Mikhail Babitski edited this page Sep 21, 2023 · 11 revisions

The configuration file for Tempesta FW is a simple text file. The file location is passed to the Tempesta FW kernel module as a parameter and can't be changed until the module is unloaded. See Run & stop for complete instructions.

The configuration file is C-program-like: you must define something before using it. E.g. a server group must be defined before its first use in load balancing rules:

srv_group static {
	server 10.10.0.1;
}
sched_http_rules {
	match static uri prefix "/static/";
}
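An added example, not part of the Tempesta FW wiki or project code: a small Python check for the define-before-use rule described above. It assumes only the directive forms that appear on this page (srv_group, vhost, proxy_pass, match, and -> targets in http_chain); check_order and BAD_CONF are hypothetical names.

```python
import re

# Covers only the directive forms shown on this page (assumption); this is a
# constructed linter, not Tempesta FW's own configuration parser.
DEFINE = re.compile(r"^(srv_group|vhost)\s+(\S+)\s*\{")
USES = [
    ("srv_group", re.compile(r"^proxy_pass\s+(\S+?)\s*;")),  # inside vhost
    ("srv_group", re.compile(r"^match\s+(\S+)\s")),          # sched_http_rules
    ("vhost", re.compile(r"->\s*(\S+?)\s*;")),               # http_chain target
]

def check_order(conf_text):
    """Return (line_no, kind, name) for every reference to a srv_group or
    vhost that has not been defined on an earlier line."""
    defined = {"srv_group": set(), "vhost": set()}
    problems = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line or line.startswith("!include"):
            continue  # included files are not followed here
        m = DEFINE.match(line)
        if m:
            defined[m.group(1)].add(m.group(2))
            continue
        for kind, rx in USES:
            m = rx.search(line)
            if m and m.group(1) not in defined[kind]:
                problems.append((no, kind, m.group(1)))
    return problems

# Constructed sample: the quick-start blocks with srv_group moved below vhost.
BAD_CONF = """\
listen 192.168.100.4:443 proto=https;
vhost my_hostname {
    proxy_pass default;
}
srv_group default {
    server 127.0.0.1:8080 conns_n=4;
}
http_chain {
    -> my_hostname;
}
"""

if __name__ == "__main__":
    for no, kind, name in check_order(BAD_CONF):
        print(f"line {no}: {kind} '{name}' is used before it is defined")
```

Running such a check before loading the module catches ordering mistakes early; files pulled in with !include are not followed by this sketch.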

Configuration directives are described on the Tempesta FW Wiki pages, and a brief description is provided as a sample configuration file.

Quick start

Install Tempesta FW

Install Tempesta FW from sources or binary packages. Don't forget to check the system requirements.

Configure

You can use this configuration file to quickly start Tempesta FW in a configuration like the one we showed in the FOSDEM talk:

# cat etc/tempesta_fw.conf 
listen 192.168.100.4:443 proto=https;
listen 192.168.100.4:80;

# Example include usage
# !include /etc/tempesta/sites/*

srv_group default {
    server 127.0.0.1:8080 conns_n=4;
}

vhost my_hostname {
    tls_certificate /root/tempesta/etc/tfw-root.crt;
    tls_certificate_key /root/tempesta/etc/tfw-root.key;

    proxy_pass default;
}

cache 1;
cache_fulfill * *;

block_action attack reply;

http_chain {
    -> my_hostname;
}

!include /etc/tempesta/sites/* - You can use the !include directive to include all Tempesta config files that match the pattern (/etc/tempesta/sites/*) and its subdirectories.

192.168.100.4 is the listening IP address for Tempesta FW. Read more about this configuration option in the Handling clients chapter.

The my_hostname host name must resolve to this address. The host name is important for TLS SNI, so use the real name of your machine. You can find details on how to configure Tempesta TLS in the TLS chapter. Note that you need to place your certificate and the private key into the Tempesta FW configuration directory. In this case Tempesta FW was built from sources, so the configuration directory is located right in the tempesta/etc directory. You can generate self-signed certificates with OpenSSL.

127.0.0.1:8080 is the address of the backend (upstream) server. Tempesta FW is a pure HTTPS accelerator, so it requires some HTTP server to get content from. Read more about backend configuration in the Servers chapter.

The cache options cache and cache_fulfill specify that all the content will be cached by Tempesta FW. You can find details on how to configure these options in the Caching chapter.

Run!

In most cases you just need to run:

tempesta.sh --start

Check the Run & Stop page for more instructions about the Linux settings and the relative path of the startup script.
