diff --git a/roles/kong/files/kong-3.1.1.conf b/roles/kong/files/kong-3.1.1.conf new file mode 100644 index 00000000..1dda4be8 --- /dev/null +++ b/roles/kong/files/kong-3.1.1.conf @@ -0,0 +1,958 @@ +# ----------------------- +# Kong configuration file +# ----------------------- +# +# The commented-out settings shown in this file represent the default values. +# +# This file is read when `kong start` or `kong prepare` are used. Kong +# generates the Nginx configuration with the settings specified in this file. +# +# All environment variables prefixed with `KONG_` and capitalized will override +# the settings specified in this file. +# Example: +# `log_level` setting -> `KONG_LOG_LEVEL` env variable +# +# Boolean values can be specified as `on`/`off` or `true`/`false`. +# Lists must be specified as comma-separated strings. +# +# All comments in this file can be removed safely, including the +# commented-out properties. +# You can verify the integrity of your settings with `kong check `. + +###GNM specific settings + +anonymous_reports = off # Send anonymous usage data such as error +proxy_listen = 0.0.0.0:8000 +admin_listen = 127.0.0.1:8101 +mem_cache_size = 256m # Size of the in-memory cache for database +pg_host = POSTGRES_HOST # The PostgreSQL host to connect to. This value is over-written on instance startup with the correct value. +pg_user = POSTGRES_USERNAME # The username to authenticate if required. This value is over-written on instance startup with the correct value. +pg_password = POSTGRES_PASSWORD # The password to authenticate if required. This value is over-written on instance startup with the correct value. + +###Everything below here is kept for reference; there are no active settings there. +###Pre-2.1 versions of Kong are considered "archive" and docs are now hard to come by. (we'll be upgrading shortly!) + +#------------------------------------------------------------------------------ +# GENERAL +#------------------------------------------------------------------------------ + +#prefix = /usr/local/kong/ # Working directory. Equivalent to Nginx's + # prefix path, containing temporary files + # and logs. + # Each Kong process must have a separate + # working directory. + +#log_level = notice # Log level of the Nginx server. Logs are + # found at `/logs/error.log`. + +# See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list +# of accepted values. + +#proxy_access_log = logs/access.log # Path for proxy port request access + # logs. Set this value to `off` to + # disable logging proxy requests. + # If this value is a relative path, + # it will be placed under the + # `prefix` location. + +#proxy_error_log = logs/error.log # Path for proxy port request error + # logs. The granularity of these logs + # is adjusted by the `log_level` + # property. + +#admin_access_log = logs/admin_access.log # Path for Admin API request access + # logs. Set this value to `off` to + # disable logging Admin API requests. + # If this value is a relative path, + # it will be placed under the + # `prefix` location. + +#admin_error_log = logs/error.log # Path for Admin API request error + # logs. The granularity of these logs + # is adjusted by the `log_level` + # property. + +#status_access_log = off # Path for Status API request access + # logs. The default value of `off` + # implies that loggin for this API + # is disabled by default. + # If this value is a relative path, + # it will be placed under the + # `prefix` location. + +#status_error_log = logs/status_error.log # Path for Status API request error + # logs. The granularity of these logs + # is adjusted by the `log_level` + # property. + +#plugins = bundled # Comma-separated list of plugins this node + # should load. By default, only plugins + # bundled in official distributions are + # loaded via the `bundled` keyword. + # + # Loading a plugin does not enable it by + # default, but only instructs Kong to load its + # source code, and allows to configure the + # plugin via the various related Admin API + # endpoints. + # + # The specified name(s) will be substituted as + # such in the Lua namespace: + # `kong.plugins.{name}.