<!DOCTYPE html> <html lang="en-US" itemscope itemtype="http://schema.org/Article"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- OneTrust Cookies Consent Notice start for konghq.com --> <script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="2c4de954-6bec-4e93-8086-64cb113f151a"> </script> <script type="text/javascript"> function OptanonWrapper() { } </script> <!-- OneTrust Cookies Consent Notice end for konghq.com --> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer', 'GTM-NL48VKT');</script> <!-- End Google Tag Manager --> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Configuration Reference for Kong Gateway - v3.8.x | Kong Docs</title> <meta name="description" content="Documentation for Kong, the Cloud Connectivity Company for APIs and Microservices."> <meta name="author" content="KongHQ"> <meta property="og:title" content="Configuration Reference for Kong Gateway - v3.8.x | Kong Docs"> <meta property="og:site_name" content="Kong Docs"> <!-- use share link for facebook --> <meta property="og:url" content="https://docs.konghq.com"> <meta property="og:description" content="Documentation for Kong, the Cloud Connectivity Company for APIs and Microservices."> <meta property="og:type" content="website"> <meta property="og:locale" content="en_US"> <meta property="og:image" content="https://docs.konghq.com/assets/images/share.png"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@thekonginc"> <meta name="twitter:creator" content="@thekonginc"> <meta name="twitter:url" content="https://docs.konghq.com"> <meta name="twitter:description" content="Documentation for Kong, the Cloud Connectivity Company for APIs and Microservices."> <meta name="twitter:image" content="https://docs.konghq.com/assets/images/share.png"> <meta property="fb:admins" content="227304446"> <meta property="fb:admins" content="576641408"> <meta name="google-site-verification" content="CrU3zp02dNKTe8NSAipL4NCPkrIjDXG8fViTZ-MIzP4"> <script type="application/ld+json"> { "@context": "http://schema.org", "@type": "Organization", "name": "KongHQ", "url": "https://docs.konghq.com", "logo": "https://docs.konghq.com/assets/images/logo.png", "sameAs": [ "https://www.facebook.com/konginc", "https://twitter.com/thekonginc", "https://plus.google.com/+mashape" ] } </script> <!-- Preload assets --> <link rel="dns-prefetch" href="https://cloud.typography.com"> <link rel="dns-prefetch" href="https://dev.visualwebsiteoptimizer.com"> <link rel="dns-prefetch" href="https://cdn.segment.com"> <link rel="icon" type="image/x-icon" href="/assets/images/favicon.ico"> <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@docsearch/css@3"> <link rel="canonical" href="https://docs.konghq.com/gateway/latest/reference/configuration/"> <link rel="alternate" hreflang="x-default" href="https://docs.konghq.com/gateway/3.8.x/reference/configuration/"> <link rel="alternate" hreflang="ja" href="https://docs.jp.konghq.com/gateway/3.8.x/reference/configuration/"> <meta name="robots" content="follow,noindex"> <!-- FontAwesome icon font --> <script src="https://kit.fontawesome.com/1332a92967.js" crossorigin="anonymous"> </script> <script src="/vite/assets/application-D8sXFsvE.js" crossorigin="anonymous" type="module"></script> <link href="/vite/assets/_commonjsHelpers-Cpj98o6Y.js" rel="modulepreload" as="script" crossorigin="anonymous"> <link rel="stylesheet" href="/vite/assets/application-C5Quk452.css" media="screen"> </head> <body id="" data-spy="scroll" data-target="#scroll-sidebar" data-offset="350"> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-NL48VKT" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) --> <header class="navbar-v2 closed"> <a class="skip-main" href="#main">Skip to content</a> <!-- uncomment the promo-banner div when adding a new promo banner--> <!--also uncomment the promo banner sections in app/assets/stylesheets/header.less and application.js--> <!-- <div id="promo-banner"> <div class="container"> <div class="closebanner"></div> <strong>2024 API Summit Hackathon: Experiment with API Innovation & AI. Submit by Sept 11 &nbsp;&mdash;<a href="https://konghq.com/conferences/kong-summit/hackathon?utm_medium=website&utm_source=docs-konghq-com&utm_campaign=docs-banner">Enter Now &rarr;</a> </strong> </div> </div> --> <div class="navbar-content"> <a href="https://konghq.com" class="navbar-brand col col-xl-auto" target="_blank" rel="noopener noreferrer"> <img src="/assets/images/logos/konglogo-dark-theme.svg" alt="Kong Logo" id="kong-logo"> </a> <span class="logo-divider">|</span> <a href="/" class="navbar-brand col col-xl-auto"> <img src="/assets/images/logos/docslogo-dark-theme.svg" alt="Kong Docs Logo" id="kong-docs-logo"> </a> <div class="separator mobile"></div> <div class="search-input-wrapper" id="getkong-algolia-search-input"> </div> <div class="search-results-wrapper"></div> <div class="navbar-items" role="navigation" aria-label="Main menu"> <ul class="navbar-items" role="menubar"> <li id="top-module-list" aria-haspopup="true" role="menuitem" aria-expanded="false" class="navbar-item main-menu-item with-submenu active"> <span tabindex="0" id="docs-link" class="main-menu-item-title">Docs</span> <span class="caret"></span> <ul class="navbar-item-submenu" role="menu"> <div class="submenu-section"> <li role="menuitem" class="docs-dropdown-li"> <a href="/api/" class="docs-dropdown-li__link" tabindex="-1"> <div class="docs-dropdown-li__card"> <span class="heading">Explore the API Specs</span> <div class="docs-dropdown-li__card-link"> <img src="/assets/images/landing-page/view-all-api-specs.png" alt="View all API Specs"> <span class="docs-dropdown-li__card-image"> View all API Specs <img src="/assets/images/landing-page/arrow-right.svg" alt="View all API Specs arrow image"> </span> </div> </div> </a> </li> <li role="menuitem" class="docs-dropdown-li" tabindex="-1"> <div class="docs-dropdown-li__section"> <div class="docs-dropdown-li__section-title"> <span class="heading">Documentation</span> </div> <div class="docs-dropdown-li__section-items"> <a class="item item-all" href="/api/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">API Specs</div> </div> </a> <a class="item" href="/gateway/latest/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Gateway</div> <div class="item__description-desc">Lightweight, fast, and flexible cloud-native API gateway</div> </div> </a> <a class="item" href="/konnect/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Konnect</div> <div class="item__description-desc">Single platform for SaaS end-to-end connectivity</div> </div> </a> <a class="item" href="/gateway/latest/ai-gateway/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong AI Gateway</div> <div class="item__description-desc">Multi-LLM AI Gateway for GenAI infrastructure</div> </div> </a> <a class="item" href="/mesh/latest/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Mesh</div> <div class="item__description-desc">Enterprise service mesh based on Kuma and Envoy</div> </div> </a> <a class="item" href="/deck/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">decK</div> <div class="item__description-desc">Helps manage Kong’s configuration in a declarative fashion</div> </div> </a> <a class="item" href="/kubernetes-ingress-controller/latest/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Ingress Controller</div> <div class="item__description-desc">Works inside a Kubernetes cluster and configures Kong to proxy traffic</div> </div> </a> <a class="item" href="/gateway-operator/latest/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">Kong Gateway Operator</div> <div class="item__description-desc">Manage your Kong deployments on Kubernetes using YAML Manifests</div> </div> </a> <a class="item" href="https://docs.insomnia.rest/" tabindex="-1" target="_blank" rel="noopener nofollow noreferrer "> <div class="item__description"> <div class="item__description-title">Insomnia</div> <div class="item__description-desc">Collaborative API development platform</div> </div> </a> </div> </div> </li> </div> </ul> </li> <li role="menuitem" aria-haspopup="true" aria-expanded="false" class="navbar-item main-menu-item with-submenu navbar-item-hub"> <span id="plugin-link" class="main-menu-item-title" tabindex="0">Plugin Hub</span> <span class="caret"></span> <ul class="navbar-item-submenu" role="menu"> <div class="submenu-section"> <li role="menuitem" class="docs-dropdown-li"> <a href="/hub/" class="docs-dropdown-li__link" tabindex="-1"> <div class="docs-dropdown-li__card"> <span class="heading">Explore the Plugin Hub</span> <div class="docs-dropdown-li__card-link"> <img src="/assets/images/landing-page/view-all-plugins.svg" alt="View all plugins"> <span class="docs-dropdown-li__card-image"> View all plugins <img src="/assets/images/landing-page/arrow-right.svg" alt="View all plugins arrow image"> </span> </div> </div> </a> </li> <li role="menuitem" class="docs-dropdown-li"> <div class="docs-dropdown-li__section"> <div class="docs-dropdown-li__section-title"> <span class="heading">Functionality</span> <a href="/hub/" class="view-all" tabindex="-1"> View all <img src="/assets/images/landing-page/arrow-right.svg" alt="View all arrow image"> </a> </div> <div class="docs-dropdown-li__section-items"> <a class="item item-all" href="/hub/" tabindex="-1"> <div class="item__description"> <div class="item__description-title">View all plugins</div> </div> </a> <a class="item" href="/hub/?category=ai" tabindex="-1"> <div> <img src="/assets/images/nav/hub/ai.svg" alt="AI's icon"> </div> <div class="item__description"> <div class="item__description-title">AI</div> <div class="item__description-desc">Govern, secure, and control AI traffic with multi-LLM AI Gateway plugins</div> </div> </a> <a class="item" href="/hub/?category=authentication" tabindex="-1"> <div> <img src="/assets/images/nav/hub/lock_person.svg" alt="Authentication's icon"> </div> <div class="item__description"> <div class="item__description-title">Authentication</div> <div class="item__description-desc">Protect your services with an authentication layer</div> </div> </a> <a class="item" href="/hub/?category=security" tabindex="-1"> <div> <img src="/assets/images/nav/hub/shield.svg" alt="Security's icon"> </div> <div class="item__description"> <div class="item__description-title">Security</div> <div class="item__description-desc">Protect your services with additional security layer</div> </div> </a> <a class="item" href="/hub/?category=traffic-control" tabindex="-1"> <div> <img src="/assets/images/nav/hub/route.svg" alt="Traffic Control's icon"> </div> <div class="item__description"> <div class="item__description-title">Traffic Control</div> <div class="item__description-desc">Manage, throttle and restrict inbound and outbound API traffic</div> </div> </a> <a class="item" href="/hub/?category=serverless" tabindex="-1"> <div> <img src="/assets/images/nav/hub/serverless.svg" alt="Serverless's icon"> </div> <div class="item__description"> <div class="item__description-title">Serverless</div> <div class="item__description-desc">Invoke serverless functions in combination with other plugins</div> </div> </a> <a class="item" href="/hub/?category=analytics-monitoring" tabindex="-1"> <div> <img src="/assets/images/nav/hub/bar_chart.svg" alt="Analytics &amp; Monitoring's icon"> </div> <div class="item__description"> <div class="item__description-title">Analytics &amp; Monitoring</div> <div class="item__description-desc">Visualize, inspect and monitor APIs and microservices traffic</div> </div> </a> <a class="item" href="/hub/?category=transformations" tabindex="-1"> <div> <img src="/assets/images/nav/hub/swap_horiz.svg" alt="Transformations's icon"> </div> <div class="item__description"> <div class="item__description-title">Transformations</div> <div class="item__description-desc">Transform request and responses on the fly on Kong</div> </div> </a> <a class="item" href="/hub/?category=logging" tabindex="-1"> <div> <img src="/assets/images/nav/hub/list_alt.svg" alt="Logging's icon"> </div> <div class="item__description"> <div class="item__description-title">Logging</div> <div class="item__description-desc">Log request and response data using the best transport for your infrastructure</div> </div> </a> </div> </div> </li> </div> </ul> </li> <li role="menuitem" class="main-menu-item"> <a href="https://support.konghq.com/" class="navbar-item" target="_blank" rel="noopener nofollow noreferrer ">Support</a> </li> <li role="menuitem" class="main-menu-item"> <a href="https://konghq.com/community/" class="navbar-item" target="_blank" rel="noopener noreferrer">Community</a> </li> <li role="menuitem" class="main-menu-item"> <a href="https://education.konghq.com" class="navbar-item" target="_blank" rel="noopener nofollow noreferrer ">Kong Academy</a> </li> </ul> <a id="top-cta" href="https://konghq.com/contact-sales?utm_source=docs.konghq.com" class="navbar-button" target="_blank" rel="noopener nofollow noreferrer "> Get a Demo </a> <a id="konnect-cta" href="https://konghq.com/products/kong-konnect/register?utm_medium=referral&amp;utm_source=docs&amp;utm_campaign=gateway-konnect&amp;utm_content=top-nav" class="navbar-button" target="_blank" rel="noopener nofollow noreferrer "> Start Free Trial </a> </div> <div id="navbar-menu-toggle-button" class="small-screen-button" aria-label="Toggle navigation"> <div></div> <div></div> <div></div> </div> </div> </header> <div class="page v2 " data-url="/gateway/3.8.x/reference/configuration/"> <div class="page--header-background page--header-background-doc"></div> <div class="container"> <header class="page-header page-header-doc"> <div class="page-header-product-version"> <div class="edition"> Kong Gateway </div> <div class="version"> 3.8.x </div> </div> <div class="page-header--nav"> <i class="sidebar-toggle"></i> <ul class="breadcrumbs"> <li class="breadcrumb-item"> <a href="/"> <img src="/assets/images/icons/hub-layout/icn-breadcrumbs.svg" alt="Home icon"> </a> </li> <li class="breadcrumb-item"> <a href="/gateway/3.8.x/">Kong Gateway</a> </li> <li class="breadcrumb-item"> Reference </li> <li class="breadcrumb-item"> <a href="/gateway/3.8.x/reference/configuration/">Configuration Reference for Kong Gateway</a> </li> </ul> <div class="github-links"> <div class="github-links--edit"> <a href="https://github.com/Kong/kong/edit/master/kong.conf.default" target="_blank" rel="noopener nofollow noreferrer "> <img src="/assets/images/icons/third-party/logo-github-white.svg" alt="github-edit-page">Edit this page </a> </div> <div class="github-links--issues"> <a href="https://github.com/Kong/docs.konghq.com/issues/" target="_blank" rel="noopener nofollow noreferrer "> <img src="/assets/images/icons/documentation/icn-monitoring-white.svg" alt="report-issue">Report an issue</a> </div> </div> </div> </header> <aside class="docs-sidebar"> <i class="fa fa-times close-sidebar"></i> <div class="sidebar-title-container"> <div class="docsets-dropdown dropdown"> <button class="dropdown-button" id="module-dropdown" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false" tabindex="0"> <span> Kong Gateway </span> <span class="caret"></span> </button> <ul class="dropdown-menu dropdown-menu-right with-submenu" id="module-list" role="menu" aria-labelledby="module-dropdown" aria-hidden="true"> <li role="menuitem" tabindex="-1" class="active"> <a href="/gateway/latest/" class="active">Kong Gateway</a> </li> <li role="menuitem" tabindex="-1"> <a href="/konnect/">Kong Konnect</a> </li> <li role="menuitem" tabindex="-1"> <a href="/mesh/latest/">Kong Mesh</a> </li> <li role="menuitem" tabindex="-1"> <a href="/hub/?category=ai">Kong AI Gateway</a> </li> <li role="menuitem" tabindex="-1"> <a href="/hub/">Plugin Hub</a> </li> <li role="menuitem" tabindex="-1"> <a href="/deck/">decK</a> </li> <li role="menuitem" tabindex="-1"> <a href="/kubernetes-ingress-controller/latest/">Kong Ingress Controller</a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway-operator/latest/">Kong Gateway Operator</a> </li> <li> <a href="https://docs.insomnia.rest/" target="_blank" rel="noopener nofollow noreferrer ">Insomnia</a> </li> <li role="menuitem" tabindex="-1"> <a href="https://kuma.io/docs/" target="_blank" rel="noopener nofollow noreferrer ">Kuma</a> </li> <hr> <li role="menuitem" tabindex="-1"> <a href="/contributing/">Docs contribution guidelines</a> </li> </ul> </div> <div class="versions-dropdown dropdown"> <button class="dropdown-button" id="version-dropdown" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false" tabindex="0"> <span> Version 3.8.x </span> <span class="caret"></span> </button> <ul class="dropdown-menu dropdown-menu-right" id="version-list" role="menu" aria-labelledby="version-dropdown" aria-hidden="true"> <li role="menuitem" tabindex="-1"> <a href="/gateway/unreleased/reference/configuration/" data-version-id="3.10.x"> <em>unreleased</em> </a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway/3.9.x/reference/configuration/" data-version-id="3.9.x"> 3.9.x <em>(latest)</em> </a> </li> <li class="active" role="menuitem" tabindex="-1"> <a href="/gateway/3.8.x/reference/configuration/" class="active" data-version-id="3.8.x"> 3.8.x </a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway/3.7.x/reference/configuration/" data-version-id="3.7.x"> 3.7.x </a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway/3.6.x/reference/configuration/" data-version-id="3.6.x"> 3.6.x </a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway/3.5.x/reference/configuration/" data-version-id="3.5.x"> 3.5.x </a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway/3.4.x/reference/configuration/" data-version-id="3.4.x"> 3.4.x (LTS) </a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway/3.3.x/reference/configuration/" data-version-id="3.3.x"> 3.3.x </a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway/3.2.x/reference/configuration/" data-version-id="3.2.x"> 3.2.x </a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway/3.1.x/reference/configuration/" data-version-id="3.1.x"> 3.1.x </a> </li> <li role="menuitem" tabindex="-1"> <a href="/gateway/2.8.x/reference/configuration/" data-version-id="2.8.x"> 2.8.x (LTS) </a> </li> <li role="menuitem" tabindex="-1"> <a href="https://legacy-gateway--kongdocs.netlify.app/" target="_blank" rel="noopener nofollow noreferrer "> Archive (3.0.x and pre-2.8.x) </a> </li> </ul> </div> </div> <ul class="sidebar-container" role="tree" aria-label="Documentation"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-1-introduction-subtree"> <img src="/assets/images/icons/documentation/icn-flag.svg" alt=""> Introduction <button class="sidebar-tree-toggle" aria-label="toggle Introduction subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-1-introduction-subtree" role="group" aria-label="Introduction"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/"> Overview of Kong Gateway </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-1-2-support-subtree"> Support <button class="sidebar-tree-toggle" aria-label="toggle Support subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-1-2-support-subtree" role="group" aria-label="Support"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/support-policy/"> Version Support Policy </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/support/third-party/"> Third Party Dependencies </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/support/browser/"> Browser Support </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/support/vulnerability-patching-process/"> Vulnerability Patching Process </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/support/sbom/"> Software Bill of Materials </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/stability/"> Stability </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/changelog/"> Release Notes </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-1-5-breaking-changes-subtree"> Breaking Changes <button class="sidebar-tree-toggle" aria-label="toggle Breaking Changes subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-1-5-breaking-changes-subtree" role="group" aria-label="Breaking Changes"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/"> Kong Gateway 3.8.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/37x/"> Kong Gateway 3.7.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/36x/"> Kong Gateway 3.6.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/35x/"> Kong Gateway 3.5.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/34x/"> Kong Gateway 3.4.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/33x/"> Kong Gateway 3.3.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/32x/"> Kong Gateway 3.2.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/31x/"> Kong Gateway 3.1.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/30x/"> Kong Gateway 3.0.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/breaking-changes/28x/"> Kong Gateway 2.8.x or earlier </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-1-6-key-concepts-subtree"> Key Concepts <button class="sidebar-tree-toggle" aria-label="toggle Key Concepts subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-1-6-key-concepts-subtree" role="group" aria-label="Key Concepts"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/key-concepts/services/"> Services </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/key-concepts/routes/"> Routes </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/key-concepts/consumers/"> Consumers </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/key-concepts/upstreams/"> Upstreams </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/key-concepts/plugins/"> Plugins </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/key-concepts/consumer-groups/"> Consumer Groups </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-1-7-how-kong-works-subtree"> How Kong Works <button class="sidebar-tree-toggle" aria-label="toggle How Kong Works subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-1-7-how-kong-works-subtree" role="group" aria-label="How Kong Works"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/how-kong-works/routing-traffic/"> Routing Traffic </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/how-kong-works/load-balancing/"> Load Balancing </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/how-kong-works/health-checks/"> Health Checks and Circuit Breakers </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/glossary/"> Glossary </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-2-get-started-with-kong-subtree"> <img src="/assets/images/icons/documentation/icn-learning.svg" alt=""> Get Started with Kong <button class="sidebar-tree-toggle" aria-label="toggle Get Started with Kong subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-2-get-started-with-kong-subtree" role="group" aria-label="Get Started with Kong"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/get-started/"> Get Kong </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/get-started/services-and-routes/"> Services and Routes </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/get-started/rate-limiting/"> Rate Limiting </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/get-started/proxy-caching/"> Proxy Caching </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/get-started/key-authentication/"> Key Authentication </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/get-started/load-balancing/"> Load-Balancing </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-3-install-kong-subtree"> <img src="/assets/images/icons/documentation/icn-deployment-color.svg" alt=""> Install Kong <button class="sidebar-tree-toggle" aria-label="toggle Install Kong subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-3-install-kong-subtree" role="group" aria-label="Install Kong"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-3-2-kubernetes-subtree"> Kubernetes <button class="sidebar-tree-toggle" aria-label="toggle Kubernetes subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-3-2-kubernetes-subtree" role="group" aria-label="Kubernetes"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/kubernetes/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/kubernetes/proxy/"> Install Kong Gateway </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/kubernetes/admin/"> Configure the Admin API </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/kubernetes/manager/"> Install Kong Manager </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-3-3-docker-subtree"> Docker <button class="sidebar-tree-toggle" aria-label="toggle Docker subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-3-3-docker-subtree" role="group" aria-label="Docker"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/docker/"> Using docker run </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/docker/build-custom-images/"> Build your own Docker images </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-3-4-linux-subtree"> Linux <button class="sidebar-tree-toggle" aria-label="toggle Linux subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-3-4-linux-subtree" role="group" aria-label="Linux"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/linux/amazon-linux/"> Amazon Linux </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/linux/debian/"> Debian </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/linux/rhel/"> Red Hat </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/linux/ubuntu/"> Ubuntu </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-3-5-post-installation-subtree"> Post-installation <button class="sidebar-tree-toggle" aria-label="toggle Post-installation subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-3-5-post-installation-subtree" role="group" aria-label="Post-installation"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/post-install/set-up-data-store/"> Set up a data store </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/post-install/enterprise-license/"> Apply Enterprise license </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/install/post-install/kong-manager/"> Enable Kong Manager </a> </span> </li> </ul> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-kong-in-production-subtree"> <img src="/assets/images/icons/documentation/icn-deployment-color.svg" alt=""> Kong in Production <button class="sidebar-tree-toggle" aria-label="toggle Kong in Production subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-kong-in-production-subtree" role="group" aria-label="Kong in Production"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-1-deployment-topologies-subtree"> Deployment Topologies <button class="sidebar-tree-toggle" aria-label="toggle Deployment Topologies subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-1-deployment-topologies-subtree" role="group" aria-label="Deployment Topologies"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/deployment-topologies/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/deployment-topologies/kubernetes/"> Kubernetes Topologies </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-1-3-hybrid-mode-subtree"> Hybrid Mode <button class="sidebar-tree-toggle" aria-label="toggle Hybrid Mode subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-1-3-hybrid-mode-subtree" role="group" aria-label="Hybrid Mode"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/deployment-topologies/hybrid-mode/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/deployment-topologies/hybrid-mode/setup/"> Deploy Kong Gateway in Hybrid mode </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/deployment-topologies/db-less-and-declarative-config/"> DB-less Deployment </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/deployment-topologies/traditional/"> Traditional </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-2-running-kong-subtree"> Running Kong <button class="sidebar-tree-toggle" aria-label="toggle Running Kong subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-2-running-kong-subtree" role="group" aria-label="Running Kong"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/running-kong/kong-user/"> Running Kong as a non-root user </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/running-kong/secure-admin-api/"> Securing the Admin API </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/running-kong/systemd/"> Using systemd </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-3-access-control-subtree"> Access Control <button class="sidebar-tree-toggle" aria-label="toggle Access Control subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-3-access-control-subtree" role="group" aria-label="Access Control"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/access-control/start-securely/"> Start Kong Gateway Securely </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/access-control/register-admin-api/"> Programatically Creating Admins </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/access-control/enable-rbac/"> Enabling RBAC </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-4-licenses-subtree"> Licenses <button class="sidebar-tree-toggle" aria-label="toggle Licenses subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-4-licenses-subtree" role="group" aria-label="Licenses"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/licenses/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/licenses/download/"> Download your License </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/licenses/deploy/"> Deploy Enterprise License </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/licenses/examples/"> Using the License API </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/licenses/report/"> Monitor Licenses Usage </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-5-networking-subtree"> Networking <button class="sidebar-tree-toggle" aria-label="toggle Networking subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-5-networking-subtree" role="group" aria-label="Networking"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/networking/default-ports/"> Default Ports </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/networking/dns-considerations/"> DNS Considerations </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/networking/firewall/"> Network and Firewall </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/networking/cp-dp-proxy/"> CP/DP Communication through a Forward Proxy </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-5-5-postgresql-tls-subtree"> PostgreSQL TLS <button class="sidebar-tree-toggle" aria-label="toggle PostgreSQL TLS subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-5-5-postgresql-tls-subtree" role="group" aria-label="PostgreSQL TLS"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/networking/configure-postgres-tls/"> Configure PostgreSQL TLS </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/networking/troubleshoot-postgres-tls/"> Troubleshooting PostgreSQL TLS </a> </span> </li> </ul> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/kong-conf/"> Kong Configuration File </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/environment-variables/"> Environment Variables </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/website-api-serving/"> Serving a Website and APIs from Kong </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-9-monitoring-subtree"> Monitoring <button class="sidebar-tree-toggle" aria-label="toggle Monitoring subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-9-monitoring-subtree" role="group" aria-label="Monitoring"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/monitoring/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/monitoring/prometheus/"> Prometheus </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/monitoring/statsd/"> StatsD </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/monitoring/datadog/"> Datadog </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/monitoring/healthcheck-probes/"> Health Check Probes </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/monitoring/ai-metrics/"> Expose and graph AI Metrics </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-10-tracing-subtree"> Tracing <button class="sidebar-tree-toggle" aria-label="toggle Tracing subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-10-tracing-subtree" role="group" aria-label="Tracing"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/tracing/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/tracing/write-custom-trace-exporter/"> Writing a Custom Trace Exporter </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/tracing/api/"> Tracing API Reference </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/sizing-guidelines/"> Resource Sizing Guidelines </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/blue-green/"> Blue-Green Deployments </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/canary/"> Canary Deployments </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/clustering/"> Clustering Reference </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-15-performance-subtree"> Performance <button class="sidebar-tree-toggle" aria-label="toggle Performance subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-15-performance-subtree" role="group" aria-label="Performance"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/performance/performance-testing/"> Performance Testing Benchmarks </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/performance/benchmark/"> Establish a Performance Benchmark </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/performance/brotli/"> Improve performance with Brotli compression </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-16-logging-and-debugging-subtree"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/logging/"> Logging and Debugging </a> <button class="sidebar-tree-toggle" aria-label="toggle Logging and Debugging subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-16-logging-and-debugging-subtree" role="group" aria-label="Logging and Debugging"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/logging/log-reference/"> Log Reference </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/logging/update-log-level-dynamically/"> Dynamic log level updates </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/logging/customize-gateway-logs/"> Customize Gateway Logs </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/debug-request/"> Debug Requests </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/logging/ai-analytics/"> AI Gateway Analytics </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/configuring-a-grpc-service/"> Configure a gRPC service </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/key-concepts/routes/expressions/"> Use the Expressions Router </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-19-upgrade-and-migration-subtree"> Upgrade and Migration <button class="sidebar-tree-toggle" aria-label="toggle Upgrade and Migration subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-19-upgrade-and-migration-subtree" role="group" aria-label="Upgrade and Migration"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/upgrade/"> Upgrading Kong Gateway 3.x.x </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/upgrade/backup-and-restore/"> Backup and Restore </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-4-19-3-upgrade-strategies-subtree"> Upgrade Strategies <button class="sidebar-tree-toggle" aria-label="toggle Upgrade Strategies subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-4-19-3-upgrade-strategies-subtree" role="group" aria-label="Upgrade Strategies"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/upgrade/dual-cluster/"> Dual-Cluster Upgrade </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/upgrade/in-place/"> In-Place Upgrade </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/upgrade/blue-green/"> Blue-Green Upgrade </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/upgrade/rolling-upgrade/"> Rolling Upgrade </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/upgrade/lts-upgrade/"> Upgrade from 2.8 LTS to 3.4 LTS </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/migrate-ce-to-ke/"> Migrate from OSS to Enterprise </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/migrate-cassandra-to-postgres/"> Migration Guidelines Cassandra to PostgreSQL </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/migrate-to-new-dns-client/"> Migrate to the new DNS client </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/production/breaking-changes/"> Breaking Changes </a> </span> </li> </ul> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-kong-gateway-enterprise-subtree"> <img src="/assets/images/icons/documentation/icn-enterprise-blue.svg" alt=""> Kong Gateway Enterprise <button class="sidebar-tree-toggle" aria-label="toggle Kong Gateway Enterprise subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-kong-gateway-enterprise-subtree" role="group" aria-label="Kong Gateway Enterprise"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-2-secrets-management-subtree"> Secrets Management <button class="sidebar-tree-toggle" aria-label="toggle Secrets Management subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-2-secrets-management-subtree" role="group" aria-label="Secrets Management"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/getting-started/"> Getting Started </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/secrets-rotation/"> Secrets Rotation </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/advanced-usage/"> Advanced Usage </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-2-5-backends-subtree"> Backends <button class="sidebar-tree-toggle" aria-label="toggle Backends subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-2-5-backends-subtree" role="group" aria-label="Backends"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/backends/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/backends/env/"> Environment Variables </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/backends/aws-sm/"> AWS Secrets Manager </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/backends/azure-key-vaults/"> Azure Key Vaults </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/backends/gcp-sm/"> Google Cloud Secret Manager </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/backends/hashicorp-vault/"> HashiCorp Vault </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-2-6-how-to-subtree"> How-To <button class="sidebar-tree-toggle" aria-label="toggle How-To subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-2-6-how-to-subtree" role="group" aria-label="How-To"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/how-to/aws-secrets-manager/"> Securing the Database with AWS Secrets Manager </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/secrets-management/reference-format/"> Reference Format </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-3-dynamic-plugin-ordering-subtree"> Dynamic Plugin Ordering <button class="sidebar-tree-toggle" aria-label="toggle Dynamic Plugin Ordering subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-3-dynamic-plugin-ordering-subtree" role="group" aria-label="Dynamic Plugin Ordering"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/plugin-ordering/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/plugin-ordering/get-started/"> Get Started with Dynamic Plugin Ordering </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/audit-log/"> Audit Logging </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/db-encryption/"> Keyring and Data Encryption </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/workspaces/"> Workspaces </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/consumer-groups/"> Consumer Groups </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/event-hooks/"> Event Hooks </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/cp-outage-handling/"> Configure Data Plane Resilience </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/cp-outage-handling-faq/"> About Control Plane Outage Management </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-5-11-fips-140-2-subtree"> FIPS 140-2 <button class="sidebar-tree-toggle" aria-label="toggle FIPS 140-2 subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-5-11-fips-140-2-subtree" role="group" aria-label="FIPS 140-2"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/fips-support/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/fips-support/install/"> Install the FIPS Compliant Package </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/fips-support/plugins/"> FIPS 140-2 Compliant Plugins </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/aws-iam-auth-to-rds-database/"> Authenticate your Kong Gateway Amazon RDS database with AWS IAM </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/signed-images/"> Verify Signatures for Signed Kong Images </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-enterprise/provenance-verification/"> Verify Build Provenance for Signed Kong Images </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-6-kong-ai-gateway-subtree"> <img src="/assets/images/icons/documentation/icn-ai.svg" alt=""> Kong AI Gateway <button class="sidebar-tree-toggle" aria-label="toggle Kong AI Gateway subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-6-kong-ai-gateway-subtree" role="group" aria-label="Kong AI Gateway"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/ai-gateway/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/get-started/ai-gateway/"> Get started with AI Gateway </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-6-3-llm-provider-integration-guides-subtree"> LLM Provider Integration Guides <button class="sidebar-tree-toggle" aria-label="toggle LLM Provider Integration Guides subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-6-3-llm-provider-integration-guides-subtree" role="group" aria-label="LLM Provider Integration Guides"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/openai/"> OpenAI </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/cohere/"> Cohere </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/azure/"> Azure </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/anthropic/"> Anthropic </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/mistral/"> Mistral </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/llama2/"> Llama2 </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/gemini/"> Vertex/Gemini </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy/how-to/llm-provider-integration-guides/bedrock/"> Amazon Bedrock </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/ai-gateway/ai-analytics/"> AI Gateway Analytics </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/ai-gateway/metrics/"> Expose and graph AI Metrics </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/kong-inc/ai-proxy-advanced/#load-balancing/"> AI Gateway Load Balancing </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/hub/?category=ai/"> AI Gateway plugins </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-7-kong-manager-subtree"> <img src="/assets/images/icons/documentation/icn-manager-color.svg" alt=""> Kong Manager <button class="sidebar-tree-toggle" aria-label="toggle Kong Manager subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-7-kong-manager-subtree" role="group" aria-label="Kong Manager"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/enable/"> Enable Kong Manager </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-7-3-get-started-with-kong-manager-subtree"> Get Started with Kong Manager <button class="sidebar-tree-toggle" aria-label="toggle Get Started with Kong Manager subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-7-3-get-started-with-kong-manager-subtree" role="group" aria-label="Get Started with Kong Manager"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/get-started/services-and-routes/"> Services and Routes </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/get-started/rate-limiting/"> Rate Limiting </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/get-started/proxy-caching/"> Proxy Caching </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/get-started/consumers/"> Authentication with Consumers </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/get-started/load-balancing/"> Load Balancing </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-7-4-authentication-and-authorization-subtree"> Authentication and Authorization <button class="sidebar-tree-toggle" aria-label="toggle Authentication and Authorization subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-7-4-authentication-and-authorization-subtree" role="group" aria-label="Authentication and Authorization"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/super-admin/"> Create a Super Admin </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/workspaces-and-teams/"> Workspaces and Teams </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/reset-password/"> Reset Passwords and RBAC Tokens </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/basic/"> Basic Auth </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-7-4-6-ldap-subtree"> LDAP <button class="sidebar-tree-toggle" aria-label="toggle LDAP subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-7-4-6-ldap-subtree" role="group" aria-label="LDAP"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/ldap/configure/"> Configure LDAP </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/ldap/service-directory-mapping/"> LDAP Service Directory Mapping </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-7-4-7-oidc-subtree"> OIDC <button class="sidebar-tree-toggle" aria-label="toggle OIDC subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-7-4-7-oidc-subtree" role="group" aria-label="OIDC"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/oidc/configure/"> Configure OIDC </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/oidc/mapping/"> OIDC Authenticated Group Mapping </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/oidc/migrate/"> Migrate from previous configurations </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/sessions/"> Sessions </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-7-4-9-rbac-subtree"> RBAC <button class="sidebar-tree-toggle" aria-label="toggle RBAC subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-7-4-9-rbac-subtree" role="group" aria-label="RBAC"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/rbac/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/rbac/enable/"> Enable RBAC </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/rbac/add-role/"> Add a Role and Permissions </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/rbac/add-user/"> Create a User </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/auth/rbac/add-admin/"> Create an Admin </a> </span> </li> </ul> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/networking/"> Networking Configuration </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/workspaces/"> Workspaces </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/consumer-groups/"> Create Consumer Groups </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/configuring-to-send-email/"> Sending Email </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-manager/troubleshoot/"> Troubleshoot </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-8-develop-custom-plugins-subtree"> <img src="/assets/images/icons/documentation/icn-dev-portal-color.svg" alt=""> Develop Custom Plugins <button class="sidebar-tree-toggle" aria-label="toggle Develop Custom Plugins subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-8-develop-custom-plugins-subtree" role="group" aria-label="Develop Custom Plugins"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-8-2-getting-started-subtree"> Getting Started <button class="sidebar-tree-toggle" aria-label="toggle Getting Started subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-8-2-getting-started-subtree" role="group" aria-label="Getting Started"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/get-started/"> Introduction </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/get-started/setup/"> Set up the Plugin Project </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/get-started/testing/"> Add Plugin Testing </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/get-started/config/"> Add Plugin Configuration </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/get-started/http/"> Consume External Services </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/get-started/deploy/"> Deploy Plugins </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/file-structure/"> File Structure </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/custom-logic/"> Implementing Custom Logic </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/configuration/"> Plugin Configuration </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/access-the-datastore/"> Accessing the Data Store </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/custom-entities/"> Storing Custom Entities </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/entities-cache/"> Caching Custom Entities </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/admin-api/"> Extending the Admin API </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/tests/"> Writing Tests </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/distribution/"> Installation and Distribution </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-8-12-proxy-wasm-filters-subtree"> Proxy-Wasm Filters <button class="sidebar-tree-toggle" aria-label="toggle Proxy-Wasm Filters subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-8-12-proxy-wasm-filters-subtree" role="group" aria-label="Proxy-Wasm Filters"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/wasm/filter-development-guide/"> Create a Proxy-Wasm Filter </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/wasm/filter-configuration/"> Proxy-Wasm Filter Configuration </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-8-13-plugin-development-kit-subtree"> Plugin Development Kit <button class="sidebar-tree-toggle" aria-label="toggle Plugin Development Kit subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-8-13-plugin-development-kit-subtree" role="group" aria-label="Plugin Development Kit"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.client/"> kong.client </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.client.tls/"> kong.client.tls </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.cluster/"> kong.cluster </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.ctx/"> kong.ctx </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.ip/"> kong.ip </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.jwe/"> kong.jwe </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.log/"> kong.log </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.nginx/"> kong.nginx </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.node/"> kong.node </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.plugin/"> kong.plugin </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.request/"> kong.request </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.response/"> kong.response </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.router/"> kong.router </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.service/"> kong.service </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.service.request/"> kong.service.request </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.service.response/"> kong.service.response </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.table/"> kong.table </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.telemetry.log/"> kong.telemetry.log </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.tracing/"> kong.tracing </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.vault/"> kong.vault </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.websocket.client/"> kong.websocket.client </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pdk/kong.websocket.upstream/"> kong.websocket.upstream </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-8-14-plugins-in-other-languages-subtree"> Plugins in Other Languages <button class="sidebar-tree-toggle" aria-label="toggle Plugins in Other Languages subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-8-14-plugins-in-other-languages-subtree" role="group" aria-label="Plugins in Other Languages"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pluginserver/go/"> Go </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pluginserver/javascript/"> Javascript </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pluginserver/python/"> Python </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pluginserver/plugins-kubernetes/"> Running Plugins in Containers </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/plugin-development/pluginserver/performance/"> External Plugin Performance </a> </span> </li> </ul> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-9-kong-plugins-subtree"> <img src="/assets/images/icons/documentation/icn-api-plugins-color.svg" alt=""> Kong Plugins <button class="sidebar-tree-toggle" aria-label="toggle Kong Plugins subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-9-kong-plugins-subtree" role="group" aria-label="Kong Plugins"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-plugins/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-plugins/authentication/reference/"> Authentication Reference </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-plugins/authentication/allowing-multiple-authentication-methods/"> Allow Multiple Authentication Plugins </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-9-4-plugin-queuing-subtree"> Plugin Queuing <button class="sidebar-tree-toggle" aria-label="toggle Plugin Queuing subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-9-4-plugin-queuing-subtree" role="group" aria-label="Plugin Queuing"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-plugins/queue/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/kong-plugins/queue/reference/"> Plugin Queuing Reference </a> </span> </li> </ul> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-10-admin-api-subtree"> <img src="/assets/images/icons/documentation/icn-admin-api-color.svg" alt=""> Admin API <button class="sidebar-tree-toggle" aria-label="toggle Admin API subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-10-admin-api-subtree" role="group" aria-label="Admin API"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/admin-api/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/admin-api/declarative-configuration/"> Declarative Configuration </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-10-3-enterprise-api-subtree"> Enterprise API <button class="sidebar-tree-toggle" aria-label="toggle Enterprise API subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-10-3-enterprise-api-subtree" role="group" aria-label="Enterprise API"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Information/get-endpoints/" target="_blank"> Information Routes </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Information/get-status/" target="_blank"> Health Routes </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/tags/get-tags/" target="_blank"> Tags </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/debug/put-debug-cluster-control-planes-nodes-log-level-log_level/" target="_blank"> Debug Routes </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Services/list-service/" target="_blank"> Services </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Routes/list-route/" target="_blank"> Routes </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Consumers/list-consumer/" target="_blank"> Consumers </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Plugins/list-plugins-with-consumer/" target="_blank"> Plugins </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Certificates/list-certificate/" target="_blank"> Certificates </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/CA%20Certificates/list-ca_certificate/" target="_blank"> CA Certificates </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/SNIs/list-sni-with-certificate/" target="_blank"> SNIs </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Upstreams/list-upstream/" target="_blank"> Upstreams </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Targets/list-target-with-upstream/" target="_blank"> Targets </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Vaults/list-vault/" target="_blank"> Vaults </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Keys/list-key/" target="_blank"> Keys </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/filter-chains/get-filter-chains/" target="_blank"> Filter Chains </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/licenses/get-licenses/" target="_blank"> Licenses </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Workspaces/list-workspace/" target="_blank"> Workspaces </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/rbac/get-rbac-users/" target="_blank"> RBAC </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/admins/get-admins/" target="_blank"> Admins </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/consumer_groups/" target="_blank"> Consumer Groups </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Event-hooks/get-event-hooks/" target="_blank"> Event Hooks </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/Keyring/get-keyring/" target="_blank"> Keyring and Data Encryption </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-ee/latest/#/audit-logs/get-audit-requests/" target="_blank"> Audit Logs </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/status/v1/" target="_blank"> Status API </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/api/admin-oss/latest/" target="_blank"> Open Source API </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-11-reference-subtree"> <img src="/assets/images/icons/documentation/icn-references-color.svg" alt=""> Reference <button class="sidebar-tree-toggle" aria-label="toggle Reference subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-11-reference-subtree" role="group" aria-label="Reference"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/configuration/"> kong.conf </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/nginx-directives/"> Injecting Nginx Directives </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/cli/"> CLI </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/key-management/"> Key Management </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label" aria-expanded="false" aria-owns="id-11-5-the-expressions-language-subtree"> The Expressions Language <button class="sidebar-tree-toggle" aria-label="toggle The Expressions Language subtree" tabindex="-1"> <i class="fa fa-chevron-down"></i> </button> </span> <ul class="items" id="id-11-5-the-expressions-language-subtree" role="group" aria-label="The Expressions Language"> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/expressions-language/"> Overview </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/expressions-language/language-references/"> Language References </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/expressions-language/performance/"> Performance Optimizations </a> </span> </li> </ul> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/rate-limiting/"> Rate Limiting Library </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/wasm/"> WebAssembly </a> </span> </li> <li class="sidebar-item" role="none"> <span role="treeitem" class="sidebar-label"> <a class="sidebar-link" tabindex="-1" href="/gateway/3.8.x/reference/faq/"> FAQ </a> </span> </li> </ul> </li> </ul> </aside> <aside class="docs-toc"> <i class="fa fa-times close-sidebar"></i> <i class="fa fa-chevron-right collapse-toc"></i> <i class="far fa-list-alt expand-toc"></i> <div id="oss-ee-toggle" data-current="Enterprise" style="display: none"> <span class="oss-ee-toggle-inner"> <img src="/assets/images/icons/icn-enterprise-black.svg" alt="enterprise-switcher-icon"> <span>Switch to <span id="switch-to-version">OSS</span></span> </span> </div> <div class="docs-toc-title"> <img src="/assets/images/icons/hub-layout/icn-on-this-page.svg" alt="On this page"><a href="#">On this page</a> </div> <ul> <li> <a href="#general-section" class="active scroll-to">General section</a> <ul> <li><a href="#prefix" class="scroll-to">prefix</a></li> <li><a href="#log_level" class="scroll-to">log_level</a></li> <li><a href="#proxy_access_log" class="scroll-to">proxy_access_log</a></li> <li><a href="#proxy_error_log" class="scroll-to">proxy_error_log</a></li> <li><a href="#proxy_stream_access_log" class="scroll-to">proxy_stream_access_log</a></li> <li><a href="#proxy_stream_error_log" class="scroll-to">proxy_stream_error_log</a></li> <li><a href="#admin_access_log" class="scroll-to">admin_access_log</a></li> <li><a href="#admin_error_log" class="scroll-to">admin_error_log</a></li> <li><a href="#status_access_log" class="scroll-to">status_access_log</a></li> <li><a href="#status_error_log" class="scroll-to">status_error_log</a></li> <li><a href="#debug_access_log" class="scroll-to">debug_access_log</a></li> <li><a href="#debug_error_log" class="scroll-to">debug_error_log</a></li> <li><a href="#vaults" class="scroll-to">vaults</a></li> <li><a href="#opentelemetry_tracing" class="scroll-to">opentelemetry_tracing</a></li> <li><a href="#tracing_instrumentations" class="scroll-to">tracing_instrumentations</a></li> <li><a href="#opentelemetry_tracing_sampling_rate" class="scroll-to">opentelemetry_tracing_sampling_rate</a></li> <li><a href="#tracing_sampling_rate" class="scroll-to">tracing_sampling_rate</a></li> <li><a href="#plugins" class="scroll-to">plugins</a></li> <li><a href="#dedicated_config_processing" class="scroll-to">dedicated_config_processing</a></li> <li><a href="#pluginserver_names" class="scroll-to">pluginserver_names</a></li> <li><a href="#pluginserver_xxx_socket" class="scroll-to">pluginserver_XXX_socket</a></li> <li><a href="#pluginserver_xxx_start_cmd" class="scroll-to">pluginserver_XXX_start_cmd</a></li> <li><a href="#pluginserver_xxx_query_cmd" class="scroll-to">pluginserver_XXX_query_cmd</a></li> <li><a href="#port_maps" class="scroll-to">port_maps</a></li> <li><a href="#anonymous_reports" class="scroll-to">anonymous_reports</a></li> <li><a href="#proxy_server" class="scroll-to">proxy_server</a></li> <li><a href="#proxy_server_ssl_verify" class="scroll-to">proxy_server_ssl_verify</a></li> <li><a href="#error_template_html" class="scroll-to">error_template_html</a></li> <li><a href="#error_template_json" class="scroll-to">error_template_json</a></li> <li><a href="#error_template_xml" class="scroll-to">error_template_xml</a></li> <li><a href="#error_template_plain" class="scroll-to">error_template_plain</a></li> </ul> </li> <li> <a href="#hybrid-mode-section" class="scroll-to">Hybrid Mode section</a> <ul> <li><a href="#role" class="scroll-to">role</a></li> <li><a href="#cluster_mtls" class="scroll-to">cluster_mtls</a></li> <li><a href="#cluster_cert" class="scroll-to">cluster_cert</a></li> <li><a href="#cluster_cert_key" class="scroll-to">cluster_cert_key</a></li> <li><a href="#cluster_ca_cert" class="scroll-to">cluster_ca_cert</a></li> <li><a href="#cluster_allowed_common_names" class="scroll-to">cluster_allowed_common_names</a></li> </ul> </li> <li> <a href="#hybrid-mode-data-plane-section" class="scroll-to">Hybrid Mode Data Plane section</a> <ul> <li><a href="#cluster_server_name" class="scroll-to">cluster_server_name</a></li> <li><a href="#cluster_control_plane" class="scroll-to">cluster_control_plane</a></li> <li><a href="#cluster_telemetry_endpoint" class="scroll-to">cluster_telemetry_endpoint</a></li> <li><a href="#cluster_telemetry_server_name" class="scroll-to">cluster_telemetry_server_name</a></li> <li><a href="#cluster_dp_labels" class="scroll-to">cluster_dp_labels</a></li> </ul> </li> <li> <a href="#hybrid-mode-control-plane-section" class="scroll-to">Hybrid Mode Control Plane section</a> <ul> <li><a href="#cluster_listen" class="scroll-to">cluster_listen</a></li> <li><a href="#cluster_telemetry_listen" class="scroll-to">cluster_telemetry_listen</a></li> <li><a href="#cluster_data_plane_purge_delay" class="scroll-to">cluster_data_plane_purge_delay</a></li> <li><a href="#cluster_ocsp" class="scroll-to">cluster_ocsp</a></li> <li><a href="#cluster_use_proxy" class="scroll-to">cluster_use_proxy</a></li> <li><a href="#cluster_max_payload" class="scroll-to">cluster_max_payload</a></li> </ul> </li> <li> <a href="#nginx-section" class="scroll-to">NGINX section</a> <ul> <li><a href="#proxy_listen" class="scroll-to">proxy_listen</a></li> <li><a href="#proxy_url" class="scroll-to">proxy_url</a></li> <li><a href="#stream_listen" class="scroll-to">stream_listen</a></li> <li><a href="#admin_api_uri" class="scroll-to">admin_api_uri</a></li> <li><a href="#admin_listen" class="scroll-to">admin_listen</a></li> <li><a href="#status_listen" class="scroll-to">status_listen</a></li> <li><a href="#debug_listen" class="scroll-to">debug_listen</a></li> <li><a href="#debug_listen_local" class="scroll-to">debug_listen_local</a></li> <li><a href="#nginx_user" class="scroll-to">nginx_user</a></li> <li><a href="#nginx_worker_processes" class="scroll-to">nginx_worker_processes</a></li> <li><a href="#nginx_daemon" class="scroll-to">nginx_daemon</a></li> <li><a href="#mem_cache_size" class="scroll-to">mem_cache_size</a></li> <li><a href="#ssl_cipher_suite" class="scroll-to">ssl_cipher_suite</a></li> <li><a href="#ssl_ciphers" class="scroll-to">ssl_ciphers</a></li> <li><a href="#ssl_protocols" class="scroll-to">ssl_protocols</a></li> <li><a href="#ssl_prefer_server_ciphers" class="scroll-to">ssl_prefer_server_ciphers</a></li> <li><a href="#ssl_dhparam" class="scroll-to">ssl_dhparam</a></li> <li><a href="#ssl_session_tickets" class="scroll-to">ssl_session_tickets</a></li> <li><a href="#ssl_session_timeout" class="scroll-to">ssl_session_timeout</a></li> <li><a href="#ssl_session_cache_size" class="scroll-to">ssl_session_cache_size</a></li> <li><a href="#ssl_cert" class="scroll-to">ssl_cert</a></li> <li><a href="#ssl_cert_key" class="scroll-to">ssl_cert_key</a></li> <li><a href="#client_ssl" class="scroll-to">client_ssl</a></li> <li><a href="#client_ssl_cert" class="scroll-to">client_ssl_cert</a></li> <li><a href="#client_ssl_cert_key" class="scroll-to">client_ssl_cert_key</a></li> <li><a href="#admin_ssl_cert" class="scroll-to">admin_ssl_cert</a></li> <li><a href="#admin_ssl_cert_key" class="scroll-to">admin_ssl_cert_key</a></li> <li><a href="#status_ssl_cert" class="scroll-to">status_ssl_cert</a></li> <li><a href="#status_ssl_cert_key" class="scroll-to">status_ssl_cert_key</a></li> <li><a href="#debug_ssl_cert" class="scroll-to">debug_ssl_cert</a></li> <li><a href="#debug_ssl_cert_key" class="scroll-to">debug_ssl_cert_key</a></li> <li><a href="#headers" class="scroll-to">headers</a></li> <li><a href="#headers_upstream" class="scroll-to">headers_upstream</a></li> <li><a href="#trusted_ips" class="scroll-to">trusted_ips</a></li> <li><a href="#real_ip_header" class="scroll-to">real_ip_header</a></li> <li><a href="#real_ip_recursive" class="scroll-to">real_ip_recursive</a></li> <li><a href="#error_default_type" class="scroll-to">error_default_type</a></li> <li><a href="#upstream_keepalive_pool_size" class="scroll-to">upstream_keepalive_pool_size</a></li> <li><a href="#upstream_keepalive_max_requests" class="scroll-to">upstream_keepalive_max_requests</a></li> <li><a href="#upstream_keepalive_idle_timeout" class="scroll-to">upstream_keepalive_idle_timeout</a></li> <li><a href="#allow_debug_header" class="scroll-to">allow_debug_header</a></li> </ul> </li> <li> <a href="#nginx-injected-directives-section" class="scroll-to">NGINX Injected Directives section</a> <ul> <li><a href="#nginx_main_worker_rlimit_nofile" class="scroll-to">nginx_main_worker_rlimit_nofile</a></li> <li><a href="#nginx_events_worker_connections" class="scroll-to">nginx_events_worker_connections</a></li> <li><a href="#nginx_http_client_header_buffer_size" class="scroll-to">nginx_http_client_header_buffer_size</a></li> <li><a href="#nginx_http_large_client_header_buffers" class="scroll-to">nginx_http_large_client_header_buffers</a></li> <li><a href="#nginx_http_client_max_body_size" class="scroll-to">nginx_http_client_max_body_size</a></li> <li><a href="#nginx_admin_client_max_body_size" class="scroll-to">nginx_admin_client_max_body_size</a></li> <li><a href="#nginx_http_charset" class="scroll-to">nginx_http_charset</a></li> <li><a href="#nginx_http_client_body_buffer_size" class="scroll-to">nginx_http_client_body_buffer_size</a></li> <li><a href="#nginx_admin_client_body_buffer_size" class="scroll-to">nginx_admin_client_body_buffer_size</a></li> <li><a href="#nginx_http_lua_regex_match_limit" class="scroll-to">nginx_http_lua_regex_match_limit</a></li> <li><a href="#nginx_http_lua_regex_cache_max_entries" class="scroll-to">nginx_http_lua_regex_cache_max_entries</a></li> <li><a href="#nginx_http_keepalive_requests" class="scroll-to">nginx_http_keepalive_requests</a></li> </ul> </li> <li> <a href="#datastore-section" class="scroll-to">Datastore section</a> <ul> <li><a href="#database" class="scroll-to">database</a></li> <li><a href="#postgres-settings" class="scroll-to">Postgres settings</a></li> <li><a href="#declarative_config" class="scroll-to">declarative_config</a></li> <li><a href="#declarative_config_string" class="scroll-to">declarative_config_string</a></li> <li><a href="#lmdb_environment_path" class="scroll-to">lmdb_environment_path</a></li> <li><a href="#lmdb_map_size" class="scroll-to">lmdb_map_size</a></li> </ul> </li> <li> <a href="#datastore-cache-section" class="scroll-to">Datastore Cache section</a> <ul> <li><a href="#db_update_frequency" class="scroll-to">db_update_frequency</a></li> <li><a href="#db_update_propagation" class="scroll-to">db_update_propagation</a></li> <li><a href="#db_cache_ttl" class="scroll-to">db_cache_ttl</a></li> <li><a href="#db_cache_neg_ttl" class="scroll-to">db_cache_neg_ttl</a></li> <li><a href="#db_resurrect_ttl" class="scroll-to">db_resurrect_ttl</a></li> <li><a