Cloud Login Install

MDCB Configuration options

Tyk MDCB Configuration

The Tyk MDCB server is configured primarily via the tyk_sink.conf file, this file resides in /opt/tyk-sink on most systems, but can also live anywhere and be directly targeted with the -c flag.

Environment Variables

Environment variables (env var) can be used to override the settings defined in the configuration file. Where an environment variable is specified, its value will take precedence over the value in the configuration file.

Default Ports

Application Port
MongoDB 27017
Redis 6379
Tyk Dashboard
Developer Portal 3000
Admin Dashboard 3000
Admin Dashboard API 3000
Tyk Gateway
Management API 8080
MDCB
RPC Listen 9091
Healthcheck 8181

listen_port

EV: TYK_MDCB_LISTENPORT
Type: int

The rpc port which worker gateways will connect to. Open this port to accept connections via your firewall.
If this value is not set, the MDCB application will apply a default value of 9091.

healthcheck_port

EV: TYK_MDCB_HEALTHCHECKPORT
Type: int

This port lets MDCB allow standard health checks.
If this value is not set, the MDCB component will apply a default value of 8181.

enable_http_profiler

EV: TYK_MDCB_HTTPPROFILE
Type: bool

Enable debugging of your Tyk MDCB by exposing profiling information.

server_options

MDCB HTTP server configuration

server_options.use_ssl

EV: TYK_MDCB_SERVEROPTIONS_USESSL
Type: bool

If use_ssl is set to true, you need to enter the cert_file and key_file path names for certificate.

server_options.certificate

cert data to expose the http server

server_options.certificate.cert_file

EV: TYK_MDCB_SERVEROPTIONS_CERTIFICATE_CERTFILE
Type: string

Filesystem location for pem encoded certificate

server_options.certificate.key_file

EV: TYK_MDCB_SERVEROPTIONS_CERTIFICATE_KEYFILE
Type: string

Filesystem location for pem encoded private key

server_options.min_version

EV: TYK_MDCB_SERVEROPTIONS_MINVERSION
Type: uint16

The min_version setting should be the minimum TLS protocol version required from the client.
For TLS 1.0 use 769
For TLS 1.1 use 770
For TLS 1.2 use 771
For TLS 1.3 use 772

server_options.ssl_ciphers

EV: TYK_MDCB_SERVEROPTIONS_CIPHERS
Type: []string

Is the list of names supported cipher suites (IANA) for TLS versions up to TLS 1.2. This defaults to a list of secure cipher suites.

server_options.ssl_certificates

EV: TYK_MDCB_SERVEROPTIONS_SSLCERTIFICATES
Type: []string

SSL certificates used by your MDCB server. A list of certificate IDs or path to files.

security.private_certificate_encoding_secret

EV: TYK_MDCB_SECURITY.PRIVATECERTIFICATEENCODINGSECRET
Type: string

Allows MDCB to use Mutual TLS. This requires to set server_options.use_ssl to true. See Mutual TLS for more details.

storage

This section describes your centralised Redis DB. This will act as your master key store for all of your clusters.

storage.type

EV: TYK_MDCB_STORAGE_TYPE
Type: string

Currently, the only storage type supported is Redis.

storage.host

EV: TYK_MDCB_STORAGE_HOST
Type: string

Hostname of your Redis server

storage.port

EV: TYK_MDCB_STORAGE_PORT
Type: int

The port the Redis server is listening on.

storage.master_name

EV: TYK_MDCB_STORAGE_MASTERNAME
Type: string

It defines the sentinel master name

storage.sentinel_password

EV: TYK_MDCB_STORAGE_SENTINELPASSWORD
Type: string

If set, redis sentinel will authenticate using this password.

storage.username

EV: TYK_MDCB_STORAGE_USERNAME
Type: string

If set, a redis connection will be established with this user. If not set then it will defaults to the default redis user

storage.password

EV: TYK_MDCB_STORAGE_PASSWORD
Type: string

Optional auth password for Redis db

storage.database

EV: TYK_MDCB_STORAGE_DATABASE
Type: int

By default, the database is 0. Setting the database is not supported with redis cluster. As such, if you have storage.redis_cluster:true, then this value should be omitted or explicitly set to 0.

storage.optimisation_max_idle

EV: TYK_MDCB_STORAGE_MAXIDLE
Type: int

MDCB will open a pool of connections to Redis. This setting will configure how many connections are maintained in the pool when idle (no traffic). Set the max_idle value to something large, we usually leave it at around 2000 for HA deployments.

storage.optimisation_max_active

EV: TYK_MDCB_STORAGE_MAXACTIVE
Type: int

In order to not over commit connections to the Redis server, we may limit the total number of active connections to Redis. We recommend for production use to set this to around 4000.

