# Configuration File - Nginx Server Configs # This is a read-only file, do not try to modify it. master_process on; worker_processes 1; worker_cpu_affinity auto; # main configuration snippet starts # main configuration snippet ends error_log /dev/stderr warn; pid logs/nginx.pid; worker_rlimit_nofile 20480; events { accept_mutex off; worker_connections 10620; } worker_rlimit_core 16G; worker_shutdown_timeout 240s; env APISIX_PROFILE; env PATH; # for searching external plugin runner's binary # reserved environment variables for configuration env APISIX_DEPLOYMENT_ETCD_HOST; env API7_CONTROL_PLANE_ENDPOINTS; env API7_CONTROL_PLANE_TOKEN; env API7_CONTROL_PLANE_CERT; env API7_CONTROL_PLANE_KEY; thread_pool grpc-client-nginx-module threads=1; lua { lua_shared_dict prometheus-metrics 512m; } http { # put extra_lua_path in front of the builtin path # so user can override the source code lua_package_path "/opts/apisix-custom-plugins/?.lua;$prefix/deps/share/lua/5.1/?.lua;$prefix/deps/share/lua/5.1/?/init.lua;/usr/local/apisix/?.lua;/usr/local/apisix/?/init.lua;;/usr/local/apisix/?.lua;./?.lua;/usr/local/openresty/luajit/share/luajit-2.1/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/openresty/luajit/share/lua/5.1/?.lua;/usr/local/openresty/luajit/share/lua/5.1/?/init.lua;;"; lua_package_cpath "$prefix/deps/lib64/lua/5.1/?.so;$prefix/deps/lib/lua/5.1/?.so;;./?.so;/usr/local/lib/lua/5.1/?.so;/usr/local/openresty/luajit/lib/lua/5.1/?.so;/usr/local/lib/lua/5.1/loadall.so;"; lua_max_pending_timers 16384; lua_max_running_timers 4096; lua_shared_dict internal-status 10m; lua_shared_dict upstream-healthcheck 10m; lua_shared_dict worker-events 10m; lua_shared_dict lrucache-lock 10m; lua_shared_dict balancer-ewma 10m; lua_shared_dict balancer-ewma-locks 10m; lua_shared_dict balancer-ewma-last-touched-at 10m; lua_shared_dict etcd-cluster-health-check 10m; # etcd health check # for discovery shared dict lua_shared_dict plugin-limit-conn 10m; lua_shared_dict plugin-limit-req 10m; lua_shared_dict plugin-limit-count 10m; lua_shared_dict plugin-ai-rate-limiting 10m; lua_shared_dict plugin-ai-rate-limiting-reset-header 10m; lua_shared_dict plugin-limit-count-redis-cluster-slot-lock 1m; lua_shared_dict plugin-limit-count-reset-header 10m; lua_shared_dict plugin-limit-count-advanced 10m; lua_shared_dict plugin-limit-count-advanced-redis-cluster-slot-lock 1m; lua_shared_dict plugin-limit-count-advanced-reset-header 10m; lua_shared_dict plugin-graphql-limit-count 10m; lua_shared_dict plugin-graphql-limit-count-reset-header 10m; lua_shared_dict tracing_buffer 10m; # plugin: skywalking lua_shared_dict plugin-api-breaker 10m; lua_shared_dict discovery 1m; # cache for discovery metadata documents lua_shared_dict status_report 1m; # for openid-connect plugin lua_shared_dict jwks 1m; # cache for JWKs lua_shared_dict introspection 10m; # cache for JWT verification results lua_shared_dict cas_sessions 10m; lua_shared_dict saml_sessions 10m; # for authz-keycloak lua_shared_dict access-tokens 1m; # cache for service account access tokens lua_shared_dict ext-plugin 1m; # cache for ext-plugin # for custom shared dict lua_shared_dict kubernetes 20m; lua_shared_dict config 5m; lua_shared_dict nacos 20m; lua_capture_error_log 10m; lua_ssl_verify_depth 5; ssl_session_timeout 86400; underscores_in_headers on; lua_socket_log_errors off; resolver 169.254.25.10 valid=30 ipv6=on; resolver_timeout 5; lua_http10_buffering off; lua_regex_match_limit 100000; lua_regex_cache_max_entries 8192; log_format main escape=json '{"time":"$time_iso8601","request_id":"$request_id","remote_user":"$remote_user","remote_addr":"$remote_addr","x_forwarded_for":"$http_x_forwarded_for","user-agent":"$http_user_agent","scheme":"$scheme","method":"$request_method","http_referrer":"$http_referer","request_length":$request_length,"request_time":$request_time,"status":$status,"upstream_response_length":"$upstream_response_length","upstream_response_time":"$upstream_response_time","upstream_addr":"$upstream_addr","upstream_scheme":"$upstream_scheme","upstream_uri":"$upstream_uri","upstream_status":"$upstream_status","body_bytes_sent":$body_bytes_sent,"version":"$server_protocol","vhost":"$host","path":"$uri","query":"$args","content_type":"$sent_http_content_type", "upgrade":"$sent_http_upgrade", "ssl_protocol":"$ssl_protocol", "route_id":"$route_id", "project":"$project", "namespace":"$namespace", "service_name":"$service_name", "app":"$app", "app-uid":"$app_uid", "user":"$user", "trace_id":"$trace_id", "span_id":"$span_id", "ua_source":"$ua_source", "ingress_type":"$ingress_type", "env":"$env"}'; uninitialized_variable_warn off; access_log /dev/stdout main buffer=16384 flush=3; open_file_cache max=1000 inactive=60; client_max_body_size 0; keepalive_timeout 60s; client_header_timeout 60s; client_body_timeout 60s; send_timeout 10s; variables_hash_max_size 2048; server_tokens off; include mime.types; charset utf-8; real_ip_header X-Real-IP; real_ip_recursive off; set_real_ip_from 127.0.0.1; set_real_ip_from unix:; lua_ssl_trusted_certificate /usr/local/apisix/conf/cert/.ssl_trusted_combined.pem; # http configuration snippet starts large_client_header_buffers 16 64k; proxy_buffering off; gzip on; gzip_comp_level 1; gzip_http_version 1.1; gzip_min_length 256; gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component; gzip_proxied any; gzip_vary on; # http configuration snippet ends upstream apisix_backend { server 0.0.0.1; keepalive 320; keepalive_requests 1000; keepalive_timeout 60s; # we put the static configuration above so that we can override it in the Lua code balancer_by_lua_block { apisix.http_balancer_phase() } } upstream apisix_dubbo_backend { server 0.0.0.1; balancer_by_lua_block { apisix.http_balancer_phase() } # dynamical keepalive doesn't work with dubbo as the connection here # is managed by ngx_multi_upstream_module multi 32; keepalive 320; keepalive_requests 1000; keepalive_timeout 60s; } apisix_delay_client_max_body_check on; apisix_mirror_on_demand on; init_by_lua_block { require "resty.core" require "agent.hook" apisix = require("apisix") local dns_resolver = { "169.254.25.10", } local args = { dns_resolver = dns_resolver, } apisix.http_init(args) -- set apisix_lua_home into constans module -- it may be used by plugins to determine the work path of apisix local constants = require("apisix.constants") constants.apisix_lua_home = "/usr/local/apisix" } init_worker_by_lua_block { apisix.http_init_worker() } exit_worker_by_lua_block { apisix.http_exit_worker() } server { listen 127.0.0.1:9090; access_log off; location / { content_by_lua_block { apisix.http_control() } } } server { listen 0.0.0.0:9091 enable_process=privileged_agent; access_log off; location / { content_by_lua_block { local prometheus = require("apisix.plugins.prometheus.exporter") prometheus.export_metrics() } } location = /apisix/nginx_status { allow 127.0.0.0/24; deny all; stub_status; } location = /apisix/collect_nginx_status { content_by_lua_block { local prometheus = require("apisix.plugins.prometheus.exporter") prometheus.collect_api_specific_metrics() } } } # for proxy cache proxy_cache_path /tmp/disk_cache_one levels=1:2 keys_zone=disk_cache_one:50m inactive=1d max_size=1G use_temp_path=off; map $upstream_cache_zone $upstream_cache_zone_info { disk_cache_one /tmp/disk_cache_one,1:2; } server { listen 0.0.0.0:9080 default_server reuseport; listen [::]:9080 default_server reuseport; listen 0.0.0.0:9443 ssl default_server http2 reuseport; listen [::]:9443 ssl default_server http2 reuseport; server_name _; ssl_certificate cert/ssl_PLACE_HOLDER.crt; ssl_certificate_key cert/ssl_PLACE_HOLDER.key; ssl_session_cache shared:SSL:20m; ssl_session_timeout 10m; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; ssl_prefer_server_ciphers on; ssl_session_tickets off; proxy_ssl_trusted_certificate /usr/local/apisix/conf/cert/.ssl_trusted_combined.pem; # opentelemetry_set_ngx_var starts set $opentelemetry_context_traceparent ''; set $opentelemetry_trace_id ''; set $opentelemetry_span_id ''; # opentelemetry_set_ngx_var ends # zipkin_set_ngx_var starts # zipkin_set_ngx_var ends # http server configuration snippet starts set $route_id ""; set $project ""; set $namespace ""; set $service_name ""; set $app ""; set $app_uid ""; set $user ""; set $trace_id ""; set $span_id ""; set $ua_source ""; set $ingress_type ""; set $env ""; # http server configuration snippet ends location = /apisix/nginx_status { allow 127.0.0.0/24; deny all; access_log off; stub_status; } ssl_client_hello_by_lua_block { apisix.http_ssl_client_hello_phase() } ssl_certificate_by_lua_block { apisix.http_ssl_phase() } proxy_ssl_name $upstream_host; proxy_ssl_server_name on; location / { set $upstream_mirror_host ''; set $upstream_mirror_uri ''; set $upstream_upgrade ''; set $upstream_connection ''; set $upstream_scheme 'http'; set $upstream_host $http_host; set $upstream_uri ''; set $request_line ''; set $ctx_ref ''; # http