Merge pull request #4178 from zmstone/resolve-conflict-v4.3.0-to-v5.0
Resolve conflict v4.3.0 to v5.0
This commit is contained in:
Zaiming Shi
GitHub
commit
4463ccf76c
|
|
@ -24,9 +24,9 @@ services:
|
|||
image: emqx_pgsql:${PGSQL_TAG}
|
||||
restart: always
|
||||
environment:
|
||||
POSTGRES_DB: postgres
|
||||
POSTGRES_USER: postgres
|
||||
POSTGRES_PASSWORD: postgres
|
||||
POSTGRES_DB: mqtt
|
||||
POSTGRES_USER: root
|
||||
POSTGRES_PASSWORD: public
|
||||
ports:
|
||||
- "5432:5432"
|
||||
command:
|
||||
|
|
|
|||
|
|
@ -194,15 +194,9 @@ jobs:
|
|||
run: |
|
||||
docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml build --no-cache
|
||||
docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml up -d
|
||||
if [ "$PGSQL_TAG" = "12" ] || [ "$PGSQL_TAG" = "13" ]; then
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.ssl.tls_versions[ \t]*=.*|auth.pgsql.ssl.tls_versions = "tlsv1.3,tlsv1.2"|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
else
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.ssl.tls_versions[ \t]*=.*|auth.pgsql.ssl.tls_versions = "tlsv1.2,tlsv1.1"|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
fi
|
||||
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.username[ \t]*=.*|auth.pgsql.username = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.password[ \t]*=.*|auth.pgsql.password = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.database[ \t]*=.*|auth.pgsql.database = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.username[ \t]*=.*|auth.pgsql.username = root|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.password[ \t]*=.*|auth.pgsql.password = public|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.database[ \t]*=.*|auth.pgsql.database = mqtt|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.ssl.enable[ \t]*=.*|auth.pgsql.ssl.enable = on|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
sed -i 's|^[#[:space:]]*auth.pgsql.cacertfile[ \t]*=.*|auth.pgsql.cacertfile = /emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/root.crt|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
|
||||
- name: setup
|
||||
|
|
|
|||
|
|
@ -41,5 +41,5 @@ tmp/
|
|||
_packages
|
||||
elvis
|
||||
emqx_dialyzer_*_plt
|
||||
apps/emqx_dashboard/priv/www
|
||||
*/emqx_dashboard/priv/www
|
||||
dist.zip
|
||||
|
|
|
|||
1
Makefile
1
Makefile
|
|
@ -2,6 +2,7 @@ REBAR_VERSION = 3.14.3-emqx-4
|
|||
DASHBOARD_VERSION = v4.3.0
|
||||
REBAR = $(CURDIR)/rebar3
|
||||
BUILD = $(CURDIR)/build
|
||||
export EMQX_ENTERPRISE=false
|
||||
export PKG_VSN ?= $(shell $(CURDIR)/pkg-vsn.sh)
|
||||
|
||||
PROFILE ?= emqx
|
||||
|
|
|
|||
|
|
@ -74,11 +74,10 @@ translate_env(EnvName) ->
|
|||
(_) ->
|
||||
true
|
||||
end, [{keyfile, KeyFile}, {certfile, CertFile}, {cacertfile, CACertFile}]),
|
||||
TlsVers = ['tlsv1.2','tlsv1.1',tlsv1],
|
||||
NTLSOpts = [{versions, TlsVers},
|
||||
{ciphers, lists:foldl(fun(TlsVer, Ciphers) ->
|
||||
Ciphers ++ ssl:cipher_suites(all, TlsVer)
|
||||
end, [], TlsVers)} | TLSOpts],
|
||||
NTLSOpts = [ {versions, emqx_tls_lib:default_versions()}
|
||||
, {ciphers, emqx_tls_lib:default_ciphers()}
|
||||
| TLSOpts
|
||||
],
|
||||
[{transport, ssl}, {transport_opts, [Inet | NTLSOpts]}]
