Skip to content

Instantly share code, notes, and snippets.

@devilankur18

devilankur18/emq.config

Created April 4, 2018 14:41
Show Gist options
  • Save devilankur18/3af9af02ac23feed4cbd78dcea159774 to your computer and use it in GitHub Desktop.
Save devilankur18/3af9af02ac23feed4cbd78dcea159774 to your computer and use it in GitHub Desktop.
Download ZIP
deploy elasticbeanstalk on ec2 instance, with auto join cluster and auto scale
Raw
emq.config
files:
# If this file is edited, it must be removed from EC2 instance prior to deploy.
"/opt/elasticbeanstalk/hooks/appdeploy/pre/09_emq_install.sh" :
mode: "000775"
owner: root
group: users
content: |
#!/bin/bash -xe
export NODE_USERNAME=emq
# To uninstall emqttd
# rpm -e emqttd-2.3-1.el6.x86_64
# If emqtt is not detected, install it.
if which emqttd; then
echo "Skipping installation of emqttd -- emqttd already installed."
echo "emqttd process: `emqttd pid`"
else
cd /tmp
rm -rf emqttd-centos6.8-v2.3.6-1.el6.x86_64.rpm
# wget http://emqtt.io/downloads/latest/centos6-rpm
wget http://emqtt.io/static/brokers/emqttd-centos6.8-v2.3.6-1.el6.x86_64.rpm
# Install the rpm
rpm -ivh --force emqttd-centos6.8-v2.3.6-1.el6.x86_64.rpm
fi
if emqttd pid; then
echo "Skipping configuration of emqttd, service already running."
echo "emqttd process: `emqttd pid`"
else
# Setup file
export NODE_NAME=`curl http://169.254.169.254/latest/meta-data/local-ipv4`
#sed -i 's/emq@HOSTNAME/$NODE_USERNAME@$NODE_HOSTNAME/g' /etc/emqttd/emq.conf
cat /tmp/emq.conf | while read line; do echo $(eval echo `echo $line`); done > /etc/emqttd/emq.conf
service emqttd stop
pkill beam || echo "Process was not running."
service emqttd start
fi
# Join cluster
# INSTANCE_ID=`curl http://169.254.169.254/latest/meta-data/instance-id`
SG_ID=`curl http://169.254.169.254/latest/meta-data/security-groups`
NODE_IPS=`aws ec2 describe-instances --region=us-east-1 --filters "Name=instance.group-name,Values=$SG_ID" --query 'Reservations[].Instances[].[PrivateIpAddress]' --output text`
#for node_ip in $(aws ec2 describe-instances --region=us-east-1 --filters "Name=instance.group-name,Values=$SG_ID" --query 'Reservations[].Instances[].[PrivateIpAddress]' --output text);
for node_ip in $NODE_IPS
do
emqttd_ctl cluster join $NODE_USERNAME@$node_ip || echo 'Already handled'
done
"/tmp/emq.conf" :
