	
	
	
		
			
			RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
		
			
				
	
	
		
		
	
	
	
	
	
| [DEFAULT]
 | |
| # bind_ip = 0.0.0.0
 | |
| # bind_port = 80
 | |
| # backlog = 4096
 | |
| # swift_dir = /etc/swift
 | |
| # workers = 1
 | |
| # user = swift
 | |
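| # Set the following two lines to enable SSL in the proxy server itself. This
 | |
| # built-in SSL is for testing only; in production, terminate SSL in front of
 | |
| # the proxy.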
 | |
| # cert_file = /etc/swift/proxy.crt
 | |
| # key_file = /etc/swift/proxy.key
 | |
| # expiring_objects_container_divisor = 86400
 | |
| # You can specify default log routing here if you want:
 | |
| # log_name = swift
 | |
| # log_facility = LOG_LOCAL0
 | |
| # log_level = INFO
 | |
| # You can enable default statsD logging here and/or override it in sections
 | |
| # below:
 | |
| # log_statsd_host = localhost
 | |
| # log_statsd_port = 8125
 | |
| # log_statsd_default_sample_rate = 1
 | |
| # log_statsd_metric_prefix =
 | |
| 
 | |
| [pipeline:main]
 | |
| pipeline = catch_errors healthcheck cache ratelimit tempauth proxy-server
 | |
| 
 | |
| [app:proxy-server]
 | |
| use = egg:swift#proxy
 | |
| # You can override the default log routing for this app here:
 | |
| # set log_name = proxy-server
 | |
| # set log_facility = LOG_LOCAL0
 | |
| # set log_level = INFO
 | |
| # set access_log_name = proxy-server
 | |
| # set access_log_facility = LOG_LOCAL0
 | |
| # set access_log_level = INFO
 | |
| # set log_headers = False
 | |
| # recheck_account_existence = 60
 | |
| # recheck_container_existence = 60
 | |
| # object_chunk_size = 8192
 | |
| # client_chunk_size = 8192
 | |
| # node_timeout = 10
 | |
| # client_timeout = 60
 | |
| # conn_timeout = 0.5
 | |
| # How long without an error before a node's error count is reset. This will
 | |
| # also be how long before a node is reenabled after suppression is triggered.
 | |
| # error_suppression_interval = 60
 | |
| # How many errors can accumulate before a node is temporarily ignored.
 | |
| # error_suppression_limit = 10
 | |
| # If set to 'true' any authorized user may create and delete accounts; if
 | |
| # 'false' no one, even authorized, can.
 | |
| # allow_account_management = false
 | |
| # Set object_post_as_copy = false to turn on fast posts where only the metadata
 | |
| # changes are stored anew and the original data file is kept in place. This
 | |
| # makes for quicker posts; but since the container metadata isn't updated in
 | |
| # this mode, features like container sync won't be able to sync posts.
 | |
| # object_post_as_copy = true
 | |
| # If set to 'true' authorized accounts that do not yet exist within the Swift
 | |
| # cluster will be automatically created.
 | |
| # account_autocreate = false
 | |
| # If set to a positive value, trying to create a container when the account
 | |
| # already has at least this many containers will result in a 403 Forbidden.
 | |
| # Note: This is a soft limit, meaning a user might exceed the cap for up to
 | |
| # recheck_account_existence seconds before the 403s kick in.
 | |
| # max_containers_per_account = 0
 | |
| # This is a comma separated list of account hashes that ignore the
 | |
| # max_containers_per_account cap.
 | |
| # max_containers_whitelist =
 | |
| # Comma separated list of Host headers to which the proxy will deny requests.
 | |
| # deny_host_headers =
 | |
| # prefix used when automatically creating accounts
 | |
| # auto_create_account_prefix = .
 | |
| # depth of the proxy put queue
 | |
| # put_queue_depth = 10
 | |
| 
 | |
| [filter:tempauth]
 | |
| use = egg:swift#tempauth
 | |
| # You can override the default log routing for this filter here:
 | |
| # set log_name = tempauth
 | |
| # set log_facility = LOG_LOCAL0
 | |
| # set log_level = INFO
 | |
| # set log_headers = False
 | |
| # The middleware will verify that a token begins with the reseller prefix before even
 | |
| # attempting to validate it. Also, with authorization, only Swift storage
 | |
| # accounts with this prefix will be authorized by this middleware. Useful if
 | |
| # multiple auth systems are in use for one Swift cluster.
 | |
| # reseller_prefix = AUTH
 | |
| # The auth prefix will cause requests beginning with this prefix to be routed
 | |
| # to the auth subsystem, for granting tokens, etc.
 | |
| # auth_prefix = /auth/
 | |
| # token_life = 86400
 | |
| # This is a comma separated list of hosts allowed to send X-Container-Sync-Key
 | |
| # requests.
 | |
| # allowed_sync_hosts = 127.0.0.1
 | |
| # This allows middleware higher in the WSGI pipeline to override auth
 | |
| # processing, useful for middleware such as tempurl and formpost. If you know
 | |
| # you're not going to use such middleware and you want a bit of extra security,
 | |
| # you can set this to false.
 | |
| # allow_overrides = true
 | |
| # Lastly, you need to list all the accounts/users you want here. The format is:
 | |
| #   user_<account>_<user> = <key> [group] [group] [...] [storage_url]
 | |
| # There are special groups of:
 | |
| #   .reseller_admin = can do anything to any account for this auth
 | |
| #   .admin = can do anything within the account
 | |
| # If neither of these groups are specified, the user can only access containers
 | |
| # that have been explicitly allowed for them by a .admin or .reseller_admin.
 | |
| # The trailing optional storage_url allows you to specify an alternate url to
 | |
| # hand back to the user upon authentication. If not specified, this defaults to
 | |
| # http[s]://<ip>:<port>/v1/<reseller_prefix>_<account> where http or https
 | |
| # depends on whether cert_file is specified in the [DEFAULT] section, <ip> and
 | |
| # <port> are based on the [DEFAULT] section's bind_ip and bind_port (falling
 | |
| # back to 127.0.0.1 and 8080), <reseller_prefix> is from this section, and
 | |
| # <account> is from the user_<account>_<user> name.
 | |
| # Here are example entries, required for running the tests. These keys are
 | |
| # published sample values: remove or replace them before any non-test use.
 | |
| user_admin_admin = admin .admin .reseller_admin
 | |
| user_test_tester = testing .admin
 | |
| user_test2_tester2 = testing2 .admin
 | |
| user_test_tester3 = testing3
 | |
| 
 | |
| [filter:healthcheck]
 | |
| use = egg:swift#healthcheck
 | |
| # You can override the default log routing for this filter here:
 | |
| # set log_name = healthcheck
 | |
| # set log_facility = LOG_LOCAL0
 | |
| # set log_level = INFO
 | |
| # set log_headers = False
 | |
| 
 | |
| [filter:cache]
 | |
| use = egg:swift#memcache
 | |
| # You can override the default log routing for this filter here:
 | |
| # set log_name = cache
 | |
| # set log_facility = LOG_LOCAL0
 | |
| # set log_level = INFO
 | |
| # set log_headers = False
 | |
| # Default for memcache_servers is to try to read the property from
 | |
| # memcache.conf (see memcache.conf-sample) or lacking that file, it will
 | |
| # default to the value below. You can specify multiple servers separated with
 | |
| # commas, as in: 10.1.2.3:11211,10.1.2.4:11211
 | |
| # memcache_servers = 127.0.0.1:11211
 | |
| 
 | |
| [filter:ratelimit]
 | |
| use = egg:swift#ratelimit
 | |
| # You can override the default log routing for this filter here:
 | |
| # set log_name = ratelimit
 | |
| # set log_facility = LOG_LOCAL0
 | |
| # set log_level = INFO
 | |
| # set log_headers = False
 | |
| # clock_accuracy should represent how accurate the proxy servers' system clocks
 | |
| # are with each other. 1000 means that all the proxies' clocks are accurate to
 | |
| # each other within 1 millisecond.  No ratelimit should be higher than the
 | |
| # clock accuracy.
 | |
| # clock_accuracy = 1000
 | |
| # max_sleep_time_seconds = 60
 | |
| # log_sleep_time_seconds of 0 means disabled
 | |
| # log_sleep_time_seconds = 0
 | |
| # Allows slow rates (e.g. running up to 5 seconds behind) to catch up.
 | |
| # rate_buffer_seconds = 5
 | |
| # account_ratelimit of 0 means disabled
 | |
| # account_ratelimit = 0
 | |
| 
 | |
| # these are comma separated lists of account names
 | |
| # account_whitelist = a,b
 | |
| # account_blacklist = c,d
 | |
| 
 | |
| # with container_ratelimit_x = r
 | |
| # for containers of size x limit requests per second to r.  The container
 | |
| # rate will be linearly interpolated from the values given. With the values
 | |
| # below, a container of size 5 will get a rate of 75.
 | |
| # container_ratelimit_0 = 100
 | |
| # container_ratelimit_10 = 50
 | |
| # container_ratelimit_50 = 20
 | |
| 
 | |
| [filter:catch_errors]
 | |
| use = egg:swift#catch_errors
 | |
| # You can override the default log routing for this filter here:
 | |
| # set log_name = catch_errors
 | |
| # set log_facility = LOG_LOCAL0
 | |
| # set log_level = INFO
 | |
| # set log_headers = False
 | |
| 
 | |
| [filter:cname_lookup]
 | |
| # Note: this middleware requires python-dnspython
 | |
| use = egg:swift#cname_lookup
 | |
| # You can override the default log routing for this filter here:
 | |
| # set log_name = cname_lookup
 | |
| # set log_facility = LOG_LOCAL0
 | |
| # set log_level = INFO
 | |
| # set log_headers = False
 | |
| # storage_domain = example.com
 | |
| # lookup_depth = 1
 | |
| 
 | |
| # Note: Put staticweb just after your auth filter(s) in the pipeline
 | |
| [filter:staticweb]
 | |
| use = egg:swift#staticweb
 | |
| # Seconds to cache container x-container-meta-web-* header values.
 | |
| # cache_timeout = 300
 | |
| # You can override the default log routing for this filter here:
 | |
| # set log_name = staticweb
 | |
| # set log_facility = LOG_LOCAL0
 | |
| # set log_level = INFO
 | |
| # set access_log_name = staticweb
 | |
| # set access_log_facility = LOG_LOCAL0
 | |
| # set access_log_level = INFO
 | |
| # set log_headers = False
 | |
| 
 | |
| # Note: Put tempurl just before your auth filter(s) in the pipeline
 | |
| [filter:tempurl]
 | |
| use = egg:swift#tempurl
 | |
| #
 | |
| # The headers to remove from incoming requests. Simply a whitespace delimited
 | |
| # list of header names and names can optionally end with '*' to indicate a
 | |
| # prefix match. incoming_allow_headers is a list of exceptions to these
 | |
| # removals.
 | |
| # incoming_remove_headers = x-timestamp
 | |
| #
 | |
| # The headers allowed as exceptions to incoming_remove_headers. Simply a
 | |
| # whitespace delimited list of header names and names can optionally end with
 | |
| # '*' to indicate a prefix match.
 | |
| # incoming_allow_headers =
 | |
| #
 | |
| # The headers to remove from outgoing responses. Simply a whitespace delimited
 | |
| # list of header names and names can optionally end with '*' to indicate a
 | |
| # prefix match. outgoing_allow_headers is a list of exceptions to these
 | |
| # removals.
 | |
| # outgoing_remove_headers = x-object-meta-*
 | |
| #
 | |
| # The headers allowed as exceptions to outgoing_remove_headers. Simply a
 | |
| # whitespace delimited list of header names and names can optionally end with
 | |
| # '*' to indicate a prefix match.
 | |
| # outgoing_allow_headers = x-object-meta-public-*
 | |
| 
 | |
| # Note: Put formpost just before your auth filter(s) in the pipeline
 | |
| [filter:formpost]
 | |
| use = egg:swift#formpost
 | |
| 
 | |
| # Note: Just needs to be placed before the proxy-server in the pipeline.
 | |
| [filter:name_check]
 | |
| use = egg:swift#name_check
 | |
| # forbidden_chars = '"`<>
 | |
| # maximum_length = 255
 |