curl -Lo kong-enterprise-edition-2.8.1.4.rpm $(rpm --eval "https://download.konghq.com/gateway-2.x-centos-7/Packages/k/kong-enterprise-edition-2.8.1.4.el7.noarch.rpm")
yum install kong-enterprise-edition-2.8.1.4.rpm -y
kong.conf.default
# -----------------------
# Kong configuration file
# -----------------------
# The commented-out settings shown in this file represent the default values.
# This file is read when `kong start` or `kong prepare` are used. Kong
# generates the Nginx configuration with the settings specified in this file.
# All environment variables prefixed with `KONG_` and capitalized will override
# the settings specified in this file.
# Example:
# `log_level` setting -> `KONG_LOG_LEVEL` env variable
# Boolean values can be specified as `on`/`off` or `true`/`false`.
# Lists must be specified as comma-separated strings.
# All comments in this file can be removed safely, including the
# commented-out properties.
# You can verify the integrity of your settings with `kong check <conf>`.
#------------------------------------------------------------------------------
# GENERAL
#------------------------------------------------------------------------------
#prefix = /usr/local/kong/ # Working directory. Equivalent to Nginx's
# prefix path, containing temporary files
# and logs.
# Each Kong process must have a separate
# working directory.
#log_level = notice # Log level of the Nginx server. Logs are
# found at `<prefix>/logs/error.log`.
# See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list
# of accepted values.
#proxy_access_log = logs/access.log # Path for proxy port request access
# logs. Set this value to `off` to
# disable logging proxy requests.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
#proxy_error_log = logs/error.log # Path for proxy port request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#proxy_stream_access_log = logs/access.log basic # Path for tcp streams proxy port access
# logs. Set this value to `off` to
# disable logging proxy requests.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
# `basic` is defined as `'$remote_addr [$time_local] '
# '$protocol $status $bytes_sent $bytes_received '
# '$session_time'`
#proxy_stream_error_log = logs/error.log # Path for tcp streams proxy port request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#admin_access_log = logs/admin_access.log # Path for Admin API request access
# logs. If Hybrid Mode is enabled
# and the current node is set to be
# the Control Plane, then the
# connection requests from Data Planes
# are also written to this file with
# server name "kong_cluster_listener".
# Set this value to `off` to
# disable logging Admin API requests.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
#admin_error_log = logs/error.log # Path for Admin API request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#status_access_log = off # Path for Status API request access
# logs. The default value of `off`
# implies that logging for this API
# is disabled by default.
# If this value is a relative path,
# it will be placed under the
# `prefix` location.
#status_error_log = logs/status_error.log # Path for Status API request error
# logs. The granularity of these logs
# is adjusted by the `log_level`
# property.
#vaults = bundled # Comma-separated list of vaults this node
# should load. By default, all the bundled
# vaults are enabled.
# The specified name(s) will be substituted as
# such in the Lua namespace:
# `kong.vaults.{name}.*`.
#plugins = bundled # Comma-separated list of plugins this node
# should load. By default, only plugins
# bundled in official distributions are
# loaded via the `bundled` keyword.
# Loading a plugin does not enable it by
# default, but only instructs Kong to load its
# source code, and allows to configure the
# plugin via the various related Admin API
# endpoints.
# The specified name(s) will be substituted as
# such in the Lua namespace:
# `kong.plugins.{name}.*`.
# When the `off` keyword is specified as the
# only value, no plugins will be loaded.
# `bundled` and plugin names can be mixed
# together, as the following examples suggest:
# - `plugins = bundled,custom-auth,custom-log`
# will include the bundled plugins plus two
# custom ones
# - `plugins = custom-auth,custom-log` will
# *only* include the `custom-auth` and
# `custom-log` plugins.
# - `plugins = off` will not include any
# plugins
# **Note:** Kong will not start if some
# plugins were previously configured (i.e.
# have rows in the database) and are not
# specified in this list. Before disabling a
# plugin, ensure all instances of it are
# removed before restarting Kong.
# **Note:** Limiting the amount of available
# plugins can improve P99 latency when
# experiencing LRU churning in the database
# cache (i.e. when the configured
# `mem_cache_size`) is full.
#pluginserver_names = # Comma-separated list of names for pluginserver
# processes. The actual names are used for
# log messages and to relate the actual settings.
#pluginserver_XXX_socket = <prefix>/<XXX>.socket # Path to the unix socket
# used by the <XXX> pluginserver.
#pluginserver_XXX_start_cmd = /usr/local/bin/<XXX> # Full command (including
# any needed arguments) to
# start the <XXX> pluginserver
#pluginserver_XXX_query_cmd = /usr/local/bin/query_<XXX> # Full command to "query" the
# <XXX> pluginserver. Should
# produce a JSON with the
# dump info of all plugins it
# manages
#port_maps = # With this configuration parameter, you can
# let the Kong to know about the port from
# which the packets are forwarded to it. This
# is fairly common when running Kong in a
# containerized or virtualized environment.
# For example, `port_maps=80:8000, 443:8443`
# instructs Kong that the port 80 is mapped
# to 8000 (and the port 443 to 8443), where
# 8000 and 8443 are the ports that Kong is
# listening to.
# This parameter helps Kong set a proper
# forwarded upstream HTTP request header or to
# get the proper forwarded port with the Kong PDK
# (in case other means determining it has
# failed). It changes routing by a destination
# port to route by a port from which packets
# are forwarded to Kong, and similarly it
# changes the default plugin log serializer to
# use the port according to this mapping
# instead of reporting the port Kong is
# listening to.
#anonymous_reports = on # Send anonymous usage data such as error
# stack traces to help improve Kong.
#------------------------------------------------------------------------------
# HYBRID MODE
#------------------------------------------------------------------------------
#role = traditional # Use this setting to enable Hybrid Mode,
# This allows running some Kong nodes in a
# control plane role with a database and
# have them deliver configuration updates
# to other nodes running to DB-less running in
# a Data Plane role.
# Valid values to this setting are:
# - `traditional`: do not use Hybrid Mode.
# - `control_plane`: this node runs in a
# control plane role. It can use a database
# and will deliver configuration updates
# to data plane nodes.
# - `data_plane`: this is a data plane node.
# It runs DB-less and receives configuration
# updates from a control plane node.
#cluster_mtls = shared # Sets the verification between nodes of the
# cluster.
# Valid values to this setting are:
# - `shared`: use a shared certificate/key
# pair specified with the `cluster_cert`
# and `cluster_cert_key` settings.
# Note that CP and DP nodes have to present
# the same certificate to establish mTLS
# connections.
# - `pki`: use `cluster_ca_cert`,
# `cluster_server_name` and `cluster_cert`
# for verification.
# These are different certificates for each
# DP node, but issued by a cluster-wide
# common CA certificate: `cluster_ca_cert`.
# - `pki_check_cn`: similar as `pki` but additionally
# checks for Common Name of data plane certificate
# specified in `cluster_allowed_common_names`.
#cluster_cert = # Filename of the cluster certificate to use
# when establishing secure communication
# between control and data plane nodes.
# You can use the `kong hybrid` command to
# generate the certificate/key pair.
# Under `shared` mode, it must be the same
# for all nodes. Under `pki` mode it
# should be a different certificate for each
# DP node.
#cluster_cert_key = # Filename of the cluster certificate key to
# use when establishing secure communication
# between control and data plane nodes.
# You can use the `kong hybrid` command to
# generate the certificate/key pair.
# Under `shared` mode, it must be the same
# for all nodes. Under `pki` mode it
# should be a different certificate for each
# DP node.
#cluster_ca_cert = # The trusted CA certificate file in PEM
# format used for Control Plane to verify
# Data Plane's certificate and Data Plane
# to verify Control Plane's certificate.
# Required on data plane if `cluster_mtls`
# is set to `pki`.
# If Control Plane certificate is issued
# by a well known CA, user can set
# `lua_ssl_trusted_certificate=system`
# on Data Plane and leave this field empty.
# This field is ignored if `cluster_mtls` is
# set to `shared`.
#cluster_allowed_common_names = # The list of Common Names that are allowed to
# connect to control plane. Multiple entries may
# be supplied in a comma-separated string. When not
# set, Data Plane with same parent domain of
# Control Plane cert is allowed to connect.
# This field is ignored if `cluster_mtls` is
# not set to `pki_check_cn`.
#------------------------------------------------------------------------------
# HYBRID MODE DATA PLANE
#------------------------------------------------------------------------------
#cluster_server_name = # The server name used in the SNI of the TLS
# connection from a DP node to a CP node.
# Must match the Common Name (CN) or Subject
# Alternative Name (SAN) found in the CP
# certificate.
# If `cluster_mtls` is set to
# `shared`, this setting is ignored and
# `kong_clustering` is used.
#cluster_control_plane = # To be used by data plane nodes only:
# address of the control plane node from
# which configuration updates will be fetched,
# in `host:port` format.
#cluster_telemetry_endpoint = # To be used by data plane nodes only:
# telemetry address of the control plane node
# to which telemetry updates will be posted
# in `host:port` format.
#data_plane_config_cache_mode = unencrypted
# Data planes can store their config to file system
# as a backup in case the node is restarted or reloaded
# to faster bring the node in configured state or in
# case there are issues connecting to control plane.
# This parameter can be used to control the behavior.
# To be used by data plane nodes only:
# `unencrypted` = stores config cache unencrypted
# `encrypted` = stores config cache encrypted
# `off` = does not store the config cache
#data_plane_config_cache_path = # The unencrypted config cache is stored by default
# to Kong `prefix` with a filename `config.cache.json.gz`.
# The encrypted config cache is stored by default
# to Kong `prefix` with a filename `.config.cache.jwt`
# Alternatively you can specify path for config cache
# with this parameter, e.g. `/tmp/kong-config-cache`.
#------------------------------------------------------------------------------
# HYBRID MODE CONTROL PLANE
#------------------------------------------------------------------------------
#cluster_listen = 0.0.0.0:8005
# Comma-separated list of addresses and ports on
# which the cluster control plane server should listen
# for data plane connections.
# The cluster communication port of the control plane
# must be accessible by all the data planes
# within the same cluster. This port is mTLS protected
# to ensure end-to-end security and integrity.
# This setting has no effect if `role` is not set to
# `control_plane`.
# Connection made to this endpoint are logged
# to the same location as Admin API access logs.
# See `admin_access_log` config description for more
# information.
#cluster_telemetry_listen = 0.0.0.0:8006
# Comma-separated list of addresses and ports on
# which the cluster control plane server should listen
# for data plane telemetry connections.
# The cluster communication port of the control plane
# must be accessible by all the data planes
# within the same cluster.
# This setting has no effect if `role` is not set to
# `control_plane`.
#cluster_data_plane_purge_delay = 1209600
# How many seconds must pass from the time a DP node
# becomes offline to the time its entry gets removed
# from the database, as returned by the
# /clustering/data-planes Admin API endpoint.
# This is to prevent the cluster data plane table from
# growing indefinitely. The default is set to
# 14 days. That is, if CP haven't heard from a DP for
# 14 days, its entry will be removed.
#cluster_ocsp = off
# Whether to check for revocation status of DP
# certificates using OCSP (Online Certificate Status Protocol).
# If enabled, the DP certificate should contain the
# "Certificate Authority Information Access" extension
# and the OCSP method with URI of which the OCSP responder
# can be reached from CP.
# OCSP checks are only performed on CP nodes, it has no
# effect on DP nodes.
# Valid values to this setting are:
# - `on`: OCSP revocation check is enabled and DP
# must pass the check in order to establish
# connection with CP.
# - `off`: OCSP revocation check is disabled.
# - `optional`: OCSP revocation check will be attempted,
# however, if the required extension is not
# found inside DP provided certificate
# or communication with the OCSP responder
# failed, then DP is still allowed through.
#cluster_max_payload = 4194304
# This sets the maximum payload size allowed
# to be sent across from CP to DP in Hybrid mode
# Default is 4Mb - 4 * 1024 * 1024 due to historical reasons
#------------------------------------------------------------------------------
# NGINX
#------------------------------------------------------------------------------
#proxy_listen = 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384
# Comma-separated list of addresses and ports on
# which the proxy server should listen for
# HTTP/HTTPS traffic.
# The proxy server is the public entry point of Kong,
# which proxies traffic from your consumers to your
# backend services. This value accepts IPv4, IPv6, and
# hostnames.
# Some suffixes can be specified for each pair:
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# - `http2` will allow for clients to open HTTP/2
# connections to Kong's proxy server.
# - `proxy_protocol` will enable usage of the
# PROXY protocol for a given address/port.
# - `deferred` instructs to use a deferred accept on
# Linux (the TCP_DEFER_ACCEPT socket option).
# - `bind` instructs to make a separate bind() call
# for a given address:port pair.
# - `reuseport` instructs to create an individual
# listening socket for each worker process
# allowing the Kernel to better distribute incoming
# connections between worker processes
# - `backlog=N` sets the maximum length for the queue
# of pending TCP connections. This number should
# not be too small in order to prevent clients
# seeing "Connection refused" error connecting to
# a busy Kong instance.
# **Note:** on Linux, this value is limited by the
# setting of `net.core.somaxconn` Kernel parameter.
# In order for the larger `backlog` set here to take
# effect it is necessary to raise
# `net.core.somaxconn` at the same time to match or
# exceed the `backlog` number set.
# This value can be set to `off`, thus disabling
# the HTTP/HTTPS proxy port for this node.
# If stream_listen is also set to `off`, this enables
# 'control-plane' mode for this node
# (in which all traffic proxying capabilities are
# disabled). This node can then be used only to
# configure a cluster of Kong
# nodes connected to the same datastore.
# Example:
# `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl`
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
# for a description of the accepted formats for this
# and other `*_listen` values.
# See https://www.nginx.com/resources/admin-guide/proxy-protocol/
# for more details about the `proxy_protocol`
# parameter.
# Not all `*_listen` values accept all formats
# specified in nginx's documentation.
#proxy_url = # Kong Proxy URL
# The lookup, or balancer, address for your Kong Proxy nodes.
# This value is commonly used in a microservices
# or service-mesh oriented architecture.
# Accepted format (parts in parentheses are optional):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# Examples:
# - `<scheme>://<IP>:<PORT>` -> `proxy_url = http://127.0.0.1:8000`
# - `SSL <scheme>://<HOSTNAME>` -> `proxy_url = https://proxy.domain.tld`
# - `<scheme>://<HOSTNAME>/<PATH>` -> `proxy_url = http://dev-machine/dev-285`
# By default, Kong Manager, and Kong Portal will use
# the window request host and append the resolved
# listener port depending on the requested protocol.
#stream_listen = off
# Comma-separated list of addresses and ports on
# which the stream mode should listen.
# This value accepts IPv4, IPv6, and hostnames.
# Some suffixes can be specified for each pair:
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# - `proxy_protocol` will enable usage of the
# PROXY protocol for a given address/port.
# - `bind` instructs to make a separate bind() call
# for a given address:port pair.
# - `reuseport` instructs to create an individual
# listening socket for each worker process
# allowing the Kernel to better distribute incoming
# connections between worker processes
# - `backlog=N` sets the maximum length for the queue
# of pending TCP connections. This number should
# not be too small in order to prevent clients
# seeing "Connection refused" error connecting to
# a busy Kong instance.
# **Note:** on Linux, this value is limited by the
# setting of `net.core.somaxconn` Kernel parameter.
# In order for the larger `backlog` set here to take
# effect it is necessary to raise
# `net.core.somaxconn` at the same time to match or
# exceed the `backlog` number set.
# Examples:
# ```
# stream_listen = 127.0.0.1:7000 reuseport backlog=16384
# stream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20
# stream_listen = [::1]:1234 backlog=16384
# ```
# By default this value is set to `off`, thus
# disabling the stream proxy port for this node.
# See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen
# for a description of the formats that Kong might accept in stream_listen.
#admin_api_uri = # Hierarchical part of a URI which is composed
# optionally of a host, port, and path at which the
# Admin API accepts HTTP or HTTPS traffic. When
# this config is disabled, Kong Manager will
# use the window protocol + host and append the
# resolved admin_listen HTTP/HTTPS port.
#admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384
# Comma-separated list of addresses and ports on
# which the Admin interface should listen.
# The Admin interface is the API allowing you to
# configure and manage Kong.
# Access to this interface should be *restricted*
# to Kong administrators *only*. This value accepts
# IPv4, IPv6, and hostnames.
# Some suffixes can be specified for each pair:
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# - `http2` will allow for clients to open HTTP/2
# connections to Kong's proxy server.
# - `proxy_protocol` will enable usage of the
# PROXY protocol for a given address/port.
# - `deferred` instructs to use a deferred accept on
# Linux (the TCP_DEFER_ACCEPT socket option).
# - `bind` instructs to make a separate bind() call
# for a given address:port pair.
# - `reuseport` instructs to create an individual
# listening socket for each worker process
# allowing the Kernel to better distribute incoming
# connections between worker processes
# - `backlog=N` sets the maximum length for the queue
# of pending TCP connections. This number should
# not be too small in order to prevent clients
# seeing "Connection refused" error connecting to
# a busy Kong instance.
# **Note:** on Linux, this value is limited by the
# setting of `net.core.somaxconn` Kernel parameter.
# In order for the larger `backlog` set here to take
# effect it is necessary to raise
# `net.core.somaxconn` at the same time to match or
# exceed the `backlog` number set.
# This value can be set to `off`, thus disabling
# the Admin interface for this node, enabling a
# 'data-plane' mode (without configuration
# capabilities) pulling its configuration changes
# from the database.
# Example: `admin_listen = 127.0.0.1:8444 http2 ssl`
#status_listen = off # Comma-separated list of addresses and ports on
# which the Status API should listen.
# The Status API is a read-only endpoint
# allowing monitoring tools to retrieve metrics,
# healthiness, and other non-sensitive information
# of the current Kong node.
# The following suffix can be specified for each pair:
# - `ssl` will require that all connections made
# through a particular address/port be made with TLS
# enabled.
# This value can be set to `off`, disabling
# the Status API for this node.
# Example: `status_listen = 0.0.0.0:8100`
#nginx_user = kong kong # Defines user and group credentials used by
# worker processes. If group is omitted, a
# group whose name equals that of user is
# used.
# Example: `nginx_user = nginx www`
# **Note**: If the `kong` user and the `kong`
# group are not available, the default user
# and group credentials will be
# `nobody nobody`.
#nginx_worker_processes = auto # Determines the number of worker processes
# spawned by Nginx.
# See http://nginx.org/en/docs/ngx_core_module.html#worker_processes
# for detailed usage of the equivalent Nginx
# directive and a description of accepted
# values.
#nginx_daemon = on # Determines whether Nginx will run as a daemon
# or as a foreground process. Mainly useful
# for development or when running Kong inside
# a Docker environment.
# See http://nginx.org/en/docs/ngx_core_module.html#daemon.
#mem_cache_size = 128m # Size of each of the two in-memory caches
# for database entities. The accepted units are
# `k` and `m`, with a minimum recommended value of
# a few MBs.
# **Note**: As this option controls the size of two
# different cache entries, the total memory Kong
# uses to cache entities might be double this value.
#ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx.
# Accepted values are `modern`,
# `intermediate`, `old`, `fips` or `custom`.
# See https://wiki.mozilla.org/Security/Server_Side_TLS
# for detailed descriptions of each cipher
# suite. `fips` cipher suites are as decribed in
# https://wiki.openssl.org/index.php/FIPS_mode_and_TLS.
#ssl_ciphers = # Defines a custom list of TLS ciphers to be
# served by Nginx. This list must conform to
# the pattern defined by `openssl ciphers`.
# This value is ignored if `ssl_cipher_suite`
# is not `custom`.
#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
# Enables the specified protocols for
# client-side connections. The set of
# supported protocol versions also depends
# on the version of OpenSSL Kong was built
# with. This value is ignored if
# `ssl_cipher_suite` is not `custom`.
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
#ssl_prefer_server_ciphers = on # Specifies that server ciphers should be
# preferred over client ciphers when using
# the SSLv3 and TLS protocols. This value is
# ignored if `ssl_cipher_suite` is not `custom`.
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
#ssl_dhparam = # Defines DH parameters for DHE ciphers from the
# predefined groups: `ffdhe2048`, `ffdhe3072`,
# `ffdhe4096`, `ffdhe6144`, `ffdhe8192`, or
# from the absolute path to a parameters file.
# This value is ignored if `ssl_cipher_suite`
# is `modern` or `intermediate`. The reason is
# that `modern` has no ciphers that needs this,
# and `intermediate` uses `ffdhe2048`.
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#ssl_session_tickets = on # Enables or disables session resumption through
# TLS session tickets. This has no impact when
# used with TLSv1.3.
# Kong enables this by default for performance
# reasons, but it has security implications:
# https://github.com/mozilla/server-side-tls/issues/135
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#ssl_session_timeout = 1d # Specifies a time during which a client may
# reuse the session parameters. See the rationale:
# https://github.com/mozilla/server-side-tls/issues/198
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
#ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `proxy_listen` values with TLS enabled.
