man pages section 5: File Formats

Updated: Thursday, June 13, 2019
 
 

proxy-server.conf (5)

Name

proxy-server.conf - configuration file for the OpenStack Swift proxy server

Synopsis

proxy-server.conf

Description

proxy-server.conf(5)            OpenStack Swift           proxy-server.conf(5)



NAME
       proxy-server.conf  -  configuration  file for the OpenStack Swift proxy
       server




SYNOPSIS
       proxy-server.conf




DESCRIPTION
       This is the configuration file used by the proxy server and other proxy
       middlewares.

       The  configuration file follows the python-pastedeploy syntax. The file
       is divided into sections, which are enclosed by square  brackets.  Each
       section will contain a certain number of key/value parameters which are
       described later.

       Any line that begins with a '#' symbol is ignored.

       You can find more information  about  python-pastedeploy  configuration
       format at http://pythonpaste.org/deploy/#config-format




GLOBAL SECTION
       This  is indicated by section named [DEFAULT]. Below are the parameters
       that are acceptable within this section.


       bind_ip
              IP address the proxy server  should  bind  to.  The  default  is
              0.0.0.0 which will make it bind to all available addresses.

       bind_port
              TCP port the proxy server should bind to. The default is 80.

       bind_timeout
              Timeout to bind socket. The default is 30.

       backlog
              TCP backlog.  Maximum number of allowed pending connections. The
              default value is 4096.

       admin_key
              Key to use for admin calls that are  HMAC  signed.   Default  is
              empty, which will disable admin calls to /info.

       disallowed_sections
              Allows sections to be withheld from the public calls to /info.
              You can withhold subsections by separating the dict level with
              a ".".  The following would cause the sections
              'container_quotas' and 'tempurl' to not be listed, and the key
              max_failed_deletes would be removed from bulk_delete.  Default
              value is 'swift.valid_api_versions', which allows all
              registered features to be listed via HTTP GET /info except the
              swift.valid_api_versions information.

       workers
              The number of pre-forked processes that will accept connections.
              Zero means no fork.  The default is auto, which will make the
              server try to match the number of effective cpu cores if python
              multiprocessing is available (included with most python
              distributions >= 2.6) or fall back to one.  It's worth noting
              that individual workers will use many eventlet co-routines to
              service multiple concurrent requests.

       max_clients
              Maximum number of clients one worker can process  simultaneously
              (it will actually accept(2) N + 1). Setting this to one (1) will
              only handle one request at a  time,  without  accepting  another
              request concurrently.  The default is 1024.

       user   The  system  user that the proxy server will run as. The default
              is swift.

       expose_info
              Enables exposing configuration settings via HTTP GET /info.  The
              default is true.

       swift_dir
              Swift configuration directory. The default is /etc/swift.

       cert_file
              Location  of  the  SSL  certificate  file.  The  default path is
              /etc/swift/proxy.crt. This is disabled by default.

       key_file
              Location of the SSL certificate key file. The  default  path  is
              /etc/swift/proxy.key. This is disabled by default.

       expiring_objects_container_divisor
              The default is 86400.

       expiring_objects_account_name
              The default is 'expiring_objects'.

       log_name
              Label used when logging. The default is swift.

       log_facility
              Syslog log facility. The default is LOG_LOCAL0.

       log_level
              Logging level. The default is INFO.

       log_address
              Logging address. The default is /dev/log.

       log_max_line_length
              Caps the length of log lines to the value given. No limit if
              set to 0, the default.

       log_headers
              The default is false.

       log_custom_handlers
              Comma-separated list of functions to call to set up custom log
              handlers.  Functions get passed: conf, name, log_to_console,
              log_route, fmt, logger, adapted_logger. The default is empty.

       log_udp_host
              If set, log_udp_host will override log_address.

       log_udp_port
              UDP log port, the default is 514.

       log_statsd_host
              StatsD server. IPv4/IPv6 addresses and hostnames are  supported.
              If  a  hostname  resolves  to an IPv4 and IPv6 address, the IPv4
              address will be used.

       log_statsd_port
              The default is 8125.

       log_statsd_default_sample_rate
              The default is 1.

       log_statsd_sample_rate_factor
              The default is 1.

       log_statsd_metric_prefix
              The default is empty.

       client_timeout
              Time to wait while receiving each chunk of data from a client or
              another backend node. The default is 60.

       eventlet_debug
              Debug mode for eventlet library. The default is false.

       trans_id_suffix
              This optional suffix (default is empty) is appended to the
              swift transaction id and makes it easy to tell which cluster an
              X-Trans-Id belongs to.  This is very useful when managing more
              than one swift cluster.

       cors_allow_origin
              A comma-separated list of full URLs
              (http://foo.bar:1234,https://foo.bar).

       strict_cors_mode
              The default is true.




PIPELINE SECTION
       This is indicated by section name [pipeline:main]. Below are the
       parameters that are acceptable within this section.


       pipeline
              It is used when you need to apply a number of filters. It is a
              list of filters ended by an application.  The normal pipeline
              is "catch_errors gatekeeper healthcheck proxy-logging cache
              container_sync bulk tempurl ratelimit tempauth container-quotas
              account-quotas slo dlo versioned_writes proxy-logging
              proxy-server".

              Note: The double proxy-logging in the pipeline is not a mistake.
              The left-most proxy-logging is there to log requests  that  were
              handled  in  middleware  and never made it through to the right-
              most middleware (and proxy server). Double logging is  prevented
              for normal requests. See proxy-logging docs.




FILTER SECTION
       Any section that has its name prefixed by "filter:" indicates a filter
       section.  Filters are used to specify configuration parameters for
       specific swift middlewares.  Below are the filters available and
       respective acceptable parameters.

       [filter:healthcheck]

          use    Entry point for paste.deploy for the healthcheck  middleware.
                 This  is  the reference to the installed python egg.  This is
                 normally egg:swift#healthcheck.

          disable_path
                 An optional filesystem path which, if present, will cause the
                 healthcheck  URL  to  return "503 Service Unavailable" with a
                 body of "DISABLED BY FILE".



       [filter:tempauth]

          use    Entry point for paste.deploy  for  the  tempauth  middleware.
                 This  is  the reference to the installed python egg.  This is
                 normally egg:swift#tempauth.

          set log_name
                 Label used when logging. The default is tempauth.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers.  The  default  is
                 False.

          reseller_prefix
                 Tokens are checked to begin with this prefix before any
                 attempt is made to validate them. Also, with authorization,
                 only Swift storage accounts with this prefix will be
                 authorized by this middleware. Useful if multiple auth
                 systems are in use for one Swift cluster. The default is
                 AUTH.

          auth_prefix
                 The auth prefix will cause requests beginning with this
                 prefix to be routed to the auth subsystem, for granting
                 tokens, etc. The default is /auth/.

          require_group
                 The require_group parameter names a group that must be
                 presented by either X-Auth-Token or X-Service-Token. Usually
                 this parameter is used only with multiple reseller prefixes
                 (e.g., SERVICE_require_group=blah).  By default, no group is
                 needed. Do not use .admin.

          token_life
                 This is the time in seconds before the token expires. The
                 default is 86400.

          allow_overrides
                 This allows middleware higher in the WSGI pipeline to
                 override auth processing, useful for middleware such as
                 tempurl and formpost. If you know you're not going to use
                 such middleware and you want a bit of extra security, you
                 can set this to false. The default is true.

          storage_url_scheme
                 This specifies what scheme to return with storage urls: http,
                 https, or default (chooses based on what the server is
                 running as). This can be useful with an SSL load balancer in
                 front of a non-SSL server.

          user_<account>_<user>
                 Lastly, you need to list all the accounts/users you want
                 here. The format is:

                 user_<account>_<user> = <key> [group] [group] [...] [storage_url]

                 or, if you want underscores in <account> or <user>, you can
                 base64 encode them (with no equal signs) and use this format:

                 user64_<account_b64>_<user_b64> = <key> [group] [group] [...] [storage_url]

                 There are special groups of: .reseller_admin, who can do
                 anything to any account for this auth, and also .admin, who
                 can do anything within the account.

                 If neither of these groups is specified, the user can only
                 access containers that have been explicitly allowed for them
                 by a .admin or .reseller_admin.  The trailing optional
                 storage_url allows you to specify an alternate url to hand
                 back to the user upon authentication. If not specified, this
                 defaults to http[s]://<ip>:<port>/v1/<reseller_prefix>_<account>
                 where http or https depends on whether cert_file is specified
                 in the [DEFAULT] section, <ip> and <port> are based on the
                 [DEFAULT] section's bind_ip and bind_port (falling back to
                 127.0.0.1 and 8080), <reseller_prefix> is from this section,
                 and <account> is from the user_<account>_<user> name.

                 Here are example entries, required for running the tests:

                 user_admin_admin = admin .admin .reseller_admin
                 user_test_tester = testing .admin
                 user_test2_tester2 = testing2 .admin
                 user_test_tester3 = testing3
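
An audit of the user_ and user64_ entries described above, as an added example (not part of the original man page or of Swift's own code). The sample configuration and its key are constructed, and treating a trailing token that contains "://" as the storage_url is an assumption.

```python
import base64
import configparser

# The man page's example entries, (account, user) -> key, meant for running the tests.
SAMPLE_ENTRIES = {("admin", "admin"): "admin", ("test", "tester"): "testing",
                  ("test2", "tester2"): "testing2", ("test", "tester3"): "testing3"}


def user64_option(account, user):
    """Build a user64_ option name: base64 of each part, '=' padding stripped."""
    def enc(text):
        return base64.b64encode(text.encode()).decode().rstrip("=")
    return "user64_%s_%s" % (enc(account), enc(user))


def _unb64(text):
    # Restore the stripped padding before decoding.
    return base64.b64decode(text + "=" * (-len(text) % 4)).decode()


def parse_user_option(name, value):
    """Return a dict for one user_/user64_ line, or None for any other option."""
    for prefix, decode in (("user64_", _unb64), ("user_", str)):
        if name.startswith(prefix):
            parts = name[len(prefix):].split("_")
            break
    else:
        return None
    if len(parts) != 2:
        raise ValueError("%r: underscores in <account>/<user> need user64_" % name)
    account, user = (decode(p) for p in parts)
    tokens = value.split()
    if not tokens:
        raise ValueError("%r has no key" % name)
    key, rest = tokens[0], tokens[1:]
    # Assumption: a trailing token that contains '://' is the optional storage_url.
    storage_url = rest.pop() if rest and "://" in rest[-1] else None
    return {"account": account, "user": user, "key": key,
            "groups": rest, "storage_url": storage_url}


def default_storage_url(defaults, reseller_prefix, account):
    """URL handed back when no storage_url is listed, as the page describes it."""
    scheme = "https" if defaults.get("cert_file") else "http"
    ip = defaults.get("bind_ip", "127.0.0.1")
    port = defaults.get("bind_port", "8080")
    return "%s://%s:%s/v1/%s_%s" % (scheme, ip, port, reseller_prefix, account)


def audit_tempauth(conf_text, section="filter:tempauth"):
    """Return (user, findings) pairs for every user entry in the tempauth section."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep case: base64 option names are case-sensitive
    cp.read_string(conf_text)
    if not cp.has_section(section):
        return []
    reseller = cp.get(section, "reseller_prefix", fallback="AUTH").rstrip("_")
    results = []
    for name, value in cp.items(section):
        user = parse_user_option(name, value)
        if user is None:
            continue
        findings = []
        if ".reseller_admin" in user["groups"]:
            findings.append("reseller_admin: can do anything to any account")
        elif ".admin" in user["groups"]:
            findings.append("admin: can do anything within " + user["account"])
        if SAMPLE_ENTRIES.get((user["account"], user["user"])) == user["key"]:
            findings.append("test-suite credential from the documentation")
        url = user["storage_url"] or default_storage_url(
            cp.defaults(), reseller, user["account"])
        if url.startswith("http://"):
            findings.append("storage URL is plain http: " + url)
        results.append((user, findings))
    return results


# Constructed sample configuration; the third key and the host name are made up.
SAMPLE_CONF = """
[DEFAULT]
bind_port = 8080

[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester3 = testing3
%s = c0nstructed-key .admin https://swift.example.test/v1/AUTH_ops_team
""" % user64_option("ops_team", "backup_svc")

if __name__ == "__main__":
    for user, findings in audit_tempauth(SAMPLE_CONF):
        print("%s:%s" % (user["account"], user["user"]))
        for finding in findings:
            print("   - " + finding)
```

Only the tempauth section is scanned, so options such as user_domain_id in [filter:authtoken] are not mistaken for user entries.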


       [filter:authtoken]

       To enable Keystone authentication, the auth token middleware must be
       configured first. An example is shown below; please refer to
       keystone's documentation for details about the different settings.

       You also need the keystoneauth middleware enabled and in your main
       pipeline, so instead of having tempauth in there you can change it to:
       authtoken keystoneauth

                 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
                 auth_uri = http://keystonehost:5000
                 auth_url = http://keystonehost:35357
                 auth_plugin = password
                 project_domain_id = default
                 user_domain_id = default
                 project_name = service
                 username = swift
                 password = password

                 # delay_auth_decision defaults to False, but leaving it as false will
                 # prevent other auth systems, staticweb, tempurl, formpost, and ACLs from
                 # working. This value must be explicitly set to True.
                 delay_auth_decision = False
                 cache = swift.cache
                 include_service_catalog = False



       [filter:keystoneauth]

       Keystone authentication middleware.


          use    Entry point for paste.deploy for the keystoneauth middleware.
                 This is the reference to the installed python egg.   This  is
                 normally egg:swift#keystoneauth.

          reseller_prefix
                 The reseller_prefix option lists account namespaces that this
                 middleware is responsible for. The prefix  is  placed  before
                 the  Keystone project id.  For example, for project 12345678,
                 and prefix AUTH, the account is  named  AUTH_12345678  (i.e.,
                 path is /v1/AUTH_12345678/...).  Several prefixes are allowed
                 by specifying a comma-separated list as in:  "reseller_prefix
                 =  AUTH,  SERVICE".  The  empty  string  indicates  a  single
                 blank/empty prefix. If an empty prefix is required in a  list
                 of  prefixes,  a  value  of  '' (two single quote characters)
                 indicates a blank/empty prefix. Except  for  the  blank/empty
                 prefix,  an  underscore  ('_')  character  is appended to the
                 value unless already present.

          operator_roles
                 The user must have at least one role named by  operator_roles
                 on a project in order to create, delete and modify containers
                 and objects and to set and read privileged  headers  such  as
                 ACLs.   If  there  are several reseller prefix items, you can
                 prefix the parameter so it applies  only  to  those  accounts
                 (for  example the parameter SERVICE_operator_roles applies to
                 the /v1/SERVICE_<project> path). If you omit the prefix,  the
                 option   applies  to  all  reseller  prefix  items.  For  the
                 blank/empty prefix, prefix with ''  (do  not  put  underscore
                 after the two single quote characters).

          reseller_admin_role
                 The  reseller admin role has the ability to create and delete
                 accounts.

          allow_overrides
                 This allows middleware higher in the WSGI pipeline to
                 override auth processing, useful for middleware such as
                 tempurl and formpost. If you know you're not going to use
                 such middleware and you want a bit of extra security, you
                 can set this to false.

          service_roles
                 If the service_roles parameter is present, an X-Service-Token
                 must be present in the request that, when validated, grants
                 at least one role listed in the parameter.  The
                 X-Service-Token may be scoped to any project.  If there are
                 several reseller prefix items, you can prefix the parameter
                 so it applies only to those accounts (for example the
                 parameter SERVICE_service_roles applies to the
                 /v1/SERVICE_<project> path). If you omit the prefix, the
                 option applies to all reseller prefix items. For the
                 blank/empty prefix, prefix with '' (do not put underscore
                 after the two single quote characters).  By default, no
                 service_roles are required.
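
How the reseller_prefix list and the prefix-scoped operator_roles and service_roles options combine for a given request path, as an added example. It implements the rules as this page words them and is not Swift's own code; the role names and sample settings are constructed, and letting the blank prefix claim only accounts that no named prefix matched is an assumption.

```python
def parse_reseller_prefixes(value):
    """Normalise a reseller_prefix value into a list of account prefixes."""
    prefixes = []
    for item in (p.strip() for p in value.split(",")):
        if not item:
            continue                    # stray comma or wholly empty value
        if item == "''":
            item = ""                   # two single quotes: the blank prefix
        elif not item.endswith("_"):
            item += "_"                 # underscore appended unless present
        if item not in prefixes:
            prefixes.append(item)
    return prefixes or [""]             # empty string: a single blank prefix


def prefix_for(account, prefixes):
    """Pick the configured prefix an account belongs to, or None."""
    for prefix in prefixes:
        if prefix and account.startswith(prefix):
            return prefix
    # Assumption: the blank prefix only claims accounts no named prefix matched.
    return "" if "" in prefixes else None


def scoped_roles(conf, prefix, option):
    """Read a role list, preferring the prefix-scoped spelling of the option."""
    label = prefix if prefix else "''"  # blank prefix: '' with no underscore
    raw = conf.get(label + option, conf.get(option, ""))
    return [role.strip() for role in raw.split(",") if role.strip()]


def requirements(conf, path):
    """Roles a request to `path` needs, or None if no prefix claims the account."""
    parts = path.split("/")             # '', 'v1', '<account>', ...
    account = parts[2] if len(parts) > 2 else ""
    prefixes = parse_reseller_prefixes(conf.get("reseller_prefix", ""))
    prefix = prefix_for(account, prefixes)
    if prefix is None:
        return None
    return {"prefix": prefix,
            "operator_roles": scoped_roles(conf, prefix, "operator_roles"),
            "service_roles": scoped_roles(conf, prefix, "service_roles")}


# Constructed [filter:keystoneauth] settings: only SERVICE_ accounts need a
# role from an X-Service-Token.
CONF = {"reseller_prefix": "AUTH, SERVICE",
        "operator_roles": "operator",
        "SERVICE_service_roles": "svc"}

# Constructed settings with a blank prefix that has its own operator role.
BLANK = {"reseller_prefix": "AUTH, ''",
         "operator_roles": "operator",
         "''operator_roles": "legacy"}

if __name__ == "__main__":
    for conf, path in ((CONF, "/v1/AUTH_12345678/c/o"),
                       (CONF, "/v1/SERVICE_12345678/c"),
                       (CONF, "/v1/OTHER_1/c"),
                       (BLANK, "/v1/12345678/c")):
        print(path, "->", requirements(conf, path))
```

A scoped option whose prefix is misspelled is simply never read, so the unscoped value (or no requirement at all) applies to that namespace.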

          default_domain_id
                 For backwards compatibility, keystoneauth will match names in
                 cross-tenant access control lists (ACLs) when both the
                 requesting user and the tenant are in the default domain,
                 i.e., the domain to which existing tenants are migrated. The
                 default_domain_id value configured here should be the same as
                 the value used during migration of tenants to keystone
                 domains.

          allow_names_in_acls
                 For a new installation, or an installation in which  keystone
                 projects  may  move between domains, you should disable back-
                 wards  compatible  name   matching   in   ACLs   by   setting
                 allow_names_in_acls to false:



       [filter:cache]

       Caching middleware that manages caching in swift.


          use    Entry  point  for  paste.deploy  for the memcache middleware.
                 This is the reference to the installed python egg.   This  is
                 normally egg:swift#memcache.

          set log_name
                 Label used when logging. The default is memcache.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables  the  ability  to log request headers. The default is
                 False.

          memcache_max_connections
                 Sets the maximum number  of  connections  to  each  memcached
                 server per worker.

          memcache_servers
                 If not set in the configuration file, the value for
                 memcache_servers will be read from /etc/swift/memcache.conf
                 (see memcache.conf-sample) or, lacking that file, it will
                 default to 127.0.0.1:11211. You can specify multiple servers
                 separated with commas, as in: 10.1.2.3:11211,10.1.2.4:11211.
                 (IPv6 addresses must follow rfc3986 section-3.2.2, i.e.
                 [::1]:11211)

          memcache_serialization_support
                 This sets how memcache values are serialized and
                 deserialized:

                 0 = older, insecure pickle serialization
                 1 = json serialization but pickles can still be read (still insecure)
                 2 = json serialization only (secure and the default)

                 To avoid an instant full cache flush, existing installations
                 should upgrade with 0, then set to 1 and reload, then after
                 some time (24 hours) set to 2 and reload. In the future, the
                 ability to use pickle serialization will be removed.

                 If not set in the configuration file, the value for
                 memcache_serialization_support will be read from
                 /etc/swift/memcache.conf if it exists (see
                 memcache.conf-sample). Otherwise, the default value as
                 indicated above will be used.



       [filter:ratelimit]

       Rate  limits  requests  on both an Account and Container level.  Limits
       are configurable.


          use    Entry point for paste.deploy for  the  ratelimit  middleware.
                 This  is  the reference to the installed python egg.  This is
                 normally egg:swift#ratelimit.

          set log_name
                 Label used when logging. The default is ratelimit.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers.  The  default  is
                 False.

          clock_accuracy
                 This should represent how accurate the proxy servers' system
                 clocks are with each other.  1000 means that all the proxies'
                 clocks are accurate to each other within 1 millisecond.  No
                 ratelimit should be higher than the clock accuracy. The
                 default is 1000.

          max_sleep_time_seconds
                 App  will  immediately return a 498 response if the necessary
                 sleep time ever exceeds the given max_sleep_time_seconds. The
                 default is 60 seconds.

          log_sleep_time_seconds
                 To allow visibility into rate limiting, set this value > 0
                 and all sleeps greater than the number will be logged. 0
                 means disabled. The default is 0.

          rate_buffer_seconds
                 Number of seconds the rate counter can drop and be allowed to
                 catch up (at a faster than listed rate). A larger number will
                 result  in larger spikes in rate but better average accuracy.
                 The default is 5.

          account_ratelimit
                 If set, will limit PUT and DELETE requests to
                 /account_name/container_name.  Number is in requests per
                 second. 0 means disabled. The default is 0.

          container_ratelimit_size
                 When set with container_limit_x = r: for containers  of  size
                 x,  limit  requests  per second to r. Will limit PUT, DELETE,
                 and POST requests to /a/c/o. The default is ''.

          container_listing_ratelimit_size
                 Similarly to the above container-level write limits, the fol-
                 lowing will limit container GET (listing) requests.




       [filter:domain_remap]

       Middleware that translates container and account parts of a domain to
       path parameters that the proxy server understands.

       container.account.storageurl/object gets translated to
       container.account.storageurl/path_root/account/container/object

       and account.storageurl/path_root/container/object gets translated to
       account.storageurl/path_root/account/container/object


          use    Entry point for paste.deploy for the domain_remap middleware.
                 This  is  the reference to the installed python egg.  This is
                 normally egg:swift#domain_remap.

          set log_name
                 Label used when logging. The default is domain_remap.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers.  The  default  is
                 False.

          storage_domain
                 The domain to be used by the middleware.

          path_root
                 The path root value for the storage URL. The default is v1.

          reseller_prefixes
                 Browsers can convert a host header to lowercase, so check
                 that reseller prefix on the account is the correct case. This
                 is done by comparing the items in the reseller_prefixes
                 config option to the found prefix.  If they match except for
                 case, the item from reseller_prefixes will be used instead of
                 the found reseller prefix. When none match, the default
                 reseller prefix is used. When no default reseller prefix is
                 configured, any request with an account prefix not in that
                 list will be ignored by this middleware.  Defaults to 'AUTH'.

          default_reseller_prefix
                 The  default  reseller  prefix. This is used when none of the
                 configured reseller_prefixes match. When not set, no reseller
                 prefix is added.



       [filter:catch_errors]

          use    Entry point for paste.deploy for the catch_errors middleware.
                 This is the reference to the installed python egg.   This  is
                 normally egg:swift#catch_errors.

          set log_name
                 Label used when logging. The default is catch_errors.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables  the  ability  to log request headers. The default is
                 False.



       [filter:cname_lookup]

       Note: this middleware requires python-dnspython


          use    Entry point for paste.deploy for the cname_lookup middleware.
                 This  is  the reference to the installed python egg.  This is
                 normally egg:swift#cname_lookup.

          set log_name
                 Label used when logging. The default is cname_lookup.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers.  The  default  is
                 False.

          storage_domain
                 The domain to be used by the middleware.

          lookup_depth
                 How  deep  in  the  CNAME  chain  to  look for something that
                 matches the storage domain.  The default is 1.



       [filter:staticweb]

       Note: Put staticweb just after your auth filter(s) in the pipeline


          use    Entry point for paste.deploy for  the  staticweb  middleware.
                 This  is  the reference to the installed python egg.  This is
                 normally egg:swift#staticweb.

          set log_name
                 Label used when logging. The default is staticweb.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables the ability to log request headers.  The  default  is
                 False.



       [filter:tempurl]

       Note: Put tempurl before slo, dlo, and your auth filter(s) in the
       pipeline


          use    Entry point for paste.deploy for the tempurl middleware. This
                 is  the  reference to the installed python egg.  This is nor-
                 mally egg:swift#tempurl.

          methods
                 The methods allowed with Temp URLs. The default is 'GET  HEAD
                 PUT POST DELETE'.

          incoming_remove_headers
                 The headers to remove from incoming requests. Simply a
                 whitespace delimited list of header names and names can
                 optionally end with '*' to indicate a prefix match.
                 incoming_allow_headers is a list of exceptions to these
                 removals.

          incoming_allow_headers
                 The headers allowed as exceptions to incoming_remove_headers.
                 Simply  a whitespace delimited list of header names and names
                 can optionally end with '*' to indicate a prefix match.

          outgoing_remove_headers
                 The headers to remove from outgoing responses. Simply a
                 whitespace delimited list of header names and names can
                 optionally end with '*' to indicate a prefix match.
                 outgoing_allow_headers is a list of exceptions to these
                 removals.

          outgoing_allow_headers
                 The headers allowed as exceptions to outgoing_remove_headers.
                 Simply a whitespace delimited list of header names and  names
                 can optionally end with '*' to indicate a prefix match.



       [filter:formpost]

       Note: Put formpost just before your auth filter(s) in the pipeline


          use    Entry  point  for  paste.deploy  for the formpost middleware.
                 This is the reference to the installed python egg.   This  is
                 normally egg:swift#formpost.




       [filter:name_check]

       Note: Just needs to be placed before the proxy-server in the pipeline.


          use    Entry  point  for paste.deploy for the name_check middleware.
                 This is the reference to the installed python egg.   This  is
                 normally egg:swift#name_check.

          forbidden_chars
                 Characters that will not be allowed in a name. The default is
                 '"`<>.

          maximum_length
                 Maximum number of characters that can be  in  the  name.  The
                 default is 255.

          forbidden_regexp
                 Python regular expressions of substrings that will not be
                 allowed in a name. The default is /\./|/\.\./|/\.$|/\.\.$.
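
The placement notes for staticweb, tempurl, formpost and name_check, together with the PIPELINE SECTION description, turned into a pipeline check, as an added example (not part of the original man page or of Swift). It assumes the pipeline labels match the filter section names, checks relative order rather than strict adjacency, and uses a constructed misordered configuration.

```python
import configparser

# Pipeline labels treated as auth filters (assumed to match the section names).
AUTH_FILTERS = ("tempauth", "authtoken", "keystoneauth")
# filter -> filters it has to come before, per the notes on this page.
MUST_PRECEDE = {
    "tempurl": ("slo", "dlo") + AUTH_FILTERS,
    "formpost": AUTH_FILTERS,
}


def read_pipeline(conf_text):
    """Return the [pipeline:main] pipeline of a proxy-server.conf as a list."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    return cp.get("pipeline:main", "pipeline").split()


def lint_pipeline(names):
    """Return a list of (rule, message) for each ordering rule that is broken."""
    problems = []
    first = {}
    for i, name in enumerate(names):
        first.setdefault(name, i)
    auth = [i for i, name in enumerate(names) if name in AUTH_FILTERS]

    # A pipeline is a list of filters ended by an application; this also
    # guarantees that name_check sits before proxy-server.
    if not names or names[-1] != "proxy-server":
        problems.append(("app-last", "pipeline must end with proxy-server"))
    if not auth:
        problems.append(("no-auth", "no tempauth or authtoken keystoneauth"))
    if "authtoken" in first and first.get("keystoneauth", -1) < first["authtoken"]:
        problems.append(("keystone-pair", "authtoken needs keystoneauth after it"))
    for name, targets in MUST_PRECEDE.items():
        if name in first:
            early = [t for t in targets if t in first and first[t] < first[name]]
            if early:
                problems.append((name + "-order",
                                 "%s must come before %s" % (name, ", ".join(early))))
    if "staticweb" in first and auth and first["staticweb"] < auth[-1]:
        problems.append(("staticweb-order",
                         "staticweb must come after the auth filter(s)"))
    # The left-most proxy-logging records requests answered by middleware that
    # never reach the right-most one.
    if names.count("proxy-logging") < 2:
        problems.append(("proxy-logging",
                         "expected a left-most and a right-most proxy-logging"))
    return problems


# The normal pipeline quoted in the PIPELINE SECTION above.
NORMAL = ("catch_errors gatekeeper healthcheck proxy-logging cache "
          "container_sync bulk tempurl ratelimit tempauth container-quotas "
          "account-quotas slo dlo versioned_writes proxy-logging proxy-server")

# Constructed configuration with several filters out of place.
SAMPLE_CONF = """
[DEFAULT]
bind_port = 8080

[pipeline:main]
pipeline = catch_errors healthcheck cache staticweb authtoken keystoneauth formpost slo tempurl proxy-logging proxy-server
"""

if __name__ == "__main__":
    for rule, message in lint_pipeline(read_pipeline(SAMPLE_CONF)):
        print("%-16s %s" % (rule, message))
```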



       [filter:list-endpoints]

          use    Entry point for paste.deploy for the  list_endpoints  middle-
                 ware.  This  is  the  reference  to the installed python egg.
                 This is normally egg:swift#list_endpoints.

          list_endpoints_path
                 The default is '/endpoints/'.



       [filter:proxy-logging]

       Logging for the proxy server now lives  in  this  middleware.   If  the
       access_* variables are not set, logging directives from [DEFAULT] with-
       out "access_" will be used.


          use    Entry point for paste.deploy for  the  proxy_logging  middle-
                 ware.  This  is  the  reference  to the installed python egg.
                 This is normally egg:swift#proxy_logging.

          access_log_name
                 Label used when logging. The default is proxy-server.

          access_log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          access_log_level
                 Logging level. The default is INFO.

          access_log_address
                 Default is /dev/log.

          access_log_udp_host
                 If set, access_log_udp_host will override access_log_address.
                 Default is unset.

          access_log_udp_port
                 Default is 514.

          access_log_statsd_host
                 You  can  use  log_statsd_*  from [DEFAULT], or override them
                 here.  StatsD server. IPv4/IPv6 addresses and  hostnames  are
                 supported.  If  a  hostname  resolves  to  an  IPv4  and IPv6
                 address, the IPv4 address will be used.

          access_log_statsd_port
                 Default is 8125.

          access_log_statsd_default_sample_rate
                 Default is 1.

          access_log_statsd_sample_rate_factor
                 The default is 1.

          access_log_statsd_metric_prefix
                 Default is "" (empty-string)

          access_log_headers
                 Default is False.

          access_log_headers_only
                 If access_log_headers is True and access_log_headers_only is
                 set, only these headers are logged. Multiple headers can be
                 defined as a comma-separated list, like this:
                 access_log_headers_only = Host, X-Object-Meta-Mtime

          reveal_sensitive_prefix
                 By default, the X-Auth-Token is logged. To obscure the value,
                 set reveal_sensitive_prefix to the number of characters to
                 log. For example, if set to 12, only the first 12 characters
                 of the token appear in the log. Unauthorized access to the
                 log file then does not allow unauthorized use of the token.
                 However, the first 12 or so characters are unique enough that
                 you can trace/debug token usage. Set to 0 to suppress the
                 token completely (replaced by '...' in the log). The default
                 is 16 chars. Note: reveal_sensitive_prefix will not affect
                 the value logged with access_log_headers=True.

          log_statsd_valid_http_methods
                 What HTTP methods are allowed for StatsD logging (comma-sep);
                 request  methods  not in this list will have "BAD_METHOD" for
                 the   <verb>   portion   of   the   metric.     Default    is
                 "GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS".

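       How the proxy-logging options above decide what part of a token
       reaches the access log, as an added example (not Swift's own code).
       The configuration text, the token, the function names and the set of
       truthy spellings are constructed assumptions.

```python
import configparser

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """\
[filter:proxy-logging]
use = egg:swift#proxy_logging
access_log_headers = True
reveal_sensitive_prefix = 12
"""

# Same filter, restricted to two headers and with the token suppressed.
HARDENED_CONF = """\
[filter:proxy-logging]
use = egg:swift#proxy_logging
access_log_headers = True
access_log_headers_only = Host, X-Object-Meta-Mtime
reveal_sensitive_prefix = 0
"""

TRUE_VALUES = {"true", "1", "yes", "on", "t", "y"}  # assumed truthy spellings


def obscure(token, prefix):
    """Keep the first `prefix` characters and replace the rest with '...'."""
    if token and len(token) > prefix:
        return token[:prefix] + "..."
    return token


def token_exposure(conf_text, token, section="filter:proxy-logging"):
    """Report how `token` would reach the access log under this configuration."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    opts = dict(parser[section]) if parser.has_section(section) else {}

    prefix = int(opts.get("reveal_sensitive_prefix", 16))  # documented default
    log_headers = opts.get("access_log_headers", "False").lower() in TRUE_VALUES
    only = [h.strip().lower()
            for h in opts.get("access_log_headers_only", "").split(",")
            if h.strip()]
    # With access_log_headers on, the token is written in full unless
    # access_log_headers_only is set and leaves X-Auth-Token out.
    full = log_headers and (not only or "x-auth-token" in only)
    return {"token_field": obscure(token, prefix), "full_token_in_headers": full}


if __name__ == "__main__":
    sample_token = "AUTH_tk0123456789abcdef0123456789"  # constructed value
    print(token_exposure(SAMPLE_CONF, sample_token))
    print(token_exposure(HARDENED_CONF, sample_token))
```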


       [filter:bulk]

       Note: Put before both ratelimit and auth in the pipeline.


          use    Entry point for paste.deploy for the bulk middleware. This is
                 the reference to the installed python egg.  This is  normally
                 egg:swift#bulk.

          max_containers_per_extraction
                 The default is 10000.

          max_failed_extractions
                 The default is 1000.

          max_deletes_per_request
                 The default is 10000.

          max_failed_deletes
                 The default is 1000.

          yield_frequency
                 In order to keep a connection active during a potentially
                 long bulk request, Swift may return whitespace prepended to
                 the actual response body. This whitespace will be yielded no
                 more than every yield_frequency seconds. The default is 10.

          delete_container_retry_count
                 Note: This parameter is used during a bulk delete of objects
                 and their container. Such a delete would frequently fail
                 because it is very likely that not all replicated objects
                 have been deleted by the time the middleware gets a
                 successful response. This parameter sets the number of
                 retries; the number of seconds to wait between retries is
                 1.5**retry. The default is 0.



       [filter:slo]

       Note: Put after auth and staticweb in the pipeline.


          use    Entry point for paste.deploy for the slo middleware. This  is
                 the  reference to the installed python egg.  This is normally
                 egg:swift#slo.

          max_manifest_segments
                 The default is 1000.

          max_manifest_size
                 The default is 2097152.

          min_segment_size
                 The default is 1048576.

          rate_limit_after_segment
                 Start rate-limiting object segments after the Nth segment  of
                 a segmented object. The default is 10 segments.

          rate_limit_segments_per_sec
                 Once segment rate-limiting kicks in for an object, limit seg-
                 ments served to N per second. The default is 1.

          max_get_time
                 Time limit on GET requests (seconds). The default is 86400.



       [filter:dlo]

       Note: Put after auth and staticweb in the pipeline.  If you  don't  put
       it in the pipeline, it will be inserted for you.


          use    Entry  point for paste.deploy for the dlo middleware. This is
                 the reference to the installed python egg.  This is  normally
                 egg:swift#dlo.

          rate_limit_after_segment
                 Start  rate-limiting object segments after the Nth segment of
                 a segmented object. The default is 10 segments.

          rate_limit_segments_per_sec
                 Once segment rate-limiting kicks in for an object, limit seg-
                 ments served to N per second. The default is 1.

          max_get_time
                 Time limit on GET requests (seconds). The default is 86400.



       [filter:container-quotas]

       Note: Put after auth in the pipeline.


          use    Entry point for paste.deploy for the container_quotas middle-
                 ware. This is the reference  to  the  installed  python  egg.
                 This is normally egg:swift#container_quotas.



       [filter:account-quotas]

       Note: Put after auth in the pipeline.


          use    Entry  point  for paste.deploy for the account_quotas middle-
                 ware. This is the reference  to  the  installed  python  egg.
                 This is normally egg:swift#account_quotas.



       [filter:gatekeeper]

       Note: this middleware requires python-dnspython


          use    Entry  point  for paste.deploy for the gatekeeper middleware.
                 This is the reference to the installed python egg.   This  is
                 normally egg:swift#gatekeeper.

          set log_name
                 Label used when logging. The default is gatekeeper.

          set log_facility
                 Syslog log facility. The default is LOG_LOCAL0.

          set log_level
                 Logging level. The default is INFO.

          set log_address
                 Logging address. The default is /dev/log.

          set log_headers
                 Enables  the  ability  to log request headers. The default is
                 False.



       [filter:container_sync]

       Note: this middleware requires python-dnspython


          use    Entry point for paste.deploy for the  container_sync  middle-
                 ware.  This  is  the  reference  to the installed python egg.
                 This is normally egg:swift#container_sync.

          allow_full_urls
                 Set this to false if you want to disallow any full url values
                 to  be set for any new X-Container-Sync-To headers. This will
                 keep any new full urls from coming in, but won't  change  any
                 existing  values already in the cluster.  Updating those will
                 have to be done manually, as knowing what the true realm end-
                 point  should  be  cannot  always  be guessed. The default is
                 true.

          current
                 Set this to specify this cluster's //realm/cluster as
                 "current" in /info.



       [filter:xprofile]

       Note:  Put  it  at the beginning of the pipeline to profile all middle-
       ware. But it is safer to put this after healthcheck.


          use    Entry point for paste.deploy  for  the  xprofile  middleware.
                 This  is  the reference to the installed python egg.  This is
                 normally egg:swift#xprofile.

          profile_module
                 This option enables you to switch profilers, which should
                 inherit from the Python standard profiler. Currently
                 supported values include 'cProfile',
                 'eventlet.green.profile', etc.

          log_filename_prefix
                 This prefix is combined with the process ID and a timestamp
                 to name the profile data file. Make sure the executing user
                 has permission to write into this path (missing path segments
                 will be created, if necessary). If you enable profiling in
                 more than one type of daemon, you must override it with a
                 unique value. The default is
                 /var/log/swift/profile/account.profile.

          dump_interval
                 The profile data will be dumped to local disk based on  above
                 naming rule in this interval. The default is 5.0.

          dump_timestamp
                 Be careful: this option makes the profiler dump data into
                 files named with a timestamp, which means lots of files will
                 pile up in the directory. The default is false.

          path   This  is  the  path of the URL to access the mini web UI. The
                 default is __profile__.

          flush_at_shutdown
                 Clear the data when the wsgi server shuts down. The default
                 is false.

          unwind Unwind the iterator of applications. Default is false.



       [filter:versioned_writes]

       Note:  Put  after slo, dlo in the pipeline.  If you don't put it in the
       pipeline, it will be inserted automatically.


          use    Entry point for paste.deploy for the versioned_writes middle-
                 ware.  This  is  the  reference  to the installed python egg.
                 This is normally egg:swift#versioned_writes.

          allow_versioned_writes
                 Enables using versioned writes middleware and  exposing  con-
                 figuration  settings  via  HTTP  GET /info.  WARNING: Setting
                 this option bypasses the "allow_versions" option in the  con-
                 tainer  configuration  file,  which will be eventually depre-
                 cated. See documentation for more details.



APP SECTION
       This is indicated by section name  [app:proxy-server].  Below  are  the
       parameters that are acceptable within this section.

       use    Entry  point  for paste.deploy for the proxy server. This is the
              reference  to  the  installed  python  egg.   This  is  normally
              egg:swift#proxy.

       set log_name
              Label used when logging. The default is proxy-server.

       set log_facility
              Syslog log facility. The default is LOG_LOCAL0.

       set log_level
              Logging level. The default is INFO.

       set log_address
              Logging address. The default is /dev/log.

       log_handoffs
              Log when handoff locations are used.  Default is True.

       recheck_account_existence
              Cache  timeout  in  seconds  to send memcached for account exis-
              tence. The default is 60 seconds.

       recheck_container_existence
              Cache timeout in seconds to send memcached for  container  exis-
              tence. The default is 60 seconds.

       object_chunk_size
              Chunk size to read from object servers. The default is 8192.

       client_chunk_size
              Chunk size to read from clients. The default is 8192.

       node_timeout
              Request timeout to external services. The default is 10 seconds.

       recoverable_node_timeout
              How long the proxy server will wait for an initial response and
              to read a chunk of data from the object servers while serving
              GET / HEAD requests. Timeouts on these requests can be
              recovered from, so setting this lower than node_timeout
              provides quicker error recovery while still allowing a longer
              timeout for non-recoverable requests (PUTs). Defaults to
              node_timeout; it should be overridden if node_timeout is set
              to a high number, to prevent client timeouts from firing before
              the proxy server has a chance to retry.

       conn_timeout
              Connection timeout to external services. The default is 0.5 sec-
              onds.

       post_quorum_timeout
              How long to wait for requests to finish after a quorum has  been
              established. The default is 0.5 seconds.

       error_suppression_interval
              Time in seconds that must elapse since the last error for a node
              to be considered no longer error limited. The default is 60 sec-
              onds.

       error_suppression_limit
              Error count to consider a node error limited. The default is 10.

       allow_account_management
              Whether  account  PUTs  and DELETEs are even callable. If set to
              'true' any authorized user may create and  delete  accounts;  if
              'false' no one, even authorized, can. The default is false.

       object_post_as_copy
              Set object_post_as_copy = false to turn on fast posts where only
              the metadata changes are stored as new  and  the  original  data
              file is kept in place. This makes for quicker posts. The default
              is True.

       account_autocreate
              If set to 'true' authorized  accounts  that  do  not  yet  exist
              within  the  Swift  cluster  will  be automatically created. The
              default is set to false.

       auto_create_account_prefix
              Prefix used when automatically creating accounts. The default is
              '.'.

       max_containers_per_account
              If set to a positive value, trying to create a container when
              the account already has at least this many containers will
              result in a 403 Forbidden. Note: This is a soft limit, meaning
              a user might exceed the cap for recheck_account_existence
              seconds before the 403s kick in.

       max_containers_whitelist
              This is a comma separated list of account hashes that ignore the
              max_containers_per_account cap.

       deny_host_headers
              Comma separated list of Host headers to  which  the  proxy  will
              deny requests. The default is empty.

       put_queue_depth
              Depth of the proxy put queue. The default is 10.

       sorting_method
              Storage  nodes  can  be chosen at random (shuffle - default), by
              using timing measurements (timing),  or  by  using  an  explicit
              match (affinity).  Using timing measurements may allow for lower
              overall latency, while using affinity allows for finer  control.
              In both the timing and affinity cases, equally-sorting nodes are
              still randomly chosen to spread  load.   The  valid  values  for
              sorting_method are "affinity", "shuffle", and "timing".

       timing_expiry
              If the "timing" sorting_method is used, the timings will only be
              valid for the number of seconds configured by timing_expiry. The
              default is 300.

       request_node_count
              Set  to the number of nodes to contact for a normal request. You
              can use '* replicas' at the end to have it use the number  given
              times  the  number  of  replicas for the ring being used for the
              request. The default is '2 * replicas'.

       read_affinity
              Which backend servers to prefer on reads. Format is r<N> for
              region N or r<N>z<M> for region N, zone M. The value after the
              equals is the priority; lower numbers are higher priority.
              Default is empty, meaning no preference. Example: first read
              from region 1 zone 1, then region 1 zone 2, then anything in
              region 2, then everything else:
              read_affinity = r1z1=100, r1z2=200, r2=300

       write_affinity
              Which backend servers to prefer on writes. Format is r<N> for
              region N or r<N>z<M> for region N, zone M. If this is set, then
              when handling an object PUT request, some number (see setting
              write_affinity_node_count) of local backend servers will be
              tried before any nonlocal ones. Default is empty, meaning no
              preference. Example: try to write to regions 1 and 2 before
              writing to any other nodes:
              write_affinity = r1, r2

       write_affinity_node_count
              The number of local (as governed by the write_affinity  setting)
              nodes  to  attempt  to contact first, before any non-local ones.
              You can use '* replicas' at the end to have it  use  the  number
              given  times  the number of replicas for the ring being used for
              the request. The default is '2 * replicas'.

       swift_owner_headers
              These are the headers whose values will only be shown to
              swift_owners. The exact definition of a swift_owner is up to the
              auth system in use, but usually indicates administrative
              responsibilities. The default is 'x-container-read,
              x-container-write, x-container-sync-key, x-container-sync-to,
              x-account-meta-temp-url-key, x-account-meta-temp-url-key-2,
              x-container-meta-temp-url-key, x-container-meta-temp-url-key-2,
              x-account-access-control'.
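
       How a read_affinity value orders backend nodes, as an added example
       (not Swift's own code). The node dictionaries, the function names and
       the sort key used for unmatched nodes are constructed for
       illustration; the random choice among equally-sorting nodes is left
       out so the result is deterministic.

```python
import re

UNMATCHED = 2 ** 32  # assumed sort key for nodes that match no rule


def parse_read_affinity(value):
    """Parse 'r1z1=100, r1z2=200, r2=300' into (priority, region, zone) rules."""
    rules = []
    for piece in (p.strip() for p in value.split(",")):
        if not piece:
            continue
        m = re.fullmatch(r"r(\d+)(?:z(\d+))?=(\d+)", piece)
        if m is None:
            raise ValueError("invalid read_affinity entry: %r" % piece)
        region, zone, priority = m.groups()
        rules.append((int(priority), int(region),
                      None if zone is None else int(zone)))
    # Lower numbers are higher priority, so try those rules first.
    return sorted(rules, key=lambda rule: rule[0])


def affinity_key(node, rules):
    """Priority of the first rule matching the node's region (and zone, if given)."""
    for priority, region, zone in rules:
        if node["region"] == region and (zone is None or node["zone"] == zone):
            return priority
    return UNMATCHED


def order_nodes(nodes, value):
    """Return nodes in the order the affinity setting prefers them."""
    rules = parse_read_affinity(value)
    return sorted(nodes, key=lambda node: affinity_key(node, rules))


if __name__ == "__main__":
    # Constructed node list.
    nodes = [{"id": "a", "region": 3, "zone": 1},
             {"id": "b", "region": 2, "zone": 5},
             {"id": "c", "region": 1, "zone": 2},
             {"id": "d", "region": 1, "zone": 1}]
    ordered = order_nodes(nodes, "r1z1=100, r1z2=200, r2=300")
    print([n["id"] for n in ordered])
```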


DOCUMENTATION
       More in depth documentation about the swift-proxy-server and also
       OpenStack Swift as a whole can be found at
       http://swift.openstack.org/admin_guide.html and
       http://swift.openstack.org



ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+-----------------------+
       |ATTRIBUTE TYPE |   ATTRIBUTE VALUE     |
       +---------------+-----------------------+
       |Availability   | cloud/openstack/swift |
       +---------------+-----------------------+
       |Stability      | Uncommitted           |
       +---------------+-----------------------+



SEE ALSO
       swift-proxy-server(1)



NOTES
       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from
       https://tarballs.openstack.org/swift/swift-2.7.0.tar.gz

       Further information about this software can be found on the open source
       community website at http://www.openstack.org/.



OpenStack                          8/26/2011              proxy-server.conf(5)