sectionName {
attributeName: attributeValue
attributeName: attributeValue
...
}
Provides the initial configuration when qdrouterd(8) starts. The configuration of a running router can be modified using qdmanage(8).
The configuration file is made up of sections with this syntax:
sectionName {
attributeName: attributeValue
attributeName: attributeValue
...
}
For example you can define a router using the router section
router {
mode: standalone
id: Router.A
...
}
or define a listener using the listener section
listener {
host: 0.0.0.0
port: 20102
saslMechanisms: ANONYMOUS
...
}
or define a connector using the connector section
connector {
role: inter-router
host: 0.0.0.0
port: 20003
saslMechanisms: ANONYMOUS
...
}
An sslProfile section with SSL credentials can be included in multiple listener or connector entities. Here’s an example, note how the sslProfile attribute of listener sections references the name attribute of sslProfile sections.
sslProfile {
name: my-ssl
caCertFile: ca-certificate-1.pem
certFile: server-certificate-1.pem
privateKeyFile: server-private-key.pem
}
listener {
sslProfile: my-ssl
host: 0.0.0.0
port: 20102
saslMechanisms: ANONYMOUS
}
Tracks peer routers and computes routes to destinations. This entity is mandatory. The router will not start without this entity.
Router’s unique identity. This field may not contain whitespace or control characters. If not specified, a random identity will be assigned at startup.
In standalone mode, the router operates as a single component. It does not participate in the routing protocol and therefore will not cooperate with other routers. In interior mode, the router operates in cooperation with other interior routers in an interconnected network. In edge mode, the router can make a connection to an interior router and join a network without causing that network to recompute paths.
Interval in seconds between HELLO messages sent to neighbor routers.
Time in seconds after which a neighbor is declared lost if no HELLO is received.
Interval in seconds between Router-Advertisements sent to all routers in a stable network.
Interval in seconds between Router-Advertisements sent to all routers during topology fluctuations.
Time in seconds after which link state is declared stale if no RA is received.
The number of threads that will be created to process message traffic and other application work (timers, non-amqp file descriptors, etc.) .
The absolute path to the location for the debug dump file. The router writes debug-level information to this file if the logger is not available.
Absolute path to the SASL configuration file.
Name of the SASL configuration. This string + .conf is the name of the configuration file.
Whether links can be routed where timeout is non-zero or expiry-policy is not link-detach
Use UTC time rather than localtime in logs.
Format string to use for timestamps in logs.
(DEPRECATED) If true, allow senders to send unsettled deliveries to multicast addresses. These deliveries shall be settled by the ingress router. If false, unsettled deliveries to multicast addresses shall be rejected.
Default forwarding treatment for any address without a specified treatment. multicast - one copy of each message delivered to all subscribers; closest - messages delivered to only the closest subscriber; balanced - messages delivered to one subscriber with load balanced across subscribers; unavailable - this address is unavailable, messages sent and link attaches to the address will be rejected.
Optional metadata text to describe or label this router. This text does not affect the function of the router, but it can be used by external tools (such as the console or orchestration software) to control how the router is displayed.
(DEPRECATED) Interval in seconds between HELLO messages sent to neighbor routers. This attribute has been deprecated. Use helloIntervalSeconds instead.
(DEPRECATED) Time in seconds after which a neighbor is declared lost if no HELLO is received. This attribute has been deprecated. Use helloMaxAgeSeconds instead.
(DEPRECATED) Interval in seconds between Router-Advertisements sent to all routers in a stable network. This attribute has been deprecated. Use raIntervalSeconds instead.
(DEPRECATED) Interval in seconds between Router-Advertisements sent to all routers during topology fluctuations. This attribute has been deprecated. Use raIntervalFluxSeconds instead.
(DEPRECATED) Time in seconds after which link state is declared stale if no RA is received. This attribute has been deprecated. Use remoteLsMaxAgeSeconds instead.
(DEPRECATED) The absolute path to the location for the debug dump file. The router writes debug-level information to this file if the logger is not available. This attribute has been deprecated. Use debugDumpFile instead.
(DEPRECATED) Absolute path to the SASL configuration file. This attribute has been deprecated. Use saslConfigDir instead.
Attributes for setting TLS/SSL configuration for connections.
