zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-07-24 11:38:35 +02:00
Code Issues Projects Releases Packages Wiki Activity
google-nomulus/java/google/registry/proxy/config/default-config.yaml
jianglai 983bd27ee0 Read GCP proxy EPP SSL secret from GCS 
This allows us to not ship the proxy with certificates/private keys. The secret is still encrypted by KMS. Reading the secret only happens once when the first EPP request comes in, which should not incur any tangible performance penalty.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=191771680
2018-04-10 16:38:31 -04:00

200 lines
6.7 KiB
YAML
Raw Blame History

# This is the default configuration file for the proxy. Do not make changes to
# it unless you are writing new features that requires you to. To customize an
# individual deployment or environment, create a proxy-config.yaml file in the
# same directory overriding only the values you wish to change. You may need
# to override some of these values to configure and enable some services used in
# production environments.
# GCP project ID
projectId: your-gcp-project-id
# OAuth scope that the GoogleCredential will be constructed with. This list
# should include all service scopes that the proxy depends on.
gcpScopes:
# The default OAuth scope granted to GCE instances. Local development instance
# needs this scope to mimic running on GCE. Currently it is used to access
# Cloud KMS and Stackdriver Monitoring APIs.
- https://www.googleapis.com/auth/cloud-platform
# The OAuth scope required to be included in the access token for the GAE app
# to authenticate.
- https://www.googleapis.com/auth/userinfo.email
# Access token is valid for 30 minutes.
#
# Document says that the token should be good for 60 minutes, but in practice
# we've run into problems with token becoming invalid before supposed expiration
# time. 30 minutes seems to be a good compromise which guarantees token validity
# without making many more API calls to the OAuth server.
# See also: Data store
# (https://developers.google.com/api-client-library/java/google-api-java-client/oauth2#data_store).
accessTokenValidPeriodSeconds: 1800
# Access token is refreshed 1 minutes before expiry.
#
# This is the default refresh time used by
# com.google.api.client.auth.oauth2.Credential#intercept.
accessTokenRefreshBeforeExpirySeconds: 60
gcs:
# GCS bucket that stores the encrypted PEM file.
bucket: your-gcs-bucket
# Name of the encrypted PEM file.
sslPemFilename: your-pem-filename
# Strings used to construct the KMS crypto key URL.
# See: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys
kms:
# Location where your key ring is stored (global, us-east1, etc).
location: your-kms-location
# Name of the KeyRing that contains the CryptoKey file.
keyRing: your-kms-keyRing
# Name of the CryptoKey used to encrypt the PEM file.
cryptoKey: your-kms-cryptoKey
epp:
port: 30002
relayHost: registry-project-id.appspot.com
relayPath: /_dr/epp
# Maximum input message length in bytes.
#
# The first 4 bytes in a message is the total length of message, in bytes.
#
# We accept a message up to 1 GB, which should be plentiful, if not over the
# top. In fact we should probably limit this to a more reasonable number, as a
# 1 GB message will likely cause the proxy to go out of memory.
#
# See also: RFC 5734 4 Data Unit Format
# (https://tools.ietf.org/html/rfc5734#section-4).
maxMessageLengthBytes: 1073741824
# Length of the header field in bytes.
#
# Note that value of the header field is the total length (in bytes) of the
# message, including the header itself, the length of the epp xml instance is
# therefore 4 bytes shorter than this value.
headerLengthBytes: 4
# Time after which an idle connection will be closed.
#
# The RFC gives registry discretionary power to set a timeout period. 1 hr
# should be reasonable enough for any registrar to login and submit their
# request.
readTimeoutSeconds: 3600
# Hostname of the EPP server.
# TODO(b/64510444) Remove this after nomulus no longer check sni header.
serverHostname: epp.yourdomain.tld
# Quota configuration for EPP
quota:
# Token database refresh period. Set to 0 to disable refresh.
#
# After the set time period, inactive userIds will be deleted.
refreshSeconds: 0
# Default quota for any userId not matched in customQuota.
defaultQuota:
# List of identifiers, e. g. IP address, certificate hash.
#
# userId for defaultQuota should always be an empty list. Any value
# in the list will be discarded.
#
# There should be no duplicate userIds, either within this list, or
# across quota groups within customQuota. Any duplication will result
# in an error when constructing QuotaConfig.
userId: []
# Number of tokens allotted to the matched user. Set to -1 to allow
# infinite quota.
tokenAmount: 100
# Token refill period. Set to 0 to disable refill.
#
# After the set time period, the token for the user will be
# reset to tokenAmount.
refillSeconds: 0
# List of custom quotas for specific userId. Use the same schema as
# defaultQuota for list entries.
customQuota: []
whois:
port: 30001
relayHost: registry-project-id.appspot.com
relayPath: /_dr/whois
# Maximum input message length in bytes.
#
# Domain name cannot be longer than 256 characters. 512-character message
# length should be safe for most cases, including registrar queries.
#
# See also: RFC 1035 2.3.4 Size limits
# (http://www.freesoft.org/CIE/RFC/1035/9.htm).
maxMessageLengthBytes: 512
# Whois protocol is transient, the client should not establish a long lasting
# idle connection.
readTimeoutSeconds: 60
# Quota configuration for WHOIS
quota:
# Token database refresh period. Set to 0 to disable refresh.
#
# After the set time period, inactive token buckets will be deleted.
refreshSeconds: 3600
# Default quota for any userId not matched in customQuota.
defaultQuota:
# List of identifiers, e. g. IP address, certificate hash.
#
# userId for defaultQuota should always be an empty list.
userId: []
# Number of tokens allotted to the matched user. Set to -1 to allow
# infinite quota.
tokenAmount: 100
# Token refill period. Set to 0 to disable refill.
#
# After the set time period, the token for the given user will be
# reset to tokenAmount.
refillSeconds: 600
# List of custom quotas for specific userId. Use the same schema as
# defaultQuota for list entries.
customQuota: []
healthCheck:
port: 30000
# Health checker request message, defined in GCP load balancer backend.
checkRequest: HEALTH_CHECK_REQUEST
# Health checker response message, defined in GCP load balancer backend.
checkResponse: HEALTH_CHECK_RESPONSE
httpsRelay:
port: 443
# Maximum size of an HTTP message in bytes.
maxMessageLengthBytes: 524288
metrics:
# Max queries per second for the Google Cloud Monitoring V3 (aka Stackdriver)
# API. The limit can be adjusted by contacting Cloud Support.
stackdriverMaxQps: 30
# Max number of points that can be sent to Stackdriver in a single
# TimeSeries.Create API call.
stackdriverMaxPointsPerRequest: 200
# How often metrics are written.
writeIntervalSeconds: 60
Reference in a new issue View git blame Copy permalink