# HOCON configuration for the service named "gateway" (see ditto.service-name below).
#
# Reading guide: most settings appear twice, as `key = <default>` followed by
# `key = ${?ENV_VAR}`. The `${?...}` form is an optional substitution: it replaces the
# default only when the environment variable is set, so the ORDER of the two lines matters.
# Keys with no `${?...}` line can only be changed by editing this file.
#
# Security-relevant settings in this file that deserve a deliberate decision per deployment:
#   - ditto.gateway.authentication.pre-authentication.enabled = true
#   - ditto.gateway.authentication.devops.secured / status-secured = false
#   - literal fallback passwords under ditto.gateway.authentication.devops
ditto {
  version = "3.8.12"

  # Maps extension points to the implementation class loaded for each.
  extensions {
    jwt-authorization-subjects-provider = {
      extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
    }
    # JWT result provider configured with role = regular.
    jwt-authentication-result-provider = {
      extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DefaultJwtAuthenticationResultProvider
      extension-config = {
        role = regular
        jwt-authorization-subjects-provider = {
          extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
          extension-config = {
            role = regular
          }
        }
      }
    }
    # Same provider classes as above, configured with role = devops.
    jwt-authentication-result-provider-devops = {
      extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DefaultJwtAuthenticationResultProvider
      extension-config = {
        role = devops
        jwt-authorization-subjects-provider = {
          extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
          extension-config = {
            role = devops
          }
        }
      }
    }
    signal-enrichment-provider {
      extension-class = org.eclipse.ditto.gateway.service.endpoints.utils.DefaultGatewaySignalEnrichmentProvider
      extension-config = {
        cache {
          enabled = true
          maximum-size = 20000
          # NOTE(review): entries live for 2m after creation; if cached data is served
          # after a policy change, that is the staleness window -- confirm against the provider.
          expire-after-create = 2m
        }
      }
    }
    http-bind-flow-provider = org.eclipse.ditto.gateway.service.endpoints.routes.LoggingHttpBindFlowProvider
    websocket-config-provider = org.eclipse.ditto.gateway.service.endpoints.routes.websocket.NoOpWebSocketConfigProvider
    gateway-authentication-directive-factory = org.eclipse.ditto.gateway.service.endpoints.directives.auth.DittoGatewayAuthenticationDirectiveFactory
    http-request-actor-props-factory = org.eclipse.ditto.gateway.service.endpoints.actors.DefaultHttpRequestActorPropsFactory
    sse-event-sniffer = org.eclipse.ditto.gateway.service.endpoints.routes.sse.NoOpSseEventSniffer
    # NOTE(review): the class name suggests that no additional authorization step is
    # applied to streaming sessions at this extension point -- confirm that is intended.
    streaming-authorization-enforcer = org.eclipse.ditto.gateway.service.streaming.NoOpAuthorizationEnforcer
    incoming-websocket-event-sniffer = org.eclipse.ditto.gateway.service.endpoints.routes.websocket.NoOpIncomingWebSocketEventSniffer
    outgoing-websocket-event-sniffer = org.eclipse.ditto.gateway.service.endpoints.routes.websocket.NoOpOutgoingWebSocketEventSniffer
    custom-api-routes-provider = org.eclipse.ditto.gateway.service.endpoints.routes.NoopCustomApiRoutesProvider
    sse-connection-supervisor = org.eclipse.ditto.gateway.service.endpoints.routes.sse.NoOpSseConnectionSupervisor
    websocket-connection-supervisor = "org.eclipse.ditto.gateway.service.endpoints.routes.websocket.NoOpWebSocketSupervisor"
    connections-retrieval-actor-props-factory = org.eclipse.ditto.gateway.service.endpoints.actors.DefaultConnectionsRetrievalActorPropsFactory
  }

  service-name = "gateway"

  mapping-strategy.implementation = "org.eclipse.ditto.gateway.service.util.GatewayMappingStrategies"

  gateway {
    http {
      # Bind address: empty by default; BIND_HOSTNAME wins over HOSTNAME because it is assigned last.
      hostname = ""
      hostname = ${?HOSTNAME}
      hostname = ${?BIND_HOSTNAME}
      # Listen port: PORT wins over HTTP_PORT for the same reason.
      port = 8080
      port = ${?HTTP_PORT}
      port = ${?PORT}

      coordinated-shutdown-timeout = 65s
      coordinated-shutdown-timeout = ${?COORDINATED_SHUTDOWN_REQUEST_TIMEOUT}

      schema-versions = [2]