Specifies the enabled ciphers so the SSL Ciphers can be hardened. In other words, use this field to disable weak ciphers. The ciphers are specified in the format understood by the OpenSSL library. For example, ciphers can be set to ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; — The full list of allowed ciphers can be viewed using the openssl ciphers command
The TLS protocols that this sslProfile can use. You can specify a list of one or more of TLSv1, TLSv1.1, or TLSv1.2. To specify multiple protocols, separate the protocols with a space. For example, to permit the sslProfile to use TLS v1.1 and TLS v1.2 only, you would set the value to TLSv1.1 TLSv1.2. If you do not specify a value, the sslProfile uses the TLS protocol specified by the system-wide configuration.
The absolute path to the database that contains the public certificates of trusted certificate authorities (CA).
The absolute path to the file containing the PEM-formatted public certificate to be used on the local end of any connections using this profile.
The absolute path to the file containing the PEM-formatted private key for the above certificate.
(DEPRECATED) If the above private key is password protected, this is the absolute path to the file containing the password that unlocks the certificate key. This file should be permission protected to limit access. This has been deprecated. Use the file: prefix in the password field to specify the absolute path of the file containing the password. If both password and passwordFile are provided, the passwordFile is ignored
The password that unlocks the certificate key. You can specify the password by specifying an environment variable that stores the password, a file that stores the password, or by entering the password in clear text. To use an environment variable, specify password: env:<var>. Use this option with caution, because the environment of other processes is visible on certain platforms (for example, ps on certain Unix OSs). To use a file, specify password: file:<absolute-path-to-file>. This option is the most secure, because permissions can be set on the file that contains the password. To specify the password in clear text, specify password: pass:<password>, or password: literal:<password>, or password: <password>. This option is insecure, so it should only be used if security is not a concern. If both password and passwordFile are provided, the passwordFile is ignored.
A list of x509 client certificate fields that will be used to build a string that will uniquely identify the client certificate owner. For e.g. a value of cou indicates that the uid will consist of c - common name concatenated with o - organization-company name concatenated with u - organization unit; or a value of o2 indicates that the uid will consist of o (organization name) concatenated with 2 (the sha256 fingerprint of the entire certificate) . Allowed values can be any combination of c( ISO3166 two character country code), s(state or province), l(Locality; generally - city), o(Organization - Company Name), u(Organization Unit - typically certificate type or brand), n(CommonName - typically a user name for client certificates) and 1(sha1 certificate fingerprint, as displayed in the fingerprints section when looking at a certificate with say a web browser is the hash of the entire certificate) and 2 (sha256 certificate fingerprint) and 5 (sha512 certificate fingerprint). The user identifier (uid) that is generated based on the uidFormat is a string which has a semi-colon as a separator between the components
The absolute path to the file containing the unique id to display name mapping
(DEPRECATED) The absolute path to the database that contains the public certificates of trusted certificate authorities (CA). This attribute has been deprecated. Use caCertFile instead.
(DEPRECATED) The absolute path to the file containing the PEM-formatted private key for the above certificate. This attribute has been deprecated. Use privateKeyFile instead.
(DEPRECATED) The absolute path to the file containing the unique id to display name mapping This attribute has been deprecated. Use uidNameMappingFile instead.
EXPERIMENTAL. Attributes for setting SASL plugin.
(DEPRECATED) Address of a service to delegate authentication to. This attribute has been deprecated. Use the host and port attributes instead.
A host name, IPV4 or IPV6 literal, of the service to delegate to.
Port number of the service delegated host.
Value to set for hostname field on sasl-init
Name of the sslProfile to use for the authentication service.
(DEPRECATED) Value to set for hostname field on sasl-init This attribute has been deprecated. Use realm instead.
(DEPRECATED) Name of the sslProfile to use for the authentication service. This attribute has been deprecated. Use sslProfile instead.
Listens for incoming connections to the router.
A host name, IPV4 or IPV6 literal, or the empty string. The empty string listens on all local addresses. A host name listens on all addresses associated with the name. An IPV6 literal address (or wildcard [::]) listens only for IPV6. An IPV4 literal address (or wildcard 0.0.0.0) listens only for IPV4.
Port number or symbolic service name. If 0, the router shall assign an ephemeral port to the listener and log the port number with a log of the form SERVER (notice) Listening on <host>:<assigned-port> (<listener-name>)
[IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.
The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. route-container role can be used for router-container connections, for example, a router-broker connection. In the edge role, the connection is assumed to be between an edge router and an interior router.
For the inter-router role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress.
Name of the sslProfile.
Space separated list of accepted SASL authentication mechanisms.
yes: Require the peer’s identity to be authenticated; no: Do not require any authentication.
EXPERIMENTAL. Name of the a sasl plugin configuration section to use for this listener (e.g. authServicePlugin).
yes: Require the connection to the peer to be encrypted; no: Permit non-encrypted communication with the peer
yes: Require the use of SSL or TLS on the connection; no: Allow clients to connect without SSL or TLS.
(DEPRECATED) Use sslProfile caCertFile instead.
The maximum frame size in octets that will be used in the connection-open negotiation with a connected peer. The frame size is the largest contiguous set of uninterrupted data that can be sent for a message delivery over the connection. Interleaving of messages on different links is done at frame granularity. Policy settings, if specified, will overwrite this value. Defaults to 16384.
The maximum number of sessions that can be simultaneously active on the connection. Setting this value to zero selects the default number of sessions. Policy settings, if specified, will overwrite this value. Defaults to 32768.
Session incoming window measured in transfer frames for sessions created on this connection. This is the number of transfer frames that may simultaneously be in flight for all links in the session. Setting this value to zero selects the default session window size. Policy settings, if specified, will overwrite this value. The numerical product of maxFrameSize and maxSessionFrames may not exceed 231-1. If (maxFrameSize x maxSessionFrames) exceeds 231-1 then maxSessionFrames is reduced to (2^31-1 / maxFrameSize). maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited window).
The idle timeout, in seconds, for connections through this listener. If no frames are received on the connection for this time interval, the connection shall be closed.
The timeout, in seconds, for the initial handshake for connections coming in through listeners. If the time interval expires before the peer sends the AMQP OPEN frame, the connection shall be closed. A value of zero (the default) disables this timeout.
[in, out, both, no] in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no - do not strip dispatch router specific annotations
The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link.
If true, apply multi-tenancy to endpoints connected at this listener. The address space is defined by the virtual host (hostname field in the Open).
A comma-separated list of failover urls to be supplied to connected clients. Form: [(amqp|amqps|ws|wss)://]host_or_ip[:port]
Provide a simple HTTP based liveness test (using path /healthz). Assumes listener is enabled for http.
Export metrics in prometheus text format for the router (using path /metrics). Assumes listener is enabled for http.
For an http enabled listener, determines whether websockets access is enabled (true by default).
Accept HTTP connections that can upgrade to AMQP over WebSocket. Plain AMQP connections are not accepted on this listener.
Absolute path to a directory from which to serve static HTML files. Defaults to the stand-alone console installation directory (typically /usr/share/qpid-dispatch/console).
A comma separated list that indicates which components of the message should be logged. Defaults to none (log nothing). If you want all properties and application properties of the message logged use all. Specific components of the message can be logged by indicating the components via a comma separated list. The components are message-id, user-id, to, subject, reply-to, correlation-id, content-type, content-encoding, absolute-expiry-time, creation-time, group-id, group-sequence, reply-to-group-id, app-properties. The application-data part of the bare message will not be logged. No spaces are allowed
A listener may optionally define a virtual host to index to a specific policy to restrict the remote container to access only specific resources. This attribute defines the name of the policy vhost for this listener. If multi-tenancy is enabled for the listener, this vhost will override the peer-supplied vhost for the purposes of identifying the desired policy settings for the connections.
A JSON map containing connection properties. These will be sent to the peer on connection open. All map keys are restricted to strings containing only valid ASCII characters, Keys must not start with prefixes qd. or x-opt-qd.. The following key values are also reserved: product, version, failover-server-list, network-host, port, scheme hostname
(DEPRECATED) [IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address. This attribute has been deprecated. Use socketAddressFamily instead.
(DEPRECATED) (DEPRECATED) Use sslProfile caCertFile instead. This attribute has been deprecated. Use trustedCertsFile instead.
(DEPRECATED) A comma-separated list of failover urls to be supplied to connected clients. Form: [(amqp|amqps|ws|wss)://]host_or_ip[:port] This attribute has been deprecated. Use failoverUrls instead.
