ApiSix配置详解

ApiSix配置详解

背景介绍

ApiSix官方介绍
ApiSix安装

配置详情

在centos上使用yum命令安装apisix之后, /usr/local 下会出现apisix的文件夹
apisix基于Nginx做反向代理, 因此apisix的配置最终会被渲染为nginx配置
apisix的配置文件在/usr/local/apisix/conf/config.yaml

以下是一个标准的apisix yaml配置, 笔者将相关配置的说明写在各行的注释中。注意: 其中admin_key和key_encrypt_salt的取值已随本文公开, 实际部署前必须更换。

# Core APISIX settings: listener port, Admin API exposure and credentials,
# proxy cache, routing, DNS resolution and TLS.
apisix:
  node_listen: 9080              # port APISIX listens on
  enable_admin: true             # whether the Admin API is enabled
  # NOTE(review): enable CORS on the Admin API only if a browser-based console
  # really needs it; otherwise leaving it off narrows who can call the API.
  enable_admin_cors: true         # allow CORS access
  enable_debug: false             # debug mode
  enable_dev_mode: false          # when true, nginx starts only one worker process
  enable_reuseport: true          # when true, nginx is configured with SO_REUSEPORT
  enable_ipv6: true               # IPv6
  config_center: etcd             # etcd: use etcd to synchronise configuration
                                  # yaml: read `/usr/local/apisix/conf/apisix.yaml` to synchronise configuration

  #proxy_protocol:                 # Proxy protocol configuration; not covered in detail here
  #  listen_http_port: 9181        # The port with proxy protocol for http, it differs from node_listen and port_admin.
                                   # This port can only receive http request with proxy protocol, but node_listen & port_admin
                                   # can only receive http request. If you enable proxy protocol, you must use this port to
                                   # receive http request with proxy protocol
  #  listen_https_port: 9182       # The port with proxy protocol for https
  #  enable_tcp_pp: true           # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option
  #  enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server

  proxy_cache:                     # Proxy Caching configuration
    cache_ttl: 10s                 # The default caching time if the upstream does not specify the cache time
    zones:                         # The parameters of a cache
    - name: disk_cache_one         # The name of the cache; the administrator can select
                                   # which cache to use by name in the admin api
      memory_size: 50m             # The size of shared memory, it's used to store the cache index
      disk_size: 1G                # The size of disk, it's used to store the cache data
      # NOTE(review): /tmp is normally writable by every local user; a dedicated
      # directory owned by the APISIX user is presumably a safer home for cached
      # responses - confirm for your host.
      disk_path: "/tmp/disk_cache_one" # The path to store the cache data
      cache_levels: "1:2"           # The hierarchy levels of a cache
  #  - name: disk_cache_two
  #    memory_size: 50m
  #    disk_size: 1G
  #    disk_path: "/tmp/disk_cache_two"
  #    cache_levels: "1:2"

  # Source addresses allowed to reach the Admin API.
  # NOTE(review): 192.168.0.0/16 admits every host in that private range; narrow
  # it to the machines that actually administer APISIX. Do not rely on the
  # empty-list behaviour described below - the author could not reproduce it.
  allow_admin:                  # see http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 192.168.0.0/16              # if the list is empty, every IP is accepted (this failed in the author's test)
    - 127.0.0.0/16

  #   - "::/64"               # IPv6 entry
  # port_admin: 9180              # use a separate port
  # https_admin: true             # serve the Admin API over HTTPS; by default APISIX reads conf/apisix_admin_api.crt and conf/apisix_admin_api.key as the certificate and key.
  # NOTE(review): with port_admin and https_admin commented out and the paths
  # below empty, the Admin API is presumably served without TLS or client
  # certificates - confirm, and enable them when the API is reachable off-host.
  admin_api_mtls:               # the settings below relate to port_admin and https_admin
    admin_ssl_cert: ""             # path to the self-signed server certificate
    admin_ssl_cert_key: ""         # path to the self-signed server key
    admin_ssl_ca_cert: ""          # path to the self-signed CA certificate; the CA signs the certificates of all Admin API callers

  # Default tokens used by the Admin API.
  # Note: to protect the Admin API, changing these values is strongly recommended.
  # Disabling this setting means the Admin API requires no authentication.
  # NOTE(review): both key values below are printed in this article, so treat
  # them as public. Generate a fresh random value per deployment and keep the
  # real config file out of version control.
  admin_key:
    -
      name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin                 # admin: manage all configuration data
                                  # viewer: can only view all configuration data
    -
      name: "viewer"
      key: 4054f7cf07e344346cd3f287985e76a2
      role: viewer

  delete_uri_tail_slash: false    # delete the '/' at the end of the URI
  router:
    http: 'radixtree_uri'         # radixtree_uri: radix-tree match on the URI
                                  # radixtree_host_uri: radix-tree match on URI + host
    ssl: 'radixtree_sni'          # radixtree_sni: radix-tree match on the SNI
  # stream_proxy:                 # TCP/UDP proxy; not covered in detail here
  #   tcp:                        # TCP proxy port list
  #     - 9100
  #     - 9101
  #   udp:                        # UDP proxy port list
  #     - 9200
  #     - 9211
  # dns_resolver:                   # If not set, read from `/etc/resolv.conf`
  #  - 1.1.1.1
  #  - 8.8.8.8
  dns_resolver_valid: 30          # DNS results stay valid for 30s
  resolver_timeout: 5             # resolution timeout
  # TLS listener. Only TLS 1.2 and 1.3 are enabled, and every suite in
  # ssl_ciphers is an ECDHE/DHE key exchange with AES-GCM or CHACHA20-POLY1305.
  ssl:
    enable: true
    enable_http2: true
    listen_port: 9443
    ssl_protocols: "TLSv1.2 TLSv1.3"
    ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    # NOTE(review): the salt value below is printed in this article, so it is
    # public. Pick your own 16-character value before the first certificate is
    # saved; it cannot be changed afterwards (see the warning below).
    key_encrypt_salt: "edd1c9f0985e76a2"    #  if unset, the original SSL key is saved to etcd as-is
                                            #  if set, it must be a 16-character string; it is used to encrypt the SSL key with AES-128-CBC
                                            #  !!! never change it after SSL data has been saved, or the stored SSL keys can no longer be decrypted !!
#  discovery: eureka               # service discovery centre
# Values used to render the generated nginx configuration: logging, worker
# limits, client timeouts and real-client-IP handling.
nginx_config:                     # configuration used to render the nginx_config.conf template
  error_log: "logs/error.log"
  error_log_level: "warn"         # possible values include warn, error
  worker_rlimit_nofile: 20480     # number of files each worker process may open; should be larger than worker_connections
  worker_shutdown_timeout: 240s     # timeout for gracefully shutting down a worker process
  event:
    worker_connections: 10620
  http:
    access_log: "logs/access.log"
    keepalive_timeout: 60s         # how long a keep-alive client connection stays open on the server side
    client_header_timeout: 60s     # timeout for reading the client request header; on timeout, 408 is returned to the client
    client_body_timeout: 60s       # timeout for reading the client request body; on timeout, 408 is returned to the client
    send_timeout: 10s              # timeout for sending the response to the client; the connection is closed once it expires
    underscores_in_headers: "on"   # underscores in request header names are allowed by default
    # NOTE(review): every address under real_ip_from is trusted to supply the
    # client address in the real_ip_header. List only proxies you operate; a
    # wider entry lets a client choose the IP seen by logs and IP-based plugins.
    real_ip_header: "X-Real-IP"    # see http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
    real_ip_from:                  # see http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
      - 127.0.0.1
      - 'unix:'
    #lua_shared_dicts:              # add custom shared caches to nginx.conf; the format is `cache-key: cache-size`
    #  ipc_shared_dict: 100m

# Connection to the etcd cluster that stores the APISIX configuration.
# NOTE(review): as written, the endpoint is plain http and user/password are
# commented out, so the link is unencrypted and unauthenticated. That is only
# reasonable while etcd listens on loopback; for a remote etcd, enable etcd
# authentication and TLS.
etcd:
  host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
    - "http://127.0.0.1:2379"     # multiple etcd address
  prefix: "/apisix"               # apisix configurations prefix
  timeout: 30                     # 30 seconds
  # NOTE(review): the password on the commented line below is a published
  # sample value; never reuse it for a real etcd account.
  # user: root                     # root username for etcd
  # password: 5tHkHhYkjr6cQY        # root password for etcd
#eureka:
#  host:                           # multiple eureka addresses of the same eureka cluster can be defined
#    - "http://127.0.0.1:8761"
#  prefix: "/eureka/"
#  fetch_interval: 30              # default fetch interval: 30 seconds
#  weight: 100                     # default weight: 100
#  timeout:
#    connect: 2000                 # default 2000ms
#    send: 2000                    # default 2000ms
#    read: 5000                    # default 5000ms

# NOTE(review): keep only the plugins the deployment actually uses; every
# entry is extra code reachable through route configuration.
# serverless-pre-function / serverless-post-function, as I understand them,
# run Lua supplied through that configuration - confirm, and drop them if
# unused. example-plugin and echo are presumably sample plugins - confirm
# before leaving them enabled in production.
plugins:                          # list of plugins APISIX may use
  - example-plugin
  - limit-req
  - limit-count
  - limit-conn
  - key-auth
  - basic-auth
  - prometheus
  - node-status
  - jwt-auth
  - zipkin
  - ip-restriction
  - grpc-transcode
  - serverless-pre-function
  - serverless-post-function
  - openid-connect
  - proxy-rewrite
  - redirect
  - response-rewrite
  - fault-injection
  - udp-logger
  - wolf-rbac
  - proxy-cache
  - tcp-logger
  - proxy-mirror
  - kafka-logger
  - cors
  - consumer-restriction
  - syslog
  - batch-requests
  - http-logger
  - skywalking
  - echo
  - authz-keycloak
  - uri-blocker
  - request-validation

stream_plugins:                   # stream plugins APISIX may use
  - mqtt-proxy

更改配置完成之后使用命令 apisix reload 使配置生效, 或者apisix stop; apisix start 重新启动apisix
