# ----------------------- # Kong configuration file # ----------------------- # # The commented-out settings shown in this file represent the default values. # # This file is read when `kong start` or `kong prepare` are used. Kong # generates the Nginx configuration with the settings specified in this file. # # All environment variables prefixed with `KONG_` and capitalized will override # the settings specified in this file. # Example: # `log_level` setting -> `KONG_LOG_LEVEL` env variable # # Boolean values can be specified as `on`/`off` or `true`/`false`. # Lists must be specified as comma-separated strings. # # All comments in this file can be removed safely, including the # commented-out properties. # You can verify the integrity of your settings with `kong check <path/to/kong.conf>`. #------------------------------------------------------------------------------ # GENERAL #------------------------------------------------------------------------------ #prefix = /usr/local/kong/ # Working directory. Equivalent to Nginx's # prefix path, containing temporary files # and logs. # Each Kong process must have a separate # working directory. #log_level = notice # Log level of the Nginx server. Logs are # found at <prefix>/logs/error.log. # Note: see http://nginx.org/en/docs/ngx_core_module.html#error_log for a list # of accepted values. #proxy_access_log = logs/access.log # Path for proxy port request access # logs. Set this value to `off` to # disable logging proxy requests. # If this value is a relative path, # it will be placed under the # `prefix` location. #proxy_error_log = logs/error.log # Path for proxy port request error # logs. Granularity of these logs is # adjusted by the `log_level` # directive. #admin_access_log = logs/admin_access.log # Path for Admin API request access # logs. Set this value to `off` to # disable logging Admin API requests. # If this value is a relative path, # it will be placed under the # `prefix` location. 
#admin_error_log = logs/error.log # Path for Admin API request error # logs. Granularity of these logs is # adjusted by the `log_level` # directive. #custom_plugins = # Comma-separated list of additional plugins # this node should load. # Use this property to load custom plugins # that are not bundled with Kong. # Plugins will be loaded from the # `kong.plugins.{name}.*` namespace. #anonymous_reports = on # Send anonymous usage data such as error # stack traces to help improve Kong. #------------------------------------------------------------------------------ # NGINX #------------------------------------------------------------------------------ #proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl # Comma-separated list of addresses and ports on # which the proxy server should listen. # The proxy server is the public entrypoint of Kong, # which proxies traffic from your consumers to your # backend services. This value accepts IPv4, IPv6, and # hostnames. # Some suffixes can be specified for each pair: # - `ssl` will require that all connections made # through a particular address/port be made with TLS # enabled. # - `http2` will allow for clients to open HTTP/2 # connections to Kong's proxy server. # - Finally, `proxy_protocol` will enable usage of the # PROXY protocol for a given address/port. # # This value can be set to `off`, thus disabling # the proxy port for this node, enabling a # 'control-plane' mode (without traffic proxying # capabilities) which can configure a cluster of # nodes connected to the same database. #proxy_url = # Kong Proxy URL # # Here you may provide the lookup, or balancer, # address for your Kong Proxy nodes. # # This value is commonly used in a microservices # or service-mesh oriented architecture. 
# # Accepted format (parts in parentheses are optional): # # <scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>)) # # Examples: # # - <scheme>://<IP>:<PORT> # proxy_url = http://127.0.0.1:8000 # - SSL <scheme>://<HOSTNAME> # proxy_url = https://proxy.domain.tld # - <scheme>://<HOSTNAME>/<PATH> # proxy_url = http://dev-machine/dev-285 # # By default: # # Kong Manager, and Kong Portal will use # the window request host and append the resolved # listener port depending on the requested protocol. # Note: see http://nginx.org/en/docs/http/ngx_http_core_module.html#listen for # a description of the accepted formats for this and other *_listen values. # Note bis: see https://www.nginx.com/resources/admin-guide/proxy-protocol/ # for more details about the `proxy_protocol` parameter. #admin_api_uri = # Hierarchical part of a URI which is composed # optionally of a host, port, and path at which your # Admin interface API accepts HTTP or HTTPS traffic. # When this config is disabled, the gui will use the # window protocol + host and append the resolved # admin_gui_listen HTTP/HTTPS port. #admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 ssl # Comma-separated list of addresses and ports on # which the Admin interface should listen. # The Admin interface is the API allowing you to # configure and manage Kong. # Access to this interface should be *restricted* # to Kong administrators *only*. This value accepts # IPv4, IPv6, and hostnames. # Some suffixes can be specified for each pair: # - `ssl` will require that all connections made # through a particular address/port be made with TLS # enabled. # - `http2` will allow for clients to open HTTP/2 # connections to Kong's proxy server. # - Finally, `proxy_protocol` will enable usage of the # PROXY protocol for a given address/port. # # This value can be set to `off`, thus disabling # the Admin interface for this node, enabling a # 'data-plane' mode (without configuration # capabilities) pulling its configuration changes # from the database. #nginx_user = nobody nobody # Defines user and group credentials used by # worker processes. 
