Configuration Manual
listeners
Type Struct(listeners)tcp
Type Map($name->OneOf(Struct(mqtt_tcp_listener),String("marked_for_deletion")))Description TCP listeners.
mountpoint
Type StringDefault ""Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet.
Set to""to disable the feature.Variables in mountpoint string:
${clientid}: clientid${username}: username
enable_authn
Type Enum(true,false,quick_deny_anonymous)Default trueDescription Set
true(default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set tofalse, any client (with or without username/password) is allowed to connect. When set toquick_deny_anonymous, it behaves like when set totrue, but clients will be denied immediately without going through any authenticators ifusernameis not provided. This is useful to fence off anonymous clients early.max_conn_rate
Type StringDescription Maximum connection rate.
This is used to limit the connection rate for this node. Once the limit is reached, new connections will be deferred or refused.
For example:1000/s:: Only accepts 1000 connections per second1000/10s:: Only accepts 1000 connections every 10 seconds.
messages_rate
Type StringDescription Messages publish rate.
This is used to limit the inbound message numbers for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
For example:500/s:: Only the first 500 messages are sent per second and other messages are buffered.500/10s:: Only the first 500 messages are sent even 10 second and other messages are buffered.
bytes_rate
Type StringDescription Data publish rate.
This is used to limit the inbound bytes rate for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
The unit of the bytes could be:KB MB GB.
For example:500KB/s:: Only the first 500 kilobytes are sent per second and other messages are buffered.500MB/10s:: Only the first 500 megabytes are sent even 10 second and other messages are buffered.
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.tcp_options
Type Struct(tcp_opts)send_timeout
Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark
Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive
Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
ssl
Type Map($name->OneOf(Struct(mqtt_ssl_listener),String("marked_for_deletion")))Description SSL listeners.
mountpoint
Type StringDefault ""Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet.
Set to""to disable the feature.Variables in mountpoint string:
${clientid}: clientid${username}: username
enable_authn
Type Enum(true,false,quick_deny_anonymous)Default trueDescription Set
true(default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set tofalse, any client (with or without username/password) is allowed to connect. When set toquick_deny_anonymous, it behaves like when set totrue, but clients will be denied immediately without going through any authenticators ifusernameis not provided. This is useful to fence off anonymous clients early.max_conn_rate
Type StringDescription Maximum connection rate.
This is used to limit the connection rate for this node. Once the limit is reached, new connections will be deferred or refused.
For example:1000/s:: Only accepts 1000 connections per second1000/10s:: Only accepts 1000 connections every 10 seconds.
messages_rate
Type StringDescription Messages publish rate.
This is used to limit the inbound message numbers for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
For example:500/s:: Only the first 500 messages are sent per second and other messages are buffered.500/10s:: Only the first 500 messages are sent even 10 second and other messages are buffered.
bytes_rate
Type StringDescription Data publish rate.
This is used to limit the inbound bytes rate for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
The unit of the bytes could be:KB MB GB.
For example:500KB/s:: Only the first 500 kilobytes are sent per second and other messages are buffered.500MB/10s:: Only the first 500 megabytes are sent even 10 second and other messages are buffered.
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.tcp_options
Type Struct(tcp_opts)send_timeout
Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark
Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive
Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
ssl_options
Type Struct(listener_ssl_opts)cacertfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert
Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation
Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout
Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ocsp
Type Struct(ocsp)refresh_interval
Type DurationDefault 5mDescription The period to refresh the OCSP response for the server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.refresh_http_timeout
Type DurationDefault 15sDescription The timeout for the HTTP request when checking OCSP responses.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ws
Type Map($name->OneOf(Struct(mqtt_ws_listener),String("marked_for_deletion")))Description HTTP websocket listeners.
mountpoint
Type StringDefault ""Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet.
Set to""to disable the feature.Variables in mountpoint string:
${clientid}: clientid${username}: username
enable_authn
Type Enum(true,false,quick_deny_anonymous)Default trueDescription Set
true(default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set tofalse, any client (with or without username/password) is allowed to connect. When set toquick_deny_anonymous, it behaves like when set totrue, but clients will be denied immediately without going through any authenticators ifusernameis not provided. This is useful to fence off anonymous clients early.max_conn_rate
Type StringDescription Maximum connection rate.
This is used to limit the connection rate for this node. Once the limit is reached, new connections will be deferred or refused.
For example:1000/s:: Only accepts 1000 connections per second1000/10s:: Only accepts 1000 connections every 10 seconds.
messages_rate
Type StringDescription Messages publish rate.
This is used to limit the inbound message numbers for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
For example:500/s:: Only the first 500 messages are sent per second and other messages are buffered.500/10s:: Only the first 500 messages are sent even 10 second and other messages are buffered.
bytes_rate
Type StringDescription Data publish rate.
This is used to limit the inbound bytes rate for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
The unit of the bytes could be:KB MB GB.
For example:500KB/s:: Only the first 500 kilobytes are sent per second and other messages are buffered.500MB/10s:: Only the first 500 megabytes are sent even 10 second and other messages are buffered.
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.tcp_options
Type Struct(tcp_opts)send_timeout
Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark
Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive
Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
websocket
Type Struct(ws_opts)idle_timeout
Type DurationDefault 7200sDescription Close transport-layer connections from the clients that have not sent MQTT CONNECT message within this interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
wss
Type Map($name->OneOf(Struct(mqtt_wss_listener),String("marked_for_deletion")))Description HTTPS websocket listeners.
mountpoint
Type StringDefault ""Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet.
Set to""to disable the feature.Variables in mountpoint string:
${clientid}: clientid${username}: username
enable_authn
Type Enum(true,false,quick_deny_anonymous)Default trueDescription Set
true(default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set tofalse, any client (with or without username/password) is allowed to connect. When set toquick_deny_anonymous, it behaves like when set totrue, but clients will be denied immediately without going through any authenticators ifusernameis not provided. This is useful to fence off anonymous clients early.max_conn_rate
Type StringDescription Maximum connection rate.
This is used to limit the connection rate for this node. Once the limit is reached, new connections will be deferred or refused.
For example:1000/s:: Only accepts 1000 connections per second1000/10s:: Only accepts 1000 connections every 10 seconds.
messages_rate
Type StringDescription Messages publish rate.
This is used to limit the inbound message numbers for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
For example:500/s:: Only the first 500 messages are sent per second and other messages are buffered.500/10s:: Only the first 500 messages are sent even 10 second and other messages are buffered.
bytes_rate
Type StringDescription Data publish rate.
This is used to limit the inbound bytes rate for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
The unit of the bytes could be:KB MB GB.
For example:500KB/s:: Only the first 500 kilobytes are sent per second and other messages are buffered.500MB/10s:: Only the first 500 megabytes are sent even 10 second and other messages are buffered.
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.tcp_options
Type Struct(tcp_opts)send_timeout
Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark
Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive
Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
ssl_options
Type Struct(listener_wss_opts)cacertfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert
Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation
Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout
Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
websocket
Type Struct(ws_opts)idle_timeout
Type DurationDefault 7200sDescription Close transport-layer connections from the clients that have not sent MQTT CONNECT message within this interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
quic
Type Map($name->OneOf(Struct(mqtt_quic_listener),String("marked_for_deletion")))Description QUIC listeners.
ciphers
Type Array(String)Default [TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256]Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"NOTE: QUIC listener supports only 'tlsv1.3' ciphers
ssl_options
Type Struct(listener_quic_ssl_opts)Description TLS options for QUIC transport
cacertfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.
mountpoint
Type StringDefault ""Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet.
Set to""to disable the feature.Variables in mountpoint string:
${clientid}: clientid${username}: username
enable_authn
Type Enum(true,false,quick_deny_anonymous)Default trueDescription Set
true(default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set tofalse, any client (with or without username/password) is allowed to connect. When set toquick_deny_anonymous, it behaves like when set totrue, but clients will be denied immediately without going through any authenticators ifusernameis not provided. This is useful to fence off anonymous clients early.max_conn_rate
Type StringDescription Maximum connection rate.
This is used to limit the connection rate for this node. Once the limit is reached, new connections will be deferred or refused.
For example:1000/s:: Only accepts 1000 connections per second1000/10s:: Only accepts 1000 connections every 10 seconds.
messages_rate
Type StringDescription Messages publish rate.
This is used to limit the inbound message numbers for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
For example:500/s:: Only the first 500 messages are sent per second and other messages are buffered.500/10s:: Only the first 500 messages are sent even 10 second and other messages are buffered.
bytes_rate
Type StringDescription Data publish rate.
This is used to limit the inbound bytes rate for this node. Once the limit is reached, the restricted client will slow down and even be hung for a while.
The unit of the bytes could be:KB MB GB.
For example:500KB/s:: Only the first 500 kilobytes are sent per second and other messages are buffered.500MB/10s:: Only the first 500 megabytes are sent even 10 second and other messages are buffered.
mqtt
Type Struct(mqtt)Description Global MQTT configuration. The configs here work as default values which can be overridden in
zoneconfigsidle_timeout
Type OneOf(String("infinity"),Duration)Default 15sDescription Configure the duration of time that a connection can remain idle (i.e., without any data transfer) before being:
- Automatically disconnected if no CONNECT package is received from the client yet.
- Put into hibernation mode to save resources if some CONNECT packages are already received. Note: Please set the parameter with caution as long idle time will lead to resource waste.
shared_subscription_strategy
Type Enum(random,round_robin,round_robin_per_group,sticky,local,hash_topic,hash_clientid)Default round_robinDescription Dispatch strategy for shared subscription.
random: Randomly select a subscriber for dispatch;round_robin: Messages from a single publisher are dispatched to subscribers in turn;round_robin_per_group: All messages are dispatched to subscribers in turn;local: Randomly select a subscriber on the current node, if there are no subscribers on the current node, then randomly select within the cluster;sticky: Continuously dispatch messages to the initially selected subscriber until their session ends;hash_clientid: Hash the publisher's client ID to select a subscriber;hash_topic: Hash the publishing topic to select a subscriber.
keepalive_multiplier
Type NumberDefault 1.5Description Keep-Alive Timeout = Keep-Alive interval × Keep-Alive Multiplier. The default value 1.5 is following the MQTT 5.0 specification. This multiplier is adjustable, providing system administrators flexibility for tailoring to their specific needs. For instance, if a client's 10-second Keep-Alive interval PINGREQ gets delayed by an extra 10 seconds, changing the multiplier to 2 lets EMQX tolerate this delay.
retry_interval
Type DurationDefault 30sDescription Retry interval for QoS 1/2 message delivering.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.peer_cert_as_username
Type Enum(disabled,cn,dn,crt,pem,md5)Default disabledDescription Use the CN, DN field in the peer certificate or the entire certificate content as Username. Only works for the TLS connection. Supported configurations are the following:
cn: CN field of the certificatedn: DN field of the certificatecrt: Content of theDERorPEMcertificatepem: ConvertDERcertificate content toPEMformat and use as Usernamemd5: MD5 value of theDERorPEMcertificate
peer_cert_as_clientid
Type Enum(disabled,cn,dn,crt,pem,md5)Default disabledDescription Use the CN, DN field in the peer certificate or the entire certificate content as Client ID. Only works for the TLS connection. Supported configurations are the following:
cn: CN field of the certificatedn: DN field of the certificatecrt:DERorPEMcertificatepem: ConvertDERcertificate content toPEMformat and use as Client IDmd5: MD5 value of theDERorPEMcertificate
session_expiry_interval
Type DurationDefault 2hDescription Specifies how long the session will expire after the connection is disconnected, only for non-MQTT 5.0 connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.max_awaiting_rel
Type OneOf(Integer(0..+inf),String("infinity"))Default 100Description For each publisher session, the maximum number of outstanding QoS 2 messages pending on the client to send PUBREL. After reaching this limit, new QoS 2 PUBLISH requests will be rejected with
147(0x93)until either PUBREL is received or timed out.mqueue_priorities
Type OneOf(String("disabled"),Map)Default disabledDescription Topic priorities. Priority number [1-255] There's no priority table by default, hence all messages are treated equal.
