-
Notifications
You must be signed in to change notification settings - Fork 224
/
gateway.conf
executable file
·609 lines (516 loc) · 21.2 KB
/
gateway.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
ditto {
extensions {
jwt-authorization-subjects-provider = {
extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
}
# The provider for JSON Web Token authentication results
jwt-authentication-result-provider = {
extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DefaultJwtAuthenticationResultProvider
# The provider for JSON Web Token authorization subjects
extension-config = {
jwt-authorization-subjects-provider = {
extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
}
}
}
# The provider for signal enrichment facades.
signal-enrichment-provider {
extension-class = org.eclipse.ditto.gateway.service.endpoints.utils.DefaultGatewaySignalEnrichmentProvider
extension-config = {
# timeout for all facades
ask-timeout = 10s
ask-timeout = ${?GATEWAY_SIGNAL_ENRICHMENT_ASK_TIMEOUT}
cache {
# enable/disable caching
enabled = true
enabled = ${?GATEWAY_SIGNAL_ENRICHMENT_CACHE_ENABLED}
# how many things to cache in total on a single cluster node
maximum-size = 20000
maximum-size = ${?GATEWAY_SIGNAL_ENRICHMENT_CACHE_MAXIMUM_SIZE}
# maximum duration of inconsistency after e.g. a policy update
expire-after-create = 2m
expire-after-create = ${?GATEWAY_SIGNAL_ENRICHMENT_CACHE_EXPIRE_AFTER_CREATE}
}
}
}
# The provider for custom HTTP bind flows.
http-bind-flow-provider = org.eclipse.ditto.gateway.service.endpoints.routes.LoggingHttpBindFlowProvider
# The supervisor for WebSocket connections
websocket-config-provider = org.eclipse.ditto.gateway.service.endpoints.routes.websocket.NoOpWebSocketConfigProvider
# The factory for the gateway authentication directive
gateway-authentication-directive-factory = org.eclipse.ditto.gateway.service.endpoints.directives.auth.DittoGatewayAuthenticationDirectiveFactory
# Creator of props of HTTP request actors. Must implement HttpRequestActorPropsFactory.
http-request-actor-props-factory = org.eclipse.ditto.gateway.service.endpoints.actors.DefaultHttpRequestActorPropsFactory
# The listener for SSE events
sse-event-sniffer = org.eclipse.ditto.gateway.service.endpoints.routes.sse.NoOpSseEventSniffer
streaming-authorization-enforcer = org.eclipse.ditto.gateway.service.streaming.NoOpAuthorizationEnforcer
# The listener for incoming WebSocket events
incoming-websocket-event-sniffer = org.eclipse.ditto.gateway.service.endpoints.routes.websocket.NoOpIncomingWebSocketEventSniffer
# The listener for outgoing WebSocket events
outgoing-websocket-event-sniffer = org.eclipse.ditto.gateway.service.endpoints.routes.websocket.NoOpOutgoingWebSocketEventSniffer
# The provider for custom API routes.
custom-api-routes-provider = org.eclipse.ditto.gateway.service.endpoints.routes.NoopCustomApiRoutesProvider
# The supervisor for SSE connections
sse-connection-supervisor = org.eclipse.ditto.gateway.service.endpoints.routes.sse.NoOpSseConnectionSupervisor
# The supervisor for WebSocket connections
websocket-connection-supervisor = "org.eclipse.ditto.gateway.service.endpoints.routes.websocket.NoOpWebSocketSupervisor"
# The Connections retreival actor factory
connections-retrieval-actor-props-factory = org.eclipse.ditto.gateway.service.endpoints.actors.DefaultConnectionsRetrievalActorPropsFactory
}
service-name = "gateway"
mapping-strategy.implementation = "org.eclipse.ditto.gateway.service.util.GatewayMappingStrategies"
gateway {
http {
# InetAddress.getLocalHost.getHostAddress is used if empty
hostname = ""
hostname = ${?HOSTNAME}
hostname = ${?BIND_HOSTNAME}
port = 8080
port = ${?HTTP_PORT}
port = ${?PORT}
coordinated-shutdown-timeout = 65s
coordinated-shutdown-timeout = ${?COORDINATED_SHUTDOWN_REQUEST_TIMEOUT}
schema-versions = [2]
# override schema-versions via system properties, e.g.: -Dditto.gateway.http.schema-versions.0=1 -Dditto.gateway.http.schema-versions.1=2
# headers to read the proxy-protocol from for HTTPS enforcement
protocol-headers = ["X-Forwarded-Proto", "x_forwarded_proto"]
forcehttps = false
forcehttps = ${?FORCE_HTTPS}
redirect-to-https = false
redirect-to-https = ${?REDIRECT_TO_HTTPS}
redirect-to-https-blocklist-pattern = "/api.*|/ws.*|/status.*|/overall.*"