content: |
##====================================================================
## EMQ Configuration R2
##====================================================================
##--------------------------------------------------------------------
## Cluster
##--------------------------------------------------------------------
## Cluster name.
cluster.name = runlive
## Cluster auto-discovery strategy.
##
## Value: Enum
## - manual: Manual join command
## - static: Static node list
## - mcast: IP Multicast
## - dns: DNS A Record
## - etcd: etcd
## - k8s: Kubernates
##
## Default: manual
cluster.discovery = manual
## Enable cluster autoheal from network partition.
##
## Value: on | off
##
## Default: on
cluster.autoheal = on
## Autoclean down node. A down node will be removed from the cluster
## if this value > 0.
##
## Value: Duration
## -h: hour, e.g. '2h' for 2 hours
## -m: minute, e.g. '5m' for 5 minutes
## -s: second, e.g. '30s' for 30 seconds
##
## Default: 5m
cluster.autoclean = 5m
##--------------------------------------------------------------------
## Cluster using static node list
## Node list of the cluster.
##
## Value: String
## cluster.static.seeds = [email protected],[email protected]
##--------------------------------------------------------------------
## Cluster using IP Multicast.
## IP Multicast Address.
##
## Value: IP Address
## cluster.mcast.addr = 239.192.0.1
## Multicast Ports.
##
## Value: Port List
## cluster.mcast.ports = 4369,4370
## Multicast Iface.
##
## Value: Iface Address
##
## Default: 0.0.0.0
## cluster.mcast.iface = 0.0.0.0
## Multicast Ttl.
##
## Value: 0-255
## cluster.mcast.ttl = 255
## Multicast loop.
##
## Value: on | off
## cluster.mcast.loop = on
##--------------------------------------------------------------------
## Cluster using DNS A records.
## DNS name.
##
## Value: String
## cluster.dns.name = localhost
## The App name is used to build 'node.name' with IP address.
##
## Value: String
## cluster.dns.app = emq
##--------------------------------------------------------------------
## Cluster using etcd
## Etcd server list, seperated by ','.
##
## Value: String
## cluster.etcd.server = http://127.0.0.1:2379
## The prefix helps build nodes path in etcd. Each node in the cluster
## will create a path in etcd: v2/keys/<prefix>/<cluster.name>/<node.name>
##
## Value: String
## cluster.etcd.prefix = emqcl
## The TTL for node's path in etcd.
##
## Value: Duration
##
## Default: 1m, 1 minute
## cluster.etcd.node_ttl = 1m
##--------------------------------------------------------------------
## Cluster using Kubernates
## Kubernates API server list, seperated by ','.
##
## Value: String
## cluster.k8s.apiserver = http://10.110.111.204:8080
## The service name helps lookup EMQ nodes in the cluster.
##
## Value: String
## cluster.k8s.service_name = emq
## The address type is used to extract host from k8s service.
##
## Value: ip | dns
## cluster.k8s.address_type = ip
## The app name helps build 'node.name'.
##
## Value: String
## cluster.k8s.app_name = emq
##--------------------------------------------------------------------
## Node Args
##--------------------------------------------------------------------
## Node name.
##
## See: http://erlang.org/doc/reference_manual/distributed.html
##
## Value: <name>@<host>
##
## Default: [email protected]
## node.name = [email protected]
node.name = emq@$NODE_NAME
## Cookie for distributed node communication.
##
## Value: String
node.cookie = emqsecretcookie
## Enable SMP support of Erlang VM.
##
## Value: enable | auto | disable
node.smp = auto
## Heartbeat monitoring of an Erlang runtime system. Comment the line to disable
## heartbeat, or set the value as 'on'
##
## Value: on
##
## vm.args: -heart
## node.heartbeat = on
## Enable kernel poll.
##
## Value: on | off
##
## Default: on
node.kernel_poll = on
## Sets the number of threads in async thread pool. Valid range is 0-1024.
##
## See: http://erlang.org/doc/man/erl.html
##
## Value: 0-1024
##
## vm.args: +A Number
node.async_threads = 32
## Sets the maximum number of simultaneously existing processes for this
## system if a Number is passed as value.
##
## See: http://erlang.org/doc/man/erl.html
##
## Value: Number [1024-134217727]
##
## vm.args: +P Number
node.process_limit = 256000
## Sets the maximum number of simultaneously existing ports for this system
## if a Number is passed as value.
##
## See: http://erlang.org/doc/man/erl.html
##
## Value: Number [1024-134217727]
##
## vm.args: +Q Number
node.max_ports = 65536
## Set the distribution buffer busy limit (dist_buf_busy_limit).
##
## See: http://erlang.org/doc/man/erl.html
##
## Value: Number [1KB-2GB]
##
## vm.args: +zdbbl size
node.dist_buffer_size = 8MB
## Sets the maximum number of ETS tables. Note that mnesia and SSL will
## create temporary ETS tables.
##
## Value: Number
##
## vm.args: +e Number
node.max_ets_tables = 256000
## Tweak GC to run more often.
##
## Value: Number [0-65535]
##
## vm.args: -env ERL_FULLSWEEP_AFTER Number
node.fullsweep_after = 1000
## Crash dump log file.
##
## Value: Log file
node.crash_dump = /var/log/emqttd/crash.dump
