Kong Gateway Configuration Explained

curl -Lo kong-enterprise-edition-2.8.1.4.rpm $(rpm --eval "https://download.konghq.com/gateway-2.x-centos-7/Packages/k/kong-enterprise-edition-2.8.1.4.el7.noarch.rpm")
yum install kong-enterprise-edition-2.8.1.4.rpm -y

kong.conf.default

# -----------------------
# Kong configuration file
# -----------------------
# The commented-out settings shown in this file represent the default values.
# This file is read when `kong start` or `kong prepare` are used. Kong
# generates the Nginx configuration with the settings specified in this file.
# All environment variables prefixed with `KONG_` and capitalized will override
# the settings specified in this file.
# Example:
#   `log_level` setting -> `KONG_LOG_LEVEL` env variable
# Boolean values can be specified as `on`/`off` or `true`/`false`.
# Lists must be specified as comma-separated strings.
# All comments in this file can be removed safely, including the
# commented-out properties.
# You can verify the integrity of your settings with `kong check <conf>`.
#------------------------------------------------------------------------------
# GENERAL
#------------------------------------------------------------------------------
#prefix = /usr/local/kong/       # Working directory. Equivalent to Nginx's
                                 # prefix path, containing temporary files
                                 # and logs.
                                 # Each Kong process must have a separate
                                 # working directory.
#log_level = notice              # Log level of the Nginx server. Logs are
                                 # found at `<prefix>/logs/error.log`.
# See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list
# of accepted values.
#proxy_access_log = logs/access.log       # Path for proxy port request access
                                          # logs. Set this value to `off` to
                                          # disable logging proxy requests.
                                          # If this value is a relative path,
                                          # it will be placed under the
                                          # `prefix` location.
#proxy_error_log = logs/error.log         # Path for proxy port request error
                                          # logs. The granularity of these logs
                                          # is adjusted by the `log_level`
                                          # property.
#proxy_stream_access_log = logs/access.log basic # Path for tcp streams proxy port access
                                                 # logs. Set this value to `off` to
                                                 # disable logging proxy requests.
                                                 # If this value is a relative path,
                                                 # it will be placed under the
                                                 # `prefix` location.
                                                 # `basic` is defined as `'$remote_addr [$time_local] '
                                                 # '$protocol $status $bytes_sent $bytes_received '
                                                 # '$session_time'`
#proxy_stream_error_log = logs/error.log         # Path for tcp streams proxy port request error
                                                 # logs. The granularity of these logs
                                                 # is adjusted by the `log_level`
                                                 # property.
#admin_access_log = logs/admin_access.log # Path for Admin API request access
                                          # logs. If Hybrid Mode is enabled
                                          # and the current node is set to be
                                          # the Control Plane, then the
                                          # connection requests from Data Planes
                                          # are also written to this file with
                                          # server name "kong_cluster_listener".
                                          # Set this value to `off` to
                                          # disable logging Admin API requests.
                                          # If this value is a relative path,
                                          # it will be placed under the
                                          # `prefix` location.
#admin_error_log = logs/error.log         # Path for Admin API request error
                                          # logs. The granularity of these logs
                                          # is adjusted by the `log_level`
                                          # property.
#status_access_log = off                  # Path for Status API request access
                                          # logs. The default value of `off`
                                          # implies that logging for this API
                                          # is disabled by default.
                                          # If this value is a relative path,
                                          # it will be placed under the
                                          # `prefix` location.
#status_error_log = logs/status_error.log # Path for Status API request error
                                          # logs. The granularity of these logs
                                          # is adjusted by the `log_level`
                                          # property.
#vaults = bundled                # Comma-separated list of vaults this node
                                 # should load. By default, all the bundled
                                 # vaults are enabled.
                                 # The specified name(s) will be substituted as
                                 # such in the Lua namespace:
                                 # `kong.vaults.{name}.*`.
#plugins = bundled               # Comma-separated list of plugins this node
                                 # should load. By default, only plugins
                                 # bundled in official distributions are
                                 # loaded via the `bundled` keyword.
                                 # Loading a plugin does not enable it by
                                 # default, but only instructs Kong to load its
                                 # source code, and allows to configure the
                                 # plugin via the various related Admin API
                                 # endpoints.
                                 # The specified name(s) will be substituted as
                                 # such in the Lua namespace:
                                 # `kong.plugins.{name}.*`.
                                 # When the `off` keyword is specified as the
                                 # only value, no plugins will be loaded.
                                 # `bundled` and plugin names can be mixed
                                 # together, as the following examples suggest:
                                 # - `plugins = bundled,custom-auth,custom-log`
                                 #   will include the bundled plugins plus two
                                 #   custom ones
                                 # - `plugins = custom-auth,custom-log` will
                                 #   *only* include the `custom-auth` and
                                 #   `custom-log` plugins.
                                 # - `plugins = off` will not include any
                                 #   plugins
                                 # **Note:** Kong will not start if some
                                 # plugins were previously configured (i.e.
                                 # have rows in the database) and are not
                                 # specified in this list.  Before disabling a
                                 # plugin, ensure all instances of it are
                                 # removed before restarting Kong.
                                 # **Note:** Limiting the amount of available
                                 # plugins can improve P99 latency when
                                 # experiencing LRU churning in the database
                                 # cache (i.e. when the configured
                                 # `mem_cache_size` is full).
#pluginserver_names =            # Comma-separated list of names for pluginserver
                                 # processes.  The actual names are used for
                                 # log messages and to relate the actual settings.
#pluginserver_XXX_socket = <prefix>/<XXX>.socket            # Path to the unix socket
                                                            # used by the <XXX> pluginserver.
#pluginserver_XXX_start_cmd = /usr/local/bin/<XXX>          # Full command (including
                                                            # any needed arguments) to
                                                            # start the <XXX> pluginserver
#pluginserver_XXX_query_cmd = /usr/local/bin/query_<XXX>    # Full command to "query" the
                                                            # <XXX> pluginserver.  Should
                                                            # produce a JSON with the
                                                            # dump info of all plugins it
                                                            # manages
#port_maps =                     # With this configuration parameter, you can
                                 # let Kong know about the port from
                                 # which the packets are forwarded to it. This
                                 # is fairly common when running Kong in a
                                 # containerized or virtualized environment.
                                 # For example, `port_maps=80:8000, 443:8443`
                                 # instructs Kong that the port 80 is mapped
                                 # to 8000 (and the port 443 to 8443), where
                                 # 8000 and 8443 are the ports that Kong is
                                 # listening to.
                                 # This parameter helps Kong set a proper
                                 # forwarded upstream HTTP request header or to
                                 # get the proper forwarded port with the Kong PDK
                                 # (in case other means determining it has
                                 # failed). It changes routing by a destination
                                 # port to route by a port from which packets
                                 # are forwarded to Kong, and similarly it
                                 # changes the default plugin log serializer to
                                 # use the port according to this mapping
                                 # instead of reporting the port Kong is
                                 # listening to.
#anonymous_reports = on          # Send anonymous usage data such as error
                                 # stack traces to help improve Kong.
#------------------------------------------------------------------------------
# HYBRID MODE
#------------------------------------------------------------------------------
#role = traditional              # Use this setting to enable Hybrid Mode.
                                 # This allows running some Kong nodes in a
                                 # control plane role with a database and
                                 # have them deliver configuration updates
                                 # to other nodes running DB-less in
                                 # a Data Plane role.
                                 # Valid values to this setting are:
                                 # - `traditional`: do not use Hybrid Mode.
                                 # - `control_plane`: this node runs in a
                                 #   control plane role. It can use a database
                                 #   and will deliver configuration updates
                                 #   to data plane nodes.
                                 # - `data_plane`: this is a data plane node.
                                 #   It runs DB-less and receives configuration
                                 #   updates from a control plane node.
#cluster_mtls = shared           # Sets the verification between nodes of the
                                 # cluster.
                                 # Valid values to this setting are:
                                 # - `shared`: use a shared certificate/key
                                 #   pair specified with the `cluster_cert`
                                 #   and `cluster_cert_key` settings.
                                 #   Note that CP and DP nodes have to present
                                 #   the same certificate to establish mTLS
                                 #   connections.
                                 # - `pki`: use `cluster_ca_cert`,
                                 #   `cluster_server_name` and `cluster_cert`
                                 #   for verification.
                                 #   These are different certificates for each
                                 #   DP node, but issued by a cluster-wide
                                 #   common CA certificate: `cluster_ca_cert`.
                                 # - `pki_check_cn`: similar to `pki` but additionally
                                 #   checks for Common Name of data plane certificate
                                 #   specified in `cluster_allowed_common_names`.
#cluster_cert =                  # Filename of the cluster certificate to use
                                 # when establishing secure communication
                                 # between control and data plane nodes.
                                 # You can use the `kong hybrid` command to
                                 # generate the certificate/key pair.
                                 # Under `shared` mode, it must be the same
                                 # for all nodes.  Under `pki` mode it
                                 # should be a different certificate for each
                                 # DP node.
#cluster_cert_key =              # Filename of the cluster certificate key to
                                 # use when establishing secure communication
                                 # between control and data plane nodes.
                                 # You can use the `kong hybrid` command to
                                 # generate the certificate/key pair.
                                 # Under `shared` mode, it must be the same
                                 # for all nodes.  Under `pki` mode it
                                 # should be a different certificate for each
                                 # DP node.
#cluster_ca_cert =               # The trusted CA certificate file in PEM
                                 # format used for Control Plane to verify
                                 # Data Plane's certificate and Data Plane
                                 # to verify Control Plane's certificate.
                                 # Required on data plane if `cluster_mtls`
                                 # is set to `pki`.
                                 # If Control Plane certificate is issued
                                 # by a well known CA, user can set
                                 # `lua_ssl_trusted_certificate=system`
                                 # on Data Plane and leave this field empty.
                                 # This field is ignored if `cluster_mtls` is
                                 # set to `shared`.
#cluster_allowed_common_names =  # The list of Common Names that are allowed to
                                 # connect to control plane. Multiple entries may
                                 # be supplied in a comma-separated string. When not
                                 # set, Data Plane with same parent domain of
                                 # Control Plane cert is allowed to connect.
                                 # This field is ignored if `cluster_mtls` is
                                 # not set to `pki_check_cn`.
#------------------------------------------------------------------------------
# HYBRID MODE DATA PLANE
#------------------------------------------------------------------------------
#cluster_server_name =           # The server name used in the SNI of the TLS
                                 # connection from a DP node to a CP node.
                                 # Must match the Common Name (CN) or Subject
                                 # Alternative Name (SAN) found in the CP
                                 # certificate.
                                 # If `cluster_mtls` is set to
                                 # `shared`, this setting is ignored and
                                 # `kong_clustering` is used.
#cluster_control_plane =         # To be used by data plane nodes only:
                                 # address of the control plane node from
                                 # which configuration updates will be fetched,
                                 # in `host:port` format.
#cluster_telemetry_endpoint =    # To be used by data plane nodes only:
                                 # telemetry address of the control plane node
                                 # to which telemetry updates will be posted
                                 # in `host:port` format.
#data_plane_config_cache_mode = unencrypted
                                 # Data planes can store their config on the file system
                                 # as a backup, so that a restarted or reloaded node
                                 # reaches a configured state faster, or in case
                                 # there are issues connecting to the control plane.
                                 # This parameter can be used to control the behavior.
                                 # To be used by data plane nodes only:
                                 # `unencrypted` = stores config cache unencrypted
                                 # `encrypted` = stores config cache encrypted
                                 # `off` = does not store the config cache
#data_plane_config_cache_path =  # The unencrypted config cache is stored by default
                                 # to Kong `prefix` with a filename `config.cache.json.gz`.
                                 # The encrypted config cache is stored by default
                                 # to Kong `prefix` with a filename `.config.cache.jwt`
                                 # Alternatively you can specify path for config cache
                                 # with this parameter, e.g. `/tmp/kong-config-cache`.
#------------------------------------------------------------------------------
# HYBRID MODE CONTROL PLANE
#------------------------------------------------------------------------------
#cluster_listen = 0.0.0.0:8005
                         # Comma-separated list of addresses and ports on
                         # which the cluster control plane server should listen
                         # for data plane connections.
                         # The cluster communication port of the control plane
                         # must be accessible by all the data planes
                         # within the same cluster. This port is mTLS protected
                         # to ensure end-to-end security and integrity.
                         # This setting has no effect if `role` is not set to
                         # `control_plane`.
                         # Connections made to this endpoint are logged
                         # to the same location as Admin API access logs.
                         # See `admin_access_log` config description for more
                         # information.
#cluster_telemetry_listen = 0.0.0.0:8006
                         # Comma-separated list of addresses and ports on
                         # which the cluster control plane server should listen
                         # for data plane telemetry connections.
                         # The cluster communication port of the control plane
                         # must be accessible by all the data planes
                         # within the same cluster.
                         # This setting has no effect if `role` is not set to
                         # `control_plane`.
#cluster_data_plane_purge_delay = 1209600
                         # How many seconds must pass from the time a DP node
                         # becomes offline to the time its entry gets removed
                         # from the database, as returned by the
                         # /clustering/data-planes Admin API endpoint.
                         # This is to prevent the cluster data plane table from
                         # growing indefinitely. The default is set to
                         # 14 days. That is, if the CP hasn't heard from a DP for
                         # 14 days, its entry will be removed.
#cluster_ocsp = off
                         # Whether to check for revocation status of DP
                         # certificates using OCSP (Online Certificate Status Protocol).
                         # If enabled, the DP certificate should contain the
                         # "Certificate Authority Information Access" extension
                         # and the OCSP method with URI of which the OCSP responder
                         # can be reached from CP.
                         # OCSP checks are only performed on CP nodes; this
                         # setting has no effect on DP nodes.
                         # Valid values to this setting are:
                         # - `on`: OCSP revocation check is enabled and DP
                         #   must pass the check in order to establish
                         #   connection with CP.
                         # - `off`: OCSP revocation check is disabled.
                         # - `optional`: OCSP revocation check will be attempted,
                         #   however, if the required extension is not
                         #   found inside DP provided certificate
                         #   or communication with the OCSP responder
                         #   failed, then DP is still allowed through.
#cluster_max_payload = 4194304
                         # This sets the maximum payload size allowed
                         # to be sent across from CP to DP in Hybrid mode
                         # Default is 4Mb - 4 * 1024 * 1024 due to historical reasons
#------------------------------------------------------------------------------
# NGINX
#------------------------------------------------------------------------------
#proxy_listen = 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384
                         # Comma-separated list of addresses and ports on
                         # which the proxy server should listen for
                         # HTTP/HTTPS traffic.
                         # The proxy server is the public entry point of Kong,
                         # which proxies traffic from your consumers to your
                         # backend services. This value accepts IPv4, IPv6, and
                         # hostnames.
                         # Some suffixes can be specified for each pair:
                         # - `ssl` will require that all connections made
                         #   through a particular address/port be made with TLS
                         #   enabled.
                         # - `http2` will allow for clients to open HTTP/2
                         #   connections to Kong's proxy server.
                         # - `proxy_protocol` will enable usage of the
                         #   PROXY protocol for a given address/port.
                         # - `deferred` instructs to use a deferred accept on
                         #   Linux (the TCP_DEFER_ACCEPT socket option).
                         # - `bind` instructs to make a separate bind() call
                         #   for a given address:port pair.
                         # - `reuseport` instructs to create an individual
                         #   listening socket for each worker process
                         #   allowing the Kernel to better distribute incoming
                         #   connections between worker processes
                         # - `backlog=N` sets the maximum length for the queue
                         #   of pending TCP connections. This number should
                         #   not be too small in order to prevent clients
                         #   seeing "Connection refused" error connecting to
                         #   a busy Kong instance.
                         #   **Note:** on Linux, this value is limited by the
                         #   setting of `net.core.somaxconn` Kernel parameter.
                         #   In order for the larger `backlog` set here to take
                         #   effect it is necessary to raise
                         #   `net.core.somaxconn` at the same time to match or
                         #   exceed the `backlog` number set.
                         # This value can be set to `off`, thus disabling
                         # the HTTP/HTTPS proxy port for this node.
                         # If stream_listen is also set to `off`, this enables
                         # 'control-plane' mode for this node
                         # (in which all traffic proxying capabilities are
                         # disabled). This node can then be used only to
                         # configure a cluster of Kong
                         # nodes connected to the same datastore.
                         # Example:
                         # `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl`
                         # See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
                         # for a description of the accepted formats for this
                         # and other `*_listen` values.
                         # See https://www.nginx.com/resources/admin-guide/proxy-protocol/
                         # for more details about the `proxy_protocol`
                         # parameter.
                         # Not all `*_listen` values accept all formats
                         # specified in nginx's documentation.
#proxy_url =            # Kong Proxy URL
                        # The lookup, or balancer, address for your Kong Proxy nodes.
                        # This value is commonly used in a microservices
                        # or service-mesh oriented architecture.
                        # Accepted format (parts in parentheses are optional):
                        #   `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
                        # Examples:
                        # - `<scheme>://<IP>:<PORT>` -> `proxy_url = http://127.0.0.1:8000`
                        # - `SSL <scheme>://<HOSTNAME>` -> `proxy_url = https://proxy.domain.tld`
                        # - `<scheme>://<HOSTNAME>/<PATH>` -> `proxy_url = http://dev-machine/dev-285`
                        # By default, Kong Manager, and Kong Portal will use
                        # the window request host and append the resolved
                        # listener port depending on the requested protocol.
#stream_listen = off
                         # Comma-separated list of addresses and ports on
                         # which the stream mode should listen.
                         # This value accepts IPv4, IPv6, and hostnames.
                         # Some suffixes can be specified for each pair:
                         # - `ssl` will require that all connections made
                         #   through a particular address/port be made with TLS
                         #   enabled.
                         # - `proxy_protocol` will enable usage of the
                         #   PROXY protocol for a given address/port.
                         # - `bind` instructs to make a separate bind() call
                         #   for a given address:port pair.
                         # - `reuseport` instructs to create an individual
                         #   listening socket for each worker process
                         #   allowing the Kernel to better distribute incoming
                         #   connections between worker processes
                         # - `backlog=N` sets the maximum length for the queue
                         #   of pending TCP connections. This number should
                         #   not be too small in order to prevent clients
                         #   seeing "Connection refused" error connecting to
                         #   a busy Kong instance.
                         #   **Note:** on Linux, this value is limited by the
                         #   setting of `net.core.somaxconn` Kernel parameter.
                         #   In order for the larger `backlog` set here to take
                         #   effect it is necessary to raise
                         #   `net.core.somaxconn` at the same time to match or
                         #   exceed the `backlog` number set.
                         # Examples:
                         # ```
                         # stream_listen = 127.0.0.1:7000 reuseport backlog=16384
                         # stream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20
                         # stream_listen = [::1]:1234 backlog=16384
                         # ```
                         # By default this value is set to `off`, thus
                         # disabling the stream proxy port for this node.
# See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen
# for a description of the formats that Kong might accept in stream_listen.
#admin_api_uri =         # Hierarchical part of a URI which is composed
                         # optionally of a host, port, and path at which the
                         # Admin API accepts HTTP or HTTPS traffic. When
                         # this config is disabled, Kong Manager will
                         # use the window protocol + host and append the
                         # resolved admin_listen HTTP/HTTPS port.
#admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384
                         # Comma-separated list of addresses and ports on
                         # which the Admin interface should listen.
                         # The Admin interface is the API allowing you to
                         # configure and manage Kong.
                         # Access to this interface should be *restricted*
                         # to Kong administrators *only*. This value accepts
                         # IPv4, IPv6, and hostnames.
                         # Some suffixes can be specified for each pair:
                         # - `ssl` will require that all connections made
                         #   through a particular address/port be made with TLS
                         #   enabled.
                         # - `http2` will allow for clients to open HTTP/2
                         #   connections to Kong's proxy server.
                         # - `proxy_protocol` will enable usage of the
                         #   PROXY protocol for a given address/port.
                         # - `deferred` instructs to use a deferred accept on
                         #   Linux (the TCP_DEFER_ACCEPT socket option).
                         # - `bind` instructs to make a separate bind() call
                         #   for a given address:port pair.
                         # - `reuseport` instructs to create an individual
                         #   listening socket for each worker process
                         #   allowing the Kernel to better distribute incoming
                         #   connections between worker processes
                         # - `backlog=N` sets the maximum length for the queue
                         #   of pending TCP connections. This number should
                         #   not be too small in order to prevent clients
                         #   seeing "Connection refused" error connecting to
                         #   a busy Kong instance.
                         #   **Note:** on Linux, this value is limited by the
                         #   setting of `net.core.somaxconn` Kernel parameter.
                         #   In order for the larger `backlog` set here to take
                         #   effect it is necessary to raise
                         #   `net.core.somaxconn` at the same time to match or
                         #   exceed the `backlog` number set.
                         # This value can be set to `off`, thus disabling
                         # the Admin interface for this node, enabling a
                         # 'data-plane' mode (without configuration
                         # capabilities) pulling its configuration changes
                         # from the database.
                         # Example: `admin_listen = 127.0.0.1:8444 http2 ssl`
#status_listen = off     # Comma-separated list of addresses and ports on
                         # which the Status API should listen.
                         # The Status API is a read-only endpoint
                         # allowing monitoring tools to retrieve metrics,
                         # healthiness, and other non-sensitive information
                         # of the current Kong node.
                         # The following suffix can be specified for each pair:
                         # - `ssl` will require that all connections made
                         #   through a particular address/port be made with TLS
                         #   enabled.
                         # This value can be set to `off`, disabling
                         # the Status API for this node.
                         # Example: `status_listen = 0.0.0.0:8100`
#nginx_user = kong kong          # Defines user and group credentials used by
                                 # worker processes. If group is omitted, a
                                 # group whose name equals that of user is
                                 # used.
                                 # Example: `nginx_user = nginx www`
                                 # **Note**: If the `kong` user and the `kong`
                                 # group are not available, the default user
                                 # and group credentials will be
                                 # `nobody nobody`.
#nginx_worker_processes = auto   # Determines the number of worker processes
                                 # spawned by Nginx.
                                 # See http://nginx.org/en/docs/ngx_core_module.html#worker_processes
                                 # for detailed usage of the equivalent Nginx
                                 # directive and a description of accepted
                                 # values.
#nginx_daemon = on               # Determines whether Nginx will run as a daemon
                                 # or as a foreground process. Mainly useful
                                 # for development or when running Kong inside
                                 # a Docker environment.
                                 # See http://nginx.org/en/docs/ngx_core_module.html#daemon.
#mem_cache_size = 128m           # Size of each of the two in-memory caches
                                 # for database entities. The accepted units are
                                 # `k` and `m`, with a minimum recommended value of
                                 # a few MBs.
                                 # **Note**: As this option controls the size of two
                                 # different cache entries, the total memory Kong
                                 # uses to cache entities might be double this value.
#ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx.
                                 # Accepted values are `modern`,
                                 # `intermediate`, `old`, `fips` or `custom`.
                                 # See https://wiki.mozilla.org/Security/Server_Side_TLS
                                 # for detailed descriptions of each cipher
                                 # suite. `fips` cipher suites are as described in
                                 # https://wiki.openssl.org/index.php/FIPS_mode_and_TLS.
#ssl_ciphers =                   # Defines a custom list of TLS ciphers to be
                                 # served by Nginx. This list must conform to
                                 # the pattern defined by `openssl ciphers`.
                                 # This value is ignored if `ssl_cipher_suite`
                                 # is not `custom`.
#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
                                 # Enables the specified protocols for
                                 # client-side connections. The set of
                                 # supported protocol versions also depends
                                 # on the version of OpenSSL Kong was built
                                 # with. This value is ignored if
                                 # `ssl_cipher_suite` is not `custom`.
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
#ssl_prefer_server_ciphers = on  # Specifies that server ciphers should be
                                 # preferred over client ciphers when using
                                 # the SSLv3 and TLS protocols. This value is
                                 # ignored if `ssl_cipher_suite` is not `custom`.
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
#ssl_dhparam =                   # Defines DH parameters for DHE ciphers from the
                                 # predefined groups: `ffdhe2048`, `ffdhe3072`,
                                 # `ffdhe4096`, `ffdhe6144`, `ffdhe8192`, or
                                 # from the absolute path to a parameters file.
                                 # This value is ignored if `ssl_cipher_suite`
                                 # is `modern` or `intermediate`. The reason is
                                 # that `modern` has no ciphers that need this,
                                 # and `intermediate` uses `ffdhe2048`.
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#ssl_session_tickets = on        # Enables or disables session resumption through
                                 # TLS session tickets. This has no impact when
                                 # used with TLSv1.3.
                                 # Kong enables this by default for performance
                                 # reasons, but it has security implications:
                                 # https://github.com/mozilla/server-side-tls/issues/135
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#ssl_session_timeout = 1d        # Specifies a time during which a client may
                                 # reuse the session parameters. See the rationale:
                                 # https://github.com/mozilla/server-side-tls/issues/198
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
#ssl_cert =                      # Comma-separated list of the absolute path to the certificates for
                                 # `proxy_listen` values with TLS enabled.
                                 # If more than one certificate is specified, they can be used to provide
                                 # alternate types of certificate (for example, an ECC certificate) that will be served
                                 # to clients that support them. Note that to properly serve ECC certificates,
                                 # it is recommended to also set `ssl_cipher_suite` to
                                 # `modern` or `intermediate`.
                                 # Unless this option is explicitly set, Kong will auto-generate
                                 # a pair of default certificates (RSA + ECC) the first time it starts up and use
                                 # them for serving TLS requests.
#ssl_cert_key =                  # Comma-separated list of the absolute path to the keys for
                                 # `proxy_listen` values with TLS enabled.
                                 # If more than one certificate was specified for `ssl_cert`, then this
                                 # option should contain the corresponding key for all certificates
                                 # provided in the same order.
                                 # Unless this option is explicitly set, Kong will auto-generate
                                 # a pair of default private keys (RSA + ECC) the first time it starts up and use
                                 # them for serving TLS requests.
#client_ssl = off                # Determines if Nginx should attempt to send client-side
                                 # TLS certificates and perform Mutual TLS Authentication
                                 # with upstream service when proxying requests.
#client_ssl_cert =               # If `client_ssl` is enabled, the absolute
                                 # path to the client certificate for the `proxy_ssl_certificate` directive.
                                 # This value can be overwritten dynamically with the `client_certificate`
                                 # attribute of the `Service` object.
#client_ssl_cert_key =           # If `client_ssl` is enabled, the absolute
                                 # path to the client TLS key for the `proxy_ssl_certificate_key` directive.
                                 # This value can be overwritten dynamically with the `client_certificate`
                                 # attribute of the `Service` object.
#admin_ssl_cert =                # Comma-separated list of the absolute path to the certificates for
                                 # `admin_listen` values with TLS enabled.
                                 # See docs for `ssl_cert` for detailed usage.
#admin_ssl_cert_key =            # Comma-separated list of the absolute path to the keys for
                                 # `admin_listen` values with TLS enabled.
                                 # See docs for `ssl_cert_key` for detailed usage.
#status_ssl_cert =               # Comma-separated list of the absolute path to the certificates for
                                 # `status_listen` values with TLS enabled.
                                 # See docs for `ssl_cert` for detailed usage.
#status_ssl_cert_key =           # Comma-separated list of the absolute path to the keys for
                                 # `status_listen` values with TLS enabled.
                                 # See docs for `ssl_cert_key` for detailed usage.
#headers = server_tokens, latency_tokens
                                 # Comma-separated list of headers Kong should
                                 # inject in client responses.
                                 # Accepted values are:
                                 # - `Server`: Injects `Server: kong/x.y.z`
                                 #   on Kong-produced response (e.g. Admin
                                 #   API, rejected requests from auth plugin).
                                 # - `Via`: Injects `Via: kong/x.y.z` for
                                 #   successfully proxied requests.
                                 # - `X-Kong-Proxy-Latency`: Time taken
                                 #   (in milliseconds) by Kong to process
                                 #   a request and run all plugins before
                                 #   proxying the request upstream.
                                 # - `X-Kong-Response-Latency`: Time taken
                                 #   (in milliseconds) by Kong to produce
                                 #   a response in case of e.g. a plugin
                                 #   short-circuiting the request, or
                                 #   in case of an error.
                                 # - `X-Kong-Upstream-Latency`: Time taken
                                 #   (in milliseconds) by the upstream
                                 #   service to send response headers.
                                 # - `X-Kong-Admin-Latency`: Time taken
                                 #   (in milliseconds) by Kong to process
                                 #   an Admin API request.
                                 # - `X-Kong-Upstream-Status`: The HTTP status
                                 #   code returned by the upstream service.
                                 #   This is particularly useful for clients to
                                 #   distinguish upstream statuses if the
                                 #   response is rewritten by a plugin.
                                 # - `server_tokens`: Same as specifying both
                                 #   `Server` and `Via`.
                                 # - `latency_tokens`: Same as specifying
                                 #   `X-Kong-Proxy-Latency`,
                                 #   `X-Kong-Response-Latency`,
                                 #   `X-Kong-Admin-Latency` and
                                 #   `X-Kong-Upstream-Latency`
                                 # In addition to those, this value can be set
                                 # to `off`, which prevents Kong from injecting
                                 # any of the above headers. Note that this
                                 # does not prevent plugins from injecting
                                 # headers of their own.
                                 # Example: `headers = via, latency_tokens`
#trusted_ips =                   # Defines trusted IP address blocks that are
                                 # known to send correct `X-Forwarded-*`
                                 # headers.
                                 # Requests from trusted IPs make Kong forward
                                 # their `X-Forwarded-*` headers upstream.
                                 # Non-trusted requests make Kong insert its
                                 # own `X-Forwarded-*` headers.
                                 # This property also sets the
                                 # `set_real_ip_from` directive(s) in the Nginx
                                 # configuration. It accepts the same type of
                                 # values (CIDR blocks) but as a
                                 # comma-separated list.
                                 # To trust *all* /!\ IPs, set this value to
                                 # `0.0.0.0/0,::/0`.
                                 # If the special value `unix:` is specified,
                                 # all UNIX-domain sockets will be trusted.
                                 # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
                                 # for examples of accepted values.
#real_ip_header = X-Real-IP      # Defines the request header field whose value
                                 # will be used to replace the client address.
                                 # This value sets the `ngx_http_realip_module`
                                 # directive of the same name in the Nginx
                                 # configuration.
                                 # If this value receives `proxy_protocol`:
                                 # - at least one of the `proxy_listen` entries
                                 #   must have the `proxy_protocol` flag
                                 #   enabled.
                                 # - the `proxy_protocol` parameter will be
                                 #   appended to the `listen` directive of the
                                 #   Nginx template.
                                 # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
                                 # for a description of this directive.
#real_ip_recursive = off         # This value sets the `ngx_http_realip_module`
                                 # directive of the same name in the Nginx
                                 # configuration.
                                 # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
                                 # for a description of this directive.
#error_default_type = text/plain  # Default MIME type to use when the request
                                  # `Accept` header is missing and Nginx
                                  # is returning an error for the request.
                                  # Accepted values are `text/plain`,
                                  # `text/html`, `application/json`, and
                                  # `application/xml`.
#upstream_keepalive_pool_size = 60  # Sets the default size of the upstream
                                    # keepalive connection pools.
                                    # Upstream keepalive connection pools
                                    # are segmented by the `dst ip/dst
                                    # port/SNI` attributes of a connection.
                                    # A value of `0` will disable upstream
                                    # keepalive connections by default, forcing
                                    # each upstream request to open a new
                                    # connection.
#upstream_keepalive_max_requests = 100  # Sets the default maximum number of
                                        # requests that can be proxied upstream
                                        # through one keepalive connection.
                                        # After the maximum number of requests
                                        # is reached, the connection will be
                                        # closed.
                                        # A value of `0` will disable this
                                        # behavior, and a keepalive connection
                                        # can be used to proxy an indefinite
                                        # number of requests.
#upstream_keepalive_idle_timeout = 60   # Sets the default timeout (in seconds)
                                        # for which an upstream keepalive
                                        # connection should be kept open. When
                                        # the timeout is reached while the
                                        # connection has not been reused, it
                                        # will be closed.
                                        # A value of `0` will disable this
                                        # behavior, and an idle keepalive
                                        # connection may be kept open
                                        # indefinitely.
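
Several GENERAL settings above can be checked mechanically: `admin_listen` bound beyond loopback, `ssl_*` options that are ignored unless `ssl_cipher_suite` is `custom`, a `trusted_ips` block that trusts everyone, and the version-bearing `headers`. The audit script below is an added example, not part of kong.conf or of Kong; its function names, finding codes and sample configuration are constructed for illustration, and its parser assumes plain `key = value` lines with `#` comments.

```python
import ipaddress
import re

# Defaults as shown (commented out) in the kong.conf.default text above.
DEFAULTS = {
    "admin_listen": "127.0.0.1:8001 reuseport backlog=16384, "
                    "127.0.0.1:8444 http2 ssl reuseport backlog=16384",
    "ssl_cipher_suite": "intermediate",
    "ssl_protocols": "TLSv1.1 TLSv1.2 TLSv1.3",
    "headers": "server_tokens, latency_tokens",
}

# Constructed sample input for this example, not taken from a real deployment.
SAMPLE_CONF = """\
admin_listen = 0.0.0.0:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl
ssl_protocols = TLSv1.2 TLSv1.3   # ssl_cipher_suite left at `intermediate`
trusted_ips = 0.0.0.0/0,::/0
#headers = off
"""


def parse_kong_conf(text):
    """Return the explicitly set, non-empty `key = value` properties."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"(?<!\\)#", raw, maxsplit=1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and value.strip():
            conf[key.strip()] = value.strip()
    return conf


def split_listen(value):
    """Return [(host, port, flags)] for a comma-separated *_listen value."""
    entries = []
    for entry in value.split(","):
        parts = entry.split()
        if not parts or parts[0] == "off":
            continue
        host, _, port = parts[0].rpartition(":")
        entries.append((host.strip("[]"), port, set(parts[1:])))
    return entries


def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostname: assume reachable from elsewhere


def audit(explicit):
    """Return [(code, message)] findings for a parsed kong.conf."""
    conf = {**DEFAULTS, **explicit}
    findings = []
    # Admin API: the file says access must be restricted to administrators.
    for host, port, flags in split_listen(conf["admin_listen"]):
        if is_loopback(host):
            continue
        findings.append(("admin-exposed",
                         f"admin_listen {host}:{port} is not loopback; "
                         "confirm it is firewalled to administrators"))
        if "ssl" not in flags:
            findings.append(("admin-plaintext",
                             f"admin_listen {host}:{port} has no `ssl` suffix"))
    # TLS options the file documents as ignored for some cipher suites.
    suite = conf["ssl_cipher_suite"]
    ignored = [k for k in ("ssl_ciphers", "ssl_protocols",
                           "ssl_prefer_server_ciphers")
               if k in explicit and suite != "custom"]
    if "ssl_dhparam" in explicit and suite in ("modern", "intermediate"):
        ignored.append("ssl_dhparam")
    for key in ignored:
        findings.append(("tls-setting-ignored",
                         f"{key} has no effect with ssl_cipher_suite={suite}"))
    # With `custom`, ssl_protocols applies; TLS 1.0/1.1 are deprecated (RFC 8996).
    if suite == "custom":
        legacy = sorted({"SSLv3", "TLSv1", "TLSv1.1"} & set(conf["ssl_protocols"].split()))
        if legacy:
            findings.append(("tls-legacy-protocol",
                             "ssl_protocols enables " + ", ".join(legacy)))
    # trusted_ips: a /0 block makes every client's X-Forwarded-* trusted.
    for block in conf.get("trusted_ips", "").split(","):
        try:
            net = ipaddress.ip_network(block.strip(), strict=False)
        except ValueError:
            continue  # empty, `unix:` or a hostname
        if net.prefixlen == 0:
            findings.append(("trust-all-forwarded", f"trusted_ips contains {net}"))
    # Server/Via carry `kong/x.y.z`, which discloses the gateway version.
    tokens = {h.strip().lower() for h in conf["headers"].split(",")}
    if tokens & {"server_tokens", "server", "via"}:
        findings.append(("version-headers",
                         "headers injects Server/Via with the Kong version"))
    return findings
```

Calling `audit(parse_kong_conf(open(path).read()))` on a real file returns the same `(code, message)` pairs; an empty list means none of these checks fired.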
#------------------------------------------------------------------------------
# NGINX injected directives
#------------------------------------------------------------------------------
# Nginx directives can be dynamically injected in the runtime nginx.conf file
# without requiring a custom Nginx configuration template.
# All configuration properties respecting the naming scheme
# `nginx_<namespace>_<directive>` will result in `<directive>` being injected in
# the Nginx configuration block corresponding to the property's `<namespace>`.
# Example:
#   `nginx_proxy_large_client_header_buffers = 8 24k`
#   Will inject the following directive in Kong's proxy `server {}` block:
#   `large_client_header_buffers 8 24k;`
# The following namespaces are supported:
# - `nginx_main_<directive>`: Injects `<directive>` in Kong's configuration
#   `main` context.
# - `nginx_events_<directive>`: Injects `<directive>` in Kong's `events {}`
#    block.
# - `nginx_http_<directive>`: Injects `<directive>` in Kong's `http {}` block.
# - `nginx_proxy_<directive>`: Injects `<directive>` in Kong's proxy
#   `server {}` block.
# - `nginx_upstream_<directive>`: Injects `<directive>` in Kong's proxy
#   `upstream {}` block.
# - `nginx_admin_<directive>`: Injects `<directive>` in Kong's Admin API
#   `server {}` block.
# - `nginx_status_<directive>`: Injects `<directive>` in Kong's Status API
#   `server {}` block  (only effective if `status_listen` is enabled).
# - `nginx_stream_<directive>`: Injects `<directive>` in Kong's stream module
#   `stream {}` block (only effective if `stream_listen` is enabled).
# - `nginx_sproxy_<directive>`: Injects `<directive>` in Kong's stream module
#   `server {}` block (only effective if `stream_listen` is enabled).
# - `nginx_supstream_<directive>`: Injects `<directive>` in Kong's stream
#   module `upstream {}` block.
# As with other configuration properties, Nginx directives can be injected via
# environment variables when capitalized and prefixed with `KONG_`.
# Example:
#   `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`
#   Will inject the following directive in Kong's `http {}` block:
#   `ssl_protocols <value>;`
#   If different sets of protocols are desired between the proxy and Admin API
#   server, you may specify `nginx_proxy_ssl_protocols` and/or
#   `nginx_admin_ssl_protocols`, both of which take precedence over the
#   `http {}` block.
#nginx_main_worker_rlimit_nofile = auto
                                 # Changes the limit on the maximum number of open files
                                 # for worker processes.
                                 # The special and default value of `auto` sets this
                                 # value to `ulimit -n` with the upper bound limited to
                                 # 16384 as a measure to protect against excess memory use.
                                 # See http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
#nginx_events_worker_connections = auto
                                 # Sets the maximum number of simultaneous
                                 # connections that can be opened by a worker process.
                                 # The special and default value of `auto` sets this
                                 # value to `ulimit -n` with the upper bound limited to
                                 # 16384 as a measure to protect against excess memory use.
                                 # See http://nginx.org/en/docs/ngx_core_module.html#worker_connections
#nginx_http_client_header_buffer_size = 1k  # Sets buffer size for reading the
                                            # client request headers.
                                            # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
#nginx_http_large_client_header_buffers = 4 8k  # Sets the maximum number and
                                                # size of buffers used for
                                                # reading large client
                                                # request headers.
                                                # See http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
#nginx_http_client_max_body_size = 0  # Defines the maximum request body size
                                      # allowed by requests proxied by Kong,
                                      # specified in the Content-Length request
                                      # header. If a request exceeds this
                                      # limit, Kong will respond with a 413
                                      # (Request Entity Too Large). Setting
                                      # this value to 0 disables checking the
                                      # request body size.
                                      # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
#nginx_admin_client_max_body_size = 10m  # Defines the maximum request body size for
                                         # Admin API.
#nginx_http_client_body_buffer_size = 8k  # Defines the buffer size for reading
                                          # the request body. If the client
                                          # request body is larger than this
                                          # value, the body will be buffered to
                                          # disk. Note that when the body is
                                          # buffered to disk, Kong plugins that
                                          # access or manipulate the request
                                          # body may not work, so it is
                                          # advisable to set this value as high
                                          # as possible (e.g., set it as high
                                          # as `client_max_body_size` to force
                                          # request bodies to be kept in
                                          # memory). Do note that
                                          # high-concurrency environments will
                                          # require significant memory
                                          # allocations to process many
                                          # concurrent large request bodies.
                                          # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
#nginx_admin_client_body_buffer_size = 10m  # Defines the buffer size for reading
                                            # the request body on Admin API.
#nginx_http_lua_regex_match_limit = 100000  # Global `MATCH_LIMIT` for PCRE
                                            # regex matching. The default of `100000` should ensure
                                            # at worst any regex Kong executes could finish within
                                            # roughly 2 seconds.
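
When reviewing a deployment, it helps to see which Nginx block each `nginx_<namespace>_<directive>` property or `KONG_NGINX_*` environment variable ends up in, and which `ssl_protocols` value a server block actually gets once the environment has overridden the file. The resolver below is an added example, not Kong's own loader; its function names and the sample file and environment values are constructed for illustration.

```python
# Namespace -> Nginx context, as listed in the section above.
NAMESPACES = {
    "main": "main",
    "events": "events {}",
    "http": "http {}",
    "proxy": "proxy server {}",
    "upstream": "proxy upstream {}",
    "admin": "Admin API server {}",
    "status": "Status API server {}",
    "stream": "stream {}",
    "sproxy": "stream server {}",
    "supstream": "stream upstream {}",
}

# Constructed sample inputs for this example, not from a real deployment.
SAMPLE_CONF = {
    "nginx_http_ssl_protocols": "TLSv1.2 TLSv1.3",
    "nginx_proxy_large_client_header_buffers": "8 24k",
    "nginx_worker_processes": "auto",  # `worker` is not a listed namespace
}
SAMPLE_ENV = {
    "KONG_NGINX_HTTP_SSL_PROTOCOLS": "TLSv1.1 TLSv1.2",  # overrides the file
    "KONG_NGINX_ADMIN_SSL_PROTOCOLS": "TLSv1.3",
    "KONG_LOG_LEVEL": "debug",  # ordinary property, not a directive
    "PATH": "/usr/bin",         # unrelated variable, ignored
}


def resolve(name):
    """Map a property or KONG_* variable name to (namespace, directive)."""
    prop = name.lower()
    if prop.startswith("kong_"):
        prop = prop[len("kong_"):]
    if not prop.startswith("nginx_"):
        return None
    namespace, _, directive = prop[len("nginx_"):].partition("_")
    if namespace not in NAMESPACES or not directive:
        return None
    return namespace, directive


def collect(conf, env):
    """Merge file properties with KONG_* variables (environment wins) and
    return {namespace: {directive: value}} for the injected directives."""
    merged = {key.lower(): value for key, value in conf.items()}
    for key, value in env.items():
        if key.startswith("KONG_"):
            merged[key[len("KONG_"):].lower()] = value
    injected = {}
    for prop, value in merged.items():
        hit = resolve(prop)
        if hit:
            injected.setdefault(hit[0], {})[hit[1]] = value
    return injected


def server_ssl_protocols(injected, server):
    """ssl_protocols seen by the `proxy` or `admin` server block: its own
    value if injected, otherwise the one inherited from `http {}`."""
    own = injected.get(server, {}).get("ssl_protocols")
    return own or injected.get("http", {}).get("ssl_protocols")


def render(injected):
    """Return one 'context: directive value;' line per injected directive."""
    return [f"{NAMESPACES[ns]}: {directive} {value};"
            for ns, directives in sorted(injected.items())
            for directive, value in sorted(directives.items())]


if __name__ == "__main__":
    result = collect(SAMPLE_CONF, SAMPLE_ENV)
    print("\n".join(render(result)))
    print("proxy ssl_protocols:", server_ssl_protocols(result, "proxy"))
    print("admin ssl_protocols:", server_ssl_protocols(result, "admin"))
```

In the sample, the environment variable re-enables TLSv1.1 for the proxy even though the file lists only TLSv1.2 and TLSv1.3, which is why container environment definitions need the same review as kong.conf.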
#------------------------------------------------------------------------------
# DATASTORE
#------------------------------------------------------------------------------
# Kong can run with a database to store coordinated data between Kong nodes in
# a cluster, or without a database, where each node stores its information
# independently in memory.
# When using a database, Kong will store data for all its entities (such as
# Routes, Services, Consumers, and Plugins) in either Cassandra or PostgreSQL,
# and all Kong nodes belonging to the same cluster must connect themselves
# to the same database.
# Kong supports the following database versions:
# - **PostgreSQL**: 9.5 and above.
# - **Cassandra**: 2.2 and above.
# When not using a database, Kong is said to be in "DB-less mode": it will keep
# its entities in memory, and each node needs to have this data entered via a
# declarative configuration file, which can be specified through the
# `declarative_config` property, or via the Admin API using the `/config`
# endpoint.
# When using Postgres as the backend storage, you can optionally enable Kong
# to serve read queries from a separate database instance.
# When the number of proxies is large, this can greatly reduce the load
# on the main Postgres instance and achieve better scalability. It may also
# reduce the latency jitter if the Kong proxy node's latency to the main
# Postgres instance is high.
# The read-only Postgres instance only serves read queries and write
# queries still go to the main connection. The read-only Postgres instance
# can be eventually consistent while replicating changes from the main
# instance.
# At least the `pg_ro_host` config is needed to enable this feature.
# By default, all other database config for the read-only connection is
# inherited from the corresponding main connection config described above but
# may be optionally overwritten explicitly using the `pg_ro_*` config below.
#database = postgres             # Determines which of PostgreSQL or Cassandra
                                 # this node will use as its datastore.
                                 # Accepted values are `postgres`,
                                 # `cassandra`, and `off`.
#pg_host = 127.0.0.1             # Host of the Postgres server.
#pg_port = 5432                  # Port of the Postgres server.
#pg_timeout = 5000               # Defines the timeout (in ms), for connecting,
                                 # reading and writing.
#pg_user = kong                  # Postgres user.
#pg_password =                   # Postgres user's password.
#pg_database = kong              # The database name to connect to.
#pg_schema =                     # The database schema to use. If unspecified,
                                 # Kong will respect the `search_path` value of
                                 # your PostgreSQL instance.
#pg_ssl = off                    # Toggles client-server TLS connections
                                 # between Kong and PostgreSQL.
                                 # Because PostgreSQL uses the same port for TLS
                                 # and non-TLS, this is only a hint. If the
                                 # server does not support TLS, the established
                                 # connection will be a plain one.
#pg_ssl_version = tlsv1          # When using SSL between Kong and PostgreSQL,
                                 # the version of TLS to use. Accepted values are
                                 # `tlsv1`, `tlsv1_2`, or `tlsv1_3`.
#pg_ssl_required = off           # When `pg_ssl` is on this determines if
                                 # TLS must be used between Kong and PostgreSQL.
                                 # It aborts the connection if the server does
                                 # not support SSL connections.
#pg_ssl_verify = off             # Toggles server certificate verification if
                                 # `pg_ssl` is enabled.
                                 # See the `lua_ssl_trusted_certificate`
                                 # setting to specify a certificate authority.
#pg_ssl_cert =                   # The absolute path to the PEM encoded client
                                 # TLS certificate for the PostgreSQL connection.
                                 # Mutual TLS authentication against
                                 # PostgreSQL is only enabled if this value is set.
#pg_ssl_cert_key =               # If `pg_ssl_cert` is set, the absolute path to
                                 # the PEM encoded client TLS private key for the
                                 # PostgreSQL connection.
#pg_max_concurrent_queries = 0   # Sets the maximum number of concurrent queries
                                 # that can be executing at any given time. This
                                 # limit is enforced per worker process; the
                                 # total number of concurrent queries for this
                                 # node will be:
                                 # `pg_max_concurrent_queries * nginx_worker_processes`.
                                 # The default value of 0 removes this
                                 # concurrency limitation.
#pg_semaphore_timeout = 60000    # Defines the timeout (in ms) after which
                                 # PostgreSQL query semaphore resource
                                 # acquisition attempts will fail. Such
                                 # failures will generally result in the
                                 # associated proxy or Admin API request
                                 # failing with an HTTP 500 status code.
                                 # Detailed discussion of this behavior is
                                 # available in the online documentation.
#pg_keepalive_timeout = 60000    # Defines the time in milliseconds that an idle connection to
                                 # PostgreSQL server will be kept alive.
#pg_ro_host =                    # Same as `pg_host`, but for the
                                 # read-only connection.
                                 # **Note:** Refer to the documentation
                                 # section above for detailed usage.
#pg_ro_port = <pg_port>          # Same as `pg_port`, but for the
                                 # read-only connection.
#pg_ro_timeout = <pg_timeout>    # Same as `pg_timeout`, but for the
                                 # read-only connection.
#pg_ro_user = <pg_user>          # Same as `pg_user`, but for the
                                 # read-only connection.
#pg_ro_password = <pg_password>  # Same as `pg_password`, but for the
                                 # read-only connection.
#pg_ro_database = <pg_database>  # Same as `pg_database`, but for the
                                 # read-only connection.
#pg_ro_schema = <pg_schema>      # Same as `pg_schema`, but for the
                                 # read-only connection.
#pg_ro_ssl = <pg_ssl>            # Same as `pg_ssl`, but for the
                                 # read-only connection.
#pg_ro_ssl_required = <pg_ssl_required>
                                 # Same as `pg_ssl_required`, but for the
                                 # read-only connection.
#pg_ro_ssl_verify = <pg_ssl_verify>
                                 # Same as `pg_ssl_verify`, but for the
                                 # read-only connection.
#pg_ro_ssl_version = <pg_ssl_version>
                                 # Same as `pg_ssl_version`, but for the
                                 # read-only connection.
#pg_ro_max_concurrent_queries = <pg_max_concurrent_queries>
                                 # Same as `pg_max_concurrent_queries`, but for
                                 # the read-only connection.
                                 # Note: read-only concurrency is not shared
                                 # with the main (read-write) connection.
#pg_ro_semaphore_timeout = <pg_semaphore_timeout>
                                 # Same as `pg_semaphore_timeout`, but for the
                                 # read-only connection.
#pg_ro_keepalive_timeout = <pg_keepalive_timeout>
                                 # Same as `pg_keepalive_timeout`, but for the
                                 # read-only connection.
#cassandra_contact_points = 127.0.0.1  # A comma-separated list of contact
                                       # points to your cluster.
                                       # You may specify IP addresses or
                                       # hostnames. Note that the port
                                       # component of SRV records will be
                                       # ignored in favor of `cassandra_port`.
                                       # When connecting to a multi-DC cluster,
                                       # ensure that contact points from the
                                       # local datacenter are specified first
                                       # in this list.
#cassandra_port = 9042           # The port on which your nodes are
                                 # listening. All your nodes and contact points must
                                 # listen on the same port. Will be created if
                                 # it doesn't exist.
#cassandra_keyspace = kong       # The keyspace to use in your cluster.
#cassandra_write_consistency = ONE  # Consistency setting to use when
                                    # writing to the Cassandra cluster.
#cassandra_read_consistency = ONE   # Consistency setting to use when
                                    # reading from the Cassandra cluster.
#cassandra_timeout = 5000        # Defines the timeout (in ms) for reading
                                 # and writing.
#cassandra_ssl = off             # Toggles client-to-node TLS connections
                                 # between Kong and Cassandra.
#cassandra_ssl_verify = off      # Toggles server certificate verification if
                                 # `cassandra_ssl` is enabled.
                                 # See the `lua_ssl_trusted_certificate`
                                 # setting to specify a certificate authority.
#cassandra_username = kong       # Username when using the
                                 # `PasswordAuthenticator` scheme.
#cassandra_password =            # Password when using the
                                 # `PasswordAuthenticator` scheme.
#cassandra_lb_policy = RequestRoundRobin  # Load balancing policy to use when
                                          # distributing queries across your
                                          # Cassandra cluster.
                                          # Accepted values are:
                                          # `RoundRobin`, `RequestRoundRobin`,
                                          # `DCAwareRoundRobin`, and
                                          # `RequestDCAwareRoundRobin`.
                                          # Policies prefixed with "Request"
                                          # make efficient use of established
                                          # connections throughout the same
                                          # request.
                                          # Prefer "DCAware" policies if and
                                          # only if you are using a
                                          # multi-datacenter cluster.
#cassandra_local_datacenter =    # When using the `DCAwareRoundRobin`
                                 # or `RequestDCAwareRoundRobin` load
                                 # balancing policy, you must specify the name
                                 # of the local (closest) datacenter for this
                                 # Kong node.
#cassandra_refresh_frequency = 60          # Frequency (in seconds) at which
                                           # the cluster topology will be
                                           # checked for new or decommissioned
                                           # nodes.
                                           # A value of `0` will disable this
                                           # check, and the cluster topology
                                           # will never be refreshed.
#cassandra_repl_strategy = SimpleStrategy  # When migrating for the first time,
                                           # Kong will use this setting to
                                           # create your keyspace.
                                           # Accepted values are
                                           # `SimpleStrategy` and
                                           # `NetworkTopologyStrategy`.
#cassandra_repl_factor = 1       # When migrating for the first time, Kong
                                 # will create the keyspace with this
                                 # replication factor when using the
                                 # `SimpleStrategy`.
#cassandra_data_centers = dc1:2,dc2:3  # When migrating for the first time,
                                       # Kong will use this setting when using the
                                       # `NetworkTopologyStrategy`.
                                       # The format is a comma-separated list
                                       # made of `<dc_name>:<repl_factor>`.
#cassandra_schema_consensus_timeout = 10000  # Defines the timeout (in ms) for
                                             # the waiting period to reach a
                                             # schema consensus between your
                                             # Cassandra nodes.
                                             # This value is only used during
                                             # migrations.
#declarative_config =           # The path to the declarative configuration
                                # file which holds the specification of all
                                # entities (Routes, Services, Consumers, etc.)
                                # to be used when the `database` is set to
                                # `off`.
                                # Entities are stored in Kong's in-memory cache,
                                # so you must ensure that enough memory is
                                # allocated to it via the `mem_cache_size`
                                # property. You must also ensure that items
                                # in the cache never expire, which means that
                                # `db_cache_ttl` should preserve its default
                                # value of 0.
                                # If the Hybrid mode `role` is set to `data_plane`
                                # and there's no configuration cache file,
                                # this configuration is used before connecting
                                # to the Control Plane node as a user-controlled
                                # fallback.
#declarative_config_string =    # The declarative configuration as a string
#------------------------------------------------------------------------------
# DATASTORE CACHE
#------------------------------------------------------------------------------
# In order to avoid unnecessary communication with the datastore, Kong caches
# entities (such as APIs, Consumers, Credentials...) for a configurable period
# of time. It also handles invalidations if such an entity is updated.
# This section allows for configuring the behavior of Kong regarding the
# caching of such configuration entities.
#db_update_frequency = 5         # Frequency (in seconds) at which to check for
                                 # updated entities with the datastore.
                                 # When a node creates, updates, or deletes an
                                 # entity via the Admin API, other nodes need
                                 # to wait for the next poll (configured by
                                 # this value) to eventually purge the old
                                 # cached entity and start using the new one.
#db_update_propagation = 0       # Time (in seconds) taken for an entity in the
                                 # datastore to be propagated to replica nodes
                                 # of another datacenter.
                                 # When in a distributed environment such as
                                 # a multi-datacenter Cassandra cluster, this
                                 # value should be the maximum number of
                                 # seconds taken by Cassandra to propagate a
                                 # row to other datacenters.
                                 # When set, this property will increase the
                                 # time taken by Kong to propagate the change
                                 # of an entity.
                                 # Single-datacenter setups or PostgreSQL
                                 # servers should suffer no such delays, and
                                 # this value can be safely set to 0.
#db_cache_ttl = 0                # Time-to-live (in seconds) of an entity from
                                 # the datastore when cached by this node.
                                 # Database misses (no entity) are also cached
                                 # according to this setting if you do not
                                 # configure `db_cache_neg_ttl`.
                                 # If set to 0 (default), such cached entities
                                 # or misses never expire.
#db_cache_neg_ttl =              # Time-to-live (in seconds) of a datastore
                                 # miss (no entity).
                                 # If not specified (default), `db_cache_ttl`
                                 # value will be used instead.
                                 # If set to 0, misses will never expire.
#db_resurrect_ttl = 30           # Time (in seconds) for which stale entities
                                 # from the datastore should be resurrected for
                                 # when they cannot be refreshed (e.g., the
                                 # datastore is unreachable). When this TTL
                                 # expires, a new attempt to refresh the stale
                                 # entities will be made.
#db_cache_warmup_entities = services
                                 # Entities to be pre-loaded from the datastore
                                 # into the in-memory cache at Kong start-up.
                                 # This speeds up the first access of endpoints
                                 # that use the given entities.
                                 # When the `services` entity is configured
                                 # for warmup, the DNS entries for values in
                                 # its `host` attribute are pre-resolved
                                 # asynchronously as well.
                                 # Cache size set in `mem_cache_size` should
                                 # be set to a value large enough to hold all
                                 # instances of the specified entities.
                                 # If the size is insufficient, Kong will log
                                 # a warning.
#------------------------------------------------------------------------------
# DNS RESOLVER
#------------------------------------------------------------------------------
# By default, the DNS resolver will use the standard configuration files
# `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be
# overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if
# they have been set.
# Kong will resolve hostnames as either `SRV` or `A` records (in that order, and
# `CNAME` records will be dereferenced in the process).
# In case a name was resolved as an `SRV` record it will also override any given
# port number by the `port` field contents received from the DNS server.
# The DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will
# be used to expand short names to fully qualified ones. So it will first try
# the entire `SEARCH` list for the `SRV` type, if that fails it will try the
# `SEARCH` list for `A`, etc.
# For the duration of the `ttl`, the internal DNS resolver will load-balance each
# request it gets over the entries in the DNS record. For `SRV` records the
# `weight` fields will be honored, but it will only use the lowest `priority`
# field entries in the record.
#dns_resolver =                  # Comma separated list of nameservers, each
                                 # entry in `ip[:port]` format to be used by
                                 # Kong. If not specified the nameservers in
                                 # the local `resolv.conf` file will be used.
                                 # Port defaults to 53 if omitted. Accepts
                                 # both IPv4 and IPv6 addresses.
#dns_hostsfile = /etc/hosts      # The hosts file to use. This file is read
                                 # once and its content is static in memory.
                                 # To read the file again after modifying it,
                                 # Kong must be reloaded.
#dns_order = LAST,SRV,A,CNAME    # The order in which to resolve different
                                 # record types. The `LAST` type means the
                                 # type of the last successful lookup (for the
                                 # specified name). The format is a (case
                                 # insensitive) comma separated list.
#dns_valid_ttl =                 # By default, DNS records are cached using
                                 # the TTL value of a response. If this
                                 # property receives a value (in seconds), it
                                 # will override the TTL for all records.
#dns_stale_ttl = 4               # Defines, in seconds, how long a record will
                                 # remain in cache past its TTL. This value
                                 # will be used while the new DNS record is
                                 # fetched in the background.
                                 # Stale data will be used from expiry of a
                                 # record until either the refresh query
                                 # completes, or the `dns_stale_ttl` number of
                                 # seconds have passed.
#dns_cache_size = 10000          # Defines the maximum allowed number of
                                 # DNS records stored in memory cache.
                                 # Least recently used DNS records are discarded
                                 # from cache if it is full. Both errors and
                                 # data are cached, therefore a single name query
                                 # can easily take up 10-15 slots.
#dns_not_found_ttl = 30          # TTL in seconds for empty DNS responses and
                                 # "(3) name error" responses.
#dns_error_ttl = 1               # TTL in seconds for error responses.
#dns_no_sync = off               # If enabled, then upon a cache-miss every
                                 # request will trigger its own DNS query.
                                 # When disabled multiple requests for the
                                 # same name/type will be synchronised to a
                                 # single query.
#------------------------------------------------------------------------------
# TUNING & BEHAVIOR
#------------------------------------------------------------------------------
#worker_consistency = strict
                                 # Defines whether this node should rebuild its
                                 # state synchronously or asynchronously (the
                                 # balancers and the router are rebuilt on
                                 # updates that affect them, e.g., updates to
                                 # Routes, Services or Upstreams, via the Admin
                                 # API or loading a declarative configuration
                                 # file).
                                 # Accepted values are:
                                 # - `strict`: the router will be rebuilt
                                 #   synchronously, causing incoming requests to
                                 #   be delayed until the rebuild is finished.
                                 # - `eventual`: the router will be rebuilt
                                 #   asynchronously via a recurring background
                                 #   job running every second inside of each
                                 #   worker.
                                 # Note that `strict` ensures that all workers
                                 # of a given node will always proxy requests
                                 # with an identical router, but that increased
                                 # long tail latency can be observed if
                                 # frequent Routes and Services updates are
                                 # expected.
                                 # Using `eventual` will help prevent long
                                 # tail latency issues in such cases, but may
                                 # cause workers to route requests differently
                                 # for a short period of time after Routes and
                                 # Services updates.
#worker_state_update_frequency = 5
                                 # Defines how often the worker state changes are
                                 # checked with a background job. When a change
                                 # is detected, a new router or balancer will be
                                 # built, as needed. Raising this value will
                                 # decrease the load on database servers and
                                 # result in less jitter in proxy latency, but
                                 # it might take more time to propagate changes
                                 # to each individual worker.
#------------------------------------------------------------------------------
# MISCELLANEOUS
#------------------------------------------------------------------------------
# Additional settings inherited from lua-nginx-module allowing for more
# flexibility and advanced usage.
# See the lua-nginx-module documentation for more information:
# https://github.com/openresty/lua-nginx-module
#lua_ssl_trusted_certificate =   # Comma-separated list of paths to certificate
                                 # authority files for Lua cosockets in PEM format.
                                 # The special value `system` attempts to search for the
                                 # "usual default" provided by each distro, according
                                 # to an arbitrary heuristic. In the current implementation,
                                 # the following pathnames will be tested in order,
                                 # and the first one found will be used:
                                 # - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
                                 # - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
                                 # - /etc/ssl/ca-bundle.pem (OpenSUSE)
                                 # - /etc/pki/tls/cacert.pem (OpenELEC)
                                 # - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
                                 # - /etc/ssl/cert.pem (OpenBSD, Alpine)
                                 # If no file is found on any of these paths, an error will
                                 # be raised.
                                 # `system` can be used by itself or in conjunction with other
                                 # CA filepaths.
                                 # When `pg_ssl_verify` or `cassandra_ssl_verify`
                                 # are enabled, these certificate authority files will be
                                 # used for verifying Kong's database connections.
                                 # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
#lua_ssl_verify_depth = 1        # Sets the verification depth in the server
                                 # certificates chain used by Lua cosockets,
                                 # set by `lua_ssl_trusted_certificate`.
                                 # This includes the certificates configured
                                 # for Kong's database connections.
                                 # If the maximum depth is reached before
                                 # reaching the end of the chain, verification
                                 # will fail. This helps mitigate certificate
                                 # based DoS attacks.
                                 # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3   # Defines the TLS versions supported
                                               # when handshaking with OpenResty's
                                               # TCP cosocket APIs.
                                               # This affects connections made by Lua
                                               # code, such as connections to the
                                               # database Kong uses, or when sending logs
                                               # using a logging plugin. It does *not*
                                               # affect connections made to the upstream
                                               # Service or from downstream clients.
#lua_package_path = ./?.lua;./?/init.lua;  # Sets the Lua module search path
                                           # (LUA_PATH). Useful when developing
                                           # or using custom plugins not stored
                                           # in the default search path.
                                           # See https://github.com/openresty/lua-nginx-module#lua_package_path
#lua_package_cpath =             # Sets the Lua C module search path
                                 # (LUA_CPATH).
                                 # See https://github.com/openresty/lua-nginx-module#lua_package_cpath
#lua_socket_pool_size = 30       # Specifies the size limit for every cosocket
                                 # connection pool associated with every remote
                                 # server.
                                 # See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size
#enforce_rbac = off              # Specifies whether Admin API RBAC is enforced.
                                 # Accepts one of `entity`, `both`, `on`, or
                                 # `off`.
                                 # - `on`: only endpoint-level authorization
                                 #   is enforced.
                                 # - `entity`: entity-level authorization
                                 #   applies.
                                 # - `both`: enables both endpoint and
                                 #   entity-level authorization.
                                 # - `off`: disables both endpoint and
                                 #   entity-level authorization.
                                 # When enabled, Kong will deny requests to the
                                 # Admin API when a nonexistent or invalid RBAC
                                 # authorization token is passed, or the RBAC
                                 # user with which the token is associated does
                                 # not have permissions to access/modify the
                                 # requested resource.
#rbac_auth_header = Kong-Admin-Token  # Defines the name of the HTTP request
                                      # header from which the Admin API will
                                      # attempt to authenticate the RBAC user.
#event_hooks_enabled = on   # When enabled, event hook entities represent a relationship
                            # between an event (source and event) and an action
                            # (handler). Similar to web hooks, event hooks can be used to
                            # communicate Kong Gateway service events. When a particular
                            # event happens on a service, the event hook calls a URL with
                            # information about that event. Event hook configurations
                            # differ depending on the handler. The events that are
                            # triggered send associated data.
                            # See: https://docs.konghq.com/enterprise/latest/admin-api/event-hooks/reference/
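The datastore TLS settings (`pg_ssl*`, `cassandra_ssl*`, `lua_ssl_*`) and `enforce_rbac` above ship with verification and enforcement switched off. The Python audit below is an added example, not part of kong.conf.default or of Kong's tooling: it merges the documented defaults, uncommented `key = value` lines and `KONG_*` overrides, then reports which of those settings are still weak. The function names, the constructed sample configurations, and the defaults for `database` (`postgres`) and `pg_ssl` (`off`), which are documented outside this excerpt, are assumptions.

```python
import re

# Defaults as shown in the commented-out lines of kong.conf.default.
# ASSUMPTION: `database` (postgres) and `pg_ssl` (off) are documented outside
# this excerpt; their defaults are filled in here.
DEFAULTS = {
    "database": "postgres",
    "pg_ssl": "off",
    "pg_ssl_version": "tlsv1",
    "pg_ssl_required": "off",
    "pg_ssl_verify": "off",
    "cassandra_ssl": "off",
    "cassandra_ssl_verify": "off",
    "lua_ssl_trusted_certificate": "",
    "lua_ssl_protocols": "TLSv1.1 TLSv1.2 TLSv1.3",
    "enforce_rbac": "off",
}

# `key = value  # comment`; commented-out lines start with `#` and never match.
LINE = re.compile(r"^\s*([a-z0-9_]+)\s*=\s*(.*?)\s*(?:(?<!\\)#.*)?$")

# Constructed sample: TLS switched on, everything else left at its default.
SAMPLE_HINT_ONLY = "pg_ssl = on   # TLS requested, nothing else changed\n"

# Constructed sample: the strict counterpart of the settings audited below.
HARDENED_CONF = """\
database = postgres
pg_ssl = on
pg_ssl_required = on
pg_ssl_verify = on
pg_ssl_version = tlsv1_3
lua_ssl_trusted_certificate = system
lua_ssl_protocols = TLSv1.2 TLSv1.3
enforce_rbac = both
"""


def load_settings(conf_text, env=None):
    """Defaults, then uncommented file lines, then KONG_* environment overrides."""
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in settings:
            settings[m.group(1)] = m.group(2)
    for name, value in (env or {}).items():
        key = name[len("KONG_"):].lower()
        if name.startswith("KONG_") and key in settings:
            settings[key] = value.strip()
    return settings


def is_on(value):
    """Kong accepts on/off and true/false for boolean settings."""
    return value.strip().lower() in ("on", "true")


def audit(conf_text, env=None):
    """Return [(setting, reason)] for weak datastore-TLS and RBAC settings."""
    s = load_settings(conf_text, env)
    findings = []
    db = s["database"].lower()
    ca_missing = not s["lua_ssl_trusted_certificate"].strip()
    no_ca = ("lua_ssl_trusted_certificate",
             "verification is on but no CA file is configured")

    if db == "postgres":
        if not is_on(s["pg_ssl"]):
            findings.append(("pg_ssl", "connection to PostgreSQL is not encrypted"))
        else:
            if not is_on(s["pg_ssl_required"]):
                findings.append(("pg_ssl_required",
                                 "pg_ssl is only a hint; a plain connection is accepted"))
            if not is_on(s["pg_ssl_verify"]):
                findings.append(("pg_ssl_verify", "server certificate is not verified"))
            elif ca_missing:
                findings.append(no_ca)
            if s["pg_ssl_version"].lower() == "tlsv1":
                findings.append(("pg_ssl_version",
                                 "lowest accepted value; tlsv1_2 and tlsv1_3 exist"))
    elif db == "cassandra":
        if not is_on(s["cassandra_ssl"]):
            findings.append(("cassandra_ssl", "connection to Cassandra is not encrypted"))
        elif not is_on(s["cassandra_ssl_verify"]):
            findings.append(("cassandra_ssl_verify", "server certificate is not verified"))
        elif ca_missing:
            findings.append(no_ca)

    legacy = [p for p in s["lua_ssl_protocols"].split()
              if p.lower() in ("tlsv1", "tlsv1.1")]
    if legacy:
        findings.append(("lua_ssl_protocols", "legacy versions allowed: " + " ".join(legacy)))
    if s["enforce_rbac"].strip().lower() == "off":
        findings.append(("enforce_rbac", "Admin API RBAC is not enforced"))
    return findings


if __name__ == "__main__":
    for setting, reason in audit(SAMPLE_HINT_ONLY):
        print(f"{setting}: {reason}")
```

Pass `dict(os.environ)` as `env` to audit the effective configuration of a running node, since `KONG_*` variables override the file.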
#------------------------------------------------------------------------------
# KONG MANAGER
#------------------------------------------------------------------------------
# The Admin GUI for Kong Enterprise.
#admin_gui_listen = 0.0.0.0:8002, 0.0.0.0:8445 ssl
                        # Kong Manager Listeners
                        # Comma-separated list of addresses and ports on which
                        # Kong will expose Kong Manager. This web application
                        # lets you configure and manage Kong, and therefore
                        # should be kept secured.
                        # Suffixes can be specified for each pair, similarly to
                        # the `admin_listen` directive.
#admin_gui_url =        # Kong Manager URL
                        # The lookup, or balancer, address for Kong Manager.
                        # Accepted format (items in parentheses are optional):
                        #   `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
                        # Examples:
                        # - `http://127.0.0.1:8003`
                        # - `https://kong-admin.test`
                        # - `http://dev-machine/dev-285`
                        # By default, Kong Manager will use the window request
                        # host and append the resolved listener port depending
                        # on the requested protocol.
#admin_gui_ssl_cert =   # The absolute path to the SSL certificate for
                        # `admin_gui_listen` values with SSL enabled.
#admin_gui_ssl_cert_key = # The absolute path to the SSL key for
                          # `admin_gui_listen` values with SSL enabled.
#admin_gui_flags = {}
                        # Alters the layout of the Admin GUI (JSON)
                        # The only supported value is `{ "IMMUNITY_ENABLED": true }`
                        # to enable Kong Immunity in the Admin GUI.
#admin_gui_access_log = logs/admin_gui_access.log
                        # Kong Manager Access Logs
                        # Here you can set an absolute or relative path for Kong
                        # Manager access logs. When the path is relative,
                        # logs are placed in the `prefix` location.
                        # Setting this value to `off` disables access logs
                        # for Kong Manager.
#admin_gui_error_log = logs/admin_gui_error.log
                        # Kong Manager Error Logs
                        # Here you can set an absolute or relative path for Kong
                        # Manager error logs. When the path is relative,
                        # logs are placed in the `prefix` location.
                        # Setting this value to `off` disables error logs for
                        # Kong Manager.
                        # Granularity can be adjusted through the `log_level`
                        # directive.
#admin_gui_auth =       # Kong Manager Authentication Plugin Name
                        # Secures access to Kong Manager by specifying an
                        # authentication plugin to use.
                        # Supported Plugins:
                        # - `basic-auth`: Basic Authentication plugin
                        # - `ldap-auth-advanced`: LDAP Authentication plugin
                        # - `openid-connect`: OpenID Connect Authentication
                        #   plugin
#admin_gui_auth_conf =  # Kong Manager Authentication Plugin Config (JSON)
                        # Specifies the configuration for the authentication
                        # plugin specified in `admin_gui_auth`.
                        # For information about Plugin Configuration
                        # consult the associated plugin documentation.
                        # Example for `basic-auth`:
                        # `admin_gui_auth_conf = { "hide_credentials": true }`
#admin_gui_auth_password_complexity = # Kong Manager Authentication Password Complexity (JSON)
                        # When `admin_gui_auth = basic-auth`, this property defines
                        # the rules required for Kong Manager passwords. Choose
                        # from preset rules or write your own.
                        # Example using preset rules:
                        # `admin_gui_auth_password_complexity = { "kong-preset": "min_8" }`
                        # All values for kong-preset require the password to contain
                        # characters from at least three of the following categories:
                        # 1. Uppercase characters (A through Z)
                        # 2. Lowercase characters (a through z)
                        # 3. Base-10 digits (0 through 9)
                        # 4. Special characters (for example, &, $, #, %)
                        # Supported preset rules:
                        # - `min_8`: minimum length of 8
                        # - `min_12`: minimum length of 12
                        # - `min_20`: minimum length of 20
                        # To write your own rules, see
                        # https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.
                        # NOTE: Only keywords "min", "max" and "passphrase" are supported.
                        # Example:
                        # `admin_gui_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#admin_gui_session_conf = # Kong Manager Session Config (JSON)
                          # Specifies the configuration for the Session plugin as
                          # used by Kong Manager.
                          # For information about plugin configuration, consult
                          # the Kong Session plugin documentation.
                          # Example:
                          # ```
                          # admin_gui_session_conf = { "cookie_name": "kookie", \
                          #                            "secret": "changeme" }
                          # ```
#admin_gui_auth_header = Kong-Admin-User
                        # Defines the name of the HTTP request header from which
                        # the Admin API will attempt to identify the Kong Admin
                        # user.
#admin_gui_auth_login_attempts = 0
                        # Number of times a user can attempt to login to Kong
                        # Manager. 0 means infinite attempts allowed.
#admin_gui_header_txt = # Kong Manager Header Text
                    # Sets text for Kong Manager Header Banner. Header Banner
                    # is not shown if this config is empty.
#admin_gui_header_bg_color = # Kong Manager Header Background Color
                         # Sets background color for Kong Manager Header Banner
                         # Accepts css color keyword, #-hexadecimal or rgb
                         # format. Invalid values are ignored by Manager.
#admin_gui_header_txt_color = # Kong Manager Header Text Color
                          # Sets text color for Kong Manager Header Banner.
                          # Accepts css color keyword, #-hexadecimal or rgb
                          # format. Invalid values are ignored by Kong Manager.
#admin_gui_footer_txt = # Kong Manager Footer Text
                    # Sets text for Kong Manager Footer Banner. Footer Banner
                    # is not shown if this config is empty
#admin_gui_footer_bg_color = # Kong Manager Footer Background Color
                         # Sets background color for Kong Manager Footer Banner.
                         # Accepts css color keyword, #-hexadecimal or rgb
                         # format. Invalid values are ignored by Manager.
#admin_gui_footer_txt_color = # Kong Manager Footer Text Color
                          # Sets text color for Kong Manager Footer Banner.
                          # Accepts css color keyword, #-hexadecimal or rgb
                          # format. Invalid values are ignored by Kong Manager.
#admin_gui_login_banner_title = # Kong Manager Login Banner Title Text
                                # Sets title text for Kong Manager Login Banner.
                                # Login Banner is not shown if both
                                # `admin_gui_login_banner_title` and
                                # `admin_gui_login_banner_body` are empty.
#admin_gui_login_banner_body = # Kong Manager Login Banner Body Text
                                # Sets body text for Kong Manager Login Banner.
                                # Login Banner is not shown if both
                                # `admin_gui_login_banner_title` and
                                # `admin_gui_login_banner_body` are empty.
#------------------------------------------------------------------------------
# VITALS
#------------------------------------------------------------------------------
#vitals = on                     # When enabled, Kong will store and report
                                 # metrics about its performance.
                                 # When running Kong in a multi-node setup,
                                 # `vitals` entails two separate meanings
                                 # depending on the node.
                                 # On a Proxy-only node, `vitals` determines
                                 # whether to collect data for Vitals.
                                 # On an Admin-only node, `vitals` determines
                                 # whether to display Vitals metrics and
                                 # visualizations on the dashboard.
#vitals_strategy = database      # Determines whether to use the Kong database
                                 # (either PostgreSQL or Cassandra, as defined
                                 # by the `database` config value above), or a
                                 # separate storage engine, for Vitals metrics.
                                 # Accepted values are `database`, `prometheus`,
                                 # or `influxdb`.
#vitals_tsdb_address =           # Defines the host and port of the TSDB server
                                 # to which Vitals data is written and read.
                                 # This value is only applied when the
                                 # `vitals_strategy` option is set to
                                 # `prometheus` or `influxdb`. This value
                                 # accepts IPv4, IPv6, and hostname values.
                                 # If the `vitals_strategy` is set to
                                 # `prometheus`, this value determines the
                                 # address of the Prometheus server from which
                                 # Vitals data will be read. For `influxdb`
                                 # strategies, this value controls both the read
                                 # and write source for Vitals data.
#vitals_tsdb_user =              # Influxdb user
#vitals_tsdb_password =          # Influxdb password
#vitals_statsd_address =         # Defines the host and port (and an optional
                                 # protocol) of the StatsD server to which
                                 # Kong should write Vitals metrics. This value
                                 # is only applied when the `vitals_strategy` is
                                 # set to `prometheus`. This value accepts IPv4,
                                 # IPv6, and hostnames. Additionally, the suffix
                                 # `tcp` can be specified; doing so will result
                                 # in Kong sending StatsD metrics via TCP
                                 # instead of UDP (the default).
#vitals_statsd_prefix = kong     # Defines the prefix value attached to all
                                 # Vitals StatsD events. This prefix is useful
                                 # when writing metrics to a multi-tenant StatsD
                                 # exporter or server.
#vitals_statsd_udp_packet_size = 1024   # Defines the maximum buffer size in
                                        # which Vitals statsd metrics will be
                                        # held and sent in batches.
                                        # This value is defined in bytes.
#vitals_prometheus_scrape_interval = 5  # Defines the scrape_interval query
                                        # parameter sent to the Prometheus
                                        # server when reading Vitals data.
                                        # This should be same as the scrape
                                        # interval (in seconds) of the
                                        # Prometheus server.
#------------------------------------------------------------------------------
# DEVELOPER PORTAL
#------------------------------------------------------------------------------
#portal = off
                        # Developer Portal Switch
                        # When enabled:
                        #   Kong will expose the Dev Portal interface and
                        #   read-only APIs on the `portal_gui_listen` address,
                        #   and endpoints on the Admin API to manage assets.
                        # When enabled along with `portal_auth`:
                        #   Kong will expose management endpoints for developer
                        #   accounts on the Admin API and the Dev Portal API.
#portal_gui_listen = 0.0.0.0:8003, 0.0.0.0:8446 ssl
                        # Developer Portal GUI Listeners
                        # Comma-separated list of addresses on which Kong will
                        # expose the Developer Portal GUI. Suffixes can be
                        # specified for each pair, similarly to
                        # the `admin_listen` directive.
#portal_gui_protocol = http
                        # Developer Portal GUI protocol
                        # The protocol used in conjunction with
                        # `portal_gui_host` to construct the lookup, or balancer
                        # address for your Kong Proxy nodes.
                        # Examples: `http`,`https`
#portal_gui_host = 127.0.0.1:8003
                        # Developer Portal GUI host
                        # The host used in conjunction with
                        # `portal_gui_protocol` to construct the lookup,
                        # or balancer address for your Kong Proxy nodes.
                        # Examples:
                        # - `<IP>:<PORT>`
                        #   -> `portal_gui_host = 127.0.0.1:8003`
                        # - `<HOSTNAME>`
                        #   -> `portal_gui_host = portal_api.domain.tld`
                        # - `<HOSTNAME>/<PATH>`
                        #   -> `portal_gui_host = dev-machine/dev-285`
#portal_cors_origins =  # Developer Portal CORS Origins
                        # A comma separated list of allowed domains for
                        # `Access-Control-Allow-Origin` header. This can be used to
                        # resolve CORS issues in custom networking environments.
                        # Examples:
                        # - list of domains:
                        #   `portal_cors_origins = http://localhost:8003, https://localhost:8004`
                        # - single domain:
                        #   `portal_cors_origins = http://localhost:8003`
                        # - all domains:
                        #   `portal_cors_origins = *`
                        # NOTE: In most cases, the Developer Portal is able to derive
                        # valid CORS origins by using `portal_gui_protocol`, `portal_gui_host`,
                        # and if applicable, `portal_gui_use_subdomains`. In these cases,
                        # `portal_cors_origins` is not needed and can remain unset.
#portal_gui_use_subdomains = off
                        # Developer Portal GUI subdomain toggle
                        # By default Kong Portal uses the first namespace in
                        # the request path to determine workspace. By turning
                        # `portal_gui_use_subdomains` on, Kong Portal will expect
                        # workspace to be included in the request url as a subdomain.
                        # Example (off):
                        #   - `<scheme>://<HOSTNAME>/<WORKSPACE>/<PATH>` ->
                        #     `http://kong-portal.com/example-workspace/index`
                        # Example (on):
                        #   - `<scheme>://<WORKSPACE>.<HOSTNAME>` ->
                        #     `http://example-workspace.kong-portal.com/index`
#portal_gui_ssl_cert =  # Developer Portal GUI SSL Certificate
                        # The absolute path to the SSL certificate for
                        # `portal_gui_listen` values with SSL enabled.
#portal_gui_ssl_cert_key = # Developer Portal GUI SSL Certificate Key
                           # The absolute path to the SSL key for
                           # `portal_gui_listen` values with SSL enabled.
#portal_gui_access_log = logs/portal_gui_access.log
                        # Developer Portal GUI Access Log location
                        # Here you can set an absolute or relative path for your
                        # Portal GUI access logs.
                        # Setting this value to `off` will disable logging
                        # Portal GUI access logs.
                        # When using relative pathing, logs will be placed under
                        # the `prefix` location.
#portal_gui_error_log = logs/portal_gui_error.log
                        # Developer Portal GUI Error Log location
                        # Here you can set an absolute or relative path for your
                        # Portal GUI error logs.
                        # Setting this value to `off` will disable logging
                        # Portal GUI error logs.
                        # When using relative pathing, logs will be placed under
                        # the `prefix` location.
                        # Granularity can be adjusted through the `log_level`
                        # directive.
#portal_api_listen = 0.0.0.0:8004, 0.0.0.0:8447 ssl
                        # Developer Portal API Listeners
                        # Comma-separated list of addresses on which Kong will
                        # expose the Developer Portal API. Suffixes can be
                        # specified for each pair, similarly to
                        # the `admin_listen` directive.
#portal_api_url =       # Developer Portal API URL
                        # The lookup, or balancer, address for your Developer
                        # Portal nodes.
                        # This value is commonly used in a microservices
                        # or service-mesh oriented architecture.
                        # `portal_api_url` is the address on which your
                        # Kong Dev Portal API is accessible by Kong. You
                        # should only set this value if your Kong Dev Portal API
                        # lives on a different node than your Kong Proxy.
                        # Accepted format (parts in parenthesis are optional):
                        #   `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
                        # Examples:
                        # - `<scheme>://<IP>:<PORT>`
                        #   -> `portal_api_url = http://127.0.0.1:8003`
                        # - `SSL <scheme>://<HOSTNAME>`
                        #   -> `portal_api_url = https://portal_api.domain.tld`
                        # - `<scheme>://<HOSTNAME>/<PATH>`
                        #   -> `portal_api_url = http://dev-machine/dev-285`
                        # By default this value points to the local interface:
                        # - `http://0.0.0.0:8004`
#portal_api_ssl_cert =  # Developer Portal API SSL Certificate
                        # The absolute path to the SSL certificate for
                        # `portal_api_listen` values with SSL enabled.
#portal_api_ssl_cert_key = # Developer Portal API SSL Certificate Key
                           # The absolute path to the SSL key for
                           # `portal_api_listen` values with SSL enabled.
#portal_api_access_log = logs/portal_api_access.log
                        # Developer Portal API Access Log location
                        # Here you can set an absolute or relative path for your
                        # Portal API access logs.
                        # Setting this value to `off` will disable logging
                        # Portal API access logs.
                        # When using relative pathing, logs will be placed under
                        # the `prefix` location.
#portal_api_error_log = logs/portal_api_error.log
                        # Developer Portal API Error Log location
                        # Here you can set an absolute or relative path for your
                        # Portal API error logs.
                        # Setting this value to `off` will disable logging
                        # Portal API error logs.
                        # When using relative pathing, logs will be placed under
                        # the `prefix` location.
                        # Granularity can be adjusted through the `log_level`
                        # directive.
#portal_is_legacy = off
                        # Developer Portal legacy support
                        # Setting this value to `on` will cause all new
                        # portals to render using the legacy rendering system by default.
                        # Setting this value to `off` will cause all new
                        # portals to render using the current rendering system.
#portal_app_auth = kong-oauth2
                        # Developer Portal application registration
                        # auth provider and strategy. Must be set to enable
                        # application_registration plugin
                        # Currently accepts kong-oauth2 or external-oauth2
#------------------------------------------------------------------------------
# DEFAULT DEVELOPER PORTAL AUTHENTICATION
#------------------------------------------------------------------------------
# Referenced on workspace creation to set Dev Portal authentication defaults
# in the database for that particular workspace.
#portal_auth =          # Developer Portal Authentication Plugin Name
                        # Specifies the authentication plugin
                        # to apply to your Developer Portal. Developers
                        # will use the specified form of authentication
                        # to request access, register, and login to your
                        # Developer Portal.
                        # Supported Plugins:
                        # - Basic Authentication: `portal_auth = basic-auth`
                        # - OIDC Authentication: `portal_auth = openid-connect`
#portal_auth_password_complexity = # Kong Portal Authentication Password Complexity (JSON)
                        # When portal_auth = basic-auth, this property defines
                        # the rules required for Kong Portal passwords. Choose
                        # from preset rules or write your own.
                        # Example using preset rules:
                        # `portal_auth_password_complexity = { "kong-preset": "min_8" }`
                        # All values for kong-preset require the password to contain
                        # characters from at least three of the following categories:
                        # 1. Uppercase characters (A through Z)
                        # 2. Lowercase characters (a through z)
                        # 3. Base-10 digits (0 through 9)
                        # 4. Special characters (for example, &, $, #, %)
                        # Supported preset rules:
                        # - `min_8`: minimum length of 8
                        # - `min_12`: minimum length of 12
                        # - `min_20`: minimum length of 20
                        # To write your own rules, see
                        # https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.
                        # NOTE: Only keywords "min", "max" and "passphrase" are supported.
                        # Example:
                        # `portal_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#portal_auth_conf =     # Developer Portal Authentication Plugin Config (JSON)
                        # Specifies the plugin configuration object
                        # in JSON format to be applied to your Developer
                        # Portal authentication.
                        # For information about Plugin Configuration
                        # consult the associated plugin documentation.
                        # Example for `basic-auth`:
                        # `portal_auth_conf = { "hide_credentials": true }`
#portal_auth_login_attempts = 0
                        # Number of times a user can attempt to login to the
                        # Dev Portal before password must be reset.
                        # 0 (default) means infinite attempts allowed.
                        # Note: Any value greater than 0 will only affect
                        # Dev Portals secured with basic-auth.
#portal_session_conf =  # Portal Session Config (JSON)
                        # Specifies the configuration for the
                        # Session plugin as used by Kong Portal.
                        # For information about Plugin Configuration consult
                        # the Kong Session Plugin documentation.
                        # Example:
                        # ```
                        # portal_session_conf = { "cookie_name": "portal_session", \
                        #                          "secret": "changeme", \
                        #                          "storage": "kong" }
                        # ```
#portal_auto_approve = off
                        # Developer Portal Auto Approve Access
                        # When this flag is set to `on`, a developer will
                        # automatically be marked as "approved" after completing
                        # registration. Access can still be revoked through the
                        # Admin GUI or API.
#portal_token_exp = 21600
                        # Duration in seconds for the expiration of portal
                        # login reset/account validation token.
#portal_email_verification = off
                        # Portal Developer Email Verification.
                        # When enabled Developers will receive an email upon
                        # registration to verify their account.  Developers will
                        # not be able to use the Developer Portal until they
                        # verify their account.
                        # Note: SMTP must be turned on in order to use this feature.
#------------------------------------------------------------------------------
# DEFAULT PORTAL SMTP CONFIGURATION
#------------------------------------------------------------------------------
# Referenced on workspace creation to set SMTP defaults in the database
# for that particular workspace.
#portal_invite_email = on
                        # Enable or disable portal_invite_email
#portal_access_request_email = on
                        # Enable or disable portal_access_request_email
#portal_approved_email = on
                        # Enable or disable portal_approved_email
#portal_reset_email = on
                        # Enable or disable portal_reset_email
#portal_reset_success_email = on
                        # Enable or disable portal_reset_success_email
#portal_application_status_email = off
                        # When enabled, developers will receive an email
                        # when the status changes for their application
                        # service requests.
                        # When disabled, developers will still be able
                        # to view the status in their developer portal
                        # application page.
                        # The email looks like the following:
                        # ```
                        # Subject: Dev Portal application request <REQUEST_STATUS> (<DEV_PORTAL_URL>)
                        # Hello Developer,
                        # We are emailing you to let you know that your request for application access from the
                        # Developer Portal account at <DEV_PORTAL_URL> is <REQUEST_STATUS>.
                        # Application: <APPLICATION_NAME>
                        # Service: <SERVICE_NAME>
                        # You will receive another email when your access has been approved.
                        # ```
#portal_application_request_email = off
                        # When enabled, Kong admins specified by `smtp_admin_emails`
                        # will receive an email when a developer requests access
                        # to service through an application.
                        # When disabled, Kong admins will have to manually check
                        # the Kong Manager to view any requests.
                        # By default, `smtp_admin_emails` will be the recipients.
                        # This can be overridden by `portal_smtp_admin_emails`,
                        # which can be set dynamically per workspace through
                        # the Admin API.
                        # The email looks like the following:
                        # ```
                        # Subject: Request to access Dev Portal (<DEV_PORTAL_URL>) service from <DEVELOPER_EMAIL>
                        # Hello Admin,
                        # <DEVELOPER NAME> (<DEVELOPER_EMAIL>) has requested application access for <DEV_PORTAL_URL>.
                        # Requested workspace: <WORKSPACE_NAME>
                        # Requested application: <APPLICATION_NAME>
                        # Requested service: <SERVICE_NAME>
                        # Please visit <KONG_MANAGER_URL/WORKSPACE_NAME/applications/APPLICATION_ID#requested> to review this request.
                        # ```
#portal_emails_from =   # The name and email address for the `From` header
                        # for portal emails
                        # Example:
                        # `portal_emails_from = Your Name <[email protected]>`
                        # Note: Some SMTP servers will not use
                        # this value, but instead insert the email and name
                        # associated with the account.
#portal_emails_reply_to = # Email address for the `Reply-To` header for
                          # portal emails
                          # Example:
                          # `portal_emails_reply_to = [email protected]`
                          # Note: Some SMTP servers will not use
                          # this value, but instead insert the email
                          # associated with the account.
#portal_smtp_admin_emails =
                          # Comma separated list of admin emails to receive
                          # portal notifications. Can be dynamically set per
                          # workspace through the Admin API.
                          # If not set, `smtp_admin_emails` will be used.
                          # Example `[email protected], [email protected]`
#------------------------------------------------------------------------------
# ADMIN SMTP CONFIGURATION
#------------------------------------------------------------------------------
#admin_emails_from =  ""              # The email address for the `From` header
                                      # for admin emails.
#admin_emails_reply_to =              # Email address for the `Reply-To` header
                                      # for admin emails.
#admin_invitation_expiry = 259200     # Expiration time for the admin invitation link
                                      # (in seconds). 0 means no expiration.
                                      # Example, 72 hours: `72 * 60 * 60 = 259200`
#------------------------------------------------------------------------------
# GENERAL SMTP CONFIGURATION
#------------------------------------------------------------------------------
#smtp_mock = on        # This flag will mock the sending of emails. This can be
                       # used for testing before the SMTP client is fully
                       # configured.
#smtp_host = localhost
                       # The hostname of the SMTP server to connect to.
#smtp_port = 25
                       # The port number on the SMTP server to connect to.
#smtp_starttls = off
                       # When set to `on`, STARTTLS is used to encrypt
                       # communication with the SMTP server. This is normally
                       # used in conjunction with port 587.
#smtp_username =       # Username used for authentication with SMTP server
#smtp_password =       # Password used for authentication with SMTP server
#smtp_ssl = off
                       # When set to `on`, SMTPS is used to encrypt
                       # communication with the SMTP server. This is normally
                       # used in conjunction with port 465.
#smtp_auth_type =      # The method used to authenticate with the SMTP server
                       # Valid options are `plain`, `login`, or `nil`
#smtp_domain = localhost.localdomain
                       # The domain used in the `EHLO` connection and part of
                       # the `Message-ID` header
#smtp_timeout_connect = 60000
                       # The timeout (in milliseconds) for connecting to the
                       # SMTP server.
#smtp_timeout_send = 60000
                       # The timeout (in milliseconds) for sending data to the
                       # SMTP server.
#smtp_timeout_read = 60000
                       # The timeout (in milliseconds) for reading data from
                       # the SMTP server.
#smtp_admin_emails =   # Comma separated list of admin emails to receive
                       # notifications.
                       # Example `[email protected], [email protected]`
#-------------------------------------------------------------------------------
# DATA & ADMIN AUDIT
#-------------------------------------------------------------------------------
# When enabled, Kong will store detailed audit data regarding Admin API and
# database access. In most cases, updates to the database are associated with
# Admin API requests. As such, database object audit log data is tied to a
# given HTTP request via a unique identifier, providing built-in association of Admin
# API and database traffic.
#audit_log = off                 # When enabled, Kong will log information about
                                 # Admin API access and database row insertions,
                                 # updates, and deletes.
#audit_log_ignore_methods =      # Comma-separated list of HTTP methods that
                                 # will not generate audit log entries. By
                                 # default, all HTTP requests will be logged.
#audit_log_ignore_paths =        # Comma-separated list of request paths that
                                 # will not generate audit log entries. By
                                 # default, all HTTP requests will be logged.
#audit_log_ignore_tables =       # Comma-separated list of database tables that
                                 # will not generate audit log entries. By
                                 # default, updates to all database tables will
                                 # be logged (the term "updates" refers to the
                                 # creation, update, or deletion of a row).
#audit_log_payload_exclude = token, secret, password
                                 # Comma-separated list of keys that will be
                                 # filtered out of the payload. Keys that were
                                 # filtered will be recorded in the audit log.
#audit_log_record_ttl = 2592000  # Length, in seconds, of the TTL for audit log
                                 # records. Records in the database older than
                                 # their TTL are automatically purged.
                                 # Example, 30 days: `30 * 24 * 60 * 60 = 2592000`
#audit_log_signing_key =         # Defines the path to a private RSA signing key
                                 # that can be used to insert a signature of
                                 # audit records, adjacent to the record. The
                                 # corresponding public key should be stored
                                 # offline, and can be used to validate audit
                                 # entries in the future. If this value is
                                 # undefined, no signature will be generated.
#-------------------------------------------------------------------------------
# GRANULAR TRACING
#-------------------------------------------------------------------------------
# Granular tracing offers a mechanism to expose metrics and detailed debug data
# about the lifecycle of Kong in a human- or machine-consumable format.
#tracing = off                   # When enabled, Kong will generate granular
                                 # debug data about various portions of the
                                 # request lifecycle, such as DB or DNS queries,
                                 # plugin execution, core handler timing, etc.
#tracing_write_strategy = file   # Defines how Kong will write tracing data at
                                 # the conclusion of the request. The default
                                 # option, `file`, writes a human-readable
                                 # depiction of tracing data to a configurable
                                 # location on the node's file system. Other
                                 # strategies write tracing data as a JSON
                                 # document to the configured endpoint. Valid
                                 # entries for this option are `file`,
                                 # `file_raw`, `http`, `tcp`, `tls`, and `udp`.
#tracing_write_endpoint =        # Defines the endpoint to which tracing data
                                 # will be written.
                                 # - For the `file` and `file_raw` tracing write
                                 #   strategies, this value must be a valid
                                 #   location on the node's file system to which
                                 #   Kong must have write access.
                                 # - For the `tcp`, `tls`, and
                                 #   `udp` strategies, this value is defined as a
                                 #   string in the form of:
                                 #  `<HOST>:<PORT>`
                                 # - For the `http` strategy, this value is
                                 #   defined in the form of:
                                 #  `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
                                 # Traces sent via HTTP are delivered via POST
                                 # method with an `application/json`
                                 # Content-Type.
#tracing_time_threshold = 0      # The minimum time, in microseconds, over which
                                 # a trace must execute in order to write the
                                 # trace data to the configured endpoint. This
                                 # configuration can be used to lower the noise
                                 # present in trace data by removing trace
                                 # objects that are not interesting from a
                                 # timing perspective. The default value of `0`
                                 # removes this limitation, causing traces of
                                 # any duration to be written.
#tracing_types = all             # Defines the types of traces that are written.
                                 # Trace types not defined in this list are
                                 # ignored, regardless of their lifetime. The
                                 # default special value of `all` results in all
                                 # trace types being written, regardless of type.
                                 # The following trace types are included:
                                 # - `query`: trace the database query
                                 # - `legacy_query`: (deprecated) trace the
                                 #    database query with legacy DAO
                                 # - `router`: trace Kong routing the request;
                                 #    internal routing time
                                 # - `balancer`: trace the execution of the overall
                                 #    balancer phase
                                 # - `balancer.getPeer`: trace Kong selecting an
                                 #    upstream peer from the ring-balancer
                                 # - `balancer.toip`: trace balancer to resolve
                                 #    peer's host to IP
                                 # - `connect.toip`: trace cosocket to resolve
                                 #    target's host to IP
                                 # - `access.before`: trace the preprocessing of
                                 #    access phase, like parameter parsing, route
                                 #    matching, and balance preparation
                                 # - `access.after`: trace the postprocess of
                                 #    access phase, like balancer execution and
                                 #    internal variable assigning
                                 # - `cassandra_iterate`: trace Cassandra driver to
                                 #    paginate over results
                                 # - `plugin`: trace plugins phase handlers
#tracing_debug_header =          # Defines the name of the HTTP request header
                                 # that must be present in order to generate
                                 # traces within a request. Setting this value
                                 # provides a mechanism to selectively generate
                                 # request traces at the client's request. Note
                                 # that the value of the header does not matter,
                                 # only that the header is present in the
                                 # request. When this value is not set and
                                 # tracing is enabled, Kong will generate trace
                                 # data for all requests flowing through the
                                 # proxy and Admin API. Note that data from
                                 # certificate handling phases is not logged
                                 # when this setting is enabled.
#generate_trace_details = off    # When enabled, Kong will write context-
                                 # specific details into traces. Trace details
                                 # offer more data about the context of the
                                 # trace. This can significantly increase the
                                 # size of trace reports. Note also that trace
                                 # details may contain potentially sensitive
                                 # information, such as raw SQL queries; care
                                 # should be taken to store traces properly when
                                 # this option is enabled.
#-------------------------------------------------------------------------------
# ROUTE COLLISION DETECTION/PREVENTION
#-------------------------------------------------------------------------------
#route_validation_strategy = smart  # The strategy used to validate
                                    # routes when creating or updating them.
                                    # Different strategies are available to tune
                                    # how to enforce splitting traffic of
                                    # workspaces.
                                    # - `smart` is the default option and uses the
                                    #   algorithm described in
                                    #   https://docs.konghq.com/enterprise/latest/admin-api/workspaces/examples/#important-note-conflicting-services-or-routes-in-workspaces
                                    # - `off` disables any check
                                    # - `path` enforces routes to comply with the pattern
                                    #   described in config enforce_route_path_pattern
#enforce_route_path_pattern =   # Specifies the Lua pattern which will
                                # be enforced on the `paths` attribute of a
                                # Route object. You can also add a placeholder
                                # for the workspace in the pattern, which
                                # will be rendered during runtime based on the
                                # workspace to which the `route` belongs.
                                # This setting is only relevant if
                                # `route_validation_strategy` is set to `path`.
                                # Example
                                # For Pattern `/$(workspace)/v%d/.*` valid paths
                                # are:
                                # 1. `/group1/v1/` if route belongs to
                                #   workspace `group1`.
                                # 2. `/group2/v1/some_path` if route belongs to
                                #   workspace `group2`.
#-------------------------------------------------------------------------------
# DATABASE ENCRYPTION & KEYRING MANAGEMENT
#-------------------------------------------------------------------------------
# When enabled, Kong will transparently encrypt sensitive fields, such as Consumer
# credentials, TLS private keys, and RBAC user tokens, among others. A full list
# of encrypted fields is available from the Kong Enterprise documentation site.
# Encrypted data is transparently decrypted before being displayed to the Admin
# API or made available to plugins or core routing logic.
# While this feature is GA, do note that we currently do not provide normal semantic
# versioning compatibility guarantees on the keyring feature's APIs in that Kong may
# make a breaking change to the feature in a minor version. Also note that
# mis-management of keyring data may result in irrecoverable data loss.
#keyring_enabled = off           # When enabled, Kong will encrypt sensitive
                                 # field values before writing them to the
                                 # database, and subsequently decrypt them when
                                 # retrieving data for the Admin API, Developer
                                 # Portal, or proxy business logic. Symmetric
                                 # encryption keys are managed based on the
                                 # strategy defined below.
#keyring_strategy = cluster      # Defines the strategy implementation by which
                                 # Kong nodes will manage symmetric encryption
                                 # keys. Please see the Kong Enterprise
                                 # documentation for a detailed description of
                                 # each strategy. Acceptable values for this
                                 # option are 'cluster' and 'vault'.
#keyring_public_key =            # Defines the filesystem path at which the
                                 # public key of an RSA keypair resides. This
                                 # keypair is used for symmetric keyring import/
                                 # export, e.g., for disaster recovery and
                                 # optional bootstrapping.
#keyring_private_key =           # Defines the filesystem path at which the
                                 # private key of an RSA keypair resides. This
                                 # keypair is used for symmetric keyring import/
                                 # export, e.g., for disaster recovery and
                                 # optional bootstrapping.
#keyring_blob_path =             # Defines the filesystem path at which Kong
                                 # will backup the initial keyring material.
                                 # This option is useful largely for development
                                 # purposes.
#keyring_vault_host =            # Defines the Vault host at which Kong will
                                 # fetch the encryption material. This value
                                 # should be defined in the format:
                                 # `<scheme>://<IP / HOSTNAME>:<PORT>`
#keyring_vault_mount =           # Defines the name of the Vault v2 KV secrets
                                 # engine at which symmetric keys are found.
#keyring_vault_path =            # Defines the names of the Vault v2 KV path
                                 # at which symmetric keys are found.
#keyring_vault_token =           # Defines the token value used to communicate
                                 # with the v2 KV Vault HTTP(S) API.
#untrusted_lua = sandbox
                                 # Controls loading of Lua functions from admin-supplied
                                 # sources such as the Admin API. LuaJIT bytecode
                                 # loading is always disabled.
                                 # **Warning:** LuaJIT is not designed as a secure
                                 # runtime for running malicious code, therefore
                                 # you should properly protect your Admin API endpoint
                                 # even with sandboxing enabled. The sandbox only
                                 # provides protection against trivial attackers or
                                 # unintentional modification of the Kong global
                                 # environment.
                                 # Accepted values are: `off`, `sandbox`, or
                                 # `on`:
                                 # * `off`: Disallow loading of any arbitrary
                                 #          Lua functions. The `off` option
                                 #          disables any functionality that runs
                                 #          arbitrary Lua code, including the
                                 #          Serverless Functions plugins and any
                                 #          transformation plugin that allows
                                 #          custom Lua functions.
                                 # * `sandbox`: Allow loading of Lua functions,
                                 #              but use a sandbox when executing
                                 #              them. The sandboxed function has
                                 #              restricted access to the global
                                 #              environment and only has access
                                 #              to standard Lua functions that
                                 #              will generally not cause harm to
                                 #              the Kong Gateway node.
                                 # * `on`: Functions have unrestricted
                                 #         access to the global environment and
                                 #         can load any Lua modules. This is
                                 #         similar to the behavior in
                                 #         Kong Gateway prior to 2.3.0.
                                 # The default `sandbox` environment does not
                                 # allow importing other modules or libraries,
                                 # or executing anything at the OS level (for
                                 # example, file read/write). The global
                                 # environment is also not accessible.
                                 # Examples of `untrusted_lua = sandbox`
                                 # behavior:
                                 # * You can't access or change global values
                                 # such as `kong.configuration.pg_password`
                                 # * You can run harmless Lua:
                                 # `local foo = 1 + 1`. However, OS level
                                 # functions are not allowed, like:
                                 # `os.execute('rm -rf /*')`.
                                 # For a full allowed/disallowed list, see:
                                 # https://github.com/kikito/sandbox.lua/blob/master/sandbox.lua
                                 # To customize the sandbox environment, use
                                 # the `untrusted_lua_sandbox_requires` and
                                 # `untrusted_lua_sandbox_environment`
                                 # parameters below.
#untrusted_lua_sandbox_requires = # Comma-separated list of modules allowed to
                                  # be loaded with `require` inside the
                                  # sandboxed environment. Ignored
                                  # if `untrusted_lua` is not `sandbox`.
                                  # For example, say you have configured the
                                  # Serverless pre-function plugin and it
                                  # contains the following `requires`:
                                  # ```
                                  # local template = require "resty.template"
                                  # local split = require "kong.tools.utils".split
                                  # ```
                                  # To run the plugin, add the modules to the
                                  # allowed list:
                                  # ```
                                  # untrusted_lua_sandbox_requires = resty.template, kong.tools.utils
                                  # ```
                                  # **Warning:** Allowing certain modules may
                                  # create opportunities to escape the
                                  # sandbox. For example, allowing `os` or
                                  # `luaposix` may be unsafe.
#untrusted_lua_sandbox_environment = # Comma-separated list of global Lua
                                     # variables that should be made available
                                     # inside the sandboxed environment. Ignored
                                     # if `untrusted_lua` is not `sandbox`.
                                     # **Warning**: Certain variables, when made
                                     # available, may create opportunities to
                                     # escape the sandbox.
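
Added example (not part of the original kong.conf and not Kong's own tooling): a small Python audit of the security-relevant settings documented in the DATA & ADMIN AUDIT, GRANULAR TRACING, ROUTE COLLISION, KEYRING and `untrusted_lua` sections above, applying the `KONG_*` environment override rule from the file header. The severity labels, the choice of checks, the comment-stripping rule and the sample input are assumptions of this sketch.

```python
import re

# Defaults as shown by the commented-out settings in the sections above.
DEFAULTS = {
    "audit_log": "off",
    "audit_log_signing_key": "",
    "audit_log_payload_exclude": "token, secret, password",
    "tracing": "off",
    "generate_trace_details": "off",
    "route_validation_strategy": "smart",
    "keyring_enabled": "off",
    "untrusted_lua": "sandbox",
    "untrusted_lua_sandbox_requires": "",
}
# Modules the untrusted_lua_sandbox_requires warning names as possibly unsafe.
RISKY_MODULES = {"os", "luaposix"}

def parse_kong_conf(text):
    """Return only the settings that are uncommented in a kong.conf text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Simplification (assumption): a trailing comment starts at an unescaped '#'.
        value = re.sub(r"(?<!\\)#.*$", "", value).replace("\\#", "#")
        settings[key.strip()] = value.strip()
    return settings

def effective_config(conf_text, environ):
    """Layer defaults < file < KONG_* environment variables."""
    cfg = dict(DEFAULTS)
    cfg.update({k: v for k, v in parse_kong_conf(conf_text).items() if k in DEFAULTS})
    for key in DEFAULTS:
        env_name = "KONG_" + key.upper()
        if env_name in environ:
            cfg[key] = environ[env_name].strip()
    return cfg

def is_on(value):
    """Booleans may be written as on/off or true/false."""
    return value.strip().lower() in ("on", "true")

def split_list(value):
    """Lists are comma-separated strings."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(cfg):
    """Return (severity, key, message) findings for an effective configuration."""
    findings = []
    lua = cfg["untrusted_lua"].lower()
    if lua == "on":
        findings.append(("high", "untrusted_lua",
                         "admin-supplied Lua has unrestricted access to the global environment"))
    elif lua == "sandbox":
        # The requires list is ignored unless untrusted_lua is `sandbox`.
        risky = sorted(RISKY_MODULES & set(split_list(cfg["untrusted_lua_sandbox_requires"])))
        if risky:
            findings.append(("high", "untrusted_lua_sandbox_requires",
                             "modules that may allow a sandbox escape: " + ", ".join(risky)))
    if not is_on(cfg["audit_log"]):
        findings.append(("medium", "audit_log", "Admin API and database changes are not audited"))
    else:
        if not cfg["audit_log_signing_key"]:
            findings.append(("medium", "audit_log_signing_key", "audit records are not signed"))
        excluded = {k.lower() for k in split_list(cfg["audit_log_payload_exclude"])}
        missing = sorted(set(split_list(DEFAULTS["audit_log_payload_exclude"])) - excluded)
        if missing:
            findings.append(("medium", "audit_log_payload_exclude",
                             "default-filtered keys now logged in payloads: " + ", ".join(missing)))
    if is_on(cfg["tracing"]) and is_on(cfg["generate_trace_details"]):
        findings.append(("medium", "generate_trace_details",
                         "traces may contain sensitive data such as raw SQL queries"))
    if cfg["route_validation_strategy"].lower() == "off":
        findings.append(("medium", "route_validation_strategy", "route checks are disabled"))
    if not is_on(cfg["keyring_enabled"]):
        findings.append(("medium", "keyring_enabled",
                         "sensitive fields are written to the database without keyring encryption"))
    return findings

# Constructed sample input (not taken from a real deployment).
SAMPLE_CONF = """\
audit_log = on                  # inline comments are stripped
audit_log_payload_exclude = token, secret
untrusted_lua_sandbox_requires = resty.template, os
tracing = on
generate_trace_details = on
route_validation_strategy = off
#keyring_enabled = on
"""
SAMPLE_ENV = {"KONG_UNTRUSTED_LUA": "on"}  # overrides the file and the default

if __name__ == "__main__":
    for severity, key, message in audit(effective_config(SAMPLE_CONF, SAMPLE_ENV)):
        print(f"[{severity:6}] {key}: {message}")
```

Run it against the output of `kong check`-validated files only; it reads settings, it does not validate syntax.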

The following is the Google Translate version.

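# -----------------------
# Kong configuration file
# -----------------------
# The commented-out settings shown in this file represent the default values.
# This file is read when `kong start` or `kong prepare` are used. Kong
# generates the Nginx configuration with the settings specified in this file.
# All environment variables prefixed with `KONG_` and capitalized will override
# the settings specified in this file.
# Example:
#   `log_level` setting -> `KONG_LOG_LEVEL` env variable
# Boolean values can be specified as `on`/`off` or `true`/`false`.
# Lists must be specified as comma-separated strings.
# All comments in this file can be removed safely, including the
# commented-out properties.
# You can verify the integrity of your settings with `kong check <conf>`.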
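#------------------------------------------------------------------------------
# GENERAL
#------------------------------------------------------------------------------
#prefix = /usr/local/kong/       # Working directory. Equivalent to Nginx's
                                 # prefix path, containing temporary files
                                 # and logs.
                                 # Each Kong process must have a separate
                                 # working directory.
#log_level = notice              # Log level of the Nginx server. Logs are
                                 # found at `<prefix>/logs/error.log`.
# See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list
# of accepted values.
#proxy_access_log = logs/access.log       # Path for proxy port request access
                                          # logs. Set this value to `off` to
                                          # disable logging proxy requests.
                                          # If this value is a relative path,
                                          # it will be placed under the
                                          # `prefix` location.
#proxy_error_log = logs/error.log         # Path for proxy port request error
                                          # logs. The granularity of these logs
                                          # is adjusted by the `log_level`
                                          # property.
#proxy_stream_access_log = logs/access.log basic # Path for TCP stream proxy port access
                                                 # logs. Set this value to `off` to
                                                 # disable logging proxy requests.
                                                 # If this value is a relative path,
                                                 # it will be placed under the
                                                 # `prefix` location.
                                                 # `basic` is defined as `'$remote_addr [$time_local] '
                                                 # '$protocol $status $bytes_sent $bytes_received '
                                                 # '$session_time'`
#proxy_stream_error_log = logs/error.log         # Path for TCP stream proxy port request error
                                                 # logs. The granularity of these logs
                                                 # is adjusted by the `log_level`
                                                 # property.
#admin_access_log = logs/admin_access.log # Path for Admin API request access
                                          # logs. If Hybrid Mode is enabled
                                          # and the current node is set to be
                                          # the Control Plane, then the
                                          # connection requests from Data Planes
                                          # are also written to this file with
                                          # server name "kong_cluster_listener".
                                          # Set this value to `off` to
                                          # disable logging Admin API requests.
                                          # If this value is a relative path,
                                          # it will be placed under the
                                          # `prefix` location.
#admin_error_log = logs/error.log         # Path for Admin API request error
                                          # logs. The granularity of these logs
                                          # is adjusted by the `log_level`
                                          # property.
#status_access_log = off                  # Path for Status API request access
                                          # logs. The default value of `off`
                                          # implies that logging for this API
                                          # is disabled by default.
                                          # If this value is a relative path,
                                          # it will be placed under the
                                          # `prefix` location.
#status_error_log = logs/status_error.log # Path for Status API request error
                                          # logs. The granularity of these logs
                                          # is adjusted by the `log_level`
                                          # property.
#vaults = bundled                # Comma-separated list of vaults this node
                                 # should load. By default, all the bundled
                                 # vaults are enabled.
                                 # The specified name(s) will be substituted as
                                 # such in the Lua namespace:
                                 # `kong.vaults.{name}.*`.
#plugins = bundled               # Comma-separated list of plugins this node
                                 # should load. By default, only plugins
                                 # bundled in official distributions are
                                 # loaded via the `bundled` keyword.
                                 # Loading a plugin does not enable it by
                                 # default, but only instructs Kong to load its
                                 # source code, and allows configuring the
                                 # plugin via the various related Admin API
                                 # endpoints.
                                 # The specified name(s) will be substituted as
                                 # such in the Lua namespace:
                                 # `kong.plugins.{name}.*`.
                                 # When the `off` keyword is specified as the
                                 # only value, no plugins will be loaded.
                                 # `bundled` and plugin names can be mixed
                                 # together, as the following examples suggest:
                                 # - `plugins = bundled,custom-auth,custom-log`
                                 #   will include the bundled plugins plus two
                                 #   custom ones
                                 # - `plugins = custom-auth,custom-log` will
                                 #   *only* include the `custom-auth` and
                                 #   `custom-log` plugins.
                                 # - `plugins = off` will not include any
                                 #   plugins
                                 # **Note:** Kong will not start if some
                                 # plugins were previously configured (i.e.
                                 # have rows in the database) and are not
                                 # specified in this list. Before disabling a
                                 # plugin, ensure all instances of it are
                                 # removed before restarting Kong.
                                 # **Note:** Limiting the amount of available
                                 # plugins can improve P99 latency when
                                 # experiencing LRU churning in the database
                                 # cache (i.e. when the configured
                                 # `mem_cache_size`) is full.
#pluginserver_names =            # Comma-separated list of names for pluginserver
                                 # processes. The actual names are used for
                                 # log messages and to relate the actual settings.
#pluginserver_XXX_socket = <prefix>/<XXX>.socket            # Path to the unix socket
                                                            # used by the <XXX> pluginserver.
#pluginserver_XXX_start_cmd = /usr/local/bin/<XXX>          # Full command (including
                                                            # any needed arguments) to
                                                            # start the <XXX> pluginserver
#pluginserver_XXX_query_cmd = /usr/local/bin/query_<XXX>    # Full command to "query" the
                                                            # <XXX> pluginserver. Should
                                                            # produce a JSON with the
                                                            # dump info of all plugins
#port_maps =                     # With this configuration parameter, you can
                                 # let Kong know about the port from
                                 # which the packets are forwarded to it. This
                                 # is fairly common when running Kong in a
                                 # containerized or virtualized environment.
                                 # For example, `port_maps=80:8000, 443:8443`
                                 # instructs Kong that the port 80 is mapped
                                 # to 8000 (and the port 443 to 8443), where
                                 # 8000 and 8443 are the ports that Kong is
                                 # listening on.
                                 # This parameter helps Kong set a proper
                                 # forwarded upstream HTTP request header or
                                 # get the proper forwarded port with the Kong PDK
                                 # (in case other means of determining it have
                                 # failed). It changes routing by a destination
                                 # port to route by a port from which packets
                                 # are forwarded to Kong, and similarly it
                                 # changes the default plugin log serializer to
                                 # use the port according to this mapping
                                 # instead of reporting the port Kong is
                                 # listening on.
#anonymous_reports = on          # Send anonymous usage data such as error
                                 # stack traces to help improve Kong.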
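#------------------------------------------------------------------------------
# HYBRID MODE
#------------------------------------------------------------------------------
#role = traditional              # Use this setting to enable Hybrid Mode.
                                 # This allows running some Kong nodes in a
                                 # control plane role with a database and
                                 # have them deliver configuration updates
                                 # to other nodes running DB-less in a
                                 # data plane role.
                                 # Valid values for this setting are:
                                 # - `traditional`: do not use Hybrid Mode.
                                 # - `control_plane`: this node runs in a
                                 #   control plane role. It can use a database
                                 #   and will deliver configuration updates
                                 #   to data plane nodes.
                                 # - `data_plane`: this is a data plane node.
                                 #   It runs DB-less and receives configuration
                                 #   updates from a control plane node.
#cluster_mtls = shared           # Sets the verification between nodes.
                                 # Valid values for this setting are:
                                 # - `shared`: use a shared certificate/key
                                 #   pair specified with the `cluster_cert`
                                 #   and `cluster_cert_key` settings.
                                 #   Note that CP and DP nodes have to present
                                 #   the same certificate to establish mTLS
                                 #   connections.
                                 # - `pki`: use `cluster_ca_cert`,
                                 #   `cluster_server_name` and `cluster_cert`
                                 #   for verification.
                                 #   These are different certificates for each
                                 #   DP node, but issued by a cluster-wide
                                 #   common CA certificate: `cluster_ca_cert`.
                                 # - `pki_check_cn`: similar to `pki` but additionally
                                 #   checks the Common Name of the data plane certificate
                                 #   against those specified in `cluster_allowed_common_names`.
#cluster_cert =                  # Filename of the cluster certificate to use
                                 # when establishing secure communication
                                 # between control and data plane nodes.
                                 # You can use the `kong hybrid` command to
                                 # generate the certificate/key pair.
                                 # Under `shared` mode, it must be the same for
                                 # all nodes. Under `pki` mode it
                                 # should be a different certificate for each
                                 # DP node.
#cluster_cert_key =              # Filename of the cluster certificate key to
                                 # use when establishing secure communication
                                 # between control and data plane nodes.
                                 # You can use the `kong hybrid` command to
                                 # generate the certificate/key pair.
                                 # Under `shared` mode, it must be the same for
                                 # all nodes. Under `pki` mode it
                                 # should be a different certificate for each
                                 # DP node.
#cluster_ca_cert =               # The trusted CA certificate file in PEM
                                 # format to use for Control Plane to verify
                                 # Data Plane's certificate and Data Plane
                                 # to verify Control Plane's certificate.
                                 # Required on data plane if `cluster_mtls`
                                 # is set to `pki`.
                                 # If the Control Plane certificate is issued
                                 # by a well-known CA, the user can set
                                 # `lua_ssl_trusted_certificate=system`
                                 # on Data Plane and leave this field empty.
                                 # This field is ignored if `cluster_mtls` is
                                 # set to `shared`.
#cluster_allowed_common_names =  # The list of Common Names that are allowed to
                                 # connect to the control plane. Multiple entries may
                                 # be supplied in a comma-separated string. When not
                                 # set, a Data Plane with the same parent domain as the
                                 # Control Plane cert is allowed to connect.
                                 # This field is ignored if `cluster_mtls` is
                                 # not set to `pki_check_cn`.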
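#------------------------------------------------------------------------------
# HYBRID MODE DATA PLANE
#------------------------------------------------------------------------------
#cluster_server_name =           # The server name used in the SNI of the TLS
                                 # connection from a DP node to a CP node.
                                 # Must match the Common Name (CN) or Subject
                                 # Alternative Name (SAN) found in the CP
                                 # certificate.
                                 # If `cluster_mtls` is set to
                                 # `shared`, this setting is ignored and
                                 # `kong_clustering` is used.
#cluster_control_plane =         # To be used by data plane nodes only:
                                 # address of the control plane node from
                                 # which configuration updates will be fetched,
                                 # in `host:port` format.
#cluster_telemetry_endpoint =    # To be used by data plane nodes only:
                                 # telemetry address of the control plane node
                                 # to which telemetry updates will be posted,
                                 # in `host:port` format.
#data_plane_config_cache_mode = unencrypted
                                 # Data planes can store their config to the file system
                                 # as a backup in case the node is restarted or reloaded,
                                 # to bring the node to a configured state faster or in
                                 # case there are issues connecting to the control plane.
                                 # This parameter can be used to control the behavior.
                                 # To be used by data plane nodes only:
                                 # `unencrypted` = stores config cache unencrypted
                                 # `encrypted` = stores config cache encrypted
                                 # `off` = does not store the config cache
#data_plane_config_cache_path =  # The unencrypted config cache is stored by default
                                 # to Kong `prefix` with the filename `config.cache.json.gz`.
                                 # The encrypted config cache is stored by default
                                 # to Kong `prefix` with the filename `.config.cache.jwt`.
                                 # Alternatively you can specify the path for the config cache
                                 # with this parameter, e.g. `/tmp/kong-config-cache`.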
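#------------------------------------------------------------------------------
# HYBRID MODE CONTROL PLANE
#------------------------------------------------------------------------------
#cluster_listen = 0.0.0.0:8005
                         # Comma-separated list of addresses and ports on
                         # which the cluster control plane server should listen
                         # for data plane connections.
                         # The cluster communication port of the control plane
                         # must be accessible by all the data planes
                         # within the same cluster. This port is mTLS protected
                         # to ensure end-to-end security and integrity.
                         # This setting has no effect if `role` is not set to
                         # `control_plane`.
                         # Connections made to this endpoint are logged
                         # to the same location as Admin API access logs.
                         # See the `admin_access_log` config description for more
                         # information.
#cluster_telemetry_listen = 0.0.0.0:8006
                         # Comma-separated list of addresses and ports on
                         # which the cluster control plane server should listen
                         # for data plane telemetry connections.
                         # The cluster communication port of the control plane
                         # must be accessible by all the data planes
                         # within the same cluster.
                         # This setting has no effect if `role` is not set to
                         # `control_plane`.
#cluster_data_plane_purge_delay = 1209600
                         # How many seconds must pass from the time a DP node
                         # becomes offline to the time its entry gets removed
                         # from the database, as returned by the
                         # /clustering/data-planes Admin API endpoint.
                         # This is to prevent the cluster data plane table
                         # from growing indefinitely. The default is set to
                         # 14 days. That is, if the CP has not heard from a DP for
                         # 14 days, its entry will be removed.
#cluster_ocsp = off
                         # Whether to check the revocation status of DP
                         # certificates using OCSP (Online Certificate Status Protocol).
                         # If enabled, the DP certificate should contain the
                         # "Certificate Authority Information Access" extension
                         # and the OCSP method, with the URI of an OCSP responder
                         # that can be reached from the CP.
                         # OCSP checks are only performed on CP nodes; this has no
                         # effect on DP nodes.
                         # Valid values for this setting are:
                         # - `on`: OCSP revocation check is enabled and the DP
                         #   must pass the check in order to establish a
                         #   connection with the CP.
                         # - `off`: OCSP revocation check is disabled.
                         # - `optional`: OCSP revocation check will be attempted,
                         #   however, if the required extension is not
                         #   found inside the DP-provided certificate
                         #   or communication with the OCSP responder
                         #   fails, then the DP is still allowed through.
#cluster_max_payload = 4194304
                         # This sets the maximum payload size allowed
                         # to be sent from CP to DP in Hybrid mode.
                         # Default is 4Mb - 4 * 1024 * 1024 due to historical reasons.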
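#------------------------------------------------------------------------------
# NGINX
#------------------------------------------------------------------------------
#proxy_listen = 0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384
                         # Comma-separated list of addresses and ports on
                         # which the proxy server should listen for
                         # HTTP/HTTPS traffic.
                         # The proxy server is the public entry point of Kong,
                         # which proxies traffic from your consumers to your
                         # backend services. This value accepts IPv4, IPv6, and
                         # hostnames.
                         # Some suffixes can be specified for each pair:
                         # - `ssl` will require that all connections made
                         #   through a particular address/port be made with TLS
                         #   enabled.
                         # - `http2` will allow clients to open HTTP/2
                         #   connections to Kong's proxy server.
                         # - `proxy_protocol` will enable usage of the
                         #   PROXY protocol for a given address/port.
                         # - `deferred` instructs to use a deferred accept on
                         #   Linux (the TCP_DEFER_ACCEPT socket option).
                         # - `bind` instructs to make a separate bind() call
                         #   for a given address:port pair.
                         # - `reuseport` instructs to create an individual
                         #   listening socket for each worker process,
                         #   allowing the kernel to better distribute incoming
                         #   connections between worker processes.
                         # - `backlog=N` sets the maximum length for the queue
                         #   of pending TCP connections. This number should
                         #   not be too small, in order to prevent clients
                         #   seeing "Connection refused" errors when connecting to
                         #   a busy Kong instance.
                         #   **Note:** on Linux, this value is limited by the
                         #   setting of the `net.core.somaxconn` kernel parameter.
                         #   In order for the larger `backlog` set here to take
                         #   effect it is necessary to raise
                         #   `net.core.somaxconn` at the same time to match or
                         #   exceed the `backlog` number set.
                         # This value can be set to `off`, thus disabling
                         # the HTTP/HTTPS proxy port for this node.
                         # If stream_listen is also set to `off`, this enables
                         # 'control-plane' mode for this node
                         # (in which all traffic proxying capabilities are
                         # disabled). This node can then be used only to
                         # configure a cluster of Kong
                         # nodes connected to the same datastore.
                         # Example:
                         # `proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl`
                         # See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
                         # for a description of the accepted formats for this
                         # and other `*_listen` values.
                         # See https://www.nginx.com/resources/admin-guide/proxy-protocol/
                         # for more details about the `proxy_protocol`
                         # parameter.
                         # Not all `*_listen` values accept all formats
                         # specified in nginx's documentation.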
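#proxy_url =            # Kong Proxy URL
                        # The lookup, or balancer, address for your Kong Proxy nodes.
                        # This value is commonly used in a microservices
                        # or service-mesh oriented architecture.
                        # Accepted format (parts in parentheses are optional):
                        # `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
                        # Examples:
                        # - `<scheme>://<IP>:<PORT>` -> `proxy_url = http://127.0.0.1:8000`
                        # - `SSL <scheme>://<HOSTNAME>` -> `proxy_url = https://proxy.domain.tld`
                        # - `<scheme>://<HOSTNAME>/<PATH>` -> `proxy_url = http://dev-machine/dev-285`
                        # By default, Kong Manager and Kong Portal will use
                        # the window request host and append the resolved
                        # listener port depending on the requested protocol.
#stream_listen = off
                         # Comma-separated list of addresses and ports on
                         # which the stream mode should listen.
                         # This value accepts IPv4, IPv6, and hostnames.
                         # Some suffixes can be specified for each pair:
                         # - `ssl` will require that all connections made
                         #   through a particular address/port be made with TLS
                         #   enabled.
                         # - `proxy_protocol` will enable usage of the
                         #   PROXY protocol for a given address/port.
                         # - `bind` instructs to make a separate bind() call
                         #   for a given address:port pair.
                         # - `reuseport` instructs to create an individual
                         #   listening socket for each worker process,
                         #   allowing the kernel to better distribute incoming
                         #   connections between worker processes.
                         # - `backlog=N` sets the maximum length for the queue
                         #   of pending TCP connections. This number should
                         #   not be too small, in order to prevent clients
                         #   seeing "Connection refused" errors when connecting to
                         #   a busy Kong instance.
                         #   **Note:** on Linux, this value is limited by the
                         #   setting of the `net.core.somaxconn` kernel parameter.
                         #   In order for the larger `backlog` set here to take
                         #   effect it is necessary to raise
                         #   `net.core.somaxconn` at the same time to match or
                         #   exceed the `backlog` number set.
                         # Examples:
                         # stream_listen = 127.0.0.1:7000 reuseport backlog=16384
                         # stream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20
                         # stream_listen = [::1]:1234 backlog=16384
                         # By default this value is set to `off`, thus
                         # disabling the stream proxy port for this node.
# See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen
# for a description of the formats that Kong might accept in stream_listen.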
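#admin_api_uri =         # Hierarchical part of a URI which is composed
                         # optionally of a host, port, and path at which the
                         # Admin API accepts HTTP or HTTPS traffic. When
                         # this config is disabled, Kong Manager will
                         # use the window protocol + host and append the
                         # resolved admin_listen HTTP/HTTPS port.
#admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384
                         # Comma-separated list of addresses and ports on
                         # which the Admin interface should listen.
                         # The Admin interface is the API allowing you to
                         # configure and manage Kong.
                         # Access to this interface should be *restricted*
                         # to Kong administrators *only*. This value accepts
                         # IPv4, IPv6, and hostnames.
                         # Some suffixes can be specified for each pair:
                         # - `ssl` will require that all connections made
                         #   through a particular address/port be made with TLS
                         #   enabled.
                         # - `http2` will allow clients to open HTTP/2
                         #   connections to Kong's proxy server.
                         # - `proxy_protocol` will enable usage of the
                         #   PROXY protocol for a given address/port.
                         # - `deferred` instructs to use a deferred accept on
                         #   Linux (the TCP_DEFER_ACCEPT socket option).
                         # - `bind` instructs to make a separate bind() call
                         #   for a given address:port pair.
                         # - `reuseport` instructs to create an individual
                         #   listening socket for each worker process,
                         #   allowing the kernel to better distribute incoming
                         #   connections between worker processes.
                         # - `backlog=N` sets the maximum length for the queue
                         #   of pending TCP connections. This number should
                         #   not be too small, in order to prevent clients
                         #   seeing "Connection refused" errors when connecting to
                         #   a busy Kong instance.
                         #   **Note:** on Linux, this value is limited by the
                         #   setting of the `net.core.somaxconn` kernel parameter.
                         #   In order for the larger `backlog` set here to take
                         #   effect it is necessary to raise
                         #   `net.core.somaxconn` at the same time to match or
                         #   exceed the `backlog` number set.
                         # This value can be set to `off`, thus disabling
                         # the Admin interface for this node, enabling a
                         # 'data-plane' mode (without configuration
                         # capabilities) pulling its configuration changes
                         # from the database.
                         # Example: `admin_listen = 127.0.0.1:8444 http2 ssl`
#status_listen = off     # Comma-separated list of addresses and ports on
                         # which the Status API should listen.
                         # The Status API is a read-only endpoint
                         # allowing monitoring tools to retrieve metrics,
                         # healthiness, and other non-sensitive information
                         # of the current Kong node.
                         # The following suffix can be specified for each pair:
                         # - `ssl` will require that all connections made
                         #   through a particular address/port be made with TLS
                         #   enabled.
                         # This value can be set to `off`, disabling
                         # the Status API for this node.
                         # Example: `status_listen = 0.0.0.0:8100`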
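#nginx_user = kong kong          # Defines user and group credentials used by
                                 # worker processes. If group is omitted, a
                                 # group whose name equals that of user is
                                 # used.
                                 # Example: `nginx_user = nginx www`
                                 # **Note**: If the `kong` user and the `kong`
                                 # group are not available, the default user
                                 # and group credentials will be
                                 # `nobody nobody`.
#nginx_worker_processes = auto   # Determines the number of worker processes
                                 # spawned by Nginx.
                                 # See http://nginx.org/en/docs/ngx_core_module.html#worker_processes
                                 # for detailed usage of the equivalent Nginx
                                 # directive and a description of accepted values.
#nginx_daemon = on               # Determines whether Nginx will run as a daemon
                                 # or as a foreground process. Mainly useful
                                 # for development or when running Kong inside
                                 # a Docker environment.
                                 # See http://nginx.org/en/docs/ngx_core_module.html#daemon.
#mem_cache_size = 128m           # Size of each of the two in-memory caches
                                 # for database entities. The accepted units are
                                 # `k` and `m`, with a minimum recommended value of
                                 # a few MBs.
                                 # **Note**: As this option controls the size of two
                                 # different cache entries, the total memory Kong
                                 # uses to cache entities might be double this value.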
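#ssl_cipher_suite = intermediate # Defines the TLS ciphers served by Nginx.
                                 # Accepted values are `modern`,
                                 # `intermediate`, `old`, `fips` or `custom`.
                                 # See https://wiki.mozilla.org/Security/Server_Side_TLS
                                 # for detailed descriptions of each cipher
                                 # suite. `fips` cipher suites are as described in
                                 # https://wiki.openssl.org/index.php/FIPS_mode_and_TLS.
#ssl_ciphers =                   # Defines a custom list of TLS ciphers to be
                                 # served by Nginx. This list must conform to
                                 # the pattern defined by `openssl ciphers`.
                                 # This value is ignored if `ssl_cipher_suite`
                                 # is not `custom`.
#ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
                                 # Enables the specified protocols for
                                 # client-side connections. The set of
                                 # supported protocol versions also depends
                                 # on the version of OpenSSL Kong was built
                                 # with. This value is ignored if
                                 # `ssl_cipher_suite` is not `custom`.
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
#ssl_prefer_server_ciphers = on  # Specifies that server ciphers should be
                                 # preferred over client ciphers when using
                                 # the SSLv3 and TLS protocols. This value is
                                 # ignored if `ssl_cipher_suite` is not `custom`.
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
#ssl_dhparam =                   # Defines DH parameters for DHE ciphers from the
                                 # predefined groups: `ffdhe2048`, `ffdhe3072`,
                                 # `ffdhe4096`, `ffdhe6144`, `ffdhe8192`, or
                                 # from the absolute path to a parameters file.
                                 # This value is ignored if `ssl_cipher_suite`
                                 # is `modern` or `intermediate`. The reason is that
                                 # `modern` has no ciphers that need this,
                                 # and `intermediate` uses `ffdhe2048`.
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#ssl_session_tickets = on        # Enables or disables session resumption through
                                 # TLS session tickets. This has no impact when
                                 # used with TLSv1.3.
                                 # Kong enables this by default for performance
                                 # reasons, but it has security implications:
                                 # https://github.com/mozilla/server-side-tls/issues/135
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#ssl_session_timeout = 1d        # Specifies a time during which a client may
                                 # reuse the session parameters. See the rationale:
                                 # https://github.com/mozilla/server-side-tls/issues/198
                                 # See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
#ssl_cert =                      # Comma-separated list of absolute paths to the certificates for
                                 # `proxy_listen` values with TLS enabled.
                                 # If more than one certificate is specified, this can be used to provide
                                 # alternate types of certificate (for example, an ECC certificate) that will be served
                                 # to clients that support them. Note that to properly serve ECC certificates,
                                 # it is recommended to also set `ssl_cipher_suite` to
                                 # `modern` or `intermediate`.
                                 # Unless this option is explicitly set, Kong will auto-generate
                                 # a pair of default certificates (RSA + ECC) the first time it starts up and use
                                 # it for serving TLS requests.
#ssl_cert_key =                  # Comma-separated list of absolute paths to the keys for
                                 # `proxy_listen` values with TLS enabled.
                                 # If more than one certificate was specified for `ssl_cert`, then this
                                 # option should contain the corresponding key for all certificates,
                                 # provided in the same order.
                                 # Unless this option is explicitly set, Kong will auto-generate
                                 # a pair of default private keys (RSA + ECC) the first time it starts up and use
                                 # it for serving TLS requests.
#client_ssl = off                # Determines if Nginx should attempt to send client-side
                                 # TLS certificates and perform Mutual TLS Authentication
                                 # with the upstream service when proxying requests.
#client_ssl_cert =               # If `client_ssl` is enabled, the absolute path to the
                                 # client certificate for the `proxy_ssl_certificate` directive.
                                 # This value can be overwritten dynamically with the `client_certificate`
                                 # attribute of the `Service` object.
#client_ssl_cert_key =           # If `client_ssl` is enabled, the absolute path to the
                                 # client TLS key for the `proxy_ssl_certificate_key` directive.
                                 # This value can be overwritten dynamically with the `client_certificate`
                                 # attribute of the `Service` object.
#admin_ssl_cert =                # Comma-separated list of absolute paths to the certificates for
                                 # `admin_listen` values with TLS enabled.
                                 # See the docs for `ssl_cert` for detailed usage.
#admin_ssl_cert_key =            # Comma-separated list of absolute paths to the keys for
                                 # `admin_listen` values with TLS enabled.
                                 # See the docs for `ssl_cert_key` for detailed usage.
#status_ssl_cert =               # Comma-separated list of absolute paths to the certificates for
                                 # `status_listen` values with TLS enabled.
                                 # See the docs for `ssl_cert` for detailed usage.
#status_ssl_cert_key =           # Comma-separated list of absolute paths to the keys for
                                 # `status_listen` values with TLS enabled.
                                 # See the docs for `ssl_cert_key` for detailed usage.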
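#headers = server_tokens,latency_tokens
                                 # Comma-separated list of headers Kong should
                                 # inject in client responses.
                                 # Accepted values are:
                                 # - `Server`: Injects `Server: kong/x.y.z`
                                 #   on Kong-produced responses (e.g. Admin
                                 #   API, rejected requests from an auth plugin).
                                 # - `Via`: Injects `Via: kong/x.y.z` for
                                 #   successfully proxied requests.
                                 # - `X-Kong-Proxy-Latency`: Time taken
                                 #   (in milliseconds) by Kong to process
                                 #   a request and run all plugins before
                                 #   proxying the request upstream.
                                 # - `X-Kong-Response-Latency`: Time taken
                                 #   (in milliseconds) by Kong to produce
                                 #   a response in case of, e.g., a plugin
                                 #   short-circuiting the request, or in
                                 #   case of an error.
                                 # - `X-Kong-Upstream-Latency`: Time taken
                                 #   (in milliseconds) by the upstream
                                 #   service to send response headers.
                                 # - `X-Kong-Admin-Latency`: Time taken
                                 #   (in milliseconds) by Kong to process
                                 #   an Admin API request.
                                 # - `X-Kong-Upstream-Status`: The HTTP status
                                 #   code returned by the upstream service.
                                 #   This is particularly useful for clients to
                                 #   distinguish upstream statuses if the
                                 #   response is rewritten by a plugin.
                                 # - `server_tokens`: Same as specifying both
                                 #   `Server` and `Via`.
                                 # - `latency_tokens`: Same as specifying
                                 #   `X-Kong-Proxy-Latency`,
                                 #   `X-Kong-Response-Latency`,
                                 #   `X-Kong-Admin-Latency` and
                                 #   `X-Kong-Upstream-Latency`
                                 # In addition to those, this value can be set
                                 # to `off`, which prevents Kong from injecting
                                 # any of the above headers. Note that this
                                 # does not prevent plugins from injecting
                                 # headers of their own.
                                 # Example: `headers = via,latency_tokens`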
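#trusted_ips =                   # Defines trusted IP address blocks that are
                                 # known to send correct `X-Forwarded-*`
                                 # headers.
                                 # Requests from trusted IPs make Kong forward
                                 # their `X-Forwarded-*` headers upstream.
                                 # Non-trusted requests make Kong insert its
                                 # own `X-Forwarded-*` headers.
                                 # This property also sets the
                                 # `set_real_ip_from` directive(s) in the Nginx
                                 # configuration. It accepts the same type of
                                 # values (CIDR blocks) but as a
                                 # comma-separated list.
                                 # To trust *all* /!\ IPs, set this value to
                                 # `0.0.0.0/0,::/0`.
                                 # If the special value `unix:` is specified,
                                 # all UNIX-domain sockets will be trusted.
                                 # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
                                 # for examples of accepted values.
#real_ip_header = X-Real-IP      # Defines the request header field whose value
                                 # will be used to replace the client address.
                                 # This value sets the `ngx_http_realip_module`
                                 # directive of the same name in the Nginx
                                 # configuration.
                                 # If this value receives `proxy_protocol`:
                                 # - at least one of the `proxy_listen` entries
                                 #   must have the `proxy_protocol` flag
                                 #   enabled.
                                 # - the `proxy_protocol` parameter will be
                                 #   appended to the `listen` directive of the
                                 #   Nginx template.
                                 # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
                                 # for a description of this directive.
#real_ip_recursive = off         # This value sets the `ngx_http_realip_module`
                                 # directive of the same name in the Nginx
                                 # configuration.
                                 # See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
                                 # for a description of this directive.
#error_default_type = text/plain  # Default MIME type to use when the request
                                  # `Accept` header is missing and Nginx
                                  # is returning an error for the request.
                                  # Accepted values are `text/plain`,
                                  # `text/html`, `application/json`, and
                                  # `application/xml`.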
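#upstream_keepalive_pool_size = 60  # Sets the default size of the upstream
                                    # keepalive connection pools.
                                    # Upstream keepalive connection pools
                                    # are segmented by the `dst ip/dst
                                    # port/SNI` attributes of a connection.
                                    # A value of `0` will disable upstream
                                    # keepalive connections by default, forcing
                                    # each upstream request to open a new
                                    # connection.
#upstream_keepalive_max_requests = 100  # Sets the default maximum number of
                                        # requests that can be proxied upstream
                                        # through one keepalive connection.
                                        # After the maximum number of requests
                                        # is reached, the connection will be
                                        # closed.
                                        # A value of `0` will disable this
                                        # behavior, and a keepalive connection
                                        # can be used to proxy an indefinite
                                        # number of requests.
#upstream_keepalive_idle_timeout = 60   # Sets the default timeout (in seconds)
                                        # for which an upstream keepalive
                                        # connection should be kept open. When
                                        # the timeout is reached while the
                                        # connection has not been reused, it
                                        # will be closed.
                                        # A value of `0` will disable this
                                        # behavior, and an idle keepalive
                                        # connection may be kept open
                                        # indefinitely.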
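The exposure-related settings documented above (`admin_listen`, `trusted_ips`, `ssl_protocols`, `cluster_ocsp`, `data_plane_config_cache_mode`) can be checked mechanically before a node is started. The following audit script is an added example, not part of Kong or of the original page. Its function names are hypothetical, its parser is a simplified reading of the `key = value # comment` layout, and the `role` default `traditional` and value `data_plane` are assumed from Kong's documentation rather than taken from this section.

```python
import ipaddress

# Defaults of the audited settings. `role = traditional` is assumed from Kong's
# documentation; the other defaults are the ones shown in kong.conf.default.
DEFAULTS = {
    "role": "traditional",
    "admin_listen": "127.0.0.1:8001 reuseport backlog=16384, "
                    "127.0.0.1:8444 http2 ssl reuseport backlog=16384",
    "trusted_ips": "",
    "ssl_cipher_suite": "intermediate",
    "ssl_protocols": "TLSv1.1 TLSv1.2 TLSv1.3",
    "cluster_ocsp": "off",
    "data_plane_config_cache_mode": "unencrypted",
}

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """
role = control_plane
admin_listen = 0.0.0.0:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl
trusted_ips = 10.0.0.0/8, 0.0.0.0/0
ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3   # no effect unless ssl_cipher_suite = custom
cluster_ocsp = optional
#status_listen = off
"""


def load_settings(conf_text, environ=None):
    """Parse kong.conf text; KONG_* environment variables override the file."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank lines, commented-out defaults, comment continuations
        key, _, value = line.partition("=")
        settings[key.strip()] = value.split(" #", 1)[0].strip()
    for name, value in (environ or {}).items():
        if name.startswith("KONG_"):
            settings[name[len("KONG_"):].lower()] = value.strip()
    return settings


def _listen_entries(value):
    """Yield (host, flags) for every entry of a `*_listen` value."""
    if value.strip().lower() == "off":
        return
    for entry in value.split(","):
        tokens = entry.split()
        if tokens:
            host = tokens[0].rsplit(":", 1)[0].strip("[]")
            yield host, set(tokens[1:])


def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames cannot be resolved offline: treat as exposed


def audit(settings):
    """Return (setting, message) findings for the effective configuration."""
    findings = []
    for host, flags in _listen_entries(settings["admin_listen"]):
        if not _is_loopback(host):
            how = "over TLS" if "ssl" in flags else "in plaintext"
            findings.append(("admin_listen", f"Admin API listens on {host} {how}"))
    for block in (b.strip() for b in settings["trusted_ips"].split(",")):
        if not block or block == "unix:":
            continue
        try:
            if ipaddress.ip_network(block, strict=False).prefixlen == 0:
                findings.append(("trusted_ips",
                                 f"{block} accepts X-Forwarded-* from every client"))
        except ValueError:
            findings.append(("trusted_ips", f"{block} is not a valid CIDR block"))
    # ssl_protocols only takes effect when ssl_cipher_suite is `custom`.
    if settings["ssl_cipher_suite"] == "custom":
        legacy = sorted({"TLSv1", "TLSv1.1"} & set(settings["ssl_protocols"].split()))
        if legacy:
            findings.append(("ssl_protocols", "legacy protocols enabled: " + " ".join(legacy)))
    role = settings["role"]
    if role == "control_plane" and settings["cluster_ocsp"] != "on":
        findings.append(("cluster_ocsp",
                         f"`{settings['cluster_ocsp']}` lets a DP connect without a passed OCSP check"))
    if role == "data_plane" and settings["data_plane_config_cache_mode"] == "unencrypted":
        findings.append(("data_plane_config_cache_mode",
                         "config cache is written to disk unencrypted"))
    return findings


if __name__ == "__main__":
    for setting, message in audit(load_settings(SAMPLE_CONF)):
        print(f"{setting}: {message}")
```

Passing the process environment as the second argument of `load_settings` applies the same `KONG_*` precedence Kong uses, so a value overridden at deploy time is audited instead of the value in the file.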
#------------------------------------------------------------------------------
# NGINX injected directives
#------------------------------------------------------------------------------
# Nginx directives can be dynamically injected in the runtime nginx.conf file
# without requiring a custom Nginx configuration template.
# All configuration properties respecting the naming scheme
# `nginx_<namespace>_<directive>` will result in `<directive>` being injected in
# the Nginx configuration block corresponding to the property's `<namespace>`.
# Example:
# `nginx_proxy_large_client_header_buffers = 8 24k`
# Will inject the following directive in Kong's proxy `server {}` block:
# `large_client_header_buffers 8 24k;`
# The following namespaces are supported:
# - `nginx_main_<directive>`: Injects `<directive>` in Kong's configuration
#   `main` context.
# - `nginx_events_<directive>`: Injects `<directive>` in Kong's `events {}`
#   block.
# - `nginx_http_<directive>`: Injects `<directive>` in Kong's `http {}` block.
# - `nginx_proxy_<directive>`: Injects `<directive>` in Kong's proxy
#   `server {}` block.
# - `nginx_upstream_<directive>`: Injects `<directive>` in Kong's proxy
#   `upstream {}` block.
# - `nginx_admin_<directive>`: Injects `<directive>` in Kong's Admin API
#   `server {}` block.
# - `nginx_status_<directive>`: Injects `<directive>` in Kong's Status API
#   `server {}` block (only effective if `status_listen` is enabled).
# - `nginx_stream_<directive>`: Injects `<directive>` in Kong's stream module
#   `stream {}` block (only effective if `stream_listen` is enabled).
# - `nginx_sproxy_<directive>`: Injects `<directive>` in Kong's stream module
#   `server {}` block (only effective if `stream_listen` is enabled).
# - `nginx_supstream_<directive>`: Injects `<directive>` in Kong's stream
#   module `upstream {}` block.
# As with other configuration properties, Nginx directives can be injected via
# environment variables when capitalized and prefixed with `KONG_`.
# Example:
# `KONG_NGINX_HTTP_SSL_PROTOCOLS` -> `nginx_http_ssl_protocols`
# Will inject the following directive in Kong's `http {}` block:
# `ssl_protocols <value>;`
# If different sets of protocols are desired between the proxy and Admin API
# server, you may specify `nginx_proxy_ssl_protocols` and/or
# `nginx_admin_ssl_protocols`, both of which take precedence over the
# `http {}` block.
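#nginx_main_worker_rlimit_nofile = auto
                                 # Changes the limit on the maximum number of open files
                                 # for worker processes.
                                 # The special and default value of `auto` sets this
                                 # value to `ulimit -n` with the upper bound limited to
                                 # 16384 as a measure to protect against excess memory use.
                                 # See http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
#nginx_events_worker_connections = auto
                                 # Sets the maximum number of simultaneous
                                 # connections that can be opened by a worker process.
                                 # The special and default value of `auto` sets this
                                 # value to `ulimit -n` with the upper bound limited to
                                 # 16384 as a measure to protect against excess memory use.
                                 # See http://nginx.org/en/docs/ngx_core_module.html#worker_connections
#nginx_http_client_header_buffer_size = 1k  # Sets the buffer size for reading
                                            # the client request headers.
                                            # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
#nginx_http_large_client_header_buffers = 4 8k  # Sets the maximum number and
                                                # size of buffers used for
                                                # reading large client
                                                # request headers.
                                                # See http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
#nginx_http_client_max_body_size = 0  # Defines the maximum request body size
                                      # allowed by requests proxied by Kong,
                                      # specified in the Content-Length request
                                      # header. If a request exceeds this
                                      # limit, Kong will respond with a 413
                                      # (Request Entity Too Large). Setting
                                      # this value to 0 disables checking the
                                      # request body size.
                                      # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
#nginx_admin_client_max_body_size = 10m  # Defines the maximum request body size for
                                         # the Admin API.
#nginx_http_client_body_buffer_size = 8k  # Defines the buffer size for reading
                                          # the request body. If the client
                                          # request body is larger than this
                                          # value, the body will be buffered to
                                          # disk. Note that when the body is
                                          # buffered to disk, Kong plugins that
                                          # access or manipulate the request
                                          # body may not work, so it is
                                          # advisable to set this value as high
                                          # as possible (e.g., set it as high
                                          # as `client_max_body_size` to force
                                          # request bodies to be kept in
                                          # memory). Do note that
                                          # high-concurrency environments will
                                          # require significant memory
                                          # allocations to process many
                                          # concurrent large request bodies.
                                          # See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
#nginx_admin_client_body_buffer_size = 10m  # Defines the buffer size for reading
                                            # the request body on the Admin API.
#nginx_http_lua_regex_match_limit = 100000  # Global `MATCH_LIMIT` for PCRE
                                            # regex matching. The default of `100000` should ensure
                                            # that, at worst, any regex Kong executes can finish within
                                            # roughly 2 seconds.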
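#------------------------------------------------------------------------------
# DATASTORE
#------------------------------------------------------------------------------
# Kong can run with a database to store coordinated data between Kong nodes in
# a cluster, or without a database, where each node stores its information
# independently in memory.
# When using a database, Kong will store data for all its entities (such as
# Routes, Services, Consumers, and Plugins) in either Cassandra or PostgreSQL,
# and all Kong nodes belonging to the same cluster must connect themselves
# to the same database.
# Kong supports the following database versions:
# - **PostgreSQL**: 9.5 and above.
# - **Cassandra**: 2.2 and above.
# When not using a database, Kong is said to be in "DB-less mode": it will keep
# its entities in memory, and each node needs to have this data entered via a
# declarative configuration file, which can be specified through the
# `declarative_config` property, or via the Admin API using the `/config`
# endpoint.
# When using Postgres as the backend storage, you can optionally enable Kong
# to serve read queries from a separate database instance.
# When the number of proxies is large, this can greatly reduce the load
# on the main Postgres instance and achieve better scalability. It may also
# reduce the latency jitter if the Kong proxy node's latency to the main
# Postgres instance is high.
# The read-only Postgres instance only serves read queries; write
# queries still go to the main connection. The read-only Postgres instance
# can be eventually consistent while replicating changes from the main
# instance.
# At least the `pg_ro_host` config is needed to enable this feature.
# By default, all other database config for the read-only connection is
# inherited from the corresponding main connection config described above, but
# may be optionally overwritten explicitly using the `pg_ro_*` config below.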
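#database = postgres             # Determines which of PostgreSQL or Cassandra
                                 # this node will use as its datastore.
                                 # Accepted values are `postgres`,
                                 # `cassandra`, and `off`.
#pg_host = 127.0.0.1             # Host of the Postgres server.
#pg_port = 5432                  # Port of the Postgres server.
#pg_timeout = 5000               # Defines the timeout (in ms), for connecting,
                                 # reading and writing.
#pg_user = kong                  # Postgres user.
#pg_password =                   # Postgres user's password.
#pg_database = kong              # The database name to connect to.
#pg_schema =                     # The database schema to use. If unspecified,
                                 # Kong will respect the `search_path` value of
                                 # your PostgreSQL instance.
#pg_ssl = off                    # Toggles client-server TLS connections
                                 # between Kong and PostgreSQL.
                                 # Because PostgreSQL uses the same port for TLS
                                 # and non-TLS, this is only a hint. If the
                                 # server does not support TLS, the established
                                 # connection will be a plain one.
#pg_ssl_version = tlsv1          # When using ssl between Kong and PostgreSQL,
                                 # the version of tls to use. Accepted values are
                                 # `tlsv1`, `tlsv1_2`, or `tlsv1_3`.
#pg_ssl_required = off           # When `pg_ssl` is on, this determines whether
                                 # TLS must be used between Kong and PostgreSQL.
                                 # It aborts the connection if the server does
                                 # not support SSL connections.
#pg_ssl_verify = off             # Toggles server certificate verification if
                                 # `pg_ssl` is enabled.
                                 # See the `lua_ssl_trusted_certificate`
                                 # setting to specify a certificate authority.
#pg_ssl_cert =                   # The absolute path to the PEM encoded client
                                 # TLS certificate for the PostgreSQL connection.
                                 # Mutual TLS authentication against
                                 # PostgreSQL is only enabled if this value is set.
#pg_ssl_cert_key =               # If `pg_ssl_cert` is set, the absolute path to
                                 # the PEM encoded client TLS private key for the
                                 # PostgreSQL connection.
#pg_max_concurrent_queries = 0   # Sets the maximum number of concurrent queries
                                 # that can be executing at any given time. This
                                 # limit is enforced per worker process; the
                                 # total number of concurrent queries for this
                                 # node will be:
                                 # `pg_max_concurrent_queries * nginx_worker_processes`.
                                 # The default value of 0 removes this
                                 # concurrency limitation.
#pg_semaphore_timeout = 60000    # Defines the timeout (in ms) after which
                                 # PostgreSQL query semaphore resource
                                 # acquisition attempts will fail. Such
                                 # failures will generally result in the
                                 # associated proxy or Admin API request
                                 # failing with an HTTP 500 status code.
                                 # Detailed discussion of this behavior is
                                 # available in the online documentation.
#pg_keepalive_timeout = 60000    # Defines the time (in ms) for which an idle
                                 # connection to the PostgreSQL server will be kept alive.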
#pg_ro_host =                    # Same as `pg_host`, but for the
                                 # read-only connection.
                                 # **Note:** Refer to the documentation
                                 # section above for detailed usage.
#pg_ro_port = <pg_port>          # Same as `pg_port`, but for the
                                 # read-only connection.
#pg_ro_timeout = <pg_timeout>    # Same as `pg_timeout`, but for the
                                 # read-only connection.
#pg_ro_user = <pg_user>          # Same as `pg_user`, but for the
                                 # read-only connection.
#pg_ro_password = <pg_password>  # Same as `pg_password`, but for the
                                 # read-only connection.
#pg_ro_database = <pg_database>  # Same as `pg_database`, but for the
                                 # read-only connection.
#pg_ro_schema = <pg_schema>      # Same as `pg_schema`, but for the
                                 # read-only connection.
#pg_ro_ssl = <pg_ssl>            # Same as `pg_ssl`, but for the
                                 # read-only connection.
#pg_ro_ssl_required = <pg_ssl_required>
                                 # Same as `pg_ssl_required`, but for the
                                 # read-only connection.
#pg_ro_ssl_verify = <pg_ssl_verify>
                                 # Same as `pg_ssl_verify`, but for the
                                 # read-only connection.
#pg_ro_ssl_version = <pg_ssl_version>
                                 # Same as `pg_ssl_version`, but for the
                                 # read-only connection.
#pg_ro_max_concurrent_queries = <pg_max_concurrent_queries>
                                 # Same as `pg_max_concurrent_queries`, but for
                                 # the read-only connection.
                                 # Note: read-only concurrency is not shared
                                 # with the main (read-write) connection.
#pg_ro_semaphore_timeout = <pg_semaphore_timeout>
                                 # Same as `pg_semaphore_timeout`, but for the
                                 # read-only connection.
#pg_ro_keepalive_timeout = <pg_keepalive_timeout>
                                 # Same as `pg_keepalive_timeout`, but for the
                                 # read-only connection.
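#cassandra_contact_points = 127.0.0.1  # A comma-separated list of contact
                                       # points to your cluster.
                                       # You may specify IP addresses or
                                       # hostnames. Note that the port
                                       # component of SRV records will be
                                       # ignored in favor of `cassandra_port`.
                                       # When connecting to a multi-DC cluster,
                                       # ensure that contact points from the
                                       # local datacenter are specified first
                                       # in this list.
#cassandra_port = 9042           # The port on which your nodes are listening
                                 # on. All your nodes and contact points must
                                 # listen on the same port. Will be created if
                                 # it doesn't exist.
#cassandra_keyspace = kong       # The keyspace to use in your cluster.
#cassandra_write_consistency = ONE  # Consistency setting to use when
                                    # writing to the Cassandra cluster.
#cassandra_read_consistency = ONE   # Consistency setting to use when
                                    # reading from the Cassandra cluster.
#cassandra_timeout = 5000        # Defines the timeout (in ms) for reading
                                 # and writing.
#cassandra_ssl = off             # Toggles client-to-node TLS connections
                                 # between Kong and Cassandra.
#cassandra_ssl_verify = off      # Toggles server certificate verification if
                                 # `cassandra_ssl` is enabled.
                                 # See the `lua_ssl_trusted_certificate`
                                 # setting to specify a certificate authority.
#cassandra_username = kong       # Username when using the
                                 # `PasswordAuthenticator` scheme.
#cassandra_password =            # Password when using the
                                 # `PasswordAuthenticator` scheme.
#cassandra_lb_policy = RequestRoundRobin  # Load balancing policy to use when
                                          # distributing queries across your
                                          # Cassandra cluster.
                                          # Accepted values are:
                                          # `RoundRobin`, `RequestRoundRobin`,
                                          # `DCAwareRoundRobin`, and
                                          # `RequestDCAwareRoundRobin`.
                                          # Policies prefixed with "Request"
                                          # make efficient use of established
                                          # connections throughout the same
                                          # request.
                                          # Prefer "DCAware" policies if and
                                          # only if you are using a
                                          # multi-datacenter cluster.
#cassandra_local_datacenter =    # When using the `DCAwareRoundRobin`
                                 # or `RequestDCAwareRoundRobin` load
                                 # balancing policy, you must specify the name
                                 # of the local (closest) datacenter for this
                                 # Kong node.
#cassandra_refresh_frequency = 60          # Frequency (in seconds) at which
                                           # the cluster topology will be
                                           # checked for new or decommissioned
                                           # nodes.
                                           # A value of `0` will disable this
                                           # check, and the cluster topology
                                           # will never be refreshed.
#cassandra_repl_strategy = SimpleStrategy  # When migrating for the first time,
                                           # Kong will use this setting to
                                           # create your keyspace.
                                           # Accepted values are
                                           # `SimpleStrategy` and
                                           # `NetworkTopologyStrategy`.
#cassandra_repl_factor = 1       # When migrating for the first time, Kong
                                 # will create the keyspace with this
                                 # replication factor when using the
                                 # `SimpleStrategy`.
#cassandra_data_centers = dc1:2,dc2:3  # When migrating for the first time,
                                       # will use this setting when using the
                                       # `NetworkTopologyStrategy`.
                                       # The format is a comma-separated list
                                       # made of `<dc_name>:<repl_factor>`.
#cassandra_schema_consensus_timeout = 10000  # Defines the timeout (in ms) for
                                             # the waiting period to reach a
                                             # schema consensus between your
                                             # Cassandra nodes.
                                             # This value is only used during
                                             # migrations.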
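#declarative_config =           # The path to the declarative configuration
                                # file which holds the specification of all
                                # entities (Routes, Services, Consumers, etc.)
                                # to be used when the `database` is set to
                                # `off`.
                                # Entities are stored in Kong's in-memory cache,
                                # so you must ensure that enough memory is
                                # allocated to it via the `mem_cache_size`
                                # property. You must also ensure that items
                                # in the cache never expire, which means that
                                # `db_cache_ttl` should preserve its default
                                # value of 0.
                                # If the Hybrid mode `role` is set to `data_plane`
                                # and there's no configuration cache file,
                                # this configuration is used before connecting
                                # to the Control Plane node as a user-controlled
                                # fallback.
#declarative_config_string =    # The declarative configuration as a string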
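#------------------------------------------------------------------------------
# DATASTORE CACHE
#------------------------------------------------------------------------------
# In order to avoid unnecessary communication with the datastore, Kong caches
# entities (such as APIs, Consumers, Credentials...) for a configurable period
# of time. It also handles invalidations if such an entity is updated.
# This section allows for configuring the behavior of Kong regarding the
# caching of such configuration entities.
#db_update_frequency = 5         # Frequency (in seconds) at which to check for
                                 # updated entities with the datastore.
                                 # When a node creates, updates, or deletes an
                                 # entity via the Admin API, other nodes need
                                 # to wait for the next poll (configured by
                                 # this value) to eventually purge the old
                                 # cached entity and start using the new one.
#db_update_propagation = 0       # Time (in seconds) taken for an entity in the
                                 # datastore to be propagated to replica nodes
                                 # of another datacenter.
                                 # When in a distributed environment such as
                                 # a multi-datacenter Cassandra cluster, this
                                 # value should be the maximum number of
                                 # seconds taken by Cassandra to propagate a
                                 # row to other datacenters.
                                 # When set, this property will increase the
                                 # time taken by Kong to propagate the change
                                 # of an entity.
                                 # Single-datacenter setups or PostgreSQL
                                 # servers should suffer no such delays, and
                                 # this value can be safely set to 0.
#db_cache_ttl = 0                # Time-to-live (in seconds) of an entity from
                                 # the datastore when cached by this node.
                                 # Database misses (no entity) are also cached
                                 # according to this setting if you do not
                                 # configure `db_cache_neg_ttl`.
                                 # If set to 0 (default), such cached entities
                                 # or misses never expire.
#db_cache_neg_ttl =              # Time-to-live (in seconds) of a datastore
                                 # miss (no entity).
                                 # If not specified (default), the `db_cache_ttl`
                                 # value will be used instead.
                                 # If set to 0, misses will never expire.
#db_resurrect_ttl = 30           # Time (in seconds) for which stale entities
                                 # from the datastore should be resurrected
                                 # when they cannot be refreshed (e.g., the
                                 # datastore is unreachable). When this TTL
                                 # expires, a new attempt to refresh the stale
                                 # entities will be made.
#db_cache_warmup_entities = services
                                 # Entities to be pre-loaded from the datastore
                                 # into the in-memory cache at Kong start-up.
                                 # This speeds up the first access of endpoints
                                 # that use the given entities.
                                 # When the `services` entity is configured
                                 # for warmup, the DNS entries for values in
                                 # its `host` attribute are pre-resolved
                                 # asynchronously as well.
                                 # Cache size set in `mem_cache_size` should
                                 # be set to a value large enough to hold all
                                 # instances of the specified entities.
                                 # If the size is insufficient, Kong will log
                                 # a warning.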
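#------------------------------------------------------------------------------
# DNS RESOLVER
#------------------------------------------------------------------------------
# By default, the DNS resolver will use the standard configuration files
# `/etc/hosts` and `/etc/resolv.conf`. The settings in the latter file will be
# overridden by the environment variables `LOCALDOMAIN` and `RES_OPTIONS` if
# they have been set.
# Kong will resolve hostnames as either `SRV` or `A` records (in that order, and
# `CNAME` records will be dereferenced in the process).
# In case a name was resolved as an `SRV` record, it will also override any given
# port number with the `port` field contents received from the DNS server.
# The DNS options `SEARCH` and `NDOTS` (from the `/etc/resolv.conf` file) will
# be used to expand short names to fully qualified ones. So it will first try
# the entire `SEARCH` list for the `SRV` type; if that fails, it will try the
# `SEARCH` list for `A`, etc.
# For the duration of the `ttl`, the internal DNS resolver will load-balance each
# request it gets over the entries in the DNS record. For `SRV` records the
# `weight` fields will be honored, but it will only use the lowest `priority`
# field entries in the record.
#dns_resolver =                  # Comma-separated list of nameservers, each
                                 # entry in `ip[:port]` format to be used by
                                 # Kong. If not specified, the nameservers in
                                 # the local `resolv.conf` file will be used.
                                 # Port defaults to 53 if omitted. Accepts
                                 # both IPv4 and IPv6 addresses.
#dns_hostsfile = /etc/hosts      # The hosts file to use. This file is read
                                 # once and its content is static in memory.
                                 # To read the file again after modifying it,
                                 # Kong must be reloaded.
#dns_order = LAST,SRV,A,CNAME    # The order in which to resolve different
                                 # record types. The `LAST` type means the
                                 # type of the last successful lookup (for the
                                 # specified name). The format is a (case
                                 # insensitive) comma-separated list.
#dns_valid_ttl =                 # By default, DNS records are cached using
                                 # the TTL value of a response. If this
                                 # property receives a value (in seconds), it
                                 # will override the TTL for all records.
#dns_stale_ttl = 4               # Defines, in seconds, how long a record will
                                 # remain in cache past its TTL. This value
                                 # will be used while the new DNS record is
                                 # fetched in the background.
                                 # Stale data will be used from expiry of a
                                 # record until either the refresh query
                                 # completes, or the `dns_stale_ttl` number of
                                 # seconds have passed.
#dns_cache_size = 10000          # Defines the maximum allowed number of
                                 # DNS records stored in memory cache.
                                 # Least recently used DNS records are discarded
                                 # from cache if it is full. Both errors and
                                 # data are cached, therefore a single name query
                                 # can easily take up 10-15 slots.
#dns_not_found_ttl = 30          # TTL in seconds for empty DNS responses and
                                 # "(3) name error" responses.
#dns_error_ttl = 1               # TTL in seconds for error responses.
#dns_no_sync = off               # If enabled, then upon a cache miss every
                                 # request will trigger its own DNS query.
                                 # When disabled, multiple requests for the
                                 # same name/type will be synchronised to a
                                 # single query.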
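#------------------------------------------------------------------------------
# TUNING & BEHAVIOR
#------------------------------------------------------------------------------
#worker_consistency = strict
                                 # Defines whether this node should rebuild its
                                 # state synchronously or asynchronously (the
                                 # balancers and the router are rebuilt on
                                 # updates that affect them, e.g., updates to
                                 # Routes, Services or Upstreams, via the Admin
                                 # API or loading a declarative configuration
                                 # file).
                                 # Accepted values are:
                                 # - `strict`: the router will be rebuilt
                                 #   synchronously, causing incoming requests to
                                 #   be delayed until the rebuild is finished.
                                 # - `eventual`: the router will be rebuilt
                                 #   asynchronously via a recurring background
                                 #   job running every second inside of each
                                 #   worker.
                                 # Note that `strict` ensures that all workers
                                 # of a given node will always proxy requests
                                 # with an identical router, but that increased
                                 # long tail latency can be observed if
                                 # frequent Routes and Services updates are
                                 # expected.
                                 # Using `eventual` will help prevent long
                                 # tail latency issues in such cases, but may
                                 # cause workers to route requests differently
                                 # for a short period of time after Routes and
                                 # Services updates.
#worker_state_update_frequency = 5
                                 # Defines how often the worker state changes are
                                 # checked with a background job. When a change
                                 # is detected, a new router or balancer will be
                                 # built, as needed. Raising this value will
                                 # decrease the load on database servers and
                                 # result in less jitter in proxy latency, but
                                 # it might take more time to propagate changes
                                 # to each individual worker.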
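#------------------------------------------------------------------------------
# MISCELLANEOUS
#------------------------------------------------------------------------------
# Additional settings inherited from lua-nginx-module allowing for more
# flexibility and advanced usage.
# See the lua-nginx-module documentation for more information:
# https://github.com/openresty/lua-nginx-module
#lua_ssl_trusted_certificate =   # Comma-separated list of paths to certificate
                                 # authority files for Lua cosockets in PEM format.
                                 # The special value `system` attempts to search for the
                                 # "usual default" provided by each distro, according
                                 # to an arbitrary heuristic. In the current implementation,
                                 # the following pathnames will be tested in order,
                                 # and the first one found will be used:
                                 # - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
                                 # - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
                                 # - /etc/ssl/ca-bundle.pem (OpenSUSE)
                                 # - /etc/pki/tls/cacert.pem (OpenELEC)
                                 # - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
                                 # - /etc/ssl/cert.pem (OpenBSD, Alpine)
                                 # If no file is found on any of these paths, an error will
                                 # be raised.
                                 # `system` can be used by itself or in conjunction with other
                                 # CA file paths.
                                 # When `pg_ssl_verify` or `cassandra_ssl_verify`
                                 # are enabled, these certificate authority files will be
                                 # used for verifying Kong's database connections.
                                 # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
#lua_ssl_verify_depth = 1        # Sets the verification depth in the server
                                 # certificates chain used by Lua cosockets,
                                 # set by `lua_ssl_trusted_certificate`.
                                 # This includes the certificates configured
                                 # for Kong's database connections.
                                 # If the maximum depth is reached before
                                 # reaching the end of the chain, verification
                                 # will fail. This helps mitigate certificate
                                 # based DoS attacks.
                                 # See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth
#lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3  # Defines the TLS versions supported
                                               # when handshaking with OpenResty's
                                               # TCP cosocket APIs.
                                               # This affects connections made by Lua
                                               # code, such as connections to the
                                               # database Kong uses, or when sending logs
                                               # using a logging plugin. It does *not*
                                               # affect connections made to the upstream
                                               # Service or from downstream clients.
#lua_package_path = ./?.lua;./?/init.lua;  # Sets the Lua module search path
                                           # (LUA_PATH). Useful when developing
                                           # or using custom plugins not stored
                                           # in the default search path.
                                           # See https://github.com/openresty/lua-nginx-module#lua_package_path
#lua_package_cpath =             # Sets the Lua C module search path
                                 # (LUA_CPATH).
                                 # See https://github.com/openresty/lua-nginx-module#lua_package_cpath
#lua_socket_pool_size = 30       # Specifies the size limit for every cosocket
                                 # connection pool associated with every remote
                                 # server.
                                 # See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size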
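#enforce_rbac = off              # Specifies whether Admin API RBAC is enforced.
                                 # Accepts one of `entity`, `both`, `on`, or
                                 # `off`.
                                 # - `on`: only endpoint-level authorization
                                 #   is enforced.
                                 # - `entity`: entity-level authorization
                                 #   applies.
                                 # - `both`: enables both endpoint and
                                 #   entity-level authorization.
                                 # - `off`: disables both endpoint and
                                 #   entity-level authorization.
                                 # When enabled, Kong will deny requests to the
                                 # Admin API when a nonexistent or invalid RBAC
                                 # authorization token is passed, or the RBAC
                                 # user with which the token is associated does
                                 # not have permissions to access/modify the
                                 # requested resource.
#rbac_auth_header = Kong-Admin-Token  # Defines the name of the HTTP request
                                      # header from which the Admin API will
                                      # attempt to authenticate the RBAC user.
#event_hooks_enabled = on   # When enabled, event hook entities represent a relationship
                            # between an event (source and event) and an action
                            # (handler). Similar to web hooks, event hooks can be used to
                            # communicate Kong Gateway service events. When a particular
                            # event happens on a service, the event hook calls a URL with
                            # information about that event. Event hook configurations
                            # differ depending on the handler. The events that are
                            # triggered send associated data.
                            # See: https://docs.konghq.com/enterprise/latest/admin-api/event-hooks/reference/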
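#------------------------------------------------------------------------------
# KONG MANAGER
#------------------------------------------------------------------------------
# The Admin GUI for Kong Enterprise.
#admin_gui_listen = 0.0.0.0:8002, 0.0.0.0:8445 ssl
                        # Kong Manager Listeners
                        # Comma-separated list of addresses and ports on which
                        # Kong will expose Kong Manager. This web application
                        # lets you configure and manage Kong, and therefore
                        # should be kept secured.
                        # Suffixes can be specified for each pair, similarly to
                        # the `admin_listen` directive.
#admin_gui_url =        # Kong Manager URL
                        # The lookup, or balancer, address for Kong Manager.
                        # Accepted format (items in parentheses are optional):
                        # `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
                        # Examples:
                        # - `http://127.0.0.1:8003`
                        # - `https://kong-admin.test`
                        # - `http://dev-machine/dev-285`
                        # By default, Kong Manager will use the window request
                        # host and append the resolved listener port depending
                        # on the requested protocol.
#admin_gui_ssl_cert =   # The absolute path to the SSL certificate for
                        # `admin_gui_listen` values with SSL enabled.
#admin_gui_ssl_cert_key = # The absolute path to the SSL key for
                          # `admin_gui_listen` values with SSL enabled.
#admin_gui_flags = {}
                        # Alters the layout of the Admin GUI (JSON)
                        # The only supported value is `{ "IMMUNITY_ENABLED": true }`
                        # to enable Kong Immunity in the Admin GUI.
#admin_gui_access_log = logs/admin_gui_access.log
                        # Kong Manager Access Logs
                        # Here you can set an absolute or relative path for Kong
                        # Manager access logs. When the path is relative,
                        # logs are placed in the `prefix` location.
                        # Setting this value to `off` disables access logs
                        # for Kong Manager.
#admin_gui_error_log = logs/admin_gui_error.log
                        # Kong Manager Error Logs
                        # Here you can set an absolute or relative path for Kong
                        # Manager access logs. When the path is relative,
                        # logs are placed in the `prefix` location.
                        # Setting this value to `off` disables error logs for
                        # Kong Manager.
                        # Granularity can be adjusted through the `log_level`
                        # directive.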
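#admin_gui_auth =       # Kong Manager Authentication Plugin Name
                        # Secures access to Kong Manager by specifying an
                        # authentication plugin to use.
                        # Supported plugins:
                        # - `basic-auth`: Basic Authentication plugin
                        # - `ldap-auth-advanced`: LDAP Authentication plugin
                        # - `openid-connect`: OpenID Connect Authentication
                        #   plugin
#admin_gui_auth_conf =  # Kong Manager Authentication Plugin Config (JSON)
                        # Specifies the configuration for the authentication
                        # plugin specified in `admin_gui_auth`.
                        # For information about plugin configuration,
                        # consult the associated plugin documentation.
                        # Example for `basic-auth`:
                        # `admin_gui_auth_conf = { "hide_credentials": true }`
#admin_gui_auth_password_complexity = # Kong Manager Authentication Password Complexity (JSON)
                        # When `admin_gui_auth = basic-auth`, this property defines
                        # the rules required for Kong Manager passwords. Choose
                        # from preset rules or write your own.
                        # Example using preset rules:
                        # `admin_gui_auth_password_complexity = { "kong-preset": "min_8" }`
                        # All values for kong-preset require the password to contain
                        # characters from at least three of the following categories:
                        # 1. Uppercase characters (A through Z)
                        # 2. Lowercase characters (a through z)
                        # 3. Base-10 digits (0 through 9)
                        # 4. Special characters (for example, &, $, #, %)
                        # Supported preset rules:
                        # - `min_8`: minimum length of 8
                        # - `min_12`: minimum length of 12
                        # - `min_20`: minimum length of 20
                        # To write your own rules, see
                        # https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.
                        # NOTE: Only the keywords "min", "max" and "passphrase" are supported.
                        # Example:
                        # `admin_gui_auth_password_complexity = { "min": "disabled,24,11,9,8" }`
#admin_gui_session_conf = # Kong Manager Session Config (JSON)
                          # Specifies the configuration for the Session plugin as
                          # used by Kong Manager.
                          # For information about plugin configuration, consult
                          # the Kong Session plugin documentation.
                          # Example:
                          # admin_gui_session_conf = { "cookie_name": "kookie", \
                          #                            "secret": "changeme" }
#admin_gui_auth_header = Kong-Admin-User
                        # Defines the name of the HTTP request header from which
                        # the Admin API will attempt to identify the Kong Admin
                        # user.
#admin_gui_auth_login_attempts = 0
                        # Number of times a user can attempt to log in to Kong
                        # Manager. 0 means infinite attempts are allowed.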
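#admin_gui_header_txt = # Kong Manager Header Text
                    # Sets the text for the Kong Manager Header Banner. The
                    # Header Banner is not shown if this config is empty.
#admin_gui_header_bg_color = # Kong Manager Header Background Color
                         # Sets the background color for the Kong Manager Header Banner.
                         # Accepts a css color keyword, #-hexadecimal or rgb
                         # format. Invalid values are ignored by Manager.
#admin_gui_header_txt_color = # Kong Manager Header Text Color
                          # Sets the text color for the Kong Manager Header Banner.
                          # Accepts a css color keyword, #-hexadecimal or rgb
                          # format. Invalid values are ignored by Kong Manager.
#admin_gui_footer_txt = # Kong Manager Footer Text
                    # Sets the text for the Kong Manager Footer Banner. The
                    # Footer Banner is not shown if this config is empty.
#admin_gui_footer_bg_color = # Kong Manager Footer Background Color
                         # Sets the background color for the Kong Manager Footer Banner.
                         # Accepts a css color keyword, #-hexadecimal or rgb
                         # format. Invalid values are ignored by Manager.
#admin_gui_footer_txt_color = # Kong Manager Footer Text Color
                          # Sets the text color for the Kong Manager Footer Banner.
                          # Accepts a css color keyword, #-hexadecimal or rgb
                          # format. Invalid values are ignored by Kong Manager.
#admin_gui_login_banner_title = # Kong Manager Login Banner Title Text
                                # Sets the title text for the Kong Manager Login Banner.
                                # The Login Banner is not shown if both
                                # `admin_gui_login_banner_title` and
                                # `admin_gui_login_banner_body` are empty.
#admin_gui_login_banner_body = # Kong Manager Login Banner Body Text
                                # Sets the body text for the Kong Manager Login Banner.
                                # The Login Banner is not shown if both
                                # `admin_gui_login_banner_title` and
                                # `admin_gui_login_banner_body` are empty.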
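Several defaults listed so far leave a deployment weaker than it needs to be: `pg_ssl`, `pg_ssl_required` and `pg_ssl_verify` are `off`, `lua_ssl_protocols` still includes TLSv1.1, `enforce_rbac` is `off`, and Kong Manager has no `admin_gui_auth` plugin. The Python audit below is an added example, not part of Kong or of the original page: it computes the effective value of those settings (file defaults, then active lines, then `KONG_*` environment overrides, as the file header describes) and reports the weak ones. Its line parser is a simplification, the `database = postgres` default is assumed from the stock file, and the sample config and environment are constructed.

```python
"""Audit security-relevant kong.conf settings (added example, not Kong code)."""
import re

# Defaults copied from the commented-out lines of the kong.conf.default listing.
# `database = postgres` is assumed: that setting sits outside the part shown here.
DEFAULTS = {
    "database": "postgres",
    "pg_ssl": "off", "pg_ssl_required": "off", "pg_ssl_verify": "off",
    "pg_ssl_version": "tlsv1",
    "cassandra_ssl": "off", "cassandra_ssl_verify": "off",
    "lua_ssl_trusted_certificate": "",
    "lua_ssl_protocols": "TLSv1.1 TLSv1.2 TLSv1.3",
    "enforce_rbac": "off",
    "admin_gui_listen": "0.0.0.0:8002, 0.0.0.0:8445 ssl",
    "admin_gui_auth": "", "admin_gui_auth_login_attempts": "0",
}
SETTING = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=(.*)$")


def parse_conf(text):
    """Return active `key = value` pairs; commented-out lines keep the default.

    Simplified (assumption): a `#` at the start of the value or after
    whitespace begins a trailing comment.
    """
    settings = {}
    for line in text.splitlines():
        match = SETTING.match(line)  # a line starting with `#` never matches
        if match:
            value = re.sub(r"(^|\s)#.*$", "", match.group(2).strip())
            settings[match.group(1)] = value.strip()
    return settings


def effective(conf_text, environ):
    """Layer defaults, then the file, then KONG_* environment variables."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_conf(conf_text))
    for name, value in environ.items():
        if name.startswith("KONG_"):
            cfg[name[len("KONG_"):].lower()] = value.strip()
    return cfg


def audit(cfg):
    """Return (setting, reason) findings for the effective configuration."""
    def on(key):
        return cfg.get(key, "").lower() in ("on", "true")

    findings = []
    if cfg["database"] == "postgres":
        if not on("pg_ssl"):
            findings.append(("pg_ssl", "no TLS between Kong and PostgreSQL"))
        else:
            if not on("pg_ssl_required"):
                findings.append(("pg_ssl_required",
                                 "TLS is only a hint; a plain connection is accepted"))
            if not on("pg_ssl_verify"):
                findings.append(("pg_ssl_verify", "server certificate not verified"))
            elif not cfg["lua_ssl_trusted_certificate"]:
                findings.append(("lua_ssl_trusted_certificate",
                                 "verification is on but no CA file is configured"))
            if cfg["pg_ssl_version"].lower() == "tlsv1":
                findings.append(("pg_ssl_version", "TLS 1.0 selected"))
    elif cfg["database"] == "cassandra":
        if not on("cassandra_ssl"):
            findings.append(("cassandra_ssl", "no TLS between Kong and Cassandra"))
        elif not on("cassandra_ssl_verify"):
            findings.append(("cassandra_ssl_verify", "server certificate not verified"))
    old = [p for p in cfg["lua_ssl_protocols"].split()
           if p not in ("TLSv1.2", "TLSv1.3")]
    if old:
        findings.append(("lua_ssl_protocols", "allows " + ", ".join(old)))
    if cfg["enforce_rbac"].lower() not in ("on", "entity", "both"):
        findings.append(("enforce_rbac", "Admin API RBAC is not enforced"))
    if not cfg["admin_gui_auth"]:
        findings.append(("admin_gui_auth", "Kong Manager has no authentication plugin"))
    elif cfg["admin_gui_auth_login_attempts"] == "0":
        findings.append(("admin_gui_auth_login_attempts", "unlimited login attempts"))
    for entry in cfg["admin_gui_listen"].split(","):
        parts = entry.split()
        if parts and parts[0] != "off" and "ssl" not in parts[1:]:
            findings.append(("admin_gui_listen",
                             parts[0] + " serves Kong Manager without TLS"))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
database = postgres
pg_ssl = on                 # request TLS to PostgreSQL
pg_ssl_verify = on
admin_gui_auth = basic-auth
#enforce_rbac = on          # commented out, so the default `off` applies
"""
SAMPLE_ENV = {"KONG_PG_SSL_REQUIRED": "on", "PATH": "/usr/bin",
              "KONG_LUA_SSL_PROTOCOLS": "TLSv1.2 TLSv1.3"}

if __name__ == "__main__":
    for setting, reason in audit(effective(SAMPLE_CONF, SAMPLE_ENV)):
        print(f"{setting}: {reason}")
```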
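#------------------------------------------------------------------------------
# VITALS
#------------------------------------------------------------------------------
#vitals = on                     # When enabled, Kong will store and report
                                 # metrics about its performance.
                                 # When running Kong in a multi-node setup,
                                 # `vitals` entails two separate meanings
                                 # depending on the node.
                                 # On a Proxy-only node, `vitals` determines
                                 # whether to collect data for Vitals.
                                 # On an Admin-only node, `vitals` determines
                                 # whether to display Vitals metrics and
                                 # visualizations on the dashboard.
#vitals_strategy = database      # Determines whether to use the Kong database
                                 # (either PostgreSQL or Cassandra, as defined
                                 # by the `database` config value above), or a
                                 # separate storage engine, for Vitals metrics.
                                 # Accepted values are `database`, `prometheus`,
                                 # or `influxdb`.
#vitals_tsdb_address =           # Defines the host and port of the TSDB server
                                 # to which Vitals data is written and read.
                                 # This value is only applied when the
                                 # `vitals_strategy` option is set to
                                 # `prometheus` or `influxdb`. This value
                                 # accepts IPv4, IPv6, and hostname values.
                                 # If the `vitals_strategy` is set to
                                 # `prometheus`, this value determines the
                                 # address of the Prometheus server from which
                                 # Vitals data will be read. For `influxdb`
                                 # strategies, this value controls both the read
                                 # and write source for Vitals data.
#vitals_tsdb_user =              # Influxdb user
#vitals_tsdb_password =          # Influxdb password
#vitals_statsd_address =         # Defines the host and port (and an optional
                                 # protocol) of the StatsD server to which
                                 # Kong should write Vitals metrics. This value
                                 # is only applied when the `vitals_strategy` is
                                 # set to `prometheus`. This value accepts IPv4,
                                 # IPv6, and hostnames. Additionally, the suffix
                                 # `tcp` can be specified; doing so will result
                                 # in Kong sending StatsD metrics via TCP
                                 # instead of UDP (the default).
#vitals_statsd_prefix = kong     # Defines the prefix value attached to all
                                 # Vitals StatsD events. This prefix is useful
                                 # when writing metrics to a multi-tenant StatsD
                                 # exporter or server.
#vitals_statsd_udp_packet_size = 1024   # Defines the maximum buffer size in
                                        # which Vitals statsd metrics will be
                                        # held and sent in batches.
                                        # This value is defined in bytes.
#vitals_prometheus_scrape_interval = 5  # Defines the scrape_interval query
                                        # parameter sent to the Prometheus
                                        # server when reading Vitals data.
                                        # This should be the same as the scrape
                                        # interval (in seconds) of the
                                        # Prometheus server.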
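#------------------------------------------------------------------------------
# DEVELOPER PORTAL
#------------------------------------------------------------------------------
#portal = off
                        # Developer Portal Switch
                        # When enabled:
                        #   Kong will expose the Dev Portal interface and
                        #   read-only APIs on the `portal_gui_listen` address,
                        #   and endpoints on the Admin API to manage assets.
                        # When enabled along with `portal_auth`:
                        #   Kong will expose management endpoints for developer
                        #   accounts on the Admin API and the Dev Portal API.
#portal_gui_listen = 0.0.0.0:8003, 0.0.0.0:8446 ssl
                        # Developer Portal GUI Listeners
                        # Comma-separated list of addresses on which Kong will
                        # expose the Developer Portal GUI. Suffixes can be
                        # specified for each pair, similarly to
                        # the `admin_listen` directive.
#portal_gui_protocol = http
                        # Developer Portal GUI protocol
                        # The protocol used in conjunction with
                        # `portal_gui_host` to construct the lookup, or balancer,
                        # address for your Kong Proxy nodes.
                        # Examples: `http`, `https`
#portal_gui_host = 127.0.0.1:8003
                        # Developer Portal GUI host
                        # The host used in conjunction with
                        # `portal_gui_protocol` to construct the lookup,
                        # or balancer, address for your Kong Proxy nodes.
                        # Examples:
                        # - `<IP>:<PORT>`
                        #   -> `portal_gui_host = 127.0.0.1:8003`
                        # - `<HOSTNAME>`
                        #   -> `portal_gui_host = portal_api.domain.tld`
                        # - `<HOSTNAME>/<PATH>`
                        #   -> `portal_gui_host = dev-machine/dev-285`
#portal_cors_origins =  # Developer Portal CORS Origins
                        # A comma-separated list of allowed domains for the
                        # `Access-Control-Allow-Origin` header. This can be used to
                        # resolve CORS issues in custom networking environments.
                        # Examples:
                        # - list of domains:
                        #   `portal_cors_origins = http://localhost:8003, https://localhost:8004`
                        # - single domain:
                        #   `portal_cors_origins = http://localhost:8003`
                        # - all domains:
                        #   `portal_cors_origins = *`
                        # NOTE: In most cases, the Developer Portal is able to derive
                        # valid CORS origins by using `portal_gui_protocol`, `portal_gui_host`,
                        # and, if applicable, `portal_gui_use_subdomains`. In these cases,
                        # `portal_cors_origins` is not needed and can remain unset.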
#portal_gui_use_subdomains = 关闭
                        # Developer Portal GUI 子域切换
                        # 默认情况下,Kong Portal 使用第一个命名空间
                        # 确定工作空间的请求路径。通过转动
                        # `portal_gui_subdomains` 开启,Kong Portal 将期待
                        # 工作区作为子域包含在请求 url 中。
                        # 示例(关闭):
                        # - `<scheme>://<HOSTNAME>/<WORKSPACE>/<PATH>`->
                        # `http://kong-portal.com/example-workspace/index`
                        # 示例(上):
                        # - `<scheme>://<WORKSPACE>.<HOSTNAME>` ->
                        # `http://example-workspace.kong-portal.com/index`
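#portal_gui_ssl_cert = # Developer Portal GUI SSL Certificate
                        # The absolute path to the SSL certificate for
                        # `portal_gui_listen` values with SSL enabled.
#portal_gui_ssl_cert_key = # Developer Portal GUI SSL Certificate Key
                           # The absolute path to the SSL key for
                           # `portal_gui_listen` values with SSL enabled.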
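#portal_gui_access_log = logs/portal_gui_access.log
                        # Developer Portal GUI Access Log location
                        # Here you can set an absolute or relative path for your
                        # Portal GUI access logs.
                        # Setting this value to `off` will disable logging
                        # Portal GUI access logs.
                        # When using a relative path, logs will be placed under
                        # the `prefix` location.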
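#portal_gui_error_log = logs/portal_gui_error.log
                        # Developer Portal GUI Error Log location
                        # Here you can set an absolute or relative path for your
                        # Portal GUI error logs.
                        # Setting this value to `off` will disable logging
                        # Portal GUI error logs.
                        # When using a relative path, logs will be placed under
                        # the `prefix` location.
                        # Granularity can be adjusted through `log_level`.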
#portal_api_listen = 0.0.0.0:8004, 0.0.0.0:8447 ssl
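                        # Developer Portal API Listeners
                        # Comma-separated list of addresses on which Kong will
                        # expose the Developer Portal API. Suffixes can be
                        # specified for each pair, similarly to
                        # the `admin_listen` directive.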
#portal_api_url = # Developer Portal API URL
                        # The lookup, or balancer, address for your Developer
                        # Portal nodes.
                        # This value is commonly used in a microservices
                        # or service-mesh oriented architecture.
                        # `portal_api_url` is the address on which your
                        # Kong Dev Portal API is accessible by Kong. You
                        # should only set this value if your Kong Dev Portal API
                        # lives on a different node than your Kong Proxy.
                        # Accepted format (parts in parentheses are optional):
                        # `<scheme>://<IP / HOSTNAME>(:<PORT>(/<PATH>))`
                        # Examples:
                        # - `<scheme>://<IP>:<PORT>`
                        # -> `portal_api_url = http://127.0.0.1:8003`
                        # - `SSL <scheme>://<HOSTNAME>`
                        # -> `portal_api_url = https://portal_api.domain.tld`
                        # - `<scheme>://<HOSTNAME>/<PATH>`
                        # -> `portal_api_url = http://dev-machine/dev-285`
                        # By default this value points to the local interface:
                        # - `http://0.0.0.0:8004`
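#portal_api_ssl_cert = # Developer Portal API SSL Certificate
                        # The absolute path to the SSL certificate for
                        # `portal_api_listen` values with SSL enabled.
#portal_api_ssl_cert_key = # Developer Portal API SSL Certificate Key
                           # The absolute path to the SSL key for
                           # `portal_api_listen` values with SSL enabled.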
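#portal_api_access_log = logs/portal_api_access.log
                        # Developer Portal API Access Log location
                        # Here you can set an absolute or relative path for your
                        # Portal API access logs.
                        # Setting this value to `off` will disable logging
                        # Portal API access logs.
                        # When using a relative path, logs will be placed under
                        # the `prefix` location.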
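#portal_api_error_log = logs/portal_api_error.log
                        # Developer Portal API Error Log location
                        # Here you can set an absolute or relative path for your
                        # Portal API error logs.
                        # Setting this value to `off` will disable logging
                        # Portal API error logs.
                        # When using a relative path, logs will be placed under
                        # the `prefix` location.
                        # Granularity can be adjusted through the `log_level`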
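                        # directive.
#portal_is_legacy = off
                        # Developer Portal legacy support
                        # Setting this value to `on` will cause all new
                        # portals to render using the legacy rendering system by default.
                        # Setting this value to `off` will cause all new
                        # portals to render using the current rendering system.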
#portal_app_auth = kong-oauth2
                        # Developer Portal application registration
                        # auth provider and strategy. Must be set to enable
                        # the application_registration plugin.
                        # Currently accepts kong-oauth2 or external-oauth2.
#------------------------------------------------------------------------------
# DEFAULT DEVELOPER PORTAL AUTHENTICATION
#------------------------------------------------------------------------------
# Referenced on workspace creation to set Dev Portal authentication defaults
# in the database for that particular workspace.
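#portal_auth = # Developer Portal Authentication Plugin Name
                        # Specifies the authentication plugin
                        # to apply to your Developer Portal. Developers
                        # will use the specified form of authentication
                        # to request access, register, and log in to your
                        # Developer Portal.
                        # Supported plugins:
                        # - Basic Authentication: `portal_auth = basic-auth`
                        # - OIDC Authentication: `portal_auth = openid-connect`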
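#portal_auth_password_complexity = # Kong Portal Authentication Password Complexity (JSON)
                        # When portal_auth = basic-auth, this property defines
                        # the rules required for Kong Portal passwords. Choose
                        # from preset rules or write your own.
                        # Example using preset rules:
                        # `portal_auth_password_complexity = { "kong-preset": "min_8" }`
                        # All values for kong-preset require the password to contain
                        # characters from at least three of the following categories:
                        # 1. Uppercase characters (A through Z)
                        # 2. Lowercase characters (a through z)
                        # 3. Base-10 digits (0 through 9)
                        # 4. Special characters (for example, &, $, #, %)
                        # Supported preset rules:
                        # - `min_8`: minimum length of 8
                        # - `min_12`: minimum length of 12
                        # - `min_20`: minimum length of 20
                        # To write your own rules, see
                        # https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.
                        # NOTE: Only the keywords "min", "max" and "passphrase" are supported.
                        # Example:
                        # `portal_auth_password_complexity = { "min": "disabled,24,11,9,8" }`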
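#portal_auth_conf = # Developer Portal Authentication Plugin Config (JSON)
                        # Specifies the plugin configuration object
                        # in JSON format to be applied to your Developer
                        # Portal authentication.
                        # For information about plugin configuration,
                        # consult the associated plugin documentation.
                        # Example for `basic-auth`:
                        # `portal_auth_conf = { "hide_credentials": true }`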
#portal_auth_login_attempts = 0
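                        # Number of times a user can attempt to log in to
                        # the Dev Portal before the password must be reset.
                        # 0 (default) means infinite attempts allowed.
                        # Note: Any value greater than 0 will only affect
                        # Dev Portals secured with basic-auth.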
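#portal_session_conf = # Portal Session Config (JSON)
                        # Specifies the configuration for the
                        # Session plugin as used by Kong Portal.
                        # For information about plugin configuration, consult
                        # the Kong Session Plugin documentation.
                        # Example:
                        # portal_session_conf = { "cookie_name": "portal_session", \
                        # "secret": "changeme", \
                        # "storage": "kong" }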
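#portal_auto_approve = off
                        # Developer Portal Auto Approve Access
                        # When this flag is set to `on`, a developer will
                        # automatically be marked as "approved" after completing
                        # registration. Access can still be revoked through the
                        # Admin GUI or API.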
#portal_token_exp = 21600
                        # Duration in seconds for the expiration of the portal
                        # login reset/account validation token.
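#portal_email_verification = off
                        # Portal Developer Email Verification.
                        # When enabled, developers will receive an email upon
                        # registration to verify their account. Developers will
                        # not be able to use the Developer Portal until they
                        # verify their account.
                        # Note: SMTP must be turned on in order to use this feature.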
#------------------------------------------------------------------------------
# DEFAULT PORTAL SMTP CONFIGURATION
#------------------------------------------------------------------------------
# Referenced on workspace creation to set SMTP defaults in the database
# for that particular workspace.
#portal_invite_email = on
                        # Enable or disable portal_invite_email
#portal_access_request_email = on
                        # Enable or disable portal_access_request_email
#portal_approved_email = on
                        # Enable or disable portal_approved_email
#portal_reset_email = on
                        # Enable or disable portal_reset_email
#portal_reset_success_email = on
                        # Enable or disable portal_reset_success_email
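#portal_application_status_email = off
                        # When enabled, developers will receive an email
                        # when the status changes for their application
                        # service requests.
                        # When disabled, developers will still be able
                        # to view the status in their developer portal
                        # application page.
                        # The email looks like the following:
                        # Subject: Dev Portal application request <REQUEST_STATUS> (<DEV_PORTAL_URL>)
                        # Hello Developer,
                        # We are emailing you to let you know that your request for application access from the
                        # Developer Portal account at <DEV_PORTAL_URL> is <REQUEST_STATUS>.
                        # Application: <APPLICATION_NAME>
                        # Service: <SERVICE_NAME>
                        # You will receive another email when your access has been approved.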
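#portal_application_request_email = off
                        # When enabled, Kong admins specified by `smtp_admin_emails`
                        # will receive an email when a developer requests access
                        # to a service through an application.
                        # When disabled, Kong admins will have to manually check
                        # Kong Manager to view any requests.
                        # By default, `smtp_admin_emails` will be the recipients.
                        # This can be overridden by `portal_smtp_admin_emails`,
                        # which can be set dynamically per workspace through
                        # the Admin API.
                        # The email looks like the following:
                        # Subject: Request to access Dev Portal (<DEV_PORTAL_URL>) service from <DEVELOPER_EMAIL>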
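
An added example, not part of Kong's shipped file or tooling: a small Python audit of the Developer Portal settings documented above, flagging a wildcard `portal_cors_origins`, unlimited login attempts or no password-complexity rule under `basic-auth`, a placeholder session secret, and automatic approval. The function names and the sample configuration are constructed for illustration, and the parser assumes one `key = value` setting per logical line with no trailing inline comments.

```python
import json

# Constructed sample: a kong.conf fragment using only keys documented above.
SAMPLE_CONF = r'''
portal_cors_origins = http://localhost:8003, *
portal_auth = basic-auth
#portal_auth_password_complexity = { "kong-preset": "min_12" }
portal_auth_login_attempts = 0
portal_session_conf = { "cookie_name": "portal_session", \
                        "secret": "changeme", \
                        "storage": "kong" }
portal_auto_approve = on
'''

def parse_conf(text):
    """Parse uncommented `key = value` lines, joining backslash continuations."""
    settings = {}
    joined = text.replace("\\\n", " ")
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_portal(settings):
    """Return the names of portal settings that deserve a security review."""
    findings = []
    origins = [o.strip() for o in settings.get("portal_cors_origins", "").split(",")]
    if "*" in origins:
        findings.append("portal_cors_origins")              # every origin allowed
    if settings.get("portal_auth") == "basic-auth":
        if int(settings.get("portal_auth_login_attempts", "0")) == 0:
            findings.append("portal_auth_login_attempts")   # 0 = infinite attempts
        if not settings.get("portal_auth_password_complexity"):
            findings.append("portal_auth_password_complexity")  # no rule defined
    session = json.loads(settings.get("portal_session_conf") or "{}")
    if session and session.get("secret", "") in ("", "changeme"):
        findings.append("portal_session_conf")              # placeholder secret
    if settings.get("portal_auto_approve", "off") in ("on", "true"):
        findings.append("portal_auto_approve")              # no admin approval step
    return findings

if __name__ == "__main__":
    for name in audit_portal(parse_conf(SAMPLE_CONF)):
        print("review:", name)
```
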
				