Provided by: swift-proxy_1.13.1-0ubuntu1.5_all 
NAME
proxy-server.conf - configuration file for the openstack-swift proxy server
SYNOPSIS
proxy-server.conf
DESCRIPTION
This is the configuration file used by the proxy server and other proxy middlewares.
The configuration file follows the python-pastedeploy syntax. The file is divided into
sections, which are enclosed by square brackets. Each section will contain a certain
number of key/value parameters which are described later.
Any line that begins with a '#' symbol is ignored.
You can find more information about python-pastedeploy configuration format at
http://pythonpaste.org/deploy/#config-format
GLOBAL SECTION
This is indicated by section named [DEFAULT]. Below are the parameters that are acceptable
within this section.
bind_ip
IP address the proxy server should bind to. The default is 0.0.0.0 which will make
it bind to all available addresses.
bind_port
TCP port the proxy server should bind to. The default is 80.
backlog
TCP backlog. Maximum number of allowed pending connections. The default value is
4096.
workers
The number of pre-forked processes that will accept connections. Zero means no
fork. The default is auto which will make the server try to match the number of
effective cpu cores if python multiprocessing is available (included with most
python distributions >= 2.6) or fallback to one. It's worth noting that individual
workers will use many eventlet co-routines to service multiple concurrent requests.
max_clients
Maximum number of clients one worker can process simultaneously (it will actually
accept(2) N + 1). Setting this to one (1) will only handle one request at a time,
without accepting another request concurrently. The default is 1024.
user The system user that the proxy server will run as. The default is swift.
swift_dir
Swift configuration directory. The default is /etc/swift.
cert_file
Location of the SSL certificate file. The default path is /etc/swift/proxy.crt.
This is disabled by default.
key_file
Location of the SSL certificate key file. The default path is /etc/swift/proxy.key.
This is disabled by default.
log_name
Label used when logging. The default is swift.
log_facility
Syslog log facility. The default is LOG_LOCAL0.
log_level
Logging level. The default is INFO.
log_address
Logging address. The default is /dev/log.
trans_id_suffix
This optional suffix (default is empty) that would be appended to the swift
transaction id allows one to easily figure out from which cluster that X-Trans-Id
belongs to. This is very useful when one is managing more than one swift cluster.
PIPELINE SECTION
This is indicated by section name [pipeline:main]. Below are the parameters that are
acceptable within this section.
pipeline
It is used when you need apply a number of filters. It is a list of filters ended
by an application. The normal pipeline is "catch_errors healthcheck cache ratelimit
tempauth proxy-logging proxy-server".
FILTER SECTION
Any section that has its name prefixed by "filter:" indicates a filter section. Filters
are used to specify configuration parameters for specific swift middlewares. Below are
the filters available and respective acceptable parameters.
[filter:healthcheck]
use Entry point for paste.deploy for the healthcheck middleware. This is the
reference to the installed python egg. This is normally egg:swift#healthcheck.
disable_path
An optional filesystem path which, if present, will cause the healthcheck URL to
return "503 Service Unavailable" with a body of "DISABLED BY FILE".
[filter:tempauth]
use Entry point for paste.deploy for the tempauth middleware. This is the reference
to the installed python egg. This is normally egg:swift#tempauth.
set log_name
Label used when logging. The default is tempauth.
set log_facility
Syslog log facility. The default is LOG_LOCAL0.
set log_level
Logging level. The default is INFO.
set log_address
Logging address. The default is /dev/log.
set log_headers
Enables the ability to log request headers. The default is False.
reseller_prefix
The reseller prefix will verify a token begins with this prefix before even
attempting to validate it. Also, with authorization, only Swift storage accounts
with this prefix will be authorized by this middleware. Useful if multiple auth
systems are in use for one Swift cluster. The default is AUTH.
auth_prefix
The auth prefix will cause requests beginning with this prefix to be routed to
the auth subsystem, for granting tokens, etc. The default is /auth/.
token_life
This is the time in seconds before the token expires. The default is 86400.
user_<account>_<user>
Lastly, you need to list all the accounts/users you want here. The format is:
user_<account>_<user> = <key> [group] [group] [...] [storage_url]
There are special groups of: .reseller_admin who can do anything to any account
for this auth and also .admin who can do anything within the account.
If neither of these groups are specified, the user can only access containers
that have been explicitly allowed for them by a .admin or .reseller_admin. The
trailing optional storage_url allows you to specify an alternate url to hand
back to the user upon authentication. If not specified, this defaults to
http[s]://<ip>:<port>/v1/<reseller_prefix>_<account> where http or https depends
on whether cert_file is specified in the [DEFAULT] section, <ip> and <port> are
based on the [DEFAULT] section's bind_ip and bind_port (falling back to
127.0.0.1 and 8080), <reseller_prefix> is from this section, and <account> is
from the user_<account>_<user> name.
Here are example entries, required for running the tests:
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3
[filter:cache]
Caching middleware that manages caching in swift.
use Entry point for paste.deploy for the memcache middleware. This is the reference
to the installed python egg. This is normally egg:swift#memcache.
set log_name
Label used when logging. The default is memcache.
set log_facility
Syslog log facility. The default is LOG_LOCAL0.
set log_level
Logging level. The default is INFO.
set log_address
Logging address. The default is /dev/log.
set log_headers
Enables the ability to log request headers. The default is False.
memcache_servers
If not set in the configuration file, the value for memcache_servers will be
read from /etc/swift/memcache.conf (see memcache.conf-sample) or lacking that
file, it will default to 127.0.0.1:11211. You can specify multiple servers
separated with commas, as in: 10.1.2.3:11211,10.1.2.4:11211.
memcache_serialization_support
This sets how memcache values are serialized and deserialized:
0 = older, insecure pickle serialization
1 = json serialization but pickles can still be read (still insecure)
2 = json serialization only (secure and the default)
To avoid an instant full cache flush, existing installations should upgrade with
0, then set to 1 and reload, then after some time (24 hours) set to 2 and
reload. In the future, the ability to use pickle serialization will be removed.
If not set in the configuration file, the value for
memcache_serialization_support will be read from /etc/swift/memcache.conf if it
exists (see memcache.conf-sample). Otherwise, the default value as indicated
above will be used.
[filter:ratelimit]
Rate limits requests on both an Account and Container level. Limits are configurable.
use Entry point for paste.deploy for the ratelimit middleware. This is the reference
to the installed python egg. This is normally egg:swift#ratelimit.
set log_name
Label used when logging. The default is ratelimit.
set log_facility
Syslog log facility. The default is LOG_LOCAL0.
set log_level
Logging level. The default is INFO.
set log_address
Logging address. The default is /dev/log.
set log_headers
Enables the ability to log request headers. The default is False.
clock_accuracy
This should represent how accurate the proxy servers' system clocks are with
each other. 1000 means that all the proxies' clock are accurate to each other
within 1 millisecond. No ratelimit should be higher than the clock accuracy.
The default is 1000.
max_sleep_time_seconds
App will immediately return a 498 response if the necessary sleep time ever
exceeds the given max_sleep_time_seconds. The default is 60 seconds.
log_sleep_time_seconds
To allow visibility into rate limiting set this value > 0 and all sleeps greater
than the number will be logged. If set to 0 means disabled. The default is 0.
rate_buffer_seconds
Number of seconds the rate counter can drop and be allowed to catch up (at a
faster than listed rate). A larger number will result in larger spikes in rate
but better average accuracy. The default is 5.
account_ratelimit
If set, will limit PUT and DELETE requests to /account_name/container_name.
Number is in requests per second. If set to 0 means disabled. The default is 0.
account_whitelist
Comma separated lists of account names that will not be rate limited. The
default is ''.
account_blacklist
Comma separated lists of account names that will not be allowed. Returns a 497
response. The default is ''.
container_ratelimit_size
When set with container_limit_x = r: for containers of size x, limit requests
per second to r. Will limit PUT, DELETE, and POST requests to /a/c/o. The
default is ''.
[filter:domain_remap]
Middleware that translates container and account parts of a domain to path parameters that
the proxy server understands. The container.account.storageurl/object gets translated to
container.account.storageurl/path_root/account/container/object and
account.storageurl/path_root/container/object gets translated to
account.storageurl/path_root/account/container/object
use Entry point for paste.deploy for the domain_remap middleware. This is the
reference to the installed python egg. This is normally egg:swift#domain_remap.
set log_name
Label used when logging. The default is domain_remap.
set log_address
Logging address. The default is /dev/log.
set log_headers
Enables the ability to log request headers. The default is False.
storage_domain
The domain to be used by the middleware.
path_root
The path root value for the storage URL. The default is v1.
reseller_prefixes
Browsers can convert a host header to lowercase, so check that reseller prefix
on the account is the correct case. This is done by comparing the items in the
reseller_prefixes config option to the found prefix. If they match except for
case, the item from reseller_prefixes will be used instead of the found reseller
prefix. The reseller_prefixes list is exclusive. If defined, any request with
an account prefix not in that list will be ignored by this middleware. Defaults
to 'AUTH'.
[filter:catch_errors]
use Entry point for paste.deploy for the catch_errors middleware. This is the
reference to the installed python egg. This is normally egg:swift#catch_errors.
set log_name
Label used when logging. The default is catch_errors.
set log_facility
Syslog log facility. The default is LOG_LOCAL0.
set log_level
Logging level. The default is INFO.
set log_address
Logging address. The default is /dev/log.
set log_headers
Enables the ability to log request headers. The default is False.
[filter:cname_lookup]
Note: this middleware requires python-dnspython
use Entry point for paste.deploy for the cname_lookup middleware. This is the
reference to the installed python egg. This is normally egg:swift#cname_lookup.
set log_name
Label used when logging. The default is cname_lookup.
set log_facility
Syslog log facility. The default is LOG_LOCAL0.
set log_level
Logging level. The default is INFO.
set log_address
Logging address. The default is /dev/log.
set log_headers
Enables the ability to log request headers. The default is False.
storage_domain
The domain to be used by the middleware.
lookup_depth
How deep in the CNAME chain to look for something that matches the storage
domain. The default is 1.
[filter:staticweb]
Note: Put staticweb just after your auth filter(s) in the pipeline
use Entry point for paste.deploy for the staticweb middleware. This is the reference
to the installed python egg. This is normally egg:swift#staticweb.
cache_timeout
Seconds to cache container x-container-meta-web-* header values. The default is
300 seconds.
set log_name
Label used when logging. The default is staticweb.
set log_facility
Syslog log facility. The default is LOG_LOCAL0.
set log_level
Logging level. The default is INFO.
set log_address
Logging address. The default is /dev/log.
set log_headers
Enables the ability to log request headers. The default is False.
set access_log_name
Label used when logging. The default is staticweb.
set access_log_facility
Syslog log facility. The default is LOG_LOCAL0.
set access_log_level
Logging level. The default is INFO.
[filter:tempurl]
Note: Put tempurl before slo, dlo, and your auth filter(s) in the pipeline
incoming_remove_headers
The headers to remove from incoming requests. Simply a whitespace delimited list
of header names and names can optionally end with '*' to indicate a prefix
match. incoming_allow_headers is a list of exceptions to these removals.
incoming_allow_headers
The headers allowed as exceptions to incoming_remove_headers. Simply a
whitespace delimited list of header names and names can optionally end with '*'
to indicate a prefix match.
outgoing_remove_headers
The headers to remove from outgoing responses. Simply a whitespace delimited
list of header names and names can optionally end with '*' to indicate a prefix
match. outgoing_allow_headers is a list of exceptions to these removals.
outgoing_allow_headers
The headers allowed as exceptions to outgoing_remove_headers. Simply a
whitespace delimited list of header names and names can optionally end with '*'
to indicate a prefix match.
set log_level
[filter:formpost]
Note: Put formpost just before your auth filter(s) in the pipeline
use Entry point for paste.deploy for the formpost middleware. This is the reference
to the installed python egg. This is normally egg:swift#formpost.
[filter:name_check]
Note: Just needs to be placed before the proxy-server in the pipeline.
use Entry point for paste.deploy for the name_check middleware. This is the
reference to the installed python egg. This is normally egg:swift#name_check.
forbidden_chars
Characters that will not be allowed in a name.
maximum_length
Maximum number of characters that can be in the name.
forbidden_regexp
Python regular expressions of substrings that will not be allowed in a name.
[filter:proxy-logging]
Logging for the proxy server now lives in this middleware. If the access_* variables are
not set, logging directives from [DEFAULT] without "access_" will be used.
use Entry point for paste.deploy for the proxy_logging middleware. This is the
reference to the installed python egg. This is normally
egg:swift#proxy_logging.
access_log_name
Label used when logging. The default is proxy-server.
access_log_facility
Syslog log facility. The default is LOG_LOCAL0.
access_log_level
Logging level. The default is INFO.
access_log_address
Default is /dev/log.
access_log_udp_host
If set, access_log_udp_host will override access_log_address. Default is unset.
access_log_udp_port
Default is 514.
access_log_statsd_host
You can use log_statsd_* from [DEFAULT], or override them here. Default is
localhost.
access_log_statsd_port
Default is 8125.
access_log_statsd_default_sample_rate
Default is 1.
access_log_statsd_metric_prefix
Default is "" (empty-string)
access_log_headers
Default is False.
log_statsd_valid_http_methods
What HTTP methods are allowed for StatsD logging (comma-sep); request methods
not in this list will have "BAD_METHOD" for the <verb> portion of the metric.
Default is "GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS".
APP SECTION
This is indicated by section name [app:proxy-server]. Below are the parameters that are
acceptable within this section.
use Entry point for paste.deploy for the proxy server. This is the reference to the
installed python egg. This is normally egg:swift#proxy.
set log_name
Label used when logging. The default is proxy-server.
set log_facility
Syslog log facility. The default is LOG_LOCAL0.
set log_level
Logging level. The default is INFO.
set log_address
Logging address. The default is /dev/log.
log_handoffs
Log when handoff locations are used. Default is True.
recheck_account_existence
Cache timeout in seconds to send memcached for account existence. The default is 60
seconds.
recheck_container_existence
Cache timeout in seconds to send memcached for container existence. The default is
60 seconds.
object_chunk_size
Chunk size to read from object servers. The default is 8192.
client_chunk_size
Chunk size to read from clients. The default is 8192.
node_timeout
Request timeout to external services. The default is 10 seconds.
client_timeoutt
Timeout to read one chunk from a client. The default is 60 seconds.
conn_timeout
Connection timeout to external services. The default is 0.5 seconds.
error_suppression_interval
Time in seconds that must elapse since the last error for a node to be considered
no longer error limited. The default is 60 seconds.
error_suppression_limit
Error count to consider a node error limited. The default is 10.
allow_account_management
Whether account PUTs and DELETEs are even callable. If set to 'true' any authorized
user may create and delete accounts; if 'false' no one, even authorized, can. The
default is false.
object_post_as_copy
Set object_post_as_copy = false to turn on fast posts where only the metadata
changes are stored as new and the original data file is kept in place. This makes
for quicker posts; but since the container metadata isn't updated in this mode,
features like container sync won't be able to sync posts. The default is True.
account_autocreate
If set to 'true' authorized accounts that do not yet exist within the Swift cluster
will be automatically created. The default is set to false.
rate_limit_after_segment
Start rate-limiting object segments after the Nth segment of a segmented object.
The default is 10 segments.
rate_limit_segments_per_sec
Once segment rate-limiting kicks in for an object, limit segments served to N per
second. The default is 1.
DOCUMENTATION
More in depth documentation about the swift-proxy-server and also Openstack-Swift as a
whole can be found at http://swift.openstack.org/admin_guide.html and
http://swift.openstack.org
SEE ALSO
swift-proxy-server(1)