# # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # PLEASE DO NOT UPDATE THIS FILE! # If you want to set the specified configuration value, you can set the new # value in the conf/config.yaml file. #
apisix: # node_listen: 9080 # APISIX listening port node_listen:# This style support multiple ports -9080 # - port: 9081 # enable_http2: true # If not set, the default value is `false`. # - ip: 127.0.0.2 # Specific IP, If not set, the default value is `0.0.0.0`. # port: 9082 # enable_http2: true enable_admin:true enable_admin_cors:true# Admin API support CORS response headers. enable_dev_mode:false# Sets nginx worker_processes to 1 if set to true enable_reuseport:true# Enable nginx SO_REUSEPORT switch if set to true. show_upstream_status_in_response_header:false# when true all upstream status write to `X-APISIX-Upstream-Status` otherwise only 5xx code enable_ipv6:true config_center:etcd# etcd: use etcd to store the config value # yaml: fetch the config value from local yaml file `/your_path/conf/apisix.yaml`
#proxy_protocol: # Proxy Protocol configuration #listen_http_port: 9181 # The port with proxy protocol for http, it differs from node_listen and admin_listen. # This port can only receive http request with proxy protocol, but node_listen & admin_listen # can only receive http request. If you enable proxy protocol, you must use this port to # receive http request with proxy protocol #listen_https_port: 9182 # The port with proxy protocol for https #enable_tcp_pp: true # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option #enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server enable_server_tokens:true# Whether the APISIX version number should be shown in Server header. # It's enabled by default.
# configurations to load third party code and/or override the builtin one. extra_lua_path:""# extend lua_package_path to load third party code extra_lua_cpath:""# extend lua_package_cpath to load third party code #lua_module_hook: "my_project.my_hook" # the hook module which will be used to inject third party code into APISIX
proxy_cache:# Proxy Caching configuration cache_ttl:10s# The default caching time in disk if the upstream does not specify the cache time zones:# The parameters of a cache -name:disk_cache_one# The name of the cache, administrator can specify # which cache to use by name in the admin api (disk|memory) memory_size:50m# The size of shared memory, it's used to store the cache index for # disk strategy, store cache content for memory strategy (disk|memory) disk_size:1G# The size of disk, it's used to store the cache data (disk) disk_path:/tmp/disk_cache_one# The path to store the cache data (disk) cache_levels:1:2# The hierarchy levels of a cache (disk) #- name: disk_cache_two # memory_size: 50m # disk_size: 1G # disk_path: "/tmp/disk_cache_two" # cache_levels: "1:2" -name:memory_cache memory_size:50m
allow_admin:# http://nginx.org/en/docs/http/ngx_http_access_module.html#allow -127.0.0.0/24# If we don't set any IP list, then any IP access is allowed by default. #- "::/64" #admin_listen: # use a separate port # ip: 127.0.0.1 # Specific IP, if not set, the default value is `0.0.0.0`. # port: 9180 #https_admin: true # enable HTTPS when use a separate port for Admin API. # Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate. admin_api_mtls:# Depends on `admin_listen` and `https_admin`. admin_ssl_cert:""# Path of your self-signed server side cert. admin_ssl_cert_key:""# Path of your self-signed server side key. admin_ssl_ca_cert:""# Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates.
admin_api_version:v3# The version of admin api, latest version is v3.