If group is omitted, a # group whose name equals that of user is # used. Ex: [user] [group]. #nginx_worker_processes = auto # Determines the number of worker processes # spawned by Nginx. #nginx_daemon = on # Determines whether Nginx will run as a daemon # or as a foreground process. Mainly useful # for development or when running Kong inside # a Docker environment. #mem_cache_size = 128m # Size of the in-memory cache for database # entities. The accepted units are `k` and # `m`, with a minimum recommended value of # a few MBs. #ssl_cipher_suite = modern # Defines the TLS ciphers served by Nginx. # Accepted values are `modern`, # `intermediate`, `old`, or `custom`. # Note: see https://wiki.mozilla.org/Security/Server_Side_TLS for detailed # descriptions of each cipher suite. #ssl_ciphers = # Defines a custom list of TLS ciphers to be # served by Nginx. This list must conform to # the pattern defined by `openssl ciphers`. # This value is ignored if `ssl_cipher_suite` # is not `custom`. #ssl_cert = # The absolute path to the SSL certificate for # `proxy_listen` values with SSL enabled. #ssl_cert_key = # The absolute path to the SSL key for # `proxy_listen` values with SSL enabled. #client_ssl = off # Determines if Nginx should send client-side # SSL certificates when proxying requests. #client_ssl_cert = # If `client_ssl` is enabled, the absolute # path to the client SSL certificate for the # `proxy_ssl_certificate` directive. Note that # this value is statically defined on the # node, and currently cannot be configured on # a per-API basis. #client_ssl_cert_key = # If `client_ssl` is enabled, the absolute # path to the client SSL key for the # `proxy_ssl_certificate_key` directive. Note # this value is statically defined on the # node, and currently cannot be configured on # a per-API basis. #admin_ssl_cert = # The absolute path to the SSL certificate for # `admin_listen` values with SSL enabled. 
#admin_ssl_cert_key = # The absolute path to the SSL key for # `admin_listen` values with SSL enabled. #upstream_keepalive = 60 # Sets the maximum number of idle keepalive # connections to upstream servers that are # preserved in the cache of each worker # process. When this number is exceeded, the # least recently used connections are closed. #server_tokens = on # Enables or disables emitting Kong version on # error pages and in the "Server" or "Via" # (in case the request was proxied) response # header field. #latency_tokens = on # Enables or disables emitting Kong latency # information in the "X-Kong-Proxy-Latency" # and "X-Kong-Upstream-Latency" response # header fields. #trusted_ips = # Defines trusted IP address blocks that are # known to send correct X-Forwarded-* headers. # Requests from trusted IPs make Kong forward # their X-Forwarded-* headers upstream. # Non-trusted requests make Kong insert its # own X-Forwarded-* headers. # # This property also sets the # `set_real_ip_from` directive(s) in the Nginx # configuration. It accepts the same type of # values (CIDR blocks) but as a # comma-separated list. # # To trust *all* /!\ IPs, set this value to # `0.0.0.0/0,::/0`. # Doing so lets any client choose the address # that Kong treats as the client IP through # the `real_ip_header` field, so IP-based # restrictions and logged client addresses # can no longer be relied on. # # If the special value `unix:` is specified, # all UNIX-domain sockets will be trusted. # Note: see http://nginx.org/en/docs/http/ngx_http_realip_module.html for # examples of accepted values. #real_ip_header = X-Real-IP # Defines the request header field whose value # will be used to replace the client address. # This value sets the ngx_http_realip_module # directive of the same name in the Nginx # configuration. # If set to `proxy_protocol`, then at least # one of the `proxy_listen` entries must # have the `proxy_protocol` flag enabled. # Note: see http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header # for a description of this directive. #real_ip_recursive = off # This value sets the ngx_http_realip_module # directive of the same name in the Nginx # configuration. 
# Note: see http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive # for a description of this directive. #client_max_body_size = 0 # Defines the maximum request body size allowed # by requests proxied by Kong, specified in # the Content-Length request header. If a # request exceeds this limit, Kong will # respond with a 413 (Request Entity Too # Large). Setting this value to 0 disables # checking the request body size. # Note: see http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size # for further description of this parameter. Numeric values may be suffixed # with 'k' or 'm' to denote limits in terms of kilobytes or megabytes. #client_body_buffer_size = 8k # Defines the buffer size for reading the # request body. If the client request body is # larger than this value, the body will be # buffered to disk. Note that when the body is # buffered to disk Kong plugins that access or # manipulate the request body may not work, so # it is advisable to set this value as high as # possible (e.g., set it as high as # `client_max_body_size` to force request # bodies to be kept in memory). Do note that # high-concurrency environments will require # significant memory allocations to process # many concurrent large request bodies. # Note: see http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size # for further description of this parameter. Numeric values may be suffixed # with 'k' or 'm' to denote limits in terms of kilobytes or megabytes. #error_default_type = text/plain # Default MIME type to use when the request # `Accept` header is missing and Nginx # is returning an error for the request. # Accepted values are `text/plain`, # `text/html`, `application/json`, and # `application/xml`. 
#------------------------------------------------------------------------------ # DATASTORE #------------------------------------------------------------------------------ # Kong will store all of its data (such as APIs, consumers and plugins) in # either Cassandra or PostgreSQL. # # All Kong nodes belonging to the same cluster must connect themselves to the # same database. #database = postgres # Determines which of PostgreSQL or Cassandra # this node will use as its datastore. # Accepted values are `postgres` and # `cassandra`. #pg_host = 127.0.0.1 # The PostgreSQL host to connect to. #pg_port = 5432 # The port to connect to. #pg_user = kong # The username to authenticate if required. #pg_password = # The password to authenticate if required. #pg_database = kong # The database name to connect to. #pg_ssl = off # Toggles client-server TLS connections # between Kong and PostgreSQL. #pg_ssl_verify = off # Toggles server certificate verification if # `pg_ssl` is enabled. # While this is `off`, the connection is # encrypted but the server's identity is not # authenticated. # See the `lua_ssl_trusted_certificate` # setting to specify a certificate authority. #cassandra_contact_points = 127.0.0.1 # A comma-separated list of contact # points to your cluster. #cassandra_port = 9042 # The port on which your nodes are listening # on. All your nodes and contact points must # listen on the same port. #cassandra_keyspace = kong # The keyspace to use in your cluster. #cassandra_timeout = 5000 # Defines the timeout (in ms), for reading # and writing. #cassandra_ssl = off # Toggles client-to-node TLS connections # between Kong and Cassandra. #cassandra_ssl_verify = off # Toggles server certificate verification if # `cassandra_ssl` is enabled. # While this is `off`, the connection is # encrypted but the server's identity is not # authenticated. # See the `lua_ssl_trusted_certificate` # setting to specify a certificate authority. #cassandra_username = kong # Username when using the # `PasswordAuthenticator` scheme. #cassandra_password = # Password when using the # `PasswordAuthenticator` scheme. 
