a4cc353375
Add the log_msg_template option in proxy-server.conf and log_format in a/c/o-server.conf. It is a string parsable by Python's format() function. Some fields containing user data might be anonymized by using log_anonymization_method and log_anonymization_salt. Change-Id: I29e30ef45fe3f8a026e7897127ffae08a6a80cd9
1166 lines
47 KiB
Groff
1166 lines
47 KiB
Groff
.\"
|
|
.\" Author: Joao Marcelo Martins <marcelo.martins@rackspace.com> or <btorch@gmail.com>
|
|
.\" Copyright (c) 2010-2012 OpenStack Foundation.
|
|
.\"
|
|
.\" Licensed under the Apache License, Version 2.0 (the "License");
|
|
.\" you may not use this file except in compliance with the License.
|
|
.\" You may obtain a copy of the License at
|
|
.\"
|
|
.\" http://www.apache.org/licenses/LICENSE-2.0
|
|
.\"
|
|
.\" Unless required by applicable law or agreed to in writing, software
|
|
.\" distributed under the License is distributed on an "AS IS" BASIS,
|
|
.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
.\" implied.
|
|
.\" See the License for the specific language governing permissions and
|
|
.\" limitations under the License.
|
|
.\"
|
|
.TH proxy-server.conf 5 "8/26/2011" "Linux" "OpenStack Swift"
|
|
|
|
.SH NAME
|
|
.LP
|
|
.B proxy-server.conf
|
|
\- configuration file for the OpenStack Swift proxy server
|
|
|
|
|
|
|
|
.SH SYNOPSIS
|
|
.LP
|
|
.B proxy-server.conf
|
|
|
|
|
|
|
|
.SH DESCRIPTION
|
|
.PP
|
|
This is the configuration file used by the proxy server and other proxy middlewares.
|
|
|
|
The configuration file follows the python-pastedeploy syntax. The file is divided
|
|
into sections, which are enclosed by square brackets. Each section will contain a
|
|
certain number of key/value parameters which are described later.
|
|
|
|
Any line that begins with a '#' symbol is ignored.
|
|
|
|
You can find more information about python-pastedeploy configuration format at
|
|
\fIhttp://pythonpaste.org/deploy/#config-format\fR
|
|
|
|
|
|
|
|
.SH GLOBAL SECTION
|
|
.PD 1
|
|
.RS 0
|
|
This is indicated by section named [DEFAULT]. Below are the parameters that
|
|
are acceptable within this section.
|
|
|
|
.IP "\fBbind_ip\fR"
|
|
IP address the proxy server should bind to. The default is 0.0.0.0 which will make
|
|
it bind to all available addresses.
|
|
.IP "\fBbind_port\fR"
|
|
TCP port the proxy server should bind to. The default is 80.
|
|
.IP "\fBkeep_idle\fR"
|
|
Value to set for socket TCP_KEEPIDLE. The default value is 600.
|
|
.IP "\fBbind_timeout\fR"
|
|
Timeout to bind socket. The default is 30.
|
|
.IP \fBbacklog\fR
|
|
TCP backlog. Maximum number of allowed pending connections. The default value is 4096.
|
|
.IP \fBadmin_key\fR
|
|
Key to use for admin calls that are HMAC signed. Default is empty,
|
|
which will disable admin calls to /info.
|
|
.IP \fBdisallowed_sections\fR
|
|
Allows the ability to withhold sections from showing up in the public calls
|
|
to /info. You can withhold subsections by separating the dict level with a
|
|
".". The following would cause the sections 'container_quotas' and 'tempurl'
|
|
to not be listed, and the key max_failed_deletes would be removed from
|
|
bulk_delete. Default value is 'swift.valid_api_versions' which allows all
|
|
registered features to be listed via HTTP GET /info except
|
|
swift.valid_api_versions information
|
|
.IP \fBworkers\fR
|
|
The number of pre-forked processes that will accept connections. Zero means
|
|
no fork. The default is auto which will make the server try to match the
|
|
number of effective cpu cores if python multiprocessing is available (included
|
|
with most python distributions >= 2.6) or fallback to one. It's worth noting
|
|
that individual workers will use many eventlet co-routines to service multiple
|
|
concurrent requests.
|
|
.IP \fBmax_clients\fR
|
|
Maximum number of clients one worker can process simultaneously (it will
|
|
actually accept(2) N + 1). Setting this to one (1) will only handle one request
|
|
at a time, without accepting another request concurrently. The default is 1024.
|
|
.IP \fBuser\fR
|
|
The system user that the proxy server will run as. The default is swift.
|
|
.IP \fBexpose_info\fR
|
|
Enables exposing configuration settings via HTTP GET /info. The default is true.
|
|
.IP \fBswift_dir\fR
|
|
Swift configuration directory. The default is /etc/swift.
|
|
.IP \fBcert_file\fR
|
|
Location of the SSL certificate file. The default path is /etc/swift/proxy.crt. This is
|
|
disabled by default.
|
|
.IP \fBkey_file\fR
|
|
Location of the SSL certificate key file. The default path is /etc/swift/proxy.key. This is
|
|
disabled by default.
|
|
.IP \fBexpiring_objects_container_divisor\fR
|
|
The default is 86400.
|
|
.IP \fBexpiring_objects_account_name\fR
|
|
The default is 'expiring_objects'.
|
|
.IP \fBlog_name\fR
|
|
Label used when logging. The default is swift.
|
|
.IP \fBlog_facility\fR
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP \fBlog_level\fR
|
|
Logging level. The default is INFO.
|
|
.IP \fBlog_address\fR
|
|
Logging address. The default is /dev/log.
|
|
.IP \fBlog_max_line_length\fR
|
|
To cap the length of log lines to the value given. No limit if set to 0, the default.
|
|
.IP \fBlog_headers\fR
|
|
The default is false.
|
|
.IP \fBlog_custom_handlers\fR
|
|
Comma separated list of functions to call to setup custom log handlers.
|
|
functions get passed: conf, name, log_to_console, log_route, fmt, logger,
|
|
adapted_logger. The default is empty.
|
|
.IP \fBlog_udp_host\fR
|
|
If set, log_udp_host will override log_address.
|
|
.IP "\fBlog_udp_port\fR
|
|
UDP log port, the default is 514.
|
|
.IP \fBlog_statsd_host\fR
|
|
StatsD server. IPv4/IPv6 addresses and hostnames are
|
|
supported. If a hostname resolves to an IPv4 and IPv6 address, the IPv4
|
|
address will be used.