      # NOTE(review): presumably the request headers consulted to learn the original scheme
      # behind a proxy. Such headers are client-controlled unless the fronting proxy
      # overwrites them -- confirm the proxy does.
      protocol-headers = ["X-Forwarded-Proto", "x_forwarded_proto"]

      # HTTPS is neither forced nor redirected to by default; with these defaults the
      # service accepts plain HTTP on the port above. Presumably TLS is terminated
      # upstream -- confirm for the target deployment.
      forcehttps = false
      forcehttps = ${?FORCE_HTTPS}
      redirect-to-https = false
      redirect-to-https = ${?REDIRECT_TO_HTTPS}
      # NOTE(review): judging by the key name, paths matching this pattern are exempt from
      # the HTTPS redirect; it covers /api, /ws, /status and /overall -- verify.
      redirect-to-https-blocklist-pattern = "/api.*|/ws.*|/status.*|/overall.*"

      enablecors = false
      enablecors = ${?ENABLE_CORS}

      request-timeout = 60s
      request-timeout = ${?REQUEST_TIMEOUT}

      # No default in this file: the key is only defined when the environment variable is set.
      additional-accepted-media-types = ${?ADDITIONAL_ACCEPTED_MEDIA_TYPES}

      # Query parameters that are treated as headers (per the key name). The list includes
      # behaviour-changing switches such as "allow-policy-lockout" and "dry-run", which can
      # therefore be supplied in the URL as well.
      query-params-as-headers = [
        "accept"
        "channel"
        "correlation-id"
        "requested-acks"
        "declared-acks"
        "response-required"
        "timeout"
        "live-channel-timeout-strategy"
        "allow-policy-lockout"
        "condition"
        "live-channel-condition"
        "at-historical-revision"
        "at-historical-timestamp"
        "dry-run"
      ]
    }

    streaming {
      session-counter-scrape-interval = 30s
      parallelism = 64
      parallelism = ${?GATEWAY_STREAMING_PARALLELISM}
      search-idle-timeout = 60s
      search-idle-timeout = ${?GATEWAY_STREAMING_SEARCH_IDLE_TIMEOUT}
      subscription-refresh-delay = 5m
      subscription-refresh-delay = ${?GATEWAY_STREAMING_SUBSCRIPTION_REFRESH_DELAY}

      acknowledgement {
        forwarder-fallback-timeout = 65s
      }

      websocket {
        subscriber {
          backpressure-queue-size = 100
        }
        publisher {
          backpressure-buffer-size = 200
        }
        throttling-rejection-factor = 1.25
        # Throttling is switched off and has no environment override in this file.
        # NOTE(review): confirm that rate limiting is provided elsewhere (e.g. by the
        # fronting proxy) if this endpoint is reachable by untrusted clients.
        throttling {
          enabled = false
        }
        streaming-authorization-enforcer = "org.eclipse.ditto.gateway.service.streaming.NoOpAuthorizationEnforcer"
      }

      sse {
        # Same as for websocket: throttling off, no environment override here.
        throttling {
          enabled = false
        }
        streaming-authorization-enforcer = "org.eclipse.ditto.gateway.service.streaming.NoOpAuthorizationEnforcer"
      }
    }

    command {
      # Follows the HTTP request timeout configured above.
      default-timeout = ${ditto.gateway.http.request-timeout}
      max-timeout = 1m
      smart-channel-buffer = 10s
      connections-retrieve-limit = 100
    }

    message {
      default-timeout = 10s
      max-timeout = 1m
    }

    claim-message {
      default-timeout = 1m
      max-timeout = 10m
    }

    dns {
      address = none
      address = ${?DNS_SERVER}
    }

    authentication {
      http {
        # Outbound HTTP proxy settings. Host, port and credentials have no defaults in
        # this file; they exist only when supplied through the environment.
        proxy {
          enabled = false
          enabled = ${?AUTH_HTTP_PROXY_ENABLED}
          hostname = ${?AUTH_HTTP_PROXY_HOST}
          port = ${?AUTH_HTTP_PROXY_PORT}
          username = ${?AUTH_HTTP_PROXY_USERNAME}
          password = ${?AUTH_HTTP_PROXY_PASSWORD}
        }
      }

      oauth {
        # NOTE(review): presumably the scheme used to contact the issuers listed below.
        # Overriding OAUTH_PROTOCOL to a non-TLS scheme would weaken trust in whatever is
        # fetched from them -- keep "https" outside of local testing.
        protocol = "https"
        protocol = ${?OAUTH_PROTOCOL}
        allowed-clock-skew = 10s
        allowed-clock-skew = ${?OAUTH_ALLOWED_CLOCK_SKEW}
        # Only one issuer is configured in this file.
        openid-connect-issuers = {
          google = {
            issuer = "accounts.google.com"
          }
        }
        token-integration-subject = "integration:{{policy-entry:label}}:{{jwt:aud}}"
        token-integration-subject = ${?OAUTH_TOKEN_INTEGRATION_SUBJECT}
      }

      # PRE-AUTHENTICATION = open access for /api/2/
      # Review note: enabled unconditionally (no `${?...}` override in this file). With
      # pre-authentication the gateway accepts the caller identity asserted by an upstream
      # component (Ditto documents the `x-ditto-pre-authenticated` header for this) instead
      # of authenticating the request itself. This is only sound when the gateway port is
      # reachable exclusively through a proxy that authenticates the user and strips any
      # client-supplied copy of that header. Verify network exposure before using this file
      # as-is, and prefer `enabled = false` where no such proxy exists.
      pre-authentication {
        enabled = true
      }

      devops {
        # Review note: authentication for the devops resources is switched OFF here and
        # there is no environment override for `secured` in this file.
        # NOTE(review): unless these routes are blocked at the network edge they are
        # presumably reachable without credentials -- confirm, and prefer `secured = true`.
        secured = false
        devops-authentication-method = "basic"
        # Literal fallback password committed in the file; used whenever DEVOPS_PASSWORD is
        # unset. Treat this value as public: always supply the real secret from the
        # environment or a secret store when `secured` is turned on.
        password = "ditto-devops-secret"
        password = ${?DEVOPS_PASSWORD}
        # Same pattern for the status resources: authentication off, literal fallback password.
        status-secured = false
        status-authentication-method = "basic"
        statusPassword = "ditto-status-secret"
        statusPassword = ${?STATUS_PASSWORD}
      }
    }

    health-check {
      enabled = true
      enabled = ${?HEALTH_CHECK_ENABLED}
      interval = 60s
      interval = ${?HEALTH_CHECK_INTERVAL}
      service.timeout = 10s
      service.timeout = ${?HEALTH_CHECK_SERVICE_TIMEOUT}

      # Cluster roles the health check expects to be present.
      cluster-roles = {
        enabled = true
        enabled = ${?HEALTH_CHECK_ROLES_ENABLED}
        expected = [
          "policies"
          "things"
          "search"
          "gateway"
          "connectivity"
        ]
      }
    }

    public-health {
      cache-timeout = 20s
      cache-timeout = ${?GATEWAY_STATUS_HEALTH_EXTERNAL_TIMEOUT}
    }

    cloud-events {
      empty-schema-allowed = true
      data-types = [
        "application/json"
        "application/vnd.eclipse.ditto+json"
      ]
    }

    cache {
      # NOTE(review): presumably the cache of issuer public keys used for JWT validation.
      # If so, `expiry` bounds how long a rotated or withdrawn key may still be trusted
      # (60m here) -- confirm against the key-rotation policy of the issuers.
      publickeys {
        maxentries = 32
        expiry = 60m
        # The two keys below mirror the two above via substitution.
        maximum-size = ${ditto.gateway.cache.publickeys.maxentries}
        expire-after-write = ${ditto.gateway.cache.publickeys.expiry}
      }
    }

    statistics {
      # NOTE(review): ask-timeout and update-interval are both overridden by the SAME
      # environment variable (STATISTICS_UPDATE_INTERVAL). Setting it changes both values;
      # confirm this is intended and not a copy/paste slip.
      ask-timeout = 5s
      ask-timeout = ${?STATISTICS_UPDATE_INTERVAL}
      update-interval = 15s
      update-interval = ${?STATISTICS_UPDATE_INTERVAL}
      details-expire-after = 3s
      details-expire-after = ${?STATISTICS_DETAILS_EXPIRE_AFTER}

      # Shard regions polled for statistics: region name, cluster role and root actor path.
      shards = [
        {
          region = "thing"
          role = "things"
          root = "/user/thingsRoot"
        }
        {
          region = "policy"
          role = "policies"
          root = "/user/policiesRoot"
        }
        {
          region = "search-wildcard-updater"
          role = "search"
          root = "/user/thingsWildcardSearchRoot/searchUpdaterRoot"
        }
      ]
    }
  }

  tracing {
    # Everything is included except the "GET /ws/2" operation.
    filter = {
      includes = ["**"]
      excludes = ["GET /ws/2"]
    }
  }
}

# NOTE(review): presumably the names of externally provided secrets from which the devops
# and status passwords can be read; how they interact with the literal passwords under
# ditto.gateway.authentication.devops is not visible in this file -- verify.
secrets {
  devops_password {
    name = "devops_password"
    name = ${?DEVOPS_PASSWORD_NAME}
  }
  status_password {
    name = "status_password"
    name = ${?STATUS_PASSWORD_NAME}
  }
}

# Outgoing HTTP client requests identify themselves with the Ditto version in User-Agent.
pekko.http.client {
  user-agent-header = eclipse-ditto/${ditto.version}
}

pekko {
  actor {
    default-dispatcher {
      executor = "org.eclipse.ditto.internal.utils.metrics.service.executor.InstrumentedForkJoinExecutorServiceConfigurator"
    }

    deployment {
      # Round-robin pool router for /gatewayRoot/proxy, resized between 5 and 100 routees.
      /gatewayRoot/proxy {
        router = round-robin-pool
        resizer {
          lower-bound = 5
          upper-bound = 100
          messages-per-resize = 50
        }
      }
    }
  }

  cluster {
    sharding {
      role = ${ditto.service-name}
      passivation {
        strategy = "off"
      }
    }
    roles = ["gateway"]
  }

  coordinated-shutdown {
    phases {
      # 70s here is longer than ditto.gateway.http.coordinated-shutdown-timeout (65s default).
      service-requests-done {
        timeout = 70s
      }
    }
  }

  http {
    server {
      # Empty value: the Server response header is not rendered, so the HTTP stack and
      # its version are not advertised to clients.
      server-header = ""
      request-timeout = ${ditto.gateway.http.request-timeout}
      idle-timeout = 610s
      max-connections = 4096
      raw-request-uri-header = on

      # Request size limits enforced by the HTTP layer; they bound the URI and body a
      # single request can make the server parse.
      parsing {
        max-uri-length = 8k
        max-content-length = 1m
        # NOTE(review): relaxed mode accepts URIs that strict parsing would reject; route
        # and proxy rules that match on the raw path should account for that -- confirm.
        uri-parsing-mode = relaxed
      }

      websocket {
        periodic-keep-alive-mode = ping
        periodic-keep-alive-max-idle = 30s
      }

      termination-deadline-exceeded-response {
        status = 502
      }
    }

    host-connection-pool {
      max-open-requests = 1024
      idle-timeout = 60s
    }
  }

  management.health-checks.readiness-checks {
    gateway-http-readiness = "org.eclipse.ditto.gateway.service.health.GatewayHttpReadinessCheck"
  }

  management.health-checks.liveness-checks {
    subsystem-health = "org.eclipse.ditto.internal.utils.health.SubsystemHealthCheck"
  }
}

# Dedicated thread-pool dispatcher; by its name, used for authentication work.
authentication-dispatcher {
  type = Dispatcher
  executor = "org.eclipse.ditto.internal.utils.metrics.service.executor.InstrumentedThreadPoolExecutorServiceConfigurator"
  thread-pool-executor {
    core-pool-size-min = 4
    core-pool-size-factor = 2.0
    core-pool-size-max = 8
  }
  throughput = 100
}

# Dispatcher for the signal-enrichment cache (per its name); pool sizing is left to defaults.
signal-enrichment-cache-dispatcher {
  type = Dispatcher
  executor = "org.eclipse.ditto.internal.utils.metrics.service.executor.InstrumentedThreadPoolExecutorServiceConfigurator"
}