Proxy server configuration

Kilo - Kilo - Kilo - Kilo - Kilo - Kilo - Kilo - Kilo -

Sample proxy server configuration file

Find an example proxy server configuration at etc/proxy-server.conf-sample in the source code repository.

The available configuration options are:

Table 10.47. Description of configuration options for `[DEFAULT]` in `proxy-server.conf`
Configuration option = Default value	Description
`admin_key` = `secret_admin_key`	to use for admin calls that are HMAC signed. Default is empty, which will disable admin calls to /info. the proxy server. For most cases, this should be `egg:swift#proxy`. request whenever it has to failover to a handoff node
`backlog` = `4096`	Maximum number of allowed pending TCP connections
`bind_ip` = `0.0.0.0`	IP Address for server to bind to
`bind_port` = `8080`	Port for server to bind to
`bind_timeout` = `30`	Seconds to attempt bind before giving up
`cert_file` = `/etc/swift/proxy.crt`	to the ssl .crt. This should be enabled for testing purposes only.
`client_timeout` = `60`	Timeout to read one chunk from a client external services
`cors_allow_origin` =	is a list of hosts that are included with any CORS request by default and returned with the Access-Control-Allow-Origin header in addition to what the container has set. to call to setup custom log handlers. for eventlet the proxy server. For most cases, this should be `egg:swift#proxy`. request whenever it has to failover to a handoff node
`disallowed_sections` = `swift.valid_api_versions, container_quotas, tempurl`	No help text available for this option.
`eventlet_debug` = `false`	If true, turn on debug logging for eventlet
`expiring_objects_account_name` = `expiring_objects`	No help text available for this option.
`expiring_objects_container_divisor` = `86400`	No help text available for this option.
`expose_info` = `true`	Enables exposing configuration settings via HTTP GET /info.
`key_file` = `/etc/swift/proxy.key`	to the ssl .key. This should be enabled for testing purposes only.
`log_address` = `/dev/log`	Location where syslog sends the logs to
`log_custom_handlers` =	Comma-separated list of functions to call to setup custom log handlers.
`log_facility` = `LOG_LOCAL0`	Syslog log facility
`log_headers` = `false`	No help text available for this option.
`log_level` = `INFO`	Logging level
`log_max_line_length` = `0`	Caps the length of log lines to the value given; no limit if set to 0, the default.
`log_name` = `swift`	Label used when logging
`log_statsd_default_sample_rate` = `1.0`	Defines the probability of sending a sample for any given event or timing measurement.
`log_statsd_host` = `localhost`	If not set, the StatsD feature is disabled.
`log_statsd_metric_prefix` =	Value will be prepended to every metric sent to the StatsD server.
`log_statsd_port` = `8125`	Port value for the StatsD server.
`log_statsd_sample_rate_factor` = `1.0`	Not recommended to set this to a value less than 1.0, if frequency of logging is too high, tune the log_statsd_default_sample_rate instead.
`log_udp_host` =	If not set, the UDP receiver for syslog is disabled.
`log_udp_port` = `514`	Port value for UDP receiver, if enabled.
`max_clients` = `1024`	Maximum number of clients one worker can process simultaneously Lowering the number of clients handled per worker, and raising the number of workers can lessen the impact that a CPU intensive, or blocking, request can have on other requests served by the same worker. If the maximum number of clients is set to one, then a given worker will not perform another call while processing, allowing other workers a chance to process it.
`strict_cors_mode` = `True`	No help text available for this option.
`swift_dir` = `/etc/swift`	Swift configuration directory
`trans_id_suffix` =	No help text available for this option.
`user` = `swift`	User to run as
`workers` = `auto`	a much higher value, one can reduce the impact of slow file system operations in one request from negatively impacting other requests.

