-
Notifications
You must be signed in to change notification settings - Fork 37
Expand file tree
/
Copy pathproxy.toml
More file actions
132 lines (107 loc) · 3.79 KB
/
proxy.toml
File metadata and controls
132 lines (107 loc) · 3.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# workdir = "./work"
[proxy]
# addr = "0.0.0.0:6000"
# advertise-addr = ""
# tcp-keep-alive = true
# possible values:
# "" => disable proxy protocol.
# "v2" => accept proxy protocol if any, require backends to support proxy protocol.
# proxy-protocol = ""
# graceful-wait-before-shutdown is recommanded to be set to 0 when there's no other proxy(e.g. NLB) between the client and TiProxy.
# possible values:
# 0 => begin to drain clients immediately.
# 30 => HTTP status returns unhealthy and the SQL port accepts new connections for the last 30 seconds. After that, refuse new connections and drain clients.
# graceful-wait-before-shutdown = 0
# graceful-close-conn-timeout is recommanded to be set longer than the lifecycle of a transaction.
# possible values:
# 0 => force closing connections immediately.
# 15 => close connections when they have finished current transactions (AKA drain clients). After 15s, force closing all the connections.
graceful-close-conn-timeout = 15
# possible values:
# "" => enable static routing.
# "pd-addr:pd-port" => automatically tidb discovery.
# pd-addrs = "127.0.0.1:2379"
# possible values:
# 0 => no limitation.
# 100 => accept as many as 100 connections.
# max-connections = 0
# It's a tradeoff between memory and performance.
# possible values:
# 0 => default value
# 1K to 16M
# conn-buffer-size = 0
[api]
# addr = "0.0.0.0:3080"
# enable HTTP basic auth or not.
#
# enable-basic-auth = false
# user = ""
# password = ""
# same as [proxy.proxy-protocol], but for HTTP port
# proxy-protocol = ""
[log]
# level = "info"
# possible values:
# "tidb" => formats used by tidb, check https://github.com/tikv/rfcs/blob/master/text/0018-unified-log-format.md.
# "json" => structured json formats.
# "console" => log format for human.
# encoder = "tidb"
[log.log-file]
# non-empty filename will enable logging to file.
#
# filename = ""
# max-size = 300
# max-days = 3
# max-backups = 3
# [metering]
# provider type: "s3", "oss", "azure", or "localfs"
# type = "azure"
# bucket = "my-container"
# prefix = "tiproxy/metering"
# endpoint = "https://my-account.blob.core.windows.net"
#
# [metering.azure]
# account-name = "my-account"
# Use either account-key or sas-token, or rely on Azure DefaultAzureCredential.
# account-key = ""
# sas-token = ""
[security]
# tls object is either of type server, client, or peer
# [xxxx]
# ca = "ca.pem"
# cert = "c.pem"
# key = "k.pem"
# auto-certs = true # mostly used by tests. It will generate certs if no cert/key is specified.
# rsa-key-size = 4096 # generated RSA keysize if auto-certs is enabled.
# autocert-expire-duration = "72h" # default expire duration for auto certs.
# skip-ca = true
# min-tls-version = "1.1" # specify minimum TLS version
# client object:
# 1. requires: ca or skip-ca(skip verify server certs)
# 2. optionally: cert/key will be used if server asks, i.e. server-side client verification
# 3. useless/forbid: auto-certs
# server object:
# 1. requires: cert/key or auto-certs(generate a temporary cert, mostly for testing)
# 2. optionally: ca will enable server-side client verification. If skip-ca is true with non-empty ca, server will only verify clients if it can provide any cert. Otherwise, clients must provide a cert.
# client object
[security.cluster-tls]
# access to other components like TiDB or PD, will use this
# skip-ca = true
# client object
[security.sql-tls]
# access to TiDB SQL(4000) port will use this
skip-ca = true
# server object
[security.server-tls]
# proxy SQL port will use this
# auto-certs = true
# server object
[security.server-http-tls]
# proxy HTTP port will use this
# auto-certs = true
# cert-allowed-cn = ["tiproxy", "tidb", "test-client", "prometheus"]
# require-backend-tls = false
[advance]
# ignore-wrong-namespace = true
[balance]
# policy = "resource"