NOTE: Comma and equal signs are not allowed for priority topic names. NOTE: Messages for topics not in the priority table are treated as either highest or lowest priority depending on the configured value for
mqtt.mqueue_default_priority.Examples: To configure
"topic/1" > "topic/2":mqueue_priorities: {"topic/1": 10, "topic/2": 8}await_rel_timeout
Type DurationDefault 300sDescription For client to broker QoS 2 message, the time limit for the broker to wait before the
PUBRELmessage is received. The wait is aborted after timed out, meaning the packet ID is freed for newPUBLISHrequests. Receiving a stalePUBRELcauses a warning level log. Note, the message is delivered to subscribers before entering the wait for PUBREL.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
authentication
Type Array(OneOf(Struct(builtin_db),Struct(mysql),Struct(postgresql),Struct(mongo_single),Struct(mongo_rs),Struct(mongo_sharded),Struct(redis_single),Struct(redis_cluster),Struct(redis_sentinel),Struct(http_get),Struct(http_post),Struct(jwt_hmac),Struct(jwt_public_key),Struct(jwt_jwks),Struct(scram),Struct(ldap),Struct(ldap_deprecated),Struct(gcp_device)))Default []Description Default authentication configs for all MQTT listeners.
For per-listener overrides see
authenticationin listener configsThis option can be configured with:
[]: The default value, it allows *ALL* logins- one: For example
{enable:true,backend:"built_in_database",mechanism="password_based"} - chain: An array of structs.
When a chain is configured, the login credentials are checked against the backends per the configured order, until an 'allow' or 'deny' decision can be made.
If there is no decision after a full chain exhaustion, the login is rejected.
query_timeout
Type DurationDefault 5sDescription Timeout for the SQL query.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
filter
Type MapDefault {}Description Conditional expression that defines the filter condition in the query. Filter supports the following placeholders:
${username}: Will be replaced at runtime withUsernameused by the client when connecting${clientid}: Will be replaced at runtime withClient IDused by the client when connecting
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
filter
Type MapDefault {}Description Conditional expression that defines the filter condition in the query. Filter supports the following placeholders:
${username}: Will be replaced at runtime withUsernameused by the client when connecting${clientid}: Will be replaced at runtime withClient IDused by the client when connecting
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The MongoDB default port 27017 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
filter
Type MapDefault {}Description Conditional expression that defines the filter condition in the query. Filter supports the following placeholders:
${username}: Will be replaced at runtime withUsernameused by the client when connecting${clientid}: Will be replaced at runtime withClient IDused by the client when connecting
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The MongoDB default port 27017 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The Redis default port 6379 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The Redis default port 6379 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
request_timeout
Type DurationDefault 5sDescription HTTP request timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request
Type Struct(request)Description Configure HTTP request parameters.
request_timeout
Type DurationDescription HTTP request timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.retry_interval
Type DurationDescription Deprecated since 5.0.4.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
request_timeout
Type DurationDefault 5sDescription HTTP request timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request
Type Struct(request)Description Configure HTTP request parameters.
request_timeout
Type DurationDescription HTTP request timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.retry_interval
Type DurationDescription Deprecated since 5.0.4.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
verify_claims
Type MapDefault []Description A list of custom claims to validate, which is a list of name/value pairs. Values can use the following placeholders:
${username}: Will be replaced at runtime withUsernameused by the client when connecting${clientid}: Will be replaced at runtime withClient IDused by the client when connecting Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required inverify_claims.
verify_claims
Type MapDefault []Description A list of custom claims to validate, which is a list of name/value pairs. Values can use the following placeholders:
${username}: Will be replaced at runtime withUsernameused by the client when connecting${clientid}: Will be replaced at runtime withClient IDused by the client when connecting Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required inverify_claims.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL options.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
verify_claims
Type MapDefault []Description A list of custom claims to validate, which is a list of name/value pairs. Values can use the following placeholders:
${username}: Will be replaced at runtime withUsernameused by the client when connecting${clientid}: Will be replaced at runtime withClient IDused by the client when connecting Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required inverify_claims.
query_timeout
Type DurationDefault 5sDescription Timeout for the LDAP query.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.request_timeout
Type DurationDefault 10sDescription Sets the maximum time in milliseconds that is used for each individual request.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
query_timeout
Type DurationDefault 5sDescription Timeout for the LDAP query.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.request_timeout
Type DurationDefault 10sDescription Sets the maximum time in milliseconds that is used for each individual request.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
authorization
Type Struct(authorization)Description Authorization a.k.a. ACL.
In EMQX, MQTT client access control is extremely flexible.
An out-of-the-box set of authorization data sources are supported. For example,
'file' source is to support concise and yet generic ACL rules in a file;
'built_in_database' source can be used to store per-client customizable rule sets, natively in the EMQX node;
'http' source to make EMQX call an external HTTP API to make the decision;
'PostgreSQL' etc. to look up clients or rules from external databasesno_match
Type Enum(allow,deny)Default allowDescription Default access control action if the user or client matches no ACL rules, or if no such user or client is found by the configurable authorization sources such as built_in_database, an HTTP API, or a query against PostgreSQL. Find more details in 'authorization.sources' config.
cache
Type Struct(authz_cache)ttl
Type DurationDefault 1mDescription Time to live for the cached data.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
sources
Type Array(OneOf(Struct(file),Struct(builtin_db),Struct(http_get),Struct(http_post),Struct(redis_single),Struct(redis_sentinel),Struct(redis_cluster),Struct(mysql),Struct(postgresql),Struct(mongo_single),Struct(mongo_rs),Struct(mongo_sharded),Struct(ldap)))Default [ { enable = true path = "${EMQX_ETC_DIR}/acl.conf" type = file } ]Description Authorization data sources.
An array of authorization (ACL) data providers. It is designed as an array, not a hash-map, so the sources can be ordered to form a chain of access controls.When authorizing a 'publish' or 'subscribe' action, the configured sources are checked in order. When checking an ACL source, in case the client (identified by username or client ID) is not found, it moves on to the next source. And it stops immediately once an 'allow' or 'deny' decision is returned.
If the client is not found in any of the sources, the default action configured in 'authorization.no_match' is applied.
NOTE: The source elements are identified by their 'type'. It is NOT allowed to configure two or more sources of the same type.
path
Type StringDescription Path to the file which contains the ACL rules. If the file provisioned before starting EMQX node, it can be placed anywhere as long as EMQX has read access to it. That is, EMQX will treat it as read only.
In case the rule-set is created or updated from EMQX Dashboard or HTTP API, a new file will be created and placed in
authzsubdirectory inside EMQX'sdata_dir, and the old file will not be used anymore.
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.retry_interval
Type DurationDescription Deprecated since 5.0.4.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request
Type Struct(request)Description Configure HTTP request parameters.
request_timeout
Type DurationDescription HTTP request timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.retry_interval
Type DurationDescription Deprecated since 5.0.4.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request
Type Struct(request)Description Configure HTTP request parameters.
request_timeout
Type DurationDescription HTTP request timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The Redis default port 6379 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The Redis default port 6379 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
filter
Type MapDefault {}Description Conditional expression that defines the filter condition in the query. Filter supports the following placeholders
${username}: Will be replaced at runtime withUsernameused by the client when connecting${clientid}: Will be replaced at runtime withClient IDused by the client when connecting
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
filter
Type MapDefault {}Description Conditional expression that defines the filter condition in the query. Filter supports the following placeholders
${username}: Will be replaced at runtime withUsernameused by the client when connecting${clientid}: Will be replaced at runtime withClient IDused by the client when connecting
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The MongoDB default port 27017 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
filter
Type MapDefault {}Description Conditional expression that defines the filter condition in the query. Filter supports the following placeholders
${username}: Will be replaced at runtime withUsernameused by the client when connecting${clientid}: Will be replaced at runtime withClient IDused by the client when connecting
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The MongoDB default port 27017 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
query_timeout
Type DurationDefault 5sDescription Timeout for the LDAP query.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.request_timeout
Type DurationDefault 10sDescription Sets the maximum time in milliseconds that is used for each individual request.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
node
Type Struct(node)data_dir
Type StringDescription Path to the persistent data directory.
Possible auto-created subdirectories are:mnesia/<node_name>: EMQX's built-in database directory.
For example,mnesia/emqx@127.0.0.1.
There should be only one such subdirectory.
Meaning, in case the node is to be renamed (to e.g.emqx@10.0.1.1),
the old dir should be deleted first.configs: Generated configs at boot time, and cluster/local override configs.patches: Hot-patch beam files are to be placed here.trace: Trace log files.
NOTE: One data dir cannot be shared by two or more EMQX nodes.
role
Aliases db_role Type Enum(core,replicant)Default coreDescription Select a node role.
corenodes provide durability of the data, and take care of writes. It is recommended to place core nodes in different racks or different availability zones.
replicantnodes are ephemeral worker nodes. Removing them from the cluster doesn't affect database redundancy
It is recommended to have more replicant nodes than core nodes.
Note: this parameter only takes effect when thebackendis set torlog.
cluster
Type Struct(cluster)discovery_strategy
Type Enum(manual,static,dns,etcd,k8s)Default manualDescription Service discovery method for the cluster nodes. Possible values are:
- manual: Use
emqx ctl clustercommand to manage cluster. - static: Configure static nodes list by setting
seedsin config file. - dns: Use DNS A record to discover peer nodes.
- etcd: Use etcd to discover peer nodes.
- k8s: Use Kubernetes API to discover peer pods.
- manual: Use
autoclean
Type DurationDefault 24hDescription Remove disconnected nodes from the cluster after this interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.etcd
Type Struct(cluster_etcd)node_ttl
Type DurationDefault 1mDescription Expiration time of the etcd key associated with the node. It is refreshed automatically, as long as the node is alive.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl_options
Aliases ssl Type Struct(ssl_client_opts)Description Options for the TLS connection to the etcd cluster.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
log
Type Struct(log)console
Aliases console_handler Type Struct(console_handler)time_offset
Type StringDefault systemDescription The time offset to be used when formatting the timestamp. Can be one of:
system: the time offset used by the local systemutc: the UTC time offset+-[hh]:[mm]: user specified time offset, such as "-02:00" or "+00:00" Defaults to:system. This config has no effect for when formatter isjsonas the timestamp in JSON is milliseconds since epoch.
file
Aliases file_handlers Type OneOf(Struct(log_file_handler),Map($handler_name->Struct(log_file_handler)))Default {level = warning}Description File-based log handlers.
time_offset
Type StringDefault systemDescription The time offset to be used when formatting the timestamp. Can be one of:
system: the time offset used by the local systemutc: the UTC time offset+-[hh]:[mm]: user specified time offset, such as "-02:00" or "+00:00" Defaults to:system. This config has no effect for when formatter isjsonas the timestamp in JSON is milliseconds since epoch.
time_offset
Type StringDefault systemDescription The time offset to be used when formatting the timestamp. Can be one of:
system: the time offset used by the local systemutc: the UTC time offset+-[hh]:[mm]: user specified time offset, such as "-02:00" or "+00:00" Defaults to:system. This config has no effect for when formatter isjsonas the timestamp in JSON is milliseconds since epoch.
audit
Type Struct(log_audit_handler)Default {enable = false, level = info}Description Audit file-based log handler.
time_offset
Type StringDefault systemDescription The time offset to be used when formatting the timestamp. Can be one of:
system: the time offset used by the local systemutc: the UTC time offset+-[hh]:[mm]: user specified time offset, such as "-02:00" or "+00:00" Defaults to:system. This config has no effect for when formatter isjsonas the timestamp in JSON is milliseconds since epoch.
rpc
Type Struct(rpc)connect_timeout
Type DurationDefault 5sDescription Timeout for establishing an RPC connection.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.send_timeout
Type DurationDefault 5sDescription Timeout for sending the RPC request.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.authentication_timeout
Type DurationDefault 5sDescription Timeout for the remote node authentication.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.call_receive_timeout
Type DurationDefault 15sDescription Timeout for the reply to a synchronous RPC.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_keepalive_idle
Type Duration(s)Default 15mDescription How long the connections between the brokers should remain open after the last message is sent.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_keepalive_interval
Type Duration(s)Default 75sDescription The interval between keepalive messages.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"
force_shutdown
Type Struct(force_shutdown)max_mailbox_size
Aliases max_message_queue_len Type Integer(0..inf)Default 1000Description In EMQX, each online client corresponds to an individual Erlang process. The configuration value establishes a mailbox size limit for these processes. If the mailbox size surpasses this limit, the client will be automatically terminated.
sysmon
Type Struct(sysmon)vm
Type Struct(sysmon_vm)process_check_interval
Type DurationDefault 30sDescription The time interval for the periodic process limit check.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
os
Type Struct(sysmon_os)cpu_check_interval
Type DurationDefault 60sDescription The time interval for the periodic CPU check. Disabled on Windows platform.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
alarm
Type Struct(alarm)actions
Type Array(String)Default [log, publish]Description The actions triggered when the alarm is activated.
