mirror of https://github.com/sozu-proxy/sozu.git
242 lines
10 KiB
TOML
242 lines
10 KiB
TOML
# top level options
|
|
|
|
# path to a file sozu can use to load an initial configuration state for its
|
|
# routing. You can generate this file from sozu's current routing by running
|
|
# the command `sozu state save -f state.json`
|
|
# this must be RELATIVE to config.toml
|
|
saved_state = "/var/lib/sozu/state.json"
|
|
|
|
# save the configuration to the saved_state file every time we receive a
|
|
# configuration message on the configuration socket
|
|
# defaults to false, and will not work if the 'saved_state' option is not set
|
|
# automatic_state_save = false
|
|
|
|
# logging verbosity. Possible values are "error", "warn", "info", "debug" and
|
|
# "trace". For performance reasons, the logs at "debug" or "trace" level are
|
|
# not compiled by default. To activate them, pass the "logs-debug" and
|
|
# "logs-trace" compilation options to cargo
|
|
log_level = "info"
|
|
|
|
# where the logs will be sent. It defaults to sending the logs on standard output,
|
|
# but they could be written to a UDP address:
|
|
# log_target = "udp://127.0.0.1:9876"
|
|
# to a TCP address:
|
|
# log_target = "tcp://127.0.0.1:9876"
|
|
# to a unix socket
|
|
# log_target = "unix:///var/sozu/logs
|
|
# to a file
|
|
# log_target = "file:///var/log/sozu.log"
|
|
# to_stdout
|
|
log_target = "stdout"
|
|
|
|
# optional different target for access logs (IP addresses, domains, URI, HTTP status, etc)
|
|
# It supports the same options as log_target
|
|
# access_logs_target = "file:///var/log/sozu-access.log"
|
|
|
|
# path to the unix socket file used to send commands to sozu
|
|
# default value points to "sozu.sock" file in the current directory
|
|
command_socket = "/run/sozu/sozu.sock"
