diff --git a/apps/emqx/i18n/emqx_schema_i18n.conf b/apps/emqx/i18n/emqx_schema_i18n.conf
index c1df430db..f889ac547 100644
--- a/apps/emqx/i18n/emqx_schema_i18n.conf
+++ b/apps/emqx/i18n/emqx_schema_i18n.conf
@@ -990,4 +990,1100 @@ NOTE: This is a cluster-wide configuration. It requires all nodes to be stopped
 zh: """是否开启客户端已成功取消订阅主题事件消息。"""
 }
 }
+
+
+fields_authorization_no_match {
+ desc {
+ en: """
+Default access control action if the user or client matches no ACL rules,
+or if no such user or client is found by the configurable authorization
+sources such as built_in_database, an HTTP API, or a query against PostgreSQL.
+Find more details in 'authorization.sources' config.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_authorization_deny_action {
+ desc {
+ en: """
+The action when the authorization check rejects an operation.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_cache_enable {
+ desc {
+ en: """
+Enable or disable the authorization cache.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_cache_max_size {
+ desc {
+ en: """
+Maximum number of cached items.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_cache_ttl {
+ desc {
+ en: """
+Time to live for the cached data.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_deflate_opts_level {
+ desc {
+ en: """
+Compression level.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_deflate_opts_mem_level {
+ desc {
+ en: """
+Specifies the size of the compression state.
+ Lower values decrease memory usage per connection.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_deflate_opts_strategy {
+ desc {
+ en: """
+Specifies the compression strategy.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_deflate_opts_server_context_takeover {
+ desc {
+ en: """
+Takeover means the compression state is retained
+ between server messages.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_deflate_opts_client_context_takeover {
+ desc {
+ en: """
+Takeover means the compression state is retained
+ between client messages.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_deflate_opts_server_max_window_bits {
+ desc {
+ en: """
+Specifies the size of the compression context for the server.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_deflate_opts_client_max_window_bits {
+ desc {
+ en: """
+Specifies the size of the compression context for the client.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_enable {
+ desc {
+ en: """
+Enable TLS.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_cacertfile {
+ desc {
+ en: """
+Trusted PEM format CA certificates bundle file.
+The certificates in this file are used to verify the TLS peer's certificates.
+Append new certificates to the file if new CAs are to be trusted.
+There is no need to restart EMQX to have the updated file loaded, because
+the system regularly checks if file has been updated (and reload).
+NOTE: invalidating (deleting) a certificate from the file will not affect
+already established connections.
+
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_certfile {
+ desc {
+ en: """
+PEM format certificates chain file.
+The certificates in this file should be in reversed order of the certificate
+issue chain. That is, the host's certificate should be placed in the beginning
+of the file, followed by the immediate issuer certificate and so on.
+Although the root CA certificate is optional, it should be placed at the end of
+the file if it is to be added.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_keyfile {
+ desc {
+ en: """
+PEM format private key file.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_verify {
+ desc {
+ en: """
+Enable or disable peer verification.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_reuse_sessions {
+ desc {
+ en: """
+Enable TLS session reuse.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_depth {
+ desc {
+ en: """
+Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_password {
+ desc {
+ en: """
+String containing the user's password. Only used if the private
+key file is password-protected.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_versions {
+ desc {
+ en: """
+All TLS/DTLS versions to be supported.
+NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
+In case PSK cipher suites are intended, make sure to configured
+['tlsv1.2', 'tlsv1.1'] here.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+ciphers_schema_0 {
+ desc {
+ en: """
+This config holds TLS cipher suite names separated by comma,
+or as an array of strings. e.g.
+"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256" or
+["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
+
+
+Ciphers (and their ordering) define the way in which the
+client and server encrypts information over the network connection.
+Selecting a good cipher suite is critical for the
+application's data security, confidentiality and performance.
+
+The names should be in OpenSSL string format (not RFC format).
+All default values and examples provided by EMQX config
+documentation are all in OpenSSL format.
+
+NOTE: Certain cipher suites are only compatible with
+specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3')
+incompatible cipher suites will be silently dropped.
+For instance, if only 'tlsv1.3' is given in the versions,
+configuring cipher suites for other versions will have no effect.
+
+
+NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
+If PSK cipher suites are intended, 'tlsv1.3' should be disabled from versions.
+PSK cipher suites: "RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
+RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
+RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
+RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"
+
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_user_lookup_fun {
+ desc {
+ en: """
+EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+common_ssl_opts_schema_secure_renegotiate {
+ desc {
+ en: """
+SSL parameter renegotiation is a feature that allows a client and a server
+to renegotiate the parameters of the SSL connection on the fly.
+RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
+you drop support for the insecure renegotiation, prone to MitM attacks.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+server_ssl_opts_schema_dhfile {
+ desc {
+ en: """
+Path to a file containing PEM-encoded Diffie-Hellman parameters
+to be used by the server if a cipher suite using Diffie-Hellman
+key exchange is negotiated. If not specified, default parameters
+are used.
+NOTE: The dhfile option is not supported by TLS 1.3.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+server_ssl_opts_schema_fail_if_no_peer_cert {
+ desc {
+ en: """
+Used together with {verify, verify_peer} by an TLS/DTLS server.
+If set to true, the server fails if the client does not have a
+certificate to send, that is, sends an empty certificate.
+If set to false, it fails only if the client sends an invalid
+certificate (an empty certificate is considered valid).
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+server_ssl_opts_schema_honor_cipher_order {
+ desc {
+ en: """
+An important security setting, it forces the cipher to be set based
+ on the server-specified order instead of the client-specified order,
+ hence enforcing the (usually more properly configured) security
+ ordering of the server administrator.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+server_ssl_opts_schema_client_renegotiation {
+ desc {
+ en: """
+In protocols that support client-initiated renegotiation,
+the cost of resources of such an operation is higher for the server than the client.
+This can act as a vector for denial of service attacks.
+The SSL application already takes measures to counter-act such attempts,
+but client-initiated renegotiation can be strictly disabled by setting this option to false.
+The default value is true. Note that disabling renegotiation can result in
+long-lived connections becoming unusable due to limits on
+the number of messages the underlying cipher suite can encipher. 
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+server_ssl_opts_schema_handshake_timeout {
+ desc {
+ en: """
+Maximum time duration allowed for the handshake to complete
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_listeners_tcp {
+ desc {
+ en: """
+TCP listeners
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_listeners_ssl {
+ desc {
+ en: """
+SSL listeners
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_listeners_ws {
+ desc {
+ en: """
+HTTP websocket listeners
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_listeners_wss {
+ desc {
+ en: """
+HTTPS websocket listeners
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_listeners_quic {
+ desc {
+ en: """
+QUIC listeners
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_mqtt_quic_listener_enabled {
+ desc {
+ en: """
+Enable QUIC listener.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_mqtt_quic_listener_certfile {
+ desc {
+ en: """
+Path to the certificate file.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_mqtt_quic_listener_keyfile {
+ desc {
+ en: """
+Path to the secret key file.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_mqtt_quic_listener_idle_timeout {
+ desc {
+ en: """
+Close transport-layer connections from the clients that have not sent MQTT CONNECT
+message within this interval.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+base_listener_bind {
+ desc {
+ en: """
+IP address and port for the listening socket.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+base_listener_acceptors {
+ desc {
+ en: """
+The size of the listener's receiving pool.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+base_listener_max_connections {
+ desc {
+ en: """
+The maximum number of concurrent connections allowed by the listener. 
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+base_listener_mountpoint {
+ desc {
+ en: """
+When publishing or subscribing, prefix all topics with a mountpoint string.
+ The prefixed string will be removed from the topic name when the message
+ is delivered to the subscriber. The mountpoint is a way that users can use
+ to implement isolation of message routing between different listeners.
+ For example if a client A subscribes to `t` with `listeners.tcp..mountpoint`
+ set to `some_tenant`, then the client actually subscribes to the topic
+ `some_tenant/t`. Similarly, if another client B (connected to the same listener
+ as the client A) sends a message to topic `t`, the message is routed
+ to all the clients subscribed `some_tenant/t`, so client A will receive the
+ message, with topic name `t`.
+ Set to `""` to disable the feature.
+
+ Variables in mountpoint string:
+ - ${clientid}: clientid
+ - ${username}: username
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+base_listener_zone {
+ desc {
+ en: """
+The configuration zone to which the listener belongs.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+base_listener_limiter {
+ desc {
+ en: """
+Type of the rate limit.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+mqtt_listener_access_rules {
+ desc {
+ en: """
+The access control rules for this listener.
 See: https://github.com/emqtt/esockd#allowdeny
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+mqtt_listener_proxy_protocol {
+ desc {
+ en: """
+Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed
+ behind HAProxy or Nginx.
 See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+mqtt_listener_proxy_protocol_timeout {
+ desc {
+ en: """
+Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+authentication_0 {
+ desc {
+ en: """
+Per-listener authentication override
+Authentication can be one single authenticator instance or a chain of authenticators as an array.
+When authenticating a login (username, client ID, etc.) the authenticators are checked in the configured order.
+
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_rate_limit_max_conn_rate {
+ desc {
+ en: """
+Maximum connections per second.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_rate_limit_conn_messages_in {
+ desc {
+ en: """
+Message limit for the external MQTT connections.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_rate_limit_conn_bytes_in {
+ desc {
+ en: """
+Limit the rate of receiving packets for a MQTT connection.
+The rate is counted by bytes of packets per second.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+client_ssl_opts_schema_server_name_indication {
+ desc {
+ en: """
+Specify the host name to be used in TLS Server Name Indication extension.
+For instance, when connecting to "server.example.net", the genuine server
+which accepts the connection and performs TLS handshake may differ from the
+host the TLS client initially connects to, e.g. when connecting to an IP address
+or when the host has multiple resolvable DNS records
+If not specified, it will default to the host name string which is used
+to establish the connection, unless it is IP addressed used.
+The host name is then also used in the host name verification of the peer
+certificate.
 The special value 'disable' prevents the Server Name
+Indication extension from being sent and disables the hostname
+verification check.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_active_n {
+ desc {
+ en: """
+Specify the {active, N} option for this Socket.
 See: https://erlang.org/doc/man/inet.html#setopts-2
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_backlog {
+ desc {
+ en: """
+TCP backlog defines the maximum length that the queue of
+ pending connections can grow to.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_send_timeout {
+ desc {
+ en: """
+The TCP send timeout for the connections.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_send_timeout_close {
+ desc {
+ en: """
+Close the connection if send timeout.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_recbuf {
+ desc {
+ en: """
+The TCP receive buffer (OS kernel) for the connections.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_sndbuf {
+ desc {
+ en: """
+The TCP send buffer (OS kernel) for the connections.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_buffer {
+ desc {
+ en: """
+The size of the user-space buffer used by the driver.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_high_watermark {
+ desc {
+ en: """
+The socket is set to a busy state when the amount of data queued internally
+ by the VM socket implementation reaches this limit.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_nodelay {
+ desc {
+ en: """
+The TCP_NODELAY flag for the connections.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_tcp_opts_reuseaddr {
+ desc {
+ en: """
+The SO_REUSEADDR flag for the connections.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_trace_payload_encode {
+ desc {
+ en: """
+Determine the format of the payload format in the trace file.
+`text`: Text-based protocol or plain text protocol.
+ It is recommended when payload is JSON encoded.
+`hex`: Binary hexadecimal encode. It is recommended when payload is a custom binary protocol.
+`hidden`: payload is obfuscated as `******`
+
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_mqtt_path {
+ desc {
+ en: """
+WebSocket's MQTT protocol path. So the address of
+ EMQX Broker's WebSocket is: ws://{ip}:{port}/mqtt
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_mqtt_piggyback {
+ desc {
+ en: """
+Whether a WebSocket message is allowed to contain multiple MQTT packets.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_compress {
+ desc {
+ en: """
+If true, compress WebSocket messages using zlib.
+The configuration items under deflate_opts belong to the compression-related parameter configuration.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_idle_timeout {
+ desc {
+ en: """
+Close transport-layer connections from the clients that have not sent MQTT CONNECT
+message within this interval.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_max_frame_size {
+ desc {
+ en: """
+The maximum length of a single MQTT packet.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_fail_if_no_subprotocol {
+ desc {
+ en: """
+If true, the server will return an error when
+ the client does not carry the Sec-WebSocket-Protocol field.
+
 Note: WeChat applet needs to disable this verification.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_supported_subprotocols {
+ desc {
+ en: """
+Comma-separated list of supported subprotocols.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_check_origin_enable {
+ desc {
+ en: """
+If true, origin HTTP header will be
+ validated against the list of allowed origins configured in check_origins
+ parameter.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_allow_origin_absence {
+ desc {
+ en: """
+If false and check_origin_enable is
+ true, the server will reject requests that don't have origin
+ HTTP header.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_check_origins {
+ desc {
+ en: """
+List of allowed origins.
 See check_origin_enable.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_proxy_address_header {
+ desc {
+ en: """
+HTTP header used to pass information about the client IP address.
+ Relevant when the EMQX cluster is deployed behind a load-balancer.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
+fields_ws_opts_proxy_port_header {
+ desc {
+ en: """
+HTTP header used to pass information about the client port.
+ Relevant when the EMQX cluster is deployed behind a load-balancer.
+"""
+ zh: """"""
+ }
+ label: {
+ en: ""
+ zh: ""
+ }
+}
+
 }