1QDROUTERD.CONF(5) QDROUTERD.CONF(5)
2
6 qdrouterd.conf - configuration file for the dispatch router.
7
9 Provides the initial configuration when qdrouterd(8) starts. The
10 configuration of a running router can be modified using qdmanage(8).
11
13 The configuration file is made up of sections with this syntax:
14 sectionName {
16 attributeName: attributeValue
17 attributeName: attributeValue
18 ...
19 }
20 For example you can define a router using the router section
22 router {
24 mode: standalone
25 id: Router.A
26 ...
27 }
28 or define a listener using the listener section
30 listener {
32 host: 0.0.0.0
33 port: 20102
34 saslMechanisms: ANONYMOUS
35 ...
36 }
37 or define a connector using the connector section
39 connector {
41 role: inter-router
42 host: 0.0.0.0
43 port: 20003
44 saslMechanisms: ANONYMOUS
45 ...
46 }
47 An sslProfile section with SSL credentials can be included in multiple
49 listener or connector entities. Here’s an example, note how the
50 sslProfile attribute of listener sections references the name attribute
51 of sslProfile sections.
52 sslProfile {
54 name: my-ssl
55 caCertFile: ca-certificate-1.pem
56 certFile: server-certificate-1.pem
57 privateKeyFile: server-private-key.pem
58 }
59 listener {
61 sslProfile: my-ssl
62 host: 0.0.0.0
63 port: 20102
64 saslMechanisms: ANONYMOUS
65 }
66
68 router
69 Tracks peer routers and computes routes to destinations. This entity is
70 mandatory. The router will not start without this entity.
71 id (string)
73 Router’s unique identity. This field may not contain whitespace or
74 control characters. If not specified, a random identity will be
75 assigned at startup.
76 mode (One of [standalone, interior, edge], default=standalone)
78 In standalone mode, the router operates as a single component. It
79 does not participate in the routing protocol and therefore will not
80 cooperate with other routers. In interior mode, the router operates
81 in cooperation with other interior routers in an interconnected
82 network. In edge mode, the router can make a connection to an
83 interior router and join a network without causing that network to
84 recompute paths.
85 helloIntervalSeconds (integer, default=1)
87 Interval in seconds between HELLO messages sent to neighbor
88 routers.
89 helloMaxAgeSeconds (integer, default=3)
91 Time in seconds after which a neighbor is declared lost if no HELLO
92 is received.
93 raIntervalSeconds (integer, default=30)
95 Interval in seconds between Router-Advertisements sent to all
96 routers in a stable network.
97 raIntervalFluxSeconds (integer, default=4)
99 Interval in seconds between Router-Advertisements sent to all
100 routers during topology fluctuations.
101 remoteLsMaxAgeSeconds (integer, default=60)
103 Time in seconds after which link state is declared stale if no RA
104 is received.
105 workerThreads (integer, default=4)
107 The number of threads that will be created to process message
108 traffic and other application work (timers, non-amqp file
109 descriptors, etc.) .
110 debugDumpFile (path)
112 The absolute path to the location for the debug dump file. The
113 router writes debug-level information to this file if the logger is
114 not available.
115 saslConfigDir (path)
117 Absolute path to the SASL configuration file.
118 saslConfigName (string, default=qdrouterd)
120 Name of the SASL configuration. This string + .conf is the name of
121 the configuration file.
122 allowResumableLinkRoute (boolean, default=True)
124 Whether links can be routed where timeout is non-zero or
125 expiry-policy is not link-detach
126 timestampsInUTC (boolean)
128 Use UTC time rather than localtime in logs.
129 timestampFormat (string)
131 Format string to use for timestamps in logs.
132 allowUnsettledMulticast (boolean)
134 (DEPRECATED) If true, allow senders to send unsettled deliveries to
135 multicast addresses. These deliveries shall be settled by the
136 ingress router. If false, unsettled deliveries to multicast
137 addresses shall be rejected.
138 defaultDistribution (One of [multicast, closest, balanced,
140 unavailable], default=balanced)
141 Default forwarding treatment for any address without a specified
142 treatment. multicast - one copy of each message delivered to all
143 subscribers; closest - messages delivered to only the closest
144 subscriber; balanced - messages delivered to one subscriber with
145 load balanced across subscribers; unavailable - this address is
146 unavailable, messages sent and link attaches to the address will be
147 rejected.
148 metadata (string)
150 Optional metadata text to describe or label this router. This text
151 does not affect the function of the router, but it can be used by
152 external tools (such as the console or orchestration software) to
153 control how the router is displayed.
154 helloInterval (integer, default=1)
156 (DEPRECATED) Interval in seconds between HELLO messages sent to
157 neighbor routers. This attribute has been deprecated. Use
158 helloIntervalSeconds instead.
159 helloMaxAge (integer, default=3)
161 (DEPRECATED) Time in seconds after which a neighbor is declared
162 lost if no HELLO is received. This attribute has been deprecated.
163 Use helloMaxAgeSeconds instead.
164 raInterval (integer, default=30)
166 (DEPRECATED) Interval in seconds between Router-Advertisements sent
167 to all routers in a stable network. This attribute has been
168 deprecated. Use raIntervalSeconds instead.
