-
Notifications
You must be signed in to change notification settings - Fork 197
/
Copy pathconfig.toml
344 lines (292 loc) · 14.3 KB
/
config.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
# sozu proxy test config file
# top level options
# path to a file sozu can use to load an initial configuration state for its
# routing. You can generate this file from sozu's current routing by running
# the command `sozu state save -f state.json`
# this must be RELATIVE to config.toml
# saved_state = "./state.json"
# save the configuration to the saved_state file every time we receive a
# configuration message on the configuration socket
# defaults to false, and will not work if the 'saved_state' option is not set
# automatic_state_save = false
# logging verbosity. Possible values are "error", "warn", "info", "debug" and
# "trace". For performance reasons, the logs at "debug" or "trace" level are
# not compiled by default. To activate them, pass the "logs-debug" and
# "logs-trace" compilation options to cargo
log_level = "info"
# where the logs will be sent. It defaults to sending the logs on standard output,
# but they could be written to a UDP address:
# log_target = "udp://127.0.0.1:9876"
# to a TCP address:
# log_target = "tcp://127.0.0.1:9876"
# to a unix socket
# log_target = "unix:///var/sozu/logs
# to a file
# log_target = "file:///var/log/sozu.log"
# to_stdout
log_target = "stdout"
# optional different target for access logs (IP addresses, domains, URI, HTTP status, etc)
# It supports the same options as log_target
# access_logs_target = "file:///var/logs/sozu-access.log"
# format of the access logs. Defaults to ascii.
# - ascii
# - protobuf (defined in [sozu_command_lib::proto::command::ProtobufAccessLog])
# access_logs_format = "ascii"
# path to the unix socket file used to send commands to sozu
# default value points to "sozu.sock" file in the current directory
command_socket = "./sozu.sock"
# size in bytes of the buffer used by the command socket protocol. If the message
# sent to sozu is too large, or the data that sozu must return is too large, the
# buffer will grow up to max_command_buffer_size. If the buffer is still not large
# enough sozu will close the connection
# defaults to 1000000
command_buffer_size = 16384
# defaults to command_buffer_size * 2
max_command_buffer_size = 163840
# the number of worker processes that will handle traffic
# defaults to 2 workers
worker_count = 2
# indicates if workers should be automatically restarted if they crash / hang
# should be true for production and false for development
# defaults to true
worker_automatic_restart = true
# maximum time to wait for a worker to respond, until it is deemed NotAnswering (10 seconds).
# Beware that if this duration is bigger than ctl_command timeout (that defaults to 1 second),
# and if a worker is not responding,
# you may not receive a reply from Sōzu at all when doing "sozu status"
worker_timeout = 10
# indicates if worker process will be pinned on a core. If you activate this, be sure
# that you do not have more workers than CPU cores (and leave at least one core for
# the kernel and the main process)
handle_process_affinity = false
# maximum number of connections to a worker. If it reached that number and
# there are new connections available, the worker will accept and close them
# immediately to indicate it is too busy to handle traffic
# defaults to 10000 maximum connections
max_connections = 500
# maximum number of buffers in the pool used by the protocol implementations
# for active connections (ie currently serving a request). For now, you should
# estimate that max_buffers = number of concurrent requests * 2
# defaults to 1000
# max_buffers = 1000
# minimum number of buffers preallocated in the pool
# cannot be larger than max_buffers
# defaults to 1
# min_buffers = 1
# size of the buffers used by the protocol implementations. Each worker will
# preallocate max_buffers * 2 * buffer_size bytes, so you should plan for this
# memory usage. If you plan to use sozu's runtime upgrade feature, you should
# leave enough memory for one more worker (also for the kernel, etc), so total
# RAM should be larger than (worker count + 1) * max_buffers * 2 * buffer_size bytes
# defaults to 16393 (minimum size for HTTP/2 is a 16384 bytes frame + 9 bytes of header
buffer_size = 16393
# how much time (in milliseconds) sozu command line will wait for a command to complete.
# Defaults to 1000 milliseconds
# ctl_command_timeout = 1000
# PID file is a file containing the PID of the main process of sozu.
# It can be helpful to help systemd or any other service system to keep track
# of the main process across upgrades. PID file is not created unless this option
# is set or if SOZU_PID_FILE_PATH environment variable was defined at build time.
# pid_file_path = "/run/sozu/sozu.pid"
# maximum time of inactivity for a frontend socket, in seconds
# defaults to 60 seconds, can be specified at the listener level
# front_timeout = 60
# maximum time of inactivity for a backend socket, in seconds
# defaults to 30 seconds, can be specified at the listener level
# back_timeout = 30
# maximum time to connect to a backend server, in seconds
# defaults to 3 seconds, can be specified at the listener level
# connect_timeout = 3
# maximum time to receive a request since the connection started
# defaults to 10 seconds, can be specified at the listener level
# request_timeout = 10
#
# duration between zombie checks, in seconds
# defaults to 30 minutes
# in case of bugs in sozu's event loop and protocol implementations, some client
# sessions could be stuck, not receiving any more event, and consuming resources.
# sozu verifies regularly if there are such zombie sessions, logs their state
# and removes them
# zombie_check_interval = 1800
# by default, all listeners start a TCP listen socket o startup
# if set to false, this option will prevent them from listening. You can then add
# the complete configuration, and send an ActivateListener message afterwards
activate_listeners = true
# various statistics can be sent to a server that supports the statsd protocol
# You can see those statistics with the command line, like this: `sozu metrics get` or
# `sozu metrics get --json` for machine consumption
#
#[metrics]
# address = "127.0.0.1:8125"
# use InfluxDB's statsd protocol flavor to add tags
# tagged_metrics = false
# metrics key prefix
# prefix = "sozu"
# by default, sozu register metrics for clusters, unless you want to spare ressources
# disable_cluster_metrics = true
# Listeners
# configuration options specific to a TCP listen socket
# Example for a HTTP (plaintext) listener
[[listeners]]
protocol = "http"
# listening address
address = "0.0.0.0:8080"
# specify a different IP than the one the socket sees, for logs and forwarded headers
# this option is incompatible with expect_proxy
# public_address = "1.2.3.4:80"
# For details about custom HTTP answers, see `doc/configure.md`,
# and for defaults, check out `/lib/src/protocol/kawa_h1/answers.rs`
# a 401 response is sent when a frontend has a Deny rule
# answer_401 = "/absolute/path/to/custom_401.http"
# a 404 response is sent when sozu does not know about the requested domain or path
# answer_404 = "/absolute/path/to/custom_404.http"
# a 408 response is sent when a frontend has a Deny rule (unusual)
# answer_408 = "/absolute/path/to/custom_408.http"
# a 413 response is sent when a request was too large
# answer_413 = "/absolute/path/to/custom_413.http"
# a 502 response means the response sent by a backend could not be parsed by Sōzu
# answer_502 = "/absolute/path/to/custom_502.http"
# a 503 response is sent if there are no backend servers available
# answer_503 = "/absolute/path/to/custom_503.http"
# a 504 response means the backend timed out
# answer_504 = "/absolute/path/to/custom_504.http"
# a 507 response occurs when the response sent by a backend is too big
# answer_507 = "/absolute/path/to/custom_507.http"
# defines the sticky session cookie's name, if `sticky_session` is activated for
# a cluster. Defaults to "SOZUBALANCEID"
# sticky_name = "SOZUBALANCEID"
#
# Configures the client socket to receive a PROXY protocol header
# this option is incompatible with public_address
# expect_proxy = false
# Example for a HTTPS listener
[[listeners]]
protocol = "https"
# listening address
address = "0.0.0.0:8443"
