zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-05-05 06:27:51 +02:00
Code Issues Projects Releases Packages Wiki Activity
google-nomulus/java/google/registry/proxy/config/default-config.yaml
jianglai 628aacd754 Cache server certificates for up to 30 min 
The server certificates and corresponding keys are encrypted by KMS and stored on GCS. This allows us to easily replace expiring certs without having to roll out a new proxy release. However currently the certificate is obtained as a singleton and used in all connections served by a proxy instance. This means that if we were to upload a new cert, all existing instances will not use it.

This CL makes it so that we only cache the certificate for 30 min, after which a new cert is fetched and decrypted. Local certificates used for testing are still singletons.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=206976318
2018-08-10 13:46:48 -04:00

216 lines
7.3 KiB
YAML
Raw Blame History

# This is the default configuration file for the proxy. Do not make changes to
# it unless you are writing new features that requires you to. To customize an
# individual deployment or environment, create a proxy-config.yaml file in the
# same directory overriding only the values you wish to change. You may need
# to override some of these values to configure and enable some services used in
# production environments.
# GCP project ID
projectId: your-gcp-project-id
# OAuth scope that the GoogleCredential will be constructed with. This list
# should include all service scopes that the proxy depends on.
gcpScopes:
# The default OAuth scope granted to GCE instances. Local development instance
# needs this scope to mimic running on GCE. Currently it is used to access
# Cloud KMS and Stackdriver Monitoring APIs.
- https://www.googleapis.com/auth/cloud-platform
# The OAuth scope required to be included in the access token for the GAE app
# to authenticate.
- https://www.googleapis.com/auth/userinfo.email
# Access token is valid for 30 minutes.
#
# Document says that the token should be good for 60 minutes, but in practice
# we've run into problems with token becoming invalid before supposed expiration
# time. 30 minutes seems to be a good compromise which guarantees token validity
# without making many more API calls to the OAuth server.
# See also: Data store
# (https://developers.google.com/api-client-library/java/google-api-java-client/oauth2#data_store).
accessTokenValidPeriodSeconds: 1800
# Access token is refreshed 1 minutes before expiry.
#
# This is the default refresh time used by
# com.google.api.client.auth.oauth2.Credential#intercept.
accessTokenRefreshBeforeExpirySeconds: 60
# Server certificate is cached for 30 minutes.
#
# Encrypted server server certificate and private keys are stored on GCS. They
# are cached and shared for all connections for 30 minutes. We not not cache
# the certificate indefinitely because if we upload a new one to GCS, all
# existing instances need to be killed if they cache the old one indefinitely.
serverCertificateCacheSeconds: 1800
gcs:
# GCS bucket that stores the encrypted PEM file.
bucket: your-gcs-bucket
# Name of the encrypted PEM file.
sslPemFilename: your-pem-filename
# Strings used to construct the KMS crypto key URL.
# See: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys
kms:
# Location where your key ring is stored (global, us-east1, etc).
location: your-kms-location
# Name of the KeyRing that contains the CryptoKey file.
keyRing: your-kms-keyRing
# Name of the CryptoKey used to encrypt the PEM file.
cryptoKey: your-kms-cryptoKey
epp:
port: 30002
relayHost: registry-project-id.appspot.com
relayPath: /_dr/epp
# Maximum input message length in bytes.
#
# The first 4 bytes in a message is the total length of message, in bytes.
#
# We accept a message up to 1 GB, which should be plentiful, if not over the
# top. In fact we should probably limit this to a more reasonable number, as a
# 1 GB message will likely cause the proxy to go out of memory.
#
# See also: RFC 5734 4 Data Unit Format
# (https://tools.ietf.org/html/rfc5734#section-4).
maxMessageLengthBytes: 1073741824
# Length of the header field in bytes.
#
# Note that value of the header field is the total length (in bytes) of the
# message, including the header itself, the length of the epp xml instance is
# therefore 4 bytes shorter than this value.
headerLengthBytes: 4
# Time after which an idle connection will be closed.
#
# The RFC gives registry discretionary power to set a timeout period. 1 hr
# should be reasonable enough for any registrar to login and submit their
# request.
readTimeoutSeconds: 3600
# Hostname of the EPP server.
# TODO(b/64510444) Remove this after nomulus no longer check sni header.
serverHostname: epp.yourdomain.tld
# Quota configuration for EPP
quota:
# Token database refresh period. Set to 0 to disable refresh.
#
# After the set time period, inactive userIds will be deleted.
refreshSeconds: 0
# Default quota for any userId not matched in customQuota.
defaultQuota:
# List of identifiers, e. g. IP address, certificate hash.
#
# userId for defaultQuota should always be an empty list. Any value
# in the list will be discarded.
#
# There should be no duplicate userIds, either within this list, or
# across quota groups within customQuota. Any duplication will result
# in an error when constructing QuotaConfig.
userId: []
# Number of tokens allotted to the matched user. Set to -1 to allow
# infinite quota.
tokenAmount: 100
# Token refill period. Set to 0 to disable refill.
#
# After the set time period, the token for the user will be
# reset to tokenAmount.
refillSeconds: 0
# List of custom quotas for specific userId. Use the same schema as
# defaultQuota for list entries.
customQuota: []
whois:
port: 30001
relayHost: registry-project-id.appspot.com
relayPath: /_dr/whois
# Maximum input message length in bytes.
#
# Domain name cannot be longer than 256 characters. 512-character message
# length should be safe for most cases, including registrar queries.
#
# See also: RFC 1035 2.3.4 Size limits
# (http://www.freesoft.org/CIE/RFC/1035/9.htm).
maxMessageLengthBytes: 512
# Whois protocol is transient, the client should not establish a long lasting
# idle connection.
readTimeoutSeconds: 60
# Quota configuration for WHOIS
quota:
# Token database refresh period. Set to 0 to disable refresh.
#
# After the set time period, inactive token buckets will be deleted.
refreshSeconds: 3600
# Default quota for any userId not matched in customQuota.
defaultQuota:
# List of identifiers, e. g. IP address, certificate hash.
#
# userId for defaultQuota should always be an empty list.
userId: []
# Number of tokens allotted to the matched user. Set to -1 to allow
# infinite quota.
tokenAmount: 100
# Token refill period. Set to 0 to disable refill.
#
# After the set time period, the token for the given user will be
# reset to tokenAmount.
refillSeconds: 600
# List of custom quotas for specific userId. Use the same schema as
# defaultQuota for list entries.
customQuota: []
healthCheck:
port: 30000
# Health checker request message, defined in GCP load balancer backend.
checkRequest: HEALTH_CHECK_REQUEST
# Health checker response message, defined in GCP load balancer backend.
checkResponse: HEALTH_CHECK_RESPONSE
httpsRelay:
port: 443
# Maximum size of an HTTP message in bytes.
maxMessageLengthBytes: 524288
webWhois:
httpPort: 30010
httpsPort: 30011
# The 302 redirect destination of HTTPS web WHOIS GET requests.
# HTTP web WHOIS GET requests will be 301 redirected to HTTPS first.
redirectHost: whois.yourdomain.tld
metrics:
# Max queries per second for the Google Cloud Monitoring V3 (aka Stackdriver)
# API. The limit can be adjusted by contacting Cloud Support.
stackdriverMaxQps: 30
# Max number of points that can be sent to Stackdriver in a single
# TimeSeries.Create API call.
stackdriverMaxPointsPerRequest: 200
# How often metrics are written.
writeIntervalSeconds: 60
Reference in a new issue View git blame Copy permalink