server location configuration snippet starts # http server location configuration snippet ends set $dubbo_service_name ''; set $dubbo_service_version ''; set $dubbo_method ''; set $apisix_request_id $request_id; lua_error_log_request_id $apisix_request_id; set $ai_token_usage '-'; set $ai_ttfb '-'; access_by_lua_block { apisix.http_access_phase() } proxy_http_version 1.1; proxy_set_header Host $upstream_host; proxy_set_header Upgrade $upstream_upgrade; proxy_set_header Connection $upstream_connection; proxy_set_header X-Real-IP $remote_addr; proxy_pass_header Date; ### the following x-forwarded-* headers is to send to upstream server set $var_x_forwarded_proto $scheme; set $var_x_forwarded_host $host; set $var_x_forwarded_port $server_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $var_x_forwarded_proto; proxy_set_header X-Forwarded-Host $var_x_forwarded_host; proxy_set_header X-Forwarded-Port $var_x_forwarded_port; ### the following configuration is to cache response content from upstream server set $upstream_cache_zone off; set $upstream_cache_key ''; set $upstream_cache_bypass ''; set $upstream_no_cache ''; proxy_cache $upstream_cache_zone; proxy_cache_valid any 10s; proxy_cache_min_uses 1; proxy_cache_methods GET HEAD POST; proxy_cache_lock_timeout 5s; proxy_cache_use_stale off; proxy_cache_key $upstream_cache_key; proxy_no_cache $upstream_no_cache; proxy_cache_bypass $upstream_cache_bypass; proxy_pass $upstream_scheme://apisix_backend$upstream_uri; mirror /proxy_mirror; header_filter_by_lua_block { apisix.http_header_filter_phase() } body_filter_by_lua_block { apisix.http_body_filter_phase() } log_by_lua_block { apisix.http_log_phase() } } location @disable_proxy_buffering { # http server location configuration snippet starts # http server location configuration snippet ends proxy_http_version 1.1; proxy_set_header Host $upstream_host; proxy_set_header Upgrade $upstream_upgrade; proxy_set_header Connection $upstream_connection; proxy_set_header X-Real-IP $remote_addr; proxy_pass_header Date; ### the following x-forwarded-* headers is to send to upstream server proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $var_x_forwarded_proto; proxy_set_header X-Forwarded-Host $var_x_forwarded_host; proxy_set_header X-Forwarded-Port $var_x_forwarded_port; ### the following configuration is to cache response content from upstream server proxy_cache $upstream_cache_zone; proxy_cache_valid any 10s; proxy_cache_min_uses 1; proxy_cache_methods GET HEAD POST; proxy_cache_lock_timeout 5s; proxy_cache_use_stale off; proxy_cache_key $upstream_cache_key; proxy_no_cache $upstream_no_cache; proxy_cache_bypass $upstream_cache_bypass; proxy_pass $upstream_scheme://apisix_backend$upstream_uri; mirror /proxy_mirror; header_filter_by_lua_block { apisix.http_header_filter_phase() } body_filter_by_lua_block { apisix.http_body_filter_phase() } log_by_lua_block { apisix.http_log_phase() } proxy_buffering off; access_by_lua_block { apisix.disable_proxy_buffering_access_phase() } } location @grpc_pass { access_by_lua_block { apisix.grpc_access_phase() } # For servers which obey the standard, when `:authority` is missing, # `host` will be used instead. When used with apisix-base, we can do # better by setting `:authority` directly grpc_set_header ":authority" $upstream_host; grpc_set_header Content-Type application/grpc; grpc_set_header TE trailers; grpc_socket_keepalive on; grpc_pass $upstream_scheme://apisix_backend; mirror /proxy_mirror_grpc; header_filter_by_lua_block { apisix.http_header_filter_phase() } body_filter_by_lua_block { apisix.http_body_filter_phase() } log_by_lua_block { apisix.http_log_phase() } } location @dubbo_pass { access_by_lua_block { apisix.dubbo_access_phase() } dubbo_pass_all_headers on; dubbo_pass_body on; dubbo_pass $dubbo_service_name $dubbo_service_version $dubbo_method apisix_dubbo_backend; header_filter_by_lua_block { apisix.http_header_filter_phase() } body_filter_by_lua_block { apisix.http_body_filter_phase() } log_by_lua_block { apisix.http_log_phase() } } location = /proxy_mirror { internal; proxy_connect_timeout 60s; proxy_read_timeout 60s; proxy_send_timeout 60s; proxy_http_version 1.1; proxy_set_header Host $upstream_host; proxy_pass $upstream_mirror_uri; } location = /proxy_mirror_grpc { internal; grpc_connect_timeout 60s; grpc_read_timeout 60s; grpc_send_timeout 60s; grpc_pass $upstream_mirror_host; } } # http end configuration snippet starts # http end configuration snippet ends }