• 简介
  • 配置
    • 服务基础配置
    • TLS基础配置
    • TLS Session Cache相关配置
    • TLS Session Ticket相关配置
  • 示例

    简介

    bfe.conf是BFE的核心配置。

    配置

    服务基础配置

    配置项 类型 描述
    HttpPort Int HTTP监听端口
    HttpsPort Int HTTPS(TLS)监听端口
    MonitorPort Int Monitor监听端口
    MaxCpus Int 最大使用CPU核数; 0代表使用所有CPU核
    Layer4LoadBalancer String 四层负载均衡器类型 (PROXY/BGW/NONE)
    TlsHandshakeTimeout Int TLS握手超时时间,单位为秒
    ClientReadTimeout Int 读客户端超时时间,单位为秒
    ClientWriteTimeout Int 写客户端超时时间,单位为秒
    GracefulShutdownTimeout Int 优雅退出超时时间,单位为秒,最大300秒
    KeepAliveEnabled Bool 与用户端连接是否启用HTTP KeepAlive
    MaxHeaderBytes Int 请求头部的最大长度,单位为Byte
    MaxHeaderUriBytes Int 请求头部URI的最大长度,单位为Byte
    HostRuleConf String 租户域名表配置文件
    VipRuleConf String 租户VIP表配置文件
    RouteRuleConf String 转发规则配置文件
    ClusterConf String 后端集群相关配置文件
    GslbConf String 子集群级别负载均衡配置文件(GSLB)
    ClusterTableConf String 实例级别负载均衡配置文件
    NameConf String 名字与实例映射表配置文件
    Modules String 启用的模块列表; 启用多个模块请增加多行Modules配置,详见下文示例
    MonitorInterval Int Monitor数据统计周期
    DebugServHttp Bool 是否开启反向代理模块调试日志
    DebugBfeRoute Bool 是否开启流量路由模块调试日志
    DebugBal Bool 是否开启负载均衡模块调试日志
    DebugHealthCheck Bool 是否开启健康检查模块调试日志

    TLS基础配置

    配置项 类型 描述
    ServerCertConf String 服务端证书与密钥的配置文件
    TlsRuleConf String TLS协议参数配置文件
    CipherSuites String 启用的加密套件列表; 启用多个套件请增加多行cipherSuites配置,详见下文示例
    CurvePreferences String 启用的ECC椭圆曲线 ,详见下文示例
    EnableSslv2ClientHello Bool 针对SSLv3协议,启用对SSLv2格式ClientHello的兼容
    ClientCABaseDir String 客户端根CA证书基目录 注意:证书文件后缀约定必须是 “.crt”

    TLS Session Cache相关配置

    配置项 类型 描述
    SessionCacheDisabled Bool 是否禁用TLS Session Cache机制
    Servers String Cache服务的访问地址
    KeyPrefix String 缓存key前缀
    ConnectTimeout Int 连接Cache服务的超时时间, 单位毫秒
    ReadTimeout Int 读取Cache服务的超时时间, 单位毫秒
    WriteTimeout Int 写入Cache服务的超时时间, 单位毫秒
    MaxIdle Int 与Cache服务的最大空闲长连接数
    SessionExpire Int 存储在Cache服务中会话信息的过期时间, 单位秒

    TLS Session Ticket相关配置

    配置项 类型 描述
    SessionTicketsDisabled Bool 是否禁用TLS Session Ticket
    SessionTicketKeyFile String Session Ticket Key文件路径

    示例

    1. [server]
    2. # listen port for http request
    3. httpPort = 8080
    4. # listen port for https request
    5. httpsPort = 8443
    6. # listen port for monitor request
    7. monitorPort = 8299
    9. # max number of CPUs to use (0 to use all CPUs)
    10. maxCpus = 0
    12. # type of layer-4 load balancer (PROXY/BGW/NONE)
    13. #
    14. # Note:
    15. # - PROXY: layer-4 balancer talking the proxy protocol
    16. #          eg. F5 BigIP/Citrix ADC
    17. # - BGW: Baidu GateWay
    18. # - NONE: layer-4 balancer disabled
    19. layer4LoadBalancer = ""
    21. # tls handshake timeout, in seconds
    22. tlsHandshakeTimeout = 30
    24. # read timeout, in seconds
    25. clientReadTimeout = 60
    27. # write timeout, in seconds
    28. clientWriteTimeout = 60
    30. # if false, client connection is shutdown disregard of http headers
    31. keepAliveEnabled = true
    33. # timeout for graceful shutdown (maximum 300 sec)
    34. gracefulShutdownTimeout = 10
    36. # max header length in bytes in request
    37. maxHeaderBytes = 1048576
    39. # max URI(in header) length in bytes in request
    40. maxHeaderUriBytes = 8192
    42. # routing related conf
    43. hostRuleConf = server_data_conf/host_rule.data
    44. vipRuleConf = server_data_conf/vip_rule.data
    45. routeRuleConf = server_data_conf/route_rule.data
    46. clusterConf = server_data_conf/cluster_conf.data
    48. # load balancing related conf
    49. gslbConf = cluster_conf/gslb.data
    50. clusterTableConf = cluster_conf/cluster_table.data
    52. # naming related conf
    53. nameConf = server_data_conf/name_conf.data
    55. # moduels enabled
    56. modules = mod_trust_clientip
    57. modules = mod_block
    58. modules = mod_header
    59. modules = mod_rewrite
    60. modules = mod_redirect
    61. modules = mod_logid
    63. # interval for get diff of proxy-state
    64. monitorInterval = 20
    66. # debug flags
    67. debugServHttp = false
    68. debugBfeRoute = false
    69. debugBal = false
    70. debugHealthCheck = false
    72. [httpsBasic]
    73. # tls cert conf
    74. serverCertConf = tls_conf/server_cert_conf.data
    76. # tls rule
    77. tlsRuleConf = tls_conf/tls_rule_conf.data
    79. # supported cipherSuites preference settings
    80. #
    81. # ciphersuites implemented in golang:
    82. #     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    83. #     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    84. #     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    85. #     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    86. #     TLS_ECDHE_RSA_WITH_RC4_128_SHA
    87. #     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    88. #     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    89. #     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    90. #     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    91. #     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    92. #     TLS_RSA_WITH_RC4_128_SHA
    93. #     TLS_RSA_WITH_AES_128_CBC_SHA
    94. #     TLS_RSA_WITH_AES_256_CBC_SHA
    95. #     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    96. #     TLS_RSA_WITH_3DES_EDE_CBC_SHA
    97. #
    98. # Note:
    99. # -. Equivalent cipher suites (cipher suites with same priority in server side):
    100. #    cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    101. #    cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    102. #
    103. cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    104. cipherSuites=TLS_ECDHE_RSA_WITH_RC4_128_SHA
    105. cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    106. cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    107. cipherSuites=TLS_RSA_WITH_RC4_128_SHA
    108. cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA
    109. cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA
    111. # supported curve perference settings
    112. #
    113. # curves implemented in golang: 
    114. #     CurveP256 
    115. #     CurveP384 
    116. #     CurveP521
    117. #
    118. # Note:
    119. # - Do not use CurveP384/CurveP521 which is with poor performance
    120. #
    121. curvePreferences=CurveP256
    123. # support Sslv2 ClientHello for compatible with ancient 
    124. # TLS capable clients (mozilla 5, java 5/6, openssl 0.9.8 etc)
    125. enableSslv2ClientHello = true
    127. # base directory of client ca certificates
    128. # Note: filename suffix of ca certificate file should be ".crt"
    129. clientCABaseDir = tls_conf/client_ca
    131. [sessionCache]
    132. # disable tls session cache or not
    133. sessionCacheDisabled = true
    135. # address of cache server
    136. servers = "example.redis.cluster"
    138. # prefix for cache key
    139. keyPrefix = "bfe"
    141. # connection params (ms)
    142. connectTimeout = 50
    143. readTimeout = 50
    144. writeTimeout = 50
    146. # max idle connections in connection pool
    147. maxIdle = 20
    149. # expire time for tls session state (second)
    150. sessionExpire = 3600
    152. [sessionTicket]
    153. # disable tls session ticket or not
    154. sessionTicketsDisabled = true
    155. # session ticket key
    156. sessionTicketKeyFile = tls_conf/session_ticket_key.data