## RESTHeart Configuration File. --- #### Listeners # Listeners allow to specify the protocol, ip, port and to use. # The supported protocols are: http, https and ajp. You can setup a listener per protocol (up to 3). # WARNING: RESTHeart uses basic authentication; usernames and passwords are sent over the net on each request. # Using the http listener is not secure: users credentials can be sniffed by a man-in-the-middle attack. # Use the http listener only on trusted environments. https-listener: true https-host: 0.0.0.0 https-port: 4443 http-listener: true http-host: 0.0.0.0 http-port: 8080 ajp-listener: false ajp-host: 0.0.0.0 ajp-port: 8009 #### Instance # The name of this restheart instance. displayed in log, also allows to implement instance specific custom code # For instance, an email notifier hook can send emails to a test email address in development environments instance-name: {{{ instance-name }}} # Optional base URL for the instance. When RESTHeart is exposed via a reverse-proxy # or an API gateway it allows mapping the Location header correctly. #instance-base-url: http://localhost #### default representation format (PLAIN_JSON or HAL) default-representation-format: {{{ default-representation-format }}} #### use Ansi console for logging. Default to 'true' if parameter missing, for backward compatibility ansi-console: true #### Allow unescaped characters in URL # Starting with Undertow 1.4.23 URLs validation became much stricter. # However, this is breaking existing clients. Now you can decide which behaviour you prefer allow-unescaped-characters-in-url: true #### SSL Configuration # Configure the keystore to enable the https listener. # RESTHeart comes with a self-signed certificate that makes straightforward enabling https. # Specify use-embedded-keystore: true to use it (this is the default setting). # Using the self-signed certificate leads to issues with some clients; # for instance, with curl you need to specify the "--insecure" option or you'll get an error message. use-embedded-keystore: true # To use your own certificate you need to import it (and eventually the CA certificates chain) into a java keystore # and specify use-embedded-keystore: false and the keystore-file,keystore-password and certpassword configuration properties. # Refer to the java keystore documentation for that. #keystore-file: /path/to/keystore/file #keystore-password: password #certpassword: password #### MongoDB # Specify the mongodb connection using a Mongo Client URI. # The format of the URI is: # mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]] # # The URI option authSource allows to specify the authetication database, example: # mongodb://user:secret@127.0.0.1/?authSource=authdb # # More information at http://api.mongodb.org/java/current/com/mongodb/MongoClientURI.html # Be sure that the following credentials match with the # MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD in docker-compose.yml # WARNING: change in both files the below default credentials! mongo-uri: {{{ mongo-uri }}} # Use mongo-mounts to bind URls to mongodb resources using the out-of-the-box URL rewrite feature. # The where URI can be an absolute path (eg. /api) or path template (eg. /{foo}/bar/*). # The values of the path templates properties are available: # - in the what property (e.g. what: /{foo}_db/coll) # - programmatically from RequestContext.getPathTemplateParamenters() method. # It is not possible to mix absolute paths and path templates: where URIs need to be # either all absolute paths or all path templates. mongo-mounts: - what: "*" where: / #### Static Web Resources # Static web resources to bind to the specified URL. # The 'what' property is the path of the directory containing the resources. # The path is either absolute (starting with /) or relative to the restheart.jar directory # If embedded is true, the resources are either included in the restheart.jar or in the classpath static-resources-mounts: - what: browser where: /browser welcome-file: browser.html secured: false embedded: true ### Initializer # A custom initializer implmenting the org.restheart.init.Initializer interface # Can be used to inizialize data or add global transformers, checkers or security predicates # See org.restheart.init.TestInitializer for a simple example #initializer-class: org.restheart.init.TestInitializer #### Application Logic # RESTHeart has a pipeline architecture where specialized undertow handlers are chained to serve the requests. # In order to provide additional application logic, custom hanlders pipes can be