# Default token when use API to call for Admin API. # *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API. # Disabling this configuration item means that the Admin API does not # require any authentication. admin_key: - name:admin key:edd1c9f034335f136f87ad84b625c8f1 role:admin# admin: manage all configuration data # viewer: only can view configuration data - name:viewer key:4054f7cf07e344346cd3f287985e76a2 role:viewer
delete_uri_tail_slash:false# delete the '/' at the end of the URI # The URI normalization in servlet is a little different from the RFC's. # See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization, # which is used under Tomcat. # Turn this option on if you want to be compatible with servlet when matching URI path. normalize_uri_like_servlet:false router: http:radixtree_uri# radixtree_uri: match route by uri(base on radixtree) # radixtree_host_uri: match route by host + uri(base on radixtree) # radixtree_uri_with_parameter: like radixtree_uri but match uri with parameters, # see https://github.com/api7/lua-resty-radixtree/#parameters-in-path for # more details. ssl:radixtree_sni# radixtree_sni: match route by SNI(base on radixtree) #stream_proxy: # TCP/UDP proxy # only: true # use stream proxy only, don't enable HTTP stuff # tcp: # TCP proxy port list # - addr: 9100 # tls: true # - addr: "127.0.0.1:9101" # udp: # UDP proxy port list # - 9200 # - "127.0.0.1:9201" #dns_resolver: # If not set, read from `/etc/resolv.conf` # - 1.1.1.1 # - 8.8.8.8 #dns_resolver_valid: 30 # if given, override the TTL of the valid records. The unit is second. resolver_timeout:5# resolver timeout enable_resolv_search_opt:true# enable search option in resolv.conf ssl: enable:true listen:# APISIX listening port in https. -port:9443 enable_http2:true # - ip: 127.0.0.3 # Specific IP, If not set, the default value is `0.0.0.0`. # port: 9445 # enable_http2: true #ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format # used to verify the certificate when APISIX needs to do SSL/TLS handshaking # with external services (e.g. etcd) ssl_protocols:TLSv1.2TLSv1.3 ssl_ciphers:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl_session_tickets:false# disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless. # ref: https://github.com/mozilla/server-side-tls/issues/135
key_encrypt_salt:edd1c9f0985e76a2# If not set, will save origin ssl key into etcd. # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!
#fallback_sni: "my.default.domain" # If set this, when the client doesn't send SNI during handshake, the fallback SNI will be used instead enable_control:true #control: # ip: 127.0.0.1 # port: 9090 disable_sync_configuration_during_start:false# safe exit. Remove this once the feature is stable
nginx_config:# config for render the template to generate nginx.conf #user: root # specifies the execution user of the worker process. # the "user" directive makes sense only if the master process runs with super-user privileges. # if you're not root user,the default is current user. error_log:logs/error.log error_log_level:warn# warn,error worker_processes:auto# if you want use multiple cores in container, you can inject the number of cpu as environment variable "APISIX_WORKER_PROCESSES" enable_cpu_affinity:true# enable cpu affinity, this is just work well only on physical machine worker_rlimit_nofile:20480# the number of files a worker process can open, should be larger than worker_connections worker_shutdown_timeout:240s# timeout for a graceful shutdown of worker processes
max_pending_timers:16384# increase it if you see "too many pending timers" error max_running_timers:4096# increase it if you see "lua_max_running_timers are not enough" error
event: worker_connections:10620 #envs: # allow to get a list of environment variables # - TEST_ENV
meta: lua_shared_dict: prometheus-metrics:15m
stream: enable_access_log:false# enable access log or not, default false access_log:logs/access_stream.log access_log_format:"$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time" # create your custom log format by visiting http://nginx.org/en/docs/varindex.html access_log_format_escape:default# allows setting json or default characters escaping in variables lua_shared_dict: etcd-cluster-health-check-stream:10m lrucache-lock-stream:10m plugin-limit-conn-stream:10m
# As user can add arbitrary configurations in the snippet, # it is user's responsibility to check the configurations # don't conflict with APISIX. main_configuration_snippet:| # Add custom Nginx main configuration to nginx.conf. # The configuration should be well indented! http_configuration_snippet:| # Add custom Nginx http configuration to nginx.conf. # The configuration should be well indented! http_server_configuration_snippet:| # Add custom Nginx http server configuration to nginx.conf. # The configuration should be well indented! http_server_location_configuration_snippet:| # Add custom Nginx http server location configuration to nginx.conf. # The configuration should be well indented! http_admin_configuration_snippet:| # Add custom Nginx admin server configuration to nginx.conf. # The configuration should be well indented! http_end_configuration_snippet:| # Add custom Nginx http end configuration to nginx.conf. # The configuration should be well indented! stream_configuration_snippet:| # Add custom Nginx stream configuration to nginx.conf. # The configuration should be well indented!
