Provided by: trafficserver_9.2.4+ds-2_amd64 
NAME
records.config - the records.config file (by default, located in /usr/local/etc/trafficserver/) is a list
of configurable variables used by the Traffic Server software. Many of the variables in records.config
are set automatically when you set configuration options with traffic_ctl config set. After you modify
records.config, run the command traffic_ctl config reload to apply the changes
Note: The configuration directory, containing the SYSCONFDIR value specified at build time relative to
the installation prefix, contains Traffic Server configuration files. The $TS_ROOT environment variable
can be used alter the installation prefix at run time. The directory must allow read/write access for
configuration reloads.
FORMAT
Each variable has the following format:
CONFIG variable_name DATATYPE variable_value
Data Type
A variable's type is defined by the DATATYPE and must be one of:
┌────────┬───────────────────────────────────────┐
│ Type │ Description │
├────────┼───────────────────────────────────────┤
│ FLOAT │ Floating point, expressed as a │
│ │ decimal number without units or │
│ │ exponents. │
├────────┼───────────────────────────────────────┤
│ INT │ Integers, expressed with or without │
│ │ unit prefixes (as described below). │
├────────┼───────────────────────────────────────┤
│ STRING │ String of characters up to the first │
│ │ newline. No quoting necessary. │
└────────┴───────────────────────────────────────┘
Values
The variable_value must conform to the variable's type. For STRING, this is simply any character data
until the first newline.
For integer (INT) variables, values are expressed as any normal integer, e.g. 32768. They can also be
expressed using more human readable values using standard unit prefixes, e.g. 32K. The following prefixes
are supported for all INT type configurations:
┌────────┬─────────────┬──────────────────────────────┐
│ Prefix │ Description │ Equivalent in Bytes │
├────────┼─────────────┼──────────────────────────────┤
│ K │ Kilobytes │ 1,024 bytes │
├────────┼─────────────┼──────────────────────────────┤
│ M │ Megabytes │ 1,048,576 bytes (10242) │
├────────┼─────────────┼──────────────────────────────┤
│ G │ Gigabytes │ 1,073,741,824 bytes (10243) │
├────────┼─────────────┼──────────────────────────────┤
│ T │ Terabytes │ 1,099,511,627,776 bytes │
│ │ │ (10244) │
└────────┴─────────────┴──────────────────────────────┘
Floating point variables (FLOAT) must be expressed as a regular decimal number. Unit prefixes are not
supported, nor are alternate notations (scientific, exponent, etc.).
Additional Attributes
Deprecated
A variable marked as Deprecated is still functional but should be avoided as it may be removed in a
future release without warning.
Reloadable
A variable marked as Reloadable can be updated via the command:
traffic_ctl config reload
This updates configuration parameters without restarting Traffic Server or interrupting the processing of
requests.
Overridable
A variable marked as Overridable can be changed on a per-remap basis using plugins (like the
Configuration Remap Plugin), affecting operations within the current transaction only.
EXAMPLES
In the following example, the variable proxy.config.proxy_name is a STRING datatype with the value
my_server. This means that the name of the Traffic Server proxy is my_server.
CONFIG proxy.config.proxy_name STRING my_server
If the server name should be that_server the line would be
CONFIG proxy.config.proxy_name STRING that_server
In the following example, the variable proxy.config.arm.enabled is a yes/no flag. A value of 0 (zero)
disables the option; a value of 1 enables the option.
CONFIG proxy.config.arm.enabled INT 0
In the following example, the variable sets the time to wait for a DNS response to 10 seconds.
CONFIG proxy.config.hostdb.lookup_timeout INT 10
The last examples configures a 64GB RAM cache, using a human readable prefix.
CONFIG proxy.config.cache.ram_cache.size INT 64G
ENVIRONMENT OVERRIDES
Every records.config configuration variable can be overridden by a corresponding environment variable.
This can be useful in situations where you need a static records.config but still want to tweak one or
two settings. The override variable is formed by converting the records.config variable name to upper
case, and replacing any dot separators with an underscore.
Overriding a variable from the environment is permanent and will not be affected by future configuration
changes made in records.config or applied with traffic_ctl.
For example, we could override the proxy.config.product_company variable like this:
$ PROXY_CONFIG_PRODUCT_COMPANY=example traffic_manager &
$ traffic_ctl config get proxy.config.product_company
CONFIGURATION VARIABLES
The following list describes the configuration variables available in the records.config file.
System Variables
proxy.config.product_company
Scope CONFIG.TP Type STRING.TP Default Apache Software Foundation.UNINDENT The name of the organization
developing Traffic Server.
proxy.config.product_vendor
Scope CONFIG.TP Type STRING.TP Default Apache.UNINDENT The name of the vendor providing Traffic Server.
proxy.config.product_name
Scope CONFIG.TP Type STRING.TP Default |TS|.UNINDENT The name of the product.
proxy.config.proxy_name
Scope CONFIG.TP Type STRING.TP Default build_machine.TP Reloadable Yes.UNINDENT The name of the Traffic
Server node.
proxy.config.bin_path
Scope CONFIG.TP Type STRING.TP Default bin.UNINDENT The location of the Traffic Server bin directory.
proxy.config.proxy_binary
Scope CONFIG.TP Type STRING.TP Default traffic_server.UNINDENT The name of the executable that runs the
traffic_server process.
If you want to set Environment Variables for traffic_server process, use a wrapper script like
below.
CONFIG proxy.config.proxy_binary STRING start_traffic_server.sh
#!/bin/sh
export ASAN_OPTIONS=detect_leaks=1
/opt/ats/bin/traffic_server "$@"
proxy.config.proxy_binary_opts
Scope CONFIG.TP Type STRING.TP Default -M.UNINDENT The command-line options for starting Traffic Server.
proxy.config.manager_binary
Scope CONFIG.TP Type STRING.TP Default traffic_manager.UNINDENT The name of the executable that runs the
traffic_manager process.
proxy.config.memory.max_usage
Scope CONFIG.TP Type INT.TP Default 0.TP Units bytes.UNINDENT Throttle incoming connections if resident
memory usage exceeds this value. Setting the option to 0 disables the feature.
proxy.config.env_prep
Scope CONFIG.TP Type STRING.TP Default *NONE*.UNINDENT The script executed before the traffic_manager
process spawns the traffic_server process.
proxy.config.syslog_facility
Scope CONFIG.TP Type STRING.TP Default LOG_DAEMON.UNINDENT The facility used to record system log files.
Refer to Understanding Traffic Server Logs for more in-depth discussion of the contents and
interpretations of log files.
proxy.config.output.logfile
Scope CONFIG.TP Type STRING.TP Default traffic.out.UNINDENT This is used for log rolling configuration
so Traffic Server knows the path of the output file that should be rolled. This configuration
takes the name of the file receiving traffic_server and traffic_manager process output that is set
via the --bind_stdout and --bind_stderr command-line options. proxy.config.output.logfile is used
only to identify the name of the output file for log rolling purposes and does not override the
values set via --bind_stdout and --bind_stderr.
If a filename is passed to this option, then it will be interpreted relative to
proxy.config.log.logfile_dir. If a different location is desired, then pass an absolute path to
this configuration.
proxy.config.output.logfile_perm
Scope CONFIG.TP Type STRING.TP Default rw-r--r--.UNINDENT The log file permissions for the file
receiving Traffic Server output, the path of which is configured via the --bind_stdout and
--bind_stderr command-line options. The standard UNIX file permissions are used (owner, group,
other). Permissible values are:
┌───────┬─────────────────────┐
│ Value │ Description │
├───────┼─────────────────────┤
│ - │ No permissions. │
├───────┼─────────────────────┤
│ r │ Read permission. │
├───────┼─────────────────────┤
│ w │ Write permission. │
├───────┼─────────────────────┤
│ x │ Execute permission. │
└───────┴─────────────────────┘
Permissions are subject to the umask settings for the Traffic Server process. This means that a
umask setting of 002 will not allow write permission for others, even if specified in the
configuration file. Permissions for existing log files are not changed when the configuration is
modified.
proxy.config.output.logfile.rolling_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies how the output log is rolled.
You can specify the following values:
────────────────────────────────────────────────────────────
│ Value │ Description │
├───────┼──────────────────────────────────────────────────┤
│ 0 │ Disables output log rolling. │
├───────┼──────────────────────────────────────────────────┤
│ 1 │ Enables output log rolling at │
│ │ specific intervals (specified with │
│ │ the │
│ │ proxy.config.output.logfile.rolling_interval_sec │
│ │ variable). The clock starts ticking │
│ │ on Traffic Server boot. │
├───────┼──────────────────────────────────────────────────┤
│ 2 │ Enables output log rolling when the output log │
│ │ reaches a specific size (specified with │
│ │ proxy.config.output.logfile.rolling_size_mb). │
├───────┼──────────────────────────────────────────────────┤
│ 3 │ Enables output log rolling at specific intervals │
│ │ or when the output log reaches a specific size │
│ │ (whichever occurs first). │
└───────┴──────────────────────────────────────────────────┘
proxy.config.output.logfile.rolling_interval_sec
Scope CONFIG.TP Type INT.TP Default 3600.TP Units seconds.TP Reloadable Yes.UNINDENT Specifies how often
the output log is rolled, in seconds. The timer starts on Traffic Server startup.
proxy.config.output.logfile.rolling_size_mb
Scope CONFIG.TP Type INT.TP Default 100.TP Units megabytes.TP Reloadable Yes.UNINDENT Specifies at what
size to roll the output log at.
proxy.config.output.logfile.rolling_min_count
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies the minimum count of rolled
output logs to keep. This value will be used to decide the order of auto-deletion (if enabled). A
default value of 0 means auto-deletion will try to keep output logs as much as possible. See Log
Rotation and Retention for guidance.
Thread Variables
proxy.config.exec_thread.autoconfig
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT When enabled (the default, 1), Traffic Server scales
threads according to the available CPU cores. See the config option below.
proxy.config.exec_thread.autoconfig.scale
Scope CONFIG.TP Type FLOAT.TP Default 1.0.UNINDENT Factor by which Traffic Server scales the number of
threads. The multiplier is usually the number of available CPU cores. By default this is scaling
factor is 1.0.
proxy.config.exec_thread.limit
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT The number of threads Traffic Server will create if
proxy.config.exec_thread.autoconfig is set to 0, otherwise this option is ignored.
proxy.config.exec_thread.listen
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT If enabled (1) all the exec_threads listen for incoming
connections. proxy.config.accept_threads should be disabled to enable this variable.
proxy.config.accept_threads
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT The number of accept threads. If disabled (0), then
accepts will be done in each of the worker threads.
──────────────────────────────────────────────────────────────────────
accept_threads exec_thread.listen Effect
──────────────────────────────────────────────────────────────────────
0 0 All worker threads accept
new connections and share
listen fd.
──────────────────────────────────────────────────────────────────────
1 0 New connections are accepted
on a dedicated accept thread
and distributed to worker
threads in round robin
fashion.
──────────────────────────────────────────────────────────────────────
0 1 All worker threads listen on
the same port using
SO_REUSEPORT. Each thread
has its own listen fd and
new connections are accepted
on all the threads.
┌────────────────┬────────────────────┬──────────────────────────────┐
│ │ │ │
--
NETWORK
proxy.config.net.additional_accepts
Scope CONFIG.TP Type INT.TP Default -1.TP Reloadable Yes.UNINDENT This config addresses an issue that
can sometimes happen if threads are caught in a net accept while loop, become busy exclusviely
accepting connections, and are prevented from doing other work. This can cause an increase in
latency and average event loop time. When set to 0, a thread accepts only 1 connection per event
loop. When set to any other positive integer x, a thread will accept up to x+1 connections per
event loop. When set to -1 (default), a thread will accept connections as long as there are
connections waiting in its listening queue.is equivalent to "accept all", and setting to 0 is
equivalent to "accept one".
proxy.config.net.connections_throttle
Scope CONFIG.TP Type INT.TP Default 30000.UNINDENT The total number of client and origin server
connections that the server can handle simultaneously. This is in fact the max number of file
descriptors that the traffic_server process can have open at any given time. Roughly 10% of these
connections are reserved for origin server connections, i.e. from the default, only ~27,000 client
connections can be handled. This should be tuned according to your memory size, and expected work
load. If this is set to 0, the throttling logic is disabled.
proxy.config.net.max_connections_in
Scope CONFIG.TP Type INT.TP Default 30000.UNINDENT The total number of client requests that Traffic
Server can handle simultaneously. This should be tuned according to your memory size, and
expected work load (network, cpu etc). This limit includes both idle (keep alive) connections and
active requests that Traffic Server can handle at any given instant. The delta between
proxy.config.net.max_connections_in and proxy.config.net.max_requests_in is the amount of maximum
idle (keepalive) connections Traffic Server will maintain.
proxy.config.net.max_requests_in
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT The total number of concurrent requests or active client
connections that the Traffic Server can handle simultaneously. This should be tuned according to
your memory size, and expected work load (network, cpu etc). When set to 0, active request
tracking is disabled and max requests has no separate limit and the total connections follow
proxy.config.net.connections_throttle
proxy.config.net.default_inactivity_timeout
Scope CONFIG.TP Type INT.TP Default 86400.TP Reloadable Yes.UNINDENT The connection inactivity timeout
(in seconds) to apply when Traffic Server detects that no inactivity timeout has been applied by
the HTTP state machine. When this timeout is applied, the
proxy.process.net.default_inactivity_timeout_applied metric is incremented.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.net.inactivity_check_frequency
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT How frequent (in seconds) to check for inactive
connections. If you deal with a lot of concurrent connections, increasing this setting can reduce
pressure on the system.
proxy.local.incoming_ip_to_bind
Scope LOCAL.TP Type STRING.TP Default 0.0.0.0 [::].UNINDENT Controls the global default IP addresses to
which to bind proxy server ports. The value is a space separated list of IP addresses, one per
supported IP address family (currently IPv4 and IPv6).
Unless explicitly specified in proxy.config.http.server_ports, the server port will be bound to
one of these addresses, selected by IP address family. The built in default is any address. This
is used if no address for a family is specified. This setting is useful if most or all server
ports should be bound to the same address.
NOTE:
This is ignored for inbound transparent server ports because they must be able to accept connections
on arbitrary IP addresses.
Example
Set the global default for IPv4 to 192.168.101.18 and leave the global default for IPv6 as any address:
LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.18
Example
Set the global default for IPv4 to 191.68.101.18 and the global default for IPv6 to fc07:192:168:101::17:
LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.18 [fc07:192:168:101::17]
proxy.local.outgoing_ip_to_bind
Scope LOCAL.TP Type STRING.TP Default 0.0.0.0 [::].UNINDENT This controls the global default for the
local IP address for outbound connections to origin servers. The value is a list of space
separated IP addresses, one per supported IP address family (currently IPv4 and IPv6).
Unless explicitly specified in proxy.config.http.server_ports, one of these addresses, selected by
IP address family, will be used as the local address for outbound connections. This setting is
useful if most or all of the server ports should use the same outbound IP addresses.
NOTE:
This is ignored for outbound transparent ports as the local outbound address will be the same as the
client local address.
Example
Set the default local outbound IP address for IPv4 connections to 192.168.101.18.:
LOCAL proxy.local.outgoing_ip_to_bind STRING 192.168.101.18
Example
Set the default local outbound IP address to 192.168.101.17 for IPv4 and fc07:192:168:101::17 for IPv6.:
LOCAL proxy.local.outgoing_ip_to_bind STRING 192.168.101.17 [fc07:192:168:101::17]
proxy.config.net.event_period
Scope CONFIG.TP Type INT.TP Default 10.UNINDENT How often, in milli-seconds, to schedule IO event
processing. This is unlikely to be necessary to tune, and we discourage setting it to a value
smaller than 10ms (on Linux).
proxy.config.net.accept_period
Scope CONFIG.TP Type INT.TP Default 10.UNINDENT How often, in milli-seconds, to schedule accept()
processing. This is unlikely to be necessary to tune, and we discourage setting it to a value
smaller than 10ms (on Linux).
proxy.config.net.retry_delay
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT How long to wait until we retry
various events that would otherwise block the network processing threads (e.g. locks). We
discourage setting this to a value smaller than 10ms (on Linux).
proxy.config.net.throttle_delay
Scope CONFIG.TP Type INT.TP Default 50.TP Reloadable Yes.UNINDENT When we trigger a throttling scenario,
this how long our accept() are delayed.
LOCAL MANAGER
proxy.node.config.manager_log_filename
Scope CONFIG.TP Type STRING.TP Default manager.log.UNINDENT The name of the file to which
traffic_manager logs will be emitted.
If this is set to stdout or stderr, then all traffic_manager logging will go to the stdout or
stderr stream, respectively.
proxy.config.admin.user_id
Scope CONFIG.TP Type STRING.TP Default nobody.UNINDENT Designates the non-privileged account to run the
traffic_server process as, which also has the effect of setting ownership of configuration and log
files.
If the user_id is prefixed with pound character (#), the remainder of the string is considered to
be a numeric user identifier. If the value is set to #-1, Traffic Server will not change the user
during startup.
IMPORTANT:
Attempting to set this option to root or #0 is now forbidden, as a measure to increase security. Doing
so will cause a fatal failure upon startup in traffic_server. However, there are two ways to bypass
this restriction:
• Specify -DBIG_SECURITY_HOLE in CXXFLAGS during compilation.
• Set the user_id=#-1 and start trafficserver as root.
proxy.config.admin.api.restricted
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This setting specifies whether the management API should
be restricted to root processes. If this is set to 0, then on platforms that support passing
process credentials, non-root processes will be allowed to make read-only management API calls.