*`. + # + # When the `off` keyword is specified as the + # only value, no plugins will be loaded. + # + # `bundled` and plugin names can be mixed + # together, as the following examples suggest: + # + # - `plugins = bundled,custom-auth,custom-log` + # will include the bundled plugins plus two + # custom ones + # - `plugins = custom-auth,custom-log` will + # *only* include the `custom-auth` and + # `custom-log` plugins. + # - `plugins = off` will not include any + # plugins + # + # **Note:** Kong will not start if some + # plugins were previously configured (i.e. + # have rows in the database) and are not + # specified in this list. Before disabling a + # plugin, ensure all instances of it are + # removed before restarting Kong. + # + # **Note:** Limiting the amount of available + # plugins can improve P99 latency when + # experiencing LRU churning in the database + # cache (i.e. when the configured + # `mem_cache_size`) is full. + +#service_mesh = off # When `on`, enable the built-in Service Mesh + # support of Kong. + # + # **Note:** Enabling service mesh causes + # upstream requests to HTTPS services to + # behave incorrectly. Service Mesh has been + # deprecated and will be removed in the next + # release of Kong. + +#------------------------------------------------------------------------------ +# NGINX +#------------------------------------------------------------------------------ + +#proxy_listen = + # Comma-separated list of addresses and ports on + # which the proxy server should listen for + # HTTP/HTTPS traffic. + # The proxy server is the public entry point of Kong, + # which proxies traffic from your consumers to your + # backend services. This value accepts IPv4, IPv6, and + # hostnames. + # + # Some suffixes can be specified for each pair: + # + # - `ssl` will require that all connections made + # through a particular address/port be made with TLS + # enabled. + # - `http2` will allow for clients to open HTTP/2 + # connections to Kong's proxy server. + # - `proxy_protocol` will enable usage of the + # PROXY protocol for a given address/port. + # - `transparent` will cause kong to listen to, and + # respond from, any and all IP addresses and ports + # you configure in iptables. + # - `deferred` instructs to use a deferred accept on + # Linux (the TCP_DEFER_ACCEPT socket option). + # - `bind` instructs to make a separate bind() call + # for a given address:port pair. + # - `reuseport` instructs to create an individual + # listening socket for each worker process + # allowing a kernel to distribute incoming + # connections between worker processes + # + # This value can be set to `off`, thus disabling + # the HTTP/HTTPS proxy port for this node. + # If stream_listen is also set to `off`, this enables + # 'control-plane' mode for this node + # (in which all traffic proxying capabilities are + # disabled). This node can then be used only to + # configure a cluster of Kong + # nodes connected to the same datastore. + # + # Example: + # `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl` + # + # See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen + # for a description of the accepted formats for this + # and other `*_listen` values. + # + # See https://www.nginx.com/resources/admin-guide/proxy-protocol/ + # for more details about the `proxy_protocol` + # parameter. + # + # Not all `*_listen` values accept all formats + # specified in nginx's documentation. + +#stream_listen = off + # Comma-separated list of addresses and ports on + # which the stream mode should listen. + # + # This value accepts IPv4, IPv6, and hostnames. + # Some suffixes can be specified for each pair: + # - `proxy_protocol` will enable usage of the + # PROXY protocol for a given address/port. + # - `transparent` will cause kong to listen to, and + # respond from, any and all IP addresses and ports + # you configure in iptables. + # - `bind` instructs to make a separate bind() call + # for a given address:port pair. + # - `reuseport` instructs to create an individual + # listening socket for each worker process + # allowing a kernel to distribute incoming + # connections between worker processes + # + # **Note:** The `ssl` suffix is not supported, + # and each address/port will accept TCP with or + # without TLS enabled. + # + # Examples: + # + # ``` + # stream_listen = 127.0.0.1:7000 + # stream_listen = 0.0.0.0:989, 0.0.0.0:20 + # stream_listen = [::1]:1234 + # ``` + # + # By default this value is set to `off`, thus + # disabling the stream proxy port for this node. + +# See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen +# for a description of the formats that Kong might accept in stream_listen. + +# admin_listen = + # Comma-separated list of addresses and ports on + # which the Admin interface should listen. + # The Admin interface is the API allowing you to + # configure and manage Kong. + # Access to this interface should be *restricted* + # to Kong administrators *only*. This