feat(cuttlefish): use hocon as a parsing function (#4008)

* chore(conf): add quotation for hocon * chore(conf): fix paths incompatible with hocon * chore(conf): use hocon as parsing function * chore(docker): add quotation to some env variables for hocon
2021-01-19 19:52:17 +09:00 · 2021-01-19 19:52:17 +09:00 · 455f210b4c
parent d437f9f228
commit 455f210b4c
57 changed files with 389 additions and 409 deletions
--- a/.ci/fvt_tests/docker-compose.yaml
+++ b/.ci/fvt_tests/docker-compose.yaml
@ -8,7 +8,7 @@ services:
    - "EMQX_NAME=emqx"
    - "EMQX_HOST=node1.emqx.io"
    - "EMQX_CLUSTER__DISCOVERY=static"
-    - "EMQX_CLUSTER__STATIC__SEEDS=emqx@node1.emqx.io, emqx@node2.emqx.io"
+    - "EMQX_CLUSTER__STATIC__SEEDS=\"emqx@node1.emqx.io, emqx@node2.emqx.io\""
    - "EMQX_ZONE__EXTERNAL__RETRY_INTERVAL=2s"
    - "EMQX_MQTT__MAX_TOPIC_ALIAS=10"
    command:
@ -34,7 +34,7 @@ services:
    - "EMQX_NAME=emqx"
    - "EMQX_HOST=node2.emqx.io"
    - "EMQX_CLUSTER__DISCOVERY=static"
-    - "EMQX_CLUSTER__STATIC__SEEDS=emqx@node1.emqx.io, emqx@node2.emqx.io"
+    - "EMQX_CLUSTER__STATIC__SEEDS=\"emqx@node1.emqx.io, emqx@node2.emqx.io\""
    - "EMQX_ZONE__EXTERNAL__RETRY_INTERVAL=2s"
    - "EMQX_MQTT__MAX_TOPIC_ALIAS=10"
    command:
--- a/.github/workflows/run_cts_tests.yaml
+++ b/.github/workflows/run_cts_tests.yaml
@ -39,12 +39,12 @@ jobs:
        if: matrix.network_type == 'ipv4'
        run: |
          server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ldap)
-          sed -i "/auth.ldap.servers/c auth.ldap.servers = $server_address" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
+          sed -i "/auth.ldap.servers/c auth.ldap.servers = \"$server_address\"" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
      - name: setup
        if: matrix.network_type == 'ipv6'
        run: |
          server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' ldap)
-          sed -i "/auth.ldap.servers/c auth.ldap.servers = $server_address" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
+          sed -i "/auth.ldap.servers/c auth.ldap.servers = \"$server_address\"" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
      - name: run test cases
        run: |
          docker exec -i erlang sh -c "make ensure-rebar3"
@ -79,15 +79,15 @@ jobs:
        if: matrix.connect_type == 'tls'
        run: |
          docker-compose -f .ci/compatibility_tests/docker-compose-mongo-tls.yaml up -d
-          echo 'auth.mongo.ssl = on' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          echo 'auth.mongo.ssl.enable = on' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
-          echo 'auth.mongo.ssl.cacertfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          echo 'auth.mongo.ssl.cacertfile = "/emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem"' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
-          echo 'auth.mongo.ssl.certfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          echo 'auth.mongo.ssl.certfile = "/emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem"' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
-          echo 'auth.mongo.ssl.keyfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          echo 'auth.mongo.ssl.keyfile = "/emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem"' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
-          # echo 'auth.mongo.ssl = true' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          # echo 'auth.mongo.ssl.enable = true' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
-          # echo 'auth.mongo.ssl_opts.cacertfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          # echo 'auth.mongo.ssl_opts.cacertfile = "/emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem"' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
-          # echo 'auth.mongo.ssl_opts.certfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          # echo 'auth.mongo.ssl_opts.certfile = "/emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem"' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
-          # echo 'auth.mongo.ssl_opts.keyfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          # echo 'auth.mongo.ssl_opts.keyfile = "/emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem"' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
      - name: setup
        env:
          MONGO_TAG: ${{ matrix.mongo_tag }}
@ -97,12 +97,12 @@ jobs:
        if: matrix.network_type == 'ipv4'
        run: |
          server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' mongo)
-          sed -i "/auth.mongo.server/c auth.mongo.server = $server_address:27017" apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          sed -i "/auth.mongo.server/c auth.mongo.server = \"$server_address:27017\"" apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
      - name: setup
        if: matrix.network_type == 'ipv6'
        run: |
          server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' mongo)
-          sed -i "/auth.mongo.server/c auth.mongo.server = $server_address:27017" apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+          sed -i "/auth.mongo.server/c auth.mongo.server = \"$server_address:27017\"" apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
      - name: run test cases
        run: |
          docker exec -i erlang sh -c "make ensure-rebar3"
@ -139,9 +139,9 @@ jobs:
          docker-compose -f .ci/compatibility_tests/docker-compose-mysql-tls.yaml up -d
          echo '\n' >> apps/emqx_auth_mongo/etc/emqx_auth_mysql.conf
          echo 'auth.mysql.ssl = on' >> apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
-          echo "auth.mysql.ssl.cafile = /emqx/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE_data/ca.pem" >> apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
+          echo "auth.mysql.ssl.cafile = \"/emqx/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE_data/ca.pem\"" >> apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
-          echo "auth.mysql.ssl.certfile = /emqx/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE_data/client-cert.pem" >> apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
+          echo "auth.mysql.ssl.certfile = \"/emqx/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE_data/client-cert.pem\"" >> apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
-          echo "auth.mysql.ssl.keyfile =  /emqx/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE_data/client-key.pem" >> apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
+          echo "auth.mysql.ssl.keyfile =  \"/emqx/apps/emqx_auth_mysql/test/emqx_auth_mysql_SUITE_data/client-key.pem"\" >> apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
      - name: setup
        env:
          MYSQL_TAG: ${{ matrix.mysql_tag }}
@ -151,12 +151,12 @@ jobs:
        if: matrix.network_type == 'ipv4'
        run: |
          server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' mysql)
-          sed -i "/auth.mysql.server/c auth.mysql.server = $server_address:3306" apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
+          sed -i "/auth.mysql.server/c auth.mysql.server = \"$server_address:3306\"" apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
      - name: setup
        if: matrix.network_type == 'ipv6'
        run: |
          server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' mysql)
-          sed -i "/auth.mysql.server/c auth.mysql.server = $server_address:3306" apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
+          sed -i "/auth.mysql.server/c auth.mysql.server = \"$server_address:3306\"" apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
      - name: run test cases
        run: |
          docker exec -i erlang sh -c "make ensure-rebar3"
@ -196,9 +196,9 @@ jobs:
          docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml up -d
          echo '\n' >> apps/emqx_auth_mongo/etc/emqx_auth_pgsql.conf
          echo 'auth.pgsql.ssl = true' >> apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          echo "auth.pgsql.ssl_opts.cacertfile = /emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/ca.pem" >> apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+          echo "auth.pgsql.ssl_opts.cacertfile = \"/emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/ca.pem\"" >> apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          echo "auth.pgsql.ssl_opts.certfile = /emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/client-cert.pem" >> apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+          echo "auth.pgsql.ssl_opts.certfile = \"/emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/client-cert.pem\"" >> apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          echo "auth.pgsql.ssl_opts.keyfile =  /emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/client-key.pem" >> apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+          echo "auth.pgsql.ssl_opts.keyfile =  \"/emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/client-key.pem\"" >> apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
      - name: setup
        env:
          PGSQL_TAG: ${{ matrix.pgsql_tag }}
@ -208,12 +208,12 @@ jobs:
        if: matrix.network_type == 'ipv4'
        run: |
          server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pgsql)
-          sed -i "/auth.pgsql.server/c auth.pgsql.server = $server_address:5432" apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+          sed -i "/auth.pgsql.server/c auth.pgsql.server = \"$server_address:5432\"" apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
      - name: setup
        if: matrix.network_type == 'ipv6'
        run: |
          server_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' pgsql)
-          sed -i "/auth.pgsql.server/c auth.pgsql.server = $server_address:5432" apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+          sed -i "/auth.pgsql.server/c auth.pgsql.server = \"$server_address:5432\"" apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
      - name: run test cases
        run: |
          docker exec -i erlang sh -c "make ensure-rebar3"
@ -253,10 +253,10 @@ jobs:
          set -exu
          docker-compose -f .ci/compatibility_tests/docker-compose-redis-${{ matrix.node_type }}-tls.yaml up -d
          echo '\n' >> apps/emqx_auth_mongo/etc/emqx_auth_redis.conf
-          echo 'auth.redis.ssl = on' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+          echo 'auth.redis.ssl.enable = on' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf
-          echo 'auth.redis.ssl.cafile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/ca.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+          echo 'auth.redis.ssl.cafile = "/emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/ca.crt"' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf
-          echo 'auth.redis.ssl.certfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+          echo 'auth.redis.ssl.certfile = "/emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.crt"' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf
-          echo 'auth.redis.ssl.keyfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.key' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+          echo 'auth.redis.ssl.keyfile = "/emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.key"' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf
      - name: setup
        env:
          REDIS_TAG: ${{ matrix.redis_tag }}
@ -274,24 +274,24 @@ jobs:
        if: matrix.node_type == 'singer' && matrix.connect_type == 'tcp'
        run: |
          set -exu
-          sed -i "/auth.redis.server/c auth.redis.server = ${redis_${{ matrix.network_type }}_address}:6379" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+          sed -i "/auth.redis.server/c auth.redis.server = \"${redis_${{ matrix.network_type }}_address}:6379\"" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
      - name: setup
        if: matrix.node_type == 'singer' && matrix.connect_type == 'tls' && matrix.redis_tag != '5'
        run: |
          set -exu
-          sed -i "/auth.redis.server/c auth.redis.server = ${redis_${{ matrix.network_type }}_address}:6380" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+          sed -i "/auth.redis.server/c auth.redis.server = \"${redis_${{ matrix.network_type }}_address}:6380\"" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
      - name: setup
        if: matrix.node_type == 'cluster' && matrix.connect_type == 'tcp'
        run: |
          set -exu
          sed -i "/auth.redis.type/c auth.redis.type = cluster" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
-          sed -i "/auth.redis.server/c auth.redis.server = ${redis_${{ matrix.network_type }}_address}:7000, ${redis_${{ matrix.network_type }}_address}:7001, ${redis_${{ matrix.network_type }}_address}:7002" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+          sed -i "/auth.redis.server/c auth.redis.server = \"${redis_${{ matrix.network_type }}_address}:7000, ${redis_${{ matrix.network_type }}_address}:7001, ${redis_${{ matrix.network_type }}_address}:7002\"" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
      - name: setup
        if: matrix.node_type == 'cluster' && matrix.connect_type == 'tls' && matrix.redis_tag != '5'
        run: |
          set -exu
          sed -i "/auth.redis.type/c auth.redis.type = cluster" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
-          sed -i "/auth.redis.server/c auth.redis.server = ${redis_${{ matrix.network_type }}_address}:8000, ${redis_${{ matrix.network_type }}_address}:8001, ${redis_${{ matrix.network_type }}_address}:8002" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+          sed -i "/auth.redis.server/c auth.redis.server = \"${redis_${{ matrix.network_type }}_address}:8000, ${redis_${{ matrix.network_type }}_address}:8001, ${redis_${{ matrix.network_type }}_address}:8002\"" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
      - name: run test cases
        if: matrix.connect_type == 'tcp' || (matrix.connect_type == 'tls' && matrix.redis_tag != '5')
        run: |
--- a/.github/workflows/run_test_cases.yaml
+++ b/.github/workflows/run_test_cases.yaml
@ -33,11 +33,11 @@ jobs:
            docker-compose -f .ci/apps_tests/docker-compose.yaml up -d
        - name: set config files
          run: |
-            sed -i "/auth.mysql.server/c auth.mysql.server = mysql_server:3306" apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
+            sed -i "/auth.mysql.server/c auth.mysql.server = \"mysql_server:3306\"" apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
-            sed -i "/auth.redis.server/c auth.redis.server = redis_server:6379" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+            sed -i "/auth.redis.server/c auth.redis.server = \"redis_server:6379\"" apps/emqx_auth_redis/etc/emqx_auth_redis.conf
-            sed -i "/auth.mongo.server/c auth.mongo.server = mongo_server:27017" apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+            sed -i "/auth.mongo.server/c auth.mongo.server = \"mongo_server:27017\"" apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
-            sed -i "/auth.pgsql.server/c auth.pgsql.server = pgsql_server:5432" apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+            sed -i "/auth.pgsql.server/c auth.pgsql.server = \"pgsql_server:5432\"" apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-            sed -i "/auth.ldap.servers/c auth.ldap.servers = ldap_server" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
+            sed -i "/auth.ldap.servers/c auth.ldap.servers = \"ldap_server\"" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
        - name: run tests
          run: |
            docker exec -i erlang bash -c "make xref"
--- a/apps/emqx_auth_http/etc/emqx_auth_http.conf
+++ b/apps/emqx_auth_http/etc/emqx_auth_http.conf
@ -9,8 +9,8 @@
 ##
 ## Value: URL
 ##
-## Examples: http://127.0.0.1:8991/mqtt/auth, https://[::1]:8991/mqtt/auth
+## Examples: "http://127.0.0.1:8991/mqtt/auth", "https://[::1]:8991/mqtt/auth"
-auth.http.auth_req = http://127.0.0.1:8991/mqtt/auth
+auth.http.auth_req.endpoint = "http://127.0.0.1:8991/mqtt/auth"
 ## Value: post | get
 auth.http.auth_req.method = post
@ -31,7 +31,7 @@ auth.http.auth_req.content_type = x-www-form-urlencoded
 ##  - %k: websocket cookie
 ##
 ## Value: Params
-auth.http.auth_req.params = clientid=%c,username=%u,password=%P
+auth.http.auth_req.params = "clientid=%c,username=%u,password=%P"