169 raIntervalFlux (integer, default=4)
171 (DEPRECATED) Interval in seconds between Router-Advertisements sent
172 to all routers during topology fluctuations. This attribute has
173 been deprecated. Use raIntervalFluxSeconds instead.
174 remoteLsMaxAge (integer, default=60)
176 (DEPRECATED) Time in seconds after which link state is declared
177 stale if no RA is received. This attribute has been deprecated. Use
178 remoteLsMaxAgeSeconds instead.
179 debugDump (path)
181 (DEPRECATED) The absolute path to the location for the debug dump
182 file. The router writes debug-level information to this file if the
183 logger is not available. This attribute has been deprecated. Use
184 debugDumpFile instead.
185 saslConfigPath (path)
187 (DEPRECATED) Absolute path to the SASL configuration file. This
188 attribute has been deprecated. Use saslConfigDir instead.
189 sslProfile
191 Attributes for setting TLS/SSL configuration for connections.
192 ciphers (string)
194 Specifies the enabled ciphers so the SSL Ciphers can be hardened.
195 In other words, use this field to disable weak ciphers. The ciphers
196 are specified in the format understood by the OpenSSL library. For
197 example, ciphers can be set to
198 ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; — The
199 full list of allowed ciphers can be viewed using the openssl
200 ciphers command
201 protocols (string)
203 The TLS protocols that this sslProfile can use. You can specify a
204 list of one or more of TLSv1, TLSv1.1, or TLSv1.2. To specify
205 multiple protocols, separate the protocols with a space. For
206 example, to permit the sslProfile to use TLS v1.1 and TLS v1.2
207 only, you would set the value to TLSv1.1 TLSv1.2. If you do not
208 specify a value, the sslProfile uses the TLS protocol specified by
209 the system-wide configuration.
210 caCertFile (path)
212 The absolute path to the database that contains the public
213 certificates of trusted certificate authorities (CA).
214 certFile (path)
216 The absolute path to the file containing the PEM-formatted public
217 certificate to be used on the local end of any connections using
218 this profile.
219 privateKeyFile (path)
221 The absolute path to the file containing the PEM-formatted private
222 key for the above certificate.
223 passwordFile (path)
225 (DEPRECATED) If the above private key is password protected, this
226 is the absolute path to the file containing the password that
227 unlocks the certificate key. This file should be permission
228 protected to limit access. This has been deprecated. Use the file:
229 prefix in the password field to specify the absolute path of the
230 file containing the password. If both password and passwordFile are
231 provided, the passwordFile is ignored
232 password (string)
234 The password that unlocks the certificate key. You can specify the
235 password by specifying an environment variable that stores the
236 password, a file that stores the password, or by entering the
237 password in clear text. To use an environment variable, specify
238 password: env:<var>. Use this option with caution, because the
239 environment of other processes is visible on certain platforms (for
240 example, ps on certain Unix OSs). To use a file, specify password:
241 file:<absolute-path-to-file>. This option is the most secure,
242 because permissions can be set on the file that contains the
243 password. To specify the password in clear text, specify password:
244 pass:<password>, or password: literal:<password>, or password:
245 <password>. This option is insecure, so it should only be used if
246 security is not a concern. If both password and passwordFile are
247 provided, the passwordFile is ignored.
248 uidFormat (string)
250 A list of x509 client certificate fields that will be used to build
251 a string that will uniquely identify the client certificate owner.
252 For e.g. a value of cou indicates that the uid will consist of c -
253 common name concatenated with o - organization-company name
254 concatenated with u - organization unit; or a value of o2 indicates
255 that the uid will consist of o (organization name) concatenated
256 with 2 (the sha256 fingerprint of the entire certificate) . Allowed
257 values can be any combination of c( ISO3166 two character country
258 code), s(state or province), l(Locality; generally - city),
259 o(Organization - Company Name), u(Organization Unit - typically
260 certificate type or brand), n(CommonName - typically a user name
261 for client certificates) and 1(sha1 certificate fingerprint, as
262 displayed in the fingerprints section when looking at a certificate
263 with say a web browser is the hash of the entire certificate) and 2
264 (sha256 certificate fingerprint) and 5 (sha512 certificate
265 fingerprint). The user identifier (uid) that is generated based on
266 the uidFormat is a string which has a semi-colon as a separator
267 between the components
268 uidNameMappingFile (string)
270 The absolute path to the file containing the unique id to display
271 name mapping
272 certDb (path)
274 (DEPRECATED) The absolute path to the database that contains the
275 public certificates of trusted certificate authorities (CA). This
276 attribute has been deprecated. Use caCertFile instead.
277 keyFile (path)
279 (DEPRECATED) The absolute path to the file containing the
280 PEM-formatted private key for the above certificate. This attribute
281 has been deprecated. Use privateKeyFile instead.
282 displayNameFile (string)
284 (DEPRECATED) The absolute path to the file containing the unique id
285 to display name mapping This attribute has been deprecated. Use
286 uidNameMappingFile instead.
287 authServicePlugin
289 EXPERIMENTAL. Attributes for setting SASL plugin.
290 authService (string)
292 (DEPRECATED) Address of a service to delegate authentication to.
293 This attribute has been deprecated. Use the host and port
294 attributes instead.
295 host (string)
297 A host name, IPV4 or IPV6 literal, of the service to delegate to.
298 port (string, default=amqp)
300 Port number of the service delegated host.
301 realm (string)
303 Value to set for hostname field on sasl-init
304 sslProfile (string)
306 Name of the sslProfile to use for the authentication service.
307 saslInitHostname (string)
309 (DEPRECATED) Value to set for hostname field on sasl-init This
310 attribute has been deprecated. Use realm instead.
311 authSslProfile (string)
313 (DEPRECATED) Name of the sslProfile to use for the authentication
314 service. This attribute has been deprecated. Use sslProfile
315 instead.
316 listener
318 Listens for incoming connections to the router.
319 host (string)
321 A host name, IPV4 or IPV6 literal, or the empty string. The empty
322 string listens on all local addresses. A host name listens on all
323 addresses associated with the name. An IPV6 literal address (or
324 wildcard [::]) listens only for IPV6. An IPV4 literal address (or
325 wildcard 0.0.0.0) listens only for IPV4.
326 port (string, default=amqp)
328 Port number or symbolic service name. If 0, the router shall assign
329 an ephemeral port to the listener and log the port number with a
330 log of the form SERVER (notice) Listening on <host>:<assigned-port>
331 (<listener-name>)
332 socketAddressFamily (One of [IPv4, IPv6])
334 [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6: Internet
335 Protocol version 6. If not specified, the protocol family will be
336 automatically determined from the address.
337 role (One of [normal, inter-router, route-container, edge],
339 default=normal)
340 The role of an established connection. In the normal role, the
341 connection is assumed to be used for AMQP clients that are doing
342 normal message delivery over the connection. In the inter-router
343 role, the connection is assumed to be to another router in the
344 network. Inter-router discovery and routing protocols can only be
345 used over inter-router connections. route-container role can be
346 used for router-container connections, for example, a router-broker
347 connection. In the edge role, the connection is assumed to be
348 between an edge router and an interior router.
349 cost (integer, default=1)
351 For the inter-router role only. This value assigns a cost metric to
352 the inter-router connection. The default (and minimum) value is
353 one. Higher values represent higher costs. The cost is used to
354 influence the routing algorithm as it attempts to use the path with
355 the lowest total cost from ingress to egress.
356 sslProfile (string)
358 Name of the sslProfile.
359 saslMechanisms (string)
361 Space separated list of accepted SASL authentication mechanisms.
362 authenticatePeer (boolean)
364 yes: Require the peer’s identity to be authenticated; no: Do not
365 require any authentication.
366 saslPlugin (string)
368 EXPERIMENTAL. Name of the a sasl plugin configuration section to
369 use for this listener (e.g. authServicePlugin).
370 requireEncryption (boolean)
372 yes: Require the connection to the peer to be encrypted; no: Permit
373 non-encrypted communication with the peer
374 requireSsl (boolean)
376 yes: Require the use of SSL or TLS on the connection; no: Allow
377 clients to connect without SSL or TLS.
378 trustedCertsFile (path)
380 This optional setting can be used to reduce the set of available
381 CAs for client authentication. If used, this setting must provide
382 the absolute path to a PEM file that contains the trusted
383 certificates.
384 maxFrameSize (integer, default=16384)
386 The maximum frame size in octets that will be used in the
387 connection-open negotiation with a connected peer. The frame size
388 is the largest contiguous set of uninterrupted data that can be
389 sent for a message delivery over the connection. Interleaving of
390 messages on different links is done at frame granularity. Policy
391 settings, if specified, will overwrite this value. Defaults to
392 16384.
393 maxSessions (integer, default=32768)
395 The maximum number of sessions that can be simultaneously active on
396 the connection. Setting this value to zero selects the default
397 number of sessions. Policy settings, if specified, will overwrite
398 this value. Defaults to 32768.
399 maxSessionFrames (integer)
401 Session incoming window measured in transfer frames for sessions
402 created on this connection. This is the number of transfer frames
403 that may simultaneously be in flight for all links in the session.
404 Setting this value to zero selects the default session window size.
405 Policy settings, if specified, will overwrite this value. The
406 numerical product of maxFrameSize and maxSessionFrames may not
407 exceed 231-1. If (maxFrameSize x maxSessionFrames) exceeds 231-1
408 then maxSessionFrames is reduced to (2^31-1 / maxFrameSize).
409 maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited
410 window).
411 idleTimeoutSeconds (integer, default=16)
413 The idle timeout, in seconds, for connections through this
414 listener. If no frames are received on the connection for this time
415 interval, the connection shall be closed.
416 initialHandshakeTimeoutSeconds (integer)
418 The timeout, in seconds, for the initial handshake for connections
419 coming in through listeners. If the time interval expires before
420 the peer sends the AMQP OPEN frame, the connection shall be closed.
