Conventions
The following conventions apply to multiple areas of the configuration files for routers and controllers.
Addressing
Listening and dialing addresses in OpenZiti are in the format of <protocol>:<ip-or-host>:<port>
format.
For servers that are listening <ip-or-host>
should be the address of an interface to listen on or "0.0.0.0" for all
IPv4 interfaces or "::" for all IPv6 interfaces. <port>
should be a valid port number that the server should listen
on.
For clients dialing a server the <ip-or-host>
should be an IP address or hostname that resolves to the target
server. <port>
should be the port the server is listening on.
For clients and server, the <protocol>
section is the protocol used to host or initiate the connection. It may be one
of the following values, however tls
is suggested for most scenarios.
tls
tcp
udp
dtls
ws
wss
transwarp
transwarptls
Environment Variables
All values in the configuration file support environment variable replacement. The environment variables are sourced
from the scope of the executing process (i.e. controller, router). The syntax ${VARIABLE}
is used.
Example:
db: ${ZITI_DATA}/db/ctrl.db
Identity
OpenZiti uses a common framework for loading, storing, and processing certificate and private key configuration.
Identity sections all have a similar format. The use of the defined certificates is up to the implementing application.
So see their configuration sections for details on which values are utilized for what. This documentation provides an
overview useful to understand the "default" assumptions. The identity
section may need to be formatted as YAML or JSON, depending on the implementing application. The ziti
CLI and bundled sub-commands, e.g. ziti controller
, ziti router
, expect a configuration file formatted as YAML.
cert
- (required) A string in the format of<engine>:<value>
that defines a x509 client certificatekey
- (required) A string in the format of<engine>:<value>
that defines a private key used forcert
andserver_cert
ifserver_key
is not definedserver_cert
-(optional) A string in the format of<engine>:<value>
that defines a x509 certificate, if not definedcert
is usedserver_key
- (optional) A string in the format of<engine>:<value>
that defines a private key forserver_cert
, if not definedkey
is used ifserver_cert
is definedca
- (optional) A string in the format of<engine>:<value>
that defines x509 certificate chain used to define trusted CAsalt_server_certs
- (optional) An array of objects withserver_cert
andserver_key
values used to add additional server certificates and keys not managed by OpenZiti (i.e. from public CAs like Let's Encrypt). The server name indication (SNI) of incoming requests is compared with all DNS subject alternative names (SAN) of the server certificates inidentity.server_cert
andidentity.alt_server_certs[].server_cert
. The first-matched server certificate is presented to the TLS client. You must use distinct DNS SANs to avoid ambiguity during server certificate selection.
The <engine>:<value>
format is used to define multiple different source types. If the <engine>:
part is omitted, it
is assumed to be file:
. The following engines are supported:
file
- indicates that<value>
is the path to a filepem
- indicates that<value>
is an inline PEM string
Additional PKCS#11 engines such as siometrics.so
and authenta.so
may be used if the library are present on the host
machine. This allows for access to hardware backed private keys.
Example Identity Section (Client & Server use same key):
identity:
cert: "file:ctrl-client.cert.pem"
server_cert: "pem:-----BEGIN CERTIFICATE-----\nMIIEtzCCAp+gAwIBAgICEA0wDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT..."
key: ctrl.key.pem
ca: ca-chain.cert.pem
alt_server_certs:
- server_cert: lets_encrypt.cert.pem
- server_key: lets_encrypt.key.pem
Channel
Channel sections control different ways in which connections behave. It is controlled by the channel library. Sections that invoke the channel library support the following options section.
options
- a set of optional connections optionsmaxQueuedConnects
- (optional) the maximum number of connections to be accepted but awaiting initial messagingmaxOutstandingConnects
- (optional) the maximum number of connection accepted and waiting for hello messaging to completeconnectTimeoutMs
- (optional) the maximum number of milliseconds to wait for hello messaging to completewriteTimeout
- (optional) the maximum amount of time to wait when writing data to a connection
Time Units
Configurations that do not specify a unit of time in their name, support a variety of human-readable time units. The
format supports single and combinations of values (e.g. 12s
, 5m20s
, 2h30m22s
).
Supported units:
ns
us
(orµs
)ms
s
m
h
XWeb
The web
section is powered by XWeb. XWeb allows web APIs to be defined in code and
exposed on multiple interfaces/networks through configuration alone.
Example:
web:
- name: all-apis-localhost
bindPoints:
- interface: 127.0.0.1:1280
address: 127.0.0.1:1280
newAddress: localhost:1280
identity:
cert: ctrl-client.cert.pem
server_cert: ctrl-server.cert.pem
key: ctrl.key.pem
ca: ca-chain.cert.pem
options:
idleTimeout: 5000ms
readTimeout: 5000ms
writeTimeout: 100000ms
minTLSVersion: TLS1.2
maxTLSVersion: TLS1.3
apis:
- binding: health-checks
- binding: fabric
- binding: edge-management
- binding: edge-client
The structure of the web
section is an array of API exposure options:
web:
- name: API Exposure 1
...
