diff --git a/etc/emq.conf b/etc/emq.conf
index 4cb8fc04b..ef16ecc6b 100644
--- a/etc/emq.conf
+++ b/etc/emq.conf
@@ -841,10 +841,21 @@ listener.ssl.external.access.1 = allow all
 ## Value: Duration
 listener.ssl.external.handshake_timeout = 15s
+## Path to the file containing the user's private PEM-encoded key.
+## More information at: http://erlang.org/doc/man/ssl.html
+##
+## Value: File
 listener.ssl.external.keyfile = {{ platform_etc_dir }}/certs/key.pem
+## Path to a file containing the user certificate.
+##
+## Value: File
 listener.ssl.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
+## Path to a file containing PEM-encoded CA certificates. The CA certificates
+## are used during server authentication and when building the client certificate chain.
+##
+## Value: File
 ## listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
 ## The Ephemeral Diffie-Helman key exchange is a very effective way of
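Review bot: The cacertfile description added at the end of the hunk reads like the client-side wording of the Erlang ssl manual ("used during server authentication and when building the client certificate chain"), which is misleading for a listener: on the server side this file is what the broker uses to verify client certificates once `listener.ssl.external.verify = verify_peer` is set. Since the example keeps cacertfile commented out while the verify_peer example further down relies on it, the comment should say so. Suggest `## Path to a file containing PEM-encoded CA certificates. They are used to build the` / `## server certificate chain and to verify client certificates when 'verify' is verify_peer.`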
@@ -860,114 +871,238 @@ listener.ssl.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## to force our SSL application to use the new DH group. Fortunately,
 ## OpenSSL provides us with a tool to do that. Simply run:
 ## openssl dhparam -out dh-params.pem 2048
+##
+## Value: File
 ## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
+## A server only does x509-path validation in mode verify_peer,
+## as it then sends a certificate request to the client (this
+## message is not sent if the verify option is verify_none).
+## You can then also want to specify option fail_if_no_peer_cert.
+## More information at: http://erlang.org/doc/man/ssl.html
+##
+## Value: verify_peer | verify_none
 ## listener.ssl.external.verify = verify_peer
+## Used together with {verify, verify_peer} by an SSL server. If set to true,
+## the server fails if the client does not have a certificate to send, that is,
+## sends an empty certificate.
+##
+## Value: true | false
 ## listener.ssl.external.fail_if_no_peer_cert = true
-### This is the single most important configuration option of an Erlang SSL application.
-### Ciphers (and their ordering) define the way the client and server encrypt information
-### over the wire, from the initial Diffie-Helman key exchange, the session key encryption
-### algorithm and the message digest algorithm. Selecting a good cipher suite is critical
-### for the application’s data security, confidentiality and performance.
-### The cipher list above offers:
-###
-### A good balance between compatibility with older browsers. It can get stricter for Machine-To-Machine scenarios.
-### Perfect Forward Secrecy.
-### No old/insecure encryption and HMAC algorithms
-###
-### Most of it was copied from Mozilla’s Server Side TLS article
+## This is the single most important configuration option of an Erlang SSL application.
+## Ciphers (and their ordering) define the way the client and server encrypt information
+## over the wire, from the initial Diffie-Helman key exchange, the session key encryption
+## algorithm and the message digest algorithm. Selecting a good cipher suite is critical
+## for the application’s data security, confidentiality and performance.
+## The cipher list above offers:
+##
+## A good balance between compatibility with older browsers. It can get stricter for Machine-To-Machine scenarios.
+## Perfect Forward Secrecy.
+## No old/insecure encryption and HMAC algorithms
+##
+## Most of it was copied from Mozilla’s Server Side TLS article
+##
+## Value: Ciphers
 ## listener.ssl.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
-### SSL parameter renegotiation is a feature that allows a client and
-### a server to renegotiate the parameters of the SSL connection on the fly.
-### RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
-### you drop support for the insecure renegotiation, prone to MitM attacks.
+## SSL parameter renegotiation is a feature that allows a client and
+## a server to renegotiate the parameters of the SSL connection on the fly.
+## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
+## you drop support for the insecure renegotiation, prone to MitM attacks.
+##
+## Value: on | off
 ## listener.ssl.external.secure_renegotiate = off
-### A performance optimization setting, it allows clients to reuse
-### pre-existing sessions, instead of initializing new ones.
-### Read more about it here.
+## A performance optimization setting, it allows clients to reuse
+## pre-existing sessions, instead of initializing new ones.
+## Read more about it here.
+## More information at: http://erlang.org/doc/man/ssl.html
+##
+## Value: on | off
 ## listener.ssl.external.reuse_sessions = on
-### An important security setting, it forces the cipher to be set based on
-### the server-specified order instead of the client-specified order,
-### hence enforcing the (usually more properly configured) security
-### ordering of the server administrator.
+## An important security setting, it forces the cipher to be set based
+## on the server-specified order instead of the client-specified order,
+## hence enforcing the (usually more properly configured) security
+## ordering of the server administrator.
+##
+## Value: on | off
 ## listener.ssl.external.honor_cipher_order = on
-### Use the CN or DN value from the client certificate as a username.
-### Notice: 'verify' should be configured as 'verify_peer'
+## Use the CN or DN value from the client certificate as a username.
+## Notice that 'verify' should be set as 'verify_peer'.
+##
+## Value: cn | dn
 ## listener.ssl.external.peer_cert_as_username = cn
-## SSL Socket Options
+## TCP backlog for the SSL connection.
+## See 'listener.tcp.external.backlog'
+##
+## Value: Number >= 0
 ## listener.ssl.external.backlog = 1024
+## The TCP send timeout for the SSL connection.
+## See 'listener.tcp.external.send_timeout'
+##
+## Value: Duration
 ## listener.ssl.external.send_timeout = 15s
+## See 'listener.tcp.external.send_timeout_close'
+##
+## Value: on | off
 ## listener.ssl.external.send_timeout_close = on
+## See 'listener.tcp.external.recbuf'
+##
+## Value: Bytes
 ## listener.ssl.external.recbuf = 4KB
+## See 'listener.tcp.external.sndbuf'
+##
+## Value: Bytes
 ## listener.ssl.external.sndbuf = 4KB
+## See 'listener.tcp.external.buffer'
+##
+## Value: Bytes
 ## listener.ssl.external.buffer = 4KB
+## See 'listener.tcp.external.nodelay'
+##
+## Value: true | false
 ## listener.ssl.external.nodelay = true
 ##--------------------------------------------------------------------
-## External MQTT/WebSocket Listener
+## External WebSocket Listener for MQTT Protocol
+## listener.ws. is the IP address and port that the MQTT/Websocket
+## listener will bind.
+##
+## Value: IP:Port | Port
+##
+## Examples: 8083, 127.0.0.1:8083, ::1:8083
 listener.ws.external = 8083
+## The acceptor pool for external MQTT/Websocket listener.
+##
+## Value: Number
 listener.ws.external.acceptors = 4
+## Maximum number of concurrent MQTT/Websocket connections.
+##
+## Value: Number
 listener.ws.external.max_clients = 64
+## TODO: Zone of the external MQTT/Websocket listener belonged to.
+##
+## Value: String
 ## listener.ws.external.zone = external
+## Mountpoint of the MQTT/Websocket Listener. All the topics of
+## this listener will be prefixed with the mount point if this
+## option is enabled.
+##
+## Value: String
+## listener.ws.external.mountpoint = external/
+
+## The access control rules for the MQTT/Websocket listener.
+##
+## Value: ACL Rule
 listener.ws.external.access.1 = allow all
-## Proxy Protocol V1/2
+## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind
+## HAProxy or Nginx.
+##
+## Value: on | off
 ## listener.ws.external.proxy_protocol = on
+
+## See 'listener.tcp.external.proxy_protocol_timeout'
+##
+## Value: Duration
 ## listener.ws.external.proxy_protocol_timeout = 3s
 ## TCP Options
 listener.ws.external.backlog = 1024
+## See 'listener.tcp.external.send_timeout'
+##
+## Value: Duration
 listener.ws.external.send_timeout = 15s
+## See 'listener.tcp.external.send_timeout_close'
+##
+## Value: on | off
 listener.ws.external.send_timeout_close = on
-listener.ws.external.recbuf = 4KB
+## See 'listener.tcp.external.recbuf'
+##
+## Value: Bytes
+## listener.ws.external.recbuf = 4KB
-listener.ws.external.sndbuf = 4KB
+## See 'listener.tcp.external.sndbuf'
+##
+## Value: Bytes
+## listener.ws.external.sndbuf = 4KB
-listener.ws.external.buffer = 4KB
+## See 'listener.tcp.external.buffer'
+##
+## Value: Bytes
+## listener.ws.external.buffer = 4KB
+## See 'listener.tcp.external.nodelay'
+##
+## Value: true | false
 listener.ws.external.nodelay = true
 ##--------------------------------------------------------------------
-## External MQTT/WebSocket/SSL Listener
+## External WebSocket/SSL listener for MQTT Protocol
+## listener.wss. is the IP address and port that the MQTT/Websocket/SSL
+## listener will bind.
+##
+## Value: IP:Port | Port
+##
+## Examples: 8084, 127.0.0.1:8084, ::1:8084
 listener.wss.external = 8084
+## The acceptor pool for external MQTT/Websocket/SSL listener.
+##
+## Value: Number
 listener.wss.external.acceptors = 4
+## Maximum number of concurrent MQTT/Webwocket/SSL connections.
+##
+## Value: Number
 listener.wss.external.max_clients = 64
+## TODO: Zone of the external MQTT/Websocket/SSL listener belonged to.
+##
+## Value: String
 ## listener.wss.external.zone = external
+## See 'listener.ssl.external.mountpoint'
+##
+## Value: String
+## listener.wss.external.mountpoint = inbound/
+
+## See 'listener.ssl.external.acess.1'
+##
+## Value: ACL Rule
 listener.wss.external.access.1 = allow all
-## Proxy Protocol V1/2
+## See 'listener.ssl.external.proxy_protocol'
+##
+## Value: on | off
 ## listener.wss.external.proxy_protocol = on
+
+## See 'listener.ssl.external.proxy_protocol_timeout'
+##
+## Value: Duration
 ## listener.wss.external.proxy_protocol_timeout = 3s
-## SSL Option
-### SSL Options. See http://erlang.org/doc/man/ssl.html
-
+## SSL Options. Same to 'listener.ssl.*'
 listener.wss.external.handshake_timeout = 15s
 listener.wss.external.keyfile = {{ platform_etc_dir }}/certs/key.pem
@@ -976,10 +1111,23 @@ listener.wss.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## listener.wss.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
+## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
+
 ## listener.wss.external.verify = verify_peer
 ## listener.wss.external.fail_if_no_peer_cert = true
+## listener.wss.external.ciphers =
+
+## listener.wss.external.secure_renegotiate = off
+
+## listener.wss.external.reuse_sessions = on
+
+## listener.wss.external.honor_cipher_order = on
+
+## listener.wss.external.peer_cert_as_username = cn
+
+## TCP Options. Same to 'listener.tcp.*'
 listener.wss.external.backlog = 1024
 listener.wss.external.send_timeout = 15s
diff --git a/priv/emq.schema b/priv/emq.schema
index aaefce4c2..ca242c4c7 100644
--- a/priv/emq.schema
+++ b/priv/emq.schema
@@ -702,8 +702,8 @@ end}.
 %%--------------------------------------------------------------------
 {mapping, "mqtt.broker.sys_interval", "emqttd.broker_sys_interval", [
- {default, 60},
- {datatype, integer}
+ {datatype, {duration, ms}},
+ {default, "1m"}
 ]}.
 %%--------------------------------------------------------------------
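Review bot: The ciphers comment that this hunk re-prefixes to `##` says `## The cipher list above offers:` and `## No old/insecure encryption and HMAC algorithms`, but the example list is below it and still includes ECDHE-ECDSA-DES-CBC3-SHA (3DES) plus a long tail of CBC/SHA-1 suites, so the claim misdescribes the very example it introduces. Suggest `## The cipher list below offers:` and weakening the bullet to `## Mostly modern encryption and HMAC algorithms (review the 3DES and CBC/SHA-1 entries before use)`. In the same spirit, the secure_renegotiate text explains that enabling it drops the MitM-prone insecure renegotiation, yet the example reads `## listener.ssl.external.secure_renegotiate = off`; showing `on` would match the advice instead of inviting operators to copy the weaker value. `## Read more about it here.` under reuse_sessions still carries no link, and the hunk also introduces the typos 'Webwocket' and `See 'listener.ssl.external.acess.1'`.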
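Review bot: The added example `## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem` sits inside the wss listener block but carries the `listener.ssl.external.` prefix, so an operator uncommenting it would configure the other listener and leave the wss listener without the intended DH parameters; it should read `## listener.wss.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem`. The `## listener.wss.external.ciphers =` example has no value, so uncommenting it as-is yields an empty setting; either repeat the ssl listener's example list or state in the comment that the same list as `listener.ssl.external.ciphers` is expected.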
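Review bot: Switching `mqtt.broker.sys_interval` from `{datatype, integer}` with default 60 to `{datatype, {duration, ms}}` with default "1m" changes both the accepted syntax and the unit delivered to `emqttd.broker_sys_interval`: an existing emq.conf that still says `mqtt.broker.sys_interval = 60` will now go through the duration parser (presumably as 60 ms rather than 60 s, if a bare integer is accepted at all), and the Erlang consumer now receives milliseconds. The same applies to `mqtt.bridge.ping_down_interval` in the next hunk, whose `emqttd.bridge` translation begins on the hunk's last line and continues outside this view. A comment above each mapping such as `%% Duration with unit (e.g. 1m, 30s); delivered to emqttd in milliseconds` plus a migration note in the changelog would make the break visible, and please confirm the consumers were updated in the same change.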
@@ -735,8 +735,8 @@ end}.
 ]}.
 {mapping, "mqtt.bridge.ping_down_interval", "emqttd.bridge", [
- {default, 1},
- {datatype, integer}
+ {datatype, {duration, ms}},
+ {default, "1s"}
 ]}.
 {translation, "emqttd.bridge", fun(Conf) ->