421 A value of zero (the default) disables this timeout.
422 stripAnnotations (One of [in, out, both, no], default=both)
424 [in, out, both, no] in: Strip the dispatch router specific
425 annotations only on ingress; out: Strip the dispatch router
426 specific annotations only on egress; both: Strip the dispatch
427 router specific annotations on both ingress and egress; no - do not
428 strip dispatch router specific annotations
429 linkCapacity (integer)
431 The capacity of links within this connection, in terms of message
432 deliveries. The capacity is the number of messages that can be
433 in-flight concurrently for each link.
434 multiTenant (boolean)
436 If true, apply multi-tenancy to endpoints connected at this
437 listener. The address space is defined by the virtual host
438 (hostname field in the Open).
439 failoverUrls (string)
441 A comma-separated list of failover urls to be supplied to connected
442 clients. Form: [(amqp|amqps|ws|wss)://]host_or_ip[:port]
443 healthz (boolean, default=True)
445 Provide a simple HTTP based liveness test (using path /healthz).
446 Assumes listener is enabled for http.
447 metrics (boolean, default=True)
449 Export metrics in prometheus text format for the router (using path
450 /metrics). Assumes listener is enabled for http.
451 websockets (boolean, default=True)
453 For an http enabled listener, determines whether websockets access
454 is enabled (true by default).
455 http (boolean)
457 Accept HTTP connections that can upgrade to AMQP over WebSocket.
458 Plain AMQP connections are not accepted on this listener.
459 httpRootDir (path)
461 Absolute path to a directory from which to serve static HTML files.
462 Defaults to the stand-alone console installation directory
463 (typically /usr/share/qpid-dispatch/console).
464 messageLoggingComponents (string, default=none)
466 A comma separated list that indicates which components of the
467 message should be logged. Defaults to none (log nothing). If you
468 want all properties and application properties of the message
469 logged use all. Specific components of the message can be logged by
470 indicating the components via a comma separated list. The
471 components are message-id, user-id, to, subject, reply-to,
472 correlation-id, content-type, content-encoding,
473 absolute-expiry-time, creation-time, group-id, group-sequence,
474 reply-to-group-id, app-properties. The application-data part of the
475 bare message will not be logged. No spaces are allowed
476 policyVhost (string)
478 A listener may optionally define a virtual host to index to a
479 specific policy to restrict the remote container to access only
480 specific resources. This attribute defines the name of the policy
481 vhost for this listener. If multi-tenancy is enabled for the
482 listener, this vhost will override the peer-supplied vhost for the
483 purposes of identifying the desired policy settings for the
484 connections.
485 protocolFamily (One of [IPv4, IPv6])
487 (DEPRECATED) [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6:
488 Internet Protocol version 6. If not specified, the protocol family
489 will be automatically determined from the address. This attribute
490 has been deprecated. Use socketAddressFamily instead.
491 trustedCerts (path)
493 (DEPRECATED) This optional setting can be used to reduce the set of
494 available CAs for client authentication. If used, this setting must
495 provide the absolute path to a PEM file that contains the trusted
496 certificates. This attribute has been deprecated. Use
497 trustedCertsFile instead.
498 failoverList (string)
500 (DEPRECATED) A comma-separated list of failover urls to be supplied
501 to connected clients. Form:
502 [(amqp|amqps|ws|wss)://]host_or_ip[:port] This attribute has been
503 deprecated. Use failoverUrls instead.
504 httpRoot (path)
506 (DEPRECATED) Absolute path to a directory from which to serve
507 static HTML files. Defaults to the stand-alone console installation
508 directory (typically /usr/share/qpid-dispatch/console). This
509 attribute has been deprecated. Use httpRootDir instead.
510 logMessage (string, default=none)
512 (DEPRECATED) A comma separated list that indicates which components
513 of the message should be logged. Defaults to none (log nothing). If
514 you want all properties and application properties of the message
515 logged use all. Specific components of the message can be logged by
516 indicating the components via a comma separated list. The
517 components are message-id, user-id, to, subject, reply-to,
518 correlation-id, content-type, content-encoding,
519 absolute-expiry-time, creation-time, group-id, group-sequence,
520 reply-to-group-id, app-properties. The application-data part of the
521 bare message will not be logged. No spaces are allowed This
522 attribute has been deprecated. Use messageLoggingComponents
523 instead.
524 connector
526 Establishes an outgoing connection from the router.
527 host (string, default=127.0.0.1)
529 IP address: ipv4 or ipv6 literal or a host name
530 port (string, default=amqp)
532 Port number or symbolic service name.
533 protocolFamily (One of [IPv4, IPv6])
535 [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6: Internet
536 Protocol version 6. If not specified, the protocol family will be
537 automatically determined from the address.
538 role (One of [normal, inter-router, route-container, edge],
540 default=normal)
541 The role of an established connection. In the normal role, the
542 connection is assumed to be used for AMQP clients that are doing
543 normal message delivery over the connection. In the inter-router
544 role, the connection is assumed to be to another router in the
545 network. Inter-router discovery and routing protocols can only be
546 used over inter-router connections. route-container role can be
547 used for router-container connections, for example, a router-broker
548 connection. In the edge role, the connection is assumed to be
549 between and edge router and an interior router.