enablecors = false
enablecors = ${?ENABLE_CORS}
request-timeout = 60s
request-timeout = ${?REQUEST_TIMEOUT}
# additional media-types which will also be accepted besides JSON, for compatibility/fallback reasons.
# comma separated list of media types, default: application/octet-stream
additional-accepted-media-types = ${?ADDITIONAL_ACCEPTED_MEDIA_TYPES}
query-params-as-headers = [
"accept",
"channel",
"correlation-id",
"requested-acks",
"declared-acks",
"response-required",
"timeout",
"live-channel-timeout-strategy",
"allow-policy-lockout",
"condition",
"live-channel-condition",
"at-historical-revision",
"at-historical-timestamp"
]
}
streaming {
# How often to update streaming session counter
session-counter-scrape-interval = 30s
# Maximum number of stream elements to process in parallel
parallelism = 64
parallelism = ${?GATEWAY_STREAMING_PARALLELISM}
# How long to wait before closing an idle search stream
search-idle-timeout = 60s
search-idle-timeout = ${?GATEWAY_STREAMING_SEARCH_IDLE_TIMEOUT}
subscription-refresh-delay = 5m
subscription-refresh-delay = ${?GATEWAY_STREAMING_SUBSCRIPTION_REFRESH_DELAY}
acknowledgement {
forwarder-fallback-timeout = 65s
}
websocket {
# the max queue size of how many inflight Commands a single Websocket client can have
subscriber {
backpressure-queue-size = 100
backpressure-queue-size = ${?WS_SUBSCRIBER_BACKPRESSURE}
}
# the max buffer size of how many outstanding CommandResponses and Events a single Websocket client can have
# additionally CommandResponses and Events are dropped if this size is reached
publisher {
backpressure-buffer-size = 200
backpressure-buffer-size = ${?WS_PUBLISHER_BACKPRESSURE}
}
# At which multiple of maximum throughput to send rejections.
# Should never be tripped if Pekko HTTP and TCP flow control are correct.
throttling-rejection-factor = 1.25
throttling-rejection-factor = ${?GATEWAY_WEBSOCKET_THROTTLING_REJECTION_FACTOR}
throttling {
enabled = false
enabled = ${?GATEWAY_WEBSOCKET_THROTTLING_ENABLED}
# Interval at which the websocket is rate-limited. Must be > 0s.
interval = 1s
interval = ${?GATEWAY_WEBSOCKET_THROTTLING_INTERVAL}
# The maximum number of messages the websocket is allowed to receive within the configured
# throttling interval e.g. 100 msgs/s. Must be > 0.
limit = 100
limit = ${?GATEWAY_WEBSOCKET_THROTTLING_LIMIT}
}
# The provider enforcer for WebSocket connections
streaming-authorization-enforcer = "org.eclipse.ditto.gateway.service.streaming.NoOpAuthorizationEnforcer"
}
sse {
throttling {
enabled = false
enabled = ${?GATEWAY_SSE_THROTTLING_ENABLED}
# Interval at which search SSE is rate-limited. Must be > 0s.
interval = 1s
interval = ${?GATEWAY_SSE_THROTTLING_INTERVAL}
# The maximum number of things a search SSE connection is allowed to send within the configured
# throttling interval e.g. 100 things/s. Must be > 0.
limit = 100
limit = ${?GATEWAY_SSE_THROTTLING_LIMIT}
}
# The provider enforcer for SSE connections
streaming-authorization-enforcer = "org.eclipse.ditto.gateway.service.streaming.NoOpAuthorizationEnforcer"
}
}
command {
default-timeout = ${ditto.gateway.http.request-timeout}
max-timeout = 1m
smart-channel-buffer = 10s
connections-retrieve-limit = 100
}
message {
default-timeout = 10s
max-timeout = 1m
}
claim-message {
default-timeout = 1m
max-timeout = 10m
}
dns {
# DNS server to use for looking up services
address = none
address = ${?DNS_SERVER} # may be overridden with this environment variable
}
authentication {
# configures HTTP for different authentication mechanisms: JWT (e.g. Google), ...
http {
# proxy config
proxy {
enabled = false
enabled = ${?AUTH_HTTP_PROXY_ENABLED}
hostname = ${?AUTH_HTTP_PROXY_HOST}
port = ${?AUTH_HTTP_PROXY_PORT}
username = ${?AUTH_HTTP_PROXY_USERNAME}
password = ${?AUTH_HTTP_PROXY_PASSWORD}
}
}
oauth {
# force protocol to HTTPS for security
protocol = "https"
protocol = ${?OAUTH_PROTOCOL}
# configure the amount of clock skew in seconds to tolerate when verifying the local time against the exp
# and nbf claims
allowed-clock-skew = 10s
allowed-clock-skew = ${?OAUTH_ALLOWED_CLOCK_SKEW}
# map <subject-issuer, configObject> of all supported OpenID Connect authorization servers
# issuer should not contain the protocol (e.g. https://)
openid-connect-issuers = {
# auth0 = {
# issuer = "<your-domain>.<region>.auth0.com/"
# issuers = [
# "<your-domain>.<region>.auth0.com/"
# "<your-domain-2>.<region>.auth0.com/"
# ]
# auth-subjects = [
# "{{ jwt:sub }}",
# "{{ jwt:sub }}/{{ jwt:scp }}",
# "{{ jwt:sub }}/{{ jwt:scp }}@{{ jwt:client_id }}",
# "{{ jwt:roles/support }}"
# ]
#}
google = {
issuer = "accounts.google.com"
}
}
# template for subject to inject
token-integration-subject = "integration:{{policy-entry:label}}:{{jwt:aud}}"
token-integration-subject = ${?OAUTH_TOKEN_INTEGRATION_SUBJECT}
}
pre-authentication {
enabled = false
enabled = ${?ENABLE_PRE_AUTHENTICATION}
# as fallback use the previous environment config name:
enabled = ${?ENABLE_DUMMY_AUTH}
}
devops {
secured = true
# Backwardcompatibility fallback
secured = ${?ditto.gateway.authentication.devops.securestatus}
secured = ${?DEVOPS_SECURED}
# default authentiation method for the devops route
# can be set to "basic" or "oauth2"
devops-authentication-method = "basic"
# override by environment variable
devops-authentication-method = ${?DEVOPS_AUTHENTICATION_METHOD}
# basic auth
# default password
password = "foobar"
# override default password by secret file if host environment is file-based
password = ${?secrets.devops_password.value}
# override all other sources by environment variable
password = ${?DEVOPS_PASSWORD}
# oauth2 auth
oauth {
# force protocol to HTTPS for security
protocol = "https"
protocol = ${?DEVOPS_OAUTH2_PROTOCOL}
# configure the amount of clock skew in seconds to tolerate when verifying the local time against the exp
# and nbf claims
allowed-clock-skew = 10s
allowed-clock-skew = ${?DEVOPS_OAUTH2_ALLOWED_CLOCK_SKEW}
# map <subject-issuer, configObject> of all supported OpenID Connect authorization servers
# issuer should not contain the protocol (e.g. https://)
openid-connect-issuers = {
# auth0 = {
# issuer = "<your-domain>.<region>.auth0.com/"
# issuers = [
# "<your-domain>.<region>.auth0.com/"
# "<your-domain-2>.<region>.auth0.com/"
# ]
#}
}
}
devops-oauth2-subjects = ${?DEVOPS_OAUTH2_SUBJECTS}
status-secured = true
status-secured = ${?DEVOPS_STATUS_SECURED}
# default authentiation method for the status route
# can be set to "basic" or "oauth2"
status-authentication-method = "basic"
# override by environment variable
status-authentication-method = ${?STATUS_AUTHENTICATION_METHOD}
#basic auth
# default password
statusPassword = "status"
# override default password by secret file if host environment is file-based
statusPassword = ${?secrets.status_password.value}
# override all other sources by environment variable
statusPassword = ${?STATUS_PASSWORD}
# oauth2 auth
status-oauth2-subjects = ${?STATUS_OAUTH2_SUBJECTS}
}
}
health-check {
enabled = true
enabled = ${?HEALTH_CHECK_ENABLED} # may be overridden with this environment variable
interval = 60s
interval = ${?HEALTH_CHECK_INTERVAL} # may be overridden with this environment variable
service.timeout = 10s
service.timeout = ${?HEALTH_CHECK_SERVICE_TIMEOUT} # may be overridden with this environment variable
cluster-roles = {
enabled = true
enabled = ${?HEALTH_CHECK_ROLES_ENABLED} # may be overridden with this environment variable
expected = [
"policies",
"things",
"search",
"gateway",
"connectivity"
]
}
}
public-health {
cache-timeout = 20s
cache-timeout = ${?GATEWAY_STATUS_HEALTH_EXTERNAL_TIMEOUT}
}
cloud-events {
empty-schema-allowed = true
data-types = [
"application/json"
"application/vnd.eclipse.ditto+json"
]
}
cache {
publickeys {
maxentries = 32
expiry = 60m
maximum-size = ${ditto.gateway.cache.publickeys.maxentries}
expire-after-write = ${ditto.gateway.cache.publickeys.expiry}
}
}
statistics {
# how long to wait for messages from other cluster members
ask-timeout = 5s
ask-timeout = ${?STATISTICS_UPDATE_INTERVAL}
# how often to update hot entities count for the public
update-interval = 15s
update-interval = ${?STATISTICS_UPDATE_INTERVAL}
# minimum pause between computations of statistics details
details-expire-after = 3s
details-expire-after = ${?STATISTICS_DETAILS_EXPIRE_AFTER}
# CAUTION: no shard name should be a part of another shard name, because statistics-actor identifies
# messages from shard regions by checking whether the sender's actor path contains the shard name.
# This restriction does not apply to cluster role names; it is okay for example to have both the role "things"
# and the role "things-search".
shards: [
{
region: "thing"
role: "things"
root: "/user/thingsRoot"
},
{
region: "policy"
role: "policies"
root: "/user/policiesRoot"
},
{
region: "search-wildcard-updater",
role: "search",
root: "/user/thingsWildcardSearchRoot/searchUpdaterRoot"
}
]
}
}
tracing {
filter: {
includes = ["**"],
excludes = ["GET /ws/2"]
}
}
}
# read docker secrets in /run/secrets if a "filebased" host environment is chosen
secrets {
devops_password {
name = "devops_password"
name = ${?DEVOPS_PASSWORD_NAME}
# value = ... # read from /run/secret/<name>
}
status_password {
name = "status_password"
name = ${?STATUS_PASSWORD_NAME}
# value = ... # read from /run/secret/<name>
}
}
pekko.http.client {
user-agent-header = eclipse-ditto/${ditto.version}
}
pekko {
actor {
default-dispatcher {
executor = "org.eclipse.ditto.internal.utils.metrics.executor.InstrumentedForkJoinExecutorServiceConfigurator"
}
deployment {
/gatewayRoot/proxy {
router = round-robin-pool
# nr-of-instances = 5
resizer {
lower-bound = 5
upper-bound = 100
messages-per-resize = 50
}
}
}
}
cluster {
sharding {
role = ${ditto.service-name}
passivation {
# default is "default-idle-strategy" with "idle-entity.timeout = 120s":
strategy = "off"
}
}
roles = [
"gateway"
]
}
coordinated-shutdown {
phases {
service-requests-done {
# default timeout is 5s for the phase - give a longer timeout in order
# to be able to let ongoing HTTP requests take longer:
# must be higher than ${ditto.gateway.http.coordinated-shutdown-timeout} !
timeout = 70s
timeout = ${?PEKKO_COORDINATED_SHUTDOWN_PHASES_SERVICE_REQUESTS_DONE_TIMEOUT}
}
}
}
http {
server {
server-header = "" # default: pekko-http/${pekko.http.version}
server-header = ${?SERVER_HEADER}
request-timeout = ${ditto.gateway.http.request-timeout}
request-timeout = ${?REQUEST_TIMEOUT}
idle-timeout = 610s # default: 60s
idle-timeout = ${?IDLE_TIMEOUT}
max-connections = 4096 # default: 1024
max-connections = ${?PEKKO_HTTP_SERVER_MAX_CONNECTIONS}
backlog = 100 # default: 100
backlog = ${?PEKKO_HTTP_SERVER_BACKLOG}
raw-request-uri-header = on # default: off
raw-request-uri-header = ${?PEKKO_HTTP_SERVER_RAW_REQUEST_URI_HEADER}
parsing {
max-uri-length = 8k # default: 2k
# Default maximum content length which should not be exceeded by incoming request entities.
# is handled + checked additionally by Ditto code - just in order to prevent the "worst case" where the backend
# has to read a lot of data it won't process anyway, set a reasonable limit:
max-content-length = 1m # default: 8m
# increase other default limits regarding headers:
max-header-name-length = 64 # default: 64
max-header-value-length = 16k # default: 8k
max-header-count = 64 # default: 64
illegal-header-warnings = off # default: on
error-logging-verbosity = simple # default: full
# Sets the strictness mode for parsing request target URIs.
# The following values are defined:
#
# `strict`: RFC3986-compliant URIs are required,
# a 400 response is triggered on violations
#
# `relaxed`: all visible 7-Bit ASCII chars are allowed
#
uri-parsing-mode = relaxed
}
websocket {
# could be also "pong" for unidirectional keepalives
periodic-keep-alive-mode = ping # default: ping
# Interval for sending periodic keep-alives
periodic-keep-alive-max-idle = 30s # default: infinite
}
termination-deadline-exceeded-response {
# Status code of the "terminating" response to be automatically sent to pending requests once the termination deadline is exceeded.
# default: 503
status = 502 # Bad Gateway
}
}
host-connection-pool {
# The maximum number of open requests accepted into the pool across all
# materializations of any of its client flows.
# Protects against (accidentally) overloading a single pool with too many client flow materializations.
# Note that with N concurrent materializations the max number of open request in the pool
# will never exceed N * max-connections * pipelining-limit.
# Must be a power of 2 and > 0!
max-open-requests = 1024 # default: 32
# The time after which an idle connection pool (without pending requests)
# will automatically terminate itself. Set to `infinite` to completely disable idle timeouts.
idle-timeout = 60s # default: 30s
}
}
management.health-checks.readiness-checks {
gateway-http-readiness = "org.eclipse.ditto.gateway.service.health.GatewayHttpReadinessCheck"
}
management.health-checks.liveness-checks {
subsystem-health = "org.eclipse.ditto.internal.utils.health.SubsystemHealthCheck"
}
}
include "ditto-protocol-subscriber.conf"
include "ditto-edge-service.conf"
authentication-dispatcher {
type = Dispatcher
executor = "org.eclipse.ditto.internal.utils.metrics.executor.InstrumentedThreadPoolExecutorServiceConfigurator"
thread-pool-executor {
# minimum number of threads to cap factor-based core number to
core-pool-size-min = 4
# No of core threads ... ceil(available processors * factor)
core-pool-size-factor = 2.0
core-pool-size-factor = ${?AUTHENTICATION_DISPATCHER_POOL_SIZE_FACTOR}
# maximum number of threads to cap factor-based number to
core-pool-size-max = 8
core-pool-size-max = ${?AUTHENTICATION_DISPATCHER_POOL_SIZE_MAX}
}
throughput = 100
}
signal-enrichment-cache-dispatcher {
type = Dispatcher
executor = "org.eclipse.ditto.internal.utils.metrics.executor.InstrumentedThreadPoolExecutorServiceConfigurator"
}
include "gateway-extension.conf"
include file("/opt/ditto/gateway-extension.conf")