The Extensible Service Proxy
(ESP) is an
NGINX-based proxy that enables
Cloud Endpoints to provide API management features. You configure
ESP by specifying options when you start the ESP
Docker container. When the ESP container starts, it runs a script
called start_esp
, which writes the NGINX configuration file by using the
options that you specified and launches ESP.
You specify ESP startup options in the docker run
command, for example:
sudo docker run \ --detach \ DOCKER_ARGUMENTS \ gcr.io/endpoints-release/endpoints-runtime:1 \ --service=SERVICE_NAME \ --rollout_strategy=managed \ --backend=YOUR_API_CONTAINER_NAME:8080
If you are deploying ESP to Kubernetes, you specify the startup
options in your deployment manifest file in the args
field, for example:
containers: - name: esp image: gcr.io/endpoints-release/endpoints-runtime:1 args: [ "--http_port=8081", "--backend=127.0.0.1:8080", "--service=SERVICE_NAME", "--rollout_strategy=managed" ]
The following table describes ESP's startup options.
Short option | Long option | Description |
---|---|---|
-s SERVICE_NAME |
--service SERVICE_NAME |
Sets the name of the Endpoints service. |
-R ROLLOUT_STRATEGY |
--rollout_strategy ROLLOUT_STRATEGY |
Available in ESP version 1.7.0 and later. Specify either
|
-v CONFIG_ID |
--version CONFIG_ID |
Sets the service configuration ID to be used by ESP. See
Getting the service name
and configuration ID for the information you need to set this option.
When you specify --rollout_strategy=fixed or when you don't
include the --rollout_strategy option, you must include the
--version option and specify a configuration ID. In this case,
every time you deploy a new Endpoints configuration, you must
restart ESP with the new configuration ID.
|
-p HTTP1_PORT |
--http_port HTTP1_PORT |
Sets the ports that ESP exposes for HTTP/1.x connections.1 |
-P HTTP2_PORT |
--http2_port HTTP2_PORT |
Sets the ports that ESP exposes for HTTP/2 connections.1 |
-S SSL_PORT |
--ssl_port SSL_PORT |
Sets the ports that ESP exposes for HTTPS connections.1 |
-a BACKEND |
--backend BACKEND |
Sets the address for the HTTP/1.x application backend server. The default
value for the backend address is http://127.0.0.1:8081 .You can specify a protocol prefix, for example: --backend=https://127.0.0.1:8000 If you don't specify a protocol prefix, the default is http .If your backend server is running on Compute Engine in a container, you can specify the container name and the port, for example: --backend=my-api-container:8000 |
-N STATUS_PORT |
--status_port STATUS_PORT |
Sets the status port (default: 8090 ).
|
none | --disable_cloud_trace_auto_sampling |
By default, ESP samples 1 request out of every 1000 or 1 request out of every 10 seconds is enabled with Cloud Trace. Set this flag to disable such auto sampling. Cloud Trace can still be enabled from request HTTP headers with trace context regardless of this flag value. See Tracing your API for more information. |
-n NGINX_CONFIG |
--nginx_config NGINX_CONFIG |
Sets the location for the custom NGINX configuration file. If you specify this option, ESP fetches the specified configuration file and then immediately launches NGINX with the provided custom configuration file. See Using a custom nginx config for GKE for more information. |
-k SERVICE_ACCOUNT_KEY |
--service_account_key SERVICE_ACCOUNT_KEY |
Sets the service account credentials JSON file. If provided, ESP uses the service account to generate an access token to call Service Infrastructure APIs. The only time you need to specify this option is when ESP is running on platforms other than Google Cloud, such as your local desktop, Kubernetes, or another cloud provider. See Creating a service account for more information. |
-z HEALTHZ_PATH |
--healthz HEALTHZ_PATH |
Define a health checking endpoint on the same ports as the application
backend. For example, -z healthz makes ESP return
code 200 for
location /healthz , instead of forwarding the request to the
backend. Default: not used.
|
none | --dns DNS_RESOLVER |
Specify a dns resolver. For example, --dns 169.254.169.254 uses
the GCP Metadata server as the DNS resolver. If not specified, default is
8.8.8.8 .
|
1 These ports are optional and must be distinct from each other.
If you don't specify any port option, ESP accepts HTTP/1.x
connections on port 8080
.
For HTTPS connections, ESP expects the TLS secrets to be
located at /etc/nginx/ssl/nginx.crt
and /etc/nginx/ssl/nginx.key
.
Sample command-line invocations
The following examples show how to use some of the command-line arguments:
To start ESP to handle requests coming in at HTTP/1.x port 80
and HTTPS port 443
and send the requests to your API backend at
127.0.0.1:8000
:
sudo docker run \ --detach \ DOCKER_ARGUMENTS \ gcr.io/endpoints-release/endpoints-runtime:1 --service=echo-api.endpoints.example-project-12345.cloud.goog \ --rollout_strategy=managed \ --http_port=80 \ --ssl_port=443 \ --backend=127.0.0.1:8000
To start ESP with a custom NGINX configuration by using the service account credentials file to fetch the service config and connect to the service control:
sudo docker run \ --detach \ --volume=$HOME/Downloads:/esp \ DOCKER_ARGUMENTS \ gcr.io/endpoints-release/endpoints-runtime:1 \ --service=echo-api.endpoints.example-project-12345.cloud.goog \ --rollout_strategy=managed \ --service_account_key=/esp/serviceaccount.json \ --nginx_config=/esp/nginx.conf
Note that you must use the Docker flags --volume
or --mount
to mount the
JSON file containing the private key for the service account and the custom
NGINX config file as volumes inside ESP's Docker container. The
preceding example maps the $HOME/Downloads
directory on the local computer to
the esp
directory in the container. When you save the private key file for the
service account, it is typically downloaded to the Downloads
directory. You
can copy the private key file to another directory if you want to. See
Manage data in Docker
for more information.
Adding CORS support to ESP
Please refer to Support CORS for a description of available CORS support options. This section describes using ESP startup flags to support CORS.
To enable CORS support in ESP, include the --cors_preset
option
and set it to either basic
or cors_with_regex
. When you include
--cors_preset=basic
or --cors_preset=cors_with_regex
, ESP:
- Assumes all location paths have the same CORS policy.
- Responds to both simple requests and
preflight
HTTP OPTIONS
requests. - Caches the result of the preflight
OPTIONS
request for up to 20 days (1728000 seconds). Sets the response headers to the following values:
Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization Access-Control-Expose-Headers: Content-Length,Content-Range
To override the default value of
Access-Control-Allow-Origin
,
specify one of the following options:
Option | Description |
---|---|
--cors_allow_origin |
Use with --cors_preset=basic to set
Access-Control-Allow-Origin to a specific origin.Example:
--cors_preset=basic
|
--cors_allow_origin_regex |
Use with --cors_preset=cors_with_regex . Allows you to use a
regular expression to set Access-Control-Allow-Origin .Example:
--cors_preset=cors_with_regex
The regular expression in the preceding example allows an origin with either
|
After setting --cors_preset=basic
or --cors_preset=cors_with_regex
to enable
CORS, you can override the default values of the other response headers by
specifying one or more of the following options:
Option | Description |
---|---|
--cors_allow_methods |
Sets
Access-Control-Allow-Methods
to the specified HTTP methods. Specify the HTTP methods as a string with each
HTTP method separated by a comma.Example:
--cors_preset=basic
|
--cors_allow_headers |
Sets
Access-Control-Allow-Headers
to the specified HTTP headers. Specify the HTTP headers as a string with each
HTTP header separated by a comma.Example:
--cors_preset=basic
|
--cors_allow_credentials |
Includes the
Access-Control-Allow-Credentials
header with the value true in responses. By default, the
Access-Control-Allow-Credentials header isn't included in responses.Example:
--cors_preset=basic
|
--cors_expose_headers |
Sets
Access-Control-Expose-Headers
to the specified headers. Specify which headers can be exposed as part of the
response as a string with each header separated by a comma.Example:
--cors_preset=basic
|
If the ESP CORS startup options don't suit the needs of your
application, you can create a custom nginx.conf
file with the CORS support
that your application requires. For more information, see
Creating a custom nginx.conf
to support CORS.
What's next
Learn about:
- Deploying ESP and your API backend to Google Cloud
- Running ESP locally or on another platform
- The
start_esp
script on GitHub