gorouter job from cf/287
Gorouter maintains a dynamic routing table based on updates received from NATS and (when enabled) the Routing API. This routing table maps URLs to backends. The router finds the URL in the routing table that most closely matches the host header of the request and load balances across the associated backends.
The port used to emit dropsonde messages to the Metron agent.
IPs of each NATS cluster member
- |+ - 192.168.50.123 - 192.168.52.123
Password for NATS authentication
TCP port of NATS servers
User name for NATS authentication
Timeout in seconds for Router -> Endpoint roundtrip.
Certificate chain used for client authentication to TLS-registered backends. In PEM format.
(optional, boolean) By default, Gorouter forwards requests to backends over unencrypted connections and will ignore routes registered with a TLS port, preferring a non-tls port when both are present. When this property is set to true, Gorouter will connect to backends using TLS when routes are registered with a TLS port, ignoring non-tls ports when both are present.
Maximum concurrent TCP connections per backend. When set to 0 there is no limit
Private key used for client authentication to TLS-registered backends. In PEM format.
Algorithm used to distribute requests for a route across backends. Supported values are round-robin and least-connection
String of concatenated certificate authorities in PEM format, used to validate certificates provided by remote systems. By default, Gorouter will trust certificates signed by well-known CAs and by CA certificates installed on the filesystem.
An ordered, colon-delimited list of golang supported TLS cipher suites in OpenSSL or RFC format. The selected cipher suite will be negotiated according to the order of this list during a TLS handshake. See https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/tls/cipher_suites.go#L369-L390 for golang supported cipher suites. The first four of these are supported for TLSv1.0/1.1 only. See https://www.openssl.org/docs/man1.1.0/apps/ciphers.html for a mapping of OpenSSL and RFC suite names.
none - Gorouter will not request client certificates in TLS handshakes, and will ignore them if presented. Incompatible with
sanitize_set. request - Gorouter will request client certificates in TLS handshakes, and will validate them when presented, but will not require them. require - Gorouter will fail a TLS handshake if the client does not provide a certificate signed by a CA it trusts. For use with Gorouters responsible for app domains only; incompatible with Gorouters responsible for the CF system domain as not all clients provide client certificates.
Address at which to serve debug info
Disables the http listener on port specified by router.port. This cannot be set to true if enable_ssl is false.
Host to ping for confirmation of DNS resolution, only used when Routing API is enabled
Delay in seconds after shut down is initiated before server stops listening. During this time the server will reject requests to the /health endpoint. This accommodates requests forwarded by a load balancer until it considers the router unhealthy.
Enables streaming of access log to syslog.
Enables support for the popular PROXY protocol, allowing downstream load balancers that do not support HTTP to pass along client information.
When enabled, Gorouter will listen on port 443 and terminate TLS for requests received on this port.
An array of headers that access log events will be annotated with
Enables setting X-Forwarded-Proto header if SSL termination happened upstream and incorrectly set the header value. When this property is set to true gorouter sets the header X-Forwarded-Proto to https. When this value set to false, gorouter set the header X-Forwarded-Proto to the protocol of the incoming request
How to handle the x-forwarded-client-cert (XFCC) HTTP header. Possible values are: - always_forward: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. Use this value when your load balancer is forwarding the client certificate and requests are not forwarded to Gorouter over mTLS. In the case where the connection between load balancer and Gorouter is mTLS, the client certificate received by Gorouter in the TLS handshake will not be forwarded. - forward: Forward the XFCC header received from the client only when the client connection is mTLS. This is a more secure version of
always_forward. The client certificate received by Gorouter in the TLS handshake will not be forwarded. Requires
require. - sanitize_set: Strip any instances of XFCC headers from the client request. When the client connection is mTLS, the client certificate received by Gorouter in the TLS handshake will be forwarded in this header. Values will be base64 encoded PEM. Use this value when Gorouter is the first component to terminate TLS. Requires
(optional, integer) Duration in seconds to maintain an open connection when client supports keep-alive. This property must be configured with regards to how an IaaS-provided load balancer behaves in order to prevent connections from being closed prematurely. Generally, this timeout must be greater than that of the load balancer. As examples, GCP has a default timeout of 600 seconds so a value greater than 600 is recommended and AWS ELB has a default timeout of 60 seconds so a value greater than 60 is recommended. However, depending on the IaaS, this timeout may need to be shorter than the load balancer’s timeout, e.g., Azure’s load balancer times out at 240 seconds (by default) without sending a TCP RST to clients, so a value lower than this is recommended in order to force it to send the TCP RST.
DEPRECATED. Use /health endpoint on port specified by status.port. User-Agent for the health check agent (usually the Load Balancer).
Routes with these isolation segments will be registered. Used in combination with routing_table_sharding_mode.
Time period in seconds to wait until declaring the router instance started after starting the listener socket. This allows an external load balancer time to register the instance as healthy.
Log level for router
Maximum total idle keepalive connections to backends. When 0, support for keepalive connections is disabled. Maximum idle connections per backend is 100.
Minimum accepted version of TLS protocol. All versions above this will also be accepted. Valid values are TLSv1.0, TLSv1.1, and TLSv1.2.
Number of CPUs to utilize, the default (-1) will equal the number of available CPUs
Listening Port for Router.
On startup, the router will delay listening for requests by this duration to increase likelihood that it has a complete routing table before serving requests. The router also broadcasts the same duration as a recommended interval to registering clients via NATS. This must be less than 60, otherwise monit will mark the process as failed.
Route Services are told where to send requests after processing using the X-CF-Forwarded-Url header. When this property is true, the scheme for this URL is https. When false, the scheme is http. As requests from Route Services to applications on CF transit load balancers and gorouter, disable this property for deployments that have TLS termination disabled.
Support for route services is disabled when no value is configured. A robust passphrase is recommended.
To rotate keys, add your new key here and deploy. Then swap this key with the value of route_services_secret and deploy again.
Expiry time of a route service signature in seconds
all: all routes will be registered. shared-and-segments: both routes for the configured isolation segments and those that do not have an isolation segment specified will be registered. segments: only routes for the configured isolation segments will be registered.
Set secure flag on http cookies
Skip validation of TLS certificates received from route services and UAA
Password for HTTP basic auth to the /varz and /routes endpoints.
Port for the /health, /varz, and /routes endpoints.
Username for HTTP basic auth to the /varz and /routes endpoints.
Suspend pruning of routes when NATs is unavailable and maintain the current routing table. WARNING: This strategy favors availability over consistency and there is a possibility of routing to an incorrect endpoint in the case of port re-use. To be used with caution.”
Array of private keys and certificates used for TLS handshakes with downstream clients. Each element in the array is an object containing fields ‘private_key’ and ‘cert_chain’, each of which supports a PEM block. Required if router.enable_ssl is true.
- |+ tls_pem: - cert_chain: | -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- private_key: | -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
If the X-Vcap-Trace request header is set and has this value, trace headers are added to the response.
Enables the addition of the X-B3-Trace-Id header to incoming requests. If the header already exists on the incoming request, it will not be overwritten.
Enables writing access log to local disk.
When false, Routing API requires OAuth tokens for authentication.
When enabled, GoRouter will fetch HTTP routes from the Routing API in addition to routes obtained via NATS.
Port on which Routing API is running.
URL where the routing API can be reached internally
Certificate authority for communication between clients and uaa.
Secure Port on which UAA is running.
UAA token endpoint host name. Do not include a scheme in this value; TCP Router will always use TLS to connect to UAA.
Templates are rendered and placed onto corresponding
instances during the deployment process. This job's templates
will be placed into
Packages are compiled and placed onto corresponding
instances during the deployment process. Packages will be