-
-
Notifications
You must be signed in to change notification settings - Fork 18
/
config.yml.dist
334 lines (327 loc) · 13.7 KB
/
config.yml.dist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
### GLOBAL CONFIGURATION
################################################################################
server:
# --- GENERIC
port:
http: "80"
https: "443"
# --- GZIP
# Automatically enable GZip compression on all requests.
gzip: false
# --- INTERNALS
internals:
# Internal listening Address for metrics and healthchecks.
# Default: 127.0.0.1
listening_address: "127.0.0.1"
# Internal listening port for metrics and healthchecks.
# Default: 52021
listening_port: 52021
# --- TLS
tls:
# Automatic Certificate Management Environment
# Provides automatic generation of SSL/TLS certificates from Let's Encrypt
# and any other ACME-based CA.
# Default: false (need to provide `cert_file` and `key_file`)
auto: false
# Email optionally specifies a contact email address.
# This is used by CAs, such as Let's Encrypt, to notify about problems with
# issued certificates.
email: [email protected]
# Pair or files: the certificate and the key.
# Used by LoadX509KeyPair to read and parse a public/private key pair from a
# pair of files. The files must contain PEM encoded data. The certificate
# file may contain intermediate certificates following the leaf certificate
# to form a certificate chain.
cert_file: ~
key_file: ~
# WARNING: INTERNAL SERVER BEHAVIOUR
override:
# CipherSuites is a list of supported cipher suites for TLS versions up to
# TLS 1.2. If CipherSuites is nil, a default list of secure cipher suites
# is used, with a preference order based on hardware performance. The
# default cipher suites might change over Go versions. Note that TLS 1.3
# ciphersuites are not configurable.
#
# Value Description DLTS-OK IANA Recommended
# ------------------------------------------------------------------------------------
# TLS 1.0 - 1.2 cipher suites.
# 5 = TLS_RSA_WITH_RC4_128_SHA N N
# 10 = TLS_RSA_WITH_3DES_EDE_CBC_SHA Y N
# 47 = TLS_RSA_WITH_AES_128_CBC_SHA Y N
# 53 = TLS_RSA_WITH_AES_256_CBC_SHA Y N
# 60 = TLS_RSA_WITH_AES_128_CBC_SHA256 Y N
# 156 = TLS_RSA_WITH_AES_128_GCM_SHA256 Y N
# 157 = TLS_RSA_WITH_AES_256_GCM_SHA384 Y N
# 49159 = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA N N
# 49161 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Y N
# 49162 = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Y N
# 49169 = TLS_ECDHE_RSA_WITH_RC4_128_SHA N N
# 49170 = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Y N
# 49171 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Y N
# 49172 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Y N
# 49187 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Y N
# 49191 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Y N
# 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Y Y
# 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Y Y
# 49200 = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Y Y
# 49196 = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Y Y
# 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Y Y
# 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 Y Y
# 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Y Y
# 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 Y Y
#
# TLS 1.3 cipher suites.
# 4865 = TLS_AES_128_GCM_SHA256 Y Y
# 4866 = TLS_AES_256_GCM_SHA384 Y Y
# 4867 = TLS_CHACHA20_POLY1305_SHA256 Y Y
#
# TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
# that the client is doing version fallback. See RFC 7507.
# 22016 = TLS_FALLBACK_SCSV Y N
#
# More details on:
# https://www.iana.org/assignments/tls-parameters/tls-parameters.xml
# https://blogs.sap.com/2018/12/09/perfect-forward-secrecy-and-how-to-choose-pfs-based-cipher-suites/
ciphersuites:
- 49200 # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- 49196 # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- 52393 # TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- 52392 # TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# needed by HTTP/2
- 4865 # TLS_AES_128_GCM_SHA256
- 49199 # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- 49195 # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# MinVersion contains the minimum TLS version that is acceptable.
