##-------------------------------------------------------------------- ## Node Args ##-------------------------------------------------------------------- ## Node name node.name = emqx@127.0.0.1 ## Cookie for distributed node node.cookie = emqx_dist_cookie ## SMP support: enable, auto, disable node.smp = auto ## Enable kernel poll node.kernel_poll = on ## async thread pool node.async_threads = 32 ## Erlang Process Limit node.process_limit = 256000 ## Sets the maximum number of simultaneously existing ports for this system node.max_ports = 65536 ## Set the distribution buffer busy limit (dist_buf_busy_limit) node.dist_buffer_size = 32MB ## Max ETS Tables. ## Note that mnesia and SSL will create temporary ets tables. node.max_ets_tables = 256000 ## Tweak GC to run more often node.fullsweep_after = 1000 ## Crash dump node.crash_dump = log/crash.dump ## Distributed node ticktime node.dist_net_ticktime = 60 ## Distributed node port range ## node.dist_listen_min = 6369 ## node.dist_listen_max = 6369 ##-------------------------------------------------------------------- ## RPC Args ##-------------------------------------------------------------------- ## TCP server port. rpc.tcp_server_port = 6369 ## Default TCP port for outgoing connections rpc.tcp_client_port = 5369 ## Client connect timeout rpc.connect_timeout = 5000 ## Client and Server send timeout rpc.send_timeout = 5000 ## Authentication timeout rpc.authentication_timeout = 5000 ## Default receive timeout for call() functions rpc.call_receive_timeout = 15000 ## Socket keepalive configuration rpc.socket_keepalive_idle = 5 ## Seconds between probes rpc.socket_keepalive_interval = 5 ## Probes lost to close the connection rpc.socket_keepalive_count = 2 ## TODO: sndbuf, rcvbuf and buffer ##-------------------------------------------------------------------- ## Log ##-------------------------------------------------------------------- ## Set the log dir log.dir = log ## Console log. Enum: off, file, console, both log.console = console ## Syslog. Enum: on, off log.syslog = on ## syslog level. Enum: debug, info, notice, warning, error, critical, alert, emergency log.syslog.level = error ## Console log level. Enum: debug, info, notice, warning, error, critical, alert, emergency log.console.level = debug ## Console log file ## log.console.file = log/console.log ## Error log file log.error.file = log/error.log ## Enable the crash log. Enum: on, off log.crash = on log.crash.file = log/crash.log ##-------------------------------------------------------------------- ## Allow Anonymous and Default ACL ##-------------------------------------------------------------------- ## Allow Anonymous authentication mqtt.allow_anonymous = true ## Default ACL File ## mqtt.acl_file = acl.conf ## Cache ACL for PUBLISH mqtt.cache_acl = true ##-------------------------------------------------------------------- ## MQTT Protocol ##-------------------------------------------------------------------- ## Max ClientId Length Allowed. mqtt.max_clientid_len = 1024 ## Max Packet Size Allowed, 64K by default. mqtt.max_packet_size = 64KB ##-------------------------------------------------------------------- ## MQTT Client ##-------------------------------------------------------------------- ## Client Idle Timeout (Second) mqtt.client.idle_timeout = 30s ## Max publish rate of Messages mqtt.client.max_publish_rate = 5 ## Enable client Stats: seconds or off mqtt.client.enable_stats = 60s ##-------------------------------------------------------------------- ## MQTT Session ##-------------------------------------------------------------------- ## Max Number of Subscriptions, 0 means no limit. mqtt.session.max_subscriptions = 0 ## Upgrade QoS? mqtt.session.upgrade_qos = off ## Max Size of the Inflight Window for QoS1 and QoS2 messages in the “inflight”. ## 0 means no limit mqtt.session.max_inflight = 32 ## Retry Interval for redelivering QoS1/2 messages. mqtt.session.retry_interval = 20s ## Client -> Broker: Max Packets Awaiting PUBREL, 0 means no limit mqtt.session.max_awaiting_rel = 100 ## Awaiting PUBREL Timeout mqtt.session.await_rel_timeout = 20s ## Expired after 1 day: ## w - week ## d - day ## h - hour ## m - minute ## s - second mqtt.session.expiry_interval = 2h ## Enable session Stats: Seconds or 'off' mqtt.session.enable_stats = 60s ##-------------------------------------------------------------------- ## MQTT