|
|
.IP \fBlog_statsd_port\fR
|
|
The default is 8125.
|
|
.IP \fBlog_statsd_default_sample_rate\fR
|
|
The default is 1.
|
|
.IP \fBlog_statsd_sample_rate_factor\fR
|
|
The default is 1.
|
|
.IP \fBlog_statsd_metric_prefix\fR
|
|
The default is empty.
|
|
.IP \fBclient_timeout\fR
|
|
Time to wait while receiving each chunk of data from a client or another
|
|
backend node. The default is 60.
|
|
.IP \fBeventlet_debug\fR
|
|
Debug mode for eventlet library. The default is false.
|
|
.IP \fBtrans_id_suffix\fR
|
|
This optional suffix (default is empty) that would be appended to the swift transaction
|
|
id allows one to easily figure out from which cluster that X-Trans-Id belongs to.
|
|
This is very useful when one is managing more than one swift cluster.
|
|
.IP \fBcors_allow_origin\fR
|
|
List of origin hosts that are allowed for CORS requests in addition to what
|
|
the container has set. Use a comma separated list of full URL (http://foo.bar:1234,https://foo.bar)
|
|
.IP \fBstrict_cors_mode\fR
|
|
If True (default) then CORS requests are only allowed if their Origin header
|
|
matches an allowed origin. Otherwise, any Origin is allowed.
|
|
.IP \fBcors_expose_headers\fR
|
|
Comma separated list of headers to expose through Access-Control-Expose-Headers,
|
|
in addition to the defaults and any headers set in container metadata.
|
|
.IP \fBnice_priority\fR
|
|
Modify scheduling priority of server processes. Niceness values range from -20
|
|
(most favorable to the process) to 19 (least favorable to the process).
|
|
The default does not modify priority.
|
|
.IP \fBionice_class\fR
|
|
Modify I/O scheduling class of server processes. I/O niceness class values
|
|
are IOPRIO_CLASS_RT (realtime), IOPRIO_CLASS_BE (best-effort) and IOPRIO_CLASS_IDLE (idle).
|
|
The default does not modify class and priority.
|
|
Work only with ionice_priority.
|
|
.IP \fBionice_priority\fR
|
|
Modify I/O scheduling priority of server processes. I/O niceness priority
|
|
is a number which goes from 0 to 7. The higher the value, the lower
|
|
the I/O priority of the process. Work only with ionice_class.
|
|
Ignored if IOPRIO_CLASS_IDLE is set.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
|
|
.SH PIPELINE SECTION
|
|
.PD 1
|
|
.RS 0
|
|
This is indicated by section name [pipeline:main]. Below are the parameters that
|
|
are acceptable within this section.
|
|
|
|
.IP "\fBpipeline\fR"
|
|
It is used when you need apply a number of filters. It is a list of filters
|
|
ended by an application. The normal pipeline is "catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server".
|
|
|
|
Note: The double proxy-logging in the pipeline is not a mistake. The
|
|
left-most proxy-logging is there to log requests that were handled in
|
|
middleware and never made it through to the right-most middleware (and
|
|
proxy server). Double logging is prevented for normal requests. See
|
|
proxy-logging docs.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
|
|
.SH FILTER SECTION
|
|
.PD 1
|
|
.RS 0
|
|
Any section that has its name prefixed by "filter:" indicates a filter section.
|
|
Filters are used to specify configuration parameters for specific swift middlewares.
|
|
Below are the filters available and respective acceptable parameters.
|
|
.IP "\fB[filter:healthcheck]\fR"
|
|
.RE
|
|
.RS 3
|
|
.IP "\fBuse\fR"
|
|
Entry point for paste.deploy for the healthcheck middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#healthcheck\fR.
|
|
.IP "\fBdisable_path\fR"
|
|
An optional filesystem path which, if present, will cause the healthcheck
|
|
URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE".
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:tempauth]\fR"
|
|
.RE
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the tempauth middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#tempauth\fR.
|
|
.IP "\fBset log_name\fR"
|
|
Label used when logging. The default is tempauth.
|
|
.IP "\fBset log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBset log_level\fR "
|
|
Logging level. The default is INFO.
|
|
.IP "\fBset log_address\fR"
|
|
Logging address. The default is /dev/log.
|
|
.IP "\fBset log_headers\fR "
|
|
Enables the ability to log request headers. The default is False.
|
|
.IP \fBreseller_prefix\fR
|
|
The reseller prefix will verify a token begins with this prefix before even
|
|
attempting to validate it. Also, with authorization, only Swift storage accounts
|
|
with this prefix will be authorized by this middleware. Useful if multiple auth
|
|
systems are in use for one Swift cluster. The default is AUTH.
|
|
.IP \fBauth_prefix\fR
|
|
The auth prefix will cause requests beginning with this prefix to be routed
|
|
to the auth subsystem, for granting tokens, etc. The default is /auth/.
|
|
.IP \fBrequire_group\fR
|
|
The require_group parameter names a group that must be presented by
|
|
either X-Auth-Token or X-Service-Token. Usually this parameter is
|
|
used only with multiple reseller prefixes (e.g., SERVICE_require_group=blah).
|
|
By default, no group is needed. Do not use .admin.
|
|
.IP \fBtoken_life\fR
|
|
This is the time in seconds before the token expires. The default is 86400.
|
|
.IP \fBallow_overrides\fR
|
|
This allows middleware higher in the WSGI pipeline to override auth
|
|
processing, useful for middleware such as tempurl and formpost. If you know
|
|
you're not going to use such middleware and you want a bit of extra security,
|
|
you can set this to false. The default is true.
|
|
.IP \fBstorage_url_scheme\fR
|
|
This specifies what scheme to return with storage urls:
|
|
http, https, or default (chooses based on what the server is running as)
|
|
This can be useful with an SSL load balancer in front of a non-SSL server.
|
|
.IP \fBuser_<account>_<user>\fR
|
|
Lastly, you need to list all the accounts/users you want here. The format is:
|
|
user_<account>_<user> = <key> [group] [group] [...] [storage_url]
|
|
or if you want underscores in <account> or <user>, you can base64 encode them
|
|
(with no equal signs) and use this format:
|
|
user64_<account_b64>_<user_b64> = <key> [group] [group] [...] [storage_url]
|
|
|
|
There are special groups of: \fI.reseller_admin\fR who can do anything to any account for this auth
|
|
and also \fI.admin\fR who can do anything within the account.