#cassandra_consistency = ONE # Consistency setting to use when reading/ # writing to the Cassandra cluster. #cassandra_lb_policy = RoundRobin # Load balancing policy to use when # distributing queries across your Cassandra # cluster. # Accepted values are: # `RoundRobin`, `RequestRoundRobin`, # `DCAwareRoundRobin`, and # `RequestDCAwareRoundRobin`. # Prefer the latter if and only if you are # using a multi-datacenter cluster. #cassandra_local_datacenter = # When using the `DCAwareRoundRobin` # or `RequestDCAwareRoundRobin` load # balancing policy, you must specify the name # of the local (closest) datacenter for this # Kong node. #cassandra_repl_strategy = SimpleStrategy # When migrating for the first time, # Kong will use this setting to # create your keyspace. # Accepted values are # `SimpleStrategy` and # `NetworkTopologyStrategy`. #cassandra_repl_factor = 1 # When migrating for the first time, Kong # will create the keyspace with this # replication factor when using the # `SimpleStrategy`. #cassandra_data_centers = dc1:2,dc2:3 # When migrating for the first time, # Kong will use this setting when using the # `NetworkTopologyStrategy`. # The format is a comma-separated list # made of <dc_name>:<repl_factor>. #cassandra_schema_consensus_timeout = 10000 # Defines the timeout (in ms) for # the waiting period to reach a # schema consensus between your # Cassandra nodes. # This value is only used during # migrations. #------------------------------------------------------------------------------ # DATASTORE CACHE #------------------------------------------------------------------------------ # In order to avoid unnecessary communication with the datastore, Kong caches # entities (such as APIs, Consumers, Credentials...) for a configurable period # of time. It also handles invalidations if such an entity is updated. # # This section allows for configuring the behavior of Kong regarding the # caching of such configuration entities. 
#db_update_frequency = 5 # Frequency (in seconds) at which to check for # updated entities with the datastore. # When a node creates, updates, or deletes an # entity via the Admin API, other nodes need # to wait for the next poll (configured by # this value) to eventually purge the old # cached entity and start using the new one. #db_update_propagation = 0 # Time (in seconds) taken for an entity in the # datastore to be propagated to replica nodes # of another datacenter. # When in a distributed environment such as # a multi-datacenter Cassandra cluster, this # value should be the maximum number of # seconds taken by Cassandra to propagate a # row to other datacenters. # When set, this property will increase the # time taken by Kong to propagate the change # of an entity. # Single-datacenter setups or PostgreSQL # servers should suffer no such delays, and # this value can be safely set to 0. #db_cache_ttl = 3600 # Time-to-live (in seconds) of an entity from # the datastore when cached by this node. # Database misses (no entity) are also cached # according to this setting. # If set to 0, such cached entities/misses # never expire. #------------------------------------------------------------------------------ # DNS RESOLVER #------------------------------------------------------------------------------ # By default the DNS resolver will use the standard configuration files # `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be # overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if # they have been set. #dns_resolver = # Comma separated list of nameservers, each # entry in `ip[:port]` format to be used by # Kong. If not specified the nameservers in # the local `resolv.conf` file will be used. # Port defaults to 53 if omitted. Accepts # both IPv4 and IPv6 addresses. #dns_hostsfile = /etc/hosts # The hosts file to use. This file is read # once and its content is static in memory. 
# To read the file again after modifying it, # Kong must be reloaded. #dns_order = LAST,SRV,A,CNAME # The order in which to resolve different # record types. The `LAST` type means the # type of the last successful lookup (for the # specified name). The format is a (case # insensitive) comma separated list. #dns_stale_ttl = 4 # Defines, in seconds, how long a record will # remain in cache past its TTL. This value # will be used while the new DNS record is # fetched in the background. # Stale data will be used from expiry of a # record until either the refresh query # completes, or the `dns_stale_ttl` number of # seconds have passed. #dns_not_found_ttl = 30 # TTL in seconds for empty DNS responses and # "(3) name error" responses. #dns_error_ttl = 1 # TTL in seconds for error responses. #dns_no_sync = off # If enabled, then upon a cache-miss every # request will trigger its own dns query. # When disabled multiple requests for the # same name/type will be synchronised to a # single query. #------------------------------------------------------------------------------ # DEVELOPMENT & MISCELLANEOUS #------------------------------------------------------------------------------ # Additional settings inherited from lua-nginx-module allowing for more # flexibility and advanced usage. # # See the lua-nginx-module documentation for more information: # https://github.com/openresty/lua-nginx-module #lua_ssl_trusted_certificate = # Absolute path to the certificate # authority file for Lua cosockets in PEM # format. This certificate will be the one # used for verifying Kong's database # connections, when `pg_ssl_verify` or # `cassandra_ssl_verify` is enabled. #lua_ssl_verify_depth = 1 # Sets the verification depth in the server # certificates chain used by Lua cosockets, # set by `lua_ssl_trusted_certificate`. # This includes the certificates configured # for Kong's database connections. #lua_package_path = # Sets the Lua module search path (LUA_PATH). 