(DEPRECATED) Absolute path to a directory from which to serve static HTML files. Defaults to the stand-alone console installation directory (typically /usr/share/qpid-dispatch/console). This attribute has been deprecated. Use httpRootDir instead.
(DEPRECATED) A comma separated list that indicates which components of the message should be logged. Defaults to none (log nothing). If you want all properties and application properties of the message logged use all. Specific components of the message can be logged by indicating the components via a comma separated list. The components are message-id, user-id, to, subject, reply-to, correlation-id, content-type, content-encoding, absolute-expiry-time, creation-time, group-id, group-sequence, reply-to-group-id, app-properties. The application-data part of the bare message will not be logged. No spaces are allowed This attribute has been deprecated. Use messageLoggingComponents instead.
Establishes an outgoing connection from the router.
IP address: ipv4 or ipv6 literal or a host name
Port number or symbolic service name.
[IPv4, IPv6] IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.
The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. route-container role can be used for router-container connections, for example, a router-broker connection. In the edge role, the connection is assumed to be between and edge router and an interior router.
For the inter-router role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress.
Name of the sslProfile.
Space separated list of accepted SASL authentication mechanisms.
Allow the peer to redirect this connection to another address.
The maximum frame size in octets that will be used in the connection-open negotiation with a connected peer. The frame size is the largest contiguous set of uninterrupted data that can be sent for a message delivery over the connection. Interleaving of messages on different links is done at frame granularity. Policy settings will not overwrite this value. Defaults to 16384.
The maximum number of sessions that can be simultaneously active on the connection. Setting this value to zero selects the default number of sessions. Policy settings will not overwrite this value. Defaults to 32768.
Session incoming window measured in transfer frames for sessions created on this connection. This is the number of transfer frames that may simultaneously be in flight for all links in the session. Setting this value to zero selects the default session window size. Policy settings will not overwrite this value. The numerical product of maxFrameSize and maxSessionFrames may not exceed 231-1. If (maxFrameSize x maxSessionFrames) exceeds 231-1 then maxSessionFrames is reduced to (2^31-1 / maxFrameSize). maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited window).
The idle timeout, in seconds, for connections through this connector. If no frames are received on the connection for this time interval, the connection shall be closed.
[in, out, both, no] in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no - do not strip dispatch router specific annotations
The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link.
yes: Ensures that when initiating a connection (as a client) the host name in the URL to which this connector connects to matches the host name in the digital certificate that the peer sends back as part of the SSL connection; no: Does not perform host name verification
The user name that the connector is using to connect to a peer.
The password that the connector is using to connect to a peer. You can specify the password by specifying an environment variable that stores the password, a file that stores the password, or by entering the password in clear text. To use an environment variable, specify saslPassword: env:<var>. Use this option with caution, because the environment of other processes is visible on certain platforms (for example, ps on certain Unix OSs). To use a file, specify saslPassword: file:<absolute-path-to-file>. This option is the most secure, because permissions can be set on the file that contains the password. To specify the password in clear text, specify saslPassword: pass:<password> or saslPassword: <password>. This option is insecure, so it should only be used if security is not a concern.
A comma separated list that indicates which components of the message should be logged (no spaces allowed between list components). Defaults to none (log nothing). If you want all properties and application properties of the message logged use all. Specific components of the message can be logged by indicating the components via a comma separated list. The components are message-id, user-id, to, subject, reply-to, correlation-id, content-type, content-encoding, absolute-expiry-time, creation-time, group-id, group-sequence, reply-to-group-id, app-properties. The application-data part of the bare message will not be logged. This log message is written to the MESSAGE logging module. In the log entity, set module property to MESSAGE or DEFAULT and enable to trace+ to see this log message
A connector may optionally define a policy to restrict the remote container to access only specific resources. This attribute defines the name of the policy vhost for this connector. Within the vhost the connector will use the vhost policy settings from user group $connector. If the vhost policy is absent or if the user group $connector within that policy is absent then the connector will fail to start. In policy specified via connector attribute policyVhost the following vhostUserGroupSettings attributes are unused: users, remoteHosts, maxFrameSize, maxSessionWindow, maxSessions.
A JSON map containing connection properties. These will be sent to the peer on connection open. All map keys are restricted to strings containing only valid ASCII characters, Keys must not start with prefixes qd. or x-opt-qd.. The following key values are also reserved: product, version, failover-server-list, network-host, port, scheme hostname
(DEPRECATED) yes: Ensures that when initiating a connection (as a client) the host name in the URL to which this connector connects to matches the host name in the digital certificate that the peer sends back as part of the SSL connection; no: Does not perform host name verification This attribute has been deprecated. Use verifyHostname instead.
(DEPRECATED) A comma separated list that indicates which components of the message should be logged (no spaces allowed between list components). Defaults to none (log nothing). If you want all properties and application properties of the message logged use all. Specific components of the message can be logged by indicating the components via a comma separated list. The components are message-id, user-id, to, subject, reply-to, correlation-id, content-type, content-encoding, absolute-expiry-time, creation-time, group-id, group-sequence, reply-to-group-id, app-properties. The application-data part of the bare message will not be logged. This log message is written to the MESSAGE logging module. In the log entity, set module property to MESSAGE or DEFAULT and enable to trace+ to see this log message This attribute has been deprecated. Use messageLoggingComponents instead.
Configure logging for a particular module. You can use the UPDATE
operation to change log settings while the router is running.
Module to configure. The special module DEFAULT specifies defaults for all modules.
Levels are: trace, debug, info, notice, warning, error, critical. The enable string is a comma-separated list of levels. A level may have a trailing + to enable that level and above. For example trace,debug,warning+ means enable trace, debug, warning, error and critical. The value none means disable logging for the module.
Include timestamp in log messages.
Include source file and line number in log messages.
Where to send log messages. Can be stderr, stdout, syslog or a file name.
(DEPRECATED) Include timestamp in log messages. This attribute has been deprecated. Use includeTimestamp instead.
(DEPRECATED) Include source file and line number in log messages. This attribute has been deprecated. Use includeSource instead.
(DEPRECATED) Where to send log messages. Can be stderr, stdout, syslog or a file name. This attribute has been deprecated. Use outputFile instead.
Entity type for address configuration. This is used to configure the treatment of message-routed deliveries within a particular address-space. The configuration controls distribution and address phasing.
The address prefix for the configured settings. Cannot be used with a pattern attribute.
A wildcarded pattern for address matching. Incoming addresses are matched against this pattern. Matching addresses use the configured settings. The pattern consists of one or more tokens separated by a forward slash /. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #. The * token matches any single token. The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. Cannot be used with a prefix attribute.
Treatment of traffic associated with the address
Designates this address space as being used for waypoints. This will cause the proper address-phasing to be used.
Advanced - Override the ingress phase for this address
Advanced - Override the egress phase for this address
All messages sent to this address which lack an intrinsic priority will be assigned this priority.
If false, undeliverable messages are released. If true, undeliverable messages shall be re-delivered to a fallback destination. The fallback destination uses the same address, but is attached using an autoLink with fallback enabled or a link with the qd.fallback capability.
Entity type for link-route configuration. This is used to identify remote containers that shall be destinations for routed link-attaches. The link-routing configuration applies to an addressing space defined by a prefix or a pattern.
The address prefix for the configured settings. Cannot be used with the pattern attribute.
A wildcarded pattern for address matching. Link addresses are matched against this pattern. Matching addresses use the configured settings. The pattern consists of one or more tokens separated by a forward slash /. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #. The * token matches any single token. The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. Cannot be used with the prefix attribute.
add the specified prefix to the address of the remote terminus on the route container link
remove the specified prefix to the address of the remote terminus on the route container link
ContainerID for the target container. Only one of containerId or connection should be specified for a linkRoute. Specifying both will result in the linkRoute not being created.
The name from a connector or listener. Only one of containerId or connection should be specified for a linkRoute. Specifying both will result in the linkRoute not being created.
Treatment of traffic associated with the address
The permitted direction of links: in means client senders; out means client receivers
(DEPRECATED) The permitted direction of links: in means client senders; out means client receivers This attribute has been deprecated. Use direction instead.
Entity type for configuring auto-links. Auto-links are links whose lifecycle is managed by the router. These are typically used to attach to waypoints on remote containers (brokers, etc.).
The address of the provisioned object
The direction of the link to be created. In means into the router, out means out of the router.
