核心配置
配置简介
bfe.conf是BFE的核心配置
配置描述
服务基础配置
| 配置项 | 描述 |
|---|---|
| Server.HttpPort | Integer HTTP监听端口 默认值8080 |
| Server.HttpsPort | Integer HTTPS(TLS)监听端口 默认值8443 |
| Server.MonitorPort | Integer Monitor监听端口 默认值8421 |
| Server.MonitorEnabled | Boolean Monitor服务器是否开启 默认值True |
| Server.MaxCpus | Integer 最大使用CPU核数; 0代表使用所有CPU核 默认值0 |
| Server.Layer4LoadBalancer | String 四层负载均衡器类型(PROXY/NONE) 默认值NONE |
| Server.TlsHandshakeTimeout | Integer TLS握手超时时间,单位为秒 默认值30 |
| Server.ClientReadTimeout | Integer 读客户端超时时间,单位为秒 默认值60 |
| Server.ClientWriteTimeout | Integer 写客户端超时时间,单位为秒 默认值60 |
| Server.GracefulShutdownTimeout | Integer 优雅退出超时时间,单位为秒,最大300秒 默认值10 |
| Server.KeepAliveEnabled | Boolean 与用户端连接是否启用HTTP KeepAlive 默认值True |
| Server.MaxHeaderBytes | Integer 请求头部的最大长度,单位为Byte 默认值1048576 |
| Server.MaxHeaderUriBytes | Integer 请求头部URI的最大长度,单位为Byte 默认值8192 |
| Server.HostRuleConf | String 租户域名表配置文件路径 默认值server_data_conf/host_rule.data |
| Server.VipRuleConf | String 租户VIP表配置文件路径 默认值server_data_conf/vip_rule.data |
| Server.RouteRuleConf | String 转发规则配置文件路径 默认值server_data_conf/route_rule.data |
| Server.ClusterConf | String 后端集群相关配置文件路径 默认值server_data_conf/cluster_conf.data |
| Server.GslbConf | String 子集群级别负载均衡配置文件(GSLB)路径 默认值cluster_conf/gslb.data |
| Server.ClusterTableConf | String 实例级别负载均衡配置文件路径 默认值cluster_conf/cluster_table.data |
| Server.NameConf | String 名字与实例映射表配置文件路径 默认值server_data_conf/name_conf.data |
| Server.Modules | String 启用的模块列表; 启用多个模块请增加多行Modules配置,参见配置示例 默认值空 |
| Server.MonitorInterval | Integer Monitor数据统计周期,单位为秒 默认值20 |
| Server.DebugServHttp | Boolean 是否开启反向代理模块调试日志 默认值False |
| Server.DebugBfeRoute | Boolean 是否开启流量路由模块调试日志 默认值False |
| Server.DebugBal | Boolean 是否开启负载均衡模块调试日志 默认值False |
| Server.DebugHealthCheck | Boolean 是否开启健康检查模块调试日志 默认值False |
TLS基础配置
| 配置项 | 描述 |
|---|---|
| HttpsBasic.ServerCertConf | String 服务端证书与密钥的配置文件路径 默认值tls_conf/server_cert_conf.data |
| HttpsBasic.TlsRuleConf | String TLS协议参数配置文件路径 默认值tls_conf/tls_rule_conf.data |
| HttpsBasic.CipherSuites | String 启用的加密套件列表; 启用多个套件请增加多行cipherSuites配置,详见示例 默认值TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA |
| HttpsBasic.CurvePreferences | String 启用的ECC椭圆曲线,详见示例 默认值CurveP256 |
| HttpsBasic.EnableSslv2ClientHello | Boolean 针对SSLv3协议,启用对SSLv2格式ClientHello的兼容 默认值True |
| HttpsBasic.ClientCABaseDir | String 客户端根CA证书基目录; 注意:证书文件后缀约定必须是 ".crt" 默认值tls_conf/client_ca |
| SessionCache.SessionCacheDisabled | Boolean 是否禁用TLS Session Cache机制 默认值False |
| SessionCache.Servers | String Cache服务的访问地址 默认值无 |
| SessionCache.KeyPrefix | String 缓存key前缀 默认值bfe |
| SessionCache.ConnectTimeout | Integer 连接Cache服务的超时时间, 单位毫秒 默认值50 |
| SessionCache.ReadTimeout | Integer 读取Cache服务的超时时间, 单位毫秒 默认值50 |
| SessionCache.WriteTimeout | Integer 写入Cache服务的超时时间, 单位毫秒 默认值50 |
| SessionCache.MaxIdle | Integer 与Cache服务的最大空闲长连接数 默认值20 |
| SessionCache.SessionExpire | Integer 存储在Cache服务中会话信息的过期时间, 单位秒 默认值3600 |
| SessionTicket.SessionTicketsDisabled | Boolean 是否禁用TLS Session Ticket 默认值True |
| SessionTicket.SessionTicketKeyFile | String Session Ticket Key配置文件路径 默认值tls_conf/session_ticket_key.data |
配置示例
[Server]
# listen port for http request
HttpPort = 8080
# listen port for https request
HttpsPort = 8443
# listen port for monitor request
MonitorPort = 8421
# max number of CPUs to use (0 to use all CPUs)
MaxCpus = 0
# type of layer-4 load balancer (PROXY/NONE)
#
# Note:
# - PROXY: layer-4 balancer talking the proxy protocol
# eg. F5 BigIP/Citrix ADC
# - NONE: layer-4 balancer disabled
Layer4LoadBalancer = ""
