-
Notifications
You must be signed in to change notification settings - Fork 0
/
kong.yml
295 lines (240 loc) · 8.34 KB
/
kong.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
######
## Kong configuration file. All commented values are default values.
## Uncomment and update a value to configure Kong to your needs.
##
## Lines starting with `##` are comments.
## Lines starting with `#` are properties that can be updated.
## Beware of YAML formatting for nested properties.
######
## Plugins that this node needs to execute.
## By default, Kong will try to execute all installed plugins on every request.
## If you are sure to only use a few plugins, uncomment and update this property to contain
## only those.
## Custom plugins also need to be added to this list.
# plugins_available:
# - ssl
# - jwt
# - ...
######
## The Kong working directory. Equivalent to nginx's prefix path.
## This is where this running nginx instance will keep server files including logs.
## Make sure it has the appropriate permissions.
# nginx_working_dir: /usr/local/kong/
######
## Port which Kong proxies HTTP requests through, consumers will make requests against this port
## so make sure it is publicly available.
# proxy_port: 8000
######
## Same as proxy_port, but for HTTPS requests.
# proxy_ssl_port: 8443
######
## Specify how Kong performs DNS resolution (in the `dns_resolvers_available` property) you want to use.
## Options are: "dnsmasq" (You will need dnsmasq to be installed) or "server".
# dns_resolver: dnsmasq
######
## DNS resolvers configuration. Specify a DNS server or the port on which you want
## dnsmasq to run.
# dns_resolvers_available:
# server:
# address: "8.8.8.8:53"
# dnsmasq:
# port: 8053
######
## Port on which the admin API will listen to. The admin API is a private API which lets you
## manage your Kong infrastructure. It needs to be secured appropriatly.
# admin_api_port: 8001
######
## Specify which database to use from the databases_available property.
# database: cassandra
######
## Databases configuration.
# databases_available:
# cassandra:
######
## Contact points to your Cassandra cluster.
# contact_points:
# - "localhost:9042"
# timeout: 1000
# keyspace: kong
######
## Time (in milliseconds) for which sockets will be keep alive.
## for being eventually re-used before being closed.
# keepalive: 60000
######
## Keyspace options. Set those before running Kong or any migration.
## Those settings will be used to create a keyspace with the desired options
## when first running the migrations.
## See http://docs.datastax.com/en/cql/3.1/cql/cql_reference/create_keyspace_r.html
######
## The name of the replica placement strategy class for the new keyspace.
## Can be "SimpleStrategy" or "NetworkTopologyStrategy".
# replication_strategy: SimpleStrategy
######
## For SimpleStrategy only.
## The number of replicas of data on multiple nodes.
# replication_factor: 1
######
## For NetworkTopologyStrategy only.
## The number of replicas of data on multiple nodes in each data center.
# data_centers:
# dc1: 2
# dc2: 3
######
## If true, will enable client-to-node encryption.
# ssl: false
######
## If true, will verify the SSL certificate in use.
## `ssl_certificate` must be provided.
# ssl_verify: false
######
## **Absolute path** to the certificate authority file for your cluster.
# ssl_certificate: "/path/to/cluster-ca-certificate.pem"
######
## If the cluster as authentication enabled, provide a user and a password here.
# user: cassandra
# password: cassandra
######
## Time (in seconds) for which entities from the database (APIs, plugins configurations...)
## are cached by Kong. Increase this value if you want to lower the number of requests made
## to your database.
# database_cache_expiration: 5
######
## SSL certificates to use.
# ssl_cert_path: /path/to/certificate.pem
# ssl_key_path: /path/to/certificate.key
######
## Sending anonymous error reports helps Kong developers to understand how it performs.
# send_anonymous_reports: true
######
## Size (in MB) of the Lua cache. This value may not be smaller than 32MB.
# memory_cache_size: 128
######
## The nginx configuration file which allows Kong to run.
## The placeholders will be computed and this property will be written as a file
## by Kong at `<nginx_working_dir>/nginx.conf` during startup.
## This file can tweaked to some extent, but many directives are necessary for Kong to work.
## /!\ BE CAREFUL
nginx: |
worker_processes auto;
error_log logs/error.log error;
daemon on;
worker_rlimit_nofile {{auto_worker_rlimit_nofile}};
env KONG_CONF;
events {
worker_connections {{auto_worker_connections}};
multi_accept on;
}
http {
resolver {{dns_resolver}} ipv6=off;
charset UTF-8;
access_log logs/access.log;
access_log off;
# Timeouts
keepalive_timeout 60s;
client_header_timeout 60s;
client_body_timeout 60s;
send_timeout 60s;
# Proxy Settings
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_ssl_server_name on;
# IP Address
real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;
real_ip_recursive on;
# Other Settings
client_max_body_size 0;
underscores_in_headers on;
reset_timedout_connection on;
tcp_nopush on;
################################################
# The following code is required to run Kong #
# Please be careful if you'd like to change it #
################################################
# Lua Settings
lua_package_path ';;';
lua_code_cache on;
lua_max_running_timers 4096;
lua_max_pending_timers 16384;
lua_shared_dict locks 100k;
lua_shared_dict cache {{memory_cache_size}}m;
lua_socket_log_errors off;
{{lua_ssl_trusted_certificate}}
init_by_lua '
kong = require "kong"
local status, err = pcall(kong.init)
if not status then
ngx.log(ngx.ERR, "Startup error: "..err)
os.exit(1)
end
';
init_worker_by_lua 'kong.exec_plugins_init_worker()';
server {
server_name _;
listen {{proxy_port}};
listen {{proxy_ssl_port}} ssl;
ssl_certificate_by_lua 'kong.exec_plugins_certificate()';
ssl_certificate {{ssl_cert}};
ssl_certificate_key {{ssl_key}};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;# omit SSLv3 because of POODLE (CVE-2014-3566)
location / {
default_type 'text/plain';
# These properties will be used later by proxy_pass
set $backend_host nil;
set $backend_url nil;
# Authenticate the user and load the API info
access_by_lua 'kong.exec_plugins_access()';
# Proxy the request
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $backend_host;
proxy_pass $backend_url;
proxy_pass_header Server;
# Add additional response headers
header_filter_by_lua 'kong.exec_plugins_header_filter()';
# Change the response body
body_filter_by_lua 'kong.exec_plugins_body_filter()';
# Log the request
log_by_lua 'kong.exec_plugins_log()';
}
location /robots.txt {
return 200 'User-agent: *\nDisallow: /';
}
error_page 500 /500.html;
location = /500.html {
internal;
content_by_lua '
local responses = require "kong.tools.responses"
responses.send_HTTP_INTERNAL_SERVER_ERROR("An unexpected error occurred")
';
}
}
server {
listen {{admin_api_port}};
location / {
default_type application/json;
content_by_lua '
ngx.header["Access-Control-Allow-Origin"] = "*"
if ngx.req.get_method() == "OPTIONS" then
ngx.header["Access-Control-Allow-Methods"] = "GET,HEAD,PUT,PATCH,POST,DELETE"
ngx.header["Access-Control-Allow-Headers"] = "Content-Type"
ngx.exit(204)
end
local lapis = require "lapis"
lapis.serve("kong.api.app")
';
}
location /nginx_status {
internal;
access_log off;
stub_status;
}
location /robots.txt {
return 200 'User-agent: *\nDisallow: /';
}
# Do not remove, additional configuration placeholder for some plugins
# {{additional_configuration}}
}
}