|
|
|
|
If neither of these groups are specified, the user can only access containers that
|
|
have been explicitly allowed for them by a \fI.admin\fR or \fI.reseller_admin\fR.
|
|
The trailing optional storage_url allows you to specify an alternate URL to hand
|
|
back to the user upon authentication. If not specified, this defaults to
|
|
\fIhttp[s]://<ip>:<port>/v1/<reseller_prefix>_<account>\fR where http or https depends
|
|
on whether cert_file is specified in the [DEFAULT] section, <ip> and <port> are based
|
|
on the [DEFAULT] section's bind_ip and bind_port (falling back to 127.0.0.1 and 8080),
|
|
<reseller_prefix> is from this section, and <account> is from the user_<account>_<user> name.
|
|
|
|
Here are example entries, required for running the tests:
|
|
.RE
|
|
|
|
.PD 0
|
|
.RS 10
|
|
.IP "user_admin_admin = admin .admin .reseller_admin"
|
|
.IP "user_test_tester = testing .admin"
|
|
.IP "user_test2_tester2 = testing2 .admin"
|
|
.IP "user_test_tester3 = testing3"
|
|
.RE
|
|
.PD
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:authtoken]\fR"
|
|
.RE
|
|
|
|
To enable Keystone authentication you need to have the auth token
|
|
middleware first to be configured. Here is an example below, please
|
|
refer to the keystone's documentation for details about the
|
|
different settings.
|
|
|
|
You'll need to have as well the keystoneauth middleware enabled
|
|
and have it in your main pipeline so instead of having tempauth in
|
|
there you can change it to: authtoken keystoneauth
|
|
|
|
The auth credentials ("project_domain_name", "user_domain_name", "username",
|
|
"project_name", "password") must match the Keystone credentials for the Swift
|
|
service. The example values shown here assume a user named "swift" with admin
|
|
role on a project named "service", both being in the Keystone domain with id
|
|
"default". Refer to the KeystoneMiddleware documentation at
|
|
.BI https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html#configuration
|
|
for other examples.
|
|
|
|
.PD 0
|
|
.RS 10
|
|
.IP "paste.filter_factory = keystonemiddleware.auth_token:filter_factory"
|
|
.IP "www_authenticate_uri = http://keystonehost:5000"
|
|
.IP "auth_url = http://keystonehost:35357"
|
|
.IP "auth_plugin = password"
|
|
.IP "project_domain_id = default"
|
|
.IP "user_domain_id = default"
|
|
.IP "project_name = service"
|
|
.IP "username = swift"
|
|
.IP "password = password"
|
|
.IP ""
|
|
.IP "# delay_auth_decision defaults to False, but leaving it as false will"
|
|
.IP "# prevent other auth systems, staticweb, tempurl, formpost, and ACLs from"
|
|
.IP "# working. This value must be explicitly set to True."
|
|
.IP "delay_auth_decision = False"
|
|
.IP
|
|
.IP "cache = swift.cache"
|
|
.IP "include_service_catalog = False"
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:keystoneauth]\fR"
|
|
.RE
|
|
|
|
Keystone authentication middleware.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the keystoneauth middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#keystoneauth\fR.
|
|
.IP \fBreseller_prefix\fR
|
|
The reseller_prefix option lists account namespaces that this middleware is
|
|
responsible for. The prefix is placed before the Keystone project id.
|
|
For example, for project 12345678, and prefix AUTH, the account is
|
|
named AUTH_12345678 (i.e., path is /v1/AUTH_12345678/...).
|
|
Several prefixes are allowed by specifying a comma-separated list
|
|
as in: "reseller_prefix = AUTH, SERVICE". The empty string indicates a
|
|
single blank/empty prefix. If an empty prefix is required in a list of
|
|
prefixes, a value of '' (two single quote characters) indicates a
|
|
blank/empty prefix. Except for the blank/empty prefix, an underscore ('_')
|
|
character is appended to the value unless already present.
|
|
.IP \fBoperator_roles\fR
|
|
The user must have at least one role named by operator_roles on a
|
|
project in order to create, delete and modify containers and objects
|
|
and to set and read privileged headers such as ACLs.
|
|
If there are several reseller prefix items, you can prefix the
|
|
parameter so it applies only to those accounts (for example
|
|
the parameter SERVICE_operator_roles applies to the /v1/SERVICE_<project>
|
|
path). If you omit the prefix, the option applies to all reseller
|
|
prefix items. For the blank/empty prefix, prefix with '' (do not put
|
|
underscore after the two single quote characters).
|
|
.IP \fBreseller_admin_role\fR
|
|
The reseller admin role has the ability to create and delete accounts.
|
|
.IP \fBallow_overrides\fR
|
|
This allows middleware higher in the WSGI pipeline to override auth
|
|
processing, useful for middleware such as tempurl and formpost. If you know
|
|
you're not going to use such middleware and you want a bit of extra security,
|
|
you can set this to false.
|
|
.IP \fBservice_roles\fR
|
|
If the service_roles parameter is present, an X-Service-Token must be
|
|
present in the request that when validated, grants at least one role listed
|
|
in the parameter. The X-Service-Token may be scoped to any project.
|
|
If there are several reseller prefix items, you can prefix the
|
|
parameter so it applies only to those accounts (for example
|
|
the parameter SERVICE_service_roles applies to the /v1/SERVICE_<project>
|
|
path). If you omit the prefix, the option applies to all reseller
|
|
prefix items. For the blank/empty prefix, prefix with '' (do not put
|
|
underscore after the two single quote characters).
|
|
By default, no service_roles are required.
|
|
.IP \fBdefault_domain_id\fR
|
|
For backwards compatibility, keystoneauth will match names in cross-tenant
|
|
access control lists (ACLs) when both the requesting user and the tenant
|
|
are in the default domain i.e the domain to which existing tenants are
|
|
migrated. The default_domain_id value configured here should be the same as
|
|
the value used during migration of tenants to keystone domains.
|
|
.IP \fBallow_names_in_acls\fR
|
|
For a new installation, or an installation in which keystone projects may
|
|
move between domains, you should disable backwards compatible name matching
|
|
in ACLs by setting allow_names_in_acls to false:
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:cache]\fR"
|
|
.RE
|
|
|
|
Caching middleware that manages caching in swift.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the memcache middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#memcache\fR.
|
|
.IP "\fBset log_name\fR"
|
|
Label used when logging. The default is memcache.
|
|
.IP "\fBset log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBset log_level\fR "
|
|
Logging level. The default is INFO.
|
|
.IP "\fBset log_address\fR"
|
|
Logging address. The default is /dev/log.
|
|
.IP "\fBset log_headers\fR"
|
|
Enables the ability to log request headers. The default is False.
|
|
.IP \fBmemcache_max_connections\fR
|
|
Sets the maximum number of connections to each memcached server per worker.
|
|
.IP \fBmemcache_servers\fR
|
|
If not set in the configuration file, the value for memcache_servers will be
|
|
read from /etc/swift/memcache.conf (see memcache.conf-sample) or lacking that
|
|
file, it will default to 127.0.0.1:11211. You can specify multiple servers
|
|
separated with commas, as in: 10.1.2.3:11211,10.1.2.4:11211. (IPv6
|
|
addresses must follow rfc3986 section-3.2.2, i.e. [::1]:11211)
|
|
.IP \fBmemcache_serialization_support\fR
|
|
This sets how memcache values are serialized and deserialized:
|
|
.RE
|
|
|
|
.PD 0
|
|
.RS 10
|
|
.IP "0 = older, insecure pickle serialization"
|
|
.IP "1 = json serialization but pickles can still be read (still insecure)"
|
|
.IP "2 = json serialization only (secure and the default)"
|
|
.RE
|
|
|
|
.RS 10
|
|
To avoid an instant full cache flush, existing installations should upgrade with 0, then set to 1 and reload, then after some time (24 hours) set to 2 and reload. In the future, the ability to use pickle serialization will be removed.
|
|
|
|
If not set in the configuration file, the value for memcache_serialization_support will be read from /etc/swift/memcache.conf if it exists (see memcache.conf-sample). Otherwise, the default value as indicated above will be used.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:ratelimit]\fR"
|
|
.RE
|
|
|
|
Rate limits requests on both an Account and Container level. Limits are configurable.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the ratelimit middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#ratelimit\fR.
|
|
.IP "\fBset log_name\fR"
|
|
Label used when logging. The default is ratelimit.
|
|
.IP "\fBset log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBset log_level\fR "
|
|
Logging level. The default is INFO.
|
|
.IP "\fBset log_address\fR"
|
|
Logging address. The default is /dev/log.
|
|
.IP "\fBset log_headers\fR "
|
|
Enables the ability to log request headers. The default is False.
|
|
.IP \fBclock_accuracy\fR
|
|
This should represent how accurate the proxy servers' system clocks are with each other.
|
|
1000 means that all the proxies' clock are accurate to each other within 1 millisecond.
|
|
No ratelimit should be higher than the clock accuracy. The default is 1000.
|
|
.IP \fBmax_sleep_time_seconds\fR
|
|
App will immediately return a 498 response if the necessary sleep time ever exceeds
|
|
the given max_sleep_time_seconds. The default is 60 seconds.
|
|
.IP \fBlog_sleep_time_seconds\fR
|
|
To allow visibility into rate limiting set this value > 0 and all sleeps greater than
|
|
the number will be logged. If set to 0 means disabled. The default is 0.
|
|
.IP \fBrate_buffer_seconds\fR
|
|
Number of seconds the rate counter can drop and be allowed to catch up
|
|
(at a faster than listed rate). A larger number will result in larger spikes in
|
|
rate but better average accuracy. The default is 5.
|
|
.IP \fBaccount_ratelimit\fR
|
|
If set, will limit PUT and DELETE requests to /account_name/container_name. Number is
|
|
in requests per second. If set to 0 means disabled. The default is 0.
|
|
.IP \fBcontainer_ratelimit_size\fR
|
|
When set with container_limit_x = r: for containers of size x, limit requests per second
|
|
to r. Will limit PUT, DELETE, and POST requests to /a/c/o. The default is ''.
|
|
.IP \fBcontainer_listing_ratelimit_size\fR
|
|
Similarly to the above container-level write limits, the following will limit
|
|
container GET (listing) requests.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:domain_remap]\fR"
|
|
.RE
|
|
|
|
Middleware that translates container and account parts of a domain to path parameters that the proxy server understands.
|
|
The container.account.storageurl/object gets translated to container.account.storageurl/path_root/account/container/object and account.storageurl/path_root/container/object gets translated to account.storageurl/path_root/account/container/object
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the domain_remap middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#domain_remap\fR.
|
|
.IP "\fBset log_name\fR"
|
|
Label used when logging. The default is domain_remap.
|
|
.IP "\fBset log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBset log_level\fR "
|
|
Logging level. The default is INFO.
|
|
.IP "\fBset log_address\fR"
|
|
Logging address. The default is /dev/log.
|
|
.IP "\fBset log_headers\fR "
|
|
Enables the ability to log request headers. The default is False.
|
|
.IP \fBstorage_domain\fR
|
|
The domain to be used by the middleware. Multiple domains can be specified separated by a comma.
|
|
.IP \fBpath_root\fR
|
|
The path root value for the storage URL. The default is v1.
|
|
.IP \fBreseller_prefixes\fR
|
|
Browsers can convert a host header to lowercase, so check that reseller
|
|
prefix on the account is the correct case. This is done by comparing the
|
|
items in the reseller_prefixes config option to the found prefix. If they
|
|
match except for case, the item from reseller_prefixes will be used
|
|
instead of the found reseller prefix. When none match, the default reseller
|
|
prefix is used. When no default reseller prefix is configured, any request with
|
|
an account prefix not in that list will be ignored by this middleware.
|
|
Defaults to 'AUTH'.
|
|
.IP \fBdefault_reseller_prefix\fR
|
|
The default reseller prefix. This is used when none of the configured
|
|
reseller_prefixes match. When not set, no reseller prefix is added.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:catch_errors]\fR"
|
|
.RE
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the catch_errors middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#catch_errors\fR.
|
|
.IP "\fBset log_name\fR"
|
|
Label used when logging. The default is catch_errors.
|
|
.IP "\fBset log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBset log_level\fR "
|
|
Logging level. The default is INFO.
|
|
.IP "\fBset log_address\fR "
|
|
Logging address. The default is /dev/log.
|
|
.IP "\fBset log_headers\fR"
|
|
Enables the ability to log request headers. The default is False.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:cname_lookup]\fR"
|
|
.RE
|
|
|
|
Note: this middleware requires python-dnspython
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the cname_lookup middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#cname_lookup\fR.