Any management API calls that modify server state (eg. setting a configuration variable) will
still be restricted to root processes.
This setting is not reloadable, since it is must be applied when traffic_manager initializes.
proxy.config.track_config_files
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) tracking configuration file
updates. This setting is enabled by default, meaning that configuration files are monitored for
changes. Having tracking enabled is a dependency for traffic_ctl config status to function.
However, tracking the files is implemented via a frequent call to stat() which may be problematic
in some deployments. If the call to stat() on configuration files causes problems, then it can be
avoided by setting this value to 0 at the cost of disabling the config status feature for
traffic_ctl.
This setting is not reloadable, since it is must be applied when traffic_manager initializes.
proxy.node.config.manager_exponential_sleep_ceiling
Scope CONFIG.TP Type INT.TP Default 60.UNINDENT In case of traffic_manager is unable to start
traffic_server, this setting specifies the maximum amount of seconds that the traffic_manager
process should wait until it tries again to restart traffic_server. In case of traffic_manager
failing to start traffic_server, it will retry exponentially until it reaches the ceiling time.
proxy.node.config.manager_retry_cap
Scope CONFIG.TP Type INT.TP Default 5.UNINDENT This setting specifies the number of times that
traffic_manager will retry to restart traffic_server once the maximum ceiling time is reached.
NOTE:
If set to 0, no cap will take place.
ALARM CONFIGURATION
proxy.config.alarm.abs_path
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT The absolute path to the
directory containing the alarm script. If this is not set, the script will be located relative to
proxy.config.bin_path.
proxy.config.alarm.script_runtime
Scope CONFIG.TP Type INT.TP Default 5.TP Reloadable Yes.UNINDENT The number of seconds that Traffic
Server allows the alarm script to run before aborting it.
HTTP ENGINE
proxy.config.http.server_ports
Scope CONFIG.TP Type STRING.TP Default 8080 8080:ipv6.UNINDENT Ports used for proxying HTTP traffic.
This is a list, separated by space or comma, of port descriptors. Each descriptor is a sequence
of keywords and values separated by colons. Not all keywords have values, those that do are
specifically noted. Keywords with values can have an optional = character separating the keyword
and value. The case of keywords is ignored. The order of keywords is irrelevant but unspecified
results may occur if incompatible options are used (noted below). Options without values are
idempotent. Options with values use the last (right most) value specified, except for ip-out as
detailed later.
Quick reference chart:
┌────────────┬─────────────────┬──────────────────────────────┐
│ Name │ Note │ Definition │
├────────────┼─────────────────┼──────────────────────────────┤
│ number │ Required │ The local port. │
├────────────┼─────────────────┼──────────────────────────────┤
│ blind │ │ Blind (CONNECT) port. │
├────────────┼─────────────────┼──────────────────────────────┤
│ compress │ Not Implemented │ Compressed. │
├────────────┼─────────────────┼──────────────────────────────┤
│ ipv4 │ Default │ Bind to IPv4 address family. │
├────────────┼─────────────────┼──────────────────────────────┤
│ ipv6 │ │ Bind to IPv6 address family. │
├────────────┼─────────────────┼──────────────────────────────┤
│ ip-in │ Value │ Local inbound IP address. │
├────────────┼─────────────────┼──────────────────────────────┤
│ ip-out │ Value │ Local outbound IP address. │
├────────────┼─────────────────┼──────────────────────────────┤
│ ip-resolve │ Value │ IP address resolution style. │
├────────────┼─────────────────┼──────────────────────────────┤
│ proto │ Value │ List of supported session │
│ │ │ protocols. │
├────────────┼─────────────────┼──────────────────────────────┤
│ pp │ │ Enable Proxy Protocol. │
├────────────┼─────────────────┼──────────────────────────────┤
│ ssl │ │ SSL terminated. │
├────────────┼─────────────────┼──────────────────────────────┤
│ quic │ │ QUIC terminated. │
├────────────┼─────────────────┼──────────────────────────────┤
│ tr-full │ │ Fully transparent (inbound │
│ │ │ and outbound) │
├────────────┼─────────────────┼──────────────────────────────┤
│ tr-in │ │ Inbound transparent. │
├────────────┼─────────────────┼──────────────────────────────┤
│ tr-out │ │ Outbound transparent. │
├────────────┼─────────────────┼──────────────────────────────┤
│ tr-pass │ │ Pass through enabled. │
├────────────┼─────────────────┼──────────────────────────────┤
│ mptcp │ │ Multipath TCP. │
└────────────┴─────────────────┴──────────────────────────────┘
number Local IP port to bind. This is the port to which ATS clients will connect.
blind Accept only the CONNECT method on this port.
Not compatible with: tr-in, ssl and quic.
compress
Compress the connection. Retained only by inertia, should be considered "not implemented".
ipv4 Use IPv4. This is the default and is included primarily for completeness. This forced if the ip-in
option is used with an IPv4 address.
ipv6 Use IPv6. This is forced if the ip-in option is used with an IPv6 address.
ssl Require SSL termination for inbound connections. SSL must be configured for this option to provide
a functional server port.
Not compatible with: blind and quic.
quic Require QUIC termination for inbound connections. SSL must be configured for this option to
provide a functional server port. THIS IS EXPERIMENTAL SUPPORT AND NOT READY FOR PRODUCTION USE.
Not compatible with: blind and ssl.
proto Specify the session level protocols supported. These should be separated by semi-colons. For TLS
proxy ports the default value is all available protocols. For non-TLS proxy ports the default is
HTTP only. HTTP/3 is only available on QUIC ports.
pp Enables Proxy Protocol on the port. If Proxy Protocol is enabled on the port, all incoming
requests must be prefaced with the PROXY header. See Proxy Protocol for more details on how to
configure this option properly.
tr-full
Fully transparent. This is a convenience option and is identical to specifying both tr-in and
tr-out.
Not compatible with: Any option not compatible with tr-in or tr-out.
tr-in Inbound transparent. The proxy port will accept connections to any IP address on the port. To have
IPv6 inbound transparent you must use this and the ipv6 option. This overrides
proxy.local.incoming_ip_to_bind for this port.
Not compatible with: ip-in, blind
tr-out Outbound transparent. If ATS connects to an origin server for a transaction on this port, it will
use the client's address as its local address. This overrides proxy.local.outgoing_ip_to_bind for
this port.
Not compatible with: ip-out, ip-resolve
tr-pass
Transparent pass through. This option is useful only for inbound transparent proxy ports. If the
parsing of the expected HTTP header fails, then the transaction is switched to a blind tunnel
instead of generating an error response to the client. It effectively enables
proxy.config.http.use_client_target_addr for the transaction as there is no other place to obtain
the origin server address.
ip-in Set the local IP address for the port. This is the address to which clients will connect. This
forces the IP address family for the port. The ipv4 or ipv6 can be used but it is optional and is
an error for it to disagree with the IP address family of this value. An IPv6 address must be
enclosed in square brackets. If this option is omitted proxy.local.incoming_ip_to_bind is used.
Not compatible with: tr-in.
ip-out Set the local IP address for outbound connections. This is the address used by ATS locally when it
connects to an origin server for transactions on this port. If this is omitted
proxy.local.outgoing_ip_to_bind is used.
This option can used multiple times, once for each IP address family. The address used is selected
by the IP address family of the origin server address.
Not compatible with: tr-out.
ip-resolve
Set the host resolution style for transactions on this proxy port.
Not compatible with: tr-out - this option requires a value of client;none which is forced and
should not be explicitly specified.
mptcp Enable Multipath TCP on this proxy port.
Requires custom Linux kernel available at https://multipath-tcp.org.
Example
Listen on port 80 on any address for IPv4 and IPv6.:
80 80:ipv6
Example
Listen transparently on any IPv4 address on port 8080, and transparently on port 8080 on local address
fc01:10:10:1::1 (which implies ipv6).:
IPv4:tr-FULL:8080 TR-full:IP-in=[fc02:10:10:1::1]:8080
Example
Listen on port 8080 for IPv6, fully transparent. Set up an SSL port on 443. These ports will use the IP
address from proxy.local.incoming_ip_to_bind. Listen on IP address 192.168.17.1, port 80, IPv4, and
connect to origin servers using the local address 10.10.10.1 for IPv4 and fc01:10:10:1::1 for IPv6.:
8080:ipv6:tr-full 443:ssl ip-in=192.168.17.1:80:ip-out=[fc01:10:10:1::1]:ip-out=10.10.10.1
Example
Listen on port 9090 for TLS enabled HTTP/2 or HTTP connections, accept no other session protocols.:
9090:proto=http2;http:ssl
Example
Listen on port 9090 for TLS disabled HTTP/2 and enabled HTTP connections, accept no other session
protocols.:
9090:proto=http:ssl
Example
Listen on port 4433 for QUIC connections.:
4433:quic
proxy.config.http.connect_ports
Scope CONFIG.TP Type STRING.TP Default 443.UNINDENT The range of origin server ports that can be used
for tunneling via CONNECT.
Traffic Server allows tunnels only to the specified ports. Supports both wildcards (*) and ranges
(e.g. 0-1023).
NOTE:
These are the ports on the origin server, not Traffic Server proxy ports.
proxy.config.http.forward_connect_method
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT The default, Traffic
Server behavior for handling a CONNECT method request is to establish a tunnel to the requested
destination. This configuration alters the behavior so that Traffic Server forwards the CONNECT
method to the next hop, and establishes the tunnel after receiving a positive response. This
behavior is useful in a proxy hierarchy, and is equivalent to setting
proxy.local.http.parent_proxy.disable_connect_tunneling to 0 when parent proxying is enabled.
proxy.config.http.insert_request_via_str
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set how the Via
field is handled on a request to the origin server.
┌───────┬───────────────────────────────────────┐
│ Value │ Effect │
├───────┼───────────────────────────────────────┤
│ 0 │ Do not modify or set this Via header. │
├───────┼───────────────────────────────────────┤
│ 1 │ Add the basic protocol and proxy │
│ │ identifier. │
├───────┼───────────────────────────────────────┤
│ 2 │ Add basic transaction codes. │
├───────┼───────────────────────────────────────┤
│ 3 │ Add detailed transaction codes. │
├───────┼───────────────────────────────────────┤
│ 4 │ Add full user agent connection │
│ │ protocol tags. │
└───────┴───────────────────────────────────────┘
NOTE:
The Via transaction codes can be decoded with the Via Decoder Ring.
proxy.config.http.request_via_str
Scope CONFIG.TP Type STRING.TP Default ApacheTrafficServer/${PACKAGE_VERSION}.TP Reloadable Yes.TP
Overridable Yes.UNINDENT Set the server and version string in the Via request header to the origin
server which is inserted when the value of proxy.config.http.insert_request_via_str is not 0.
Note that the actual default value is defined with "ApacheTrafficServer/" PACKAGE_VERSION in a C++
source code, and you must write such as ApacheTrafficServer/6.0.0 if you really set a value with
the version in records.config file. If you want to hide the version, you can set this value to
ApacheTrafficServer.
proxy.config.http.insert_response_via_str
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set how the Via
field is handled on the response to the client.
┌───────┬───────────────────────────────────────┐
│ Value │ Effect │
├───────┼───────────────────────────────────────┤
│ 0 │ Do not modify or set this Via header. │
├───────┼───────────────────────────────────────┤
│ 1 │ Add the basic protocol and proxy │
│ │ identifier. │
├───────┼───────────────────────────────────────┤
│ 2 │ Add basic transaction codes. │
├───────┼───────────────────────────────────────┤
│ 3 │ Add detailed transaction codes. │
├───────┼───────────────────────────────────────┤
│ 4 │ Add full upstream connection protocol │
│ │ tags. │
└───────┴───────────────────────────────────────┘
NOTE:
The Via transaction code can be decoded with the Via Decoder Ring.
proxy.config.http.response_via_str
Scope CONFIG.TP Type STRING.TP Default ApacheTrafficServer/${PACKAGE_VERSION}.TP Reloadable Yes.TP
Overridable Yes.UNINDENT Set the server and version string in the Via response header to the
client which is inserted when the value of proxy.config.http.insert_response_via_str is not 0.
Note that the actual default value is defined with "ApacheTrafficServer/" PACKAGE_VERSION in a C++
source code, and you must write such as ApacheTrafficServer/6.0.0 if you really set a value with
the version in records.config file. If you want to hide the version, you can set this value to
ApacheTrafficServer.
proxy.config.http.send_100_continue_response
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT You can specify one of the following:
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Traffic Server will buffer the │
│ │ request until the post body has been │
│ │ received and then send the request to │
│ │ the origin server. │
├───────┼───────────────────────────────────────┤
│ 1 │ Immediately return a 100 Continue │
│ │ from Traffic Server without waiting │
│ │ for the post body. │
└───────┴───────────────────────────────────────┘
proxy.config.http.response_server_enabled
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT You can specify one
of the following:
┌───────┬────────────────────────────────────────┐
│ Value │ Description │
├───────┼────────────────────────────────────────┤
│ 0 │ No Server header is added to the │
│ │ response. │
├───────┼────────────────────────────────────────┤
│ 1 │ The Server header is added according │
│ │ to │
│ │ proxy.config.http.response_server_str. │
├───────┼────────────────────────────────────────┤
│ 2 │ The Server header is added only if the │
│ │ response from origin does not have one │
│ │ already. │
└───────┴────────────────────────────────────────┘
proxy.config.http.response_server_str
Scope CONFIG.TP Type STRING.TP Default ATS/${PACKAGE_VERSION}.TP Reloadable Yes.TP Overridable
Yes.UNINDENT The Server string that Traffic Server will insert in a response header (if requested,
see above). Note that the actual default value is defined with "ATS/" PACKAGE_VERSION in the C++
source, and you must write such as ATS/6.0.0 if you really set a value with the version in
records.config. If you want to hide the version, you can set this value to ATS.
proxy.config.http.insert_age_in_response
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT This option
specifies whether Traffic Server should insert an Age header in the response. The value is the
cache's estimate of the amount of time since the response was generated or revalidated by the
origin server.
┌───────┬─────────────────────────┐
│ Value │ Description │
├───────┼─────────────────────────┤
│ 0 │ No Age header is added. │
├───────┼─────────────────────────┤
│ 1 │ Age header is added. │
└───────┴─────────────────────────┘
proxy.config.http.chunking_enabled
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies whether
Traffic Server can generate a chunked response:
─────────────────────────────────────────────────
Value Description
─────────────────────────────────────────────────
0 Never respond with chunked encoding.
─────────────────────────────────────────────────
1 Always respond with chunked encoding.
─────────────────────────────────────────────────
2 Generate a chunked response if the
origin server has previously returned
HTTP/1.1.
─────────────────────────────────────────────────
3 Generate a chunked response if the
client request is HTTP/1.1 and the
origin server has previously returned
HTTP/1.1.
┌───────┬───────────────────────────────────────┐
│ │ │
proxy.config.http.chunking.size│ │ │
│ │ │
--
PARENT PROXY CONFIGURATION
proxy.config.http.parent_proxy.retry_time
Scope CONFIG.TP Type INT.TP Default 300.TP Reloadable Yes.TP Overridable Yes.UNINDENT The amount of time
allowed between connection retries to a parent cache that is unavailable.
proxy.config.http.parent_proxy.max_trans_retries
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT Limits the number of simultaneous transactions that may
retry a parent once the parents retry_time has expired.
proxy.config.http.parent_proxy.fail_threshold
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.TP Overridable Yes.UNINDENT The number of times
the connection to the parent cache can fail before Traffic Server considers the parent
unavailable.
proxy.config.http.parent_proxy.total_connect_attempts
Scope CONFIG.TP Type INT.TP Default 4.TP Reloadable Yes.TP Overridable Yes.UNINDENT The total number of
connection attempts for a specific transaction allowed to a parent cache before Traffic Server
bypasses the parent or fails the request (depending on the go_direct option in the parent.config
file). The number of parents tried is proxy.config.http.parent_proxy.fail_threshold /
proxy.config.http.parent_proxy.total_connect_attempts
proxy.config.http.parent_proxy.per_parent_connect_attempts
Scope CONFIG.TP Type INT.TP Default 2.TP Reloadable Yes.TP Overridable Yes.UNINDENT The total number of
connection attempts allowed per parent for a specific transaction, if multiple parents are used.
proxy.config.http.parent_proxy.connect_attempts_timeout
Scope CONFIG.TP Type INT.TP Default 30.TP Reloadable Yes.TP Overridable Yes.UNINDENT The timeout value
(in seconds) for parent cache connection attempts.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.parent_proxy.mark_down_hostdb
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Enables (1) or
disables (0) marking parent proxies down in hostdb when a connection error is detected. Normally
parent selection manages parent proxies and will mark them as unavailable as needed. But when
parents are defined in dns with multiple ip addresses, it may be useful to mark the failing ip
down in hostdb. In this case you would enable these updates.
proxy.config.http.forward.proxy_auth_to_parent
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Configures Traffic
Server to send proxy authentication headers on to the parent cache.
proxy.config.http.no_dns_just_forward_to_parent
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Don't try to resolve DNS, forward all
DNS requests to the parent. This is off (0) by default.
proxy.local.http.parent_proxy.disable_connect_tunneling
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT
proxy.config.http.parent_proxy.self_detect
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT For each host that has been specified in a parent or
secondary_parent list in the parent.config file, determine if the host is the same as the current
host. Obvious examples include localhost and 127.0.0.1. If a match is found, take an action
depending upon the value below.