# If more than one certificates are specified, it can be used to provide
# alternate type of certificate (for example, ECC certificate) that will be served
# to clients that supports them. Note to properly serve using ECC certificates,
# it is recommended to also set `ssl_cipher_suite` to
# `modern` or `intermediate`.
# Unless this option is explicitly set, Kong will auto-generate
# a pair of default certificates (RSA + ECC) first time it starts up and use
# it for serving TLS requests.
#ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `proxy_listen` values with TLS enabled.
# If more than one certificate was specified for `ssl_cert`, then this
# option should contain the corresponding key for all certificates
# provided in the same order.
# Unless this option is explicitly set, Kong will auto-generate
# a pair of default private keys (RSA + ECC) first time it starts up and use
# it for serving TLS requests.
#client_ssl = off # Determines if Nginx should attempt to send client-side
# TLS certificates and perform Mutual TLS Authentication
# with upstream service when proxying requests.
#client_ssl_cert = # If `client_ssl` is enabled, the absolute
# path to the client certificate for the `proxy_ssl_certificate` directive.
# This value can be overwritten dynamically with the `client_certificate`
# attribute of the `Service` object.
#client_ssl_cert_key = # If `client_ssl` is enabled, the absolute
# path to the client TLS key for the `proxy_ssl_certificate_key` directive.
# This value can be overwritten dynamically with the `client_certificate`
# attribute of the `Service` object.
#admin_ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `admin_listen` values with TLS enabled.
# See docs for `ssl_cert` for detailed usage.
#admin_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `admin_listen` values with TLS enabled.
# See docs for `ssl_cert_key` for detailed usage.
#status_ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `status_listen` values with TLS enabled.
# See docs for `ssl_cert` for detailed usage.
#status_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `status_listen` values with TLS enabled.
# See docs for `ssl_cert_key` for detailed usage.
#headers = server_tokens, latency_tokens
# Comma-separated list of headers Kong should
# inject in client responses.
# Accepted values are:
# - `Server`: Injects `Server: kong/x.y.z`
# on Kong-produced response (e.g. Admin
# API, rejected requests from auth plugin).
# - `Via`: Injects `Via: kong/x.y.z` for
# successfully proxied requests.
# - `X-Kong-Proxy-Latency`: Time taken
# (in milliseconds) by Kong to process
# a request and run all plugins before
# proxying the request upstream.
# - `X-Kong-Response-Latency`: time taken
# (in millisecond) by Kong to produce
# a response in case of e.g. plugin
# short-circuiting the request, or in
# in case of an error.
# - `X-Kong-Upstream-Latency`: Time taken
# (in milliseconds) by the upstream
# service to send response headers.
# - `X-Kong-Admin-Latency`: Time taken
# (in milliseconds) by Kong to process
# an Admin API request.
# - `X-Kong-Upstream-Status`: The HTTP status
# code returned by the upstream service.
# This is particularly useful for clients to
# distinguish upstream statuses if the
# response is rewritten by a plugin.
# - `server_tokens`: Same as specifying both
# `Server` and `Via`.
# - `latency_tokens`: Same as specifying
# `X-Kong-Proxy-Latency`,
# `X-Kong-Response-Latency`,
# `X-Kong-Admin-Latency` and
# `X-Kong-Upstream-Latency`
# In addition to those, this value can be set
# to `off`, which prevents Kong from injecting
# any of the above headers. Note that this
# does not prevent plugins from injecting
# headers of their own.
# Example: `headers = via, latency_tokens`
#trusted_ips = # Defines trusted IP addresses blocks that are
# known to send correct `X-Forwarded-*`
# headers.
# Requests from trusted IPs make Kong forward
# their `X-Forwarded-*` headers upstream.
# Non-trusted requests make Kong insert its
# own `X-Forwarded-*` headers.
# This property also sets the
# `set_real_ip_from` directive(s) in the Nginx
# configuration. It accepts the same type of
# values (CIDR blocks) but as a
# comma-separated list.
# To trust *all* /!\ IPs, set this value to
# `0.0.0.0/0,::/0`.
# If the special value `unix:` is specified,
# all UNIX-domain sockets will be trusted.
# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
# for examples of accepted values.
#real_ip_header = X-Real-IP # Defines the request header field whose value
# will be used to replace the client address.
# This value sets the `ngx_http_realip_module`
# directive of the same name in the Nginx
# configuration.
# If this value receives `proxy_protocol`:
# - at least one of the `proxy_listen` entries
# must have the `proxy_protocol` flag
# enabled.
# - the `proxy_protocol` parameter will be
# appended to the `listen` directive of the
# Nginx template.
# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
# for a description of this directive.
#real_ip_recursive = off # This value sets the `ngx_http_realip_module`
# directive of the same name in the Nginx
# configuration.
# See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
# for a description of this directive.
#error_default_type = text/plain # Default MIME type to use when the request
# `Accept` header is missing and Nginx
# is returning an error for the request.
# Accepted values are `text/plain`,
# `text/html`, `application/json`, and
# `application/xml`.
#upstream_keepalive_pool_size = 60 # Sets the default size of the upstream
# keepalive connection pools.
# Upstream keepalive connection pools
# are segmented by the `dst ip/dst
# port/SNI` attributes of a connection.
# A value of `0` will disable upstream
# keepalive connections by default, forcing
# each upstream request to open a new
# connection.
#upstream_keepalive_max_requests = 100 # Sets the default maximum number of
# requests than can be proxied upstream
# through one keepalive connection.
# After the maximum number of requests
# is reached, the connection will be
# closed.
# A value of `0` will disable this
# behavior, and a keepalive connection
# can be used to proxy an indefinite
# number of requests.
#upstream_keepalive_idle_timeout = 60 # Sets the default timeout (in seconds)
# for which an upstream keepalive
# connection should be kept open. When
# the timeout is reached while the
# connection has not been reused, it
# will be closed.
# A value of `0` will disable this
# behavior, and an idle keepalive
# connection may be kept open
# indefinitely.
#------------------------------------------------------------------------------
# NGINX injected directives
#------------------------------------------------------------------------------
# Nginx directives can be dynamically injected in the runtime nginx.conf file
# without requiring a custom Nginx configuration template.
# All configuration properties respecting the naming scheme
# `nginx_<namespace>_<directive>` will result in `<directive>` being injected in
# the Nginx configuration block corresponding to the property's `<namespace>`.
# Example:
# `nginx_proxy_large_client_header_buffers = 8 24k`
# Will inject the following directive in Kong's proxy `server {}` block:
# `large_client_header_buffers 8 24k;`
# The following namespaces are supported:
# - `nginx_main_<directive>`: Injects `<directive>` in Kong's configuration
# `main` context.
# - `nginx_events_<directive>`: Injects `<directive>` in Kong's `events {}`
# block.
# - `nginx_http_<directive>`: Injects `<directive>` in Kong's `http {}` block.
# - `nginx_proxy_<directive>`: Injects `<directive>` in Kong's proxy
# `server {}` block.
# - `nginx_upstream_<directive>`: Injects `<directive>` in Kong's proxy
# `upstream {}` block.
# - `nginx_admin_<directive>`: Injects `<directive>` in Kong's Admin API
# `server {}` block.
# - `nginx_status_<directive>`: Injects `<directive>` in Kong's Status API
# `server {}` block (only effective if `status_listen` is enabled).
# - `nginx_stream_<directive>`: Injects `<directive>` in Kong's stream module
# `stream {}` block (only effective if `stream_listen` is enabled).
# - `nginx_sproxy_<directive>`: Injects `<directive>` in Kong's stream module
# `server {}` block (only effective if `stream_listen` is enabled).
# - `nginx_supstream_<directive>`: Injects `<directive>` in Kong's stream
# module `upstream {}` block.
# As with other configuration properties, Nginx directives can be injected via
# environment variables when capitalized and prefixed with `KONG_`.
# Example:
# `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`
# Will inject the following directive in Kong's `http {}` block:
# `ssl_protocols <value>;`
# If different sets of protocols are desired between the proxy and Admin API
# server, you may specify `nginx_proxy_ssl_protocols` and/or
# `nginx_admin_ssl_protocols`, both of which taking precedence over the
# `http {}` block.
#nginx_main_worker_rlimit_nofile = auto
# Changes the limit on the maximum number of open files
# for worker processes.
# The special and default value of `auto` sets this
# value to `ulimit -n` with the upper bound limited to
# 16384 as a measure to protect against excess memory use.
# See http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
#nginx_events_worker_connections = auto
# Sets the maximum number of simultaneous
# connections that can be opened by a worker process.
# The special and default value of `auto` sets this
# value to `ulimit -n` with the upper bound limited to
# 16384 as a measure to protect against excess memory use.
# See http://nginx.org/en/docs/ngx_core_module.html#worker_connections
#nginx_http_client_header_buffer_size = 1k # Sets buffer size for reading the
# client request headers.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
#nginx_http_large_client_header_buffers = 4 8k # Sets the maximum number and
# size of buffers used for
# reading large clients
# requests headers.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
#nginx_http_client_max_body_size = 0 # Defines the maximum request body size
# allowed by requests proxied by Kong,
# specified in the Content-Length request
# header. If a request exceeds this
# limit, Kong will respond with a 413
# (Request Entity Too Large). Setting
# this value to 0 disables checking the
# request body size.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
#nginx_admin_client_max_body_size = 10m # Defines the maximum request body size for
# Admin API.
#nginx_http_client_body_buffer_size = 8k # Defines the buffer size for reading
# the request body. If the client
# request body is larger than this
# value, the body will be buffered to
# disk. Note that when the body is
# buffered to disk, Kong plugins that
# access or manipulate the request
# body may not work, so it is
# advisable to set this value as high
# as possible (e.g., set it as high
# as `client_max_body_size` to force
# request bodies to be kept in
# memory). Do note that
# high-concurrency environments will
# require significant memory
# allocations to process many
# concurrent large request bodies.
# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
#nginx_admin_client_body_buffer_size = 10m # Defines the buffer size for reading
# the request body on Admin API.
#nginx_http_lua_regex_match_limit = 100000 # Global `MATCH_LIMIT` for PCRE
# regex matching. The default of `100000` should ensure
# at worst any regex Kong executes could finish within
# roughly 2 seconds.
#------------------------------------------------------------------------------
# DATASTORE
#------------------------------------------------------------------------------
# Kong can run with a database to store coordinated data between Kong nodes in
# a cluster, or without a database, where each node stores its information
# independently in memory.
# When using a database, Kong will store data for all its entities (such as
# Routes, Services, Consumers, and Plugins) in either Cassandra or PostgreSQL,
# and all Kong nodes belonging to the same cluster must connect themselves
# to the same database.
# Kong supports the following database versions:
# - **PostgreSQL**: 9.5 and above.
# - **Cassandra**: 2.2 and above.
# When not using a database, Kong is said to be in "DB-less mode": it will keep
# its entities in memory, and each node needs to have this data entered via a
# declarative configuration file, which can be specified through the
# `declarative_config` property, or via the Admin API using the `/config`
# endpoint.
# When using Postgres as the backend storage, you can optionally enable Kong
# to serve read queries from a separate database instance.
# When the number of proxies is large, this can greatly reduce the load
# on the main Postgres instance and achieve better scalability. It may also
# reduce the latency jitter if the Kong proxy node's latency to the main
# Postgres instance is high.
# The read-only Postgres instance only serves read queries and write
# queries still goes to the main connection. The read-only Postgres instance
# can be eventually consistent while replicating changes from the main
# instance.
# At least the `pg_ro_host` config is needed to enable this feature.
# By default, all other database config for the read-only connection are
# inherited from the corresponding main connection config described above but
# may be optionally overwritten explicitly using the `pg_ro_*` config below.
#database = postgres # Determines which of PostgreSQL or Cassandra
# this node will use as its datastore.
# Accepted values are `postgres`,
# `cassandra`, and `off`.
#pg_host = 127.0.0.1 # Host of the Postgres server.
#pg_port = 5432 # Port of the Postgres server.
#pg_timeout = 5000 # Defines the timeout (in ms), for connecting,
# reading and writing.
#pg_user = kong # Postgres user.
#pg_password = # Postgres user's password.
#pg_database = kong # The database name to connect to.
#pg_schema = # The database schema to use. If unspecified,
# Kong will respect the `search_path` value of
# your PostgreSQL instance.
#pg_ssl = off # Toggles client-server TLS connections
# between Kong and PostgreSQL.
# Because PostgreSQL uses the same port for TLS
# and non-TLS, this is only a hint. If the
# server does not support TLS, the established
# connection will be a plain one.
#pg_ssl_version = tlsv1 # When using ssl between Kong and PostgreSQL,
# the version of tls to use. Accepted values are
# `tlsv1`, `tlsv1_2`, or `tlsv1_3`.
#pg_ssl_required = off # When `pg_ssl` is on this determines if
# TLS must be used between Kong and PostgreSQL.
# It aborts the connection if the server does
# not support SSL connections.
#pg_ssl_verify = off # Toggles server certificate verification if
# `pg_ssl` is enabled.
# See the `lua_ssl_trusted_certificate`
# setting to specify a certificate authority.
#pg_ssl_cert = # The absolute path to the PEM encoded client
# TLS certificate for the PostgreSQL connection.
# Mutual TLS authentication against
# PostgreSQL is only enabled if this value is set.
#pg_ssl_cert_key = # If `pg_ssl_cert` is set, the absolute path to
# the PEM encoded client TLS private key for the
# PostgreSQL connection.
#pg_max_concurrent_queries = 0 # Sets the maximum number of concurrent queries
# that can be executing at any given time. This
# limit is enforced per worker process; the
# total number of concurrent queries for this
# node will be will be:
# `pg_max_concurrent_queries * nginx_worker_processes`.
# The default value of 0 removes this
# concurrency limitation.
#pg_semaphore_timeout = 60000 # Defines the timeout (in ms) after which
# PostgreSQL query semaphore resource
# acquisition attempts will fail. Such
# failures will generally result in the
# associated proxy or Admin API request
# failing with an HTTP 500 status code.
# Detailed discussion of this behavior is
# available in the online documentation.
#pg_keepalive_timeout = 60000 # Defines the time in milliseconds that an idle connection to
# PostreSQL server will be kept alive.
#pg_ro_host = # Same as `pg_host`, but for the
# read-only connection.
# **Note:** Refer to the documentation
# section above for detailed usage.
#pg_ro_port = <pg_port> # Same as `pg_port`, but for the
# read-only connection.
#pg_ro_timeout = <pg_timeout> # Same as `pg_timeout`, but for the
# read-only connection.
#pg_ro_user = <pg_user> # Same as `pg_user`, but for the
# read-only connection.
#pg_ro_password = <pg_password> # Same as `pg_password`, but for the
# read-only connection.
#pg_ro_database = <pg_database> # Same as `pg_database`, but for the
# read-only connection.
#pg_ro_schema = <pg_schema> # Same as `pg_schema`, but for the
# read-only connection.
#pg_ro_ssl = <pg_ssl> # Same as `pg_ssl`, but for the
# read-only connection.
#pg_ro_ssl_required = <pg_ssl_required>
# Same as `pg_ssl_required`, but for the
# read-only connection.
#pg_ro_ssl_verify = <pg_ssl_verify>
# Same as `pg_ssl_verify`, but for the
# read-only connection.
#pg_ro_ssl_version = <pg_ssl_version>
# Same as `pg_ssl_version`, but for the
# read-only connection.
#pg_ro_max_concurrent_queries = <pg_max_concurrent_queries>
# Same as `pg_max_concurrent_queries`, but for
# the read-only connection.
# Note: read-only concurrency is not shared
# with the main (read-write) connection.
#pg_ro_semaphore_timeout = <pg_semaphore_timeout>
# Same as `pg_semaphore_timeout`, but for the
# read-only connection.
#pg_ro_keepalive_timeout = <pg_keepalive_timeout>
# Same as `pg_keepalive_timeout`, but for the
# read-only connection.
#cassandra_contact_points = 127.0.0.1 # A comma-separated list of contact
# points to your cluster.
# You may specify IP addresses or
# hostnames. Note that the port
# component of SRV records will be
# ignored in favor of `cassandra_port`.
# When connecting to a multi-DC cluster,
# ensure that contact points from the
# local datacenter are specified first
# in this list.
#cassandra_port = 9042 # The port on which your nodes are listening
# on. All your nodes and contact points must
# listen on the same port. Will be created if
# it doesn't exist.
#cassandra_keyspace = kong # The keyspace to use in your cluster.
