emqx_example.conf
## Title
## Body
## @path listeners
listeners {
## @doc TCP listeners
## @path listeners.tcp
## @type map_struct()
# tcp.name =
## @path listeners.tcp.$name
# {
## @doc IP address and port for the listening socket.
## @path listeners.tcp.$name.bind
## @type union() emqx_schema:ip_port() | integer()
## @default 1883
# bind = 1883
## @doc The size of the listener's receiving pool.
## @path listeners.tcp.$name.acceptors
## @type pos_integer()
## @default 16
# acceptors = 16
## @doc The maximum number of concurrent connections allowed by the listener.
## @path listeners.tcp.$name.max_connections
## @type union() infinity | pos_integer()
## @default infinity
# max_connections = infinity
## @doc When publishing or subscribing, prefix all topics with a mountpoint string.
## The prefixed string will be removed from the topic name when the message
## is delivered to the subscriber. The mountpoint is a way that users can use
## to implement isolation of message routing between different listeners.
## For example if a client A subscribes to `t` with `listeners.tcp.<name>.mountpoint`
## set to `some_tenant`, then the client actually subscribes to the topic
## `some_tenant/t`. Similarly, if another client B (connected to the same listener
## as the client A) sends a message to topic `t`, the message is routed
## to all the clients subscribed `some_tenant/t`, so client A will receive the
## message, with topic name `t`.</br>
## Set to `""` to disable the feature.</br>
##
## Variables in mountpoint string:
## - <code>${clientid}</code>: clientid
## - <code>${username}</code>: username
## @path listeners.tcp.$name.mountpoint
## @type binary()
## @default ""
# mountpoint = ""
## @doc The configuration zone to which the listener belongs.
## @path listeners.tcp.$name.zone
## @type atom()
## @default default
# zone = default
## @doc Type of the rate limit.
## @path listeners.tcp.$name.limiter
## @type map_struct()
## @default {}
# limiter.ratelimit_name =
## @path listeners.tcp.$name.limiter.$ratelimit_name
## @type emqx_limiter_schema:bucket_name()
# $ratelimit_name =
## @doc The access control rules for this listener.</br>See: https://github.com/emqtt/esockd#allowdeny
## @path listeners.tcp.$name.access_rules
## @type array()
## @default ["allow all"]
# access_rules = ["allow all"]
## @doc Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.</br>
## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
## @path listeners.tcp.$name.proxy_protocol
## @type boolean()
## @default false
# proxy_protocol = false
## @doc Timeout for proxy protocol. EMQX will close the TCP connection if the proxy protocol packet is not received within the timeout.
## @path listeners.tcp.$name.proxy_protocol_timeout
## @type emqx_schema:duration()
## @default 3s
# proxy_protocol_timeout = 3s
## @doc Per-listener authentication override.
## Authentication can be one single authenticator instance or a chain of authenticators as an array.
## When authenticating a login (username, client ID, etc.) the authenticators are checked in the configured order.</br>
## @path listeners.tcp.$name.authentication
## @type array()
# authentication = []
## @path listeners.tcp.$name.tcp_options
# tcp_options {
## @doc Specify the {active, N} option for this Socket.</br>
## See: https://erlang.org/doc/man/inet.html#setopts-2
## @path listeners.tcp.$name.tcp_options.active_n
## @type integer()
## @default 100
# active_n = 100
## @doc TCP backlog defines the maximum length that the queue of
## pending connections can grow to.
## @path listeners.tcp.$name.tcp_options.backlog
## @type integer()
## @default 1024
# backlog = 1024
## @doc The TCP send timeout for the connections.
## @path listeners.tcp.$name.tcp_options.send_timeout
## @type emqx_schema:duration()
## @default 15s
# send_timeout = 15s
## @doc Close the connection if the send times out.
## @path listeners.tcp.$name.tcp_options.send_timeout_close
## @type boolean()
## @default true
# send_timeout_close = true
## @doc The TCP receive buffer (OS kernel) for the connections.
## @path listeners.tcp.$name.tcp_options.recbuf
## @type emqx_schema:bytesize()
# recbuf = 2KB
## @doc The TCP send buffer (OS kernel) for the connections.
## @path listeners.tcp.$name.tcp_options.sndbuf
## @type emqx_schema:bytesize()
# sndbuf = 4KB
## @doc The size of the user-space buffer used by the driver.
## @path listeners.tcp.$name.tcp_options.buffer
## @type emqx_schema:bytesize()
# buffer = 4KB
## @doc The socket is set to a busy state when the amount of data queued internally
## by the VM socket implementation reaches this limit.
## @path listeners.tcp.$name.tcp_options.high_watermark
## @type emqx_schema:bytesize()
## @default 1MB
# high_watermark = 1MB
## @doc The TCP_NODELAY flag for the connections.
## @path listeners.tcp.$name.tcp_options.nodelay
## @type boolean()
## @default false
# nodelay = false
## @doc The SO_REUSEADDR flag for the connections.
## @path listeners.tcp.$name.tcp_options.reuseaddr
## @type boolean()
## @default true
# reuseaddr = true
# }
# }
## @doc SSL listeners
## @path listeners.ssl
## @type map_struct()
# ssl.name =
## @path listeners.ssl.$name
# {
## @doc IP address and port for the listening socket.
## @path listeners.ssl.$name.bind
## @type union() emqx_schema:ip_port() | integer()
## @default 8883
# bind = 8883
## @doc The size of the listener's receiving pool.
## @path listeners.ssl.$name.acceptors
## @type pos_integer()
## @default 16
# acceptors = 16
## @doc The maximum number of concurrent connections allowed by the listener.
## @path listeners.ssl.$name.max_connections
## @type union() infinity | pos_integer()
## @default infinity
# max_connections = infinity
## @doc When publishing or subscribing, prefix all topics with a mountpoint string.
## The prefixed string will be removed from the topic name when the message
## is delivered to the subscriber. The mountpoint is a way that users can use
## to implement isolation of message routing between different listeners.
## For example if a client A subscribes to `t` with `listeners.tcp.<name>.mountpoint`
## set to `some_tenant`, then the client actually subscribes to the topic
## `some_tenant/t`. Similarly, if another client B (connected to the same listener
## as the client A) sends a message to topic `t`, the message is routed
## to all the clients subscribed `some_tenant/t`, so client A will receive the
## message, with topic name `t`.</br>
## Set to `""` to disable the feature.</br>
##
## Variables in mountpoint string:
## - <code>${clientid}</code>: clientid
## - <code>${username}</code>: username
## @path listeners.ssl.$name.mountpoint
## @type binary()
## @default ""
# mountpoint = ""
## @doc The configuration zone to which the listener belongs.
## @path listeners.ssl.$name.zone
## @type atom()
## @default default
# zone = default
## @doc Type of the rate limit.
## @path listeners.ssl.$name.limiter
## @type map_struct()
## @default {}
# limiter.ratelimit_name =
## @path listeners.ssl.$name.limiter.$ratelimit_name
## @type emqx_limiter_schema:bucket_name()
# $ratelimit_name =
## @doc The access control rules for this listener.</br>See: https://github.com/emqtt/esockd#allowdeny
## @path listeners.ssl.$name.access_rules
## @type array()
## @default ["allow all"]
# access_rules = ["allow all"]
## @doc Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.</br>
## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
## @path listeners.ssl.$name.proxy_protocol
## @type boolean()
## @default false
# proxy_protocol = false
## @doc Timeout for proxy protocol. EMQX will close the TCP connection if the proxy protocol packet is not received within the timeout.
## @path listeners.ssl.$name.proxy_protocol_timeout
## @type emqx_schema:duration()
## @default 3s
# proxy_protocol_timeout = 3s
## @doc Per-listener authentication override.
## Authentication can be one single authenticator instance or a chain of authenticators as an array.
## When authenticating a login (username, client ID, etc.) the authenticators are checked in the configured order.</br>
## @path listeners.ssl.$name.authentication
## @type array()
## @link listeners.tcp.$name.authentication
# authentication = []
## @path listeners.ssl.$name.tcp_options
## @link listeners.tcp.$name.tcp_options
# tcp_options {
## @doc Specify the {active, N} option for this Socket.</br>
## See: https://erlang.org/doc/man/inet.html#setopts-2
## @path listeners.ssl.$name.tcp_options.active_n
## @type integer()
## @default 100
# active_n = 100
## @doc TCP backlog defines the maximum length that the queue of
## pending connections can grow to.
## @path listeners.ssl.$name.tcp_options.backlog
## @type integer()
## @default 1024
# backlog = 1024
## @doc The TCP send timeout for the connections.
## @path listeners.ssl.$name.tcp_options.send_timeout
## @type emqx_schema:duration()
## @default 15s
# send_timeout = 15s
## @doc Close the connection if the send times out.
## @path listeners.ssl.$name.tcp_options.send_timeout_close
## @type boolean()
## @default true
# send_timeout_close = true
## @doc The TCP receive buffer (OS kernel) for the connections.
## @path listeners.ssl.$name.tcp_options.recbuf
## @type emqx_schema:bytesize()
# recbuf = 2KB
## @doc The TCP send buffer (OS kernel) for the connections.
## @path listeners.ssl.$name.tcp_options.sndbuf
## @type emqx_schema:bytesize()
# sndbuf = 4KB
## @doc The size of the user-space buffer used by the driver.
## @path listeners.ssl.$name.tcp_options.buffer
## @type emqx_schema:bytesize()
# buffer = 4KB
## @doc The socket is set to a busy state when the amount of data queued internally
## by the VM socket implementation reaches this limit.
## @path listeners.ssl.$name.tcp_options.high_watermark
## @type emqx_schema:bytesize()
## @default 1MB
# high_watermark = 1MB
## @doc The TCP_NODELAY flag for the connections.
## @path listeners.ssl.$name.tcp_options.nodelay
## @type boolean()
## @default false
# nodelay = false
## @doc The SO_REUSEADDR flag for the connections.
## @path listeners.ssl.$name.tcp_options.reuseaddr
## @type boolean()
## @default true
# reuseaddr = true
# }
## @path listeners.ssl.$name.ssl_options
# ssl_options {
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated (and reloads it).</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path listeners.ssl.$name.ssl_options.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reverse order of the certificate
## issuance chain. That is, the host's certificate should be placed at the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path listeners.ssl.$name.ssl_options.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path listeners.ssl.$name.ssl_options.keyfile
## @type binary()
# keyfile =
## @doc Enable or disable peer verification.
## @path listeners.ssl.$name.ssl_options.verify
## @type enum: verify_peer | verify_none
## @default verify_none
# verify = verify_none
## @doc Enable TLS session reuse.
## @path listeners.ssl.$name.ssl_options.reuse_sessions
## @type boolean()
## @default true
# reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path listeners.ssl.$name.ssl_options.depth
## @type integer()
## @default 10
# depth = 10
## @doc String containing the user's password.
## Only used if the private key file is password-protected.
## @path listeners.ssl.$name.ssl_options.password
## @type string()
# password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.</br>
## In case PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.
## @path listeners.ssl.$name.ssl_options.versions
## @type array()
## @default [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
# versions = [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by the EMQX config
## documentation are in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be disabled from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## @path listeners.ssl.$name.ssl_options.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
# ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.
## @path listeners.ssl.$name.ssl_options.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
# user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, which is prone to MitM attacks.
## @path listeners.ssl.$name.ssl_options.secure_renegotiate
## @type boolean()
## @default true
# secure_renegotiate = true
## @doc Path to a file containing PEM-encoded Diffie-Hellman parameters
## to be used by the server if a cipher suite using Diffie-Hellman
## key exchange is negotiated. If not specified, default parameters
## are used.</br>
## NOTE: The <code>dhfile</code> option is not supported by TLS 1.3.
## @path listeners.ssl.$name.ssl_options.dhfile
## @type string()
# dhfile =
## @doc Used together with {verify, verify_peer} by a TLS/DTLS server.
## If set to true, the server fails if the client does not have a
## certificate to send, that is, sends an empty certificate.
## If set to false, it fails only if the client sends an invalid
## certificate (an empty certificate is considered valid).
## @path listeners.ssl.$name.ssl_options.fail_if_no_peer_cert
## @type boolean()
## @default false
# fail_if_no_peer_cert = false
## @doc An important security setting: it forces the cipher suite to be selected based
## on the server-specified order instead of the client-specified order,
## hence enforcing the (usually more properly configured) security
## ordering chosen by the server administrator.
## @path listeners.ssl.$name.ssl_options.honor_cipher_order
## @type boolean()
## @default true
# honor_cipher_order = true
## @doc In protocols that support client-initiated renegotiation,
## the cost of resources of such an operation is higher for the server than the client.
## This can act as a vector for denial of service attacks.
## The SSL application already takes measures to counteract such attempts,
## but client-initiated renegotiation can be strictly disabled by setting this option to false.
## The default value is true. Note that disabling renegotiation can result in
## long-lived connections becoming unusable due to limits on
## the number of messages the underlying cipher suite can encipher.
## @path listeners.ssl.$name.ssl_options.client_renegotiation
## @type boolean()
## @default true
# client_renegotiation = true
# }
# }
## @doc HTTP websocket listeners
## @path listeners.ws
## @type map_struct()
# ws.name =
## @path listeners.ws.$name
# {
## @doc IP address and port for the listening socket.
## @path listeners.ws.$name.bind
## @type union() emqx_schema:ip_port() | integer()
## @default 8083
# bind = 8083
## @doc The size of the listener's receiving pool.
## @path listeners.ws.$name.acceptors
## @type pos_integer()
## @default 16
# acceptors = 16
## @doc The maximum number of concurrent connections allowed by the listener.
## @path listeners.ws.$name.max_connections
## @type union() infinity | pos_integer()
## @default infinity
# max_connections = infinity
## @doc When publishing or subscribing, prefix all topics with a mountpoint string.
## The prefixed string will be removed from the topic name when the message
## is delivered to the subscriber. The mountpoint is a way that users can use
## to implement isolation of message routing between different listeners.
## For example if a client A subscribes to `t` with `listeners.tcp.<name>.mountpoint`
## set to `some_tenant`, then the client actually subscribes to the topic
## `some_tenant/t`. Similarly, if another client B (connected to the same listener
## as the client A) sends a message to topic `t`, the message is routed
## to all the clients subscribed `some_tenant/t`, so client A will receive the
## message, with topic name `t`.</br>
## Set to `""` to disable the feature.</br>
##
## Variables in mountpoint string:
## - <code>${clientid}</code>: clientid
## - <code>${username}</code>: username
## @path listeners.ws.$name.mountpoint
## @type binary()
## @default ""
# mountpoint = ""
## @doc The configuration zone to which the listener belongs.
## @path listeners.ws.$name.zone
## @type atom()
## @default default
# zone = default
## @doc Type of the rate limit.
## @path listeners.ws.$name.limiter
## @type map_struct()
## @default {}
# limiter.ratelimit_name =
## @path listeners.ws.$name.limiter.$ratelimit_name
## @type emqx_limiter_schema:bucket_name()
# $ratelimit_name =
## @doc The access control rules for this listener.</br>See: https://github.com/emqtt/esockd#allowdeny
## @path listeners.ws.$name.access_rules
## @type array()
## @default ["allow all"]
# access_rules = ["allow all"]
## @doc Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.</br>
## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
## @path listeners.ws.$name.proxy_protocol
## @type boolean()
## @default false
# proxy_protocol = false
## @doc Timeout for proxy protocol. EMQX will close the TCP connection if the proxy protocol packet is not received within the timeout.
## @path listeners.ws.$name.proxy_protocol_timeout
## @type emqx_schema:duration()
## @default 3s
# proxy_protocol_timeout = 3s
## @doc Per-listener authentication override.
## Authentication can be one single authenticator instance or a chain of authenticators as an array.
## When authenticating a login (username, client ID, etc.) the authenticators are checked in the configured order.</br>
## @path listeners.ws.$name.authentication
## @type array()
## @link listeners.tcp.$name.authentication
# authentication = []
## @path listeners.ws.$name.tcp_options
## @link listeners.tcp.$name.tcp_options
# tcp_options {
## @doc Specify the {active, N} option for this Socket.</br>
## See: https://erlang.org/doc/man/inet.html#setopts-2
## @path listeners.ws.$name.tcp_options.active_n
## @type integer()
## @default 100
# active_n = 100
## @doc TCP backlog defines the maximum length that the queue of
## pending connections can grow to.
## @path listeners.ws.$name.tcp_options.backlog
## @type integer()
## @default 1024
# backlog = 1024
## @doc The TCP send timeout for the connections.
## @path listeners.ws.$name.tcp_options.send_timeout
## @type emqx_schema:duration()
## @default 15s
# send_timeout = 15s
## @doc Close the connection if the send times out.
## @path listeners.ws.$name.tcp_options.send_timeout_close
## @type boolean()
## @default true
# send_timeout_close = true
## @doc The TCP receive buffer (OS kernel) for the connections.
## @path listeners.ws.$name.tcp_options.recbuf
## @type emqx_schema:bytesize()
# recbuf = 2KB
## @doc The TCP send buffer (OS kernel) for the connections.
## @path listeners.ws.$name.tcp_options.sndbuf
## @type emqx_schema:bytesize()
# sndbuf = 4KB
## @doc The size of the user-space buffer used by the driver.
## @path listeners.ws.$name.tcp_options.buffer
## @type emqx_schema:bytesize()
# buffer = 4KB
## @doc The socket is set to a busy state when the amount of data queued internally
## by the VM socket implementation reaches this limit.
## @path listeners.ws.$name.tcp_options.high_watermark
## @type emqx_schema:bytesize()
## @default 1MB
# high_watermark = 1MB
## @doc The TCP_NODELAY flag for the connections.
## @path listeners.ws.$name.tcp_options.nodelay
## @type boolean()
## @default false
# nodelay = false
## @doc The SO_REUSEADDR flag for the connections.
## @path listeners.ws.$name.tcp_options.reuseaddr
## @type boolean()
## @default true
# reuseaddr = true
# }
## @path listeners.ws.$name.websocket
# websocket {
## @doc WebSocket's MQTT protocol path. So the address of EMQX Broker's WebSocket is:
## <code>ws://{ip}:{port}/mqtt</code>
## @path listeners.ws.$name.websocket.mqtt_path
## @type string()
## @default "/mqtt"
# mqtt_path = "/mqtt"
## @doc Whether a WebSocket message is allowed to contain multiple MQTT packets.
## @path listeners.ws.$name.websocket.mqtt_piggyback
## @type enum: single | multiple
## @default multiple
# mqtt_piggyback = multiple
## @doc If <code>true</code>, compress WebSocket messages using <code>zlib</code>.</br>
## The configuration items under <code>deflate_opts</code> belong to the compression-related parameter configuration.
## @path listeners.ws.$name.websocket.compress
## @type boolean()
## @default false
# compress = false
## @doc Close transport-layer connections from clients that have not sent an MQTT CONNECT
## message within this interval.
## @path listeners.ws.$name.websocket.idle_timeout
## @type emqx_schema:duration()
## @default 7200s
# idle_timeout = 7200s
## @doc The maximum length of a single MQTT packet.
## @path listeners.ws.$name.websocket.max_frame_size
## @type union() infinity | integer()
## @default infinity
# max_frame_size = infinity
## @doc If <code>true</code>, the server will return an error when
## the client does not carry the <code>Sec-WebSocket-Protocol</code> field.
## </br>Note: the WeChat applet requires this verification to be disabled.
## @path listeners.ws.$name.websocket.fail_if_no_subprotocol
## @type boolean()
## @default true
# fail_if_no_subprotocol = true
## @doc Comma-separated list of supported subprotocols.
## @path listeners.ws.$name.websocket.supported_subprotocols
## @type emqx_schema:comma_separated_list()
## @default "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
# supported_subprotocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
## @doc If <code>true</code>, the <code>origin</code> HTTP header will be
## validated against the list of allowed origins configured in the <code>check_origins</code>
## parameter.
## @path listeners.ws.$name.websocket.check_origin_enable
## @type boolean()
## @default false
# check_origin_enable = false
## @doc If <code>false</code> and <code>check_origin_enable</code> is
## <code>true</code>, the server will reject requests that don't have <code>origin</code>
## HTTP header.
## @path listeners.ws.$name.websocket.allow_origin_absence
## @type boolean()
## @default true
# allow_origin_absence = true
## @doc List of allowed origins.</br>See <code>check_origin_enable</code>.
## @path listeners.ws.$name.websocket.check_origins
## @type emqx_schema:comma_separated_binary()
## @default []
# check_origins = "http://localhost:18083, http://127.0.0.1:18083"
## @doc HTTP header used to pass information about the client IP address.
## Relevant when the EMQX cluster is deployed behind a load-balancer that sets this header;
## otherwise the value is client-supplied and should not be relied upon.
## @path listeners.ws.$name.websocket.proxy_address_header
## @type string()
## @default "x-forwarded-for"
# proxy_address_header = "x-forwarded-for"
## @doc HTTP header used to pass information about the client port.
## Relevant when the EMQX cluster is deployed behind a load-balancer that sets this header;
## otherwise the value is client-supplied and should not be relied upon.
## @path listeners.ws.$name.websocket.proxy_port_header
## @type string()
## @default "x-forwarded-port"
# proxy_port_header = "x-forwarded-port"
## @path listeners.ws.$name.websocket.deflate_opts
# deflate_opts {
## @doc Compression level.
## @path listeners.ws.$name.websocket.deflate_opts.level
## @type enum: none | default | best_compression | best_speed
# level =
## @doc Specifies the size of the compression state.</br>
## Lower values decrease memory usage per connection.
## @path listeners.ws.$name.websocket.deflate_opts.mem_level
## @type 1..9
## @default 8
# mem_level = 8
## @doc Specifies the compression strategy.
## @path listeners.ws.$name.websocket.deflate_opts.strategy
## @type enum: default | filtered | huffman_only | rle
## @default default
# strategy = default
## @doc Takeover means the compression state is retained between server messages.
## @path listeners.ws.$name.websocket.deflate_opts.server_context_takeover
## @type enum: takeover | no_takeover
## @default takeover
# server_context_takeover = takeover
## @doc Takeover means the compression state is retained between client messages.
## @path listeners.ws.$name.websocket.deflate_opts.client_context_takeover
## @type enum: takeover | no_takeover
## @default takeover
# client_context_takeover = takeover
## @doc Specifies the size of the compression context for the server.
## @path listeners.ws.$name.websocket.deflate_opts.server_max_window_bits
## @type 8..15
## @default 15
# server_max_window_bits = 15
## @doc Specifies the size of the compression context for the client.
## @path listeners.ws.$name.websocket.deflate_opts.client_max_window_bits
## @type 8..15
## @default 15
# client_max_window_bits = 15
# }
# }
# }
## @doc HTTPS websocket listeners
## @path listeners.wss
## @type map_struct()
# wss.name =
## @path listeners.wss.$name
# {
## @doc IP address and port for the listening socket.
## @path listeners.wss.$name.bind
## @type union() emqx_schema:ip_port() | integer()
## @default 8084
# bind = 8084
## @doc The size of the listener's receiving pool.
## @path listeners.wss.$name.acceptors
## @type pos_integer()
## @default 16
# acceptors = 16
## @doc The maximum number of concurrent connections allowed by the listener.
## @path listeners.wss.$name.max_connections
## @type union() infinity | pos_integer()
## @default infinity
# max_connections = infinity
## @doc When publishing or subscribing, prefix all topics with a mountpoint string.
## The prefixed string will be removed from the topic name when the message
## is delivered to the subscriber. The mountpoint is a way that users can use
## to implement isolation of message routing between different listeners.
## For example if a client A subscribes to `t` with `listeners.tcp.<name>.mountpoint`
## set to `some_tenant`, then the client actually subscribes to the topic
## `some_tenant/t`. Similarly, if another client B (connected to the same listener
## as the client A) sends a message to topic `t`, the message is routed
## to all the clients subscribed `some_tenant/t`, so client A will receive the
## message, with topic name `t`.</br>
## Set to `""` to disable the feature.</br>
##
## Variables in mountpoint string:
## - <code>${clientid}</code>: clientid
## - <code>${username}</code>: username
## @path listeners.wss.$name.mountpoint
## @type binary()
## @default ""
# mountpoint = ""
## @doc The configuration zone to which the listener belongs.
## @path listeners.wss.$name.zone
## @type atom()
## @default default
# zone = default
## @doc Type of the rate limit.
## @path listeners.wss.$name.limiter
## @type map_struct()
## @default {}
# limiter.ratelimit_name =
## @path listeners.wss.$name.limiter.$ratelimit_name
## @type emqx_limiter_schema:bucket_name()
# $ratelimit_name =
## @doc The access control rules for this listener.</br>See: https://github.com/emqtt/esockd#allowdeny
## @path listeners.wss.$name.access_rules
## @type array()
## @default ["allow all"]
# access_rules = ["allow all"]
## @doc Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.</br>
## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
## @path listeners.wss.$name.proxy_protocol
## @type boolean()
## @default false
# proxy_protocol = false
## @doc Timeout for the proxy protocol. EMQX will close the TCP connection if the proxy protocol packet is not received within the timeout.
