Configuration File Reference - Amazon DCV Connection Gateway

Configuration File Reference

This section provides a reference for all the parameters that can be specified in the Connection Gateway configuration file. For an introduction to the configuration of Amazon DCV Connection Gateway, see Configuring the Amazon DCV Connection Gateway.

The Amazon DCV Connection Gateway configuration file is located at /etc/dcv-connection-gateway/dcv-connection-gateway.conf. The file uses the TOML format and is organized in sections which control different aspects of the Connection Gateway

You can edit the configuration file using your preferred text editor.

Note

Some of the configuration parameters can be reloaded while the gateway is running without causing disruptions for the existing connections. Others parameters instead require a restart of the service. This is denoted by the Requires Restart column in the table below.

[gateway] section

Parameter name Required Default value Requires Restart Description
bind-addr Yes Yes

This setting is deprecated, use web-listen-endpoints and quic-listen-endpoints instead.

The socket address the gateway will be listening on for incoming DCV client connections. The value must be a valid IP address syntax.

cert-file No No The path to a PEM file containing the certificate to be used by the gateway. If not specified, the Connection Gateway will use generate self-signed certificates. When this parameter is specified, cert-key-file must be used as well.
cert-key-file No No The path to the private key file of the certificate. When this parameter is specified, cert-file must be used as well.
ciphers-tls No ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS13_CHACHA20_POLY1305_SHA256", "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256"] No The TLS ciphers used for the TLS communication with the clients.
enable-quic-connections-stats No true Yes Whether or not to enable UDP metrics emission for the connection between DCV client and the Connection Gateway every 60 seconds.

See Metrics of connection stats

enable-tcp-connections-stats No true Yes Whether or not to enable TCP metrics emission for the connection between DCV client and the Connection Gateway every 60 seconds.

See Metrics of connection stats

graceful-shutdown-timeout No 10 Yes When receiving a shutdown signal, the Connection Gateway waits for the specified number of seconds before closing all connections and exiting.
minimum-tls-version No "tls12" No The minimum TLS version used for the TLS communication with the clients. The value can be "tls12" or "tls13".
quic-idle-timeout No 10 Yes The timeout in seconds after which an inactive QUIC connection with a client is closed by the Connection Gateway.
quic-listen-endpoints No [] Yes The list of endpoints the gateway will be listening on for incoming UDP connections from DCV clients. An endpoint is defined as a ip-address[:port] pair, where ip-address is a valid IPv4 or IPv6 address and port is a UDP port. The port field in the endpoint is optional, and if not specified the quic-port parameter will be assumed as port. If this parameter is not set or set to an empty list, QUIC support will be disabled.
quic-max-connections No 1000 Yes The maximum number of concurrent QUIC connections the Connection Gateway is going to accept. After that limit, a new incoming connection will be rejected.
quic-port No 8443 Yes The default UDP port that will be associated to an endpoint without the port field in quic-listen-endpoints.
tcp-idle-timeout No 10 Yes The timeout in seconds after which an inactive TCP connection with a client is closed by the Connection Gateway.
tcp-max-connections No 1000 Yes The maximum number of concurrent TCP connections the Connection Gateway is going to accept. After that limit, a new incoming connection will be rejected.
web-listen-endpoints Yes Yes The list of endpoints the gateway will be listening on for incoming WebSocket and HTTP connections from DCV clients. An endpoint is defined as a ip-address[:port] pair, where ip-address is a valid IPv4 or IPv6 address and port is a TCP port. The port field in the endpoint is optional, and if not specified the web-port parameter will be assumed as port.
web-port No 8443 Yes The default TCP port that will be associated to an endpoint without the port field in web-listen-endpoints.

[log] section

Parameter name Required Default value Requires Restart Description
directory No /var/log/dcv-connection-gateway Yes The directory where gateway log files are going to be written.
level No info No The log level verbosity. Possible values are sorted by increasing verbosity: error, warning, info, debug, trace.
max-file-size No 10485760 Yes When a log file size reaches the specfied size in bytes, it will be rotated. A new log file will be created and further log events will be placed in the new file.
rolling-frequency No every-day Yes The temporal frequency with which log files will be rotated. Valid values are: every-day, every-hour, every-minute.
rotate No 9 Yes The maximum number of log files preserved in the rotation. Each time a rotation happens and this number is reached, the oldest log file will be deleted.

[health-check] section

Parameter name Required Default value Requires Restart Description
bind-addr No Yes The socket address the gateway will be listening on for incoming health check requests. The value must be a valid IP address syntax. If this parameter is not specified, the health check service will be disabled.
port No 8888 Yes The TCP port the gateway will be listening on for incoming health check requests. The value must be a valid port number.

[dcv] section

Parameter name Required Default value Requires Restart Description
ca-file No No If this setting is active, the certificates presented by the DCV servers will be validated only against the Certificate-Authority's certificate specified in this file.
ciphers-tls No ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS13_CHACHA20_POLY1305_SHA256", "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256"] No The TLS ciphers used for the TLS communication with the Amazon DCV server hosts.
enable-quic-connections-stats No true Yes Whether or not to enable UDP metrics emission for the connection between Connection Gateway and the Amazon DCV server every 60 seconds.

See Metrics of connection stats

enable-tcp-connections-stats No true Yes Whether or not to enable TCP metrics emission for the connection between Connection Gateway and the Amazon DCV server every 60 seconds.

See Metrics of connection stats

minimum-tls-version No "tls12" No The minimum TLS version used for the TLS communication with the Amazon DCV server hosts. The value can be "tls12" or "tls13".
tls-strict No true No Whether to enable or not the verification against a trusted Certificate-Authority for the certificate presented by the Amazon DCV server. The value can be true or false.

[resolver] section

Parameter name Required Default value Requires Restart Description
ca-file No No If this setting is active, the certificates presented by the resolver will be validated only against the Certificate-Authority's certificate specified in this file.
cert-file No No The path to a PEM file containing the certificate the gateway will present to the Session Resolver end-point. This setting is required if the Session Manager requires mutual TLS authentication. When this parameter is specified, cert-key-file must be used as well.
cert-key-file No No The path to the private key file of the certificate. When this parameter is specified, cert-file must be used as well.
ciphers-tls No ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS13_CHACHA20_POLY1305_SHA256", "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256"] No The TLS ciphers used for the TLS communication with the Session Resolver.
minimum-tls-version No "tls12" No The minimum TLS version used for the TLS communication with the resolver. The value can be "tls12" or "tls13".
http-establish-timeout No 10 No The timeout in seconds used when establishing connections with the resolver.
tls-strict No true No Whether to enable or not the verification against a trusted Certificate-Authority for the certificate presented by the Session Resolver. The value can be true or false.
url Yes No The url of the Session Resolver. The url host must be a domain name, ip addresses are not supported.

[web-resources] section

Parameter name Required Default value Requires Restart Description
ca-file No No If this setting is active, the certificates presented by the web resources server will be validated only against the Certificate-Authority's certificate specified in this file.
ciphers-tls No ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS13_CHACHA20_POLY1305_SHA256", "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256"] No The TLS ciphers used for the TLS communication with the Web Resources server.
local-resources-http-headers No { "strict-transport-security" = "max-age=31536000", "content-security-policy" = "upgrade-insecure-requests;", "x-content-type-options" = "nosniff", "x-frame-options" = "SAMEORIGIN" } Yes The HTTP headers that are set on the static web resources used when connecting via web-based Client.
local-resources-path No Yes Local path where the DCV web resources are stored. Web-based DCV connections will be served these resources.
minimum-tls-version No "tls12" No The minimum TLS version used for the TLS communication with the Web Resources Server. The value can be "tls12" or "tls13".
http-establish-timeout No 10 No The timeout in seconds used when establishing HTTP connections with the Web Resources server.
tls-strict No true No Whether to enable or not the verification against a trusted Certificate-Authority for the certificate presented by the Web Resources server. The value can be true or false.
url No No The url of the Web Resources Server. The url host must be a domain name, ip addresses are not supported. If not specified, the gateway will not forward requests for static web resources.

[metrics-reporter-statsd] section

Parameter name Required Default value Requires Restart Description
host No Yes The IP where the statsd service is located and metrics can be pushed to. If this parameter is not specified, the StatsD metric reporter will be disabled.
port No 8125 Yes The UDP port of the statsd service.