Currently, the following actions are supported:logandpublish.logis to write the alarm to log (console or file).publishis to publish the alarm as an MQTT message to the system topics:$SYS/brokers/emqx@xx.xx.xx.x/alarms/activateand$SYS/brokers/emqx@xx.xx.xx.x/alarms/deactivatevalidity_period
Type DurationDefault 24hDescription Retention time of deactivated alarms. Alarms are not deleted immediately when deactivated, but after the retention time.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
flapping_detect
Type Struct(flapping_detect)window_time
Type DurationDefault 1mDescription The time window for flapping detection.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ban_time
Type DurationDefault 5mDescription How long the flapping clientid will be banned.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
bridges
Type Struct(bridges)webhook
Type Map($name->Struct(config))Description WebHook to an HTTP server.
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.retry_interval
Type DurationDescription Deprecated since 5.0.4.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
url
Type StringDescription The URL of the HTTP Bridge.
Template with variables is allowed in the path, but variables cannot be used in the scheme, host, or port part.
For example,http://localhost:9901/${topic}is allowed, buthttp://${host}:9901/messageorhttp://localhost:${port}/messageis not allowed.local_topic
Type StringDescription The MQTT topic filter to be forwarded to the HTTP server. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.body
Type StringDescription The body of the HTTP request.
If not provided, the body will be a JSON object of all the available fields.
There, 'all the available fields' means the context of a MQTT message when this webhook is triggered by receiving a MQTT message (thelocal_topicis set), or the context of the event when this webhook is triggered by a rule (i.e. this webhook is used as an action of a rule).
Template with variables is allowed.request_timeout
Type DurationDescription Deprecated since v5.0.26.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.resource_opts
Type Struct(v1_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
mqtt
Type Map($name->Struct(config))Description MQTT bridges to/from another MQTT broker
resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
bridge_mode
Type BooleanDefault falseDescription If enable bridge mode. NOTE: This setting is only for MQTT protocol version older than 5.0, and the remote MQTT broker MUST support this feature. If bridge_mode is set to true, the bridge will indicate to the remote broker that it is a bridge not an ordinary client. This means that loop detection will be more effective and that retained messages will be propagated correctly.
password
Type SecretDescription The password of the MQTT protocol
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.retry_interval
Type StringDefault 15sDescription Message retry interval. Delay for the MQTT bridge to retry sending the QoS1/QoS2 messages in case of ACK not received. Time interval is a string that contains a number followed by time unit:
-msfor milliseconds,sfor seconds,mfor minutes,hfor hours;
or combination of whereof:1h5m0s
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
ingress
Type Struct(ingress)Description The ingress config defines how this bridge receive messages from the remote MQTT broker, and then send them to the local broker.
Template with variables is allowed in 'remote.qos', 'local.topic', 'local.qos', 'local.retain', 'local.payload'.
NOTE: if this bridge is used as the input of a rule, and also 'local.topic' is configured, then messages got from the remote broker will be sent to both the 'local.topic' and the rule.pool_size
Type Integer(1..+inf)Default 8Description Size of the pool of MQTT clients that will ingest messages from the remote broker.
This value will be respected only if 'remote.topic' is a shared subscription topic or topic-filter (for example$share/name1/topic1or$share/name2/topic2/#), otherwise only a single MQTT client will be used. Each MQTT client will be assigned 'clientid' of the form '${clientid_prefix}:${bridge_name}:ingress:${node}:${n}' where 'n' is the number of a client inside the pool. NOTE: Non-shared subscription will not work well when EMQX is clustered.
egress
Type Struct(egress)Description The egress config defines how this bridge forwards messages from the local broker to the remote broker.
Template with variables is allowed in 'remote.topic', 'local.qos', 'local.retain', 'local.payload'.
NOTE: if this bridge is used as the action of a rule, and also 'local.topic' is configured, then both the data got from the rule and the MQTT messages that matches 'local.topic' will be forwarded.
hstreamdb
Type Map($name->Struct(config))Description HStreamDB Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to the HStreamDB. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
grpc_timeout
Type DurationDefault 30sDescription HStreamDB gRPC Timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
mysql
Type Map($name->Struct(config))Description MySQL Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to MySQL. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
tdengine
Type Map($name->Struct(config))Description TDengine Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to TDengine. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
dynamo
Type Map($name->Struct(config))Description Dynamo Bridge Config
template
Type StringDefault ""Description Template, the default value is empty. When this value is empty the whole message will be stored in the database.
The template can be any valid JSON with placeholders and make sure all keys for table are here, example:
{"id" : "${id}", "clientid" : "${clientid}", "data" : "${payload.data}"}local_topic
Type StringDescription The MQTT topic filter to be forwarded to DynamoDB. All MQTT
PUBLISHmessages with the topic matching thelocal_topicwill be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and alsolocal_topicis configured, then both the data got from the rule and the MQTT messages that matchlocal_topicwill be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
aws_secret_access_key
Type SecretDescription AWS Secret Access Key for connecting to DynamoDB.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
rocketmq
Type Map($name->Struct(config))Description RocketMQ Bridge Config
template
Type StringDefault ""Description Template, the default value is empty. When this value is empty the whole message will be stored in the RocketMQ.
The template can be any valid string with placeholders, example:
- ${id}, ${username}, ${clientid}, ${timestamp}
- {"id" : ${id}, "username" : ${username}}resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
secret_key
Type SecretDefault ""Description RocketMQ server
secretKey.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.security_token
Type SecretDefault ""Description RocketMQ Server Security Token
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.sync_timeout
Type DurationDefault 3sDescription Timeout of RocketMQ driver synchronous call.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.refresh_interval
Type DurationDefault 3sDescription RocketMQ Topic Route Refresh Interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
cassandra
Type Map($name->Struct(config))Description Cassandra Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to Cassandra. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
opents
Type Map($name->Struct(config))Description OpenTSDB Bridge Config
resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
oracle
Type Map($name->Struct(config))Description Oracle Bridge Config
sql
Type StringDefault "insert into t_mqtt_msgs(msgid, topic, qos, payload) values (${id}, ${topic}, ${qos}, ${payload})"Description SQL Template. The template string can contain placeholders for message metadata and payload field. The placeholders are inserted without any checking and special formatting, so it is important to ensure that the inserted values are formatted and escaped correctly.
local_topic
Type StringDescription The MQTT topic filter to be forwarded to Oracle Database. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
iotdb
Type Map($name->Struct(config))Description Apache IoTDB Bridge Config
authentication
Type OneOf(Struct(auth_basic))Default auth_basicDescription Authentication configuration
password
Type SecretDescription The password as configured at the IoTDB REST interface
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.retry_interval
Type DurationDescription Deprecated since 5.0.4.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
kafka
Type Map($name->Struct(kafka_producer))Description Kafka Producer Bridge Config
connect_timeout
Type DurationDefault 5sDescription Maximum wait time for TCP connection establishment (including authentication time if enabled).
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_metadata_refresh_interval
Type DurationDefault 3sDescription Minimum time interval the client has to wait before refreshing Kafka broker and topic metadata. Setting too small value may add extra load on Kafka.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.metadata_request_timeout
Type DurationDefault 5sDescription Maximum wait time when fetching metadata from Kafka.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.authentication
Type OneOf(String("none"),Struct(auth_username_password),Struct(auth_gssapi_kerberos))Default noneDescription Authentication configs.
password
Type SecretDescription SASL authentication password.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
socket_opts
Type Struct(socket_opts)Description Extra socket options.
tcp_keepalive
Type StringDefault noneDescription Enable TCP keepalive for Kafka bridge connections. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: TCP keepalive probes are sent after the connection is idle for 240 seconds, and the probes are sent every 30 seconds until a response is received, if it misses 5 consecutive responses, the connection should be closed. Default: 'none'
ssl
Type Struct(ssl_client_opts)cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("auto"),String("disable"),String)Default autoDescription Server Name Indication (SNI) setting for TLS handshake.
auto: Allow the client to automatically determine the appropriate SNI.disable: If you wish to prevent the client from sending the SNI.- Other string values will be sent as-is.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
kafka
Aliases parameters Type Struct(producer_kafka_opts)Description Kafka producer configs.
message
Type Struct(kafka_message)Description Template to render a Kafka message.
timestamp
Type StringDefault "${.timestamp}"Description Which timestamp to use. The timestamp is expected to be a millisecond precision Unix epoch which can be in string format, e.g.
1661326462115or'1661326462115'. When the desired data field for this template is not found, or if the found data is not a valid integer, the current system timestamp will be used.
max_batch_bytes
Type BytesizeDefault 896KBDescription Maximum bytes to collect in a Kafka message batch. Most of the Kafka brokers default to a limit of 1 MB batch size. EMQX's default value is less than 1 MB in order to compensate Kafka message encoding overheads (especially when each individual message is very small). When a single message is over the limit, it is still sent (as a single element batch).
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.required_acks
Type Enum(all_isr,leader_only,none)Default all_isrDescription Required acknowledgements for Kafka partition leader to wait for its followers before it sends back the acknowledgement to EMQX Kafka producer
all_isr: Require all in-sync replicas to acknowledge.leader_only: Require only the partition-leader's acknowledgement.none: No need for Kafka to acknowledge at all.partition_count_refresh_interval
Type Duration(s)Default 60sDescription The time interval for Kafka producer to discover increased number of partitions. After the number of partitions is increased in Kafka, EMQX will start taking the discovered partitions into account when dispatching messages per
partition_strategy.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.max_inflight
Type Integer(1..+inf)Default 10Description Maximum number of batches allowed for Kafka producer (per-partition) to send before receiving acknowledgement from Kafka. Greater value typically means better throughput. However, there can be a risk of message reordering when this value is greater than 1.
buffer
Type Struct(producer_buffer)Description Configure producer message buffer.
Tell Kafka producer how to buffer messages when EMQX has more messages to send than Kafka can keep up, or when Kafka is down.
mode
Type Enum(memory,disk,hybrid)Default memoryDescription Message buffer mode.
memory: Buffer all messages in memory. The messages will be lost in case of EMQX node restartdisk: Buffer all messages on disk. The messages on disk are able to survive EMQX node restart.hybrid: Buffer message in memory first, when up to certain limit (seesegment_bytesconfig for more information), then start offloading messages to disk, Likememorymode, the messages will be lost in case of EMQX node restart.per_partition_limit
Type BytesizeDefault 2GBDescription Number of bytes allowed to buffer for each Kafka partition. When this limit is exceeded, old messages will be dropped in a trade for credits for new messages to be buffered.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.segment_bytes
Type BytesizeDefault 100MBDescription Applicable when buffer mode is set to
diskorhybrid. This value is to specify the size of each on-disk buffer file.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.
sync_query_timeout
Type DurationDefault 5sDescription This parameter defines the timeout limit for synchronous queries. It applies only when the bridge query mode is configured to 'sync'.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
kafka_consumer
Type Map($name->Struct(kafka_consumer))Description Kafka Consumer Bridge Config
connect_timeout
Type DurationDefault 5sDescription Maximum wait time for TCP connection establishment (including authentication time if enabled).
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_metadata_refresh_interval
Type DurationDefault 3sDescription Minimum time interval the client has to wait before refreshing Kafka broker and topic metadata. Setting too small value may add extra load on Kafka.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.metadata_request_timeout
Type DurationDefault 5sDescription Maximum wait time when fetching metadata from Kafka.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.authentication
Type OneOf(String("none"),Struct(auth_username_password),Struct(auth_gssapi_kerberos))Default noneDescription Authentication configs.
password
Type SecretDescription SASL authentication password.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
socket_opts
Type Struct(socket_opts)Description Extra socket options.
tcp_keepalive
Type StringDefault noneDescription Enable TCP keepalive for Kafka bridge connections. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: TCP keepalive probes are sent after the connection is idle for 240 seconds, and the probes are sent every 30 seconds until a response is received, if it misses 5 consecutive responses, the connection should be closed. Default: 'none'
ssl
Type Struct(ssl_client_opts)cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("auto"),String("disable"),String)Default autoDescription Server Name Indication (SNI) setting for TLS handshake.
auto: Allow the client to automatically determine the appropriate SNI.disable: If you wish to prevent the client from sending the SNI.- Other string values will be sent as-is.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
kafka
Type Struct(consumer_kafka_opts)Description Kafka consumer configs.
max_batch_bytes
Type BytesizeDefault 896KBDescription Set how many bytes to pull from Kafka in each fetch request. Please note that if the configured value is smaller than the message size in Kafka, it may negatively impact the fetch performance.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.offset_commit_interval_seconds
Type Duration(s)Default 5sDescription Defines the time interval between two offset commit requests sent for each consumer group.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
topic_mapping
Type Array(Struct(consumer_topic_mapping))Description Defines the mapping between Kafka topics and MQTT topics. Must contain at least one item.
payload_template
Type StringDefault "${.}"Description The template for transforming the incoming Kafka message. By default, it will use JSON format to serialize inputs from the Kafka message. Such fields are:
headers: an object containing string key-value pairs.key: Kafka message key (uses the chosen key encoding).offset: offset for the message.topic: Kafka topic.ts: message timestamp.ts_type: message timestamp type, which is one ofcreate,appendorundefined.value: Kafka message value (uses the chosen value encoding).
key_encoding_mode
Type Enum(none,base64)Default noneDescription Defines how the key from the Kafka message is encoded before being forwarded via MQTT.
noneUses the key from the Kafka message unchanged. Note: in this case, the key must be a valid UTF-8 string.base64Uses base-64 encoding on the received key.value_encoding_mode
Type Enum(none,base64)Default noneDescription Defines how the value from the Kafka message is encoded before being forwarded via MQTT.
noneUses the value from the Kafka message unchanged. Note: in this case, the value must be a valid UTF-8 string.base64Uses base-64 encoding on the received value.
pulsar_producer
Type Map($name->Struct(pulsar_producer))Description Pulsar Producer Bridge Config
authentication
Type OneOf(String("none"),Struct(auth_basic),Struct(auth_token))Default noneDescription Authentication configs.
password
Type SecretDescription Basic authentication password.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
jwt
Type SecretDescription JWT authentication token.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
connect_timeout
Type DurationDefault 5sDescription Maximum wait time for TCP connection establishment (including authentication time if enabled).
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
sync_timeout
Type DurationDefault 3sDescription Maximum wait time for receiving a receipt from Pulsar when publishing synchronously.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.max_batch_bytes
Type BytesizeDefault 900KBDescription Maximum bytes to collect in a Pulsar message batch. Most of the Pulsar brokers default to a limit of 5 MB batch size. EMQX's default value is less than 5 MB in order to compensate Pulsar message encoding overheads (especially when each individual message is very small). When a single message is over the limit, it is still sent (as a single element batch).
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.strategy
Type Enum(random,roundrobin,key_dispatch)Default randomDescription Partition strategy is to tell the producer how to dispatch messages to Pulsar partitions.
random: Randomly pick a partition for each message.roundrobin: Pick each available producer in turn for each message.key_dispatch: Hash Pulsar message key of the first message in a batch to a partition number.buffer
Type Struct(producer_buffer)Description Configure producer message buffer.
Tell Pulsar producer how to buffer messages when EMQX has more messages to send than Pulsar can keep up, or when Pulsar is down.
mode
Type Enum(memory,disk,hybrid)Default memoryDescription Message buffer mode.
memory: Buffer all messages in memory. The messages will be lost in case of EMQX node restartdisk: Buffer all messages on disk. The messages on disk are able to survive EMQX node restart.hybrid: Buffer message in memory first, when up to certain limit (seesegment_bytesconfig for more information), then start offloading messages to disk, Likememorymode, the messages will be lost in case of EMQX node restart.per_partition_limit
Type BytesizeDefault 2GBDescription Number of bytes allowed to buffer for each Pulsar partition. When this limit is exceeded, old messages will be dropped in a trade for credits for new messages to be buffered.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.segment_bytes
Type BytesizeDefault 100MBDescription Applicable when buffer mode is set to
diskorhybrid. This value is to specify the size of each on-disk buffer file.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.
resource_opts
Type Struct(producer_resource_opts)Description Creation options.
health_check_interval
Type DurationDefault 1sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
gcp_pubsub
Type Map($name->Struct(config_producer))Description EMQX Enterprise Config
resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_timeout
Type DurationDescription Deprecated since e5.0.1.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.service_account_json
Type MapDescription JSON containing the GCP Service Account credentials to be used with PubSub. When a GCP Service Account is created (as described in https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount), you have the option of downloading the credentials in JSON form. That's the file needed.
local_topic
Type StringDescription The MQTT topic filter to be forwarded to GCP PubSub. All MQTT 'PUBLISH' messages with the topic matching
local_topicwill be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.
gcp_pubsub_consumer
Type Map($name->Struct(config_consumer))Description EMQX Enterprise Config
resource_opts
Type Struct(consumer_resource_opts)Description Creation options.
health_check_interval
Type DurationDefault 30sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_timeout
Type DurationDescription Deprecated since e5.0.1.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.service_account_json
Type MapDescription JSON containing the GCP Service Account credentials to be used with PubSub. When a GCP Service Account is created (as described in https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount), you have the option of downloading the credentials in JSON form. That's the file needed.
consumer
Type Struct(consumer)Description Local MQTT publish and GCP PubSub consumer configs.
topic_mapping
Type Array(Struct(consumer_topic_mapping))Description Defines the mapping between GCP PubSub topics and MQTT topics. Must contain at least one item.
payload_template
Type StringDefault "${.}"Description The template for transforming the incoming GCP PubSub message. By default, it will use JSON format to serialize inputs from the GCP PubSub message. Available fields are:
message_id: the message ID assigned by GCP PubSub.publish_time: message timestamp assigned by GCP PubSub.topic: GCP PubSub topic.value: the payload of the GCP PubSub message. Omitted if there's no payload.attributes: an object containing string key-value pairs. Omitted if there are no attributes.ordering_key: GCP PubSub message ordering key. Omitted if there's none.
mongodb_rs
Type Map($name->Struct(mongodb_rs))Description MongoDB Bridge Config
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The MongoDB default port 27017 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
resource_opts
Type Struct(creation_opts)Description Creation options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
mongodb_sharded
Type Map($name->Struct(mongodb_sharded))Description MongoDB Bridge Config
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The MongoDB default port 27017 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
resource_opts
Type Struct(creation_opts)Description Creation options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
mongodb_single
Type Map($name->Struct(mongodb_single))Description MongoDB Bridge Config
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
resource_opts
Type Struct(creation_opts)Description Creation options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
influxdb_api_v1
Type Map($name->Struct(influxdb_api_v1))Description InfluxDB Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to the InfluxDB. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.write_syntax
Type StringDescription Conf of InfluxDB line protocol to write data points. It is a text-based format that provides the measurement, tag set, field set, and timestamp of a data point, and placeholder supported. See also InfluxDB 2.3 Line Protocol and InfluxDB 1.8 Line Protocol
TLDR:<measurement>[,<tag_key>=<tag_value>[,<tag_key>=<tag_value>]] <field_key>=<field_value>[,<field_key>=<field_value>] [<timestamp>]Please note that a placeholder for an integer value must be annotated with a suffix
i. For example${payload.int_value}i.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription InfluxDB password.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
influxdb_api_v2
Type Map($name->Struct(influxdb_api_v2))Description InfluxDB Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to the InfluxDB. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.write_syntax
Type StringDescription Conf of InfluxDB line protocol to write data points. It is a text-based format that provides the measurement, tag set, field set, and timestamp of a data point, and placeholder supported. See also InfluxDB 2.3 Line Protocol and InfluxDB 1.8 Line Protocol
TLDR:<measurement>[,<tag_key>=<tag_value>[,<tag_key>=<tag_value>]] <field_key>=<field_value>[,<field_key>=<field_value>] [<timestamp>]Please note that a placeholder for an integer value must be annotated with a suffix
i. For example${payload.int_value}i.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
token
Type SecretDescription InfluxDB token.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
redis_single
Type Map($name->Struct(redis_single))Description Redis Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to Redis. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts_redis_single)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
redis_sentinel
Type Map($name->Struct(redis_sentinel))Description Redis Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to Redis. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts_redis_sentinel)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The Redis default port 6379 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
redis_cluster
Type Map($name->Struct(redis_cluster))Description Redis Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to Redis. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts_redis_cluster)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The Redis default port 6379 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
pgsql
Type Map($name->Struct(config))Description PostgreSQL Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to PostgreSQL. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
timescale
Type Map($name->Struct(config))Description Timescale Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to PostgreSQL. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
matrix
Type Map($name->Struct(config))Description Matrix Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to PostgreSQL. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
clickhouse
Type Map($name->Struct(config))Description Clickhouse Bridge Config
sql
Type StringDefault "INSERT INTO mqtt_test(payload, arrived) VALUES ('${payload}', ${timestamp})"Description The template string can contain ${field} placeholders for message metadata and payload field. Make sure that the inserted values are formatted and escaped correctly. Prepared Statement is not supported.
batch_value_separator
Type StringDefault ", "Description The default value ',' works for the VALUES format. You can also use other separator if other format is specified. See INSERT INTO Statement.
local_topic
Type StringDescription The MQTT topic filter to be forwarded to Clickhouse. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the Clickhouse server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
sqlserver
Type Map($name->Struct(config))Description Microsoft SQL Server Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to Microsoft SQL Server. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
rabbitmq
Type Map($name->Struct(config))Description RabbitMQ Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to RabbitMQ. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded. NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.
resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.timeout
Type DurationDefault 5sDescription The timeout for waiting on the connection to be established.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.publish_confirmation_timeout
Type DurationDefault 30sDescription The timeout for waiting on the connection to be established.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat
Type DurationDefault 30sDescription The interval for sending heartbeat messages to the RabbitMQ server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.delivery_mode
Type Enum(non_persistent,persistent)Default non_persistentDescription The delivery mode for messages published to RabbitMQ. Delivery mode non_persistent (1) is suitable for messages that don't require persistence across RabbitMQ restarts, whereas delivery mode persistent (2) is designed for messages that must survive RabbitMQ restarts.
payload_template
Type StringDefault "${.}"Description The template for formatting the payload of the message before sending it to RabbitMQ. Template placeholders, such as ${field1.sub_field}, will be substituted with the respective field's value. When left empty, the entire input message will be used as the payload, formatted as a JSON text. This behavior is equivalent to specifying ${.} as the payload template.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
kinesis_producer
Type Map($name->Struct(config_producer))Description Amazon Kinesis Producer Bridge Config
resource_opts
Type Struct(creation_opts)Default {}Description Creation options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
aws_secret_access_key
Type SecretDescription AWS Secret Access Key for connecting to Amazon Kinesis.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.local_topic
Type StringDescription The MQTT topic filter to be forwarded to Amazon Kinesis. All MQTT
PUBLISHmessages with the topic matching thelocal_topicwill be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and alsolocal_topicis configured, then both the data got from the rule and the MQTT messages that matchlocal_topicwill be forwarded.
greptimedb
Type Map($name->Struct(greptimedb))Description GreptimeDB Bridge Config
local_topic
Type StringDescription The MQTT topic filter to be forwarded to the GreptimeDB. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.write_syntax
Type StringDescription Conf of GreptimeDB gRPC protocol to write data points. Write syntax is a text-based format that provides the measurement, tag set, field set, and timestamp of a data point, and placeholder supported, which is the same as InfluxDB line protocol. See also InfluxDB 2.3 Line Protocol and GreptimeDB 1.8 Line Protocol
TLDR:<measurement>[,<tag_key>=<tag_value>[,<tag_key>=<tag_value>]] <field_key>=<field_value>[,<field_key>=<field_value>] [<timestamp>]Please note that a placeholder for an integer value must be annotated with a suffix
i. For example${payload.int_value}i.resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
password
Type SecretDescription GreptimeDB password.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
azure_event_hub_producer
Type Map($name->Struct(config_producer))Description EMQX Enterprise Config
connect_timeout
Type DurationDefault 5sDescription Maximum wait time for TCP connection establishment (including authentication time if enabled).
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_metadata_refresh_interval
Type DurationDefault 3sDescription Minimum time interval the client has to wait before refreshing Azure Event Hubs Kafka broker and topic metadata. Setting too small value may add extra load on Azure Event Hubs.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.metadata_request_timeout
Type DurationDefault 5sDescription Maximum wait time when fetching metadata from Azure Event Hubs.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.authentication
Type Struct(auth_username_password)Default {}Description Authentication configs.
password
Type SecretDescription The Connection String for connecting to Azure Event Hubs. Should be the "connection string-primary key" of a Namespace shared access policy.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
socket_opts
Type Struct(socket_opts)Description Extra socket options.
tcp_keepalive
Type StringDefault noneDescription Enable TCP keepalive for Kafka bridge connections. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: TCP keepalive probes are sent after the connection is idle for 240 seconds, and the probes are sent every 30 seconds until a response is received, if it misses 5 consecutive responses, the connection should be closed. Default: 'none'
ssl
Type Struct(ssl_client_opts)Default {enable = true}cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("auto"),String("disable"),String)Default autoDescription Server Name Indication (SNI) setting for TLS handshake.
auto: The client will use"servicebus.windows.net"as SNI.disable: If you wish to prevent the client from sending the SNI.- Other string values it will be sent as-is.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
kafka
Aliases parameters Type Struct(producer_kafka_opts)Description Azure Event Hubs producer configs.
required_acks
Type Enum(all_isr,leader_only)Default all_isrDescription Required acknowledgements for Azure Event Hubs partition leader to wait for its followers before it sends back the acknowledgement to EMQX Azure Event Hubs producer
all_isr: Require all in-sync replicas to acknowledge.leader_only: Require only the partition-leader's acknowledgement.partition_count_refresh_interval
Type Duration(s)Default 60sDescription The time interval for Azure Event Hubs producer to discover increased number of partitions. After the number of partitions is increased in Azure Event Hubs, EMQX will start taking the discovered partitions into account when dispatching messages per
partition_strategy.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.max_inflight
Type Integer(1..+inf)Default 10Description Maximum number of batches allowed for Azure Event Hubs producer (per-partition) to send before receiving acknowledgement from Azure Event Hubs. Greater value typically means better throughput. However, there can be a risk of message reordering when this value is greater than 1.
buffer
Type Struct(producer_buffer)Description Configure producer message buffer.
Tell Azure Event Hubs producer how to buffer messages when EMQX has more messages to send than Azure Event Hubs can keep up, or when Azure Event Hubs is down.
mode
Type Enum(memory,disk,hybrid)Default memoryDescription Message buffer mode.
memory: Buffer all messages in memory. The messages will be lost in case of EMQX node restartdisk: Buffer all messages on disk. The messages on disk are able to survive EMQX node restart.hybrid: Buffer message in memory first, when up to certain limit (seesegment_bytesconfig for more information), then start offloading messages to disk, Likememorymode, the messages will be lost in case of EMQX node restart.per_partition_limit
Type BytesizeDefault 2GBDescription Number of bytes allowed to buffer for each Kafka partition. When this limit is exceeded, old messages will be dropped in a trade for credits for new messages to be buffered.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.segment_bytes
Type BytesizeDefault 100MBDescription Applicable when buffer mode is set to
diskorhybrid. This value is to specify the size of each on-disk buffer file.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.
sync_query_timeout
Type DurationDefault 5sDescription This parameter defines the timeout limit for synchronous queries. It applies only when the bridge query mode is configured to 'sync'.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
connectors
Type Struct(connectors)http
Type Map($name->Struct(config_connector))Description HTTP Connector Config
url
Type StringDescription The URL of the HTTP Bridge.
Template with variables is allowed in the path, but variables cannot be used in the scheme, host, or port part.
For example,http://localhost:9901/${topic}is allowed, buthttp://${host}:9901/messageorhttp://localhost:${port}/messageis not allowed.connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.retry_interval
Type DurationDescription Deprecated since 5.0.4.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
azure_event_hub_producer
Type Map($name->Struct(config_connector))Description Azure Event Hub Connector Config
connect_timeout
Type DurationDefault 5sDescription Maximum wait time for TCP connection establishment (including authentication time if enabled).
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_metadata_refresh_interval
Type DurationDefault 3sDescription Minimum time interval the client has to wait before refreshing Azure Event Hubs Kafka broker and topic metadata. Setting too small value may add extra load on Azure Event Hubs.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.metadata_request_timeout
Type DurationDefault 5sDescription Maximum wait time when fetching metadata from Azure Event Hubs.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.authentication
Type Struct(auth_username_password)Default {}Description Authentication configs.
password
Type SecretDescription The Connection String for connecting to Azure Event Hubs. Should be the "connection string-primary key" of a Namespace shared access policy.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
socket_opts
Type Struct(socket_opts)Description Extra socket options.
tcp_keepalive
Type StringDefault noneDescription Enable TCP keepalive for Kafka bridge connections. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: TCP keepalive probes are sent after the connection is idle for 240 seconds, and the probes are sent every 30 seconds until a response is received, if it misses 5 consecutive responses, the connection should be closed. Default: 'none'
ssl
Type Struct(ssl_client_opts)Default {enable = true}cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("auto"),String("disable"),String)Default autoDescription Server Name Indication (SNI) setting for TLS handshake.
auto: The client will use"servicebus.windows.net"as SNI.disable: If you wish to prevent the client from sending the SNI.- Other string values it will be sent as-is.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
confluent_producer
Type Map($name->Struct(config_connector))Description Confluent Connector Config
connect_timeout
Type DurationDefault 5sDescription Maximum wait time for TCP connection establishment (including authentication time if enabled).
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_metadata_refresh_interval
Type DurationDefault 3sDescription Minimum time interval the client has to wait before refreshing Confluent Kafka broker and topic metadata. Setting too small value may add extra load on Confluent.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.metadata_request_timeout
Type DurationDefault 5sDescription Maximum wait time when fetching metadata from Confluent.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.authentication
Type Struct(auth_username_password)Default {}Description Authentication configs.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
socket_opts
Type Struct(socket_opts)Description Extra socket options.
tcp_keepalive
Type StringDefault noneDescription Enable TCP keepalive for Kafka bridge connections. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: TCP keepalive probes are sent after the connection is idle for 240 seconds, and the probes are sent every 30 seconds until a response is received, if it misses 5 consecutive responses, the connection should be closed. Default: 'none'
ssl
Type Struct(ssl_client_opts)Default {enable = true}cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("auto"),String("disable"),String)Default autoDescription Server Name Indication (SNI) setting for TLS handshake.
auto: The client will use"servicebus.windows.net"as SNI.disable: If you wish to prevent the client from sending the SNI.- Other string values it will be sent as-is.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
gcp_pubsub_producer
Type Map($name->Struct(config_connector))Description GCP PubSub Producer Connector Config
connect_timeout
Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_timeout
Type DurationDescription Deprecated since e5.0.1.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.service_account_json
Type MapDescription JSON containing the GCP Service Account credentials to be used with PubSub. When a GCP Service Account is created (as described in https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount), you have the option of downloading the credentials in JSON form. That's the file needed.
resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
kafka_producer
Type Map($name->Struct(config_connector))Description Kafka Connector Config
connect_timeout
Type DurationDefault 5sDescription Maximum wait time for TCP connection establishment (including authentication time if enabled).
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_metadata_refresh_interval
Type DurationDefault 3sDescription Minimum time interval the client has to wait before refreshing Kafka broker and topic metadata. Setting too small value may add extra load on Kafka.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.metadata_request_timeout
Type DurationDefault 5sDescription Maximum wait time when fetching metadata from Kafka.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.authentication
Type OneOf(String("none"),Struct(auth_username_password),Struct(auth_gssapi_kerberos))Default noneDescription Authentication configs.
password
Type SecretDescription SASL authentication password.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
socket_opts
Type Struct(socket_opts)Description Extra socket options.
tcp_keepalive
Type StringDefault noneDescription Enable TCP keepalive for Kafka bridge connections. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: TCP keepalive probes are sent after the connection is idle for 240 seconds, and the probes are sent every 30 seconds until a response is received, if it misses 5 consecutive responses, the connection should be closed. Default: 'none'
ssl
Type Struct(ssl_client_opts)cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("auto"),String("disable"),String)Default autoDescription Server Name Indication (SNI) setting for TLS handshake.
auto: Allow the client to automatically determine the appropriate SNI.disable: If you wish to prevent the client from sending the SNI.- Other string values will be sent as-is.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
matrix
Type Map($name->Struct(config_connector))Description Matrix Connector Config
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
resource_opts
Type Struct(resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
mongodb
Type Map($name->Struct(config_connector))Description MongoDB Connector Config
parameters
Type OneOf(Struct(connector_single),Struct(connector_sharded),Struct(connector_rs))Description Set of parameters specific for the given type of this MongoDB connector,
mongo_typecan be one ofsingle(Standalone),sharded(Sharded) orrs(Replica Set).servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The MongoDB default port 27017 is used if[:Port]is not specified.
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The MongoDB default port 27017 is used if[:Port]is not specified.
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.topology
Type Struct(topology)overflow_ttl
Type DurationDescription Period of time before workers that exceed the configured pool size ("overflow") to be terminated.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.overflow_check_period
Type DurationDescription Period for checking if there are more workers than configured ("overflow").
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.local_threshold_ms
Type DurationDescription The size of the latency window for selecting among multiple suitable MongoDB instances.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.connect_timeout_ms
Type DurationDescription The duration to attempt a connection before timing out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.socket_timeout_ms
Type DurationDescription The duration to attempt to send or to receive on a socket before the attempt times out.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_selection_timeout_ms
Type DurationDescription Specifies how long to block for server selection before throwing an exception.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.wait_queue_timeout_ms
Type DurationDescription The maximum duration that a worker can wait for a connection to become available.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.heartbeat_frequency_ms
Type DurationDefault 200sDescription Controls when the driver checks the state of the MongoDB deployment. Specify the interval between checks, counted from the end of the previous check until the beginning of the next one. If the number of connections is increased (which will happen, for example, if you increase the pool size), you may need to increase this period as well to avoid creating too many log entries in the MongoDB log file.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_heartbeat_frequency_ms
Type DurationDescription Controls the minimum amount of time to wait between heartbeats.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
mysql
Type Map($name->Struct(config_connector))Description MySQL Connector Config
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
pgsql
Type Map($name->Struct(config_connector))Description PostgreSQL Connector Config
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
resource_opts
Type Struct(resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
redis
Type Map($name->Struct(config_connector))Description Redis Connector Config
parameters
Type OneOf(Struct(redis_single_connector),Struct(redis_sentinel_connector),Struct(redis_cluster_connector))Description Set of parameters specific for the given type of this Redis connector,
redis_typecan be one ofsingle,clusterorsentinel.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The Redis default port 6379 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
servers
Type StringDescription A Node list for Cluster to connect to. The nodes should be separated with commas, such as:
Node[,Node].For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form:Host[:Port]. The Redis default port 6379 is used if[:Port]is not specified.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.
resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
syskeeper_forwarder
Type Map($name->Struct(config))Description Syskeeper Connector Config
ack_timeout
Type DurationDefault 10sDescription The maximum time to wait for an acknowledgement from the proxy server
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
syskeeper_proxy
Type Map($name->Struct(config))Description Syskeeper Proxy Connector Config
handshake_timeout
Type DurationDefault 10sDescription The maximum to wait for the handshake when a connection is created
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.resource_opts
Type Struct(connector_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
timescale
Type Map($name->Struct(config_connector))Description Timescale Connector Config
password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.ssl
Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
resource_opts
Type Struct(resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
actions
Type Struct(actions)http
Aliases webhook Type Map($name->Struct(http_action))Description HTTP Action Config
parameters
Type Struct(parameters_opts)Description The parameters for HTTP action.
body
Type StringDescription The body of the HTTP request.
If not provided, the body will be a JSON object of all the available fields.
There, 'all the available fields' means the context of a MQTT message when this webhook is triggered by receiving a MQTT message (thelocal_topicis set), or the context of the event when this webhook is triggered by a rule (i.e. this webhook is used as an action of a rule).
Template with variables is allowed.request_timeout
Type DurationDescription Deprecated since v5.0.26.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
resource_opts
Type Struct(action_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
mysql
Type Map($name->Struct(mysql_action))Description Action to interact with a MySQL connector
resource_opts
Type Struct(resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
mongodb
Type Map($name->Struct(mongodb_action))Description MongoDB Action Config
resource_opts
Type Struct(resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
redis
Type Map($name->Struct(redis_action))Description Redis Action Config
parameters
Type Struct(action_parameters)Description The parameters of the action.
redis_type
Type Enum(single,sentinel,cluster)Description Single mode. Must be set to 'single' when Redis server is running in single mode. Sentinel mode. Must be set to 'sentinel' when Redis server is running in sentinel mode. Cluster mode. Must be set to 'cluster' when Redis server is running in clustered mode.
resource_opts
Type Struct(action_resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_size
Type Integer(1..+inf)Default 1Description This parameter defines the upper limit of the batch count. Setting this value to 1 effectively disables batching, as it indicates that only one item will be processed per batch. Note on Redis Cluster Mode: In the context of Redis Cluster Mode, it is important to note that batching is not supported. Consequently, the batch_size is always set to 1, reflecting the mode inherent limitation in handling batch operations.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
azure_event_hub_producer
Type Map($name->Struct(actions))Description Azure Event Hub Actions Config
parameters
Aliases kafka Type Struct(producer_kafka_opts)Description Azure Event Hubs producer configs.
required_acks
Type Enum(all_isr,leader_only)Default all_isrDescription Required acknowledgements for Azure Event Hubs partition leader to wait for its followers before it sends back the acknowledgement to EMQX Azure Event Hubs producer
all_isr: Require all in-sync replicas to acknowledge.leader_only: Require only the partition-leader's acknowledgement.partition_count_refresh_interval
Type Duration(s)Default 60sDescription The time interval for Azure Event Hubs producer to discover increased number of partitions. After the number of partitions is increased in Azure Event Hubs, EMQX will start taking the discovered partitions into account when dispatching messages per
partition_strategy.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.max_inflight
Type Integer(1..+inf)Default 10Description Maximum number of batches allowed for Azure Event Hubs producer (per-partition) to send before receiving acknowledgement from Azure Event Hubs. Greater value typically means better throughput. However, there can be a risk of message reordering when this value is greater than 1.
buffer
Type Struct(producer_buffer)Description Configure producer message buffer.
Tell Azure Event Hubs producer how to buffer messages when EMQX has more messages to send than Azure Event Hubs can keep up, or when Azure Event Hubs is down.
mode
Type Enum(memory,disk,hybrid)Default memoryDescription Message buffer mode.
memory: Buffer all messages in memory. The messages will be lost in case of EMQX node restartdisk: Buffer all messages on disk. The messages on disk are able to survive EMQX node restart.hybrid: Buffer message in memory first, when up to certain limit (seesegment_bytesconfig for more information), then start offloading messages to disk, Likememorymode, the messages will be lost in case of EMQX node restart.per_partition_limit
Type BytesizeDefault 2GBDescription Number of bytes allowed to buffer for each Kafka partition. When this limit is exceeded, old messages will be dropped in a trade for credits for new messages to be buffered.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.segment_bytes
Type BytesizeDefault 100MBDescription Applicable when buffer mode is set to
diskorhybrid. This value is to specify the size of each on-disk buffer file.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.
sync_query_timeout
Type DurationDefault 5sDescription This parameter defines the timeout limit for synchronous queries. It applies only when the bridge query mode is configured to 'sync'.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
resource_opts
Type Struct(resource_opts)Default {}health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
confluent_producer
Type Map($name->Struct(actions))Description Confluent Actions Config
parameters
Aliases kafka Type Struct(producer_kafka_opts)Description Confluent producer configs.
max_batch_bytes
Type BytesizeDefault 896KBDescription Maximum bytes to collect in a Confluent message batch. Most of the Kafka brokers default to a limit of 1 MB batch size. EMQX's default value is less than 1 MB in order to compensate Kafka message encoding overheads (especially when each individual message is very small). When a single message is over the limit, it is still sent (as a single element batch).
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.required_acks
Type Enum(all_isr,leader_only,none)Default all_isrDescription Required acknowledgements for Confluent partition leader to wait for its followers before it sends back the acknowledgement to EMQX Confluent producer
all_isr: Require all in-sync replicas to acknowledge.leader_only: Require only the partition-leader's acknowledgement.partition_count_refresh_interval
Type Duration(s)Default 60sDescription The time interval for Confluent producer to discover increased number of partitions. After the number of partitions is increased in Confluent, EMQX will start taking the discovered partitions into account when dispatching messages per
partition_strategy.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.max_inflight
Type Integer(1..+inf)Default 10Description Maximum number of batches allowed for Confluent producer (per-partition) to send before receiving acknowledgement from Confluent. Greater value typically means better throughput. However, there can be a risk of message reordering when this value is greater than 1.
buffer
Type Struct(producer_buffer)Description Configure producer message buffer.
Tell Confluent producer how to buffer messages when EMQX has more messages to send than Confluent can keep up, or when Confluent is down.
mode
Type Enum(memory,disk,hybrid)Default memoryDescription Message buffer mode.
memory: Buffer all messages in memory. The messages will be lost in case of EMQX node restartdisk: Buffer all messages on disk. The messages on disk are able to survive EMQX node restart.hybrid: Buffer message in memory first, when up to certain limit (seesegment_bytesconfig for more information), then start offloading messages to disk, Likememorymode, the messages will be lost in case of EMQX node restart.per_partition_limit
Type BytesizeDefault 2GBDescription Number of bytes allowed to buffer for each Kafka partition. When this limit is exceeded, old messages will be dropped in a trade for credits for new messages to be buffered.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.segment_bytes
Type BytesizeDefault 100MBDescription Applicable when buffer mode is set to
diskorhybrid. This value is to specify the size of each on-disk buffer file.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.
sync_query_timeout
Type DurationDefault 5sDescription This parameter defines the timeout limit for synchronous queries. It applies only when the action query mode is configured to 'sync'.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
resource_opts
Type Struct(resource_opts)Default {}health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
gcp_pubsub_producer
Type Map($name->Struct(producer_action))Description GCP PubSub Producer Action Config
resource_opts
Type Struct(resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
kafka_producer
Type Map($name->Struct(kafka_producer_action))Description Kafka Producer Action Config
parameters
Aliases kafka Type Struct(producer_kafka_opts)Description Kafka producer configs.
message
Type Struct(kafka_message)Description Template to render a Kafka message.
timestamp
Type StringDefault "${.timestamp}"Description Which timestamp to use. The timestamp is expected to be a millisecond precision Unix epoch which can be in string format, e.g.
1661326462115or'1661326462115'. When the desired data field for this template is not found, or if the found data is not a valid integer, the current system timestamp will be used.
max_batch_bytes
Type BytesizeDefault 896KBDescription Maximum bytes to collect in a Kafka message batch. Most of the Kafka brokers default to a limit of 1 MB batch size. EMQX's default value is less than 1 MB in order to compensate Kafka message encoding overheads (especially when each individual message is very small). When a single message is over the limit, it is still sent (as a single element batch).
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.required_acks
Type Enum(all_isr,leader_only,none)Default all_isrDescription Required acknowledgements for Kafka partition leader to wait for its followers before it sends back the acknowledgement to EMQX Kafka producer
all_isr: Require all in-sync replicas to acknowledge.leader_only: Require only the partition-leader's acknowledgement.none: No need for Kafka to acknowledge at all.partition_count_refresh_interval
Type Duration(s)Default 60sDescription The time interval for Kafka producer to discover increased number of partitions. After the number of partitions is increased in Kafka, EMQX will start taking the discovered partitions into account when dispatching messages per
partition_strategy.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.max_inflight
Type Integer(1..+inf)Default 10Description Maximum number of batches allowed for Kafka producer (per-partition) to send before receiving acknowledgement from Kafka. Greater value typically means better throughput. However, there can be a risk of message reordering when this value is greater than 1.
buffer
Type Struct(producer_buffer)Description Configure producer message buffer.
Tell Kafka producer how to buffer messages when EMQX has more messages to send than Kafka can keep up, or when Kafka is down.
mode
Type Enum(memory,disk,hybrid)Default memoryDescription Message buffer mode.
memory: Buffer all messages in memory. The messages will be lost in case of EMQX node restartdisk: Buffer all messages on disk. The messages on disk are able to survive EMQX node restart.hybrid: Buffer message in memory first, when up to certain limit (seesegment_bytesconfig for more information), then start offloading messages to disk, Likememorymode, the messages will be lost in case of EMQX node restart.per_partition_limit
Type BytesizeDefault 2GBDescription Number of bytes allowed to buffer for each Kafka partition. When this limit is exceeded, old messages will be dropped in a trade for credits for new messages to be buffered.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.segment_bytes
Type BytesizeDefault 100MBDescription Applicable when buffer mode is set to
diskorhybrid. This value is to specify the size of each on-disk buffer file.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.
sync_query_timeout
Type DurationDefault 5sDescription This parameter defines the timeout limit for synchronous queries. It applies only when the bridge query mode is configured to 'sync'.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
resource_opts
Type Struct(resource_opts)Default {}health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
matrix
Type Map($name->Struct(pgsql_action))Description Matrix Action Config
resource_opts
Type Struct(resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
pgsql
Type Map($name->Struct(pgsql_action))Description PostgreSQL Action Config
resource_opts
Type Struct(resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
syskeeper_forwarder
Type Map($name->Struct(config))Description Syskeeper Forwarder Action Config
resource_opts
Type Struct(creation_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.start_timeout
Type DurationDefault 5sDescription Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default infinityDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
timescale
Type Map($name->Struct(pgsql_action))Description Timescale Action Config
resource_opts
Type Struct(resource_opts)Default {}Description Resource options.
health_check_interval
Type DurationDefault 15sDescription Health check interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.request_ttl
Aliases request_timeout Type OneOf(Duration,String("infinity"))Default 45sDescription Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.
batch_time
Type DurationDefault 0msDescription Maximum waiting interval when accumulating a batch at a low message rates for more efficient resource usage.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
retainer
Type Struct(retainer)msg_expiry_interval
Type DurationDefault 0sDescription Message retention time. This config is only applicable for messages without the Message Expiry Interval message property. 0 means message will never expire.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.msg_clear_interval
Type DurationDefault 0sDescription Interval for EMQX to scan expired messages and delete them. Never scan if the value is 0.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.backend
Type Struct(mnesia_config)Description Settings for the database storing the retained messages.
index_specs
Type Array(Integer)Default [ [1, 2, 3], [1, 3], [2, 3], [3] ]Description Retainer index specifications: list of arrays of positive ascending integers. Each array specifies an index. Numbers in an index specification are 1-based word positions in topics. Words from specified positions will be used for indexing.
For example, it is good to have[2, 4]index to optimize+/X/+/Y/...topic wildcard subscriptions.
plugins
Type Struct(plugins)install_dir
Type StringDefault pluginsDescription The installation directory for the external plugins. The plugin beam files and configuration files should reside in the subdirectory named as
emqx_foo_bar-0.1.0.
NOTE: For security reasons, this directory should NOT be writable by anyone exceptemqx(or any user which runs EMQX).check_interval
Type DurationDescription Deprecated since 5.0.24.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
dashboard
Type Struct(dashboard)listeners
Type Struct(listeners)Description HTTP(s) listeners are identified by their protocol type and are used to serve dashboard UI and restful HTTP API. Listeners must have a unique combination of port number and IP address. For example, an HTTP listener can listen on all configured IP addresses on a given port for a machine by specifying the IP address 0.0.0.0. Alternatively, the HTTP listener can specify a unique IP address for each listener, but use the same port.
http
Type Struct(http)Description TCP listeners
send_timeout
Type DurationDefault 10sDescription Send timeout for the socket.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
https
Type Struct(https)Description SSL listeners
ssl_options
Type Struct(ssl_options)Description SSL/TLS options for the dashboard listener.
cacertfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.client_renegotiation
Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout
Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
send_timeout
Type DurationDefault 10sDescription Send timeout for the socket.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
token_expired_time
Type DurationDefault 60mDescription JWT token expiration time. Default is 60 minutes
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.sso
Type Struct(sso)ldap
Type Struct(ldap)query_timeout
Type DurationDefault 5sDescription Timeout for the LDAP query.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.password
Type SecretDescription The password associated with the bridge, used for authentication with the external database.
A string holding some sensitive information, such as a password. When secret starts withfile://, the rest of the string is interpreted as a path to a file containing the secret itself: whole content of the file except any trailing whitespace characters is considered a secret value. Note: when clustered, all EMQX nodes should have the same file present before usingfile://secrets.filter
Type StringDefault "(& (objectClass=person) (uid=${username}))"Description The filter for matching users in LDAP is by default
(&(objectClass=person)(uid=${username})). For Active Directory, it should be set to(&(objectClass=user)(sAMAccountName=${username}))by default. Please refer to LDAP Filters for more details.request_timeout
Type DurationDefault 10sDescription Sets the maximum time in milliseconds that is used for each individual request.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl)Default {enable = false}Description SSL connection settings.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
gateway
Type Struct(gateway)coap
Type Struct(coap)heartbeat
Type DurationDefault 30sDescription The gateway server required minimum heartbeat interval. When connection mode is enabled, this parameter is used to set the minimum heartbeat interval for the connection to be alive
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.notify_type
Type Enum(non,con,qos)Default qosDescription The Notification Message will be delivered to the CoAP client if a new message received on an observed topic. The type of delivered coap message can be set to:
- non: Non-confirmable;
- con: Confirmable;
- qos: Mapping from QoS type of received message, QoS0 -> non, QoS1,2 -> con
- non: Non-confirmable;
subscribe_qos
Type Enum(qos0,qos1,qos2,coap)Default coapDescription The Default QoS Level indicator for subscribe request. This option specifies the QoS level for the CoAP Client when establishing a subscription membership, if the subscribe request is not carried
qosoption. The indicator can be set to:- qos0, qos1, qos2: Fixed default QoS level
- coap: Dynamic QoS level by the message type of subscribe request
- qos0: If the subscribe request is non-confirmable
- qos1: If the subscribe request is confirmable
- qos0: If the subscribe request is non-confirmable
- qos0, qos1, qos2: Fixed default QoS level
publish_qos
Type Enum(qos0,qos1,qos2,coap)Default coapDescription The Default QoS Level indicator for publish request. This option specifies the QoS level for the CoAP Client when publishing a message to EMQX PUB/SUB system, if the publish request is not carried
qosoption. The indicator can be set to:- qos0, qos1, qos2: Fixed default QoS level
- coap: Dynamic QoS level by the message type of publish request
- qos0: If the publish request is non-confirmable
- qos1: If the publish request is confirmable
- qos0: If the publish request is non-confirmable
- qos0, qos1, qos2: Fixed default QoS level
mountpoint
Type StringDefault ""Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
listeners
Type Struct(udp_listeners)udp
Type Map($name->Struct(udp_listener))Description A map from listener names to listener settings.
mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
dtls
Type Map($name->Struct(dtls_listener))Description A map from listener names to listener settings.
mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
dtls_options
Type Struct(dtls_opts)Description DTLS socket options
cacertfile Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ocsp Type Struct(ocsp)refresh_interval Type DurationDefault 5mDescription The period to refresh the OCSP response for the server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.refresh_http_timeout Type DurationDefault 15sDescription The timeout for the HTTP request when checking OCSP responses.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
idle_timeout
Type DurationDefault 30sDescription The idle time of the client connection process. It has two purposes:
- A newly created client process that does not receive any client requests after that time will be closed directly.
- A running client process that does not receive any client requests after this time will go into hibernation to save resources.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
mqttsn
Type Struct(mqttsn)enable_qos3
Type BooleanDefault trueDescription Allows connectionless clients to publish messages with a Qos of -1. This feature is defined for very simple client implementations which do not support any other features except this one. There is no connection setup nor tear down, no registration nor subscription. The client just sends its 'PUBLISH' messages to a GW
mountpoint
Type StringDefault ""Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
listeners
Type Struct(udp_listeners)udp
Type Map($name->Struct(udp_listener))Description A map from listener names to listener settings.
mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
dtls
Type Map($name->Struct(dtls_listener))Description A map from listener names to listener settings.
mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
dtls_options
Type Struct(dtls_opts)Description DTLS socket options
cacertfile Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ocsp Type Struct(ocsp)refresh_interval Type DurationDefault 5mDescription The period to refresh the OCSP response for the server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.refresh_http_timeout Type DurationDefault 15sDescription The timeout for the HTTP request when checking OCSP responses.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
idle_timeout
Type DurationDefault 30sDescription The idle time of the client connection process. It has two purposes:
- A newly created client process that does not receive any client requests after that time will be closed directly.
- A running client process that does not receive any client requests after this time will go into hibernation to save resources.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
exproto
Type Struct(exproto)server
Type Struct(exproto_grpc_server)Description Configurations for starting the
ConnectionAdapterservicessl_options
Type Struct(ssl_server_opts)Description SSL configuration for the gRPC server.
cacertfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert
Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation
Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout
Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
handler
Type Struct(exproto_grpc_handler)Description Configurations for request to
ConnectionHandlerserviceservice_name
Type OneOf(String("ConnectionHandler"),String("ConnectionUnaryHandler"))Default ConnectionUnaryHandlerDescription The service name to handle the connection events. In the initial version, we expected to use streams to improve the efficiency of requests in
ConnectionHandler. But unfortunately, events between different streams are out of order. It causes theOnSocketCreatedevent to may arrive later thanOnReceivedBytes. So we added theConnectionUnaryHandlerservice since v5.0.25 and forced the use of Unary in it to avoid ordering problems.ssl_options
Type Struct(ssl_client_opts)Description SSL configuration for the gRPC client.
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
mountpoint
Type StringDefault ""Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
listeners
Type Struct(tcp_udp_listeners)tcp
Type Map($name->Struct(tcp_listener))Description A map from listener names to listener settings.
tcp_options
Type Struct(tcp_opts)Description Setting the TCP socket options.
send_timeout Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
ssl
Type Map($name->Struct(ssl_listener))Description A map from listener names to listener settings.
tcp_options
Type Struct(tcp_opts)Description Setting the TCP socket options.
send_timeout Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
ssl_options
Type Struct(listener_ssl_opts)Description SSL Socket options.
cacertfile Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ocsp Type Struct(ocsp)refresh_interval Type DurationDefault 5mDescription The period to refresh the OCSP response for the server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.refresh_http_timeout Type DurationDefault 15sDescription The timeout for the HTTP request when checking OCSP responses.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
udp
Type Map($name->Struct(udp_listener))Description A map from listener names to listener settings.
mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
dtls
Type Map($name->Struct(dtls_listener))Description A map from listener names to listener settings.
mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
dtls_options
Type Struct(dtls_opts)Description DTLS socket options
cacertfile Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ocsp Type Struct(ocsp)refresh_interval Type DurationDefault 5mDescription The period to refresh the OCSP response for the server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.refresh_http_timeout Type DurationDefault 15sDescription The timeout for the HTTP request when checking OCSP responses.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
idle_timeout
Type DurationDefault 30sDescription The idle time of the client connection process. It has two purposes:
- A newly created client process that does not receive any client requests after that time will be closed directly.
- A running client process that does not receive any client requests after this time will go into hibernation to save resources.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
ocpp
Type Struct(ocpp)mountpoint
Type StringDefault "ocpp/"Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
default_heartbeat_interval
Type Duration(s)Default 60sDescription The default Heartbeat time interval
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.message_format_checking
Type OneOf(String("all"),String("upstream_only"),String("dnstream_only"),String("disable"))Default disableDescription Whether to enable message format legality checking. EMQX checks the message format of the upload stream and download stream against the format defined in json-schema. When the check fails, emqx will reply with a corresponding answer message.
The checking strategy can be one of the following values:
all: check all messagesupstream_only: check upload stream messages onlydnstream_only: check download stream messages onlydisable: don't check any messages
listeners
Type Struct(ws_listeners)ws
Type Map($name->Struct(ws_listener))Description Websocket listener.
tcp_options
Type Struct(tcp_opts)Description Setting the TCP socket options.
send_timeout Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
websocket
Type Struct(websocket)idle_timeout Type DurationDefault 7200sDescription Close transport-layer connections from the clients that have not sent MQTT CONNECT message within this interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
wss
Type Map($name->Struct(wss_listener))Description Websocket over TLS listener.
tcp_options
Type Struct(tcp_opts)Description Setting the TCP socket options.
send_timeout Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
ssl_options
Type Struct(listener_wss_opts)Description SSL Socket options.
cacertfile Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
websocket
Type Struct(websocket)idle_timeout Type DurationDefault 7200sDescription Close transport-layer connections from the clients that have not sent MQTT CONNECT message within this interval.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
idle_timeout
Type DurationDefault 30sDescription The idle time of the client connection process. It has two purposes:
- A newly created client process that does not receive any client requests after that time will be closed directly.
- A running client process that does not receive any client requests after this time will go into hibernation to save resources.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
gbt32960
Type Struct(gbt32960)mountpoint
Type StringDefault "gbt32960/${clientid}/"Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
retry_interval
Type DurationDefault 8sDescription Re-send time interval
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.listeners
Type Struct(tcp_listeners)tcp
Type Map($name->Struct(tcp_listener))Description A map from listener names to listener settings.
tcp_options
Type Struct(tcp_opts)Description Setting the TCP socket options.
send_timeout Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
ssl
Type Map($name->Struct(ssl_listener))Description A map from listener names to listener settings.
tcp_options
Type Struct(tcp_opts)Description Setting the TCP socket options.
send_timeout Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
ssl_options
Type Struct(listener_ssl_opts)Description SSL Socket options.
cacertfile Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ocsp Type Struct(ocsp)refresh_interval Type DurationDefault 5mDescription The period to refresh the OCSP response for the server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.refresh_http_timeout Type DurationDefault 15sDescription The timeout for the HTTP request when checking OCSP responses.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
idle_timeout
Type DurationDefault 30sDescription The idle time of the client connection process. It has two purposes:
- A newly created client process that does not receive any client requests after that time will be closed directly.
- A running client process that does not receive any client requests after this time will go into hibernation to save resources.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
lwm2m
Type Struct(lwm2m)lifetime_min
Type DurationDefault 15sDescription Minimum value of lifetime allowed to be set by the LwM2M client.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.lifetime_max
Type DurationDefault 86400sDescription Maximum value of lifetime allowed to be set by the LwM2M client.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.qmode_time_window
Type Duration(s)Default 22sDescription The value of the time window during which the network link is considered valid by the LwM2M Gateway in QMode mode. For example, after receiving an update message from a client, any messages within this time window are sent directly to the LwM2M client, and all messages beyond this time window are temporarily stored in memory.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.update_msg_publish_condition
Type Enum(always,contains_object_list)Default contains_object_listDescription Policy for publishing UPDATE event message.
- always: send update events as long as the UPDATE request is received.
- contains_object_list: send update events only if the UPDATE request carries any Object List
- always: send update events as long as the UPDATE request is received.
translators
Type Struct(lwm2m_translators)Description Topic configuration for LwM2M's gateway publishing and subscription.
mountpoint
Type StringDefault "lwm2m/${endpoint_name}/"Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
listeners
Type Struct(udp_listeners)udp
Type Map($name->Struct(udp_listener))Description A map from listener names to listener settings.
mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
dtls
Type Map($name->Struct(dtls_listener))Description A map from listener names to listener settings.
mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
dtls_options
Type Struct(dtls_opts)Description DTLS socket options
cacertfile Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ocsp Type Struct(ocsp)refresh_interval Type DurationDefault 5mDescription The period to refresh the OCSP response for the server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.refresh_http_timeout Type DurationDefault 15sDescription The timeout for the HTTP request when checking OCSP responses.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
idle_timeout
Type DurationDefault 30sDescription The idle time of the client connection process. It has two purposes:
- A newly created client process that does not receive any client requests after that time will be closed directly.
- A running client process that does not receive any client requests after this time will go into hibernation to save resources.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
stomp
Type Struct(stomp)mountpoint
Type StringDefault ""Description When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
listeners
Type Struct(tcp_listeners)tcp
Type Map($name->Struct(tcp_listener))Description A map from listener names to listener settings.
tcp_options
Type Struct(tcp_opts)Description Setting the TCP socket options.
send_timeout Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
ssl
Type Map($name->Struct(ssl_listener))Description A map from listener names to listener settings.
tcp_options
Type Struct(tcp_opts)Description Setting the TCP socket options.
send_timeout Type DurationDefault 15sDescription The TCP send timeout for the connections.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.high_watermark Type BytesizeDefault 1MBDescription The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.keepalive Type StringDefault noneDescription Enable TCP keepalive for MQTT connections over TCP or SSL. The value is three comma separated numbers in the format of 'Idle,Interval,Probes'
- Idle: The number of seconds a connection needs to be idle before the server begins to send out keep-alive probes (Linux default 7200).
- Interval: The number of seconds between TCP keep-alive probes (Linux default 75).
- Probes: The maximum number of TCP keep-alive probes to send before giving up and killing the connection if no response is obtained from the other end (Linux default 9). For example "240,30,5" means: EMQX should start sending TCP keepalive probes after the connection is in idle for 240 seconds, and the probes are sent every 30 seconds until a response is received from the MQTT client, if it misses 5 consecutive responses, EMQX should close the connection. Default: 'none'
proxy_protocol_timeout
Type DurationDefault 3sDescription Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.mountpoint
Type StringDescription When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to
twithlisteners.tcp.\<name>.mountpointset tosome_tenant, then the client actually subscribes to the topicsome_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topict, the message is routed to all the clients subscribedsome_tenant/t, so client A will receive the message, with topic namet. Set to""to disable the feature. Supported placeholders in mountpoint string:${clientid}: clientid${username}: username${endpoint_name}: endpoint name
ssl_options
Type Struct(listener_ssl_opts)Description SSL Socket options.
cacertfile Type StringDefault "${EMQX_ETC_DIR}/certs/cacert.pem"Description Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile Type StringDefault "${EMQX_ETC_DIR}/certs/cert.pem"Description PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.fail_if_no_peer_cert Type BooleanDefault falseDescription Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).
client_renegotiation Type BooleanDefault trueDescription In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.
Has no effect when TLS version is configured (or negotiated) to 1.3handshake_timeout Type DurationDefault 15sDescription Maximum time duration allowed for the handshake to complete
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ocsp Type Struct(ocsp)refresh_interval Type DurationDefault 5mDescription The period to refresh the OCSP response for the server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.refresh_http_timeout Type DurationDefault 15sDescription The timeout for the HTTP request when checking OCSP responses.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
idle_timeout
Type DurationDefault 30sDescription The idle time of the client connection process. It has two purposes:
- A newly created client process that does not receive any client requests after that time will be closed directly.
- A running client process that does not receive any client requests after this time will go into hibernation to save resources.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
prometheus
Type OneOf(Struct(recommend_setting),Struct(legacy_deprecated_setting))Default {}push_gateway
Type Struct(push_gateway)Description Push Gateway is optional, should not be configured if prometheus is to scrape EMQX.
interval
Type DurationDefault 15sDescription Data reporting interval
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.job_name
Type StringDefault "${name}/instance/${name}~${host}"Description Job Name that is pushed to the Push Gateway. Available variables:
- ${name}: Name of EMQX node.
- ${host}: Host name of EMQX node.
For example, when the EMQX node name isemqx@127.0.0.1then thenamevariable takes valueemqxand thehostvariable takes value127.0.0.1. Default value is:${name}/instance/${name}~${host}
- ${name}: Name of EMQX node.
interval
Type DurationDefault 15sDescription Deprecated since 5.4.0, use
prometheus.push_gateway.intervalinstead
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
exhook
Type Struct(exhook)servers
Type Array(Struct(server))Default []Description List of exhook servers
request_timeout
Type DurationDefault 5sDescription The timeout of request gRPC server
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl
Type Struct(ssl_conf)cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
slow_subs
Type Struct(slow_subs)threshold
Type DurationDefault 500msDescription The latency threshold for statistics
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.expire_interval
Type DurationDefault 300sDescription The eviction time of the record, which in the statistics record table
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
opentelemetry
Type Struct(opentelemetry)metrics
Type Struct(otel_metrics)Description Open Telemetry Metrics configuration.
interval
Aliases scheduled_delay Type DurationDefault 10sDescription The delay interval between two consecutive exports of Open Telemetry signals.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
logs
Type Struct(otel_logs)Description Open Telemetry Logs configuration. If enabled, EMQX installs a log handler that formats events according to Open Telemetry log data model and exports them to the configured Open Telemetry collector or backend.
scheduled_delay
Type DurationDefault 1sDescription The delay interval between two consecutive exports of Open Telemetry signals.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
traces
Type Struct(otel_traces)Description Open Telemetry Traces configuration.
scheduled_delay
Type DurationDefault 5sDescription The delay interval between two consecutive exports of Open Telemetry signals.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
exporter
Type Struct(otel_exporter)Description Open Telemetry Exporter
ssl_options
Type Struct(ssl_client_opts)Default {enable = false}Description SSL configuration for the Open Telemetry exporter
cacertfile
Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile
Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth
Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers
Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate
Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after
Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication
Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
api_key
Type Struct(api_key)bootstrap_file
Type StringDefault ""Description The bootstrap file provides API keys for EMQX. EMQX will load these keys on startup to authorize API requests. It contains colon-separated values in the format:
api_key:api_secret:role. Each line specifies an API key and its associated secret, and the role of this key. The 'role' part should be the pre-defined access scope group name, for example,administratororviewer. The 'role' is introduced in 5.4, to be backward compatible, if it is missing, the key is implicitly grantedadministratorrole.
license
Type Struct(key_license)Description Defines the EMQX Enterprise license.
EMQX Enterprise is initially provided with a default trial license. This license, issued in December 2023, is valid for a period of 5 years. It supports up to 25 concurrent connections, catering to early-stage development and testing needs.
For deploying EMQX Enterprise in a production environment, a different license is required. You can apply for a production license by visiting https://www.emqx.com/apply-licenses/emqx?version=5
key
Type OneOf(String("default"),String)Default defaultDescription This configuration parameter is designated for the license key and supports below input formats:
- Direct Key: Enter the secret key directly as a string value.
- File Path: Specify the path to a file that contains the secret key. Ensure the path starts with
file://. - "default": Use string value
"default"to apply the default trial license.
Note: An invalid license key or an incorrect file path may prevent EMQX from starting successfully. If a file path is used, EMQX attempts to reload the license key from the file every 2 minutes. Any failure in reloading the license file will be recorded as an error level log message, and EMQX continues to apply the license loaded previously.
file_transfer
Type Struct(file_transfer)enable
Type BooleanDefault falseDescription Enable the File Transfer feature.
Enabling File Transfer implies reserving special MQTT topics in order to serve the protocol.
This toggle also affects the availability of the File Transfer REST API and storage-dependent background activities (e.g. garbage collection).init_timeout
Type DurationDefault 10sDescription Timeout for EMQX to initialize the file transfer.
After reaching the timeout (e.g. due to system is overloaded), the PUBACK message forinitwill contain error code (0x80).
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.store_segment_timeout
Type DurationDefault 5mDescription Timeout for storing a file segment.
After reaching the timeout (e.g. due to system overloaded), the PUBACK message will contain error code (0x80).
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.assemble_timeout
Type DurationDefault 5mDescription Timeout for assembling and exporting file segments into a final file.
After reaching the timeout (e.g. due to system is overloaded), the PUBACK message forfinwill contain error code (0x80)
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.storage
Type Struct(storage_backend)Default { local {} }Description Storage settings for file transfer.
local
Type Struct(local_storage)Description Local file system backend to store uploaded fragments and temporary data.
segments
Type Struct(local_storage_segments)Default { gc {} }Description Settings for local segments storage, which include uploaded transfer fragments and temporary data.
gc
Type Struct(local_storage_segments_gc)Description Garbage collection settings for the intermediate and temporary files in the local file system.
interval Type DurationDefault 1hDescription Interval of periodic garbage collection.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.maximum_segments_ttl Type Duration(s)Default 24hDescription Maximum TTL of a segment kept in the local file system.
This is a hard limit: no segment will outlive this TTL, even if some file transfer specifies a TTL more than that.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.minimum_segments_ttl Type Duration(s)Default 5mDescription Minimum TTL of a segment kept in the local file system.
This is a hard limit: no segment will be garbage collected before reaching this TTL, even if some file transfer specifies a TTL less than that.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.
exporter
Type Struct(local_storage_exporter_backend)Default { local {} }Description Exporter for the local file system storage backend.
Exporter defines where and how fully transferred and assembled files are stored.s3
Type Struct(s3_exporter)Description Exporter to the S3 API compatible object storage.
url_expire_time Type Duration(s)Default 1hDescription The time in seconds for which the signed URLs to the S3 objects are valid.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.min_part_size Type BytesizeDefault 5mbDescription The minimum part size for multipart uploads.
Uploaded data will be accumulated in memory until this size is reached.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.max_part_size Type BytesizeDefault 5gbDescription The maximum part size for multipart uploads.
S3 uploader won't try to upload parts larger than this size.
A string that represents a number of bytes, for example:10B,640kb,4MB,1GB. Units are interpreted as powers of 1024, and the unit part is case-insensitive.transport_options Type Struct(transport_options)Description Options for the HTTP transport layer used by the S3 client.
connect_timeout Type DurationDefault 15sDescription The timeout when connecting to the HTTP server.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.ssl Type Struct(ssl_client_opts)Default {enable = false}Description SSL connection settings.
cacertfile Type StringDescription Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.certfile Type StringDescription PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.depth Type Integer(0..+inf)Default 10Description Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.ciphers Type Array(String)Default []Description This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g.
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"or["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.
NOTE: Certain cipher suites are only compatible with specific TLS
versions('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in theversions, configuring cipher suites for other versions will have no effect.NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled fromversions.
PSK cipher suites:"RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384, RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256, RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA, RSA-PSK-DES-CBC3-SHA,RSA-PSK-RC4-SHA"secure_renegotiate Type BooleanDefault trueDescription SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.
Has no effect when TLS version is configured (or negotiated) to 1.3hibernate_after Type DurationDefault 5sDescription Hibernate the SSL process after idling for amount of time reducing its memory footprint.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.server_name_indication Type OneOf(String("disable"),String)Description Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "server.example.net", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP address used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.
request_timeout Type DurationDescription HTTP request timeout.
A string that represents a time duration, for example:10s,2.5m,1h30m,1W2D, or2345ms, which is the smallest unit. When precision is specified, finer portions of the duration may be ignored: writing1200msforDuration(s)is equivalent to writing1s. The unit part is case-insensitive.