## @path listeners.wss.$name.proxy_protocol_timeout
## @type emqx_schema:duration()
## @default 3s
# proxy_protocol_timeout = 3s
## @doc Per-listener authentication override.
## Authentication can be one single authenticator instance or a chain of authenticators as an array.
## When authenticating a login (username, client ID, etc.) the authenticators are checked in the configured order.</br>
## @path listeners.wss.$name.authentication
## @type array()
## @link listeners.tcp.$name.authentication
# authentication = []
## @path listeners.wss.$name.tcp_options
## @link listeners.tcp.$name.tcp_options
# tcp_options {
## @doc Specify the {active, N} option for this Socket.</br>
## See: https://erlang.org/doc/man/inet.html#setopts-2
## @path listeners.wss.$name.tcp_options.active_n
## @type integer()
## @default 100
# active_n = 100
## @doc TCP backlog defines the maximum length that the queue of
## pending connections can grow to.
## @path listeners.wss.$name.tcp_options.backlog
## @type integer()
## @default 1024
# backlog = 1024
## @doc The TCP send timeout for the connections.
## @path listeners.wss.$name.tcp_options.send_timeout
## @type emqx_schema:duration()
## @default 15s
# send_timeout = 15s
## @doc Close the connection if the send timeout is reached.
## @path listeners.wss.$name.tcp_options.send_timeout_close
## @type boolean()
## @default true
# send_timeout_close = true
## @doc The TCP receive buffer (OS kernel) for the connections.
## @path listeners.wss.$name.tcp_options.recbuf
## @type emqx_schema:bytesize()
# recbuf = 2KB
## @doc The TCP send buffer (OS kernel) for the connections.
## @path listeners.wss.$name.tcp_options.sndbuf
## @type emqx_schema:bytesize()
# sndbuf = 4KB
## @doc The size of the user-space buffer used by the driver.
## @path listeners.wss.$name.tcp_options.buffer
## @type emqx_schema:bytesize()
# buffer = 4KB
## @doc The socket is set to a busy state when the amount of data queued internally
## by the VM socket implementation reaches this limit.
## @path listeners.wss.$name.tcp_options.high_watermark
## @type emqx_schema:bytesize()
## @default 1MB
# high_watermark = 1MB
## @doc The TCP_NODELAY flag for the connections.
## @path listeners.wss.$name.tcp_options.nodelay
## @type boolean()
## @default false
# nodelay = false
## @doc The SO_REUSEADDR flag for the connections.
## @path listeners.wss.$name.tcp_options.reuseaddr
## @type boolean()
## @default true
# reuseaddr = true
# }
## @path listeners.wss.$name.ssl_options
# ssl_options {
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated (and reloads it).</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path listeners.wss.$name.ssl_options.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reversed order of the certificate
## issue chain. That is, the host's certificate should be placed in the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path listeners.wss.$name.ssl_options.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path listeners.wss.$name.ssl_options.keyfile
## @type binary()
# keyfile =
## @doc Enable (<code>verify_peer</code>) or disable (<code>verify_none</code>) verification of the peer's certificate.
## @path listeners.wss.$name.ssl_options.verify
## @type enum: verify_peer | verify_none
## @default verify_none
# verify = verify_none
## @doc Enable TLS session reuse.
## @path listeners.wss.$name.ssl_options.reuse_sessions
## @type boolean()
## @default true
# reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path listeners.wss.$name.ssl_options.depth
## @type integer()
## @default 10
# depth = 10
## @doc String containing the user's password.
## Only used if the private key file is password-protected.
## @path listeners.wss.$name.ssl_options.password
## @type string()
# password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.</br>
## In case PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.
## @path listeners.wss.$name.ssl_options.versions
## @type array()
## @default [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
# versions = [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by the EMQX config
## documentation are in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be disabled from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## @path listeners.wss.$name.ssl_options.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
# ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to look up the pre-shared key (PSK) identity.
## @path listeners.wss.$name.ssl_options.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
# user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, prone to MitM attacks.
## @path listeners.wss.$name.ssl_options.secure_renegotiate
## @type boolean()
## @default true
# secure_renegotiate = true
## @doc Path to a file containing PEM-encoded Diffie-Hellman parameters
## to be used by the server if a cipher suite using Diffie-Hellman
## key exchange is negotiated. If not specified, default parameters
## are used.</br>
## NOTE: The <code>dhfile</code> option is not supported by TLS 1.3.
## @path listeners.wss.$name.ssl_options.dhfile
## @type string()
# dhfile =
## @doc Used together with {verify, verify_peer} by a TLS/DTLS server.
## If set to true, the server fails if the client does not have a
## certificate to send, that is, sends an empty certificate.
## If set to false, it fails only if the client sends an invalid
## certificate (an empty certificate is considered valid).
## @path listeners.wss.$name.ssl_options.fail_if_no_peer_cert
## @type boolean()
## @default false
# fail_if_no_peer_cert = false
## @doc An important security setting: it forces the cipher suite to be chosen based
## on the server-specified order instead of the client-specified order,
## hence enforcing the (usually more carefully configured) security
## ordering of the server administrator.
## @path listeners.wss.$name.ssl_options.honor_cipher_order
## @type boolean()
## @default true
# honor_cipher_order = true
## @doc In protocols that support client-initiated renegotiation,
## the cost of resources of such an operation is higher for the server than the client.
## This can act as a vector for denial of service attacks.
## The SSL application already takes measures to counteract such attempts,
## but client-initiated renegotiation can be strictly disabled by setting this option to false.
## The default value is true. Note that disabling renegotiation can result in
## long-lived connections becoming unusable due to limits on
## the number of messages the underlying cipher suite can encipher.
## @path listeners.wss.$name.ssl_options.client_renegotiation
## @type boolean()
## @default true
# client_renegotiation = true
## @doc Maximum time duration allowed for the handshake to complete.
## @path listeners.wss.$name.ssl_options.handshake_timeout
## @type emqx_schema:duration()
## @default 15s
# handshake_timeout = 15s
# }
## @path listeners.wss.$name.websocket
## @link listeners.ws.$name.websocket
# websocket {
## @doc WebSocket's MQTT protocol path. So the address of EMQX Broker's WebSocket is:
## <code>ws://{ip}:{port}/mqtt</code>
## @path listeners.wss.$name.websocket.mqtt_path
## @type string()
## @default "/mqtt"
# mqtt_path = "/mqtt"
## @doc Whether a WebSocket message is allowed to contain multiple MQTT packets.
## @path listeners.wss.$name.websocket.mqtt_piggyback
## @type enum: single | multiple
## @default multiple
# mqtt_piggyback = multiple
## @doc If <code>true</code>, compress WebSocket messages using <code>zlib</code>.</br>
## The compression parameters are configured under <code>deflate_opts</code>.
## @path listeners.wss.$name.websocket.compress
## @type boolean()
## @default false
# compress = false
## @doc Close transport-layer connections from the clients that have not sent MQTT CONNECT
## message within this interval.
## @path listeners.wss.$name.websocket.idle_timeout
## @type emqx_schema:duration()
## @default 7200s
# idle_timeout = 7200s
## @doc The maximum length of a single MQTT packet.
## @path listeners.wss.$name.websocket.max_frame_size
## @type union() infinity | integer()
## @default infinity
# max_frame_size = infinity
## @doc If <code>true</code>, the server will return an error when
## the client does not carry the <code>Sec-WebSocket-Protocol</code> field.
## </br>Note: WeChat applet needs to disable this verification.
## @path listeners.wss.$name.websocket.fail_if_no_subprotocol
## @type boolean()
## @default true
# fail_if_no_subprotocol = true
## @doc Comma-separated list of supported subprotocols.
## @path listeners.wss.$name.websocket.supported_subprotocols
## @type emqx_schema:comma_separated_list()
## @default "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
# supported_subprotocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
## @doc If <code>true</code>, the <code>origin</code> HTTP header will be
## validated against the list of allowed origins configured in the <code>check_origins</code>
## parameter.
## @path listeners.wss.$name.websocket.check_origin_enable
## @type boolean()
## @default false
# check_origin_enable = false
## @doc If <code>false</code> and <code>check_origin_enable</code> is
## <code>true</code>, the server will reject requests that do not carry an <code>origin</code>
## HTTP header.
## @path listeners.wss.$name.websocket.allow_origin_absence
## @type boolean()
## @default true
# allow_origin_absence = true
## @doc List of allowed origins.</br>See <code>check_origin_enable</code>.
## @path listeners.wss.$name.websocket.check_origins
## @type emqx_schema:comma_separated_binary()
## @default []
# check_origins = "http://localhost:18083, http://127.0.0.1:18083"
## @doc HTTP header used to pass information about the client IP address.
## Relevant when the EMQX cluster is deployed behind a load-balancer.
## @path listeners.wss.$name.websocket.proxy_address_header
## @type string()
## @default "x-forwarded-for"
# proxy_address_header = "x-forwarded-for"
## @doc HTTP header used to pass information about the client port.
## Relevant when the EMQX cluster is deployed behind a load-balancer.
## @path listeners.wss.$name.websocket.proxy_port_header
## @type string()
## @default "x-forwarded-port"
# proxy_port_header = "x-forwarded-port"
## @path listeners.wss.$name.websocket.deflate_opts
## @link listeners.ws.$name.websocket.deflate_opts
# deflate_opts {
## @doc Compression level.
## @path listeners.wss.$name.websocket.deflate_opts.level
## @type enum: none | default | best_compression | best_speed
# level =
## @doc Specifies the size of the compression state.</br>
## Lower values decrease memory usage per connection.
## @path listeners.wss.$name.websocket.deflate_opts.mem_level
## @type 1..9
## @default 8
# mem_level = 8
## @doc Specifies the compression strategy.
## @path listeners.wss.$name.websocket.deflate_opts.strategy
## @type enum: default | filtered | huffman_only | rle
## @default default
# strategy = default
## @doc Takeover means the compression state is retained between server messages.
## @path listeners.wss.$name.websocket.deflate_opts.server_context_takeover
## @type enum: takeover | no_takeover
## @default takeover
# server_context_takeover = takeover
## @doc Takeover means the compression state is retained between client messages.
## @path listeners.wss.$name.websocket.deflate_opts.client_context_takeover
## @type enum: takeover | no_takeover
## @default takeover
# client_context_takeover = takeover
## @doc Specifies the size of the compression context for the server.
## @path listeners.wss.$name.websocket.deflate_opts.server_max_window_bits
## @type 8..15
## @default 15
# server_max_window_bits = 15
## @doc Specifies the size of the compression context for the client.
## @path listeners.wss.$name.websocket.deflate_opts.client_max_window_bits
## @type 8..15
## @default 15
# client_max_window_bits = 15
# }
# }
# }
## @doc QUIC listeners
## @path listeners.quic
## @type map_struct()
# quic.name =
## @path listeners.quic.$name
# {
## @doc Enable QUIC listener.
## @path listeners.quic.$name.enabled
## @type boolean()
## @default true
# enabled = true
## @doc Path to the certificate file.
## @path listeners.quic.$name.certfile
## @type string()
# certfile =
## @doc Path to the secret key file.
## @path listeners.quic.$name.keyfile
## @type string()
# keyfile =
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by the EMQX config
## documentation are in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be disabled from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
##
## NOTE: QUIC listener supports only 'tlsv1.3' ciphers.</br>
## @path listeners.quic.$name.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]
# ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]
## @doc Close transport-layer connections from the clients that have not sent MQTT CONNECT
## message within this interval.
## @path listeners.quic.$name.idle_timeout
## @type emqx_schema:duration()
## @default 15s
# idle_timeout = 15s
## @doc IP address and port for the listening socket.
## @path listeners.quic.$name.bind
## @type union() emqx_schema:ip_port() | integer()
## @default 14567
# bind = 14567
## @doc The size of the listener's receiving pool.
## @path listeners.quic.$name.acceptors
## @type pos_integer()
## @default 16
# acceptors = 16
## @doc The maximum number of concurrent connections allowed by the listener.
## @path listeners.quic.$name.max_connections
## @type union() infinity | pos_integer()
## @default infinity
# max_connections = infinity
## @doc When publishing or subscribing, prefix all topics with a mountpoint string.
## The prefixed string will be removed from the topic name when the message
## is delivered to the subscriber. The mountpoint is a way that users can use
## to implement isolation of message routing between different listeners.
## For example if a client A subscribes to `t` with `listeners.tcp.<name>.mountpoint`
## set to `some_tenant`, then the client actually subscribes to the topic
## `some_tenant/t`. Similarly, if another client B (connected to the same listener
## as the client A) sends a message to topic `t`, the message is routed
## to all the clients subscribed to `some_tenant/t`, so client A will receive the
## message, with topic name `t`.</br>
## Set to `""` to disable the feature.</br>
##
## Variables in mountpoint string:
## - <code>${clientid}</code>: clientid
## - <code>${username}</code>: username
## @path listeners.quic.$name.mountpoint
## @type binary()
## @default ""
# mountpoint = ""
## @doc The configuration zone to which the listener belongs.
## @path listeners.quic.$name.zone
## @type atom()
## @default default
# zone = default
## @doc Type of the rate limit.
## @path listeners.quic.$name.limiter
## @type map_struct()
## @default {}
# limiter.ratelimit_name =
## @path listeners.quic.$name.limiter.$ratelimit_name
## @type emqx_limiter_schema:bucket_name()
# $ratelimit_name =
# }
}
## @doc A zone is a set of configs grouped by the zone <code>name</code>.
## For flexible configuration mapping, the <code>name</code> can be set to a listener's <code>zone</code> config.
## NOTE: A built-in zone named <code>default</code> is auto-created and cannot be deleted.
## @path zones
## @type map_struct()
# zones.name =
## @path zones.$name
# {
## @path zones.$name.mqtt
# mqtt {
## @doc After the TCP connection is established, if the MQTT CONNECT packet from the client is not received within the time specified by <code>idle_timeout</code>, the connection will be disconnected.
## @path zones.$name.mqtt.idle_timeout
## @type union() infinity | emqx_schema:duration()
# idle_timeout =
## @doc Maximum MQTT packet size allowed.
## @path zones.$name.mqtt.max_packet_size
## @type emqx_schema:bytesize()
# max_packet_size =
## @doc Maximum allowed length of MQTT Client ID.
## @path zones.$name.mqtt.max_clientid_len
## @type 23..65535
# max_clientid_len =
## @doc Maximum topic levels allowed.
## @path zones.$name.mqtt.max_topic_levels
## @type 1..65535
# max_topic_levels =
## @doc Maximum QoS allowed.
## @path zones.$name.mqtt.max_qos_allowed
## @type qos()
# max_qos_allowed =
## @doc Maximum topic alias, 0 means no topic alias supported.
## @path zones.$name.mqtt.max_topic_alias
## @type 0..65535
# max_topic_alias =
## @doc Whether to enable support for MQTT retained message.
## @path zones.$name.mqtt.retain_available
## @type boolean()
# retain_available =
## @doc Whether to enable support for MQTT wildcard subscription.
## @path zones.$name.mqtt.wildcard_subscription
## @type boolean()
# wildcard_subscription =
## @doc Whether to enable support for MQTT shared subscription.
## @path zones.$name.mqtt.shared_subscription
## @type boolean()
# shared_subscription =
## @doc Ignore loop delivery of messages for MQTT v3.1.1/v3.1.0, similar to <code>No Local</code> subscription option in MQTT 5.0
## @path zones.$name.mqtt.ignore_loop_deliver
## @type boolean()
# ignore_loop_deliver =
## @doc Parse MQTT messages in strict mode.
## When set to true, invalid UTF-8 strings in, for example, the client ID or topic name will cause the client to be disconnected.
## @path zones.$name.mqtt.strict_mode
## @type boolean()
# strict_mode =
## @doc Specify the response information returned to the client. This feature is disabled if it is set to "". Applies only to clients using MQTT 5.0.
## @path zones.$name.mqtt.response_information
## @type string()
# response_information =
## @doc The keep alive that EMQX requires the client to use. If configured as <code>disabled</code>, it means that the keep alive specified by the client will be used. Requires <code>Server Keep Alive</code> in MQTT 5.0, so it is only applicable to clients using MQTT 5.0 protocol.
## @path zones.$name.mqtt.server_keepalive
## @type union() integer() | disabled
# server_keepalive =
## @doc The backoff multiplier used by the broker to determine the client keep alive timeout. If EMQX doesn't receive any packet in <code>Keep Alive * Backoff * 2</code> seconds, EMQX will close the current connection.
## @path zones.$name.mqtt.keepalive_backoff
## @type float()
# keepalive_backoff =
## @doc Maximum number of subscriptions allowed per client.
## @path zones.$name.mqtt.max_subscriptions
## @type union() 1..inf | infinity
# max_subscriptions =
## @doc Force upgrade of QoS level according to subscription.
## @path zones.$name.mqtt.upgrade_qos
## @type boolean()
# upgrade_qos =
## @doc Maximum number of QoS 1 and QoS 2 messages that are allowed to be delivered simultaneously before completing the acknowledgment.
## @path zones.$name.mqtt.max_inflight
## @type 1..65535
# max_inflight =
## @doc Retry interval for QoS 1/2 message delivering.
## @path zones.$name.mqtt.retry_interval
## @type emqx_schema:duration()
# retry_interval =
## @doc Maximum QoS 2 packets (Client -> Broker) awaiting PUBREL.
## @path zones.$name.mqtt.max_awaiting_rel
## @type union() integer() | infinity
# max_awaiting_rel =
## @doc The QoS 2 messages (Client -> Broker) will be dropped if awaiting PUBREL timeout.
## @path zones.$name.mqtt.await_rel_timeout
## @type emqx_schema:duration()
# await_rel_timeout =
## @doc Specifies how long the session will expire after the connection is disconnected, only for non-MQTT 5.0 connections.
## @path zones.$name.mqtt.session_expiry_interval
## @type emqx_schema:duration()
# session_expiry_interval =
## @doc Maximum queue length. Messages are enqueued when a persistent client is disconnected or the inflight window is full.
## @path zones.$name.mqtt.max_mqueue_len
## @type union() non_neg_integer() | infinity
# max_mqueue_len =
## @doc Topic priorities. Priority number [1-255]
## There's no priority table by default, hence all messages are treated equal.
##
## **NOTE**: Comma and equal signs are not allowed for priority topic names.
## **NOTE**: Messages for topics not in the priority table are treated as either highest or lowest priority depending on the configured value for <code>mqtt.mqueue_default_priority</code>.
##
## **Examples**:
## To configure <code>"topic/1" > "topic/2"</code>:
## <code>mqueue_priorities: {"topic/1": 10, "topic/2": 8}</code>
## @path zones.$name.mqtt.mqueue_priorities
## @type union() map() | disabled
# mqueue_priorities =
## @doc Default topic priority, which will be used by topics not in <code>Topic Priorities</code> (<code>mqueue_priorities</code>).
## @path zones.$name.mqtt.mqueue_default_priority
## @type enum: highest | lowest
# mqueue_default_priority =
## @doc Specifies whether to store QoS 0 messages in the message queue while the connection is down but the session remains.
## @path zones.$name.mqtt.mqueue_store_qos0
## @type boolean()
# mqueue_store_qos0 =
## @doc Whether to use Client ID as Username.
## This setting takes effect later than <code>Use Peer Certificate as Username</code> (<code>peer_cert_as_username</code>) and <code>Use peer certificate as Client ID</code> (<code>peer_cert_as_clientid</code>).
## @path zones.$name.mqtt.use_username_as_clientid
## @type boolean()
# use_username_as_clientid =
## @doc Use the CN or DN field of the peer certificate, or the entire certificate content, as Username. Only works for TLS connections.
## Supported configurations are the following:
## - <code>cn</code>: Take the CN field of the certificate as Username
## - <code>dn</code>: Take the DN field of the certificate as Username
## - <code>crt</code>: Take the content of the <code>DER</code> or <code>PEM</code> certificate as Username
## - <code>pem</code>: Convert <code>DER</code> certificate content to <code>PEM</code> format as Username
## - <code>md5</code>: Take the MD5 value of the content of the <code>DER</code> or <code>PEM</code> certificate as Username
## @path zones.$name.mqtt.peer_cert_as_username
## @type enum: disabled | cn | dn | crt | pem | md5
# peer_cert_as_username =
## @doc Use the CN or DN field of the peer certificate, or the entire certificate content, as Client ID. Only works for TLS connections.