bound under the /_logic URL. # The custom hanlder must extends the org.restheart.handlers.ApplicationLogicHandler class # Use application-logic-mounts to configure custom handlers. # In the following example two built-in application logic handlers are defined: # PingHandler bound to /_logic/ping that implements a simple ping service # GetRoleHandler bound to /_logic/roles that returns the current user authentication status and eventually its roles # CacheInvalidator bound to /_logic/ic that invalidates a db or collection cache entry application-logic-mounts: - what: org.restheart.handlers.applicationlogic.PingHandler where: /ping secured: false args: msg: "ciao from the restheart team" - what: org.restheart.handlers.applicationlogic.GetRoleHandler where: /roles secured: false args: url: /_logic/roles - what: org.restheart.handlers.applicationlogic.CacheInvalidator where: /ic secured: true - what: org.restheart.handlers.applicationlogic.CsvLoaderHandler where: /csv secured: true ### Metadata Named Singletons # Metadata implementation can rely on singletons, this section configures the # singleton factory #org.restheart.metadata.NamedSingletonsFactory metadata-named-singletons: # checkers group used by handler: # org.restheart.handlers.metadata.CheckMetadataHandler # More information in checkers javadoc - group: checkers interface: org.restheart.metadata.checkers.Checker singletons: - name: jsonSchema class: org.restheart.metadata.checkers.JsonSchemaChecker - name: checkContent class: org.restheart.metadata.checkers.JsonPathConditionsChecker - name: checkContentSize class: org.restheart.metadata.checkers.ContentSizeChecker # transformers group used by handlers: # org.restheart.handlers.metadata.RequestTransformerMetadataHandler and # org.restheart.handlers.metadata.ResponseTransformerMetadataHandler # More information in transformers javadoc - group: transformers interface: org.restheart.metadata.transformers.Transformer singletons: - name: addRequestProperties class: org.restheart.metadata.transformers.RequestPropsInjecterTransformer - name: filterProperties class: org.restheart.metadata.transformers.FilterTransformer - name: stringsToOids class: org.restheart.metadata.transformers.ValidOidsStringsAsOidsTransformer - name: oidsToStrings class: org.restheart.metadata.transformers.OidsAsStringsTransformer - name: writeResult class: org.restheart.metadata.transformers.WriteResultTransformer - name: hashProperties class: org.restheart.metadata.transformers.HashTransformer # hooks group used by handler: # org.restheart.handlers.metadata.HookHandler # More information in hook javadoc - group: hooks interface: org.restheart.metadata.hooks.Hook singletons: - name: snooper class: org.restheart.metadata.hooks.SnooperHook ### Security # The security is configured by setting: # idm: the Identity Manager responsible of authentication # access-manager: the Access Manager responsible of authorization # auth-mechanism: the additional Authentication Mechanism to use # The RESTHeart security is pluggable and you can provide you own # implementation of both IDM and AM. the provided default # implementations of IDM and AM are SimpleFileIdentityManager, # DbIdentityManager, JwtIdentityManager and SimpleAccessManager. # conf-file paths are either absolute (starting with /) # or relative to the restheart.jar directory idm: implementation-class: org.restheart.security.impl.SimpleFileIdentityManager conf-file: ./etc/security.yml access-manager: implementation-class: org.restheart.security.impl.SimpleAccessManager conf-file: ./etc/security.yml # RESTHeart uses the BasicAuthenticationMechanism by default. # A different mechanism can be specified via the auth-mechanism configuration option # the implementation-class must specify a factory class implementing # the interface org.restheart.security.AuthenticationMechanismFactory # See http://undertow.io/undertow-docs/undertow-docs-2.0.0/index.html#security # JwtAuthenticationManagerFactory and IdentityAuthenticationManagerFactory # for example implementations # Identity Authentication Manager # All requests are bound to the specified user #auth-mechanism: # implementation-class: org.restheart.security.impl.IdentityAuthenticationManagerFactory # username: a # pwd: a # Jwt Authentication Manager # Authentication via Json Web Token https://jwt.io # algorithm: RSA (RS256 | RS384 |RS512) or HMAC (HS256 | HS384 | HS512) # key: for RSA the base64 encoded of the public key; for HMAC, the secret key # base64Encoded: set to true if the jwt token is base64 encoded. optional, default valud: false # usernameClaim: the claim that holds the username. optional, default value: 'sub' (jwt subject). # rolesClaim: the claim that holds the roles as string or array of strings # issuer: verify the issues (iss claim). optional, default value matches: null (don't check iss) # audience: verify the audience (aud claim). optional, default value matches: null (don't check aud) #auth-mechanism: # implementation-class: org.restheart.security.impl.JwtAuthenticationManagerFactory # algorithm: HS256 # key: secret # base64Encoded: false # usernameClaim: sub # rolesClaim: roles # issuer: myIssuer # audience: myAudience # Authentication Token # Note: you need to pay attention to the authentitcation token in case of multi-node deployments (horizontal scalability). # In this case, you need to either disable it or use a load balancer with the sticky session option # or use a distributed auth token cache implementation (not provided in the current version). auth-token-enabled: {{{ auth-token-enabled }}} auth-token-ttl: {{{ auth-token-ttl }}} # Check if aggregation variables use operators. allowing operators in aggregation variables # is risky. requester can inject operators modifying the query aggregation-check-operators: true #### Logging # enable-log-console: true => log messages to the console (default value: true) # enable-log-file: true => log messages to a file (default value: true) # log-file-path: to specify the log file path (default value: restheart.log in system temporary directory) # log-level: to set the log level. Value can be OFF, ERROR, WARN, INFO, DEBUG, TRACE and ALL. (default value is INFO) # requests-log-level: log the request-response. 0 => no log, 1 => light log, 2 => detailed dump # requests-log-trace-headers: add the HTTP headers you want to be put on the MDC for logback. Use with %X{header-name} in logback.xml. # Useful for tracing support in the logs. Leave empty to deactivate this feature. # metrics-gathering-level: metrics gathering for which level? OFF => no gathering, ROOT => gathering at root level, # DATABASE => at db level, COLLECTION => at collection level # WARNING: use requests-log-level level 2 only for development purposes, it logs user credentials (Authorization and Auth-Token headers) enable-log-file: true log-file-path: /var/log/restheart.log enable-log-console: true log-level: INFO requests-log-level: 1 metrics-gathering-level: DATABASE requests-log-trace-headers: # - x-b3-traceid # vv Zipkin headers, see https://github.com/openzipkin/b3-propagation # - x-b3-spanid # - x-b3-parentspanid # - x-b3-sampled # ^^ # - uber-trace-id # jaeger header, see https://www.jaegertracing.io/docs/client-libraries/#trace-span-identity # - traceparent # vv opencensus.io headers, see https://github.com/w3c/distributed-tracing/blob/master/trace_context/HTTP_HEADER_FORMAT.md # - tracestate # ^^ #### ETag policy # the following configuration defines the default etag check policy # the policy applies for dbs, collections (also applies to file buckets) and documents # valid values are REQUIRED, REQUIRED_FOR_DELETE, OPTIONAL etag-check-policy: db: REQUIRED_FOR_DELETE coll: REQUIRED_FOR_DELETE doc: OPTIONAL #### Performace Settings ## Read Performance # default-pagesize is the number of documents returned when the pagesize query # parameter is not specified # see https://restheart.org/learn/query-documents/#paging default-pagesize: {{{ default-pagesize }}} # max-pagesize sets the maximum allowed value of the pagesize query parameter # generally, the greater the pagesize, the more json serializan overhead occurs # the rule of thumb is not exeeding 1000 max-pagesize: 1000 # cursor-batch-size sets the mongodb cursor batchSize # see https://docs.mongodb.com/manual/reference/method/cursor.batchSize/ # cursor-batch-size should be smaller or equal to the max-pagesize # the rule of thumb is setting cursor-batch-size equal to max-pagesize # a small cursor-batch-size (e.g. 101, the default mongodb batchSize) # speeds up requests with small pagesize cursor-batch-size: 1000 ## Eager DB Cursor Preallocation Policy # In big collections, reading a far page involves skipping the db cursor for many documents resulting in a performance bottleneck # For instance, with default pagesize of 100, a GET with page=50.000 involves 500.000 skips on the db cursor. # The eager db cursor preallocation engine boosts up performaces (in some use cases, up to 1000%). the following options control its behavior. eager-cursor-allocation-pool-size: 100 eager-cursor-allocation-linear-slice-width: 1000 eager-cursor-allocation-linear-slice-delta: 100 eager-cursor-allocation-linear-slice-heights: [ 4, 2, 1 ] eager-cursor-allocation-random-max-cursors: 20 eager-cursor-allocation-random-slice-min-width: 1000 # In order to save bandwitdth RESTHeart can force requests to support the giz encoding (if not, requests will be rejected) force-gzip-encoding: false # local-cache allows to cache the db and collection properties to drammatically improve performaces. # Without caching, a GET on a document would requires two additional queries to retrieve the db and the collection properties. # Pay attention to local caching only in case of multi-node deployments (horizontal scalability). # In this case a change in a db or collection properties would reflect on other nodes at worst after the TTL (cache entries time to live). # In most of the cases Dbs and collections properties only change at development time. local-cache-enabled: true # TTL in milliseconds; specify a value < 0 to never expire cached entries local-cache-ttl: 1000 schema-cache-enabled: true # TTL in milliseconds; specify a value < 0 to never expire cached entries schema-cache-ttl: 60000 # Limit for the maximum number of concurrent requests being served requests-limit: 1000 # Time limit in milliseconds for processing queries on the server (without network latency). 0 means no time limit query-time-limit: 0 # Time limit in milliseconds for processing aggregations on the server (without network latency). 0 means no time limit aggregation-time-limit: 0 # Number of I/O threads created for non-blocking tasks. at least 2. suggested value: core*2 io-threads: 2 # Number of threads created for blocking tasks (such as ones involving db access). suggested value: core*16 worker-threads: 8 # Use 16k buffers for best performance - as in linux 16k is generally the default amount of data that can be sent in a single write() call buffer-size: 16384 buffers-per-region: 20 # Should the buffer pool use direct buffers, this instructs the JVM to use native (if possible) I/O operations on the buffers direct-buffers: true #### Connetction Options ## see http://undertow.io/undertow-docs/undertow-docs-2.0.0/index.html#common-listener-options connection-options: # The maximum size of a HTTP header block, in bytes. # If a client sends more data that this as part of the request header then the connection will be closed. # Defaults to 1Mbyte. MAX_HEADER_SIZE: 1048576 # The default maximum size of a request entity. # Defaults to unlimited. MAX_ENTITY_SIZE: -1 #The default maximum size of the HTTP entity body when using the mutiltipart parser. # Generall this will be larger than MAX_ENTITY_SIZE # If this is not specified it will be the same as MAX_ENTITY_SIZE MULTIPART_MAX_ENTITY_SIZE: -1 # The idle timeout in milliseconds after which the channel will be closed. # If the underlying channel already has a read or write timeout set # the smaller of the two values will be used for read/write timeouts. # Defaults to unlimited (-1). IDLE_TIMEOUT: -1 # The maximum allowed time of reading HTTP request in milliseconds. # -1 or missing value disables this functionality. REQUEST_PARSE_TIMEOUT: -1 # The amount of time the connection can be idle with no current requests # before it is closed; # Defaults to unlimited (-1). NO_REQUEST_TIMEOUT: -1 # The maximum number of query parameters that are permitted in a request. # If a client sends more than this number the connection will be closed. # This limit is necessary to protect against hash based denial of service attacks. # Defaults to 1000. MAX_PARAMETERS: 1000 # The maximum number of headers that are permitted in a request. # If a client sends more than this number the connection will be closed. # This limit is necessary to protect against hash based denial of service attacks. # Defaults to 200. MAX_HEADERS: 200 # The maximum number of cookies that are permitted in a request. # If a client sends more than this number the connection will be closed. # This limit is necessary to protect against hash based denial of service attacks. # Defaults to 200. MAX_COOKIES: 200 # The charset to use to decode the URL and query parameters. # Defaults to UTF-8. URL_CHARSET: UTF-8 # If this is true then a Connection: keep-alive header will be added to responses, # even when it is not strictly required by the specification. # Defaults to true ALWAYS_SET_KEEP_ALIVE: true # If this is true then a Date header will be added to all responses. # The HTTP spec says this header should be added to all responses, # unless the server does not have an accurate clock. # Defaults to true ALWAYS_SET_DATE: true