|
||||
end,
|
||||
PoolOpts = [{host, Host},
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ auth.pgsql.username = root
|
|||
## PostgreSQL password.
|
||||
##
|
||||
## Value: String
|
||||
# auth.pgsql.password =
|
||||
#auth.pgsql.password =
|
||||
|
||||
## PostgreSQL database.
|
||||
##
|
||||
|
|
@ -39,13 +39,13 @@ auth.pgsql.encoding = utf8
|
|||
## Value: on | off
|
||||
auth.pgsql.ssl.enable = off
|
||||
|
||||
## TLS version
|
||||
## You can configure multi-version use "," split,
|
||||
## default value is :tlsv1.2
|
||||
## Example:
|
||||
## tlsv1.1,tlsv1.2,tlsv1.3
|
||||
## TLS version.
|
||||
##
|
||||
#auth.pgsql.ssl.tls_versions = tlsv1.2
|
||||
## Available enum values:
|
||||
## tlsv1.3,tlsv1.2,tlsv1.1,tlsv1
|
||||
##
|
||||
## Value: String, seperated by ','
|
||||
#auth.pgsql.ssl.tls_versions = tlsv1.3,tlsv1.2,tlsv1.1
|
||||
|
||||
## SSL keyfile.
|
||||
##
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@
|
|||
]}.
|
||||
|
||||
{mapping, "auth.pgsql.ssl.tls_versions", "emqx_auth_pgsql.server", [
|
||||
{default, "tlsv1.2"},
|
||||
{default, "tlsv1.3,tlsv1.2,tlsv1.1"},
|
||||
{datatype, string}
|
||||
]}.
|
||||
|
||||
|
|
@ -92,9 +92,9 @@
|
|||
SslOpts = fun(Prefix) ->
|
||||
Filter([{keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
|
||||
{certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
|
||||
{cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined),
|
||||
{cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
|
||||
{versions, [list_to_existing_atom(Value)
|
||||
||Value <- string:tokens(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf), " ,")]}}])
|
||||
|| Value <- string:tokens(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf), " ,")]}])
|
||||
end,
|
||||
|
||||
%% FIXME: compatible with 4.0-4.2 version format, plan to delete in 5.0
|
||||
|
|
|
|||
|
|
@ -53,13 +53,13 @@ The following is the basic configuration of RPC bridging. A simplest RPC bridgin
|
|||
|
||||
```
|
||||
## Bridge Address: Use node name (nodename@host) for rpc bridging, and host:port for mqtt connection
|
||||
bridge.mqtt.emqx2.address = emqx2@192.168.1.2
|
||||
bridge.mqtt.emqx2.address = "emqx2@192.168.1.2"
|
||||
|
||||
## Forwarding topics of the message
|
||||
bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#
|
||||
bridge.mqtt.emqx2.forwards = "sensor1/#,sensor2/#"
|
||||
|
||||
## bridged mountpoint
|
||||
bridge.mqtt.emqx2.mountpoint = bridge/emqx2/${node}/
|
||||
bridge.mqtt.emqx2.mountpoint = "bridge/emqx2/${node}/"
|
||||
```
|
||||
|
||||
If the messages received by the local node emqx1 matches the topic `sersor1/#` or `sensor2/#`, these messages will be forwarded to the `sensor1/#` or `sensor2/#` topic of the remote node emqx2.
|
||||
|
|
@ -82,66 +82,66 @@ EMQ X MQTT bridging principle: Create an MQTT client on the EMQ X broker, and co
|
|||
|
||||
```
|
||||
## Bridge Address: Use node name for rpc bridging, use host:port for mqtt connection
|
||||
bridge.mqtt.emqx2.address = 192.168.1.2:1883
|
||||
bridge.mqtt.emqx2.address = "192.168.1.2:1883"
|
||||
|
||||
## Bridged Protocol Version
|
||||
## Enumeration value: mqttv3 | mqttv4 | mqttv5
|
||||
bridge.mqtt.emqx2.proto_ver = mqttv4
|
||||
bridge.mqtt.emqx2.proto_ver = "mqttv4"
|
||||
|
||||
## mqtt client's clientid
|
||||
bridge.mqtt.emqx2.clientid = bridge_emq
|
||||
bridge.mqtt.emqx2.clientid = "bridge_emq"
|
||||
|
||||
## mqtt client's clean_start field
|
||||
## Note: Some MQTT Brokers need to set the clean_start value as `true`
|
||||
bridge.mqtt.emqx2.clean_start = true
|
||||
|
||||
## mqtt client's username field
|
||||
bridge.mqtt.emqx2.username = user
|
||||
bridge.mqtt.emqx2.username = "user"
|
||||
|
||||
## mqtt client's password field
|
||||
bridge.mqtt.emqx2.password = passwd
|
||||
bridge.mqtt.emqx2.password = "passwd"
|
||||
|
||||
## Whether the mqtt client uses ssl to connect to a remote serve or not
|
