# Configuration

# cluster

# cluster.name

TypeDefault
stringemqxcl
# Description

Cluster name.

# cluster.proto_dist

TypeOptional ValueDefault
enuminet_tcp, inet6_tcp, inet_tlsinet_tcp
# Description

Distributed Erlang cluster protocol type. Available values are:

  • inet_tcp: using IPv4
  • inet6_tcp: using IPv6
  • inet_tls: using TLS, required to be used with node.ssl_dist_optfile configuration

# cluster.discovery

TypeOptional ValueDefault
enummanual, static, mcast, dns, etcd, k8smanual
# Description

Cluster node discovery method. Available values are:

  • manual: join the cluster manually
  • static: Configure static nodes. Configure several fixed nodes, and the new node joins the cluster by connecting one of the fixed nodes.
  • mcast: Use UDP multicast to discover nodes.
  • dns: Use DNS A records to discover nodes.
  • etcd: Use etcd to discover nodes.
  • k8s: Use Kubernetes to discover nodes.

# cluster.autoheal

TypeOptional ValueDefault
enumon, offon
# Description

Enable or disable the automatic recovery mechanism of cluster brain splitting.

# cluster.autoclean

TypeDefault
duration5m
# Description

Specify how long to delete short-line nodes from the cluster.

# cluster.static.seeds

TypeDefaultExample
string-emqx1@192.168.0.100,emqx2@192.168.0.101
# Description

When using static clustering, specify a fixed list of nodes, separated by commas , between multiple nodes.

# cluster.mcast.addr

TypeDefault
ipaddr239.192.0.1
# Description

When using the mcast cluster, specify the multicast address.

# cluster.mcast.ports

TypeDefault
string4369
# Description

When using the mcast cluster, specify the multicast port. If there are multiple ports, separate them with commas ,.

# cluster.mcast.iface

TypeDefault
ipaddr0.0.0.0
# Description

When using mcast cluster, specify which local IP address the node discovery service needs to bind to.

# cluster.mcast.ttl

TypeDefault
integer255
# Description

When using mcast cluster, specify the Time-To-Live value of multicast.

# cluster.mcast.loop

TypeOptional ValueDefault
enumon, offon
# Description

When using mcast clustering, set whether multicast packets are delivered to the local loopback address.

# cluster.dns.name

TypeDefaultExample
string-mycluster.com
# Description

When using the dns cluster, specify the name of the DNS A record. emqx will access the DNS A record to obtain a list of IP addresses, and then splice the APP name specified in cluster.dns.app to get a list of all nodes in the cluster.

# Example

Set cluster.dns.app = emqx, and configure a DNS: mycluster.com, which points to 3 IP addresses:

192.168.0.100
192.168.0.101
192.168.0.102

Then get the list of cluster nodes as follows:

emqx@192.168.0.100
emqx@192.168.0.101
emqx@192.168.0.102

# cluster.dns.app

TypeDefaultExample
string-emqx
# Description

When using dns cluster, it is used to splice the IP list obtained from cluster.dns.name to get a list of node names.

# cluster.etcd.server

TypeDefaultExample
string-http://127.0.0.1:2379
# Description

When using etcd cluster, specify the address of etcd service. If there are multiple services, use commas to separate them.

# cluster.etcd.prefix

TypeDefaultExample
string-emqxcl
# Description

When using etcd cluster, specify the prefix of etcd path. Each node creates a path in etcd:

v2/keys/<prefix>/<cluster.name>/<node.name>

# cluster.etcd.node_ttl

TypeDefaultExample
duration-1m
# Description

When using etcd cluster, specify the expiration time of the node path in etcd.

# cluster.etcd.ssl.keyfile

TypeDefaultExample
string-etc/certs/client-key.pem
# Description

When using SSL to connect to etcd, specify the client's private key file.

# cluster.etcd.ssl.certfile

TypeDefaultExample
string-etc/certs/client.pem
# Description

When using SSL to connect to etcd, specify the SSL client certificate file.

# cluster.etcd.ssl.cacertfile

TypeDefaultExample
string-etc/certs/ca.pem
# Description

When using SSL to connect to etcd, specify the CA certificate file for SSL.

# cluster.k8s.apiserver

TypeDefaultExample
string-http://10.110.111.204:8080
# Description

When using the k8s cluster, specify the Kubernetes API Server. If there are multiple Servers, separate them with commas ,.

# cluster.k8s.service_name

TypeDefaultExample
string-emqx
# Description

When using k8s cluster, specify the service name of EMQ X Broker in Kubernetes.

# cluster.k8s.address_type

TypeOptional ValueDefault
enumip, dns, hostnameip
# Description

When using k8s cluster, address_type is used to obtain the host list from the response of the Kubernetes interface.