## Specify the erlang distributed protocol.
##
## Value: Enum
## - inet_tcp: the default; handles TCP streams with IPv4 addressing.
## - inet6_tcp: handles TCP with IPv6 addressing.
## - inet_tls: using TLS for Erlang Distribution.
##
## vm.args: -proto_dist inet_tcp
node.proto_dist = inet_tcp
## Specify SSL Options in the file if using SSL for Erlang Distribution.
##
## Value: File
##
## vm.args: -ssl_dist_optfile <File>
## node.ssl_dist_optfile = /etc/emqttd/ssl_dist.conf
## Sets the net_kernel tick time. TickTime is specified in seconds.
## Notice that all communicating nodes are to have the same TickTime
## value specified.
##
## See: http://www.erlang.org/doc/man/kernel_app.html#net_ticktime
##
## Value: Number
##
## vm.args: -kernel net_ticktime Number
node.dist_net_ticktime = 60
## Sets the port range for the listener socket of a distributed Erlang node.
## Note that if there are firewalls between clustered nodes, this port segment
## for nodes’ communication should be allowed.
##
## See: http://www.erlang.org/doc/man/kernel_app.html
##
## Value: Port [1024-65535]
node.dist_listen_min = 6369
node.dist_listen_max = 6379
##--------------------------------------------------------------------
## Log
##--------------------------------------------------------------------
## Sets the log dir.
##
## Value: Folder
log.dir = /var/log/emqttd
## Where to emit the console logs.
##
## Value: off | file | console | both
## - off: disabled
## - file: write to file
## - console: write to stdout
## - both: file and stdout
log.console = console
## Sets the severity level of console log.
##
## Value: debug | info | notice | warning | error | critical | alert | emergency
##
## Default: error
log.console.level = error
## The file where console logs will be writed to, when 'log.console' is set as 'file'.
##
## Value: File Name
## log.console.file = /var/log/emqttd/console.log
## Maximum file size for console log.
##
## Value: Number(bytes)
## log.console.size = 10485760
## The rotation count for console log.
##
## Value: Number
## log.console.count = 5
## The file where info logs will be writed to.
##
## Value: File Name
## log.info.file = /var/log/emqttd/info.log
## Maximum file size for info log.
##
## Value: Number(bytes)
## log.info.size = 10485760
## The rotation count for info log.
##
## Value: Number
## log.info.count = 5
## The file where error logs will be writed to.
##
## Value: File Name
log.error.file = /var/log/emqttd/error.log
## Maximum file size for error log.
##
## Value: Number(bytes)
log.error.size = 10485760
## The rotation count for error log.
##
## Value: Number
log.error.count = 5
## Enable the crash log.
##
## Value: on | off
log.crash = on
## The file for crash log.
##
## Value: File Name
log.crash.file = /var/log/emqttd/crash.log
## Enable syslog.
##
## Values: on | off
log.syslog = on
## Sets the severity level for syslog.
##
## Value: debug | info | notice | warning | error | critical | alert | emergency
log.syslog.level = error
##--------------------------------------------------------------------
## Allow Anonymous Authentication and Default ACL
##--------------------------------------------------------------------
## Allow Anonymous Authentication.
##
## Notice: Disable the option for production deployment.
##
## Value: true | false
mqtt.allow_anonymous = true
## Default behaviour when ACL nomatch.
##
## Value: allow | deny
mqtt.acl_nomatch = allow
## Default ACL File.
##
## Value: File Name
mqtt.acl_file = /etc/emqttd/acl.conf
## Whether to cache ACL for publish messages.
##
## Value: true | false
mqtt.cache_acl = true
##--------------------------------------------------------------------
## MQTT Protocol
##--------------------------------------------------------------------
## Maximum length of MQTT clientId allowed.
##
## Value: Number [23-65535]
mqtt.max_clientid_len = 1024
## Maximum MQTT packet size allowed.
##
## Value: Bytes
##
## Default: 64K
mqtt.max_packet_size = 64KB
## Check if the websocket protocol header is valid.
## Turn off the option when developing WeChat App.
##
## Value: on | off
mqtt.websocket_protocol_header = on
## The backoff for MQTT keepalive timeout.
## EMQ will kick a MQTT connection out until 'Keepalive * backoff * 2' timeout.
##
## Value: Float > 0.5
mqtt.keepalive_backoff = 0.75
##--------------------------------------------------------------------
## MQTT Connection
##--------------------------------------------------------------------
## Force GC the MQTT connections. Value 0 will disable the Force GC.
##
## Value: Number >= 0
mqtt.conn.force_gc_count = 100
##--------------------------------------------------------------------
## MQTT Client
##--------------------------------------------------------------------
## MQTT client idle timeout, specified in seconds.
##
## Value: Duration
mqtt.client.idle_timeout = 30s
## TODO: Maximum publish rate of MQTT messages per second.
##
## Value: Number
## mqtt.client.max_publish_rate = 5
## Enable per client statistics.
##
## Value: on | off
mqtt.client.enable_stats = off
##--------------------------------------------------------------------
## MQTT Session
##--------------------------------------------------------------------
## Maximum number of subscriptions allowed, 0 means no limit.
##
## Value: Number
mqtt.session.max_subscriptions = 0
