Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
432 lines (389 sloc) 20.2 KB
######################################################################################
# #
# DATA #
# #
######################################################################################
# Specify the directory where the publication server will store its data.
# Note that clustering through a shared data directory is not supported.
# But, we plan to look into a proper clustering solution later.
#
### data_dir = "./data"
# Specify the path to the PID file for Krill.
#
# Defaults to "krill.pid" under the 'data_dir' specified above.
#
### pid_file = "./data/krill.pid"
######################################################################################
# #
# LOGGING #
# #
######################################################################################
# Log level
#
# The maximum log level ("off", "error", "warn", "info", or "debug") for
# which to log messages.
#
# Defaults to "warn"
#
### log_level = "warn"
# Log type
#
# Where to log to. One of "stderr" for stderr, "syslog" for syslog, or "file"
# for a file. If "file" is given, the "log_file" field needs to be given, too.
#
### log_type = "file"
# Syslog facility
#
# The syslog facility to log to if syslog logging is used. Defaults to "daemon".
#
### syslog_facility = "daemon"
# Log file
#
# The path to the file to log to if file logging is used. If the path is
# relative, it is relative to the current working directory from which
# the binary is executed.
#
### log_file = "./krill.log"
######################################################################################
# #
# ACCESS #
# #
######################################################################################
# Admin Token
#
# Define an admin token that can be used to interact with the API. Token use
# is modelled after OAuth 2.0 Bearer Tokens (RFC 6750), which are expected be
# included as an HTTP header in requests by clients.
#
# If you do not specify a value here, the server will insist that you provide
# a token as an environment variable with the key "KRILL_ADMIN_TOKEN".
#
### admin_token =
# Specify the ip addresses and port number that the server will use.
#
# Note: by default Krill uses "127.0.0.1" (IPv4 localhost) as its IP address.
# We recommend that you keep this setting and use a proxy server such as NGINX
# or Apache if you must make your Krill instance accessible remotely.
#
# You can use the 'ip' setting in this config file to override the default. You
# can specify a single IP address or an array of addresses.
#
# If you want to support remote delegated CAs to be children under a CA and/or
# publish their content, then you should set the "service uri" setting described
# below. If you do not set this, then Krill will use the (first) IP address as
# the hostname for this settting.
#
#
### ip = "127.0.0.1" # default
### ip = [ "127.0.0.1", "::1" ] # multiple IP addresses
### port = 3000 # applies to all ip addresses
# Specify the HTTPS mode. Krill supports three modes:
#
# "generate" (DEFAULT)
#
# Krill will generate a key pair and create a self-signed certificate
# if no previous key pair or certificate is found. File names used
# are data_dir/ssl/key.pem and data_dir/ssl/cert.pem respectively.
#
# "existing"
#
# Krill expects an existing key pair and certificate in the same
# locations where it would otherwise store its generated key pair
# and self-signed certificate.
#
# "disable"
#
# Krill will use plain HTTP.
#
# This mode is not recommended as HTTPS adds little overhead, and
# even with a self-signed certificate provides better security
# out of the box.
#
# That said, if you are running an HTTPS proxy server on the same
# host as Krill and Krill is listening on localhost only, then
# using plain HTTP between Krill and your proxy server may be an
# option you would want to use.
#
# We recommend STRONGLY that you do not use this option if your
# Krill instance is configured to bind to a public IP address.
#
# **NOTE**: Even if you use "disable" here, Krill still insists on
# using HTTPS for its service_uri. See below.
#
### https_mode = "generate"
# Specify the base public service URI hostname and port.
#
# The default service URI is set to https://localhost:3000/. This is fine for
# setups where you use Krill to run your own CA only. You do not need to set this
# to enable remote access to the UI or API (e.g. for using the CLI remotely).
# Simply setting up a proxy suffices for this.
#
# However, if you are serving as a parent CA or Publication Server that needs
# to be accessible by remote CAs, then you will need to tell your Krill instance
# what its public (base) URI will be, so that it can include the proper URIs
# in responses to those CAs.
#
# Note that Krill insists on HTTPS for this, even if you elect to use "disable"
# for the https_mode. The reason is that, while RFC 6492 (provisioning) and
# RFC 8181 (publication) allow for plain HTTP and provide security through
# signed messages, we believe it is better if this (remote) traffic is also
# encrypted and one can (and should) use an HTTPS capable proxy in this case.
#
# At present this MUST be an https URI with a hostname and optional port number only.
# It is not allowed to use a Krill specific path prefix. If you have a strong
# motivation for this, then please comment on the following github issue:
# https://github.com/NLnetLabs/krill/issues/263
#
# Krill UI, API and service URIs will be derived as follows:
# <service_uri>api/v1/... (api)
# <service_uri>rfc6492 (for remote children)
# <service_uri>... (various UI resources)
### service_uri = "https://localhost:3000/"
######################################################################################
# #
# METRICS #
# #
######################################################################################
# Krill exposes metrics for use with Prometheus under: <service_uri>/metrics
#
# By default a lot of details are included in these metrics. Generating these metrics
# is not particularly hard on Krill, but in case you have many CAs, children or publishers
# under your Krill instance you may still want to disable certain metrics to reduce
# the amount of data fetched and stored by Prometheus.
#
# Note that you can also get all of this information through the API, so there
# are other ways than using Prometheus to monitor details.
# Always enabled:
#################
#
# krill_server_start unix timestamp in seconds of last Krill server start
# krill_version_major Krill server major version number
# krill_version_minor Krill server minor version number
# krill_version_patch Krill server patch version number
# krill_cas number of cas in Krill
#
# [with multi-user support enabled (default)]
# krill_auth_session_cache_size total number of cached login session tokens
# Per CA details:
#################
#
# There are a number of metrics which use a label like {ca="ca_name"}. You can disable
# all of them by setting:
#
# metrics_hide_ca_details = true
#
# krill_ca_parent_success{ca="ca", parent="parent"} status of last CA to parent connection (0=issue, 1=success)
# krill_ca_parent_last_success_time{ca="ca", parent="parent"} unix timestamp in seconds of last successful CA to parent connection
# krill_ca_ps_success{ca="ca"} status of last CA to Publication Server connection (0=issue, 1=success)
# krill_ca_ps_last_success_time{ca="ca"} unix timestamp in seconds of last successful CA to Publication Server connection
# krill_ca_ps_next_planned_time{ca="ca"} unix timestamp in seconds of next planned CA to Publication Server connection (unless e.g. ROAs are changed)
#
# CA -> Child metrics
# -------------------
#
# NOTE: These metrics are only shown if you have any child CAs under your CA(s) in Krill.
#
# By default Krill will also show metrics on child CAs for each CA. If you left the
# showing CA details enabled, but you wish to hide these details then you can do so
# by setting:
#
# metrics_hide_child_details = true
#
# krill_cas_children{ca="ca"} number of children for CA
# krill_ca_child_success{ca="ca", child="child"} status of last child to CA connection (0=issue, 1=success)
# krill_ca_child_state{ca="ca", child="child"} child state (see 'suspend_child_after_inactive_hours' config) (0=suspended, 1=active)
# krill_ca_child_last_connection{ca="ca", child="child"} unix timestamp in seconds of last child to CA connection
# krill_ca_child_last_success{ca="ca", child="child"} unix timestamp in seconds of last successful child to CA connection
# krill_ca_child_agent_total{ca="ca", user_agent="ua string"} total children per user agent based on their last connection
#
# CA -> ROA metrics
# -----------------
#
# By default Krill will also show metrics on ROAs in relation to known BGP announcements
# for each CA. If you left the showing CA details enabled, but you wish to hide these details
# then you can do so by setting:
#
# metrics_hide_roa_details = true
#
# krill_cas_bgp_announcements_valid{ca="ca"} number of announcements seen for CA resources with RPKI state VALID
# krill_cas_bgp_announcements_invalid_asn{ca="ca"} number of announcements seen for CA resources with RPKI state INVALID (ASN mismatch)
# krill_cas_bgp_announcements_invalid_length{ca="ca"} number of announcements seen for CA resources with RPKI state INVALID (prefix exceeds max length)
# krill_cas_bgp_announcements_not_found{ca="ca"} number of announcements seen for CA resources with RPKI state NOT FOUND (none of the CA's ROAs cover this)
# krill_cas_bgp_roas_too_permissive{ca="ca"} number of ROAs for this CA which allow excess announcements (0 may also indicate that no BGP info is available)
# krill_cas_bgp_roas_redundant{ca="ca"} number of ROAs for this CA which are redundant (0 may also indicate that no BGP info is available)
# krill_cas_bgp_roas_stale{ca="ca"} number of ROAs for this CA for which no announcements are seen (0 may also indicate that no BGP info is available)
# krill_cas_bgp_roas_total{ca="ca"} total number of ROAs for this CA
# Publication Server metrics
############################
# Always enabled if you have an active Publication Server
#########################################################
# krill_repo_publisher number of publishers in repository
# krill_repo_rrdp_last_update unix timestamp in seconds of last update by any publisher
# krill_repo_rrdp_serial RRDP serial
# Per Publisher metrics
#######################
# The following metrics can be disabled by setting:
# metrics_hide_publisher_details = true
#
# krill_repo_objects{publisher="publisher"} number of objects in repository for publisher
# krill_repo_size{publisher="publisher"} size of objects in bytes in repository for publisher
# krill_repo_last_update{publisher="publisher"} unix timestamp in seconds of last update for publisher
######################################################################################
# #
# OTHER SEVER SETTINGS #
# #
######################################################################################
# CA certificate refresh rate
#
# This defines the rate, in seconds, for Krill CAs to to contact their parent CA
# via the RFC 6492 up-down protocol and query for updates in resource entitlements.
#
# Minimum value is 1 hour (3600 seconds), maximum is 3 days. Values below of this range
# are set to the minimum, values above this range are capped at the maximum.
#
# Defaults to 24 hours: 86400 seconds
#
# This value is specified in seconds for compatability with earlier Krill versions.
#
### ca_refresh_seconds = 86400
# CA certificate refresh jitter
#
# In order to avoid that many child CAs contact their parent at the same time
# Krill adds a random extra 'jitter' time between 0 and the number of seconds
# specified using 'ca_refresh_jitter_seconds'.
#
# Defaults to 12 hours: 43200 seconds.
#
# Values are capped to a maximum of: 50% of ca_refresh_seconds
#
### ca_refresh_jitter_seconds = 43200
# Enable loading BGP Dumps from RIS for ROA vs BGP analysis.
#
# bgp_risdumps_enabled = true
# bgp_risdump_v4_uri = http://www.ris.ripe.net/dumps/riswhoisdump.IPv4.gz
# bgp_risdump_v6_uri = http://www.ris.ripe.net/dumps/riswhoisdump.IPv6.gz
# Restrict size of messages sent to the API.
#
# Default 256 kB
#
### post_limit_api = 262144
# Restrict size of messages sent to the RFC 6492 up-down protocol. Only relevant
# if you operate Krill as a parent to other CAs.
#
# Default 1MB (enough for a keyroll with certs of ~400kb, the biggest known cert is 220kB)
#
### post_limit_rfc6492 = 1048576
# Set the timeout for a complete RFC 6492 and RFC 8181 client HTTP request-response
# round-trip to the parent or publisher, excluding the time required to establish
# the connection.
#
# Default is double what it was in Krill <0.9.5 and should be long enough in most
# cases. Change this if you see timeout errors.
#
# Defaults to 4 minutes
#
### post_protocol_msg_timeout_seconds = 240
######################################################################################
# #
# --------======== DANGER ZONE ========-------- #
# #
# Do not change the options below, unless you are really certain that you need to #
# override Krill's default behaviour. #
# #
######################################################################################