 ##--------------------------------------------------------------------
 ## Superuser request.
@ -40,8 +40,8 @@ auth.http.auth_req.params = clientid=%c,username=%u,password=%P
 ##
 ## Value: URL
 ##
-## Examples: http://127.0.0.1:8991/mqtt/superuser, https://[::1]:8991/mqtt/superuser
+## Examples: "http://127.0.0.1:8991/mqtt/superuser", "https://[::1]:8991/mqtt/superuser"
-#auth.http.super_req = http://127.0.0.1:8991/mqtt/superuser
+#auth.http.super_req.endpoint = "http://127.0.0.1:8991/mqtt/superuser"
 ## Value: post | get
 #auth.http.super_req.method = post
@ -62,7 +62,7 @@ auth.http.auth_req.params = clientid=%c,username=%u,password=%P
 ##  - %k: websocket cookie
 ##
 ## Value: Params
-#auth.http.super_req.params = clientid=%c,username=%u
+#auth.http.super_req.params = "clientid=%c,username=%u"
 ##--------------------------------------------------------------------
 ## ACL request.
@ -71,8 +71,8 @@ auth.http.auth_req.params = clientid=%c,username=%u,password=%P
 ##
 ## Value: URL
 ##
-## Examples: http://127.0.0.1:8991/mqtt/acl, https://[::1]:8991/mqtt/acl
+## Examples: "http://127.0.0.1:8991/mqtt/acl", "https://[::1]:8991/mqtt/acl"
-auth.http.acl_req = http://127.0.0.1:8991/mqtt/acl
+auth.http.acl_req.endpoint = "http://127.0.0.1:8991/mqtt/acl"
 ## Value: post | get
 auth.http.acl_req.method = get
@ -92,7 +92,7 @@ auth.http.acl_req.content_type = x-www-form-urlencoded
 ##  - %k: websocket cookie
 ##
 ## Value: Params
-auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m
+auth.http.acl_req.params = "access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m"
 ##------------------------------------------------------------------------------
 ## Http Reqeust options
@ -144,22 +144,22 @@ auth.http.request.retry_backoff = 2.0
 ## are used during server authentication and when building the client certificate chain.
 ##
 ## Value: File
-## auth.http.ssl.cacertfile = {{ platform_etc_dir }}/certs/ca.pem
+## auth.http.ssl.cacertfile = "{{ platform_etc_dir }}/certs/ca.pem"
 ## The path to a file containing the client's certificate.
 ##
 ## Value: File
-## auth.http.ssl.certfile = {{ platform_etc_dir }}/certs/client-cert.pem
+## auth.http.ssl.certfile = "{{ platform_etc_dir }}/certs/client-cert.pem"
 ## Path to a file containing the client's private PEM-encoded key.
 ##
 ## Value: File
-## auth.http.ssl.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
+## auth.http.ssl.keyfile = "{{ platform_etc_dir }}/certs/client-key.pem"
 ##--------------------------------------------------------------------
 ## HTTP Request Headers
 ##
-## Example: auth.http.header.Accept-Encoding = *
+## Example: auth.http.header.Accept-Encoding = "*"
 ##
 ## Value: String
-## auth.http.header.Accept = */*
+## auth.http.header.Accept = "*/*"
--- a/apps/emqx_auth_http/priv/emqx_auth_http.schema
+++ b/apps/emqx_auth_http/priv/emqx_auth_http.schema
@ -1,6 +1,6 @@
 %%-*- mode: erlang -*-
 %% emqx_auth_http config mapping
-{mapping, "auth.http.auth_req", "emqx_auth_http.auth_req", [
+{mapping, "auth.http.auth_req.endpoint", "emqx_auth_http.auth_req", [
  {datatype, string}
 ]}.
@ -19,7 +19,7 @@
 ]}.
 {translation, "emqx_auth_http.auth_req", fun(Conf) ->
-  case cuttlefish:conf_get("auth.http.auth_req", Conf) of
+  case cuttlefish:conf_get("auth.http.auth_req.endpoint", Conf) of
    undefined -> cuttlefish:unset();
    Url ->
      Params = cuttlefish:conf_get("auth.http.auth_req.params", Conf),
@ -30,7 +30,7 @@
  end
 end}.
-{mapping, "auth.http.super_req", "emqx_auth_http.super_req", [
+{mapping, "auth.http.super_req.endpoint", "emqx_auth_http.super_req", [
  {datatype, string}
 ]}.
@ -49,7 +49,7 @@ end}.
 ]}.
 {translation, "emqx_auth_http.super_req", fun(Conf) ->
-  case cuttlefish:conf_get("auth.http.super_req", Conf, undefined) of
+  case cuttlefish:conf_get("auth.http.super_req.endpoint", Conf, undefined) of
    undefined -> cuttlefish:unset();
    Url -> Params = cuttlefish:conf_get("auth.http.super_req.params", Conf),
           [{url, Url}, {method, cuttlefish:conf_get("auth.http.super_req.method", Conf)},
@ -58,7 +58,7 @@ end}.
  end
 end}.
-{mapping, "auth.http.acl_req", "emqx_auth_http.acl_req", [
+{mapping, "auth.http.acl_req.endpoint", "emqx_auth_http.acl_req", [
  {default, undefined},
  {datatype, string}
 ]}.
@ -78,7 +78,7 @@ end}.
 ]}.
 {translation, "emqx_auth_http.acl_req", fun(Conf) ->
-  case cuttlefish:conf_get("auth.http.acl_req", Conf, undefined) of
+  case cuttlefish:conf_get("auth.http.acl_req.endpoint", Conf, undefined) of
    undefined -> cuttlefish:unset();
    Url -> Params = cuttlefish:conf_get("auth.http.acl_req.params", Conf),
           [{url, Url},
--- a/apps/emqx_auth_http/rebar.config
+++ b/apps/emqx_auth_http/rebar.config
@ -22,7 +22,7 @@
 {profiles,
 [{test,
   [{deps,
-     [{emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}},
+     [
      {emqtt, {git, "https://github.com/emqx/emqtt", {tag, "v1.2.2"}}}
     ]}
   ]}
--- a/apps/emqx_auth_jwt/etc/emqx_auth_jwt.conf
+++ b/apps/emqx_auth_jwt/etc/emqx_auth_jwt.conf
@ -10,13 +10,13 @@ auth.jwt.secret = emqxsecret
 ## RSA or ECDSA public key file.
 ##
 ## Value: File
-#auth.jwt.pubkey = etc/certs/jwt_public_key.pem
+#auth.jwt.pubkey = "etc/certs/jwt_public_key.pem"
 ## The JWKs server address
 ##
 ## see: http://self-issued.info/docs/draft-ietf-jose-json-web-key.html
 ##
-#auth.jwt.jwks = https://127.0.0.1:8080/jwks
+#auth.jwt.jwks.endpoint = "https://127.0.0.1:8080/jwks"
 ## The JWKs refresh interval
 ##
@ -32,7 +32,7 @@ auth.jwt.from = password
 ## Enable to verify claims fields
 ##
 ## Value: on | off
-auth.jwt.verify_claims = off
+auth.jwt.verify_claims.enable = off
 ## The checklist of claims to validate
 ##
@ -42,4 +42,4 @@ auth.jwt.verify_claims = off
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
-#auth.jwt.verify_claims.username = %u
+#auth.jwt.verify_claims.username = "%u"
--- a/apps/emqx_auth_jwt/priv/emqx_auth_jwt.schema
+++ b/apps/emqx_auth_jwt/priv/emqx_auth_jwt.schema
@ -4,7 +4,7 @@
  {datatype, string}
 ]}.
-{mapping, "auth.jwt.jwks", "emqx_auth_jwt.jwks", [
+{mapping, "auth.jwt.jwks.endpoint", "emqx_auth_jwt.jwks", [
  {datatype, string}
 ]}.
@ -26,7 +26,7 @@
  {datatype, {enum, [raw, der]}}
 ]}.
-{mapping, "auth.jwt.verify_claims", "emqx_auth_jwt.verify_claims", [
+{mapping, "auth.jwt.verify_claims.enable", "emqx_auth_jwt.verify_claims", [
  {default, off},
  {datatype, flag}
 ]}.
@ -36,7 +36,7 @@
 ]}.
 {translation, "emqx_auth_jwt.verify_claims", fun(Conf) ->
-    case cuttlefish:conf_get("auth.jwt.verify_claims", Conf) of
+    case cuttlefish:conf_get("auth.jwt.verify_claims.enable", Conf) of
        false -> cuttlefish:unset();
        true ->
            lists:foldr(
--- a/apps/emqx_auth_jwt/rebar.config
+++ b/apps/emqx_auth_jwt/rebar.config
@ -20,6 +20,6 @@
 {profiles,
 [{test,
-   [{deps, [{emqx_ct_helpers, {git, "http://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}}]}
+   [{deps, []}
   ]}
 ]}.
--- a/apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
+++ b/apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf
@ -5,7 +5,7 @@
 ## LDAP server list, seperated by ','.
 ##
 ## Value: String
-auth.ldap.servers = 127.0.0.1
+auth.ldap.servers = "127.0.0.1"
 ## LDAP server port.
 ##
@ -20,7 +20,7 @@ auth.ldap.pool = 8
 ## LDAP Bind DN.
 ##
 ## Value: DN
-auth.ldap.bind_dn = cn=root,dc=emqx,dc=io
+auth.ldap.bind_dn = "cn=root,dc=emqx,dc=io"
 ## LDAP Bind Password.
 ##
@ -37,7 +37,7 @@ auth.ldap.timeout = 30s
 ## Variables:
 ##
 ## Value: DN
-auth.ldap.device_dn = ou=device,dc=emqx,dc=io
+auth.ldap.device_dn = "ou=device,dc=emqx,dc=io"
 ## Specified ObjectClass
 ##
@ -63,15 +63,15 @@ auth.ldap.password.attributetype = userPassword
 ## Whether to enable SSL.
 ##
 ## Value: true | false
-auth.ldap.ssl = false
+auth.ldap.ssl.enable = false
-#auth.ldap.ssl.certfile = etc/certs/cert.pem
+#auth.ldap.ssl.certfile = "etc/certs/cert.pem"
-#auth.ldap.ssl.keyfile = etc/certs/key.pem
+#auth.ldap.ssl.keyfile = "etc/certs/key.pem"
-#auth.ldap.ssl.cacertfile = etc/certs/cacert.pem
+#auth.ldap.ssl.cacertfile = "etc/certs/cacert.pem"
-#auth.ldap.ssl.verify = verify_peer
+#auth.ldap.ssl.verify = "verify_peer"
 #auth.ldap.ssl.fail_if_no_peer_cert = true
--- a/apps/emqx_auth_ldap/priv/emqx_auth_ldap.schema
+++ b/apps/emqx_auth_ldap/priv/emqx_auth_ldap.schema
@ -31,7 +31,7 @@
  {datatype, {duration, ms}}
 ]}.
-{mapping, "auth.ldap.ssl", "emqx_auth_ldap.ldap", [
+{mapping, "auth.ldap.ssl.enable", "emqx_auth_ldap.ldap", [
  {default, false},
  {datatype, {enum, [true, false]}}
 ]}.
@ -85,7 +85,7 @@
            {bind_password, BindPassword},
            {pool, Pool},
            {auto_reconnect, 2}],
-    case cuttlefish:conf_get("auth.ldap.ssl", Conf) of
+    case cuttlefish:conf_get("auth.ldap.ssl.enable", Conf) of
        true  -> [{ssl, true}, {sslopts, Filter(SslOpts())}|Opts];
        false -> [{ssl, false}|Opts]
    end
--- a/apps/emqx_auth_ldap/rebar.config
+++ b/apps/emqx_auth_ldap/rebar.config
@ -4,7 +4,7 @@
 {profiles,
 [{test,
-   [{deps, [{emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}}]}
+   [{deps, []}
   ]}
 ]}.
