chore(schema): reformat schema fields descriptions
This commit is contained in:
Zaiming Shi
parent
b1cf5bc1d4
commit
5bd67a49de
|
|
@ -88,23 +88,26 @@ roots(high) ->
|
|||
}
|
||||
, {"zones",
|
||||
sc(map("name", ref("zone")),
|
||||
#{ desc => "A zone is a set of configs grouped by the zone <code>name</code>. <br>"
|
||||
"For flexible configuration mapping, the <code>name</code> "
|
||||
"can be set to a listener's <code>zone</code> config.<br>"
|
||||
"NOTE: A builtin zone named <code>default</code> is auto created "
|
||||
"and can not be deleted."
|
||||
#{ desc =>
|
||||
"""A zone is a set of configs grouped by the zone <code>name</code>.<br>
|
||||
For flexible configuration mapping, the <code>name</code>
|
||||
can be set to a listener's <code>zone</code> config.<br>
|
||||
NOTE: A builtin zone named <code>default</code> is auto created
|
||||
and can not be deleted."""
|
||||
})}
|
||||
, {"mqtt",
|
||||
sc(ref("mqtt"),
|
||||
#{ desc => "Global MQTT configuration.<br>"
|
||||
"The configs here work as default values which can be overriden "
|
||||
"in <code>zone</code> configs"
|
||||
#{ desc =>
|
||||
"""Global MQTT configuration.<br>
|
||||
The configs here work as default values which can be overriden
|
||||
in <code>zone</code> configs"""
|
||||
})}
|
||||
, {"authentication",
|
||||
sc(hoconsc:lazy(hoconsc:array(map())),
|
||||
#{ desc => "Default authentication configs for all MQTT listeners.<br>"
|
||||
"For per-listener overrides see <code>authentication</code> "
|
||||
"in listener configs"
|
||||
#{ desc =>
|
||||
"""Default authentication configs for all MQTT listeners.<br>
|
||||
For per-listener overrides see <code>authentication</code>
|
||||
in listener configs"""
|
||||
})}
|
||||
, {"authorization",
|
||||
sc(ref("authorization"),
|
||||
|
|
@ -956,7 +959,7 @@ common_ssl_opts_schema(Defaults) ->
|
|||
#{ sensitive => true
|
||||
, nullable => true
|
||||
, desc =>
|
||||
"""String containing the user's password. Only used if the private
|
||||
"""String containing the user's password. Only used if the private
|
||||
keyfile is password-protected."""
|
||||
})
|
||||
}
|
||||
|
|
@ -967,7 +970,7 @@ keyfile is password-protected."""
|
|||
"""All TLS/DTLS versions to be supported.<br>
|
||||
NOTE: PSK ciphers are suppresed by 'tlsv1.3' version config<br>
|
||||
In case PSK cipher suites are intended, make sure to configured
|
||||
<code>['tlsv1.2', 'tlsv1.1']</code> here<br>.
|
||||
<code>['tlsv1.2', 'tlsv1.1']</code> here.
|
||||
"""
|
||||
})
|
||||
}
|
||||
|
|
@ -982,9 +985,9 @@ In case PSK cipher suites are intended, make sure to configured
|
|||
sc(boolean(),
|
||||
#{ default => Df("secure_renegotiate", true)
|
||||
, desc => """
|
||||
SSL parameter renegotiation is a feature that allows a client and a server
|
||||
to renegotiate the parameters of the SSL connection on the fly.
|
||||
RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
|
||||
SSL parameter renegotiation is a feature that allows a client and a server
|
||||
to renegotiate the parameters of the SSL connection on the fly.
|
||||
RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
|
||||
you drop support for the insecure renegotiation, prone to MitM attacks.
|
||||
"""
|
||||
})
|
||||
|
|
@ -1003,9 +1006,9 @@ server_ssl_opts_schema(Defaults, IsRanchListener) ->
|
|||
#{ default => D("dhfile")
|
||||
, nullable => true
|
||||
, desc =>
|
||||
"""Path to a file containing PEM-encoded Diffie Hellman parameters
|
||||
to be used by the server if a cipher suite using Diffie Hellman
|
||||
key exchange is negotiated. If not specified, default parameters
|
||||
"""Path to a file containing PEM-encoded Diffie Hellman parameters
|
||||
to be used by the server if a cipher suite using Diffie Hellman
|
||||
key exchange is negotiated. If not specified, default parameters
|
||||
are used.<br>
|
||||
NOTE: The dhfile option is not supported by TLS 1.3."""
|
||||
})
|
||||
|
|
@ -1015,10 +1018,10 @@ NOTE: The dhfile option is not supported by TLS 1.3."""
|
|||
#{ default => Df("fail_if_no_peer_cert", false)
|
||||
, desc =>
|
||||
"""
|
||||
Used together with {verify, verify_peer} by an TLS/DTLS server.
