Configuration Files
API7 Enterprise provides the following configuration files in the /conf directory:
config-default.yaml: Contains the default configuration values and inline comments for reference.config.yaml: Used for user-defined custom configurations.
By default, API7 Enterprise loads settings from config-default.yaml, which should not be modified. This file serves as a reference and defines the default behavior of the system.
To customize the configuration, add or override settings in config.yaml. Any configuration defined in config.yaml takes precedence over the corresponding values in config-default.yaml.
Customize Configuration
API7 Gateway loads the configuration file only at startup. To apply configuration changes, modify config.yaml (which overrides the default settings in config-default.yaml) and reload the gateway.
- Docker
- Kubernetes
If you are running the gateway in Docker, the configuration file can be located at /usr/local/apisix/conf/config.yaml.
Reload the gateway container after any modifications for changes to take effect:
docker exec {gateway_container_name} apisix reload
If you are running the gateway on Kubernetes, export all configuration values (including default values) to a file:
helm get values ${GATEWAY_RELEASE_NAME} --all > values.yaml
Update the configuration in the values file. The available options may differ slightly from those in config.yaml. For reference, see the API7 Helm Chart.
Upgrade the release after any modifications for changes to take effect:
helm upgrade --install ${GATEWAY_RELEASE_NAME} api7/gateway -f values.yaml
Default Configuration
The following are the contents of the config-default.yaml file.
config-default.yaml
apisix:
# node_listen: 9080 # APISIX listening port
node_listen: # This style support multiple ports
- 9080
# - port: 9081
# enable_http2: true # If not set, the default value is `false`.
# - ip: 127.0.0.2 # Specific IP, If not set, the default value is `0.0.0.0`.
# port: 9082
# enable_http2: true
# - port: 9082
# backlog: 1024 # sets the backlog parameter in the listen() call that limits
# the maximum length for the queue of pending connections.
# By default, backlog is set to -1 on FreeBSD, DragonFly BSD, and macOS,
# and to 511 on other platforms.
enable_admin: true
enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true
enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true.
show_upstream_status_in_response_header: false # when true all upstream status write to `X-APISIX-Upstream-Status` otherwise only 5xx code
enable_ipv6: true
#proxy_protocol: # Proxy Protocol configuration
# listen_http_port: 9181 # The port with proxy protocol for http, it differs from node_listen and admin_listen.
# This port can only receive http request with proxy protocol, but node_listen & admin_listen
# can only receive http request. If you enable proxy protocol, you must use this port to
# receive http request with proxy protocol
# listen_https_port: 9182 # The port with proxy protocol for https
# enable_tcp_pp: true # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option
# enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server
enable_server_tokens: true # Whether the APISIX version number should be shown in Server header.
# It's enabled by default.
# configurations to load third party code and/or override the builtin one.
extra_lua_path: "" # extend lua_package_path to load third party code
extra_lua_cpath: "" # extend lua_package_cpath to load third party code
lua_module_hook: "agent.hook" # the hook module which will be used to inject third party code into APISIX
proxy_cache: # Proxy Caching configuration
cache_ttl: 10s # The default caching time in disk if the upstream does not specify the cache time
zones: # The parameters of a cache
- name: disk_cache_one # The name of the cache, administrator can specify
# which cache to use by name in the admin api (disk|memory)
memory_size: 50m # The size of shared memory, it's used to store the cache index for
# disk strategy, store cache content for memory strategy (disk|memory)
disk_size: 1G # The size of disk, it's used to store the cache data (disk)
disk_path: /tmp/disk_cache_one # The path to store the cache data (disk)
cache_levels: "1:2" # The hierarchy levels of a cache (disk)
