# Template for tfe.conf. Text between the raw/endraw markers is emitted verbatim by this
# render pass, so the Jinja expressions inside them are presumably evaluated by a later
# pass - confirm against the deployment tooling.
[system]
|
||
nr_worker_threads={{ workload_proxy.worker_thread }}
|
||
# Only the v3 KNI path is switched on here; the [nfq] section is annotated as belonging to it.
enable_kni_v1=0
|
||
enable_kni_v2=0
|
||
enable_kni_v3=1
|
||
|
||
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
|
||
|
||
# coredump.format selects one of three key sets: 'none', 'core' or 'minidump'.
# Any other value emits none of the three keys. Inside the 'minidump' branch,
# enable_breakpad_upload is emitted only when coredump.collect is 'sentry' or 'local'.
# NOTE(review): what tfe defaults to when a key is absent is not visible here - confirm.
{% raw %}{% if coredump.format == 'none' %}
|
||
disable_coredump=1
|
||
enable_breakpad=0
|
||
enable_breakpad_upload=0
|
||
{% endif %}
|
||
{% if coredump.format == 'core' %}
|
||
disable_coredump=0
|
||
enable_breakpad=0
|
||
enable_breakpad_upload=0
|
||
{% endif %}
|
||
{% if coredump.format == 'minidump' %}
|
||
disable_coredump=1
|
||
enable_breakpad=1
|
||
{% if coredump.collect == 'sentry' %}
|
||
enable_breakpad_upload=1
|
||
breakpad_upload_url={{ coredump.sentry_url }}
|
||
{% endif %}
|
||
{% if coredump.collect == 'local' %}
|
||
enable_breakpad_upload=0
|
||
{% endif %}
|
||
{% endif %}
|
||
{% endraw %}
|
||
# NOTE(review): core files and minidumps are snapshots of process memory. For a process
# that terminates TLS (see [ssl] and [key_keeper]) they may contain key material or
# decrypted payload. Keep the dump directory readable only by the service account, and
# confirm that coredump.sentry_url points at an HTTPS endpoint with access control.
# must be /run/tfe/crashreport, due to tmpfile limit
|
||
breakpad_minidump_dir=/run/tfe/crashreport
|
||
breakpad_upload_tools=/opt/tsg/framework/bin/minidump_upload
|
||
|
||
# ask for at least (1 + nr_worker_threads) masks
|
||
# the first mask for acceptor thread
|
||
# the others mask for worker thread
|
||
enable_cpu_affinity={{ workload_proxy.enable_cpu_affinity }}
|
||
cpu_affinity_mask={{ workload_proxy.cpu_affinity }}
|
||
|
||
# LEAST_CONN = 0; ROUND_ROBIN = 1
|
||
load_balance=1
|
||
|
||
# for enable kni v3
|
||
# Queue parameters for the v3 KNI path (enable_kni_v3 in [system]).
# NOTE(review): "nfq" presumably means a netfilter queue - confirm.
[nfq]
|
||
queue_id=1
|
||
# Units are not stated in this file; presumably packets for queue_maxlen and bytes for
# queue_rcvbufsiz - confirm. If queue_rcvbufsiz is a socket receive buffer size, the
# kernel may cap it below the requested value, so check the effective size on the host.
queue_maxlen=655350
|
||
queue_rcvbufsiz=983025000
|
||
queue_no_enobufs=1
|
||
|
||
# Control-message (cmsg) and watchdog channel settings for the KNI path.
[kni]
