ApiSix配置详解

背景介绍

ApiSix官方介绍
ApiSix安装

配置详情

在centos上使用yum命令安装apisix之后, /usr/local 下会出现apisix的文件夹
apisix使用Nginx反向代理, 因而apisix配置导向nginx配置
apisix的配置文件在/usr/local/apisix/conf/config.yaml

以下是一个标准的apisix yaml配置, 笔者将相关配置详解写在注释后

apisix:
  node_listen: 9080              # APISIX的启动端口
  enable_admin: true             # 是否启用admin
  enable_admin_cors: true         # 允许CORS访问
  enable_debug: false             # debug模式
  enable_dev_mode: false          # True的时候nginx只会启动一个worker进程
  enable_reuseport: true          # True的时候nginx配置启动SO_REUSEPORT.
  enable_ipv6: true				  # ipv6
  config_center: etcd             # etcd: 使用etcd做配置同步
                                  # yaml: 获取 `/usr/local/apisix/conf/apisix.yaml` 以同步配置

  #proxy_protocol:                 # 代理协议配置, 以下不做详解
  #  listen_http_port: 9181        # The port with proxy protocol for http, it differs from node_listen and port_admin.
                                   # This port can only receive http request with proxy protocol, but node_listen & port_admin
                                   # can only receive http request. If you enable proxy protocol, you must use this port to
                                   # receive http request with proxy protocol
  #  listen_https_port: 9182       # The port with proxy protocol for https
  #  enable_tcp_pp: true           # Enable the proxy protocol for tcp proxy, it works for stream_proxy.tcp option
  #  enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the upstream server

  proxy_cache:                     # Proxy Caching configuration
    cache_ttl: 10s                 # The default caching time if the upstream does not specify the cache time
    zones:                         # The parameters of a cache
    - name: disk_cache_one         # The name of the cache, administrator can be specify
                                   # which cache to use by name in the admin api
      memory_size: 50m             # The size of shared memory, it's used to store the cache index
      disk_size: 1G                # The size of disk, it's used to store the cache data
      disk_path: "/tmp/disk_cache_one" # The path to store the cache data
      cache_levels: "1:2"           # The hierarchy levels of a cache
  #  - name: disk_cache_two
  #    memory_size: 50m
  #    disk_size: 1G
  #    disk_path: "/tmp/disk_cache_two"
  #    cache_levels: "1:2"

  allow_admin:                  # 参考http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 192.168.0.0/16              # 如果列表为空, 所有ip都能接受(笔者测试失败)
    - 127.0.0.0/16

  #   - "::/64"					 # ipv6配置
  # port_admin: 9180              # use a separate port
  # https_admin: true             # 使用https协议访问admin, apisix默认会读取conf/apisix_admin_api.crt和conf/apisix_admin_api.key作为证书.
  admin_api_mtls:               # 以下配置与port_admin和https_admin相关
    admin_ssl_cert: ""             # 自签名服务器端证书路径
    admin_ssl_cert_key: ""         # 自签名服务器端密钥路径
    admin_ssl_ca_cert: ""          # 自签名CA证书路径.CA用来签名所有admin api调用者的证书

  # 使用admin api所用的默认token
  # 注意: 为了保护admin API, 强烈建议更改这个值
  # 关闭这个配置意味着admin api不需要任何认证
  admin_key:
    -
      name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin                 # admin: 管理所有的配置数据
                                  # viewer: 只能查看所有的配置数据
    -
      name: "viewer"
      key: 4054f7cf07e344346cd3f287985e76a2
      role: viewer

  delete_uri_tail_slash: false    # delete the '/' at the end of the URI
  router:
    http: 'radixtree_uri'         # radixtree_uri: 基于基数树的uri匹配
                                  # radixtree_host_uri: 基于基数树的uri+host匹配
    ssl: 'radixtree_sni'          # radixtree_sni: 基于基数树的sni匹配
  # stream_proxy:                 # TCP/UDP proxy TCP/UDP代理, 下不详述
  #   tcp:                        # TCP proxy port list
  #     - 9100
  #     - 9101
  #   udp:                        # UDP proxy port list
  #     - 9200
  #     - 9211
  # dns_resolver:                   # If not set, read from `/etc/resolv.conf`
  #  - 1.1.1.1
  #  - 8.8.8.8
  dns_resolver_valid: 30          # dns结果有效时间30s
  resolver_timeout: 5             # 解析超时时间
  ssl:
    enable: true
    enable_http2: true
    listen_port: 9443
    ssl_protocols: "TLSv1.2 TLSv1.3"
    ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    key_encrypt_salt: "edd1c9f0985e76a2"    #  如果不设置, 会保留原始的ssl key到etcd
                                            #  如果设置了, 必须是长度为16的字符串, 并且该字符串会对ssl key 以AES-128-CBC算法加密
                                            #  !!! 千万不要在保存ssl之后更改, 否则将不能解密保存的ssl keys !!
#  discovery: eureka               # 服务发现中心
nginx_config:                     # 用以渲染生成nginx_config.conf模板的配置
  error_log: "logs/error.log"
  error_log_level: "warn"         # warn,error可选值
  worker_rlimit_nofile: 20480     # 每个worker process可以打开的文件数量, 应当大于worker_connections
  worker_shutdown_timeout: 240s     # 正常关闭worker进程的超时时间
  event:
    worker_connections: 10620
  http:
    access_log: "logs/access.log"
    keepalive_timeout: 60s         # keep-alive 客户端连接在服务端的超时时间
    client_header_timeout: 60s     # 读取客户端请求头的超时事件, 一旦超时, 返回408给客户端
    client_body_timeout: 60s       # 读取客户端请求体的超时事件, 一旦超时, 返回408给客户端
    send_timeout: 10s              # 发送响应给客户端的超时时间, 超时之后, 连接会被关闭
    underscores_in_headers: "on"   # 默认允许在请求头中使用下划线
    real_ip_header: "X-Real-IP"    # 参考http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
    real_ip_from:                  # 参考http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
      - 127.0.0.1
      - 'unix:'
    #lua_shared_dicts:              # 在nginx.conf中添加定制的共享缓存, 定制共享缓存的格式是:`cache-key: cache-size`
    #  ipc_shared_dict: 100m        

etcd:
  host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
    - "http://127.0.0.1:2379"     # multiple etcd address
  prefix: "/apisix"               # apisix configurations prefix
  timeout: 30                     # 30 seconds
  # user: root                     # root username for etcd
  # password: 5tHkHhYkjr6cQY        # root password for etcd
#eureka:
#  host:                           # 可以在同一个erueka集群中定义多个eureka地址
#    - "http://127.0.0.1:8761"
#  prefix: "/eureka/"
#  fetch_interval: 30              # 默认获取间隔30秒
#  weight: 100                     # 默认weight 100
#  timeout:
#    connect: 2000                 # 默认 2000ms
#    send: 2000                    # 默认 2000ms
#    read: 5000                    # 默认 5000ms

plugins:                          # apisix可使用的插件列表
  - example-plugin
  - limit-req
  - limit-count
  - limit-conn
  - key-auth
  - basic-auth
  - prometheus
  - node-status
  - jwt-auth
  - zipkin
  - ip-restriction
  - grpc-transcode
  - serverless-pre-function
  - serverless-post-function
  - openid-connect
  - proxy-rewrite
  - redirect
  - response-rewrite
  - fault-injection
  - udp-logger
  - wolf-rbac
  - proxy-cache
  - tcp-logger
  - proxy-mirror
  - kafka-logger
  - cors
  - consumer-restriction
  - syslog
  - batch-requests
  - http-logger
  - skywalking
  - echo
  - authz-keycloak
  - uri-blocker
  - request-validation

stream_plugins:							# apisix可使用的流插件
  - mqtt-proxy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167

更改配置完成之后使用命令 apisix reload 使配置生效, 或者apisix stop; apisix start 重新启动apisix