#- name: disk_cache_two
# memory_size: 50m
# disk_size: 1G
# disk_path: "/tmp/disk_cache_two"
# cache_levels: "1:2"
- name: memory_cache
memory_size: 50m
delete_uri_tail_slash: false # delete the '/' at the end of the URI
# The URI normalization in servlet is a little different from the RFC's.
# See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization,
# which is used under Tomcat.
# Turn this option on if you want to be compatible with servlet when matching URI path.
normalize_uri_like_servlet: false
router:
http: radixtree_uri # radixtree_uri: match route by uri(base on radixtree)
# radixtree_host_uri: match route by host + uri(base on radixtree)
# radixtree_uri_with_parameter: like radixtree_uri but match uri with parameters,
# see https://github.com/api7/lua-resty-radixtree/#parameters-in-path for
# more details.
ssl: radixtree_sni # radixtree_sni: match route by SNI(base on radixtree)
#stream_proxy: # TCP/UDP proxy
# only: true # use stream proxy only, don't enable HTTP stuff
# tcp: # TCP proxy port list
# - addr: 9100
# tls: true
# - addr: "127.0.0.1:9101"
# udp: # UDP proxy port list
# - 9200
# - "127.0.0.1:9201"
#dns_resolver: # If not set, read from `/etc/resolv.conf`
# - 1.1.1.1
# - 8.8.8.8
#dns_resolver_valid: 30 # if given, override the TTL of the valid records. The unit is second.
resolver_timeout: 5 # resolver timeout
enable_resolv_search_opt: true # enable search option in resolv.conf
ssl:
enable: true
listen: # APISIX listening port in https.
- port: 9443
enable_http2: true
# - ip: 127.0.0.3 # Specific IP, If not set, the default value is `0.0.0.0`.
# port: 9445
# enable_http2: true
# - port: 9446
# backlog: 1024 # sets the backlog parameter in the listen() call that limits
# the maximum length for the queue of pending connections.
# By default, backlog is set to -1 on FreeBSD, DragonFly BSD, and macOS,
# and to 511 on other platforms.
# ssl_trusted_combined_path: /usr/local/apisix/conf/cert/.ssl_trusted_combined.pem # All the trusted certificates will be combined into a single file
ssl_trusted_certificate: system # Specifies comma separated list of trusted CA. Value can be either "system"(for using system available ca certs) or
# a file path with trusted CA certificates in the PEM format
# used to verify the certificate when APISIX needs to do SSL/TLS handshaking
# with external services (e.g. etcd)
ssl_protocols: TLSv1.2 TLSv1.3
ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
# ref: https://github.com/mozilla/server-side-tls/issues/135
key_encrypt_salt: # If not set, will save origin ssl key into etcd.
- edd1c9f0985e76a2 # If set this, the key_encrypt_salt should be an array whose elements are string, and the size is also 16, and it will encrypt ssl key with AES-128-CBC
# !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!
# Only use the first key to encrypt, and decrypt in the order of the array.
#fallback_sni: "my.default.domain" # If set this, when the client doesn't send SNI during handshake, the fallback SNI will be used instead
enable_control: true
#control:
# ip: 127.0.0.1
# port: 9090
disable_sync_configuration_during_start: false # safe exit. Remove this once the feature is stable
# This time will be used to distinguish whether the worker is started first time or restarted due to a crash, unit: second.
worker_startup_time_threshold: 60
data_encryption: # add `encrypt_fields = { $field },` in plugin schema to enable encryption
enable: false # if not set, the default value is `false`.
keyring:
- qeddd145sfvddff3 # If not set, will save origin value into etcd.
# If set this, the keyring should be an array whose elements are string, and the size is also 16, and it will encrypt fields with AES-128-CBC
# !!! So do not change it after encryption, it can't decrypt the fields have be saved if you change !!
# Only use the first key to encrypt, and decrypt in the order of the array.
# status: # When enabled, APISIX will provide `/status` and `/status/ready` endpoints
# ip: 127.0.0.1 # /status endpoint will return 200 status code if APISIX has successfully started and running correctly
# port: 7085 # /status/ready endpoint will return 503 status code if none of the configured etcd (dp_manager) are available
# disable_upstream_healthcheck: false # A global switch for healthcheck. Defaults to false.
# When set to true, it overrides all upstream healthcheck configurations and globally disabling healthchecks.
# fine tune the parameters of LRU cache for some features like secret
lru:
secret:
ttl: 300 # seconds
count: 512
neg_ttl: 60
neg_count: 512
nginx_config: # config for render the template to generate nginx.conf
#user: root # specifies the execution user of the worker process.