Table 10.48. Description of configuration options for `[app-proxy-server]` in `proxy-server.conf`
Configuration option = Default value	Description
`account_autocreate` = `false`	If set to 'true' authorized accounts that do not yet exist within the Swift cluster will be automatically created.
`allow_account_management` = `false`	Whether account PUTs and DELETEs are even callable
`auto_create_account_prefix` = `.`	Prefix to use when automatically creating accounts
`client_chunk_size` = `65536`	Chunk size to read from clients
`conn_timeout` = `0.5`	Connection timeout to external services
`deny_host_headers` =	No help text available for this option.
`error_suppression_interval` = `60`	Time in seconds that must elapse since the last error for a node to be considered no longer error limited
`error_suppression_limit` = `10`	Error count to consider a node error limited
`log_handoffs` = `true`	No help text available for this option.
`max_containers_per_account` = `0`	If set to a positive value, trying to create a container when the account already has at least this maximum containers will result in a 403 Forbidden. Note: This is a soft limit, meaning a user might exceed the cap for recheck_account_existence before the 403s kick in.
`max_containers_whitelist` =	is a comma separated list of account names that ignore the max_containers_per_account cap.
`max_large_object_get_time` = `86400`	No help text available for this option.
`node_timeout` = `10`	Request timeout to external services
`object_chunk_size` = `65536`	Chunk size to read from object servers
`object_post_as_copy` = `true`	Set object_post_as_copy = false to turn on fast posts where only the metadata changes are stored anew and the original data file is kept in place. This makes for quicker posts; but since the container metadata isn't updated in this mode, features like container sync won't be able to sync posts.
`post_quorum_timeout` = `0.5`	No help text available for this option.
`put_queue_depth` = `10`	No help text available for this option.
`read_affinity` = `r1z1=100, r1z2=200, r2=300`	No help text available for this option.
`recheck_account_existence` = `60`	Cache timeout in seconds to send memcached for account existence
`recheck_container_existence` = `60`	Cache timeout in seconds to send memcached for container existence
`recoverable_node_timeout` = `node_timeout`	Request timeout to external services for requests that, on failure, can be recovered from. For example, object GET. from a client external services
`request_node_count` = `2 replicas`*	* replicas Set to the number of nodes to contact for a normal request. You can use '* replicas' at the end to have it use the number given times the number of replicas for the ring being used for the request. conf file for values will only be shown to the list of swift_owners. The exact default definition of a swift_owner is headers> up to the auth system in use, but usually indicates administrative responsibilities. paste.deploy to use for auth. To use tempauth set to: `egg:swift#tempauth` each request
`set log_address` = `/dev/log`	Location where syslog sends the logs to
`set log_facility` = `LOG_LOCAL0`	Syslog log facility
`set log_level` = `INFO`	Log level
`set log_name` = `proxy-server`	Label to use when logging
`sorting_method` = `shuffle`	No help text available for this option.
`swift_owner_headers` = `x-container-read, x-container-write, x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-container-meta-temp-url-key, x-container-meta-temp-url-key-2, x-account-access-control`	These are the headers whose conf file for values will only be shown to the list of swift_owners. The exact default definition of a swift_owner is headers> up to the auth system in use, but usually indicates administrative responsibilities. paste.deploy to use for auth. To use tempauth set to: `egg:swift#tempauth` each request
`timing_expiry` = `300`	No help text available for this option.
`use` = `egg:swift#proxy`	Entry point of paste.deploy in the server
`write_affinity` = `r1, r2`	This setting lets you trade data distribution for throughput. It makes the proxy server prefer local back-end servers for object PUT requests over non-local ones. Note that only object PUT requests are affected by the write_affinity setting; POST, GET, HEAD, DELETE, OPTIONS, and account/container PUT requests are not affected. The format is r<N> for region N or r<N>z<M> for region N, zone M. If this is set, then when handling an object PUT request, some number (see the write_affinity_node_count setting) of local backend servers will be tried before any nonlocal ones. Example: try to write to regions 1 and 2 before writing to any other nodes: write_affinity = r1, r2
`write_affinity_node_count` = `2 replicas`*	This setting is only useful in conjunction with write_affinity; it governs how many local object servers will be tried before falling back to non-local ones. You can use '* replicas' at the end to have it use the number given times the number of replicas for the ring being used for the request: write_affinity_node_count = 2 * replicas

Table 10.49. Description of configuration options for `[pipeline-main]` in `proxy-server.conf`
Configuration option = Default value	Description
`pipeline` = `catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo proxy-logging proxy-server`	No help text available for this option.

Table 10.50. Description of configuration options for `[filter-account-quotas]` in `proxy-server.conf`
Configuration option = Default value	Description
`use` = `egg:swift#account_quotas`	Entry point of paste.deploy in the server

Table 10.51. Description of configuration options for `[filter-authtoken]` in `proxy-server.conf`
Configuration option = Default value	Description
`admin_password` = `password`	No help text available for this option.
`admin_tenant_name` = `service`	No help text available for this option.
`admin_user` = `swift`	No help text available for this option.
`auth_uri` = `http://keystonehost:5000/`	No help text available for this option.
`cache` = `swift.cache`	No help text available for this option.
`delay_auth_decision` = `False`	No help text available for this option.
`identity_uri` = `http://keystonehost:35357/`	No help text available for this option.
`include_service_catalog` = `False`	No help text available for this option.