value accepts + # IPv4, IPv6, and hostnames. + # + # Some suffixes can be specified for each pair: + # + # - `ssl` will require that all connections made + # through a particular address/port be made with TLS + # enabled. + # - `http2` will allow for clients to open HTTP/2 + # connections to Kong's proxy server. + # - `proxy_protocol` will enable usage of the + # PROXY protocol for a given address/port. + # - `transparent` will cause kong to listen to, and + # respond from, any and all IP addresses and ports + # you configure in iptables. + # - `deferred` instructs to use a deferred accept on + # Linux (the TCP_DEFER_ACCEPT socket option). + # - `bind` instructs to make a separate bind() call + # for a given address:port pair. + # - `reuseport` instructs to create an individual + # listening socket for each worker process + # allowing a kernel to distribute incoming + # connections between worker processes + # + # This value can be set to `off`, thus disabling + # the Admin interface for this node, enabling a + # 'data-plane' mode (without configuration + # capabilities) pulling its configuration changes + # from the database. + # + # Example: `admin_listen = 127.0.0.1:8444 http2 ssl` + + #status_listen = off # Comma-separated list of addresses and ports on + # which the Status API should listen. + # The Status API is a read-only endpoint + # allowing monitoring tools to retrieve metrics, + # healthiness, and other non-sensitive information + # of the current Kong node. + # + # This value can be set to `off`, disabling + # the Status API for this node. + # + # Example: `status_listen = 0.0.0.0:8100` + + +#nginx_user = nobody nobody # Defines user and group credentials used by + # worker processes. If group is omitted, a + # group whose name equals that of user is + # used. + # + # Example: `nginx_user = nginx www` + +#nginx_worker_processes = auto # Determines the number of worker processes + # spawned by Nginx. + # + # See http://nginx.org/en/docs/ngx_core_module.html#worker_processes + # for detailed usage of the equivalent Nginx + # directive and a description of accepted + # values. + +#nginx_daemon = on # Determines whether Nginx will run as a daemon + # or as a foreground process. Mainly useful + # for development or when running Kong inside + # a Docker environment. + # + # See http://nginx.org/en/docs/ngx_core_module.html#daemon. + +#mem_cache_size = # Size of the in-memory cache for database + # entities. The accepted units are `k` and + # `m`, with a minimum recommended value of + # a few MBs. + +#ssl_cipher_suite = modern # Defines the TLS ciphers served by Nginx. + # Accepted values are `modern`, + # `intermediate`, `old`, or `custom`. + # + # See https://wiki.mozilla.org/Security/Server_Side_TLS + # for detailed descriptions of each cipher + # suite. + +#ssl_ciphers = # Defines a custom list of TLS ciphers to be + # served by Nginx. This list must conform to + # the pattern defined by `openssl ciphers`. + # This value is ignored if `ssl_cipher_suite` + # is not `custom`. + +#ssl_cert = # The absolute path to the SSL certificate for + # `proxy_listen` values with SSL enabled. + +#ssl_cert_key = # The absolute path to the SSL key for + # `proxy_listen` values with SSL enabled. + +#client_ssl = off # Determines if Nginx should send client-side + # SSL certificates when proxying requests. + +#client_ssl_cert = # If `client_ssl` is enabled, the absolute + # path to the client SSL certificate for the + # `proxy_ssl_certificate` directive. Note that + # this value is statically defined on the + # node, and currently cannot be configured on + # a per-API basis. + +#client_ssl_cert_key = # If `client_ssl` is enabled, the absolute + # path to the client SSL key for the + # `proxy_ssl_certificate_key` address. Note + # this value is statically defined on the + # node, and currently cannot be configured on + # a per-API basis. + +#admin_ssl_cert = # The absolute path to the SSL certificate for + # `admin_listen` values with SSL enabled. + +#admin_ssl_cert_key = # The absolute path to the SSL key for + # `admin_listen` values with SSL enabled. + +#headers = server_tokens, latency_tokens + # Comma-separated list of headers Kong should + # inject in client responses. + # + # Accepted values are: + # - `Server`: Injects `Server: kong/x.y.z` + # on Kong-produced response (e.g. Admin + # API, rejected requests from auth plugin). + # - `Via`: Injects `Via: kong/x.y.z` for + # successfully proxied requests. + # - `X-Kong-Proxy-Latency`: Time taken + # (in milliseconds) by Kong to process + # a request and run all plugins before + # proxying the request upstream. + # - `X-Kong-Response-Latency`: time taken + # (in millisecond) by Kong to produce + # a response in case of e.g. plugin + # short-circuiting the request, or in + # in case of an error. + # - `X-Kong-Upstream-Latency`: Time taken + # (in milliseconds) by the upstream + # service to send response headers. + # - `X-Kong-Admin-Latency`: Time taken + # (in milliseconds) by Kong to process + # an Admin API request. + # - `X-Kong-Upstream-Status`: The HTTP status + # code returned by the upstream service. + # This is particularly useful for clients to + # distinguish upstream statuses if the + # response is rewritten by a plugin. + # - `server_tokens`: Same as specifying both + # `Server` and `Via`. + # - `latency_tokens`: Same as specifying + # `X-Kong-Proxy-Latency`, + # `X-Kong-Response-Latency`, + # `X-Kong-Admin-Latency` and + # `X-Kong-Upstream-Latency` + # + # In addition to those, this value can be set + # to `off`, which prevents Kong from injecting + # any of the above headers. Note that this + # does not prevent plugins from injecting + # headers of their own. + # + # Example: `headers = via, latency_tokens` + +#trusted_ips = # Defines trusted IP addresses blocks that are + # known to send correct `X-Forwarded-*` + # headers. + # Requests from trusted IPs make Kong forward + # their `X-Forwarded-*` headers upstream. + # Non-trusted requests make Kong insert its + # own `X-Forwarded-*` headers. + # + # This property also sets the + # `set_real_ip_from` directive(s) in the Nginx + # configuration. It accepts the same type of + # values (CIDR blocks) but as a + # comma-separated list. + # + # To trust *all* /!\ IPs, set this value to + # `0.0.0.0/0,::/0`. + # + # If the special value `unix:` is specified, + # all UNIX-domain sockets will be trusted. + # + # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from + # for examples of accepted values. + +#real_ip_header = X-Real-IP # Defines the request header field whose value + # will be used to replace the client address. + # This value sets the `ngx_http_realip_module` + # directive of the same name in the Nginx + # configuration. + # + # If this value receives `proxy_protocol`: + # + # - at least one of the `proxy_listen` entries + # must have the `proxy_protocol` flag + # enabled. + # - the `proxy_protocol` parameter will be + # appended to the `listen` directive of the + # Nginx template. + # + # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header + # for a description of this directive. + +#real_ip_recursive = off # This value sets the `ngx_http_realip_module` + # directive of the same name in the Nginx + # configuration. + # + # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive + # for a description of this directive. + +#client_max_body_size = 0 # Defines the maximum request body size allowed + # by requests proxied by Kong, specified in + # the Content-Length request header. If a + # request exceeds this limit, Kong will + # respond with a 413 (Request Entity Too + # Large). Setting this value to 0 disables + # checking the request body size. + +# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size +# for further description of this parameter. Numeric values may be suffixed +# with `k` or `m` to denote limits in terms of kilobytes or megabytes. + +#client_body_buffer_size = 8k # Defines the buffer size for reading the + # request body. If the client request body is + # larger than this value, the body will be + # buffered to disk. Note that when the body is + # buffered to disk Kong plugins that access or + # manipulate the request body may not work, so + # it is advisable to set this value as high as + # possible (e.g., set it as high as + # `client_max_body_size` to force request + # bodies to be kept in memory). Do note that + # high-concurrency environments will require + # significant memory allocations to process + # many concurrent large request bodies. + +# See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size +# for further description of this parameter. Numeric values may be suffixed +# with `k` or `m` to denote limits in terms of kilobytes or megabytes. + +#error_default_type = text/plain # Default MIME type to use when the request + # `Accept` header is missing and Nginx + # is returning an error for the request. + # Accepted values are `text/plain`, + # `text/html`, `application/json`, and + # `application/xml`. + +#------------------------------------------------------------------------------ +# NGINX