550 cost (integer, default=1)
552 For the inter-router role only. This value assigns a cost metric to
553 the inter-router connection. The default (and minimum) value is
554 one. Higher values represent higher costs. The cost is used to
555 influence the routing algorithm as it attempts to use the path with
556 the lowest total cost from ingress to egress.
557 sslProfile (string)
559 Name of the sslProfile.
560 saslMechanisms (string)
562 Space separated list of accepted SASL authentication mechanisms.
563 allowRedirect (boolean, default=True)
565 Allow the peer to redirect this connection to another address.
566 maxFrameSize (integer, default=16384)
568 The maximum frame size in octets that will be used in the
569 connection-open negotiation with a connected peer. The frame size
570 is the largest contiguous set of uninterrupted data that can be
571 sent for a message delivery over the connection. Interleaving of
572 messages on different links is done at frame granularity. Policy
573 settings will not overwrite this value. Defaults to 16384.
574 maxSessions (integer, default=32768)
576 The maximum number of sessions that can be simultaneously active on
577 the connection. Setting this value to zero selects the default
578 number of sessions. Policy settings will not overwrite this value.
579 Defaults to 32768.
580 maxSessionFrames (integer)
582 Session incoming window measured in transfer frames for sessions
583 created on this connection. This is the number of transfer frames
584 that may simultaneously be in flight for all links in the session.
585 Setting this value to zero selects the default session window size.
586 Policy settings will not overwrite this value. The numerical
587 product of maxFrameSize and maxSessionFrames may not exceed 231-1.
588 If (maxFrameSize x maxSessionFrames) exceeds 231-1 then
589 maxSessionFrames is reduced to (2^31-1 / maxFrameSize).
590 maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited
591 window).
592 idleTimeoutSeconds (integer, default=16)
594 The idle timeout, in seconds, for connections through this
595 connector. If no frames are received on the connection for this
596 time interval, the connection shall be closed.
597 stripAnnotations (One of [in, out, both, no], default=both)
599 [in, out, both, no] in: Strip the dispatch router specific
600 annotations only on ingress; out: Strip the dispatch router
601 specific annotations only on egress; both: Strip the dispatch
602 router specific annotations on both ingress and egress; no - do not
603 strip dispatch router specific annotations
604 linkCapacity (integer)
606 The capacity of links within this connection, in terms of message
607 deliveries. The capacity is the number of messages that can be
608 in-flight concurrently for each link.
609 verifyHostname (boolean, default=True)
611 yes: Ensures that when initiating a connection (as a client) the
612 host name in the URL to which this connector connects to matches
613 the host name in the digital certificate that the peer sends back
614 as part of the SSL connection; no: Does not perform host name
615 verification
616 saslUsername (string)
618 The user name that the connector is using to connect to a peer.
619 saslPassword (string)
621 The password that the connector is using to connect to a peer. You
622 can specify the password by specifying an environment variable that
623 stores the password, a file that stores the password, or by
624 entering the password in clear text. To use an environment
625 variable, specify saslPassword: env:<var>. Use this option with
626 caution, because the environment of other processes is visible on
627 certain platforms (for example, ps on certain Unix OSs). To use a
628 file, specify saslPassword: file:<absolute-path-to-file>. This
629 option is the most secure, because permissions can be set on the
630 file that contains the password. To specify the password in clear
631 text, specify saslPassword: pass:<password> or saslPassword:
632 <password>. This option is insecure, so it should only be used if
633 security is not a concern.
634 messageLoggingComponents (string, default=none)
636 A comma separated list that indicates which components of the
637 message should be logged (no spaces allowed between list
638 components). Defaults to none (log nothing). If you want all
639 properties and application properties of the message logged use
640 all. Specific components of the message can be logged by indicating
641 the components via a comma separated list. The components are
642 message-id, user-id, to, subject, reply-to, correlation-id,
643 content-type, content-encoding, absolute-expiry-time,
644 creation-time, group-id, group-sequence, reply-to-group-id,
645 app-properties. The application-data part of the bare message will
646 not be logged. This log message is written to the MESSAGE logging
647 module. In the log entity, set module property to MESSAGE or
648 DEFAULT and enable to trace+ to see this log message
649 policyVhost (string)
651 A connector may optionally define a policy to restrict the remote
652 container to access only specific resources. This attribute defines
653 the name of the policy vhost for this connector. Within the vhost
654 the connector will use the vhost policy settings from user group
655 $connector. If the vhost policy is absent or if the user group
656 $connector within that policy is absent then the connector will
657 fail to start. In policy specified via connector attribute
658 policyVhost the following vhostUserGroupSettings attributes are
659 unused: users, remoteHosts, maxFrameSize, maxSessionWindow,
660 maxSessions.
661 verifyHostName (boolean, default=True)
663 (DEPRECATED) yes: Ensures that when initiating a connection (as a
664 client) the host name in the URL to which this connector connects
665 to matches the host name in the digital certificate that the peer
666 sends back as part of the SSL connection; no: Does not perform host
667 name verification This attribute has been deprecated. Use
668 verifyHostname instead.
669 logMessage (string, default=none)
671 (DEPRECATED) A comma separated list that indicates which components
672 of the message should be logged (no spaces allowed between list
673 components). Defaults to none (log nothing). If you want all
674 properties and application properties of the message logged use
675 all. Specific components of the message can be logged by indicating
676 the components via a comma separated list. The components are
677 message-id, user-id, to, subject, reply-to, correlation-id,
678 content-type, content-encoding, absolute-expiry-time,
679 creation-time, group-id, group-sequence, reply-to-group-id,
680 app-properties. The application-data part of the bare message will
681 not be logged. This log message is written to the MESSAGE logging
682 module. In the log entity, set module property to MESSAGE or
683 DEFAULT and enable to trace+ to see this log message This attribute
684 has been deprecated. Use messageLoggingComponents instead.
685 log
687 Configure logging for a particular module. You can use the UPDATE
688 operation to change log settings while the router is running.
689 module (One of [ROUTER, ROUTER_CORE, ROUTER_HELLO, ROUTER_LS,
691 ROUTER_MA, MESSAGE, SERVER, AGENT, AUTHSERVICE, CONTAINER, ERROR,
692 POLICY, HTTP, CONN_MGR, PYTHON, PROTOCOL, DEFAULT], required)
693 Module to configure. The special module DEFAULT specifies defaults
694 for all modules.
695 enable (string)
697 Levels are: trace, debug, info, notice, warning, error, critical.
698 The enable string is a comma-separated list of levels. A level may
699 have a trailing + to enable that level and above. For example
700 trace,debug,warning+ means enable trace, debug, warning, error and
701 critical. The value none means disable logging for the module.
702 includeTimestamp (boolean)
704 Include timestamp in log messages.
705 includeSource (boolean)
707 Include source file and line number in log messages.
708 outputFile (string)
710 Where to send log messages. Can be stderr, stdout, syslog or a file
711 name.
712 timestamp (boolean)
714 (DEPRECATED) Include timestamp in log messages. This attribute has
715 been deprecated. Use includeTimestamp instead.
716 source (boolean)
718 (DEPRECATED) Include source file and line number in log messages.
719 This attribute has been deprecated. Use includeSource instead.
720 output (string)
722 (DEPRECATED) Where to send log messages. Can be stderr, stdout,
723 syslog or a file name. This attribute has been deprecated. Use
724 outputFile instead.
725 address
727 Entity type for address configuration. This is used to configure the
728 treatment of message-routed deliveries within a particular
729 address-space. The configuration controls distribution and address
730 phasing.
731 prefix (string)
733 The address prefix for the configured settings. Cannot be used with
734 a pattern attribute.
735 pattern (string)
737 A wildcarded pattern for address matching. Incoming addresses are
738 matched against this pattern. Matching addresses use the configured
739 settings. The pattern consists of one or more tokens separated by a
740 forward slash /. A token can be one of the following: a *
741 character, a # character, or a sequence of characters that do not
742 include /, *, or #. The * token matches any single token. The #
743 token matches zero or more tokens. * has higher precedence than #,
744 and exact match has the highest precedence. Cannot be used with a
745 prefix attribute.
746 distribution (One of [multicast, closest, balanced, unavailable],
748 default=balanced)
749 Treatment of traffic associated with the address
750 waypoint (boolean)
752 Designates this address space as being used for waypoints. This
753 will cause the proper address-phasing to be used.
754 ingressPhase (integer)
756 Advanced - Override the ingress phase for this address
757 egressPhase (integer)
759 Advanced - Override the egress phase for this address
760 priority (integer)
762 All messages sent to this address which lack an intrinsic priority
763 will be assigned this priority.
764 enableFallback (boolean)
766 If false, undeliverable messages are released. If true,
767 undeliverable messages shall be re-delivered to a fallback
768 destination. The fallback destination uses the same address, but is
769 attached using an autoLink with fallback enabled or a link with the
770 qd.fallback capability.
771 linkRoute
773 Entity type for link-route configuration. This is used to identify
774 remote containers that shall be destinations for routed link-attaches.
775 The link-routing configuration applies to an addressing space defined
776 by a prefix or a pattern.
777 prefix (string)
779 The address prefix for the configured settings. Cannot be used with
780 the pattern attribute.
781 pattern (string)
783 A wildcarded pattern for address matching. Link addresses are
784 matched against this pattern. Matching addresses use the configured
785 settings. The pattern consists of one or more tokens separated by a
786 forward slash /. A token can be one of the following: a *
787 character, a # character, or a sequence of characters that do not
788 include /, *, or #. The * token matches any single token. The #
789 token matches zero or more tokens. * has higher precedence than #,
790 and exact match has the highest precedence. Cannot be used with the
791 prefix attribute.
792 addExternalPrefix (string)
794 add the specified prefix to the address of the remote terminus on
795 the route container link
796 delExternalPrefix (string)
798 remove the specified prefix to the address of the remote terminus
799 on the route container link
800 containerId (string)
802 ContainerID for the target container. Only one of containerId or
803 connection should be specified for a linkRoute. Specifying both
804 will result in the linkRoute not being created.
805 connection (string)
807 The name from a connector or listener. Only one of containerId or
808 connection should be specified for a linkRoute. Specifying both
809 will result in the linkRoute not being created.
810 distribution (One of [linkBalanced], default=linkBalanced)
812 Treatment of traffic associated with the address
813 direction (One of [in, out], required)
815 The permitted direction of links: in means client senders; out
816 means client receivers
817 dir (One of [in, out], required)
819 (DEPRECATED) The permitted direction of links: in means client
820 senders; out means client receivers This attribute has been
821 deprecated. Use direction instead.
822 autoLink
824 Entity type for configuring auto-links. Auto-links are links whose
825 lifecycle is managed by the router. These are typically used to attach
826 to waypoints on remote containers (brokers, etc.).
827 address (string, required)
829 The address of the provisioned object
830 direction (One of [in, out], required)
832 The direction of the link to be created. In means into the router,
833 out means out of the router.
834 phase (integer)
836 The address phase for this link. Defaults to 0 for out links and 1
837 for in links.
838 containerId (string)
840 ContainerID for the target container. Only one of containerId or
841 connection should be specified for an autoLink. Specifying both
842 will result in the autoLink not being created
843 connection (string)
845 The name from a connector or listener. Only one of containerId or
846 connection should be specified for an autoLink. Specifying both
847 will result in the autoLink not being created
848 externalAddress (string)
850 If present, an alternate address of the node on the remote
851 container. This is used if the node has a different address than
852 the address used internally by the router to route deliveries.
853 fallback (boolean)
855 If true, this auto-link is attached to a fallback destination for
856 an address.
857 addr (string, required)
859 (DEPRECATED) The address of the provisioned object This attribute
860 has been deprecated. Use address instead.
861 dir (One of [in, out], required)
863 (DEPRECATED) The direction of the link to be created. In means into
864 the router, out means out of the router. This attribute has been
865 deprecated. Use direction instead.
866 externalAddr (string)
868 (DEPRECATED) If present, an alternate address of the node on the
869 remote container. This is used if the node has a different address
870 than the address used internally by the router to route deliveries.
871 This attribute has been deprecated. Use externalAddress instead.
872 exchange
874 [EXPERIMENTAL] Defines a topic exchange.
875 address (string, required)
877 The address of the exchange. Used by the message publisher as the
878 target for sending messages.
879 phase (integer)
881 The address phase for the exchange. Defaults to 0.
882 alternateAddress (string)
884 The address to forward the message to if no bindings are matched.
885 alternatePhase (integer)
887 The address phase for the alternateAddress. Defaults to 0.
888 matchMethod (One of [amqp, mqtt], default=amqp)
890 Key matching algorithm used. amqp uses the legacy AMQP topic
891 exchange wildcard match method as described in the pre-1.0 drafts.
892 mqtt uses the MQTT topic filter wildcard match method.
893 binding
895 [EXPERIMENTAL] Defines a keyed next hop binding for a topic exchange.
896 The subject field of the messages arriving at the exchange is compared
897 against the binding’s key value using the exchange’s matchMethod. If
898 the subject matches the key the message is forwarded to the
899 nextHopAddress. The nextHopAddress overrides the message’s original
900 destination.
901 exchangeName (string, required)
903 The name of the exchange to bind.
904 bindingKey (string)
906 Pattern to compare against incoming message’s subject. The key is a
907 string of zero or more tokens and wildcards. The format depends on
908 the matchMethod configured for the exchange. For AMQP each token is
909 delimited by the . character and wild-card tokens * matches a
910 single token and
911 matches zero or more tokens. For MQTT each token is delimited by
913 the / character and wildcard tokens + matches a single token and
914 matches zero or more tokens at the end of the topic. If a key is
916 not provided the binding will match all messages arriving at the
917 exchange (fanout behavior).
918 nextHopAddress (string, required)
920 The address to forward the message to when the message’s topic
921 string matches the binding key pattern. This address is used by
922 message consumers as the source of incoming messages.
923 nextHopPhase (integer)
925 The address phase used when forwarding messages that match this
926 binding.
927 console
929 (DEPRECATED) Start a websocket/tcp proxy and http file server to serve
930 the web console
931 listener (string)
933 The name of the listener to send the proxied tcp traffic to.
934 wsport (integer, default=5673)
936 port on which to listen for websocket traffic
937 proxy (string, required)
939 The full path to the proxy program to run.
940 home (string, required)
942 The full path to the html/css/js files for the console.
943 args (string)
945 Optional args to pass the proxy program for logging,
946 authentication, etc.
947 policy
949 Defines global connection limit
950 maxConnections (integer, default=65535)
952 The maximum number of concurrent client connections allowed for
953 this router. This limit is always enforced, even if no other policy
954 settings have been defined. The limit is applied to all incoming
955 connections regardless of remote host, authenticated user, or
956 targeted vhost.
957 enableVhostPolicy (boolean)
959 Enables the router to enforce the connection denials and resource
960 limits defined in the configured vhost policies.
961 enableVhostNamePatterns (boolean)
963 Enable vhost name patterns. When false vhost hostnames are treated
964 as literal strings. When true vhost hostnames are treated as match
965 patterns.
966 policyDir (path)
968 The absolute path to a directory that holds vhost policy definition
969 files in JSON format (*.json). The router processes all of the
970 vhost policies in each JSON file that is in this directory.
971 defaultVhost (string)
973 The name of the default vhost policy. This policy rule set is
974 applied to a connection for which a vhost policy has not otherwise
975 been configured. Processing for the default vhost is enabled by
976 default and set to select vhost $default. To disable default vhost
977 processing set defaultVhost to blank or do not define a vhost named
978 $default.
979 vhost
981 AMQP virtual host policy definition of users, user groups, allowed
982 remote hosts, and AMQP restrictions.
983 hostname (string, required)
985 The hostname of the vhost. This vhost policy will be applied to any
986 client connection that is directed to this hostname.
987 maxConnections (integer, default=65535)
989 The global maximum number of concurrent client connections allowed
990 for this vhost.
991 maxConnectionsPerUser (integer, default=65535)
993 The maximum number of concurrent client connections allowed for any
994 user.
995 maxConnectionsPerHost (integer, default=65535)
997 The maximum number of concurrent client connections allowed for any
998 remote host (the host from which the client is connecting).
999 allowUnknownUser (boolean)
1001 Whether unknown users (users who are not members of a defined user
1002 group) are allowed to connect to the vhost. Unknown users are
1003 assigned to the $default user group and receive $default settings.
1004 groups (map)
1006 A map where each key is a vhost name and each value is a map of the
1007 settings for users of that vhost.
1008 id (string, required)
1010 (DEPRECATED) The hostname of the vhost. This vhost policy will be
1011 applied to any client connection that is directed to this hostname.
1012 This attribute has been deprecated. Use hostname instead.
1013 vhostUserGroupSettings
1015 Policy settings for users connecting to a vhost. Configuration files
1016 including this section must use .json format.
1017 maxFrameSize (integer, default=16384)
1019 The largest frame, in bytes, that may be sent on this connection.
1020 Non-zero policy values overwrite values specified for a listener
1021 object (AMQP Open, max-frame-size).
1022 maxSessionWindow (integer, default=1638400)
1024 The incoming capacity for new AMQP sessions, measured in octets.
1025 Non-zero policy values overwrite values specified for a listener
1026 object (AMQP Begin, incoming-window).
1027 maxSessions (integer, default=32768)
1029 The maximum number of sessions that may be created on this
1030 connection. Non-zero policy values overwrite values specified for a
1031 listener object (AMQP Open, channel-max).
1032 maxSenders (integer, default=2147483647)
1034 The maximum number of sending links that may be created on this
1035 connection. A value of 0 disables all sender links.
1036 maxReceivers (integer, default=2147483647)
1038 The maximum number of receiving links that may be created on this
1039 connection. A value of 0 disables all receiver links.
1040 allowDynamicSource (boolean)
1042 Whether this connection is allowed to create dynamic receiving
1043 links (links to resources that do not exist on the peer). A value
1044 of true means that users are able to automatically create resources
1045 on the peer system.
1046 allowAnonymousSender (boolean)
1048 Whether this connection is allowed to create sending links if the
1049 sender does not provide a target address. By prohibiting anonymous
1050 senders, the router only needs to verify once, when the link is
1051 created, that the sender is permitted to send messages to the
1052 target address. The router does not need to verify each message
1053 that is sent on the link. A value of true means that users may send
1054 messages to any address. Allowing anonymous senders can also
1055 decrease performance: if the sender does not specify a target
1056 address, then the router must parse each message to determine how
1057 to route it.
1058 allowUserIdProxy (boolean)
1060 Whether this connection is allowed to send messages with a user ID
1061 that is different than the connection’s authenticated user name.
1062 allowWaypointLinks (boolean, default=True)
1064 Whether this connection is allowed to claim waypoint.N capability
1065 for attached links. This allows endpoints to act as waypoints
1066 without needing auto-links.
1067 allowDynamicLinkRoutes (boolean, default=True)
1069 Whether this connection is allowed to dynamically create
1070 connection-scoped link route destinations.
1071 allowAdminStatusUpdate (boolean, default=True)
1073 Whether this connection is allowed to update the admin status of
1074 other connections. Note: Inter-router connections cannot be deleted
1075 at any time.
1076 allowFallbackLinks (boolean, default=True)
1078 Whether this connection is allowed to claim qd.fallback capability
1079 for attached links. This allows endpoints to act as fallback
1080 destinations for addresses that have fallback capability enabled.
1081 sources (string)
1083 targets (string)
1085 sourcePattern (string)
1087 targetPattern (string)
1089
1091 qdrouterd(8), qdmanage(8)
1092 http://qpid.apache.org/components/dispatch-router
1094 04/13/2020 QDROUTERD.CONF(5)