# Useful when developing or using custom # plugins not stored in the default search # path. #lua_package_cpath = # Sets the Lua C module search path # (LUA_CPATH). #lua_socket_pool_size = 30 # Specifies the size limit for every cosocket # connection pool associated with every remote # server. #enforce_rbac = off # Specifies whether Admin API RBAC is enforced; # accepts one of 'entity', 'both', 'on', or # 'off'. When 'on' is passed, only # endpoint-level authorization is enforced; # when 'entity' is passed, entity-level # authorization applies; 'both' enables both # endpoint and entity-level authorization; # 'off' disables both. When enabled, Kong will # deny requests to the Admin API when a # nonexistent or invalid RBAC authorization # token is passed, or the RBAC user with which # the token is associated does not have # permissions to access/modify the requested # resource. #rbac_auth_header = Kong-Admin-Token # Defines the name of the HTTP request # header from which the Admin API will # attempt to identify the RBAC user. #------------------------------------------------------------------------------ # ADMIN GUI #------------------------------------------------------------------------------ #admin_gui_listen = 0.0.0.0:8002, 0.0.0.0:8445 ssl # Admin GUI Listeners # # Comma-separated list of addresses and ports on which # Kong will expose the Admin GUI. This web application # lets you configure and manage Kong, and therefore # should be kept private and secured. # # Suffixes can be specified for each pair, similarly to # the `admin_listen` directive. #admin_gui_url = # Admin GUI URL # # Here you may provide the lookup, or balancer, # address for your admin application. 
# # Accepted format (items in parentheses are optional): # # <scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>)) # # Examples: # # - http://127.0.0.1:8003 # - https://kong-admin.test # - http://dev-machine/dev-285 # # By default: # # The application will use the window request host and # append the resolved listener port depending on the # requested protocol. #admin_gui_ssl_cert = # The absolute path to the SSL certificate for # `admin_gui_listen` values with SSL enabled. #admin_gui_ssl_cert_key = # The absolute path to the SSL key for # `admin_gui_listen` values with SSL enabled. #admin_gui_flags = {} # Alters the layout of the Admin GUI (JSON) #admin_gui_access_log = logs/admin_gui_access.log # Admin GUI Access Logs # # Here you can set an absolute or relative path for the # Admin GUI access logs. When the path is relative, # logs are placed in the `prefix` location. # # Setting this value to `off` disables access logs # for the Admin GUI. #admin_gui_error_log = logs/admin_gui_error.log # Admin GUI Error Logs # # Here you can set an absolute or relative path for the # Admin GUI error logs. When the path is relative, # logs are placed in the `prefix` location. # # Setting this value to `off` disables error logs for # the Admin GUI. # # Granularity can be adjusted through the `log_level` # directive. #admin_gui_auth = # Admin GUI Authentication Plugin Name # # Here you may secure access to the Admin GUI by # specifying an authentication plugin to use. # # Supported Plugins: # # Value to Use | Authentication Type # ----------------------+-------------------------- # basic-auth | Basic Authentication # ldap-auth-advanced | LDAP Authentication #admin_gui_auth_conf = # Admin GUI Authentication Plugin Config (JSON) # # Here you may specify the configuration for the # authentication plugin you have chosen. # # For information about Plugin Configuration # consult the associated plugin documentation. 
