MDCB Configuration options
Tyk MDCB Configuration
The Tyk MDCB server is configured primarily via the tyk_sink.conf file. This file resides in /opt/tyk-sink on most systems, but it can live anywhere and be targeted directly with the -c flag.
Environment Variables
Environment variables (env var) can be used to override the settings defined in the configuration file. Where an environment variable is specified, its value will take precedence over the value in the configuration file.
Default Ports
Application | Port |
---|---|
MongoDB | 27017 |
Redis | 6379 |
Tyk Dashboard | |
Developer Portal | 3000 |
Admin Dashboard | 3000 |
Admin Dashboard API | 3000 |
Tyk Gateway | |
Management API | 8080 |
MDCB | |
RPC Listen | 9091 |
Healthcheck | 8181 |
listen_port
EV: TYK_MDCB_LISTENPORT
Type: int
The RPC port that worker gateways connect to. Open this port in your firewall to accept connections.
If this value is not set, the MDCB application will apply a default value of 9091.
healthcheck_port
EV: TYK_MDCB_HEALTHCHECKPORT
Type: int
The port on which MDCB serves standard health checks.
If this value is not set, the MDCB component will apply a default value of 8181.
enable_http_profiler
EV: TYK_MDCB_HTTPPROFILE
Type: bool
Enable debugging of your Tyk MDCB by exposing profiling information.
server_options
MDCB HTTP server configuration
server_options.use_ssl
EV: TYK_MDCB_SERVEROPTIONS_USESSL
Type: bool
If use_ssl is set to true, you need to enter the cert_file and key_file path names for the certificate.
server_options.certificate
Certificate data used to expose the HTTP server.
server_options.certificate.cert_file
EV: TYK_MDCB_SERVEROPTIONS_CERTIFICATE_CERTFILE
Type: string
Filesystem location of the PEM-encoded certificate.
server_options.certificate.key_file
EV: TYK_MDCB_SERVEROPTIONS_CERTIFICATE_KEYFILE
Type: string
Filesystem location of the PEM-encoded private key.
server_options.min_version
EV: TYK_MDCB_SERVEROPTIONS_MINVERSION
Type: uint16
The min_version setting should be the minimum TLS protocol version required from the client.
For TLS 1.0 use 769
For TLS 1.1 use 770
For TLS 1.2 use 771
For TLS 1.3 use 772
server_options.ssl_ciphers
EV: TYK_MDCB_SERVEROPTIONS_CIPHERS
Type: []string
The list of supported cipher suite names (IANA) for TLS versions up to TLS 1.2. This defaults to a list of secure cipher suites.
server_options.ssl_certificates
EV: TYK_MDCB_SERVEROPTIONS_SSLCERTIFICATES
Type: []string
SSL certificates used by your MDCB server. A list of certificate IDs or path to files.
security.private_certificate_encoding_secret
EV: TYK_MDCB_SECURITY.PRIVATECERTIFICATEENCODINGSECRET
Type: string
Allows MDCB to use Mutual TLS. This requires server_options.use_ssl to be set to true. See Mutual TLS for more details.
storage
This section describes your centralised Redis DB. This will act as your master key store for all of your clusters.
storage.type
EV: TYK_MDCB_STORAGE_TYPE
Type: string
Currently, the only storage type supported is Redis.
storage.host
EV: TYK_MDCB_STORAGE_HOST
Type: string
Hostname of your Redis server
storage.port
EV: TYK_MDCB_STORAGE_PORT
Type: int
The port the Redis server is listening on.
storage.master_name
EV: TYK_MDCB_STORAGE_MASTERNAME
Type: string
Defines the Sentinel master name.
storage.sentinel_password
EV: TYK_MDCB_STORAGE_SENTINELPASSWORD
Type: string
If set, Redis Sentinel will authenticate using this password.
storage.username
EV: TYK_MDCB_STORAGE_USERNAME
Type: string
If set, a Redis connection will be established with this user. If not set, it defaults to the default Redis user.
storage.password
EV: TYK_MDCB_STORAGE_PASSWORD
Type: string
Optional auth password for Redis db
storage.database
EV: TYK_MDCB_STORAGE_DATABASE
Type: int
By default, the database is 0. Setting the database is not supported with Redis cluster. As such, if you have storage.redis_cluster:true, then this value should be omitted or explicitly set to 0.
storage.optimisation_max_idle
EV: TYK_MDCB_STORAGE_MAXIDLE
Type: int
MDCB will open a pool of connections to Redis. This setting configures how many connections are maintained in the pool when idle (no traffic). Set the max_idle value to something large; we usually leave it at around 2000 for HA deployments.
storage.optimisation_max_active
EV: TYK_MDCB_STORAGE_MAXACTIVE
Type: int
To avoid overcommitting connections to the Redis server, you can limit the total number of active connections to Redis. For production use, we recommend setting this to around 4000.
storage.enable_cluster
EV: TYK_MDCB_STORAGE_ENABLECLUSTER
Type: bool
If you are using Redis cluster, enable it here to enable the slots mode.
storage.hosts
EV: TYK_MDCB_STORAGE_HOSTS
Type: map[string]string
Add your Redis hosts here as a map of hostname:port. This field is required when storage.enable_cluster is set to true. Example:
{
  "server1": "6379",
  "server2": "6380",
  "server3": "6381"
}
storage.addrs
EV: TYK_MDCB_STORAGE_ADDRS
Type: []string
It can be either a single address or a seed list of host:port addresses of cluster/sentinel nodes. It overrides the value of hosts.
storage.redis_use_ssl
EV: TYK_MDCB_STORAGE_REDISUSESSL
Type: bool
If set, MDCB will assume the connection to Redis is encrypted. (use with Redis providers that support in-transit encryption)
storage.redis_ssl_insecure_skip_verify
EV: TYK_MDCB_STORAGE_REDISSSLINSECURESKIPVERIFY
Type: bool
Allows usage of self-signed certificates when connecting to an encrypted Redis database.
analytics
Configuration of the analytics store.
analytics.type
EV: TYK_MDCB_ANALYTICSCONFIG_TYPE
Type: DBType
Determines the storage type. It could be mongo, postgres or sqlite. By default, the value is mongo.
analytics.connection_string
EV: TYK_MDCB_ANALYTICSCONFIG_CONNECTIONSTRING
Type: string
This is used to configure the connection string for the storage.
analytics.table_sharding
EV: TYK_MDCB_ANALYTICSCONFIG_TABLESHARDING
Type: bool
Enable table sharding for SQL Analytics
analytics.batch_size
EV: TYK_MDCB_ANALYTICSCONFIG_BATCHSIZE
Type: int
Max Batch size for SQL Analytics
analytics.postgres.prefer_simple_protocol
EV: TYK_MDCB_ANALYTICSCONFIG_POSTGRES_PREFERSIMPLEPROTOCOL
Type: bool
Disables implicit prepared statement usage.
analytics.mysql.default_string_size
EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_DEFAULTSTRINGSIZE
Type: uint
Default size for string fields. By default, set to 256.
analytics.mysql.disable_datetime_precision
EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_DISABLEDATETIMEPRECISION
Type: bool
Disable datetime precision, which is not supported before MySQL 5.6.
analytics.mysql.dont_support_rename_index
EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_DONTSUPPORTRENAMEINDEX
Type: bool
Drop and create when renaming an index; renaming an index is not supported before MySQL 5.7, MariaDB.
analytics.mysql.dont_support_rename_column
EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_DONTSUPPORTRENAMECOLUMN
Type: bool
Use change when renaming a column; renaming a column is not supported before MySQL 8, MariaDB.
analytics.mysql.skip_initialize_with_version
EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_SKIPINITIALIZEWITHVERSION
Type: bool
Auto-configure based on the current MySQL version.
analytics.mongo_url
EV: TYK_MDCB_ANALYTICSCONFIG_MONGOURL
Type: string
Connection string for MongoDB.
analytics.mongo_use_ssl
EV: TYK_MDCB_ANALYTICSCONFIG_MONGOUSESSL
Type: bool
A Boolean setting for Mongo SSL support. Set to true to enable SSL.
analytics.mongo_ssl_insecure_skip_verify
EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSSLINSECURESKIPVERIFY
Type: bool
This setting allows the use of self-signed certificates when connecting to an encrypted MongoDB database.
analytics.mongo_ssl_allow_invalid_hostnames
EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSSLALLOWINVALIDHOSTNAMES
Type: bool
Ignore the hostname check when it differs from the original (for example, with SSH tunneling). The rest of the TLS verification will still be performed.
analytics.mongo_ssl_ca_file
EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSSLCAFILE
Type: string
Path to the PEM file with trusted root certificates
analytics.mongo_ssl_pem_keyfile
EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSSLPEMKEYFILE
Type: string
Path to the PEM file which contains both client certificate and private key. This is required for Mutual TLS.
analytics.mongo_session_consistency
EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSESSIONCONSISTENCY
Type: string
Set the consistency mode for the session. It defaults to Strong. The valid values are:
- eventual
- monotonic
analytics.mongo_batch_size
EV: TYK_MDCB_ANALYTICSCONFIG_MONGOBATCHSIZE
Type: int
Sets the batch size for mongo results.
hash_keys
EV: TYK_MDCB_HASHKEYS
Type: bool
Set to true if you are using a hashed configuration installation of Tyk, otherwise set to false.
session_timeout
EV: TYK_MDCB_SESSIONTIMEOUT
Type: int64
Number of seconds before the gateways are forced to re-login. Default is 86400 (24 hours).
forward_analytics_to_pump
EV: TYK_MDCB_FORWARDANALYTICSTOPUMP
Type: bool
Instead of sending analytics directly to MongoDB, MDCB can send analytics to Redis. This will allow tyk-pump (https://github.com/TykTechnologies/tyk-pump) to pull analytics from Redis and send them to your own data sinks.
enable_multiple_analytics_keys
EV: TYK_MDCB_ENABLEMULTIPLEANALYTICSKEYS
Type: bool
Instead of saving all the analytics in one key, this enables saving the analytics in multiple keys. It’s especially useful when you are using Redis cluster. This will work only if forward_analytics_to_pump is true and tyk-pump is v1.2.1+.
dont_store_selective
EV: TYK_MDCB_DONTSTORESELECTIVE
Type: bool
Set to true if you don’t want to store selective analytics.
dont_store_aggregate
EV: TYK_MDCB_DONTSTOREAGGREGATES
Type: bool
Set to true if you don’t want to store aggregate analytics.
org_session_expiration
EV: TYK_MDCB_ORGCACHEEXPIRATION
Type: int
Sets the organization cache expiration in minutes. By default, 60 minutes. This will only work with tyk-sink 1.9+
org_session_cleanup
EV: TYK_MDCB_ORGCACHECLEANUP
Type: int
Sets the organization cache cleanup interval in minutes. By default, 60 minutes. This will only work with tyk-sink 1.9+.
license
EV: TYK_MDCB_LICENSE
Type: string
Enter your license in this section so MDCB can start.
track_all_paths
EV: TYK_MDCB_TRACKALLPATHS
Type: bool
Currently, analytics for an endpoint are stored only if the Track Endpoint plugin is enabled on that endpoint. If track_all_paths is enabled, it will store analytics for all the endpoints, irrespective of the Track Endpoint plugin.
store_analytics_per_minute
EV: TYK_MDCB_STOREANALYTICSPERMINUTE
Type: bool
Enable to generate aggregate data per minute. By default, aggregate data is generated per hour.
ignore_tag_prefix_list
EV: TYK_MDCB_IGNORETAGPREFIXLIST
Type: []string
If set, analytics will not be stored for tags that have a prefix specified in the list. Note: the prefix “key-” is added to the list by default. This tag is added by the gateway for keys.
threshold_len_tag_list
EV: TYK_MDCB_THRESHOLDLENTAGLIST
Type: int
If the number of tags in a document grows beyond threshold_len_tag_list, pump will throw a warning. It works for the mongo aggregate pump. The warning will print the top 5 common tag prefixes. Default value is 1000. To disable alerts, set it to -1.
omit_analytics_index_creation
EV: TYK_MDCB_OMITANALYTICSINDEXCREATION
Type: bool
Set to true to disable the Mongo storage's default index creation. More detailed behaviour is explained at https://tyk.io/docs/tyk-pump/tyk-pump-configuration/tyk-pump-dashboard-config/#omitting-indexes.
enable_separate_analytics_store
EV: TYK_MDCB_ENABLESEPERATEANALYTICSSTORE
Type: bool
Set it to true if you are using a separate analytics storage in the master gateway. If forward_analytics_to_pump is true, it will forward the analytics to the separate storage specified in analytics_storage.
analytics_storage
This section describes your separate analytics Redis DB. It has the same fields as storage. It requires enable_separate_analytics_store set to true.
analytics_storage.type
EV: TYK_MDCB_ANALYTICSSTORAGE_TYPE
Type: string
Currently, the only storage type supported is Redis.
analytics_storage.host
EV: TYK_MDCB_ANALYTICSSTORAGE_HOST
Type: string
Hostname of your Redis server
analytics_storage.port
EV: TYK_MDCB_ANALYTICSSTORAGE_PORT
Type: int
The port the Redis server is listening on.
analytics_storage.master_name
EV: TYK_MDCB_ANALYTICSSTORAGE_MASTERNAME
Type: string
Defines the Sentinel master name.
analytics_storage.sentinel_password
EV: TYK_MDCB_ANALYTICSSTORAGE_SENTINELPASSWORD
Type: string
If set, Redis Sentinel will authenticate using this password.
analytics_storage.username
EV: TYK_MDCB_ANALYTICSSTORAGE_USERNAME
Type: string
If set, a Redis connection will be established with this user. If not set, it defaults to the default Redis user.
analytics_storage.password
EV: TYK_MDCB_ANALYTICSSTORAGE_PASSWORD
Type: string
Optional auth password for Redis db
analytics_storage.database
EV: TYK_MDCB_ANALYTICSSTORAGE_DATABASE
Type: int
By default, the database is 0. Setting the database is not supported with Redis cluster. As such, if you have storage.redis_cluster:true, then this value should be omitted or explicitly set to 0.
analytics_storage.optimisation_max_idle
EV: TYK_MDCB_ANALYTICSSTORAGE_MAXIDLE
Type: int
MDCB will open a pool of connections to Redis. This setting configures how many connections are maintained in the pool when idle (no traffic). Set the max_idle value to something large; we usually leave it at around 2000 for HA deployments.
analytics_storage.optimisation_max_active
EV: TYK_MDCB_ANALYTICSSTORAGE_MAXACTIVE
Type: int
To avoid overcommitting connections to the Redis server, you can limit the total number of active connections to Redis. For production use, we recommend setting this to around 4000.
analytics_storage.enable_cluster
EV: TYK_MDCB_ANALYTICSSTORAGE_ENABLECLUSTER
Type: bool
If you are using Redis cluster, enable it here to enable the slots mode.
analytics_storage.hosts
EV: TYK_MDCB_ANALYTICSSTORAGE_HOSTS
Type: map[string]string
Add your Redis hosts here as a map of hostname:port. This field is required when storage.enable_cluster is set to true. Example:
{
  "server1": "6379",
  "server2": "6380",
  "server3": "6381"
}
analytics_storage.addrs
EV: TYK_MDCB_ANALYTICSSTORAGE_ADDRS
Type: []string
It can be either a single address or a seed list of host:port addresses of cluster/sentinel nodes. It overrides the value of hosts.
analytics_storage.redis_use_ssl
EV: TYK_MDCB_ANALYTICSSTORAGE_REDISUSESSL
Type: bool
If set, MDCB will assume the connection to Redis is encrypted. (use with Redis providers that support in-transit encryption)
analytics_storage.redis_ssl_insecure_skip_verify
EV: TYK_MDCB_ANALYTICSSTORAGE_REDISSSLINSECURESKIPVERIFY
Type: bool
Allows usage of self-signed certificates when connecting to an encrypted Redis database.
log_level
EV: TYK_MDCB_LOGLEVEL
Type: string
You can now set a logging level (log_level). The following levels can be set: debug, info, warn, error.
If not set or left empty, it will default to info.
enable_key_logging
EV: TYK_MDCB_ENABLEKEYLOGGING
Type: bool
EnableKeyLogging prints the unhashed keys in the logs without obfuscating them.
sync_worker_config
Configuration of the MDCB Synchroniser functionality introduced in MDCB v2.0.0
sync_worker_config.enabled
EV: TYK_MDCB_SYNCWORKER_ENABLED
Type: bool
Enable the MDCB Synchroniser
sync_worker_config.hash_keys
EV: TYK_MDCB_SYNCWORKER_HASHKEYS
Type: bool
Allows the worker to synchronize hashed API keys. Set this to true if hash_keys is true in dashboard and gateway configuration.
sync_worker_config.max_batch_size
EV: TYK_MDCB_SYNCWORKER_MAXBATCHSIZE
Type: int
The maximum number of keys that we can fetch per batch. Default value: 1000 keys per batch.
sync_worker_config.time_between_batches
EV: TYK_MDCB_SYNCWORKER_TIMEBETWEENBATCHES
Type: int
Specifies a cooldown time between batches in seconds. 0 / disabled by default.
sync_worker_config.max_workers
EV: TYK_MDCB_SYNCWORKER_MAXWORKERS
Type: int
Specifies the maximum number of Groups (worker GW clusters) that can be synchronised by MDCB at the same time. Increasing this value can affect the operation of MDCB so it is recommended that you only modify this value if you need to synchronise a higher number of datacenters. Default value: 1000.
sync_worker_config.warmup_time
EV: TYK_MDCB_SYNCWORKER_WARMUPTIME
Type: int
Specifies the time (in seconds) that MDCB should wait before starting to synchronise workers with the controller. This is to allow the worker nodes to load APIs and policies from local Redis before synchronising the other resources. Default value: 2 seconds.
sync_worker_config.group_key_ttl
EV: TYK_MDCB_SYNCWORKER_GROUPKEYTTL
Type: int
Specifies the group key TTL in seconds. This key is used to prevent a group of gateways from re-syncing when it is not required. On login (GroupLogin call), if the key doesn’t exist then the sync process is triggered. If the key exists then the TTL just gets renewed. If the cluster of gateways is down, the key will expire and be removed, and if they connect again a sync process will be triggered. Default value: 180 seconds. Min value: 30 seconds.
enable_ownership
EV: TYK_MDCB_ENABLEOWNERSHIP
Type: bool
Enables API Ownership in MDCB. It allows the gateways in the data plane cluster to load only APIs that are accessible by the user and user group associated with the slave_options.api_key that is used to connect to MDCB (defined in tyk.config of the gateway).
This will be enforced if enable_ownership is also enabled in the Dashboard and your API definition has been associated with a user or user_group.
Defaults to false.
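Because an environment variable takes precedence over tyk_sink.conf, a hardened file can be silently overridden at deploy time. The following Python sketch is an added example, not Tyk's code: it resolves the effective value of the security-relevant settings documented on this page (environment first, then file) and lists the ones that need review. The review thresholds (for instance, requiring min_version of at least 771), the parsing of environment values as JSON literals, and the sample file and environment are assumptions of this example.

```python
import json
import os

# (config path, env var named on this page, "needs review" predicate, note)
CHECKS = [
    ("server_options.use_ssl", "TYK_MDCB_SERVEROPTIONS_USESSL",
     lambda v: v is not True, "MDCB listener is not using TLS"),
    ("server_options.min_version", "TYK_MDCB_SERVEROPTIONS_MINVERSION",
     lambda v: not isinstance(v, int) or v < 771, "TLS floor unset or below 1.2 (771)"),
    ("storage.redis_ssl_insecure_skip_verify", "TYK_MDCB_STORAGE_REDISSSLINSECURESKIPVERIFY",
     lambda v: v is True, "Redis accepts self-signed certificates"),
    ("analytics.mongo_ssl_insecure_skip_verify", "TYK_MDCB_ANALYTICSCONFIG_MONGOSSLINSECURESKIPVERIFY",
     lambda v: v is True, "MongoDB accepts self-signed certificates"),
    ("enable_http_profiler", "TYK_MDCB_HTTPPROFILE",
     lambda v: v is True, "profiling information is exposed"),
    ("enable_key_logging", "TYK_MDCB_ENABLEKEYLOGGING",
     lambda v: v is True, "unhashed keys are printed in logs"),
]

def effective(cfg, path, env_name, env):
    """Resolve a setting: the environment variable wins over the file value."""
    if env_name in env:
        raw = env[env_name]
        try:  # assumption of this sketch: env values parse like JSON literals
            return json.loads(raw.lower()), "env"
        except ValueError:
            return raw, "env"
    for part in path.split("."):  # walk the dotted path through nested objects
        cfg = cfg.get(part) if isinstance(cfg, dict) else None
    return cfg, "file"

def audit(conf_text, env=None):
    """Return (setting, source, value, note) for every check that fires."""
    env = os.environ if env is None else env
    cfg = json.loads(conf_text)
    findings = []
    for path, env_name, needs_review, note in CHECKS:
        value, source = effective(cfg, path, env_name, env)
        if needs_review(value):
            findings.append((path, source, value, note))
    return findings

# Constructed sample tyk_sink.conf and environment (not from a real deployment).
SAMPLE_CONF = """{
  "server_options": {"use_ssl": true, "min_version": 770},
  "storage": {"redis_ssl_insecure_skip_verify": false},
  "analytics": {"mongo_ssl_insecure_skip_verify": true},
  "enable_key_logging": false
}"""
SAMPLE_ENV = {"TYK_MDCB_ENABLEKEYLOGGING": "true"}  # overrides the file's false

if __name__ == "__main__":
    for path, source, value, note in audit(SAMPLE_CONF, SAMPLE_ENV):
        print(f"[{source}] {path}={value!r}: {note}")
```

Called without an env argument, audit() reads the process environment, so it should run in the same environment the MDCB service starts with.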