#cassandra_write_consistency = ONE # Consistency setting to use when
# writing to the Cassandra cluster.
#cassandra_read_consistency = ONE # Consistency setting to use when
# reading from the Cassandra cluster.
#cassandra_timeout = 5000 # Defines the timeout (in ms) for reading
# and writing.
#cassandra_ssl = off # Toggles client-to-node TLS connections
# between Kong and Cassandra.
#cassandra_ssl_verify = off # Toggles server certificate verification if
# `cassandra_ssl` is enabled.
# See the `lua_ssl_trusted_certificate`
# setting to specify a certificate authority.
#cassandra_username = kong # Username when using the
# `PasswordAuthenticator` scheme.
#cassandra_password = # Password when using the
# `PasswordAuthenticator` scheme.
#cassandra_lb_policy = RequestRoundRobin # Load balancing policy to use when
# distributing queries across your
# Cassandra cluster.
# Accepted values are:
# `RoundRobin`, `RequestRoundRobin`,
# `DCAwareRoundRobin`, and
# `RequestDCAwareRoundRobin`.
# Policies prefixed with "Request"
# make efficient use of established
# connections throughout the same
# request.
# Prefer "DCAware" policies if and
# only if you are using a
# multi-datacenter cluster.
#cassandra_local_datacenter = # When using the `DCAwareRoundRobin`
# or `RequestDCAwareRoundRobin` load
# balancing policy, you must specify the name
# of the local (closest) datacenter for this
# Kong node.
#cassandra_refresh_frequency = 60 # Frequency (in seconds) at which
# the cluster topology will be
# checked for new or decommissioned
# nodes.
# A value of `0` will disable this
# check, and the cluster topology
# will never be refreshed.
#cassandra_repl_strategy = SimpleStrategy # When migrating for the first time,
# Kong will use this setting to
# create your keyspace.
# Accepted values are
# `SimpleStrategy` and
# `NetworkTopologyStrategy`.
#cassandra_repl_factor = 1 # When migrating for the first time, Kong
# will create the keyspace with this
# replication factor when using the
# `SimpleStrategy`.
#cassandra_data_centers = dc1:2,dc2:3 # When migrating for the first time,
# will use this setting when using the
# `NetworkTopologyStrategy`.
# The format is a comma-separated list
# made of `<dc_name>:<repl_factor>`.
#cassandra_schema_consensus_timeout = 10000 # Defines the timeout (in ms) for
# the waiting period to reach a
# schema consensus between your
# Cassandra nodes.
# This value is only used during
# migrations.
#declarative_config = # The path to the declarative configuration
# file which holds the specification of all
# entities (Routes, Services, Consumers, etc.)
# to be used when the `database` is set to
# `off`.
# Entities are stored in Kong's in-memory cache,
# so you must ensure that enough memory is
# allocated to it via the `mem_cache_size`
# property. You must also ensure that items
# in the cache never expire, which means that
# `db_cache_ttl` should preserve its default
# value of 0.
# If the Hybrid mode `role` is set to `data_plane`
# and there's no configuration cache file,
# this configuration is used before connecting
# to the Control Plane node as a user-controlled
# fallback.
#declarative_config_string = # The declarative configuration as a string
#------------------------------------------------------------------------------
# DATASTORE CACHE
#------------------------------------------------------------------------------
# In order to avoid unnecessary communication with the datastore, Kong caches
# entities (such as APIs, Consumers, Credentials...) for a configurable period
# of time. It also handles invalidations if such an entity is updated.
# This section allows for configuring the behavior of Kong regarding the
# caching of such configuration entities.
#db_update_frequency = 5 # Frequency (in seconds) at which to check for
# updated entities with the datastore.
# When a node creates, updates, or deletes an
# entity via the Admin API, other nodes need
# to wait for the next poll (configured by
# this value) to eventually purge the old
# cached entity and start using the new one.
#db_update_propagation = 0 # Time (in seconds) taken for an entity in the
# datastore to be propagated to replica nodes
# of another datacenter.
# When in a distributed environment such as
# a multi-datacenter Cassandra cluster, this
# value should be the maximum number of
# seconds taken by Cassandra to propagate a
# row to other datacenters.
# When set, this property will increase the
# time taken by Kong to propagate the change
# of an entity.
# Single-datacenter setups or PostgreSQL
# servers should suffer no such delays, and
# this value can be safely set to 0.
#db_cache_ttl = 0 # Time-to-live (in seconds) of an entity from
# the datastore when cached by this node.
# Database misses (no entity) are also cached
# according to this setting if you do not
# configure `db_cache_neg_ttl`.
# If set to 0 (default), such cached entities
# or misses never expire.
#db_cache_neg_ttl = # Time-to-live (in seconds) of a datastore
# miss (no entity).
# If not specified (default), `db_cache_ttl`
# value will be used instead.
# If set to 0, misses will never expire.
#db_resurrect_ttl = 30 # Time (in seconds) for which stale entities
# from the datastore should be resurrected for
# when they cannot be refreshed (e.g., the
# datastore is unreachable). When this TTL
# expires, a new attempt to refresh the stale
# entities will be made.
#db_cache_warmup_entities = services
# Entities to be pre-loaded from the datastore
# into the in-memory cache at Kong start-up.
# This speeds up the first access of endpoints
# that use the given entities.
# When the `services` entity is configured
# for warmup, the DNS entries for values in
# its `host` attribute are pre-resolved
# asynchronously as well.
# Cache size set in `mem_cache_size` should
# be set to a value large enough to hold all
# instances of the specified entities.
# If the size is insufficient, Kong will log
# a warning.
#------------------------------------------------------------------------------
# DNS RESOLVER
#------------------------------------------------------------------------------
# By default, the DNS resolver will use the standard configuration files
# `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be
# overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if
# they have been set.
# Kong will resolve hostnames as either `SRV` or `A` records (in that order, and
# `CNAME` records will be dereferenced in the process).
# In case a name was resolved as an `SRV` record it will also override any given
# port number by the `port` field contents received from the DNS server.
# The DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will
# be used to expand short names to fully qualified ones. So it will first try
# the entire `SEARCH` list for the `SRV` type, if that fails it will try the
# `SEARCH` list for `A`, etc.
# For the duration of the `ttl`, the internal DNS resolver will loadbalance each
# request it gets over the entries in the DNS record. For `SRV` records the
# `weight` fields will be honored, but it will only use the lowest `priority`
# field entries in the record.
#dns_resolver = # Comma separated list of nameservers, each
# entry in `ip[:port]` format to be used by
# Kong. If not specified the nameservers in
# the local `resolv.conf` file will be used.
# Port defaults to 53 if omitted. Accepts
# both IPv4 and IPv6 addresses.
#dns_hostsfile = /etc/hosts # The hosts file to use. This file is read
# once and its content is static in memory.
# To read the file again after modifying it,
# Kong must be reloaded.
#dns_order = LAST,SRV,A,CNAME # The order in which to resolve different
# record types. The `LAST` type means the
# type of the last successful lookup (for the
# specified name). The format is a (case
# insensitive) comma separated list.
#dns_valid_ttl = # By default, DNS records are cached using
# the TTL value of a response. If this
# property receives a value (in seconds), it
# will override the TTL for all records.
#dns_stale_ttl = 4 # Defines, in seconds, how long a record will
# remain in cache past its TTL. This value
# will be used while the new DNS record is
# fetched in the background.
# Stale data will be used from expiry of a
# record until either the refresh query
# completes, or the `dns_stale_ttl` number of
# seconds have passed.
#dns_cache_size = 10000 # Defines the maximum allowed number of
# DNS records stored in memory cache.
# Least recently used DNS records are discarded
# from cache if it is full. Both errors and
# data are cached, therefore a single name query
# can easily take up 10-15 slots.
#dns_not_found_ttl = 30 # TTL in seconds for empty DNS responses and
# "(3) name error" responses.
#dns_error_ttl = 1 # TTL in seconds for error responses.
#dns_no_sync = off # If enabled, then upon a cache-miss every
# request will trigger its own dns query.
# When disabled multiple requests for the
# same name/type will be synchronised to a
# single query.
#------------------------------------------------------------------------------
# TUNING & BEHAVIOR
#------------------------------------------------------------------------------
#worker_consistency = strict
# Defines whether this node should rebuild its
# state synchronously or asynchronously (the
# balancers and the router are rebuilt on
# updates that affects them, e.g., updates to
# Routes, Services or Upstreams, via the Admin
# API or loading a declarative configuration
# file).
# Accepted values are:
# - `strict`: the router will be rebuilt
# synchronously, causing incoming requests to
# be delayed until the rebuild is finished.
# - `eventual`: the router will be rebuilt
# asynchronously via a recurring background
# job running every second inside of each
# worker.
# Note that `strict` ensures that all workers
# of a given node will always proxy requests
# with an identical router, but that increased
# long tail latency can be observed if
# frequent Routes and Services updates are
# expected.
# Using `eventual` will help preventing long
# tail latency issues in such cases, but may
# cause workers to route requests differently
# for a short period of time after Routes and
# Services updates.
#worker_state_update_frequency = 5
# Defines how often the worker state changes are
# checked with a background job. When a change
# is detected, a new router or balancer will be
# built, as needed. Raising this value will
# decrease the load on database servers and
# result in less jitter in proxy latency, but
# it might take more time to propagate changes
# to each individual worker.
#------------------------------------------------------------------------------
# MISCELLANEOUS
#------------------------------------------------------------------------------
# Additional settings inherited from lua-nginx-module allowing for more
# flexibility and advanced usage.
# See the lua-nginx-module documentation for more information:
# https://github.com/openresty/lua-nginx-module
#lua_ssl_trusted_certificate = # Comma-separated list of paths to certificate
# authority files for Lua cosockets in PEM format.
# The special value `system` attempts to search for the
# "usual default" provided by each distro, according
# to an arbitrary heuristic. In the current implementation,
# The following pathnames will be tested in order,
# and the first one found will be used:
# - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
# - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
# - /etc/ssl/ca-bundle.pem (OpenSUSE)
# - /etc/pki/tls/cacert.pem (OpenELEC)
# - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
# - /etc/ssl/cert.pem (OpenBSD, Alpine)
# If no file is found on any of these paths, an error will
# be raised.
# `system` can be used by itself or in conjunction with other
# CA filepaths.
# When `pg_ssl_verify` or `cassandra_ssl_verify`
# are enabled, these certificate authority files will be
# used for verifying Kong's database connections.
# See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
#lua_ssl_verify_depth = 1 # Sets the verification depth in the server
# certificates chain used by Lua cosockets,
# set by `lua_ssl_trusted_certificate`.
# This includes the certificates configured
# for Kong's database connections.
# If the maximum depth is reached before
# reaching the end of the chain, verification
# will fail. This helps mitigate certificate
# based DoS attacks.
# See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 # Defines the TLS versions supported
# when handshaking with OpenResty's
# TCP cosocket APIs.
# This affects connections made by Lua
# code, such as connections to the
# database Kong uses, or when sending logs
# using a logging plugin. It does *not*
# affect connections made to the upstream
# Service or from downstream clients.
#lua_package_path = ./?.lua;./?/init.lua; # Sets the Lua module search path
# (LUA_PATH). Useful when developing
# or using custom plugins not stored
# in the default search path.
# See https://github.com/openresty/lua-nginx-module#lua_package_path
#lua_package_cpath = # Sets the Lua C module search path
# (LUA_CPATH).
# See https://github.com/openresty/lua-nginx-module#lua_package_cpath
#lua_socket_pool_size = 30 # Specifies the size limit for every cosocket
# connection pool associated with every remote
# server.
# See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size
#enforce_rbac = off # Specifies whether Admin API RBAC is enforced.
# Accepts one of `entity`, `both`, `on`, or
# `off`.
# - `on`: only endpoint-level authorization
# is enforced.
# - `entity`: entity-level authorization
# applies.
# - `both`: enables both endpoint and
# entity-level authorization.
# - `off`: disables both endpoint and
# entity-level authorization.
# When enabled, Kong will deny requests to the
# Admin API when a nonexistent or invalid RBAC
# authorization token is passed, or the RBAC
# user with which the token is associated does
# not have permissions to access/modify the
# requested resource.
#rbac_auth_header = Kong-Admin-Token # Defines the name of the HTTP request
# header from which the Admin API will
# attempt to authenticate the RBAC user.
#event_hooks_enabled = on # When enabled, event hook entities represent a relationship
# between an event (source and event) and an action
# (handler). Similar to web hooks, event hooks can be used to
# communicate Kong Gateway service events. When a particular
# event happens on a service, the event hook calls a URL with
# information about that event. Event hook configurations
# differ depending on the handler. The events that are
# triggered send associated data.
# See: https://docs.konghq.com/enterprise/latest/admin-api/event-hooks/reference/
#------------------------------------------------------------------------------
# KONG MANAGER
#------------------------------------------------------------------------------
# The Admin GUI for Kong Enterprise.
#admin_gui_listen = 0.0.0.0:8002, 0.0.0.0:8445 ssl
# Kong Manager Listeners
# Comma-separated list of addresses and ports on which
# Kong will expose Kong Manager. This web application
# lets you configure and manage Kong, and therefore
# should be kept secured.
# Suffixes can be specified for each pair, similarly to
# the `admin_listen` directive.
#admin_gui_url = # Kong Manager URL
# The lookup, or balancer, address for Kong Manager.
# Accepted format (items in parentheses are optional):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# Examples:
# - `http://127.0.0.1:8003`
# - `https://kong-admin.test`
# - `http://dev-machine/dev-285`
# By default, Kong Manager will use the window request
# host and append the resolved listener port depending
# on the requested protocol.
#admin_gui_ssl_cert = # The absolute path to the SSL certificate for
# `admin_gui_listen` values with SSL enabled.
#admin_gui_ssl_cert_key = # The absolute path to the SSL key for
# `admin_gui_listen` values with SSL enabled.
#admin_gui_flags = {}
# Alters the layout Admin GUI (JSON)
# The only supported value is `{ "IMMUNITY_ENABLED": true }`
# to enable Kong Immunity in the Admin GUI.
#admin_gui_access_log = logs/admin_gui_access.log
# Kong Manager Access Logs
# Here you can set an absolute or relative path for Kong
# Manager access logs. When the path is relative,
# logs are placed in the `prefix` location.
# Setting this value to `off` disables access logs
# for Kong Manager.
#admin_gui_error_log = logs/admin_gui_error.log
# Kong Manager Error Logs
# Here you can set an absolute or relative path for Kong
# Manager access logs. When the path is relative,
# logs are placed in the `prefix` location.
# Setting this value to `off` disables error logs for
# Kong Manager.
# Granularity can be adjusted through the `log_level`
# directive.
#admin_gui_auth = # Kong Manager Authentication Plugin Name
# Secures access to Kong Manager by specifying an
# authentication plugin to use.
# Supported Plugins:
# - `basic-auth`: Basic Authentication plugin
# - `ldap-auth-advanced`: LDAP Authentication plugin
# - `openid-connect`: OpenID Connect Authentication
# plugin
#admin_gui_auth_conf = # Kong Manager Authentication Plugin Config (JSON)
# Specifies the configuration for the authentication
# plugin specified in `admin_gui_auth`.
# For information about Plugin Configuration
# consult the associated plugin documentation.
# Example for `basic-auth`:
# `admin_gui_auth_conf = { "hide_credentials": true }`
#admin_gui_auth_password_complexity = # Kong Manager Authentication Password Complexity (JSON)
# When `admin_gui_auth = basic-auth`, this property defines
# the rules required for Kong Manager passwords. Choose
# from preset rules or write your own.
# Example using preset rules:
# `admin_gui_auth_password_complexity = { "kong-preset": "min_8" }`
# All values for kong-preset require the password to contain
# characters from at least three of the following categories:
# 1. Uppercase characters (A through Z)
# 2. Lowercase characters (a through z)
# 3. Base-10 digits (0 through 9)
# 4. Special characters (for example, &, $, #, %)
# Supported preset rules:
# - `min_8`: minimum length of 8
# - `min_12`: minimum length of 12
# - `min_20`: minimum length of 20
# To write your own rules, see
# https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.
# NOTE: Only keywords "min", "max" and "passphrase" are supported.
# Example:
# `admin_gui_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#admin_gui_session_conf = # Kong Manager Session Config (JSON)
