######
## Kong configuration file. All commented values are default values.
## Uncomment and update a value to configure Kong to your needs.
##
## Lines starting with `##` are comments.
## Lines starting with `#` are properties that can be updated.
## Beware of YAML formatting for nested properties.
######
## Additional plugins that this node needs to load.
## If you want to load custom plugins that are not supported by Kong, uncomment and update
## this property with the names of the plugins to load.
## Plugins will be loaded from the kong.plugins.{name}.* namespace.
# custom_plugins:
# - hello_world
# - custom_plugin2
# - ...
######
## The Kong working directory. Equivalent to nginx's prefix path.
## This is where this running nginx instance will keep server files including logs.
## Make sure it has the appropriate permissions.
# nginx_working_dir: /usr/local/kong/
######
## Address and port on which the server will accept HTTP requests, consumers will make requests on this port.
# proxy_listen: "0.0.0.0:8000"
######
## Same as proxy_listen, but for HTTPS requests.
# proxy_listen_ssl: "0.0.0.0:8443"
######
## Address and port on which the admin API will listen. The admin API is a private API that lets you
## manage your Kong infrastructure. It must be protected from untrusted access.
# admin_api_listen: "0.0.0.0:8001"
######
## Address and port used by the node to communicate with other Kong nodes in the cluster with both UDP and
## TCP messages. All the nodes in the cluster must be able to communicate with this node on this address.
## Only IPv4 addresses are allowed (no hostnames).
# cluster_listen: "0.0.0.0:7946"
######
## Address and port used by the node to communicate with the local clustering agent (TCP only, and local only).
## Used internally by this Kong node. Only IPv4 addresses are allowed (no hostnames).
# cluster_listen_rpc: "127.0.0.1:7373"
######
## The path to the SSL certificate and key that Kong will use when listening on the `https` port.
# ssl_cert_path: /path/to/certificate.pem
# ssl_key_path: /path/to/certificate.key
######
## Specify which of the DNS resolvers defined in the `dns_resolvers_available` property Kong should use.
## Options are: "dnsmasq" (dnsmasq must be installed) or "server".
# dns_resolver: dnsmasq
######
## A dictionary of DNS resolvers Kong can use, and their respective properties.
## Currently `dnsmasq` (default, http://www.thekelleys.org.uk/dnsmasq/doc.html) and `server` are supported.
## By choosing `dnsmasq`, Kong will resolve hostnames using the local `/etc/hosts` file and `resolv.conf`
## configuration. By choosing `server`, you can specify a custom DNS server.
# dns_resolvers_available:
# server:
# address: "8.8.8.8:53"
# dnsmasq:
# port: 8053
######
## Cluster settings between Kong nodes.
## For more information take a look at the Clustering Reference: https://getkong.org/docs/latest/clustering/
# cluster:
######
## Address and port used by the node to communicate with other Kong nodes in the cluster with both UDP and
## TCP messages. All the nodes in the cluster must be able to communicate with this node on this address.
## Only IPv4 addresses are allowed (no hostnames).
## The advertise flag is used to change the address that we advertise to other nodes in the
## cluster. By default, the cluster_listen address is advertised. If the cluster_listen host is "0.0.0.0",
## then the first local, non-loopback, IPv4 address will be advertised to the other nodes. However, in some
## cases (specifically NAT traversal), there may be a routable address that cannot be bound to. This flag
## enables gossiping a different address to support this.
# advertise: ""
######
## Key for encrypting network traffic within Kong. Must be a base64-encoded 16-byte key.
# encrypt: "foo"
######
## Specify which database to use. Only "cassandra" is currently available.
# database: cassandra
######
## Cassandra configuration (keyspace, authentication, client-to-node encryption)
# cassandra:
######
## Contact points to your Cassandra cluster.