href="#db_cache_warmup_entities" class="scroll-to">db_cache_warmup_entities</a></li> </ul> </li> <li> <a href="#dns-resolver-section" class="scroll-to">DNS Resolver section</a> <ul> <li><a href="#dns_resolver" class="scroll-to">dns_resolver</a></li> <li><a href="#dns_hostsfile" class="scroll-to">dns_hostsfile</a></li> <li><a href="#dns_order" class="scroll-to">dns_order</a></li> <li><a href="#dns_valid_ttl" class="scroll-to">dns_valid_ttl</a></li> <li><a href="#dns_stale_ttl" class="scroll-to">dns_stale_ttl</a></li> <li><a href="#dns_cache_size" class="scroll-to">dns_cache_size</a></li> <li><a href="#dns_not_found_ttl" class="scroll-to">dns_not_found_ttl</a></li> <li><a href="#dns_error_ttl" class="scroll-to">dns_error_ttl</a></li> <li><a href="#dns_no_sync" class="scroll-to">dns_no_sync</a></li> </ul> </li> <li> <a href="#new-dns-resolver-section" class="scroll-to">New DNS Resolver section</a> <ul> <li><a href="#new_dns_client" class="scroll-to">new_dns_client</a></li> <li><a href="#resolver_address" class="scroll-to">resolver_address</a></li> <li><a href="#resolver_hosts_file" class="scroll-to">resolver_hosts_file</a></li> <li><a href="#resolver_family" class="scroll-to">resolver_family</a></li> <li><a href="#resolver_valid_ttl" class="scroll-to">resolver_valid_ttl</a></li> <li><a href="#resolver_error_ttl" class="scroll-to">resolver_error_ttl</a></li> <li><a href="#resolver_stale_ttl" class="scroll-to">resolver_stale_ttl</a></li> <li><a href="#resolver_lru_cache_size" class="scroll-to">resolver_lru_cache_size</a></li> <li><a href="#resolver_mem_cache_size" class="scroll-to">resolver_mem_cache_size</a></li> </ul> </li> <li> <a href="#vaults-section" class="scroll-to">Vaults section</a> <ul> <li><a href="#vault_env_prefix" class="scroll-to">vault_env_prefix</a></li> <li><a href="#vault_aws_region" class="scroll-to">vault_aws_region</a></li> <li><a href="#vault_aws_endpoint_url" class="scroll-to">vault_aws_endpoint_url</a></li> <li><a href="#vault_aws_assume_role_arn" class="scroll-to">vault_aws_assume_role_arn</a></li> <li><a href="#vault_aws_role_session_name" class="scroll-to">vault_aws_role_session_name</a></li> <li><a href="#vault_aws_sts_endpoint_url" class="scroll-to">vault_aws_sts_endpoint_url</a></li> <li><a href="#vault_aws_ttl" class="scroll-to">vault_aws_ttl</a></li> <li><a href="#vault_aws_neg_ttl" class="scroll-to">vault_aws_neg_ttl</a></li> <li><a href="#vault_aws_resurrect_ttl" class="scroll-to">vault_aws_resurrect_ttl</a></li> <li><a href="#vault_gcp_project_id" class="scroll-to">vault_gcp_project_id</a></li> <li><a href="#vault_gcp_ttl" class="scroll-to">vault_gcp_ttl</a></li> <li><a href="#vault_gcp_neg_ttl" class="scroll-to">vault_gcp_neg_ttl</a></li> <li><a href="#vault_gcp_resurrect_ttl" class="scroll-to">vault_gcp_resurrect_ttl</a></li> <li><a href="#vault_hcv_protocol" class="scroll-to">vault_hcv_protocol</a></li> <li><a href="#vault_hcv_host" class="scroll-to">vault_hcv_host</a></li> <li><a href="#vault_hcv_port" class="scroll-to">vault_hcv_port</a></li> <li><a href="#vault_hcv_namespace" class="scroll-to">vault_hcv_namespace</a></li> <li><a href="#vault_hcv_mount" class="scroll-to">vault_hcv_mount</a></li> <li><a href="#vault_hcv_kv" class="scroll-to">vault_hcv_kv</a></li> <li><a href="#vault_hcv_token" class="scroll-to">vault_hcv_token</a></li> <li><a href="#vault_hcv_auth_method" class="scroll-to">vault_hcv_auth_method</a></li> <li><a href="#vault_hcv_kube_role" class="scroll-to">vault_hcv_kube_role</a></li> <li><a href="#vault_hcv_kube_auth_path" class="scroll-to">vault_hcv_kube_auth_path</a></li> <li><a href="#vault_hcv_kube_api_token_file" class="scroll-to">vault_hcv_kube_api_token_file</a></li> <li><a href="#vault_hcv_approle_auth_path" class="scroll-to">vault_hcv_approle_auth_path</a></li> <li><a href="#vault_hcv_approle_role_id" class="scroll-to">vault_hcv_approle_role_id</a></li> <li><a href="#vault_hcv_approle_secret_id" class="scroll-to">vault_hcv_approle_secret_id</a></li> <li><a href="#vault_hcv_approle_secret_id_file" class="scroll-to">vault_hcv_approle_secret_id_file</a></li> <li><a href="#vault_hcv_approle_response_wrapping" class="scroll-to">vault_hcv_approle_response_wrapping</a></li> <li><a href="#vault_hcv_ttl" class="scroll-to">vault_hcv_ttl</a></li> <li><a href="#vault_hcv_neg_ttl" class="scroll-to">vault_hcv_neg_ttl</a></li> <li><a href="#vault_hcv_resurrect_ttl" class="scroll-to">vault_hcv_resurrect_ttl</a></li> <li><a href="#vault_azure_vault_uri" class="scroll-to">vault_azure_vault_uri</a></li> <li><a href="#vault_azure_client_id" class="scroll-to">vault_azure_client_id</a></li> <li><a href="#vault_azure_tenant_id" class="scroll-to">vault_azure_tenant_id</a></li> <li><a href="#vault_azure_type" class="scroll-to">vault_azure_type</a></li> <li><a href="#vault_azure_ttl" class="scroll-to">vault_azure_ttl</a></li> <li><a href="#vault_azure_neg_ttl" class="scroll-to">vault_azure_neg_ttl</a></li> <li><a href="#vault_azure_resurrect_ttl" class="scroll-to">vault_azure_resurrect_ttl</a></li> </ul> </li> <li> <a href="#tuning--behavior-section" class="scroll-to">Tuning &amp; Behavior section</a> <ul> <li><a href="#worker_consistency" class="scroll-to">worker_consistency</a></li> <li><a href="#worker_state_update_frequency" class="scroll-to">worker_state_update_frequency</a></li> <li><a href="#router_flavor" class="scroll-to">router_flavor</a></li> <li><a href="#lua_max_req_headers" class="scroll-to">lua_max_req_headers</a></li> <li><a href="#lua_max_resp_headers" class="scroll-to">lua_max_resp_headers</a></li> <li><a href="#lua_max_uri_args" class="scroll-to">lua_max_uri_args</a></li> <li><a href="#lua_max_post_args" class="scroll-to">lua_max_post_args</a></li> </ul> </li> <li> <a href="#miscellaneous-section" class="scroll-to">Miscellaneous section</a> <ul> <li><a href="#lua_ssl_trusted_certificate" class="scroll-to">lua_ssl_trusted_certificate</a></li> <li><a href="#lua_ssl_verify_depth" class="scroll-to">lua_ssl_verify_depth</a></li> <li><a href="#lua_ssl_protocols" class="scroll-to">lua_ssl_protocols</a></li> <li><a href="#lua_package_path" class="scroll-to">lua_package_path</a></li> <li><a href="#lua_package_cpath" class="scroll-to">lua_package_cpath</a></li> <li><a href="#lua_socket_pool_size" class="scroll-to">lua_socket_pool_size</a></li> <li><a href="#enforce_rbac" class="scroll-to">enforce_rbac</a></li> <li><a href="#rbac_auth_header" class="scroll-to">rbac_auth_header</a></li> <li><a href="#event_hooks_enabled" class="scroll-to">event_hooks_enabled</a></li> <li><a href="#fips" class="scroll-to">fips</a></li> </ul> </li> <li> <a href="#kong-manager-section" class="scroll-to">Kong Manager section</a> <ul> <li><a href="#admin_gui_listen" class="scroll-to">admin_gui_listen</a></li> <li><a href="#admin_gui_url" class="scroll-to">admin_gui_url</a></li> <li><a href="#admin_gui_path" class="scroll-to">admin_gui_path</a></li> <li><a href="#admin_gui_api_url" class="scroll-to">admin_gui_api_url</a></li> <li><a href="#admin_gui_ssl_protocols" class="scroll-to">admin_gui_ssl_protocols</a></li> <li><a href="#admin_gui_ssl_cert" class="scroll-to">admin_gui_ssl_cert</a></li> <li><a href="#admin_gui_ssl_cert_key" class="scroll-to">admin_gui_ssl_cert_key</a></li> <li><a href="#admin_gui_flags" class="scroll-to">admin_gui_flags</a></li> <li><a href="#admin_gui_access_log" class="scroll-to">admin_gui_access_log</a></li> <li><a href="#admin_gui_error_log" class="scroll-to">admin_gui_error_log</a></li> <li><a href="#admin_gui_auth" class="scroll-to">admin_gui_auth</a></li> <li><a href="#admin_gui_auth_conf" class="scroll-to">admin_gui_auth_conf</a></li> <li><a href="#admin_gui_auth_password_complexity" class="scroll-to">admin_gui_auth_password_complexity</a></li> <li><a href="#admin_gui_session_conf" class="scroll-to">admin_gui_session_conf</a></li> <li><a href="#admin_gui_auth_header" class="scroll-to">admin_gui_auth_header</a></li> <li><a href="#admin_gui_auth_login_attempts" class="scroll-to">admin_gui_auth_login_attempts</a></li> <li><a href="#admin_gui_auth_change_password_attempts" class="scroll-to">admin_gui_auth_change_password_attempts</a></li> <li><a href="#admin_gui_auth_change_password_ttl" class="scroll-to">admin_gui_auth_change_password_ttl</a></li> <li><a href="#admin_gui_header_txt" class="scroll-to">admin_gui_header_txt</a></li> <li><a href="#admin_gui_header_bg_color" class="scroll-to">admin_gui_header_bg_color</a></li> <li><a href="#admin_gui_header_txt_color" class="scroll-to">admin_gui_header_txt_color</a></li> <li><a href="#admin_gui_footer_txt" class="scroll-to">admin_gui_footer_txt</a></li> <li><a href="#admin_gui_footer_bg_color" class="scroll-to">admin_gui_footer_bg_color</a></li> <li><a href="#admin_gui_footer_txt_color" class="scroll-to">admin_gui_footer_txt_color</a></li> <li><a href="#admin_gui_login_banner_title" class="scroll-to">admin_gui_login_banner_title</a></li> <li><a href="#admin_gui_login_banner_body" class="scroll-to">admin_gui_login_banner_body</a></li> </ul> </li> <li> <a href="#konnect-section" class="scroll-to">Konnect section</a> <ul> <li><a href="#konnect_mode" class="scroll-to">konnect_mode</a></li> </ul> </li> <li> <a href="#analytics-for-konnect-section" class="scroll-to">Analytics For Konnect section</a> <ul> <li><a href="#analytics_flush_interval" class="scroll-to">analytics_flush_interval</a></li> <li><a href="#analytics_buffer_size_limit" class="scroll-to">analytics_buffer_size_limit</a></li> <li><a href="#analytics_debug" class="scroll-to">analytics_debug</a></li> </ul> </li> <li> <a href="#admin-smtp-configuration-section" class="scroll-to">Admin Smtp Configuration section</a> <ul> <li><a href="#admin_emails_from" class="scroll-to">admin_emails_from</a></li> <li><a href="#admin_emails_reply_to" class="scroll-to">admin_emails_reply_to</a></li> <li><a href="#admin_invitation_expiry" class="scroll-to">admin_invitation_expiry</a></li> </ul> </li> <li> <a href="#general-smtp-configuration-section" class="scroll-to">General Smtp Configuration section</a> <ul> <li><a href="#smtp_mock" class="scroll-to">smtp_mock</a></li> <li><a href="#smtp_host" class="scroll-to">smtp_host</a></li> <li><a href="#smtp_port" class="scroll-to">smtp_port</a></li> <li><a href="#smtp_starttls" class="scroll-to">smtp_starttls</a></li> <li><a href="#smtp_username" class="scroll-to">smtp_username</a></li> <li><a href="#smtp_password" class="scroll-to">smtp_password</a></li> <li><a href="#smtp_ssl" class="scroll-to">smtp_ssl</a></li> <li><a href="#smtp_auth_type" class="scroll-to">smtp_auth_type</a></li> <li><a href="#smtp_domain" class="scroll-to">smtp_domain</a></li> <li><a href="#smtp_timeout_connect" class="scroll-to">smtp_timeout_connect</a></li> <li><a href="#smtp_timeout_send" class="scroll-to">smtp_timeout_send</a></li> <li><a href="#smtp_timeout_read" class="scroll-to">smtp_timeout_read</a></li> <li><a href="#smtp_admin_emails" class="scroll-to">smtp_admin_emails</a></li> </ul> </li> <li> <a href="#data--admin-audit-section" class="scroll-to">Data &amp; Admin Audit section</a> <ul> <li><a href="#audit_log" class="scroll-to">audit_log</a></li> <li><a href="#audit_log_ignore_methods" class="scroll-to">audit_log_ignore_methods</a></li> <li><a href="#audit_log_ignore_paths" class="scroll-to">audit_log_ignore_paths</a></li> <li><a href="#audit_log_ignore_tables" class="scroll-to">audit_log_ignore_tables</a></li> <li><a href="#audit_log_payload_exclude" class="scroll-to">audit_log_payload_exclude</a></li> <li><a href="#audit_log_record_ttl" class="scroll-to">audit_log_record_ttl</a></li> <li><a href="#audit_log_signing_key" class="scroll-to">audit_log_signing_key</a></li> </ul> </li> <li> <a href="#route-collision-detectionprevention-section" class="scroll-to">Route Collision Detection/Prevention section</a> <ul> <li><a href="#route_validation_strategy" class="scroll-to">route_validation_strategy</a></li> <li><a href="#enforce_route_path_pattern" class="scroll-to">enforce_route_path_pattern</a></li> </ul> </li> <li> <a href="#database-encryption--keyring-management-section" class="scroll-to">Database Encryption &amp; Keyring Management section</a> <ul> <li><a href="#keyring_enabled" class="scroll-to">keyring_enabled</a></li> <li><a href="#keyring_strategy" class="scroll-to">keyring_strategy</a></li> <li><a href="#keyring_public_key" class="scroll-to">keyring_public_key</a></li> <li><a href="#keyring_private_key" class="scroll-to">keyring_private_key</a></li> <li><a href="#keyring_recovery_public_key" class="scroll-to">keyring_recovery_public_key</a></li> <li><a href="#keyring_blob_path" class="scroll-to">keyring_blob_path</a></li> <li><a href="#keyring_vault_host" class="scroll-to">keyring_vault_host</a></li> <li><a href="#keyring_vault_mount" class="scroll-to">keyring_vault_mount</a></li> <li><a href="#keyring_vault_path" class="scroll-to">keyring_vault_path</a></li> <li><a href="#keyring_vault_auth_method" class="scroll-to">keyring_vault_auth_method</a></li> <li><a href="#keyring_vault_token" class="scroll-to">keyring_vault_token</a></li> <li><a href="#keyring_vault_kube_role" class="scroll-to">keyring_vault_kube_role</a></li> <li><a href="#keyring_vault_kube_api_token_file" class="scroll-to">keyring_vault_kube_api_token_file</a></li> <li><a href="#keyring_encrypt_license" class="scroll-to">keyring_encrypt_license</a></li> <li><a href="#untrusted_lua" class="scroll-to">untrusted_lua</a></li> <li><a href="#untrusted_lua_sandbox_requires" class="scroll-to">untrusted_lua_sandbox_requires</a></li> <li><a href="#untrusted_lua_sandbox_environment" class="scroll-to">untrusted_lua_sandbox_environment</a></li> <li><a href="#openresty_path" class="scroll-to">openresty_path</a></li> <li><a href="#node_id" class="scroll-to">node_id</a></li> </ul> </li> <li> <a href="#cluster-fallback-configuration-section" class="scroll-to">Cluster Fallback Configuration section</a> <ul> <li><a href="#cluster_fallback_config_import" class="scroll-to">cluster_fallback_config_import</a></li> <li><a href="#cluster_fallback_config_storage" class="scroll-to">cluster_fallback_config_storage</a></li> <li><a href="#cluster_fallback_export_s3_config" class="scroll-to">cluster_fallback_export_s3_config</a></li> <li><a href="#cluster_fallback_config_export" class="scroll-to">cluster_fallback_config_export</a></li> <li><a href="#cluster_fallback_config_export_delay" class="scroll-to">cluster_fallback_config_export_delay</a></li> </ul> </li> <li> <a href="#webassembly-wasm-section" class="scroll-to">Webassembly (Wasm) section</a> <ul> <li><a href="#wasm" class="scroll-to">wasm</a></li> <li><a href="#wasm_filters_path" class="scroll-to">wasm_filters_path</a></li> <li><a href="#wasm_filters" class="scroll-to">wasm_filters</a></li> </ul> </li> <li><a href="#wasm-injected-directives-section" class="scroll-to">Wasm Injected Directives section</a></li> <li> <a href="#request-debugging-section" class="scroll-to">Request Debugging section</a> <ul> <li><a href="#request_debug" class="scroll-to">request_debug</a></li> <li><a href="#request_debug_token" class="scroll-to">request_debug_token</a></li> </ul> </li> </ul> </aside> <div class="page-content-container page-content-container-doc v2 " id="documentation"> <div class="toggles "> <i class="far fa-list-alt toc-sidebar-toggle"></i> </div> <div class="page-content"> <div class="content show-anchor-links"> <blockquote id="version-notice" class="important"> You are browsing documentation for an older version. See the <a href="/gateway/latest/reference/configuration/">latest documentation here</a>. </blockquote> <h1 tabindex="-1" id="main" class="page-content-title">Configuration Reference for Kong Gateway </h1> <!-- vale off --> <p>Reference for Kong Gateway configuration parameters. Set these parameters in <code class="language-plaintext highlighter-rouge">kong.conf</code>.</p> <p>To learn more about the <code class="language-plaintext highlighter-rouge">kong.conf</code> file, see the guide on using the <a href="/gateway/3.8.x/production/kong-conf/">Kong Configuration File</a>.</p> <p>You can also manage all Kong Gateway configuration parameters using <a href="/gateway/3.8.x/production/environment-variables/">environment variables</a>.</p> <hr> <h2 id="general-section">General section</h2> <h3 id="prefix">prefix</h3> <p>Working directory. Equivalent to Nginx’s prefix path, containing temporary files and logs.</p> <p>Each Kong process must have a separate working directory.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">/usr/local/kong/</code></p> <h3 id="log_level">log_level</h3> <p>Log level of the Nginx server. Logs are found at <code class="language-plaintext highlighter-rouge">&lt;prefix&gt;/logs/error.log</code>.</p> <p>See http://nginx.org/en/docs/ngx_core_module.html#error_log for a list of accepted values.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">notice</code></p> <h3 id="proxy_access_log">proxy_access_log</h3> <p>Path for proxy port request access logs. Set this value to <code class="language-plaintext highlighter-rouge">off</code> to disable logging proxy requests.</p> <p>If this value is a relative path, it will be placed under the <code class="language-plaintext highlighter-rouge">prefix</code> location.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/access.log</code></p> <h3 id="proxy_error_log">proxy_error_log</h3> <p>Path for proxy port request error logs.</p> <p>The granularity of these logs is adjusted by the <code class="language-plaintext highlighter-rouge">log_level</code> property.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/error.log</code></p> <h3 id="proxy_stream_access_log">proxy_stream_access_log</h3> <p>Path for TCP streams proxy port access logs.</p> <p>Set to <code class="language-plaintext highlighter-rouge">off</code> to disable logging proxy requests.</p> <p>If this value is a relative path, it will be placed under the <code class="language-plaintext highlighter-rouge">prefix</code> location.</p> <p><code class="language-plaintext highlighter-rouge">basic</code> is defined as <code class="language-plaintext highlighter-rouge">'$remote_addr [$time_local] ' '$protocol $status $bytes_sent $bytes_received ' '$session_time'</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/access.log basic</code></p> <h3 id="proxy_stream_error_log">proxy_stream_error_log</h3> <p>Path for tcp streams proxy port request error logs. The granularity of these logs is adjusted by the <code class="language-plaintext highlighter-rouge">log_level</code> property.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/error.log</code></p> <h3 id="admin_access_log">admin_access_log</h3> <p>Path for Admin API request access logs.</p> <p>If hybrid mode is enabled and the current node is set to be the control plane, then the connection requests from data planes are also written to this file with server name “kong_cluster_listener”.</p> <p>Set this value to <code class="language-plaintext highlighter-rouge">off</code> to disable logging Admin API requests.</p> <p>If this value is a relative path, it will be placed under the <code class="language-plaintext highlighter-rouge">prefix</code> location.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/admin_access.log</code></p> <h3 id="admin_error_log">admin_error_log</h3> <p>Path for Admin API request error logs.</p> <p>The granularity of these logs is adjusted by the <code class="language-plaintext highlighter-rouge">log_level</code> property.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/error.log</code></p> <h3 id="status_access_log">status_access_log</h3> <p>Path for Status API request access logs.</p> <p>The default value of <code class="language-plaintext highlighter-rouge">off</code> implies that logging for this API is disabled by default.</p> <p>If this value is a relative path, it will be placed under the <code class="language-plaintext highlighter-rouge">prefix</code> location.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="status_error_log">status_error_log</h3> <p>Path for Status API request error logs.</p> <p>The granularity of these logs is adjusted by the <code class="language-plaintext highlighter-rouge">log_level</code> property.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/status_error.log</code></p> <h3 class="badge enterprise" id="debug_access_log">debug_access_log</h3> <p>Path for Debug API request access logs. The default value <code class="language-plaintext highlighter-rouge">off</code> implies that logging for this API is disabled by default.</p> <p>If this value is a relative path, it will be placed under the <code class="language-plaintext highlighter-rouge">prefix</code> location.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 class="badge enterprise" id="debug_error_log">debug_error_log</h3> <p>Path for Debug API request error logs. The granularity of these logs is adjusted using the <code class="language-plaintext highlighter-rouge">log_level</code> property.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/debug_error.log</code></p> <h3 id="vaults">vaults</h3> <p>Comma-separated list of vaults this node should load.</p> <p>By default, all the bundled vaults are enabled.</p> <p>The specified name(s) will be substituted as such in the Lua namespace: <code class="language-plaintext highlighter-rouge">kong.vaults.{name}.*</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">bundled</code></p> <h3 id="opentelemetry_tracing">opentelemetry_tracing</h3> <p>Deprecated: use <code class="language-plaintext highlighter-rouge">tracing_instrumentations</code> instead.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="tracing_instrumentations">tracing_instrumentations</h3> <p>Comma-separated list of tracing instrumentations this node should load.</p> <p>By default, no instrumentations are enabled.</p> <p>Valid values for this setting are:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">off</code>: do not enable instrumentations.</li> <li> <code class="language-plaintext highlighter-rouge">request</code>: only enable request-level instrumentations.</li> <li> <code class="language-plaintext highlighter-rouge">all</code>: enable all the following instrumentations.</li> <li> <code class="language-plaintext highlighter-rouge">db_query</code>: trace database queries.</li> <li> <code class="language-plaintext highlighter-rouge">dns_query</code>: trace DNS queries.</li> <li> <code class="language-plaintext highlighter-rouge">router</code>: trace router execution, including router rebuilding.</li> <li> <code class="language-plaintext highlighter-rouge">http_client</code>: trace OpenResty HTTP client requests.</li> <li> <code class="language-plaintext highlighter-rouge">balancer</code>: trace balancer retries.</li> <li> <code class="language-plaintext highlighter-rouge">plugin_rewrite</code>: trace plugin iterator execution with rewrite phase.</li> <li> <code class="language-plaintext highlighter-rouge">plugin_access</code>: trace plugin iterator execution with access phase.</li> <li> <code class="language-plaintext highlighter-rouge">plugin_header_filter</code>: trace plugin iterator execution with header_filter phase.</li> </ul> <p><strong>Note:</strong> In the current implementation, tracing instrumentations are not enabled in stream mode.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="opentelemetry_tracing_sampling_rate">opentelemetry_tracing_sampling_rate</h3> <p>Deprecated: use <code class="language-plaintext highlighter-rouge">tracing_sampling_rate</code> instead.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">1.0</code></p> <h3 id="tracing_sampling_rate">tracing_sampling_rate</h3> <p>Tracing instrumentation sampling rate.</p> <p>Tracer samples a fixed percentage of all spans following the sampling rate.</p> <p>Example: <code class="language-plaintext highlighter-rouge">0.25</code>, this accounts for 25% of all traces.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0.01</code></p> <h3 id="plugins">plugins</h3> <p>Comma-separated list of plugins this node should load.</p> <p>By default, only plugins bundled in official distributions are loaded via the <code class="language-plaintext highlighter-rouge">bundled</code> keyword.</p> <p>Loading a plugin does not enable it by default, but only instructs Kong to load its source code and allows configuration via the various related Admin API endpoints.</p> <p>The specified name(s) will be substituted as such in the Lua namespace: <code class="language-plaintext highlighter-rouge">kong.plugins.{name}.*</code>.</p> <p>When the <code class="language-plaintext highlighter-rouge">off</code> keyword is specified as the only value, no plugins will be loaded.</p> <p><code class="language-plaintext highlighter-rouge">bundled</code> and plugin names can be mixed together, as the following examples suggest:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">plugins = bundled,custom-auth,custom-log</code> will include the bundled plugins plus two custom ones.</li> <li> <code class="language-plaintext highlighter-rouge">plugins = custom-auth,custom-log</code> will <em>only</em> include the <code class="language-plaintext highlighter-rouge">custom-auth</code> and <code class="language-plaintext highlighter-rouge">custom-log</code> plugins.</li> <li> <code class="language-plaintext highlighter-rouge">plugins = off</code> will not include any plugins.</li> </ul> <p><strong>Note:</strong> Kong will not start if some plugins were previously configured (i.e. have rows in the database) and are not specified in this list. Before disabling a plugin, ensure all instances of it are removed before restarting Kong.</p> <p><strong>Note:</strong> Limiting the amount of available plugins can improve P99 latency when experiencing LRU churning in the database cache (i.e. when the configured <code class="language-plaintext highlighter-rouge">mem_cache_size</code>) is full.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">bundled</code></p> <h3 id="dedicated_config_processing">dedicated_config_processing</h3> <p>Enables or disables a special worker process for configuration processing. This process increases memory usage a little bit while allowing to reduce latencies by moving some background tasks, such as CP/DP connection handling, to an additional worker process specific to handling these background tasks.</p> <p>Currently this has effect only on data planes.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">on</code></p> <h3 id="pluginserver_names">pluginserver_names</h3> <p>Comma-separated list of names for pluginserver processes. The actual names are used for log messages and to relate the actual settings.</p> <p><strong>Default:</strong> none</p> <h3 id="pluginserver_xxx_socket">pluginserver_XXX_socket</h3> <p>Path to the unix socket used by the <xxx> pluginserver.</xxx></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">&lt;prefix&gt;/&lt;XXX&gt;.socket</code></p> <h3 id="pluginserver_xxx_start_cmd">pluginserver_XXX_start_cmd</h3> <p>Full command (including any needed arguments) to start the <xxx> pluginserver</xxx></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">/usr/local/bin/&lt;XXX&gt;</code></p> <h3 id="pluginserver_xxx_query_cmd">pluginserver_XXX_query_cmd</h3> <p>Full command to “query” the <xxx> pluginserver. Should produce a JSON with the dump info of all plugins it manages</xxx></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">/usr/local/bin/query_&lt;XXX&gt;</code></p> <h3 id="port_maps">port_maps</h3> <p>With this configuration parameter, you can let Kong Gateway know the port from which the packets are forwarded to it. This is fairly common when running Kong in a containerized or virtualized environment.</p> <p>For example, <code class="language-plaintext highlighter-rouge">port_maps=80:8000, 443:8443</code> instructs Kong that the port 80 is mapped to 8000 (and the port 443 to 8443), where 8000 and 8443 are the ports that Kong is listening to.</p> <p>This parameter helps Kong set a proper forwarded upstream HTTP request header or to get the proper forwarded port with the Kong PDK (in case other means determining it has failed). It changes routing by a destination port to route by a port from which packets are forwarded to Kong, and similarly it changes the default plugin log serializer to use the port according to this mapping instead of reporting the port Kong is listening to.</p> <p><strong>Default:</strong> none</p> <h3 id="anonymous_reports">anonymous_reports</h3> <p>Send anonymous usage data such as error stack traces to help improve Kong.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">on</code></p> <h3 id="proxy_server">proxy_server</h3> <p>Proxy server defined as an encoded URL. Kong will only use this option if a component is explicitly configured to use a proxy.</p> <p><strong>Default:</strong> none</p> <h3 id="proxy_server_ssl_verify">proxy_server_ssl_verify</h3> <p>Toggles server certificate verification if <code class="language-plaintext highlighter-rouge">proxy_server</code> is in HTTPS.</p> <p>See the <code class="language-plaintext highlighter-rouge">lua_ssl_trusted_certificate</code> setting to specify a certificate authority.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="error_template_html">error_template_html</h3> <p>Path to the custom html error template to override the default html kong error template.</p> <p>The template may contain up to two <code class="language-plaintext highlighter-rouge">%s</code> placeholders. The first one will expand to the error message. The second one will expand to the request ID. Both placeholders are optional, but recommended.</p> <p>Adding more than two placeholders will result in a runtime error when trying to render the template:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;html&gt; &lt;body&gt; &lt;h1&gt;My custom error template&lt;/h1&gt; &lt;p&gt;error: %s&lt;/p&gt; &lt;p&gt;request_id: %s&lt;/p&gt; &lt;/body&gt; &lt;/html&gt; </code></pre></div></div> <p><strong>Default:</strong> none</p> <h3 id="error_template_json">error_template_json</h3> <p>Path to the custom json error template to override the default json kong error template.</p> <p>Similarly to <code class="language-plaintext highlighter-rouge">error_template_html</code>, the template may contain up to two <code class="language-plaintext highlighter-rouge">%s</code> placeholders for the error message and the request ID respectively.</p> <p><strong>Default:</strong> none</p> <h3 id="error_template_xml">error_template_xml</h3> <p>Path to the custom xml error template to override the default xml kong error template</p> <p>Similarly to <code class="language-plaintext highlighter-rouge">error_template_html</code>, the template may contain up to two <code class="language-plaintext highlighter-rouge">%s</code> placeholders for the error message and the request ID respectively.</p> <p><strong>Default:</strong> none</p> <h3 id="error_template_plain">error_template_plain</h3> <p>Path to the custom plain error template to override the default plain kong error template</p> <p>Similarly to <code class="language-plaintext highlighter-rouge">error_template_html</code>, the template may contain up to two <code class="language-plaintext highlighter-rouge">%s</code> placeholders for the error message and the request ID respectively.</p> <p><strong>Default:</strong> none</p> <hr> <h2 id="hybrid-mode-section">Hybrid Mode section</h2> <h3 id="role">role</h3> <p>Use this setting to enable hybrid mode, This allows running some Kong nodes in a control plane role with a database and have them deliver configuration updates to other nodes running to DB-less running in a data plane role.</p> <p>Valid values for this setting are:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">traditional</code>: do not use hybrid mode.</li> <li> <code class="language-plaintext highlighter-rouge">control_plane</code>: this node runs in a control plane role. It can use a database and will deliver configuration updates to data plane nodes.</li> <li> <code class="language-plaintext highlighter-rouge">data_plane</code>: this is a data plane node. It runs DB-less and receives configuration updates from a control plane node.</li> </ul> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">traditional</code></p> <h3 id="cluster_mtls">cluster_mtls</h3> <p>Sets the verification method between nodes of the cluster.</p> <p>Valid values for this setting are:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">shared</code>: use a shared certificate/key pair specified with the <code class="language-plaintext highlighter-rouge">cluster_cert</code> and <code class="language-plaintext highlighter-rouge">cluster_cert_key</code> settings. Note that CP and DP nodes must present the same certificate to establish mTLS connections.</li> <li> <code class="language-plaintext highlighter-rouge">pki</code>: use <code class="language-plaintext highlighter-rouge">cluster_ca_cert</code>, <code class="language-plaintext highlighter-rouge">cluster_server_name</code>, and <code class="language-plaintext highlighter-rouge">cluster_cert</code> for verification. These are different certificates for each DP node, but issued by a cluster-wide common CA certificate: <code class="language-plaintext highlighter-rouge">cluster_ca_cert</code>.</li> <li> <code class="language-plaintext highlighter-rouge">pki_check_cn</code>: similar to <code class="language-plaintext highlighter-rouge">pki</code> but additionally checks for the common name of the data plane certificate specified in <code class="language-plaintext highlighter-rouge">cluster_allowed_common_names</code>.</li> </ul> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">shared</code></p> <h3 id="cluster_cert">cluster_cert</h3> <p>Cluster certificate to use when establishing secure communication between control and data plane nodes.</p> <p>You can use the <code class="language-plaintext highlighter-rouge">kong hybrid</code> command to generate the certificate/key pair.</p> <p>Under <code class="language-plaintext highlighter-rouge">shared</code> mode, it must be the same for all nodes.</p> <p>Under <code class="language-plaintext highlighter-rouge">pki</code> mode, it should be a different certificate for each DP node.</p> <p>The certificate can be configured on this property with any of the following values:</p> <ul> <li>absolute path to the certificate</li> <li>certificate content</li> <li>base64 encoded certificate content</li> </ul> <p><strong>Default:</strong> none</p> <h3 id="cluster_cert_key">cluster_cert_key</h3> <p>Cluster certificate key to use when establishing secure communication between control and data plane nodes.</p> <p>You can use the <code class="language-plaintext highlighter-rouge">kong hybrid</code> command to generate the certificate/key pair.</p> <p>Under <code class="language-plaintext highlighter-rouge">shared</code> mode, it must be the same for all nodes. Under <code class="language-plaintext highlighter-rouge">pki</code> mode it should be a different certificate for each DP node.</p> <p>The certificate key can be configured on this property with either of the following values:</p> <ul> <li>absolute path to the certificate key</li> <li>certificate key content</li> <li>base64 encoded certificate key content</li> </ul> <p><strong>Default:</strong> none</p> <h3 id="cluster_ca_cert">cluster_ca_cert</h3> <p>The trusted CA certificate file in PEM format used for:</p> <ul> <li>Control plane to verify data plane’s certificate</li> <li>Data plane to verify control plane’s certificate</li> </ul> <p>Required on data plane if <code class="language-plaintext highlighter-rouge">cluster_mtls</code> is set to <code class="language-plaintext highlighter-rouge">pki</code>.</p> <p>If the control plane certificate is issued by a well-known CA, set <code class="language-plaintext highlighter-rouge">lua_ssl_trusted_certificate=system</code> on the data plane and leave this field empty.</p> <p>This field is ignored if <code class="language-plaintext highlighter-rouge">cluster_mtls</code> is set to <code class="language-plaintext highlighter-rouge">shared</code>.</p> <p>The certificate can be configured on this property with any of the following values:</p> <ul> <li>absolute path to the certificate</li> <li>certificate content</li> <li>base64 encoded certificate content</li> </ul> <p><strong>Default:</strong> none</p> <h3 id="cluster_allowed_common_names">cluster_allowed_common_names</h3> <p>The list of Common Names that are allowed to connect to control plane. Multiple entries may be supplied in a comma-separated string. When not set, only data plane with the same parent domain as the control plane cert is allowed to connect.</p> <p>This field is ignored if <code class="language-plaintext highlighter-rouge">cluster_mtls</code> is not set to <code class="language-plaintext highlighter-rouge">pki_check_cn</code>.</p> <p><strong>Default:</strong> none</p> <hr> <h2 id="hybrid-mode-data-plane-section">Hybrid Mode Data Plane section</h2> <h3 id="cluster_server_name">cluster_server_name</h3> <p>The server name used in the SNI of the TLS connection from a DP node to a CP node.</p> <p>Must match the Common Name (CN) or Subject Alternative Name (SAN) found in the CP certificate.</p> <p>If <code class="language-plaintext highlighter-rouge">cluster_mtls</code> is set to <code class="language-plaintext highlighter-rouge">shared</code>, this setting is ignored and <code class="language-plaintext highlighter-rouge">kong_clustering</code> is used.</p> <p><strong>Default:</strong> none</p> <h3 id="cluster_control_plane">cluster_control_plane</h3> <p>To be used by data plane nodes only: address of the control plane node from which configuration updates will be fetched, in <code class="language-plaintext highlighter-rouge">host:port</code> format.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="cluster_telemetry_endpoint">cluster_telemetry_endpoint</h3> <p>To be used by data plane nodes only: telemetry address of the control plane node to which telemetry updates will be posted in <code class="language-plaintext highlighter-rouge">host:port</code> format.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="cluster_telemetry_server_name">cluster_telemetry_server_name</h3> <p>The SNI (Server Name Indication extension) to use for Vitals telemetry data.</p> <p><strong>Default:</strong> none</p> <h3 id="cluster_dp_labels">cluster_dp_labels</h3> <p>Comma-separated list of labels for the data plane.</p> <p>Labels are key-value pairs that provide additional context information for each DP.</p> <p>Each label must be configured as a string in the format <code class="language-plaintext highlighter-rouge">key:value</code>.</p> <p>Labels are only compatible with hybrid mode deployments with Kong Konnect (SaaS).</p> <p>This configuration doesn’t work with self-hosted deployments.</p> <p>Keys and values follow the AIP standards: https://kong-aip.netlify.app/aip/129/</p> <p>Example: <code class="language-plaintext highlighter-rouge">deployment:mycloud,region:us-east-1</code></p> <p><strong>Default:</strong> none</p> <hr> <h2 id="hybrid-mode-control-plane-section">Hybrid Mode Control Plane section</h2> <h3 id="cluster_listen">cluster_listen</h3> <p>Comma-separated list of addresses and ports on which the cluster control plane server should listen for data plane connections.</p> <p>The cluster communication port of the control plane must be accessible by all the data planes within the same cluster. This port is mTLS protected to ensure end-to-end security and integrity.</p> <p>This setting has no effect if <code class="language-plaintext highlighter-rouge">role</code> is not set to <code class="language-plaintext highlighter-rouge">control_plane</code>.</p> <p>Connections made to this endpoint are logged to the same location as Admin API access logs.</p> <p>See <code class="language-plaintext highlighter-rouge">admin_access_log</code> config description for more information.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0.0.0.0:8005</code></p> <h3 class="badge enterprise" id="cluster_telemetry_listen">cluster_telemetry_listen</h3> <p>Comma-separated list of addresses and ports on which the cluster control plane server should listen for data plane telemetry connections.</p> <p>The cluster communication port of the control plane must be accessible by all the data planes within the same cluster.</p> <p>This setting has no effect if <code class="language-plaintext highlighter-rouge">role</code> is not set to <code class="language-plaintext highlighter-rouge">control_plane</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0.0.0.0:8006</code></p> <h3 id="cluster_data_plane_purge_delay">cluster_data_plane_purge_delay</h3> <p>How many seconds must pass from the time a DP node becomes offline to the time its entry gets removed from the database, as returned by the /clustering/data-planes Admin API endpoint.</p> <p>This is to prevent the cluster data plane table from growing indefinitely. The default is set to 14 days. That is, if the CP hasn’t heard from a DP for 14 days, its entry will be removed.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">1209600</code></p> <h3 id="cluster_ocsp">cluster_ocsp</h3> <p>Whether to check for revocation status of DP certificates using OCSP (Online Certificate Status Protocol).</p> <p>If enabled, the DP certificate should contain the “Certificate Authority Information Access” extension and the OCSP method with URI of which the OCSP responder can be reached from CP.</p> <p>OCSP checks are only performed on CP nodes, it has no effect on DP nodes.</p> <p>Valid values for this setting are:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">on</code>: OCSP revocation check is enabled and DP must pass the check in order to establish connection with CP.</li> <li> <code class="language-plaintext highlighter-rouge">off</code>: OCSP revocation check is disabled.</li> <li> <code class="language-plaintext highlighter-rouge">optional</code>: OCSP revocation check will be attempted, however, if the required extension is not found inside DP-provided certificate or communication with the OCSP responder failed, then DP is still allowed through.</li> </ul> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="cluster_use_proxy">cluster_use_proxy</h3> <p>Whether to turn on HTTP CONNECT proxy support for hybrid mode connections. <code class="language-plaintext highlighter-rouge">proxy_server</code> will be used for hybrid mode connections if this option is turned on.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="cluster_max_payload">cluster_max_payload</h3> <p>This sets the maximum compressed payload size allowed to be sent from CP to DP in hybrid mode.</p> <p>Default is 16MB - 16 * 1024 * 1024.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">16777216</code></p> <hr> <h2 id="nginx-section">NGINX section</h2> <h3 id="proxy_listen">proxy_listen</h3> <p>Comma-separated list of addresses and ports on which the proxy server should listen for HTTP/HTTPS traffic.</p> <p>The proxy server is the public entry point of Kong, which proxies traffic from your consumers to your backend services. This value accepts IPv4, IPv6, and hostnames.</p> <p>Some suffixes can be specified for each pair:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">ssl</code> will require that all connections made through a particular address/port be made with TLS enabled.</li> <li> <code class="language-plaintext highlighter-rouge">http2</code> will allow for clients to open HTTP/2 connections to Kong’s proxy server.</li> <li> <code class="language-plaintext highlighter-rouge">proxy_protocol</code> will enable usage of the PROXY protocol for a given address/port.</li> <li> <code class="language-plaintext highlighter-rouge">deferred</code> instructs to use a deferred accept on Linux (the <code class="language-plaintext highlighter-rouge">TCP_DEFER_ACCEPT</code> socket option).</li> <li> <code class="language-plaintext highlighter-rouge">bind</code> instructs to make a separate bind() call for a given address:port pair.</li> <li> <code class="language-plaintext highlighter-rouge">reuseport</code> instructs to create an individual listening socket for each worker process, allowing the kernel to better distribute incoming connections between worker processes.</li> <li> <code class="language-plaintext highlighter-rouge">backlog=N</code> sets the maximum length for the queue of pending TCP connections. This number should not be too small to prevent clients seeing “Connection refused” errors when connecting to a busy Kong instance. <strong>Note:</strong> On Linux, this value is limited by the setting of the <code class="language-plaintext highlighter-rouge">net.core.somaxconn</code> kernel parameter. In order for the larger <code class="language-plaintext highlighter-rouge">backlog</code> set here to take effect, it is necessary to raise <code class="language-plaintext highlighter-rouge">net.core.somaxconn</code> at the same time to match or exceed the <code class="language-plaintext highlighter-rouge">backlog</code> number set.</li> <li> <code class="language-plaintext highlighter-rouge">ipv6only=on|off</code> specifies whether an IPv6 socket listening on a wildcard address [::] will accept only IPv6 connections or both IPv6 and IPv4 connections.</li> <li> <code class="language-plaintext highlighter-rouge">so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]</code> configures the TCP keepalive behavior for the listening socket. If this parameter is omitted, the operating system’s settings will be in effect for the socket. If it is set to the value <code class="language-plaintext highlighter-rouge">on</code>, the <code class="language-plaintext highlighter-rouge">SO_KEEPALIVE</code> option is turned on for the socket. If it is set to the value <code class="language-plaintext highlighter-rouge">off</code>, the <code class="language-plaintext highlighter-rouge">SO_KEEPALIVE</code> option is turned off for the socket. Some operating systems support setting of TCP keepalive parameters on a per-socket basis using the <code class="language-plaintext highlighter-rouge">TCP_KEEPIDLE</code>,<code class="language-plaintext highlighter-rouge"> TCP_KEEPINTVL</code>, and <code class="language-plaintext highlighter-rouge">TCP_KEEPCNT</code> socket options.</li> </ul> <p>This value can be set to <code class="language-plaintext highlighter-rouge">off</code>, thus disabling the HTTP/HTTPS proxy port for this node.</p> <p>If <code class="language-plaintext highlighter-rouge">stream_listen</code> is also set to <code class="language-plaintext highlighter-rouge">off</code>, this enables control plane mode for this node (in which all traffic proxying capabilities are disabled). This node can then be used only to configure a cluster of Kong nodes connected to the same datastore.</p> <p>Example: <code class="language-plaintext highlighter-rouge">proxy_listen = 0.0.0.0:443 ssl, 0.0.0.0:444 http2 ssl</code></p> <p>See http://nginx.org/en/docs/http/ngx_http_core_module.html#listen for a description of the accepted formats for this and other <code class="language-plaintext highlighter-rouge">*_listen</code> values.</p> <p>See https://www.nginx.com/resources/admin-guide/proxy-protocol/ for more details about the <code class="language-plaintext highlighter-rouge">proxy_protocol</code> parameter.</p> <p>Not all <code class="language-plaintext highlighter-rouge">*_listen</code> values accept all formats specified in nginx’s documentation.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384</code></p> <h3 id="proxy_url">proxy_url</h3> <p>Kong Proxy URL</p> <p>The lookup, or balancer, address for your Kong Proxy nodes.</p> <p>This value is commonly used in a microservices or service-mesh oriented architecture.</p> <p>Accepted format (parts in parentheses are optional):</p> <p><code class="language-plaintext highlighter-rouge">&lt;scheme&gt;://&lt;IP / HOSTNAME&gt;(:&lt;PORT&gt;(/&lt;PATH&gt;))</code></p> <p>Examples:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">&lt;scheme&gt;://&lt;IP&gt;:&lt;PORT&gt;</code> -&gt; <code class="language-plaintext highlighter-rouge">proxy_url = http://127.0.0.1:8000</code> </li> <li> <code class="language-plaintext highlighter-rouge">SSL &lt;scheme&gt;://&lt;HOSTNAME&gt;</code> -&gt; <code class="language-plaintext highlighter-rouge">proxy_url = https://proxy.domain.tld</code> </li> <li> <code class="language-plaintext highlighter-rouge">&lt;scheme&gt;://&lt;HOSTNAME&gt;/&lt;PATH&gt;</code> -&gt; <code class="language-plaintext highlighter-rouge">proxy_url = http://dev-machine/dev-285</code> </li> </ul> <p>By default, Kong Manager and Kong Portal will use the window request host and append the resolved listener port depending on the requested protocol.</p> <p><strong>Default:</strong> none</p> <h3 id="stream_listen">stream_listen</h3> <p>Comma-separated list of addresses and ports on which the stream mode should listen.</p> <p>This value accepts IPv4, IPv6, and hostnames.</p> <p>Some suffixes can be specified for each pair:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">ssl</code> will require that all connections made through a particular address/port be made with TLS enabled.</li> <li> <code class="language-plaintext highlighter-rouge">proxy_protocol</code> will enable usage of the PROXY protocol for a given address/port.</li> <li> <code class="language-plaintext highlighter-rouge">bind</code> instructs to make a separate bind() call for a given address:port pair.</li> <li> <code class="language-plaintext highlighter-rouge">reuseport</code> instructs to create an individual listening socket for each worker process, allowing the kernel to better distribute incoming connections between worker processes.</li> <li> <code class="language-plaintext highlighter-rouge">backlog=N</code> sets the maximum length for the queue of pending TCP connections. This number should not be too small to prevent clients seeing “Connection refused” errors when connecting to a busy Kong instance. <strong>Note:</strong> On Linux, this value is limited by the setting of the <code class="language-plaintext highlighter-rouge">net.core.somaxconn</code> kernel parameter. In order for the larger <code class="language-plaintext highlighter-rouge">backlog</code> set here to take effect, it is necessary to raise <code class="language-plaintext highlighter-rouge">net.core.somaxconn</code> at the same time to match or exceed the <code class="language-plaintext highlighter-rouge">backlog</code> number set.</li> <li> <code class="language-plaintext highlighter-rouge">ipv6only=on|off</code> specifies whether an IPv6 socket listening on a wildcard address [::] will accept only IPv6 connections or both IPv6 and IPv4 connections</li> <li> <code class="language-plaintext highlighter-rouge">so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]</code> configures the “TCP keepalive” behavior for the listening socket. If this parameter is omitted then the operating system’s settings will be in effect for the socket. If it is set to the value “on”, the SO_KEEPALIVE option is turned on for the socket. If it is set to the value “off”, the SO_KEEPALIVE option is turned off for the socket. Some operating systems support setting of TCP keepalive parameters on a per-socket basis using the<code class="language-plaintext highlighter-rouge"> TCP_KEEPIDLE</code>, <code class="language-plaintext highlighter-rouge">TCP_KEEPINTVL</code>, and <code class="language-plaintext highlighter-rouge">TCP_KEEPCNT</code> socket options.</li> </ul> <p>Examples:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>stream_listen = 127.0.0.1:7000 reuseport backlog=16384 stream_listen = 0.0.0.0:989 reuseport backlog=65536, 0.0.0.0:20 stream_listen = [::1]:1234 backlog=16384 </code></pre></div></div> <p>By default, this value is set to <code class="language-plaintext highlighter-rouge">off</code>, thus disabling the stream proxy port for this node.</p> <p>See http://nginx.org/en/docs/stream/ngx_stream_core_module.html#listen for a description of the formats that Kong might accept in stream_listen.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="admin_api_uri">admin_api_uri</h3> <p>Deprecated: Use admin_gui_api_url instead</p> <p><strong>Default:</strong> none</p> <h3 id="admin_listen">admin_listen</h3> <p>Comma-separated list of addresses and ports on which the Admin interface should listen.</p> <p>The Admin interface is the API allowing you to configure and manage Kong.</p> <p>Access to this interface should be <em>restricted</em> to Kong administrators <em>only</em>. This value accepts IPv4, IPv6, and hostnames.</p> <p>It is highly recommended to avoid exposing the Admin API to public interfaces, by using values such as <code class="language-plaintext highlighter-rouge">0.0.0.0:8001</code></p> <p>See https://docs.konghq.com/gateway/latest/production/running-kong/secure-admin-api/ for more information about how to secure your Admin API.</p> <p>Some suffixes can be specified for each pair:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">ssl</code> will require that all connections made through a particular address/port be made with TLS enabled.</li> <li> <code class="language-plaintext highlighter-rouge">http2</code> will allow for clients to open HTTP/2 connections to Kong’s proxy server.</li> <li> <code class="language-plaintext highlighter-rouge">proxy_protocol</code> will enable usage of the PROXY protocol for a given address/port.</li> <li> <code class="language-plaintext highlighter-rouge">deferred</code> instructs to use a deferred accept on Linux (the <code class="language-plaintext highlighter-rouge">TCP_DEFER_ACCEPT</code> socket option).</li> <li> <code class="language-plaintext highlighter-rouge">bind</code> instructs to make a separate bind() call for a given address:port pair.</li> <li> <code class="language-plaintext highlighter-rouge">reuseport</code> instructs to create an individual listening socket for each worker process, allowing the Kernel to better distribute incoming connections between worker processes.</li> <li> <code class="language-plaintext highlighter-rouge">backlog=N</code> sets the maximum length for the queue of pending TCP connections. This number should not be too small to prevent clients seeing “Connection refused” errors when connecting to a busy Kong instance. <strong>Note:</strong> On Linux, this value is limited by the setting of the <code class="language-plaintext highlighter-rouge">net.core.somaxconn</code> kernel parameter. In order for the larger <code class="language-plaintext highlighter-rouge">backlog</code> set here to take effect, it is necessary to raise <code class="language-plaintext highlighter-rouge">net.core.somaxconn</code> at the same time to match or exceed the <code class="language-plaintext highlighter-rouge">backlog</code> number set.</li> <li> <code class="language-plaintext highlighter-rouge">ipv6only=on|off</code> specifies whether an IPv6 socket listening on a wildcard address [::] will accept only IPv6 connections or both IPv6 and IPv4 connections.</li> <li> <code class="language-plaintext highlighter-rouge">so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]</code> configures the “TCP keepalive” behavior for the listening socket. If this parameter is omitted, the operating system’s settings will be in effect for the socket. If it is set to the value <code class="language-plaintext highlighter-rouge">on</code>, the <code class="language-plaintext highlighter-rouge">SO_KEEPALIVE</code> option is turned on for the socket. If it is set to the value <code class="language-plaintext highlighter-rouge">off</code>, the <code class="language-plaintext highlighter-rouge">SO_KEEPALIVE</code> option is turned off for the socket. Some operating systems support setting of TCP keepalive parameters on a per-socket basis using the <code class="language-plaintext highlighter-rouge">TCP_KEEPIDLE</code>, <code class="language-plaintext highlighter-rouge">TCP_KEEPINTVL</code>, and <code class="language-plaintext highlighter-rouge">TCP_KEEPCNT</code> socket options.</li> </ul> <p>This value can be set to <code class="language-plaintext highlighter-rouge">off</code>, thus disabling the Admin interface for this node, enabling a data plane mode (without configuration capabilities) pulling its configuration changes from the database.</p> <p>Example: <code class="language-plaintext highlighter-rouge">admin_listen = 127.0.0.1:8444 http2 ssl</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384</code></p> <h3 id="status_listen">status_listen</h3> <p>Comma-separated list of addresses and ports on which the Status API should listen.</p> <p>The Status API is a read-only endpoint allowing monitoring tools to retrieve metrics, healthiness, and other non-sensitive information of the current Kong node.</p> <p>The following suffix can be specified for each pair:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">ssl</code> will require that all connections made through a particular address/port be made with TLS enabled.</li> <li> <code class="language-plaintext highlighter-rouge">http2</code> will allow for clients to open HTTP/2 connections to Kong’s Status API server.</li> <li> <code class="language-plaintext highlighter-rouge">proxy_protocol</code> will enable usage of the PROXY protocol.</li> </ul> <p>This value can be set to <code class="language-plaintext highlighter-rouge">off</code>, disabling the Status API for this node.</p> <p>Example: <code class="language-plaintext highlighter-rouge">status_listen = 0.0.0.0:8100 ssl http2</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">127.0.0.1:8007 reuseport backlog=16384</code></p> <h3 class="badge enterprise" id="debug_listen">debug_listen</h3> <p>Comma-separated list of addresses and ports on which the Debug API should listen.</p> <p>The following suffix can be specified for each pair:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">ssl</code> will require that all connections made through a particular address/port be made with TLS enabled.</li> <li> <code class="language-plaintext highlighter-rouge">http2</code> will allow for clients to open HTTP/2 connections to Kong’s Debug API server.</li> </ul> <p>This value can be set to <code class="language-plaintext highlighter-rouge">off</code>, disabling the Debug API for this node.</p> <p>Example: <code class="language-plaintext highlighter-rouge">debug_listen = 0.0.0.0:8200 ssl http2</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 class="badge enterprise" id="debug_listen_local">debug_listen_local</h3> <p>Expose <code class="language-plaintext highlighter-rouge">debug_listen</code> functionalities via a Unix domain socket under the Kong prefix.</p> <p>This option allows local users to use <code class="language-plaintext highlighter-rouge">kong debug</code> command to invoke various debug functionalities without needing to enable <code class="language-plaintext highlighter-rouge">debug_listen</code> ahead of time.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">on</code></p> <h3 id="nginx_user">nginx_user</h3> <p>Defines user and group credentials used by worker processes. If group is omitted, a group whose name equals that of user is used.</p> <p>Example: <code class="language-plaintext highlighter-rouge">nginx_user = nginx www</code></p> <p><strong>Note</strong>: If the <code class="language-plaintext highlighter-rouge">kong</code> user and the <code class="language-plaintext highlighter-rouge">kong</code> group are not available, the default user and group credentials will be <code class="language-plaintext highlighter-rouge">nobody nobody</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">kong kong</code></p> <h3 id="nginx_worker_processes">nginx_worker_processes</h3> <p>Determines the number of worker processes spawned by Nginx.</p> <p>See http://nginx.org/en/docs/ngx_core_module.html#worker_processes for detailed usage of the equivalent Nginx directive and a description of accepted values.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">auto</code></p> <h3 id="nginx_daemon">nginx_daemon</h3> <p>Determines whether Nginx will run as a daemon or as a foreground process. Mainly useful for development or when running Kong inside a Docker environment.</p> <p>See http://nginx.org/en/docs/ngx_core_module.html#daemon.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">on</code></p> <h3 id="mem_cache_size">mem_cache_size</h3> <p>Size of each of the two shared memory caches for traditional mode database entities and runtime data, <code class="language-plaintext highlighter-rouge">kong_core_cache</code> and <code class="language-plaintext highlighter-rouge">kong_cache</code>.</p> <p>The accepted units are <code class="language-plaintext highlighter-rouge">k</code> and <code class="language-plaintext highlighter-rouge">m</code>, with a minimum recommended value of a few MBs.</p> <p><strong>Note</strong>: As this option controls the size of two different cache zones, the total memory Kong uses to cache entities might be double this value.</p> <p>The created zones are shared by all worker processes and do not become larger when more workers are used.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">128m</code></p> <h3 id="ssl_cipher_suite">ssl_cipher_suite</h3> <p>Defines the TLS ciphers served by Nginx.</p> <p>Accepted values are <code class="language-plaintext highlighter-rouge">modern</code>, <code class="language-plaintext highlighter-rouge">intermediate</code>, <code class="language-plaintext highlighter-rouge">old</code>, <code class="language-plaintext highlighter-rouge">fips</code> or <code class="language-plaintext highlighter-rouge">custom</code>.</p> <p>If you want to enable TLSv1.1, this value has to be <code class="language-plaintext highlighter-rouge">old</code>.</p> <p>See https://wiki.mozilla.org/Security/Server_Side_TLS for detailed descriptions of each cipher suite. <code class="language-plaintext highlighter-rouge">fips</code> cipher suites are as described in https://wiki.openssl.org/index.php/FIPS_mode_and_TLS.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">intermediate</code></p> <h3 id="ssl_ciphers">ssl_ciphers</h3> <p>Defines a custom list of TLS ciphers to be served by Nginx. This list must conform to the pattern defined by <code class="language-plaintext highlighter-rouge">openssl ciphers</code>.</p> <p>This value is ignored if <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> is not <code class="language-plaintext highlighter-rouge">custom</code>.</p> <p>If you use DHE ciphers, you must also configure the <code class="language-plaintext highlighter-rouge">ssl_dhparam</code> parameter.</p> <p><strong>Default:</strong> none</p> <h3 id="ssl_protocols">ssl_protocols</h3> <p>Enables the specified protocols for client-side connections. The set of supported protocol versions also depends on the version of OpenSSL Kong was built with. This value is ignored if <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> is not <code class="language-plaintext highlighter-rouge">custom</code>.</p> <p>If you want to enable TLSv1.1, you should set <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> to <code class="language-plaintext highlighter-rouge">old</code>.</p> <p>See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">TLSv1.2 TLSv1.3</code></p> <h3 id="ssl_prefer_server_ciphers">ssl_prefer_server_ciphers</h3> <p>Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols. This value is ignored if <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> is not <code class="language-plaintext highlighter-rouge">custom</code>.</p> <p>See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">on</code></p> <h3 id="ssl_dhparam">ssl_dhparam</h3> <p>Defines DH parameters for DHE ciphers from the predefined groups: <code class="language-plaintext highlighter-rouge">ffdhe2048</code>, <code class="language-plaintext highlighter-rouge">ffdhe3072</code>, <code class="language-plaintext highlighter-rouge">ffdhe4096</code>, <code class="language-plaintext highlighter-rouge">ffdhe6144</code>, <code class="language-plaintext highlighter-rouge">ffdhe8192</code>, from the absolute path to a parameters file, or directly from the parameters content.</p> <p>This value is ignored if <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> is <code class="language-plaintext highlighter-rouge">modern</code> or <code class="language-plaintext highlighter-rouge">intermediate</code>. The reason is that <code class="language-plaintext highlighter-rouge">modern</code> has no ciphers that need this, and <code class="language-plaintext highlighter-rouge">intermediate</code> uses <code class="language-plaintext highlighter-rouge">ffdhe2048</code>.</p> <p>See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam</p> <p><strong>Default:</strong> none</p> <h3 id="ssl_session_tickets">ssl_session_tickets</h3> <p>Enables or disables session resumption through TLS session tickets. This has no impact when used with TLSv1.3.</p> <p>Kong enables this by default for performance reasons, but it has security implications: https://github.com/mozilla/server-side-tls/issues/135</p> <p>See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">on</code></p> <h3 id="ssl_session_timeout">ssl_session_timeout</h3> <p>Specifies a time during which a client may reuse the session parameters. See the rationale: https://github.com/mozilla/server-side-tls/issues/198</p> <p>See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">1d</code></p> <h3 id="ssl_session_cache_size">ssl_session_cache_size</h3> <p>Sets the size of the caches that store session parameters.</p> <p>See https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">10m</code></p> <h3 id="ssl_cert">ssl_cert</h3> <p>Comma-separated list of certificates for <code class="language-plaintext highlighter-rouge">proxy_listen</code> values with TLS enabled.</p> <p>If more than one certificate is specified, it can be used to provide alternate types of certificates (for example, ECC certificates) that will be served to clients that support them. Note that to properly serve using ECC certificates, it is recommended to also set <code class="language-plaintext highlighter-rouge">ssl_cipher_suite</code> to <code class="language-plaintext highlighter-rouge">modern</code> or <code class="language-plaintext highlighter-rouge">intermediate</code>.</p> <p>Unless this option is explicitly set, Kong will auto-generate a pair of default certificates (RSA + ECC) the first time it starts up and use them for serving TLS requests.</p> <p>Certificates can be configured on this property with any of the following values:</p> <ul> <li>absolute path to the certificate</li> <li>certificate content</li> <li>base64 encoded certificate content</li> </ul> <p><strong>Default:</strong> none</p> <h3 id="ssl_cert_key">ssl_cert_key</h3> <p>Comma-separated list of keys for <code class="language-plaintext highlighter-rouge">proxy_listen</code> values with TLS enabled.</p> <p>If more than one certificate was specified for <code class="language-plaintext highlighter-rouge">ssl_cert</code>, then this option should contain the corresponding key for all certificates provided in the same order.</p> <p>Unless this option is explicitly set, Kong will auto-generate a pair of default private keys (RSA + ECC) the first time it starts up and use them for serving TLS requests.</p> <p>Keys can be configured on this property with any of the following values:</p> <ul> <li>absolute path to the certificate key</li> <li>certificate key content</li> <li>base64 encoded certificate key content</li> </ul> <p><strong>Default:</strong> none</p> <h3 id="client_ssl">client_ssl</h3> <p>Determines if Nginx should attempt to send client-side TLS certificates and perform Mutual TLS Authentication with upstream service when proxying requests.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="client_ssl_cert">client_ssl_cert</h3> <p>If <code class="language-plaintext highlighter-rouge">client_ssl</code> is enabled, the client certificate for the <code class="language-plaintext highlighter-rouge">proxy_ssl_certificate</code> directive.</p> <p>This value can be overwritten dynamically with the <code class="language-plaintext highlighter-rouge">client_certificate</code> attribute of the <code class="language-plaintext highlighter-rouge">Service</code> object.</p> <p>The certificate can be configured on this property with any of the following values:</p> <ul> <li>absolute path to the certificate</li> <li>certificate content</li> <li>base64 encoded certificate content</li> </ul> <p><strong>Default:</strong> none</p> <h3 id="client_ssl_cert_key">client_ssl_cert_key</h3> <p>If <code class="language-plaintext highlighter-rouge">client_ssl</code> is enabled, the client TLS key for the <code class="language-plaintext highlighter-rouge">proxy_ssl_certificate_key</code> directive.</p> <p>This value can be overwritten dynamically with the <code class="language-plaintext highlighter-rouge">client_certificate</code> attribute of the <code class="language-plaintext highlighter-rouge">Service</code> object.</p> <p>The certificate key can be configured on this property with any of the following values:</p> <ul> <li>absolute path to the certificate key</li> <li>certificate key content</li> <li>base64 encoded certificate key content</li> </ul> <p><strong>Default:</strong> none</p> <h3 id="admin_ssl_cert">admin_ssl_cert</h3> <p>Comma-separated list of certificates for <code class="language-plaintext highlighter-rouge">admin_listen</code> values with TLS enabled.</p> <p>See docs for <code class="language-plaintext highlighter-rouge">ssl_cert</code> for detailed usage.</p> <p><strong>Default:</strong> none</p> <h3 id="admin_ssl_cert_key">admin_ssl_cert_key</h3> <p>Comma-separated list of keys for <code class="language-plaintext highlighter-rouge">admin_listen</code> values with TLS enabled.</p> <p>See docs for <code class="language-plaintext highlighter-rouge">ssl_cert_key</code> for detailed usage.</p> <p><strong>Default:</strong> none</p> <h3 id="status_ssl_cert">status_ssl_cert</h3> <p>Comma-separated list of certificates for <code class="language-plaintext highlighter-rouge">status_listen</code> values with TLS enabled.</p> <p>See docs for <code class="language-plaintext highlighter-rouge">ssl_cert</code> for detailed usage.