injected directives +#------------------------------------------------------------------------------ + +# Nginx directives can be dynamically injected in the runtime nginx.conf file +# without requiring a custom Nginx configuration template. +# +# All configuration properties respecting the naming scheme +# `nginx__` will result in `` being injected in +# the Nginx configuration block corresponding to the property's ``. +# Example: +# `nginx_proxy_large_client_header_buffers = 8 24k` +# +# Will inject the following directive in Kong's proxy `server {}` block: +# +# `large_client_header_buffers 8 24k;` +# +# The following namespaces are supported: +# +# - `nginx_http_`: Injects `` in Kong's `http {}` block. +# - `nginx_proxy_`: Injects `` in Kong's proxy +# `server {}` block. +# - `nginx_http_upstream_`: Injects `` in Kong's proxy +# `upstream {}` block. +# - `nginx_admin_`: Injects `` in Kong's Admin API +# `server {}` block. +# - `nginx_stream_`: Injects `` in Kong's stream module +# `stream {}` block (only effective if `stream_listen` is enabled). +# - `nginx_sproxy_`: Injects `` in Kong's stream module +# `server {}` block (only effective if `stream_listen` is enabled). +# +# As with other configuration properties, Nginx directives can be injected via +# environment variables when capitalized and prefixed with `KONG_`. +# Example: +# `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols` +# +# Will inject the following directive in Kong's `http {}` block: +# +# `ssl_protocols ;` +# +# If different sets of protocols are desired between the proxy and Admin API +# server, you may specify `nginx_proxy_ssl_protocols` and/or +# `nginx_admin_ssl_protocols`, both of which taking precedence over the +# `http {}` block. + +#nginx_http_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 + # Enables the specified protocols for + # client-side connections. The set of + # supported protocol versions also depends + # on the version of OpenSSL Kong was built + # with. + # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols + +#nginx_http_upstream_keepalive = 60 + # Sets the maximum number of idle keepalive + # connections to upstream servers that are + # preserved in the cache of each worker + # process. When this number is exceeded, the + # least recently used connections are closed. + # A value of `NONE` will disable this behavior + # altogether, forcing each upstream request + # to open a new connection. + # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive + +#nginx_http_upstream_keepalive_requests = 100 + # Sets the maximum number of requests that can + # be served through one keepalive connection. + # After the maximum number of requests is + # made, the connection is closed. + # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests + +#nginx_http_upstream_keepalive_timeout = 60s + # Sets a timeout during which an idle + # keepalive connection to an upstream server + # will stay open. + # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout + +#------------------------------------------------------------------------------ +# DATASTORE +#------------------------------------------------------------------------------ + +# Kong can run with a database to store coordinated data between Kong nodes in +# a cluster, or without a database, where each node stores its information +# independently in memory. +# +# When using a database, Kong will store data for all its entities (such as +# Routes, Services, Consumers, and Plugins) in either Cassandra or PostgreSQL, +# and all Kong nodes belonging to the same cluster must connect themselves +# to the same database. +# +# Kong supports the following database versions: +# - **PostgreSQL**: 9.5 and above. +# - **Cassandra**: 2.2 and above. +# +# When not using a database, Kong is said to be in "DB-less mode": it will keep +# its entities in memory, and each node needs to have this data entered via a +# declarative configuration file, which can be specified through the +# `declarative_config` property, or via the Admin API using the `/config` +# endpoint. + +#database = postgres # Determines which of PostgreSQL or Cassandra + # this node will use as its datastore. + # Accepted values are `postgres`, + # `cassandra`, and `off`. + +#pg_host = # The PostgreSQL host to connect to. +#pg_port = 5432 # The port to connect to. +#pg_user = # The username to authenticate if required. +#pg_password = # The password to authenticate if required. +#pg_database = kong # The database name to connect to. + +#pg_timeout = 5000 # Defines the timeout (in ms), for connecting, + # reading and writing. + +#pg_schema = # The database schema to use. If unspecified, + # Kong will respect the `search_path` value of + # your PostgreSQL instance. + +#pg_ssl = off # Toggles client-server TLS connections + # between Kong and PostgreSQL. + +#pg_ssl_verify = off # Toggles server certificate verification if + # `pg_ssl` is enabled. + # See the `lua_ssl_trusted_certificate` + # setting to specify a certificate authority. + +#pg_max_concurrent_queries = 0 # Sets the maximum number of concurrent queries + # that can be executing at any given time. This + # limit is enforced per worker process; the + # total number of concurrent queries for this + # node will be will be: + # `pg_max_concurrent_queries * nginx_worker_processes`. + # + # The default value of 0 removes this + # concurrency limitation. + +#pg_semaphore_timeout = 60000 # Defines the timeout (in ms) after which + # PostgreSQL query semaphore resource + # acquisition attempts will fail. Such + # failures will generally result in the + # associated proxy or Admin API request + # failing with an HTTP 500 status code. + # Detailed discussion of this behavior is + # available in the online documentation. + +#cassandra_contact_points = 127.0.0.1 # A comma-separated list of contact + # points to your cluster. + # You may specify IP addresses or + # hostnames. Note that the port + # component of SRV records will be + # ignored in favor of `cassandra_port`. + # When connecting to a multi-DC cluster, + # ensure that contact points from the + # local datacenter are specified first + # in this list. + +#cassandra_port = 9042 # The port on which your nodes are listening + # on. All your nodes and contact points must + # listen on the same port. Will be created if + # it doesn't exist. + +#cassandra_keyspace = kong # The keyspace to use in your cluster. + +#cassandra_consistency = ONE # Consistency setting to use when reading/ + # writing to the Cassandra cluster. + # +#cassandra_timeout = 5000 # Defines the timeout (in ms) for reading + # and writing. + +#cassandra_ssl = off # Toggles client-to-node TLS connections + # between Kong and Cassandra. + +#cassandra_ssl_verify = off # Toggles server certificate verification if + # `cassandra_ssl` is enabled. + # See the `lua_ssl_trusted_certificate` + # setting to specify a certificate authority. + +#cassandra_username = kong # Username when using the + # `PasswordAuthenticator` scheme. + +#cassandra_password = # Password when using the + # `PasswordAuthenticator` scheme. + +#cassandra_lb_policy = RequestRoundRobin # Load balancing policy to use when + # distributing queries across your + # Cassandra cluster. + # Accepted values are: + # `RoundRobin`, `RequestRoundRobin`, + # `DCAwareRoundRobin`, and + # `RequestDCAwareRoundRobin`. + # Policies prefixed with "Request" + # make efficient use of established + # connections throughout the same + # request. + # Prefer "DCAware" policies if and + # only if you are using a + # multi-datacenter cluster. + +#cassandra_local_datacenter = # When using the `DCAwareRoundRobin` + # or `RequestDCAwareRoundRobin` load + # balancing policy, you must specify the name + # of the local (closest) datacenter for this + # Kong node. + +#cassandra_refresh_frequency = 60 # Frequency (in seconds) at which + # the cluster topology will be + # checked for new or decommissioned + # nodes. + # A value of `0` will disable this + # check, and the cluster topology + # will never be refreshed. + +#cassandra_repl_strategy = SimpleStrategy # When migrating for the first time, + # Kong will use this setting to + # create your keyspace. + # Accepted values are + # `SimpleStrategy` and + # `NetworkTopologyStrategy`. + +#cassandra_repl_factor = 1 # When migrating for the first time, Kong + # will create the keyspace with this + # replication factor when using the + # `SimpleStrategy`. + +#cassandra_data_centers = dc1:2,dc2:3 # When migrating for the first time, + # will use this setting when using the + # `NetworkTopologyStrategy`. + # The format is a comma-separated list + # made of `:`. + +#cassandra_schema_consensus_timeout = 10000 # Defines the timeout (in ms) for + # the waiting period to reach a + # schema consensus between your + # Cassandra nodes. + # This value is only used during + # migrations. + +#declarative_config = # The path to the declarative configuration + # file which holds the specification of all + # entities (Routes, Services, Consumers, etc.) + # to be used when the `database` is set to + # `off`. + # + # Entities are stored in Kong's in-memory cache, + # so you must ensure that enough memory is + # allocated to it via the `mem_cache_size` + # property. You must also ensure that items + # in the cache never expire, which means that + # `db_cache_ttl` should preserve its default + # value of 0. + +#------------------------------------------------------------------------------ +# DATASTORE CACHE +#------------------------------------------------------------------------------ + +# In order to avoid unnecessary communication with the datastore, Kong caches +# entities (such as APIs, Consumers, Credentials...) for a configurable period +# of time. It also handles invalidations if such an entity is updated. +# +# This section allows for configuring the behavior of Kong regarding the +# caching of such configuration entities. + +#db_update_frequency = 5 # Frequency (in seconds) at which to check for + # updated entities with the datastore. + # + # When a node creates, updates, or deletes an + # entity via the Admin API, other nodes need + # to wait for the next poll (configured by + # this value) to eventually purge the old + # cached entity and start using the new one. + +#db_update_propagation = 0 # Time (in seconds) taken for an entity in the + # datastore to be propagated to replica nodes + # of another datacenter. + # + # When in a distributed environment such as + # a multi-datacenter Cassandra cluster, this + # value should be the maximum number of + # seconds taken by Cassandra to propagate a + # row to other datacenters. + # + # When set, this property will increase the + # time taken by Kong to propagate the change + # of an entity. + # + # Single-datacenter setups or PostgreSQL + # servers should suffer no such delays, and + # this value can be safely set to 0. + +#db_cache_ttl = 0 # Time-to-live (in seconds) of an entity from + # the datastore when cached by this node. + # + # Database misses (no entity) are also cached + # according to this setting. + # + # If set to 0 (default), such cached entities + # or misses never expire. + +#db_resurrect_ttl = 30 # Time (in seconds) for which stale entities + # from the datastore should be resurrected for + # when they cannot be refreshed (e.g., the + # datastore is unreachable). When this TTL + # expires, a new attempt to refresh the stale + # entities will be made. + +#db_cache_warmup_entities = services, plugins + # Entities to be pre-loaded from the datastore + # into the in-memory cache at Kong start-up. + # This speeds up the first access of endpoints + # that use the given entities. + # + # When the `services` entity is configured + # for warmup, the DNS entries for values in + # its `host` attribute are pre-resolved + # asynchronously as well. + # + # Cache size set in `mem_cache_size` should + # be set to a value large enough to hold all + # instances of the specified entities. + # If the size is insufficient, Kong will log + # a warning. + +#------------------------------------------------------------------------------ +# DNS RESOLVER +#------------------------------------------------------------------------------ + +# By default the DNS resolver will use the standard configuration files +# `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be +# overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if +# they have been set. +# +# Kong will resolve hostnames as either `SRV` or `A` records (in that order, and +# `CNAME` records will be dereferenced in the process). +# In case a name was resolved as an `SRV` record it will also override any given +# port number by the `port` field contents received from the DNS server. +# +# The DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will +# be used to expand short names to fully qualified ones. So it will first try +# the entire `SEARCH` list for the `SRV` type, if that fails it will try the +# `SEARCH` list for `A`, etc. +# +# For the duration of the `ttl`, the internal DNS resolver will loadbalance each +# request it gets over the entries in the DNS record. For `SRV` records the +# `weight` fields will be honored, but it will only use the lowest `priority` +# field entries in the record. + +#dns_resolver = # Comma separated list of nameservers, each + # entry in `ip[:port]` format to be used by + # Kong. If not specified the nameservers in + # the local `resolv.conf` file will be used. + # Port defaults to 53 if omitted. Accepts + # both IPv4 and IPv6 addresses. + +#dns_hostsfile = /etc/hosts # The hosts file to use. This file is read + # once and its content is static in memory. + # To read the file again after modifying it, + # Kong must be reloaded. + +#dns_order = LAST,SRV,A,CNAME # The order in which to resolve different + # record types. The `LAST` type means the + # type of the last successful lookup (for the + # specified name). The format is a (case + # insensitive) comma separated list. + +#dns_valid_ttl = # By default, DNS records are cached using + # the TTL value of a response. If this + # property receives a value (in seconds), it + # will override the TTL for all records. + +#dns_stale_ttl = 4 # Defines, in seconds, how long a record will + # remain in cache past its TTL. This value + # will be used while the new DNS record is + # fetched in the background. + # Stale data will be used from expiry of a + # record until either the refresh query + # completes, or the `dns_stale_ttl` number of + # seconds have passed. + +#dns_not_found_ttl = 30 # TTL in seconds for empty DNS responses and + # "(3) name error" responses. + +#dns_error_ttl = 1 # TTL in seconds for error responses. + +#dns_no_sync = off # If enabled, then upon a cache-miss every + # request will trigger its own dns query. + # When disabled multiple requests for the + # same name/type will be synchronised to a + # single query. + +#------------------------------------------------------------------------------ +# TUNING & BEHAVIOR +#------------------------------------------------------------------------------ + +#router_consistency = strict # Defines whether this node should rebuild its + # router synchronously or asynchronously (the + # router is rebuilt every time a Route or a + # Service is updated via the Admin API or + # loading a declarative configuration file). + # + # Accepted values are: + # + # - `strict`: the router will be rebuilt + # synchronously, causing incoming requests to + # be delayed until the rebuild is finished. + # - `eventual`: the router will be rebuilt + # asynchronously via a recurring background + # job running every second inside of each + # worker. + # + # Note that `strict` ensures that all workers + # of a given node will always proxy requests + # with an identical router, but that increased + # long tail latency can be observed if + # frequent Routes and Services updates are + # expected. + # Using `eventual` will help preventing long + # tail latency issues in such cases, but may + # cause workers to route requests differently + # for a short period of time after Routes and + # Services updates. + +#router_update_frequency = 1 # Defines how often the router changes are + # checked with a background job. When a change + # is detected, a new router will be built. By + # default we check for changes every second. + # Raising this value will decrease the load on + # database servers and result in less jitter + # in proxy latency, with downside of longer + # converge time for router updates. + +#------------------------------------------------------------------------------ +# DEVELOPMENT & MISCELLANEOUS +#------------------------------------------------------------------------------ + +# Additional settings inherited from lua-nginx-module allowing for more +# flexibility and advanced usage. +# +# See the lua-nginx-module documentation for more information: +# https://github.com/openresty/lua-nginx-module + +#lua_ssl_trusted_certificate = # Absolute path to the certificate + # authority file for Lua cosockets in PEM + # format. This certificate will be the one + # used for verifying Kong's database + # connections, when `pg_ssl_verify` or + # `cassandra_ssl_verify` are enabled. + # + # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate + +#lua_ssl_verify_depth = 1 # Sets the verification depth in the server + # certificates chain used by Lua cosockets, + # set by `lua_ssl_trusted_certificate`. + # This includes the certificates configured + # for Kong's database connections. + # + # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth + +#lua_package_path = ./?.lua;./?/init.lua; # Sets the Lua module search path + # (LUA_PATH). Useful when developing + # or using custom plugins not stored + # in the default search path. + # + # See https://github.com/openresty/lua-nginx-module#lua_package_path + +#lua_package_cpath = # Sets the Lua C module search path + # (LUA_CPATH). + # + # See https://github.com/openresty/lua-nginx-module#lua_package_cpath + +#lua_socket_pool_size = 30 # Specifies the size limit for every cosocket + # connection pool associated with every remote + # server. + # + # See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size