mirror of https://github.com/sozu-proxy/sozu.git
345 lines
14 KiB
TOML
345 lines
14 KiB
TOML
# sozu proxy test config file
|
|
|
|
# top level options
|
|
|
|
# path to a file sozu can use to load an initial configuration state for its
|
|
# routing. You can generate this file from sozu's current routing by running
|
|
# the command `sozu state save -f state.json`
|
|
# this must be RELATIVE to config.toml
|
|
# saved_state = "./state.json"
|
|
|
|
# save the configuration to the saved_state file every time we receive a
|
|
# configuration message on the configuration socket
|
|
# defaults to false, and will not work if the 'saved_state' option is not set
|
|
# automatic_state_save = false
|
|
|
|
# logging verbosity. Possible values are "error", "warn", "info", "debug" and
|
|
# "trace". For performance reasons, the logs at "debug" or "trace" level are
|
|
# not compiled by default. To activate them, pass the "logs-debug" and
|
|
# "logs-trace" compilation options to cargo
|
|
log_level = "info"
|
|
|
|
# where the logs will be sent. It defaults to sending the logs on standard output,
|
|
# but they could be written to a UDP address:
|
|
# log_target = "udp://127.0.0.1:9876"
|
|
# to a TCP address:
|
|
# log_target = "tcp://127.0.0.1:9876"
|
|
# to a unix socket
|
|
# log_target = "unix:///var/sozu/logs
|
|
# to a file
|
|
# log_target = "file:///var/log/sozu.log"
|
|
# to_stdout
|
|
log_target = "stdout"
|
|
|
|
# optional different target for access logs (IP addresses, domains, URI, HTTP status, etc)
|
|
# It supports the same options as log_target
|
|
# access_logs_target = "file:///var/logs/sozu-access.log"
|
|
|
|
# format of the access logs. Defaults to ascii.
|
|
# - ascii
|
|
# - protobuf (defined in [sozu_command_lib::proto::command::ProtobufAccessLog])
|
|
# access_logs_format = "ascii"
|
|
|
|
# path to the unix socket file used to send commands to sozu
|
|
# default value points to "sozu.sock" file in the current directory
|
|
command_socket = "./sozu.sock"