</p> <p><strong>Default:</strong> none</p> <h3 id="status_ssl_cert_key">status_ssl_cert_key</h3> <p>Comma-separated list of keys for <code class="language-plaintext highlighter-rouge">status_listen</code> values with TLS enabled.</p> <p>See docs for <code class="language-plaintext highlighter-rouge">ssl_cert_key</code> for detailed usage.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="debug_ssl_cert">debug_ssl_cert</h3> <p>Comma-separated list of certificates for <code class="language-plaintext highlighter-rouge">debug_listen</code> values with TLS enabled.</p> <p>See docs for <code class="language-plaintext highlighter-rouge">ssl_cert</code> for detailed usage.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="debug_ssl_cert_key">debug_ssl_cert_key</h3> <p>Comma-separated list of keys for <code class="language-plaintext highlighter-rouge">debug_listen</code> values with TLS enabled.</p> <p>See docs for <code class="language-plaintext highlighter-rouge">ssl_cert_key</code> for detailed usage.</p> <p><strong>Default:</strong> none</p> <h3 id="headers">headers</h3> <p>Comma-separated list of headers Kong should inject in client responses.</p> <p>Accepted values are:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">Server</code>: Injects <code class="language-plaintext highlighter-rouge">Server: kong/x.y.z</code> on Kong-produced responses (e.g., Admin API, rejected requests from auth plugin).</li> <li> <code class="language-plaintext highlighter-rouge">Via</code>: Injects <code class="language-plaintext highlighter-rouge">Via: kong/x.y.z</code> for successfully proxied requests.</li> <li> <code class="language-plaintext highlighter-rouge">X-Kong-Proxy-Latency</code>: Time taken (in milliseconds) by Kong to process a request and run all plugins before proxying the request upstream.</li> <li> <code class="language-plaintext highlighter-rouge">X-Kong-Response-Latency</code>: Time taken (in milliseconds) by Kong to produce a response in case of, e.g., a plugin short-circuiting the request, or in case of an error.</li> <li> <code class="language-plaintext highlighter-rouge">X-Kong-Upstream-Latency</code>: Time taken (in milliseconds) by the upstream service to send response headers.</li> <li> <code class="language-plaintext highlighter-rouge">X-Kong-Admin-Latency</code>: Time taken (in milliseconds) by Kong to process an Admin API request.</li> <li> <code class="language-plaintext highlighter-rouge">X-Kong-Upstream-Status</code>: The HTTP status code returned by the upstream service. This is particularly useful for clients to distinguish upstream statuses if the response is rewritten by a plugin.</li> <li> <code class="language-plaintext highlighter-rouge">X-Kong-Request-Id</code>: Unique identifier of the request.</li> <li> <code class="language-plaintext highlighter-rouge">server_tokens</code>: Same as specifying both <code class="language-plaintext highlighter-rouge">Server</code> and <code class="language-plaintext highlighter-rouge">Via</code>.</li> <li> <code class="language-plaintext highlighter-rouge">latency_tokens</code>: Same as specifying <code class="language-plaintext highlighter-rouge">X-Kong-Proxy-Latency</code>, <code class="language-plaintext highlighter-rouge">X-Kong-Response-Latency</code>, <code class="language-plaintext highlighter-rouge">X-Kong-Admin-Latency</code>, and <code class="language-plaintext highlighter-rouge">X-Kong-Upstream-Latency</code>.</li> </ul> <p>In addition to these, this value can be set to <code class="language-plaintext highlighter-rouge">off</code>, which prevents Kong from injecting any of the above headers. Note that this does not prevent plugins from injecting headers of their own.</p> <p>Example: <code class="language-plaintext highlighter-rouge">headers = via, latency_tokens</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">server_tokens, latency_tokens, X-Kong-Request-Id</code></p> <h3 id="headers_upstream">headers_upstream</h3> <p>Comma-separated list of headers Kong should inject in requests to upstream.</p> <p>At this time, the only accepted value is:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">X-Kong-Request-Id</code>: Unique identifier of the request.</li> </ul> <p>In addition, this value can be set to <code class="language-plaintext highlighter-rouge">off</code>, which prevents Kong from injecting the above header. Note that this does not prevent plugins from injecting headers of their own.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">X-Kong-Request-Id</code></p> <h3 id="trusted_ips">trusted_ips</h3> <p>Defines trusted IP address blocks that are known to send correct <code class="language-plaintext highlighter-rouge">X-Forwarded-*</code> headers.</p> <p>Requests from trusted IPs make Kong forward their <code class="language-plaintext highlighter-rouge">X-Forwarded-*</code> headers upstream.</p> <p>Non-trusted requests make Kong insert its own <code class="language-plaintext highlighter-rouge">X-Forwarded-*</code> headers.</p> <p>This property also sets the <code class="language-plaintext highlighter-rouge">set_real_ip_from</code> directive(s) in the Nginx configuration. It accepts the same type of values (CIDR blocks) but as a comma-separated list.</p> <p>To trust <em>all</em> IPs, set this value to <code class="language-plaintext highlighter-rouge">0.0.0.0/0,::/0</code>.</p> <p>If the special value <code class="language-plaintext highlighter-rouge">unix:</code> is specified, all UNIX-domain sockets will be trusted.</p> <p>See http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from for examples of accepted values.</p> <p><strong>Default:</strong> none</p> <h3 id="real_ip_header">real_ip_header</h3> <p>Defines the request header field whose value will be used to replace the client address.</p> <p>This value sets the <code class="language-plaintext highlighter-rouge">ngx_http_realip_module</code> directive of the same name in the Nginx configuration.</p> <p>If this value receives <code class="language-plaintext highlighter-rouge">proxy_protocol</code>:</p> <ul> <li>at least one of the <code class="language-plaintext highlighter-rouge">proxy_listen</code> entries must have the <code class="language-plaintext highlighter-rouge">proxy_protocol</code> flag enabled.</li> <li>the <code class="language-plaintext highlighter-rouge">proxy_protocol</code> parameter will be appended to the <code class="language-plaintext highlighter-rouge">listen</code> directive of the Nginx template.</li> </ul> <p>See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header for a description of this directive.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">X-Real-IP</code></p> <h3 id="real_ip_recursive">real_ip_recursive</h3> <p>This value sets the <code class="language-plaintext highlighter-rouge">ngx_http_realip_module</code> directive of the same name in the Nginx configuration.</p> <p>See http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive for a description of this directive.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="error_default_type">error_default_type</h3> <p>Default MIME type to use when the request <code class="language-plaintext highlighter-rouge">Accept</code> header is missing and Nginx is returning an error for the request.</p> <p>Accepted values are <code class="language-plaintext highlighter-rouge">text/plain</code>, <code class="language-plaintext highlighter-rouge">text/html</code>, <code class="language-plaintext highlighter-rouge">application/json</code>, and <code class="language-plaintext highlighter-rouge">application/xml</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">text/plain</code></p> <h3 id="upstream_keepalive_pool_size">upstream_keepalive_pool_size</h3> <p>Sets the default size of the upstream keepalive connection pools.</p> <p>Upstream keepalive connection pools are segmented by the <code class="language-plaintext highlighter-rouge">dst ip/dst port/SNI</code> attributes of a connection.</p> <p>A value of <code class="language-plaintext highlighter-rouge">0</code> will disable upstream keepalive connections by default, forcing each upstream request to open a new connection.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">512</code></p> <h3 id="upstream_keepalive_max_requests">upstream_keepalive_max_requests</h3> <p>Sets the default maximum number of requests that can be proxied upstream through one keepalive connection.</p> <p>After the maximum number of requests is reached, the connection will be closed.</p> <p>A value of <code class="language-plaintext highlighter-rouge">0</code> will disable this behavior, and a keepalive connection can be used to proxy an indefinite number of requests.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">10000</code></p> <h3 id="upstream_keepalive_idle_timeout">upstream_keepalive_idle_timeout</h3> <p>Sets the default timeout (in seconds) for which an upstream keepalive connection should be kept open. When the timeout is reached while the connection has not been reused, it will be closed.</p> <p>A value of <code class="language-plaintext highlighter-rouge">0</code> will disable this behavior, and an idle keepalive connection may be kept open indefinitely.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">60</code></p> <h3 id="allow_debug_header">allow_debug_header</h3> <p>Enable the <code class="language-plaintext highlighter-rouge">Kong-Debug</code> header function.</p> <p>If it is <code class="language-plaintext highlighter-rouge">on</code>, Kong will add <code class="language-plaintext highlighter-rouge">Kong-Route-Id</code>, <code class="language-plaintext highlighter-rouge">Kong-Route-Name</code>, <code class="language-plaintext highlighter-rouge">Kong-Service-Id</code>, and <code class="language-plaintext highlighter-rouge">Kong-Service-Name</code> debug headers to the response when the client request header <code class="language-plaintext highlighter-rouge">Kong-Debug: 1</code> is present.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <hr> <h2 id="nginx-injected-directives-section">NGINX Injected Directives section</h2> <p>Nginx directives can be dynamically injected in the runtime nginx.conf file without requiring a custom Nginx configuration template.</p> <p>All configuration properties following the naming scheme <code class="language-plaintext highlighter-rouge">nginx_&lt;namespace&gt;_&lt;directive&gt;</code> will result in <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> being injected in the Nginx configuration block corresponding to the property’s <code class="language-plaintext highlighter-rouge">&lt;namespace&gt;</code>.</p> <p>Example: <code class="language-plaintext highlighter-rouge">nginx_proxy_large_client_header_buffers = 8 24k</code></p> <p>Will inject the following directive in Kong’s proxy <code class="language-plaintext highlighter-rouge">server {}</code> block:</p> <p><code class="language-plaintext highlighter-rouge">large_client_header_buffers 8 24k;</code></p> <p>The following namespaces are supported:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">nginx_main_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s configuration <code class="language-plaintext highlighter-rouge">main</code> context.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_events_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s <code class="language-plaintext highlighter-rouge">events {}</code> block.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_http_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s <code class="language-plaintext highlighter-rouge">http {}</code> block.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_proxy_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s proxy <code class="language-plaintext highlighter-rouge">server {}</code> block.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_location_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s proxy <code class="language-plaintext highlighter-rouge">/</code> location block (nested under Kong’s proxy <code class="language-plaintext highlighter-rouge">server {}</code> block).</li> <li> <code class="language-plaintext highlighter-rouge">nginx_upstream_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s proxy <code class="language-plaintext highlighter-rouge">upstream {}</code> block.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_admin_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s Admin API <code class="language-plaintext highlighter-rouge">server {}</code> block.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_status_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s Status API <code class="language-plaintext highlighter-rouge">server {}</code> block (only effective if <code class="language-plaintext highlighter-rouge">status_listen</code> is enabled).</li> <li> <code class="language-plaintext highlighter-rouge">nginx_debug_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s Debug API <code class="language-plaintext highlighter-rouge">server{}</code> block (only effective if <code class="language-plaintext highlighter-rouge">debug_listen</code> or <code class="language-plaintext highlighter-rouge">debug_listen_local</code> is enabled).</li> <li> <code class="language-plaintext highlighter-rouge">nginx_stream_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s stream module <code class="language-plaintext highlighter-rouge">stream {}</code> block (only effective if <code class="language-plaintext highlighter-rouge">stream_listen</code> is enabled).</li> <li> <code class="language-plaintext highlighter-rouge">nginx_sproxy_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s stream module <code class="language-plaintext highlighter-rouge">server {}</code> block (only effective if <code class="language-plaintext highlighter-rouge">stream_listen</code> is enabled).</li> <li> <code class="language-plaintext highlighter-rouge">nginx_supstream_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> in Kong’s stream module <code class="language-plaintext highlighter-rouge">upstream {}</code> block.</li> </ul> <p>As with other configuration properties, Nginx directives can be injected via environment variables when capitalized and prefixed with <code class="language-plaintext highlighter-rouge">KONG_</code>.</p> <p>Example: <code class="language-plaintext highlighter-rouge">KONG_NGINX_HTTP_SSL_PROTOCOLS</code> -&gt; <code class="language-plaintext highlighter-rouge">nginx_http_ssl_protocols</code></p> <p>Will inject the following directive in Kong’s <code class="language-plaintext highlighter-rouge">http {}</code> block:</p> <p><code class="language-plaintext highlighter-rouge">ssl_protocols &lt;value&gt;;</code></p> <p>If different sets of protocols are desired between the proxy and Admin API server, you may specify <code class="language-plaintext highlighter-rouge">nginx_proxy_ssl_protocols</code> and/or <code class="language-plaintext highlighter-rouge">nginx_admin_ssl_protocols</code>, both of which take precedence over the <code class="language-plaintext highlighter-rouge">http {}</code> block.</p> <h3 id="nginx_main_worker_rlimit_nofile">nginx_main_worker_rlimit_nofile</h3> <p>Changes the limit on the maximum number of open files for worker processes.</p> <p>The special and default value of <code class="language-plaintext highlighter-rouge">auto</code> sets this value to <code class="language-plaintext highlighter-rouge">ulimit -n</code> with the upper bound limited to 16384 as a measure to protect against excess memory use, and the lower bound of 1024 as a good default.</p> <p>See http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">auto</code></p> <h3 id="nginx_events_worker_connections">nginx_events_worker_connections</h3> <p>Sets the maximum number of simultaneous connections that can be opened by a worker process.</p> <p>The special and default value of <code class="language-plaintext highlighter-rouge">auto</code> sets this value to <code class="language-plaintext highlighter-rouge">ulimit -n</code> with the upper bound limited to 16384 as a measure to protect against excess memory use, and the lower bound of 1024 as a good default.</p> <p>See http://nginx.org/en/docs/ngx_core_module.html#worker_connections</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">auto</code></p> <h3 id="nginx_http_client_header_buffer_size">nginx_http_client_header_buffer_size</h3> <p>Sets buffer size for reading the client request headers.</p> <p>See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">1k</code></p> <h3 id="nginx_http_large_client_header_buffers">nginx_http_large_client_header_buffers</h3> <p>Sets the maximum number and size of buffers used for reading large client request headers.</p> <p>See http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">4 8k</code></p> <h3 id="nginx_http_client_max_body_size">nginx_http_client_max_body_size</h3> <p>Defines the maximum request body size allowed by requests proxied by Kong, specified in the Content-Length request header. If a request exceeds this limit, Kong will respond with a 413 (Request Entity Too Large). Setting this value to 0 disables checking the request body size.</p> <p>See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0</code></p> <h3 id="nginx_admin_client_max_body_size">nginx_admin_client_max_body_size</h3> <p>Defines the maximum request body size for Admin API.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">10m</code></p> <h3 id="nginx_http_charset">nginx_http_charset</h3> <p>Adds the specified charset to the “Content-Type” response header field. If this charset is different from the charset specified in the <code class="language-plaintext highlighter-rouge">source_charset</code> directive, a conversion is performed.</p> <p>The parameter <code class="language-plaintext highlighter-rouge">off</code> cancels the addition of charset to the “Content-Type” response header field.</p> <p>See http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">UTF-8</code></p> <h3 id="nginx_http_client_body_buffer_size">nginx_http_client_body_buffer_size</h3> <p>Defines the buffer size for reading the request body. If the client request body is larger than this value, the body will be buffered to disk. Note that when the body is buffered to disk, Kong plugins that access or manipulate the request body may not work, so it is advisable to set this value as high as possible (e.g., set it as high as <code class="language-plaintext highlighter-rouge">client_max_body_size</code> to force request bodies to be kept in memory). Do note that high-concurrency environments will require significant memory allocations to process many concurrent large request bodies.</p> <p>See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">8k</code></p> <h3 id="nginx_admin_client_body_buffer_size">nginx_admin_client_body_buffer_size</h3> <p>Defines the buffer size for reading the request body on Admin API.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">10m</code></p> <h3 id="nginx_http_lua_regex_match_limit">nginx_http_lua_regex_match_limit</h3> <p>Global <code class="language-plaintext highlighter-rouge">MATCH_LIMIT</code> for PCRE regex matching. The default of <code class="language-plaintext highlighter-rouge">100000</code> should ensure at worst any regex Kong executes could finish within roughly 2 seconds.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">100000</code></p> <h3 id="nginx_http_lua_regex_cache_max_entries">nginx_http_lua_regex_cache_max_entries</h3> <p>Specifies the maximum number of entries allowed in the worker process level PCRE JIT compiled regex cache.</p> <p>It is recommended to set it to at least (number of regex paths * 2) to avoid high CPU usages if you manually specified <code class="language-plaintext highlighter-rouge">router_flavor</code> to <code class="language-plaintext highlighter-rouge">traditional</code>. <code class="language-plaintext highlighter-rouge">expressions</code> and <code class="language-plaintext highlighter-rouge">traditional_compat</code> router do not make use of the PCRE library and their behavior is unaffected by this setting.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">8192</code></p> <h3 id="nginx_http_keepalive_requests">nginx_http_keepalive_requests</h3> <p>Sets the maximum number of client requests that can be served through one keep-alive connection. After the maximum number of requests are made, the connection is closed.</p> <p>Closing connections periodically is necessary to free per-connection memory allocations. Therefore, using too high a maximum number of requests could result in excessive memory usage and is not recommended.</p> <p>See: https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">10000</code></p> <hr> <h2 id="datastore-section">Datastore section</h2> <p>Kong can run with a database to store coordinated data between Kong nodes in a cluster, or without a database, where each node stores its information independently in memory.</p> <p>When using a database, Kong will store data for all its entities (such as routes, services, consumers, and plugins) in PostgreSQL, and all Kong nodes belonging to the same cluster must connect to the same database.</p> <p>Kong supports PostgreSQL versions 9.5 and above.</p> <p>When not using a database, Kong is said to be in “DB-less mode”: it will keep its entities in memory, and each node needs to have this data entered via a declarative configuration file, which can be specified through the <code class="language-plaintext highlighter-rouge">declarative_config</code> property, or via the Admin API using the <code class="language-plaintext highlighter-rouge">/config</code> endpoint.</p> <p>When using Postgres as the backend storage, you can optionally enable Kong to serve read queries from a separate database instance.</p> <p>When the number of proxies is large, this can greatly reduce the load on the main Postgres instance and achieve better scalability. It may also reduce the latency jitter if the Kong proxy node’s latency to the main Postgres instance is high.</p> <p>The read-only Postgres instance only serves read queries, and write queries still go to the main connection. The read-only Postgres instance can be eventually consistent while replicating changes from the main instance.</p> <p>At least the <code class="language-plaintext highlighter-rouge">pg_ro_host</code> config is needed to enable this feature.</p> <p>By default, all other database config for the read-only connection is inherited from the corresponding main connection config described above but may be optionally overwritten explicitly using the <code class="language-plaintext highlighter-rouge">pg_ro_*</code> config below.</p> <h3 id="database">database</h3> <p>Determines the database (or no database) for this node Accepted values are <code class="language-plaintext highlighter-rouge">postgres</code> and <code class="language-plaintext highlighter-rouge">off</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">postgres</code></p> <h3 id="postgres-settings">Postgres settings</h3> <table> <thead> <tr> <th>name</th> <th>description</th> <th>default</th> </tr> </thead> <tbody> <tr> <td><strong>pg_host</strong></td> <td>Host of the Postgres server.</td> <td><code class="language-plaintext highlighter-rouge">127.0.0.1</code></td> </tr> <tr> <td><strong>pg_port</strong></td> <td>Port of the Postgres server.</td> <td><code class="language-plaintext highlighter-rouge">5432</code></td> </tr> <tr> <td><strong>pg_timeout</strong></td> <td>Defines the timeout (in ms), for connecting, reading and writing.</td> <td><code class="language-plaintext highlighter-rouge">5000</code></td> </tr> <tr> <td><strong>pg_user</strong></td> <td>Postgres user.</td> <td><code class="language-plaintext highlighter-rouge">kong</code></td> </tr> <tr> <td><strong>pg_password</strong></td> <td>Postgres user’s password.</td> <td>none</td> </tr> <tr> <td><strong>pg_iam_auth</strong></td> <td>Determines whether the AWS IAM database Authentication will be used. When switch to <code class="language-plaintext highlighter-rouge">on</code>, the username defined in <code class="language-plaintext highlighter-rouge">pg_user</code> will be used as the database account, and the database connection will be forced to using TLS. <code class="language-plaintext highlighter-rouge">pg_password</code> will not be used when the switch is <code class="language-plaintext highlighter-rouge">on</code>. Note that the corresponding IAM policy must be correct, otherwise connecting will fail.</td> <td><code class="language-plaintext highlighter-rouge">off</code></td> </tr> <tr> <td><strong>pg_iam_auth_assume_role_arn</strong></td> <td>The target AWS IAM role ARN that will be assumed when using AWS IAM database authentication. Typically this is used for operating between multiple roles or cross-accounts. If you are not using assume role you should not specify this value.</td> <td>none</td> </tr> <tr> <td><strong>pg_iam_auth_role_session_name</strong></td> <td>The role session name used for role assuming in AWS IAM Database Authentication. The default value is <code class="language-plaintext highlighter-rouge">KongPostgres</code>.</td> <td><code class="language-plaintext highlighter-rouge">KongPostgres</code></td> </tr> <tr> <td><strong>pg_iam_auth_sts_endpoint_url</strong></td> <td>The custom STS endpoint URL used for role assuming in AWS IAM Database Authentication. Note that this value will override the default STS endpoint URL (which should be <code class="language-plaintext highlighter-rouge">https://sts.amazonaws.com</code>, or <code class="language-plaintext highlighter-rouge">https://sts.&lt;region&gt;.amazonaws.com</code> if you have <code class="language-plaintext highlighter-rouge">AWS_STS_REGIONAL_ENDPOINTS</code> set to <code class="language-plaintext highlighter-rouge">regional</code>). If you are not using private VPC endpoint for STS service, you should not specify this value.</td> <td>none</td> </tr> <tr> <td><strong>pg_database</strong></td> <td>The database name to connect to.</td> <td><code class="language-plaintext highlighter-rouge">kong</code></td> </tr> <tr> <td><strong>pg_schema</strong></td> <td>The database schema to use. If unspecified, Kong will respect the <code class="language-plaintext highlighter-rouge">search_path</code> value of your PostgreSQL instance.</td> <td>none</td> </tr> <tr> <td><strong>pg_ssl</strong></td> <td>Toggles client-server TLS connections between Kong and PostgreSQL. Because PostgreSQL uses the same port for TLS and non-TLS, this is only a hint. If the server does not support TLS, the established connection will be a plain one.</td> <td><code class="language-plaintext highlighter-rouge">off</code></td> </tr> <tr> <td><strong>pg_ssl_version</strong></td> <td>When using ssl between Kong and PostgreSQL, the version of tls to use. Accepted values are <code class="language-plaintext highlighter-rouge">tlsv1_1</code>, <code class="language-plaintext highlighter-rouge">tlsv1_2</code>, <code class="language-plaintext highlighter-rouge">tlsv1_3</code>, or ‘any’. When <code class="language-plaintext highlighter-rouge">any</code> is set, the client negotiates the highest version with the server which can’t be lower than <code class="language-plaintext highlighter-rouge">tlsv1_1</code>.</td> <td><code class="language-plaintext highlighter-rouge">tlsv1_2</code></td> </tr> <tr> <td><strong>pg_ssl_required</strong></td> <td>When <code class="language-plaintext highlighter-rouge">pg_ssl</code> is on this determines if TLS must be used between Kong and PostgreSQL. It aborts the connection if the server does not support SSL connections.</td> <td><code class="language-plaintext highlighter-rouge">off</code></td> </tr> <tr> <td><strong>pg_ssl_verify</strong></td> <td>Toggles server certificate verification if <code class="language-plaintext highlighter-rouge">pg_ssl</code> is enabled. See the <code class="language-plaintext highlighter-rouge">lua_ssl_trusted_certificate</code> setting to specify a certificate authority.</td> <td><code class="language-plaintext highlighter-rouge">off</code></td> </tr> <tr> <td><strong>pg_ssl_cert</strong></td> <td>The absolute path to the PEM encoded client TLS certificate for the PostgreSQL connection. Mutual TLS authentication against PostgreSQL is only enabled if this value is set.</td> <td>none</td> </tr> <tr> <td><strong>pg_ssl_cert_key</strong></td> <td>If <code class="language-plaintext highlighter-rouge">pg_ssl_cert</code> is set, the absolute path to the PEM encoded client TLS private key for the PostgreSQL connection.</td> <td>none</td> </tr> <tr> <td><strong>pg_max_concurrent_queries</strong></td> <td>Sets the maximum number of concurrent queries that can be executing at any given time. This limit is enforced per worker process; the total number of concurrent queries for this node will be will be: <code class="language-plaintext highlighter-rouge">pg_max_concurrent_queries * nginx_worker_processes</code>. The default value of 0 removes this concurrency limitation.</td> <td><code class="language-plaintext highlighter-rouge">0</code></td> </tr> <tr> <td><strong>pg_semaphore_timeout</strong></td> <td>Defines the timeout (in ms) after which PostgreSQL query semaphore resource acquisition attempts will fail. Such failures will generally result in the associated proxy or Admin API request failing with an HTTP 500 status code. Detailed discussion of this behavior is available in the online documentation.</td> <td><code class="language-plaintext highlighter-rouge">60000</code></td> </tr> <tr> <td><strong>pg_keepalive_timeout</strong></td> <td>Specify the maximal idle timeout (in ms) for the postgres connections in the pool. If this value is set to 0 then the timeout interval is unlimited. If not specified this value will be same as <code class="language-plaintext highlighter-rouge">lua_socket_keepalive_timeout</code> </td> <td>none</td> </tr> <tr> <td><strong>pg_pool_size</strong></td> <td>Specifies the size limit (in terms of connection count) for the Postgres server. Note that this connection pool is intended per Nginx worker rather than per Kong instance. If not specified, the default value is the same as <code class="language-plaintext highlighter-rouge">lua_socket_pool_size</code> </td> <td>none</td> </tr> <tr> <td><strong>pg_backlog</strong></td> <td>If specified, this value will limit the total number of open connections to the Postgres server to <code class="language-plaintext highlighter-rouge">pg_pool_size</code>. If the connection pool is full, subsequent connect operations will be inserted in a queue with size equal to this option’s value. If the number of queued connect operations reaches <code class="language-plaintext highlighter-rouge">pg_backlog</code>, exceeding connections will fail. If not specified, then number of open connections to the Postgres server is not limited.</td> <td>none</td> </tr> <tr> <td><strong>pg_ro_host</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_host</code>, but for the read-only connection. <strong>Note:</strong> Refer to the documentation section above for detailed usage.</td> <td>none</td> </tr> <tr> <td><strong>pg_ro_port</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_port</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_port&gt;</code></td> </tr> <tr> <td><strong>pg_ro_timeout</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_timeout</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_timeout&gt;</code></td> </tr> <tr> <td><strong>pg_ro_user</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_user</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_user&gt;</code></td> </tr> <tr> <td><strong>pg_ro_password</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_password</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_password&gt;</code></td> </tr> <tr> <td><strong>pg_ro_iam_auth</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_iam_auth</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_iam_auth&gt;</code></td> </tr> <tr> <td><strong>pg_ro_iam_auth_assume_role_arn</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_iam_auth_assume_role_arn</code>, but for the read-only connection.</td> <td>none</td> </tr> <tr> <td><strong>pg_ro_iam_auth_role_session_name</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_iam_auth_role_session_name</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">KongPostgres</code></td> </tr> <tr> <td><strong>pg_ro_iam_auth_sts_endpoint_url</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_iam_auth_sts_endpoint_url</code>, but for the read-only connection.</td> <td>none</td> </tr> <tr> <td><strong>pg_ro_database</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_database</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_database&gt;</code></td> </tr> <tr> <td><strong>pg_ro_schema</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_schema</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_schema&gt;</code></td> </tr> <tr> <td><strong>pg_ro_ssl</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_ssl</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_ssl&gt;</code></td> </tr> <tr> <td><strong>pg_ro_ssl_required</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_ssl_required</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_ssl_required&gt;</code></td> </tr> <tr> <td><strong>pg_ro_ssl_verify</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_ssl_verify</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_ssl_verify&gt;</code></td> </tr> <tr> <td><strong>pg_ro_ssl_version</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_ssl_version</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_ssl_version&gt;</code></td> </tr> <tr> <td><strong>pg_ro_max_concurrent_queries</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_max_concurrent_queries</code>, but for the read-only connection. Note: read-only concurrency is not shared with the main (read-write) connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_max_concurrent_queries&gt;</code></td> </tr> <tr> <td><strong>pg_ro_semaphore_timeout</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_semaphore_timeout</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_semaphore_timeout&gt;</code></td> </tr> <tr> <td><strong>pg_ro_keepalive_timeout</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_keepalive_timeout</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_keepalive_timeout&gt;</code></td> </tr> <tr> <td><strong>pg_ro_pool_size</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_pool_size</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_pool_size&gt;</code></td> </tr> <tr> <td><strong>pg_ro_backlog</strong></td> <td>Same as <code class="language-plaintext highlighter-rouge">pg_backlog</code>, but for the read-only connection.</td> <td><code class="language-plaintext highlighter-rouge">&lt;pg_backlog&gt;</code></td> </tr> </tbody> </table> <h3 id="declarative_config">declarative_config</h3> <p>The path to the declarative configuration file which holds the specification of all entities (routes, services, consumers, etc.) to be used when the <code class="language-plaintext highlighter-rouge">database</code> is set to <code class="language-plaintext highlighter-rouge">off</code>.</p> <p>Entities are stored in Kong’s LMDB cache, so you must ensure that enough headroom is allocated to it via the <code class="language-plaintext highlighter-rouge">lmdb_map_size</code> property.</p> <p>If the hybrid mode <code class="language-plaintext highlighter-rouge">role</code> is set to <code class="language-plaintext highlighter-rouge">data_plane</code> and there’s no configuration cache file, this configuration is used before connecting to the control plane node as a user-controlled fallback.</p> <p><strong>Default:</strong> none</p> <h3 id="declarative_config_string">declarative_config_string</h3> <p>The declarative configuration as a string</p> <p><strong>Default:</strong> none</p> <h3 id="lmdb_environment_path">lmdb_environment_path</h3> <p>Directory where the LMDB database files used by DB-less and hybrid mode to store Kong configurations reside.</p> <p>This path is relative under the Kong <code class="language-plaintext highlighter-rouge">prefix</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">dbless.lmdb</code></p> <h3 id="lmdb_map_size">lmdb_map_size</h3> <p>Maximum size of the LMDB memory map, used to store the DB-less and hybrid mode configurations. Default is 2048m.</p> <p>This config defines the limit of LMDB file size; the actual file size growth will be on-demand and proportional to the actual config size.</p> <p>Note this value can be set very large, say a couple of GBs, to accommodate future database growth and Multi-Version Concurrency Control (MVCC) headroom needs.</p> <p>The file size of the LMDB database file should stabilize after a few config reloads/hybrid mode syncs, and the actual memory used by the LMDB database will be smaller than the file size due to dynamic swapping of database pages by the OS.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">2048m</code></p> <hr> <h2 id="datastore-cache-section">Datastore Cache section</h2> <p>In order to avoid unnecessary communication with the datastore, Kong caches entities (such as APIs, consumers, credentials…) for a configurable period of time. It also handles invalidations if such an entity is updated.</p> <p>This section allows for configuring the behavior of Kong regarding the caching of such configuration entities.</p> <h3 id="db_update_frequency">db_update_frequency</h3> <p>Frequency (in seconds) at which to check for updated entities with the datastore.</p> <p>When a node creates, updates, or deletes an entity via the Admin API, other nodes need to wait for the next poll (configured by this value) to eventually purge the old cached entity and start using the new one.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">5</code></p> <h3 id="db_update_propagation">db_update_propagation</h3> <p>Time (in seconds) taken for an entity in the datastore to be propagated to replica nodes of another datacenter.</p> <p>When set, this property will increase the time taken by Kong to propagate the change of an entity.</p> <p>Single-datacenter setups or PostgreSQL servers should suffer no such delays, and this value can be safely set to 0.</p> <p>Postgres setups with read replicas should set this value to the maximum expected replication lag between the writer and reader instances.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0</code></p> <h3 id="db_cache_ttl">db_cache_ttl</h3> <p>Time-to-live (in seconds) of an entity from the datastore when cached by this node.</p> <p>Database misses (no entity) are also cached according to this setting if you do not configure <code class="language-plaintext highlighter-rouge">db_cache_neg_ttl</code>.</p> <p>If set to 0 (default), such cached entities or misses never expire.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0</code></p> <h3 id="db_cache_neg_ttl">db_cache_neg_ttl</h3> <p>Time-to-live (in seconds) of a datastore miss (no entity).</p> <p>If not specified (default), <code class="language-plaintext highlighter-rouge">db_cache_ttl</code> value will be used instead.</p> <p>If set to 0, misses will never expire.</p> <p><strong>Default:</strong> none</p> <h3 id="db_resurrect_ttl">db_resurrect_ttl</h3> <p>Time (in seconds) for which stale entities from the datastore should be resurrected when they cannot be refreshed (e.g., the datastore is unreachable). When this TTL expires, a new attempt to refresh the stale entities will be made.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">30</code></p> <h3 id="db_cache_warmup_entities">db_cache_warmup_entities</h3> <p>Entities to be pre-loaded from the datastore into the in-memory cache at Kong start-up.</p> <p>This speeds up the first access of endpoints that use the given entities.</p> <p>When the <code class="language-plaintext highlighter-rouge">services</code> entity is configured for warmup, the DNS entries for values in its <code class="language-plaintext highlighter-rouge">host</code> attribute are pre-resolved asynchronously as well.</p> <p>Cache size set in <code class="language-plaintext highlighter-rouge">mem_cache_size</code> should be set to a value large enough to hold all instances of the specified entities.</p> <p>If the size is insufficient, Kong will log a warning.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">services</code></p> <hr> <h2 id="dns-resolver-section">DNS Resolver section</h2> <p>By default, the DNS resolver will use the standard configuration files <code class="language-plaintext highlighter-rouge">/etc/hosts</code> and <code class="language-plaintext highlighter-rouge">/etc/resolv.conf</code>. The settings in the latter file will be overridden by the environment variables <code class="language-plaintext highlighter-rouge">LOCALDOMAIN</code> and <code class="language-plaintext highlighter-rouge">RES_OPTIONS</code> if they have been set.</p> <p>Kong will resolve hostnames as either <code class="language-plaintext highlighter-rouge">SRV</code> or <code class="language-plaintext highlighter-rouge">A</code> records (in that order, and <code class="language-plaintext highlighter-rouge">CNAME</code> records will be dereferenced in the process).</p> <p>In case a name is resolved as an <code class="language-plaintext highlighter-rouge">SRV</code> record, it will also override any given port number with the <code class="language-plaintext highlighter-rouge">port</code> field contents received from the DNS server.</p> <p>The DNS options <code class="language-plaintext highlighter-rouge">SEARCH</code> and <code class="language-plaintext highlighter-rouge">NDOTS</code> (from the <code class="language-plaintext highlighter-rouge">/etc/resolv.conf</code> file) will be used to expand short names to fully qualified ones. So it will first try the entire <code class="language-plaintext highlighter-rouge">SEARCH</code> list for the <code class="language-plaintext highlighter-rouge">SRV</code> type, if that fails it will try the <code class="language-plaintext highlighter-rouge">SEARCH</code> list for <code class="language-plaintext highlighter-rouge">A</code>, etc.</p> <p>For the duration of the <code class="language-plaintext highlighter-rouge">ttl</code>, the internal DNS resolver will load balance each request it gets over the entries in the DNS record. For <code class="language-plaintext highlighter-rouge">SRV</code> records, the <code class="language-plaintext highlighter-rouge">weight</code> fields will be honored, but it will only use the lowest <code class="language-plaintext highlighter-rouge">priority</code> field entries in the record.</p> <h3 id="dns_resolver">dns_resolver</h3> <p>Comma-separated list of nameservers, each entry in <code class="language-plaintext highlighter-rouge">ip[:port]</code> format to be used by Kong. If not specified, the nameservers in the local <code class="language-plaintext highlighter-rouge">resolv.conf</code> file will be used.</p> <p>Port defaults to 53 if omitted. Accepts both IPv4 and IPv6 addresses.</p> <p><strong>Default:</strong> none</p> <h3 id="dns_hostsfile">dns_hostsfile</h3> <p>The hosts file to use. This file is read once and its content is static in memory.</p> <p>To read the file again after modifying it, Kong must be reloaded.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">/etc/hosts</code></p> <h3 id="dns_order">dns_order</h3> <p>The order in which to resolve different record types. The <code class="language-plaintext highlighter-rouge">LAST</code> type means the type of the last successful lookup (for the specified name). The format is a (case insensitive) comma-separated list.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">LAST,SRV,A,CNAME</code></p> <h3 id="dns_valid_ttl">dns_valid_ttl</h3> <p>By default, DNS records are cached using the TTL value of a response. If this property receives a value (in seconds), it will override the TTL for all records.</p> <p><strong>Default:</strong> none</p> <h3 id="dns_stale_ttl">dns_stale_ttl</h3> <p>Defines, in seconds, how long a record will remain in cache past its TTL. This value will be used while the new DNS record is fetched in the background.</p> <p>Stale data will be used from expiry of a record until either the refresh query completes, or the <code class="language-plaintext highlighter-rouge">dns_stale_ttl</code> number of seconds have passed.</p> <p>This configuration enables Kong to be more resilient during resolver downtime.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">3600</code></p> <h3 id="dns_cache_size">dns_cache_size</h3> <p>Defines the maximum allowed number of DNS records stored in memory cache.</p> <p>Least recently used DNS records are discarded from cache if it is full. Both errors and data are cached; therefore, a single name query can easily take up 10-15 slots.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">10000</code></p> <h3 id="dns_not_found_ttl">dns_not_found_ttl</h3> <p>TTL in seconds for empty DNS responses and “(3) name error” responses.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">30</code></p> <h3 id="dns_error_ttl">dns_error_ttl</h3> <p>TTL in seconds for error responses.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">1</code></p> <h3 id="dns_no_sync">dns_no_sync</h3> <p>If enabled, then upon a cache-miss every request will trigger its own DNS query.</p> <p>When disabled, multiple requests for the same name/type will be synchronized to a single query.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <hr> <h2 id="new-dns-resolver-section">New DNS Resolver section</h2> <p>This DNS resolver introduces global caching for DNS records across workers, significantly reducing the query load on DNS servers.</p> <p>It provides observable statistics, you can retrieve them through the Admin API <code class="language-plaintext highlighter-rouge">/status/dns</code>.</p> <h3 id="new_dns_client">new_dns_client</h3> <p>Enable or disable the new DNS resolver</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="resolver_address">resolver_address</h3> <p>Comma-separated list of nameservers, each entry in <code class="language-plaintext highlighter-rouge">ip[:port]</code> format to be used by Kong. If not specified, the nameservers in the local <code class="language-plaintext highlighter-rouge">resolv.conf</code> file will be used.</p> <p>Port defaults to 53 if omitted. Accepts both IPv4 and IPv6 addresses.</p> <p>Examples:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>resolver_address = 8.8.8.8 resolver_address = 8.8.8.8, [::1] resolver_address = 8.8.8.8:53, [::1]:53 </code></pre></div></div> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">&lt;name servers parsed from resolv.conf&gt;</code></p> <h3 id="resolver_hosts_file">resolver_hosts_file</h3> <p>The hosts file to use. This file is read once and its content is static in memory.</p> <p>To read the file again after modifying it, Kong must be reloaded.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">/etc/hosts</code></p> <h3 id="resolver_family">resolver_family</h3> <p>The supported query types.</p> <p>For a domain name, Kong will only query either IP addresses (A or AAAA) or SRV records, but not both.</p> <p>It will query SRV records only when the domain matches the “_<proto>._<service>.<name>" format, for example, "_ldap._tcp.example.com".</name></service></proto></p> <p>For IP addresses (A or AAAA) resolution, it first attempts IPv4 (A) and then queries IPv6 (AAAA).</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">A,SRV</code></p> <h3 id="resolver_valid_ttl">resolver_valid_ttl</h3> <p>By default, DNS records are cached using the TTL value of a response. This optional parameter (in seconds) allows overriding it.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">&lt;TTL from responses&gt;</code></p> <h3 id="resolver_error_ttl">resolver_error_ttl</h3> <p>TTL in seconds for error responses and empty responses.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">1</code></p> <h3 id="resolver_stale_ttl">resolver_stale_ttl</h3> <p>Defines, in seconds, how long a record will remain in cache past its TTL. This value will be used while the new DNS record is fetched in the background.</p> <p>Stale data will be used from expiry of a record until either the refresh query completes, or the <code class="language-plaintext highlighter-rouge">resolver_stale_ttl</code> number of seconds have passed.</p> <p>This configuration enables Kong to be more resilient during the DNS server downtime.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">3600</code></p> <h3 id="resolver_lru_cache_size">resolver_lru_cache_size</h3> <p>The DNS client uses a two-layer cache system: L1 - worker-level LRU Lua VM cache L2 - across-workers shared memory cache</p> <p>This value specifies the maximum allowed number of DNS responses stored in the L1 LRU lua VM cache.</p> <p>A single name query can easily take up 1~10 slots, depending on attempted query types and extended domains from /etc/resolv.conf options <code class="language-plaintext highlighter-rouge">domain</code> or <code class="language-plaintext highlighter-rouge">search</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">10000</code></p> <h3 id="resolver_mem_cache_size">resolver_mem_cache_size</h3> <p>This value specifies the size of the L2 shared memory cache for DNS responses, <code class="language-plaintext highlighter-rouge">kong_dns_cache</code>.</p> <p>Accepted units are <code class="language-plaintext highlighter-rouge">k</code> and <code class="language-plaintext highlighter-rouge">m</code>, with a minimum recommended value of a few MBs.</p> <p>5MB shared memory size could store ~20000 DNS responeses with single A record or ~10000 DNS responeses with 2~3 A records.</p> <p>10MB shared memory size could store ~40000 DNS responeses with single A record or ~20000 DNS responeses with 2~3 A records.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">5m</code></p> <hr> <h2 id="vaults-section">Vaults section</h2> <p>A secret is any sensitive piece of information required for API gateway operations. Secrets may be part of the core Kong Gateway configuration, used in plugins, or part of the configuration associated with APIs serviced by the gateway.</p> <p>Some of the most common types of secrets used by Kong Gateway include:</p> <ul> <li>Data store usernames and passwords, used with PostgreSQL and Redis</li> <li>Private X.509 certificates</li> <li>API keys</li> </ul> <p>Sensitive plugin configuration fields are generally used for authentication, hashing, signing, or encryption. Kong Gateway lets you store certain values in a vault. Here are the vault specific configuration options.</p> <h3 id="vault_env_prefix">vault_env_prefix</h3> <p>Defines the environment variable vault’s default prefix. For example if you have all your secrets stored in environment variables prefixed with <code class="language-plaintext highlighter-rouge">SECRETS_</code>, it can be configured here so that it isn’t necessary to repeat them in Vault references.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_aws_region">vault_aws_region</h3> <p>The AWS region your vault is located in.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_aws_endpoint_url">vault_aws_endpoint_url</h3> <p>The AWS SecretsManager service endpoint url.</p> <p>If not specified, the value used by vault will be the official AWS SecretsManager service url which is <code class="language-plaintext highlighter-rouge">https://secretsmanager.&lt;region&gt;.amazonaws.com</code> You can specify a complete URL(including the “http/https” scheme) to override the endpoint that vault will connect to.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_aws_assume_role_arn">vault_aws_assume_role_arn</h3> <p>The target AWS IAM role ARN that will be assumed. Typically this is used for operating between multiple roles or cross-accounts.</p> <p>If you are not using assume role you should not specify this value.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_aws_role_session_name">vault_aws_role_session_name</h3> <p>The role session name used for role assuming. The default value is <code class="language-plaintext highlighter-rouge">KongVault</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">KongVault</code></p> <h3 class="badge enterprise" id="vault_aws_sts_endpoint_url">vault_aws_sts_endpoint_url</h3> <p>The custom STS endpoint URL used for role assuming in AWS Vault.</p> <p>Note that this value will override the default STS endpoint URL(which should be <code class="language-plaintext highlighter-rouge">https://sts.amazonaws.com</code>, or <code class="language-plaintext highlighter-rouge">https://sts.&lt;region&gt;.amazonaws.com</code> if you have <code class="language-plaintext highlighter-rouge">AWS_STS_REGIONAL_ENDPOINTS</code> set to <code class="language-plaintext highlighter-rouge">regional</code>).</p> <p>If you are not using private VPC endpoint for STS service, you should not specify this value.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_aws_ttl">vault_aws_ttl</h3> <p>Time-to-live (in seconds) of a secret from the AWS vault when cached by this node.</p> <p>AWS vault misses (no secret) are also cached according to this setting if you do not configure <code class="language-plaintext highlighter-rouge">vault_aws_neg_ttl</code>.</p> <p>If set to 0 (default), such cached secrets or misses never expire.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0</code></p> <h3 class="badge enterprise" id="vault_aws_neg_ttl">vault_aws_neg_ttl</h3> <p>Time-to-live (in seconds) of a AWS vault miss (no secret).</p> <p>If not specified (default), <code class="language-plaintext highlighter-rouge">vault_aws_ttl</code> value will be used instead.</p> <p>If set to 0, misses will never expire.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_aws_resurrect_ttl">vault_aws_resurrect_ttl</h3> <p>Time (in seconds) for which stale secrets from the AWS vault should be resurrected for when they cannot be refreshed (e.g., the AWS vault is unreachable). When this TTL expires, a new attempt to refresh the stale secrets will be made.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_gcp_project_id">vault_gcp_project_id</h3> <p>The project ID from your Google API Console.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_gcp_ttl">vault_gcp_ttl</h3> <p>Time-to-live (in seconds) of a secret from the GCP vault when cached by this node.</p> <p>GCP vault misses (no secret) are also cached according to this setting if you do not configure <code class="language-plaintext highlighter-rouge">vault_gcp_neg_ttl</code>.</p> <p>If set to 0 (default), such cached secrets or misses never expire.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0</code></p> <h3 class="badge enterprise" id="vault_gcp_neg_ttl">vault_gcp_neg_ttl</h3> <p>Time-to-live (in seconds) of a AWS vault miss (no secret).</p> <p>If not specified (default), <code class="language-plaintext highlighter-rouge">vault_gcp_ttl</code> value will be used instead.</p> <p>If set to 0, misses will never expire.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_gcp_resurrect_ttl">vault_gcp_resurrect_ttl</h3> <p>Time (in seconds) for which stale secrets from the GCP vault should be resurrected for when they cannot be refreshed (e.g., the GCP vault is unreachable). When this TTL expires, a new attempt to refresh the stale secrets will be made.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_hcv_protocol">vault_hcv_protocol</h3> <p>The protocol to connect with. Accepts one of <code class="language-plaintext highlighter-rouge">http</code> or <code class="language-plaintext highlighter-rouge">https</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">http</code></p> <h3 class="badge enterprise" id="vault_hcv_host">vault_hcv_host</h3> <p>The hostname of your HashiCorp vault.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">127.0.0.1</code></p> <h3 class="badge enterprise" id="vault_hcv_port">vault_hcv_port</h3> <p>The port number of your HashiCorp vault.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">8200</code></p> <h3 class="badge enterprise" id="vault_hcv_namespace">vault_hcv_namespace</h3> <p>Namespace for the HashiCorp Vault. Vault Enterprise requires a namespace to successfully connect to it.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_hcv_mount">vault_hcv_mount</h3> <p>The mount point.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">secret</code></p> <h3 class="badge enterprise" id="vault_hcv_kv">vault_hcv_kv</h3> <p>The secrets engine version. Accepts <code class="language-plaintext highlighter-rouge">v1</code> or <code class="language-plaintext highlighter-rouge">v2</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">v1</code></p> <h3 class="badge enterprise" id="vault_hcv_token">vault_hcv_token</h3> <p>A token string.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_hcv_auth_method">vault_hcv_auth_method</h3> <p>Defines the authentication mechanism when connecting to the Hashicorp Vault service.</p> <p>Accepted values are: <code class="language-plaintext highlighter-rouge">token</code>, <code class="language-plaintext highlighter-rouge">kubernetes</code> or <code class="language-plaintext highlighter-rouge">approle</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">token</code></p> <h3 class="badge enterprise" id="vault_hcv_kube_role">vault_hcv_kube_role</h3> <p>Defines the HashiCorp Vault role for the Kubernetes service account of the running pod. <code class="language-plaintext highlighter-rouge">vault_hcv_auth_method</code> must be set to <code class="language-plaintext highlighter-rouge">kubernetes</code> for this to activate.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_hcv_kube_auth_path">vault_hcv_kube_auth_path</h3> <p>Place where the Kubernetes auth method will be accessible: <code class="language-plaintext highlighter-rouge">/v1/auth/&lt;vault_hcv_kube_auth_path&gt;</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">kubernetes</code></p> <h3 class="badge enterprise" id="vault_hcv_kube_api_token_file">vault_hcv_kube_api_token_file</h3> <p>Defines where the Kubernetes service account token should be read from the pod’s filesystem, if using a non-standard container platform setup.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_hcv_approle_auth_path">vault_hcv_approle_auth_path</h3> <p>Place where the Approle auth method will be accessible: <code class="language-plaintext highlighter-rouge">/v1/auth/&lt;vault_hcv_approle_auth_path&gt;</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">approle</code></p> <h3 class="badge enterprise" id="vault_hcv_approle_role_id">vault_hcv_approle_role_id</h3> <p>The Role ID of the Approle in HashiCorp Vault.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_hcv_approle_secret_id">vault_hcv_approle_secret_id</h3> <p>The Secret ID of the Approle in HashiCorp Vault.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_hcv_approle_secret_id_file">vault_hcv_approle_secret_id_file</h3> <p>Defines where the Secret ID should be read from the pod’s filesystem. This is usually used with HashiCorp Vault’s response wrapping.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_hcv_approle_response_wrapping">vault_hcv_approle_response_wrapping</h3> <p>Defines whether the Secret ID read from configuration or file is actually a response-wrapping token instead of a real Secret ID.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">false</code></p> <h3 class="badge enterprise" id="vault_hcv_ttl">vault_hcv_ttl</h3> <p>Time-to-live (in seconds) of a secret from the HashiCorp vault when cached by this node.</p> <p>HashiCorp vault misses (no secret) are also cached according to this setting if you do not configure <code class="language-plaintext highlighter-rouge">vault_hcv_neg_ttl</code>.</p> <p>If set to 0 (default), such cached secrets or misses never expire.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0</code></p> <h3 class="badge enterprise" id="vault_hcv_neg_ttl">vault_hcv_neg_ttl</h3> <p>Time-to-live (in seconds) of a HashiCorp vault miss (no secret).</p> <p>If not specified (default), <code class="language-plaintext highlighter-rouge">vault_hcv_ttl</code> value will be used instead.</p> <p>If set to 0, misses will never expire.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_hcv_resurrect_ttl">vault_hcv_resurrect_ttl</h3> <p>Time (in seconds) for which stale secrets from the HashiCorp vault should be resurrected for when they cannot be refreshed (e.g., the HashiCorp vault is unreachable). When this TTL expires, a new attempt to refresh the stale secrets will be made.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_azure_vault_uri">vault_azure_vault_uri</h3> <p>The URI the vault is reachable from.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_azure_client_id">vault_azure_client_id</h3> <p>The client ID from your registered Application. Visit your Azure Dashboard and select <em>App Registrations</em> to check your client ID.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_azure_tenant_id">vault_azure_tenant_id</h3> <p>The DirectoryId and TenantId both equate to the GUID representing the ActiveDirectory Tenant. Depending on context, either term may be used by Microsoft documentation and products, which can be confusing. In other words, the “Tenant ID” IS the “Directory ID”</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_azure_type">vault_azure_type</h3> <p>Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data: keys, secrets, and certificates. Kong currently only supports the <code class="language-plaintext highlighter-rouge">Secrets</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">secrets</code></p> <h3 class="badge enterprise" id="vault_azure_ttl">vault_azure_ttl</h3> <p>Time-to-live (in seconds) of a secret from the Azure Key Vault when cached by this node.</p> <p>Key Vault misses (no secret) are also cached according to this setting if you do not configure <code class="language-plaintext highlighter-rouge">vault_azure_neg_ttl</code>.</p> <p>If set to 0 (default), such cached secrets or misses never expire.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0</code></p> <h3 class="badge enterprise" id="vault_azure_neg_ttl">vault_azure_neg_ttl</h3> <p>Time-to-live (in seconds) of a Azure Key Vault miss (no secret).</p> <p>If not specified (default), <code class="language-plaintext highlighter-rouge">vault_azure_ttl</code> value will be used instead.</p> <p>If set to 0, misses will never expire.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="vault_azure_resurrect_ttl">vault_azure_resurrect_ttl</h3> <p>Time (in seconds) for which stale secrets from the Azure Key Vault should be resurrected for when they cannot be refreshed (e.g., the the vault is unreachable). When this TTL expires, a new attempt to refresh the stale secrets will be made.</p> <p><strong>Default:</strong> none</p> <hr> <h2 id="tuning--behavior-section">Tuning &amp; Behavior section</h2> <h3 id="worker_consistency">worker_consistency</h3> <p>Defines whether this node should rebuild its state synchronously or asynchronously (the balancers and the router are rebuilt on updates that affect them, e.g., updates to routes, services, or upstreams via the admin API or loading a declarative configuration file). (This option is deprecated and will be removed in future releases. The new default is <code class="language-plaintext highlighter-rouge">eventual</code>.)</p> <p>Accepted values are:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">strict</code>: the router will be rebuilt synchronously, causing incoming requests to be delayed until the rebuild is finished. (This option is deprecated and will be removed in future releases. The new default is <code class="language-plaintext highlighter-rouge">eventual</code>)</li> <li> <code class="language-plaintext highlighter-rouge">eventual</code>: the router will be rebuilt asynchronously via a recurring background job running every second inside of each worker.</li> </ul> <p>Note that <code class="language-plaintext highlighter-rouge">strict</code> ensures that all workers of a given node will always proxy requests with an identical router, but increased long-tail latency can be observed if frequent routes and services updates are expected.</p> <p>Using <code class="language-plaintext highlighter-rouge">eventual</code> will help prevent long-tail latency issues in such cases, but may cause workers to route requests differently for a short period of time after routes and services updates.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">eventual</code></p> <h3 id="worker_state_update_frequency">worker_state_update_frequency</h3> <p>Defines how often the worker state changes are checked with a background job. When a change is detected, a new router or balancer will be built, as needed. Raising this value will decrease the load on database servers and result in less jitter in proxy latency, but it might take more time to propagate changes to each individual worker.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">5</code></p> <h3 id="router_flavor">router_flavor</h3> <p>Selects the router implementation to use when performing request routing. Incremental router rebuild is available when the flavor is set to either <code class="language-plaintext highlighter-rouge">expressions</code> or <code class="language-plaintext highlighter-rouge">traditional_compatible</code>, which could significantly shorten rebuild time for a large number of routes.</p> <p>Accepted values are:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">traditional_compatible</code>: the DSL-based expression router engine will be used under the hood. However, the router config interface will be the same as <code class="language-plaintext highlighter-rouge">traditional</code>, and expressions are automatically generated at router build time. The <code class="language-plaintext highlighter-rouge">expression</code> field on the <code class="language-plaintext highlighter-rouge">route</code> object is not visible.</li> <li> <code class="language-plaintext highlighter-rouge">expressions</code>: the DSL-based expression router engine will be used under the hood. The traditional router config interface is still visible, and you can also write router Expressions manually and provide them in the <code class="language-plaintext highlighter-rouge">expression</code> field on the <code class="language-plaintext highlighter-rouge">route</code> object.</li> <li> <code class="language-plaintext highlighter-rouge">traditional</code>: the pre-3.0 router engine will be used. The config interface will be the same as pre-3.0 Kong, and the <code class="language-plaintext highlighter-rouge">expression</code> field on the <code class="language-plaintext highlighter-rouge">route</code> object is not visible.</li> </ul> <p>Deprecation warning: In Kong 3.0, <code class="language-plaintext highlighter-rouge">traditional</code> mode should be avoided and only be used if <code class="language-plaintext highlighter-rouge">traditional_compatible</code> does not work as expected.</p> <p>This flavor of the router will be removed in the next major release of Kong.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">traditional_compatible</code></p> <h3 id="lua_max_req_headers">lua_max_req_headers</h3> <p>Maximum number of request headers to parse by default.</p> <p>This argument can be set to an integer between 1 and 1000.</p> <p>When proxying, Kong sends all the request headers, and this setting does not have any effect. It is used to limit Kong and its plugins from reading too many request headers.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">100</code></p> <h3 id="lua_max_resp_headers">lua_max_resp_headers</h3> <p>Maximum number of response headers to parse by default.</p> <p>This argument can be set to an integer between 1 and 1000.</p> <p>When proxying, Kong returns all the response headers, and this setting does not have any effect. It is used to limit Kong and its plugins from reading too many response headers.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">100</code></p> <h3 id="lua_max_uri_args">lua_max_uri_args</h3> <p>Maximum number of request URI arguments to parse by default.</p> <p>This argument can be set to an integer between 1 and 1000.</p> <p>When proxying, Kong sends all the request query arguments, and this setting does not have any effect.</p> <p>It is used to limit Kong and its plugins from reading too many query arguments.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">100</code></p> <h3 id="lua_max_post_args">lua_max_post_args</h3> <p>Maximum number of request post arguments to parse by default.</p> <p>This argument can be set to an integer between 1 and 1000.</p> <p>When proxying, Kong sends all the request post arguments, and this setting does not have any effect.</p> <p>It is used to limit Kong and its plugins from reading too many post arguments.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">100</code></p> <hr> <h2 id="miscellaneous-section">Miscellaneous section</h2> <p>Additional settings inherited from lua-nginx-module allowing for more flexibility and advanced usage.</p> <p>See the lua-nginx-module documentation for more information: https://github.com/openresty/lua-nginx-module</p> <h3 id="lua_ssl_trusted_certificate">lua_ssl_trusted_certificate</h3> <p>Comma-separated list of certificate authorities for Lua cosockets in PEM format.</p> <p>The special value <code class="language-plaintext highlighter-rouge">system</code> attempts to search for the “usual default” provided by each distro, according to an arbitrary heuristic. In the current implementation, the following pathnames will be tested in order, and the first one found will be used:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">/etc/ssl/certs/ca-certificates.crt</code> (Debian/Ubuntu/Gentoo)</li> <li> <code class="language-plaintext highlighter-rouge">/etc/pki/tls/certs/ca-bundle.crt</code> (Fedora/RHEL 6)</li> <li> <code class="language-plaintext highlighter-rouge">/etc/ssl/ca-bundle.pem</code> (OpenSUSE)</li> <li> <code class="language-plaintext highlighter-rouge">/etc/pki/tls/cacert.pem</code> (OpenELEC)</li> <li> <code class="language-plaintext highlighter-rouge">/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem</code> (CentOS/RHEL 7)</li> <li> <code class="language-plaintext highlighter-rouge">/etc/ssl/cert.pem</code> (OpenBSD, Alpine)</li> </ul> <p><code class="language-plaintext highlighter-rouge">system</code> can be used by itself or in conjunction with other CA file paths.