http: enable_access_log:true# enable access log or not, default true access_log:logs/access.log access_log_format:"$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"" access_log_format_escape:default# allows setting json or default characters escaping in variables keepalive_timeout:60s# timeout during which a keep-alive client connection will stay open on the server side. client_header_timeout:60s# timeout for reading client request header, then 408 (Request Time-out) error is returned to the client client_body_timeout:60s# timeout for reading client request body, then 408 (Request Time-out) error is returned to the client client_max_body_size:0# The maximum allowed size of the client request body. # If exceeded, the 413 (Request Entity Too Large) error is returned to the client. # Note that unlike Nginx, we don't limit the body size by default.
send_timeout:10s# timeout for transmitting a response to the client.then the connection is closed underscores_in_headers:"on"# default enables the use of underscores in client request header fields real_ip_header:X-Real-IP# http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header real_ip_recursive:"off"# http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive real_ip_from:# http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from -127.0.0.1 -"unix:" #custom_lua_shared_dict: # add custom shared cache to nginx.conf # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size`
# Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) # when establishing a connection with the proxied HTTPS server. proxy_ssl_server_name:true upstream: keepalive:320# Sets the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process. # When this number is exceeded, the least recently used connections are closed. keepalive_requests:1000# Sets the maximum number of requests that can be served through one keepalive connection. # After the maximum number of requests is made, the connection is closed. keepalive_timeout:60s# Sets a timeout during which an idle keepalive connection to an upstream server will stay open. charset:utf-8# Adds the specified charset to the "Content-Type" response header field, see # http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset variables_hash_max_size:2048# Sets the maximum size of the variables hash table.
etcd: host:# it's possible to define multiple etcd hosts addresses of the same etcd cluster. -"http://127.0.0.1:2379"# multiple etcd address, if your etcd cluster enables TLS, please use https scheme, # e.g. https://127.0.0.1:2379. prefix:/apisix# apisix configurations prefix #timeout: 30 # 30 seconds #resync_delay: 5 # when sync failed and a rest is needed, resync after the configured seconds plus 50% random jitter #health_check_timeout: 10 # etcd retry the unhealthy nodes after the configured seconds startup_retry:2# the number of retry to etcd during the startup, default to 2 #user: root # root username for etcd #password: 5tHkHhYkjr6cQY # root password for etcd tls: # To enable etcd client certificate you need to build APISIX-Base, see # https://apisix.apache.org/docs/apisix/FAQ#how-do-i-build-the-apisix-base-environment #cert: /path/to/cert # path of certificate used by the etcd client #key: /path/to/key # path of key used by the etcd client
verify:true# whether to verify the etcd endpoint certificate when setup a TLS connection to etcd, # the default value is true, e.g. the certificate will be verified strictly. #sni: # the SNI for etcd TLS requests. If missed, the host part of the URL will be used.
# HashiCorp Vault storage backend for sensitive data retrieval. The config shows an example of what APISIX expects if you # wish to integrate Vault for secret (sensetive string, public private keys etc.) retrieval. APISIX communicates with Vault # server HTTP APIs. By default, APISIX doesn't need this configuration. # vault: # host: "http://0.0.0.0:8200" # The host address where the vault server is running. # timeout: 10 # request timeout 30 seconds # token: root # Authentication token to access Vault HTTP APIs # prefix: kv/apisix # APISIX supports vault kv engine v1, where sensitive data are being stored # and retrieved through vault HTTP APIs. enabling a prefix allows you to better enforcement of # policies, generate limited scoped tokens and tightly control the data that can be accessed # from APISIX.
#discovery: # service discovery center # dns: # servers: # - "127.0.0.1:8600" # use the real address of your dns server # eureka: # host: # it's possible to define multiple eureka hosts addresses of the same eureka cluster. # - "http://127.0.0.1:8761" # prefix: /eureka/ # fetch_interval: 30 # default 30s # weight: 100 # default weight for node # timeout: # connect: 2000 # default 2000ms # send: 2000 # default 2000ms # read: 5000 # default 5000ms # nacos: # host: # - "http://${username}:${password}@${host1}:${port1}" # prefix: "/nacos/v1/" # fetch_interval: 30 # default 30 sec # weight: 100 # default 100 # timeout: # connect: 2000 # default 2000 ms # send: 2000 # default 2000 ms # read: 5000 # default 5000 ms # consul_kv: # servers: # - "http://127.0.0.1:8500" # - "http://127.0.0.1:8600" # prefix: "upstreams" # skip_keys: # if you need to skip special keys # - "upstreams/unused_api/" # timeout: # connect: 2000 # default 2000 ms # read: 2000 # default 2000 ms # wait: 60 # default 60 sec # weight: 1 # default 1 # fetch_interval: 3 # default 3 sec, only take effect for keepalive: false way # keepalive: true # default true, use the long pull way to query consul servers # default_server: # you can define default server when missing hit # host: "127.0.0.1" # port: 20999 # metadata: # fail_timeout: 1 # default 1 ms # weight: 1 # default 1 # max_fails: 1 # default 1 # dump: # if you need, when registered nodes updated can dump into file # path: "logs/consul_kv.dump" # expire: 2592000 # unit sec, here is 30 day # kubernetes: # service: # schema: https #apiserver schema, options [http, https], default https # host: ${KUBERNETES_SERVICE_HOST} #apiserver host, options [ipv4, ipv6, domain, environment variable], default ${KUBERNETES_SERVICE_HOST} # port: ${KUBERNETES_SERVICE_PORT} #apiserver port, options [port number, environment variable], default ${KUBERNETES_SERVICE_PORT} # client: # # serviceaccount token or path of serviceaccount token_file # token_file: ${KUBERNETES_CLIENT_TOKEN_FILE} # # token: |- # # eyJhbGciOiJSUzI1NiIsImtpZCI6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEif # # 6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEifeyJhbGciOiJSUzI1NiIsImtpZCI # # kubernetes discovery plugin support use namespace_selector # # you can use one of [equal, not_equal, match, not_match] filter namespace # namespace_selector: # # only save endpoints with namespace equal default # equal: default # # only save endpoints with namespace not equal default # #not_equal: default # # only save endpoints with namespace match one of [default, ^my-[a-z]+$] # #match: # #- default # #- ^my-[a-z]+$ # # only save endpoints with namespace not match one of [default, ^my-[a-z]+$ ] # #not_match: # #- default # #- ^my-[a-z]+$ # # kubernetes discovery plugin support use label_selector # # for the expression of label_selector, please refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/labels # label_selector: |- # first="a",second="b"
graphql: max_size:1048576# the maximum size limitation of graphql in bytes, default 1MiB
plugin_attr: log-rotate: interval:3600# rotate interval (unit: second) max_kept:168# max number of log files will be kept max_size:-1# max size bytes of log files to be rotated, size check would be skipped with a value less than 0 enable_compression:false# enable log file compression(gzip) or not, default false skywalking: service_name:APISIX service_instance_name:APISIXInstanceName endpoint_addr:http://127.0.0.1:12800 opentelemetry: trace_id_source:x-request-id resource: service.name:APISIX collector: address:127.0.0.1:4318 request_timeout:3 request_headers: Authorization:token batch_span_processor: drop_on_queue_full:false max_queue_size:1024 batch_timeout:2 inactive_timeout:1 max_export_batch_size:16 prometheus: export_uri:/apisix/prometheus/metrics metric_prefix:apisix_ enable_export_server:true export_addr: ip:127.0.0.1 port:9091 #metrics: # http_status: # # extra labels from nginx variables # extra_labels: # # the label name doesn't need to be the same as variable name # # below labels are only examples, you could add any valid variables as you need # - upstream_addr: $upstream_addr # - upstream_status: $upstream_status # http_latency: # extra_labels: # - upstream_addr: $upstream_addr # bandwidth: # extra_labels: # - upstream_addr: $upstream_addr server-info: report_ttl:60# live time for server info in etcd (unit: second) dubbo-proxy: upstream_multiplex_count:32 request-id: snowflake: enable:false snowflake_epoc:1609459200000# the starting timestamp is expressed in milliseconds data_machine_bits:12# data machine bit, maximum 31, because Lua cannot do bit operations greater than 31 sequence_bits:10# each machine generates a maximum of (1 << sequence_bits) serial numbers per millisecond data_machine_ttl:30# live time for data_machine in etcd (unit: second) data_machine_interval:10# lease renewal interval in etcd (unit: second) proxy-mirror: timeout:# proxy timeout in mirrored sub-request connect:60s read:60s send:60s # redirect: # https_port: 8443 # the default port for use by HTTP redirects to HTTPS
#deployment: # role: traditional # role_traditional: # config_provider: etcd # etcd: # host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster. # - "http://127.0.0.1:2379" # multiple etcd address, if your etcd cluster enables TLS, please use https scheme, # # e.g. https://127.0.0.1:2379. # prefix: /apisix # configuration prefix in etcd # timeout: 30 # 30 seconds
# Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License.
