QDROUTERD.CONF(5)                                            QDROUTERD.CONF(5)

NAME
       qdrouterd.conf - configuration file for the dispatch router.

SYNOPSIS
       Provides the initial configuration when qdrouterd(8) starts. The
       configuration of a running router can be modified using qdmanage(8).

DESCRIPTION
       The configuration file is made up of sections with this syntax:

           sectionName {
               attributeName: attributeValue
               attributeName: attributeValue
               ...
           }

       For example, you can define a router using the router section:

           router {
               mode: standalone
               id: Router.A
               ...
           }

       or define a listener using the listener section:

           listener {
               host: 0.0.0.0
               port: 20102
               saslMechanisms: ANONYMOUS
               ...
           }

       or define a connector using the connector section:

           connector {
               role: inter-router
               host: 0.0.0.0
               port: 20003
               saslMechanisms: ANONYMOUS
               ...
           }

       An sslProfile section with SSL credentials can be included in multiple
       listener or connector entities. Here’s an example; note how the
       sslProfile attribute of listener sections references the name attribute
       of sslProfile sections.

           sslProfile {
               name: my-ssl
               caCertFile: ca-certificate-1.pem
               certFile: server-certificate-1.pem
               privateKeyFile: server-private-key.pem
           }

           listener {
               sslProfile: my-ssl
               host: 0.0.0.0
               port: 20102
               saslMechanisms: ANONYMOUS
           }

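       The section syntax above is simple enough to audit mechanically. The
       following Python sketch is an added example, not part of qdrouterd or
       of this manual page: it parses the sections and reports attribute
       values whose documented effect is to relax authentication, encryption
       or secret handling. The sample paths and host names, the yes/true
       spellings, and treating TLSv1 and TLSv1.1 as legacy are assumptions of
       the example.

```python
import re

# Constructed sample: this page's sslProfile/listener example, extended with a
# clear-text key password, a legacy protocol and a connector (values made up).
SAMPLE_CONF = """\
sslProfile {
    name: my-ssl
    caCertFile: ca-certificate-1.pem
    certFile: server-certificate-1.pem
    privateKeyFile: server-private-key.pem
    password: pass:example-only
    protocols: TLSv1.1 TLSv1.2
}
listener {
    sslProfile: my-ssl
    host: 0.0.0.0
    port: 20102
    saslMechanisms: ANONYMOUS
}
connector {
    host: router-b.example.com
    port: 20003
    sslProfile: missing-profile
    verifyHostname: no
    saslPassword: file:/etc/qpid-dispatch/sasl-password
}
"""

SECTION_OPEN = re.compile(r"^([A-Za-z]\w*)\s*\{$")
LEGACY_TLS = {"TLSv1", "TLSv1.1"}  # this example's policy, not a router rule


def parse_conf(text):
    """Return [(sectionName, {attributeName: attributeValue})] in file order."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION_OPEN.match(line)
        if current is None and opened:
            current = (opened.group(1), {})
        elif current is not None and line == "}":
            sections.append(current)
            current = None
        elif current is not None and ":" in line:
            # Split on the first colon: values like file:/path contain colons.
            key, value = line.split(":", 1)
            current[1][key.strip()] = value.strip()
    return sections


def is_true(value, default=False):
    """Assumption: 'yes' and 'true' (any case) are the truthy spellings."""
    return default if value is None else value.lower() in ("yes", "true")


def password_finding(label, attr, value):
    """Classify a password / saslPassword value by the prefix forms on this page."""
    if value.startswith("file:"):
        return None
    if value.startswith("env:"):
        return f"{label}.{attr}: env: form; process environment may be visible"
    return f"{label}.{attr}: clear-text password in the configuration file"


def audit(text):
    """Return a list of findings for relaxed settings documented on this page."""
    sections = parse_conf(text)
    profiles = {a.get("name") for s, a in sections if s == "sslProfile"}
    findings = []
    for name, attrs in sections:
        if name == "sslProfile":
            label = f"sslProfile[{attrs.get('name', '?')}]"
            legacy = LEGACY_TLS & set(attrs.get("protocols", "").split())
            if legacy:
                findings.append(f"{label}.protocols: permits {' '.join(sorted(legacy))}")
            if "password" in attrs:
                findings.append(password_finding(label, "password", attrs["password"]))
            continue
        if name not in ("listener", "connector"):
            continue
        label = f"{name}[{attrs.get('host', '')}:{attrs.get('port', 'amqp')}]"
        ref = attrs.get("sslProfile")
        if ref is not None and ref not in profiles:
            findings.append(f"{label}.sslProfile: no sslProfile named {ref!r}")
        if name == "listener":
            if "ANONYMOUS" in attrs.get("saslMechanisms", "").split():
                findings.append(f"{label}.saslMechanisms: accepts ANONYMOUS")
            if not is_true(attrs.get("authenticatePeer")):
                findings.append(f"{label}.authenticatePeer: peer identity not required")
            if not is_true(attrs.get("requireSsl")):
                findings.append(f"{label}.requireSsl: clients may connect without SSL or TLS")
        else:
            if ref is not None and not is_true(attrs.get("verifyHostname"), default=True):
                findings.append(f"{label}.verifyHostname: host name check disabled")
            if "saslPassword" in attrs:
                findings.append(password_finding(label, "saslPassword", attrs["saslPassword"]))
    return [f for f in findings if f is not None]
```

       Calling audit() on the text of a configuration file returns one line
       per finding; an empty list means none of these checks fired.
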

CONFIGURATION SECTIONS

   router
       Tracks peer routers and computes routes to destinations. This entity is
       mandatory. The router will not start without this entity.

       id (string)
           Router’s unique identity. This field may not contain whitespace or
           control characters. If not specified, a random identity will be
           assigned at startup.

       mode (One of [standalone, interior, edge], default=standalone)
           In standalone mode, the router operates as a single component. It
           does not participate in the routing protocol and therefore will not
           cooperate with other routers. In interior mode, the router operates
           in cooperation with other interior routers in an interconnected
           network. In edge mode, the router can make a connection to an
           interior router and join a network without causing that network to
           recompute paths.

       helloIntervalSeconds (integer, default=1)
           Interval in seconds between HELLO messages sent to neighbor
           routers.

       helloMaxAgeSeconds (integer, default=3)
           Time in seconds after which a neighbor is declared lost if no HELLO
           is received.

       raIntervalSeconds (integer, default=30)
           Interval in seconds between Router-Advertisements sent to all
           routers in a stable network.

       raIntervalFluxSeconds (integer, default=4)
           Interval in seconds between Router-Advertisements sent to all
           routers during topology fluctuations.

       remoteLsMaxAgeSeconds (integer, default=60)
           Time in seconds after which link state is declared stale if no RA
           is received.

       workerThreads (integer, default=4)
           The number of threads that will be created to process message
           traffic and other application work (timers, non-amqp file
           descriptors, etc.).

       debugDumpFile (path)
           The absolute path to the location for the debug dump file. The
           router writes debug-level information to this file if the logger is
           not available.

       saslConfigDir (path)
           Absolute path to the SASL configuration file.

       saslConfigName (string, default=qdrouterd)
           Name of the SASL configuration. This string + .conf is the name of
           the configuration file.

       allowResumableLinkRoute (boolean, default=True)
           Whether links can be routed where timeout is non-zero or
           expiry-policy is not link-detach.

       timestampsInUTC (boolean)
           Use UTC time rather than localtime in logs.

       timestampFormat (string)
           Format string to use for timestamps in logs.

       allowUnsettledMulticast (boolean)
           (DEPRECATED) If true, allow senders to send unsettled deliveries to
           multicast addresses. These deliveries shall be settled by the
           ingress router. If false, unsettled deliveries to multicast
           addresses shall be rejected.

       defaultDistribution (One of [multicast, closest, balanced,
       unavailable], default=balanced)
           Default forwarding treatment for any address without a specified
           treatment. multicast - one copy of each message delivered to all
           subscribers; closest - messages delivered to only the closest
           subscriber; balanced - messages delivered to one subscriber with
           load balanced across subscribers; unavailable - this address is
           unavailable, messages sent and link attaches to the address will be
           rejected.

       metadata (string)
           Optional metadata text to describe or label this router. This text
           does not affect the function of the router, but it can be used by
           external tools (such as the console or orchestration software) to
           control how the router is displayed.

       helloInterval (integer, default=1)
           (DEPRECATED) Interval in seconds between HELLO messages sent to
           neighbor routers. This attribute has been deprecated. Use
           helloIntervalSeconds instead.

       helloMaxAge (integer, default=3)
           (DEPRECATED) Time in seconds after which a neighbor is declared
           lost if no HELLO is received. This attribute has been deprecated.
           Use helloMaxAgeSeconds instead.

       raInterval (integer, default=30)
           (DEPRECATED) Interval in seconds between Router-Advertisements sent
           to all routers in a stable network. This attribute has been
           deprecated. Use raIntervalSeconds instead.

       raIntervalFlux (integer, default=4)
           (DEPRECATED) Interval in seconds between Router-Advertisements sent
           to all routers during topology fluctuations. This attribute has
           been deprecated. Use raIntervalFluxSeconds instead.

       remoteLsMaxAge (integer, default=60)
           (DEPRECATED) Time in seconds after which link state is declared
           stale if no RA is received. This attribute has been deprecated. Use
           remoteLsMaxAgeSeconds instead.

       debugDump (path)
           (DEPRECATED) The absolute path to the location for the debug dump
           file. The router writes debug-level information to this file if the
           logger is not available. This attribute has been deprecated. Use
           debugDumpFile instead.

       saslConfigPath (path)
           (DEPRECATED) Absolute path to the SASL configuration file. This
           attribute has been deprecated. Use saslConfigDir instead.

   sslProfile
       Attributes for setting TLS/SSL configuration for connections.

       ciphers (string)
           Specifies the enabled ciphers so the SSL Ciphers can be hardened.
           In other words, use this field to disable weak ciphers. The ciphers
           are specified in the format understood by the OpenSSL library. For
           example, ciphers can be set to
           ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. The
           full list of allowed ciphers can be viewed using the openssl
           ciphers command.

       protocols (string)
           The TLS protocols that this sslProfile can use. You can specify a
           list of one or more of TLSv1, TLSv1.1, or TLSv1.2. To specify
           multiple protocols, separate the protocols with a space. For
           example, to permit the sslProfile to use TLS v1.1 and TLS v1.2
           only, you would set the value to TLSv1.1 TLSv1.2. If you do not
           specify a value, the sslProfile uses the TLS protocol specified by
           the system-wide configuration.

       caCertFile (path)
           The absolute path to the database that contains the public
           certificates of trusted certificate authorities (CA).

       certFile (path)
           The absolute path to the file containing the PEM-formatted public
           certificate to be used on the local end of any connections using
           this profile.

       privateKeyFile (path)
           The absolute path to the file containing the PEM-formatted private
           key for the above certificate.

       passwordFile (path)
           (DEPRECATED) If the above private key is password protected, this
           is the absolute path to the file containing the password that
           unlocks the certificate key. This file should be permission
           protected to limit access. This has been deprecated. Use the file:
           prefix in the password field to specify the absolute path of the
           file containing the password. If both password and passwordFile are
           provided, the passwordFile is ignored.

       password (string)
           The password that unlocks the certificate key. You can specify the
           password by specifying an environment variable that stores the
           password, a file that stores the password, or by entering the
           password in clear text. To use an environment variable, specify
           password: env:<var>. Use this option with caution, because the
           environment of other processes is visible on certain platforms (for
           example, ps on certain Unix OSs). To use a file, specify password:
           file:<absolute-path-to-file>. This option is the most secure,
           because permissions can be set on the file that contains the
           password. To specify the password in clear text, specify password:
           pass:<password>, or password: literal:<password>, or password:
           <password>. This option is insecure, so it should only be used if
           security is not a concern. If both password and passwordFile are
           provided, the passwordFile is ignored.

       uidFormat (string)
           A list of x509 client certificate fields that will be used to build
           a string that will uniquely identify the client certificate owner.
           For example, a value of cou indicates that the uid will consist of
           c - common name concatenated with o - organization-company name
           concatenated with u - organization unit; or a value of o2 indicates
           that the uid will consist of o (organization name) concatenated
           with 2 (the sha256 fingerprint of the entire certificate). Allowed
           values can be any combination of c (ISO3166 two character country
           code), s (state or province), l (Locality; generally - city),
           o (Organization - Company Name), u (Organization Unit - typically
           certificate type or brand), n (CommonName - typically a user name
           for client certificates), 1 (sha1 certificate fingerprint, as
           displayed in the fingerprints section when looking at a certificate
           with, say, a web browser; it is the hash of the entire
           certificate), 2 (sha256 certificate fingerprint) and 5 (sha512
           certificate fingerprint). The user identifier (uid) that is
           generated based on the uidFormat is a string which has a semi-colon
           as a separator between the components.

       uidNameMappingFile (string)
           The absolute path to the file containing the unique id to display
           name mapping.

       certDb (path)
           (DEPRECATED) The absolute path to the database that contains the
           public certificates of trusted certificate authorities (CA). This
           attribute has been deprecated. Use caCertFile instead.

       keyFile (path)
           (DEPRECATED) The absolute path to the file containing the
           PEM-formatted private key for the above certificate. This attribute
           has been deprecated. Use privateKeyFile instead.

       displayNameFile (string)
           (DEPRECATED) The absolute path to the file containing the unique id
           to display name mapping. This attribute has been deprecated. Use
           uidNameMappingFile instead.

   authServicePlugin
       EXPERIMENTAL. Attributes for setting SASL plugin.

       authService (string)
           (DEPRECATED) Address of a service to delegate authentication to.
           This attribute has been deprecated. Use the host and port
           attributes instead.

       host (string)
           A host name, IPV4 or IPV6 literal, of the service to delegate to.

       port (string, default=amqp)
           Port number of the service delegated host.

       realm (string)
           Value to set for hostname field on sasl-init.

       sslProfile (string)
           Name of the sslProfile to use for the authentication service.

       saslInitHostname (string)
           (DEPRECATED) Value to set for hostname field on sasl-init. This
           attribute has been deprecated. Use realm instead.

       authSslProfile (string)
           (DEPRECATED) Name of the sslProfile to use for the authentication
           service. This attribute has been deprecated. Use sslProfile
           instead.

   listener
       Listens for incoming connections to the router.

       host (string)
           A host name, IPV4 or IPV6 literal, or the empty string. The empty
           string listens on all local addresses. A host name listens on all
           addresses associated with the name. An IPV6 literal address (or
           wildcard [::]) listens only for IPV6. An IPV4 literal address (or
           wildcard 0.0.0.0) listens only for IPV4.

       port (string, default=amqp)
           Port number or symbolic service name. If 0, the router shall assign
           an ephemeral port to the listener and log the port number with a
           log of the form SERVER (notice) Listening on <host>:<assigned-port>
           (<listener-name>).

       socketAddressFamily (One of [IPv4, IPv6])
           [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6: Internet
           Protocol version 6. If not specified, the protocol family will be
           automatically determined from the address.

       role (One of [normal, inter-router, route-container, edge],
       default=normal)
           The role of an established connection. In the normal role, the
           connection is assumed to be used for AMQP clients that are doing
           normal message delivery over the connection. In the inter-router
           role, the connection is assumed to be to another router in the
           network. Inter-router discovery and routing protocols can only be
           used over inter-router connections. route-container role can be
           used for router-container connections, for example, a router-broker
           connection. In the edge role, the connection is assumed to be
           between an edge router and an interior router.

       cost (integer, default=1)
           For the inter-router role only. This value assigns a cost metric to
           the inter-router connection. The default (and minimum) value is
           one. Higher values represent higher costs. The cost is used to
           influence the routing algorithm as it attempts to use the path with
           the lowest total cost from ingress to egress.

       sslProfile (string)
           Name of the sslProfile.

       saslMechanisms (string)
           Space separated list of accepted SASL authentication mechanisms.

       authenticatePeer (boolean)
           yes: Require the peer’s identity to be authenticated; no: Do not
           require any authentication.

       saslPlugin (string)
           EXPERIMENTAL. Name of the SASL plugin configuration section to
           use for this listener (e.g. authServicePlugin).

       requireEncryption (boolean)
           yes: Require the connection to the peer to be encrypted; no: Permit
           non-encrypted communication with the peer.

       requireSsl (boolean)
           yes: Require the use of SSL or TLS on the connection; no: Allow
           clients to connect without SSL or TLS.

       trustedCertsFile (path)
           (DEPRECATED) Use sslProfile caCertFile instead.

       maxFrameSize (integer, default=16384)
           The maximum frame size in octets that will be used in the
           connection-open negotiation with a connected peer. The frame size
           is the largest contiguous set of uninterrupted data that can be
           sent for a message delivery over the connection. Interleaving of
           messages on different links is done at frame granularity. Policy
           settings, if specified, will overwrite this value. Defaults to
           16384.

       maxSessions (integer, default=32768)
           The maximum number of sessions that can be simultaneously active on
           the connection. Setting this value to zero selects the default
           number of sessions. Policy settings, if specified, will overwrite
           this value. Defaults to 32768.

       maxSessionFrames (integer)
           Session incoming window measured in transfer frames for sessions
           created on this connection. This is the number of transfer frames
           that may simultaneously be in flight for all links in the session.
           Setting this value to zero selects the default session window size.
           Policy settings, if specified, will overwrite this value. The
           numerical product of maxFrameSize and maxSessionFrames may not
           exceed 2^31-1. If (maxFrameSize x maxSessionFrames) exceeds 2^31-1
           then maxSessionFrames is reduced to (2^31-1 / maxFrameSize).
           maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited
           window).

       idleTimeoutSeconds (integer, default=16)
           The idle timeout, in seconds, for connections through this
           listener. If no frames are received on the connection for this time
           interval, the connection shall be closed.

       initialHandshakeTimeoutSeconds (integer)
           The timeout, in seconds, for the initial handshake for connections
           coming in through listeners. If the time interval expires before
           the peer sends the AMQP OPEN frame, the connection shall be closed.
           A value of zero (the default) disables this timeout.

       stripAnnotations (One of [in, out, both, no], default=both)
           [in, out, both, no] in: Strip the dispatch router specific
           annotations only on ingress; out: Strip the dispatch router
           specific annotations only on egress; both: Strip the dispatch
           router specific annotations on both ingress and egress; no: Do not
           strip dispatch router specific annotations.

       linkCapacity (integer)
           The capacity of links within this connection, in terms of message
           deliveries. The capacity is the number of messages that can be
           in-flight concurrently for each link.

       multiTenant (boolean)
           If true, apply multi-tenancy to endpoints connected at this
           listener. The address space is defined by the virtual host
           (hostname field in the Open).

       failoverUrls (string)
           A comma-separated list of failover urls to be supplied to connected
           clients. Form: [(amqp|amqps|ws|wss)://]host_or_ip[:port]

       healthz (boolean, default=True)
           Provide a simple HTTP based liveness test (using path /healthz).
           Assumes listener is enabled for http.

       metrics (boolean, default=True)
           Export metrics in prometheus text format for the router (using path
           /metrics). Assumes listener is enabled for http.

       websockets (boolean, default=True)
           For an http enabled listener, determines whether websockets access
           is enabled (true by default).

       http (boolean)
           Accept HTTP connections that can upgrade to AMQP over WebSocket.
           Plain AMQP connections are not accepted on this listener.

       httpRootDir (path)
           Absolute path to a directory from which to serve static HTML files.
           Defaults to the stand-alone console installation directory
           (typically /usr/share/qpid-dispatch/console).

       messageLoggingComponents (string, default=none)
           A comma separated list that indicates which components of the
           message should be logged. Defaults to none (log nothing). If you
           want all properties and application properties of the message
           logged use all. Specific components of the message can be logged by
           indicating the components via a comma separated list. The
           components are message-id, user-id, to, subject, reply-to,
           correlation-id, content-type, content-encoding,
           absolute-expiry-time, creation-time, group-id, group-sequence,
           reply-to-group-id, app-properties. The application-data part of the
           bare message will not be logged. No spaces are allowed.

       policyVhost (string)
           A listener may optionally define a virtual host to index to a
           specific policy to restrict the remote container to access only
           specific resources. This attribute defines the name of the policy
           vhost for this listener. If multi-tenancy is enabled for the
           listener, this vhost will override the peer-supplied vhost for the
           purposes of identifying the desired policy settings for the
           connections.

       openProperties (properties)
           A JSON map containing connection properties. These will be sent to
           the peer on connection open. All map keys are restricted to strings
           containing only valid ASCII characters. Keys must not start with
           the prefixes qd. or x-opt-qd. The following key values are also
           reserved: product, version, failover-server-list, network-host,
           port, scheme, hostname.

       protocolFamily (One of [IPv4, IPv6])
           (DEPRECATED) [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6:
           Internet Protocol version 6. If not specified, the protocol family
           will be automatically determined from the address. This attribute
           has been deprecated. Use socketAddressFamily instead.

       trustedCerts (path)
           (DEPRECATED) Use sslProfile caCertFile instead. This
           attribute has been deprecated. Use trustedCertsFile instead.

       failoverList (string)
           (DEPRECATED) A comma-separated list of failover urls to be supplied
           to connected clients. Form:
           [(amqp|amqps|ws|wss)://]host_or_ip[:port]. This attribute has been
           deprecated. Use failoverUrls instead.

       httpRoot (path)
           (DEPRECATED) Absolute path to a directory from which to serve
           static HTML files. Defaults to the stand-alone console installation
           directory (typically /usr/share/qpid-dispatch/console). This
           attribute has been deprecated. Use httpRootDir instead.

       logMessage (string, default=none)
           (DEPRECATED) A comma separated list that indicates which components
           of the message should be logged. Defaults to none (log nothing). If
           you want all properties and application properties of the message
           logged use all. Specific components of the message can be logged by
           indicating the components via a comma separated list. The
           components are message-id, user-id, to, subject, reply-to,
           correlation-id, content-type, content-encoding,
           absolute-expiry-time, creation-time, group-id, group-sequence,
           reply-to-group-id, app-properties. The application-data part of the
           bare message will not be logged. No spaces are allowed. This
           attribute has been deprecated. Use messageLoggingComponents
           instead.

527   connector
528       Establishes an outgoing connection from the router.
529
530       host (string, default=127.0.0.1)
531           IP address: ipv4 or ipv6 literal or a host name
532
533       port (string, default=amqp)
534           Port number or symbolic service name.
535
536       protocolFamily (One of [IPv4, IPv6])
537           [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6: Internet
538           Protocol version 6. If not specified, the protocol family will be
539           automatically determined from the address.
540
541       role (One of [normal, inter-router, route-container, edge],
542       default=normal)
543           The role of an established connection. In the normal role, the
544           connection is assumed to be used for AMQP clients that are doing
545           normal message delivery over the connection. In the inter-router
546           role, the connection is assumed to be to another router in the
547           network. Inter-router discovery and routing protocols can only be
548           used over inter-router connections. route-container role can be
549           used for router-container connections, for example, a router-broker
550           connection. In the edge role, the connection is assumed to be
551           between and edge router and an interior router.
552
553       cost (integer, default=1)
554           For the inter-router role only. This value assigns a cost metric to
555           the inter-router connection. The default (and minimum) value is
556           one. Higher values represent higher costs. The cost is used to
557           influence the routing algorithm as it attempts to use the path with
558           the lowest total cost from ingress to egress.
559
560       sslProfile (string)
561           Name of the sslProfile.
562
563       saslMechanisms (string)
564           Space separated list of accepted SASL authentication mechanisms.
565
566       allowRedirect (boolean, default=True)
567           Allow the peer to redirect this connection to another address.
568
569       maxFrameSize (integer, default=16384)
570           The maximum frame size in octets that will be used in the
571           connection-open negotiation with a connected peer. The frame size
572           is the largest contiguous set of uninterrupted data that can be
573           sent for a message delivery over the connection. Interleaving of
574           messages on different links is done at frame granularity. Policy
575           settings will not overwrite this value. Defaults to 16384.
576
577       maxSessions (integer, default=32768)
578           The maximum number of sessions that can be simultaneously active on
579           the connection. Setting this value to zero selects the default
580           number of sessions. Policy settings will not overwrite this value.
581           Defaults to 32768.
582
583       maxSessionFrames (integer)
584           Session incoming window measured in transfer frames for sessions
585           created on this connection. This is the number of transfer frames
586           that may simultaneously be in flight for all links in the session.
587           Setting this value to zero selects the default session window size.
588           Policy settings will not overwrite this value. The numerical
589           product of maxFrameSize and maxSessionFrames may not exceed 231-1.
590           If (maxFrameSize x maxSessionFrames) exceeds 231-1 then
591           maxSessionFrames is reduced to (2^31-1 / maxFrameSize).
592           maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited
593           window).
594
595       idleTimeoutSeconds (integer, default=16)
596           The idle timeout, in seconds, for connections through this
597           connector. If no frames are received on the connection for this
598           time interval, the connection shall be closed.
599
600       stripAnnotations (One of [in, out, both, no], default=both)
601           [in, out, both, no] in: Strip the dispatch router specific
602           annotations only on ingress; out: Strip the dispatch router
603           specific annotations only on egress; both: Strip the dispatch
604           router specific annotations on both ingress and egress; no - do not
605           strip dispatch router specific annotations
606
607       linkCapacity (integer)
608           The capacity of links within this connection, in terms of message
609           deliveries. The capacity is the number of messages that can be
610           in-flight concurrently for each link.
611
612       verifyHostname (boolean, default=True)
613           yes: Ensures that when initiating a connection (as a client) the
614           host name in the URL to which this connector connects to matches
615           the host name in the digital certificate that the peer sends back
616           as part of the SSL connection; no: Does not perform host name
617           verification
618
619       saslUsername (string)
620           The user name that the connector is using to connect to a peer.
621
622       saslPassword (string)
623           The password that the connector is using to connect to a peer. You
624           can specify the password by specifying an environment variable that
625           stores the password, a file that stores the password, or by
626           entering the password in clear text. To use an environment
627           variable, specify saslPassword: env:<var>. Use this option with
628           caution, because the environment of other processes is visible on
629           certain platforms (for example, ps on certain Unix OSs). To use a
630           file, specify saslPassword: file:<absolute-path-to-file>. This
631           option is the most secure, because permissions can be set on the
632           file that contains the password. To specify the password in clear
633           text, specify saslPassword: pass:<password> or saslPassword:
634           <password>. This option is insecure, so it should only be used if
635           security is not a concern.
636
637       messageLoggingComponents (string, default=none)
638           A comma separated list that indicates which components of the
639           message should be logged (no spaces allowed between list
640           components). Defaults to none (log nothing). If you want all
641           properties and application properties of the message logged use
642           all. Specific components of the message can be logged by indicating
643           the components via a comma separated list. The components are
644           message-id, user-id, to, subject, reply-to, correlation-id,
645           content-type, content-encoding, absolute-expiry-time,
646           creation-time, group-id, group-sequence, reply-to-group-id,
647           app-properties. The application-data part of the bare message will
648           not be logged. This log message is written to the MESSAGE logging
649           module. In the log entity, set module property to MESSAGE or
650           DEFAULT and enable to trace+ to see this log message.
651
652       policyVhost (string)
653           A connector may optionally define a policy to restrict the remote
654           container to access only specific resources. This attribute defines
655           the name of the policy vhost for this connector. Within the vhost
656           the connector will use the vhost policy settings from user group
657           $connector. If the vhost policy is absent or if the user group
658           $connector within that policy is absent then the connector will
659           fail to start. In policy specified via connector attribute
660           policyVhost the following vhostUserGroupSettings attributes are
661           unused: users, remoteHosts, maxFrameSize, maxSessionWindow,
662           maxSessions.
663
664       openProperties (properties)
665           A JSON map containing connection properties. These will be sent to
666           the peer on connection open. All map keys are restricted to strings
667           containing only valid ASCII characters. Keys must not start with
668           the prefixes "qd." or "x-opt-qd.". The following key values are
669           also reserved: product, version, failover-server-list,
670           network-host, port, scheme, hostname.
671
672       verifyHostName (boolean, default=True)
673           (DEPRECATED) yes: Ensures that when initiating a connection (as a
674           client) the host name in the URL to which this connector connects
675           matches the host name in the digital certificate that the peer
676           sends back as part of the SSL connection; no: Does not perform host
677           name verification. This attribute has been deprecated. Use
678           verifyHostname instead.
679
680       logMessage (string, default=none)
681           (DEPRECATED) A comma separated list that indicates which components
682           of the message should be logged (no spaces allowed between list
683           components). Defaults to none (log nothing). If you want all
684           properties and application properties of the message logged use
685           all. Specific components of the message can be logged by indicating
686           the components via a comma separated list. The components are
687           message-id, user-id, to, subject, reply-to, correlation-id,
688           content-type, content-encoding, absolute-expiry-time,
689           creation-time, group-id, group-sequence, reply-to-group-id,
690           app-properties. The application-data part of the bare message will
691           not be logged. This log message is written to the MESSAGE logging
692           module. In the log entity, set module property to MESSAGE or
693           DEFAULT and enable to trace+ to see this log message. This attribute
694           has been deprecated. Use messageLoggingComponents instead.
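
The saslPassword and verifyHostname descriptions above translate directly into a configuration review. The following is an added example, not part of the original manual page or of the qdrouterd project: a small Python audit of connector sections. The sample configuration, host names, file path and function names are constructed for illustration, and the parser is a simplified reader of the section syntax shown in DESCRIPTION.

```python
import os
import re
import stat

# Constructed sample configuration; host names and the file path are made up.
SAMPLE_CONF = """\
connector {
    name: broker-a
    host: broker-a.example.net
    port: 5671
    saslUsername: router
    saslPassword: pass:constructed-secret
    verifyHostName: no
}
connector {
    name: broker-b
    host: broker-b.example.net
    port: 5671
    saslPassword: file:/etc/qpid-dispatch/constructed-broker-b.pw
}
connector {
    name: broker-c
    host: broker-c.example.net
    port: 5671
    saslPassword: env:BROKER_C_PW
    logMessage: all
}
"""

# Deprecated connector attributes named on this page and their replacements.
DEPRECATED = {"verifyHostName": "verifyHostname",
              "logMessage": "messageLoggingComponents"}


def parse_sections(text):
    """Return [(section, {attribute: value})]; one attribute per line, no nesting."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"(\w+)\s*\{", line)
        if opened:
            current = (opened.group(1), {})
        elif line == "}" and current:
            sections.append(current)
            current = None
        elif current and ":" in line:
            key, value = line.split(":", 1)   # env:VAR / file:/path keep their colon
            current[1][key.strip()] = value.strip()
    return sections


def check_password(value):
    """Classify a saslPassword value; return a finding string or None."""
    if value.startswith("env:"):
        return "read from environment, which other processes may be able to see"
    if value.startswith("file:"):
        path = value[len("file:"):]
        if not os.path.isabs(path):
            return "file: path is not absolute"
        if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            return "password file is accessible to group or others"
        return None
    return "password in clear text in the configuration file"   # pass:<pw> or <pw>


def audit_connectors(text):
    """Return (connector name, attribute, finding) tuples."""
    findings = []
    for kind, attrs in parse_sections(text):
        if kind != "connector":
            continue
        name = attrs.get("name", "<unnamed>")
        if "saslPassword" in attrs:
            problem = check_password(attrs["saslPassword"])
            if problem:
                findings.append((name, "saslPassword", problem))
        for key in ("verifyHostname", "verifyHostName"):
            if attrs.get(key, "yes").lower() in ("no", "false"):
                findings.append((name, key, "peer certificate host name not verified"))
        for old, new in DEPRECATED.items():
            if old in attrs:
                findings.append((name, old, f"deprecated, use {new}"))
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_CONF):
        print(*finding, sep=": ")
```

The permission check on a file: source only runs when the file exists on the machine doing the audit, so run it on the router host itself.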
695
696   log
697       Configure logging for a particular module. You can use the UPDATE
698       operation to change log settings while the router is running.
699
700       module (One of [ROUTER, ROUTER_CORE, ROUTER_HELLO, ROUTER_LS,
701       ROUTER_MA, MESSAGE, SERVER, AGENT, AUTHSERVICE, CONTAINER, ERROR,
702       POLICY, HTTP, CONN_MGR, PYTHON, PROTOCOL, DEFAULT], required)
703           Module to configure. The special module DEFAULT specifies defaults
704           for all modules.
705
706       enable (string)
707           Levels are: trace, debug, info, notice, warning, error, critical.
708           The enable string is a comma-separated list of levels. A level may
709           have a trailing + to enable that level and above. For example
710           trace,debug,warning+ means enable trace, debug, warning, error and
711           critical. The value none means disable logging for the module.
712
713       includeTimestamp (boolean)
714           Include timestamp in log messages.
715
716       includeSource (boolean)
717           Include source file and line number in log messages.
718
719       outputFile (string)
720           Where to send log messages. Can be stderr, stdout, syslog or a file
721           name.
722
723       timestamp (boolean)
724           (DEPRECATED) Include timestamp in log messages. This attribute has
725           been deprecated. Use includeTimestamp instead.
726
727       source (boolean)
728           (DEPRECATED) Include source file and line number in log messages.
729           This attribute has been deprecated. Use includeSource instead.
730
731       output (string)
732           (DEPRECATED) Where to send log messages. Can be stderr, stdout,
733           syslog or a file name. This attribute has been deprecated. Use
734           outputFile instead.
735
736   address
737       Entity type for address configuration. This is used to configure the
738       treatment of message-routed deliveries within a particular
739       address-space. The configuration controls distribution and address
740       phasing.
741
742       prefix (string)
743           The address prefix for the configured settings. Cannot be used with
744           a pattern attribute.
745
746       pattern (string)
747           A wildcarded pattern for address matching. Incoming addresses are
748           matched against this pattern. Matching addresses use the configured
749           settings. The pattern consists of one or more tokens separated by a
750           forward slash /. A token can be one of the following: a *
751           character, a # character, or a sequence of characters that do not
752           include /, *, or #. The * token matches any single token. The #
753           token matches zero or more tokens. * has higher precedence than #,
754           and exact match has the highest precedence. Cannot be used with a
755           prefix attribute.
756
757       distribution (One of [multicast, closest, balanced, unavailable],
758       default=balanced)
759           Treatment of traffic associated with the address
760
761       waypoint (boolean)
762           Designates this address space as being used for waypoints. This
763           will cause the proper address-phasing to be used.
764
765       ingressPhase (integer)
766           Advanced - Override the ingress phase for this address
767
768       egressPhase (integer)
769           Advanced - Override the egress phase for this address
770
771       priority (integer)
772           All messages sent to this address which lack an intrinsic priority
773           will be assigned this priority.
774
775       enableFallback (boolean)
776           If false, undeliverable messages are released. If true,
777           undeliverable messages shall be re-delivered to a fallback
778           destination. The fallback destination uses the same address, but is
779           attached using an autoLink with fallback enabled or a link with the
780           qd.fallback capability.
781
782   linkRoute
783       Entity type for link-route configuration. This is used to identify
784       remote containers that shall be destinations for routed link-attaches.
785       The link-routing configuration applies to an addressing space defined
786       by a prefix or a pattern.
787
788       prefix (string)
789           The address prefix for the configured settings. Cannot be used with
790           the pattern attribute.
791
792       pattern (string)
793           A wildcarded pattern for address matching. Link addresses are
794           matched against this pattern. Matching addresses use the configured
795           settings. The pattern consists of one or more tokens separated by a
796           forward slash /. A token can be one of the following: a *
797           character, a # character, or a sequence of characters that do not
798           include /, *, or #. The * token matches any single token. The #
799           token matches zero or more tokens. * has higher precedence than #,
800           and exact match has the highest precedence. Cannot be used with the
801           prefix attribute.
802
803       addExternalPrefix (string)
804           Add the specified prefix to the address of the remote terminus on
805           the route container link.
806
807       delExternalPrefix (string)
808           Remove the specified prefix from the address of the remote terminus
809           on the route container link.
810
811       containerId (string)
812           ContainerID for the target container. Only one of containerId or
813           connection should be specified for a linkRoute. Specifying both
814           will result in the linkRoute not being created.
815
816       connection (string)
817           The name from a connector or listener. Only one of containerId or
818           connection should be specified for a linkRoute. Specifying both
819           will result in the linkRoute not being created.
820
821       distribution (One of [linkBalanced], default=linkBalanced)
822           Treatment of traffic associated with the address
823
824       direction (One of [in, out], required)
825           The permitted direction of links: in means client senders; out
826           means client receivers
827
828       dir (One of [in, out], required)
829           (DEPRECATED) The permitted direction of links: in means client
830           senders; out means client receivers. This attribute has been
831           deprecated. Use direction instead.
832
833   autoLink
834       Entity type for configuring auto-links. Auto-links are links whose
835       lifecycle is managed by the router. These are typically used to attach
836       to waypoints on remote containers (brokers, etc.).
837
838       address (string, required)
839           The address of the provisioned object
840
841       direction (One of [in, out], required)
842           The direction of the link to be created. In means into the router,
843           out means out of the router.
844
845       phase (integer)
846           The address phase for this link. Defaults to 0 for out links and 1
847           for in links.
848
849       containerId (string)
850           ContainerID for the target container. Only one of containerId or
851           connection should be specified for an autoLink. Specifying both
852           will result in the autoLink not being created
853
854       connection (string)
855           The name from a connector or listener. Only one of containerId or
856           connection should be specified for an autoLink. Specifying both
857           will result in the autoLink not being created
858
859       externalAddress (string)
860           If present, an alternate address of the node on the remote
861           container. This is used if the node has a different address than
862           the address used internally by the router to route deliveries.
863
864       fallback (boolean)
865           If true, this auto-link is attached to a fallback destination for
866           an address.
867
868       addr (string, required)
869           (DEPRECATED) The address of the provisioned object. This attribute
870           has been deprecated. Use address instead.
871
872       dir (One of [in, out], required)
873           (DEPRECATED) The direction of the link to be created. In means into
874           the router, out means out of the router. This attribute has been
875           deprecated. Use direction instead.
876
877       externalAddr (string)
878           (DEPRECATED) If present, an alternate address of the node on the
879           remote container. This is used if the node has a different address
880           than the address used internally by the router to route deliveries.
881           This attribute has been deprecated. Use externalAddress instead.
882
883   exchange
884       [EXPERIMENTAL] Defines a topic exchange.
885
886       address (string, required)
887           The address of the exchange. Used by the message publisher as the
888           target for sending messages.
889
890       phase (integer)
891           The address phase for the exchange. Defaults to 0.
892
893       alternateAddress (string)
894           The address to forward the message to if no bindings are matched.
895
896       alternatePhase (integer)
897           The address phase for the alternateAddress. Defaults to 0.
898
899       matchMethod (One of [amqp, mqtt], default=amqp)
900           Key matching algorithm used.  amqp uses the legacy AMQP topic
901           exchange wildcard match method as described in the pre-1.0 drafts.
902           mqtt uses the MQTT topic filter wildcard match method.
903
904   binding
905       [EXPERIMENTAL] Defines a keyed next hop binding for a topic exchange.
906       The subject field of the messages arriving at the exchange is compared
907       against the binding’s key value using the exchange’s matchMethod. If
908       the subject matches the key the message is forwarded to the
909       nextHopAddress. The nextHopAddress overrides the message’s original
910       destination.
911
912       exchangeName (string, required)
913           The name of the exchange to bind.
914
915       bindingKey (string)
916           Pattern to compare against incoming message’s subject. The key is a
917           string of zero or more tokens and wildcards. The format depends on
918           the matchMethod configured for the exchange. For AMQP each token is
919           delimited by the . character; the wildcard token * matches a
920           single token and # matches zero or more tokens. For MQTT each
921           token is delimited by the / character; the wildcard token +
922           matches a single token and # matches zero or more tokens at the
923           end of the topic. If a key is not provided the binding will match
924           all messages arriving at the exchange (fanout behavior).
928
929       nextHopAddress (string, required)
930           The address to forward the message to when the message’s topic
931           string matches the binding key pattern. This address is used by
932           message consumers as the source of incoming messages.
933
934       nextHopPhase (integer)
935           The address phase used when forwarding messages that match this
936           binding.
937
938   console
939       (DEPRECATED) Start a websocket/tcp proxy and http file server to serve
940       the web console
941
942       listener (string)
943           The name of the listener to send the proxied tcp traffic to.
944
945       wsport (integer, default=5673)
946           Port on which to listen for websocket traffic.
947
948       proxy (string, required)
949           The full path to the proxy program to run.
950
951       home (string, required)
952           The full path to the html/css/js files for the console.
953
954       args (string)
955           Optional args to pass the proxy program for logging,
956           authentication, etc.
957
958   policy
959       Defines global connection limit
960
961       maxConnections (integer, default=65535)
962           The maximum number of concurrent client connections allowed for
963           this router. This limit is always enforced, even if no other policy
964           settings have been defined. The limit is applied to all incoming
965           connections regardless of remote host, authenticated user, or
966           targeted vhost.
967
968       maxMessageSize (integer)
969           The maximum size in bytes of AMQP message transfers allowed for
970           this router as messages enter the router network. This limit is
971           applied to transfers over user connections and to transfers to
972           interior routers from edge routers. This limit is not applied to
973           interior-to-interior router connections. This limit may be
974           overridden by vhost or by vhost user group settings. A value of
975           zero disables this limit. Administrators are advised not to set
976           interior router maximum message sizes so low that edge router
977           management requests or responses are blocked. Administrators are
978           also advised to set edge router maximum message sizes lower than
979           the attached interior router maximum message size.
980
981       enableVhostPolicy (boolean)
982           Enables the router to enforce the connection denials and resource
983           limits defined in the configured vhost policies.
984
985       enableVhostNamePatterns (boolean)
986           Enable vhost name patterns. When false vhost hostnames are treated
987           as literal strings. When true vhost hostnames are treated as match
988           patterns.
989
990       policyDir (path)
991           The absolute path to a directory that holds vhost policy definition
992           files in JSON format (*.json). The router processes all of the
993           vhost policies in each JSON file that is in this directory.
994
995       defaultVhost (string)
996           The name of the default vhost policy. This policy rule set is
997           applied to a connection for which a vhost policy has not otherwise
998           been configured. Processing for the default vhost is enabled by
999           default and set to select vhost $default. To disable default vhost
1000           processing set defaultVhost to blank or do not define a vhost named
1001           $default.
1002
1003   vhost
1004       AMQP virtual host policy definition of users, user groups, allowed
1005       remote hosts, and AMQP restrictions.
1006
1007       hostname (string, required)
1008           The hostname of the vhost. This vhost policy will be applied to any
1009           client connection that is directed to this hostname.
1010
1011       aliases (string)
1012           Alternate hostnames that share this vhost configuration. Hosts
1013           named in this attribute are treated as if this vhost was defined
1014           with the alias name in the vhost hostname attribute. This attribute
1015           is implemented to help with multitenant configurations where
1016           multiple vhosts share a common configuration. The string is a
1017           comma- or space-separated list of literal hostnames or hostname
1018           patterns. A vhost aliases hostname must be unique across all vhost
1019           hostnames and all of their aliases.
1020
1021       maxConnections (integer, default=65535)
1022           The global maximum number of concurrent client connections allowed
1023           for this vhost.
1024
1025       maxConnectionsPerUser (integer, default=65535)
1026           The maximum number of concurrent client connections allowed for any
1027           user.
1028
1029       maxConnectionsPerHost (integer, default=65535)
1030           The maximum number of concurrent client connections allowed for any
1031           remote host (the host from which the client is connecting).
1032
1033       allowUnknownUser (boolean)
1034           Whether unknown users (users who are not members of a defined user
1035           group) are allowed to connect to the vhost. Unknown users are
1036           assigned to the $default user group and receive $default settings.
1037
1038       groups (map)
1039           A map where the key is a vhost user group name and the value is a
1040           vhostUserGroupSettings object that holds the settings for that
1041           vhost user group.
1042
1043       id (string, required)
1044           (DEPRECATED) The hostname of the vhost. This vhost policy will be
1045           applied to any client connection that is directed to this hostname.
1046           This attribute has been deprecated. Use hostname instead.
1047
1048   vhostUserGroupSettings
1049       Policy settings for users connecting to a vhost. Configuration files
1050       including this section must use .json format.
1051
1052       maxFrameSize (integer)
1053           The largest frame, in bytes, that may be sent on this connection.
1054           Non-zero policy values overwrite values specified for a listener
1055           object (AMQP Open, max-frame-size).
1056
1057       maxSessionWindow (integer)
1058           The incoming capacity for new AMQP sessions, measured in octets.
1059           Non-zero policy values overwrite values specified for a listener
1060           object (AMQP Begin, incoming-window).
1061
1062       maxSessions (integer)
1063           The maximum number of sessions that may be created on this
1064           connection. Non-zero policy values overwrite values specified for a
1065           listener object (AMQP Open, channel-max).
1066
1067       maxSenders (integer, default=2147483647)
1068           The maximum number of sending links that may be created on this
1069           connection. A value of 0 disables all sender links.
1070
1071       maxReceivers (integer, default=2147483647)
1072           The maximum number of receiving links that may be created on this
1073           connection. A value of 0 disables all receiver links.
1074
1075       allowDynamicSource (boolean)
1076           Whether this connection is allowed to create dynamic receiving
1077           links (links to resources that do not exist on the peer). A value
1078           of true means that users are able to automatically create resources
1079           on the peer system.
1080
1081       allowAnonymousSender (boolean)
1082           Whether this connection is allowed to create sending links if the
1083           sender does not provide a target address. By prohibiting anonymous
1084           senders, the router only needs to verify once, when the link is
1085           created, that the sender is permitted to send messages to the
1086           target address. The router does not need to verify each message
1087           that is sent on the link. A value of true means that users may send
1088           messages to any address. Allowing anonymous senders can also
1089           decrease performance: if the sender does not specify a target
1090           address, then the router must parse each message to determine how
1091           to route it.
1092
1093       allowUserIdProxy (boolean)
1094           Whether this connection is allowed to send messages with a user ID
1095           that is different than the connection’s authenticated user name.
1096
1097       allowWaypointLinks (boolean, default=True)
1098           Whether this connection is allowed to claim waypoint.N capability
1099           for attached links. This allows endpoints to act as waypoints
1100           without needing auto-links.
1101
1102       allowDynamicLinkRoutes (boolean, default=True)
1103           Whether this connection is allowed to dynamically create
1104           connection-scoped link route destinations.
1105
1106       allowAdminStatusUpdate (boolean, default=True)
1107           Whether this connection is allowed to update the admin status of
1108           other connections. Note: Inter-router connections cannot be deleted
1109           at any time.
1110
1111       allowFallbackLinks (boolean, default=True)
1112           Whether this connection is allowed to claim qd.fallback capability
1113           for attached links. This allows endpoints to act as fallback
1114           destinations for addresses that have fallback capability enabled.
1115
1116       sources (string)
1117           A list of source addresses from which users in this group may
1118           receive messages. To specify multiple addresses, separate the
1119           addresses with either a comma or a space. If you do not specify any
1120           addresses, users in this group are not allowed to receive messages
1121           from any addresses. You can use the substitution token ${user} to
1122           specify an address that contains a user’s authenticated user name.
1123           You can use an asterisk (*) wildcard to match one or more
1124           characters in an address. However, this wildcard is only recognized
1125           if it is the last character in the address name. You may specify
1126           attributes sources or sourcePattern but not both at the same time.
1127
1128       targets (string)
1129           A list of target addresses to which users in this group may send
1130           messages. To specify multiple addresses, separate the addresses
1131           with either a comma or a space. If you do not specify any
1132           addresses, users in this group are not allowed to send messages to
1133           any addresses. You can use the substitution token ${user} to
1134           specify an address that contains a user’s authenticated user name.
1135           You can use an asterisk (*) wildcard to match one or more
1136           characters in an address. However, this wildcard is only recognized
1137           if it is the last character in the address name. You may specify
1138           attributes targets or targetPattern but not both at the same time.
1139
1140       sourcePattern (string)
1141           A wildcarded pattern for matching source addresses from which users
1142           in this group may receive messages. The pattern consists of one or
1143           more tokens separated by a forward slash /. A token can be one of
1144           the following: a * character, a # character, or a sequence of
1145           characters that do not include /, *, or #. The * token matches any
1146           single token. The # token matches zero or more tokens. * has higher
1147           precedence than #, and exact match has the highest precedence. To
1148           specify multiple addresses, separate the addresses with either a
1149           comma or a space. You can use the text string ${user} in a token to
1150           specify an address that contains a user’s authenticated user name.
1151           If you do not specify any addresses, users in this group are not
1152           allowed to receive messages from any addresses. You may specify
1153           attributes sources or sourcePattern but not both at the same time.
1154
1155       targetPattern (string)
1156           A wildcarded pattern for matching target addresses to which users
1157           in this group may send messages. The pattern consists of one or
1158           more tokens separated by a forward slash /. A token can be one of
1159           the following: a * character, a # character, or a sequence of
1160           characters that do not include /, *, or #. The * token matches any
1161           single token. The # token matches zero or more tokens. * has higher
1162           precedence than #, and exact match has the highest precedence. To
1163           specify multiple addresses, separate the addresses with either a
1164           comma or a space. You can use the text string ${user} in a token to
1165           specify an address that contains a user’s authenticated user name.
1166           If you do not specify any addresses, users in this group are not
1167           allowed to send messages to any addresses. You may specify
1168           attributes targets or targetPattern but not both at the same time.
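
The token patterns described for the address and linkRoute pattern attributes, and the sources/targets and sourcePattern/targetPattern rules above, can be checked against concrete addresses before a policy is deployed. The following is an added example, not the router's own code: all function names and the sample settings are constructed, ${user} is substituted per token after splitting (a modelling choice so that a user name cannot act as a wildcard), and precedence is assumed to be compared token by token from the left.

```python
import re

# Pattern tokens are (kind, text): kind is "*", "#" or "lit".
_RANK = {"lit": 0, "*": 1, "#": 2}   # exact match > * > #


def split_list(value):
    """Split a comma- or space-separated attribute value into entries."""
    return [item for item in re.split(r"[,\s]+", value or "") if item]


def compile_pattern(pattern, user=""):
    """Tokenise on '/', then substitute ${user} inside literal tokens only.

    Substituting after the split means a user name such as '*' or 'a/#'
    stays a literal and cannot widen the pattern.
    """
    tokens = []
    for tok in pattern.split("/"):
        if tok in ("*", "#"):
            tokens.append((tok, None))
        else:
            tokens.append(("lit", tok.replace("${user}", user)))
    return tokens


def match_tokens(pattern, addr):
    """'*' consumes exactly one address token, '#' zero or more."""
    if not pattern:
        return not addr
    (kind, text), rest = pattern[0], pattern[1:]
    if kind == "#":
        return any(match_tokens(rest, addr[i:]) for i in range(len(addr) + 1))
    if not addr:
        return False
    if kind == "*" or text == addr[0]:
        return match_tokens(rest, addr[1:])
    return False


def best_pattern(patterns, address):
    """Of the patterns that match, return the most specific one, or None.

    Assumption: precedence is compared token by token from the left.
    """
    addr = address.split("/")
    hits = [p for p in patterns if match_tokens(compile_pattern(p), addr)]
    return min(hits, key=lambda p: [_RANK[k] for k, _ in compile_pattern(p)],
               default=None)


def match_legacy(entry, address, user):
    """sources/targets entry: '*' counts only as the last character and
    stands for one or more characters."""
    wildcard = entry.endswith("*")           # decided before ${user} is filled in
    literal = (entry[:-1] if wildcard else entry).replace("${user}", user)
    if wildcard:
        return address.startswith(literal) and len(address) > len(literal)
    return address == literal


def may_send(settings, user, address):
    """Decide whether `user` may attach a sender to `address`."""
    targets, pattern = settings.get("targets"), settings.get("targetPattern")
    if targets and pattern:
        raise ValueError("specify targets or targetPattern, not both")
    if pattern:
        addr = address.split("/")
        return any(match_tokens(compile_pattern(p, user), addr)
                   for p in split_list(pattern))
    # No entries at all means nothing is allowed.
    return any(match_legacy(e, address, user) for e in split_list(targets))


# Constructed sample settings (not taken from a real policy file).
BY_PATTERN = {"targetPattern": "users/${user}/#, public/*"}
BY_LIST = {"targets": "queue.${user} topic.*"}

if __name__ == "__main__":
    for user, addr in [("alice", "users/alice/inbox"), ("alice", "users/bob/inbox"),
                       ("*", "users/bob/inbox"), ("alice", "public/news/today")]:
        print(user, addr, may_send(BY_PATTERN, user, addr))
    print(best_pattern(["orders/#", "orders/*/eu", "orders/new/eu"], "orders/old/eu"))
```

The same may_send logic applies to sources and sourcePattern by reading those two keys instead.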
1169

SEE ALSO

1171       qdrouterd(8), qdmanage(8)
1172
1173       http://qpid.apache.org/components/dispatch-router
1174
1175
1176
1177                                  03/29/2022                 QDROUTERD.CONF(5)