Provided by: swift-proxy_2.33.0-0ubuntu1_all

NAME

       proxy-server.conf - configuration file for the OpenStack Swift proxy server

SYNOPSIS

       proxy-server.conf

DESCRIPTION

       This is the configuration file used by the proxy server and other proxy middlewares.

       The  configuration  file  follows  the python-pastedeploy syntax. The file is divided into
       sections, which are enclosed by square brackets.  Each  section  will  contain  a  certain
       number of key/value parameters which are described later.

       Any line that begins with a '#' symbol is ignored.

       You   can   find   more  information  about  python-pastedeploy  configuration  format  at
       https://docs.pylonsproject.org/projects/pastedeploy/en/latest/#config-format

GLOBAL SECTION

       This is indicated by the section named [DEFAULT]. Below are the parameters that are
       acceptable within this section.

       bind_ip
              IP  address the proxy server should bind to. The default is 0.0.0.0 which will make
              it bind to all available addresses.

       bind_port
              TCP port the proxy server should bind to. The default is 80.

       keep_idle
              Value to set for socket TCP_KEEPIDLE. The default value is 600.

       bind_timeout
              Timeout to bind socket. The default is 30.

       backlog
              TCP backlog.  Maximum number of allowed pending connections. The default  value  is
              4096.

       admin_key
              Key  to  use  for  admin  calls that are HMAC signed.  Default is empty, which will
              disable admin calls to /info.

       disallowed_sections
              Withholds sections from the public calls to /info. You can withhold subsections by
              separating the dict level with a ".". For example, listing container_quotas, tempurl
              and bulk_delete.max_failed_deletes would cause the sections 'container_quotas' and
              'tempurl' to not be listed, and the key max_failed_deletes to be removed from
              bulk_delete. The default value is 'swift.valid_api_versions', which allows all
              registered features to be listed via HTTP GET /info except the
              swift.valid_api_versions information.

       workers
              The number of pre-forked processes that will accept connections. Zero means no
              fork. The default is auto, which will make the server try to match the number of
              effective CPU cores if python multiprocessing is available (included with most
              python distributions >= 2.6) or fall back to one. It's worth noting that individual
              workers will use many eventlet co-routines to service multiple concurrent requests.

       max_clients
              Maximum  number  of clients one worker can process simultaneously (it will actually
              accept(2) N + 1). Setting this to one (1) will only handle one request at  a  time,
              without accepting another request concurrently.  The default is 1024.

       user   The system user that the proxy server will run as. The default is swift.

       expose_info
              Enables exposing configuration settings via HTTP GET /info. The default is true.

       swift_dir
              Swift configuration directory. The default is /etc/swift.

       cert_file
              Location  of  the  SSL  certificate file. The default path is /etc/swift/proxy.crt.
              This is disabled by default.

       key_file
              Location of the SSL certificate key file. The default path is /etc/swift/proxy.key.
              This is disabled by default.

       expiring_objects_container_divisor
              The default is 86400.

       expiring_objects_account_name
              The default is 'expiring_objects'.

       log_name
              Label used when logging. The default is swift.

       log_facility
              Syslog log facility. The default is LOG_LOCAL0.

       log_level
              Logging level. The default is INFO.

       log_address
              Logging address. The default is /dev/log.

       log_max_line_length
              Caps the length of log lines at the value given. No limit if set to 0, the
              default.

       log_headers
              The default is false.

       log_custom_handlers
              Comma separated list of functions to call to set up custom log handlers. Functions
              get passed: conf, name, log_to_console, log_route, fmt, logger, adapted_logger. The
              default is empty.

       log_udp_host
              If set, log_udp_host will override log_address.

       log_udp_port
              UDP log port, the default is 514.

       log_statsd_host
              StatsD server. IPv4/IPv6 addresses and  hostnames  are  supported.  If  a  hostname
              resolves to an IPv4 and IPv6 address, the IPv4 address will be used.

       log_statsd_port
              The default is 8125.

       log_statsd_default_sample_rate
              The default is 1.

       log_statsd_sample_rate_factor
              The default is 1.

       log_statsd_metric_prefix
              The default is empty.

       client_timeout
              Time  to  wait  while receiving each chunk of data from a client or another backend
              node. The default is 60.

       eventlet_debug
              Debug mode for eventlet library. The default is false.

       trans_id_suffix
              Optional suffix (default is empty) appended to the swift transaction id, which
              makes it easy to tell which cluster an X-Trans-Id belongs to. This is very useful
              when managing more than one swift cluster.

       cors_allow_origin
              List of origin hosts that are allowed for CORS requests in addition to what the
              container has set. Use a comma separated list of full URLs
              (http://foo.bar:1234,https://foo.bar).

       strict_cors_mode
              If True (default) then CORS requests  are  only  allowed  if  their  Origin  header
              matches an allowed origin. Otherwise, any Origin is allowed.

       cors_expose_headers
              Comma separated list of headers to expose through Access-Control-Expose-Headers, in
              addition to the defaults and any headers set in container metadata.

       nice_priority
              Modify scheduling priority of server processes.  Niceness  values  range  from  -20
              (most  favorable  to  the  process)  to  19  (least favorable to the process).  The
              default does not modify priority.

       ionice_class
              Modify I/O scheduling class of server processes. I/O niceness class values are
              IOPRIO_CLASS_RT (realtime), IOPRIO_CLASS_BE (best-effort) and IOPRIO_CLASS_IDLE
              (idle). The default does not modify class and priority. Works only with
              ionice_priority.

       ionice_priority
              Modify I/O scheduling priority of server processes. I/O niceness priority is a
              number which goes from 0 to 7. The higher the value, the lower the I/O priority of
              the process. Works only with ionice_class. Ignored if IOPRIO_CLASS_IDLE is set.

PIPELINE SECTION

       This is indicated by the section named [pipeline:main]. Below are the parameters that are
       acceptable within this section.

       pipeline
              It is used when you need to apply a number of filters. It is a list of filters ended
              by an application. The normal pipeline is "catch_errors gatekeeper healthcheck
              proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas
              account-quotas slo dlo versioned_writes proxy-logging proxy-server".

              Note:  The  double  proxy-logging  in  the pipeline is not a mistake. The left-most
              proxy-logging is there to log requests that were handled in  middleware  and  never
              made  it through to the right-most middleware (and proxy server). Double logging is
              prevented for normal requests. See proxy-logging docs.

FILTER SECTION

       Any section that has its name prefixed by "filter:" indicates a filter  section.   Filters
       are  used  to  specify configuration parameters for specific swift middlewares.  Below are
       the filters available and respective acceptable parameters.

       [filter:healthcheck]

          use    Entry point for  paste.deploy  for  the  healthcheck  middleware.  This  is  the
                 reference to the installed python egg.  This is normally egg:swift#healthcheck.

          disable_path
                 An optional filesystem path which, if present, will cause the healthcheck URL to
                 return "503 Service Unavailable" with a body of "DISABLED BY FILE".

       [filter:tempauth]

          use    Entry point for paste.deploy for the tempauth middleware. This is the  reference
                 to the installed python egg.  This is normally egg:swift#tempauth.

          set log_name
                 Label used when logging. The default is tempauth.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

          reseller_prefix
                 The  reseller  prefix  will  verify  a token begins with this prefix before even
                 attempting to validate it. Also, with authorization, only Swift storage accounts
                 with  this prefix will be authorized by this middleware. Useful if multiple auth
                 systems are in use for one Swift cluster. The default is AUTH.

          auth_prefix
                 The auth prefix will cause requests beginning with this prefix to be  routed  to
                 the auth subsystem, for granting tokens, etc. The default is /auth/.

          require_group
                 The require_group parameter names a group that must be presented by either
                 X-Auth-Token or X-Service-Token. Usually this parameter is used only with multiple
                 reseller prefixes (e.g., SERVICE_require_group=blah). By default, no group is
                 needed. Do not use .admin.

          token_life
                 This is the time in seconds before the token expires. The default is 86400.

          allow_overrides
                 This allows middleware higher in the WSGI pipeline to override auth  processing,
                 useful for middleware such as tempurl and formpost. If you know you're not going
                 to use such middleware and you want a bit of extra security, you can set this to
                 false. The default is true.

          storage_url_scheme
                 This specifies what scheme to return with storage urls: http, https, or default
                 (chooses based on what the server is running as). This can be useful with an SSL
                 load balancer in front of a non-SSL server.

          user_<account>_<user>
                 Lastly, you need to list all the accounts/users you want here. The format is:

                 user_<account>_<user> = <key> [group] [group] [...] [storage_url]

                 or, if you want underscores in <account> or <user>, you can base64 encode them
                 (with no equal signs) and use this format:

                 user64_<account_b64>_<user_b64> = <key> [group] [group] [...] [storage_url]

                 There  are special groups of: .reseller_admin who can do anything to any account
                 for this auth and also .admin who can do anything within the account.

                 If neither of these groups are specified, the user can  only  access  containers
                 that  have been explicitly allowed for them by a .admin or .reseller_admin.  The
                 trailing optional storage_url allows you to specify an  alternate  URL  to  hand
                 back  to  the  user  upon  authentication.  If  not  specified, this defaults to
                 http[s]://<ip>:<port>/v1/<reseller_prefix>_<account> where http or https depends
                 on  whether cert_file is specified in the [DEFAULT] section, <ip> and <port> are
                 based on  the  [DEFAULT]  section's  bind_ip  and  bind_port  (falling  back  to
                 127.0.0.1  and  8080),  <reseller_prefix> is from this section, and <account> is
                 from the user_<account>_<user> name.

                 Here are example entries, required for running the tests:

                 user_admin_admin = admin .admin .reseller_admin
                 user_test_tester = testing .admin
                 user_test2_tester2 = testing2 .admin
                 user_test_tester3 = testing3
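
       The user_/user64_ entry format above, parsed and audited in Python. This is an added
       example, not code from Swift or from the original page; the user64_ entry with its key and
       URL is constructed, and treating a trailing field that contains "://" as the storage_url
       is an assumption.

```python
import base64
import configparser

# Constructed sample: the four test entries from the man page plus one
# hypothetical user64_ entry (account "my_acct", user "ops_user").
SAMPLE_CONF = """
[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3
user64_bXlfYWNjdA_b3BzX3VzZXI = s3cr3t-constructed .admin https://swift.example.test/v1/AUTH_my_acct
"""

# (account, user, key) triples the man page lists as entries for the tests.
TEST_ENTRIES = {
    ("admin", "admin", "admin"),
    ("test", "tester", "testing"),
    ("test2", "tester2", "testing2"),
    ("test", "tester3", "testing3"),
}


def b64decode_unpadded(text):
    """Decode base64 written with no equal signs, as user64_ names require."""
    return base64.b64decode(text + "=" * (-len(text) % 4)).decode("utf-8")


def parse_user_entry(option, value):
    """Split one entry into account, user, key, groups and storage_url."""
    parts = option.split("_")
    # A plain user_ name with extra underscores is ambiguous; the page says
    # such names must use the user64_ form instead.
    if len(parts) != 3 or parts[0] not in ("user", "user64") or not all(parts):
        raise ValueError("ambiguous or malformed entry name: %r" % option)
    account, user = parts[1], parts[2]
    if parts[0] == "user64":
        account, user = b64decode_unpadded(account), b64decode_unpadded(user)
    fields = value.split()
    if not fields:
        raise ValueError("no key given for %r" % option)
    key, groups = fields[0], fields[1:]
    storage_url = None
    if groups and "://" in groups[-1]:  # assumption: a URL is the last field
        storage_url = groups.pop()
    return {"account": account, "user": user, "key": key,
            "groups": groups, "storage_url": storage_url}


def load_users(conf_text):
    """Read every user_/user64_ entry from the [filter:tempauth] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep case: base64 names are case-sensitive
    parser.read_string(conf_text)
    section = parser["filter:tempauth"]
    return [parse_user_entry(name, value) for name, value in section.items()
            if name.startswith(("user_", "user64_"))]


def audit_users(users):
    """Return (who, finding) pairs worth reviewing before deployment."""
    findings = []
    for entry in users:
        who = "%s:%s" % (entry["account"], entry["user"])
        if (entry["account"], entry["user"], entry["key"]) in TEST_ENTRIES:
            findings.append((who, "test-suite credential from the man page"))
        if ".reseller_admin" in entry["groups"]:
            findings.append((who, "can do anything to any account (.reseller_admin)"))
        if entry["storage_url"] and entry["storage_url"].startswith("http://"):
            findings.append((who, "storage_url is handed back over plain http"))
    return findings


if __name__ == "__main__":
    for who, finding in audit_users(load_users(SAMPLE_CONF)):
        print(who, "-", finding)
```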

       [filter:authtoken]

       To enable Keystone authentication, the auth token middleware must be configured first. An
       example is given below; please refer to Keystone's documentation for details about the
       different settings.

       You also need to enable the keystoneauth middleware and have it in your main pipeline, so
       instead of having tempauth in there you can change it to: authtoken keystoneauth

       The auth credentials ("project_domain_name", "user_domain_name", "username",
       "project_name", "password") must match the Keystone credentials for the Swift service.
       The example values shown here assume a user named "swift" with admin role on a project
       named "service", both being in the Keystone domain with id "default". Refer to the
       KeystoneMiddleware documentation at
       https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html#configuration
       for other examples.

                 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
                 www_authenticate_uri = http://keystonehost:5000
                 auth_url = http://keystonehost:5000
                 auth_plugin = password
                 project_domain_id = default
                 user_domain_id = default
                 project_name = service
                 username = swift
                 password = password

                 # delay_auth_decision defaults to False, but leaving it as false will
                 # prevent other auth systems, staticweb, tempurl, formpost, and ACLs from
                 # working. This value must be explicitly set to True.
                 delay_auth_decision = False
                 cache = swift.cache
                 include_service_catalog = False

       [filter:keystoneauth]

       Keystone authentication middleware.

          use    Entry point for paste.deploy  for  the  keystoneauth  middleware.  This  is  the
                 reference to the installed python egg.  This is normally egg:swift#keystoneauth.

          reseller_prefix
                 The  reseller_prefix  option  lists  account  namespaces that this middleware is
                 responsible for. The prefix is placed  before  the  Keystone  project  id.   For
                 example,   for   project  12345678,  and  prefix  AUTH,  the  account  is  named
                 AUTH_12345678 (i.e.,  path  is  /v1/AUTH_12345678/...).   Several  prefixes  are
                 allowed  by  specifying  a  comma-separated list as in: "reseller_prefix = AUTH,
                 SERVICE". The empty string indicates a single blank/empty prefix.  If  an  empty
                 prefix  is  required  in  a  list  of  prefixes, a value of '' (two single quote
                 characters) indicates a blank/empty prefix. Except for the  blank/empty  prefix,
                 an underscore ('_') character is appended to the value unless already present.

          operator_roles
                 The  user  must  have  at least one role named by operator_roles on a project in
                 order to create, delete and modify containers and objects and to  set  and  read
                 privileged  headers  such  as ACLs.  If there are several reseller prefix items,
                 you can prefix the parameter so it applies only to those accounts  (for  example
                 the parameter SERVICE_operator_roles applies to the /v1/SERVICE_<project> path).
                 If you omit the prefix, the option applies to all reseller prefix items. For the
                 blank/empty  prefix,  prefix with '' (do not put underscore after the two single
                 quote characters).

          reseller_admin_role
                 The reseller admin role has the ability to create and delete accounts.

          allow_overrides
                 This allows middleware higher in the WSGI pipeline to override auth  processing,
                 useful for middleware such as tempurl and formpost. If you know you're not going
                 to use such middleware and you want a bit of extra security, you can set this to
                 false.

          service_roles
                 If the service_roles parameter is present, an X-Service-Token must be present in
                 the request that when  validated,  grants  at  least  one  role  listed  in  the
                 parameter.  The  X-Service-Token  may  be  scoped  to any project.  If there are
                 several reseller prefix items, you can prefix the parameter so it  applies  only
                 to  those  accounts  (for example the parameter SERVICE_service_roles applies to
                 the /v1/SERVICE_<project> path). If you omit the prefix, the option  applies  to
                 all  reseller  prefix  items. For the blank/empty prefix, prefix with '' (do not
                 put  underscore  after  the  two  single  quote  characters).   By  default,  no
                 service_roles are required.

          default_domain_id
                 For backwards compatibility, keystoneauth will match names in cross-tenant
                 access control lists (ACLs) when both the requesting user and the tenant are in
                 the default domain, i.e. the domain to which existing tenants are migrated. The
                 default_domain_id value configured here should be the same as the value used
                 during migration of tenants to keystone domains.

          allow_names_in_acls
                 For a new installation, or an installation in which keystone projects may move
                 between domains, you should disable backwards compatible name matching in ACLs
                 by setting allow_names_in_acls to false.

       [filter:cache]

       Caching middleware that manages caching in swift.

          use    Entry  point for paste.deploy for the memcache middleware. This is the reference
                 to the installed python egg.  This is normally egg:swift#memcache.

          set log_name
                 Label used when logging. The default is memcache.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

          memcache_max_connections
                 Sets the maximum number of connections to each memcached server per worker.

          memcache_servers
                 If not set in the configuration file, the value  for  memcache_servers  will  be
                 read  from  /etc/swift/memcache.conf  (see memcache.conf-sample) or lacking that
                 file, it will default to  127.0.0.1:11211.  You  can  specify  multiple  servers
                 separated  with  commas,  as in: 10.1.2.3:11211,10.1.2.4:11211.  (IPv6 addresses
                 must follow rfc3986 section-3.2.2, i.e. [::1]:11211)

       [filter:ratelimit]

       Rate limits requests on both an Account and Container level.  Limits are configurable.

          use    Entry point for paste.deploy for the ratelimit middleware. This is the reference
                 to the installed python egg.  This is normally egg:swift#ratelimit.

          set log_name
                 Label used when logging. The default is ratelimit.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

          clock_accuracy
                 This should represent how accurate the proxy servers' system clocks are with
                 each other. 1000 means that all the proxies' clocks are accurate to each other
                 within 1 millisecond. No ratelimit should be higher than the clock accuracy.
                 The default is 1000.

          max_sleep_time_seconds
                 App will immediately return a 498 response if  the  necessary  sleep  time  ever
                 exceeds the given max_sleep_time_seconds. The default is 60 seconds.

          log_sleep_time_seconds
                 To allow visibility into rate limiting, set this value > 0 and all sleeps greater
                 than the number will be logged. Setting it to 0 disables this. The default is 0.

          rate_buffer_seconds
                 Number of seconds the rate counter can drop and be allowed to  catch  up  (at  a
                 faster  than  listed rate). A larger number will result in larger spikes in rate
                 but better average accuracy. The default is 5.

          account_ratelimit
                 If set, will limit PUT and DELETE requests to /account_name/container_name.
                 Number is in requests per second. Setting it to 0 disables this. The default is 0.

          container_ratelimit_size
                 When  set  with  container_limit_x = r: for containers of size x, limit requests
                 per second to r. Will limit PUT,  DELETE,  and  POST  requests  to  /a/c/o.  The
                 default is ''.

          container_listing_ratelimit_size
                 Similarly  to  the  above container-level write limits, the following will limit
                 container GET (listing) requests.

       [filter:domain_remap]

       Middleware that translates container and account parts of a domain to path parameters that
       the proxy server understands. The container.account.storageurl/object gets translated to
       container.account.storageurl/path_root/account/container/object and
       account.storageurl/path_root/container/object gets translated to
       account.storageurl/path_root/account/container/object.

          use    Entry point for paste.deploy  for  the  domain_remap  middleware.  This  is  the
                 reference to the installed python egg.  This is normally egg:swift#domain_remap.

          set log_name
                 Label used when logging. The default is domain_remap.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

          storage_domain
                 The  domain  to  be  used  by  the middleware. Multiple domains can be specified
                 separated by a comma.

          path_root
                 The path root value for the storage URL. The default is v1.

          reseller_prefixes
                 Browsers can convert a host header to lowercase, so check that  reseller  prefix
                 on  the  account is the correct case. This is done by comparing the items in the
                 reseller_prefixes config option to the found prefix. If they  match  except  for
                 case, the item from reseller_prefixes will be used instead of the found reseller
                 prefix. When none match, the default reseller prefix is used.  When  no  default
                 reseller  prefix  is  configured, any request with an account prefix not in that
                 list will be ignored by this middleware.  Defaults to 'AUTH'.

          default_reseller_prefix
                 The  default  reseller  prefix.  This  is  used  when  none  of  the  configured
                 reseller_prefixes match. When not set, no reseller prefix is added.

       [filter:catch_errors]

          use    Entry  point  for  paste.deploy  for  the  catch_errors  middleware. This is the
                 reference to the installed python egg.  This is normally egg:swift#catch_errors.

          set log_name
                 Label used when logging. The default is catch_errors.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

       [filter:cname_lookup]

       Note: this middleware requires python-dnspython

          use    Entry point for paste.deploy  for  the  cname_lookup  middleware.  This  is  the
                 reference to the installed python egg.  This is normally egg:swift#cname_lookup.

          set log_name
                 Label used when logging. The default is cname_lookup.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

          storage_domain
                 The domain to be used by the middleware.

          lookup_depth
                 How  deep  in  the  CNAME  chain  to look for something that matches the storage
                 domain.  The default is 1.

          nameservers
                 Specify the nameservers to use to do the CNAME resolution. If unset, the  system
                 configuration  is  used.  Multiple  nameservers  can be specified separated by a
                 comma.  Default is unset.

       [filter:staticweb]

       Note: Put staticweb just after your auth filter(s) in the pipeline

          use    Entry point for paste.deploy for the staticweb middleware. This is the reference
                 to the installed python egg.  This is normally egg:swift#staticweb.

          set log_name
                 Label used when logging. The default is staticweb.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

       [filter:tempurl]

       Note: Put tempurl before slo, dlo, and your auth filter(s) in the pipeline

          use    Entry  point  for paste.deploy for the tempurl middleware. This is the reference
                 to the installed python egg.  This is normally egg:swift#tempurl.

          methods
                 The methods allowed with Temp URLs. The default is 'GET HEAD PUT POST DELETE'.

          incoming_remove_headers
                 The headers to remove from incoming requests. Simply a whitespace delimited list
                 of  header  names  and  names  can  optionally end with '*' to indicate a prefix
                 match. incoming_allow_headers is a list of exceptions to these removals.

          incoming_allow_headers
                 The  headers  allowed  as  exceptions  to  incoming_remove_headers.   Simply   a
                 whitespace  delimited list of header names and names can optionally end with '*'
                 to indicate a prefix match.

          outgoing_remove_headers
                 The headers to remove from outgoing responses.  Simply  a  whitespace  delimited
                 list  of header names and names can optionally end with '*' to indicate a prefix
                 match. outgoing_allow_headers is a list of exceptions to these removals.

          outgoing_allow_headers
                 The  headers  allowed  as  exceptions  to  outgoing_remove_headers.   Simply   a
                 whitespace  delimited list of header names and names can optionally end with '*'
                 to indicate a prefix match.

       [filter:formpost]

       Note: Put formpost just before your auth filter(s) in the pipeline

          use    Entry point for paste.deploy for the formpost middleware. This is the  reference
                 to the installed python egg.  This is normally egg:swift#formpost.

       [filter:name_check]

       Note: Just needs to be placed before the proxy-server in the pipeline.

          use    Entry  point  for  paste.deploy  for  the  name_check  middleware.  This  is the
                 reference to the installed python egg.  This is normally egg:swift#name_check.

          forbidden_chars
                 Characters that will not be allowed in a name. The default is '"`<>.

          maximum_length
                 Maximum number of characters that can be in the name. The default is 255.

          forbidden_regexp
                 Python regular expressions of substrings that will not be allowed in a name. The
                 default is /\./|/\.\./|/\.$|/\.\.$.
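
       The placement notes given for staticweb, tempurl, formpost and name_check, together with
       the rules in the PIPELINE SECTION, can be checked mechanically before a configuration is
       deployed. This is an added example, not code from Swift or from the original page; it
       assumes the filters are named as in the man page's pipelines and checks relative order
       only, not adjacency.

```python
# Filter names as they appear in the man page's pipelines (assumption: the
# deployment names its [filter:...] sections the same way).
AUTH_FILTERS = ("tempauth", "authtoken", "keystoneauth")

# The "normal pipeline" quoted in the PIPELINE SECTION.
NORMAL_PIPELINE = (
    "catch_errors gatekeeper healthcheck proxy-logging cache container_sync "
    "bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo "
    "versioned_writes proxy-logging proxy-server"
)


def lint_pipeline(pipeline):
    """Return a list of ordering problems; an empty list means none found."""
    names = pipeline.split()
    problems = []

    # A pipeline is a list of filters ended by an application. This also
    # covers name_check, which only has to sit before proxy-server.
    if not names or names[-1] != "proxy-server":
        problems.append("pipeline must end with the proxy-server application")

    filters = [name for name in names if name != "proxy-server"]
    auth = [i for i, name in enumerate(filters) if name in AUTH_FILTERS]

    def at(name):
        """Index of the first occurrence of a filter, or None if absent."""
        return filters.index(name) if name in filters else None

    if not auth:
        problems.append("no auth filter (tempauth, or authtoken keystoneauth)")

    # The Keystone setup replaces tempauth with "authtoken keystoneauth".
    if at("keystoneauth") is not None:
        if at("authtoken") is None or at("authtoken") > at("keystoneauth"):
            problems.append("keystoneauth needs authtoken before it")

    tempurl, formpost, staticweb = at("tempurl"), at("formpost"), at("staticweb")

    # tempurl goes before slo, dlo and the auth filter(s).
    if tempurl is not None:
        for later in ("slo", "dlo"):
            if at(later) is not None and at(later) < tempurl:
                problems.append("tempurl must come before " + later)
        if auth and tempurl > auth[0]:
            problems.append("tempurl must come before the auth filter(s)")

    # formpost goes before the auth filter(s), staticweb after them.
    if formpost is not None and auth and formpost > auth[0]:
        problems.append("formpost must come before the auth filter(s)")
    if staticweb is not None and auth and staticweb < auth[-1]:
        problems.append("staticweb must come after the auth filter(s)")

    # The left-most proxy-logging logs requests answered inside middleware.
    if filters.count("proxy-logging") < 2:
        problems.append("expected proxy-logging twice in the pipeline")

    return problems


if __name__ == "__main__":
    # Constructed misordered pipeline for demonstration.
    bad = ("catch_errors proxy-logging cache staticweb tempauth tempurl "
           "slo proxy-server")
    for problem in lint_pipeline(bad):
        print(problem)
```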

       [filter:list-endpoints]

          use    Entry  point  for  paste.deploy  for  the list_endpoints middleware. This is the
                 reference    to    the    installed    python    egg.     This    is    normally
                 egg:swift#list_endpoints.

          list_endpoints_path
                 The default is '/endpoints/'.

       [filter:proxy-logging]

       Logging  for the proxy server now lives in this middleware.  If the access_* variables are
       not set, logging directives from [DEFAULT] without "access_" will be used.

          use    Entry point for paste.deploy for  the  proxy_logging  middleware.  This  is  the
                 reference    to    the    installed    python    egg.     This    is    normally
                 egg:swift#proxy_logging.

          access_log_name
                 Label used when logging. The default is proxy-server.

          access_log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          access_log_level
                 Logging level. The default is INFO.

          access_log_address
                 Default is /dev/log.

          access_log_udp_host
                 If set, access_log_udp_host will override access_log_address.  Default is unset.

          access_log_udp_port
                 Default is 514.

          access_log_statsd_host
                 You can use log_statsd_* from [DEFAULT], or override them here.  StatsD  server.
                 IPv4/IPv6  addresses  and  hostnames are supported. If a hostname resolves to an
                 IPv4 and IPv6 address, the IPv4 address will be used.

          access_log_statsd_port
                 Default is 8125.

          access_log_statsd_default_sample_rate
                 Default is 1.

          access_log_statsd_sample_rate_factor
                 The default is 1.

          access_log_statsd_metric_prefix
                 Default is "" (empty-string)

          access_log_headers
                 Default is False.

          access_log_headers_only
                 If access_log_headers is True and access_log_headers_only is set, only these
                 headers are logged. Multiple headers can be given as a comma-separated list, like
                 this: access_log_headers_only = Host, X-Object-Meta-Mtime

          reveal_sensitive_prefix
                 By  default,  the  X-Auth-Token  is  logged.   To   obscure   the   value,   set
                 reveal_sensitive_prefix to the number of characters to log.  For example, if set
                 to 12, only the first 12 characters of the token appear in the log. Unauthorized
                 access to the log file then won't allow unauthorized usage of the token.
                 However, the first 12 or so characters are unique enough that you can trace/debug
                 token usage. Set to 0 to suppress the token completely (replaced by '...' in the
                 log). The default is 16 chars.  Note: reveal_sensitive_prefix  will  not  affect
                 the value logged with access_log_headers=True.

          log_statsd_valid_http_methods
                 What  HTTP  methods  are allowed for StatsD logging (comma-sep); request methods
                 not in this list will have "BAD_METHOD" for the <verb> portion  of  the  metric.
                 Default is "GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS".

          log_anonymization_method
                 Hashing algorithm for anonymization. Must be one of the algorithms supported by
                 Python's hashlib. Default is MD5.

          log_anonymization_salt
                 Salt added as prefix before hashing the value to anonymize. Default is empty (no
                 salt).

          log_msg_template
                 Template used to format access logs. All words surrounded by curly brackets will
                 be substituted with the appropriate values.

                 Some keywords map to timestamps and can be converted to standard date formats
                 using the matching transformers: 'datetime', 'asctime' or 'iso8601'.
                 Other transformers for timestamps are 's', 'ms', 'us' and 'ns' for seconds,
                 milliseconds, microseconds and nanoseconds.
                 Python's strftime directives can also be used as transformers (a, A, b, B, c, d,
                 H, I, j, m, M, p, S, U, w, W, x, X, y, Y, Z).
                 Some keywords map to user data that could be anonymized by using the transformer
                 'anonymized'.
                 Available keywords are:
                        client_ip              (anonymizable)
                        remote_addr            (anonymizable)
                        method                 (request method)
                        path                   (anonymizable)
                        protocol
                        status_int
                        referer                (anonymizable)
                        user_agent             (anonymizable)
                        auth_token
                        bytes_recvd            (number of bytes received)
                        bytes_sent             (number of bytes sent)
                        client_etag            (anonymizable)
                        transaction_id
                        headers                (anonymizable)
                        request_time           (difference between start and end timestamps)
                        source
                        log_info
                        start_time             (timestamp when the request was received, timestamp)
                        end_time               (timestamp when processing ended, timestamp)
                        ttfb                   (duration between the request and the first bytes being sent)
                        policy_index
                        account                (account name, anonymizable)
                        container              (container name, anonymizable)
                        object                 (object name, anonymizable)
                        pid                    (PID of the process emitting the log line)

                 Example: '{client_ip.anonymized}  {remote_addr.anonymized}  {start_time.iso8601}
                 {end_time.H}:{end_time.M}       {method}      acc:{account}      cnt:{container}
                 obj:{object.anonymized}'

                 Default:  '{client_ip}   {remote_addr}   {end_time.datetime}   {method}   {path}
                 {protocol}   {status_int}   {referer}  {user_agent}  {auth_token}  {bytes_recvd}
                 {bytes_sent} {client_etag} {transaction_id}  {headers}  {request_time}  {source}
                 {log_info} {start_time} {end_time} {policy_index}'

                 Warning: A bad log message template will raise an error in initialization.
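How reveal_sensitive_prefix, the 'anonymized' transformer and template validation fit together, as an added sketch that is not Swift's own code. The request values, the salt and the bare hex digest output are constructed for the example, and only two keywords are treated as anonymizable here.

```python
import hashlib

# Constructed request fields, not taken from a real log.
REQUEST = {
    "client_ip": "203.0.113.7",
    "method": "GET",
    "path": "/v1/AUTH_demo/photos/cat.jpg",
    "status_int": "200",
    "auth_token": "gAAAAABconstructedTokenValue0123456789",
}
TEMPLATE = "{client_ip.anonymized} {method} {path} {status_int} {auth_token}"
ANONYMIZABLE = {"client_ip", "path"}  # subset of the page's list, for brevity


class LogField(str):
    """A keyword value whose '.anonymized' form is hash(salt + value)."""

    def __new__(cls, value, method="md5", salt=""):
        method = method.lower()
        # SHAKE digests need an explicit length, so this sketch leaves them out.
        if method not in hashlib.algorithms_guaranteed or method.startswith("shake"):
            raise ValueError("unsupported log_anonymization_method: %r" % method)
        field = super().__new__(cls, value or "")
        field.method, field.salt = method, salt
        return field

    @property
    def anonymized(self):
        if not self:
            return ""
        digest = hashlib.new(self.method)
        digest.update(self.salt.encode("utf-8"))  # salt goes in as a prefix
        digest.update(self.encode("utf-8"))
        return digest.hexdigest()


def mask_token(token, reveal_sensitive_prefix=16):
    """Keep the first N characters of X-Auth-Token; 0 leaves only '...'."""
    return token[:reveal_sensitive_prefix] + "..." if token else token


def render(template, request, method="md5", salt="", reveal_sensitive_prefix=16):
    """Fill the template; '{keyword.anonymized}' resolves via attribute access."""
    fields = {key: LogField(val, method, salt) if key in ANONYMIZABLE else val
              for key, val in request.items()}
    fields["auth_token"] = mask_token(request.get("auth_token", ""),
                                      reveal_sensitive_prefix)
    return template.format(**fields)


def check_template(template):
    """Reject a bad template at start-up instead of on the first request."""
    try:
        render(template, dict.fromkeys(REQUEST, "x"))
    except (KeyError, AttributeError, IndexError, ValueError) as err:
        raise ValueError("bad log_msg_template: %r" % (err,))


if __name__ == "__main__":
    check_template(TEMPLATE)
    print(render(TEMPLATE, REQUEST, method="sha256", salt="constructed-salt",
                 reveal_sensitive_prefix=12))
```

The same salt gives the same digest for the same client, so lines can still be correlated without the address appearing in the log.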

       [filter:bulk]

       Note: Put before both ratelimit and auth in the pipeline.

          use    Entry  point  for paste.deploy for the bulk middleware. This is the reference to
                 the installed python egg.  This is normally egg:swift#bulk.

          max_containers_per_extraction
                 The default is 10000.

          max_failed_extractions
                 The default is 1000.

          max_deletes_per_request
                 The default is 10000.

          max_failed_deletes
                 The default is 1000.

          yield_frequency
                 In order to keep a connection active during a potentially long bulk request,
                 Swift may return whitespace prepended to the actual response body. This
                 whitespace will be yielded no more than every yield_frequency seconds. The
                 default is 10.

          delete_container_retry_count
                 Note: This parameter is used during a bulk delete of objects and their
                 container. This would frequently fail because it is very likely that not all
                 replicated objects have been deleted by the time the middleware gets a
                 successful response. This parameter sets the number of retries; the number
                 of seconds to wait between each retry will be 1.5**retry. The default is 0.

       [filter:slo]

       Note: Put after auth and staticweb in the pipeline.

          use    Entry  point  for  paste.deploy for the slo middleware. This is the reference to
                 the installed python egg.  This is normally egg:swift#slo.

          max_manifest_segments
                 The default is 1000.

          max_manifest_size
                 The default is 2097152.

          min_segment_size
                 The default is 1048576.

          rate_limit_after_segment
                 Start rate-limiting object segments after the Nth segment of a segmented object.
                 The default is 10 segments.

          rate_limit_segments_per_sec
                 Once  segment  rate-limiting  kicks in for an object, limit segments served to N
                 per second. The default is 1.

          max_get_time
                 Time limit on GET requests (seconds). The default is 86400.

       [filter:dlo]

       Note: Put after auth and staticweb in the pipeline.  If you don't put it in the  pipeline,
       it will be inserted for you.

          use    Entry  point  for  paste.deploy for the dlo middleware. This is the reference to
                 the installed python egg.  This is normally egg:swift#dlo.

          rate_limit_after_segment
                 Start rate-limiting object segments after the Nth segment of a segmented object.
                 The default is 10 segments.

          rate_limit_segments_per_sec
                 Once  segment  rate-limiting  kicks in for an object, limit segments served to N
                 per second. The default is 1.

          max_get_time
                 Time limit on GET requests (seconds). The default is 86400.

       [filter:container-quotas]

       Note: Put after auth in the pipeline.

          use    Entry point for paste.deploy for the container_quotas middleware.  This  is  the
                 reference    to    the    installed    python    egg.     This    is    normally
                 egg:swift#container_quotas.

       [filter:account-quotas]

       Note: Put after auth in the pipeline.

          use    Entry point for paste.deploy for the  account_quotas  middleware.  This  is  the
                 reference    to    the    installed    python    egg.     This    is    normally
                 egg:swift#account_quotas.

       [filter:gatekeeper]

       Note: this middleware requires python-dnspython

          use    Entry point  for  paste.deploy  for  the  gatekeeper  middleware.  This  is  the
                 reference to the installed python egg.  This is normally egg:swift#gatekeeper.

          set log_name
                 Label used when logging. The default is gatekeeper.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

       [filter:container_sync]

       Note: this middleware requires python-dnspython

          use    Entry  point  for  paste.deploy  for  the container_sync middleware. This is the
                 reference    to    the    installed    python    egg.     This    is    normally
                 egg:swift#container_sync.

          allow_full_urls
                 Set  this to false if you want to disallow any full URL values to be set for any
                 new X-Container-Sync-To headers. This will keep any new full  urls  from  coming
                 in, but won't change any existing values already in the cluster.  Updating those
                 will have to be done manually, as knowing what the true realm endpoint should be
                 cannot always be guessed. The default is true.

          current
                 Set this to specify this cluster's //realm/cluster as "current" in /info.

       [filter:xprofile]

       Note:  Put  it at the beginning of the pipeline to profile all middleware. But it is safer
       to put this after healthcheck.

          use    Entry point for paste.deploy for the xprofile middleware. This is the  reference
                 to the installed python egg.  This is normally egg:swift#xprofile.

          profile_module
                 This option enables you to switch profilers, which should inherit from the Python
                 standard profiler. Currently the supported values are 'cProfile',
                 'eventlet.green.profile' etc.

          log_filename_prefix
                 This prefix will be used to combine process ID and timestamp to name the profile
                 data file.  Make sure the executing user has permission to write into this  path
                 (missing  path segments will be created, if necessary).  If you enable profiling
                 in more than one type of daemon, you must override it with a unique value like,
                 the default is /var/log/swift/profile/account.profile.

          dump_interval
                 The profile data will be dumped to local disk, named by the rule above, at this
                 interval. The default is 5.0.

          dump_timestamp
                 Be careful: this option makes the profiler dump data into files named with a
                 time stamp, which means lots of files will pile up in the directory.
                 The default is false.

          path   This is the path of  the  URL  to  access  the  mini  web  UI.  The  default  is
                 __profile__.

          flush_at_shutdown
                 Clear the data when the wsgi server shuts down. The default is false.

          unwind Unwind the iterator of applications. Default is false.

       [filter:versioned_writes]

       Note: Put after slo, dlo in the pipeline.  If you don't put it in the pipeline, it will be
       inserted automatically.

          use    Entry point for paste.deploy for the versioned_writes middleware.  This  is  the
                 reference    to    the    installed    python    egg.     This    is    normally
                 egg:swift#versioned_writes.

          allow_versioned_writes
                 Enables using versioned writes middleware and  exposing  configuration  settings
                 via  HTTP GET /info.  WARNING: Setting this option bypasses the "allow_versions"
                 option in the container configuration file, which will be eventually deprecated.
                 See documentation for more details.

APP SECTION

       This  is  indicated  by section name [app:proxy-server]. Below are the parameters that are
       acceptable within this section.

       use    Entry point for paste.deploy for the proxy server. This is  the  reference  to  the
              installed python egg.  This is normally egg:swift#proxy.

       set log_name
              Label used when logging. The default is proxy-server.

       set log_facility
              Syslog log facility. The default is LOG_LOCAL0.

       set log_level
              Logging level. The default is INFO.

       set log_address
              Logging address. The default is /dev/log.

       log_handoffs
              Log when handoff locations are used.  Default is True.

       recheck_account_existence
              Cache timeout in seconds to send memcached for account existence. The default is 60
              seconds.

       recheck_container_existence
              Cache timeout in seconds to send memcached for container existence. The default  is
              60 seconds.

       object_chunk_size
              Chunk size to read from object servers. The default is 65536.

       client_chunk_size
              Chunk size to read from clients. The default is 65536.

       node_timeout
              Request timeout to external services. The default is 10 seconds.

       recoverable_node_timeout
              How  long the proxy server will wait for an initial response and to read a chunk of
              data from the object servers while serving GET  /  HEAD  requests.   Timeouts  from
              these  requests  can  be  recovered  from  so  setting this to something lower than
              node_timeout would provide quicker error  recovery  while  allowing  for  a  longer
              timeout  for  non-recoverable requests (PUTs).  Defaults to node_timeout, should be
              overridden if node_timeout is set to a high number to prevent client timeouts  from
              firing before the proxy server has a chance to retry.

       conn_timeout
              Connection timeout to external services. The default is 0.5 seconds.

       post_quorum_timeout
              How  long  to  wait for requests to finish after a quorum has been established. The
              default is 0.5 seconds.

       error_suppression_interval
              Time in seconds that must elapse since the last error for a node to  be  considered
              no longer error limited. The default is 60 seconds.

       error_suppression_limit
              Error count to consider a node error limited. The default is 10.

       allow_account_management
              Whether account PUTs and DELETEs are even callable. If set to 'true' any authorized
              user may create and delete accounts; if 'false' no one, even authorized,  can.  The
              default is false.

       account_autocreate
              If set to 'true' authorized accounts that do not yet exist within the Swift cluster
              will be automatically created. The default is set to false.

       max_containers_per_account
              If set to a positive value, trying to create a container when the  account  already
              has at least this many containers will result in a 403 Forbidden.  Note: This is
              a soft limit, meaning a user might exceed  the  cap  for  recheck_account_existence
              before the 403s kick in.

       max_containers_whitelist
              This   is   a   comma   separated   list   of   account   hashes  that  ignore  the
              max_containers_per_account cap.

       deny_host_headers
              Comma separated list of Host headers to which the proxy  will  deny  requests.  The
              default is empty.

       sorting_method
              Storage  nodes  can  be  chosen  at  random  (shuffle  -  default), by using timing
              measurements (timing), or by using an  explicit  match  (affinity).   Using  timing
              measurements  may  allow for lower overall latency, while using affinity allows for
              finer control. In both the timing and affinity  cases,  equally-sorting  nodes  are
              still  randomly  chosen  to  spread  load.  The valid values for sorting_method are
              "affinity", "shuffle", and "timing".

       timing_expiry
              If the "timing" sorting_method is used, the timings will  only  be  valid  for  the
              number of seconds configured by timing_expiry. The default is 300.

       concurrent_gets
              If "on" then use replica count number of threads concurrently during a GET/HEAD and
              return with the first successful response. In the  EC  case,  this  parameter  only
              affects an EC HEAD as an EC GET behaves differently. Default is "off".

       concurrency_timeout
              This  parameter controls how long to wait before firing off the next concurrent_get
              thread. A value of 0 would be fully concurrent; any other number will stagger the
              firing  of  the  threads.  This  number  should  be between 0 and node_timeout. The
              default is the value of conn_timeout (0.5).

       request_node_count
              Set to the number of nodes to  contact  for  a  normal  request.  You  can  use  '*
              replicas'  at  the end to have it use the number given times the number of replicas
              for the ring being used for the request. The default is '2 * replicas'.

       read_affinity
              Specifies which backend servers to prefer on reads. Format  is  a  comma  separated
              list  of  affinity descriptors of the form <selection>=<priority>.  The <selection>
              may be r<N> for selecting nodes in region N or  r<N>z<M>  for  selecting  nodes  in
              region N, zone M. The <priority> value should be a whole number that represents the
              priority to be given to the selection; lower numbers are higher  priority.  Default
              is empty, meaning no preference.

              Example:  first  read  from region 1 zone 1, then region 1 zone 2, then anything in
              region 2, then everything else:

                 read_affinity = r1z1=100, r1z2=200, r2=300

       write_affinity
              Specifies which backend servers to prefer on writes. Format is  a  comma  separated
              list  of  affinity descriptors of the form r<N> for region N or r<N>z<M> for region
              N, zone M. If this is set, then when handling an object PUT  request,  some  number
              (see  setting  write_affinity_node_count)  of  local  backend servers will be tried
              before any nonlocal ones. Default is empty, meaning no preference.

              Example: try to write to regions 1 and 2 before writing to any other nodes:

                 write_affinity = r1, r2

       write_affinity_node_count
              The number of local (as governed by the write_affinity setting) nodes to attempt to
              contact  first on writes, before any non-local ones. The value should be an integer
              number, or use '* replicas' at the end to have it use the number  given  times  the
              number  of  replicas  for  the ring being used for the request. The default is '2 *
              replicas'.

       swift_owner_headers
              These are the headers whose values will only be shown to swift_owners. The exact
              definition of a swift_owner is up to the auth system in use, but usually indicates
              administrative responsibilities. The default is 'x-container-read,
              x-container-write, x-container-sync-key, x-container-sync-to,
              x-account-meta-temp-url-key, x-account-meta-temp-url-key-2,
              x-container-meta-temp-url-key, x-container-meta-temp-url-key-2,
              x-account-access-control'.

       rate_limit_after_segment
              Start  rate-limiting  object  segments after the Nth segment of a segmented object.
              The default is 10 segments.

       rate_limit_segments_per_sec
              Once segment rate-limiting kicks in for an object, limit segments served to  N  per
              second.  The default is 1.

       nice_priority
              Modify  scheduling  priority  of  server  processes. Niceness values range from -20
              (most favorable to the process) to  19  (least  favorable  to  the  process).   The
              default does not modify priority.

       ionice_class
              Modify  I/O  scheduling  class  of  server processes. I/O niceness class values are
              IOPRIO_CLASS_RT (realtime),  IOPRIO_CLASS_BE  (best-effort)  and  IOPRIO_CLASS_IDLE
              (idle). The default does not modify class and priority. Works only with
              ionice_priority.

       ionice_priority
              Modify I/O scheduling priority of server processes.  I/O  niceness  priority  is  a
              number  which goes from 0 to 7. The higher the value, the lower the I/O priority of
              the process. Works only with ionice_class.  Ignored if IOPRIO_CLASS_IDLE is set.
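A review pass over the settings on this page that affect what reaches the logs and who can manage accounts, as an added sketch that is not part of Swift. The sample configuration is constructed, the filter name 'profiler' is arbitrary, and the "greater than 16" threshold for reveal_sensitive_prefix is this example's own choice.

```python
import configparser

# Constructed sample configuration, not a real deployment's file.
SAMPLE_CONF = """\
[pipeline:main]
pipeline = catch_errors healthcheck profiler proxy-logging tempauth proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true

[filter:proxy-logging]
use = egg:swift#proxy_logging
access_log_headers = True
reveal_sensitive_prefix = 64
log_msg_template = {client_ip.anonymized} {method} {path} {status_int}

[filter:profiler]
use = egg:swift#xprofile
"""

# Strings this sketch treats as "true".
TRUE_VALUES = {"1", "true", "yes", "on", "t", "y"}


def audit(conf_text):
    """Return (setting, reason) pairs for values worth a second look."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cp.read_string(conf_text)

    def get(section, key, default=""):
        return cp.get(section, key, fallback=default).strip()

    def enabled(section, key):
        return get(section, key).lower() in TRUE_VALUES

    found = []
    log = "filter:proxy-logging"
    if enabled(log, "access_log_headers") and not get(log, "access_log_headers_only"):
        found.append(("access_log_headers",
                      "all request headers are logged; reveal_sensitive_prefix "
                      "does not shorten X-Auth-Token there"))
    if int(get(log, "reveal_sensitive_prefix", "16")) > 16:
        found.append(("reveal_sensitive_prefix",
                      "logs more of each token than the default 16 characters"))
    if (".anonymized}" in get(log, "log_msg_template")
            and not get(log, "log_anonymization_salt")):
        found.append(("log_anonymization_salt",
                      "anonymized fields are hashed without a salt"))
    if enabled("app:proxy-server", "allow_account_management"):
        found.append(("allow_account_management",
                      "any authorized user may create and delete accounts"))
    # Pipeline entries are section names, so match on the egg, not the name.
    for name in get("pipeline:main", "pipeline").split():
        if get("filter:" + name, "use") == "egg:swift#xprofile":
            found.append(("xprofile",
                          "profiler web UI is in the pipeline as '%s'" % name))
    return found


if __name__ == "__main__":
    for setting, reason in audit(SAMPLE_CONF):
        print("%-26s %s" % (setting, reason))
```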

DOCUMENTATION

       More in-depth documentation about the swift-proxy-server and also  OpenStack  Swift  as  a
       whole   can   be  found  at  https://docs.openstack.org/swift/latest/admin_guide.html  and
       https://docs.openstack.org/swift/latest/

SEE ALSO

       swift-proxy-server(1)