##--------------------------------------------------------------------
## Node Args
##--------------------------------------------------------------------

## Node name
node.name = emqx@127.0.0.1

## Cookie for distributed node
node.cookie = emqx_dist_cookie

## SMP support: enable, auto, disable
node.smp = auto

## Enable kernel poll
node.kernel_poll = on

## async thread pool
node.async_threads = 32

## Erlang Process Limit
node.process_limit = 256000

## Sets the maximum number of simultaneously existing ports for this system
node.max_ports = 65536

## Set the distribution buffer busy limit (dist_buf_busy_limit)
node.dist_buffer_size = 32MB

## Max ETS Tables.
## Note that mnesia and SSL will create temporary ets tables.
node.max_ets_tables = 256000

## Tweak GC to run more often
node.fullsweep_after = 1000

## Crash dump
node.crash_dump = log/crash.dump

## Distributed node ticktime
node.dist_net_ticktime = 60

## Distributed node port range
## node.dist_listen_min = 6369
## node.dist_listen_max = 6369

##--------------------------------------------------------------------
## RPC Args
##--------------------------------------------------------------------

## TCP server port.
rpc.tcp_server_port = 6369

## Default TCP port for outgoing connections
rpc.tcp_client_port = 5369

## Client connect timeout
rpc.connect_timeout = 5000

## Client and Server send timeout
rpc.send_timeout = 5000

## Authentication timeout
rpc.authentication_timeout = 5000

## Default receive timeout for call() functions
rpc.call_receive_timeout = 15000

## Socket keepalive configuration
rpc.socket_keepalive_idle = 5

## Seconds between probes
rpc.socket_keepalive_interval = 5

## Probes lost to close the connection
rpc.socket_keepalive_count = 2

## TODO: sndbuf, rcvbuf and buffer

##--------------------------------------------------------------------
## Log
##--------------------------------------------------------------------

## Set the log dir
log.dir = log

## Console log. Enum: off, file, console, both
log.console = console

## Syslog. Enum: on, off
log.syslog = on 

##  syslog level. Enum: debug, info, notice, warning, error, critical, alert, emergency
log.syslog.level = error

## Console log level. Enum: debug, info, notice, warning, error, critical, alert, emergency
log.console.level = debug

## Console log file
## log.console.file = log/console.log

## Error log file
log.error.file = log/error.log

## Enable the crash log. Enum: on, off
log.crash = on

log.crash.file = log/crash.log

##--------------------------------------------------------------------
## Allow Anonymous and Default ACL
##--------------------------------------------------------------------

## Allow Anonymous authentication
mqtt.allow_anonymous = true

## Default ACL File
## mqtt.acl_file = acl.conf

## Cache ACL for PUBLISH
mqtt.cache_acl = true

##--------------------------------------------------------------------
## MQTT Protocol
##--------------------------------------------------------------------

## Max ClientId Length Allowed.
mqtt.max_clientid_len = 1024

## Max Packet Size Allowed, 64K by default.
mqtt.max_packet_size = 64KB

##--------------------------------------------------------------------
## MQTT Client
##--------------------------------------------------------------------

## Client Idle Timeout (Second)
mqtt.client.idle_timeout = 30s

## Max publish rate of Messages
mqtt.client.max_publish_rate = 5

## Enable client Stats: seconds or off
mqtt.client.enable_stats = 60s

##--------------------------------------------------------------------
## MQTT Session
##--------------------------------------------------------------------

## Max Number of Subscriptions, 0 means no limit.
mqtt.session.max_subscriptions = 0

## Upgrade QoS?
mqtt.session.upgrade_qos = off

## Max Size of the Inflight Window for QoS1 and QoS2 messages in the “inflight”.
## 0 means no limit
mqtt.session.max_inflight = 32

## Retry Interval for redelivering QoS1/2 messages.
mqtt.session.retry_interval = 20s

## Client -> Broker: Max Packets Awaiting PUBREL, 0 means no limit
mqtt.session.max_awaiting_rel = 100

## Awaiting PUBREL Timeout
mqtt.session.await_rel_timeout = 20s

## Expired after 1 day:
## w - week
## d - day
## h - hour
## m - minute
## s - second
mqtt.session.expiry_interval = 2h

## Enable session Stats: Seconds or 'off'
mqtt.session.enable_stats = 60s

##--------------------------------------------------------------------
## MQTT Message Queue
##--------------------------------------------------------------------

## Type: simple | priority
mqtt.mqueue.type = simple

## Topic Priority: 0~255, Default is 0
## mqtt.mqueue.priority = topic/1=10,topic/2=8

## Max queue length. Enqueued messages when persistent client disconnected,
## or inflight window is full. 0 means no limit.
mqtt.mqueue.max_length = 0

## Low-water mark of queued messages
mqtt.mqueue.low_watermark = 20%

## High-water mark of queued messages
mqtt.mqueue.high_watermark = 60%

## Queue Qos0 messages?
mqtt.mqueue.store_qos0 = true

##--------------------------------------------------------------------
## MQTT Broker and PubSub
##--------------------------------------------------------------------

## System Interval of publishing broker $SYS Messages
mqtt.broker.sys_interval = 60

## PubSub Pool Size. Default should be scheduler numbers.
mqtt.pubsub.pool_size = 8

mqtt.pubsub.by_clientid = true

## Subscribe Asynchronously
mqtt.pubsub.async = true

##--------------------------------------------------------------------
## MQTT Bridge
##--------------------------------------------------------------------

## Bridge Queue Size
mqtt.bridge.max_queue_len = 10000

## Ping Interval of bridge node. Unit: Second
mqtt.bridge.ping_down_interval = 1

##-------------------------------------------------------------------
## MQTT Plugins
##-------------------------------------------------------------------

## Dir of plugins' config
mqtt.plugins.etc_dir = etc/plugins/

## File to store loaded plugin names.
mqtt.plugins.loaded_file = data/loaded_plugins

##--------------------------------------------------------------------
## MQTT Listeners
##--------------------------------------------------------------------

##--------------------------------------------------------------------
## External TCP Listener

## External TCP Listener: 1883, 127.0.0.1:1883, ::1:1883
listener.tcp.external = 0.0.0.0:1883

## Size of acceptor pool
listener.tcp.external.acceptors = 8

## Maximum number of concurrent clients
listener.tcp.external.max_clients = 1024

#listener.tcp.external.zone = external

#listener.tcp.external.mountpoint = external/

## Rate Limit. Format is 'burst,rate', Unit is KB/Sec
#listener.tcp.external.rate_limit = 100,10

#listener.tcp.external.access.1 = allow 192.168.0.0/24

listener.tcp.external.access.2 = allow all

## TCP Socket Options
listener.tcp.external.backlog = 1024

#listener.tcp.external.recbuf = 4KB

#listener.tcp.external.sndbuf = 4KB

listener.tcp.external.buffer = 4KB

listener.tcp.external.nodelay = true

##--------------------------------------------------------------------
## Internal TCP Listener

## Internal TCP Listener: 11883, 127.0.0.1:11883, ::1:11883
listener.tcp.internal = 127.0.0.1:11883

## Size of acceptor pool
listener.tcp.internal.acceptors = 4

## Maximum number of concurrent clients
listener.tcp.internal.max_clients = 1024

#listener.tcp.internal.zone = internal

#listener.tcp.external.mountpoint = internal/

## Rate Limit. Format is 'burst,rate', Unit is KB/Sec
## listener.tcp.internal.rate_limit = 1000,100

## TCP Socket Options
listener.tcp.internal.backlog = 512

listener.tcp.internal.tune_buffer = on

listener.tcp.internal.buffer = 1MB

listener.tcp.internal.recbuf = 4KB

listener.tcp.internal.sndbuf = 1MB

listener.tcp.internal.nodelay = true

##--------------------------------------------------------------------
## External SSL Listener