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Disables the feature by not checking │
│ │ for matches. │
├───────┼───────────────────────────────────────┤
│ 1 │ Remove the matching host from the │
│ │ list. │
├───────┼───────────────────────────────────────┤
│ 2 │ Mark the host down. This is the │
│ │ default. │
└───────┴───────────────────────────────────────┘
proxy.config.http.parent_proxy.enable_parent_timeout_markdowns
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Enables (1) or
disables (0) parent proxy mark downs due to inactivity timeouts. By default parent proxies are
not marked down due to inactivity timeouts, the transaction will retry using another parent
instead. The default for this configuration keeps this behavior and is disabled (0). This
setting is overridable using one of the two plugins header_rewrite or conf_remap to enable
inactivity timeout markdowns and should be done so rather than enabling this globally. This
setting should not be used in conjunction with
proxy.config.http.parent_proxy.disable_parent_markdowns
proxy.config.http.parent_proxy.disable_parent_markdowns
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Enables (1) or
disables (0) parent proxy markdowns. This is useful if parent entries in a parent.config line are
VIP's and one doesn't wish to mark down a VIP which may have several origin or parent proxies
behind the load balancer. This setting is overridable using one of the header_rewrite or the
conf_remap plugins to override the default setting and this method should be used rather than
disabling markdowns globally. This setting should not be used in conjunction with
proxy.config.http.parent_proxy.enable_parent_timeout_markdowns
HTTP CONNECTION TIMEOUTS
proxy.config.http.keep_alive_no_activity_timeout_in
Scope CONFIG.TP Type INT.TP Default 120.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies how long
Traffic Server keeps connections to clients open for a subsequent request after a transaction
ends. A value of 0 will set proxy.config.net.default_inactivity_timeout as the timeout.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.keep_alive_no_activity_timeout_out
Scope CONFIG.TP Type INT.TP Default 120.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies how long
Traffic Server keeps connections to origin servers open for a subsequent transfer of data after a
transaction ends. A value of 0 will set proxy.config.net.default_inactivity_timeout as the
timeout.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.transaction_no_activity_timeout_in
Scope CONFIG.TP Type INT.TP Default 30.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies how long
Traffic Server keeps connections to clients open if a transaction stalls.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.transaction_no_activity_timeout_out
Scope CONFIG.TP Type INT.TP Default 30.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies how long
Traffic Server keeps connections to origin servers open if the transaction stalls.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.websocket.no_activity_timeout
Scope CONFIG.TP Type INT.TP Default 600.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies how long
Traffic Server keeps connections open if a websocket stalls.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.websocket.active_timeout
Scope CONFIG.TP Type INT.TP Default 3600.TP Reloadable Yes.TP Overridable Yes.UNINDENT The maximum
amount of time Traffic Server keeps websocket connections open.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.transaction_active_timeout_in
Scope CONFIG.TP Type INT.TP Default 900.TP Reloadable Yes.TP Overridable Yes.UNINDENT The maximum amount
of time Traffic Server can remain connected to a client. If the transfer to the client is not
complete before this timeout expires, then Traffic Server closes the connection.
The value of 0 specifies that there is no timeout.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.transaction_active_timeout_out
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT The maximum amount
of time Traffic Server waits for fulfillment of a connection request to an origin server. If
Traffic Server does not complete the transfer to the origin server before this timeout expires,
then Traffic Server terminates the connection request.
The default value of 0 specifies that there is no timeout.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.accept_no_activity_timeout
Scope CONFIG.TP Type INT.TP Default 120.TP Reloadable Yes.UNINDENT The timeout interval in seconds
before Traffic Server closes a connection that has no activity.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.background_fill_active_timeout
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies how long
Traffic Server continues a background fill before giving up and dropping the origin server
connection.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.background_fill_completed_threshold
Scope CONFIG.TP Type FLOAT.TP Default 0.0.TP Reloadable Yes.TP Overridable Yes.UNINDENT The proportion
of total document size already transferred when a client aborts at which the proxy continues
fetching the document from the origin server to get it into the cache (a background fill).
HTTP REDIRECTION
proxy.config.http.number_of_redirections
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT This setting
determines the maximum number of times Trafficserver does a redirect follow location on receiving
a 3XX Redirect response for a given client request.
NOTE:
When proxy.config.http.number_of_redirections is set to a positive value and Traffic Server has
previously cached a 3XX Redirect response, the cached response will continue to be refreshed and
returned until the response is no longer in the cache.
NOTE:
In previous versions proxy.config.http.redirection_enabled had to be set to 1 before this setting was
evaluated. Now setting proxy.config.http.number_of_redirections to a value greater than zero is
sufficient to cause Traffic Server to follow redirects.
proxy.config.http.redirect_host_no_port
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT This setting enables Trafficserver to
not include the port in the Host header in the redirect follow request for default/standard ports
(e.g. 80 for HTTP and 443 for HTTPS). Note that the port is still included in the Host header if
it's non-default.
proxy.config.http.redirect_use_orig_cache_key
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT This setting enables
Trafficserver to allow using original request cache key (for example, set using a TS API) during a
3xx redirect follow. The default behavior (0) is to use the URL specified by Location header in
the 3xx response as the cache key.
proxy.config.http.post_copy_size
Scope CONFIG.TP Type INT.TP Default 2048.TP Reloadable Yes.UNINDENT This setting determines the maximum
size in bytes of uploaded content to be buffered for HTTP methods such as POST and PUT.
proxy.config.http.redirect.actions
Scope CONFIG.TP Type STRING.TP Default routable:follow.TP Reloadable Yes.UNINDENT This setting
determines how redirects should be handled. The setting consists of a comma-separated list of
key-value pairs, where the keys are named IP address ranges and the values are actions.
The following are valid keys:
┌───────────┬───────────────────────────────────────┐
│ Key │ Description │
├───────────┼───────────────────────────────────────┤
│ self │ Addresses of the host's interfaces │
├───────────┼───────────────────────────────────────┤
│ loopback │ IPv4 127.0.0.0/8 and IPv6 ::1 │
├───────────┼───────────────────────────────────────┤
│ private │ IPv4 10.0.0.0/8 100.64.0.0/10 │
│ │ 172.16.0.0/12 192.168.0.0/16 and IPv6 │
│ │ fc00::/7 │
├───────────┼───────────────────────────────────────┤
│ multicast │ IPv4 224.0.0.0/4 and IPv6 ff00::/8 │
├───────────┼───────────────────────────────────────┤
│ linklocal │ IPv4 169.254.0.0/16 and IPv6 │
│ │ fe80::/10 │
├───────────┼───────────────────────────────────────┤
│ routable │ All publicly routable addresses │
├───────────┼───────────────────────────────────────┤
│ default │ All address ranges not configured │
│ │ specifically │
└───────────┴───────────────────────────────────────┘
The following are valid values:
┌────────┬───────────────────────────────────────────┐
│ Value │ Description │
├────────┼───────────────────────────────────────────┤
│ return │ Do not process the redirect, send it │
│ │ as the proxy response. │
├────────┼───────────────────────────────────────────┤
│ reject │ Do not process the redirect, send a │
│ │ 403 as the proxy response. │
├────────┼───────────────────────────────────────────┤
│ follow │ Internally follow the redirect up to │
│ │ proxy.config.http.number_of_redirections. │
│ │ Use this setting with caution! │
└────────┴───────────────────────────────────────────┘
WARNING:
Following a redirect to other than routable addresses can be dangerous, as it allows the controller of
an origin to arrange a probe the Traffic Server host. Enabling these redirects makes Traffic Server
open to third party attacks and probing and therefore should be considered only in known safe
environments.
For example, a setting of loopback:reject,private:reject,routable:follow,default:return would send 403 as
the proxy response to loopback and private addresses, routable addresses would be followed up to
proxy.config.http.number_of_redirections, and redirects to all other ranges will be sent as the proxy
response.
The action for self has the highest priority when an address would match multiple keys, and the action
for default has the lowest priority. Other keys represent disjoint sets of addresses that will not
conflict. If duplicate keys are present in the setting, the right-most key-value pair is used.
The default value is routable:follow, which means "follow routable redirects, return all other
redirects". Note that proxy.config.http.number_of_redirections must be positive also, otherwise redirects
will be returned rather than followed.
ORIGIN SERVER CONNECT ATTEMPTS
proxy.config.http.connect_attempts_max_retries
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.TP Overridable Yes.UNINDENT The maximum number
of connection retries Traffic Server can make when the origin server is not responding. Each
retry attempt lasts for proxy.config.http.connect_attempts_timeout seconds. Once the maximum
number of retries is reached, the origin is marked dead (as controlled by
proxy.config.http.connect.dead.policy. After this, the setting
proxy.config.http.connect_attempts_max_retries_dead_server is used to limit the number of retry
attempts to the known dead origin.
proxy.config.http.connect_attempts_max_retries_dead_server
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT Maximum number of
connection attempts Traffic Server can make while an origin is marked dead per request. Typically
this value is smaller than proxy.config.http.connect_attempts_max_retries so an error is returned
to the client faster and also to reduce the load on the dead origin. The timeout interval
proxy.config.http.connect_attempts_timeout in seconds is used with this setting.
proxy.config.http.connect.dead.policy
Scope CONFIG.TP Type INT.TP Default 2.TP Overridable Yes.UNINDENT Controls what origin server connection
failures contribute to marking a server dead. When set to 2, any connection failure during the TCP
and TLS handshakes will contribute to marking the server dead. When set to 1, only TCP handshake
failures will contribute to marking a server dead. When set to 0, no connection failures will be
used towards marking a server dead.
proxy.config.http.server_max_connections
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Limits the number of socket connections
across all origin servers to the value specified. To disable, set to zero (0).
This value is used in determining when and if to prune active origin sessions. Without this value
set, connections to origins can consume all the way up to proxy.config.net.connections_throttle
connections, which in turn can starve incoming requests from available connections.
proxy.config.http.per_server.connection.max
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set a limit for the
number of concurrent connections to an upstream server group. A value of 0 disables checking. If a
transaction attempts to connect to a group which already has the maximum number of concurrent
connections the transaction either rechecks after a delay or a 503
(HTTP_STATUS_SERVICE_UNAVAILABLE) error response is sent to the user agent. To configure
Number of transactions that can be delayed concurrently
See proxy.config.http.per_server.connection.queue_size.
How long to delay before rechecking
See proxy.config.http.per_server.connection.queue_delay.
Upstream server group definition
See proxy.config.http.per_server.connection.match.
Frequency of alerts
See proxy.config.http.per_server.connection.alert_delay.
proxy.config.http.per_server.connection.match
Scope CONFIG.TP Type STRING.TP Default both.TP Reloadable Yes.TP Overridable Yes.UNINDENT Control the
definition of an upstream server group for proxy.config.http.per_server.connection.max. This must
be one of the following keywords.
ip Group by IP address. Each IP address is a group.
port Group by IP address and port. Each distinct IP address and port pair is a group.
host Group by host name. The host name is the post remap FQDN used to resolve the upstream address.
both Group by IP address, port, and host name. Each distinct combination is a group.
To disable upstream server grouping, set proxy.config.http.per_server.connection.max to 0.
NOTE:
This setting is independent of the setting for upstream session sharing matching.
proxy.config.http.per_server.connection.queue_size
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Controls the number of transactions
that can be waiting on an upstream server group.
-1 Unlimited.
0 Never wait. If the connection maximum has been reached immediately respond with an error.
A positive number
If there are less than this many waiting transactions, delay this transaction and try again.
Otherwise respond immediately with an error.
proxy.config.http.per_server.connection.queue_delay
Scope CONFIG.TP Type INT.TP Default 100.TP Units milliseconds.TP Reloadable Yes.UNINDENT If a
transaction is delayed due to too many connections in an upstream server group, delay this amount
of time before checking again.
proxy.config.http.per_server.connection.alert_delay
Scope CONFIG.TP Type INT.TP Default 60.TP Units seconds.TP Reloadable Yes.UNINDENT Throttle alerts per
upstream server group to be no more often than this many seconds. Summary data is provided per
alert to allow log scrubbing to generate accurate data.
proxy.config.http.per_server.connection.min
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set a target for the
minimum number of active connections to an upstream server group. When an outbound connection is
in keep alive state and the inactivity timer expires, if there are fewer than this many
connections in the group a new connection the timer is reset instead of closing the connection.
Useful when the origin supports keep-alive, removing the time needed to set up a new connection
from the next request at the expense of added (inactive) connections.
proxy.config.http.connect_attempts_rr_retries
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.TP Overridable Yes.UNINDENT The maximum number
of failed connection attempts allowed before a round-robin entry is marked as 'down' if a server
has round-robin DNS entries.
proxy.config.http.connect_attempts_timeout
Scope CONFIG.TP Type INT.TP Default 30.TP Reloadable Yes.TP Overridable Yes.UNINDENT The timeout value
(in seconds) for time to set up a connection to the origin. After the connection is established
the value of proxy.config.http.transaction_no_activity_timeout_out is used to established timeouts
on the data over the connection.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.post_connect_attempts_timeout
Scope CONFIG.TP Type INT.TP Default 1800.TP Reloadable Yes.TP Overridable Yes.UNINDENT The timeout value
(in seconds) for an origin server connection when the client request is a POST or PUT request.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.http.post.check.content_length.enabled
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) checking the Content-Length:
Header for a POST request.
proxy.config.http.down_server.cache_time
Scope CONFIG.TP Type INT.TP Default 60.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies how long
(in seconds) Traffic Server remembers that an origin server was unreachable.
proxy.config.http.uncacheable_requests_bypass_parent
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When enabled (1),
Traffic Server bypasses the parent proxy for a request that is not cacheable.
CONGESTION CONTROL
proxy.config.http.flow_control.enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Transaction buffering / flow control
is enabled if this is set to a non-zero value. Otherwise no flow control is done.
proxy.config.http.flow_control.high_water
Scope CONFIG.TP Type INT.TP Default 0.TP Units bytes.TP Overridable Yes.UNINDENT The high water mark for
transaction buffer control. External source I/O is halted when the total buffer space in use by
the transaction exceeds this value.
proxy.config.http.flow_control.low_water
Scope CONFIG.TP Type INT.TP Default 0.TP Units bytes.TP Overridable Yes.UNINDENT The low water mark for
transaction buffer control. External source I/O is resumed when the total buffer space in use by
the transaction is no more than this value.
proxy.config.http.websocket.max_number_of_connections
Scope CONFIG.TP Type INT.TP Default -1.TP Reloadable Yes.UNINDENT When enabled >= (0), Traffic Server
will enforce a maximum number of simultaneous websocket connections.
NEGATIVE RESPONSE CACHING
proxy.config.http.negative_caching_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT When enabled (1),
Traffic Server caches negative responses (such as 404 Not Found) when a requested page does not
exist. The next time a client requests the same page, Traffic Server serves the negative response
directly from cache.
When disabled (0), Traffic Server will only cache the response if the response has Cache-Control
headers.
The following negative responses are cached by Traffic Server by default:
──────────────────────────────────────────────
HTTP Response Code Description
──────────────────────────────────────────────
204 No Content
──────────────────────────────────────────────
305 Use Proxy
──────────────────────────────────────────────
403 Forbidden
──────────────────────────────────────────────
404 Not Found
──────────────────────────────────────────────
414 URI Too Long
──────────────────────────────────────────────
500 Internal Server Error
──────────────────────────────────────────────
501 Not Implemented
──────────────────────────────────────────────
502 Bad Gateway
──────────────────────────────────────────────
503 Service Unavailable
──────────────────────────────────────────────
504 Gateway Timeout
──────────────────────────────────────────────
│ │ │
--
PROXY USER VARIABLES │ │ │
--
SECURITY │ │ │
--
CACHE CONTROL
proxy.config.cache.enable_read_while_writer
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Specifies when to enable the ability to
read a cached object while another connection is completing the write to cache for that same
object. The goal here is to avoid multiple origin connections for the same cacheable object upon a
cache miss. The possible values of this config are:
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Never read while writing. │
├───────┼───────────────────────────────────────┤
│ 1 │ Always read while writing. │
├───────┼───────────────────────────────────────┤
│ 2 │ Always read while writing, but allow │
│ │ non-cached Range requests through to │
│ │ the origin server. │
└───────┴───────────────────────────────────────┘
The 2 option is useful to avoid delaying requests which can not easily be satisfied by the
partially written response.
Several other configuration values need to be set for this to be usable. See Reducing Origin
Server Requests (Avoiding the Thundering Herd).
proxy.config.cache.read_while_writer.max_retries
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT Specifies how many retries
trafficserver attempts to trigger read_while_writer on failing to obtain the write VC mutex or
until the first fragment is downloaded for the object being downloaded. The retry duration is
specified using the setting proxy.config.cache.read_while_writer_retry.delay
proxy.config.cache.read_while_writer_retry.delay
Scope CONFIG.TP Type INT.TP Default 50.TP Reloadable Yes.UNINDENT Specifies the delay in msec,
trafficserver waits to reattempt read_while_writer on failing to obtain the write VC mutex or
until the first fragment is downloaded for the object being downloaded. Note that trafficserver
implements a progressive delay in reattempting, by doubling the configured duration from the third
reattempt onwards.
proxy.config.cache.force_sector_size
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Forces the use of a specific hardware
sector size, e.g. 4096, for all disks.
SSDs and "advanced format" drives claim a sector size of 512; however, it is safe to force a
higher size than the hardware supports natively as we count atomicity in 512 byte increments.
4096-sized drives formatted for Windows will have partitions aligned on 63 512-byte sector
boundaries, so they will be unaligned. There are workarounds, but you need to do some research on
your particular drive. Some drives have a one-time option to switch the partition boundary, while
others might require reformatting or repartitioning.
To be safe in Linux, you could just use the entire drive: /dev/sdb instead of /dev/sdb1 and
Traffic Server will do the right thing. Misaligned partitions on Linux are auto-detected.