|
|
|
|
# size in bytes of the buffer used by the command socket protocol. If the message
|
|
# sent to sozu is too large, or the data that sozu must return is too large, the
|
|
# buffer will grow up to max_command_buffer_size. If the buffer is still not large
|
|
# enough sozu will close the connection
|
|
# defaults to 1000000
|
|
command_buffer_size = 163_840
|
|
|
|
# defaults to command_buffer_size * 2
|
|
max_command_buffer_size = 1_638_400
|
|
|
|
# the number of worker processes that will handle traffic
|
|
# defaults to 2 workers
|
|
worker_count = 2
|
|
|
|
# indicates if workers should be automatically restarted if they crash / hang
|
|
# should be true for production and false for development
|
|
# defaults to true
|
|
worker_automatic_restart = true
|
|
|
|
# indicates if worker process will be pinned on a core. If you activate this, be sure
|
|
# that you do not have more workers than CPU cores (and leave at least one core for
|
|
# the kernel and the main process)
|
|
handle_process_affinity = false
|
|
|
|
# maximum number of connections to a worker. If it reached that number and
|
|
# there are new connections available, the worker will accept and close them
|
|
# immediately to indicate it is too busy to handle traffic
|
|
# defaults to 10000 maximum connections
|
|
max_connections = 10_000
|
|
|
|
# maximum number of buffers in the pool used by the protocol implementations
|
|
# for active connections (ie currently serving a request). For now, you should
|
|
# estimate that max_buffers = number of concurrent requests * 2
|
|
# defaults to 1000
|
|
max_buffers = 20_000
|
|
|
|
# minimum number of buffers preallocated in the pool
|
|
# cannot be larger than max_buffers
|
|
# defaults to 1
|
|
# min_buffers = 1
|
|
|
|
# size of the buffers used by the protocol implementations. Each worker will
|
|
# preallocate max_buffers * 2 * buffer_size bytes, so you should plan for this
|
|
# memory usage. If you plan to use sozu's runtime upgrade feature, you should
|
|
# leave enough memory for one more worker (also for the kernel, etc), so total
|
|
# RAM should be larger than (worker count + 1) * max_buffers * 2 * buffer_size bytes
|
|
# defaults to 16393 (minimum size for HTTP/2 is a 16384 bytes frame + 9 bytes of header
|
|
buffer_size = 16_393
|
|
|
|
# how much time (in milliseconds) sozu command line will wait for a command to complete.
|
|
# Defaults to 1000 milliseconds
|
|
# ctl_command_timeout = 1000
|
|
|
|
# PID file is a file containing the PID of the main process of sozu.
|
|
# It can be helpful to help systemd or any other service system to keep track
|
|
# of the main process across upgrades. PID file is not created unless this option
|
|
# is set or if SOZU_PID_FILE_PATH environment variable was defined at build time.
|
|
pid_file_path = "/run/sozu/sozu.pid"
|
|
|
|
# maximum time of inactivity for a frontend socket, in seconds
|
|
# defaults to 60 seconds, can be specified at the listener level
|
|
front_timeout = 900
|
|
|
|
# maximum time of inactivity for a backend socket, in seconds
|
|
# defaults to 30 seconds, can be specified at the listener level
|
|
back_timeout = 900
|
|
|
|
# maximum time to connect to a backend server, in seconds
|
|
# defaults to 3 seconds, can be specified at the listener level
|
|
connect_timeout = 3
|
|
|
|
# maximum time to receive a request since the connection started
|
|
# defaults to 10 seconds, can be specified at the listener level
|
|
request_timeout = 180
|
|
|
|
# duration between zombie checks, in seconds
|
|
# defaults to 30 minutes
|
|
# in case of bugs in sozu's event loop and protocol implementations, some client
|
|
# sessions could be stuck, not receiving any more event, and consuming resources.
|
|
# sozu verifies regularly if there are such zombie sessions, logs their state
|
|
# and removes them
|
|
zombie_check_interval = 1800
|
|
|
|
# by default, all listeners start a TCP listen socket o startup
|
|
# if set to false, this option will prevent them from listening. You can then add
|
|
# the complete configuration, and send an ActivateListener message afterwards
|
|
activate_listeners = true
|
|
|
|
# various statistics can be sent to a server that supports the statsd protocol
|
|
# You can see those statistics with sozu command line, like this: `sozu metrics get` or
|
|
# `sozu metrics get --json` for machine consumption
|
|
#
|
|
#[metrics]
|
|
# address = "127.0.0.1:8125"
|
|
# use InfluxDB's statsd protocol flavor to add tags
|
|
# tagged_metrics = false
|
|
# metrics key prefix
|
|
# prefix = "sozu"
|
|
|
|
# Listeners
|
|
