Provided by: swift-proxy_1.13.1-0ubuntu1.5_all

NAME

       proxy-server.conf - configuration file for the openstack-swift proxy server

SYNOPSIS

       proxy-server.conf

DESCRIPTION

       This is the configuration file used by the proxy server and other proxy middlewares.

       The  configuration  file  follows  the python-pastedeploy syntax. The file is divided into
       sections, which are enclosed by square brackets.  Each  section  will  contain  a  certain
       number of key/value parameters which are described later.

       Any line that begins with a '#' symbol is ignored.

       You   can   find   more  information  about  python-pastedeploy  configuration  format  at
       http://pythonpaste.org/deploy/#config-format

GLOBAL SECTION

       This is indicated by the section named [DEFAULT]. Below are the parameters that are
       acceptable within this section.

       bind_ip
              IP  address the proxy server should bind to. The default is 0.0.0.0 which will make
              it bind to all available addresses.

       bind_port
              TCP port the proxy server should bind to. The default is 80.

       backlog
              TCP backlog.  Maximum number of allowed pending connections. The default  value  is
              4096.

       workers
              The  number  of  pre-forked  processes that will accept connections.  Zero means no
              fork.  The default is auto which will make the server try to match  the  number  of
              effective  cpu  cores  if  python  multiprocessing is available (included with most
              python distributions >= 2.6) or fall back to one.  It's worth noting that individual
              workers will use many eventlet co-routines to service multiple concurrent requests.

       max_clients
              Maximum  number  of clients one worker can process simultaneously (it will actually
              accept(2) N + 1). Setting this to one (1) will only handle one request at  a  time,
              without accepting another request concurrently.  The default is 1024.

       user   The system user that the proxy server will run as. The default is swift.

       swift_dir
              Swift configuration directory. The default is /etc/swift.

       cert_file
              Location  of  the  SSL  certificate file. The default path is /etc/swift/proxy.crt.
              This is disabled by default.

       key_file
              Location of the SSL certificate key file. The default path is /etc/swift/proxy.key.
              This is disabled by default.

       log_name
              Label used when logging. The default is swift.

       log_facility
              Syslog log facility. The default is LOG_LOCAL0.

       log_level
              Logging level. The default is INFO.

       log_address
              Logging address. The default is /dev/log.

       trans_id_suffix
              This optional suffix (default is empty) is appended to the swift transaction id,
              which makes it easy to figure out which cluster an X-Trans-Id belongs to.  This
              is very useful when one is managing more than one swift cluster.

PIPELINE SECTION

       This is indicated by the section name [pipeline:main]. Below are the parameters that are
       acceptable within this section.

       pipeline
              It is used when you need to apply a number of filters. It is a list of filters
              ended by an application. The normal pipeline is "catch_errors healthcheck cache
              ratelimit tempauth proxy-logging proxy-server".

FILTER SECTION

       Any section that has its name prefixed by "filter:" indicates a filter  section.   Filters
       are  used  to  specify configuration parameters for specific swift middlewares.  Below are
       the filters available and respective acceptable parameters.

       [filter:healthcheck]

          use    Entry point for  paste.deploy  for  the  healthcheck  middleware.  This  is  the
                 reference to the installed python egg.  This is normally egg:swift#healthcheck.

          disable_path
                 An optional filesystem path which, if present, will cause the healthcheck URL to
                 return "503 Service Unavailable" with a body of "DISABLED BY FILE".

       [filter:tempauth]

          use    Entry point for paste.deploy for the tempauth middleware. This is the  reference
                 to the installed python egg.  This is normally egg:swift#tempauth.

          set log_name
                 Label used when logging. The default is tempauth.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

          reseller_prefix
                 The  reseller  prefix  will  verify  a token begins with this prefix before even
                 attempting to validate it. Also, with authorization, only Swift storage accounts
                 with  this prefix will be authorized by this middleware. Useful if multiple auth
                 systems are in use for one Swift cluster. The default is AUTH.

          auth_prefix
                 The auth prefix will cause requests beginning with this prefix to be  routed  to
                 the auth subsystem, for granting tokens, etc. The default is /auth/.

          token_life
                 This is the time in seconds before the token expires. The default is 86400.

          user_<account>_<user>
                 Lastly,  you  need  to list all the accounts/users you want here. The format is:
                 user_<account>_<user> = <key> [group] [group] [...] [storage_url]

                 There are special groups of: .reseller_admin who can do anything to any  account
                 for this auth and also .admin who can do anything within the account.

                 If neither of these groups is specified, the user can only access containers
                 that have been explicitly allowed for them by a .admin or .reseller_admin.   The
                 trailing  optional  storage_url  allows  you to specify an alternate url to hand
                 back to the user  upon  authentication.  If  not  specified,  this  defaults  to
                 http[s]://<ip>:<port>/v1/<reseller_prefix>_<account> where http or https depends
                 on whether cert_file is specified in the [DEFAULT] section, <ip> and <port>  are
                 based  on  the  [DEFAULT]  section's  bind_ip  and  bind_port  (falling  back to
                 127.0.0.1 and 8080), <reseller_prefix> is from this section,  and  <account>  is
                 from the user_<account>_<user> name.

                 Here are example entries, required for running the tests:

                 user_admin_admin = admin .admin .reseller_admin
                 user_test_tester = testing .admin
                 user_test2_tester2 = testing2 .admin
                 user_test_tester3 = testing3
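
       An added example, not part of the original man page or of Swift's own code: it parses
       user_<account>_<user> entries into key, groups and storage URL, and reports entries that
       hold .reseller_admin or still use one of the sample keys listed above. It assumes the
       account name contains no underscore and that a trailing field containing "://" is the
       storage_url.

```python
import configparser

# Constructed sample config. The user_ entries are the example entries
# listed in this man page; everything else is illustrative.
SAMPLE_CONF = """
[DEFAULT]
bind_port = 8080

[filter:tempauth]
use = egg:swift#tempauth
reseller_prefix = AUTH
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3
"""

# Keys of the documented test entries: finding one means sample
# credentials were left in a deployed file.
SAMPLE_KEYS = {"admin", "testing", "testing2", "testing3"}


def parse_tempauth_users(conf_text):
    """Return a dict per user_<account>_<user> entry in [filter:tempauth]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of account and user names
    cp.read_string(conf_text)
    section = cp["filter:tempauth"]
    defaults = cp.defaults()
    # Default storage URL pieces, as described for the storage_url field.
    scheme = "https" if defaults.get("cert_file") else "http"
    ip = defaults.get("bind_ip", "127.0.0.1")
    port = defaults.get("bind_port", "8080")
    prefix = section.get("reseller_prefix", "AUTH")
    users = []
    for name, value in section.items():
        if not name.startswith("user_"):
            continue
        parts = name.split("_", 2)  # assumption: no "_" in the account name
        fields = value.split()
        if len(parts) != 3 or not fields:
            raise ValueError("malformed tempauth entry: %r" % name)
        _, account, user = parts
        key, rest = fields[0], fields[1:]
        # Assumption: a trailing field containing "://" is the storage_url.
        url = rest.pop() if rest and "://" in rest[-1] else None
        users.append({
            "account": account, "user": user, "key": key, "groups": rest,
            "storage_url": url or "%s://%s:%s/v1/%s_%s"
                           % (scheme, ip, port, prefix, account),
        })
    return users


def audit_users(users):
    """Return (account:user, finding) pairs worth a reviewer's attention."""
    findings = []
    for u in users:
        who = "%s:%s" % (u["account"], u["user"])
        if ".reseller_admin" in u["groups"]:
            findings.append((who, "can do anything to any account"))
        if u["key"] in SAMPLE_KEYS:
            findings.append((who, "uses a documented sample key"))
    return findings


if __name__ == "__main__":
    for who, finding in audit_users(parse_tempauth_users(SAMPLE_CONF)):
        print(who, "-", finding)
```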

       [filter:cache]

       Caching middleware that manages caching in swift.

          use    Entry  point for paste.deploy for the memcache middleware. This is the reference
                 to the installed python egg.  This is normally egg:swift#memcache.

          set log_name
                 Label used when logging. The default is memcache.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers. The default is False.

          memcache_servers
                 If not set in the configuration file, the value  for  memcache_servers  will  be
                 read  from  /etc/swift/memcache.conf  (see memcache.conf-sample) or lacking that
                 file, it will default to  127.0.0.1:11211.  You  can  specify  multiple  servers
                 separated with commas, as in: 10.1.2.3:11211,10.1.2.4:11211.

          memcache_serialization_support
                 This sets how memcache values are serialized and deserialized:

                 0 = older, insecure pickle serialization
                 1 = json serialization but pickles can still be read (still insecure)
                 2 = json serialization only (secure and the default)

                 To avoid an instant full cache flush, existing installations should upgrade with
                 0, then set to 1 and reload, then after some  time  (24  hours)  set  to  2  and
                 reload. In the future, the ability to use pickle serialization will be removed.

                 If     not     set    in    the    configuration    file,    the    value    for
                 memcache_serialization_support will be read from /etc/swift/memcache.conf if  it
                 exists  (see  memcache.conf-sample).  Otherwise,  the default value as indicated
                 above will be used.

       [filter:ratelimit]

       Rate limits requests on both an Account and Container level.  Limits are configurable.

          use    Entry point for paste.deploy for the ratelimit middleware. This is the reference
                 to the installed python egg.  This is normally egg:swift#ratelimit.
          set log_name
                 Label used when logging. The default is ratelimit.
          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.
          set log_level
                 Logging level. The default is INFO.
          set log_address
                 Logging address. The default is /dev/log.
          set log_headers
                 Enables the ability to log request headers. The default is False.
          clock_accuracy
                 This should represent how accurate the proxy servers' system clocks are with
                 each other.  1000 means that all the proxies' clocks are accurate to each other
                 within 1 millisecond.  No ratelimit should be higher than the clock accuracy.
                 The default is 1000.
          max_sleep_time_seconds
                 App will immediately return a 498 response if  the  necessary  sleep  time  ever
                 exceeds the given max_sleep_time_seconds. The default is 60 seconds.
          log_sleep_time_seconds
                 To allow visibility into rate limiting, set this value > 0 and all sleeps
                 greater than the number will be logged. A value of 0 disables this logging.
                 The default is 0.
          rate_buffer_seconds
                 Number of seconds the rate counter can drop and be allowed to  catch  up  (at  a
                 faster  than  listed rate). A larger number will result in larger spikes in rate
                 but better average accuracy. The default is 5.
          account_ratelimit
                 If set, will limit PUT and DELETE requests to /account_name/container_name.
                 Number is in requests per second. A value of 0 disables the limit. The default
                 is 0.
          account_whitelist
                 Comma  separated  lists  of  account  names  that  will not be rate limited. The
                 default is ''.
          account_blacklist
                 Comma separated lists of account names that will not be allowed. Returns  a  497
                 response.  The default is ''.
          container_ratelimit_size
                 When  set  with  container_limit_x = r: for containers of size x, limit requests
                 per second to r. Will limit PUT,  DELETE,  and  POST  requests  to  /a/c/o.  The
                 default is ''.

       [filter:domain_remap]

       Middleware that translates container and account parts of a domain to path parameters that
       the proxy server understands. The container.account.storageurl/object gets translated to
       container.account.storageurl/path_root/account/container/object and
       account.storageurl/path_root/container/object gets translated to
       account.storageurl/path_root/account/container/object.

          use    Entry  point  for  paste.deploy  for  the  domain_remap  middleware. This is the
                 reference to the installed python egg.  This is normally egg:swift#domain_remap.
          set log_name
                 Label used when logging. The default is domain_remap.
          set log_address
                 Logging address. The default is /dev/log.
          set log_headers
                 Enables the ability to log request headers. The default is False.
          storage_domain
                 The domain to be used by the middleware.
          path_root
                 The path root value for the storage URL. The default is v1.
          reseller_prefixes
                 Browsers can convert a host header to lowercase, so check that  reseller  prefix
                 on  the  account is the correct case. This is done by comparing the items in the
                 reseller_prefixes config option to the found prefix. If they  match  except  for
                 case, the item from reseller_prefixes will be used instead of the found reseller
                 prefix. The reseller_prefixes list is exclusive.  If defined, any  request  with
                 an  account prefix not in that list will be ignored by this middleware. Defaults
                 to 'AUTH'.

       [filter:catch_errors]
          use    Entry point for paste.deploy  for  the  catch_errors  middleware.  This  is  the
                 reference to the installed python egg.  This is normally egg:swift#catch_errors.
          set log_name
                 Label used when logging. The default is catch_errors.
          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.
          set log_level
                 Logging level. The default is INFO.
          set log_address
                 Logging address. The default is /dev/log.
          set log_headers
                 Enables the ability to log request headers. The default is False.

       [filter:cname_lookup]

       Note: this middleware requires python-dnspython

          use    Entry  point  for  paste.deploy  for  the  cname_lookup  middleware. This is the
                 reference to the installed python egg.  This is normally egg:swift#cname_lookup.
          set log_name
                 Label used when logging. The default is cname_lookup.
          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.
          set log_level
                 Logging level. The default is INFO.
          set log_address
                 Logging address. The default is /dev/log.
          set log_headers
                 Enables the ability to log request headers. The default is False.
          storage_domain
                 The domain to be used by the middleware.
          lookup_depth
                 How deep in the CNAME chain to look  for  something  that  matches  the  storage
                 domain.  The default is 1.

       [filter:staticweb]

       Note: Put staticweb just after your auth filter(s) in the pipeline

          use    Entry point for paste.deploy for the staticweb middleware. This is the reference
                 to the installed python egg.  This is normally egg:swift#staticweb.
          cache_timeout
                 Seconds to cache container x-container-meta-web-* header values. The default  is
                 300 seconds.
          set log_name
                 Label used when logging. The default is staticweb.
          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.
          set log_level
                 Logging level. The default is INFO.
          set log_address
                 Logging address. The default is /dev/log.
          set log_headers
                 Enables the ability to log request headers. The default is False.
          set access_log_name
                 Label used when logging. The default is staticweb.
          set access_log_facility
                 Syslog log facility. The default is LOG_LOCAL0.
          set access_log_level
                 Logging level. The default is INFO.

       [filter:tempurl]

       Note: Put tempurl before slo, dlo, and your auth filter(s) in the pipeline

          incoming_remove_headers
                 The headers to remove from incoming requests. Simply a whitespace delimited list
                 of header names and names can optionally end  with  '*'  to  indicate  a  prefix
                 match. incoming_allow_headers is a list of exceptions to these removals.
          incoming_allow_headers
                 The   headers   allowed  as  exceptions  to  incoming_remove_headers.  Simply  a
                 whitespace delimited list of header names and names can optionally end with  '*'
                 to indicate a prefix match.
          outgoing_remove_headers
                 The  headers  to  remove  from outgoing responses. Simply a whitespace delimited
                 list of header names and names can optionally end with '*' to indicate a  prefix
                 match. outgoing_allow_headers is a list of exceptions to these removals.
          outgoing_allow_headers
                 The   headers   allowed  as  exceptions  to  outgoing_remove_headers.  Simply  a
                 whitespace delimited list of header names and names can optionally end with  '*'
                 to indicate a prefix match.
          set log_level
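
       An added example, not Swift's own code: one way to evaluate the remove and allow lists
       described above, with '*' as a prefix match and the allow list as exceptions, plus a
       check for allow entries that cancel a removal entirely. The header lists and response
       headers below are constructed sample values.

```python
# Constructed sample values, written the way they would appear in the config.
OUTGOING_REMOVE = "x-object-meta-*"
OUTGOING_ALLOW = "x-object-meta-public-*"
RESPONSE = {
    "Content-Type": "image/png",
    "X-Object-Meta-Owner-Email": "ops@example.test",
    "X-Object-Meta-Public-Caption": "logo",
}


def _matches(header, patterns):
    """True if header equals a pattern, or starts with one ending in '*'."""
    name = header.lower()  # HTTP header names are case-insensitive
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.endswith("*"):
            if name.startswith(pattern[:-1]):
                return True
        elif name == pattern:
            return True
    return False


def strip_headers(headers, remove, allow=""):
    """Apply a remove list and its allow exceptions to a dict of headers.

    remove and allow are whitespace delimited strings, as in the config.
    Returns (kept_headers, removed_names).
    """
    remove_p, allow_p = remove.split(), allow.split()
    kept, removed = {}, []
    for name, value in headers.items():
        if _matches(name, remove_p) and not _matches(name, allow_p):
            removed.append(name)
        else:
            kept[name] = value
    return kept, removed


def cancelled_removals(remove, allow):
    """Return remove patterns that some allow pattern exempts completely."""
    cancelled = []
    for r in remove.lower().split():
        r_prefix = r[:-1] if r.endswith("*") else r
        for a in allow.lower().split():
            if a.endswith("*"):
                covers = r_prefix.startswith(a[:-1])
            else:
                covers = (a == r)
            if covers:
                cancelled.append(r)
                break
    return cancelled


if __name__ == "__main__":
    kept, removed = strip_headers(RESPONSE, OUTGOING_REMOVE, OUTGOING_ALLOW)
    print("removed:", removed)
    print("kept:", sorted(kept))
    print("cancelled:", cancelled_removals("x-object-meta-*", "x-object-*"))
```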

       [filter:formpost]

       Note: Put formpost just before your auth filter(s) in the pipeline

          use    Entry  point for paste.deploy for the formpost middleware. This is the reference
                 to the installed python egg.  This is normally egg:swift#formpost.

       [filter:name_check]

       Note: Just needs to be placed before the proxy-server in the pipeline.

          use    Entry point  for  paste.deploy  for  the  name_check  middleware.  This  is  the
                 reference to the installed python egg.  This is normally egg:swift#name_check.
          forbidden_chars
                 Characters that will not be allowed in a name.
          maximum_length
                 Maximum number of characters that can be in the name.
          forbidden_regexp
                 Python regular expressions of substrings that will not be allowed in a name.
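
       An added example, not part of the original man page: a check of the pipeline against
       the placement notes given for staticweb, tempurl, formpost and name_check, and against
       the rule that the pipeline ends with the application. It checks relative order only and
       assumes the filters appear in the pipeline under the names used on this page, with
       tempauth as the auth filter unless told otherwise; the sample config is constructed.

```python
import configparser

# Constructed sample: tempurl and formpost sit behind the auth filter and
# staticweb in front of it, the reverse of what the notes ask for.
SAMPLE_CONF = """
[pipeline:main]
pipeline = catch_errors cache staticweb tempauth tempurl formpost slo proxy-logging proxy-server
"""


def pipeline_from_conf(conf_text):
    """Return the [pipeline:main] pipeline as a list of names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp["pipeline:main"]["pipeline"].split()


def check_pipeline(names, auth_filters=("tempauth",)):
    """Return a list of ordering problems; an empty list means none found.

    Assumption: filters appear in the pipeline under the same names as in
    this man page, and auth_filters lists the auth filter(s) in use.
    """
    problems = []
    pos = {}
    for i, name in enumerate(names):
        pos.setdefault(name, i)  # first occurrence of each name

    def before(a, b):
        # True when either name is absent or a is placed ahead of b.
        return a not in pos or b not in pos or pos[a] < pos[b]

    if not names or names[-1] != "proxy-server":
        problems.append("pipeline does not end with proxy-server")
    if not before("name_check", "proxy-server"):
        problems.append("name_check must come before proxy-server")

    present = [a for a in auth_filters if a in pos]
    if not present:
        problems.append("no auth filter found; auth ordering not checked")
    for auth in present:
        if not before(auth, "staticweb"):
            problems.append("staticweb must come after %s" % auth)
        for early in ("tempurl", "formpost"):
            if not before(early, auth):
                problems.append("%s must come before %s" % (early, auth))
    for late in ("slo", "dlo"):
        if not before("tempurl", late):
            problems.append("tempurl must come before %s" % late)
    return problems


if __name__ == "__main__":
    for problem in check_pipeline(pipeline_from_conf(SAMPLE_CONF)):
        print(problem)
```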

       [filter:proxy-logging]

       Logging  for the proxy server now lives in this middleware.  If the access_* variables are
       not set, logging directives from [DEFAULT] without "access_" will be used.

          use    Entry point for paste.deploy for  the  proxy_logging  middleware.  This  is  the
                 reference    to    the    installed    python    egg.     This    is    normally
                 egg:swift#proxy_logging.
          access_log_name
                 Label used when logging. The default is proxy-server.
          access_log_facility
                 Syslog log facility. The default is LOG_LOCAL0.
          access_log_level
                 Logging level. The default is INFO.
          access_log_address
                 Default is /dev/log.
          access_log_udp_host
                 If set, access_log_udp_host will override access_log_address.  Default is unset.
          access_log_udp_port
                 Default is 514.
          access_log_statsd_host
                 You can use log_statsd_* from [DEFAULT], or  override  them  here.   Default  is
                 localhost.
          access_log_statsd_port
                 Default is 8125.
          access_log_statsd_default_sample_rate
                 Default is 1.
          access_log_statsd_metric_prefix
                 Default is "" (empty-string)
          access_log_headers
                 Default is False.
          log_statsd_valid_http_methods
                 What  HTTP  methods  are allowed for StatsD logging (comma-sep); request methods
                 not in this list will have "BAD_METHOD" for the <verb> portion  of  the  metric.
                 Default is "GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS".

APP SECTION

       This is indicated by the section name [app:proxy-server]. Below are the parameters that
       are acceptable within this section.

       use    Entry point for paste.deploy for the proxy server. This is  the  reference  to  the
              installed python egg.  This is normally egg:swift#proxy.

       set log_name
              Label used when logging. The default is proxy-server.

       set log_facility
              Syslog log facility. The default is LOG_LOCAL0.

       set log_level
              Logging level. The default is INFO.

       set log_address
              Logging address. The default is /dev/log.

       log_handoffs
              Log when handoff locations are used.  Default is True.

       recheck_account_existence
              Cache timeout in seconds to send memcached for account existence. The default is 60
              seconds.

       recheck_container_existence
              Cache timeout in seconds to send memcached for container existence. The default  is
              60 seconds.

       object_chunk_size
              Chunk size to read from object servers. The default is 8192.

       client_chunk_size
              Chunk size to read from clients. The default is 8192.

       node_timeout
              Request timeout to external services. The default is 10 seconds.

       client_timeout
              Timeout to read one chunk from a client. The default is 60 seconds.

       conn_timeout
              Connection timeout to external services. The default is 0.5 seconds.

       error_suppression_interval
              Time  in  seconds that must elapse since the last error for a node to be considered
              no longer error limited. The default is 60 seconds.

       error_suppression_limit
              Error count to consider a node error limited. The default is 10.

       allow_account_management
              Whether account PUTs and DELETEs are even callable. If set to 'true' any authorized
              user  may  create and delete accounts; if 'false' no one, even authorized, can. The
              default is false.

       object_post_as_copy
              Set object_post_as_copy = false to turn on  fast  posts  where  only  the  metadata
              changes  are  stored as new and the original data file is kept in place. This makes
              for quicker posts; but since the container metadata isn't  updated  in  this  mode,
              features like container sync won't be able to sync posts. The default is True.

       account_autocreate
              If set to 'true' authorized accounts that do not yet exist within the Swift cluster
              will be automatically created. The default is set to false.

       rate_limit_after_segment
              Start rate-limiting object segments after the Nth segment of  a  segmented  object.
              The default is 10 segments.

       rate_limit_segments_per_sec
              Once  segment  rate-limiting kicks in for an object, limit segments served to N per
              second.  The default is 1.

DOCUMENTATION

       More in-depth documentation about the swift-proxy-server and also Openstack-Swift as a
       whole can be found at http://swift.openstack.org/admin_guide.html and
       http://swift.openstack.org

SEE ALSO

       swift-proxy-server(1)