# contact_points:
# - "127.0.0.1:9042"
# port: 9042
######
## Name of the keyspace used by Kong. Will be created if it does not exist.
# keyspace: kong
#####
## Connection and reading timeout (in ms).
# timeout: 5000
######
## Keyspace options. Set those before running Kong or any migration.
## Those settings will be used to create a keyspace with the desired options
## when first running the migrations.
## See http://docs.datastax.com/en/cql/3.1/cql/cql_reference/create_keyspace_r.html
######
## The name of the replica placement strategy class for the keyspace.
## Can be "SimpleStrategy" or "NetworkTopologyStrategy".
# replication_strategy: SimpleStrategy
######
## For SimpleStrategy only.
## The number of replicas of data on multiple nodes.
# replication_factor: 1
######
## For NetworkTopologyStrategy only.
## The number of replicas of data on multiple nodes in each data center.
# data_centers:
# dc1: 2
# dc2: 3
#####
## Client-to-node TLS options.
## `enabled`: if true, will connect to your Cassandra instance using TLS.
## `verify`: if true, will verify the server certificate using the given CA file.
## `certificate_authority`: an absolute path to the trusted CA certificate in PEM format used to verify the server certificate.
## For additional SSL settings, see the ngx_lua `lua_ssl_*` directives.
# ssl:
# enabled: false
# verify: false
# certificate_authority: "/path/to/cluster-ca-certificate.pem"
######
## Cluster authentication options. Provide a user and a password here if your cluster uses the
## PasswordAuthenticator scheme.
# username: cassandra
# password: cassandra
######
## Kong will send anonymous reports to Mashape. This helps Mashape fix bugs/errors and improve Kong.
## The default is `true`.
# send_anonymous_reports: true
######
## A value specifying (in MB) the size of the internal preallocated in-memory cache. Kong uses an in-memory
## cache to store database entities in order to optimize access to the underlying datastore. The cache size
## needs to be as big as the size of the entities being used by Kong at any given time. The default value
## is `128`, and the potential maximum value is the total size of the datastore.
## This value may not be smaller than 32MB.
# memory_cache_size: 128
######
## The NGINX configuration (or `nginx.conf`) that will be used for this instance.
## The placeholders will be computed and this property will be written as a file
## by Kong at `<nginx_working_dir>/nginx.conf` during startup.
## This file can be tweaked to some extent, but many directives are necessary for Kong to work.
## /!\ BE CAREFUL
nginx: |
# Template rendered by Kong into <nginx_working_dir>/nginx.conf at startup;
# every {{...}} token is a placeholder substituted from the properties above.
{{user}}
worker_processes auto;
error_log logs/error.log error;
daemon on;
worker_rlimit_nofile {{auto_worker_rlimit_nofile}};
# Environment variables nginx keeps for the Lua code (the rest of the environment is dropped).
env KONG_CONF;
env PATH;
events {
worker_connections {{auto_worker_connections}};
multi_accept on;
}
http {
resolver {{dns_resolver}} ipv6=off;
charset UTF-8;
access_log logs/access.log;
# `off` cancels the access_log directive above for this context, so nginx writes no
# proxy access log; request logging is left to kong.log() in the log_by_lua_block below.
access_log off;
# Timeouts
keepalive_timeout 60s;
client_header_timeout 60s;
client_body_timeout 60s;
send_timeout 60s;
# Proxy Settings
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_ssl_server_name on;
# IP Address
# NOTE(review): 0.0.0.0/0 trusts the X-Forwarded-For header from every peer, so $remote_addr
# (forwarded below as X-Real-IP, and presumably what Kong's logging and IP-based checks see)
# becomes caller-controlled. Restrict set_real_ip_from to the CIDRs of the load balancers
# actually placed in front of Kong.
real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;
real_ip_recursive on;
# Other Settings
# 0 disables nginx's request body size limit on the proxy listener; any cap must be enforced elsewhere.
client_max_body_size 0;
underscores_in_headers on;
reset_timedout_connection on;
tcp_nopush on;
################################################
# The following code is required to run Kong #
# Please be careful if you'd like to change it #
################################################
# Lua Settings
# ';;' stands for the default ngx_lua search path.
lua_package_path ';;';
lua_code_cache on;
lua_max_running_timers 4096;
lua_max_pending_timers 16384;
# Shared dictionaries used across workers: locks for reporting/clustering, the entity cache
# (sized by memory_cache_size), and Cassandra state.
lua_shared_dict reports_locks 100k;
lua_shared_dict cluster_locks 100k;
lua_shared_dict cluster_autojoin_locks 100k;
lua_shared_dict cache {{memory_cache_size}}m;
lua_shared_dict cassandra 1m;
lua_shared_dict cassandra_prepared 5m;
lua_socket_log_errors off;
# Placeholder filled by Kong; presumably expands to the lua_ssl_trusted_certificate directive
# backing the Cassandra client-to-node TLS verification (see cassandra.ssl above) — confirm.
{{lua_ssl_trusted_certificate}}
init_by_lua_block {
-- `kong` is deliberately a global: every *_by_lua_block handler below references it without a require.
kong = require "kong"
kong.init()
}
init_worker_by_lua_block {
kong.init_worker()
}
# Proxy server: the public-facing listener consumers send API traffic to.
server {
server_name _;
listen {{proxy_listen}};
listen {{proxy_listen_ssl}} ssl;
ssl_certificate_by_lua_block {
kong.ssl_certificate()
}
ssl_certificate {{ssl_cert}};
ssl_certificate_key {{ssl_key}};
# NOTE(review): TLSv1 and TLSv1.1 remain enabled here; restrict to TLSv1.2 unless legacy
# clients still require the older versions.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;# omit SSLv3 because of POODLE (CVE-2014-3566)
location / {
default_type 'text/plain';
# These properties will be used later by proxy_pass
# The literal string 'nil' is a placeholder; presumably kong.access() assigns the real
# upstream host/url before proxy_pass runs — confirm.
set $upstream_host nil;
set $upstream_url nil;
# Authenticate the user and load the API info
access_by_lua_block {
kong.access()
}
# Proxy the request
# $proxy_add_x_forwarded_for appends the client address to any incoming X-Forwarded-For chain
# rather than replacing it, so upstreams see the full (caller-supplied) chain.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $upstream_host;
proxy_pass $upstream_url;
# Lets the upstream's own Server header through instead of nginx's.
proxy_pass_header Server;
# Add additional response headers
header_filter_by_lua_block {
kong.header_filter()
}
# Change the response body
body_filter_by_lua_block {
kong.body_filter()
}
# Log the request
log_by_lua_block {
kong.log()
}
}
# Discourage crawlers from indexing anything served through the proxy.
location /robots.txt {
return 200 'User-agent: *\nDisallow: /';
}
# Server-side failures are rendered by Kong's error handler instead of nginx's default page.
error_page 500 502 503 504 /50x;
location = /50x {
# `internal` limits this location to internal redirects; direct client requests get 404.
internal;
content_by_lua_block {
require("kong.core.error_handlers")(ngx)
}
}
}
# Admin API server. No authentication or source-address restriction is configured in this
# block, so {{admin_api_listen}} must only be reachable from trusted hosts/networks.
server {
listen {{admin_api_listen}};
client_max_body_size 10m;
client_body_buffer_size 10m;
location / {
default_type application/json;
content_by_lua_block {
-- Wildcard CORS on the admin API: any web origin can read responses if a browser can reach
-- this listener, which is one more reason to keep it off untrusted networks.
ngx.header["Access-Control-Allow-Origin"] = "*"
if ngx.req.get_method() == "OPTIONS" then
-- CORS preflight: answer with the allowed methods/headers and stop (204, no body).
ngx.header["Access-Control-Allow-Methods"] = "GET,HEAD,PUT,PATCH,POST,DELETE"
ngx.header["Access-Control-Allow-Headers"] = "Content-Type"
ngx.exit(204)
end
local lapis = require "lapis"
lapis.serve "kong.api.app"
}
}
# nginx connection statistics; `internal` keeps it unreachable by direct client requests.
location /nginx_status {
internal;
access_log off;
stub_status;
}
location /robots.txt {
return 200 'User-agent: *\nDisallow: /';
}
}
}