Introduction

bfe.conf is the core configuration file of BFE.

Configuration

Basic server configuration

| Option | Type | Description |
|---|---|---|
| HttpPort | Int | HTTP listen port |
| HttpsPort | Int | HTTPS (TLS) listen port |
| MonitorPort | Int | Monitor listen port; the monitor endpoint exposes internal state, so restrict access to it |
| MaxCpus | Int | Maximum number of CPU cores to use; 0 means use all cores |
| Layer4LoadBalancer | String | Type of layer-4 load balancer in front of BFE (PROXY/BGW/NONE). The PROXY protocol header is unauthenticated, so with PROXY the listeners must be reachable only from the balancer |
| TlsHandshakeTimeout | Int | TLS handshake timeout, in seconds |
| ClientReadTimeout | Int | Timeout for reading from the client, in seconds |
| ClientWriteTimeout | Int | Timeout for writing to the client, in seconds |
| GracefulShutdownTimeout | Int | Graceful shutdown timeout, in seconds; maximum 300 |
| KeepAliveEnabled | Bool | Whether HTTP keep-alive is enabled on client connections |
| MaxHeaderBytes | Int | Maximum length of the request header, in bytes |
| MaxHeaderUriBytes | Int | Maximum length of the request URI in the header, in bytes |
| HostRuleConf | String | Tenant host-name table configuration file |
| VipRuleConf | String | Tenant VIP table configuration file |
| RouteRuleConf | String | Forwarding rule configuration file |
| ClusterConf | String | Backend cluster configuration file |
| GslbConf | String | Sub-cluster-level load balancing (GSLB) configuration file |
| ClusterTableConf | String | Instance-level load balancing configuration file |
| NameConf | String | Name-to-instance mapping table configuration file |
| Modules | String | List of enabled modules; to enable several modules, add one Modules line per module (see the example below) |
| MonitorInterval | Int | Statistics period for monitor data |
| DebugServHttp | Bool | Whether to enable debug logging for the reverse proxy module |
| DebugBfeRoute | Bool | Whether to enable debug logging for the traffic routing module |
| DebugBal | Bool | Whether to enable debug logging for the load balancing module |
| DebugHealthCheck | Bool | Whether to enable debug logging for the health check module |

Basic TLS configuration

| Option | Type | Description |
|---|---|---|
| ServerCertConf | String | Configuration file for server certificates and private keys |
| TlsRuleConf | String | TLS protocol parameter configuration file |
| CipherSuites | String | Enabled cipher suites in preference order; to enable several suites, add one cipherSuites line per priority level, with suites of equal priority joined by `\|` on one line (see the example below) |
| CurvePreferences | String | Enabled elliptic curves (see the example below) |
| EnableSslv2ClientHello | Bool | Whether to accept ClientHello messages in the SSLv2-compatible format sent by some ancient SSLv3/TLS clients; leave it false unless such clients must be supported |
| ClientCABaseDir | String | Base directory of client root CA certificates. Note: certificate file names must end in ".crt" |

TLS session cache configuration

| Option | Type | Description |
|---|---|---|
| SessionCacheDisabled | Bool | Whether the TLS session cache is disabled |
| Servers | String | Address of the cache service. The cached state is enough to resume a session, so the cache service should be reachable only from BFE instances |
| KeyPrefix | String | Prefix for cache keys |
| ConnectTimeout | Int | Timeout for connecting to the cache service, in milliseconds |
| ReadTimeout | Int | Timeout for reading from the cache service, in milliseconds |
| WriteTimeout | Int | Timeout for writing to the cache service, in milliseconds |
| MaxIdle | Int | Maximum number of idle persistent connections to the cache service |
| SessionExpire | Int | Expiry time of session state stored in the cache service, in seconds |

TLS session ticket configuration

| Option | Type | Description |
|---|---|---|
| SessionTicketsDisabled | Bool | Whether TLS session tickets are disabled |
| SessionTicketKeyFile | String | Path to the session ticket key file. Whoever holds this key can recover the session secrets inside issued tickets, so protect the file and rotate the key regularly |

Example

    [server]
    # listen port for http requests
    httpPort = 8080
    # listen port for https requests
    httpsPort = 8443
    # listen port for monitor requests
    monitorPort = 8299
    # max number of CPUs to use (0 to use all CPUs)
    maxCpus = 0
    # type of layer-4 load balancer (PROXY/BGW/NONE)
    #
    # Note:
    # - PROXY: layer-4 balancer talking the PROXY protocol,
    #   e.g. F5 BigIP/Citrix ADC
    # - BGW: Baidu GateWay
    # - NONE: layer-4 balancer disabled
    layer4LoadBalancer = ""
    # tls handshake timeout, in seconds
    tlsHandshakeTimeout = 30
    # read timeout, in seconds
    clientReadTimeout = 60
    # write timeout, in seconds
    clientWriteTimeout = 60
    # if false, the client connection is closed after each request regardless of http headers
    keepAliveEnabled = true
    # timeout for graceful shutdown (maximum 300 sec)
    gracefulShutdownTimeout = 10
    # max header length in bytes in request
    maxHeaderBytes = 1048576
    # max URI (in header) length in bytes in request
    maxHeaderUriBytes = 8192
    # routing related conf
    hostRuleConf = server_data_conf/host_rule.data
    vipRuleConf = server_data_conf/vip_rule.data
    routeRuleConf = server_data_conf/route_rule.data
    clusterConf = server_data_conf/cluster_conf.data
    # load balancing related conf
    gslbConf = cluster_conf/gslb.data
    clusterTableConf = cluster_conf/cluster_table.data
    # naming related conf
    nameConf = server_data_conf/name_conf.data
    # modules enabled (one line per module)
    modules = mod_trust_clientip
    modules = mod_block
    modules = mod_header
    modules = mod_rewrite
    modules = mod_redirect
    modules = mod_logid
    # interval for computing the diff of proxy-state
    monitorInterval = 20
    # debug flags
    debugServHttp = false
    debugBfeRoute = false
    debugBal = false
    debugHealthCheck = false
    [httpsBasic]
    # tls cert conf
    serverCertConf = tls_conf/server_cert_conf.data
    # tls rule
    tlsRuleConf = tls_conf/tls_rule_conf.data
    # supported cipherSuites preference settings
    #
    # cipher suites implemented in golang:
    # TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    # TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    # TLS_ECDHE_RSA_WITH_RC4_128_SHA
    # TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    # TLS_RSA_WITH_RC4_128_SHA
    # TLS_RSA_WITH_AES_128_CBC_SHA
    # TLS_RSA_WITH_AES_256_CBC_SHA
    # TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    #
    # Note:
    # - Each cipherSuites line is one priority level; suites joined with '|' on one
    #   line are equivalent (same priority on the server side):
    #   cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    #   cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    # - The RC4 and TLS_RSA_* (static RSA key exchange, no forward secrecy) suites
    #   enabled below exist only for legacy clients; drop them, and do not enable
    #   the 3DES suites, on public-facing deployments
    #
    cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    cipherSuites=TLS_ECDHE_RSA_WITH_RC4_128_SHA
    cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    cipherSuites=TLS_RSA_WITH_RC4_128_SHA
    cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA
    cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA
    # supported curve preference settings
    #
    # curves implemented in golang:
    # CurveP256
    # CurveP384
    # CurveP521
    #
    # Note:
    # - Do not use CurveP384/CurveP521, which have poor performance
    #
    curvePreferences=CurveP256
    # support SSLv2-format ClientHello for compatibility with ancient
    # TLS-capable clients (mozilla 5, java 5/6, openssl 0.9.8 etc);
    # set to false unless such clients actually have to be supported
    enableSslv2ClientHello = true
    # base directory of client ca certificates
    # Note: filename suffix of ca certificate files must be ".crt"
    clientCABaseDir = tls_conf/client_ca
    [sessionCache]
    # disable tls session cache or not
    sessionCacheDisabled = true
    # address of cache server (holds resumable session state; keep it reachable only from BFE)
    servers = "example.redis.cluster"
    # prefix for cache keys
    keyPrefix = "bfe"
    # connection params (ms)
    connectTimeout = 50
    readTimeout = 50
    writeTimeout = 50
    # max idle connections in connection pool
    maxIdle = 20
    # expire time for tls session state (seconds)
    sessionExpire = 3600
    [sessionTicket]
    # disable tls session ticket or not
    sessionTicketsDisabled = true
    # session ticket key; anyone holding it can recover the session secrets
    # inside issued tickets, so protect the file and rotate the key regularly
    sessionTicketKeyFile = tls_conf/session_ticket_key.data
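The example above enables RC4 and static-RSA cipher suites and sets `enableSslv2ClientHello = true`, which is fine for a compatibility demo but not for a public-facing deployment. The following Python script is an added example, not part of BFE: it parses bfe.conf-style INI text while keeping repeated keys such as `modules` and `cipherSuites` as ordered lists (which `configparser` would collapse), splits each `cipherSuites` line on `|` into its priority group, and audits `[httpsBasic]` for RC4, 3DES, static RSA key exchange and SSLv2-format ClientHello support. Both embedded configs are constructed: the first reproduces the `[httpsBasic]` settings above, the second is a hardened variant built only from the ECDHE AEAD suites in the list above. The weakness rules, the last-wins handling of repeated scalar keys and all function names are this example's own assumptions, not BFE behaviour.

```python
"""Audit the TLS settings of a bfe.conf (added example, not BFE code)."""
import re

# Weakness rules: assumptions of this example, not checks BFE performs itself.
WEAK_SUITE_RULES = (
    (re.compile(r"_RC4_"), "RC4 is prohibited for TLS by RFC 7465"),
    (re.compile(r"_3DES_"), "3DES uses a 64-bit block and is exposed to Sweet32"),
    (re.compile(r"^TLS_RSA_WITH_"), "static RSA key exchange provides no forward secrecy"),
)

# Constructed input: the [httpsBasic] section of the example bfe.conf above,
# plus a short [server] section to show how repeated keys are handled.
WEAK_CONF = """\
[server]
httpPort = 8080
modules = mod_trust_clientip
modules = mod_block
[httpsBasic]
serverCertConf = tls_conf/server_cert_conf.data
tlsRuleConf = tls_conf/tls_rule_conf.data
# GCM and CHACHA20 suites share one priority level
cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
cipherSuites=TLS_ECDHE_RSA_WITH_RC4_128_SHA
cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
cipherSuites=TLS_RSA_WITH_RC4_128_SHA
cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA
curvePreferences=CurveP256
enableSslv2ClientHello = true
clientCABaseDir = tls_conf/client_ca
"""

# Constructed hardened variant: ECDHE + AEAD suites only, SSLv2-format ClientHello off.
HARDENED_CONF = """\
[httpsBasic]
serverCertConf = tls_conf/server_cert_conf.data
tlsRuleConf = tls_conf/tls_rule_conf.data
cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
curvePreferences=CurveP256
enableSslv2ClientHello = false
clientCABaseDir = tls_conf/client_ca
"""


def parse_bfe_conf(text):
    """Parse bfe.conf-style INI text into {section: {key: [value, ...]}}.

    A repeated key (modules, cipherSuites) is kept as a list in file order,
    because BFE builds lists by repeating the key. Keys are lower-cased and
    values lose surrounding whitespace and double quotes.
    """
    conf = {}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        key, _, value = line.partition("=")
        conf[section].setdefault(key.strip().lower(), []).append(value.strip().strip('"'))
    return conf


def cipher_suite_groups(conf):
    """Return cipherSuites as a list of priority groups (lists of suite names);
    suites joined by '|' on one line form one group."""
    lines = conf.get("httpsBasic", {}).get("ciphersuites", [])
    return [[s.strip() for s in line.split("|") if s.strip()] for line in lines]


def audit_tls(conf):
    """Return (setting, finding) pairs for weak settings in [httpsBasic]."""
    findings = []
    for group in cipher_suite_groups(conf):
        for suite in group:
            for pattern, why in WEAK_SUITE_RULES:
                if pattern.search(suite):
                    findings.append((suite, why))
    https = conf.get("httpsBasic", {})
    # Assumed last-wins semantics for a repeated scalar key.
    if https.get("enablesslv2clienthello", ["false"])[-1].lower() == "true":
        findings.append(("enableSslv2ClientHello",
                         "accepts SSLv2-format ClientHello; needed only by long-obsolete clients"))
    return findings


if __name__ == "__main__":
    for name, text in (("example", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_bfe_conf(text)
        print(f"{name}: modules={conf.get('server', {}).get('modules', [])}")
        for setting, why in audit_tls(conf):
            print(f"  {setting}: {why}")
```

Run it against a real bfe.conf by replacing the constructed strings with the file contents; the example config yields six findings (one per RC4 suite, one extra for the static-RSA RC4 suite, one per remaining TLS_RSA_* suite, and the SSLv2 ClientHello flag), while the hardened variant yields none.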