Configure the Aerospike XDR Proxy service
Overviewโ
This page describes how to configure the XDR Proxy service.
Serviceโ
The service section configures Connector's listening ports, TLS and network interface.
The following options are available:
| Option | Required | Default | Description |
|---|---|---|---|
port | no | 8080 | List of ports Connector listens to. |
address | no | 0.0.0.0 | List of interface IP addresses Connector binds to. Use 0.0.0.0 for all interfaces. |
tls | Required, if port not specified. | N/A | See Configuring TLS below. |
manage | no | N/A | See Querying and Managing Metrics and Logs below. |
protocolintroduced in 2.0.0 | no | TCP | The incoming protocol for Connector. See protocol for details. |
io-threads | no | # of processors. | Number of IO threads to read, parse incoming XDR requests and to write acknowledgments to XDR |
worker-threads | no | # of processors | Number of threads that will invoke Connector to dispatch a record. |
max-concurrent-records | no | 32768 | Maximum number of XDR records to concurrently process in Connector. |
cluster-name | no | product-name | Group or cluster this connector instance belongs to. Used for grouping instances in Prometheus. |
enable-tcp-xdr-ack-bufferingintroduced in 3.2.0 | no | true | Enables buffering of XDR acks for protocol TCP. |
For several examples of the service section of the /etc/aerospike-xdr-proxy/aerospike-xdr-proxy.yml, see "Examples" at the bottom of this page.
Protocolโ
The incoming protocol for Connector. Valid values are:
| Protocol | Description |
|---|---|
TCP | Change notification source is Aerospike Database 5.0 or later. This is the default. |
HTTP_1_1 | Change notification source is Aerospike Database prior to 5.0 version. |
HTTP_2 | Change notification source is the ESP connector |
Querying and Managing Metrics and Logsโ
You can use the Management and Metrics API to query and manage the outbound server metrics and logs using a REST endpoint. These settings are for using the manage subsection of the service section to specify the endpoint and (optionally) TLS settings for securing connections.
| Option | Required | Default | Description |
|---|---|---|---|
port | no | none | The port Connector listens to. |
address | no | 0.0.0.0 | The interface IP address Connector binds to. Use 0.0.0.0 for all interfaces. |
tls | Required if port not specified. | N/A | See Configuring TLS below. |
Configuring TLSโ
In the tls option of the service section and the manage section, you can specify TLS settings for making secure connections.
Configuration options are:
| Option | Required | Default | Description |
|---|---|---|---|
port | no | HTTPS/TLS port the server listens to. | |
key-store | no | Keystore configuration containing the server-side certificate and key. See Configuring a TLS Store. | |
trust-store | no | Default java trust store. | Keystore configuration containing the trusted CA certificates. See Configuring a TLS Store. |
protocols | no | TLSv1.2 | List of allowed TLS protocols. |
ciphers | no | Default java ciphers | List of allowed ciphers. |
revoke-certificates | no | Reject TLS certificates with the serial numbers specified in this list | |
allowed-peer-names | no | List of client (aerospike server nodes) peer names for mutual authentication. If set, only those clients (aerospike server nodes) that present certificates matching the peer names will be allowed to connect. | |
mutual-auth | no | false | Should the outbound connector mutually authenticate the Aerospike server. |
Configuring a TLS storeโ
The key-store and trust-store options are for describing how TLS keystores and truststores are configured. All relative file paths are considered relative to the directory in which Configuration file is located.
See Setting Up TLS Keystores for Aerospike Connect for information about creating keystores.
| Option | Required | Default | Description |
|---|---|---|---|
store-file | yes | Store file. | |
store-password-file | yes | Read store password from this file. | |
key-password-file | no | Read key password from this file. | |
store-type | no | JKS | Keystore type. Valid values are JKS, JCEKS, PKCS12, PKCS11, DKS, Windows_MY, BKS. |
Examplesโ
Clear-text onlyโ
service:
port: 8080
address: 192.168.5.154
manage:
address: 0.0.0.0
port: 8902
TLS onlyโ
service:
tls:
port: 8443
allowed-peer-names:
- asd.aerospike.com
protocols:
- tlsv1.3
trust-store:
store-file: tls/ca.aerospike.com.truststore.jks
store-password-file: tls/storepass
key-store:
store-file: tls/connector.aerospike.com.keystore.jks
store-password-file: tls/storepass
key-password-file: tls/keypass
manage:
tls:
port: 8903
trust-store:
store-file: tls/ca.aerospike.com.truststore.jks
store-password-file: tls/storepass
key-store:
store-file: tls/connector.aerospike.com.keystore.jks
store-password-file: tls/storepass
key-password-file: tls/keypass
Clear text and TLSโ
service:
port: 8080
address: 192.168.5.154
tls:
port: 8443
allowed-peer-names:
- asd.aerospike.com
protocols:
- tlsv1.3
trust-store:
store-file: tls/ca.aerospike.com.truststore.jks
store-password-file: tls/storepass
key-store:
store-file: tls/connector.aerospike.com.keystore.jks
store-password-file: tls/storepass
key-password-file: tls/keypass
manage:
address: 0.0.0.0
port: 8902
tls:
port: 8903
trust-store:
store-file: tls/ca.aerospike.com.truststore.jks
store-password-file: tls/storepass
key-store:
store-file: tls/connector.aerospike.com.keystore.jks
store-password-file: tls/storepass
key-password-file: tls/keypass