Message Queue ##-------------------------------------------------------------------- ## Type: simple | priority mqtt.mqueue.type = simple ## Topic Priority: 0~255, Default is 0 ## mqtt.mqueue.priority = topic/1=10,topic/2=8 ## Max queue length. Enqueued messages when persistent client disconnected, ## or inflight window is full. 0 means no limit. mqtt.mqueue.max_length = 0 ## Low-water mark of queued messages mqtt.mqueue.low_watermark = 20% ## High-water mark of queued messages mqtt.mqueue.high_watermark = 60% ## Queue Qos0 messages? mqtt.mqueue.store_qos0 = true ##-------------------------------------------------------------------- ## MQTT Broker and PubSub ##-------------------------------------------------------------------- ## System Interval of publishing broker $SYS Messages mqtt.broker.sys_interval = 60 ## PubSub Pool Size. Default should be scheduler numbers. mqtt.pubsub.pool_size = 8 mqtt.pubsub.by_clientid = true ## Subscribe Asynchronously mqtt.pubsub.async = true ##-------------------------------------------------------------------- ## MQTT Bridge ##-------------------------------------------------------------------- ## Bridge Queue Size mqtt.bridge.max_queue_len = 10000 ## Ping Interval of bridge node. Unit: Second mqtt.bridge.ping_down_interval = 1 ##------------------------------------------------------------------- ## MQTT Plugins ##------------------------------------------------------------------- ## Dir of plugins' config mqtt.plugins.etc_dir = etc/plugins/ ## File to store loaded plugin names. mqtt.plugins.loaded_file = data/loaded_plugins ##-------------------------------------------------------------------- ## MQTT Listeners ##-------------------------------------------------------------------- ##-------------------------------------------------------------------- ## External TCP Listener ## External TCP Listener: 1883, 127.0.0.1:1883, ::1:1883 listener.tcp.external = 0.0.0.0:1883 ## Size of acceptor pool listener.tcp.external.acceptors = 8 ## Maximum number of concurrent clients listener.tcp.external.max_clients = 1024 #listener.tcp.external.zone = external #listener.tcp.external.mountpoint = external/ ## Rate Limit. Format is 'burst,rate', Unit is KB/Sec #listener.tcp.external.rate_limit = 100,10 #listener.tcp.external.access.1 = allow 192.168.0.0/24 listener.tcp.external.access.2 = allow all ## TCP Socket Options listener.tcp.external.backlog = 1024 #listener.tcp.external.recbuf = 4KB #listener.tcp.external.sndbuf = 4KB listener.tcp.external.buffer = 4KB listener.tcp.external.nodelay = true ##-------------------------------------------------------------------- ## Internal TCP Listener ## Internal TCP Listener: 11883, 127.0.0.1:11883, ::1:11883 listener.tcp.internal = 127.0.0.1:11883 ## Size of acceptor pool listener.tcp.internal.acceptors = 4 ## Maximum number of concurrent clients listener.tcp.internal.max_clients = 1024 #listener.tcp.internal.zone = internal #listener.tcp.external.mountpoint = internal/ ## Rate Limit. Format is 'burst,rate', Unit is KB/Sec ## listener.tcp.internal.rate_limit = 1000,100 ## TCP Socket Options listener.tcp.internal.backlog = 512 listener.tcp.internal.tune_buffer = on listener.tcp.internal.buffer = 1MB listener.tcp.internal.recbuf = 4KB listener.tcp.internal.sndbuf = 1MB listener.tcp.internal.nodelay = true ##-------------------------------------------------------------------- ## External SSL Listener ## SSL Listener: 8883, 127.0.0.1:8883, ::1:8883 listener.ssl.external = 8883 ## Size of acceptor pool listener.ssl.external.acceptors = 4 ## Maximum number of concurrent clients listener.ssl.external.max_clients = 1024 ## Authentication Zone ## listener.ssl.external.zone = external ## listener.ssl.external.mountpoint = inbound/ ## Rate Limit. Format is 'burst,rate', Unit is KB/Sec ## listener.ssl.external.rate_limit = 100,10 listener.ssl.external.access.1 = allow all ### SSL Options. See http://erlang.org/doc/man/ssl.html ### TLS only for POODLE attack listener.ssl.external.tls_versions = tlsv1.2,tlsv1.1,tlsv1 ### This is the single most important configuration option of an Erlang SSL application. ### Ciphers (and their ordering) define the way the client and server encrypt information ### over the wire, from the initial Diffie-Helman key exchange, the session key encryption ### algorithm and the message digest algorithm. Selecting a good cipher suite is critical ### for the application’s data security, confidentiality and performance. ### The cipher list above offers: ### ### A good balance between compatibility with older browsers. It can get stricter for Machine-To-Machine scenarios. ### Perfect Forward Secrecy. ### No old/insecure encryption and HMAC algorithms ### ### Most of it was copied from Mozilla’s Server Side TLS article listener.ssl.