## Force to upgrade QoS according to subscription.
##
## Value: on | off
mqtt.session.upgrade_qos = off
## Maximum size of the Inflight Window storing QoS1/2 messages delivered but unacked.
##
## Value: Number
mqtt.session.max_inflight = 32
## Retry interval for QoS1/2 message delivering.
##
## Value: Duration
mqtt.session.retry_interval = 20s
## Maximum QoS2 packets (Client -> Broker) awaiting PUBREL, 0 means no limit.
##
## Value: Number
mqtt.session.max_awaiting_rel = 1000
## The QoS2 messages (Client -> Broker) will be dropped if awaiting PUBREL timeout.
##
## Value: Duration
mqtt.session.await_rel_timeout = 30s
## Enable per session statistics.
##
## Value: on | off
mqtt.session.enable_stats = on
## Session expiration time.
##
## Value: Duration
## -d: day
## -h: hour
## -m: minute
## -s: second
##
## Default: 2h, 2 hours
mqtt.session.expiry_interval = 2h
## Whether to ignore loop delivery of messages.
##
## Value: true | false
##
## Default: false
mqtt.session.ignore_loop_deliver = false
##--------------------------------------------------------------------
## MQTT Message Queue
##--------------------------------------------------------------------
## Message queue type.
##
## Value: simple | priority
mqtt.mqueue.type = simple
## Topic priority. Default is 0.
##
## Value: Number [0-255]
##
## mqtt.mqueue.priority = topic/1=10,topic/2=8
## Maximum queue length. Enqueued messages when persistent client disconnected,
## or inflight window is full. 0 means no limit.
##
## Value: Number >= 0
mqtt.mqueue.max_length = 1000
## Low-water mark of queued messages.
##
## Value: Percent
mqtt.mqueue.low_watermark = 20%
## High-water mark of queued messages.
##
## Value: Percent
mqtt.mqueue.high_watermark = 60%
## Whether to enqueue Qos0 messages.
##
## Value: false | true
mqtt.mqueue.store_qos0 = true
##--------------------------------------------------------------------
## MQTT Broker and PubSub
##--------------------------------------------------------------------
## System interval of publishing $SYS messages.
##
## Value: Duration
##
## Default: 1m, 1 minute
mqtt.broker.sys_interval = 1m
## The PubSub pool size. Default value should be same as scheduler numbers.
##
## Value: Number > 1
mqtt.pubsub.pool_size = 8
## TODO: Subscribe asynchronously.
##
## Value: true | false
mqtt.pubsub.async = true
##--------------------------------------------------------------------
## MQTT Bridge
##--------------------------------------------------------------------
## The pending message queue size of bridge.
##
## Value: Number
mqtt.bridge.max_queue_len = 10000
## Ping interval of bridge node.
##
## Value: Duration
##
## Default: 1s, 1 second
mqtt.bridge.ping_down_interval = 1s
##-------------------------------------------------------------------
## MQTT Plugins
##-------------------------------------------------------------------
## The etc dir for plugins' config.
##
## Value: Folder
mqtt.plugins.etc_dir =/etc/emqttd/plugins/
## The file to store loaded plugin names.
##
## Value: File
mqtt.plugins.loaded_file = /var/lib/emqttd/loaded_plugins
##--------------------------------------------------------------------
## MQTT Listeners
##--------------------------------------------------------------------
##--------------------------------------------------------------------
## MQTT/TCP - External TCP Listener for MQTT Protocol
## listener.tcp.<name> is the IP address and port that the MQTT/TCP
## listener will bind.
##
## Value: IP:Port | Port
##
## Examples: 1883, 127.0.0.1:1883, ::1:1883
listener.tcp.external = 0.0.0.0:1883
## The acceptor pool for external MQTT/TCP listener.
##
## Value: Number
listener.tcp.external.acceptors = 16
## Maximum number of concurrent MQTT/TCP connections.
##
## Value: Number
listener.tcp.external.max_clients = 102400
## TODO: Zone of the external MQTT/TCP listener belonged to.
##
## Value: String
## listener.tcp.external.zone = external
## Mountpoint of the MQTT/TCP Listener. All the topics of this
## listener will be prefixed with the mount point if this option
## is enabled.
##
## Value: String
## listener.tcp.external.mountpoint = external/
## Rate limit for the external MQTT/TCP connections.
## Format is 'burst,rate'.
##
## Value: burst,rate
## Unit: KB/sec
## listener.tcp.external.rate_limit = 100,10
## The access control rules for the MQTT/TCP listener.
##
## See: https://github.com/emqtt/esockd#allowdeny
##
## Value: ACL Rule
##
## Example: allow 192.168.0.0/24
listener.tcp.external.access.1 = allow all
## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed
## behind HAProxy or Nginx.
##
## See: https://www.haproxy.com/blog/haproxy/proxy-protocol/
##
## Value: on | off
## listener.tcp.external.proxy_protocol = on
## Sets the timeout for proxy protocol. EMQ will close the TCP connection
## if no proxy protocol packet recevied within the timeout.
##
## Value: Duration
## listener.tcp.external.proxy_protocol_timeout = 3s
## Enable the option for X.509 certificate based authentication.
## EMQ will Use the PP2_SUBTYPE_SSL_CN field in Proxy Protocol V2
## as MQTT username.
##
## Value: cn
## listener.tcp.external.peer_cert_as_username = cn
## The TCP backlog defines the maximum length that the queue of pending
## connections can grow to.
##
## Value: Number >= 0
listener.tcp.external.backlog = 1024
## The TCP send timeout for external MQTT connections.
##
## Value: Duration
listener.tcp.external.send_timeout = 15s
## Close the TCP connection if send timeout.
##
## Value: on | off
listener.tcp.external.send_timeout_close = on
## The TCP receive buffer(os kernel) for MQTT connections.
##
## See: http://erlang.org/doc/man/inet.html
##
## Value: Bytes
## listener.tcp.external.recbuf = 4KB
## The TCP send buffer(os kernel) for MQTT connections.
##
## See: http://erlang.org/doc/man/inet.html
##
## Value: Bytes
## listener.tcp.external.sndbuf = 4KB
## The size of the user-level software buffer used by the driver.
## Not to be confused with options sndbuf and recbuf, which correspond
## to the Kernel socket buffers. It is recommended to have val(buffer)
## >= max(val(sndbuf),val(recbuf)) to avoid performance issues because
## of unnecessary copying. val(buffer) is automatically set to the above
## maximum when values sndbuf or recbuf are set.
##
## See: http://erlang.org/doc/man/inet.html
##
## Value: Bytes
## listener.tcp.external.buffer = 4KB
## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
##
## Value: on | off
## listener.tcp.external.tune_buffer = off
## The TCP_NODELAY flag for MQTT connections. Small amounts of data are
## sent immediately if the option is enabled.
##
## Value: true | false
listener.tcp.external.nodelay = true
## The SO_REUSEADDR flag for TCP listener.
##
## Value: true | false
listener.tcp.external.reuseaddr = true
##--------------------------------------------------------------------
## Internal TCP Listener for MQTT Protocol
## The IP address and port that the internal MQTT/TCP protocol listener
## will bind.
##
## Value: IP:Port, Port
##
## Examples: 11883, 127.0.0.1:11883, ::1:11883
listener.tcp.internal = 127.0.0.1:11883
## The acceptor pool for internal MQTT/TCP listener.
##
## Value: Number
listener.tcp.internal.acceptors = 4
## Maximum number of concurrent MQTT/TCP connections.
##
## Value: Number
listener.tcp.internal.max_clients = 102400
## TODO: Zone of the internal MQTT/TCP listener belonged to.
##
## Value: String
## listener.tcp.internal.zone = internal
## Mountpoint of the MQTT/TCP Listener.
##
## See: listener.tcp.<name>.mountpoint
##
## Value: String
## listener.tcp.internal.mountpoint = internal/
## Rate limit for the internal MQTT/TCP connections.
##
## See: listener.tcp.<name>.rate_limit
##
## Value: burst,rate
## listener.tcp.internal.rate_limit = 1000,100
## The TCP backlog of internal MQTT/TCP Listener.
##
## See: listener.tcp.<name>.backlog
##
## Value: Number >= 0
listener.tcp.internal.backlog = 512
## The TCP send timeout for internal MQTT connections.
##
## See: listener.tcp.<name>.send_timeout
##
## Value: Duration
listener.tcp.internal.send_timeout = 5s
## Close the MQTT/TCP connection if send timeout.
##
## See: listener.tcp.<name>.send_timeout_close
##
## Value: on | off
listener.tcp.external.send_timeout_close = on
## The TCP receive buffer(os kernel) for internal MQTT connections.
##
## See: listener.tcp.<name>.recbuf
##
## Value: Bytes
## listener.tcp.internal.recbuf = 16KB
## The TCP send buffer(os kernel) for internal MQTT connections.
##
## See: http://erlang.org/doc/man/inet.html
##
## Value: Bytes
## listener.tcp.internal.sndbuf = 16KB
## The size of the user-level software buffer used by the driver.
##
## See: listener.tcp.<name>.buffer
##
## Value: Bytes
## listener.tcp.internal.buffer = 16KB
## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
##
## See: listener.tcp.<name>.tune_buffer
##
## Value: on | off
## listener.tcp.internal.tune_buffer = off
## The TCP_NODELAY flag for internal MQTT connections.
##
## See: listener.tcp.<name>.nodelay
##
## Value: true | false
listener.tcp.internal.nodelay = false
## The SO_REUSEADDR flag for MQTT/TCP Listener.
##
## Value: true | false
listener.tcp.internal.reuseaddr = true
##--------------------------------------------------------------------
## MQTT/SSL - External SSL Listener for MQTT Protocol
## listener.ssl.<name> is the IP address and port that the MQTT/SSL
## listener will bind.
##
## Value: IP:Port | Port
##
## Examples: 8883, 127.0.0.1:8883, ::1:8883
listener.ssl.external = 8883
## The acceptor pool for external MQTT/SSL listener.
##
## Value: Number
listener.ssl.external.acceptors = 16
## Maximum number of concurrent MQTT/SSL connections.
##
## Value: Number
listener.ssl.external.max_clients = 1024
## TODO: Zone of the external MQTT/SSL listener belonged to.
##
## Value: String
## listener.ssl.external.zone = external
## Mountpoint of the MQTT/SSL Listener.
##
## Value: String
## listener.ssl.external.mountpoint = inbound/
## The access control rules for the MQTT/SSL listener.
##
## See: listener.tcp.<name>.access
##
## Value: ACL Rule
listener.ssl.external.access.1 = allow all
## Rate limit for the external MQTT/SSL connections.
##
## Value: burst,rate
## listener.ssl.external.rate_limit = 100,10
## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind
## HAProxy or Nginx.
##
## See: listener.tcp.<name>.proxy_protocol
##
## Value: on | off
## listener.ssl.external.proxy_protocol = on
## Sets the timeout for proxy protocol.
##
## See: listener.tcp.<name>.proxy_protocol_timeout
##
## Value: Duration
## listener.ssl.external.proxy_protocol_timeout = 3s
## TLS versions only to protect from POODLE attack.
##
## See: http://erlang.org/doc/man/ssl.html
##
## Value: String, seperated by ','
## listener.ssl.external.tls_versions = tlsv1.2,tlsv1.1,tlsv1
## TLS Handshake timeout.
##
## Value: Duration
listener.ssl.external.handshake_timeout = 15s
## Path to the file containing the user's private PEM-encoded key.
##
## See: http://erlang.org/doc/man/ssl.html
##
## Value: File
listener.ssl.external.keyfile = /etc/emqttd/certs/key.pem
## Path to a file containing the user certificate.
##
## See: http://erlang.org/doc/man/ssl.html
##
## Value: File
listener.ssl.external.certfile = /etc/emqttd/certs/cert.pem
## Path to the file containing PEM-encoded CA certificates. The CA certificates
## are used during server authentication and when building the client certificate chain.
##
## Value: File
## listener.ssl.external.cacertfile = /etc/emqttd/certs/cacert.pem
## The Ephemeral Diffie-Helman key exchange is a very effective way of
## ensuring Forward Secrecy by exchanging a set of keys that never hit
## the wire. Since the DH key is effectively signed by the private key,
## it needs to be at least as strong as the private key. In addition,
## the default DH groups that most of the OpenSSL installations have
## are only a handful (since they are distributed with the OpenSSL
## package that has been built for the operating system it’s running on)
## and hence predictable (not to mention, 1024 bits only).
## In order to escape this situation, first we need to generate a fresh,
## strong DH group, store it in a file and then use the option above,
## to force our SSL application to use the new DH group. Fortunately,
## OpenSSL provides us with a tool to do that. Simply run:
## openssl dhparam -out dh-params.pem 2048
##
## Value: File
## listener.ssl.external.dhfile = /etc/emqttd/certs/dh-params.pem
## A server only does x509-path validation in mode verify_peer,
## as it then sends a certificate request to the client (this
## message is not sent if the verify option is verify_none).
## You can then also want to specify option fail_if_no_peer_cert.
## More information at: http://erlang.org/doc/man/ssl.html
##
## Value: verify_peer | verify_none
## listener.ssl.external.verify = verify_peer
## Used together with {verify, verify_peer} by an SSL server. If set to true,
## the server fails if the client does not have a certificate to send, that is,
## sends an empty certificate.
##
## Value: true | false
## listener.ssl.external.fail_if_no_peer_cert = true
## This is the single most important configuration option of an Erlang SSL
## application. Ciphers (and their ordering) define the way the client and
## server encrypt information over the wire, from the initial Diffie-Helman
## key exchange, the session key encryption ## algorithm and the message
## digest algorithm. Selecting a good cipher suite is critical for the
## application’s data security, confidentiality and performance.
##
## The cipher list above offers:
##
## A good balance between compatibility with older browsers.
## It can get stricter for Machine-To-Machine scenarios.
## Perfect Forward Secrecy.
## No old/insecure encryption and HMAC algorithms
##
## Most of it was copied from Mozilla’s Server Side TLS article
##
## Value: Ciphers
## listener.ssl.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
## SSL parameter renegotiation is a feature that allows a client and a server
## to renegotiate the parameters of the SSL connection on the fly.
## RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
## you drop support for the insecure renegotiation, prone to MitM attacks.
##
## Value: on | off
## listener.ssl.external.secure_renegotiate = off
## A performance optimization setting, it allows clients to reuse
## pre-existing sessions, instead of initializing new ones.
## Read more about it here.
##
## See: http://erlang.org/doc/man/ssl.html
##
## Value: on | off
## listener.ssl.external.reuse_sessions = on
## An important security setting, it forces the cipher to be set based
## on the server-specified order instead of the client-specified order,
## hence enforcing the (usually more properly configured) security
## ordering of the server administrator.
##
## Value: on | off
## listener.ssl.external.honor_cipher_order = on
## Use the CN or DN value from the client certificate as a username.
## Notice that 'verify' should be set as 'verify_peer'.
##
## Value: cn | dn
## listener.ssl.external.peer_cert_as_username = cn
## TCP backlog for the SSL connection.
##
## See listener.tcp.<name>.backlog
##
## Value: Number >= 0
## listener.ssl.external.backlog = 1024
## The TCP send timeout for the SSL connection.
##
## See listener.tcp.<name>.send_timeout
##
## Value: Duration
## listener.ssl.external.send_timeout = 15s
## Close the SSL connection if send timeout.
##
## See: listener.tcp.<name>.send_timeout_close
##
## Value: on | off
## listener.ssl.external.send_timeout_close = on
## The TCP receive buffer(os kernel) for the SSL connections.
##
## See: listener.tcp.<name>.recbuf
##
## Value: Bytes
## listener.ssl.external.recbuf = 4KB
## The TCP send buffer(os kernel) for internal MQTT connections.
##
## See: listener.tcp.<name>.sndbuf
##
## Value: Bytes
## listener.ssl.external.sndbuf = 4KB
## The size of the user-level software buffer used by the driver.
##
## See: listener.tcp.<name>.buffer
##
## Value: Bytes
## listener.ssl.external.buffer = 4KB
## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
##
## See: listener.tcp.<name>.tune_buffer
##
## Value: on | off
## listener.ssl.external.tune_buffer = off
## The TCP_NODELAY flag for SSL connections.
##
## See: listener.tcp.<name>.nodelay
##
## Value: true | false
## listener.ssl.external.nodelay = true
## The SO_REUSEADDR flag for MQTT/SSL Listener.
##
## Value: true | false
listener.ssl.external.reuseaddr = true
##--------------------------------------------------------------------
## External WebSocket Listener for MQTT Protocol
## listener.ws.<name> is the IP address and port that the MQTT/WebSocket
## listener will bind.
##
## Value: IP:Port | Port
##
## Examples: 8083, 127.0.0.1:8083, ::1:8083
listener.ws.external = 8083
## The acceptor pool for external MQTT/WebSocket listener.
##
## Value: Number
listener.ws.external.acceptors = 4
## Maximum number of concurrent MQTT/WebSocket connections.
##
## Value: Number
listener.ws.external.max_clients = 102400
## TODO: Zone of the external MQTT/WebSocket listener belonged to.
##
## Value: String
## listener.ws.external.zone = external
## Mountpoint of the MQTT/WebSocket Listener.
##
## See: listener.tcp.<name>.mountpoint
##
## Value: String
## listener.ws.external.mountpoint = external/
## The access control for the MQTT/WebSocket listener.
##
## See: listener.tcp.<name>.access
##
## Value: ACL Rule
listener.ws.external.access.1 = allow all
## Use X-Forwarded-For header for real source IP if the EMQ cluster is
## deployed behind NGINX or HAProxy.
##
## Value: String
## listener.ws.external.proxy_address_header = X-Forwarded-For
## Use X-Forwarded-Port header for real source port if the EMQ cluster is
## deployed behind NGINX or HAProxy.
##
## Value: String
## listener.ws.external.proxy_port_header = X-Forwarded-Port
## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind
## HAProxy or Nginx.
##
## See: listener.tcp.<name>.proxy_protocol
##
## Value: on | off
## listener.ws.external.proxy_protocol = on
## Sets the timeout for proxy protocol.
##
## See: listener.tcp.<name>.proxy_protocol_timeout
##
## Value: Duration
## listener.ws.external.proxy_protocol_timeout = 3s
## The TCP backlog of external MQTT/WebSocket Listener.
##
## See: listener.tcp.<name>.backlog
##
## Value: Number >= 0
listener.ws.external.backlog = 1024
## The TCP send timeout for external MQTT/WebSocket connections.
##
## See: listener.tcp.<name>.send_timeout
##
## Value: Duration
listener.ws.external.send_timeout = 15s
## Close the MQTT/WebSocket connection if send timeout.
##
## See: listener.tcp.<name>.send_timeout_close
##
## Value: on | off
listener.ws.external.send_timeout_close = on
## The TCP receive buffer(os kernel) for external MQTT/WebSocket connections.
##
## See: listener.tcp.<name>.recbuf
##
## Value: Bytes
## listener.ws.external.recbuf = 4KB
## The TCP send buffer(os kernel) for external MQTT/WebSocket connections.
##
## See: listener.tcp.<name>.sndbuf
##
## Value: Bytes
## listener.ws.external.sndbuf = 4KB
## The size of the user-level software buffer used by the driver.
##
## See: listener.tcp.<name>.buffer
##
## Value: Bytes
## listener.ws.external.buffer = 4KB
## Sets the 'buffer = max(sndbuf, recbuf)' if this option is enabled.
##
## See: listener.tcp.<name>.tune_buffer
##
## Value: on | off
## listener.ws.external.tune_buffer = off
## The TCP_NODELAY flag for external MQTT/WebSocket connections.
##
## See: listener.tcp.<name>.nodelay
##
## Value: true | false
listener.ws.external.nodelay = true
## The SO_REUSEADDR flag for MQTT/WebSocket Listener.
##
## Value: true | false
listener.ws.external.reuseaddr = true
##--------------------------------------------------------------------
## External WebSocket/SSL listener for MQTT Protocol
## listener.wss.<name> is the IP address and port that the MQTT/WebSocket/SSL
## listener will bind.
##
## Value: IP:Port | Port
##
## Examples: 8084, 127.0.0.1:8084, ::1:8084
listener.wss.external = 8084
## The acceptor pool for external MQTT/WebSocket/SSL listener.
##
## Value: Number
listener.wss.external.acceptors = 4
## Maximum number of concurrent MQTT/Webwocket/SSL connections.
##
## Value: Number
listener.wss.external.max_clients = 64
## TODO: Zone of the external MQTT/WebSocket/SSL listener belonged to.
##
## Value: String
## listener.wss.external.zone = external
## Mountpoint of the MQTT/WebSocket/SSL Listener.
##
## See: listener.tcp.<name>.mountpoint
##
## Value: String
## listener.wss.external.mountpoint = inbound/
## The access control rules for the MQTT/WebSocket/SSL listener.
##
## See: listener.tcp.<name>.access.<no>
##
## Value: ACL Rule
listener.wss.external.access.1 = allow all
## See: listener.ws.external.proxy_address_header
##
## Value: String
## listener.wss.external.proxy_address_header = X-Forwarded-For
## See: listener.ws.external.proxy_port_header
##
## Value: String
## listener.wss.external.proxy_port_header = X-Forwarded-Port
## Enable the Proxy Protocol V1/2 support.
##
## See: listener.tcp.<name>.proxy_protocol
##
## Value: on | off
## listener.wss.external.proxy_protocol = on
## Sets the timeout for proxy protocol.
##
## See: listener.tcp.<name>.proxy_protocol_timeout
##
## Value: Duration
## listener.wss.external.proxy_protocol_timeout = 3s
## TLS versions only to protect from POODLE attack.
##
## See: listener.ssl.<name>.tls_versions
##
## Value: String, seperated by ','
## listener.wss.external.tls_versions = tlsv1.2,tlsv1.1,tlsv1
## TLS Handshake timeout.
##
## See: listener.ssl.<name>.handshake_timeout
##
## Value: Duration
listener.wss.external.handshake_timeout = 15s
## Path to the file containing the user's private PEM-encoded key.
##
## See: listener.ssl.<name>.keyfile
##
## Value: File
listener.wss.external.keyfile = /etc/emqttd/certs/key.pem
## Path to a file containing the user certificate.
##
## See: listener.ssl.<name>.certfile
##
## Value: File
listener.wss.external.certfile = /etc/emqttd/certs/cert.pem
## Path to the file containing PEM-encoded CA certificates.
##
## See: listener.ssl.<name>.cacert
##
## Value: File
## listener.wss.external.cacertfile = /etc/emqttd/certs/cacert.pem
## See: listener.ssl.<name>.dhfile
##
## Value: File
## listener.ssl.external.dhfile = /etc/emqttd/certs/dh-params.pem
## See: listener.ssl.<name>.vefify
##
## Value: vefify_peer | verify_none
## listener.wss.external.verify = verify_peer
## See: listener.ssl.<name>.fail_if_no_peer_cert
##
## Value: false | true
## listener.wss.external.fail_if_no_peer_cert = true
## See: listener.ssl.<name>.ciphers
##
## Value: Ciphers
## listener.wss.external.ciphers =
## See: listener.ssl.<name>.secure_renegotiate
##
## Value: on | off
## listener.wss.external.secure_renegotiate = off
## See: listener.ssl.<name>.reuse_sessions
##
## Value: on | off
## listener.wss.external.reuse_sessions = on
## See: listener.ssl.<name>.honor_cipher_order
##
## Value: on | off
## listener.wss.external.honor_cipher_order = on
## See: listener.ssl.<name>.peer_cert_as_username
##
## Value: cn | dn
## listener.wss.external.peer_cert_as_username = cn
## TCP backlog for the WebSocket/SSL connection.
##
## See listener.tcp.<name>.backlog
##
## Value: Number >= 0
listener.wss.external.backlog = 1024
## The TCP send timeout for the WebSocket/SSL connection.
##
## See: listener.tcp.<name>.send_timeout
##
## Value: Duration
listener.wss.external.send_timeout = 15s
## Close the WebSocket/SSL connection if send timeout.
##
## See: listener.tcp.<name>.send_timeout_close
##
## Value: on | off
listener.wss.external.send_timeout_close = on
## The TCP receive buffer(os kernel) for the WebSocket/SSL connections.
##
## See: listener.tcp.<name>.recbuf
##
## Value: Bytes
## listener.wss.external.recbuf = 4KB
## The TCP send buffer(os kernel) for the WebSocket/SSL connections.
##
## See: listener.tcp.<name>.sndbuf
##
## Value: Bytes
## listener.wss.external.sndbuf = 4KB
## The size of the user-level software buffer used by the driver.
##
## See: listener.tcp.<name>.buffer
##
## Value: Bytes
## listener.wss.external.buffer = 4KB
## The TCP_NODELAY flag for WebSocket/SSL connections.
##
## See: listener.tcp.<name>.nodelay
##
## Value: true | false
## listener.wss.external.nodelay = true
## The SO_REUSEADDR flag for WebSocket/SSL listener.
##
## Value: true | false
listener.wss.external.reuseaddr = true
##--------------------------------------------------------------------
## HTTP Management API Listener
## The IP Address and Port that the EMQ HTTP API will bind.
##
## Value: IP:Port | Port
##
## Default: 0.0.0.0:8080
listener.api.mgmt = 0.0.0.0:8090
## The TCP Acceptor pool size.
##
## Value: Number
listener.api.mgmt.acceptors = 4
## Maximum concurrent HTTP clients allowed.
##
## Value: Number
listener.api.mgmt.max_clients = 64
## The access control rules for the listener.
##
## See: https://github.com/emqtt/esockd#allowdeny
##
## Value: ACL Rule
listener.api.mgmt.access.1 = allow all
## The TCP backlog for HTTP API.
##
## Value: Number >= 0
listener.api.mgmt.backlog = 512
## The TCP send timeout for HTTP API.
##
## Value: Duration
listener.api.mgmt.send_timeout = 15s
## Close the TCP connection if send timeout.
##
## Value: on | off
listener.api.mgmt.send_timeout_close = on
##-------------------------------------------------------------------
## System Monitor
##-------------------------------------------------------------------
## Enable Long GC monitoring.
## Notice: don't enable the monitor in production for:
## https://github.com/erlang/otp/blob/feb45017da36be78d4c5784d758ede619fa7bfd3/erts/emulator/beam/erl_gc.c#L421
##
## Value: true | false
sysmon.long_gc = false
## Enable Long Schedule(ms) monitoring.
##
## See: http://erlang.org/doc/man/erlang.html#system_monitor-2
##
## Value: Number
sysmon.long_schedule = 240
## Enable Large Heap monitoring.
##
## See: http://erlang.org/doc/man/erlang.html#system_monitor-2
##
## Value: bytes
##
## Default: 8M words. 32MB on 32-bit VM, 64MB on 64-bit VM.
sysmon.large_heap = 8MB
## Enable Busy Port monitoring.
##
## See: http://erlang.org/doc/man/erlang.html#system_monitor-2
##
## Value: true | false
sysmon.busy_port = false
## Enable Busy Dist Port monitoring.
##
## See: http://erlang.org/doc/man/erlang.html#system_monitor-2
##
## Value: true | false
sysmon.busy_dist_port = true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment