forked from apache/pulsar
-
Notifications
You must be signed in to change notification settings - Fork 0
/
proxy.conf
370 lines (270 loc) · 12.8 KB
/
proxy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
### --- Broker Discovery --- ###
# The metadata store URL
# Examples:
# * zk:my-zk-1:2181,my-zk-2:2181,my-zk-3:2181
# * my-zk-1:2181,my-zk-2:2181,my-zk-3:2181 (will default to ZooKeeper when the schema is not specified)
# * zk:my-zk-1:2181,my-zk-2:2181,my-zk-3:2181/my-chroot-path (to add a ZK chroot path)
metadataStoreUrl=
# The metadata store URL for the configuration data. If empty, we fall back to use metadataStoreUrl
configurationMetadataStoreUrl=
# If Service Discovery is Disabled this url should point to the discovery service provider.
# The URL must begin with pulsar:// for plaintext or with pulsar+ssl:// for TLS.
brokerServiceURL=
brokerServiceURLTLS=
# These settings are unnecessary if `zookeeperServers` is specified
brokerWebServiceURL=
brokerWebServiceURLTLS=
# If function workers are setup in a separate cluster, configure the following 2 settings
# to point to the function workers cluster
functionWorkerWebServiceURL=
functionWorkerWebServiceURLTLS=
# Metadata store session timeout in milliseconds
metadataStoreSessionTimeoutMillis=30000
# Metadata store cache expiry time in seconds
metadataStoreCacheExpirySeconds=300
### --- Server --- ###
# Hostname or IP address the service binds on, default is 0.0.0.0.
bindAddress=0.0.0.0
# Hostname or IP address the service advertises to the outside world.
# If not set, the value of `InetAddress.getLocalHost().getCanonicalHostName()` is used.
advertisedAddress=
# Enable or disable the HAProxy protocol.
haProxyProtocolEnabled=false
# Enables zero-copy transport of data across network interfaces using the splice system call.
# Zero copy mode cannot be used when TLS is enabled or when proxyLogLevel is > 0.
proxyZeroCopyModeEnabled=true
# The port to use for server binary Protobuf requests
servicePort=6650
# The port to use to server binary Protobuf TLS requests
servicePortTls=
# Port that discovery service listen on
webServicePort=8080
# Port to use to server HTTPS request
webServicePortTls=
# Number of threads used for Netty IO. Default is set to `2 * Runtime.getRuntime().availableProcessors()`
numIOThreads=
# Number of threads used for Netty Acceptor. Default is set to `1`
numAcceptorThreads=
### --- TLS config variables --- ###
## Note that some of the above TLS configs also apply to the KeyStore TLS configuration.
# Specify the TLS provider for the broker service:
# When using TLS authentication with CACert, the valid value is either OPENSSL or JDK.
# When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc.
tlsProvider=
# Specify the TLS provider for the web service, available values can be SunJSSE, Conscrypt and etc.
webServiceTlsProvider=Conscrypt
# Enable TLS with KeyStore type configuration in proxy.
tlsEnabledWithKeyStore=false
# TLS KeyStore type configuration in proxy: JKS, PKCS12
tlsKeyStoreType=JKS
# TLS KeyStore path in proxy
tlsKeyStore=
# TLS KeyStore password for proxy
tlsKeyStorePassword=
# TLS TrustStore type configuration in proxy: JKS, PKCS12
tlsTrustStoreType=JKS
# TLS TrustStore path in proxy
tlsTrustStore=
# TLS TrustStore password in proxy, default value is empty password
tlsTrustStorePassword=
# Specify the tls protocols the proxy's web service will use to negotiate during TLS handshake
# (a comma-separated list of protocol names).
# Examples:
# webServiceTlsProtocols=TLSv1.3,TLSv1.2
webServiceTlsProtocols=
# Specify the tls cipher the proxy will use to negotiate during TLS Handshake
# (a comma-separated list of ciphers).
# Examples:
# webServiceTlsCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
webServiceTlsCiphers=
# Allowed broker target ports
brokerProxyAllowedTargetPorts=6650,6651
# Path for the file used to determine the rotation status for the proxy instance when responding
# to service discovery health checks
statusFilePath=