- name: API Exposure 2
...
Each exposure has the following configuration options:
name
- (required) a name used for logging and error messagingbindPoints
- (required) the interfaces, external addresses, and migration address options for this exposureapis
- (required) a list of APIs and their options from the list aboveoptions
- (optional) a set of options used to tune HTTP/TLS
bindPoints
bindPoints
are used to instruct XWeb on where to listen for new connections. Each exposure can have multiple bind
pints to have the same API listen on one or more interfaces/networks. Additionally, each interface listened on can have
its own external address and migration address.
interface
- (required) the interface and port to listen on ("0.0.0.0" for all IPv4 interfaces, "::" for all IPv6 interfacesidentity
- (optional, root identity) the certificates and keys to use for TLSaddress
- (required) the host:port combination that external devices can use to reach the exposed interface (ip or host name)newAddress
- (optional) when specified,newAddress
will be sent to clients in the HTTP headerziti-ctrl-address
newAddress
should only be specified when clients can use the new host:port combination to reach the specified APIs.
This setting is used to migrate APIs between ip/hostnames.
apis
The apis
section defines which APIs will be hosted on this exposure. Different OpenZiti components support different
APIs. See their documentation for a list of APIs supported.
options
idleTimeout
- (optional) the maximum amount of time to wait for the next request when keep-alives are enabled, if IdleTimeout is zero, the value of ReadTimeout is usedreadTimeout
- (optional) the maximum duration for reading the entire request, including the bodywriteTimeout
- (optional) the maximum duration before timing out writes of the response, it is reset whenever a new request’s header is readminTLSVersion
- (optional) the minimum TLS version to support (TLS1.1, TLS1.2, TLS1.3)maxTLSVersion
- (optional) the maximum TLS version to support (TLS1.1, TLS1.2, TLS1.3)
xgress Components
"xgress" is an internal OpenZiti set of components that facilitate ingress and egress traffic from the OpenZiti mesh overlay network. Ingress traffic is handled by "listeners" and egress traffic is handled by "dialers". Internally, xgress components may be developed that support listeners (ingress), dialers (egress), or both.
Each xgress components are referenced to by binding
name. The following binding
values are currently defined:
proxy
- listener only - allows ingress TCP connections to connect directly to aservice
defined inoptions
proxy_udp
- listener only - allows ingress UDP connections to connect directly to aservice
defined inoptions
transport
- listener, dialer - allows ingress TCP connections to request a circuit for a service and for traffic to dial to an underlay UDP service at a<host>:<port>
addresstransport_udp
- listener, dialer - allows ingress UDP connections to request a circuit for a service and for traffic to dial to an underlay UDP service at a<host>:<port>
addressedge
- listener, dialer - allows multiplexed ingress connections from SDKs and connections to other SDKs hosting services, requires anadvertise
option in theoptions
section to be defined for external linkingtunnel
- a special type of binding used by routers
xgress Options
Each xgress component can have its own options in addition to the following shared options:
mtu
- (optional, 640*1024) unusedrandomDrops
- (optional, false) true/yes/on or false/no/off to randomly drop 1 indrop1InN
payloads, used for testing onlydrop1InN
- (optional, 100) ifrandomDrops
is enabled, will drop 1 in N payloads, used for testing onlytxQueueSize
- (optional, 1) the number of transmit payload to queuetxPortalStartSize
- (optional, 16*1024) integer that sets the starting window sizestxPortalMinSize
- (optional, 16*1024) integer that sets the minimum window sizetxPortalMaxSize
- (optional, 410241024) integer that sets the maximum window sizetxPortalIncreaseThresh
- (optional, 224) the number of successful transmits that triggers the window size to be scaled bytxPortalIncreaseScale
txPortalIncreaseScale
- (optional, 1.0) the scale factor to increase the window size bytxPortalRetxThresh
- (optional, 64) the number of retransmissions that triggers the window size to be scaled bytxPortalRetxScale
txPortalRetxScale
- (optional, 0.75) the factor used to scale the window size whentxPortalRetxThresh
is reachedtxPortalDupAckThresh
- (optional, 64) the number of duplicate ACKs that triggers the window size to be scaled bytxPortalDupAckScale
txPortalDupAckScale
- (optional, 0.9) the factor used to scale the window size whentxPortalDupAckScale
is reachedrxBufferSize
- (optional, 410241024) the size of the receive bufferretxStartMs
- (optional, 200) the number of milliseconds to wait before attempting to retransmitretxScale
- (optional, 1.5) the factor to scaleretxStartMs
based on RTTretxAddMs
- (optional, 0) a number of milliseconds to add toretxStartMs
when calculating new retransmission thresholdsmaxCloseWaitMs
- (optional, 30s) the amount of time to wait for buffers to empty before closing a connectiongetCircuitTimeout
- (optional, 30s) the amount of time to wait for circuit creationcircuitStartTimeout
- (optional, 3m) the amount of time to wait for a circuit to startconnectTimeout
- (optional, 0s) the amount of time to wait for dialed connections to connect, 0/0s = OS default