||||
bridge.mqtt.emqx2.ssl = off
|
||||
|
||||
## CA Certificate of Client SSL Connection (PEM format)
|
||||
bridge.mqtt.emqx2.cacertfile = etc/certs/cacert.pem
|
||||
bridge.mqtt.emqx2.cacertfile = "etc/certs/cacert.pem"
|
||||
|
||||
## SSL certificate of Client SSL connection
|
||||
bridge.mqtt.emqx2.certfile = etc/certs/client-cert.pem
|
||||
bridge.mqtt.emqx2.certfile = "etc/certs/client-cert.pem"
|
||||
|
||||
## Key file of Client SSL connection
|
||||
bridge.mqtt.emqx2.keyfile = etc/certs/client-key.pem
|
||||
bridge.mqtt.emqx2.keyfile = "etc/certs/client-key.pem"
|
||||
|
||||
## SSL encryption
|
||||
bridge.mqtt.emqx2.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384
|
||||
bridge.mqtt.emqx2.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384"
|
||||
|
||||
## TTLS PSK password
|
||||
## Note 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot be configured at the same time
|
||||
##
|
||||
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
|
||||
## bridge.mqtt.emqx2.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
|
||||
## bridge.mqtt.emqx2.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
|
||||
|
||||
## Client's heartbeat interval
|
||||
bridge.mqtt.emqx2.keepalive = 60s
|
||||
|
||||
## Supported TLS version
|
||||
bridge.mqtt.emqx2.tls_versions = tlsv1.2,tlsv1.1,tlsv1
|
||||
bridge.mqtt.emqx2.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||
|
||||
## Forwarding topics of the message
|
||||
bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#
|
||||
bridge.mqtt.emqx2.forwards = "sensor1/#,sensor2/#"
|
||||
|
||||
## Bridged mountpoint
|
||||
bridge.mqtt.emqx2.mountpoint = bridge/emqx2/${node}/
|
||||
bridge.mqtt.emqx2.mountpoint = "bridge/emqx2/${node}/"
|
||||
|
||||
## Subscription topic for bridging
|
||||
bridge.mqtt.emqx2.subscription.1.topic = cmd/topic1
|
||||
bridge.mqtt.emqx2.subscription.1.topic = "cmd/topic1"
|
||||
|
||||
## Subscription qos for bridging
|
||||
bridge.mqtt.emqx2.subscription.1.qos = 1
|
||||
|
||||
## Subscription topic for bridging
|
||||
bridge.mqtt.emqx2.subscription.2.topic = cmd/topic2
|
||||
bridge.mqtt.emqx2.subscription.2.topic = "cmd/topic2"
|
||||
|
||||
## Subscription qos for bridging
|
||||
bridge.mqtt.emqx2.subscription.2.qos = 1
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ In EMQ X, bridge is configured by modifying ``etc/emqx.conf``. EMQ X distinguish
|
|||
.. code-block::
|
||||
|
||||
## Bridge address: node name for local bridge, host:port for remote.
|
||||
bridge.mqtt.aws.address = 127.0.0.1:1883
|
||||
bridge.mqtt.aws.address = "127.0.0.1:1883"
|
||||
|
||||
This configuration declares a bridge named ``aws`` and specifies that it is bridged to the MQTT broker of 127.0.0.1:1883 by MQTT mode.
|
||||
|
||||
|
|
@ -69,13 +69,13 @@ The following is the basic configuration of RPC bridging. A simplest RPC bridgin
|
|||
.. code-block::
|
||||
|
||||
## Bridge Address: Use node name (nodename@host) for rpc bridging, and host:port for mqtt connection
|
||||
bridge.mqtt.emqx2.address = emqx2@192.168.1.2
|
||||
bridge.mqtt.emqx2.address = "emqx2@192.168.1.2"
|
||||
|
||||
## Forwarding topics of the message
|
||||
bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#
|
||||
bridge.mqtt.emqx2.forwards = "sensor1/#,sensor2/#"
|
||||
|
||||
## bridged mountpoint
|
||||
bridge.mqtt.emqx2.mountpoint = bridge/emqx2/${node}/
|
||||
bridge.mqtt.emqx2.mountpoint = "bridge/emqx2/${node}/"
|
||||
|
||||
If the messages received by the local node emqx1 matches the topic ``sersor1/#`` or ``sensor2/#``\ , these messages will be forwarded to the ``sensor1/#`` or ``sensor2/#`` topic of the remote node emqx2.
|
||||
|
||||
|
|
@ -86,10 +86,10 @@ If the messages received by the local node emqx1 matches the topic ``sersor1/#``
|
|||
Limitations of RPC bridging:
|
||||
|
||||
|
||||
#.
|
||||
#.