# the "user" directive makes sense only if the master process runs with super-user privileges.
# if you're not root user,the default is current user.
error_log: logs/error.log
error_log_level: warn # warn,error
worker_processes: auto # if you want use multiple cores in container, you can inject the number of cpu as environment variable "APISIX_WORKER_PROCESSES"
enable_cpu_affinity: false # disable CPU affinity by default, if APISIX is deployed on a physical machine, it can be enabled and work well.
worker_rlimit_nofile: 20480 # the number of files a worker process can open, should be larger than worker_connections
worker_shutdown_timeout: 240s # timeout for a graceful shutdown of worker processes
max_pending_timers: 16384 # increase it if you see "too many pending timers" error
max_running_timers: 4096 # increase it if you see "lua_max_running_timers are not enough" error
event:
worker_connections: 10620
#envs: # allow to get a list of environment variables
# - TEST_ENV
meta:
lua_shared_dict:
prometheus-metrics: 15m
stream:
enable_access_log: false # enable access log or not, default false
access_log: logs/access_stream.log
access_log_format: "$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time"
# create your custom log format by visiting http://nginx.org/en/docs/varindex.html
access_log_format_escape: default # allows setting json or default characters escaping in variables
lua_shared_dict:
etcd-cluster-health-check-stream: 10m
lrucache-lock-stream: 10m
plugin-limit-conn-stream: 10m
worker-events-stream: 10m
tars-stream: 1m
config-stream: 5m
# As user can add arbitrary configurations in the snippet,
# it is user's responsibility to check the configurations
# don't conflict with APISIX.
main_configuration_snippet: |
# Add custom Nginx main configuration to nginx.conf.
# The configuration should be well indented!
http_configuration_snippet: |
# Add custom Nginx http configuration to nginx.conf.
# The configuration should be well indented!
http_server_configuration_snippet: |
# Add custom Nginx http server configuration to nginx.conf.
# The configuration should be well indented!
http_server_location_configuration_snippet: |
# Add custom Nginx http server location configuration to nginx.conf.
# The configuration should be well indented!
http_admin_configuration_snippet: |
# Add custom Nginx admin server configuration to nginx.conf.
# The configuration should be well indented!
http_end_configuration_snippet: |
# Add custom Nginx http end configuration to nginx.conf.
# The configuration should be well indented!
stream_configuration_snippet: |
# Add custom Nginx stream configuration to nginx.conf.
# The configuration should be well indented!
http:
enable_access_log: true # enable access log or not, default true
access_log: logs/access.log
# available variables:
# request_type: traditional_http / ai_chat / ai_stream
# llm_time_to_first_token: duration from the start send request to ai server to the first token received
# llm_prompt_tokens: number of tokens in the prompt
# llm_completion_tokens: number of tokens in the chat completion
access_log_format: "$remote_addr - $remote_user [$time_local] $http_host \"$request_line\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\" \"$apisix_request_id\""
access_log_format_escape: default # allows setting json or default characters escaping in variables
keepalive_timeout: 60s # timeout during which a keep-alive client connection will stay open on the server side.
client_header_timeout: 60s # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client
client_body_timeout: 60s # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client
client_max_body_size: 0 # The maximum allowed size of the client request body.
# If exceeded, the 413 (Request Entity Too Large) error is returned to the client.
# Note that unlike Nginx, we don't limit the body size by default.
send_timeout: 10s # timeout for transmitting a response to the client.then the connection is closed
underscores_in_headers: "on" # default enables the use of underscores in client request header fields
real_ip_header: X-Real-IP # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
real_ip_recursive: "off" # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
- 127.0.0.1
- "unix:"
custom_lua_shared_dict: # add custom shared cache to nginx.conf
# ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size`
config: 5m
kubernetes: 20m
nacos: 20m
# Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066)
# when establishing a connection with the proxied HTTPS server.
proxy_ssl_server_name: true
upstream:
keepalive: 320 # Sets the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process.
