title | summary |
---|---|
TiProxy Configuration File |
Learn how to configure TiProxy. |
This document introduces the configuration parameters related to the deployment and use of TiProxy. The following is an example configuration:
[proxy]
addr = "0.0.0.0:6000"
max-connections = 100
[api]
addr = "0.0.0.0:3080"
[ha]
virtual-ip = "10.0.1.10/24"
interface = "eth0"
[security]
[security.cluster-tls]
skip-ca = true
[security.sql-tls]
skip-ca = true
This section introduces the configuration parameters of TiProxy.
Tip:
If you need to adjust the value of a configuration item, refer to Modify the configuration. Normally the modification leads to a restart. Because TiProxy supports hot-reloading, you can skip restart by executing
tiup cluster reload --skip-restart
.
Configuration for SQL port.
- Default value:
0.0.0.0:6000
- Support hot-reload: no
- SQL gateway address. The format is
<ip>:<port>
.
- Default value:
""
- Support hot-reload: no
- Specifies the address that clients use to connect to this TiProxy instance. This configuration item is automatically set when you deploy TiProxy using TiUP or TiDB Operator. If not set, the external IP address of the TiProxy instance is used.
- Default value:
0
- Support hot-reload: yes
- Unit: second
- When TiProxy shuts down, the HTTP status returns unhealthy but the SQL port still accepts new connections for
graceful-wait-before-shutdown
seconds. After that, it rejects new connections and drains clients. It is recommended to set it to0
when there are no other proxies (e.g. NLB) between the client and TiProxy.
- Default value:
15
- Support hot-reload: yes
- Unit: second
- When TiProxy shuts down, it closes connections when they have completed their current transactions (also known as draining clients) within
graceful-close-conn-timeout
seconds. After that, all the connections are closed at once.graceful-close-conn-timeout
happens aftergraceful-wait-before-shutdown
. It is recommended to set this timeout longer than the lifecycle of a transaction.
- Default value:
0
- Support hot-reload: yes
- Each TiProxy instance can accept
max-connections
connections at most.0
means no limitation.
- Default value:
32768
- Support hot-reload: yes, but only for new connections
- Range:
[1024, 16777216]
- This configuration item lets you decide the connection buffer size. Each connection uses one read buffer and one write buffer. It is a tradeoff between memory and performance. A larger buffer might yield better performance results but consume more memory. When it is
0
, TiProxy uses the default buffer size.
- Default value:
127.0.0.1:2379
- Support hot-reload: no
- The PD addresses TiProxy connects to. TiProxy discovers TiDB instances by fetching the TiDB list from the PD. It is set automatically when TiProxy is deployed by TiUP or TiDB Operator.
- Default value:
""
- Support hot-reload: yes, but only for new connections
- Possible values:
""
,"v2"
- Enable the PROXY protocol on the port. By enabling the PROXY protocol, TiProxy can pass the real client IP address to TiDB.
"v2"
indicates using the PROXY protocol version 2, and""
indicates disabling the PROXY protocol. If the PROXY protocol is enabled on TiProxy, you need to also enable the PROXY protocol on the TiDB server.
Configurations for HTTP gateway.
- Default value:
0.0.0.0:3080
- Support hot-reload: no
- API gateway address. You can specify
ip:port
.
- Default value:
""
- Support hot-reload: no
- Possible values:
""
,"v2"
- Enable the PROXY protocol on the port.
"v2"
indicates using the PROXY protocol version 2, and""
indicates disabling the PROXY protocol.
Configurations for the load balancing policy of TiProxy.
- Default value:
""
- Support hot-reload: yes
- Specifies the label name used for label-based load balancing. TiProxy matches the label values of TiDB servers based on this label name and prioritizes routing requests to TiDB servers with the same label value as itself.
- The default value of
label-name
is an empty string, indicating that label-based load balancing is not used. To enable this load balancing policy, you need to set this configuration item to a non-empty string and configure bothlabels
in TiProxy andlabels
in TiDB. For more information, see Label-based load balancing.
- Default value:
resource
- Support hot-reload: yes
- Possible values:
resource
,location
,connection
- Specifies the load balancing policy. For the meaning of each possible value, see TiProxy load balancing policies.
High availability configurations for TiProxy.
- Default value:
""
- Support hot-reload: no
- Specifies the virtual IP address in the CIDR format, such as
"10.0.1.10/24"
. In a cluster with multiple TiProxy instances, only one instance binds to the virtual IP. If this instance goes offline, another TiProxy instance will automatically bind to the IP, ensuring clients can always connect to an available TiProxy through the virtual IP.
Note:
- Virtual IP is only supported on Linux operating systems.
- The Linux user running TiProxy must have permission to bind IP addresses.
- The virtual IP and the IPs of all TiProxy instances must be within the same CIDR range.
- Default value:
""
- Support hot-reload: no
- Specifies the network interface to bind the virtual IP to, such as
"eth0"
. The virtual IP will be bound to a TiProxy instance only when bothha.virtual-ip
andha.interface
are set.
- Default value:
{}
- Support hot-reload: yes
- Specifies server labels. For example,
{ zone = "us-west-1", dc = "dc1" }
.
- Default value:
info
- Support hot-reload: yes
- Possible values:
debug
,info
,warn
,error
,panic
- Specify the log level. With the
panic
level, TiProxy will panic on errors.
-
Default value:
tidb
-
You can specify:
tidb
: format used by TiDB. For details, refer to Unified Log Format.json
: structured JSON format.console
: human-readable log format.
- Default value:
""
- Support hot-reload: yes
- Log file path. Non empty value will enable logging to file. When TiProxy is deployed with TiUP, the filename is set automatically.
- Default value:
300
- Support hot-reload: yes
- Unit: MB
- Specifies the maximum size for log files. A log file will be rotated if its size exceeds this limit.
- Default value:
3
- Support hot-reload: yes
- Specifies the maximum number of days to keep old log files. Outdated log files are deleted after surpassing this period.
- Default value:
3
- Support hot-reload: yes
- Specifies the maximum number of log files to be retained. Surplus log files will be automatically deleted when an excessive number is reached.
There are four TLS objects in the [security]
section with different names. They share the same configuration format and fields, but they are interpreted differently depending on their names.
[security]
[sql-tls]
skip-ca = true
[server-tls]
auto-certs = true
All TLS options are hot-reloaded.
TLS object fields:
ca
: specifies the CAcert
: specifies the certificatekey
: specifies the private keyauto-certs
: mostly used for tests. It generates certificates if no certificate or key is specified.skip-ca
: skips verifying certificates using CA on client object or skips server-side verification on server object.min-tls-version
: sets the minimum TLS version. Possible values are1.0
、1.1
、1.2
, and1.3
. The default value is1.2
, which allows v1.2 or higher TLS versions.rsa-key-size
: sets the RSA key size whenauto-certs
is enabled.autocert-expire-duration
: sets the default expiration duration for auto-generated certificates.
Objects are classified into client or server objects by their names.
For client TLS object:
- You must set either
ca
orskip-ca
to skip verifying server certificates. - Optionally, you can set
cert
orkey
to pass server-side client verification. - Useless fields: auto-certs.
For server TLS object:
- You can set either
cert
orkey
orauto-certs
to support TLS connections. Otherwise, TiProxy doesn't support TLS connections. - Optionally, if
ca
is not empty, it enables server-side client verification. The client must provide their certificates. Alternatively, if bothskip-ca
is true andca
is not empty, the server will only verify client certificates if they provide one.
A client TLS object. It is used to access TiDB or PD.
- Default value:
false
- Support hot-reload: yes, but only for new connections
- Require TLS between TiProxy and TiDB servers. If the TiDB server does not support TLS, clients will report an error when connecting to TiProxy.
A client TLS object. It is used to access TiDB SQL port (4000).
A server TLS object. It is used to provide TLS on SQL port (6000).
A server TLS object. It is used to provide TLS on HTTP status port (3080).