|
||
# kni v1
|
||
#uxdomain=/var/run/.tfe_kni_acceptor_handler
|
||
# kni v2
|
||
#scm_socket_file=/var/run/.tfe_kmod_scm_socket
|
||
|
||
# send cmsg
|
||
send_switch=1
|
||
# ip is emitted only when dp_steering_proxy.location is exactly 'local' or 'foreign';
# any other value leaves the key out of the rendered file.
# NOTE(review): nothing in this file configures authentication for the cmsg or watchdog
# channel. In the 'foreign' case the peer is off-host, so restrict cmsg_port and
# watchdog_port to that peer with host firewall rules unless the protocol authenticates itself.
{% if dp_steering_proxy.location == 'local' %}
|
||
ip=127.0.0.1
|
||
{% endif %}
|
||
{% if dp_steering_proxy.location == 'foreign'%}
|
||
ip=192.168.100.1
|
||
{% endif %}
|
||
cmsg_port=2475
|
||
|
||
# watch dog
|
||
watchdog_switch=1
|
||
watchdog_port=2476
|
||
|
||
# Liveness monitoring of the worker threads.
[watchdog_tfe]
|
||
# The worker thread updates the timestamp every two seconds
|
||
# The watchdog thread checks the timestamp every second
|
||
enable=1
|
||
# A timestamp older than timeout_seconds presumably counts as one timeout, and
# timeout_cnt_as_fail timeouts within statistics_window mark the worker as failed.
# The unit of statistics_window is not stated here - confirm.
timeout_seconds=5
|
||
statistics_window=20
|
||
timeout_cnt_as_fail=3
|
||
timeout_debug=0
|
||
|
||
# TLS handling of the proxy: protocol versions, ciphers, session reuse, upstream
# certificate checks and key logging.
[ssl]
|
||
ssl_debug=0
|
||
ssl_ja3_table=PXY_SSL_FINGERPRINT
|
||
# ssl_max_version / ssl_min_version are not available here; versions are configured via the TSG website
|
||
# ssl_max_version=tls13
|
||
# ssl_min_version=ssl3
|
||
# NOTE(review): if 1 enables TLS-level compression, that is the precondition for
# CRIME-style attacks on secrets carried in the stream; prefer 0 unless a peer needs it.
ssl_compression=1
|
||
# NOTE(review): going by the names, no_X=0 leaves protocol X enabled, so SSLv3,
# TLS 1.0 and TLS 1.1 stay available here. SSLv3 is deprecated by RFC 7568 and
# TLS 1.0/1.1 by RFC 8996. The comment above says versions are set via the TSG website;
# confirm which setting wins and that the legacy versions are offered deliberately.
no_ssl2=1
|
||
no_ssl3=0
|
||
no_tls10=0
|
||
no_tls11=0
|
||
no_tls12=0
|
||
# NOTE(review): this looks like an OpenSSL cipher string. "ALL" minus anonymous suites
# still admits every legacy suite the linked TLS library ships; consider an explicit
# allow-list of AEAD suites with forward secrecy if legacy peers are not required.
default_ciphers=ALL:-aNULL
|
||
# Keep at 0: by its name, 1 would turn off certificate verification - confirm which side.
no_cert_verify=0
|
||
|
||
# session ticket
|
||
no_session_ticket=0
|
||
# stek presumably stands for session ticket encryption key; rotation time presumably in seconds.
stek_group_num=4096
|
||
stek_rotation_time=3600
|
||
|
||
# session cache
|
||
no_session_cache=0
|
||
session_cache_slots=4194304
|
||
session_cache_expire_seconds=1800
|
||
|
||
# service cache
|
||
service_cache_slots=4194304
|
||
service_cache_expire_seconds=300
|
||
service_cache_fail_as_pinning_cnt=4
|
||
service_cache_fail_as_proto_err_cnt=5
|
||
#service_cache_succ_as_app_not_pinning_cnt=0
|
||
service_cache_fail_time_window=30
|
||
|
||
# cert
|
||
# NOTE(review): with check_cert_crl=0, revoked upstream certificates are presumably
# accepted as long as the chain validates - confirm that this is intended.
check_cert_crl=0
|
||
trusted_cert_load_local=1
|
||
# NOTE(review): the file name suggests a diagnostic CA is added to the trust store.
# Confirm it belongs in production and that its private key is tightly held.
trusted_cert_file=resource/tfe/tsg_diagnose_ca.pem
|
||
trusted_cert_dir=resource/tfe/trusted_storage
|
||
|
||
# master key
|
||
# Keep log_master_key=0 outside of debugging: a key log presumably holds the secrets
# needed to decrypt captured sessions. If it is ever enabled, restrict access to
# key_log_file and remove the file afterwards.
log_master_key=0
|
||
key_log_file=log/sslkeylog.log
|
||
|
||
# mid cert cache
|
||
mc_cache_enable=1
|
||
|
||
# Source of the certificates the proxy issues: a cert store service (mode=normal)
# or local generation from ca_path (mode=debug).
[key_keeper]