# # Example for `basic-auth`: # # admin_gui_auth_conf = { "hide_credentials": true } #------------------------------------------------------------------------------ # VITALS #------------------------------------------------------------------------------ #vitals = on # When enabled, Kong will store and report # metrics about its performance. # # When running Kong in a multi-node setup, # `vitals` entails two separate meanings # depending on the node. # # On a Proxy-only node, `vitals` determines # whether to collect data for Vitals. # # On an Admin-only node, `vitals` determines # whether to display Vitals metrics and # visualizations on the dashboard. #vitals_strategy = database # Determines whether to use the Kong database # (either PostgreSQL or Cassandra, as defined # by the 'database' config value above), or a # separate storage engine, for Vitals metrics. # Accepted values are 'database', 'prometheus', # or 'influxdb'. #vitals_tsdb_address = # Defines the host and port of the TSDB server # to which Vitals data is written and read. # This value is only applied when the # 'vitals_strategy' option is set to # 'prometheus' or 'influxdb'. This value # accepts IPv4, IPv6, and hostname values. # If the 'vitals_strategy' is set to # 'prometheus', this value determines the # address of the Prometheus server from which # Vitals data will be read. For 'influxdb' # strategies, this value controls both the read # and write source for Vitals data. #vitals_statsd_address = # Defines the host and port (and an optional # protocol) of the StatsD server to which # Kong should write Vitals metrics. This value # is only applied when the 'vitals_strategy' is # set to 'prometheus'. This value accepts IPv4, # IPv6, and hostnames. Additionally, the suffix # 'tcp' can be specified; doing so will result # in Kong sending StatsD metrics via TCP # instead of the UDP (default). #vitals_statsd_prefix = kong # Defines the prefix value attached to all # Vitals StatsD events. 
This prefix is useful # when writing metrics to a multi-tenant StatsD # exporter or server. #vitals_statsd_udp_packet_size = 1024 # Defines the maximum buffer size in # which Vitals statsd metrics will be # held and sent in batches. # This value is defined in bytes. #vitals_prometheus_scrape_interval = 5 # Defines the scrape_interval query # parameter sent to the Prometheus # server when reading Vitals data. # This should be same as the scrape # interval (in seconds) of the # Prometheus server. #------------------------------------------------------------------------------ # DEVELOPER PORTAL #------------------------------------------------------------------------------ #portal = off # Developer Portal Switch # # When enabled: # # Kong will expose the Dev Portal interface and # read-only APIs on the `portal_gui_listen` address, # and endpoints on the Admin API to manage assets. # # When enabled along with `portal_auth`: # # Kong will expose management endpoints for developer # accounts on the Admin API and the Dev Portal API. #portal_gui_listen = 0.0.0.0:8003, 0.0.0.0:8446 ssl # Developer Portal GUI Listeners # # Comma-separated list of addresses on which Kong will # expose the Developer Portal GUI. Suffixes can be # specified for each pair, similarly to # the `admin_listen` directive. #portal_gui_protocol = http # Developer Portal GUI protocol # # Here you may provide the protocol used in conjunction # with portal_gui_host to construct the lookup, or balancer # address for your Kong Proxy nodes. # # Examples: http # https #portal_gui_host = 127.0.0.1:8003 # Developer Portal GUI host # # Here you may provide the host used in conjunction # with portal_gui_protocol to construct the lookup, # or balancer address for your Kong Proxy nodes. 
# # Examples: # # - <IP>:<PORT> # portal_gui_host = 127.0.0.1:8003 # - <HOSTNAME> # portal_gui_host = portal_api.domain.tld # - <HOSTNAME>/<PATH> # portal_gui_host = dev-machine/dev-285 #portal_gui_use_subdomains = off # Developer Portal GUI subdomain toggle # # By default Kong Portal uses the first namespace in # the request path to determine workspace. By turning # portal_gui_use_subdomains 'on', Kong Portal will expect # workspace to be included in the request url as a subdomain. # # Example (off): # - <scheme>://<HOSTNAME>/<WORKSPACE>/<PATH> # http://kong-portal.com/example-workspace/index # # Example (on): # - <scheme>://<WORKSPACE>.<HOSTNAME> # http://example-workspace.kong-portal.com/index #portal_gui_ssl_cert = # Developer Portal GUI SSL Certificate # # The absolute path to the SSL certificate for # `portal_gui_listen` values with SSL enabled. #portal_gui_ssl_cert_key = # Developer Portal GUI SSL Certificate Key # # The absolute path to the SSL key for # `portal_gui_listen` values with SSL enabled. #portal_api_listen = 0.0.0.0:8004, 0.0.0.0:8447 ssl # Developer Portal API Listeners # # Comma-separated list of addresses on which Kong will # expose the Developer Portal API. Suffixes can be # specified for each pair, similarly to # the `admin_listen` directive. #portal_api_url = # Developer Portal API URL # # Here you may provide the lookup, or balancer, # address for your Developer Portal nodes. # # This value is commonly used in a microservices # or service-mesh oriented architecture. # # portal_api_url is the address on which your # Kong Dev Portal API is accessible by Kong. You # should only set this value if your Kong Dev Portal API # lives on a different node than your Kong Proxy. 
