QDROUTERD.CONF(5)

qdrouterd.conf - configuration file for the dispatch router.

Provides the initial configuration when qdrouterd(8) starts. The
configuration of a running router can be modified using qdmanage(8).

The configuration file is made up of sections with this syntax:

    sectionName {
        attributeName: attributeValue
        attributeName: attributeValue
        ...
    }

For example, you can define a router using the router section

    router {
        mode: standalone
        id: Router.A
        ...
    }

or define a listener using the listener section

    listener {
        host: 0.0.0.0
        port: 20102
        saslMechanisms: ANONYMOUS
        ...
    }

or define a connector using the connector section

    connector {
        role: inter-router
        host: 0.0.0.0
        port: 20003
        saslMechanisms: ANONYMOUS
        ...
    }

An sslProfile section with SSL credentials can be included in multiple
listener or connector entities. Here is an example; note how the
sslProfile attribute of listener sections references the name attribute
of sslProfile sections.

    sslProfile {
        name: my-ssl
        caCertFile: ca-certificate-1.pem
        certFile: server-certificate-1.pem
        privateKeyFile: server-private-key.pem
    }

    listener {
        sslProfile: my-ssl
        host: 0.0.0.0
        port: 20102
        saslMechanisms: ANONYMOUS
    }

router
Tracks peer routers and computes routes to destinations. This entity is
mandatory. The router will not start without this entity.

id (string)
    Router’s unique identity. This field may not contain whitespace or
    control characters. If not specified, a random identity will be
    assigned at startup.

mode (One of [standalone, interior, edge], default=standalone)
    In standalone mode, the router operates as a single component. It
    does not participate in the routing protocol and therefore will not
    cooperate with other routers. In interior mode, the router operates
    in cooperation with other interior routers in an interconnected
    network. In edge mode, the router can make a connection to an
    interior router and join a network without causing that network to
    recompute paths.

helloIntervalSeconds (integer, default=1)
    Interval in seconds between HELLO messages sent to neighbor
    routers.

helloMaxAgeSeconds (integer, default=3)
    Time in seconds after which a neighbor is declared lost if no HELLO
    is received.

raIntervalSeconds (integer, default=30)
    Interval in seconds between Router-Advertisements sent to all
    routers in a stable network.

raIntervalFluxSeconds (integer, default=4)
    Interval in seconds between Router-Advertisements sent to all
    routers during topology fluctuations.

remoteLsMaxAgeSeconds (integer, default=60)
    Time in seconds after which link state is declared stale if no RA
    is received.

workerThreads (integer, default=4)
    The number of threads that will be created to process message
    traffic and other application work (timers, non-amqp file
    descriptors, etc.).

debugDumpFile (path)
    The absolute path to the location for the debug dump file. The
    router writes debug-level information to this file if the logger is
    not available.

saslConfigDir (path)
    Absolute path to the SASL configuration file.

saslConfigName (string, default=qdrouterd)
    Name of the SASL configuration. This string + .conf is the name of
    the configuration file.

allowResumableLinkRoute (boolean, default=True)
    Whether links can be routed where timeout is non-zero or
    expiry-policy is not link-detach.

timestampsInUTC (boolean)
    Use UTC time rather than localtime in logs.

timestampFormat (string)
    Format string to use for timestamps in logs.

allowUnsettledMulticast (boolean)
    (DEPRECATED) If true, allow senders to send unsettled deliveries to
    multicast addresses. These deliveries shall be settled by the
    ingress router. If false, unsettled deliveries to multicast
    addresses shall be rejected.

defaultDistribution (One of [multicast, closest, balanced,
unavailable], default=balanced)
    Default forwarding treatment for any address without a specified
    treatment. multicast - one copy of each message delivered to all
    subscribers; closest - messages delivered to only the closest
    subscriber; balanced - messages delivered to one subscriber with
    load balanced across subscribers; unavailable - this address is
    unavailable, messages sent and link attaches to the address will be
    rejected.

metadata (string)
    Optional metadata text to describe or label this router. This text
    does not affect the function of the router, but it can be used by
    external tools (such as the console or orchestration software) to
    control how the router is displayed.

helloInterval (integer, default=1)
    (DEPRECATED) Interval in seconds between HELLO messages sent to
    neighbor routers. This attribute has been deprecated. Use
    helloIntervalSeconds instead.

helloMaxAge (integer, default=3)
    (DEPRECATED) Time in seconds after which a neighbor is declared
    lost if no HELLO is received. This attribute has been deprecated.
    Use helloMaxAgeSeconds instead.

raInterval (integer, default=30)
    (DEPRECATED) Interval in seconds between Router-Advertisements sent
    to all routers in a stable network. This attribute has been
    deprecated. Use raIntervalSeconds instead.

raIntervalFlux (integer, default=4)
    (DEPRECATED) Interval in seconds between Router-Advertisements sent
    to all routers during topology fluctuations. This attribute has
    been deprecated. Use raIntervalFluxSeconds instead.

remoteLsMaxAge (integer, default=60)
    (DEPRECATED) Time in seconds after which link state is declared
    stale if no RA is received. This attribute has been deprecated. Use
    remoteLsMaxAgeSeconds instead.

debugDump (path)
    (DEPRECATED) The absolute path to the location for the debug dump
    file. The router writes debug-level information to this file if the
    logger is not available. This attribute has been deprecated. Use
    debugDumpFile instead.

saslConfigPath (path)
    (DEPRECATED) Absolute path to the SASL configuration file. This
    attribute has been deprecated. Use saslConfigDir instead.

sslProfile
Attributes for setting TLS/SSL configuration for connections.

ciphers (string)
    Specifies the enabled ciphers so the SSL Ciphers can be hardened.
    In other words, use this field to disable weak ciphers. The ciphers
    are specified in the format understood by the OpenSSL library. For
    example, ciphers can be set to
    ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. The
    full list of allowed ciphers can be viewed using the openssl
    ciphers command.

protocols (string)
    The TLS protocols that this sslProfile can use. You can specify a
    list of one or more of TLSv1, TLSv1.1, or TLSv1.2. To specify
    multiple protocols, separate the protocols with a space. For
    example, to permit the sslProfile to use TLS v1.1 and TLS v1.2
    only, you would set the value to TLSv1.1 TLSv1.2. If you do not
    specify a value, the sslProfile uses the TLS protocol specified by
    the system-wide configuration.

caCertFile (path)
    The absolute path to the database that contains the public
    certificates of trusted certificate authorities (CA).

certFile (path)
    The absolute path to the file containing the PEM-formatted public
    certificate to be used on the local end of any connections using
    this profile.

privateKeyFile (path)
    The absolute path to the file containing the PEM-formatted private
    key for the above certificate.

passwordFile (path)
    (DEPRECATED) If the above private key is password protected, this
    is the absolute path to the file containing the password that
    unlocks the certificate key. This file should be permission
    protected to limit access. This has been deprecated. Use the file:
    prefix in the password field to specify the absolute path of the
    file containing the password. If both password and passwordFile are
    provided, the passwordFile is ignored.

password (string)
    The password that unlocks the certificate key. You can specify the
    password by specifying an environment variable that stores the
    password, a file that stores the password, or by entering the
    password in clear text. To use an environment variable, specify
    password: env:<var>. Use this option with caution, because the
    environment of other processes is visible on certain platforms (for
    example, ps on certain Unix OSs). To use a file, specify password:
    file:<absolute-path-to-file>. This option is the most secure,
    because permissions can be set on the file that contains the
    password. To specify the password in clear text, specify password:
    pass:<password>, or password: literal:<password>, or password:
    <password>. This option is insecure, so it should only be used if
    security is not a concern. If both password and passwordFile are
    provided, the passwordFile is ignored.

uidFormat (string)
    A list of x509 client certificate fields that will be used to build
    a string that will uniquely identify the client certificate owner.
    For example, a value of cou indicates that the uid will consist of
    c - common name concatenated with o - organization-company name
    concatenated with u - organization unit; a value of o2 indicates
    that the uid will consist of o (organization name) concatenated
    with 2 (the sha256 fingerprint of the entire certificate). Allowed
    values can be any combination of c (ISO3166 two character country
    code), s (state or province), l (Locality; generally - city),
    o (Organization - Company Name), u (Organization Unit - typically
    certificate type or brand), n (CommonName - typically a user name
    for client certificates), 1 (sha1 certificate fingerprint: the hash
    of the entire certificate, as displayed in the fingerprints section
    when looking at a certificate with, say, a web browser),
    2 (sha256 certificate fingerprint) and 5 (sha512 certificate
    fingerprint). The user identifier (uid) that is generated based on
    the uidFormat is a string which has a semi-colon as a separator
    between the components.

uidNameMappingFile (string)
    The absolute path to the file containing the unique id to display
    name mapping.

certDb (path)
    (DEPRECATED) The absolute path to the database that contains the
    public certificates of trusted certificate authorities (CA). This
    attribute has been deprecated. Use caCertFile instead.

keyFile (path)
    (DEPRECATED) The absolute path to the file containing the
    PEM-formatted private key for the above certificate. This attribute
    has been deprecated. Use privateKeyFile instead.

displayNameFile (string)
    (DEPRECATED) The absolute path to the file containing the unique id
    to display name mapping. This attribute has been deprecated. Use
    uidNameMappingFile instead.

authServicePlugin
EXPERIMENTAL. Attributes for setting SASL plugin.

authService (string)
    (DEPRECATED) Address of a service to delegate authentication to.
    This attribute has been deprecated. Use the host and port
    attributes instead.

host (string)
    A host name, IPV4 or IPV6 literal, of the service to delegate to.

port (string, default=amqp)
    Port number of the service delegated host.

realm (string)
    Value to set for hostname field on sasl-init.

sslProfile (string)
    Name of the sslProfile to use for the authentication service.

saslInitHostname (string)
    (DEPRECATED) Value to set for hostname field on sasl-init. This
    attribute has been deprecated. Use realm instead.

authSslProfile (string)
    (DEPRECATED) Name of the sslProfile to use for the authentication
    service. This attribute has been deprecated. Use sslProfile
    instead.

listener
Listens for incoming connections to the router.

host (string)
    A host name, IPV4 or IPV6 literal, or the empty string. The empty
    string listens on all local addresses. A host name listens on all
    addresses associated with the name. An IPV6 literal address (or
    wildcard [::]) listens only for IPV6. An IPV4 literal address (or
    wildcard 0.0.0.0) listens only for IPV4.

port (string, default=amqp)
    Port number or symbolic service name. If 0, the router shall assign
    an ephemeral port to the listener and log the port number with a
    log of the form SERVER (notice) Listening on <host>:<assigned-port>
    (<listener-name>)

socketAddressFamily (One of [IPv4, IPv6])
    IPv4: Internet Protocol version 4; IPv6: Internet Protocol
    version 6. If not specified, the protocol family will be
    automatically determined from the address.

role (One of [normal, inter-router, route-container, edge],
default=normal)
    The role of an established connection. In the normal role, the
    connection is assumed to be used for AMQP clients that are doing
    normal message delivery over the connection. In the inter-router
    role, the connection is assumed to be to another router in the
    network. Inter-router discovery and routing protocols can only be
    used over inter-router connections. route-container role can be
    used for router-container connections, for example, a router-broker
    connection. In the edge role, the connection is assumed to be
    between an edge router and an interior router.

cost (integer, default=1)
    For the inter-router role only. This value assigns a cost metric to
    the inter-router connection. The default (and minimum) value is
    one. Higher values represent higher costs. The cost is used to
    influence the routing algorithm as it attempts to use the path with
    the lowest total cost from ingress to egress.

sslProfile (string)
    Name of the sslProfile.

saslMechanisms (string)
    Space separated list of accepted SASL authentication mechanisms.

authenticatePeer (boolean)
    yes: Require the peer’s identity to be authenticated; no: Do not
    require any authentication.

saslPlugin (string)
    EXPERIMENTAL. Name of the SASL plugin configuration section to
    use for this listener (e.g. authServicePlugin).

requireEncryption (boolean)
    yes: Require the connection to the peer to be encrypted; no: Permit
    non-encrypted communication with the peer.

requireSsl (boolean)
    yes: Require the use of SSL or TLS on the connection; no: Allow
    clients to connect without SSL or TLS.

trustedCertsFile (path)
    (DEPRECATED) Use sslProfile caCertFile instead.

maxFrameSize (integer, default=16384)
    The maximum frame size in octets that will be used in the
    connection-open negotiation with a connected peer. The frame size
    is the largest contiguous set of uninterrupted data that can be
    sent for a message delivery over the connection. Interleaving of
    messages on different links is done at frame granularity. Policy
    settings, if specified, will overwrite this value. Defaults to
    16384.

maxSessions (integer, default=32768)
    The maximum number of sessions that can be simultaneously active on
    the connection. Setting this value to zero selects the default
    number of sessions. Policy settings, if specified, will overwrite
    this value. Defaults to 32768.

maxSessionFrames (integer)
    Session incoming window measured in transfer frames for sessions
    created on this connection. This is the number of transfer frames
    that may simultaneously be in flight for all links in the session.
    Setting this value to zero selects the default session window size.
    Policy settings, if specified, will overwrite this value. The
    numerical product of maxFrameSize and maxSessionFrames may not
    exceed 2^31-1. If (maxFrameSize x maxSessionFrames) exceeds 2^31-1
    then maxSessionFrames is reduced to (2^31-1 / maxFrameSize).
    maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited
    window).

idleTimeoutSeconds (integer, default=16)
    The idle timeout, in seconds, for connections through this
    listener. If no frames are received on the connection for this time
    interval, the connection shall be closed.

initialHandshakeTimeoutSeconds (integer)
    The timeout, in seconds, for the initial handshake for connections
    coming in through listeners. If the time interval expires before
    the peer sends the AMQP OPEN frame, the connection shall be closed.
    A value of zero (the default) disables this timeout.

stripAnnotations (One of [in, out, both, no], default=both)
    in: Strip the dispatch router specific annotations only on
    ingress; out: Strip the dispatch router specific annotations only
    on egress; both: Strip the dispatch router specific annotations on
    both ingress and egress; no: Do not strip dispatch router specific
    annotations.

linkCapacity (integer)
    The capacity of links within this connection, in terms of message
    deliveries. The capacity is the number of messages that can be
    in-flight concurrently for each link.

multiTenant (boolean)
    If true, apply multi-tenancy to endpoints connected at this
    listener. The address space is defined by the virtual host
    (hostname field in the Open).

failoverUrls (string)
    A comma-separated list of failover urls to be supplied to connected
    clients. Form: [(amqp|amqps|ws|wss)://]host_or_ip[:port]

healthz (boolean, default=True)
    Provide a simple HTTP based liveness test (using path /healthz).
    Assumes listener is enabled for http.

metrics (boolean, default=True)
    Export metrics in prometheus text format for the router (using path
    /metrics). Assumes listener is enabled for http.

websockets (boolean, default=True)
    For an http enabled listener, determines whether websockets access
    is enabled (true by default).

http (boolean)
    Accept HTTP connections that can upgrade to AMQP over WebSocket.
    Plain AMQP connections are not accepted on this listener.

httpRootDir (path)
    Absolute path to a directory from which to serve static HTML files.
    Defaults to the stand-alone console installation directory
    (typically /usr/share/qpid-dispatch/console).

messageLoggingComponents (string, default=none)
    A comma separated list that indicates which components of the
    message should be logged. Defaults to none (log nothing). If you
    want all properties and application properties of the message
    logged use all. Specific components of the message can be logged by
    indicating the components via a comma separated list. The
    components are message-id, user-id, to, subject, reply-to,
    correlation-id, content-type, content-encoding,
    absolute-expiry-time, creation-time, group-id, group-sequence,
    reply-to-group-id, app-properties. The application-data part of the
    bare message will not be logged. No spaces are allowed.

policyVhost (string)
    A listener may optionally define a virtual host to index to a
    specific policy to restrict the remote container to access only
    specific resources. This attribute defines the name of the policy
    vhost for this listener. If multi-tenancy is enabled for the
    listener, this vhost will override the peer-supplied vhost for the
    purposes of identifying the desired policy settings for the
    connections.

openProperties (properties)
    A JSON map containing connection properties. These will be sent to
    the peer on connection open. All map keys are restricted to strings
    containing only valid ASCII characters. Keys must not start with
    prefixes qd. or x-opt-qd.. The following key values are also
    reserved: product, version, failover-server-list, network-host,
    port, scheme, hostname.

protocolFamily (One of [IPv4, IPv6])
    (DEPRECATED) IPv4: Internet Protocol version 4; IPv6: Internet
    Protocol version 6. If not specified, the protocol family will be
    automatically determined from the address. This attribute has been
    deprecated. Use socketAddressFamily instead.

trustedCerts (path)
    (DEPRECATED) Use sslProfile caCertFile instead. This attribute has
    been deprecated. Use trustedCertsFile instead.

failoverList (string)
    (DEPRECATED) A comma-separated list of failover urls to be supplied
    to connected clients. Form:
    [(amqp|amqps|ws|wss)://]host_or_ip[:port] This attribute has been
    deprecated. Use failoverUrls instead.

httpRoot (path)
    (DEPRECATED) Absolute path to a directory from which to serve
    static HTML files. Defaults to the stand-alone console installation
    directory (typically /usr/share/qpid-dispatch/console). This
    attribute has been deprecated. Use httpRootDir instead.

logMessage (string, default=none)
    (DEPRECATED) A comma separated list that indicates which components
    of the message should be logged. Defaults to none (log nothing). If
    you want all properties and application properties of the message
    logged use all. Specific components of the message can be logged by
    indicating the components via a comma separated list. The
    components are message-id, user-id, to, subject, reply-to,
    correlation-id, content-type, content-encoding,
    absolute-expiry-time, creation-time, group-id, group-sequence,
    reply-to-group-id, app-properties. The application-data part of the
    bare message will not be logged. No spaces are allowed. This
    attribute has been deprecated. Use messageLoggingComponents
    instead.

connector
Establishes an outgoing connection from the router.

host (string, default=127.0.0.1)
    IP address: ipv4 or ipv6 literal or a host name.

port (string, default=amqp)
    Port number or symbolic service name.

protocolFamily (One of [IPv4, IPv6])
    IPv4: Internet Protocol version 4; IPv6: Internet Protocol
    version 6. If not specified, the protocol family will be
    automatically determined from the address.

role (One of [normal, inter-router, route-container, edge],
default=normal)
    The role of an established connection. In the normal role, the
    connection is assumed to be used for AMQP clients that are doing
    normal message delivery over the connection. In the inter-router
    role, the connection is assumed to be to another router in the
    network. Inter-router discovery and routing protocols can only be
    used over inter-router connections. route-container role can be
    used for router-container connections, for example, a router-broker
    connection. In the edge role, the connection is assumed to be
    between an edge router and an interior router.

cost (integer, default=1)
    For the inter-router role only. This value assigns a cost metric to
    the inter-router connection. The default (and minimum) value is
    one. Higher values represent higher costs. The cost is used to
    influence the routing algorithm as it attempts to use the path with
    the lowest total cost from ingress to egress.

sslProfile (string)
    Name of the sslProfile.

saslMechanisms (string)
    Space separated list of accepted SASL authentication mechanisms.

allowRedirect (boolean, default=True)
    Allow the peer to redirect this connection to another address.

maxFrameSize (integer, default=16384)
    The maximum frame size in octets that will be used in the
    connection-open negotiation with a connected peer. The frame size
    is the largest contiguous set of uninterrupted data that can be
    sent for a message delivery over the connection. Interleaving of
    messages on different links is done at frame granularity. Policy
    settings will not overwrite this value. Defaults to 16384.

maxSessions (integer, default=32768)
    The maximum number of sessions that can be simultaneously active on
    the connection. Setting this value to zero selects the default
    number of sessions. Policy settings will not overwrite this value.
    Defaults to 32768.

maxSessionFrames (integer)
    Session incoming window measured in transfer frames for sessions
    created on this connection. This is the number of transfer frames
    that may simultaneously be in flight for all links in the session.
    Setting this value to zero selects the default session window size.
    Policy settings will not overwrite this value. The numerical
    product of maxFrameSize and maxSessionFrames may not exceed 2^31-1.
    If (maxFrameSize x maxSessionFrames) exceeds 2^31-1 then
    maxSessionFrames is reduced to (2^31-1 / maxFrameSize).
    maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited
    window).

idleTimeoutSeconds (integer, default=16)
    The idle timeout, in seconds, for connections through this
    connector. If no frames are received on the connection for this
    time interval, the connection shall be closed.

stripAnnotations (One of [in, out, both, no], default=both)
    in: Strip the dispatch router specific annotations only on
    ingress; out: Strip the dispatch router specific annotations only
    on egress; both: Strip the dispatch router specific annotations on
    both ingress and egress; no: Do not strip dispatch router specific
    annotations.

linkCapacity (integer)
    The capacity of links within this connection, in terms of message
    deliveries. The capacity is the number of messages that can be
    in-flight concurrently for each link.

verifyHostname (boolean, default=True)
    yes: Ensures that when initiating a connection (as a client) the
    host name in the URL to which this connector connects matches
    the host name in the digital certificate that the peer sends back
    as part of the SSL connection; no: Does not perform host name
    verification.

saslUsername (string)
    The user name that the connector is using to connect to a peer.

saslPassword (string)
    The password that the connector is using to connect to a peer. You
    can specify the password by specifying an environment variable that
    stores the password, a file that stores the password, or by
    entering the password in clear text. To use an environment
    variable, specify saslPassword: env:<var>. Use this option with
    caution, because the environment of other processes is visible on
    certain platforms (for example, ps on certain Unix OSs). To use a
    file, specify saslPassword: file:<absolute-path-to-file>. This
    option is the most secure, because permissions can be set on the
    file that contains the password. To specify the password in clear
    text, specify saslPassword: pass:<password> or saslPassword:
    <password>. This option is insecure, so it should only be used if
    security is not a concern.

messageLoggingComponents (string, default=none)
    A comma separated list that indicates which components of the
    message should be logged (no spaces allowed between list
    components). Defaults to none (log nothing). If you want all
    properties and application properties of the message logged use
    all. Specific components of the message can be logged by indicating
    the components via a comma separated list. The components are
    message-id, user-id, to, subject, reply-to, correlation-id,
    content-type, content-encoding, absolute-expiry-time,
    creation-time, group-id, group-sequence, reply-to-group-id,
    app-properties. The application-data part of the bare message will
    not be logged. This log message is written to the MESSAGE logging
    module. In the log entity, set module property to MESSAGE or
    DEFAULT and enable to trace+ to see this log message.

policyVhost (string)
    A connector may optionally define a policy to restrict the remote
    container to access only specific resources. This attribute defines
    the name of the policy vhost for this connector. Within the vhost
    the connector will use the vhost policy settings from user group
    $connector. If the vhost policy is absent or if the user group
    $connector within that policy is absent then the connector will
    fail to start. In policy specified via connector attribute
    policyVhost the following vhostUserGroupSettings attributes are
    unused: users, remoteHosts, maxFrameSize, maxSessionWindow,
    maxSessions.

openProperties (properties)
    A JSON map containing connection properties. These will be sent to
    the peer on connection open. All map keys are restricted to strings
    containing only valid ASCII characters. Keys must not start with
    prefixes qd. or x-opt-qd.. The following key values are also
    reserved: product, version, failover-server-list, network-host,
    port, scheme, hostname.

verifyHostName (boolean, default=True)
    (DEPRECATED) yes: Ensures that when initiating a connection (as a
    client) the host name in the URL to which this connector connects
    matches the host name in the digital certificate that the peer
    sends back as part of the SSL connection; no: Does not perform host
    name verification. This attribute has been deprecated. Use
    verifyHostname instead.

logMessage (string, default=none)
    (DEPRECATED) A comma separated list that indicates which components
    of the message should be logged (no spaces allowed between list
    components). Defaults to none (log nothing). If you want all
    properties and application properties of the message logged use
    all. Specific components of the message can be logged by indicating
    the components via a comma separated list. The components are
    message-id, user-id, to, subject, reply-to, correlation-id,
    content-type, content-encoding, absolute-expiry-time,
    creation-time, group-id, group-sequence, reply-to-group-id,
    app-properties. The application-data part of the bare message will
    not be logged. This log message is written to the MESSAGE logging
    module. In the log entity, set module property to MESSAGE or
    DEFAULT and enable to trace+ to see this log message. This attribute
    has been deprecated. Use messageLoggingComponents instead.

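The sslProfile, listener and connector attributes above can be checked mechanically before a router is started. The following is an added example, not part of qdrouterd or its tooling: a small parser for the section syntax plus an audit of the password forms, TLS protocol list, SASL mechanisms and peer-verification attributes. The sample configuration, file paths and host names are constructed, the choice of checks is the editor's, and treating lines that start with # as comments is an assumption.

```python
import re

# Constructed sample in the section syntax this page describes (not a real deployment).
SAMPLE_CONF = """
sslProfile {
    name: my-ssl
    caCertFile: /etc/qdrouterd/ca-certificate-1.pem
    certFile: /etc/qdrouterd/server-certificate-1.pem
    privateKeyFile: /etc/qdrouterd/server-private-key.pem
    password: pass:changeit
    protocols: TLSv1 TLSv1.2
}
listener {
    sslProfile: my-ssl
    host: 0.0.0.0
    port: 20102
    saslMechanisms: ANONYMOUS
}
connector {
    role: inter-router
    host: router-b.example.com
    port: 20003
    sslProfile: missing-profile
    verifyHostname: no
    saslPassword: file:/etc/qdrouterd/sasl-password
}
"""

SECTION_RE = re.compile(r"^(\w+)\s*\{$")
YES = {"yes", "true"}
OLD_TLS = {"TLSv1", "TLSv1.1"}  # TLS 1.0 and 1.1 are deprecated by RFC 8996


def parse_conf(text):
    """Parse 'sectionName { attributeName: attributeValue ... }' blocks."""
    sections, attrs = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comment lines: an assumption
            continue
        header = SECTION_RE.match(line)
        if header:
            attrs = {}
            sections.append((header.group(1), attrs))
        elif line == "}":
            attrs = None
        elif attrs is not None and ":" in line:
            # Split on the first colon only, so 'file:/path' values stay intact.
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return sections


def check_password(where, attr, attrs, findings):
    """Classify a password value by the env:, file: and clear-text forms."""
    value = attrs.get(attr)
    if value is None or value.startswith("file:"):
        return
    if value.startswith("env:"):
        findings.append(f"{where}: {attr} comes from the environment")
    else:  # pass:, literal: or a bare value
        findings.append(f"{where}: {attr} is stored in clear text")


def audit(sections):
    """Return a list of findings for weak or missing security settings."""
    findings = []
    profiles = {a.get("name"): a for kind, a in sections if kind == "sslProfile"}
    for name, prof in profiles.items():
        where = f"sslProfile {name}"
        check_password(where, "password", prof, findings)
        for proto in prof.get("protocols", "").split():
            if proto in OLD_TLS:
                findings.append(f"{where}: protocols permits {proto}")
    for kind, a in sections:
        if kind not in ("listener", "connector"):
            continue
        where = f"{kind} {a.get('host', '')}:{a.get('port', 'amqp')}"
        ref = a.get("sslProfile")
        if ref is None:
            findings.append(f"{where}: no sslProfile, so TLS is not configured")
        elif ref not in profiles:
            findings.append(f"{where}: sslProfile {ref} is not defined")
        if "ANONYMOUS" in a.get("saslMechanisms", "").split():
            findings.append(f"{where}: saslMechanisms includes ANONYMOUS")
        if kind == "listener":
            for attr in ("authenticatePeer", "requireEncryption", "requireSsl"):
                if a.get(attr, "no").lower() not in YES:
                    findings.append(f"{where}: {attr} is not set to yes")
        else:
            if a.get("verifyHostname", "yes").lower() not in YES:
                findings.append(f"{where}: verifyHostname is disabled")
            check_password(where, "saslPassword", a, findings)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print(finding)
```
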
log
Configure logging for a particular module. You can use the UPDATE
operation to change log settings while the router is running.

module (One of [ROUTER, ROUTER_CORE, ROUTER_HELLO, ROUTER_LS,
ROUTER_MA, MESSAGE, SERVER, AGENT, AUTHSERVICE, CONTAINER, ERROR,
POLICY, HTTP, CONN_MGR, PYTHON, PROTOCOL, DEFAULT], required)
    Module to configure. The special module DEFAULT specifies defaults
    for all modules.

enable (string)
    Levels are: trace, debug, info, notice, warning, error, critical.
    The enable string is a comma-separated list of levels. A level may
    have a trailing + to enable that level and above. For example
    trace,debug,warning+ means enable trace, debug, warning, error and
    critical. The value none means disable logging for the module.

includeTimestamp (boolean)
    Include timestamp in log messages.

includeSource (boolean)
    Include source file and line number in log messages.

outputFile (string)
    Where to send log messages. Can be stderr, stdout, syslog or a file
    name.

timestamp (boolean)
    (DEPRECATED) Include timestamp in log messages. This attribute has
    been deprecated. Use includeTimestamp instead.

source (boolean)
    (DEPRECATED) Include source file and line number in log messages.
    This attribute has been deprecated. Use includeSource instead.

output (string)
    (DEPRECATED) Where to send log messages. Can be stderr, stdout,
    syslog or a file name. This attribute has been deprecated. Use
    outputFile instead.

736 address
737 Entity type for address configuration. This is used to configure the
738 treatment of message-routed deliveries within a particular
739 address-space. The configuration controls distribution and address
740 phasing.
741
742 prefix (string)
743 The address prefix for the configured settings. Cannot be used with
744 a pattern attribute.
745
746 pattern (string)
747 A wildcarded pattern for address matching. Incoming addresses are
748 matched against this pattern. Matching addresses use the configured
749 settings. The pattern consists of one or more tokens separated by a
750 forward slash /. A token can be one of the following: a *
751 character, a # character, or a sequence of characters that do not
752 include /, *, or #. The * token matches any single token. The #
753 token matches zero or more tokens. * has higher precedence than #,
754 and exact match has the highest precedence. Cannot be used with a
755 prefix attribute.
756
757 distribution (One of [multicast, closest, balanced, unavailable],
758 default=balanced)
759 Treatment of traffic associated with the address
760
761 waypoint (boolean)
762 Designates this address space as being used for waypoints. This
763 will cause the proper address-phasing to be used.
764
765 ingressPhase (integer)
766 Advanced - Override the ingress phase for this address
767
768 egressPhase (integer)
769 Advanced - Override the egress phase for this address
770
771 priority (integer)
772 All messages sent to this address which lack an intrinsic priority
773 will be assigned this priority.
774
775 enableFallback (boolean)
776 If false, undeliverable messages are released. If true,
777 undeliverable messages shall be re-delivered to a fallback
778 destination. The fallback destination uses the same address, but is
779 attached using an autoLink with fallback enabled or a link with the
780 qd.fallback capability.
781
782 linkRoute
783 Entity type for link-route configuration. This is used to identify
784 remote containers that shall be destinations for routed link-attaches.
785 The link-routing configuration applies to an addressing space defined
786 by a prefix or a pattern.
787
788 prefix (string)
789 The address prefix for the configured settings. Cannot be used with
790 the pattern attribute.
791
792 pattern (string)
793 A wildcarded pattern for address matching. Link addresses are
794 matched against this pattern. Matching addresses use the configured
795 settings. The pattern consists of one or more tokens separated by a
796 forward slash /. A token can be one of the following: a *
797 character, a # character, or a sequence of characters that do not
798 include /, *, or #. The * token matches any single token. The #
799 token matches zero or more tokens. * has higher precedence than #,
800 and exact match has the highest precedence. Cannot be used with the
801 prefix attribute.
802
803 addExternalPrefix (string)
804 Add the specified prefix to the address of the remote terminus on
805 the route container link.
806
807 delExternalPrefix (string)
808 Remove the specified prefix from the address of the remote
809 terminus on the route container link.
810
811 containerId (string)
812 ContainerID for the target container. Only one of containerId or
813 connection should be specified for a linkRoute. Specifying both
814 will result in the linkRoute not being created.
815
816 connection (string)
817 The name from a connector or listener. Only one of containerId or
818 connection should be specified for a linkRoute. Specifying both
819 will result in the linkRoute not being created.
820
821 distribution (One of [linkBalanced], default=linkBalanced)
822 Treatment of traffic associated with the address
823
824 direction (One of [in, out], required)
825 The permitted direction of links: in means client senders; out
826 means client receivers
827
828 dir (One of [in, out], required)
829 (DEPRECATED) The permitted direction of links: in means client
830 senders; out means client receivers. This attribute has been
831 deprecated. Use direction instead.
832
833 autoLink
834 Entity type for configuring auto-links. Auto-links are links whose
835 lifecycle is managed by the router. These are typically used to attach
836 to waypoints on remote containers (brokers, etc.).
837
838 address (string, required)
839 The address of the provisioned object
840
841 direction (One of [in, out], required)
842 The direction of the link to be created. In means into the router,
843 out means out of the router.
844
845 phase (integer)
846 The address phase for this link. Defaults to 0 for out links and 1
847 for in links.
848
849 containerId (string)
850 ContainerID for the target container. Only one of containerId or
851 connection should be specified for an autoLink. Specifying both
852 will result in the autoLink not being created.
853
854 connection (string)
855 The name from a connector or listener. Only one of containerId or
856 connection should be specified for an autoLink. Specifying both
857 will result in the autoLink not being created.
858
859 externalAddress (string)
860 If present, an alternate address of the node on the remote
861 container. This is used if the node has a different address than
862 the address used internally by the router to route deliveries.
863
864 fallback (boolean)
865 If true, this auto-link is attached to a fallback destination for
866 an address.
867
868 addr (string, required)
869 (DEPRECATED) The address of the provisioned object. This attribute
870 has been deprecated. Use address instead.
871
872 dir (One of [in, out], required)
873 (DEPRECATED) The direction of the link to be created. In means into
874 the router, out means out of the router. This attribute has been
875 deprecated. Use direction instead.
876
877 externalAddr (string)
878 (DEPRECATED) If present, an alternate address of the node on the
879 remote container. This is used if the node has a different address
880 than the address used internally by the router to route deliveries.
881 This attribute has been deprecated. Use externalAddress instead.
882
883 exchange
884 [EXPERIMENTAL] Defines a topic exchange.
885
886 address (string, required)
887 The address of the exchange. Used by the message publisher as the
888 target for sending messages.
889
890 phase (integer)
891 The address phase for the exchange. Defaults to 0.
892
893 alternateAddress (string)
894 The address to forward the message to if no bindings are matched.
895
896 alternatePhase (integer)
897 The address phase for the alternateAddress. Defaults to 0.
898
899 matchMethod (One of [amqp, mqtt], default=amqp)
900 Key matching algorithm used. amqp uses the legacy AMQP topic
901 exchange wildcard match method as described in the pre-1.0 drafts.
902 mqtt uses the MQTT topic filter wildcard match method.
903
904 binding
905 [EXPERIMENTAL] Defines a keyed next hop binding for a topic exchange.
906 The subject field of the messages arriving at the exchange is compared
907 against the binding’s key value using the exchange’s matchMethod. If
908 the subject matches the key the message is forwarded to the
909 nextHopAddress. The nextHopAddress overrides the message’s original
910 destination.
911
912 exchangeName (string, required)
913 The name of the exchange to bind.
914
915 bindingKey (string)
916 Pattern to compare against incoming message’s subject. The key is a
917 string of zero or more tokens and wildcards. The format depends on
918 the matchMethod configured for the exchange. For AMQP each token is
919 delimited by the . character and the wildcard token * matches a
920 single token and # matches zero or more tokens. For MQTT each
921 token is delimited by the / character and the wildcard token +
922 matches a single token and # matches zero or more tokens at the
923 end of the topic. If a key is not provided the binding will match
924 all messages arriving at the exchange (fanout behavior).
928
929 nextHopAddress (string, required)
930 The address to forward the message to when the message’s topic
931 string matches the binding key pattern. This address is used by
932 message consumers as the source of incoming messages.
933
934 nextHopPhase (integer)
935 The address phase used when forwarding messages that match this
936 binding.
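
The token rules given for address and linkRoute patterns and for binding keys can be exercised with a small matcher. This is an added example, not code from the router: select_pattern ranks tokens left to right, which is an assumption about how the stated precedence is applied, and the exchange, bindings and addresses are constructed samples.

```python
# (separator, single-token wildcard, multi-token wildcard) as described above.
SYNTAX = {
    "address": ("/", "*", "#"),  # address / linkRoute "pattern"
    "amqp": (".", "*", "#"),     # exchange matchMethod: amqp
    "mqtt": ("/", "+", "#"),     # exchange matchMethod: mqtt
}


def _match(pat, toks, one, many):
    """Match a list of pattern tokens against a list of value tokens."""
    if not pat:
        return not toks
    head, rest = pat[0], pat[1:]
    if head == many:  # zero or more tokens: try every split point
        return any(_match(rest, toks[i:], one, many)
                   for i in range(len(toks) + 1))
    if not toks:
        return False
    return (head == one or head == toks[0]) and _match(rest, toks[1:], one, many)


def matches(pattern, value, syntax="address"):
    """True if value matches pattern under the named syntax."""
    sep, one, many = SYNTAX[syntax]
    pat = pattern.split(sep)
    if syntax == "mqtt" and many in pat[:-1]:
        raise ValueError("mqtt: # is only valid as the last token")
    return _match(pat, value.split(sep), one, many)


def select_pattern(patterns, address):
    """Pick the pattern whose settings apply: exact token, then *, then #.

    Ranking token by token, left to right, is an assumption of this
    example; the page only states the precedence order.
    """
    def rank(p):
        return [2 if t == "#" else 1 if t == "*" else 0 for t in p.split("/")]
    hits = [p for p in patterns if matches(p, address)]
    return min(hits, key=rank) if hits else None


def route(exchange, bindings, subject):
    """Return the next-hop addresses for a message subject."""
    method = exchange.get("matchMethod", "amqp")
    hops = [b["nextHopAddress"] for b in bindings
            if not b.get("bindingKey")  # no key: fanout
            or matches(b["bindingKey"], subject, method)]
    if not hops and exchange.get("alternateAddress"):
        hops = [exchange["alternateAddress"]]
    return hops


# Constructed sample configuration (not from the page).
EXCHANGE = {"address": "Exchange1", "matchMethod": "amqp",
            "alternateAddress": "unrouted"}
BINDINGS = [
    {"exchangeName": "Exchange1", "bindingKey": "a.*.c", "nextHopAddress": "q1"},
    {"exchangeName": "Exchange1", "bindingKey": "a.#", "nextHopAddress": "q2"},
]
```

A # token widens a binding or address pattern to a whole subtree, so in the sample a subject of a.b.c is forwarded to both q1 and q2.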
937
938 console
939 (DEPRECATED) Start a websocket/tcp proxy and http file server to serve
940 the web console
941
942 listener (string)
943 The name of the listener to send the proxied tcp traffic to.
944
945 wsport (integer, default=5673)
946 Port on which to listen for websocket traffic.
947
948 proxy (string, required)
949 The full path to the proxy program to run.
950
951 home (string, required)
952 The full path to the html/css/js files for the console.
953
954 args (string)
955 Optional args to pass the proxy program for logging,
956 authentication, etc.
957
958 policy
959 Defines global connection limit
960
961 maxConnections (integer, default=65535)
962 The maximum number of concurrent client connections allowed for
963 this router. This limit is always enforced, even if no other policy
964 settings have been defined. The limit is applied to all incoming
965 connections regardless of remote host, authenticated user, or
966 targeted vhost.
967
968 maxMessageSize (integer)
969 The maximum size in bytes of AMQP message transfers allowed for
970 this router as messages enter the router network. This limit is
971 applied to transfers over user connections and to transfers to
972 interior routers from edge routers. This limit is not applied to
973 interior-to-interior router connections. This limit may be
974 overridden by vhost or by vhost user group settings. A value of
975 zero disables this limit. Administrators are advised not to set
976 interior router maximum message sizes so low that edge router
977 management requests or responses are blocked. Administrators are
978 also advised to set edge router maximum message sizes lower than
979 the attached interior router maximum message size.
980
981 enableVhostPolicy (boolean)
982 Enables the router to enforce the connection denials and resource
983 limits defined in the configured vhost policies.
984
985 enableVhostNamePatterns (boolean)
986 Enable vhost name patterns. When false vhost hostnames are treated
987 as literal strings. When true vhost hostnames are treated as match
988 patterns.
989
990 policyDir (path)
991 The absolute path to a directory that holds vhost policy definition
992 files in JSON format (*.json). The router processes all of the
993 vhost policies in each JSON file that is in this directory.
994
995 defaultVhost (string)
996 The name of the default vhost policy. This policy rule set is
997 applied to a connection for which a vhost policy has not otherwise
998 been configured. Processing for the default vhost is enabled by
999 default and set to select vhost $default. To disable default vhost
1000 processing set defaultVhost to blank or do not define a vhost named
1001 $default.
1002
1003 vhost
1004 AMQP virtual host policy definition of users, user groups, allowed
1005 remote hosts, and AMQP restrictions.
1006
1007 hostname (string, required)
1008 The hostname of the vhost. This vhost policy will be applied to any
1009 client connection that is directed to this hostname.
1010
1011 aliases (string)
1012 Alternate hostnames that share this vhost configuration. Hosts
1013 named in this attribute are treated as if this vhost was defined
1014 with the alias name in the vhost hostname attribute. This attribute
1015 is implemented to help with multitenant configurations where
1016 multiple vhosts share a common configuration. The string is a
1017 comma- or space-separated list of literal hostnames or hostname
1018 patterns. A vhost aliases hostname must be unique across all vhost
1019 hostnames and all of their aliases.
1020
1021 maxConnections (integer, default=65535)
1022 The global maximum number of concurrent client connections allowed
1023 for this vhost.
1024
1025 maxConnectionsPerUser (integer, default=65535)
1026 The maximum number of concurrent client connections allowed for any
1027 user.
1028
1029 maxConnectionsPerHost (integer, default=65535)
1030 The maximum number of concurrent client connections allowed for any
1031 remote host (the host from which the client is connecting).
1032
1033 allowUnknownUser (boolean)
1034 Whether unknown users (users who are not members of a defined user
1035 group) are allowed to connect to the vhost. Unknown users are
1036 assigned to the $default user group and receive $default settings.
1037
1038 groups (map)
1039 A map where the key is a vhost user group name and the value is a
1040 vhostUserGroupSettings object that holds the settings for that
1041 vhost user group.
1042
1043 id (string, required)
1044 (DEPRECATED) The hostname of the vhost. This vhost policy will be
1045 applied to any client connection that is directed to this hostname.
1046 This attribute has been deprecated. Use hostname instead.
1047
1048 vhostUserGroupSettings
1049 Policy settings for users connecting to a vhost. Configuration files
1050 including this section must use .json format.
1051
1052 maxFrameSize (integer)
1053 The largest frame, in bytes, that may be sent on this connection.
1054 Non-zero policy values overwrite values specified for a listener
1055 object (AMQP Open, max-frame-size).
1056
1057 maxSessionWindow (integer)
1058 The incoming capacity for new AMQP sessions, measured in octets.
1059 Non-zero policy values overwrite values specified for a listener
1060 object (AMQP Begin, incoming-window).
1061
1062 maxSessions (integer)
1063 The maximum number of sessions that may be created on this
1064 connection. Non-zero policy values overwrite values specified for a
1065 listener object (AMQP Open, channel-max).
1066
1067 maxSenders (integer, default=2147483647)
1068 The maximum number of sending links that may be created on this
1069 connection. A value of 0 disables all sender links.
1070
1071 maxReceivers (integer, default=2147483647)
1072 The maximum number of receiving links that may be created on this
1073 connection. A value of 0 disables all receiver links.
1074
1075 allowDynamicSource (boolean)
1076 Whether this connection is allowed to create dynamic receiving
1077 links (links to resources that do not exist on the peer). A value
1078 of true means that users are able to automatically create resources
1079 on the peer system.
1080
1081 allowAnonymousSender (boolean)
1082 Whether this connection is allowed to create sending links if the
1083 sender does not provide a target address. By prohibiting anonymous
1084 senders, the router only needs to verify once, when the link is
1085 created, that the sender is permitted to send messages to the
1086 target address. The router does not need to verify each message
1087 that is sent on the link. A value of true means that users may send
1088 messages to any address. Allowing anonymous senders can also
1089 decrease performance: if the sender does not specify a target
1090 address, then the router must parse each message to determine how
1091 to route it.
1092
1093 allowUserIdProxy (boolean)
1094 Whether this connection is allowed to send messages with a user ID
1095 that is different than the connection’s authenticated user name.
1096
1097 allowWaypointLinks (boolean, default=True)
1098 Whether this connection is allowed to claim waypoint.N capability
1099 for attached links. This allows endpoints to act as waypoints
1100 without needing auto-links.
1101
1102 allowDynamicLinkRoutes (boolean, default=True)
1103 Whether this connection is allowed to dynamically create
1104 connection-scoped link route destinations.
1105
1106 allowAdminStatusUpdate (boolean, default=True)
1107 Whether this connection is allowed to update the admin status of
1108 other connections. Note: Inter-router connections cannot be deleted
1109 at any time.
1110
1111 allowFallbackLinks (boolean, default=True)
1112 Whether this connection is allowed to claim qd.fallback capability
1113 for attached links. This allows endpoints to act as fallback
1114 destinations for addresses that have fallback capability enabled.
1115
1116 sources (string)
1117 A list of source addresses from which users in this group may
1118 receive messages. To specify multiple addresses, separate the
1119 addresses with either a comma or a space. If you do not specify any
1120 addresses, users in this group are not allowed to receive messages
1121 from any addresses. You can use the substitution token ${user} to
1122 specify an address that contains a user’s authenticated user name.
1123 You can use an asterisk (*) wildcard to match one or more
1124 characters in an address. However, this wildcard is only recognized
1125 if it is the last character in the address name. You may specify
1126 attributes sources or sourcePattern but not both at the same time.
1127
1128 targets (string)
1129 A list of target addresses to which users in this group may send
1130 messages. To specify multiple addresses, separate the addresses
1131 with either a comma or a space. If you do not specify any
1132 addresses, users in this group are not allowed to send messages to
1133 any addresses. You can use the substitution token ${user} to
1134 specify an address that contains a user’s authenticated user name.
1135 You can use an asterisk (*) wildcard to match one or more
1136 characters in an address. However, this wildcard is only recognized
1137 if it is the last character in the address name. You may specify
1138 attributes targets or targetPattern but not both at the same time.
1139
1140 sourcePattern (string)
1141 A wildcarded pattern for matching source addresses from which users
1142 in this group may receive messages. The pattern consists of one or
1143 more tokens separated by a forward slash /. A token can be one of
1144 the following: a * character, a # character, or a sequence of
1145 characters that do not include /, *, or #. The * token matches any
1146 single token. The # token matches zero or more tokens. * has higher
1147 precedence than #, and exact match has the highest precedence. To
1148 specify multiple addresses, separate the addresses with either a
1149 comma or a space. You can use the text string ${user} in a token to
1150 specify an address that contains a user’s authenticated user name.
1151 If you do not specify any addresses, users in this group are not
1152 allowed to receive messages from any addresses. You may specify
1153 attributes sources or sourcePattern but not both at the same time.
1154
1155 targetPattern (string)
1156 A wildcarded pattern for matching target addresses to which users
1157 in this group may send messages. The pattern consists of one or
1158 more tokens separated by a forward slash /. A token can be one of
1159 the following: a * character, a # character, or a sequence of
1160 characters that do not include /, *, or #. The * token matches any
1161 single token. The # token matches zero or more tokens. * has higher
1162 precedence than #, and exact match has the highest precedence. To
1163 specify multiple addresses, separate the addresses with either a
1164 comma or a space. You can use the text string ${user} in a token to
1165 specify an address that contains a user’s authenticated user name.
1166 If you do not specify any addresses, users in this group are not
1167 allowed to send messages to any addresses. You may specify
1168 attributes targets or targetPattern but not both at the same time.
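
A review aid for vhost policy files, applying the sources/targets matching rules and listing the permissive settings described above. This is an added example, not the router's policy engine; the file layout (a list of ["vhost", {...}] entries), the False value assumed for booleans with no stated default, and the sample policy are assumptions.

```python
import json
import re

# (attribute, value assumed when absent, effect as described on this page).
# The False defaults are an assumption; the page shows only the True ones.
REVIEW = [
    ("allowAnonymousSender", False, "users may send messages to any address"),
    ("allowUserIdProxy", False, "user ID may differ from authenticated name"),
    ("allowDynamicSource", False, "users can create resources on the peer"),
    ("allowAdminStatusUpdate", True, "can update admin status of connections"),
    ("allowDynamicLinkRoutes", True, "can create connection-scoped link routes"),
]


def entries(spec):
    """Split a comma- or space-separated sources/targets string."""
    return [e for e in re.split(r"[,\s]+", spec or "") if e]


def address_allowed(spec, user, address):
    """sources/targets check: ${user} token and trailing * wildcard."""
    for entry in entries(spec):
        entry = entry.replace("${user}", user)
        if entry.endswith("*"):
            # Per the page, * stands for one or more characters.
            if address.startswith(entry[:-1]) and len(address) >= len(entry):
                return True
        elif entry == address:
            return True
    return False


def audit(policy_text):
    """Return (vhost, group, finding) tuples for settings worth reviewing."""
    findings = []
    for kind, vhost in json.loads(policy_text):
        if kind != "vhost":
            continue
        host = vhost.get("hostname") or vhost.get("id")
        if vhost.get("allowUnknownUser"):
            findings.append((host, "-", "allowUnknownUser: unknown users get $default"))
        for name, grp in vhost.get("groups", {}).items():
            for attr, default, effect in REVIEW:
                if grp.get(attr, default):
                    findings.append((host, name, f"{attr}: {effect}"))
            for attr in ("sources", "targets"):
                if "*" in entries(grp.get(attr)):
                    findings.append((host, name, f"{attr}: bare * matches any address"))
                if attr in grp and attr[:-1] + "Pattern" in grp:
                    findings.append((host, name, f"{attr} and {attr[:-1]}Pattern both set"))
    return findings


# Constructed sample policy file content (not from the page).
POLICY = """
[["vhost", {"hostname": "tenant-a.example", "allowUnknownUser": true, "groups": {
  "$default": {"allowAnonymousSender": true, "allowAdminStatusUpdate": false,
      "allowDynamicLinkRoutes": false, "sources": "public*", "targets": "*"},
  "apps": {"allowAdminStatusUpdate": false, "allowDynamicLinkRoutes": false,
      "sources": "reply-${user}, events*", "targets": "ingest/${user}"}
}}]]
"""
```

In the sample, audit(POLICY) reports three items, all reachable by unknown users through the $default group; the apps group, which sets the default-True permissions to false and scopes addresses with ${user}, reports none.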
1169
1171 qdrouterd(8), qdmanage(8)
1172
1173 http://qpid.apache.org/components/dispatch-router
1174
1175
1176
1177 03/29/2022 QDROUTERD.CONF(5)