storage.enable_cluster

EV: TYK_MDCB_STORAGE_ENABLECLUSTER
Type: bool

If you are using Redis cluster, enable it here to enable the slots mode.

storage.hosts

EV: TYK_MDCB_STORAGE_HOSTS
Type: map[string]string

Add your Redis hosts here as a map of hostname:port. This field is required when storage.enable_cluster is set to true. example:
{
"server1": "6379",
"server2": "6380",
"server3": "6381"
}

storage.addrs

EV: TYK_MDCB_STORAGE_ADDRS
Type: []string

It can be either a single address or a seed list of host:port addresses of cluster/sentinel nodes. It overrides the value of hosts.

storage.redis_use_ssl

EV: TYK_MDCB_STORAGE_REDISUSESSL
Type: bool

If set, MDCB will assume the connection to Redis is encrypted. (use with Redis providers that support in-transit encryption)

storage.redis_ssl_insecure_skip_verify

EV: TYK_MDCB_STORAGE_REDISSSLINSECURESKIPVERIFY
Type: bool

Allows usage of self-signed certificates when connecting to an encrypted Redis database.

analytics

configuration of the store of analytics

analytics.type

EV: TYK_MDCB_ANALYTICSCONFIG_TYPE
Type: DBType

Determines the storage type. It could be mongo, postgres or sqlite. By default, the value is mongo.

analytics.connection_string

EV: TYK_MDCB_ANALYTICSCONFIG_CONNECTIONSTRING
Type: string

This is used to configure the conenction string for the storage.

analytics.table_sharding

EV: TYK_MDCB_ANALYTICSCONFIG_TABLESHARDING
Type: bool

Enable table sharding for SQL Analytics

analytics.batch_size

EV: TYK_MDCB_ANALYTICSCONFIG_BATCHSIZE
Type: int

Max Batch size for SQL Analytics

analytics.postgres.prefer_simple_protocol

EV: TYK_MDCB_ANALYTICSCONFIG_POSTGRES_PREFERSIMPLEPROTOCOL
Type: bool

disables implicit prepared statement usage

analytics.mysql.default_string_size

EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_DEFAULTSTRINGSIZE
Type: uint

default size for string fields. By default set to: 256

analytics.mysql.disable_datetime_precision

EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_DISABLEDATETIMEPRECISION
Type: bool

disable datetime precision, which not supported before MySQL 5.6

analytics.mysql.dont_support_rename_index

EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_DONTSUPPORTRENAMEINDEX
Type: bool

drop & create when rename index, rename index not supported before MySQL 5.7, MariaDB

analytics.mysql.dont_support_rename_column

EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_DONTSUPPORTRENAMECOLUMN
Type: bool

change when rename column, rename column not supported before MySQL 8, MariaDB

analytics.mysql.skip_initialize_with_version

EV: TYK_MDCB_ANALYTICSCONFIG_MYSQL_SKIPINITIALIZEWITHVERSION
Type: bool

auto configure based on currently MySQL version

analytics.mongo_url

EV: TYK_MDCB_ANALYTICSCONFIG_MONGOURL
Type: string

Connection string for MongoDB.

analytics.mongo_use_ssl

EV: TYK_MDCB_ANALYTICSCONFIG_MONGOUSESSL
Type: bool

A Boolean setting for Mongo SSL support. Set to true to enable SSL.

analytics.mongo_ssl_insecure_skip_verify

EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSSLINSECURESKIPVERIFY
Type: bool

This setting allows the use of self-signed certificates when connecting to an encrypted MongoDB database.

analytics.mongo_ssl_allow_invalid_hostnames

EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSSLALLOWINVALIDHOSTNAMES
Type: bool

Ignore hostname check when it differs from the original (for example with SSH tunneling). The rest of the TLS verification will still be performed

analytics.mongo_ssl_ca_file

EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSSLCAFILE
Type: string

Path to the PEM file with trusted root certificates

analytics.mongo_ssl_pem_keyfile

EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSSLPEMKEYFILE
Type: string

Path to the PEM file which contains both client certificate and private key. This is required for Mutual TLS.

analytics.mongo_session_consistency

EV: TYK_MDCB_ANALYTICSCONFIG_MONGOSESSIONCONSISTENCY
Type: string

Set the consistency mode for the session, it defaults to Strong. The valid values are:

  • eventual monotonic

analytics.mongo_batch_size

EV: TYK_MDCB_ANALYTICSCONFIG_MONGOBATCHSIZE
Type: int

Sets the batch size for mongo results.

hash_keys

EV: TYK_MDCB_HASHKEYS
Type: bool

Set to true if you are using a hashed configuration installation of Tyk, otherwise set to false.

session_timeout

EV: TYK_MDCB_SESSIONTIMEOUT
Type: int64

Number of seconds before the gateways are forced to re-login. Default is 86400 (24 hours).

forward_analytics_to_pump

EV: TYK_MDCB_FORWARDANALYTICSTOPUMP
Type: bool

Instead of sending analytics directly to MongoDB, MDCB can send analytics to Redis. This will allow [tyk-pump] (https://github.com/TykTechnologies/tyk-pump) to pull analytics from Redis and send to your own data sinks.

enable_multiple_analytics_keys

EV: TYK_MDCB_ENABLEMULTIPLEANALYTICSKEYS
Type: bool

Instead of saving all the analytics in one key, this will enable to save the analytics in multiple keys. It’s specially useful when you are using Redis cluster. This will work only if forward_analytics_to_pump is true and tyk-pump is v1.2.1+ .

dont_store_selective

EV: TYK_MDCB_DONTSTORESELECTIVE
Type: bool

set to true if you don’t want to store selective analytics

dont_store_aggregate

EV: TYK_MDCB_DONTSTOREAGGREGATES
Type: bool

Set to true to don’t store aggregate analytics

org_session_expiration

EV: TYK_MDCB_ORGCACHEEXPIRATION
Type: int

Sets the organization cache expiration in minutes. By default, 60 minutes. This will only work with tyk-sink 1.9+

org_session_cleanup

EV: TYK_MDCB_ORGCACHECLEANUP
Type: int

Sets the organization cache cleanup interval in minutes. By default, 60 minutes. This will only work with tyk-sink 1.9+.

license

EV: TYK_MDCB_LICENSE
Type: string

Enter your license in this section so MDCB can start.

track_all_paths

EV: TYK_MDCB_TRACKALLPATHS
Type: bool

Currently, analytics for an endpoint is stored only if Track Endpoint plugin is enabled on that endpoint. If track_all_paths is enabled, it will store analytics for all the endpoints, irrespective of Track Endpoint plugin.

store_analytics_per_minute

EV: TYK_MDCB_STOREANALYTICSPERMINUTE
Type: bool

Enable to generate aggregated per minute. By default it will generate aggregate data per hour. If this option is enabled, aggregate data will be generated per minute.

ignore_tag_prefix_list

EV: TYK_MDCB_IGNORETAGPREFIXLIST
Type: []string

if set to true then it will not store analytics for tags having prefix specified in the list. Note: Prefix “key-” is added in the list by default. This tag is added by gateway for keys.

threshold_len_tag_list

EV: TYK_MDCB_THRESHOLDLENTAGLIST
Type: int

If number of tags in a document grows beyond threshold_len_tag_list, pump will throw a warning, it works for mongo aggregate pump. The warning will print top 5 common tag prefix. Default value is 1000. To disable alerts set it to -1.

omit_analytics_index_creation

EV: TYK_MDCB_OMITANALYTICSINDEXCREATION
Type: bool

Set to true to disable the Mongo storages default index creation. More detailed behaviour explained at https://tyk.io/docs/tyk-pump/tyk-pump-configuration/tyk-pump-dashboard-config/#omitting-indexes.

enable_separate_analytics_store

EV: TYK_MDCB_ENABLESEPERATEANALYTICSSTORE
Type: bool

Set it to true if you are using a separated analytic storage in the master gateway. If forward_analytics_to_pump is true, it will forward the analytics to the separated storage specified in analytics_storage.

analytics_storage

This section describes your separated analytic Redis DB. It has the same fields as storage. It requires enable_separate_analytics_store set to true.

analytics_storage.type

EV: TYK_MDCB_ANALYTICSSTORAGE_TYPE
Type: string

Currently, the only storage type supported is Redis.

analytics_storage.host

EV: TYK_MDCB_ANALYTICSSTORAGE_HOST
Type: string

Hostname of your Redis server

analytics_storage.port

EV: TYK_MDCB_ANALYTICSSTORAGE_PORT
Type: int

The port the Redis server is listening on.

analytics_storage.master_name

EV: TYK_MDCB_ANALYTICSSTORAGE_MASTERNAME
Type: string

It defines the sentinel master name

analytics_storage.sentinel_password

EV: TYK_MDCB_ANALYTICSSTORAGE_SENTINELPASSWORD
Type: string

If set, redis sentinel will authenticate using this password.

analytics_storage.username

EV: TYK_MDCB_ANALYTICSSTORAGE_USERNAME
Type: string

If set, a redis connection will be established with this user. If not set then it will defaults to the default redis user

analytics_storage.password

EV: TYK_MDCB_ANALYTICSSTORAGE_PASSWORD
Type: string

Optional auth password for Redis db

analytics_storage.database

EV: TYK_MDCB_ANALYTICSSTORAGE_DATABASE
Type: int

By default, the database is 0. Setting the database is not supported with redis cluster. As such, if you have storage.redis_cluster:true, then this value should be omitted or explicitly set to 0.