# Proxy log level, default is 0.
# 0: Do not log any tcp channel info
# 1: Parse and log any tcp channel info and command info without message body
# 2: Parse and log channel info, command info and message body
proxyLogLevel=0
### ---Authorization --- ###
# Role names that are treated as "super-users," meaning that they will be able to perform all admin
# operations and publish/consume to/from all topics (as a comma-separated list)
superUserRoles=
# Whether authorization is enforced by the Pulsar proxy
authorizationEnabled=false
# Authorization provider as a fully qualified class name
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
# Whether client authorization credentials are forwared to the broker for re-authorization.
# Authentication must be enabled via authenticationEnabled=true for this to take effect.
forwardAuthorizationCredentials=false
### --- Authentication --- ###
# Whether authentication is enabled for the Pulsar proxy
authenticationEnabled=false
# Authentication provider name list (a comma-separated list of class names)
authenticationProviders=
# When this parameter is not empty, unauthenticated users perform as anonymousUserRole
anonymousUserRole=
### --- Client Authentication --- ###
# The three brokerClient* authentication settings below are for the proxy itself and determine how it
# authenticates with Pulsar brokers
# The authentication plugin used by the Pulsar proxy to authenticate with Pulsar brokers
brokerClientAuthenticationPlugin=
# The authentication parameters used by the Pulsar proxy to authenticate with Pulsar brokers
brokerClientAuthenticationParameters=
# The path to trusted certificates used by the Pulsar proxy to authenticate with Pulsar brokers
brokerClientTrustCertsFilePath=
# Whether TLS is enabled when communicating with Pulsar brokers
tlsEnabledWithBroker=false
# Tls cert refresh duration in seconds (set 0 to check on every new connection)
tlsCertRefreshCheckDurationSec=300
# You can add extra configuration options for the Pulsar Client
# by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration
# and before the above brokerClient configurations named above.
##### --- Rate Limiting --- #####
# Max concurrent inbound connections. The proxy will reject requests beyond that.
maxConcurrentInboundConnections=10000
# Max concurrent inbound connections per IP, The proxy will reject requests beyond that.
maxConcurrentInboundConnectionsPerIp=0
# Max concurrent outbound connections. The proxy will error out requests beyond that.
maxConcurrentLookupRequests=50000
##### --- TLS --- #####
# Deprecated - use servicePortTls and webServicePortTls instead
tlsEnabledInProxy=false
# Path for the TLS certificate file
tlsCertificateFilePath=
# Path for the TLS private key file
tlsKeyFilePath=
# Path for the trusted TLS certificate file.
# This cert is used to verify that any certs presented by connecting clients
# are signed by a certificate authority. If this verification
# fails, then the certs are untrusted and the connections are dropped.
tlsTrustCertsFilePath=
# Accept untrusted TLS certificate from client.
# If true, a client with a cert which cannot be verified with the
# 'tlsTrustCertsFilePath' cert will allowed to connect to the server,
# though the cert will not be used for client authentication.
tlsAllowInsecureConnection=false
# Whether the hostname is validated when the proxy creates a TLS connection with brokers
tlsHostnameVerificationEnabled=false
# Specify the tls protocols the broker will use to negotiate during TLS handshake
# (a comma-separated list of protocol names).
# Examples:
# tlsProtocols=TLSv1.3,TLSv1.2
tlsProtocols=
# Specify the tls cipher the broker will use to negotiate during TLS Handshake
# (a comma-separated list of ciphers).
# Examples:
# tlsCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
tlsCiphers=
# Whether client certificates are required for TLS. Connections are rejected if the client
# certificate isn't trusted.
tlsRequireTrustedClientCertOnConnect=false
##### --- HTTP --- #####
# Http directs to redirect to non-pulsar services.
httpReverseProxyConfigs=