Table 10.52. Description of configuration options for `[filter-cache]` in `proxy-server.conf`
Configuration option = Default value	Description
`memcache_max_connections` = `2`	Max number of connections to each memcached server per worker services
`memcache_serialization_support` = `2`	Sets how memcache values are serialized and deserialized
`memcache_servers` = `127.0.0.1:11211`	Comma-separated list of memcached servers ip:port services
`set log_address` = `/dev/log`	Location where syslog sends the logs to
`set log_facility` = `LOG_LOCAL0`	Syslog log facility
`set log_headers` = `false`	If True, log headers in each request
`set log_level` = `INFO`	Log level
`set log_name` = `cache`	Label to use when logging
`use` = `egg:swift#memcache`	Entry point of paste.deploy in the server

Table 10.53. Description of configuration options for `[filter-catch_errors]` in `proxy-server.conf`
Configuration option = Default value	Description
`set log_address` = `/dev/log`	Location where syslog sends the logs to
`set log_facility` = `LOG_LOCAL0`	Syslog log facility
`set log_headers` = `false`	If True, log headers in each request
`set log_level` = `INFO`	Log level
`set log_name` = `catch_errors`	Label to use when logging
`use` = `egg:swift#catch_errors`	Entry point of paste.deploy in the server

Table 10.54. Description of configuration options for `[filter-container_sync]` in `proxy-server.conf`
Configuration option = Default value	Description
`allow_full_urls` = `true`	No help text available for this option.
`current` = `//REALM/CLUSTER`	No help text available for this option.
`use` = `egg:swift#container_sync`	Entry point of paste.deploy in the server

Table 10.55. Description of configuration options for `[filter-dlo]` in `proxy-server.conf`
Configuration option = Default value	Description
`max_get_time` = `86400`	No help text available for this option.
`rate_limit_after_segment` = `10`	Rate limit the download of large object segments after this segment is downloaded.
`rate_limit_segments_per_sec` = `1`	Rate limit large object downloads at this rate. contact for a normal request. You can use '* replicas' at the end to have it use the number given times the number of replicas for the ring being used for the request. paste.deploy to use for auth. To use tempauth set to: `egg:swift#tempauth` each request
`use` = `egg:swift#dlo`	Entry point of paste.deploy in the server

Table 10.56. Description of configuration options for `[filter-gatekeeper]` in `proxy-server.conf`
Configuration option = Default value	Description
`set log_address` = `/dev/log`	Location where syslog sends the logs to
`set log_facility` = `LOG_LOCAL0`	Syslog log facility
`set log_headers` = `false`	If True, log headers in each request
`set log_level` = `INFO`	Log level
`set log_name` = `gatekeeper`	Label to use when logging
`use` = `egg:swift#gatekeeper`	Entry point of paste.deploy in the server

Table 10.57. Description of configuration options for `[filter-healthcheck]` in `proxy-server.conf`
Configuration option = Default value	Description
`disable_path` =	No help text available for this option.
`use` = `egg:swift#healthcheck`	Entry point of paste.deploy in the server

Table 10.58. Description of configuration options for `[filter-keystoneauth]` in `proxy-server.conf`
Configuration option = Default value	Description
`allow_names_in_acls` = `true`	The backwards compatible behavior can be disabled by setting this option to False.
`allow_overrides` = `true`	This option allows middleware higher in the WSGI pipeline to override auth processing, useful for middleware such as tempurl and formpost. If you know you are not going to use such middleware and you want a bit of extra security, you can set this to False.
`default_domain_id` = `default`	Name of the default domain. It is identified by its UUID, which by default has the value "default".
`is_admin` = `false`	If this option is set to True, it allows to give a user whose username is the same as the project name and who has any role in the project access rights elevated to be the same as if the user had one of the operator_roles. Note that the condition compares names rather than UUIDs. This option is deprecated. It is False by default.
`operator_roles` = `admin, swiftoperator`	Operator role defines the user which is allowed to manage a tenant and create containers or give ACL to others. This parameter may be prefixed with an appropriate prefix.
`reseller_admin_role` = `ResellerAdmin`	The reseller admin role gives the ability to create and delete accounts.
`reseller_prefix` = `AUTH`	The naming scope for the auth service. Swift
`service_roles` =	When present, this option requires that the X-Service-Token header supplies a token from a user who has a role listed in service_roles. This parameter may be prefixed with an appropriate prefix.
`use` = `egg:swift#keystoneauth`	Entry point of paste.deploy in the server

