286 lines
6.3 KiB
Plaintext
286 lines
6.3 KiB
Plaintext
[system]
|
||
nr_worker_threads=8
|
||
enable_kni_v1=0
|
||
enable_kni_v2=0
|
||
enable_kni_v3=0
|
||
enable_kni_v4=1
|
||
|
||
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
|
||
disable_coredump=0
|
||
enable_breakpad=1
|
||
enable_breakpad_upload=1
|
||
breakpad_upload_url=http://sentry.mesalab.cn:9000/api/3/minidump/?sentry_key=e8e446bb3bd8435c97f4c01770ca7025
|
||
# must be /run/tfe/crashreport,due to tmpfile limit
|
||
breakpad_minidump_dir=/run/tfe/crashreport
|
||
|
||
# ask for at least (1 + nr_worker_threads) masks
|
||
# the first mask for acceptor thread
|
||
# the others mask for worker thread
|
||
enable_cpu_affinity=0
|
||
cpu_affinity_mask=1-9
|
||
# LEAST_CONN = 0; ROUND_ROBIN = 1
|
||
load_balance=1
|
||
|
||
|
||
# for enable kni v3
|
||
[nfq]
|
||
device=tap0
|
||
queue_id=1
|
||
queue_maxlen=655350
|
||
queue_rcvbufsiz=983025000
|
||
queue_no_enobufs=1
|
||
|
||
[kni]
|
||
# kni v1
|
||
#uxdomain=/var/run/.tfe_kni_acceptor_handler
|
||
# kni v2
|
||
#scm_socket_file=/var/run/.tfe_kmod_scm_socket
|
||
|
||
# send cmsg
|
||
send_switch=1
|
||
ip=192.168.100.1
|
||
cmsg_port=2475
|
||
|
||
# watch dog
|
||
watchdog_switch=1
|
||
watchdog_port=2476
|
||
|
||
[watchdog_tfe]
|
||
# The worker thread updates the timestamp every two seconds
|
||
# The watchdog thread checks the timestamp every second
|
||
enable=1
|
||
timeout_seconds=5
|
||
statistics_window=20
|
||
timeout_cnt_as_fail=3
|
||
timeout_debug=0
|
||
|
||
[ssl]
|
||
ssl_debug=0
|
||
ssl_ja3_table=PXY_SSL_FINGERPRINT
|
||
# ssl version Not available, configured via TSG website
|
||
# ssl_max_version=tls13
|
||
# ssl_min_version=ssl3
|
||
ssl_compression=1
|
||
no_ssl2=1
|
||
no_ssl3=0
|
||
no_tls10=0
|
||
no_tls11=0
|
||
no_tls12=0
|
||
default_ciphers=ALL:-aNULL
|
||
no_cert_verify=0
|
||
|
||
# session ticket
|
||
no_session_ticket=0
|
||
stek_group_num=4096
|
||
stek_rotation_time=3600
|
||
|
||
# session cache
|
||
no_session_cache=0
|
||
session_cache_slots=4194304
|
||
session_cache_expire_seconds=1800
|
||
|
||
# service cache
|
||
service_cache_slots=4194304
|
||
service_cache_expire_seconds=300
|
||
service_cache_fail_as_pinning_cnt=4
|
||
service_cache_fail_as_proto_err_cnt=5
|
||
service_cache_fail_time_window=30
|
||
|
||
# cert
|
||
check_cert_crl=0
|
||
trusted_cert_load_local=1
|
||
# trusted_cert_file=resource/tfe/tls-ca-bundle.pem
|
||
trusted_cert_file=resource/tfe/tsg_diagonse_ca.pem
|
||
trusted_cert_dir=resource/tfe/trusted_storage
|
||
|
||
# master key
|
||
log_master_key=0
|
||
key_log_file=log/sslkeylog.log
|
||
|
||
# mid cert cache
|
||
mc_cache_enable=1
|
||
|
||
[key_keeper]
|
||
#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
|
||
#0 on cache 1 off cache
|
||
no_cache=0
|
||
mode=normal
|
||
cert_store_host=192.168.10.8
|
||
cert_store_port=9991
|
||
ca_path=resource/tfe/tango-ca-trust-ca.pem
|
||
untrusted_ca_path=resource/tfe/tango-ca-untrust-ca.pem
|
||
hash_slot_size=131072
|
||
hash_expire_seconds=300
|
||
cert_expire_time=24
|
||
|
||
# health_check only for "mode=normal" default 1
|
||
enable_health_check=1
|
||
|
||
[tsg_http]
|
||
enable_plugin=1
|
||
en_sendlog=1
|
||
|
||
[debug]
|
||
# 1 : enforce tcp passthrough
|
||
# 0 : Whether to passthrough depends on the tcp_options in cmsg
|
||
passthrough_all_tcp=0
|
||
|
||
[ratelimit]
|
||
read_rate=0
|
||
read_burst=0
|
||
write_rate=0
|
||
write_burst=0
|
||
|
||
[tcp]
|
||
# read rcv_buff/snd_buff options from tfe conf
|
||
sz_rcv_buffer=-1
|
||
sz_snd_buffer=-1
|
||
|
||
# 1 : use tcp_options in tfe.conf
|
||
# 0 : use tcp_options in cmsg
|
||
enable_overwrite=0
|
||
tcp_nodelay=1
|
||
so_keepalive=1
|
||
tcp_keepcnt=8
|
||
tcp_keepintvl=15
|
||
tcp_keepidle=30
|
||
tcp_user_timeout=600
|
||
tcp_ttl_upstream=75
|
||
tcp_ttl_downstream=70
|
||
|
||
[stat]
