者门户帐户是 <REQUEST_STATUS>。
# 应用程序:<APPLICATION_NAME>
# 服务:<SERVICE_NAME>
# 当您的访问被批准后,您将收到另一封电子邮件。
#portal_application_request_email = off
# 启用后,由 `smtp_admin_emails` 指定的 Kong 管理员
# 当开发者请求访问时会收到一封电子邮件
# 通过应用程序提供服务。
# 禁用时,Kong 管理员必须手动检查
# Kong Manager 查看任何请求。
# 默认情况下,`smtp_admin_emails` 将是收件人。
# 这可以被 `portal_smtp_admin_emails` 覆盖,
# 可以通过每个工作区动态设置
# 管理 API。
# 邮件如下所示:
# 主题:从 <DEVELOPER_EMAIL> 请求访问开发门户 (<DEV_PORTAL_URL>) 服务
配置加载
Kong 的默认配置位于 /etc/kong/kong.conf.default。如果你是通过官方安装包安装的 Kong,可以复制该文件并在此基础上开始配置 Kong:
$ cp /etc/kong/kong.conf.default /etc/kong/kong.conf
Kong 开源API网关安装与配置教程
kongKong是一款高性能的开源API网关,支持多种协议和插件,能够实现API路由、认证、限流等功能,助力企业构建灵活、安全且可扩展的API架构。项目地址:https://gitcode.com/gh_mirrors/ko/kong 1. 项目目录结构及介绍
在下载并克隆Kong仓库(https://github.com/Kong/kong.git)后,...
本篇文件介绍kong配置文件的配置
配置文件
Kong启动时,如果存在 /etc/kong/kong.conf 文件,将会使用该文件的配置,该文件由开发者自己生成
/etc/kong/kong.conf.default是kong提供的模板配置,开发者可参考该配置
基于配置文件的Docker启动
如下,我们使用配置文件启动Kong Docker
1.新建一个TestKong目录
2.目录下新建kong.conf,其内容如下
database = postgres
pg_host = postgres
安装kong
$ curl -Lo kong-2.5.0.amd64.rpm $( rpm --eval "https://download.konghq.com/gateway-2.x-centos-%{centos_ver}/Packages/k/kong-2.5.0.el%{centos_ver}.amd64.rpm")
$ sudo yum install kong-2.5.0.amd64.rpm
安装 postgresql
官网下载页面:http://www.postgres.cn/v.
Kong的默认配置在/etc/kong/kong.conf.default
在开始时,Kong可能会查找的几个缺省配置文件位置如下:
测试 类似 nginx -t
kong check
configuration at /etc/kong/kong.conf is valid
重新加载 类似 nginx -s reload
kong reload
如此 配置生效,问题解决
Kong配置文件是Kong服务的核心文件,它配置了Kong以怎么的方式运行,并且依赖于这个配置生成Nginx的配置文件,本文通过解读Kong配置文件,以了解Kong的运行和配置。
在成功安装Kong以后,会有一个名为kong.conf.default默认的配置文件示例,如果是通过包管理器安装的,通常位于/etc/kong/kong.conf.default,我们要将其复制为kong.co...
个人理解,仅供参考:
首先,kong+konga除去其他高级功能,个人觉得就是把nginx,变成可以页面配置的了。比如,配置的router,service就是反向代理,配置upstream就是负载均衡。
本文只介绍KONGA配置service,router,upstream。
使用docker-compose安装:
docker-compose.yml
[root@ecs-f841-0003 kong]# cat docker-compose.yml
version: '3'
services:
物联网网关神器 Kong ( 四 )- 利用 Konga 来配置生产环境安全连接 Kong
上一篇我们讲解了 Konga 的搭建和与 Kong 进行默认连接,本篇文章将讲一下如何在生产环境中基于验证的连接 Kong ,并详细讲解其中的参数。
如果你需要在生产环境使用,可以让 admin 端口只监听 127.0.0.1,然后通过 Kong 自身进行代理并增加校验。
首先,你可以通过默认方法连接上你的 Kong admin,这样方便进行配置。而后创建 Service。
Service
Kong.conf 配置文件属性详解:1. 基础部分;2. NGINX 部分;3. 数据库部分(database、Postgres 设置);4. 数据存储区缓存部分;5. DNS 解析器部分;6. 开发和其他配置部分;备注:header 配置项可选参数:
1. 基础部分
Kong 是一个开源的云原生 API 网关,它可以用来管理和路由 API 请求。与此同时,Nginx 是一个高性能的 Web 服务器和反向代理服务器。在配置 Kong 和 Nginx 时,你需要将 Kong 配置为 Nginx 的插件,并将其与 Nginx 进行集成。
下面是一个简单的示例配置,展示了如何将 Kong 配置为 Nginx 的插件:
1. 首先,确保你已经安装了 Nginx 和 Kong。
2. 打开 Nginx 的配置文件,通常位于 `/etc/nginx/nginx.conf`。在 `http` 块中添加以下内容:
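http {
  # ... other configuration ...

  # HTTP proxying defaults; inherited by the location blocks below.
  proxy_http_version 1.1;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;

  # location blocks are only valid inside a server block.
  server {
    # listen / server_name omitted here: set them for your deployment.

    # Kong proxy (data plane, default port 8000).
    location / {
      proxy_pass http://localhost:8000;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
    }

    # Kong Admin API (control plane, default port 8001).
    # The trailing slash on both the location and proxy_pass strips the
    # /kong/ prefix, so /kong/services reaches the Admin API as /services;
    # without it the full original URI is forwarded and no Admin route matches.
    location /kong/ {
      # The Admin API gives full control over the gateway. Do not leave this
      # location reachable from untrusted networks: restrict it with
      # allow/deny or put an authentication layer in front of it, e.g.
      #   allow <ADMIN_CIDR_PLACEHOLDER>;
      #   deny all;
      proxy_pass http://localhost:8001/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
    }
  }

  # ... other configuration ...
}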
上述配置中,我们首先启用了 HTTP 代理模块,然后为 Kong 的代理和 Admin API 分别配置了对应的 `location`。
3. 保存并退出 Nginx 配置文件。
4. 启动 Nginx 和 Kong,并确保它们都正常运行。
这只是一个简单的示例配置,你可以根据自己的需求进行更详细的配置。另外,Kong 还提供了更多高级功能和插件,你可以根据文档进一步了解和配置。