-
Notifications
You must be signed in to change notification settings - Fork 617
/
fabio.properties
1554 lines (1332 loc) · 46.9 KB
/
fabio.properties
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# proxy.cs configures one or more certificate sources.
#
# Each certificate source is configured with a list of
# key/value options. Each source must have a unique
# name which can then be referred to in a listener
# configuration.
#
# cs=<name>;type=<type>;opt=arg;opt[=arg];...
#
# All certificates need to be provided in PEM format.
#
# The following types of certificate sources are available:
#
# File
#
# The file certificate source supports one certificate which is loaded at
# startup and is cached until the service exits.
#
# The 'cert' option contains the path to the certificate file. The 'key'
# option contains the path to the private key file. If the certificate file
# contains both the certificate and the private key the 'key' option can be
# omitted. The 'clientca' option contains the path to one or more client
# authentication certificates.
#
# cs=<name>;type=file;cert=p/a-cert.pem;key=p/a-key.pem;clientca=p/clientAuth.pem
#
# Path
#
# The path certificate source loads certificates from a directory in
# alphabetical order and refreshes them periodically.
#
# The 'cert' option provides the path to the TLS certificates and the
# 'clientca' option provides the path to the certificates for client
# authentication.
#
# TLS certificates are stored either in one or two files:
#
# www.example.com.pem or www.example.com-{cert,key}.pem
#
# TLS certificates are loaded in alphabetical order and the first certificate
# is the default for clients which do not support SNI.
#
# The 'refresh' option can be set to specify the refresh interval for the TLS
# certificates. Client authentication certificates cannot be refreshed since
# Go does not provide a mechanism for that yet.
#
# The default refresh interval is 3 seconds and cannot be lower than 1 second
# to prevent busy loops. To load the certificates only once and disable
# automatic refreshing set 'refresh' to zero.
#
# cs=<name>;type=path;cert=path/to/certs;clientca=path/to/clientcas;refresh=3s
#
# HTTP
#
# The http certificate source loads certificates from an HTTP/HTTPS server.
#
# The 'cert' option provides a URL to a text file which contains all files
# that should be loaded from this directory. The filenames follow the same
# rules as for the path source. The text file can be generated with:
#
# ls -1 *.pem > list
#
# The 'clientca' option provides a URL for the client authentication
# certificates analogous to the 'cert' option.
#
# Authentication credentials can be provided in the URL as request parameter,
# as basic authentication parameters or through a header.
#
# The 'refresh' option can be set to specify the refresh interval for the TLS
# certificates. Client authentication certificates cannot be refreshed since
# Go does not provide a mechanism for that yet.
#
# The default refresh interval is 3 seconds and cannot be lower than 1 second
# to prevent busy loops. To load the certificates only once and disable
# automatic refreshing set 'refresh' to zero.
#
# cs=<name>;type=http;cert=https://host.com/path/to/cert/list&token=123
# cs=<name>;type=http;cert=https://user:pass@host.com/path/to/cert/list
# cs=<name>;type=http;cert=https://host.com/path/to/cert/list;hdr=Authorization: Bearer 1234
#
# Consul
#
# The consul certificate source loads certificates from consul.
#
# The 'cert' option provides a KV store URL where the the TLS certificates are
# stored.
#
# The 'clientca' option provides a URL to a path in the KV store where the the
# client authentication certificates are stored.
#
# The filenames follow the same rules as for the path source.
#
# The TLS certificates are updated automatically whenever the KV store
# changes. The client authentication certificates cannot be updated
# automatically since Go does not provide a mechanism for that yet.
#
# cs=<name>;type=consul;cert=http://localhost:8500/v1/kv/path/to/cert&token=123
#
# Vault
#
# The Vault certificate store uses HashiCorp Vault as the certificate
# store.
#
# The 'cert' option provides the path to the TLS certificates and the
# 'clientca' option provides the path to the certificates for client
# authentication.
#
# The 'refresh' option can be set to specify the refresh interval for the TLS
# certificates. Client authentication certificates cannot be refreshed since
# Go does not provide a mechanism for that yet.
#
# The default refresh interval is 3 seconds and cannot be lower than 1 second
# to prevent busy loops. To load the certificates only once and disable
# automatic refreshing set 'refresh' to zero.
#
# The path to vault must be provided in the VAULT_ADDR environment
# variable. The token can be provided in the VAULT_TOKEN environment
# variable, or provided by using the Vault fetch token option. By default the
# token is loaded once from the VAULT_TOKEN environment variable. See Vault PKI for details.
#
# cs=<name>;type=vault;cert=secret/fabio/certs
#
# Vault PKI
#
# The Vault PKI certificate store uses HashiCorp Vault's PKI backend to issue
# certificates on-demand.
#
# The 'cert' option provides a PKI backend path for issuing certificates. The
# 'clientca' option works in the same way as for the generic Vault source.
#
# The 'refresh' option determines how long before the expiration date
# certificates are re-issued. Values smaller than one hour are silently changed
# to one hour, which is also the default.
#
# cs=<name>;type=vault-pki;cert=pki/issue/example-dot-com;refresh=24h;clientca=secret/fabio/client-certs
#
# This source will issue server certificates on-demand using the PKI backend
# and re-issue them 24 hours before they expire. The CA for client
# authentication is expected to be stored at secret/fabio/client-certs.
#
# 'vaultfetchtoken' enables fetching the vault token from a file on the filesystem or an environment
# variable at the Vault refresh interval. If fetching the token from a file the 'file:[path]' syntax should be used,
# if fetching the token from an env variable, the 'env:[ENV]' syntax should be used.
#
# cs=<name>;type=vault;cert=secret/fabio/certs;vaultfetchtoken=env:VAULT_TOKEN
#
# Common options
#
# All certificate stores support the following options:
#
# caupgcn: Upgrade a self-signed client auth certificate with this common-name
# to a CA certificate. Typically used for self-singed certificates
# for the Amazon AWS Api Gateway certificates which do not have the
# CA flag set which makes them unsuitable for client certificate
# authentication in Go. For the AWS Api Gateway set this value
# to 'ApiGateway' to allow client certificate authentication.
# This replaces the deprecated parameter 'aws.apigw.cert.cn'
# which was introduced in version 1.1.5.
#
# Examples:
#
# # file based certificate source
# proxy.cs = cs=some-name;type=file;cert=p/a-cert.pem;key=p/a-key.pem
#
# # path based certificate source
# proxy.cs = cs=some-name;type=path;path=path/to/certs
#
# # HTTP certificate source
# proxy.cs = cs=some-name;type=http;cert=https://user:pass@host:port/path/to/certs
#
# # Consul certificate source
# proxy.cs = cs=some-name;type=consul;cert=https://host:port/v1/kv/path/to/certs?token=abc123
#
# # Vault certificate source
# proxy.cs = cs=some-name;type=vault;cert=secret/fabio/certs
#
# # Vault PKI certificate source
# proxy.cs = cs=some-name;type=vault-pki;cert=pki/issue/example-dot-com
#
# # Multiple certificate sources
# proxy.cs = cs=srcA;type=path;path=path/to/certs,\
# cs=srcB;type=http;cert=https://user:pass@host:port/path/to/certs
#
# # path based certificate source for AWS Api Gateway
# proxy.cs = cs=some-name;type=path;path=path/to/certs;clientca=path/to/clientcas;caupgcn=ApiGateway
#
# The default is
#
# proxy.cs =
# proxy.addr configures listeners.
#
# Each listener is configured with and address and a
# list of optional arguments in the form of
#
# [host]:port;opt=arg;opt[=arg];...
#
# Each listener has a protocol which is configured
# with the 'proto' option for which it routes and
# forwards traffic.
#
# The supported protocols are:
#
# * http for HTTP based protocols
# * https for HTTPS based protocols
# * tcp for a raw TCP proxy with or witout TLS support
# * tcp+sni for an SNI aware TCP proxy
# * tcp-dynamic for a consul driven TCP proxy
# * https+tcp+sni for an SNI aware TCP proxy with https fallthrough
# * prometheus for a prometheus listener. use this with the prometheus metrics target.
#
# If no 'proto' option is specified then the protocol
# is either 'http' or 'https' depending on whether a
# certificate source is configured via the 'cs' option
# which contains the name of the certificate source.
#
# The TCP+SNI proxy analyzes the ClientHello message
# of TLS connections to extract the server name
# extension and then forwards the encrypted traffic
# to the destination without decrypting the traffic.
#
# General options:
#
# rt: Sets the read timeout as a duration value (e.g. '3s')
#
# wt: Sets the write timeout as a duration value (e.g. '3s')
#
# it: Sets the idle timeout as a duration value (e.g. '3s')
#
# strictmatch: When set to 'true' the certificate source must provide
# a certificate that matches the hostname for the connection
# to be established. Otherwise, the first certificate is used
# if no matching certificate was found. This matches the default
# behavior of the Go TLS server implementation.
#
# pxyproto: When set to 'true' the listener will respect upstream v1
# PROXY protocol headers.
# NOTE: PROXY protocol was on by default from 1.1.3 to 1.5.10.
# This changed to off when this option was introduced with
# the 1.5.11 release.
# For more information about the PROXY protocol, please see:
# http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
#
# pxytimeout: Sets PROXY protocol header read timeout as a duration (e.g. '250ms').
# This defaults to 250ms if not set when 'pxyproto' is enabled.
#
# refresh: Sets the refresh interval to check the route table for updates.
# Used when 'tcp-dynamic' is enabled.
#
# TLS options:
#
# tlsmin: Sets the minimum TLS version for the handshake. This value
# is one of [ssl30, tls10, tls11, tls12] or the corresponding
# version number from https://golang.org/pkg/crypto/tls/#pkg-constants
#
# tlsmax: Sets the maximum TLS version for the handshake. See 'tlsmin'
# for the format.
#
# tlsciphers: Sets the list of allowed ciphers for the handshake. The value
# is a quoted comma-separated list of the hex cipher values or
# the constant names from https://golang.org/pkg/crypto/tls/#pkg-constants,
# e.g. "0xc00a,0xc02b" or "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
#
# Examples:
#
# # HTTP listener on port 9999
# proxy.addr = :9999
#
# # HTTP listener on IPv4 with read timeout
# proxy.addr = 1.2.3.4:9999;rt=3s
#
# # HTTP listener on IPv6 with write timeout
# proxy.addr = [2001:DB8::A/32]:9999;wt=5s
#
# # Multiple listeners
# proxy.addr = 1.2.3.4:9999;rt=3s,[2001:DB8::A/32]:9999;wt=5s
#
# # HTTPS listener on port 443 with certificate source
# proxy.addr = :443;cs=some-name
#
# # HTTPS listener on port 443 with certificate source and TLS options
# proxy.addr = :443;cs=some-name;tlsmin=tls10;tlsmax=tls11;tlsciphers="0xc00a,0xc02b"
#
# # TCP listener on port 1234 with port routing
# proxy.addr = :1234;proto=tcp
#
# # TCP listener on port 443 with SNI routing
# proxy.addr = :443;proto=tcp+sni
#
# # TCP listener on port 443 with SNI routing with HTTPS fallthrough
# proxy.addr = :443;proto=https+tcp+sni;cs=some-name
#
# # TCP listeners using consul for config with 5 second refresh interval
# proxy.addr = 0.0.0.0:0;proto=tcp-dynamic;refresh=5s
#
# # prometheus listener. can optionally be used with cs= as well for TLS support.
# proxy.addr = :9090;proto=prometheus;cs=some-name
#
# The default is
#
# proxy.addr = :9999
# proxy.localip configures the ip address of the proxy which is added
# to the Header configured by header.clientip and to the 'Forwarded: by=' attribute.
#
# The local non-loopback address is detected during startup
# but can be overwritten with this property.
#
# The default is
#
# proxy.localip =
# proxy.strategy configures the load balancing strategy.
#
# rnd: pseudo-random distribution
# rr: round-robin distribution
#
# "rnd" configures a pseudo-random distribution by using the microsecond
# fraction of the time of the request.
#
# "rr" configures a round-robin distribution.
#
# The default is
#
# proxy.strategy = rnd
# proxy.matcher configures the path matching algorithm.
#
# prefix: prefix matching
# glob: glob matching
# iprefix: case-insensitive prefix matching
#
# The default is
#
# proxy.matcher = prefix
# proxy.noroutestatus configures the response code when no route was found.
#
# The default is
#
# proxy.noroutestatus = 404
# proxy.shutdownwait configures the time for a graceful shutdown.
#
# After a signal is caught the proxy will immediately suspend
# routing traffic and respond with a 503 Service Unavailable
# for the duration of the given period.
#
# The default is
#
# proxy.shutdownwait = 0s
#proxy.deregistergraceperiod configures the time to wait before
#shutting down the proxies de-registering from the service registry.
#
#After a signal is caught Fabio will immediately de-register from the
#service registry and wait for `proxy.deregistergraceperiod` letting
#in-flight requests finish after which it will continue with shutting
#down the proxy.
#
#The default is
#
#proxy.deregistergraceperiod = 0s
# proxy.responseheadertimeout configures the response header timeout.
#
# This configures the ResponseHeaderTimeout of the http.Transport.
#
# The default is
#
# proxy.responseheadertimeout = 0s
# proxy.keepalivetimeout configures the keep-alive timeout.
#
# This configures the KeepAliveTimeout of the network dialer.
#
# The default is
#
# proxy.keepalivetimeout = 0s
# proxy.idleconntimeout configures the idle connection timeout, when
# to close (keep-alive) connections
#
# The default is
#
# proxy.idleconntimeout = 15s
# proxy.dialtimeout configures the connection timeout for
# outgoing connections.
#
# This configures the DialTimeout of the network dialer.
#
# The default is
#
# proxy.dialtimeout = 30s
# proxy.flushinterval configures periodic flushing of the
# response buffer for SSE (server-sent events) connections.
# They are detected when the 'Accept' header is
# 'text/event-stream'.
#
# The default is
#
# proxy.flushinterval = 1s
# proxy.globalflushinterval configures periodic flushing of the
# response buffer for non-SSE connections. By default it is not enabled.
#
# The default is
#
# proxy.globalflushinterval = 0
# proxy.maxconn configures the maximum number of cached
# incoming and outgoing connections.
#
# This configures the MaxIdleConnsPerHost of the http.Transport.
#
# The default is
#
# proxy.maxconn = 10000
# proxy.header.clientip configures the header for the request ip.
#
# The remoteIP is taken from http.Request.RemoteAddr.
#
# The default is
#
# proxy.header.clientip =
# proxy.header.tls configures the header to set for TLS connections.
#
# When set to a non-empty value the proxy will set this header on every
# TLS request to the value of ${proxy.header.tls.value}
#
# The default is
#
# proxy.header.tls =
# proxy.header.tls.value =
# proxy.header.requestid configures the header for the adding a unique request id.
# When set non-empty value the proxy will set this header on every request to the
# unique UUID value.
#
# The default is
#
# proxy.header.requestid =
# proxy.header.sts.maxage enables and configures the max-age of HSTS for TLS requests.
# When set greater than zero this enables the Strict-Transport-Security header
# and sets the max-age value in the header.
#
# The default is
#
# proxy.header.sts.maxage = 0
# proxy.header.sts.subdomains instructs HSTS to include subdomains.
# When set to true, the 'includeSubDomains' option will be added to
# the Strict-Transport-Security header.
#
# The default is
#
# proxy.header.sts.subdomains = false
# proxy.header.sts.preload instructs HSTS to include the preload directive.
# When set to true, the 'preload' option will be added to the
# Strict-Transport-Security header.
#
# Sending the preload directive from your site can have PERMANENT CONSEQUENCES
# and prevent users from accessing your site and any of its subdomains if you
# find you need to switch back to HTTP. Please read the details at
# https://hstspreload.org/#removal before sending the header with "preload".
#
# The default is
#
# proxy.header.sts.preload = false
# proxy.gzip.contenttype configures which responses should be compressed.
#
# By default, responses sent to the client are not compressed even if the
# client accepts compressed responses by setting the 'Accept-Encoding: gzip'
# header. By setting this value responses are compressed if the Content-Type
# header of the response matches and the response is not already compressed.
# The list of compressable content types is defined as a regular expression.
# The regular expression must follow the rules outlined in golang.org/pkg/regexp.
#
# A typical example is
#
# proxy.gzip.contenttype = ^(text/.*|application/(javascript|json|font-woff|xml)|.*\\+(json|xml))(;.*)?$
#
# The default is
#
# proxy.gzip.contenttype =
# proxy.auth configures one or more auth schemes.
#
# Each auth scheme is configured with a list of
# key/value options. Each source must have a unique
# name which can then be referred to in a routing
# rule.
#
# name=<name>;type=<type>;opt=arg;opt[=arg];...
#
# The following types of auth schemes are available:
#
# Basic
#
# The basic auth scheme leverages http basic authentication using
# one htpasswd file which is loaded at startup and by default is cached until
# the service exits. However, it's possible to refresh htpasswd file
# periodically by setting the refresh interval with 'refresh' option.
#
# The 'file' option contains the path to the htpasswd file. The 'realm'
# option contains realm name (optional, default is the scheme name).
# The 'refresh' option can set the htpasswd file refresh interval. Minimal
# refresh interval is 1s to void busy loop.
# By default refresh is disabled i.e. set to zero.
#
# name=<name>;type=basic;file=p/creds.htpasswd;realm=foo
#
# Examples
#
# # single basic auth scheme
#
# name=mybasicauth;type=basic;file=p/creds.htpasswd;
#
# # single basic auth scheme with refresh interval set to 30 seconds
#
# name=mybasicauth;type=basic;file=p/creds.htpasswd;refresh=30s
#
# # basic auth with multiple schemes
#
# proxy.auth = name=mybasicauth;type=basic;file=p/creds.htpasswd
# name=myotherauth;type=basic;file=p/other-creds.htpasswd;realm=myrealm
#
#
# proxy.grpcmaxrxmsgsize configures the grpc max receive message size in bytes.
# The default is
# proxy.grpcmaxrxmsgsize = 4194304
#
# proxy.grpcmaxtxmsgsize configures the grpc max transmit messsage size in bytes
# The default is
# proxy.grpcmaxtxmsgsize = 4194304
#
#
# proxy.grpcshutdowntimeout configures the amount of time fabio will wait to attempt
# to close the connection while waiting for grpc traffic to finish to a backend that's been
# deregistered. Default value is
# proxy.grpcshutdowntimeout = 2s
# setting to 0s disables the wait.
# log.access.format configures the format of the access log.
#
# If the value is either 'common' or 'combined' then the logs are written in
# the Common Log Format or the Combined Log Format as defined below:
#
# 'common': $remote_host - - [$time_common] "$request" $response_status $response_body_size
# 'combined': $remote_host - - [$time_common] "$request" $response_status $response_body_size "$header.Referer" "$header.User-Agent"
#
# Otherwise, the value is interpreted as a custom log format which is defined
# with the following parameters. Providing an empty format when logging is
# enabled is an error. To disable access logging leave the log.access.target
# value empty.
#
# $header.<name> - request http header (name: [a-zA-Z0-9-]+)
# $remote_addr - host:port of remote client
# $remote_host - host of remote client
# $remote_port - port of remote client
# $request - request <method> <uri> <proto>
# $request_args - request query parameters
# $request_host - request host header (aka server name)
# $request_method - request method
# $request_scheme - request scheme
# $request_uri - request URI
# $request_url - request URL
# $request_proto - request protocol
# $response_body_size - response body size in bytes
# $response_status - response status code
# $response_time_ms - response time in S.sss format
# $response_time_us - response time in S.ssssss format
# $response_time_ns - response time in S.sssssssss format
# $time_rfc3339 - log timestamp in YYYY-MM-DDTHH:MM:SSZ format
# $time_rfc3339_ms - log timestamp in YYYY-MM-DDTHH:MM:SS.sssZ format
# $time_rfc3339_us - log timestamp in YYYY-MM-DDTHH:MM:SS.ssssssZ format
# $time_rfc3339_ns - log timestamp in YYYY-MM-DDTHH:MM:SS.sssssssssZ format
# $time_unix_ms - log timestamp in unix epoch ms
# $time_unix_us - log timestamp in unix epoch us
# $time_unix_ns - log timestamp in unix epoch ns
# $time_common - log timestamp in DD/MMM/YYYY:HH:MM:SS -ZZZZ
# $upstream_addr - host:port of upstream server
# $upstream_host - host of upstream server
# $upstream_port - port of upstream server
# $upstream_request_scheme - upstream request scheme
# $upstream_request_uri - upstream request URI
# $upstream_request_url - upstream request URL
# $upstream_service - name of the upstream service
#
# The default is
#
# log.access.format = common
# log.access.target configures where the access log is written to.
#
# Options are 'stdout'. If the value is empty no access log is written.
#
# The default is
#
# log.access.target =
# log.level configures the log level.
#
# Valid levels are TRACE, DEBUG, INFO, WARN, ERROR and FATAL.
#
# The default is
#
# log.level = INFO
# log.routes.format configures the log output format of routing table updates.
#
# Changes to the routing table are written to the standard log. This option
# configures the output format:
#
# detail: detailed routing table as ascii tree
# delta: additions and deletions in config language
# all: complete routing table in config language
#
# The default is
#
# log.routes.format = delta
# registry.backend configures which backend is used.
# Supported backends are: consul, static, file, custom
# if custom is used fabio makes an api call to a remote system
# expecting the below json response
# [
# {
# "cmd": "string",
# "service": "string",
# "src": "string",
# "dst": "string",
# "weight": float,
# "tags": ["string"],
# "opts": {"string":"string"}
# }
# ]
# Short description of the fields required for a custom backend
#
# - cmd - the command to add, remove or change weight of a route. For example `route add` to add a new route mapping.
# - service - the name that the service will show up in the UI.
# - src - usually the prefix that will be used in the routing table.
# - dst - the endpoint that will be used as the destination of the routing table.
# - weight - defines the weight of this path to perform routing. For example route A 90% and route B 10% for canary deployments.
# - tags - a list of tags, provide a way to filter routes, making it easier to do operations like bulk deletes `route del tags "dev"`.
# - opts - a KV map of the config language list of options. for example `proto` or `prefix`
#
# The default is
#
# registry.backend = consul
# registry.timeout configures how long fabio tries to connect to the registry
# backend during startup.
#
# The default is
#
# registry.timeout = 10s
# registry.retry configures the interval with which fabio tries to
# connect to the registry during startup.
#
# The default is
#
# registry.retry = 500ms
# registry.static.routes configures a static routing table.
#
# Example:
#
# registry.static.routes = \
# route add svc / http://1.2.3.4:5000/
#
# The default is
#
# registry.static.routes =
# registry.static.noroutehtmlpath configures the KV path for the HTML of the
# noroutes page.
#
# The default is
#
# registry.static.noroutehtmlpath =
# registry.file.path configures a file based routing table.
# The value configures the path to the file with the routing table.
#
# The default is
#
# registry.file.path =
# registry.file.noroutehtmlpath configures the KV path for the HTML of the
# noroutes page.
#
# The default is
#
# registry.file.noroutehtmlpath =
# registry.consul.addr configures the address of the consul agent to connect to.
#
# The default is
#
# registry.consul.addr = localhost:8500
# registry.consul.token configures the acl token for consul.
#
# The default is
#
# registry.consul.token =
# registry.consul.tls.keyfile the path to the TLS certificate private key used for Consul communication.
#
# This is the full path to the TLS private key while using TLS transport to
# communicate with Consul
#
# The default is
#
# registry.consul.tls.keyfile =
# registry.consul.tls.certfile the path to the TLS certificate used for Consul communication.
#
# This is the full path to the TLS certificate while using TLS transport to
# communicate with Consul
#
# The default is
#
# registry.consul.tls.certfile =
# registry.consul.tls.cafile the path to the ca certificate used for Consul communication.
#
# This is the full path to the CA certificate while using TLS transport to
# communicate with Consul
#
# The default is
#
# registry.consul.tls.cafile =
# registry.consul.tls.capath the path to the folder containing CA certificates.
#
# This is the full path to the folder with CA certificates while using TLS transport to
# communicate with Consul
#
# The default is
#
# registry.consul.tls.capath =
# registry.consul.tls.insecureskipverify enable SSL verification with Consul.
#
# registry.consul.tls.insecureskipverify enables or disables SSL verification while using TLS transport to
# communicate with Consul
#
# The default is
#
# registry.consul.tls.insecureskipverify = false
# registry.consul.kvpath configures the KV path for manual routes.
#
# The consul KV path is watched for changes which get appended to
# the routing table. This allows for manual overrides and weighted
# round-robin routes. The key itself (e.g. fabio/config) and all
# subkeys (e.g. fabio/config/foo and fabio/config/bar) are combined
# in alphabetical order.
#
# The default is
#
# registry.consul.kvpath = /fabio/config
# registry.consul.noroutehtmlpath configures the KV path for the HTML of the
# noroutes page.
#
# The consul KV path is watched for changes.
#
# The default is
#
# registry.consul.noroutehtmlpath = /fabio/noroute.html
# registry.consul.service.status configures the valid service status
# values for services included in the routing table.
#
# The values are a comma separated list of
# "passing", "warning", "critical" and "unknown"
#
# The default is
#
# registry.consul.service.status = passing
# registry.consul.tagprefix configures the prefix for tags which define routes.
#
# Services which define routes publish one or more tags with host/path
# routes which they serve. These tags must have this prefix to be
# recognized as routes.
#
# The default is
#
# registry.consul.tagprefix = urlprefix-
# registry.consul.register.enabled configures whether fabio registers itself in consul.
#
# Fabio will register itself in consul only if this value is set to "true" which
# is the default. To disable registration set it to any other value, e.g. "false"
#
# The default is
#
# registry.consul.register.enabled = true
# registry.consul.register.addr configures the address for the service registration.
#
# Fabio registers itself in consul with this host:port address.
# It must point to the UI/API endpoint configured by ui.addr and defaults to its
# value.
#
# The default is
#
# registry.consul.register.addr = :9998
# registry.consul.register.name configures the name for the service registration.
#
# Fabio registers itself in consul under this service name.
#
# The default is
#
# registry.consul.register.name = fabio
# registry.consul.register.tags configures the tags for the service registration.
#
# Fabio registers itself with these tags. You can provide a comma separated list of tags.
#
# The default is
#
# registry.consul.register.tags =
# registry.consul.register.checkInterval configures the interval for the health check.
#
# Fabio registers an http health check on http(s)://${ui.addr}/health
# and this value tells consul how often to check it.
#
# The default is
#
# registry.consul.register.checkInterval = 1s
# registry.consul.register.checkTimeout configures the timeout for the health check.
#
# Fabio registers an http health check on http(s)://${ui.addr}/health
# and this value tells consul how long to wait for a response.
#
# The default is
#
# registry.consul.register.checkTimeout = 3s
# registry.consul.register.checkTLSSkipVerify configures TLS verification for the health check.
#
# Fabio registers an http health check on http(s)://${ui.addr}/health
# and this value tells consul to skip TLS certificate validation for
# https checks.
#
# The default is
#
# registry.consul.register.checkTLSSkipVerify = false
# registry.consul.register.checkDeregisterCriticalServiceAfter configures
# automatic deregistration of a service after the health check is critical for
# this length of time.
#
# Fabio registers an http health check on http(s)://${ui.addr}/health
# and this value tells consul to deregister the associated service if the check
# is critical for the specified duration.
#
# The default is
#
# registry.consul.register.checkDeregisterCriticalServiceAfter = 90m
# registry.consul.checksRequired configures how many health checks
# must pass in order for fabio to consider a service available.
#
# Possible values are:
# one: at least one health check must pass
# all: all health checks must pass
#
# The default is
#
# registry.consul.checksRequired = one
# registry.consul.serviceMonitors configures the concurrency for
# route updates. Fabio will make up to the configured number of
# concurrent calls to Consul to fetch status data for route
# updates.
#
# The default is
#
# registry.consul.serviceMonitors = 1
# registry.consul.pollInterval configures the poll interval
# for route updates. If Poll interval is set to 0 the updates will
# be disabled and fall back to blocking queries. Other values can
# be any time definition. e.g. 1s, 100ms
#
# The default is
# registry.consul.pollInterval = 0
# registry.custom.host configures the host:port for fabio to make the API call
#
# The default is
#
# registry.custom.host =
# registry.custom.scheme configures the scheme use to make the API call
# must be one of http, https
#
# The default is
#
# registry.custom.scheme = https
# registry.custom.checkTLSSkipVerify disables the TLS validation for the API call
#
# The default is
#
# registry.custom.checkTLSSkipVerify = false
# registry.custom.timeout controls the timeout for the API call
#
# The default is
#
# registry.custom.timeout = 5s
# registry.custom.pollinterval is the length of time between API calls
#
# The default is
#
#registry.custom.pollinterval = 10s
# registry.custom.path is the path used in the custom back end API Call
#
# The path does not need to contain the initial '/'
#
# Example:
#
# registry.custom.path = api/v1/
#