# specify a different IP than the one the socket sees, for logs and forwarded headers
# this option is incompatible with expect_proxy
# public_address = "1.2.3.4:80"
# For details about custom HTTP answers, see `doc/configure.md`,
# and for defaults, check out `/lib/src/protocol/kawa_h1/answers.rs`
# a 401 response is sent when a frontend has a Deny rule
# answer_401 = "/absolute/path/to/custom_401.http"
# a 404 response is sent when sozu does not know about the requested domain or path
# answer_404 = "/absolute/path/to/custom_404.http"
# a 408 response is sent when a frontend has a Deny rule (unusual)
# answer_408 = "/absolute/path/to/custom_408.http"
# a 413 response is sent when a request was too large
# answer_413 = "/absolute/path/to/custom_413.http"
# a 502 response means the response sent by a backend could not be parsed by Sōzu
# answer_502 = "/absolute/path/to/custom_502.http"
# a 503 response is sent if there are no backend servers available
# answer_503 = "/absolute/path/to/custom_503.http"
# a 504 response means the backend timed out
# answer_504 = "/absolute/path/to/custom_504.http"
# a 507 response occurs when the response sent by a backend is too big
# answer_507 = "/absolute/path/to/custom_507.http"
# defines the sticky session cookie's name, if `sticky_session` is activated for
# a cluster. Defaults to "SOZUBALANCEID"
# sticky_name = "SOZUBALANCEID"
# Configures the client socket to receive a PROXY protocol header
# this option is incompatible with public_address
# expect_proxy = false
# Supported TLS versions. Possible values are "SSL_V2", "SSL_V3", "TLSv1", "TLS_V11", "TLS_V12", "TLS_V13".
# Defaults to `["TLS_V12", "TLS_V13"]`. Besides, `rustls` tls provider only support "TLS_V12" and "TLS_V13" values.
tls_versions = ["TLS_V12", "TLS_V13"]
# TLS ciphers considered as secure can be retrieved on the ANSSI document located here:
# https://www.ssi.gouv.fr/uploads/2020/03/anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf
#
# When using `Rustls` TLS provider:
# * Sets the lists of availables ciphers (TLSv1.2 and TLSv1.3). Supported ciphers names are specified at
# https://docs.rs/rustls/latest/rustls/static.ALL_CIPHER_SUITES.html
#
cipher_list = [
# TLS 1.3 cipher suites
"TLS13_AES_256_GCM_SHA384",
"TLS13_AES_128_GCM_SHA256",
"TLS13_CHACHA20_POLY1305_SHA256",
# TLS 1.2 cipher suites
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]
# default certificate and key
# in case you want to set up TLS without SNI, you can define the default
# certificate here
#certificate = "../lib/assets/cert_test.pem"
#key = "../lib/assets/key_test.pem"
#certificate_chain = "../lib/assets/certificate_chain.pem"
# Number of TLS 1.3 tickets to send to a client when establishing a connection.
# The tickets allow the client to resume a session. This protects the client
# agains session tracking. Increases the number of getrandom syscalls,
# with little influence on performance. Defaults to 4.
# send_tls13_tickets = 4
# options specific to a TCP proxy listener
#[[listeners]]
# protocol = "tcp"
# address = "127.0.0.1:8081"
#
# specify a different IP than the one the socket sees, for logs and forwarded headers
# this option is incompatible with expect_proxy
# public_address = "1.2.3.4:81"
#
# Configures the client socket to receive a PROXY protocol header
# this option is incompatible with public_address
# expect_proxy = false
# static configuration for cluster
#
# A cluster is a set of frontends, routing rules, and backends.
# These clusters will be routed by sozu directly from start
[clusters]
# every cluster has a "cluster id", here it is "MyCluster"
# this is an example of a routing configuration for the HTTP and HTTPS proxies
[clusters.MyCluster]
# the protocol option indicates if we will use HTTP or TCP proxying
# possible options are "http" or "tcp"
protocol = "http"
# per cluster load balancing algorithm. The possible values are
# "ROUND_ROBIN", "RANDOM", "LEAST_LOADED" and "POWER_OF_TWO". Defaults to "ROUND_ROBIN"
load_balancing = "ROUND_ROBIN"
# metric evaluating the load on the backend. available options: connections, requests, connection_time
# load_metric = "connections"
# frontends configuration
# this specifies which listeners; domains, certificates that will be configured for a cluster
# each element of the array must be specified on one line (toml format limitation)
# possible frontend options:
# - address: TCP listener
# - hostname: host name of the cluster
# - path = "/api" # optional. A routing rule for incoming requests. The path of the request must match it. Can be a prefix (default), a regex, or a strictly equal path.
# - path_type = PREFIX | REGEX | EQUALS # defaults to PREFIX
# - sticky_session = false # activates sticky sessions for this cluster
# - https_redirect = false # activates automatic redirection to HTTPS for this cluster
# - custom_tag: a tag to retrieve a frontend with the CLI or in the logs
frontends = [
{ address = "0.0.0.0:8080", hostname = "lolcatho.st", tags = { key = "value" }, path = "/api" },
# HTTPS frontends also have an optional `tls_versions` key like the HTTPS listeners
{ address = "0.0.0.0:8443", hostname = "lolcatho.st", tags = { key = "value" }, certificate = "../lib/assets/certificate.pem", key = "../lib/assets/key.pem", certificate_chain = "../lib/assets/certificate_chain.pem" },
]
# backends configuration
# this indicates the backend servers used by the cluster
# possible options:
# - address: IP and port of the backend server
# - weight: weight used by the load balancing algorithm
# - sticky-id: sticky session identifier
backends = [
{ address = "127.0.0.1:1026", backend_id = "the-backend-to-my-app" }
]
# this is an example of a routing configuration for the TCP proxy
[clusters.TcpTest]
protocol = "tcp"
frontends = [
{ address = "0.0.0.0:8081", tags = { owner = "John", uuid = "3f740af1-45fd-45ce-b61f-17bf1a51505f" } }
]
# activates the proxy protocol to send IP information to the backend
# send_proxy = false
backends = [
{ address = "127.0.0.1:4000", weight = 100 },
{ address = "127.0.0.1:4001", weight = 50 }
]