--- a/apps/emqx_auth_mnesia/etc/emqx_auth_mnesia.conf
+++ b/apps/emqx_auth_mnesia/etc/emqx_auth_mnesia.conf
@ -10,12 +10,12 @@ auth.mnesia.password_hash = sha256
 ## Examples
 ##auth.client.1.clientid = id
 ##auth.client.1.password = passwd
-##auth.client.2.clientid = dev:devid
+##auth.client.2.clientid = "dev:devid"
 ##auth.client.2.password = passwd2
-##auth.client.3.clientid = app:appid
+##auth.client.3.clientid = "app:appid"
 ##auth.client.3.password = passwd3
-##auth.client.4.clientid = client~!@#$%^&*()_+
+##auth.client.4.clientid = "client~!@#$%^&*()_+"
-##auth.client.4.password = passwd~!@#$%^&*()_+
+##auth.client.4.password = "passwd~!@#$%^&*()_+"
 ##--------------------------------------------------------------------
 ## Username Authentication
@ -26,5 +26,5 @@ auth.mnesia.password_hash = sha256
 ##auth.user.1.password = public
 ##auth.user.2.username = feng@emqtt.io
 ##auth.user.2.password = public
-##auth.user.3.username = name~!@#$%^&*()_+
+##auth.user.3.username = "name~!@#$%^&*()_+"
-##auth.user.3.password = pwsswd~!@#$%^&*()_+
+##auth.user.3.password = "pwsswd~!@#$%^&*()_+"
--- a/apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
+++ b/apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf
@ -17,7 +17,7 @@ auth.mongo.type = single
 ## Value: String
 ##
 ## Examples: 127.0.0.1:27017,127.0.0.2:27017...
-auth.mongo.server = 127.0.0.1:27017
+auth.mongo.server = "127.0.0.1:27017"
 ## MongoDB pool size
 ##
@ -102,17 +102,17 @@ auth.mongo.topology.max_overflow = 0
 auth.mongo.auth_query.password_hash = sha256
 ## sha256 with salt suffix
-## auth.mongo.auth_query.password_hash = sha256,salt
+## auth.mongo.auth_query.password_hash = "sha256,salt"
 ## sha256 with salt prefix
-## auth.mongo.auth_query.password_hash = salt,sha256
+## auth.mongo.auth_query.password_hash = "salt,sha256"
 ## bcrypt with salt prefix
-## auth.mongo.auth_query.password_hash = salt,bcrypt
+## auth.mongo.auth_query.password_hash = "salt,bcrypt"
 ## pbkdf2 with macfun iterations dklen
 ## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
-## auth.mongo.auth_query.password_hash = pbkdf2,sha256,1000,20
+## auth.mongo.auth_query.password_hash = "pbkdf2,sha256,1000,20"
 ## Authentication query.
 auth.mongo.auth_query.collection = mqtt_user
@ -131,15 +131,15 @@ auth.mongo.auth_query.password_field = password
 ##  - %d: subject of client TLS cert
 ##
 ## auth.mongo.auth_query.selector = {Field}={Placeholder}
-auth.mongo.auth_query.selector = username=%u
+auth.mongo.auth_query.selector = "username=%u"
 ## -------------------------------------------------
 ## Super User Query
 ## -------------------------------------------------
 auth.mongo.super_query.collection = mqtt_user
 auth.mongo.super_query.super_field = is_superuser
-#auth.mongo.super_query.selector = username=%u, clientid=%c
+#auth.mongo.super_query.selector.1 = username=%u, clientid=%c
-auth.mongo.super_query.selector = username=%u
+auth.mongo.super_query.selector = "username=%u"
 ## ACL Selector.
 ##
@ -150,8 +150,8 @@ auth.mongo.super_query.selector = username=%u
 ##
 ## With following 2 selectors configured:
 ##
-## auth.mongo.acl_query.selector.1 = username=%u
+## auth.mongo.acl_query.selector.1 = "username=%u"
-## auth.mongo.acl_query.selector.2 = username=$all
+## auth.mongo.acl_query.selector.2 = "username=$all"
 ##
 ## And if a client connected using username 'ilyas',
 ##   then the following mongo command will be used to
@ -165,8 +165,8 @@ auth.mongo.super_query.selector = username=%u
 ##
 ## Examples:
 ##
-## auth.mongo.acl_query.selector.1 = username=%u,clientid=%c
+## auth.mongo.acl_query.selector.1 = "username=%u,clientid=%c"
-## auth.mongo.acl_query.selector.2 = username=$all
+## auth.mongo.acl_query.selector.2 = "username=$all"
-## auth.mongo.acl_query.selector.3 = clientid=$all
+## auth.mongo.acl_query.selector.3 = "clientid=$all"
 auth.mongo.acl_query.collection = mqtt_acl
-auth.mongo.acl_query.selector = username=%u
+auth.mongo.acl_query.selector = "username=%u"
--- a/apps/emqx_auth_mongo/priv/emqx_auth_mongo.schema
+++ b/apps/emqx_auth_mongo/priv/emqx_auth_mongo.schema
@ -41,7 +41,7 @@
  {datatype, string}
 ]}.
-{mapping, "auth.mongo.ssl", "emqx_auth_mongo.server", [
+{mapping, "auth.mongo.ssl.enable", "emqx_auth_mongo.server", [
  {default, off},
  {datatype, flag}
 ]}.
@ -99,7 +99,7 @@
    true -> [];
    false -> [{r_mode, R}]
  end,
-  Ssl = case cuttlefish:conf_get("auth.mongo.ssl", Conf) of
+  Ssl = case cuttlefish:conf_get("auth.mongo.ssl.enable", Conf) of
    true ->
      Filter  = fun(Opts) -> [{K, V} || {K, V} <- Opts, V =/= undefined] end,
      SslOpts = fun(Prefix) ->
--- a/apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
+++ b/apps/emqx_auth_mysql/etc/emqx_auth_mysql.conf
@ -7,7 +7,7 @@
 ## Value: Port | IP:Port
 ##
 ## Examples: 3306, 127.0.0.1:3306, localhost:3306
-auth.mysql.server = 127.0.0.1:3306
+auth.mysql.server = "127.0.0.1:3306"
 ## MySQL pool size.
 ##
@ -50,7 +50,7 @@ auth.mysql.database = mqtt
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
-auth.mysql.auth_query = select password from mqtt_user where username = '%u' limit 1
+auth.mysql.auth_query = "select password from mqtt_user where username = '%u' limit 1"
 ## auth.mysql.auth_query = select password_hash as password from mqtt_user where username = '%u' limit 1
 ## Password hash.
@ -59,17 +59,17 @@ auth.mysql.auth_query = select password from mqtt_user where username = '%u' lim
 auth.mysql.password_hash = sha256
 ## sha256 with salt prefix
-## auth.mysql.password_hash = salt,sha256
+## auth.mysql.password_hash = "salt,sha256"
 ## bcrypt with salt only prefix
-## auth.mysql.password_hash = salt,bcrypt
+## auth.mysql.password_hash = "salt,bcrypt"
 ## sha256 with salt suffix
-## auth.mysql.password_hash = sha256,salt
+## auth.mysql.password_hash = "sha256,salt"
 ## pbkdf2 with macfun iterations dklen
 ## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
-## auth.mysql.password_hash = pbkdf2,sha256,1000,20
+## auth.mysql.password_hash = "pbkdf2,sha256,1000,20"
 ## Superuser query.
 ##
@ -81,7 +81,7 @@ auth.mysql.password_hash = sha256
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
-auth.mysql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1
+auth.mysql.super_query = "select is_superuser from mqtt_user where username = '%u' limit 1"
 ## ACL query.
 ##
@ -93,12 +93,12 @@ auth.mysql.super_query = select is_superuser from mqtt_user where username = '%u
 ##  - %c: clientid
 ##
 ## Note: You can add the 'ORDER BY' statement to control the rules match order
-auth.mysql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
+auth.mysql.acl_query = "select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'"
 ## Mysql ssl configuration.
 ##
 ## Value: on | off
-## auth.mysql.ssl = off
+## auth.mysql.ssl.enable = off
 ## CA certificate.
 ##
--- a/apps/emqx_auth_mysql/priv/emqx_auth_mysql.schema
+++ b/apps/emqx_auth_mysql/priv/emqx_auth_mysql.schema
@ -30,7 +30,7 @@
  {datatype, string}
 ]}.
-{mapping, "auth.mysql.ssl", "emqx_auth_mysql.server", [
+{mapping, "auth.mysql.ssl.enable", "emqx_auth_mysql.server", [
  {default, off},
  {datatype, flag}
 ]}.
@ -82,7 +82,7 @@
              {query_timeout, Timeout},
              {keep_alive, true}],
  Options1 =
-      case cuttlefish:conf_get("auth.mysql.ssl", Conf) of
+      case cuttlefish:conf_get("auth.mysql.ssl.enable", Conf) of
            true ->
                CA = cuttlefish:conf_get("auth.mysql.ssl.cafile", Conf),
                Cert = cuttlefish:conf_get("auth.mysql.ssl.certfile", Conf),
--- a/apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+++ b/apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
@ -6,8 +6,8 @@
 ##
 ## Value: Port | IP:Port
 ##
-## Examples: 5432, 127.0.0.1:5432, localhost:5432
+## Examples: 5432, "127.0.0.1:5432", "localhost:5432"
-auth.pgsql.server = 127.0.0.1:5432
+auth.pgsql.server = "127.0.0.1:5432"
 ## PostgreSQL pool size.
 ##
@ -37,7 +37,7 @@ auth.pgsql.encoding = utf8
 ## Whether to enable SSL connection.
 ##
 ## Value: on | off
-auth.pgsql.ssl = off
+auth.pgsql.ssl.enable = off
 ## SSL keyfile.
 ##
@ -64,7 +64,7 @@ auth.pgsql.ssl = off
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
-auth.pgsql.auth_query = select password from mqtt_user where username = '%u' limit 1
+auth.pgsql.auth_query = "select password from mqtt_user where username = '%u' limit 1"
 ## Password hash.
 ##
@ -72,17 +72,17 @@ auth.pgsql.auth_query = select password from mqtt_user where username = '%u' lim
 auth.pgsql.password_hash = sha256
 ## sha256 with salt prefix
-## auth.pgsql.password_hash = salt,sha256
+## auth.pgsql.password_hash = "salt,sha256"
 ## sha256 with salt suffix
-## auth.pgsql.password_hash = sha256,salt
+## auth.pgsql.password_hash = "sha256,salt"
 ## bcrypt with salt prefix
-## auth.pgsql.password_hash = salt,bcrypt
+## auth.pgsql.password_hash = "salt,bcrypt"
 ## pbkdf2 with macfun iterations dklen
 ## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
-## auth.pgsql.password_hash = pbkdf2,sha256,1000,20
+## auth.pgsql.password_hash = "pbkdf2,sha256,1000,20"
 ## Superuser query.
 ##
@ -94,7 +94,7 @@ auth.pgsql.password_hash = sha256
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
 ##
-auth.pgsql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1
+auth.pgsql.super_query = "select is_superuser from mqtt_user where username = '%u' limit 1"
 ## ACL query. Comment this query, the ACL will be disabled.
 ##
@ -106,5 +106,5 @@ auth.pgsql.super_query = select is_superuser from mqtt_user where username = '%u
 ##  - %c: clientid
 ##
 ## Note: You can add the 'ORDER BY' statement to control the rules match order
-auth.pgsql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
+auth.pgsql.acl_query = "select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'"
--- a/apps/emqx_auth_pgsql/priv/emqx_auth_pgsql.schema
+++ b/apps/emqx_auth_pgsql/priv/emqx_auth_pgsql.schema
@ -30,7 +30,7 @@
  {datatype, atom}
 ]}.
-{mapping, "auth.pgsql.ssl", "emqx_auth_pgsql.server", [
+{mapping, "auth.pgsql.ssl.enable", "emqx_auth_pgsql.server", [
  {default, off},
  {datatype, flag}
 ]}.
@ -61,7 +61,7 @@
  Passwd = cuttlefish:conf_get("auth.pgsql.password", Conf, ""),
  DB = cuttlefish:conf_get("auth.pgsql.database", Conf),
  Encoding = cuttlefish:conf_get("auth.pgsql.encoding", Conf),
-  Ssl = cuttlefish:conf_get("auth.pgsql.ssl", Conf),
+  Ssl = cuttlefish:conf_get("auth.pgsql.ssl.enable", Conf),
  Filter  = fun(Opts) -> [{K, V} || {K, V} <- Opts, V =/= undefined] end,
  SslOpts = fun(Prefix) ->
--- a/apps/emqx_auth_redis/etc/emqx_auth_redis.conf
+++ b/apps/emqx_auth_redis/etc/emqx_auth_redis.conf
@ -12,9 +12,9 @@ auth.redis.type = single
 ## Value: Port | IP:Port
 ##
 ## Single Redis Server: 127.0.0.1:6379, localhost:6379
-## Redis Sentinel: 127.0.0.1:26379,127.0.0.2:26379,127.0.0.3:26379
+## Redis Sentinel: "127.0.0.1:26379,127.0.0.2:26379,127.0.0.3:26379"
-## Redis Cluster: 127.0.0.1:6379,127.0.0.2:6379,127.0.0.3:6379
+## Redis Cluster: "127.0.0.1:6379,127.0.0.2:6379,127.0.0.3:6379"
-auth.redis.server = 127.0.0.1:6379
+auth.redis.server = "127.0.0.1:6379"
 ## Redis sentinel cluster name.
 ##
@ -52,10 +52,10 @@ auth.redis.database = 0
 ##  - %d: subject of client TLS cert
 ##
 ## Examples:
-##  - HGET mqtt_user:%u password
+##  - "HGET mqtt_user:%u password"
-##  - HMGET mqtt_user:%u password
+##  - "HMGET mqtt_user:%u password"
-##  - HMGET mqtt_user:%u password salt
+##  - "HMGET mqtt_user:%u password salt"
-auth.redis.auth_cmd = HMGET mqtt_user:%u password
+auth.redis.auth_cmd = "HMGET mqtt_user:%u password"
 ## Password hash.
 ##
@ -63,17 +63,17 @@ auth.redis.auth_cmd = HMGET mqtt_user:%u password
 auth.redis.password_hash = plain
 ## sha256 with salt prefix
-## auth.redis.password_hash = salt,sha256
+## auth.redis.password_hash = "salt,sha256"
 ## sha256 with salt suffix
-## auth.redis.password_hash = sha256,salt
+## auth.redis.password_hash = "sha256,salt"
 ## bcrypt with salt prefix
-## auth.redis.password_hash = salt,bcrypt
+## auth.redis.password_hash = "salt,bcrypt"
 ## pbkdf2 with macfun iterations dklen
 ## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
-## auth.redis.password_hash = pbkdf2,sha256,1000,20
+## auth.redis.password_hash = "pbkdf2,sha256,1000,20"
 ## Superuser query command.
 ##
@ -84,7 +84,7 @@ auth.redis.password_hash = plain
 ##  - %c: clientid
 ##  - %C: common name of client TLS cert
 ##  - %d: subject of client TLS cert
-auth.redis.super_cmd = HGET mqtt_user:%u is_superuser
+auth.redis.super_cmd = "HGET mqtt_user:%u is_superuser"
 ## ACL query command.
 ##
@ -93,12 +93,12 @@ auth.redis.super_cmd = HGET mqtt_user:%u is_superuser
 ## Variables:
 ##  - %u: username
 ##  - %c: clientid
-auth.redis.acl_cmd = HGETALL mqtt_acl:%u
+auth.redis.acl_cmd = "HGETALL mqtt_acl:%u"
 ## Redis ssl configuration.
 ##
 ## Value: on | off
-#auth.redis.ssl = off
+#auth.redis.ssl.enable = off
 ## CA certificate.
 ##
--- a/apps/emqx_auth_redis/priv/emqx_auth_redis.schema
+++ b/apps/emqx_auth_redis/priv/emqx_auth_redis.schema
@ -33,7 +33,7 @@
  hidden
 ]}.
