1QDROUTERD.CONF(5) QDROUTERD.CONF(5)
2
6 qdrouterd.conf - configuration file for the dispatch router.
7
9 Provides the initial configuration when qdrouterd(8) starts. The
10 configuration of a running router can be modified using qdmanage(8).
11
13 The configuration file is made up of sections with this syntax:
14 sectionName {
16 attributeName: attributeValue
17 attributeName: attributeValue
18 ...
19 }
20 For example you can define a router using the router section
22 router {
24 mode: standalone
25 id: Router.A
26 ...
27 }
28 or define a listener using the listener section
30 listener {
32 host: 0.0.0.0
33 port: 20102
34 saslMechanisms: ANONYMOUS
35 ...
36 }
37 or define a connector using the connector section
39 connector {
41 role: inter-router
42 host: 0.0.0.0
43 port: 20003
44 saslMechanisms: ANONYMOUS
45 ...
46 }
47 An sslProfile section with SSL credentials can be included in multiple
49 listener or connector entities. Here’s an example, note how the
50 sslProfile attribute of listener sections references the name attribute
51 of sslProfile sections.
52 sslProfile {
54 name: my-ssl
55 caCertFile: ca-certificate-1.pem
56 certFile: server-certificate-1.pem
57 privateKeyFile: server-private-key.pem
58 }
59 listener {
61 sslProfile: my-ssl
62 host: 0.0.0.0
63 port: 20102
64 saslMechanisms: ANONYMOUS
65 }
66
68 router
69 Tracks peer routers and computes routes to destinations. This entity is
70 mandatory. The router will not start without this entity.
71 id (string)
73 Router’s unique identity. This field may not contain whitespace or
74 control characters. If not specified, a random identity will be
75 assigned at startup.
76 mode (One of [standalone, interior, edge], default=standalone)
78 In standalone mode, the router operates as a single component. It
79 does not participate in the routing protocol and therefore will not
80 cooperate with other routers. In interior mode, the router operates
81 in cooperation with other interior routers in an interconnected
82 network. In edge mode, the router can make a connection to an
83 interior router and join a network without causing that network to
84 recompute paths.
85 helloIntervalSeconds (integer, default=1)
87 Interval in seconds between HELLO messages sent to neighbor
88 routers.
89 helloMaxAgeSeconds (integer, default=3)
91 Time in seconds after which a neighbor is declared lost if no HELLO
92 is received.
93 raIntervalSeconds (integer, default=30)
95 Interval in seconds between Router-Advertisements sent to all
96 routers in a stable network.
97 raIntervalFluxSeconds (integer, default=4)
99 Interval in seconds between Router-Advertisements sent to all
100 routers during topology fluctuations.
101 remoteLsMaxAgeSeconds (integer, default=60)
103 Time in seconds after which link state is declared stale if no RA
104 is received.
105 workerThreads (integer, default=4)
107 The number of threads that will be created to process message
108 traffic and other application work (timers, non-amqp file
109 descriptors, etc.) .
110 debugDumpFile (path)
112 The absolute path to the location for the debug dump file. The
113 router writes debug-level information to this file if the logger is
114 not available.
115 saslConfigDir (path)
117 Absolute path to the SASL configuration file.
118 saslConfigName (string, default=qdrouterd)
120 Name of the SASL configuration. This string + .conf is the name of
121 the configuration file.
122 allowResumableLinkRoute (boolean, default=True)
124 Whether links can be routed where timeout is non-zero or
125 expiry-policy is not link-detach
126 timestampsInUTC (boolean)
128 Use UTC time rather than localtime in logs.
129 timestampFormat (string)
131 Format string to use for timestamps in logs.
132 allowUnsettledMulticast (boolean)
134 (DEPRECATED) If true, allow senders to send unsettled deliveries to
135 multicast addresses. These deliveries shall be settled by the
136 ingress router. If false, unsettled deliveries to multicast
137 addresses shall be rejected.
138 defaultDistribution (One of [multicast, closest, balanced,
140 unavailable], default=balanced)
141 Default forwarding treatment for any address without a specified
142 treatment. multicast - one copy of each message delivered to all
143 subscribers; closest - messages delivered to only the closest
144 subscriber; balanced - messages delivered to one subscriber with
145 load balanced across subscribers; unavailable - this address is
146 unavailable, messages sent and link attaches to the address will be
147 rejected.
148 metadata (string)
150 Optional metadata text to describe or label this router. This text
151 does not affect the function of the router, but it can be used by
152 external tools (such as the console or orchestration software) to
153 control how the router is displayed.
154 helloInterval (integer, default=1)
156 (DEPRECATED) Interval in seconds between HELLO messages sent to
157 neighbor routers. This attribute has been deprecated. Use
158 helloIntervalSeconds instead.
159 helloMaxAge (integer, default=3)
161 (DEPRECATED) Time in seconds after which a neighbor is declared
162 lost if no HELLO is received. This attribute has been deprecated.
163 Use helloMaxAgeSeconds instead.
164 raInterval (integer, default=30)
166 (DEPRECATED) Interval in seconds between Router-Advertisements sent
167 to all routers in a stable network. This attribute has been
168 deprecated. Use raIntervalSeconds instead.
169 raIntervalFlux (integer, default=4)
171 (DEPRECATED) Interval in seconds between Router-Advertisements sent
172 to all routers during topology fluctuations. This attribute has
173 been deprecated. Use raIntervalFluxSeconds instead.
174 remoteLsMaxAge (integer, default=60)
176 (DEPRECATED) Time in seconds after which link state is declared
177 stale if no RA is received. This attribute has been deprecated. Use
178 remoteLsMaxAgeSeconds instead.
179 debugDump (path)
181 (DEPRECATED) The absolute path to the location for the debug dump
182 file. The router writes debug-level information to this file if the
183 logger is not available. This attribute has been deprecated. Use
184 debugDumpFile instead.
185 saslConfigPath (path)
187 (DEPRECATED) Absolute path to the SASL configuration file. This
188 attribute has been deprecated. Use saslConfigDir instead.
189 sslProfile
191 Attributes for setting TLS/SSL configuration for connections.
192 ciphers (string)
194 Specifies the enabled ciphers so the SSL Ciphers can be hardened.
195 In other words, use this field to disable weak ciphers. The ciphers
196 are specified in the format understood by the OpenSSL library. For
197 example, ciphers can be set to
198 ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; — The
199 full list of allowed ciphers can be viewed using the openssl
200 ciphers command
201 protocols (string)
203 The TLS protocols that this sslProfile can use. You can specify a
204 list of one or more of TLSv1, TLSv1.1, or TLSv1.2. To specify
205 multiple protocols, separate the protocols with a space. For
206 example, to permit the sslProfile to use TLS v1.1 and TLS v1.2
207 only, you would set the value to TLSv1.1 TLSv1.2. If you do not
208 specify a value, the sslProfile uses the TLS protocol specified by
209 the system-wide configuration.
210 caCertFile (path)
212 The absolute path to the database that contains the public
213 certificates of trusted certificate authorities (CA).
214 certFile (path)
216 The absolute path to the file containing the PEM-formatted public
217 certificate to be used on the local end of any connections using
218 this profile.
219 privateKeyFile (path)
221 The absolute path to the file containing the PEM-formatted private
222 key for the above certificate.
223 passwordFile (path)
225 (DEPRECATED) If the above private key is password protected, this
226 is the absolute path to the file containing the password that
227 unlocks the certificate key. This file should be permission
228 protected to limit access. This has been deprecated. Use the file:
229 prefix in the password field to specify the absolute path of the
230 file containing the password. If both password and passwordFile are
231 provided, the passwordFile is ignored
232 password (string)
234 The password that unlocks the certificate key. You can specify the
235 password by specifying an environment variable that stores the
236 password, a file that stores the password, or by entering the
237 password in clear text. To use an environment variable, specify
238 password: env:<var>. Use this option with caution, because the
239 environment of other processes is visible on certain platforms (for
240 example, ps on certain Unix OSs). To use a file, specify password:
241 file:<absolute-path-to-file>. This option is the most secure,
242 because permissions can be set on the file that contains the
243 password. To specify the password in clear text, specify password:
244 pass:<password>, or password: literal:<password>, or password:
245 <password>. This option is insecure, so it should only be used if
246 security is not a concern. If both password and passwordFile are
247 provided, the passwordFile is ignored.
248 uidFormat (string)
250 A list of x509 client certificate fields that will be used to build
251 a string that will uniquely identify the client certificate owner.
252 For e.g. a value of cou indicates that the uid will consist of c -
253 common name concatenated with o - organization-company name
254 concatenated with u - organization unit; or a value of o2 indicates
255 that the uid will consist of o (organization name) concatenated
256 with 2 (the sha256 fingerprint of the entire certificate) . Allowed
257 values can be any combination of c( ISO3166 two character country
258 code), s(state or province), l(Locality; generally - city),
259 o(Organization - Company Name), u(Organization Unit - typically
260 certificate type or brand), n(CommonName - typically a user name
261 for client certificates) and 1(sha1 certificate fingerprint, as
262 displayed in the fingerprints section when looking at a certificate
263 with say a web browser is the hash of the entire certificate) and 2
264 (sha256 certificate fingerprint) and 5 (sha512 certificate
265 fingerprint). The user identifier (uid) that is generated based on
266 the uidFormat is a string which has a semi-colon as a separator
267 between the components
268 uidNameMappingFile (string)
270 The absolute path to the file containing the unique id to display
271 name mapping
272 certDb (path)
274 (DEPRECATED) The absolute path to the database that contains the
275 public certificates of trusted certificate authorities (CA). This
276 attribute has been deprecated. Use caCertFile instead.
277 keyFile (path)
279 (DEPRECATED) The absolute path to the file containing the
280 PEM-formatted private key for the above certificate. This attribute
281 has been deprecated. Use privateKeyFile instead.
282 displayNameFile (string)
284 (DEPRECATED) The absolute path to the file containing the unique id
285 to display name mapping This attribute has been deprecated. Use
286 uidNameMappingFile instead.
287 authServicePlugin
289 EXPERIMENTAL. Attributes for setting SASL plugin.
290 authService (string)
292 (DEPRECATED) Address of a service to delegate authentication to.
293 This attribute has been deprecated. Use the host and port
294 attributes instead.
295 host (string)
297 A host name, IPV4 or IPV6 literal, of the service to delegate to.
298 port (string, default=amqp)
300 Port number of the service delegated host.
301 realm (string)
303 Value to set for hostname field on sasl-init
304 sslProfile (string)
306 Name of the sslProfile to use for the authentication service.
307 saslInitHostname (string)
309 (DEPRECATED) Value to set for hostname field on sasl-init This
310 attribute has been deprecated. Use realm instead.
311 authSslProfile (string)
313 (DEPRECATED) Name of the sslProfile to use for the authentication
314 service. This attribute has been deprecated. Use sslProfile
315 instead.
316 listener
318 Listens for incoming connections to the router.
319 host (string)
321 A host name, IPV4 or IPV6 literal, or the empty string. The empty
322 string listens on all local addresses. A host name listens on all
323 addresses associated with the name. An IPV6 literal address (or
324 wildcard [::]) listens only for IPV6. An IPV4 literal address (or
325 wildcard 0.0.0.0) listens only for IPV4.
