| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| # PLEASE DO NOT UPDATE THIS FILE! |
| # If you want to set the specified configuration value, you can set the new |
| # value in the conf/config.yaml file. |
| # |
| |
| apisix: |
| node_listen: 9080 # APISIX listening port |
| enable_admin: true |
| enable_admin_cors: true # Admin API support CORS response headers. |
| enable_debug: false |
| enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true |
| enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true. |
| enable_ipv6: true |
| config_center: etcd # etcd: use etcd to store the config value |
| # yaml: fetch the config value from local yaml file `/your_path/conf/apisix.yaml` |
| |
| #proxy_protocol: # Proxy Protocol configuration |
| # listen_http_port: 9181 # The port with proxy protocol for http, it differs from node_listen and port_admin. |
| # This port can only receive http request with proxy protocol, but node_listen & port_admin |
| # can only receive http request. If you enable proxy protocol, you must use this port to |
| # receive http request with proxy protocol |
| # listen_https_port: 9182 # The port with proxy protocol for https |
| # enable_tcp_pp: true # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option |
| # enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server |
| |
| enable_server_tokens: true # Whether the APISIX version number should be shown in Server header. |
| # It's enabled by default. |
| |
| proxy_cache: # Proxy Caching configuration |
| cache_ttl: 10s # The default caching time if the upstream does not specify the cache time |
| zones: # The parameters of a cache |
| - name: disk_cache_one # The name of the cache, administrator can be specify |
| # which cache to use by name in the admin api |
| memory_size: 50m # The size of shared memory, it's used to store the cache index |
| disk_size: 1G # The size of disk, it's used to store the cache data |
| disk_path: "/tmp/disk_cache_one" # The path to store the cache data |
| cache_levels: "1:2" # The hierarchy levels of a cache |
| # - name: disk_cache_two |
| # memory_size: 50m |
| # disk_size: 1G |
| # disk_path: "/tmp/disk_cache_two" |
| # cache_levels: "1:2" |
| |
| allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow |
| - 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default. |
| # - "::/64" |
| port_admin: 9180 # use a separate port |
| # https_admin: true # enable HTTPS when use a separate port for Admin API. |
| # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. |
| admin_api_mtls: # Depends on `port_admin` and `https_admin`. |
| admin_ssl_cert: "" # Path of your self-signed server side cert. |
| admin_ssl_cert_key: "" # Path of your self-signed server side key. |
| admin_ssl_ca_cert: "" # Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates. |
| |
| # Default token when use API to call for Admin API. |
| # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. |
| # Disabling this configuration item means that the Admin API does not |
| # require any authentication. |
| admin_key: |
| - |
| name: "admin" |
| key: edd1c9f034335f136f87ad84b625c8f1 |
| role: admin # admin: manage all configuration data |
| # viewer: only can view configuration data |
| - |
| name: "viewer" |
| key: 4054f7cf07e344346cd3f287985e76a2 |
| role: viewer |
| |
| delete_uri_tail_slash: false # delete the '/' at the end of the URI |
| router: |
| http: 'radixtree_uri' # radixtree_uri: match route by uri(base on radixtree) |
| # radixtree_host_uri: match route by host + uri(base on radixtree) |
| ssl: 'radixtree_sni' # radixtree_sni: match route by SNI(base on radixtree) |
| # stream_proxy: # TCP/UDP proxy |
| # tcp: # TCP proxy port list |
| # - 9100 |
| # - 9101 |
| # udp: # UDP proxy port list |
| # - 9200 |
| # - 9211 |
| # dns_resolver: # If not set, read from `/etc/resolv.conf` |
| # - 1.1.1.1 |
| # - 8.8.8.8 |
| dns_resolver_valid: 30 # valid time for dns result 30 seconds |
| resolver_timeout: 5 # resolver timeout |
| ssl: |
| enable: false # ssl is disabled by default |
| # enable it to use your own cert and key |
| enable_http2: true |
| listen_port: 9443 |
| # ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format |
| # used to verify the certificate when APISIX needs to do SSL/TLS handshaking |
| # with external services (e.g. etcd) |
| # ssl_cert: /path/to/ssl_cert |
| # ssl_cert_key: /path/to/ssl_cert_key |
| ssl_protocols: "TLSv1.2 TLSv1.3" |
| ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" |
| ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless. |
| # ref: https://github.com/mozilla/server-side-tls/issues/135 |
| key_encrypt_salt: "edd1c9f0985e76a2" # If not set, will save origin ssl key into etcd. |
| # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC |
| # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! |
| nginx_config: # config for render the template to genarate nginx.conf |
| error_log: "logs/error.log" |
| error_log_level: "warn" # warn,error |
| worker_processes: auto # one worker will get best performance, you can use "auto", but remember it is just work well only on physical machine |
| # no more than 8 workers, otherwise competition between workers will consume a lot of resources |
| # if you want use multiple cores in container, you can inject the number of cpu as environment variable "APISIX_WORKER_PROCESSES" |
| enable_cpu_affinity: true # enbale cpu affinity, this is just work well only on physical machine |
| worker_rlimit_nofile: 20480 # the number of files a worker process can open, should be larger than worker_connections |
| worker_shutdown_timeout: 240s # timeout for a graceful shutdown of worker processes |
| event: |
| worker_connections: 10620 |
| #envs: # allow to get a list of environment variables |
| # - TEST_ENV |
| |
| # As user can add arbitrary configurations in the snippet, |
| # it is user's responsibility to check the configurations |
| # don't conflict with APISIX. |
| main_configuration_snippet: | |
| # Add custom Nginx main configuration to nginx.conf. |
| # The configuration should be well indented! |
| http_configuration_snippet: | |
| # Add custom Nginx http configuration to nginx.conf. |
| # The configuration should be well indented! |
| http_server_configuration_snippet: | |
| # Add custom Nginx http server configuration to nginx.conf. |
| # The configuration should be well indented! |
| http_admin_configuration_snippet: | |
| # Add custom Nginx admin server configuration to nginx.conf. |
| # The configuration should be well indented! |
| stream_configuration_snippet: | |
| # Add custom Nginx stream configuration to nginx.conf. |
| # The configuration should be well indented! |
| |
| http: |
| enable_access_log: true # enable access log or not, default true |
| access_log: "logs/access.log" |
| access_log_format: "$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"" |
| access_log_format_escape: default # allows setting json or default characters escaping in variables |
| keepalive_timeout: 60s # timeout during which a keep-alive client connection will stay open on the server side. |
| client_header_timeout: 60s # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client |
| client_body_timeout: 60s # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client |
| client_max_body_size: 0 # The maximum allowed size of the client request body. |
| # If exceeded, the 413 (Request Entity Too Large) error is returned to the client. |
| # Note that unlike Nginx, we don't limit the body size by default. |
| |
| send_timeout: 10s # timeout for transmitting a response to the client.then the connection is closed |
| underscores_in_headers: "on" # default enables the use of underscores in client request header fields |
| real_ip_header: "X-Real-IP" # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header |
| real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from |
| - 127.0.0.1 |
| - 'unix:' |
| #lua_shared_dicts: # add custom shared cache to nginx.conf |
| # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size` |
| |
| etcd: |
| host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster. |
| - "http://127.0.0.1:2379" # multiple etcd address, if your etcd cluster enables TLS, please use https scheme, |
| # e.g. "https://127.0.0.1:2379". |
| prefix: "/apisix" # apisix configurations prefix |
| timeout: 30 # 30 seconds |
| # user: root # root username for etcd |
| # password: 5tHkHhYkjr6cQY # root password for etcd |
| tls: |
| verify: true # whether to verify the etcd endpoint certificate when setup a TLS connection to etcd, |
| # the default value is true, e.g. the certificate will be verified strictly. |
| |
| # discovery: # service discovery center |
| # eureka: |
| # host: # it's possible to define multiple eureka hosts addresses of the same eureka cluster. |
| # - "http://127.0.0.1:8761" |
| # prefix: "/eureka/" |
| # fetch_interval: 30 # default 30s |
| # weight: 100 # default weight for node |
| # timeout: |
| # connect: 2000 # default 2000ms |
| # send: 2000 # default 2000ms |
| # read: 5000 # default 5000ms |
| |
| plugins: # plugin list (sorted in alphabetical order) |
| - api-breaker |
| - authz-keycloak |
| - basic-auth |
| - batch-requests |
| - consumer-restriction |
| - cors |
| - echo |
| #- example-plugin |
| - fault-injection |
| - grpc-transcode |
| - hmac-auth |
| - http-logger |
| - ip-restriction |
| - jwt-auth |
| - kafka-logger |
| - key-auth |
| - limit-conn |
| - limit-count |
| - limit-req |
| #- log-rotate |
| - node-status |
| - openid-connect |
| - prometheus |
| - proxy-cache |
| - proxy-mirror |
| - proxy-rewrite |
| - redirect |
| - referer-restriction |
| - request-id |
| - request-validation |
| - response-rewrite |
| - serverless-post-function |
| - serverless-pre-function |
| #- skywalking |
| - sls-logger |
| - syslog |
| - tcp-logger |
| - udp-logger |
| - uri-blocker |
| - wolf-rbac |
| - zipkin |
| |
| stream_plugins: |
| - mqtt-proxy |
| |
| plugin_attr: |
| log-rotate: |
| interval: 3600 # rotate interval (unit: second) |
| max_kept: 168 # max number of log files will be kept |
| skywalking: |
| service_name: APISIX |
| service_instance_name: "APISIX Instance Name" |
| endpoint_addr: http://127.0.0.1:12800 |