|
||||
If set to true, the server fails if the client does not have a
|
||||
certificate to send, that is, sends an empty certificate.
|
||||
If set to false, it fails only if the client sends an invalid
|
||||
Used together with {verify, verify_peer} by an TLS/DTLS server.
|
||||
If set to true, the server fails if the client does not have a
|
||||
certificate to send, that is, sends an empty certificate.
|
||||
If set to false, it fails only if the client sends an invalid
|
||||
certificate (an empty certificate is considered valid).
|
||||
"""
|
||||
})
|
||||
|
|
@ -1032,13 +1035,13 @@ certificate (an empty certificate is considered valid).
|
|||
sc(boolean(),
|
||||
#{ default => Df("client_renegotiation", true)
|
||||
, desc => """
|
||||
In protocols that support client-initiated renegotiation,
|
||||
the cost of resources of such an operation is higher for the server than the client.
|
||||
This can act as a vector for denial of service attacks.
|
||||
The SSL application already takes measures to counter-act such attempts,
|
||||
but client-initiated renegotiation can be strictly disabled by setting this option to false.
|
||||
The default value is true. Note that disabling renegotiation can result in
|
||||
long-lived connections becoming unusable due to limits on
|
||||
In protocols that support client-initiated renegotiation,
|
||||
the cost of resources of such an operation is higher for the server than the client.
|
||||
This can act as a vector for denial of service attacks.
|
||||
The SSL application already takes measures to counter-act such attempts,
|
||||
but client-initiated renegotiation can be strictly disabled by setting this option to false.
|
||||
The default value is true. Note that disabling renegotiation can result in
|
||||
long-lived connections becoming unusable due to limits on
|
||||
the number of messages the underlying cipher suite can encipher.
|
||||
"""
|
||||
})
|
||||
|
|
@ -1060,15 +1063,15 @@ client_ssl_opts_schema(Defaults) ->
|
|||
#{ default => disable
|
||||
, desc =>
|
||||
"""Specify the host name to be used in TLS Server Name Indication extension.<br>
|
||||
For instance, when connecting to \"server.example.net\", the genuine server
|
||||
which accedpts the connection and performs TSL handshake may differ from the
|
||||
host the TLS client initially connects to, e.g. when connecting to an IP address
|
||||
For instance, when connecting to \"server.example.net\", the genuine server
|
||||
which accedpts the connection and performs TSL handshake may differ from the
|
||||
host the TLS client initially connects to, e.g. when connecting to an IP address
|
||||
or when the host has multiple resolvable DNS records <br>
|
||||
If not specified, it will default to the host name string which is used
|
||||
If not specified, it will default to the host name string which is used
|
||||
to establish the connection, unless it is IP addressed used.<br>
|
||||
The host name is then also used in the host name verification of the peer
|
||||
The host name is then also used in the host name verification of the peer
|
||||
certificate.<br> The special value 'disable' prevents the Server Name
|
||||
Indication extension from being sent and disables the hostname
|
||||
Indication extension from being sent and disables the hostname
|
||||
verification check."""
|
||||
})}
|
||||
].
|
||||
|
|
@ -1090,22 +1093,22 @@ ciphers_schema(Default) ->
|
|||
end
|
||||
, validator => fun validate_ciphers/1
|
||||
, desc =>
|
||||
"""TLS cipher suite names separated by comma, or as an array of strings
|
||||
<code>\"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256\"</code> or
|
||||
"""TLS cipher suite names separated by comma, or as an array of strings
|
||||
<code>\"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256\"</code> or
|
||||
<code>[\"TLS_AES_256_GCM_SHA384\",\"TLS_AES_128_GCM_SHA256\"]</code].
|
||||
<br>
|
||||
Ciphers (and their ordering) define the way in which the
|
||||
client and server encrypts information over the wire.
|
||||
Selecting a good cipher suite is critical for the
|
||||
application's data security, confidentiality and performance.
|
||||
The names should be in OpenSSL sting format (not RFC format).
|
||||
Default values and examples proveded by EMQ X config
|
||||
Ciphers (and their ordering) define the way in which the
|
||||
client and server encrypts information over the wire.
|
||||
Selecting a good cipher suite is critical for the
|
||||
application's data security, confidentiality and performance.
|
||||
The names should be in OpenSSL sting format (not RFC format).
|
||||
Default values and examples proveded by EMQ X config
|
||||
documentation are all in OpenSSL format.<br>
|
||||
|
||||
NOTE: Certain cipher suites are only compatible with
|
||||
specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3')
|
||||
incompatible cipher suites will be silently dropped.
|
||||
For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
|
||||
NOTE: Certain cipher suites are only compatible with
|
||||
specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3')
|
||||
incompatible cipher suites will be silently dropped.
|
||||
For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
|
||||
configuring cipher suites for other versions will have no effect.
|
||||
<br>
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue