Custom configurations

The custom configurations of MOSN.

This topic describes custom configurations of MOSN.

Duration String

  • A string that consists of a decimal number followed by a time unit suffix, with no space between them. Valid time units: ns, us (or µs), ms, s, m, and h. For example: 1h, 3s, and 500ms.

metadata

metadata is used for matching MOSN routes and cluster hosts.

{
  "filter_metadata":{
    "mosn.lb":{}
  }
}

The value of mosn.lb is an object holding arbitrary string-to-string pairs. Route metadata and cluster host metadata are compared on these pairs.

tls_context

{
  "status":"",
  "type":"",
  "server_name":"",
  "ca_cert":"",
  "cert_chain":"",
  "private_key":"",
  "verify_client":"",
  "require_client_cert":"",
  "insecure_skip":"",
  "cipher_suites":"",
  "ecdh_curves":"",
  "min_version":"",
  "max_version":"",
  "alpn":"",
  "fall_back":"",
  "extend_verify":"",
  "sds_source":{}
}
  • status: Boolean. Indicates whether TLS is enabled. Default value: false.
  • type: String. Specifies the type of tls_context. tls_context supports extension implementations; each type corresponds to a different implementation. Default value: "" (empty string).
  • server_name: The hostname that the certificate returned by the server is verified against when insecure_skip is not set. Valid when configured at a cluster.
  • ca_cert: The root certificate of the trusted certificate authority (CA).
  • cert_chain: The TLS certificate chain.
  • private_key: The private key of the certificate.
  • verify_client: Boolean. Specifies whether to verify the client certificate. Valid when configured at a listener.
  • require_client_cert: Boolean. Specifies whether a client certificate is required.
  • insecure_skip: Boolean. Specifies whether to skip server certificate verification. Valid when configured at a cluster. When true, the upstream server is not authenticated at all, so keep it false outside test environments.
  • cipher_suites: Specifies the cipher suites that TLS connections may use. If this parameter is specified, TLS connections support only the listed cipher suites, preferred in the order listed. Separate cipher suites with a comma. Valid values:

    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-WITH-CHACHA20-POLY1305
    ECDHE-RSA-WITH-CHACHA20-POLY1305
    ECDHE-RSA-AES256-CBC-SHA
    ECDHE-RSA-AES128-CBC-SHA
    ECDHE-ECDSA-AES256-CBC-SHA
    ECDHE-ECDSA-AES128-CBC-SHA
    RSA-AES256-CBC-SHA
    RSA-AES128-CBC-SHA
    ECDHE-RSA-3DES-EDE-CBC-SHA
    RSA-3DES-EDE-CBC-SHA
    ECDHE-RSA-SM4-SM3
    ECDHE-ECDSA-SM4-SM3
    
  • ecdh_curves: If this parameter is specified, TLS connections support only the listed curves.

    • Valid values: x25519, p256, p384, and p521.
  • min_version: The earliest TLS version supported.

    • Valid values: TLS1.0, TLS1.1, and TLS1.2. Default value: TLS1.0.
    • If not set, the supported versions are determined automatically. TLS 1.0 and 1.1 are deprecated; set TLS1.2 explicitly unless an older peer must be supported.
  • max_version: The latest TLS version supported.

    • Valid values: TLS1.0, TLS1.1, and TLS1.2. Default value: TLS1.2.
    • If not set, the supported versions are determined automatically.
  • alpn: Specifies the protocols offered through ALPN on TLS connections.

    • Valid values: H2, HTTP/1.1, and SOFA.
  • fall_back: Boolean. Specifies whether, when certificate verification fails, to fall back instead of returning an error; the connection then proceeds as if TLS were not enabled. Valid values: true and false.

  • extend_verify: JSON. Extension parameters for the tls_context implementation selected by type; used only when type is not empty.

  • sds_source: Specifies the parameters required to access the SDS API. If sds_source is configured, ca_cert, cert_chain, and private_key are ignored, while the other fields remain in effect.
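
The following Go program is an added example, not MOSN's own code, that shows how the security-relevant tls_context fields above combine. It decodes a tls_context document, turns it into a crypto/tls.Config and reports the settings a reviewer would flag: min_version left at the TLS1.0 default, cipher suites without forward secrecy or built on CBC/3DES, insecure_skip, fall_back, an empty server_name on a cluster, and a listener that verifies but does not require a client certificate. The name-to-constant tables, the Build function and the way verify_client/require_client_cert are mapped onto ClientAuthType are this example's own assumptions; the SM4-SM3 suites have no crypto/tls counterpart and are rejected; the sample document in main is constructed.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"strings"
)

// TLSContext mirrors the tls_context fields used here (an example type, not MOSN's own struct).
type TLSContext struct {
	ServerName        string `json:"server_name"`
	VerifyClient      bool   `json:"verify_client"`
	RequireClientCert bool   `json:"require_client_cert"`
	InsecureSkip      bool   `json:"insecure_skip"`
	CipherSuites      string `json:"cipher_suites"`
	MinVersion        string `json:"min_version"`
	FallBack          bool   `json:"fall_back"`
}

var versions = map[string]uint16{"TLS1.0": tls.VersionTLS10, "TLS1.1": tls.VersionTLS11, "TLS1.2": tls.VersionTLS12}

// suites maps the page's names onto crypto/tls identifiers (assumed mapping; SM4-SM3 suites are absent).
var suites = map[string]uint16{
	"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "ECDHE-RSA-AES256-GCM-SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "ECDHE-RSA-AES128-GCM-SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-WITH-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, "ECDHE-RSA-WITH-CHACHA20-POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	"ECDHE-RSA-AES256-CBC-SHA": tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "ECDHE-RSA-AES128-CBC-SHA": tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	"ECDHE-ECDSA-AES256-CBC-SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "ECDHE-ECDSA-AES128-CBC-SHA": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	"RSA-AES256-CBC-SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, "RSA-AES128-CBC-SHA": tls.TLS_RSA_WITH_AES_128_CBC_SHA,
	"ECDHE-RSA-3DES-EDE-CBC-SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "RSA-3DES-EDE-CBC-SHA": tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}

// weakSuite flags suites without forward secrecy (static RSA key exchange) or built on CBC / 3DES.
func weakSuite(name string) bool {
	return !strings.HasPrefix(name, "ECDHE-") || strings.Contains(name, "-CBC-") || strings.Contains(name, "3DES")
}

// Build turns a tls_context JSON document into a crypto/tls.Config and returns the weak settings found.
// isListener selects the listener-side (client cert) or cluster-side (server_name, insecure_skip) checks.
func Build(raw []byte, isListener bool) (*tls.Config, []string, error) {
	var c TLSContext
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, nil, err
	}
	var findings []string
	cfg := &tls.Config{ServerName: c.ServerName, InsecureSkipVerify: c.InsecureSkip}
	minName := c.MinVersion
	if minName == "" {
		minName = "TLS1.0" // default stated on the page
	}
	var ok bool
	if cfg.MinVersion, ok = versions[minName]; !ok {
		return nil, nil, fmt.Errorf("unknown min_version %q", minName)
	}
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "min_version below TLS1.2: "+minName)
	}
	for _, name := range strings.Split(c.CipherSuites, ",") {
		if name = strings.TrimSpace(name); name == "" {
			continue
		}
		id, ok := suites[name] // unknown names are hard errors so a typo cannot widen the accepted set
		if !ok {
			return nil, nil, fmt.Errorf("unsupported cipher suite %q", name)
		}
		if weakSuite(name) {
			findings = append(findings, "weak cipher suite: "+name)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, id) // order preserved, as the page specifies
	}
	if isListener {
		// Mapping of the two booleans onto ClientAuthType is this example's choice.
		switch {
		case c.VerifyClient && c.RequireClientCert:
			cfg.ClientAuth = tls.RequireAndVerifyClientCert
		case c.VerifyClient:
			cfg.ClientAuth = tls.VerifyClientCertIfGiven
			findings = append(findings, "verify_client without require_client_cert: a client may present no certificate")
		}
	} else if c.InsecureSkip {
		findings = append(findings, "insecure_skip disables verification of the server certificate")
	} else if c.ServerName == "" {
		findings = append(findings, "server_name empty: the server certificate hostname cannot be checked")
	}
	if c.FallBack {
		findings = append(findings, "fall_back allows a plaintext connection when TLS fails")
	}
	return cfg, findings, nil
}

func main() {
	// Constructed cluster-side tls_context carrying several weak settings.
	_, findings, err := Build([]byte(`{"insecure_skip":true,"fall_back":true,"cipher_suites":"RSA-3DES-EDE-CBC-SHA"}`), false)
	fmt.Println(err, findings)
}
```

Feeding a cluster-side document with insecure_skip, fall_back and a 3DES suite produces four findings (the implicit TLS1.0 minimum, the suite, insecure_skip and fall_back), while a document that sets server_name, min_version TLS1.2 and only ECDHE AEAD suites produces none.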

sds_source

{
  "CertificateConfig":{},
  "ValidationConfig":{}
}
  • CertificateConfig: Specifies how to obtain the values of cert_chain and private_key.
  • ValidationConfig: Specifies how to obtain the value of ca_cert.
  • For details about the configurations, see envoy: sds_secret_config.
Last modified July 1, 2020: MOSN v0.14.0 released (77f074a)