# If zero, TLS 1.0 is currently taken as the minimum.
# 769 = VersionTLS10
# 770 = VersionTLS11
# 771 = VersionTLS12
# 772 = VersionTLS13
minversion: 771 # VersionTLS12
# MaxVersion contains the maximum TLS version that is acceptable.
# If zero, the maximum version supported by this package is used,
# which is currently TLS 1.3.
# 769 = VersionTLS10
# 770 = VersionTLS11
# 771 = VersionTLS12
# 772 = VersionTLS13
maxversion: 772 # VersionTLS13
# CurvePreferences contains the elliptic curves that will be used in
# an ECDHE handshake, in preference order. If empty, the default will
# be used. The client will use the first preference as the type for
# its key share in TLS 1.3. This may change in the future.
# CurveID is the type of a TLS identifier for an elliptic curve. See
# https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8.
#
# In TLS 1.3, this type is called NamedGroup, but at this time this library
# only supports Elliptic Curve based groups. See RFC 8446, Section 4.2.7.
# 23 = CurveP256
# 24 = CurveP384
# 25 = CurveP521
# 29 = X25519
#
# Only use curves which have assembly implementations
# https://github.com/golang/go/tree/master/src/crypto/elliptic
curvepreferences:
- 23 # CurveP256
# --- TIMEOUT
timeout:
# It is the maximum duration for reading the entire request, including the
# body.
# Because it does not let Handlers make per-request decisions on each
# request body's acceptable deadline or upload rate, most users will prefer
# to use `read_header`. It is valid to use them both.
read: 5s
# It is the amount of time allowed to read request headers. The connection's
# read deadline is reset after reading the headers and the Handler can
# decide what is considered too slow for the body. If it is zero, the value
# of `read` is used. If both are zero, there is no timeout.
read_header: 2s
# It is the maximum duration before timing out writes of the response. It is
# reset whenever a new request's header is read. Like `read`, it does not
# let Handlers make decisions on a per-request basis.
write: 5s
# It is the maximum amount of time to wait for the next request when
# keep-alives are enabled. If is zero, the value of `read` is used. If both
# ara zero, there is no timeout.
idle: 20s
# It runs the handler with the given time limit.
handler: 5s
# --- FORWARDING
upstream:
# Hostname to be used for requests forwarding.
host: ~
# Port to be used for requests forwarding.
# Default: incoming connection.
# Values: 80, 443.
port: 443
# Endpoint scheme to be used when forwarding traffic.
# Default: incoming connection.
# Values: http, https, ws, wss.
scheme: ~
# Load Balancing Algorithm to be used when present multiple endpoints.
# Default: round-robin
# Allowed formats: ip-hash, least-connections, random, round-robin.
balancing_algorithm: round-robin
# List of IPs/Hostnames to be used as load balanced backend servers.
# They'll be selected using the chosen algorithm (or round-robin).
# Allowed formats: IPv4, IPv4:port
endpoints:
- 127.0.0.1
- 127.0.1.2:443
# Forces redirect from HTTP to HTTPS.
# Default: false
http_to_https: true
# This allows to have communication between the proxy and the upstream in
# case of invalid TLS certificate.
# Can be disabled in the global config.
# Default: false
insecure_bridge: false
# Status code to be used when redirecting HTTP to HTTPS.
# Default: 301
redirect_status_code: 301
health_check:
# Status codes for healthy node.
# A list of space-separated status codes.
status_codes:
- 200
# Timeout request time.
timeout: ~
# Interval frequency for health checks.
interval: ~
# Port to be used for requests forwarding.
# Default: incoming connection.
# Values: 80, 443.
port: 443
# Fallback scheme if endpoint doesn't provide it.
scheme: https
# Allow healthchecks on self-signed TLS certificates (or expired/invalid).
# Default: false
allow_insecure: false
# --- CACHE
cache:
# --- REDIS SERVER
hosts:
- localhost:6379
password: ~
db: 0
# --- TTL
# Fallback storage TTL when saving the cache when no header is specified.
# It follows the order:
# - If the cache is shared and the s-maxage response directives present, use
# its value, or
# - If the max-age response directive is present, use its value, or
# - If the Expires response header field is present, use its value minus the
# value of the Date response header field, or
# - Otherwise, no explicit expiration time is present in the response.
# A heuristic freshness lifetime might be applicable.
# Default: 0
ttl: 0
# --- ALLOWED VALUES
# Allows caching for different response codes.
# Default: 200, 301, 302
allowed_statuses:
- 200
- 301
- 302
# Allows caching for different HTTP methods.
# If the client request method is listed in this directive then the response
# will be cached. "GET" and "HEAD" methods are always added to the list,
# though it is recommended to specify them explicitly.
# Default: HEAD, GET
allowed_methods:
- HEAD
- GET
# --- CIRCUIT BREAKER
# WARNING: INTERNAL SERVER BEHAVIOUR
circuit_breaker:
# Will start evaluating the failures after n requests as defined by the
# threshold.
threshold: 0
# It'll open the circuit after `threshold` requests which are greater or
# equal to the failure rate defined
# (total failures / total requests).
failurerate: 0
# Interval is the cyclic period of the closed state
# for the CircuitBreaker to clear the internal Counts.
# If Interval is 0, the CircuitBreaker doesn't clear internal Counts during
# the closed state.
interval: 0s
# Timeout is the period of the open state,
# after which the state of the CircuitBreaker becomes half-open.
# If Timeout is 0, the timeout value of the CircuitBreaker is set to 60
# seconds.
timeout: 0s
# MaxRequests is the maximum number of requests allowed to pass through
# when the CircuitBreaker is half-open.
# If MaxRequests is 0, the CircuitBreaker allows only 1 request.
maxrequests: 0
# --- LOG
log:
# Ref: https://golang.org/src/time/format.go
time_format: "2006/01/02 15:04:05"
# Available variables:
# - $host = request host
# - $remote_addr = request remote addr
# - $remote_user = -
# - $time_local = local time with format of `time_format`
# - $protocol = protocol
# - $request_method = method
# - $request = full URI
# - $status = status code
# - $body_bytes_sent = number of bytes in content body
# - $http_referer = referer
# - $http_user_agent = user agent
# - $cached_status = cache flag
# - $cached_status_label = cached flag label (HIT/MISS/STALE)
format: $host - $remote_addr - $remote_user $protocol $request_method "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $cached_status
# Sentry DSN
# All errors will be tracked and sent to Sentry.
# Logged levels: warning, error, fatal, panic.
# Default (empty)
sentry_dsn: ~
# Syslog Protocol
# If no protocol and no endpoint is specified, all the logs will be sent to
# the local syslog.
# Default (empty)
syslog_protocol: ~
# Syslog Endpoint
# If no protocol and no endpoint is specified, all the logs will be sent to
# the local syslog.
# All errors will be tracked and sent to syslog.
# Logged levels: warning, error, critical, alert, emergency.
# Default (empty)
syslog_endpoint: ~
# --- TRACING
tracing:
# Endpoint for Local Jaeger Agent (eg: jaeger:6831)
jaeger_endpoint: ~
# Enable/Disable the tracing.
enabled: false
# Set the sampling ratio for tracing (float).
# Default: 1.0
sampling_ratio: 1.0
# --- JWT (careful, setting JWT config here affects all domains)
# jwt:
# # A list of paths.
# excluded_paths:
# - /
# # A list of scopes to be allowed.
# allowed_scopes:
# - scope1
# - scope2
# # The JSON Web Key Set (JWKS) URL where it is stored the the public keys used to verify the JSON Web Token (JWT).
# jwks_url: ~
# # Time in minutes that takes for JWKS to refresh automatically
# jwks_refresh_interval: 15
### PER DOMAIN CONFIGURATION OVERRIDE
################################################################################
domains:
example_com:
server:
upstream:
host: example.com
example_org:
server:
upstream:
host: example.org