# ----------------------- # Kong configuration file # ----------------------- # # The commented-out settings shown in this file represent the default values. # # This file is read when `kong start` or `kong prepare` are used. Kong # generates the Nginx configuration with the settings specified in this file. # # All environment variables prefixed with `KONG_` and capitalized will override # the settings specified in this file. # Example: # `log_level` setting -> `KONG_LOG_LEVEL` env variable # # Boolean values can be specified as `on`/`off` or `true`/`false`. # Lists must be specified as comma-separated strings. # # All comments in this file can be removed safely, including the # commented-out properties. # You can verify the integrity of your settings with `kong check `. #------------------------------------------------------------------------------ # GENERAL #------------------------------------------------------------------------------ prefix = /usr/local/kong/ # Working directory. Equivalent to Nginx's # prefix path, containing temporary files # and logs. # Each Kong process must have a separate # working directory. log_level = notice # Log level of the Nginx server. Logs are # found at `/logs/error.log`. # See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list # of accepted values. #proxy_access_log = logs/access.log times_incl proxy_access_log = logs/access.log # Path for proxy port request access # logs. Set this value to `off` to # disable logging proxy requests. # If this value is a relative path, # it will be placed under the # `prefix` location. proxy_error_log = logs/error.log # Path for proxy port request error # logs. The granularity of these logs # is adjusted by the `log_level` # directive. admin_access_log = logs/admin_access.log # Path for Admin API request access # logs. Set this value to `off` to # disable logging Admin API requests. # If this value is a relative path, # it will be placed under the # `prefix` location. admin_error_log = logs/error.log # Path for Admin API request error # logs. The granularity of these logs # is adjusted by the `log_level` # directive. plugins = bundled,nginx-headers,rfcheaders # Comma-separated list of plugins this node # should load. By default, only plugins # bundled in official distributions are # loaded via the `bundled` keyword. # # Loading a plugin does not enable it by # default, but only instructs Kong to load its # source code, and allows to configure the # plugin via the various related Admin API # endpoints. # # The specified name(s) will be substituted as # such in the Lua namespace: # `kong.plugins.{name}.*`. # # When the `off` keyword is specified as the # only value, no plugins will be loaded. # # `bundled` and plugin names can be mixed # together, as the following examples suggest: # # - `plugins = bundled,custom-auth,custom-log` will # include the bundled plugins plus two custom ones # - `plugins = custom-auth,custom-log` will *only* # include the `custom-auth` and `custom-log` plugins. # - `plugins = off` will not include any plugins # # **Note:** Kong will not start if some plugins # were previously configured (i.e. have rows in # the database) and are not specified in this list. # Before disabling a plugin, ensure all instances # of it are removed before restarting Kong. # # **Note:** Limiting the amount of available plugins # can improve P99 latency when experiencing LRU churning # in the database cache (i.e. when the configured # `mem_cache_size`) is full. #anonymous_reports = on # Send anonymous usage data such as error # stack traces to help improve Kong. #------------------------------------------------------------------------------ # NGINX #------------------------------------------------------------------------------ proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl http2 # Comma-separated list of addresses and ports on # which the proxy server should listen for # HTTP/HTTPS traffic. # The proxy server is the public entry point of Kong, # which proxies traffic from your consumers to your # backend services. This value accepts IPv4, IPv6, and # hostnames. # # Some suffixes can be specified for each pair: # # - `ssl` will require that all connections made # through a particular address/port be made with TLS # enabled. # - `http2` will allow for clients to open HTTP/2 # connections to Kong's proxy server. # - `proxy_protocol` will enable usage of the # PROXY protocol for a given address/port. # - `transparent` will cause kong to listen to, and # respond from, any and all IP addresses and ports # you configure in iptables. # # This value can be set to `off`, thus disabling # the HTTP/HTTPS proxy port for this node. # If stream_listen is also set to `off`, this enables # 'control-plane' mode for this node # (in which all traffic proxying capabilities are # disabled). This node can then be used only to # configure a cluster of Kong # nodes connected to the same datastore. # # Example: `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl` # # See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen for # a description of the accepted formats for this and other `*_listen` values. # # See https://www.nginx.com/resources/admin-guide/proxy-protocol/ # for more details about the `proxy_protocol` parameter. # Not all `*_listen` values accept all formats specified in nginx's documentation. #stream_listen = off # Comma-separated list of addresses and ports on # which the stream mode should listen. # # This value accepts IPv4, IPv6, and hostnames. # Some suffixes can be specified for each pair: # - `proxy_protocol` will enable usage of the # PROXY protocol for a given address/port. # - `transparent` will cause kong to listen to, and # respond from, any and all IP addresses and ports # you configure in iptables. # # **Note:** The `ssl` suffix is not supported, # and each address/port will accept TCP with or # without TLS enabled. # # Examples: # # ``` # stream_listen = 127.0.0.1:7000 # stream_listen = 0.0.0.0:989, 0.0.0.0:20 # stream_listen = [::1]:1234 # ``` # # By default this value is set to `off`, thus # disabling the stream proxy port for this node. # See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen # for a description of the formats that Kong might accept in stream_listen. admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 ssl # Comma-separated list of addresses and ports on # which the Admin interface should listen. # The Admin interface is the API allowing you to # configure and manage Kong. # Access to this interface should be *restricted* # to Kong administrators *only*. This value accepts # IPv4, IPv6, and hostnames. # # Some suffixes can be specified for each pair: # # - `ssl` will require that all connections made # through a particular address/port be made with TLS # enabled. # - `http2` will allow for clients to open HTTP/2 # connections to Kong's proxy server. # - Finally, `proxy_protocol` will enable usage of the # PROXY protocol for a given address/port. # # This value can be set to `off`, thus disabling # the Admin interface for this node, enabling a # 'data-plane' mode (without configuration # capabilities) pulling its configuration changes # from the database. # # Example: `stream_listen = 127.0.0.1:8444 http2 ssl` nginx_user = nobody nobody # Defines user and group credentials used by # worker processes. If group is omitted, a # group whose name equals that of user is # used. # # Example: `nginx_user = nginx www` nginx_worker_processes = auto # Determines the number of worker processes # spawned by Nginx. # # See http://nginx.org/en/docs/ngx_core_module.html#worker_processes # for detailed usage of this directive and # a description of accepted values. nginx_daemon = on # Determines whether Nginx will run as a daemon # or as a foreground process. Mainly useful # for development or when running Kong inside # a Docker environment. # # See http://nginx.org/en/docs/ngx_core_module.html#daemon. mem_cache_size = 128m # Size of the in-memory cache for database # entities. The accepted units are `k` and # `m`, with a minimum recommended value of # a few MBs. #ssl_cipher_suite = modern # Defines the TLS ciphers served by Nginx. # Accepted values are `modern`, # `intermediate`, `old`, or `custom`. # # See https://wiki.mozilla.org/Security/Server_Side_TLS # for detailed descriptions of each cipher suite. ssl_ciphers = HIGH # Defines a custom list of TLS ciphers to be # served by Nginx. This list must conform to # the pattern defined by `openssl ciphers`. # This value is ignored if `ssl_cipher_suite` # is not `custom`. # The absolute path to the SSL certificate for # `proxy_listen` values with SSL enabled. ssl_cert = /usr/local/kong/ssl/tf-vapigw-q001.xpedite.com.crt # The absolute path to the SSL key for # `proxy_listen` values with SSL enabled. ssl_cert_key = /usr/local/kong/ssl/tf-vapigw-q001.xpedite.com.key #client_ssl = off # Determines if Nginx should send client-side # SSL certificates when proxying requests. #client_ssl_cert = # If `client_ssl` is enabled, the absolute # path to the client SSL certificate for the # `proxy_ssl_certificate` directive. Note that # this value is statically defined on the # node, and currently cannot be configured on # a per-API basis. #client_ssl_cert_key = # If `client_ssl` is enabled, the absolute # path to the client SSL key for the # `proxy_ssl_certificate_key` address. Note # this value is statically defined on the # node, and currently cannot be configured on # a per-API basis. #admin_ssl_cert = # The absolute path to the SSL certificate for # `admin_listen` values with SSL enabled. #admin_ssl_cert_key = # The absolute path to the SSL key for # `admin_listen` values with SSL enabled. #upstream_keepalive = 60 # Sets the maximum number of idle keepalive # connections to upstream servers that are # preserved in the cache of each worker # process. When this number is exceeded, the # least recently used connections are closed. # A value of `0` will disable this behavior # altogether, forcing each upstream request # to open a new connection. #headers = server_tokens, latency_tokens # Comma-separated list of headers Kong should # inject in client responses. # # Accepted values are: # - `Server`: Injects `Server: kong/x.y.z` # on Kong-produced response (e.g. Admin # API, rejected requests from auth plugin, etc...). # - `Via`: Injects `Via: kong/x.y.z` for # successfully proxied requests. # - `X-Kong-Proxy-Latency`: Time taken (in milliseconds) # by Kong to process a request and run all plugins # before proxying the request upstream. # - `X-Kong-Upstream-Latency`: Time taken # (in milliseconds) by the upstream # service to send response headers. # - `X-Kong-Upstream-Status`: The HTTP status code # returned by the upstream service. This is # particularly useful for clients to distinguish # upstream statuses if the response is rewritten # by a plugin. # - `server_tokens`: Same as specifying both # `Server` and `Via`. # - `latency_tokens`: Same as specifying both # `X-Kong-Proxy-Latency` and `X-Kong-Upstream-Latency`. # # In addition to those, this value can be set to # `off`, which prevents Kong from injecting any of # the above headers. Note that this does not # prevent plugins from injecting headers # of their own. # # Example: `headers = via, latency_tokens` #trusted_ips = # Defines trusted IP addresses blocks that are # known to send correct `X-Forwarded-*` headers. # Requests from trusted IPs make Kong forward # their `X-Forwarded-*` headers upstream. # Non-trusted requests make Kong insert its # own `X-Forwarded-*` headers. # # This property also sets the # `set_real_ip_from` directive(s) in the Nginx # configuration. It accepts the same type of # values (CIDR blocks) but as a # comma-separated list. # # To trust *all* /!\ IPs, set this value to # `0.0.0.0/0,::/0`. # # If the special value `unix:` is specified, # all UNIX-domain sockets will be trusted. # # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from # for examples of accepted values. #real_ip_header = X-Real-IP # Defines the request header field whose value # will be used to replace the client address. # This value sets the `ngx_http_realip_module` # directive of the same name in the Nginx # configuration. # # If this value receives `proxy_protocol`: # # - at least one of the `proxy_listen` entries must # have the `proxy_protocol` flag enabled. # - the `proxy_protocol` parameter will be # appended to the `listen` directive of the # Nginx template. # # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header # for a description of this directive. #real_ip_recursive = off # This value sets the ngx_http_realip_module # directive of the same name in the Nginx # configuration. # # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive # for a description of this directive. #client_max_body_size = 0 # Defines the maximum request body size allowed # by requests proxied by Kong, specified in # the Content-Length request header. If a # request exceeds this limit, Kong will # respond with a 413 (Request Entity Too # Large). Setting this value to 0 disables # checking the request body size. # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size # for further description of this parameter. Numeric values may be suffixed # with `k` or `m` to denote limits in terms of kilobytes or megabytes. #client_body_buffer_size = 8k # Defines the buffer size for reading the # request body. If the client request body is # larger than this value, the body will be # buffered to disk. Note that when the body is # buffered to disk Kong plugins that access or # manipulate the request body may not work, so # it is advisable to set this value as high as # possible (e.g., set it as high as # `client_max_body_size` to force request # bodies to be kept in memory). Do note that # high-concurrency environments will require # significant memory allocations to process # many concurrent large request bodies. # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size # for further description of this parameter. Numeric values may be suffixed # with `k` or `m` to denote limits in terms of kilobytes or megabytes. #error_default_type = text/plain # Default MIME type to use when the request # `Accept` header is missing and Nginx # is returning an error for the request. # Accepted values are `text/plain`, # `text/html`, `application/json`, and # `application/xml`. #------------------------------------------------------------------------------ # DATASTORE #------------------------------------------------------------------------------ # Kong will store all of its data (such as Routes, Services, Consumers, and Plugins) in # either Cassandra or PostgreSQL, and all Kong nodes belonging to the same cluster # must connect themselves to the same database. # # Kong supports the following database versions: # - **PostgreSQL**: 9.5 and above. # - **Cassandra**: 