# proxy.cs configures one or more certificate sources. # # Each certificate source is configured with a list of # key/value options. Each source must have a unique # name which can then be referred to in a listener # configuration. # # cs=;type=;opt=arg;opt[=arg];... # # All certificates need to be provided in PEM format. # # The following types of certificate sources are available: # # File # # The file certificate source supports one certificate which is loaded at # startup and is cached until the service exits. # # The 'cert' option contains the path to the certificate file. The 'key' # option contains the path to the private key file. If the certificate file # contains both the certificate and the private key the 'key' option can be # omitted. The 'clientca' option contains the path to one or more client # authentication certificates. # # cs=;type=file;cert=p/a-cert.pem;key=p/a-key.pem;clientca=p/clientAuth.pem # # Path # # The path certificate source loads certificates from a directory in # alphabetical order and refreshes them periodically. # # The 'cert' option provides the path to the TLS certificates and the # 'clientca' option provides the path to the certificates for client # authentication. # # TLS certificates are stored either in one or two files: # # www.example.com.pem or www.example.com-{cert,key}.pem # # TLS certificates are loaded in alphabetical order and the first certificate # is the default for clients which do not support SNI. # # The 'refresh' option can be set to specify the refresh interval for the TLS # certificates. Client authentication certificates cannot be refreshed since # Go does not provide a mechanism for that yet. # # The default refresh interval is 3 seconds and cannot be lower than 1 second # to prevent busy loops. To load the certificates only once and disable # automatic refreshing set 'refresh' to zero. # # cs=;type=path;cert=path/to/certs;clientca=path/to/clientcas;refresh=3s # # HTTP # # The http certificate source loads certificates from an HTTP/HTTPS server. # # The 'cert' option provides a URL to a text file which contains all files # that should be loaded from this directory. The filenames follow the same # rules as for the path source. The text file can be generated with: # # ls -1 *.pem > list # # The 'clientca' option provides a URL for the client authentication # certificates analogous to the 'cert' option. # # Authentication credentials can be provided in the URL as request parameter, # as basic authentication parameters or through a header. # # The 'refresh' option can be set to specify the refresh interval for the TLS # certificates. Client authentication certificates cannot be refreshed since # Go does not provide a mechanism for that yet. # # The default refresh interval is 3 seconds and cannot be lower than 1 second # to prevent busy loops. To load the certificates only once and disable # automatic refreshing set 'refresh' to zero. # # cs=;type=http;cert=https://host.com/path/to/cert/list&token=123 # cs=;type=http;cert=https://user:pass@host.com/path/to/cert/list # cs=;type=http;cert=https://host.com/path/to/cert/list;hdr=Authorization: Bearer 1234 # # Consul # # The consul certificate source loads certificates from consul. # # The 'cert' option provides a KV store URL where the the TLS certificates are # stored. # # The 'clientca' option provides a URL to a path in the KV store where the the # client authentication certificates are stored. # # The filenames follow the same rules as for the path source. # # The TLS certificates are updated automatically whenever the KV store # changes. The client authentication certificates cannot be updated # automatically since Go does not provide a mechanism for that yet. # # cs=;type=consul;cert=http://localhost:8500/v1/kv/path/to/cert&token=123 # # Vault # # The Vault certificate store uses HashiCorp Vault as the certificate # store. # # The 'cert' option provides the path to the TLS certificates and the # 'clientca' option provides the path to the certificates for client # authentication. # # The 'refresh' option can be set to specify the refresh interval for the TLS # certificates. Client authentication certificates cannot be refreshed since # Go does not provide a mechanism for that yet. # # The default refresh interval is 3 seconds and cannot be lower than 1 second # to prevent busy loops. To load the certificates only once and disable # automatic refreshing set 'refresh' to zero. # # The path to vault must be provided in the VAULT_ADDR environment # variable. The token can be provided in the VAULT_TOKEN environment # variable, or provided by using the Vault fetch token option. By default the # token is loaded once from the VAULT_TOKEN environment variable. See Vault PKI for details. # # cs=;type=vault;cert=secret/fabio/certs # # Vault PKI # # The Vault PKI certificate store uses HashiCorp Vault's PKI backend to issue # certificates on-demand. # # The 'cert' option provides a PKI backend path for issuing certificates. The # 'clientca' option works in the same way as for the generic Vault source. # # The 'refresh' option determines how long before the expiration date # certificates are re-issued. Values smaller than one hour are silently changed # to one hour, which is also the default. # # cs=;type=vault-pki;cert=pki/issue/example-dot-com;refresh=24h;clientca=secret/fabio/client-certs # # This source will issue server certificates on-demand using the PKI backend # and re-issue them 24 hours before they expire. The CA for client # authentication is expected to be stored at secret/fabio/client-certs. # # 'vaultfetchtoken' enables fetching the vault token from a file on the filesystem or an environment # variable at the Vault refresh interval. If fetching the token from a file the 'file:[path]' syntax should be used, # if fetching the token from an env variable, the 'env:[ENV]' syntax should be used. # # cs=;type=vault;cert=secret/fabio/certs;vaultfetchtoken=env:VAULT_TOKEN # # Common options # # All certificate stores support the following options: # # caupgcn: Upgrade a self-signed client auth certificate with this common-name # to a CA certificate. Typically used for self-singed certificates # for the Amazon AWS Api Gateway certificates which do not have the # CA flag set which makes them unsuitable for client certificate # authentication in Go. For the AWS Api Gateway set this value # to 'ApiGateway' to allow client certificate authentication. # This replaces the deprecated parameter 'aws.apigw.cert.cn' # which was introduced in version 1.1.5. # # Examples: # # # file based certificate source # proxy.cs = cs=some-name;type=file;cert=p/a-cert.pem;key=p/a-key.pem # # # path based certificate source # proxy.cs = cs=some-name;type=path;path=path/to/certs # # # HTTP certificate source # proxy.cs = cs=some-name;type=http;cert=https://user:pass@host:port/path/to/certs # # # Consul certificate source # proxy.cs = cs=some-name;type=consul;cert=https://host:port/v1/kv/path/to/certs?token=abc123 # # # Vault certificate source # proxy.cs = cs=some-name;type=vault;cert=secret/fabio/certs # # # Vault PKI certificate source # proxy.cs = cs=some-name;type=vault-pki;cert=pki/issue/example-dot-com # # # Multiple certificate sources # proxy.cs = cs=srcA;type=path;path=path/to/certs,\ # cs=srcB;type=http;cert=https://user:pass@host:port/path/to/certs # # # path based certificate source for AWS Api Gateway # proxy.cs = cs=some-name;type=path;path=path/to/certs;clientca=path/to/clientcas;caupgcn=ApiGateway # # The default is # # proxy.cs = # proxy.addr configures listeners. # # Each listener is configured with and address and a # list of optional arguments in the form of # # [host]:port;opt=arg;opt[=arg];... # # Each listener has a protocol which is configured # with the 'proto' option for which it routes and # forwards traffic. # # The supported protocols are: # # * http for HTTP based protocols # * https for HTTPS based protocols # * tcp for a raw TCP proxy with or witout TLS support # * tcp+sni for an SNI aware TCP proxy # * tcp-dynamic for a consul driven TCP proxy # * https+tcp+sni for an SNI aware TCP proxy with https fallthrough # * prometheus for a prometheus listener. use this with the prometheus metrics target. # # If no 'proto' option is specified then the protocol # is either 'http' or 'https' depending on whether a # certificate source is configured via the 'cs' option # which contains the name of the certificate source. # # The TCP+SNI proxy analyzes the ClientHello message # of TLS connections to extract the server name # extension and then forwards the encrypted traffic # to the destination without decrypting the traffic. # # General options: # # rt: Sets the read timeout as a duration value (e.g. '3s') # # wt: Sets the write timeout as a duration value (e.g. '3s') # # it: Sets the idle timeout as a duration value (e.g. '3s') # # strictmatch: When set to 'true' the certificate source must provide # a certificate that matches the hostname for the connection # to be established. Otherwise, the first certificate is used # if no matching certificate was found. This matches the default # behavior of the Go TLS server implementation. # # pxyproto: When set to 'true' the listener will respect upstream v1 # PROXY protocol headers. # NOTE: PROXY protocol was on by default from 1.1.3 to 1.5.10. # This changed to off when this option was introduced with # the 1.5.11 release. # For more information about the PROXY protocol, please see: # http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt # # pxytimeout: Sets PROXY protocol header read timeout as a duration (e.g. '250ms'). # This defaults to 250ms if not set when 'pxyproto' is enabled. # # refresh: Sets the refresh interval to check the route table for updates. # Used when 'tcp-dynamic' is enabled. # # TLS options: # # tlsmin: Sets the minimum TLS version for the handshake. This value # is one of [ssl30, tls10, tls11, tls12] or the corresponding # version number from https://golang.org/pkg/crypto/tls/#pkg-constants # # tlsmax: Sets the maximum TLS version for the handshake. See 'tlsmin' # for the format. # # tlsciphers: Sets the list of allowed ciphers for the handshake. The value # is a quoted comma-separated list of the hex cipher values or # the constant names from https://golang.org/pkg/crypto/tls/#pkg-constants, # e.g. "0xc00a,0xc02b" or "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" # # Examples: # # # HTTP listener on port 9999 # proxy.addr = :9999 # # # HTTP listener on IPv4 with read timeout # proxy.addr = 1.2.3.4:9999;rt=3s # # # HTTP listener on IPv6 with write timeout # proxy.addr = [2001:DB8::A/32]:9999;wt=5s # # # Multiple listeners # proxy.addr = 1.2.3.4:9999;rt=3s,[2001:DB8::A/32]:9999;wt=5s # # # HTTPS listener on port 443 with certificate source # proxy.addr = :443;cs=some-name # # # HTTPS listener on port 443 with certificate source and TLS options # proxy.addr = :443;cs=some-name;tlsmin=tls10;tlsmax=tls11;tlsciphers="0xc00a,0xc02b" # # # TCP listener on port 1234 with port routing # proxy.addr = :1234;proto=tcp # # # TCP listener on port 443 with SNI routing # proxy.addr = :443;proto=tcp+sni # # # TCP listener on port 443 with SNI routing with HTTPS fallthrough # proxy.addr = :443;proto=https+tcp+sni;cs=some-name # # # TCP listeners using consul for config with 5 second refresh interval # proxy.addr = 0.0.0.0:0;proto=tcp-dynamic;refresh=5s # # # prometheus listener. can optionally be used with cs= as well for TLS support. # proxy.addr = :9090;proto=prometheus;cs=some-name # # The default is # # proxy.addr = :9999 # proxy.localip configures the ip address of the proxy which is added # to the Header configured by header.clientip and to the 'Forwarded: by=' attribute. # # The local non-loopback address is detected during startup # but can be overwritten with this property. # # The default is # # proxy.localip = # proxy.strategy configures the load balancing strategy. # # rnd: pseudo-random distribution # rr: round-robin distribution # # "rnd" configures a pseudo-random distribution by using the microsecond # fraction of the time of the request. # # "rr" configures a round-robin distribution. # # The default is # # proxy.strategy = rnd # proxy.matcher configures the path matching algorithm. # # prefix: prefix matching # glob: glob matching # iprefix: case-insensitive prefix matching # # The default is # # proxy.matcher = prefix # proxy.noroutestatus configures the response code when no route was found. # # The default is # # proxy.noroutestatus = 404 # proxy.shutdownwait configures the time for a graceful shutdown. # # After a signal is caught the proxy will immediately suspend # routing traffic and respond with a 503 Service Unavailable # for the duration of the given period. # # The default is # # proxy.shutdownwait = 0s #proxy.deregistergraceperiod configures the time to wait before #shutting down the proxies de-registering from the service registry. # #After a signal is caught Fabio will immediately de-register from the #service registry and wait for `proxy.deregistergraceperiod` letting #in-flight requests finish after which it will continue with shutting #down the proxy. # #The default is # #proxy.deregistergraceperiod = 0s # proxy.responseheadertimeout configures the response header timeout. # # This configures the ResponseHeaderTimeout of the http.Transport. # # The default is # # proxy.responseheadertimeout = 0s # proxy.keepalivetimeout configures the keep-alive timeout. # # This configures the KeepAliveTimeout of the network dialer. # # The default is # # proxy.keepalivetimeout = 0s # proxy.idleconntimeout configures the idle connection timeout, when # to close (keep-alive) connections # # The default is # # proxy.idleconntimeout = 15s # proxy.dialtimeout configures the connection timeout for # outgoing connections. # # This configures the DialTimeout of the network dialer. # # The default is # # proxy.dialtimeout = 30s # proxy.flushinterval configures periodic flushing of the # response buffer for SSE (server-sent events) connections. # They are detected when the 'Accept' header is # 'text/event-stream'. # # The default is # # proxy.flushinterval = 1s # proxy.globalflushinterval configures periodic flushing of the # response buffer for non-SSE connections. By default it is not enabled. # # The default is # # proxy.globalflushinterval = 0 # proxy.maxconn configures the maximum number of cached # incoming and outgoing connections. # # This configures the MaxIdleConnsPerHost of the http.Transport. # # The default is # # proxy.maxconn = 10000 # proxy.header.clientip configures the header for the request ip. # # The remoteIP is taken from http.Request.RemoteAddr. # # The default is # # proxy.header.clientip = # proxy.header.tls configures the header to set for TLS connections. # # When set to a non-empty value the proxy will set this header on every # TLS request to the value of ${proxy.header.tls.value} # # The default is # # proxy.header.tls = # proxy.header.tls.value = # proxy.header.requestid configures the header for the adding a unique request id. # When set non-empty value the proxy will set this header on every request to the # unique UUID value. # # The default is # # proxy.header.requestid = # proxy.header.sts.maxage enables and configures the max-age of HSTS for TLS requests. # When set greater than zero this enables the Strict-Transport-Security header # and sets the max-age value in the header. # # The default is # # proxy.header.sts.maxage = 0 # proxy.header.sts.subdomains instructs HSTS to include subdomains. # When set to true, the 'includeSubDomains' option will be added to # the Strict-Transport-Security header. # # The default is # # proxy.header.sts.subdomains = false # proxy.header.sts.preload instructs HSTS to include the preload directive. # When set to true, the 'preload' option will be added to the # Strict-Transport-Security header. # # Sending the preload directive from your site can have PERMANENT CONSEQUENCES # and prevent users from accessing your site and any of its subdomains if you # find you need to switch back to HTTP. Please read the details at # https://hstspreload.org/#removal before sending the header with "preload". # # The default is # # proxy.header.sts.preload = false # proxy.gzip.contenttype configures which responses should be compressed. # # By default, responses sent to the client are not compressed even if the # client accepts compressed responses by setting the 'Accept-Encoding: gzip' # header. By setting this value responses are compressed if the Content-Type # header of the response matches and the response is not already compressed. # The list of compressable content types is defined as a regular expression. # The regular expression must follow the rules outlined in golang.org/pkg/regexp. # # A typical example is # # proxy.gzip.contenttype = ^(text/.*|application/(javascript|json|font-woff|xml)|.*\\+(json|xml))(;.*)?$ # # The default is # # proxy.gzip.contenttype = # proxy.auth configures one or more auth schemes. # # Each auth scheme is configured with a list of # key/value options. Each source must have a unique # name which can then be referred to in a routing # rule. # # name=;type=;opt=arg;opt[=arg];... # # The following types of auth schemes are available: # # Basic # # The basic auth scheme leverages http basic authentication using # one htpasswd file which is loaded at startup and by default is cached until # the service exits. However, it's possible to refresh htpasswd file # periodically by setting the refresh interval with 'refresh' option. # # The 'file' option contains the path to the htpasswd file. The 'realm' # option contains realm name (optional, default is the scheme name). # The 'refresh' option can set the htpasswd file refresh interval. Minimal # refresh interval is 1s to void busy loop. # By default refresh is disabled i.e. set to zero. # # name=;type=basic;file=p/creds.htpasswd;realm=foo # # Examples # # # single basic auth scheme # # name=mybasicauth;type=basic;file=p/creds.htpasswd; # # # single basic auth scheme with refresh interval set to 30 seconds # # name=mybasicauth;type=basic;file=p/creds.htpasswd;refresh=30s # # # basic auth with multiple schemes # # proxy.auth = name=mybasicauth;type=basic;file=p/creds.htpasswd # name=myotherauth;type=basic;file=p/other-creds.htpasswd;realm=myrealm # # # proxy.grpcmaxrxmsgsize configures the grpc max receive message size in bytes. # The default is # proxy.grpcmaxrxmsgsize = 4194304 # # proxy.grpcmaxtxmsgsize configures the grpc max transmit messsage size in bytes # The default is # proxy.grpcmaxtxmsgsize = 4194304 # # # proxy.grpcshutdowntimeout configures the amount of time fabio will wait to attempt # to close the connection while waiting for grpc traffic to finish to a backend that's been # deregistered. Default value is # proxy.grpcshutdowntimeout = 2s # setting to 0s disables the wait. # log.access.format configures the format of the access log. # # If the value is either 'common' or 'combined' then the logs are written in # the Common Log Format or the Combined Log Format as defined below: # # 'common': $remote_host - - [$time_common] "$request" $response_status $response_body_size # 'combined': $remote_host - - [$time_common] "$request" $response_status $response_body_size "$header.Referer" "$header.User-Agent" # # Otherwise, the value is interpreted as a custom log format which is defined # with the following parameters. Providing an empty format when logging is # enabled is an error. To disable access logging leave the log.access.target # value empty. # # $header. - request http header (name: [a-zA-Z0-9-]+) # $remote_addr - host:port of remote client # $remote_host - host of remote client # $remote_port - port of remote client # $request - request # $request_args - request query parameters # $request_host - request host header (aka server name) # $request_method - request method # $request_scheme - request scheme # $request_uri - request URI # $request_url - request URL # $request_proto - request protocol # $response_body_size - response body size in bytes # $response_status - response status code # $response_time_ms - response time in S.sss format # $response_time_us - response time in S.ssssss format # $response_time_ns - response time in S.sssssssss format # $time_rfc3339 - log timestamp in YYYY-MM-DDTHH:MM:SSZ format # $time_rfc3339_ms - log timestamp in YYYY-MM-DDTHH:MM:SS.sssZ format # $time_rfc3339_us - log timestamp in YYYY-MM-DDTHH:MM:SS.ssssssZ format # $time_rfc3339_ns - log timestamp in YYYY-MM-DDTHH:MM:SS.sssssssssZ format # $time_unix_ms - log timestamp in unix epoch ms # $time_unix_us - log timestamp in unix epoch us # $time_unix_ns - log timestamp in unix epoch ns # $time_common - log timestamp in DD/MMM/YYYY:HH:MM:SS -ZZZZ # $upstream_addr - host:port of upstream server # $upstream_host - host of upstream server # $upstream_port - port of upstream server # $upstream_request_scheme - upstream request scheme # $upstream_request_uri - upstream request URI # $upstream_request_url - upstream request URL # $upstream_service - name of the upstream service # # The default is # # log.access.format = common # log.access.target configures where the access log is written to. # # Options are 'stdout'. If the value is empty no access log is written. # # The default is # # log.access.target = # log.level configures the log level. # # Valid levels are TRACE, DEBUG, INFO, WARN, ERROR and FATAL. # # The default is # # log.level = INFO # log.routes.format configures the log output format of routing table updates. # # Changes to the routing table are written to the standard log. This option # configures the output format: # # detail: detailed routing table as ascii tree # delta: additions and deletions in config language # all: complete routing table in config language # # The default is # # log.routes.format = delta # registry.backend configures which backend is used. # Supported backends are: consul, static, file, custom # if custom is used fabio makes an api call to a remote system # expecting the below json response # [ # { # "cmd": "string", # "service": "string", # "src": "string", # "dst": "string", # "weight": float, # "tags": ["string"], # "opts": {"string":"string"} # } # ] # Short description of the fields required for a custom backend # # - cmd - the command to add, remove or change weight of a route. For example `route add` to add a new route mapping. # - service - the name that the service will show up in the UI. # - src - usually the prefix that will be used in the routing table. # - dst - the endpoint that will be used as the destination of the routing table. # - weight - defines the weight of this path to perform routing. For example route A 90% and route B 10% for canary deployments. # - tags - a list of tags, provide a way to filter routes, making it easier to do operations like bulk deletes `route del tags "dev"`. # - opts - a KV map of the config language list of options. for example `proto` or `prefix` # # The default is # # registry.backend = consul # registry.timeout configures how long fabio tries to connect to the registry # backend during startup. # # The default is # # registry.timeout = 10s # registry.retry configures the interval with which fabio tries to # connect to the registry during startup. # # The default is # # registry.retry = 500ms # registry.static.routes configures a static routing table. # # Example: # # registry.static.routes = \ # route add svc / http://1.2.3.4:5000/ # # The default is # # registry.static.routes = # registry.static.noroutehtmlpath configures the KV path for the HTML of the # noroutes page. # # The default is # # registry.static.noroutehtmlpath = # registry.file.path configures a file based routing table. # The value configures the path to the file with the routing table. # # The default is # # registry.file.path = # registry.file.noroutehtmlpath configures the KV path for the HTML of the # noroutes page. # # The default is # # registry.file.noroutehtmlpath = # registry.consul.addr configures the address of the consul agent to connect to. # # The default is # # registry.consul.addr = localhost:8500 # registry.consul.token configures the acl token for consul. # # The default is # # registry.consul.token = # registry.consul.tls.keyfile the path to the TLS certificate private key used for Consul communication. # # This is the full path to the TLS private key while using TLS transport to # communicate with Consul # # The default is # # registry.consul.tls.keyfile = # registry.consul.tls.certfile the path to the TLS certificate used for Consul communication. # # This is the full path to the TLS certificate while using TLS transport to # communicate with Consul # # The default is # # registry.consul.tls.certfile = # registry.consul.tls.cafile the path to the ca certificate used for Consul communication. # # This is the full path to the CA certificate while using TLS transport to # communicate with Consul # # The default is # # registry.consul.tls.cafile = # registry.consul.tls.capath the path to the folder containing CA certificates. # # This is the full path to the folder with CA certificates while using TLS transport to # communicate with Consul # # The default is # # registry.consul.tls.capath = # registry.consul.tls.insecureskipverify enable SSL verification with Consul. # # registry.consul.tls.insecureskipverify enables or disables SSL verification while using TLS transport to # communicate with Consul # # The default is # # registry.consul.tls.insecureskipverify = false # registry.consul.kvpath configures the KV path for manual routes. # # The consul KV path is watched for changes which get appended to # the routing table. This allows for manual overrides and weighted # round-robin routes. The key itself (e.g. fabio/config) and all # subkeys (e.g. fabio/config/foo and fabio/config/bar) are combined # in alphabetical order. # # The default is # # registry.consul.kvpath = /fabio/config # registry.consul.noroutehtmlpath configures the KV path for the HTML of the # noroutes page. # # The consul KV path is watched for changes. # # The default is # # registry.consul.noroutehtmlpath = /fabio/noroute.html # registry.consul.service.status configures the valid service status # values for services included in the routing table. # # The values are a comma separated list of # "passing", "warning", "critical" and "unknown" # # The default is # # registry.consul.service.status = passing # registry.consul.tagprefix configures the prefix for tags which define routes. # # Services which define routes publish one or more tags with host/path # routes which they serve. These tags must have this prefix to be # recognized as routes. # # The default is # # registry.consul.tagprefix = urlprefix- # registry.consul.register.enabled configures whether fabio registers itself in consul. # # Fabio will register itself in consul only if this value is set to "true" which # is the default. To disable registration set it to any other value, e.g. "false" # # The default is # # registry.consul.register.enabled = true # registry.consul.register.addr configures the address for the service registration. # # Fabio registers itself in consul with this host:port address. # It must point to the UI/API endpoint configured by ui.addr and defaults to its # value. # # The default is # # registry.consul.register.addr = :9998 # registry.consul.register.name configures the name for the service registration. # # Fabio registers itself in consul under this service name. # # The default is # # registry.consul.register.name = fabio # registry.consul.register.tags configures the tags for the service registration. # # Fabio registers itself with these tags. You can provide a comma separated list of tags. # # The default is # # registry.consul.register.tags = # registry.consul.register.checkInterval configures the interval for the health check. # # Fabio registers an http health check on http(s)://${ui.addr}/health # and this value tells consul how often to check it. # # The default is # # registry.consul.register.checkInterval = 1s # registry.consul.register.checkTimeout configures the timeout for the health check. # # Fabio registers an http health check on http(s)://${ui.addr}/health # and this value tells consul how long to wait for a response. # # The default is # # registry.consul.register.checkTimeout = 3s # registry.consul.register.checkTLSSkipVerify configures TLS verification for the health check. # # Fabio registers an http health check on http(s)://${ui.addr}/health # and this value tells consul to skip TLS certificate validation for # https checks. # # The default is # # registry.consul.register.checkTLSSkipVerify = false # registry.consul.register.checkDeregisterCriticalServiceAfter configures # automatic deregistration of a service after the health check is critical for # this length of time. # # Fabio registers an http health check on http(s)://${ui.addr}/health # and this value tells consul to deregister the associated service if the check # is critical for the specified duration. # # The default is # # registry.consul.register.checkDeregisterCriticalServiceAfter = 90m # registry.consul.checksRequired configures how many health checks # must pass in order for fabio to consider a service available. # # Possible values are: # one: at least one health check must pass # all: all health checks must pass # # The default is # # registry.consul.checksRequired = one # registry.consul.serviceMonitors configures the concurrency for # route updates. Fabio will make up to the configured number of # concurrent calls to Consul to fetch status data for route # updates. # # The default is # # registry.consul.serviceMonitors = 1 # registry.consul.pollInterval configures the poll interval # for route updates. If Poll interval is set to 0 the updates will # be disabled and fall back to blocking queries. Other values can # be any time definition. e.g. 1s, 100ms # # The default is # registry.consul.pollInterval = 0 # registry.custom.host configures the host:port for fabio to make the API call # # The default is # # registry.custom.host = # registry.custom.scheme configures the scheme use to make the API call # must be one of http, https # # The default is # # registry.custom.scheme = https # registry.custom.checkTLSSkipVerify disables the TLS validation for the API call # # The default is # # registry.custom.checkTLSSkipVerify = false # registry.custom.timeout controls the timeout for the API call # # The default is # # registry.custom.timeout = 5s # registry.custom.pollinterval is the length of time between API calls # # The default is # #registry.custom.pollinterval = 10s # registry.custom.path is the path used in the custom back end API Call # # The path does not need to contain the initial '/' # # Example: # # registry.custom.path = api/v1/ # # The default is # # registry.custom.path = # registry.custom.queryparams is the query parameters used in the custom back # end API Call # # Multiple query parameters should be separated with an & # # Example: # # registry.custom.queryparams = foo=bar&bar=foo # # The default is # # registry.custom.queryparams = # glob.matching.disabled disables glob matching on route lookups # If glob matching is enabled there is a performance decrease # for every route lookup. At a large number of services (> 500) this # can have a significant impact on performance. If glob matching is disabled # Fabio performs a static string compare for route lookups. # # The default is # # glob.matching.disabled = false # glob.cache.size sets the globCache size used for matching on route lookups. # # The default is # # glob.cache.size = 1000 # metrics.target configures the backend the metrics values are # sent to. # # Possible values are: # : do not report metrics # stdout: report metrics to stdout # graphite: report metrics to Graphite on ${metrics.graphite.addr} # statsd_raw: report metrics to StatsD on ${metrics.statsd.addr} # dogstatsd: report metrics to DogstatsD on ${metrics.dogstatsd.addr} # circonus: report metrics to Circonus (http://circonus.com/) # prometheus: report metrics on a prometheus listener. To combined with prometheus proxy.addr config # # The default is # # metrics.target = # note - multiple metrics targets can be defined separated by comma # metrics.prefix configures the template for the prefix of all reported metrics. # # Each metric has a unique name which is hard-coded to # # prefix.service.host.path.target-addr # # The value is expanded by the text/template package and provides # the following variables: # # - Hostname: the Hostname of the server # - Exec: the executable name of application # # The following additional functions are defined: # # - clean: lowercase value and replace '.' and ':' with '_' # # Template may include regular string parts to customize final prefix # # Example: # # Server hostname: test-001.something.com # Binary executable name: fabio # # The template variables are: # # .Hostname = test-001.something.com # .Exec = fabio # # which results to the following prefix string when using the # default template: # # test-001_something_com.fabio # # The default is # # metrics.prefix = {{clean .Hostname}}.{{clean .Exec}} # metrics.names configures the template for the route metric names # on backends that don't support tags. This is used in circonus, # graphite and statsd_raw. dogstatsd and prometheus ignore this. # The value is expanded by the text/template package and provides # the following variables: # # - Service: the service name # - Host: the host part of the URL prefix # - Path: the path part of the URL prefix # - TargetURL: the URL of the target # # The following additional functions are defined: # # - clean: lowercase value and replace '.' and ':' with '_' # # Given a route rule of # # route add testservice www.example.com/ http://10.1.2.3:12345/ # # the template variables are: # # .Service = testservice # .Host = www.example.com # .Path = / # .TargetURL.Host = 10.1.2.3:12345 # # which results to the following metric name when using the # default template: # # testservice.www_example_com./.10_1_2_3_12345 # # The default is # # metrics.names = {{clean .Service}}.{{clean .Host}}.{{clean .Path}}.{{clean .TargetURL.Host}} # metrics.interval configures the interval in which metrics are # reported. This has no effect on prometheus. # # The default is # # metrics.interval = 30s # metrics.timeout configures how long fabio tries to connect to the metrics # backend during startup. # # The default is # # metrics.timeout = 10s # metrics.retry configures the interval with which fabio tries to # connect to the metrics backend during startup. # # The default is # # metrics.retry = 500ms # metrics.graphite.addr configures the host:port of the Graphite # server. This is required when ${metrics.target} is set to "graphite". # # The default is # # metrics.graphite.addr = # metrics.statsd.addr configures the host:port of the StatsD # server. This is required when ${metrics.target} is set to "statsd_raw". # # The default is # # metrics.statsd.addr = # metrics.dogstatsd.addr configures the host:port of the DogStatsD # server. This is required when ${metrics.target} is set to "dogstatsd". # # The default is # # metrics.dogstatsd.addr = # metrics.circonus.apikey configures the API token key to use when # submitting metrics to Circonus. See: https://login.circonus.com/user/tokens # This is optional when ${metrics.target} is set to "circonus" but # ${metrics.circonus.submissionurl is specified}. # # The default is # # metrics.circonus.apikey = # metrics.circonus.submissionurl configures a specific check submission url # for a Check API object of a previously created HTTPTRAP check # This is optional when ${metrics.target} is set to "circonus" but # ${metrics.circonus.apikey is specified}. # #### Example # # `http://127.0.0.1:2609/write/fabio` # # The default is # # metrics.circonus.submissionurl = # metrics.circonus.apiapp configures the API token app to use when # submitting metrics to Circonus. See: https://login.circonus.com/user/tokens # This is optional when ${metrics.target} is set to "circonus". # # The default is # # metrics.circonus.apiapp = fabio # metrics.circonus.apiurl configures the API URL to use when # submitting metrics to Circonus. https://api.circonus.com/v2/ # will be used if no specific URL is provided. # This is optional when ${metrics.target} is set to "circonus". # # The default is # # metrics.circonus.apiurl = # metrics.circonus.brokerid configures a specific broker to use when # creating a check for submitting metrics to Circonus. # This is optional when ${metrics.target} is set to "circonus". # Optional for public brokers, required for Inside brokers. # Only applicable if a check is being created. # # The default is # # metrics.circonus.brokerid = # metrics.circonus.checkid configures a specific check to use when # submitting metrics to Circonus. # This is optional when ${metrics.target} is set to "circonus". # An attempt will be made to search for a previously created check, # if no applicable check is found, one will be created. # # The default is # # metrics.circonus.checkid = # metrics.prometheus.subsystem configures the system name when reporting # metrics. This is basically appended to the prefix for metric names. # # The default is # # metrics.prometheus.subsystem = # metrics.prometheus.path configures the path to serve up metrics on any configured # proxy.addr's where proto=prometheus. # # The default is # # metrics.prometheus.path = /metrics # metrics.prometheus.buckets configures the time buckets for use with histograms, measured in seconds. # for instance, .005 is equivalent to 5ms. there is an implied "infinity" bucket tacked on at the end. # # The default is # # metrics.prometheus.buckets = .005,.01,.025,.05,.1,.25,.5,1,2.5,5,10 # runtime.gogc configures GOGC (the GC target percentage). # # Setting runtime.gogc is equivalent to setting the GOGC # environment variable which also takes precedence over # the value from the config file. # # NOTE - the default for fabio up to 1.5.14 was 800. This changed # to 100 in version 1.5.15 # # The default is # # runtime.gogc = 100 # runtime.gomaxprocs configures GOMAXPROCS. # # Setting runtime.gomaxprocs is equivalent to setting the GOMAXPROCS # environment variable which also takes precedence over # the value from the config file. # # If runtime.gomaxprocs < 0 then all CPU cores are used. # # The default is # # runtime.gomaxprocs = -1 # ui.access configures the access mode for the UI. # # ro: read-only access # rw: read-write access # # The default is # # ui.access = rw # ui.addr configures the address the UI is listening on. # The listener uses the same syntax as proxy.addr but # supports only a single listener. To enable HTTPS # configure a certificate source. You should use # a different certificate source than the one you # use for the external connections, e.g. 'cs=ui'. # # The default is # # ui.addr = :9998 # ui.color configures the background color of the UI. # Color names are from http://materializecss.com/color.html # # The default is # # ui.color = light-green # ui.title configures an optional title for the UI. # # The default is # # ui.title = # ui.routingtable.source.linkenabled optionally configure if the # routing table's column "source" should be a clickable link. # # The default is # # ui.routingtable.source.linkenabled = false # ui.routingtable.source.newtab configures if the source # link should open in a new tab. # This is only applicable if the 'linkenabled' is set to true. # # The default is # # ui.routingtable.source.newtab = true # ui.routingtable.source.scheme configures the scheme protocol # for the link of the source on the routing table. This is # useful when the scheme is different than the current page # or to force the traffic to a certain protocol. # This is only applicable if the 'linkenabled' is set to true. # # The default is # # ui.routingtable.source.scheme = http # ui.routingtable.source.host configures an optional host or # base address for the link in the source column. # This is only used when the source is not a separate # server (does not begin with '/', e.g. 'dev.google.net'). If # source is subdirectory it will set the link for the source to # this host. If this is not set, and the source link is # enabled, the link will default to current host. # This is only applicable if the 'linkenabled' is set to true. # # The default is # # ui.routingtable.source.host = # ui.routingtable.source.port configures an optional port # for the routing table source column link. This # is used in conjunction with the host and scheme. If the # source is not a separate server (does not begin with '/', # e.g. 'dev.google.net'), and the host is set, or default to # the current scheme protocol port (80 for http or 443 for https). # This is only applicable if the 'linkenabled' is set to true. # # The default is # # ui.routingtable.source.port = # Open Trace Configuration Currently supports ZipKin Collector # tracing.TracingEnabled enables/disables Open Tracing in Fabio. Bool value true/false # # The default is # # tracing.TracingEnabled = false # tracing.CollectorType sets what type of collector is used. # Currently only two types are supported http and kafka # # http: sets collector type to http tracing.ConnectString must also be set # kafka: sets collector type to emit via kafka. tracing.Topic must also be set # # The default is # # tracing.CollectorType = http # tracing.ConnectString sets the connection string per connection type. # If tracing.CollectorType = http tracing.ConnectString should be # http://URL:PORT where URL is the URL of your collector and PORT is the TCP Port # it is listening on # # If tracing.CollectorType = kafka tracing.ConnectString should be # HOSTNAME:PORT of your kafka broker # tracing.Topic must also be set # # The default is # # tracing.ConnectString = http://localhost:9411/api/v1/spans # tracing.ServiceName sets the service name used in reporting span information # # The default is # # tracing.ServiceName = Fabiolb # tracing.SpanName configures the template used in reporting span information # # The value is expanded by the text/template package and provides # the following variables: # # - Proto: the protocol version # - Method: the HTTP method # - Host: the host part of the URL # - Scheme: the scheme of the requested URL # - Path: the path of the requested URL # - RawQuery: the encoded query values of the requested URL # # SpanName defaults to the value of tracing.ServiceName but can be # overridden with this property. # # Example: tracing.SpanName = {{.Proto}} {{.Method}} {{.Path}} # # The default is # # tracing.SpanName = # tracing.Topic sets the Topic String used if tracing.CollectorType is kafka and # tracing.ConnectSting is set to a kafka broker # # The default is # # tracing.Topic = Fabiolb-Kafka-Topic # tracing.SamplerRate is the rate at which opentrace span data will be collected and sent # If SamplerRate is <= 0 Never sample # If SamplerRate is >= 1.0 always sample # Values between 0 and 1 will be the percentage in decimal form # Example a value of .50 will be 50% sample rate # # The default is # tracing.SamplerRate = -1 # tracing.SpanHost sets host information. # This is used to specify additional information when sending spans to a collector # # The default is # tracing.SpanHost = localhost:9998 # BGP Anycast configuration # Experimental. Leopards will eat your face. # bgp.enabled enables the embedded gobgpd daemon. # The default is # bgp.enabled = false # bgp.asn sets the asn ID of our router # The default is: # bgp.asn = 65000 # bgp.anycastaddresses sets the anycast addresses we will advertise, separated by comma. Technically this # will advertise any route prefix. These should already be configured on the host probably hung off loopback. # for example, 192.168.5.3/32. The default value is: # bgp.anycastaddresses = # # If bgp is enabled, this must be defined. # bgp.routerid is the router id (ip address) of this router. This is required if bgp is enabled. # the default value is: # bgp.routerid = # # bgp.listenport sets the listen ports for bgp communication from other routers. # default vaule is : # bgp.listenport = 179 # bgp.listenaddresses sets the listen addresses for bgp, separated by comma. The default is # bgp.listenaddresses = 0.0.0.0 # which listens on all interfaces. # bgp.nexthop sets the next hop address. If not set, it uses the bgp.routerid instead. # default value: # bgp.nexthop = # bgp.peers sets the bgp peers we will advertise routes to. This is required if bgp is enabled. # bgp.peers is specified as a comma separated list of neighboraddress and asn pairs, i.e. # bgp.peers = address=1.2.3.4;asn=65001,address=5.6.7.8;asn=65002 # valid parameters for peers are: # address - required # port - optional, defaults to 179 # asn - required # multihop - optional, defaults to false # multihoplength - optional, defaults to 2 # password - optional # default value # bgp.peers = # bgp.enablegrpc enables the gobgp grpc interface. To be used with the gobgp command line client. # default value is: # bgp.enablegrpc=false # bgp.grpclistenaddress is the listen interface and port if bgp.enablegrpc is set to true. defaults to: # bgp.grpclistenaddress = 127.0.0.1:50051 # bgp.grpctls is whether to enable TLS on the bgp grpc interface. default value is: # bgp.grpctls = false # bgp.certfile is the file path of the certificate, and is required if bgp.grpctls is set to true. Default value is: # bgp.certfile = # bgp.keyfile is the file path of the key file, and is required if bgp.grpctls is set to true. Default value is: # bgp.keyfile = # bgp.nexthop explicitly sets the value of the nexthop for all routes we publish. If not set, this uses the # bgp.routerid value, which is what makes sense in most cases. Default value is: # bgp.nexthop = # bgp.gobgpdcfgfile is the optional file path to a gobgpd config file. This overrides the global config # items above, such as bgp.routerid, bgp.asn etc. This also skips # # automatically adding gobgpd policies that prevent us from accepting prefixes from neighbors. only # use this if you know what you're doing, this is to allow for more flexibility than we expose directly # with fabio. # default value is: # bgp.gobgpdcfgfile =