</p> <p>When <code class="language-plaintext highlighter-rouge">pg_ssl_verify</code> is enabled, these certificate authority files will be used for verifying Kong’s database connections.</p> <p>Certificates can be configured on this property with any of the following values:</p> <ul> <li><code class="language-plaintext highlighter-rouge">system</code></li> <li>absolute path to the certificate</li> <li>certificate content</li> <li>base64 encoded certificate content</li> </ul> <p>See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">system</code></p> <h3 id="lua_ssl_verify_depth">lua_ssl_verify_depth</h3> <p>Sets the verification depth in the server certificates chain used by Lua cosockets, set by <code class="language-plaintext highlighter-rouge">lua_ssl_trusted_certificate</code>.</p> <p>This includes the certificates configured for Kong’s database connections.</p> <p>If the maximum depth is reached before reaching the end of the chain, verification will fail. This helps mitigate certificate based DoS attacks.</p> <p>See https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">1</code></p> <h3 id="lua_ssl_protocols">lua_ssl_protocols</h3> <p>Defines the TLS versions supported when handshaking with OpenResty’s TCP cosocket APIs.</p> <p>This affects connections made by Lua code, such as connections to the database Kong uses, or when sending logs using a logging plugin. It does <em>not</em> affect connections made to the upstream Service or from downstream clients.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">TLSv1.2 TLSv1.3</code></p> <h3 id="lua_package_path">lua_package_path</h3> <p>Sets the Lua module search path (LUA_PATH). Useful when developing or using custom plugins not stored in the default search path.</p> <p>See https://github.com/openresty/lua-nginx-module#lua_package_path</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">./?.lua;./?/init.lua;</code></p> <h3 id="lua_package_cpath">lua_package_cpath</h3> <p>Sets the Lua C module search path (LUA_CPATH).</p> <p>See https://github.com/openresty/lua-nginx-module#lua_package_cpath</p> <p><strong>Default:</strong> none</p> <h3 id="lua_socket_pool_size">lua_socket_pool_size</h3> <p>Specifies the size limit for every cosocket connection pool associated with every remote server.</p> <p>See https://github.com/openresty/lua-nginx-module#lua_socket_pool_size</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">256</code></p> <h3 class="badge enterprise" id="enforce_rbac">enforce_rbac</h3> <p>Specifies whether Admin API RBAC is enforced.</p> <p>Accepts one of <code class="language-plaintext highlighter-rouge">entity</code>, <code class="language-plaintext highlighter-rouge">both</code>, <code class="language-plaintext highlighter-rouge">on</code>, or <code class="language-plaintext highlighter-rouge">off</code>.</p> <ul> <li> <code class="language-plaintext highlighter-rouge">on</code>: only endpoint-level authorization is enforced.</li> <li> <code class="language-plaintext highlighter-rouge">entity</code>: entity-level authorization applies.</li> <li> <code class="language-plaintext highlighter-rouge">both</code>: enables both endpoint and entity-level authorization.</li> <li> <code class="language-plaintext highlighter-rouge">off</code>: disables both endpoint and entity-level authorization.</li> </ul> <p>When enabled, Kong will deny requests to the Admin API when a nonexistent or invalid RBAC authorization token is passed, or the RBAC user with which the token is associated does not have permissions to access/modify the requested resource.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 class="badge enterprise" id="rbac_auth_header">rbac_auth_header</h3> <p>Defines the name of the HTTP request header from which the Admin API will attempt to authenticate the RBAC user.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">Kong-Admin-Token</code></p> <h3 class="badge enterprise" id="event_hooks_enabled">event_hooks_enabled</h3> <p>When enabled, event hook entities represent a relationship between an event (source and event) and an action (handler). Similar to web hooks, event hooks can be used to communicate Kong Gateway service events. When a particular event happens on a service, the event hook calls a URL with information about that event. Event hook configurations differ depending on the handler. The events that are triggered send associated data.</p> <p>See: https://docs.konghq.com/gateway/api/admin-ee/latest/#/Event-hooks/get-event-hooks</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">on</code></p> <h3 id="fips">fips</h3> <p>Turn on FIPS mode; this mode is only available on a FIPS build.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <hr> <h2 id="kong-manager-section">Kong Manager section</h2> <p>The Admin GUI for Kong Enterprise.</p> <h3 id="admin_gui_listen">admin_gui_listen</h3> <p>Kong Manager Listeners</p> <p>Comma-separated list of addresses and ports on which Kong will expose Kong Manager. This web application lets you configure and manage Kong, and therefore should be kept secured.</p> <p>Suffixes can be specified for each pair, similarly to the <code class="language-plaintext highlighter-rouge">admin_listen</code> directive.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0.0.0.0:8002, 0.0.0.0:8445 ssl</code></p> <h3 id="admin_gui_url">admin_gui_url</h3> <p>Kong Manager URL</p> <p>The lookup, or balancer, address for Kong Manager.</p> <p>Accepted format (items in parentheses are optional):</p> <p><code class="language-plaintext highlighter-rouge">&lt;scheme&gt;://&lt;IP / HOSTNAME&gt;(:&lt;PORT&gt;)</code></p> <p>Examples:</p> <ul> <li><code class="language-plaintext highlighter-rouge">http://127.0.0.1:8003</code></li> <li><code class="language-plaintext highlighter-rouge">https://kong-admin.test</code></li> <li><code class="language-plaintext highlighter-rouge">http://dev-machine</code></li> </ul> <p>By default, Kong Manager will use the window request host and append the resolved listener port depending on the requested protocol.</p> <p><strong>Default:</strong> none</p> <h3 id="admin_gui_path">admin_gui_path</h3> <p>Kong Manager base path</p> <p>This configuration parameter allows the user to customize the path prefix where Kong Manager is served. When updating this parameter, it’s recommended to update the path in <code class="language-plaintext highlighter-rouge">admin_gui_url</code> as well.</p> <p>Accepted format:</p> <ul> <li>Path must start with a <code class="language-plaintext highlighter-rouge">/</code> </li> <li>Path must not end with a <code class="language-plaintext highlighter-rouge">/</code> (except for the <code class="language-plaintext highlighter-rouge">/</code>)</li> <li>Path can only contain letters, digits, hyphens (<code class="language-plaintext highlighter-rouge">-</code>),</li> </ul> <p>underscores (<code class="language-plaintext highlighter-rouge">_</code>), and slashes (<code class="language-plaintext highlighter-rouge">/</code>)</p> <ul> <li>Path must not contain continuous slashes (e.g., <code class="language-plaintext highlighter-rouge">//</code> and <code class="language-plaintext highlighter-rouge">///</code>)</li> </ul> <p>Examples:</p> <ul> <li><code class="language-plaintext highlighter-rouge">/</code></li> <li><code class="language-plaintext highlighter-rouge">/manager</code></li> <li><code class="language-plaintext highlighter-rouge">/kong-manager</code></li> <li><code class="language-plaintext highlighter-rouge">/kong/manager</code></li> </ul> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">/</code></p> <h3 class="badge free" id="admin_gui_api_url">admin_gui_api_url</h3> <p>Hierarchical part of a URI which is composed optionally of a host, port, and path at which the Admin API accepts HTTP or HTTPS traffic. When this config is disabled, Kong Manager will use the window protocol + host and append the resolved admin_listen HTTP/HTTPS port.</p> <p><strong>Default:</strong> none</p> <h3 class="badge free" id="admin_gui_ssl_protocols">admin_gui_ssl_protocols</h3> <p>Defines the TLS versions supported for Kong Manager</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">TLSv1.2 TLSv1.3</code></p> <h3 id="admin_gui_ssl_cert">admin_gui_ssl_cert</h3> <p>The SSL certificate for <code class="language-plaintext highlighter-rouge">admin_gui_listen</code> values with SSL enabled.</p> <p>values:</p> <ul> <li>absolute path to the certificate</li> <li>certificate content</li> <li>base64 encoded certificate content</li> </ul> <p><strong>Default:</strong> none</p> <h3 id="admin_gui_ssl_cert_key">admin_gui_ssl_cert_key</h3> <p>The SSL key for <code class="language-plaintext highlighter-rouge">admin_gui_listen</code> values with SSL enabled.</p> <p>values:</p> <ul> <li>absolute path to the certificate key</li> <li>certificate key content</li> <li>base64 encoded certificate key content</li> </ul> <p><strong>Default:</strong> none</p> <h3 class="badge free" id="admin_gui_flags">admin_gui_flags</h3> <p>Alters the layout Admin GUI (JSON) to enable Kong Immunity in the Admin GUI.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">{}</code></p> <h3 id="admin_gui_access_log">admin_gui_access_log</h3> <p>Kong Manager Access Logs</p> <p>Here you can set an absolute or relative path for Kong Manager access logs. When the path is relative, logs are placed in the <code class="language-plaintext highlighter-rouge">prefix</code> location.</p> <p>Setting this value to <code class="language-plaintext highlighter-rouge">off</code> disables access logs for Kong Manager.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/admin_gui_access.log</code></p> <h3 id="admin_gui_error_log">admin_gui_error_log</h3> <p>Kong Manager Error Logs</p> <p>Here you can set an absolute or relative path for Kong Manager access logs. When the path is relative, logs are placed in the <code class="language-plaintext highlighter-rouge">prefix</code> location.</p> <p>Setting this value to <code class="language-plaintext highlighter-rouge">off</code> disables error logs for Kong Manager.</p> <p>Granularity can be adjusted through the <code class="language-plaintext highlighter-rouge">log_level</code> directive.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">logs/admin_gui_error.log</code></p> <h3 class="badge enterprise" id="admin_gui_auth">admin_gui_auth</h3> <p>Kong Manager Authentication Plugin Name</p> <p>Secures access to Kong Manager by specifying an authentication plugin to use.</p> <p>Supported Plugins:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">basic-auth</code>: Basic Authentication plugin</li> <li> <code class="language-plaintext highlighter-rouge">ldap-auth-advanced</code>: LDAP Authentication plugin</li> <li> <code class="language-plaintext highlighter-rouge">openid-connect</code>: OpenID Connect Authentication plugin</li> </ul> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="admin_gui_auth_conf">admin_gui_auth_conf</h3> <p>Kong Manager Authentication Plugin Config (JSON)</p> <p>Specifies the configuration for the authentication plugin specified in <code class="language-plaintext highlighter-rouge">admin_gui_auth</code>.</p> <p>For information about Plugin Configuration consult the associated plugin documentation.</p> <p>Example for <code class="language-plaintext highlighter-rouge">basic-auth</code>:</p> <p><code class="language-plaintext highlighter-rouge">admin_gui_auth_conf = { "hide_credentials": true }</code></p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="admin_gui_auth_password_complexity">admin_gui_auth_password_complexity</h3> <p>Kong Manager Authentication Password Complexity (JSON)</p> <p>When <code class="language-plaintext highlighter-rouge">admin_gui_auth = basic-auth</code>, this property defines the rules required for Kong Manager passwords. Choose from preset rules or write your own.</p> <p>Example using preset rules:</p> <p><code class="language-plaintext highlighter-rouge">admin_gui_auth_password_complexity = { "kong-preset": "min_8" }</code></p> <p>All values for kong-preset require the password to contain characters from at least three of the following categories:</p> <ol> <li> <p>Uppercase characters (A through Z)</p> </li> <li> <p>Lowercase characters (a through z)</p> </li> <li> <p>Base-10 digits (0 through 9)</p> </li> <li> <p>Special characters (for example, &amp;, $, #, %)</p> </li> </ol> <p>Supported preset rules:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">min_8</code>: minimum length of 8</li> <li> <code class="language-plaintext highlighter-rouge">min_12</code>: minimum length of 12</li> <li> <code class="language-plaintext highlighter-rouge">min_20</code>: minimum length of 20</li> </ul> <p>To write your own rules, see https://manpages.debian.org/jessie/passwdqc/passwdqc.conf.5.en.html.</p> <p>NOTE: Only keywords “min”, “max” and “passphrase” are supported.</p> <p>Example:</p> <p><code class="language-plaintext highlighter-rouge">admin_gui_auth_password_complexity = { "min": "disabled,24,11,9,8" }</code></p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="admin_gui_session_conf">admin_gui_session_conf</h3> <p>Kong Manager Session Config (JSON)</p> <p>Specifies the configuration for the Session plugin as used by Kong Manager.</p> <p>For information about plugin configuration, consult the Kong Session plugin documentation.</p> <p>Example:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>admin_gui_session_conf = { "cookie_name": "kookie", \ "secret": "changeme" } </code></pre></div></div> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="admin_gui_auth_header">admin_gui_auth_header</h3> <p>Defines the name of the HTTP request header from which the Admin API will attempt to identify the Kong Admin user.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">Kong-Admin-User</code></p> <h3 class="badge enterprise" id="admin_gui_auth_login_attempts">admin_gui_auth_login_attempts</h3> <p>Number of times a user can attempt to login to Kong Manager. 0 means infinite attempts allowed.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0</code></p> <h3 class="badge enterprise" id="admin_gui_auth_change_password_attempts">admin_gui_auth_change_password_attempts</h3> <p>Number of times a user can attempt to change password.</p> <p>0 means infinite attempts allowed.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">0</code></p> <h3 class="badge enterprise" id="admin_gui_auth_change_password_ttl">admin_gui_auth_change_password_ttl</h3> <p>Length, in seconds, of the TTL for changing password attempts records. Records in the database older than their TTL are automatically purged.</p> <p>Example, 1 days: <code class="language-plaintext highlighter-rouge">1 * 24 * 60 * 60 = 86400.</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">86400</code></p> <h3 class="badge free" id="admin_gui_header_txt">admin_gui_header_txt</h3> <p>Sets the text for the Kong Manager header banner.</p> <p>Header banner is not shown if this config is empty.</p> <p><strong>Default:</strong> none</p> <h3 class="badge free" id="admin_gui_header_bg_color">admin_gui_header_bg_color</h3> <p>Sets the background color for the Kong Manager header banner.</p> <p>Accepts CSS color keyword, #-hexadecimal, or RGB format. Invalid values are ignored by Manager.</p> <p><strong>Default:</strong> none</p> <h3 class="badge free" id="admin_gui_header_txt_color">admin_gui_header_txt_color</h3> <p>Sets the text color for the Kong Manager header banner.</p> <p>Accepts CSS color keyword, #-hexadecimal, or RGB format. Invalid values are ignored by Kong Manager.</p> <p><strong>Default:</strong> none</p> <h3 class="badge free" id="admin_gui_footer_txt">admin_gui_footer_txt</h3> <p>Sets the text for the Kong Manager footer banner. Footer banner is not shown if this config is empty.</p> <p><strong>Default:</strong> none</p> <h3 class="badge free" id="admin_gui_footer_bg_color">admin_gui_footer_bg_color</h3> <p>Sets the background color for the Kong Manager footer banner.</p> <p>Accepts CSS color keyword, #-hexadecimal, or RGB format. Invalid values are ignored by manager.</p> <p><strong>Default:</strong> none</p> <h3 class="badge free" id="admin_gui_footer_txt_color">admin_gui_footer_txt_color</h3> <p>Sets the text color for the Kong Manager footer banner.</p> <p>Accepts CSS color keyword, #-hexadecimal, or RGB format. Invalid values are ignored by Kong Manager.</p> <p><strong>Default:</strong> none</p> <h3 class="badge free" id="admin_gui_login_banner_title">admin_gui_login_banner_title</h3> <p>Sets the title text for the Kong Manager login banner.</p> <p>Login banner is not shown if both <code class="language-plaintext highlighter-rouge">admin_gui_login_banner_title</code> and <code class="language-plaintext highlighter-rouge">admin_gui_login_banner_body</code> are empty.</p> <p><strong>Default:</strong> none</p> <h3 class="badge free" id="admin_gui_login_banner_body">admin_gui_login_banner_body</h3> <p>Sets the body text for the Kong Manager login banner.</p> <p>Login banner is not shown if both <code class="language-plaintext highlighter-rouge">admin_gui_login_banner_title</code> and <code class="language-plaintext highlighter-rouge">admin_gui_login_banner_body</code> are empty.</p> <p><strong>Default:</strong> none</p> <hr> <h2 id="konnect-section">Konnect section</h2> <h3 id="konnect_mode">konnect_mode</h3> <p>When enabled, the dataplane is connected to Konnect</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <hr> <h2 id="analytics-for-konnect-section">Analytics For Konnect section</h2> <h3 id="analytics_flush_interval">analytics_flush_interval</h3> <p>Specify the maximum frequency, in seconds, at which local analytics and licensing data are flushed to the database or Konnect, depending on the installation mode.</p> <p>Kong also triggers a flush when the number of messages in the buffer is less than <code class="language-plaintext highlighter-rouge">analytics_buffer_size_limit</code>, regardless of whether the specified time interval has elapsed.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">1</code></p> <h3 id="analytics_buffer_size_limit">analytics_buffer_size_limit</h3> <p>Max number of messages can be buffered locally before dropping data in case there is no network connection to Konnect.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">100000</code></p> <h3 id="analytics_debug">analytics_debug</h3> <p>Outputs analytics payload to Kong logs.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <hr> <h2 id="admin-smtp-configuration-section">Admin Smtp Configuration section</h2> <h3 class="badge enterprise" id="admin_emails_from">admin_emails_from</h3> <p>The email address for the <code class="language-plaintext highlighter-rouge">From</code> header for admin emails.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">""</code></p> <h3 class="badge enterprise" id="admin_emails_reply_to">admin_emails_reply_to</h3> <p>Email address for the <code class="language-plaintext highlighter-rouge">Reply-To</code> header for admin emails.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="admin_invitation_expiry">admin_invitation_expiry</h3> <p>Expiration time for the admin invitation link (in seconds). 0 means no expiration.</p> <p>Example, 72 hours: <code class="language-plaintext highlighter-rouge">72 * 60 * 60 = 259200</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">259200</code></p> <hr> <h2 id="general-smtp-configuration-section">General Smtp Configuration section</h2> <h3 class="badge enterprise" id="smtp_mock">smtp_mock</h3> <p>This flag will mock the sending of emails. This can be used for testing before the SMTP client is fully configured.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">on</code></p> <h3 class="badge enterprise" id="smtp_host">smtp_host</h3> <p>The hostname of the SMTP server to connect to.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">localhost</code></p> <h3 class="badge enterprise" id="smtp_port">smtp_port</h3> <p>The port number on the SMTP server to connect to.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">25</code></p> <h3 class="badge enterprise" id="smtp_starttls">smtp_starttls</h3> <p>When set to <code class="language-plaintext highlighter-rouge">on</code>, STARTTLS is used to encrypt communication with the SMTP server. This is normally used in conjunction with port 587.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 class="badge enterprise" id="smtp_username">smtp_username</h3> <p>Username used for authentication with SMTP server</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="smtp_password">smtp_password</h3> <p>Password used for authentication with SMTP server</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="smtp_ssl">smtp_ssl</h3> <p>When set to <code class="language-plaintext highlighter-rouge">on</code>, SMTPS is used to encrypt communication with the SMTP server. This is normally used in conjunction with port 465.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 class="badge enterprise" id="smtp_auth_type">smtp_auth_type</h3> <p>The method used to authenticate with the SMTP server Valid options are <code class="language-plaintext highlighter-rouge">plain</code>, <code class="language-plaintext highlighter-rouge">login</code>, or <code class="language-plaintext highlighter-rouge">nil</code></p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="smtp_domain">smtp_domain</h3> <p>The domain used in the <code class="language-plaintext highlighter-rouge">EHLO</code> connection and part of the <code class="language-plaintext highlighter-rouge">Message-ID</code> header</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">localhost.localdomain</code></p> <h3 class="badge enterprise" id="smtp_timeout_connect">smtp_timeout_connect</h3> <p>The timeout (in milliseconds) for connecting to the SMTP server.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">60000</code></p> <h3 class="badge enterprise" id="smtp_timeout_send">smtp_timeout_send</h3> <p>The timeout (in milliseconds) for sending data to the SMTP server.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">60000</code></p> <h3 class="badge enterprise" id="smtp_timeout_read">smtp_timeout_read</h3> <p>The timeout (in milliseconds) for reading data from the SMTP server.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">60000</code></p> <h3 class="badge enterprise" id="smtp_admin_emails">smtp_admin_emails</h3> <p>Comma separated list of admin emails to receive notifications.</p> <p>Example <code class="language-plaintext highlighter-rouge">admin1@example.com, admin2@example.com</code></p> <p><strong>Default:</strong> none</p> <hr> <h2 id="data--admin-audit-section">Data &amp; Admin Audit section</h2> <p>When enabled, Kong will store detailed audit data regarding Admin API and database access. In most cases, updates to the database are associated with Admin API requests. As such, database object audit log data is tied to a given HTTP request via a unique identifier, providing built-in association of Admin API and database traffic.</p> <h3 id="audit_log">audit_log</h3> <p>When enabled, Kong will log information about Admin API access and database row insertions, updates, and deletions.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="audit_log_ignore_methods">audit_log_ignore_methods</h3> <p>Comma-separated list of HTTP methods that will not generate audit log entries. By default, all HTTP requests will be logged.</p> <p><strong>Default:</strong> none</p> <h3 id="audit_log_ignore_paths">audit_log_ignore_paths</h3> <p>Comma-separated list of request paths that will not generate audit log entries. By default, all HTTP requests will be logged.</p> <p><strong>Default:</strong> none</p> <h3 id="audit_log_ignore_tables">audit_log_ignore_tables</h3> <p>Comma-separated list of database tables that will not generate audit log entries. By default, updates to all database tables will be logged (the term “updates” refers to the creation, update, or deletion of a row).</p> <p><strong>Default:</strong> none</p> <h3 id="audit_log_payload_exclude">audit_log_payload_exclude</h3> <p>Comma-separated list of keys that will be filtered out of the payload. Keys that were filtered will be recorded in the audit log.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">token, secret, password</code></p> <h3 id="audit_log_record_ttl">audit_log_record_ttl</h3> <p>Length, in seconds, of the TTL for audit log records. Records in the database older than their TTL are automatically purged.</p> <p>Example, 30 days: <code class="language-plaintext highlighter-rouge">30 * 24 * 60 * 60 = 2592000</code></p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">2592000</code></p> <h3 id="audit_log_signing_key">audit_log_signing_key</h3> <p>Defines the path to a private RSA signing key that can be used to insert a signature of audit records, adjacent to the record. The corresponding public key should be stored offline, and can be used to validate audit entries in the future. If this value is undefined, no signature will be generated.</p> <p><strong>Default:</strong> none</p> <hr> <h2 id="route-collision-detectionprevention-section">Route Collision Detection/Prevention section</h2> <h3 class="badge enterprise" id="route_validation_strategy">route_validation_strategy</h3> <p>The strategy used to validate routes when creating or updating them.</p> <p>Different strategies are available to tune how to enforce splitting traffic of workspaces.</p> <ul> <li> <code class="language-plaintext highlighter-rouge">smart</code> is the default option and uses the algorithm described in https://docs.konghq.com/gateway/latest/kong-enterprise/workspaces/.</li> <li> <code class="language-plaintext highlighter-rouge">off</code> disables any check.</li> <li> <code class="language-plaintext highlighter-rouge">path</code> enforces routes to comply with the pattern described in config <code class="language-plaintext highlighter-rouge">enforce_route_path_pattern</code>.</li> <li> <code class="language-plaintext highlighter-rouge">static</code> relies on the PostgreSQL database.</li> </ul> <p>Before creating a new route, it checks if the route is unique across all workspaces based on the following params: <code class="language-plaintext highlighter-rouge">paths</code>, <code class="language-plaintext highlighter-rouge">methods</code>, and <code class="language-plaintext highlighter-rouge">hosts</code>. If all fields of the new route overlap with an existing one, a 409 is returned with the route of the collision. The array order is not important for the overlap filter.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">smart</code></p> <h3 class="badge enterprise" id="enforce_route_path_pattern">enforce_route_path_pattern</h3> <p>Specifies the Lua pattern which will be enforced on the <code class="language-plaintext highlighter-rouge">paths</code> attribute of a route object. You can also add a placeholder for the workspace in the pattern, which will be rendered during runtime based on the workspace to which the <code class="language-plaintext highlighter-rouge">route</code> belongs.</p> <p>This setting is only relevant if <code class="language-plaintext highlighter-rouge">route_validation_strategy</code> is set to <code class="language-plaintext highlighter-rouge">path</code>.</p> <p>Example For Pattern <code class="language-plaintext highlighter-rouge">/$(workspace)/v%d/.*</code> valid paths are:</p> <ol> <li> <p><code class="language-plaintext highlighter-rouge">/group1/v1/</code> if route belongs to workspace <code class="language-plaintext highlighter-rouge">group1</code>.</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">/group2/v1/some_path</code> if route belongs to workspace <code class="language-plaintext highlighter-rouge">group2</code>.</p> </li> </ol> <p><strong>Default:</strong> none</p> <hr> <h2 id="database-encryption--keyring-management-section">Database Encryption &amp; Keyring Management section</h2> <p>When enabled, Kong will transparently encrypt sensitive fields, such as consumer credentials, TLS private keys, and RBAC user tokens, among others. A full list of encrypted fields is available from the Kong Enterprise documentation site.</p> <p>Encrypted data is transparently decrypted before being displayed to the Admin API or made available to plugins or core routing logic.</p> <p>While this feature is GA, do note that we currently do not provide normal semantic versioning compatibility guarantees on the keyring feature’s APIs in that Kong may make a breaking change to the feature in a minor version. Also note that mismanagement of keyring data may result in irrecoverable data loss.</p> <h3 class="badge enterprise" id="keyring_enabled">keyring_enabled</h3> <p>When enabled, Kong will encrypt sensitive field values before writing them to the database, and subsequently decrypt them when retrieving data for the Admin API, Developer Portal, or proxy business logic. Symmetric encryption keys are managed based on the strategy defined below.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 class="badge enterprise" id="keyring_strategy">keyring_strategy</h3> <p>Defines the strategy implementation by which Kong nodes will manage symmetric encryption keys. Please see the Kong Enterprise documentation for a detailed description of each strategy. Acceptable values for this option are <code class="language-plaintext highlighter-rouge">cluster</code> and <code class="language-plaintext highlighter-rouge">vault</code>.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">cluster</code></p> <h3 class="badge enterprise" id="keyring_public_key">keyring_public_key</h3> <p>Defines the public key of an RSA keypair.</p> <p>This keypair is used for symmetric keyring import/export, e.g., for disaster recovery and optional bootstrapping.</p> <p>Values:</p> <ul> <li>absolute path to the public key</li> <li>public key content</li> <li>base64 encoded public key content</li> </ul> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="keyring_private_key">keyring_private_key</h3> <p>Defines the private key of an RSA keypair.</p> <p>This keypair is used for symmetric keyring import/export, e.g., for disaster recovery and optional bootstrapping.</p> <p>Values:</p> <ul> <li>absolute path to the private key</li> <li>private key content</li> <li>base64 encoded private key content</li> </ul> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="keyring_recovery_public_key">keyring_recovery_public_key</h3> <p>Defines the public key to optionally encrypt all keyring materials and back them up in the database.</p> <p>Values:</p> <ul> <li>absolute path to the public key</li> <li>public key content</li> <li>base64 encoded public key content</li> </ul> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="keyring_blob_path">keyring_blob_path</h3> <p>Defines the filesystem path at which Kong will back up the initial keyring material.</p> <p>This option is useful largely for development purposes.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="keyring_vault_host">keyring_vault_host</h3> <p>Defines the Vault host at which Kong will fetch the encryption material. This value should be defined in the format:</p> <p><code class="language-plaintext highlighter-rouge">&lt;scheme&gt;://&lt;IP / HOSTNAME&gt;:&lt;PORT&gt;</code></p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="keyring_vault_mount">keyring_vault_mount</h3> <p>Defines the name of the Vault v2 KV secrets engine at which symmetric keys are found.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="keyring_vault_path">keyring_vault_path</h3> <p>Defines the name of the Vault v2 KV path at which symmetric keys are found.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="keyring_vault_auth_method">keyring_vault_auth_method</h3> <p>Defines the authentication mechanism when connecting to the Hashicorp Vault service.</p> <p>Accepted values are: <code class="language-plaintext highlighter-rouge">token</code>, or <code class="language-plaintext highlighter-rouge">kubernetes</code>:</p> <ul> <li> <p><code class="language-plaintext highlighter-rouge">token</code>: Uses the static token defined in the <code class="language-plaintext highlighter-rouge">keyring_vault_token</code> configuration property.</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">kubernetes</code>: Uses the Kubernetes authentication mechanism, with the running pod’s mapped service account, to assume the Hashicorp Vault role name that is defined in the <code class="language-plaintext highlighter-rouge">keyring_vault_kube_role</code> configuration property.</p> </li> </ul> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">token</code></p> <h3 class="badge enterprise" id="keyring_vault_token">keyring_vault_token</h3> <p>Defines the token value used to communicate with the v2 KV Vault HTTP(S) API.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="keyring_vault_kube_role">keyring_vault_kube_role</h3> <p>Defines the Hashicorp Vault role that will be assumed using the Kubernetes service account of the running pod.</p> <p><code class="language-plaintext highlighter-rouge">keyring_vault_auth_method</code> must be set to <code class="language-plaintext highlighter-rouge">kubernetes</code> for this to activate.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">default</code></p> <h3 class="badge enterprise" id="keyring_vault_kube_api_token_file">keyring_vault_kube_api_token_file</h3> <p>Defines where the Kubernetes service account token should be read from the pod’s filesystem, if using a non-standard container platform setup.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">/run/secrets/kubernetes.io/serviceaccount/token</code></p> <h3 class="badge enterprise" id="keyring_encrypt_license">keyring_encrypt_license</h3> <p>Enables keyring encryption for license payloads stored in the database.</p> <p><strong>Warning:</strong> For Kong deployments that rely entirely on the database for license provisioning (i.e. not using <code class="language-plaintext highlighter-rouge">KONG_LICENSE_DATA</code> or <code class="language-plaintext highlighter-rouge">KONG_LICENSE_PATH</code>), enabling this option will delay license activation until after the node’s keyring has been activated.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="untrusted_lua">untrusted_lua</h3> <p>Controls loading of Lua functions from admin-supplied sources such as the Admin API. LuaJIT bytecode loading is always disabled.</p> <p><strong>Warning:</strong> LuaJIT is not designed as a secure runtime for running malicious code, therefore you should properly protect your Admin API endpoint even with sandboxing enabled. The sandbox only provides protection against trivial attackers or unintentional modification of the Kong global environment.