From 092c5455c81af924cf17b9c34fec70c8b32d5a9d Mon Sep 17 00:00:00 2001
From: Shawn <506895667@qq.com>
Date: Fri, 2 Jul 2021 12:59:24 +0800
Subject: [PATCH] feat(config): change configs of zone and listener to hocon format
---
 apps/emqx/etc/emqx.conf | 2655 ++++++++++++++++++++-------------------
 1 file changed, 1329 insertions(+), 1326 deletions(-)
diff --git a/apps/emqx/etc/emqx.conf b/apps/emqx/etc/emqx.conf
index d179b9a11..54b4b1078 100644
--- a/apps/emqx/etc/emqx.conf
+++ b/apps/emqx/etc/emqx.conf
@@ -718,1592 +718,1595 @@ mqtt.strict_mode = false
 ## Value: String
 ## mqtt.response_information = example
-## CONFIG_SECTION_BGN=zones ===================================================
-
 ##--------------------------------------------------------------------
 ## External Zone
+zone.external {
+ ## Idle timeout of the external MQTT connections.
+ ##
+ ## Value: duration
+ idle_timeout = 15s
-## Idle timeout of the external MQTT connections.
-##
-## Value: duration
-zone.external.idle_timeout = 15s
+ ## Enable ACL check.
+ ##
+ ## Value: Flag
+ enable_acl = on
-## Enable ACL check.
-##
-## Value: Flag
-zone.external.enable_acl = on
+ ## Enable ban check.
+ ##
+ ## Value: Flag
+ enable_ban = on
-## Enable ban check.
-##
-## Value: Flag
-zone.external.enable_ban = on
+ ## Enable per connection statistics.
+ ##
+ ## Value: on | off
+ enable_stats = on
-## Enable per connection statistics.
-##
-## Value: on | off
-zone.external.enable_stats = on
+ ## The action when acl check reject current operation
+ ##
+ ## Value: ignore | disconnect
+ ## Default: ignore
+ acl_deny_action = ignore
-## The action when acl check reject current operation
-##
-## Value: ignore | disconnect
-## Default: ignore
-zone.external.acl_deny_action = ignore
+ ## Force the MQTT connection process GC after this number of
+ ## messages | bytes passed through.
+ ##
+ ## Numbers delimited by `|'. Zero or negative is to disable.
+ force_gc_policy = "16000|16MB"
-## Force the MQTT connection process GC after this number of
-## messages | bytes passed through.
-##
-## Numbers delimited by `|'. Zero or negative is to disable.
-zone.external.force_gc_policy = "16000|16MB"
+ ## Max message queue length and total heap size to force shutdown
+ ## connection/session process.
+ ## Message queue here is the Erlang process mailbox, but not the number
+ ## of queued MQTT messages of QoS 1 and 2.
+ ##
+ ## Numbers delimited by `|'. Zero or negative is to disable.
+ ##
+ ## Default:
+ ## - "10000|64MB" on ARCH_64 system
+ ## - "1000|32MB" on ARCH_32 sytem
+ #force_shutdown_policy = "10000|64MB"
-## Max message queue length and total heap size to force shutdown
-## connection/session process.
-## Message queue here is the Erlang process mailbox, but not the number
-## of queued MQTT messages of QoS 1 and 2.
-##
-## Numbers delimited by `|'. Zero or negative is to disable.
-##
-## Default:
-## - "10000|64MB" on ARCH_64 system
-## - "1000|32MB" on ARCH_32 sytem
-#zone.external.force_shutdown_policy = "10000|64MB"
+ ## Maximum MQTT packet size allowed.
+ ##
+ ## Value: Bytes
+ ## Default: 1MB
+ ## max_packet_size = 64KB
-## Maximum MQTT packet size allowed.
-##
-## Value: Bytes
-## Default: 1MB
-## zone.external.max_packet_size = 64KB
+ ## Maximum length of MQTT clientId allowed.
+ ##
+ ## Value: Number [23-65535]
+ ## max_clientid_len = 1024
-## Maximum length of MQTT clientId allowed.
-##
-## Value: Number [23-65535]
-## zone.external.max_clientid_len = 1024
+ ## Maximum topic levels allowed. 0 means no limit.
+ ##
+ ## Value: Number
+ ## max_topic_levels = 7
-## Maximum topic levels allowed. 0 means no limit.
-##
-## Value: Number
-## zone.external.max_topic_levels = 7
+ ## Maximum QoS allowed.
+ ##
+ ## Value: 0 | 1 | 2
+ ## max_qos_allowed = 2
-## Maximum QoS allowed.
-##
-## Value: 0 | 1 | 2
-## zone.external.max_qos_allowed = 2
+ ## Maximum Topic Alias, 0 means no limit.
+ ##
+ ## Value: 0-65535
+ ## max_topic_alias = 65535
-## Maximum Topic Alias, 0 means no limit.
-##
-## Value: 0-65535
-## zone.external.max_topic_alias = 65535
+ ## Whether the Server supports retained messages.
+ ##
+ ## Value: boolean
+ ## retain_available = true
-## Whether the Server supports retained messages.
-##
-## Value: boolean
-## zone.external.retain_available = true
+ ## Whether the Server supports Wildcard Subscriptions
+ ##
+ ## Value: boolean
+ ## wildcard_subscription = false
-## Whether the Server supports Wildcard Subscriptions
-##
-## Value: boolean
-## zone.external.wildcard_subscription = false
+ ## Whether the Server supports Shared Subscriptions
+ ##
+ ## Value: boolean
+ ## shared_subscription = false
-## Whether the Server supports Shared Subscriptions
-##
-## Value: boolean
-## zone.external.shared_subscription = false
+ ## Server Keep Alive
+ ##
+ ## Value: Number
+ ## server_keepalive = 0
-## Server Keep Alive
-##
-## Value: Number
-## zone.external.server_keepalive = 0
+ ## The backoff for MQTT keepalive timeout. The broker will kick a connection out
+ ## until 'Keepalive * backoff * 2' timeout.
+ ##
+ ## Value: Float > 0.5
+ keepalive_backoff = 0.75
-## The backoff for MQTT keepalive timeout. The broker will kick a connection out
-## until 'Keepalive * backoff * 2' timeout.
-##
-## Value: Float > 0.5
-zone.external.keepalive_backoff = 0.75
+ ## Maximum number of subscriptions allowed, 0 means no limit.
+ ##
+ ## Value: Number
+ max_subscriptions = 0
-## Maximum number of subscriptions allowed, 0 means no limit.
-##
-## Value: Number
-zone.external.max_subscriptions = 0
+ ## Force to upgrade QoS according to subscription.
+ ##
+ ## Value: on | off
+ upgrade_qos = off
-## Force to upgrade QoS according to subscription.
-##
-## Value: on | off
-zone.external.upgrade_qos = off
+ ## Maximum size of the Inflight Window storing QoS1/2 messages delivered but unacked.
+ ##
+ ## Value: Number
+ max_inflight = 32
-## Maximum size of the Inflight Window storing QoS1/2 messages delivered but unacked.
-##
-## Value: Number
-zone.external.max_inflight = 32
+ ## Retry interval for QoS1/2 message delivering.
+ ##
+ ## Value: Duration
+ retry_interval = 30s
-## Retry interval for QoS1/2 message delivering.
-##
-## Value: Duration
-zone.external.retry_interval = 30s
+ ## Maximum QoS2 packets (Client -> Broker) awaiting PUBREL, 0 means no limit.
+ ##
+ ## Value: Number
+ max_awaiting_rel = 100
-## Maximum QoS2 packets (Client -> Broker) awaiting PUBREL, 0 means no limit.
-##
-## Value: Number
-zone.external.max_awaiting_rel = 100
+ ## The QoS2 messages (Client -> Broker) will be dropped if awaiting PUBREL timeout.
+ ##
+ ## Value: Duration
+ await_rel_timeout = 300s
-## The QoS2 messages (Client -> Broker) will be dropped if awaiting PUBREL timeout.
-##
-## Value: Duration
-zone.external.await_rel_timeout = 300s
+ ## Default session expiry interval for MQTT V3.1.1 connections.
+ ##
+ ## Value: Duration
+ ## -d: day
+ ## -h: hour
+ ## -m: minute
+ ## -s: second
+ ##
+ ## Default: 2h, 2 hours
+ session_expiry_interval = 2h
-## Default session expiry interval for MQTT V3.1.1 connections.
-##
-## Value: Duration
-## -d: day
-## -h: hour
-## -m: minute
-## -s: second
-##
-## Default: 2h, 2 hours
-zone.external.session_expiry_interval = 2h
+ ## Maximum queue length. Enqueued messages when persistent client disconnected,
+ ## or inflight window is full. 0 means no limit.
+ ##
+ ## Value: Number >= 0
+ max_mqueue_len = 1000
-## Maximum queue length. Enqueued messages when persistent client disconnected,
-## or inflight window is full. 0 means no limit.
-##
-## Value: Number >= 0
-zone.external.max_mqueue_len = 1000
+ ## Topic priorities.
+ ## 'none' to indicate no priority table (by default), hence all messages
+ ## are treated equal
+ ##
+ ## Priority number [1-255]
+ ## Example: "topic/1=10,topic/2=8"
+ ## NOTE: comma and equal signs are not allowed for priority topic names
+ ## NOTE: messages for topics not in the priority table are treated as
+ ## either highest or lowest priority depending on the configured
+ ## value for mqueue_default_priority
+ ##
+ mqueue_priorities = none
-## Topic priorities.
-## 'none' to indicate no priority table (by default), hence all messages
-## are treated equal
-##
-## Priority number [1-255]
-## Example: "topic/1=10,topic/2=8"
-## NOTE: comma and equal signs are not allowed for priority topic names
-## NOTE: messages for topics not in the priority table are treated as
-## either highest or lowest priority depending on the configured
-## value for mqueue_default_priority
-##
-zone.external.mqueue_priorities = none
+ ## Default to highest priority for topics not matching priority table
+ ##
+ ## Value: highest | lowest
+ mqueue_default_priority = highest
-## Default to highest priority for topics not matching priority table
-##
-## Value: highest | lowest
-zone.external.mqueue_default_priority = highest
+ ## Whether to enqueue QoS0 messages.
+ ##
+ ## Value: false | true
+ mqueue_store_qos0 = true
-## Whether to enqueue QoS0 messages.
-##
-## Value: false | true
-zone.external.mqueue_store_qos0 = true
+ ## Whether to turn on flapping detect
+ ##
+ ## Value: on | off
+ enable_flapping_detect = off
-## Whether to turn on flapping detect
-##
-## Value: on | off
-zone.external.enable_flapping_detect = off
+ ## Message limit for the a external MQTT connection.
+ ##
+ ## Value: Number,Duration
+ ## Example: 100 messages per 10 seconds.
+ #rate_limit.conn_messages_in = "100,10s"
-## Message limit for the a external MQTT connection.
-##
-## Value: Number,Duration
-## Example: 100 messages per 10 seconds.
-#zone.external.rate_limit.conn_messages_in = "100,10s"
+ ## Bytes limit for a external MQTT connections.
+ ##
+ ## Value: Number,Duration
+ ## Example: 100KB incoming per 10 seconds.
+ #rate_limit.conn_bytes_in = "100KB,10s"
-## Bytes limit for a external MQTT connections.
-##
-## Value: Number,Duration
-## Example: 100KB incoming per 10 seconds.
-#zone.external.rate_limit.conn_bytes_in = "100KB,10s"
+ ## Whether to alarm the congested connections.
+ ##
+ ## Sometimes the mqtt connection (usually an MQTT subscriber) may get "congested" because
+ ## there're too many packets to sent. The socket trys to buffer the packets until the buffer is
+ ## full. If more packets comes after that, the packets will be "pending" in a queue
+ ## and we consider the connection is "congested".
+ ##
+ ## Enable this to send an alarm when there's any bytes pending in the queue. You could set
+ ## the `listener.tcp..sndbuf` to a larger value if the alarm is triggered too often.
+ ##
+ ## The name of the alarm is of format "conn_congestion//".
+ ## Where the is the client-id of the congested MQTT connection.
+ ## And the is the username or "unknown_user" of not provided by the client.
+ ## Default: off
+ #conn_congestion.alarm = off
-## Whether to alarm the congested connections.
-##
-## Sometimes the mqtt connection (usually an MQTT subscriber) may get "congested" because
-## there're too many packets to sent. The socket trys to buffer the packets until the buffer is
-## full. If more packets comes after that, the packets will be "pending" in a queue
-## and we consider the connection is "congested".
-##
-## Enable this to send an alarm when there's any bytes pending in the queue. You could set
-## the `listener.tcp..sndbuf` to a larger value if the alarm is triggered too often.
-##
-## The name of the alarm is of format "conn_congestion//".
-## Where the is the client-id of the congested MQTT connection.
-## And the is the username or "unknown_user" of not provided by the client.
-## Default: off
-#zone.external.conn_congestion.alarm = off
+ ## Won't clear the congested alarm in how long time.
+ ## The alarm is cleared only when there're no pending bytes in the queue, and also it has been
+ ## `min_alarm_sustain_duration` time since the last time we considered the connection is "congested".
+ ##
+ ## This is to avoid clearing and sending the alarm again too often.
+ ## Default: 1m
+ #conn_congestion.min_alarm_sustain_duration = 1m
-## Won't clear the congested alarm in how long time.
-## The alarm is cleared only when there're no pending bytes in the queue, and also it has been
-## `min_alarm_sustain_duration` time since the last time we considered the connection is "congested".
-##
-## This is to avoid clearing and sending the alarm again too often.
-## Default: 1m
-#zone.external.conn_congestion.min_alarm_sustain_duration = 1m
+ ## Messages quota for the each of external MQTT connection.
+ ## This value consumed by the number of recipient on a message.
+ ##
+ ## Value: Number, Duration
+ ##
+ ## Example: 100 messages per 1s
+ #quota.conn_messages_routing = "100,1s"
-## Messages quota for the each of external MQTT connection.
-## This value consumed by the number of recipient on a message.
-##
-## Value: Number, Duration
-##
-## Example: 100 messages per 1s
-#zone.external.quota.conn_messages_routing = "100,1s"
+ ## Messages quota for the all of external MQTT connections.
+ ## This value consumed by the number of recipient on a message.
+ ##
+ ## Value: Number, Duration
+ ##
+ ## Example: 200000 messages per 1s
+ #quota.overall_messages_routing = "200000,1s"
-## Messages quota for the all of external MQTT connections.
-## This value consumed by the number of recipient on a message.
-##
-## Value: Number, Duration
-##
-## Example: 200000 messages per 1s
-#zone.external.quota.overall_messages_routing = "200000,1s"
+ ## All the topics will be prefixed with the mountpoint path if this option is enabled.
+ ##
+ ## Variables in mountpoint path:
+ ## - %c: clientid
+ ## - %u: username
+ ##
+ ## Value: String
+ ## mountpoint = "devicebound/"
-## All the topics will be prefixed with the mountpoint path if this option is enabled.
-##
-## Variables in mountpoint path:
-## - %c: clientid
-## - %u: username
-##
-## Value: String
-## zone.external.mountpoint = "devicebound/"
+ ## Whether use username replace client id
+ ##
+ ## Value: boolean
+ ## Default: false
+ use_username_as_clientid = false
-## Whether use username replace client id
-##
-## Value: boolean
-## Default: false
-zone.external.use_username_as_clientid = false
+ ## Whether to ignore loop delivery of messages.(for mqtt v3.1.1)
+ ##
+ ## Value: true | false
+ ignore_loop_deliver = false
-## Whether to ignore loop delivery of messages.(for mqtt v3.1.1)
-##
-## Value: true | false
-zone.external.ignore_loop_deliver = false
+ ## Whether to parse the MQTT frame in strict mode
+ ##
+ ## Value: true | false
+ strict_mode = false
-## Whether to parse the MQTT frame in strict mode
-##
-## Value: true | false
-zone.external.strict_mode = false
-
-## Specify the response information returned to the client
-##
-## Value: String
-## zone.external.response_information = example
+ ## Specify the response information returned to the client
+ ##
+ ## Value: String
+ #response_information = example
+}
 ##--------------------------------------------------------------------
 ## Internal Zone
+zone.internal {
+ ## Allow anonymous authentication by default if no auth plugins loaded.
+ ## Notice: Disable the option in production deployment!
+ ##
+ ## Value: true | false
+ allow_anonymous = true
-zone.internal.allow_anonymous = true
+ ## Enable per connection stats.
+ ##
+ ## Value: Flag
+ enable_stats = on
-## Enable per connection stats.
-##
-## Value: Flag
-zone.internal.enable_stats = on
+ ## Enable ACL check.
+ ##
+ ## Value: Flag
+ enable_acl = off
-## Enable ACL check.
-##
-## Value: Flag
-zone.internal.enable_acl = off
+ ## The action when acl check reject current operation
+ ##
+ ## Value: ignore | disconnect
+ ## Default: ignore
+ acl_deny_action = ignore
-## The action when acl check reject current operation
-##
-## Value: ignore | disconnect
-## Default: ignore
-zone.internal.acl_deny_action = ignore
+ ## See zone.$name.force_gc_policy
+ ## force_gc_policy = "128000|128MB"
-## See zone.$name.force_gc_policy
-## zone.internal.force_gc_policy = "128000|128MB"
+ ## See zone.$name.wildcard_subscription.
+ ##
+ ## Value: boolean
+ ## wildcard_subscription = true
-## See zone.$name.wildcard_subscription.
-##
-## Value: boolean
-## zone.internal.wildcard_subscription = true
+ ## See zone.$name.shared_subscription.
+ ##
+ ## Value: boolean
+ ## shared_subscription = true
-## See zone.$name.shared_subscription.
-##
-## Value: boolean
-## zone.internal.shared_subscription = true
+ ## See zone.$name.max_subscriptions.
+ ##
+ ## Value: Integer
+ max_subscriptions = 0
-## See zone.$name.max_subscriptions.
-##
-## Value: Integer
-zone.internal.max_subscriptions = 0
+ ## See zone.$name.max_inflight
+ ##
+ ## Value: Number
+ max_inflight = 128
-## See zone.$name.max_inflight
-##
-## Value: Number
-zone.internal.max_inflight = 128
+ ## See zone.$name.max_awaiting_rel
+ ##
+ ## Value: Number
+ max_awaiting_rel = 1000
-## See zone.$name.max_awaiting_rel
-##
-## Value: Number
-zone.internal.max_awaiting_rel = 1000
+ ## See zone.$name.max_mqueue_len
+ ##
+ ## Value: Number >= 0
+ max_mqueue_len = 10000
-## See zone.$name.max_mqueue_len
-##
-## Value: Number >= 0
-zone.internal.max_mqueue_len = 10000
+ ## Whether to enqueue Qos0 messages.
+ ##
+ ## Value: false | true
+ mqueue_store_qos0 = true
-## Whether to enqueue Qos0 messages.
-##
-## Value: false | true
-zone.internal.mqueue_store_qos0 = true
+ ## Whether to turn on flapping detect
+ ##
+ ## Value: on | off
+ enable_flapping_detect = off
-## Whether to turn on flapping detect
-##
-## Value: on | off
-zone.internal.enable_flapping_detect = off
+ ## See zone.$name.force_shutdown_policy
+ ##
+ ## Default:
+ ## - "10000|64MB" on ARCH_64 system
+ ## - "1000|32MB" on ARCH_32 sytem
+ #force_shutdown_policy = 10000|64MB
-## See zone.$name.force_shutdown_policy
-##
-## Default:
-## - "10000|64MB" on ARCH_64 system
-## - "1000|32MB" on ARCH_32 sytem
-#zone.internal.force_shutdown_policy = 10000|64MB
+ ## All the topics will be prefixed with the mountpoint path if this option is enabled.
+ ##
+ ## Variables in mountpoint path:
+ ## - %c: clientid
+ ## - %u: username
+ ##
+ ## Value: String
+ ## mountpoint = "cloudbound/"
-## All the topics will be prefixed with the mountpoint path if this option is enabled.
-##
-## Variables in mountpoint path:
-## - %c: clientid
-## - %u: username
-##
-## Value: String
-## zone.internal.mountpoint = "cloudbound/"
+ ## Whether to ignore loop delivery of messages.(for mqtt v3.1.1)
+ ##
+ ## Value: true | false
+ ignore_loop_deliver = false
-## Whether to ignore loop delivery of messages.(for mqtt v3.1.1)
-##
-## Value: true | false
-zone.internal.ignore_loop_deliver = false
+ ## Whether to parse the MQTT frame in strict mode
+ ##
+ ## Value: true | false
+ strict_mode = false
-## Whether to parse the MQTT frame in strict mode
-##
-## Value: true | false
-zone.internal.strict_mode = false
+ ## Specify the response information returned to the client
+ ##
+ ## Value: String
+ ## response_information = example
-## Specify the response information returned to the client
-##
-## Value: String
-## zone.internal.response_information = example
-
-## Allow the zone's clients to bypass authentication step
-##
-## Value: true | false
-zone.internal.bypass_auth_plugins = true
-
-## CONFIG_SECTION_END=zones ====================================================
-
-## CONFIG_SECTION_BGN=listeners ================================================
+ ## Allow the zone's clients to bypass authentication step
+ ##
+ ## Value: true | false
+ bypass_auth_plugins = true
+}
 ##--------------------------------------------------------------------
 ## MQTT/TCP - External TCP Listener for MQTT Protocol
+listener.tcp.external {
+ ## listener.tcp.$name.endpoint is the IP address and port that the MQTT/TCP
+ ## listener will bind.
+ ##
+ ## Value: IP:Port | Port
+ ##
+ ## Examples: 1883, "127.0.0.1:1883", "::1:1883"
+ endpoint = "0.0.0.0:1883"
-## listener.tcp.$name is the IP address and port that the MQTT/TCP
-## listener will bind.
-##
-## Value: IP:Port | Port
-##
-## Examples: 1883, "127.0.0.1:1883", "::1:1883"
-listener.tcp.external.endpoint = "0.0.0.0:1883"
+ ## The acceptor pool for external MQTT/TCP listener.
+ ##
+ ## Value: Number
+ acceptors = 8
-## The acceptor pool for external MQTT/TCP listener.
-##
-## Value: Number
-listener.tcp.external.acceptors = 8
+ ## Maximum number of concurrent MQTT/TCP connections.
+ ##
+ ## Value: Number
+ max_connections = 1024000
-## Maximum number of concurrent MQTT/TCP connections.
-##
-## Value: Number
-listener.tcp.external.max_connections = 1024000
+ ## Maximum external connections per second.
+ ##
+ ## Value: Number
+ max_conn_rate = 1000
-## Maximum external connections per second.
-##
-## Value: Number
-listener.tcp.external.max_conn_rate = 1000
+ ## Specify the {active, N} option for the external MQTT/TCP Socket.
+ ##
+ ## Value: Number
+ active_n = 100
-## Specify the {active, N} option for the external MQTT/TCP Socket.
-##
-## Value: Number
-listener.tcp.external.active_n = 100
+ ## Zone of the external MQTT/TCP listener belonged to.
+ ##
+ ## See: zone.$name.*
+ ##
+ ## Value: String
+ zone = external
-## Zone of the external MQTT/TCP listener belonged to.
-##
-## See: zone.$name.*
-##
-## Value: String
-listener.tcp.external.zone = external
+ ## The access control rules for the MQTT/TCP listener.
+ ##
+ ## See: https://github.com/emqtt/esockd#allowdeny
+ ##
+ ## Value: ACL Rule
+ ##
+ ## Example: "allow 192.168.0.0/24"
+ access.1 = "allow all"
-## The access control rules for the MQTT/TCP listener.
-##
-## See: https://github.com/emqtt/esockd#allowdeny
-##
-## Value: ACL Rule
-##
-## Example: "allow 192.168.0.0/24"
-listener.tcp.external.access.1 = "allow all"
+ ## Enable the Proxy Protocol V1/2 if the EMQ X cluster is deployed
+ ## behind HAProxy or Nginx.
+ ##
+ ## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
+ ##
+ ## Value: on | off
+ ## proxy_protocol = on
-## Enable the Proxy Protocol V1/2 if the EMQ X cluster is deployed
-## behind HAProxy or Nginx.
-##
-## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
-##
-## Value: on | off
-## listener.tcp.external.proxy_protocol = on
+ ## Sets the timeout for proxy protocol. EMQ X will close the TCP connection
+ ## if no proxy protocol packet recevied within the timeout.
+ ##
+ ## Value: Duration
+ ## proxy_protocol_timeout = 3s
-## Sets the timeout for proxy protocol. EMQ X will close the TCP connection
-## if no proxy protocol packet recevied within the timeout.
-##
-## Value: Duration
-## listener.tcp.external.proxy_protocol_timeout = 3s
+ ## Enable the option for X.509 certificate based authentication.
+ ## EMQX will use the common name of certificate as MQTT username.
+ ## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info
+ ##
+ ## Value: cn
+ ## peer_cert_as_username = cn
-## Enable the option for X.509 certificate based authentication.
-## EMQX will use the common name of certificate as MQTT username.
-## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info
-##
-## Value: cn
-## listener.tcp.external.peer_cert_as_username = cn
+ ## Enable the option for X.509 certificate based authentication.
+ ## EMQX will use the common name of certificate as MQTT clientid.
+ ## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info
+ ##
+ ## Value: cn
+ ## peer_cert_as_clientid = cn
-## Enable the option for X.509 certificate based authentication.
-## EMQX will use the common name of certificate as MQTT clientid.
-## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info
-##
-## Value: cn
-## listener.tcp.external.peer_cert_as_clientid = cn
+ ## The TCP backlog defines the maximum length that the queue of pending
+ ## connections can grow to.
+ ##
+ ## Value: Number >= 0
+ backlog = 1024
-## The TCP backlog defines the maximum length that the queue of pending
-## connections can grow to.
-##
-## Value: Number >= 0
-listener.tcp.external.backlog = 1024
+ ## The TCP send timeout for external MQTT connections.
+ ##
+ ## Value: Duration
+ send_timeout = 15s
-## The TCP send timeout for external MQTT connections.
-##
-## Value: Duration
-listener.tcp.external.send_timeout = 15s
+ ## Close the TCP connection if send timeout.
+ ##
+ ## Value: on | off
+ send_timeout_close = on
-## Close the TCP connection if send timeout.
-##
-## Value: on | off
-listener.tcp.external.send_timeout_close = on
+ ## The TCP receive buffer(os kernel) for MQTT connections.
+ ##
+ ## See: http://erlang.org/doc/man/inet.html
+ ##
+ ## Value: Bytes
+ ## recbuf = 2KB
-## The TCP receive buffer(os kernel) for MQTT connections.
-##
-## See: http://erlang.org/doc/man/inet.html
-##
-## Value: Bytes
-## listener.tcp.external.recbuf = 2KB
+ ## The TCP send buffer(os kernel) for MQTT connections.
+ ##
+ ## See: http://erlang.org/doc/man/inet.html
+ ##
+ ## Value: Bytes
+ ## sndbuf = 2KB
-## The TCP send buffer(os kernel) for MQTT connections.
-##
-## See: http://erlang.org/doc/man/inet.html
-##
-## Value: Bytes
-## listener.tcp.external.sndbuf = 2KB
+ ## The size of the user-level software buffer used by the driver.
+ ## Not to be confused with options sndbuf and recbuf, which correspond
+ ## to the Kernel socket buffers. It is recommended to have val(buffer)
+ ## >= max(val(sndbuf),val(recbuf)) to avoid performance issues because
+ ## of unnecessary copying. val(buffer) is automatically set to the above
+ ## maximum when values sndbuf or recbuf are set.
+ ##
+ ## See: http://erlang.org/doc/man/inet.html
+ ##
+ ## Value: Bytes
+ ## buffer = 2KB
-## The size of the user-level software buffer used by the driver.
-## Not to be confused with options sndbuf and recbuf, which correspond
-## to the Kernel socket buffers. It is recommended to have val(buffer)
-## >= max(val(sndbuf),val(recbuf)) to avoid performance issues because
-## of unnecessary copying. val(buffer) is automatically set to the above
-## maximum when values sndbuf or recbuf are set.
-##
-## See: http://erlang.org/doc/man/inet.html
-##
-## Value: Bytes
-## listener.tcp.external.buffer = 2KB
+ ## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
+ ##
+ ## Value: on | off
+ ## tune_buffer = off
-## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
-##
-## Value: on | off
-## listener.tcp.external.tune_buffer = off
+ ## The socket is set to a busy state when the amount of data queued internally
+ ## by the ERTS socket implementation reaches this limit.
+ ##
+ ## Value: on | off
+ ## Defaults to 1MB
+ ## high_watermark = 1MB
-## The socket is set to a busy state when the amount of data queued internally
-## by the ERTS socket implementation reaches this limit.
-##
-## Value: on | off
-## Defaults to 1MB
-## listener.tcp.external.high_watermark = 1MB
+ ## The TCP_NODELAY flag for MQTT connections. Small amounts of data are
+ ## sent immediately if the option is enabled.
+ ##
+ ## Value: true | false
+ nodelay = true
-## The TCP_NODELAY flag for MQTT connections. Small amounts of data are
-## sent immediately if the option is enabled.
-##
-## Value: true | false
-listener.tcp.external.nodelay = true
-
-## The SO_REUSEADDR flag for TCP listener.
-##
-## Value: true | false
-listener.tcp.external.reuseaddr = true
+ ## The SO_REUSEADDR flag for TCP listener.
+ ##
+ ## Value: true | false
+ reuseaddr = true
+}
 ##--------------------------------------------------------------------
 ## Internal TCP Listener for MQTT Protocol
-## The IP address and port that the internal MQTT/TCP protocol listener
-## will bind.
-##
-## Value: IP:Port, Port
-##
-## Examples: 11883, "127.0.0.1:11883", "::1:11883"
-listener.tcp.internal.endpoint = "127.0.0.1:11883"
+listener.tcp.internal {
+ ## The IP address and port that the internal MQTT/TCP protocol listener
+ ## will bind.
+ ##
+ ## Value: IP:Port, Port
+ ##
+ ## Examples: 11883, "127.0.0.1:11883", "::1:11883"
+ endpoint = "127.0.0.1:11883"
-## The acceptor pool for internal MQTT/TCP listener.
-##
-## Value: Number
-listener.tcp.internal.acceptors = 4
+ ## The acceptor pool for internal MQTT/TCP listener.
+ ##
+ ## Value: Number
+ acceptors = 4
-## Maximum number of concurrent MQTT/TCP connections.
-##
-## Value: Number
-listener.tcp.internal.max_connections = 1024000
+ ## Maximum number of concurrent MQTT/TCP connections.
+ ##
+ ## Value: Number
+ max_connections = 1024000
-## Maximum internal connections per second.
-##
-## Value: Number
-listener.tcp.internal.max_conn_rate = 1000
+ ## Maximum internal connections per second.
+ ##
+ ## Value: Number
+ max_conn_rate = 1000
-## Specify the {active, N} option for the internal MQTT/TCP Socket.
-##
-## Value: Number
-listener.tcp.internal.active_n = 1000
+ ## Specify the {active, N} option for the internal MQTT/TCP Socket.
+ ##
+ ## Value: Number
+ active_n = 1000
-## Zone of the internal MQTT/TCP listener belonged to.
-##
-## Value: String
-listener.tcp.internal.zone = internal
+ ## Zone of the internal MQTT/TCP listener belonged to.
+ ##
+ ## Value: String
+ zone = internal
-## The TCP backlog of internal MQTT/TCP Listener.
-##
-## See: listener.tcp.$name.backlog
-##
-## Value: Number >= 0
-listener.tcp.internal.backlog = 512
+ ## The TCP backlog of internal MQTT/TCP Listener.
+ ##
+ ## See: listener.tcp.$name.backlog
+ ##
+ ## Value: Number >= 0
+ backlog = 512
-## The TCP send timeout for internal MQTT connections.
-##
-## See: listener.tcp.$name.send_timeout
-##
-## Value: Duration
-listener.tcp.internal.send_timeout = 5s
+ ## The TCP send timeout for internal MQTT connections.
+ ##
+ ## See: listener.tcp.$name.send_timeout
+ ##
+ ## Value: Duration
+ send_timeout = 5s
-## Close the MQTT/TCP connection if send timeout.
-##
-## See: listener.tcp.$name.send_timeout_close
-##
-## Value: on | off
-listener.tcp.internal.send_timeout_close = on
+ ## Close the MQTT/TCP connection if send timeout.
+ ##
+ ## See: listener.tcp.$name.send_timeout_close
+ ##
+ ## Value: on | off
+ send_timeout_close = on
-## The TCP receive buffer(os kernel) for internal MQTT connections.
-##
-## See: listener.tcp.$name.recbuf
-##
-## Value: Bytes
-listener.tcp.internal.recbuf = 64KB
+ ## The TCP receive buffer(os kernel) for internal MQTT connections.
+ ##
+ ## See: listener.tcp.$name.recbuf
+ ##
+ ## Value: Bytes
+ recbuf = 64KB
-## The TCP send buffer(os kernel) for internal MQTT connections.
-##
-## See: http://erlang.org/doc/man/inet.html
-##
-## Value: Bytes
-listener.tcp.internal.sndbuf = 64KB
+ ## The TCP send buffer(os kernel) for internal MQTT connections.
+ ##
+ ## See: http://erlang.org/doc/man/inet.html
+ ##
+ ## Value: Bytes
+ sndbuf = 64KB
-## The size of the user-level software buffer used by the driver.
-##
-## See: listener.tcp.$name.buffer
-##
-## Value: Bytes
-## listener.tcp.internal.buffer = 16KB
+ ## The size of the user-level software buffer used by the driver.
+ ##
+ ## See: listener.tcp.$name.buffer
+ ##
+ ## Value: Bytes
+ ## buffer = 16KB
-## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
-##
-## See: listener.tcp.$name.tune_buffer
-##
-## Value: on | off
-## listener.tcp.internal.tune_buffer = off
+ ## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
+ ##
+ ## See: listener.tcp.$name.tune_buffer
+ ##
+ ## Value: on | off
+ ## tune_buffer = off
-## The TCP_NODELAY flag for internal MQTT connections.
-##
-## See: listener.tcp.$name.nodelay
-##
-## Value: true | false
-listener.tcp.internal.nodelay = false
+ ## The TCP_NODELAY flag for internal MQTT connections.
+ ##
+ ## See: listener.tcp.$name.nodelay
+ ##
+ ## Value: true | false
+ nodelay = false
-## The SO_REUSEADDR flag for MQTT/TCP Listener.
-##
-## Value: true | false
-listener.tcp.internal.reuseaddr = true
+ ## The SO_REUSEADDR flag for MQTT/TCP Listener.
+ ##
+ ## Value: true | false
+ reuseaddr = true
+}
 ##--------------------------------------------------------------------
 ## MQTT/SSL - External SSL Listener for MQTT Protocol
+listener.ssl.external {
+ ## listener.ssl.$name is the IP address and port that the MQTT/SSL
+ ## listener will bind.
+ ##
+ ## Value: IP:Port | Port
+ ##
+ ## Examples: 8883, "127.0.0.1:8883", "::1:8883"
+ endpoint = 8883
-## listener.ssl.$name is the IP address and port that the MQTT/SSL
-## listener will bind.
-##
-## Value: IP:Port | Port
-##
-## Examples: 8883, "127.0.0.1:8883", "::1:8883"
-listener.ssl.external.endpoint = 8883
+ ## The acceptor pool for external MQTT/SSL listener.
+ ##
+ ## Value: Number
+ acceptors = 16
-## The acceptor pool for external MQTT/SSL listener.
-## -## Value: Number -listener.ssl.external.acceptors = 16 + ## Maximum number of concurrent MQTT/SSL connections. + ## + ## Value: Number + max_connections = 102400 -## Maximum number of concurrent MQTT/SSL connections. -## -## Value: Number -listener.ssl.external.max_connections = 102400 + ## Maximum MQTT/SSL connections per second. + ## + ## Value: Number + max_conn_rate = 500 -## Maximum MQTT/SSL connections per second. -## -## Value: Number -listener.ssl.external.max_conn_rate = 500 + ## Specify the {active, N} option for the internal MQTT/SSL Socket. + ## + ## Value: Number + active_n = 100 -## Specify the {active, N} option for the internal MQTT/SSL Socket. -## -## Value: Number -listener.ssl.external.active_n = 100 + ## Zone of the external MQTT/SSL listener belonged to. + ## + ## Value: String + zone = external -## Zone of the external MQTT/SSL listener belonged to. -## -## Value: String -listener.ssl.external.zone = external + ## The access control rules for the MQTT/SSL listener. + ## + ## See: listener.tcp.$name.access + ## + ## Value: ACL Rule + access.1 = "allow all" -## The access control rules for the MQTT/SSL listener. -## -## See: listener.tcp.$name.access -## -## Value: ACL Rule -listener.ssl.external.access.1 = "allow all" + ## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind + ## HAProxy or Nginx. + ## + ## See: listener.tcp.$name.proxy_protocol + ## + ## Value: on | off + ## proxy_protocol = on -## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind -## HAProxy or Nginx. -## -## See: listener.tcp.$name.proxy_protocol -## -## Value: on | off -## listener.ssl.external.proxy_protocol = on + ## Sets the timeout for proxy protocol. + ## + ## See: listener.tcp.$name.proxy_protocol_timeout + ## + ## Value: Duration + ## proxy_protocol_timeout = 3s -## Sets the timeout for proxy protocol. 
-## -## See: listener.tcp.$name.proxy_protocol_timeout -## -## Value: Duration -## listener.ssl.external.proxy_protocol_timeout = 3s + ## TLS versions only to protect from POODLE attack. + ## + ## See: http://erlang.org/doc/man/ssl.html + ## + ## Value: String, seperated by ',' + ## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier + ## tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1" -## TLS versions only to protect from POODLE attack. -## -## See: http://erlang.org/doc/man/ssl.html -## -## Value: String, seperated by ',' -## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier -## listener.ssl.external.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1" + ## TLS Handshake timeout. + ## + ## Value: Duration + handshake_timeout = 15s -## TLS Handshake timeout. -## -## Value: Duration -listener.ssl.external.handshake_timeout = 15s + ## Maximum number of non-self-issued intermediate certificates that + ## can follow the peer certificate in a valid certification path. + ## + ## Value: Number + ## depth = 10 -## Maximum number of non-self-issued intermediate certificates that -## can follow the peer certificate in a valid certification path. -## -## Value: Number -## listener.ssl.external.depth = 10 + ## String containing the user's password. Only used if the private keyfile + ## is password-protected. + ## + ## Value: String + ## key_password = yourpass -## String containing the user's password. Only used if the private keyfile -## is password-protected. -## -## Value: String -## listener.ssl.external.key_password = yourpass + ## Path to the file containing the user's private PEM-encoded key. + ## + ## See: http://erlang.org/doc/man/ssl.html + ## + ## Value: File + keyfile = "{{ platform_etc_dir }}/certs/key.pem" -## Path to the file containing the user's private PEM-encoded key. 
-## -## See: http://erlang.org/doc/man/ssl.html -## -## Value: File -listener.ssl.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem" + ## Path to a file containing the user certificate. + ## + ## See: http://erlang.org/doc/man/ssl.html + ## + ## Value: File + certfile = "{{ platform_etc_dir }}/certs/cert.pem" -## Path to a file containing the user certificate. -## -## See: http://erlang.org/doc/man/ssl.html -## -## Value: File -listener.ssl.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem" + ## Path to the file containing PEM-encoded CA certificates. The CA certificates + ## are used during server authentication and when building the client certificate chain. + ## + ## Value: File + ## cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem" -## Path to the file containing PEM-encoded CA certificates. The CA certificates -## are used during server authentication and when building the client certificate chain. -## -## Value: File -## listener.ssl.external.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem" + ## The Ephemeral Diffie-Helman key exchange is a very effective way of + ## ensuring Forward Secrecy by exchanging a set of keys that never hit + ## the wire. Since the DH key is effectively signed by the private key, + ## it needs to be at least as strong as the private key. In addition, + ## the default DH groups that most of the OpenSSL installations have + ## are only a handful (since they are distributed with the OpenSSL + ## package that has been built for the operating system it’s running on) + ## and hence predictable (not to mention, 1024 bits only). + ## In order to escape this situation, first we need to generate a fresh, + ## strong DH group, store it in a file and then use the option above, + ## to force our SSL application to use the new DH group. Fortunately, + ## OpenSSL provides us with a tool to do that. 
Simply run: + ## openssl dhparam -out dh-params.pem 2048 + ## + ## Value: File + ## dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem" -## The Ephemeral Diffie-Helman key exchange is a very effective way of -## ensuring Forward Secrecy by exchanging a set of keys that never hit -## the wire. Since the DH key is effectively signed by the private key, -## it needs to be at least as strong as the private key. In addition, -## the default DH groups that most of the OpenSSL installations have -## are only a handful (since they are distributed with the OpenSSL -## package that has been built for the operating system it’s running on) -## and hence predictable (not to mention, 1024 bits only). -## In order to escape this situation, first we need to generate a fresh, -## strong DH group, store it in a file and then use the option above, -## to force our SSL application to use the new DH group. Fortunately, -## OpenSSL provides us with a tool to do that. Simply run: -## openssl dhparam -out dh-params.pem 2048 -## -## Value: File -## listener.ssl.external.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem" + ## A server only does x509-path validation in mode verify_peer, + ## as it then sends a certificate request to the client (this + ## message is not sent if the verify option is verify_none). + ## You can then also want to specify option fail_if_no_peer_cert. + ## More information at: http://erlang.org/doc/man/ssl.html + ## + ## Value: verify_peer | verify_none + ## verify = verify_peer -## A server only does x509-path validation in mode verify_peer, -## as it then sends a certificate request to the client (this -## message is not sent if the verify option is verify_none). -## You can then also want to specify option fail_if_no_peer_cert. -## More information at: http://erlang.org/doc/man/ssl.html -## -## Value: verify_peer | verify_none -## listener.ssl.external.verify = verify_peer + ## Used together with {verify, verify_peer} by an SSL server. 
If set to true, + ## the server fails if the client does not have a certificate to send, that is, + ## sends an empty certificate. + ## + ## Value: true | false + ## fail_if_no_peer_cert = true -## Used together with {verify, verify_peer} by an SSL server. If set to true, -## the server fails if the client does not have a certificate to send, that is, -## sends an empty certificate. -## -## Value: true | false -## listener.ssl.external.fail_if_no_peer_cert = true + ## This is the single most important configuration option of an Erlang SSL + ## application. Ciphers (and their ordering) define the way the client and + ## server encrypt information over the wire, from the initial Diffie-Helman + ## key exchange, the session key encryption ## algorithm and the message + ## digest algorithm. Selecting a good cipher suite is critical for the + ## application’s data security, confidentiality and performance. + ## + ## The cipher list above offers: + ## + ## A good balance between compatibility with older browsers. + ## It can get stricter for Machine-To-Machine scenarios. + ## Perfect Forward Secrecy. 
+ ## No old/insecure encryption and HMAC algorithms + ## + ## Most of it was copied from Mozilla’s Server Side TLS article + ## + ## Value: Ciphers + ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA" -## This is the single most important configuration option of an Erlang SSL -## application. Ciphers (and their ordering) define the way the client and -## server encrypt information over the wire, from the initial Diffie-Helman -## key exchange, the session key encryption ## algorithm and the message -## digest algorithm. Selecting a good cipher suite is critical for the -## application’s data security, confidentiality and performance. -## -## The cipher list above offers: -## -## A good balance between compatibility with older browsers. -## It can get stricter for Machine-To-Machine scenarios. -## Perfect Forward Secrecy. 
-## No old/insecure encryption and HMAC algorithms -## -## Most of it was copied from Mozilla’s Server Side TLS article -## -## Value: Ciphers -listener.ssl.external.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA" + ## Ciphers for TLS PSK. + ## Note that 'ciphers' and 'psk_ciphers' cannot + ## be configured at the same time. + ## See 'https://tools.ietf.org/html/rfc4279#section-2'. + #psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA" -## Ciphers for TLS PSK. -## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot -## be configured at the same time. -## See 'https://tools.ietf.org/html/rfc4279#section-2'. -#listener.ssl.external.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA" + ## SSL parameter renegotiation is a feature that allows a client and a server + ## to renegotiate the parameters of the SSL connection on the fly. + ## RFC 5746 defines a more secure way of doing this. 
By enabling secure renegotiation, + ## you drop support for the insecure renegotiation, prone to MitM attacks. + ## + ## Value: on | off + ## secure_renegotiate = off -## SSL parameter renegotiation is a feature that allows a client and a server -## to renegotiate the parameters of the SSL connection on the fly. -## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, -## you drop support for the insecure renegotiation, prone to MitM attacks. -## -## Value: on | off -## listener.ssl.external.secure_renegotiate = off + ## A performance optimization setting, it allows clients to reuse + ## pre-existing sessions, instead of initializing new ones. + ## Read more about it here. + ## + ## See: http://erlang.org/doc/man/ssl.html + ## + ## Value: on | off + ## reuse_sessions = on -## A performance optimization setting, it allows clients to reuse -## pre-existing sessions, instead of initializing new ones. -## Read more about it here. -## -## See: http://erlang.org/doc/man/ssl.html -## -## Value: on | off -## listener.ssl.external.reuse_sessions = on + ## An important security setting, it forces the cipher to be set based + ## on the server-specified order instead of the client-specified order, + ## hence enforcing the (usually more properly configured) security + ## ordering of the server administrator. + ## + ## Value: on | off + ## honor_cipher_order = on -## An important security setting, it forces the cipher to be set based -## on the server-specified order instead of the client-specified order, -## hence enforcing the (usually more properly configured) security -## ordering of the server administrator. -## -## Value: on | off -## listener.ssl.external.honor_cipher_order = on + ## Use the CN, DN or CRT field from the client certificate as a username. + ## Notice that 'verify' should be set as 'verify_peer'. + ## 'pem' encodes CRT in base64, and md5 is the md5 hash of CRT. 
+ ## + ## Value: cn | dn | crt | pem | md5 + ## peer_cert_as_username = cn -## Use the CN, DN or CRT field from the client certificate as a username. -## Notice that 'verify' should be set as 'verify_peer'. -## 'pem' encodes CRT in base64, and md5 is the md5 hash of CRT. -## -## Value: cn | dn | crt | pem | md5 -## listener.ssl.external.peer_cert_as_username = cn + ## Use the CN, DN or CRT field from the client certificate as a username. + ## Notice that 'verify' should be set as 'verify_peer'. + ## 'pem' encodes CRT in base64, and md5 is the md5 hash of CRT. + ## + ## Value: cn | dn | crt | pem | md5 + ## peer_cert_as_clientid = cn -## Use the CN, DN or CRT field from the client certificate as a username. -## Notice that 'verify' should be set as 'verify_peer'. -## 'pem' encodes CRT in base64, and md5 is the md5 hash of CRT. -## -## Value: cn | dn | crt | pem | md5 -## listener.ssl.external.peer_cert_as_clientid = cn + ## TCP backlog for the SSL connection. + ## + ## See listener.tcp.$name.backlog + ## + ## Value: Number >= 0 + ## backlog = 1024 -## TCP backlog for the SSL connection. -## -## See listener.tcp.$name.backlog -## -## Value: Number >= 0 -## listener.ssl.external.backlog = 1024 + ## The TCP send timeout for the SSL connection. + ## + ## See listener.tcp.$name.send_timeout + ## + ## Value: Duration + ## send_timeout = 15s -## The TCP send timeout for the SSL connection. -## -## See listener.tcp.$name.send_timeout -## -## Value: Duration -## listener.ssl.external.send_timeout = 15s + ## Close the SSL connection if send timeout. + ## + ## See: listener.tcp.$name.send_timeout_close + ## + ## Value: on | off + ## send_timeout_close = on -## Close the SSL connection if send timeout. -## -## See: listener.tcp.$name.send_timeout_close -## -## Value: on | off -## listener.ssl.external.send_timeout_close = on + ## The TCP receive buffer(os kernel) for the SSL connections. 
+ ## + ## See: listener.tcp.$name.recbuf + ## + ## Value: Bytes + ## recbuf = 4KB -## The TCP receive buffer(os kernel) for the SSL connections. -## -## See: listener.tcp.$name.recbuf -## -## Value: Bytes -## listener.ssl.external.recbuf = 4KB + ## The TCP send buffer(os kernel) for internal MQTT connections. + ## + ## See: listener.tcp.$name.sndbuf + ## + ## Value: Bytes + ## sndbuf = 4KB -## The TCP send buffer(os kernel) for internal MQTT connections. -## -## See: listener.tcp.$name.sndbuf -## -## Value: Bytes -## listener.ssl.external.sndbuf = 4KB + ## The size of the user-level software buffer used by the driver. + ## + ## See: listener.tcp.$name.buffer + ## + ## Value: Bytes + ## buffer = 4KB -## The size of the user-level software buffer used by the driver. -## -## See: listener.tcp.$name.buffer -## -## Value: Bytes -## listener.ssl.external.buffer = 4KB + ## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled. + ## + ## See: listener.tcp.$name.tune_buffer + ## + ## Value: on | off + ## tune_buffer = off -## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled. -## -## See: listener.tcp.$name.tune_buffer -## -## Value: on | off -## listener.ssl.external.tune_buffer = off + ## The TCP_NODELAY flag for SSL connections. + ## + ## See: listener.tcp.$name.nodelay + ## + ## Value: true | false + ## nodelay = true -## The TCP_NODELAY flag for SSL connections. -## -## See: listener.tcp.$name.nodelay -## -## Value: true | false -## listener.ssl.external.nodelay = true - -## The SO_REUSEADDR flag for MQTT/SSL Listener. -## -## Value: true | false -listener.ssl.external.reuseaddr = true + ## The SO_REUSEADDR flag for MQTT/SSL Listener. + ## + ## Value: true | false + reuseaddr = true +} ##-------------------------------------------------------------------- ## External WebSocket listener for MQTT protocol -## listener.ws.$name is the IP address and port that the MQTT/WebSocket -## listener will bind. 
-## -## Value: IP:Port | Port -## -## Examples: 8083, "127.0.0.1:8083", "::1:8083" -listener.ws.external.endpoint = 8083 +listener.ws.external { + ## $name is the IP address and port that the MQTT/WebSocket + ## listener will bind. + ## + ## Value: IP:Port | Port + ## + ## Examples: 8083, "127.0.0.1:8083", "::1:8083" + endpoint = 8083 -## The path of WebSocket MQTT endpoint -## -## Value: URL Path -listener.ws.external.mqtt_path = "/mqtt" + ## The path of WebSocket MQTT endpoint + ## + ## Value: URL Path + mqtt_path = "/mqtt" -## The acceptor pool for external MQTT/WebSocket listener. -## -## Value: Number -listener.ws.external.acceptors = 4 + ## The acceptor pool for external MQTT/WebSocket listener. + ## + ## Value: Number + acceptors = 4 -## Maximum number of concurrent MQTT/WebSocket connections. -## -## Value: Number -listener.ws.external.max_connections = 102400 + ## Maximum number of concurrent MQTT/WebSocket connections. + ## + ## Value: Number + max_connections = 102400 -## Maximum MQTT/WebSocket connections per second. -## -## Value: Number -listener.ws.external.max_conn_rate = 1000 + ## Maximum MQTT/WebSocket connections per second. + ## + ## Value: Number + max_conn_rate = 1000 -## Simulate the {active, N} option for the MQTT/WebSocket connections. -## -## Value: Number -listener.ws.external.active_n = 100 + ## Simulate the {active, N} option for the MQTT/WebSocket connections. + ## + ## Value: Number + active_n = 100 -## Zone of the external MQTT/WebSocket listener belonged to. -## -## Value: String -listener.ws.external.zone = external + ## Zone of the external MQTT/WebSocket listener belonged to. + ## + ## Value: String + zone = external -## The access control for the MQTT/WebSocket listener. -## -## See: listener.ws.$name.access -## -## Value: ACL Rule -listener.ws.external.access.1 = "allow all" + ## The access control for the MQTT/WebSocket listener. 
+ ## + ## See: $name.access + ## + ## Value: ACL Rule + access.1 = "allow all" -## If set to true, the server fails if the client does not have a Sec-WebSocket-Protocol to send. -## Set to false for WeChat MiniApp. -## -## Value: true | false -## listener.ws.external.fail_if_no_subprotocol = true + ## If set to true, the server fails if the client does not have a Sec-WebSocket-Protocol to send. + ## Set to false for WeChat MiniApp. + ## + ## Value: true | false + ## fail_if_no_subprotocol = true -## Supported subprotocols -## -## Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5 -## listener.ws.external.supported_subprotocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5" + ## Supported subprotocols + ## + ## Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5 + ## supported_subprotocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5" -## Specify which HTTP header for real source IP if the EMQ X cluster is -## deployed behind NGINX or HAProxy. -## -## Default: X-Forwarded-For -## listener.ws.external.proxy_address_header = X-Forwarded-For + ## Specify which HTTP header for real source IP if the EMQ X cluster is + ## deployed behind NGINX or HAProxy. + ## + ## Default: X-Forwarded-For + ## proxy_address_header = X-Forwarded-For -## Specify which HTTP header for real source port if the EMQ X cluster is -## deployed behind NGINX or HAProxy. -## -## Default: X-Forwarded-Port -## listener.ws.external.proxy_port_header = X-Forwarded-Port + ## Specify which HTTP header for real source port if the EMQ X cluster is + ## deployed behind NGINX or HAProxy. + ## + ## Default: X-Forwarded-Port + ## proxy_port_header = X-Forwarded-Port -## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind -## HAProxy or Nginx. -## -## See: listener.ws.$name.proxy_protocol -## -## Value: on | off -## listener.ws.external.proxy_protocol = on + ## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind + ## HAProxy or Nginx. 
+ ## + ## See: $name.proxy_protocol + ## + ## Value: on | off + ## proxy_protocol = on -## Sets the timeout for proxy protocol. -## -## See: listener.ws.$name.proxy_protocol_timeout -## -## Value: Duration -## listener.ws.external.proxy_protocol_timeout = 3s + ## Sets the timeout for proxy protocol. + ## + ## See: $name.proxy_protocol_timeout + ## + ## Value: Duration + ## proxy_protocol_timeout = 3s -## Enable the option for X.509 certificate based authentication. -## EMQX will use the common name of certificate as MQTT username. -## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info -## -## Value: cn -## listener.ws.external.peer_cert_as_username = cn + ## Enable the option for X.509 certificate based authentication. + ## EMQX will use the common name of certificate as MQTT username. + ## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info + ## + ## Value: cn + ## peer_cert_as_username = cn -## Enable the option for X.509 certificate based authentication. -## EMQX will use the common name of certificate as MQTT clientid. -## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info -## -## Value: cn -## listener.ws.external.peer_cert_as_clientid = cn + ## Enable the option for X.509 certificate based authentication. + ## EMQX will use the common name of certificate as MQTT clientid. + ## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info + ## + ## Value: cn + ## peer_cert_as_clientid = cn -## The TCP backlog of external MQTT/WebSocket Listener. -## -## See: listener.ws.$name.backlog -## -## Value: Number >= 0 -listener.ws.external.backlog = 1024 + ## The TCP backlog of external MQTT/WebSocket Listener. + ## + ## See: $name.backlog + ## + ## Value: Number >= 0 + backlog = 1024 -## The TCP send timeout for external MQTT/WebSocket connections. 
-## -## See: listener.ws.$name.send_timeout -## -## Value: Duration -listener.ws.external.send_timeout = 15s + ## The TCP send timeout for external MQTT/WebSocket connections. + ## + ## See: $name.send_timeout + ## + ## Value: Duration + send_timeout = 15s -## Close the MQTT/WebSocket connection if send timeout. -## -## See: listener.ws.$name.send_timeout_close -## -## Value: on | off -listener.ws.external.send_timeout_close = on + ## Close the MQTT/WebSocket connection if send timeout. + ## + ## See: $name.send_timeout_close + ## + ## Value: on | off + send_timeout_close = on -## The TCP receive buffer(os kernel) for external MQTT/WebSocket connections. -## -## See: listener.ws.$name.recbuf -## -## Value: Bytes -## listener.ws.external.recbuf = 2KB + ## The TCP receive buffer(os kernel) for external MQTT/WebSocket connections. + ## + ## See: $name.recbuf + ## + ## Value: Bytes + ## recbuf = 2KB -## The TCP send buffer(os kernel) for external MQTT/WebSocket connections. -## -## See: listener.ws.$name.sndbuf -## -## Value: Bytes -## listener.ws.external.sndbuf = 2KB + ## The TCP send buffer(os kernel) for external MQTT/WebSocket connections. + ## + ## See: $name.sndbuf + ## + ## Value: Bytes + ## sndbuf = 2KB -## The size of the user-level software buffer used by the driver. -## -## See: listener.ws.$name.buffer -## -## Value: Bytes -## listener.ws.external.buffer = 2KB + ## The size of the user-level software buffer used by the driver. + ## + ## See: $name.buffer + ## + ## Value: Bytes + ## buffer = 2KB -## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled. -## -## See: listener.ws.$name.tune_buffer -## -## Value: on | off -## listener.ws.external.tune_buffer = off + ## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled. + ## + ## See: $name.tune_buffer + ## + ## Value: on | off + ## tune_buffer = off -## The TCP_NODELAY flag for external MQTT/WebSocket connections. 
-## -## See: listener.ws.$name.nodelay -## -## Value: true | false -listener.ws.external.nodelay = true + ## The TCP_NODELAY flag for external MQTT/WebSocket connections. + ## + ## See: $name.nodelay + ## + ## Value: true | false + nodelay = true -## The compress flag for external MQTT/WebSocket connections. -## -## If this Value is set true,the websocket message would be compressed -## -## Value: true | false -## listener.ws.external.compress = true + ## The compress flag for external MQTT/WebSocket connections. + ## + ## If this Value is set true,the websocket message would be compressed + ## + ## Value: true | false + ## compress = true -## The level of deflate options for external MQTT/WebSocket connections. -## -## See: listener.ws.$name.deflate_opts.level -## -## Value: none | default | best_compression | best_speed -## listener.ws.external.deflate_opts.level = default + ## The level of deflate options for external MQTT/WebSocket connections. + ## + ## See: $name.deflate_opts.level + ## + ## Value: none | default | best_compression | best_speed + ## deflate_opts.level = default -## The mem_level of deflate options for external MQTT/WebSocket connections. -## -## See: listener.ws.$name.deflate_opts.mem_level -## -## Valid range is 1-9 -## listener.ws.external.deflate_opts.mem_level = 8 + ## The mem_level of deflate options for external MQTT/WebSocket connections. + ## + ## See: $name.deflate_opts.mem_level + ## + ## Valid range is 1-9 + ## deflate_opts.mem_level = 8 -## The strategy of deflate options for external MQTT/WebSocket connections. -## -## See: listener.ws.$name.deflate_opts.strategy -## -## Value: default | filtered | huffman_only | rle -## listener.ws.external.deflate_opts.strategy = default + ## The strategy of deflate options for external MQTT/WebSocket connections. 
+ ## + ## See: $name.deflate_opts.strategy + ## + ## Value: default | filtered | huffman_only | rle + ## deflate_opts.strategy = default -## The deflate option for external MQTT/WebSocket connections. -## -## See: listener.ws.$name.deflate_opts.server_context_takeover -## -## Value: takeover | no_takeover -## listener.ws.external.deflate_opts.server_context_takeover = takeover + ## The deflate option for external MQTT/WebSocket connections. + ## + ## See: $name.deflate_opts.server_context_takeover + ## + ## Value: takeover | no_takeover + ## deflate_opts.server_context_takeover = takeover -## The deflate option for external MQTT/WebSocket connections. -## -## See: listener.ws.$name.deflate_opts.client_context_takeover -## -## Value: takeover | no_takeover -## listener.ws.external.deflate_opts.client_context_takeover = takeover + ## The deflate option for external MQTT/WebSocket connections. + ## + ## See: $name.deflate_opts.client_context_takeover + ## + ## Value: takeover | no_takeover + ## deflate_opts.client_context_takeover = takeover -## The deflate options for external MQTT/WebSocket connections. -## -## See: listener.ws.$name.deflate_opts.server_max_window_bits -## -## Valid range is 8-15 -## listener.ws.external.deflate_opts.server_max_window_bits = 15 + ## The deflate options for external MQTT/WebSocket connections. + ## + ## See: $name.deflate_opts.server_max_window_bits + ## + ## Valid range is 8-15 + ## deflate_opts.server_max_window_bits = 15 -## The deflate options for external MQTT/WebSocket connections. -## -## See: listener.ws.$name.deflate_opts.client_max_window_bits -## -## Valid range is 8-15 -## listener.ws.external.deflate_opts.client_max_window_bits = 15 + ## The deflate options for external MQTT/WebSocket connections. + ## + ## See: $name.deflate_opts.client_max_window_bits + ## + ## Valid range is 8-15 + ## deflate_opts.client_max_window_bits = 15 -## The idle timeout for external MQTT/WebSocket connections. 
-## -## See: listener.ws.$name.idle_timeout -## -## Value: Duration -## listener.ws.external.idle_timeout = 60s + ## The idle timeout for external MQTT/WebSocket connections. + ## + ## See: $name.idle_timeout + ## + ## Value: Duration + ## idle_timeout = 60s -## The max frame size for external MQTT/WebSocket connections. -## -## -## Value: Number -## listener.ws.external.max_frame_size = 0 + ## The max frame size for external MQTT/WebSocket connections. + ## + ## + ## Value: Number + ## max_frame_size = 0 -## Whether a WebSocket message is allowed to contain multiple MQTT packets -## -## Value: single | multiple -listener.ws.external.mqtt_piggyback = multiple + ## Whether a WebSocket message is allowed to contain multiple MQTT packets + ## + ## Value: single | multiple + mqtt_piggyback = multiple -## By default, EMQX web socket connection does not restrict connections to specific origins. -## It also, by default, does not enforce the presence of origin in request headers for WebSocket connections. -## Because of this, a malicious user could potentially hijack an existing web-socket connection to EMQX. + ## By default, EMQX web socket connection does not restrict connections to specific origins. + ## It also, by default, does not enforce the presence of origin in request headers for WebSocket connections. + ## Because of this, a malicious user could potentially hijack an existing web-socket connection to EMQX. -## To prevent this, users can set allowed origin headers in their ws connection to EMQX. -## WS configs are set in listener.ws.external.* -## WSS configs are set in listener.wss.external.* + ## To prevent this, users can set allowed origin headers in their ws connection to EMQX. + ## Example for WS connection + ## To enables origin check in header for websocket connnection, + ## set `check_origin_enable = true`. By default it is false, + ## When it is set to true and no origin is present in the header of a ws connection request, the request fails. 
-## Example for WS connection -## To enables origin check in header for websocket connnection, -## set `listener.ws.external.check_origin_enable = true`. By default it is false, -## When it is set to true and no origin is present in the header of a ws connection request, the request fails. + ## To allow origins to be absent in header in the websocket connection when check_origin_enable is true, + ## set `allow_origin_absence = true` -## To allow origins to be absent in header in the websocket connection when check_origin_enable is true, -## set `listener.ws.external.allow_origin_absence = true` + ## Enabling origin check implies there are specific valid origins allowed for ws connection. + ## To set the list of allowed origins in header for websocket connection + ## check_origins = http://localhost:18083(localhost dashboard url), http://yourapp.com` + ## check_origins config allows a comma separated list of origins so you can specify as many origins are you want. + ## With these configs, you can allow only connections from only authorized origins to your broker -## Enabling origin check implies there are specific valid origins allowed for ws connection. -## To set the list of allowed origins in header for websocket connection -## listener.ws.external.check_origins = http://localhost:18083(localhost dashboard url), http://yourapp.com` -## check_origins config allows a comma separated list of origins so you can specify as many origins are you want. 
-## With these configs, you can allow only connections from only authorized origins to your broker
+ ## Enable origin check in header for websocket connection
+ ##
+ ## Value: true | false (default false)
+ check_origin_enable = false
-## Enable origin check in header for websocket connection
-##
-## Value: true | false (default false)
-listener.ws.external.check_origin_enable = false
+ ## Allow origin to be absent in header in websocket connection when check_origin_enable is true
+ ##
+ ## Value: true | false (default true)
+ allow_origin_absence = true
-## Allow origin to be absent in header in websocket connection when check_origin_enable is true
-##
-## Value: true | false (default true)
-listener.ws.external.allow_origin_absence = true
-
-## Comma separated list of allowed origin in header for websocket connection
-##
-## Value: http://url eg. local http dashboard url - http://localhost:18083, http://127.0.0.1:18083
-listener.ws.external.check_origins = "http://localhost:18083, http://127.0.0.1:18083"
+ ## Comma separated list of allowed origin in header for websocket connection
+ ##
+ ## Value: http://url eg. local http dashboard url - http://localhost:18083, http://127.0.0.1:18083
+ check_origins = "http://localhost:18083, http://127.0.0.1:18083"
+}
 ##--------------------------------------------------------------------
 ## External WebSocket/SSL listener for MQTT Protocol
+listener.wss.external {
+ ## listener.wss.$name.endpoint is the IP address and port that the MQTT/WebSocket/SSL
+ ## listener will bind.
+ ##
+ ## Value: IP:Port | Port
+ ##
+ ## Examples: 8084, "127.0.0.1:8084", "::1:8084"
+ endpoint = 8084
-## listener.wss.$name.endpoint is the IP address and port that the MQTT/WebSocket/SSL
-## listener will bind.
-##
-## Value: IP:Port | Port
-##
-## Examples: 8084, "127.0.0.1:8084", "::1:8084"
-listener.wss.external.endpoint = 8084
+ ## The path of WebSocket MQTT endpoint
+ ##
+ ## Value: URL Path
+ mqtt_path = "/mqtt"
-## The path of WebSocket MQTT endpoint
-##
-## Value: URL Path
-listener.wss.external.mqtt_path = "/mqtt"
+ ## The acceptor pool for external MQTT/WebSocket/SSL listener.
+ ##
+ ## Value: Number
+ acceptors = 4
-## The acceptor pool for external MQTT/WebSocket/SSL listener.
-##
-## Value: Number
-listener.wss.external.acceptors = 4
+ ## Maximum number of concurrent MQTT/Webwocket/SSL connections.
+ ##
+ ## Value: Number
+ max_connections = 16
-## Maximum number of concurrent MQTT/Webwocket/SSL connections.
-##
-## Value: Number
-listener.wss.external.max_connections = 16
+ ## Maximum MQTT/WebSocket/SSL connections per second.
+ ##
+ ## See: listener.tcp.$name.max_conn_rate
+ ##
+ ## Value: Number
+ max_conn_rate = 1000
-## Maximum MQTT/WebSocket/SSL connections per second.
-##
-## See: listener.tcp.$name.max_conn_rate
-##
-## Value: Number
-listener.wss.external.max_conn_rate = 1000
+ ## Simulate the {active, N} option for the MQTT/WebSocket/SSL connections.
+ ##
+ ## Value: Number
+ active_n = 100
-## Simulate the {active, N} option for the MQTT/WebSocket/SSL connections.
-##
-## Value: Number
-listener.wss.external.active_n = 100
+ ## Zone of the external MQTT/WebSocket/SSL listener belonged to.
+ ##
+ ## Value: String
+ zone = external
-## Zone of the external MQTT/WebSocket/SSL listener belonged to.
-##
-## Value: String
-listener.wss.external.zone = external
+ ## The access control rules for the MQTT/WebSocket/SSL listener.
+ ##
+ ## See: listener.tcp.$name.access.
+ ##
+ ## Value: ACL Rule
+ access.1 = "allow all"
-## The access control rules for the MQTT/WebSocket/SSL listener.
-##
-## See: listener.tcp.$name.access.
-##
-## Value: ACL Rule
-listener.wss.external.access.1 = "allow all"
+ ## If set to true, the server fails if the client does not have a Sec-WebSocket-Protocol to send.
+ ## Set to false for WeChat MiniApp.
+ ##
+ ## Value: true | false
+ ## fail_if_no_subprotocol = true
-## If set to true, the server fails if the client does not have a Sec-WebSocket-Protocol to send.
-## Set to false for WeChat MiniApp.
-##
-## Value: true | false
-## listener.wss.external.fail_if_no_subprotocol = true
+ ## Supported subprotocols
+ ##
+ ## Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
+ ## supported_subprotocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
-## Supported subprotocols
-##
-## Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
-## listener.wss.external.supported_subprotocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
+ ## Specify which HTTP header for real source IP if the EMQ X cluster is
+ ## deployed behind NGINX or HAProxy.
+ ##
+ ## Default: X-Forwarded-For
+ ## proxy_address_header = X-Forwarded-For
-## Specify which HTTP header for real source IP if the EMQ X cluster is
-## deployed behind NGINX or HAProxy.
-##
-## Default: X-Forwarded-For
-## listener.wss.external.proxy_address_header = X-Forwarded-For
+ ## Specify which HTTP header for real source port if the EMQ X cluster is
+ ## deployed behind NGINX or HAProxy.
+ ##
+ ## Default: X-Forwarded-Port
+ ## proxy_port_header = X-Forwarded-Port
-## Specify which HTTP header for real source port if the EMQ X cluster is
-## deployed behind NGINX or HAProxy.
-##
-## Default: X-Forwarded-Port
-## listener.wss.external.proxy_port_header = X-Forwarded-Port
+ ## Enable the Proxy Protocol V1/2 support.
+ ##
+ ## See: listener.tcp.$name.proxy_protocol
+ ##
+ ## Value: on | off
+ ## proxy_protocol = on
-## Enable the Proxy Protocol V1/2 support.
-##
-## See: listener.tcp.$name.proxy_protocol
-##
-## Value: on | off
-## listener.wss.external.proxy_protocol = on
+ ## Sets the timeout for proxy protocol.
+ ##
+ ## See: listener.tcp.$name.proxy_protocol_timeout
+ ##
+ ## Value: Duration
+ ## proxy_protocol_timeout = 3s
-## Sets the timeout for proxy protocol.
-##
-## See: listener.tcp.$name.proxy_protocol_timeout
-##
-## Value: Duration
-## listener.wss.external.proxy_protocol_timeout = 3s
+ ## TLS versions only to protect from POODLE attack.
+ ##
+ ## See: listener.ssl.$name.tls_versions
+ ##
+ ## Value: String, seperated by ','
+ ## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
+ ## tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
-## TLS versions only to protect from POODLE attack.
-##
-## See: listener.ssl.$name.tls_versions
-##
-## Value: String, seperated by ','
-## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
-## listener.wss.external.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
+ ## Path to the file containing the user's private PEM-encoded key.
+ ##
+ ## See: listener.ssl.$name.keyfile
+ ##
+ ## Value: File
+ keyfile = "{{ platform_etc_dir }}/certs/key.pem"
-## Path to the file containing the user's private PEM-encoded key.
-##
-## See: listener.ssl.$name.keyfile
-##
-## Value: File
-listener.wss.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
+ ## Path to a file containing the user certificate.
+ ##
+ ## See: listener.ssl.$name.certfile
+ ##
+ ## Value: File
+ certfile = "{{ platform_etc_dir }}/certs/cert.pem"
-## Path to a file containing the user certificate.
-##
-## See: listener.ssl.$name.certfile
-##
-## Value: File
-listener.wss.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
+ ## Path to the file containing PEM-encoded CA certificates.
+ ##
+ ## See: listener.ssl.$name.cacert
+ ##
+ ## Value: File
+ ## cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
-## Path to the file containing PEM-encoded CA certificates.
-##
-## See: listener.ssl.$name.cacert
-##
-## Value: File
-## listener.wss.external.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
+ ## Maximum number of non-self-issued intermediate certificates that
+ ## can follow the peer certificate in a valid certification path.
+ ##
+ ## See: listener.ssl.external.depth
+ ##
+ ## Value: Number
+ ## depth = 10
-## Maximum number of non-self-issued intermediate certificates that
-## can follow the peer certificate in a valid certification path.
-##
-## See: listener.ssl.external.depth
-##
-## Value: Number
-## listener.wss.external.depth = 10
+ ## String containing the user's password. Only used if the private keyfile
+ ## is password-protected.
+ ##
+ ## See: listener.ssl.$name.key_password
+ ##
+ ## Value: String
+ ## key_password = yourpass
-## String containing the user's password. Only used if the private keyfile
-## is password-protected.
-##
-## See: listener.ssl.$name.key_password
-##
-## Value: String
-## listener.wss.external.key_password = yourpass
+ ## See: listener.ssl.$name.dhfile
+ ##
+ ## Value: File
+ ## listener.ssl.external.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
-## See: listener.ssl.$name.dhfile
-##
-## Value: File
-## listener.ssl.external.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
+ ## See: listener.ssl.$name.verify
+ ##
+ ## Value: verify_peer | verify_none
+ ## verify = verify_peer
-## See: listener.ssl.$name.verify
-##
-## Value: verify_peer | verify_none
-## listener.wss.external.verify = verify_peer
+ ## See: listener.ssl.$name.fail_if_no_peer_cert
+ ##
+ ## Value: false | true
+ ## fail_if_no_peer_cert = true
-## See: listener.ssl.$name.fail_if_no_peer_cert
-##
-## Value: false | true
-## listener.wss.external.fail_if_no_peer_cert = true
+ ## See: listener.ssl.$name.ciphers
+ ##
+ ## Value: Ciphers
+ ciphers = 
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
-## See: listener.ssl.$name.ciphers
-##
-## Value: Ciphers
-listener.wss.external.ciphers = 
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
+ ## Ciphers for TLS PSK.
+ ## Note that 'ciphers' and 'psk_ciphers' cannot
+ ## be configured at the same time.
+ ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
+ ## psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
-## Ciphers for TLS PSK.
-## Note that 'listener.wss.external.ciphers' and 'listener.wss.external.psk_ciphers' cannot
-## be configured at the same time.
-## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-## listener.wss.external.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
+ ## See: listener.ssl.$name.secure_renegotiate
+ ##
+ ## Value: on | off
+ ## secure_renegotiate = off
-## See: listener.ssl.$name.secure_renegotiate
-##
-## Value: on | off
-## listener.wss.external.secure_renegotiate = off
+ ## See: listener.ssl.$name.reuse_sessions
+ ##
+ ## Value: on | off
+ ## reuse_sessions = on
-## See: listener.ssl.$name.reuse_sessions
-##
-## Value: on | off
-## listener.wss.external.reuse_sessions = on
+ ## See: listener.ssl.$name.honor_cipher_order
+ ##
+ ## Value: on | off
+ ## honor_cipher_order = on
-## See: listener.ssl.$name.honor_cipher_order
-##
-## Value: on | off
-## listener.wss.external.honor_cipher_order = on
+ ## See: listener.ssl.$name.peer_cert_as_username
+ ##
+ ## Value: cn | dn | crt | pem | md5
+ ## peer_cert_as_username = cn
-## See: listener.ssl.$name.peer_cert_as_username
-##
-## Value: cn | dn | crt | pem | md5
-## listener.wss.external.peer_cert_as_username = cn
+ ## See: listener.ssl.$name.peer_cert_as_clientid
+ ##
+ ## Value: cn | dn | crt | pem | md5
+ ## peer_cert_as_clientid = cn
-## See: listener.ssl.$name.peer_cert_as_clientid
-##
-## Value: cn | dn | crt | pem | md5
-## listener.wss.external.peer_cert_as_clientid = cn
+ ## TCP backlog for the WebSocket/SSL connection.
+ ##
+ ## See: listener.tcp.$name.backlog
+ ##
+ ## Value: Number >= 0
+ backlog = 1024
-## TCP backlog for the WebSocket/SSL connection.
-##
-## See: listener.tcp.$name.backlog
-##
-## Value: Number >= 0
-listener.wss.external.backlog = 1024
+ ## The TCP send timeout for the WebSocket/SSL connection.
+ ##
+ ## See: listener.tcp.$name.send_timeout
+ ##
+ ## Value: Duration
+ send_timeout = 15s
-## The TCP send timeout for the WebSocket/SSL connection.
-##
-## See: listener.tcp.$name.send_timeout
-##
-## Value: Duration
-listener.wss.external.send_timeout = 15s
+ ## Close the WebSocket/SSL connection if send timeout.
+ ##
+ ## See: listener.tcp.$name.send_timeout_close
+ ##
+ ## Value: on | off
+ send_timeout_close = on
-## Close the WebSocket/SSL connection if send timeout.
-##
-## See: listener.tcp.$name.send_timeout_close
-##
-## Value: on | off
-listener.wss.external.send_timeout_close = on
+ ## The TCP receive buffer(os kernel) for the WebSocket/SSL connections.
+ ##
+ ## See: listener.tcp.$name.recbuf
+ ##
+ ## Value: Bytes
+ ## recbuf = 4KB
-## The TCP receive buffer(os kernel) for the WebSocket/SSL connections.
-##
-## See: listener.tcp.$name.recbuf
-##
-## Value: Bytes
-## listener.wss.external.recbuf = 4KB
+ ## The TCP send buffer(os kernel) for the WebSocket/SSL connections.
+ ##
+ ## See: listener.tcp.$name.sndbuf
+ ##
+ ## Value: Bytes
+ ## sndbuf = 4KB
-## The TCP send buffer(os kernel) for the WebSocket/SSL connections.
-##
-## See: listener.tcp.$name.sndbuf
-##
-## Value: Bytes
-## listener.wss.external.sndbuf = 4KB
+ ## The size of the user-level software buffer used by the driver.
+ ##
+ ## See: listener.tcp.$name.buffer
+ ##
+ ## Value: Bytes
+ ## buffer = 4KB
-## The size of the user-level software buffer used by the driver.
-##
-## See: listener.tcp.$name.buffer
-##
-## Value: Bytes
-## listener.wss.external.buffer = 4KB
+ ## The TCP_NODELAY flag for WebSocket/SSL connections.
+ ##
+ ## See: listener.tcp.$name.nodelay
+ ##
+ ## Value: true | false
+ ## nodelay = true
-## The TCP_NODELAY flag for WebSocket/SSL connections.
-##
-## See: listener.tcp.$name.nodelay
-##
-## Value: true | false
-## listener.wss.external.nodelay = true
+ ## The compress flag for external WebSocket/SSL connections.
+ ##
+ ## If this Value is set true,the websocket message would be compressed
+ ##
+ ## Value: true | false
+ ## compress = true
-## The compress flag for external WebSocket/SSL connections.
-##
-## If this Value is set true,the websocket message would be compressed
-##
-## Value: true | false
-## listener.wss.external.compress = true
+ ## The level of deflate options for external WebSocket/SSL connections.
+ ##
+ ## See: listener.wss.$name.deflate_opts.level
+ ##
+ ## Value: none | default | best_compression | best_speed
+ ## deflate_opts.level = default
-## The level of deflate options for external WebSocket/SSL connections.
-##
-## See: listener.wss.$name.deflate_opts.level
-##
-## Value: none | default | best_compression | best_speed
-## listener.wss.external.deflate_opts.level = default
+ ## The mem_level of deflate options for external WebSocket/SSL connections.
+ ##
+ ## See: listener.wss.$name.deflate_opts.mem_level
+ ##
+ ## Valid range is 1-9
+ ## deflate_opts.mem_level = 8
-## The mem_level of deflate options for external WebSocket/SSL connections.
-##
-## See: listener.wss.$name.deflate_opts.mem_level
-##
-## Valid range is 1-9
-## listener.wss.external.deflate_opts.mem_level = 8
+ ## The strategy of deflate options for external WebSocket/SSL connections.
+ ##
+ ## See: listener.wss.$name.deflate_opts.strategy
+ ##
+ ## Value: default | filtered | huffman_only | rle
+ ## deflate_opts.strategy = default
-## The strategy of deflate options for external WebSocket/SSL connections.
-##
-## See: listener.wss.$name.deflate_opts.strategy
-##
-## Value: default | filtered | huffman_only | rle
-## listener.wss.external.deflate_opts.strategy = default
+ ## The deflate option for external WebSocket/SSL connections.
+ ##
+ ## See: listener.wss.$name.deflate_opts.server_context_takeover
+ ##
+ ## Value: takeover | no_takeover
+ ## deflate_opts.server_context_takeover = takeover
-## The deflate option for external WebSocket/SSL connections.
-##
-## See: listener.wss.$name.deflate_opts.server_context_takeover
-##
-## Value: takeover | no_takeover
-## listener.wss.external.deflate_opts.server_context_takeover = takeover
+ ## The deflate option for external WebSocket/SSL connections.
+ ##
+ ## See: listener.wss.$name.deflate_opts.client_context_takeover
+ ##
+ ## Value: takeover | no_takeover
+ ## deflate_opts.client_context_takeover = takeover
-## The deflate option for external WebSocket/SSL connections.
-##
-## See: listener.wss.$name.deflate_opts.client_context_takeover
-##
-## Value: takeover | no_takeover
-## listener.wss.external.deflate_opts.client_context_takeover = takeover
+ ## The deflate options for external WebSocket/SSL connections.
+ ##
+ ## See: listener.wss.$name.deflate_opts.server_max_window_bits
+ ##
+ ## Valid range is 8-15
+ ## deflate_opts.server_max_window_bits = 15
-## The deflate options for external WebSocket/SSL connections.
-##
-## See: listener.wss.$name.deflate_opts.server_max_window_bits
-##
-## Valid range is 8-15
-## listener.wss.external.deflate_opts.server_max_window_bits = 15
+ ## The deflate options for external WebSocket/SSL connections.
+ ##
+ ## See: listener.wss.$name.deflate_opts.client_max_window_bits
+ ##
+ ## Valid range is 8-15
+ ## deflate_opts.client_max_window_bits = 15
-## The deflate options for external WebSocket/SSL connections.
-##
-## See: listener.wss.$name.deflate_opts.client_max_window_bits
-##
-## Valid range is 8-15
-## listener.wss.external.deflate_opts.client_max_window_bits = 15
+ ## The idle timeout for external WebSocket/SSL connections.
+ ##
+ ## See: listener.wss.$name.idle_timeout
+ ##
+ ## Value: Duration
+ ## idle_timeout = 60s
-## The idle timeout for external WebSocket/SSL connections.
-##
-## See: listener.wss.$name.idle_timeout
-##
-## Value: Duration
-## listener.wss.external.idle_timeout = 60s
-
-## The max frame size for external WebSocket/SSL connections.
-##
-## Value: Number
-## listener.wss.external.max_frame_size = 0
-
-## Whether a WebSocket message is allowed to contain multiple MQTT packets
-##
-## Value: single | multiple
-listener.wss.external.mqtt_piggyback = multiple
-## Enable origin check in header for secure websocket connection
-##
-## Value: true | false (default false)
-listener.wss.external.check_origin_enable = false
-## Allow origin to be absent in header in secure websocket connection when check_origin_enable is true
-##
-## Value: true | false (default true)
-listener.wss.external.allow_origin_absence = true
-## Comma separated list of allowed origin in header for secure websocket connection
-##
-## Value: http://url eg. https://localhost:8084, https://127.0.0.1:8084
-listener.wss.external.check_origins = "https://localhost:8084, https://127.0.0.1:8084"
+ ## The max frame size for external WebSocket/SSL connections.
+ ##
+ ## Value: Number
+ ## max_frame_size = 0
+ ## Whether a WebSocket message is allowed to contain multiple MQTT packets
+ ##
+ ## Value: single | multiple
+ mqtt_piggyback = multiple
+ ## Enable origin check in header for secure websocket connection
+ ##
+ ## Value: true | false (default false)
+ check_origin_enable = false
+ ## Allow origin to be absent in header in secure websocket connection when check_origin_enable is true
+ ##
+ ## Value: true | false (default true)
+ allow_origin_absence = true
+ ## Comma separated list of allowed origin in header for secure websocket connection
+ ##
+ ## Value: http://url eg. https://localhost:8084, https://127.0.0.1:8084
+ check_origins = "https://localhost:8084, https://127.0.0.1:8084"
+}
 ##--------------------------------------------------------------------
 ## External QUIC listener for MQTT Protocol
-## listener.quic.$name.endpoint is the IP address and port that the MQTT/QUIC
-## listener will bind.
-##
-## Value: IP:Port | Port
-##
-## Examples: 14567, 127.0.0.1:14567, ::1:14567
-listener.quic.external.endpoint = 14567
+listener.quic.external {
+ ## listener.quic.$name.endpoint is the IP address and port that the MQTT/QUIC
+ ## listener will bind.
+ ##
+ ## Value: IP:Port | Port
+ ##
+ ## Examples: 14567, 127.0.0.1:14567, ::1:14567
+ endpoint = 14567
-## The acceptor pool for external MQTT/QUIC listener.
-##
-## Value: Number
-listener.quic.external.acceptors = 4
+ ## The acceptor pool for external MQTT/QUIC listener.
+ ##
+ ## Value: Number
+ acceptors = 4
-## Maximum number of concurrent MQTT/Webwocket/SSL connections.
-##
-## Value: Number
-listener.quic.external.max_connections = 16
+ ## Maximum number of concurrent MQTT/Webwocket/SSL connections.
+ ##
+ ## Value: Number
+ max_connections = 16
-## Maximum MQTT/QUIC connections per second.
-##
-## See: listener.tcp.$name.max_conn_rate
-##
-## Value: Number
-listener.quic.external.max_conn_rate = 1000
+ ## Maximum MQTT/QUIC connections per second.
+ ##
+ ## See: listener.tcp.$name.max_conn_rate
+ ##
+ ## Value: Number
+ max_conn_rate = 1000
-## Simulate the {active, N} option for the MQTT/QUIC connections.
-## @todo
-## Value: Number
-## listener.quic.external.active_n = 100
+ ## Simulate the {active, N} option for the MQTT/QUIC connections.
+ ## @todo
+ ## Value: Number
+ ## active_n = 100
-## Zone of the external MQTT/QUIC listener belonged to.
-##
-## Value: String
-listener.quic.external.zone = external
+ ## Zone of the external MQTT/QUIC listener belonged to.
+ ##
+ ## Value: String
+ zone = external
-## Path to the file containing the user's private PEM-encoded key.
-##
-## See: listener.ssl.$name.keyfile
-##
-## Value: File
-listener.quic.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
+ ## Path to the file containing the user's private PEM-encoded key.
+ ##
+ ## See: listener.ssl.$name.keyfile
+ ##
+ ## Value: File
+ keyfile = "{{ platform_etc_dir }}/certs/key.pem"
-## Path to a file containing the user certificate.
-##
-## See: listener.ssl.$name.certfile
-##
-## Value: File
-listener.quic.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
+ ## Path to a file containing the user certificate.
+ ##
+ ## See: listener.ssl.$name.certfile
+ ##
+ ## Value: File
+ certfile = "{{ platform_etc_dir }}/certs/cert.pem"
-## Path to the file containing PEM-encoded CA certificates.
-## @todo
-## See: listener.ssl.$name.cacert
-##
-## Value: File
-## listener.quic.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+ ## Path to the file containing PEM-encoded CA certificates.
+ ## @todo
+ ## See: listener.ssl.$name.cacert
+ ##
+ ## Value: File
+ ## cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
-## String containing the user's password. Only used if the private keyfile
-## is password-protected.
-## @todo
-## See: listener.ssl.$name.key_password
-##
-## Value: String
-## listener.quic.external.key_password = yourpass
+ ## String containing the user's password. Only used if the private keyfile
+ ## is password-protected.
+ ## @todo
+ ## See: listener.ssl.$name.key_password
+ ##
+ ## Value: String
+ ## key_password = yourpass
-## See: listener.ssl.$name.verify
-## @todo
-## Value: verify_peer | verify_none
-## listener.quic.external.verify = verify_peer
+ ## See: listener.ssl.$name.verify
+ ## @todo
+ ## Value: verify_peer | verify_none
+ ## verify = verify_peer
-## See: listener.ssl.$name.fail_if_no_peer_cert
-## @todo
-## Value: false | true
-## listener.quic.external.fail_if_no_peer_cert = true
+ ## See: listener.ssl.$name.fail_if_no_peer_cert
+ ## @todo
+ ## Value: false | true
+ ## fail_if_no_peer_cert = true
-## See: listener.ssl.$name.ciphers
-## @todo
-## Value: Ciphers
-listener.quic.external.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"
+ ## See: listener.ssl.$name.ciphers
+ ## @todo
+ ## Value: Ciphers
+ ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"
-## Ciphers for TLS PSK.
-## @todo
-## Note that 'listener.quic.external.ciphers' and 'listener.quic.external.psk_ciphers' cannot
-## be configured at the same time.
-## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-## listener.quic.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+ ## Ciphers for TLS PSK.
+ ## @todo
+ ## Note that 'ciphers' and 'psk_ciphers' cannot
+ ## be configured at the same time.
+ ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
+ ## psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
-## See: listener.ssl.$name.honor_cipher_order
-## @todo
-## Value: on | off
-## listener.quic.external.honor_cipher_order = on
+ ## See: listener.ssl.$name.honor_cipher_order
+ ## @todo
+ ## Value: on | off
+ ## honor_cipher_order = on
-## The send timeout for the QUIC stream.
-## @todo
-##
-## Value: Duration
-# listener.quic.external.send_timeout = 15s
+ ## The send timeout for the QUIC stream.
+ ## @todo
+ ##
+ ## Value: Duration
+ # send_timeout = 15s
-## Close the QUIC connection if send timeout.
-## @todo
-## See: listener.tcp.$name.send_timeout_close
-##
-## Value: on | off
-## listener.quic.external.send_timeout_close = on
+ ## Close the QUIC connection if send timeout.
+ ## @todo
+ ## See: listener.tcp.$name.send_timeout_close
+ ##
+ ## Value: on | off
+ ## send_timeout_close = on
-## The receive buffer for the QUIC connections.
-## @todo
-## See: listener.tcp.$name.recbuf
-##
-## Value: Bytes
-## listener.quic.external.recbuf = 4KB
+ ## The receive buffer for the QUIC connections.
+ ## @todo
+ ## See: listener.tcp.$name.recbuf
+ ##
+ ## Value: Bytes
+ ## recbuf = 4KB
-## The TCP send buffer(os kernel) for the QUIC connections.
-## @todo
-## See: listener.tcp.$name.sndbuf
-##
-## Value: Bytes
-## listener.quic.external.sndbuf = 4KB
+ ## The TCP send buffer(os kernel) for the QUIC connections.
+ ## @todo
+ ## See: listener.tcp.$name.sndbuf
+ ##
+ ## Value: Bytes
+ ## sndbuf = 4KB
-## The size of the user-level software buffer used by the driver.
-## @todo
-## See: listener.tcp.$name.buffer
-##
-## Value: Bytes
-## listener.quic.external.buffer = 4KB
+ ## The size of the user-level software buffer used by the driver.
+ ## @todo
+ ## See: listener.tcp.$name.buffer
+ ##
+ ## Value: Bytes
+ ## buffer = 4KB
-## The idle timeout for external QUIC connections.
-## @todo
-## See: listener.quic.$name.idle_timeout
-##
-## Value: Duration
-## listener.quic.external.idle_timeout = 60s
+ ## The idle timeout for external QUIC connections.
+ ## @todo
+ ## See: listener.quic.$name.idle_timeout
+ ##
+ ## Value: Duration
+ ## idle_timeout = 60s
-## The max frame size for external QUIC connections.
-## @todo
-## Value: Number
-## listener.quic.external.max_frame_size = 0
-
-## CONFIG_SECTION_END=listeners ================================================
+ ## The max frame size for external QUIC connections.
+ ## @todo
+ ## Value: Number
+ ## max_frame_size = 0
+}
 ## CONFIG_SECTION_BGN=modules ==================================================