Configuration

Configuration file for Tempesta FW is a simple text file. The file location is passed to Tempesta FW kernel module as parameter and can’t be changed until the module is unloaded. See Run & stop for complete instructions.

The configuration file is C-program-like: you must define something before using it. E.g. a server group must be defined before it’s first use in load balancing rules:

srv_group static {
	server 10.10.0.1;
}
sched_http_rules {
	match static uri prefix "/static/";
}

Configuration directives are described on Tempesta FW Wiki pages and the brief description is provided as a sample configration file.

Install Tempesta FW from sources or binary packages. Don’t forget to check the system requirements.

You can use this configuration file to quickly start Tempesta FW in a configuration like we’ve showed in the FOSDEM talk:

# cat etc/tempesta_fw.conf 
listen 192.168.100.4:443 proto=https;
listen 192.168.100.4:80;

# Example include usage
# !include /etc/tempesta/sites/*

srv_group default {
    server 127.0.0.1:8080 conns_n=4;
}

vhost my_hostname {
    tls_certificate /root/tempesta/etc/tfw-root.crt;
    tls_certificate_key /root/tempesta/etc/tfw-root.key;

    proxy_pass default;
}

cache 1;
cache_fulfill * *;

block_action attack reply;

http_chain {
    -> my_hostname;
}

192.168.100.4 is the listening IP address for Tempesta FW. Read more about this configuration option in the Handling clients chapter.

This address must be resolved from my_hostname host name. The host name is important for TLS SNI, so use the real name of you machine. You can find the details how to configure Tempesta TLS in the TLS chapter. Note that you need to place your certificate and the private key into the Tempesta FW configuration directory. In this case Tempesta FW was built from sources, so the configuration directory is located right in the tempesta/etc directory. You can generate self-signed certificates with OpenSSL.

127.0.0.1:8080 is the address of the backend (upstream) server. Tempesta FW is a pure HTTPS accelerator, so it requires some HTTP server to get content from. Read more about backend configuration in the Servers chapter.

The cache options cache and cache_fulfill specify that all the content will be cached by Tempesta FW. You can find the details how to configure the options in the Caching chapter.

!include /etc/tempesta/sites/*

The include directive allows you to create separate configuration files, making large configurations easier to read and manage. It’s especially useful for organizing TF blocking hashes, server groups, or other dynamic configuration elements that may need to be updated on-the-fly.

The directive recursively replaces the line containing it with the contents of the specified files, exactly as they are. It does not follow the context of the configuration or validate variables — it simply reads the files as plain text.

Note

The directive accepts a directory containing configuration files to include. It expects files with a .conf extension.

Warning

A semicolon at the end of the include line is not required, and the path must point to a directory, not a single file.

In most of the cases you just need to

tempesta.sh --start

Check Run & Stop page for more instructions about the Linux settings and relative path of the startup script.