Tyk Gateway Configuration Options
You can use environment variables to override the config file for the Tyk Gateway. The Gateway configuration file can be found in the tyk-gateway folder and by default is called tyk.conf, though it can be renamed and specified using the --conf flag. Environment variables are created from the dot-notation versions of the JSON objects contained within the config file. To understand how the environment variable notation works, see Environment Variables.
All the Gateway environment variables have the prefix TYK_GW_. Environment variables take precedence over the values in the configuration file.
tyk lint
In v2.4 we added a new tyk lint command which validates your tyk.conf file for syntax correctness, misspelled attribute names and the format of values. The syntax is:
tyk lint
or tyk --conf=path lint
If --conf is not used, the first of the following paths to exist is used:
./tyk.conf
/etc/tyk/tyk.conf
hostname
ENV: TYK_GW_HOSTNAME
Type: string
Force your Gateway to work only on a specific domain name. Can be overridden by API custom domain.
listen_address
ENV: TYK_GW_LISTENADDRESS
Type: string
If your machine has multiple network devices or IPs you can force the Gateway to use the IP address you want.
listen_port
ENV: TYK_GW_LISTENPORT
Type: int
Setting this value will change the port that Tyk listens on. Default: 8080.
control_api_hostname
ENV: TYK_GW_CONTROLAPIHOSTNAME
Type: string
Custom hostname for the Control API
control_api_port
ENV: TYK_GW_CONTROLAPIPORT
Type: int
Set to run your Gateway Control API on a separate port, and protect it behind a firewall if needed. Please make sure you follow this guide when setting the control port https://tyk.io/docs/planning-for-production/#change-your-control-port.
secret
ENV: TYK_GW_SECRET
Type: string
This should be changed as soon as Tyk is installed on your system. This value is used in every interaction with the Tyk Gateway API. It should be passed along as the X-Tyk-Authorization header in any requests made. Tyk assumes that you are sensible enough not to expose the management endpoints publicly and to keep this configuration value to yourself.
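The two facts above that matter most operationally are that TYK_GW_* variables win over the file, and that a handful of options on this page (secret, allow_insecure_configs, allow_master_keys, the various *_insecure_skip_verify toggles, enable_key_logging, disable_ports_whitelist, http_server_options.min_version) are the ones a reviewer checks first. The script below is an added example written for this page, not Tyk's own code or its lint command: it applies environment overrides for those options on top of a parsed tyk.conf and then reports risky values. The option-to-variable mapping is copied from this page; the boolean parsing rule, the longest-match tie-breaking, the "sample secret" value (taken from the tyk.conf sample shipped with the Gateway, check yours) and the input config are the editor's assumptions.

```python
import json

# (JSON dot-path, environment variable, value type). Names are copied from this
# page; the mapping is listed rather than derived because it is not purely
# mechanical (e.g. storage.optimisation_max_idle -> TYK_GW_STORAGE_MAXIDLE).
ENV_MAP = [
    ("secret", "TYK_GW_SECRET", str),
    ("allow_insecure_configs", "TYK_GW_ALLOWINSECURECONFIGS", bool),
    ("allow_master_keys", "TYK_GW_ALLOWMASTERKEYS", bool),
    ("enable_key_logging", "TYK_GW_ENABLEKEYLOGGING", bool),
    ("disable_ports_whitelist", "TYK_GW_DISABLEPORTWHITELIST", bool),
    ("http_server_options.ssl_insecure_skip_verify",
     "TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY", bool),
    ("http_server_options.min_version", "TYK_GW_HTTPSERVEROPTIONS_MINVERSION", int),
    ("proxy_ssl_insecure_skip_verify", "TYK_GW_PROXYSSLINSECURESKIPVERIFY", bool),
    ("storage.ssl_insecure_skip_verify", "TYK_GW_STORAGE_SSLINSECURESKIPVERIFY", bool),
    ("slave_options.ssl_insecure_skip_verify",
     "TYK_GW_SLAVEOPTIONS_SSLINSECURESKIPVERIFY", bool),
]

TRUE_STRINGS = {"1", "true", "t", "yes", "y"}  # assumed env boolean spellings
TLS12 = 771  # uint16 wire value of TLS 1.2, the unit min_version/max_version use


def _coerce(raw, typ):
    if typ is bool:
        return raw.strip().lower() in TRUE_STRINGS
    if typ is int:
        return int(raw)
    return raw


def _get(conf, path, default=None):
    node = conf
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def _set(conf, path, value):
    node = conf
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def effective_config(conf, env):
    """Copy of conf with TYK_GW_* values from env applied on top: the
    environment takes precedence over the file, as the page states."""
    out = json.loads(json.dumps(conf))  # deep copy, input stays untouched
    for path, var, typ in ENV_MAP:
        if var in env:
            _set(out, path, _coerce(env[var], typ))
    return out


# "Nobody changed it": empty, or the value in the sample tyk.conf shipped
# with the Gateway (an assumption; verify against your own distribution).
PLACEHOLDER_SECRETS = {"", "352d20ee67be67f6340b4c0605b044b7"}

SKIP_VERIFY_PATHS = [
    "http_server_options.ssl_insecure_skip_verify",
    "proxy_ssl_insecure_skip_verify",
    "storage.ssl_insecure_skip_verify",
    "slave_options.ssl_insecure_skip_verify",
]


def audit(conf):
    """Return (severity, option, message) for settings this page flags as risky."""
    findings = []
    if _get(conf, "secret", "") in PLACEHOLDER_SECRETS:
        findings.append(("high", "secret", "Gateway API secret unset or sample value; rotate it"))
    if _get(conf, "allow_insecure_configs") is True:
        findings.append(("high", "allow_insecure_configs", "Dashboard message signatures not verified"))
    if _get(conf, "allow_master_keys") is True:
        findings.append(("high", "allow_master_keys", "keys without access rights reach ALL APIs"))
    for path in SKIP_VERIFY_PATHS:
        if _get(conf, path) is True:
            findings.append(("high", path, "TLS certificate verification disabled"))
    if _get(conf, "enable_key_logging") is True:
        findings.append(("medium", "enable_key_logging", "key IDs written to logs"))
    if _get(conf, "disable_ports_whitelist") is True:
        findings.append(("medium", "disable_ports_whitelist", "APIs may bind to any port"))
    min_version = _get(conf, "http_server_options.min_version")
    if isinstance(min_version, int) and 0 < min_version < TLS12:
        findings.append(("medium", "http_server_options.min_version", "TLS below 1.2 accepted"))
    return findings


# Constructed sample: a file still carrying the sample secret and a debugging
# override, plus the environment an operator exported to fix both.
SAMPLE_CONF = {
    "secret": "352d20ee67be67f6340b4c0605b044b7",
    "listen_port": 8080,
    "http_server_options": {"use_ssl": True, "ssl_insecure_skip_verify": True, "min_version": 769},
}
SAMPLE_ENV = {
    "TYK_GW_SECRET": "replace-with-a-long-random-secret",
    "TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY": "false",
}

if __name__ == "__main__":
    for finding in audit(effective_config(SAMPLE_CONF, SAMPLE_ENV)):
        print(*finding)
```

Run against the sample, the file alone yields three findings; after the environment overrides only the min_version warning remains, which is the point of checking the effective configuration rather than the file on disk.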
node_secret
ENV: TYK_GW_NODESECRET
Type: string
The shared secret between the Gateway and the Dashboard to ensure that API Definition downloads, heartbeat and Policy loads are from a valid source.
pid_file_location
ENV: TYK_GW_PIDFILELOCATION
Type: string
Linux PID file location. Do not change unless you know what you are doing. Default: /var/run/tyk/tyk-gateway.pid
allow_insecure_configs
ENV: TYK_GW_ALLOWINSECURECONFIGS
Type: bool
Can be set to disable Dashboard message signature verification. When set to true, public_key_path can be ignored. Signature verification is what lets the Gateway reject a forged Dashboard message, so leave this false outside of development.
public_key_path
ENV: TYK_GW_PUBLICKEYPATH
Type: string
Used when communicating with the Dashboard. By default, all messages are signed by a private/public key pair; set the path to the public key here.
allow_remote_config
ENV: TYK_GW_ALLOWREMOTECONFIG
Type: bool
Allow your Dashboard to remotely set Gateway configuration via the Nodes screen.
security
Global Certificate configuration
security.private_certificate_encoding_secret
ENV: TYK_GW_SECURITY_PRIVATECERTIFICATEENCODINGSECRET
Type: string
Set the AES256 secret which is used to encrypt certificate private keys when they are uploaded via certificate storage.
security.control_api_use_mutual_tls
ENV: TYK_GW_SECURITY_CONTROLAPIUSEMUTUALTLS
Type: bool
Enable Gateway Control API to use Mutual TLS. Certificates can be set via the security.certificates.control_api section.
security.pinned_public_keys
ENV: TYK_GW_SECURITY_PINNEDPUBLICKEYS
Type: map[string]string
Specify public keys used for Certificate Pinning on global level.
security.certificates.upstream
ENV: TYK_GW_SECURITY_CERTIFICATES_UPSTREAM
Type: map[string]string
Specify upstream mutual TLS certificates at a global level, as a map.
security.certificates.control_api
ENV: TYK_GW_SECURITY_CERTIFICATES_CONTROLAPI
Type: []string
Certificates used for Control API Mutual TLS
security.certificates.dashboard_api
ENV: TYK_GW_SECURITY_CERTIFICATES_DASHBOARD
Type: []string
Used for communicating with the Dashboard if it is configured to use Mutual TLS
security.certificates.mdcb_api
ENV: TYK_GW_SECURITY_CERTIFICATES_MDCB
Type: []string
Certificates used for MDCB Mutual TLS
http_server_options
Gateway HTTP server configuration
http_server_options.read_timeout
ENV: TYK_GW_HTTPSERVEROPTIONS_READTIMEOUT
Type: int
API Consumer -> Gateway network read timeout. Not setting this config, or setting this to 0, defaults to 120 seconds
http_server_options.write_timeout
ENV: TYK_GW_HTTPSERVEROPTIONS_WRITETIMEOUT
Type: int
API Consumer -> Gateway network write timeout. Not setting this config, or setting this to 0, defaults to 120 seconds
http_server_options.use_ssl
ENV: TYK_GW_HTTPSERVEROPTIONS_USESSL
Type: bool
Set to true to enable SSL connections
http_server_options.enable_http2
ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEHTTP2
Type: bool
Enable HTTP2 protocol handling
http_server_options.enable_strict_routes
ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES
Type: bool
EnableStrictRoutes changes the routing to avoid nearest-neighbour requests on overlapping routes:
- if disabled, /apple will route to /app (the current default behaviour)
- if enabled, /app only responds to /app, /app/ and /app/* but not /apple
Regular expressions and parameterized routes will be left alone regardless of this setting.
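The two bullets above describe a matching rule that is easy to get wrong when APIs share a prefix. The matcher below is an added example written for this page, not Tyk's router: it models only literal listen paths with the lenient (prefix) and strict behaviours the page describes, and leaves regex and parameterized paths out because the page says they are unaffected. The longest-match tie-breaking in select_api and the sample listen paths are the editor's assumptions.

```python
def route_matches(listen_path, request_path, strict):
    """Does a request path fall under a literal listen path?

    strict=False: nearest-neighbour prefix match, the pre-existing default,
    so "/apple" lands on the API listening on "/app".
    strict=True: "/app" accepts "/app", "/app/" and "/app/<rest>" only.
    """
    lp = listen_path.rstrip("/") or "/"
    if lp == "/":
        return True  # a root listen path catches everything either way
    if not strict:
        return request_path.startswith(lp)
    return request_path == lp or request_path.startswith(lp + "/")


def select_api(listen_paths, request_path, strict):
    """Return the matching listen path, preferring the longest one when several
    match (an assumption about tie-breaking, not from the page), or None."""
    hits = [p for p in listen_paths if route_matches(p, request_path, strict)]
    return max(hits, key=len) if hits else None


# Constructed sample: two APIs whose listen paths overlap.
LISTEN_PATHS = ["/app", "/apple"]

if __name__ == "__main__":
    for req in ["/app", "/app/", "/app/users/1", "/apple", "/apples", "/application"]:
        print(f"{req:<14} lenient={select_api(LISTEN_PATHS, req, False)!s:<8}"
              f" strict={select_api(LISTEN_PATHS, req, True)}")
```

Note what changes for the last two requests: with strict routes off, /apples and /application are silently served by a neighbouring API; with strict routes on they match nothing, which is usually what you want when different APIs carry different authentication.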
http_server_options.ssl_insecure_skip_verify
ENV: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
Type: bool
Disable TLS verification. Required if you are using self-signed certificates. Note that this accepts any certificate at all; where you can, add the self-signed CA to the trust store instead and leave this false.
http_server_options.enable_websockets
ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEWEBSOCKETS
Type: bool
Enable WebSockets and Server-Sent Events support.
http_server_options.certificates
ENV: TYK_GW_HTTPSERVEROPTIONS_CERTIFICATES
Type: CertsData
Deprecated. SSL certificates used by Gateway server.
http_server_options.ssl_certificates
ENV: TYK_GW_HTTPSERVEROPTIONS_SSLCERTIFICATES
Type: []string
SSL certificates used by your Gateway server. A list of certificate IDs or path to files.
http_server_options.server_name
ENV: TYK_GW_HTTPSERVEROPTIONS_SERVERNAME
Type: string
Start your Gateway HTTP server on specific server name
http_server_options.min_version
ENV: TYK_GW_HTTPSERVEROPTIONS_MINVERSION
Type: uint16
Minimum TLS version. Possible values: https://tyk.io/docs/basic-config-and-security/security/tls-and-ssl/#values-for-tls-versions
http_server_options.max_version
ENV: TYK_GW_HTTPSERVEROPTIONS_MAXVERSION
Type: uint16
Maximum TLS version.
http_server_options.skip_client_ca_announcement
ENV: TYK_GW_HTTPSERVEROPTIONS_SKIPCLIENTCAANNOUNCEMENT
Type: bool
When mTLS is enabled, this option allows you to skip the client CA announcement in the TLS handshake. This is useful when you have a lot of client CAs and want to reduce handshake overhead, as some clients can hit TLS handshake size limits. With this option the client receives no hint about which certificate to pick (a rare situation where that hint is required).
http_server_options.flush_interval
ENV: TYK_GW_HTTPSERVEROPTIONS_FLUSHINTERVAL
Type: int
Set this to the number of seconds that Tyk uses to flush content from the proxied upstream connection to the open downstream connection. This option needs to be set for streaming protocols like Server-Sent Events or gRPC streaming.
http_server_options.skip_url_cleaning
ENV: TYK_GW_HTTPSERVEROPTIONS_SKIPURLCLEANING
Type: bool
Allow the use of a double slash in a URL path. This can be useful if you need to pass raw URLs to your API endpoints. For example: http://myapi.com/get/http://example.com.
http_server_options.skip_target_path_escaping
ENV: TYK_GW_HTTPSERVEROPTIONS_SKIPTARGETPATHESCAPING
Type: bool
Disable automatic character escaping, allowing the original URL path data to be passed to the upstream unchanged.
http_server_options.ssl_ciphers
ENV: TYK_GW_HTTPSERVEROPTIONS_CIPHERS
Type: []string
Custom SSL ciphers. See list of ciphers here https://tyk.io/docs/basic-config-and-security/security/tls-and-ssl/#specify-tls-cipher-suites-for-tyk-gateway--tyk-dashboard
http_server_options.max_request_body_size
ENV: TYK_GW_HTTPSERVEROPTIONS_MAXREQUESTBODYSIZE
Type: int64
MaxRequestBodySize configures a maximum size limit for request body size (in bytes) for all APIs on the Gateway.
Tyk Gateway will evaluate all API requests against this size limit and will respond with HTTP 413 status code if the body of the request is larger.
Two methods are used to perform the comparison:
- If the API request contains the Content-Length header, this is directly compared against MaxRequestBodySize.
- If the Content-Length header is not provided, the request body is read in chunks to compare total size against MaxRequestBodySize.
A value of zero (default) means that no maximum is set and API requests will not be tested.
See more information about setting request size limits here: https://tyk.io/docs/basic-config-and-security/control-limit-traffic/request-size-limits/#maximum-request-sizes
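The two comparison methods above are worth seeing side by side, because the second one is what stops a client that omits Content-Length from making the Gateway buffer an unbounded body. The code below is an added example written for this page, not Tyk's implementation: it checks the header when present, otherwise streams the body in chunks and aborts as soon as the running total passes the limit, treating 0 as "no limit" as the page specifies. The chunk size, the handling of a malformed Content-Length (fall back to streaming) and the sample requests are the editor's assumptions.

```python
import io

CHUNK = 8192  # assumed read size; any value works, smaller bounds memory tighter


class BodyTooLarge(Exception):
    """Raised when a body exceeds the limit; the Gateway answers HTTP 413."""
    status = 413


def read_body_within_limit(headers, body, limit):
    """Return the request body as bytes if it is within `limit` bytes.

    Mirrors the two checks the page describes: compare Content-Length directly
    when the client sends one; otherwise read in chunks and stop as soon as
    the running total passes the limit. limit <= 0 disables the check.
    """
    if limit <= 0:
        return body.read()
    hdrs = {k.lower(): v for k, v in headers.items()}
    declared = hdrs.get("content-length")
    if declared is not None and declared.strip().isdigit():
        length = int(declared)
        if length > limit:
            raise BodyTooLarge(f"Content-Length {length} exceeds {limit}")
        # Trust the header only for how much to read: a client that declares 5
        # bytes and sends more never gets the extra bytes consumed here.
        return body.read(length)
    # No usable Content-Length (absent or malformed): stream and count.
    total, chunks = 0, []
    while True:
        chunk = body.read(min(CHUNK, limit - total + 1))  # never over-read
        if not chunk:
            break
        total += len(chunk)
        if total > limit:
            raise BodyTooLarge(f"body exceeds {limit} bytes")
        chunks.append(chunk)
    return b"".join(chunks)


def handle(headers, data, limit):
    """Stand-in for a gateway handler: (status, body) for a constructed request."""
    try:
        return 200, read_body_within_limit(headers, io.BytesIO(data), limit)
    except BodyTooLarge:
        return BodyTooLarge.status, b""


if __name__ == "__main__":
    # Constructed requests: declared length, undeclared length, and a 1 MiB
    # body with the check disabled.
    print(handle({"Content-Length": "11"}, b"x" * 11, 10)[0])   # 413 from header
    print(handle({}, b"x" * 11, 10)[0])                         # 413 from streaming
    print(handle({}, b"x" * (1 << 20), 0)[0])                   # 200, no limit
```

The streaming branch reads at most limit + 1 bytes in total, so the memory cost of an oversized body without Content-Length is bounded by the limit, not by what the client chooses to send.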
version_header
ENV: TYK_GW_VERSIONHEADER
Type: string
Expose version header with a given name. Works only for versioned APIs.
suppress_redis_signal_reload
ENV: TYK_GW_SUPPRESSREDISSIGNALRELOAD
Type: bool
Disable dynamic API and Policy reloads, i.e. new changes will only be loaded on process start.
reload_interval
ENV: TYK_GW_RELOADINTERVAL
Type: int64
ReloadInterval defines a duration in seconds within which the gateway responds to a reload event. The value defaults to 1, values lower than 1 are ignored.
hash_keys
ENV: TYK_GW_HASHKEYS
Type: bool
Enable Key hashing
disable_key_actions_by_username
ENV: TYK_GW_DISABLEKEYACTIONSBYUSERNAME
Type: bool
DisableKeyActionsByUsername disables key search by username. When this is set to true you are able to search for keys only by keyID or key hash (if hash_keys is also set to true).
Note that if hash_keys is also set to true then the keyID will not be provided for APIs secured using basic auth. In this scenario the only search option would be to use the key hash.
If you are using the Tyk Dashboard, you must configure this setting with the same value in both Gateway and Dashboard.
hash_key_function
ENV: TYK_GW_HASHKEYFUNCTION
Type: string
Specify the Key hashing algorithm. Possible values: murmur64, murmur128, sha256.
basic_auth_hash_key_function
ENV: TYK_GW_BASICAUTHHASHKEYFUNCTION
Type: string
Specify the Key hashing algorithm for basic auth. Possible values: murmur64, murmur128, sha256, bcrypt. Will default to bcrypt if not set.
hash_key_function_fallback
ENV: TYK_GW_HASHKEYFUNCTIONFALLBACK
Type: []string
Specify your previous key hashing algorithm if you migrated from one algorithm to another.
enable_hashed_keys_listing
ENV: TYK_GW_ENABLEHASHEDKEYSLISTING
Type: bool
Allows the listing of hashed API keys
min_token_length
ENV: TYK_GW_MINTOKENLENGTH
Type: int
Minimum API token length
template_path
ENV: TYK_GW_TEMPLATEPATH
Type: string
Path to error and webhook templates. Defaults to the current binary path.
policies
The policies section allows you to define where Tyk can find its policy templates. Policy templates are similar to key definitions in that they allow you to set quotas, access rights and rate limits for keys. Policies are loaded when Tyk starts and if changed require a hot-reload so they are loaded into memory. A policy can be defined in a file (Open Source installations) or from the same database as the Dashboard.
policies.policy_source
ENV: TYK_GW_POLICIES_POLICYSOURCE
Type: string
Set this value to file to look in the file system for a definition file. Set to service to use the Dashboard service.
policies.policy_connection_string
ENV: TYK_GW_POLICIES_POLICYCONNECTIONSTRING
Type: string
This option is required if policies.policy_source is set to service.
Set this to the URL of your Tyk Dashboard installation. The URL needs to be formatted as: http://dashboard_host:port.
policies.policy_record_name
ENV: TYK_GW_POLICIES_POLICYRECORDNAME
Type: string
This option only applies in OSS deployment when policies.policy_source is either set to file or an empty string. If policies.policy_path is not set, then Tyk will load policies from the JSON file specified by policies.policy_record_name.
policies.allow_explicit_policy_id
ENV: TYK_GW_POLICIES_ALLOWEXPLICITPOLICYID
Type: bool
In a Pro installation, Tyk will load Policy IDs and use the internal object-ID as the ID of the policy. This is not portable in cases where the data needs to be moved from installation to installation.
If you set this value to true, then the id parameter in a stored policy (or imported policy using the Dashboard API) will be used instead of the internal ID.
This option should only be used when moving an installation to a new database.
policies.policy_path
ENV: TYK_GW_POLICIES_POLICYPATH
Type: string
This option only applies in OSS deployment when policies.policy_source is either set to file or an empty string. If policies.policy_path is set, then Tyk will load policies from all the JSON files under the directory specified by the policies.policy_path option.
In this configuration, Tyk Gateway will allow policy management through the Gateway API.
ports_whitelist
ENV: TYK_GW_PORTWHITELIST
Type: PortsWhiteList
Defines the ports that will be available for the API services to bind to. This is a map of protocol to PortWhiteList, which allows per-protocol configuration. Remember to escape JSON strings when setting it through the environment variable.
disable_ports_whitelist
ENV: TYK_GW_DISABLEPORTWHITELIST
Type: bool
Disable port whitelisting, essentially allowing you to use any port for your API.
app_path
ENV: TYK_GW_APPPATH
Type: string
If Tyk is being used in its standard configuration (Open Source installations), then API definitions are stored in the apps folder (by default in /opt/tyk-gateway/apps). This location is scanned for .json files and re-scanned at startup or reload. See the API section of the Tyk Gateway API for more details.
use_db_app_configs
ENV: TYK_GW_USEDBAPPCONFIGS
Type: bool
If you are a Tyk Pro user, this option will enable polling the Dashboard service for API definitions. On startup Tyk will attempt to connect and download any relevant application configurations from your Dashboard instance. The files are exactly the same as the JSON files on disk with the exception of a BSON ID supplied by the Dashboard service.
db_app_conf_options
This section defines API loading and shard options. Enable these settings to selectively load API definitions on a node from your Dashboard service.
db_app_conf_options.connection_string
ENV: TYK_GW_DBAPPCONFOPTIONS_CONNECTIONSTRING
Type: string
Set the URL to your Dashboard instance (or a load balanced instance). The URL needs to be formatted as: http://dashboard_host:port
db_app_conf_options.connection_timeout
ENV: TYK_GW_DBAPPCONFOPTIONS_CONNECTIONTIMEOUT
Type: int
Set a timeout value, in seconds, for your Dashboard connection. Default value is 30.
db_app_conf_options.node_is_segmented
ENV: TYK_GW_DBAPPCONFOPTIONS_NODEISSEGMENTED
Type: bool
Set to true to enable filtering (sharding) of APIs.
db_app_conf_options.tags
ENV: TYK_GW_DBAPPCONFOPTIONS_TAGS
Type: []string
The tags to use when filtering (sharding) Tyk Gateway nodes. Tags are processed as OR operations.
If you include a non-filter tag (e.g. an identifier such as node-id-1), this will become available to your Dashboard analytics.
storage
This section defines your Redis configuration.
storage.type
ENV: TYK_GW_STORAGE_TYPE
Type: string
This should be set to redis (lowercase).
storage.host
ENV: TYK_GW_STORAGE_HOST
Type: string
The Redis host, by default this is set to localhost, but for production this should be set to a cluster.
storage.port
ENV: TYK_GW_STORAGE_PORT
Type: int
The Redis instance port.
storage.addrs
ENV: TYK_GW_STORAGE_ADDRS
Type: []string
If you have a multi-node setup, you should use this field instead. For example: ["host1:port1", "host2:port2"].
storage.master_name
ENV: TYK_GW_STORAGE_MASTERNAME
Type: string
Redis sentinel master name
storage.sentinel_password
ENV: TYK_GW_STORAGE_SENTINELPASSWORD
Type: string
Redis sentinel password
storage.username
ENV: TYK_GW_STORAGE_USERNAME
Type: string
Redis user name
storage.password
ENV: TYK_GW_STORAGE_PASSWORD
Type: string
If your Redis instance has a password set for access, you can set it here.
storage.database
ENV: TYK_GW_STORAGE_DATABASE
Type: int
Redis database
storage.optimisation_max_idle
ENV: TYK_GW_STORAGE_MAXIDLE
Type: int
Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.
storage.optimisation_max_active
ENV: TYK_GW_STORAGE_MAXACTIVE
Type: int
Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.
storage.timeout
ENV: TYK_GW_STORAGE_TIMEOUT
Type: int
Set a custom timeout for Redis network operations. Default value 5 seconds.
storage.enable_cluster
ENV: TYK_GW_STORAGE_ENABLECLUSTER
Type: bool
Enable Redis Cluster support
storage.use_ssl
ENV: TYK_GW_STORAGE_USESSL
Type: bool
Enable SSL/TLS connection between your Tyk Gateway & Redis.
storage.ssl_insecure_skip_verify
ENV: TYK_GW_STORAGE_SSLINSECURESKIPVERIFY
Type: bool
Disable TLS verification
storage.ca_file
ENV: TYK_GW_STORAGE_CAFILE
Type: string
Path to the CA file.
storage.cert_file
ENV: TYK_GW_STORAGE_CERTFILE
Type: string
Path to the cert file.
storage.key_file
ENV: TYK_GW_STORAGE_KEYFILE
Type: string
Path to the key file.
storage.tls_max_version
ENV: TYK_GW_STORAGE_TLSMAXVERSION
Type: string
Maximum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.3".
storage.tls_min_version
ENV: TYK_GW_STORAGE_TLSMINVERSION
Type: string
Minimum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.2".
disable_dashboard_zeroconf
ENV: TYK_GW_DISABLEDASHBOARDZEROCONF
Type: bool
Disable the capability of the Gateway to autodiscover the Dashboard through heartbeat messages via Redis.
The goal of zeroconf is auto-discovery, so you do not have to specify the Tyk Dashboard address in your Gateway tyk.conf file.
In some specific cases, for example when the Dashboard is bound to a public domain that is not accessible inside an internal network, disable_dashboard_zeroconf can be set to true in favour of directly specifying a Tyk Dashboard address.
slave_options
The slave_options allow you to configure the RPC slave connection required for MDCB installations. These settings must be configured for every RPC slave/worker node.
slave_options.use_rpc
ENV: TYK_GW_SLAVEOPTIONS_USERPC
Type: bool
Set to true to connect a worker Gateway using RPC.
slave_options.use_ssl
ENV: TYK_GW_SLAVEOPTIONS_USESSL
Type: bool
Set this option to true to use an SSL RPC connection.
slave_options.ssl_insecure_skip_verify
ENV: TYK_GW_SLAVEOPTIONS_SSLINSECURESKIPVERIFY
Type: bool
Set this option to true to allow the certificate validation (certificate chain and hostname) to be skipped. This can be useful if you use a self-signed certificate, but it also means the worker will accept any certificate presented on the MDCB address; trusting the self-signed CA explicitly is the safer option.
slave_options.connection_string
ENV: TYK_GW_SLAVEOPTIONS_CONNECTIONSTRING
Type: string
Use this setting to add the URL for your MDCB or load balancer host.
slave_options.rpc_key
ENV: TYK_GW_SLAVEOPTIONS_RPCKEY
Type: string
Your organisation ID to connect to the MDCB installation.
slave_options.api_key
ENV: TYK_GW_SLAVEOPTIONS_APIKEY
Type: string
This is the API key of a user used to authenticate and authorize the Gateway's access through MDCB. The user should be a standard Dashboard user with minimal privileges so as to reduce any risk if the user is compromised. The suggested security settings are read for Real-time notifications and the remaining options set to deny.
slave_options.enable_rpc_cache
ENV: TYK_GW_SLAVEOPTIONS_ENABLERPCCACHE
Type: bool
Set this option to true to enable RPC caching for keys.
slave_options.disable_keyspace_sync
ENV: TYK_GW_SLAVEOPTIONS_DISABLEKEYSPACESYNC
Type: bool
Set this option to true if you don't want to monitor changes in the keys from a primary Gateway.
slave_options.group_id
ENV: TYK_GW_SLAVEOPTIONS_GROUPID
Type: string
This is the zone that this instance inhabits, e.g. the cluster/data-centre the Gateway lives in.
The group ID must be the same across all the Gateways of a data-centre/cluster which are also sharing the same Redis instance.
This ID should also be unique per cluster (otherwise another Gateway cluster can pick up your keyspace events and your cluster will get zero updates).
slave_options.call_timeout
ENV: TYK_GW_SLAVEOPTIONS_CALLTIMEOUT
Type: int
Call Timeout allows to specify a time in seconds for the maximum allowed duration of a RPC call.
slave_options.ping_timeout
ENV: TYK_GW_SLAVEOPTIONS_PINGTIMEOUT
Type: int
The maximum time in seconds that a RPC ping can last.
slave_options.rpc_pool_size
ENV: TYK_GW_SLAVEOPTIONS_RPCPOOLSIZE
Type: int
The number of RPC connections in the pool. Basically it creates a set of connections that you can re-use as needed. Defaults to 5.
slave_options.key_space_sync_interval
ENV: TYK_GW_SLAVEOPTIONS_KEYSPACESYNCINTERVAL
Type: float32
You can use this to set a period for which the Gateway will check if there are changes in keys that must be synchronized. If this value is not set then it will default to 10 seconds.
slave_options.rpc_cert_cache_expiration
ENV: TYK_GW_SLAVEOPTIONS_RPCCERTCACHEEXPIRATION
Type: float32
RPCCertCacheExpiration defines the expiration time of the rpc cache that stores the certificates, defined in seconds
slave_options.rpc_global_cache_expiration
ENV: TYK_GW_SLAVEOPTIONS_RPCGLOBALCACHEEXPIRATION
Type: float32
RPCKeysCacheExpiration defines the expiration time of the rpc cache that stores the keys, defined in seconds
slave_options.synchroniser_enabled
ENV: TYK_GW_SLAVEOPTIONS_SYNCHRONISERENABLED
Type: bool
SynchroniserEnabled: enable this config if MDCB has the synchroniser enabled. If disabled, the Gateway will ignore signals to synchronise resources.
management_node
ENV: TYK_GW_MANAGEMENTNODE
Type: bool
If set to true, the distributed rate limiter will be disabled for this node, and it will be excluded from any rate limit calculation.
Note
If you set db_app_conf_options.node_is_segmented to true for multiple Gateway nodes, you should ensure that management_node is set to false. This is to ensure visibility for the management node across all APIs.
auth_override
This is used as part of the RPC / Hybrid back-end configuration in a Tyk Enterprise installation and isn’t used anywhere else.
enable_fixed_window_rate_limiter
ENV: TYK_GW_ENABLEFIXEDWINDOWRATELIMITER
Type: bool
EnableFixedWindow enables fixed window rate limiting.
enable_redis_rolling_limiter
ENV: TYK_GW_ENABLEREDISROLLINGLIMITER
Type: bool
Redis based rate limiter with sliding log. Provides 100% rate limiting accuracy, but require two additional Redis roundtrips for each request.
enable_sentinel_rate_limiter
ENV: TYK_GW_ENABLESENTINELRATELIMITER
Type: bool
To enable, set to true. The sentinel-based rate limiter delivers a smoother performance curve as rate-limit calculations happen off-thread, but a stricter time-out based cool-down for clients. For example, when a throttling action is triggered, they are required to cool down for the period of the rate limit.
Disabling the sentinel-based rate limiter will make rate-limit calculations happen on-thread and therefore offers a staggered cool-down and a smoother rate-limit experience for the client. For example, you can slow your connection throughput to regain entry into your rate limit. This is more of a "throttle" than a "block".
The standard rate limiter offers similar performance as the sentinel-based limiter. This is disabled by default.
enable_rate_limit_smoothing
ENV: TYK_GW_ENABLERATELIMITSMOOTHING
Type: bool
EnableRateLimitSmoothing enables or disables rate limit smoothing. The rate smoothing is only supported on the Redis Rate Limiter, or the Sentinel Rate Limiter, as both algorithms implement a sliding log.
enable_non_transactional_rate_limiter
ENV: TYK_GW_ENABLENONTRANSACTIONALRATELIMITER
Type: bool
An enhancement for the Redis and Sentinel rate limiters, that offers a significant improvement in performance by not using transactions on Redis rate-limit buckets.
drl_notification_frequency
ENV: TYK_GW_DRLNOTIFICATIONFREQUENCY
Type: int
How frequently a distributed rate limiter synchronises information between the Gateway nodes. Default: 2 seconds.
drl_threshold
ENV: TYK_GW_DRLTHRESHOLD
Type: float64
A distributed rate limiter is inaccurate on small rate limits, so on an individual user basis it falls back to the Redis or Sentinel rate limiter when that user's rate limit is lower than the threshold.
The threshold is calculated using the following formula: rate_threshold = drl_threshold * number_of_gateways.
So if you have 2 Gateways and your threshold is set to 5, a user rate limit larger than 10 will use the distributed rate limiter algorithm.
Default: 5
drl_enable_sentinel_rate_limiter
ENV: TYK_GW_DRLENABLESENTINELRATELIMITER
Type: bool
Controls which algorithm to use as a fallback when your distributed rate limiter can't be used.
enforce_org_data_age
ENV: TYK_GW_ENFORCEORGDATAAGE
Type: bool
Allows you to dynamically configure analytics expiration on a per organisation level
enforce_org_data_detail_logging
ENV: TYK_GW_ENFORCEORGDATADETAILLOGGING
Type: bool
Allows you to dynamically configure detailed logging on a per organisation level
enforce_org_quotas
ENV: TYK_GW_ENFORCEORGQUOTAS
Type: bool
Allows you to dynamically configure organisation quotas on a per organisation level
monitor
The monitor section is useful if you wish to enforce a global trigger limit on organisation and user quotas. This feature will trigger a webhook event to fire when specific triggers are reached. Triggers can be global (set in the node), by organisation (set in the organisation session object) or by key (set in the key session object)
While Organisation-level and Key-level triggers can be tiered (e.g. trigger at 10%, trigger at 20%, trigger at 80%), in the node-level configuration only a global value can be set. If a global value and specific trigger level are the same the trigger will only fire once:
"monitor": {
"enable_trigger_monitors": true,
"configuration": {
"method": "POST",
"target_path": "http://domain.com/notify/quota-trigger",
"template_path": "templates/monitor_template.json",
"header_map": {
"some-secret": "89787855"
},
"event_timeout": 10
},
"global_trigger_limit": 80.0,
"monitor_user_keys": false,
"monitor_org_keys": true
},
monitor.enable_trigger_monitors
ENV: TYK_GW_MONITOR_ENABLETRIGGERMONITORS
Type: bool
Set this to true to have monitors enabled in your configuration for the node.
monitor.configuration.method
ENV: TYK_GW_MONITOR_CONFIG_METHOD
Type: string
The method to use for the webhook.
monitor.configuration.target_path
ENV: TYK_GW_MONITOR_CONFIG_TARGETPATH
Type: string
The target path on which to send the request.
monitor.configuration.template_path
ENV: TYK_GW_MONITOR_CONFIG_TEMPLATEPATH
Type: string
The template to load in order to format the request.
monitor.configuration.header_map
ENV: TYK_GW_MONITOR_CONFIG_HEADERLIST
Type: map[string]string
Headers to set when firing the webhook.
monitor.configuration.event_timeout
ENV: TYK_GW_MONITOR_CONFIG_EVENTTIMEOUT
Type: int64
The cool-down for the event so it does not trigger again (in seconds).
monitor.global_trigger_limit
ENV: TYK_GW_MONITOR_GLOBALTRIGGERLIMIT
Type: float64
The trigger limit, as a percentage of the quota that must be reached in order to trigger the event, any time the quota percentage is increased the event will trigger.
monitor.monitor_user_keys
ENV: TYK_GW_MONITOR_MONITORUSERKEYS
Type: bool
Apply the monitoring subsystem to user keys.
monitor.monitor_org_keys
ENV: TYK_GW_MONITOR_MONITORORGKEYS
Type: bool
Apply the monitoring subsystem to organisation keys.
max_idle_connections
ENV: TYK_GW_MAXIDLECONNS
Type: int
Maximum idle connections, per API, between Tyk and Upstream. By default not limited.
max_idle_connections_per_host
ENV: TYK_GW_MAXIDLECONNSPERHOST
Type: int
Maximum idle connections, per API, per upstream, between Tyk and Upstream. Default:100
max_conn_time
ENV: TYK_GW_MAXCONNTIME
Type: int64
Maximum connection time. If set it will force gateway reconnect to the upstream.
close_connections
ENV: TYK_GW_CLOSECONNECTIONS
Type: bool
If set, disable keepalive between User and Tyk
enable_custom_domains
ENV: TYK_GW_ENABLECUSTOMDOMAINS
Type: bool
Allows you to use custom domains
allow_master_keys
ENV: TYK_GW_ALLOWMASTERKEYS
Type: bool
If AllowMasterKeys is set to true, session objects (key definitions) that do not have explicit access rights set will be allowed by Tyk. This means that keys that are created have access to ALL APIs, which in many cases is unwanted behaviour unless you are sure about what you are doing.
service_discovery.default_cache_timeout
ENV: TYK_GW_SERVICEDISCOVERY_DEFAULTCACHETIMEOUT
Type: int
Service discovery cache timeout
proxy_ssl_insecure_skip_verify
ENV: TYK_GW_PROXYSSLINSECURESKIPVERIFY
Type: bool
Globally ignore TLS verification between Tyk and your Upstream services
proxy_enable_http2
ENV: TYK_GW_PROXYENABLEHTTP2
Type: bool
Enable HTTP2 support between Tyk and your upstream service. Required for gRPC.
proxy_ssl_min_version
ENV: TYK_GW_PROXYSSLMINVERSION
Type: uint16
Minimum TLS version for connection between Tyk and your upstream service.
proxy_ssl_max_version
ENV: TYK_GW_PROXYSSLMAXVERSION
Type: uint16
Maximum TLS version for connection between Tyk and your upstream service.
proxy_ssl_ciphers
ENV: TYK_GW_PROXYSSLCIPHERSUITES
Type: []string
Allow list of ciphers for connection between Tyk and your upstream service.
proxy_default_timeout
ENV: TYK_GW_PROXYDEFAULTTIMEOUT
Type: float64
This can specify a default timeout in seconds for upstream API requests. Default: 30 seconds
proxy_ssl_disable_renegotiation
ENV: TYK_GW_PROXYSSLDISABLERENEGOTIATION
Type: bool
Disable TLS renegotiation.
proxy_close_connections
ENV: TYK_GW_PROXYCLOSECONNECTIONS
Type: bool
Disable keepalives between Tyk and your upstream service.
Set this value to true to force Tyk to close the connection with the server, otherwise the connections will remain open for as long as your OS keeps TCP connections open. This can cause a file-handle limit to be exceeded. Setting to false can have performance benefits as the connection can be reused.
uptime_tests
Tyk nodes can provide uptime awareness, uptime testing and analytics for your underlying APIs uptime and availability. Tyk can also notify you when a service goes down.
uptime_tests.disable
ENV: TYK_GW_UPTIMETESTS_DISABLE
Type: bool
To disable uptime tests on this node, set this value to true.
uptime_tests.poller_group
ENV: TYK_GW_UPTIMETESTS_POLLERGROUP
Type: string
If you have multiple Gateway clusters connected to the same Redis instance, you need to set a unique poller group for each cluster.
uptime_tests.config.failure_trigger_sample_size
ENV: TYK_GW_UPTIMETESTS_CONFIG_FAILURETRIGGERSAMPLESIZE
Type: int
The sample size to trigger a HostUp or HostDown event. For example, a setting of 3 will require at least three failures to occur before the uptime test is triggered.
uptime_tests.config.time_wait
ENV: TYK_GW_UPTIMETESTS_CONFIG_TIMEWAIT
Type: int
The value in seconds between tests runs. All tests will run simultaneously. This value will set the time between those tests. So a value of 60 will run all uptime tests every 60 seconds.
uptime_tests.config.checker_pool_size
ENV: TYK_GW_UPTIMETESTS_CONFIG_CHECKERPOOLSIZE
Type: int
The goroutine pool size to keep idle for uptime tests. If you have many uptime tests running at a high time period, then increase this value.
uptime_tests.config.enable_uptime_analytics
ENV: TYK_GW_UPTIMETESTS_CONFIG_ENABLEUPTIMEANALYTICS
Type: bool
Set this value to true to have the node capture and record analytics data regarding the uptime tests.
health_check
This section enables the configuration of the health-check API endpoint and the size of the sample data cache (in seconds).
health_check.enable_health_checks
ENV: TYK_GW_HEALTHCHECK_ENABLEHEALTHCHECKS
Type: bool
Setting this value to true will enable the health-check endpoint on /Tyk/health.
health_check.health_check_value_timeouts
ENV: TYK_GW_HEALTHCHECK_HEALTHCHECKVALUETIMEOUT
Type: int64
This setting defaults to 60 seconds. This is the time window that Tyk uses to sample health-check data. You can set a higher value for more accurate data (a larger sample period), or a lower value for less accurate data. This value is configurable because the sample data used to calculate health-check results takes up space in your Redis DB. On high-availability systems this may not be desirable, and smaller values may be preferred.
health_check_endpoint_name
ENV: TYK_GW_HEALTHCHECKENDPOINTNAME
Type: string
Enables you to rename the /hello endpoint.
oauth_refresh_token_expire
ENV: TYK_GW_OAUTHREFRESHEXPIRE
Type: int64
Change the expiry time of a refresh token, in seconds. The default is 14 days.
oauth_token_expire
ENV: TYK_GW_OAUTHTOKENEXPIRE
Type: int32
Change the expiry time of OAuth tokens (in seconds).
oauth_token_expired_retain_period
ENV: TYK_GW_OAUTHTOKENEXPIREDRETAINPERIOD
Type: int32
Specifies how long expired tokens are stored in Redis. The value is in seconds and the default is 0. Using the default means expired tokens are never removed from Redis.
oauth_redirect_uri_separator
ENV: TYK_GW_OAUTHREDIRECTURISEPARATOR
Type: string
Character which should be used as a separator for OAuth redirect URI URLs. Default: ;.
oauth_error_status_code
ENV: TYK_GW_OAUTHERRORSTATUSCODE
Type: int
Configures the OAuth error status code returned. If not set, it defaults to a 403 error.
enable_key_logging
ENV: TYK_GW_ENABLEKEYLOGGING
Type: bool
By default all key IDs in logs are hidden. Set to true if you want to see them for debugging reasons.
ssl_force_common_name_check
ENV: TYK_GW_SSLFORCECOMMONNAMECHECK
Type: bool
Force the validation of the hostname against the common name, even if TLS verification is disabled.
enable_analytics
ENV: TYK_GW_ENABLEANALYTICS
Type: bool
Tyk is capable of recording every hit to your API to a database with various filtering parameters. Set this value to true and fill in the sub-section below to enable logging.
Note
For performance reasons, Tyk will store traffic data to Redis initially and then purge the data from Redis to MongoDB or other data stores on a regular basis as determined by the purge_delay setting in your Tyk Pump configuration.
analytics_config
This section defines options on what analytics data to store.
analytics_config.type
ENV: TYK_GW_ANALYTICSCONFIG_TYPE
Type: string
Set empty for a Self-Managed installation or rpc for multi-cloud.
analytics_config.ignored_ips
ENV: TYK_GW_ANALYTICSCONFIG_IGNOREDIPS
Type: []string
Adding IP addresses to this list will cause Tyk to ignore these IPs in the analytics data. These IP addresses will not produce an analytics log record. This is useful for health checks and other samplers that might skew usage data. The IP addresses must be provided as a JSON array, with the values being single IPs. CIDR values are not supported.
analytics_config.enable_detailed_recording
ENV: TYK_GW_ANALYTICSCONFIG_ENABLEDETAILEDRECORDING
Type: bool
Set this value to true to have Tyk store the inbound request and outbound response data in HTTP wire format as part of the analytics data.
Please note, this will greatly increase your analytics DB size and can cause performance degradation on analytics processing by the Dashboard.
This setting can be overridden with an organisation flag, enabled at an API level, or at an individual key level.
analytics_config.enable_geo_ip
ENV: TYK_GW_ANALYTICSCONFIG_ENABLEGEOIP
Type: bool
Tyk can store GeoIP information based on MaxMind DBs to enable GeoIP tracking on inbound request analytics. Set this value to true and assign a DB using the geo_ip_db_path setting.
analytics_config.geo_ip_db_path
ENV: TYK_GW_ANALYTICSCONFIG_GEOIPDBLOCATION
Type: string
Path to a MaxMind GeoIP database. The analytics GeoIP DB can be replaced on disk; it will cleanly auto-reload every hour.
analytics_config.normalise_urls
This section describes methods that enable you to normalise inbound URLs in your analytics to have more meaningful per-path data.
analytics_config.normalise_urls.enabled
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_ENABLED
Type: bool
Set this to true to enable normalisation.
analytics_config.normalise_urls.normalise_uuids
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_NORMALISEUUIDS
Type: bool
Each UUID will be replaced with a placeholder {uuid}
analytics_config.normalise_urls.normalise_ulids
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_NORMALISEULIDS
Type: bool
Each ULID will be replaced with a placeholder {ulid}
analytics_config.normalise_urls.normalise_numbers
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_NORMALISENUMBERS
Type: bool
Set this to true to have Tyk automatically match numeric IDs. It will only match numbers with a preceding slash, so as not to capture actual numeric values.
analytics_config.normalise_urls.custom_patterns
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_CUSTOM
Type: []string
This is a list of custom patterns you can add. These must be valid regex strings. Tyk will replace these values with a {var} placeholder.
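As an added illustration (not Tyk's own code) of the normalise_urls options above, this Go program applies the UUID, ULID, numeric-ID and custom-pattern rewrites to constructed request paths; the {id} placeholder for numbers, the regex patterns and the order of application are assumptions of the example, since the page does not state them. Collapsing high-cardinality segments this way keeps per-path analytics aggregatable, and a custom pattern can keep identifiers such as e-mail addresses out of the analytics store.

```go
package main

import (
	"fmt"
	"regexp"
)

// NormaliseOptions mirrors the analytics_config.normalise_urls settings
// described above. Added illustration only; not Tyk's implementation.
type NormaliseOptions struct {
	Enabled          bool
	NormaliseUUIDs   bool
	NormaliseULIDs   bool
	NormaliseNumbers bool
	CustomPatterns   []string // must be valid regex strings, as the docs require
}

var (
	// RFC 4122 textual UUID: 8-4-4-4-12 hex digits.
	uuidRe = regexp.MustCompile(`\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b`)
	// ULID: 26 Crockford base32 characters (I, L, O, U excluded), first char 0-7.
	ulidRe = regexp.MustCompile(`\b[0-7][0-9A-HJKMNP-TV-Z]{25}\b`)
	// Numeric IDs only when a slash immediately precedes them, so "v2" or
	// "order42" are left alone while "/42" becomes a placeholder.
	numRe = regexp.MustCompile(`/[0-9]+\b`)
)

// Normaliser holds the options plus the pre-compiled custom patterns.
type Normaliser struct {
	opts   NormaliseOptions
	custom []*regexp.Regexp
}

// NewNormaliser compiles the custom patterns once; an invalid regex is
// reported up front rather than failing on every request.
func NewNormaliser(opts NormaliseOptions) (*Normaliser, error) {
	n := &Normaliser{opts: opts}
	for _, p := range opts.CustomPatterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("custom_patterns: %q: %w", p, err)
		}
		n.custom = append(n.custom, re)
	}
	return n, nil
}

// Normalise rewrites one request path for analytics. Order matters: UUIDs are
// handled before bare numbers so a UUID's leading hex digits are not consumed
// as a numeric ID. The {id} placeholder for numbers is an assumption of this
// example; the page does not state the token Tyk uses.
func (n *Normaliser) Normalise(path string) string {
	if !n.opts.Enabled {
		return path
	}
	if n.opts.NormaliseUUIDs {
		path = uuidRe.ReplaceAllString(path, "{uuid}")
	}
	if n.opts.NormaliseULIDs {
		path = ulidRe.ReplaceAllString(path, "{ulid}")
	}
	if n.opts.NormaliseNumbers {
		path = numRe.ReplaceAllString(path, "/{id}")
	}
	for _, re := range n.custom {
		path = re.ReplaceAllString(path, "{var}")
	}
	return path
}

func main() {
	n, err := NewNormaliser(NormaliseOptions{
		Enabled: true, NormaliseUUIDs: true, NormaliseULIDs: true, NormaliseNumbers: true,
		// Constructed custom pattern: replace e-mail addresses used as path keys.
		CustomPatterns: []string{`[^/@\s]+@[^/\s]+`},
	})
	if err != nil {
		panic(err)
	}
	// Constructed sample paths.
	for _, p := range []string{
		"/users/123e4567-e89b-12d3-a456-426614174000/orders/42",
		"/events/01ARZ3NDEKTSV4RRFFQ69G5FAV",
		"/v2/account/7/statement",
		"/users/alice@example.com/profile",
	} {
		fmt.Printf("%-55s -> %s\n", p, n.Normalise(p))
	}
}
```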
analytics_config.pool_size
ENV: TYK_GW_ANALYTICSCONFIG_POOLSIZE
Type: int
Number of workers used to process analytics. Defaults to the number of CPU cores.
analytics_config.records_buffer_size
ENV: TYK_GW_ANALYTICSCONFIG_RECORDSBUFFERSIZE
Type: uint64
Number of records in analytics queue, per worker. Default: 1000.
analytics_config.storage_expiration_time
ENV: TYK_GW_ANALYTICSCONFIG_STORAGEEXPIRATIONTIME
Type: int
You can set a time (in seconds) to configure how long analytics are kept if they are not processed. The default is 60 seconds. This is used to prevent the potential infinite growth of Redis analytics storage.
analytics_config.enable_multiple_analytics_keys
ENV: TYK_GW_ANALYTICSCONFIG_ENABLEMULTIPLEANALYTICSKEYS
Type: bool
Set this to true to have Tyk automatically divide the analytics records among multiple analytics keys.
This is especially useful when storage.enable_cluster is set to true, since it will distribute the analytics keys across all the cluster nodes.
analytics_config.purge_interval
ENV: TYK_GW_ANALYTICSCONFIG_PURGEINTERVAL
Type: float32
You can set the interval at which the Tyk Gateway will purge analytics data. This value is in seconds and defaults to 10 seconds.
analytics_config.serializer_type
ENV: TYK_GW_ANALYTICSCONFIG_SERIALIZERTYPE
Type: string
Determines the serialization engine for analytics. Available options: msgpack and protobuf. Default: msgpack.
enable_separate_analytics_store
ENV: TYK_GW_ENABLESEPERATEANALYTICSSTORE
Type: bool
Enable separate analytics storage. Used together with analytics_storage.
analytics_storage.type
ENV: TYK_GW_ANALYTICSSTORAGE_TYPE
Type: string
This should be set to redis (lowercase).
analytics_storage.host
ENV: TYK_GW_ANALYTICSSTORAGE_HOST
Type: string
The Redis host. By default this is set to localhost, but for production this should be set to a cluster.
analytics_storage.port
ENV: TYK_GW_ANALYTICSSTORAGE_PORT
Type: int
The Redis instance port.
analytics_storage.addrs
ENV: TYK_GW_ANALYTICSSTORAGE_ADDRS
Type: []string
If you have a multi-node setup, you should use this field instead. For example: ["host1:port1", "host2:port2"].
analytics_storage.master_name
ENV: TYK_GW_ANALYTICSSTORAGE_MASTERNAME
Type: string
Redis sentinel master name
analytics_storage.sentinel_password
ENV: TYK_GW_ANALYTICSSTORAGE_SENTINELPASSWORD
Type: string
Redis sentinel password
analytics_storage.username
ENV: TYK_GW_ANALYTICSSTORAGE_USERNAME
Type: string
Redis user name
analytics_storage.password
ENV: TYK_GW_ANALYTICSSTORAGE_PASSWORD
Type: string
If your Redis instance has a password set for access, you can set it here.
analytics_storage.database
ENV: TYK_GW_ANALYTICSSTORAGE_DATABASE
Type: int
Redis database
analytics_storage.optimisation_max_idle
ENV: TYK_GW_ANALYTICSSTORAGE_MAXIDLE
Type: int
Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.
analytics_storage.optimisation_max_active
ENV: TYK_GW_ANALYTICSSTORAGE_MAXACTIVE
Type: int
Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.
analytics_storage.timeout
ENV: TYK_GW_ANALYTICSSTORAGE_TIMEOUT
Type: int
Set a custom timeout for Redis network operations. Default value 5 seconds.
analytics_storage.enable_cluster
ENV: TYK_GW_ANALYTICSSTORAGE_ENABLECLUSTER
Type: bool
Enable Redis Cluster support
analytics_storage.use_ssl
ENV: TYK_GW_ANALYTICSSTORAGE_USESSL
Type: bool
Enable SSL/TLS connection between your Tyk Gateway & Redis.
analytics_storage.ssl_insecure_skip_verify
ENV: TYK_GW_ANALYTICSSTORAGE_SSLINSECURESKIPVERIFY
Type: bool
Disable TLS verification
analytics_storage.ca_file
ENV: TYK_GW_ANALYTICSSTORAGE_CAFILE
Type: string
Path to the CA file.
analytics_storage.cert_file
ENV: TYK_GW_ANALYTICSSTORAGE_CERTFILE
Type: string
Path to the cert file.
analytics_storage.key_file
ENV: TYK_GW_ANALYTICSSTORAGE_KEYFILE
Type: string
Path to the key file.
analytics_storage.tls_max_version
ENV: TYK_GW_ANALYTICSSTORAGE_TLSMAXVERSION
Type: string
Maximum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.3".
analytics_storage.tls_min_version
ENV: TYK_GW_ANALYTICSSTORAGE_TLSMINVERSION
Type: string
Minimum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.2".
liveness_check.check_duration
ENV: TYK_GW_LIVENESSCHECK_CHECKDURATION
Type: time.Duration
Frequency of the interval health checks performed against Redis, the Dashboard and the RPC layer. Expressed in nanoseconds; for example, 1000000000 -> 1s. Default: 10 seconds.
dns_cache
This section enables the global configuration of expirable DNS record caching for your Gateway API endpoints. By design, caching affects only APIs using the http(s) and ws(s) protocols and does not affect any plugin/middleware DNS queries.
"dns_cache": {
"enabled": true, // Turned off by default
"ttl": 60, // Time in seconds before the record is removed from the cache
"multiple_ips_handle_strategy": "random" // Strategy used when a DNS query returns more than one IP address for a single host
}
dns_cache.enabled
ENV: TYK_GW_DNSCACHE_ENABLED
Type: bool
Setting this value to true will enable caching of DNS query responses for API endpoint host names. By default caching is disabled.
dns_cache.ttl
ENV: TYK_GW_DNSCACHE_TTL
Type: int64
This setting allows you to specify a duration in seconds before the record is removed from the cache after being added to it on the first DNS query resolution of API endpoints.
Setting ttl to -1 prevents the record from being expired and removed from the cache on the next check interval.
dns_cache.multiple_ips_handle_strategy
ENV: TYK_GW_DNSCACHE_MULTIPLEIPSHANDLESTRATEGY
Type: string
The strategy used when a DNS query returns more than one IP address for a single host. Because the order of IP addresses in a DNS response can change depending on the DNS server's balancing strategy (e.g. round robin or geographically dependent origin-IP ordering), this option lets you avoid limiting connections to the first host in a cached response list, or disable response caching altogether.
pick_first will instruct your Tyk Gateway to connect to the first IP in a returned IP list and cache the response.
random will instruct your Tyk Gateway to connect to a random IP in a returned IP list and cache the response.
no_cache will instruct your Tyk Gateway to connect to the first IP in a returned IP list and fetch the address list on each API endpoint DNS query without caching.
disable_regexp_cache
ENV: TYK_GW_DISABLEREGEXPCACHE
Type: bool
If set to true, this disables the regular expression cache. The default setting is false.
regexp_cache_expire
ENV: TYK_GW_REGEXPCACHEEXPIRE
Type: int32
If you set disable_regexp_cache to false, you can use this setting to limit how long the regular expression cache is kept for, in seconds.
The default is 60 seconds. This must be a positive value. If you set it to 0, the default value is used.
local_session_cache
Tyk can cache some data locally. This can speed up lookup times on a single node and lower the number of connections and operations performed on Redis. It will however introduce a slight delay when updating or modifying keys, as the cache must expire. This does not affect rate limiting.
local_session_cache.disable_cached_session_state
ENV: TYK_GW_LOCALSESSIONCACHE_DISABLECACHESESSIONSTATE
Type: bool
By default sessions are cached. Set this to true to stop Tyk from caching keys locally on the node.
enable_separate_cache_store
ENV: TYK_GW_ENABLESEPERATECACHESTORE
Type: bool
Enable to use a separate Redis for cache storage
cache_storage.type
ENV: TYK_GW_CACHESTORAGE_TYPE
Type: string
This should be set to redis (lowercase).
cache_storage.host
ENV: TYK_GW_CACHESTORAGE_HOST
Type: string
The Redis host. By default this is set to localhost, but for production this should be set to a cluster.
cache_storage.port
ENV: TYK_GW_CACHESTORAGE_PORT
Type: int
The Redis instance port.
cache_storage.addrs
ENV: TYK_GW_CACHESTORAGE_ADDRS
Type: []string
If you have a multi-node setup, you should use this field instead. For example: ["host1:port1", "host2:port2"].
cache_storage.master_name
ENV: TYK_GW_CACHESTORAGE_MASTERNAME
Type: string
Redis sentinel master name
cache_storage.sentinel_password
ENV: TYK_GW_CACHESTORAGE_SENTINELPASSWORD
Type: string
Redis sentinel password
cache_storage.username
ENV: TYK_GW_CACHESTORAGE_USERNAME
Type: string
Redis user name
cache_storage.password
ENV: TYK_GW_CACHESTORAGE_PASSWORD
Type: string
If your Redis instance has a password set for access, you can set it here.
cache_storage.database
ENV: TYK_GW_CACHESTORAGE_DATABASE
Type: int
Redis database
cache_storage.optimisation_max_idle
ENV: TYK_GW_CACHESTORAGE_MAXIDLE
Type: int
Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.
cache_storage.optimisation_max_active
ENV: TYK_GW_CACHESTORAGE_MAXACTIVE
Type: int
Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.
cache_storage.timeout
ENV: TYK_GW_CACHESTORAGE_TIMEOUT
Type: int
Set a custom timeout for Redis network operations. Default value 5 seconds.
cache_storage.enable_cluster
ENV: TYK_GW_CACHESTORAGE_ENABLECLUSTER
Type: bool
Enable Redis Cluster support
cache_storage.use_ssl
ENV: TYK_GW_CACHESTORAGE_USESSL
Type: bool
Enable SSL/TLS connection between your Tyk Gateway & Redis.
cache_storage.ssl_insecure_skip_verify
ENV: TYK_GW_CACHESTORAGE_SSLINSECURESKIPVERIFY
Type: bool
Disable TLS verification
cache_storage.ca_file
ENV: TYK_GW_CACHESTORAGE_CAFILE
Type: string
Path to the CA file.
cache_storage.cert_file
ENV: TYK_GW_CACHESTORAGE_CERTFILE
Type: string
Path to the cert file.
cache_storage.key_file
ENV: TYK_GW_CACHESTORAGE_KEYFILE
Type: string
Path to the key file.
cache_storage.tls_max_version
ENV: TYK_GW_CACHESTORAGE_TLSMAXVERSION
Type: string
Maximum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.3".
cache_storage.tls_min_version
ENV: TYK_GW_CACHESTORAGE_TLSMINVERSION
Type: string
Minimum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.2".
enable_bundle_downloader
ENV: TYK_GW_ENABLEBUNDLEDOWNLOADER
Type: bool
Enable downloading plugin bundles. Example:
"enable_bundle_downloader": true,
"bundle_base_url": "http://my-bundle-server.com/bundles/",
"public_key_path": "/path/to/my/pubkey",
bundle_base_url
ENV: TYK_GW_BUNDLEBASEURL
Type: string
The base URL that will be used to download the bundle. In this example, with bundle-latest.zip specified in the API settings, Tyk will fetch the following URL: http://my-bundle-server.com/bundles/bundle-latest.zip (see the next section for details).
bundle_insecure_skip_verify
ENV: TYK_GW_BUNDLEINSECURESKIPVERIFY
Type: bool
Disable TLS validation for bundle URLs
enable_jsvm
ENV: TYK_GW_ENABLEJSVM
Type: bool
Set to true if you are using JSVM custom middleware or virtual endpoints.
jsvm_timeout
ENV: TYK_GW_JSVMTIMEOUT
Type: int
Set the execution timeout for JSVM plugins and virtual endpoints.
disable_virtual_path_blobs
ENV: TYK_GW_DISABLEVIRTUALPATHBLOBS
Type: bool
Disables virtual endpoints: their code will not be loaded into the VM when the API definition initialises. This is useful for systems where you want to avoid running third-party code.
tyk_js_path
ENV: TYK_GW_TYKJSPATH
Type: string
Path to the JavaScript file which will be pre-loaded for any JSVM middleware or virtual endpoint. Useful for defining global shared functions.
middleware_path
ENV: TYK_GW_MIDDLEWAREPATH
Type: string
Path to the plugins directory. The default is ./middleware.
coprocess_options
Configuration options for Python and gRPC plugins.
coprocess_options.enable_coprocess
ENV: TYK_GW_COPROCESSOPTIONS_ENABLECOPROCESS
Type: bool
Enable gRPC and Python plugins
coprocess_options.coprocess_grpc_server
ENV: TYK_GW_COPROCESSOPTIONS_COPROCESSGRPCSERVER
Type: string
Address of the gRPC server.
coprocess_options.grpc_recv_max_size
ENV: TYK_GW_COPROCESSOPTIONS_GRPCRECVMAXSIZE
Type: int
Maximum message size that can be received from the gRPC server.
coprocess_options.grpc_send_max_size
ENV: TYK_GW_COPROCESSOPTIONS_GRPCSENDMAXSIZE
Type: int
Maximum message size that can be sent to the gRPC server.
coprocess_options.grpc_authority
ENV: TYK_GW_COPROCESSOPTIONS_GRPCAUTHORITY
Type: string
Authority used in the gRPC connection.
coprocess_options.python_path_prefix
ENV: TYK_GW_COPROCESSOPTIONS_PYTHONPATHPREFIX
Type: string
Sets the path to built-in Tyk modules. This will be part of the Python module lookup path. The value used here is the default one for most installations.
coprocess_options.python_version
ENV: TYK_GW_COPROCESSOPTIONS_PYTHONVERSION
Type: string
If you have multiple Python versions installed you can specify your version.
ignore_endpoint_case
ENV: TYK_GW_IGNOREENDPOINTCASE
Type: bool
Ignore the case of any endpoints for APIs managed by Tyk. Setting this to true will override any individual API and Ignore, Blacklist and Whitelist plugin endpoint settings.
ignore_canonical_mime_header_key
ENV: TYK_GW_IGNORECANONICALMIMEHEADERKEY
Type: bool
When enabled Tyk ignores the canonical format of the MIME header keys.
For example when a request header with a “my-header” key is injected using “global_headers”, the upstream would typically get it as “My-Header”. When this flag is enabled it will be sent as “my-header” instead.
Current support is limited to JavaScript plugins, global header injection, virtual endpoint and JQ transform header rewrites. This functionality doesn’t affect headers that are sent by the HTTP client and the default formatting will apply in this case.
For technical details refer to the CanonicalMIMEHeaderKey functionality in the Go documentation.
log_level
ENV: TYK_GW_LOGLEVEL
Type: string
Sets the logging level. The following levels can be set: debug, info, warn, error.
If not set or left empty, it defaults to info.
tracing
Section for configuring OpenTracing support. Deprecated: use OpenTelemetry instead.
tracing.name
ENV: TYK_GW_TRACER_NAME
Type: string
The name of the tracer to initialize. For instance, appdash to use the appdash tracer.
tracing.enabled
ENV: TYK_GW_TRACER_ENABLED
Type: bool
Enable tracing
tracing.options
ENV: TYK_GW_TRACER_OPTIONS
Type: map[string]interface{}
Tracing configuration. Refer to the Tracing Docs for the full list of options.
opentelemetry
Section for configuring OpenTelemetry.
opentelemetry.enabled
ENV: TYK_GW_OPENTELEMETRY_ENABLED
Type: bool
A flag that can be used to enable or disable the trace exporter.
opentelemetry.exporter
ENV: TYK_GW_OPENTELEMETRY_EXPORTER
Type: string
The type of exporter used to send data over the OTLP protocol. This should match the type of the OpenTelemetry collector. Valid values are "grpc" or "http". Defaults to "grpc".
opentelemetry.endpoint
ENV: TYK_GW_OPENTELEMETRY_ENDPOINT
Type: string
OpenTelemetry collector endpoint to connect to. Defaults to "localhost:4317".
opentelemetry.headers
ENV: TYK_GW_OPENTELEMETRY_HEADERS
Type: map[string]string
A map of headers that will be sent with HTTP requests to the collector.
opentelemetry.connection_timeout
ENV: TYK_GW_OPENTELEMETRY_CONNECTIONTIMEOUT
Type: int
Timeout for establishing a connection to the collector. Defaults to 1 second.
opentelemetry.resource_name
ENV: TYK_GW_OPENTELEMETRY_RESOURCENAME
Type: string
Name of the resource, used to identify it in exported telemetry. Defaults to "tyk".
opentelemetry.span_processor_type
ENV: TYK_GW_OPENTELEMETRY_SPANPROCESSORTYPE
Type: string
Type of the span processor to use. Valid values are "simple" or "batch". Defaults to "batch".
opentelemetry.context_propagation
ENV: TYK_GW_OPENTELEMETRY_CONTEXTPROPAGATION
Type: string
Type of the context propagator to use. Valid values are:
- "tracecontext": a propagator that supports the W3C Trace Context format (https://www.w3.org/TR/trace-context/).
- "b3": a propagator that serializes SpanContext to/from the B3 multi-header format.
Defaults to "tracecontext".
opentelemetry.tls
TLS configuration for the exporter.
opentelemetry.tls.enable
ENV: TYK_GW_OPENTELEMETRY_TLS_ENABLE
Type: bool
Flag that can be used to enable TLS. Defaults to false (disabled).
opentelemetry.tls.insecure_skip_verify
ENV: TYK_GW_OPENTELEMETRY_TLS_INSECURESKIPVERIFY
Type: bool
Flag that can be used to skip TLS verification if TLS is enabled. Defaults to false.
opentelemetry.tls.ca_file
ENV: TYK_GW_OPENTELEMETRY_TLS_CAFILE
Type: string
Path to the CA file.
opentelemetry.tls.cert_file
ENV: TYK_GW_OPENTELEMETRY_TLS_CERTFILE
Type: string
Path to the cert file.
opentelemetry.tls.key_file
ENV: TYK_GW_OPENTELEMETRY_TLS_KEYFILE
Type: string
Path to the key file.
opentelemetry.tls.max_version
ENV: TYK_GW_OPENTELEMETRY_TLS_MAXVERSION
Type: string
Maximum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.3".
opentelemetry.tls.min_version
ENV: TYK_GW_OPENTELEMETRY_TLS_MINVERSION
Type: string
Minimum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.2".
opentelemetry.sampling
Defines the configurations to use in the sampler.
opentelemetry.sampling.type
ENV: TYK_GW_OPENTELEMETRY_SAMPLING_TYPE
Type: string
Refers to the policy used by OpenTelemetry to determine whether a particular trace should be sampled or not. It’s determined at the start of a trace and the decision is propagated down the trace. Valid Values are: AlwaysOn, AlwaysOff and TraceIDRatioBased. It defaults to AlwaysOn.
opentelemetry.sampling.rate
ENV: TYK_GW_OPENTELEMETRY_SAMPLING_RATE
Type: float64
Parameter for the TraceIDRatioBased sampler type and represents the percentage of traces to be sampled. The value should fall between 0.0 (0%) and 1.0 (100%). For instance, if the sampling rate is set to 0.5, the sampler will aim to sample approximately 50% of the traces. By default, it’s set to 0.5.
opentelemetry.sampling.parent_based
ENV: TYK_GW_OPENTELEMETRY_SAMPLING_PARENTBASED
Type: bool
Rule that ensures that if we decide to record data for a particular operation, we’ll also record data for all the subsequent work that operation causes (its “child spans”). This approach helps in keeping the entire story of a transaction together. Typically, ParentBased is used in conjunction with TraceIDRatioBased. Using it with AlwaysOn or AlwaysOff might not be as effective since, in those cases, you’re either recording everything or nothing, and there are no intermediary decisions to consider. The default value for this option is false.
newrelic.app_name
ENV: TYK_GW_NEWRELIC_APPNAME
Type: string
New Relic Application name
newrelic.license_key
ENV: TYK_GW_NEWRELIC_LICENSEKEY
Type: string
New Relic License key
newrelic.enable_distributed_tracing
ENV: TYK_GW_NEWRELIC_ENABLEDISTRIBUTEDTRACING
Type: bool
Enable distributed tracing
enable_http_profiler
ENV: TYK_GW_HTTPPROFILE
Type: bool
Enable debugging of your Tyk Gateway by exposing profiling information through https://tyk.io/docs/troubleshooting/tyk-gateway/profiling/
use_redis_log
ENV: TYK_GW_USEREDISLOG
Type: bool
Enables the real-time Gateway log view in the Dashboard.
use_sentry
ENV: TYK_GW_USESENTRY
Type: bool
Enable Sentry logging
sentry_code
ENV: TYK_GW_SENTRYCODE
Type: string
Sentry API code
sentry_log_level
ENV: TYK_GW_SENTRYLOGLEVEL
Type: string
Log verbosity for Sentry logging
use_syslog
ENV: TYK_GW_USESYSLOG
Type: bool
Enable Syslog log output
syslog_transport
ENV: TYK_GW_SYSLOGTRANSPORT
Type: string
Syslog transport to use. Values: tcp or udp.
syslog_network_addr
ENV: TYK_GW_SYSLOGNETWORKADDR
Type: string
Syslog server address
use_graylog
ENV: TYK_GW_USEGRAYLOG
Type: bool
Use Graylog log output
graylog_network_addr
ENV: TYK_GW_GRAYLOGNETWORKADDR
Type: string
Graylog server address
use_logstash
ENV: TYK_GW_USELOGSTASH
Type: bool
Use logstash log output
logstash_transport
ENV: TYK_GW_LOGSTASHTRANSPORT
Type: string
Logstash network transport. Values: tcp or udp.
logstash_network_addr
ENV: TYK_GW_LOGSTASHNETWORKADDR
Type: string
Logstash server address
track_404_logs
ENV: TYK_GW_TRACK404LOGS
Type: bool
Show 404 HTTP errors in your Gateway application logs
statsd_connection_string
ENV: TYK_GW_STATSDCONNECTIONSTRING
Type: string
Address of the StatsD server. If set, StatsD monitoring is enabled.
statsd_prefix
ENV: TYK_GW_STATSDPREFIX
Type: string
StatsD prefix
event_handlers
ENV: TYK_GW_EVENTHANDLERS
Type: apidef.EventHandlerMetaConfig
Event System
hide_generator_header
ENV: TYK_GW_HIDEGENERATORHEADER
Type: bool
HideGeneratorHeader will mask the ‘X-Generator’ and ‘X-Mascot-…’ headers, if set to true.
force_global_session_lifetime
ENV: TYK_GW_FORCEGLOBALSESSIONLIFETIME
Type: bool
Enable global API token expiration. This can be needed if all your APIs use JWT or OAuth 2.0 auth methods with dynamically generated keys.
session_lifetime_respects_key_expiration
ENV: TYK_GW_SESSIONLIFETIMERESPECTSKEYEXPIRATION
Type: bool
SessionLifetimeRespectsKeyExpiration respects the key expiration time when the session lifetime is less than the key expiration. That is, Redis waits until the key expiration before physically removing the key.
global_session_lifetime
ENV: TYK_GW_GLOBALSESSIONLIFETIME
Type: int64
Global session lifetime, in seconds.
kv.KV
ENV: TYK_GW_KV_KV
Type: struct
See https://tyk.io/docs/tyk-configuration-reference/kv-store/ for more details.
kv.consul.address
ENV: TYK_GW_KV_CONSUL_ADDRESS
Type: string
Address is the address of the Consul server
kv.consul.scheme
ENV: TYK_GW_KV_CONSUL_SCHEME
Type: string
Scheme is the URI scheme for the Consul server
kv.consul.datacenter
ENV: TYK_GW_KV_CONSUL_DATACENTER
Type: string
The datacenter to use. If not provided, the default agent datacenter is used.
kv.consul.http_auth.username
ENV: TYK_GW_KV_CONSUL_HTTPAUTH_USERNAME
Type: string
Username to use for HTTP Basic Authentication
kv.consul.http_auth.password
ENV: TYK_GW_KV_CONSUL_HTTPAUTH_PASSWORD
Type: string
Password to use for HTTP Basic Authentication
kv.consul.tls_config.address
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_ADDRESS
Type: string
Address
kv.consul.tls_config.ca_file
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_CAFILE
Type: string
CA file
kv.consul.tls_config.ca_path
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_CAPATH
Type: string
CA Path
kv.consul.tls_config.cert_file
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_CERTFILE
Type: string
Cert file
kv.consul.tls_config.key_file
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_KEYFILE
Type: string
Key file
kv.consul.tls_config.insecure_skip_verify
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_INSECURESKIPVERIFY
Type: bool
Disable TLS validation
kv.vault.token
ENV: TYK_GW_KV_VAULT_TOKEN
Type: string
Token is the vault root token
kv.vault.kv_version
ENV: TYK_GW_KV_VAULT_KVVERSION
Type: int
KVVersion is the version of the Vault KV secrets engine. Usually defaults to 2.
secrets
ENV: TYK_GW_SECRETS
Type: map[string]string
Secrets are key-value pairs that can be accessed in the dashboard via "secrets://".
override_messages
Override the default error code and/or message returned by middleware. The following message IDs can be used to override the message and error codes:
AuthToken message IDs
auth.auth_field_missing
auth.key_not_found
OIDC message IDs
oauth.auth_field_missing
oauth.auth_field_malformed
oauth.key_not_found
oauth.client_deleted
Sample Override Message Setting
"override_messages": {
"oauth.auth_field_missing": {
"code": 401,
"message": "Token is not authorized"
}
}
cloud
ENV: TYK_GW_CLOUD
Type: bool
Cloud flag indicates that the Gateway runs in Tyk Cloud.
jwt_ssl_insecure_skip_verify
ENV: TYK_GW_JWTSSLINSECURESKIPVERIFY
Type: bool
Skip TLS verification when fetching the JWKS URL used for JWT validation.
resource_sync
ResourceSync configures mitigation strategy in case sync fails.
resource_sync.retry_attempts
ENV: TYK_GW_RESOURCESYNC_RETRYATTEMPTS
Type: int
RetryAttempts defines the number of retries that the Gateway should perform during a resource sync (APIs or policies), defaulting to zero which means no retries are attempted.
resource_sync.interval
ENV: TYK_GW_RESOURCESYNC_INTERVAL
Type: int
Interval configures the interval in seconds between each retry on a resource sync error.
oas_config
OAS holds the configuration for various OpenAPI-specific functionalities
oas_config.validate_examples
ENV: TYK_GW_OAS_VALIDATEEXAMPLES
Type: bool
ValidateExamples enables validation of values provided in example and examples fields against the declared schemas in the OpenAPI Document. Defaults to false.
oas_config.validate_schema_defaults
ENV: TYK_GW_OAS_VALIDATESCHEMADEFAULTS
Type: bool
ValidateSchemaDefaults enables validation of values provided in default fields against the declared schemas in the OpenAPI Document. Defaults to false.