-{mapping, "auth.redis.ssl", "emqx_auth_redis.options", [
+{mapping, "auth.redis.ssl.enable", "emqx_auth_redis.options", [
  {default, off},
  {datatype, flag}
 ]}.
@ -54,7 +54,7 @@
 ]}.
 {translation, "emqx_auth_redis.options", fun(Conf) ->
-   Ssl = cuttlefish:conf_get("auth.redis.ssl", Conf, false),
+   Ssl = cuttlefish:conf_get("auth.redis.ssl.enable", Conf, false),
   case Ssl of
       true ->
            CA = cuttlefish:conf_get("auth.redis.ssl.cafile", Conf),
--- a/apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf
+++ b/apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf
@ -9,8 +9,8 @@
 ## Bridge address: node name for local bridge, host:port for remote.
 ##
 ## Value: String
-## Example: emqx@127.0.0.1,  127.0.0.1:1883
+## Example: emqx@127.0.0.1,  "127.0.0.1:1883"
-bridge.mqtt.aws.address = 127.0.0.1:1883
+bridge.mqtt.aws.address = "127.0.0.1:1883"
 ## Protocol version of the bridge.
 ##
@ -65,18 +65,18 @@ bridge.mqtt.aws.password = passwd
 ## Topics that need to be forward to AWS IoTHUB
 ##
 ## Value: String
-## Example: topic1/#,topic2/#
+## Example: "topic1/#,topic2/#"
-bridge.mqtt.aws.forwards = topic1/#,topic2/#
+bridge.mqtt.aws.forwards = "topic1/#,topic2/#"
 ## Forward messages to the mountpoint of an AWS IoTHUB
 ##
 ## Value: String
-bridge.mqtt.aws.forward_mountpoint = bridge/aws/${node}/
+bridge.mqtt.aws.forward_mountpoint = "bridge/aws/${node}/"
 ## Need to subscribe to AWS topics
 ##
 ## Value: String
-## bridge.mqtt.aws.subscription.1.topic = cmd/topic1
+## bridge.mqtt.aws.subscription.1.topic = "cmd/topic1"
 ## Need to subscribe to AWS topics QoS.
 ##
@ -86,7 +86,7 @@ bridge.mqtt.aws.forward_mountpoint = bridge/aws/${node}/
 ## A mountpoint that receives messages from AWS IoTHUB
 ##
 ## Value: String
-## bridge.mqtt.aws.receive_mountpoint = receive/aws/
+## bridge.mqtt.aws.receive_mountpoint = "receive/aws/"
 ## Bribge to remote server via SSL.
@ -97,28 +97,28 @@ bridge.mqtt.aws.ssl = off
 ## PEM-encoded CA certificates of the bridge.
 ##
 ## Value: File
-bridge.mqtt.aws.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+bridge.mqtt.aws.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
 ## Client SSL Certfile of the bridge.
 ##
 ## Value: File
-bridge.mqtt.aws.certfile = {{ platform_etc_dir }}/certs/client-cert.pem
+bridge.mqtt.aws.certfile = "{{ platform_etc_dir }}/certs/client-cert.pem"
 ## Client SSL Keyfile of the bridge.
 ##
 ## Value: File
-bridge.mqtt.aws.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
+bridge.mqtt.aws.keyfile = "{{ platform_etc_dir }}/certs/client-key.pem"
 ## SSL Ciphers used by the bridge.
 ##
 ## Value: String
-bridge.mqtt.aws.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+bridge.mqtt.aws.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## Ciphers for TLS PSK.
 ## Note that 'bridge.${BridgeName}.ciphers' and 'bridge.${BridgeName}.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-#bridge.mqtt.aws.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+#bridge.mqtt.aws.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
 ## Ping interval of a down bridge.
 ##
@ -129,7 +129,7 @@ bridge.mqtt.aws.keepalive = 60s
 ## TLS versions used by the bridge.
 ##
 ## Value: String
-bridge.mqtt.aws.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+bridge.mqtt.aws.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
 ## Bridge reconnect time.
 ##
@ -159,7 +159,7 @@ bridge.mqtt.aws.max_inflight = 32
 ## replayq works in a mem-only manner.
 ##
 ## Value: String
-bridge.mqtt.aws.queue.replayq_dir = {{ platform_data_dir }}/replayq/emqx_aws_bridge/
+bridge.mqtt.aws.queue.replayq_dir = "{{ platform_data_dir }}/replayq/emqx_aws_bridge/"
 ## Replayq segment size
 ##
--- a/apps/emqx_coap/etc/emqx_coap.conf
+++ b/apps/emqx_coap/etc/emqx_coap.conf
@ -4,13 +4,13 @@
 ## The IP and UDP port that CoAP bind with.
 ##
-## Default: 0.0.0.0:5683
+## Default: "0.0.0.0:5683"
 ##
 ## Examples:
-##    coap.bind.udp.x = 0.0.0.0:5683 | :::5683 | 127.0.0.1:5683 | ::1:5683
+##    coap.bind.udp.x = "0.0.0.0:5683" | ":::5683" | "127.0.0.1:5683" | "::1:5683"
 ##
-coap.bind.udp.1 = 0.0.0.0:5683
+coap.bind.udp.1 = "0.0.0.0:5683"
-##coap.bind.udp.2 = 0.0.0.0:6683
+##coap.bind.udp.2 = "0.0.0.0:6683"
 ## Whether to enable statistics for CoAP clients.
 ##
@ -23,13 +23,13 @@ coap.enable_stats = off
 ## The DTLS port that CoAP is listening on.
 ##
-## Default: 0.0.0.0:5684
+## Default: "0.0.0.0:5684"
 ##
 ## Examples:
-##    coap.bind.dtls.x = 0.0.0.0:5684 | :::5684 | 127.0.0.1:5684 | ::1:5684
+##    coap.bind.dtls.x = "0.0.0.0:5684" | ":::5684" | "127.0.0.1:5684" | "::1:5684"
 ##
-coap.bind.dtls.1 = 0.0.0.0:5684
+coap.bind.dtls.1 = "0.0.0.0:5684"
-##coap.bind.dtls.2 = 0.0.0.0:6684
+##coap.bind.dtls.2 = "0.0.0.0:6684"
 ## A server only does x509-path validation in mode verify_peer,
 ## as it then sends a certificate request to the client (this
@ -43,17 +43,17 @@ coap.bind.dtls.1 = 0.0.0.0:5684
 ## Private key file for DTLS
 ##
 ## Value: File
-coap.dtls.keyfile = {{ platform_etc_dir }}/certs/key.pem
+coap.dtls.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
 ## Server certificate for DTLS.
 ##
 ## Value: File
-coap.dtls.certfile = {{ platform_etc_dir }}/certs/cert.pem
+coap.dtls.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
 ## PEM-encoded CA certificates for DTLS
 ##
 ## Value: File
-## coap.dtls.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+## coap.dtls.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
 ## Used together with {verify, verify_peer} by an SSL server. If set to true,
 ## the server fails if the client does not have a certificate to send, that is,
@ -79,4 +79,4 @@ coap.dtls.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## Most of it was copied from Mozilla’s Server Side TLS article
 ##
 ## Value: Ciphers
-coap.dtls.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+coap.dtls.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
--- a/apps/emqx_coap/rebar.config
+++ b/apps/emqx_coap/rebar.config
@ -21,8 +21,6 @@
 {profiles,
 [{test,
   [{deps,
-     [{er_coap_client, {git, "https://github.com/emqx/er_coap_client", {tag, "v1.0"}}},
+     [{er_coap_client, {git, "https://github.com/emqx/er_coap_client", {tag, "v1.0"}}}]}
      {emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}}
     ]}
   ]}
 ]}.
--- a/apps/emqx_dashboard/etc/emqx_dashboard.conf
+++ b/apps/emqx_dashboard/etc/emqx_dashboard.conf
@ -20,7 +20,7 @@ dashboard.default_user.password = public
 ## Value: Port
 ##
 ## Examples: 18083
-dashboard.listener.http = 18083
+dashboard.listener.http.port = 18083
 ## The acceptor pool for external Dashboard HTTP listener.
 ##
@ -50,7 +50,7 @@ dashboard.listener.http.ipv6_v6only = false
 ## Value: Port
 ##
 ## Examples: 18084
-## dashboard.listener.https = 18084
+## dashboard.listener.https.port = 18084
 ## The acceptor pool for external Dashboard HTTPS listener.
 ##
@ -75,22 +75,22 @@ dashboard.listener.http.ipv6_v6only = false
 ## Path to the file containing the user's private PEM-encoded key.
 ##
 ## Value: File
-## dashboard.listener.https.keyfile = etc/certs/key.pem
+## dashboard.listener.https.keyfile = "etc/certs/key.pem"
 ## Path to a file containing the user certificate.
 ##
 ## Value: File
-## dashboard.listener.https.certfile = etc/certs/cert.pem
+## dashboard.listener.https.certfile = "etc/certs/cert.pem"
 ## Path to the file containing PEM-encoded CA certificates.
 ##
 ## Value: File
-## dashboard.listener.https.cacertfile = etc/certs/cacert.pem
+## dashboard.listener.https.cacertfile = "etc/certs/cacert.pem"
 ## See: 'listener.ssl.<name>.dhfile' in emq.conf
 ##
 ## Value: File
-## dashboard.listener.https.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
+## dashboard.listener.https.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
 ## See: 'listener.ssl.<name>.vefify' in emq.conf
 ##
@ -105,12 +105,12 @@ dashboard.listener.http.ipv6_v6only = false
 ## TLS versions only to protect from POODLE attack.
 ##
 ## Value: String, seperated by ','
-## dashboard.listener.https.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+## dashboard.listener.https.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
 ## See: 'listener.ssl.<name>.ciphers' in emq.conf
 ##
 ## Value: Ciphers
-## dashboard.listener.https.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+## dashboard.listener.https.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
 ##
--- a/apps/emqx_dashboard/priv/emqx_dashboard.schema
+++ b/apps/emqx_dashboard/priv/emqx_dashboard.schema
@ -9,7 +9,7 @@
  {datatype, string}
 ]}.
-{mapping, "dashboard.listener.http", "emqx_dashboard.listeners", [
+{mapping, "dashboard.listener.http.port", "emqx_dashboard.listeners", [
  {datatype, integer}
 ]}.
@ -37,7 +37,7 @@
  {datatype, {enum, [true, false]}}
 ]}.
-{mapping, "dashboard.listener.https", "emqx_dashboard.listeners", [
+{mapping, "dashboard.listener.https.port", "emqx_dashboard.listeners", [
  {datatype, integer}
 ]}.
@ -138,7 +138,7 @@
    lists:map(
      fun(Proto) ->
        Prefix = "dashboard.listener." ++ atom_to_list(Proto),
-        case cuttlefish:conf_get(Prefix, Conf, undefined) of
+        case cuttlefish:conf_get(Prefix ++ ".port", Conf, undefined) of
            undefined -> [];
            Port      ->
                [{Proto, Port, case Proto of
--- a/apps/emqx_exhook/etc/emqx_exhook.conf
+++ b/apps/emqx_exhook/etc/emqx_exhook.conf
@ -8,8 +8,8 @@
 ## The gRPC server url
 ##
 ## exhook.server.$name.url = url()
-exhook.server.default.url = http://127.0.0.1:9000
+exhook.server.default.url = "http://127.0.0.1:9000"
-#exhook.server.default.ssl.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+#exhook.server.default.ssl.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
-#exhook.server.default.ssl.certfile = {{ platform_etc_dir }}/certs/cert.pem
+#exhook.server.default.ssl.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
-#exhook.server.default.ssl.keyfile = {{ platform_etc_dir }}/certs/key.pem
+#exhook.server.default.ssl.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
--- a/apps/emqx_exhook/rebar.config
+++ b/apps/emqx_exhook/rebar.config
@ -41,7 +41,6 @@
 {profiles,
 [{test,
   [{deps,
-      [{emqx_ct_helper, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "v1.3.1"}}}
+      []}
      ]}
    ]}
 ]}.
--- a/apps/emqx_exproto/etc/emqx_exproto.conf
+++ b/apps/emqx_exproto/etc/emqx_exproto.conf
@ -5,9 +5,9 @@
 exproto.server.http.port = 9100
 exproto.server.https.port = 9101
-exproto.server.https.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+exproto.server.https.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
-exproto.server.https.certfile = {{ platform_etc_dir }}/certs/cert.pem
+exproto.server.https.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
-exproto.server.https.keyfile = {{ platform_etc_dir }}/certs/key.pem
+exproto.server.https.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
 ##--------------------------------------------------------------------
 ## Listeners
@ -20,12 +20,12 @@ exproto.server.https.keyfile = {{ platform_etc_dir }}/certs/key.pem
 ##
 ## Value: <tcp|ssl|udp|dtls>://<ip>:<port>
 ##
-## Examples: tcp://0.0.0.0:7993 | ssl://127.0.0.1:7994
+## Examples: "tcp://0.0.0.0:7993" | "ssl://127.0.0.1:7994"
-exproto.listener.protoname = tcp://0.0.0.0:7993
+exproto.listener.protoname.endpoint = "tcp://0.0.0.0:7993"
 ## The ConnectionHandler server address
 ##
-exproto.listener.protoname.connection_handler_url = http://127.0.0.1:9001
+exproto.listener.protoname.connection_handler_url = "http://127.0.0.1:9001"
 #exproto.listener.protoname.connection_handler_certfile =
 #exproto.listener.protoname.connection_handler_cacertfile =
@ -62,8 +62,8 @@ exproto.listener.protoname.idle_timeout = 30s
 ##
 ## Value: ACL Rule
 ##
-## Example: allow 192.168.0.0/24
+## Example: "allow 192.168.0.0/24"
-exproto.listener.protoname.access.1 = allow all
+exproto.listener.protoname.access.1 = "allow all"
 ## Enable the Proxy Protocol V1/2 if the EMQ X cluster is deployed
 ## behind HAProxy or Nginx.
@ -146,27 +146,27 @@ exproto.listener.protoname.reuseaddr = true
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: String, seperated by ','
-#exproto.listener.protoname.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+#exproto.listener.protoname.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
 ## Path to the file containing the user's private PEM-encoded key.
 ##
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: File
-#exproto.listener.protoname.keyfile = {{ platform_etc_dir }}/certs/key.pem
+#exproto.listener.protoname.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
 ## Path to a file containing the user certificate.
 ##
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: File
-#exproto.listener.protoname.certfile = {{ platform_etc_dir }}/certs/cert.pem
+#exproto.listener.protoname.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
 ## Path to the file containing PEM-encoded CA certificates. The CA certificates
 ## are used during server authentication and when building the client certificate chain.
 ##
 ## Value: File
-#exproto.listener.protoname.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+#exproto.listener.protoname.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
 ## The Ephemeral Diffie-Helman key exchange is a very effective way of
 ## ensuring Forward Secrecy by exchanging a set of keys that never hit
@ -183,7 +183,7 @@ exproto.listener.protoname.reuseaddr = true
 ## openssl dhparam -out dh-params.pem 2048
 ##
 ## Value: File
-#exproto.listener.protoname.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
+#exproto.listener.protoname.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
 ## A server only does x509-path validation in mode verify_peer,
 ## as it then sends a certificate request to the client (this
@ -218,13 +218,13 @@ exproto.listener.protoname.reuseaddr = true
 ## Most of it was copied from Mozilla’s Server Side TLS article
 ##
 ## Value: Ciphers
-#exproto.listener.protoname.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+#exproto.listener.protoname.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## Ciphers for TLS PSK.
 ## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-#exproto.listener.protoname.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+#exproto.listener.protoname.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
 ## SSL parameter renegotiation is a feature that allows a client and a server
 ## to renegotiate the parameters of the SSL connection on the fly.
--- a/apps/emqx_exproto/priv/emqx_exproto.schema
+++ b/apps/emqx_exproto/priv/emqx_exproto.schema
@ -44,7 +44,7 @@ end}.
 %%--------------------------------------------------------------------
 %% Listeners
-{mapping, "exproto.listener.$proto", "emqx_exproto.listeners", [
+{mapping, "exproto.listener.$proto.endpoint", "emqx_exproto.listeners", [
  {datatype, string}
 ]}.
@ -340,7 +340,7 @@ end}.
    Listeners = fun(Proto) ->
                    Prefix = string:join(["exproto","listener", Proto], "."),
                    Opts = HandlerOpts(Prefix) ++ ConnOpts(Prefix) ++ LisOpts(Prefix),
-                    case cuttlefish:conf_get(Prefix, Conf, undefined) of
+                    case cuttlefish:conf_get(Prefix ++ ".endpoint", Conf, undefined) of
                        undefined -> [];
                        ListenOn0 ->
                            case ParseListenOn(ListenOn0) of
@ -359,6 +359,6 @@ end}.
                            end
                    end
                end,
-    lists:flatten([Listeners(Proto) || {[_, "listener", Proto], ListenOn}
+    lists:flatten([Listeners(Proto) || {[_, "listener", Proto, "endpoint"], ListenOn}
                                   <- cuttlefish_variable:filter_by_prefix("exproto.listener", Conf)])
 end}.
--- a/apps/emqx_exproto/rebar.config
+++ b/apps/emqx_exproto/rebar.config
@ -44,7 +44,6 @@
 {profiles,
 [{test,
   [{deps,
-     [{emqx_ct_helper, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "v1.3.0"}}}
+     []}
     ]}
   ]}
 ]}.
--- a/apps/emqx_lwm2m/etc/emqx_lwm2m.conf
+++ b/apps/emqx_lwm2m/etc/emqx_lwm2m.conf
@ -21,39 +21,39 @@ lwm2m.lifetime_max = 86400s
 # Placeholders supported:
 #    '%e': Endpoint Name
 #    '%a': IP Address
-lwm2m.mountpoint = lwm2m/%e/
+lwm2m.mountpoint = "lwm2m/%e/"
 # The topic subscribed by the lwm2m client after it is connected
 # Placeholders supported:
 #    '%e': Endpoint Name
 #    '%a': IP Address
-lwm2m.topics.command = dn/#
+lwm2m.topics.command = "dn/#"
 # The topic to which the lwm2m client's response is published
-lwm2m.topics.response = up/resp
+lwm2m.topics.response = "up/resp"
 # The topic to which the lwm2m client's notify message is published
-lwm2m.topics.notify = up/notify
+lwm2m.topics.notify = "up/notify"
 # The topic to which the lwm2m client's register message is published
-lwm2m.topics.register = up/resp
+lwm2m.topics.register = "up/resp"
 # The topic to which the lwm2m client's update message is published
-lwm2m.topics.update = up/resp
+lwm2m.topics.update = "up/resp"
 # Dir where the object definition files can be found
-lwm2m.xml_dir =  {{ platform_etc_dir }}/lwm2m_xml
+lwm2m.xml_dir =  "{{ platform_etc_dir }}/lwm2m_xml"
 ##--------------------------------------------------------------------
 ## UDP Listener options
 ## The IP and port of the LwM2M Gateway
 ##
-## Default: 0.0.0.0:5683
+## Default: "0.0.0.0:5683"
 ## Examples:
-##     lwm2m.bind.udp.x = 0.0.0.0:5683 | :::5683 | 127.0.0.1:5683 | ::1:5683
+##     lwm2m.bind.udp.x = "0.0.0.0:5683" | ":::5683" | "127.0.0.1:5683" | "::1:5683"
-lwm2m.bind.udp.1 = 0.0.0.0:5683
+lwm2m.bind.udp.1 = "0.0.0.0:5683"
-#lwm2m.bind.udp.2 = 0.0.0.0:6683
+#lwm2m.bind.udp.2 = "0.0.0.0:6683"
 ## Socket options, used for performance tuning
 ##
@ -70,13 +70,13 @@ lwm2m.opts.read_packets = 20
 ## The DTLS port that LwM2M is listening on.
 ##
-## Default: 0.0.0.0:5684
+## Default: "0.0.0.0:5684"
 ##
 ## Examples:
-##    lwm2m.bind.dtls.x = 0.0.0.0:5684 | :::5684 | 127.0.0.1:5684 | ::1:5684
+##    lwm2m.bind.dtls.x = "0.0.0.0:5684" | ":::5684" | "127.0.0.1:5684" | "::1:5684"
 ##
-lwm2m.bind.dtls.1 = 0.0.0.0:5684
+lwm2m.bind.dtls.1 = "0.0.0.0:5684"
-#lwm2m.bind.dtls.2 = 0.0.0.0:6684
+#lwm2m.bind.dtls.2 = "0.0.0.0:6684"
 ## A server only does x509-path validation in mode verify_peer,
 ## as it then sends a certificate request to the client (this
@ -90,17 +90,17 @@ lwm2m.bind.dtls.1 = 0.0.0.0:5684
 ## Private key file for DTLS
 ##
 ## Value: File
-lwm2m.dtls.keyfile = {{ platform_etc_dir }}/certs/key.pem
+lwm2m.dtls.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
 ## Server certificate for DTLS.
 ##
 ## Value: File
-lwm2m.dtls.certfile = {{ platform_etc_dir }}/certs/cert.pem
+lwm2m.dtls.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
 ## PEM-encoded CA certificates for DTLS
 ##
 ## Value: File
-#lwm2m.dtls.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+#lwm2m.dtls.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
 ## Used together with {verify, verify_peer} by an SSL server. If set to true,
 ## the server fails if the client does not have a certificate to send, that is,
@ -126,11 +126,11 @@ lwm2m.dtls.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## Most of it was copied from Mozilla’s Server Side TLS article
 ##
 ## Value: Ciphers
-lwm2m.dtls.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+lwm2m.dtls.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## Ciphers for TLS PSK.
 ##
 ## Note that 'lwm2m.dtls.ciphers' and 'lwm2m.dtls.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-#lwm2m.dtls.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+#lwm2m.dtls.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
--- a/apps/emqx_lwm2m/rebar.config
+++ b/apps/emqx_lwm2m/rebar.config
@ -5,7 +5,6 @@
 {profiles,
 [{test,
   [{deps, [{er_coap_client, {git, "https://github.com/emqx/er_coap_client", {tag, "v1.0"}}},
            {emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}},
            {emqtt, {git, "https://github.com/emqx/emqtt", {tag, "1.2.0"}}}
           ]}
   ]}
--- a/apps/emqx_management/etc/emqx_management.conf
+++ b/apps/emqx_management/etc/emqx_management.conf
@ -23,7 +23,7 @@ management.default_application.secret = public
 ##--------------------------------------------------------------------
 ## HTTP Listener
-management.listener.http = 8081
+management.listener.http.port = 8081
 management.listener.http.acceptors = 2
 management.listener.http.max_clients = 512
 management.listener.http.backlog = 512
@ -35,18 +35,18 @@ management.listener.http.ipv6_v6only = false
 ##--------------------------------------------------------------------
 ## HTTPS Listener
-## management.listener.https = 8081
+## management.listener.https.port = 8081
 ## management.listener.https.acceptors = 2
 ## management.listener.https.max_clients = 512
 ## management.listener.https.backlog = 512
 ## management.listener.https.send_timeout = 15s
 ## management.listener.https.send_timeout_close = on
-## management.listener.https.certfile = etc/certs/cert.pem
+## management.listener.https.certfile = "etc/certs/cert.pem"
-## management.listener.https.keyfile = etc/certs/key.pem
+## management.listener.https.keyfile = "etc/certs/key.pem"
-## management.listener.https.cacertfile = etc/certs/cacert.pem
+## management.listener.https.cacertfile = "etc/certs/cacert.pem"
 ## management.listener.https.verify = verify_peer
-## management.listener.https.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+## management.listener.https.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
-## management.listener.https.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+## management.listener.https.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## management.listener.https.fail_if_no_peer_cert = true
 ## management.listener.https.inet6 = false
 ## management.listener.https.ipv6_v6only = false
--- a/apps/emqx_management/priv/emqx_management.schema
+++ b/apps/emqx_management/priv/emqx_management.schema
@ -21,7 +21,7 @@
  {datatype, string}
 ]}.
-{mapping, "management.listener.http", "emqx_management.listeners", [
+{mapping, "management.listener.http.port", "emqx_management.listeners", [
  {datatype, [integer, ip]}
 ]}.
@ -85,7 +85,7 @@
  {datatype, {enum, [true, false]}}
 ]}.
-{mapping, "management.listener.https", "emqx_management.listeners", [
+{mapping, "management.listener.https.port", "emqx_management.listeners", [
  {datatype, [integer, ip]}
 ]}.
@ -225,7 +225,7 @@ end}.
    lists:foldl(
      fun(Proto, Acc) ->
          Prefix = "management.listener." ++ atom_to_list(Proto),
-          case cuttlefish:conf_get(Prefix, Conf, undefined) of
+          case cuttlefish:conf_get(Prefix ++ ".port", Conf, undefined) of
              undefined -> Acc;
              Port ->
                  [{Proto, Port, TcpOpts(Prefix) ++ Opts(Prefix)
--- a/apps/emqx_prometheus/etc/emqx_prometheus.conf
+++ b/apps/emqx_prometheus/etc/emqx_prometheus.conf
@ -5,7 +5,7 @@
 ## The Prometheus Push Gateway URL address
 ##
 ## Note: You can comment out this line to disable it
-prometheus.push.gateway.server = http://127.0.0.1:9091
+prometheus.push.gateway.server = "http://127.0.0.1:9091"
 ## The metrics data push interval (millisecond)
 ##
--- a/apps/emqx_psk_file/etc/emqx_psk_file.conf
+++ b/apps/emqx_psk_file/etc/emqx_psk_file.conf
@ -1,2 +1,2 @@
-psk.file.path = {{ platform_etc_dir }}/psk.txt
+psk.file.path = "{{ platform_etc_dir }}/psk.txt"
-psk.file.delimiter = :
+psk.file.delimiter = ":"
--- a/apps/emqx_retainer/etc/emqx_retainer.conf
+++ b/apps/emqx_retainer/etc/emqx_retainer.conf
@ -37,5 +37,5 @@ retainer.max_payload_size = 1MB
 ##  - 30m: 30 minutes
 ##  - 20s: 20 seconds
 ##
-## Defaut: 0
+## Default: 0
 retainer.expiry_interval = 0
--- a/apps/emqx_retainer/rebar.config
+++ b/apps/emqx_retainer/rebar.config
@ -18,7 +18,7 @@
 {profiles,
 [{test,
   [{deps,
-     [{emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}},
+     [
      {emqtt, {git, "https://github.com/emqx/emqtt", {tag, "1.2.3"}}}]}
   ]}
 ]}.