# Specifies the configuration for the Session plugin as
# used by Kong Manager.
# For information about plugin configuration, consult
# the Kong Session plugin documentation.
# Example:
# ```
# admin_gui_session_conf = { "cookie_name": "kookie", \
# "secret": "changeme" }
# ```
#admin_gui_auth_header = Kong-Admin-User
# Defines the name of the HTTP request header from which
# the Admin API will attempt to identify the Kong Admin
# user.
#admin_gui_auth_login_attempts = 0
# Number of times a user can attempt to login to Kong
# Manager. 0 means infinite attempts allowed.
#admin_gui_header_txt = # Kong Manager Header Text
# Sets text for Kong Manager Header Banner. Header Banner
# is not shown if this config is empty.
#admin_gui_header_bg_color = # Kong Manager Header Background Color
# Sets background color for Kong Manager Header Banner
# Accepts css color keyword, #-hexadecimal or rgb
# format. Invalid values are ignored by Manager.
#admin_gui_header_txt_color = # Kong Manager Header Text Color
# Sets text color for Kong Manager Header Banner.
# Accepts css color keyword, #-hexadecimal or rgb
# format. Invalid values are ignored by Kong Manager.
#admin_gui_footer_txt = # Kong Manager Footer Text
# Sets text for Kong Manager Footer Banner. Footer Banner
# is not shown if this config is empty
#admin_gui_footer_bg_color = # Kong Manager Footer Background Color
# Sets background color for Kong Manager Footer Banner.
# Accepts css color keyword, #-hexadecimal or rgb
# format. Invalid values are ignored by Manager.
#admin_gui_footer_txt_color = # Kong Manager Footer Text Color
# Sets text color for Kong Manager Footer Banner.
# Accepts css color keyword, #-hexadecimal or rgb
# format. Invalid values are ignored by Kong Manager.
#admin_gui_login_banner_title = # Kong Manager Login Banner Title Text
# Sets title text for Kong Manager Login Banner.
# Login Banner is not shown if both
# `admin_gui_login_banner_title` and
# `admin_gui_login_banner_body` are empty.
#admin_gui_login_banner_body = # Kong Manager Login Banner Body Text
# Sets body text for Kong Manager Login Banner.
# Login Banner is not shown if both
# `admin_gui_login_banner_title` and
# `admin_gui_login_banner_body` are empty.
#------------------------------------------------------------------------------
# VITALS
#------------------------------------------------------------------------------
#vitals = on # When enabled, Kong will store and report
# metrics about its performance.
# When running Kong in a multi-node setup,
# `vitals` entails two separate meanings
# depending on the node.
# On a Proxy-only node, `vitals` determines
# whether to collect data for Vitals.
# On an Admin-only node, `vitals` determines
# whether to display Vitals metrics and
# visualizations on the dashboard.
#vitals_strategy = database # Determines whether to use the Kong database
# (either PostgreSQL or Cassandra, as defined
# by the `database` config value above), or a
# separate storage engine, for Vitals metrics.
# Accepted values are `database`, `prometheus`,
# or `influxdb`.
#vitals_tsdb_address = # Defines the host and port of the TSDB server
# to which Vitals data is written and read.
# This value is only applied when the
# `vitals_strategy` option is set to
# `prometheus` or `influxdb`. This value
# accepts IPv4, IPv6, and hostname values.
# If the `vitals_strategy` is set to
# `prometheus`, this value determines the
# address of the Prometheus server from which
# Vitals data will be read. For `influxdb`
# strategies, this value controls both the read
# and write source for Vitals data.
#vitals_tsdb_user = # Influxdb user
#vitals_tsdb_password = # Influxdb password
#vitals_statsd_address = # Defines the host and port (and an optional
# protocol) of the StatsD server to which
# Kong should write Vitals metics. This value
# is only applied when the `vitals_strategy` is
# set to `prometheus`. This value accepts IPv4,
# IPv6, and, hostnames. Additionally, the suffix
# `tcp` can be specified; doing so will result
# in Kong sending StatsD metrics via TCP
# instead of the UDP (default).
#vitals_statsd_prefix = kong # Defines the prefix value attached to all
# Vitals StatsD events. This prefix is useful
# when writing metrics to a multi-tenant StatsD
# exporter or server.
#vitals_statsd_udp_packet_size = 1024 # Defines the maximum buffer size in
# which Vitals statsd metrics will be
# held and sent in batches.
# This value is defined in bytes.
#vitals_prometheus_scrape_interval = 5 # Defines the scrape_interval query
# parameter sent to the Prometheus
# server when reading Vitals data.
# This should be same as the scrape
# interval (in seconds) of the
# Prometheus server.
#------------------------------------------------------------------------------
# DEVELOPER PORTAL
#------------------------------------------------------------------------------
#portal = off
# Developer Portal Switch
# When enabled:
# Kong will expose the Dev Portal interface and
# read-only APIs on the `portal_gui_listen` address,
# and endpoints on the Admin API to manage assets.
# When enabled along with `portal_auth`:
# Kong will expose management endpoints for developer
# accounts on the Admin API and the Dev Portal API.
#portal_gui_listen = 0.0.0.0:8003, 0.0.0.0:8446 ssl
# Developer Portal GUI Listeners
# Comma-separated list of addresses on which Kong will
# expose the Developer Portal GUI. Suffixes can be
# specified for each pair, similarly to
# the `admin_listen` directive.
#portal_gui_protocol = http
# Developer Portal GUI protocol
# The protocol used in conjunction with
# `portal_gui_host` to construct the lookup, or balancer
# address for your Kong Proxy nodes.
# Examples: `http`,`https`
#portal_gui_host = 127.0.0.1:8003
# Developer Portal GUI host
# The host used in conjunction with
# `portal_gui_protocol` to construct the lookup,
# or balancer address for your Kong Proxy nodes.
# Examples:
# - `<IP>:<PORT>`
# -> `portal_gui_host = 127.0.0.1:8003`
# - `<HOSTNAME>`
# -> `portal_gui_host = portal_api.domain.tld`
# - `<HOSTNAME>/<PATH>`
# -> `portal_gui_host = dev-machine/dev-285`
#portal_cors_origins = # Developer Portal CORS Origins
# A comma separated list of allowed domains for
# `Access-Control-Allow-Origin` header. This can be used to
# resolve CORS issues in custom networking environments.
# Examples:
# - list of domains:
# `portal_cors_origins = http://localhost:8003, https://localhost:8004`
# - single domain:
# `portal_cors_origins = http://localhost:8003`
# - all domains:
# `portal_cors_origins = *`
# NOTE: In most cases, the Developer Portal is able to derive
# valid CORS origins by using `portal_gui_protocol`, `portal_gui_host`,
# and if applicable, `portal_gui_use_subdomains`. In these cases,
# `portal_cors_origins` is not needed and can remain unset.
#portal_gui_use_subdomains = off
# Developer Portal GUI subdomain toggle
# By default Kong Portal uses the first namespace in
# the request path to determine workspace. By turning
# `portal_gui_subdomains` on, Kong Portal will expect
# workspace to be included in the request url as a subdomain.
# Example (off):
# - `<scheme>://<HOSTNAME>/<WORKSPACE>/<PATH>` ->
# `http://kong-portal.com/example-workspace/index`
# Example (on):
# - `<scheme>://<WORKSPACE>.<HOSTNAME>` ->
# `http://example-workspace.kong-portal.com/index`
#portal_gui_ssl_cert = # Developer Portal GUI SSL Certificate
# The absolute path to the SSL certificate for
# `portal_gui_listen` values with SSL enabled.
#portal_gui_ssl_cert_key = # Developer Portal GUI SSL Certificate Key
# The absolute path to the SSL key for
# `portal_gui_listen` values with SSL enabled.
#portal_gui_access_log = logs/portal_gui_access.log
# Developer Portal GUI Access Log location
# Here you can set an absolute or relative path for your
# Portal GUI access logs.
# Setting this value to `off` will disable logging
# Portal GUI access logs.
# When using relative pathing, logs will be placed under
# the `prefix` location.
#portal_gui_error_log = logs/portal_gui_error.log
# Developer Portal GUI Error Log location
# Here you can set an absolute or relative path for your
# Portal GUI error logs.
# Setting this value to `off` will disable logging
# Portal GUI error logs.
# When using relative pathing, logs will be placed under
# the `prefix` location.
# Granularity can be adjusted through the `log_level`
# directive.
#portal_api_listen = 0.0.0.0:8004, 0.0.0.0:8447 ssl
# Developer Portal API Listeners
# Comma-separated list of addresses on which Kong will
# expose the Developer Portal API. Suffixes can be
# specified for each pair, similarly to
# the `admin_listen` directive.
#portal_api_url = # Developer Portal API URL
# The lookup, or balancer, address for your Developer
# Portal nodes.
# This value is commonly used in a microservices
# or service-mesh oriented architecture.
# `portal_api_url` is the address on which your
# Kong Dev Portal API is accessible by Kong. You
# should only set this value if your Kong Dev Portal API
# lives on a different node than your Kong Proxy.
# Accepted format (parts in parenthesis are optional):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# Examples:
# - `<scheme>://<IP>:<PORT>`
# -> `portal_api_url = http://127.0.0.1:8003`
# - `SSL <scheme>://<HOSTNAME>`
# -> `portal_api_url = https://portal_api.domain.tld`
# - `<scheme>://<HOSTNAME>/<PATH>`
# -> `portal_api_url = http://dev-machine/dev-285`
# By default this value points to the local interface:
# - `http://0.0.0.0:8004`
#portal_api_ssl_cert = # Developer Portal API SSL Certificate
# The absolute path to the SSL certificate for
# `portal_api_listen` values with SSL enabled.
#portal_api_ssl_cert_key = # Developer Portal API SSL Certificate Key
# The absolute path to the SSL key for
# `portal_api_listen` values with SSL enabled.
#portal_api_access_log = logs/portal_api_access.log
# Developer Portal API Access Log location
# Here you can set an absolute or relative path for your
# Portal API access logs.
# Setting this value to `off` will disable logging
# Portal API access logs.
# When using relative pathing, logs will be placed under
# the `prefix` location.
#portal_api_error_log = logs/portal_api_error.log
# Developer Portal API Error Log location
# Here you can set an absolute or relative path for your
# Portal API error logs.
# Setting this value to `off` will disable logging
# Portal API error logs.
# When using relative pathing, logs will be placed under
# the `prefix` location.
# Granularity can be adjusted through the `log_level`
# directive.
#portal_is_legacy = off
# Developer Portal legacy support
# Setting this value to `on` will cause all new
# portals to render using the legacy rendering system by default.
# Setting this value to `off` will cause all new
# portals to render using the current rendering system.
#portal_app_auth = kong-oauth2
# Developer Portal application registration
# auth provider and strategy. Must be set to enable
# application_registration plugin
# Currently accepts kong-oauth2 or external-oauth2
#------------------------------------------------------------------------------
# DEFAULT DEVELOPER PORTAL AUTHENTICATION
#------------------------------------------------------------------------------
# Referenced on workspace creation to set Dev Portal authentication defaults
# in the database for that particular workspace.
#portal_auth = # Developer Portal Authentication Plugin Name
# Specifies the authentication plugin
# to apply to your Developer Portal. Developers
# will use the specified form of authentication
# to request access, register, and login to your
# Developer Portal.
# Supported Plugins:
# - Basic Authentication: `portal_auth = basic-auth`
# - OIDC Authentication: `portal_auth = openid-connect`
#portal_auth_password_complexity = # Kong Portal Authentication Password Complexity (JSON)
# When portal_auth = basic-auth, this property defines
# the rules required for Kong Portal passwords. Choose
# from preset rules or write your own.
# Example using preset rules:
# `portal_auth_password_complexity = { "kong-preset": "min_8" }`
# All values for kong-preset require the password to contain
# characters from at least three of the following categories:
# 1. Uppercase characters (A through Z)
# 2. Lowercase characters (a through z)
# 3. Base-10 digits (0 through 9)
# 4. Special characters (for example, &, $, #, %)
# Supported preset rules:
# - `min_8`: minimum length of 8
# - `min_12`: minimum length of 12
# - `min_20`: minimum length of 20
# To write your own rules, see
# https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.
# NOTE: Only keywords "min", "max" and "passphrase" are supported.
# Example:
# `portal_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#portal_auth_conf = # Developer Portal Authentication Plugin Config (JSON)
# Specifies the plugin configuration object
# in JSON format to be applied to your Developer
# Portal authentication.
# For information about Plugin Configuration
# consult the associated plugin documentation.
# Example for `basic-auth`:
# `portal_auth_conf = { "hide_credentials": true }`
#portal_auth_login_attempts = 0
# Number of times a user can attempt to login to the
# Dev Portal before password must be reset.
# 0 (default) means infinite attempts allowed.
# Note: Any value greater than 0 will only affect
# Dev Portals secured with basic-auth.
#portal_session_conf = # Portal Session Config (JSON)
# Specifies the configuration for the
# Session plugin as used by Kong Portal.
# For information about Plugin Configuration consult
# the Kong Session Plugin documentation.
# Example:
# ```
# portal_session_conf = { "cookie_name": "portal_session", \
# "secret": "changeme", \
# "storage": "kong" }
# ```
#portal_auto_approve = off
# Developer Portal Auto Approve Access
# When this flag is set to `on`, a developer will
# automatically be marked as "approved" after completing
# registration. Access can still be revoked through the
# Admin GUI or API.
#portal_token_exp = 21600
# Duration in seconds for the expiration of portal
# login reset/account validation token.
#portal_email_verification = off
# Portal Developer Email Verification.
# When enabled Developers will receive an email upon
# registration to verify their account. Developers will
# not be able to use the Developer Portal until they
# verify their account.
# Note: SMTP must be turned on in order to use this feature.
#------------------------------------------------------------------------------
# DEFAULT PORTAL SMTP CONFIGURATION
#------------------------------------------------------------------------------
# Referenced on workspace creation to set SMTP defaults in the database
# for that particular workspace.
#portal_invite_email = on
# Enable or disable portal_invite_email
#portal_access_request_email = on
# Enable or disable portal_access_request_email
#portal_approved_email = on
# Enable or disable portal_approved_email
#portal_reset_email = on
# Enable or disable portal_reset_email
#portal_reset_success_email = on
# Enable or disable portal_reset_success_email
#portal_application_status_email = off
# When enabled, developers will receive an email
# when the status changes for their appliciation
# service requests.
# When disabled, developers will still be able
# to view the status in their developer portal
# application page.
# The email looks like the following:
# ```
# Subject: Dev Portal application request <REQUEST_STATUS> (<DEV_PORTAL_URL>)
# Hello Developer,
# We are emailing you to let you know that your request for application access from the
# Developer Portal account at <DEV_PORTAL_URL> is <REQUEST_STATUS>.
# Application: <APPLICATION_NAME>
# Service: <SERVICE_NAME>
# You will receive another email when your access has been approved.
# ```
#portal_application_request_email = off
# When enabled, Kong admins specified by `smtp_admin_emails`
# will receive an email when a developer requests access
# to service through an application.
# When disabled, Kong admins will have to manually check
# the Kong Manager to view any requests.
# By default, `smtp_admin_emails` will be the recipients.
# This can be overriden by `portal_smtp_admin_emails`,
# which can be set dynamically per workspace through
# the Admin API.
# The email looks like the following:
# ```
# Subject: Request to access Dev Portal (<DEV_PORTAL_URL>) service from <DEVELOPER_EMAIL>
# Hello Admin,
# <DEVELOPER NAME> (<DEVELOPER_EMAIL>) has requested application access for <DEV_PORTAL_URL>.
# Requested workspace: <WORKSPACE_NAME>
# Requested application: <APPLICATION_NAME>
# Requested service: <SERVICE_NAME>
# Please visit <KONG_MANAGER_URL/WORKSPACE_NAME/applications/APPLICATION_ID#requested> to review this request.
# ```
#portal_emails_from = # The name and email address for the `From` header
# for portal emails
# Example:
# `portal_emails_from = Your Name <example@example.com>`
# Note: Some SMTP servers will not use
# this value, but instead insert the email and name
# associated with the account.
#portal_emails_reply_to = # Email address for the `Reply-To` header for
# portal emails
# Example:
# `portal_emails_reply_to = example@example.com`
# Note: Some SMTP servers will not use
# this value, but instead insert the email
# associated with the account.
#portal_smtp_admin_emails =
# Comma separated list of admin emails to receive
# portal notifications. Can be dynamically set per
# workspace through the Admin API.
# If not set, `smtp_admin_emails` will be used.
# Example `admin1@example.com, admin2@example.com`
#------------------------------------------------------------------------------
# ADMIN SMTP CONFIGURATION
#------------------------------------------------------------------------------
#admin_emails_from = "" # The email address for the `From` header
# for admin emails.
#admin_emails_reply_to = # Email address for the `Reply-To` header
# for admin emails.
#admin_invitation_expiry = 259200 # Expiration time for the admin invitation link
# (in seconds). 0 means no expiration.
# Example, 72 hours: `72 * 60 * 60 = 259200`
#------------------------------------------------------------------------------
# GENERAL SMTP CONFIGURATION
#------------------------------------------------------------------------------
#smtp_mock = on # This flag will mock the sending of emails. This can be
# used for testing before the SMTP client is fully
# configured.
#smtp_host = localhost
# The hostname of the SMTP server to connect to.
#smtp_port = 25
# The port number on the SMTP server to connect to.
#smtp_starttls = off
# When set to `on`, STARTTLS is used to encrypt
# communication with the SMTP server. This is normally
# used in conjunction with port 587.
#smtp_username = # Username used for authentication with SMTP server
#smtp_password = # Password used for authentication with SMTP server
#smtp_ssl = off
# When set to `on`, SMTPS is used to encrypt
# communication with the SMTP server. This is normally
# used in conjunction with port 465.
#smtp_auth_type = # The method used to authenticate with the SMTP server
# Valid options are `plain`, `login`, or `nil`
#smtp_domain = localhost.localdomain
# The domain used in the `EHLO` connection and part of
# the `Message-ID` header
#smtp_timeout_connect = 60000
# The timeout (in milliseconds) for connecting to the
# SMTP server.
#smtp_timeout_send = 60000
# The timeout (in milliseconds) for sending data to the
# SMTP server.
#smtp_timeout_read = 60000
# The timeout (in milliseconds) for reading data from
# the SMTP server.
#smtp_admin_emails = # Comma separated list of admin emails to receive
# notifications.
# Example `admin1@example.com, admin2@example.com`
#-------------------------------------------------------------------------------
# DATA & ADMIN AUDIT
#-------------------------------------------------------------------------------
# When enabled, Kong will store detailed audit data regarding Admin API and
# database access. In most cases, updates to the database are associated with
# Admin API requests. As such, database object audit log data is tied to a
# given HTTP via a unique identifier, providing built-in association of Admin
# API and database traffic.
#audit_log = off # When enabled, Kong will log information about
# Admin API access and database row insertions,
# updates, and deletes.
#audit_log_ignore_methods = # Comma-separated list of HTTP methods that
# will not generate audit log entries. By
# default, all HTTP requests will be logged.
#audit_log_ignore_paths = # Comma-separated list of request paths that
# will not generate audit log entries. By
# default, all HTTP requests will be logged.
#audit_log_ignore_tables = # Comma-separated list of database tables that
# will not generate audit log entries. By
# default, updates to all database tables will
# be logged (the term "updates" refers to the
# creation, update, or deletion of a row).
#audit_log_payload_exclude = token, secret, password
# Comma-separated list of keys that will be
# filtered out of the payload. Keys that were
# filtered will be recorded in the audit log.
#audit_log_record_ttl = 2592000 # Length, in seconds, of the TTL for audit log
# records. Records in the database older than
# their TTL are automatically purged.
# Example, 30 days: `30 * 24 * 60 * 60 = 2592000`
#audit_log_signing_key = # Defines the path to a private RSA signing key
# that can be used to insert a signature of
# audit records, adjacent to the record. The
# corresponding public key should be stored
# offline, and can be used the validate audit
# entries in the future. If this value is
# undefined, no signature will be generated.
#-------------------------------------------------------------------------------
# GRANULAR TRACING
#-------------------------------------------------------------------------------
# Granular tracing offers a mechanism to expose metrics and detailed debug data
# about the lifecycle of Kong in a human- or machine-consumable format.
#tracing = off # When enabled, Kong will generate granular
# debug data about various portions of the
# request lifecycle, such as DB or DNS queries,
# plugin execution, core handler timing, etc.
#tracing_write_strategy = file # Defines how Kong will write tracing data at
# the conclusion of the request. The default
# option, `file`, writes a human-readable
# depiction of tracing data to a configurable
# location on the node's file system. Other
# strategies write tracing data as a JSON
# document to the configured endpoint. Valid
# entries for this option are `file`,
# `file_raw`, `http`, `tcp`, `tls`, and `udp`.
#tracing_write_endpoint = # Defines the endpoint to which tracing data
# will be written.
# - For the `file` and `file_raw` tracing write
# strategies, this value must be a valid
# location on the node's file system to which
# Kong must have write access.
# - For the `tcp`, `tls`, and
# `udp` strategies, this value is defined as a
# string in the form of:
# `<HOST>:<PORT>`
# - For the `http` strategy, this value is
# defined in the form of:
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# Traces sent via HTTP are delivered via POST
# method with an `application/json`
# Content-Type.
#tracing_time_threshold = 0 # The minimum time, in microseconds, over which
# a trace must execute in order to write the
# trace data to the configured endpoint. This
# configuration can be used to lower the noise
# present in trace data by removing trace
# objects that are not interesting from a
# timing perspective. The default value of `0`
# removes this limitation, causing traces of
# any duration to be written.
#tracing_types = all # Defines the types of traces that are written.
# Trace types not defined in this list are
# ignored, regardless of their lifetime. The
# default special value of `all` results in all
# trace types being written, regardless of type.
# The following trace types are included:
# - `query`: trace the database query
# - `legacy_query`: (deprecated) trace the
# database query with legacy DAO
# - `router`: trace Kong routing the request;
# internal routing time
# - `balancer`: trace the execution of the overall
# balancer phase
# - `balancer.getPeer`: trace Kong selecting an
# upstream peer from the ring-balancer
# - `balancer.toip`: trace balancer to resolve
# peer's host to IP
# - `connect.toip`: trace cosocket to resolve
# target's host to IP
# - `access.before`: trace the preprocessing of
# access phase, like parameter parsing, route
# matching, and balance preparation
# - `access.after`: trace the postprocess of
# access phase, like balancer execution and
# internal variable assigning
# - `cassandra_iterate`: trace Cassandra driver to
# paginate over results
# - `plugin`: trace plugins phase handlers
#tracing_debug_header = # Defines the name of the HTTP request header
# that must be present in order to generate
# traces within a request. Setting this value
# provides a mechanism to selectively generate
# request traces at the client's request. Note
# that the value of the header does not matter,
# only that the header is present in the
# request. When this value is not set and
# tracing is enabled, Kong will generate trace
# data for all requests flowing through the
# proxy and Admin API. Note that data from
# certificate handling phases is not logged
# when this setting is enabled.
#generate_trace_details = off # When enabled, Kong will write context-
# specific details into traces. Trace details
# offer more data about the context of the
# trace. This can significantly increase the
# size of trace reports. Note also that trace
# details may contain potentially sensitive
# information, such as raw SQL queries; care
# should be taken to store traces properly when
# this option is enabled.
#-------------------------------------------------------------------------------
# ROUTE COLLISION DETECTION/PREVENTION
# -------------------------------------------------------------------------------
#route_validation_strategy = smart # The strategy used to validate
# routes when creating or updating them.
# Different strategies are available to tune
# how to enforce splitting traffic of
# workspaces.
# - `smart` is the default option and uses the
# algorithm described in
# https://docs.konghq.com/enterprise/latest/admin-api/workspaces/examples/#important-note-conflicting-services-or-routes-in-workspaces
