
核心配置

配置简介

bfe.conf 是 BFE 的核心配置文件,包含服务基础配置(监听端口、超时、各数据文件路径、启用模块)、TLS 基础配置(证书、加密套件、椭圆曲线、客户端 CA)以及 TLS 会话复用(Session Cache / Session Ticket)相关配置。

配置描述

服务基础配置

配置项 描述
Server.HttpPort Integer
HTTP监听端口
默认值8080
Server.HttpsPort Integer
HTTPS(TLS)监听端口
默认值8443
Server.MonitorPort Integer
Monitor监听端口
默认值8421
Server.MonitorEnabled Boolean
Monitor服务器是否开启; Monitor端口用于暴露BFE内部运行状态,建议仅在内网开放或通过防火墙限制访问
默认值True
Server.MaxCpus Integer
最大使用CPU核数; 0代表使用所有CPU核
默认值0
Server.Layer4LoadBalancer String
四层负载均衡器类型(PROXY/NONE); PROXY表示前置四层负载均衡器通过PROXY protocol传递真实客户端地址。注意:该模式下BFE信任对端发送的PROXY protocol头,因此仅应在BFE只能被受信任的四层负载均衡器直接访问时启用,否则客户端地址可能被伪造
默认值NONE
Server.TlsHandshakeTimeout Integer
TLS握手超时时间,单位为秒
默认值30
Server.ClientReadTimeout Integer
读客户端超时时间,单位为秒
默认值60
Server.ClientWriteTimeout Integer
写客户端超时时间,单位为秒
默认值60
Server.GracefulShutdownTimeout Integer
优雅退出超时时间,单位为秒,最大300秒
默认值10
Server.KeepAliveEnabled Boolean
与用户端连接是否启用HTTP KeepAlive
默认值True
Server.MaxHeaderBytes Integer
请求头部的最大长度,单位为Byte
默认值1048576
Server.MaxHeaderUriBytes Integer
请求头部URI的最大长度,单位为Byte
默认值8192
Server.HostRuleConf String
租户域名表配置文件路径
默认值server_data_conf/host_rule.data
Server.VipRuleConf String
租户VIP表配置文件路径
默认值server_data_conf/vip_rule.data
Server.RouteRuleConf String
转发规则配置文件路径
默认值server_data_conf/route_rule.data
Server.ClusterConf String
后端集群相关配置文件路径
默认值server_data_conf/cluster_conf.data
Server.GslbConf String
子集群级别负载均衡配置文件(GSLB)路径
默认值cluster_conf/gslb.data
Server.ClusterTableConf String
实例级别负载均衡配置文件路径
默认值cluster_conf/cluster_table.data
Server.NameConf String
名字与实例映射表配置文件路径
默认值server_data_conf/name_conf.data
Server.Modules String
启用的模块列表; 启用多个模块请增加多行Modules配置,参见配置示例
默认值空
Server.MonitorInterval Integer
Monitor数据统计周期,单位为秒
默认值20
Server.DebugServHttp Boolean
是否开启反向代理模块调试日志
默认值False
Server.DebugBfeRoute Boolean
是否开启流量路由模块调试日志
默认值False
Server.DebugBal Boolean
是否开启负载均衡模块调试日志
默认值False
Server.DebugHealthCheck Boolean
是否开启健康检查模块调试日志
默认值False

TLS基础配置

配置项 描述
HttpsBasic.ServerCertConf String
服务端证书与密钥的配置文件路径
默认值tls_conf/server_cert_conf.data
HttpsBasic.TlsRuleConf String
TLS协议参数配置文件路径
默认值tls_conf/tls_rule_conf.data
HttpsBasic.CipherSuites String
启用的加密套件列表; 启用多个套件请增加多行CipherSuites配置,详见示例。注意:默认列表中包含RC4套件(已被RFC 7465禁止)、使用SHA-1 MAC的CBC套件以及不具备前向保密的TLS_RSA_*套件,生产环境建议仅保留ECDHE+AEAD(AES-GCM / ChaCha20-Poly1305)套件
默认值TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
HttpsBasic.CurvePreferences String
启用的ECC椭圆曲线,详见示例
默认值CurveP256
HttpsBasic.EnableSslv2ClientHello Boolean
针对SSLv3协议,启用对SSLv2格式ClientHello的兼容; 仅用于兼容极旧的客户端,若无此类客户端建议关闭以减少攻击面
默认值True
HttpsBasic.ClientCABaseDir String
客户端根CA证书基目录; 注意:证书文件后缀约定必须是 ".crt"
默认值tls_conf/client_ca
SessionCache.SessionCacheDisabled Boolean
是否禁用TLS Session Cache机制
默认值False
SessionCache.Servers String
Cache服务的访问地址; 该服务中存储的TLS会话信息可用于恢复会话,Cache服务应部署在受信任网络并限制访问
默认值无
SessionCache.KeyPrefix String
缓存key前缀
默认值bfe
SessionCache.ConnectTimeout Integer
连接Cache服务的超时时间, 单位毫秒
默认值50
SessionCache.ReadTimeout Integer
读取Cache服务的超时时间, 单位毫秒
默认值50
SessionCache.WriteTimeout Integer
写入Cache服务的超时时间, 单位毫秒
默认值50
SessionCache.MaxIdle Integer
与Cache服务的最大空闲长连接数
默认值20
SessionCache.SessionExpire Integer
存储在Cache服务中会话信息的过期时间, 单位秒
默认值3600
SessionTicket.SessionTicketsDisabled Boolean
是否禁用TLS Session Ticket
默认值True
SessionTicket.SessionTicketKeyFile String
Session Ticket Key配置文件路径; 该密钥用于加密/解密会话票据,泄露后可恢复使用该密钥签发的会话,需严格保护文件权限并定期轮换
默认值tls_conf/session_ticket_key.data

配置示例

[Server]
# listen port for http request
HttpPort = 8080
# listen port for https request
HttpsPort = 8443
# listen port for monitor request
# NOTE(review): the monitor endpoint exposes internal state and is enabled
# by default (Server.MonitorEnabled); restrict this port to trusted networks
MonitorPort = 8421

# max number of CPUs to use (0 to use all CPUs)
MaxCpus = 0

# type of layer-4 load balancer (PROXY/NONE)
#
# Note:
# - PROXY: layer-4 balancer talking the proxy protocol
#          eg. F5 BigIP/Citrix ADC
# - NONE: layer-4 balancer disabled
#
# Security note: in PROXY mode the client address is taken from the proxy
# protocol header sent by the peer, so only enable it when BFE can be
# reached exclusively through the trusted layer-4 balancer; otherwise a
# direct client can forge its source address.
# The documented default is NONE; this sample uses an empty string --
# confirm with the config loader that both are treated the same.
Layer4LoadBalancer = ""

# tls handshake timeout, in seconds
# (bounds how long an idle/slow handshake can hold a connection open)
TlsHandshakeTimeout = 30

# read timeout, in seconds
ClientReadTimeout = 60

# write timeout, in seconds
ClientWriteTimeout = 60

# if false, client connection is shutdown disregard of http headers
KeepAliveEnabled = true

# timeout for graceful shutdown (maximum 300 sec)
GracefulShutdownTimeout = 10

# max header length in bytes in request
# (1 MiB; this bounds memory buffered per request for headers -- lower it
# if your backends never need headers this large)
MaxHeaderBytes = 1048576

# max URI(in header) length in bytes in request
MaxHeaderUriBytes = 8192

# routing related conf
HostRuleConf = server_data_conf/host_rule.data
VipRuleConf = server_data_conf/vip_rule.data
RouteRuleConf = server_data_conf/route_rule.data
ClusterConf = server_data_conf/cluster_conf.data

# load balancing related conf
GslbConf = cluster_conf/gslb.data
ClusterTableConf = cluster_conf/cluster_table.data

# naming related conf
NameConf = server_data_conf/name_conf.data

# modules enabled, one "Modules =" line per module
# NOTE(review): whether the order of these lines matters is not documented
# here -- confirm before reordering them
Modules = mod_trust_clientip
Modules = mod_block
Modules = mod_header
Modules = mod_rewrite
Modules = mod_redirect
Modules = mod_logid

# interval for get diff of proxy-state
MonitorInterval = 20

# debug flags -- keep false in production; debug logs are verbose
DebugServHttp = false
DebugBfeRoute = false
DebugBal = false
DebugHealthCheck = false

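[HttpsBasic]
# tls cert conf
ServerCertConf = tls_conf/server_cert_conf.data

# tls rule
TlsRuleConf = tls_conf/tls_rule_conf.data

# supported cipherSuites preference settings
#
# ciphersuites implemented in golang:
#     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
#     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#     TLS_ECDHE_RSA_WITH_RC4_128_SHA
#     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
#     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
#     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
#     TLS_RSA_WITH_RC4_128_SHA
#     TLS_RSA_WITH_AES_128_CBC_SHA
#     TLS_RSA_WITH_AES_256_CBC_SHA
#     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
#     TLS_RSA_WITH_3DES_EDE_CBC_SHA
#
# Note:
# -. Equivalent cipher suites (cipher suites with same priority in server side):
#    CipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#    CipherSuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# -. Security: the RC4 suites are prohibited by RFC 7465 and have been
#    dropped from the list below; 3DES suites are likewise legacy and are
#    not enabled. The remaining *_CBC_SHA suites use SHA-1 MACs and the
#    TLS_RSA_* suites provide no forward secrecy -- keep them only while
#    legacy clients still require them, and always list the ECDHE+AEAD
#    suites first so capable clients negotiate those.
#
CipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
CipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
CipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
CipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA
CipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA

# supported curve preference settings
#
# curves implemented in golang: 
#     CurveP256 
#     CurveP384 
#     CurveP521
#
# Note:
# - Do not use CurveP384/CurveP521 which is with poor performance
#
CurvePreferences=CurveP256

# support Sslv2 ClientHello for compatible with ancient 
# TLS capable clients (mozilla 5, java 5/6, openssl 0.9.8 etc)
# NOTE(review): this only exists for very old clients; set it to false
# unless such clients are known to connect, to reduce attack surface
EnableSslv2ClientHello = true

# base directory of client ca certificates
# Note: filename suffix of ca certificate file should be ".crt"
ClientCABaseDir = tls_conf/client_ca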

[SessionCache]
# disable tls session cache or not
# (this sample disables it; the documented default is false, i.e. enabled)
SessionCacheDisabled = true

# address of cache server
# NOTE(review): the cache holds TLS session state that can resume sessions,
# so the cache service must live on a trusted network with access control
Servers = "example.redis.cluster"

# prefix for cache key
KeyPrefix = "bfe"

# connection params (ms)
ConnectTimeout = 50
ReadTimeout = 50
WriteTimeout = 50

# max idle connections in connection pool
MaxIdle = 20

# expire time for tls session state (second)
# (bounds how long a cached session stays resumable; 3600 = 1 hour)
SessionExpire = 3600

[SessionTicket]
# disable tls session ticket or not
SessionTicketsDisabled = true
# session ticket key
# NOTE(review): this key encrypts/decrypts issued tickets; anyone holding it
# can resume sessions issued under it -- restrict file permissions and
# rotate the key regularly if tickets are enabled
SessionTicketKeyFile = tls_conf/session_ticket_key.data