The address phase for this link. Defaults to 0 for out links and 1 for in links.
ContainerID for the target container. Only one of containerId or connection should be specified for an autoLink. Specifying both will result in the autoLink not being created
The name from a connector or listener. Only one of containerId or connection should be specified for an autoLink. Specifying both will result in the autoLink not being created
If present, an alternate address of the node on the remote container. This is used if the node has a different address than the address used internally by the router to route deliveries.
If true, this auto-link is attached to a fallback destination for an address.
(DEPRECATED) The address of the provisioned object This attribute has been deprecated. Use address instead.
(DEPRECATED) The direction of the link to be created. In means into the router, out means out of the router. This attribute has been deprecated. Use direction instead.
(DEPRECATED) If present, an alternate address of the node on the remote container. This is used if the node has a different address than the address used internally by the router to route deliveries. This attribute has been deprecated. Use externalAddress instead.
[EXPERIMENTAL] Defines a topic exchange.
The address of the exchange. Used by the message publisher as the target for sending messages.
The address phase for the exchange. Defaults to 0.
The address to forward the message to if no bindings are matched.
The address phase for the alternateAddress. Defaults to 0.
Key matching algorithm used. amqp uses the legacy AMQP topic exchange wildcard match method as described in the pre-1.0 drafts. mqtt uses the MQTT topic filter wildcard match method.
[EXPERIMENTAL] Defines a keyed next hop binding for a topic exchange. The subject field of the messages arriving at the exchange is compared against the binding’s key value using the exchange’s matchMethod. If the subject matches the key the message is forwarded to the nextHopAddress. The nextHopAddress overrides the message’s original destination.
The name of the exchange to bind.
Pattern to compare against incoming message’s subject. The key is a string of zero or more tokens and wildcards. The format depends on the matchMethod configured for the exchange. For AMQP each token is delimited by the . character and wild-card tokens * matches a single token and matches zero or more tokens. For MQTT each token is delimited by the / character and wildcard tokens + matches a single token and matches zero or more tokens at the end of the topic. If a key is not provided the binding will match all messages arriving at the exchange (fanout behavior).
The address to forward the message to when the message’s topic string matches the binding key pattern. This address is used by message consumers as the source of incoming messages.
The address phase used when forwarding messages that match this binding.
(DEPRECATED) Start a websocket/tcp proxy and http file server to serve the web console
The name of the listener to send the proxied tcp traffic to.
port on which to listen for websocket traffic
The full path to the proxy program to run.
The full path to the html/css/js files for the console.
Optional args to pass the proxy program for logging, authentication, etc.
Defines global connection limit
The maximum number of concurrent client connections allowed for this router. This limit is always enforced, even if no other policy settings have been defined. The limit is applied to all incoming connections regardless of remote host, authenticated user, or targeted vhost.
The maximum size in bytes of AMQP message transfers allowed for this router as messages enter the router network. This limit is applied to transfers over user connections and to transfers to interior routers from edge routers. This limit is not applied to interior-to-interior router connections. This limit may be overridden by vhost or by vhost user group settings. A value of zero disables this limit. Administrators are advised not set interior router maximum message sizes so low that edge router management requests or responses are blocked. Administrators are also advised to set edge router maximum message sizes lower than the attached interior router maximum message size.
Enables the router to enforce the connection denials and resource limits defined in the configured vhost policies.
Enable vhost name patterns. When false vhost hostnames are treated as literal strings. When true vhost hostnames are treated as match patterns.
The absolute path to a directory that holds vhost policy definition files in JSON format (*.json). The router processes all of the vhost policies in each JSON file that is in this directory.
The name of the default vhost policy. This policy rule set is applied to a connection for which a vhost policy has not otherwise been configured. Processing for the default vhost is enabled by default and set to select vhost $default. To disable default vhost processing set defaultVhost to blank or do not define a vhost named $default.
AMQP virtual host policy definition of users, user groups, allowed remote hosts, and AMQP restrictions.
The hostname of the vhost. This vhost policy will be applied to any client connection that is directed to this hostname.
Alternate hostnames that share this vhost configuration. Hosts named in this attribute are treated as if this vhost was defined with the alias name in the vhost hostname attribute. This attribute is implemented to help with multitenant configurations where multiple vhosts share a common configuration. The string is a comma- or space-separated list of literal hostnames or hostname patterns. A vhost aliases hostname must be unique across all vhost hostnames and all of their aliases.
The global maximum number of concurrent client connections allowed for this vhost.
The maximum number of concurrent client connections allowed for any user.
The maximum number of concurrent client connections allowed for any remote host (the host from which the client is connecting).
Whether unknown users (users who are not members of a defined user group) are allowed to connect to the vhost. Unknown users are assigned to the $default user group and receive $default settings.
A map where the key is a vhost user group name and the value is a vhostUserGroupSettings object that holds the settings for that vhost user group.
(DEPRECATED) The hostname of the vhost. This vhost policy will be applied to any client connection that is directed to this hostname. This attribute has been deprecated. Use hostname instead.
Policy settings for users connecting to a vhost. Configuration files including this section must use .json format.
The largest frame, in bytes, that may be sent on this connection. Non-zero policy values overwrite values specified for a listener object (AMQP Open, max-frame-size).
The incoming capacity for new AMQP sessions, measured in octets. Non-zero policy values overwrite values specified for a listener object (AMQP Begin, incoming-window).
The maximum number of sessions that may be created on this connection. Non-zero policy values overwrite values specified for a listener object (AMQP Open, channel-max).
The maximum number of sending links that may be created on this connection. A value of 0 disables all sender links.
The maximum number of receiving links that may be created on this connection. A value of 0 disables all receiver links.
Whether this connection is allowed to create dynamic receiving links (links to resources that do not exist on the peer). A value of true means that users are able to automatically create resources on the peer system.
Whether this connection is allowed to create sending links if the sender does not provide a target address. By prohibiting anonymous senders, the router only needs to verify once, when the link is created, that the sender is permitted to send messages to the target address. The router does not need to verify each message that is sent on the link. A value of true means that users may send messages to any address. Allowing anonymous senders can also decrease performance: if the sender does not specify a target address, then the router must parse each message to determine how to route it.
Whether this connection is allowed to send messages with a user ID that is different than the connection’s authenticated user name.
Whether this connection is allowed to claim waypoint.N capability for attached links. This allows endpoints to act as waypoints without needing auto-links.
Whether this connection is allowed to dynamically create connection-scoped link route destinations.
Whether this connection is allowed to update the admin status of other connections. Note: Inter-router connections cannot be deleted at any time.
Whether this connection is allowed to claim qd.fallback capability for attached links. This allows endpoints to act as fallback destinations for addresses that have fallback capability enabled.
A list of source addresses from which users in this group may receive messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses. You can use the substitution token ${user}
to specify an address that contains a user’s authenticated user name. You can use an asterisk (*) wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name. You may specify attributes sources or sourcePattern but not both at the same time.
A list of target addresses to which users in this group may send messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to send messages to any addresses. You can use the substitution token ${user}
to specify an address that contains a user’s authenticated user name. You can use an asterisk (*) wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name. You may specify attributes targets or targetPattern but not both at the same time.
A wildcarded pattern for matching source addresses from which users in this group may receive messages. The pattern consists of one or more tokens separated by a forward slash /. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #. The * token matches any single token. The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. To specify multiple addresses, separate the addresses with either a comma or a space. You can use the text string ${user}
in a token to specify an address that contains a user’s authenticated user name. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses. You may specify attributes sources or sourcePattern but not both at the same time.
A wildcarded pattern for matching target addresses to which users in this group may send messages. The pattern consists of one or more tokens separated by a forward slash /. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #. The * token matches any single token. The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. To specify multiple addresses, separate the addresses with either a comma or a space. You can use the text string ${user}
in a token to specify an address that contains a user’s authenticated user name. If you do not specify any addresses, users in this group are not allowed to send messages to any addresses. You may specify attributes targets or targetPattern but not both at the same time.
qdrouterd(8), qdmanage(8)
Apache Qpid, Messaging built on AMQP; Copyright © 2015 The Apache Software Foundation; Licensed under the Apache License, Version 2.0; Apache Qpid, Qpid, Qpid Proton, Proton, Apache, the Apache feather logo, and the Apache Qpid project logo are trademarks of The Apache Software Foundation; All other marks mentioned may be trademarks or registered trademarks of their respective owners