analytics_storage.optimisation_max_idle

EV: TYK_MDCB_ANALYTICSSTORAGE_MAXIDLE
Type: int

MDCB will open a pool of connections to Redis. This setting will configure how many connections are maintained in the pool when idle (no traffic). Set the max_idle value to something large, we usually leave it at around 2000 for HA deployments.

analytics_storage.optimisation_max_active

EV: TYK_MDCB_ANALYTICSSTORAGE_MAXACTIVE
Type: int

In order to not over commit connections to the Redis server, we may limit the total number of active connections to Redis. We recommend for production use to set this to around 4000.

analytics_storage.enable_cluster

EV: TYK_MDCB_ANALYTICSSTORAGE_ENABLECLUSTER
Type: bool

If you are using Redis cluster, enable it here to enable the slots mode.

analytics_storage.hosts

EV: TYK_MDCB_ANALYTICSSTORAGE_HOSTS
Type: map[string]string

Add your Redis hosts here as a map of hostname:port. This field is required when storage.enable_cluster is set to true. example:
{
"server1": "6379",
"server2": "6380",
"server3": "6381"
}

analytics_storage.addrs

EV: TYK_MDCB_ANALYTICSSTORAGE_ADDRS
Type: []string

It can be either a single address or a seed list of host:port addresses of cluster/sentinel nodes. It overrides the value of hosts.

analytics_storage.redis_use_ssl

EV: TYK_MDCB_ANALYTICSSTORAGE_REDISUSESSL
Type: bool

If set, MDCB will assume the connection to Redis is encrypted. (use with Redis providers that support in-transit encryption)

analytics_storage.redis_ssl_insecure_skip_verify

EV: TYK_MDCB_ANALYTICSSTORAGE_REDISSSLINSECURESKIPVERIFY
Type: bool

Allows usage of self-signed certificates when connecting to an encrypted Redis database.

log_level

EV: TYK_MDCB_LOGLEVEL
Type: string

You can now set a logging level (log_level). The following levels can be set: debug, info, warn, error. If not set or left empty, it will default to info.

enable_key_logging

EV: TYK_MDCB_ENABLEKEYLOGGING
Type: bool

EnableKeyLogging prints the unhashed keys without obfuscating them in the logs

sync_worker_config

Configuration of the MDCB Synchroniser functionality introduced in MDCB v2.0.0

sync_worker_config.enabled

EV: TYK_MDCB_SYNCWORKER_ENABLED
Type: bool

Enable the MDCB Synchroniser

sync_worker_config.hash_keys

EV: TYK_MDCB_SYNCWORKER_HASHKEYS
Type: bool

Allows the worker to synchronize hashed API keys. Set this to true if hash_keys is true in dashboard and gateway configuration.

sync_worker_config.max_batch_size

EV: TYK_MDCB_SYNCWORKER_MAXBATCHSIZE
Type: int

The maximum number of keys that we can fetch per batch. Default value: 1000 keys per batch.

sync_worker_config.time_between_batches

EV: TYK_MDCB_SYNCWORKER_TIMEBETWEENBATCHES
Type: int

Specifies a cooldown time between batches in seconds. 0 / disabled by default.

sync_worker_config.max_workers

EV: TYK_MDCB_SYNCWORKER_MAXWORKERS
Type: int

Specifies the maximum number of Groups (worker GW clusters) that can be synchronised by MDCB at the same time. Increasing this value can affect the operation of MDCB so it is recommended that you only modify this value if you need to synchronise a higher number of datacenters. Default value: 1000.

sync_worker_config.warmup_time

EV: TYK_MDCB_SYNCWORKER_WARMUPTIME
Type: int

Specifies the time (in seconds) that MDCB should wait before starting to synchronise workers with the controller. This is to allow the worker nodes to load APIs and policies from local Redis before synchronising the other resources. Default value: 2 seconds.

sync_worker_config.group_key_ttl

EV: TYK_MDCB_SYNCWORKER_GROUPKEYTTL
Type: int

Specifies the group key TTL in seconds. This key is used to prevent a group of gateways from re-syncing when is not required. On login (GroupLogin call), if the key doesn’t exist then the sync process is triggered. If the key exists then the TTL just gets renewed. In case the cluster of gateways is down, the key will expire and get removed and if they connect again a sync process will be triggered. Default value: 180 seconds. Min value: 30 seconds.

enable_ownership

EV: TYK_MDCB_ENABLEOWNERSHIP
Type: bool

Enables API Ownership in MDCB. It allows the gateways in the data plane cluster to load only APIs that are accessible by the user and user group associated with the slave_options.api_key that is used to connect to MDCB (defined in tyk.config of the gateway). This will be enforced if enable_ownership is also enabled in the Dashboard and your API definition has been associated with a user or user_group Defaults to false.