# tls handshake timeout, in seconds
TlsHandshakeTimeout = 30
# read timeout, in seconds
ClientReadTimeout = 60
# write timeout, in seconds
ClientWriteTimeout = 60
# if false, client connection is shutdown disregard of http headers
KeepAliveEnabled = true
# timeout for graceful shutdown (maximum 300 sec)
GracefulShutdownTimeout = 10
# max header length in bytes in request
MaxHeaderBytes = 1048576
# max URI(in header) length in bytes in request
MaxHeaderUriBytes = 8192
# routing related conf
HostRuleConf = server_data_conf/host_rule.data
VipRuleConf = server_data_conf/vip_rule.data
RouteRuleConf = server_data_conf/route_rule.data
ClusterConf = server_data_conf/cluster_conf.data
# load balancing related conf
GslbConf = cluster_conf/gslb.data
ClusterTableConf = cluster_conf/cluster_table.data
# naming related conf
NameConf = server_data_conf/name_conf.data
# moduels enabled
Modules = mod_trust_clientip
Modules = mod_block
Modules = mod_header
Modules = mod_rewrite
Modules = mod_redirect
Modules = mod_logid
# interval for get diff of proxy-state
MonitorInterval = 20
# debug flags
DebugServHttp = false
DebugBfeRoute = false
DebugBal = false
DebugHealthCheck = false
[HttpsBasic]
# tls cert conf
ServerCertConf = tls_conf/server_cert_conf.data
# tls rule
TlsRuleConf = tls_conf/tls_rule_conf.data
# supported cipherSuites preference settings
#
# ciphersuites implemented in golang:
# TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# TLS_ECDHE_RSA_WITH_RC4_128_SHA
# TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# TLS_RSA_WITH_RC4_128_SHA
# TLS_RSA_WITH_AES_128_CBC_SHA
# TLS_RSA_WITH_AES_256_CBC_SHA
# TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# TLS_RSA_WITH_3DES_EDE_CBC_SHA
#
# Note:
# -. Equivalent cipher suites (cipher suites with same priority in server side):
# CipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# CipherSuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
#
CipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
CipherSuites=TLS_ECDHE_RSA_WITH_RC4_128_SHA
CipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
CipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
CipherSuites=TLS_RSA_WITH_RC4_128_SHA
CipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA
CipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA
# supported curve perference settings
#
# curves implemented in golang:
# CurveP256
# CurveP384
# CurveP521
#
# Note:
# - Do not use CurveP384/CurveP521 which is with poor performance
#
CurvePreferences=CurveP256
# support Sslv2 ClientHello for compatible with ancient
# TLS capable clients (mozilla 5, java 5/6, openssl 0.9.8 etc)
EnableSslv2ClientHello = true
# base directory of client ca certificates
# Note: filename suffix of ca certificate file should be ".crt"
ClientCABaseDir = tls_conf/client_ca
[SessionCache]
# disable tls session cache or not
SessionCacheDisabled = true
# address of cache server
Servers = "example.redis.cluster"
# prefix for cache key
KeyPrefix = "bfe"
# connection params (ms)
ConnectTimeout = 50
ReadTimeout = 50
WriteTimeout = 50
# max idle connections in connection pool
MaxIdle = 20
# expire time for tls session state (second)
SessionExpire = 3600
[SessionTicket]
# disable tls session ticket or not
SessionTicketsDisabled = true
# session ticket key
SessionTicketKeyFile = tls_conf/session_ticket_key.data