tango-tfe/conf/tfe/tfe.conf

[system]
nr_worker_threads=8
enable_kni_v1=0
enable_kni_v2=0
enable_kni_v3=1

# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
disable_coredump=0
enable_breakpad=1
enable_breakpad_upload=1
breakpad_upload_url=http://sentry.mesalab.cn:9000/api/3/minidump/?sentry_key=e8e446bb3bd8435c97f4c01770ca7025
# must be /run/tfe/crashreport，due to tmpfile limit
breakpad_minidump_dir=/run/tfe/crashreport

# ask for at least (1 + nr_worker_threads) masks
# the first  mask for acceptor thread
# the others mask for worker   thread
enable_cpu_affinity=0
cpu_affinity_mask=1-9
# LEAST_CONN = 0; ROUND_ROBIN = 1
load_balance=1

# for enable kni v3
[nfq]
device=tap0
queue_id=1
queue_maxlen=655350
queue_rcvbufsiz=983025000
queue_no_enobufs=1

[kni]
# kni v1
#uxdomain=/var/run/.tfe_kni_acceptor_handler
# kni v2
#scm_socket_file=/var/run/.tfe_kmod_scm_socket

# send cmsg
send_switch=1
ip=192.168.100.1
cmsg_port=2475

# watch dog
watchdog_switch=1
watchdog_port=2476

[watchdog_tfe]
# The worker thread updates the timestamp every two seconds
# The watchdog thread checks the timestamp every second
enable=1
timeout_seconds=5
statistics_window=20
timeout_cnt_as_fail=3
timeout_debug=0

[ssl]
ssl_debug=0
ssl_ja3_table=PXY_SSL_FINGERPRINT
# ssl version Not available, configured via TSG website
# ssl_max_version=tls13
# ssl_min_version=ssl3
ssl_compression=1
no_ssl2=1
no_ssl3=0
no_tls10=0
no_tls11=0
no_tls12=0
default_ciphers=ALL:-aNULL
no_cert_verify=0

# session ticket
no_session_ticket=0
stek_group_num=4096
stek_rotation_time=3600

# session cache
no_session_cache=0
session_cache_slots=4194304
session_cache_expire_seconds=1800

# service cache
service_cache_slots=4194304
service_cache_expire_seconds=300
service_cache_fail_as_pinning_cnt=4
service_cache_fail_as_proto_err_cnt=5
service_cache_fail_time_window=30

# cert
check_cert_crl=0
trusted_cert_load_local=1
# trusted_cert_file=resource/tfe/tls-ca-bundle.pem
trusted_cert_file=resource/tfe/tsg_diagonse_ca.pem
trusted_cert_dir=resource/tfe/trusted_storage

# master key
log_master_key=0
key_log_file=log/sslkeylog.log

# mid cert cache
mc_cache_enable=1
mc_vsystem_id=1
mc_cache_eth=eth0
mc_cache_broker_list=192.168.40.224:9092
mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
sasl_username=admin
sasl_passwd=galaxy2019

[key_keeper]
#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
#0 on cache 1 off cache
no_cache=0
mode=normal
cert_store_host=192.168.10.8
cert_store_port=9991
ca_path=resource/tfe/tango-ca-trust-ca.pem
untrusted_ca_path=resource/tfe/tango-ca-untrust-ca.pem
hash_slot_size=131072
hash_expire_seconds=300
cert_expire_time=24

# health_check only for "mode=normal" default 1
enable_health_check=1

[debug]
# 1 : enforce tcp passthrough
# 0 : Whether to passthrough depends on the tcp_options in cmsg
passthrough_all_tcp=0

[ratelimit]
read_rate=0
read_burst=0
write_rate=0
write_burst=0

[tcp]
# read rcv_buff/snd_buff options from tfe conf
sz_rcv_buffer=-1
sz_snd_buffer=-1

# 1 : use tcp_options in tfe.conf
# 0 : use tcp_options in cmsg
enable_overwrite=0
tcp_nodelay=1
so_keepalive=1
tcp_keepcnt=8
tcp_keepintvl=15
tcp_keepidle=30
tcp_user_timeout=600
tcp_ttl_upstream=75
tcp_ttl_downstream=70

[stat]
statsd_server=127.0.0.1
statsd_port=8100
statsd_cycle=5
# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
statsd_format=2
histogram_bins=0.5,0.8,0.9,0.95
statsd_set_prometheus_port=9001
statsd_set_prometheus_url_path=/tfe_prometheus

[traffic_mirror]
enable=1
device=eth4
# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
type=1
default_vlan_id=2
table_info=resource/pangu/table_info_traffic_mirror.conf
stat_file=log/traffic_mirror.status

[traffic_steering]
enable_steering_http=1
enable_steering_ssl=1
# 17: 0x11
so_mask_client=17
# 34: 0x22
so_mask_server=34
device_client=eth_client
device_server=eth_server

http_keepalive_enable=1
http_keepalive_path="/metrics"
http_keepalive_addr=192.168.41.60
http_keepalive_port=9273

[kafka]
enable=1
vsystem_id=1
NIC_NAME=enp2s0
kafka_brokerlist=192.168.40.224:9092
kafka_topic=PROXY-EVENT
sasl_username=admin
sasl_passwd=galaxy2019
device_id_filepath=/opt/tsg/etc/tsg_sn.json

[maat]
# 0:json 1:redis 2:iris
maat_input_mode=1
stat_switch=1
perf_switch=1
table_info=resource/pangu/table_info.conf
accept_path=/opt/tsg/etc/tsg_device_tag.json
accept_tag_key=device_id
stat_file=log/pangu_scan.fs2
effect_interval_s=1
deferred_load_on=0

# json mode conf iterm
json_cfg_file=resource/pangu/pangu_http.json

# redis mode conf iterm
maat_redis_server=10.4.34.4
maat_redis_port_range=6380-6389
maat_redis_db_index=4

# iris mode conf iterm
full_cfg_dir=pangu_policy/full/index/
inc_cfg_dir=pangu_policy/inc/index/

[proxy_hits]
cycle=1000
telegraf_port=8400
telegraf_ip=127.0.0.1
app_name="proxy_rule_hits"