|
||||
The RPC bridge of emqx can only forward local messages to the remote node, and cannot synchronize the messages of the remote node to the local node;
|
||||
|
||||
#.
|
||||
#.
|
||||
RPC bridge can only bridge two EMQ X broker together and cannot bridge EMQ X broker to other MQTT brokers.
|
||||
|
||||
EMQ X MQTT Bridge Configuration
|
||||
|
|
@ -102,66 +102,66 @@ EMQ X MQTT bridging principle: Create an MQTT client on the EMQ X broker, and co
|
|||
.. code-block::
|
||||
|
||||
## Bridge Address: Use node name for rpc bridging, use host:port for mqtt connection
|
||||
bridge.mqtt.emqx2.address = 192.168.1.2:1883
|
||||
bridge.mqtt.emqx2.address = "192.168.1.2:1883"
|
||||
|
||||
## Bridged Protocol Version
|
||||
## Enumeration value: mqttv3 | mqttv4 | mqttv5
|
||||
bridge.mqtt.emqx2.proto_ver = mqttv4
|
||||
bridge.mqtt.emqx2.proto_ver = "mqttv4"
|
||||
|
||||
## mqtt client's clientid
|
||||
bridge.mqtt.emqx2.clientid = bridge_emq
|
||||
bridge.mqtt.emqx2.clientid = "bridge_emq"
|
||||
|
||||
## mqtt client's clean_start field
|
||||
## Note: Some MQTT Brokers need to set the clean_start value as `true`
|
||||
bridge.mqtt.emqx2.clean_start = true
|
||||
|
||||
## mqtt client's username field
|
||||
bridge.mqtt.emqx2.username = user
|
||||
bridge.mqtt.emqx2.username = "user"
|
||||
|
||||
## mqtt client's password field
|
||||
bridge.mqtt.emqx2.password = passwd
|
||||
bridge.mqtt.emqx2.password = "passwd"
|
||||
|
||||
## Whether the mqtt client uses ssl to connect to a remote serve or not
|
||||
bridge.mqtt.emqx2.ssl = off
|
||||
|
||||
## CA Certificate of Client SSL Connection (PEM format)
|
||||
bridge.mqtt.emqx2.cacertfile = etc/certs/cacert.pem
|
||||
bridge.mqtt.emqx2.cacertfile = "etc/certs/cacert.pem"
|
||||
|
||||
## SSL certificate of Client SSL connection
|
||||
bridge.mqtt.emqx2.certfile = etc/certs/client-cert.pem
|
||||
bridge.mqtt.emqx2.certfile = "etc/certs/client-cert.pem"
|
||||
|
||||
## Key file of Client SSL connection
|
||||
bridge.mqtt.emqx2.keyfile = etc/certs/client-key.pem
|
||||
|
||||
## SSL encryption
|
||||
bridge.mqtt.emqx2.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384
|
||||
bridge.mqtt.emqx2.keyfile = "etc/certs/client-key.pem"
|
||||
|
||||
## TTLS PSK password
|
||||
## Note 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot be configured at the same time
|
||||
##
|
||||
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
|
||||
## bridge.mqtt.emqx2.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
|
||||
## bridge.mqtt.emqx2.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
|
||||
|
||||
## Client's heartbeat interval
|
||||
bridge.mqtt.emqx2.keepalive = 60s
|
||||
|
||||
## Supported TLS version
|
||||
bridge.mqtt.emqx2.tls_versions = tlsv1.2,tlsv1.1,tlsv1
|
||||
bridge.mqtt.emqx2.tls_versions = "tlsv1.2"
|
||||
|
||||
## SSL encryption
|
||||
bridge.mqtt.emqx2.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384"
|
||||
|
||||
## Forwarding topics of the message
|
||||
bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#
|
||||
bridge.mqtt.emqx2.forwards = "sensor1/#,sensor2/#"
|
||||
|
||||
## Bridged mountpoint
|
||||
bridge.mqtt.emqx2.mountpoint = bridge/emqx2/${node}/
|
||||
bridge.mqtt.emqx2.mountpoint = "bridge/emqx2/${node}/"
|
||||
|
||||
## Subscription topic for bridging
|
||||
bridge.mqtt.emqx2.subscription.1.topic = cmd/topic1
|
||||
bridge.mqtt.emqx2.subscription.1.topic = "cmd/topic1"
|
||||
|
||||
## Subscription qos for bridging
|
||||
bridge.mqtt.emqx2.subscription.1.qos = 1
|
||||
|
||||
## Subscription topic for bridging
|
||||
bridge.mqtt.emqx2.subscription.2.topic = cmd/topic2
|
||||
bridge.mqtt.emqx2.subscription.2.topic = "cmd/topic2"
|
||||
|
||||
## Subscription qos for bridging
|
||||
bridge.mqtt.emqx2.subscription.2.qos = 1
|
||||
|
|
@ -190,7 +190,7 @@ The bridge of EMQ X has a message caching mechanism. The caching mechanism is ap
|
|||
bridge.mqtt.emqx2.queue.batch_bytes_limit = 1000MB
|
||||
|
||||
## The path for placing replayq queue. If it is not specified, then replayq will run in `mem-only` mode and messages will not be cached on disk.
|
||||
bridge.mqtt.emqx2.queue.replayq_dir = data/emqx_emqx2_bridge/
|
||||
bridge.mqtt.emqx2.queue.replayq_dir = "data/emqx_emqx2_bridge/"
|
||||
|
||||
## Replayq data segment size
|
||||
bridge.mqtt.emqx2.queue.replayq_seg_bytes = 10MB
|
||||
|
|
|
|||
|
|
@ -128,6 +128,7 @@ bridge.mqtt.aws.keepalive = 60s
|
|||
|
||||
## TLS versions used by the bridge.
|
||||
##
|
||||
## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
|
||||
## Value: String
|
||||
bridge.mqtt.aws.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||
|
||||
|
|
|
|||
|
|
@ -90,7 +90,7 @@
|
|||
|
||||
{mapping, "bridge.mqtt.$name.tls_versions", "emqx_bridge_mqtt.bridges", [
|
||||
{datatype, string},
|
||||
{default, "tlsv1,tlsv1.1,tlsv1.2"}
|
||||
{default, "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"}
|
||||
]}.
|
||||
|
||||
{mapping, "bridge.mqtt.$name.reconnect_interval", "emqx_bridge_mqtt.bridges", [
|
||||
|
|
|
|||
|
|
@ -671,12 +671,6 @@ format_data([], Msg) ->
|
|||
format_data(Tokens, Msg) ->
|
||||
emqx_rule_utils:proc_tmpl(Tokens, Msg).
|
||||
|
||||
tls_versions() ->
|
||||
['tlsv1.2','tlsv1.1', tlsv1].
|
||||
|
||||
ciphers(Ciphers) ->
|
||||
string:tokens(str(Ciphers), ", ").
|
||||
|
||||
subscriptions(Subscriptions) ->
|
||||
scan_binary(<<"[", Subscriptions/binary, "].">>).
|
||||
|
||||
|
|
@ -749,6 +743,8 @@ options(Options, PoolName) ->
|
|||
Topic ->
|
||||
[{subscriptions, [{Topic, Get(<<"qos">>)}]} | Subscriptions]
|
||||
end,
|
||||
%% TODO check why only ciphers are configurable but not versions
|
||||
TlsVersions = emqx_tls_lib:default_versions(),
|
||||
[{address, binary_to_list(Address)},
|
||||
{bridge_mode, GetD(<<"bridge_mode">>, true)},
|
||||
{clean_start, true},
|
||||
|
|
@ -761,12 +757,13 @@ options(Options, PoolName) ->
|
|||
{proto_ver, mqtt_ver(Get(<<"proto_ver">>))},
|
||||
{retry_interval, cuttlefish_duration:parse(str(GetD(<<"retry_interval">>, "30s")), s)},
|
||||
{ssl, cuttlefish_flag:parse(str(Get(<<"ssl">>)))},
|
||||
{ssl_opts, [{versions, tls_versions()},
|
||||
{ciphers, ciphers(Get(<<"ciphers">>))},
|
||||
{keyfile, str(Get(<<"keyfile">>))},
|
||||
{certfile, str(Get(<<"certfile">>))},
|
||||
{cacertfile, str(Get(<<"cacertfile">>))}
|
||||
]}] ++ Subscriptions1
|
||||
{ssl_opts, [ {keyfile, str(Get(<<"keyfile">>))}
|
||||
, {certfile, str(Get(<<"certfile">>))}
|
||||
, {cacertfile, str(Get(<<"cacertfile">>))}
|
||||
, {versions, TlsVersions}
|
||||
, {ciphers, emqx_tls_lib:integral_ciphers(TlsVersions, Get(<<"ciphers">>))}
|
||||
]}
|
||||
] ++ Subscriptions1
|
||||
end.
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -75,10 +75,7 @@ end}.
|
|||
Ciphers =
|
||||
case cuttlefish:conf_get("coap.dtls.ciphers", Conf, undefined) of
|
||||
undefined ->
|
||||
lists:foldl(
|
||||
fun(TlsVer, Ciphers) ->
|
||||
Ciphers ++ ssl:cipher_suites(all, TlsVer)
|
||||
end, [], ['dtlsv1', 'dtlsv1.2']);
|
||||
lists:append([ssl:cipher_suites(all, V, openssl) || V <- ['dtlsv1.2', 'dtlsv1']]);
|
||||
C ->
|
||||
SplitFun(C)
|
||||
end,
|
||||
|
|
|
|||
|
|
@ -425,8 +425,8 @@ udp_opts() ->
|
|||
|
||||
ssl_opts() ->
|
||||
Certs = certs("key.pem", "cert.pem", "cacert.pem"),
|
||||
[{versions, ['tlsv1.2','tlsv1.1',tlsv1]},
|
||||
{ciphers, ciphers('tlsv1.2')},
|
||||
[{versions, emqx_tls_lib:default_versions()},
|
||||
{ciphers, emqx_tls_lib:default_ciphers()},
|
||||
{verify, verify_peer},
|
||||
{fail_if_no_peer_cert, true},
|
||||
{secure_renegotiate, false},
|
||||
|
|
@ -437,9 +437,6 @@ dtls_opts() ->
|
|||
Opts = ssl_opts(),
|
||||
lists:keyreplace(versions, 1, Opts, {versions, ['dtlsv1.2', 'dtlsv1']}).
|
||||
|
||||
ciphers(Version) ->
|
||||
proplists:get_value(ciphers, emqx_ct_helpers:client_ssl(Version)).
|
||||
|
||||
%%--------------------------------------------------------------------
|
||||
%% Client-Opts
|
||||
|
||||
|
|
|
|||
|
|
@ -58,6 +58,7 @@ stomp.listener.max_connections = 512
|
|||
## TLS versions only to protect from POODLE attack.
|
||||
##
|
||||
## Value: String, seperated by ','
|
||||
## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
|
||||
## stomp.listener.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||
|
||||
## SSL Handshake timeout.
|
||||
|
|
|
|||
|
|
@ -354,12 +354,11 @@ pool_opts(Params = #{<<"url">> := URL}) ->
|
|||
(_) ->
|
||||
true
|
||||
end, [{keyfile, KeyFile}, {certfile, CertFile}, {cacertfile, CACertFile}]),
|
||||
TlsVers = ['tlsv1.2', 'tlsv1.1', tlsv1],
|
||||
NTLSOpts = [{verify, VerifyType},
|
||||
{versions, TlsVers},
|
||||
{ciphers, lists:foldl(fun(TlsVer, Ciphers) ->
|
||||
Ciphers ++ ssl:cipher_suites(all, TlsVer)
|
||||
end, [], TlsVers)} | TLSOpts],
|
||||
NTLSOpts = [ {verify, VerifyType}
|
||||
, {versions, emqx_tls_lib:default_versions()}
|
||||
, {ciphers, emqx_tls_lib:default_ciphers()}
|
||||
| TLSOpts
|
||||
],
|
||||
[{transport, ssl}, {transport_opts, [Inet | NTLSOpts]}]
|
||||
end,
|
||||
[{host, Host},
|
||||
|
|
@ -397,4 +396,4 @@ test_http_connect(Conf) ->
|
|||
Err:Reason:ST ->
|
||||
?LOG(error, "check http_connectivity failed: ~p, ~0p", [Conf, {Err, Reason, ST}]),
|
||||
false
|
||||
end.
|
||||
end.
|
||||
|
|
|
|||
|
|
@ -75,12 +75,11 @@ translate_env() ->
|
|||
TLSOpts = lists:filter(fun({_K, V}) ->
|
||||
V /= <<>> andalso V /= undefined andalso V /= "" andalso true
|
||||
end, [{keyfile, KeyFile}, {certfile, CertFile}, {cacertfile, CACertFile}]),
|
||||
TlsVers = ['tlsv1.2','tlsv1.1',tlsv1],
|
||||
NTLSOpts = [{verify, VerifyType},
|
||||
{versions, TlsVers},
|
||||
{ciphers, lists:foldl(fun(TlsVer, Ciphers) ->
|
||||
Ciphers ++ ssl:cipher_suites(all, TlsVer)
|
||||
end, [], TlsVers)} | TLSOpts],
|
||||
NTLSOpts = [ {verify, VerifyType}
|
||||
, {versions, emqx_tls_lib:default_versions()}
|
||||
, {ciphers, emqx_tls_lib:default_ciphers()}
|
||||
| TLSOpts
|
||||
],
|
||||
[{transport, ssl}, {transport_opts, [Inet | NTLSOpts]}]
|
||||
end,
|
||||
PoolOpts = [{host, Host},
|
||||
|
|
@ -114,4 +113,4 @@ parse_host(Host) ->
|
|||
{ok, _} -> {inet6, Host};
|
||||
{error, _} -> {inet, Host}
|
||||
end
|
||||
end.
|
||||
end.
|
||||
|
|
|
|||
4
bin/emqx
4
bin/emqx
|
|
@ -255,7 +255,7 @@ if [ -z "$NAME_ARG" ]; then
|
|||
# check if there is a node running, inspect its name
|
||||
# shellcheck disable=SC2009 # pgrep does not support Extended Regular Expressions
|
||||
[ -z "$NODENAME" ] && NODENAME=$(ps -ef | grep -E '\-progname\s.*emqx\s' | grep -o -E '\-name (\S*)' | awk '{print $2}')
|
||||
[ -z "$NODENAME" ] && NODENAME=$(grep -E '^[ \t]*node.name[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2-)
|
||||
[ -z "$NODENAME" ] && NODENAME=$(grep -E '^[ \t]*node.name[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2- | tr -d '"')
|
||||
if [ -z "$NODENAME" ]; then
|
||||
echoerr "vm.args needs to have a -name parameter."
|
||||
echoerr " -sname is not supported."
|
||||
|
|
@ -280,7 +280,7 @@ if [ -z "$COOKIE_ARG" ]; then
|
|||
# check if there is a node running, steal its cookie
|
||||
# shellcheck disable=SC2009 # pgrep does not support Extended Regular Expressions
|
||||
[ -z "$COOKIE" ] && COOKIE=$(ps -ef | grep -E '\-progname\s.*emqx\s' | grep -o -E '\-setcookie (\S*)' | awk '{print $2}')
|
||||
[ -z "$COOKIE" ] && COOKIE=$(grep -E '^[ \t]*node.cookie[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2-)
|
||||
[ -z "$COOKIE" ] && COOKIE=$(grep -E '^[ \t]*node.cookie[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2- | tr -d '"')
|
||||
if [ -z "$COOKIE" ]; then
|
||||
echoerr "vm.args needs to have a -setcookie parameter."
|
||||
echoerr "please check $RUNNER_ETC_DIR/emqx.conf"
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ if [ -z "$NAME_ARG" ]; then
|
|||
# check if there is a node running, inspect its name
|
||||
# shellcheck disable=SC2009 # pgrep does not support Extended Regular Expressions
|
||||
[ -z "$NODENAME" ] && NODENAME=$(ps -ef | grep -E '\progname\s.*emqx\s' | grep -o -E '\-name (\S*)' | awk '{print $2}')
|
||||
[ -z "$NODENAME" ] && NODENAME=$(grep -E '^[ \t]*node.name[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2-)
|
||||
[ -z "$NODENAME" ] && NODENAME=$(grep -E '^[ \t]*node.name[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2- | tr -d '"')
|
||||
if [ -z "$NODENAME" ]; then
|
||||
echoerr "vm.args needs to have a -name parameter."
|
||||
echoerr " -sname is not supported."
|
||||
|
|
@ -58,7 +58,7 @@ if [ -z "$COOKIE_ARG" ]; then
|
|||
# check if there is a node running, steal its cookie
|
||||
# shellcheck disable=SC2009 # pgrep does not support Extended Regular Expressions
|
||||
[ -z "$COOKIE" ] && COOKIE=$(ps -ef | grep -E '\-progname\s.*emqx\s' | grep -o -E '\-setcookie (\S*)' | awk '{print $2}')
|
||||
[ -z "$COOKIE" ] && COOKIE=$(grep -E '^[ \t]*node.cookie[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2-)
|
||||
[ -z "$COOKIE" ] && COOKIE=$(grep -E '^[ \t]*node.cookie[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2- | tr -d '"')
|
||||
if [ -z "$COOKIE" ]; then
|
||||
echoerr "vm.args needs to have a -setcookie parameter."
|
||||
echoerr "please check $RUNNER_ETC_DIR/emqx.conf"
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
[
|
||||
{config,
|
||||
[
|
||||
#{dirs => ["apps/**/src", "src"],
|
||||
#{dirs => ["src", "apps/**/src", "lib-opensource/**/src"],
|
||||
filter => "*.erl",
|
||||
ruleset => erl_files,
|
||||
rules => [
|
||||
|
|
@ -16,7 +16,7 @@
|
|||
]}}
|
||||
]
|
||||
},
|
||||
#{dirs => ["apps/**/test", "test"],
|
||||
#{dirs => ["test", "apps/**/test", "lib-opensource/**/src"],
|
||||
filter => "*.erl",
|
||||
rules => [
|
||||
{elvis_text_style, line_length, #{ limit => 100
|
||||
|
|
|
|||
|
|
@ -184,12 +184,12 @@ cluster.autoclean = 5m
|
|||
## Value: <name>@<host>
|
||||
##
|
||||
## Default: emqx@127.0.0.1
|
||||
node.name = emqx@127.0.0.1
|
||||
node.name = "emqx@127.0.0.1"
|
||||
|
||||
## Cookie for distributed node communication.
|
||||
##
|
||||
## Value: String
|
||||
node.cookie = emqxsecretcookie
|
||||
node.cookie = "emqxsecretcookie"
|
||||
|
||||
## Data dir for the node
|
||||
##
|
||||
|
|
@ -1317,7 +1317,8 @@ listener.ssl.external.access.1 = "allow all"
|
|||
## See: http://erlang.org/doc/man/ssl.html
|
||||
##
|
||||
## Value: String, seperated by ','
|
||||
## listener.ssl.external.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
|
||||
## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
|
||||
## listener.ssl.external.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||
|
||||
## TLS Handshake timeout.
|
||||
##
|
||||
|
|
@ -1563,7 +1564,7 @@ listener.ws.external.access.1 = "allow all"
|
|||
## Supported subprotocols
|
||||
##
|
||||
## Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
|
||||
## listener.ws.external.supported_protocols = mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
|
||||
## listener.ws.external.supported_protocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
|
||||
|
||||
## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind
|
||||
## HAProxy or Nginx.
|
||||
|
|
@ -1784,7 +1785,7 @@ listener.wss.external.access.1 = "allow all"
|
|||
## Supported subprotocols
|
||||
##
|
||||
## Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
|
||||
## listener.ws.external.supported_protocols = mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
|
||||
## listener.wss.external.supported_protocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
|
||||
|
||||
## Enable the Proxy Protocol V1/2 support.
|
||||
##
|
||||
|
|
@ -1805,7 +1806,8 @@ listener.wss.external.access.1 = "allow all"
|
|||
## See: listener.ssl.$name.tls_versions
|
||||
##
|
||||
## Value: String, seperated by ','
|
||||
## listener.wss.external.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
|
||||
## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
|
||||
## listener.wss.external.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||
|
||||
## Path to the file containing the user's private PEM-encoded key.
|
||||
##
|
||||
|
|
|
|||
|
|
@ -1,6 +1,5 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
#set -euo pipefail
|
||||
set -eu
|
||||
|
||||
VERSION="$1"
|
||||
|
|
@ -10,7 +9,11 @@ cd -P -- "$(dirname -- "$0")"
|
|||
|
||||
DOWNLOAD_URL='https://github.com/emqx/emqx-dashboard-frontend/releases/download'
|
||||
|
||||
DASHBOARD_PATH='apps/emqx_dashboard/priv'
|
||||
if [ "$EMQX_ENTERPRISE" = 'true' ] || [ "$EMQX_ENTERPRISE" == '1' ]; then
|
||||
DASHBOARD_PATH='lib-enterprise/emqx_dashboard/priv'
|
||||
else
|
||||
DASHBOARD_PATH='lib-opensource/emqx_dashboard/priv'
|
||||
fi
|
||||
|
||||
case $(uname) in
|
||||
*Darwin*) SED="sed -E";;
|
||||
|
|
|
|||
|
|
@ -105,7 +105,8 @@ dashboard.listener.http.ipv6_v6only = false
|
|||
## TLS versions only to protect from POODLE attack.
|
||||
##
|
||||
## Value: String, seperated by ','
|
||||
## dashboard.listener.https.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
|
||||
## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
|
||||
## dashboard.listener.https.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||
|
||||
## See: 'listener.ssl.<name>.ciphers' in emq.conf
|
||||
##
|
||||
|
|
@ -45,6 +45,7 @@ management.listener.http.ipv6_v6only = false
|
|||
## management.listener.https.keyfile = "etc/certs/key.pem"
|
||||
## management.listener.https.cacertfile = "etc/certs/cacert.pem"
|
||||
## management.listener.https.verify = verify_peer
|
||||
## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
|
||||
## management.listener.https.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||
## management.listener.https.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
||||
## management.listener.https.fail_if_no_peer_cert = true
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue