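# APISIX gateway configuration, restored to block-style YAML from a
# whitespace-collapsed listing. The nesting was rebuilt from key order, so
# check it against the original file before deploying.
# Every value is unchanged except `cache_levels`, which is now quoted.
# Lines marked NOTE(security) flag settings to review; they change no behaviour.
# `${{NAME}}` values are placeholders filled in from environment variables.

apisix:
  node_listen:                      # APISIX listening ports.
    - ${{APISIX_NODE_LISTEN}}
  enable_admin: true                # Admin API
  enable_dev_mode: false            # If true, set nginx `worker_processes` to 1.
  enable_reuseport: true            # If true, enable nginx SO_REUSEPORT option.
  show_upstream_status_in_response_header: false  # If true, include the upstream HTTP status code in the response header.
  enable_ipv6: false
  # NOTE(security): true advertises the APISIX version in the `Server` response
  # header; set to false on internet-facing listeners to reduce fingerprinting.
  enable_server_tokens: true        # If true, show APISIX version in the `Server` response header.
  extra_lua_path: ""                # Extend lua_package_path to load third-party code.
  extra_lua_cpath: ""               # Extend lua_package_cpath to load third-party code.

  proxy_cache:                      # Proxy Caching configuration
    cache_ttl: 10s                  # The default caching time on disk if the upstream does not specify a caching time.
    zones:
      - name: disk_cache_one        # Name of the cache.
        memory_size: 50m            # Size of the memory to store the cache index.
        disk_size: 1G               # Size of the disk to store the cache data.
        # NOTE(security): the cache lives under /tmp; confirm the directory is
        # owned by, and writable only by, the APISIX worker user.
        disk_path: /tmp/disk_cache_one  # Path to the cache file for disk cache.
        # Quoted: a bare 1:2 can be read as a base-60 integer by YAML 1.1 loaders.
        cache_levels: "1:2"         # Cache hierarchy levels of disk cache.
      - name: memory_cache
        memory_size: 50m

  delete_uri_tail_slash: false      # Delete the '/' at the end of the URI
  normalize_uri_like_servlet: false  # If true, use the same path normalization rules as Java servlets.

  router:
    http: radixtree_host_uri        # radixtree_host_uri: match route by host and URI
    ssl: radixtree_sni              # radixtree_sni: match route by SNI

  proxy_mode: http
  resolver_timeout: 5               # Time in seconds to wait for a response from the resolver.
  enable_resolv_search_opt: true    # If true, use search option in the resolv.conf file in DNS lookups.

  ssl:
    enable: true
    listen:                         # APISIX listening port for HTTPS traffic.
      - port: 9443
        enable_http2: true          # NOTE(review): assumed to belong to this listen entry; confirm nesting.
    ssl_protocols: TLSv1.2 TLSv1.3  # TLS versions supported.
    ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl_session_tickets: false      # If true, session tickets are used for SSL/TLS connections.

  enable_control: true              # Control API
  disable_sync_configuration_during_start: false  # Safe exit. TO BE REMOVED.

  data_encryption:                  # Data encryption settings.
    enable_encrypt_fields: false    # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema.
    # NOTE(security): these keys are literal values stored in this file, so
    # anyone who can read the file (or the repository it is committed to) can
    # decrypt data protected with them. Generate deployment-specific keys and
    # keep them out of version control. The first entry also contains non-hex
    # characters although the comment below asks for a hexadecimal string.
    # Changing a key affects data already encrypted with it; plan a rotation.
    keyring:                        # This field is used to encrypt the private key of SSL and the `encrypt_fields`
      - qeddd145sfvddff3            # Set the encryption key for AES-128-CBC. It should be a hexadecimal string.
      - edd1c9f0985e76a2            # If not set, APISIX saves the original data into etcd.

  events:                           # Event distribution module configuration
    module: lua-resty-events        # Sets the name of the events module used.

nginx_config:                       # Config for render the template to generate nginx.conf
  error_log: logs/error.log         # Location of the error log.
  error_log_level: warn             # Logging level: info, debug, notice, warn, error, crit, alert, or emerg.
  worker_processes: auto            # Automatically determine the number of worker processes.
  enable_cpu_affinity: false        # CPU affinity is disabled by default.
  worker_rlimit_nofile: 20480       # The number of files a worker process can open.
  worker_shutdown_timeout: 240s     # Timeout for a graceful shutdown of worker processes.
  max_pending_timers: 16384         # The maximum number of pending timers that can be active at any given time.
  max_running_timers: 4096          # The maximum number of running timers that can be active at any given time.

  event:
    worker_connections: 10620

  meta:
    lua_shared_dict:                # Nginx Lua shared memory zone. Size units are m or k.
      prometheus-metrics: 15m

  stream:
    enable_access_log: false        # Enable stream proxy access logging.
    access_log: logs/access_stream.log  # Location of the stream access log.
    # Customize log format: http://nginx.org/en/docs/varindex.html
    access_log_format: "$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time"
    access_log_format_escape: default  # Escape default or json characters in variables.
    lua_shared_dict:                # Nginx Lua shared memory zone. Size units are m or k.
      etcd-cluster-health-check-stream: 10m
      lrucache-lock-stream: 10m
      plugin-limit-conn-stream: 10m
      worker-events-stream: 10m
      tars-stream: 1m

  # The `#` lines inside each snippet below are part of the block-scalar value
  # (they are emitted as nginx comments), not YAML comments.
  # NOTE(security): snippets are presumably copied verbatim into nginx.conf;
  # treat write access to this file as equivalent to control of the gateway.
  main_configuration_snippet: |
    # Add custom Nginx main configuration to nginx.conf.
    # The configuration should be well indented!
  http_configuration_snippet: |
    # Add custom Nginx http configuration to nginx.conf.
    # The configuration should be well indented!
  http_server_configuration_snippet: |
    # Add custom Nginx http server configuration to nginx.conf.
    # The configuration should be well indented!
  http_server_location_configuration_snippet: |
    # Add custom Nginx http server location configuration to nginx.conf.
    # The configuration should be well indented!
  http_admin_configuration_snippet: |
    # Add custom Nginx admin server configuration to nginx.conf.
    # The configuration should be well indented!
  http_end_configuration_snippet: |
    # Add custom Nginx http end configuration to nginx.conf.
    # The configuration should be well indented!
  stream_configuration_snippet: |
    # Add custom Nginx stream configuration to nginx.conf.
    # The configuration should be well indented!

  http:
    enable_access_log: true         # Enable HTTP proxy access logging.
    access_log: logs/access.log     # Location of the access log.
    access_log_buffer: 16384        # buffer size of access log.
    access_log_format: "$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\""
    access_log_format_escape: default  # Escape default or json characters in variables.
    keepalive_timeout: 60s          # Set the maximum time for which TCP connection keeps alive.
    client_header_timeout: 60s      # Set the maximum time waiting for client to send the entire HTTP request header.
    client_body_timeout: 60s        # Set the maximum time waiting for client to send the request body.
    # NOTE(security): in nginx, 0 disables the request-body size check. Set an
    # explicit limit (globally or per route) unless unbounded uploads are
    # required, to limit resource-exhaustion exposure.
    client_max_body_size: 0         # Set the maximum allowed size of the client request body.
    send_timeout: 10s               # Set the maximum time for transmitting a response to the client before closing.
    underscores_in_headers: "on"    # Allow HTTP request headers to contain underscores in their names.
    # NOTE(security): the client address is taken from X-Real-IP only for the
    # peers listed in real_ip_from. Keep that list limited to proxies you
    # control, otherwise clients can spoof the address used by IP-based plugins.
    real_ip_header: X-Real-IP       # https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
    real_ip_recursive: "off"        # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
    real_ip_from:                   # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
      - 127.0.0.1
      - "unix:"
    proxy_ssl_server_name: true     # Send the server name in the SNI extension when establishing an SSL/TLS connection.
    upstream:
      # NOTE(review): the original comment called this a "maximum time"; the
      # nginx `keepalive` directive takes a connection count. Confirm the mapping.
      keepalive: 320                # Keep-alive connections to the upstream servers.
      keepalive_requests: 1000      # Set the maximum number of requests that can be served through one keep-alive connection.
      keepalive_timeout: 60s        # Set the maximum time for which TCP connection keeps alive.
    charset: utf-8                  # Add the charset to the "Content-Type" response header field.
    variables_hash_max_size: 2048   # Set the maximum size of the variables hash table.
    lua_shared_dict:                # Nginx Lua shared memory zone. Size units are m or k.
      internal-status: 10m
      plugin-limit-req: 10m
      plugin-limit-count: 10m
      prometheus-metrics: 10m
      plugin-limit-conn: 10m
      upstream-healthcheck: 10m
      worker-events: 10m
      lrucache-lock: 10m
      balancer-ewma: 10m
      balancer-ewma-locks: 10m
      balancer-ewma-last-touched-at: 10m
      plugin-limit-count-redis-cluster-slot-lock: 1m
      tracing_buffer: 10m
      plugin-api-breaker: 10m
      etcd-cluster-health-check: 10m
      discovery: 1m
      jwks: 1m
      introspection: 10m
      access-tokens: 1m
      ext-plugin: 1m
      tars: 1m
      cas-auth: 10m
      ocsp-stapling: 10m

graphql:
  max_size: 1048576                 # Set the maximum size limitation of graphql in bytes. Default to 1MiB.

# NOTE(security): every plugin listed here is loaded and can be attached to
# routes by anyone with Admin API write access. The list includes plugins that
# run operator-supplied code or exist for testing (serverless-pre-function,
# serverless-post-function, ext-plugin-*, inspect, fault-injection, mocking,
# echo, example-plugin). Comment out the ones this deployment does not use.
plugins:                            # plugin list (sorted by priority)
  - real-ip                         # priority: 23000
  - ai                              # priority: 22900
  - client-control                  # priority: 22000
  - proxy-control                   # priority: 21990
  - request-id                      # priority: 12015
  - zipkin                          # priority: 12011
  #- skywalking                     # priority: 12010
  #- opentelemetry                  # priority: 12009
  - ext-plugin-pre-req              # priority: 12000
  - fault-injection                 # priority: 11000
  - mocking                         # priority: 10900
  - serverless-pre-function         # priority: 10000
  #- batch-requests                 # priority: 4010
  - cors                            # priority: 4000
  - ip-restriction                  # priority: 3000
  - ua-restriction                  # priority: 2999
  - referer-restriction             # priority: 2990
  - csrf                            # priority: 2980
  - uri-blocker                     # priority: 2900
  - request-validation              # priority: 2800
  - chaitin-waf                     # priority: 2700
  - multi-auth                      # priority: 2600
  - openid-connect                  # priority: 2599
  - cas-auth                        # priority: 2597
  - authz-casbin                    # priority: 2560
  - authz-casdoor                   # priority: 2559
  - wolf-rbac                       # priority: 2555
  - ldap-auth                       # priority: 2540
  - hmac-auth                       # priority: 2530
  - basic-auth                      # priority: 2520
  - jwt-auth                        # priority: 2510
  - jwe-decrypt                     # priority: 2509
  - key-auth                        # priority: 2500
  - consumer-restriction            # priority: 2400
  - forward-auth                    # priority: 2002
  - opa                             # priority: 2001
  - authz-keycloak                  # priority: 2000
  #- error-log-logger               # priority: 1091
  - proxy-cache                     # priority: 1085
  - body-transformer                # priority: 1080
  - proxy-mirror                    # priority: 1010
  - proxy-rewrite                   # priority: 1008
  - workflow                        # priority: 1006
  - api-breaker                     # priority: 1005
  - limit-conn                      # priority: 1003
  - limit-count                     # priority: 1002
  - limit-req                       # priority: 1001
  #- node-status                    # priority: 1000
  #- brotli                         # priority: 996
  - gzip                            # priority: 995
  - server-info                     # priority: 990
  - traffic-split                   # priority: 966
  - redirect                        # priority: 900
  - response-rewrite                # priority: 899
  - degraphql                       # priority: 509
  - kafka-proxy                     # priority: 508
  #- dubbo-proxy                    # priority: 507
  - grpc-transcode                  # priority: 506
  - grpc-web                        # priority: 505
  - http-dubbo                      # priority: 504
  - public-api                      # priority: 501
  - prometheus                      # priority: 500
  - datadog                         # priority: 495
  - loki-logger                     # priority: 414
  - elasticsearch-logger            # priority: 413
  - echo                            # priority: 412
  - loggly                          # priority: 411
  - http-logger                     # priority: 410
  - splunk-hec-logging              # priority: 409
  - skywalking-logger               # priority: 408
  - google-cloud-logging            # priority: 407
  - sls-logger                      # priority: 406
  - tcp-logger                      # priority: 405
  - kafka-logger                    # priority: 403
  - rocketmq-logger                 # priority: 402
  - syslog                          # priority: 401
  - udp-logger                      # priority: 400
  - file-logger                     # priority: 399
  - clickhouse-logger               # priority: 398
  - tencent-cloud-cls               # priority: 397
  - inspect                         # priority: 200
  #- log-rotate                     # priority: 100
  # <- recommend to use priority (0, 100) for your custom plugins
  - example-plugin                  # priority: 0
  #- gm                             # priority: -43
  #- ocsp-stapling                  # priority: -44
  - aws-lambda                      # priority: -1899
  - azure-functions                 # priority: -1900
  - openwhisk                       # priority: -1901
  - openfunction                    # priority: -1902
  - serverless-post-function        # priority: -2000
  - ext-plugin-post-req             # priority: -3000
  - ext-plugin-post-resp            # priority: -4000

stream_plugins:                     # stream plugin list (sorted by priority)
  - ip-restriction                  # priority: 3000
  - limit-conn                      # priority: 1003
  - mqtt-proxy                      # priority: 1000
  #- prometheus                     # priority: 500
  - syslog                          # priority: 401
  # <- recommend to use priority (0, 100) for your custom plugins

plugin_attr:                        # Plugin attributes
  log-rotate:                       # Plugin: log-rotate
    timeout: 10000                  # maximum wait time for a log rotation (unit: millisecond)
    interval: 3600                  # Set the log rotate interval in seconds.
    max_kept: 168                   # Set the maximum number of log files to keep. If exceeded, historic logs are deleted.
    max_size: -1                    # Set the maximum size of log files in bytes before a rotation.
                                    # Skip size check if max_size is less than 0.
    enable_compression: false       # Enable log file compression (gzip).

  skywalking:                       # Plugin: skywalking
    service_name: APISIX            # Set the service name for SkyWalking reporter.
    service_instance_name: APISIX Instance Name  # Set the service instance name for SkyWalking reporter.
    endpoint_addr: http://127.0.0.1:12800  # Set the SkyWalking HTTP endpoint.
    report_interval: 3              # Set the reporting interval in second.

  opentelemetry:                    # Plugin: opentelemetry
    trace_id_source: x-request-id   # Specify the source of the trace ID for OpenTelemetry traces.
    resource:
      service.name: APISIX          # Set the service name for OpenTelemetry traces.
    collector:
      address: 127.0.0.1:4318       # Set the address of the OpenTelemetry collector to send traces to.
      request_timeout: 3            # Set the timeout for requests to the OpenTelemetry collector in seconds.
      request_headers:              # Set the headers to include in requests to the OpenTelemetry collector.
        # NOTE(security): `token` looks like a placeholder. If the plugin is
        # enabled, supply the real credential from the environment or a secret
        # store rather than writing it into this file.
        Authorization: token        # Set the authorization header to include an access token.
    batch_span_processor:
      drop_on_queue_full: false     # Drop spans when the export queue is full.
      max_queue_size: 1024          # Set the maximum size of the span export queue.
      batch_timeout: 2              # Set the timeout for span batches to wait in the export queue before
                                    # being sent.
      inactive_timeout: 1           # Set the timeout for spans to wait in the export queue before being sent,
                                    # if the queue is not full.
      max_export_batch_size: 16     # Set the maximum number of spans to include in each batch sent to the
                                    # OpenTelemetry collector.
    set_ngx_var: false              # export opentelemetry variables to nginx variables

  prometheus:                       # Plugin: prometheus
    export_uri: /apisix/prometheus/metrics  # Set the URI for the Prometheus metrics endpoint.
    metric_prefix: apisix_          # Set the prefix for Prometheus metrics generated by APISIX.
    enable_export_server: true      # Enable the Prometheus export server.
    export_addr:                    # Set the address for the Prometheus export server.
      ip: 127.0.0.1                 # Set the IP.
      port: 9091                    # Set the port.
    # metrics:                      # Create extra labels from nginx variables: https://nginx.org/en/docs/varindex.html
    #   http_status:
    #     extra_labels:
    #       - upstream_addr: $upstream_addr
    #       - status: $upstream_status  # The label name does not need to be the same as the variable name.
    #   http_latency:
    #     extra_labels:
    #       - upstream_addr: $upstream_addr
    #   bandwidth:
    #     extra_labels:
    #       - upstream_addr: $upstream_addr
    # default_buckets:
    #   - 10
    #   - 50
    #   - 100
    #   - 200
    #   - 500

  server-info:                      # Plugin: server-info
    report_ttl: 60                  # Set the TTL in seconds for server info in etcd.
                                    # Maximum: 86400. Minimum: 3.

  dubbo-proxy:                      # Plugin: dubbo-proxy
    upstream_multiplex_count: 32    # Set the maximum number of connections that can be multiplexed over
                                    # a single network connection between the Dubbo Proxy and the upstream
                                    # Dubbo services.

  proxy-mirror:                     # Plugin: proxy-mirror
    timeout:                        # Set the timeout for mirrored requests.
      connect: 60s
      read: 60s
      send: 60s

  # redirect:                       # Plugin: redirect
  #   https_port: 8443              # Set the default port used to redirect HTTP to HTTPS.

  inspect:                          # Plugin: inspect
    delay: 3                        # Set the delay in seconds for the frequency of checking the hooks file.
    hooks_file: "/usr/local/apisix/plugin_inspect_hooks.lua"  # Set the path to the Lua file that defines
                                    # hooks. Only administrators should have
                                    # write access to this file for security.

  zipkin:                           # Plugin: zipkin
    set_ngx_var: false              # export zipkin variables to nginx variables

deployment:                         # Deployment configurations
  role: traditional                 # Set deployment mode: traditional, control_plane, or data_plane.
  role_traditional:
    config_provider: etcd           # Set the configuration center.

  #role_data_plane:                 # Set data plane details if role is data_plane.
  #  config_provider: etcd          # Set the configuration center: etcd, xds, or yaml.

  #role_control_plane:              # Set control plane details if role is control_plane.
  #  config_provider: etcd          # Set the configuration center.

  admin:                            # Admin API
    admin_key_required: true        # Enable Admin API authentication by default for security.
    # Keys come from the environment instead of being written here. Make sure
    # both variables are set to strong, distinct values before start-up.
    admin_key:
      - name: admin                 # admin: write access to configurations.
        key: ${{APISIX_ADMIN_KEY}}  # Set API key for the admin of Admin API.
        role: admin
      - name: viewer                # viewer: read-only to configurations.
        key: ${{APISIX_VIEWER_KEY}}  # Set API key for the viewer of Admin API.
        role: viewer

    # NOTE(security): confirm which origin this allows; turn it off if no
    # browser client calls the Admin API.
    enable_admin_cors: true         # Enable Admin API CORS response header `Access-Control-Allow-Origin`.
    allow_admin:                    # Limit Admin API access by IP addresses.
      - 127.0.0.0/24                # If not set, any IP address is allowed.
      # - "::/64"
    # NOTE(security): the Admin API binds to every interface, so `allow_admin`
    # and the API key are the only controls. Bind to a loopback or management
    # address where possible, and keep port 9180 firewalled from untrusted networks.
    admin_listen:                   # Set the Admin API listening addresses.
      ip: 0.0.0.0                   # Set listening IP.
      port: 9180                    # Set listening port. Beware of port conflict with node_listen.

    admin_api_version: v3           # Set the version of Admin API (latest: v3).

  etcd:
    host:                           # Set etcd address(es) in the same etcd cluster.
      - ${{APISIX_ETCD_URL}}        # If TLS is enabled for etcd, use https://127.0.0.1:2379.
    prefix: /apisix                 # Set etcd prefix.
    timeout: 30                     # The timeout when connect/read/write to etcd, Set timeout in seconds.
    watch_timeout: 50               # The timeout when watch etcd
    startup_retry: 2                # Set the number of retries to etcd on startup. Default to 2.
    tls:
      # NOTE(security): with verification off, an https:// etcd endpoint is
      # encrypted but not authenticated, so a network-positioned party could
      # impersonate etcd and serve configuration. Set to true and trust the
      # etcd CA wherever etcd is reached over TLS.
      verify: false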