简介

bfe.conf是BFE的核心配置。

配置

服务基础配置

配置项 类型 描述
HttpPort Int HTTP监听端口
HttpsPort Int HTTPS(TLS)监听端口
MonitorPort Int Monitor监听端口
MaxCpus Int 最大使用CPU核数; 0代表使用所有CPU核
Layer4LoadBalancer String 四层负载均衡器类型 (PROXY/BGW/NONE)
TlsHandshakeTimeout Int TLS握手超时时间,单位为秒
ClientReadTimeout Int 读客户端超时时间,单位为秒
ClientWriteTimeout Int 写客户端超时时间,单位为秒
GracefulShutdownTimeout Int 优雅退出超时时间,单位为秒,最大300秒
KeepAliveEnabled Bool 与用户端连接是否启用HTTP KeepAlive
MaxHeaderBytes Int 请求头部的最大长度,单位为Byte
MaxHeaderUriBytes Int 请求头部URI的最大长度,单位为Byte
HostRuleConf String 租户域名表配置文件
VipRuleConf String 租户VIP表配置文件
RouteRuleConf String 转发规则配置文件
ClusterConf String 后端集群相关配置文件
GslbConf String 子集群级别负载均衡配置文件(GSLB)
ClusterTableConf String 实例级别负载均衡配置文件
NameConf String 名字与实例映射表配置文件
Modules String 启用的模块列表; 启用多个模块请增加多行Modules配置,详见下文示例
MonitorInterval Int Monitor数据统计周期
DebugServHttp Bool 是否开启反向代理模块调试日志
DebugBfeRoute Bool 是否开启流量路由模块调试日志
DebugBal Bool 是否开启负载均衡模块调试日志
DebugHealthCheck Bool 是否开启健康检查模块调试日志

TLS基础配置

配置项 类型 描述
ServerCertConf String 服务端证书与密钥的配置文件
TlsRuleConf String TLS协议参数配置文件
CipherSuites String 启用的加密套件列表; 启用多个套件请增加多行cipherSuites配置,详见下文示例
CurvePreferences String 启用的ECC椭圆曲线 ,详见下文示例
EnableSslv2ClientHello Bool 针对SSLv3协议,启用对SSLv2格式ClientHello的兼容
ClientCABaseDir String 客户端根CA证书基目录 注意:证书文件后缀约定必须是 “.crt”

TLS Session Cache相关配置

配置项 类型 描述
SessionCacheDisabled Bool 是否禁用TLS Session Cache机制
Servers String Cache服务的访问地址
KeyPrefix String 缓存key前缀
ConnectTimeout Int 连接Cache服务的超时时间, 单位毫秒
ReadTimeout Int 读取Cache服务的超时时间, 单位毫秒
WriteTimeout Int 写入Cache服务的超时时间, 单位毫秒
MaxIdle Int 与Cache服务的最大空闲长连接数
SessionExpire Int 存储在Cache服务中会话信息的过期时间, 单位秒

TLS Session Ticket相关配置

配置项 类型 描述
SessionTicketsDisabled Bool 是否禁用TLS Session Ticket
SessionTicketKeyFile String Session Ticket Key文件路径

示例

  1. [server]
  2. # listen port for http request
  3. httpPort = 8080
  4. # listen port for https request
  5. httpsPort = 8443
  6. # listen port for monitor request
  7. monitorPort = 8299
  9. # max number of CPUs to use (0 to use all CPUs)
  10. maxCpus = 0
  12. # type of layer-4 load balancer (PROXY/BGW/NONE)
  13. #
  14. # Note:
  15. # - PROXY: layer-4 balancer talking the proxy protocol
  16. #          eg. F5 BigIP/Citrix ADC
  17. # - BGW: Baidu GateWay
  18. # - NONE: layer-4 balancer disabled
  19. layer4LoadBalancer = ""
  21. # tls handshake timeout, in seconds
  22. tlsHandshakeTimeout = 30
  24. # read timeout, in seconds
  25. clientReadTimeout = 60
  27. # write timeout, in seconds
  28. clientWriteTimeout = 60
  30. # if false, client connection is shutdown disregard of http headers
  31. keepAliveEnabled = true
  33. # timeout for graceful shutdown (maximum 300 sec)
  34. gracefulShutdownTimeout = 10
  36. # max header length in bytes in request
  37. maxHeaderBytes = 1048576
  39. # max URI(in header) length in bytes in request
  40. maxHeaderUriBytes = 8192
  42. # routing related conf
  43. hostRuleConf = server_data_conf/host_rule.data
  44. vipRuleConf = server_data_conf/vip_rule.data
  45. routeRuleConf = server_data_conf/route_rule.data
  46. clusterConf = server_data_conf/cluster_conf.data
  48. # load balancing related conf
  49. gslbConf = cluster_conf/gslb.data
  50. clusterTableConf = cluster_conf/cluster_table.data
  52. # naming related conf
  53. nameConf = server_data_conf/name_conf.data
  55. # moduels enabled
  56. modules = mod_trust_clientip
  57. modules = mod_block
  58. modules = mod_header
  59. modules = mod_rewrite
  60. modules = mod_redirect
  61. modules = mod_logid
  63. # interval for get diff of proxy-state
  64. monitorInterval = 20
  66. # debug flags
  67. debugServHttp = false
  68. debugBfeRoute = false
  69. debugBal = false
  70. debugHealthCheck = false
  72. [httpsBasic]
  73. # tls cert conf
  74. serverCertConf = tls_conf/server_cert_conf.data
  76. # tls rule
  77. tlsRuleConf = tls_conf/tls_rule_conf.data
  79. # supported cipherSuites preference settings
  80. #
  81. # ciphersuites implemented in golang:
  82. #     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  83. #     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  84. #     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  85. #     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  86. #     TLS_ECDHE_RSA_WITH_RC4_128_SHA
  87. #     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  88. #     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  89. #     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  90. #     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  91. #     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  92. #     TLS_RSA_WITH_RC4_128_SHA
  93. #     TLS_RSA_WITH_AES_128_CBC_SHA
  94. #     TLS_RSA_WITH_AES_256_CBC_SHA
  95. #     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  96. #     TLS_RSA_WITH_3DES_EDE_CBC_SHA
  97. #
  98. # Note:
  99. # -. Equivalent cipher suites (cipher suites with same priority in server side):
  100. #    cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  101. #    cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  102. #
  103. cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  104. cipherSuites=TLS_ECDHE_RSA_WITH_RC4_128_SHA
  105. cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  106. cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  107. cipherSuites=TLS_RSA_WITH_RC4_128_SHA
  108. cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA
  109. cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA
  111. # supported curve perference settings
  112. #
  113. # curves implemented in golang: 
  114. #     CurveP256 
  115. #     CurveP384 
  116. #     CurveP521
  117. #
  118. # Note:
  119. # - Do not use CurveP384/CurveP521 which is with poor performance
  120. #
  121. curvePreferences=CurveP256
  123. # support Sslv2 ClientHello for compatible with ancient 
  124. # TLS capable clients (mozilla 5, java 5/6, openssl 0.9.8 etc)
  125. enableSslv2ClientHello = true
  127. # base directory of client ca certificates
  128. # Note: filename suffix of ca certificate file should be ".crt"
  129. clientCABaseDir = tls_conf/client_ca
  131. [sessionCache]
  132. # disable tls session cache or not
  133. sessionCacheDisabled = true
  135. # address of cache server
  136. servers = "example.redis.cluster"
  138. # prefix for cache key
  139. keyPrefix = "bfe"
  141. # connection params (ms)
  142. connectTimeout = 50
  143. readTimeout = 50
  144. writeTimeout = 50
  146. # max idle connections in connection pool
  147. maxIdle = 20
  149. # expire time for tls session state (second)
  150. sessionExpire = 3600
  152. [sessionTicket]
  153. # disable tls session ticket or not
  154. sessionTicketsDisabled = true
  155. # session ticket key
  156. sessionTicketKeyFile = tls_conf/session_ticket_key.data