# ----------------------- # Kong configuration file # ----------------------- # # The commented-out settings shown in this file represent the default values. # # This file is read when `kong start` or `kong prepare` are used. Kong # generates the Nginx configuration with the settings specified in this file. # # All environment variables prefixed with `KONG_` and capitalized will override # the settings specified in this file. # Example: # `log_level` setting -> `KONG_LOG_LEVEL` env variable # # Boolean values can be specified as `on`/`off` or `true`/`false`. # Lists must be specified as comma-separated strings. # # All comments in this file can be removed safely, including the # commented-out properties. # You can verify the integrity of your settings with `kong check `. #------------------------------------------------------------------------------ # GENERAL #------------------------------------------------------------------------------ #prefix = /usr/local/kong/ # Working directory. Equivalent to Nginx's # prefix path, containing temporary files # and logs. # Each Kong process must have a separate # working directory. #log_level = notice # Log level of the Nginx server. Logs are # found at `/logs/error.log`. # See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list # of accepted values. #proxy_access_log = logs/access.log # Path for proxy port request access # logs. Set this value to `off` to # disable logging proxy requests. # If this value is a relative path, # it will be placed under the # `prefix` location. #proxy_error_log = logs/error.log # Path for proxy port request error # logs. The granularity of these logs # is adjusted by the `log_level` # property. #admin_access_log = logs/admin_access.log # Path for Admin API request access # logs. Set this value to `off` to # disable logging Admin API requests. # If this value is a relative path, # it will be placed under the # `prefix` location. #admin_error_log = logs/error.log # Path for Admin API request error # logs. The granularity of these logs # is adjusted by the `log_level` # property. #status_access_log = off # Path for Status API request access # logs. The default value of `off` # implies that loggin for this API # is disabled by default. # If this value is a relative path, # it will be placed under the # `prefix` location. #status_error_log = logs/status_error.log # Path for Status API request error # logs. The granularity of these logs # is adjusted by the `log_level` # property. #plugins = bundled # Comma-separated list of plugins this node # should load. By default, only plugins # bundled in official distributions are # loaded via the `bundled` keyword. # # Loading a plugin does not enable it by # default, but only instructs Kong to load its # source code, and allows to configure the # plugin via the various related Admin API # endpoints. # # The specified name(s) will be substituted as # such in the Lua namespace: # `kong.plugins.{name}.*`. # # When the `off` keyword is specified as the # only value, no plugins will be loaded. # # `bundled` and plugin names can be mixed # together, as the following examples suggest: # # - `plugins = bundled,custom-auth,custom-log` # will include the bundled plugins plus two # custom ones # - `plugins = custom-auth,custom-log` will # *only* include the `custom-auth` and # `custom-log` plugins. # - `plugins = off` will not include any # plugins # # **Note:** Kong will not start if some # plugins were previously configured (i.e. # have rows in the database) and are not # specified in this list. Before disabling a # plugin, ensure all instances of it are # removed before restarting Kong. # # **Note:** Limiting the amount of available # plugins can improve P99 latency when # experiencing LRU churning in the database # cache (i.e. when the configured # `mem_cache_size`) is full. #anonymous_reports = on # Send anonymous usage data such as error # stack traces to help improve Kong. #service_mesh = off # When `on`, enable the built-in Service Mesh # support of Kong. # # **Note:** Enabling service mesh causes # upstream requests to HTTPS services to # behave incorrectly. Service Mesh has been # deprecated and will be removed in the next # release of Kong. #------------------------------------------------------------------------------ # NGINX #------------------------------------------------------------------------------ #proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl # Comma-separated list of addresses and ports on # which the proxy server should listen for # HTTP/HTTPS traffic. # The proxy server is the public entry point of Kong, # which proxies traffic from your consumers to your # backend services. This value accepts IPv4, IPv6, and # hostnames. # # Some suffixes can be specified for each pair: # # - `ssl` will require that all connections made # through a particular address/port be made with TLS # enabled. # - `http2` will allow for clients to open HTTP/2 # connections to Kong's proxy server. # - `proxy_protocol` will enable usage of the # PROXY protocol for a given address/port. # - `transparent` will cause kong to listen to, and # respond from, any and all IP addresses and ports # you configure in iptables. # - `deferred` instructs to use a deferred accept on # Linux (the TCP_DEFER_ACCEPT socket option). # - `bind` instructs to make a separate bind() call # for a given address:port pair. # - `reuseport` instructs to create an individual # listening socket for each worker process # allowing a kernel to distribute incoming # connections between worker processes # # This value can be set to `off`, thus disabling # the HTTP/HTTPS proxy port for this node. # If stream_listen is also set to `off`, this enables # 'control-plane' mode for this node # (in which all traffic proxying capabilities are # disabled). This node can then be used only to # configure a cluster of Kong # nodes connected to the same datastore. # # Example: # `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl` # # See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen # for a description of the accepted formats for this # and other `*_listen` values. # # See https://www.nginx.com/resources/admin-guide/proxy-protocol/ # for more details about the `proxy_protocol` # parameter. # # Not all `*_listen` values accept all formats # specified in nginx's documentation. #stream_listen = off # Comma-separated list of addresses and ports on # which the stream mode should listen. # # This value accepts IPv4, IPv6, and hostnames. # Some suffixes can be specified for each pair: # - `proxy_protocol` will enable usage of the # PROXY protocol for a given address/port. # - `transparent` will cause kong to listen to, and # respond from, any and all IP addresses and ports # you configure in iptables. # - `bind` instructs to make a separate bind() call # for a given address:port pair. # - `reuseport` instructs to create an individual # listening socket for each worker process # allowing a kernel to distribute incoming # connections between worker processes # # **Note:** The `ssl` suffix is not supported, # and each address/port will accept TCP with or # without TLS enabled. # # Examples: # # ``` # stream_listen = 127.0.0.1:7000 # stream_listen = 0.0.0.0:989, 0.0.0.0:20 # stream_listen = [::1]:1234 # ``` # # By default this value is set to `off`, thus # disabling the stream proxy port for this node. # See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen # for a description of the formats that Kong might accept in stream_listen. #admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 ssl # Comma-separated list of addresses and ports on # which the Admin interface should listen. # The Admin interface is the API allowing you to # configure and manage Kong. # Access to this interface should be *restricted* # to Kong administrators *only*. This value accepts # IPv4, IPv6, and hostnames. # # Some suffixes can be specified for each pair: # # - `ssl` will require that all connections made # through a particular address/port be made with TLS # enabled. # - `http2` will allow for clients to open HTTP/2 # connections to Kong's proxy server. # - `proxy_protocol` will enable usage of the # PROXY protocol for a given address/port. # - `transparent` will cause kong to listen to, and # respond from, any and all IP addresses and ports # you configure in iptables. # - `deferred` instructs to use a deferred accept on # Linux (the TCP_DEFER_ACCEPT socket option). # - `bind` instructs to make a separate bind() call # for a given address:port pair. # - `reuseport` instructs to create an individual # listening socket for each worker process # allowing a kernel to distribute incoming # connections between worker processes # # This value can be set to `off`, thus disabling # the Admin interface for this node, enabling a # 'data-plane' mode (without configuration # capabilities) pulling its configuration changes # from the database. # # Example: `admin_listen = 127.0.0.1:8444 http2 ssl` #status_listen = off # Comma-separated list of addresses and ports on # which the Status API should listen. # The Status API is a read-only endpoint # allowing monitoring tools to retrieve metrics, # healthiness, and other non-sensitive information # of the current Kong node. # # This value can be set to `off`, disabling # the Status API for this node. # # Example: `status_listen = 0.0.0.0:8100` #nginx_user = nobody nobody # Defines user and group credentials used by # worker processes. If group is omitted, a # group whose name equals that of user is # used. # # Example: `nginx_user = nginx www` #nginx_worker_processes = auto # Determines the number of worker processes # spawned by Nginx. # # See http://nginx.org/en/docs/ngx_core_module.html#worker_processes # for detailed usage of the equivalent Nginx # directive and a description of accepted # values. #nginx_daemon = on # Determines whether Nginx will run as a daemon # or as a foreground process. Mainly useful # for development or when running Kong inside # a Docker environment. # # See http://nginx.org/en/docs/ngx_core_module.html#daemon. #mem_cache_size = 128m # Size of the in-memory cache for database # entities. The accepted units are `k` and # `m`, with a minimum recommended value of # a few MBs. #ssl_cipher_suite = modern # Defines the TLS ciphers served by Nginx. # Accepted values are `modern`, # `intermediate`, `old`, or `custom`. # # See https://wiki.mozilla.org/Security/Server_Side_TLS # for detailed descriptions of each cipher # suite. #ssl_ciphers = # Defines a custom list of TLS ciphers to be # served by Nginx. This list must conform to # the pattern defined by `openssl ciphers`. # This value is ignored if `ssl_cipher_suite` # is not `custom`. #ssl_cert = # The absolute path to the SSL certificate for # `proxy_listen` values with SSL enabled. #ssl_cert_key = # The absolute path to the SSL key for # `proxy_listen` values with SSL enabled. #client_ssl = off # Determines if Nginx should send client-side # SSL certificates when proxying requests. #client_ssl_cert = # If `client_ssl` is enabled, the absolute # path to the client SSL certificate for the # `proxy_ssl_certificate` directive. Note that # this value is statically defined on the # node, and currently cannot be configured on # a per-API basis. #client_ssl_cert_key = # If `client_ssl` is enabled, the absolute # path to the client SSL key for the # `proxy_ssl_certificate_key` address. Note # this value is statically defined on the # node, and currently cannot be configured on # a per-API basis. #admin_ssl_cert = # The absolute path to the SSL certificate for # `admin_listen` values with SSL enabled. #admin_ssl_cert_key = # The absolute path to the SSL key for # `admin_listen` values with SSL enabled. #headers = server_tokens, latency_tokens # Comma-separated list of headers Kong should # inject in client responses. # # Accepted values are: # - `Server`: Injects `Server: kong/x.y.z` # on Kong-produced response (e.g. Admin # API, rejected requests from auth plugin). # - `Via`: Injects `Via: kong/x.y.z` for # successfully proxied requests. # - `X-Kong-Proxy-Latency`: Time taken # (in milliseconds) by Kong to process # a request and run all plugins before # proxying the request upstream. # - `X-Kong-Response-Latency`: time taken # (in millisecond) by Kong to produce # a response in case of e.g. plugin # short-circuiting the request, or in # in case of an error. # - `X-Kong-Upstream-Latency`: Time taken # (in milliseconds) by the upstream # service to send response headers. # - `X-Kong-Admin-Latency`: Time taken # (in milliseconds) by Kong to process # an Admin API request. # - `X-Kong-Upstream-Status`: The HTTP status # code returned by the upstream service. # This is particularly useful for clients to # distinguish upstream statuses if the # response is rewritten by a plugin. # - `server_tokens`: Same as specifying both # `Server` and `Via`. # - `latency_tokens`: Same as specifying # `X-Kong-Proxy-Latency`, # `X-Kong-Response-Latency`, # `X-Kong-Admin-Latency` and # `X-Kong-Upstream-Latency` # # In addition to those, this value can be set # to `off`, which prevents Kong from injecting # any of the above headers. Note that this # does not prevent plugins from injecting # headers of their own. # # Example: `headers = via, latency_tokens` #trusted_ips = # Defines trusted IP addresses blocks that are # known to send correct `X-Forwarded-*` # headers. # Requests from trusted IPs make Kong forward # their `X-Forwarded-*` headers upstream. # Non-trusted requests make Kong insert its # own `X-Forwarded-*` headers. # # This property also sets the # `set_real_ip_from` directive(s) in the Nginx # configuration. It accepts the same type of # values (CIDR blocks) but as a # comma-separated list. # # To trust *all* /!\ IPs, set this value to # `0.0.0.0/0,::/0`. # # If the special value `unix:` is specified, # all UNIX-domain sockets will be trusted. # # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from # for examples of accepted values. #real_ip_header = X-Real-IP # Defines the request header field whose value # will be used to replace the client address. # This value sets the `ngx_http_realip_module` # directive of the same name in the Nginx # configuration. # # If this value receives `proxy_protocol`: # # - at least one of the `proxy_listen` entries # must have the `proxy_protocol` flag # enabled. # - the `proxy_protocol` parameter will be # appended to the `listen` directive of the # Nginx template. # # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header # for a description of this directive. #real_ip_recursive = off # This value sets the `ngx_http_realip_module` # directive of the same name in the Nginx # configuration. # # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive # for a description of this directive. #client_max_body_size = 0 # Defines the maximum request body size allowed # by requests proxied by Kong, specified in # the Content-Length request header. If a # request exceeds this limit, Kong will # respond with a 413 (Request Entity Too # Large). Setting this value to 0 disables # checking the request body size. # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size # for further description of this parameter. Numeric values may be suffixed # with `k` or `m` to denote limits in terms of kilobytes or megabytes. #client_body_buffer_size = 8k # Defines the buffer size for reading the # request body. If the client request body is # larger than this value, the body will be # buffered to disk. Note that when the body is # buffered to disk Kong plugins that access or # manipulate the request body may not work, so # it is advisable to set this value as high as # possible (e.g., set it as high as # `client_max_body_size` to force request # bodies to be kept in memory). Do note that # high-concurrency environments will require # significant memory allocations to process # many concurrent large request bodies. # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size # for further description of this parameter. Numeric values may be suffixed # with `k` or `m` to denote limits in terms of kilobytes or megabytes. #error_default_type = text/plain # Default MIME type to use when the request # `Accept` header is missing and Nginx # is returning an error for the request. # Accepted values are `text/plain`, # `text/html`, `application/json`, and # `application/xml`. #------------------------------------------------------------------------------ # NGINX injected directives #------------------------------------------------------------------------------ # Nginx directives can be dynamically injected in the runtime nginx.conf file # without requiring a custom Nginx configuration template. # # All configuration properties respecting the naming scheme # `nginx__` will result in `` being injected in # the Nginx configuration block corresponding to the property's ``. # Example: # `nginx_proxy_large_client_header_buffers = 8 24k` # # Will inject the following directive in Kong's proxy `server {}` block: # # `large_client_header_buffers 8 24k;` # # The following namespaces are supported: # # - `nginx_http_`: Injects `` in Kong's `http {}` block. # - `nginx_proxy_`: Injects `` in Kong's proxy # `server {}` block. # - `nginx_http_upstream_`: Injects `` in Kong's proxy # `upstream {}` block. # - `nginx_admin_`: Injects `` in Kong's Admin API # `server {}` block. # - `nginx_stream_`: Injects `` in Kong's stream module # `stream {}` block (only effective if `stream_listen` is enabled). # - `nginx_sproxy_`: Injects `` in Kong's stream module # `server {}` block (only effective if `stream_listen` is enabled). # # As with other configuration properties, Nginx directives can be injected via # environment variables when capitalized and prefixed with `KONG_`. # Example: # `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols` # # Will inject the following directive in Kong's `http {}` block: # # `ssl_protocols ;` # # If different sets of protocols are desired between the proxy and Admin API # server, you may specify `nginx_proxy_ssl_protocols` and/or # `nginx_admin_ssl_protocols`, both of which taking precedence over the # `http {}` block. #nginx_http_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3 # Enables the specified protocols for # client-side connections. The set of # supported protocol versions also depends # on the version of OpenSSL Kong was built # with. # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols #nginx_http_upstream_keepalive = 60 # Sets the maximum number of idle keepalive # connections to upstream servers that are # preserved in the cache of each worker # process. When this number is exceeded, the # least recently used connections are closed. # A value of `NONE` will disable this behavior # altogether, forcing each upstream request # to open a new connection. # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive #nginx_http_upstream_keepalive_requests = 100 # Sets the maximum number of requests that can # be served through one keepalive connection. # After the maximum number of requests is # made, the connection is closed. # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests #nginx_http_upstream_keepalive_timeout = 60s # Sets a timeout during which an idle # keepalive connection to an upstream server # will stay open. # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout #------------------------------------------------------------------------------ # DATASTORE #------------------------------------------------------------------------------ # Kong can run with a database to store coordinated data between Kong nodes in # a cluster, or without a database, where each node stores its information # independently in memory. # # When using a database, Kong will store data for all its entities (such as # Routes, Services, Consumers, and Plugins) in either Cassandra or PostgreSQL, # and all Kong nodes belonging to the same cluster must connect themselves # to the same database. # # Kong supports the following database versions: # - **PostgreSQL**: 9.5 and above. # - **Cassandra**: 2.2 and above. # # When not using a database, Kong is said to be in "DB-less mode": it will keep # its entities in memory, and each node needs to have this data entered via a # declarative configuration file, which can be specified through the # `declarative_config` property, or via the Admin API using the `/config` # endpoint. #database = postgres # Determines which of PostgreSQL or Cassandra # this node will use as its datastore. # Accepted values are `postgres`, # `cassandra`, and `off`. #pg_host = 127.0.0.1 # Host of the Postgres server. #pg_port = 5432 # Port of the Postgres server. #pg_timeout = 5000 # Defines the timeout (in ms), for connecting, # reading and writing. #pg_user = kong # Postgres user. #pg_password = # Postgres user's password. #pg_database = kong # The database name to connect to. #pg_schema = # The database schema to use. If unspecified, # Kong will respect the `search_path` value of # your PostgreSQL instance. #pg_ssl = off # Toggles client-server TLS connections # between Kong and PostgreSQL. #pg_ssl_verify = off # Toggles server certificate verification if # `pg_ssl` is enabled. # See the `lua_ssl_trusted_certificate` # setting to specify a certificate authority. #pg_max_concurrent_queries = 0 # Sets the maximum number of concurrent queries # that can be executing at any given time. This # limit is enforced per worker process; the # total number of concurrent queries for this # node will be will be: # `pg_max_concurrent_queries * nginx_worker_processes`. # # The default value of 0 removes this # concurrency limitation. #pg_semaphore_timeout = 60000 # Defines the timeout (in ms) after which # PostgreSQL query semaphore resource # acquisition attempts will fail. Such # failures will generally result in the # associated proxy or Admin API request # failing with an HTTP 500 status code. # Detailed discussion of this behavior is # available in the online documentation. #cassandra_contact_points = 127.0.0.1 # A comma-separated list of contact # points to your cluster. # You may specify IP addresses or # hostnames. Note that the port # component of SRV records will be # ignored in favor of `cassandra_port`. # When connecting to a multi-DC cluster, # ensure that contact points from the # local datacenter are specified first # in this list. #cassandra_port = 9042 # The port on which your nodes are listening # on. All your nodes and contact points must # listen on the same port. Will be created if # it doesn't exist. #cassandra_keyspace = kong # The keyspace to use in your cluster. #cassandra_consistency = ONE # Consistency setting to use when reading/ # writing to the Cassandra cluster. # #cassandra_timeout = 5000 # Defines the timeout (in ms) for reading # and writing. #cassandra_ssl = off # Toggles client-to-node TLS connections # between Kong and Cassandra. #cassandra_ssl_verify = off # Toggles server certificate verification if # `cassandra_ssl` is enabled. # See the `lua_ssl_trusted_certificate` # setting to specify a certificate authority. #cassandra_username = kong # Username when using the # `PasswordAuthenticator` scheme. #cassandra_password = # Password when using the # `PasswordAuthenticator` scheme. #cassandra_lb_policy = RequestRoundRobin # Load balancing policy to use when # distributing queries across your # Cassandra cluster. # Accepted values are: # `RoundRobin`, `RequestRoundRobin`, # `DCAwareRoundRobin`, and # `RequestDCAwareRoundRobin`. # Policies prefixed with "Request" # make efficient use of established # connections throughout the same # request. # Prefer "DCAware" policies if and # only if you are using a # multi-datacenter cluster. #cassandra_local_datacenter = # When using the `DCAwareRoundRobin` # or `RequestDCAwareRoundRobin` load # balancing policy, you must specify the name # of the local (closest) datacenter for this # Kong node. #cassandra_refresh_frequency = 60 # Frequency (in seconds) at which # the cluster topology will be # checked for new or decommissioned # nodes. # A value of `0` will disable this # check, and the cluster topology # will never be refreshed. #cassandra_repl_strategy = SimpleStrategy # When migrating for the first time, # Kong will use this setting to # create your keyspace. # Accepted values are # `SimpleStrategy` and # `NetworkTopologyStrategy`. #cassandra_repl_factor = 1 # When migrating for the first time, Kong # will create the keyspace with this # replication factor when using the # `SimpleStrategy`. #cassandra_data_centers = dc1:2,dc2:3 # When migrating for the first time, # will use this setting when using the # `NetworkTopologyStrategy`. # The format is a comma-separated list # made of `:`. #cassandra_schema_consensus_timeout = 10000 # Defines the timeout (in ms) for # the waiting period to reach a # schema consensus between your # Cassandra nodes. # This value is only used during # migrations. #declarative_config = # The path to the declarative configuration # file which holds the specification of all # entities (Routes, Services, Consumers, etc.) # to be used when the `database` is set to # `off`. # # Entities are stored in Kong's in-memory cache, # so you must ensure that enough memory is # allocated to it via the `mem_cache_size` # property. You must also ensure that items # in the cache never expire, which means that # `db_cache_ttl` should preserve its default # value of 0. #------------------------------------------------------------------------------ # DATASTORE CACHE #------------------------------------------------------------------------------ # In order to avoid unnecessary communication with the datastore, Kong caches # entities (such as APIs, Consumers, Credentials...) for a configurable period # of time. It also handles invalidations if such an entity is updated. # # This section allows for configuring the behavior of Kong regarding the # caching of such configuration entities. #db_update_frequency = 5 # Frequency (in seconds) at which to check for # updated entities with the datastore. # # When a node creates, updates, or deletes an # entity via the Admin API, other nodes need # to wait for the next poll (configured by # this value) to eventually purge the old # cached entity and start using the new one. #db_update_propagation = 0 # Time (in seconds) taken for an entity in the # datastore to be propagated to replica nodes # of another datacenter. # # When in a distributed environment such as # a multi-datacenter Cassandra cluster, this # value should be the maximum number of # seconds taken by Cassandra to propagate a # row to other datacenters. # # When set, this property will increase the # time taken by Kong to propagate the change # of an entity. # # Single-datacenter setups or PostgreSQL # servers should suffer no such delays, and # this value can be safely set to 0. #db_cache_ttl = 0 # Time-to-live (in seconds) of an entity from # the datastore when cached by this node. # # Database misses (no entity) are also cached # according to this setting. # # If set to 0 (default), such cached entities # or misses never expire. #db_resurrect_ttl = 30 # Time (in seconds) for which stale entities # from the datastore should be resurrected for # when they cannot be refreshed (e.g., the # datastore is unreachable). When this TTL # expires, a new attempt to refresh the stale # entities will be made. #db_cache_warmup_entities = services, plugins # Entities to be pre-loaded from the datastore # into the in-memory cache at Kong start-up. # This speeds up the first access of endpoints # that use the given entities. # # When the `services` entity is configured # for warmup, the DNS entries for values in # its `host` attribute are pre-resolved # asynchronously as well. # # Cache size set in `mem_cache_size` should # be set to a value large enough to hold all # instances of the specified entities. # If the size is insufficient, Kong will log # a warning. #------------------------------------------------------------------------------ # DNS RESOLVER #------------------------------------------------------------------------------ # By default the DNS resolver will use the standard configuration files # `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be # overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if # they have been set. # # Kong will resolve hostnames as either `SRV` or `A` records (in that order, and # `CNAME` records will be dereferenced in the process). # In case a name was resolved as an `SRV` record it will also override any given # port number by the `port` field contents received from the DNS server. # # The DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will # be used to expand short names to fully qualified ones. So it will first try # the entire `SEARCH` list for the `SRV` type, if that fails it will try the # `SEARCH` list for `A`, etc. # # For the duration of the `ttl`, the internal DNS resolver will loadbalance each # request it gets over the entries in the DNS record. For `SRV` records the # `weight` fields will be honored, but it will only use the lowest `priority` # field entries in the record. #dns_resolver = # Comma separated list of nameservers, each # entry in `ip[:port]` format to be used by # Kong. If not specified the nameservers in # the local `resolv.conf` file will be used. # Port defaults to 53 if omitted. Accepts # both IPv4 and IPv6 addresses. #dns_hostsfile = /etc/hosts # The hosts file to use. This file is read # once and its content is static in memory. # To read the file again after modifying it, # Kong must be reloaded. #dns_order = LAST,SRV,A,CNAME # The order in which to resolve different # record types. The `LAST` type means the # type of the last successful lookup (for the # specified name). The format is a (case # insensitive) comma separated list. #dns_valid_ttl = # By default, DNS records are cached using # the TTL value of a response. If this # property receives a value (in seconds), it # will override the TTL for all records. #dns_stale_ttl = 4 # Defines, in seconds, how long a record will # remain in cache past its TTL. This value # will be used while the new DNS record is # fetched in the background. # Stale data will be used from expiry of a # record until either the refresh query # completes, or the `dns_stale_ttl` number of # seconds have passed. #dns_not_found_ttl = 30 # TTL in seconds for empty DNS responses and # "(3) name error" responses. #dns_error_ttl = 1 # TTL in seconds for error responses. #dns_no_sync = off # If enabled, then upon a cache-miss every # request will trigger its own dns query. # When disabled multiple requests for the # same name/type will be synchronised to a # single query. #------------------------------------------------------------------------------ # TUNING & BEHAVIOR #------------------------------------------------------------------------------ #router_consistency = strict # Defines whether this node should rebuild its # router synchronously or asynchronously (the # router is rebuilt every time a Route or a # Service is updated via the Admin API or # loading a declarative configuration file). # # Accepted values are: # # - `strict`: the router will be rebuilt # synchronously, causing incoming requests to # be delayed until the rebuild is finished. # - `eventual`: the router will be rebuilt # asynchronously via a recurring background # job running every second inside of each # worker. # # Note that `strict` ensures that all workers # of a given node will always proxy requests # with an identical router, but that increased # long tail latency can be observed if # frequent Routes and Services updates are # expected. # Using `eventual` will help preventing long # tail latency issues in such cases, but may # cause workers to route requests differently # for a short period of time after Routes and # Services updates. #router_update_frequency = 1 # Defines how often the router changes are # checked with a background job. When a change # is detected, a new router will be built. By # default we check for changes every second. # Raising this value will decrease the load on # database servers and result in less jitter # in proxy latency, with downside of longer # converge time for router updates. #------------------------------------------------------------------------------ # DEVELOPMENT & MISCELLANEOUS #------------------------------------------------------------------------------ # Additional settings inherited from lua-nginx-module allowing for more # flexibility and advanced usage. # # See the lua-nginx-module documentation for more information: # https://github.com/openresty/lua-nginx-module #lua_ssl_trusted_certificate = # Absolute path to the certificate # authority file for Lua cosockets in PEM # format. This certificate will be the one # used for verifying Kong's database # connections, when `pg_ssl_verify` or # `cassandra_ssl_verify` are enabled. # # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate #lua_ssl_verify_depth = 1 # Sets the verification depth in the server # certificates chain used by Lua cosockets, # set by `lua_ssl_trusted_certificate`. # This includes the certificates configured # for Kong's database connections. # # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth #lua_package_path = ./?.lua;./?/init.lua; # Sets the Lua module search path # (LUA_PATH). Useful when developing # or using custom plugins not stored # in the default search path. # # See https://github.com/openresty/lua-nginx-module#lua_package_path #lua_package_cpath = # Sets the Lua C module search path # (LUA_CPATH). # # See https://github.com/openresty/lua-nginx-module#lua_package_cpath #lua_socket_pool_size = 30 # Specifies the size limit for every cosocket # connection pool associated with every remote # server. # # See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size