Table 10.59. Description of configuration options for `[filter-list-endpoints]` in `proxy-server.conf`
Configuration option = Default value	Description
`list_endpoints_path` = `/endpoints/`	No help text available for this option.
`use` = `egg:swift#list_endpoints`	Entry point of paste.deploy in the server

Table 10.60. Description of configuration options for `[filter-proxy-logging]` in `proxy-server.conf`
Configuration option = Default value	Description
`access_log_address` = `/dev/log`	No help text available for this option.
`access_log_facility` = `LOG_LOCAL0`	No help text available for this option.
`access_log_headers` = `false`	No help text available for this option.
`access_log_headers_only` =	If access_log_headers is True and access_log_headers_only is set only these headers are logged. Multiple headers can be defined as comma separated list like this: access_log_headers_only = Host, X-Object-Meta-Mtime
`access_log_level` = `INFO`	No help text available for this option.
`access_log_name` = `swift`	No help text available for this option.
`access_log_statsd_default_sample_rate` = `1.0`	No help text available for this option.
`access_log_statsd_host` = `localhost`	No help text available for this option.
`access_log_statsd_metric_prefix` =	No help text available for this option.
`access_log_statsd_port` = `8125`	No help text available for this option.
`access_log_statsd_sample_rate_factor` = `1.0`	No help text available for this option.
`access_log_udp_host` =	No help text available for this option.
`access_log_udp_port` = `514`	No help text available for this option.
`log_statsd_valid_http_methods` = `GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS`	No help text available for this option.
`logged with access_log_headers` = `True.`	No help text available for this option.
`reveal_sensitive_prefix` = `16`	The X-Auth-Token is sensitive data. If revealed to an unauthorised person, they can now make requests against an account until the token expires. Set reveal_sensitive_prefix to the number of characters of the token that are logged. For example reveal_sensitive_prefix = 12 so only first 12 characters of the token are logged. Or, set to 0 to completely remove the token.
`use` = `egg:swift#proxy_logging`	Entry point of paste.deploy in the server

Table 10.61. Description of configuration options for `[filter-tempauth]` in `proxy-server.conf`
Configuration option = Default value	Description
`allow_overrides` = `true`	This option allows middleware higher in the WSGI pipeline to override auth processing, useful for middleware such as tempurl and formpost. If you know you are not going to use such middleware and you want a bit of extra security, you can set this to False.
`auth_prefix` = `/auth/`	The HTTP request path prefix for the auth service. Swift itself reserves anything beginning with the letter `v`.
`require_group` =	No help text available for this option.
`reseller_prefix` = `AUTH`	The naming scope for the auth service. Swift
`set log_address` = `/dev/log`	Location where syslog sends the logs to
`set log_facility` = `LOG_LOCAL0`	Syslog log facility
`set log_headers` = `false`	If True, log headers in each request
`set log_level` = `INFO`	Log level
`set log_name` = `tempauth`	Label to use when logging
`storage_url_scheme` = `default`	Scheme to return with storage urls: http, https, or default (chooses based on what the server is running as) This can be useful with an SSL load balancer in front of a non-SSL server.
`token_life` = `86400`	The number of seconds a token is valid.
`use` = `egg:swift#tempauth`	Entry point of paste.deploy in the server
`user_admin_admin` = `admin .admin .reseller_admin`	No help text available for this option.
`user_test2_tester2` = `testing2 .admin`	No help text available for this option.
`user_test5_tester5` = `testing5 service`	No help text available for this option.
`user_test_tester` = `testing .admin`	No help text available for this option.
`user_test_tester3` = `testing3`	No help text available for this option.

Table 10.62. Description of configuration options for `[filter-xprofile]` in `proxy-server.conf`
Configuration option = Default value	Description
`dump_interval` = `5.0`	No help text available for this option.
`dump_timestamp` = `false`	No help text available for this option.
`flush_at_shutdown` = `false`	No help text available for this option.
`log_filename_prefix` = `/tmp/log/swift/profile/default.profile`	No help text available for this option.
`path` = `/__profile__`	No help text available for this option.
`profile_module` = `eventlet.green.profile`	No help text available for this option.
`unwind` = `false`	No help text available for this option.
`use` = `egg:swift#xprofile`	Entry point of paste.deploy in the server

Questions? Discuss on ask.openstack.org
Found an error? Report a bug against this page

Legal notices