# Set the following to true to force Krill to always perform full rechecks
# of its data directories at startup. This is disabled by default because
# if can slow down startup significantly.
#
# By default Krill will do some basic checks at startup already, and if any
# errors are encountered force a full recovery automatically: Krill will try
# to load all its state in its internal memory cache at startup. If there are
# no errors in reloading the latest 'info' about the state, any surplus data
# will be assumed to be the result from an incompletely finished transaction - or -
# a data directory backup which was taken during a transaction. In either case
# additional data is discarded and the last (committed) state is recreated.
#
# Note that this 'recovery' will make Krill fall back to the last possible
# consistent state that it can. But, there may be important changes missing.
# For example any changes in ROAs made after the last recoverable state will
# be missing. You will have to verify the state yourself.
#
# In short: use this option only if you suspect that there is an issue with
# your backed up data. And if you do, you may want to set the ENV variable
# "KRILL_UPGRADE_ONLY" as well, in order to force that Krill exits after doing
# all its data checks and clean ups, and you have a chance to check the logs
# before proceeding.
#
### always_recover_data = false
#
# ROA Aggregation
#
# It is recommended that separate ROAs are used for each authorized prefix, even
# though the RFC allows for multiple prefixes for the same ASN to be combined on
# a single ROA object. The reason for this is that the ROA will become invalid
# if any of the listed prefixes no longer appears on your CA's certificate. Note
# that Krill will automatically clean up over-claiming ROAs when it finds that its
# resources have been shrunk, but there is a possible time window where ROAs can
# be invalid before Krill discovers the shrinkage.
#
# That said, if there would be too many ROAs then this will impact all RPKI
# validators, therefore Krill will by default start aggregating ROAs per ASN
# when more than 100 ROAs would be issued. Conversely, Krill will start de-
# aggregating again when the number of authorizations drops below 90.
#
# This behaviour can be overridden with the following directives:
# roa_aggregate_threshold = 100
# roa_deaggregate_threshold = 90
#
# Republication Intervals
#
# The RPKI uses Manifests (RFC 6486) to communicate the list of current RPKI
# objects (such as ROAs) to RPKI Validators. Manifests are used to protect against
# attacks, or incidents, where Validators only see a partial view of the RPKI
# repository. For this to work properly Validators will need to know how 'fresh'
# the Manifests are - otherwise they would be vulnerable to replay attacks where
# they are presented old versions of Manifests thus withholding them from discovering
# new RPKI objects.
#
# Krill issues manifests with a default next update and validity period of 24 hours,
# plus a random value between 0 and 4 hours. This random value is added in order to
# spread out scheduled next publication times between CAs.
#
# This means that the maximum replay window is 28 hours. Krill checks every 10 minutes
# whether the next update time is less then 8 hours (by default) in the future, and in
# that case it will re-issue them to avoid that Validators would end up with expired
# manifests. This means that an operator has a minimum of just under 8 hours to deal
# with issues with their CA or Publication Server before RPKI Validators would notice.
#
# The default values can be overridden, but with care.. make the next update interval
# too short and this causes too much work for all RPKI validators, puts load on your
# publication server and shortens your window to deal with issues. Make it too long
# and you could be vulnerable to replay attacks. Re-issue to quickly and again you
# cause extra load to RPKI validators and publication server.
#
# All that said.. if you are willing to accept the, in practice, small risk of a replay
# attack then you could for example opt for a 'timing_publish_next_hours' value of
# 48 hours, and a 'timing_publish_hours_before_next' value of 24 hours. That way you
# would have a full day to fix issues.
#
# timing_publish_next_hours = 24 # (must be 2 or higher)
# timing_publish_next_jitter_hours = 4 # must be 0 - timing_publish_next_hours / 2
# timing_publish_hours_before_next = 8 # (must be 1 or higher)
#
# ROA and Delegate Certificate Times
#
# Krill will issue ROAs, and child CA certificates if you have delegated resources
# to child CAs, with a "not after" time of 52 weeks from issuance, and it will
# re-issue those ROAs and certificates 4 weeks before they would expire.
#
# Because of the automatic renewal there should be no real need to use longer
# validity times. In fact using longer times could have a negative impact on
# Validator performance because the Certificate Revocation Lists would become
# bigger.
#
# So, we do NOT recommend overriding the following values, except perhaps for
# testing purposes:
# timing_child_certificate_valid_weeks = 52
# timing_child_certificate_reissue_weeks_before = 4
# timing_roa_valid_weeks = 52
# timing_roa_reissue_weeks_before = 4