# Http output buffer size. The amount of data that will be buffered for http requests
# before it is flushed to the channel. A larger buffer size may result in higher http throughput
# though it may take longer for the client to see data.
# If using HTTP streaming via the reverse proxy, this should be set to the minimum value, 1,
# so that clients see the data as soon as possible.
httpOutputBufferSize=32768
# Number of threads to use for HTTP requests processing. Default is
# 2 * Runtime.getRuntime().availableProcessors()
httpNumThreads=
# Enable the enforcement of limits on the incoming HTTP requests
httpRequestsLimitEnabled=false
# Max HTTP requests per seconds allowed. The excess of requests will be rejected with HTTP code 429 (Too many requests)
httpRequestsMaxPerSecond=100.0
# Capacity for thread pool queue in the HTTP server
httpServerThreadPoolQueueSize=8192
# Capacity for accept queue in the HTTP server
httpServerAcceptQueueSize=8192
# Maximum number of inbound http connections. (0 to disable limiting)
maxHttpServerConnections=2048
# Max concurrent web requests
maxConcurrentHttpRequests=1024
## Configure the datasource of basic authenticate, supports the file and Base64 format.
# file:
# basicAuthConf=/path/my/.htpasswd
# use Base64 to encode the contents of .htpasswd:
# basicAuthConf=YOUR-BASE64-DATA
basicAuthConf=
### --- Token Authentication Provider --- ###
## Symmetric key
# Configure the secret key to be used to validate auth tokens
# The key can be specified like:
# tokenSecretKey=data:;base64,xxxxxxxxx
# tokenSecretKey=file:///my/secret.key ( Note: key file must be DER-encoded )
tokenSecretKey=
## Asymmetric public/private key pair
# Configure the public key to be used to validate auth tokens
# The key can be specified like:
# tokenPublicKey=data:;base64,xxxxxxxxx
# tokenPublicKey=file:///my/public.key ( Note: key file must be DER-encoded )
tokenPublicKey=
# The token "claim" that will be interpreted as the authentication "role" or "principal" by AuthenticationProviderToken (defaults to "sub" if blank)
tokenAuthClaim=
# The token audience "claim" name, e.g. "aud", that will be used to get the audience from token.
# If not set, audience will not be verified.
tokenAudienceClaim=
# The token audience stands for this broker. The field `tokenAudienceClaim` of a valid token, need contains this.
tokenAudience=
### --- SASL Authentication Provider --- ###
# This is a regexp, which limits the range of possible ids which can connect to the Broker using SASL.
# Default value: `SaslConstants.JAAS_CLIENT_ALLOWED_IDS_DEFAULT`, which is ".*pulsar.*",
# so only clients whose id contains 'pulsar' are allowed to connect.
saslJaasClientAllowedIds=.*pulsar.*
# Service Principal, for login context name.
# Default value `SaslConstants.JAAS_DEFAULT_PROXY_SECTION_NAME`, which is "PulsarProxy".
saslJaasServerSectionName=PulsarProxy
# Path to file containing the secret to be used to SaslRoleTokenSigner
# The Path can be specified like:
# saslJaasServerRoleTokenSignerSecretPath=file:///my/saslRoleTokenSignerSecret.key
saslJaasServerRoleTokenSignerSecretPath=
### --- WebSocket config variables --- ###
# Enable or disable the WebSocket servlet.
webSocketServiceEnabled=false
# Name of the cluster to which this broker belongs to
clusterName=
### --- Proxy Extensions
# List of proxy extensions to load, which is a list of extension names
#proxyExtensions=
# The directory to locate extensions
#proxyExtensionsDirectory=
### --- Deprecated config variables --- ###
# Deprecated. Use configurationStoreServers
globalZookeeperServers=
# The ZooKeeper quorum connection string (as a comma-separated list)
zookeeperServers=
# Configuration store connection string (as a comma-separated list)
configurationStoreServers=
# ZooKeeper session timeout (in milliseconds)
# Deprecated: use metadataStoreSessionTimeoutMillis
zookeeperSessionTimeoutMs=-1
# ZooKeeper cache expiry time in seconds
# Deprecated: use metadataStoreCacheExpirySeconds
zooKeeperCacheExpirySeconds=-1
### --- Metrics --- ###
# Whether the '/metrics' endpoint requires authentication. Defaults to true
authenticateMetricsEndpoint=true
# Enable cache metrics data, default value is false
metricsBufferResponse=false