</p> <p>Accepted values are: <code class="language-plaintext highlighter-rouge">off</code>, <code class="language-plaintext highlighter-rouge">sandbox</code>, or <code class="language-plaintext highlighter-rouge">on</code>:</p> <ul> <li> <p><code class="language-plaintext highlighter-rouge">off</code>: Disallow loading of any arbitrary Lua functions. The <code class="language-plaintext highlighter-rouge">off</code> option disables any functionality that runs arbitrary Lua code, including the Serverless Functions plugins and any transformation plugin that allows custom Lua functions.</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">sandbox</code>: Allow loading of Lua functions, but use a sandbox when executing them. The sandboxed function has restricted access to the global environment and only has access to standard Lua functions that will generally not cause harm to the Kong Gateway node.</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">on</code>: Functions have unrestricted access to the global environment and can load any Lua modules. This is similar to the behavior in Kong Gateway prior to 2.3.0.</p> </li> </ul> <p>The default <code class="language-plaintext highlighter-rouge">sandbox</code> environment does not allow importing other modules or libraries, or executing anything at the OS level (for example, file read/write). The global environment is also not accessible.</p> <p>Examples of <code class="language-plaintext highlighter-rouge">untrusted_lua = sandbox</code> behavior:</p> <ul> <li>You can’t access or change global values such as <code class="language-plaintext highlighter-rouge">kong.configuration.pg_password</code> </li> <li>You can run harmless Lua: <code class="language-plaintext highlighter-rouge">local foo = 1 + 1</code>. However, OS level functions are not allowed, like: <code class="language-plaintext highlighter-rouge">os.execute(</code>rm -rf /*<code class="language-plaintext highlighter-rouge">)</code>.</li> </ul> <p>For a full allowed/disallowed list, see: https://github.com/kikito/sandbox.lua/blob/master/sandbox.lua</p> <p>To customize the sandbox environment, use the <code class="language-plaintext highlighter-rouge">untrusted_lua_sandbox_requires</code> and <code class="language-plaintext highlighter-rouge">untrusted_lua_sandbox_environment</code> parameters below.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">sandbox</code></p> <h3 id="untrusted_lua_sandbox_requires">untrusted_lua_sandbox_requires</h3> <p>Comma-separated list of modules allowed to be loaded with <code class="language-plaintext highlighter-rouge">require</code> inside the sandboxed environment. Ignored if <code class="language-plaintext highlighter-rouge">untrusted_lua</code> is not <code class="language-plaintext highlighter-rouge">sandbox</code>.</p> <p>For example, say you have configured the Serverless pre-function plugin and it contains the following <code class="language-plaintext highlighter-rouge">requires</code>:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>local template = require "resty.template" local split = require "kong.tools.string".split </code></pre></div></div> <p>To run the plugin, add the modules to the allowed list:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>untrusted_lua_sandbox_requires = resty.template, kong.tools.utils </code></pre></div></div> <p><strong>Warning:</strong> Allowing certain modules may create opportunities to escape the sandbox. For example, allowing <code class="language-plaintext highlighter-rouge">os</code> or <code class="language-plaintext highlighter-rouge">luaposix</code> may be unsafe.</p> <p><strong>Default:</strong> none</p> <h3 id="untrusted_lua_sandbox_environment">untrusted_lua_sandbox_environment</h3> <p>Comma-separated list of global Lua variables that should be made available inside the sandboxed environment. Ignored if <code class="language-plaintext highlighter-rouge">untrusted_lua</code> is not <code class="language-plaintext highlighter-rouge">sandbox</code>.</p> <p><strong>Warning</strong>: Certain variables, when made available, may create opportunities to escape the sandbox.</p> <p><strong>Default:</strong> none</p> <h3 id="openresty_path">openresty_path</h3> <p>Path to the OpenResty installation that Kong will use. When this is empty (the default), Kong determines the OpenResty installation by searching for a system-installed OpenResty and falling back to searching $PATH for the nginx binary.</p> <p>Setting this attribute disables the search behavior and explicitly instructs Kong which OpenResty installation to use.</p> <p><strong>Default:</strong> none</p> <h3 id="node_id">node_id</h3> <p>Node ID for the Kong node. Every Kong node in a Kong cluster must have a unique and valid UUID. When empty, node ID is automatically generated.</p> <p><strong>Default:</strong> none</p> <hr> <h2 id="cluster-fallback-configuration-section">Cluster Fallback Configuration section</h2> <h3 class="badge enterprise" id="cluster_fallback_config_import">cluster_fallback_config_import</h3> <p>Enable fallback configuration imports.</p> <p>This should only be enabled for data planes.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 class="badge enterprise" id="cluster_fallback_config_storage">cluster_fallback_config_storage</h3> <p>Storage definition used by <code class="language-plaintext highlighter-rouge">cluster_fallback_config_import</code> and <code class="language-plaintext highlighter-rouge">cluster_fallback_config_export</code>.</p> <p>Supported storage types:</p> <ul> <li>S3-like storages</li> <li>GCP storage service</li> </ul> <p>To use S3 with a bucket named b and place all configs to with a key prefix named p, set it to: <code class="language-plaintext highlighter-rouge">s3://b/p</code> To use GCP for the same bucket and prefix, set it to: <code class="language-plaintext highlighter-rouge">gcs://b/p</code></p> <p>The credentials (and the endpoint URL for S3-like) for S3 are passed with environment variables: <code class="language-plaintext highlighter-rouge">AWS_ACCESS_KEY_ID</code>, <code class="language-plaintext highlighter-rouge">AWS_SECRET_ACCESS_KEY</code>, and <code class="language-plaintext highlighter-rouge">AWS_CONFIG_STORAGE_ENDPOINT</code> (extension), where <code class="language-plaintext highlighter-rouge">AWS_CONFIG_STORAGE_ENDPOINT</code> is the endpoint that hosts S3-like storage.</p> <p>The credentials for GCP are provided via the environment variable <code class="language-plaintext highlighter-rouge">GCP_SERVICE_ACCOUNT</code>.</p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="cluster_fallback_export_s3_config">cluster_fallback_export_s3_config</h3> <p>Fallback config export S3 configuration.</p> <p>This is used only when <code class="language-plaintext highlighter-rouge">cluster_fallback_config_storage</code> is an S3-like schema.</p> <p>If set, it will add the config table to the Kong exporter config S3 putObject request.</p> <p>The config table should be in JSON format and can be unserialized into a table.</p> <p>It should contain the necessary parameters as described in the documentation: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putObject-property.</p> <p>For example, if you want to set the ServerSideEncryption headers/KMS Key ID for the S3 putObject request, you can set the config table to: <code class="language-plaintext highlighter-rouge">{"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": "your-kms-key-id"}</code></p> <p><strong>Default:</strong> none</p> <h3 class="badge enterprise" id="cluster_fallback_config_export">cluster_fallback_config_export</h3> <p>Enable fallback configuration exports.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 class="badge enterprise" id="cluster_fallback_config_export_delay">cluster_fallback_config_export_delay</h3> <p>The fallback configuration export interval.</p> <p>If the interval is set to 60 and configuration A is exported and there are new configurations B, C, and D in the next 60 seconds, it will wait until 60 seconds passed and export D, skipping B and C.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">60</code></p> <hr> <h2 id="webassembly-wasm-section">Webassembly (Wasm) section</h2> <h3 id="wasm">wasm</h3> <p>Enable/disable wasm support. This must be enabled in order to use wasm filters and filter chains.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">off</code></p> <h3 id="wasm_filters_path">wasm_filters_path</h3> <p>Path to the directory containing wasm filter modules.</p> <p>At startup, Kong discovers available wasm filters by scanning this directory for files with the <code class="language-plaintext highlighter-rouge">.wasm</code> file extension.</p> <p>The name of a wasm filter module is derived from the filename itself, with the .wasm extension removed. So, given the following tree:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/path/to/wasm_filters ├── my_module.wasm ├── my_other_module.wasm └── not_a_wasm_module.txt </code></pre></div></div> <p>The resulting filter modules available for use in Kong will be:</p> <ul> <li><code class="language-plaintext highlighter-rouge">my_module</code></li> <li><code class="language-plaintext highlighter-rouge">my_other_module</code></li> </ul> <p>Notes:</p> <ul> <li>No recursion is performed. Only .wasm files at the top level are registered.</li> <li>This path <em>may</em> be a symlink to a directory.</li> </ul> <p><strong>Default:</strong> none</p> <h3 id="wasm_filters">wasm_filters</h3> <p>Comma-separated list of Wasm filters to be made available for use in filter chains.</p> <p>When the <code class="language-plaintext highlighter-rouge">off</code> keyword is specified as the only value, no filters will be available for use.</p> <p>When the <code class="language-plaintext highlighter-rouge">bundled</code> keyword is specified, all filters bundled with Kong will be available.</p> <p>When the <code class="language-plaintext highlighter-rouge">user</code> keyword is specified, all filters within the <code class="language-plaintext highlighter-rouge">wasm_filters_path</code> will be available.</p> <p><strong>Examples:</strong></p> <ul> <li> <code class="language-plaintext highlighter-rouge">wasm_filters = bundled,user</code> enables <em>all</em> bundled and user-supplied filters</li> <li> <code class="language-plaintext highlighter-rouge">wasm_filters = user</code> enables <em>only</em> user-supplied filters</li> <li> <code class="language-plaintext highlighter-rouge">wasm_filters = filter-a,filter-b</code> enables <em>only</em> filters named <code class="language-plaintext highlighter-rouge">filter-a</code> or <code class="language-plaintext highlighter-rouge">filter-b</code> (whether bundled <em>or</em> user-supplied)</li> </ul> <p>If a conflict occurs where a bundled filter and a user-supplied filter share the same name, a warning will be logged, and the user-supplied filter will be used instead.</p> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">bundled,user</code></p> <hr> <h2 id="wasm-injected-directives-section">Wasm Injected Directives section</h2> <p>The Nginx Wasm module (i.e., ngx_wasm_module) has its own settings, which can be tuned via <code class="language-plaintext highlighter-rouge">wasm_*</code> directives in the Nginx configuration file. Kong supports configuration of these directives via its Nginx directive injection mechanism.</p> <p>The following namespaces are supported:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">nginx_wasm_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> into the <code class="language-plaintext highlighter-rouge">wasm {}</code> block.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_wasm_shm_kv</code>: Injects <code class="language-plaintext highlighter-rouge">shm_kv *</code> into the <code class="language-plaintext highlighter-rouge">wasm {}</code> block, allowing operators to define a general memory zone which is usable by the <code class="language-plaintext highlighter-rouge">get_shared_data</code>/<code class="language-plaintext highlighter-rouge">set_shared_data</code> Proxy-Wasm SDK functions as an in-memory key-value store of data shareable across filters.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_wasm_shm_kv_&lt;name&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">shm_kv &lt;name&gt;</code> into the <code class="language-plaintext highlighter-rouge">wasm {}</code> block, allowing operators to define custom shared memory zones which are usable by the <code class="language-plaintext highlighter-rouge">get_shared_data</code>/<code class="language-plaintext highlighter-rouge">set_shared_data</code> Proxy-Wasm SDK functions as separate namespaces in the <code class="language-plaintext highlighter-rouge">"&lt;name&gt;/&lt;key&gt;"</code> format. For using these functions with non-namespaced keys, the Nginx template needs a <code class="language-plaintext highlighter-rouge">shm_kv *</code> entry, which can be defined using <code class="language-plaintext highlighter-rouge">nginx_wasm_shm_kv</code>.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_wasm_wasmtime_&lt;flag&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">flag &lt;flag&gt;</code> into the <code class="language-plaintext highlighter-rouge">wasmtime {}</code> block, allowing various Wasmtime-specific flags to be set.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_&lt;http|proxy&gt;_&lt;directive&gt;</code>: Injects <code class="language-plaintext highlighter-rouge">&lt;directive&gt;</code> into the <code class="language-plaintext highlighter-rouge">http {}</code> or <code class="language-plaintext highlighter-rouge">server {}</code> blocks, as specified in the Nginx injected directives section.</li> </ul> <p>The documentation for all supported directives can be found in the Nginx Wasm module repository:</p> <p>https://github.com/Kong/ngx_wasm_module/blob/main/docs/DIRECTIVES.md</p> <p>The Wasmtime flag documentation can be found here:</p> <p>https://docs.wasmtime.dev/c-api/config_8h.html</p> <p>There are several noteworthy ngx_wasm_module behaviors which can be tuned via <code class="language-plaintext highlighter-rouge">http {}</code>/<code class="language-plaintext highlighter-rouge">server {}</code> level directive injection (identical behavior in either level), for example:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">nginx_http_proxy_wasm_socket_&lt;connect|read|send&gt;_timeout</code>: sets connection/read/send timeouts for Wasm dispatches.</li> <li> <code class="language-plaintext highlighter-rouge">nginx_http_proxy_wasm_socket_buffer_size</code>: sets a buffer size for reading Wasm dispatch responses.</li> </ul> <p>The values for these settings are inherited from their <code class="language-plaintext highlighter-rouge">nginx_*_lua_*</code> counterparts if they have not been explicitly set. For instance, if you set <code class="language-plaintext highlighter-rouge">nginx_http_lua_socket_connect_timeout</code>, the value of this setting will be propagated to <code class="language-plaintext highlighter-rouge">nginx_http_wasm_socket_connect_timeout</code> unless you <em>also</em> set <code class="language-plaintext highlighter-rouge">nginx_http_wasm_socket_connect_timeout</code>.</p> <p>Some TLS-related settings receive special treatment as well:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">lua_ssl_trusted_certificate</code>: when set, the value is propagated to the <code class="language-plaintext highlighter-rouge">nginx_wasm_tls_trusted_certificate</code> directive.</li> <li> <code class="language-plaintext highlighter-rouge">lua_ssl_verify_depth</code>: when set (to a value greater than zero), several TLS-related <code class="language-plaintext highlighter-rouge">nginx_wasm_*</code> settings are enabled: - <code class="language-plaintext highlighter-rouge">nginx_wasm_tls_verify_cert</code> - <code class="language-plaintext highlighter-rouge">nginx_wasm_tls_verify_host</code> - <code class="language-plaintext highlighter-rouge">nginx_wasm_tls_no_verify_warn</code> </li> </ul> <p>Like other <code class="language-plaintext highlighter-rouge">kong.conf</code> fields, all injected Nginx directives documented here can be set via environment variable. For instance, setting:</p> <p><code class="language-plaintext highlighter-rouge">KONG_NGINX_WASM_TLS_VERIFY_CERT=&lt;value&gt;</code></p> <p>Will inject the following into the <code class="language-plaintext highlighter-rouge">wasm {}</code> block:</p> <p><code class="language-plaintext highlighter-rouge">tls_verify_cert &lt;value&gt;;</code></p> <p>There are several Nginx directives supported by ngx_wasm_module which should not be used because they are irrelevant to or unsupported by Kong, or they may conflict with Kong’s own management of Proxy-Wasm. Use of these directives may result in unintentional breakage:</p> <ul> <li><code class="language-plaintext highlighter-rouge">wasm_call</code></li> <li><code class="language-plaintext highlighter-rouge">module</code></li> <li><code class="language-plaintext highlighter-rouge">proxy_wasm</code></li> <li><code class="language-plaintext highlighter-rouge">resolver_add</code></li> <li><code class="language-plaintext highlighter-rouge">proxy_wasm_request_headers_in_access</code></li> <li><code class="language-plaintext highlighter-rouge">shm_queue</code></li> </ul> <hr> <h2 id="request-debugging-section">Request Debugging section</h2> <p>Request debugging is a mechanism that allows admins to collect the timing of proxy path requests in the response header (X-Kong-Request-Debug-Output) and optionally, the error log.</p> <p>This feature provides insights into the time spent within various components of Kong, such as plugins, DNS resolution, load balancing, and more. It also provides contextual information such as domain names tried during these processes.</p> <h3 id="request_debug">request_debug</h3> <p>When enabled, Kong will provide detailed timing information for its components to the client and the error log if the following headers are present in the proxy request:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">X-Kong-Request-Debug</code>: If the value is set to <code class="language-plaintext highlighter-rouge">*</code>, timing information will be collected and exported for the current request. If this header is not present or contains an unknown value, timing information will not be collected for the current request. You can also specify a list of filters, separated by commas, to filter the scope of the time information that is collected.</li> </ul> <p>The following filters are supported for <code class="language-plaintext highlighter-rouge">X-Kong-Request-Debug</code>:</p> <ul> <li> <code class="language-plaintext highlighter-rouge">rewrite</code>: Collect timing information from the <code class="language-plaintext highlighter-rouge">rewrite</code> phase.</li> <li> <code class="language-plaintext highlighter-rouge">access</code>: Collect timing information from the <code class="language-plaintext highlighter-rouge">access</code> phase.</li> <li> <code class="language-plaintext highlighter-rouge">balancer</code>: Collect timing information from the <code class="language-plaintext highlighter-rouge">balancer</code> phase.</li> <li> <code class="language-plaintext highlighter-rouge">response</code>: Collect timing information from the <code class="language-plaintext highlighter-rouge">response</code> phase.</li> <li> <code class="language-plaintext highlighter-rouge">header_filter</code>: Collect timing information from the <code class="language-plaintext highlighter-rouge">header_filter</code> phase.</li> <li> <code class="language-plaintext highlighter-rouge">body_filter</code>: Collect timing information from the <code class="language-plaintext highlighter-rouge">body_filter</code> phase.</li> <li> <code class="language-plaintext highlighter-rouge">log</code>: Collect timing information from the <code class="language-plaintext highlighter-rouge">log</code> phase.</li> <li> <p><code class="language-plaintext highlighter-rouge">upstream</code>: Collect timing information from the <code class="language-plaintext highlighter-rouge">upstream</code> phase.</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">X-Kong-Request-Debug-Log</code>: If set to <code class="language-plaintext highlighter-rouge">true</code>, timing information will also be logged in the Kong error log with a log level of <code class="language-plaintext highlighter-rouge">notice</code>. Defaults to <code class="language-plaintext highlighter-rouge">false</code>.</p> </li> <li> <code class="language-plaintext highlighter-rouge">X-Kong-Request-Debug-Token</code>: Token for authenticating the client making the debug request to prevent abuse. Debug requests originating from loopback addresses do not require this header.</li> </ul> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">on</code></p> <h3 id="request_debug_token">request_debug_token</h3> <p>The Request Debug Token is used in the <code class="language-plaintext highlighter-rouge">X-Kong-Request-Debug-Token</code> header to prevent abuse.</p> <p>If this value is not set (the default), a random token will be generated when Kong starts, restarts, or reloads. If a token is specified manually, then the provided token will be used.</p> <p>You can locate the generated debug token in two locations:</p> <ul> <li>Kong error log: Debug token will be logged in the error log (notice level) when Kong starts, restarts, or reloads. The log line will have the: <code class="language-plaintext highlighter-rouge">[request-debug]</code> prefix to aid searching.</li> <li>Filesystem: Debug token will also be stored in a file located at <code class="language-plaintext highlighter-rouge">{prefix}/.request_debug_token</code> and updated when Kong starts, restarts, or reloads.</li> </ul> <p><strong>Default:</strong> <code class="language-plaintext highlighter-rouge">&lt;random&gt;</code></p> </div> </div> </div> <div id="scroll-to-top-button"> <i class="fas fa-chevron-up"></i> </div> <div class="feedback-widget-container"> <input id="feedback-widget-checkbox" type="checkbox"> <label for="feedback-widget-checkbox"> <img src="/assets/images/icons/feedback-widget.svg" alt="Feedback widget"> </label> <div class="feedback-container"> <div class="feedback-thankyou"> Thank you for your feedback. </div> <div class="feedback-comment"> <textarea id="feedback-comment-text" rows="3" placeholder="Please let us know what we can improve on this page..."></textarea> <div class="feedback-comment-buttons"> <button id="feedback-comment-button-back">Back</button> <button id="feedback-comment-button-submit" class="button-primary">Submit</button> </div> </div> <div class="feedback-options"> <div class="feedback-options-title">Was this page useful?</div> <div class="feedback-options-buttons"> <i data-feedback-result="yes" class="feedback-options-button far fa-thumbs-up"></i> <i data-feedback-result="no" class="feedback-options-button far fa-thumbs-down"></i> </div> </div> </div> </div> </div> <div id="image-modal" data-image-expand-disabled=""> <div class="image-modal-backdrop"></div> <div class="image-container"> <img src="" alt=""> <i class="fa fa-times"></i> </div> </div> <div class="modal closed" id="modal" role="dialog" aria-hidden="true" aria-labelledby="title" aria-describedby="description"> <div class="konnect-cta-card"> <div class="title"> Too much on your plate? <a href="#" class="cta-card-close modal-close" id="modal-close"> <img src="/assets/images/icons/documentation/close.svg" alt="close cta icon"> </a> </div> <div class="description"> More features, less infrastructure with Kong Konnect. 1M requests per month for free. </div> <a href="https://konghq.com/products/kong-konnect/register?utm_medium=referral&amp;utm_source=docs&amp;utm_campaign=gateway-konnect&amp;utm_campaign=right-nav-card&amp;utm_content=gateway" class="button" target="_blank" rel="noopener nofollow noreferrer "> Try it for Free </a> </div> </div> <div id="modal-open" class="modal-open"></div> <div class="modal-overlay closed" id="modal-overlay"></div> <footer class="marketing-footer--light-gray"> <section> <ul class="newsletter"> <li class="logo-wrapper"> <div class="logo"> <img src="/assets/images/logos/konglogo-light-theme-primary.svg" alt="Kong"> </div> <div class="footer-title">Powering the API world</div> <p> Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller. </p> <div class="footer-form-container"> <form id="subscribe-form" method="POST" action="/assets/javascripts/subscribe.js"> <input required id="subscribe-input" type="email" name="email" placeholder="Email" aria-required="true" aria-invalid="false"> <input id="footer-form-button" type="submit" form="subscribe-form" value="Subscribe"> </form> <div id="form-response"></div> </div> </li> <li class="footer-columns"> <ul class="footer-columns-product-list"> <li> <nav> <div class="footer-category">Products</div> <ul> <li> <a href="https://konghq.com/products/kong-konnect" target="_blank" rel="noopener nofollow noreferrer ">Kong Konnect</a> </li> <li> <a href="https://konghq.com/products/kong-enterprise" target="_blank" rel="noopener nofollow noreferrer ">Kong Gateway Enterprise</a> </li> <li> <a href="https://konghq.com/products/kong-gateway" target="_blank" rel="noopener nofollow noreferrer ">Kong Gateway</a> </li> <li> <a href="https://konghq.com/products/kong-mesh" target="_blank" rel="noopener nofollow noreferrer ">Kong Mesh</a> </li> <li> <a href="https://konghq.com/products/kong-ingress-controller" target="_blank" rel="noopener nofollow noreferrer ">Kong Ingress Controller</a> </li> <li> <a href="https://insomnia.rest/" target="_blank" rel="noopener nofollow noreferrer noopener nofollow noreferrer">Kong Insomnia</a> </li> <li> <a href="https://konghq.com/product-updates" target="_blank" rel="noopener nofollow noreferrer ">Product Updates</a> </li> <li> <a href="https://konghq.com/contact-sales" target="_blank" rel="noopener nofollow noreferrer ">Get Started</a> </li> </ul> </nav> </li> <li> <nav> <div class="footer-category">Documentation</div> <ul> <li> <a href="/konnect/">Kong Konnect Docs</a> </li> <li> <a href="/gateway/latest/">Kong Gateway Docs</a> </li> <li> <a href="/gateway/latest/kong-enterprise/">Kong Gateway Enterprise Docs</a> </li> <li> <a href="/mesh/latest/">Kong Mesh Docs</a> </li> <li> <a href="https://docs.insomnia.rest/" target="_blank" rel="noopener nofollow noreferrer noopener nofollow noreferrer">Kong Insomnia Docs</a> </li> <li> <a href="/hub/">Kong Konnect Plugin Hub</a> </li> </ul> </nav> </li> <li> <nav> <div class="footer-category">Open Source</div> <ul> <li> <a href="https://konghq.com/install/#kong-community" target="_blank" rel="noopener nofollow noreferrer ">Kong Gateway</a> </li> <li> <a href="https://kuma.io/" target="_blank" rel="noopener nofollow noreferrer noopener nofollow noreferrer">Kuma</a> </li> <li> <a href="https://insomnia.rest/" target="_blank" rel="noopener nofollow noreferrer noopener nofollow noreferrer">Insomnia</a> </li> <li> <a href="https://konghq.com/community" target="_blank" rel="noopener nofollow noreferrer ">Kong Community</a> </li> </ul> </nav> </li> <li> <nav> <div class="footer-category">Company</div> <ul> <li> <a href="https://konghq.com/company/about-us" target="_blank" rel="noopener nofollow noreferrer ">About Kong</a> </li> <li> <a href="https://konghq.com/customers" target="_blank" rel="noopener nofollow noreferrer ">Customers</a> </li> <li> <a href="https://konghq.com/company/careers" target="_blank" rel="noopener nofollow noreferrer ">Careers</a> </li> <li> <a href="https://konghq.com/press-room" target="_blank" rel="noopener nofollow noreferrer ">Press</a> </li> <li> <a href="https://konghq.com/events" target="_blank" rel="noopener nofollow noreferrer ">Events</a> </li> <li> <a href="https://konghq.com/company/contact-us" target="_blank" rel="noopener nofollow noreferrer ">Contact</a> </li> </ul> </nav> </li> </ul> </li> </ul> </section> <section class="legal"> <div class="container d-flex"> <div class="social"> <div class="social-link"> <a href="https://www.facebook.com/konghq/" title="Facebook" target="_blank" rel="noopener nofollow noreferrer "><i aria-label="Facebook" class="fa fa-facebook-official" aria-hidden="true"></i></a> </div> <div class="social-link"> <a href="https://twitter.com/thekonginc" title="Twitter" target="_blank" rel="noopener nofollow noreferrer "><i aria-label="Twitter" class="fa fa-twitter" aria-hidden="true"></i></a> </div> <div class="social-link"> <a href="https://www.meetup.com/topics/kong/all/" title="Meetup" target="_blank" rel="noopener nofollow noreferrer "><i aria-label="Meetup" class="fa fa-meetup" aria-hidden="true"></i></a> </div> <div class="social-link"> <a href="https://linkedin.com/company/278819" title="LinkedIn" target="_blank" rel="noopener nofollow noreferrer "><i aria-label="GitHub" class="fa fa-linkedin" aria-hidden="true"></i></a> </div> <div class="social-link"> <a href="https://github.com/kong/kong" target="_blank" class="btn-gh" title="GitHub" rel="noopener nofollow noreferrer "> <i class="fa fa-github" aria-hidden="true" aria-label="GitHub"></i> </a> </div> </div> <ul> <li> <span class="mashape-footer-content"> <a href="https://konghq.com/legal/terms-of-use" target="_blank" rel="noopener nofollow noreferrer ">Terms</a><b>•</b> <a href="https://konghq.com/legal/privacy-policy" target="_blank" rel="noopener nofollow noreferrer ">Privacy</a><b>•</b> <a href="https://konghq.com/compliance" target="_blank" rel="noopener nofollow noreferrer ">Trust and Compliance</a> </span> </li> </ul> <div> <span>© Kong Inc. 2025  </span> </div> </div> </section> </footer> <script> var anchorForId = function (id) { var anchor = document.createElement("a"); anchor.className = "header-link"; anchor.href = "#" + id; anchor.innerHTML = "<i class=\"fa fa-link\"></i>"; anchor.title = `${id} Permalink`; return anchor; }; document.onreadystatechange = function () { if (this.readyState === "complete") { var className = ".show-anchor-links h1, .show-anchor-links h2, .show-anchor-links h3, " + ".show-anchor-links h4, .show-anchor-links h5, .show-anchor-links h6"; var headers = document.querySelectorAll(className); for (var i = 0; i < headers.length; i++) { var header = headers[i]; if (typeof header.id !== "undefined" && header.id !== "") { header.prepend(anchorForId(header.id)); } } } }; </script> <script> !function(){var i="analytics",analytics=window[i]=window[i]||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","screen","once","off","on","addSourceMiddleware","addIntegrationMiddleware","setAnonymousId","addDestinationMiddleware","register"];analytics.factory=function(e){return function(){if(window[i].initialized)return window[i][e].apply(window[i],arguments);var n=Array.prototype.slice.call(arguments);if(["track","screen","alias","group","page","identify"].indexOf(e)>-1){var c=document.querySelector("link[rel='canonical']");n.push({__t:"bpc",c:c&&c.getAttribute("href")||void 0,p:location.pathname,u:location.href,s:location.search,t:document.title,r:document.referrer})}n.unshift(e);analytics.push(n);return analytics}};for(var n=0;n<analytics.methods.length;n++){var key=analytics.methods[n];analytics[key]=analytics.factory(key)}analytics.load=function(key,n){var t=document.createElement("script");t.type="text/javascript";t.async=!0;t.setAttribute("data-global-segment-analytics-key",i);t.src="https://cdn.segment.com/analytics.js/v1/" + key + "/analytics.min.js";var r=document.getElementsByTagName("script")[0];r.parentNode.insertBefore(t,r);analytics._loadOptions=n};analytics._writeKey="X7EZTdbdUKQ8M6x42SHHPWiEhjsfs1EQ";;analytics.SNIPPET_VERSION="5.2.0"; analytics.load("X7EZTdbdUKQ8M6x42SHHPWiEhjsfs1EQ"); analytics.page(); }}(); </script> <div id="fb-root"></div> <script id="github-bjs" src="https://buttons.github.io/buttons.js" async defer></script> <script type="text/javascript"> var _vwo_code = (function() { var account_id = 125292, settings_tolerance = 2000, library_tolerance = 2500, use_existing_jquery = true, // DO NOT EDIT BELOW THIS LINE f = false, d = document; return { use_existing_jquery: function() { return use_existing_jquery; }, library_tolerance: function() { return library_tolerance; }, finish: function() { if (!f) { f = true; var a = d.getElementById('_vis_opt_path_hides'); if (a) a.parentNode.removeChild(a); } }, finished: function() { return f; }, load: function(a) { var b = d.createElement('script'); b.src = a; b.type = 'text/javascript'; b.innerText; b.onerror = function() { _vwo_code.finish(); }; d.getElementsByTagName('head')[0].appendChild(b); }, init: function() { settings_timer = setTimeout( '_vwo_code.finish()', settings_tolerance ); this.load( '//dev.visualwebsiteoptimizer.com/j.php?a=' + account_id + '&u=' + encodeURIComponent(d.URL) + '&r=' + Math.random() ); var a = d.createElement('style'), b = '', h = d.getElementsByTagName('head')[0]; a.setAttribute('id', '_vis_opt_path_hides'); a.setAttribute('type', 'text/css'); if (a.styleSheet) a.styleSheet.cssText = b; else a.appendChild(d.createTextNode(b)); h.appendChild(a); return settings_timer; } }; })(); _vwo_settings_timer = _vwo_code.init(); </script> <script src="https://cdn.jsdelivr.net/npm/@docsearch/js@3"></script> <script type="text/javascript"> docsearch({ appId: '05Y6TLHNFZ', apiKey: '80483bfe28d9fd036a11a6f6a06454f8', indexName: 'konghq', container: '#getkong-algolia-search-input', disableUserPersonalization: true, placeholder: 'Search the docs...', // Override selected event to allow for local environment navigation transformItems(items) { return items.map((item) => { var modifiedUrl = window.location.protocol + '//' + window.location.host + item.url.split('docs.konghq.com')[1]; return { ...item, url: modifiedUrl }; }); }, translations: { button: { buttonText: 'Search the docs..', buttonAriaLabel: 'Search the docs...' } }, resultsFooterComponent({ state }) { var facetParameters = {}; facetParameters = {"version[0]":"3.8.x","product[0]":"Kong Gateway"}; var queryParams = new URLSearchParams(facetParameters); queryParams.set('query', state.query); return { // The HTML `tag` type: 'a', ref: undefined, constructor: undefined, key: state.query, // Its props props: { href: `/search/?${queryParams.toString()}`, target: '_blank', // Raw text rendered in the HTML element children: 'See more >' }, __v: null, }; }, searchParameters: { optionalFilters: ['product:deck<score=1>', 'product:Plugin Hub<score=2>', 'product:Kong Gateway<score=3>'], facetFilters: [ 'version:3.8.x'] } }); </script> <script> (function() { if (typeof window === 'undefined') return; if (typeof window.signals !== 'undefined') return; var script = document.createElement('script'); script.src = 'https://cdn.cr-relay.com/v1/site/993c7a0d-caec-465c-be46-2d3a78ab60c5/signals.js'; script.async = true; window.signals = Object.assign( [], ['page', 'identify', 'form'].reduce(function (acc, method){ acc[method] = function () { signals.push([method, arguments]); return signals; }; return acc; }, {}) ); document.head.appendChild(script); })(); </script> </div> </body> </html>