326 port (string, default=amqp)
328 Port number or symbolic service name. If 0, the router shall assign
329 an ephemeral port to the listener and log the port number with a
330 log of the form SERVER (notice) Listening on <host>:<assigned-port>
331 (<listener-name>)
332 socketAddressFamily (One of [IPv4, IPv6])
334 [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6: Internet
335 Protocol version 6. If not specified, the protocol family will be
336 automatically determined from the address.
337 role (One of [normal, inter-router, route-container, edge],
339 default=normal)
340 The role of an established connection. In the normal role, the
341 connection is assumed to be used for AMQP clients that are doing
342 normal message delivery over the connection. In the inter-router
343 role, the connection is assumed to be to another router in the
344 network. Inter-router discovery and routing protocols can only be
345 used over inter-router connections. route-container role can be
346 used for router-container connections, for example, a router-broker
347 connection. In the edge role, the connection is assumed to be
348 between an edge router and an interior router.
349 cost (integer, default=1)
351 For the inter-router role only. This value assigns a cost metric to
352 the inter-router connection. The default (and minimum) value is
353 one. Higher values represent higher costs. The cost is used to
354 influence the routing algorithm as it attempts to use the path with
355 the lowest total cost from ingress to egress.
356 sslProfile (string)
358 Name of the sslProfile.
359 saslMechanisms (string)
361 Space separated list of accepted SASL authentication mechanisms.
362 authenticatePeer (boolean)
364 yes: Require the peer’s identity to be authenticated; no: Do not
365 require any authentication.
366 saslPlugin (string)
368 EXPERIMENTAL. Name of the a sasl plugin configuration section to
369 use for this listener (e.g. authServicePlugin).
370 requireEncryption (boolean)
372 yes: Require the connection to the peer to be encrypted; no: Permit
373 non-encrypted communication with the peer
374 requireSsl (boolean)
376 yes: Require the use of SSL or TLS on the connection; no: Allow
377 clients to connect without SSL or TLS.
378 trustedCertsFile (path)
380 (DEPRECATED) Use sslProfile caCertFile instead.
381 maxFrameSize (integer, default=16384)
383 The maximum frame size in octets that will be used in the
384 connection-open negotiation with a connected peer. The frame size
385 is the largest contiguous set of uninterrupted data that can be
386 sent for a message delivery over the connection. Interleaving of
387 messages on different links is done at frame granularity. Policy
388 settings, if specified, will overwrite this value. Defaults to
389 16384.
390 maxSessions (integer, default=32768)
392 The maximum number of sessions that can be simultaneously active on
393 the connection. Setting this value to zero selects the default
394 number of sessions. Policy settings, if specified, will overwrite
395 this value. Defaults to 32768.
396 maxSessionFrames (integer)
398 Session incoming window measured in transfer frames for sessions
399 created on this connection. This is the number of transfer frames
400 that may simultaneously be in flight for all links in the session.
401 Setting this value to zero selects the default session window size.
402 Policy settings, if specified, will overwrite this value. The
403 numerical product of maxFrameSize and maxSessionFrames may not
404 exceed 231-1. If (maxFrameSize x maxSessionFrames) exceeds 231-1
405 then maxSessionFrames is reduced to (2^31-1 / maxFrameSize).
406 maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited
407 window).
408 idleTimeoutSeconds (integer, default=16)
410 The idle timeout, in seconds, for connections through this
411 listener. If no frames are received on the connection for this time
412 interval, the connection shall be closed.
413 initialHandshakeTimeoutSeconds (integer)
415 The timeout, in seconds, for the initial handshake for connections
416 coming in through listeners. If the time interval expires before
417 the peer sends the AMQP OPEN frame, the connection shall be closed.
418 A value of zero (the default) disables this timeout.
419 stripAnnotations (One of [in, out, both, no], default=both)
421 [in, out, both, no] in: Strip the dispatch router specific
422 annotations only on ingress; out: Strip the dispatch router
423 specific annotations only on egress; both: Strip the dispatch
424 router specific annotations on both ingress and egress; no - do not
425 strip dispatch router specific annotations
426 linkCapacity (integer)
428 The capacity of links within this connection, in terms of message
429 deliveries. The capacity is the number of messages that can be
430 in-flight concurrently for each link.
431 multiTenant (boolean)
433 If true, apply multi-tenancy to endpoints connected at this
434 listener. The address space is defined by the virtual host
435 (hostname field in the Open).
436 failoverUrls (string)
438 A comma-separated list of failover urls to be supplied to connected
439 clients. Form: [(amqp|amqps|ws|wss)://]host_or_ip[:port]
440 healthz (boolean, default=True)
442 Provide a simple HTTP based liveness test (using path /healthz).
443 Assumes listener is enabled for http.
444 metrics (boolean, default=True)
446 Export metrics in prometheus text format for the router (using path
447 /metrics). Assumes listener is enabled for http.
448 websockets (boolean, default=True)
450 For an http enabled listener, determines whether websockets access
451 is enabled (true by default).
452 http (boolean)
454 Accept HTTP connections that can upgrade to AMQP over WebSocket.
455 Plain AMQP connections are not accepted on this listener.
456 httpRootDir (path)
458 Absolute path to a directory from which to serve static HTML files.
459 Defaults to the stand-alone console installation directory
460 (typically /usr/share/qpid-dispatch/console).
461 messageLoggingComponents (string, default=none)
463 A comma separated list that indicates which components of the
464 message should be logged. Defaults to none (log nothing). If you
465 want all properties and application properties of the message
466 logged use all. Specific components of the message can be logged by
467 indicating the components via a comma separated list. The
468 components are message-id, user-id, to, subject, reply-to,
469 correlation-id, content-type, content-encoding,
470 absolute-expiry-time, creation-time, group-id, group-sequence,
471 reply-to-group-id, app-properties. The application-data part of the
472 bare message will not be logged. No spaces are allowed
473 policyVhost (string)
475 A listener may optionally define a virtual host to index to a
476 specific policy to restrict the remote container to access only
477 specific resources. This attribute defines the name of the policy
478 vhost for this listener. If multi-tenancy is enabled for the
479 listener, this vhost will override the peer-supplied vhost for the
480 purposes of identifying the desired policy settings for the
481 connections.
482 openProperties (properties)
484 A JSON map containing connection properties. These will be sent to
485 the peer on connection open. All map keys are restricted to strings
486 containing only valid ASCII characters, Keys must not start with
487 prefixes qd. or x-opt-qd.. The following key values are also
488 reserved: product, version, failover-server-list, network-host,
489 port, scheme hostname
490 protocolFamily (One of [IPv4, IPv6])
492 (DEPRECATED) [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6:
493 Internet Protocol version 6. If not specified, the protocol family
494 will be automatically determined from the address. This attribute
495 has been deprecated. Use socketAddressFamily instead.
496 trustedCerts (path)
498 (DEPRECATED) (DEPRECATED) Use sslProfile caCertFile instead. This
499 attribute has been deprecated. Use trustedCertsFile instead.
500 failoverList (string)
502 (DEPRECATED) A comma-separated list of failover urls to be supplied
503 to connected clients. Form:
504 [(amqp|amqps|ws|wss)://]host_or_ip[:port] This attribute has been
505 deprecated. Use failoverUrls instead.
506 httpRoot (path)
508 (DEPRECATED) Absolute path to a directory from which to serve
509 static HTML files. Defaults to the stand-alone console installation
510 directory (typically /usr/share/qpid-dispatch/console). This
511 attribute has been deprecated. Use httpRootDir instead.
512 logMessage (string, default=none)
514 (DEPRECATED) A comma separated list that indicates which components
515 of the message should be logged. Defaults to none (log nothing). If
516 you want all properties and application properties of the message
517 logged use all. Specific components of the message can be logged by
518 indicating the components via a comma separated list. The
519 components are message-id, user-id, to, subject, reply-to,
520 correlation-id, content-type, content-encoding,
521 absolute-expiry-time, creation-time, group-id, group-sequence,
522 reply-to-group-id, app-properties. The application-data part of the
523 bare message will not be logged. No spaces are allowed This
524 attribute has been deprecated. Use messageLoggingComponents
525 instead.
526 connector
528 Establishes an outgoing connection from the router.
529 host (string, default=127.0.0.1)
531 IP address: ipv4 or ipv6 literal or a host name
532 port (string, default=amqp)
534 Port number or symbolic service name.
535 protocolFamily (One of [IPv4, IPv6])
537 [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6: Internet
538 Protocol version 6. If not specified, the protocol family will be
539 automatically determined from the address.
540 role (One of [normal, inter-router, route-container, edge],
542 default=normal)
543 The role of an established connection. In the normal role, the
544 connection is assumed to be used for AMQP clients that are doing
545 normal message delivery over the connection. In the inter-router
546 role, the connection is assumed to be to another router in the
547 network. Inter-router discovery and routing protocols can only be
548 used over inter-router connections. route-container role can be
549 used for router-container connections, for example, a router-broker
550 connection. In the edge role, the connection is assumed to be
551 between and edge router and an interior router.
552 cost (integer, default=1)
554 For the inter-router role only. This value assigns a cost metric to
555 the inter-router connection. The default (and minimum) value is
556 one. Higher values represent higher costs. The cost is used to
557 influence the routing algorithm as it attempts to use the path with
558 the lowest total cost from ingress to egress.
559 sslProfile (string)
561 Name of the sslProfile.
562 saslMechanisms (string)
564 Space separated list of accepted SASL authentication mechanisms.
565 allowRedirect (boolean, default=True)
567 Allow the peer to redirect this connection to another address.
568 maxFrameSize (integer, default=16384)
570 The maximum frame size in octets that will be used in the
571 connection-open negotiation with a connected peer. The frame size
572 is the largest contiguous set of uninterrupted data that can be
573 sent for a message delivery over the connection. Interleaving of
574 messages on different links is done at frame granularity. Policy
575 settings will not overwrite this value. Defaults to 16384.
576 maxSessions (integer, default=32768)
578 The maximum number of sessions that can be simultaneously active on
579 the connection. Setting this value to zero selects the default
580 number of sessions. Policy settings will not overwrite this value.
581 Defaults to 32768.
582 maxSessionFrames (integer)
584 Session incoming window measured in transfer frames for sessions
585 created on this connection. This is the number of transfer frames
586 that may simultaneously be in flight for all links in the session.
587 Setting this value to zero selects the default session window size.
588 Policy settings will not overwrite this value. The numerical
589 product of maxFrameSize and maxSessionFrames may not exceed 231-1.
590 If (maxFrameSize x maxSessionFrames) exceeds 231-1 then
591 maxSessionFrames is reduced to (2^31-1 / maxFrameSize).
592 maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited
593 window).
594 idleTimeoutSeconds (integer, default=16)
596 The idle timeout, in seconds, for connections through this
597 connector. If no frames are received on the connection for this
598 time interval, the connection shall be closed.
599 stripAnnotations (One of [in, out, both, no], default=both)
601 [in, out, both, no] in: Strip the dispatch router specific
602 annotations only on ingress; out: Strip the dispatch router
603 specific annotations only on egress; both: Strip the dispatch
604 router specific annotations on both ingress and egress; no - do not
605 strip dispatch router specific annotations
606 linkCapacity (integer)
608 The capacity of links within this connection, in terms of message
609 deliveries. The capacity is the number of messages that can be
610 in-flight concurrently for each link.
611 verifyHostname (boolean, default=True)
613 yes: Ensures that when initiating a connection (as a client) the
614 host name in the URL to which this connector connects to matches
615 the host name in the digital certificate that the peer sends back
616 as part of the SSL connection; no: Does not perform host name
617 verification
618 saslUsername (string)
620 The user name that the connector is using to connect to a peer.
621 saslPassword (string)
623 The password that the connector is using to connect to a peer. You
624 can specify the password by specifying an environment variable that
625 stores the password, a file that stores the password, or by
626 entering the password in clear text. To use an environment
627 variable, specify saslPassword: env:<var>. Use this option with
628 caution, because the environment of other processes is visible on
629 certain platforms (for example, ps on certain Unix OSs). To use a
630 file, specify saslPassword: file:<absolute-path-to-file>. This
631 option is the most secure, because permissions can be set on the
632 file that contains the password. To specify the password in clear
633 text, specify saslPassword: pass:<password> or saslPassword:
634 <password>. This option is insecure, so it should only be used if
635 security is not a concern.
636 messageLoggingComponents (string, default=none)
638 A comma separated list that indicates which components of the
639 message should be logged (no spaces allowed between list
640 components). Defaults to none (log nothing). If you want all
641 properties and application properties of the message logged use
642 all. Specific components of the message can be logged by indicating
643 the components via a comma separated list. The components are
644 message-id, user-id, to, subject, reply-to, correlation-id,
645 content-type, content-encoding, absolute-expiry-time,
646 creation-time, group-id, group-sequence, reply-to-group-id,
647 app-properties. The application-data part of the bare message will
648 not be logged. This log message is written to the MESSAGE logging
649 module. In the log entity, set module property to MESSAGE or
650 DEFAULT and enable to trace+ to see this log message
651 policyVhost (string)
653 A connector may optionally define a policy to restrict the remote
654 container to access only specific resources. This attribute defines
655 the name of the policy vhost for this connector. Within the vhost
656 the connector will use the vhost policy settings from user group
657 $connector. If the vhost policy is absent or if the user group
658 $connector within that policy is absent then the connector will
659 fail to start. In policy specified via connector attribute
660 policyVhost the following vhostUserGroupSettings attributes are
661 unused: users, remoteHosts, maxFrameSize, maxSessionWindow,
662 maxSessions.
663 openProperties (properties)
665 A JSON map containing connection properties. These will be sent to
666 the peer on connection open. All map keys are restricted to strings
667 containing only valid ASCII characters, Keys must not start with
668 prefixes qd. or x-opt-qd.. The following key values are also
669 reserved: product, version, failover-server-list, network-host,
670 port, scheme hostname
671 verifyHostName (boolean, default=True)
673 (DEPRECATED) yes: Ensures that when initiating a connection (as a
674 client) the host name in the URL to which this connector connects
675 to matches the host name in the digital certificate that the peer
676 sends back as part of the SSL connection; no: Does not perform host
677 name verification This attribute has been deprecated. Use
678 verifyHostname instead.
679 logMessage (string, default=none)
681 (DEPRECATED) A comma separated list that indicates which components
682 of the message should be logged (no spaces allowed between list
683 components). Defaults to none (log nothing). If you want all
684 properties and application properties of the message logged use
685 all. Specific components of the message can be logged by indicating
686 the components via a comma separated list. The components are
687 message-id, user-id, to, subject, reply-to, correlation-id,
688 content-type, content-encoding, absolute-expiry-time,
689 creation-time, group-id, group-sequence, reply-to-group-id,
690 app-properties. The application-data part of the bare message will
691 not be logged. This log message is written to the MESSAGE logging
692 module. In the log entity, set module property to MESSAGE or
693 DEFAULT and enable to trace+ to see this log message This attribute
694 has been deprecated. Use messageLoggingComponents instead.
695 httpListener
697 Ingress HTTP bridge.
698 host (string, default=0.0.0.0)
700 A host name, IPV4 or IPV6 literal, or the empty string. The empty
701 string listens on all local addresses. A host name listens on all
702 addresses associated with the name. An IPV6 literal address (or
703 wildcard [::]) listens only for IPV6. An IPV4 literal address (or
704 wildcard 0.0.0.0) listens only for IPV4.
705 address (string)
707 Address of this http bridge
708 port (string)
710 Port number or symbolic service name. If 0, the router shall assign
711 an ephemeral port to the listener and log the port number with a
712 log of the form SERVER (notice) Listening on <host>:<assigned-port>
713 (<listener-name>)
714 siteId (string)
716 Used to identify where request is handled.
717 sslProfile (string)
719 Name of the sslProfile..
720 protocolVersion (One of [HTTP1, HTTP2], default=HTTP1)
722 The version of the HTTP protocol supported by this listener.
723 aggregation (One of [multipart, json])
725 Aggregation mode for responses when used in conjunction with
726 multicast address.
727 eventChannel (boolean)
729 Enables restricted event mode where no responses are sent to
730 request and only post is allowed
731 httpConnector
733 Egress HTTP bridge.
734 address (string)
736 Address of this bridge
737 host (string, default=127.0.0.1)
739 IP address: ipv4 or ipv6 literal or a host name
740 siteId (string)
742 Used to identify where request originates.
743 port (string)
745 Port number or symbolic service name.
746 protocolVersion (One of [HTTP1, HTTP2], default=HTTP1)
748 The version of the HTTP protocol supported by this connector.
749 aggregation (One of [multipart, json])
751 Aggregation mode for responses when used in conjunction with
752 multicast address.
753 eventChannel (boolean)
755 Enables restricted event mode where no responses are sent to
756 request and only post is allowed
757 hostOverride (string)
759 Used to override the value of the Host header sent to the client.
760 tcpListener
762 Ingress TCP bridge.
763 address (string)
765 Address of this bridge
766 host (string, default=0.0.0.0)
768 A host name, IPV4 or IPV6 literal, or the empty string. The empty
769 string listens on all local addresses. A host name listens on all
770 addresses associated with the name. An IPV6 literal address (or
771 wildcard [::]) listens only for IPV6. An IPV4 literal address (or
772 wildcard 0.0.0.0) listens only for IPV4.
773 port (string)
775 Port number or symbolic service name. If 0, the router shall assign
776 an ephemeral port to the listener and log the port number with a
777 log of the form SERVER (notice) Listening on <host>:<assigned-port>
778 (<listener-name>)
779 siteId (string)
781 Used to identify where connection is handled.
782 tcpConnector
784 Egress TCP bridge.
785 address (string)
787 Address of this bridge
788 host (string)
790 IP address: ipv4 or ipv6 literal or a host name
791 port (string)
793 Port number or symbolic service name.
794 siteId (string)
796 Used to identify origin of connections.
797 log
799 Configure logging for a particular module. You can use the UPDATE
800 operation to change log settings while the router is running.
801 module (One of [ROUTER, ROUTER_CORE, ROUTER_HELLO, ROUTER_LS,
803 ROUTER_MA, MESSAGE, SERVER, AGENT, AUTHSERVICE, CONTAINER, ERROR,
804 POLICY, HTTP, CONN_MGR, PYTHON, PROTOCOL, TCP_ADAPTOR, HTTP_ADAPTOR,
805 DEFAULT], required)
806 Module to configure. The special module DEFAULT specifies defaults
807 for all modules.
808 enable (string)
810 Levels are: trace, debug, info, notice, warning, error, critical.
811 The enable string is a comma-separated list of levels. A level may
812 have a trailing + to enable that level and above. For example
813 trace,debug,warning+ means enable trace, debug, warning, error and
814 critical. The value none means disable logging for the module.
815 includeTimestamp (boolean)
817 Include timestamp in log messages.
818 includeSource (boolean)
820 Include source file and line number in log messages.
821 outputFile (string)
823 Where to send log messages. Can be stderr, stdout, syslog or a file
824 name.
825 timestamp (boolean)
827 (DEPRECATED) Include timestamp in log messages. This attribute has
828 been deprecated. Use includeTimestamp instead.
829 source (boolean)
831 (DEPRECATED) Include source file and line number in log messages.
832 This attribute has been deprecated. Use includeSource instead.
833 output (string)
835 (DEPRECATED) Where to send log messages. Can be stderr, stdout,
836 syslog or a file name. This attribute has been deprecated. Use
837 outputFile instead.
838 address
840 Entity type for address configuration. This is used to configure the
841 treatment of message-routed deliveries within a particular
842 address-space. The configuration controls distribution and address
843 phasing.
844 prefix (string)
846 The address prefix for the configured settings. Cannot be used with
847 a pattern attribute.
848 pattern (string)
850 A wildcarded pattern for address matching. Incoming addresses are
851 matched against this pattern. Matching addresses use the configured
852 settings. The pattern consists of one or more tokens separated by a
853 forward slash /. A token can be one of the following: a *
854 character, a # character, or a sequence of characters that do not
855 include /, *, or #. The * token matches any single token. The #
856 token matches zero or more tokens. * has higher precedence than #,
857 and exact match has the highest precedence. Cannot be used with a
858 prefix attribute.
859 distribution (One of [multicast, closest, balanced, unavailable],
861 default=balanced)
862 Treatment of traffic associated with the address
863 waypoint (boolean)
865 Designates this address space as being used for waypoints. This
866 will cause the proper address-phasing to be used.
867 ingressPhase (integer)
869 Advanced - Override the ingress phase for this address
870 egressPhase (integer)
872 Advanced - Override the egress phase for this address
873 priority (integer)
875 All messages sent to this address which lack an intrinsic priority
876 will be assigned this priority.
877 enableFallback (boolean)
879 If false, undeliverable messages are released. If true,
880 undeliverable messages shall be re-delivered to a fallback
881 destination. The fallback destination uses the same address, but is
882 attached using an autoLink with fallback enabled or a link with the
883 qd.fallback capability.
884 linkRoute
886 Entity type for link-route configuration. This is used to identify
887 remote containers that shall be destinations for routed link-attaches.
888 The link-routing configuration applies to an addressing space defined
889 by a prefix or a pattern.
890 prefix (string)
892 The address prefix for the configured settings. Cannot be used with
893 the pattern attribute.
894 pattern (string)
896 A wildcarded pattern for address matching. Link addresses are
897 matched against this pattern. Matching addresses use the configured
898 settings. The pattern consists of one or more tokens separated by a
899 forward slash /. A token can be one of the following: a *
900 character, a # character, or a sequence of characters that do not
901 include /, *, or #. The * token matches any single token. The #
902 token matches zero or more tokens. * has higher precedence than #,
903 and exact match has the highest precedence. Cannot be used with the
904 prefix attribute.
905 addExternalPrefix (string)
907 add the specified prefix to the address of the remote terminus on
908 the route container link
909 delExternalPrefix (string)
911 remove the specified prefix to the address of the remote terminus
912 on the route container link
913 containerId (string)
915 ContainerID for the target container. Only one of containerId or
916 connection should be specified for a linkRoute. Specifying both
917 will result in the linkRoute not being created.
918 connection (string)
920 The name from a connector or listener. Only one of containerId or
921 connection should be specified for a linkRoute. Specifying both
922 will result in the linkRoute not being created.
923 distribution (One of [linkBalanced], default=linkBalanced)
925 Treatment of traffic associated with the address
926 direction (One of [in, out], required)
928 The permitted direction of links: in means client senders; out
929 means client receivers
930 dir (One of [in, out], required)
932 (DEPRECATED) The permitted direction of links: in means client
933 senders; out means client receivers This attribute has been
934 deprecated. Use direction instead.
935 autoLink
937 Entity type for configuring auto-links. Auto-links are links whose
938 lifecycle is managed by the router. These are typically used to attach
939 to waypoints on remote containers (brokers, etc.).
940 address (string, required)
942 The address of the provisioned object
943 direction (One of [in, out], required)
945 The direction of the link to be created. In means into the router,
946 out means out of the router.
947 phase (integer)
949 The address phase for this link. Defaults to 0 for out links and 1
950 for in links.
951 containerId (string)
953 ContainerID for the target container. Only one of containerId or
954 connection should be specified for an autoLink. Specifying both
955 will result in the autoLink not being created
956 connection (string)
958 The name from a connector or listener. Only one of containerId or
959 connection should be specified for an autoLink. Specifying both
960 will result in the autoLink not being created
961 externalAddress (string)
963 If present, an alternate address of the node on the remote
964 container. This is used if the node has a different address than
965 the address used internally by the router to route deliveries.
966 fallback (boolean)
968 If true, this auto-link is attached to a fallback destination for
969 an address.
970 addr (string, required)
972 (DEPRECATED) The address of the provisioned object This attribute
973 has been deprecated. Use address instead.
974 dir (One of [in, out], required)
976 (DEPRECATED) The direction of the link to be created. In means into
977 the router, out means out of the router. This attribute has been
978 deprecated. Use direction instead.
979 externalAddr (string)
981 (DEPRECATED) If present, an alternate address of the node on the
982 remote container. This is used if the node has a different address
983 than the address used internally by the router to route deliveries.
984 This attribute has been deprecated. Use externalAddress instead.
985 exchange
987 [EXPERIMENTAL] Defines a topic exchange.
988 address (string, required)
990 The address of the exchange. Used by the message publisher as the
991 target for sending messages.
992 phase (integer)
994 The address phase for the exchange. Defaults to 0.
995 alternateAddress (string)
997 The address to forward the message to if no bindings are matched.
998 alternatePhase (integer)
1000 The address phase for the alternateAddress. Defaults to 0.
1001 matchMethod (One of [amqp, mqtt], default=amqp)
1003 Key matching algorithm used. amqp uses the legacy AMQP topic
1004 exchange wildcard match method as described in the pre-1.0 drafts.
1005 mqtt uses the MQTT topic filter wildcard match method.
1006 binding
1008 [EXPERIMENTAL] Defines a keyed next hop binding for a topic exchange.
1009 The subject field of the messages arriving at the exchange is compared
1010 against the binding’s key value using the exchange’s matchMethod. If
1011 the subject matches the key the message is forwarded to the
1012 nextHopAddress. The nextHopAddress overrides the message’s original
1013 destination.
1014 exchangeName (string, required)
1016 The name of the exchange to bind.
1017 bindingKey (string)
1019 Pattern to compare against incoming message’s subject. The key is a
1020 string of zero or more tokens and wildcards. The format depends on
1021 the matchMethod configured for the exchange. For AMQP each token is
1022 delimited by the . character and wild-card tokens * matches a
1023 single token and
1024 matches zero or more tokens. For MQTT each token is delimited by
1026 the / character and wildcard tokens + matches a single token and
1027 matches zero or more tokens at the end of the topic. If a key is
1029 not provided the binding will match all messages arriving at the
1030 exchange (fanout behavior).
1031 nextHopAddress (string, required)
1033 The address to forward the message to when the message’s topic
1034 string matches the binding key pattern. This address is used by
1035 message consumers as the source of incoming messages.
1036 nextHopPhase (integer)
1038 The address phase used when forwarding messages that match this
1039 binding.
1040 console
1042 (DEPRECATED) Start a websocket/tcp proxy and http file server to serve
1043 the web console
1044 listener (string)
1046 The name of the listener to send the proxied tcp traffic to.
1047 wsport (integer, default=5673)
1049 port on which to listen for websocket traffic
1050 proxy (string, required)
1052 The full path to the proxy program to run.
1053 home (string, required)
1055 The full path to the html/css/js files for the console.
1056 args (string)
1058 Optional args to pass the proxy program for logging,
1059 authentication, etc.
1060 policy
1062 Defines global connection limit
1063 maxConnections (integer, default=65535)
1065 The maximum number of concurrent client connections allowed for
1066 this router. This limit is always enforced, even if no other policy
1067 settings have been defined. The limit is applied to all incoming
1068 connections regardless of remote host, authenticated user, or
1069 targeted vhost.
1070 maxMessageSize (integer)
1072 The maximum size in bytes of AMQP message transfers allowed for
1073 this router as messages enter the router network. This limit is
1074 applied to transfers over user connections and to transfers to
1075 interior routers from edge routers. This limit is not applied to
1076 interior-to-interior router connections. This limit may be
1077 overridden by vhost or by vhost user group settings. A value of
1078 zero disables this limit. Administrators are advised not set
1079 interior router maximum message sizes so low that edge router
1080 management requests or responses are blocked. Administrators are
1081 also advised to set edge router maximum message sizes lower than
1082 the attached interior router maximum message size.
1083 enableVhostPolicy (boolean)
1085 Enables the router to enforce the connection denials and resource
1086 limits defined in the configured vhost policies.
1087 enableVhostNamePatterns (boolean)
1089 Enable vhost name patterns. When false vhost hostnames are treated
1090 as literal strings. When true vhost hostnames are treated as match
1091 patterns.
1092 policyDir (path)
1094 The absolute path to a directory that holds vhost policy definition
1095 files in JSON format (*.json). The router processes all of the
1096 vhost policies in each JSON file that is in this directory.
1097 defaultVhost (string)
1099 The name of the default vhost policy. This policy rule set is
1100 applied to a connection for which a vhost policy has not otherwise
1101 been configured. Processing for the default vhost is enabled by
1102 default and set to select vhost $default. To disable default vhost
1103 processing set defaultVhost to blank or do not define a vhost named
1104 $default.
1105 vhost
1107 AMQP virtual host policy definition of users, user groups, allowed
1108 remote hosts, and AMQP restrictions.
1109 hostname (string, required)
1111 The hostname of the vhost. This vhost policy will be applied to any
1112 client connection that is directed to this hostname.
1113 aliases (string)
1115 Alternate hostnames that share this vhost configuration. Hosts
1116 named in this attribute are treated as if this vhost was defined
1117 with the alias name in the vhost hostname attribute. This attribute
1118 is implemented to help with multitenant configurations where
1119 multiple vhosts share a common configuration. The string is a
1120 comma- or space-separated list of literal hostnames or hostname
1121 patterns. A vhost aliases hostname must be unique across all vhost
1122 hostnames and all of their aliases.
1123 maxConnections (integer, default=65535)
1125 The global maximum number of concurrent client connections allowed
1126 for this vhost.
1127 maxConnectionsPerUser (integer, default=65535)
1129 The maximum number of concurrent client connections allowed for any
1130 user.
1131 maxConnectionsPerHost (integer, default=65535)
1133 The maximum number of concurrent client connections allowed for any
1134 remote host (the host from which the client is connecting).
1135 allowUnknownUser (boolean)
1137 Whether unknown users (users who are not members of a defined user
1138 group) are allowed to connect to the vhost. Unknown users are
1139 assigned to the $default user group and receive $default settings.
1140 groups (map)
1142 A map where the key is a vhost user group name and the value is a
1143 vhostUserGroupSettings object that holds the settings for that
1144 vhost user group.
1145 id (string, required)
1147 (DEPRECATED) The hostname of the vhost. This vhost policy will be
1148 applied to any client connection that is directed to this hostname.
1149 This attribute has been deprecated. Use hostname instead.
1150 vhostUserGroupSettings
1152 Policy settings for users connecting to a vhost. Configuration files
1153 including this section must use .json format.
1154 maxFrameSize (integer, default=16384)
1156 The largest frame, in bytes, that may be sent on this connection.
1157 Non-zero policy values overwrite values specified for a listener
1158 object (AMQP Open, max-frame-size).
1159 maxSessionWindow (integer, default=1638400)
1161 The incoming capacity for new AMQP sessions, measured in octets.
1162 Non-zero policy values overwrite values specified for a listener
1163 object (AMQP Begin, incoming-window).
1164 maxSessions (integer, default=32768)
1166 The maximum number of sessions that may be created on this
1167 connection. Non-zero policy values overwrite values specified for a
1168 listener object (AMQP Open, channel-max).
1169 maxSenders (integer, default=2147483647)
1171 The maximum number of sending links that may be created on this
1172 connection. A value of 0 disables all sender links.
1173 maxReceivers (integer, default=2147483647)
1175 The maximum number of receiving links that may be created on this
1176 connection. A value of 0 disables all receiver links.
1177 allowDynamicSource (boolean)
1179 Whether this connection is allowed to create dynamic receiving
1180 links (links to resources that do not exist on the peer). A value
1181 of true means that users are able to automatically create resources
1182 on the peer system.
1183 allowAnonymousSender (boolean)
1185 Whether this connection is allowed to create sending links if the
1186 sender does not provide a target address. By prohibiting anonymous
1187 senders, the router only needs to verify once, when the link is
1188 created, that the sender is permitted to send messages to the
1189 target address. The router does not need to verify each message
1190 that is sent on the link. A value of true means that users may send
1191 messages to any address. Allowing anonymous senders can also
1192 decrease performance: if the sender does not specify a target
1193 address, then the router must parse each message to determine how
1194 to route it.
1195 allowUserIdProxy (boolean)
1197 Whether this connection is allowed to send messages with a user ID
1198 that is different than the connection’s authenticated user name.
1199 allowWaypointLinks (boolean, default=True)
1201 Whether this connection is allowed to claim waypoint.N capability
1202 for attached links. This allows endpoints to act as waypoints
1203 without needing auto-links.
1204 allowDynamicLinkRoutes (boolean, default=True)
1206 Whether this connection is allowed to dynamically create
1207 connection-scoped link route destinations.
1208 allowAdminStatusUpdate (boolean, default=True)
1210 Whether this connection is allowed to update the admin status of
1211 other connections. Note: Inter-router connections cannot be deleted
1212 at any time.
1213 allowFallbackLinks (boolean, default=True)
1215 Whether this connection is allowed to claim qd.fallback capability
1216 for attached links. This allows endpoints to act as fallback
1217 destinations for addresses that have fallback capability enabled.
1218 sources (string)
1220 targets (string)
1222 sourcePattern (string)
1224 targetPattern (string)
1226
1228 qdrouterd(8), qdmanage(8)
1229 http://qpid.apache.org/components/dispatch-router
1231 09/02/2021 QDROUTERD.CONF(5)