Created
March 1, 2016 22:43
-
-
Save danielrmeyer/c2dc122c639fbebf3494 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###### | |
| ## Kong configuration file. All commented values are default values. | |
| ## Uncomment and update a value to configure Kong to your needs. | |
| ## | |
| ## Lines starting with `##` are comments. | |
| ## Lines starting with `#` are properties that can be updated. | |
| ## Beware of YAML formatting for nested properties. | |
| ###### | |
| ## Additional plugins that this node needs to load. | |
| ## If you want to load custom plugins that are not supported by Kong, uncomment and update | |
| ## this property with the names of the plugins to load. | |
| ## Plugins will be loaded from the kong.plugins.{name}.* namespace. | |
| # custom_plugins: | |
| # - hello_world | |
| # - custom_plugin2 | |
| # - ... | |
| ###### | |
| ## The Kong working directory. Equivalent to nginx's prefix path. | |
| ## This is where this running nginx instance will keep server files including logs. | |
| ## Make sure it has the appropriate permissions. | |
| # nginx_working_dir: /usr/local/kong/ | |
| ###### | |
| ## Address and port on which the server will accept HTTP requests, consumers will make requests on this port. | |
| # proxy_listen: "0.0.0.0:8000" | |
| ###### | |
| ## Same as proxy_listen, but for HTTPS requests. | |
| # proxy_listen_ssl: "0.0.0.0:8443" | |
| ###### | |
| ## Address and port on which the admin API will listen to. The admin API is a private API which lets you | |
| ## manage your Kong infrastructure. It needs to be secured appropriately. | |
| # admin_api_listen: "0.0.0.0:8001" | |
| ###### | |
| ## Address and port used by the node to communicate with other Kong nodes in the cluster with both UDP and | |
| ## TCP messages. All the nodes in the cluster must be able to communicate with this node on this address. | |
| ## Only IPv4 addresses are allowed (no hostnames). | |
| # cluster_listen: "0.0.0.0:7946" | |
| ###### | |
| ## Address and port used by the node to communicate with the local clustering agent (TCP only, and local only). | |
| ## Used internally by this Kong node. Only IPv4 addresses are allowed (no hostnames). | |
| # cluster_listen_rpc: "127.0.0.1:7373" | |
| ###### | |
| ## The path to the SSL certificate and key that Kong will use when listening on the `https` port. | |
| # ssl_cert_path: /path/to/certificate.pem | |
| # ssl_key_path: /path/to/certificate.key | |
| ###### | |
| ## Specify how Kong performs DNS resolution (in the `dns_resolvers_available` property) you want to use. | |
| ## Options are: "dnsmasq" (You will need dnsmasq to be installed) or "server". | |
| # dns_resolver: dnsmasq | |
| ###### | |
| ## A dictionary of DNS resolvers Kong can use, and their respective properties. | |
| ## Currently `dnsmasq` (default, http://www.thekelleys.org.uk/dnsmasq/doc.html) and `server` are supported. | |
| ## By choosing `dnsmasq`, Kong will resolve hostnames using the local `/etc/hosts` file and `resolv.conf` | |
| ## configuration. By choosing `server`, you can specify a custom DNS server. | |
| # dns_resolvers_available: | |
| # server: | |
| # address: "8.8.8.8:53" | |
| # dnsmasq: | |
| # port: 8053 | |
| ###### | |
| ## Cluster settings between Kong nodes. | |
| ## For more information take a look at the Clustering Reference: https://getkong.org/docs/latest/clustering/ | |
| # cluster: | |
| ###### | |
| ## Address and port used by the node to communicate with other Kong nodes in the cluster with both UDP and | |
| ## TCP messages. All the nodes in the cluster must be able to communicate with this node on this address. | |
| ## Only IPv4 addresses are allowed (no hostnames). | |
| ## The advertise flag is used to change the address that we advertise to other nodes in the | |
| ## cluster. By default, the cluster_listen address is advertised. If the cluster_listen host is "0.0.0.0", | |
