Configuration Manual

listeners

Type	`Struct(listeners)`

listeners

tcp

Type	`Map($name->OneOf(Struct(mqtt_tcp_listener),String("marked_for_deletion")))`
Description	TCP listeners.

mqtt_tcp_listener

bind
Type String
Default 1883
Description
IP address and port for the listening socket.
acceptors
Type Integer(1..+inf)
Default 16
Description
The size of the listener's receiving pool.
max_connections
Type OneOf(String("infinity"),Integer(1..+inf))
Default infinity
Description
The maximum number of concurrent connections allowed by the listener.

mountpoint

Type	`String`
Default	`""`
Description	Adds a static or templated prefix (e.g., `n1/` or `${username}/`) to topics used by clients in `SUBSCRIBE` and `UNSUBSCRIBE` requests, `PUBLISH` messages, and Will Message (if supplied in the `CONNECT` packet). Removes this prefix from topics of messages published to the respective subscriptions. The supported placeholders are: `${username}` `${clientid}` `${zone}` `${client_attrs.NAME}` For example, with `mountpoint="${username}/"` a client using `u1` as username will have: Client SUBSCRIBE `sensors/#` -> `u1/sensors/#` internally in the broker. Broker PUBLISH `u1/sensors/data` -> `sensors/data` sent to the client. The prefix mount/unmount is applied to: Will in `CONNECT` `PUBLISH` `SUBSCRIBE` `UNSUBSCRIBE` Note: mounting occurs after authorization/ACL checks.

zone

Type	`String`
Default	`default`
Description	The configuration zone to which the listener belongs. Clients connected to this listener will inherit zone-settings created under this zone name. A zone can override the configs under below root names: `mqtt` `force_shutdown` `force_gc` `flapping_detect` `durable_sessions`

enable_authn

Type	`Enum(true,false,quick_deny_anonymous)`
Default	`true`
Description	Set `true` (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to `false`, any client (with or without username/password) is allowed to connect. When set to `quick_deny_anonymous`, it behaves like when set to `true`, but clients will be denied immediately without going through any authenticators if `username` is not provided. This is useful to fence off anonymous clients early.

max_conn_rate

Type	`String`
Default	`infinity`
Description	Used to limit the rate at which the current listener accepts connections. Once the limit is reached, EMQX will pause fetching connections from the Accept queue, thereby delaying or rejecting new connections. For example: `1000/s`: Only accepts 1000 connections per second. `1000/10s`: Only accepts 1000 connections every 10 seconds.

messages_rate

Type String

Description

Used to limit the number of messages a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

For example:

500/s: Only 500 messages will be received per second, and the remaining messages will be delayed.
500/10s: Only 500 messages will be received every 10 seconds and the remaining messages will be delayed.

bytes_rate

Type String

Description

Used to limit the number of bytes a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

The unit of the bytes could be: B, KB, MB, GB.

For example:

500KB/s: Only 500 kilobytes per second will be received, and the remaining bytes will be delayed.
500MB/10s: Only 500 megabytes will be received every 10 seconds, and the remaining bytes will be delayed.

access_rules

Type	`Array(String)`
Default	`["allow all"]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

proxy_protocol
Type Boolean
Default false
Description
Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.
See: https://www.haproxy.com/blog/haproxy/proxy-protocol/

proxy_protocol_timeout

Type	`Duration`
Default	`"3s"`
Description	If a reverse proxy is deployed for EMQX, and the PROXY protocol is enabled at the proxy to pass the client's real IP, this option needs to be turned on so that EMQX can extract the client's real IP from the PROXY protocol header. EMQX will automatically detect the version of the PROXY protocol and support V1 and V2. For a detailed description of the PROXY protocol, please refer to: https://www.haproxy.com/blog/haproxy/proxy-protocol/ A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

tcp_options

Type	`Struct(tcp_opts)`

tcp_opts

active_n
Type Integer(0..+inf)
Default 100
Description
Specify the {active, N} option for this Socket.
See: https://erlang.org/doc/man/inet.html#setopts-2
backlog
Type Integer(1..+inf)
Default 1024
Description
TCP backlog defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"15s"`
Description	The maximum time a process is suspended for sending data to a busy socket. After the timeout, the TCP connection and the process will be closed. The process is unsuspended only when the socket is unbusy, that is, the data accumulated in the Erlang internal buffer drops from the high watermark (specified by `high_watermark`) to the low watermark (default 4 KB). Therefore, `(high_watermark - 4 KB) / send_timeout` must be a suitable message outflow speed, otherwise the suspended process will never be able to recover before the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

send_timeout_close
Type Boolean
Default true
Description
Close the connection if send timeout.

recbuf

Type	`Bytesize`
Description	The TCP receive buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	The TCP send buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Default	`"4KB"`
Description	The size of the user-space buffer used by the driver. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

high_watermark

Type	`Bytesize`
Default	`"1MB"`
Description	When EMQX tries to send more data than the OS has allocated for the socket's send buffer, the remaining data will be temporarily stored in Erlang's internal buffer and then sent in the background. If the amount of data queued in the internal buffer exceeds `high_watermark`, the corresponding socket will be marked as busy. The process sending data to this busy socket will be suspended until the socket is no longer busy, or the suspension time exceeds `send_timeout`. The socket will only be unbusy when the data in the internal buffer is below the low watermark. While the process is suspended, the message queue of the process may accumulate, see `max_mailbox_len` for details. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

nodelay
Type Boolean
Default true
Description
The TCP_NODELAY flag for the connections. When set to true, data is sent immediately, regardless of size.

nolinger

Type	`Boolean`
Default	`false`
Description	When enabled, `SO_LINGER` flag is set as `(onoff=1, linger=0)`, which means the TCP socket is to be closed immediately by sending a TCP-RST packet, discarding any unsent data and skipping the graceful close steps, including CLOSE_WAIT, FIN_WAIT, and TIME_WAIT.

reuseaddr
Type Boolean
Default true
Description
The SO_REUSEADDR flag for the connections.

keepalive

Type	`String`
Default	`none`
Description	Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes' Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200). Interval: The number of seconds between TCP keep-alive probes (Linux default 75). Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'

ssl

Type	`Map($name->OneOf(Struct(mqtt_ssl_listener),String("marked_for_deletion")))`
Description	SSL listeners.

mqtt_ssl_listener

bind
Type String
Default 8883
Description
IP address and port for the listening socket.
acceptors
Type Integer(1..+inf)
Default 16
Description
The size of the listener's receiving pool.
max_connections
Type OneOf(String("infinity"),Integer(1..+inf))
Default infinity
Description
The maximum number of concurrent connections allowed by the listener.

mountpoint

Type	`String`
Default	`""`
Description	Adds a static or templated prefix (e.g., `n1/` or `${username}/`) to topics used by clients in `SUBSCRIBE` and `UNSUBSCRIBE` requests, `PUBLISH` messages, and Will Message (if supplied in the `CONNECT` packet). Removes this prefix from topics of messages published to the respective subscriptions. The supported placeholders are: `${username}` `${clientid}` `${zone}` `${client_attrs.NAME}` For example, with `mountpoint="${username}/"` a client using `u1` as username will have: Client SUBSCRIBE `sensors/#` -> `u1/sensors/#` internally in the broker. Broker PUBLISH `u1/sensors/data` -> `sensors/data` sent to the client. The prefix mount/unmount is applied to: Will in `CONNECT` `PUBLISH` `SUBSCRIBE` `UNSUBSCRIBE` Note: mounting occurs after authorization/ACL checks.

zone

Type	`String`
Default	`default`
Description	The configuration zone to which the listener belongs. Clients connected to this listener will inherit zone-settings created under this zone name. A zone can override the configs under below root names: `mqtt` `force_shutdown` `force_gc` `flapping_detect` `durable_sessions`

enable_authn

Type	`Enum(true,false,quick_deny_anonymous)`
Default	`true`
Description	Set `true` (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to `false`, any client (with or without username/password) is allowed to connect. When set to `quick_deny_anonymous`, it behaves like when set to `true`, but clients will be denied immediately without going through any authenticators if `username` is not provided. This is useful to fence off anonymous clients early.

max_conn_rate

Type	`String`
Default	`infinity`
Description	Used to limit the rate at which the current listener accepts connections. Once the limit is reached, EMQX will pause fetching connections from the Accept queue, thereby delaying or rejecting new connections. For example: `1000/s`: Only accepts 1000 connections per second. `1000/10s`: Only accepts 1000 connections every 10 seconds.

messages_rate

Type String

Description

Used to limit the number of messages a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

For example:

500/s: Only 500 messages will be received per second, and the remaining messages will be delayed.
500/10s: Only 500 messages will be received every 10 seconds and the remaining messages will be delayed.

bytes_rate

Type String

Description

Used to limit the number of bytes a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

The unit of the bytes could be: B, KB, MB, GB.

For example:

500KB/s: Only 500 kilobytes per second will be received, and the remaining bytes will be delayed.
500MB/10s: Only 500 megabytes will be received every 10 seconds, and the remaining bytes will be delayed.

access_rules

Type	`Array(String)`
Default	`["allow all"]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

proxy_protocol
Type Boolean
Default false
Description
Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.
See: https://www.haproxy.com/blog/haproxy/proxy-protocol/

proxy_protocol_timeout

Type	`Duration`
Default	`"3s"`
Description	If a reverse proxy is deployed for EMQX, and the PROXY protocol is enabled at the proxy to pass the client's real IP, this option needs to be turned on so that EMQX can extract the client's real IP from the PROXY protocol header. EMQX will automatically detect the version of the PROXY protocol and support V1 and V2. For a detailed description of the PROXY protocol, please refer to: https://www.haproxy.com/blog/haproxy/proxy-protocol/ A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

tcp_options

Type	`Struct(tcp_opts)`

tcp_opts

active_n
Type Integer(0..+inf)
Default 100
Description
Specify the {active, N} option for this Socket.
See: https://erlang.org/doc/man/inet.html#setopts-2
backlog
Type Integer(1..+inf)
Default 1024
Description
TCP backlog defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"15s"`
Description	The maximum time a process is suspended for sending data to a busy socket. After the timeout, the TCP connection and the process will be closed. The process is unsuspended only when the socket is unbusy, that is, the data accumulated in the Erlang internal buffer drops from the high watermark (specified by `high_watermark`) to the low watermark (default 4 KB). Therefore, `(high_watermark - 4 KB) / send_timeout` must be a suitable message outflow speed, otherwise the suspended process will never be able to recover before the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

send_timeout_close
Type Boolean
Default true
Description
Close the connection if send timeout.

recbuf

Type	`Bytesize`
Description	The TCP receive buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	The TCP send buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Default	`"4KB"`
Description	The size of the user-space buffer used by the driver. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

high_watermark

Type	`Bytesize`
Default	`"1MB"`
Description	When EMQX tries to send more data than the OS has allocated for the socket's send buffer, the remaining data will be temporarily stored in Erlang's internal buffer and then sent in the background. If the amount of data queued in the internal buffer exceeds `high_watermark`, the corresponding socket will be marked as busy. The process sending data to this busy socket will be suspended until the socket is no longer busy, or the suspension time exceeds `send_timeout`. The socket will only be unbusy when the data in the internal buffer is below the low watermark. While the process is suspended, the message queue of the process may accumulate, see `max_mailbox_len` for details. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

nodelay
Type Boolean
Default true
Description
The TCP_NODELAY flag for the connections. When set to true, data is sent immediately, regardless of size.

nolinger

Type	`Boolean`
Default	`false`
Description	When enabled, `SO_LINGER` flag is set as `(onoff=1, linger=0)`, which means the TCP socket is to be closed immediately by sending a TCP-RST packet, discarding any unsent data and skipping the graceful close steps, including CLOSE_WAIT, FIN_WAIT, and TIME_WAIT.

reuseaddr
Type Boolean
Default true
Description
The SO_REUSEADDR flag for the connections.

keepalive

Type	`String`
Default	`none`
Description	Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes' Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200). Interval: The number of seconds between TCP keep-alive probes (Linux default 75). Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'

ssl_options

Type	`Struct(listener_ssl_opts)`

listener_ssl_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

String containing the user's password. Only used if the private key file is password-protected.
A string holding some sensitive information, such as a password. When secret starts with file://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before using file:// secrets.

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

gc_after_handshake
Type Boolean
Default false
Description
Memory usage tuning. If enabled, will immediately perform a garbage collection after the TLS/SSL handshake.

ocsp

Type	`Struct(ocsp)`

ocsp

enable_ocsp_stapling
Type Boolean
Default false
Description
Whether to enable Online Certificate Status Protocol (OCSP) stapling for the listener. If set to true, requires defining the OCSP responder URL and issuer PEM path.
responder_url
Type String
Description
URL for the OCSP responder to check the server certificate against.
issuer_pem
Type String
Description
PEM-encoded certificate of the OCSP issuer for the server certificate.

refresh_interval

Type	`Duration`
Default	`"5m"`
Description	The period to refresh the OCSP response for the server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

refresh_http_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout for the HTTP request when checking OCSP responses. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable_crl_check
Type Boolean
Default false
Description
Whether to enable CRL verification for this listener.

ws

Type	`Map($name->OneOf(Struct(mqtt_ws_listener),String("marked_for_deletion")))`
Description	HTTP websocket listeners.

mqtt_ws_listener

bind
Type String
Default 8083
Description
IP address and port for the listening socket.
acceptors
Type Integer(1..+inf)
Default 16
Description
The size of the listener's receiving pool.
max_connections
Type OneOf(String("infinity"),Integer(1..+inf))
Default infinity
Description
The maximum number of concurrent connections allowed by the listener.

mountpoint

Type	`String`
Default	`""`
Description	Adds a static or templated prefix (e.g., `n1/` or `${username}/`) to topics used by clients in `SUBSCRIBE` and `UNSUBSCRIBE` requests, `PUBLISH` messages, and Will Message (if supplied in the `CONNECT` packet). Removes this prefix from topics of messages published to the respective subscriptions. The supported placeholders are: `${username}` `${clientid}` `${zone}` `${client_attrs.NAME}` For example, with `mountpoint="${username}/"` a client using `u1` as username will have: Client SUBSCRIBE `sensors/#` -> `u1/sensors/#` internally in the broker. Broker PUBLISH `u1/sensors/data` -> `sensors/data` sent to the client. The prefix mount/unmount is applied to: Will in `CONNECT` `PUBLISH` `SUBSCRIBE` `UNSUBSCRIBE` Note: mounting occurs after authorization/ACL checks.

zone

Type	`String`
Default	`default`
Description	The configuration zone to which the listener belongs. Clients connected to this listener will inherit zone-settings created under this zone name. A zone can override the configs under below root names: `mqtt` `force_shutdown` `force_gc` `flapping_detect` `durable_sessions`

enable_authn

Type	`Enum(true,false,quick_deny_anonymous)`
Default	`true`
Description	Set `true` (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to `false`, any client (with or without username/password) is allowed to connect. When set to `quick_deny_anonymous`, it behaves like when set to `true`, but clients will be denied immediately without going through any authenticators if `username` is not provided. This is useful to fence off anonymous clients early.

max_conn_rate

Type	`String`
Default	`infinity`
Description	Used to limit the rate at which the current listener accepts connections. Once the limit is reached, EMQX will pause fetching connections from the Accept queue, thereby delaying or rejecting new connections. For example: `1000/s`: Only accepts 1000 connections per second. `1000/10s`: Only accepts 1000 connections every 10 seconds.

messages_rate

Type String

Description

Used to limit the number of messages a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

For example:

500/s: Only 500 messages will be received per second, and the remaining messages will be delayed.
500/10s: Only 500 messages will be received every 10 seconds and the remaining messages will be delayed.

bytes_rate

Type String

Description

Used to limit the number of bytes a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

The unit of the bytes could be: B, KB, MB, GB.

For example:

500KB/s: Only 500 kilobytes per second will be received, and the remaining bytes will be delayed.
500MB/10s: Only 500 megabytes will be received every 10 seconds, and the remaining bytes will be delayed.

access_rules

Type	`Array(String)`
Default	`["allow all"]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

proxy_protocol
Type Boolean
Default false
Description
Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.
See: https://www.haproxy.com/blog/haproxy/proxy-protocol/

proxy_protocol_timeout

Type	`Duration`
Default	`"3s"`
Description	If a reverse proxy is deployed for EMQX, and the PROXY protocol is enabled at the proxy to pass the client's real IP, this option needs to be turned on so that EMQX can extract the client's real IP from the PROXY protocol header. EMQX will automatically detect the version of the PROXY protocol and support V1 and V2. For a detailed description of the PROXY protocol, please refer to: https://www.haproxy.com/blog/haproxy/proxy-protocol/ A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

tcp_options

Type	`Struct(tcp_opts)`

tcp_opts

active_n
Type Integer(0..+inf)
Default 100
Description
Specify the {active, N} option for this Socket.
See: https://erlang.org/doc/man/inet.html#setopts-2
backlog
Type Integer(1..+inf)
Default 1024
Description
TCP backlog defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"15s"`
Description	The maximum time a process is suspended for sending data to a busy socket. After the timeout, the TCP connection and the process will be closed. The process is unsuspended only when the socket is unbusy, that is, the data accumulated in the Erlang internal buffer drops from the high watermark (specified by `high_watermark`) to the low watermark (default 4 KB). Therefore, `(high_watermark - 4 KB) / send_timeout` must be a suitable message outflow speed, otherwise the suspended process will never be able to recover before the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

send_timeout_close
Type Boolean
Default true
Description
Close the connection if send timeout.

recbuf

Type	`Bytesize`
Description	The TCP receive buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	The TCP send buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Default	`"4KB"`
Description	The size of the user-space buffer used by the driver. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

high_watermark

Type	`Bytesize`
Default	`"1MB"`
Description	When EMQX tries to send more data than the OS has allocated for the socket's send buffer, the remaining data will be temporarily stored in Erlang's internal buffer and then sent in the background. If the amount of data queued in the internal buffer exceeds `high_watermark`, the corresponding socket will be marked as busy. The process sending data to this busy socket will be suspended until the socket is no longer busy, or the suspension time exceeds `send_timeout`. The socket will only be unbusy when the data in the internal buffer is below the low watermark. While the process is suspended, the message queue of the process may accumulate, see `max_mailbox_len` for details. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

nodelay
Type Boolean
Default true
Description
The TCP_NODELAY flag for the connections. When set to true, data is sent immediately, regardless of size.

nolinger

Type	`Boolean`
Default	`false`
Description	When enabled, `SO_LINGER` flag is set as `(onoff=1, linger=0)`, which means the TCP socket is to be closed immediately by sending a TCP-RST packet, discarding any unsent data and skipping the graceful close steps, including CLOSE_WAIT, FIN_WAIT, and TIME_WAIT.

reuseaddr
Type Boolean
Default true
Description
The SO_REUSEADDR flag for the connections.

keepalive

Type	`String`
Default	`none`
Description	Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes' Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200). Interval: The number of seconds between TCP keep-alive probes (Linux default 75). Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'

websocket

Type	`Struct(ws_opts)`

ws_opts

mqtt_path

Type	`String`
Default	`"/mqtt"`
Description	WebSocket's MQTT protocol path. By default, the full URL for the WebSocket client to connect is: `ws://{host}:{port}/mqtt`. Append `/[...]` to the end of the path to make EMQX accept any subpath. For example, specifying `mqtt/[...]` would allow clients to connect at paths like `mqtt/org1` or `mqtt/group2`, etc. NOTE: An unmatched path will cause the client to be rejected immediately at the HTTP layer, meaning it will not be traceable at the MQTT layer.

mqtt_piggyback
Type Enum(single,multiple)
Default multiple
Description
Whether a WebSocket message is allowed to contain multiple MQTT packets.
compress
Type Boolean
Default false
Description
If true, compress WebSocket messages using zlib.

The configuration items under deflate_opts belong to the compression-related parameter configuration.

idle_timeout

Type	`Duration`
Default	`"7200s"`
Description	The timeout for waiting for the WebSocket upgrade request. After the timeout, the connection will be closed. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

max_frame_size
Type OneOf(String("infinity"),Integer(1..+inf))
Default infinity
Description
The maximum length of a single MQTT packet.
fail_if_no_subprotocol
Type Boolean
Default true
Description
If true, the server will return an error when the client does not carry the Sec-WebSocket-Protocol field.
Note: WeChat applet needs to disable this verification.
supported_subprotocols
Type String
Default "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
Description
Comma-separated list of supported subprotocols.
check_origin_enable
Type Boolean
Default false
Description
If true, origin HTTP header will be validated against the list of allowed origins configured in check_origins parameter.
allow_origin_absence
Type Boolean
Default true
Description
If false and check_origin_enable is true, the server will reject requests that don't have origin HTTP header.
check_origins
Type String
Default "http://localhost:18083, http://127.0.0.1:18083"
Description
List of allowed origins.
See check_origin_enable.

proxy_address_header

Type	`String`
Default	`"x-forwarded-for"`
Description	The HTTP request header that carries the original client's IP address, EMQX will take the leftmost IP in the header as the original client's IP. This option is typically used when EMQX is deployed behind a WebSocket proxy.

proxy_port_header

Type	`String`
Default	`"x-forwarded-port"`
Description	The HTTP request header that carries the original client's source port, EMQX will take the leftmost port in the header as the original client's source port. This option is typically used when EMQX is deployed behind a WebSocket proxy.

deflate_opts
Type Struct(deflate_opts)
deflate_opts
- level
  Type Enum(none,default,best_compression,best_speed)
  Description
  Compression level.
- mem_level
  Type Integer(1..9)
  Default 8
  Description
  Specifies the size of the compression state.
  Lower values decrease memory usage per connection.
- strategy
  Type Enum(default,filtered,huffman_only,rle)
  Default default
  Description
  Specifies the compression strategy.
- server_context_takeover
  Type Enum(takeover,no_takeover)
  Default takeover
  Description
  Takeover means the compression state is retained between server messages.
- client_context_takeover
  Type Enum(takeover,no_takeover)
  Default takeover
  Description
  Takeover means the compression state is retained between client messages.
- server_max_window_bits
  Type Integer(8..15)
  Default 15
  Description
  Specifies the size of the compression context for the server.
- client_max_window_bits
  Type Integer(8..15)
  Default 15
  Description
  Specifies the size of the compression context for the client.
validate_utf8
Type Boolean
Default true
Description
Whether to verify that the payload of text and close frames is valid UTF-8. Disabling it can save resources and improve performance.

wss

Type	`Map($name->OneOf(Struct(mqtt_wss_listener),String("marked_for_deletion")))`
Description	HTTPS websocket listeners.

mqtt_wss_listener

bind
Type String
Default 8084
Description
IP address and port for the listening socket.
acceptors
Type Integer(1..+inf)
Default 16
Description
The size of the listener's receiving pool.
max_connections
Type OneOf(String("infinity"),Integer(1..+inf))
Default infinity
Description
The maximum number of concurrent connections allowed by the listener.

mountpoint

Type	`String`
Default	`""`
Description	Adds a static or templated prefix (e.g., `n1/` or `${username}/`) to topics used by clients in `SUBSCRIBE` and `UNSUBSCRIBE` requests, `PUBLISH` messages, and Will Message (if supplied in the `CONNECT` packet). Removes this prefix from topics of messages published to the respective subscriptions. The supported placeholders are: `${username}` `${clientid}` `${zone}` `${client_attrs.NAME}` For example, with `mountpoint="${username}/"` a client using `u1` as username will have: Client SUBSCRIBE `sensors/#` -> `u1/sensors/#` internally in the broker. Broker PUBLISH `u1/sensors/data` -> `sensors/data` sent to the client. The prefix mount/unmount is applied to: Will in `CONNECT` `PUBLISH` `SUBSCRIBE` `UNSUBSCRIBE` Note: mounting occurs after authorization/ACL checks.

zone

Type	`String`
Default	`default`
Description	The configuration zone to which the listener belongs. Clients connected to this listener will inherit zone-settings created under this zone name. A zone can override the configs under below root names: `mqtt` `force_shutdown` `force_gc` `flapping_detect` `durable_sessions`

enable_authn

Type	`Enum(true,false,quick_deny_anonymous)`
Default	`true`
Description	Set `true` (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to `false`, any client (with or without username/password) is allowed to connect. When set to `quick_deny_anonymous`, it behaves like when set to `true`, but clients will be denied immediately without going through any authenticators if `username` is not provided. This is useful to fence off anonymous clients early.

max_conn_rate

Type	`String`
Default	`infinity`
Description	Used to limit the rate at which the current listener accepts connections. Once the limit is reached, EMQX will pause fetching connections from the Accept queue, thereby delaying or rejecting new connections. For example: `1000/s`: Only accepts 1000 connections per second. `1000/10s`: Only accepts 1000 connections every 10 seconds.

messages_rate

Type String

Description

Used to limit the number of messages a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

For example:

500/s: Only 500 messages will be received per second, and the remaining messages will be delayed.
500/10s: Only 500 messages will be received every 10 seconds and the remaining messages will be delayed.

bytes_rate

Type String

Description

Used to limit the number of bytes a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

The unit of the bytes could be: B, KB, MB, GB.

For example:

500KB/s: Only 500 kilobytes per second will be received, and the remaining bytes will be delayed.
500MB/10s: Only 500 megabytes will be received every 10 seconds, and the remaining bytes will be delayed.

access_rules

Type	`Array(String)`
Default	`["allow all"]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

proxy_protocol
Type Boolean
Default false
Description
Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.
See: https://www.haproxy.com/blog/haproxy/proxy-protocol/

proxy_protocol_timeout

Type	`Duration`
Default	`"3s"`
Description	If a reverse proxy is deployed for EMQX, and the PROXY protocol is enabled at the proxy to pass the client's real IP, this option needs to be turned on so that EMQX can extract the client's real IP from the PROXY protocol header. EMQX will automatically detect the version of the PROXY protocol and support V1 and V2. For a detailed description of the PROXY protocol, please refer to: https://www.haproxy.com/blog/haproxy/proxy-protocol/ A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

tcp_options

Type	`Struct(tcp_opts)`

tcp_opts

active_n
Type Integer(0..+inf)
Default 100
Description
Specify the {active, N} option for this Socket.
See: https://erlang.org/doc/man/inet.html#setopts-2
backlog
Type Integer(1..+inf)
Default 1024
Description
TCP backlog defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"15s"`
Description	The maximum time a process is suspended for sending data to a busy socket. After the timeout, the TCP connection and the process will be closed. The process is unsuspended only when the socket is unbusy, that is, the data accumulated in the Erlang internal buffer drops from the high watermark (specified by `high_watermark`) to the low watermark (default 4 KB). Therefore, `(high_watermark - 4 KB) / send_timeout` must be a suitable message outflow speed, otherwise the suspended process will never be able to recover before the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

send_timeout_close
Type Boolean
Default true
Description
Close the connection if send timeout.

recbuf

Type	`Bytesize`
Description	The TCP receive buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	The TCP send buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Default	`"4KB"`
Description	The size of the user-space buffer used by the driver. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

high_watermark

Type	`Bytesize`
Default	`"1MB"`
Description	When EMQX tries to send more data than the OS has allocated for the socket's send buffer, the remaining data will be temporarily stored in Erlang's internal buffer and then sent in the background. If the amount of data queued in the internal buffer exceeds `high_watermark`, the corresponding socket will be marked as busy. The process sending data to this busy socket will be suspended until the socket is no longer busy, or the suspension time exceeds `send_timeout`. The socket will only be unbusy when the data in the internal buffer is below the low watermark. While the process is suspended, the message queue of the process may accumulate, see `max_mailbox_len` for details. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

nodelay
Type Boolean
Default true
Description
The TCP_NODELAY flag for the connections. When set to true, data is sent immediately, regardless of size.

nolinger

Type	`Boolean`
Default	`false`
Description	When enabled, `SO_LINGER` flag is set as `(onoff=1, linger=0)`, which means the TCP socket is to be closed immediately by sending a TCP-RST packet, discarding any unsent data and skipping the graceful close steps, including CLOSE_WAIT, FIN_WAIT, and TIME_WAIT.

reuseaddr
Type Boolean
Default true
Description
The SO_REUSEADDR flag for the connections.

keepalive

Type	`String`
Default	`none`
Description	Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes' Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200). Interval: The number of seconds between TCP keep-alive probes (Linux default 75). Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'

ssl_options

Type	`Struct(listener_wss_opts)`

listener_wss_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

websocket

Type	`Struct(ws_opts)`

ws_opts

mqtt_path

Type	`String`
Default	`"/mqtt"`
Description	WebSocket's MQTT protocol path. By default, the full URL for the WebSocket client to connect is: `ws://{host}:{port}/mqtt`. Append `/[...]` to the end of the path to make EMQX accept any subpath. For example, specifying `mqtt/[...]` would allow clients to connect at paths like `mqtt/org1` or `mqtt/group2`, etc. NOTE: An unmatched path will cause the client to be rejected immediately at the HTTP layer, meaning it will not be traceable at the MQTT layer.

mqtt_piggyback
Type Enum(single,multiple)
Default multiple
Description
Whether a WebSocket message is allowed to contain multiple MQTT packets.
compress
Type Boolean
Default false
Description
If true, compress WebSocket messages using zlib.

The configuration items under deflate_opts belong to the compression-related parameter configuration.

idle_timeout

Type	`Duration`
Default	`"7200s"`
Description	The timeout for waiting for the WebSocket upgrade request. After the timeout, the connection will be closed. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

max_frame_size
Type OneOf(String("infinity"),Integer(1..+inf))
Default infinity
Description
The maximum length of a single MQTT packet.
fail_if_no_subprotocol
Type Boolean
Default true
Description
If true, the server will return an error when the client does not carry the Sec-WebSocket-Protocol field.
Note: WeChat applet needs to disable this verification.
supported_subprotocols
Type String
Default "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
Description
Comma-separated list of supported subprotocols.
check_origin_enable
Type Boolean
Default false
Description
If true, origin HTTP header will be validated against the list of allowed origins configured in check_origins parameter.
allow_origin_absence
Type Boolean
Default true
Description
If false and check_origin_enable is true, the server will reject requests that don't have origin HTTP header.
check_origins
Type String
Default "http://localhost:18083, http://127.0.0.1:18083"
Description
List of allowed origins.
See check_origin_enable.

proxy_address_header

Type	`String`
Default	`"x-forwarded-for"`
Description	The HTTP request header that carries the original client's IP address, EMQX will take the leftmost IP in the header as the original client's IP. This option is typically used when EMQX is deployed behind a WebSocket proxy.

proxy_port_header

Type	`String`
Default	`"x-forwarded-port"`
Description	The HTTP request header that carries the original client's source port, EMQX will take the leftmost port in the header as the original client's source port. This option is typically used when EMQX is deployed behind a WebSocket proxy.

deflate_opts
Type Struct(deflate_opts)
deflate_opts
- level
  Type Enum(none,default,best_compression,best_speed)
  Description
  Compression level.
- mem_level
  Type Integer(1..9)
  Default 8
  Description
  Specifies the size of the compression state.
  Lower values decrease memory usage per connection.
- strategy
  Type Enum(default,filtered,huffman_only,rle)
  Default default
  Description
  Specifies the compression strategy.
- server_context_takeover
  Type Enum(takeover,no_takeover)
  Default takeover
  Description
  Takeover means the compression state is retained between server messages.
- client_context_takeover
  Type Enum(takeover,no_takeover)
  Default takeover
  Description
  Takeover means the compression state is retained between client messages.
- server_max_window_bits
  Type Integer(8..15)
  Default 15
  Description
  Specifies the size of the compression context for the server.
- client_max_window_bits
  Type Integer(8..15)
  Default 15
  Description
  Specifies the size of the compression context for the client.
validate_utf8
Type Boolean
Default true
Description
Whether to verify that the payload of text and close frames is valid UTF-8. Disabling it can save resources and improve performance.

quic

Type	`Map($name->OneOf(Struct(mqtt_quic_listener),String("marked_for_deletion")))`
Description	QUIC listeners.

mqtt_quic_listener

ciphers

Type	`Array(String)`
Default	`[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"` NOTE: QUIC listener supports only 'tlsv1.3' ciphers

ssl_options

Type	`Struct(listener_quic_ssl_opts)`
Description	TLS options for QUIC transport

listener_quic_ssl_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.

password

Type Secret

Description

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

bind
Type String
Default 14567
Description
IP address and port for the listening socket.
acceptors
Type Integer(1..+inf)
Default 16
Description
The size of the listener's receiving pool.
max_connections
Type OneOf(String("infinity"),Integer(1..+inf))
Default infinity
Description
The maximum number of concurrent connections allowed by the listener.

mountpoint

Type	`String`
Default	`""`
Description	Adds a static or templated prefix (e.g., `n1/` or `${username}/`) to topics used by clients in `SUBSCRIBE` and `UNSUBSCRIBE` requests, `PUBLISH` messages, and Will Message (if supplied in the `CONNECT` packet). Removes this prefix from topics of messages published to the respective subscriptions. The supported placeholders are: `${username}` `${clientid}` `${zone}` `${client_attrs.NAME}` For example, with `mountpoint="${username}/"` a client using `u1` as username will have: Client SUBSCRIBE `sensors/#` -> `u1/sensors/#` internally in the broker. Broker PUBLISH `u1/sensors/data` -> `sensors/data` sent to the client. The prefix mount/unmount is applied to: Will in `CONNECT` `PUBLISH` `SUBSCRIBE` `UNSUBSCRIBE` Note: mounting occurs after authorization/ACL checks.

zone

Type	`String`
Default	`default`
Description	The configuration zone to which the listener belongs. Clients connected to this listener will inherit zone-settings created under this zone name. A zone can override the configs under below root names: `mqtt` `force_shutdown` `force_gc` `flapping_detect` `durable_sessions`

enable_authn

Type	`Enum(true,false,quick_deny_anonymous)`
Default	`true`
Description	Set `true` (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to `false`, any client (with or without username/password) is allowed to connect. When set to `quick_deny_anonymous`, it behaves like when set to `true`, but clients will be denied immediately without going through any authenticators if `username` is not provided. This is useful to fence off anonymous clients early.

max_conn_rate

Type	`String`
Default	`infinity`
Description	Used to limit the rate at which the current listener accepts connections. Once the limit is reached, EMQX will pause fetching connections from the Accept queue, thereby delaying or rejecting new connections. For example: `1000/s`: Only accepts 1000 connections per second. `1000/10s`: Only accepts 1000 connections every 10 seconds.

messages_rate

Type String

Description

Used to limit the number of messages a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

For example:

500/s: Only 500 messages will be received per second, and the remaining messages will be delayed.
500/10s: Only 500 messages will be received every 10 seconds and the remaining messages will be delayed.

bytes_rate

Type String

Description

Used to limit the number of bytes a single client can send to EMQX per second.

Once the limit is reached, EMQX will pause reading data from the receive-buffer, thus slowing down or even temporarily hanging the sender.

The unit of the bytes could be: B, KB, MB, GB.

For example:

500KB/s: Only 500 kilobytes per second will be received, and the remaining bytes will be delayed.
500MB/10s: Only 500 megabytes will be received every 10 seconds, and the remaining bytes will be delayed.

mqtt

Type	`Struct(mqtt)`
Description	Global MQTT configuration. The configs here work as default values which can be overridden in `zone` configs

mqtt

idle_timeout

Type	`OneOf(String("infinity"),Duration)`
Default	`"15s"`
Description	Configure the duration of time that a connection can remain idle (i.e., without any data transfer) before being: Automatically disconnected if no CONNECT package is received from the client yet. Put into hibernation mode to save resources if some CONNECT packages are already received. Note: Please set the parameter with caution as long idle time will lead to resource waste.

max_packet_size

Type	`Bytesize`
Default	`"1MB"`
Description	Maximum MQTT packet size allowed. Default: 1 MB, Maximum: 256 MB A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

max_clientid_len
Type Integer(23..65535)
Default 65535
Description
Maximum allowed length of MQTT Client ID.
max_topic_levels
Type Integer(1..65535)
Default 128
Description
Maximum topic levels allowed.
max_topic_alias
Type Integer(0..65535)
Default 65535
Description
Maximum topic alias, 0 means no topic alias supported.
retain_available
Type Boolean
Default true
Description
Whether to enable support for MQTT retained message.
wildcard_subscription
Type Boolean
Default true
Description
Whether to enable support for MQTT wildcard subscription.
shared_subscription
Type Boolean
Default true
Description
Whether to enable support for MQTT shared subscription.

shared_subscription_strategy

Type	`Enum(random,round_robin,round_robin_per_group,sticky,local,hash_topic,hash_clientid)`
Default	`round_robin`
Description	Dispatch strategy for shared subscription. `random`: Randomly select a subscriber for dispatch; `round_robin`: Clients in a shared subscription group will consume messages in turn, and the progress of the loop is recorded independently in each publisher, so two adjacent messages from different publishers may be consumed by the same client in the subscription group; `round_robin_per_group`: Clients in a shared subscription group will consume messages in turn, and the progress of the loop is recorded independently in each node, so two adjacent messages from different nodes may be consumed by the same client in the subscription group; `local`: Randomly select a subscriber on the current node, if there are no subscribers on the current node, then randomly select within the cluster; `sticky`: Continuously dispatch messages to the initially selected subscriber until their session ends. The initial selection is made based on `mqtt_shared_subscription_initial_sticky_pick`; `hash_clientid`: Hash the publisher's client ID to select a subscriber; `hash_topic`: Hash the publishing topic to select a subscriber.

shared_subscription_initial_sticky_pick

Type	`Enum(random,local,hash_topic,hash_clientid)`
Default	`random`
Description	The strategy to use for the initial subscriber pick when shared_subscription_strategy is `sticky`. `random`: Randomly select the subscriber; `local`: Randomly select a subscriber on the current node, if there are no subscribers on the current node, then randomly select within the cluster; `hash_clientid`: Hash the publisher's client ID to select a subscriber; `hash_topic`: Hash the publishing topic to select a subscriber.

exclusive_subscription
Type Boolean
Default false
Description
Whether to enable support for MQTT exclusive subscription.
ignore_loop_deliver
Type Boolean
Default false
Description
Whether the messages sent by the MQTT v3.1.1/v3.1.0 client will be looped back to the publisher itself, similar to No Local in MQTT 5.0.

strict_mode

Type	`Boolean`
Default	`false`
Description	Whether to parse MQTT messages in strict mode. In strict mode, invalid utf8 strings in for example client ID, topic name, etc. will cause the client to be disconnected.

response_information

Type	`String`
Default	`""`
Description	UTF-8 string, for creating the response topic, for example, if set to `reqrsp/`, the publisher/subscriber will communicate using the topic prefix `reqrsp/`. To disable this feature, input `""` in the text box below. Only applicable to MQTT 5.0 clients.

server_keepalive

Type	`OneOf(Integer(1..+inf),String("disabled"))`
Default	`disabled`
Description	The keep alive duration required by EMQX. To use the setting from the client side, choose disabled from the drop-down list. Only applicable to MQTT 5.0 clients.

keepalive_multiplier

Type	`Number`
Default	`1.5`
Description	Keep-Alive Timeout = Keep-Alive interval × Keep-Alive Multiplier. The default value 1.5 is following the MQTT 5.0 specification. This multiplier is adjustable, providing system administrators flexibility for tailoring to their specific needs. For instance, if a client's 10-second Keep-Alive interval PINGREQ gets delayed by an extra 10 seconds, changing the multiplier to 2 lets EMQX tolerate this delay.

keepalive_check_interval

Type	`Duration`
Default	`"30s"`
Description	The frequency of checking for incoming MQTT packets determines how often the server will check for new MQTT packets. If a certain amount of time passes without any packets being sent from the client, this time will be added up. Once the accumulated time exceeds `keepalive-interval * keepalive-multiplier`, the connection will be terminated. The default is set to 30 seconds, with a minimum value of 1 second and a maximum value of `keepalive-interval / 2`. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

retry_interval
Type OneOf(String("infinity"),Duration)
Default infinity
Description
Retry interval for QoS 1/2 message delivering.
use_username_as_clientid
Type Boolean
Default false
Description
Whether to use Username as Client ID. This setting takes effect later than peer_cert_as_username and peer_cert_as_clientid.

peer_cert_as_username

Type	`Enum(disabled,cn,dn,crt,pem,md5)`
Default	`disabled`
Description	Use the CN, DN field in the peer certificate or the entire certificate content as Username. Only works for the TLS connection. Supported configurations are the following: `cn`: CN field of the certificate `dn`: DN field of the certificate `crt`: Content of the `DER` or `PEM` certificate `pem`: Convert `DER` certificate content to `PEM` format and use as Username `md5`: MD5 value of the `DER` or `PEM` certificate

peer_cert_as_clientid

Type	`Enum(disabled,cn,dn,crt,pem,md5)`
Default	`disabled`
Description	Use the CN, DN field in the peer certificate or the entire certificate content as Client ID. Only works for the TLS connection. Supported configurations are the following: `cn`: CN field of the certificate `dn`: DN field of the certificate `crt`: `DER` or `PEM` certificate `pem`: Convert `DER` certificate content to `PEM` format and use as Client ID `md5`: MD5 value of the `DER` or `PEM` certificate

client_attrs_init

Type	`Array(Struct(client_attrs_init))`
Default	`[]`
Description	Specify how to initialize client attributes. Each client attribute can be initialized as `client_attrs.{NAME}`, where `{NAME}` is the name of the attribute specified in the config field `set_as_attr`. The initialized client attribute will be stored in the `client_attrs` property with the specified name, and can be used as a variable to render a template for mountpoint, authentication and authorization requests. For example, use `${client_attrs.tns}` to render an HTTP POST body when `set_as_attr = tns`, or render listener config `moutpoint = ${client_attrs.tns}/` for topic namespacing.

client_attrs_init

expression

Type String

Description

A one line expression to evaluate a set of predefined string functions (like in the rule engine SQL statements). The expression can be a function call with nested calls as its arguments, or direct variable reference. So far, it does not provide user-defined variable binding (like var a=1) or user-defined functions. As an example, to extract the prefix of client ID delimited by a dot: nth(1, tokens(clientid, '.')).

The variables pre-bound variables are:

clientid: MQTT Client ID.
username: MQTT Client's username.
user_property.{NAME}: User properties in the CONNECT packet. For TLS clients, connected directly or via proxy-protocol (v2) enabled load balancer, some extra variables can be used:
cn: Client's TLS certificate common name.
dn: Client's TLS certificate distinguished name (the subject).
peersni: TLS server name indication sent by the client.

You can read more about variform expressions in EMQX docs.

set_as_attr
Type String
Description
The name of the client attribute extracted from the client data. The extracted attribute will be stored in the client_attrs property with this name.

clientid_override

Type	`OneOf(String("disabled"),String)`
Default	`disabled`
Description	A one line expression to evaluate a set of predefined string functions (like in the rule engine SQL statements). The expression can be a function call with nested calls as its arguments, or direct variable reference. So far, it does not provide user-defined variable binding (like `var a=1`) or user-defined functions. As an example, to extract the prefix of username delimited by a dot: `nth(1, tokens(username, '.'))`. The variables pre-bound variables are: `clientid`: The original MQTT Client ID. `username`: MQTT Client's username. `client_attrs.{NAME}`: Client attributes initialized by per config `client_attrs_init`. For TLS clients, connected directly or via proxy-protocol (v2) enabled load balancer, some extra variables can be used: `cn`: Client's TLS certificate common name. `dn`: Client's TLS certificate distinguished name (the subject). `peersni`: TLS server name indication sent by the client. You can read more about variform expressions in EMQX docs.

session_expiry_interval

Type	`Duration`
Default	`"2h"`
Description	Specifies how long the session will expire after the connection is disconnected, only for non-MQTT 5.0 connections. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

message_expiry_interval

Type	`OneOf(Duration,String("infinity"))`
Default	`infinity`
Description	The expiry interval of MQTT messages. For MQTT 5.0 clients, this configuration will only take effect when the `Message-Expiry-Interval` property is not set in the message; otherwise, the value of the `Message-Expiry-Interval` property will be used. For MQTT versions older than 5.0, this configuration will always take effect. Please note that setting `message_expiry_interval` greater than `session_expiry_interval` is meaningless, as all messages will be cleared when the session expires.

max_awaiting_rel

Type	`OneOf(Integer(0..+inf),String("infinity"))`
Default	`100`
Description	For each publisher session, the maximum number of outstanding QoS 2 messages pending on the client to send PUBREL. After reaching this limit, new QoS 2 PUBLISH requests will be rejected with `147(0x93)` until either PUBREL is received or timed out.

max_qos_allowed
Type Integer(0..2)
Default 2
Description
Maximum QoS allowed.

mqueue_priorities

Type	`OneOf(String("disabled"),Map)`
Default	`disabled`
Description	Topic priority list. Prioritize messages in the message queue by topic. The priority range is `[1, 255]`. The larger the value, the higher the priority. Messages with higher priority will be sent first. Topics not in this list will use the default priority (specified by `mqueue_default_priority`). By default, this list is empty, which means all topics have the same priority. Note: commas and equal signs are not supported in topic names. For example, if you want `topic/1` to have a higher priority than `topic/2`, you can configure it like this: `mqueue_priorities: {"topic/1": 10, "topic/2": 8}`

mqueue_default_priority
Type Enum(highest,lowest)
Default lowest
Description
Default topic priority, which will be used by topics not in Topic Priorities (mqueue_priorities).
mqueue_store_qos0
Type Boolean
Default true
Description
Specifies whether to store QoS 0 messages in the message queue while the connection is down but the session remains.
max_mqueue_len
Type OneOf(Integer(0..+inf),String("infinity"))
Default 1000
Description
Maximum queue length. Enqueued messages when persistent client disconnected, or inflight window is full.
max_inflight
Type Integer(1..65535)
Default 32
Description
Maximum number of QoS 1 and QoS 2 messages that are allowed to be delivered simultaneously before completing the acknowledgment.
max_subscriptions
Type OneOf(Integer(1..inf),String("infinity"))
Default infinity
Description
Maximum number of subscriptions allowed per client.
upgrade_qos
Type Boolean
Default false
Description
Force upgrade of QoS level according to subscription.

await_rel_timeout

Type	`Duration`
Default	`"300s"`
Description	For client to broker QoS 2 message, the time limit for the broker to wait before the `PUBREL` message is received. The wait is aborted after timed out, meaning the packet ID is freed for new `PUBLISH` requests. Receiving a stale `PUBREL` causes a warning level log. Note, the message is delivered to subscribers before entering the wait for PUBREL. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

authentication

Type	`Array(OneOf(Struct(builtin_db),Struct(mysql),Struct(postgresql),Struct(mongo_single),Struct(mongo_rs),Struct(mongo_sharded),Struct(redis_single),Struct(redis_cluster),Struct(redis_sentinel),Struct(http_get),Struct(http_post),Struct(jwt_hmac),Struct(jwt_public_key),Struct(jwt_jwks),Struct(scram),Struct(ldap),Struct(ldap_deprecated)))`
Default	`[]`
Description	Default authentication configs for all MQTT listeners. For per-listener overrides see `authentication` in listener configs This option can be configured with: `[]`: The default value, it allows ALL logins one: For example `{enable:true,backend:"built_in_database",mechanism="password_based"}` chain: An array of structs. When a chain is configured, the login credentials are checked against the backends per the configured order, until an 'allow' or 'deny' decision can be made. If there is no decision after a full chain exhaustion, the login is rejected.

builtin_db

password_hash_algorithm
Type OneOf(Struct(bcrypt_rw),Struct(pbkdf2),Struct(simple))
Default {name = sha256, salt_position = prefix}
Description
Options for password hash creation and verification.
bcrypt_rw
- name
  Type String("bcrypt")
  Description
  BCRYPT password hashing.
- salt_rounds
  Type Integer(5..10)
  Default 10
  Description
  Work factor for BCRYPT password generation.
pbkdf2
- name
  Type String("pbkdf2")
  Description
  PBKDF2 password hashing. Hashes are computed according to the PKCS #5 standard, and represented as hexadecimal strings.
- mac_fun
  Type Enum(md4,md5,ripemd160,sha,sha224,sha256,sha384,sha512)
  Description
  Specifies which HMAC function to use in PBKDF2 algorithm. Note that md4, md5, ripemd160 are no longer supported since 5.8.3.
- iterations
  Type Integer(1..+inf)
  Description
  Number of iterations of PBKDF2 algorithm.
- dk_length
  Type Integer(1..+inf)
  Description
  Derived key length for PBKDF2 hashing algorithm, in bytes. If not specified, calculated automatically based on mac_fun.
simple
- name
  Type Enum(plain,md5,sha,sha256,sha512)
  Description
  Simple password hashing algorithm.
- salt_position
  Type Enum(disable,prefix,suffix)
  Default prefix
  Description
  Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.
mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("built_in_database")
Description
Backend type.
user_id_type
Type Enum(clientid,username)
Default username
Description
Specify whether to use clientid or username for authentication.

bootstrap_file

Type	`String`
Default	`"${EMQX_ETC_DIR}/auth-built-in-db-bootstrap.csv"`
Description	The bootstrap file imports users into the built-in database. It will not import a user ID that already exists in the database. The file content format is determined by `bootstrap_type`.

bootstrap_type

Type	`Enum(hash,plain)`
Default	`plain`
Description	Specify which type of content the bootstrap file has. `plain`: Expected data fields: `user_id`, `password`, `is_superuser` `user_id`: Can be Client ID or username, depending on built-in database authentication's `user_id_type` config. `password`: User's plaintext password. `is_superuser`: Boolean, user's administrative status. `hash`: Expected data fields: `user_id`,`password_hash`,`salt`,`is_superuser` Definitions similar to `plain` type, with `password_hash` and `salt` added for security. The content can be either in CSV, or JSON format. Here is a CSV example: `user_id,password_hash,salt,is_superuser\nmy_user,b6c743545a7817ae8c8f624371d5f5f0373234bb0ff36b8ffbf19bce0e06ab75,de1024f462fb83910fd13151bd4bd235,true` And JSON content should be decoded into an array of objects, for example: `[{"user_id": "my_user","password": "s3cr3tp@ssw0rd","is_superuser": true}]`. The hash string for `password_hash` depends on how `password_hash_algorithm` is configured for the built-in database authentication mechanism. For example, if it's configured as `password_hash_algorithm {name = sha256, salt_position = suffix}`, then the salt is appended to the password before hashed. Here is the equivalent Python expression: `hashlib.sha256(password + salt).hexdigest()`.

mysql

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("mysql")
Description
Backend type.
password_hash_algorithm
Type OneOf(Struct(bcrypt),Struct(pbkdf2),Struct(simple))
Default {name = sha256, salt_position = prefix}
Description
Options for password hash verification.
bcrypt
- name
  Type String("bcrypt")
  Description
  BCRYPT password hashing.
pbkdf2
- name
  Type String("pbkdf2")
  Description
  PBKDF2 password hashing. Hashes are computed according to the PKCS #5 standard, and represented as hexadecimal strings.
- mac_fun
  Type Enum(md4,md5,ripemd160,sha,sha224,sha256,sha384,sha512)
  Description
  Specifies which HMAC function to use in PBKDF2 algorithm. Note that md4, md5, ripemd160 are no longer supported since 5.8.3.
- iterations
  Type Integer(1..+inf)
  Description
  Number of iterations of PBKDF2 algorithm.
- dk_length
  Type Integer(1..+inf)
  Description
  Derived key length for PBKDF2 hashing algorithm, in bytes. If not specified, calculated automatically based on mac_fun.
simple
- name
  Type Enum(plain,md5,sha,sha256,sha512)
  Description
  Simple password hashing algorithm.
- salt_position
  Type Enum(disable,prefix,suffix)
  Default prefix
  Description
  Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.
query
Type String
Description
SQL used to query data for authentication, such as password hash.

query_timeout

Type	`Duration`
Default	`"5s"`
Description	Timeout for the SQL query. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The MySQL default port 3306 is used if [:Port] is not specified.
database
Type String
Description
Database name.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Default root
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts with file://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before using file:// secrets.

auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.

postgresql

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("postgresql")
Description
Backend type.
password_hash_algorithm
Type OneOf(Struct(bcrypt),Struct(pbkdf2),Struct(simple))
Default {name = sha256, salt_position = prefix}
Description
Options for password hash verification.
bcrypt
- name
  Type String("bcrypt")
  Description
  BCRYPT password hashing.
pbkdf2
- name
  Type String("pbkdf2")
  Description
  PBKDF2 password hashing. Hashes are computed according to the PKCS #5 standard, and represented as hexadecimal strings.
- mac_fun
  Type Enum(md4,md5,ripemd160,sha,sha224,sha256,sha384,sha512)
  Description
  Specifies which HMAC function to use in PBKDF2 algorithm. Note that md4, md5, ripemd160 are no longer supported since 5.8.3.
- iterations
  Type Integer(1..+inf)
  Description
  Number of iterations of PBKDF2 algorithm.
- dk_length
  Type Integer(1..+inf)
  Description
  Derived key length for PBKDF2 hashing algorithm, in bytes. If not specified, calculated automatically based on mac_fun.
simple
- name
  Type Enum(plain,md5,sha,sha256,sha512)
  Description
  Simple password hashing algorithm.
- salt_position
  Type Enum(disable,prefix,suffix)
  Default prefix
  Description
  Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.
query
Type String
Description
SQL used to query data for authentication, such as password hash.
server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The PostgreSQL default port 5432 is used if [:Port] is not specified.

disable_prepared_statements

Type	`Boolean`
Default	`false`
Description	Disables the usage of prepared statements in the connections. Some endpoints, like PGBouncer or Supabase in Transaction mode, do not support session features such as prepared statements. For such connections, this option should be enabled.

database
Type String
Description
Database name.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

mongo_single

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("mongodb")
Description
Backend type.
collection
Type String
Description
Collection used to store authentication data.

filter

Type	`Map`
Default	`{}`
Description	Conditional expression that defines the filter condition in the query. Filter supports the following placeholders: `${username}`: Will be replaced at runtime with `Username` used by the client when connecting `${clientid}`: Will be replaced at runtime with `Client ID` used by the client when connecting

password_hash_field
Type String
Default password_hash
Description
Document field that contains password hash.
salt_field
Type String
Default salt
Description
Document field that contains the password salt.
is_superuser_field
Type String
Default is_superuser
Description
Document field that defines if the user has superuser privileges.
password_hash_algorithm
Type OneOf(Struct(bcrypt),Struct(pbkdf2),Struct(simple))
Default {name = sha256, salt_position = prefix}
Description
Options for password hash verification.
bcrypt
- name
  Type String("bcrypt")
  Description
  BCRYPT password hashing.
pbkdf2
- name
  Type String("pbkdf2")
  Description
  PBKDF2 password hashing. Hashes are computed according to the PKCS #5 standard, and represented as hexadecimal strings.
- mac_fun
  Type Enum(md4,md5,ripemd160,sha,sha224,sha256,sha384,sha512)
  Description
  Specifies which HMAC function to use in PBKDF2 algorithm. Note that md4, md5, ripemd160 are no longer supported since 5.8.3.
- iterations
  Type Integer(1..+inf)
  Description
  Number of iterations of PBKDF2 algorithm.
- dk_length
  Type Integer(1..+inf)
  Description
  Derived key length for PBKDF2 hashing algorithm, in bytes. If not specified, calculated automatically based on mac_fun.
simple
- name
  Type Enum(plain,md5,sha,sha256,sha512)
  Description
  Simple password hashing algorithm.
- salt_position
  Type Enum(disable,prefix,suffix)
  Default prefix
  Description
  Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.
mongo_type
Type String("single")
Default single
Description
Standalone instance. Must be set to 'single' when MongoDB server is running in standalone mode.
server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The MongoDB default port 27017 is used if [:Port] is not specified.
w_mode
Type Enum(unsafe,safe)
Default unsafe
Description
Write mode.
srv_record
Type Boolean
Default false
Description
Use DNS SRV record.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

use_legacy_protocol

Type	`Enum(auto,true,false)`
Default	`auto`
Description	Whether to use MongoDB's legacy protocol for communicating with the database. The default is to attempt to automatically determine if the newer protocol is supported.

auth_source
Type String
Description
Database name associated with the user's credentials.
database
Type String
Description
Database name.

topology

Type	`Struct(topology)`

topology

max_overflow

Type	`Integer(0..+inf)`
Default	`0`
Description	The maximum number of additional workers that can be created when all workers in the pool are busy. This helps to manage temporary spikes in workload by allowing more concurrent connections to the MongoDB server.

overflow_ttl

Type Duration

Description

Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

overflow_check_period

Type Duration

Description

Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

local_threshold_ms

Type Duration

Description

The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

connect_timeout_ms

Type Duration

Description

The duration to attempt a connection before timing out.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

socket_timeout_ms

Type Duration

Description

The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

server_selection_timeout_ms

Type Duration

Description

Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

wait_queue_timeout_ms

Type Duration

Description

The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

heartbeat_frequency_ms

Type	`Duration`
Default	`"200s"`
Description	Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

min_heartbeat_frequency_ms

Type Duration

Description

Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

mongo_rs

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("mongodb")
Description
Backend type.
collection
Type String
Description
Collection used to store authentication data.

filter

Type	`Map`
Default	`{}`
Description	Conditional expression that defines the filter condition in the query. Filter supports the following placeholders: `${username}`: Will be replaced at runtime with `Username` used by the client when connecting `${clientid}`: Will be replaced at runtime with `Client ID` used by the client when connecting

password_hash_field
Type String
Default password_hash
Description
Document field that contains password hash.
salt_field
Type String
Default salt
Description
Document field that contains the password salt.
is_superuser_field
Type String
Default is_superuser
Description
Document field that defines if the user has superuser privileges.
password_hash_algorithm
Type OneOf(Struct(bcrypt),Struct(pbkdf2),Struct(simple))
Default {name = sha256, salt_position = prefix}
Description
Options for password hash verification.
bcrypt
- name
  Type String("bcrypt")
  Description
  BCRYPT password hashing.
pbkdf2
- name
  Type String("pbkdf2")
  Description
  PBKDF2 password hashing. Hashes are computed according to the PKCS #5 standard, and represented as hexadecimal strings.
- mac_fun
  Type Enum(md4,md5,ripemd160,sha,sha224,sha256,sha384,sha512)
  Description
  Specifies which HMAC function to use in PBKDF2 algorithm. Note that md4, md5, ripemd160 are no longer supported since 5.8.3.
- iterations
  Type Integer(1..+inf)
  Description
  Number of iterations of PBKDF2 algorithm.
- dk_length
  Type Integer(1..+inf)
  Description
  Derived key length for PBKDF2 hashing algorithm, in bytes. If not specified, calculated automatically based on mac_fun.
simple
- name
  Type Enum(plain,md5,sha,sha256,sha512)
  Description
  Simple password hashing algorithm.
- salt_position
  Type Enum(disable,prefix,suffix)
  Default prefix
  Description
  Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.
mongo_type
Type String("rs")
Default rs
Description
Replica set. Must be set to 'rs' when MongoDB server is running in 'replica set' mode.

servers

Type	`String`
Description	A Node list for Cluster to connect to. The nodes should be separated with commas, such as: `Node[,Node].` For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: `Host[:Port]`. The MongoDB default port 27017 is used if `[:Port]` is not specified.

w_mode
Type Enum(unsafe,safe)
Default unsafe
Description
Write mode.
r_mode
Type Enum(master,slave_ok)
Default master
Description
Read mode.
replica_set_name
Type String
Description
Name of the replica set.
srv_record
Type Boolean
Default false
Description
Use DNS SRV record.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

use_legacy_protocol

Type	`Enum(auto,true,false)`
Default	`auto`
Description	Whether to use MongoDB's legacy protocol for communicating with the database. The default is to attempt to automatically determine if the newer protocol is supported.

auth_source
Type String
Description
Database name associated with the user's credentials.
database
Type String
Description
Database name.

topology

Type	`Struct(topology)`

topology

max_overflow

Type	`Integer(0..+inf)`
Default	`0`
Description	The maximum number of additional workers that can be created when all workers in the pool are busy. This helps to manage temporary spikes in workload by allowing more concurrent connections to the MongoDB server.

overflow_ttl

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

overflow_check_period

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

local_threshold_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

connect_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

socket_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

server_selection_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

wait_queue_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

heartbeat_frequency_ms

Type	`Duration`
Default	`"200s"`
Description	Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

min_heartbeat_frequency_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

mongo_sharded

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("mongodb")
Description
Backend type.
collection
Type String
Description
Collection used to store authentication data.

filter

Type	`Map`
Default	`{}`
Description	Conditional expression that defines the filter condition in the query. Filter supports the following placeholders: `${username}`: Will be replaced at runtime with `Username` used by the client when connecting `${clientid}`: Will be replaced at runtime with `Client ID` used by the client when connecting

password_hash_field
Type String
Default password_hash
Description
Document field that contains password hash.
salt_field
Type String
Default salt
Description
Document field that contains the password salt.
is_superuser_field
Type String
Default is_superuser
Description
Document field that defines if the user has superuser privileges.
password_hash_algorithm
Type OneOf(Struct(bcrypt),Struct(pbkdf2),Struct(simple))
Default {name = sha256, salt_position = prefix}
Description
Options for password hash verification.
bcrypt
- name
  Type String("bcrypt")
  Description
  BCRYPT password hashing.
pbkdf2
- name
  Type String("pbkdf2")
  Description
  PBKDF2 password hashing. Hashes are computed according to the PKCS #5 standard, and represented as hexadecimal strings.
- mac_fun
  Type Enum(md4,md5,ripemd160,sha,sha224,sha256,sha384,sha512)
  Description
  Specifies which HMAC function to use in PBKDF2 algorithm. Note that md4, md5, ripemd160 are no longer supported since 5.8.3.
- iterations
  Type Integer(1..+inf)
  Description
  Number of iterations of PBKDF2 algorithm.
- dk_length
  Type Integer(1..+inf)
  Description
  Derived key length for PBKDF2 hashing algorithm, in bytes. If not specified, calculated automatically based on mac_fun.
simple
- name
  Type Enum(plain,md5,sha,sha256,sha512)
  Description
  Simple password hashing algorithm.
- salt_position
  Type Enum(disable,prefix,suffix)
  Default prefix
  Description
  Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.
mongo_type
Type String("sharded")
Default sharded
Description
Sharded cluster. Must be set to 'sharded' when MongoDB server is running in 'sharded' mode.

servers

Type	`String`
Description	A Node list for Cluster to connect to. The nodes should be separated with commas, such as: `Node[,Node].` For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: `Host[:Port]`. The MongoDB default port 27017 is used if `[:Port]` is not specified.

w_mode
Type Enum(unsafe,safe)
Default unsafe
Description
Write mode.
srv_record
Type Boolean
Default false
Description
Use DNS SRV record.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

use_legacy_protocol

Type	`Enum(auto,true,false)`
Default	`auto`
Description	Whether to use MongoDB's legacy protocol for communicating with the database. The default is to attempt to automatically determine if the newer protocol is supported.

auth_source
Type String
Description
Database name associated with the user's credentials.
database
Type String
Description
Database name.

topology

Type	`Struct(topology)`

topology

max_overflow

Type	`Integer(0..+inf)`
Default	`0`
Description	The maximum number of additional workers that can be created when all workers in the pool are busy. This helps to manage temporary spikes in workload by allowing more concurrent connections to the MongoDB server.

overflow_ttl

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

overflow_check_period

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

local_threshold_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

connect_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

socket_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

server_selection_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

wait_queue_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

heartbeat_frequency_ms

Type	`Duration`
Default	`"200s"`
Description	Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

min_heartbeat_frequency_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

redis_single

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("redis")
Description
Backend type.
cmd
Type String
Description
The Redis Command used to query data for authentication such as password hash, currently only supports HGET and HMGET.
password_hash_algorithm
Type OneOf(Struct(bcrypt),Struct(pbkdf2),Struct(simple))
Default {name = sha256, salt_position = prefix}
Description
Options for password hash verification.
bcrypt
- name
  Type String("bcrypt")
  Description
  BCRYPT password hashing.
pbkdf2
- name
  Type String("pbkdf2")
  Description
  PBKDF2 password hashing. Hashes are computed according to the PKCS #5 standard, and represented as hexadecimal strings.
- mac_fun
  Type Enum(md4,md5,ripemd160,sha,sha224,sha256,sha384,sha512)
  Description
  Specifies which HMAC function to use in PBKDF2 algorithm. Note that md4, md5, ripemd160 are no longer supported since 5.8.3.
- iterations
  Type Integer(1..+inf)
  Description
  Number of iterations of PBKDF2 algorithm.
- dk_length
  Type Integer(1..+inf)
  Description
  Derived key length for PBKDF2 hashing algorithm, in bytes. If not specified, calculated automatically based on mac_fun.
simple
- name
  Type Enum(plain,md5,sha,sha256,sha512)
  Description
  Simple password hashing algorithm.
- salt_position
  Type Enum(disable,prefix,suffix)
  Default prefix
  Description
  Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.
server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The Redis default port 6379 is used if [:Port] is not specified.
redis_type
Type String("single")
Default single
Description
Single mode. Must be set to 'single' when Redis server is running in single mode.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

database
Type Integer(0..+inf)
Default 0
Description
Redis database ID.
auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

redis_cluster

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("redis")
Description
Backend type.
cmd
Type String
Description
The Redis Command used to query data for authentication such as password hash, currently only supports HGET and HMGET.
password_hash_algorithm
Type OneOf(Struct(bcrypt),Struct(pbkdf2),Struct(simple))
Default {name = sha256, salt_position = prefix}
Description
Options for password hash verification.
bcrypt
- name
  Type String("bcrypt")
  Description
  BCRYPT password hashing.
pbkdf2
- name
  Type String("pbkdf2")
  Description
  PBKDF2 password hashing. Hashes are computed according to the PKCS #5 standard, and represented as hexadecimal strings.
- mac_fun
  Type Enum(md4,md5,ripemd160,sha,sha224,sha256,sha384,sha512)
  Description
  Specifies which HMAC function to use in PBKDF2 algorithm. Note that md4, md5, ripemd160 are no longer supported since 5.8.3.
- iterations
  Type Integer(1..+inf)
  Description
  Number of iterations of PBKDF2 algorithm.
- dk_length
  Type Integer(1..+inf)
  Description
  Derived key length for PBKDF2 hashing algorithm, in bytes. If not specified, calculated automatically based on mac_fun.
simple
- name
  Type Enum(plain,md5,sha,sha256,sha512)
  Description
  Simple password hashing algorithm.
- salt_position
  Type Enum(disable,prefix,suffix)
  Default prefix
  Description
  Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.

servers

Type	`String`
Description	A Node list for Cluster to connect to. The nodes should be separated with commas, such as: `Node[,Node].` For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: `Host[:Port]`. The Redis default port 6379 is used if `[:Port]` is not specified.

redis_type
Type String("cluster")
Default cluster
Description
Cluster mode. Must be set to 'cluster' when Redis server is running in clustered mode.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

redis_sentinel

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("redis")
Description
Backend type.
cmd
Type String
Description
The Redis Command used to query data for authentication such as password hash, currently only supports HGET and HMGET.
password_hash_algorithm
Type OneOf(Struct(bcrypt),Struct(pbkdf2),Struct(simple))
Default {name = sha256, salt_position = prefix}
Description
Options for password hash verification.
bcrypt
- name
  Type String("bcrypt")
  Description
  BCRYPT password hashing.
pbkdf2
- name
  Type String("pbkdf2")
  Description
  PBKDF2 password hashing. Hashes are computed according to the PKCS #5 standard, and represented as hexadecimal strings.
- mac_fun
  Type Enum(md4,md5,ripemd160,sha,sha224,sha256,sha384,sha512)
  Description
  Specifies which HMAC function to use in PBKDF2 algorithm. Note that md4, md5, ripemd160 are no longer supported since 5.8.3.
- iterations
  Type Integer(1..+inf)
  Description
  Number of iterations of PBKDF2 algorithm.
- dk_length
  Type Integer(1..+inf)
  Description
  Derived key length for PBKDF2 hashing algorithm, in bytes. If not specified, calculated automatically based on mac_fun.
simple
- name
  Type Enum(plain,md5,sha,sha256,sha512)
  Description
  Simple password hashing algorithm.
- salt_position
  Type Enum(disable,prefix,suffix)
  Default prefix
  Description
  Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.

servers

Type	`String`
Description	A Node list for Cluster to connect to. The nodes should be separated with commas, such as: `Node[,Node].` For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: `Host[:Port]`. The Redis default port 6379 is used if `[:Port]` is not specified.

redis_type
Type String("sentinel")
Default sentinel
Description
Sentinel mode. Must be set to 'sentinel' when Redis server is running in sentinel mode.
sentinel
Type String
Description
The cluster name in Redis sentinel mode.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

database
Type Integer(0..+inf)
Default 0
Description
Redis database ID.
auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

http_get

method
Type String("get")
Description
HTTP request method.
headers
Type Map
Default {accept = "application/json", cache-control = "no-cache", connection = "keep-alive", keep-alive = "timeout=30, max=1000"}
Description
List of HTTP headers (without content-type).
mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("http")
Description
Backend type.
url
Type String
Description
URL of the HTTP server.
body
Type Map
Description
HTTP request body.

request_timeout

Type	`Duration`
Default	`"5s"`
Description	HTTP request timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

request

Type	`Struct(request)`
Description	Configure HTTP request parameters.

request

method
Type String
Description
HTTP method.
path
Type String
Description
URL path.
A string for ${.path.to.var} style value interpolation, where the leading dot is optional, and ${.} represents all values as an object.
body
Type String
Description
HTTP request body.
A string for ${.path.to.var} style value interpolation, where the leading dot is optional, and ${.} represents all values as an object.
headers
Type Map
Description
List of HTTP headers.
max_retries
Type Integer(0..+inf)
Description
Max retry times if error on sending request.

request_timeout

Type Duration

Description

HTTP request timeout.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

pool_size
Type Integer(1..+inf)
Default 8
Description
The pool size.

connect_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout when connecting to the HTTP server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

retry_interval

Type Duration

Description

Deprecated since 5.0.4.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

max_retries
Type Integer(0..+inf)
Description
Deprecated since 5.0.4.

enable_pipelining

Type	`Integer(1..+inf)`
Default	`100`
Description	The maximum number of HTTP requests that can be sent before an HTTP response is received. Setting this to 1 is equivalent to turning off HTTP pipelining, and the EMQX must receive a response to the previous HTTP request before sending the next HTTP request.

http_post

method
Type String("post")
Description
HTTP request method.

headers

Type	`Map`
Default	`{accept = "application/json", cache-control = "no-cache", connection = "keep-alive", content-type = "application/json", keep-alive = "timeout=30, max=1000"}`
Description	List of HTTP Headers.

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("http")
Description
Backend type.
url
Type String
Description
URL of the HTTP server.
body
Type Map
Description
HTTP request body.

request_timeout

Type	`Duration`
Default	`"5s"`
Description	HTTP request timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

request

Type	`Struct(request)`
Description	Configure HTTP request parameters.

request

method
Type String
Description
HTTP method.
path
Type String
Description
URL path.
A string for ${.path.to.var} style value interpolation, where the leading dot is optional, and ${.} represents all values as an object.
body
Type String
Description
HTTP request body.
A string for ${.path.to.var} style value interpolation, where the leading dot is optional, and ${.} represents all values as an object.
headers
Type Map
Description
List of HTTP headers.
max_retries
Type Integer(0..+inf)
Description
Max retry times if error on sending request.

request_timeout

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

pool_size
Type Integer(1..+inf)
Default 8
Description
The pool size.

connect_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout when connecting to the HTTP server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

retry_interval

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

max_retries
Type Integer(0..+inf)
Description
Deprecated since 5.0.4.

enable_pipelining

Type	`Integer(1..+inf)`
Default	`100`
Description	The maximum number of HTTP requests that can be sent before an HTTP response is received. Setting this to 1 is equivalent to turning off HTTP pipelining, and the EMQX must receive a response to the previous HTTP request before sending the next HTTP request.

jwt_hmac

algorithm
Type Enum(hmac-based)
Description
JWT signing algorithm, Supports HMAC (configured as hmac-based) and RSA, ECDSA (configured as public-key).
secret
Type String
Description
The key to verify the JWT using HMAC algorithm.
secret_base64_encoded
Type Boolean
Default false
Description
Whether secret is base64 encoded.
mechanism
Type String("jwt")
Description
Authentication mechanism.

acl_claim_name

Type	`String`
Default	`acl`
Description	The JWT claim designated for accessing ACL (Access Control List) rules can be specified, such as using the `acl` claim. A typical decoded JWT with this claim might appear as: `{"username": "user1", "acl": ...}`. Supported ACL Rule Formats: Object Format: Utilizes action types pub (publish), sub (subscribe), or all (both publish and subscribe). The value is a list of topic filters. Example: `{"pub": ["topic1"], "sub": [], "all": ["${username}/#"]}`. This example signifies that the token owner can publish to topic1 and perform both publish and subscribe actions on topics starting with their username. Note: In this format, if no topic matches, the action is denied, and the authorization process terminates. Array Format (resembles File-Based ACL Rules): Example: `[{"permission": "allow", "action": "all", "topic": "${username}/#"}]`. Additionally, the `pub` or `publish` action rules can be extended with `qos` and `retain` field, and `sub` or `subscribe` action rules can be extended with a `qos` field. Note: Here, if no rule matches, the action is not immediately denied. The process continues to other configured authorization sources, and ultimately falls back to the default permission in config `authorization.no_match`. The ACL claim utilizes MQTT topic wildcard matching rules for publishing or subscribing. A special syntax for the 'subscribe' action allows the use of `eq` for an exact match. For instance, `eq t/#` permits or denies subscription to `t/#`, but not to `t/1`.

verify_claims

Type	`Map`
Default	`{}`
Description	A list of custom claims to validate. The allowed formats are the following: A map where claim names are map keys and expected values are map values: `{ claim_name = "${username}", ...}`. A list of maps with `name` (claim name) and `value` (expected claim value) keys: `[{name = "claim_name", value = "${username}"}, ...]`. Values can use the following placeholders: `${username}`: Will be replaced at runtime with `Username` used by the client when connecting `${clientid}`: Will be replaced at runtime with `Client ID` used by the client when connecting Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in `verify_claims`.

disconnect_after_expire
Type Boolean
Default true
Description
Disconnect the client after the token expires.
from
Type Enum(username,password)
Default password
Description
Field to take JWT from.

jwt_public_key

algorithm
Type Enum(public-key)
Description
JWT signing algorithm, Supports HMAC (configured as hmac-based) and RSA, ECDSA (configured as public-key).
public_key
Type String
Description
The public key used to verify the JWT.
mechanism
Type String("jwt")
Description
Authentication mechanism.

acl_claim_name

Type	`String`
Default	`acl`
Description	The JWT claim designated for accessing ACL (Access Control List) rules can be specified, such as using the `acl` claim. A typical decoded JWT with this claim might appear as: `{"username": "user1", "acl": ...}`. Supported ACL Rule Formats: Object Format: Utilizes action types pub (publish), sub (subscribe), or all (both publish and subscribe). The value is a list of topic filters. Example: `{"pub": ["topic1"], "sub": [], "all": ["${username}/#"]}`. This example signifies that the token owner can publish to topic1 and perform both publish and subscribe actions on topics starting with their username. Note: In this format, if no topic matches, the action is denied, and the authorization process terminates. Array Format (resembles File-Based ACL Rules): Example: `[{"permission": "allow", "action": "all", "topic": "${username}/#"}]`. Additionally, the `pub` or `publish` action rules can be extended with `qos` and `retain` field, and `sub` or `subscribe` action rules can be extended with a `qos` field. Note: Here, if no rule matches, the action is not immediately denied. The process continues to other configured authorization sources, and ultimately falls back to the default permission in config `authorization.no_match`. The ACL claim utilizes MQTT topic wildcard matching rules for publishing or subscribing. A special syntax for the 'subscribe' action allows the use of `eq` for an exact match. For instance, `eq t/#` permits or denies subscription to `t/#`, but not to `t/1`.

verify_claims

Type	`Map`
Default	`{}`
Description	A list of custom claims to validate. The allowed formats are the following: A map where claim names are map keys and expected values are map values: `{ claim_name = "${username}", ...}`. A list of maps with `name` (claim name) and `value` (expected claim value) keys: `[{name = "claim_name", value = "${username}"}, ...]`. Values can use the following placeholders: `${username}`: Will be replaced at runtime with `Username` used by the client when connecting `${clientid}`: Will be replaced at runtime with `Client ID` used by the client when connecting Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in `verify_claims`.

disconnect_after_expire
Type Boolean
Default true
Description
Disconnect the client after the token expires.
from
Type Enum(username,password)
Default password
Description
Field to take JWT from.

jwt_jwks

use_jwks
Type Enum(true)
Description
Whether to use JWKS.
endpoint
Type String
Description
JWKS endpoint, it's a read-only endpoint that returns the server's public key set in the JWKS format.
headers
Type Map
Default {Accept = "application/json"}
Description
List of HTTP headers to send with the JWKS request.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
refresh_interval
Type Integer
Default 300
Description
JWKS refresh interval.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL options.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

mechanism
Type String("jwt")
Description
Authentication mechanism.

acl_claim_name

Type	`String`
Default	`acl`
Description	The JWT claim designated for accessing ACL (Access Control List) rules can be specified, such as using the `acl` claim. A typical decoded JWT with this claim might appear as: `{"username": "user1", "acl": ...}`. Supported ACL Rule Formats: Object Format: Utilizes action types pub (publish), sub (subscribe), or all (both publish and subscribe). The value is a list of topic filters. Example: `{"pub": ["topic1"], "sub": [], "all": ["${username}/#"]}`. This example signifies that the token owner can publish to topic1 and perform both publish and subscribe actions on topics starting with their username. Note: In this format, if no topic matches, the action is denied, and the authorization process terminates. Array Format (resembles File-Based ACL Rules): Example: `[{"permission": "allow", "action": "all", "topic": "${username}/#"}]`. Additionally, the `pub` or `publish` action rules can be extended with `qos` and `retain` field, and `sub` or `subscribe` action rules can be extended with a `qos` field. Note: Here, if no rule matches, the action is not immediately denied. The process continues to other configured authorization sources, and ultimately falls back to the default permission in config `authorization.no_match`. The ACL claim utilizes MQTT topic wildcard matching rules for publishing or subscribing. A special syntax for the 'subscribe' action allows the use of `eq` for an exact match. For instance, `eq t/#` permits or denies subscription to `t/#`, but not to `t/1`.

verify_claims

Type	`Map`
Default	`{}`
Description	A list of custom claims to validate. The allowed formats are the following: A map where claim names are map keys and expected values are map values: `{ claim_name = "${username}", ...}`. A list of maps with `name` (claim name) and `value` (expected claim value) keys: `[{name = "claim_name", value = "${username}"}, ...]`. Values can use the following placeholders: `${username}`: Will be replaced at runtime with `Username` used by the client when connecting `${clientid}`: Will be replaced at runtime with `Client ID` used by the client when connecting Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in `verify_claims`.

disconnect_after_expire
Type Boolean
Default true
Description
Disconnect the client after the token expires.
from
Type Enum(username,password)
Default password
Description
Field to take JWT from.

scram

mechanism
Type String("scram")
Description
Authentication mechanism.
backend
Type String("built_in_database")
Description
Backend type.
algorithm
Type Enum(sha256,sha512)
Default sha256
Description
Hashing algorithm.
iteration_count
Type Integer(0..+inf)
Default 4096
Description
Iteration count.

ldap

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("ldap")
Description
Backend type.

query_timeout

Type	`Duration`
Default	`"5s"`
Description	Timeout for the LDAP query. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The LDAP default port 389 is used if [:Port] is not specified.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

base_dn
Type String
Description
The name of the base object entry (or possibly the root) relative to which the Search is to be performed.

filter

Type	`String`
Default	`"(objectClass=mqttUser)"`
Description	The filter that defines the conditions that must be fulfilled in order for the Search to match a given entry. The syntax of the filter follows RFC 4515 and also supports placeholders.

request_timeout

Type	`Duration`
Default	`"10s"`
Description	Sets the maximum time in milliseconds that is used for each individual request. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

ssl

Type	`Struct(ssl)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

method
Type OneOf(Struct(hash_method),Struct(bind_method))
Description
Authentication method.
hash_method
- type
  Type Enum(hash)
  Default hash
  Description
  Authentication method type.
- password_attribute
  Type String
  Default userPassword
  Description
  Indicates which attribute is used to represent the user's password.
- is_superuser_attribute
  Type String
  Default isSuperuser
  Description
  Indicates which attribute is used to represent whether the user is a superuser.
bind_method
- type
  Type Enum(bind)
  Default bind
  Description
  Authentication method type.
- bind_password
  Type String
  Default "${password}"
  Description
  The template for password to bind.

ldap_deprecated

mechanism
Type String("password_based")
Description
Authentication mechanism.
backend
Type String("ldap")
Description
Backend type.

query_timeout

Type	`Duration`
Default	`"5s"`
Description	Timeout for the LDAP query. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The LDAP default port 389 is used if [:Port] is not specified.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

base_dn
Type String
Description
The name of the base object entry (or possibly the root) relative to which the Search is to be performed.

filter

Type	`String`
Default	`"(objectClass=mqttUser)"`
Description	The filter that defines the conditions that must be fulfilled in order for the Search to match a given entry. The syntax of the filter follows RFC 4515 and also supports placeholders.

request_timeout

Type	`Duration`
Default	`"10s"`
Description	Sets the maximum time in milliseconds that is used for each individual request. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

ssl

Type	`Struct(ssl)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

password_attribute
Type String
Default userPassword
Description
Indicates which attribute is used to represent the user's password.
is_superuser_attribute
Type String
Default isSuperuser
Description
Indicates which attribute is used to represent whether the user is a superuser.

authorization

Type Struct(authorization)

Description

Authorization a.k.a. ACL.
In EMQX, MQTT client access control is extremely flexible.
An out-of-the-box set of authorization data sources are supported. For example,
'file' source is to support concise and yet generic ACL rules in a file;
'built_in_database' source can be used to store per-client customizable rule sets, natively in the EMQX node;
'http' source to make EMQX call an external HTTP API to make the decision;
'PostgreSQL' etc. to look up clients or rules from external databases

authorization

no_match

Type	`Enum(allow,deny)`
Default	`allow`
Description	Default access control action if the user or client matches no ACL rules, or if no such user or client is found by the configurable authorization sources such as built_in_database, an HTTP API, or a query against PostgreSQL. Find more details in 'authorization.sources' config.

deny_action
Type Enum(ignore,disconnect)
Default ignore
Description
The action when the authorization check rejects an operation.

cache

Type	`Struct(authz_cache)`

authz_cache

max_size
Type Integer(1..1048576)
Default 32
Description
Maximum number of cached items.

ttl

Type	`Duration`
Default	`"1m"`
Description	Time to live for the cached data. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

excludes
Type Array(String)
Default []
Description
Exclude caching ACL check results for topics matching the given patterns.

sources

Type	`Array(OneOf(Struct(file),Struct(builtin_db),Struct(http_get),Struct(http_post),Struct(redis_single),Struct(redis_sentinel),Struct(redis_cluster),Struct(mysql),Struct(postgresql),Struct(mongo_single),Struct(mongo_rs),Struct(mongo_sharded),Struct(ldap)))`
Default	`[{enable = true, path = "${EMQX_ETC_DIR}/acl.conf", type = file}]`
Description	Authorization data sources. An array of authorization (ACL) data providers. It is designed as an array, not a hash-map, so the sources can be ordered to form a chain of access controls. When authorizing a 'publish' or 'subscribe' action, the configured sources are checked in order. When checking an ACL source, in case the client (identified by username or client ID) is not found, it moves on to the next source. And it stops immediately once an 'allow' or 'deny' decision is returned. If the client is not found in any of the sources, the default action configured in 'authorization.no_match' is applied. NOTE: The source elements are identified by their 'type'. It is NOT allowed to configure two or more sources of the same type.

file

type
Type String("file")
Description
Backend type.

path

Type String

Description

Path to the file which contains the ACL rules. If the file provisioned before starting EMQX node, it can be placed anywhere as long as EMQX has read access to it. That is, EMQX will treat it as read only.

In case the rule-set is created or updated from EMQX Dashboard or HTTP API, a new file will be created and placed in authz subdirectory inside EMQX's data_dir, and the old file will not be used anymore.

builtin_db

type
Type String("built_in_database")
Description
Backend type.
max_rules
Type Integer(1..+inf)
Default 100
Description
Maximum number of rules per client/user. Note that performance may decrease as number of rules increases.

http_get

type
Type String("http")
Description
Backend type.
url
Type String
Description
URL of the auth server.
request_timeout
Type String
Default "30s"
Description
HTTP request timeout.
body
Type Map($name->String)
Description
HTTP request body.

connect_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout when connecting to the HTTP server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

max_retries
Type Integer(0..+inf)
Description
Deprecated since 5.0.4.

retry_interval

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

pool_size
Type Integer(1..+inf)
Default 8
Description
The pool size.

enable_pipelining

Type	`Integer(1..+inf)`
Default	`100`
Description	The maximum number of HTTP requests that can be sent before an HTTP response is received. Setting this to 1 is equivalent to turning off HTTP pipelining, and the EMQX must receive a response to the previous HTTP request before sending the next HTTP request.

request

Type	`Struct(request)`
Description	Configure HTTP request parameters.

request

method
Type String
Description
HTTP method.
path
Type String
Description
URL path.
A string for ${.path.to.var} style value interpolation, where the leading dot is optional, and ${.} represents all values as an object.
body
Type String
Description
HTTP request body.
A string for ${.path.to.var} style value interpolation, where the leading dot is optional, and ${.} represents all values as an object.
headers
Type Map
Description
List of HTTP headers.
max_retries
Type Integer(0..+inf)
Description
Max retry times if error on sending request.

request_timeout

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

method
Type String("get")
Description
HTTP method.
headers
Type Map
Default {accept = "application/json", cache-control = "no-cache", connection = "keep-alive", keep-alive = "timeout=30, max=1000"}
Description
List of HTTP headers (without content-type).

http_post

type
Type String("http")
Description
Backend type.
url
Type String
Description
URL of the auth server.
request_timeout
Type String
Default "30s"
Description
HTTP request timeout.
body
Type Map($name->String)
Description
HTTP request body.

connect_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout when connecting to the HTTP server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

max_retries
Type Integer(0..+inf)
Description
Deprecated since 5.0.4.

retry_interval

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

pool_size
Type Integer(1..+inf)
Default 8
Description
The pool size.

enable_pipelining

Type	`Integer(1..+inf)`
Default	`100`
Description	The maximum number of HTTP requests that can be sent before an HTTP response is received. Setting this to 1 is equivalent to turning off HTTP pipelining, and the EMQX must receive a response to the previous HTTP request before sending the next HTTP request.

request

Type	`Struct(request)`
Description	Configure HTTP request parameters.

request

method
Type String
Description
HTTP method.
path
Type String
Description
URL path.
A string for ${.path.to.var} style value interpolation, where the leading dot is optional, and ${.} represents all values as an object.
body
Type String
Description
HTTP request body.
A string for ${.path.to.var} style value interpolation, where the leading dot is optional, and ${.} represents all values as an object.
headers
Type Map
Description
List of HTTP headers.
max_retries
Type Integer(0..+inf)
Description
Max retry times if error on sending request.

request_timeout

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

method
Type String("post")
Description
HTTP method.

headers

Type	`Map`
Default	`{accept = "application/json", cache-control = "no-cache", connection = "keep-alive", content-type = "application/json", keep-alive = "timeout=30, max=1000"}`
Description	List of HTTP Headers.

redis_single

type
Type String("redis")
Description
Backend type.
server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The Redis default port 6379 is used if [:Port] is not specified.
redis_type
Type String("single")
Default single
Description
Single mode. Must be set to 'single' when Redis server is running in single mode.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

database
Type Integer(0..+inf)
Default 0
Description
Redis database ID.
auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

cmd
Type String
Description
Database query used to retrieve authorization data.

redis_sentinel

type
Type String("redis")
Description
Backend type.

servers

Type	`String`
Description	A Node list for Cluster to connect to. The nodes should be separated with commas, such as: `Node[,Node].` For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: `Host[:Port]`. The Redis default port 6379 is used if `[:Port]` is not specified.

redis_type
Type String("sentinel")
Default sentinel
Description
Sentinel mode. Must be set to 'sentinel' when Redis server is running in sentinel mode.
sentinel
Type String
Description
The cluster name in Redis sentinel mode.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

database
Type Integer(0..+inf)
Default 0
Description
Redis database ID.
auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

cmd
Type String
Description
Database query used to retrieve authorization data.

redis_cluster

type
Type String("redis")
Description
Backend type.

servers

Type	`String`
Description	A Node list for Cluster to connect to. The nodes should be separated with commas, such as: `Node[,Node].` For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: `Host[:Port]`. The Redis default port 6379 is used if `[:Port]` is not specified.

redis_type
Type String("cluster")
Default cluster
Description
Cluster mode. Must be set to 'cluster' when Redis server is running in clustered mode.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

cmd
Type String
Description
Database query used to retrieve authorization data.

mysql

type
Type String("mysql")
Description
Backend type.
server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The MySQL default port 3306 is used if [:Port] is not specified.
database
Type String
Description
Database name.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Default root
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

prepare_statement
Type Map
Description
Key-value list of SQL prepared statements.
query
Type String
Description
Database query used to retrieve authorization data.

postgresql

type
Type String("postgresql")
Description
Backend type.
server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The PostgreSQL default port 5432 is used if [:Port] is not specified.

disable_prepared_statements

Type	`Boolean`
Default	`false`
Description	Disables the usage of prepared statements in the connections. Some endpoints, like PGBouncer or Supabase in Transaction mode, do not support session features such as prepared statements. For such connections, this option should be enabled.

database
Type String
Description
Database name.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

auto_reconnect
Type Boolean
Description
Deprecated since v5.0.15.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

prepare_statement
Type Map
Description
Key-value list of SQL prepared statements.
query
Type String
Description
Database query used to retrieve authorization data.

mongo_single

type
Type String("mongodb")
Description
Backend type.
collection
Type String
Description
MongoDB collection containing the authorization data.

filter

Type	`Map`
Default	`{}`
Description	Conditional expression that defines the filter condition in the query. Filter supports the following placeholders `${username}`: Will be replaced at runtime with `Username` used by the client when connecting `${clientid}`: Will be replaced at runtime with `Client ID` used by the client when connecting

limit
Type Integer(1..+inf)
Default 1000
Description
Limit the number of records to fetch.
skip
Type Integer(0..+inf)
Default 0
Description
Number of authorization records to skip.
mongo_type
Type String("single")
Default single
Description
Standalone instance. Must be set to 'single' when MongoDB server is running in standalone mode.
server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The MongoDB default port 27017 is used if [:Port] is not specified.
w_mode
Type Enum(unsafe,safe)
Default unsafe
Description
Write mode.
srv_record
Type Boolean
Default false
Description
Use DNS SRV record.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

use_legacy_protocol

Type	`Enum(auto,true,false)`
Default	`auto`
Description	Whether to use MongoDB's legacy protocol for communicating with the database. The default is to attempt to automatically determine if the newer protocol is supported.

auth_source
Type String
Description
Database name associated with the user's credentials.
database
Type String
Description
Database name.

topology

Type	`Struct(topology)`

topology

max_overflow

Type	`Integer(0..+inf)`
Default	`0`
Description	The maximum number of additional workers that can be created when all workers in the pool are busy. This helps to manage temporary spikes in workload by allowing more concurrent connections to the MongoDB server.

overflow_ttl

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

overflow_check_period

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

local_threshold_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

connect_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

socket_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

server_selection_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

wait_queue_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

heartbeat_frequency_ms

Type	`Duration`
Default	`"200s"`
Description	Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

min_heartbeat_frequency_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

mongo_rs

type
Type String("mongodb")
Description
Backend type.
collection
Type String
Description
MongoDB collection containing the authorization data.

filter

Type	`Map`
Default	`{}`
Description	Conditional expression that defines the filter condition in the query. Filter supports the following placeholders `${username}`: Will be replaced at runtime with `Username` used by the client when connecting `${clientid}`: Will be replaced at runtime with `Client ID` used by the client when connecting

limit
Type Integer(1..+inf)
Default 1000
Description
Limit the number of records to fetch.
skip
Type Integer(0..+inf)
Default 0
Description
Number of authorization records to skip.
mongo_type
Type String("rs")
Default rs
Description
Replica set. Must be set to 'rs' when MongoDB server is running in 'replica set' mode.

servers

Type	`String`
Description	A Node list for Cluster to connect to. The nodes should be separated with commas, such as: `Node[,Node].` For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: `Host[:Port]`. The MongoDB default port 27017 is used if `[:Port]` is not specified.

w_mode
Type Enum(unsafe,safe)
Default unsafe
Description
Write mode.
r_mode
Type Enum(master,slave_ok)
Default master
Description
Read mode.
replica_set_name
Type String
Description
Name of the replica set.
srv_record
Type Boolean
Default false
Description
Use DNS SRV record.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

use_legacy_protocol

Type	`Enum(auto,true,false)`
Default	`auto`
Description	Whether to use MongoDB's legacy protocol for communicating with the database. The default is to attempt to automatically determine if the newer protocol is supported.

auth_source
Type String
Description
Database name associated with the user's credentials.
database
Type String
Description
Database name.

topology

Type	`Struct(topology)`

topology

max_overflow

Type	`Integer(0..+inf)`
Default	`0`
Description	The maximum number of additional workers that can be created when all workers in the pool are busy. This helps to manage temporary spikes in workload by allowing more concurrent connections to the MongoDB server.

overflow_ttl

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

overflow_check_period

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

local_threshold_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

connect_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

socket_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

server_selection_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

wait_queue_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

heartbeat_frequency_ms

Type	`Duration`
Default	`"200s"`
Description	Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

min_heartbeat_frequency_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

mongo_sharded

type
Type String("mongodb")
Description
Backend type.
collection
Type String
Description
MongoDB collection containing the authorization data.

filter

Type	`Map`
Default	`{}`
Description	Conditional expression that defines the filter condition in the query. Filter supports the following placeholders `${username}`: Will be replaced at runtime with `Username` used by the client when connecting `${clientid}`: Will be replaced at runtime with `Client ID` used by the client when connecting

limit
Type Integer(1..+inf)
Default 1000
Description
Limit the number of records to fetch.
skip
Type Integer(0..+inf)
Default 0
Description
Number of authorization records to skip.
mongo_type
Type String("sharded")
Default sharded
Description
Sharded cluster. Must be set to 'sharded' when MongoDB server is running in 'sharded' mode.

servers

Type	`String`
Description	A Node list for Cluster to connect to. The nodes should be separated with commas, such as: `Node[,Node].` For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: `Host[:Port]`. The MongoDB default port 27017 is used if `[:Port]` is not specified.

w_mode
Type Enum(unsafe,safe)
Default unsafe
Description
Write mode.
srv_record
Type Boolean
Default false
Description
Use DNS SRV record.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

use_legacy_protocol

Type	`Enum(auto,true,false)`
Default	`auto`
Description	Whether to use MongoDB's legacy protocol for communicating with the database. The default is to attempt to automatically determine if the newer protocol is supported.

auth_source
Type String
Description
Database name associated with the user's credentials.
database
Type String
Description
Database name.

topology

Type	`Struct(topology)`

topology

max_overflow

Type	`Integer(0..+inf)`
Default	`0`
Description	The maximum number of additional workers that can be created when all workers in the pool are busy. This helps to manage temporary spikes in workload by allowing more concurrent connections to the MongoDB server.

overflow_ttl

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

overflow_check_period

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

local_threshold_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

connect_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

socket_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

server_selection_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

wait_queue_timeout_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

heartbeat_frequency_ms

Type	`Duration`
Default	`"200s"`
Description	Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

min_heartbeat_frequency_ms

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

ldap

type
Type String("ldap")
Description
Backend type.
publish_attribute
Type String
Default mqttPublishTopic
Description
Indicates which attribute is used to represent the allowed topics list of the publish.
subscribe_attribute
Type String
Default mqttSubscriptionTopic
Description
Indicates which attribute is used to represent the allowed topics list of the subscribe.
all_attribute
Type String
Default mqttPubSubTopic
Description
Indicates which attribute is used to represent the both allowed topics list of publish and subscribe.

query_timeout

Type	`Duration`
Default	`"5s"`
Description	Timeout for the LDAP query. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

server
Type String
Description
The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The LDAP default port 389 is used if [:Port] is not specified.
pool_size
Type Integer(1..+inf)
Default 8
Description
Size of the connection pool towards the bridge target service.
username
Type String
Description
The username associated with the bridge in the external database used for authentication or identification purposes.

password

Type Secret

Description

base_dn
Type String
Description
The name of the base object entry (or possibly the root) relative to which the Search is to be performed.

filter

Type	`String`
Default	`"(objectClass=mqttUser)"`
Description	The filter that defines the conditions that must be fulfilled in order for the Search to match a given entry. The syntax of the filter follows RFC 4515 and also supports placeholders.

request_timeout

Type	`Duration`
Default	`"10s"`
Description	Sets the maximum time in milliseconds that is used for each individual request. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

ssl

Type	`Struct(ssl)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

node

Type	`Struct(node)`

node

name
Type String
Default "emqx@127.0.0.1"
Description
Unique name of the EMQX node. It must follow %name%@FQDN or %name%@IPv4 format.

Type	`String`
Description	Secret cookie is a random string that should be the same on all nodes in the given EMQX cluster, but unique per EMQX cluster. It is used to prevent EMQX nodes that belong to different clusters from accidentally connecting to each other.

max_ports
Type Integer(1024..134217727)
Default 1048576
Description
Maximum number of simultaneously open files and sockets for this Erlang system. For more information, see: https://www.erlang.org/doc/man/erl.html
dist_buffer_size
Type Integer(1..2097151)
Default 8192
Description
Erlang's distribution buffer busy limit in kilobytes.

data_dir

Type String

Description

Path to the persistent data directory.
Possible auto-created subdirectories are:

mnesia/<node_name>: EMQX's built-in database directory.
For example, mnesia/emqx@127.0.0.1.
There should be only one such subdirectory.
Meaning, in case the node is to be renamed (to e.g. emqx@10.0.1.1),
the old dir should be deleted first.
configs: Generated configs at boot time, and cluster/local override configs.
patches: Hot-patch beam files are to be placed here.
trace: Trace log files.

NOTE: One data dir cannot be shared by two or more EMQX nodes.

global_gc_interval
Type OneOf(String("disabled"),Duration)
Default "15m"
Description
Periodic garbage collection interval. Set to disabled to have it disabled.

role

Aliases	db_role
Type	`Enum(core)`
Default	`core`
Description	Select a node role. `core` nodes provide durability of the data, and take care of writes. It is recommended to place core nodes in different racks or different availability zones. `replicant` nodes are ephemeral worker nodes. Removing them from the cluster doesn't affect database redundancy It is recommended to have more replicant nodes than core nodes. Note: this parameter only takes effect when the `backend` is set to `rlog`.

cluster

Type	`Struct(cluster)`

cluster

name
Type String
Default emqxcl
Description
Human-friendly name of the EMQX cluster.

discovery_strategy

Type	`Enum(manual,static,singleton,dns,etcd,k8s)`
Default	`manual`
Description	Service discovery method for the cluster nodes. Possible values are: manual: Use `emqx ctl cluster` command to manage cluster. static: Configure static nodes list by setting `seeds` in config file. dns: Use DNS A record to discover peer nodes. etcd: Use etcd to discover peer nodes. k8s: Use Kubernetes API to discover peer pods.

autoclean

Type	`Duration`
Default	`"24h"`
Description	Remove disconnected nodes from the cluster after this interval. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

autoheal
Type Boolean
Default true
Description
If true, the node will try to heal network partitions automatically.

proto_dist

Type	`Enum(inet_tcp,inet6_tcp,inet_tls,inet6_tls)`
Default	`inet_tcp`
Description	The Erlang distribution protocol for the cluster. inet_tcp: IPv4 TCP inet_tls: IPv4 TLS, works together with `etc/ssl_dist.conf` inet6_tcp: IPv6 TCP inet6_tls: IPv6 TLS, works together with `etc/ssl_dist.conf`

static
Type Struct(cluster_static)
cluster_static
- seeds
  Type OneOf(String,Array(String))
  Default []
  Description
  List EMQX node names in the static cluster. See node.name.
dns
Type Struct(cluster_dns)
cluster_dns
- name
  Type String
  Default localhost
  Description
  The domain name from which to discover peer EMQX nodes' IP addresses. Applicable when cluster.discovery_strategy = dns
- record_type
  Type Enum(a,aaaa,srv)
  Default a
  Description
  DNS record type.

etcd

Type	`Struct(cluster_etcd)`

cluster_etcd

server
Type String
Description
List of endpoint URLs of the etcd cluster
prefix
Type String
Default emqxcl
Description
Key prefix used for EMQX service discovery.

node_ttl

Type	`Duration`
Default	`"1m"`
Description	Expiration time of the etcd key associated with the node. It is refreshed automatically, as long as the node is alive. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

ssl_options

Aliases	ssl
Type	`Struct(ssl_client_opts)`
Description	Options for the TLS connection to the etcd cluster.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

k8s

Type	`Struct(cluster_k8s)`

cluster_k8s

apiserver
Type String
Default "https://kubernetes.default.svc:443"
Description
Kubernetes API endpoint URL.
service_name
Type String
Default emqx
Description
EMQX broker service name.

address_type

Type	`Enum(ip,dns,hostname)`
Default	`ip`
Description	Address type used for connecting to the discovered nodes. Setting `cluster.k8s.address_type` to `ip` will make EMQX to discover IP addresses of peer nodes from Kubernetes API.

namespace
Type String
Default default
Description
Kubernetes namespace.
suffix
Type String
Default "pod.local"
Description
Node name suffix.
Note: this parameter is only relevant when address_type is dns or hostname.

log

Type Struct(log)

Description

EMQX provides support for two primary log handlers: file and console, with an additional audit handler specifically designed to always direct logs to files. The system's default log handling behavior can be configured via the environment variable EMQX_DEFAULT_LOG_HANDLER, which accepts the following settings:

file: Directs log output exclusively to files.
console: Channels log output solely to the console.

It's noteworthy that EMQX_DEFAULT_LOG_HANDLER is set to file when EMQX is initiated via systemd's emqx.service file. In scenarios outside systemd initiation, console serves as the default log handler.

log

console

Aliases	console_handler
Type	`Struct(console_handler)`

console_handler

level
Type Enum(debug,info,notice,warning,error,critical,alert,emergency,all)
Default warning
Description
The log level for the current log handler. Defaults to warning.
enable
Type Boolean
Default false
Description
Enable this log handler.
formatter
Aliases format
Type Enum(text,json)
Default text
Description
Choose log formatter. text for free text, and json for structured logging.

timestamp_format

Type	`Enum(auto,epoch,rfc3339)`
Default	`auto`
Description	Pick a timestamp format: `auto`: automatically choose the best format based on log formatter. `epoch` for JSON and `rfc3339` for text. `epoch`: Unix epoch time in microseconds. `rfc3339`: RFC3339 format.

time_offset

Type	`String`
Default	`system`
Description	The time offset to be used when formatting the timestamp. Can be one of: `system`: the time offset used by the local system `utc`: the UTC time offset `+-[hh]:[mm]`: user specified time offset, such as "-02:00" or "+00:00" Defaults to: `system`. This config has no effect for when formatter is `json` as the timestamp in JSON is milliseconds since epoch.

payload_encode

Type	`Enum(hex,text,hidden)`
Default	`text`
Description	Determine the format of the payload format in the trace file. `text`: Text-based protocol or plain text protocol. It is recommended when payload is JSON encoded. `hex`: Binary hexadecimal encode. It is recommended when payload is a custom binary protocol. `hidden`: payload is obfuscated as `******`

file

Aliases	file_handlers
Type	`OneOf(Struct(log_file_handler),Map($handler_name->Struct(log_file_handler)))`
Default	`{level = warning}`
Description	File-based log handlers.

log_file_handler

path
Aliases file, to
Type String
Default "${EMQX_LOG_DIR}/emqx.log"
Description
Name the log file.
rotation_count
Aliases rotation
Type Integer(1..128)
Default 10
Description
Maximum number of log files.

rotation_size

Aliases	max_size
Type	`OneOf(String("infinity"),Bytesize)`
Default	`"50MB"`
Description	This parameter controls log file rotation. The value `infinity` means the log file will grow indefinitely, otherwise the log file will be rotated once it reaches `rotation_size` in bytes.

level
Type Enum(debug,info,notice,warning,error,critical,alert,emergency,all)
Default warning
Description
The log level for the current log handler. Defaults to warning.
formatter
Aliases format
Type Enum(text,json)
Default text
Description
Choose log formatter. text for free text, and json for structured logging.

timestamp_format

Type	`Enum(auto,epoch,rfc3339)`
Default	`auto`
Description	Pick a timestamp format: `auto`: automatically choose the best format based on log formatter. `epoch` for JSON and `rfc3339` for text. `epoch`: Unix epoch time in microseconds. `rfc3339`: RFC3339 format.

time_offset

Type	`String`
Default	`system`
Description	The time offset to be used when formatting the timestamp. Can be one of: `system`: the time offset used by the local system `utc`: the UTC time offset `+-[hh]:[mm]`: user specified time offset, such as "-02:00" or "+00:00" Defaults to: `system`. This config has no effect for when formatter is `json` as the timestamp in JSON is milliseconds since epoch.

payload_encode

Type	`Enum(hex,text,hidden)`
Default	`text`
Description	Determine the format of the payload format in the trace file. `text`: Text-based protocol or plain text protocol. It is recommended when payload is JSON encoded. `hex`: Binary hexadecimal encode. It is recommended when payload is a custom binary protocol. `hidden`: payload is obfuscated as `******`

log_file_handler

path
Aliases file, to
Type String
Default "${EMQX_LOG_DIR}/emqx.log"
Description
Name the log file.
rotation_count
Aliases rotation
Type Integer(1..128)
Default 10
Description
Maximum number of log files.

rotation_size

Aliases	max_size
Type	`OneOf(String("infinity"),Bytesize)`
Default	`"50MB"`
Description	This parameter controls log file rotation. The value `infinity` means the log file will grow indefinitely, otherwise the log file will be rotated once it reaches `rotation_size` in bytes.

level
Type Enum(debug,info,notice,warning,error,critical,alert,emergency,all)
Default warning
Description
The log level for the current log handler. Defaults to warning.
formatter
Aliases format
Type Enum(text,json)
Default text
Description
Choose log formatter. text for free text, and json for structured logging.

timestamp_format

Type	`Enum(auto,epoch,rfc3339)`
Default	`auto`
Description	Pick a timestamp format: `auto`: automatically choose the best format based on log formatter. `epoch` for JSON and `rfc3339` for text. `epoch`: Unix epoch time in microseconds. `rfc3339`: RFC3339 format.

time_offset

Type	`String`
Default	`system`
Description	The time offset to be used when formatting the timestamp. Can be one of: `system`: the time offset used by the local system `utc`: the UTC time offset `+-[hh]:[mm]`: user specified time offset, such as "-02:00" or "+00:00" Defaults to: `system`. This config has no effect for when formatter is `json` as the timestamp in JSON is milliseconds since epoch.

payload_encode

Type	`Enum(hex,text,hidden)`
Default	`text`
Description	Determine the format of the payload format in the trace file. `text`: Text-based protocol or plain text protocol. It is recommended when payload is JSON encoded. `hex`: Binary hexadecimal encode. It is recommended when payload is a custom binary protocol. `hidden`: payload is obfuscated as `******`

throttling

Type	`Struct(log_throttling)`

log_throttling

time_window

Type	`Duration(s)`
Default	`"1m"`
Description	This configuration setting controls the logging behavior for throttled messages, including, but not limited to messages like 'authorization_permission_denied'. Within each defined time window, only one instance of a throttled message will be logged to prevent log flooding. At the conclusion of each time window, a summary log will be generated, detailing the occurrence of any throttled messages during that period. It's important to note that the shortest effective time window for this setting is 1 second (`1s`). Should a value lower than `1s` be specified, it will automatically be adjusted to `1s`. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

rpc

Type	`Struct(rpc)`

rpc

mode
Type Enum(sync,async)
Default async
Description
In sync mode the sending side waits for the ack from the receiving side.
protocol
Aliases driver
Type Enum(tcp,ssl)
Default tcp
Description
Transport protocol used for inter-broker communication
async_batch_size
Type Integer
Default 256
Description
The maximum number of batch messages sent in asynchronous mode. Note that this configuration does not work in synchronous mode.

port_discovery

Type	`Enum(manual,stateless)`
Default	`stateless`
Description	`manual`: discover ports by `server_port`. `stateless`: discover ports in a stateless manner, using the following algorithm. If node name is `emqxN@127.0.0.1`, where the N is an integer, then the listening port will be 5370 + N. NOTE: when `port_discovery` is `manual`, `server_port` configuration has no effect.

server_port

Aliases	tcp_server_port, ssl_server_port
Type	`Integer(1..+inf)`
Default	`5369`
Description	Listening port used by RPC local service. Note that this config only takes effect when rpc.port_discovery is set to manual.

client_num
Aliases tcp_client_num
Type Integer(1..256)
Default 10
Description
Set the maximum number of RPC communication channels initiated by this node to each remote node.

connect_timeout

Type	`Duration`
Default	`"5s"`
Description	Timeout for establishing an RPC connection. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

certfile
Type String
Description
Path to TLS certificate file used to validate identity of the cluster nodes. Note that this config only takes effect when rpc.driver is set to ssl.
keyfile
Type String
Description
Path to the private key file for the rpc.certfile.
Note: contents of this file are secret, so it's necessary to set permissions to 600.
cacertfile
Type String
Description
Path to certification authority TLS certificate file used to validate rpc.certfile.
Note: certificates of all nodes in the cluster must be signed by the same CA.

send_timeout

Type	`Duration`
Default	`"5s"`
Description	Timeout for sending the RPC request. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

authentication_timeout

Type	`Duration`
Default	`"5s"`
Description	Timeout for the remote node authentication. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

call_receive_timeout

Type	`Duration`
Default	`"15s"`
Description	Timeout for the reply to a synchronous RPC. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

socket_keepalive_idle

Type	`Duration(s)`
Default	`"15m"`
Description	Corresponds to the `TCP_KEEPIDLE` socket option. The time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

socket_keepalive_interval

Type	`Duration(s)`
Default	`"75s"`
Description	Corresponds to the `TCP_KEEPINTVL` socket option. The time (in seconds) between individual keepalive probes. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

socket_keepalive_count

Type	`Integer`
Default	`9`
Description	Corresponds to the `TCP_KEEPCNT` socket option. The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end.

socket_sndbuf

Type	`Bytesize`
Default	`"1MB"`
Description	TCP tuning parameters. TCP sending buffer size. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

socket_recbuf

Type	`Bytesize`
Default	`"1MB"`
Description	TCP tuning parameters. TCP receiving buffer size. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

socket_buffer

Type	`Bytesize`
Default	`"1MB"`
Description	TCP tuning parameters. Socket buffer size in user mode. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

insecure_fallback
Type Boolean
Default true
Description
Enable compatibility with old RPC authentication.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

tls_versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

listen_address
Type String
Default "0.0.0.0"
Description
Indicates the IP address for the RPC server to listen on. For example, use "0.0.0.0" for IPv4 or "::" for IPv6.

ipv6_only

Type	`Boolean`
Default	`false`
Description	This setting is effective only when `rpc.listen_address` is assigned an IPv6 address. If set to `true`, the RPC client will exclusively use IPv6 for connections. Otherwise, the client might opt for IPv4, even if the server is on IPv6.

sys_topics

Type	`Struct(sys_topics)`
Description	System topics configuration.

sys_topics

sys_msg_interval

Type	`OneOf(String("disabled"),Duration)`
Default	`"1m"`
Description	Time interval for publishing following system messages: `$SYS/brokers` `$SYS/brokers/<node>/version` `$SYS/brokers/<node>/sysdescr` `$SYS/brokers/<node>/stats/<name>` `$SYS/brokers/<node>/metrics/<name>`

sys_heartbeat_interval
Type OneOf(String("disabled"),Duration)
Default "30s"
Description
Time interval for publishing following heartbeat messages:

$SYS/brokers/<node>/uptime

$SYS/brokers/<node>/datetime
sys_event_messages
Type Struct(event_names)
Description
Client events messages.
event_names
- client_connected
  Type Boolean
  Default true
  Description
  Enable to publish client connected event messages
- client_disconnected
  Type Boolean
  Default true
  Description
  Enable to publish client disconnected event messages.
- client_subscribed
  Type Boolean
  Default false
  Description
  Enable to publish event message that client subscribed a topic successfully.
- client_unsubscribed
  Type Boolean
  Default false
  Description
  Enable to publish event message that client unsubscribed a topic successfully.

force_shutdown

Type	`Struct(force_shutdown)`

force_shutdown

max_mailbox_size

Aliases	max_message_queue_len
Type	`Integer(0..inf)`
Default	`1000`
Description	EMQX creates at least one lightweight process for each client connection. Each process has its own message queue (aka mailbox) to hold messages from other processes (e.g. MQTT messages) so that the process can read messages from the message queue (mailbox) at any time. If the system is busy or the process hangs due to a busy socket (see `high_watermark`), the message queue can accumulate many messages. To avoid excessive memory usage, EMQX will force a process to shut down when the length of its message queue exceeds `max_mailbox_size`.

max_heap_size

Type	`Bytesize`
Default	`"32MB"`
Description	The maximum heap size of the process. If the `force_shutdown` is enabled, processes that exceed this limit will automatically exit or be forcibly killed. Messages in the process message queue (mailbox) are also part of the heap. The shutdown of a process can be divided into the following two situations: The process actively checks the current heap size during its own operation, and actively exits after finding that it exceeds the limit. The underlying scheduling system checks the current heap size after performing garbage collection for the process, and forcibly kills the process after finding that it exceeds the limit. Note: The Error logs generated by the above two will be different. The log generated by the former is similar to `...errorContext: connection_shutdown, reason: #{max => 2097152, reason => proc_heap_too_large, value => 2787348}..`, and the log generated by the latter is similar to `...Context: maximum heap size reached...`. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

durable_storage

Type	`Struct(durable_storage)`
Description	Configuration related to the EMQX durable storages. EMQX uses durable storages to offload various data, such as MQTT messages, to disc.

durable_storage

messages

Type	`OneOf(Struct(builtin_local))`
Default	`{backend = builtin_local}`
Description	Configuration related to the durable storage of MQTT messages.

builtin_local

backend
Type String("builtin_local")
Default builtin_local
Description
Backend type.
data_dir
Type String
Description
File system directory where the database is located.

By default, it is equal to node.data_dir.

n_shards

Type	`Integer(1..+inf)`
Default	`16`
Description	The built-in durable storage partitions data into shards. This configuration parameter defines the number of shards. Please note that it takes effect only during the initialization of the durable storage database. Changing this configuration parameter after the database has been already created won't take any effect.

layout

Type	`OneOf(Struct(layout_builtin_wildcard_optimized_v2),Struct(layout_builtin_wildcard_optimized),Struct(layout_builtin_reference))`
Default	`{type = wildcard_optimized_v2}`
Description	Storage layout is a method of arranging messages from various topics and clients on disc. Depending on the type of workload and the topic structure, different types of strategies for storing the data can be employed to maximize efficiency of reading messages from the durable storage.

layout_builtin_wildcard_optimized_v2

type
Type String("wildcard_optimized_v2")
Default wildcard_optimized_v2
Description
Wildcard-optimized layout type.

layout_builtin_wildcard_optimized

type
Type String("wildcard_optimized")
Default wildcard_optimized
Description
Wildcard-optimized layout type.

layout_builtin_reference

type
Type String("reference")
Default reference
Description
Reference layout type.

force_gc

Type	`Struct(force_gc)`

force_gc

count
Type Integer(0..inf)
Default 16000
Description
GC the process after this many received messages.

bytes

Type	`Bytesize`
Default	`"16MB"`
Description	GC the process after specified number of bytes have passed through. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sysmon

Type	`Struct(sysmon)`

sysmon

vm

Type	`Struct(sysmon_vm)`

sysmon_vm

process_check_interval

Type	`Duration`
Default	`"30s"`
Description	The time interval for the periodic process count limit check, used together with `process_high_watermark` and `process_low_watermark`. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

process_high_watermark
Type String
Default "80%"
Description
The threshold, as percentage of processes, for how many processes can simultaneously exist at the local node before the corresponding alarm is raised.
process_low_watermark
Type String
Default "60%"
Description
The threshold, as percentage of processes, for how many processes can simultaneously exist at the local node before the corresponding alarm is cleared.

long_gc

Type	`OneOf(String("disabled"),Duration)`
Default	`disabled`
Description	When an Erlang process spends long time to perform garbage collection, a warning level `long_gc` log is emitted, and an MQTT message is published to the system topic `$SYS/sysmon/long_gc`.

long_schedule

Type	`OneOf(String("disabled"),Duration)`
Default	`"240ms"`
Description	When the Erlang VM detect a task scheduled for too long, a warning level 'long_schedule' log is emitted, and an MQTT message is published to the system topic `$SYS/sysmon/long_schedule`.

large_heap

Type	`OneOf(String("disabled"),Bytesize)`
Default	`"32MB"`
Description	When the heap memory occupied by a process exceeds the size specified by `large_heap`, the system will write a warning level `large_heap` log, and an MQTT message will be published to the system topic `$SYS/sysmon/large_heap`.

busy_dist_port

Type	`Boolean`
Default	`true`
Description	When the RPC connection used to communicate with other nodes in the cluster is overloaded, there will be a `busy_dist_port` warning log, and an MQTT message is published to system topic `$SYS/sysmon/busy_dist_port`.

busy_port
Type Boolean
Default true
Description
When a port (e.g. TCP socket) is overloaded, there will be a busy_port warning log, and an MQTT message is published to the system topic $SYS/sysmon/busy_port.

os

Type	`Struct(sysmon_os)`

sysmon_os

cpu_check_interval

Type	`Duration`
Default	`"60s"`
Description	The time interval for the periodic CPU check. Disabled on Windows platform. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

cpu_high_watermark
Type String
Default "80%"
Description
The threshold, as percentage of system CPU load, for how much system cpu can be used before the corresponding alarm is raised. Disabled on Windows platform
cpu_low_watermark
Type String
Default "60%"
Description
The threshold, as percentage of system CPU load, for how much system cpu can be used before the corresponding alarm is cleared. Disabled on Windows platform
mem_check_interval
Type OneOf(String("disabled"),Duration)
Default "60s"
Description
The time interval for the periodic memory check. Disabled on Windows platform.
sysmem_high_watermark
Type String
Default "70%"
Description
The threshold, as percentage of system memory, for how much system memory can be allocated before the corresponding alarm is raised. Disabled on Windows platform

procmem_high_watermark

Type	`String`
Default	`"5%"`
Description	The threshold, as percentage of system memory, for how much system memory can be allocated by one Erlang process before the corresponding alarm is raised. Disabled on Windows platform.

mnesia_tm_mailbox_size_alarm_threshold

Type	`Integer(1..+inf)`
Default	`500`
Description	The threshold above which an alarm is raised for the mailbox size of the mnesia transaction manager. This process handles all transactions in EMQX's internal database mnesia. There are several reasons that could give raise to this alarm. A few things to check for or consider: Lower `max_conn_rate`, so that clients join at a slower pace; Increase CPU / RAM resources for EMQX; Lower retained message rate from the client side; Check if intra-cluster network bandwidth is reaching a maximum.

broker_pool_mailbox_size_alarm_threshold

Type	`Integer(1..+inf)`
Default	`500`
Description	The threshold above which an alarm is raised for the maximum mailbox size among the broker pool workers. Broker pool workers handle adding and removing subscriptions, and replication of routing information. There are several reasons that could give raise to this alarm. A few things to check for or consider: Increase CPU / RAM resources for EMQX; Review the subscriptions that clients are doing, for example, try to compact topic filters; Check if intra-cluster network bandwidth is reaching a maximum.

alarm

Type	`Struct(alarm)`

alarm

actions

Type	`Array(Enum(log,publish))`
Default	`[log, publish]`
Description	The actions triggered when the alarm is activated. Currently, the following actions are supported: `log` and `publish`. `log` is to write the alarm to log (console or file). `publish` is to publish the alarm as an MQTT message to the system topics: `$SYS/brokers/emqx@xx.xx.xx.x/alarms/activate` and `$SYS/brokers/emqx@xx.xx.xx.x/alarms/deactivate`

size_limit

Type	`Integer(1..3000)`
Default	`1000`
Description	The maximum number of historical alarms that can be stored. When the maximum number is reached, the oldest historical alarms will be deleted to store new historical alarms.

validity_period

Type	`Duration`
Default	`"24h"`
Description	The validity period of historical alarms. Calculated from the time of activation of the historical alarm instead of the time of cancelation. If it exists longer than the validity period, the alarm will be deleted. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

flapping_detect

Type	`Struct(flapping_detect)`

flapping_detect

enable
Type Boolean
Default false
Description
Enable flapping connection detection feature.

window_time

Type	`Duration`
Default	`"1m"`
Description	The time window for flapping detection. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

max_count
Type Integer(0..+inf)
Default 15
Description
The maximum number of disconnects allowed for a MQTT Client in window_time

ban_time

Type	`Duration`
Default	`"5m"`
Description	How long the flapping clientid will be banned. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

durable_sessions

Type	`Struct(durable_sessions)`

durable_sessions

enable

Type	`Boolean`
Default	`false`
Description	Use durable storage for client sessions persistence. If enabled, sessions configured to outlive client connections, along with their corresponding messages, will be durably stored and survive broker downtime. :::warning Messages sent to the durable sessions are saved on disc. This inevitably limits the overall throughput of the system. :::

batch_size

Type	`Integer(1..+inf)`
Default	`100`
Description	This value affects the flow control for the persistent sessions. Persistent session queries the durable message storage in batches. This value specifies size of the batch. Note: larger batches generally improve the throughput and overall performance of the system, but increase RAM usage per client.

idle_poll_interval

Type	`Duration`
Default	`"10s"`
Description	Expiry interval for poll requests sent by durable sessions to the storage. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

heartbeat_interval

Type	`Duration`
Default	`"5000ms"`
Description	Durable sessions back up their state on disc every heartbeat interval. Heartbeat interval is also taken into account during garbage collection of expired sessions. It is added to the session expiry time as a safety margin when precise time of session termination is not precisely known. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

session_gc_interval

Type	`Duration`
Default	`"10m"`
Description	The interval at which session garbage collection is executed for persistent sessions. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

session_gc_batch_size
Type Integer(1..+inf)
Default 100
Description
The size of each batch of expired persistent sessions to be garbage collected per iteration.

message_retention_period

Type	`Duration`
Default	`"1d"`
Description	Broker keeps messages sent to the durable sessions for this period of time. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

connectors

Type	`Struct(connectors)`

connectors

http

Type	`Map($name->Struct(config_connector))`
Description	HTTP Connector Config

config_connector

tags
Type Array(String)
Description
Tags to annotate this config entry.
description
Type String
Default ""
Description
Descriptive text.

url

Type	`String`
Description	The URL of the HTTP action. Template with variables is allowed in the path, but variables cannot be used in the scheme, host, or port part. For example, `http://localhost:9901/${topic}` is allowed, but `http://${host}:9901/message` or `http://localhost:${port}/message` is not allowed.

headers

Type	`Map`
Default	`{accept = "application/json", cache-control = "no-cache", connection = "keep-alive", content-type = "application/json", keep-alive = "timeout=5"}`
Description	The headers of the HTTP request. Template with variables is allowed.

connect_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout when connecting to the HTTP server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

retry_interval

Type Duration

Description

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

pool_type
Type Enum(random,hash)
Default random
Description
The type of the pool. Can be one of random, hash.
pool_size
Type Integer(1..+inf)
Default 8
Description
The pool size.

enable_pipelining

Type	`Integer(1..+inf)`
Default	`100`
Description	The maximum number of HTTP requests that can be sent before an HTTP response is received. Setting this to 1 is equivalent to turning off HTTP pipelining, and the EMQX must receive a response to the previous HTTP request before sending the next HTTP request.

request
Type Map
Description
Deprecated since 5.3.2.

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

resource_opts

Type	`Struct(connector_resource_opts)`
Default	`{}`
Description	Resource options.

connector_resource_opts

health_check_interval

Type	`Duration`
Default	`"15s"`
Description	Health check interval. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

start_after_created
Type Boolean
Default true
Description
Whether start the resource right after created.

start_timeout

Type	`Duration`
Default	`"5s"`
Description	Time interval to wait for an auto-started resource to become healthy before responding resource creation requests. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

mqtt

Type	`Map($name->Struct(config_connector))`
Description	MQTT Connector Config

config_connector

tags
Type Array(String)
Description
Tags to annotate this config entry.
description
Type String
Default ""
Description
Descriptive text.

pool_size

Type	`Integer(1..+inf)`
Default	`8`
Description	Size of the pool of MQTT clients that will publish messages to the remote broker. Each MQTT client will be assigned 'clientid' of the form '${clientid_prefix}:${bridge_name}:egress:${node}:${n}' where 'n' is the number of a client inside the pool. This option does not take effect if `static_clientids` is not empty. When static client IDs is in use, pool size is always derived from the number of assigned IDs for each node.

resource_opts

Type	`Struct(resource_opts)`
Default	`{}`
Description	Resource options.

resource_opts

health_check_interval

Type	`Duration`
Default	`"15s"`
Description	Health check interval. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

start_after_created
Type Boolean
Default true
Description
Whether start the resource right after created.

start_timeout

Type	`Duration`
Default	`"5s"`
Description	Time interval to wait for an auto-started resource to become healthy before responding resource creation requests. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

mode
Type Enum(cluster_shareload)
Description
Deprecated since v5.1.0 & e5.1.0.
server
Type String
Description
The host and port of the remote MQTT broker
clientid_prefix
Type String
Description
Optional prefix to prepend to the clientid used by egress bridges. Does not apply if static_clientids is used.

static_clientids

Type	`Array(Struct(static_clientid_entry))`
Default	`[]`
Description	Entries mapping EMQX node names to static client IDs. If any entries are defined, then only EMQX nodes matching those entries will start MQTT clients with the corresponding clientids.

static_clientid_entry

node
Type String
Description
Node name (e.g.: emqx@10.0.0.1).
ids
Type Array(String)
Description
Array of static client IDs assigned to this node.

reconnect_interval
Type String
Description
Deprecated since v5.0.16.
proto_ver
Type Enum(v3,v4,v5)
Default v4
Description
The MQTT protocol version

bridge_mode

Type	`Boolean`
Default	`false`
Description	If enable bridge mode. NOTE: This setting is only for MQTT protocol version older than 5.0, and the remote MQTT broker MUST support this feature. If bridge_mode is set to true, the bridge will indicate to the remote broker that it is a bridge not an ordinary client. This means that loop detection will be more effective and that retained messages will be propagated correctly.

username
Type String
Description
The username of the MQTT protocol

password

Type Secret

Description

The password of the MQTT protocol
A string holding some sensitive information, such as a password. When secret starts with file://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before using file:// secrets.

clean_start
Type Boolean
Default true
Description
Whether to start a clean session when reconnecting a remote broker for ingress bridge

keepalive

Type	`String`
Default	`"160s"`
Description	MQTT Keepalive. Time interval is a string that contains a number followed by time unit: - `ms` for milliseconds, `s` for seconds, `m` for minutes, `h` for hours; or combination of whereof: `1h5m0s`

connect_timeout

Type	`Duration(s)`
Default	`"10s"`
Description	Timeout for connecting to the remote broker. The connection worker process is blocked up to this amount of time when attempting the initial connection. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

retry_interval

Type	`String`
Default	`"15s"`
Description	Message retry interval. Delay for the MQTT bridge to retry sending the QoS1/QoS2 messages in case of ACK not received. Time interval is a string that contains a number followed by time unit: - `ms` for milliseconds, `s` for seconds, `m` for minutes, `h` for hours; or combination of whereof: `1h5m0s`

max_inflight
Type Integer(0..+inf)
Default 32
Description
Max inflight (sent, but un-acked) messages of the MQTT protocol

ssl

Type	`Struct(ssl_client_opts)`
Default	`{enable = false}`
Description	SSL connection settings.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

actions

Type	`Struct(actions)`

actions

http

Aliases	webhook
Type	`Map($name->Struct(http_action))`
Description	HTTP Action Config

http_action

connector
Type String
Description
Name of the connector specified by the action, used for external resource selection.
tags
Type Array(String)
Description
Tags to annotate this config entry.
description
Type String
Default ""
Description
Descriptive text.

parameters

Type	`Struct(parameters_opts)`
Description	The parameters for HTTP action.

parameters_opts

path

Type	`String`
Description	The URL path for this Action. This path will be appended to the Connector's `url` configuration to form the full URL address. Template with variables is allowed in this option. For example, `/room/${room_no}` A string for `${.path.to.var}` style value interpolation, where the leading dot is optional, and `${.}` represents all values as an object.

method
Type Enum(post,put,get,delete)
Default post
Description
The method of the HTTP request. All the available methods are: post, put, get, delete.
Template with variables is allowed.

headers

Type	`Map`
Default	`{accept = "application/json", cache-control = "no-cache", connection = "keep-alive", content-type = "application/json", keep-alive = "timeout=5"}`
Description	The headers of the HTTP request. Template with variables is allowed.

body

Type String

Description

The body of the HTTP request.
If not provided, the body will be a JSON object of all the available fields.
There, 'all the available fields' means the context of a MQTT message when this webhook is triggered by receiving a MQTT message (the local_topic is set), or the context of the event when this webhook is triggered by a rule (i.e. this webhook is used as an action of a rule).
Template with variables is allowed.
A string for ${.path.to.var} style value interpolation, where the leading dot is optional, and ${.} represents all values as an object.

max_retries
Type Integer(0..+inf)
Default 2
Description
HTTP request max retry times if failed.

request_timeout

Type Duration

Description

Deprecated since v5.0.26.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

resource_opts

Type	`Struct(action_resource_opts)`
Default	`{}`
Description	Resource options.

action_resource_opts

worker_pool_size

Type	`Integer(1..1024)`
Default	`16`
Description	The number of buffer workers. Only applicable for egress type bridges. For bridges only have ingress direction data flow, it can be set to 0 otherwise must be greater than 0.

health_check_interval

Type	`Duration`
Default	`"15s"`
Description	Health check interval. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

query_mode
Type Enum(sync,async)
Default async
Description
Query mode. Optional 'sync/async', default 'async'.

request_ttl

Aliases	request_timeout
Type	`OneOf(Duration,String("infinity"))`
Default	`"45s"`
Description	Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.

inflight_window

Aliases	async_inflight_window
Type	`Integer(1..+inf)`
Default	`100`
Description	Query inflight window. When query_mode is set to async, this config has to be set to 1 if messages from the same MQTT client have to be strictly ordered.

max_buffer_bytes

Aliases	max_queue_bytes
Type	`Bytesize`
Default	`"256MB"`
Description	Maximum number of bytes to buffer for each buffer worker. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

mqtt

Type	`Map($name->Struct(mqtt_publisher_action))`
Description	MQTT Publisher Action Config

mqtt_publisher_action

local_topic

Type	`String`
Description	MQTT topic or topic filter as data source (action input). If rule action is used as data source, this config should be left empty, otherwise messages will be duplicated in the remote system.

parameters

Type	`Struct(action_parameters)`
Description	Action specific configs.

action_parameters

topic

Type	`String`
Description	Forward to which topic of the remote broker. Template with variables is allowed. A string for `${.path.to.var}` style value interpolation, where the leading dot is optional, and `${.}` represents all values as an object.

qos
Type OneOf(Integer(0..2),String)
Default 1
Description
The QoS of the MQTT message to be sent.
Template with variables is allowed.
retain
Type OneOf(Boolean,String)
Default false
Description
The 'retain' flag of the MQTT message to be sent.
Template with variables is allowed.

payload

Type	`String`
Description	The payload of the MQTT message to be sent. Template with variables is allowed. A string for `${.path.to.var}` style value interpolation, where the leading dot is optional, and `${.}` represents all values as an object.

connector
Type String
Description
Name of the connector specified by the action, used for external resource selection.
tags
Type Array(String)
Description
Tags to annotate this config entry.
description
Type String
Default ""
Description
Descriptive text.

resource_opts

Type	`Struct(action_resource_opts)`
Default	`{}`
Description	Resource options.

action_resource_opts

worker_pool_size

Type	`Integer(1..1024)`
Default	`16`
Description	The number of buffer workers. Only applicable for egress type bridges. For bridges only have ingress direction data flow, it can be set to 0 otherwise must be greater than 0.

health_check_interval

Type	`Duration`
Default	`"15s"`
Description	Health check interval. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

query_mode
Type Enum(sync,async)
Default async
Description
Query mode. Optional 'sync/async', default 'async'.

request_ttl

Aliases	request_timeout
Type	`OneOf(Duration,String("infinity"))`
Default	`"45s"`
Description	Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.

inflight_window

Aliases	async_inflight_window
Type	`Integer(1..+inf)`
Default	`100`
Description	Query inflight window. When query_mode is set to async, this config has to be set to 1 if messages from the same MQTT client have to be strictly ordered.

max_buffer_bytes

Aliases	max_queue_bytes
Type	`Bytesize`
Default	`"256MB"`
Description	Maximum number of bytes to buffer for each buffer worker. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sources

Type	`Struct(sources)`

sources

mqtt

Type	`Map($name->Struct(mqtt_subscriber_source))`
Description	MQTT Subscriber Source Config

mqtt_subscriber_source

parameters

Type	`Struct(ingress_parameters)`

ingress_parameters

no_local

Type	`Boolean`
Default	`false`
Description	Whether to set the no-local flag when subscribing to the remote topic. If set to true, and you use the same connector to publish messages to a topic you also subscribe to, this prevents the server from forwarding your own published messages back to you. Only takes effect when using MQTT protocol version 5. Note that if you use a pool of workers larger than 1 you will still receive duplicated messages back.

topic
Type String
Description
Receive messages from which topic of the remote broker
qos
Type Integer(0..2)
Default 1
Description
The QoS level to be used when subscribing to the remote broker

connector
Type String
Description
Name of the connector specified by the action, used for external resource selection.
tags
Type Array(String)
Description
Tags to annotate this config entry.
description
Type String
Default ""
Description
Descriptive text.

resource_opts

Type	`Struct(source_resource_opts)`
Default	`{}`
Description	Resource options.

source_resource_opts

health_check_interval

Type	`Duration`
Default	`"15s"`
Description	Health check interval. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

retainer

Type	`Struct(retainer)`

retainer

msg_expiry_interval

Type	`Duration`
Default	`"0s"`
Description	Expired retained messages will not be delivered again, and a setting of 0 means that retained messages will never expire. However, if the `Message-Expiry-Interval` property is specified in the MQTT message, the value of that property prevails. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

msg_expiry_interval_override

Type	`OneOf(String("disabled"),Duration)`
Default	`disabled`
Description	If set, this value will take precedence over any `Message-Expiry-Interval` property specified in retained MQTT messages, allowing messages to expire earlier if necessary. This override only applies to the garbage collection process: it does not affect the expiry time of messages being written nor that of already written messages while iterating over them. Therefore, messages that are candidate for garbage collection when overridden may still be visible when subscribing to retained topics.

allow_never_expire

Type	`Boolean`
Default	`true`
Description	If true, retained messages set to never expire (i.e., whose `Message-Expiry-Interval = 0`) are not affected by the expiry time override. This configuration only takes effect when `msg_expiry_interval_override` is set.

msg_clear_interval

Type	`Duration`
Default	`"0s"`
Description	The time interval for checking and clearing expired retained messages. This can prevent expired retained messages from being stored for a long time. If `msg_clear_interval` is set to 0, that is, expired retained messages are not actively checked regularly, EMQX will only check and delete expired retained messages when preparing for delivery. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

max_payload_size

Type	`Bytesize`
Default	`"1MB"`
Description	The maximum size of retained messages allowed to be stored. EMQX will refuse to store retained messages larger than this size and output an Error log with the keyword 'retain_failed_for_payload_size_exceeded_limit'. 0 means unlimited retained message size. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

stop_publish_clear_msg

Type	`Boolean`
Default	`false`
Description	When the retained flag of the `PUBLISH` message is set and Payload is empty, whether to continue to publish the message. See: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Toc398718038

delivery_rate
Aliases deliver_rate
Type String
Default "1000/s"
Description
The maximum rate of delivering retained messages
max_publish_rate
Type String
Default "1000/s"
Description
The maximum rate of publishing retained messages. Messages that are published over the limit are delivered but not stored as retained.

backend

Type	`Struct(mnesia_config)`
Description	Settings for the database storing the retained messages.

mnesia_config

type
Type String("built_in_database")
Default built_in_database
Description
Backend type.
storage_type
Type Enum(ram,disc)
Default ram
Description
Specifies whether the messages are stored in RAM or persisted on disc.
max_retained_messages
Type Integer(0..+inf)
Default 0
Description
Maximum number of retained messages. 0 means no limit.

index_specs

Type	`Array(Integer)`
Default	`[[1, 2, 3], [1, 3], [2, 3], [3]]`
Description	Retainer index specifications: list of arrays of positive ascending integers. Each array specifies an index. Numbers in an index specification are 1-based word positions in topics. Words from specified positions will be used for indexing. For example, it is good to have `[2, 4]` index to optimize `+/X/+/Y/...` topic wildcard subscriptions.

telemetry
Type Struct(telemetry)
telemetry
- enable
  Type Boolean
  Description
  Set to false disable telemetry data report
delayed
Type Struct(delayed)
delayed
- max_delayed_messages
  Type Integer
  Default 0
  Description
  Maximum number of delayed messages (0 is no limit).

plugins

Type	`Struct(plugins)`

plugins

states
Type Array(Struct(state))
Default []
Description
An array of plugins in the desired states.
The plugins are started in the defined order
state
- name_vsn
  Type String
  Description
  The {name}-{version} of the plugin.
  It should match the plugin application name-version as plugin release package name
  For example: my_plugin-0.1.0.

install_dir

Type	`String`
Default	`plugins`
Description	The installation directory for the external plugins. The plugin beam files and configuration files should reside in the subdirectory named as `emqx_foo_bar-0.1.0`. NOTE: For security reasons, this directory should NOT be writable by anyone except `emqx` (or any user which runs EMQX).

check_interval

Type Duration

Description

Deprecated since 5.0.24.
A string that represents a time duration, for example: 10s, 2.5m, 1h30m, 1W2D, or 2345ms, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored.

For example, if a configuration item of type Duration(s) is set to 1200ms, the final effective value will be 1s instead of 1.2s.

Duration is equivalent to Duration(ms). The unit part is case-insensitive.

dashboard

Type	`Struct(dashboard)`

dashboard

listeners

Type Struct(listeners)

Description

HTTP(s) listeners are identified by their protocol type and are used to serve dashboard UI and restful HTTP API. Listeners must have a unique combination of port number and IP address. For example, an HTTP listener can listen on all configured IP addresses on a given port for a machine by specifying the IP address 0.0.0.0. Alternatively, the HTTP listener can specify a unique IP address for each listener, but use the same port.

listeners

http

Type	`Struct(http)`
Description	TCP listeners

http

bind

Type	`String`
Default	`0`
Description	Bind the listener to a specified address and port number, for example `127.0.0.1:18083`. If configured with just the port number (e.g. `18083`) it's equivalent to binding to all addresses `0.0.0.0`. The listener is disabled if `bind` is `0`.

num_acceptors
Type Integer
Default 2
Description
Socket acceptor pool size for TCP protocols. Default is the number of schedulers online
max_connections
Type Integer
Default 512
Description
The maximum number of concurrent connections allowed by the listener.
backlog
Type Integer
Default 1024
Description
Defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"10s"`
Description	Send timeout for the socket. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

inet6
Type Boolean
Default false
Description
Enable IPv6 support, default is false, which means IPv4 only.
ipv6_v6only
Type Boolean
Default false
Description
Disable IPv4-to-IPv6 mapping for the listener. The configuration is only valid when the inet6 is true.
proxy_header
Type Boolean
Default false
Description
Enable support for HAProxy header. Be aware once enabled regular HTTP requests can't be handled anymore.

https

Type	`Struct(https)`
Description	SSL listeners

https

bind

Type	`String`
Default	`0`
Description	Bind the listener to a specified address and port number, for example `127.0.0.1:18083`. If configured with just the port number (e.g. `18083`) it's equivalent to binding to all addresses `0.0.0.0`. The listener is disabled if `bind` is `0`.

ssl_options

Type	`Struct(ssl_options)`
Description	SSL/TLS options for the dashboard listener.

ssl_options

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

num_acceptors
Type Integer
Default 2
Description
Socket acceptor pool size for TCP protocols. Default is the number of schedulers online
max_connections
Type Integer
Default 512
Description
The maximum number of concurrent connections allowed by the listener.
backlog
Type Integer
Default 1024
Description
Defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"10s"`
Description	Send timeout for the socket. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

inet6
Type Boolean
Default false
Description
Enable IPv6 support, default is false, which means IPv4 only.
ipv6_v6only
Type Boolean
Default false
Description
Disable IPv4-to-IPv6 mapping for the listener. The configuration is only valid when the inet6 is true.
proxy_header
Type Boolean
Default false
Description
Enable support for HAProxy header. Be aware once enabled regular HTTP requests can't be handled anymore.

default_password

Type	`String`
Default	`public`
Description	The password used to initialize a database record for `admin` user. NOTE: Changing the default password after it has been initialized (boot up for the fist time) has no effect. Once initialized, the default password `public` must be changed from dashboard or CLI as soon as possible.

token_expired_time

Type	`Duration`
Default	`"60m"`
Description	JWT token expiration time. Default is 60 minutes A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

cors

Type	`Boolean`
Default	`false`
Description	Support Cross-Origin Resource Sharing (CORS). Allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

swagger_support
Type Boolean
Default true
Description
Enable or disable support for swagger API documentation.

gateway

Type	`Struct(gateway)`

gateway

coap

Type	`Struct(coap)`

coap

heartbeat

Type	`Duration(s)`
Default	`"30s"`
Description	The gateway server required minimum heartbeat interval. When connection mode is enabled, this parameter is used to set the minimum heartbeat interval for the connection to be alive A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

connection_required

Type	`Boolean`
Default	`false`
Description	Enable or disable connection mode. Connection mode is a feature of non-standard protocols. When connection mode is enabled, it is necessary to maintain the creation, authentication and alive of connection resources

notify_type

Type	`Enum(non,con,qos)`
Default	`qos`
Description	The Notification Message will be delivered to the CoAP client if a new message received on an observed topic. The type of delivered coap message can be set to: non: Non-confirmable; con: Confirmable; qos: Mapping from QoS type of received message, QoS0 -> non, QoS1,2 -> con

subscribe_qos

Type	`Enum(qos0,qos1,qos2,coap)`
Default	`coap`
Description	The Default QoS Level indicator for subscribe request. This option specifies the QoS level for the CoAP Client when establishing a subscription membership, if the subscribe request is not carried `qos` option. The indicator can be set to: qos0, qos1, qos2: Fixed default QoS level coap: Dynamic QoS level by the message type of subscribe request qos0: If the subscribe request is non-confirmable qos1: If the subscribe request is confirmable

publish_qos

Type	`Enum(qos0,qos1,qos2,coap)`
Default	`coap`
Description	The Default QoS Level indicator for publish request. This option specifies the QoS level for the CoAP Client when publishing a message to EMQX PUB/SUB system, if the publish request is not carried `qos` option. The indicator can be set to: qos0, qos1, qos2: Fixed default QoS level coap: Dynamic QoS level by the message type of publish request qos0: If the publish request is non-confirmable qos1: If the publish request is confirmable

mountpoint

Type	`String`
Default	`""`
Description	When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to `t` with `listeners.tcp.\<name>.mountpoint` set to `some_tenant`, then the client actually subscribes to the topic `some_tenant/t`. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic `t`, the message is routed to all the clients subscribed `some_tenant/t`, so client A will receive the message, with topic name `t`. Set to `""` to disable the feature. Supported placeholders in mountpoint string: `${clientid}`: clientid `${username}`: username `${endpoint_name}`: endpoint name

listeners

Type	`Struct(udp_listeners)`

udp_listeners

udp

Type	`Map($name->Struct(udp_listener))`
Description	A map from listener names to listener settings.

udp_listener

health_check
Type Struct(udp_health_check)
Description
Some Cloud platform use a request-reply mechanism to check whether a UDP port is healthy, here can configure this pair.
udp_health_check
- request
  Type String
  Description
  The content of the request.
- reply
  Type String
  Description
  The content to reply.

udp_options

Type	`Struct(udp_opts)`

udp_opts

active_n
Type Integer
Default 100
Description
Specify the {active, N} option for the socket. See: https://erlang.org/doc/man/inet.html#setopts-2

recbuf

Type	`Bytesize`
Description	Size of the kernel-space receive buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	Size of the kernel-space send buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Description	Size of the user-space buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

reuseaddr
Type Boolean
Default true
Description
Allow local reuse of port numbers.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t. Set to "" to disable the feature. Supported placeholders in mountpoint string:

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

dtls

Type	`Map($name->Struct(dtls_listener))`
Description	A map from listener names to listener settings.

dtls_listener

acceptors
Type Integer
Default 16
Description
Size of the acceptor pool.
health_check
Type Struct(udp_health_check)
Description
Some Cloud platform use a request-reply mechanism to check whether a UDP port is healthy, here can configure this pair.
udp_health_check
- request
  Type String
  Description
  The content of the request.
- reply
  Type String
  Description
  The content to reply.

udp_options

Type	`Struct(udp_opts)`

udp_opts

active_n
Type Integer
Default 100
Description
Specify the {active, N} option for the socket. See: https://erlang.org/doc/man/inet.html#setopts-2

recbuf

Type	`Bytesize`
Description	Size of the kernel-space receive buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	Size of the kernel-space send buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Description	Size of the user-space buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

reuseaddr
Type Boolean
Default true
Description
Allow local reuse of port numbers.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

dtls_options

Type	`Struct(dtls_opts)`
Description	DTLS socket options

dtls_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["dtlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

gc_after_handshake
Type Boolean
Default false
Description
Memory usage tuning. If enabled, will immediately perform a garbage collection after the TLS/SSL handshake.

