yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(quic): update emqx_schema for quic

This commit is contained in:
William Yang 2021-06-11 11:12:07 +02:00
parent bb6459ba3a
commit 68844cefd9
2 changed files with 143 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

220
apps/emqx/etc/emqx.conf
View File

@ -2184,43 +2184,43 @@ listener.quic.external.max_connections = 16
## Value: Number
listener.quic.external.max_conn_rate = 1000
## Simulate the {active, N} option for the MQTT/QUIC connections.
##
## Value: Number
listener.quic.external.active_n = 100
# ## Simulate the {active, N} option for the MQTT/QUIC connections.
# ##
# ## Value: Number
# listener.quic.external.active_n = 100
## Zone of the external MQTT/QUIC listener belonged to.
##
## Value: String
listener.quic.external.zone = external
## The access control rules for the MQTT/QUIC listener.
##
## See: listener.tcp.$name.access.<no>
##
## Value: ACL Rule
listener.quic.external.access.1 = "allow all"
# ## The access control rules for the MQTT/QUIC listener.
# ##
# ## See: listener.tcp.$name.access.<no>
# ##
# ## Value: ACL Rule
# listener.quic.external.access.1 = "allow all"
## Sets the timeout for proxy protocol.
##
## See: listener.tcp.$name.proxy_protocol_timeout
##
## Value: Duration
## listener.quic.external.proxy_protocol_timeout = 3s
# ## Sets the timeout for proxy protocol.
# ##
# ## See: listener.tcp.$name.proxy_protocol_timeout
# ##
# ## Value: Duration
# ## listener.quic.external.proxy_protocol_timeout = 3s
## TLS versions only to protect from POODLE attack.
##
## See: listener.ssl.$name.tls_versions
##
## Value: String, seperated by ','
## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
## listener.quic.external.tls_versions = tlsv1.3,tlsv1.2,tlsv1.1,tlsv1
# ## TLS versions only to protect from POODLE attack.
# ##
# ## See: listener.ssl.$name.tls_versions
# ##
# ## Value: String, seperated by ','
# ## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
# ## listener.quic.external.tls_versions = tlsv1.3,tlsv1.2,tlsv1.1,tlsv1
## Path to the file containing the user's private PEM-encoded key.
##
## See: listener.ssl.$name.keyfile
##
## Value: File
# ## Path to the file containing the user's private PEM-encoded key.
# ##
# ## See: listener.ssl.$name.keyfile
# ##
# ## Value: File
listener.quic.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
## Path to a file containing the user certificate.
@ -2230,100 +2230,100 @@ listener.quic.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem"
## Value: File
listener.quic.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
## Path to the file containing PEM-encoded CA certificates.
##
## See: listener.ssl.$name.cacert
##
## Value: File
## listener.quic.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
# ## Path to the file containing PEM-encoded CA certificates.
# ##
# ## See: listener.ssl.$name.cacert
# ##
# ## Value: File
# ## listener.quic.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
## Maximum number of non-self-issued intermediate certificates that
## can follow the peer certificate in a valid certification path.
##
## See: listener.ssl.external.depth
##
## Value: Number
## listener.quic.external.depth = 10
# ## Maximum number of non-self-issued intermediate certificates that
# ## can follow the peer certificate in a valid certification path.
# ##
# ## See: listener.ssl.external.depth
# ##
# ## Value: Number
# ## listener.quic.external.depth = 10
## String containing the user's password. Only used if the private keyfile
## is password-protected.
##
## See: listener.ssl.$name.key_password
##
## Value: String
## listener.quic.external.key_password = yourpass
# ## String containing the user's password. Only used if the private keyfile
# ## is password-protected.
# ##
# ## See: listener.ssl.$name.key_password
# ##
# ## Value: String
# ## listener.quic.external.key_password = yourpass
## See: listener.ssl.$name.dhfile
##
## Value: File
## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
# ## See: listener.ssl.$name.dhfile
# ##
# ## Value: File
# ## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
## See: listener.ssl.$name.verify
##
## Value: verify_peer | verify_none
## listener.quic.external.verify = verify_peer
# ## See: listener.ssl.$name.verify
# ##
# ## Value: verify_peer | verify_none
# ## listener.quic.external.verify = verify_peer
## See: listener.ssl.$name.fail_if_no_peer_cert
##
## Value: false | true
## listener.quic.external.fail_if_no_peer_cert = true
# ## See: listener.ssl.$name.fail_if_no_peer_cert
# ##
# ## Value: false | true
# ## listener.quic.external.fail_if_no_peer_cert = true
## See: listener.ssl.$name.ciphers
##
## Value: Ciphers
# ## See: listener.ssl.$name.ciphers
# ##
# ## Value: Ciphers
listener.quic.external.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
## Ciphers for TLS PSK.
## Note that 'listener.quic.external.ciphers' and 'listener.quic.external.psk_ciphers' cannot
## be configured at the same time.
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
## listener.quic.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
# ## Ciphers for TLS PSK.
# ## Note that 'listener.quic.external.ciphers' and 'listener.quic.external.psk_ciphers' cannot
# ## be configured at the same time.
# ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
# ## listener.quic.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
## See: listener.ssl.$name.secure_renegotiate
##
## Value: on | off
## listener.quic.external.secure_renegotiate = off
# ## See: listener.ssl.$name.secure_renegotiate
# ##
# ## Value: on | off
# ## listener.quic.external.secure_renegotiate = off
## See: listener.ssl.$name.reuse_sessions
##
## Value: on | off
## listener.quic.external.reuse_sessions = on
# ## See: listener.ssl.$name.reuse_sessions
# ##
# ## Value: on | off
# ## listener.quic.external.reuse_sessions = on
## See: listener.ssl.$name.honor_cipher_order
##
## Value: on | off
## listener.quic.external.honor_cipher_order = on
# ## See: listener.ssl.$name.honor_cipher_order
# ##
# ## Value: on | off
# ## listener.quic.external.honor_cipher_order = on
## See: listener.ssl.$name.peer_cert_as_username
##
## Value: cn | dn | crt | pem | md5
## listener.quic.external.peer_cert_as_username = cn
# ## See: listener.ssl.$name.peer_cert_as_username
# ##
# ## Value: cn | dn | crt | pem | md5
# ## listener.quic.external.peer_cert_as_username = cn
## See: listener.ssl.$name.peer_cert_as_clientid
##
## Value: cn | dn | crt | pem | md5
## listener.quic.external.peer_cert_as_clientid = cn
# ## See: listener.ssl.$name.peer_cert_as_clientid
# ##
# ## Value: cn | dn | crt | pem | md5
# ## listener.quic.external.peer_cert_as_clientid = cn
## TCP backlog for the QUIC connection.
##
## See: listener.tcp.$name.backlog
##
## Value: Number >= 0
listener.quic.external.backlog = 1024
# ## TCP backlog for the QUIC connection.
# ##
# ## See: listener.tcp.$name.backlog
# ##
# ## Value: Number >= 0
# listener.quic.external.backlog = 1024
## The TCP send timeout for the QUIC connection.
##
## See: listener.tcp.$name.send_timeout
##
## Value: Duration
listener.quic.external.send_timeout = 15s
# ## The TCP send timeout for the QUIC connection.
# ##
# ## See: listener.tcp.$name.send_timeout
# ##
# ## Value: Duration
# listener.quic.external.send_timeout = 15s
## Close the QUIC connection if send timeout.
##
## See: listener.tcp.$name.send_timeout_close
##
## Value: on | off
listener.quic.external.send_timeout_close = on
# ## Close the QUIC connection if send timeout.
# ##
# ## See: listener.tcp.$name.send_timeout_close
# ##
# ## Value: on | off
# listener.quic.external.send_timeout_close = on
## The TCP receive buffer(os kernel) for the QUIC connections.
##
@ -2424,19 +2424,19 @@ listener.quic.external.send_timeout_close = on
## Whether a WebSocket message is allowed to contain multiple MQTT packets
##
## Value: single | multiple
listener.quic.external.mqtt_piggyback = multiple
#listener.quic.external.mqtt_piggyback = multiple
## Enable origin check in header for secure websocket connection
##
## Value: true | false (default false)
listener.quic.external.check_origin_enable = false
#listener.quic.external.check_origin_enable = false
## Allow origin to be absent in header in secure websocket connection when check_origin_enable is true
##
## Value: true | false (default true)
listener.quic.external.allow_origin_absence = true
#listener.quic.external.allow_origin_absence = true
## Comma separated list of allowed origin in header for secure websocket connection
##
## Value: http://url eg. https://localhost:8084, https://127.0.0.1:8084
listener.quic.external.check_origins = "https://localhost:8084, https://127.0.0.1:8084"
#listener.quic.external.check_origins = "https://localhost:8084, https://127.0.0.1:8084"
## CONFIG_SECTION_END=listeners ================================================

34
apps/emqx/src/emqx_schema.erl
View File

@ -282,6 +282,7 @@ fields("listener") ->
, {"ssl", ref("ssl_listener")}
, {"ws", ref("ws_listener")}
, {"wss", ref("wss_listener")}
, {"quic", ref("quic_listener")}
];
fields("tcp_listener") ->
@ -296,6 +297,9 @@ fields("ws_listener") ->
fields("wss_listener") ->
[ {"$name", ref("wss_listener_settings")}];
fields("quic_listener") ->
[ {"$name", ref("quic_listener_settings")}];
fields("listener_settings") ->
[ {"endpoint", t(union(ip_port(), integer()))}
, {"acceptors", t(integer(), undefined, 8)}
@ -356,6 +360,32 @@ fields("wss_listener_settings") ->
Settings = lists:ukeymerge(1, Ssl, fields("ws_listener_settings")),
lists:keydelete("high_watermark", 1, Settings);
fields("quic_listener_settings") ->
Unsupported = [ "max_connections"
, "max_conn_rate"
, "active_n"
, "access"
, "proxy_protocol"
, "proxy_protocol_timeout"
, "backlog"
, "send_timeout"
, "send_timeout_close"
, "recvbuf"
, "sndbuf"
, "buffer"
, "high_watermark"
, "tune_buffer"
, "nodelay"
, "reuseaddr"
],
lists:foldl(fun(K, Acc) ->
lists:keydelete(K, 1, Acc)
end,
[ {"certfile", t(string(), "emqx.certfile", undefined)}
, {"keyfile", t(string(), "emqx.keyfile", undefined)}
| fields("listener_settings")],
Unsupported);
fields("access") ->
[ {"$id", t(string(), undefined, undefined)}];
@ -772,7 +802,9 @@ tr_listeners(Conf) ->
lists:flatten([TcpListeners("tcp", Name) || Name <- keys("listener.tcp", Conf)]
++ [TcpListeners("ws", Name) || Name <- keys("listener.ws", Conf)]
++ [SslListeners("ssl", Name) || Name <- keys("listener.ssl", Conf)]
++ [SslListeners("wss", Name) || Name <- keys("listener.wss", Conf)]).
++ [SslListeners("wss", Name) || Name <- keys("listener.wss", Conf)]
++ [SslListeners("quic", Name) || Name <- keys("listener.quic", Conf)]
).
tr_modules(Conf) ->
Subscriptions = fun() ->