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA listener.ssl.external.handshake_timeout = 15s ### The Ephemeral Diffie-Helman key exchange is a very effective way of ### ensuring Forward Secrecy by exchanging a set of keys that never hit ### the wire. Since the DH key is effectively signed by the private key, ### it needs to be at least as strong as the private key. In addition, ### the default DH groups that most of the OpenSSL installations have ### are only a handful (since they are distributed with the OpenSSL ### package that has been built for the operating system it’s running on) ### and hence predictable (not to mention, 1024 bits only). ### In order to escape this situation, first we need to generate a fresh, ### strong DH group, store it in a file and then use the option above, ### to force our SSL application to use the new DH group. Fortunately, ### OpenSSL provides us with a tool to do that. Simply run: ### openssl dhparam -out dh-params.pem 2048 # listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem listener.ssl.external.keyfile = certs/key.pem listener.ssl.external.certfile = certs/cert.pem ##listener.ssl.external.cacertfile = certs/cacert.pem ##listener.ssl.external.verify = verify_peer ##listener.ssl.external.fail_if_no_peer_cert = true ### SSL parameter renegotiation is a feature that allows a client and ### a server to renegotiate the parameters of the SSL connection on the fly. ### RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, ### you drop support for the insecure renegotiation, prone to MitM attacks. listener.ssl.external.secure_renegotiate = off ### A performance optimization setting, it allows clients to reuse ### pre-existing sessions, instead of initializing new ones. ### Read more about it here. listener.ssl.external.reuse_sessions = on ### An important security setting, it forces the cipher to be set based on ### the server-specified order instead of the client-specified order, ### hence enforcing the (usually more properly configured) security ### ordering of the server administrator. listener.ssl.external.honor_cipher_order = on ### Use the CN or DN value from the client certificate as a username. ### Notice: 'verify' should be configured as 'verify_peer' ### listener.ssl.external.peer_cert_as_username = cn ##-------------------------------------------------------------------- ## External HTTP and WebSocket Listener listener.http.external = 8083 listener.http.external.acceptors = 4 listener.http.external.max_clients = 64 ## listener.http.external.zone = external listener.http.external.access.1 = allow all ## TCP Options listener.http.external.backlog = 1024 listener.http.external.recbuf = 4KB listener.http.external.sndbuf = 4KB listener.http.external.buffer = 4KB listener.http.external.nodelay = true ##-------------------------------------------------------------------- ## External HTTPS and WSS Listener listener.https.external = 8084 listener.https.external.acceptors = 4 listener.https.external.max_clients = 64 ## listener.https.external.zone = external listener.https.external.access.1 = allow all ## SSL Options listener.https.external.handshake_timeout = 15s listener.https.external.keyfile = certs/key.pem listener.https.external.certfile = certs/cert.pem listener.https.external.cacertfile = certs/cacert.pem listener.https.external.verify = verify_peer listener.https.external.fail_if_no_peer_cert = true ##------------------------------------------------------------------- ## System Monitor ##------------------------------------------------------------------- ## Long GC, don't monitor in production mode for: ## https://github.com/erlang/otp/blob/feb45017da36be78d4c5784d758ede619fa7bfd3/erts/emulator/beam/erl_gc.c#L421 sysmon.long_gc = false ## Long Schedule(ms) sysmon.long_schedule = 240 ## 8M words. 32MB on 32-bit VM, 64MB on 64-bit VM. sysmon.large_heap = 8MB ## Busy Port sysmon.busy_port = false ## Busy Dist Port sysmon.busy_dist_port = true