##--------------------------------------------------------------------
|
||
## Listeners
|
||
##--------------------------------------------------------------------
|
||
|
||
##--------------------------------------------------------------------
|
||
## MQTT/TCP - External TCP Listener for MQTT Protocol
|
||
|
||
## listener.tcp.$name is the IP address and port that the MQTT/TCP
|
||
## listener will bind.
|
||
##
|
||
## Value: IP:Port | Port
|
||
##
|
||
## Examples: 1883, 127.0.0.1:1883, ::1:1883
|
||
## NOTE(review): 0.0.0.0 binds this listener on every IPv4 interface, and
## MQTT/TCP is not encrypted, so credentials and payloads sent to this port
## cross the network in clear text. Where clients can use TLS, prefer the
## MQTT/SSL listener and bind this one to a trusted interface or restrict
## it with listener.tcp.external.access.* rules.
listener.tcp.external = 0.0.0.0:1883
|
||
|
||
## The acceptor pool for external MQTT/TCP listener.
|
||
##
|
||
## Value: Number
|
||
listener.tcp.external.acceptors = 8
|
||
|
||
## Maximum number of concurrent MQTT/TCP connections.
|
||
##
|
||
## Value: Number
|
||
listener.tcp.external.max_connections = 1024000
|
||
|
||
## Maximum external connections per second.
|
||
##
|
||
## Value: Number
|
||
listener.tcp.external.max_conn_rate = 1000
|
||
|
||
## Specify the {active, N} option for the external MQTT/TCP Socket.
|
||
##
|
||
## Value: Number
|
||
listener.tcp.external.active_n = 100
|
||
|
||
## Zone of the external MQTT/TCP listener belonged to.
|
||
##
|
||
## See: zone.$name.*
|
||
##
|
||
## Value: String
|
||
listener.tcp.external.zone = external
|
||
|
||
## The access control rules for the MQTT/TCP listener.
|
||
##
|
||
## See: https://github.com/emqtt/esockd#allowdeny
|
||
##
|
||
## Value: ACL Rule
|
||
##
|
||
## Example: allow 192.168.0.0/24
|
||
## NOTE(review): 'allow all' places no source-address restriction on this
## listener. Where the client networks are known, replace it with explicit
## rules in the form shown in the Example line above.
listener.tcp.external.access.1 = allow all
|
||
|
||
## Enable the Proxy Protocol V1/2 if the EMQ X cluster is deployed
|
||
## behind HAProxy or Nginx.
|
||
##
|
||
## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
|
||
##
|
||
## Value: on | off
|
||
## listener.tcp.external.proxy_protocol = on
|
||
|
||
## Sets the timeout for proxy protocol. EMQ X will close the TCP connection
|
||
## if no proxy protocol packet is received within the timeout.
|
||
##
|
||
## Value: Duration
|
||
## listener.tcp.external.proxy_protocol_timeout = 3s
|
||
|
||
## Enable the option for X.509 certificate based authentication.
|
||
## EMQX will use the common name of certificate as MQTT username.
|
||
##
|
||
## Value: cn | dn | crt
|
||
## listener.tcp.external.peer_cert_as_username = cn
|
||
|
||
## The TCP backlog defines the maximum length that the queue of pending
|
||
## connections can grow to.
|
||
##
|
||
## Value: Number >= 0
|
||
listener.tcp.external.backlog = 1024
|
||
|
||
## The TCP send timeout for external MQTT connections.
|
||
##
|
||
## Value: Duration
|
||
listener.tcp.external.send_timeout = 15s
|
||
|
||
## Close the TCP connection if send timeout.
|
||
##
|
||
## Value: on | off
|
||
listener.tcp.external.send_timeout_close = on
|
||
|
||
## The TCP receive buffer(os kernel) for MQTT connections.
|
||
##
|
||
## See: http://erlang.org/doc/man/inet.html
|
||
##
|
||
## Value: Bytes
|
||
## listener.tcp.external.recbuf = 2KB
|
||
|
||
## The TCP send buffer(os kernel) for MQTT connections.
|
||
##
|
||
## See: http://erlang.org/doc/man/inet.html
|
||
##
|
||
## Value: Bytes
|
||
## listener.tcp.external.sndbuf = 2KB
|
||
|
||
## The size of the user-level software buffer used by the driver.
|
||
## Not to be confused with options sndbuf and recbuf, which correspond
|
||
## to the Kernel socket buffers. It is recommended to have val(buffer)
|
||
## >= max(val(sndbuf),val(recbuf)) to avoid performance issues because
|
||
## of unnecessary copying. val(buffer) is automatically set to the above
|
||
## maximum when values sndbuf or recbuf are set.
|
||
##
|
||
## See: http://erlang.org/doc/man/inet.html
|
||
##
|
||
## Value: Bytes
|
||
## listener.tcp.external.buffer = 2KB
|
||
|
||
## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
|
||
##
|
||
## Value: on | off
|
||
## listener.tcp.external.tune_buffer = off
|
||
|
||
## The socket is set to a busy state when the amount of data queued internally
|
||
## by the ERTS socket implementation reaches this limit.
|
||
##
|
||
## Value: Bytes
|
||
## Defaults to 1MB
|
||
## listener.tcp.external.high_watermark = 1MB
|
||
|
||
## The TCP_NODELAY flag for MQTT connections. Small amounts of data are
|
||
## sent immediately if the option is enabled.
|
||
##
|
||
## Value: true | false
|
||
listener.tcp.external.nodelay = true
|
||
|
||
## The SO_REUSEADDR flag for TCP listener.
|
||
##
|
||
## Value: true | false
|
||
listener.tcp.external.reuseaddr = true
|
||
|
||
##--------------------------------------------------------------------
|
||
## Internal TCP Listener for MQTT Protocol
|
||
|
||
## The IP address and port that the internal MQTT/TCP protocol listener
|
||
## will bind.
|
||
##
|
||
## Value: IP:Port, Port
|
||
##
|
||
## Examples: 11883, 127.0.0.1:11883, ::1:11883
|
||
listener.tcp.internal = 127.0.0.1:11883
|
||
|
||
## The acceptor pool for internal MQTT/TCP listener.
|
||
##
|
||
## Value: Number
|
||
listener.tcp.internal.acceptors = 4
|
||
|
||
## Maximum number of concurrent MQTT/TCP connections.
|
||
##
|
||
## Value: Number
|
||
listener.tcp.internal.max_connections = 1024000
|
||
|
||
## Maximum internal connections per second.
|
||
##
|
||
## Value: Number
|
||
listener.tcp.internal.max_conn_rate = 1000
|
||
|
||
## Specify the {active, N} option for the internal MQTT/TCP Socket.
|
||
##
|
||
## Value: Number
|
||
listener.tcp.internal.active_n = 1000
|
||
|
||
## Zone of the internal MQTT/TCP listener belonged to.
|
||
##
|
||
## Value: String
|
||
listener.tcp.internal.zone = internal
|
||
|
||
## The TCP backlog of internal MQTT/TCP Listener.
|
||
##
|
||
## See: listener.tcp.$name.backlog
|
||
##
|
||
## Value: Number >= 0
|
||
listener.tcp.internal.backlog = 512
|
||
|
||
## The TCP send timeout for internal MQTT connections.
|
||
##
|
||
## See: listener.tcp.$name.send_timeout
|
||
##
|
||
## Value: Duration
|
||
listener.tcp.internal.send_timeout = 5s
|
||
|
||
## Close the MQTT/TCP connection if send timeout.
|
||
##
|
||
## See: listener.tcp.$name.send_timeout_close
|
||
##
|
||
## Value: on | off
|
||
listener.tcp.internal.send_timeout_close = on
|
||
|
||
## The TCP receive buffer(os kernel) for internal MQTT connections.
|
||
##
|
||
## See: listener.tcp.$name.recbuf
|
||
##
|
||
## Value: Bytes
|
||
listener.tcp.internal.recbuf = 64KB
|
||
|
||
## The TCP send buffer(os kernel) for internal MQTT connections.
|
||
##
|
||
## See: http://erlang.org/doc/man/inet.html
|
||
##
|
||
## Value: Bytes
|
||
listener.tcp.internal.sndbuf = 64KB
|
||
|
||
## The size of the user-level software buffer used by the driver.
|
||
##
|
||
## See: listener.tcp.$name.buffer
|
||
##
|
||
## Value: Bytes
|
||
## listener.tcp.internal.buffer = 16KB
|
||
|
||
## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
|
||
##
|
||
## See: listener.tcp.$name.tune_buffer
|
||
##
|
||
## Value: on | off
|
||
## listener.tcp.internal.tune_buffer = off
|
||
|
||
## The TCP_NODELAY flag for internal MQTT connections.
|
||
##
|
||
## See: listener.tcp.$name.nodelay
|
||
##
|
||
## Value: true | false
|
||
listener.tcp.internal.nodelay = false
|
||
|
||
## The SO_REUSEADDR flag for MQTT/TCP Listener.
|
||
##
|
||
## Value: true | false
|
||
listener.tcp.internal.reuseaddr = true
|
||
|
||
##--------------------------------------------------------------------
|
||
## MQTT/SSL - External SSL Listener for MQTT Protocol
|
||
|
||
## listener.ssl.$name is the IP address and port that the MQTT/SSL
|
||
## listener will bind.
|
||
##
|
||
## Value: IP:Port | Port
|
||
##
|
||
## Examples: 8883, 127.0.0.1:8883, ::1:8883
|
||
listener.ssl.external = 8883
|
||
|
||
## The acceptor pool for external MQTT/SSL listener.
|
||
##
|
||
## Value: Number
|
||
listener.ssl.external.acceptors = 16
|
||
|
||
## Maximum number of concurrent MQTT/SSL connections.
|
||
##
|
||
## Value: Number
|
||
listener.ssl.external.max_connections = 102400
|
||
|
||
## Maximum MQTT/SSL connections per second.
|
||
##
|
||
## Value: Number
|
||
listener.ssl.external.max_conn_rate = 500
|
||
|
||
## Specify the {active, N} option for the external MQTT/SSL Socket.
|
||
##
|
||
## Value: Number
|
||
listener.ssl.external.active_n = 100
|
||
|
||
## Zone of the external MQTT/SSL listener belonged to.
|
||
##
|
||
## Value: String
|
||
listener.ssl.external.zone = external
|
||
|
||
## The access control rules for the MQTT/SSL listener.
|
||
##
|
||
## See: listener.tcp.$name.access
|
||
##
|
||
## Value: ACL Rule
|
||
listener.ssl.external.access.1 = allow all
|
||
|
||
## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind
|
||
## HAProxy or Nginx.
|
||
##
|
||
## See: listener.tcp.$name.proxy_protocol
|
||
##
|
||
## Value: on | off
|
||
## listener.ssl.external.proxy_protocol = on
|
||
|
||
## Sets the timeout for proxy protocol.
|
||
##
|
||
## See: listener.tcp.$name.proxy_protocol_timeout
|
||
##
|
||
## Value: Duration
|
||
## listener.ssl.external.proxy_protocol_timeout = 3s
|
||
|
||
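## Allowed TLS protocol versions. Listing only TLS versions (no SSLv3)
## protects against the POODLE attack. TLS 1.0 and 1.1 are deprecated
## (RFC 8996); prefer restricting this to tlsv1.2 unless legacy clients
## require the older versions.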
|
||
##
|
||
## See: http://erlang.org/doc/man/ssl.html
|
||
##
|
||
## Value: String, separated by ','
|
||
## listener.ssl.external.tls_versions = tlsv1.2,tlsv1.1,tlsv1
|
||
|
||
## TLS Handshake timeout.
|
||
##
|
||
## Value: Duration
|
||
listener.ssl.external.handshake_timeout = 15s
|
||
|
||
## Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path.
|
||
##
|
||
## Value: Number
|
||
## listener.ssl.external.depth = 10
|
||
|
||
## Path to the file containing the user's private PEM-encoded key.
|
||
##
|
||
## See: http://erlang.org/doc/man/ssl.html
|
||
##
|
||
## Value: File
|
||
## NOTE(review): this file holds the listener's TLS private key. Keep it
## readable only by the account that runs the broker. If the file at this
## default path is a sample key shipped with the package (confirm), replace
## it with a key generated for this deployment before exposing the listener.
listener.ssl.external.keyfile = {{ platform_etc_dir }}/certs/key.pem
|
||
|
||
## Path to a file containing the user certificate.
|
||
##
|
||
## See: http://erlang.org/doc/man/ssl.html
|
||
##
|
||
## Value: File
|
||
listener.ssl.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
|
||
|
||
## Path to the file containing PEM-encoded CA certificates. The CA certificates
|
||
## are used during server authentication and when building the client certificate chain.
|
||
##
|
||
## Value: File
|
||
## listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
|
||
|
||
## The Ephemeral Diffie-Hellman key exchange is a very effective way of
|
||
## ensuring Forward Secrecy by exchanging a set of keys that never hit
|
||
## the wire. Since the DH key is effectively signed by the private key,
|
||
## it needs to be at least as strong as the private key. In addition,
|
||
## the default DH groups that most of the OpenSSL installations have
|
||
## are only a handful (since they are distributed with the OpenSSL
|
||
## package that has been built for the operating system it’s running on)
|
||
## and hence predictable (not to mention, 1024 bits only).
|
||
## In order to escape this situation, first we need to generate a fresh,
|
||
## strong DH group, store it in a file and then use the option above,
|
||
## to force our SSL application to use the new DH group. Fortunately,
|
||
## OpenSSL provides us with a tool to do that. Simply run:
|
||
## openssl dhparam -out dh-params.pem 2048
|
||
##
|
||
## Value: File
|
||
## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
|
||
|
||
## A server only does x509-path validation in mode verify_peer,
|
||
## as it then sends a certificate request to the client (this
|
||
## message is not sent if the verify option is verify_none).
|
||
## You can then also want to specify option fail_if_no_peer_cert.
|
||
## More information at: http://erlang.org/doc/man/ssl.html
|
||
##
|
||
## Value: verify_peer | verify_none
|
||
## listener.ssl.external.verify = verify_peer
|
||
|
||
## Used together with {verify, verify_peer} by an SSL server. If set to true,
|
||
## the server fails if the client does not have a certificate to send, that is,
|
||
## sends an empty certificate.
|
||
##
|
||
## Value: true | false
|
||
## listener.ssl.external.fail_if_no_peer_cert = true
|
||
|
||
## This is the single most important configuration option of an Erlang SSL
|
||
## application. Ciphers (and their ordering) define the way the client and
|
||
## server encrypt information over the wire, from the initial Diffie-Hellman
|
||
## key exchange, the session key encryption algorithm and the message
|
||
## digest algorithm. Selecting a good cipher suite is critical for the
|
||
## application’s data security, confidentiality and performance.
|
||
##
|
||
## The cipher list below offers:
|
||
##
|
||
## A good balance between compatibility with older browsers.
|
||
## It can get stricter for Machine-To-Machine scenarios.
|
||
## Perfect Forward Secrecy.
|
||
## No old/insecure encryption and HMAC algorithms
|
||
##
|
||
## Most of it was copied from Mozilla’s Server Side TLS article
|
||
##
|
||
## Value: Ciphers
|
||
## NOTE(review): some entries in this list do not match the properties
## described in the comment above. ECDHE-ECDSA-DES-CBC3-SHA is a 3DES suite
## (64-bit block cipher). The ECDH-* entries and the entries with no key
## exchange prefix (e.g. AES256-SHA) do not use an ephemeral (ECDHE/DHE)
## key exchange, so they provide no forward secrecy. Trim the list to the
## ECDHE/DHE AEAD suites when legacy clients do not need the others.
listener.ssl.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
|
||
|
||
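## Ciphers for TLS PSK. The example list below includes RC4 and 3DES
## suites, which are weak (RC4 is prohibited in TLS by RFC 7465); prefer
## the AES entries when enabling this option.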
|
||
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
|
||
## be configured at the same time.
|
||
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
|
||
#listener.ssl.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
|
||
|
||
## SSL parameter renegotiation is a feature that allows a client and a server
|
||
## to renegotiate the parameters of the SSL connection on the fly.
|
||
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
|
||
## you drop support for the insecure renegotiation, prone to MitM attacks.
|
||
##
|
||
## Value: on | off
|
||
## listener.ssl.external.secure_renegotiate = off
|
||
|
||
## A performance optimization setting, it allows clients to reuse
|
||
## pre-existing sessions, instead of initializing new ones.
|
||
## Read more about it here.
|
||
##
|
||
## See: http://erlang.org/doc/man/ssl.html
|
||
##
|
||
## Value: on | off
|
||
## listener.ssl.external.reuse_sessions = on
|
||
|
||
## An important security setting, it forces the cipher to be set based
|
||
## on the server-specified order instead of the client-specified order,
|
||
## hence enforcing the (usually more properly configured) security
|
||
## ordering of the server administrator.
|
||
##
|
||
## Value: on | off
|
||
## listener.ssl.external.honor_cipher_order = on
|
||
|
||
## Use the CN, DN or CRT field from the client certificate as a username.
|
||
## Notice that 'verify' should be set as 'verify_peer'.
|
||
##
|
||
## Value: cn | dn | crt
|
||
## listener.ssl.external.peer_cert_as_username = cn
|
||
|
||
## TCP backlog for the SSL connection.
|
||
##
|
||
## See listener.tcp.$name.backlog
|
||
##
|
||
## Value: Number >= 0
|
||
## listener.ssl.external.backlog = 1024
|
||
|
||
## The TCP send timeout for the SSL connection.
|
||
##
|
||
## See listener.tcp.$name.send_timeout
|
||
##
|
||
## Value: Duration
|
||
## listener.ssl.external.send_timeout = 15s
|
||
|
||
## Close the SSL connection if send timeout.
|
||
##
|
||
## See: listener.tcp.$name.send_timeout_close
|
||
##
|
||
## Value: on | off
|
||
## listener.ssl.external.send_timeout_close = on
|
||
|
||
## The TCP receive buffer(os kernel) for the SSL connections.
|
||
##
|
||
## See: listener.tcp.$name.recbuf
|
||
##
|
||
## Value: Bytes
|
||
## listener.ssl.external.recbuf = 4KB
|
||
|
||
## The TCP send buffer(os kernel) for the SSL connections.
|
||
##
|
||
## See: listener.tcp.$name.sndbuf
|
||
##
|
||
## Value: Bytes
|
||
## listener.ssl.external.sndbuf = 4KB
|
||
|
||
## The size of the user-level software buffer used by the driver.
|
||
##
|
||
## See: listener.tcp.$name.buffer
|
||
##
|
||
## Value: Bytes
|
||
## listener.ssl.external.buffer = 4KB
|
||
|
||
## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
|
||
##
|
||
## See: listener.tcp.$name.tune_buffer
|
||
##
|
||
## Value: on | off
|
||
## listener.ssl.external.tune_buffer = off
|
||
|
||
## The TCP_NODELAY flag for SSL connections.
|
||
##
|
||
## See: listener.tcp.$name.nodelay
|
||
##
|
||
## Value: true | false
|
||
## listener.ssl.external.nodelay = true
|
||
|
||
## The SO_REUSEADDR flag for MQTT/SSL Listener.
|
||
##
|
||
## Value: true | false
|
||
listener.ssl.external.reuseaddr = true
|
||
|
||
##--------------------------------------------------------------------
|
||
## External WebSocket listener for MQTT protocol
|
||
|
||
## listener.ws.$name is the IP address and port that the MQTT/WebSocket
|
||
## listener will bind.
|
||
##
|
||
## Value: IP:Port | Port
|
||
##
|
||
## Examples: 8083, 127.0.0.1:8083, ::1:8083
|
||
## NOTE(review): this listener carries MQTT over unencrypted WebSocket.
## Presumably a bare port binds on all addresses (confirm). Where clients
## connect over untrusted networks, use the WebSocket/SSL listener
## (listener.wss.*) instead, or bind this one to a trusted address.
listener.ws.external = 8083
|
||
|
||
## The path of WebSocket MQTT endpoint
|
||
##
|
||
## Value: URL Path
|
||
listener.ws.external.mqtt_path = /mqtt
|
||
|
||
## The acceptor pool for external MQTT/WebSocket listener.
|
||
##
|
||
## Value: Number
|
||
listener.ws.external.acceptors = 4
|
||
|
||
## Maximum number of concurrent MQTT/WebSocket connections.
|
||
##
|
||
## Value: Number
|
||
listener.ws.external.max_connections = 102400
|
||
|
||
## Maximum MQTT/WebSocket connections per second.
|
||
##
|
||
## Value: Number
|
||
listener.ws.external.max_conn_rate = 1000
|
||
|
||
## Simulate the {active, N} option for the MQTT/WebSocket connections.
|
||
##
|
||
## Value: Number
|
||
listener.ws.external.active_n = 100
|
||
|
||
## Zone of the external MQTT/WebSocket listener belonged to.
|
||
##
|
||
## Value: String
|
||
listener.ws.external.zone = external
|
||
|
||
## The access control for the MQTT/WebSocket listener.
|
||
##
|
||
## See: listener.ws.$name.access
|
||
##
|
||
## Value: ACL Rule
|
||
listener.ws.external.access.1 = allow all
|
||
|
||
## Verify if the protocol header is valid. Turn off for WeChat MiniApp.
|
||
##
|
||
## Value: on | off
|
||
listener.ws.external.verify_protocol_header = on
|
||
|
||
## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind
|
||
## HAProxy or Nginx.
|
||
##
|
||
## See: listener.ws.$name.proxy_protocol
|
||
##
|
||
## Value: on | off
|
||
## listener.ws.external.proxy_protocol = on
|
||
|
||
## Sets the timeout for proxy protocol.
|
||
##
|
||
## See: listener.ws.$name.proxy_protocol_timeout
|
||
##
|
||
## Value: Duration
|
||
## listener.ws.external.proxy_protocol_timeout = 3s
|
||
|
||
## See: listener.ssl.$name.peer_cert_as_username
|
||
##
|
||
## Value: cn
|
||
## listener.ws.external.peer_cert_as_username = cn
|
||
|
||
## See: listener.ssl.$name.peer_cert_as_clientid
|
||
##
|
||
## Value: cn
|
||
## listener.ws.external.peer_cert_as_clientid = cn
|
||
|
||
## The TCP backlog of external MQTT/WebSocket Listener.
|
||
##
|
||
## See: listener.ws.$name.backlog
|
||
##
|
||
## Value: Number >= 0
|
||
listener.ws.external.backlog = 1024
|
||
|
||
## The TCP send timeout for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.send_timeout
|
||
##
|
||
## Value: Duration
|
||
listener.ws.external.send_timeout = 15s
|
||
|
||
## Close the MQTT/WebSocket connection if send timeout.
|
||
##
|
||
## See: listener.ws.$name.send_timeout_close
|
||
##
|
||
## Value: on | off
|
||
listener.ws.external.send_timeout_close = on
|
||
|
||
## The TCP receive buffer(os kernel) for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.recbuf
|
||
##
|
||
## Value: Bytes
|
||
## listener.ws.external.recbuf = 2KB
|
||
|
||
## The TCP send buffer(os kernel) for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.sndbuf
|
||
##
|
||
## Value: Bytes
|
||
## listener.ws.external.sndbuf = 2KB
|
||
|
||
## The size of the user-level software buffer used by the driver.
|
||
##
|
||
## See: listener.ws.$name.buffer
|
||
##
|
||
## Value: Bytes
|
||
## listener.ws.external.buffer = 2KB
|
||
|
||
## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
|
||
##
|
||
## See: listener.ws.$name.tune_buffer
|
||
##
|
||
## Value: on | off
|
||
## listener.ws.external.tune_buffer = off
|
||
|
||
## The TCP_NODELAY flag for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.nodelay
|
||
##
|
||
## Value: true | false
|
||
listener.ws.external.nodelay = true
|
||
|
||
## The compress flag for external MQTT/WebSocket connections.
|
||
##
|
||
## If this Value is set true,the websocket message would be compressed
|
||
##
|
||
## Value: true | false
|
||
## listener.ws.external.compress = true
|
||
|
||
## The level of deflate options for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.deflate_opts.level
|
||
##
|
||
## Value: none | default | best_compression | best_speed
|
||
## listener.ws.external.deflate_opts.level = default
|
||
|
||
## The mem_level of deflate options for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.deflate_opts.mem_level
|
||
##
|
||
## Valid range is 1-9
|
||
## listener.ws.external.deflate_opts.mem_level = 8
|
||
|
||
## The strategy of deflate options for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.deflate_opts.strategy
|
||
##
|
||
## Value: default | filtered | huffman_only | rle
|
||
## listener.ws.external.deflate_opts.strategy = default
|
||
|
||
## The deflate option for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.deflate_opts.server_context_takeover
|
||
##
|
||
## Value: takeover | no_takeover
|
||
## listener.ws.external.deflate_opts.server_context_takeover = takeover
|
||
|
||
## The deflate option for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.deflate_opts.client_context_takeover
|
||
##
|
||
## Value: takeover | no_takeover
|
||
## listener.ws.external.deflate_opts.client_context_takeover = takeover
|
||
|
||
## The deflate options for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.deflate_opts.server_max_window_bits
|
||
##
|
||
## Valid range is 8-15
|
||
## listener.ws.external.deflate_opts.server_max_window_bits = 15
|
||
|
||
## The deflate options for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.deflate_opts.client_max_window_bits
|
||
##
|
||
## Valid range is 8-15
|
||
## listener.ws.external.deflate_opts.client_max_window_bits = 15
|
||
|
||
## The idle timeout for external MQTT/WebSocket connections.
|
||
##
|
||
## See: listener.ws.$name.idle_timeout
|
||
##
|
||
## Value: Duration
|
||
## listener.ws.external.idle_timeout = 60s
|
||
|
||
## The max frame size for external MQTT/WebSocket connections.
|
||
##
|
||
##
|
||
## Value: Number
|
||
## listener.ws.external.max_frame_size = 0
|
||
|
||
## Whether a WebSocket message is allowed to contain multiple MQTT packets
|
||
##
|
||
## Value: single | multiple
|
||
listener.ws.external.mqtt_piggyback = multiple
|
||
|
||
##--------------------------------------------------------------------
|
||
## External WebSocket/SSL listener for MQTT Protocol
|
||
|
||
## listener.wss.$name is the IP address and port that the MQTT/WebSocket/SSL
|
||
## listener will bind.
|
||
##
|
||
## Value: IP:Port | Port
|
||
##
|
||
## Examples: 8084, 127.0.0.1:8084, ::1:8084
|
||
listener.wss.external = 8084
|
||
|
||
## The path of WebSocket MQTT endpoint
|
||
##
|
||
## Value: URL Path
|
||
listener.wss.external.mqtt_path = /mqtt
|
||
|
||
## The acceptor pool for external MQTT/WebSocket/SSL listener.
|
||
##
|
||
## Value: Number
|
||
listener.wss.external.acceptors = 4
|
||
|
||
## Maximum number of concurrent MQTT/WebSocket/SSL connections.
|
||
##
|
||
## Value: Number
|
||
listener.wss.external.max_connections = 16
|
||
|
||
## Maximum MQTT/WebSocket/SSL connections per second.
|
||
##
|
||
## See: listener.tcp.$name.max_conn_rate
|
||
##
|
||
## Value: Number
|
||
listener.wss.external.max_conn_rate = 1000
|
||
|
||
## Simulate the {active, N} option for the MQTT/WebSocket/SSL connections.
|
||
##
|
||
## Value: Number
|
||
listener.wss.external.active_n = 100
|
||
|
||
## Zone of the external MQTT/WebSocket/SSL listener belonged to.
|
||
##
|
||
## Value: String
|
||
listener.wss.external.zone = external
|
||
|
||
## The access control rules for the MQTT/WebSocket/SSL listener.
|
||
##
|
||
## See: listener.tcp.$name.access.<no>
|
||
##
|
||
## Value: ACL Rule
|
||
listener.wss.external.access.1 = allow all
|
||
|
||
## See: listener.ws.external.verify_protocol_header
|
||
##
|
||
## Value: on | off
|
||
listener.wss.external.verify_protocol_header = on
|
||
|
||
## Enable the Proxy Protocol V1/2 support.
|
||
##
|
||
## See: listener.tcp.$name.proxy_protocol
|
||
##
|
||
## Value: on | off
|
||
## listener.wss.external.proxy_protocol = on
|
||
|
||
## Sets the timeout for proxy protocol.
|
||
##
|
||
## See: listener.tcp.$name.proxy_protocol_timeout
|
||
##
|
||
## Value: Duration
|
||
## listener.wss.external.proxy_protocol_timeout = 3s
|
||
|
||
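## Allowed TLS protocol versions. Listing only TLS versions (no SSLv3)
## protects against the POODLE attack. TLS 1.0 and 1.1 are deprecated
## (RFC 8996); prefer restricting this to tlsv1.2 unless legacy clients
## require the older versions.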
|
||
##
|
||
## See: listener.ssl.$name.tls_versions
|
||
##
|
||
## Value: String, separated by ','
|
||
## listener.wss.external.tls_versions = tlsv1.2,tlsv1.1,tlsv1
|
||
|
||
## Path to the file containing the user's private PEM-encoded key.
|
||
##
|
||
## See: listener.ssl.$name.keyfile
|
||
##
|
||
## Value: File
|
||
listener.wss.external.keyfile = {{ platform_etc_dir }}/certs/key.pem
|
||
|
||
## Path to a file containing the user certificate.
|
||
##
|
||
## See: listener.ssl.$name.certfile
|
||
##
|
||
## Value: File
|
||
listener.wss.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
|
||
|
||
## Path to the file containing PEM-encoded CA certificates.
|
||
##
|
||
## See: listener.ssl.$name.cacertfile
|
||
##
|
||
## Value: File
|
||
## listener.wss.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
|
||
|
||
## See: listener.ssl.$name.dhfile
|
||
##
|
||
## Value: File
|
||
## listener.wss.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem
|
||
|
||
## See: listener.ssl.$name.verify
|
||
##
|
||
## Value: verify_peer | verify_none
|
||
## listener.wss.external.verify = verify_peer
|
||
|
||
## See: listener.ssl.$name.fail_if_no_peer_cert
|
||
##
|
||
## Value: false | true
|
||
## listener.wss.external.fail_if_no_peer_cert = true
|
||
|
||
## See: listener.ssl.$name.ciphers
|
||
##
|
||
## Value: Ciphers
|
||
## NOTE(review): this list includes a 3DES suite (ECDHE-ECDSA-DES-CBC3-SHA).
## It also includes suites with no ephemeral key exchange (the ECDH-* entries
## and those with no key exchange prefix, e.g. AES256-SHA), which provide no
## forward secrecy. Trim the list to the ECDHE/DHE AEAD suites when legacy
## clients do not need the others.
listener.wss.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
|
||
|
||
## Ciphers for TLS PSK.
|
||
## Note that 'listener.wss.external.ciphers' and 'listener.wss.external.psk_ciphers' cannot
|
||
## be configured at the same time.
|
||
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
|
||
## listener.wss.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
|
||
|
||
## See: listener.ssl.$name.secure_renegotiate
|
||
##
|
||
## Value: on | off
|
||
## listener.wss.external.secure_renegotiate = off
|
||
|
||
## See: listener.ssl.$name.reuse_sessions
|
||
##
|
||
## Value: on | off
|
||
## listener.wss.external.reuse_sessions = on
|
||
|
||
## See: listener.ssl.$name.honor_cipher_order
|
||
##
|
||
## Value: on | off
|
||
## listener.wss.external.honor_cipher_order = on
|
||
|
||
## See: listener.ssl.$name.peer_cert_as_username
|
||
##
|
||
## Value: cn | dn | crt
|
||
## listener.wss.external.peer_cert_as_username = cn
|
||
|
||
## TCP backlog for the WebSocket/SSL connection.
|
||
##
|
||
## See: listener.tcp.$name.backlog
|
||
##
|
||
## Value: Number >= 0
|
||
listener.wss.external.backlog = 1024
|
||
|
||
## The TCP send timeout for the WebSocket/SSL connection.
|
||
##
|
||
## See: listener.tcp.$name.send_timeout
|
||
##
|
||
## Value: Duration
|
||
listener.wss.external.send_timeout = 15s
|
||
|
||
## Close the WebSocket/SSL connection if send timeout.
|
||
##
|
||
## See: listener.tcp.$name.send_timeout_close
|
||
##
|
||
## Value: on | off
|
||
listener.wss.external.send_timeout_close = on
|
||
|
||
## The TCP receive buffer(os kernel) for the WebSocket/SSL connections.
|
||
##
|
||
## See: listener.tcp.$name.recbuf
|
||
##
|
||
## Value: Bytes
|
||
## listener.wss.external.recbuf = 4KB
|
||
|
||
## The TCP send buffer(os kernel) for the WebSocket/SSL connections.
|
||
##
|
||
## See: listener.tcp.$name.sndbuf
|
||
##
|
||
## Value: Bytes
|
||
## listener.wss.external.sndbuf = 4KB
|
||
|
||
## The size of the user-level software buffer used by the driver.
|
||
##
|
||
## See: listener.tcp.$name.buffer
|
||
##
|
||
## Value: Bytes
|
||
## listener.wss.external.buffer = 4KB
|
||
|
||
## The TCP_NODELAY flag for WebSocket/SSL connections.
|
||
##
|
||
## See: listener.tcp.$name.nodelay
|
||
##
|
||
## Value: true | false
|
||
## listener.wss.external.nodelay = true
|
||
|
||
## The compress flag for external WebSocket/SSL connections.
|
||
##
|
||
## If this Value is set true,the websocket message would be compressed
|
||
##
|
||
## Value: true | false
|
||
## listener.wss.external.compress = true
|
||
|
||
## The level of deflate options for external WebSocket/SSL connections.
|
||
##
|
||
## See: listener.wss.$name.deflate_opts.level
|
||
##
|
||
## Value: none | default | best_compression | best_speed
|
||
## listener.wss.external.deflate_opts.level = default
|
||
|
||
## The mem_level of deflate options for external WebSocket/SSL connections.
|
||
##
|
||
## See: listener.wss.$name.deflate_opts.mem_level
|
||
##
|
||
## Valid range is 1-9
|
||
## listener.wss.external.deflate_opts.mem_level = 8
|
||
|
||
## The strategy of deflate options for external WebSocket/SSL connections.
|
||
##
|
||
## See: listener.wss.$name.deflate_opts.strategy
|
||
##
|
||
## Value: default | filtered | huffman_only | rle
|
||
## listener.wss.external.deflate_opts.strategy = default
|
||
|
||
## The deflate option for external WebSocket/SSL connections.
|
||
##
|
||
## See: listener.wss.$name.deflate_opts.server_context_takeover
|
||
##
|
||
## Value: takeover | no_takeover
|
||
## listener.wss.external.deflate_opts.server_context_takeover = takeover
|
||
|
||
## The deflate option for external WebSocket/SSL connections.
|
||
##
|
||
## See: listener.wss.$name.deflate_opts.client_context_takeover
|
||
##
|
||
## Value: takeover | no_takeover
|
||
## listener.wss.external.deflate_opts.client_context_takeover = takeover
|
||
|
||
## The deflate options for external WebSocket/SSL connections.
|
||
##
|
||
## See: listener.wss.$name.deflate_opts.server_max_window_bits
|
||
##
|
||
## Valid range is 8-15
|
||
## listener.wss.external.deflate_opts.server_max_window_bits = 15
|
||
|
||
## The deflate options for external WebSocket/SSL connections.
|
||
##
|
||
## See: listener.wss.$name.deflate_opts.client_max_window_bits
|
||
##
|
||
## Valid range is 8-15
|
||
## listener.wss.external.deflate_opts.client_max_window_bits = 15
|
||
|
||
## The idle timeout for external WebSocket/SSL connections.
|
||
##
|
||
## See: listener.wss.$name.idle_timeout
|
||
##
|
||
## Value: Duration
|
||
## listener.wss.external.idle_timeout = 60s
|
||
|
||
## The max frame size for external WebSocket/SSL connections.
|
||
##
|
||
## Value: Number
|
||
## listener.wss.external.max_frame_size = 0
|
||
|
||
## Whether a WebSocket message is allowed to contain multiple MQTT packets
|
||
##
|
||
## Value: single | multiple
|
||
listener.wss.external.mqtt_piggyback = multiple
|