|
||
# Mode: debug - generate cert with ca_path, normal - generate cert with cert store
|
||
# 0: cache on, 1: cache off
|
||
no_cache=0
|
||
mode=normal
|
||
# cert_store_host is emitted only when dp_certstore.location is exactly 'local' or
# 'foreign'; any other value leaves the key out of the rendered file.
# NOTE(review): no transport security or authentication setting for the cert store
# connection is visible in this section. In the 'foreign' case issued certificates and
# keys presumably cross the network - confirm how that link is protected.
{% if dp_certstore.location == 'local' %}
|
||
cert_store_host=127.0.0.1
|
||
{% endif %}
|
||
{% if dp_certstore.location == 'foreign'%}
|
||
cert_store_host=192.168.100.1
|
||
{% endif %}
|
||
cert_store_port=9991
|
||
# NOTE(review): if these PEM files include the CA private keys (needed to sign in
# debug mode), they must be readable by the service account only.
ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
|
||
untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
|
||
hash_slot_size=131072
|
||
hash_expire_seconds=300
|
||
# Unit is not stated in this file (presumably hours) - confirm.
cert_expire_time=24
|
||
|
||
# health_check only for "mode=normal" default 1
|
||
enable_health_check=1
|
||
|
||
# HTTP plugin switches.
[tsg_http]
|
||
enable_plugin=1
|
||
# Presumably turns on sending of HTTP logs - confirm where they go and what fields they carry.
en_sendlog=1
|
||
|
||
# Debug override for TCP passthrough.
[debug]
|
||
# 1 : enforce tcp passthrough
|
||
# 0 : Whether to passthrough depends on the tcp_options in cmsg
|
||
# NOTE(review): 1 presumably bypasses proxy processing for every connection, so keep 0
# in production and alert if a rendered config carries 1.
passthrough_all_tcp=0
|
||
|
||
# Read/write rate limits. All four values are 0 here.
# NOTE(review): presumably 0 means "no limit"; units are not stated in this file - confirm.
[ratelimit]
|
||
read_rate=0
|
||
read_burst=0
|
||
write_rate=0
|
||
write_burst=0
|
||
|
||
# Socket options applied to proxied TCP connections.
[tcp]
|
||
# read rcv_buff/snd_buff options from tfe conf
|
||
# NOTE(review): -1 presumably leaves the buffer sizes at the system default - confirm.
sz_rcv_buffer=-1
|
||
sz_snd_buffer=-1
|
||
|
||
# 1 : use tcp_options in tfe.conf
|
||
# 0 : use tcp_options in cmsg
|
||
enable_overwrite=0
|
||
tcp_nodelay=1
|
||
so_keepalive=1
|
||
# The keepalive values below presumably follow the Linux socket options of the same
# names (probe count, then seconds) - confirm.
tcp_keepcnt=8
|
||
tcp_keepintvl=15
|
||
tcp_keepidle=30
|
||
# NOTE(review): the Linux TCP_USER_TIMEOUT socket option is given in milliseconds;
# confirm which unit tfe expects for this key.
tcp_user_timeout=600
|
||
# Different TTLs are set for the upstream and downstream sides.
tcp_ttl_upstream=75
|
||
tcp_ttl_downstream=70
|
||
|
||
# Metrics export: statsd/influx-line push plus a Prometheus scrape endpoint.
[stat]
|
||
# statsd_server is emitted only when dp_steering_proxy.location is exactly 'foreign'
# or 'local'; any other value leaves the key out of the rendered file.
{% if dp_steering_proxy.location == 'foreign' %}
|
||
statsd_server=192.168.100.1
|
||
{% endif %}
|
||
{% if dp_steering_proxy.location == 'local' %}
|
||
statsd_server=127.0.0.1
|
||
{% endif %}
|
||
statsd_port=8900
|
||
statsd_cycle=5
|
||
# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
|
||
statsd_format=2
|
||
histogram_bins=0.5,0.8,0.9,0.95
|
||
# NOTE(review): no bind address is set for the Prometheus endpoint in this file.
# Confirm which interfaces port 9001 listens on and limit it to the monitoring hosts.
statsd_set_prometheus_port=9001
|
||
statsd_set_prometheus_url_path=/metrics
|
||
|
||
# Copies traffic to a NIC for out-of-band consumers.
# NOTE(review): if the mirrored traffic is the decrypted stream, the mirror device and
# VLAN carry plaintext of intercepted sessions. Confirm, and treat that segment and
# everything attached to it as sensitive.
[traffic_mirror]
|
||
enable={{ dp_proxy.enable_traffic_mirror }}
|
||
device={{ dp_traffic_mirror.nic_name }}
|
||
# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
|
||
type={{ dp_proxy.traffic_mirror_type }}
|
||
|
||
table_info=resource/pangu/table_info_traffic_mirror.conf
|
||
stat_file=log/traffic_mirror.status
|
||
default_vlan_id={{ dp_traffic_mirror.traffic_mirror_vlan_id }}
|
||
|
||
# Kafka producer settings for event logs, file stream records and the intermediate
# certificate cache topic.
[kafka]
|
||
enable=1
|
||
NIC_NAME={{ control_and_policy.nic_name }}
|
||
{% raw %}kafka_brokerlist={{ olap.kafka_broker.address_list | join(",") }}
|
||
{% endraw %}
|
||
logger_send_topic=PROXY-EVENT
|
||
file_bucket_topic=TRAFFIC-FILE-STREAM-RECORD
|
||
mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
|
||
# NOTE(review): the SASL user name and password are literals in the template, so every
# rendered config and every copy of the repository holds the same broker credential.
# Treat the value as disclosed: rotate it, supply it from a secret store or vaulted
# variable, and use a per-deployment account with produce-only rights instead of "admin".
# No SASL mechanism or TLS setting is visible in this section; confirm the password is
# not sent to the brokers over an unencrypted connection.
sasl_username=admin
|
||
sasl_passwd=galaxy2019
|
||
device_id_filepath=/opt/tsg/etc/tsg_sn.json
|
||
vsystem_id={% raw %}{{ vsys_id }}
|
||
{% endraw %}
|
||
|
||
# Policy (maat) loading. maat_input_mode picks one of the json, redis or iris blocks below.
[maat]
|
||
# 0:json 1:redis 2:iris
|
||
maat_input_mode=1
|
||
stat_switch=1
|
||
perf_switch=1
|
||
table_info=resource/pangu/table_info.conf
|
||
accept_path=/opt/tsg/etc/tsg_device_tag.json
|
||
stat_file=log/pangu_scan.fs2
|
||
effect_interval_s=1
|
||
deferred_load_on=0
|
||
|
||
# json mode conf item
|
||
json_cfg_file=resource/pangu/pangu_http.json
|
||
|
||
# redis mode conf item
|
||
# NOTE(review): no Redis password or TLS key is visible in this section. The proxy
# takes its policy from this server, so whoever can write to that Redis database can
# presumably change enforcement; confirm the link is authenticated or network-isolated.
|
||
maat_redis_server={% raw %}{{ cm_policy_server_ip }}
|
||
{% endraw %}
|
||
maat_redis_port_range={% raw %}{{ cm_policy_server_port }}
|
||
{% endraw %}
|
||
{% raw %}maat_redis_db_index={{ vsys_id }}
|
||
{% endraw %}
|
||
|
||
# iris mode conf item
|
||
full_cfg_dir=pangu_policy/full/index/
|
||
inc_cfg_dir=pangu_policy/inc/index/
|
||
accept_tag_key=data_center
|
||
|
||
# Rule-hit counters reported to telegraf.
[proxy_hits]
|
||
# Unit of cycle is not stated in this file (presumably milliseconds) - confirm.
cycle=1000
|
||
telegraf_port=8900
|
||
# telegraf_ip is emitted only when dp_steering_proxy.location is exactly 'local' or
# 'foreign'; any other value leaves the key out of the rendered file.
{% if dp_steering_proxy.location == 'local' %}
|
||
telegraf_ip=127.0.0.1
|
||
{% endif %}
|
||
{% if dp_steering_proxy.location == 'foreign'%}
|
||
telegraf_ip=192.168.100.1
|
||
{% endif %}
|
||
# This value is quoted while other string values in the file are not. Whether the
# quotes are stripped depends on the parser - confirm they do not end up in the name.
app_name="proxy_rule_hits"
|
||
|
||
# Steering of HTTP/SSL traffic through tap devices; both switches are off here.
# NOTE(review): if steering hands decrypted traffic to the tap devices, access to
# tap_c and tap_s should be limited to the intended consumer - confirm.
[traffic_steering]
|
||
enable_steering_http=0
|
||
enable_steering_ssl=0
|
||
# 17: 0x11
|
||
so_mask_client=17
|
||
# 34: 0x22
|
||
so_mask_server=34
|
||
device_client=tap_c
|
||
device_server=tap_s
|
||
|
||
# HTTP keepalive probe, disabled here. The address is a literal, unlike the
# local/foreign addresses templated in other sections; the path is quoted, and whether
# the quotes are stripped depends on the parser - confirm both before enabling.
http_keepalive_enable=0
|
||
http_keepalive_path="/metrics"
|
||
http_keepalive_addr=192.168.41.60
|
||
http_keepalive_port=9273
|