# # Accepted format (parts in parentheses are optional): # # <scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>)) # # Examples: # # - <scheme>://<IP>:<PORT> # portal_api_url = http://127.0.0.1:8003 # - SSL <scheme>://<HOSTNAME> # portal_api_url = https://portal_api.domain.tld # - <scheme>://<HOSTNAME>/<PATH> # portal_api_url = http://dev-machine/dev-285 # # By default this value points to the local interface: # # - http://0.0.0.0:8004 #portal_api_ssl_cert = # Developer Portal API SSL Certificate # # The absolute path to the SSL certificate for # `portal_api_listen` values with SSL enabled. #portal_api_ssl_cert_key = # Developer Portal API SSL Certificate Key # # The absolute path to the SSL key for # `portal_api_listen` values with SSL enabled. #portal_api_access_log = logs/portal_api_access.log # Developer Portal API Access Log location # # Here you can set an absolute or relative path for your # Portal API access logs. # # Setting this value to `off` will disable logging # Portal API access logs. # # When using relative pathing, logs will be placed under # the `prefix` location. #portal_api_error_log = logs/error.log # Developer Portal API Error Log location # # Here you can set an absolute or relative path for your # Portal API error logs. # # Setting this value to `off` will disable logging # Portal API error logs. # # When using relative pathing, logs will be placed under # the `prefix` location. # # Granularity can be adjusted through the `log_level` # directive. #------------------------------------------------------------------------------ # DEFAULT DEVELOPER PORTAL AUTHENTICATION # # Referenced on workspace creation to set Dev Portal authentication defaults # in the database for that particular workspace. #------------------------------------------------------------------------------ #portal_auth = # Developer Portal Authentication Plugin Name # # Here you may specify the authentication plugin # to apply to your Developer Portal. Developers # will use the specified form of authentication # to request access, register, and login to your # Developer Portal. 
# # Supported Plugins: # # - Basic Authentication: # # portal_auth = basic-auth # # - OIDC Authentication: # # portal_auth = openid-connect # #portal_auth_conf = # Developer Portal Authentication Plugin Config (JSON) # # Here you may specify the plugin configuration object # in JSON format to be applied to your Developer # Portal authentication. # # For information about Plugin Configuration # consult the associated plugin documentation. # # Example for `basic-auth`: # # portal_auth_conf = { "hide_credentials": true } #portal_auto_approve = off # Developer Portal Auto Approve Access # # When this flag is set to "on", a developer will # automatically be marked as "approved" after completing # registration. Access can still be revoked through the # Admin GUI or API. #portal_token_exp = 21600 # Duration in seconds for the expiration of portal # reset token. # Default `21600` (6 hours) #------------------------------------------------------------------------------ # DEFAULT PORTAL SMTP CONFIGURATION # # Referenced on workspace creation to set SMTP defaults in the database # for that particular workspace. #------------------------------------------------------------------------------ #portal_invite_email = on # Enable or disable portal_invite_email # Default `on` #portal_access_request_email = on # Enable or disable portal_access_request_email # Default `on` #portal_approved_email = on # Enable or disable portal_approved_email # Default `on` #portal_reset_email = on # Enable or disable portal_reset_email # Default `on` #portal_reset_success_email = on # Enable or disable portal_reset_success_email # Default `on` #portal_emails_from = # The name and email address for the `From` header # for portal emails # # Example # portal_emails_from = Your Name # # Note: Some SMTP servers will not use # this value, but instead insert the email and name # associated with the account. 
# Default `nil` #portal_emails_reply_to = # Email address for the `Reply-To` header for # portal emails # # Example # portal_emails_reply_to = example@example.com # # Note: Some SMTP servers will not use # this value, but instead insert the email # associated with the account. # Default `nil` #------------------------------------------------------------------------------ # ADMIN SMTP CONFIGURATION #------------------------------------------------------------------------------ #admin_emails_from = "" # The email address for the `From` header # for admin emails #admin_emails_reply_to = # Email address for the `Reply-To` header # for admin emails #admin_invitation_expiry = 259200 # Seconds before admin invitation link # expires. 0 means no expiration. # # Examples: # 259200 = 1 * 60 * 60 * 72 # ^ number of hours #------------------------------------------------------------------------------ # GENERAL SMTP CONFIGURATION #------------------------------------------------------------------------------ #smtp_mock = on # This flag will mock the sending of emails. This can be # used for testing before the SMTP client is fully # configured. # # Example # smtp_mock = on - Kong will NOT attempt to send emails. # smtp_mock = off - Kong will attempt to send emails. # # Default `on` #smtp_host = # The host of the SMTP server to connect to. # Default `localhost` #smtp_port = # The port number on the SMTP server to connect to. # Default `25` #smtp_starttls = # When set to `on`, STARTTLS is used to encrypt # communication with the SMTP server. This is normally # used in conjunction with port 587. # Default `off` #smtp_username = # Username used for authentication with the SMTP server # Default `nil` #smtp_password = # Password used for authentication with the SMTP server # # Note: this value is stored in plain text, so restrict # read access to this file, and enable `smtp_starttls` or # `smtp_ssl` so the credentials are not sent unencrypted. # Default `nil` #smtp_ssl = # When set to `on`, SMTPS is used to encrypt # communication with the SMTP server. This is normally # used in conjunction with port 465.
# Default `off` #smtp_auth_type = # The method used to authenticate with the SMTP server # Valid options are `plain`, `login`, or `nil` # Default `nil` #smtp_domain = localhost.localdomain # The domain used in the `EHLO` connection and part of # the `Message-ID` header # Default `localhost.localdomain` #smtp_timeout_connect = 60000 # The timeout (in milliseconds) for connecting to the # SMTP server. # Default 60000 #smtp_timeout_send = 60000 # The timeout (in milliseconds) for sending data to the # SMTP server. # Default 60000 #smtp_timeout_read = 60000 # The timeout (in milliseconds) for reading data from # the SMTP server. # Default 60000 #smtp_admin_emails = # Comma-separated list of admin emails to receive # notifications. # Example `admin1@example.com, admin2@example.com` # Default `nil` #------------------------------------------------------------------------------- # DATA & ADMIN AUDIT #------------------------------------------------------------------------------- # When enabled, Kong will store detailed audit data regarding Admin API and # database access. In most cases, updates to the database are associated with # Admin API requests. As such, database object audit log data is tied to a # given HTTP request via a unique identifier, providing built-in association of Admin # API and database traffic. # audit_log = off # When enabled, Kong will log information about # Admin API access and database row insertions, # updates, and deletes. # audit_log_ignore_methods = # Comma-separated list of HTTP methods that # will not generate audit log entries. By # default, all HTTP requests will be logged. # audit_log_ignore_paths = # Comma-separated list of request paths that # will not generate audit log entries. By # default, all HTTP requests will be logged. # audit_log_ignore_tables = # Comma-separated list of database tables that # will not generate audit log entries.
By # default, updates to all database tables will # be logged (the term "updates" refers to the # creation, update, or deletion of a row). # audit_log_record_ttl = 2592000 # Length, in seconds, of the TTL for audit log # records. Records in the database older than # their TTL are automatically purged. # audit_log_signing_key = # Defines the path to a private RSA signing key # that can be used to insert a signature of # audit records, adjacent to the record. The # corresponding public key should be stored # offline, and can be used to validate audit # entries in the future. Restrict read access to # the private key file: anyone who can read it can # sign audit records. If this value is # undefined, no signature will be generated.