2.2 and above. # database = postgres # Determines which of PostgreSQL or Cassandra # this node will use as its datastore. # Accepted values are `postgres` and # `cassandra`. pg_host = 127.0.0.1 # Host of the Postgres server. pg_port = 5432 # Port of the Postgres server. pg_timeout = 5000 # Defines the timeout (in ms), for connecting, # reading and writing. pg_user = kong # Postgres user. pg_password = kong # Postgres user's password. pg_database = kong # The database name to connect to. #pg_schema = # The database schema to use. If unspecified, # Kong will respect the `search_path` value of # your PostgreSQL instance. #pg_ssl = off # Toggles client-server TLS connections # between Kong and PostgreSQL. #pg_ssl_verify = off # Toggles server certificate verification if # `pg_ssl` is enabled. # See the `lua_ssl_trusted_certificate` # setting to specify a certificate authority. #cassandra_contact_points = 127.0.0.1 # A comma-separated list of contact # points to your cluster. # You may specify IP addresses or # hostnames. Note that the port # component of SRV records will be # ignored in favor of `cassandra_port`. # When connecting to a multi-DC cluster, # ensure that contact points from the # local datacenter are specified first # in this list. #cassandra_port = 9042 # The port on which your nodes are listening # on. All your nodes and contact points must # listen on the same port. Will be created if # it doesn't exist. #cassandra_keyspace = kong # The keyspace to use in your cluster. #cassandra_consistency = ONE # Consistency setting to use when reading/ # writing to the Cassandra cluster. # #cassandra_timeout = 5000 # Defines the timeout (in ms) for reading # and writing. #cassandra_ssl = off # Toggles client-to-node TLS connections # between Kong and Cassandra. #cassandra_ssl_verify = off # Toggles server certificate verification if # `cassandra_ssl` is enabled. # See the `lua_ssl_trusted_certificate` # setting to specify a certificate authority. #cassandra_username = kong # Username when using the # `PasswordAuthenticator` scheme. #cassandra_password = # Password when using the # `PasswordAuthenticator` scheme. #cassandra_lb_policy = RequestRoundRobin # Load balancing policy to use when # distributing queries across your # Cassandra cluster. # Accepted values are: # `RoundRobin`, `RequestRoundRobin`, # `DCAwareRoundRobin`, and # `RequestDCAwareRoundRobin`. # Policies prefixed with "Request" # make efficient use of established # connections throughout the same # request. # Prefer "DCAware" policies if and # only if you are using a # multi-datacenter cluster. #cassandra_local_datacenter = # When using the `DCAwareRoundRobin` # or `RequestDCAwareRoundRobin` load # balancing policy, you must specify the name # of the local (closest) datacenter for this # Kong node. #cassandra_repl_strategy = SimpleStrategy # When migrating for the first time, # Kong will use this setting to # create your keyspace. # Accepted values are # `SimpleStrategy` and # `NetworkTopologyStrategy`. #cassandra_repl_factor = 1 # When migrating for the first time, Kong # will create the keyspace with this # replication factor when using the # `SimpleStrategy`. #cassandra_data_centers = dc1:2,dc2:3 # When migrating for the first time, # will use this setting when using the # `NetworkTopologyStrategy`. # The format is a comma-separated list # made of `:`. #cassandra_schema_consensus_timeout = 10000 # Defines the timeout (in ms) for # the waiting period to reach a # schema consensus between your # Cassandra nodes. # This value is only used during # migrations. #------------------------------------------------------------------------------ # DATASTORE CACHE #------------------------------------------------------------------------------ # In order to avoid unnecessary communication with the datastore, Kong caches # entities (such as APIs, Consumers, Credentials...) for a configurable period # of time. It also handles invalidations if such an entity is updated. # # This section allows for configuring the behavior of Kong regarding the # caching of such configuration entities. #db_update_frequency = 5 # Frequency (in seconds) at which to check for # updated entities with the datastore. # # When a node creates, updates, or deletes an # entity via the Admin API, other nodes need # to wait for the next poll (configured by # this value) to eventually purge the old # cached entity and start using the new one. #db_update_propagation = 0 # Time (in seconds) taken for an entity in the # datastore to be propagated to replica nodes # of another datacenter. # # When in a distributed environment such as # a multi-datacenter Cassandra cluster, this # value should be the maximum number of # seconds taken by Cassandra to propagate a # row to other datacenters. # # When set, this property will increase the # time taken by Kong to propagate the change # of an entity. # # Single-datacenter setups or PostgreSQL # servers should suffer no such delays, and # this value can be safely set to 0. #db_cache_ttl = 0 # Time-to-live (in seconds) of an entity from # the datastore when cached by this node. # # Database misses (no entity) are also cached # according to this setting. # # If set to 0 (default), such cached entities # or misses never expire. #db_resurrect_ttl = 30 # Time (in seconds) for which stale entities # from the datastore should be resurrected for # when they cannot be refreshed (e.g., the # datastore is unreachable). When this TTL # expires, a new attempt to refresh the stale # entities will be made. #------------------------------------------------------------------------------ # DNS RESOLVER #------------------------------------------------------------------------------ # By default the DNS resolver will use the standard configuration files # `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be # overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if # they have been set. # # Kong will resolve hostnames as either `SRV` or `A` records (in that order, and # `CNAME` records will be dereferenced in the process). # In case a name was resolved as an `SRV` record it will also override any given # port number by the `port` field contents received from the DNS server. # # The DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will # be used to expand short names to fully qualified ones. So it will first try the # entire `SEARCH` list for the `SRV` type, if that fails it will try the `SEARCH` # list for `A`, etc. # # For the duration of the `ttl`, the internal DNS resolver will loadbalance each # request it gets over the entries in the DNS record. For `SRV` records the # `weight` fields will be honored, but it will only use the lowest `priority` # field entries in the record. #dns_resolver = # Comma separated list of nameservers, each # entry in `ip[:port]` format to be used by # Kong. If not specified the nameservers in # the local `resolv.conf` file will be used. # Port defaults to 53 if omitted. Accepts # both IPv4 and IPv6 addresses. #dns_hostsfile = /etc/hosts # The hosts file to use. This file is read # once and its content is static in memory. # To read the file again after modifying it, # Kong must be reloaded. #dns_order = LAST,SRV,A,CNAME # The order in which to resolve different # record types. The `LAST` type means the # type of the last successful lookup (for the # specified name). The format is a (case # insensitive) comma separated list. #dns_valid_ttl = # By default, DNS records are cached using # the TTL value of a response. If this # property receives a value (in seconds), it # will override the TTL for all records. #dns_stale_ttl = 4 # Defines, in seconds, how long a record will # remain in cache past its TTL. This value # will be used while the new DNS record is # fetched in the background. # Stale data will be used from expiry of a # record until either the refresh query # completes, or the `dns_stale_ttl` number of # seconds have passed. #dns_not_found_ttl = 30 # TTL in seconds for empty DNS responses and # "(3) name error" responses. #dns_error_ttl = 1 # TTL in seconds for error responses. #dns_no_sync = off # If enabled, then upon a cache-miss every # request will trigger its own dns query. # When disabled multiple requests for the # same name/type will be synchronised to a # single query. #------------------------------------------------------------------------------ # DEVELOPMENT & MISCELLANEOUS #------------------------------------------------------------------------------ # Additional settings inherited from lua-nginx-module allowing for more # flexibility and advanced usage. # # See the lua-nginx-module documentation for more information: # https://github.com/openresty/lua-nginx-module #lua_ssl_trusted_certificate = # Absolute path to the certificate # authority file for Lua cosockets in PEM # format. This certificate will be the one # used for verifying Kong's database # connections, when `pg_ssl_verify` or # `cassandra_ssl_verify` are enabled. # # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate #lua_ssl_verify_depth = 1 # Sets the verification depth in the server # certificates chain used by Lua cosockets, # set by `lua_ssl_trusted_certificate`. # This includes the certificates configured # for Kong's database connections. # # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth #lua_package_path = ./?.lua;./?/init.lua; # Sets the Lua module search path # (LUA_PATH). Useful when developing # or using custom plugins not stored # in the default search path. # # See https://github.com/openresty/lua-nginx-module#lua_package_path #lua_package_cpath = # Sets the Lua C module search path # (LUA_CPATH). # # See https://github.com/openresty/lua-nginx-module#lua_package_cpath #lua_socket_pool_size = 30 # Specifies the size limit for every cosocket # connection pool associated with every remote # server. # # See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size