| ## then the first local, non-loopback, IPv4 address will be advertised to the other nodes. However, in some | |
| ## cases (specifically NAT traversal), there may be a routable address that cannot be bound to. This flag | |
| ## enables gossiping a different address to support this. | |
| # advertise: "" | |
| ###### | |
| ## Key for encrypting network traffic within Kong. Must be a base64-encoded 16-byte key. | |
| # encrypt: "foo" | |
| ###### | |
| ## Specify which database to use. Only "cassandra" is currently available. | |
| # database: cassandra | |
| ###### | |
| ## Cassandra configuration (keyspace, authentication, client-to-node encryption) | |
| # cassandra: | |
| ###### | |
| ## Contact points to your Cassandra cluster. | |
| contact_points: | |
| - "172.31.32.51:9042" | |
| ###### | |
| ## Name of the keyspace used by Kong. Will be created if it does not exist. | |
| # keyspace: kong | |
| ##### | |
| ## Connection and reading timeout (in ms). | |
| # timeout: 5000 | |
| ###### | |
| ## Keyspace options. Set those before running Kong or any migration. | |
| ## Those settings will be used to create a keyspace with the desired options | |
| ## when first running the migrations. | |
| ## See http://docs.datastax.com/en/cql/3.1/cql/cql_reference/create_keyspace_r.html | |
| ###### | |
| ## The name of the replica placement strategy class for the keyspace. | |
| ## Can be "SimpleStrategy" or "NetworkTopologyStrategy". | |
| # replication_strategy: SimpleStrategy | |
| ###### | |
| ## For SimpleStrategy only. | |
| ## The number of replicas of data on multiple nodes. | |
| # replication_factor: 1 | |
| ###### | |
| ## For NetworkTopologyStrategy only. | |
| ## The number of replicas of data on multiple nodes in each data center. | |
| # data_centers: | |
| # dc1: 2 | |
| # dc2: 3 | |
| ##### | |
| ## Client-to-node TLS options. | |
| ## `enabled`: if true, will connect to your Cassandra instance using TLS. | |
| ## `verify`: if true, will verify the server certificate using the given CA file. | |
| ## `certificate_authority`: an absolute path to the trusted CA certificate in PEM format used to verify the server certificate. | |
| ## For additional SSL settings, see the ngx_lua `lua_ssl_*` directives. | |
| # ssl: | |
| # enabled: false | |
| # verify: false | |
| # certificate_authority: "/path/to/cluster-ca-certificate.pem" | |
| ###### | |
| ## Cluster authentication options. Provide a user and a password here if your cluster uses the | |
| ## PasswordAuthenticator scheme. | |
| # username: cassandra | |
| # password: cassandra | |
| ###### | |
| ## Kong will send anonymous reports to Mashape. This helps Mashape fixing bugs/errors and improving Kong. | |
| ## By default is `true`. | |
| # send_anonymous_reports: true | |
| ###### | |
| ## A value specifying (in MB) the size of the internal preallocated in-memory cache. Kong uses an in-memory | |
| ## cache to store database entities in order to optimize access to the underlying datastore. The cache size | |
| ## needs to be as big as the size of the entities being used by Kong at any given time. The default value | |
| ## is `128`, and the potential maximum value is the total size of the datastore. | |
| ## This value may not be smaller than 32MB. | |
| # memory_cache_size: 128 | |
| ###### | |
| ## The NGINX configuration (or `nginx.conf`) that will be used for this instance. | |
| ## The placeholders will be computed and this property will be written as a file | |
| ## by Kong at `<nginx_working_dir>/nginx.conf` during startup. | |
| ## This file can tweaked to some extent, but many directives are necessary for Kong to work. | |
| ## /!\ BE CAREFUL | |
| nginx: | | |
| {{user}} | |
| worker_processes auto; | |
| error_log logs/error.log error; | |
| daemon on; | |
| worker_rlimit_nofile {{auto_worker_rlimit_nofile}}; | |
| env KONG_CONF; | |
| env PATH; | |
| events { | |
| worker_connections {{auto_worker_connections}}; | |
| multi_accept on; | |
| } | |
| http { | |
| resolver {{dns_resolver}} ipv6=off; | |
| charset UTF-8; | |
| access_log logs/access.log; | |
| access_log off; | |
| # Timeouts | |
| keepalive_timeout 60s; | |
| client_header_timeout 60s; | |
| client_body_timeout 60s; | |
| send_timeout 60s; | |
| # Proxy Settings | |
| proxy_buffer_size 128k; | |
| proxy_buffers 4 256k; | |
| proxy_busy_buffers_size 256k; | |
| proxy_ssl_server_name on; | |
| # IP Address | |
| real_ip_header X-Forwarded-For; | |
| set_real_ip_from 0.0.0.0/0; | |
| real_ip_recursive on; | |
| # Other Settings | |
| client_max_body_size 0; | |
| underscores_in_headers on; | |
| reset_timedout_connection on; | |
| tcp_nopush on; | |
| ################################################ | |
| # The following code is required to run Kong # | |
| # Please be careful if you'd like to change it # | |
| ################################################ | |
| # Lua Settings | |
| lua_package_path ';;'; | |
| lua_code_cache on; | |
| lua_max_running_timers 4096; | |
| lua_max_pending_timers 16384; | |
| lua_shared_dict reports_locks 100k; | |
| lua_shared_dict cluster_locks 100k; | |
| lua_shared_dict cluster_autojoin_locks 100k; | |
| lua_shared_dict cache {{memory_cache_size}}m; | |
| lua_shared_dict cassandra 1m; | |
| lua_shared_dict cassandra_prepared 5m; | |
| lua_socket_log_errors off; | |
| {{lua_ssl_trusted_certificate}} | |
| init_by_lua_block { | |
| kong = require "kong" | |
| kong.init() | |
| } | |
| init_worker_by_lua_block { | |
| kong.init_worker() | |
| } | |
| server { | |
| server_name _; | |
| listen {{proxy_listen}}; | |
| listen {{proxy_listen_ssl}} ssl; | |
| ssl_certificate_by_lua_block { | |
| kong.ssl_certificate() | |
| } | |
| ssl_certificate {{ssl_cert}}; | |
| ssl_certificate_key {{ssl_key}}; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2;# omit SSLv3 because of POODLE (CVE-2014-3566) | |
| location / { | |
| default_type 'text/plain'; | |
| # These properties will be used later by proxy_pass | |
| set $upstream_host nil; | |
| set $upstream_url nil; | |
| # Authenticate the user and load the API info | |
| access_by_lua_block { | |
| kong.access() | |
| } | |
| # Proxy the request | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_set_header Host $upstream_host; | |
| proxy_pass $upstream_url; | |
| proxy_pass_header Server; | |
| # Add additional response headers | |
| header_filter_by_lua_block { | |
| kong.header_filter() | |
| } | |
| # Change the response body | |
| body_filter_by_lua_block { | |
| kong.body_filter() | |
| } | |
| # Log the request | |
| log_by_lua_block { | |
| kong.log() | |
| } | |
| } | |
| location /robots.txt { | |
| return 200 'User-agent: *\nDisallow: /'; | |
| } | |
| error_page 500 502 503 504 /50x; | |
| location = /50x { | |
| internal; | |
| content_by_lua_block { | |
| require("kong.core.error_handlers")(ngx) | |
| } | |
| } | |
| } | |
| server { | |
| listen {{admin_api_listen}}; | |
| client_max_body_size 10m; | |
| client_body_buffer_size 10m; | |
| location / { | |
| default_type application/json; | |
| content_by_lua_block { | |
| ngx.header["Access-Control-Allow-Origin"] = "*" | |
| if ngx.req.get_method() == "OPTIONS" then | |
| ngx.header["Access-Control-Allow-Methods"] = "GET,HEAD,PUT,PATCH,POST,DELETE" | |
| ngx.header["Access-Control-Allow-Headers"] = "Content-Type" | |
| ngx.exit(204) | |
| end | |
| local lapis = require "lapis" | |
| lapis.serve "kong.api.app" | |
| } | |
| } | |
| location /nginx_status { | |
| internal; | |
| access_log off; | |
| stub_status; | |
| } | |
| location /robots.txt { | |
| return 200 'User-agent: *\nDisallow: /'; | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment