Provided by: trafficserver_9.2.0+ds-2_amd64 
NAME
records.config - the records.config file (by default, located in
/usr/local/etc/trafficserver/) is a list of configurable variables used by the Traffic
Server software. Many of the variables in records.config are set automatically when you
set configuration options with traffic_ctl config set. After you modify records.config,
run the command traffic_ctl config reload to apply the changes
Note: The configuration directory, containing the SYSCONFDIR value specified at build time
relative to the installation prefix, contains Traffic Server configuration files. The
$TS_ROOT environment variable can be used alter the installation prefix at run time. The
directory must allow read/write access for configuration reloads.
FORMAT
Each variable has the following format:
CONFIG variable_name DATATYPE variable_value
Data Type
A variable's type is defined by the DATATYPE and must be one of:
┌───────┬──────────────────────────────────┐
│Type │ Description │
├───────┼──────────────────────────────────┤
│FLOAT │ Floating point, expressed as a │
│ │ decimal number without units or │
│ │ exponents. │
├───────┼──────────────────────────────────┤
│INT │ Integers, expressed with or │
│ │ without unit prefixes (as │
│ │ described below). │
├───────┼──────────────────────────────────┤
│STRING │ String of characters up to the │
│ │ first newline. No quoting │
│ │ necessary. │
└───────┴──────────────────────────────────┘
Values
The variable_value must conform to the variable's type. For STRING, this is simply any
character data until the first newline.
For integer (INT) variables, values are expressed as any normal integer, e.g. 32768. They
can also be expressed using more human readable values using standard unit prefixes, e.g.
32K. The following prefixes are supported for all INT type configurations:
┌───────┬─────────────┬──────────────────────────┐
│Prefix │ Description │ Equivalent in Bytes │
├───────┼─────────────┼──────────────────────────┤
│K │ Kilobytes │ 1,024 bytes │
├───────┼─────────────┼──────────────────────────┤
│M │ Megabytes │ 1,048,576 bytes (10242) │
├───────┼─────────────┼──────────────────────────┤
│G │ Gigabytes │ 1,073,741,824 bytes │
│ │ │ (10243) │
├───────┼─────────────┼──────────────────────────┤
│T │ Terabytes │ 1,099,511,627,776 bytes │
│ │ │ (10244) │
└───────┴─────────────┴──────────────────────────┘
Floating point variables (FLOAT) must be expressed as a regular decimal number. Unit
prefixes are not supported, nor are alternate notations (scientific, exponent, etc.).
Additional Attributes
Deprecated
A variable marked as Deprecated is still functional but should be avoided as it may be
removed in a future release without warning.
Reloadable
A variable marked as Reloadable can be updated via the command:
traffic_ctl config reload
This updates configuration parameters without restarting Traffic Server or interrupting
the processing of requests.
Overridable
A variable marked as Overridable can be changed on a per-remap basis using plugins (like
the Configuration Remap Plugin), affecting operations within the current transaction only.
EXAMPLES
In the following example, the variable proxy.config.proxy_name is a STRING datatype with
the value my_server. This means that the name of the Traffic Server proxy is my_server.
CONFIG proxy.config.proxy_name STRING my_server
If the server name should be that_server the line would be
CONFIG proxy.config.proxy_name STRING that_server
In the following example, the variable proxy.config.arm.enabled is a yes/no flag. A value
of 0 (zero) disables the option; a value of 1 enables the option.
CONFIG proxy.config.arm.enabled INT 0
In the following example, the variable sets the time to wait for a DNS response to 10
seconds.
CONFIG proxy.config.hostdb.lookup_timeout INT 10
The last examples configures a 64GB RAM cache, using a human readable prefix.
CONFIG proxy.config.cache.ram_cache.size INT 64G
ENVIRONMENT OVERRIDES
Every records.config configuration variable can be overridden by a corresponding
environment variable. This can be useful in situations where you need a static
records.config but still want to tweak one or two settings. The override variable is
formed by converting the records.config variable name to upper case, and replacing any dot
separators with an underscore.
Overriding a variable from the environment is permanent and will not be affected by future
configuration changes made in records.config or applied with traffic_ctl.
For example, we could override the proxy.config.product_company variable like this:
$ PROXY_CONFIG_PRODUCT_COMPANY=example traffic_manager &
$ traffic_ctl config get proxy.config.product_company
CONFIGURATION VARIABLES
The following list describes the configuration variables available in the records.config
file.
System Variables
proxy.config.product_company
Scope CONFIG.TP Type STRING.TP Default Apache Software Foundation.UNINDENT The name of
the organization developing Traffic Server.
proxy.config.product_vendor
Scope CONFIG.TP Type STRING.TP Default Apache.UNINDENT The name of the vendor providing
Traffic Server.
proxy.config.product_name
Scope CONFIG.TP Type STRING.TP Default |TS|.UNINDENT The name of the product.
proxy.config.proxy_name
Scope CONFIG.TP Type STRING.TP Default build_machine.TP Reloadable Yes.UNINDENT The name
of the Traffic Server node.
proxy.config.bin_path
Scope CONFIG.TP Type STRING.TP Default bin.UNINDENT The location of the Traffic Server
bin directory.
proxy.config.proxy_binary
Scope CONFIG.TP Type STRING.TP Default traffic_server.UNINDENT The name of the executable
that runs the traffic_server process.
If you want to set Environment Variables for traffic_server process, use a wrapper
script like below.
CONFIG proxy.config.proxy_binary STRING start_traffic_server.sh
#!/bin/sh
export ASAN_OPTIONS=detect_leaks=1
/opt/ats/bin/traffic_server "$@"
proxy.config.proxy_binary_opts
Scope CONFIG.TP Type STRING.TP Default -M.UNINDENT The command-line options for starting
Traffic Server.
proxy.config.manager_binary
Scope CONFIG.TP Type STRING.TP Default traffic_manager.UNINDENT The name of the
executable that runs the traffic_manager process.
proxy.config.memory.max_usage
Scope CONFIG.TP Type INT.TP Default 0.TP Units bytes.UNINDENT Throttle incoming
connections if resident memory usage exceeds this value. Setting the option to 0
disables the feature.
proxy.config.env_prep
Scope CONFIG.TP Type STRING.TP Default *NONE*.UNINDENT The script executed before the
traffic_manager process spawns the traffic_server process.
proxy.config.syslog_facility
Scope CONFIG.TP Type STRING.TP Default LOG_DAEMON.UNINDENT The facility used to record
system log files. Refer to Understanding Traffic Server Logs for more in-depth
discussion of the contents and interpretations of log files.
proxy.config.output.logfile
Scope CONFIG.TP Type STRING.TP Default traffic.out.UNINDENT This is used for log rolling
configuration so Traffic Server knows the path of the output file that should be
rolled. This configuration takes the name of the file receiving traffic_server and
traffic_manager process output that is set via the --bind_stdout and --bind_stderr
command-line options. proxy.config.output.logfile is used only to identify the
name of the output file for log rolling purposes and does not override the values
set via --bind_stdout and --bind_stderr.
If a filename is passed to this option, then it will be interpreted relative to
proxy.config.log.logfile_dir. If a different location is desired, then pass an
absolute path to this configuration.
proxy.config.output.logfile_perm
Scope CONFIG.TP Type STRING.TP Default rw-r--r--.UNINDENT The log file permissions for
the file receiving Traffic Server output, the path of which is configured via the
--bind_stdout and --bind_stderr command-line options. The standard UNIX file
permissions are used (owner, group, other). Permissible values are:
┌──────┬─────────────────────┐
│Value │ Description │
├──────┼─────────────────────┤
│- │ No permissions. │
├──────┼─────────────────────┤
│r │ Read permission. │
├──────┼─────────────────────┤
│w │ Write permission. │
├──────┼─────────────────────┤
│x │ Execute permission. │
└──────┴─────────────────────┘
Permissions are subject to the umask settings for the Traffic Server process. This
means that a umask setting of 002 will not allow write permission for others, even
if specified in the configuration file. Permissions for existing log files are not
changed when the configuration is modified.
proxy.config.output.logfile.rolling_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies how the output
log is rolled. You can specify the following values:
┌──────┬──────────────────────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────────────────────┤
│0 │ Disables output log rolling. │
├──────┼──────────────────────────────────────────────────┤
│1 │ Enables output log rolling at │
│ │ specific intervals (specified │
│ │ with the │
│ │ proxy.config.output.logfile.rolling_interval_sec │
│ │ variable). The clock starts │
│ │ ticking on Traffic Server boot. │
├──────┼──────────────────────────────────────────────────┤
│2 │ Enables output log rolling when the output log │
│ │ reaches a specific size (specified with │
│ │ proxy.config.output.logfile.rolling_size_mb). │
├──────┼──────────────────────────────────────────────────┤
│3 │ Enables output log rolling at specific intervals │
│ │ or when the output log reaches a specific size │
│ │ (whichever occurs first). │
└──────┴──────────────────────────────────────────────────┘
proxy.config.output.logfile.rolling_interval_sec
Scope CONFIG.TP Type INT.TP Default 3600.TP Units seconds.TP Reloadable Yes.UNINDENT
Specifies how often the output log is rolled, in seconds. The timer starts on
Traffic Server startup.
proxy.config.output.logfile.rolling_size_mb
Scope CONFIG.TP Type INT.TP Default 100.TP Units megabytes.TP Reloadable Yes.UNINDENT
Specifies at what size to roll the output log at.
proxy.config.output.logfile.rolling_min_count
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies the minimum
count of rolled output logs to keep. This value will be used to decide the order of
auto-deletion (if enabled). A default value of 0 means auto-deletion will try to
keep output logs as much as possible. See Log Rotation and Retention for guidance.
Thread Variables
proxy.config.exec_thread.autoconfig
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT When enabled (the default, 1), Traffic
Server scales threads according to the available CPU cores. See the config option
below.
proxy.config.exec_thread.autoconfig.scale
Scope CONFIG.TP Type FLOAT.TP Default 1.0.UNINDENT Factor by which Traffic Server scales
the number of threads. The multiplier is usually the number of available CPU cores.
By default this is scaling factor is 1.0.
proxy.config.exec_thread.limit
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT The number of threads Traffic Server will
create if proxy.config.exec_thread.autoconfig is set to 0, otherwise this option is
ignored.
proxy.config.exec_thread.listen
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT If enabled (1) all the exec_threads listen
for incoming connections. proxy.config.accept_threads should be disabled to enable
this variable.
proxy.config.accept_threads
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT The number of accept threads. If disabled
(0), then accepts will be done in each of the worker threads.
┌───────────────┬────────────────────┬──────────────────────────┐
│accept_threads │ exec_thread.listen │ Effect │
├───────────────┼────────────────────┼──────────────────────────┤
│0 │ 0 │ All worker threads │
│ │ │ accept new connections │
│ │ │ and share listen fd. │
├───────────────┼────────────────────┼──────────────────────────┤
│1 │ 0 │ New connections are │
│ │ │ accepted on a dedicated │
│ │ │ accept thread and │
│ │ │ distributed to worker │
│ │ │ threads in round robin │
│ │ │ fashion. │
├───────────────┼────────────────────┼──────────────────────────┤
│0 │ 1 │ All worker threads │
│ │ │ listen on the same port │
│ │ │ using SO_REUSEPORT. Each │
│ │ │ thread has its own │
│ │ │ listen fd and new │
│ │ │ connections are accepted │
│ │ │ on all the threads. │
└───────────────┴────────────────────┴──────────────────────────┘
By default, proxy.config.accept_threads is set to 1 and
proxy.config.exec_thread.listen is set to 0.
proxy.config.thread.default.stacksize
Scope CONFIG.TP Type INT.TP Default 1048576.UNINDENT Default thread stack size, in bytes,
for all threads (default is 1 MB).
proxy.config.exec_thread.affinity
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Bind threads to specific processing units.
┌──────┬──────────────────────────────────┐
│Value │ Effect │
├──────┼──────────────────────────────────┤
│0 │ Assign threads to machine. │
├──────┼──────────────────────────────────┤
│1 │ Assign threads to NUMA nodes │
│ │ [default]. │
├──────┼──────────────────────────────────┤
│2 │ Assign threads to sockets. │
├──────┼──────────────────────────────────┤
│3 │ Assign threads to cores. │
├──────┼──────────────────────────────────┤
│4 │ Assign threads to processing │
│ │ units. │
└──────┴──────────────────────────────────┘
NOTE:
This option only has an affect when Traffic Server has been compiled with
--enable-hwloc.
proxy.config.system.file_max_pct
Scope CONFIG.TP Type FLOAT.TP Default 0.9.UNINDENT Set the maximum number of file handles
for the traffic_server process as a percentage of the fs.file-max proc value in
Linux. The default is 90%.
proxy.config.crash_log_helper
Scope CONFIG.TP Type STRING.TP Default traffic_crashlog.UNINDENT This option directs
traffic_server to spawn a crash log helper at startup. The value should be the path
to an executable program. If the path is not absolute, it is located relative to
configured bin directory. Any user-provided program specified here must behave in
a fashion compatible with traffic_crashlog. Specifically, it must implement the
traffic_crashlog --wait behavior.
This setting not reloadable because the helper must be spawned before
traffic_server drops privilege. If this variable is set to NULL, no helper will be
spawned.
proxy.config.restart.active_client_threshold
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This setting specifies
the number of active client connections for use by traffic_ctl server restart
--drain.
proxy.config.restart.stop_listening
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This option specifies
whether Traffic Server should close listening sockets while shutting down
gracefully.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Listening sockets will be kept │
│ │ open. │
├──────┼──────────────────────────────────┤
│1 │ Listening sockets will be closed │
│ │ when Traffic Server starts │
│ │ shutting down. │
└──────┴──────────────────────────────────┘
proxy.config.stop.shutdown_timeout
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT The shutdown timeout(in
seconds) to apply when stopping Traffic Server, in which ATS can initiate graceful
shutdowns. In order to effect graceful shutdown, the value specified should be
greater than 0. Value of 0 will not effect an abrupt shutdown. Abrupt shutdowns can
be achieved with out specifying --drain; (traffic_ctl server stop /restart).
Stopping Traffic Server here means sending traffic_server a signal either by
bin/trafficserver stop or kill.
proxy.config.thread.max_heartbeat_mseconds
Scope CONFIG.TP Type INT.TP Default 60.TP Units milliseconds.UNINDENT Set the maximum
heartbeat in milliseconds for threads, ranges from 0 to 1000.
This controls the maximum amount of time the event loop will wait for I/O activity.
On a system that is not busy, this option can be set to a higher value to decrease
the spin around overhead. If experiencing unexpected delays, setting a lower value
should improve the situation. Note that this setting should only be used by expert
system tuners, and will not be beneficial with random fiddling.
NETWORK
proxy.config.net.connections_throttle
Scope CONFIG.TP Type INT.TP Default 30000.UNINDENT The total number of client and origin
server connections that the server can handle simultaneously. This is in fact the
max number of file descriptors that the traffic_server process can have open at any
given time. Roughly 10% of these connections are reserved for origin server
connections, i.e. from the default, only ~27,000 client connections can be handled.
This should be tuned according to your memory size, and expected work load. If
this is set to 0, the throttling logic is disabled.
proxy.config.net.max_connections_in
Scope CONFIG.TP Type INT.TP Default 30000.UNINDENT The total number of client requests
that Traffic Server can handle simultaneously. This should be tuned according to
your memory size, and expected work load (network, cpu etc). This limit includes
both idle (keep alive) connections and active requests that Traffic Server can
handle at any given instant. The delta between proxy.config.net.max_connections_in
and proxy.config.net.max_requests_in is the amount of maximum idle (keepalive)
connections Traffic Server will maintain.
proxy.config.net.max_requests_in
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT The total number of concurrent requests or
active client connections that the Traffic Server can handle simultaneously. This
should be tuned according to your memory size, and expected work load (network, cpu
etc). When set to 0, active request tracking is disabled and max requests has no
separate limit and the total connections follow
proxy.config.net.connections_throttle
proxy.config.net.default_inactivity_timeout
Scope CONFIG.TP Type INT.TP Default 86400.TP Reloadable Yes.UNINDENT The connection
inactivity timeout (in seconds) to apply when Traffic Server detects that no
inactivity timeout has been applied by the HTTP state machine. When this timeout is
applied, the proxy.process.net.default_inactivity_timeout_applied metric is
incremented.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.net.inactivity_check_frequency
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT How frequent (in seconds) to check for
inactive connections. If you deal with a lot of concurrent connections, increasing
this setting can reduce pressure on the system.
proxy.local.incoming_ip_to_bind
Scope LOCAL.TP Type STRING.TP Default 0.0.0.0 [::].UNINDENT Controls the global default
IP addresses to which to bind proxy server ports. The value is a space separated
list of IP addresses, one per supported IP address family (currently IPv4 and
IPv6).
Unless explicitly specified in proxy.config.http.server_ports, the server port will
be bound to one of these addresses, selected by IP address family. The built in
default is any address. This is used if no address for a family is specified. This
setting is useful if most or all server ports should be bound to the same address.
NOTE:
This is ignored for inbound transparent server ports because they must be able to
accept connections on arbitrary IP addresses.
Example
Set the global default for IPv4 to 192.168.101.18 and leave the global default for IPv6 as
any address:
LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.18
Example
Set the global default for IPv4 to 191.68.101.18 and the global default for IPv6 to
fc07:192:168:101::17:
LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.18 [fc07:192:168:101::17]
proxy.local.outgoing_ip_to_bind
Scope LOCAL.TP Type STRING.TP Default 0.0.0.0 [::].UNINDENT This controls the global
default for the local IP address for outbound connections to origin servers. The
value is a list of space separated IP addresses, one per supported IP address
family (currently IPv4 and IPv6).
Unless explicitly specified in proxy.config.http.server_ports, one of these
addresses, selected by IP address family, will be used as the local address for
outbound connections. This setting is useful if most or all of the server ports
should use the same outbound IP addresses.
NOTE:
This is ignored for outbound transparent ports as the local outbound address will be
the same as the client local address.
Example
Set the default local outbound IP address for IPv4 connections to 192.168.101.18.:
LOCAL proxy.local.outgoing_ip_to_bind STRING 192.168.101.18
Example
Set the default local outbound IP address to 192.168.101.17 for IPv4 and
fc07:192:168:101::17 for IPv6.:
LOCAL proxy.local.outgoing_ip_to_bind STRING 192.168.101.17 [fc07:192:168:101::17]
proxy.config.net.event_period
Scope CONFIG.TP Type INT.TP Default 10.UNINDENT How often, in milli-seconds, to schedule
IO event processing. This is unlikely to be necessary to tune, and we discourage
setting it to a value smaller than 10ms (on Linux).
proxy.config.net.accept_period
Scope CONFIG.TP Type INT.TP Default 10.UNINDENT How often, in milli-seconds, to schedule
accept() processing. This is unlikely to be necessary to tune, and we discourage
setting it to a value smaller than 10ms (on Linux).
proxy.config.net.retry_delay
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT How long to wait until
we retry various events that would otherwise block the network processing threads
(e.g. locks). We discourage setting this to a value smaller than 10ms (on Linux).
proxy.config.net.throttle_delay
Scope CONFIG.TP Type INT.TP Default 50.TP Reloadable Yes.UNINDENT When we trigger a
throttling scenario, this how long our accept() are delayed.
LOCAL MANAGER
proxy.node.config.manager_log_filename
Scope CONFIG.TP Type STRING.TP Default manager.log.UNINDENT The name of the file to which
traffic_manager logs will be emitted.
If this is set to stdout or stderr, then all traffic_manager logging will go to the
stdout or stderr stream, respectively.
proxy.config.admin.user_id
Scope CONFIG.TP Type STRING.TP Default nobody.UNINDENT Designates the non-privileged
account to run the traffic_server process as, which also has the effect of setting
ownership of configuration and log files.
If the user_id is prefixed with pound character (#), the remainder of the string is
considered to be a numeric user identifier. If the value is set to #-1, Traffic
Server will not change the user during startup.
IMPORTANT:
Attempting to set this option to root or #0 is now forbidden, as a measure to increase
security. Doing so will cause a fatal failure upon startup in traffic_server. However,
there are two ways to bypass this restriction:
• Specify -DBIG_SECURITY_HOLE in CXXFLAGS during compilation.
• Set the user_id=#-1 and start trafficserver as root.
proxy.config.admin.api.restricted
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This setting specifies whether the
management API should be restricted to root processes. If this is set to 0, then on
platforms that support passing process credentials, non-root processes will be
allowed to make read-only management API calls. Any management API calls that
modify server state (eg. setting a configuration variable) will still be restricted
to root processes.
This setting is not reloadable, since it is must be applied when traffic_manager
initializes.
proxy.config.track_config_files
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) tracking
configuration file updates. This setting is enabled by default, meaning that
configuration files are monitored for changes. Having tracking enabled is a
dependency for traffic_ctl config status to function. However, tracking the files
is implemented via a frequent call to stat() which may be problematic in some
deployments. If the call to stat() on configuration files causes problems, then it
can be avoided by setting this value to 0 at the cost of disabling the config
status feature for traffic_ctl.
This setting is not reloadable, since it is must be applied when traffic_manager
initializes.
proxy.node.config.manager_exponential_sleep_ceiling
Scope CONFIG.TP Type INT.TP Default 60.UNINDENT In case of traffic_manager is unable to
start traffic_server, this setting specifies the maximum amount of seconds that the
traffic_manager process should wait until it tries again to restart traffic_server.
In case of traffic_manager failing to start traffic_server, it will retry
exponentially until it reaches the ceiling time.
proxy.node.config.manager_retry_cap
Scope CONFIG.TP Type INT.TP Default 5.UNINDENT This setting specifies the number of times
that traffic_manager will retry to restart traffic_server once the maximum ceiling
time is reached.
NOTE:
If set to 0, no cap will take place.
ALARM CONFIGURATION
proxy.config.alarm.abs_path
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT The absolute path
to the directory containing the alarm script. If this is not set, the script will
be located relative to proxy.config.bin_path.
proxy.config.alarm.script_runtime
Scope CONFIG.TP Type INT.TP Default 5.TP Reloadable Yes.UNINDENT The number of seconds
that Traffic Server allows the alarm script to run before aborting it.
HTTP ENGINE
proxy.config.http.server_ports
Scope CONFIG.TP Type STRING.TP Default 8080 8080:ipv6.UNINDENT Ports used for proxying
HTTP traffic.
This is a list, separated by space or comma, of port descriptors. Each descriptor
is a sequence of keywords and values separated by colons. Not all keywords have
values, those that do are specifically noted. Keywords with values can have an
optional = character separating the keyword and value. The case of keywords is
ignored. The order of keywords is irrelevant but unspecified results may occur if
incompatible options are used (noted below). Options without values are idempotent.
Options with values use the last (right most) value specified, except for ip-out as
detailed later.
Quick reference chart:
┌───────────┬─────────────────┬──────────────────────────┐
│Name │ Note │ Definition │
├───────────┼─────────────────┼──────────────────────────┤
│number │ Required │ The local port. │
└───────────┴─────────────────┴──────────────────────────┘
│blind │ │ Blind (CONNECT) port. │
├───────────┼─────────────────┼──────────────────────────┤
│compress │ Not Implemented │ Compressed. │
├───────────┼─────────────────┼──────────────────────────┤
│ipv4 │ Default │ Bind to IPv4 address │
│ │ │ family. │
├───────────┼─────────────────┼──────────────────────────┤
│ipv6 │ │ Bind to IPv6 address │
│ │ │ family. │
├───────────┼─────────────────┼──────────────────────────┤
│ip-in │ Value │ Local inbound IP │
│ │ │ address. │
├───────────┼─────────────────┼──────────────────────────┤
│ip-out │ Value │ Local outbound IP │
│ │ │ address. │
├───────────┼─────────────────┼──────────────────────────┤
│ip-resolve │ Value │ IP address resolution │
│ │ │ style. │
├───────────┼─────────────────┼──────────────────────────┤
│proto │ Value │ List of supported │
│ │ │ session protocols. │
├───────────┼─────────────────┼──────────────────────────┤
│pp │ │ Enable Proxy Protocol. │
├───────────┼─────────────────┼──────────────────────────┤
│ssl │ │ SSL terminated. │
├───────────┼─────────────────┼──────────────────────────┤
│quic │ │ QUIC terminated. │
├───────────┼─────────────────┼──────────────────────────┤
│tr-full │ │ Fully transparent │
│ │ │ (inbound and outbound) │
├───────────┼─────────────────┼──────────────────────────┤
│tr-in │ │ Inbound transparent. │
├───────────┼─────────────────┼──────────────────────────┤
│tr-out │ │ Outbound transparent. │
├───────────┼─────────────────┼──────────────────────────┤
│tr-pass │ │ Pass through enabled. │
├───────────┼─────────────────┼──────────────────────────┤
│mptcp │ │ Multipath TCP. │
└───────────┴─────────────────┴──────────────────────────┘
number Local IP port to bind. This is the port to which ATS clients will connect.
blind Accept only the CONNECT method on this port.
Not compatible with: tr-in, ssl and quic.
compress
Compress the connection. Retained only by inertia, should be considered "not
implemented".
ipv4 Use IPv4. This is the default and is included primarily for completeness. This
forced if the ip-in option is used with an IPv4 address.
ipv6 Use IPv6. This is forced if the ip-in option is used with an IPv6 address.
ssl Require SSL termination for inbound connections. SSL must be configured for this
option to provide a functional server port.
Not compatible with: blind and quic.
quic Require QUIC termination for inbound connections. SSL must be configured for this
option to provide a functional server port. THIS IS EXPERIMENTAL SUPPORT AND NOT
READY FOR PRODUCTION USE.
Not compatible with: blind and ssl.
proto Specify the session level protocols supported. These should be separated by
semi-colons. For TLS proxy ports the default value is all available protocols. For
non-TLS proxy ports the default is HTTP only. HTTP/3 is only available on QUIC
ports.
pp Enables Proxy Protocol on the port. If Proxy Protocol is enabled on the port, all
incoming requests must be prefaced with the PROXY header. See Proxy Protocol for
more details on how to configure this option properly.
tr-full
Fully transparent. This is a convenience option and is identical to specifying both
tr-in and tr-out.
Not compatible with: Any option not compatible with tr-in or tr-out.
tr-in Inbound transparent. The proxy port will accept connections to any IP address on
the port. To have IPv6 inbound transparent you must use this and the ipv6 option.
This overrides proxy.local.incoming_ip_to_bind for this port.
Not compatible with: ip-in, blind
tr-out Outbound transparent. If ATS connects to an origin server for a transaction on this
port, it will use the client's address as its local address. This overrides
proxy.local.outgoing_ip_to_bind for this port.
Not compatible with: ip-out, ip-resolve
tr-pass
Transparent pass through. This option is useful only for inbound transparent proxy
ports. If the parsing of the expected HTTP header fails, then the transaction is
switched to a blind tunnel instead of generating an error response to the client.
It effectively enables proxy.config.http.use_client_target_addr for the transaction
as there is no other place to obtain the origin server address.
ip-in Set the local IP address for the port. This is the address to which clients will
connect. This forces the IP address family for the port. The ipv4 or ipv6 can be
used but it is optional and is an error for it to disagree with the IP address
family of this value. An IPv6 address must be enclosed in square brackets. If this
option is omitted proxy.local.incoming_ip_to_bind is used.
Not compatible with: tr-in.
ip-out Set the local IP address for outbound connections. This is the address used by ATS
locally when it connects to an origin server for transactions on this port. If this
is omitted proxy.local.outgoing_ip_to_bind is used.
This option can used multiple times, once for each IP address family. The address
used is selected by the IP address family of the origin server address.
Not compatible with: tr-out.
ip-resolve
Set the host resolution style for transactions on this proxy port.
Not compatible with: tr-out - this option requires a value of client;none which is
forced and should not be explicitly specified.
mptcp Enable Multipath TCP on this proxy port.
Requires custom Linux kernel available at https://multipath-tcp.org.
Example
Listen on port 80 on any address for IPv4 and IPv6.:
80 80:ipv6
Example
Listen transparently on any IPv4 address on port 8080, and transparently on port 8080 on
local address fc01:10:10:1::1 (which implies ipv6).:
IPv4:tr-FULL:8080 TR-full:IP-in=[fc02:10:10:1::1]:8080
Example
Listen on port 8080 for IPv6, fully transparent. Set up an SSL port on 443. These ports
will use the IP address from proxy.local.incoming_ip_to_bind. Listen on IP address
192.168.17.1, port 80, IPv4, and connect to origin servers using the local address
10.10.10.1 for IPv4 and fc01:10:10:1::1 for IPv6.:
8080:ipv6:tr-full 443:ssl ip-in=192.168.17.1:80:ip-out=[fc01:10:10:1::1]:ip-out=10.10.10.1
Example
Listen on port 9090 for TLS enabled HTTP/2 or HTTP connections, accept no other session
protocols.:
9090:proto=http2;http:ssl
Example
Listen on port 9090 for TLS disabled HTTP/2 and enabled HTTP connections, accept no other
session protocols.:
9090:proto=http:ssl
Example
Listen on port 4433 for QUIC connections.:
4433:quic
proxy.config.http.connect_ports
Scope CONFIG.TP Type STRING.TP Default 443.UNINDENT The range of origin server ports that
can be used for tunneling via CONNECT.
Traffic Server allows tunnels only to the specified ports. Supports both wildcards
(*) and ranges (e.g. 0-1023).
NOTE:
These are the ports on the origin server, not Traffic Server proxy ports.
proxy.config.http.forward_connect_method
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
default, Traffic Server behavior for handling a CONNECT method request is to
establish a tunnel to the requested destination. This configuration alters the
behavior so that Traffic Server forwards the CONNECT method to the next hop, and
establishes the tunnel after receiving a positive response. This behavior is useful
in a proxy hierarchy, and is equivalent to setting
proxy.local.http.parent_proxy.disable_connect_tunneling to 0 when parent proxying
is enabled.
proxy.config.http.insert_request_via_str
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set
how the Via field is handled on a request to the origin server.
┌──────┬──────────────────────────────────┐
│Value │ Effect │
├──────┼──────────────────────────────────┤
│0 │ Do not modify or set this Via │
│ │ header. │
├──────┼──────────────────────────────────┤
│1 │ Add the basic protocol and proxy │
│ │ identifier. │
├──────┼──────────────────────────────────┤
│2 │ Add basic transaction codes. │
├──────┼──────────────────────────────────┤
│3 │ Add detailed transaction codes. │
├──────┼──────────────────────────────────┤
│4 │ Add full user agent connection │
│ │ protocol tags. │
└──────┴──────────────────────────────────┘
NOTE:
The Via transaction codes can be decoded with the Via Decoder Ring.
proxy.config.http.request_via_str
Scope CONFIG.TP Type STRING.TP Default ApacheTrafficServer/${PACKAGE_VERSION}.TP
Reloadable Yes.TP Overridable Yes.UNINDENT Set the server and version string in the
Via request header to the origin server which is inserted when the value of
proxy.config.http.insert_request_via_str is not 0. Note that the actual default
value is defined with "ApacheTrafficServer/" PACKAGE_VERSION in a C++ source code,
and you must write such as ApacheTrafficServer/6.0.0 if you really set a value with
the version in records.config file. If you want to hide the version, you can set
this value to ApacheTrafficServer.
proxy.config.http.insert_response_via_str
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set
how the Via field is handled on the response to the client.
┌──────┬──────────────────────────────────┐
│Value │ Effect │
├──────┼──────────────────────────────────┤
│0 │ Do not modify or set this Via │
│ │ header. │
├──────┼──────────────────────────────────┤
│1 │ Add the basic protocol and proxy │
│ │ identifier. │
├──────┼──────────────────────────────────┤
│2 │ Add basic transaction codes. │
├──────┼──────────────────────────────────┤
│3 │ Add detailed transaction codes. │
├──────┼──────────────────────────────────┤
│4 │ Add full upstream connection │
│ │ protocol tags. │
└──────┴──────────────────────────────────┘
NOTE:
The Via transaction code can be decoded with the Via Decoder Ring.
proxy.config.http.response_via_str
Scope CONFIG.TP Type STRING.TP Default ApacheTrafficServer/${PACKAGE_VERSION}.TP
Reloadable Yes.TP Overridable Yes.UNINDENT Set the server and version string in the
Via response header to the client which is inserted when the value of
proxy.config.http.insert_response_via_str is not 0. Note that the actual default
value is defined with "ApacheTrafficServer/" PACKAGE_VERSION in a C++ source code,
and you must write such as ApacheTrafficServer/6.0.0 if you really set a value with
the version in records.config file. If you want to hide the version, you can set
this value to ApacheTrafficServer.
proxy.config.http.send_100_continue_response
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT You can specify one of
the following:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Traffic Server will buffer the │
│ │ request until the post body has │
│ │ been received and then send the │
│ │ request to the origin server. │
├──────┼──────────────────────────────────┤
│1 │ Immediately return a 100 │
│ │ Continue from Traffic Server │
│ │ without waiting for the post │
│ │ body. │
└──────┴──────────────────────────────────┘
proxy.config.http.response_server_enabled
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT You
can specify one of the following:
┌──────┬────────────────────────────────────────┐
│Value │ Description │
├──────┼────────────────────────────────────────┤
│0 │ No Server header is added to the │
│ │ response. │
├──────┼────────────────────────────────────────┤
│1 │ The Server header is added │
│ │ according to │
│ │ proxy.config.http.response_server_str. │
├──────┼────────────────────────────────────────┤
│2 │ The Server header is added only if the │
│ │ response from origin does not have one │
│ │ already. │
└──────┴────────────────────────────────────────┘
proxy.config.http.response_server_str
Scope CONFIG.TP Type STRING.TP Default ATS/${PACKAGE_VERSION}.TP Reloadable Yes.TP
Overridable Yes.UNINDENT The Server string that Traffic Server will insert in a
response header (if requested, see above). Note that the actual default value is
defined with "ATS/" PACKAGE_VERSION in the C++ source, and you must write such as
ATS/6.0.0 if you really set a value with the version in records.config. If you want
to hide the version, you can set this value to ATS.
proxy.config.http.insert_age_in_response
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT This
option specifies whether Traffic Server should insert an Age header in the
response. The value is the cache's estimate of the amount of time since the
response was generated or revalidated by the origin server.
┌──────┬─────────────────────────┐
│Value │ Description │
├──────┼─────────────────────────┤
│0 │ No Age header is added. │
├──────┼─────────────────────────┤
│1 │ Age header is added. │
└──────┴─────────────────────────┘
proxy.config.http.chunking_enabled
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies whether Traffic Server can generate a chunked response:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Never respond with chunked │
│ │ encoding. │
├──────┼──────────────────────────────────┤
│1 │ Always respond with chunked │
│ │ encoding. │
├──────┼──────────────────────────────────┤
│2 │ Generate a chunked response if │
│ │ the origin server has previously │
│ │ returned HTTP/1.1. │
├──────┼──────────────────────────────────┤
│3 │ Generate a chunked response if │
│ │ the client request is HTTP/1.1 │
│ │ and the origin server has │
│ │ previously returned HTTP/1.1. │
└──────┴──────────────────────────────────┘
proxy.config.http.chunking.size
Scope CONFIG.TP Type INT.TP Default 4096.TP Overridable Yes.UNINDENT If chunked transfer
encoding is enabled with proxy.config.http.chunking_enabled, and the conditions
specified by that option's setting are met by the current request, this option
determines the size of the chunks, in bytes, to use when sending content to an
HTTP/1.1 client.
proxy.config.http.send_http11_requests
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies when and how Traffic Server uses HTTP/1.1 to communicate with the origin
server.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Never use HTTP/1.1. │
├──────┼──────────────────────────────────┤
│1 │ Always use HTTP/1.1. │
├──────┼──────────────────────────────────┤
│2 │ Use HTTP/1.1 with origin │
│ │ connections only if the server │
│ │ has previously returned │
│ │ HTTP/1.1. │
├──────┼──────────────────────────────────┤
│3 │ If the client request is │
│ │ HTTP/1.1 and the origin server │
│ │ has previously returned │
│ │ HTTP/1.1, then use HTTP/1.1 for │
│ │ origin server connections. │
└──────┴──────────────────────────────────┘
NOTE:
If proxy.config.http.use_client_target_addr is set to 1, then options 2 and 3 for this
configuration variable cause the proxy to use the client HTTP version for upstream
requests.
proxy.config.http.auth_server_session_private
Scope CONFIG.TP Type INT.TP Default 1.TP Overridable Yes.UNINDENT If enabled (1) anytime
a request contains a Authorization, Proxy-Authorization, or Www-Authenticate header
the connection will be closed and not reused. This marks the connection as private.
When disabled (0) the connection will be available for reuse.
proxy.config.http.server_session_sharing.match
Scope CONFIG.TP Type STRING.TP Default both.TP Overridable Yes.UNINDENT Enable and set
the ability to re-use server connections across client connections. Multiple values
can be specified when separated by commas with no white spaces. Valid values are:
┌─────────┬──────────────────────────────────┐
│Value │ Description │
├─────────┼──────────────────────────────────┤
│none │ Do not match and do not re-use │
│ │ server sessions. │
├─────────┼──────────────────────────────────┤
│ip │ Re-use server sessions, checking │
│ │ only that the IP address and │
│ │ port of the origin server │
│ │ matches. │
├─────────┼──────────────────────────────────┤
│host │ Re-use server sessions, checking │
│ │ that the fully qualified domain │
│ │ name matches. In addition, if │
│ │ the session uses TLS, it also │
│ │ checks that the current │
│ │ transaction's host header value │
│ │ matches the session's SNI. │
├─────────┼──────────────────────────────────┤
│both │ Equivalent to host,ip. │
├─────────┼──────────────────────────────────┤
│hostonly │ Check that the fully qualified │
│ │ domain name matches. │
├─────────┼──────────────────────────────────┤
│sni │ Check that the SNI of the │
│ │ session matches the SNI that │
│ │ would be used to create a new │
│ │ session. Only applicable for │
│ │ TLS sessions. │
├─────────┼──────────────────────────────────┤
│cert │ Check that the certificate file │
│ │ name used for the server session │
│ │ matches the certificate file │
│ │ name that would be used for the │
│ │ new server session. Only │
│ │ applicable for TLS sessions. │
└─────────┴──────────────────────────────────┘
The setting must contain at least one of ip, host, hostonly or both for session
reuse to operate. The other values may be used for greater control with TLS
session reuse.
NOTE:
Server sessions to different upstream ports never match even if the FQDN and IP address
match.
NOTE:
Upstream session tracking uses a similar set of options for matching sessions, but is
set independently from session sharing.
proxy.config.http.server_session_sharing.pool
Scope CONFIG.TP Type STRING.TP Default thread.UNINDENT Control the scope of server
session re-use if it is enabled by proxy.config.http.server_session_sharing.match.
Valid values are:
┌───────┬──────────────────────────────────┐
│Value │ Description │
├───────┼──────────────────────────────────┤
│global │ Re-use sessions from a global │
│ │ pool of all server sessions. │
├───────┼──────────────────────────────────┤
│thread │ Re-use sessions from a │
│ │ per-thread pool. │
├───────┼──────────────────────────────────┤
│hybrid │ Try to work as a global pool, │
│ │ but release server sessions to │
│ │ the per-thread pool if there is │
│ │ lock contention on the global │
│ │ pool. │
└───────┴──────────────────────────────────┘
Setting proxy.config.http.server_session_sharing.pool to global can reduce the
number of connections to origin for some traffic loads. However, if many execute
threads are active, the thread contention on the global pool can reduce the
lifetime of connections to origin and reduce effective origin connection reuse.
For a hybrid pool, the operation starts as the global pool, but sessons are
returned to the local thread pool if the global pool lock is not acquired rather
than just closing the origin connection as is the case in standard global mode.
proxy.config.http.attach_server_session_to_client
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Control the re-use of
an server session by a user agent (client) session. Currently only applies to user
agents using HTTP/1.0 or HTTP/1.1. For other HTTP versions, the origin connection
is always returned to the session sharing pool or closed.
If a user agent performs more than one HTTP transaction on its connection to
Traffic Server a server session must be obtained for the second (and subsequent)
transaction as for the first. This settings affects how that server session is
selected.
If this setting is 0 then after the first transaction the server session for that
transaction is released to the server pool (if any). When a server session is
needed for subsequent transactions one is selected from the server pool or created
if there is no suitable server session in the pool.
If this setting is not 0 then the current server session for the user agent session
is "sticky". It will be preferred to any other server session (either from the pool
or newly created). The server session will be detached from the user agent session
only if it cannot be used for the transaction. This is determined by the
proxy.config.http.server_session_sharing.match value. If the server session matches
the next transaction according to this setting then it will be used, otherwise it
will be released to the pool and a different session selected or created.
proxy.config.http.max_proxy_cycles
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Control the proxy cycle
detection function in the following manner --
If this setting is 0, then next hop is self IP address and port detection is
active.
In addition, the proxy cycle detection using the Via string will declare a cycle if
the current cache appears one or more times in the Via string, i.e, > 0.
If this setting is 1 or more (N), then next hop is self IP address and port
detection is inactive.
In addition, the proxy cycle detection using the Via string will declare a cycle if
the current cache appears more than N times in the Via string, i.e., > N.
Examples:
If the setting is 0, then the second time a request enters a cache it will have its
own machine identifier in the Via string once, so a cycle will be detected. So no
cycles are allowed.
If the setting is 1, then the third time a request enters a cache it will have its
own machine identifier in the Via string twice, so a cycle will be detected. So one
cycle is allowed. The first cycle with two visits to the cache and one instance in
the Via string is allowed. The second cycle with three visits to the cache and two
instances in the Via string is not allowed.
This setting allows an edge cache peering arrangement where an edge cache may
forward a request to a peer edge cache (possibly itself) a limited of times
(usually once). Infinite loops are still detected when the cycle allowance is
exceeded.
proxy.config.http.use_client_target_addr
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT For fully transparent ports use the same
origin server address as the client.
This option causes Traffic Server to avoid where possible doing DNS lookups in
forward transparent proxy mode. The option is only effective if the following three
conditions are true:
• Traffic Server is in forward proxy mode.
• The proxy port is inbound transparent.
• The target URL has not been modified by either remapping or a plugin.
If any of these conditions are not true, then normal DNS processing is done for the
connection.
There are three valid values.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Disables the feature. │
├──────┼──────────────────────────────────┤
│1 │ Enables the feature with address │
│ │ verification. The proxy does the │
│ │ regular DNS processing. If the │
│ │ client-specified origin address │
│ │ is not in the set of addresses │
│ │ found by the proxy, the request │
│ │ continues to the client │
│ │ specified address, but the │
│ │ result is not cached. │
├──────┼──────────────────────────────────┤
│2 │ Enables the feature with no │
│ │ address verification. No DNS │
│ │ processing is performed. The │
│ │ result is cached (if allowed │
│ │ otherwise). This option is │
│ │ vulnerable to cache poisoning if │
│ │ an incorrect Host header is │
│ │ specified, so this option should │
│ │ be used with extreme caution if │
│ │ HTTP caching is enabled. See │
│ │ bug TS-2954 for details. │
└──────┴──────────────────────────────────┘
If all of these conditions are met, then the origin server IP address is retrieved from
the original client connection, rather than through HostDB or DNS lookup. In effect,
client DNS resolution is used instead of Traffic Server DNS.
This can be used to be a little more efficient (looking up the target once by the client
rather than by both the client and Traffic Server) but the primary use is when client DNS
resolution can differ from that of Traffic Server. Two known uses cases are:
1. Embedded IP addresses in a protocol with DNS load sharing. In this case, even though
Traffic Server and the client both make the same request to the same DNS resolver
chain, they may get different origin server addresses. If the address is embedded in
the protocol then the overall exchange will fail. One current example is Microsoft
Windows update, which presumably embeds the address as a security measure.
2. The client has access to local DNS zone information which is not available to Traffic
Server. There are corporate nets with local DNS information for internal servers which,
by design, is not propagated outside the core corporate network. Depending a network
topology it can be the case that Traffic Server can access the servers by IP address
but cannot resolve such addresses by name. In such as case the client supplied target
address must be used.
This solution must be considered interim. In the longer term, it should be possible to
arrange for much finer grained control of DNS lookup so that wildcard domain can be set to
use Traffic Server or client resolution. In both known use cases, marking specific domains
as client determined (rather than a single global switch) would suffice. It is possible to
do this crudely with this flag by enabling it and then use identity URL mappings to
re-disable it for specific domains.
proxy.config.http.keep_alive_enabled_in
Scope CONFIG.TP Type INT.TP Default 1.TP Overridable Yes.UNINDENT Enables (1) or disables
(0) incoming keep-alive connections.
proxy.config.http.keep_alive_enabled_out
Scope CONFIG.TP Type INT.TP Default 1.TP Overridable Yes.UNINDENT Enables (1) or disables
(0) outgoing keep-alive connections.
NOTE:
Enabling keep-alive does not automatically enable purging of keep-alive requests when
nearing the connection limit, that is controlled by
proxy.config.http.server_max_connections.
proxy.config.http.keep_alive_post_out
Scope CONFIG.TP Type INT.TP Default 1.TP Overridable Yes.UNINDENT Controls whether new
POST requests re-use keep-alive sessions (1) or create new connections per request
(0).
proxy.config.http.disallow_post_100_continue
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Allows you to return a 405 Method Not
Supported with Posts also containing an Expect: 100-continue.
When a Post w/ Expect: 100-continue is blocked the stat
proxy.process.http.disallowed_post_100_continue will be incremented.
proxy.config.http.default_buffer_size
Scope CONFIG.TP Type INT.TP Default 8.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Configures the default buffer size, in bytes, to allocate for incoming request
bodies which lack a Content-length header.
proxy.config.http.default_buffer_water_mark
Scope CONFIG.TP Type INT.TP Default 32768.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Number of bytes Traffic Server is allowed to read ahead of the client from the
origin. Note that when Read While Write settings are in place, this setting will
apply to the first client to request the object, regardless if subsequent,
simultaneous clients of that object can read faster. The buffered bytes will
consume memory while waiting for the client to consume them.
While this setting is reloadable, dramatic changes can cause bigger memory usage
than expected and is thus not recommended.
proxy.config.http.request_buffer_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT This enables buffering
the content for incoming POST requests. If enabled no outbound connection is made
until the entire POST request has been buffered. If enabled,
proxy.config.http.post_copy_size needs to be set to the maximum of the post body
size allowed, otherwise, the post would fail.
proxy.config.http.request_line_max_size
Scope CONFIG.TP Type INT.TP Default 65535.TP Reloadable Yes.UNINDENT Controls the maximum
size, in bytes, of an HTTP Request Line in requests. Requests with a request line
exceeding this size will be treated as invalid and rejected by the proxy. Note that
the HTTP request line typically includes HTTP method, request target and HTTP
version string except when the request is made using absolute URI in which case the
request line may also include the request scheme and domain name.
proxy.config.http.header_field_max_size
Scope CONFIG.TP Type INT.TP Default 131070.TP Reloadable Yes.UNINDENT Controls the
maximum size, in bytes, of an HTTP header field in requests. Headers in a request
with the sum of their name and value that exceed this size will cause the entire
request to be treated as invalid and rejected by the proxy.
proxy.config.http.request_header_max_size
Scope CONFIG.TP Type INT.TP Default 131072.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Controls the maximum size, in bytes, of an HTTP header in requests. Headers in a
request which exceed this size will cause the entire request to be treated as
invalid and rejected by the proxy.
proxy.config.http.response_header_max_size
Scope CONFIG.TP Type INT.TP Default 131072.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Controls the maximum size, in bytes, of headers in HTTP responses from the proxy.
Any responses with a header exceeding this limit will be treated as invalid and a
client error will be returned instead.
proxy.config.http.global_user_agent_header
Scope CONFIG.TP Type STRING.TP Default null.TP Overridable Yes.UNINDENT An arbitrary
string value that, if set, will be used to replace any request User-Agent header.
proxy.config.http.strict_uri_parsing
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT Takes a value between 0 and 2. 0 disables
strict_uri_parsing. Any character can appears in the URI. 1 causes Traffic Server
to return 400 Bad Request if client's request URI includes character which is not
RFC 3986 compliant. 2 directs Traffic Server to reject the clients request if it
contains whitespace or non-printable characters.
proxy.config.http.errors.log_error_pages
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Enables (1) or disables
(0) the logging of responses to bad requests to the error logging destination.
Disabling this option prevents error responses (such as 403s) from appearing in the
error logs. Any HTTP response status codes equal to, or higher, than the minimum
code defined by TS_HTTP_STATUS_BAD_REQUEST are affected by this setting.
PARENT PROXY CONFIGURATION
proxy.config.http.parent_proxy.retry_time
Scope CONFIG.TP Type INT.TP Default 300.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
amount of time allowed between connection retries to a parent cache that is
unavailable.
proxy.config.http.parent_proxy.max_trans_retries
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT Limits the number of simultaneous
transactions that may retry a parent once the parents retry_time has expired.
proxy.config.http.parent_proxy.fail_threshold
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
number of times the connection to the parent cache can fail before Traffic Server
considers the parent unavailable.
proxy.config.http.parent_proxy.total_connect_attempts
Scope CONFIG.TP Type INT.TP Default 4.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
total number of connection attempts for a specific transaction allowed to a parent
cache before Traffic Server bypasses the parent or fails the request (depending on
the go_direct option in the parent.config file). The number of parents tried is
proxy.config.http.parent_proxy.fail_threshold /
proxy.config.http.parent_proxy.total_connect_attempts
proxy.config.http.parent_proxy.per_parent_connect_attempts
Scope CONFIG.TP Type INT.TP Default 2.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
total number of connection attempts allowed per parent for a specific transaction,
if multiple parents are used.
proxy.config.http.parent_proxy.connect_attempts_timeout
Scope CONFIG.TP Type INT.TP Default 30.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
timeout value (in seconds) for parent cache connection attempts.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.parent_proxy.mark_down_hostdb
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Enables (1) or disables (0) marking parent proxies down in hostdb when a connection
error is detected. Normally parent selection manages parent proxies and will mark
them as unavailable as needed. But when parents are defined in dns with multiple
ip addresses, it may be useful to mark the failing ip down in hostdb. In this case
you would enable these updates.
proxy.config.http.forward.proxy_auth_to_parent
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Configures Traffic Server to send proxy authentication headers on to the parent
cache.
proxy.config.http.no_dns_just_forward_to_parent
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Don't try to resolve
DNS, forward all DNS requests to the parent. This is off (0) by default.
proxy.local.http.parent_proxy.disable_connect_tunneling
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT
proxy.config.http.parent_proxy.self_detect
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT For each host that has been specified in a
parent or secondary_parent list in the parent.config file, determine if the host is
the same as the current host. Obvious examples include localhost and 127.0.0.1. If
a match is found, take an action depending upon the value below.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Disables the feature by not │
│ │ checking for matches. │
├──────┼──────────────────────────────────┤
│1 │ Remove the matching host from │
│ │ the list. │
├──────┼──────────────────────────────────┤
│2 │ Mark the host down. This is the │
│ │ default. │
└──────┴──────────────────────────────────┘
proxy.config.http.parent_proxy.enable_parent_timeout_markdowns
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Enables (1) or disables (0) parent proxy mark downs due to inactivity timeouts. By
default parent proxies are not marked down due to inactivity timeouts, the
transaction will retry using another parent instead. The default for this
configuration keeps this behavior and is disabled (0). This setting is overridable
using one of the two plugins header_rewrite or conf_remap to enable inactivity
timeout markdowns and should be done so rather than enabling this globally. This
setting should not be used in conjunction with
proxy.config.http.parent_proxy.disable_parent_markdowns
proxy.config.http.parent_proxy.disable_parent_markdowns
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Enables (1) or disables (0) parent proxy markdowns. This is useful if parent
entries in a parent.config line are VIP's and one doesn't wish to mark down a VIP
which may have several origin or parent proxies behind the load balancer. This
setting is overridable using one of the header_rewrite or the conf_remap plugins to
override the default setting and this method should be used rather than disabling
markdowns globally. This setting should not be used in conjunction with
proxy.config.http.parent_proxy.enable_parent_timeout_markdowns
HTTP CONNECTION TIMEOUTS
proxy.config.http.keep_alive_no_activity_timeout_in
Scope CONFIG.TP Type INT.TP Default 120.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies how long Traffic Server keeps connections to clients open for a
subsequent request after a transaction ends. A value of 0 will set
proxy.config.net.default_inactivity_timeout as the timeout.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.keep_alive_no_activity_timeout_out
Scope CONFIG.TP Type INT.TP Default 120.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies how long Traffic Server keeps connections to origin servers open for a
subsequent transfer of data after a transaction ends. A value of 0 will set
proxy.config.net.default_inactivity_timeout as the timeout.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.transaction_no_activity_timeout_in
Scope CONFIG.TP Type INT.TP Default 30.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies how long Traffic Server keeps connections to clients open if a
transaction stalls.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.transaction_no_activity_timeout_out
Scope CONFIG.TP Type INT.TP Default 30.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies how long Traffic Server keeps connections to origin servers open if the
transaction stalls.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.websocket.no_activity_timeout
Scope CONFIG.TP Type INT.TP Default 600.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies how long Traffic Server keeps connections open if a websocket stalls.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.websocket.active_timeout
Scope CONFIG.TP Type INT.TP Default 3600.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The maximum amount of time Traffic Server keeps websocket connections open.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.transaction_active_timeout_in
Scope CONFIG.TP Type INT.TP Default 900.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
maximum amount of time Traffic Server can remain connected to a client. If the
transfer to the client is not complete before this timeout expires, then Traffic
Server closes the connection.
The value of 0 specifies that there is no timeout.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.transaction_active_timeout_out
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
maximum amount of time Traffic Server waits for fulfillment of a connection request
to an origin server. If Traffic Server does not complete the transfer to the origin
server before this timeout expires, then Traffic Server terminates the connection
request.
The default value of 0 specifies that there is no timeout.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.accept_no_activity_timeout
Scope CONFIG.TP Type INT.TP Default 120.TP Reloadable Yes.UNINDENT The timeout interval
in seconds before Traffic Server closes a connection that has no activity.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.background_fill_active_timeout
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies how long Traffic Server continues a background fill before giving up and
dropping the origin server connection.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.background_fill_completed_threshold
Scope CONFIG.TP Type FLOAT.TP Default 0.0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The proportion of total document size already transferred when a client aborts at
which the proxy continues fetching the document from the origin server to get it
into the cache (a background fill).
HTTP REDIRECTION
proxy.config.http.number_of_redirections
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT This
setting determines the maximum number of times Trafficserver does a redirect follow
location on receiving a 3XX Redirect response for a given client request.
NOTE:
When proxy.config.http.number_of_redirections is set to a positive value and Traffic
Server has previously cached a 3XX Redirect response, the cached response will continue
to be refreshed and returned until the response is no longer in the cache.
NOTE:
In previous versions proxy.config.http.redirection_enabled had to be set to 1 before
this setting was evaluated. Now setting proxy.config.http.number_of_redirections to a
value greater than zero is sufficient to cause Traffic Server to follow redirects.
proxy.config.http.redirect_host_no_port
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT This setting enables
Trafficserver to not include the port in the Host header in the redirect follow
request for default/standard ports (e.g. 80 for HTTP and 443 for HTTPS). Note that
the port is still included in the Host header if it's non-default.
proxy.config.http.redirect_use_orig_cache_key
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT This
setting enables Trafficserver to allow using original request cache key (for
example, set using a TS API) during a 3xx redirect follow. The default behavior
(0) is to use the URL specified by Location header in the 3xx response as the cache
key.
proxy.config.http.post_copy_size
Scope CONFIG.TP Type INT.TP Default 2048.TP Reloadable Yes.UNINDENT This setting
determines the maximum size in bytes of uploaded content to be buffered for HTTP
methods such as POST and PUT.
proxy.config.http.redirect.actions
Scope CONFIG.TP Type STRING.TP Default routable:follow.TP Reloadable Yes.UNINDENT This
setting determines how redirects should be handled. The setting consists of a
comma-separated list of key-value pairs, where the keys are named IP address ranges
and the values are actions.
The following are valid keys:
┌──────────┬──────────────────────────────────┐
│Key │ Description │
├──────────┼──────────────────────────────────┤
│self │ Addresses of the host's │
│ │ interfaces │
├──────────┼──────────────────────────────────┤
│loopback │ IPv4 127.0.0.0/8 and IPv6 ::1 │
├──────────┼──────────────────────────────────┤
│private │ IPv4 10.0.0.0/8 100.64.0.0/10 │
│ │ 172.16.0.0/12 192.168.0.0/16 and │
│ │ IPv6 fc00::/7 │
├──────────┼──────────────────────────────────┤
│multicast │ IPv4 224.0.0.0/4 and IPv6 │
│ │ ff00::/8 │
└──────────┴──────────────────────────────────┘
│linklocal │ IPv4 169.254.0.0/16 and IPv6 │
│ │ fe80::/10 │
├──────────┼──────────────────────────────────┤
│routable │ All publicly routable addresses │
├──────────┼──────────────────────────────────┤
│default │ All address ranges not │
│ │ configured specifically │
└──────────┴──────────────────────────────────┘
The following are valid values:
┌───────┬───────────────────────────────────────────┐
│Value │ Description │
├───────┼───────────────────────────────────────────┤
│return │ Do not process the redirect, │
│ │ send it as the proxy response. │
├───────┼───────────────────────────────────────────┤
│reject │ Do not process the redirect, │
│ │ send a 403 as the proxy │
│ │ response. │
├───────┼───────────────────────────────────────────┤
│follow │ Internally follow the redirect │
│ │ up to │
│ │ proxy.config.http.number_of_redirections. │
│ │ Use this setting with caution! │
└───────┴───────────────────────────────────────────┘
WARNING:
Following a redirect to other than routable addresses can be dangerous, as it allows
the controller of an origin to arrange a probe the Traffic Server host. Enabling these
redirects makes Traffic Server open to third party attacks and probing and therefore
should be considered only in known safe environments.
For example, a setting of loopback:reject,private:reject,routable:follow,default:return
would send 403 as the proxy response to loopback and private addresses, routable addresses
would be followed up to proxy.config.http.number_of_redirections, and redirects to all
other ranges will be sent as the proxy response.
The action for self has the highest priority when an address would match multiple keys,
and the action for default has the lowest priority. Other keys represent disjoint sets of
addresses that will not conflict. If duplicate keys are present in the setting, the
right-most key-value pair is used.
The default value is routable:follow, which means "follow routable redirects, return all
other redirects". Note that proxy.config.http.number_of_redirections must be positive
also, otherwise redirects will be returned rather than followed.
ORIGIN SERVER CONNECT ATTEMPTS
proxy.config.http.connect_attempts_max_retries
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
maximum number of connection retries Traffic Server can make when the origin server
is not responding. Each retry attempt lasts for
proxy.config.http.connect_attempts_timeout seconds. Once the maximum number of
retries is reached, the origin is marked dead (as controlled by
proxy.config.http.connect.dead.policy. After this, the setting
proxy.config.http.connect_attempts_max_retries_dead_server is used to limit the
number of retry attempts to the known dead origin.
proxy.config.http.connect_attempts_max_retries_dead_server
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Maximum number of connection attempts Traffic Server can make while an origin is
marked dead per request. Typically this value is smaller than
proxy.config.http.connect_attempts_max_retries so an error is returned to the
client faster and also to reduce the load on the dead origin. The timeout interval
proxy.config.http.connect_attempts_timeout in seconds is used with this setting.
proxy.config.http.connect.dead.policy
Scope CONFIG.TP Type INT.TP Default 2.TP Overridable Yes.UNINDENT Controls what origin
server connection failures contribute to marking a server dead. When set to 2, any
connection failure during the TCP and TLS handshakes will contribute to marking the
server dead. When set to 1, only TCP handshake failures will contribute to marking
a server dead. When set to 0, no connection failures will be used towards marking
a server dead.
proxy.config.http.server_max_connections
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Limits the number of
socket connections across all origin servers to the value specified. To disable,
set to zero (0).
This value is used in determining when and if to prune active origin sessions.
Without this value set, connections to origins can consume all the way up to
proxy.config.net.connections_throttle connections, which in turn can starve
incoming requests from available connections.
proxy.config.http.per_server.connection.max
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set a
limit for the number of concurrent connections to an upstream server group. A value
of 0 disables checking. If a transaction attempts to connect to a group which
already has the maximum number of concurrent connections the transaction either
rechecks after a delay or a 503 (HTTP_STATUS_SERVICE_UNAVAILABLE) error response is
sent to the user agent. To configure
Number of transactions that can be delayed concurrently
See proxy.config.http.per_server.connection.queue_size.
How long to delay before rechecking
See proxy.config.http.per_server.connection.queue_delay.
Upstream server group definition
See proxy.config.http.per_server.connection.match.
Frequency of alerts
See proxy.config.http.per_server.connection.alert_delay.
proxy.config.http.per_server.connection.match
Scope CONFIG.TP Type STRING.TP Default both.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Control the definition of an upstream server group for
proxy.config.http.per_server.connection.max. This must be one of the following
keywords.
ip Group by IP address. Each IP address is a group.
port Group by IP address and port. Each distinct IP address and port pair is a group.
host Group by host name. The host name is the post remap FQDN used to resolve the
upstream address.
both Group by IP address, port, and host name. Each distinct combination is a group.
To disable upstream server grouping, set proxy.config.http.per_server.connection.max to 0.
NOTE:
This setting is independent of the setting for upstream session sharing matching.
proxy.config.http.per_server.connection.queue_size
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Controls the number of
transactions that can be waiting on an upstream server group.
-1 Unlimited.
0 Never wait. If the connection maximum has been reached immediately respond with an
error.
A positive number
If there are less than this many waiting transactions, delay this transaction and
try again. Otherwise respond immediately with an error.
proxy.config.http.per_server.connection.queue_delay
Scope CONFIG.TP Type INT.TP Default 100.TP Units milliseconds.TP Reloadable Yes.UNINDENT
If a transaction is delayed due to too many connections in an upstream server
group, delay this amount of time before checking again.
proxy.config.http.per_server.connection.alert_delay
Scope CONFIG.TP Type INT.TP Default 60.TP Units seconds.TP Reloadable Yes.UNINDENT
Throttle alerts per upstream server group to be no more often than this many
seconds. Summary data is provided per alert to allow log scrubbing to generate
accurate data.
proxy.config.http.per_server.connection.min
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set a
target for the minimum number of active connections to an upstream server group.
When an outbound connection is in keep alive state and the inactivity timer
expires, if there are fewer than this many connections in the group a new
connection the timer is reset instead of closing the connection. Useful when the
origin supports keep-alive, removing the time needed to set up a new connection
from the next request at the expense of added (inactive) connections.
proxy.config.http.connect_attempts_rr_retries
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
maximum number of failed connection attempts allowed before a round-robin entry is
marked as 'down' if a server has round-robin DNS entries.
proxy.config.http.connect_attempts_timeout
Scope CONFIG.TP Type INT.TP Default 30.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
timeout value (in seconds) for time to set up a connection to the origin. After the
connection is established the value of
proxy.config.http.transaction_no_activity_timeout_out is used to established
timeouts on the data over the connection.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.post_connect_attempts_timeout
Scope CONFIG.TP Type INT.TP Default 1800.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The timeout value (in seconds) for an origin server connection when the client
request is a POST or PUT request.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.post.check.content_length.enabled
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) checking the
Content-Length: Header for a POST request.
proxy.config.http.down_server.cache_time
Scope CONFIG.TP Type INT.TP Default 60.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies how long (in seconds) Traffic Server remembers that an origin server was
unreachable.
proxy.config.http.uncacheable_requests_bypass_parent
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server bypasses the parent proxy for a request that is not
cacheable.
CONGESTION CONTROL
proxy.config.http.flow_control.enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Transaction buffering /
flow control is enabled if this is set to a non-zero value. Otherwise no flow
control is done.
proxy.config.http.flow_control.high_water
Scope CONFIG.TP Type INT.TP Default 0.TP Units bytes.TP Overridable Yes.UNINDENT The high
water mark for transaction buffer control. External source I/O is halted when the
total buffer space in use by the transaction exceeds this value.
proxy.config.http.flow_control.low_water
Scope CONFIG.TP Type INT.TP Default 0.TP Units bytes.TP Overridable Yes.UNINDENT The low
water mark for transaction buffer control. External source I/O is resumed when the
total buffer space in use by the transaction is no more than this value.
proxy.config.http.websocket.max_number_of_connections
Scope CONFIG.TP Type INT.TP Default -1.TP Reloadable Yes.UNINDENT When enabled >= (0),
Traffic Server will enforce a maximum number of simultaneous websocket connections.
NEGATIVE RESPONSE CACHING
proxy.config.http.negative_caching_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server caches negative responses (such as 404 Not Found) when
a requested page does not exist. The next time a client requests the same page,
Traffic Server serves the negative response directly from cache.
When disabled (0), Traffic Server will only cache the response if the response has
Cache-Control headers.
The following negative responses are cached by Traffic Server by default:
┌───────────────────┬───────────────────────┐
│HTTP Response Code │ Description │
├───────────────────┼───────────────────────┤
│204 │ No Content │
├───────────────────┼───────────────────────┤
│305 │ Use Proxy │
├───────────────────┼───────────────────────┤
│403 │ Forbidden │
├───────────────────┼───────────────────────┤
│404 │ Not Found │
├───────────────────┼───────────────────────┤
│414 │ URI Too Long │
├───────────────────┼───────────────────────┤
│500 │ Internal Server Error │
├───────────────────┼───────────────────────┤
│501 │ Not Implemented │
├───────────────────┼───────────────────────┤
│502 │ Bad Gateway │
├───────────────────┼───────────────────────┤
│503 │ Service Unavailable │
├───────────────────┼───────────────────────┤
│504 │ Gateway Timeout │
└───────────────────┴───────────────────────┘
The cache lifetime for objects cached from this setting is controlled via
proxy.config.http.negative_caching_lifetime.
proxy.config.http.negative_caching_lifetime
Scope CONFIG.TP Type INT.TP Default 1800.TP Reloadable Yes.TP Overridable Yes.UNINDENT
How long (in seconds) Traffic Server keeps the negative responses valid in cache.
This value only affects negative responses that do NOT have explicit Expires: or
Cache-Control: lifetimes set by the server.
proxy.config.http.negative_caching_list
Scope CONFIG.TP Type STRING.TP Default 204 305 403 404 414 500 501 502 503 504.TP
Reloadable Yes.UNINDENT The HTTP status code for negative caching. Default values
are mentioned above. The unwanted status codes can be taken out from the list.
Other status codes can be added. The variable is a list but parsed as STRING.
proxy.config.http.negative_revalidating_enabled
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Negative revalidating allows Traffic Server to return stale content if revalidation
to the origin fails due to network or HTTP errors. If it is enabled, rather than
caching the negative response, the current stale content is preserved and served.
Note this is considered only on a revalidation of already cached content. A
revalidation failure means a connection failure or a 50x response code. When
considering replying with a stale response in these negative revalidating
circumstances, Traffic Server will respect the
proxy.config.http.cache.max_stale_age configuration and will not use a cached
response older than max_stale_age seconds.
A value of 0 disables serving stale content and a value of 1 enables keeping and
serving stale content if revalidation fails.
proxy.config.http.negative_revalidating_lifetime
Scope CONFIG.TP Type INT.TP Default 1800.UNINDENT When replying with a stale cached
response in negative revalidating circumstances (see
proxy.config.http.negative_revalidating_enabled), Traffic Server includes an
Expires: HTTP header field in the cached response with a future time so that
upstream caches will not try to revalidate their respective stale objects. This
configuration specifies how many seconds in the future Traffic Server will
calculate the value of this inserted Expires: header field.
There is a limitation to this method to be aware of: per specification (see IETF
RFC 7234, section 4.2.1), Cache-Control: response directives take precedence over
the Expires: header field when determining object freshness. Thus if the cached
response contains either a max-age or an s-maxage Cache-Control: response
directive, then these directives would take precedence for the upstream caches over
the inserted Expires: field, rendering the Expires: header ineffective in
specifying the configured freshness lifetime.
Finally, be aware that the only way this configuration is used is as input into
calculating the value of these inserted Expires: header fields. This configuration
does not direct Traffic Server behavior with regard to whether it considers a stale
object to be fresh enough to serve out of cache when revalidation fails. As
mentioned above in proxy.config.http.negative_revalidating_enabled,
proxy.config.http.cache.max_stale_age is used for that determination.
This configuration defaults to 1,800 seconds (30 minutes).
PROXY USER VARIABLES
proxy.config.http.anonymize_remove_from
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server removes the From header to protect the privacy of your
users.
proxy.config.http.anonymize_remove_referer
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT When enabled (1),
Traffic Server removes the Referrer header to protect the privacy of your site and
users.
proxy.config.http.anonymize_remove_user_agent
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server removes the User-agent header to protect the privacy of
your site and users.
proxy.config.http.anonymize_remove_cookie
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server removes the Cookie header to protect the privacy of
your site and users.
proxy.config.http.anonymize_remove_client_ip
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server removes Client-IP headers for more privacy.
proxy.config.http.insert_client_ip
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies whether Traffic Server inserts Client-IP headers to retain the client IP
address:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Don't insert the Client-ip │
│ │ header │
├──────┼──────────────────────────────────┤
│1 │ Insert the Client-ip header, but │
│ │ only if the UA did not send one │
├──────┼──────────────────────────────────┤
│2 │ Always insert the Client-ip │
│ │ header │
└──────┴──────────────────────────────────┘
proxy.config.http.anonymize_other_header_list
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT Comma separated
list of headers Traffic Server should remove from outgoing requests.
proxy.config.http.insert_squid_x_forwarded_for
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server adds the client IP address to the X-Forwarded-For
header.
proxy.config.http.insert_forwarded
Scope CONFIG.TP Type STRING.TP Default none.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The default value (none) means that Traffic Server does not insert or append
information to any Forwarded header (described in IETF RFC 7239) in the request
message. To put information into a Forwarded header in the request, the value of
this variable must be a list of the Forwarded parameters to be inserted.
┌───────────────────┬──────────────────────────────────┐
│Parameter │ Value of parameter place in │
│ │ outgoing Forwarded header │
├───────────────────┼──────────────────────────────────┤
│for │ Client IP address │
├───────────────────┼──────────────────────────────────┤
│by=ip │ Proxy IP address │
├───────────────────┼──────────────────────────────────┤
│by=unknown │ The literal string unknown │
├───────────────────┼──────────────────────────────────┤
│by=servername │ Proxy server name │
├───────────────────┼──────────────────────────────────┤
│by=uuid │ Server UUID prefixed with _ │
├───────────────────┼──────────────────────────────────┤
│proto │ Protocol of incoming request │
├───────────────────┼──────────────────────────────────┤
│host │ The host specified in the │
│ │ incoming request │
├───────────────────┼──────────────────────────────────┤
│connection=compact │ Connection with basic │
│ │ transaction codes. │
├───────────────────┼──────────────────────────────────┤
│connection=std │ Connection with detailed │
│ │ transaction codes. │
├───────────────────┼──────────────────────────────────┤
│connection=full │ Full user agent connection │
│ │ protocol tags │
└───────────────────┴──────────────────────────────────┘
Each parameter in the list must be separated by | or :. For example,
for|by=uuid|proto is a valid value for this variable. Note that the connection
parameter is a non-standard extension to RFC 7239. Also note that, while Traffic
Server allows multiple by parameters for the same proxy, this is prohibited by RFC
7239. Currently, for the host parameter to provide the original host from the
incoming client request, proxy.config.url_remap.pristine_host_hdr must be enabled.
proxy.config.http.proxy_protocol_allowlist
Scope CONFIG.TP Type STRING.TP Default ```<ip list>```.UNINDENT This defines a allowlist
of server IPs that are trusted to provide connections with Proxy Protocol
information. This is a comma delimited list of IP addresses. Addressed may be
listed individually, in a range separated by a dash or by using CIDR notation.
┌────────────────────┬──────────────────────────────────┐
│Example Effect │ │
├────────────────────┼──────────────────────────────────┤
│10.0.2.123 │ A single IP Address. │
├────────────────────┼──────────────────────────────────┤
│10.0.3.1-10.0.3.254 │ A range of IP address. │
├────────────────────┼──────────────────────────────────┤
│10.0.4.0/24 │ A range of IP address specified │
│ │ by CIDR notation. │
└────────────────────┴──────────────────────────────────┘
IMPORTANT:
If Proxy Protocol is enabled on the port, but this directive is not defined any server
may initiate a connection with Proxy Protocol information. See
proxy.config.http.server_ports for information on how to enable Proxy Protocol on a
port.
See Proxy Protocol for more discussion on how Traffic Server transforms the Forwarded:
header.
proxy.config.http.proxy_protocol_out
Scope CONFIG.TP Type INT.TP Default ``-1``.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Set the behavior of outbound PROXY Protocol.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│-1 │ Disable (default) │
├──────┼──────────────────────────────────┤
│0 │ Forward received PROXY protocol │
│ │ to the next hop │
├──────┼──────────────────────────────────┤
│1 │ Send client information in PROXY │
│ │ protocol version 1 │
├──────┼──────────────────────────────────┤
│2 │ Send client information in PROXY │
│ │ protocol version 2 │
└──────┴──────────────────────────────────┘
proxy.config.http.normalize_ae
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies normalization, if any, of Accept-Encoding: headers.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ No normalization. │
├──────┼──────────────────────────────────┤
│1 │ Accept-Encoding: gzip (if the │
│ │ header has gzip or x-gzip with │
│ │ any q) OR blank (for any header │
│ │ that does not include gzip) │
├──────┼──────────────────────────────────┤
│2 │ Accept-Encoding: br if the │
│ │ header has br (with any q) ELSE │
│ │ normalize as for value 1 │
├──────┼──────────────────────────────────┤
│3 │ Accept-Encoding: br, gzip (if │
│ │ the header has br and gzip (with │
│ │ any q for either) then br, gzip) │
│ │ ELSE normalize as for value 2 │
└──────┴──────────────────────────────────┘
This is useful for minimizing cached alternates of documents (e.g. gzip, deflate
vs. deflate, gzip). Enabling this option is recommended if your origin servers use
no encodings other than gzip or br (Brotli).
SECURITY
proxy.config.http.push_method_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enables (1) or disables
(0) the HTTP PUSH option, which allows you to deliver content directly to the cache
without a user request.
IMPORTANT:
If you enable this option, then you must also specify a filtering rule in the
ip_allow.yaml file to allow only certain machines to push content into the cache.
proxy.config.http.max_post_size
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This feature is disabled
by default with a value of (0), any positive value will limit the size of post
bodies. If a request is received with a post body larger than this limit the
response will be terminated with 413 - Request Entity Too Large and logged
accordingly.
proxy.config.http.allow_multi_range
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT This
option allows the administrator to configure different behavior and handling of
requests with multiple ranges in the Range header.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Do not allow multiple ranges, │
│ │ effectively ignoring the Range │
│ │ header │
└──────┴──────────────────────────────────┘
│1 │ Allows multiple ranges. This can │
│ │ be potentially dangerous since │
│ │ well formed requests can cause │
│ │ excessive resource consumption │
│ │ on the server. │
├──────┼──────────────────────────────────┤
│2 │ Similar to 0, except return a │
│ │ 416 error code and no response │
│ │ body. │
└──────┴──────────────────────────────────┘
proxy.config.http.host_sni_policy
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT This option controls how host header and
SNI name mismatches are handled. Mismatches may result in SNI-based policies
defined in sni.yaml being avoided. For example, foo.com may be the fqdn value in
sni.yaml which defines that client certificates are required. The user could
specify bar.com as the SNI to avoid the policy requiring the client certificate but
specify foo.com as the HTTP host header to still access the same object.
Therefore, if a host header would have triggered a SNI policy, it is possible that
the user is trying to bypass a SNI policy if the host header and SNI values do not
match.
If this setting is 0, no checking is performed. If this setting is 1 or 2, the
host header and SNI values are compared if the host header value would have
triggered a SNI policy. If there is a mismatch and the value is 1, a warning is
generated but the transaction is allowed to proceed. If the value is 2 and there
is a mismatch, a warning is generated and a status 403 is returned.
Note that SNI and hostname consistency checking is not performed on all connections
indiscriminately, even if this global proxy.config.http.host_sni_policy is set to a
value of 1 or 2. It is only performed for connections to hosts specifying
verify_client and/or ip_allow policies in sni.yaml. That is, the SNI and hostname
mismatch check is only performed if a relevant security policy for the SNI is set
in sni.yaml. The proxy.config.http.host_sni_policy records.config value is used as
the default value if either of these policies is set in the corresponding sni.yaml
file entry and the sni.yaml entry does not override this value via a
host_sni_policy attribute.
CACHE CONTROL
proxy.config.cache.enable_read_while_writer
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Specifies when to enable
the ability to read a cached object while another connection is completing the
write to cache for that same object. The goal here is to avoid multiple origin
connections for the same cacheable object upon a cache miss. The possible values of
this config are:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Never read while writing. │
├──────┼──────────────────────────────────┤
│1 │ Always read while writing. │
├──────┼──────────────────────────────────┤
│2 │ Always read while writing, but │
│ │ allow non-cached Range requests │
│ │ through to the origin server. │
└──────┴──────────────────────────────────┘
The 2 option is useful to avoid delaying requests which can not easily be satisfied
by the partially written response.
Several other configuration values need to be set for this to be usable. See
Reducing Origin Server Requests (Avoiding the Thundering Herd).
proxy.config.cache.read_while_writer.max_retries
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT Specifies how many
retries trafficserver attempts to trigger read_while_writer on failing to obtain
the write VC mutex or until the first fragment is downloaded for the object being
downloaded. The retry duration is specified using the setting
proxy.config.cache.read_while_writer_retry.delay
proxy.config.cache.read_while_writer_retry.delay
Scope CONFIG.TP Type INT.TP Default 50.TP Reloadable Yes.UNINDENT Specifies the delay in
msec, trafficserver waits to reattempt read_while_writer on failing to obtain the
write VC mutex or until the first fragment is downloaded for the object being
downloaded. Note that trafficserver implements a progressive delay in reattempting,
by doubling the configured duration from the third reattempt onwards.
proxy.config.cache.force_sector_size
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Forces the use of a
specific hardware sector size, e.g. 4096, for all disks.
SSDs and "advanced format" drives claim a sector size of 512; however, it is safe
to force a higher size than the hardware supports natively as we count atomicity in
512 byte increments.
4096-sized drives formatted for Windows will have partitions aligned on 63 512-byte
sector boundaries, so they will be unaligned. There are workarounds, but you need
to do some research on your particular drive. Some drives have a one-time option to
switch the partition boundary, while others might require reformatting or
repartitioning.
To be safe in Linux, you could just use the entire drive: /dev/sdb instead of
/dev/sdb1 and Traffic Server will do the right thing. Misaligned partitions on
Linux are auto-detected.
For example: If /sys/block/sda/sda1/alignment_offset is non-zero, ATS will offset
reads/writes to that disk by that alignment. If Linux knows about any existing
partition misalignments, ATS will compensate.
Partitions formatted to support hardware sector size of more than 512 (e.g. 4096)
will result in all objects stored in the cache to be integral multiples of 4096
bytes, which will result in some waste for small files.
proxy.config.http.cache.http
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Enables (1) or disables (0) caching of HTTP requests.
proxy.config.http.cache.post_method
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Enables (1) or disables (0) caching of HTTP POST requests.
proxy.config.http.cache.generation
Scope CONFIG.TP Type INT.TP Default -1.TP Reloadable Yes.TP Overridable Yes.UNINDENT If
set to a value other than -1, the value if this configuration option is combined
with the cache key at cache lookup time. Changing this value has the effect of an
instantaneous, zero-cost cache purge since it will cause all subsequent cache keys
to change. Since this is an overridable configuration, it can be used to purge the
entire cache, or just a specific remap.config rule.
proxy.config.http.doc_in_cache_skip_dns
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), do not perform origin server DNS resolution if a fresh copy of the
requested document is available in the cache. This setting has no effect if HTTP
caching is disabled or if there are IP based ACLs configured.
Note that plugins, particularly authorization plugins, which use the
TS_HTTP_OS_DNS_HOOK hook may require this configuration variable to be disabled (0)
in order to function properly. This will ensure that the hook will be evaluated and
plugin execution will occur even when there is a fresh copy of the requested object
in the cache (which would normally allow the DNS lookup to be skipped, thus
eliminating the hook evaluation).
The downside is that the performance gain by skipping otherwise unnecessary DNS
lookups is lost. Because the variable is overridable, you may retain this
performance benefit for portions of your cache which do not require the use of
TS_HTTP_OS_DNS_HOOK plugins, by ensuring that the setting is first disabled within
only the relevant transactions. Refer to the documentation on Configuration Remap
Plugin for more information.
proxy.config.http.cache.ignore_client_no_cache
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server ignores client requests to bypass the cache.
Specifically, Pragma: no-cache, Cache-Control: no-cache and Cache-Control: no-store
in requests are ignored.
proxy.config.http.cache.ims_on_client_no_cache
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server issues a conditional request to the origin server if an
incoming request has a No-Cache header.
proxy.config.http.cache.ignore_server_no_cache
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server ignores origin server requests to bypass the cache.
Specifically, Pragma: no-cache, Cache-Control: no-cache and Cache-Control: no-store
in responses are ignored.
proxy.config.http.cache.cache_responses_to_cookies
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies how cookies are cached:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Do not cache any responses to │
│ │ cookies. │
├──────┼──────────────────────────────────┤
│1 │ Cache for any content-type. │
├──────┼──────────────────────────────────┤
│2 │ Cache only for image types. │
├──────┼──────────────────────────────────┤
│3 │ Cache for all but text │
│ │ content-types. │
├──────┼──────────────────────────────────┤
│4 │ Cache for all but text │
│ │ content-types; except origin │
│ │ server response without │
│ │ Set-Cookie or with │
│ │ Cache-Control: public. │
└──────┴──────────────────────────────────┘
proxy.config.http.cache.ignore_authentication
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT When enabled (1),
Traffic Server ignores WWW-Authentication headers in responses and the responses
are cached.
proxy.config.http.cache.cache_urls_that_look_dynamic
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Enables (1) or disables (0) caching of URLs that look dynamic, i.e.: URLs that end
in .asp or contain a question mark (?), a semicolon (;), or cgi. For a full list,
please refer to HttpTransact::url_looks_dynamic
proxy.config.http.cache.when_to_revalidate
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies when to revalidate content:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Use cache directives or │
│ │ heuristic (the default value). │
├──────┼──────────────────────────────────┤
│1 │ Stale if heuristic. │
├──────┼──────────────────────────────────┤
│2 │ Always stale (always │
│ │ revalidate). │
├──────┼──────────────────────────────────┤
│3 │ Never stale. │
├──────┼──────────────────────────────────┤
│4 │ Use cache directives or │
│ │ heuristic (0) unless the request │
│ │ has an If-Modified-Since header. │
└──────┴──────────────────────────────────┘
If the request contains the If-Modified-Since header, then Traffic Server always
revalidates the cached content and uses the client's If-Modified-Since header for
the proxy request.
proxy.config.http.cache.required_headers
Scope CONFIG.TP Type INT.TP Default 2.TP Reloadable Yes.TP Overridable Yes.UNINDENT The
type of headers required in a request for the request to be cacheable.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ No headers required to make │
│ │ document cacheable. │
├──────┼──────────────────────────────────┤
│1 │ Either the Last-Modified header, │
│ │ or an explicit lifetime header │
│ │ (Expires or Cache-Control: │
│ │ max-age) is required. │
├──────┼──────────────────────────────────┤
│2 │ Explicit lifetime is required, │
│ │ from either Expires or │
│ │ Cache-Control: max-age. │
└──────┴──────────────────────────────────┘
proxy.config.http.cache.max_stale_age
Scope CONFIG.TP Type INT.TP Default 604800.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The maximum age in seconds allowed for a stale response before it cannot be cached.
proxy.config.http.cache.guaranteed_min_lifetime
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Establishes a guaranteed minimum lifetime boundary for object freshness. Setting
this to 0 (default) disables the feature.
proxy.config.http.cache.guaranteed_max_lifetime
Scope CONFIG.TP Type INT.TP Default 31536000.TP Reloadable Yes.TP Overridable
Yes.UNINDENT Establishes a guaranteed maximum lifetime boundary for object
freshness. Setting this to 0 disables the feature.
proxy.config.http.cache.range.lookup
Scope CONFIG.TP Type INT.TP Default 1.TP Overridable Yes.UNINDENT When enabled (1),
Traffic Server looks up range requests in the cache.
proxy.config.http.cache.range.write
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT When enabled (1),
Traffic Server will attempt to write (lock) the URL to cache for a request
specifying a range. This is useful when the origin server might ignore a range
request and respond with a full (200) response. Additionally, this setting will
attempt to transform a 200 response from the origin server to a partial (206)
response, honoring the requested range, while caching the full response.
proxy.config.http.cache.ignore_accept_mismatch
Scope CONFIG.TP Type INT.TP Default 2.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled with a value of 1, Traffic Server serves documents from cache with a
Content-Type: header even if it does not match the Accept: header of the request.
If set to 2 (default), this logic only happens in the absence of a Vary header in
the cached response (which is the recommended and safe use).
NOTE:
This option should only be enabled with 1 if you're having problems with caching and
you origin server doesn't set the Vary header. Alternatively, if the origin is
incorrectly setting Vary: Accept or doesn't respond with 406 (Not Acceptable), you can
also enable this configuration with a 1.
proxy.config.http.cache.ignore_accept_language_mismatch
Scope CONFIG.TP Type INT.TP Default 2.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled with a value of 1, Traffic Server serves documents from cache with a
Content-Language: header even if it does not match the Accept-Language: header of
the request. If set to 2 (default), this logic only happens in the absence of a
Vary header in the cached response (which is the recommended and safe use).
NOTE:
This option should only be enabled with 1 if you're having problems with caching and
you origin server doesn't set the Vary header. Alternatively, if the origin is
incorrectly setting Vary: Accept-Language or doesn't respond with 406 (Not Acceptable),
you can also enable this configuration with a 1.
proxy.config.http.cache.ignore_accept_encoding_mismatch
Scope CONFIG.TP Type INT.TP Default 2.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled with a value of 1, Traffic Server serves documents from cache with a
Content-Encoding: header even if it does not match the Accept-Encoding: header of
the request. If set to 2 (default), this logic only happens in the absence of a
Vary header in the cached response (which is the recommended and safe use).
NOTE:
This option should only be enabled with 1 if you're having problems with caching and
you origin server doesn't set the Vary header. Alternatively, if the origin is
incorrectly setting Vary: Accept-Encoding or doesn't respond with 406 (Not Acceptable)
you can also enable this configuration with a 1.
proxy.config.http.cache.ignore_accept_charset_mismatch
Scope CONFIG.TP Type INT.TP Default 2.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled with a value of 1, Traffic Server serves documents from cache with a
Content-Type: header even if it does not match the Accept-Charset: header of the
request. If set to 2 (default), this logic only happens in the absence of a Vary
header in the cached response (which is the recommended and safe use).
NOTE:
This option should only be enabled with 1 if you're having problems with caching and
you origin server doesn't set the Vary header. Alternatively, if the origin is
incorrectly setting Vary: Accept-Charset or doesn't respond with 406 (Not Acceptable),
you can also enable this configuration with a 1.
proxy.config.http.cache.ignore_client_cc_max_age
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When
enabled (1), Traffic Server ignores any Cache-Control: max-age headers from the
client. This technically violates the HTTP RFC, but avoids a problem where a client
can forcefully invalidate a cached object.
proxy.config.cache.max_doc_size
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Specifies the maximum object size that
will be cached. 0 is unlimited.
proxy.config.cache.min_average_object_size
Scope CONFIG.TP Type INT.TP Default 8000.UNINDENT Specifies the lower boundary of average
object sizes in the cache and is used in determining the number of directory
buckets to allocate for the in-memory cache directory.
proxy.config.cache.permit.pinning
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT When enabled (1),
Traffic Server will keep certain HTTP objects in the cache for a certain time as
specified in cache.config.
proxy.config.cache.hit_evacuate_percent
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT The size of the region (as a percentage of
the total content storage in a cache stripe) in front of the write cursor that
constitutes a recent access hit for evacuating the accessed object.
When an object is accessed it can be marked for evacuation, that is to be copied
over the write cursor and thereby preserved from being overwritten. This is done if
it is no more than a specific number of bytes in front of the write cursor. The
number of bytes is a percentage of the total number of bytes of content storage in
the cache stripe where the object is stored and that percentage is set by this
variable.
By default, the feature is off (set to 0).
proxy.config.cache.hit_evacuate_size_limit
Scope CONFIG.TP Type INT.TP Default 0.TP Units bytes.UNINDENT Limit the size of objects
that are hit evacuated.
Objects larger than the limit are not hit evacuated. A value of 0 disables the
limit.
proxy.config.cache.limits.http.max_alts
Scope CONFIG.TP Type INT.TP Default 5.UNINDENT The maximum number of alternates that are
allowed for any given URL. Disable by setting to 0.
proxy.config.cache.log.alternate.eviction
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT When enabled (1), Traffic Server will emit
a Status level log entry every time an alternate for an object is evicted due to
the number of its alternates exceeding the value of
proxy.config.cache.limits.http.max_alts. The URI for the evicted alternate is
included in the log. This logging may be useful to determine whether
proxy.config.cache.limits.http.max_alts is tuned correctly for a given environment.
It also provides visibility into alternate eviction for individual objects, which
can be helpful for diagnosing unexpected Vary: header behavior from particular
origins.
For further details concerning the caching of alternates, see Caching HTTP
Alternates.
By default, alternate eviction logging is disabled (set to 0).
proxy.config.cache.target_fragment_size
Scope CONFIG.TP Type INT.TP Default 1048576.UNINDENT Sets the target size of a contiguous
fragment of a file in the disk cache. When setting this, consider that larger
numbers could waste memory on slow connections, but smaller numbers could increase
(waste) seeks.
proxy.config.cache.alt_rewrite_max_size
Scope CONFIG.TP Type INT.TP Default 4096.TP Reloadable Yes.UNINDENT Configures the size,
in bytes, of an alternate that will be considered small enough to trigger a rewrite
of the resident alt fragment within a write vector. For further details on cache
write vectors, refer to the developer documentation for CacheVC.
RAM CACHE
proxy.config.cache.ram_cache.size
Scope CONFIG.TP Type INT.TP Default -1.UNINDENT By default the RAM cache size is
automatically determined, based on disk cache size; approximately 10 MB of RAM
cache per GB of disk cache. Alternatively, it can be set to a fixed value such as
20GB (21474836480)
proxy.config.cache.ram_cache_cutoff
Scope CONFIG.TP Type INT.TP Default 4194304.UNINDENT Objects greater than this size will
not be kept in the RAM cache. This should be set high enough to keep objects
accessed frequently in memory in order to improve performance. 4MB (4194304)
proxy.config.cache.ram_cache.algorithm
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Two distinct RAM caches are supported, the
default (1) being the simpler LRU (Least Recently Used) cache. As an alternative,
the CLFUS (Clocked Least Frequently Used by Size) is also available, by changing
this configuration to 0.
proxy.config.cache.ram_cache.use_seen_filter
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enabling this option will filter inserts
into the RAM cache to ensure that they have been seen at least once. For the LRU,
this provides scan resistance. Note that CLFUS already requires that a document
have history before it is inserted, so for CLFUS, setting this option means that a
document must be seen three times before it is added to the RAM cache.
proxy.config.cache.ram_cache.compress
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT The CLFUS RAM cache also supports an
optional in-memory compression. This is not to be confused with Content-Encoding:
gzip compression. The RAM cache compression is intended to try to save space in
the RAM, and is not visible to the User-Agent (client).
Possible values are:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ No compression │
├──────┼──────────────────────────────────┤
│1 │ Fastlz (extremely fast, │
│ │ relatively low compression) │
├──────┼──────────────────────────────────┤
│2 │ Libz (moderate speed, reasonable │
│ │ compression) │
├──────┼──────────────────────────────────┤
│3 │ Liblzma (very slow, high │
│ │ compression) │
└──────┴──────────────────────────────────┘
Compression runs on task threads. To use more cores for RAM cache compression,
increase proxy.config.task_threads.
HEURISTIC EXPIRATION
proxy.config.http.cache.heuristic_min_lifetime
Scope CONFIG.TP Type INT.TP Default 3600.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The minimum amount of time, in seconds, an HTTP object without an expiration date
can remain fresh in the cache before is considered to be stale.
proxy.config.http.cache.heuristic_max_lifetime
Scope CONFIG.TP Type INT.TP Default 86400.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The maximum amount of time, in seconds, an HTTP object without an expiration date
can remain fresh in the cache before is considered to be stale.
proxy.config.http.cache.heuristic_lm_factor
Scope CONFIG.TP Type FLOAT.TP Default 0.10.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The aging factor for freshness computations. Traffic Server stores an object for
this percentage of the time that elapsed since it last changed.
DYNAMIC CONTENT & CONTENT NEGOTIATION
proxy.config.http.cache.open_read_retry_time
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The number of milliseconds a cacheable request will wait before requesting the object
from cache if an equivalent request is in flight.
proxy.config.http.cache.max_open_read_retries
Scope CONFIG.TP Type INT.TP Default -1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The number of times to attempt fetching an object from cache if there was an equivalent
request in flight.
proxy.config.http.cache.max_open_write_retries
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The number of times to attempt a cache open write upon failure to get a write lock.
This config is ignored when proxy.config.http.cache.open_write_fail_action is set to 5.
proxy.config.http.cache.open_write_fail_action
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
This setting indicates the action taken on failing to obtain the cache open write lock
on either a cache miss or a cache hit stale. This typically happens when there is more
than one request to the same cache object simultaneously. During such a scenario, all
but one (which goes to the origin) request is served either a stale copy or an error
depending on this setting.
┌──────┬─────────────────────────────────────────────┐
│Value │ Description │
├──────┼─────────────────────────────────────────────┤
│0 │ Default. Disable cache and go to │
│ │ origin server. │
├──────┼─────────────────────────────────────────────┤
│1 │ Return a 502 error on a cache │
│ │ miss. │
├──────┼─────────────────────────────────────────────┤
│2 │ Serve stale if object's age is │
│ │ under │
│ │ proxy.config.http.cache.max_stale_age. │
│ │ Otherwise, go to origin server. │
├──────┼─────────────────────────────────────────────┤
│3 │ Return a 502 error on a cache miss or │
│ │ serve stale on a cache revalidate if │
│ │ object's age is under │
│ │ proxy.config.http.cache.max_stale_age. │
│ │ Otherwise, go to origin server. │
├──────┼─────────────────────────────────────────────┤
│4 │ Return a 502 error on either a cache │
│ │ miss or on a revalidation. │
├──────┼─────────────────────────────────────────────┤
│5 │ Retry Cache Read on a Cache Write Lock │
│ │ failure. This option together with │
│ │ proxy.config.cache.enable_read_while_writer │
│ │ configuration allows to collapse │
│ │ concurrent requests without a need for │
│ │ any plugin. Make sure to configure │
│ │ the Read While Writer feature │
│ │ correctly. Note that this option may │
│ │ result in CACHE_LOOKUP_COMPLETE HOOK │
│ │ being called back more than once. │
└──────┴─────────────────────────────────────────────┘
CUSTOMIZABLE USER RESPONSE PAGES
proxy.config.body_factory.enable_customizations
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Specifies whether customizable response
pages are language specific or not:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│1 │ Enable customizable user │
│ │ response pages in the default │
│ │ directory only. │
├──────┼──────────────────────────────────┤
│2 │ Enable language-targeted user │
│ │ response pages. │
├──────┼──────────────────────────────────┤
│3 │ Enable host-targeted user │
│ │ response pages. │
└──────┴──────────────────────────────────┘
proxy.config.body_factory.enable_logging
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) logging for
customizable response pages. When enabled, Traffic Server records a message in the
error log each time a customized response page is used or modified.
proxy.config.body_factory.template_sets_dir
Scope CONFIG.TP Type STRING.TP Default etc/trafficserver/body_factory.UNINDENT The
customizable response page default directory. If this is a relative path, Traffic
Server resolves it relative to the PREFIX directory.
proxy.config.body_factory.template_base
Scope CONFIG.TP Type STRING.TP Default "".TP Reloadable Yes.TP Overridable Yes.UNINDENT A
prefix for the file name to use to find an error template file. If set (not the
empty string) this value and an underscore are prepended to the file name to find
in the template sets directory. See HTML Messages Sent to Clients.
proxy.config.body_factory.response_max_size
Scope CONFIG.TP Type INT.TP Default 8192.TP Reloadable Yes.UNINDENT Maximum size of the
error template response page.
proxy.config.body_factory.response_suppression_mode
Scope CONFIG.TP Type INT.TP Default 0
:reloadable:
:overridable:.UNINDENT Specifies when Traffic Server suppresses generated response
pages:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Never suppress generated │
│ │ response pages. │
├──────┼──────────────────────────────────┤
│1 │ Always suppress generated │
│ │ response pages. │
├──────┼──────────────────────────────────┤
│2 │ Suppress response pages only for │
│ │ internal traffic. │
└──────┴──────────────────────────────────┘
proxy.config.http_ui_enabled
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Specifies which http Inspector UI
endpoints to allow within remap.config:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Disable all http UI endpoints. │
├──────┼──────────────────────────────────┤
│1 │ Enable only Cache Inspector │
│ │ endpoints. │
├──────┼──────────────────────────────────┤
│2 │ Enable only stats endpoints. │
├──────┼──────────────────────────────────┤
│3 │ Enable all http UI endpoints. │
└──────┴──────────────────────────────────┘
To enable any endpoint there needs to be an entry in remap.config which
specifically enables it. Such a line would look like:
map / http://{cache}
The following are the cache endpoints:
┌──────┬────────────────────────────────┐
│Name │ Description │
├──────┼────────────────────────────────┤
│cache │ UI to interact with the cache. │
└──────┴────────────────────────────────┘
The following are the stats endpoints:
┌───────────────┬─────────────────────────────────────┐
│Name │ Description │
├───────────────┼─────────────────────────────────────┤
│cache-internal │ Statistics about cache │
│ │ evacuation and volumes. │
├───────────────┼─────────────────────────────────────┤
│hostdb │ Lookups against the hostdb. │
├───────────────┼─────────────────────────────────────┤
│http │ HTTPSM details, this endpoint is │
│ │ also gated by │
│ │ proxy.config.http.enable_http_info. │
├───────────────┼─────────────────────────────────────┤
│net │ Lookup and listing of open │
│ │ connections. │
└───────────────┴─────────────────────────────────────┘
proxy.config.http.enable_http_info
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) access to an
endpoint within proxy.config.http_ui_enabled which shows details about inflight
transactions (HttpSM).
DNS
proxy.config.dns.search_default_domains
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Traffic Server can
attempt to resolve unqualified hostnames by expanding to the local domain. For
example if a client makes a request to an unqualified host (e.g. host_x) and the
Traffic Server local domain is y.com, then Traffic Server will expand the hostname
to host_x.y.com.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Disable local domain expansion. │
├──────┼──────────────────────────────────┤
│1 │ Enable local domain expansion. │
├──────┼──────────────────────────────────┤
│2 │ Enable local domain expansion, │
│ │ but do not split local domain │
│ │ name. │
└──────┴──────────────────────────────────┘
proxy.config.dns.splitDNS.enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enables (1) or disables
(0) DNS server selection. When enabled, Traffic Server refers to the
splitdns.config file for the selection specification. Refer to Configuring DNS
Server Selection.
proxy.config.dns.resolv_conf
Scope CONFIG.TP Type STRING.TP Default /etc/resolv.conf.UNINDENT Allows one to specify
which resolv.conf file to use for finding resolvers. While the format of this file
must be the same as the standard resolv.conf file, this option allows an
administrator to manage the set of resolvers in an external configuration file,
without affecting how the rest of the operating system uses DNS. Note that this
setting works in conjunction with proxy.config.dns.nameservers, with its settings
appended to the resolv.conf contents.
proxy.config.dns.round_robin_nameservers
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Enables (1) or disables
(0) DNS server round-robin.
proxy.config.dns.nameservers
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT The DNS servers.
Note that this does not override proxy.config.dns.resolv_conf. That is, the
contents of the file listed in proxy.config.dns.resolv_conf will be appended to the
list of nameservers specified here. To prevent this, a bogus file can be listed
there.
Example
IPv4 DNS server, loopback and port 9999
CONFIG proxy.config.dns.nameservers STRING 127.0.0.1:9999
Example
IPv6 DNS server, loopback and port 9999
CONFIG proxy.config.dns.nameservers STRING [::1]:9999
proxy.config.srv_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Enables (1) or disables (0) the use of SRV records for origin server lookup.
Traffic Server will use weights found in the SRV record as a weighted round robin
in origin selection. Note that Traffic Server will lookup
_$scheme._$internet_protocol.$origin_name. For instance, if the origin is set to
https://my.example.com, Traffic Server would lookup _https._tcp.my.example.com.
Also note that the port returned in the SRV record MUST match the port being used
for the origin (e.g. if the origin scheme is http and a default port, there should
be a SRV record with port 80).
proxy.config.dns.dedicated_thread
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Create and dedicate a thread entirely for
DNS processing. This is probably most useful on system which do a significant
number of DNS lookups, typically forward proxies. But even on other systems, it can
avoid some contention on the first worker thread (which otherwise takes on the
burden of all DNS lookups).
proxy.config.dns.validate_query_name
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT When enabled (1) provides additional
resilience against DNS forgery (for instance in DNS Injection attacks),
particularly in forward or transparent proxies, but requires that the resolver
populates the queries section of the response properly.
proxy.config.dns.connection_mode
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Three connection modes between Traffic
Server and nameservers can be set -- UDP_ONLY, TCP_RETRY, TCP_ONLY.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ UDP_ONLY: Traffic Server always │
│ │ talks to nameservers over UDP. │
├──────┼──────────────────────────────────┤
│1 │ TCP_RETRY: Traffic Server first │
│ │ UDP, retries with TCP if UDP │
│ │ response is truncated. │
├──────┼──────────────────────────────────┤
│2 │ TCP_ONLY: Traffic Server always │
│ │ talks to nameservers over TCP. │
└──────┴──────────────────────────────────┘
proxy.config.dns.max_tcp_continuous_failures
Scope CONFIG.TP Type INT.TP Default 10.UNINDENT If DNS connection mode is TCP_RETRY, set
the threshold of the continuous TCP query failures count for the TCP connection,
reset the TCP connection immediately if the continuous TCP query failures conut
over the threshold. If the threshold is 0 (or less than 0) we close this feature.
proxy.config.dns.max_dns_in_flight
Scope CONFIG.TP Type INT.TP Default 2048.UNINDENT Maximum inflight DNS queries made by
Traffic Server at any given instant
proxy.config.dns.lookup_timeout
Scope CONFIG.TP Type INT.TP Default 20.UNINDENT Time to wait for a DNS response in
seconds.
proxy.config.dns.retries
Scope CONFIG.TP Type INT.TP Default 5.UNINDENT Maximum number of retries made by Traffic
Server on a given DNS query
proxy.config.dns.local_ipv4
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT Local IPV4 address to bind to in
order to make DNS requests
proxy.config.dns.local_ipv6
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT Local IPV6 address to bind to in
order to make DNS requests
HOSTDB
proxy.config.hostdb.lookup_timeout
Scope CONFIG.TP Type INT.TP Default 30.TP Units seconds.TP Reloadable Yes.UNINDENT Time
to wait for a DNS response in seconds.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.hostdb.serve_stale_for
Scope CONFIG.TP Type INT.TP Default *NONE*.TP Units seconds.TP Reloadable Yes.UNINDENT
The number of seconds for which to use a stale NS record while initiating a
background fetch for the new data.
If not set then stale records are not served.
proxy.config.hostdb.max_size
Scope CONFIG.TP Type INT.TP Default 10737418240.TP Units bytes.UNINDENT The maximum
amount of space (in bytes) allocated to hostdb. Setting this value to -1 will
disable size limit enforcement.
proxy.config.hostdb.max_count
Scope CONFIG.TP Type INT.TP Default -1.UNINDENT The maximum number of entries that can be
stored in hostdb. A value of -1 disables item count limit enforcement.
NOTE:
For values above 200000, you must increase proxy.config.hostdb.max_size by at least 44
bytes per entry.
proxy.config.hostdb.round_robin_max_count
Scope CONFIG.TP Type INT.TP Default 16.UNINDENT The maximum count of DNS answers per
round robin hostdb record. The default variable is 16.
proxy.config.hostdb.ttl_mode
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT A host entry will
eventually time out and be discarded. This variable controls how that time is
calculated. A DNS request will return a TTL value and an internal value can be set
with proxy.config.hostdb.timeout. This variable determines which value will be
used.
┌──────┬──────────────────────────────────┐
│Value │ TTL │
├──────┼──────────────────────────────────┤
│0 │ The TTL from the DNS response. │
├──────┼──────────────────────────────────┤
│1 │ The internal timeout value. │
├──────┼──────────────────────────────────┤
│2 │ The smaller of the DNS and │
│ │ internal TTL values. The │
│ │ internal timeout value becomes a │
│ │ maximum TTL. │
├──────┼──────────────────────────────────┤
│3 │ The larger of the DNS and │
│ │ internal TTL values. The │
│ │ internal timeout value become a │
│ │ minimum TTL. │
└──────┴──────────────────────────────────┘
proxy.config.hostdb.timeout
Scope CONFIG.TP Type INT.TP Default 86400.TP Units seconds.TP Reloadable Yes.UNINDENT
Internal time to live value for host DB entries in seconds.
See proxy.config.hostdb.ttl_mode for when this value is used. See Timeout Settings
for more discussion on Traffic Server timeouts.
proxy.config.hostdb.fail.timeout
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Time to live value for "failed" hostdb
lookups.
NOTE:
HostDB considers any response that does not contain a response to the query a failure.
This means "failure" responses (such as SOA) are subject to this timeout
proxy.config.hostdb.strict_round_robin
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Set host resolution to
use strict round robin.
When this and proxy.config.hostdb.timed_round_robin are both disabled (set to 0),
Traffic Server always uses the same origin server for the same client, for as long
as the origin server is available. Otherwise if this is set then IP address is
rotated on every request. This setting takes precedence over
proxy.config.hostdb.timed_round_robin.
proxy.config.hostdb.timed_round_robin
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Set host resolution to
use timed round robin.
When this and proxy.config.hostdb.strict_round_robin are both disabled (set to 0),
Traffic Server always uses the same origin server for the same client, for as long
as the origin server is available. Otherwise if this is set to N the IP address is
rotated if more than N seconds have passed since the first time the current address
was used.
proxy.config.hostdb.host_file.path
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT Set the file path for an external
host file.
If this is set (non-empty) then the file is presumed to be a hosts file in the
standard . It is read and the entries there added to the HostDB. The file is
periodically checked for a more recent modification date in which case it is
reloaded. The interval is set with proxy.config.hostdb.host_file.interval.
While not technically reloadable, the value is read every time the file is to be
checked so that if changed the new value will be used on the next check and the
file will be treated as modified.
proxy.config.hostdb.host_file.interval
Scope CONFIG.TP Type INT.TP Default 86400.TP Units seconds.TP Reloadable Yes.UNINDENT Set
the file changed check timer for proxy.config.hostdb.host_file.path.
The file is checked every this many seconds to see if it has changed. If so the
HostDB is updated with the new values in the file.
proxy.config.hostdb.partitions
Scope CONFIG.TP Type INT.TP Default 64.UNINDENT The number of partitions for hostdb. If
you are seeing lock contention within hostdb's cache (due to a large number of
records) you can increase the number of partitions
proxy.config.hostdb.ip_resolve
Scope CONFIG.TP Type STRING.TP Default NULL.TP Overridable Yes.UNINDENT Set the host
resolution style.
This is an ordered list of keywords separated by semicolons that specify how a host
name is to be resolved to an IP address. The keywords are case insensitive.
┌────────┬──────────────────────────────────┐
│Keyword │ Description │
├────────┼──────────────────────────────────┤
│ipv4 │ Resolve to an IPv4 address. │
├────────┼──────────────────────────────────┤
│ipv6 │ Resolve to an IPv6 address. │
├────────┼──────────────────────────────────┤
│client │ Resolve to the same family as │
│ │ the client IP address. │
├────────┼──────────────────────────────────┤
│only │ Stop resolving. │
└────────┴──────────────────────────────────┘
The order of the keywords is critical. When a host name needs to be resolved it is
resolved in same order as the keywords. If a resolution fails, the next option in
the list is tried. The keyword only means to give up resolution entirely. The
keyword list has a maximum length of three keywords, more are never needed. By
default there is an implicit ipv4;ipv6 attached to the end of the string unless the
keyword only appears.
Example
Use the incoming client family, then try IPv4 and IPv6.
client;ipv4;ipv6
Because of the implicit resolution this can also be expressed as just
client
Example
Resolve only to IPv4.
ipv4;only
Example
Resolve only to the same family as the client (do not permit cross family transactions).
client;only
This value is a global default that can be overridden by proxy.config.http.server_ports.
NOTE:
This style is used as a convenience for the administrator. During a resolution the
resolution order will be one family, then possibly the other. This is determined by
changing client to ipv4 or ipv6 based on the client IP address and then removing
duplicates.
IMPORTANT:
This option has no effect on outbound transparent connections The local IP address used
in the connection to the origin server is determined by the client, which forces the IP
address family of the address used for the origin server. In effect, outbound
transparent connections always use a resolution style of "client".
proxy.config.hostdb.verify_after
Scope CONFIG.TP Type INT.TP Default 720.UNINDENT Set the interval (in seconds) in which
to re-query DNS regardless of TTL status.
proxy.config.hostdb.filename
Scope CONFIG.TP Type STRING.TP Default host.db.UNINDENT The filename to persist hostdb to
on disk.
proxy.config.cache.hostdb.sync_frequency
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Set the frequency (in seconds) to sync
hostdb to disk. If set to zero (default as of v9.0.0), we won't sync to disk ever.
Note: hostdb is synced to disk on a per-partition basis (of which there are 64).
This means that the minimum time to sync all data to disk is
proxy.config.cache.hostdb.sync_frequency * 64
LOGGING CONFIGURATION
proxy.config.log.logging_enabled
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.UNINDENT Enables and disables
event logging:
┌──────┬──────────────────────────────────┐
│Value │ Effect │
├──────┼──────────────────────────────────┤
│0 │ Logging disabled. │
├──────┼──────────────────────────────────┤
│1 │ Log errors only. │
├──────┼──────────────────────────────────┤
│2 │ Log transactions only. │
├──────┼──────────────────────────────────┤
│3 │ Dual logging (errors and │
│ │ transactions). │
└──────┴──────────────────────────────────┘
Refer to Logging for more information on event logging.
proxy.config.log.max_secs_per_buffer
Scope CONFIG.TP Type INT.TP Default 5.TP Reloadable Yes.UNINDENT The maximum amount of
time before data in the buffer is flushed to disk.
NOTE:
The effective lower bound to this config is whatever
proxy.config.log.periodic_tasks_interval is set to.
proxy.config.log.max_space_mb_for_logs
Scope CONFIG.TP Type INT.TP Default 25000.TP Units megabytes.TP Reloadable Yes.UNINDENT
The amount of space allocated to the logging directory (in MB). The headroom
amount specified by proxy.config.log.max_space_mb_headroom is taken from this space
allocation.
NOTE:
All files in the logging directory contribute to the space used, even if they are not
log files.
proxy.config.log.max_space_mb_headroom
Scope CONFIG.TP Type INT.TP Default 1000.TP Units megabytes.TP Reloadable Yes.UNINDENT
The tolerance for the log space limit (in megabytes). If the variable
proxy.config.log.auto_delete_rolled_files is set to 1 (enabled), then auto-deletion
of log files is triggered when the amount of free space available in the logging
directory is less than the value specified here.
proxy.config.log.hostname
Scope CONFIG.TP Type STRING.TP Default localhost.TP Reloadable Yes.UNINDENT The hostname
of the machine running Traffic Server.
proxy.config.log.logfile_dir
Scope CONFIG.TP Type STRING.TP Default var/log/trafficserver.TP Reloadable Yes.UNINDENT
The path to the logging directory. This can be an absolute path or a path relative
to the PREFIX directory in which Traffic Server is installed.
NOTE:
The directory you specify must already exist.
proxy.config.log.logfile_perm
Scope CONFIG.TP Type STRING.TP Default rw-r--r--.TP Reloadable Yes.UNINDENT The log file
permissions. The standard UNIX file permissions are used (owner, group, other).
Permissible values are:
┌──────┬─────────────────────┐
│Value │ Description │
├──────┼─────────────────────┤
│- │ No permissions. │
├──────┼─────────────────────┤
│r │ Read permission. │
├──────┼─────────────────────┤
│w │ Write permission. │
├──────┼─────────────────────┤
│x │ Execute permission. │
└──────┴─────────────────────┘
Permissions are subject to the umask settings for the Traffic Server process. This
means that a umask setting of 002 will not allow write permission for others, even
if specified in the configuration file. Permissions for existing log files are not
changed when the configuration is modified.
proxy.config.log.rolling_enabled
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Specifies how log files
are rolled. You can specify the following values:
┌──────┬───────────────────────────────────────┐
│Value │ Description │
├──────┼───────────────────────────────────────┤
│0 │ Disables log file rolling. │
├──────┼───────────────────────────────────────┤
│1 │ Enables log file rolling at │
│ │ specific intervals during the │
│ │ day (specified with the │
│ │ proxy.config.log.rolling_interval_sec │
│ │ and │
│ │ proxy.config.log.rolling_offset_hr │
│ │ variables). │
├──────┼───────────────────────────────────────┤
│2 │ Enables log file rolling when log │
│ │ files reach a specific size │
│ │ (specified with │
│ │ proxy.config.log.rolling_size_mb). │
├──────┼───────────────────────────────────────┤
│3 │ Enables log file rolling at specific │
│ │ intervals during the day or when log │
│ │ files reach a specific size │
│ │ (whichever occurs first). │
├──────┼───────────────────────────────────────┤
│4 │ Enables log file rolling at specific │
│ │ intervals during the day when log │
│ │ files reach a specific size (i.e. at │
│ │ a specified time if the file is of │
│ │ the specified size). │
└──────┴───────────────────────────────────────┘
proxy.config.log.rolling_interval_sec
Scope CONFIG.TP Type INT.TP Default 86400.TP Reloadable Yes.UNINDENT The log file rolling
interval, in seconds. The minimum value is 60 (1 minute). The maximum, and default,
value is 86400 seconds (one day).
NOTE:
If you start Traffic Server within a few minutes of the next rolling time, then rolling
might not occur until the next rolling time.
proxy.config.log.rolling_offset_hr
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT The file rolling offset
hour. The hour of the day that starts the log rolling period.
proxy.config.log.rolling_size_mb
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT The size, in megabytes,
that log files must reach before rolling takes place. The minimum value for this
setting is 10.
proxy.config.log.rolling_min_count
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies the minimum
count of rolled (event) logs to keep. This value will be used to decide the order
of auto-deletion (if enabled). A default value of 0 means auto-deletion will try to
keep logs as much as possible. This value can be and should be overridden in
logging.yaml. See Log Rotation and Retention for guidance.
proxy.config.log.rolling_max_count
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies the maximum
count of rolled output logs to keep. This value will be used by the auto-deletion
(if enabled) to trim the number of rolled log files every time the log is rolled.
A default value of 0 means auto-deletion will not try to limit the number of output
logs. See Log Rotation and Retention for an use-case for this option.
proxy.config.log.rolling_allow_empty
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT While rolling default
behavior is to rename, close and re-open the log file only when/if there is
something to log to the log file. This option opens a new log file right after
rolling even if there is nothing to log (i.e. nothing to be logged due to lack of
requests to the server) which may lead to 0-sized log files while rolling. See Log
Rotation and Retention for an use-case for this option.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ No empty log files created and │
│ │ rolled if there was nothing to │
│ │ log │
├──────┼──────────────────────────────────┤
│1 │ Allow empty log files to be │
│ │ created and rolled even if │
│ │ there was nothing to log │
└──────┴──────────────────────────────────┘
proxy.config.log.auto_delete_rolled_files
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Enables (1) or disables
(0) automatic deletion of rolled files.
proxy.config.log.sampling_frequency
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Configures Traffic
Server to log only a sample of transactions rather than every transaction. You can
specify the following values:
┌──────┬───────────────────────────────┐
│Value │ Description │
├──────┼───────────────────────────────┤
│1 │ Log every transaction. │
├──────┼───────────────────────────────┤
│2 │ Log every second transaction. │
├──────┼───────────────────────────────┤
│3 │ Log every third transaction. │
├──────┼───────────────────────────────┤
│n │ ... and so on... │
└──────┴───────────────────────────────┘
proxy.config.log.periodic_tasks_interval
Scope CONFIG.TP Type INT.TP Default 5.TP Units seconds.TP Reloadable Yes.UNINDENT How
often Traffic Server executes log related periodic tasks, in seconds
proxy.config.log.proxy.config.log.throttling_interval_msec
Scope CONFIG.TP Type INT.TP Default 60000.TP Units milliseconds.TP Reloadable
Yes.UNINDENT The minimum amount of milliseconds between repeated throttled Traffic
Server log events. A value of 0 implies no throttling. Note that for performance
reasons only certain logs are compiled with throttling applied to them.
Throttling is applied to all log events for a particular message which is emitted
within its throttling interval. That is, once a throttled log is emitted, none will
be emitted until the next log event for that message which occurs outside of this
configured interval. As mentioned above, this message is applied not broadly but
rather to potentially noisy log messages, such as ones that might occur thousands
of times a second under certain error conditions. Once the next log event occurs
outside of its interval, a summary message is printed conveying how many messages
of that type were throttled since the last time it was emitted.
It is possible that a log is emitted, followed by more of its type in an interval,
then none are emitted after that. Be aware this would result in no summary log
message for that interval until the message is emitted again outside of the
throttled interval.
proxy.config.http.slow.log.threshold
Scope CONFIG.TP Type INT.TP Default 0.TP Units milliseconds.TP Reloadable Yes.UNINDENT If
set to a non-zero value N then any connection that takes longer than N milliseconds
from accept to completion will cause its timing stats to be written to the
debugging log file. This is identifying data about the transaction and all of the
transaction milestones.
proxy.config.http2.connection.slow.log.threshold
Scope CONFIG.TP Type INT.TP Default 0.TP Units milliseconds.TP Reloadable Yes.UNINDENT If
set to a non-zero value N then any HTTP/2 connection that takes longer than N
milliseconds from open to close will cause its timing stats to be written to the
debugging log file. This is identifying data about the transaction and all of the
transaction milestones.
proxy.config.http2.stream.slow.log.threshold
Scope CONFIG.TP Type INT.TP Default 0.TP Units milliseconds.TP Reloadable Yes.UNINDENT If
set to a non-zero value N then any HTTP/2 stream that takes longer than N
milliseconds from open to close will cause its timing stats to be written to the
debugging log file. This is identifying data about the transaction and all of the
transaction milestones.
proxy.config.log.config.filename
Scope CONFIG.TP Type STRING.TP Default logging.yaml.TP Reloadable Yes.TP Deprecated
Yes.UNINDENT This configuration value specifies the path to the logging.yaml
configuration file. If this is a relative path, Traffic Server loads it relative to
the SYSCONFDIR directory.
proxy.config.log.max_line_size
Scope CONFIG.TP Type INT.TP Default 9216.TP Units bytes.UNINDENT This controls the
maximum line length for ASCII formatted log entries. This applies to ASCII_PIPE
and ASCII file logs, unless proxy.config.log.ascii_buffer_size is also specified
and the value of ascii_buffer_size is larger than max_line_size: in that case,
max_line_size only applies to ASCII_PIPE logs while ascii_buffer_size will apply to
ASCII (non-pipe) log files.
proxy.config.log.ascii_buffer_size
Scope CONFIG.TP Type INT.TP Default 36864.TP Units bytes.UNINDENT This controls the
maximum line length for ASCII formatted log entries that are non-pipe log files. If
this value is smaller than proxy.config.log.max_line_size, then the latter will be
used for both ASCII and ASCII_PIPE log files. If both max_line_size and
ascii_buffer_size are set, then max_line_size will be used for ASCII_PIPE logs
while ascii_buffer_size will be used for ASCII (non-pipe) log files. This all
might seem complicated, but just keep in mind that the intention of
ascii_buffer_size is to simply provide a way for the user to configure different
ASCII and ASCII_PIPE maximum line lengths.
proxy.config.log.log_buffer_size
Scope CONFIG.TP Type INT.TP Default 9216.TP Units bytes.TP Reloadable Yes.UNINDENT This
is an orthogonal mechanism from proxy.config.log.max_line_size and
proxy.config.log.ascii_buffer_size for limiting line length size by constraining
the log entry buffer to a particular amount of memory. Unlike the above two
configurations, log_buffer_size applies to both binary and ASCII log file entries.
For ASCII log files, if a maximum log size is set via both the above mechanisms and
by log_buffer_size, then the smaller of the two configurations will be applied to
the line length.
DIAGNOSTIC LOGGING CONFIGURATION
proxy.config.diags.output.diag
Scope CONFIG.TP Type STRING.TP Default E.UNINDENT
proxy.config.diags.output.debug
Scope CONFIG.TP Type STRING.TP Default E.UNINDENT
proxy.config.diags.output.status
Scope CONFIG.TP Type STRING.TP Default L.UNINDENT
proxy.config.diags.output.note
Scope CONFIG.TP Type STRING.TP Default L.UNINDENT
proxy.config.diags.output.warning
Scope CONFIG.TP Type STRING.TP Default L.UNINDENT
proxy.config.diags.output.error
Scope CONFIG.TP Type STRING.TP Default SL.UNINDENT
proxy.config.diags.output.fatal
Scope CONFIG.TP Type STRING.TP Default SL.UNINDENT
proxy.config.diags.output.alert
Scope CONFIG.TP Type STRING.TP Default L.UNINDENT
proxy.config.diags.output.emergency
Scope CONFIG.TP Type STRING.TP Default SL.UNINDENT The diagnostic output configuration
variables control where Traffic Server should log diagnostic output. Messages at
each diagnostic level can be directed to any combination of diagnostic
destinations. Valid diagnostic message destinations are:
┌──────┬───────────────────────────────────────┐
│Value │ Description │
├──────┼───────────────────────────────────────┤
│O │ Log to standard output. │
├──────┼───────────────────────────────────────┤
│E │ Log to standard error. │
├──────┼───────────────────────────────────────┤
│S │ Log to syslog. │
├──────┼───────────────────────────────────────┤
│L │ Log to diags.log (with the │
│ │ filename configurable via │
│ │ proxy.config.diags.logfile.filename). │
└──────┴───────────────────────────────────────┘
Example
To log debug diagnostics to both syslog and diags.log:
CONFIG proxy.config.diags.output.debug STRING SL
proxy.config.diags.show_location
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Annotates diagnostic messages with the
source code location. Set to 1 to enable for Debug() messages only. Set to 2 to
enable for all messages.
proxy.config.diags.debug.enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT When set to 1, enables
logging for diagnostic messages whose log level is diag or debug.
When set to 2, interprets the proxy.config.diags.debug.client_ip setting determine
whether diagnostic messages are logged.
proxy.config.diags.debug.client_ip
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT if proxy.config.diags.debug.enabled
is set to 2, this value is tested against the source IP of the incoming connection.
If there is a match, all the diagnostic messages for that connection and the
related outgoing connection will be logged.
proxy.config.diags.debug.tags
Scope CONFIG.TP Type STRING.TP Default http|dns.UNINDENT Each Traffic Server diag and
debug level message is annotated with a subsystem tag. This configuration contains
an anchored regular expression that filters the messages based on the tag. The
expressions are prefix matched which creates an implicit .* at the end. Therefore
the default value http|dns will match tags such as http, http_hdrs, dns, and
dns_recv.
Some commonly used debug tags are:
┌───────────┬──────────────────────────────────┐
│Tag │ Subsystem usage │
├───────────┼──────────────────────────────────┤
│dns │ DNS query resolution │
├───────────┼──────────────────────────────────┤
│http_hdrs │ Logs the headers for HTTP │
│ │ requests and responses │
└───────────┴──────────────────────────────────┘
│privileges │ Privilege elevation │
├───────────┼──────────────────────────────────┤
│ssl │ TLS termination and certificate │
│ │ processing │
└───────────┴──────────────────────────────────┘
Traffic Server plugins will typically log debug messages using the TSDebug() API,
passing the plugin name as the debug tag.
proxy.config.diags.debug.throttling_interval_msec
Scope CONFIG.TP Type INT.TP Default 0.TP Units milliseconds.TP Reloadable Yes.UNINDENT
The minimum amount of milliseconds between repeated Traffic Server diag and debug
log events. A value of 0 implies no throttling. All diags and debug logs are
compiled with throttling applied to them.
For details about how log throttling works, see log.throttling_interval_msec.
proxy.config.diags.logfile.filename
Scope CONFIG.TP Type STRING.TP Default diags.log.UNINDENT The name of the file to which
Traffic Server diagnostic logs will be emitted. For information on the diagnostic
log file, see diags.log. For the configurable parameters concerning what log
content is emitted to diags.log, see the Diagnostic Output Configuration Variables
above.
If this is set to stdout or stderr, then all diagnostic logging will go to the
stdout or stderr stream, respectively.
proxy.config.error.logfile.filename
Scope CONFIG.TP Type STRING.TP Default error.log.UNINDENT The name of the file to which
Traffic Server transaction error logs will be emitted. For more information on
these log messages, see error.log.
If this is set to stdout or stderr, then all transaction error logging will go to
the stdout or stderr stream, respectively.
proxy.config.diags.logfile_perm
Scope CONFIG.TP Type STRING.TP Default rw-r--r--.UNINDENT The log file permissions. The
standard UNIX file permissions are used (owner, group, other). Permissible values
are:
┌──────┬─────────────────────┐
│Value │ Description │
├──────┼─────────────────────┤
│- │ No permissions. │
├──────┼─────────────────────┤
│r │ Read permission. │
├──────┼─────────────────────┤
│w │ Write permission. │
├──────┼─────────────────────┤
│x │ Execute permission. │
└──────┴─────────────────────┘
Permissions are subject to the umask settings for the Traffic Server process. This
means that a umask setting of 002 will not allow write permission for others, even
if specified in the configuration file. Permissions for existing log files are not
changed when the configuration is modified.
proxy.config.diags.logfile.rolling_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies how the
diagnostics log is rolled. You can specify the following values:
┌──────┬───────────────────────────────────────────────────┐
│Value │ Description │
├──────┼───────────────────────────────────────────────────┤
│0 │ Disables diagnostics log │
│ │ rolling. │
├──────┼───────────────────────────────────────────────────┤
│1 │ Enables diagnostics log rolling │
│ │ at specific intervals (specified │
│ │ with │
│ │ proxy.config.diags.logfile.rolling_interval_sec). │
│ │ The "clock" starts ticking on │
│ │ Traffic Server startup. │
├──────┼───────────────────────────────────────────────────┤
│2 │ Enables diagnostics log rolling when the │
│ │ diagnostics log reaches a specific size │
│ │ (specified with │
│ │ proxy.config.diags.logfile.rolling_size_mb). │
└──────┴───────────────────────────────────────────────────┘
│3 │ Enables diagnostics log rolling at specific │
│ │ intervals or when the diagnostics log reaches a │
│ │ specific size (whichever occurs first). │
└──────┴───────────────────────────────────────────────────┘
proxy.config.diags.logfile.rolling_interval_sec
Scope CONFIG.TP Type INT.TP Default 3600.TP Units seconds.TP Reloadable Yes.UNINDENT
Specifies how often the diagnostics log is rolled, in seconds. The timer starts on
Traffic Server startup.
proxy.config.diags.logfile.rolling_size_mb
Scope CONFIG.TP Type INT.TP Default 100.TP Units megabytes.TP Reloadable Yes.UNINDENT
Specifies at what size to roll the diagnostics log at.
proxy.config.diags.logfile.rolling_min_count
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies the minimum
count of rolled diagnostic logs to keep. This value will be used to decide the
order of auto-deletion (if enabled). A default value of 0 means auto-deletion will
try to keep diagnostic logs as much as possible. See Log Rotation and Retention for
guidance.
REVERSE PROXY
proxy.config.reverse_proxy.enabled
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Enables (1) or disables
(0) HTTP reverse proxy.
proxy.config.header.parse.no_host_url_redirect
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT The URL to which
to redirect requests with no host headers (reverse proxy).
URL REMAP RULES
proxy.config.url_remap.filename
Scope CONFIG.TP Type STRING.TP Default remap.config.TP Deprecated Yes.UNINDENT Sets the
name of the remap.config file.
proxy.config.url_remap.remap_required
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Set this variable to 1
if you want Traffic Server to serve requests only from origin servers listed in the
mapping rules of the remap.config file. If a request does not match, then the
browser will receive an error.
proxy.config.url_remap.pristine_host_hdr
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set
this variable to 1 if you want to retain the client host header in a request during
remapping.
SSL TERMINATION
proxy.config.ssl.server.cipher_suite
Scope CONFIG.TP Type STRING.TP Default <see notes>.UNINDENT Configures the set of
encryption, digest, authentication, and key exchange algorithms provided by OpenSSL
which Traffic Server will use for SSL connections. For the list of algorithms and
instructions on constructing an appropriately formatting cipher_suite string, see
OpenSSL Ciphers.
The current default is:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-CCM8:AES128-CCM8:AES256-CCM:AES128-CCM:AES256-SHA256:AES128-SHA2
proxy.config.ssl.client.cipher_suite
Scope CONFIG.TP Type STRING.TP Default <See notes under
proxy.config.ssl.server.cipher_suite.>.UNINDENT Configures the cipher_suite which
Traffic Server will use for SSL connections to origin or next hop. This currently
defaults to:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:DHE-DSS-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:RSA-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:RSA-PSK-ARIA256-GCM-SHA384:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-DSS-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:RSA-PSK-AES128-GCM-SHA256:RSA-PSK-ARIA128-GCM-SHA256:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:AES128-SHA256:CAMELLIA128-SHA256
proxy.config.ssl.server.TLSv1_3.cipher_suites
Scope CONFIG.TP Type STRING.TP Default <See notes>.UNINDENT Configures the pair of the
AEAD algorithm and hash algorithm to be used with HKDF provided by OpenSSL which
Traffic Server will use for TLSv1.3 connections. For the list of algorithms and
instructions, see The -ciphersuites section of OpenSSL Ciphers.
The current default value is:
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
This configuration works with OpenSSL v1.1.1 and above.
proxy.config.ssl.server.honor_cipher_order
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT By default (1) Traffic Server will use the
server's cipher suites preferences instead of the client preferences. By disabling
it (0) Traffic Server will use client's cipher suites preferences.
proxy.config.ssl.server.prioritize_chacha
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT By enabling it (1) Traffic Server will
temporarily reprioritize ChaCha20-Poly1305 ciphers to the top of the server cipher
list if a ChaCha20-Poly1305 cipher is at the top of the client cipher list.
This configuration works with OpenSSL v1.1.1 and above.
proxy.config.ssl.client.TLSv1_3.cipher_suites
Scope CONFIG.TP Type STRING.TP Default <See notes under
proxy.config.ssl.server.tls.cipher_suites>.UNINDENT Configures the cipher_suites
which Traffic Server will use for TLSv1.3 connections to origin or next hop. This
configuration works with OpenSSL v1.1.1 and above.
The current default is:
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
proxy.config.ssl.server.groups_list
Scope CONFIG.TP Type STRING.TP Default <See notes>.UNINDENT Configures the list of
supported groups provided by OpenSSL which Traffic Server will be used to determine
the set of shared groups. The value is a colon separated list of group NIDs or
names, for example "P-521:P-384:P-256". For instructions, see "Groups" section of
TLS1.3 - OpenSSLWiki.
The current default value with OpenSSL is:
X25519:P-256:X448:P-521:P-384
This configuration works with OpenSSL v1.0.2 and above.
proxy.config.ssl.client.groups_list
Scope CONFIG.TP Type STRING.TP Default <See notes under
proxy.config.ssl.server.groups_list.>.UNINDENT Configures the list of supported
groups provided by OpenSSL which Traffic Server will use for the "key_share" and
"supported groups" extension of TLSv1.3 connections. The value is a colon separated
list of group NIDs or names, for example "P-521:P-384:P-256". For instructions, see
"Groups" section of TLS1.3 - OpenSSLWiki.
This configuration works with OpenSSL v1.0.2 and above.
proxy.config.ssl.TLSv1
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) TLSv1.0. If
not specified, disabled by default.
proxy.config.ssl.TLSv1_1
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) TLS v1.1. If
not specified, disabled by default. [Requires OpenSSL v1.0.1 and higher]
NOTE:
In order to enable TLS v1 or v1.1, additional ciphers must be added to
proxy.config.ssl.client.cipher_suite. For example this list would restore the SHA1
(insecure!) cipher suites suitable for these deprecated TLS versions:
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
proxy.config.ssl.TLSv1_2
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) TLS v1.2. If
not specified, enabled by default. [Requires OpenSSL v1.0.1 and higher]
proxy.config.ssl.TLSv1_3
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) TLS v1.3. If
not specified, enabled by default. [Requires OpenSSL v1.1.1 and higher]
proxy.config.ssl.client.certification_level
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Sets the client certification level:
┌──────┬──────────────────────────────────┐
│Value │ Description │
└──────┴──────────────────────────────────┘
│0 │ Client certificates are ignored. │
│ │ Traffic Server does not verify │
│ │ client certificates during the │
│ │ SSL handshake. Access to Traffic │
│ │ Server depends on Traffic Server │
│ │ configuration options (such as │
│ │ access control lists). │
├──────┼──────────────────────────────────┤
│1 │ Client certificates are │
│ │ optional. If a client has a │
│ │ certificate, then the │
│ │ certificate is validated. If the │
│ │ client does not have a │
│ │ certificate, then the client is │
│ │ still allowed access to Traffic │
│ │ Server unless access is denied │
│ │ through other Traffic Server │
│ │ configuration options. │
├──────┼──────────────────────────────────┤
│2 │ Client certificates are │
│ │ required. The client must be │
│ │ authenticated during the SSL │
│ │ handshake. Clients without a │
│ │ certificate are not allowed to │
│ │ access Traffic Server. │
└──────┴──────────────────────────────────┘
proxy.config.ssl.server.multicert.filename
Scope CONFIG.TP Type STRING.TP Default ssl_multicert.config.TP Deprecated Yes.UNINDENT
The location of the ssl_multicert.config file, relative to the Traffic Server
configuration directory. In the following example, if the Traffic Server
configuration directory is /etc/trafficserver, the Traffic Server SSL configuration
file and the corresponding certificates are located in /etc/trafficserver/ssl:
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl/ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/ssl
proxy.config.ssl.server.multicert.exit_on_load_fail
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT By default (1), Traffic Server will not
start unless all the SSL certificates listed in the ssl_multicert.config file
successfully load. If false (0), SSL certificate load failures will not prevent
Traffic Server from starting.
proxy.config.ssl.server.cert.path
Scope CONFIG.TP Type STRING.TP Default /config.UNINDENT The location of the SSL
certificates and chains used for accepting and validation new SSL sessions. If this
is a relative path, it is appended to the Traffic Server installation PREFIX. All
certificates and certificate chains listed in ssl_multicert.config will be loaded
relative to this path.
proxy.config.ssl.server.private_key.path
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The location of the SSL certificate
private keys. Change this variable only if the private key is not located in the
SSL certificate file. All private keys listed in ssl_multicert.config will be
loaded relative to this path.
proxy.config.ssl.server.cert_chain.filename
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The name of a file containing a
global certificate chain that should be used with every server certificate. This
file is only used if there are certificates defined in ssl_multicert.config.
Unless this is an absolute path, it is loaded relative to the path specified by
proxy.config.ssl.server.cert.path.
proxy.config.ssl.server.dhparams_file
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The name of a file containing a set
of Diffie-Hellman key exchange parameters. If not specified, 2048-bit DH parameters
from RFC 5114 are used. These parameters are only used if a DHE (or EDH) cipher
suite has been selected.
proxy.config.ssl.CA.cert.path
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The location of the certificate
authority file that client certificates will be verified against.
proxy.config.ssl.CA.cert.filename
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The filename of the certificate
authority that client certificates will be verified against.
proxy.config.ssl.server.ticket_key.filename
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The filename of the default and
global ticket key for SSL sessions. The location is relative to the
proxy.config.ssl.server.cert.path directory. One way to generate this would be to
run head -c48 /dev/urandom | openssl enc -base64 | head -c48 > file.ticket. Also
note that OpenSSL session tickets are sensitive to the version of the
ca-certificates. Once the file is changed with new tickets, use traffic_ctl config
reload to begin using them.
proxy.config.ssl.servername.filename
Scope CONFIG.TP Type STRING.TP Default sni.yaml.TP Deprecated Yes.UNINDENT The filename
of the sni.yaml configuration file. If relative, it is relative to the
configuration directory.
proxy.config.ssl.max_record_size
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This configuration specifies the maximum
number of bytes to write into a SSL record when replying over a SSL session. In
some circumstances this setting can improve response latency by reducing buffering
at the SSL layer. This setting can have a value between 0 and 16383 (max TLS record
size).
The default of 0 means to always write all available data into a single SSL record.
A value of -1 means TLS record size is dynamically determined. The strategy
employed is to use small TLS records that fit into a single TCP segment for the
first ~1 MB of data, but, increase the record size to 16 KB after that to optimize
throughput. The record size is reset back to a single segment after ~1 second of
inactivity and the record size ramping mechanism is repeated again.
proxy.config.ssl.origin_session_cache
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT This configuration enables the SSL session
cache for the origin server when set to 1.
Setting to 0 disables SSL session cache for the origin server.
proxy.config.ssl.origin_session_cache.size
Scope CONFIG.TP Type INT.TP Default 10240.UNINDENT This configuration specifies the
maximum number of entries the SSL session cache for the origin server may contain.
Setting a value less than or equal to 0 effectively disables SSL session cache for
the origin server.
proxy.config.ssl.session_cache
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT Enables the SSL session cache:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Disables the session cache │
│ │ entirely. │
├──────┼──────────────────────────────────┤
│1 │ Enables the session cache using │
│ │ OpenSSL's implementation. │
├──────┼──────────────────────────────────┤
│2 │ Default. Enables the session │
│ │ cache using Traffic Server's │
│ │ implementation. This │
│ │ implementation should perform │
│ │ much better than the OpenSSL │
│ │ implementation. │
└──────┴──────────────────────────────────┘
proxy.config.ssl.session_cache.timeout
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This configuration specifies the lifetime
of SSL session cache entries in seconds. If it is 0, then the SSL library will use
a default value, typically 300 seconds. Note: This option has no affect when using
the Traffic Server session cache (option 2 in proxy.config.ssl.session_cache)
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.ssl.session_cache.auto_clear
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT This will set the OpenSSL auto clear flag.
Auto clear is enabled by default with 1 it can be disabled by changing this setting
to 0.
proxy.config.ssl.session_cache.size
Scope CONFIG.TP Type INT.TP Default 102400.UNINDENT This configuration specifies the
maximum number of entries the SSL session cache may contain.
proxy.config.ssl.session_cache.num_buckets
Scope CONFIG.TP Type INT.TP Default 256.UNINDENT This configuration specifies the number
of buckets to use with the Traffic Server SSL session cache implementation. The TS
implementation is a fixed size hash map where each bucket is protected by a mutex.
proxy.config.ssl.session_cache.skip_cache_on_bucket_contention
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This configuration specifies the behavior
of the Traffic Server SSL session cache implementation during lock contention on
each bucket:
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Default. Don't skip session │
│ │ caching when bucket lock is │
│ │ contented. │
├──────┼──────────────────────────────────┤
│1 │ Disable the SSL session cache │
│ │ for a connection during lock │
│ │ contention. │
└──────┴──────────────────────────────────┘
proxy.config.ssl.server.session_ticket.enable
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Set to 1 to enable Traffic Server to
process TLS tickets for TLS session resumption.
proxy.config.ssl.server.session_ticket.number
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT This configuration control the number of
TLSv1.3 session tickets that are issued. Take into account that setting the value
to 0 will disable session caching for TLSv1.3 connections.
Lowering this setting to 1 can be interesting when proxy.config.ssl.session_cache
is enabled because otherwise for every new TLSv1.3 connection two session IDs will
be inserted in the session cache. On the other hand, if
proxy.config.ssl.session_cache is disabled, using the default value is
recommended. In those scenarios, increasing the number of tickets could be
potentially beneficial for clients performing multiple requests over concurrent TLS
connections as per RFC 8446 clients SHOULDN'T reuse TLS Tickets.
For more information see
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_num_tickets.html [Requires
OpenSSL v1.1.1 and higher]
proxy.config.ssl.hsts_max_age
Scope CONFIG.TP Type INT.TP Default -1.TP Overridable Yes.UNINDENT This configuration
specifies the max-age value that will be used when adding the
Strict-Transport-Security header. The value is in seconds. A value of 0 will set
the max-age value to 0 and should remove the HSTS entry from the client. A value
of -1 will disable this feature and not set the header. This option is only used
for HTTPS requests and the header will not be set on HTTP requests.
proxy.config.ssl.hsts_include_subdomains
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Enables (1) or disables
(0) adding the includeSubdomain value to the Strict-Transport-Security header.
proxy.config.ssl.hsts_max_age needs to be set to a non -1 value for this
configuration to take effect.
proxy.config.ssl.allow_client_renegotiation
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This configuration specifies whether the
client is able to initiate renegotiation of the SSL connection. The default of 0,
means the client can't initiate renegotiation.
proxy.config.ssl.cert.load_elevated
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) elevation of
traffic_server privileges during loading of SSL certificates. By enabling this,
SSL certificate files' access rights can be restricted to help reduce the
vulnerability of certificates.
This feature requires Traffic Server to be built with POSIX capabilities enabled.
proxy.config.ssl.handshake_timeout_in
Scope CONFIG.TP Type INT.TP Default 30.UNINDENT When enabled this limits the total
duration for the incoming side SSL handshake.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.ssl.keylog_file
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT If configured, TLS
session keys for TLS connections will be logged to the specified file. This file is
formatted in such a way that it can be conveniently imported into tools such as
Wireshark to decrypt packet captures. This should only be used for debugging
purposes since the data in the keylog file can be used to decrypt the otherwise
encrypted traffic. A NULL value for this disables the feature.
This feature is disabled by default.
Client-Related Configuration
proxy.config.ssl.client.verify.server.policy
Scope CONFIG.TP Type STRING.TP Default PERMISSIVE.TP Reloadable Yes.TP Overridable
Yes.UNINDENT Configures Traffic Server to verify the origin server certificate with
the Certificate Authority (CA). This configuration takes a value of DISABLED,
PERMISSIVE, or ENFORCED
You can override this global setting on a per domain basis in the sni.yaml file
using the verify_server_policy attribute.
You can also override via the conf_remap plugin. Those changes will take precedence
over the changes in sni.yaml.
DISABLED
Server Certificate will not be verified
PERMISSIVE
The provided certificate will be verified and the connection will be established
irrespective of the verification result. If verification fails the name of the
server will be logged.
ENFORCED
Certificate will be verified and the connection will not be established if
verification fails.
proxy.config.ssl.client.verify.server.properties
Scope CONFIG.TP Type STRING.TP Default ALL.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Configures Traffic Server for what the default verify callback should check during
origin server verification.
You can override this global setting on a per domain basis in the sni.yaml file
using the verify_server_properties attribute.
You can also override via the conf_remap plugin. Those changes will take precedence
over the changes in .:file:sni.yaml
NONE Check nothing in the standard callback. Rely entirely on plugins to check the
certificate.
SIGNATURE
Check only for a valid signature.
NAME Check only that the SNI name is in the certificate.
ALL Check both the signature and the name.
proxy.config.ssl.client.cert.filename
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The filename of SSL client certificate installed on Traffic Server.
proxy.config.ssl.client.cert.path
Scope CONFIG.TP Type STRING.TP Default /config.TP Reloadable Yes.UNINDENT The location of
the SSL client certificate installed on Traffic Server.
proxy.config.ssl.client.private_key.filename
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The filename of the Traffic Server private key. Change this variable only if the
private key is not located in the Traffic Server SSL client certificate file.
proxy.config.ssl.client.private_key.path
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT The location of
the Traffic Server private key. Change this variable only if the private key is not
located in the SSL client certificate file.
proxy.config.ssl.client.CA.cert.filename
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The filename of the certificate authority against which the origin server will be
verified.
proxy.config.ssl.client.CA.cert.path
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT Specifies the
location of the certificate authority file against which the origin server will be
verified.
proxy.config.ssl.client.sni_policy
Scope CONFIG.TP Type STRING.TP Default NULL.TP Overridable Yes.UNINDENT Indicate how the
SNI value for the TLS connection to the origin is selected.
host This is the default. The value of the Host field in the proxy request is used.
server_name
The SNI value of the inbound TLS connection is used.
remap The remapped upstream name is used.
verify_with_name_source
The value of the Host field in the proxy request is used. In addition, if the names
in the server certificate of the upstream are checked, they are checked against the
remapped upstream name, not the SNI.
@... If the policy starts with the @ character, it is treated as a literal, less the
leading @. E.g. if the policy is "@apache.org" the SNI will be "apache.org".
We have two names that could be used in the transaction host header and the SNI value to
the origin. These could be the host header from the client or the remap host name. Unless
you have pristine host header enabled, these are likely the same values. If sni_policy =
host, both the sni and the value of the Host field to origin will be the same. If
sni_policy = remap, the sni value will be the remap host name and the host header will be
the host header from the client.
In addition, We may want to set the SNI and host headers the same (makes some common web
servers happy), but the server certificate for the upstream may have a name that
corresponds to the remap name. So instead of using the SNI name for the name check, we may
want to use the remap name. So if sni_policy = verify_with_name_source, the sni will be
the host header value and the name to check in the server certificate will be the remap
header value.
proxy.config.ssl.client.scheme_proto_mismatch_policy
Scope CONFIG.TP Type INT.TP Default 2.TP Overridable Yes.UNINDENT This option controls
how Traffic Server behaves when the client side connection protocol and the client
request's scheme do not match. For example, if enforcement is enabled by setting
this value to 2 and the client connection is a cleartext HTTP connection but the
scheme of the URL is https://, then Traffic Server will emit a warning and return
an immediate 400 HTTP response without proxying the request to the origin.
The default value is 2, meaning that Traffic Server will enforce that the protocol
matches the scheme.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Disable verification that the │
│ │ protocol and scheme match. │
├──────┼──────────────────────────────────┤
│1 │ Check that the protocol and │
│ │ scheme match, but only emit a │
│ │ warning if they do not. │
├──────┼──────────────────────────────────┤
│2 │ Check that the protocol and │
│ │ scheme match and, if they do │
│ │ not, emit a warning and return │
│ │ an immediate HTTP 400 response. │
└──────┴──────────────────────────────────┘
proxy.config.ssl.client.TLSv1
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) TLSv1.0 in the
ATS client context. If not specified, enabled by default
proxy.config.ssl.client.TLSv1_1
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) TLSv1_1 in the
ATS client context. If not specified, enabled by default
proxy.config.ssl.client.TLSv1_2
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) TLSv1_2 in the
ATS client context. If not specified, enabled by default
proxy.config.ssl.client.TLSv1_3
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) TLSv1_3 in the
ATS client context. If not specified, enabled by default
proxy.config.ssl.async.handshake.enabled
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables the use of OpenSSL async job
during the TLS handshake. Traffic Server must be build against OpenSSL 1.1 or
greater or this to take affect. Can be useful if using a crypto engine that
communicates off chip. The thread will be rescheduled for other work until the
crypto engine operation completes. A test crypto engine that inserts a 5 second
delay on private key operations can be found at contrib/openssl/async_engine.c.
proxy.config.ssl.engine.conf_file
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT Specify the location of the OpenSSL
config file used to load dynamic crypto engines. This setting assumes an absolute
path. An example config file is at contrib/openssl/load_engine.cnf.
TLS v1.3 0-RTT Configuration
NOTE:
TLS v1.3 must be enabled in order to utilize 0-RTT early data.
proxy.config.ssl.server.max_early_data
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Specifies the maximum amount of early data
in bytes that is permitted to be sent on a single connection.
The minimum value that enables early data, and the suggested value for this option
are both 16384 (16KB).
Setting to 0 effectively disables 0-RTT.
proxy.config.ssl.server.allow_early_data_params
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Set to 1 to allow HTTP parameters on early
data requests.
SNI Routing
proxy.config.tunnel.activity_check_period
Scope CONFIG.TP Type INT.TP Default 0.TP Units seconds.UNINDENT Frequency of checking the
activity of SNI Routing Tunnel. Set to 0 to disable monitoring of the activity of
the SNI tunnels. The feature is disabled by default.
proxy.config.tunnel.prewarm
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enable Pre-warming TLS Tunnel. The feature
is disabled by default.
proxy.config.tunnel.prewarm.max_stats_size
Scope CONFIG.TP Type INT.TP Default 100.UNINDENT Max size of dynamic stats for
Pre-warming TLS Tunnel.
proxy.config.tunnel.prewarm.algorithm
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT Version of pre-warming algorithm.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│1 │ Periodical pre-warming only │
├──────┼──────────────────────────────────┤
│2 │ Event based pre-warming + │
│ │ Periodical pre-warming │
└──────┴──────────────────────────────────┘
proxy.config.tunnel.prewarm.event_period
Scope CONFIG.TP Type INT.TP Default 1000.TP Units milliseconds.UNINDENT Frequency of
periodical pre-warming in milli-seconds.
OCSP STAPLING CONFIGURATION
proxy.config.ssl.ocsp.enabled
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enable OCSP stapling.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Disables OCSP Stapling. │
├──────┼──────────────────────────────────┤
│1 │ Allows Traffic Server to request │
│ │ SSL certificate revocation │
│ │ status from an OCSP responder. │
└──────┴──────────────────────────────────┘
proxy.config.ssl.ocsp.cache_timeout
Scope CONFIG.TP Type INT.TP Default 3600.UNINDENT Number of seconds before an OCSP
response expires in the stapling cache.
proxy.config.ssl.ocsp.request_timeout
Scope CONFIG.TP Type INT.TP Default 10.TP Units seconds.UNINDENT Timeout (in seconds) for
queries to OCSP responders.
proxy.config.ssl.ocsp.update_period
Scope CONFIG.TP Type INT.TP Default 60.TP Units seconds.UNINDENT Update period (in
seconds) for stapling caches.
proxy.config.ssl.ocsp.response.path
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The directory path of the prefetched
OCSP stapling responses. Change this variable only if you intend to use and
administratively maintain prefetched OCSP stapling responses. All stapling
responses listed in ssl_multicert.config will be loaded relative to this path.
HTTP/2 CONFIGURATION
proxy.config.http2.max_concurrent_streams_in
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT The maximum number of
concurrent streams per inbound connection.
NOTE:
Reloading this value affects only new HTTP/2 connections, not the ones already
established.
proxy.config.http2.min_concurrent_streams_in
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT The minimum number of
concurrent streams per inbound connection. This is used when
proxy.config.http2.max_active_streams_in is set larger than 0.
proxy.config.http2.max_active_streams_in
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Limits the maximum
number of connection wide active streams. When connection wide active streams are
larger than this value, SETTINGS_MAX_CONCURRENT_STREAMS will be reduced to
proxy.config.http2.min_concurrent_streams_in. To disable, set to zero (0).
proxy.config.http2.initial_window_size_in
Scope CONFIG.TP Type INT.TP Default 65535.TP Units bytes.TP Reloadable Yes.UNINDENT The
initial window size for inbound connections.
proxy.config.http2.max_frame_size
Scope CONFIG.TP Type INT.TP Default 16384.TP Units bytes.TP Reloadable Yes.UNINDENT
Indicates the size of the largest frame payload that the sender is willing to
receive.
proxy.config.http2.header_table_size
Scope CONFIG.TP Type INT.TP Default 4096.TP Reloadable Yes.UNINDENT The maximum size of
the header compression table used to decode header blocks. This value will be
advertised as SETTINGS_HEADER_TABLE_SIZE.
proxy.config.http2.header_table_size_limit
Scope CONFIG.TP Type INT.TP Default 65536.TP Reloadable Yes.UNINDENT The maximum size of
the header compression table ATS actually use when ATS encodes headers. Setting 0
means ATS doesn't insert headers into HPACK Dynamic Table, however, headers still
can be encoded as indexable representations. The upper limit is 65536.
proxy.config.http2.max_header_list_size
Scope CONFIG.TP Type INT.TP Default 131072.TP Reloadable Yes.UNINDENT This advisory
setting informs a peer of the maximum size of header list that the sender is
prepared to accept blocks. The default value, which is the unsigned int maximum
value in Traffic Server, implies unlimited size.
proxy.config.http2.stream_priority_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enable the experimental
HTTP/2 Stream Priority feature.
proxy.config.http2.active_timeout_in
Scope CONFIG.TP Type INT.TP Default 0.TP Units seconds.TP Reloadable Yes.UNINDENT This is
the active timeout of the http2 connection. It is set when the connection is opened
and keeps ticking regardless of activity level.
The value of 0 specifies that there is no timeout.
proxy.config.http2.accept_no_activity_timeout
Scope CONFIG.TP Type INT.TP Default 120.TP Units seconds.TP Reloadable Yes.UNINDENT
Specifies how long Traffic Server keeps connections to clients open if no activity
is received on the connection. Lowering this timeout can ease pressure on the proxy
if misconfigured or misbehaving clients are opening a large number of connections
without submitting requests.
proxy.config.http2.no_activity_timeout_in
Scope CONFIG.TP Type INT.TP Default 120.TP Units seconds.TP Reloadable Yes.UNINDENT
Specifies how long Traffic Server keeps connections to clients open if a
transaction stalls. Lowering this timeout can ease pressure on the proxy if
misconfigured or misbehaving clients are opening a large number of connections
without submitting requests.
proxy.config.http2.zombie_debug_timeout_in
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This timeout enables the
zombie debugging feature. If it is non-zero, it sets a zombie event to go off that
many seconds in the future when the HTTP2 session reaches one but not both of the
terminating events, i.e received a close event (via client goaway or timeout) and
the number of active streams has gone to zero. If the event is executed, the
Traffic Server process will assert. This mechanism is useful to debug potential
leaks in the HTTP2 Stream and Session processing.
proxy.config.http2.push_diary_size
Scope CONFIG.TP Type INT.TP Default 256.TP Reloadable Yes.UNINDENT Indicates the maximum
number of HTTP/2 server pushes that are remembered per HTTP/2 connection to avoid
duplicate pushes on the same connection. If the maximum number is reached, new
entries are not remembered.
proxy.config.http2.stream_error_rate_threshold
Scope CONFIG.TP Type FLOAT.TP Default 0.1.TP Reloadable Yes.UNINDENT This is the maximum
stream error rate Traffic Server allows on an HTTP/2 connection. Traffic Server
gracefully closes connections that have stream error rates above this setting by
sending GOAWAY frames.
proxy.config.http2.stream_error_sampling_threshold
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT This is the threshold
of sampling stream number to start checking the stream error rate.
proxy.config.http2.max_settings_per_frame
Scope CONFIG.TP Type INT.TP Default 7.TP Reloadable Yes.UNINDENT Specifies how many
settings in an HTTP/2 SETTINGS frame Traffic Server accepts. Clients exceeded this
limit will be immediately disconnected with an error code of ENHANCE_YOUR_CALM.
proxy.config.http2.max_settings_per_minute
Scope CONFIG.TP Type INT.TP Default 14.TP Reloadable Yes.UNINDENT Specifies how many
settings in HTTP/2 SETTINGS frames Traffic Server accept for a minute. Clients
exceeded this limit will be immediately disconnected with an error code of
ENHANCE_YOUR_CALM.
proxy.config.http2.max_settings_frames_per_minute
Scope CONFIG.TP Type INT.TP Default 14.TP Reloadable Yes.UNINDENT Specifies how many
SETTINGS frames Traffic Server receives for a minute at maximum. Clients exceeded
this limit will be immediately disconnected with an error code of
ENHANCE_YOUR_CALM.
proxy.config.http2.max_ping_frames_per_minute
Scope CONFIG.TP Type INT.TP Default 60.TP Reloadable Yes.UNINDENT Specifies how many
number of PING frames Traffic Server receives for a minute at maximum. Clients
exceeded this limit will be immediately disconnected with an error code of
ENHANCE_YOUR_CALM.
proxy.config.http2.max_priority_frames_per_minute
Scope CONFIG.TP Type INT.TP Default 120.TP Reloadable Yes.UNINDENT Specifies how many
number of PRIORITY frames Traffic Server receives for a minute at maximum. Clients
exceeded this limit will be immediately disconnected with an error code of
ENHANCE_YOUR_CALM. If this is set to 0, the limit logic is disabled. This limit
only will be enforced if proxy.config.http2.stream_priority_enabled is set to 1.
proxy.config.http2.min_avg_window_update
Scope CONFIG.TP Type FLOAT.TP Default 2560.0.TP Reloadable Yes.UNINDENT Specifies the
minimum average window increment Traffic Server allows. The average will be
calculated based on the last 5 WINDOW_UPDATE frames. Clients that send smaller
window increments lower than this limit will be immediately disconnected with an
error code of ENHANCE_YOUR_CALM.
proxy.config.http2.write_buffer_block_size
Scope CONFIG.TP Type INT.TP Default 262144.TP Units bytes.TP Reloadable Yes.UNINDENT
Specifies the size of a buffer block that is used for buffering outgoing HTTP/2
frames. The size will be rounded up based on power of 2.
proxy.config.http2.write_size_threshold
Scope CONFIG.TP Type FLOAT.TP Default 0.5.TP Reloadable Yes.UNINDENT Specifies the size
threshold for triggering write operation for sending HTTP/2 frames. The default
value is 0.5 and it measn write operation is going to be triggered when half or
more of the buffer is occupied.
proxy.config.http2.write_time_threshold
Scope CONFIG.TP Type INT.TP Default 100.TP Units milliseconds.TP Reloadable Yes.UNINDENT
Specifies the time threshold for triggering write operation for sending HTTP/2
frames. Write operation will be triggered at least once every this configured
number of millisecond regardless of pending data size.
proxy.config.http2.default_buffer_water_mark
Scope CONFIG.TP Type INT.TP Default -1.TP Units bytes.TP Reloadable Yes.UNINDENT
Specifies the high water mark for all HTTP/2 frames on an outoging connection.
Default is -1 to preserve existing water marking behavior.
You can override this global setting on a per domain basis in the sni.yaml file
using the http2_buffer_water_mark attribute.
HTTP/3 CONFIGURATION
There is no configuration available yet on this release.
QUIC CONFIGURATION
All configurations for QUIC are still experimental and may be changed or removed in the
future without prior notice.
proxy.config.quic.qlog_dir
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT
The qlog is enabled when this configuration is not NULL. And will dump the qlog to this
dir.
proxy.config.quic.instance_id
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT A static key used for
calculating Stateless Reset Token. All instances in a cluster need to share the
same value.
proxy.config.quic.connection_table.size
Scope CONFIG.TP Type INT.TP Default 65521.UNINDENT A size of hash table that stores
connection information.
proxy.config.quic.proxy.config.quic.num_alt_connection_ids
Scope CONFIG.TP Type INT.TP Default 65521.TP Reloadable Yes.UNINDENT A number of
alternate Connection IDs that Traffic Server provides to a peer. It has to be at
least 8.
proxy.config.quic.stateless_retry_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enables Stateless Retry.
proxy.config.quic.client.vn_exercise_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enables version
negotiation exercise on origin server connections.
proxy.config.quic.client.cm_exercise_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enables connection
migration exercise on origin server connections.
proxy.config.quic.server.supported_groups
Scope CONFIG.TP Type STRING.TP Default "P-256:X25519:P-384:P-521".TP Reloadable
Yes.UNINDENT Configures the list of supported groups provided by OpenSSL which will
be used to determine the set of shared groups on QUIC origin server connections.
proxy.config.quic.client.supported_groups
Scope CONFIG.TP Type STRING.TP Default "P-256:X25519:P-384:P-521".TP Reloadable
Yes.UNINDENT Configures the list of supported groups provided by OpenSSL which will
be used to determine the set of shared groups on QUIC client connections.
proxy.config.quic.client.session_file
Scope CONFIG.TP Type STRING.TP Default "".TP Reloadable Yes.UNINDENT Only available for
traffic_quic. If specified, TLS session data will be stored to the file, and will
be used for resuming a session.
proxy.config.quic.no_activity_timeout_in
Scope CONFIG.TP Type INT.TP Default 30000.TP Reloadable Yes.UNINDENT This value will be
advertised as idle_timeout Transport Parameter.
proxy.config.quic.no_activity_timeout_out
Scope CONFIG.TP Type INT.TP Default 30000.TP Reloadable Yes.UNINDENT This value will be
advertised as idle_timeout Transport Parameter.
proxy.config.quic.preferred_address_ipv4
Scope CONFIG.TP Type STRING.TP Default "".TP Reloadable Yes.UNINDENT This value will be
advertised as a part of preferred_address Transport Parameter.
proxy.config.quic.preferred_address_ipv6
Scope CONFIG.TP Type STRING.TP Default "".TP Reloadable Yes.UNINDENT This value will be
advertised as a part of preferred_address Transport Parameter.
proxy.config.quic.initial_max_data_in
Scope CONFIG.TP Type INT.TP Default 65536.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_data Transport Parameter.
proxy.config.quic.initial_max_data_out
Scope CONFIG.TP Type INT.TP Default 65536.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_data Transport Parameter.
proxy.config.quic.max_stream_data_bidi_local_in
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_stream_data_bidi_local Transport Parameter.
proxy.config.quic.max_stream_data_bidi_local_out
Scope CONFIG.TP Type INT.TP Default 4096.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_stream_data_bidi_local Transport Parameter.
proxy.config.quic.max_stream_data_bidi_remote_in
Scope CONFIG.TP Type INT.TP Default 4096.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_stream_data_bidi_remote Transport Parameter.
proxy.config.quic.max_stream_data_bidi_remote_out
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_stream_data_bidi_remote Transport Parameter.
proxy.config.quic.max_stream_data_uni_in
Scope CONFIG.TP Type INT.TP Default 4096.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_stream_data_uni Transport Parameter.
proxy.config.quic.max_stream_data_uni_out
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_stream_data_uni Transport Parameter.
proxy.config.quic.max_streams_bidi_in
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_streams_bidi Transport Parameter.
proxy.config.quic.max_streams_bidi_out
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_streams_bidi Transport Parameter.
proxy.config.quic.max_streams_uni_in
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_streams_uni Transport Parameter.
proxy.config.quic.max_streams_uni_out
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT This value will be
advertised as initial_max_streams_uni Transport Parameter.
proxy.config.quic.ack_delay_exponent_in
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.UNINDENT This value will be
advertised as ack_delay_exponent Transport Parameter.
proxy.config.quic.ack_delay_exponent_out
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.UNINDENT This value will be
advertised as ack_delay_exponent Transport Parameter.
proxy.config.quic.max_ack_delay_in
Scope CONFIG.TP Type INT.TP Default 25.TP Reloadable Yes.UNINDENT This value will be
advertised as max_ack_delay Transport Parameter.
proxy.config.quic.max_ack_delay_out
Scope CONFIG.TP Type INT.TP Default 25.TP Reloadable Yes.UNINDENT This value will be
advertised as max_ack_delay Transport Parameter.
proxy.config.quic.loss_detection.packet_threshold
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.UNINDENT This is just for
debugging. Do not change it from the default value unless you really understand
what this is.
proxy.config.quic.loss_detection.time_threshold
Scope CONFIG.TP Type FLOAT.TP Default 1.25.TP Reloadable Yes.UNINDENT This is just for
debugging. Do not change it from the default value unless you really understand
what this is.
proxy.config.quic.loss_detection.granularity
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT This is just for
debugging. Do not change it from the default value unless you really understand
what this is.
proxy.config.quic.loss_detection.initial_rtt
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT This is just for
debugging. Do not change it from the default value unless you really understand
what this is.
proxy.config.quic.congestion_control.max_datagram_size
Scope CONFIG.TP Type INT.TP Default 1200.TP Reloadable Yes.UNINDENT This is just for
debugging. Do not change it from the default value unless you really understand
what this is.
proxy.config.quic.congestion_control.initial_window
Scope CONFIG.TP Type INT.TP Default 12000.TP Reloadable Yes.UNINDENT This is just for
debugging. Do not change it from the default value unless you really understand
what this is.
proxy.config.quic.congestion_control.minimum_window
Scope CONFIG.TP Type INT.TP Default 2400.TP Reloadable Yes.UNINDENT This is just for
debugging. Do not change it from the default value unless you really understand
what this is.
proxy.config.quic.congestion_control.loss_reduction_factor
Scope CONFIG.TP Type FLOAT.TP Default 0.5.TP Reloadable Yes.UNINDENT This is just for
debugging. Do not change it from the default value unless you really understand
what this is.
proxy.config.quic.congestion_control.persistent_congestion_threshold
Scope CONFIG.TP Type INT.TP Default 2.TP Reloadable Yes.UNINDENT This is just for
debugging. Do not change it from the default value unless you really understand
what this is.
PLUG-IN CONFIGURATION
proxy.config.plugin.plugin_dir
Scope CONFIG.TP Type STRING.TP Default config/plugins.UNINDENT Specifies the location of
Traffic Server plugins.
proxy.config.plugin.dynamic_reload_mode
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) the dynamic
reload feature for remap plugins (remap.config). Global plugins (plugin.config) do
not have dynamic reload feature yet.
proxy.config.plugin.vc.default_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies the buffer index and thus size to use when constructing IO buffers within
the PluginVC. Tuning this can impact performance of intercept plugins. Default is
8, which aligns with the default value of ts:cv:CONFIG
proxy.config.http.default_buffer_size.
proxy.config.plugin.vc.default_buffer_water_mark
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Specifies the buffer water mark size in bytes used to control the flow of data
through IO buffers within the PluginVC. Default is zero to preserve existing
PluginVC water marking behavior.
SOCKS PROCESSOR
proxy.config.socks.socks_needed
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) the SOCKS
processor
proxy.config.socks.socks_version
Scope CONFIG.TP Type INT.TP Default 4.UNINDENT Specifies the SOCKS version (4) or (5)
proxy.config.socks.socks_config_file
Scope CONFIG.TP Type STRING.TP Default socks.config.TP Deprecated Yes.UNINDENT The
socks.config file allows you to specify ranges of IP addresses that will not be
relayed to the SOCKS server. It can also be used to configure AUTH information for
SOCKSv5 servers.
proxy.config.socks.socks_timeout
Scope CONFIG.TP Type INT.TP Default 100.UNINDENT The activity timeout value (in seconds)
for SOCKS server connections.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.socks.server_connect_timeout
Scope CONFIG.TP Type INT.TP Default 10.UNINDENT The timeout value (in seconds) for SOCKS
server connection attempts.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.socks.per_server_connection_attempts
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT The total number of connection attempts
allowed per SOCKS server, if multiple servers are used.
proxy.config.socks.connection_attempts
Scope CONFIG.TP Type INT.TP Default 4.UNINDENT The total number of connection attempts
allowed to a SOCKS server Traffic Server bypasses the server or fails the request
proxy.config.socks.server_retry_timeout
Scope CONFIG.TP Type INT.TP Default 300.UNINDENT The timeout value (in seconds) for SOCKS
server connection retry attempts.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.socks.default_servers
Scope CONFIG.TP Type STRING.TP Default *NONE*.UNINDENT Default list of SOCKS servers and
their ports.
proxy.config.socks.server_retry_time
Scope CONFIG.TP Type INT.TP Default 300.UNINDENT The amount of time allowed between
connection retries to a SOCKS server that is unavailable.
proxy.config.socks.server_fail_threshold
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT The number of times the connection to the
SOCKS server can fail before Traffic Server considers the server unavailable.
proxy.config.socks.accept_enabled
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) the SOCKS
proxy option. As a SOCKS proxy, Traffic Server receives SOCKS traffic (usually on
port 1080) and forwards all requests directly to the SOCKS server.
proxy.config.socks.accept_port
Scope CONFIG.TP Type INT.TP Default 1080.UNINDENT Specifies the port on which Traffic
Server accepts SOCKS traffic.
proxy.config.socks.http_port
Scope CONFIG.TP Type INT.TP Default 80.UNINDENT Specifies the port on which Traffic
Server accepts HTTP proxy requests over SOCKS connections..
SOCKETS
proxy.config.net.defer_accept
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT default: 1 meaning on all Platforms except
Linux: 45 seconds
This directive enables operating system specific optimizations for a listening
socket. defer_accept holds a call to accept(2) back until data has arrived. In
Linux' special case this is up to a maximum of 45 seconds. On FreeBSD, accf_data
module needs to be loaded.
proxy.config.net.listen_backlog
Scope CONFIG.TP Type INT.TP Default -1
:reloadable:.UNINDENT This directive sets the maximum number of pending
connections. If it is set to -1, Traffic Server will automatically set this to a
platform-specific maximum.
proxy.config.net.tcp_congestion_control_in
Scope CONFIG.TP Type STRING.TP Default "".UNINDENT This directive will override the
congestion control algorithm for incoming connections (accept sockets). On Linux,
the allowed values are typically specified in a space separated list in
/proc/sys/net/ipv4/tcp_allowed_congestion_control
proxy.config.net.tcp_congestion_control_out
Scope CONFIG.TP Type STRING.TP Default "".UNINDENT This directive will override the
congestion control algorithm for outgoing connections (connect sockets). On Linux,
the allowed values are typically specified in a space separated list in
/proc/sys/net/ipv4/tcp_allowed_congestion_control
proxy.config.net.sock_send_buffer_size_in
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Sets the send buffer size for connections
from the client to Traffic Server.
proxy.config.net.sock_recv_buffer_size_in
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Sets the receive buffer size for
connections from the client to Traffic Server.
proxy.config.net.sock_option_flag_in
Scope CONFIG.TP Type INT.TP Default 0x1.UNINDENT Turns different options "on" for the
socket handling client connections::
TCP_NODELAY (1)
SO_KEEPALIVE (2)
SO_LINGER (4) - with a timeout of 0 seconds
TCP_FASTOPEN (8)
PACKET_MARK (16)
PACKET_TOS (32)
TCP_NOTSENT_LOWAT (64)
NOTE:
This is a bitmask and you need to decide what bits to set. Therefore, you must set the
value to 3 if you want to enable nodelay and keepalive options above.
NOTE:
To allow TCP Fast Open for client sockets on Linux, bit 2 of the net.ipv4.tcp_fastopen
sysctl must be set.
proxy.config.net.sock_send_buffer_size_out
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Sets the send buffer
size for connections from Traffic Server to the origin server.
proxy.config.net.sock_recv_buffer_size_out
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Sets the receive buffer
size for connections from Traffic Server to the origin server.
proxy.config.net.sock_option_flag_out
Scope CONFIG.TP Type INT.TP Default 0x1.TP Overridable Yes.UNINDENT Turns different
options "on" for the origin server socket::
TCP_NODELAY (1)
SO_KEEPALIVE (2)
SO_LINGER (4) - with a timeout of 0 seconds
TCP_FASTOPEN (8)
PACKET_MARK (16)
PACKET_TOS (32)
TCP_NOTSENT_LOWAT (64)
NOTE:
This is a bitmask and you need to decide what bits to set. Therefore, you must set the
value to 3 if you want to enable nodelay and keepalive options above.
When SO_LINGER is enabled, the linger timeout time is set to 0. This is useful when
Traffic Server and the origin server are co-located and large numbers of sockets are
retained in the TIME_WAIT state.
NOTE:
To allow TCP Fast Open for server sockets on Linux, bit 1 of the net.ipv4.tcp_fastopen
sysctl must be set.
proxy.config.net.sock_mss_in
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Same as the command line option
--accept_mss that sets the MSS for all incoming requests.
proxy.config.net.sock_packet_mark_in
Scope CONFIG.TP Type INT.TP Default 0x0.UNINDENT Set the packet mark on traffic destined
for the client (the packets that make up a client response).
SEE ALSO:
Traffic Shaping
proxy.config.net.sock_packet_mark_out
Scope CONFIG.TP Type INT.TP Default 0x0.TP Overridable Yes.UNINDENT Set the packet mark
on traffic destined for the origin (the packets that make up an origin request).
SEE ALSO:
Traffic Shaping
proxy.config.net.sock_packet_tos_in
Scope CONFIG.TP Type INT.TP Default 0x0.UNINDENT Set the ToS/DiffServ Field on packets
sent to the client (the packets that make up a client response).
SEE ALSO:
Traffic Shaping
proxy.config.net.sock_packet_tos_out
Scope CONFIG.TP Type INT.TP Default 0x0.TP Overridable Yes.UNINDENT Set the ToS/DiffServ
Field on packets sent to the origin (the packets that make up an origin request).
SEE ALSO:
Traffic Shaping
proxy.config.net.sock_notsent_lowat
Scope CONFIG.TP Type INT.TP Default 16384.TP Overridable Yes.UNINDENT Set socket option
TCP_NOTSENT_LOWAT to specified value for a connection
proxy.config.net.poll_timeout
Scope CONFIG.TP Type INT.TP Default 10 (or 30 on Solaris).UNINDENT Same as the command
line option --poll_timeout, or -t, which specifies the timeout used for the polling
mechanism used. This timeout is always in milliseconds (ms). This is the timeout to
epoll_wait() on Linux platforms, and to kevent() on BSD type OSs. The default value
is 10 on all platforms.
Changing this configuration can reduce CPU usage on an idle system, since periodic
tasks gets processed at these intervals. On busy servers, this overhead is
diminished, since polled events triggers more frequently. However, increasing the
setting can also introduce additional latency for certain operations, and timed
events. It's recommended not to touch this setting unless your CPU usage is
unacceptable at idle workload. Some alternatives to this could be:
Reduce the number of worker threads (net-threads)
Reduce the number of disk (AIO) threads
Make sure accept threads are enabled
The relevant configurations for this are:
CONFIG proxy.config.exec_thread.autoconfig INT 0
CONFIG proxy.config.exec_thread.limit INT 2
CONFIG proxy.config.accept_threads INT 1
CONFIG proxy.config.cache.threads_per_disk INT 8
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.task_threads
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT Specifies the number of task threads to
run. These threads are used for various tasks that should be off-loaded from the
normal network threads. You must have at least one task thread available.
proxy.config.allocator.thread_freelist_size
Scope CONFIG.TP Type INT.TP Default 512.UNINDENT Sets the maximum number of elements that
can be contained in a ProxyAllocator (per-thread) before returning the objects to
the global pool. If set to 0, there is no limit enforced.
proxy.config.allocator.thread_freelist_low_watermark
Scope CONFIG.TP Type INT.TP Default 32.UNINDENT Sets the minimum number of items a
ProxyAllocator (per-thread) will guarantee to be holding at any one time.
proxy.config.allocator.hugepages
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enable (1) the use of huge pages on
supported platforms. (Currently only Linux)
You must also enable hugepages at the OS level. In modern Linux kernels, this can
be done by setting /proc/sys/vm/nr_overcommit_hugepages to a sufficiently large
value. It is reasonable to use (system memory/hugepage size) because these pages
are only created on demand.
For more information on the implications of enabling huge pages, see Wikipedia
<http://en.wikipedia.org/wiki/Page_%28computer_memory%29#Page_size_trade-off>_.
proxy.config.dump_mem_info_frequency
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enable <value>. When
enabled makes Traffic Server dump IO Buffer memory information to traffic.out at
<value> (intervals are in seconds). A zero value implies it is disabled
proxy.config.res_track_memory
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT When enabled makes Traffic Server track
memory usage (allocations and releases). This information is dumped to traffic.out
when the user sends a SIGUSR1 signal or periodically when
proxy.config.dump_mem_info_frequency is enabled.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Memory tracking Disabled │
├──────┼──────────────────────────────────┤
│1 │ Tracks IO Buffer Memory │
│ │ allocations and releases │
├──────┼──────────────────────────────────┤
│2 │ Tracks IO Buffer Memory and │
│ │ OpenSSL Memory allocations and │
│ │ releases │
└──────┴──────────────────────────────────┘
proxy.config.allocator.dontdump_iobuffers
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enable (1) the exclusion of IO buffers
from core files when ATS crashes on supported platforms. (Currently only Linux).
IO buffers are allocated with the MADV_DONTDUMP with madvise() on Linux platforms
that support MADV_DONTDUMP. Enabled by default.
proxy.config.ssl.misc.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index
used for various SSL Operations such as Handshake or Protocol Probe. Default value
is 8 which maps to a 32K buffer
proxy.config.hostdb.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index
used for storing HostDB records. Default value is 8 which maps to a 32K buffer
proxy.config.payload.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index
used for storing request payload buffer for a POST request. Default value is 8
which maps to a 32K buffer
proxy.config.msg.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index
used for storing miscellaneous transactional buffers such as error response body.
Default value is 8 which maps to a 32K buffer
proxy.config.log.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index
used for storing an access log entry. Default value is 8 which maps to a 32K
buffer
proxy.config.http.enabled
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Turn on or off support for HTTP proxying.
This is rarely used, the one exception being if you run Traffic Server with a
protocol plugin, and would like for it to not support HTTP requests at all.
proxy.config.http.allow_half_open
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT Turn
on or off support for connection half open for client side. Default is on, so after
client sends FIN, the connection is still there.
proxy.config.http.wait_for_cache
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Accepting inbound connections and starting
the cache are independent operations in Traffic Server. This variable controls the
relative timing of these operations and Traffic Server dependency on cache because
if cache is required then inbound connection accepts should be deferred until the
validity of the cache requirement is determined. Cache initialization failure will
be logged in diags.log.
┌──────┬──────────────────────────────────┐
│Value │ Description │
├──────┼──────────────────────────────────┤
│0 │ Decouple inbound connections and │
│ │ cache initialization. │
│ │ Connections will be accepted as │
│ │ soon as possible and Traffic │
│ │ Server will run regardless of │
│ │ the results of cache │
│ │ initialization. │
├──────┼──────────────────────────────────┤
│1 │ Do not accept inbound │
│ │ connections until cache │
│ │ initialization has finished. │
│ │ Traffic Server will run │
│ │ regardless of the results of │
│ │ cache initialization. │
├──────┼──────────────────────────────────┤
│2 │ Do not accept inbound │
│ │ connections until cache │
│ │ initialization has finished and │
│ │ been sufficiently successful │
│ │ that cache is enabled. This │
│ │ means at least one cache span is │
│ │ usable. If there are no spans in │
│ │ storage.config or none of the │
│ │ spans can be successfully parsed │
│ │ and initialized then Traffic │
│ │ Server will shut down. │
├──────┼──────────────────────────────────┤
│3 │ Do not accept inbound │
│ │ connections until cache │
│ │ initialization has finished and │
│ │ been completely successful. This │
│ │ requires at least one cache span │
│ │ in storage.config and that every │
│ │ span specified is valid and │
│ │ successfully initialized. Any │
│ │ error will cause Traffic Server │
│ │ to shut down. │
└──────┴──────────────────────────────────┘
COPYRIGHT
2023, dev@trafficserver.apache.org