# - `off` disables any check
# - `path` enforces routes to comply with the pattern
# described in config enforce_route_path_pattern
#enforce_route_path_pattern = # Specifies the Lua pattern which will
# be enforced on the `paths` attribute of a
# Route object. You can also add a placeholder
# for the workspace in the pattern, which
# will be rendered during runtime based on the
# workspace to which the `route` belongs.
# This setting is only relevant if
# `route_validation_strategy` is set to `path`.
# Example
# For Pattern `/$(workspace)/v%d/.*` valid paths
# are:
# 1. `/group1/v1/` if route belongs to
# workspace `group1`.
# 2. `/group2/v1/some_path` if route belongs to
# workspace `group2`.
#-------------------------------------------------------------------------------
# DATABASE ENCRYPTION & KEYRING MANAGEMENT
#-------------------------------------------------------------------------------
# When enabled, Kong will transparently encrypt sensitive fields, such as Consumer
# credentials, TLS private keys, and RBAC user tokens, among others. A full list
# of encrypted fields is available from the Kong Enterprise documentation site.
# Encrypted data is transparently decrypted before being displayed to the Admin
# API or made available to plugins or core routing logic.
# While this feature is GA, do note that we currently do not provide normal semantic
# versioning compatibility guarantees on the keyring feature's APIs in that Kong may
# make a breaking change to the feature in a minor version. Also note that
# mis-management of keyring data may result in irrecoverable data loss.
#keyring_enabled = off # When enabled, Kong will encrypt sensitive
# field values before writing them to the
# database, and subsuquently decrypt them when
# retrieving data for the Admin API, Developer
# Portal, or proxy business logic. Symmetric
# encryption keys are managed based on the
# strategy defined below.
#keyring_strategy = cluster # Defines the strategy implementation by which
# Kong nodes will manage symmetric encryption
# keys. Please see the Kong Enterprise
# documentation for a detailed description of
# each strategies. Acceptable values for this
# option are 'cluster' and 'vault'.
#keyring_public_key = # Defines the filesystem path at which the
# public key of an RSA keypair resides. This
# keypair is used for symmetric keyring import/
# export, e.g., for disaster recovery and
# optional bootstrapping.
#keyring_private_key = # Defines the filesystem path at which the
# private key of an RSA keypair resides. This
# keypair is used for symmetric keyring import/
# export, e.g., for disaster recovery and
# optional bootstrapping.
#keyring_blob_path = # Defines the filesystem path at which Kong
# will backup the initial keyring material.
# This option is useful largely for development
# purposes.
#keyring_vault_host = # Defines the Vault host at which Kong will
# fetch the encryption material. This value
# should be defined in the format:
# `<scheme>://<IP / HOSTNAME>:<PORT>`
#keyring_vault_mount = # Defines the name of the Vault v2 KV secrets
# engine at which symmetric keys are found.
#keyring_vault_path = # Defines the names of the Vault v2 KV path
# at which symmetric keys are found.
#keyring_vault_token = # Defines the token value used to communicate
# with the v2 KV Vault HTTP(S) API.
#untrusted_lua = sandbox
# Controls loading of Lua functions from admin-supplied
# sources such as the Admin API. LuaJIT bytecode
# loading is always disabled.
# **Warning:** LuaJIT is not designed as a secure
# runtime for running malicious code, therefore
# you should properly protect your Admin API endpoint
# even with sandboxing enabled. The sandbox only
# provides protection against trivial attackers or
# unintentional modification of the Kong global
# environment.
# Accepted values are: `off`, `sandbox`, or
# `on`:
# * `off`: Disallow loading of any arbitrary
# Lua functions. The `off` option
# disables any functionality that runs
# arbitrary Lua code, including the
# Serverless Functions plugins and any
# transformation plugin that allows
# custom Lua functions.
# * `sandbox`: Allow loading of Lua functions,
# but use a sandbox when executing
# them. The sandboxed function has
# restricted access to the global
# environment and only has access
# to standard Lua functions that
# will generally not cause harm to
# the Kong Gateway node.
# * `on`: Functions have unrestricted
# access to the global environment and
# can load any Lua modules. This is
# similar to the behavior in
# Kong Gateway prior to 2.3.0.
# The default `sandbox` environment does not
# allow importing other modules or libraries,
# or executing anything at the OS level (for
# example, file read/write). The global
# environment is also not accessible.
# Examples of `untrusted_lua = sandbox`
# behavior:
# * You can't access or change global values
# such as `kong.configuration.pg_password`
# * You can run harmless lua:
# `local foo = 1 + 1`. However, OS level
# functions are not allowed, like:
# `os.execute('rm -rf /*')`.
# For a full allowed/disallowed list, see:
# https://github.com/kikito/sandbox.lua/blob/master/sandbox.lua
# To customize the sandbox environment, use
# the `untrusted_lua_sandbox_requires` and
# `untrusted_lua_sandbox_environment`
# parameters below.
#untrusted_lua_sandbox_requires = # Comma-separated list of modules allowed to
# be loaded with `require` inside the
# sandboxed environment. Ignored
# if `untrusted_lua` is not `sandbox`.
# For example, say you have configured the
# Serverless pre-function plugin and it
# contains the following `requires`:
# ```
# local template = require "resty.template"
# local split = require "kong.tools.utils".split
# ```
# To run the plugin, add the modules to the
# allowed list:
# ```
# untrusted_lua_sandbox_requires = resty.template, kong.tools.utils
# ```
# **Warning:** Allowing certain modules may
# create opportunities to escape the
# sandbox. For example, allowing `os` or
# `luaposix` may be unsafe.
#untrusted_lua_sandbox_environment = # Comma-separated list of global Lua
# variables that should be made available
# inside the sandboxed environment. Ignored
# if `untrusted_lua` is not `sandbox`.
# **Warning**: Certain variables, when made
# available, may create opportunities to
# escape the sandbox.
以下是谷歌翻译的
# ----------
# Kong 配置文件
# ----------
# 此文件中显示的注释掉的设置代表默认值。
# 使用 `kong start` 或 `kong prepare` 时读取此文件。孔
# 使用此文件中指定的设置生成 Nginx 配置。
# 所有以 `KONG_` 为前缀且大写的环境变量都会被覆盖
# 此文件中指定的设置。
# 例子:
# `log_level` 设置 -> `KONG_LOG_LEVEL` 环境变量
# 布尔值可以指定为 `on`/`off` 或 `true`/`false`。
# 列表必须指定为逗号分隔的字符串。
# 此文件中的所有注释都可以安全删除,包括
# 注释掉的属性。
# 您可以使用 `kong check <conf>` 验证设置的完整性。
#------------------------------------------------ -----------------------------------------
# 一般的
#------------------------------------------------ -----------------------------------------
#prefix = /usr/local/kong/ # 工作目录。相当于Nginx的
# 前缀路径,包含临时文件
# 和日志。
# 每个Kong进程必须有一个单独的
# 工作目录。
#log_level = notice # Nginx 服务器的日志级别。日志是
# 在 `<prefix>/logs/error.log` 找到。
# 查看 http://nginx.org/en/docs/ngx_core_module.html#error_log 获取列表
# 接受值。
#proxy_access_log = logs/access.log #代理端口请求访问路径
# 日志。将此值设置为 `off` 以
# 禁用记录代理请求。
# 如果这个值是相对路径,
# 它将被放置在
# `前缀`位置。
#proxy_error_log = logs/error.log # 代理端口请求错误的路径
# 日志。这些日志的粒度
# 由 `log_level` 调整
# 财产。
#proxy_stream_access_log = logs/access.log basic # tcp流代理端口访问路径
# 日志。将此值设置为 `off` 以
# 禁用记录代理请求。
# 如果这个值是相对路径,
# 它将被放置在
# `前缀`位置。
# `basic` 定义为 `'$remote_addr [$time_local] '
# '$protocol $status $bytes_sent $bytes_received '
#'$session_time'`
#proxy_stream_error_log = logs/error.log # tcp 流代理端口请求错误的路径
# 日志。这些日志的粒度
# 由 `log_level` 调整
# 财产。
#admin_access_log = logs/admin_access.log # Admin API 请求访问的路径
# 日志。如果启用混合模式
# 并且当前节点设置为
# 控制平面,然后是
# 来自数据平面的连接请求
# 也被写入这个文件
# 服务器名称“kong_cluster_listener”。
# 将此值设置为 `off` 以
# 禁用记录管理 API 请求。
# 如果这个值是相对路径,
# 它将被放置在
# `前缀`位置。
#admin_error_log = logs/error.log # Admin API 请求错误的路径
# 日志。这些日志的粒度
# 由 `log_level` 调整
# 财产。
#status_access_log = off #Status API 请求访问的路径
# 日志。 `off` 的默认值
# 暗示此 API 的日志记录
# 默认禁用。
# 如果这个值是相对路径,
# 它将被放置在
# `前缀`位置。
#status_error_log = logs/status_error.log #Status API 请求错误的路径
# 日志。这些日志的粒度
# 由 `log_level` 调整
# 财产。
#vaults = bundled # 此节点的 Vault 的逗号分隔列表
# 应该加载。默认情况下,所有捆绑的
# 保险库已启用。
# 指定的名称将被替换为
# 这样在 Lua 命名空间中:
# `kong.vaults.{name}.*`。
#plugins = bundled # 逗号分隔的插件列表这个节点
# 应该加载。默认情况下,只有插件
# 捆绑在官方发行版中的是
# 通过 `bundled` 关键字加载。
# 加载插件不会启用它
# 默认,但仅指示 Kong 加载其
# 源代码,并允许配置
# 插件通过各种相关的 Admin API
# 端点。
# 指定的名称将被替换为
# 这样在 Lua 命名空间中:
# `kong.plugins.{name}.*`.
# 当 `off` 关键字被指定为
# 只有值,不会加载任何插件。
# `bundled` 和插件名称可以混用
# 一起,如以下示例所示:
# - `plugins = bundled,custom-auth,custom-log`
# 将包括捆绑的插件加上两个
# 自定义的
# - `plugins = custom-auth,custom-log` 将
# *仅*包括 `custom-auth` 和
# `custom-log` 插件。
# - `plugins = off` 将不包含任何
# **注意:** Kong 将不会启动,如果一些
# 插件先前已配置(即
# 在数据库中有行)并且没有
# 在此列表中指定。在禁用之前
# 插件,确保它的所有实例都是
# 在重启 Kong 之前删除。
# **注意:** 限制可用数量
# 插件可以改善 P99 延迟
# 在数据库中体验 LRU 搅动
# 缓存(即当配置
# `mem_cache_size`) 已满。
#pluginserver_names = # 以逗号分隔的插件服务器名称列表
# 进程。实际名称用于
# 记录消息并关联实际设置。
#pluginserver_XXX_socket = <prefix>/<XXX>.socket # unix socket 的路径
# 由 <XXX> 插件服务器使用。
#pluginserver_XXX_start_cmd = /usr/local/bin/<XXX> #完整的命令(包括
# 任何需要的参数)到
# 启动 <XXX> 插件服务器
#pluginserver_XXX_query_cmd = /usr/local/bin/query_<XXX> #“查询”的完整命令
# <XXX> 插件服务器。应该
# 生成一个 JSON
# 转储所有插件的信息
#port_maps = # 有了这个配置参数,你可以
# 让 Kong 从
# 数据包转发给它。这个
# 在运行 Kong 时相当常见
# 容器化或虚拟化环境。
# 例如,`port_maps=80:8000, 443:8443`
# 指示 Kong 映射了 80 端口
# 到 8000(以及端口 443 到 8443),其中
# 8000 和 8443 是 Kong 所在的端口
# 这个参数帮助Kong设置一个合适的
# 转发上游 HTTP 请求头或到
# 使用 Kong PDK 获取正确的转发端口
# (如果有其他方法确定它有
# 失败的)。它通过目的地改变路由
# 端口通过一个端口路由数据包
# 转发给 Kong,同样它
# 将默认插件日志序列化程序更改为
# 根据这个映射使用端口
# 而不是报告端口 Kong 是
#anonymous_reports = on # 发送错误等匿名使用数据
# 堆栈跟踪以帮助改进 Kong。
#------------------------------------------------ -----------------------------------------
# 混合模式
#------------------------------------------------ -----------------------------------------
#role = traditional # 使用此设置启用混合模式,
# 这允许运行一些 Kong 节点
# 具有数据库的控制平面角色和
# 让他们提供配置更新
# 到其他节点运行到 DB-less 运行
# 数据平面角色。
# 此设置的有效值为:
# - `traditional`:不要使用混合模式。
# - `control_plane`: 这个节点运行在一个
# 控制平面角色。它可以使用数据库
# 并将提供配置更新
# 到数据平面节点。
# - `data_plane`:这是一个数据平面节点。
# 它运行 DB-less 并接收配置
# 从控制平面节点更新。
#cluster_mtls = shared # 设置节点间的验证
# 此设置的有效值为:
# - `shared`:使用共享证书/密钥
# 用 `cluster_cert` 指定的对
# 和 `cluster_cert_key` 设置。
# 注意 CP 和 DP 节点必须存在
# 建立mTLS的同一个证书
# 连接。
# - `pki`:使用`cluster_ca_cert`,
# `cluster_server_name` 和 `cluster_cert`
# 进行验证。
# 这些是每个不同的证书
# DP 节点,但由集群范围内发布
# 通用 CA 证书:`cluster_ca_cert`。
# - `pki_check_cn`: 类似于 `pki` 但另外
# 检查数据平面证书的通用名称
# 在 `cluster_allowed_common_names` 中指定。
#cluster_cert = # 要使用的集群证书的文件名
# 建立安全通信时
# 在控制和数据平面节点之间。
# 你可以使用 `kong hybrid` 命令来
# 生成证书/密钥对。
# 在`shared`模式下,必须相同
# 所有节点。在 `pki` 模式下
# 应该是每个不同的证书
#DP节点。
#cluster_cert_key = # 集群证书密钥的文件名
# 建立安全通信时使用
#c之间控制和数据平面节点。
# 你可以使用 `kong hybrid` 命令来
# 生成证书/密钥对。
# 在`shared`模式下,必须相同
# 所有节点。在 `pki` 模式下
# 应该是每个不同的证书
#DP节点。
#cluster_ca_cert = # PEM 中受信任的 CA 证书文件
# 用于控制平面验证的格式
# Data Plane的证书和Data Plane
# 验证控制平面的证书。
# 如果是 `cluster_mtls`,则在数据平面上是必需的
# 设置为`pki`。
# 如果控制平面证书颁发
# 由知名 CA,用户可以设置
# `lua_ssl_trusted_certificate=system`
# 在数据平面上并将此字段留空。
# 如果 `cluster_mtls` 是,则忽略此字段
# 设置为“共享”。
#cluster_allowed_common_names = # 允许的通用名称列表
# 连接到控制平面。多个条目可能
# 以逗号分隔的字符串形式提供。没有的时候
# 设置,具有相同父域的数据平面
# 控制平面证书允许连接。
# 如果 `cluster_mtls` 是,则忽略此字段
# 未设置为 `pki_check_cn`。
#------------------------------------------------ -----------------------------------------
# 混合模式数据平面
#------------------------------------------------ -----------------------------------------
#cluster_server_name = # TLS的SNI中使用的服务器名称
# 从 DP 节点到 CP 节点的连接。
# 必须与通用名称 (CN) 或主题匹配
# 在 CP 中找到备用名称 (SAN)
# 证书。
# 如果 `cluster_mtls` 设置为
# `shared`,这个设置被忽略并且
# 使用了`kong_clustering`。
#cluster_control_plane = # 仅供数据平面节点使用:
# 控制平面节点的地址 from
# 将获取哪些配置更新,
# 以 `host:port` 格式。
#cluster_telemetry_endpoint = # 仅供数据平面节点使用:
# 控制平面节点的遥测地址
# 遥测更新将发布到哪个
# 以 `host:port` 格式。
#data_plane_config_cache_mode = 未加密
# 数据平面可以将其配置存储到文件系统
# 作为备份,以防节点重新启动或重新加载
# 更快地使节点进入配置状态或
# case 连接到控制平面时出现问题。
# 这个参数可以用来控制行为。
# 仅供数据平面节点使用:
# `unencrypted` = 存储未加密的配置缓存
# `encrypted` = 存储配置缓存加密
# `off` = 不存储配置缓存
#data_plane_config_cache_path = # 默认存储未加密的配置缓存
# 使用文件名 `config.cache.json.gz` 的 Kong `prefix`。
# 默认存储加密的配置缓存
# 使用文件名 `.config.cache.jwt` 的 Kong `prefix`
# 或者你可以指定配置缓存的路径
# 带有这个参数,例如`/tmp/kong-config-cache`。
#------------------------------------------------ -----------------------------------------
# 混合模式控制平面
#------------------------------------------------ -----------------------------------------
#cluster_listen = 0.0.0.0:8005
# 逗号分隔的地址和端口列表
# 集群控制平面服务器应该监听哪个
# 用于数据平面连接。
# 控制平面的集群通信端口
# 必须可以被所有数据平面访问
# 在同一个集群中。此端口受 mTLS 保护
# 确保端到端的安全性和完整性。
# 如果 `role` 没有设置为
# `控制平面`。
# 记录到此端点的连接
# 到与管理 API 访问日志相同的位置。
# 更多信息见 `admin_access_log` 配置描述
# 信息。
#cluster_telemetry_listen = 0.0.0.0:8006
# 逗号分隔的地址和端口列表
# 集群控制平面服务器应该监听哪个
# 用于数据平面遥测连接。
# 控制平面的集群通信端口
# 必须可以被所有数据平面访问
# 在同一个集群中。
# 如果 `role` 没有设置为
# `控制平面`。
#cluster_data_plane_purge_delay = 1209600
# 从一个 DP 节点开始必须经过多少秒
# 在其条目被删除之前变为脱机状态
# 来自数据库,由
# /clustering/data-planes 管理 API 端点。
# 这是为了防止集群数据平面表
# 无限增长。默认设置为
# 14 天。也就是说,如果 CP 没有收到 DP 的消息
# 14 天,它的条目将被删除。
#cluster_ocsp = 关闭
# 是否检查DP的撤销状态
# 使用 OCSP(在线证书状态协议)的证书。
# 如果启用,DP 证书应该包含
#“证书颁发机构信息访问”扩展
# 以及 OCSP 响应者的 URI 的 OCSP 方法
# 可以从 CP 到达。
# OCSP 检查只在 CP 节点上进行,它没有
# 对 DP 节点的影响。
# 此设置的有效值为:
# - `on`: 启用 OCSP 撤销检查和 DP
# 必须通过检查才能建立
# 与 CP 的连接。
# - `off`: OCSP 撤销检查被禁用。
# - `optional`:将尝试 OCSP 吊销检查,
# 但是,如果所需的扩展名不是
# 在 DP 提供的证书中找到
# 或与 OCSP 响应者通信
# 失败,那么 DP 仍然允许通过。
#cluster_max_payload = 4194304
# 这设置允许的最大有效负载大小
# 在混合模式下从 CP 发送到 DP
# 默认是4Mb - 4 * 1024 * 1024 由于历史原因
#------------------------------------------------ -----------------------------------------
#NGINX
#------------------------------------------------ -----------------------------------------
#proxy_listen = 0.0.0.0:8000 重用端口积压 = 16384,0.0.0.0:8443 http2 ssl 重用端口积压 = 16384
# 逗号分隔的地址和端口列表
# 代理服务器应该监听哪个
# HTTP/HTTPS 流量。
# 代理服务器是Kong的公共入口点,
# 代理从你的消费者到你的流量
#后端服务。此值接受 IPv4、IPv6 和
# 主机名。
# 可以为每一对指定一些后缀:
# - `ssl` 将要求建立所有连接
# 通过使用 TLS 的特定地址/端口
# 启用。
# - `http2` 将允许客户端打开 HTTP/2
# 连接到 Kong 的代理服务器。
# - `proxy_protocol` 将启用
# 给定地址/端口的代理协议。
# - `延迟`
指示使用延迟接受
# Linux(TCP_DEFER_ACCEPT 套接字选项)。
# - `bind` 指示进行单独的 bind() 调用
# 对于给定的地址:端口对。
# - `reuseport` 指示创建一个个体
# 监听每个工作进程的套接字
# 允许内核更好地分配传入的
# 工作进程之间的连接
# - `backlog=N` 设置队列的最大长度
# 挂起的 TCP 连接数。这个数字应该
# 不能太小以防客户端
# 看到“连接被拒绝”错误连接到
# 一个繁忙的 Kong 实例。
# **注意:** 在 Linux 上,此值受
# 设置 `net.core.somaxconn` 内核参数。
# 为了让这里设置的较大的 `backlog`
# 效果需要提升
# `net.core.somaxconn` 同时匹配或
# 超过 `backlog` 数量集。
# 这个值可以设置为 `off`,从而禁用
# 此节点的 HTTP/HTTPS 代理端口。
# 如果 stream_listen 也设置为 `off`,则启用
# 此节点的“控制平面”模式
# (其中所有流量代理功能
# 禁用)。该节点只能用于
# 配置Kong集群
# 个节点连接到同一数据存储。
# 例子:
# `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl`
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
# 用于对此接受的格式的描述
# 和其他 `*_listen` 值。
# 见 https://www.nginx.com/resources/admin-guide/proxy-protocol/
# 有关 `proxy_protocol` 的更多详细信息
# 范围。
# 并非所有 `*_listen` 值都接受所有格式
# 在 nginx 的文档中指定。
#proxy_url = # Kong 代理 URL
# Kong 代理节点的查找或平衡器地址。
# 这个值是微服务中常用的
# 或面向服务网格的架构。
# 接受的格式(括号中的部分是可选的):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# 例子:
# - `<scheme>://<IP>:<PORT>` -> `proxy_url = http://127.0.0.1:8000`
# - `SSL <scheme>://<HOSTNAME>` -> `proxy_url = https://proxy.domain.tld`
# - `<scheme>://<HOSTNAME>/<PATH>` -> `proxy_url = http://dev-machine/dev-285`
# 默认情况下,Kong Manager 和 Kong Portal 将使用
# 窗口请求主机并附加已解析的
# 侦听器端口取决于请求的协议。
#stream_listen = 关闭
# 逗号分隔的地址和端口列表
# 流模式应该听哪个。
# 此值接受 IPv4、IPv6 和主机名。
# 可以为每一对指定一些后缀:
# - `ssl` 将要求建立所有连接
# 通过使用 TLS 的特定地址/端口
# 启用。
# - `proxy_protocol` 将启用
# 给定地址/端口的代理协议。
# - `bind` 指示进行单独的 bind() 调用
# 对于给定的地址:端口对。
# - `reuseport` 指示创建一个个体
# 监听每个工作进程的套接字
# 允许内核更好地分配传入的
# 工作进程之间的连接
# - `backlog=N` 集队列的最大长度
# 挂起的 TCP 连接数。这个数字应该
# 不能太小以防客户端
# 看到“连接被拒绝”错误连接到
# 一个繁忙的 Kong 实例。
# **注意:** 在 Linux 上,此值受
# 设置 `net.core.somaxconn` 内核参数。
# 为了让这里设置的较大的 `backlog`
# 效果需要提升
# `net.core.somaxconn` 同时匹配或
# 超过 `backlog` 数量集。
# 例子:
#stream_listen = 127.0.0.1:7000 重用端口积压 = 16384
# stream_listen = 0.0.0.0:989 重用端口积压 = 65536, 0.0.0.0:20
#stream_listen = [::1]:1234 backlog=16384
# 默认情况下,此值设置为 `off`,因此
# 禁用此节点的流代理端口。
# 见 http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen
# 对于 Kong 可能在 stream_listen 中接受的格式的描述。
#admin_api_uri = # 组成的 URI 的分层部分
# 可选的主机、端口和路径
# Admin API 接受 HTTP 或 HTTPS 流量。什么时候
# 此配置已禁用,Kong Manager 将
# 使用窗口协议 + 主机并附加
# 解析 admin_listen HTTP/HTTPS 端口。
#admin_listen = 127.0.0.1:8001 重用端口积压=16384, 127.0.0.1:8444 http2 ssl 重用端口积压=16384
# 逗号分隔的地址和端口列表
# Admin 界面应该监听哪个。
# Admin 界面是 API,允许您
# 配置和管理Kong。
# 访问这个接口应该是*restricted*
# 仅限 Kong 管理员*。这个值接受
# IPv4、IPv6 和主机名。
# 可以为每一对指定一些后缀:
# - `ssl` 将要求建立所有连接
# 通过使用 TLS 的特定地址/端口
# 启用。
# - `http2` 将允许客户端打开 HTTP/2
# 连接到 Kong 的代理服务器。
# - `proxy_protocol` 将启用
# 给定地址/端口的代理协议。
# - `deferred` 指示使用延迟接受
# Linux(TCP_DEFER_ACCEPT 套接字选项)。
# - `bind` 指示进行单独的 bind() 调用
# 对于给定的地址:端口对。
# - `reuseport` 指示创建一个个体
# 监听每个工作进程的套接字
# 允许内核更好地分配传入的
# 工作进程之间的连接
# - `backlog=N` 设置队列的最大长度
# 挂起的 TCP 连接数。这个数字应该
# 不能太小以防客户端
# 看到“连接被拒绝”错误连接到
# 一个繁忙的 Kong 实例。
# **注意:** 在 Linux 上,此值受
# 设置 `net.core.somaxconn` 内核参数。
# 为了让这里设置的较大的 `backlog`
# 效果需要提升
# `net.core.somaxconn` 同时匹配或
# 超过 `backlog` 数量集。
# 这个值可以设置为 `off`,从而禁用
# 此节点的管理界面,启用
# 'data-plane' 模式(无需配置
# 能力) 拉动其配置更改
# 来自数据库。
# 示例:`admin_listen = 127.0.0.1:8444 http2 ssl`
#status_listen = off # 逗号分隔的地址和端口列表 on# Status API 应该监听哪个。
# Status API 是一个只读端点
# 允许监控工具检索指标,
# 健康状况和其他非敏感信息
# 当前 Kong 节点。
# 可以为每对指定以下后缀:
# - `ssl` 将要求建立所有连接
# 通过使用 TLS 的特定地址/端口
# 启用。
# 这个值可以设置为 `off`,禁用
# 此节点的状态 API。
# 示例:`status_listen = 0.0.0.0:8100`
#nginx_user = kong kong # 定义用户和组使用的凭据
# 工作进程。如果省略 group,则
# 名称与用户名相同的组是
# 用过的。
# 示例:`nginx_user = nginx www`
# **注意**:如果 `kong` 用户和 `kong`
# 组不可用,默认用户
# 和组凭据将是
# `没人没人`。
#nginx_worker_processes = auto #确定工作进程的数量
# 由 Nginx 生成。
# 见 http://nginx.org/en/docs/ngx_core_module.html#worker_processes
# 等价Nginx的详细用法
# 指令和接受的描述
#nginx_daemon = on #判断Nginx是否会作为守护进程运行
# 或作为前台进程。主要有用
# 用于开发或在内部运行 Kong
# 一个 Docker 环境。
# 参见 http://nginx.org/en/docs/ngx_core_module.html#daemon。
#mem_cache_size = 128m # 两个内存缓存的大小
# 用于数据库实体。接受的单位是
# `k` 和 `m`,最小推荐值为
# 几MB。
# **注意**:由于此选项控制两个的大小
# 不同的缓存条目,Kong的总内存
# 用于缓存实体的可能是这个值的两倍。
#ssl_cipher_suite = intermediate # 定义 Nginx 提供的 TLS 密码。
# 接受的值为 `modern`,
# `intermediate`、`old`、`fips` 或 `custom`。
# 见 https://wiki.mozilla.org/Security/Server_Side_TLS
# 每个密码的详细描述
#套房。 `fips` 密码套件如中所述
# https://wiki.openssl.org/index.php/FIPS_mode_and_TLS。
#ssl_ciphers = # 定义一个自定义的 TLS 密码列表
# 由 Nginx 提供服务。此列表必须符合
# 由 `openssl ciphers` 定义的模式。
# 如果 `ssl_cipher_suite`,则忽略此值
# 不是“自定义”。
#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
# 启用指定的协议
# 客户端连接。该组
# 支持的协议版本也取决于
# 关于OpenSSL Kong的版本
# 和。如果出现此值,则忽略此值
# `ssl_cipher_suite` 不是 `custom`。
# 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
#ssl_prefer_server_ciphers = on # 指定服务器密码应该是
# 使用时优先于客户端密码
# SSLv3 和 TLS 协议。这个值是
# 如果 `ssl_cipher_suite` 不是 `custom`,则忽略。
## 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
#ssl_dhparam = # 定义 DHE 密码的 DH 参数
# 预定义组:`ffdhe2048`、`ffdhe3072`、
# `ffdhe4096`、`ffdhe6144`、`ffdhe8192`,或
# 从绝对路径到参数文件。
# 如果 `ssl_cipher_suite`,则忽略此值
# 是“现代”或“中级”。原因是
# `modern` 没有需要这个的密码,
# 和 `intermediate` 使用 `ffdhe2048`。
# 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#ssl_session_tickets = on # 启用或禁用会话恢复
# TLS 会话票证。这在以下情况下没有影响
# 与 TLSv1.3 一起使用。
# Kong 默认启用此功能以提高性能
# 原因,但它具有安全隐患:
# https://github.com/mozilla/server-side-tls/issues/135
# 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#ssl_session_timeout = 1d # 指定客户端可以使用的时间
# 重用会话参数。看原理:
# https://github.com/mozilla/server-side-tls/issues/198
# 见 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
#ssl_cert = # 以逗号分隔的证书绝对路径列表
# 启用 TLS 的 `proxy_listen` 值。
# 如果指定了多个证书,可以用来提供
# 将提供的替代证书类型(例如,ECC 证书)
# 给支持他们的客户。注意正确使用ECC证书服务,
# 建议也将 `ssl_cipher_suite` 设置为
# `现代`或`中级`。
# 除非明确设置此选项,Kong 将自动生成
# 一对默认证书(RSA + ECC)首次启动并使用
# 它用于服务 TLS 请求。
#ssl_cert_key = # 以逗号分隔的密钥绝对路径列表
# 启用 TLS 的 `proxy_listen` 值。
# 如果为 `ssl_cert` 指定了多个证书,则此
# 选项应包含所有证书的相应密钥
# 以相同的顺序提供。
# 除非明确设置此选项,Kong 将自动生成
# 一对默认私钥(RSA + ECC)首次启动并使用
# 它用于服务 TLS 请求。
#client_ssl = off # 确定 Nginx 是否应该尝试发送客户端
# TLS 证书并执行双向 TLS 身份验证
# 代理请求时使用上游服务。
#client_ssl_cert = # 如果启用了 `client_ssl`,则绝对
# `proxy_ssl_certificate` 指令的客户端证书路径。
# 这个值可以被 `client_certificate` 动态覆盖
# `Service` 对象的属性。
#client_ssl_cert_key = # 如果启用了 `client_ssl`,则绝对
# `proxy_ssl_certificate_key` 指令的客户端 TLS 密钥的路径。
# 这个值可以被 `client_certificate` 动态覆盖
# `Service` 对象的属性。
#admin_ssl_cert = # 以逗号分隔的证书绝对路径列表
# 启用 TLS 的 `admin_listen` 值。
## 有关详细用法,请参阅 `ssl_cert` 的文档。
#admin_ssl_cert_key = # 以逗号分隔的密钥绝对路径列表
# 启用 TLS 的 `admin_listen` 值。
# 有关详细用法,请参阅 `ssl_cert_key` 的文档。
#status_ssl_cert = # 以逗号分隔的证书绝对路径列表
# 启用 TLS 的 `status_listen` 值。
# 有关详细用法,请参阅 `ssl_cert` 的文档。
#status_ssl_cert_key = # 以逗号分隔的密钥绝对路径列表
# 启用 TLS 的 `status_listen` 值。
# 有关详细用法,请参阅 `ssl_cert_key` 的文档。
#headers = server_tokens,latency_tokens
# 逗号分隔的标头列表 Kong 应该
# 注入客户端响应。
# 接受的值为:
# - `Server`: 注入`Server: kong/x.y.z`
# 关于 Kong 产生的响应(例如 Admin
# API,拒绝来自身份验证插件的请求)。
# - `Via`: 注入`Via: kong/x.y.z` for
# 成功代理请求。
# - `X-Kong-Proxy-Latency`: 花费的时间
# (以毫秒为单位) 由 Kong 处理
# 一个请求并在之前运行所有插件
# 代理上游请求。
# - `X-Kong-Response-Latency`:花费的时间
# (以毫秒为单位) 由 Kong 生成
# 在例如的情况下的响应插入
# 使请求短路,或者在
# 如果出现错误。
# - `X-Kong-Upstream-Latency`: 花费的时间
#(以毫秒为单位)由上游
# 发送响应头的服务。
# - `X-Kong-Admin-Latency`: 花费的时间
# (以毫秒为单位) 由 Kong 处理
# 一个管理 API 请求。
# - `X-Kong-Upstream-Status`: HTTP 状态
# 上游服务返回的代码。
# 这对客户特别有用
# 区分上游状态,如果
# 响应被插件重写。
# - `server_tokens`: 与指定两者相同
# `Server` 和 `Via`。
# - `latency_tokens`:与指定相同
# `X-Kong-Proxy-Latency`,
# `X-Kong-Response-Latency`,
# `X-Kong-Admin-Latency` 和
# `X-Kong-Upstream-Latency`
# 除此之外,还可以设置这个值
# 到 `off`,防止 Kong 注入
# 以上任何标题。请注意,这
# 不阻止插件注入
#他们自己的标题。
# 示例:`headers = via,latency_tokens`
#trusted_ips = # 定义受信任的 IP 地址块
# 已知发送正确的 `X-Forwarded-*`
# 标题。
# 来自受信任 IP 的请求使 Kong 转发
# 上游的 `X-Forwarded-*` 标头。
# 不可信的请求让 Kong 插入它的
# 自己的 `X-Forwarded-*` 标头。
# 这个属性还设置了
# Nginx 中的 `set_real_ip_from` 指令
# 配置。它接受相同类型的
# 值(CIDR 块)但作为
# 逗号分隔的列表。
# 要信任 *all* /!\ IP,请将此值设置为# `0.0.0.0/0,::/0`。
# 如果指定了特殊值`unix:`,
# 所有 UNIX 域套接字都将被信任。
# 见 http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
# 接受值的例子。
#real_ip_header = X-Real-IP #定义请求头域,其值
# 将用于替换客户端地址。
# 这个值设置 `ngx_http_realip_module`
# Nginx 中的同名指令
# 配置。
# 如果这个值接收到 `proxy_protocol`:
# - 至少一个 `proxy_listen` 条目
# 必须有 `proxy_protocol` 标志
# 启用。
# - `proxy_protocol` 参数将是
# 附加到 `listen` 指令的后面
# Nginx 模板。
# 见 http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
# 该指令的描述。
#real_ip_recursive = off # 这个值设置 `ngx_http_realip_module`
# Nginx 中的同名指令
# 配置。
# 见 http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
# 该指令的描述。
#error_default_type = text/plain # 请求时使用的默认 MIME 类型
# `Accept` 标头丢失和 Nginx
# 正在为请求返回错误。
# 接受的值为 `text/plain`,
# `text/html`、`application/json` 和
# `应用程序/xml`。
#upstream_keepalive_pool_size = 60 #设置upstream的默认大小
#keepalive 连接池。
# 上游keepalive连接池
# 由`dst ip/dst 分割
# port/SNI` 连接的属性。
# `0` 值将禁用上游
# 默认情况下保持连接,强制
# 每个上游请求打开一个新的
# 联系。
#upstream_keepalive_max_requests = 100 # 设置默认最大请求数
# 请求可以被上游代理
# 通过一个keepalive连接。
# 最大请求数之后
# 达到,连接将是
# 值 `0` 将禁用此功能
# 行为和保持连接
# 可以用来代理一个不定的
# 请求数。
#upstream_keepalive_idle_timeout = 60 # 设置默认超时时间(以秒为单位)
# 上游的keepalive
# 连接应该保持打开。什么时候
# 超时时间到达,而
# 连接没有被重用,它
# 将被关闭。
# 值 `0` 将禁用此功能
# 行为,和一个空闲的保活
# 连接可能保持打开状态
# 无限期。
#------------------------------------------------ -----------------------------------------
# NGINX 注入指令
#------------------------------------------------ -----------------------------------------
# Nginx 指令可以动态注入到运行时的 nginx.conf 文件中
# 无需自定义 Nginx 配置模板。
# 所有关于命名方案的配置属性
# `nginx_<namespace>_<directive>` 将导致 `<directive>` 被注入# 对应属性的`<namespace>`的Nginx配置块。
# 例子:
# `nginx_proxy_large_client_header_buffers = 8 24k`
# 将在 Kong 的代理 `server {}` 块中注入以下指令:
# `large_client_header_buffers 8 24k;`
# 支持以下命名空间:
# - `nginx_main_<directive>`: 在 Kong 的配置中注入 `<directive>`
# `main` 上下文。
# - `nginx_events_<directive>`:在 Kong 的 `events {}` 中注入 `<directive>`
# 堵塞。
# - `nginx_http_<directive>`:在 Kong 的 `http {}` 块中注入 `<directive>`。
# - `nginx_proxy_<directive>`: 在 Kong 的代理中注入 `<directive>`
# `server {}` 块。
# - `nginx_upstream_<directive>`: 在 Kong 的代理中注入 `<directive>`
# `上游{}`块。
# - `nginx_admin_<directive>`: 在 Kong 的 Admin API 中注入 `<directive>`
# `server {}` 块。
# - `nginx_status_<directive>`:在 Kong 的 Status API 中注入 `<directive>`
# `server {}` 块(仅在启用 `status_listen` 时有效)。
# - `nginx_stream_<directive>`: 在 Kong 的流模块中注入 `<directive>`
# `stream {}` 块(仅在启用 `stream_listen` 时有效)。
# - `nginx_sproxy_<directive>`: 在 Kong 的流模块中注入 `<directive>`
# `server {}` 块(仅在启用 `stream_listen` 时有效)。
# - `nginx_supstream_<directive>`: 在 Kong 的流中注入 `<directive>`
# 模块`上游{}`块。
# 与其他配置属性一样,Nginx 指令可以通过
# 环境变量大写并以 `KONG_` 为前缀。
# 例子:
# `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`
# 将在 Kong 的 `http {}` 块中注入以下指令:
# `ssl_protocols <值>;`
# 如果代理和管理 API 之间需要不同的协议集
# 服务器,你可以指定 `nginx_proxy_ssl_protocols` 和/或
# `nginx_admin_ssl_protocols`,两者都优先于
# `http {}` 块。
#nginx_main_worker_rlimit_nofile = 自动
# 更改打开文件的最大数量限制
# 用于工作进程。
# `auto` 的特殊和默认值设置这个
# 为 `ulimit -n` 的值,上限限制为
#16384 作为防止过度使用内存的措施。
# 见 http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
#nginx_events_worker_connections = 自动
# 设置最大并发数
# 可以由工作进程打开的连接。
# `auto` 的特殊和默认值设置这个
# 为 `ulimit -n` 的值,上限限制为
#16384 作为防止过度使用内存的措施。
# 见 http://nginx.org/en/docs/ngx_core_module.html#worker_connections
#nginx_http_client_header_buffer_size = 1k # 设置读取缓冲区大小
# 客户端请求头。
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
#nginx_http_large_client_header_buffers = 4 8k #设置最大数量和
# 使用的缓冲区大小
# 读取大客户
# 请求标头。
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
#nginx_http_client_max_body_size = 0 #定义最大请求体大小
# 被 Kong 代理的请求所允许,
# 在 Content-Length 请求中指定
# 标题。如果请求超过此
# 限制,Kong 会返回 413
# (请求的实体太大)。环境
# 此值为 0 禁用检查
# 请求正文大小。
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
#nginx_admin_client_max_body_size = 10m # 定义最大请求体大小
# 管理 API。
#nginx_http_client_body_buffer_size = 8k # 定义读取的缓冲区大小
# 请求正文。如果客户端# 请求体大于这个
# 值,body 将被缓冲到
#磁盘。请注意,当身体
# 缓冲到磁盘,Kong 插件
# 访问或操作请求
# body 可能不起作用,所以它是
# 建议将此值设置为高
# 尽可能(例如,将其设置为高
# as `client_max_body_size` 强制
# 请求要保存的主体
# 记忆)。请注意
# 高并发环境将
# 需要大量内存
# 分配处理许多
# 并发大型请求体。
# 见 http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
#nginx_admin_client_body_buffer_size = 10m #定义读取的缓冲区大小
# Admin API 上的请求正文。
#nginx_http_lua_regex_match_limit = 100000 # PCRE 的全局 `MATCH_LIMIT`
# 正则表达式匹配。 `100000` 的默认值应确保
# 在最坏的情况下,Kong 执行的任何正则表达式都可以在
# 大约 2 秒。
#------------------------------------------------ -----------------------------------------
# 数据存储
#------------------------------------------------ -----------------------------------------
# Kong 可以与数据库一起运行,以将 Kong 节点之间的协调数据存储在
# 一个集群,或者没有数据库,每个节点都存储它的信息
# 在内存中独立。
# 当使用数据库时,Kong 将存储其所有实体的数据(例如
# 路由、服务、消费者和插件)在 Cassandra 或 PostgreSQL 中,
# 并且属于同一个集群的所有Kong节点必须自己连接
# 到同一个数据库。
# Kong 支持以下数据库版本:
# - **PostgreSQL**:9.5 及更高版本。
# - **Cassandra**:2.2 及更高版本。
# 当不使用数据库时,Kong 处于“DB-less 模式”:它将保持
# 它在内存中的实体,每个节点都需要通过一个
# 声明式配置文件,可以通过
# `declarative_config` 属性,或通过使用 `/config` 的 Admin API
# 使用 Postgres 作为后端存储时,可以选择启用 Kong
# 提供来自单独数据库实例的读取查询。
# 当代理数量很大时,这样可以大大减少负载
# 在主 Postgres 实例上实现更好的可扩展性。它也可能
# 如果 Kong 代理节点延迟到主节点,则减少延迟抖动
# Postgres 实例很高。
# 只读的 Postgres 实例只服务于读查询和写
# 查询仍会转到主连接。只读 Postgres 实例
# 在从主目录复制更改时可以最终保持一致
# 实例。
# 至少需要 `pg_ro_host` 配置来启用此功能。
# 默认情况下,只读连接的所有其他数据库配置都是
# 继承自上述相应的主连接配置,但是
# 可以选择使用下面的 `pg_ro_*` 配置显式覆盖。
#database = postgres # 确定是 PostgreSQL 还是 Cassandra
# 此节点将用作其数据存储。
# 接受的值为 `postgres`,
# `cassandra` 和 `off`。
#pg_host = 127.0.0.1 # Postgres 服务器的主机。
#pg_port = 5432 # Postgres 服务器的端口。
#pg_timeout = 5000 # 定义超时时间(以毫秒为单位),用于连接,
# 读写。
#pg_user = kong # Postgres 用户。
#pg_password = # Postgres 用户的密码。
#pg_database = kong # 要连接的数据库名称。
#pg_schema = # 要使用的数据库模式。如果未指定,
# Kong 将尊重 `search_path` 的值
# 你的 PostgreSQL 实例。
#pg_ssl = off # 切换客户端-服务器 TLS 连接
# 在 Kong 和 PostgreSQL 之间。
# 因为 PostgreSQL 为 TLS 使用相同的端口
# 和非 TLS,这只是一个提示。如果
# 服务器不支持t TLS,已建立的
# 连接将是一个普通的连接。
#pg_ssl_version = tlsv1 # 在 Kong 和 PostgreSQL 之间使用 ssl 时,
# 要使用的 tls 版本。可接受的值为
# `tlsv1`、`tlsv1_2` 或 `tlsv1_3`。
#pg_ssl_required = off # 当 `pg_ssl` 开启时,这决定了是否
# Kong 和 PostgreSQL 之间必须使用 TLS。
# 如果服务器这样做,它将中止连接
# 不支持 SSL 连接。
#pg_ssl_verify = off # 切换服务器证书验证,如果
# `pg_ssl` 已启用。
# 查看`lua_ssl_trusted_certificate`
# 设置指定证书颁发机构。
#pg_ssl_cert = # PEM 编码客户端的绝对路径
# PostgreSQL 连接的 TLS 证书。
# 双向 TLS 身份验证
# PostgreSQL 仅在设置此值时启用。
#pg_ssl_cert_key = # 如果设置了 `pg_ssl_cert`,则绝对路径
# PEM 编码的客户端 TLS 私钥
# PostgreSQL 连接。
#pg_max_concurrent_queries = 0 # 设置最大并发查询数
# 可以在任何给定时间执行。这个
# 每个工作进程都强制执行限制;这
# 并发查询总数
# 节点将是:
# `pg_max_concurrent_queries * nginx_worker_processes`。
# 默认值 0 去掉这个
# 并发限制。
#pg_semaphore_timeout = 60000 # 定义超时时间(以毫秒为单位),之后
# PostgreSQL 查询信号量资源
# 次获取尝试将失败。这样的
# 失败通常会导致
# 关联的代理或管理 API 请求
# 失败并返回 HTTP 500 状态码。
# 这个行为的详细讨论是
# 在在线文档中可用。
#pg_keepalive_timeout = 60000 # 定义空闲连接到的时间(以毫秒为单位)
# PostreSQL 服务器将保持活动状态。
#pg_ro_host = # 与 `pg_host` 相同,但对于
# 只读连接。
# **注意:** 参考文档
#以上部分了解详细用法。
#pg_ro_port = <pg_port> # 与 `pg_port` 相同,但对于
# 只读连接。
#pg_ro_timeout = <pg_timeout> # 与 `pg_timeout` 相同,但对于
# 只读连接。
#pg_ro_user = <pg_user> # 和 `pg_user` 一样,但是对于
# 只读连接。
#pg_ro_password = <pg_password> # 和 `pg_password` 一样,但是对于
# 只读连接。
#pg_ro_database = <pg_database> # 和 `pg_database` 一样,但是对于
# 只读连接。
#pg_ro_schema = <pg_schema> # 和 `pg_schema` 一样,但是对于
# 只读连接。
#pg_ro_ssl = <pg_ssl> # 和 `pg_ssl` 一样,但是对于
# 只读连接。
#pg_ro_ssl_required = <pg_ssl_required>
# 与 `pg_ssl_required` 相同,但对于
# 只读连接。
#pg_ro_ssl_verify = <pg_ssl_verify>
# 与 `pg_ssl_verify` 相同,但对于
# 只读连接。
#pg_ro_ssl_version = <pg_ssl_version>
# 与 `pg_ssl_version` 相同,但对于
# 只读连接。
#pg_ro_max_concurrent_queries = <pg_max_concurrent_queries>
# 与 `pg_max_concurrent_queries` 相同,但对于
# 只读连接。
# 注意:只读并发不共享
# 与主(读写)连接。
#pg_ro_semaphore_timeout = <pg_semaphore_timeout>
# 与 `pg_semaphore_timeout` 相同,但对于
# r只读连接。
#pg_ro_keepalive_timeout = <pg_keepalive_timeout>
# 与 `pg_keepalive_timeout` 相同,但对于
# 只读连接。
#cassandra_contact_points = 127.0.0.1 # 逗号分隔的联系人列表
# 指向你的集群。
# 您可以指定 IP 地址或
# 主机名。注意端口
# SRV 记录的组成部分将是
# 忽略以支持 `cassandra_port`。
# 连接多DC集群时,
# 确保接触点从
# 首先指定本地数据中心
# 在这个列表中。
#cassandra_port = 9042 # 节点监听的端口
# 上。您的所有节点和接触点必须
# 监听同一个端口。将被创建,如果
# 它不存在。
#cassandra_keyspace = kong # 在集群中使用的密钥空间。
#cassandra_write_consistency = ONE # 何时使用的一致性设置
# 写入 Cassandra 集群。
#cassandra_read_consistency = ONE # 何时使用的一致性设置
# 从 Cassandra 集群中读取。
#cassandra_timeout = 5000 # 定义读取的超时时间(以毫秒为单位)
# 和写作。
#cassandra_ssl = off # 切换客户端到节点的 TLS 连接
# 在 Kong 和 Cassandra 之间。
#cassandra_ssl_verify = off # 切换服务器证书验证,如果
# `cassandra_ssl` 已启用。
# 查看`lua_ssl_trusted_certificate`
# 设置指定证书颁发机构。
#cassandra_username = kong # 使用时的用户名
# `PasswordAuthenticator` 方案。
#cassandra_password = # 使用时的密码
# `PasswordAuthenticator` 方案。
#cassandra_lb_policy = RequestRoundRobin # 何时使用负载均衡策略
# 将查询分布在你的
# Cassandra 集群。
# 接受的值为:
# `RoundRobin`, `RequestRoundRobin`,
# `DCAwareRoundRobin`,和
# `RequestDCAwareRoundRobin`。
# 以“请求”为前缀的策略
# 有效利用已建立的
# 相同的连接
# 要求。
# 如果和
# 仅当您使用
# 多数据中心集群。
#cassandra_local_datacenter = # 使用 `DCAwareRoundRobin` 时
# 或 `RequestDCAwareRoundRobin` 加载
# 平衡策略,必须指定名称
# 本地(最近的)数据中心
# Kong 节点。
#cassandra_refresh_frequency = 60 # 频率(以秒为单位)
# 集群拓扑将是
# 检查新的或退役的
# 节点。
# 值 `0` 将禁用此功能
# 检查,集群拓扑
# 永远不会刷新。
#cassandra_repl_strategy = SimpleStrategy # 第一次迁移时,
# Kong 将使用此设置
# 创建你的密钥空间。
# 接受的值是
# `SimpleStrategy` 和
# `网络拓扑策略`。
#cassandra_repl_factor = 1 # 第一次迁移时,Kong
# 将用这个创建键空间
# 使用时的复制因子
# `简单策略`。
#cassandra_data_centers = dc1:2,dc2:3 # 迁移时g第一次,
# 使用时将使用此设置
# `网络拓扑策略`。
# 格式为逗号分隔列表
# 由`<dc_name>:<repl_factor>` 组成。
#cassandra_schema_consensus_timeout = 10000 # 定义超时时间(以毫秒为单位)
#达到a的等待时间
# 你之间的模式共识
# Cassandra 节点。
# 此值仅在使用期间使用
# 迁移。
#declarative_config = # 声明性配置的路径
# 包含所有规格的文件
# 实体(路由、服务、消费者等)
# 当 `database` 设置为
# `关闭`。
# 实体存储在 Kong 的内存缓存中,
# 所以你必须确保有足够的内存
# 通过 `mem_cache_size` 分配给它
# 财产。您还必须确保项目
# 在缓存中永不过期,这意味着
# `db_cache_ttl` 应该保留它的默认值
# 值为 0。
# 如果混合模式 `role` 设置为 `data_plane`
# 并且没有配置缓存文件,
# 连接前使用此配置
# 到控制平面节点作为用户控制
# 倒退。
#declarative_config_string = # 声明性配置为字符串
#------------------------------------------------ -----------------------------------------
# 数据存储缓存
#------------------------------------------------ -----------------------------------------
# 为了避免与数据存储不必要的通信,Kong 缓存
# 实体(例如 API、消费者、凭证...),用于可配置的时间段
#时间。如果这样的实体被更新,它也会处理失效。
# 此部分允许配置 Kong 的行为
# 缓存此类配置实体。
#db_update_frequency = 5 # 检查频率(以秒为单位)
# 使用数据存储更新实体。
# 当一个节点创建、更新或删除一个
# 实体通过 Admin API,其他节点需要
# 等待下一次轮询(由
# 这个值)最终清除旧的
# 缓存实体并开始使用新实体。
#db_update_propagation = 0 # 实体在
# 要传播到副本节点的数据存储
# 另一个数据中心。
# 在分布式环境中如
# 一个多数据中心的 Cassandra 集群,这个
# value 应该是最大数量
# Cassandra 传播 a 所花费的秒数
# 行到其他数据中心。
# 设置后,该属性会增加
# Kong 传播更改所花费的时间
# 一个实体。
# 单数据中心设置或 PostgreSQL
# 服务器不应遭受此类延迟,并且
# 这个值可以安全地设置为 0。
#db_cache_ttl = 0 # 实体的生存时间(以秒为单位)
# 被该节点缓存时的数据存储。
# 数据库未命中(无实体)也被缓存
# 如果不这样做就按照这个设置
# 配置`db_cache_neg_ttl`。
# 如果设置为0(默认),这样缓存的实体
# 或未命中永不过期。
#db_cache_neg_ttl = # 数据存储的生存时间(以秒为单位)# 错过(没有实体)。
# 如果没有指定(默认),`db_cache_ttl`
# 值将被使用。
# 如果设置为 0,未命中将永不过期。
#db_resurrect_ttl = 30 # 陈旧实体的时间(以秒为单位)
# 来自数据存储的应该被复活
# 当它们不能被刷新时(例如,
# 数据存储不可访问)。当这个 TTL
# expires,重新尝试刷新旧的
# 实体将被制作。
#db_cache_warmup_entities = 服务
# 要从数据存储区预加载的实体
# 在 Kong 启动时进入内存缓存。
# 这加快了端点的首次访问
# 使用给定实体。
# 当 `services` 实体被配置时
# 用于预热,值的 DNS 条目
# 它的 `host` 属性是预先解析的
# 也是异步的。
# 在 `mem_cache_size` 中设置的缓存大小应该
# 设置为足够大的值以容纳所有
# 指定实体的实例。
# 如果大小不足,Kong 会记录
# 一个警告。
#------------------------------------------------ -----------------------------------------
#DNS解析器
#------------------------------------------------ -----------------------------------------
# 默认情况下,DNS 解析器将使用标准配置文件
# `/etc/hosts` 和 `/etc/resolv.conf`。后一个文件中的设置将是
# 被环境变量 `LOCALDOMAIN` 和 `RES_OPTIONS` 覆盖 if
# 他们已经设置好了。
# Kong 会将主机名解析为 `SRV` 或 `A` 记录(按此顺序,并且
# `CNAME` 记录将在此过程中被取消引用)。
# 如果名称被解析为 `SRV` 记录,它还将覆盖任何给定的记录
# 端口号由从 DNS 服务器接收的 `port` 字段内容。
# DNS 选项 `SEARCH` 和 `NDOTS`(来自 `/etc/resolv.conf` 文件)将
# 用于将短名称扩展为完全限定名称。所以它会首先尝试
# `SRV` 类型的整个 `SEARCH` 列表,如果失败,它将尝试
# `A` 等的`SEARCH` 列表
# 在 `ttl` 期间,内部 DNS 解析器将负载均衡每个
# 请求它通过 DNS 记录中的条目。对于`SRV`记录
# `weight` 字段将被尊重,但它只会使用最低的`priority`
# 记录中的字段条目。
#dns_resolver = # 逗号分隔的名称服务器列表,每个
# 使用 `ip[:port]` 格式的条目
#孔。如果未指定名称服务器
# 将使用本地 `resolv.conf` 文件。
# 如果省略,端口默认为 53。接受
# IPv4 和 IPv6 地址。
#dns_hostsfile = /etc/hosts # 要使用的主机文件。该文件被读取
# 一次,它的内容在内存中是静态的。
# 修改后再次读取文件,
# Kong 必须重新加载。
#dns_order = LAST,SRV,A,CNAME #解析不同的顺序
# 记录类型。 `LAST` 类型表示
# 最后一次成功查找的类型(对于
# 指定名称)。格式为(大小写
# 不敏感)逗号分隔列表。
#dns_valid_ttl = # 默认情况下,DNS 记录使用缓存
# 响应的 TTL 值。如果这
# 属性接收一个值(以秒为单位),它
# 将覆盖所有记录的 TTL。
#dns_stale_ttl = 4 # 以秒为单位定义一条记录将持续多长时间
# 保留在缓存中超过其 TTL。这个值
# 将在新的 DNS 记录出现时使用
# 在后台获取。
# 过期数据将在 a 到期时使用
# 记录直到刷新查询
# 完成,或 `dns_stale_ttl` 数量
# 秒过去了。
#dns_cache_size = 10000 #定义允许的最大数量
# DNS 记录存储在内存缓存中。
# 最近最少使用的 DNS 记录被丢弃
# 如果缓存已满,则从缓存中获取。错误和
# 数据被缓存,因此单个名称查询
# 可以轻松占用 10-15 个插槽。
#dns_not_found_ttl = 30 # 以秒为单位的空 DNS 响应的 TTL 和
# “(3) 名称错误”响应。
#dns_error_ttl = 1 # 错误响应的 TTL 秒数。
#dns_no_sync = off # 如果启用,则每次缓存未命中
# 请求会触发自己的 dns 查询。
# 当禁用多个请求时
# 相同的名称/类型将被同步到一个
# 单个查询。
#------------------------------------------------ -----------------------------------------
# 调整和行为
#------------------------------------------------ -----------------------------------------
#worker_consistency = 严格
# 定义这个节点是否应该重建它的
# 同步或异步状态(
# 平衡器和路由器在
# 影响他们的更新,例如,更新到
# 路由、服务或上游,通过管理员
# API 或加载声明性配置
# 文件)。
# 接受的值为:
# - `strict`: 路由器将被重建
# 同步,导致传入的请求
# 延迟到重建完成。
# - `eventual`:路由器将被重建
# 通过循环后台异步
# 作业在每个内部每秒运行一次
# 请注意,`strict` 确保所有工作人员
# 给定节点将始终代理请求
# 使用相同的路由器,但增加了
# 可以观察到长尾延迟,如果
# 频繁的路由和服务更新是
# 预期的。
# 使用 `eventual` 将有助于防止长时间
# 在这种情况下出现尾部延迟问题,但可能
# 使工作人员以不同的方式路由请求
# 在 Routes 和
# 服务更新。
#worker_state_update_frequency = 5
# 定义工作者状态改变的频率
# 使用后台作业进行检查。当一个变化
# 检测到,一个新的路由器或平衡器将
# 根据需要构建。提高这个值将
# 减少数据库服务器的负载和
# 减少代理延迟的抖动,但是
# 传播更改可能需要更多时间
# 给每个工人。
#------------------------------------------------ -----------------------------------------
# 各种各样的
#------------------------------------------------ -----------------------------------------
# 从 lua-nginx-module 继承的附加设置允许更多
# 灵活性和高级用法。
# 更多信息参见 lua-nginx-module 文档:
# https://github.com/openresty/lua-nginx-module
#lua_ssl_trusted_certificate = # 逗号分隔的证书路径列表
# PEM 格式的 Lua cosockets 授权文件。
# 特殊值 `system` 尝试搜索
# 每个发行版提供的“通常默认值”,根据
# 到任意启发式。在当前的实现中,
# 以下路径名将按顺序进行测试,
# 并且将使用找到的第一个:
## - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
# - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
# - /etc/ssl/ca-bundle.pem (OpenSUSE)
# - /etc/pki/tls/cacert.pem (OpenELEC)
# - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
# - /etc/ssl/cert.pem (OpenBSD, Alpine)
# 如果在这些路径中没有找到文件,则会出现错误
# 被提高。
# `system` 可以单独使用,也可以和其他的一起使用
#CA 文件路径。
# 当 `pg_ssl_verify` 或 `cassandra_ssl_verify`
# 已启用,这些证书颁发机构文件将是
# 用于验证 Kong 的数据库连接。
# 见 https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
#lua_ssl_verify_depth = 1 #在服务器设置验证深度
# Lua cosockets 使用的证书链,
# 由 `lua_ssl_trusted_certificate` 设置。
# 这包括配置的证书
# 用于 Kong 的数据库连接。
# 如果之前达到最大深度
# 到达链的末端,验证
# 将失败。这有助于减轻证书
# 基于 DoS 攻击。
# 见 https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 #定义支持的TLS版本
# 与 OpenResty 握手时
# TCP cosocket API。
# 这会影响 Lua 建立的连接
# 代码,例如连接到
# Kong 使用的数据库,或者发送日志的时候
# 使用日志插件。它不是*
# 影响到上游的连接
# 服务或来自下游客户端。
#lua_package_path = ./?.lua;./?/init.lua; # 设置 Lua 模块搜索路径
# (LUA_PATH)。开发时有用
# 或使用未存储的自定义插件
# 在默认搜索路径中。
# 见 https://github.com/openresty/lua-nginx-module#lua_package_path
#lua_package_cpath = # 设置 Lua C 模块搜索路径
# (LUA_CPATH)。
# 见 https://github.com/openresty/lua-nginx-module#lua_package_cpath
#lua_socket_pool_size = 30 # 指定每个 cosocket 的大小限制
# 与每个远程关联的连接池
# 服务器。
# 见 https://github.com/openresty/lua-nginx-module#lua_socket_pool_size
#enforce_rbac = off # 指定是否强制执行 Admin API RBAC。
# 接受 `entity`、`both`、`on` 或
# `关闭`。
# - `on`:仅端点级授权
# 被强制执行。
# - `entity`: 实体级授权
# 适用。
# - `both`:同时启用端点和
# 实体级授权。
# - `off`: 禁用端点和
# 实体级授权。
# 启用后,Kong 将拒绝对
# 当 RBAC 不存在或无效时的管理 API
# 授权令牌通过,或者RBAC# 与令牌关联的用户
# 无权访问/修改
# 请求的资源。
#rbac_auth_header = Kong-Admin-Token #定义HTTP请求的名称
# 管理 API 将从的标头
# 尝试验证 RBAC 用户。
#event_hooks_enabled = on # 启用时,事件挂钩实体代表一种关系
# 在一个事件(源和事件)和一个动作之间
#(处理程序)。与 web 挂钩类似,事件挂钩可用于
# 通信 Kong Gateway 服务事件。当一个特定的
# 事件发生在服务上,事件挂钩调用 URL
# 关于该事件的信息。事件挂钩配置
# 因处理程序而异。发生的事件
# 触发发送关联数据。
# 见:https://docs.konghq.com/enterprise/latest/admin-api/event-hooks/reference/
#------------------------------------------------ -----------------------------------------
# 港经理
#------------------------------------------------ -----------------------------------------
# Kong Enterprise 的管理 GUI。
#admin_gui_listen = 0.0.0.0:8002, 0.0.0.0:8445 ssl
# Kong Manager 监听器
# 逗号分隔的地址和端口列表
# Kong 会暴露 Kong Manager。这个网络应用程序
# 让你配置和管理 Kong,因此
# 应保持安全。
# 可以为每一对指定后缀,类似于
# `admin_listen` 指令。
#admin_gui_url = # Kong 管理器 URL
# Kong Manager 的查找或平衡器地址。
# 接受的格式(括号中的项目是可选的):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# 例子:
# - `http://127.0.0.1:8003`
# - `https://kong-admin.test`
# - `http://dev-machine/dev-285`
# 默认情况下,Kong Manager 会使用窗口请求
# 主机并附加解析的侦听器端口,具体取决于
# 在请求的协议上。
#admin_gui_ssl_cert = # SSL 证书的绝对路径
# 启用 SSL 的 `admin_gui_listen` 值。
#admin_gui_ssl_cert_key = # SSL 密钥的绝对路径
# 启用 SSL 的 `admin_gui_listen` 值。
#admin_gui_flags = {}
# 改变布局管理 GUI (JSON)
# 唯一支持的值是 `{ "IMMUNITY_ENABLED": true }`
# 在管理 GUI 中启用 Kong Immunity。
#admin_gui_access_log = 日志/admin_gui_access.log
# Kong Manager 访问日志
# 这里可以设置Kong的绝对或相对路径
# 管理员访问日志。当路径是相对的时,
# 日志放置在 `prefix` 位置。
# 将此值设置为 `off` 禁用访问日志
# 为 Kong 经理。
#admin_gui_error_log = 日志/admin_gui_error.log
# Kong Manager 错误日志
# 这里可以设置Kong的绝对或相对路径
# 管理员访问日志。当路径是相对的时,
# 日志放置在 `prefix` 位置。
# 将此值设置为 `off` 会禁用错误日志
#孔经理。
# 粒度可以通过 `log_level` 进行调整
#admin_gui_auth = # Kong Manager 身份验证插件名称
# 通过指定一个来保护对 Kong Manager 的访问
# 要使用的身份验证插件。
# 支持的插件:
# - `basic-auth`: 基本认证插件
# - `ldap-auth-advanced`: LDAP 认证插件# - `openid-connect`: OpenID 连接认证
# 插入
#admin_gui_auth_conf = # Kong Manager 身份验证插件配置 (JSON)
# 指定认证的配置
# 在 `admin_gui_auth` 中指定的插件。
# 关于插件配置的信息
# 查阅相关的插件文档。
# `basic-auth` 的示例:
# `admin_gui_auth_conf = { "hide_credentials": true }`
#admin_gui_auth_password_complexity = # Kong Manager 身份验证密码复杂度 (JSON)
# 当 `admin_gui_auth = basic-auth` 时,该属性定义
# Kong Manager 密码所需的规则。选择
# 来自预设规则或编写您自己的规则。
# 使用预设规则的示例:
# `admin_gui_auth_password_complexity = { "kong-preset": "min_8" }`
# kong-preset 的所有值都需要包含密码
# 来自以下至少三个类别的字符:
# 1. 大写字符(A 到 Z)
# 2. 小写字符(a 到 z)
# 3. Base-10 数字(0 到 9)
# 4. 特殊字符(例如&、$、#、%)
# 支持的预设规则:
# - `min_8`: 最小长度为 8
# - `min_12`: 最小长度为 12
# - `min_20`: 最小长度为 20
# 要编写自己的规则,请参阅
# https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html。
# 注意:仅支持关键字“min”、“max”和“passphrase”。
# 例子:
# `admin_gui_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#admin_gui_session_conf = # Kong Manager 会话配置 (JSON)
# 指定 Session 插件的配置为
# 由 Kong Manager 使用。
# 有关插件配置的信息,请参阅
# Kong Session 插件文档。
# 例子:
# admin_gui_session_conf = { "cookie_name": "kookie", \
# “秘密”:“改变我” }
#admin_gui_auth_header = Kong-Admin-User
# 定义 HTTP 请求头的名称
# Admin API 将尝试识别 Kong Admin
# 用户。
#admin_gui_auth_login_attempts = 0
# 用户可以尝试登录 Kong 的次数
# 经理。 0 表示允许无限尝试。
#admin_gui_header_txt = # Kong Manager 标题文本
# 设置 Kong Manager 标题横幅的文本。标题横幅
# 如果此配置为空,则不显示。
#admin_gui_header_bg_color = # Kong Manager 标题背景颜色
# 设置Kong Manager Header Banner的背景颜色
# 接受 css 颜色关键字,#-hexadecimal 或 rgb
# 格式。 Manager 会忽略无效值。
#admin_gui_header_txt_color = # Kong Manager 标题文本颜色
# 设置 Kong Manager Header Banner 的文本颜色。
# 接受 css 颜色关键字,#-hexadecimal 或 rgb
# 格式。 Kong Manager 会忽略无效值。
#admin_gui_footer_txt = # Kong 管理器页脚文本
# 设置 Kong Manager 页脚横幅的文本。页脚横幅
# 如果此配置为空,则不显示
#admin_gui_footer_bg_color = #Kong Manager 页脚背景颜色
# 设置 Kong Manager 页脚横幅的背景颜色。
# 接受 css 颜色关键字,#-hexadecimal 或 rgb
# 格式。 Manager 会忽略无效值。
#admin_gui_footer_txt_color = # Kong Manager 页脚文本颜色
# 设置 texKong Manager 页脚横幅的 t 颜色。
# 接受 css 颜色关键字,#-hexadecimal 或 rgb
# 格式。 Kong Manager 会忽略无效值。
#admin_gui_login_banner_title = # Kong Manager 登录横幅标题文本
# 设置 Kong Manager Login Banner 的标题文本。
# 如果两者都显示,则不显示登录横幅
# `admin_gui_login_banner_title` 和
# `admin_gui_login_banner_body` 为空。
#admin_gui_login_banner_body = # Kong Manager 登录横幅正文
# 设置 Kong Manager Login Banner 的正文。
# 如果两者都显示,则不显示登录横幅
# `admin_gui_login_banner_title` 和
# `admin_gui_login_banner_body` 为空。
#------------------------------------------------ -----------------------------------------
# 生命体征
#------------------------------------------------ -----------------------------------------
#vitals = on #启用后,Kong将存储并报告
# 关于其性能的指标。
# 在多节点设置中运行 Kong 时,
# `vitals` 包含两个不同的含义
# 取决于节点。
# 在仅代理节点上,`vitals` 确定
# 是否收集 Vitals 的数据。
# 在仅管理员节点上,`vitals` 确定
# 是否显示 Vitals 指标和
# 仪表板上的可视化。
#vitals_strategy = database #判断是否使用Kong数据库
# (PostgreSQL 或 Cassandra,定义
# 通过上面的 `database` 配置值),或者
# 单独的存储引擎,用于 Vitals 指标。
# 接受的值为 `database`, `prometheus`,
# 或`influxdb`。
#vitals_tsdb_address = # 定义 TSDB 服务器的主机和端口
# 写入和读取 Vitals 数据的位置。
# 此值仅适用于
# `vitals_strategy` 选项设置为
# `prometheus` 或 `influxdb`。这个值
# 接受 IPv4、IPv6 和主机名值。
# 如果 `vitals_strategy` 设置为
# `prometheus`,这个值决定了
# Prometheus 服务器地址
# Vitals 数据将被读取。对于`influxdb`
# 策略,这个值控制读取
# 并为 Vitals 数据编写源代码。
#vitals_tsdb_user = # Influxdb 用户
#vitals_tsdb_password = # Influxdb 密码
#vitals_statsd_address = # 定义主机和端口(以及一个可选的
# 协议)的 StatsD 服务器
# Kong 应该写 Vitals metics。这个值
# 仅在 `vitals_strategy` 为
# 设置为`普罗米修斯`。此值接受 IPv4,
# IPv6 和主机名。此外,后缀
# `tcp` 可以指定;这样做会导致
# 在 Kong 通过 TCP 发送 StatsD 指标
# 而不是 UDP(默认)。
#vitals_statsd_prefix = kong # 定义附加到所有的前缀值
# Vitals StatsD 事件。这个前缀很有用
# 将指标写入多租户 StatsD 时
# 出口商或服务器。
#vitals_statsd_udp_packet_size = 1024 # 定义最大缓冲区大小
# Vitals statsd 指标将是哪些
# 持有并分批发送。
# 此值以字节为单位定义。
#vitals_prometheus_scrape_interval = 5 #定义scrape_interval查询
# 参数发送到 Prometheus
# 读取 Vitals 数据时的服务器。
# 这应该和scrape一样
# 在的间隔(以秒为单位)
# 普罗米修斯服务器。
#------------------------------------------------ -----------------------------------------
# 开发者门户
#------------------------------------------------ -----------------------------------------
#portal = 关闭
# 开发者门户切换
# 启用时:
# Kong 将公开 Dev Portal 界面和
# `portal_gui_listen` 地址上的只读 API,
# 和管理 API 上的端点来管理资产。
# 当与 `portal_auth` 一起启用时:
# Kong 将为开发人员公开管理端点
# 管理 API 和开发门户 API 上的帐户。
#portal_gui_listen = 0.0.0.0:8003, 0.0.0.0:8446 ssl
# 开发者门户 GUI 监听器
# Kong 将访问的地址的逗号分隔列表
# 公开开发者门户 GUI。后缀可以
# 为每一对指定,类似于
# `admin_listen` 指令。
#portal_gui_protocol = http
# 开发者门户 GUI 协议
# 结合使用的协议
# `portal_gui_host` 构建查找或平衡器
# Kong 代理节点的地址。
# 示例:`http`、`https`
#portal_gui_host = 127.0.0.1:8003
# 开发者门户 GUI 主机
# 配合使用的主机
# `portal_gui_protocol` 构造查找,
# 或 Kong 代理节点的平衡器地址。
# 例子:
# - `<IP>:<PORT>`
# -> `portal_gui_host = 127.0.0.1:8003`
# - `<主机名>`
# -> `portal_gui_host = portal_api.domain.tld`
# - `<主机名>/<路径>`
# -> `portal_gui_host = dev-machine/dev-285`
#portal_cors_origins = # 开发者门户 CORS 起源
# 一个逗号分隔的允许域列表
# `Access-Control-Allow-Origin` 标头。这可以用来
# 解决自定义网络环境中的 CORS 问题。
# 例子:
# - 域列表:
# `portal_cors_origins = http://localhost:8003, https://localhost:8004`
# - 单个域:
# `portal_cors_origins = http://localhost:8003`
# - 所有域:
# `portal_cors_origins = *`
# 注意:在大多数情况下,Developer Portal 能够导出
# 使用 `portal_gui_protocol`、`portal_gui_host` 的有效 CORS 来源,
# 如果适用,`portal_gui_use_subdomains`。在这些情况下,
# `portal_cors_origins` 不需要并且可以保持未设置。
#portal_gui_use_subdomains = 关闭
# Developer Portal GUI 子域切换
# 默认情况下,Kong Portal 使用第一个命名空间
# 确定工作空间的请求路径。通过转动
# `portal_gui_subdomains` 开启,Kong Portal 将期待
# 工作区作为子域包含在请求 url 中。
# 示例(关闭):
# - `<scheme>://<HOSTNAME>/<WORKSPACE>/<PATH>`->
# `http://kong-portal.com/example-workspace/index`
# 示例(上):
# - `<scheme>://<WORKSPACE>.<HOSTNAME>` ->
# `http://example-workspace.kong-portal.com/index`
#portal_gui_ssl_cert = # 开发者门户 GUI SSL 证书
# SSL证书的绝对路径
# 启用 SSL 的 `portal_gui_listen` 值。
#portal_gui_ssl_cert_key = # 开发者门户 GUI SSL 证书密钥
# SSL 密钥的绝对路径
# 启用 SSL 的 `portal_gui_listen` 值。
#portal_gui_access_log = 日志/portal_gui_access。日志
# Developer Portal GUI 访问日志位置
# 这里可以设置绝对路径或者相对路径
# Portal GUI 访问日志。
# 将此值设置为 `off` 将禁用日志记录
# Portal GUI 访问日志。
# 使用相对路径时,日志会放在下面
# `prefix` 位置。
#portal_gui_error_log = 日志/portal_gui_error.log
# Developer Portal GUI 错误日志位置
# 这里可以设置绝对路径或者相对路径
# 门户 GUI 错误日志。
# 将此值设置为 `off` 将禁用日志记录
# 门户 GUI 错误日志。
# 使用相对路径时,日志会放在下面
# `prefix` 位置。
# 粒度可以通过 `log_level` 进行调整
#portal_api_listen = 0.0.0.0:8004, 0.0.0.0:8447 ssl
# 开发者门户 API 监听器
# Kong 将访问的地址的逗号分隔列表
# 公开开发者门户 API。后缀可以
# 为每一对指定,类似于
# `admin_listen` 指令。
#portal_api_url = # 开发者门户 API URL
# 开发者的查找地址或平衡器地址
# 门户节点。
# 这个值是微服务中常用的
# 或面向服务网格的架构。
# `portal_api_url` 是你的地址
# Kong Dev Portal API 可由 Kong 访问。你
# 仅当您的 Kong Dev Portal API 时才应设置此值
# 与 Kong Proxy 位于不同的节点上。
# 接受的格式(括号中的部分是可选的):
# `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
# 例子:
# - `<scheme>://<IP>:<PORT>`
# -> `portal_api_url = http://127.0.0.1:8003`
# - `SSL <scheme>://<HOSTNAME>`
# -> `portal_api_url = https://portal_api.domain.tld`
# - `<scheme>://<HOSTNAME>/<PATH>`
# -> `portal_api_url = http://dev-machine/dev-285`
# 默认情况下,此值指向本地接口:
# - `http://0.0.0.0:8004`
#portal_api_ssl_cert = # 开发者门户 API SSL 证书
# SSL证书的绝对路径
# 启用 SSL 的 `portal_api_listen` 值。
#portal_api_ssl_cert_key = # 开发者门户 API SSL 证书密钥
# SSL 密钥的绝对路径
# 启用 SSL 的 `portal_api_listen` 值。
#portal_api_access_log = 日志/portal_api_access.log
# Developer Portal API 访问日志位置
# 这里可以设置绝对路径或者相对路径
# Portal API 访问日志。
# 将此值设置为 `off` 将禁用日志记录
# Portal API 访问日志。
# 使用相对路径时,日志会放在下面
# `prefix` 位置。
#portal_api_error_log = 日志/portal_api_error.log
# Developer Portal API 错误日志位置
# 这里可以设置绝对路径或者相对路径
# 门户 API 错误日志。
# 将此值设置为 `off` 将禁用日志记录
# 门户 API 错误日志。
# 使用相对路径时,日志会放在下面
# `prefix` 位置。
# 粒度可以通过 `log_level` 进行调整
#指令。#portal_is_legacy = 关闭
# 开发者门户旧版支持
# 将此值设置为 `on` 将导致所有新的
# 默认情况下使用旧版渲染系统渲染的门户。
# 将此值设置为 `off` 将导致所有新的
# 使用当前渲染系统渲染的门户。
#portal_app_auth = kong-oauth2
# 开发者门户应用注册
# 身份验证提供者和策略。必须设置为启用
# application_registration 插件
# 目前接受 kong-oauth2 或 external-oauth2
#------------------------------------------------ -----------------------------------------
# 默认开发者门户认证
#------------------------------------------------ -----------------------------------------
# 在创建工作区时引用以设置 Dev Portal 身份验证默认值
# 在该特定工作区的数据库中。
#portal_auth = # 开发者门户认证插件名称
# 指定认证插件
# 申请到您的开发者门户。开发者
# 将使用指定的认证形式
# 请求访问、注册和登录到您的
# 开发者门户。
# 支持的插件:
# - 基本身份验证:`portal_auth = basic-auth`
# - OIDC 身份验证:`portal_auth = openid-connect`
#portal_auth_password_complexity = # Kong 门户身份验证密码复杂度 (JSON)
# 当portal_auth = basic-auth时,该属性定义
# Kong Portal 密码所需的规则。选择
# 来自预设规则或编写您自己的规则。
# 使用预设规则的示例:
# `portal_auth_password_complexity = { "kong-preset": "min_8" }`
# kong-preset 的所有值都需要包含密码
# 来自以下至少三个类别的字符:
# 1. 大写字符(A 到 Z)
# 2. 小写字符(a 到 z)
# 3. Base-10 数字(0 到 9)
# 4. 特殊字符(例如&、$、#、%)
# 支持的预设规则:
# - `min_8`: 最小长度为 8
# - `min_12`: 最小长度为 12
# - `min_20`: 最小长度为 20
# 要编写自己的规则,请参阅
# https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html。
# 注意:仅支持关键字“min”、“max”和“passphrase”。
# 例子:
# `portal_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#portal_auth_conf = # 开发者门户身份验证插件配置 (JSON)
# 指定插件配置对象
# 以 JSON 格式应用于您的开发人员
# 门户认证。
# 关于插件配置的信息
# 查阅相关的插件文档。
# `basic-auth` 的示例:
# `portal_auth_conf = { "hide_credentials": true }`
#portal_auth_login_attempts = 0
# 用户可以尝试登录的次数
# 必须重置密码之前的开发门户。
# 0(默认)表示允许无限尝试。
# 注意:任何大于 0 的值只会影响
# 使用基本身份验证保护的开发门户。
#portal_session_conf = # 门户会话配置 (JSON)
# 指定配置
# Kong Portal 使用的会话插件。
# 有关插件配置的信息,请参阅# Kong 会话插件文档。
# 例子:
#portal_session_conf = {“cookie_name”:“portal_session”,\
# “秘密”:“改变我”,\
# "存储": "kong" }
#portal_auto_approve = 关闭
# 开发者门户自动批准访问
# 当此标志设置为 `on` 时,开发人员将
# 完成后自动标记为“已批准”
# 登记。仍然可以通过
# 管理 GUI 或 API。
#portal_token_exp = 21600
# 门户过期的持续时间(秒)
# 登录重置/帐户验证令牌。
#portal_email_verification = 关闭
# 门户开发者电子邮件验证。
# 启用后,开发人员将收到一封电子邮件
# 注册以验证他们的帐户。开发商将
# 在他们之前不能使用开发者门户
# 验证他们的帐户。
# 注意:必须打开 SMTP 才能使用此功能。
#------------------------------------------------ -----------------------------------------
# 默认门户 SMTP 配置
#------------------------------------------------ -----------------------------------------
# 在创建工作区时引用以在数据库中设置 SMTP 默认值
# 对于那个特定的工作空间。
#portal_invite_email = 开启
# 启用或禁用portal_invite_email
#portal_access_request_email = 开启
# 启用或禁用portal_access_request_email
#portal_approved_email = 开启
# 启用或禁用portal_approved_email
#portal_reset_email = 开启
# 启用或禁用portal_reset_email
#portal_reset_success_email = 开启
# 启用或禁用portal_reset_success_email
#portal_application_status_email = 关闭
# 启用后,开发者会收到一封邮件
# 当他们的应用程序的状态发生变化时
# 服务请求。
# 禁用后,开发人员仍然可以
# 在他们的开发者门户中查看状态
# 申请页面。
# 邮件如下所示:
# 主题:开发门户应用程序请求 <REQUEST_STATUS> (<DEV_PORTAL_URL>)
# 你好开发者,
# 我们正在向您发送电子邮件,让您知道您的应用程序访问请求来自
# <DEV_PORTAL_URL> 的开发者门户帐户是 <REQUEST_STATUS>。
# 应用程序:<APPLICATION_NAME>
# 服务:<SERVICE_NAME>
# 当您的访问被批准后,您将收到另一封电子邮件。
#portal_application_request_email = 关闭
# 启用后,由 `smtp_admin_emails` 指定的 Kong 管理员
# 当开发者请求访问时会收到一封电子邮件
# 通过应用程序提供服务。
# 禁用时,Kong 管理员必须手动检查
# Kong Manager 查看任何请求。
# 默认情况下,`smtp_admin_emails` 将是收件人。
# 这可以被 `portal_smtp_admin_emails` 覆盖,
# 可以通过每个工作区动态设置
# 管理 API。
# 邮件如下所示:
# 主题:从 <DEVELOPER_EMAIL> 请求访问开发门户 (<DEV_PORTAL_URL>) 服务
配置加载
Kong的默认
配置在 /etc/
kong/
kong.conf.default 。如果你通过一个官方的安装包来安装
Kong。您可以复制下面的文件,开始
配置Kong:
$ cp /etc/
kong/
kong.conf.default /etc/
kong/
kong.conf
Kong 开源API网关安装与配置教程
kongKong是一款高性能的开源API网关,支持多种协议和插件,能够实现API路由、认证、限流等功能,助力企业构建灵活、安全且可扩展的API架构。项目地址:https://gitcode.com/gh_mirrors/ko/kong 1. 项目目录结构及介绍
在下载并克隆Kong仓库(https://github.com/Kong/kong.git)后,...
本篇文件介绍
kong配置文件的
配置
配置文件
Kong启动时,如果存在 /etc/
kong/
kong.conf 文件,将会使用该文件的
配置,该文件由开发者自己生成
/etc/
kong/
kong.conf.default是
kong提供的模板
配置,开发者可参考该
配置
基于
配置文件的Docker启动
如下,我们使用
配置文件启动
Kong Docker
1.新建一个Test
Kong目录
2.目录下新建
kong.conf,其内容如下
database = postgres
pg_host = postgres
安装kong
$ curl -Lo kong-2.5.0.amd64.rpm $( rpm --eval "https://download.konghq.com/gateway-2.x-centos-%{centos_ver}/Packages/k/kong-2.5.0.el%{centos_ver}.amd64.rpm")
$ sudo yum install kong-2.5.0.amd64.rpm
安装 postgresql
官网下载页面:http://www.postgres.cn/v.
Kong的默认配置在/etc/kong/kong.conf.default
在开始时,Kong可能会查找的几个缺省配置文件位置如下:
测试 类似 nginx -t
kong checkconfiguration at /etc/kong/kong.conf is valid
重新加载 类似 nginx -s reload
kong reload
如此 配置生效,问题解决
Kong配置文件是Kong服务的核心文件,它配置了Kong以怎么的方式运行,并且依赖于这个配置生成Nginx的配置文件,本文通过解读Kong配置文件,以了解Kong的运行和配置。
在成功安装Kong以后,会有一个名为kong.conf.default默认的配置文件示例,如果是通过包管理器安装的,通常位于/etc/kong/kong.conf.default,我们要将其复制为kong.co...
个人理解,仅供参考:
首先,
kong+
konga除去其他高级功能,个人觉得就是把nginx,变成可以页面
配置的了。比如,
配置的router,service就是反向代理,
配置upstream就是负载均衡。
本文只介绍
KONGA
配置service,router,upstream。
使用docker-compose安装:
docker-compose.yml
[root@ecs-f841-0003
kong]# cat docker-compose.yml
version: '3'
services:
物联网网关神器 Kong ( 四 )- 利用 Konga 来配置生产环境安全连接 Kong
上一篇我们讲解了 Konga 的搭建和与 Kong 进行默认连接,本篇文章将讲一下如何在生产环境中基于验证的连接 Kong ,并详细讲解其中的参数。
如果你需要在生产环境使用,那么你可以将 admin 端口只监听 127.0.0.1 ,然后通过 Kong 自己进行代理并增加效验。
首先,你可以通过默认方法连接上你的 Kong admin,这样方便进行配置。而后创建 Service。
Service
Kong.conf
配置文件属性
详解1. 基础部分2. NGINX部分3. 数据库部分databasePostgres设置4. 数据存储区缓存部分5. DNS解析器部分6. 开发和其他
配置部分备注header
配置项可选参数:
1. 基础部分
Kong 是一个开源的云原生 API 网关,它可以用来管理和路由 API 请求。与此同时,Nginx 是一个高性能的 Web 服务器和反向代理服务器。在配置 Kong 和 Nginx 时,你需要将 Kong 配置为 Nginx 的插件,并将其与 Nginx 进行集成。
下面是一个简单的示例配置,展示了如何将 Kong 配置为 Nginx 的插件:
1. 首先,确保你已经安装了 Nginx 和 Kong。
2. 打开 Nginx 的配置文件,通常位于 `/etc/nginx/nginx.conf`。在 `http` 块中添加以下内容:
http {
# ...其他配置...
# 启用 HTTP 代理模块
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# 配置 Kong 的代理
location / {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# 配置 Kong 的 Admin API
location /kong {
proxy_pass http://localhost:8001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# ...其他配置...
上述配置中,我们首先启用了 HTTP 代理模块,然后为 Kong 的代理和 Admin API 分别配置了对应的 `location`。
3. 保存并退出 Nginx 配置文件。
4. 启动 Nginx 和 Kong,并确保它们都正常运行。
这只是一个简单的示例配置,你可以根据自己的需求进行更详细的配置。另外,Kong 还提供了更多高级功能和插件,你可以根据文档进一步了解和配置。