|
||
statsd_server=127.0.0.1
|
||
statsd_port=8100
|
||
statsd_cycle=5
|
||
# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
|
||
statsd_format=2
|
||
histogram_bins=0.5,0.8,0.9,0.95
|
||
statsd_set_prometheus_port=9001
|
||
statsd_set_prometheus_url_path=/tfe_prometheus
|
||
|
||
[traffic_mirror]
|
||
enable=1
|
||
device=eth4
|
||
# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
|
||
type=1
|
||
default_vlan_id=2
|
||
table_info=resource/pangu/table_info_traffic_mirror.conf
|
||
stat_file=log/traffic_mirror.status
|
||
app_symbol=tfe-mirror
|
||
|
||
[traffic_steering]
|
||
enable_steering_http=0
|
||
enable_steering_ssl=0
|
||
# 17: 0x11
|
||
so_mask_client=17
|
||
# 34: 0x22
|
||
so_mask_server=34
|
||
device_client=tap_c
|
||
device_server=tap_s
|
||
|
||
http_keepalive_enable=1
|
||
http_keepalive_path="/metrics"
|
||
http_keepalive_addr=192.168.41.60
|
||
http_keepalive_port=9273
|
||
|
||
[kafka]
|
||
enable=1
|
||
vsystem_id=1
|
||
NIC_NAME=enp2s0
|
||
kafka_brokerlist=192.168.40.224:9092
|
||
logger_send_topic=PROXY-EVENT
|
||
file_bucket_topic=TRAFFIC-FILE-STREAM-RECORD
|
||
mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
|
||
sasl_username=admin
|
||
sasl_passwd=galaxy2019
|
||
device_id_filepath=/opt/tsg/etc/tsg_sn.json
|
||
|
||
[maat]
|
||
# 0:json 1:redis 2:iris
|
||
maat_input_mode=1
|
||
stat_switch=1
|
||
perf_switch=1
|
||
table_info=resource/pangu/table_info.conf
|
||
accept_path=/opt/tsg/etc/tsg_device_tag.json
|
||
accept_tag_key=device_id
|
||
stat_file=log/pangu_scan.fs2
|
||
effect_interval_s=1
|
||
deferred_load_on=0
|
||
|
||
# json mode conf iterm
|
||
json_cfg_file=resource/pangu/pangu_http.json
|
||
|
||
# redis mode conf iterm
|
||
maat_redis_server=10.4.34.4
|
||
maat_redis_port_range=6380-6389
|
||
maat_redis_db_index=4
|
||
|
||
# iris mode conf iterm
|
||
full_cfg_dir=pangu_policy/full/index/
|
||
inc_cfg_dir=pangu_policy/inc/index/
|
||
|
||
|
||
[proxy_hits]
|
||
cycle=1000
|
||
telegraf_port=8400
|
||
telegraf_ip=127.0.0.1
|
||
app_name="proxy_rule_hits"
|
||
|
||
# for enable kni v4
|
||
[packet_io]
|
||
dup_packet_filter_enable=1
|
||
dup_packet_filter_capacity=1000000
|
||
dup_packet_filter_timeout=10
|
||
# MESA_load_profile not support double
|
||
#dup_packet_filter_error_rate=0.00001
|
||
packet_io_debug=0
|
||
packet_io_threads=8
|
||
packet_io_cpu_affinity_mask=1-9
|
||
|
||
firewall_sids=1000
|
||
proxy_sids=1001
|
||
service_chaining_sids=1002
|
||
|
||
# bypass_all_traffic:1 NF2NF and SF2SF
|
||
bypass_all_traffic=0
|
||
|
||
rx_burst_max=128
|
||
app_symbol=tfe
|
||
dev_nf_interface=eth_nf_interface
|
||
|
||
src_mac_addr = 00:0e:c6:d6:72:c1
|
||
|
||
# tap config
|
||
tap_name=tap0
|
||
|
||
# 1.tap_allow_mutilthread=1 load bpf rss obj
|
||
# 2.tap_allow_mutilthread=0 not load bpf rss obj
|
||
tap_allow_mutilthread=1
|
||
bpf_obj=/opt/tsg/tfe/resource/bpf/bpf_tun_rss_steering.o
|
||
# tap_bpf_debug_log: cat /sys/kernel/debug/tracing/trace_pipe
|
||
bpf_debug_log=0
|
||
# 2: BPF 使用二元组分流
|
||
# 4: BPF 使用四元组分流
|
||
bpf_hash_mode=4
|
||
|
||
# 配置 tap 网卡的 RPS
|
||
tap_rps_enable=1
|
||
tap_rps_mask=0,1fffffff,c0000000,00000000
|
||
|
||
# iouring config
|
||
enable_iouring=1
|
||
enable_debuglog=0
|
||
ring_size=1024
|
||
buff_size=2048
|
||
# io_uring_setup() flags
|
||
# IORING_SETUP_IOPOLL (1U << 0) /* io_context is polled */
|
||
# IORING_SETUP_SQPOLL (1U << 1) /* SQ poll thread */
|
||
# IORING_SETUP_SQ_AFF (1U << 2) /* sq_thread_cpu is valid */
|
||
# IORING_SETUP_CQSIZE (1U << 3) /* app defines CQ size */
|
||
# IORING_SETUP_CLAMP (1U << 4) /* clamp SQ/CQ ring sizes */
|
||
# IORING_SETUP_ATTACH_WQ (1U << 5) /* attach to existing wq */
|
||
# IORING_SETUP_R_DISABLED (1U << 6) /* start with ring disabled */
|
||
# IORING_SETUP_SUBMIT_ALL (1U << 7) /* continue submit on error */
|
||
flags=0
|
||
sq_thread_idle=0
|