ocsp

Type	`Struct(ocsp)`

ocsp

enable_ocsp_stapling
Type Boolean
Default false
Description
Whether to enable Online Certificate Status Protocol (OCSP) stapling for the listener. If set to true, requires defining the OCSP responder URL and issuer PEM path.
responder_url
Type String
Description
URL for the OCSP responder to check the server certificate against.
issuer_pem
Type String
Description
PEM-encoded certificate of the OCSP issuer for the server certificate.

refresh_interval

Type	`Duration`
Default	`"5m"`
Description	The period to refresh the OCSP response for the server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

refresh_http_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout for the HTTP request when checking OCSP responses. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable_crl_check
Type Boolean
Default false
Description
Whether to enable CRL verification for this listener.

enable_stats
Type Boolean
Default true
Description
Whether to enable client process statistic

idle_timeout

Type	`Duration`
Default	`"30s"`
Description	The idle time of the client connection process. It has two purposes: A newly created client process that does not receive any client requests after that time will be closed directly. A running client process that does not receive any client requests after this time will go into hibernation to save resources. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

clientinfo_override
Type Struct(clientinfo_override)
Description
ClientInfo override.
clientinfo_override
- username
  Type String
  Description
  Template for overriding username.
- password
  Type String
  Description
  Template for overriding password.
- clientid
  Type String
  Description
  Template for overriding clientid.

exproto

Type	`Struct(exproto)`

exproto

server

Type	`Struct(exproto_grpc_server)`
Description	Configurations for starting the `ConnectionAdapter` service

exproto_grpc_server

bind
Type String
Description
Listening address and port for the gRPC server.

ssl_options

Type	`Struct(ssl_server_opts)`
Description	SSL configuration for the gRPC server.

ssl_server_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

handler

Type	`Struct(exproto_grpc_handler)`
Description	Configurations for request to `ConnectionHandler` service

exproto_grpc_handler

address
Type String
Description
gRPC server address.

service_name

Type	`OneOf(String("ConnectionHandler"),String("ConnectionUnaryHandler"))`
Default	`ConnectionUnaryHandler`
Description	The service name to handle the connection events. In the initial version, we expected to use streams to improve the efficiency of requests in `ConnectionHandler`. But unfortunately, events between different streams are out of order. It causes the `OnSocketCreated` event to may arrive later than `OnReceivedBytes`. So we added the `ConnectionUnaryHandler` service since v5.0.25 and forced the use of Unary in it to avoid ordering problems.

ssl_options

Type	`Struct(ssl_client_opts)`
Description	SSL configuration for the gRPC client.

ssl_client_opts

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

mountpoint

Type	`String`
Default	`""`
Description	When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to `t` with `listeners.tcp.\<name>.mountpoint` set to `some_tenant`, then the client actually subscribes to the topic `some_tenant/t`. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic `t`, the message is routed to all the clients subscribed `some_tenant/t`, so client A will receive the message, with topic name `t`. Set to `""` to disable the feature. Supported placeholders in mountpoint string: `${clientid}`: clientid `${username}`: username `${endpoint_name}`: endpoint name

listeners

Type	`Struct(tcp_udp_listeners)`

tcp_udp_listeners

tcp

Type	`Map($name->Struct(tcp_listener))`
Description	A map from listener names to listener settings.

tcp_listener

acceptors
Type Integer
Default 16
Description
Size of the acceptor pool.

tcp_options

Type	`Struct(tcp_opts)`
Description	Setting the TCP socket options.

tcp_opts

active_n
Type Integer(0..+inf)
Default 100
Description
Specify the {active, N} option for this Socket.
See: https://erlang.org/doc/man/inet.html#setopts-2
backlog
Type Integer(1..+inf)
Default 1024
Description
TCP backlog defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"15s"`
Description	The maximum time a process is suspended for sending data to a busy socket. After the timeout, the TCP connection and the process will be closed. The process is unsuspended only when the socket is unbusy, that is, the data accumulated in the Erlang internal buffer drops from the high watermark (specified by `high_watermark`) to the low watermark (default 4 KB). Therefore, `(high_watermark - 4 KB) / send_timeout` must be a suitable message outflow speed, otherwise the suspended process will never be able to recover before the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

send_timeout_close
Type Boolean
Default true
Description
Close the connection if send timeout.

recbuf

Type	`Bytesize`
Description	The TCP receive buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	The TCP send buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Default	`"4KB"`
Description	The size of the user-space buffer used by the driver. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

high_watermark

Type	`Bytesize`
Default	`"1MB"`
Description	When EMQX tries to send more data than the OS has allocated for the socket's send buffer, the remaining data will be temporarily stored in Erlang's internal buffer and then sent in the background. If the amount of data queued in the internal buffer exceeds `high_watermark`, the corresponding socket will be marked as busy. The process sending data to this busy socket will be suspended until the socket is no longer busy, or the suspension time exceeds `send_timeout`. The socket will only be unbusy when the data in the internal buffer is below the low watermark. While the process is suspended, the message queue of the process may accumulate, see `max_mailbox_len` for details. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

nodelay
Type Boolean
Default true
Description
The TCP_NODELAY flag for the connections. When set to true, data is sent immediately, regardless of size.

nolinger

Type	`Boolean`
Default	`false`
Description	When enabled, `SO_LINGER` flag is set as `(onoff=1, linger=0)`, which means the TCP socket is to be closed immediately by sending a TCP-RST packet, discarding any unsent data and skipping the graceful close steps, including CLOSE_WAIT, FIN_WAIT, and TIME_WAIT.

reuseaddr
Type Boolean
Default true
Description
The SO_REUSEADDR flag for the connections.

keepalive

Type	`String`
Default	`none`
Description	Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes' Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200). Interval: The number of seconds between TCP keep-alive probes (Linux default 75). Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'

proxy_protocol

Type	`Boolean`
Default	`false`
Description	If a reverse proxy is deployed for EMQX, and the PROXY protocol is enabled at the proxy to pass the client's real IP, this option needs to be turned on so that EMQX can extract the client's real IP from the PROXY protocol header. EMQX will automatically detect the version of the PROXY protocol and support V1 and V2. For a detailed description of the PROXY protocol, please refer to: https://www.haproxy.com/blog/haproxy/proxy-protocol/

proxy_protocol_timeout

Type	`Duration`
Default	`"3s"`
Description	Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

ssl

Type	`Map($name->Struct(ssl_listener))`
Description	A map from listener names to listener settings.

ssl_listener

acceptors
Type Integer
Default 16
Description
Size of the acceptor pool.

tcp_options

Type	`Struct(tcp_opts)`
Description	Setting the TCP socket options.

tcp_opts

active_n
Type Integer(0..+inf)
Default 100
Description
Specify the {active, N} option for this Socket.
See: https://erlang.org/doc/man/inet.html#setopts-2
backlog
Type Integer(1..+inf)
Default 1024
Description
TCP backlog defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"15s"`
Description	The maximum time a process is suspended for sending data to a busy socket. After the timeout, the TCP connection and the process will be closed. The process is unsuspended only when the socket is unbusy, that is, the data accumulated in the Erlang internal buffer drops from the high watermark (specified by `high_watermark`) to the low watermark (default 4 KB). Therefore, `(high_watermark - 4 KB) / send_timeout` must be a suitable message outflow speed, otherwise the suspended process will never be able to recover before the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

send_timeout_close
Type Boolean
Default true
Description
Close the connection if send timeout.

recbuf

Type	`Bytesize`
Description	The TCP receive buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	The TCP send buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Default	`"4KB"`
Description	The size of the user-space buffer used by the driver. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

high_watermark

Type	`Bytesize`
Default	`"1MB"`
Description	When EMQX tries to send more data than the OS has allocated for the socket's send buffer, the remaining data will be temporarily stored in Erlang's internal buffer and then sent in the background. If the amount of data queued in the internal buffer exceeds `high_watermark`, the corresponding socket will be marked as busy. The process sending data to this busy socket will be suspended until the socket is no longer busy, or the suspension time exceeds `send_timeout`. The socket will only be unbusy when the data in the internal buffer is below the low watermark. While the process is suspended, the message queue of the process may accumulate, see `max_mailbox_len` for details. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

nodelay
Type Boolean
Default true
Description
The TCP_NODELAY flag for the connections. When set to true, data is sent immediately, regardless of size.

nolinger

Type	`Boolean`
Default	`false`
Description	When enabled, `SO_LINGER` flag is set as `(onoff=1, linger=0)`, which means the TCP socket is to be closed immediately by sending a TCP-RST packet, discarding any unsent data and skipping the graceful close steps, including CLOSE_WAIT, FIN_WAIT, and TIME_WAIT.

reuseaddr
Type Boolean
Default true
Description
The SO_REUSEADDR flag for the connections.

keepalive

Type	`String`
Default	`none`
Description	Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes' Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200). Interval: The number of seconds between TCP keep-alive probes (Linux default 75). Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'

proxy_protocol

Type	`Boolean`
Default	`false`
Description	If a reverse proxy is deployed for EMQX, and the PROXY protocol is enabled at the proxy to pass the client's real IP, this option needs to be turned on so that EMQX can extract the client's real IP from the PROXY protocol header. EMQX will automatically detect the version of the PROXY protocol and support V1 and V2. For a detailed description of the PROXY protocol, please refer to: https://www.haproxy.com/blog/haproxy/proxy-protocol/

proxy_protocol_timeout

Type	`Duration`
Default	`"3s"`
Description	Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

ssl_options

Type	`Struct(listener_ssl_opts)`
Description	SSL Socket options.

listener_ssl_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

gc_after_handshake
Type Boolean
Default false
Description
Memory usage tuning. If enabled, will immediately perform a garbage collection after the TLS/SSL handshake.

ocsp

Type	`Struct(ocsp)`

ocsp

enable_ocsp_stapling
Type Boolean
Default false
Description
Whether to enable Online Certificate Status Protocol (OCSP) stapling for the listener. If set to true, requires defining the OCSP responder URL and issuer PEM path.
responder_url
Type String
Description
URL for the OCSP responder to check the server certificate against.
issuer_pem
Type String
Description
PEM-encoded certificate of the OCSP issuer for the server certificate.

refresh_interval

Type	`Duration`
Default	`"5m"`
Description	The period to refresh the OCSP response for the server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

refresh_http_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout for the HTTP request when checking OCSP responses. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable_crl_check
Type Boolean
Default false
Description
Whether to enable CRL verification for this listener.

udp

Type	`Map($name->Struct(udp_listener))`
Description	A map from listener names to listener settings.

udp_listener

health_check
Type Struct(udp_health_check)
Description
Some Cloud platform use a request-reply mechanism to check whether a UDP port is healthy, here can configure this pair.
udp_health_check
- request
  Type String
  Description
  The content of the request.
- reply
  Type String
  Description
  The content to reply.

udp_options

Type	`Struct(udp_opts)`

udp_opts

active_n
Type Integer
Default 100
Description
Specify the {active, N} option for the socket. See: https://erlang.org/doc/man/inet.html#setopts-2

recbuf

Type	`Bytesize`
Description	Size of the kernel-space receive buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	Size of the kernel-space send buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Description	Size of the user-space buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

reuseaddr
Type Boolean
Default true
Description
Allow local reuse of port numbers.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

dtls

Type	`Map($name->Struct(dtls_listener))`
Description	A map from listener names to listener settings.

dtls_listener

acceptors
Type Integer
Default 16
Description
Size of the acceptor pool.
health_check
Type Struct(udp_health_check)
Description
Some Cloud platform use a request-reply mechanism to check whether a UDP port is healthy, here can configure this pair.
udp_health_check
- request
  Type String
  Description
  The content of the request.
- reply
  Type String
  Description
  The content to reply.

udp_options

Type	`Struct(udp_opts)`

udp_opts

active_n
Type Integer
Default 100
Description
Specify the {active, N} option for the socket. See: https://erlang.org/doc/man/inet.html#setopts-2

recbuf

Type	`Bytesize`
Description	Size of the kernel-space receive buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	Size of the kernel-space send buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Description	Size of the user-space buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

reuseaddr
Type Boolean
Default true
Description
Allow local reuse of port numbers.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

dtls_options

Type	`Struct(dtls_opts)`
Description	DTLS socket options

dtls_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["dtlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

gc_after_handshake
Type Boolean
Default false
Description
Memory usage tuning. If enabled, will immediately perform a garbage collection after the TLS/SSL handshake.

ocsp

Type	`Struct(ocsp)`

ocsp

enable_ocsp_stapling
Type Boolean
Default false
Description
Whether to enable Online Certificate Status Protocol (OCSP) stapling for the listener. If set to true, requires defining the OCSP responder URL and issuer PEM path.
responder_url
Type String
Description
URL for the OCSP responder to check the server certificate against.
issuer_pem
Type String
Description
PEM-encoded certificate of the OCSP issuer for the server certificate.

refresh_interval

Type	`Duration`
Default	`"5m"`
Description	The period to refresh the OCSP response for the server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

refresh_http_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout for the HTTP request when checking OCSP responses. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable_crl_check
Type Boolean
Default false
Description
Whether to enable CRL verification for this listener.

enable_stats
Type Boolean
Default true
Description
Whether to enable client process statistic

idle_timeout

Type	`Duration`
Default	`"30s"`
Description	The idle time of the client connection process. It has two purposes: A newly created client process that does not receive any client requests after that time will be closed directly. A running client process that does not receive any client requests after this time will go into hibernation to save resources. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

clientinfo_override
Type Struct(clientinfo_override)
Description
ClientInfo override.
clientinfo_override
- username
  Type String
  Description
  Template for overriding username.
- password
  Type String
  Description
  Template for overriding password.
- clientid
  Type String
  Description
  Template for overriding clientid.

lwm2m

Type	`Struct(lwm2m)`

lwm2m

xml_dir
Type String
Description
The Directory for LwM2M Resource definition.

lifetime_min

Type	`Duration`
Default	`"15s"`
Description	Minimum value of lifetime allowed to be set by the LwM2M client. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

lifetime_max

Type	`Duration`
Default	`"86400s"`
Description	Maximum value of lifetime allowed to be set by the LwM2M client. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

qmode_time_window

Type	`Duration(s)`
Default	`"22s"`
Description	The value of the time window during which the network link is considered valid by the LwM2M Gateway in QMode mode. For example, after receiving an update message from a client, any messages within this time window are sent directly to the LwM2M client, and all messages beyond this time window are temporarily stored in memory. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

auto_observe
Type Boolean
Default false
Description
Automatically observe the object list of REGISTER packet.

update_msg_publish_condition

Type	`Enum(always,contains_object_list)`
Default	`contains_object_list`
Description	Policy for publishing UPDATE event message. always: send update events as long as the UPDATE request is received. contains_object_list: send update events only if the UPDATE request carries any Object List

translators

Type	`Struct(lwm2m_translators)`
Description	Topic configuration for LwM2M's gateway publishing and subscription.

lwm2m_translators

command

Type	`Struct(translator)`
Description	The topic for receiving downstream commands. For each new LwM2M client that succeeds in going online, the gateway creates a subscription relationship to receive downstream commands and send it to the LwM2M client

translator

topic
Type String
Description
Topic Name
qos
Type Integer(0..2)
Default 0
Description
QoS Level

response
Type Struct(translator)
Description
The topic for gateway to publish the acknowledge events from LwM2M client
translator
- topic
  Type String
  Description
  Topic Name
- qos
  Type Integer(0..2)
  Default 0
  Description
  QoS Level

notify

Type	`Struct(translator)`
Description	The topic for gateway to publish the notify events from LwM2M client. After succeed observe a resource of LwM2M client, Gateway will send the notify events via this topic, if the client reports any resource changes

translator

topic
Type String
Description
Topic Name
qos
Type Integer(0..2)
Default 0
Description
QoS Level

register
Type Struct(translator)
Description
The topic for gateway to publish the register events from LwM2M client.
translator
- topic
  Type String
  Description
  Topic Name
- qos
  Type Integer(0..2)
  Default 0
  Description
  QoS Level
update
Type Struct(translator)
Description
The topic for gateway to publish the update events from LwM2M client
translator
- topic
  Type String
  Description
  Topic Name
- qos
  Type Integer(0..2)
  Default 0
  Description
  QoS Level

mountpoint

Type	`String`
Default	`"lwm2m/${endpoint_name}/"`
Description	When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to `t` with `listeners.tcp.\<name>.mountpoint` set to `some_tenant`, then the client actually subscribes to the topic `some_tenant/t`. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic `t`, the message is routed to all the clients subscribed `some_tenant/t`, so client A will receive the message, with topic name `t`. Set to `""` to disable the feature. Supported placeholders in mountpoint string: `${clientid}`: clientid `${username}`: username `${endpoint_name}`: endpoint name

listeners

Type	`Struct(udp_listeners)`

udp_listeners

udp

Type	`Map($name->Struct(udp_listener))`
Description	A map from listener names to listener settings.

udp_listener

health_check
Type Struct(udp_health_check)
Description
Some Cloud platform use a request-reply mechanism to check whether a UDP port is healthy, here can configure this pair.
udp_health_check
- request
  Type String
  Description
  The content of the request.
- reply
  Type String
  Description
  The content to reply.

udp_options

Type	`Struct(udp_opts)`

udp_opts

active_n
Type Integer
Default 100
Description
Specify the {active, N} option for the socket. See: https://erlang.org/doc/man/inet.html#setopts-2

recbuf

Type	`Bytesize`
Description	Size of the kernel-space receive buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	Size of the kernel-space send buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Description	Size of the user-space buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

reuseaddr
Type Boolean
Default true
Description
Allow local reuse of port numbers.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

dtls

Type	`Map($name->Struct(dtls_listener))`
Description	A map from listener names to listener settings.

dtls_listener

acceptors
Type Integer
Default 16
Description
Size of the acceptor pool.
health_check
Type Struct(udp_health_check)
Description
Some Cloud platform use a request-reply mechanism to check whether a UDP port is healthy, here can configure this pair.
udp_health_check
- request
  Type String
  Description
  The content of the request.
- reply
  Type String
  Description
  The content to reply.

udp_options

Type	`Struct(udp_opts)`

udp_opts

active_n
Type Integer
Default 100
Description
Specify the {active, N} option for the socket. See: https://erlang.org/doc/man/inet.html#setopts-2

recbuf

Type	`Bytesize`
Description	Size of the kernel-space receive buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	Size of the kernel-space send buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Description	Size of the user-space buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

reuseaddr
Type Boolean
Default true
Description
Allow local reuse of port numbers.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

dtls_options

Type	`Struct(dtls_opts)`
Description	DTLS socket options

dtls_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["dtlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

gc_after_handshake
Type Boolean
Default false
Description
Memory usage tuning. If enabled, will immediately perform a garbage collection after the TLS/SSL handshake.

ocsp

Type	`Struct(ocsp)`

ocsp

enable_ocsp_stapling
Type Boolean
Default false
Description
Whether to enable Online Certificate Status Protocol (OCSP) stapling for the listener. If set to true, requires defining the OCSP responder URL and issuer PEM path.
responder_url
Type String
Description
URL for the OCSP responder to check the server certificate against.
issuer_pem
Type String
Description
PEM-encoded certificate of the OCSP issuer for the server certificate.

refresh_interval

Type	`Duration`
Default	`"5m"`
Description	The period to refresh the OCSP response for the server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

refresh_http_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout for the HTTP request when checking OCSP responses. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable_crl_check
Type Boolean
Default false
Description
Whether to enable CRL verification for this listener.

enable_stats
Type Boolean
Default true
Description
Whether to enable client process statistic

idle_timeout

Type	`Duration`
Default	`"30s"`
Description	The idle time of the client connection process. It has two purposes: A newly created client process that does not receive any client requests after that time will be closed directly. A running client process that does not receive any client requests after this time will go into hibernation to save resources. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

clientinfo_override
Type Struct(clientinfo_override)
Description
ClientInfo override.
clientinfo_override
- username
  Type String
  Description
  Template for overriding username.
- password
  Type String
  Description
  Template for overriding password.
- clientid
  Type String
  Description
  Template for overriding clientid.

mqttsn

Type	`Struct(mqttsn)`

mqttsn

gateway_id
Type Integer
Default 1
Description
MQTT-SN Gateway ID. When the broadcast option is enabled, the gateway will broadcast ADVERTISE message with this value
broadcast
Type Boolean
Default false
Description
Whether to periodically broadcast ADVERTISE messages

enable_qos3

Type	`Boolean`
Default	`true`
Description	Allows connectionless clients to publish messages with a Qos of -1. This feature is defined for very simple client implementations which do not support any other features except this one. There is no connection setup nor tear down, no registration nor subscription. The client just sends its 'PUBLISH' messages to a GW

subs_resume
Type Boolean
Default false
Description
Whether to initiate all subscribed topic name registration messages to the client after the Session has been taken over by a new channel

predefined

Type	`Array(Struct(mqttsn_predefined))`
Default	`[]`
Description	The pre-defined topic IDs and topic names. A 'pre-defined' topic ID is a topic ID whose mapping to a topic name is known in advance by both the client's application and the gateway

mqttsn_predefined

id
Type Integer(1..1024)
Description
Topic ID. Range: 1-65535
topic
Type String
Description
Topic Name

mountpoint

Type	`String`
Default	`""`
Description	When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to `t` with `listeners.tcp.\<name>.mountpoint` set to `some_tenant`, then the client actually subscribes to the topic `some_tenant/t`. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic `t`, the message is routed to all the clients subscribed `some_tenant/t`, so client A will receive the message, with topic name `t`. Set to `""` to disable the feature. Supported placeholders in mountpoint string: `${clientid}`: clientid `${username}`: username `${endpoint_name}`: endpoint name

listeners

Type	`Struct(udp_listeners)`

udp_listeners

udp

Type	`Map($name->Struct(udp_listener))`
Description	A map from listener names to listener settings.

udp_listener

health_check
Type Struct(udp_health_check)
Description
Some Cloud platform use a request-reply mechanism to check whether a UDP port is healthy, here can configure this pair.
udp_health_check
- request
  Type String
  Description
  The content of the request.
- reply
  Type String
  Description
  The content to reply.

udp_options

Type	`Struct(udp_opts)`

udp_opts

active_n
Type Integer
Default 100
Description
Specify the {active, N} option for the socket. See: https://erlang.org/doc/man/inet.html#setopts-2

recbuf

Type	`Bytesize`
Description	Size of the kernel-space receive buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	Size of the kernel-space send buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Description	Size of the user-space buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

reuseaddr
Type Boolean
Default true
Description
Allow local reuse of port numbers.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

dtls

Type	`Map($name->Struct(dtls_listener))`
Description	A map from listener names to listener settings.

dtls_listener

acceptors
Type Integer
Default 16
Description
Size of the acceptor pool.
health_check
Type Struct(udp_health_check)
Description
Some Cloud platform use a request-reply mechanism to check whether a UDP port is healthy, here can configure this pair.
udp_health_check
- request
  Type String
  Description
  The content of the request.
- reply
  Type String
  Description
  The content to reply.

udp_options

Type	`Struct(udp_opts)`

udp_opts

active_n
Type Integer
Default 100
Description
Specify the {active, N} option for the socket. See: https://erlang.org/doc/man/inet.html#setopts-2

recbuf

Type	`Bytesize`
Description	Size of the kernel-space receive buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	Size of the kernel-space send buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Description	Size of the user-space buffer for the socket. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

reuseaddr
Type Boolean
Default true
Description
Allow local reuse of port numbers.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

dtls_options

Type	`Struct(dtls_opts)`
Description	DTLS socket options

dtls_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["dtlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

gc_after_handshake
Type Boolean
Default false
Description
Memory usage tuning. If enabled, will immediately perform a garbage collection after the TLS/SSL handshake.

ocsp

Type	`Struct(ocsp)`

ocsp

enable_ocsp_stapling
Type Boolean
Default false
Description
Whether to enable Online Certificate Status Protocol (OCSP) stapling for the listener. If set to true, requires defining the OCSP responder URL and issuer PEM path.
responder_url
Type String
Description
URL for the OCSP responder to check the server certificate against.
issuer_pem
Type String
Description
PEM-encoded certificate of the OCSP issuer for the server certificate.

refresh_interval

Type	`Duration`
Default	`"5m"`
Description	The period to refresh the OCSP response for the server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

refresh_http_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout for the HTTP request when checking OCSP responses. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable_crl_check
Type Boolean
Default false
Description
Whether to enable CRL verification for this listener.

enable_stats
Type Boolean
Default true
Description
Whether to enable client process statistic

idle_timeout

Type	`Duration`
Default	`"30s"`
Description	The idle time of the client connection process. It has two purposes: A newly created client process that does not receive any client requests after that time will be closed directly. A running client process that does not receive any client requests after this time will go into hibernation to save resources. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

clientinfo_override
Type Struct(clientinfo_override)
Description
ClientInfo override.
clientinfo_override
- username
  Type String
  Description
  Template for overriding username.
- password
  Type String
  Description
  Template for overriding password.
- clientid
  Type String
  Description
  Template for overriding clientid.

stomp

Type	`Struct(stomp)`

stomp

frame
Type Struct(stomp_frame)
stomp_frame
- max_headers
  Type Integer(0..+inf)
  Default 10
  Description
  The maximum number of Header
- max_headers_length
  Type Integer(0..+inf)
  Default 1024
  Description
  The maximum string length of the Header Value
- max_body_length
  Type Integer
  Default 65536
  Description
  Maximum number of bytes of Body allowed per Stomp packet

mountpoint

Type	`String`
Default	`""`
Description	When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to `t` with `listeners.tcp.\<name>.mountpoint` set to `some_tenant`, then the client actually subscribes to the topic `some_tenant/t`. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic `t`, the message is routed to all the clients subscribed `some_tenant/t`, so client A will receive the message, with topic name `t`. Set to `""` to disable the feature. Supported placeholders in mountpoint string: `${clientid}`: clientid `${username}`: username `${endpoint_name}`: endpoint name

listeners

Type	`Struct(tcp_listeners)`

tcp_listeners

tcp

Type	`Map($name->Struct(tcp_listener))`
Description	A map from listener names to listener settings.

tcp_listener

acceptors
Type Integer
Default 16
Description
Size of the acceptor pool.

tcp_options

Type	`Struct(tcp_opts)`
Description	Setting the TCP socket options.

tcp_opts

active_n
Type Integer(0..+inf)
Default 100
Description
Specify the {active, N} option for this Socket.
See: https://erlang.org/doc/man/inet.html#setopts-2
backlog
Type Integer(1..+inf)
Default 1024
Description
TCP backlog defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"15s"`
Description	The maximum time a process is suspended for sending data to a busy socket. After the timeout, the TCP connection and the process will be closed. The process is unsuspended only when the socket is unbusy, that is, the data accumulated in the Erlang internal buffer drops from the high watermark (specified by `high_watermark`) to the low watermark (default 4 KB). Therefore, `(high_watermark - 4 KB) / send_timeout` must be a suitable message outflow speed, otherwise the suspended process will never be able to recover before the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

send_timeout_close
Type Boolean
Default true
Description
Close the connection if send timeout.

recbuf

Type	`Bytesize`
Description	The TCP receive buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	The TCP send buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Default	`"4KB"`
Description	The size of the user-space buffer used by the driver. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

high_watermark

Type	`Bytesize`
Default	`"1MB"`
Description	When EMQX tries to send more data than the OS has allocated for the socket's send buffer, the remaining data will be temporarily stored in Erlang's internal buffer and then sent in the background. If the amount of data queued in the internal buffer exceeds `high_watermark`, the corresponding socket will be marked as busy. The process sending data to this busy socket will be suspended until the socket is no longer busy, or the suspension time exceeds `send_timeout`. The socket will only be unbusy when the data in the internal buffer is below the low watermark. While the process is suspended, the message queue of the process may accumulate, see `max_mailbox_len` for details. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

nodelay
Type Boolean
Default true
Description
The TCP_NODELAY flag for the connections. When set to true, data is sent immediately, regardless of size.

nolinger

Type	`Boolean`
Default	`false`
Description	When enabled, `SO_LINGER` flag is set as `(onoff=1, linger=0)`, which means the TCP socket is to be closed immediately by sending a TCP-RST packet, discarding any unsent data and skipping the graceful close steps, including CLOSE_WAIT, FIN_WAIT, and TIME_WAIT.

reuseaddr
Type Boolean
Default true
Description
The SO_REUSEADDR flag for the connections.

keepalive

Type	`String`
Default	`none`
Description	Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes' Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200). Interval: The number of seconds between TCP keep-alive probes (Linux default 75). Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'

proxy_protocol

Type	`Boolean`
Default	`false`
Description	If a reverse proxy is deployed for EMQX, and the PROXY protocol is enabled at the proxy to pass the client's real IP, this option needs to be turned on so that EMQX can extract the client's real IP from the PROXY protocol header. EMQX will automatically detect the version of the PROXY protocol and support V1 and V2. For a detailed description of the PROXY protocol, please refer to: https://www.haproxy.com/blog/haproxy/proxy-protocol/

proxy_protocol_timeout

Type	`Duration`
Default	`"3s"`
Description	Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

ssl

Type	`Map($name->Struct(ssl_listener))`
Description	A map from listener names to listener settings.

ssl_listener

acceptors
Type Integer
Default 16
Description
Size of the acceptor pool.

tcp_options

Type	`Struct(tcp_opts)`
Description	Setting the TCP socket options.

tcp_opts

active_n
Type Integer(0..+inf)
Default 100
Description
Specify the {active, N} option for this Socket.
See: https://erlang.org/doc/man/inet.html#setopts-2
backlog
Type Integer(1..+inf)
Default 1024
Description
TCP backlog defines the maximum length that the queue of pending connections can grow to.

send_timeout

Type	`Duration`
Default	`"15s"`
Description	The maximum time a process is suspended for sending data to a busy socket. After the timeout, the TCP connection and the process will be closed. The process is unsuspended only when the socket is unbusy, that is, the data accumulated in the Erlang internal buffer drops from the high watermark (specified by `high_watermark`) to the low watermark (default 4 KB). Therefore, `(high_watermark - 4 KB) / send_timeout` must be a suitable message outflow speed, otherwise the suspended process will never be able to recover before the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

send_timeout_close
Type Boolean
Default true
Description
Close the connection if send timeout.

recbuf

Type	`Bytesize`
Description	The TCP receive buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	The TCP send buffer (OS kernel) for the connections. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

buffer

Type	`Bytesize`
Default	`"4KB"`
Description	The size of the user-space buffer used by the driver. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

high_watermark

Type	`Bytesize`
Default	`"1MB"`
Description	When EMQX tries to send more data than the OS has allocated for the socket's send buffer, the remaining data will be temporarily stored in Erlang's internal buffer and then sent in the background. If the amount of data queued in the internal buffer exceeds `high_watermark`, the corresponding socket will be marked as busy. The process sending data to this busy socket will be suspended until the socket is no longer busy, or the suspension time exceeds `send_timeout`. The socket will only be unbusy when the data in the internal buffer is below the low watermark. While the process is suspended, the message queue of the process may accumulate, see `max_mailbox_len` for details. A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

nodelay
Type Boolean
Default true
Description
The TCP_NODELAY flag for the connections. When set to true, data is sent immediately, regardless of size.

nolinger

Type	`Boolean`
Default	`false`
Description	When enabled, `SO_LINGER` flag is set as `(onoff=1, linger=0)`, which means the TCP socket is to be closed immediately by sending a TCP-RST packet, discarding any unsent data and skipping the graceful close steps, including CLOSE_WAIT, FIN_WAIT, and TIME_WAIT.

reuseaddr
Type Boolean
Default true
Description
The SO_REUSEADDR flag for the connections.

keepalive

Type	`String`
Default	`none`
Description	Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes' Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200). Interval: The number of seconds between TCP keep-alive probes (Linux default 75). Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'

proxy_protocol

Type	`Boolean`
Default	`false`
Description	If a reverse proxy is deployed for EMQX, and the PROXY protocol is enabled at the proxy to pass the client's real IP, this option needs to be turned on so that EMQX can extract the client's real IP from the PROXY protocol header. EMQX will automatically detect the version of the PROXY protocol and support V1 and V2. For a detailed description of the PROXY protocol, please refer to: https://www.haproxy.com/blog/haproxy/proxy-protocol/

proxy_protocol_timeout

Type	`Duration`
Default	`"3s"`
Description	Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

bind
Type String
Description
The IP address and port that the listener will bind.
max_connections
Type OneOf(Integer(1..+inf),String("infinity"))
Default 1024
Description
The maximum number of concurrent connections allowed by the listener.
max_conn_rate
Type Integer
Default 1000
Description
Maximum connections per second.
enable_authn
Type Boolean
Default true
Description
Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.

mountpoint

Type String

Description

${clientid}: clientid
${username}: username
${endpoint_name}: endpoint name

access_rules

Type	`Array(String)`
Default	`[]`
Description	An access rule list consisting of string rules to restrict or allow access from some addresses. The rules that appear earlier in the list are matched first. The format is `allow \| deny <address> \| <CIDR> \| all`. For example: `["deny 192.168.1.1", "allow 192.168.1.0/24", "deny all"]`

ssl_options

Type	`Struct(listener_ssl_opts)`
Description	SSL Socket options.

listener_ssl_opts

cacertfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cacert.pem"`
Description	Trusted PEM format CA certificates bundle file. The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload). NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Default	`"${EMQX_ETC_DIR}/certs/cert.pem"`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Default "${EMQX_ETC_DIR}/certs/key.pem"
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

dhfile

Type	`String`
Description	Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used. NOTE: The `dhfile` option is not supported by TLS 1.3.

fail_if_no_peer_cert

Type	`Boolean`
Default	`false`
Description	This option is only effective if `verify` is set to `verify_peer`. If set to `true`, EMQX will reject the connection if the client fails to provide a certificate. If set to `false`, EMQX will accept clients which don't present a certificate.

honor_cipher_order

Type	`Boolean`
Default	`true`
Description	An important security setting. If this setting is enabled, the server will prioritize the cipher suites it prefers most from the list of cipher suites supported by the client, thus ignoring the client's preferences. The server's cipher suites are specified by `ciphers`, with preference decreasing from left to right. It is often better to use the server's preferences, as it is more likely that the server will be configured correctly.

client_renegotiation

Type	`Boolean`
Default	`true`
Description	In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher. Has no effect when TLS version is configured (or negotiated) to 1.3

handshake_timeout

Type	`Duration`
Default	`"15s"`
Description	Maximum time duration allowed for the handshake to complete A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

gc_after_handshake
Type Boolean
Default false
Description
Memory usage tuning. If enabled, will immediately perform a garbage collection after the TLS/SSL handshake.

ocsp

Type	`Struct(ocsp)`

ocsp

enable_ocsp_stapling
Type Boolean
Default false
Description
Whether to enable Online Certificate Status Protocol (OCSP) stapling for the listener. If set to true, requires defining the OCSP responder URL and issuer PEM path.
responder_url
Type String
Description
URL for the OCSP responder to check the server certificate against.
issuer_pem
Type String
Description
PEM-encoded certificate of the OCSP issuer for the server certificate.

refresh_interval

Type	`Duration`
Default	`"5m"`
Description	The period to refresh the OCSP response for the server. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

refresh_http_timeout

Type	`Duration`
Default	`"15s"`
Description	The timeout for the HTTP request when checking OCSP responses. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable_crl_check
Type Boolean
Default false
Description
Whether to enable CRL verification for this listener.

enable_stats
Type Boolean
Default true
Description
Whether to enable client process statistic

idle_timeout

Type	`Duration`
Default	`"30s"`
Description	The idle time of the client connection process. It has two purposes: A newly created client process that does not receive any client requests after that time will be closed directly. A running client process that does not receive any client requests after this time will go into hibernation to save resources. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

clientinfo_override
Type Struct(clientinfo_override)
Description
ClientInfo override.
clientinfo_override
- username
  Type String
  Description
  Template for overriding username.
- password
  Type String
  Description
  Template for overriding password.
- clientid
  Type String
  Description
  Template for overriding clientid.

prometheus

Type	`OneOf(Struct(recommend_setting),Struct(legacy_deprecated_setting))`
Default	`{}`

recommend_setting

enable_basic_auth
Type Boolean
Default false
Description
Enable or disable basic authentication for prometheus scrape api, not for Push Gateway

push_gateway

Type	`Struct(push_gateway)`
Description	Push Gateway is optional, should not be configured if prometheus is to scrape EMQX.

push_gateway

enable
Type Boolean
Default false
Description
Enable or disable Pushgateway

method

Type	`Enum(put,post)`
Default	`put`
Description	The HTTP Method of pushing metrics to Pushgateway. Available options: `put`: All metrics with the grouping key specified in the URL are replaced by the metrics pushed with PUT. `post`: POST works exactly like the PUT method but only metrics with the same name as the newly pushed metrics are replaced. The default value is `put`.

url
Type String
Default "http://127.0.0.1:9091"
Description
URL of Pushgateway server. Pushgateway is optional, should not be configured if prometheus is to scrape EMQX.

interval

Type	`Duration`
Default	`"15s"`
Description	Data reporting interval A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

headers
Type Map
Default {}
Description
An HTTP Headers when pushing to Push Gateway.
For example, { Authorization = "some-authz-tokens"}

job_name

Type	`String`
Default	`"${name}/instance/${name}~${host}"`
Description	Job Name that is pushed to the Push Gateway. Available variables: ${cluster_name}: Name of EMQX cluster. ${name}: Name of EMQX node. ${host}: Host name of EMQX node. For example, when the EMQX node name is `emqx@127.0.0.1` then the `name` variable takes value `emqx` and the `host` variable takes value `127.0.0.1`. Default value is: `${name}/instance/${name}~${host}`

collectors

Type	`Struct(collectors)`
Description	The internal advanced metrics of the virtual machine are initially disabled and are usually only enabled during performance testing. Enabling them will increase the CPU load.

collectors

vm_dist
Type Enum(disabled,enabled)
Default disabled
Description
Enable or disable VM distribution collector, collects information about the sockets and processes involved in the Erlang distribution mechanism.
mnesia
Type Enum(enabled,disabled)
Default disabled
Description
Collects Mnesia metrics mainly using mnesia:system_info/1
vm_statistics
Type Enum(enabled,disabled)
Default disabled
Description
Enable or disable VM statistics collector.
vm_system_info
Type Enum(enabled,disabled)
Default disabled
Description
Enable or disable VM system info collector.
vm_memory
Type Enum(enabled,disabled)
Default disabled
Description
Collects information about memory dynamically allocated by the Erlang emulator using erlang:memory/0 .
vm_msacc
Type Enum(enabled,disabled)
Default disabled
Description
Enable or disable VM microstate accounting metrics collector.

legacy_deprecated_setting

push_gateway_server
Type String
Default "http://127.0.0.1:9091"
Description
Deprecated since 5.4.0, use prometheus.push_gateway.url instead

interval

Type	`Duration`
Default	`"15s"`
Description	Deprecated since 5.4.0, use `prometheus.push_gateway.interval` instead A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

headers
Type Map
Default {}
Description
Deprecated since 5.4.0, use prometheus.push_gateway.headers instead
job_name
Type String
Default "${name}/instance/${name}~${host}"
Description
Deprecated since 5.4.0, use prometheus.push_gateway.job_name instead
enable
Type Boolean
Default false
Description
Deprecated since 5.4.0, use prometheus.push_gateway.url instead
vm_dist_collector
Type Enum(disabled,enabled)
Default disabled
Description
Deprecated since 5.4.0, use prometheus.collectors.vm_dist instead
mnesia_collector
Type Enum(enabled,disabled)
Default disabled
Description
Deprecated since 5.4.0, use prometheus.collectors.mnesia instead
vm_statistics_collector
Type Enum(enabled,disabled)
Default disabled
Description
Deprecated since 5.4.0, use prometheus.collectors.vm_statistics instead
vm_system_info_collector
Type Enum(enabled,disabled)
Default disabled
Description
Deprecated, use prometheus.collectors.vm_system_info instead
vm_memory_collector
Type Enum(enabled,disabled)
Default disabled
Description
Deprecated since 5.4.0, use prometheus.collectors.vm_memory instead
vm_msacc_collector
Type Enum(enabled,disabled)
Default disabled
Description
Deprecated since 5.4.0, use prometheus.collectors.vm_msacc instead

exhook

Type	`Struct(exhook)`

exhook

servers

Type	`Array(Struct(server))`
Default	`[]`
Description	List of exhook servers

server

name
Type String
Description
Name of the exhook server
url
Type String
Description
URL of the gRPC server

request_timeout

Type	`Duration`
Default	`"5s"`
Description	The timeout of request gRPC server A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

failed_action
Type Enum(deny,ignore)
Default deny
Description
The value that is returned when the request to the gRPC server fails for any reason

ssl

Type	`Struct(ssl_conf)`

ssl_conf

cacertfile

Type String

Description

cacerts
Type Boolean
Description
Deprecated since 5.1.4.

certfile

Type	`String`
Description	PEM format certificates chain file. The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.

keyfile
Type String
Description
PEM format private key file.
verify
Type Enum(verify_peer,verify_none)
Default verify_none
Description
Enable or disable peer verification.
reuse_sessions
Type Boolean
Default true
Description
Enable TLS session reuse.
Has no effect when TLS version is configured (or negotiated) to 1.3

depth

Type	`Integer(0..+inf)`
Default	`10`
Description	Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, Intermediate-CA, ROOT-CA; if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.

password

Type Secret

Description

versions

Type	`Array(String)`
Default	`["tlsv1.3", "tlsv1.2"]`
Description	All TLS/DTLS versions to be supported. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config. In case PSK cipher suites are intended, make sure to configure `['tlsv1.2', 'tlsv1.1']` here.

ciphers

Type	`Array(String)`
Default	`[]`
Description	This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. `"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"` or `["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"]`. Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance. The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format. NOTE: Certain cipher suites are only compatible with specific TLS `versions` ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the `versions`, configuring cipher suites for other versions will have no effect. NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config If PSK cipher suites are intended, 'tlsv1.3' should be disabled from `versions`. PSK cipher suites: `"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"`

secure_renegotiate

Type	`Boolean`
Default	`true`
Description	Whether to reject TLS renegotiation attempts that are not compliant with RFC 5746. By default, `secure_renegotiate` is set to `true`, which forces secure renegotiation. If set to `false`, secure renegotiation will still be used, but will fall back to insecure renegotiation if the peer does not support RFC 5746, which increases the risk of a MitM attack. Has no effect when TLS version is configured (or negotiated) to 1.3.

log_level

Type	`Enum(emergency,alert,critical,error,warning,notice,info,debug,none,all)`
Default	`notice`
Description	The minimum level of logging allowed for SSL output. The default is `notice`, set to a lower `debug` level for more detailed logging that can be used to investigate SSL handshake issues.

hibernate_after

Type	`Duration`
Default	`"5s"`
Description	Specifies the amount of time that an SSL process will hibernate after being idle, thus reducing its memory footprint. The hibernating process will be woken up when a new message arrives. Hibernating and waking up too often can cause CPU utilization to increase, as they both perform garbage collection on the process. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

enable
Type Boolean
Default false
Description
Enable TLS.

server_name_indication

Type OneOf(String("disable"),String)

Description

socket_options

Type	`Struct(socket_options)`
Default	`{keepalive = true, nodelay = true}`

socket_options

keepalive

Type	`Boolean`
Default	`true`
Description	Enables/disables periodic transmission on a connected socket when no other data is exchanged. If the other end does not respond, the connection is considered broken and an error message is sent to the controlling process.

nodelay
Type Boolean
Default true
Description
If true, option TCP_NODELAY is turned on for the socket, which means that also small amounts of data are sent immediately

recbuf

Type	`Bytesize`
Description	The minimum size of receive buffer to use for the socket A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

sndbuf

Type	`Bytesize`
Description	The minimum size of send buffer to use for the socket A string that represents a number of bytes, for example: `10B`, `640kb`, `4MB`, `1GB`. Units are binary standardized, i.e., 1MB equals 1024KB. units are not case sensitive, i.e., 1kb equals 1KB.

auto_reconnect

Type	`OneOf(String("false"),Duration)`
Default	`"60s"`
Description	Whether to automatically reconnect (initialize) the gRPC server. When gRPC is not available, Exhook tries to request the gRPC service at that interval and reinitialize the list of mounted hooks.

pool_size
Type Integer(1..+inf)
Default 8
Description
The process pool size for gRPC client

psk_authentication

Type	`Struct(psk_authentication)`

psk_authentication

enable
Type Boolean
Default false
Description
Whether to enable TLS PSK support

init_file

Type	`String`
Description	If init_file is specified, EMQX will import PSKs from the file into the built-in database at startup for use by the runtime. The file has to be structured line-by-line, each line must be in the format of `PSKIdentity:SharedSecret`. For example: `mydevice1:c2VjcmV0`

separator
Type String
Default ":"
Description
The separator between PSKIdentity and SharedSecret in the PSK file
chunk_size
Type Integer
Default 50
Description
The size of each chunk used to import to the built-in database from PSK file

slow_subs

Type	`Struct(slow_subs)`

slow_subs

enable
Type Boolean
Default false
Description
Enable Slow Subscriptions

threshold

Type	`Duration`
Default	`"500ms"`
Description	The Client ID and topic of the consumer whose message latency is greater than this threshold will be recorded in the slow subscription list. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

expire_interval

Type	`Duration`
Default	`"300s"`
Description	The expiration time of the slow subscription record, if the record is not updated within the expiration time, then the record will be deleted. A string that represents a time duration, for example: `10s`, `2.5m`, `1h30m`, `1W2D`, or `2345ms`, which is the smallest unit. Each configuration item has its own minimum precision. The part of the setting value that exceeds the precision will be ignored. For example, if a configuration item of type `Duration(s)` is set to `1200ms`, the final effective value will be `1s` instead of `1.2s`. `Duration` is equivalent to `Duration(ms)`. The unit part is case-insensitive.

top_k_num
Type Integer(1..+inf)
Default 10
Description
The maximum number of slow-subscription records, up to a maximum of 1000.

stats_type

Type	`Enum(whole,internal,response)`
Default	`whole`
Description	Message latency calculation method: `whole`: The time from when the message arrives at the EMQX (the EMQX gets the message from the receive-buffer) until the message completes delivery. `internal`: The time from when the message arrives at the EMQX (the EMQX gets the message from the receive-buffer) to when the message begins to be delivered (the EMQX attempts to write the message to the send-buffer). `response`: The time from the start of message delivery to the completion. Note: The completion delivery time refers to the time when QoS 1 and 2 messages complete the MQTT message response process, i.e., the time when QoS 1 message receives the PUBACK packet and QoS 2 message receives the PUBCOMP packet. Since there is no response packet for QoS 0 message, the completion delivery time of the QoS 0 message will be replaced by the time when the message starts to be delivered. Therefore, when using the `response` method to calculate the latency, the latency of a QoS 0 message will always be equal to 0.

api_key

Type	`Struct(api_key)`

api_key

bootstrap_file

Type	`String`
Default	`""`
Description	The bootstrap file provides API keys for EMQX. EMQX will load these keys on startup to authorize API requests. It contains colon-separated values in the format: `api_key:api_secret:role`. Each line specifies an API key and its associated secret, and the role of this key. The 'role' part should be the pre-defined access scope group name, for example, `administrator` or `viewer`. The 'role' is introduced in 5.4, to be backward compatible, if it is missing, the key is implicitly granted `administrator` role.

Configuration Manual ​

listeners

tcp

bind

acceptors

max_connections

mountpoint

zone

enable_authn

max_conn_rate

messages_rate

bytes_rate

access_rules

proxy_protocol

proxy_protocol_timeout

tcp_options

active_n

backlog

send_timeout

send_timeout_close

recbuf

sndbuf

buffer

high_watermark

nodelay

nolinger

reuseaddr

keepalive

ssl

bind

acceptors

max_connections

mountpoint

zone

enable_authn

max_conn_rate

messages_rate

bytes_rate

access_rules

proxy_protocol

proxy_protocol_timeout

tcp_options

active_n

backlog

send_timeout

send_timeout_close

recbuf

sndbuf

buffer

high_watermark

nodelay

nolinger

reuseaddr

keepalive

ssl_options

cacertfile

cacerts

certfile

keyfile

verify

reuse_sessions

depth

password

versions

ciphers

secure_renegotiate

log_level

hibernate_after

dhfile

fail_if_no_peer_cert

honor_cipher_order

client_renegotiation

handshake_timeout

gc_after_handshake

ocsp

enable_ocsp_stapling

responder_url

issuer_pem

refresh_interval

refresh_http_timeout

Configuration Manual