# When this number is exceeded, the least recently used connections are closed.
keepalive_requests: 1000 # Sets the maximum number of requests that can be served through one keepalive connection.
# After the maximum number of requests is made, the connection is closed.
keepalive_timeout: 60s # Sets a timeout during which an idle keepalive connection to an upstream server will stay open.
charset: utf-8 # Adds the specified charset to the "Content-Type" response header field, see
# http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
variables_hash_max_size: 2048 # Sets the maximum size of the variables hash table.
lua_shared_dict:
internal-status: 10m
plugin-limit-req: 10m
plugin-limit-count: 10m
plugin-limit-conn: 10m
plugin-limit-conn-redis-cluster-slot-lock: 1m
plugin-graphql-limit-count: 10m
plugin-graphql-limit-count-reset-header: 10m
plugin-ai-rate-limiting: 10m
plugin-ai-rate-limiting-reset-header: 10m
upstream-healthcheck: 10m
worker-events: 10m
lrucache-lock: 10m
balancer-ewma: 10m
balancer-ewma-locks: 10m
balancer-ewma-last-touched-at: 10m
plugin-limit-req-redis-cluster-slot-lock: 1m
plugin-limit-count-redis-cluster-slot-lock: 1m
plugin-limit-count-advanced: 10m
plugin-limit-count-advanced-redis-cluster-slot-lock: 1m
tracing_buffer: 10m
plugin-api-breaker: 10m
etcd-cluster-health-check: 10m
discovery: 1m
jwks: 1m
introspection: 10m
access-tokens: 1m
ext-plugin: 1m
tars: 1m
cas-auth: 10m
saml_sessions: 10m
status_report: 1m
#discovery: # service discovery center
# dns:
# servers:
# - "127.0.0.1:8600" # use the real address of your dns server
# order: # order in which to try different dns record types when resolving
# - last # "last" will try the last previously successful type for a hostname.
# - SRV
# - A
# - AAAA
# - CNAME
# eureka:
# host: # it's possible to define multiple eureka hosts addresses of the same eureka cluster.
# - "http://127.0.0.1:8761"
# prefix: /eureka/
# fetch_interval: 30 # default 30s
# weight: 100 # default weight for node
# timeout:
# connect: 2000 # default 2000ms
# send: 2000 # default 2000ms
# read: 5000 # default 5000ms
# nacos:
# host:
# - "http://${username}:${password}@${host1}:${port1}"
# prefix: "/nacos/v1/"
# fetch_interval: 30 # default 30 sec
# weight: 100 # default 100
# timeout:
# connect: 2000 # default 2000 ms
# send: 2000 # default 2000 ms
# read: 5000 # default 5000 ms
# consul_kv:
# servers:
# - "http://127.0.0.1:8500"
# - "http://127.0.0.1:8600"
# prefix: "upstreams"
# skip_keys: # if you need to skip special keys
# - "upstreams/unused_api/"
# timeout:
# connect: 2000 # default 2000 ms
# read: 2000 # default 2000 ms
# wait: 60 # default 60 sec
# weight: 1 # default 1
# fetch_interval: 3 # default 3 sec, only take effect for keepalive: false way
# keepalive: true # default true, use the long pull way to query consul servers
# sort_type: "origin" # default origin
# default_server: # you can define default server when missing hit
# host: "127.0.0.1"
# port: 20999
# metadata:
# fail_timeout: 1 # default 1 ms
# weight: 1 # default 1
# max_fails: 1 # default 1
# dump: # if you need, when registered nodes updated can dump into file
# path: "logs/consul_kv.dump"
# expire: 2592000 # unit sec, here is 30 day
# consul:
# servers: # make sure service name is unique in these consul servers
# - "http://127.0.0.1:8500" # `http://127.0.0.1:8500` and `http://127.0.0.1:8600` are different clusters
# - "http://127.0.0.1:8600"
# skip_services: # if you need to skip special services
# - "service_a" # `consul` service is default skip service
# timeout:
# connect: 2000 # default 2000 ms
# read: 2000 # default 2000 ms
# wait: 60 # default 60 sec
# weight: 1 # default 1
# fetch_interval: 3 # default 3 sec, only take effect for keepalive: false way
# keepalive: true # default true, use the long pull way to query consul servers
# default_service: # you can define default server when missing hit
# host: "127.0.0.1"
# port: 20999
# metadata:
# fail_timeout: 1 # default 1 ms
# weight: 1 # default 1
# max_fails: 1 # default 1
# dump: # if you need, when registered nodes updated can dump into file
# path: "logs/consul.dump"
# expire: 2592000 # unit sec, here is 30 day
# load_on_init: true # default true, load the consul dump file on init
# kubernetes:
# ### kubernetes service discovery both support single-cluster and multi-cluster mode
# ### applicable to the case where the service is distributed in a single or multiple kubernetes clusters.
#
# ### single-cluster mode ###
# service:
# schema: https #apiserver schema, options [http, https], default https
# host: ${KUBERNETES_SERVICE_HOST} #apiserver host, options [ipv4, ipv6, domain, environment variable], default ${KUBERNETES_SERVICE_HOST}
# port: ${KUBERNETES_SERVICE_PORT} #apiserver port, options [port number, environment variable], default ${KUBERNETES_SERVICE_PORT}
# client:
# # serviceaccount token or path of serviceaccount token_file
# token_file: ${KUBERNETES_CLIENT_TOKEN_FILE}
# # token: |-
# # eyJhbGciOiJSUzI1NiIsImtpZCI6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEif
# # 6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEifeyJhbGciOiJSUzI1NiIsImtpZCI
# # kubernetes discovery plugin support use namespace_selector
# # you can use one of [equal, not_equal, match, not_match] filter namespace
# namespace_selector:
# # only save endpoints with namespace equal default
# equal: default
# # only save endpoints with namespace not equal default
# #not_equal: default
# # only save endpoints with namespace match one of [default, ^my-[a-z]+$]
# #match:
# #- default
# #- ^my-[a-z]+$
# # only save endpoints with namespace not match one of [default, ^my-[a-z]+$ ]
# #not_match:
# #- default
# #- ^my-[a-z]+$
# # kubernetes discovery plugin support use label_selector
# # for the expression of label_selector, please refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
# label_selector: |-
# first="a",second="b"
# # reserved lua shared memory size,1m memory can store about 1000 pieces of endpoint
# shared_size: 1m #default 1m
# ### single-cluster mode ###
#
# ### multi-cluster mode ###
# - id: release # a custom name refer to the cluster, pattern ^[a-z0-9]{1,8}
# service:
# schema: https #apiserver schema, options [http, https], default https
# host: ${KUBERNETES_SERVICE_HOST} #apiserver host, options [ipv4, ipv6, domain, environment variable]
# port: ${KUBERNETES_SERVICE_PORT} #apiserver port, options [port number, environment variable]
# client:
# # serviceaccount token or path of serviceaccount token_file
# token_file: ${KUBERNETES_CLIENT_TOKEN_FILE}
# # token: |-
# # eyJhbGciOiJSUzI1NiIsImtpZCI6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEif
# # 6Ikx5ME1DNWdnbmhQNkZCNlZYMXBsT3pYU3BBS2swYzBPSkN3ZnBESGpkUEEifeyJhbGciOiJSUzI1NiIsImtpZCI
# # kubernetes discovery plugin support use namespace_selector
# # you can use one of [equal, not_equal, match, not_match] filter namespace
# namespace_selector:
# # only save endpoints with namespace equal default
# equal: default
# # only save endpoints with namespace not equal default
# #not_equal: default
# # only save endpoints with namespace match one of [default, ^my-[a-z]+$]
# #match:
# #- default
# #- ^my-[a-z]+$
# # only save endpoints with namespace not match one of [default, ^my-[a-z]+$ ]
# #not_match:
# #- default
# #- ^my-[a-z]+$
# # kubernetes discovery plugin support use label_selector
# # for the expression of label_selector, please refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
# label_selector: |-
# first="a",second="b"
# # reserved lua shared memory size,1m memory can store about 1000 pieces of endpoint
# shared_size: 1m #default 1m
# ### multi-cluster mode ###
graphql:
max_size: 1048576 # the maximum size limitation of graphql in bytes, default 1MiB
#ext-plugin:
#cmd: ["ls", "-l"]
plugins: # plugin list (sorted by priority)
# - exit-transformer # priority: 9999999
- real-ip # priority: 23000
# - toolset # priority: 22901
- ai # priority: 22900
- client-control # priority: 22000
- proxy-buffering # priority: 21991
- proxy-control # priority: 21990
- request-id # priority: 12015
- zipkin # priority: 12011
#- skywalking # priority: 12010
#- opentelemetry # priority: 12009
- ext-plugin-pre-req # priority: 12000
- fault-injection # priority: 11000
- mocking # priority: 10900
- serverless-pre-function # priority: 10000
#- batch-requests # priority: 4010
- cors # priority: 4000
- ip-restriction # priority: 3000
- ua-restriction # priority: 2999
- referer-restriction # priority: 2990
- csrf # priority: 2980
- uri-blocker # priority: 2900
- request-validation # priority: 2800
- portal-auth # priority: 2750
- chaitin-waf # priority: 2700
- multi-auth # priority: 2600
- openid-connect # priority: 2599
- saml-auth # priority: 2598
- cas-auth # priority: 2597
- authz-casbin # priority: 2560
- authz-casdoor # priority: 2559
- wolf-rbac # priority: 2555
- ldap-auth # priority: 2540
- hmac-auth # priority: 2530
- basic-auth # priority: 2520
- jwt-auth # priority: 2510
- key-auth # priority: 2500
- acl # priority: 2410
- consumer-restriction # priority: 2400
- attach-consumer-label # priority: 2399
- forward-auth # priority: 2002
- opa # priority: 2001
- authz-keycloak # priority: 2000
- data-mask # priority: 1500
#- error-log-logger # priority: 1091
- proxy-cache # priority: 1085
- body-transformer # priority: 1080
- ai-request-rewrite # priority: 1073
- ai-prompt-template # priority: 1071
- ai-prompt-decorator # priority: 1070
- ai-prompt-guard # priority: 1072
- ai-rag # priority: 1060
- ai-aws-content-moderation # priority: 1050
- ai-proxy-multi # priority: 1041
- ai-proxy # priority: 1040
- ai-rate-limiting # priority: 1030
- ai-aliyun-content-moderation # priority: 1029
- proxy-mirror # priority: 1010
- graphql-proxy-cache # priority: 1009
- proxy-rewrite # priority: 1008
- workflow # priority: 1006
- api-breaker # priority: 1005
- graphql-limit-count # priority: 1004
- limit-conn # priority: 1003
- limit-count # priority: 1002
- limit-count-advanced # priority: 1001
- limit-req # priority: 999
#- node-status # priority: 998
- traffic-label # priority: 995
- gzip # priority: 994
- server-info # priority: 990
- api7-traffic-split # priority: 966
- traffic-split # priority: 966
- redirect # priority: 900
- response-rewrite # priority: 899
- soap # priority: 554
- openapi-to-mcp # priority: 540
- oas-validator # priority: 510
- degraphql # priority: 509
- kafka-proxy # priority: 508
#- dubbo-proxy # priority: 507
- grpc-transcode # priority: 506
- grpc-web # priority: 505
- public-api # priority: 501
- prometheus # priority: 500
- datadog # priority: 495
- lago # priority: 415
- error-page # priority: 450
- loki-logger # priority: 414
- elasticsearch-logger # priority: 413
- echo # priority: 412
- loggly # priority: 411
- http-logger # priority: 410
- splunk-hec-logging # priority: 409
- skywalking-logger # priority: 408
- google-cloud-logging # priority: 407
- sls-logger # priority: 406
- tcp-logger # priority: 405
- kafka-logger # priority: 403
- rocketmq-logger # priority: 402
- syslog # priority: 401
- udp-logger # priority: 400
- file-logger # priority: 399
- clickhouse-logger # priority: 398
- tencent-cloud-cls # priority: 397
#- log-rotate # priority: 100
# <- recommend to use priority (0, 100) for your custom plugins
- example-plugin # priority: 0
#- gm # priority: -43
- aws-lambda # priority: -1899
- azure-functions # priority: -1900
- openwhisk # priority: -1901
- openfunction # priority: -1902
- serverless-post-function # priority: -2000
- ext-plugin-post-req # priority: -3000
- ext-plugin-post-resp # priority: -4000
stream_plugins: # sorted by priority
- ip-restriction # priority: 3000
- limit-conn # priority: 1003
- mqtt-proxy # priority: 1000
- traffic-split # priority: 966
#- prometheus # priority: 500
- syslog # priority: 401
# <- recommend to use priority (0, 100) for your custom plugins
#wasm:
#plugins:
#- name: wasm_log
#priority: 7999
#file: t/wasm/log/main.go.wasm
#xrpc:
#protocols:
#- name: pingpong
plugin_attr:
log-rotate:
enable: false
timeout: 10000 # maximum wait time for a log rotation(unit: millisecond) interval: 3600 # rotate interval (unit: second)
max_kept: 168 # max number of log files will be kept
max_size: -1 # max size bytes of log files to be rotated, size check would be skipped with a value less than 0
enable_compression: false # enable log file compression(gzip) or not, default false
skywalking:
service_name: APISIX
service_instance_name: APISIX Instance Name
endpoint_addr: http://127.0.0.1:12800
soap:
endpoint: http://127.0.0.1:5000
timeout: 3000
prometheus:
export_uri: /apisix/prometheus/metrics
metric_prefix: apisix_
enable_export_server: true
export_addr:
ip: 127.0.0.1
port: 9091
fetch_metric_timeout: 5
allow_degradation: false
degradation_pause_steps: [ 60 ]
#metrics:
# http_status:
# # extra labels from nginx variables
# extra_labels:
# # the label name doesn't need to be the same as variable name
# # below labels are only examples, you could add any valid variables as you need
# - upstream_addr: $upstream_addr
# - upstream_status: $upstream_status
# expire: 0 # The expiration time after which metrics are removed. unit: second.
# # 0 means the metrics will not expire
# http_latency:
# extra_labels:
# - upstream_addr: $upstream_addr
# expire: 0 # The expiration time after which metrics are removed. unit: second.
# # 0 means the metrics will not expire
# bandwidth:
# extra_labels:
# - upstream_addr: $upstream_addr
# expire: 0 # The expiration time after which metrics are removed. unit: second.
# # 0 means the metrics will not expire
# default_buckets:
# - 10
# - 50
# - 100
# - 200
# - 500
server-info:
report_ttl: 60 # live time for server info in etcd (unit: second)
dubbo-proxy:
upstream_multiplex_count: 32
proxy-mirror:
timeout: # proxy timeout in mirrored sub-request
connect: 60s
read: 60s
send: 60s
# redirect:
# https_port: 8443 # the default port for use by HTTP redirects to HTTPS
inspect:
delay: 3 # in seconds
hooks_file: "/usr/local/apisix/plugin_inspect_hooks.lua"
zipkin: # Plugin: zipkin
set_ngx_var: false # export zipkin variables to nginx variables
deployment:
role: traditional
role_traditional:
config_provider: etcd
admin:
# Default token when use API to call for Admin API.
# *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
# Disabling this configuration item means that the Admin API does not
# require any authentication.
admin_key:
-
name: admin
key: edd1c9f034335f136f87ad84b625c8f1
role: admin # admin: manage all configuration data
# viewer: only can view configuration data
-
name: viewer
key: 4054f7cf07e344346cd3f287985e76a2
role: viewer
enable_admin_cors: true # Admin API support CORS response headers.
allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
- 127.0.0.0/24 # If we don't set any IP list, then any IP access is allowed by default.
#- "::/64"
admin_listen: # use a separate port
ip: 0.0.0.0 # Specific IP, if not set, the default value is `0.0.0.0`.
port: 9180 # Specific port, which must be different from node_listen's port.
#https_admin: true # enable HTTPS when use a separate port for Admin API.
# Admin API will use conf/apisix_admin_api.crt and conf/apisix_admin_api.key as certificate.
admin_api_mtls: # Depends on `admin_listen` and `https_admin`.
admin_ssl_cert: "" # Path of your self-signed server side cert.
admin_ssl_cert_key: "" # Path of your self-signed server side key.
admin_ssl_ca_cert: "" # Path of your self-signed ca cert.The CA is used to sign all admin api callers' certificates.
admin_api_version: v3 # The version of admin api, latest version is v3.
# fallback_cp:
# mode: "write" # "write" specifies that the dp instance will run on backup mode and not accept/proxy any requests. defaults to "write", which specifies "fallback" mode
# interval: 1 # interval in seconds for backup mode
# aws_s3: # configuration for AWS S3 to store configuration/resources either to push (in backup mode) or pull (in fallback mode)
# access_key: "just-access"
# secret_key: "super-secret"
# resource_bucket: "resource_bucket"
# config_bucket: "config_bucket"
# region: "ap-south-1"
# endpoint: "http://localhost:6969"
# azure_blob: # configuration for Azure Blob Storage to store configuration/resources either to push (in backup mode) or pull (in fallback mode)
# account_name: devstoreaccount1
# account_key: "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
# resource_container: yaml
# config_container: config
# endpoint: "http://localhost:10000/devstoreaccount1"
etcd:
host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
- "http://127.0.0.1:2379" # multiple etcd address, if your etcd cluster enables TLS, please use https scheme,
# e.g. https://127.0.0.1:2379.
prefix: /apisix # configuration prefix in etcd
timeout: 30 # The timeout when connect/read/write to etcd.
watch_timeout: 50 # The timeout when watch etcd
#resync_delay: 5 # when sync failed and a rest is needed, resync after the configured seconds plus 50% random jitter
#health_check_timeout: 10 # etcd retry the unhealthy nodes after the configured seconds
startup_retry: 2 # the number of retry to etcd during the startup, default to 2
#user: root # root username for etcd
#password: 5tHkHhYkjr6cQY # root password for etcd
tls:
# To enable etcd client certificate you need to build APISIX-Base, see
# https://apisix.apache.org/docs/apisix/FAQ#how-do-i-build-the-apisix-base-environment
#cert: /path/to/cert # path of certificate used by the etcd client
#key: /path/to/key # path of key used by the etcd client
verify: true # whether to verify the etcd endpoint certificate when setup a TLS connection to etcd,
# the default value is true, e.g. the certificate will be verified strictly.
#sni: # the SNI for etcd TLS requests. If missed, the host part of the URL will be used.
api7ee:
telemetry:
enable: true # enable telemetry data report to the control plane
interval: 15 # interval in seconds to send telemetry data to the control plane
max_metrics_size: 33554432 # max size in bytes(32M) of the metrics data sent to the control plane, if the size exceeds, the data will be truncated
metrics_batch_size: 4194304 # Max batch size before compression (bytes, 4 MiB).
compression_level: -1 # gzip compression level. -1 uses library default (usually 6).
# Range 0-9; 1 fastest, 9 highest compression. Gzip is enabled by default.
healthcheck_report_interval: 120 # healthcheck data report interval in seconds
http_timeout: 30s # http timeout used while sending healthcheck and telemetry data to the control plane
consumer_proxy:
enable: false # if enable is true, the consumer resources will be proxied by the control plane.
cache_success_count: 512 # cache the count of successful results queried from the control plane.
cache_success_ttl: 60 # (unit:sec), cache the ttl of successful results queried from the control plane.
cache_failure_count: 512 # cache the count of failed results queried from the control plane.
cache_failure_ttl: 60 # (unit:sec), cache the ttl of failed results queried from the control plane.
developer_proxy: # proxy portal-auth plugin
cache_success_count: 256 # cache the count of successful results queried from the control plane.
cache_success_ttl: 15 # (unit:sec), cache the ttl of successful results queried from the control plane.
cache_failure_count: 256 # cache the count of failed results queried from the control plane.
cache_failure_ttl: 15 # (unit:sec), cache the ttl of failed results queried from the control plane.