feature(project): add etc/emqx.d

.gitignore

@@ -12,32 +12,23 @@ ebin
 test/ebin/*.beam
 .exrc
 plugins/*/ebin
-log/
 *.swp
 *.so
 .erlang.mk/
 cover/
-emqx.d
 eunit.coverdata
 test/ct.cover.spec
-logs
 ct.coverdata
 .idea/
-emqx.iml
-_rel/
 data/
 _build
 .rebar3
 rebar3.crashdump
 .DS_Store
-emqx.iml
-bbmustache/
 etc/gen.emqx.conf
 compile_commands.json
 cuttlefish
-rebar.lock
 xrefr
-erlang.mk
 *.coverdata
 etc/emqx.conf.rendered
 Mnesia.*/

etc/emqx.d/acl.conf

@@ -0,0 +1,26 @@
+%%--------------------------------------------------------------------
+%% [ACL](https://docs.emqx.io/broker/v3/en/config.html)
+%%
+%% -type(who() :: all | binary() |
+%%                {ipaddr, esockd_access:cidr()} |
+%%                {client, binary()} |
+%%                {user, binary()}).
+%%
+%% -type(access() :: subscribe | publish | pubsub).
+%%
+%% -type(topic() :: binary()).
+%%
+%% -type(rule() :: {allow, all} |
+%%                 {allow, who(), access(), list(topic())} |
+%%                 {deny, all} |
+%%                 {deny, who(), access(), list(topic())}).
+%%--------------------------------------------------------------------
+
+{allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}.
+
+{allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}.
+
+{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
+
+{allow, all}.
+

etc/emqx.d/emqx_auth_clientid.conf

@@ -0,0 +1,18 @@
+##--------------------------------------------------------------------
+## ClientId Authentication Plugin
+##--------------------------------------------------------------------
+
+## Examples
+##auth.client.1.clientid = id
+##auth.client.1.password = passwd
+##auth.client.2.clientid = dev:devid
+##auth.client.2.password = passwd2
+##auth.client.3.clientid = app:appid
+##auth.client.3.password = passwd3
+##auth.client.4.clientid = client~!@#$%^&*()_+
+##auth.client.4.password = passwd~!@#$%^&*()_+
+
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256
+auth.client.password_hash = sha256

etc/emqx.d/emqx_auth_http.conf

@@ -0,0 +1,162 @@
+##--------------------------------------------------------------------
+## HTTP Auth/ACL Plugin
+##--------------------------------------------------------------------
+
+##--------------------------------------------------------------------
+## Authentication request.
+
+## HTTP URL API path for authentication request
+##
+## Value: URL
+##
+## Examples: http://127.0.0.1:8991/mqtt/auth, https://[::1]:8991/mqtt/auth
+auth.http.auth_req = http://127.0.0.1:8991/mqtt/auth
+
+## Value: post | get
+auth.http.auth_req.method = post
+
+## It only works when method=post
+## Value: json | x-www-form-urlencoded
+auth.http.auth_req.content_type = x-www-form-urlencoded
+
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %P: password
+##  - %p: sockport of server accepted
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+## Value: Params
+auth.http.auth_req.params = clientid=%c,username=%u,password=%P
+
+##--------------------------------------------------------------------
+## Superuser request.
+
+## HTTP URL API path for Superuser request
+##
+## Value: URL
+##
+## Examples: http://127.0.0.1:8991/mqtt/superuser, https://[::1]:8991/mqtt/superuser
+#auth.http.super_req = http://127.0.0.1:8991/mqtt/superuser
+
+## Value: post | get
+#auth.http.super_req.method = post
+
+## It only works when method=pos
+## Value: json | x-www-form-urlencoded
+#auth.http.super_req.content_type = x-www-form-urlencoded
+
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %P: password
+##  - %p: sockport of server accepted
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+## Value: Params
+#auth.http.super_req.params = clientid=%c,username=%u
+
+##--------------------------------------------------------------------
+## ACL request.
+
+## HTTP URL API path for ACL request
+##
+## Value: URL
+##
+## Examples: http://127.0.0.1:8991/mqtt/acl, https://[::1]:8991/mqtt/acl
+auth.http.acl_req = http://127.0.0.1:8991/mqtt/acl
+
+## Value: post | get
+auth.http.acl_req.method = get
+
+## It only works when method=post
+## Value: json | x-www-form-urlencoded
+auth.http.acl_req.content_type = x-www-form-urlencoded
+
+## Variables:
+##  - %A: 1 | 2, 1 = sub, 2 = pub
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %m: mountpoint
+##  - %t: topic
+##
+## Value: Params
+auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m
+
+##------------------------------------------------------------------------------
+## Http Reqeust options
+
+## Time-out time for the http request, 0 is never timeout.
+##
+## Value: Duration
+## -h: hour, e.g. '2h' for 2 hours
+## -m: minute, e.g. '5m' for 5 minutes
+## -s: second, e.g. '30s' for 30 seconds
+##
+## Default: 0
+## auth.http.request.timeout = 0
+
+## Connection time-out time, used during the initial request
+## when the client is connecting to the server
+##
+## Value: Duration
+##
+## Default is same with the timeout option
+## auth.http.request.connect_timeout = 0
+
+## Re-send http reuqest times
+##
+## Value: integer
+##
+## Default: 3
+auth.http.request.retry_times = 3
+
+## The interval for re-sending the http request
+##
+## Value: Duration
+##
+## Default: 1s
+auth.http.request.retry_interval = 1s
+
+## The 'Exponential Backoff' mechanism for re-sending request. The actually
+## re-send time interval is `interval * backoff ^ times`
+##
+## Value: float
+##
+## Default: 2.0
+auth.http.request.retry_backoff = 2.0
+
+##------------------------------------------------------------------------------
+## SSL options
+
+## Path to the file containing PEM-encoded CA certificates. The CA certificates
+## are used during server authentication and when building the client certificate chain.
+##
+## Value: File
+## auth.http.ssl.cacertfile = {{ platform_etc_dir }}/certs/ca.pem
+
+## The path to a file containing the client's certificate.
+##
+## Value: File
+## auth.http.ssl.certfile = {{ platform_etc_dir }}/certs/client-cert.pem
+
+## Path to a file containing the client's private PEM-encoded key.
+##
+## Value: File
+## auth.http.ssl.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
+
+##--------------------------------------------------------------------
+## HTTP Request Headers
+##
+## Example: auth.http.header.Accept-Encoding = *
+##
+## Value: String
+## auth.http.header.Accept = */*

etc/emqx.d/emqx_auth_jwt.conf

@@ -0,0 +1,39 @@
+##--------------------------------------------------------------------
+## JWT Auth Plugin
+##--------------------------------------------------------------------
+
+## HMAC Hash Secret.
+##
+## Value: String
+auth.jwt.secret = emqxsecret
+
+## From where the JWT string can be got
+##
+## Value: username | password
+## Default: password
+auth.jwt.from = password
+
+## RSA or ECDSA public key file.
+##
+## Value: File
+## auth.jwt.pubkey = etc/certs/jwt_public_key.pem
+
+## Enable to verify claims fields
+##
+## Value: on | off
+auth.jwt.verify_claims = off
+
+## The checklist of claims to validate
+##
+## Value: String
+## auth.jwt.verify_claims.$name = expected
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+# auth.jwt.verify_claims.username = %u
+
+## The Signature format
+##   - `der`: The erlang default format
+##   - `raw`: Compatible with others platform maybe
+#auth.jwt.signature_format = der

etc/emqx.d/emqx_auth_mnesia.conf

@@ -0,0 +1,20 @@
+## Examples:
+##auth.mnesia.1.login = admin
+##auth.mnesia.1.password = public
+##auth.mnesia.1.is_superuser = true
+##auth.mnesia.2.login = feng@emqtt.io
+##auth.mnesia.2.password = public
+##auth.mnesia.2.is_superuser = false
+##auth.mnesia.3.login = name~!@#$%^&*()_+
+##auth.mnesia.3.password = pwsswd~!@#$%^&*()_+
+##auth.mnesia.3.is_superuser = false
+
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256 
+auth.mnesia.password_hash = sha256
+
+## Auth as username or auth as clientid.
+##
+## Value: username | clientid
+auth.mnesia.as = username

etc/emqx.d/emqx_auth_mysql.conf

@@ -0,0 +1,116 @@
+##--------------------------------------------------------------------
+## MySQL Auth/ACL Plugin
+##--------------------------------------------------------------------
+
+## MySQL server address.
+##
+## Value: Port | IP:Port
+##
+## Examples: 3306, 127.0.0.1:3306, localhost:3306
+auth.mysql.server = 127.0.0.1:3306
+
+## MySQL pool size.
+##
+## Value: Number
+auth.mysql.pool = 8
+
+## MySQL username.
+##
+## Value: String
+## auth.mysql.username =
+
+## MySQL password.
+##
+## Value: String
+## auth.mysql.password =
+
+## MySQL database.
+##
+## Value: String
+auth.mysql.database = mqtt
+
+## MySQL query timeout
+##
+## Value: Duration
+## auth.mysql.query_timeout = 5s
+
+## Variables: %u = username, %c = clientid
+
+## Authentication query.
+##
+## Note that column names should be 'password' and 'salt' (if used).
+## In case column names differ in your DB - please use aliases,
+## e.g. "my_column_name as password".
+##
+## Value: SQL
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+auth.mysql.auth_query = select password from mqtt_user where username = '%u' limit 1
+## auth.mysql.auth_query = select password_hash as password from mqtt_user where username = '%u' limit 1
+
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256 | bcrypt
+auth.mysql.password_hash = sha256
+
+## sha256 with salt prefix
+## auth.mysql.password_hash = salt,sha256
+
+## bcrypt with salt only prefix
+## auth.mysql.password_hash = salt,bcrypt
+
+## sha256 with salt suffix
+## auth.mysql.password_hash = sha256,salt
+
+## pbkdf2 with macfun iterations dklen
+## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
+## auth.mysql.password_hash = pbkdf2,sha256,1000,20
+
+## Superuser query.
+##
+## Value: SQL
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+auth.mysql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1
+
+## ACL query.
+##
+## Value: SQL
+##
+## Variables:
+##  - %a: ipaddr
+##  - %u: username
+##  - %c: clientid
+##
+## Note: You can add the 'ORDER BY' statement to control the rules match order
+auth.mysql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
+
+## Mysql ssl configuration.
+##
+## Value: on | off
+auth.mysql.ssl = off
+
+## CA certificate.
+##
+## Value: File
+## auth.mysql.ssl.cafile  = path to your ca file
+
+## Client ssl certificate.
+##
+## Value: File
+## auth.mysql.ssl.certfile = path to your clientcert file
+
+## Client ssl keyfile.
+##
+## Value: File
+## auth.mysql.ssl.keyfile = path to your clientkey file

etc/emqx.d/emqx_auth_username.conf

@@ -0,0 +1,16 @@
+##--------------------------------------------------------------------
+## Username Authentication Plugin
+##--------------------------------------------------------------------
+
+## Examples:
+##auth.user.1.username = admin
+##auth.user.1.password = public
+##auth.user.2.username = feng@emqtt.io
+##auth.user.2.password = public
+##auth.user.3.username = name~!@#$%^&*()_+
+##auth.user.3.password = pwsswd~!@#$%^&*()_+
+
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256 
+auth.user.password_hash = sha256

etc/emqx.d/emqx_bridge_mqtt.conf

@@ -0,0 +1,172 @@
+##====================================================================
+## Configuration for EMQ X MQTT Broker Bridge
+##====================================================================
+
+##--------------------------------------------------------------------
+## Bridges to aws
+##--------------------------------------------------------------------
+
+## Bridge address: node name for local bridge, host:port for remote.
+##
+## Value: String
+## Example: emqx@127.0.0.1,  127.0.0.1:1883
+bridge.mqtt.aws.address = 127.0.0.1:1883
+
+## Protocol version of the bridge.
+##
+## Value: Enum
+## - mqttv5
+## - mqttv4
+## - mqttv3
+bridge.mqtt.aws.proto_ver = mqttv4
+
+## Start type of the bridge.
+##
+## Value: enum
+## manual
+## auto
+bridge.mqtt.aws.start_type = manual
+
+## Whether to enable bridge mode for mqtt bridge
+##
+## This option is prepared for the mqtt broker which does not
+## support bridge_mode such as the mqtt-plugin of the rabbitmq
+##
+## Value: boolean
+#bridge.mqtt.aws.bridge_mode = false
+
+## The ClientId of a remote bridge.
+##
+## Placeholders:
+##  ${node}: Node name
+##
+## Value: String
+bridge.mqtt.aws.clientid = bridge_aws
+
+## The Clean start flag of a remote bridge.
+##
+## Value: boolean
+## Default: true
+##
+## NOTE: Some IoT platforms require clean_start
+##       must be set to 'true'
+bridge.mqtt.aws.clean_start = true
+
+## The username for a remote bridge.
+##
+## Value: String
+bridge.mqtt.aws.username = user
+
+## The password for a remote bridge.
+##
+## Value: String
+bridge.mqtt.aws.password = passwd
+
+## Topics that need to be forward to AWS IoTHUB
+##
+## Value: String
+## Example: topic1/#,topic2/#
+bridge.mqtt.aws.forwards = topic1/#,topic2/#
+
+## Forward messages to the mountpoint of an AWS IoTHUB
+##
+## Value: String
+bridge.mqtt.aws.forward_mountpoint = bridge/aws/${node}/
+
+## Need to subscribe to AWS topics
+##
+## Value: String
+## bridge.mqtt.aws.subscription.1.topic = cmd/topic1
+
+## Need to subscribe to AWS topics QoS.
+##
+## Value: Number
+## bridge.mqtt.aws.subscription.1.qos = 1
+
+## A mountpoint that receives messages from AWS IoTHUB
+##
+## Value: String
+## bridge.mqtt.aws.receive_mountpoint = receive/aws/
+
+
+## Bribge to remote server via SSL.
+##
+## Value: on | off
+bridge.mqtt.aws.ssl = off
+
+## PEM-encoded CA certificates of the bridge.
+##
+## Value: File
+bridge.mqtt.aws.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+
+## Client SSL Certfile of the bridge.
+##
+## Value: File
+bridge.mqtt.aws.certfile = {{ platform_etc_dir }}/certs/client-cert.pem
+
+## Client SSL Keyfile of the bridge.
+##
+## Value: File
+bridge.mqtt.aws.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
+
+## SSL Ciphers used by the bridge.
+##
+## Value: String
+bridge.mqtt.aws.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+
+## Ciphers for TLS PSK.
+## Note that 'bridge.${BridgeName}.ciphers' and 'bridge.${BridgeName}.psk_ciphers' cannot
+## be configured at the same time.
+## See 'https://tools.ietf.org/html/rfc4279#section-2'.
+#bridge.mqtt.aws.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+
+## Ping interval of a down bridge.
+##
+## Value: Duration
+## Default: 10 seconds
+bridge.mqtt.aws.keepalive = 60s
+
+## TLS versions used by the bridge.
+##
+## Value: String
+bridge.mqtt.aws.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+
+## Bridge reconnect time.
+##
+## Value: Duration
+## Default: 30 seconds
+bridge.mqtt.aws.reconnect_interval = 30s
+
+## Retry interval for bridge QoS1 message delivering.
+##
+## Value: Duration
+bridge.mqtt.aws.retry_interval = 20s
+
+## Publish messages in batches, only RPC Bridge supports
+##
+## Value: Integer
+## default: 32
+bridge.mqtt.aws.batch_size = 32
+
+## Inflight size.
+##
+## Value: Integer
+bridge.mqtt.aws.max_inflight_size = 32
+
+## Base directory for replayq to store messages on disk
+## If this config entry is missing or set to undefined,
+## replayq works in a mem-only manner.
+##
+## Value: String
+bridge.mqtt.aws.queue.replayq_dir = {{ platform_data_dir }}/replayq/emqx_aws_bridge/
+
+## Replayq segment size
+##
+## Value: Bytesize
+bridge.mqtt.aws.queue.replayq_seg_bytes = 10MB
+
+## Replayq max total size
+##
+## Value: Bytesize
+bridge.mqtt.aws.queue.max_total_size = 5GB
+

etc/emqx.d/emqx_coap.conf

@@ -0,0 +1,82 @@
+##--------------------------------------------------------------------
+## CoAP Gateway
+##--------------------------------------------------------------------
+
+## The IP and UDP port that CoAP bind with.
+##
+## Default: 0.0.0.0:5683
+##
+## Examples:
+##    coap.bind.udp.x = 0.0.0.0:5683 | :::5683 | 127.0.0.1:5683 | ::1:5683
+##
+coap.bind.udp.1 = 0.0.0.0:5683
+##coap.bind.udp.2 = 0.0.0.0:6683
+
+## Whether to enable statistics for CoAP clients.
+##
+## Value: on | off
+coap.enable_stats = off
+
+
+##------------------------------------------------------------------------------
+## DTLS options
+
+## The DTLS port that CoAP is listening on.
+##
+## Default: 0.0.0.0:5684
+##
+## Examples:
+##    coap.bind.dtls.x = 0.0.0.0:5684 | :::5684 | 127.0.0.1:5684 | ::1:5684
+##
+coap.bind.dtls.1 = 0.0.0.0:5684
+##coap.bind.dtls.2 = 0.0.0.0:6684
+
+## A server only does x509-path validation in mode verify_peer,
+## as it then sends a certificate request to the client (this
+## message is not sent if the verify option is verify_none).
+## You can then also want to specify option fail_if_no_peer_cert.
+## More information at: http://erlang.org/doc/man/ssl.html
+##
+## Value: verify_peer | verify_none
+## coap.dtls.verify = verify_peer
+
+## Private key file for DTLS
+##
+## Value: File
+coap.dtls.keyfile = {{ platform_etc_dir }}/certs/key.pem
+
+## Server certificate for DTLS.
+##
+## Value: File
+coap.dtls.certfile = {{ platform_etc_dir }}/certs/cert.pem
+
+## PEM-encoded CA certificates for DTLS
+##
+## Value: File
+## coap.dtls.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+
+## Used together with {verify, verify_peer} by an SSL server. If set to true,
+## the server fails if the client does not have a certificate to send, that is,
+## sends an empty certificate.
+##
+## Value: true | false
+## coap.dtls.fail_if_no_peer_cert = false
+
+## This is the single most important configuration option of an Erlang SSL
+## application. Ciphers (and their ordering) define the way the client and
+## server encrypt information over the wire, from the initial Diffie-Helman
+## key exchange, the session key encryption ## algorithm and the message
+## digest algorithm. Selecting a good cipher suite is critical for the
+## application’s data security, confidentiality and performance.
+##
+## The cipher list above offers:
+##
+## A good balance between compatibility with older browsers.
+## It can get stricter for Machine-To-Machine scenarios.
+## Perfect Forward Secrecy.
+## No old/insecure encryption and HMAC algorithms
+##
+## Most of it was copied from Mozilla’s Server Side TLS article
+##
+## Value: Ciphers
+coap.dtls.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA

etc/emqx.d/emqx_dashboard.conf

@@ -0,0 +1,129 @@
+##--------------------------------------------------------------------
+## EMQ X Dashboard
+##--------------------------------------------------------------------
+
+## Default user's login name.
+##
+## Value: String
+dashboard.default_user.login = admin
+
+## Default user's password.
+##
+## Value: String
+dashboard.default_user.password = public
+
+##--------------------------------------------------------------------
+## HTTP Listener
+
+## The port that the Dashboard HTTP listener will bind.
+##
+## Value: Port
+##
+## Examples: 18083
+dashboard.listener.http = 18083
+
+## The acceptor pool for external Dashboard HTTP listener.
+##
+## Value: Number
+dashboard.listener.http.acceptors = 4
+
+## Maximum number of concurrent Dashboard HTTP connections.
+##
+## Value: Number
+dashboard.listener.http.max_clients = 512
+
+## Set up the socket for IPv6.
+##
+## Value: false | true
+dashboard.listener.http.inet6 = false
+
+## Listen on IPv4 and IPv6 (false) or only on IPv6 (true). Use with inet6.
+##
+## Value: false | true
+dashboard.listener.http.ipv6_v6only = false
+
+##--------------------------------------------------------------------
+## HTTPS Listener
+
+## The port that the Dashboard HTTPS listener will bind.
+##
+## Value: Port
+##
+## Examples: 18084
+## dashboard.listener.https = 18084
+
+## The acceptor pool for external Dashboard HTTPS listener.
+##
+## Value: Number
+## dashboard.listener.https.acceptors = 2
+
+## Maximum number of concurrent Dashboard HTTPS connections.
+##
+## Value: Number
+## dashboard.listener.https.max_clients = 512
+
+## Set up the socket for IPv6.
+##
+## Value: false | true
+## dashboard.listener.https.inet6 = false
+
+## Listen on IPv4 and IPv6 (false) or only on IPv6 (true). Use with inet6.
+##
+## Value: false | true
+## dashboard.listener.https.ipv6_v6only = false
+
+## Path to the file containing the user's private PEM-encoded key.
+##
+## Value: File
+## dashboard.listener.https.keyfile = etc/certs/key.pem
+
+## Path to a file containing the user certificate.
+##
+## Value: File
+## dashboard.listener.https.certfile = etc/certs/cert.pem
+
+## Path to the file containing PEM-encoded CA certificates.
+##
+## Value: File
+## dashboard.listener.https.cacertfile = etc/certs/cacert.pem
+
+## See: 'listener.ssl.<name>.dhfile' in emq.conf
+##
+## Value: File
+## dashboard.listener.https.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
+
+## See: 'listener.ssl.<name>.vefify' in emq.conf
+##
+## Value: vefify_peer | verify_none
+## dashboard.listener.https.verify = verify_peer
+
+## See: 'listener.ssl.<name>.fail_if_no_peer_cert' in emq.conf
+##
+## Value: false | true
+## dashboard.listener.https.fail_if_no_peer_cert = true
+
+## TLS versions only to protect from POODLE attack.
+##
+## Value: String, seperated by ','
+## dashboard.listener.https.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+
+## See: 'listener.ssl.<name>.ciphers' in emq.conf
+##
+## Value: Ciphers
+## dashboard.listener.https.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+
+## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
+##
+## Value: on | off
+## dashboard.listener.https.secure_renegotiate = off
+
+## See: 'listener.ssl.<name>.reuse_sessions' in emq.conf
+##
+## Value: on | off
+## dashboard.listener.https.reuse_sessions = on
+
+## See: 'listener.ssl.<name>.honor_cipher_order' in emq.conf
+##
+## Value: on | off
+## dashboard.listener.https.honor_cipher_order = on
+

etc/emqx.d/emqx_management.conf

@@ -0,0 +1,52 @@
+##--------------------------------------------------------------------
+## EMQ X Management Plugin
+##--------------------------------------------------------------------
+
+## Max Row Limit
+management.max_row_limit = 10000
+
+## Application default secret
+##
+## Value: String
+## management.application.default_secret = public
+
+## Default Application ID
+##
+## Value: String
+management.default_application.id = admin
+
+## Default Application Secret
+##
+## Value: String
+management.default_application.secret = public
+
+##--------------------------------------------------------------------
+## HTTP Listener
+
+management.listener.http = 8081
+management.listener.http.acceptors = 2
+management.listener.http.max_clients = 512
+management.listener.http.backlog = 512
+management.listener.http.send_timeout = 15s
+management.listener.http.send_timeout_close = on
+management.listener.http.inet6 = false
+management.listener.http.ipv6_v6only = false
+
+##--------------------------------------------------------------------
+## HTTPS Listener
+
+## management.listener.https = 8081
+## management.listener.https.acceptors = 2
+## management.listener.https.max_clients = 512
+## management.listener.https.backlog = 512
+## management.listener.https.send_timeout = 15s
+## management.listener.https.send_timeout_close = on
+## management.listener.https.certfile = etc/certs/cert.pem
+## management.listener.https.keyfile = etc/certs/key.pem
+## management.listener.https.cacertfile = etc/certs/cacert.pem
+## management.listener.https.verify = verify_peer
+## management.listener.https.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+## management.listener.https.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+## management.listener.https.fail_if_no_peer_cert = true
+## management.listener.https.inet6 = false
+## management.listener.https.ipv6_v6only = false

etc/emqx.d/emqx_recon.conf

@@ -0,0 +1,4 @@
+##--------------------------------------------------------------------
+## Recon Plugin
+##--------------------------------------------------------------------
+

etc/emqx.d/emqx_retainer.conf

@@ -0,0 +1,41 @@
+##--------------------------------------------------------------------
+## EMQ X Retainer
+##--------------------------------------------------------------------
+
+## Where to store the retained messages.
+##
+## Notice that all nodes in the same cluster have to be configured to
+## use the same storage_type.
+##
+## Value: ram | disc | disc_only
+##  - ram: memory only
+##  - disc: both memory and disc
+##  - disc_only: disc only
+##
+## Default: ram
+retainer.storage_type = ram
+
+## Maximum number of retained messages. 0 means no limit.
+##
+## Value: Number >= 0
+retainer.max_retained_messages = 0
+
+## Maximum retained message size.
+##
+## Value: Bytes
+retainer.max_payload_size = 1MB
+
+## Expiry interval of the retained messages. Never expire if the value is 0.
+##
+## Value: Duration
+##  - h: hour
+##  - m: minute
+##  - s: second
+##
+## Examples:
+##  - 2h:  2 hours
+##  - 30m: 30 minutes
+##  - 20s: 20 seconds
+##
+## Defaut: 0
+retainer.expiry_interval = 0

etc/emqx.d/emqx_rule_engine.conf

@@ -0,0 +1,42 @@
+##====================================================================
+## Rule Engine for EMQ X R4.0
+##====================================================================
+
+rule_engine.ignore_sys_message = on
+
+## Event Messages
+##
+## If enabled (on), rule engine publishes the event as an MQTT message
+## with topic='$events/<event-name>' on the occurrence of an emqx event.
+##
+## If disabled, rule engine stops publishing the event messages, but
+## the event message can still be processed by the rule SQL. e.g. rule SQL:
+##
+##   SELECT * FROM "$events/client_connected"
+##
+## will still work even if 'rule_engine.events.client_connected' is set to 'off'
+##
+## EMQ Event to event message mapping:
+##
+##   - client.connected      -> $events/client_connected
+##   - client.disconnected   -> $events/client_disconnected
+##   - session.subscribed    -> $events/session_subscribed
+##   - session.unsubscribed  -> $events/session_unsubscribed
+##   - message.delivered     -> $events/message_delivered
+##   - message.acked         -> $events/message_acked
+##   - message.dropped       -> $events/message_dropped
+##
+## Config Value Format: Toggle, QoS-Level
+##
+## Toggle: on/off
+##
+## QoS-Level: qos0/qos1/qos2
+
+#rule_engine.events.client_connected = on, qos1
+rule_engine.events.client_connected = off
+rule_engine.events.client_disconnected = off
+rule_engine.events.session_subscribed = off
+rule_engine.events.session_unsubscribed = off
+rule_engine.events.message_delivered = off
+rule_engine.events.message_acked = off
+rule_engine.events.message_dropped = off

etc/emqx.d/emqx_sn.conf

@@ -0,0 +1,53 @@
+##--------------------------------------------------------------------
+## MQTT-SN
+##--------------------------------------------------------------------
+
+## The UDP port which emq-sn is listening on.
+##
+## Value: IP:Port | Port
+##
+## Examples: 1884, 127.0.0.1:1884, ::1:1884
+mqtt.sn.port = 1884
+
+## The duration that emqx-sn broadcast ADVERTISE message through.
+##
+## Value: Duration
+mqtt.sn.advertise_duration = 15m
+
+## The MQTT-SN Gateway id in ADVERTISE message.
+##
+## Value: Number
+mqtt.sn.gateway_id = 1
+
+## To control whether write statistics data into ETS table for dashbord to read.
+##
+## Value: on | off
+mqtt.sn.enable_stats = off
+
+## To control whether accept and process the received publish message with qos=-1.
+##
+## Value: on | off
+mqtt.sn.enable_qos3 = off
+
+## MQTT SN idle timeout, specified in seconds.
+##
+## Value: Duration
+mqtt.sn.idle_timeout = 30s
+
+## The pre-defined topic name corresponding to the pre-defined topic id of N.
+## Note that the pre-defined topic id of 0 is reserved.
+mqtt.sn.predefined.topic.0 = reserved
+mqtt.sn.predefined.topic.1 = /predefined/topic/name/hello
+mqtt.sn.predefined.topic.2 = /predefined/topic/name/nice
+
+## Default username for MQTT-SN. This parameter is optional. If specified,
+## emq-sn will connect EMQ core with this username. It is useful if any auth
+## plug-in is enabled.
+##
+## Value: String
+mqtt.sn.username = mqtt_sn_user
+
+## This parameter is optional. Pair with username above.
+##
+## Value: String
+mqtt.sn.password = abc

etc/emqx.d/emqx_stomp.conf

@@ -0,0 +1,123 @@
+##--------------------------------------------------------------------
+## Stomp Plugin
+##--------------------------------------------------------------------
+
+##--------------------------------------------------------------------
+## Stomp listener
+
+## The Port that stomp listener will bind.
+##
+## Value: Port
+stomp.listener = 61613
+
+## The acceptor pool for stomp listener.
+##
+## Value: Number
+stomp.listener.acceptors = 4
+
+## Maximum number of concurrent stomp connections.
+##
+## Value: Number
+stomp.listener.max_connections = 512
+
+## Whether to enable SSL.
+##
+## Value: on | off
+## stomp.listener.ssl = off
+
+## Path to the file containing the user's private PEM-encoded key.
+##
+## Value: File
+## stomp.listener.keyfile = etc/certs/key.pem
+
+## Path to a file containing the user certificate.
+##
+## Value: File
+## stomp.listener.certfile = etc/certs/cert.pem
+
+## Path to the file containing PEM-encoded CA certificates.
+##
+## Value: File
+## stomp.listener.cacertfile = etc/certs/cacert.pem
+
+## See: 'listener.ssl.<name>.dhfile' in emq.conf
+##
+## Value: File
+## stomp.listener.dhfile = etc/certs/dh-params.pem
+
+## See: 'listener.ssl.<name>.vefify' in emq.conf
+##
+## Value: vefify_peer | verify_none
+## stomp.listener.verify = verify_peer
+
+## See: 'listener.ssl.<name>.fail_if_no_peer_cert' in emq.conf
+##
+## Value: false | true
+## stomp.listener.fail_if_no_peer_cert = true
+
+## TLS versions only to protect from POODLE attack.
+##
+## Value: String, seperated by ','
+## stomp.listener.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+
+## SSL Handshake timeout.
+##
+## Value: Duration
+## stomp.listener.handshake_timeout = 15s
+
+## See: 'listener.ssl.<name>.ciphers' in emq.conf
+##
+## Value: Ciphers
+## stomp.listener.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+
+## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
+##
+## Value: on | off
+## stomp.listener.secure_renegotiate = off
+
+## See: 'listener.ssl.<name>.reuse_sessions' in emq.conf
+##
+## Value: on | off
+## stomp.listener.reuse_sessions = on
+
+## See: 'listener.ssl.<name>.honor_cipher_order' in emq.conf
+##
+## Value: on | off
+## stomp.listener.honor_cipher_order = on
+
+##--------------------------------------------------------------------
+## Stomp login user and password
+
+## Default login user
+##
+## Value: String
+stomp.default_user.login = guest
+
+## Default login password
+##
+## Value: String
+stomp.default_user.passcode = guest
+
+## Allow anonymous authentication.
+##
+## Value: true | false
+stomp.allow_anonymous = true
+
+##--------------------------------------------------------------------
+## Stomp frame
+
+## Maximum numbers of frame headers.
+##
+## Value: Number
+stomp.frame.max_headers = 10
+
+## Maximum length of frame header.
+##
+## Value: Number
+stomp.frame.max_header_length = 1024
+
+## Maximum body length of frame.
+##
+## Value: Number
+stomp.frame.max_body_length = 8192
+

etc/emqx.d/emqx_telemetry.conf

@@ -0,0 +1,28 @@
+##--------------------------------------------------------------------
+## Telemetry
+##--------------------------------------------------------------------
+
+## Enable telemetry
+##
+## Value: true | false
+##
+## Default: true
+telemetry.enabled = true
+
+## The destination URL for the telemetry data report
+##
+## Value: String
+##
+## Default: https://telemetry.emqx.io/api/telemetry
+telemetry.url = https://telemetry.emqx.io/api/telemetry
+
+## Interval for reporting telemetry data
+##
+## Value: Duration
+## -d: day
+## -h: hour
+## -m: minute
+## -s: second
+##
+## Default: 7d
+telemetry.report_interval = 7d

etc/emqx.d/emqx_web_hook.conf

@@ -0,0 +1,66 @@
+##====================================================================
+## WebHook
+##====================================================================
+
+## The web services URL for Hook request
+##
+## Value: String
+web.hook.api.url = http://127.0.0.1:8080
+
+##--------------------------------------------------------------------
+## HTTP Request Headers
+##
+## The header params what you extra need
+## Format:
+##    web.hook.headers.<param> = your-param
+## Example:
+## 1. web.hook.headers.token = your-token
+## 2. web.hook.headers.other = others-param
+##
+## Value: String
+## web.hook.headers.token = your-token
+
+##--------------------------------------------------------------------
+## Encode message payload field
+##
+## Value: base64 | base62
+## web.hook.encode_payload = base64
+## Mysql ssl configuration.
+##
+## Value: on | off
+## web.hook.ssl = off
+
+##--------------------------------------------------------------------
+## CA certificate.
+##
+## Value: File
+## web.hook.ssl.cafile  = path to your ca file
+## Client ssl certificate.
+##
+## Value: File
+## web.hook.ssl.certfile = path to your clientcert file
+
+##--------------------------------------------------------------------
+## Client ssl keyfile.
+##
+## Value: File
+## web.hook.ssl.keyfile = path to your clientkey file
+
+##--------------------------------------------------------------------
+## Hook Rules
+## These configuration items represent a list of events should be forwarded
+##
+## Format:
+##   web.hook.rule.<HookName>.<No> = <Spec>
+#web.hook.rule.client.connect.1       = {"action": "on_client_connect"}
+#web.hook.rule.client.connack.1       = {"action": "on_client_connack"}
+#web.hook.rule.client.connected.1     = {"action": "on_client_connected"}
+#web.hook.rule.client.disconnected.1  = {"action": "on_client_disconnected"}
+#web.hook.rule.client.subscribe.1     = {"action": "on_client_subscribe"}
+#web.hook.rule.client.unsubscribe.1   = {"action": "on_client_unsubscribe"}
+#web.hook.rule.session.subscribed.1   = {"action": "on_session_subscribed"}
+#web.hook.rule.session.unsubscribed.1 = {"action": "on_session_unsubscribed"}
+#web.hook.rule.session.terminated.1   = {"action": "on_session_terminated"}
+#web.hook.rule.message.publish.1      = {"action": "on_message_publish"}
+#web.hook.rule.message.delivered.1    = {"action": "on_message_delivered"}
+#web.hook.rule.message.acked.1        = {"action": "on_message_acked"}

etc/emqx.d/ssl_dist.conf

@@ -0,0 +1,11 @@
+%% The options in the {server, Opts} tuple are used when calling ssl:ssl_accept/3,
+%% and the options in the {client, Opts} tuple are used when calling ssl:connect/4.
+%%
+%% More information at: http://erlang.org/doc/apps/ssl/ssl_distribution.html
+[{server,
+  [{certfile, "{{ platform_etc_dir }}/certs/cert.pem"},
+   {keyfile, "{{ platform_etc_dir }}/certs/key.pem"},
+   {secure_renegotiate, true},
+   {depth, 0}]},
+ {client,
+  [{secure_renegotiate, true}]}].