--- a/apps/emqx_rule_engine/etc/emqx_rule_engine.conf
+++ b/apps/emqx_rule_engine/etc/emqx_rule_engine.conf
@ -32,7 +32,7 @@ rule_engine.ignore_sys_message = on
 ##
 ## QoS-Level: qos0/qos1/qos2
-#rule_engine.events.client_connected = on, qos1
+#rule_engine.events.client_connected = "on, qos1"
 rule_engine.events.client_connected = off
 rule_engine.events.client_disconnected = off
 rule_engine.events.session_subscribed = off
--- a/apps/emqx_rule_engine/test/emqx_rule_engine_SUITE.erl
+++ b/apps/emqx_rule_engine/test/emqx_rule_engine_SUITE.erl
@ -2408,7 +2408,7 @@ start_apps() ->
    [start_apps(App, SchemaFile, ConfigFile) ||
        {App, SchemaFile, ConfigFile}
            <- [{emqx, deps_path(emqx, "priv/emqx.schema"),
-                       deps_path(emqx, "etc/emqx.conf")},
+                       deps_path(emqx, "etc/emqx.conf.rendered")},
                {emqx_rule_engine, local_path("priv/emqx_rule_engine.schema"),
                                   local_path("etc/emqx_rule_engine.conf")}]].
@ -2420,7 +2420,7 @@ start_apps(App, SchemaFile, ConfigFile) ->
 read_schema_configs(App, SchemaFile, ConfigFile) ->
    ct:pal("Read configs - SchemaFile: ~p, ConfigFile: ~p", [SchemaFile, ConfigFile]),
    Schema = cuttlefish_schema:files([SchemaFile]),
-    Conf = conf_parse:file(ConfigFile),
+    {ok, Conf} = hocon:load(ConfigFile, #{format => proplists}),
    NewConfig = cuttlefish_generator:map(Schema, Conf),
    Vals = proplists:get_value(App, NewConfig, []),
    [application:set_env(App, Par, Value) || {Par, Value} <- Vals].
--- a/apps/emqx_sn/etc/emqx_sn.conf
+++ b/apps/emqx_sn/etc/emqx_sn.conf
@ -6,7 +6,7 @@
 ##
 ## Value: IP:Port | Port
 ##
-## Examples: 1884, 127.0.0.1:1884, ::1:1884
+## Examples: 1884, "127.0.0.1:1884", "::1:1884"
 mqtt.sn.port = 1884
 ## The duration that emqx-sn broadcast ADVERTISE message through.
@ -37,8 +37,8 @@ mqtt.sn.idle_timeout = 30s
 ## The pre-defined topic name corresponding to the pre-defined topic id of N.
 ## Note that the pre-defined topic id of 0 is reserved.
 mqtt.sn.predefined.topic.0 = reserved
-mqtt.sn.predefined.topic.1 = /predefined/topic/name/hello
+mqtt.sn.predefined.topic.1 = "/predefined/topic/name/hello"
-mqtt.sn.predefined.topic.2 = /predefined/topic/name/nice
+mqtt.sn.predefined.topic.2 = "/predefined/topic/name/nice"
 ## Default username for MQTT-SN. This parameter is optional. If specified,
 ## emq-sn will connect EMQ core with this username. It is useful if any auth
--- a/apps/emqx_sn/priv/emqx_sn.schema
+++ b/apps/emqx_sn/priv/emqx_sn.schema
@ -1,23 +1,19 @@
 %%-*- mode: erlang -*-
 %% emqx_sn config mapping
 {mapping, "mqtt.sn.port", "emqx_sn.port", [
-  {default, "1884"},
+  {default, 1884},
-  {datatype, string}
+  {datatype, [integer, ip]}
 ]}.
 {translation, "emqx_sn.port", fun(Conf) ->
-  case re:split(cuttlefish:conf_get("mqtt.sn.port", Conf, ""), ":", [{return, list}]) of
+  case cuttlefish:conf_get("mqtt.sn.port", Conf, undefined) of
-      [Port] ->
+      Port when is_integer(Port) ->
-          {{0,0,0,0}, list_to_integer(Port)};
+          {{0,0,0,0}, Port};
-      Tokens ->
+      {Ip, Port} ->
-          Port = lists:last(Tokens),
+          case inet:parse_address(Ip) of
-          IP = case inet:parse_address(lists:flatten(lists:join(":", Tokens -- [Port]))) of
+              {ok ,R} -> {R, Port};
-                   {error, Reason} ->
+              _ -> {Ip, Port}
-                       throw({invalid_ip_address, Reason});
+          end
                   {ok, X} -> X
               end,
          Port1 = list_to_integer(Port),
          {IP, Port1}
  end
 end}.
--- a/apps/emqx_sn/rebar.config
+++ b/apps/emqx_sn/rebar.config
@ -2,8 +2,7 @@
 {plugins, [rebar3_proper]}.
 {deps,
- [{esockd, {git, "https://github.com/emqx/esockd", {tag, "5.7.4"}}},
+ [{esockd, {git, "https://github.com/emqx/esockd", {tag, "5.7.4"}}}
  {cuttlefish, {git, "https://github.com/emqx/cuttlefish", {tag, "v3.0.0"}}}
 ]}.
 {edoc_opts, [{preprocess, true}]}.
--- a/apps/emqx_stomp/etc/emqx_stomp.conf
+++ b/apps/emqx_stomp/etc/emqx_stomp.conf
@ -8,7 +8,7 @@
 ## The Port that stomp listener will bind.
 ##
 ## Value: Port
-stomp.listener = 61613
+stomp.listener.port = 61613
 ## The acceptor pool for stomp listener.
 ##
@ -28,22 +28,22 @@ stomp.listener.max_connections = 512
 ## Path to the file containing the user's private PEM-encoded key.
 ##
 ## Value: File
-## stomp.listener.keyfile = etc/certs/key.pem
+## stomp.listener.keyfile = "etc/certs/key.pem"
 ## Path to a file containing the user certificate.
 ##
 ## Value: File
-## stomp.listener.certfile = etc/certs/cert.pem
+## stomp.listener.certfile = "etc/certs/cert.pem"
 ## Path to the file containing PEM-encoded CA certificates.
 ##
 ## Value: File
-## stomp.listener.cacertfile = etc/certs/cacert.pem
+## stomp.listener.cacertfile = "etc/certs/cacert.pem"
 ## See: 'listener.ssl.<name>.dhfile' in emq.conf
 ##
 ## Value: File
-## stomp.listener.dhfile = etc/certs/dh-params.pem
+## stomp.listener.dhfile = "etc/certs/dh-params.pem"
 ## See: 'listener.ssl.<name>.vefify' in emq.conf
 ##
@ -58,7 +58,7 @@ stomp.listener.max_connections = 512
 ## TLS versions only to protect from POODLE attack.
 ##
 ## Value: String, seperated by ','
-## stomp.listener.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+## stomp.listener.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
 ## SSL Handshake timeout.
 ##
@ -68,7 +68,7 @@ stomp.listener.max_connections = 512
 ## See: 'listener.ssl.<name>.ciphers' in emq.conf
 ##
 ## Value: Ciphers
-## stomp.listener.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+## stomp.listener.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
 ##
--- a/apps/emqx_stomp/priv/emqx_stomp.schema
+++ b/apps/emqx_stomp/priv/emqx_stomp.schema
@ -1,7 +1,7 @@
 %%-*- mode: erlang -*-
 %% emqx_stomp config mapping
-{mapping, "stomp.listener", "emqx_stomp.listener", [
+{mapping, "stomp.listener.port", "emqx_stomp.listener", [
  {default, 61613},
  {datatype, [integer, ip]}
 ]}.
@ -72,7 +72,7 @@
 ]}.
 {translation, "emqx_stomp.listener", fun(Conf) ->
-  Port = cuttlefish:conf_get("stomp.listener", Conf),
+  Port = cuttlefish:conf_get("stomp.listener.port", Conf),
  Acceptors = cuttlefish:conf_get("stomp.listener.acceptors", Conf),
  MaxConnections = cuttlefish:conf_get("stomp.listener.max_connections", Conf),
  Filter = fun(Opts) -> [{K, V} || {K, V} <- Opts, V =/= undefined] end,
--- a/apps/emqx_telemetry/etc/emqx_telemetry.conf
+++ b/apps/emqx_telemetry/etc/emqx_telemetry.conf
@ -13,8 +13,8 @@ telemetry.enabled = true
 ##
 ## Value: String
 ##
-## Default: https://telemetry.emqx.io/api/telemetry
+## Default: "https://telemetry.emqx.io/api/telemetry"
-telemetry.url = https://telemetry.emqx.io/api/telemetry
+telemetry.url = "https://telemetry.emqx.io/api/telemetry"
 ## Interval for reporting telemetry data
 ##
--- a/apps/emqx_web_hook/etc/emqx_web_hook.conf
+++ b/apps/emqx_web_hook/etc/emqx_web_hook.conf
@ -5,16 +5,16 @@
 ## Webhook URL
 ##
 ## Value: String
-web.hook.url = http://127.0.0.1:8080
+web.hook.url = "http://127.0.0.1:8080"
 ## HTTP Headers
 ##
 ## Example:
-## 1. web.hook.headers.content-type = application/json
+## 1. web.hook.headers.content-type = "application/json"
-## 2. web.hook.headers.accept = *
+## 2. web.hook.headers.accept = "*"
 ##
 ## Value: String
-web.hook.headers.content-type = application/json
+web.hook.headers.content-type = "application/json"
 ## The encoding format of the payload field in the HTTP body
 ## The payload field only appears in the on_message_publish and on_message_delivered actions
@ -54,15 +54,15 @@ web.hook.pool_size = 32
 ##
 ## Format:
 ##   web.hook.rule.<HookName>.<No> = <Spec>
-#web.hook.rule.client.connect.1       = {"action": "on_client_connect"}
+#web.hook.rule.client.connect.1       = "{"action": "on_client_connect"}"
-#web.hook.rule.client.connack.1       = {"action": "on_client_connack"}
+#web.hook.rule.client.connack.1       = "{"action": "on_client_connack"}"
-#web.hook.rule.client.connected.1     = {"action": "on_client_connected"}
+#web.hook.rule.client.connected.1     = "{"action": "on_client_connected"}"
-#web.hook.rule.client.disconnected.1  = {"action": "on_client_disconnected"}
+#web.hook.rule.client.disconnected.1  = "{"action": "on_client_disconnected"}"
-#web.hook.rule.client.subscribe.1     = {"action": "on_client_subscribe"}
+#web.hook.rule.client.subscribe.1     = "{"action": "on_client_subscribe"}"
-#web.hook.rule.client.unsubscribe.1   = {"action": "on_client_unsubscribe"}
+#web.hook.rule.client.unsubscribe.1   = "{"action": "on_client_unsubscribe"}"
-#web.hook.rule.session.subscribed.1   = {"action": "on_session_subscribed"}
+#web.hook.rule.session.subscribed.1   = "{"action": "on_session_subscribed"}"
-#web.hook.rule.session.unsubscribed.1 = {"action": "on_session_unsubscribed"}
+#web.hook.rule.session.unsubscribed.1 = "{"action": "on_session_unsubscribed"}"
-#web.hook.rule.session.terminated.1   = {"action": "on_session_terminated"}
+#web.hook.rule.session.terminated.1   = "{"action": "on_session_terminated"}"
-#web.hook.rule.message.publish.1      = {"action": "on_message_publish"}
+#web.hook.rule.message.publish.1      = "{"action": "on_message_publish"}"
-#web.hook.rule.message.delivered.1    = {"action": "on_message_delivered"}
+#web.hook.rule.message.delivered.1    = "{"action": "on_message_delivered"}"
-#web.hook.rule.message.acked.1        = {"action": "on_message_acked"}
+#web.hook.rule.message.acked.1        = ""{"action": "on_message_acked"}"
--- a/apps/emqx_web_hook/rebar.config
+++ b/apps/emqx_web_hook/rebar.config
@ -24,8 +24,7 @@
 [{test,
   [{erl_opts, [export_all, nowarn_export_all]},
    {deps,
-     [{emqx_ct_helper, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.3.0"}}},
+     [
      {cuttlefish, {git, "https://github.com/emqx/cuttlefish", {tag, "v3.0.0"}}},
      {emqtt, {git, "https://github.com/emqx/emqtt", {tag, "1.2.3"}}}
     ]}
   ]}
--- a/deploy/charts/emqx/values.yaml
+++ b/deploy/charts/emqx/values.yaml
@ -42,7 +42,7 @@ initContainers: {}
 ## EMQX configuration item, see the documentation (https://github.com/emqx/emqx-docker#emq-x-configuration)
 emqxConfig:
-  EMQX_CLUSTER__K8S__APISERVER: "https://kubernetes.default.svc:443"
+  EMQX_CLUSTER__K8S__APISERVER: \"https://kubernetes.default.svc:443\"
  ## The address type is used to extract host from k8s service.
  ## Value: ip | dns | hostname
  ## Note：Hostname is only supported after v4.0-rc.2
--- a/deploy/docker/start.sh
+++ b/deploy/docker/start.sh
@ -38,7 +38,7 @@ tail -f /opt/emqx/log/erlang.log.1 &
 #          and docker dispatching system can known and restart this container.
 IDLE_TIME=0
 MGMT_CONF='/opt/emqx/etc/plugins/emqx_management.conf'
-MGMT_PORT=$(sed -n -r '/^management.listener.http[ \t]=[ \t].*$/p' $MGMT_CONF | sed -r 's/^management.listener.http = (.*)$/\1/g')
+MGMT_PORT=$(sed -n -r '/^management.listener.http.port[ \t]=[ \t].*$/p' $MGMT_CONF | sed -r 's/^management.listener.http.port = (.*)$/\1/g')
 while [ $IDLE_TIME -lt 5 ]; do
    IDLE_TIME=$(expr $IDLE_TIME + 1)
    if curl http://localhost:${MGMT_PORT}/status >/dev/null 2>&1; then
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@ -58,7 +58,7 @@ cluster.autoclean = 5m
 ## Node list of the cluster.
 ##
 ## Value: String
-## cluster.static.seeds = emqx1@127.0.0.1,emqx2@127.0.0.1
+## cluster.static.seeds = "emqx1@127.0.0.1,emqx2@127.0.0.1"
 ##--------------------------------------------------------------------
 ## Cluster using IP Multicast.
@ -66,19 +66,19 @@ cluster.autoclean = 5m
 ## IP Multicast Address.
 ##
 ## Value: IP Address
-## cluster.mcast.addr = 239.192.0.1
+## cluster.mcast.addr = "239.192.0.1"
 ## Multicast Ports.
 ##
 ## Value: Port List
-## cluster.mcast.ports = 4369,4370
+## cluster.mcast.ports = "4369,4370"
 ## Multicast Iface.
 ##
 ## Value: Iface Address
 ##
-## Default: 0.0.0.0
+## Default: "0.0.0.0"
-## cluster.mcast.iface = 0.0.0.0
+## cluster.mcast.iface = "0.0.0.0"
 ## Multicast Ttl.
 ##
@ -109,7 +109,7 @@ cluster.autoclean = 5m
 ## Etcd server list, seperated by ','.
 ##
 ## Value: String
-## cluster.etcd.server = http://127.0.0.1:2379
+## cluster.etcd.server = "http://127.0.0.1:2379"
 ## The prefix helps build nodes path in etcd. Each node in the cluster
 ## will create a path in etcd: v2/keys/<prefix>/<cluster.name>/<node.name>
@ -127,18 +127,18 @@ cluster.autoclean = 5m
 ## Path to a file containing the client's private PEM-encoded key.
 ##
 ## Value: File
-## cluster.etcd.ssl.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
+## cluster.etcd.ssl.keyfile = "{{ platform_etc_dir }}/certs/client-key.pem"
 ## The path to a file containing the client's certificate.
 ##
 ## Value: File
-## cluster.etcd.ssl.certfile = {{ platform_etc_dir }}/certs/client.pem
+## cluster.etcd.ssl.certfile = "{{ platform_etc_dir }}/certs/client.pem"
 ## Path to the file containing PEM-encoded CA certificates. The CA certificates
 ## are used during server authentication and when building the client certificate chain.
 ##
 ## Value: File
-## cluster.etcd.ssl.cacertfile = {{ platform_etc_dir }}/certs/ca.pem
+## cluster.etcd.ssl.cacertfile = "{{ platform_etc_dir }}/certs/ca.pem"
 ##--------------------------------------------------------------------
 ## Cluster using Kubernetes
@ -146,7 +146,7 @@ cluster.autoclean = 5m
 ## Kubernetes API server list, seperated by ','.
 ##
 ## Value: String
-## cluster.k8s.apiserver = http://10.110.111.204:8080
+## cluster.k8s.apiserver = "http://10.110.111.204:8080"
 ## The service name helps lookup EMQ nodes in the cluster.
 ##
@ -194,7 +194,7 @@ node.cookie = emqxsecretcookie
 ## Data dir for the node
 ##
 ## Value: Folder
-node.data_dir = {{ platform_data_dir }}
+node.data_dir = "{{ platform_data_dir }}"
 ## Heartbeat monitoring of an Erlang runtime system. Comment the line to disable
 ## heartbeat, or set the value as 'on'
@ -271,14 +271,14 @@ node.global_gc_interval = 15m
 ## Crash dump log file.
 ##
 ## Value: Log file
-node.crash_dump = {{ platform_log_dir }}/crash.dump
+node.crash_dump = "{{ platform_log_dir }}/crash.dump"
 ## Specify SSL Options in the file if using SSL for Erlang Distribution.
 ##
 ## Value: File
 ##
 ## vm.args: -ssl_dist_optfile <File>
-## node.ssl_dist_optfile = {{ platform_etc_dir }}/ssl_dist.conf
+## node.ssl_dist_optfile = "{{ platform_etc_dir }}/ssl_dist.conf"
 ## Sets the net_kernel tick time. TickTime is specified in seconds.
 ## Notice that all communicating nodes are to have the same TickTime
@ -427,7 +427,7 @@ log.level = warning
 ## The dir for log files.
 ##
 ## Value: Folder
-log.dir = {{ platform_log_dir }}
+log.dir = "{{ platform_log_dir }}"
 ## The log filename for logs of level specified in "log.level".
 ##
@ -450,7 +450,7 @@ log.file = emqx.log
 ##
 ## Value: on | off
 ## Default: on
-log.rotation = on
+log.rotation.enable = on
 ## Maximum size of each log file.
 ##
@ -569,7 +569,7 @@ log.rotation.count = 5
 ## Value: MaxBurstCount,TimeWindow
 ## Default: disabled
 ##
-#log.burst_limit = 20000, 1s
+#log.burst_limit = "20000, 1s"
 ##--------------------------------------------------------------------
 ## Authentication/Access Control
@ -589,7 +589,7 @@ acl_nomatch = allow
 ## Default ACL File.
 ##
 ## Value: File Name
-acl_file = {{ platform_etc_dir }}/acl.conf
+acl_file = "{{ platform_etc_dir }}/acl.conf"
 ## Whether to enable ACL cache.
 ##
@ -623,7 +623,7 @@ acl_deny_action = ignore
 ## 3. banned interval: the banned interval if a flapping is detected.
 ##
 ## Value: Integer,Duration,Duration
-flapping_detect_policy = 30, 1m, 5m
+flapping_detect_policy = "30, 1m, 5m"
 ##--------------------------------------------------------------------
 ## MQTT Protocol
@ -722,7 +722,7 @@ zone.external.acl_deny_action = ignore
 ## messages | bytes passed through.
 ##
 ## Numbers delimited by `|'. Zero or negative is to disable.
-zone.external.force_gc_policy = 16000|16MB
+zone.external.force_gc_policy = "16000|16MB"
 ## Max message queue length and total heap size to force shutdown
 ## connection/session process.
@ -732,9 +732,9 @@ zone.external.force_gc_policy = 16000|16MB
 ## Numbers delimited by `|'. Zero or negative is to disable.
 ##
 ## Default:
-##   - 10000|64MB on ARCH_64 system
+##   - "10000|64MB" on ARCH_64 system
-##   - 1000|32MB  on ARCH_32 sytem
+##   - "1000|32MB"  on ARCH_32 sytem
-#zone.external.force_shutdown_policy = 10000|64MB
+#zone.external.force_shutdown_policy = "10000|64MB"
 ## Maximum MQTT packet size allowed.
 ##
@ -840,7 +840,7 @@ zone.external.max_mqueue_len = 1000
 ## are treated equal
 ##
 ## Priority number [1-255]
-## Example: topic/1=10,topic/2=8
+## Example: "topic/1=10,topic/2=8"
 ## NOTE: comma and equal signs are not allowed for priority topic names
 ## NOTE: messages for topics not in the priority table are treated as
 ##       either highest or lowest priority depending on the configured
@ -867,29 +867,29 @@ zone.external.enable_flapping_detect = off
 ##
 ## Value: Number,Duration
 ## Example: 100 messages per 10 seconds.
-#zone.external.rate_limit.conn_messages_in = 100,10s
+#zone.external.rate_limit.conn_messages_in = "100,10s"
 ## Bytes limit for a external MQTT connections.
 ##
 ## Value: Number,Duration
 ## Example: 100KB incoming per 10 seconds.
-#zone.external.rate_limit.conn_bytes_in = 100KB,10s
+#zone.external.rate_limit.conn_bytes_in = "100KB,10s"
 ## Messages quota for the each of external MQTT connection.
 ## This value consumed by the number of recipient on a message.
 ##
 ## Value: Number, Duration
 ##
-## Example: 100 messaegs per 1s
+## Example: 100 messages per 1s
-#zone.external.quota.conn_messages_routing = 100,1s
+#zone.external.quota.conn_messages_routing = "100,1s"
 ## Messages quota for the all of external MQTT connections.
 ## This value consumed by the number of recipient on a message.
 ##
 ## Value: Number, Duration
 ##
-## Example: 200000 messaegs per 1s
+## Example: 200000 messages per 1s
-#zone.external.quota.overall_messages_routing = 200000,1s
+#zone.external.quota.overall_messages_routing = "200000,1s"
 ## All the topics will be prefixed with the mountpoint path if this option is enabled.
 ##
@ -898,7 +898,7 @@ zone.external.enable_flapping_detect = off
 ##  - %u: username
 ##
 ## Value: String
-## zone.external.mountpoint = devicebound/
+## zone.external.mountpoint = "devicebound/"
 ## Whether use username replace client id
 ##
@ -943,7 +943,7 @@ zone.internal.enable_acl = off
 zone.internal.acl_deny_action = ignore
 ## See zone.$name.force_gc_policy
-## zone.internal.force_gc_policy = 128000|128MB
+## zone.internal.force_gc_policy = "128000|128MB"
 ## See zone.$name.wildcard_subscription.
 ##
@ -988,8 +988,8 @@ zone.internal.enable_flapping_detect = off
 ## See zone.$name.force_shutdown_policy
 ##
 ## Default:
-##   - 10000|64MB on ARCH_64 system
+##   - "10000|64MB" on ARCH_64 system
-##   - 1000|32MB  on ARCH_32 sytem
+##   - "1000|32MB"  on ARCH_32 sytem
 #zone.internal.force_shutdown_policy = 10000|64MB
 ## All the topics will be prefixed with the mountpoint path if this option is enabled.
@ -999,7 +999,7 @@ zone.internal.enable_flapping_detect = off
 ##  - %u: username
 ##
 ## Value: String
-## zone.internal.mountpoint = cloudbound/
+## zone.internal.mountpoint = "cloudbound/"
 ## Whether to ignore loop delivery of messages.(for mqtt v3.1.1)
 ##
@ -1033,8 +1033,8 @@ zone.internal.bypass_auth_plugins = true
 ##
 ## Value: IP:Port | Port
 ##
-## Examples: 1883, 127.0.0.1:1883, ::1:1883
+## Examples: 1883, "127.0.0.1:1883", "::1:1883"
-listener.tcp.external = 0.0.0.0:1883
+listener.tcp.external.endpoint = "0.0.0.0:1883"
 ## The acceptor pool for external MQTT/TCP listener.
 ##
@ -1069,8 +1069,8 @@ listener.tcp.external.zone = external
 ##
 ## Value: ACL Rule
 ##
-## Example: allow 192.168.0.0/24
+## Example: "allow 192.168.0.0/24"
-listener.tcp.external.access.1 = allow all
+listener.tcp.external.access.1 = "allow all"
 ## Enable the Proxy Protocol V1/2 if the EMQ X cluster is deployed
 ## behind HAProxy or Nginx.
@ -1165,8 +1165,8 @@ listener.tcp.external.reuseaddr = true
 ##
 ## Value: IP:Port, Port
 ##
-## Examples: 11883, 127.0.0.1:11883, ::1:11883
+## Examples: 11883, "127.0.0.1:11883", "::1:11883"
-listener.tcp.internal = 127.0.0.1:11883
+listener.tcp.internal.endpoint = "127.0.0.1:11883"
 ## The acceptor pool for internal MQTT/TCP listener.
 ##
@ -1262,8 +1262,8 @@ listener.tcp.internal.reuseaddr = true
 ##
 ## Value: IP:Port | Port
 ##
-## Examples: 8883, 127.0.0.1:8883, ::1:8883
+## Examples: 8883, "127.0.0.1:8883", "::1:8883"
-listener.ssl.external = 8883
+listener.ssl.external.endpoint = 8883
 ## The acceptor pool for external MQTT/SSL listener.
 ##
@ -1295,7 +1295,7 @@ listener.ssl.external.zone = external
 ## See: listener.tcp.$name.access
 ##
 ## Value: ACL Rule
-listener.ssl.external.access.1 = allow all
+listener.ssl.external.access.1 = "allow all"
 ## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind
 ## HAProxy or Nginx.
@ -1317,7 +1317,7 @@ listener.ssl.external.access.1 = allow all
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: String, seperated by ','
-## listener.ssl.external.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+## listener.ssl.external.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
 ## TLS Handshake timeout.
 ##
@ -1341,20 +1341,20 @@ listener.ssl.external.handshake_timeout = 15s
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: File
-listener.ssl.external.keyfile = {{ platform_etc_dir }}/certs/key.pem
+listener.ssl.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
 ## Path to a file containing the user certificate.
 ##
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: File
-listener.ssl.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
+listener.ssl.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
 ## Path to the file containing PEM-encoded CA certificates. The CA certificates
 ## are used during server authentication and when building the client certificate chain.
 ##
 ## Value: File
-## listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+## listener.ssl.external.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
 ## The Ephemeral Diffie-Helman key exchange is a very effective way of
 ## ensuring Forward Secrecy by exchanging a set of keys that never hit
@ -1371,7 +1371,7 @@ listener.ssl.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## openssl dhparam -out dh-params.pem 2048
 ##
 ## Value: File
-## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
+## listener.ssl.external.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
 ## A server only does x509-path validation in mode verify_peer,
 ## as it then sends a certificate request to the client (this
@ -1406,13 +1406,13 @@ listener.ssl.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## Most of it was copied from Mozilla’s Server Side TLS article
 ##
 ## Value: Ciphers
-listener.ssl.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+listener.ssl.external.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## Ciphers for TLS PSK.
 ## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-#listener.ssl.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+#listener.ssl.external.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
 ## SSL parameter renegotiation is a feature that allows a client and a server
 ## to renegotiate the parameters of the SSL connection on the fly.
@ -1514,13 +1514,13 @@ listener.ssl.external.reuseaddr = true
 ##
 ## Value: IP:Port | Port
 ##
-## Examples: 8083, 127.0.0.1:8083, ::1:8083
+## Examples: 8083, "127.0.0.1:8083", "::1:8083"
-listener.ws.external = 8083
+listener.ws.external.endpoint = 8083
 ## The path of WebSocket MQTT endpoint
 ##
 ## Value: URL Path
-listener.ws.external.mqtt_path = /mqtt
+listener.ws.external.mqtt_path = "/mqtt"
 ## The acceptor pool for external MQTT/WebSocket listener.
 ##
@ -1552,7 +1552,7 @@ listener.ws.external.zone = external
 ## See: listener.ws.$name.access
 ##
 ## Value: ACL Rule
-listener.ws.external.access.1 = allow all
+listener.ws.external.access.1 = "allow all"
 ## Verify if the protocol header is valid. Turn off for WeChat MiniApp.
 ##
@ -1712,13 +1712,13 @@ listener.ws.external.mqtt_piggyback = multiple
 ##
 ## Value: IP:Port | Port
 ##
-## Examples: 8084, 127.0.0.1:8084, ::1:8084
+## Examples: 8084, "127.0.0.1:8084", "::1:8084"
-listener.wss.external = 8084
+listener.wss.external.endpoint = 8084
 ## The path of WebSocket MQTT endpoint
 ##
 ## Value: URL Path
-listener.wss.external.mqtt_path = /mqtt
+listener.wss.external.mqtt_path = "/mqtt"
 ## The acceptor pool for external MQTT/WebSocket/SSL listener.
 ##
@ -1752,7 +1752,7 @@ listener.wss.external.zone = external
 ## See: listener.tcp.$name.access.<no>
 ##
 ## Value: ACL Rule
-listener.wss.external.access.1 = allow all
+listener.wss.external.access.1 = "allow all"
 ## See: listener.ws.external.verify_protocol_header
 ##
@ -1778,28 +1778,28 @@ listener.wss.external.verify_protocol_header = on
 ## See: listener.ssl.$name.tls_versions
 ##
 ## Value: String, seperated by ','
-## listener.wss.external.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+## listener.wss.external.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
 ## Path to the file containing the user's private PEM-encoded key.
 ##
 ## See: listener.ssl.$name.keyfile
 ##
 ## Value: File
-listener.wss.external.keyfile = {{ platform_etc_dir }}/certs/key.pem
+listener.wss.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
 ## Path to a file containing the user certificate.
 ##
 ## See: listener.ssl.$name.certfile
 ##
 ## Value: File
-listener.wss.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
+listener.wss.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
 ## Path to the file containing PEM-encoded CA certificates.
 ##
 ## See: listener.ssl.$name.cacert
 ##
 ## Value: File
-## listener.wss.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+## listener.wss.external.cacertfile = "{{ platform_etc_dir }}/certs/cacert.pem"
 ## Maximum number of non-self-issued intermediate certificates that
 ## can follow the peer certificate in a valid certification path.
@ -1820,7 +1820,7 @@ listener.wss.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## See: listener.ssl.$name.dhfile
 ##
 ## Value: File
-## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
+## listener.ssl.external.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
 ## See: listener.ssl.$name.vefify
 ##
@ -1835,13 +1835,13 @@ listener.wss.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## See: listener.ssl.$name.ciphers
 ##
 ## Value: Ciphers
-listener.wss.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
+listener.wss.external.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## Ciphers for TLS PSK.
 ## Note that 'listener.wss.external.ciphers' and 'listener.wss.external.psk_ciphers' cannot
 ## be configured at the same time.
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-## listener.wss.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+## listener.wss.external.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
 ## See: listener.ssl.$name.secure_renegotiate
 ##
@ -1991,7 +1991,7 @@ listener.wss.external.mqtt_piggyback = multiple
 ## The file to store loaded module names.
 ##
 ## Value: File
-modules.loaded_file = {{ platform_data_dir }}/loaded_modules
+modules.loaded_file = "{{ platform_data_dir }}/loaded_modules"
 ##--------------------------------------------------------------------
 ## Presence Module
@ -2007,7 +2007,7 @@ module.presence.qos = 1
 ## Subscribe the Topics automatically when client connected.
 ##
 ## Value: String
-## module.subscription.1.topic = connected/%c/%u
+## module.subscription.1.topic = "connected/%c/%u"
 ## Qos of the proxy subscription.
 ##
@ -2040,8 +2040,8 @@ module.presence.qos = 1
 ## Rewrite Module
 ## {rewrite, Topic, Re, Dest}
-## module.rewrite.pub.rule.1 = x/# ^x/y/(.+)$ z/y/$1
+## module.rewrite.pub.rule.1 = "x/# ^x/y/(.+)$ z/y/$1"
-## module.rewrite.sub.rule.1 = y/+/z/# ^y/(.+)/z/(.+)$ y/z/$2
+## module.rewrite.sub.rule.1 = "y/+/z/# ^y/(.+)/z/(.+)$ y/z/$2"
 ##-------------------------------------------------------------------
 ## Plugins
@ -2050,17 +2050,17 @@ module.presence.qos = 1
 ## The etc dir for plugins' config.
 ##
 ## Value: Folder
-plugins.etc_dir = {{ platform_etc_dir }}/plugins/
+plugins.etc_dir = "{{ platform_etc_dir }}/plugins/"
 ## The file to store loaded plugin names.
 ##
 ## Value: File
-plugins.loaded_file = {{ platform_data_dir }}/loaded_plugins
+plugins.loaded_file = "{{ platform_data_dir }}/loaded_plugins"
 ## The directory of extension plugins.
 ##
 ## Value: File
-plugins.expand_plugins_dir = {{ platform_plugins_dir }}/
+plugins.expand_plugins_dir = "{{ platform_plugins_dir }}/"
 ##--------------------------------------------------------------------
 ## Broker
@ -2148,7 +2148,6 @@ sysmon.long_gc = 0
 ## Examples:
 ##  - 2h:  2 hours
 ##  - 30m: 30 minutes
 ##  - 0.1s: 0.1 seconds
 ##  - 100ms: 100 milliseconds
 ##
 ## Default: 0ms
@ -2240,8 +2239,8 @@ vm_mon.process_low_watermark = 60%
 ##  - log
 ##  - publish
 ##
-## Default: log,publish
+## Default: "log,publish"
-alarm.actions = log,publish
+alarm.actions = "log,publish"
 ## The maximum number of deactivated alarms
 ##
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@ -482,7 +482,7 @@ end}.
  {datatype, integer}
 ]}.
-{mapping, "log.rotation", "kernel.logger", [
+{mapping, "log.rotation.enable", "kernel.logger", [
  {default, on},
  {datatype, flag}
 ]}.
@ -576,7 +576,7 @@ end}.
 {translation, "kernel.logger", fun(Conf) ->
    LogTo = cuttlefish:conf_get("log.to", Conf),
    LogLevel = cuttlefish:conf_get("log.level", Conf),
-    LogType = case cuttlefish:conf_get("log.rotation", Conf) of
+    LogType = case cuttlefish:conf_get("log.rotation.enable", Conf) of
                  true -> wrap;
                  false -> halt
              end,
@ -1166,7 +1166,7 @@ end}.
 %%--------------------------------------------------------------------
 %% TCP Listeners
-{mapping, "listener.tcp.$name", "emqx.listeners", [
+{mapping, "listener.tcp.$name.endpoint", "emqx.listeners", [
  {datatype, [integer, ip]}
 ]}.
@ -1267,7 +1267,7 @@ end}.
 %%--------------------------------------------------------------------
 %% SSL Listeners
-{mapping, "listener.ssl.$name", "emqx.listeners", [
+{mapping, "listener.ssl.$name.endpoint", "emqx.listeners", [
  {datatype, [integer, ip]}
 ]}.
@ -1431,7 +1431,7 @@ end}.
 %%--------------------------------------------------------------------
 %% MQTT/WebSocket Listeners
-{mapping, "listener.ws.$name", "emqx.listeners", [
+{mapping, "listener.ws.$name.endpoint", "emqx.listeners", [
  {datatype, [integer, ip]}
 ]}.
@ -1585,7 +1585,7 @@ end}.
 %%--------------------------------------------------------------------
 %% MQTT/WebSocket/SSL Listeners
-{mapping, "listener.wss.$name", "emqx.listeners", [
+{mapping, "listener.wss.$name.endpoint", "emqx.listeners", [
  {datatype, [integer, ip]}
 ]}.
@ -1801,7 +1801,6 @@ end}.
 ]}.
 {translation, "emqx.listeners", fun(Conf) ->
    Filter  = fun(Opts) -> [{K, V} || {K, V} <- Opts, V =/= undefined] end,
    Atom = fun(undefined) -> undefined; (S) -> list_to_atom(S) end,
@ -1922,7 +1921,7 @@ end}.
    TcpListeners = fun(Type, Name) ->
                      Prefix = string:join(["listener", Type, Name], "."),
-                      ListenOnN = case cuttlefish:conf_get(Prefix, Conf, undefined) of
+                      ListenOnN = case cuttlefish:conf_get(Prefix ++ ".endpoint", Conf, undefined) of
                          undefined -> [];
                          ListenOn  ->
                              case ListenOn of
@ -1939,7 +1938,7 @@ end}.
                   end,
    SslListeners = fun(Type, Name) ->
                       Prefix = string:join(["listener", Type, Name], "."),
-                       case cuttlefish:conf_get(Prefix, Conf, undefined) of
+                       case cuttlefish:conf_get(Prefix ++ ".endpoint", Conf, undefined) of
                           undefined ->
                               [];
                           ListenOn ->
@ -1948,12 +1947,11 @@ end}.
                                                        {ssl_options, SslOpts(Prefix)} | LisOpts(Prefix)]}]
                       end
                   end,
-
+    lists:flatten([TcpListeners(Type, Name) || {["listener", Type, Name, "endpoint"], ListenOn}
    lists:flatten([TcpListeners(Type, Name) || {["listener", Type, Name], ListenOn}
                                               <- cuttlefish_variable:filter_by_prefix("listener.tcp", Conf)
                                               ++ cuttlefish_variable:filter_by_prefix("listener.ws", Conf)]
                  ++
-                  [SslListeners(Type, Name) || {["listener", Type, Name], ListenOn}
+                  [SslListeners(Type, Name) || {["listener", Type, Name, "endpoint"], ListenOn}
                                               <- cuttlefish_variable:filter_by_prefix("listener.ssl", Conf)
                                               ++ cuttlefish_variable:filter_by_prefix("listener.wss", Conf)])
 end}.
--- a/rebar.config
+++ b/rebar.config
@ -47,7 +47,7 @@
    , {esockd, {git, "https://github.com/emqx/esockd", {tag, "5.7.4"}}}
    , {ekka, {git, "https://github.com/emqx/ekka", {tag, "0.7.5"}}}
    , {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "2.5.0"}}}
-    , {cuttlefish, {git, "https://github.com/emqx/cuttlefish", {tag, "v3.0.0"}}}
+    , {cuttlefish, {git, "https://github.com/emqx/cuttlefish", {branch, "hocon"}}}
    , {minirest, {git, "https://github.com/emqx/minirest", {tag, "0.3.3"}}}
    , {ecpool, {git, "https://github.com/emqx/ecpool", {tag, "0.5.0"}}}
    , {replayq, {git, "https://github.com/emqx/replayq", {tag, "v0.2.0"}}}
--- a/rebar.config.erl
+++ b/rebar.config.erl
@ -29,7 +29,7 @@ plugins() ->
 test_deps() ->
    [ {bbmustache, "1.10.0"}
-    , {emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.3.2"}}}
+    , {emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {branch, "hocon"}}}
    , meck
    ].
--- a/test/emqx_listeners_SUITE.erl
+++ b/test/emqx_listeners_SUITE.erl
@ -67,14 +67,16 @@ mustache_vars() ->
 generate_config() ->
    Schema = cuttlefish_schema:files([local_path(["priv", "emqx.schema"])]),
    ConfFile = render_config_file(),
-    Conf = conf_parse:file(ConfFile),
+    {ok, Conf} = hocon:load(ConfFile, #{format => proplists}),
    cuttlefish_generator:map(Schema, Conf).
 set_app_env({App, Lists}) ->
    lists:foreach(fun({acl_file, _Var}) ->
                      application:set_env(App, acl_file, local_path(["etc", "acl.conf"]));
                     ({plugins_loaded_file, _Var}) ->
-                      application:set_env(App, plugins_loaded_file, local_path(["test", "emqx_SUITE_data","loaded_plugins"]));
+                      application:set_env(App,
                                          plugins_loaded_file,
                                          local_path(["test", "emqx_SUITE_data","loaded_plugins"]));
                     ({Par, Var}) ->
                      application:set_env(App, Par, Var)
                  end, Lists).
--- a/test/emqx_plugins_SUITE_data/emqx_mini_plugin/rebar.config
+++ b/test/emqx_plugins_SUITE_data/emqx_mini_plugin/rebar.config
@ -15,11 +15,3 @@
 {cover_enabled, true}.
 {cover_opts, [verbose]}.
 {cover_export_enabled, true}.
 {profiles,
    [{test, [
        {deps, [ {emqx_ct_helper, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "v1.1.4"}}}
               , {cuttlefish, {git, "https://github.com/emqx/cuttlefish", {tag, "v3.0.0"}}}
               ]}
    ]}
 ]}.
`@ -1,2 +1,2 @@`
	`psk.file.path = {{ platform_etc_dir }}/psk.txt`	`psk.file.path = "{{ platform_etc_dir }}/psk.txt"`
	`psk.file.delimiter = :`	`psk.file.delimiter = ":"`