背景介绍
配置详情
在centos上使用yum命令安装apisix之后, /usr/local
下会出现apisix的文件夹
apisix基于Nginx实现反向代理, 因而apisix的配置最终会被渲染为nginx配置
apisix的配置文件在/usr/local/apisix/conf/config.yaml
以下是一个标准的apisix yaml配置, 笔者将相关配置详解写在注释后
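# Core APISIX settings. The nesting below was flattened in the source listing
# and is restored here; values are unchanged apart from defensive quoting.
apisix:
  node_listen: 9080                # port APISIX listens on
  enable_admin: true               # whether the Admin API is enabled
  enable_admin_cors: true          # allow CORS access
  enable_debug: false              # debug mode
  enable_dev_mode: false           # when true, nginx starts only one worker process
  enable_reuseport: true           # when true, the nginx config enables SO_REUSEPORT
  enable_ipv6: true                # IPv6
  config_center: etcd              # etcd: use etcd for configuration sync
                                   # yaml: read `/usr/local/apisix/conf/apisix.yaml` to sync configuration

  # proxy_protocol:                # proxy protocol settings, not explained in detail here
  #   listen_http_port: 9181       # The port with proxy protocol for http, it differs from node_listen and port_admin.
  #                                # This port can only receive http request with proxy protocol, but node_listen & port_admin
  #                                # can only receive http request. If you enable proxy protocol, you must use this port to
  #                                # receive http request with proxy protocol
  #   listen_https_port: 9182      # The port with proxy protocol for https
  #   enable_tcp_pp: true          # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option
  #   enable_tcp_pp_to_upstream: true  # Enables the proxy protocol to the upstream server

  proxy_cache:                     # Proxy Caching configuration
    cache_ttl: 10s                 # The default caching time if the upstream does not specify the cache time
    zones:                         # The parameters of a cache
      - name: disk_cache_one       # The name of the cache; the administrator can specify
                                   # which cache to use by name in the admin api
        memory_size: 50m           # The size of shared memory, it's used to store the cache index
        disk_size: 1G              # The size of disk, it's used to store the cache data
        # NOTE(review): /tmp is a shared, usually world-writable location; cached
        # upstream responses are better kept in a directory owned by the APISIX user.
        disk_path: "/tmp/disk_cache_one"  # The path to store the cache data
        cache_levels: "1:2"        # The hierarchy levels of a cache
      # - name: disk_cache_two
      #   memory_size: 50m
      #   disk_size: 1G
      #   disk_path: "/tmp/disk_cache_two"
      #   cache_levels: "1:2"

  # Source addresses allowed to call the Admin API.
  # See http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
  # NOTE(review): 192.168.0.0/16 admits every host in that private range; narrow
  # it to the management hosts that actually need the Admin API.
  allow_admin:
    - "192.168.0.0/16"             # if the list is empty every IP is accepted (the author's test of this failed)
    - "127.0.0.0/16"
    # - "::/64"                    # IPv6 entry
  # port_admin: 9180               # use a separate port
  # https_admin: true              # serve the Admin API over https; by default APISIX reads
  #                                # conf/apisix_admin_api.crt and conf/apisix_admin_api.key as the certificate

  admin_api_mtls:                  # the settings below relate to port_admin and https_admin
    admin_ssl_cert: ""             # path to the self-signed server certificate
    admin_ssl_cert_key: ""         # path to the self-signed server key
    admin_ssl_ca_cert: ""          # path to the self-signed CA certificate; the CA signs the
                                   # certificates of all Admin API callers

  # Default tokens used for the Admin API.
  # Note: to protect the Admin API, changing these values is strongly recommended.
  # Disabling this setting means the Admin API needs no authentication at all.
  # NOTE(review): the two key values below are the defaults described above, so
  # they are publicly known. Treat them as placeholders and replace both with
  # freshly generated random values before the Admin API is reachable by anyone.
  admin_key:
    - name: "admin"
      key: "edd1c9f034335f136f87ad84b625c8f1"
      role: admin                  # admin: manage all configuration data
                                   # viewer: can only view all configuration data
    - name: "viewer"
      key: "4054f7cf07e344346cd3f287985e76a2"
      role: viewer

  delete_uri_tail_slash: false     # delete the '/' at the end of the URI
  router:
    http: 'radixtree_uri'          # radixtree_uri: URI matching based on a radix tree
                                   # radixtree_host_uri: host + URI matching based on a radix tree
    ssl: 'radixtree_sni'           # radixtree_sni: SNI matching based on a radix tree

  # stream_proxy:                  # TCP/UDP proxy, not covered in detail here
  #   tcp:                         # TCP proxy port list
  #     - 9100
  #     - 9101
  #   udp:                         # UDP proxy port list
  #     - 9200
  #     - 9211
  # dns_resolver:                  # If not set, read from `/etc/resolv.conf`
  #   - 1.1.1.1
  #   - 8.8.8.8
  dns_resolver_valid: 30           # DNS results stay valid for 30s
  resolver_timeout: 5              # resolution timeout

  ssl:
    enable: true
    enable_http2: true
    listen_port: 9443
    ssl_protocols: "TLSv1.2 TLSv1.3"
    ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    # If unset, the original ssl key is stored in etcd as-is.
    # If set, it must be a string of length 16; it is used to encrypt the ssl
    # key with AES-128-CBC.
    # !!! Never change it after ssl objects have been saved, otherwise the
    # stored ssl keys can no longer be decrypted !!!
    # NOTE(review): because it cannot be rotated later, replace this sample
    # value with a deployment-specific random 16-character string before the
    # first certificate is stored.
    key_encrypt_salt: "edd1c9f0985e76a2"

# discovery: eureka                # service discovery center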
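# Settings used to render the nginx_config.conf template.
# The nesting was flattened in the source listing and is restored here.
nginx_config:
  error_log: "logs/error.log"
  error_log_level: "warn"          # accepted values: warn, error
  worker_rlimit_nofile: 20480      # number of files each worker process may open;
                                   # should be greater than worker_connections
  worker_shutdown_timeout: 240s    # timeout for gracefully shutting down worker processes
  event:
    worker_connections: 10620
  http:
    access_log: "logs/access.log"
    keepalive_timeout: 60s         # how long a keep-alive client connection is kept open on the server side
    client_header_timeout: 60s     # timeout for reading the client request header; on timeout 408 is returned
    client_body_timeout: 60s       # timeout for reading the client request body; on timeout 408 is returned
    send_timeout: 10s              # timeout for sending the response to the client; the connection is closed afterwards
    underscores_in_headers: "on"   # underscores in request headers are allowed by default
    real_ip_header: "X-Real-IP"    # see http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
    # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
    # NOTE(review): every peer listed here is trusted to state the client address
    # through the header above, which logging and IP-based plugins then rely on.
    # Add only the front proxies that really sit before APISIX.
    real_ip_from:
      - 127.0.0.1
      - 'unix:'
    # lua_shared_dicts:            # add custom shared caches to nginx.conf; the format of a
    #                              # custom shared cache is `cache-key: cache-size`
    #   ipc_shared_dict: 100m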
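# Connection to the etcd cluster that holds the APISIX configuration.
# NOTE(review): as written the endpoint is plain http and the user/password
# lines are commented out, so etcd is reached without TLS or credentials.
# That is only reasonable while etcd listens on loopback; anyone who can write
# under the prefix below can change what the gateway serves. Confirm etcd is
# not reachable from other hosts, or enable authentication and TLS on it.
etcd:
  host:                            # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
    - "http://127.0.0.1:2379"      # multiple etcd address
  prefix: "/apisix"                # apisix configurations prefix
  timeout: 30                      # 30 seconds
  # user: root                     # root username for etcd
  # password: 5tHkHhYkjr6cQY       # root password for etcd (sample value; keep real
  #                                # credentials out of files that get published or committed)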
# Commented-out eureka service discovery settings.
#eureka:
#  host:                           # several eureka addresses of the same eureka cluster may be defined
#    - "http://127.0.0.1:8761"
#  prefix: "/eureka/"
#  fetch_interval: 30              # default fetch interval: 30 seconds
#  weight: 100                     # default weight: 100
#  timeout:
#    connect: 2000                 # default 2000ms
#    send: 2000                    # default 2000ms
#    read: 5000                    # default 5000ms
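# List of plugins APISIX may use.
# NOTE(review): this is the full list from the sample; trim it to the plugins a
# deployment actually uses. In particular:
#   - example-plugin is presumably a sample and not needed in production;
#   - serverless-pre-function / serverless-post-function run Lua taken from
#     route configuration, so while they are listed, write access to the Admin
#     API or to etcd amounts to running code inside the gateway.
plugins:
  - example-plugin
  - limit-req
  - limit-count
  - limit-conn
  - key-auth
  - basic-auth
  - prometheus
  - node-status
  - jwt-auth
  - zipkin
  - ip-restriction
  - grpc-transcode
  - serverless-pre-function
  - serverless-post-function
  - openid-connect
  - proxy-rewrite
  - redirect
  - response-rewrite
  - fault-injection
  - udp-logger
  - wolf-rbac
  - proxy-cache
  - tcp-logger
  - proxy-mirror
  - kafka-logger
  - cors
  - consumer-restriction
  - syslog
  - batch-requests
  - http-logger
  - skywalking
  - echo
  - authz-keycloak
  - uri-blocker
  - request-validation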
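# Stream plugins APISIX may use (list item indentation restored).
stream_plugins:
  - mqtt-proxy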
更改配置完成之后使用命令 apisix reload
使配置生效, 或者apisix stop; apisix start
重新启动apisix