For example: If /sys/block/sda/sda1/alignment_offset is non-zero, ATS will offset reads/writes to
that disk by that alignment. If Linux knows about any existing partition misalignments, ATS will
compensate.
Partitions formatted to support hardware sector size of more than 512 (e.g. 4096) will result in
all objects stored in the cache to be integral multiples of 4096 bytes, which will result in some
waste for small files.
proxy.config.http.cache.http
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT Enables (1) or
disables (0) caching of HTTP requests.
proxy.config.http.cache.post_method
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Enables (1) or
disables (0) caching of HTTP POST requests.
proxy.config.http.cache.generation
Scope CONFIG.TP Type INT.TP Default -1.TP Reloadable Yes.TP Overridable Yes.UNINDENT If set to a value
other than -1, the value if this configuration option is combined with the cache key at cache
lookup time. Changing this value has the effect of an instantaneous, zero-cost cache purge since
it will cause all subsequent cache keys to change. Since this is an overridable configuration, it
can be used to purge the entire cache, or just a specific remap.config rule.
proxy.config.http.doc_in_cache_skip_dns
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When enabled (1), do
not perform origin server DNS resolution if a fresh copy of the requested document is available in
the cache. This setting has no effect if HTTP caching is disabled or if there are IP based ACLs
configured.
Note that plugins, particularly authorization plugins, which use the TS_HTTP_OS_DNS_HOOK hook may
require this configuration variable to be disabled (0) in order to function properly. This will
ensure that the hook will be evaluated and plugin execution will occur even when there is a fresh
copy of the requested object in the cache (which would normally allow the DNS lookup to be
skipped, thus eliminating the hook evaluation).
The downside is that the performance gain by skipping otherwise unnecessary DNS lookups is lost.
Because the variable is overridable, you may retain this performance benefit for portions of your
cache which do not require the use of TS_HTTP_OS_DNS_HOOK plugins, by ensuring that the setting is
first disabled within only the relevant transactions. Refer to the documentation on Configuration
Remap Plugin for more information.
proxy.config.http.cache.ignore_client_no_cache
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When enabled (1),
Traffic Server ignores client requests to bypass the cache. Specifically, Pragma: no-cache,
Cache-Control: no-cache and Cache-Control: no-store in requests are ignored.
proxy.config.http.cache.ims_on_client_no_cache
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT When enabled (1),
Traffic Server issues a conditional request to the origin server if an incoming request has a
No-Cache header.
proxy.config.http.cache.ignore_server_no_cache
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT When enabled (1),
Traffic Server ignores origin server requests to bypass the cache. Specifically, Pragma: no-cache,
Cache-Control: no-cache and Cache-Control: no-store in responses are ignored.
proxy.config.http.cache.cache_responses_to_cookies
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies how
cookies are cached:
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Do not cache any responses to │
│ │ cookies. │
├───────┼───────────────────────────────────────┤
│ 1 │ Cache for any content-type. │
├───────┼───────────────────────────────────────┤
│ 2 │ Cache only for image types. │
├───────┼───────────────────────────────────────┤
│ 3 │ Cache for all but text content-types. │
├───────┼───────────────────────────────────────┤
│ 4 │ Cache for all but text content-types; │
│ │ except origin server response without │
│ │ Set-Cookie or with Cache-Control: │
│ │ public. │
└───────┴───────────────────────────────────────┘
proxy.config.http.cache.ignore_authentication
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT When enabled (1), Traffic Server
ignores WWW-Authentication headers in responses and the responses are cached.
proxy.config.http.cache.cache_urls_that_look_dynamic
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT Enables (1) or
disables (0) caching of URLs that look dynamic, i.e.: URLs that end in .asp or contain a question
mark (?), a semicolon (;), or cgi. For a full list, please refer to
HttpTransact::url_looks_dynamic
proxy.config.http.cache.when_to_revalidate
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies when to
revalidate content:
─────────────────────────────────────────────────
Value Description
─────────────────────────────────────────────────
0 Use cache directives or heuristic
(the default value).
─────────────────────────────────────────────────
1 Stale if heuristic.
─────────────────────────────────────────────────
2 Always stale (always revalidate).
─────────────────────────────────────────────────
3 Never stale.
─────────────────────────────────────────────────
4 Use cache directives or heuristic (0)
unless the request has an
If-Modified-Since header.
┌───────┬───────────────────────────────────────┐
│ │ │
--
RAM CACHE
proxy.config.cache.ram_cache.size
Scope CONFIG.TP Type INT.TP Default -1.UNINDENT By default the RAM cache size is automatically
determined, based on disk cache size; approximately 10 MB of RAM cache per GB of disk cache.
Alternatively, it can be set to a fixed value such as 20GB (21474836480)
proxy.config.cache.ram_cache_cutoff
Scope CONFIG.TP Type INT.TP Default 4194304.UNINDENT Objects greater than this size will not be kept in
the RAM cache. This should be set high enough to keep objects accessed frequently in memory in
order to improve performance. 4MB (4194304)
proxy.config.cache.ram_cache.algorithm
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Two distinct RAM caches are supported, the default (1)
being the simpler LRU (Least Recently Used) cache. As an alternative, the CLFUS (Clocked Least
Frequently Used by Size) is also available, by changing this configuration to 0.
proxy.config.cache.ram_cache.use_seen_filter
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enabling this option will filter inserts into the RAM
cache to ensure that they have been seen at least once. For the LRU, this provides scan
resistance. Note that CLFUS already requires that a document have history before it is inserted,
so for CLFUS, setting this option means that a document must be seen three times before it is
added to the RAM cache.
proxy.config.cache.ram_cache.compress
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT The CLFUS RAM cache also supports an optional in-memory
compression. This is not to be confused with Content-Encoding: gzip compression. The RAM cache
compression is intended to try to save space in the RAM, and is not visible to the User-Agent
(client).
Possible values are:
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ No compression │
├───────┼───────────────────────────────────────┤
│ 1 │ Fastlz (extremely fast, relatively │
│ │ low compression) │
├───────┼───────────────────────────────────────┤
│ 2 │ Libz (moderate speed, reasonable │
│ │ compression) │
├───────┼───────────────────────────────────────┤
│ 3 │ Liblzma (very slow, high compression) │
└───────┴───────────────────────────────────────┘
Compression runs on task threads. To use more cores for RAM cache compression, increase
proxy.config.task_threads.
HEURISTIC EXPIRATION
proxy.config.http.cache.heuristic_min_lifetime
Scope CONFIG.TP Type INT.TP Default 3600.TP Reloadable Yes.TP Overridable Yes.UNINDENT The minimum
amount of time, in seconds, an HTTP object without an expiration date can remain fresh in the
cache before is considered to be stale.
proxy.config.http.cache.heuristic_max_lifetime
Scope CONFIG.TP Type INT.TP Default 86400.TP Reloadable Yes.TP Overridable Yes.UNINDENT The maximum
amount of time, in seconds, an HTTP object without an expiration date can remain fresh in the
cache before is considered to be stale.
proxy.config.http.cache.heuristic_lm_factor
Scope CONFIG.TP Type FLOAT.TP Default 0.10.TP Reloadable Yes.TP Overridable Yes.UNINDENT The aging
factor for freshness computations. Traffic Server stores an object for this percentage of the time
that elapsed since it last changed.
DYNAMIC CONTENT & CONTENT NEGOTIATION
proxy.config.http.cache.open_read_retry_time
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The number of milliseconds a cacheable request will wait before requesting the object from cache if an
equivalent request is in flight.
proxy.config.http.cache.max_open_read_retries
Scope CONFIG.TP Type INT.TP Default -1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The number of times to attempt fetching an object from cache if there was an equivalent request in
flight.
proxy.config.http.cache.max_open_write_retries
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT
The number of times to attempt a cache open write upon failure to get a write lock.
This config is ignored when proxy.config.http.cache.open_write_fail_action is set to 5.
proxy.config.http.cache.open_write_fail_action
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT
This setting indicates the action taken on failing to obtain the cache open write lock on either a
cache miss or a cache hit stale. This typically happens when there is more than one request to the
same cache object simultaneously. During such a scenario, all but one (which goes to the origin)
request is served either a stale copy or an error depending on this setting.
───────────────────────────────────────────────────────
Value Description
───────────────────────────────────────────────────────
0 Default. Disable cache and go to
origin server.
───────────────────────────────────────────────────────
1 Return a 502 error on a cache miss.
───────────────────────────────────────────────────────
2 Serve stale if object's age is under
proxy.config.http.cache.max_stale_age.
Otherwise, go to origin server.
───────────────────────────────────────────────────────
3 Return a 502 error on a cache miss or
serve stale on a cache revalidate if
object's age is under
proxy.config.http.cache.max_stale_age.
Otherwise, go to origin server.
───────────────────────────────────────────────────────
4 Return a 502 error on either a cache
miss or on a revalidation.
───────────────────────────────────────────────────────
5 Retry Cache Read on a Cache Write Lock
failure. This option together with
proxy.config.cache.enable_read_while_writer
configuration allows to collapse
concurrent requests without a need for
any plugin. Make sure to configure
the Read While Writer feature
correctly. Note that this option may
result in CACHE_LOOKUP_COMPLETE HOOK
being called back more than once.
┌───────┬─────────────────────────────────────────────┐
│ │ │
--
DNS │ │ │
--
HOSTDB
proxy.config.hostdb.lookup_timeout
Scope CONFIG.TP Type INT.TP Default 30.TP Units seconds.TP Reloadable Yes.UNINDENT Time to wait for a
DNS response in seconds.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.hostdb.serve_stale_for
Scope CONFIG.TP Type INT.TP Default *NONE*.TP Units seconds.TP Reloadable Yes.UNINDENT The number of
seconds for which to use a stale NS record while initiating a background fetch for the new data.
If not set then stale records are not served.
proxy.config.hostdb.max_size
Scope CONFIG.TP Type INT.TP Default 10737418240.TP Units bytes.UNINDENT The maximum amount of space (in
bytes) allocated to hostdb. Setting this value to -1 will disable size limit enforcement.
proxy.config.hostdb.max_count
Scope CONFIG.TP Type INT.TP Default -1.UNINDENT The maximum number of entries that can be stored in
hostdb. A value of -1 disables item count limit enforcement.
NOTE:
For values above 200000, you must increase proxy.config.hostdb.max_size by at least 44 bytes per
entry.
proxy.config.hostdb.round_robin_max_count
Scope CONFIG.TP Type INT.TP Default 16.UNINDENT The maximum count of DNS answers per round robin hostdb
record. The default variable is 16.
proxy.config.hostdb.ttl_mode
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT A host entry will eventually time out
and be discarded. This variable controls how that time is calculated. A DNS request will return a
TTL value and an internal value can be set with proxy.config.hostdb.timeout. This variable
determines which value will be used.
┌───────┬───────────────────────────────────────┐
│ Value │ TTL │
├───────┼───────────────────────────────────────┤
│ 0 │ The TTL from the DNS response. │
├───────┼───────────────────────────────────────┤
│ 1 │ The internal timeout value. │
├───────┼───────────────────────────────────────┤
│ 2 │ The smaller of the DNS and internal │
│ │ TTL values. The internal timeout │
│ │ value becomes a maximum TTL. │
├───────┼───────────────────────────────────────┤
│ 3 │ The larger of the DNS and internal │
│ │ TTL values. The internal timeout │
│ │ value become a minimum TTL. │
└───────┴───────────────────────────────────────┘
proxy.config.hostdb.timeout
Scope CONFIG.TP Type INT.TP Default 86400.TP Units seconds.TP Reloadable Yes.UNINDENT Internal time to
live value for host DB entries in seconds.
See proxy.config.hostdb.ttl_mode for when this value is used. See Timeout Settings for more
discussion on Traffic Server timeouts.
proxy.config.hostdb.fail.timeout
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Time to live value for "failed" hostdb lookups.
NOTE:
HostDB considers any response that does not contain a response to the query a failure. This means
"failure" responses (such as SOA) are subject to this timeout
proxy.config.hostdb.strict_round_robin
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Set host resolution to use strict round
robin.
When this and proxy.config.hostdb.timed_round_robin are both disabled (set to 0), Traffic Server
always uses the same origin server for the same client, for as long as the origin server is
available. Otherwise if this is set then IP address is rotated on every request. This setting
takes precedence over proxy.config.hostdb.timed_round_robin.
proxy.config.hostdb.timed_round_robin
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Set host resolution to use timed round
robin.
When this and proxy.config.hostdb.strict_round_robin are both disabled (set to 0), Traffic Server
always uses the same origin server for the same client, for as long as the origin server is
available. Otherwise if this is set to N the IP address is rotated if more than N seconds have
passed since the first time the current address was used.
proxy.config.hostdb.host_file.path
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT Set the file path for an external host file.
If this is set (non-empty) then the file is presumed to be a hosts file in the standard . It is
read and the entries there added to the HostDB. The file is periodically checked for a more recent
modification date in which case it is reloaded. The interval is set with
proxy.config.hostdb.host_file.interval.
While not technically reloadable, the value is read every time the file is to be checked so that
if changed the new value will be used on the next check and the file will be treated as modified.
proxy.config.hostdb.host_file.interval
Scope CONFIG.TP Type INT.TP Default 86400.TP Units seconds.TP Reloadable Yes.UNINDENT Set the file
changed check timer for proxy.config.hostdb.host_file.path.
The file is checked every this many seconds to see if it has changed. If so the HostDB is updated
with the new values in the file.
proxy.config.hostdb.partitions
Scope CONFIG.TP Type INT.TP Default 64.UNINDENT The number of partitions for hostdb. If you are seeing
lock contention within hostdb's cache (due to a large number of records) you can increase the
number of partitions
proxy.config.hostdb.ip_resolve
Scope CONFIG.TP Type STRING.TP Default NULL.TP Overridable Yes.UNINDENT Set the host resolution style.
This is an ordered list of keywords separated by semicolons that specify how a host name is to be
resolved to an IP address. The keywords are case insensitive.
┌─────────┬───────────────────────────────────────┐
│ Keyword │ Description │
├─────────┼───────────────────────────────────────┤
│ ipv4 │ Resolve to an IPv4 address. │
├─────────┼───────────────────────────────────────┤
│ ipv6 │ Resolve to an IPv6 address. │
├─────────┼───────────────────────────────────────┤
│ client │ Resolve to the same family as the │
│ │ client IP address. │
├─────────┼───────────────────────────────────────┤
│ only │ Stop resolving. │
└─────────┴───────────────────────────────────────┘
The order of the keywords is critical. When a host name needs to be resolved it is resolved in
same order as the keywords. If a resolution fails, the next option in the list is tried. The
keyword only means to give up resolution entirely. The keyword list has a maximum length of three
keywords, more are never needed. By default there is an implicit ipv4;ipv6 attached to the end of
the string unless the keyword only appears.
Example
Use the incoming client family, then try IPv4 and IPv6.
client;ipv4;ipv6
Because of the implicit resolution this can also be expressed as just
client
Example
Resolve only to IPv4.
ipv4;only
Example
Resolve only to the same family as the client (do not permit cross family transactions).
client;only
This value is a global default that can be overridden by proxy.config.http.server_ports.
NOTE:
This style is used as a convenience for the administrator. During a resolution the resolution order
will be one family, then possibly the other. This is determined by changing client to ipv4 or ipv6
based on the client IP address and then removing duplicates.
IMPORTANT:
This option has no effect on outbound transparent connections The local IP address used in the
connection to the origin server is determined by the client, which forces the IP address family of the
address used for the origin server. In effect, outbound transparent connections always use a
resolution style of "client".
proxy.config.hostdb.verify_after
Scope CONFIG.TP Type INT.TP Default 720.UNINDENT Set the interval (in seconds) in which to re-query DNS
regardless of TTL status.
proxy.config.hostdb.filename
Scope CONFIG.TP Type STRING.TP Default host.db.UNINDENT The filename to persist hostdb to on disk.
proxy.config.cache.hostdb.sync_frequency
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Set the frequency (in seconds) to sync hostdb to disk. If
set to zero (default as of v9.0.0), we won't sync to disk ever.
Note: hostdb is synced to disk on a per-partition basis (of which there are 64). This means that
the minimum time to sync all data to disk is proxy.config.cache.hostdb.sync_frequency * 64
LOGGING CONFIGURATION
proxy.config.log.logging_enabled
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.UNINDENT Enables and disables event logging:
┌───────┬───────────────────────────────────────┐
│ Value │ Effect │
├───────┼───────────────────────────────────────┤
│ 0 │ Logging disabled. │
├───────┼───────────────────────────────────────┤
│ 1 │ Log errors only. │
├───────┼───────────────────────────────────────┤
│ 2 │ Log transactions only. │
├───────┼───────────────────────────────────────┤
│ 3 │ Dual logging (errors and │
│ │ transactions). │
└───────┴───────────────────────────────────────┘
Refer to Logging for more information on event logging.
proxy.config.log.max_secs_per_buffer
Scope CONFIG.TP Type INT.TP Default 5.TP Reloadable Yes.UNINDENT The maximum amount of time before data
in the buffer is flushed to disk.
NOTE:
The effective lower bound to this config is whatever proxy.config.log.periodic_tasks_interval is set
to.
proxy.config.log.max_space_mb_for_logs
Scope CONFIG.TP Type INT.TP Default 25000.TP Units megabytes.TP Reloadable Yes.UNINDENT The amount of
space allocated to the logging directory (in MB). The headroom amount specified by
proxy.config.log.max_space_mb_headroom is taken from this space allocation.
NOTE:
All files in the logging directory contribute to the space used, even if they are not log files.
proxy.config.log.max_space_mb_headroom
Scope CONFIG.TP Type INT.TP Default 1000.TP Units megabytes.TP Reloadable Yes.UNINDENT The tolerance for
the log space limit (in megabytes). If the variable proxy.config.log.auto_delete_rolled_files is
set to 1 (enabled), then auto-deletion of log files is triggered when the amount of free space
available in the logging directory is less than the value specified here.
proxy.config.log.hostname
Scope CONFIG.TP Type STRING.TP Default localhost.TP Reloadable Yes.UNINDENT The hostname of the machine
running Traffic Server.
proxy.config.log.logfile_dir
Scope CONFIG.TP Type STRING.TP Default var/log/trafficserver.TP Reloadable Yes.UNINDENT The path to the
logging directory. This can be an absolute path or a path relative to the PREFIX directory in
which Traffic Server is installed.
NOTE:
The directory you specify must already exist.
proxy.config.log.logfile_perm
Scope CONFIG.TP Type STRING.TP Default rw-r--r--.TP Reloadable Yes.UNINDENT The log file permissions.
The standard UNIX file permissions are used (owner, group, other). Permissible values are:
┌───────┬─────────────────────┐
│ Value │ Description │
├───────┼─────────────────────┤
│ - │ No permissions. │
├───────┼─────────────────────┤
│ r │ Read permission. │
├───────┼─────────────────────┤
│ w │ Write permission. │
├───────┼─────────────────────┤
│ x │ Execute permission. │
└───────┴─────────────────────┘
Permissions are subject to the umask settings for the Traffic Server process. This means that a
umask setting of 002 will not allow write permission for others, even if specified in the
configuration file. Permissions for existing log files are not changed when the configuration is
modified.
proxy.config.log.rolling_enabled
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Specifies how log files are rolled. You
can specify the following values:
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Disables log file rolling. │
├───────┼───────────────────────────────────────┤
│ 1 │ Enables log file rolling at specific │
│ │ intervals during the day (specified │
│ │ with the │
│ │ proxy.config.log.rolling_interval_sec │
│ │ and │
│ │ proxy.config.log.rolling_offset_hr │
│ │ variables). │
├───────┼───────────────────────────────────────┤
│ 2 │ Enables log file rolling when log │
│ │ files reach a specific size │
│ │ (specified with │
│ │ proxy.config.log.rolling_size_mb). │
├───────┼───────────────────────────────────────┤
│ 3 │ Enables log file rolling at specific │
│ │ intervals during the day or when log │
│ │ files reach a specific size │
│ │ (whichever occurs first). │
├───────┼───────────────────────────────────────┤
│ 4 │ Enables log file rolling at specific │
│ │ intervals during the day when log │
│ │ files reach a specific size (i.e. at │
│ │ a specified time if the file is of │
│ │ the specified size). │
└───────┴───────────────────────────────────────┘
proxy.config.log.rolling_interval_sec
Scope CONFIG.TP Type INT.TP Default 86400.TP Reloadable Yes.UNINDENT The log file rolling interval, in
seconds. The minimum value is 60 (1 minute). The maximum, and default, value is 86400 seconds (one
day).
NOTE:
If you start Traffic Server within a few minutes of the next rolling time, then rolling might not
occur until the next rolling time.
proxy.config.log.rolling_offset_hr
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT The file rolling offset hour. The hour
of the day that starts the log rolling period.
proxy.config.log.rolling_size_mb
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT The size, in megabytes, that log files
must reach before rolling takes place. The minimum value for this setting is 10.
proxy.config.log.rolling_min_count
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies the minimum count of rolled
(event) logs to keep. This value will be used to decide the order of auto-deletion (if enabled). A
default value of 0 means auto-deletion will try to keep logs as much as possible. This value can
be and should be overridden in logging.yaml. See Log Rotation and Retention for guidance.
proxy.config.log.rolling_max_count
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies the maximum count of rolled
output logs to keep. This value will be used by the auto-deletion (if enabled) to trim the number
of rolled log files every time the log is rolled. A default value of 0 means auto-deletion will
not try to limit the number of output logs. See Log Rotation and Retention for an use-case for
this option.
proxy.config.log.rolling_allow_empty
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT While rolling default behavior is to
rename, close and re-open the log file only when/if there is something to log to the log file.
This option opens a new log file right after rolling even if there is nothing to log (i.e. nothing
to be logged due to lack of requests to the server) which may lead to 0-sized log files while
rolling. See Log Rotation and Retention for an use-case for this option.
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ No empty log files created and rolled │
│ │ if there was nothing to log │
├───────┼───────────────────────────────────────┤
│ 1 │ Allow empty log files to be created │
│ │ and rolled even if there was nothing │
│ │ to log │
└───────┴───────────────────────────────────────┘
proxy.config.log.auto_delete_rolled_files
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Enables (1) or disables (0) automatic
deletion of rolled files.
proxy.config.log.sampling_frequency
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Configures Traffic Server to log only a
sample of transactions rather than every transaction. You can specify the following values:
┌───────┬───────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────┤
│ 1 │ Log every transaction. │
├───────┼───────────────────────────────┤
│ 2 │ Log every second transaction. │
├───────┼───────────────────────────────┤
│ 3 │ Log every third transaction. │
├───────┼───────────────────────────────┤
│ n │ ... and so on... │
└───────┴───────────────────────────────┘
proxy.config.log.periodic_tasks_interval
Scope CONFIG.TP Type INT.TP Default 5.TP Units seconds.TP Reloadable Yes.UNINDENT How often Traffic
Server executes log related periodic tasks, in seconds
proxy.config.log.proxy.config.log.throttling_interval_msec
Scope CONFIG.TP Type INT.TP Default 60000.TP Units milliseconds.TP Reloadable Yes.UNINDENT The minimum
amount of milliseconds between repeated throttled Traffic Server log events. A value of 0 implies
no throttling. Note that for performance reasons only certain logs are compiled with throttling
applied to them.
Throttling is applied to all log events for a particular message which is emitted within its
throttling interval. That is, once a throttled log is emitted, none will be emitted until the next
log event for that message which occurs outside of this configured interval. As mentioned above,
this message is applied not broadly but rather to potentially noisy log messages, such as ones
that might occur thousands of times a second under certain error conditions. Once the next log
event occurs outside of its interval, a summary message is printed conveying how many messages of
that type were throttled since the last time it was emitted.
It is possible that a log is emitted, followed by more of its type in an interval, then none are
emitted after that. Be aware this would result in no summary log message for that interval until
the message is emitted again outside of the throttled interval.
proxy.config.http.slow.log.threshold
Scope CONFIG.TP Type INT.TP Default 0.TP Units milliseconds.TP Reloadable Yes.UNINDENT If set to a
non-zero value N then any connection that takes longer than N milliseconds from accept to
completion will cause its timing stats to be written to the debugging log file. This is
identifying data about the transaction and all of the transaction milestones.
proxy.config.http2.connection.slow.log.threshold
Scope CONFIG.TP Type INT.TP Default 0.TP Units milliseconds.TP Reloadable Yes.UNINDENT If set to a
non-zero value N then any HTTP/2 connection that takes longer than N milliseconds from open to
close will cause its timing stats to be written to the debugging log file. This is identifying
data about the transaction and all of the transaction milestones.
proxy.config.http2.stream.slow.log.threshold
Scope CONFIG.TP Type INT.TP Default 0.TP Units milliseconds.TP Reloadable Yes.UNINDENT If set to a
non-zero value N then any HTTP/2 stream that takes longer than N milliseconds from open to close
will cause its timing stats to be written to the debugging log file. This is identifying data
about the transaction and all of the transaction milestones.
proxy.config.log.config.filename
Scope CONFIG.TP Type STRING.TP Default logging.yaml.TP Reloadable Yes.TP Deprecated Yes.UNINDENT This
configuration value specifies the path to the logging.yaml configuration file. If this is a
relative path, Traffic Server loads it relative to the SYSCONFDIR directory.
proxy.config.log.max_line_size
Scope CONFIG.TP Type INT.TP Default 9216.TP Units bytes.UNINDENT This controls the maximum line length
for ASCII formatted log entries. This applies to ASCII_PIPE and ASCII file logs, unless
proxy.config.log.ascii_buffer_size is also specified and the value of ascii_buffer_size is larger
than max_line_size: in that case, max_line_size only applies to ASCII_PIPE logs while
ascii_buffer_size will apply to ASCII (non-pipe) log files.
proxy.config.log.ascii_buffer_size
Scope CONFIG.TP Type INT.TP Default 36864.TP Units bytes.UNINDENT This controls the maximum line length
for ASCII formatted log entries that are non-pipe log files. If this value is smaller than
proxy.config.log.max_line_size, then the latter will be used for both ASCII and ASCII_PIPE log
files. If both max_line_size and ascii_buffer_size are set, then max_line_size will be used for
ASCII_PIPE logs while ascii_buffer_size will be used for ASCII (non-pipe) log files. This all
might seem complicated, but just keep in mind that the intention of ascii_buffer_size is to simply
provide a way for the user to configure different ASCII and ASCII_PIPE maximum line lengths.
proxy.config.log.log_buffer_size
Scope CONFIG.TP Type INT.TP Default 9216.TP Units bytes.TP Reloadable Yes.UNINDENT This is an orthogonal
mechanism from proxy.config.log.max_line_size and proxy.config.log.ascii_buffer_size for limiting
line length size by constraining the log entry buffer to a particular amount of memory. Unlike
the above two configurations, log_buffer_size applies to both binary and ASCII log file entries.
For ASCII log files, if a maximum log size is set via both the above mechanisms and by
log_buffer_size, then the smaller of the two configurations will be applied to the line length.
DIAGNOSTIC LOGGING CONFIGURATION
proxy.config.diags.output.diag
Scope CONFIG.TP Type STRING.TP Default E.UNINDENT
proxy.config.diags.output.debug
Scope CONFIG.TP Type STRING.TP Default E.UNINDENT
proxy.config.diags.output.status
Scope CONFIG.TP Type STRING.TP Default L.UNINDENT
proxy.config.diags.output.note
Scope CONFIG.TP Type STRING.TP Default L.UNINDENT
proxy.config.diags.output.warning
Scope CONFIG.TP Type STRING.TP Default L.UNINDENT
proxy.config.diags.output.error
Scope CONFIG.TP Type STRING.TP Default SL.UNINDENT
proxy.config.diags.output.fatal
Scope CONFIG.TP Type STRING.TP Default SL.UNINDENT
proxy.config.diags.output.alert
Scope CONFIG.TP Type STRING.TP Default L.UNINDENT
proxy.config.diags.output.emergency
Scope CONFIG.TP Type STRING.TP Default SL.UNINDENT The diagnostic output configuration variables control
where Traffic Server should log diagnostic output. Messages at each diagnostic level can be
directed to any combination of diagnostic destinations. Valid diagnostic message destinations
are:
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ O │ Log to standard output. │
├───────┼───────────────────────────────────────┤
│ E │ Log to standard error. │
├───────┼───────────────────────────────────────┤
│ S │ Log to syslog. │
├───────┼───────────────────────────────────────┤
│ L │ Log to diags.log (with the filename │
│ │ configurable via │
│ │ proxy.config.diags.logfile.filename). │
└───────┴───────────────────────────────────────┘
Example
To log debug diagnostics to both syslog and diags.log:
CONFIG proxy.config.diags.output.debug STRING SL
proxy.config.diags.show_location
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Annotates diagnostic messages with the source code
location. Set to 1 to enable for Debug() messages only. Set to 2 to enable for all messages.
proxy.config.diags.debug.enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT When set to 1, enables logging for
diagnostic messages whose log level is diag or debug.
When set to 2, interprets the proxy.config.diags.debug.client_ip setting determine whether
diagnostic messages are logged.
proxy.config.diags.debug.client_ip
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT if proxy.config.diags.debug.enabled is set to 2,
this value is tested against the source IP of the incoming connection. If there is a match, all
the diagnostic messages for that connection and the related outgoing connection will be logged.
proxy.config.diags.debug.tags
Scope CONFIG.TP Type STRING.TP Default http|dns.UNINDENT Each Traffic Server diag and debug level
message is annotated with a subsystem tag. This configuration contains an anchored regular
expression that filters the messages based on the tag. The expressions are prefix matched which
creates an implicit .* at the end. Therefore the default value http|dns will match tags such as
http, http_hdrs, dns, and dns_recv.
Some commonly used debug tags are:
┌────────────┬───────────────────────────────────────┐
│ Tag │ Subsystem usage │
├────────────┼───────────────────────────────────────┤
│ dns │ DNS query resolution │
├────────────┼───────────────────────────────────────┤
│ http_hdrs │ Logs the headers for HTTP requests │
│ │ and responses │
├────────────┼───────────────────────────────────────┤
│ privileges │ Privilege elevation │
├────────────┼───────────────────────────────────────┤
│ ssl │ TLS termination and certificate │
│ │ processing │
└────────────┴───────────────────────────────────────┘
Traffic Server plugins will typically log debug messages using the TSDebug() API, passing the
plugin name as the debug tag.
proxy.config.diags.debug.throttling_interval_msec
Scope CONFIG.TP Type INT.TP Default 0.TP Units milliseconds.TP Reloadable Yes.UNINDENT The minimum
amount of milliseconds between repeated Traffic Server diag and debug log events. A value of 0
implies no throttling. All diags and debug logs are compiled with throttling applied to them.
For details about how log throttling works, see log.throttling_interval_msec.
proxy.config.diags.logfile.filename
Scope CONFIG.TP Type STRING.TP Default diags.log.UNINDENT The name of the file to which Traffic Server
diagnostic logs will be emitted. For information on the diagnostic log file, see diags.log. For
the configurable parameters concerning what log content is emitted to diags.log, see the
Diagnostic Output Configuration Variables above.
If this is set to stdout or stderr, then all diagnostic logging will go to the stdout or stderr
stream, respectively.
proxy.config.error.logfile.filename
Scope CONFIG.TP Type STRING.TP Default error.log.UNINDENT The name of the file to which Traffic Server
transaction error logs will be emitted. For more information on these log messages, see
error.log.
If this is set to stdout or stderr, then all transaction error logging will go to the stdout or
stderr stream, respectively.
proxy.config.diags.logfile_perm
Scope CONFIG.TP Type STRING.TP Default rw-r--r--.UNINDENT The log file permissions. The standard UNIX
file permissions are used (owner, group, other). Permissible values are:
┌───────┬─────────────────────┐
│ Value │ Description │
├───────┼─────────────────────┤
│ - │ No permissions. │
├───────┼─────────────────────┤
│ r │ Read permission. │
├───────┼─────────────────────┤
│ w │ Write permission. │
├───────┼─────────────────────┤
│ x │ Execute permission. │
└───────┴─────────────────────┘
Permissions are subject to the umask settings for the Traffic Server process. This means that a
umask setting of 002 will not allow write permission for others, even if specified in the
configuration file. Permissions for existing log files are not changed when the configuration is
modified.
proxy.config.diags.logfile.rolling_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies how the diagnostics log is
rolled. You can specify the following values:
┌───────┬───────────────────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────────────────┤
│ 0 │ Disables diagnostics log rolling. │
├───────┼───────────────────────────────────────────────────┤
│ 1 │ Enables diagnostics log rolling at │
│ │ specific intervals (specified with │
│ │ proxy.config.diags.logfile.rolling_interval_sec). │
│ │ The "clock" starts ticking on Traffic │
│ │ Server startup. │
├───────┼───────────────────────────────────────────────────┤
│ 2 │ Enables diagnostics log rolling when the │
│ │ diagnostics log reaches a specific size │
│ │ (specified with │
│ │ proxy.config.diags.logfile.rolling_size_mb). │
├───────┼───────────────────────────────────────────────────┤
│ 3 │ Enables diagnostics log rolling at specific │
│ │ intervals or when the diagnostics log reaches a │
│ │ specific size (whichever occurs first). │
└───────┴───────────────────────────────────────────────────┘
proxy.config.diags.logfile.rolling_interval_sec
Scope CONFIG.TP Type INT.TP Default 3600.TP Units seconds.TP Reloadable Yes.UNINDENT Specifies how often
the diagnostics log is rolled, in seconds. The timer starts on Traffic Server startup.
proxy.config.diags.logfile.rolling_size_mb
Scope CONFIG.TP Type INT.TP Default 100.TP Units megabytes.TP Reloadable Yes.UNINDENT Specifies at what
size to roll the diagnostics log at.
proxy.config.diags.logfile.rolling_min_count
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Specifies the minimum count of rolled
diagnostic logs to keep. This value will be used to decide the order of auto-deletion (if
enabled). A default value of 0 means auto-deletion will try to keep diagnostic logs as much as
possible. See Log Rotation and Retention for guidance.
REVERSE PROXY
proxy.config.reverse_proxy.enabled
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Enables (1) or disables (0) HTTP
reverse proxy.
proxy.config.header.parse.no_host_url_redirect
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT The URL to which to redirect
requests with no host headers (reverse proxy).
URL REMAP RULES
proxy.config.url_remap.filename
Scope CONFIG.TP Type STRING.TP Default remap.config.TP Deprecated Yes.UNINDENT Sets the name of the
remap.config file.
proxy.config.url_remap.remap_required
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT Set this variable to 1 if you want
Traffic Server to serve requests only from origin servers listed in the mapping rules of the
remap.config file. If a request does not match, then the browser will receive an error.
proxy.config.url_remap.pristine_host_hdr
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Set this variable to
1 if you want to retain the client host header in a request during remapping.
SSL TERMINATION
proxy.config.ssl.server.cipher_suite
Scope CONFIG.TP Type STRING.TP Default <see notes>.UNINDENT Configures the set of encryption, digest,
authentication, and key exchange algorithms provided by OpenSSL which Traffic Server will use for
SSL connections. For the list of algorithms and instructions on constructing an appropriately
formatting cipher_suite string, see OpenSSL Ciphers.
The current default is:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-CCM8:AES128-CCM8:AES256-CCM:AES128-CCM:AES256-SHA256:AES128-SHA2
proxy.config.ssl.client.cipher_suite
Scope CONFIG.TP Type STRING.TP Default <See notes under proxy.config.ssl.server.cipher_suite.>.UNINDENT
Configures the cipher_suite which Traffic Server will use for SSL connections to origin or next
hop. This currently defaults to:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:DHE-DSS-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:RSA-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:RSA-PSK-ARIA256-GCM-SHA384:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-DSS-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:RSA-PSK-AES128-GCM-SHA256:RSA-PSK-ARIA128-GCM-SHA256:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:AES128-SHA256:CAMELLIA128-SHA256
proxy.config.ssl.server.TLSv1_3.cipher_suites
Scope CONFIG.TP Type STRING.TP Default <See notes>.UNINDENT Configures the pair of the AEAD algorithm
and hash algorithm to be used with HKDF provided by OpenSSL which Traffic Server will use for
TLSv1.3 connections. For the list of algorithms and instructions, see The -ciphersuites section of
OpenSSL Ciphers.
The current default value is:
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
This configuration works with OpenSSL v1.1.1 and above.
proxy.config.ssl.server.honor_cipher_order
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT By default (1) Traffic Server will use the server's
cipher suites preferences instead of the client preferences. By disabling it (0) Traffic Server
will use client's cipher suites preferences.
proxy.config.ssl.server.prioritize_chacha
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT By enabling it (1) Traffic Server will temporarily
reprioritize ChaCha20-Poly1305 ciphers to the top of the server cipher list if a ChaCha20-Poly1305
cipher is at the top of the client cipher list.
This configuration works with OpenSSL v1.1.1 and above.
proxy.config.ssl.client.TLSv1_3.cipher_suites
Scope CONFIG.TP Type STRING.TP Default <See notes under
proxy.config.ssl.server.tls.cipher_suites>.UNINDENT Configures the cipher_suites which Traffic
Server will use for TLSv1.3 connections to origin or next hop. This configuration works with
OpenSSL v1.1.1 and above.
The current default is:
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
proxy.config.ssl.server.groups_list
Scope CONFIG.TP Type STRING.TP Default <See notes>.UNINDENT Configures the list of supported groups
provided by OpenSSL which Traffic Server will be used to determine the set of shared groups. The
value is a colon separated list of group NIDs or names, for example "P-521:P-384:P-256". For
instructions, see "Groups" section of TLS1.3 - OpenSSLWiki.
The current default value with OpenSSL is:
X25519:P-256:X448:P-521:P-384
This configuration works with OpenSSL v1.0.2 and above.
proxy.config.ssl.client.groups_list
Scope CONFIG.TP Type STRING.TP Default <See notes under proxy.config.ssl.server.groups_list.>.UNINDENT
Configures the list of supported groups provided by OpenSSL which Traffic Server will use for the
"key_share" and "supported groups" extension of TLSv1.3 connections. The value is a colon
separated list of group NIDs or names, for example "P-521:P-384:P-256". For instructions, see
"Groups" section of TLS1.3 - OpenSSLWiki.
This configuration works with OpenSSL v1.0.2 and above.
proxy.config.ssl.TLSv1
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) TLSv1.0. If not specified,
disabled by default.
proxy.config.ssl.TLSv1_1
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) TLS v1.1. If not specified,
disabled by default. [Requires OpenSSL v1.0.1 and higher]
NOTE:
In order to enable TLS v1 or v1.1, additional ciphers must be added to
proxy.config.ssl.client.cipher_suite. For example this list would restore the SHA1 (insecure!) cipher
suites suitable for these deprecated TLS versions:
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
proxy.config.ssl.TLSv1_2
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) TLS v1.2. If not specified,
enabled by default. [Requires OpenSSL v1.0.1 and higher]
proxy.config.ssl.TLSv1_3
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) TLS v1.3. If not specified,
enabled by default. [Requires OpenSSL v1.1.1 and higher]
proxy.config.ssl.client.certification_level
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Sets the client certification level:
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Client certificates are ignored. │
│ │ Traffic Server does not verify client │
│ │ certificates during the SSL │
│ │ handshake. Access to Traffic Server │
│ │ depends on Traffic Server │
│ │ configuration options (such as access │
│ │ control lists). │
├───────┼───────────────────────────────────────┤
│ 1 │ Client certificates are optional. If │
│ │ a client has a certificate, then the │
│ │ certificate is validated. If the │
│ │ client does not have a certificate, │
│ │ then the client is still allowed │
│ │ access to Traffic Server unless │
│ │ access is denied through other │
│ │ Traffic Server configuration options. │
├───────┼───────────────────────────────────────┤
│ 2 │ Client certificates are required. The │
│ │ client must be authenticated during │
│ │ the SSL handshake. Clients without a │
│ │ certificate are not allowed to access │
│ │ Traffic Server. │
└───────┴───────────────────────────────────────┘
proxy.config.ssl.server.multicert.filename
Scope CONFIG.TP Type STRING.TP Default ssl_multicert.config.TP Deprecated Yes.UNINDENT The location of
the ssl_multicert.config file, relative to the Traffic Server configuration directory. In the
following example, if the Traffic Server configuration directory is /etc/trafficserver, the
Traffic Server SSL configuration file and the corresponding certificates are located in
/etc/trafficserver/ssl:
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl/ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/ssl
proxy.config.ssl.server.multicert.exit_on_load_fail
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT By default (1), Traffic Server will not start unless all
the SSL certificates listed in the ssl_multicert.config file successfully load. If false (0), SSL
certificate load failures will not prevent Traffic Server from starting.
proxy.config.ssl.server.cert.path
Scope CONFIG.TP Type STRING.TP Default /config.UNINDENT The location of the SSL certificates and chains
used for accepting and validation new SSL sessions. If this is a relative path, it is appended to
the Traffic Server installation PREFIX. All certificates and certificate chains listed in
ssl_multicert.config will be loaded relative to this path.
proxy.config.ssl.server.private_key.path
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The location of the SSL certificate private keys.
Change this variable only if the private key is not located in the SSL certificate file. All
private keys listed in ssl_multicert.config will be loaded relative to this path.
proxy.config.ssl.server.cert_chain.filename
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The name of a file containing a global certificate
chain that should be used with every server certificate. This file is only used if there are
certificates defined in ssl_multicert.config. Unless this is an absolute path, it is loaded
relative to the path specified by proxy.config.ssl.server.cert.path.
proxy.config.ssl.server.dhparams_file
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The name of a file containing a set of
Diffie-Hellman key exchange parameters. If not specified, 2048-bit DH parameters from RFC 5114 are
used. These parameters are only used if a DHE (or EDH) cipher suite has been selected.
proxy.config.ssl.CA.cert.path
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The location of the certificate authority file that
client certificates will be verified against.
proxy.config.ssl.CA.cert.filename
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The filename of the certificate authority that
client certificates will be verified against.
proxy.config.ssl.server.ticket_key.filename
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The filename of the default and global ticket key
for SSL sessions. The location is relative to the proxy.config.ssl.server.cert.path directory. One
way to generate this would be to run head -c48 /dev/urandom | openssl enc -base64 | head -c48 >
file.ticket. Also note that OpenSSL session tickets are sensitive to the version of the
ca-certificates. Once the file is changed with new tickets, use traffic_ctl config reload to begin
using them.
proxy.config.ssl.servername.filename
Scope CONFIG.TP Type STRING.TP Default sni.yaml.TP Deprecated Yes.UNINDENT The filename of the sni.yaml
configuration file. If relative, it is relative to the configuration directory.
proxy.config.ssl.max_record_size
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This configuration specifies the maximum number of bytes
to write into a SSL record when replying over a SSL session. In some circumstances this setting
can improve response latency by reducing buffering at the SSL layer. This setting can have a value
between 0 and 16383 (max TLS record size).
The default of 0 means to always write all available data into a single SSL record.
A value of -1 means TLS record size is dynamically determined. The strategy employed is to use
small TLS records that fit into a single TCP segment for the first ~1 MB of data, but, increase
the record size to 16 KB after that to optimize throughput. The record size is reset back to a
single segment after ~1 second of inactivity and the record size ramping mechanism is repeated
again.
proxy.config.ssl.origin_session_cache
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT This configuration enables the SSL session cache for the
origin server when set to 1.
Setting to 0 disables SSL session cache for the origin server.
proxy.config.ssl.origin_session_cache.size
Scope CONFIG.TP Type INT.TP Default 10240.UNINDENT This configuration specifies the maximum number of
entries the SSL session cache for the origin server may contain.
Setting a value less than or equal to 0 effectively disables SSL session cache for the origin
server.
proxy.config.ssl.session_cache
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT Enables the SSL session cache:
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Disables the session cache entirely. │
├───────┼───────────────────────────────────────┤
│ 1 │ Enables the session cache using │
│ │ OpenSSL's implementation. │
├───────┼───────────────────────────────────────┤
│ 2 │ Default. Enables the session cache │
│ │ using Traffic Server's │
│ │ implementation. This implementation │
│ │ should perform much better than the │
│ │ OpenSSL implementation. │
└───────┴───────────────────────────────────────┘
proxy.config.ssl.session_cache.timeout
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This configuration specifies the lifetime of SSL session
cache entries in seconds. If it is 0, then the SSL library will use a default value, typically 300
seconds. Note: This option has no affect when using the Traffic Server session cache (option 2 in
proxy.config.ssl.session_cache)
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.ssl.session_cache.auto_clear
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT This will set the OpenSSL auto clear flag. Auto clear is
enabled by default with 1 it can be disabled by changing this setting to 0.
proxy.config.ssl.session_cache.size
Scope CONFIG.TP Type INT.TP Default 102400.UNINDENT This configuration specifies the maximum number of
entries the SSL session cache may contain.
proxy.config.ssl.session_cache.num_buckets
Scope CONFIG.TP Type INT.TP Default 256.UNINDENT This configuration specifies the number of buckets to
use with the Traffic Server SSL session cache implementation. The TS implementation is a fixed
size hash map where each bucket is protected by a mutex.
proxy.config.ssl.session_cache.skip_cache_on_bucket_contention
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This configuration specifies the behavior of the Traffic
Server SSL session cache implementation during lock contention on each bucket:
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Default. Don't skip session caching │
│ │ when bucket lock is contented. │
├───────┼───────────────────────────────────────┤
│ 1 │ Disable the SSL session cache for a │
│ │ connection during lock contention. │
└───────┴───────────────────────────────────────┘
proxy.config.ssl.server.session_ticket.enable
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Set to 1 to enable Traffic Server to process TLS tickets
for TLS session resumption.
proxy.config.ssl.server.session_ticket.number
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT This configuration control the number of TLSv1.3 session
tickets that are issued. Take into account that setting the value to 0 will disable session
caching for TLSv1.3 connections.
Lowering this setting to 1 can be interesting when proxy.config.ssl.session_cache is enabled
because otherwise for every new TLSv1.3 connection two session IDs will be inserted in the session
cache. On the other hand, if proxy.config.ssl.session_cache is disabled, using the default value
is recommended. In those scenarios, increasing the number of tickets could be potentially
beneficial for clients performing multiple requests over concurrent TLS connections as per RFC
8446 clients SHOULDN'T reuse TLS Tickets.
For more information see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_num_tickets.html
[Requires OpenSSL v1.1.1 and higher]
proxy.config.ssl.hsts_max_age
Scope CONFIG.TP Type INT.TP Default -1.TP Overridable Yes.UNINDENT This configuration specifies the
max-age value that will be used when adding the Strict-Transport-Security header. The value is in
seconds. A value of 0 will set the max-age value to 0 and should remove the HSTS entry from the
client. A value of -1 will disable this feature and not set the header. This option is only used
for HTTPS requests and the header will not be set on HTTP requests.
proxy.config.ssl.hsts_include_subdomains
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Enables (1) or disables (0) adding the
includeSubdomain value to the Strict-Transport-Security header. proxy.config.ssl.hsts_max_age
needs to be set to a non -1 value for this configuration to take effect.
proxy.config.ssl.allow_client_renegotiation
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT This configuration specifies whether the client is able
to initiate renegotiation of the SSL connection. The default of 0, means the client can't
initiate renegotiation.
proxy.config.ssl.cert.load_elevated
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) elevation of traffic_server
privileges during loading of SSL certificates. By enabling this, SSL certificate files' access
rights can be restricted to help reduce the vulnerability of certificates.
This feature requires Traffic Server to be built with POSIX capabilities enabled.
proxy.config.ssl.handshake_timeout_in
Scope CONFIG.TP Type INT.TP Default 30.UNINDENT When enabled this limits the total duration for the
incoming side SSL handshake.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.ssl.keylog_file
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT If configured, TLS session keys
for TLS connections will be logged to the specified file. This file is formatted in such a way
that it can be conveniently imported into tools such as Wireshark to decrypt packet captures.
This should only be used for debugging purposes since the data in the keylog file can be used to
decrypt the otherwise encrypted traffic. A NULL value for this disables the feature.
This feature is disabled by default.
Client-Related Configuration
proxy.config.ssl.client.verify.server.policy
Scope CONFIG.TP Type STRING.TP Default PERMISSIVE.TP Reloadable Yes.TP Overridable Yes.UNINDENT
Configures Traffic Server to verify the origin server certificate with the Certificate Authority
(CA). This configuration takes a value of DISABLED, PERMISSIVE, or ENFORCED
You can override this global setting on a per domain basis in the sni.yaml file using the
verify_server_policy attribute.
You can also override via the conf_remap plugin. Those changes will take precedence over the
changes in sni.yaml.
DISABLED
Server Certificate will not be verified
PERMISSIVE
The provided certificate will be verified and the connection will be established irrespective of
the verification result. If verification fails the name of the server will be logged.
ENFORCED
Certificate will be verified and the connection will not be established if verification fails.
proxy.config.ssl.client.verify.server.properties
Scope CONFIG.TP Type STRING.TP Default ALL.TP Reloadable Yes.TP Overridable Yes.UNINDENT Configures
Traffic Server for what the default verify callback should check during origin server
verification.
You can override this global setting on a per domain basis in the sni.yaml file using the
verify_server_properties attribute.
You can also override via the conf_remap plugin. Those changes will take precedence over the
changes in .:file:sni.yaml
NONE Check nothing in the standard callback. Rely entirely on plugins to check the certificate.
SIGNATURE
Check only for a valid signature.
NAME Check only that the SNI name is in the certificate.
ALL Check both the signature and the name.
proxy.config.ssl.client.cert.filename
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.TP Overridable Yes.UNINDENT The filename
of SSL client certificate installed on Traffic Server.
proxy.config.ssl.client.cert.path
Scope CONFIG.TP Type STRING.TP Default /config.TP Reloadable Yes.UNINDENT The location of the SSL client
certificate installed on Traffic Server.
proxy.config.ssl.client.private_key.filename
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.TP Overridable Yes.UNINDENT The filename
of the Traffic Server private key. Change this variable only if the private key is not located in
the Traffic Server SSL client certificate file.
proxy.config.ssl.client.private_key.path
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT The location of the Traffic
Server private key. Change this variable only if the private key is not located in the SSL client
certificate file.
proxy.config.ssl.client.CA.cert.filename
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.TP Overridable Yes.UNINDENT The filename
of the certificate authority against which the origin server will be verified.
proxy.config.ssl.client.CA.cert.path
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT Specifies the location of the
certificate authority file against which the origin server will be verified.
proxy.config.ssl.client.sni_policy
Scope CONFIG.TP Type STRING.TP Default NULL.TP Overridable Yes.UNINDENT Indicate how the SNI value for
the TLS connection to the origin is selected.
host This is the default. The value of the Host field in the proxy request is used.
server_name
The SNI value of the inbound TLS connection is used.
remap The remapped upstream name is used.
verify_with_name_source
The value of the Host field in the proxy request is used. In addition, if the names in the server
certificate of the upstream are checked, they are checked against the remapped upstream name, not
the SNI.
@... If the policy starts with the @ character, it is treated as a literal, less the leading @. E.g. if
the policy is "@apache.org" the SNI will be "apache.org".
We have two names that could be used in the transaction host header and the SNI value to the origin.
These could be the host header from the client or the remap host name. Unless you have pristine host
header enabled, these are likely the same values. If sni_policy = host, both the sni and the value of
the Host field to origin will be the same. If sni_policy = remap, the sni value will be the remap host
name and the host header will be the host header from the client.
In addition, We may want to set the SNI and host headers the same (makes some common web servers happy),
but the server certificate for the upstream may have a name that corresponds to the remap name. So
instead of using the SNI name for the name check, we may want to use the remap name. So if sni_policy =
verify_with_name_source, the sni will be the host header value and the name to check in the server
certificate will be the remap header value.
proxy.config.ssl.client.scheme_proto_mismatch_policy
Scope CONFIG.TP Type INT.TP Default 2.TP Overridable Yes.UNINDENT This option controls how Traffic
Server behaves when the client side connection protocol and the client request's scheme do not
match. For example, if enforcement is enabled by setting this value to 2 and the client connection
is a cleartext HTTP connection but the scheme of the URL is https://, then Traffic Server will
emit a warning and return an immediate 400 HTTP response without proxying the request to the
origin.
The default value is 2, meaning that Traffic Server will enforce that the protocol matches the
scheme.
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Disable verification that the │
│ │ protocol and scheme match. │
├───────┼───────────────────────────────────────┤
│ 1 │ Check that the protocol and scheme │
│ │ match, but only emit a warning if │
│ │ they do not. │
├───────┼───────────────────────────────────────┤
│ 2 │ Check that the protocol and scheme │
│ │ match and, if they do not, emit a │
│ │ warning and return an immediate HTTP │
│ │ 400 response. │
└───────┴───────────────────────────────────────┘
proxy.config.ssl.client.TLSv1
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) TLSv1.0 in the ATS client
context. If not specified, enabled by default
proxy.config.ssl.client.TLSv1_1
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) TLSv1_1 in the ATS client
context. If not specified, enabled by default
proxy.config.ssl.client.TLSv1_2
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) TLSv1_2 in the ATS client
context. If not specified, enabled by default
proxy.config.ssl.client.TLSv1_3
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) TLSv1_3 in the ATS client
context. If not specified, enabled by default
proxy.config.ssl.async.handshake.enabled
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables the use of OpenSSL async job during the TLS
handshake. Traffic Server must be build against OpenSSL 1.1 or greater or this to take affect.
Can be useful if using a crypto engine that communicates off chip. The thread will be rescheduled
for other work until the crypto engine operation completes. A test crypto engine that inserts a 5
second delay on private key operations can be found at contrib/openssl/async_engine.c.
proxy.config.ssl.engine.conf_file
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT Specify the location of the OpenSSL config file
used to load dynamic crypto engines. This setting assumes an absolute path. An example config
file is at contrib/openssl/load_engine.cnf.
TLS v1.3 0-RTT Configuration
NOTE:
TLS v1.3 must be enabled in order to utilize 0-RTT early data.
proxy.config.ssl.server.max_early_data
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Specifies the maximum amount of early data in bytes that
is permitted to be sent on a single connection.
The minimum value that enables early data, and the suggested value for this option are both 16384
(16KB).
Setting to 0 effectively disables 0-RTT.
proxy.config.ssl.server.allow_early_data_params
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Set to 1 to allow HTTP parameters on early data requests.
SNI Routing
proxy.config.tunnel.activity_check_period
Scope CONFIG.TP Type INT.TP Default 0.TP Units seconds.UNINDENT Frequency of checking the activity of
SNI Routing Tunnel. Set to 0 to disable monitoring of the activity of the SNI tunnels. The
feature is disabled by default.
proxy.config.tunnel.prewarm
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enable Pre-warming TLS Tunnel. The feature is disabled by
default.
proxy.config.tunnel.prewarm.max_stats_size
Scope CONFIG.TP Type INT.TP Default 100.UNINDENT Max size of dynamic stats for Pre-warming TLS Tunnel.
proxy.config.tunnel.prewarm.algorithm
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT Version of pre-warming algorithm.
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 1 │ Periodical pre-warming only │
├───────┼───────────────────────────────────────┤
│ 2 │ Event based pre-warming + Periodical │
│ │ pre-warming │
└───────┴───────────────────────────────────────┘
proxy.config.tunnel.prewarm.event_period
Scope CONFIG.TP Type INT.TP Default 1000.TP Units milliseconds.UNINDENT Frequency of periodical
pre-warming in milli-seconds.
OCSP STAPLING CONFIGURATION
proxy.config.ssl.ocsp.enabled
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enable OCSP stapling.
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Disables OCSP Stapling. │
├───────┼───────────────────────────────────────┤
│ 1 │ Allows Traffic Server to request SSL │
│ │ certificate revocation status from an │
│ │ OCSP responder. │
└───────┴───────────────────────────────────────┘
proxy.config.ssl.ocsp.cache_timeout
Scope CONFIG.TP Type INT.TP Default 3600.UNINDENT Number of seconds before an OCSP response expires in
the stapling cache.
proxy.config.ssl.ocsp.request_timeout
Scope CONFIG.TP Type INT.TP Default 10.TP Units seconds.UNINDENT Timeout (in seconds) for queries to
OCSP responders.
proxy.config.ssl.ocsp.update_period
Scope CONFIG.TP Type INT.TP Default 60.TP Units seconds.UNINDENT Update period (in seconds) for stapling
caches.
proxy.config.ssl.ocsp.response.path
Scope CONFIG.TP Type STRING.TP Default NULL.UNINDENT The directory path of the prefetched OCSP stapling
responses. Change this variable only if you intend to use and administratively maintain prefetched
OCSP stapling responses. All stapling responses listed in ssl_multicert.config will be loaded
relative to this path.
HTTP/2 CONFIGURATION
proxy.config.http2.max_concurrent_streams_in
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT The maximum number of concurrent
streams per inbound connection.
NOTE:
Reloading this value affects only new HTTP/2 connections, not the ones already established.
proxy.config.http2.min_concurrent_streams_in
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT The minimum number of concurrent
streams per inbound connection. This is used when proxy.config.http2.max_active_streams_in is set
larger than 0.
proxy.config.http2.max_active_streams_in
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Limits the maximum number of connection
wide active streams. When connection wide active streams are larger than this value,
SETTINGS_MAX_CONCURRENT_STREAMS will be reduced to proxy.config.http2.min_concurrent_streams_in.
To disable, set to zero (0).
proxy.config.http2.initial_window_size_in
Scope CONFIG.TP Type INT.TP Default 65535.TP Units bytes.TP Reloadable Yes.UNINDENT The initial window
size for inbound connections.
proxy.config.http2.max_frame_size
Scope CONFIG.TP Type INT.TP Default 16384.TP Units bytes.TP Reloadable Yes.UNINDENT Indicates the size
of the largest frame payload that the sender is willing to receive.
proxy.config.http2.header_table_size
Scope CONFIG.TP Type INT.TP Default 4096.TP Reloadable Yes.UNINDENT The maximum size of the header
compression table used to decode header blocks. This value will be advertised as
SETTINGS_HEADER_TABLE_SIZE.
proxy.config.http2.header_table_size_limit
Scope CONFIG.TP Type INT.TP Default 65536.TP Reloadable Yes.UNINDENT The maximum size of the header
compression table ATS actually use when ATS encodes headers. Setting 0 means ATS doesn't insert
headers into HPACK Dynamic Table, however, headers still can be encoded as indexable
representations. The upper limit is 65536.
proxy.config.http2.max_header_list_size
Scope CONFIG.TP Type INT.TP Default 131072.TP Reloadable Yes.UNINDENT This advisory setting informs a
peer of the maximum size of header list that the sender is prepared to accept blocks. The default
value, which is the unsigned int maximum value in Traffic Server, implies unlimited size.
proxy.config.http2.stream_priority_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enable the experimental HTTP/2 Stream
Priority feature.
proxy.config.http2.active_timeout_in
Scope CONFIG.TP Type INT.TP Default 0.TP Units seconds.TP Reloadable Yes.UNINDENT This is the active
timeout of the http2 connection. It is set when the connection is opened and keeps ticking
regardless of activity level.
The value of 0 specifies that there is no timeout.
proxy.config.http2.accept_no_activity_timeout
Scope CONFIG.TP Type INT.TP Default 120.TP Units seconds.TP Reloadable Yes.UNINDENT Specifies how long
Traffic Server keeps connections to clients open if no activity is received on the connection.
Lowering this timeout can ease pressure on the proxy if misconfigured or misbehaving clients are
opening a large number of connections without submitting requests.
proxy.config.http2.no_activity_timeout_in
Scope CONFIG.TP Type INT.TP Default 120.TP Units seconds.TP Reloadable Yes.UNINDENT Specifies how long
Traffic Server keeps connections to clients open if a transaction stalls. Lowering this timeout
can ease pressure on the proxy if misconfigured or misbehaving clients are opening a large number
of connections without submitting requests.
proxy.config.http2.zombie_debug_timeout_in
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This timeout enables the zombie
debugging feature. If it is non-zero, it sets a zombie event to go off that many seconds in the
future when the HTTP2 session reaches one but not both of the terminating events, i.e received a
close event (via client goaway or timeout) and the number of active streams has gone to zero. If
the event is executed, the Traffic Server process will assert. This mechanism is useful to debug
potential leaks in the HTTP2 Stream and Session processing.
proxy.config.http2.push_diary_size
Scope CONFIG.TP Type INT.TP Default 256.TP Reloadable Yes.UNINDENT Indicates the maximum number of
HTTP/2 server pushes that are remembered per HTTP/2 connection to avoid duplicate pushes on the
same connection. If the maximum number is reached, new entries are not remembered.
proxy.config.http2.stream_error_rate_threshold
Scope CONFIG.TP Type FLOAT.TP Default 0.1.TP Reloadable Yes.UNINDENT This is the maximum stream error
rate Traffic Server allows on an HTTP/2 connection. Traffic Server gracefully closes connections
that have stream error rates above this setting by sending GOAWAY frames.
proxy.config.http2.stream_error_sampling_threshold
Scope CONFIG.TP Type INT.TP Default 10.TP Reloadable Yes.UNINDENT This is the threshold of sampling
stream number to start checking the stream error rate.
proxy.config.http2.max_settings_per_frame
Scope CONFIG.TP Type INT.TP Default 7.TP Reloadable Yes.UNINDENT Specifies how many settings in an
HTTP/2 SETTINGS frame Traffic Server accepts. Clients exceeded this limit will be immediately
disconnected with an error code of ENHANCE_YOUR_CALM.
proxy.config.http2.max_settings_per_minute
Scope CONFIG.TP Type INT.TP Default 14.TP Reloadable Yes.UNINDENT Specifies how many settings in HTTP/2
SETTINGS frames Traffic Server accept for a minute. Clients exceeded this limit will be
immediately disconnected with an error code of ENHANCE_YOUR_CALM.
proxy.config.http2.max_settings_frames_per_minute
Scope CONFIG.TP Type INT.TP Default 14.TP Reloadable Yes.UNINDENT Specifies how many SETTINGS frames
Traffic Server receives for a minute at maximum. Clients exceeded this limit will be immediately
disconnected with an error code of ENHANCE_YOUR_CALM.
proxy.config.http2.max_ping_frames_per_minute
Scope CONFIG.TP Type INT.TP Default 60.TP Reloadable Yes.UNINDENT Specifies how many number of PING
frames Traffic Server receives for a minute at maximum. Clients exceeded this limit will be
immediately disconnected with an error code of ENHANCE_YOUR_CALM.
proxy.config.http2.max_priority_frames_per_minute
Scope CONFIG.TP Type INT.TP Default 120.TP Reloadable Yes.UNINDENT Specifies how many number of PRIORITY
frames Traffic Server receives for a minute at maximum. Clients exceeded this limit will be
immediately disconnected with an error code of ENHANCE_YOUR_CALM. If this is set to 0, the limit
logic is disabled. This limit only will be enforced if proxy.config.http2.stream_priority_enabled
is set to 1.
proxy.config.http2.max_rst_stream_frames_per_minute
Scope CONFIG.TP Type INT.TP Default 200.TP Reloadable Yes.UNINDENT Specifies how many RST_STREAM frames
Traffic Server receives per minute at maximum. Clients exceeding this limit will be immediately
disconnected with an error code of ENHANCE_YOUR_CALM.
proxy.config.http2.max_continuation_frames_per_minute
Scope CONFIG.TP Type INT.TP Default 120.TP Reloadable Yes.UNINDENT Specifies how many CONTINUATION
frames Traffic Server receives per minute at maximum. Clients exceeding this limit will be
immediately disconnected with an error code of ENHANCE_YOUR_CALM.
proxy.config.http2.min_avg_window_update
Scope CONFIG.TP Type FLOAT.TP Default 2560.0.TP Reloadable Yes.UNINDENT Specifies the minimum average
window increment Traffic Server allows. The average will be calculated based on the last 5
WINDOW_UPDATE frames. Clients that send smaller window increments lower than this limit will be
immediately disconnected with an error code of ENHANCE_YOUR_CALM.
proxy.config.http2.write_buffer_block_size
Scope CONFIG.TP Type INT.TP Default 262144.TP Units bytes.TP Reloadable Yes.UNINDENT Specifies the size
of a buffer block that is used for buffering outgoing HTTP/2 frames. The size will be rounded up
based on power of 2.
proxy.config.http2.write_size_threshold
Scope CONFIG.TP Type FLOAT.TP Default 0.5.TP Reloadable Yes.UNINDENT Specifies the size threshold for
triggering write operation for sending HTTP/2 frames. The default value is 0.5 and it measn write
operation is going to be triggered when half or more of the buffer is occupied.
proxy.config.http2.write_time_threshold
Scope CONFIG.TP Type INT.TP Default 100.TP Units milliseconds.TP Reloadable Yes.UNINDENT Specifies the
time threshold for triggering write operation for sending HTTP/2 frames. Write operation will be
triggered at least once every this configured number of millisecond regardless of pending data
size.
proxy.config.http2.default_buffer_water_mark
Scope CONFIG.TP Type INT.TP Default -1.TP Units bytes.TP Reloadable Yes.UNINDENT Specifies the high
water mark for all HTTP/2 frames on an outoging connection. Default is -1 to preserve existing
water marking behavior.
You can override this global setting on a per domain basis in the sni.yaml file using the
http2_buffer_water_mark attribute.
HTTP/3 CONFIGURATION
There is no configuration available yet on this release.
QUIC CONFIGURATION
All configurations for QUIC are still experimental and may be changed or removed in the future without
prior notice.
proxy.config.quic.qlog_dir
Scope CONFIG.TP Type STRING.TP Default NULL.TP Reloadable Yes.UNINDENT
The qlog is enabled when this configuration is not NULL. And will dump the qlog to this dir.
proxy.config.quic.instance_id
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT A static key used for calculating
Stateless Reset Token. All instances in a cluster need to share the same value.
proxy.config.quic.connection_table.size
Scope CONFIG.TP Type INT.TP Default 65521.UNINDENT A size of hash table that stores connection
information.
proxy.config.quic.proxy.config.quic.num_alt_connection_ids
Scope CONFIG.TP Type INT.TP Default 65521.TP Reloadable Yes.UNINDENT A number of alternate Connection
IDs that Traffic Server provides to a peer. It has to be at least 8.
proxy.config.quic.stateless_retry_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enables Stateless Retry.
proxy.config.quic.client.vn_exercise_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enables version negotiation exercise on
origin server connections.
proxy.config.quic.client.cm_exercise_enabled
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enables connection migration exercise
on origin server connections.
proxy.config.quic.server.supported_groups
Scope CONFIG.TP Type STRING.TP Default "P-256:X25519:P-384:P-521".TP Reloadable Yes.UNINDENT Configures
the list of supported groups provided by OpenSSL which will be used to determine the set of shared
groups on QUIC origin server connections.
proxy.config.quic.client.supported_groups
Scope CONFIG.TP Type STRING.TP Default "P-256:X25519:P-384:P-521".TP Reloadable Yes.UNINDENT Configures
the list of supported groups provided by OpenSSL which will be used to determine the set of shared
groups on QUIC client connections.
proxy.config.quic.client.session_file
Scope CONFIG.TP Type STRING.TP Default "".TP Reloadable Yes.UNINDENT Only available for traffic_quic.
If specified, TLS session data will be stored to the file, and will be used for resuming a
session.
proxy.config.quic.no_activity_timeout_in
Scope CONFIG.TP Type INT.TP Default 30000.TP Reloadable Yes.UNINDENT This value will be advertised as
idle_timeout Transport Parameter.
proxy.config.quic.no_activity_timeout_out
Scope CONFIG.TP Type INT.TP Default 30000.TP Reloadable Yes.UNINDENT This value will be advertised as
idle_timeout Transport Parameter.
proxy.config.quic.preferred_address_ipv4
Scope CONFIG.TP Type STRING.TP Default "".TP Reloadable Yes.UNINDENT This value will be advertised as a
part of preferred_address Transport Parameter.
proxy.config.quic.preferred_address_ipv6
Scope CONFIG.TP Type STRING.TP Default "".TP Reloadable Yes.UNINDENT This value will be advertised as a
part of preferred_address Transport Parameter.
proxy.config.quic.initial_max_data_in
Scope CONFIG.TP Type INT.TP Default 65536.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_data Transport Parameter.
proxy.config.quic.initial_max_data_out
Scope CONFIG.TP Type INT.TP Default 65536.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_data Transport Parameter.
proxy.config.quic.max_stream_data_bidi_local_in
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_stream_data_bidi_local Transport Parameter.
proxy.config.quic.max_stream_data_bidi_local_out
Scope CONFIG.TP Type INT.TP Default 4096.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_stream_data_bidi_local Transport Parameter.
proxy.config.quic.max_stream_data_bidi_remote_in
Scope CONFIG.TP Type INT.TP Default 4096.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_stream_data_bidi_remote Transport Parameter.
proxy.config.quic.max_stream_data_bidi_remote_out
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_stream_data_bidi_remote Transport Parameter.
proxy.config.quic.max_stream_data_uni_in
Scope CONFIG.TP Type INT.TP Default 4096.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_stream_data_uni Transport Parameter.
proxy.config.quic.max_stream_data_uni_out
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_stream_data_uni Transport Parameter.
proxy.config.quic.max_streams_bidi_in
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_streams_bidi Transport Parameter.
proxy.config.quic.max_streams_bidi_out
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_streams_bidi Transport Parameter.
proxy.config.quic.max_streams_uni_in
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_streams_uni Transport Parameter.
proxy.config.quic.max_streams_uni_out
Scope CONFIG.TP Type INT.TP Default 100.TP Reloadable Yes.UNINDENT This value will be advertised as
initial_max_streams_uni Transport Parameter.
proxy.config.quic.ack_delay_exponent_in
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.UNINDENT This value will be advertised as
ack_delay_exponent Transport Parameter.
proxy.config.quic.ack_delay_exponent_out
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.UNINDENT This value will be advertised as
ack_delay_exponent Transport Parameter.
proxy.config.quic.max_ack_delay_in
Scope CONFIG.TP Type INT.TP Default 25.TP Reloadable Yes.UNINDENT This value will be advertised as
max_ack_delay Transport Parameter.
proxy.config.quic.max_ack_delay_out
Scope CONFIG.TP Type INT.TP Default 25.TP Reloadable Yes.UNINDENT This value will be advertised as
max_ack_delay Transport Parameter.
proxy.config.quic.loss_detection.packet_threshold
Scope CONFIG.TP Type INT.TP Default 3.TP Reloadable Yes.UNINDENT This is just for debugging. Do not
change it from the default value unless you really understand what this is.
proxy.config.quic.loss_detection.time_threshold
Scope CONFIG.TP Type FLOAT.TP Default 1.25.TP Reloadable Yes.UNINDENT This is just for debugging. Do not
change it from the default value unless you really understand what this is.
proxy.config.quic.loss_detection.granularity
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT This is just for debugging. Do not
change it from the default value unless you really understand what this is.
proxy.config.quic.loss_detection.initial_rtt
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.UNINDENT This is just for debugging. Do not
change it from the default value unless you really understand what this is.
proxy.config.quic.congestion_control.max_datagram_size
Scope CONFIG.TP Type INT.TP Default 1200.TP Reloadable Yes.UNINDENT This is just for debugging. Do not
change it from the default value unless you really understand what this is.
proxy.config.quic.congestion_control.initial_window
Scope CONFIG.TP Type INT.TP Default 12000.TP Reloadable Yes.UNINDENT This is just for debugging. Do not
change it from the default value unless you really understand what this is.
proxy.config.quic.congestion_control.minimum_window
Scope CONFIG.TP Type INT.TP Default 2400.TP Reloadable Yes.UNINDENT This is just for debugging. Do not
change it from the default value unless you really understand what this is.
proxy.config.quic.congestion_control.loss_reduction_factor
Scope CONFIG.TP Type FLOAT.TP Default 0.5.TP Reloadable Yes.UNINDENT This is just for debugging. Do not
change it from the default value unless you really understand what this is.
proxy.config.quic.congestion_control.persistent_congestion_threshold
Scope CONFIG.TP Type INT.TP Default 2.TP Reloadable Yes.UNINDENT This is just for debugging. Do not
change it from the default value unless you really understand what this is.
PLUG-IN CONFIGURATION
proxy.config.plugin.plugin_dir
Scope CONFIG.TP Type STRING.TP Default config/plugins.UNINDENT Specifies the location of Traffic Server
plugins.
proxy.config.plugin.dynamic_reload_mode
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enables (1) or disables (0) the dynamic reload feature
for remap plugins (remap.config). Global plugins (plugin.config) do not have dynamic reload
feature yet.
proxy.config.plugin.vc.default_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies the buffer
index and thus size to use when constructing IO buffers within the PluginVC. Tuning this can
impact performance of intercept plugins. Default is 8, which aligns with the default value of
ts:cv:CONFIG proxy.config.http.default_buffer_size.
proxy.config.plugin.vc.default_buffer_water_mark
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.TP Overridable Yes.UNINDENT Specifies the buffer
water mark size in bytes used to control the flow of data through IO buffers within the PluginVC.
Default is zero to preserve existing PluginVC water marking behavior.
SOCKS PROCESSOR
proxy.config.socks.socks_needed
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) the SOCKS processor
proxy.config.socks.socks_version
Scope CONFIG.TP Type INT.TP Default 4.UNINDENT Specifies the SOCKS version (4) or (5)
proxy.config.socks.socks_config_file
Scope CONFIG.TP Type STRING.TP Default socks.config.TP Deprecated Yes.UNINDENT The socks.config file
allows you to specify ranges of IP addresses that will not be relayed to the SOCKS server. It can
also be used to configure AUTH information for SOCKSv5 servers.
proxy.config.socks.socks_timeout
Scope CONFIG.TP Type INT.TP Default 100.UNINDENT The activity timeout value (in seconds) for SOCKS
server connections.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.socks.server_connect_timeout
Scope CONFIG.TP Type INT.TP Default 10.UNINDENT The timeout value (in seconds) for SOCKS server
connection attempts.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.socks.per_server_connection_attempts
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT The total number of connection attempts allowed per SOCKS
server, if multiple servers are used.
proxy.config.socks.connection_attempts
Scope CONFIG.TP Type INT.TP Default 4.UNINDENT The total number of connection attempts allowed to a
SOCKS server Traffic Server bypasses the server or fails the request
proxy.config.socks.server_retry_timeout
Scope CONFIG.TP Type INT.TP Default 300.UNINDENT The timeout value (in seconds) for SOCKS server
connection retry attempts.
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.socks.default_servers
Scope CONFIG.TP Type STRING.TP Default *NONE*.UNINDENT Default list of SOCKS servers and their ports.
proxy.config.socks.server_retry_time
Scope CONFIG.TP Type INT.TP Default 300.UNINDENT The amount of time allowed between connection retries
to a SOCKS server that is unavailable.
proxy.config.socks.server_fail_threshold
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT The number of times the connection to the SOCKS server
can fail before Traffic Server considers the server unavailable.
proxy.config.socks.accept_enabled
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enables (1) or disables (0) the SOCKS proxy option. As a
SOCKS proxy, Traffic Server receives SOCKS traffic (usually on port 1080) and forwards all
requests directly to the SOCKS server.
proxy.config.socks.accept_port
Scope CONFIG.TP Type INT.TP Default 1080.UNINDENT Specifies the port on which Traffic Server accepts
SOCKS traffic.
proxy.config.socks.http_port
Scope CONFIG.TP Type INT.TP Default 80.UNINDENT Specifies the port on which Traffic Server accepts HTTP
proxy requests over SOCKS connections..
SOCKETS
proxy.config.net.defer_accept
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT default: 1 meaning on all Platforms except Linux: 45
seconds
This directive enables operating system specific optimizations for a listening socket.
defer_accept holds a call to accept(2) back until data has arrived. In Linux' special case this is
up to a maximum of 45 seconds. On FreeBSD, accf_data module needs to be loaded.
proxy.config.net.listen_backlog
Scope CONFIG.TP Type INT.TP Default -1
:reloadable:.UNINDENT This directive sets the maximum number of pending connections. If it is
set to -1, Traffic Server will automatically set this to a platform-specific maximum.
proxy.config.net.tcp_congestion_control_in
Scope CONFIG.TP Type STRING.TP Default "".UNINDENT This directive will override the congestion control
algorithm for incoming connections (accept sockets). On Linux, the allowed values are typically
specified in a space separated list in /proc/sys/net/ipv4/tcp_allowed_congestion_control
proxy.config.net.tcp_congestion_control_out
Scope CONFIG.TP Type STRING.TP Default "".UNINDENT This directive will override the congestion control
algorithm for outgoing connections (connect sockets). On Linux, the allowed values are typically
specified in a space separated list in /proc/sys/net/ipv4/tcp_allowed_congestion_control
proxy.config.net.sock_send_buffer_size_in
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Sets the send buffer size for connections from the client
to Traffic Server.
proxy.config.net.sock_recv_buffer_size_in
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Sets the receive buffer size for connections from the
client to Traffic Server.
proxy.config.net.sock_option_flag_in
Scope CONFIG.TP Type INT.TP Default 0x1.UNINDENT Turns different options "on" for the socket handling
client connections::
TCP_NODELAY (1)
SO_KEEPALIVE (2)
SO_LINGER (4) - with a timeout of 0 seconds
TCP_FASTOPEN (8)
PACKET_MARK (16)
PACKET_TOS (32)
TCP_NOTSENT_LOWAT (64)
NOTE:
This is a bitmask and you need to decide what bits to set. Therefore, you must set the value to 3 if
you want to enable nodelay and keepalive options above.
NOTE:
To allow TCP Fast Open for client sockets on Linux, bit 2 of the net.ipv4.tcp_fastopen sysctl must be
set.
proxy.config.net.sock_send_buffer_size_out
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Sets the send buffer size for
connections from Traffic Server to the origin server.
proxy.config.net.sock_recv_buffer_size_out
Scope CONFIG.TP Type INT.TP Default 0.TP Overridable Yes.UNINDENT Sets the receive buffer size for
connections from Traffic Server to the origin server.
proxy.config.net.sock_option_flag_out
Scope CONFIG.TP Type INT.TP Default 0x1.TP Overridable Yes.UNINDENT Turns different options "on" for the
origin server socket::
TCP_NODELAY (1)
SO_KEEPALIVE (2)
SO_LINGER (4) - with a timeout of 0 seconds
TCP_FASTOPEN (8)
PACKET_MARK (16)
PACKET_TOS (32)
TCP_NOTSENT_LOWAT (64)
NOTE:
This is a bitmask and you need to decide what bits to set. Therefore, you must set the value to 3 if
you want to enable nodelay and keepalive options above.
When SO_LINGER is enabled, the linger timeout time is set to 0. This is useful when Traffic Server and
the origin server are co-located and large numbers of sockets are retained in the TIME_WAIT state.
NOTE:
To allow TCP Fast Open for server sockets on Linux, bit 1 of the net.ipv4.tcp_fastopen sysctl must be
set.
proxy.config.net.sock_mss_in
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Same as the command line option --accept_mss that sets
the MSS for all incoming requests.
proxy.config.net.sock_packet_mark_in
Scope CONFIG.TP Type INT.TP Default 0x0.UNINDENT Set the packet mark on traffic destined for the client
(the packets that make up a client response).
SEE ALSO:
Traffic Shaping
proxy.config.net.sock_packet_mark_out
Scope CONFIG.TP Type INT.TP Default 0x0.TP Overridable Yes.UNINDENT Set the packet mark on traffic
destined for the origin (the packets that make up an origin request).
SEE ALSO:
Traffic Shaping
proxy.config.net.sock_packet_tos_in
Scope CONFIG.TP Type INT.TP Default 0x0.UNINDENT Set the ToS/DiffServ Field on packets sent to the
client (the packets that make up a client response).
SEE ALSO:
Traffic Shaping
proxy.config.net.sock_packet_tos_out
Scope CONFIG.TP Type INT.TP Default 0x0.TP Overridable Yes.UNINDENT Set the ToS/DiffServ Field on
packets sent to the origin (the packets that make up an origin request).
SEE ALSO:
Traffic Shaping
proxy.config.net.sock_notsent_lowat
Scope CONFIG.TP Type INT.TP Default 16384.TP Overridable Yes.UNINDENT Set socket option
TCP_NOTSENT_LOWAT to specified value for a connection
proxy.config.net.poll_timeout
Scope CONFIG.TP Type INT.TP Default 10 (or 30 on Solaris).UNINDENT Same as the command line option
--poll_timeout, or -t, which specifies the timeout used for the polling mechanism used. This
timeout is always in milliseconds (ms). This is the timeout to epoll_wait() on Linux platforms,
and to kevent() on BSD type OSs. The default value is 10 on all platforms.
Changing this configuration can reduce CPU usage on an idle system, since periodic tasks gets
processed at these intervals. On busy servers, this overhead is diminished, since polled events
triggers more frequently. However, increasing the setting can also introduce additional latency
for certain operations, and timed events. It's recommended not to touch this setting unless your
CPU usage is unacceptable at idle workload. Some alternatives to this could be:
Reduce the number of worker threads (net-threads)
Reduce the number of disk (AIO) threads
Make sure accept threads are enabled
The relevant configurations for this are:
CONFIG proxy.config.exec_thread.autoconfig INT 0
CONFIG proxy.config.exec_thread.limit INT 2
CONFIG proxy.config.accept_threads INT 1
CONFIG proxy.config.cache.threads_per_disk INT 8
See Timeout Settings for more discussion on Traffic Server timeouts.
proxy.config.task_threads
Scope CONFIG.TP Type INT.TP Default 2.UNINDENT Specifies the number of task threads to run. These
threads are used for various tasks that should be off-loaded from the normal network threads. You
must have at least one task thread available.
proxy.config.allocator.thread_freelist_size
Scope CONFIG.TP Type INT.TP Default 512.UNINDENT Sets the maximum number of elements that can be
contained in a ProxyAllocator (per-thread) before returning the objects to the global pool. If set
to 0, there is no limit enforced.
proxy.config.allocator.thread_freelist_low_watermark
Scope CONFIG.TP Type INT.TP Default 32.UNINDENT Sets the minimum number of items a ProxyAllocator
(per-thread) will guarantee to be holding at any one time.
proxy.config.allocator.hugepages
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Enable (1) the use of huge pages on supported platforms.
(Currently only Linux)
You must also enable hugepages at the OS level. In modern Linux kernels, this can be done by
setting /proc/sys/vm/nr_overcommit_hugepages to a sufficiently large value. It is reasonable to
use (system memory/hugepage size) because these pages are only created on demand.
For more information on the implications of enabling huge pages, see Wikipedia
<http://en.wikipedia.org/wiki/Page_%28computer_memory%29#Page_size_trade-off>_.
proxy.config.dump_mem_info_frequency
Scope CONFIG.TP Type INT.TP Default 0.TP Reloadable Yes.UNINDENT Enable <value>. When enabled makes
Traffic Server dump IO Buffer memory information to traffic.out at <value> (intervals are in
seconds). A zero value implies it is disabled
proxy.config.res_track_memory
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT When enabled makes Traffic Server track memory usage
(allocations and releases). This information is dumped to traffic.out when the user sends a
SIGUSR1 signal or periodically when proxy.config.dump_mem_info_frequency is enabled.
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Memory tracking Disabled │
├───────┼───────────────────────────────────────┤
│ 1 │ Tracks IO Buffer Memory allocations │
│ │ and releases │
├───────┼───────────────────────────────────────┤
│ 2 │ Tracks IO Buffer Memory and OpenSSL │
│ │ Memory allocations and releases │
└───────┴───────────────────────────────────────┘
proxy.config.system_clock
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT For advanced users only. This allows to specify the
underlying system clock used by ATS. The default is CLOCK_REALTIME (0), but a higher performance
option could be CLOCK_REALTIME_COARSE (5). See clock_gettime(2) for more details. On Linux, these
definitions can be found in <linux/time.h>.
proxy.config.allocator.dontdump_iobuffers
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Enable (1) the exclusion of IO buffers from core files
when ATS crashes on supported platforms. (Currently only Linux). IO buffers are allocated with
the MADV_DONTDUMP with madvise() on Linux platforms that support MADV_DONTDUMP. Enabled by
default.
proxy.config.ssl.misc.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index used for various
SSL Operations such as Handshake or Protocol Probe. Default value is 8 which maps to a 32K buffer
proxy.config.hostdb.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index used for storing
HostDB records. Default value is 8 which maps to a 32K buffer
proxy.config.payload.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index used for storing
request payload buffer for a POST request. Default value is 8 which maps to a 32K buffer
proxy.config.msg.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index used for storing
miscellaneous transactional buffers such as error response body. Default value is 8 which maps to
a 32K buffer
proxy.config.log.io.max_buffer_index
Scope CONFIG.TP Type INT.TP Default 8.UNINDENT Configures the max IOBuffer Block index used for storing
an access log entry. Default value is 8 which maps to a 32K buffer
proxy.config.http.enabled
Scope CONFIG.TP Type INT.TP Default 1.UNINDENT Turn on or off support for HTTP proxying. This is rarely
used, the one exception being if you run Traffic Server with a protocol plugin, and would like for
it to not support HTTP requests at all.
proxy.config.http.allow_half_open
Scope CONFIG.TP Type INT.TP Default 1.TP Reloadable Yes.TP Overridable Yes.UNINDENT Turn on or off
support for connection half open for client side. Default is on, so after client sends FIN, the
connection is still there.
proxy.config.http.wait_for_cache
Scope CONFIG.TP Type INT.TP Default 0.UNINDENT Accepting inbound connections and starting the cache are
independent operations in Traffic Server. This variable controls the relative timing of these
operations and Traffic Server dependency on cache because if cache is required then inbound
connection accepts should be deferred until the validity of the cache requirement is determined.
Cache initialization failure will be logged in diags.log.
┌───────┬───────────────────────────────────────┐
│ Value │ Description │
├───────┼───────────────────────────────────────┤
│ 0 │ Decouple inbound connections and │
│ │ cache initialization. Connections │
│ │ will be accepted as soon as possible │
│ │ and Traffic Server will run │
│ │ regardless of the results of cache │
│ │ initialization. │
├───────┼───────────────────────────────────────┤
│ 1 │ Do not accept inbound connections │
│ │ until cache initialization has │
│ │ finished. Traffic Server will run │
│ │ regardless of the results of cache │
│ │ initialization. │
├───────┼───────────────────────────────────────┤
│ 2 │ Do not accept inbound connections │
│ │ until cache initialization has │
│ │ finished and been sufficiently │
│ │ successful that cache is enabled. │
│ │ This means at least one cache span is │
│ │ usable. If there are no spans in │
│ │ storage.config or none of the spans │
│ │ can be successfully parsed and │
│ │ initialized then Traffic Server will │
│ │ shut down. │
├───────┼───────────────────────────────────────┤
│ 3 │ Do not accept inbound connections │
│ │ until cache initialization has │
│ │ finished and been completely │
│ │ successful. This requires at least │
│ │ one cache span in storage.config and │
│ │ that every span specified is valid │
│ │ and successfully initialized. Any │
│ │ error will cause Traffic Server to │
│ │ shut down. │
└───────┴───────────────────────────────────────┘
COPYRIGHT
2024, dev@trafficserver.apache.org
9.2 Apr 16, 2024 RECORDS.CONFIG(5)