|
|
.IP "\fBset log_name\fR"
|
|
Label used when logging. The default is cname_lookup.
|
|
.IP "\fBset log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBset log_level\fR "
|
|
Logging level. The default is INFO.
|
|
.IP "\fBset log_address\fR"
|
|
Logging address. The default is /dev/log.
|
|
.IP "\fBset log_headers\fR"
|
|
Enables the ability to log request headers. The default is False.
|
|
.IP \fBstorage_domain\fR
|
|
The domain to be used by the middleware.
|
|
.IP \fBlookup_depth\fR
|
|
How deep in the CNAME chain to look for something that matches the storage domain.
|
|
The default is 1.
|
|
.IP \fBnameservers\fR
|
|
Specify the nameservers to use to do the CNAME resolution. If unset, the system
|
|
configuration is used. Multiple nameservers can be specified separated by a comma.
|
|
Default is unset.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:staticweb]\fR"
|
|
.RE
|
|
|
|
Note: Put staticweb just after your auth filter(s) in the pipeline
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the staticweb middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#staticweb\fR.
|
|
.IP "\fBset log_name\fR"
|
|
Label used when logging. The default is staticweb.
|
|
.IP "\fBset log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBset log_level\fR "
|
|
Logging level. The default is INFO.
|
|
.IP "\fBset log_address\fR "
|
|
Logging address. The default is /dev/log.
|
|
.IP "\fBset log_headers\fR"
|
|
Enables the ability to log request headers. The default is False.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:tempurl]\fR"
|
|
.RE
|
|
|
|
Note: Put tempurl before slo, dlo, and your auth filter(s) in the pipeline
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the tempurl middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#tempurl\fR.
|
|
.IP \fBmethods\fR
|
|
The methods allowed with Temp URLs. The default is 'GET HEAD PUT POST DELETE'.
|
|
.IP \fBincoming_remove_headers\fR
|
|
The headers to remove from incoming requests. Simply a whitespace delimited list of header names and names can optionally end with '*' to indicate a prefix match. incoming_allow_headers is a list of exceptions to these removals.
|
|
.IP \fBincoming_allow_headers\fR
|
|
The headers allowed as exceptions to incoming_remove_headers. Simply a whitespace delimited list of header names and names can optionally end with '*' to indicate a prefix match.
|
|
.IP "\fBoutgoing_remove_headers\fR"
|
|
The headers to remove from outgoing responses. Simply a whitespace delimited list of header names and names can optionally end with '*' to indicate a prefix match. outgoing_allow_headers is a list of exceptions to these removals.
|
|
.IP "\fBoutgoing_allow_headers\fR"
|
|
The headers allowed as exceptions to outgoing_remove_headers. Simply a whitespace delimited list of header names and names can optionally end with '*' to indicate a prefix match.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:formpost]\fR"
|
|
.RE
|
|
|
|
Note: Put formpost just before your auth filter(s) in the pipeline
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the formpost middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#formpost\fR.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:name_check]\fR"
|
|
.RE
|
|
|
|
Note: Just needs to be placed before the proxy-server in the pipeline.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the name_check middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#name_check\fR.
|
|
.IP \fBforbidden_chars\fR
|
|
Characters that will not be allowed in a name. The default is '"`<>.
|
|
.IP \fBmaximum_length\fR
|
|
Maximum number of characters that can be in the name. The default is 255.
|
|
.IP \fBforbidden_regexp\fR
|
|
Python regular expressions of substrings that will not be allowed in a name. The default is /\./|/\.\./|/\.$|/\.\.$.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:list-endpoints]\fR"
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the list_endpoints middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#list_endpoints\fR.
|
|
.IP \fBlist_endpoints_path\fR
|
|
The default is '/endpoints/'.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:proxy-logging]\fR"
|
|
.RE
|
|
|
|
Logging for the proxy server now lives in this middleware.
|
|
If the access_* variables are not set, logging directives from [DEFAULT]
|
|
without "access_" will be used.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the proxy_logging middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#proxy_logging\fR.
|
|
.IP "\fBaccess_log_name\fR"
|
|
Label used when logging. The default is proxy-server.
|
|
.IP "\fBaccess_log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBaccess_log_level\fR "
|
|
Logging level. The default is INFO.
|
|
.IP \fBaccess_log_address\fR
|
|
Default is /dev/log.
|
|
.IP \fBaccess_log_udp_host\fR
|
|
If set, access_log_udp_host will override access_log_address. Default is
|
|
unset.
|
|
.IP \fBaccess_log_udp_port\fR
|
|
Default is 514.
|
|
.IP \fBaccess_log_statsd_host\fR
|
|
You can use log_statsd_* from [DEFAULT], or override them here.
|
|
StatsD server. IPv4/IPv6 addresses and hostnames are
|
|
supported. If a hostname resolves to an IPv4 and IPv6 address, the IPv4
|
|
address will be used.
|
|
.IP \fBaccess_log_statsd_port\fR
|
|
Default is 8125.
|
|
.IP \fBaccess_log_statsd_default_sample_rate\fR
|
|
Default is 1.
|
|
.IP \fBaccess_log_statsd_sample_rate_factor\fR
|
|
The default is 1.
|
|
.IP \fBaccess_log_statsd_metric_prefix\fR
|
|
Default is "" (empty-string)
|
|
.IP \fBaccess_log_headers\fR
|
|
Default is False.
|
|
.IP \fBaccess_log_headers_only\fR
|
|
If access_log_headers is True and access_log_headers_only is set only
|
|
these headers are logged. Multiple headers can be defined as comma separated
|
|
list like this: access_log_headers_only = Host, X-Object-Meta-Mtime
|
|
.IP \fBreveal_sensitive_prefix\fR
|
|
By default, the X-Auth-Token is logged. To obscure the value,
|
|
set reveal_sensitive_prefix to the number of characters to log.
|
|
For example, if set to 12, only the first 12 characters of the
|
|
token appear in the log. An unauthorized access of the log file
|
|
won't allow unauthorized usage of the token. However, the first
|
|
12 or so characters is unique enough that you can trace/debug
|
|
token usage. Set to 0 to suppress the token completely (replaced
|
|
by '...' in the log). The default is 16 chars.
|
|
Note: reveal_sensitive_prefix will not affect the value logged with access_log_headers=True.
