Liberty

 Proxy server configuration

Find an example proxy server configuration at etc/proxy-server.conf-sample in the source code repository.

The available configuration options are:

Table 11.47. Description of configuration options for [DEFAULT] in proxy-server.conf
Configuration option = Default value Description
admin_key = secret_admin_key Key to use for admin calls that are HMAC signed. Default is empty, which will disable admin calls to /info.
backlog = 4096 Maximum number of allowed pending TCP connections
bind_ip = 0.0.0.0 IP Address for server to bind to
bind_port = 8080 Port for server to bind to
bind_timeout = 30 Seconds to attempt bind before giving up
cert_file = /etc/swift/proxy.crt Path to the ssl .crt. This should be enabled for testing purposes only.
client_timeout = 60 Timeout to read one chunk from a client
cors_allow_origin = This is a list of hosts that are included with any CORS request by default and returned with the Access-Control-Allow-Origin header in addition to what the container has set.
disallowed_sections = swift.valid_api_versions, container_quotas, tempurl No help text available for this option.
eventlet_debug = false If true, turn on debug logging for eventlet
expiring_objects_account_name = expiring_objects No help text available for this option.
expiring_objects_container_divisor = 86400 No help text available for this option.
expose_info = true Enables exposing configuration settings via HTTP GET /info.
key_file = /etc/swift/proxy.key Path to the ssl .key. This should be enabled for testing purposes only.
log_address = /dev/log Location where syslog sends the logs to
log_custom_handlers = Comma-separated list of functions to call to setup custom log handlers.
log_facility = LOG_LOCAL0 Syslog log facility
log_headers = false No help text available for this option.
log_level = INFO Logging level
log_max_line_length = 0 Caps the length of log lines to the value given; no limit if set to 0, the default.
log_name = swift Label used when logging
log_statsd_default_sample_rate = 1.0 Defines the probability of sending a sample for any given event or timing measurement.
log_statsd_host = localhost If not set, the StatsD feature is disabled.
log_statsd_metric_prefix = Value will be prepended to every metric sent to the StatsD server.
log_statsd_port = 8125 Port value for the StatsD server.
log_statsd_sample_rate_factor = 1.0 Not recommended to set this to a value less than 1.0; if the frequency of logging is too high, tune log_statsd_default_sample_rate instead.
log_udp_host = If not set, the UDP receiver for syslog is disabled.
log_udp_port = 514 Port value for UDP receiver, if enabled.
max_clients = 1024 Maximum number of clients one worker can process simultaneously. Lowering the number of clients handled per worker, and raising the number of workers can lessen the impact that a CPU intensive, or blocking, request can have on other requests served by the same worker. If the maximum number of clients is set to one, then a given worker will not perform another call while processing, allowing other workers a chance to process it.
strict_cors_mode = True No help text available for this option.
swift_dir = /etc/swift Swift configuration directory
trans_id_suffix = No help text available for this option.
user = swift User to run as
workers = auto a much higher value, one can reduce the impact of slow file system operations in one request from negatively impacting other requests.

Table 11.48. Description of configuration options for [app-proxy-server] in proxy-server.conf
Configuration option = Default value Description
account_autocreate = false If set to 'true' authorized accounts that do not yet exist within the Swift cluster will be automatically created.
allow_account_management = false Whether account PUTs and DELETEs are even callable
auto_create_account_prefix = . Prefix to use when automatically creating accounts
client_chunk_size = 65536 Chunk size to read from clients
conn_timeout = 0.5 Connection timeout to external services
deny_host_headers = No help text available for this option.
error_suppression_interval = 60 Time in seconds that must elapse since the last error for a node to be considered no longer error limited
error_suppression_limit = 10 Error count to consider a node error limited
log_handoffs = true No help text available for this option.
max_containers_per_account = 0 If set to a positive value, trying to create a container when the account already has at least this maximum containers will result in a 403 Forbidden. Note: This is a soft limit, meaning a user might exceed the cap for recheck_account_existence before the 403s kick in.
max_containers_whitelist = This is a comma-separated list of account names that ignore the max_containers_per_account cap.
max_large_object_get_time = 86400 No help text available for this option.
node_timeout = 10 Request timeout to external services
object_chunk_size = 65536 Chunk size to read from object servers
object_post_as_copy = true Set object_post_as_copy = false to turn on fast posts where only the metadata changes are stored anew and the original data file is kept in place. This makes for quicker posts; but since the container metadata isn't updated in this mode, features like container sync won't be able to sync posts.
post_quorum_timeout = 0.5 No help text available for this option.
put_queue_depth = 10 No help text available for this option.
read_affinity = r1z1=100, r1z2=200, r2=300 No help text available for this option.
recheck_account_existence = 60 Cache timeout in seconds to send memcached for account existence
recheck_container_existence = 60 Cache timeout in seconds to send memcached for container existence
recoverable_node_timeout = node_timeout Request timeout to external services for requests that, on failure, can be recovered from. For example, object GET.
request_node_count = 2 * replicas Set to the number of nodes to contact for a normal request. You can use '* replicas' at the end to have it use the number given times the number of replicas for the ring being used for the request.
set log_address = /dev/log Location where syslog sends the logs to
set log_facility = LOG_LOCAL0 Syslog log facility
set log_level = INFO Log level
set log_name = proxy-server Label to use when logging
sorting_method = shuffle No help text available for this option.
swift_owner_headers = x-container-read, x-container-write, x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-container-meta-temp-url-key, x-container-meta-temp-url-key-2, x-account-access-control These are the headers whose values will only be shown to swift_owners. The exact definition of a swift_owner is up to the auth system in use, but usually indicates administrative responsibilities.
timing_expiry = 300 No help text available for this option.
use = egg:swift#proxy Entry point of paste.deploy in the server
write_affinity = r1, r2 This setting lets you trade data distribution for throughput. It makes the proxy server prefer local back-end servers for object PUT requests over non-local ones. Note that only object PUT requests are affected by the write_affinity setting; POST, GET, HEAD, DELETE, OPTIONS, and account/container PUT requests are not affected. The format is r<N> for region N or r<N>z<M> for region N, zone M. If this is set, then when handling an object PUT request, some number (see the write_affinity_node_count setting) of local backend servers will be tried before any nonlocal ones. Example: try to write to regions 1 and 2 before writing to any other nodes: write_affinity = r1, r2
write_affinity_node_count = 2 * replicas This setting is only useful in conjunction with write_affinity; it governs how many local object servers will be tried before falling back to non-local ones. You can use '* replicas' at the end to have it use the number given times the number of replicas for the ring being used for the request: write_affinity_node_count = 2 * replicas

Table 11.49. Description of configuration options for [pipeline-main] in proxy-server.conf
Configuration option = Default value Description
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server No help text available for this option.

Table 11.50. Description of configuration options for [filter-account-quotas] in proxy-server.conf
Configuration option = Default value Description
use = egg:swift#account_quotas Entry point of paste.deploy in the server

Table 11.51. Description of configuration options for [filter-authtoken] in proxy-server.conf
Configuration option = Default value Description
admin_password = password No help text available for this option.
admin_tenant_name = service No help text available for this option.
admin_user = swift No help text available for this option.
auth_uri = http://keystonehost:5000/ No help text available for this option.
cache = swift.cache No help text available for this option.
delay_auth_decision = False No help text available for this option.
identity_uri = http://keystonehost:35357/ No help text available for this option.
include_service_catalog = False No help text available for this option.

Table 11.52. Description of configuration options for [filter-cache] in proxy-server.conf
Configuration option = Default value Description
memcache_max_connections = 2 Max number of connections to each memcached server per worker
memcache_serialization_support = 2 Sets how memcache values are serialized and deserialized
memcache_servers = 127.0.0.1:11211 Comma-separated list of memcached servers ip:port
set log_address = /dev/log Location where syslog sends the logs to
set log_facility = LOG_LOCAL0 Syslog log facility
set log_headers = false If True, log headers in each request
set log_level = INFO Log level
set log_name = cache Label to use when logging
use = egg:swift#memcache Entry point of paste.deploy in the server

Table 11.53. Description of configuration options for [filter-catch_errors] in proxy-server.conf
Configuration option = Default value Description
set log_address = /dev/log Location where syslog sends the logs to
set log_facility = LOG_LOCAL0 Syslog log facility
set log_headers = false If True, log headers in each request
set log_level = INFO Log level
set log_name = catch_errors Label to use when logging
use = egg:swift#catch_errors Entry point of paste.deploy in the server

Table 11.54. Description of configuration options for [filter-container_sync] in proxy-server.conf
Configuration option = Default value Description
allow_full_urls = true No help text available for this option.
current = //REALM/CLUSTER No help text available for this option.
use = egg:swift#container_sync Entry point of paste.deploy in the server

Table 11.55. Description of configuration options for [filter-dlo] in proxy-server.conf
Configuration option = Default value Description
max_get_time = 86400 No help text available for this option.
rate_limit_after_segment = 10 Rate limit the download of large object segments after this segment is downloaded.
rate_limit_segments_per_sec = 1 Rate limit large object downloads at this rate.
use = egg:swift#dlo Entry point of paste.deploy in the server

Table 11.56. Description of configuration options for [filter-versioned_writes] in proxy-server.conf
Configuration option = Default value Description
allow_versioned_writes = false No help text available for this option.
use = egg:swift#versioned_writes Entry point of paste.deploy in the server

Table 11.57. Description of configuration options for [filter-gatekeeper] in proxy-server.conf
Configuration option = Default value Description
set log_address = /dev/log Location where syslog sends the logs to
set log_facility = LOG_LOCAL0 Syslog log facility
set log_headers = false If True, log headers in each request
set log_level = INFO Log level
set log_name = gatekeeper Label to use when logging
use = egg:swift#gatekeeper Entry point of paste.deploy in the server

Table 11.58. Description of configuration options for [filter-healthcheck] in proxy-server.conf
Configuration option = Default value Description
disable_path = No help text available for this option.
use = egg:swift#healthcheck Entry point of paste.deploy in the server

Table 11.59. Description of configuration options for [filter-keystoneauth] in proxy-server.conf
Configuration option = Default value Description
allow_names_in_acls = true The backwards compatible behavior can be disabled by setting this option to False.
allow_overrides = true This option allows middleware higher in the WSGI pipeline to override auth processing, useful for middleware such as tempurl and formpost. If you know you are not going to use such middleware and you want a bit of extra security, you can set this to False.
default_domain_id = default Name of the default domain. It is identified by its UUID, which by default has the value "default".
is_admin = false If this option is set to True, a user whose username is the same as the project name and who has any role in the project is given access rights elevated to be the same as if the user had one of the operator_roles. Note that the condition compares names rather than UUIDs. This option is deprecated. It is False by default.
operator_roles = admin, swiftoperator Operator role defines the user which is allowed to manage a tenant and create containers or give ACL to others. This parameter may be prefixed with an appropriate prefix.
reseller_admin_role = ResellerAdmin The reseller admin role gives the ability to create and delete accounts.
reseller_prefix = AUTH The naming scope for the auth service. Swift
service_roles = When present, this option requires that the X-Service-Token header supplies a token from a user who has a role listed in service_roles. This parameter may be prefixed with an appropriate prefix.
use = egg:swift#keystoneauth Entry point of paste.deploy in the server

Table 11.60. Description of configuration options for [filter-list-endpoints] in proxy-server.conf
Configuration option = Default value Description
list_endpoints_path = /endpoints/ No help text available for this option.
use = egg:swift#list_endpoints Entry point of paste.deploy in the server

Table 11.61. Description of configuration options for [filter-proxy-logging] in proxy-server.conf
Configuration option = Default value Description
access_log_address = /dev/log No help text available for this option.
access_log_facility = LOG_LOCAL0 No help text available for this option.
access_log_headers = false No help text available for this option.
access_log_headers_only = If access_log_headers is True and access_log_headers_only is set only these headers are logged. Multiple headers can be defined as comma separated list like this: access_log_headers_only = Host, X-Object-Meta-Mtime
access_log_level = INFO No help text available for this option.
access_log_name = swift No help text available for this option.
access_log_statsd_default_sample_rate = 1.0 No help text available for this option.
access_log_statsd_host = localhost No help text available for this option.
access_log_statsd_metric_prefix = No help text available for this option.
access_log_statsd_port = 8125 No help text available for this option.
access_log_statsd_sample_rate_factor = 1.0 No help text available for this option.
access_log_udp_host = No help text available for this option.
access_log_udp_port = 514 No help text available for this option.
log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS No help text available for this option.
reveal_sensitive_prefix = 16 The X-Auth-Token is sensitive data. If revealed to an unauthorised person, they can make requests against an account until the token expires. Set reveal_sensitive_prefix to the number of characters of the token that are logged. For example, with reveal_sensitive_prefix = 12 only the first 12 characters of the token are logged. Or, set to 0 to completely remove the token.
use = egg:swift#proxy_logging Entry point of paste.deploy in the server

Table 11.62. Description of configuration options for [filter-tempauth] in proxy-server.conf
Configuration option = Default value Description
allow_overrides = true This option allows middleware higher in the WSGI pipeline to override auth processing, useful for middleware such as tempurl and formpost. If you know you are not going to use such middleware and you want a bit of extra security, you can set this to False.
auth_prefix = /auth/ The HTTP request path prefix for the auth service. Swift itself reserves anything beginning with the letter `v`.
require_group = No help text available for this option.
reseller_prefix = AUTH The naming scope for the auth service. Swift
set log_address = /dev/log Location where syslog sends the logs to
set log_facility = LOG_LOCAL0 Syslog log facility
set log_headers = false If True, log headers in each request
set log_level = INFO Log level
set log_name = tempauth Label to use when logging
storage_url_scheme = default Scheme to return with storage urls: http, https, or default (chooses based on what the server is running as). This can be useful with an SSL load balancer in front of a non-SSL server.
token_life = 86400 The number of seconds a token is valid.
use = egg:swift#tempauth Entry point of paste.deploy in the server
user_admin_admin = admin .admin .reseller_admin No help text available for this option.
user_test2_tester2 = testing2 .admin No help text available for this option.
user_test5_tester5 = testing5 service No help text available for this option.
user_test_tester = testing .admin No help text available for this option.
user_test_tester3 = testing3 No help text available for this option.

Table 11.63. Description of configuration options for [filter-xprofile] in proxy-server.conf
Configuration option = Default value Description
dump_interval = 5.0 No help text available for this option.
dump_timestamp = false No help text available for this option.
flush_at_shutdown = false No help text available for this option.
log_filename_prefix = /tmp/log/swift/profile/default.profile No help text available for this option.
path = /__profile__ No help text available for this option.
profile_module = eventlet.green.profile No help text available for this option.
unwind = false No help text available for this option.
use = egg:swift#xprofile Entry point of paste.deploy in the server
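
Several options in the tables above carry security notes: cert_file and key_file, reveal_sensitive_prefix, allow_overrides, is_admin, and the sample tempauth users. The following is an added example, not part of the original reference or of Swift, that checks a proxy-server.conf for them. The function name audit, the sample file and the threshold of 16 are assumptions of this example, and it uses the colon form of section names ([filter:tempauth]) found in paste.deploy files rather than the hyphenated table titles.

```python
import configparser

TRUE = {"1", "true", "yes", "on", "t", "y"}
# Keys of the sample tempauth users listed in the [filter-tempauth] table above.
SAMPLE_KEYS = {"admin", "testing", "testing2", "testing3", "testing5"}

# Constructed sample file (not taken from a real deployment).
SAMPLE = """
[DEFAULT]
bind_port = 8080
cert_file = /etc/swift/proxy.crt
key_file = /etc/swift/proxy.key

[pipeline:main]
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache tempauth proxy-logging proxy-server

[filter:proxy-logging]
use = egg:swift#proxy_logging
reveal_sensitive_prefix = 64

[filter:tempauth]
use = egg:swift#tempauth
user_test_tester = testing .admin
"""

def audit(text):
    """Return sorted (section, option, reason) findings for a proxy-server.conf."""
    # Rename the default section so [DEFAULT] values do not leak into filters.
    cfg = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cfg.read_string(text)
    get = lambda sec, opt, default="": cfg.get(sec, opt, fallback=default).strip()
    pipeline = get("pipeline:main", "pipeline").split()
    out = []
    for opt in ("cert_file", "key_file"):
        if get("DEFAULT", opt):
            out.append(("DEFAULT", opt, "built-in SSL is for testing purposes only"))
    shown = get("filter:proxy-logging", "reveal_sensitive_prefix", "16")
    if shown.isdigit() and int(shown) > 16:  # threshold: the documented default
        out.append(("filter:proxy-logging", "reveal_sensitive_prefix",
                    "logs more than 16 characters of X-Auth-Token"))
    for name in ("tempauth", "keystoneauth"):
        sec = "filter:" + name
        if name not in pipeline or not cfg.has_section(sec):
            continue
        # allow_overrides defaults to true; the page names tempurl and formpost
        # as the middleware that relies on it.
        if (get(sec, "allow_overrides", "true").lower() in TRUE
                and not {"tempurl", "formpost"} & set(pipeline)):
            out.append((sec, "allow_overrides", "no tempurl/formpost in pipeline"))
        if name == "keystoneauth" and get(sec, "is_admin", "false").lower() in TRUE:
            out.append((sec, "is_admin", "deprecated name-based privilege elevation"))
        for opt, val in cfg.items(sec):
            parts = val.split()  # tempauth value format: key followed by groups
            if name == "tempauth" and opt.startswith("user_") and parts and parts[0] in SAMPLE_KEYS:
                out.append((sec, opt, "sample user with a documented key"))
    return sorted(out)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%-22s %-24s %s" % finding)
```

Only filters that actually appear in the pipeline are checked, so a leftover [filter:tempauth] section that is not loaded produces no findings.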