# configuration options specific to a TCP listen socket
|
|
|
|
# Example for a HTTP (plaintext) listener
|
|
[[listeners]]
|
|
protocol = "http"
|
|
|
|
# listening address
|
|
address = "0.0.0.0:80"
|
|
|
|
# specify a different IP than the one the socket sees, for logs and forwarded headers
|
|
# this option is incompatible with expect_proxy
|
|
# public_address = "1.2.3.4:80"
|
|
|
|
# For details about custom HTTP answers, see `doc/configure.md`,
|
|
# and for defaults, check out `/lib/src/protocol/kawa_h1/answers.rs`
|
|
# a 401 response is sent when a frontend has a Deny rule
|
|
# answer_401 = "/absolute/path/to/custom_401.http"
|
|
# a 404 response is sent when sozu does not know about the requested domain or path
|
|
# answer_404 = "/absolute/path/to/custom_404.http"
|
|
# a 408 response is sent when a frontend has a Deny rule (unusual)
|
|
# answer_408 = "/absolute/path/to/custom_408.http"
|
|
# a 413 response is sent when a request was too large
|
|
# answer_413 = "/absolute/path/to/custom_413.http"
|
|
# a 502 response means the response sent by a backend could not be parsed by Sōzu
|
|
# answer_502 = "/absolute/path/to/custom_502.http"
|
|
# a 503 response is sent if there are no backend servers available
|
|
# answer_503 = "/absolute/path/to/custom_503.http"
|
|
# a 504 response means the backend timed out
|
|
# answer_504 = "/absolute/path/to/custom_504.http"
|
|
# a 507 response occurs when the response sent by a backend is too big
|
|
# answer_507 = "/absolute/path/to/custom_507.http"
|
|
|
|
# defines the sticky session cookie's name, if `sticky_session` is activated for
|
|
# a cluster. Defaults to "SOZUBALANCEID"
|
|
# sticky_name = "SOZUBALANCEID"
|
|
#
|
|
# Configures the client socket to receive a PROXY protocol header
|
|
# this option is incompatible with public_address
|
|
# expect_proxy = false
|
|
|
|
# Example for a HTTPS listener
|
|
[[listeners]]
|
|
protocol = "https"
|
|
|
|
# listening address
|
|
address = "0.0.0.0:443"
|
|
|
|
# specify a different IP than the one the socket sees, for logs and forwarded headers
|
|
# this option is incompatible with expect_proxy
|
|
# public_address = "1.2.3.4:80"
|
|
|
|
# For details about custom HTTP answers, see `doc/configure.md`,
|
|
# and for defaults, check out `/lib/src/protocol/kawa_h1/answers.rs`
|
|
# a 401 response is sent when a frontend has a Deny rule
|
|
# answer_401 = "/absolute/path/to/custom_401.http"
|
|
# a 404 response is sent when sozu does not know about the requested domain or path
|
|
# answer_404 = "/absolute/path/to/custom_404.http"
|
|
# a 408 response is sent when a frontend has a Deny rule (unusual)
|
|
# answer_408 = "/absolute/path/to/custom_408.http"
|
|
# a 413 response is sent when a request was too large
|
|
# answer_413 = "/absolute/path/to/custom_413.http"
|
|
# a 502 response means the response sent by a backend could not be parsed by Sōzu
|
|
# answer_502 = "/absolute/path/to/custom_502.http"
|
|
# a 503 response is sent if there are no backend servers available
|
|
# answer_503 = "/absolute/path/to/custom_503.http"
|
|
# a 504 response means the backend timed out
|
|
# answer_504 = "/absolute/path/to/custom_504.http"
|
|
# a 507 response occurs when the response sent by a backend is too big
|
|
# answer_507 = "/absolute/path/to/custom_507.http"
|
|
|
|
# defines the sticky session cookie's name, if `sticky_session` is activated for
|
|
# a cluster. Defaults to "SOZUBALANCEID"
|
|
# sticky_name = "SOZUBALANCEID"
|
|
|
|
# Configures the client socket to receive a PROXY protocol header
|
|
# this option is incompatible with public_address
|
|
# expect_proxy = false
|
|
|
|
# Supported TLS versions. Possible values are "SSL_V2", "SSL_V3", "TLSv1", "TLS_V11", "TLS_V12", "TLS_V13".
|
|
# Defaults to `["TLS_V12", "TLS_V13"]`. Besides, `rustls` tls provider only support "TLS_V12" and "TLS_V13" values.
|
|
tls_versions = ["TLS_V12", "TLS_V13"]
|
|
|
|
# TLS ciphers considered as secure can be retrieved on the ANSSI document located here:
|
|
# https://www.ssi.gouv.fr/uploads/2020/03/anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf
|
|
#
|
|
# When using `Rustls` TLS provider:
|
|
# * Sets the lists of availables ciphers (TLSv1.2 and TLSv1.3). Supported ciphers names are specified at
|
|
# https://docs.rs/rustls/latest/rustls/static.ALL_CIPHER_SUITES.html
|
|
#
|
|
cipher_list = [
|
|
# TLS 1.3 cipher suites
|
|
"TLS13_AES_256_GCM_SHA384",
|
|
"TLS13_AES_128_GCM_SHA256",
|
|
"TLS13_CHACHA20_POLY1305_SHA256",
|
|
# TLS 1.2 cipher suites
|
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
|
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
|
|
]
|