## SSL Listener: 8883, 127.0.0.1:8883, ::1:8883
listener.ssl.external = 8883

## Size of acceptor pool
listener.ssl.external.acceptors = 4

## Maximum number of concurrent clients
listener.ssl.external.max_clients = 1024

## Authentication Zone
## listener.ssl.external.zone = external

## listener.ssl.external.mountpoint = inbound/

## Rate Limit. Format is 'burst,rate', Unit is KB/Sec
## listener.ssl.external.rate_limit = 100,10

listener.ssl.external.access.1 = allow all

### SSL Options. See http://erlang.org/doc/man/ssl.html

### TLS only for POODLE attack
listener.ssl.external.tls_versions = tlsv1.2,tlsv1.1,tlsv1

### This is the single most important configuration option of an Erlang SSL application.
### Ciphers (and their ordering) define the way the client and server encrypt information
### over the wire, from the initial Diffie-Helman key exchange, the session key encryption
### algorithm and the message digest algorithm. Selecting a good cipher suite is critical
### for the application’s data security, confidentiality and performance.
### The cipher list above offers:
### 
### A good balance between compatibility with older browsers. It can get stricter for Machine-To-Machine scenarios.
### Perfect Forward Secrecy.
### No old/insecure encryption and HMAC algorithms
###
### Most of it was copied from Mozilla’s Server Side TLS article
listener.ssl.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA

listener.ssl.external.handshake_timeout = 15s

### The Ephemeral Diffie-Helman key exchange is a very effective way of
### ensuring Forward Secrecy by exchanging a set of keys that never hit
### the wire. Since the DH key is effectively signed by the private key,
### it needs to be at least as strong as the private key. In addition, 
### the default DH groups that most of the OpenSSL installations have 
### are only a handful (since they are distributed with the OpenSSL
### package that has been built for the operating system it’s running on)
### and hence predictable (not to mention, 1024 bits only).

### In order to escape this situation, first we need to generate a fresh,
### strong DH group, store it in a file and then use the option above,
### to force our SSL application to use the new DH group. Fortunately,
### OpenSSL provides us with a tool to do that. Simply run:
### openssl dhparam -out dh-params.pem 2048
# listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem

listener.ssl.external.keyfile = certs/key.pem

listener.ssl.external.certfile = certs/cert.pem

##listener.ssl.external.cacertfile = certs/cacert.pem

##listener.ssl.external.verify = verify_peer

##listener.ssl.external.fail_if_no_peer_cert = true

### SSL parameter renegotiation is a feature that allows a client and 
### a server to renegotiate the parameters of the SSL connection on the fly.
### RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
### you drop support for the insecure renegotiation, prone to MitM attacks. 
listener.ssl.external.secure_renegotiate = off

### A performance optimization setting, it allows clients to reuse 
### pre-existing sessions, instead of initializing new ones.
### Read more about it here.
listener.ssl.external.reuse_sessions = on

### An important security setting, it forces the cipher to be set based on
### the server-specified order instead of the client-specified order,
### hence enforcing the (usually more properly configured) security
### ordering of the server administrator.
listener.ssl.external.honor_cipher_order = on

### Use the CN or DN value from the client certificate as a username.
### Notice: 'verify' should be configured as 'verify_peer'
### listener.ssl.external.peer_cert_as_username = cn

##--------------------------------------------------------------------
## External HTTP and WebSocket Listener

listener.http.external = 8083

listener.http.external.acceptors = 4

listener.http.external.max_clients = 64

## listener.http.external.zone = external

listener.http.external.access.1 = allow all

## TCP Options
listener.http.external.backlog = 1024

listener.http.external.recbuf = 4KB

listener.http.external.sndbuf = 4KB

listener.http.external.buffer = 4KB

listener.http.external.nodelay = true

##--------------------------------------------------------------------
## External HTTPS and WSS Listener

listener.https.external = 8084

listener.https.external.acceptors = 4

listener.https.external.max_clients = 64

## listener.https.external.zone = external

listener.https.external.access.1 = allow all

## SSL Options
listener.https.external.handshake_timeout = 15s

listener.https.external.keyfile = certs/key.pem

listener.https.external.certfile = certs/cert.pem

listener.https.external.cacertfile = certs/cacert.pem

listener.https.external.verify = verify_peer

listener.https.external.fail_if_no_peer_cert = true

##-------------------------------------------------------------------
## System Monitor
##-------------------------------------------------------------------

## Long GC, don't monitor in production mode for:
## https://github.com/erlang/otp/blob/feb45017da36be78d4c5784d758ede619fa7bfd3/erts/emulator/beam/erl_gc.c#L421
sysmon.long_gc = false

## Long Schedule(ms)
sysmon.long_schedule = 240

## 8M words. 32MB on 32-bit VM, 64MB on 64-bit VM.
sysmon.large_heap = 8MB

## Busy Port
sysmon.busy_port = false

## Busy Dist Port
sysmon.busy_dist_port = true