/
gateway.conf
executable file
·375 lines (318 loc) · 11.9 KB
/
gateway.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
ditto {
mapping-strategy.implementation = "org.eclipse.ditto.services.gateway.util.GatewayMappingStrategies"
cluster-downing.role = "gateway"
gateway {
http {
# InetAddress.getLocalHost.getHostAddress is used if empty
hostname = ""
hostname = ${?HOSTNAME}
hostname = ${?BIND_HOSTNAME}
port = 8080
port = ${?HTTP_PORT}
port = ${?PORT}
schema-versions = [1, 2]
# override schema-versions via system properties, e.g.: -Dditto.gateway.http.schema-versions.0=1 -Dditto.gateway.http.schema-versions.1=2
# Creator of props of HTTP request actors. Must implement HttpRequestActorPropsFactory.
actor-props-factory = "org.eclipse.ditto.services.gateway.endpoints.actors.DefaultHttpRequestActorPropsFactory"
forcehttps = false
forcehttps = ${?FORCE_HTTPS}
redirect-to-https = false
redirect-to-https = ${?REDIRECT_TO_HTTPS}
redirect-to-https-blacklist-pattern = "/cr.*|/api.*|/ws.*|/status.*|/overall.*"
enablecors = false
enablecors = ${?ENABLE_CORS}
request-timeout = 60s # default: 20 s
request-timeout = ${?REQUEST_TIMEOUT}
}
streaming {
# How often to update streaming session counter
session-counter-scrape-interval = 30s
# Maximum number of stream elements to process in parallel
parallelism = 64
parallelism = ${?GATEWAY_STREAMING_PARALLELISM}
signal-enrichment {
provider = "org.eclipse.ditto.services.gateway.endpoints.utils.GatewayCachingSignalEnrichmentProvider"
provider = ${?GATEWAY_STREAMING_SIGNAL_ENRICHMENT_PROVIDER}
provider-config {
# timeout for all facades
ask-timeout = 10s
ask-timeout = ${?GATEWAY_STREAMING_SIGNAL_ENRICHMENT_ASK_TIMEOUT}
cache {
# how many things to cache per stream if a caching implementation is chosen
maximum-size = 100
maximum-size = ${?GATEWAY_STREAMING_SIGNAL_ENRICHMENT_CACHE_MAXIMUM_SIZE}
# maximum duration of inconsistency after missing a cache invalidation
expire-after-write = 2m
expire-after-write = ${?GATEWAY_STREAMING_SIGNAL_ENRICHMENT_CACHE_EXPIRE_AFTER_WRITE}
expire-after-access = 5m
expire-after-access = ${?GATEWAY_STREAMING_SIGNAL_ENRICHMENT_CACHE_EXPIRE_AFTER_ACCESS}
}
}
}
websocket {
# the max queue size of how many inflight Commands a single Websocket client can have
subscriber {
backpressure-queue-size = 100
backpressure-queue-size = ${?WS_SUBSCRIBER_BACKPRESSURE}
}
# the max buffer size of how many outstanding CommandResponses and Events a single Websocket client can have
# additionally CommandResponses and Events are dropped if this size is reached
publisher {
backpressure-buffer-size = 200
backpressure-buffer-size = ${?WS_PUBLISHER_BACKPRESSURE}
}
# At which multiple of maximum throughput to send rejections.
# Should never be tripped if Akka HTTP and TCP flow control are correct.
throttling-rejection-factor = 1.25
throttling-rejection-factor = ${?GATEWAY_WEBSOCKET_THROTTLING_REJECTION_FACTOR}
throttling {
# Interval at which the websocket is rate-limited. Disable rate limit with a value of zero.
interval = 1s
interval = ${?GATEWAY_WEBSOCKET_THROTTLING_INTERVAL}
# The maximum number of messages the websocket is allowed to receive within the configured
# throttling interval e.g. 100 msgs/s. Disable throttling with a value of zero.
limit = 100
limit = ${?GATEWAY_WEBSOCKET_THROTTLING_LIMIT}
}
}
}
message {
default-timeout = 10s
max-timeout = 1m
}
claim-message {
default-timeout = 1m
max-timeout = 10m
}
dns {
# DNS server to use for looking up services
address = none
address = ${?DNS_SERVER} # may be overridden with this environment variable
}
authentication {
# configures HTTP for different authentication mechanisms: IM3, JWT (e.g. Google), ...
http {
# proxy config
proxy {
enabled = false
enabled = ${?AUTH_HTTP_PROXY_ENABLED}
hostname = ${?AUTH_HTTP_PROXY_HOST}
port = ${?AUTH_HTTP_PROXY_PORT}
username = ${?AUTH_HTTP_PROXY_USERNAME}
password = ${?AUTH_HTTP_PROXY_PASSWORD}
}
}
oauth {
# map <subject-issuer, issuer> of all supported OpenID Connect authorization servers
# issuer should not contain the protocol (e.g. https://)
openid-connect-issuers = {
# auth0 = "<your-domain>.<region>.auth0.com/"
google = "accounts.google.com"
}
}
dummy {
# enable/disable dummy authentication (for dev purposes)
enabled = false
enabled = ${?ENABLE_DUMMY_AUTH}
}
devops {
securestatus = true
securestatus = ${?DEVOPS_SECURE_STATUS}
// default password
password = "foobar"
// override default password by secret file if host environment is file-based
password = ${?secrets.devops_password.value}
// override all other sources by environment variable
password = ${?DEVOPS_PASSWORD}
// default password
statusPassword = "status"
// override default password by secret file if host environment is file-based
statusPassword = ${?secrets.status_password.value}
// override all other sources by environment variable
statusPassword = ${?STATUS_PASSWORD}
}
}
health-check {
enabled = true
enabled = ${?HEALTH_CHECK_ENABLED} # may be overridden with this environment variable
interval = 60s
service.timeout = 10s
service.timeout = ${?HEALTH_CHECK_SERVICE_TIMEOUT} # may be overridden with this environment variable
cluster-roles = {
enabled = true
enabled = ${?HEALTH_CHECK_ROLES_ENABLED} # may be overridden with this environment variable
expected = [
"policies",
"things",
"things-search",
"gateway",
"connectivity",
"concierge"
]
}
}
public-health {
cache-timeout = 20s
cache-timeout = ${?GATEWAY_STATUS_HEALTH_EXTERNAL_TIMEOUT}
}
cache {
publickeys {
maxentries = 32
expiry = 60m
maximum-size = ${ditto.gateway.cache.publickeys.maxentries}
expire-after-write = ${ditto.gateway.cache.publickeys.expiry}
}
}
statistics {
// how long to wait for messages from other cluster members
ask-timeout = 5s
// how often to update hot entities count for the public
update-interval = 30s
update-interval = ${?STATISTICS_UPDATE_INTERVAL}
// minimum pause between computations of statistics details
details-expire-after = 5s
details-expire-after = ${?STATISTICS_DETAILS_EXPIRE_AFTER}
// CAUTION: no shard name should be a part of another shard name, because statistics-actor identifies
// messages from shard regions by checking whether the sender's actor path contains the shard name.
// This restriction does not apply to cluster role names; it is okay for example to have both the role "things"
// and the role "things-search".
shards: [
{
region: "thing"
role: "things"
root: "/user/thingsRoot"
},
{
region: "policy"
role: "policies"
root: "/user/policiesRoot"
},
{
region: "search-updater",
role: "things-search",
root: "/user/thingsSearchRoot/searchUpdaterRoot"
}
]
}
}
}
// read docker secrets in /run/secrets if a "filebased" host environment is chosen
secrets {
devops_password {
name = "devops_password"
name = ${?DEVOPS_PASSWORD_NAME}
// value = ... // read from /run/secret/<name>
}
status_password {
name = "status_password"
name = ${?STATUS_PASSWORD_NAME}
// value = ... // read from /run/secret/<name>
}
}
akka.http.client {
user-agent-header = eclipse-ditto/${ditto.version}
}
akka {
actor {
deployment {
/gatewayRoot/proxy {
router = round-robin-pool
# nr-of-instances = 5
resizer {
lower-bound = 5
upper-bound = 100
messages-per-resize = 50
}
}
}
}
cluster {
sharding {
role = "gateway"
}
roles = [
"gateway",
"thing-event-aware",
"live-signal-aware"
]
}
http {
server {
server-header = "" # default: akka-http/${akka.http.version}
request-timeout = ${ditto.gateway.http.request-timeout}
idle-timeout = 610s # default: 60s
idle-timeout = ${?IDLE_TIMEOUT}
max-connections = 4096 # default: 1024
backlog = 100 # default: 100
raw-request-uri-header = on # default: off
parsing {
max-uri-length = 8k # default: 2k
# Default maximum content length which should not be exceeded by incoming request entities.
# is handled + checked additionally by Ditto code - just in order to prevent the "worst case" where the backend
# has to read a lot of data it won't process anyway, set a reasonable limit:
max-content-length = 1m # default: 8m
illegal-header-warnings = off # default: on
error-logging-verbosity = simple # default: full
# Sets the strictness mode for parsing request target URIs.
# The following values are defined:
#
# `strict`: RFC3986-compliant URIs are required,
# a 400 response is triggered on violations
#
# `relaxed`: all visible 7-Bit ASCII chars are allowed
#
uri-parsing-mode = relaxed
}
websocket {
# could be also "pong" for unidirectional keepalives
periodic-keep-alive-mode = ping # default: ping
# Interval for sending periodic keep-alives
periodic-keep-alive-max-idle = 30s # default: infinite
}
termination-deadline-exceeded-response {
# Status code of the "terminating" response to be automatically sent to pending requests once the termination deadline is exceeded.
# default: 503
status = 502 # Bad Gateway
}
}
host-connection-pool {
# The maximum number of open requests accepted into the pool across all
# materializations of any of its client flows.
# Protects against (accidentally) overloading a single pool with too many client flow materializations.
# Note that with N concurrent materializations the max number of open request in the pool
# will never exceed N * max-connections * pipelining-limit.
# Must be a power of 2 and > 0!
max-open-requests = 1024 # default: 32
# The time after which an idle connection pool (without pending requests)
# will automatically terminate itself. Set to `infinite` to completely disable idle timeouts.
idle-timeout = 60s # default: 30s
}
}
management.health-checks.readiness-checks {
gateway-http-readiness = "org.eclipse.ditto.services.gateway.health.GatewayHttpReadinessCheck"
}
}
authentication-dispatcher {
type = Dispatcher
executor = "thread-pool-executor"
thread-pool-executor {
# minimum number of threads to cap factor-based core number to
core-pool-size-min = 4
# No of core threads ... ceil(available processors * factor)
core-pool-size-factor = 2.0
# maximum number of threads to cap factor-based number to
core-pool-size-max = 8
}
throughput = 100
}
signal-enrichment-cache-dispatcher {
type = "Dispatcher"
executor = "thread-pool-executor"
thread-pool-executor {
keep-alive-time = 60s
fixed-pool-size = off
max-pool-size-max = 256
max-pool-size-max = ${?CACHE_DISPATCHER_POOL_SIZE_MAX}
max-pool-size-max = ${?SIGNAL_ENRICHMENT_CACHE_DISPATCHER_POOL_SIZE_MAX}
}
}