|
|
.IP \fBlog_statsd_valid_http_methods\fR
|
|
What HTTP methods are allowed for StatsD logging (comma-sep); request methods
|
|
not in this list will have "BAD_METHOD" for the <verb> portion of the metric.
|
|
Default is "GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS".
|
|
.IP \fBlog_anonymization_method\fR
|
|
Hashing algorithm for anonymization. Must be one of algorithms supported by Python's hashlib. Default is MD5.
|
|
.IP \fBlog_anonymization_salt\fR
|
|
Salt added as prefix before hashing the value to anonymize. Default is empty (no salt).
|
|
.IP "\fBlog_msg_template\fR"
|
|
Template used to format access logs. All words surrounded by curly brackets will be substituted with the appropriate values.
|
|
|
|
.RE
|
|
.PD 0
|
|
.RS 10
|
|
.IP "Some keywords map to timestamps and can be converted to standard dates formats using the matching transformers: 'datetime', 'asctime' or 'iso8601'."
|
|
.IP "Other transformers for timestamps are 's', 'ms', 'us' and 'ns' for seconds, milliseconds, microseconds and nanoseconds."
|
|
.IP "Python's strftime directives can also be used as tranformers (a, A, b, B, c, d, H, I, j, m, M, p, S, U, w, W, x, X, y, Y, Z)."
|
|
.IP "Some keywords map to user data that could be anonymized by using the transformer 'anonymized'."
|
|
.IP "Keywords availables are:"
|
|
.PD 0
|
|
.RS 7
|
|
.IP "client_ip (anonymizable)"
|
|
.IP "remote_addr (anonymizable)"
|
|
.IP "method (request method)"
|
|
.IP "path (anonymizable)"
|
|
.IP "protocol"
|
|
.IP "status_int"
|
|
.IP "referer (anonymizable)"
|
|
.IP "user_agent (anonymizable)"
|
|
.IP "auth_token"
|
|
.IP "bytes_recvd (number of bytes received)"
|
|
.IP "bytes_sent (number of bytes sent)"
|
|
.IP "client_etag (anonymizable)"
|
|
.IP "transaction_id"
|
|
.IP "headers (anonymizable)"
|
|
.IP "request_time (difference between start and end timestamps)
|
|
.IP "source"
|
|
.IP "log_info"
|
|
.IP "start_time (timestamp at the receiving, timestamp)"
|
|
.IP "end_time (timestamp at the end of the treatment, timestamp)"
|
|
.IP "policy_index"
|
|
.IP "account (account name, anonymizable)"
|
|
.IP "container (container name, anonymizable)"
|
|
.IP "object (object name, anonymizable)"
|
|
.PD
|
|
.RE
|
|
|
|
.IP "Example: '{client_ip.anonymized} {remote_addr.anonymized} {start_time.iso8601} {end_time.H}:{end_time.M} {method} acc:{account} cnt:{container} obj:{object.anonymized}'"
|
|
.IP "Default: '{client_ip} {remote_addr} {end_time.datetime} {method} {path} {protocol} {status_int} {referer} {user_agent} {auth_token} {bytes_recvd} {bytes_sent} {client_etag} {transaction_id} {headers} {request_time} {source} {log_info} {start_time} {end_time} {policy_index}'"
|
|
.IP "Warning: A bad log message template will raise an error in initialization."
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:bulk]\fR"
|
|
.RE
|
|
|
|
Note: Put before both ratelimit and auth in the pipeline.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the bulk middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#bulk\fR.
|
|
.IP \fBmax_containers_per_extraction\fR
|
|
The default is 10000.
|
|
.IP \fBmax_failed_extractions\fR
|
|
The default is 1000.
|
|
.IP \fBmax_deletes_per_request\fR
|
|
The default is 10000.
|
|
.IP \fBmax_failed_deletes\fR
|
|
The default is 1000.
|
|
|
|
In order to keep a connection active during a potentially long bulk request,
|
|
Swift may return whitespace prepended to the actual response body. This
|
|
whitespace will be yielded no more than every yield_frequency seconds.
|
|
The default is 10.
|
|
.IP \fByield_frequency\fR
|
|
|
|
.IP \fBdelete_container_retry_count\fR
|
|
Note: This parameter is used during a bulk delete of objects and
|
|
their container. This would frequently fail because it is very likely
|
|
that all replicated objects have not been deleted by the time the middleware got a
|
|
successful response. It can be configured the number of retries. And the
|
|
number of seconds to wait between each retry will be 1.5**retry
|
|
The default is 0.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:slo]\fR"
|
|
.RE
|
|
|
|
Note: Put after auth and staticweb in the pipeline.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the slo middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#slo\fR.
|
|
.IP \fBmax_manifest_segments\fR
|
|
The default is 1000.
|
|
.IP \fBmax_manifest_size\fR
|
|
The default is 2097152.
|
|
.IP \fBmin_segment_size\fR
|
|
The default is 1048576
|
|
.IP \fBrate_limit_after_segment\fR
|
|
Start rate-limiting object segments after the Nth segment of a segmented
|
|
object. The default is 10 segments.
|
|
.IP \fBrate_limit_segments_per_sec\fR
|
|
Once segment rate-limiting kicks in for an object, limit segments served to N
|
|
per second. The default is 1.
|
|
.IP \fBmax_get_time\fR
|
|
Time limit on GET requests (seconds). The default is 86400.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:dlo]\fR"
|
|
.RE
|
|
|
|
Note: Put after auth and staticweb in the pipeline.
|
|
If you don't put it in the pipeline, it will be inserted for you.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the dlo middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#dlo\fR.
|
|
.IP \fBrate_limit_after_segment\fR
|
|
Start rate-limiting object segments after the Nth segment of a segmented
|
|
object. The default is 10 segments.
|
|
.IP \fBrate_limit_segments_per_sec\fR
|
|
Once segment rate-limiting kicks in for an object, limit segments served to N
|
|
per second. The default is 1.
|
|
.IP \fBmax_get_time\fR
|
|
Time limit on GET requests (seconds). The default is 86400.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:container-quotas]\fR"
|
|
.RE
|
|
|
|
Note: Put after auth in the pipeline.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the container_quotas middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#container_quotas\fR.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:account-quotas]\fR"
|
|
.RE
|
|
|
|
Note: Put after auth in the pipeline.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the account_quotas middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#account_quotas\fR.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:gatekeeper]\fR"
|
|
.RE
|
|
|
|
Note: this middleware requires python-dnspython
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the gatekeeper middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#gatekeeper\fR.
|
|
.IP "\fBset log_name\fR"
|
|
Label used when logging. The default is gatekeeper.
|
|
.IP "\fBset log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBset log_level\fR "
|
|
Logging level. The default is INFO.
|
|
.IP "\fBset log_address\fR"
|
|
Logging address. The default is /dev/log.
|
|
.IP "\fBset log_headers\fR"
|
|
Enables the ability to log request headers. The default is False.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:container_sync]\fR"
|
|
.RE
|
|
|
|
Note: this middleware requires python-dnspython
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the container_sync middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#container_sync\fR.
|
|
.IP \fBallow_full_urls\fR
|
|
Set this to false if you want to disallow any full URL values to be set for
|
|
any new X-Container-Sync-To headers. This will keep any new full urls from
|
|
coming in, but won't change any existing values already in the cluster.
|
|
Updating those will have to be done manually, as knowing what the true realm
|
|
endpoint should be cannot always be guessed. The default is true.
|
|
.IP \fBcurrent\fR
|
|
Set this to specify this clusters //realm/cluster as "current" in /info
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:xprofile]\fR"
|
|
.RE
|
|
|
|
Note: Put it at the beginning of the pipeline to profile all middleware. But it is safer to put this after healthcheck.
|
|
|
|
.RS 3
|
|
.IP "\fBuse\fR"
|
|
Entry point for paste.deploy for the xprofile middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#xprofile\fR.
|
|
.IP "\fBprofile_module\fR"
|
|
This option enable you to switch profilers which should inherit from python
|
|
standard profiler. Currently the supported value can be 'cProfile', 'eventlet.green.profile' etc.
|
|
.IP "\fBlog_filename_prefix\fR"
|
|
This prefix will be used to combine process ID and timestamp to name the
|
|
profile data file. Make sure the executing user has permission to write
|
|
into this path (missing path segments will be created, if necessary).
|
|
If you enable profiling in more than one type of daemon, you must override
|
|
it with an unique value like, the default is /var/log/swift/profile/account.profile.
|
|
.IP "\fBdump_interval\fR"
|
|
The profile data will be dumped to local disk based on above naming rule
|
|
in this interval. The default is 5.0.
|
|
.IP "\fBdump_timestamp\fR"
|
|
Be careful, this option will enable profiler to dump data into the file with
|
|
time stamp which means there will be lots of files piled up in the directory.
|
|
The default is false
|
|
.IP "\fBpath\fR"
|
|
This is the path of the URL to access the mini web UI. The default is __profile__.
|
|
.IP "\fBflush_at_shutdown\fR"
|
|
Clear the data when the wsgi server shutdown. The default is false.
|
|
.IP "\fBunwind\fR"
|
|
Unwind the iterator of applications. Default is false.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.RS 0
|
|
.IP "\fB[filter:versioned_writes]\fR"
|
|
.RE
|
|
|
|
Note: Put after slo, dlo in the pipeline.
|
|
If you don't put it in the pipeline, it will be inserted automatically.
|
|
|
|
.RS 3
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the versioned_writes middleware. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#versioned_writes\fR.
|
|
.IP \fBallow_versioned_writes\fR
|
|
Enables using versioned writes middleware and exposing configuration settings via HTTP GET /info.
|
|
WARNING: Setting this option bypasses the "allow_versions" option
|
|
in the container configuration file, which will be eventually
|
|
deprecated. See documentation for more details.
|
|
.RE
|
|
.PD
|
|
|
|
|
|
.SH APP SECTION
|
|
.PD 1
|
|
.RS 0
|
|
This is indicated by section name [app:proxy-server]. Below are the parameters
|
|
that are acceptable within this section.
|
|
.IP \fBuse\fR
|
|
Entry point for paste.deploy for the proxy server. This is the reference to the installed python egg.
|
|
This is normally \fBegg:swift#proxy\fR.
|
|
.IP "\fBset log_name\fR"
|
|
Label used when logging. The default is proxy-server.
|
|
.IP "\fBset log_facility\fR"
|
|
Syslog log facility. The default is LOG_LOCAL0.
|
|
.IP "\fBset log_level\fR"
|
|
Logging level. The default is INFO.
|
|
.IP "\fBset log_address\fR"
|
|
Logging address. The default is /dev/log.
|
|
.IP \fBlog_handoffs\fR
|
|
Log when handoff locations are used. Default is True.
|
|
.IP \fBrecheck_account_existence\fR
|
|
Cache timeout in seconds to send memcached for account existence. The default is 60 seconds.
|
|
.IP \fBrecheck_container_existence\fR
|
|
Cache timeout in seconds to send memcached for container existence. The default is 60 seconds.
|
|
.IP \fBobject_chunk_size\fR
|
|
Chunk size to read from object servers. The default is 65536.
|
|
.IP \fBclient_chunk_size\fR
|
|
Chunk size to read from clients. The default is 65536.
|
|
.IP \fBnode_timeout\fR
|
|
Request timeout to external services. The default is 10 seconds.
|
|
.IP \fBrecoverable_node_timeout\fR
|
|
How long the proxy server will wait for an initial response and to read a
|
|
chunk of data from the object servers while serving GET / HEAD requests.
|
|
Timeouts from these requests can be recovered from so setting this to
|
|
something lower than node_timeout would provide quicker error recovery
|
|
while allowing for a longer timeout for non-recoverable requests (PUTs).
|
|
Defaults to node_timeout, should be overridden if node_timeout is set to a
|
|
high number to prevent client timeouts from firing before the proxy server
|
|
has a chance to retry.
|
|
.IP \fBconn_timeout\fR
|
|
Connection timeout to external services. The default is 0.5 seconds.
|
|
.IP \fBpost_quorum_timeout\fR
|
|
How long to wait for requests to finish after a quorum has been established. The default is 0.5 seconds.
|
|
.IP \fBerror_suppression_interval\fR
|
|
Time in seconds that must elapse since the last error for a node to
|
|
be considered no longer error limited. The default is 60 seconds.
|
|
.IP \fBerror_suppression_limit\fR
|
|
Error count to consider a node error limited. The default is 10.
|
|
.IP \fBallow_account_management\fR
|
|
Whether account PUTs and DELETEs are even callable. If set to 'true' any authorized
|
|
user may create and delete accounts; if 'false' no one, even authorized, can. The default
|
|
is false.
|
|
.IP \fBaccount_autocreate\fR
|
|
If set to 'true' authorized accounts that do not yet exist within the Swift cluster
|
|
will be automatically created. The default is set to false.
|
|
.IP \fBauto_create_account_prefix\fR
|
|
Prefix used when automatically creating accounts. The default is '.'.
|
|
.IP \fBmax_containers_per_account\fR
|
|
If set to a positive value, trying to create a container when the account
|
|
already has at least this maximum containers will result in a 403 Forbidden.
|
|
Note: This is a soft limit, meaning a user might exceed the cap for
|
|
recheck_account_existence before the 403s kick in.
|
|
.IP \fBmax_containers_whitelist\fR
|
|
This is a comma separated list of account hashes that ignore the max_containers_per_account cap.
|
|
.IP \fBdeny_host_headers\fR
|
|
Comma separated list of Host headers to which the proxy will deny requests. The default is empty.
|
|
.IP \fBput_queue_depth\fR
|
|
Depth of the proxy put queue. The default is 10.
|
|
.IP \fBsorting_method\fR
|
|
Storage nodes can be chosen at random (shuffle - default), by using timing
|
|
measurements (timing), or by using an explicit match (affinity).
|
|
Using timing measurements may allow for lower overall latency, while
|
|
using affinity allows for finer control. In both the timing and
|
|
affinity cases, equally-sorting nodes are still randomly chosen to
|
|
spread load.
|
|
The valid values for sorting_method are "affinity", "shuffle", and "timing".
|
|
.IP \fBtiming_expiry\fR
|
|
If the "timing" sorting_method is used, the timings will only be valid for
|
|
the number of seconds configured by timing_expiry. The default is 300.
|
|
.IP \fBconcurrent_gets\fR
|
|
If "on" then use replica count number of threads concurrently during a GET/HEAD
|
|
and return with the first successful response. In the EC case, this parameter
|
|
only affects an EC HEAD as an EC GET behaves differently. Default is "off".
|
|
.IP \fBconcurrency_timeout\fR
|
|
This parameter controls how long to wait before firing off the next
|
|
concurrent_get thread. A value of 0 would we fully concurrent, any other number
|
|
will stagger the firing of the threads. This number should be between 0 and
|
|
node_timeout. The default is the value of conn_timeout (0.5).
|
|
.IP \fBrequest_node_count\fR
|
|
Set to the number of nodes to contact for a normal request. You can use '* replicas'
|
|
at the end to have it use the number given times the number of
|
|
replicas for the ring being used for the request. The default is '2 * replicas'.
|
|
.IP \fBread_affinity\fR
|
|
Specifies which backend servers to prefer on reads. Format is a comma
|
|
separated list of affinity descriptors of the form <selection>=<priority>.
|
|
The <selection> may be r<N> for selecting nodes in region N or r<N>z<M> for
|
|
selecting nodes in region N, zone M. The <priority> value should be a whole
|
|
number that represents the priority to be given to the selection; lower numbers
|
|
are higher priority. Default is empty, meaning no preference.
|
|
|
|
Example: first read from region 1 zone 1, then region 1 zone 2, then anything
|
|
in region 2, then everything else:
|
|
|
|
.PD 0
|
|
.RS 10
|
|
.IP "read_affinity = r1z1=100, r1z2=200, r2=300"
|
|
.RE
|
|
.PD
|
|
.IP \fBwrite_affinity\fR
|
|
Specifies which backend servers to prefer on writes. Format is a comma
|
|
separated list of affinity descriptors of the form r<N> for region N or
|
|
r<N>z<M> for region N, zone M. If this is set, then when handling an object
|
|
PUT request, some number (see setting write_affinity_node_count) of local
|
|
backend servers will be tried before any nonlocal ones. Default is empty,
|
|
meaning no preference.
|
|
|
|
Example: try to write to regions 1 and 2 before writing to any other
|
|
nodes:
|
|
|
|
.PD 0
|
|
.RS 10
|
|
write_affinity = r1, r2
|
|
.RE
|
|
.PD
|
|
.IP \fBwrite_affinity_node_count\fR
|
|
The number of local (as governed by the write_affinity setting) nodes to
|
|
attempt to contact first on writes, before any non-local ones. The value
|
|
should be an integer number, or use '* replicas' at the end to have it use
|
|
the number given times the number of replicas for the ring being used for the
|
|
request. The default is '2 * replicas'.
|
|
.IP \fBswift_owner_headers\fR
|
|
These are the headers whose values will only be shown to swift_owners. The
|
|
exact definition of a swift_owner is up to the auth system in use, but
|
|
usually indicates administrative responsibilities.
|
|
The default is 'x-container-read, x-container-write, x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-container-meta-temp-url-key, x-container-meta-temp-url-key-2, x-account-access-control'.
|
|
.IP \fBrate_limit_after_segment\fR
|
|
Start rate-limiting object segments after the Nth segment of a segmented
|
|
object. The default is 10 segments.
|
|
.IP \fBrate_limit_segments_per_sec\fR
|
|
Once segment rate-limiting kicks in for an object, limit segments served to N
|
|
per second. The default is 1.
|
|
.IP \fBnice_priority\fR
|
|
Modify scheduling priority of server processes. Niceness values range from -20
|
|
(most favorable to the process) to 19 (least favorable to the process).
|
|
The default does not modify priority.
|
|
.IP \fBionice_class\fR
|
|
Modify I/O scheduling class of server processes. I/O niceness class values
|
|
are IOPRIO_CLASS_RT (realtime), IOPRIO_CLASS_BE (best-effort) and IOPRIO_CLASS_IDLE (idle).
|
|
The default does not modify class and priority.
|
|
Work only with ionice_priority.
|
|
.IP \fBionice_priority\fR
|
|
Modify I/O scheduling priority of server processes. I/O niceness priority
|
|
is a number which goes from 0 to 7. The higher the value, the lower
|
|
the I/O priority of the process. Work only with ionice_class.
|
|
Ignored if IOPRIO_CLASS_IDLE is set.
|
|
.RE
|
|
.PD
|
|
|
|
.SH DOCUMENTATION
|
|
.LP
|
|
More in depth documentation about the swift-proxy-server and
|
|
also OpenStack Swift as a whole can be found at
|
|
.BI https://docs.openstack.org/swift/latest/admin_guide.html
|
|
and
|
|
.BI https://docs.openstack.org/swift/latest/
|
|
|
|
.SH "SEE ALSO"
|
|
.BR swift-proxy-server(1)
|