# log options log_level:"info"# the error log level, default is info, optional values are: # debug # info # warn # error # panic # fatal log_output:"stderr"# the output file path of error log, default is stderr, when # the file path is "stderr" or "stdout", logs are marshalled # plainly, which is more readable for human; otherwise logs # are marshalled in JSON format, which can be parsed by # programs easily.
log_rotate_output_path:""# rotate output path, the logs will be written in this file log_rotation_max_size:100# rotate max size, max size in megabytes of log file before it get rotated. It defaults to 100 log_rotation_max_age:0# rotate max age, max age of old log files to retain log_rotation_max_backups:0# rotate max backups, max numbers of old log files to retain
cert_file:"/etc/webhook/certs/cert.pem"# the TLS certificate file path. key_file:"/etc/webhook/certs/key.pem"# the TLS key file path.
http_listen:":8080"# the HTTP Server listen address, default is ":8080" https_listen:":8443"# the HTTPS Server listen address, default is ":8443" ingress_publish_service:""# the controller will use the Endpoint of this Service to # update the status information of the Ingress resource. # The format is "namespace/svc-name" to solve the situation that # the data plane and the controller are not deployed in the same namespace. ingress_status_address:[]# when there is no available information on the Service # used for publishing on the data plane, # the static address provided here will be # used to update the status information of Ingress. # When ingress-publish-service is specified at the same time, ingress-status-address is preferred. # For example, no available LB exists in the bare metal environment. enable_profiling:true# enable profiling via web interfaces # host:port/debug/pprof, default is true. apisix-resource-sync-interval:"300s"# Default interval for synchronizing Kubernetes resources to APISIX # Kubernetes related configurations. kubernetes: kubeconfig:""# the Kubernetes configuration file path, default is # "", so the in-cluster configuration will be used. resync_interval:"6h"# how long should apisix-ingress-controller # re-synchronizes with Kubernetes, default is 6h, # and the minimal resync interval is 30s. app_namespaces:["*"]# namespace list that controller will watch for resources, # by default all namespaces (represented by "*") are watched. # The `app_namespace` is deprecated, using `namespace_selector` instead since version 1.4.0 namespace_selector:[""]# namespace_selector represent basis for selecting managed namespaces. # the field is support since version 1.4.0 # For example, "apisix.ingress=watching", so ingress will watching the namespaces which labels "apisix.ingress=watching" election_id:"ingress-apisix-leader"# the election id for the controller leader campaign, # only the leader will watch and delivery resource changes, # other instances (as candidates) stand by. ingress_class:"apisix"# the class of an Ingress object is set using the field # IngressClassName in Kubernetes clusters version v1.18.0 # or higher or the annotation "kubernetes.io/ingress.class" # (deprecated). ingress_version:"networking/v1"# the supported ingress api group version, can be "networking/v1beta1" # , "networking/v1" (for Kubernetes version v1.19.0 or higher), and # "extensions/v1beta1", default is "networking/v1". watch_endpointslices:false# whether to watch EndpointSlices rather than Endpoints.
apisix_route_version:"apisix.apache.org/v2"# the supported apisixroute api group version. # the latest version is "apisix.apache.org/v2".
enable_gateway_api:false# whether to enable support for Gateway API. # Note: This feature is currently under development and may not work as expected. # It is not recommended to use it in a production environment. # Before we announce support for it to reach Beta level or GA. api_version:apisix.apache.org/v2# the default value of API version is "apisix.apache.org/v2", support "apisix.apache.org/v2beta3" and "apisix.apache.org/v2".
# APISIX related configurations. apisix: default_cluster_base_url:"http://127.0.0.1:9080/apisix/admin"# The base url of admin api / manager api # of the default APISIX cluster
default_cluster_admin_key:""# the admin key used for the authentication of admin api / manager api in the # default APISIX cluster, by default this field is unset.
default_cluster_name:"default"# name of the default APISIX cluster.
# # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. #
# yamllint disable rule:comments-indentation conf: listen: # host: 127.0.0.1 # the address on which the `Manager API` should listen. # The default value is 0.0.0.0, if want to specify, please enable it. # This value accepts IPv4, IPv6, and hostname. port:9000# The port on which the `Manager API` should listen.
# ssl: # host: 127.0.0.1 # the address on which the `Manager API` should listen for HTTPS. # The default value is 0.0.0.0, if want to specify, please enable it. # port: 9001 # The port on which the `Manager API` should listen for HTTPS. # cert: "/tmp/cert/example.crt" # Path of your SSL cert. # key: "/tmp/cert/example.key" # Path of your SSL key.
allow_list:# If we don't set any IP list, then any IP access is allowed by default. -127.0.0.1# The rules are checked in sequence until the first match is found. -::1# In this example, access is allowed only for IPv4 network 127.0.0.1, and for IPv6 network ::1. # It also support CIDR like 192.168.1.0/24 and 2001:0db8::/32 etcd: endpoints:# supports defining multiple etcd host addresses for an etcd cluster -127.0.0.1:2379 # yamllint disable rule:comments-indentation # etcd basic auth info # username: "root" # ignore etcd username if not enable etcd auth # password: "123456" # ignore etcd password if not enable etcd auth mtls: key_file:""# Path of your self-signed client side key cert_file:""# Path of your self-signed client side cert ca_file:""# Path of your self-signed ca cert, the CA is used to sign callers' certificates # prefix: /apisix # apisix config's prefix in etcd, /apisix by default log: error_log: level:warn# supports levels, lower to higher: debug, info, warn, error, panic, fatal file_path: logs/error.log# supports relative path, absolute path, standard output # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr # such as absolute path on Windows: winfile:///C:\error.log access_log: file_path: logs/access.log# supports relative path, absolute path, standard output # such as: logs/access.log, /tmp/logs/access.log, /dev/stdout, /dev/stderr # such as absolute path on Windows: winfile:///C:\access.log # log example: 2020-12-09T16:38:09.039+0800 INFO filter/logging.go:46 /apisix/admin/routes/r1 {"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []} max_cpu:0# supports tweaking with the number of OS threads are going to be used for parallelism. Default value: 0 [will use max number of available cpu cores considering hyperthreading (if any)]. If the value is negative, is will not touch the existing parallelism profile. # security: # access_control_allow_origin: "http://httpbin.org" # access_control_allow_credentials: true # support using custom cors configration # access_control_allow_headers: "Authorization" # access_control-allow_methods: "*" # x_frame_options: "deny" # content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src xx.xx.xx.xx:3000" # You can set frame-src to provide content for your grafana panel.
authentication: secret: secret# secret for jwt token generation. # NOTE: Highly recommended to modify this value to protect `manager api`. # if it's default value, when `manager api` start, it will generate a random string to replace it. expire_time:3600# jwt token expire time, in second users:# yamllint enable rule:comments-indentation -username:admin# username and password for login `manager api` password:admin -username:user password:user