# Configuration File Reference
<a name="config-reference"></a>

This section provides a reference for all the parameters that can be specified in the Connection Gateway configuration file. For an introduction to the configuration of Amazon DCV Connection Gateway, see [Configuring the Amazon DCV Connection Gateway](setting-up-configuring.md).

The Amazon DCV Connection Gateway configuration file is located at `/etc/dcv-connection-gateway/dcv-connection-gateway.conf`. The file uses the [TOML format](https://toml.io) and is organized in sections, each of which controls a different aspect of the Connection Gateway.

You can edit the configuration file using your preferred text editor.

**Note**  
Some of the configuration parameters can be [reloaded](sm-integration.md) while the gateway is running, without disrupting existing connections. Other parameters require a restart of the service; this is denoted by the `Requires Restart` column in the tables below.

**Topics**
+ [`[gateway]` section](#config-gateway)
+ [`[log]` section](#config-log)
+ [`[health-check]` section](#config-health)
+ [`[dcv]` section](#config-dcv)
+ [`[resolver]` section](#config-resolver)
+ [`[web-resources]` section](#config-web-resources)
+ [`[metrics-reporter-statsd]` section](#config-statsd)

## `[gateway]` section
<a name="config-gateway"></a>


| Parameter name | Required | Default value | Requires Restart | Description | 
| --- | --- | --- | --- | --- | 
| bind-addr | Yes |  | Yes | This setting is **deprecated**; use `web-listen-endpoints` and `quic-listen-endpoints` instead.<br />The socket address the gateway listens on for incoming DCV client connections. The value must be a syntactically valid IP address. | 
| cert-file | No |  | No | The path to a PEM file containing the certificate to be used by the gateway. If not specified, the Connection Gateway generates a self-signed certificate. When this parameter is specified, cert-key-file must be set as well. | 
| cert-key-file | No |  | No | The path to the private key file of the certificate. When this parameter is specified, cert-file must be used as well. | 
| ciphers-tls | No | ["TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384", "TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256", "TLS13\_CHACHA20\_POLY1305\_SHA256", "TLS13\_AES\_256\_GCM\_SHA384", "TLS13\_AES\_128\_GCM\_SHA256"] | No | The TLS ciphers used for the TLS communication with the clients. | 
| enable-quic-connections-stats | No | true | Yes | Whether or not to emit UDP metrics for the connection between the DCV client and the Connection Gateway every 60 seconds. See [Metrics of connection stats](metrics.md#metrics-connection-stats). | 
| enable-tcp-connections-stats | No | true | Yes | Whether or not to emit TCP metrics for the connection between the DCV client and the Connection Gateway every 60 seconds. See [Metrics of connection stats](metrics.md#metrics-connection-stats). | 
| graceful-shutdown-timeout | No | 10 | Yes | When receiving a shutdown signal, the Connection Gateway waits for the specified number of seconds before closing all connections and exiting. | 
| minimum-tls-version | No | "tls12" | No | The minimum TLS version used for the TLS communication with the clients. The value can be "tls12" or "tls13". | 
| quic-idle-timeout | No | 10 | Yes | The timeout in seconds after which an inactive QUIC connection with a client is closed by the Connection Gateway. | 
| quic-listen-endpoints | No | [] | Yes | The list of endpoints the gateway listens on for incoming UDP connections from DCV clients. An endpoint is written as {{ip-address}}[:{{port}}], where {{ip-address}} is a valid IPv4 or IPv6 address and {{port}} is a UDP port. The {{port}} field is optional; if it is omitted, the value of quic-port is used as the port. If this parameter is not set or is set to an empty list, QUIC support is disabled. | 
| quic-max-connections | No | 1000 | Yes | The maximum number of concurrent QUIC connections the Connection Gateway is going to accept. After that limit, a new incoming connection will be rejected. | 
| quic-port | No | 8443 | Yes | The default UDP port that will be associated to an endpoint without the port field in quic-listen-endpoints. | 
| tcp-idle-timeout | No | 10 | Yes | The timeout in seconds after which an inactive TCP connection with a client is closed by the Connection Gateway. | 
| tcp-max-connections | No | 1000 | Yes | The maximum number of concurrent TCP connections the Connection Gateway is going to accept. After that limit, a new incoming connection will be rejected. | 
| web-listen-endpoints | Yes |  | Yes | The list of endpoints the gateway listens on for incoming WebSocket and HTTP connections from DCV clients. An endpoint is written as {{ip-address}}[:{{port}}], where {{ip-address}} is a valid IPv4 or IPv6 address and {{port}} is a TCP port. The {{port}} field is optional; if it is omitted, the value of web-port is used as the port. | 
| web-port | No | 8443 | Yes | The default TCP port that will be associated to an endpoint without the port field in web-listen-endpoints. | 
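
The endpoint syntax used by `web-listen-endpoints` and `quic-listen-endpoints` ({{ip-address}}[:{{port}}], with the port falling back to web-port or quic-port) is easy to get wrong for IPv6 addresses, where a trailing `:8443` is itself a valid part of the address. The following Python is an added example, not code from Amazon DCV or the Connection Gateway, that parses a list of endpoints the way the table describes, applies the port defaults, and flags the deprecated `bind-addr` key. It assumes the bracketed form `[addr]:port` for an IPv6 address carrying a port, which the page does not specify, and the `SAMPLE_GATEWAY` section is constructed for the example.

```python
import ipaddress

# Defaults taken from the reference table: web-port and quic-port are 8443.
DEFAULT_WEB_PORT = 8443
DEFAULT_QUIC_PORT = 8443


def _parse_port(text: str) -> int:
    """Parse a port field; anything outside 1-65535 is rejected."""
    port = int(text)  # raises ValueError on non-numeric input
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    return port


def parse_endpoint(endpoint: str, default_port: int) -> tuple[str, int]:
    """Parse one {{ip-address}}[:{{port}}] endpoint into (address, port).

    The address is returned in canonical form (ipaddress normalises
    0:0:0:0:0:0:0:1 to ::1). Host names are rejected because the reference
    only allows IP address literals. An IPv6 address with a port is assumed
    (by this example, not by the page) to be bracketed, e.g. "[::1]:9443".
    """
    endpoint = endpoint.strip()
    if endpoint.startswith("["):
        close = endpoint.find("]")
        if close == -1:
            raise ValueError(f"unterminated IPv6 literal in {endpoint!r}")
        host, rest = endpoint[1:close], endpoint[close + 1:]
        if rest == "":
            port = default_port
        elif rest.startswith(":"):
            port = _parse_port(rest[1:])
        else:
            raise ValueError(f"unexpected text after IPv6 literal in {endpoint!r}")
        ip = ipaddress.ip_address(host)
        if ip.version != 6:
            raise ValueError(f"brackets are only valid around an IPv6 address: {endpoint!r}")
    elif endpoint.count(":") > 1:
        # More than one colon and no brackets: a bare IPv6 literal without a
        # port. "fe80::1:8443" is the address fe80::1:8443, not fe80::1 on
        # port 8443; use brackets when a port is intended.
        ip, port = ipaddress.ip_address(endpoint), default_port
    elif ":" in endpoint:
        host, _, port_text = endpoint.partition(":")
        ip, port = ipaddress.ip_address(host), _parse_port(port_text)
    else:
        ip, port = ipaddress.ip_address(endpoint), default_port
    return str(ip), port


def is_valid_endpoint(endpoint: str, default_port: int = DEFAULT_WEB_PORT) -> bool:
    """True if parse_endpoint accepts the endpoint, False otherwise."""
    try:
        parse_endpoint(endpoint, default_port)
        return True
    except ValueError:
        return False


def check_gateway_section(gateway: dict) -> dict:
    """Resolve the listen endpoints of a parsed [gateway] section.

    Returns the effective (address, port) pairs for the WebSocket/HTTP and
    QUIC listeners plus warnings for conditions the reference calls out.
    """
    notes = []
    if "bind-addr" in gateway:
        notes.append("bind-addr is deprecated; use web-listen-endpoints "
                     "and quic-listen-endpoints instead")
    web = gateway.get("web-listen-endpoints") or []
    if not web:
        raise ValueError("web-listen-endpoints is required")
    quic = gateway.get("quic-listen-endpoints") or []
    if not quic:
        notes.append("quic-listen-endpoints is empty: QUIC support is disabled")
    web_port = gateway.get("web-port", DEFAULT_WEB_PORT)
    quic_port = gateway.get("quic-port", DEFAULT_QUIC_PORT)
    return {
        "web": [parse_endpoint(e, web_port) for e in web],
        "quic": [parse_endpoint(e, quic_port) for e in quic],
        "warnings": notes,
    }


# Constructed sample [gateway] section, as it would look after TOML parsing.
SAMPLE_GATEWAY = {
    "bind-addr": "0.0.0.0",  # deprecated key still present
    "web-listen-endpoints": ["0.0.0.0", "[::]:9443"],
    "quic-listen-endpoints": ["10.0.0.5"],
    "web-port": 8443,
    "quic-port": 8444,
}

if __name__ == "__main__":
    result = check_gateway_section(SAMPLE_GATEWAY)
    for kind in ("web", "quic"):
        for addr, port in result[kind]:
            print(f"{kind:4s} listen on {addr} port {port}")
    for warning in result["warnings"]:
        print("warning:", warning)
```

Running the block prints the effective listeners for the sample section (`0.0.0.0:8443`, `[::]:9443` for web, `10.0.0.5:8444` for QUIC) and the deprecation warning for `bind-addr`. The bare-IPv6 branch is the one worth keeping in mind: an unbracketed address with a trailing `:port` is silently accepted as a longer address rather than rejected.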

## `[log]` section
<a name="config-log"></a>


| Parameter name | Required | Default value | Requires Restart | Description | 
| --- | --- | --- | --- | --- | 
| directory | No | /var/log/dcv-connection-gateway | Yes | The directory where gateway log files are going to be written. | 
| level | No | info | No | The log level verbosity. Possible values are sorted by increasing verbosity: error, warning, info, debug, trace. | 
| max-file-size | No | 10485760 | Yes | When a log file reaches the specified size in bytes, it is rotated: a new log file is created and further log events are written to the new file. | 
| rolling-frequency | No | every-day | Yes | The temporal frequency with which log files will be rotated. Valid values are: every-day, every-hour, every-minute. | 
| rotate | No | 9 | Yes | The maximum number of log files preserved in the rotation. Each time a rotation happens and this number is reached, the oldest log file will be deleted. | 

## `[health-check]` section
<a name="config-health"></a>


| Parameter name | Required | Default value | Requires Restart | Description | 
| --- | --- | --- | --- | --- | 
| bind-addr | No |  | Yes | The socket address the gateway listens on for incoming health check requests. The value must be a syntactically valid IP address. If this parameter is not specified, the health check service is disabled. | 
| port | No | 8888 | Yes | The TCP port the gateway will be listening on for incoming health check requests. The value must be a valid port number. | 

## `[dcv]` section
<a name="config-dcv"></a>


| Parameter name | Required | Default value | Requires Restart | Description | 
| --- | --- | --- | --- | --- | 
| ca-file | No |  | No | If this setting is active, the certificates presented by the DCV servers will be validated only against the Certificate-Authority's certificate specified in this file. | 
| ciphers-tls | No | ["TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384", "TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256", "TLS13\_CHACHA20\_POLY1305\_SHA256", "TLS13\_AES\_256\_GCM\_SHA384", "TLS13\_AES\_128\_GCM\_SHA256"] | No | The TLS ciphers used for the TLS communication with the Amazon DCV server hosts. | 
| enable-quic-connections-stats | No | true | Yes | Whether or not to emit UDP metrics for the connection between the Connection Gateway and the Amazon DCV server every 60 seconds. See [Metrics of connection stats](metrics.md#metrics-connection-stats). | 
| enable-tcp-connections-stats | No | true | Yes | Whether or not to emit TCP metrics for the connection between the Connection Gateway and the Amazon DCV server every 60 seconds. See [Metrics of connection stats](metrics.md#metrics-connection-stats). | 
| minimum-tls-version | No | "tls12" | No | The minimum TLS version used for the TLS communication with the Amazon DCV server hosts. The value can be "tls12" or "tls13". | 
| tls-strict | No | true | No | Whether to verify the certificate presented by the Amazon DCV server against a trusted Certificate Authority. The value can be true or false. | 

## `[resolver]` section
<a name="config-resolver"></a>


| Parameter name | Required | Default value | Requires Restart | Description | 
| --- | --- | --- | --- | --- | 
| ca-file | No |  | No | If this setting is active, the certificates presented by the resolver will be validated only against the Certificate-Authority's certificate specified in this file. | 
| cert-file | No |  | No | The path to a PEM file containing the certificate the gateway will present to the Session Resolver end-point. This setting is required if the Session Manager requires mutual TLS authentication. When this parameter is specified, cert-key-file must be used as well. | 
| cert-key-file | No |  | No | The path to the private key file of the certificate. When this parameter is specified, cert-file must be used as well. | 
| ciphers-tls | No | ["TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384", "TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256", "TLS13\_CHACHA20\_POLY1305\_SHA256", "TLS13\_AES\_256\_GCM\_SHA384", "TLS13\_AES\_128\_GCM\_SHA256"] | No | The TLS ciphers used for the TLS communication with the Session Resolver. | 
| minimum-tls-version | No | "tls12" | No | The minimum TLS version used for the TLS communication with the resolver. The value can be "tls12" or "tls13". | 
| http-establish-timeout | No | 10 | No | The timeout in seconds used when establishing connections with the resolver. | 
| tls-strict | No | true | No | Whether to verify the certificate presented by the Session Resolver against a trusted Certificate Authority. The value can be true or false. | 
| url | Yes |  | No | The URL of the Session Resolver. The URL host must be a domain name; IP addresses are not supported. | 

## `[web-resources]` section
<a name="config-web-resources"></a>


| Parameter name | Required | Default value | Requires Restart | Description | 
| --- | --- | --- | --- | --- | 
| ca-file | No |  | No | If this setting is active, the certificates presented by the web resources server will be validated only against the Certificate-Authority's certificate specified in this file. | 
| ciphers-tls | No | ["TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384", "TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256", "TLS13\_CHACHA20\_POLY1305\_SHA256", "TLS13\_AES\_256\_GCM\_SHA384", "TLS13\_AES\_128\_GCM\_SHA256"] | No | The TLS ciphers used for the TLS communication with the Web Resources server. | 
| local-resources-http-headers | No | { "strict-transport-security" = "max-age=31536000", "content-security-policy" = "upgrade-insecure-requests;", "x-content-type-options" = "nosniff", "x-frame-options" = "SAMEORIGIN" } | Yes | The HTTP headers that are set on the static web resources used when connecting via web-based Client. | 
| local-resources-path | No |  | Yes | Local path where the DCV web resources are stored. Web-based DCV connections will be served these resources. | 
| minimum-tls-version | No | "tls12" | No | The minimum TLS version used for the TLS communication with the Web Resources Server. The value can be "tls12" or "tls13". | 
| http-establish-timeout | No | 10 | No | The timeout in seconds used when establishing HTTP connections with the Web Resources server. | 
| tls-strict | No | true | No | Whether to verify the certificate presented by the Web Resources server against a trusted Certificate Authority. The value can be true or false. | 
| url | No |  | No | The URL of the Web Resources Server. The URL host must be a domain name; IP addresses are not supported. If not specified, the gateway does not forward requests for static web resources. | 

## `[metrics-reporter-statsd]` section
<a name="config-statsd"></a>


| Parameter name | Required | Default value | Requires Restart | Description | 
| --- | --- | --- | --- | --- | 
| endpoints | No |  | Yes | The list of endpoints of the StatsD service that metrics are pushed to, written as ["IP:Port"]. If this parameter is not specified, the StatsD metric reporter is disabled. | 
| port | No | 8125 | Yes | The UDP port of the statsd service. | 
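
Several rules stated in the tables above can be checked mechanically before the service is restarted: `cert-file` and `cert-key-file` must be set together, `tls-strict = false` disables verification of the certificate presented by the DCV server, the Session Resolver or the Web Resources server, `minimum-tls-version` accepts only "tls12" or "tls13", `bind-addr` is deprecated, and `url` hosts must be domain names rather than IP addresses. The Python below is an added example, not part of Amazon DCV or its tooling, that reads a configuration body with the standard-library TOML parser (`tomllib`, Python 3.11 or later) and reports each violation it finds. It runs a constructed weak configuration beside a corrected one; the certificate paths and host names in both are placeholders.

```python
import ipaddress
import urllib.parse

try:
    import tomllib  # standard library since Python 3.11
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Sections holding the gateway's TLS settings towards an upstream
# (DCV servers, Session Resolver, Web Resources server).
UPSTREAM_SECTIONS = ("dcv", "resolver", "web-resources")
TLS_VERSIONS = ("tls12", "tls13")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_config(text: str) -> list[str]:
    """Return findings for a dcv-connection-gateway.conf body.

    Each check mirrors a rule stated in the reference tables; an empty
    list means none of those rules is violated.
    """
    conf = tomllib.loads(text)
    findings = []

    # cert-file and cert-key-file must be used together.
    for section in ("gateway", "resolver"):
        s = conf.get(section, {})
        if ("cert-file" in s) != ("cert-key-file" in s):
            findings.append(f"[{section}] cert-file and cert-key-file must be set together")

    gw = conf.get("gateway", {})
    if "bind-addr" in gw:
        findings.append("[gateway] bind-addr is deprecated; use web-listen-endpoints "
                        "and quic-listen-endpoints")
    if not gw.get("web-listen-endpoints"):
        findings.append("[gateway] web-listen-endpoints is required")

    # minimum-tls-version accepts only "tls12" or "tls13" in every section.
    for section in ("gateway",) + UPSTREAM_SECTIONS:
        value = conf.get(section, {}).get("minimum-tls-version", "tls12")
        if value not in TLS_VERSIONS:
            findings.append(f"[{section}] minimum-tls-version {value!r} is not one of {TLS_VERSIONS}")

    # tls-strict = false turns off CA verification of the upstream certificate.
    for section in UPSTREAM_SECTIONS:
        s = conf.get(section, {})
        if not s.get("tls-strict", True):
            msg = f"[{section}] tls-strict = false: upstream certificate is not verified"
            if "ca-file" in s:
                msg += " (ca-file cannot restrict a verification that is disabled)"
            findings.append(msg)

    # url hosts must be domain names, never IP addresses.
    for section, required in (("resolver", True), ("web-resources", False)):
        url = conf.get(section, {}).get("url")
        if url is None:
            if required:
                findings.append(f"[{section}] url is required")
            continue
        host = urllib.parse.urlsplit(url).hostname
        if host is None:
            findings.append(f"[{section}] url {url!r} has no host")
        elif _is_ip_literal(host):
            findings.append(f"[{section}] url host must be a domain name, not {host}")
    return findings


# Constructed weak configuration; paths and hosts are placeholders.
WEAK_CONF = """\
[gateway]
web-listen-endpoints = ["0.0.0.0"]
cert-file = "/path/to/gateway.pem"

[dcv]
tls-strict = false

[resolver]
url = "https://10.0.0.20:8443"
tls-strict = false
ca-file = "/path/to/resolver-ca.pem"
minimum-tls-version = "tls11"
"""

# The same deployment with every finding corrected (constructed).
HARDENED_CONF = """\
[gateway]
web-listen-endpoints = ["0.0.0.0"]
cert-file = "/path/to/gateway.pem"
cert-key-file = "/path/to/gateway.key"
minimum-tls-version = "tls13"

[dcv]
tls-strict = true

[resolver]
url = "https://resolver.example.internal:8443"
tls-strict = true
ca-file = "/path/to/resolver-ca.pem"

[web-resources]
url = "https://web.example.internal"
"""

if __name__ == "__main__":
    for name, body in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(lint_config(body))} finding(s)")
        for finding in lint_config(body):
            print("  ", finding)
```

For the weak configuration the linter reports five findings (missing key file, unsupported TLS version, two upstreams with verification disabled, and a resolver URL that uses an IP literal); the hardened configuration produces none. Settings that the tables mark as reloadable without a restart, such as `tls-strict` and `minimum-tls-version`, can be corrected and reloaded; the `[gateway]` certificate pair is also reloadable, while a change to the listen endpoints needs a restart.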