## Supported configurations are the following:
## - <code>cn</code>: Take the CN field of the certificate as Client ID
## - <code>dn</code>: Take the DN field of the certificate as Client ID
## - <code>crt</code>: Take the content of the <code>DER</code> or <code>PEM</code> certificate as Client ID
## - <code>pem</code>: Convert <code>DER</code> certificate content to <code>PEM</code> format as Client ID
## - <code>md5</code>: Take the MD5 value of the content of the <code>DER</code> or <code>PEM</code> certificate as Client ID
## @path zones.$name.mqtt.peer_cert_as_clientid
## @type enum: disabled | cn | dn | crt | pem | md5
# peer_cert_as_clientid =
# }
## @path zones.$name.stats
# stats {
## @doc Enable/disable statistic data collection.
## @path zones.$name.stats.enable
## @type boolean()
# enable =
# }
## @path zones.$name.flapping_detect
# flapping_detect {
## @doc Enable flapping connection detection feature.
## @path zones.$name.flapping_detect.enable
## @type boolean()
# enable =
## @doc The maximum number of disconnects allowed for an MQTT Client within `window_time`.
## @path zones.$name.flapping_detect.max_count
## @type integer()
# max_count =
## @doc The time window for flapping detection.
## @path zones.$name.flapping_detect.window_time
## @type emqx_schema:duration()
# window_time =
## @doc How long the flapping clientid will be banned.
## @path zones.$name.flapping_detect.ban_time
## @type emqx_schema:duration()
# ban_time =
# }
## @path zones.$name.force_shutdown
# force_shutdown {
## @doc Enable `force_shutdown` feature.
## @path zones.$name.force_shutdown.enable
## @type boolean()
# enable =
## @doc Maximum message queue length.
## @path zones.$name.force_shutdown.max_message_queue_len
## @type 0..inf
# max_message_queue_len =
## @doc Total heap size.
## @path zones.$name.force_shutdown.max_heap_size
## @type emqx_schema:wordsize()
# max_heap_size =
# }
## @path zones.$name.conn_congestion
# conn_congestion {
## @doc Enable or disable connection congestion alarm.
## @path zones.$name.conn_congestion.enable_alarm
## @type boolean()
# enable_alarm =
## @doc Minimal time before clearing the alarm.
##
## The alarm is cleared only when there's no pending data in
## the queue, and at least `min_alarm_sustain_duration`
## milliseconds passed since the last time we considered the connection "congested".
##
## This is to avoid clearing and raising the alarm again too often.
## @path zones.$name.conn_congestion.min_alarm_sustain_duration
## @type emqx_schema:duration()
# min_alarm_sustain_duration =
# }
## @path zones.$name.force_gc
# force_gc {
## @doc Enable forced garbage collection.
## @path zones.$name.force_gc.enable
## @type boolean()
# enable =
## @doc GC the process after this many received messages.
## @path zones.$name.force_gc.count
## @type 0..inf
# count =
## @doc GC the process after specified number of bytes have passed through.
## @path zones.$name.force_gc.bytes
## @type emqx_schema:bytesize()
# bytes =
# }
## @path zones.$name.overload_protection
# overload_protection {
## @doc Whether to react to system overload.
## @path zones.$name.overload_protection.enable
## @type boolean()
# enable =
## @doc Some unimportant tasks can be delayed for execution; set the delay here, in milliseconds.
## @path zones.$name.overload_protection.backoff_delay
## @type 0..inf
# backoff_delay =
## @doc Skip forceful GC if necessary
## @path zones.$name.overload_protection.backoff_gc
## @type boolean()
# backoff_gc =
## @doc Skip process hibernation if necessary
## @path zones.$name.overload_protection.backoff_hibernation
## @type boolean()
# backoff_hibernation =
## @doc Close new incoming connections if necessary
## @path zones.$name.overload_protection.backoff_new_conn
## @type boolean()
# backoff_new_conn =
# }
# }
## @doc Global MQTT configuration.
## The configs here work as default values which can be overridden in <code>zone</code> configs
## @path mqtt
mqtt {
## @doc After the TCP connection is established, if the MQTT CONNECT packet from the client is not received within the time specified by <code>idle_timeout</code>, the connection will be disconnected.
## NOTE(review): this timeout bounds how long a peer that never sends CONNECT stays connected; keep it short on Internet-facing listeners.
## @path mqtt.idle_timeout
## @type union() infinity | emqx_schema:duration()
## @default 15s
idle_timeout = 15s
## @doc Maximum MQTT packet size allowed.
## @path mqtt.max_packet_size
## @type emqx_schema:bytesize()
## @default 1MB
max_packet_size = 1MB
## @doc Maximum allowed length of MQTT Client ID.
## @path mqtt.max_clientid_len
## @type 23..65535
## @default 65535
max_clientid_len = 65535
## @doc Maximum topic levels allowed.
## @path mqtt.max_topic_levels
## @type 1..65535
## @default 65535
max_topic_levels = 65535
## @doc Maximum QoS allowed.
## @path mqtt.max_qos_allowed
## @type qos()
## @default 2
max_qos_allowed = 2
## @doc Maximum topic alias, 0 means no topic alias supported.
## @path mqtt.max_topic_alias
## @type 0..65535
## @default 65535
max_topic_alias = 65535
## @doc Whether to enable support for MQTT retained message.
## @path mqtt.retain_available
## @type boolean()
## @default true
retain_available = true
## @doc Whether to enable support for MQTT wildcard subscription.
## @path mqtt.wildcard_subscription
## @type boolean()
## @default true
wildcard_subscription = true
## @doc Whether to enable support for MQTT shared subscription.
## @path mqtt.shared_subscription
## @type boolean()
## @default true
shared_subscription = true
## @doc Ignore loop delivery of messages for MQTT v3.1.1/v3.1.0, similar to <code>No Local</code> subscription option in MQTT 5.0
## @path mqtt.ignore_loop_deliver
## @type boolean()
## @default false
ignore_loop_deliver = false
## @doc Parse MQTT messages in strict mode.
## When set to true, invalid UTF-8 strings in, for example, the client ID or topic name will cause the client to be disconnected.
## NOTE(review): with the default <code>false</code>, clients sending malformed UTF-8 in those fields stay connected; enabling strict mode is a cheap input-validation hardening.
## @path mqtt.strict_mode
## @type boolean()
## @default false
strict_mode = false
## @doc Specify the response information returned to the client. This feature is disabled if it is set to "". Applies only to clients using MQTT 5.0.
## @path mqtt.response_information
## @type string()
## @default ""
response_information = ""
## @doc The keep alive that EMQX requires the client to use. If configured as <code>disabled</code>, it means that the keep alive specified by the client will be used. Requires <code>Server Keep Alive</code> in MQTT 5.0, so it is only applicable to clients using MQTT 5.0 protocol.
## @path mqtt.server_keepalive
## @type union() integer() | disabled
## @default disabled
server_keepalive = disabled
## @doc The backoff multiplier used by the broker to determine the client keep alive timeout. If EMQX doesn't receive any packet in <code>Keep Alive * Backoff * 2</code> seconds, EMQX will close the current connection.
## @path mqtt.keepalive_backoff
## @type float()
## @default 0.75
keepalive_backoff = 0.75
## @doc Maximum number of subscriptions allowed per client.
## @path mqtt.max_subscriptions
## @type union() 1..inf | infinity
## @default infinity
max_subscriptions = infinity
## @doc Force upgrade of QoS level according to subscription.
## @path mqtt.upgrade_qos
## @type boolean()
## @default false
upgrade_qos = false
## @doc Maximum number of QoS 1 and QoS 2 messages that are allowed to be delivered simultaneously before completing the acknowledgment.
## @path mqtt.max_inflight
## @type 1..65535
## @default 32
max_inflight = 32
## @doc Retry interval for QoS 1/2 message delivering.
## @path mqtt.retry_interval
## @type emqx_schema:duration()
## @default 30s
retry_interval = 30s
## @doc Maximum QoS 2 packets (Client -> Broker) awaiting PUBREL.
## @path mqtt.max_awaiting_rel
## @type union() integer() | infinity
## @default 100
max_awaiting_rel = 100
## @doc The QoS 2 messages (Client -> Broker) will be dropped if awaiting PUBREL timeout.
## @path mqtt.await_rel_timeout
## @type emqx_schema:duration()
## @default 300s
await_rel_timeout = 300s
## @doc Specifies how long the session will expire after the connection is disconnected, only for non-MQTT 5.0 connections.
## @path mqtt.session_expiry_interval
## @type emqx_schema:duration()
## @default 2h
session_expiry_interval = 2h
## @doc Maximum queue length. Enqueued messages when persistent client disconnected, or inflight window is full.
## @path mqtt.max_mqueue_len
## @type union() non_neg_integer() | infinity
## @default 1000
max_mqueue_len = 1000
## @doc Topic priorities. Priority number [1-255]
## There's no priority table by default, hence all messages are treated equal.
##
## **NOTE**: Comma and equal signs are not allowed for priority topic names.
## **NOTE**: Messages for topics not in the priority table are treated as either highest or lowest priority depending on the configured value for <code>mqtt.mqueue_default_priority</code>.
##
## **Examples**:
## To configure <code>"topic/1" > "topic/2"</code>:
## <code>mqueue_priorities: {"topic/1": 10, "topic/2": 8}</code>
## @path mqtt.mqueue_priorities
## @type union() map() | disabled
## @default disabled
mqueue_priorities = disabled
## @doc Default topic priority, which will be used by topics not in <code>Topic Priorities</code> (<code>mqueue_priorities</code>).
## @path mqtt.mqueue_default_priority
## @type enum: highest | lowest
## @default lowest
mqueue_default_priority = lowest
## @doc Specifies whether to store QoS 0 messages in the message queue while the connection is down but the session remains.
## @path mqtt.mqueue_store_qos0
## @type boolean()
## @default true
mqueue_store_qos0 = true
## @doc Whether to use Client ID as Username.
## This setting takes effect later than <code>Use Peer Certificate as Username</code> (<code>peer_cert_as_username</code>) and <code>Use peer certificate as Client ID</code> (<code>peer_cert_as_clientid</code>).
## NOTE(review): the key name reads as username -> client ID while the sentence above reads the other way round; confirm which direction applies before relying on this description.
## @path mqtt.use_username_as_clientid
## @type boolean()
## @default false
use_username_as_clientid = false
## @doc Use the CN, DN field in the peer certificate or the entire certificate content as Username. Only works for the TLS connection.
## Supported configurations are the following:
## - <code>cn</code>: Take the CN field of the certificate as Username
## - <code>dn</code>: Take the DN field of the certificate as Username
## - <code>crt</code>: Take the content of the <code>DER</code> or <code>PEM</code> certificate as Username
## - <code>pem</code>: Convert <code>DER</code> certificate content to <code>PEM</code> format as Username
## - <code>md5</code>: Take the MD5 value of the content of the <code>DER</code> or <code>PEM</code> certificate as Username
## @path mqtt.peer_cert_as_username
## @type enum: disabled | cn | dn | crt | pem | md5
## @default disabled
peer_cert_as_username = disabled
## @doc Use the CN, DN field in the peer certificate or the entire certificate content as Client ID. Only works for the TLS connection.
## Supported configurations are the following:
## - <code>cn</code>: Take the CN field of the certificate as Client ID
## - <code>dn</code>: Take the DN field of the certificate as Client ID
## - <code>crt</code>: Take the content of the <code>DER</code> or <code>PEM</code> certificate as Client ID
## - <code>pem</code>: Convert <code>DER</code> certificate content to <code>PEM</code> format as Client ID
## - <code>md5</code>: Take the MD5 value of the content of the <code>DER</code> or <code>PEM</code> certificate as Client ID
## @path mqtt.peer_cert_as_clientid
## @type enum: disabled | cn | dn | crt | pem | md5
## @default disabled
peer_cert_as_clientid = disabled
}
## @doc Default authentication configs for all MQTT listeners.
##
## For per-listener overrides see <code>authentication</code> in listener configs
##
## This option can be configured with:
## <ul>
## <li><code>[]</code>: The default value, it allows *ALL* logins</li>
## <li>one: For example <code>{enable:true,backend:"built_in_database",mechanism="password_based"}</code></li>
## <li>chain: An array of structs.</li>
## </ul>
##
## When a chain is configured, the login credentials are checked against the backends per the configured order, until an 'allow' or 'deny' decision can be made.
##
## If there is no decision after a full chain exhaustion, the login is rejected.
## NOTE(review): with the default <code>[]</code> no credential check happens at all, so any client that can
## reach a listener can connect; configure at least one authenticator (here or per listener) on any listener
## that is exposed beyond a trusted network.
## @path authentication
## @type array()
## @link listeners.tcp.$name.authentication
authentication = []
## @doc Authorization a.k.a. ACL.</br>
## In EMQX, MQTT client access control is extremely flexible.</br>
## An out-of-the-box set of authorization data sources are supported.
## For example,</br>
## 'file' source is to support concise and yet generic ACL rules in a file;</br>
## 'built_in_database' source can be used to store per-client customizable rule sets,
## natively in the EMQX node;</br>
## 'http' source to make EMQX call an external HTTP API to make the decision;</br>
## 'PostgreSQL' etc. to look up clients or rules from external databases;</br>
## @path authorization
authorization {
## @doc Default access control action if the user or client matches no ACL rules,
## or if no such user or client is found by the configurable authorization
## sources such as built_in_database, an HTTP API, or a query against PostgreSQL.
## Find more details in 'authorization.sources' config.
## NOTE(review): combined with the defaults <code>authorization.sources = []</code> and
## <code>authentication = []</code>, <code>allow</code> means every connected client may publish and
## subscribe to any topic; switch to <code>deny</code> or configure sources before exposing the broker.
## @path authorization.no_match
## @type enum: allow | deny
## @default allow
no_match = allow
## @doc The action when the authorization check rejects an operation.
## NOTE(review): presumably <code>ignore</code> drops the rejected operation while the client stays
## connected, and <code>disconnect</code> also closes the connection -- confirm before relying on either.
## @path authorization.deny_action
## @type enum: ignore | disconnect
## @default ignore
deny_action = ignore
## @path authorization.cache
cache {
## @doc Enable or disable the authorization cache.
## @path authorization.cache.enable
## @type boolean()
## @default true
enable = true
## @doc Maximum number of cached items.
## @path authorization.cache.max_size
## @type 1..1048576
## @default 32
max_size = 32
## @doc Time to live for the cached data.
## NOTE(review): a rule change (for example a revocation) may take up to <code>ttl</code> to reach clients whose
## decision is already cached.
## @path authorization.cache.ttl
## @type emqx_schema:duration()
## @default 1m
ttl = 1m
}
## @doc Authorization data sources.</br>
## An array of authorization (ACL) data providers.
## It is designed as an array, not a hash-map, so the sources can be
## ordered to form a chain of access controls.</br>
##
## When authorizing a 'publish' or 'subscribe' action, the configured
## sources are checked in order. When checking an ACL source,
## in case the client (identified by username or client ID) is not found,
## it moves on to the next source. And it stops immediately
## once an 'allow' or 'deny' decision is returned.</br>
##
## If the client is not found in any of the sources,
## the default action configured in 'authorization.no_match' is applied.</br>
##
## NOTE:
## The source elements are identified by their 'type'.
## It is NOT allowed to configure two or more sources of the same type.
## @path authorization.sources
## @type array()
## @default []
sources = []
}
## @path node
node {
## @doc Unique name of the EMQX node. It must follow <code>%name%@FQDN</code> or
## <code>%name%@IPv4</code> format.
## @path node.name
## @type string()
## @default "emqx@127.0.0.1"
name = "emqx@127.0.0.1"
## @doc Secret cookie is a random string that should be the same on all nodes in
## the given EMQX cluster, but unique per EMQX cluster. It is used to prevent EMQX nodes that
## belong to different clusters from accidentally connecting to each other.
## NOTE(review): the shipped default is a fixed literal that appears in public documentation, so a cluster
## that keeps it has no cluster-unique cookie as this setting requires; generate a random value per cluster
## and keep this file readable only by the account EMQX runs as.
## @path node.cookie
## @type string()
## @default emqxsecretcookie
cookie = emqxsecretcookie
## @doc Path to the persistent data directory.</br>
## Possible auto-created subdirectories are:</br>
## - `mnesia/<node_name>`: EMQX's built-in database directory.</br>
## For example, `mnesia/emqx@127.0.0.1`.</br>
## There should be only one such subdirectory.</br>
## Meaning, in case the node is to be renamed (to e.g. `emqx@10.0.1.1`),</br>
## the old dir should be deleted first.</br>
## - `configs`: Generated configs at boot time, and cluster/local override configs.</br>
## - `patches`: Hot-patch beam files are to be placed here.</br>
## - `trace`: Trace log files.</br>
##
## **NOTE**: One data dir cannot be shared by two or more EMQX nodes.
## @path node.data_dir
## @type string()
# data_dir =
## @doc List of configuration files that are read during startup. The order is
## significant: later configuration files override the previous ones.
## @path node.config_files
## @type [string()]
# config_files =
## @doc Periodic garbage collection interval.
## @path node.global_gc_interval
## @type emqx_schema:duration()
## @default 15m
global_gc_interval = 15m
## @doc Location of the crash dump file.
## @path node.crash_dump_file
## @type emqx_conf_schema:file()
## @default "log/erl_crash.dump"
crash_dump_file = "log/erl_crash.dump"
## @doc The number of seconds that the broker is allowed to spend writing a crash dump.
## @path node.crash_dump_seconds
## @type emqx_schema:duration_s()
## @default 30s
crash_dump_seconds = 30s
## @doc The maximum size of a crash dump file in bytes.
## @path node.crash_dump_bytes
## @type emqx_schema:bytesize()
## @default 100MB
crash_dump_bytes = 100MB
## @doc This is the approximate time an EMQX node may be unresponsive until it is considered down and thereby disconnected.
## @path node.dist_net_ticktime
## @type emqx_schema:duration_s()
## @default 2m
dist_net_ticktime = 2m
## @doc Maximum depth of the call stack printed in error messages and
## <code>process_info</code>.
## @path node.backtrace_depth
## @type integer()
## @default 23
backtrace_depth = 23
## @doc List of Erlang applications that shall be rebooted when the EMQX broker joins the cluster.
## @path node.applications
## @type emqx_schema:comma_separated_atoms()
## @default []
applications = []
## @doc <code>etc</code> dir for the node
## @path node.etc_dir
## @type string()
# etc_dir =
## @path node.cluster_call
cluster_call {
## @doc Time interval to retry after a failed call.
## @path node.cluster_call.retry_interval
## @type emqx_schema:duration()
## @default 1m
retry_interval = 1m
## @doc Retain the maximum number of completed transactions (for queries).
## @path node.cluster_call.max_history
## @type 1..500
## @default 100
max_history = 100
## @doc Time interval to clear completed but stale transactions.
## Ensure that the number of completed transactions is less than the <code>max_history</code>.
## @path node.cluster_call.cleanup_interval
## @type emqx_schema:duration()
## @default 5m
cleanup_interval = 5m
}
## @doc Select the backend for the embedded database.</br>
## <code>rlog</code> is the default backend,
## that is suitable for very large clusters.</br>
## <code>mnesia</code> is a backend that offers decent performance in small clusters.
## @path node.db_backend
## @type enum: mnesia | rlog
## @default rlog
db_backend = rlog
## @doc Select a node role.</br>
## <code>core</code> nodes provide durability of the data, and take care of writes.
## It is recommended to place core nodes in different racks or different availability zones.</br>
## <code>replicant</code> nodes are ephemeral worker nodes. Removing them from the cluster
## doesn't affect database redundancy</br>
## It is recommended to have more replicant nodes than core nodes.</br>
## Note: this parameter only takes effect when the <code>backend</code> is set
## to <code>rlog</code>.
## @path node.db_role
## @type enum: core | replicant
## @default core
db_role = core
## @doc Protocol used for pushing transaction logs to the replicant nodes.
## @path node.rpc_module
## @type enum: gen_rpc | rpc
## @default gen_rpc
rpc_module = gen_rpc
## @doc In sync mode the core node waits for an ack from the replicant nodes before sending the next
## transaction log entry.
## @path node.tlog_push_mode
## @type enum: sync | async
## @default async
tlog_push_mode = async
}
## @path cluster
cluster {
## @doc Human-friendly name of the EMQX cluster.
## @path cluster.name
## @type atom()
## @default emqxcl
name = emqxcl
## @doc Service discovery method for the cluster nodes.
## @path cluster.discovery_strategy
## @type enum: manual | static | mcast | dns | etcd | k8s
## @default manual
discovery_strategy = manual
## @doc List of core nodes that the replicant will connect to.</br>
## Note: this parameter only takes effect when the <code>backend</code> is set
## to <code>rlog</code> and the <code>role</code> is set to <code>replicant</code>.</br>
## This value needs to be defined for manual or static cluster discovery mechanisms.</br>
## If an automatic cluster discovery mechanism is being used (such as <code>etcd</code>),
## there is no need to set this value.
## @path cluster.core_nodes
## @type emqx_schema:comma_separated_atoms()
## @default []
core_nodes = []
## @doc Remove disconnected nodes from the cluster after this interval.
## @path cluster.autoclean
## @type emqx_schema:duration()
## @default 5m
autoclean = 5m
## @doc If <code>true</code>, the node will try to heal network partitions automatically.
## @path cluster.autoheal
## @type boolean()
## @default true
autoheal = true
## @doc The Erlang distribution protocol for the cluster.
## NOTE(review): <code>inet_tcp</code> and <code>inet6_tcp</code> carry inter-node traffic without TLS;
## <code>inet_tls</code> is the TLS-wrapped variant for nodes that talk across an untrusted network.
## @path cluster.proto_dist
## @type enum: inet_tcp | inet6_tcp | inet_tls
## @default inet_tcp
proto_dist = inet_tcp
## @path cluster.static
static {
## @doc List EMQX node names in the static cluster. See <code>node.name</code>.
## @path cluster.static.seeds
## @type array()
## @default []
seeds = []
}
## @path cluster.mcast
mcast {
## @doc Multicast IPv4 address.
## @path cluster.mcast.addr
## @type string()
## @default "239.192.0.1"
addr = "239.192.0.1"
## @doc List of UDP ports used for service discovery.</br>
## Note: probe messages are broadcast to all the specified ports.
## @path cluster.mcast.ports
## @type array()
## @default [4369,4370]
ports = [4369,4370]
## @doc Local IP address the node discovery service needs to bind to.
## NOTE(review): <code>0.0.0.0</code> binds the discovery socket on every local interface; on a multi-homed
## host prefer the cluster-facing address.
## @path cluster.mcast.iface
## @type string()
## @default "0.0.0.0"
iface = "0.0.0.0"
## @doc Time-to-live (TTL) for the outgoing UDP datagrams.
## @path cluster.mcast.ttl
## @type 0..255
## @default 255
ttl = 255
## @doc If <code>true</code>, loop UDP datagrams back to the local socket.
## @path cluster.mcast.loop
## @type boolean()
## @default true
loop = true
## @doc Size of the kernel-level buffer for outgoing datagrams.
## @path cluster.mcast.sndbuf
## @type emqx_schema:bytesize()
## @default 16KB
sndbuf = 16KB
## @doc Size of the kernel-level buffer for incoming datagrams.
## @path cluster.mcast.recbuf
## @type emqx_schema:bytesize()
## @default 16KB
recbuf = 16KB
## @doc Size of the user-level buffer.
## @path cluster.mcast.buffer
## @type emqx_schema:bytesize()
## @default 32KB
buffer = 32KB
}
## @path cluster.dns
dns {
## @doc The domain name of the EMQX cluster.
## @path cluster.dns.name
## @type string()
## @default localhost
name = localhost
## @doc The symbolic name of the EMQX service.
## @path cluster.dns.app
## @type string()
## @default emqx
app = emqx
}
## @path cluster.etcd
etcd {
## @doc List of endpoint URLs of the etcd cluster
## @path cluster.etcd.server
## @type emqx_schema:comma_separated_list()
# server =
## @doc Key prefix used for EMQX service discovery.
## @path cluster.etcd.prefix
## @type string()
## @default emqxcl
prefix = emqxcl
## @doc Expiration time of the etcd key associated with the node.
## It is refreshed automatically, as long as the node is alive.
## @path cluster.etcd.node_ttl
## @type emqx_schema:duration()
## @default 1m
node_ttl = 1m
## @path cluster.etcd.ssl
ssl {
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated (and reloads it).</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path cluster.etcd.ssl.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reversed order of the certificate
## issue chain. That is, the host's certificate should be placed in the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path cluster.etcd.ssl.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path cluster.etcd.ssl.keyfile
## @type binary()
# keyfile =
## @doc Enable or disable peer verification.
## NOTE(review): with <code>verify_none</code> the etcd server's certificate is not checked against
## <code>cacertfile</code>, so the TLS session does not authenticate the peer; use <code>verify_peer</code>
## together with a <code>cacertfile</code> whenever <code>enable</code> is true.
## @path cluster.etcd.ssl.verify
## @type enum: verify_peer | verify_none
## @default verify_none
verify = verify_none
## @doc Enable TLS session reuse.
## @path cluster.etcd.ssl.reuse_sessions
## @type boolean()
## @default true
reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path cluster.etcd.ssl.depth
## @type integer()
## @default 10
depth = 10
## @doc String containing the user's password.
## Only used if the private key file is password-protected.
## NOTE(review): this value is stored in clear text in this file; restrict the file's permissions accordingly.
## @path cluster.etcd.ssl.password
## @type string()
password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.</br>
## In case PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.
## NOTE(review): the default list also enables <code>tlsv1</code> and <code>tlsv1.1</code>; unless the PSK
## suites mentioned above are needed, restricting this to <code>[tlsv1.3, tlsv1.2]</code> is the usual hardening.
## @path cluster.etcd.ssl.versions
## @type array()
## @default [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
versions = [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypts information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by EMQX config
## documentation are all in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3')
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be disabled from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## @path cluster.etcd.ssl.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.
## @path cluster.etcd.ssl.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, prone to MitM attacks.
## @path cluster.etcd.ssl.secure_renegotiate
## @type boolean()
## @default true
secure_renegotiate = true
## @doc Enable TLS.
## @path cluster.etcd.ssl.enable
## @type boolean()
## @default false
enable = false
## @doc Specify the host name to be used in TLS Server Name Indication extension.</br>
## For instance, when connecting to "server.example.net", the genuine server
## which accepts the connection and performs TLS handshake may differ from the
## host the TLS client initially connects to, e.g. when connecting to an IP address
## or when the host has multiple resolvable DNS records </br>
## If not specified, it will default to the host name string which is used
## to establish the connection, unless an IP address is used.</br>
## The host name is then also used in the host name verification of the peer
## certificate.</br> The special value 'disable' prevents the Server Name
## Indication extension from being sent and disables the hostname
## verification check.
## NOTE(review): the value set below is <code>disable</code>, which per the text above also turns off host name
## verification, so even <code>verify = verify_peer</code> would not check that the certificate belongs to the
## etcd host; set it to the server's host name instead.
## @path cluster.etcd.ssl.server_name_indication
## @type union() disable | string()
server_name_indication = disable
}
}
## @path cluster.k8s
k8s {
## @doc Kubernetes API endpoint URL.
## NOTE(review): the example value is a plain <code>http://</code> endpoint; the Kubernetes API is normally
## served over HTTPS, so use the HTTPS address of the real API server here (confirm this strategy accepts it).
## @path cluster.k8s.apiserver
## @type string()
## @default "http://10.110.111.204:8080"
apiserver = "http://10.110.111.204:8080"
## @doc EMQX broker service name.
## @path cluster.k8s.service_name
## @type string()
## @default emqx
service_name = emqx
## @doc Address type used for connecting to the discovered nodes.
## @path cluster.k8s.address_type
## @type enum: ip | dns | hostname
## @default ip
address_type = ip
## @doc This parameter should be set to the part of the <code>node.name</code>
## before the '@'.</br>
## For example, if the <code>node.name</code> is <code>emqx@127.0.0.1</code>, then this parameter
## should be set to <code>emqx</code>.
## @path cluster.k8s.app_name
## @type string()
## @default emqx
app_name = emqx
## @doc Kubernetes namespace.
## @path cluster.k8s.namespace
## @type string()
## @default default
namespace = default
## @doc Node name suffix.</br>
## Note: this parameter is only relevant when <code>address_type</code> is <code>dns</code>
## or <code>hostname</code>.
## @path cluster.k8s.suffix
## @type string()
## @default "pod.local"
suffix = "pod.local"
}
}
## @path log
log {
## @path log.console_handler
console_handler {
## @doc Enable this log handler.
## @path log.console_handler.enable
## @type boolean()
## @default false
enable = false
## @doc The log level for the current log handler.
## Defaults to warning.
## @path log.console_handler.level
## @type emqx_conf_schema:log_level()
## @default warning
level = warning
## @doc The time offset to be used when formatting the timestamp.
## Can be one of:
## - <code>system</code>: the time offset used by the local system
## - <code>utc</code>: the UTC time offset
## - <code>+-[hh]:[mm]</code>: user specified time offset, such as "-02:00" or "+00:00"
## Defaults to: <code>system</code>.
## @path log.console_handler.time_offset
## @type string()
## @default system
time_offset = system
## @doc Set the maximum length of a single log message. If this length is exceeded, the log message will be truncated.
## @path log.console_handler.chars_limit
## @type union() unlimited | 100..inf
## @default unlimited
chars_limit = unlimited
## @doc Choose log formatter. <code>text</code> for free text, and <code>json</code> for structured logging.
## @path log.console_handler.formatter
## @type enum: text | json
## @default text
formatter = text
## @doc Print logs in a single line if set to true. Otherwise, log messages may span multiple lines.
## @path log.console_handler.single_line
## @type boolean()
## @default true
single_line = true
## @doc As long as the number of buffered log events is lower than this value,
## all log events are handled asynchronously. This means that the client process sending the log event,
## by calling a log function in the Logger API, does not wait for a response from the handler
## but continues executing immediately after the event is sent.
## It is not affected by the time it takes the handler to print the event to the log device.
## If the message queue grows larger than this value,
## the handler starts handling log events synchronously instead,
## meaning that the client process sending the event must wait for a response.
## When the handler reduces the message queue to a level below the sync_mode_qlen threshold,
## asynchronous operation is resumed.
## @path log.console_handler.sync_mode_qlen
## @type non_neg_integer()
## @default 100
sync_mode_qlen = 100
## @doc When the number of buffered log events is larger than this value, the new log events are dropped.
## When drop mode is activated or deactivated, a message is printed in the logs.
## @path log.console_handler.drop_mode_qlen
## @type pos_integer()
## @default 3000
drop_mode_qlen = 3000
## @doc If the number of buffered log events grows larger than this threshold, a flush (delete) operation takes place.
## To flush events, the handler discards the buffered log messages without logging.
## @path log.console_handler.flush_qlen
## @type pos_integer()
## @default 8000
flush_qlen = 8000
## @path log.console_handler.overload_kill
overload_kill {
## @doc Enable log handler overload kill feature.
## @path log.console_handler.overload_kill.enable
## @type boolean()
## @default true
enable = true
## @doc Maximum memory size that the log handler process is allowed to use.
## @path log.console_handler.overload_kill.mem_size
## @type emqx_schema:bytesize()
## @default 30MB
mem_size = 30MB
## @doc Maximum allowed queue length.
## @path log.console_handler.overload_kill.qlen
## @type pos_integer()
## @default 20000
qlen = 20000
## @doc If the handler is terminated, it restarts automatically after a delay specified in milliseconds. The value `infinity` prevents restarts.
## @path log.console_handler.overload_kill.restart_after
## @type union() emqx_schema:duration_ms() | infinity
## @default 5s
restart_after = 5s
}
## @path log.console_handler.burst_limit
burst_limit {
## @doc Enable log burst control feature.
## @path log.console_handler.burst_limit.enable
## @type boolean()
## @default true
enable = true
## @doc Maximum number of log events to handle within a `window_time` interval. After the limit is reached, successive events are dropped until the end of the `window_time`.
## @path log.console_handler.burst_limit.max_count
## @type pos_integer()
## @default 10000
max_count = 10000
## @doc See <code>max_count</code>.
## @path log.console_handler.burst_limit.window_time
## @type emqx_schema:duration()
## @default 1s
window_time = 1s
}
## @doc Type of supervisor reports that are logged. Defaults to <code>error</code>
## - <code>error</code>: only log errors in the Erlang processes.
## - <code>progress</code>: log process startup.
## @path log.console_handler.supervisor_reports
## @type enum: error | progress
## @default error
supervisor_reports = error
## @doc Maximum depth for Erlang term log formatting and Erlang process message queue inspection.
## @path log.console_handler.max_depth
## @type union() unlimited | non_neg_integer()
## @default 100
max_depth = 100
}
## @doc File-based log handlers.
## @path log.file_handlers
## @type map_struct()
# file_handlers.name =
## @path log.file_handlers.$name
# {
## @doc Name the log file.
## @path log.file_handlers.$name.file
## @type emqx_conf_schema:file()
# file =
## @path log.file_handlers.$name.rotation
# rotation {
## @doc Enable log rotation feature.
## @path log.file_handlers.$name.rotation.enable
## @type boolean()
## @default true
# enable = true
## @doc Maximum number of log files.
## @path log.file_handlers.$name.rotation.count
## @type 1..2048
## @default 10
# count = 10
# }
## @doc This parameter controls log file rotation. The value `infinity` means the log file will grow indefinitely, otherwise the log file will be rotated once it reaches `max_size` in bytes.
## @path log.file_handlers.$name.max_size
## @type union() infinity | emqx_schema:bytesize()
## @default 50MB
# max_size = 50MB
## @doc Enable this log handler.
## @path log.file_handlers.$name.enable
## @type boolean()
## @default true
# enable = true
## @doc The log level for the current log handler.
## Defaults to warning.
## @path log.file_handlers.$name.level
## @type emqx_conf_schema:log_level()
## @default warning
# level = warning
## @doc The time offset to be used when formatting the timestamp.
## Can be one of:
## - <code>system</code>: the time offset used by the local system
## - <code>utc</code>: the UTC time offset
## - <code>+-[hh]:[mm]</code>: user specified time offset, such as "-02:00" or "+00:00"
## Defaults to: <code>system</code>.
## @path log.file_handlers.$name.time_offset
## @type string()
## @default system
# time_offset = system
## @doc Set the maximum length of a single log message. If this length is exceeded, the log message will be truncated.
## @path log.file_handlers.$name.chars_limit
## @type union() unlimited | 100..inf
## @default unlimited
# chars_limit = unlimited
## @doc Choose log formatter. <code>text</code> for free text, and <code>json</code> for structured logging.
## @path log.file_handlers.$name.formatter
## @type enum: text | json
## @default text
# formatter = text
## @doc Print logs in a single line if set to true. Otherwise, log messages may span multiple lines.
## @path log.file_handlers.$name.single_line
## @type boolean()
## @default true
# single_line = true
## @doc As long as the number of buffered log events is lower than this value,
## all log events are handled asynchronously. This means that the client process sending the log event,
## by calling a log function in the Logger API, does not wait for a response from the handler
## but continues executing immediately after the event is sent.
## It is not affected by the time it takes the handler to print the event to the log device.
## If the message queue grows larger than this value,
## the handler starts handling log events synchronously instead,
## meaning that the client process sending the event must wait for a response.
## When the handler reduces the message queue to a level below the sync_mode_qlen threshold,
## asynchronous operation is resumed.
## @path log.file_handlers.$name.sync_mode_qlen
## @type non_neg_integer()
## @default 100
# sync_mode_qlen = 100
## @doc When the number of buffered log events is larger than this value, the new log events are dropped.
## When drop mode is activated or deactivated, a message is printed in the logs.
## @path log.file_handlers.$name.drop_mode_qlen
## @type pos_integer()
## @default 3000
# drop_mode_qlen = 3000
## @doc If the number of buffered log events grows larger than this threshold, a flush (delete) operation takes place.
## To flush events, the handler discards the buffered log messages without logging.
## @path log.file_handlers.$name.flush_qlen
## @type pos_integer()
## @default 8000
# flush_qlen = 8000
## @path log.file_handlers.$name.overload_kill
## @link log.console_handler.overload_kill
# overload_kill {
## @doc Enable log handler overload kill feature.
## @path log.file_handlers.$name.overload_kill.enable
## @type boolean()
## @default true
# enable = true
## @doc Maximum memory size that the log handler process is allowed to use.
## @path log.file_handlers.$name.overload_kill.mem_size
## @type emqx_schema:bytesize()
## @default 30MB
# mem_size = 30MB
## @doc Maximum allowed queue length.
## @path log.file_handlers.$name.overload_kill.qlen
## @type pos_integer()
## @default 20000
# qlen = 20000
## @doc If the handler is terminated, it restarts automatically after a delay specified in milliseconds. The value `infinity` prevents restarts.
## @path log.file_handlers.$name.overload_kill.restart_after
## @type union() emqx_schema:duration_ms() | infinity
## @default 5s
# restart_after = 5s
# }
## @path log.file_handlers.$name.burst_limit
## @link log.console_handler.burst_limit
# burst_limit {
## @doc Enable log burst control feature.
## @path log.file_handlers.$name.burst_limit.enable
## @type boolean()
## @default true
# enable = true
## @doc Maximum number of log events to handle within a `window_time` interval. After the limit is reached, successive events are dropped until the end of the `window_time`.
## @path log.file_handlers.$name.burst_limit.max_count
## @type pos_integer()
## @default 10000
# max_count = 10000
## @doc See <code>max_count</code>.
## @path log.file_handlers.$name.burst_limit.window_time
## @type emqx_schema:duration()
## @default 1s
# window_time = 1s
# }
## @doc Type of supervisor reports that are logged. Defaults to <code>error</code>
## - <code>error</code>: only log errors in the Erlang processes.
## - <code>progress</code>: log process startup.
## @path log.file_handlers.$name.supervisor_reports
## @type enum: error | progress
## @default error
# supervisor_reports = error
## @doc Maximum depth for Erlang term log formatting and Erlang process message queue inspection.
## @path log.file_handlers.$name.max_depth
## @type union() unlimited | non_neg_integer()
## @default 100
# max_depth = 100
# }
}
## @path rpc
rpc {
## @doc In <code>sync</code> mode the sending side waits for the ack from the receiving side.
## @path rpc.mode
## @type enum: sync | async
## @default async
mode = async
## @doc Transport protocol used for inter-broker communication.</br>
## With <code>tcp</code> the RPC traffic between cluster nodes is sent in clear text.
## Set <code>ssl</code> (together with <code>rpc.certfile</code>, <code>rpc.keyfile</code>
## and <code>rpc.cacertfile</code>) to encrypt it and authenticate peer nodes.
## @path rpc.driver
## @type enum: tcp | ssl
## @default tcp
driver = tcp
## @doc The maximum number of batch messages sent in asynchronous mode.
## Note that this configuration does not work in synchronous mode.
## @path rpc.async_batch_size
## @type integer()
## @default 256
async_batch_size = 256
## @doc <code>manual</code>: discover ports by <code>tcp_server_port</code>.</br>
## <code>stateless</code>: discover ports in a stateless manner, using the following algorithm.
## If node name is <code>emqxN@127.0.0.1</code>, where the N is an integer,
## then the listening port will be 5370 + N.
## @path rpc.port_discovery
## @type enum: manual | stateless
## @default stateless
port_discovery = stateless
## @doc Listening port used by RPC local service.</br>
## Note that this config only takes effect when rpc.port_discovery is set to manual.
## @path rpc.tcp_server_port
## @type integer()
## @default 5369
tcp_server_port = 5369
## @doc Listening port used by RPC local service.</br>
## Note that this config only takes effect when rpc.port_discovery is set to manual
## and <code>driver</code> is set to <code>ssl</code>.
## @path rpc.ssl_server_port
## @type integer()
## @default 5369
ssl_server_port = 5369
## @doc Set the maximum number of RPC communication channels initiated by this node to each remote node.
## @path rpc.tcp_client_num
## @type 1..256
## @default 10
tcp_client_num = 10
## @doc Timeout for establishing an RPC connection.
## @path rpc.connect_timeout
## @type emqx_schema:duration()
## @default 5s
connect_timeout = 5s
## @doc Path to TLS certificate file used to validate identity of the cluster nodes.
## Note that this config only takes effect when <code>rpc.driver</code> is set to <code>ssl</code>.
## @path rpc.certfile
## @type emqx_conf_schema:file()
# certfile =
## @doc Path to the private key file for the <code>rpc.certfile</code>.</br>
## Note: the contents of this file are secret; restrict its permissions (e.g. <code>0600</code>)
## so that only the user running EMQX can read it.
## @path rpc.keyfile
## @type emqx_conf_schema:file()
# keyfile =
## @doc Path to certification authority TLS certificate file used to validate <code>rpc.certfile</code>.</br>
## Note: certificates of all nodes in the cluster must be signed by the same CA.
## @path rpc.cacertfile
## @type emqx_conf_schema:file()
# cacertfile =
## @doc Timeout for sending the RPC request.
## @path rpc.send_timeout
## @type emqx_schema:duration()
## @default 5s
send_timeout = 5s
## @doc Timeout for the remote node authentication.
## @path rpc.authentication_timeout
## @type emqx_schema:duration()
## @default 5s
authentication_timeout = 5s
## @doc Timeout for the reply to a synchronous RPC.
## @path rpc.call_receive_timeout
## @type emqx_schema:duration()
## @default 15s
call_receive_timeout = 15s
## @doc Idle time after the last message on an inter-broker connection before
## TCP keepalive probes start being sent (see <code>socket_keepalive_interval</code>
## and <code>socket_keepalive_count</code>).
## @path rpc.socket_keepalive_idle
## @type emqx_schema:duration_s()
## @default 15m
socket_keepalive_idle = 15m
## @doc The interval between keepalive messages.
## @path rpc.socket_keepalive_interval
## @type emqx_schema:duration_s()
## @default 75s
socket_keepalive_interval = 75s
## @doc How many times the keepalive probe message can fail to receive a reply
## until the RPC connection is considered lost.
## @path rpc.socket_keepalive_count
## @type integer()
## @default 9
socket_keepalive_count = 9
## @doc TCP tuning parameters. TCP sending buffer size.
## @path rpc.socket_sndbuf
## @type emqx_schema:bytesize()
## @default 1MB
socket_sndbuf = 1MB
## @doc TCP tuning parameters. TCP receiving buffer size.
## @path rpc.socket_recbuf
## @type emqx_schema:bytesize()
## @default 1MB
socket_recbuf = 1MB
## @doc TCP tuning parameters. Socket buffer size in user mode.
## @path rpc.socket_buffer
## @type emqx_schema:bytesize()
## @default 1MB
socket_buffer = 1MB
}
## @doc Message broker options.
## @path broker
broker {
## @doc Enable session registry
## @path broker.enable_session_registry
## @type boolean()
## @default true
enable_session_registry = true
## @doc Session locking strategy in a cluster.
## - `local`: only lock the session on the current node
## - `leader`: select only one node to lock the session
## - `quorum`: select some nodes to lock the session
## - `all`: lock the session on all the nodes in the cluster
## @path broker.session_locking_strategy
## @type enum: local | leader | quorum | all
## @default quorum
session_locking_strategy = quorum
## @doc Dispatch strategy for shared subscription.
## - `random`: dispatch the message to a randomly selected subscriber
## - `round_robin`: select the subscribers in a round-robin manner
## - `sticky`: always use the last selected subscriber to dispatch, until the subscriber disconnects.
## - `local`: send to a random local subscriber; if no local subscriber is found, send to a random subscriber cluster-wide
## - `hash_clientid`: select the subscriber by the hash of the `clientid`
## - `hash_topic`: select the subscriber by the hash of the topic
## @path broker.shared_subscription_strategy
## @type enum: random | round_robin | sticky | local | hash_topic | hash_clientid
## @default round_robin
shared_subscription_strategy = round_robin
## @doc Enable/disable shared dispatch acknowledgement for QoS 1 and QoS 2 messages.
## This should allow messages to be dispatched to a different subscriber in the group in case the picked (based on `shared_subscription_strategy`) subscriber is offline.
## @path broker.shared_dispatch_ack_enabled
## @type boolean()
## @default false
shared_dispatch_ack_enabled = false
## @doc Enable batch clean for deleted routes.
## @path broker.route_batch_clean
## @type boolean()
## @default true
route_batch_clean = true
## @path broker.perf
perf {
## @doc Performance tuning for subscribing/unsubscribing a wildcard topic.
## Change this parameter only when there are many wildcard topics.
##
## NOTE: when changing from/to `global` lock, it requires all nodes in the cluster to be stopped before the change.
## - `key`: mnesia transactional updates with per-key locks. Recommended for a single-node setup.
## - `tab`: mnesia transactional updates with table lock. Recommended for a cluster setup.
## - `global`: updates are protected with a global lock. Recommended for large clusters.
## @path broker.perf.route_lock_type
## @type enum: key | tab | global
## @default key
route_lock_type = key
## @doc Enable trie path compaction.
## Enabling it significantly improves wildcard topic subscribe rate, if wildcard topics have unique prefixes like: 'sensor/{{id}}/+/', where ID is unique per subscriber.
## Topic match performance (when publishing) may degrade if messages are mostly published to topics with large number of levels.
##
## NOTE: This is a cluster-wide configuration. It requires all nodes to be stopped before changing it.
## @path broker.perf.trie_compaction
## @type boolean()
## @default true
trie_compaction = true
}
## @doc Per group dispatch strategy for shared subscription.
## This config is a map from shared subscription group name to the strategy
## name. The group name should be of format `[A-Za-z0-9]`. i.e. no
## special characters are allowed.
## @path broker.shared_subscription_group
## @type map_struct()
# shared_subscription_group.name =
## @path broker.shared_subscription_group.$name
# {
## @doc Dispatch strategy for shared subscription.
## - `random`: dispatch the message to a randomly selected subscriber
## - `round_robin`: select the subscribers in a round-robin manner
## - `sticky`: always use the last selected subscriber to dispatch,
## until the subscriber disconnects.
## - `hash_clientid`: select the subscriber by the hash of the `clientid`
## - `hash_topic`: select the subscriber by the hash of the topic
## - `local`: send to a random local subscriber. If no local
## subscriber is found, send to a random subscriber cluster-wide
## @path broker.shared_subscription_group.$name.strategy
## @type enum: random | round_robin | sticky | local | hash_topic | hash_clientid
## @default random
# strategy = random
# }
}
## @doc System topics configuration.
## @path sys_topics
sys_topics {
## @doc Time interval of publishing `$SYS` messages.
## @path sys_topics.sys_msg_interval
## @type union() disabled | emqx_schema:duration()
## @default 1m
sys_msg_interval = 1m
## @doc Time interval for publishing following heartbeat messages:
## - `$SYS/brokers/<node>/uptime`
## - `$SYS/brokers/<node>/datetime`
## @path sys_topics.sys_heartbeat_interval
## @type union() disabled | emqx_schema:duration()
## @default 30s
sys_heartbeat_interval = 30s
## @path sys_topics.sys_event_messages
sys_event_messages {
## @doc Enable to publish client connected event messages
## @path sys_topics.sys_event_messages.client_connected
## @type boolean()
## @default true
client_connected = true
## @doc Enable to publish client disconnected event messages.
## @path sys_topics.sys_event_messages.client_disconnected
## @type boolean()
## @default true
client_disconnected = true
## @doc Enable to publish event message that client subscribed a topic successfully.
## @path sys_topics.sys_event_messages.client_subscribed
## @type boolean()
## @default false
client_subscribed = false
## @doc Enable to publish event message that client unsubscribed a topic successfully.
## @path sys_topics.sys_event_messages.client_unsubscribed
## @type boolean()
## @default false
client_unsubscribed = false
}
}
## @path force_shutdown
force_shutdown {
## @doc Enable `force_shutdown` feature.
## @path force_shutdown.enable
## @type boolean()
## @default true
enable = true
## @doc Maximum message queue length.
## @path force_shutdown.max_message_queue_len
## @type 0..inf
## @default 1000
max_message_queue_len = 1000
## @doc Total heap size
## @path force_shutdown.max_heap_size
## @type emqx_schema:wordsize()
## @default 32MB
max_heap_size = 32MB
}
## @path overload_protection
overload_protection {
## @doc React on system overload or not
## @path overload_protection.enable
## @type boolean()
## @default false
enable = false
## @doc Some unimportant tasks could be delayed for execution, here set the delays in ms
## @path overload_protection.backoff_delay
## @type 0..inf
## @default 1
backoff_delay = 1
## @doc Skip forceful GC if necessary
## @path overload_protection.backoff_gc
## @type boolean()
## @default false
backoff_gc = false
## @doc Skip process hibernation if necessary
## @path overload_protection.backoff_hibernation
## @type boolean()
## @default true
backoff_hibernation = true
## @doc Close new incoming connections if necessary
## @path overload_protection.backoff_new_conn
## @type boolean()
## @default true
backoff_new_conn = true
}
## @path force_gc
force_gc {
## @doc Enable forced garbage collection.
## @path force_gc.enable
## @type boolean()
## @default true
enable = true
## @doc GC the process after this many received messages.
## @path force_gc.count
## @type 0..inf
## @default 16000
count = 16000
## @doc GC the process after specified number of bytes have passed through.
## @path force_gc.bytes
## @type emqx_schema:bytesize()
## @default 16MB
bytes = 16MB
}
## @path conn_congestion
conn_congestion {
## @doc Enable or disable connection congestion alarm.
## @path conn_congestion.enable_alarm
## @type boolean()
## @default true
enable_alarm = true
## @doc Minimal time before clearing the alarm.
##
## The alarm is cleared only when there's no pending data in
## the queue, and at least `min_alarm_sustain_duration`
## milliseconds passed since the last time we considered the connection "congested".
##
## This is to avoid clearing and raising the alarm again too often.
## @path conn_congestion.min_alarm_sustain_duration
## @type emqx_schema:duration()
## @default 1m
min_alarm_sustain_duration = 1m
}
## @path stats
stats {
## @doc Enable/disable statistic data collection.
## @path stats.enable
## @type boolean()
## @default true
enable = true
}
## @path sysmon
sysmon {
## @path sysmon.vm
vm {
## @doc The time interval for the periodic process limit check.
## @path sysmon.vm.process_check_interval
## @type emqx_schema:duration()
## @default 30s
process_check_interval = 30s
## @doc The threshold, as percentage of processes, for how many
## processes can simultaneously exist at the local node before the corresponding
## alarm is raised.
## @path sysmon.vm.process_high_watermark
## @type emqx_schema:percent()
## @default "80%"
process_high_watermark = "80%"
## @doc The threshold, as percentage of processes, for how many
## processes can simultaneously exist at the local node before the corresponding
## alarm is cleared.
## @path sysmon.vm.process_low_watermark
## @type emqx_schema:percent()
## @default "60%"
process_low_watermark = "60%"
## @doc Enable Long GC monitoring.
## @path sysmon.vm.long_gc
## @type union() disabled | emqx_schema:duration()
## @default disabled
long_gc = disabled
## @doc Enable Long Schedule monitoring.
## @path sysmon.vm.long_schedule
## @type union() disabled | emqx_schema:duration()
## @default 240ms
long_schedule = 240ms
## @doc Enable Large Heap monitoring.
## @path sysmon.vm.large_heap
## @type union() disabled | emqx_schema:bytesize()
## @default 32MB
large_heap = 32MB
## @doc Enable Busy Distribution Port monitoring.
## @path sysmon.vm.busy_dist_port
## @type boolean()
## @default true
busy_dist_port = true
## @doc Enable Busy Port monitoring.
## @path sysmon.vm.busy_port
## @type boolean()
## @default true
busy_port = true
}
## @path sysmon.os
os {
## @doc The time interval for the periodic CPU check.
## @path sysmon.os.cpu_check_interval
## @type emqx_schema:duration()
## @default 60s
cpu_check_interval = 60s
## @doc The threshold, as percentage of system CPU load,
## for how much system cpu can be used before the corresponding alarm is raised.
## @path sysmon.os.cpu_high_watermark
## @type emqx_schema:percent()
## @default "80%"
cpu_high_watermark = "80%"
## @doc The threshold, as percentage of system CPU load,
## for how much system cpu can be used before the corresponding alarm is cleared.
## @path sysmon.os.cpu_low_watermark
## @type emqx_schema:percent()
## @default "60%"
cpu_low_watermark = "60%"
## @doc The time interval for the periodic memory check.
## @path sysmon.os.mem_check_interval
## @type union() disabled | emqx_schema:duration()
## @default 60s
mem_check_interval = 60s
## @doc The threshold, as percentage of system memory,
## for how much system memory can be allocated before the corresponding alarm is raised.
## @path sysmon.os.sysmem_high_watermark
## @type emqx_schema:percent()
## @default "70%"
sysmem_high_watermark = "70%"
## @doc The threshold, as percentage of system memory,
## for how much system memory can be allocated by one Erlang process before
## the corresponding alarm is raised.
## @path sysmon.os.procmem_high_watermark
## @type emqx_schema:percent()
## @default "5%"
procmem_high_watermark = "5%"
}
## @path sysmon.top
top {
## @doc The number of top processes per monitoring group
## @path sysmon.top.num_items
## @type non_neg_integer()
## @default 10
num_items = 10
## @doc Specifies how often process top should be collected
## @path sysmon.top.sample_interval
## @type emqx_schema:duration()
## @default 2s
sample_interval = 2s
## @doc Stop collecting data when the number of processes
## in the VM exceeds this value
## @path sysmon.top.max_procs
## @type non_neg_integer()
## @default 1000000
max_procs = 1000000
## @doc Hostname of the PostgreSQL database that collects the data points
## @path sysmon.top.db_hostname
## @type string()
## @default []
db_hostname = []
## @doc Port of the PostgreSQL database that collects the data points
## @path sysmon.top.db_port
## @type integer()
## @default 5432
db_port = 5432
## @doc Username of the PostgreSQL database
## @path sysmon.top.db_username
## @type string()
## @default "system_monitor"
db_username = "system_monitor"
## @doc Password of the EMQX user in the PostgreSQL database.</br>
## Note: the default is a well-known placeholder value; change it before pointing
## <code>db_hostname</code> at a real database, and avoid committing the real secret to a shared configuration file.
## @path sysmon.top.db_password
## @type binary()
## @default "system_monitor_password"
db_password = "system_monitor_password"
## @doc PostgreSQL database name
## @path sysmon.top.db_name
## @type string()
## @default postgres
db_name = postgres
}
}
## @path alarm
alarm {
## @doc The actions triggered when the alarm is activated.</br>
## Currently, the following actions are supported: <code>log</code> and <code>publish</code>.
## <code>log</code> is to write the alarm to log (console or file).
## <code>publish</code> is to publish the alarm as an MQTT message to the system topics:
## <code>$SYS/brokers/emqx@xx.xx.xx.x/alarms/activate</code> and
## <code>$SYS/brokers/emqx@xx.xx.xx.x/alarms/deactivate</code>
## @path alarm.actions
## @type array()
## @default [log, publish]
actions = [log, publish]
## @doc The maximum total number of deactivated alarms to keep as history.</br>
## When this limit is exceeded, the oldest deactivated alarms are deleted to cap the total number.
## @path alarm.size_limit
## @type 1..3000
## @default 1000
size_limit = 1000
## @doc Retention time of deactivated alarms. Alarms are not deleted immediately
## when deactivated, but after the retention time.
## @path alarm.validity_period
## @type emqx_schema:duration()
## @default 24h
validity_period = 24h
}
## @path flapping_detect
flapping_detect {
## @doc Enable flapping connection detection feature.
## @path flapping_detect.enable
## @type boolean()
## @default false
enable = false
## @doc The maximum number of disconnects allowed for an MQTT client within `window_time`.
## @path flapping_detect.max_count
## @type integer()
## @default 15
max_count = 15
## @doc The time window for flapping detection.
## @path flapping_detect.window_time
## @type emqx_schema:duration()
## @default 1m
window_time = 1m
## @doc How long the flapping clientid will be banned.
## @path flapping_detect.ban_time
## @type emqx_schema:duration()
## @default 5m
ban_time = 5m
}
## @path persistent_session_store
persistent_session_store {
## @doc Use the database to store information about persistent sessions.
## This makes it possible to migrate a client connection to another
## cluster node if a node is stopped.
## @path persistent_session_store.enabled
## @type boolean()
## @default false
enabled = false
## @doc Save information about the persistent sessions on disc.
## If this option is enabled, persistent sessions will survive full restart of the cluster.
## Otherwise, all the data will be stored in RAM, and it will be lost when all the nodes in the cluster are stopped.
## @path persistent_session_store.on_disc
## @type boolean()
## @default true
on_disc = true
## @doc Maintain a copy of the data in RAM for faster access.
## @path persistent_session_store.ram_cache
## @type boolean()
## @default false
ram_cache = false
## @doc Database management system used to store information about persistent sessions and messages.
## - `builtin`: Use the embedded database (mria)
## @path persistent_session_store.backend
## @type union() broker:persistent_session_builtin
## @default
# { messages {ram_cache = "false"} session {ram_cache = "true"} session_messages {ram_cache = "true"} type = "builtin"}
backend =
{ messages {ram_cache = "false"} session {ram_cache = "true"} session_messages {ram_cache = "true"} type = "builtin"}
## @doc How long messages that were not delivered to a persistent session
## are kept before being garbage collected, in case the node that previously
## handled the session restarts or is stopped.
## @path persistent_session_store.max_retain_undelivered
## @type emqx_schema:duration()
## @default 1h
max_retain_undelivered = 1h
## @doc The starting interval for garbage collection of undelivered messages to
## a persistent session. This affects how often the "max_retain_undelivered"
## is checked for removal.
## @path persistent_session_store.message_gc_interval
## @type emqx_schema:duration()
## @default 1h
message_gc_interval = 1h
## @doc The starting interval for garbage collection of transient data for
## persistent session messages. This does not affect the lifetime length
## of persistent session messages.
## @path persistent_session_store.session_message_gc_interval
## @type emqx_schema:duration()
## @default 1m
session_message_gc_interval = 1m
}
## @path trace
trace {
## @doc Determine the encoding of message payloads written to the trace file.</br>
## `text`: text-based or plain text protocol. Recommended when the payload is JSON encoded.</br>
## `hex`: binary hexadecimal encoding. Recommended when the payload is a custom binary protocol.</br>
## `hidden`: the payload is obfuscated as `******`.</br>
## Note: with `text` or `hex` the full payload, which may contain sensitive data, is written to the trace file.
## @path trace.payload_encode
## @type enum: hex | text | hidden
## @default text
payload_encode = text
}
## @path bridges
bridges {
## @doc WebHook to an HTTP server.
## @path bridges.webhook
## @type map_struct()
# webhook.name =
## @path bridges.webhook.$name
# {
## @doc Enable or disable this bridge
## @path bridges.webhook.$name.enable
## @type boolean()
## @default true
# enable = true
## @doc The direction of this bridge, MUST be 'egress'
## @path bridges.webhook.$name.direction
## @type singleton
## @default egress
# direction = egress
## @doc The timeout when connecting to the HTTP server.
## @path bridges.webhook.$name.connect_timeout
## @type emqx_schema:duration_ms()
## @default 15s
# connect_timeout = 15s
## @doc Maximum number of retries if sending the request fails.
## @path bridges.webhook.$name.max_retries
## @type non_neg_integer()
## @default 5
# max_retries = 5
## @doc Interval between retries.
## @path bridges.webhook.$name.retry_interval
## @type emqx_schema:duration()
## @default 1s
# retry_interval = 1s
## @doc The type of the pool. Can be one of `random`, `hash`.
## @path bridges.webhook.$name.pool_type
## @type emqx_connector_http:pool_type()
## @default random
# pool_type = random
## @doc The pool size.
## @path bridges.webhook.$name.pool_size
## @type pos_integer()
## @default 8
# pool_size = 8
## @doc Whether to send HTTP requests continuously (pipelining). When set to 0, each HTTP request must wait for the server's response before the next request is sent.
## @path bridges.webhook.$name.enable_pipelining
## @type pos_integer()
## @default 100
# enable_pipelining = 100
## @path bridges.webhook.$name.request
# request {
## @doc HTTP method.
## @path bridges.webhook.$name.request.method
## @type enum: post | put | get | delete
# method =
## @doc URL path.
## @path bridges.webhook.$name.request.path
## @type binary()
# path =
## @doc HTTP request body.
## @path bridges.webhook.$name.request.body
## @type binary()
# body =
## @doc List of HTTP headers.
## @path bridges.webhook.$name.request.headers
## @type map()
# headers =
## @doc HTTP request timeout.
## @path bridges.webhook.$name.request.request_timeout
## @type emqx_schema:duration_ms()
# request_timeout =
# }
## @path bridges.webhook.$name.ssl
## @link cluster.etcd.ssl
# ssl {
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated and reloads it.</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path bridges.webhook.$name.ssl.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reversed order of the certificate
## issue chain. That is, the host's certificate should be placed in the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path bridges.webhook.$name.ssl.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path bridges.webhook.$name.ssl.keyfile
## @type binary()
# keyfile =
## @doc Enable or disable verification of the TLS peer's certificate. With `verify_none` the HTTP server's certificate is not validated against `cacertfile`; use `verify_peer` so the bridge only connects to a server whose certificate chains to a trusted CA.
## @path bridges.webhook.$name.ssl.verify
## @type enum: verify_peer | verify_none
## @default verify_none
# verify = verify_none
## @doc Enable TLS session reuse.
## @path bridges.webhook.$name.ssl.reuse_sessions
## @type boolean()
## @default true
# reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path bridges.webhook.$name.ssl.depth
## @type integer()
## @default 10
# depth = 10
## @doc String containing the user's password.
## Only used if the private key file is password-protected.
## @path bridges.webhook.$name.ssl.password
## @type string()
# password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by the 'tlsv1.3' version config.</br>
## If PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.</br>
## The default list also enables the legacy 'tlsv1.1' and 'tlsv1' protocols; restrict it to
## 'tlsv1.3' and 'tlsv1.2' unless older peers must still be supported.
## @path bridges.webhook.$name.ssl.versions
## @type array()
## @default [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
# versions = [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by EMQX config
## documentation are all in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be disabled from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## @path bridges.webhook.$name.ssl.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
# ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.
## @path bridges.webhook.$name.ssl.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
# user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, prone to MitM attacks.
## @path bridges.webhook.$name.ssl.secure_renegotiate
## @type boolean()
## @default true
# secure_renegotiate = true
## @doc Enable TLS.
## @path bridges.webhook.$name.ssl.enable
## @type boolean()
## @default false
# enable = false
## @doc Specify the host name to be used in TLS Server Name Indication extension.</br>
## For instance, when connecting to "server.example.net", the genuine server
## which accepts the connection and performs TLS handshake may differ from the
## host the TLS client initially connects to, e.g. when connecting to an IP address
## or when the host has multiple resolvable DNS records </br>
## If not specified, it defaults to the host name string used to
## establish the connection, unless an IP address is used.</br>
## The host name is then also used in the host name verification of the peer
## certificate.</br> The special value 'disable' prevents the Server Name
## Indication extension from being sent and disables the hostname
## verification check.
## @path bridges.webhook.$name.ssl.server_name_indication
## @type union() disable | string()
# server_name_indication = disable
# }
## @doc The URL of the HTTP Bridge.</br>
## Template with variables is allowed in the path, but variables cannot be used in the scheme, host,
## or port part.</br>
## For example, <code> http://localhost:9901/${topic} </code> is allowed, but
## <code> http://${host}:9901/message </code> or <code> http://localhost:${port}/message </code>
## is not allowed.
## @path bridges.webhook.$name.url
## @type binary()
# url =
## @doc The MQTT topic filter to be forwarded to the HTTP server. All MQTT 'PUBLISH' messages with the topic
## matching the local_topic will be forwarded.</br>
## NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is
## configured, then both the data got from the rule and the MQTT messages that match local_topic
## will be forwarded.
## @path bridges.webhook.$name.local_topic
## @type binary()
# local_topic =
## @doc The method of the HTTP request. All the available methods are: post, put, get, delete.</br>
## Template with variables is allowed.</br>
## @path bridges.webhook.$name.method
## @type enum: post | put | get | delete
## @default post
# method = post
## @doc The headers of the HTTP request.</br>
## Template with variables is allowed.
## @path bridges.webhook.$name.headers
## @type map()
## @default
# { accept = "application/json" "cache-control" = "no-cache" connection = "keep-alive" "content-type" = "application/json" "keep-alive" = "timeout=5"}
# headers =
# { accept = "application/json" "cache-control" = "no-cache" connection = "keep-alive" "content-type" = "application/json" "keep-alive" = "timeout=5"}
## @doc The body of the HTTP request.</br>
## Template with variables is allowed.
## @path bridges.webhook.$name.body
## @type binary()
## @default "${payload}"
# body = "${payload}"
## @doc HTTP request timeout.
## @path bridges.webhook.$name.request_timeout
## @type emqx_schema:duration_ms()
## @default 15s
# request_timeout = 15s
# }
## @doc MQTT bridges to/from another MQTT broker
## @path bridges.mqtt
## @type map_struct()
}
## @path retainer
retainer {
## @doc Enable retainer feature
## @path retainer.enable
## @type boolean()
## @default true
enable = true
## @doc Message retention time. 0 means messages never expire.
## @path retainer.msg_expiry_interval
## @type emqx_schema:duration_ms()
## @default 0s
msg_expiry_interval = 0s
## @doc Periodic interval for cleaning up expired messages.
## Never clear if the value is 0.
## @path retainer.msg_clear_interval
## @type emqx_schema:duration_ms()
## @default 0s
msg_clear_interval = 0s
## @path retainer.flow_control
flow_control {
## @doc Size of the batch when reading messages from storage. 0 means no limit.
## @path retainer.flow_control.batch_read_number
## @type non_neg_integer()
## @default 0
batch_read_number = 0
## @doc The number of retained messages that can be delivered per batch.
## @path retainer.flow_control.batch_deliver_number
## @type 0..1000
## @default 0
batch_deliver_number = 0
## @doc The rate limiter name for retained messages' delivery.
## Limiter helps to avoid delivering too many messages to the client at once, which may cause the client to block or crash, or drop messages due to exceeding the size of the message queue.
## The names of the available rate limiters are taken from the existing rate limiters under `limiter.batch`.
## If this field is empty, limiter is not used.
## @path retainer.flow_control.batch_deliver_limiter
## @type emqx_limiter_schema:bucket_name()
# batch_deliver_limiter =
}
## @doc Maximum retained message size.
## @path retainer.max_payload_size
## @type emqx_schema:bytesize()
## @default 1MB
max_payload_size = 1MB
## @doc When the retained flag of the `PUBLISH` message is set and Payload is empty,
## whether to continue to publish the message.
## See:
## http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Toc398718038
## @path retainer.stop_publish_clear_msg
## @type boolean()
## @default false
stop_publish_clear_msg = false
## @path retainer.backend
backend {
## @doc Backend type.
## @path retainer.backend.type
## @type singleton
## @default built_in_database
type = built_in_database
## @doc Specifies whether the messages are stored in RAM or persisted on disc.
## @path retainer.backend.storage_type
## @type enum: ram | disc
## @default ram
storage_type = ram
## @doc Maximum number of retained messages. 0 means no limit.
## @path retainer.backend.max_retained_messages
## @type non_neg_integer()
## @default 0
max_retained_messages = 0
## @doc Retainer index specifications: list of arrays of positive ascending integers. Each array specifies an index. Numbers in an index specification are 1-based word positions in topics. Words from specified positions will be used for indexing.</br>For example, it is good to have <code>[2, 4]</code> index to optimize <code>+/X/+/Y/...</code> topic wildcard subscriptions.
## @path retainer.backend.index_specs
## @type [[integer()]]
## @default
# [ [1, 2, 3], [1, 3], [2, 3], [3]]
index_specs =
[ [2, 4], [1, 3]]
}
}
## @path statsd
statsd {
## @doc Turn Statsd data pushing on or off
## @path statsd.enable
## @type boolean()
## @default false
enable = false
## @doc URL of Statsd server
## @path statsd.server
## @type emqx_schema:ip_port()
## @default "127.0.0.1:8125"
server = "127.0.0.1:8125"
## @doc Data collection interval, in seconds.
## @path statsd.sample_time_interval
## @type emqx_schema:duration_ms()
## @default 10s
sample_time_interval = 10s
## @doc Data reporting interval, in seconds.
## @path statsd.flush_time_interval
## @type emqx_schema:duration_ms()
## @default 10s
flush_time_interval = 10s
}
## @path auto_subscribe
auto_subscribe {
## @doc After the device logs in successfully, subscriptions are created for it automatically from the pre-defined subscription list. Placeholders are supported.
## @path auto_subscribe.topics
## @type array()
## @default []
topics = []
}
## @path delayed
delayed {
## @doc Enable this feature
## @path delayed.enable
## @type boolean()
## @default true
enable = true
## @doc Maximum number of delayed messages (0 is no limit).
## @path delayed.max_delayed_messages
## @type integer()
## @default 0
max_delayed_messages = 0
}
## @path telemetry
telemetry {
## @doc Enable telemetry.
## @path telemetry.enable
## @type boolean()
## @default true
enable = true
}
## @doc List of topic rewrite rules.
## @path rewrite
## @type array()
rewrite = []
## @doc List of topics whose metrics are reported.
## @path topic_metrics
## @type array()
topic_metrics = []
## @path plugins
plugins {
## @doc An array of plugins in the desired states.</br>
## The plugins are started in the defined order
## @path plugins.states
## @type array()
## @default []
states = []
## @doc The installation directory for the external plugins.
## The plugin beam files and configuration files should reside in
## the subdirectory named as <code>emqx_foo_bar-0.1.0</code>.
## </br>
## NOTE: For security reasons, this directory should **NOT** be writable
## by anyone except <code>emqx</code> (or any user which runs EMQX).
## @path plugins.install_dir
## @type string()
## @default plugins
install_dir = plugins
## @doc Interval at which EMQX checks whether the plugin states are consistent across the cluster;</br>
## if 3 consecutive checks find them inconsistent, an alarm is raised.
## @path plugins.check_interval
## @type emqx_schema:duration()
## @default 5s
check_interval = 5s
}
## @path dashboard
dashboard {
## @path dashboard.listeners
listeners {
## @path dashboard.listeners.http
http {
## @doc Enable or disable this listener.
## @path dashboard.listeners.http.enable
## @type boolean()
## @default true
enable = true
## @doc Port only (18083) or port with a specific IP (127.0.0.1:18083). Use a specific IP such as 127.0.0.1 to keep the dashboard off public interfaces; the value below, 0.0.0.0, binds to all interfaces.
## @path dashboard.listeners.http.bind
## @type union() non_neg_integer() | emqx_schema:ip_port()
## @default 18083
bind = "0.0.0.0:18083"
## @doc Socket acceptor pool size for TCP protocols.
## @path dashboard.listeners.http.num_acceptors
## @type integer()
## @default 4
num_acceptors = 4
## @doc Maximum number of simultaneous connections.
## @path dashboard.listeners.http.max_connections
## @type integer()
## @default 512
max_connections = 512
## @doc Defines the maximum length that the queue of pending connections can grow to.
## @path dashboard.listeners.http.backlog
## @type integer()
## @default 1024
backlog = 1024
## @doc Send timeout for the socket.
## @path dashboard.listeners.http.send_timeout
## @type emqx_schema:duration()
## @default 5s
send_timeout = 5s
## @doc Enable IPv6 support, default is false, which means IPv4 only.
## @path dashboard.listeners.http.inet6
## @type boolean()
## @default false
inet6 = false
## @doc Disable IPv4-to-IPv6 mapping for the listener.
## @path dashboard.listeners.http.ipv6_v6only
## @type boolean()
## @default false
ipv6_v6only = false
}
## @path dashboard.listeners.https
https {
## @doc Enable or disable this listener.
## @path dashboard.listeners.https.enable
## @type boolean()
## @default false
enable = false
## @doc Port only (18083) or port with a specific IP (127.0.0.1:18083). Use a specific IP such as 127.0.0.1 to keep the dashboard off public interfaces; the value below, 0.0.0.0, binds to all interfaces.
## @path dashboard.listeners.https.bind
## @type union() non_neg_integer() | emqx_schema:ip_port()
## @default 18084
bind = "0.0.0.0:18084"
## @doc Socket acceptor pool size for TCP protocols.
## @path dashboard.listeners.https.num_acceptors
## @type integer()
## @default 4
num_acceptors = 4
## @doc Maximum number of simultaneous connections.
## @path dashboard.listeners.https.max_connections
## @type integer()
## @default 512
max_connections = 512
## @doc Defines the maximum length that the queue of pending connections can grow to.
## @path dashboard.listeners.https.backlog
## @type integer()
## @default 1024
backlog = 1024
## @doc Send timeout for the socket.
## @path dashboard.listeners.https.send_timeout
## @type emqx_schema:duration()
## @default 5s
send_timeout = 5s
## @doc Enable IPv6 support, default is false, which means IPv4 only.
## @path dashboard.listeners.https.inet6
## @type boolean()
## @default false
inet6 = false
## @doc Disable IPv4-to-IPv6 mapping for the listener.
## @path dashboard.listeners.https.ipv6_v6only
## @type boolean()
## @default false
ipv6_v6only = false
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated and reloads it.</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path dashboard.listeners.https.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reversed order of the certificate
## issue chain. That is, the host's certificate should be placed in the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path dashboard.listeners.https.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path dashboard.listeners.https.keyfile
## @type binary()
# keyfile =
## @doc Enable or disable verification of the connecting client's certificate. With `verify_none` the listener does not validate a client certificate.
## @path dashboard.listeners.https.verify
## @type enum: verify_peer | verify_none
## @default verify_none
verify = verify_none
## @doc Enable TLS session reuse.
## @path dashboard.listeners.https.reuse_sessions
## @type boolean()
## @default true
reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path dashboard.listeners.https.depth
## @type integer()
## @default 10
depth = 10
## @doc String containing the user's password.
## Only used if the private key file is password-protected.
## @path dashboard.listeners.https.password
## @type string()
password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by the 'tlsv1.3' version config.</br>
## If PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.</br>
## The default list also enables the legacy 'tlsv1.1' and 'tlsv1' protocols; restrict it to
## 'tlsv1.3' and 'tlsv1.2' unless older clients must still be supported.
## @path dashboard.listeners.https.versions
## @type array()
## @default [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
versions = [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by EMQX config
## documentation are all in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be disabled from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## @path dashboard.listeners.https.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.
## @path dashboard.listeners.https.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, prone to MitM attacks.
## @path dashboard.listeners.https.secure_renegotiate
## @type boolean()
## @default true
secure_renegotiate = true
## @doc Path to a file containing PEM-encoded Diffie-Hellman parameters
## to be used by the server if a cipher suite using Diffie-Hellman
## key exchange is negotiated. If not specified, default parameters
## are used.</br>
## NOTE: The <code>dhfile</code> option is not supported by TLS 1.3.
## @path dashboard.listeners.https.dhfile
## @type string()
# dhfile =
## @doc An important security setting, it forces the cipher to be set based
## on the server-specified order instead of the client-specified order,
## hence enforcing the (usually more properly configured) security
## ordering of the server administrator.
## @path dashboard.listeners.https.honor_cipher_order
## @type boolean()
## @default true
honor_cipher_order = true
## @doc In protocols that support client-initiated renegotiation,
## the cost of resources of such an operation is higher for the server than the client.
## This can act as a vector for denial of service attacks.
## The SSL application already takes measures to counter-act such attempts,
## but client-initiated renegotiation can be strictly disabled by setting this option to false.
## The default value is true. Note that disabling renegotiation can result in
## long-lived connections becoming unusable due to limits on
## the number of messages the underlying cipher suite can encipher.
## @path dashboard.listeners.https.client_renegotiation
## @type boolean()
## @default true
client_renegotiation = true
## @doc Maximum time duration allowed for the handshake to complete
## @path dashboard.listeners.https.handshake_timeout
## @type emqx_schema:duration()
## @default 15s
handshake_timeout = 15s
}
}
## @doc The default username of the automatically created dashboard user.
## @path dashboard.default_username
## @type binary()
## @default admin
default_username = admin
## @doc The initial password for the dashboard 'admin' user.
## It is a well-known value; change it as soon as possible, before the dashboard listener is reachable from anything other than a trusted host.
## @path dashboard.default_password
## @type binary()
## @default public
default_password = public
## @doc How often to update metrics displayed in the dashboard.
## Note: `sample_interval` should be a divisor of 60.
## @path dashboard.sample_interval
## @type emqx_schema:duration_s()
## @default 10s
sample_interval = 10s
## @doc JWT token expiration time.
## @path dashboard.token_expired_time
## @type emqx_schema:duration()
## @default 60m
token_expired_time = 60m
## @doc Support Cross-Origin Resource Sharing (CORS).
## Allows a server to indicate any origins (domain, scheme, or port) other than
## its own from which a browser should permit loading resources.
## @path dashboard.cors
## @type boolean()
## @default false
cors = false
## @doc Internationalization language support.
## @path dashboard.i18n_lang
## @type enum: en | zh
## @default en
i18n_lang = en
}
## @path gateway
gateway {
## @path gateway.stomp
stomp {
## @path gateway.stomp.frame
frame {
## @doc The maximum number of headers per frame.
## @path gateway.stomp.frame.max_headers
## @type non_neg_integer()
## @default 10
max_headers = 10
## @doc The maximum string length of a header value.
## @path gateway.stomp.frame.max_headers_length
## @type non_neg_integer()
## @default 1024
max_headers_length = 1024
## @doc Maximum number of bytes of body allowed per STOMP packet.
## @path gateway.stomp.frame.max_body_length
## @type integer()
## @default 65536
max_body_length = 65536
}
## @doc
## @path gateway.stomp.mountpoint
## @type binary()
## @default ""
mountpoint = ""
## @path gateway.stomp.listeners
listeners {
## @doc
## @path gateway.stomp.listeners.tcp
## @type map_struct()
# tcp.name =
## @path gateway.stomp.listeners.tcp.$name
# {
## @doc Size of the acceptor pool.
## @path gateway.stomp.listeners.tcp.$name.acceptors
## @type integer()
## @default 16
# acceptors = 16
## @path gateway.stomp.listeners.tcp.$name.tcp_options
## @link listeners.tcp.$name.tcp_options
# tcp_options {
## @doc Specify the {active, N} option for this Socket.</br>
## See: https://erlang.org/doc/man/inet.html#setopts-2
## @path gateway.stomp.listeners.tcp.$name.tcp_options.active_n
## @type integer()
## @default 100
# active_n = 100
## @doc TCP backlog defines the maximum length that the queue of
## pending connections can grow to.
## @path gateway.stomp.listeners.tcp.$name.tcp_options.backlog
## @type integer()
## @default 1024
# backlog = 1024
## @doc The TCP send timeout for the connections.
## @path gateway.stomp.listeners.tcp.$name.tcp_options.send_timeout
## @type emqx_schema:duration()
## @default 15s
# send_timeout = 15s
## @doc Close the connection on send timeout.
## @path gateway.stomp.listeners.tcp.$name.tcp_options.send_timeout_close
## @type boolean()
## @default true
# send_timeout_close = true
## @doc The TCP receive buffer (OS kernel) for the connections.
## @path gateway.stomp.listeners.tcp.$name.tcp_options.recbuf
## @type emqx_schema:bytesize()
# recbuf = 2KB
## @doc The TCP send buffer (OS kernel) for the connections.
## @path gateway.stomp.listeners.tcp.$name.tcp_options.sndbuf
## @type emqx_schema:bytesize()
# sndbuf = 4KB
## @doc The size of the user-space buffer used by the driver.
## @path gateway.stomp.listeners.tcp.$name.tcp_options.buffer
## @type emqx_schema:bytesize()
# buffer = 4KB
## @doc The socket is set to a busy state when the amount of data queued internally
## by the VM socket implementation reaches this limit.
## @path gateway.stomp.listeners.tcp.$name.tcp_options.high_watermark
## @type emqx_schema:bytesize()
## @default 1MB
# high_watermark = 1MB
## @doc The TCP_NODELAY flag for the connections.
## @path gateway.stomp.listeners.tcp.$name.tcp_options.nodelay
## @type boolean()
## @default false
# nodelay = false
## @doc The SO_REUSEADDR flag for the connections.
## @path gateway.stomp.listeners.tcp.$name.tcp_options.reuseaddr
## @type boolean()
## @default true
# reuseaddr = true
# }
## @doc Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.
## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
## @path gateway.stomp.listeners.tcp.$name.proxy_protocol
## @type boolean()
## @default false
# proxy_protocol = false
## @doc Timeout for the proxy protocol.
## EMQX will close the TCP connection if the proxy protocol packet is not received within this timeout.
## @path gateway.stomp.listeners.tcp.$name.proxy_protocol_timeout
## @type emqx_gateway_schema:duration()
## @default 15s
# proxy_protocol_timeout = 15s
## @doc Enable the listener.
## @path gateway.stomp.listeners.tcp.$name.enable
## @type boolean()
## @default true
# enable = true
## @doc The IP address and port that the listener will bind.
## @path gateway.stomp.listeners.tcp.$name.bind
## @type union() emqx_gateway_schema:ip_port() | integer()
# bind =
## @doc Maximum number of concurrent connections.
## @path gateway.stomp.listeners.tcp.$name.max_connections
## @type integer()
## @default 1024
# max_connections = 1024
## @doc Maximum connections per second.
## @path gateway.stomp.listeners.tcp.$name.max_conn_rate
## @type integer()
## @default 1000
# max_conn_rate = 1000
## @doc Default authentication configs for all the gateway listeners. For per-listener overrides see <code>authentication</code>
## in listener configs
## @path gateway.stomp.listeners.tcp.$name.authentication
## @type union() authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication
# authentication =
## @doc When publishing or subscribing, prefix all topics with a mountpoint string.
## The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners.
## For example, if a client A subscribes to `t` with `listeners.tcp.<name>.mountpoint` set to `some_tenant`, then the client actually subscribes to the topic `some_tenant/t`. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic `t`, the message is routed to all the clients subscribed to `some_tenant/t`, so client A will receive the message with topic name `t`. Set to `""` to disable the feature.
## Variables in mountpoint string:
## - <code>${clientid}</code>: clientid
## - <code>${username}</code>: username
## @path gateway.stomp.listeners.tcp.$name.mountpoint
## @type binary()
# mountpoint =
## @doc The access control rules for this listener.
## See: https://github.com/emqtt/esockd#allowdeny
## @path gateway.stomp.listeners.tcp.$name.access_rules
## @type array()
## @default []
# access_rules = []
# }
## @doc
## @path gateway.stomp.listeners.ssl
## @type map_struct()
# ssl.name =
## @path gateway.stomp.listeners.ssl.$name
# {
## @doc Size of the acceptor pool.
## @path gateway.stomp.listeners.ssl.$name.acceptors
## @type integer()
## @default 16
# acceptors = 16
## @path gateway.stomp.listeners.ssl.$name.tcp_options
## @link listeners.tcp.$name.tcp_options
# tcp_options {
## @doc Specify the {active, N} option for this socket.</br>
## See: https://erlang.org/doc/man/inet.html#setopts-2
## @path gateway.stomp.listeners.ssl.$name.tcp_options.active_n
## @type integer()
## @default 100
# active_n = 100
## @doc TCP backlog defines the maximum length that the queue of
## pending connections can grow to.
## @path gateway.stomp.listeners.ssl.$name.tcp_options.backlog
## @type integer()
## @default 1024
# backlog = 1024
## @doc The TCP send timeout for the connections.
## @path gateway.stomp.listeners.ssl.$name.tcp_options.send_timeout
## @type emqx_schema:duration()
## @default 15s
# send_timeout = 15s
## @doc Close the connection if a send times out.
## @path gateway.stomp.listeners.ssl.$name.tcp_options.send_timeout_close
## @type boolean()
## @default true
# send_timeout_close = true
## @doc The TCP receive buffer (OS kernel) for the connections.
## @path gateway.stomp.listeners.ssl.$name.tcp_options.recbuf
## @type emqx_schema:bytesize()
# recbuf = 2KB
## @doc The TCP send buffer (OS kernel) for the connections.
## @path gateway.stomp.listeners.ssl.$name.tcp_options.sndbuf
## @type emqx_schema:bytesize()
# sndbuf = 4KB
## @doc The size of the user-space buffer used by the driver.
## @path gateway.stomp.listeners.ssl.$name.tcp_options.buffer
## @type emqx_schema:bytesize()
# buffer = 4KB
## @doc The socket is set to a busy state when the amount of data queued internally
## by the VM socket implementation reaches this limit.
## @path gateway.stomp.listeners.ssl.$name.tcp_options.high_watermark
## @type emqx_schema:bytesize()
## @default 1MB
# high_watermark = 1MB
## @doc The TCP_NODELAY flag for the connections.
## @path gateway.stomp.listeners.ssl.$name.tcp_options.nodelay
## @type boolean()
## @default false
# nodelay = false
## @doc The SO_REUSEADDR flag for the connections.
## @path gateway.stomp.listeners.ssl.$name.tcp_options.reuseaddr
## @type boolean()
## @default true
# reuseaddr = true
# }
## @doc Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.
## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
## @path gateway.stomp.listeners.ssl.$name.proxy_protocol
## @type boolean()
## @default false
# proxy_protocol = false
## @doc Timeout for the proxy protocol.
## EMQX will close the TCP connection if the proxy protocol packet is not received within this timeout.
## @path gateway.stomp.listeners.ssl.$name.proxy_protocol_timeout
## @type emqx_gateway_schema:duration()
## @default 15s
# proxy_protocol_timeout = 15s
## @doc Enable the listener.
## @path gateway.stomp.listeners.ssl.$name.enable
## @type boolean()
## @default true
# enable = true
## @doc The IP address and port that the listener will bind.
## @path gateway.stomp.listeners.ssl.$name.bind
## @type union() emqx_gateway_schema:ip_port() | integer()
# bind =
## @doc Maximum number of concurrent connections.
## @path gateway.stomp.listeners.ssl.$name.max_connections
## @type integer()
## @default 1024
# max_connections = 1024
## @doc Maximum connections per second.
## @path gateway.stomp.listeners.ssl.$name.max_conn_rate
## @type integer()
## @default 1000
# max_conn_rate = 1000
## @doc Default authentication configs for all the gateway listeners. For per-listener overrides see <code>authentication</code>
## in listener configs
## @path gateway.stomp.listeners.ssl.$name.authentication
## @type union() authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication
## @link gateway.stomp.listeners.tcp.$name.authentication
# authentication =
## @doc When publishing or subscribing, prefix all topics with a mountpoint string.
## The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners.
## For example, if a client A subscribes to `t` with `listeners.tcp.<name>.mountpoint` set to `some_tenant`, then the client actually subscribes to the topic `some_tenant/t`. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic `t`, the message is routed to all the clients subscribed to `some_tenant/t`, so client A will receive the message with topic name `t`. Set to `""` to disable the feature.
## Variables in mountpoint string:
## - <code>${clientid}</code>: clientid
## - <code>${username}</code>: username
## @path gateway.stomp.listeners.ssl.$name.mountpoint
## @type binary()
# mountpoint =
## @doc The access control rules for this listener.
## See: https://github.com/emqtt/esockd#allowdeny
## @path gateway.stomp.listeners.ssl.$name.access_rules
## @type array()
## @default []
# access_rules = []
## @path gateway.stomp.listeners.ssl.$name.ssl_options
## @link listeners.ssl.$name.ssl_options
# ssl_options {
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated (and reloads it).</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reversed order of the certificate
## issue chain. That is, the host's certificate should be placed in the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.keyfile
## @type binary()
# keyfile =
## @doc Enable or disable verification of the peer's (client's) certificate against <code>cacertfile</code>.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.verify
## @type enum: verify_peer | verify_none
## @default verify_none
# verify = verify_none
## @doc Enable TLS session reuse.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.reuse_sessions
## @type boolean()
## @default true
# reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.depth
## @type integer()
## @default 10
# depth = 10
## @doc String containing the user's password.
## Only used if the private key file is password-protected.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.password
## @type string()
# password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.</br>
## In case PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.versions
## @type array()
## @default [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
# versions = [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by the EMQX config
## documentation are in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be disabled from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## @path gateway.stomp.listeners.ssl.$name.ssl_options.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
# ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to look up a pre-shared key (PSK) identity.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
# user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, prone to MitM attacks.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.secure_renegotiate
## @type boolean()
## @default true
# secure_renegotiate = true
## @doc Path to a file containing PEM-encoded Diffie-Hellman parameters
## to be used by the server if a cipher suite using Diffie-Hellman
## key exchange is negotiated. If not specified, default parameters
## are used.</br>
## NOTE: The <code>dhfile</code> option is not supported by TLS 1.3.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.dhfile
## @type string()
# dhfile =
## @doc Used together with {verify, verify_peer} by a TLS/DTLS server.
## If set to true, the server fails if the client does not have a
## certificate to send, that is, sends an empty certificate.
## If set to false, it fails only if the client sends an invalid
## certificate (an empty certificate is considered valid).
## @path gateway.stomp.listeners.ssl.$name.ssl_options.fail_if_no_peer_cert
## @type boolean()
## @default false
# fail_if_no_peer_cert = false
## @doc An important security setting, it forces the cipher to be set based
## on the server-specified order instead of the client-specified order,
## hence enforcing the (usually more properly configured) security
## ordering of the server administrator.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.honor_cipher_order
## @type boolean()
## @default true
# honor_cipher_order = true
## @doc In protocols that support client-initiated renegotiation,
## the cost of resources of such an operation is higher for the server than the client.
## This can act as a vector for denial of service attacks.
## The SSL application already takes measures to counter-act such attempts,
## but client-initiated renegotiation can be strictly disabled by setting this option to false.
## The default value is true. Note that disabling renegotiation can result in
## long-lived connections becoming unusable due to limits on
## the number of messages the underlying cipher suite can encipher.
## @path gateway.stomp.listeners.ssl.$name.ssl_options.client_renegotiation
## @type boolean()
## @default true
# client_renegotiation = true
# }
# }
}
## @doc Whether to enable this gateway
## @path gateway.stomp.enable
## @type boolean()
## @default true
enable = true
## @doc Whether to enable client process statistics.
## @path gateway.stomp.enable_stats
## @type boolean()
## @default true
enable_stats = true
## @doc The idle time of the client connection process. It has two purposes:
## 1. A newly created client process that does not receive any client requests within that time will be closed directly.
## 2. A running client process that does not receive any client requests within this time will go into hibernation to save resources.
## @path gateway.stomp.idle_timeout
## @type emqx_gateway_schema:duration()
## @default 30s
idle_timeout = 30s
## @path gateway.stomp.clientinfo_override
clientinfo_override {
## @doc Template for overriding username.
## @path gateway.stomp.clientinfo_override.username
## @type binary()
# username =
## @doc Template for overriding password.
## @path gateway.stomp.clientinfo_override.password
## @type binary()
# password =
## @doc Template for overriding clientid.
## @path gateway.stomp.clientinfo_override.clientid
## @type binary()
# clientid =
}
## @doc Default authentication configs for all the gateway listeners. For per-listener overrides see <code>authentication</code>
## in listener configs
## @path gateway.stomp.authentication
## @type union() authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication
## @link gateway.stomp.listeners.tcp.$name.authentication
# authentication =
}
## @path gateway.mqttsn
mqttsn {
## @doc MQTT-SN Gateway ID.
## When the <code>broadcast</code> option is enabled, the gateway will broadcast ADVERTISE messages with this value.
## @path gateway.mqttsn.gateway_id
## @type integer()
## @default 1
gateway_id = 1
## @doc Whether to periodically broadcast ADVERTISE messages
## @path gateway.mqttsn.broadcast
## @type boolean()
## @default false
broadcast = false
## @doc Allows connectionless clients to publish messages with a QoS of -1.
## This feature is defined for very simple client implementations which do not support any other features except this one. There is no connection setup nor tear down, no registration nor subscription. The client just sends its 'PUBLISH' messages to a gateway (GW).
## @path gateway.mqttsn.enable_qos3
## @type boolean()
## @default true
enable_qos3 = true
## @doc Whether to send topic name registration messages for all subscribed topics to the client after the session has been taken over by a new channel.
## @path gateway.mqttsn.subs_resume
## @type boolean()
## @default false
subs_resume = false
## @doc The pre-defined topic IDs and topic names.
## A 'pre-defined' topic ID is a topic ID whose mapping to a topic name is known in advance by both the client's application and the gateway.
## @path gateway.mqttsn.predefined
## @type array()
## @default []
predefined = []
## @doc
## @path gateway.mqttsn.mountpoint
## @type binary()
## @default ""
mountpoint = ""
## @path gateway.mqttsn.listeners
listeners {
## @doc
## @path gateway.mqttsn.listeners.udp
## @type map_struct()
# udp.name =
## @path gateway.mqttsn.listeners.udp.$name
# {
## @path gateway.mqttsn.listeners.udp.$name.udp_options
# udp_options {
## @doc Specify the {active, N} option for the socket.
## See: https://erlang.org/doc/man/inet.html#setopts-2
## @path gateway.mqttsn.listeners.udp.$name.udp_options.active_n
## @type integer()
## @default 100
# active_n = 100
## @doc Size of the kernel-space receive buffer for the socket.
## @path gateway.mqttsn.listeners.udp.$name.udp_options.recbuf
## @type emqx_gateway_schema:bytesize()
# recbuf =
## @doc Size of the kernel-space send buffer for the socket.
## @path gateway.mqttsn.listeners.udp.$name.udp_options.sndbuf
## @type emqx_gateway_schema:bytesize()
# sndbuf =
## @doc Size of the user-space buffer for the socket.
## @path gateway.mqttsn.listeners.udp.$name.udp_options.buffer
## @type emqx_gateway_schema:bytesize()
# buffer =
## @doc Allow local reuse of port numbers.
## @path gateway.mqttsn.listeners.udp.$name.udp_options.reuseaddr
## @type boolean()
## @default true
# reuseaddr = true
# }
## @doc Enable the listener.
## @path gateway.mqttsn.listeners.udp.$name.enable
## @type boolean()
## @default true
# enable = true
## @doc The IP address and port that the listener will bind.
## @path gateway.mqttsn.listeners.udp.$name.bind
## @type union() emqx_gateway_schema:ip_port() | integer()
# bind =
## @doc Maximum number of concurrent connections.
## @path gateway.mqttsn.listeners.udp.$name.max_connections
## @type integer()
## @default 1024
# max_connections = 1024
## @doc Maximum connections per second.
## @path gateway.mqttsn.listeners.udp.$name.max_conn_rate
## @type integer()
## @default 1000
# max_conn_rate = 1000
## @doc Default authentication configs for all the gateway listeners. For per-listener overrides see <code>authentication</code>
## in listener configs
## @path gateway.mqttsn.listeners.udp.$name.authentication
## @type union() authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication
## @link gateway.stomp.listeners.tcp.$name.authentication
# authentication =
## @doc When publishing or subscribing, prefix all topics with a mountpoint string.
## The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners.
## For example, if a client A subscribes to `t` with `listeners.tcp.<name>.mountpoint` set to `some_tenant`, then the client actually subscribes to the topic `some_tenant/t`. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic `t`, the message is routed to all the clients subscribed to `some_tenant/t`, so client A will receive the message with topic name `t`. Set to `""` to disable the feature.
## Variables in mountpoint string:
## - <code>${clientid}</code>: clientid
## - <code>${username}</code>: username
## @path gateway.mqttsn.listeners.udp.$name.mountpoint
## @type binary()
# mountpoint =
## @doc The access control rules for this listener.
## See: https://github.com/emqtt/esockd#allowdeny
## @path gateway.mqttsn.listeners.udp.$name.access_rules
## @type array()
## @default []
# access_rules = []
# }
## @doc
## @path gateway.mqttsn.listeners.dtls
## @type map_struct()
# dtls.name =
## @path gateway.mqttsn.listeners.dtls.$name
# {
## @doc Size of the acceptor pool.
## @path gateway.mqttsn.listeners.dtls.$name.acceptors
## @type integer()
## @default 16
# acceptors = 16
## @path gateway.mqttsn.listeners.dtls.$name.udp_options
## @link gateway.mqttsn.listeners.udp.$name.udp_options
# udp_options {
## @doc Specify the {active, N} option for the socket.
## See: https://erlang.org/doc/man/inet.html#setopts-2
## @path gateway.mqttsn.listeners.dtls.$name.udp_options.active_n
## @type integer()
## @default 100
# active_n = 100
## @doc Size of the kernel-space receive buffer for the socket.
## @path gateway.mqttsn.listeners.dtls.$name.udp_options.recbuf
## @type emqx_gateway_schema:bytesize()
# recbuf =
## @doc Size of the kernel-space send buffer for the socket.
## @path gateway.mqttsn.listeners.dtls.$name.udp_options.sndbuf
## @type emqx_gateway_schema:bytesize()
# sndbuf =
## @doc Size of the user-space buffer for the socket.
## @path gateway.mqttsn.listeners.dtls.$name.udp_options.buffer
## @type emqx_gateway_schema:bytesize()
# buffer =
## @doc Allow local reuse of port numbers.
## @path gateway.mqttsn.listeners.dtls.$name.udp_options.reuseaddr
## @type boolean()
## @default true
# reuseaddr = true
# }
## @doc Enable the listener.
## @path gateway.mqttsn.listeners.dtls.$name.enable
## @type boolean()
## @default true
# enable = true
## @doc The IP address and port that the listener will bind.
## @path gateway.mqttsn.listeners.dtls.$name.bind
## @type union() emqx_gateway_schema:ip_port() | integer()
# bind =
## @doc Maximum number of concurrent connections.
## @path gateway.mqttsn.listeners.dtls.$name.max_connections
## @type integer()
## @default 1024
# max_connections = 1024
## @doc Maximum connections per second.
## @path gateway.mqttsn.listeners.dtls.$name.max_conn_rate
## @type integer()
## @default 1000
# max_conn_rate = 1000
## @doc Default authentication configs for all the gateway listeners. For per-listener overrides see <code>authentication</code>
## in listener configs
## @path gateway.mqttsn.listeners.dtls.$name.authentication
## @type union() authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication
## @link gateway.stomp.listeners.tcp.$name.authentication
# authentication =
## @doc When publishing or subscribing, prefix all topics with a mountpoint string.
## The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners.
## For example, if a client A subscribes to `t` with `listeners.tcp.<name>.mountpoint` set to `some_tenant`, then the client actually subscribes to the topic `some_tenant/t`. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic `t`, the message is routed to all the clients subscribed to `some_tenant/t`, so client A will receive the message with topic name `t`. Set to `""` to disable the feature.
## Variables in mountpoint string:
## - <code>${clientid}</code>: clientid
## - <code>${username}</code>: username
## @path gateway.mqttsn.listeners.dtls.$name.mountpoint
## @type binary()
# mountpoint =
## @doc The access control rules for this listener.
## See: https://github.com/emqtt/esockd#allowdeny
## @path gateway.mqttsn.listeners.dtls.$name.access_rules
## @type array()
## @default []
# access_rules = []
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options
# dtls_options {
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated (and reloads it).</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reversed order of the certificate
## issue chain. That is, the host's certificate should be placed in the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.keyfile
## @type binary()
# keyfile =
## @doc Enable or disable verification of the peer's (client's) certificate against <code>cacertfile</code>.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.verify
## @type enum: verify_peer | verify_none
## @default verify_none
# verify = verify_none
## @doc Enable TLS session reuse.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.reuse_sessions
## @type boolean()
## @default true
# reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.depth
## @type integer()
## @default 10
# depth = 10
## @doc String containing the user's password.
## Only used if the private key file is password-protected.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.password
## @type string()
# password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.</br>
## If PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.versions
## @type array()
## @default [dtlsv1.2, dtlsv1]
# versions = [dtlsv1.2, dtlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by EMQX config
## documentation are all in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be disabled from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.ciphers
## @type array()
## @default ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
# ciphers = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
# user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, which is prone to MitM attacks.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.secure_renegotiate
## @type boolean()
## @default true
# secure_renegotiate = true
## @doc Path to a file containing PEM-encoded Diffie-Hellman parameters
## to be used by the server if a cipher suite using Diffie-Hellman
## key exchange is negotiated. If not specified, default parameters
## are used.</br>
## NOTE: The <code>dhfile</code> option is not supported by TLS 1.3.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.dhfile
## @type string()
# dhfile =
## @doc Used together with {verify, verify_peer} by a TLS/DTLS server.
## If set to true, the server fails if the client does not have a
## certificate to send, that is, sends an empty certificate.
## If set to false, it fails only if the client sends an invalid
## certificate (an empty certificate is considered valid).
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.fail_if_no_peer_cert
## @type boolean()
## @default false
# fail_if_no_peer_cert = false
## @doc An important security setting: it forces the cipher suite to be selected
## according to the server-specified order instead of the client-specified order,
## hence enforcing the (usually more properly configured) security
## ordering of the server administrator.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.honor_cipher_order
## @type boolean()
## @default true
# honor_cipher_order = true
## @doc In protocols that support client-initiated renegotiation,
## the cost of resources of such an operation is higher for the server than the client.
## This can act as a vector for denial of service attacks.
## The SSL application already takes measures to counteract such attempts,
## but client-initiated renegotiation can be strictly disabled by setting this option to false.
## The default value is true. Note that disabling renegotiation can result in
## long-lived connections becoming unusable due to limits on
## the number of messages the underlying cipher suite can encipher.
## @path gateway.mqttsn.listeners.dtls.$name.dtls_options.client_renegotiation
## @type boolean()
## @default true
# client_renegotiation = true
# }
# }
}
## @doc Whether to enable this gateway
## @path gateway.mqttsn.enable
## @type boolean()
## @default true
enable = true
## @doc Whether to enable client process statistics
## @path gateway.mqttsn.enable_stats
## @type boolean()
## @default true
enable_stats = true
## @doc The idle time of the client connection process. It has two purposes:
## 1. A newly created client process that does not receive any client requests within that time will be closed directly.
## 2. A running client process that does not receive any client requests within this time will go into hibernation to save resources.
## @path gateway.mqttsn.idle_timeout
## @type emqx_gateway_schema:duration()
## @default 30s
idle_timeout = 30s
## @path gateway.mqttsn.clientinfo_override
## @link gateway.stomp.clientinfo_override
clientinfo_override {
## @doc Template for overriding username.
## @path gateway.mqttsn.clientinfo_override.username
## @type binary()
# username =
## @doc Template for overriding password.
## @path gateway.mqttsn.clientinfo_override.password
## @type binary()
# password =
## @doc Template for overriding clientid.
## @path gateway.mqttsn.clientinfo_override.clientid
## @type binary()
# clientid =
}
## @doc Default authentication configs for all the gateway listeners. For per-listener overrides see <code>authentication</code>
## in listener configs
## @path gateway.mqttsn.authentication
## @type union() authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication
## @link gateway.stomp.listeners.tcp.$name.authentication
# authentication =
}
## @path gateway.coap
coap {
## @doc The gateway server required minimum heartbeat interval.
## When connection mode is enabled, this parameter sets the minimum heartbeat interval required to keep the connection alive.
## @path gateway.coap.heartbeat
## @type emqx_gateway_schema:duration()
## @default 30s
heartbeat = 30s
## @doc Enable or disable connection mode.
## Connection mode is a feature of non-standard protocols. When connection mode is enabled, the creation, authentication and keep-alive of connection resources must be maintained.
## @path gateway.coap.connection_required
## @type boolean()
## @default false
connection_required = false
## @doc The Notification Message will be delivered to the CoAP client if a new message is received on an observed topic.
## The type of delivered coap message can be set to:
## - non: Non-confirmable;
## - con: Confirmable;
## - qos: Mapping from QoS type of received message, QoS0 -> non, QoS1,2 -> con
## @path gateway.coap.notify_type
## @type enum: non | con | qos
## @default qos
notify_type = qos
## @doc The Default QoS Level indicator for subscribe request.
## This option specifies the QoS level for the CoAP Client when establishing a subscription membership, if the subscribe request does not carry a `qos` option. The indicator can be set to:
## - qos0, qos1, qos2: Fixed default QoS level
## - coap: Dynamic QoS level by the message type of subscribe request
## * qos0: If the subscribe request is non-confirmable
## * qos1: If the subscribe request is confirmable
## @path gateway.coap.subscribe_qos
## @type enum: qos0 | qos1 | qos2 | coap
## @default coap
subscribe_qos = coap
## @doc The Default QoS Level indicator for publish request.
## This option specifies the QoS level for the CoAP Client when publishing a message to the EMQX PUB/SUB system, if the publish request does not carry a `qos` option. The indicator can be set to:
## - qos0, qos1, qos2: Fixed default QoS level
## - coap: Dynamic QoS level by the message type of publish request
## * qos0: If the publish request is non-confirmable
## * qos1: If the publish request is confirmable
## @path gateway.coap.publish_qos
## @type enum: qos0 | qos1 | qos2 | coap
## @default coap
publish_qos = coap
## @doc
## @path gateway.coap.mountpoint
## @type binary()
## @default ""
mountpoint = ""
## @path gateway.coap.listeners
## @link gateway.mqttsn.listeners
listeners {
## @doc
## @path gateway.coap.listeners.udp
## @type map_struct()
## @link gateway.mqttsn.listeners.udp.$name
## @doc
## @path gateway.coap.listeners.dtls
## @type map_struct()
## @link gateway.mqttsn.listeners.dtls.$name
}
## @doc Whether to enable this gateway
## @path gateway.coap.enable
## @type boolean()
## @default true
enable = true
## @doc Whether to enable client process statistics
## @path gateway.coap.enable_stats
## @type boolean()
## @default true
enable_stats = true
## @doc The idle time of the client connection process. It has two purposes:
## 1. A newly created client process that does not receive any client requests within that time will be closed directly.
## 2. A running client process that does not receive any client requests within this time will go into hibernation to save resources.
## @path gateway.coap.idle_timeout
## @type emqx_gateway_schema:duration()
## @default 30s
idle_timeout = 30s
## @path gateway.coap.clientinfo_override
## @link gateway.stomp.clientinfo_override
clientinfo_override {
## @doc Template for overriding username.
## @path gateway.coap.clientinfo_override.username
## @type binary()
# username =
## @doc Template for overriding password.
## @path gateway.coap.clientinfo_override.password
## @type binary()
# password =
## @doc Template for overriding clientid.
## @path gateway.coap.clientinfo_override.clientid
## @type binary()
# clientid =
}
## @doc Default authentication configs for all the gateway listeners. For per-listener overrides see <code>authentication</code>
## in listener configs
## @path gateway.coap.authentication
## @type union() authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication
## @link gateway.stomp.listeners.tcp.$name.authentication
# authentication =
}
## @path gateway.lwm2m
lwm2m {
## @doc The Directory for LwM2M Resource definition
## @path gateway.lwm2m.xml_dir
## @type binary()
## @default "etc/lwm2m_xml"
xml_dir = "etc/lwm2m_xml"
## @doc Minimum value of lifetime allowed to be set by the LwM2M client
## @path gateway.lwm2m.lifetime_min
## @type emqx_gateway_schema:duration()
## @default 15s
lifetime_min = 15s
## @doc Maximum value of lifetime allowed to be set by the LwM2M client
## @path gateway.lwm2m.lifetime_max
## @type emqx_gateway_schema:duration()
## @default 86400s
lifetime_max = 86400s
## @doc The value of the time window during which the network link is considered valid by the LwM2M Gateway in QMode mode.
## For example, after receiving an update message from a client, any messages within this time window are sent directly to the LwM2M client, and all messages beyond this time window are temporarily stored in memory.
## @path gateway.lwm2m.qmode_time_window
## @type emqx_gateway_schema:duration_s()
## @default 22s
qmode_time_window = 22s
## @doc Automatically observe the object list of the REGISTER packet
## @path gateway.lwm2m.auto_observe
## @type boolean()
## @default false
auto_observe = false
## @doc Policy for publishing UPDATE event message.
## - always: send update events as long as the UPDATE request is received.
## - contains_object_list: send update events only if the UPDATE request carries any Object List
## @path gateway.lwm2m.update_msg_publish_condition
## @type enum: always | contains_object_list
## @default contains_object_list
update_msg_publish_condition = contains_object_list
## @path gateway.lwm2m.translators
translators {
## @path gateway.lwm2m.translators.command
command {
## @doc Topic Name
## @path gateway.lwm2m.translators.command.topic
## @type binary()
# topic =
## @doc QoS Level
## @path gateway.lwm2m.translators.command.qos
## @type qos()
## @default 0
qos = 0
}
## @path gateway.lwm2m.translators.response
## @link gateway.lwm2m.translators.command
response {
## @doc Topic Name
## @path gateway.lwm2m.translators.response.topic
## @type binary()
# topic =
## @doc QoS Level
## @path gateway.lwm2m.translators.response.qos
## @type qos()
## @default 0
qos = 0
}
## @path gateway.lwm2m.translators.notify
## @link gateway.lwm2m.translators.command
notify {
## @doc Topic Name
## @path gateway.lwm2m.translators.notify.topic
## @type binary()
# topic =
## @doc QoS Level
## @path gateway.lwm2m.translators.notify.qos
## @type qos()
## @default 0
qos = 0
}
## @path gateway.lwm2m.translators.register
## @link gateway.lwm2m.translators.command
register {
## @doc Topic Name
## @path gateway.lwm2m.translators.register.topic
## @type binary()
# topic =
## @doc QoS Level
## @path gateway.lwm2m.translators.register.qos
## @type qos()
## @default 0
qos = 0
}
## @path gateway.lwm2m.translators.update
## @link gateway.lwm2m.translators.command
update {
## @doc Topic Name
## @path gateway.lwm2m.translators.update.topic
## @type binary()
# topic =
## @doc QoS Level
## @path gateway.lwm2m.translators.update.qos
## @type qos()
## @default 0
qos = 0
}
}
## @doc
## @path gateway.lwm2m.mountpoint
## @type binary()
## @default "lwm2m/${endpoint_name}/"
mountpoint = "lwm2m/${endpoint_name}/"
## @path gateway.lwm2m.listeners
## @link gateway.mqttsn.listeners
listeners {
## @doc
## @path gateway.lwm2m.listeners.udp
## @type map_struct()
## @link gateway.mqttsn.listeners.udp.$name
## @doc
## @path gateway.lwm2m.listeners.dtls
## @type map_struct()
## @link gateway.mqttsn.listeners.dtls.$name
}
## @doc Whether to enable this gateway
## @path gateway.lwm2m.enable
## @type boolean()
## @default true
enable = true
## @doc Whether to enable client process statistics
## @path gateway.lwm2m.enable_stats
## @type boolean()
## @default true
enable_stats = true
## @doc The idle time of the client connection process. It has two purposes:
## 1. A newly created client process that does not receive any client requests within that time will be closed directly.
## 2. A running client process that does not receive any client requests within this time will go into hibernation to save resources.
## @path gateway.lwm2m.idle_timeout
## @type emqx_gateway_schema:duration()
## @default 30s
idle_timeout = 30s
## @path gateway.lwm2m.clientinfo_override
## @link gateway.stomp.clientinfo_override
clientinfo_override {
## @doc Template for overriding username.
## @path gateway.lwm2m.clientinfo_override.username
## @type binary()
# username =
## @doc Template for overriding password.
## @path gateway.lwm2m.clientinfo_override.password
## @type binary()
# password =
## @doc Template for overriding clientid.
## @path gateway.lwm2m.clientinfo_override.clientid
## @type binary()
# clientid =
}
## @doc Default authentication configs for all the gateway listeners. For per-listener overrides see <code>authentication</code>
## in listener configs
## @path gateway.lwm2m.authentication
## @type union() authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication
## @link gateway.stomp.listeners.tcp.$name.authentication
# authentication =
}
## @path gateway.exproto
exproto {
## @path gateway.exproto.server
server {
## @doc Listening address and port for the gRPC server.
## @path gateway.exproto.server.bind
## @type union() emqx_gateway_schema:ip_port() | integer()
# bind =
## @path gateway.exproto.server.ssl_options
ssl_options {
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated (and reloads it).</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path gateway.exproto.server.ssl_options.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reversed order of the certificate
## issue chain. That is, the host's certificate should be placed in the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path gateway.exproto.server.ssl_options.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path gateway.exproto.server.ssl_options.keyfile
## @type binary()
# keyfile =
## @doc Enable or disable peer certificate verification. With <code>verify_peer</code> the peer's certificate chain is checked against <code>cacertfile</code>; with <code>verify_none</code> that check is skipped.
## @path gateway.exproto.server.ssl_options.verify
## @type enum: verify_peer | verify_none
## @default verify_none
verify = verify_none
## @doc Enable TLS session reuse.
## @path gateway.exproto.server.ssl_options.reuse_sessions
## @type boolean()
## @default true
reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path gateway.exproto.server.ssl_options.depth
## @type integer()
## @default 10
depth = 10
## @doc String containing the passphrase for the private key.
## Only used if the private key file is password-protected.
## @path gateway.exproto.server.ssl_options.password
## @type string()
password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.</br>
## If PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.
## @path gateway.exproto.server.ssl_options.versions
## @type array()
## @default [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
versions = [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by EMQX config
## documentation are all in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be disabled from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## @path gateway.exproto.server.ssl_options.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.
## @path gateway.exproto.server.ssl_options.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, which is prone to MitM attacks.
## @path gateway.exproto.server.ssl_options.secure_renegotiate
## @type boolean()
## @default true
secure_renegotiate = true
## @doc Path to a file containing PEM-encoded Diffie-Hellman parameters
## to be used by the server if a cipher suite using Diffie-Hellman
## key exchange is negotiated. If not specified, default parameters
## are used.</br>
## NOTE: The <code>dhfile</code> option is not supported by TLS 1.3.
## @path gateway.exproto.server.ssl_options.dhfile
## @type string()
# dhfile =
## @doc Used together with {verify, verify_peer} by a TLS/DTLS server.
## If set to true, the server fails if the client does not have a
## certificate to send, that is, sends an empty certificate.
## If set to false, it fails only if the client sends an invalid
## certificate (an empty certificate is considered valid).
## @path gateway.exproto.server.ssl_options.fail_if_no_peer_cert
## @type boolean()
## @default false
fail_if_no_peer_cert = false
## @doc An important security setting: it forces the cipher suite to be selected
## according to the server-specified order instead of the client-specified order,
## hence enforcing the (usually more properly configured) security
## ordering of the server administrator.
## @path gateway.exproto.server.ssl_options.honor_cipher_order
## @type boolean()
## @default true
honor_cipher_order = true
## @doc In protocols that support client-initiated renegotiation,
## the cost of resources of such an operation is higher for the server than the client.
## This can act as a vector for denial of service attacks.
## The SSL application already takes measures to counteract such attempts,
## but client-initiated renegotiation can be strictly disabled by setting this option to false.
## The default value is true. Note that disabling renegotiation can result in
## long-lived connections becoming unusable due to limits on
## the number of messages the underlying cipher suite can encipher.
## @path gateway.exproto.server.ssl_options.client_renegotiation
## @type boolean()
## @default true
client_renegotiation = true
## @doc Maximum time duration allowed for the handshake to complete
## @path gateway.exproto.server.ssl_options.handshake_timeout
## @type emqx_schema:duration()
## @default 15s
handshake_timeout = 15s
}
}
## @path gateway.exproto.handler
handler {
## @doc gRPC server address.
## @path gateway.exproto.handler.address
## @type binary()
# address =
## @path gateway.exproto.handler.ssl_options
## @link cluster.etcd.ssl
ssl_options {
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated (and reloads it).</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path gateway.exproto.handler.ssl_options.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reversed order of the certificate
## issue chain. That is, the host's certificate should be placed in the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path gateway.exproto.handler.ssl_options.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path gateway.exproto.handler.ssl_options.keyfile
## @type binary()
# keyfile =
## @doc Enable or disable peer certificate verification. With <code>verify_peer</code> the peer's certificate chain is checked against <code>cacertfile</code>; with <code>verify_none</code> that check is skipped.
## @path gateway.exproto.handler.ssl_options.verify
## @type enum: verify_peer | verify_none
## @default verify_none
verify = verify_none
## @doc Enable TLS session reuse.
## @path gateway.exproto.handler.ssl_options.reuse_sessions
## @type boolean()
## @default true
reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path gateway.exproto.handler.ssl_options.depth
## @type integer()
## @default 10
depth = 10
## @doc String containing the passphrase for the private key.
## Only used if the private key file is password-protected.
## @path gateway.exproto.handler.ssl_options.password
## @type string()
password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.</br>
## If PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.
## @path gateway.exproto.handler.ssl_options.versions
## @type array()
## @default [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
versions = [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by EMQX config
## documentation are all in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in the <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by the 'tlsv1.3' version config.</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be removed from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## NOTE: the last two suites (3DES and RC4) are listed for completeness only: RC4 is prohibited for TLS by RFC 7465 and 3DES is subject to block-size (Sweet32) attacks. Neither is part of the default cipher list below; do not add them.
## @path gateway.exproto.handler.ssl_options.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.
## @path gateway.exproto.handler.ssl_options.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, prone to MitM attacks.
## @path gateway.exproto.handler.ssl_options.secure_renegotiate
## @type boolean()
## @default true
secure_renegotiate = true
## @doc Enable TLS.
## @path gateway.exproto.handler.ssl_options.enable
## @type boolean()
## @default false
enable = false
## @doc Specify the host name to be used in the TLS Server Name Indication extension.</br>
## For instance, when connecting to "server.example.net", the genuine server
## which accepts the connection and performs the TLS handshake may differ from the
## host the TLS client initially connects to, e.g. when connecting to an IP address
## or when the host has multiple resolvable DNS records.</br>
## If not specified, it defaults to the host name string used
## to establish the connection, unless an IP address is used.</br>
## The host name is then also used in the host name verification of the peer
## certificate.</br> The special value 'disable' prevents the Server Name
## Indication extension from being sent and disables the hostname
## verification check.</br>
## NOTE: with 'disable', a certificate issued to any name by a trusted CA is accepted, so peer verification alone no longer binds the connection to the intended host. Prefer setting the expected host name explicitly when the peer is reached via an IP address.
## @path gateway.exproto.handler.ssl_options.server_name_indication
## @type union() disable | string()
server_name_indication = disable
}
}
## @doc
## @path gateway.exproto.mountpoint
## @type binary()
## @default ""
mountpoint = ""
## @path gateway.exproto.listeners
listeners {
## @doc
## @path gateway.exproto.listeners.tcp
## @type map_struct()
## @link gateway.stomp.listeners.tcp.$name
## @doc
## @path gateway.exproto.listeners.ssl
## @type map_struct()
## @link gateway.stomp.listeners.ssl.$name
## @doc
## @path gateway.exproto.listeners.udp
## @type map_struct()
## @link gateway.mqttsn.listeners.udp.$name
## @doc
## @path gateway.exproto.listeners.dtls
## @type map_struct()
## @link gateway.mqttsn.listeners.dtls.$name
}
## @doc Whether to enable this gateway
## @path gateway.exproto.enable
## @type boolean()
## @default true
enable = true
## @doc Whether to enable client process statistic
## @path gateway.exproto.enable_stats
## @type boolean()
## @default true
enable_stats = true
## @doc The idle time of the client connection process. It has two purposes:
## 1. A newly created client process that does not receive any client requests after that time will be closed directly.
## 2. A running client process that does not receive any client requests after this time will go into hibernation to save resources.
## @path gateway.exproto.idle_timeout
## @type emqx_gateway_schema:duration()
## @default 30s
idle_timeout = 30s
## @path gateway.exproto.clientinfo_override
## @link gateway.stomp.clientinfo_override
clientinfo_override {
## @doc Template for overriding username.
## @path gateway.exproto.clientinfo_override.username
## @type binary()
# username =
## @doc Template for overriding password.
## @path gateway.exproto.clientinfo_override.password
## @type binary()
# password =
## @doc Template for overriding clientid.
## @path gateway.exproto.clientinfo_override.clientid
## @type binary()
# clientid =
}
## @doc Default authentication configs for all the gateway listeners. For per-listener overrides see <code>authentication</code>
## in listener configs
## @path gateway.exproto.authentication
## @type union() authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication
## @link gateway.stomp.listeners.tcp.$name.authentication
# authentication =
}
}
## @path prometheus
prometheus {
## @doc URL of the Prometheus Pushgateway that metrics are pushed to (only used when <code>enable</code> is true).
## @path prometheus.push_gateway_server
## @type string()
## @default "http://127.0.0.1:9091"
push_gateway_server = "http://127.0.0.1:9091"
## @doc Data reporting interval, in milliseconds.
## @path prometheus.interval
## @type emqx_schema:duration_ms()
## @default 15s
interval = 15s
## @doc Turn Prometheus data pushing on or off
## @path prometheus.enable
## @type boolean()
## @default false
enable = false
}
## @path rule_engine
rule_engine {
## @doc When set to 'true' (default), rule-engine will ignore messages published to $SYS topics.
## @path rule_engine.ignore_sys_message
## @type boolean()
## @default true
ignore_sys_message = true
## @doc The rules
## @path rule_engine.rules
## @type map_struct()
## @default {}
# rules.id =
## @path rule_engine.rules.$id
# {
## @doc The name of the rule
## @path rule_engine.rules.$id.name
## @type binary()
## @default ""
# name = foo
## @doc SQL query to transform the messages.
## Example: <code>SELECT * FROM "test/topic" WHERE payload.x = 1</code>
## @path rule_engine.rules.$id.sql
## @type binary()
# sql = "SELECT * FROM \"test/topic\" WHERE payload.x = 1"
## @doc A list of actions of the rule.
## An action can be a string that refers to the channel ID of an EMQX bridge, or an object
## that refers to a function.
## There are some built-in functions like "republish" and "console", and user-provided
## functions are also supported in the format "{module}:{function}".
## NOTE: a user-provided function is selected purely by module and function name, so anyone
## able to write rule configuration can effectively have any function available in the node
## invoked; treat rule-engine configuration as privileged.
## The actions in the list are executed sequentially.
## This means that if one of the actions is executing slowly, all the following actions will not
## be executed until it returns.
## If one of the actions crashes, all other actions that come after it will still be executed, in the
## original order.
## If there is an error when running an action, there will be an error message, and the 'failure'
## counter of the function action or the bridge channel will increase.
## @path rule_engine.rules.$id.actions
## @type array()
## @default []
# actions =
# [ "webhook:my_webhook", { args {payload = "${payload}", topic = "t/1"} function = republish }, {function = console}]
## @doc Enable or disable the rule
## @path rule_engine.rules.$id.enable
## @type boolean()
## @default true
# enable = true
## @doc The description of the rule
## @path rule_engine.rules.$id.description
## @type binary()
## @default ""
# description = "Some description"
# }
## @doc Default timeout for the `jq` rule engine function
## @path rule_engine.jq_function_default_timeout
## @type emqx_schema:duration_ms()
## @default 10s
jq_function_default_timeout = 10s
}
## @path exhook
exhook {
## @doc List of exhook servers
## @path exhook.servers
## @type array()
## @default []
servers = []
}
## @path psk_authentication
psk_authentication {
## @doc Whether to enable TLS PSK support
## @path psk_authentication.enable
## @type boolean()
## @default false
enable = false
## @doc If init_file is specified, EMQX will import PSKs from the file into the built-in database at startup for use at runtime.
## The file has to be structured line-by-line; each line must be in the format <code>PSKIdentity:SharedSecret</code>.
## For example: <code>mydevice1:c2VjcmV0</code></br>
## NOTE: this file contains shared secrets. Restrict its file-system permissions to the user EMQX runs as and keep it out of version control.
## @path psk_authentication.init_file
## @type binary()
# init_file =
## @doc The separator between <code>PSKIdentity</code> and <code>SharedSecret</code> in the PSK file
## @path psk_authentication.separator
## @type binary()
## @default ":"
separator = ":"
## @doc The size of each chunk used to import to the built-in database from PSK file
## @path psk_authentication.chunk_size
## @type integer()
## @default 50
chunk_size = 50
}
## @path limiter
limiter {
## @path limiter.bytes_in
bytes_in {
## @doc Enable
## @path limiter.bytes_in.enable
## @type boolean()
## @default true
enable = true
## @doc Rate for this bucket.
## @path limiter.bytes_in.rate
## @type emqx_limiter_schema:rate()
## @default infinity
rate = infinity
## @doc The burst allowance, expressed relative to <code>rate</code>.</br>
## This value + rate is the maximum limit that can be reached when the limiter bursts.
## @path limiter.bytes_in.burst
## @type emqx_limiter_schema:burst_rate()
## @default 0
burst = 0
## @doc Bucket Configs
## @path limiter.bytes_in.bucket
## @type map_struct()
## @default
# { default {}}
# bucket.bucket_name =
## @path limiter.bytes_in.bucket.$bucket_name
# {
## @doc Rate for this bucket.
## @path limiter.bytes_in.bucket.$bucket_name.rate
## @type emqx_limiter_schema:rate()
## @default infinity
# rate = infinity
## @doc The capacity of this token bucket.
## @path limiter.bytes_in.bucket.$bucket_name.capacity
## @type emqx_limiter_schema:capacity()
## @default infinity
# capacity = infinity
## @doc The initial number of tokens for this bucket.
## @path limiter.bytes_in.bucket.$bucket_name.initial
## @type emqx_limiter_schema:initial()
## @default 0
# initial = 0
## @path limiter.bytes_in.bucket.$bucket_name.per_client
# per_client {
## @doc Rate for this bucket.
## @path limiter.bytes_in.bucket.$bucket_name.per_client.rate
## @type emqx_limiter_schema:rate()
## @default infinity
# rate = infinity
## @doc The initial number of tokens for this bucket.
## @path limiter.bytes_in.bucket.$bucket_name.per_client.initial
## @type emqx_limiter_schema:initial()
## @default 0
# initial = 0
## @doc If the remaining tokens are lower than this value,
## the check/consume will succeed, but it will be forced to wait for a short period of time.
## @path limiter.bytes_in.bucket.$bucket_name.per_client.low_watermark
## @type emqx_limiter_schema:initial()
## @default 0
# low_watermark = 0
## @doc The token-bucket capacity per client.
## @path limiter.bytes_in.bucket.$bucket_name.per_client.capacity
## @type emqx_limiter_schema:capacity()
## @default infinity
# capacity = infinity
## @doc Whether a request for tokens may be split, i.e. partially satisfied.
## @path limiter.bytes_in.bucket.$bucket_name.per_client.divisible
## @type boolean()
## @default false
# divisible = false
## @doc The maximum time to keep retrying when acquiring tokens fails.
## @path limiter.bytes_in.bucket.$bucket_name.per_client.max_retry_time
## @type emqx_schema:duration()
## @default 10s
# max_retry_time = 10s
## @doc The strategy when all the retries failed.
## @path limiter.bytes_in.bucket.$bucket_name.per_client.failure_strategy
## @type emqx_limiter_schema:failure_strategy()
## @default force
# failure_strategy = force
# }
# }
}
## @path limiter.message_in
## @link limiter.bytes_in
message_in {
## @doc Enable
## @path limiter.message_in.enable
## @type boolean()
## @default true
enable = true
## @doc Rate for this bucket.
## @path limiter.message_in.rate
## @type emqx_limiter_schema:rate()
## @default infinity
rate = infinity
## @doc The burst allowance, expressed relative to <code>rate</code>.</br>
## This value + rate is the maximum limit that can be reached when the limiter bursts.
## @path limiter.message_in.burst
## @type emqx_limiter_schema:burst_rate()
## @default 0
burst = 0
## @doc Bucket Configs
## @path limiter.message_in.bucket
## @type map_struct()
## @default
# { default {}}
## @link limiter.bytes_in.bucket.$bucket_name
}
## @path limiter.connection
## @link limiter.bytes_in
connection {
## @doc Enable
## @path limiter.connection.enable
## @type boolean()
## @default true
enable = true
## @doc Rate for this bucket.
## @path limiter.connection.rate
## @type emqx_limiter_schema:rate()
## @default infinity
rate = infinity
## @doc The burst allowance, expressed relative to <code>rate</code>.</br>
## This value + rate is the maximum limit that can be reached when the limiter bursts.
## @path limiter.connection.burst
## @type emqx_limiter_schema:burst_rate()
## @default 0
burst = 0
## @doc Bucket Configs
## @path limiter.connection.bucket
## @type map_struct()
## @default
# { default {}}
## @link limiter.bytes_in.bucket.$bucket_name
}
## @path limiter.message_routing
## @link limiter.bytes_in
message_routing {
## @doc Enable
## @path limiter.message_routing.enable
## @type boolean()
## @default true
enable = true
## @doc Rate for this bucket.
## @path limiter.message_routing.rate
## @type emqx_limiter_schema:rate()
## @default infinity
rate = infinity
## @doc The burst allowance, expressed relative to <code>rate</code>.</br>
## This value + rate is the maximum limit that can be reached when the limiter bursts.
## @path limiter.message_routing.burst
## @type emqx_limiter_schema:burst_rate()
## @default 0
burst = 0
## @doc Bucket Configs
## @path limiter.message_routing.bucket
## @type map_struct()
## @default
# { default {}}
## @link limiter.bytes_in.bucket.$bucket_name
}
## @path limiter.batch
## @link limiter.bytes_in
batch {
## @doc Enable
## @path limiter.batch.enable
## @type boolean()
## @default true
enable = true
## @doc Rate for this bucket.
## @path limiter.batch.rate
## @type emqx_limiter_schema:rate()
## @default infinity
rate = infinity
## @doc The burst allowance, expressed relative to <code>rate</code>.</br>
## This value + rate is the maximum limit that can be reached when the limiter bursts.
## @path limiter.batch.burst
## @type emqx_limiter_schema:burst_rate()
## @default 0
burst = 0
## @doc Bucket Configs
## @path limiter.batch.bucket
## @type map_struct()
## @default
# { default {}}
## @link limiter.bytes_in.bucket.$bucket_name
}
}
## @path connectors
connectors {
## @doc MQTT bridges.
## @path connectors.mqtt
## @type map_struct()
# mqtt.name =
## @path connectors.mqtt.$name
# {
## @doc The mode of the MQTT Bridge. Can be one of 'cluster_singleton' or 'cluster_shareload'.</br>
##
## - cluster_singleton: create a single MQTT connection within the EMQX cluster.</br>
## In 'cluster_singleton' mode, all messages toward the remote broker go through the same
## MQTT connection.</br>
## - cluster_shareload: create an MQTT connection on each node in the EMQX cluster.</br>
## In 'cluster_shareload' mode, the incoming load from the remote broker is shared by
## using shared subscriptions.</br>
## Note that the 'clientid' is suffixed by the node name to avoid
## clientid conflicts between different nodes, and that only shared-subscription
## topic filters can be used for the 'remote_topic' of ingress connections.
## @path connectors.mqtt.$name.mode
## @type enum: cluster_shareload
## @default cluster_shareload
# mode = cluster_shareload
## @doc The host and port of the remote MQTT broker
## @path connectors.mqtt.$name.server
## @type emqx_schema:ip_port()
# server =
## @doc Reconnect interval. Delay for the MQTT bridge to retry establishing the connection in case of a transport failure. Time interval is a string that contains a number followed by a time unit:</br>
## - `ms` for milliseconds,
## - `s` for seconds,
## - `m` for minutes,
## - `h` for hours;
## </br>or combination of whereof: `1h5m0s`
## @path connectors.mqtt.$name.reconnect_interval
## @type string()
## @default 15s
# reconnect_interval = 15s
## @doc The MQTT protocol version
## @path connectors.mqtt.$name.proto_ver
## @type enum: v3 | v4 | v5
## @default v4
# proto_ver = v4
## @doc Whether to enable bridge mode.
## NOTE: This setting is only for MQTT protocol versions older than 5.0, and the remote MQTT
## broker MUST support this feature.
## @path connectors.mqtt.$name.bridge_mode
## @type boolean()
## @default false
# bridge_mode = false
## @doc The username used to authenticate to the remote MQTT broker.
## @path connectors.mqtt.$name.username
## @type binary()
## @default emqx
# username = emqx
## @doc The password used to authenticate to the remote MQTT broker.</br>
## NOTE: the default value 'emqx' is a placeholder; set real credentials for the remote broker. The value is stored in clear text in this file, so restrict the configuration file's permissions accordingly.
## @path connectors.mqtt.$name.password
## @type binary()
## @default emqx
# password = emqx
## @doc The clean-start or the clean-session of the MQTT protocol
## @path connectors.mqtt.$name.clean_start
## @type boolean()
## @default true
# clean_start = true
## @doc MQTT Keepalive. Time interval is a string that contains a number followed by time unit:</br>
## - `ms` for milliseconds,
## - `s` for seconds,
## - `m` for minutes,
## - `h` for hours;
## </br>or combination of whereof: `1h5m0s`
## @path connectors.mqtt.$name.keepalive
## @type string()
## @default 300s
# keepalive = 300s
## @doc Message retry interval. Delay for the MQTT bridge to retry sending QoS1/QoS2 messages in case no ACK is received. Time interval is a string that contains a number followed by a time unit:</br>
## - `ms` for milliseconds,
## - `s` for seconds,
## - `m` for minutes,
## - `h` for hours;
## </br>or combination of whereof: `1h5m0s`
## @path connectors.mqtt.$name.retry_interval
## @type string()
## @default 15s
# retry_interval = 15s
## @doc Max inflight (sent, but un-acked) messages of the MQTT protocol
## @path connectors.mqtt.$name.max_inflight
## @type non_neg_integer()
## @default 32
# max_inflight = 32
## @path connectors.mqtt.$name.replayq
# replayq {
## @doc The directory where the replayq files are saved.</br>
## Setting it to 'false' disables the replayq feature.
## @path connectors.mqtt.$name.replayq.dir
## @type union() boolean() | string()
# dir =
## @doc The size in bytes of a single segment.</br>
## A segment is mapping to a file in the replayq dir. If the current segment is full, a new segment
## (file) will be opened to write.
## @path connectors.mqtt.$name.replayq.seg_bytes
## @type emqx_schema:bytesize()
## @default 100MB
# seg_bytes = 100MB
## @doc In offload mode, the disk queue is only used to offload queue tail segments.</br>
## The messages are cached in the memory first, then it writes to the replayq files after the size of
## the memory cache reaches 'seg_bytes'.
## @path connectors.mqtt.$name.replayq.offload
## @type boolean()
## @default false
# offload = false
# }
## @path connectors.mqtt.$name.ssl
## @link cluster.etcd.ssl
# ssl {
## @doc Trusted PEM format CA certificates bundle file.</br>
## The certificates in this file are used to verify the TLS peer's certificates.
## Note that the peer certificate is only checked against this bundle when
## <code>verify</code> is set to <code>verify_peer</code>.
## Append new certificates to the file if new CAs are to be trusted.
## There is no need to restart EMQX to have the updated file loaded, because
## the system regularly checks whether the file has been updated (and reloads it).</br>
## NOTE: invalidating (deleting) a certificate from the file will not affect
## already established connections.
## @path connectors.mqtt.$name.ssl.cacertfile
## @type binary()
# cacertfile =
## @doc PEM format certificates chain file.</br>
## The certificates in this file should be in reversed order of the certificate
## issue chain. That is, the host's certificate should be placed in the beginning
## of the file, followed by the immediate issuer certificate and so on.
## Although the root CA certificate is optional, it should be placed at the end of
## the file if it is to be added.
## @path connectors.mqtt.$name.ssl.certfile
## @type binary()
# certfile =
## @doc PEM format private key file.
## @path connectors.mqtt.$name.ssl.keyfile
## @type binary()
# keyfile =
## @doc Enable or disable peer verification.</br>
## NOTE: the default <code>verify_none</code> means the remote broker's certificate is NOT validated against <code>cacertfile</code>; TLS then provides encryption but no server authentication, and the bridge can be redirected by an on-path attacker. Set <code>verify_peer</code>, together with a suitable <code>cacertfile</code> and <code>server_name_indication</code>, for production bridges.
## @path connectors.mqtt.$name.ssl.verify
## @type enum: verify_peer | verify_none
## @default verify_none
# verify = verify_none
## @doc Enable TLS session reuse.
## @path connectors.mqtt.$name.ssl.reuse_sessions
## @type boolean()
## @default true
# reuse_sessions = true
## @doc Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 10.
## @path connectors.mqtt.$name.ssl.depth
## @type integer()
## @default 10
# depth = 10
## @doc Password used to decrypt the private key file (<code>keyfile</code>).
## Only used if the private key file is password-protected.</br>
## NOTE: the value is stored in clear text in this file, so restrict the configuration file's permissions accordingly.
## @path connectors.mqtt.$name.ssl.password
## @type string()
# password = ""
## @doc All TLS/DTLS versions to be supported.</br>
## NOTE: PSK ciphers are suppressed by the 'tlsv1.3' version config.</br>
## If PSK cipher suites are intended, make sure to configure
## <code>['tlsv1.2', 'tlsv1.1']</code> here.</br>
## NOTE: 'tlsv1' and 'tlsv1.1' are deprecated (RFC 8996); remove them from this list unless legacy peers that cannot negotiate TLS 1.2 or later must be supported.
## @path connectors.mqtt.$name.ssl.versions
## @type array()
## @default [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
# versions = [tlsv1.3, tlsv1.2, tlsv1.1, tlsv1]
## @doc This config holds TLS cipher suite names separated by comma,
## or as an array of strings. e.g.
## <code>"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"</code> or
## <code>["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]</code>.
## </br>
## Ciphers (and their ordering) define the way in which the
## client and server encrypt information over the network connection.
## Selecting a good cipher suite is critical for the
## application's data security, confidentiality and performance.
##
## The names should be in OpenSSL string format (not RFC format).
## All default values and examples provided by EMQX config
## documentation are all in OpenSSL format.</br>
##
## NOTE: Certain cipher suites are only compatible with
## specific TLS <code>versions</code> ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3');
## incompatible cipher suites will be silently dropped.
## For instance, if only 'tlsv1.3' is given in <code>versions</code>,
## configuring cipher suites for other versions will have no effect.
## </br>
##
## NOTE: PSK ciphers are suppressed by the 'tlsv1.3' version config.</br>
## If PSK cipher suites are intended, 'tlsv1.3' should be removed from <code>versions</code>.</br>
## PSK cipher suites: <code>"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,
## RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,
## RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA,
## RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"</code></br>
## NOTE: the last two suites (3DES and RC4) are listed for completeness only: RC4 is prohibited for TLS by RFC 7465 and 3DES is subject to block-size (Sweet32) attacks. Neither is part of the default cipher list below; do not add them.
## @path connectors.mqtt.$name.ssl.ciphers
## @type array()
## @default ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
# ciphers = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256", "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256", "RSA-PSK-AES256-CBC-SHA", "RSA-PSK-AES128-CBC-SHA"]
## @doc EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.
## @path connectors.mqtt.$name.ssl.user_lookup_fun
## @type string()
## @default "emqx_tls_psk:lookup"
# user_lookup_fun = "emqx_tls_psk:lookup"
## @doc SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, prone to MitM attacks.
## @path connectors.mqtt.$name.ssl.secure_renegotiate
## @type boolean()
## @default true
# secure_renegotiate = true
## @doc Enable TLS.
## @path connectors.mqtt.$name.ssl.enable
## @type boolean()
## @default false
# enable = false
## @doc Specify the host name to be used in the TLS Server Name Indication extension.</br>
## For instance, when connecting to "server.example.net", the genuine server
## which accepts the connection and performs the TLS handshake may differ from the
## host the TLS client initially connects to, e.g. when connecting to an IP address
## or when the host has multiple resolvable DNS records.</br>
## If not specified, it defaults to the host name string used
## to establish the connection, unless an IP address is used.</br>
## The host name is then also used in the host name verification of the peer
## certificate.</br> The special value 'disable' prevents the Server Name
## Indication extension from being sent and disables the hostname
## verification check.</br>
## NOTE: with 'disable', a certificate issued to any name by a trusted CA is accepted even with <code>verify = verify_peer</code>, so verification no longer binds the connection to the intended broker. Prefer setting the expected host name explicitly when <code>server</code> is an IP address.
## @path connectors.mqtt.$name.ssl.server_name_indication
## @type union() disable | string()
# server_name_indication = disable
# }
# }
}
## @path slow_subs
slow_subs {
## @doc Enable this feature
## @path slow_subs.enable
## @type boolean()
## @default false
enable = false
## @doc The latency threshold for statistics
## @path slow_subs.threshold
## @type emqx_schema:duration_ms()
## @default 500ms
threshold = 500ms
## @doc The eviction time of the record, which in the statistics record table
## @path slow_subs.expire_interval
## @type emqx_schema:duration_ms()
## @default 300s
expire_interval = 300s
## @doc The maximum number of records in the slow subscription statistics record table
## @path slow_subs.top_k_num
## @type pos_integer()
## @default 10
top_k_num = 10
## @doc The method to calculate the latency
## @path slow_subs.stats_type
## @type enum: whole | internal | response
## @default whole
stats_type = whole
}