|
|
|
|
# size in bytes of the buffer used by the command socket protocol. If the message
|
|
# sent to sozu is too large, or the data that sozu must return is too large, the
|
|
# buffer will grow up to max_command_buffer_size. If the buffer is still not large
|
|
# enough sozu will close the connection
|
|
# defaults to 1000000
|
|
command_buffer_size = 16384
|
|
# defaults to command_buffer_size * 2
|
|
max_command_buffer_size = 163840
|
|
|
|
# the number of worker processes that will handle traffic
|
|
# defaults to 2 workers
|
|
worker_count = 2
|
|
|
|
# indicates if workers should be automatically restarted if they crash / hang
|
|
# should be true for production and false for development
|
|
# defaults to true
|
|
worker_automatic_restart = true
|
|
|
|
# maximum time to wait for a worker to respond, until it is deemed NotAnswering (10 seconds).
|
|
# Beware that if this duration is bigger than ctl_command timeout (that defaults to 1 second),
|
|
# and if a worker is not responding,
|
|
# you may not receive a reply from Sōzu at all when doing "sozu status"
|
|
worker_timeout = 10
|
|
|
|
# indicates if worker process will be pinned on a core. If you activate this, be sure
|
|
# that you do not have more workers than CPU cores (and leave at least one core for
|
|
# the kernel and the main process)
|
|
handle_process_affinity = false
|
|
|
|
# maximum number of connections to a worker. If it reached that number and
|
|
# there are new connections available, the worker will accept and close them
|
|
# immediately to indicate it is too busy to handle traffic
|
|
# defaults to 10000 maximum connections
|
|
max_connections = 500
|
|
|
|
# maximum number of buffers in the pool used by the protocol implementations
|
|
# for active connections (ie currently serving a request). For now, you should
|
|
# estimate that max_buffers = number of concurrent requests * 2
|
|
# defaults to 1000
|
|
# max_buffers = 1000
|
|
|
|
# minimum number of buffers preallocated in the pool
|
|
# cannot be larger than max_buffers
|
|
# defaults to 1
|
|
# min_buffers = 1
|
|
|
|
# size of the buffers used by the protocol implementations. Each worker will
|
|
# preallocate max_buffers * 2 * buffer_size bytes, so you should plan for this
|
|
# memory usage. If you plan to use sozu's runtime upgrade feature, you should
|
|
# leave enough memory for one more worker (also for the kernel, etc), so total
|
|
# RAM should be larger than (worker count + 1) * max_buffers * 2 * buffer_size bytes
|
|
# defaults to 16393 (minimum size for HTTP/2 is a 16384 bytes frame + 9 bytes of header
|
|
buffer_size = 16393
|
|
|
|
# how much time (in milliseconds) sozu command line will wait for a command to complete.
|
|
# Defaults to 1000 milliseconds
|
|
# ctl_command_timeout = 1000
|
|
|
|
# PID file is a file containing the PID of the main process of sozu.
|
|
# It can be helpful to help systemd or any other service system to keep track
|
|
# of the main process across upgrades. PID file is not created unless this option
|
|
# is set or if SOZU_PID_FILE_PATH environment variable was defined at build time.
|
|
# pid_file_path = "/run/sozu/sozu.pid"
|
|
|
|
# maximum time of inactivity for a frontend socket, in seconds
|
|
# defaults to 60 seconds, can be specified at the listener level
|
|
# front_timeout = 60
|
|
|
|
# maximum time of inactivity for a backend socket, in seconds
|
|
# defaults to 30 seconds, can be specified at the listener level
|
|
# back_timeout = 30
|
|
|
|
# maximum time to connect to a backend server, in seconds
|
|
# defaults to 3 seconds, can be specified at the listener level
|
|
# connect_timeout = 3
|
|
|
|
# maximum time to receive a request since the connection started
|
|
# defaults to 10 seconds, can be specified at the listener level
|
|
# request_timeout = 10
|
|
#
|
|
# duration between zombie checks, in seconds
|
|
# defaults to 30 minutes
|
|
# in case of bugs in sozu's event loop and protocol implementations, some client
|
|
# sessions could be stuck, not receiving any more event, and consuming resources.
|
|
# sozu verifies regularly if there are such zombie sessions, logs their state
|
|
# and removes them
|
|
# zombie_check_interval = 1800
|
|
|
|
# by default, all listeners start a TCP listen socket o startup
|
|
# if set to false, this option will prevent them from listening. You can then add
|
|
# the complete configuration, and send an ActivateListener message afterwards
|
|
activate_listeners = true
|
|
|
|
# various statistics can be sent to a server that supports the statsd protocol
|
|
# You can see those statistics with the command line, like this: `sozu metrics get` or
|
|
# `sozu metrics get --json` for machine consumption
|
|
#
|
|
#[metrics]
|
|
# address = "127.0.0.1:8125"
|
|
# use InfluxDB's statsd protocol flavor to add tags
|
|
# tagged_metrics = false
|
|
# metrics key prefix
|
|
# prefix = "sozu"
|
|
# by default, sozu register metrics for clusters, unless you want to spare ressources
|
|
# disable_cluster_metrics = true
|
|
|
|
# Listeners
|
|
# configuration options specific to a TCP listen socket
|
|
|
|
# Example for a HTTP (plaintext) listener
|
|
[[listeners]]
|
|
protocol = "http"
|
|
|
|
# listening address
|
|
address = "0.0.0.0:8080"
|
|
|
|
# specify a different IP than the one the socket sees, for logs and forwarded headers
|
|
# this option is incompatible with expect_proxy
|
|
# public_address = "1.2.3.4:80"
|
|
|
|
# For details about custom HTTP answers, see `doc/configure.md`,
|
|
# and for defaults, check out `/lib/src/protocol/kawa_h1/answers.rs`
|
|
# a 401 response is sent when a frontend has a Deny rule
|
|
# answer_401 = "/absolute/path/to/custom_401.http"
|
|
# a 404 response is sent when sozu does not know about the requested domain or path
|
|
# answer_404 = "/absolute/path/to/custom_404.http"
|
|
# a 408 response is sent when a frontend has a Deny rule (unusual)
|
|
# answer_408 = "/absolute/path/to/custom_408.http"
|
|
# a 413 response is sent when a request was too large
|
|
# answer_413 = "/absolute/path/to/custom_413.http"
|
|
# a 502 response means the response sent by a backend could not be parsed by Sōzu
|
|
# answer_502 = "/absolute/path/to/custom_502.http"
|
|
# a 503 response is sent if there are no backend servers available
|
|
# answer_503 = "/absolute/path/to/custom_503.http"
|
|
# a 504 response means the backend timed out
|
|
# answer_504 = "/absolute/path/to/custom_504.http"
|
|
# a 507 response occurs when the response sent by a backend is too big
|
|
# answer_507 = "/absolute/path/to/custom_507.http"
|
|
|
|
# defines the sticky session cookie's name, if `sticky_session` is activated for
|
|
# a cluster. Defaults to "SOZUBALANCEID"
|
|
# sticky_name = "SOZUBALANCEID"
|
|
#
|
|
# Configures the client socket to receive a PROXY protocol header
|
|
# this option is incompatible with public_address
|
|
# expect_proxy = false
|
|
|
|
# Example for a HTTPS listener
|
|
[[listeners]]
|
|
protocol = "https"
|
|
|
|
# listening address
|
|
address = "0.0.0.0:8443"
|
|
|
|
# specify a different IP than the one the socket sees, for logs and forwarded headers
|
|
# this option is incompatible with expect_proxy
|
|
# public_address = "1.2.3.4:80"
|
|
|
|
# For details about custom HTTP answers, see `doc/configure.md`,
|
|
# and for defaults, check out `/lib/src/protocol/kawa_h1/answers.rs`
|
|
# a 401 response is sent when a frontend has a Deny rule
|
|
# answer_401 = "/absolute/path/to/custom_401.http"
|
|
# a 404 response is sent when sozu does not know about the requested domain or path
|
|
# answer_404 = "/absolute/path/to/custom_404.http"
|
|
# a 408 response is sent when a frontend has a Deny rule (unusual)
|
|
# answer_408 = "/absolute/path/to/custom_408.http"
|
|
# a 413 response is sent when a request was too large
|
|
# answer_413 = "/absolute/path/to/custom_413.http"
|
|
# a 502 response means the response sent by a backend could not be parsed by Sōzu
|
|
# answer_502 = "/absolute/path/to/custom_502.http"
|
|
# a 503 response is sent if there are no backend servers available
|
|
# answer_503 = "/absolute/path/to/custom_503.http"
|
|
# a 504 response means the backend timed out
|
|
# answer_504 = "/absolute/path/to/custom_504.http"
|
|
# a 507 response occurs when the response sent by a backend is too big
|
|
# answer_507 = "/absolute/path/to/custom_507.http"
|
|
|
|
# defines the sticky session cookie's name, if `sticky_session` is activated for
|
|
# a cluster. Defaults to "SOZUBALANCEID"
|
|
# sticky_name = "SOZUBALANCEID"
|
|
|
|
# Configures the client socket to receive a PROXY protocol header
|
|
# this option is incompatible with public_address
|
|
# expect_proxy = false
|
|
|
|
# Supported TLS versions. Possible values are "SSL_V2", "SSL_V3", "TLSv1", "TLS_V11", "TLS_V12", "TLS_V13".
|
|
# Defaults to `["TLS_V12", "TLS_V13"]`. Besides, `rustls` tls provider only support "TLS_V12" and "TLS_V13" values.
|
|
tls_versions = ["TLS_V12", "TLS_V13"]
|
|
|
|
# TLS ciphers considered as secure can be retrieved on the ANSSI document located here:
|
|
# https://www.ssi.gouv.fr/uploads/2020/03/anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf
|
|
#
|
|
# When using `Rustls` TLS provider:
|
|
# * Sets the lists of availables ciphers (TLSv1.2 and TLSv1.3). Supported ciphers names are specified at
|
|
# https://docs.rs/rustls/latest/rustls/static.ALL_CIPHER_SUITES.html
|
|
#
|
|
cipher_list = [
|
|
# TLS 1.3 cipher suites
|
|
"TLS13_AES_256_GCM_SHA384",
|
|
"TLS13_AES_128_GCM_SHA256",
|
|
"TLS13_CHACHA20_POLY1305_SHA256",
|
|
# TLS 1.2 cipher suites
|
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
|
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
|
|
]
|
|
|
|
# default certificate and key
|
|
# in case you want to set up TLS without SNI, you can define the default
|
|
# certificate here
|
|
#certificate = "../lib/assets/cert_test.pem"
|
|
#key = "../lib/assets/key_test.pem"
|
|
#certificate_chain = "../lib/assets/certificate_chain.pem"
|
|
|
|
# Number of TLS 1.3 tickets to send to a client when establishing a connection.
|
|
# The tickets allow the client to resume a session. This protects the client
|
|
# agains session tracking. Increases the number of getrandom syscalls,
|
|
# with little influence on performance. Defaults to 4.
|
|
# send_tls13_tickets = 4
|
|
|
|
# options specific to a TCP proxy listener
|
|
#[[listeners]]
|
|
# protocol = "tcp"
|
|
# address = "127.0.0.1:8081"
|
|
#
|
|
# specify a different IP than the one the socket sees, for logs and forwarded headers
|
|
# this option is incompatible with expect_proxy
|
|
# public_address = "1.2.3.4:81"
|
|
#
|
|
# Configures the client socket to receive a PROXY protocol header
|
|
# this option is incompatible with public_address
|
|
# expect_proxy = false
|
|
|
|
# static configuration for cluster
|
|
#
|
|
# A cluster is a set of frontends, routing rules, and backends.
|
|
# These clusters will be routed by sozu directly from start
|
|
[clusters]
|
|
|
|
# every cluster has a "cluster id", here it is "MyCluster"
|
|
# this is an example of a routing configuration for the HTTP and HTTPS proxies
|
|
[clusters.MyCluster]
|
|
|
|
# the protocol option indicates if we will use HTTP or TCP proxying
|
|
# possible options are "http" or "tcp"
|
|
protocol = "http"
|
|
|
|
# per cluster load balancing algorithm. The possible values are
|
|
# "ROUND_ROBIN", "RANDOM", "LEAST_LOADED" and "POWER_OF_TWO". Defaults to "ROUND_ROBIN"
|
|
load_balancing = "ROUND_ROBIN"
|
|
# metric evaluating the load on the backend. available options: connections, requests, connection_time
|
|
# load_metric = "connections"
|
|
|
|
# frontends configuration
|
|
# this specifies which listeners; domains, certificates that will be configured for a cluster
|
|
# each element of the array must be specified on one line (toml format limitation)
|
|
# possible frontend options:
|
|
# - address: TCP listener
|
|
# - hostname: host name of the cluster
|
|
# - path = "/api" # optional. A routing rule for incoming requests. The path of the request must match it. Can be a prefix (default), a regex, or a strictly equal path.
|
|
# - path_type = PREFIX | REGEX | EQUALS # defaults to PREFIX
|
|
# - sticky_session = false # activates sticky sessions for this cluster
|
|
# - https_redirect = false # activates automatic redirection to HTTPS for this cluster
|
|
# - custom_tag: a tag to retrieve a frontend with the CLI or in the logs
|
|
frontends = [
|
|
{ address = "0.0.0.0:8080", hostname = "lolcatho.st", tags = { key = "value" }, path = "/api" },
|
|
# HTTPS frontends also have an optional `tls_versions` key like the HTTPS listeners
|
|
{ address = "0.0.0.0:8443", hostname = "lolcatho.st", tags = { key = "value" }, certificate = "../lib/assets/certificate.pem", key = "../lib/assets/key.pem", certificate_chain = "../lib/assets/certificate_chain.pem" },
|
|
]
|
|
|
|
# backends configuration
|
|
# this indicates the backend servers used by the cluster
|
|
# possible options:
|
|
# - address: IP and port of the backend server
|
|
# - weight: weight used by the load balancing algorithm
|
|
# - sticky-id: sticky session identifier
|
|
backends = [
|
|
{ address = "127.0.0.1:1026", backend_id = "the-backend-to-my-app" }
|
|
]
|
|
|
|
# this is an example of a routing configuration for the TCP proxy
|
|
[clusters.TcpTest]
|
|
protocol = "tcp"
|
|
|
|
frontends = [
|
|
{ address = "0.0.0.0:8081", tags = { owner = "John", uuid = "3f740af1-45fd-45ce-b61f-17bf1a51505f" } }
|
|
]
|
|
|
|
# activates the proxy protocol to send IP information to the backend
|
|
# send_proxy = false
|
|
|
|
backends = [
|
|
{ address = "127.0.0.1:4000", weight = 100 },
|
|
{ address = "127.0.0.1:4001", weight = 50 }
|
|
]
|