# Example

Specifying cluster.k8s.address_type as ip, it will get the list of IP addresses of emqx services from the Kubernetes interface:

172.16.122.31
172.16.122.32
172.16.122.33

Then splice with the app name specified by cluster.k8s.app_name configuration to get a list of emqx nodes:

emqx@172.16.122.31
emqx@172.16.122.32
emqx@172.16.122.33

# cluster.k8s.app_name

TypeDefaultExample
string-emqx
# Description

When using k8s clustering, app_name is used to splice with the obtained Host list to get the node list.

# cluster.k8s.suffix

TypeDefaultExample
string-pod.cluster.local
# Description

When using the k8s method and specifying cluster.k8s.address_type as the dns type, you can set the suffix of the emqx node name, and splice with cluster.k8s.namespace to get a list of node names.

# cluster.k8s.namespace

TypeDefaultExample
string-default
# Description

When using the k8s method and specifying cluster.k8s.address_type as the dns type, you can set the namespace of the emqx node name, and splice with cluster.k8s.suffix to get a list of node names.

# Example

Setting cluster.k8s.address_type to dns, you will get the dns list of emqx service from the Kubernetes interface:

172-16-122-31
172-16-122-32
172-16-122-33

Then splice with cluster.k8s.app_name = emqxcluster.k8s.suffix = pod.cluster.localcluster.k8s.namespace = default to get a list of emqx node names in the form of dns:

emqx@172-16-122-31.default.pod.cluster.local
emqx@172-16-122-32.default.pod.cluster.local
emqx@172-16-122-33.default.pod.cluster.local

# node.name

TypeDefault
stringemqx@127.0.0.1
# Description

The node name. The format is <name> @ <host>. Where <host> can be an IP address or FQDN. See http://erlang.org/doc/reference_manual/distributed.html (opens new window) for details

TypeDefault
stringemqxsecretcookie
# Description

The cookie value used by the distributed Erlang cluster.

# node.data_dir

TypeDefault
folder./data
# Description

The node's data directory, which is used to store Mnesia data files.

# node.heartbeat

TypeOptional ValueDefault
enumon, offoff
# Description

System tuning parameters. This configuration will override the -heart parameter in the vm.args file.

Enable or disable Erlang runtime detection mechanism, and restart automatically when the runtime terminates. Use with care to avoid restarting the monitored process when emqx is closed manually.

# node.async_threads

TypeOptional ValueDefault
integer0 - 10244
# Description

System tuning parameters. This configuration will override the +A parameter in the vm.args file.

Set the number of threads in the asynchronous thread pool in Erlang runtime, see http://erlang.org/doc/man/erl.html (opens new window) for details.

# node.process_limit

TypeOptional ValueDefault
integer1024 - 1342177272097152
# Description

System tuning parameters. This configuration will override the +P parameter in the vm.args file.

Set the maximum number of processes allowed by Erlang, which will affect the number of connections that emqx nodes can process. See http://erlang.org/doc/man/erl.html (opens new window) for details.

# node.max_ports

TypeOptional ValueDefault
integer1024 - 1342177271048576
# Description

System tuning parameters. This configuration will override the +Q parameter in the vm.args file.

Set the maximum number of ports allowed by Erlang. See http://erlang.org/doc/man/erl.html (opens new window) for details.

# node.dist_buffer_size

TypeOptional ValueDefault
bytesize1KB - 2GB8MB
# Description

System tuning parameters. This configuration will override the +zdbbl parameter in the vm.args file.

Set the maximum cache size used by Erlang distributed communication. See http://erlang.org/doc/man/erl.html (opens new window) for details.

# node.max_ets_tables

TypeDefault
integer262144
# Description

System tuning parameters. This configuration will override the +e parameter in the vm.args file.

Set the maximum number of ETS tables allowed in Erlang runtime. See http://erlang.org/doc/man/erl.html (opens new window) for details.

# node.global_gc_interval

TypeDefault
duration15m
# Description

System tuning parameters, which set how often Erlang runs to force a global garbage collection.

# node.fullsweep_after

TypeOptional ValueDefault
integer0 - 655351000
# Description

System tuning parameters. This configuration will override the -env ERL_FULLSWEEP_AFTER parameter in the vm.args file.

Set how many times the generational GC will run before Erlang runs a fullsweep GC. For details, see http://erlang.org/doc/man/erlang.html#spawn_opt-4 (opens new window).

# node.crash_dump

TypeDefault
stringlog/crash.dump
# Description

Set the storage path and file name of the Erlang crash_dump file.

# node.ssl_dist_optfile

TypeDefault
stringetc/ssl_dist.conf
# Description

This configuration will override the -ssl_dist_optfile parameter in the vm.args file.

If you use SSL to establish an emqx cluster, you need to specify the SSL distributed protocol configuration file. It needs to be used with cluster.proto_dist = inet_tls.

# node.dist_net_ticktime

TypeDefault
integer120
# Description

System tuning parameters. This configuration will override the -kernel net_ticktime parameter in the vm.args file.

Specifying how long time when a node has been unresponsive, it is considered to be down and disconnected. For details, see http://www.erlang.org/doc/man/kernel_app.html#net_ticktime (opens new window).

# node.dist_listen_min

TypeOptional ValueDefault
integer1024 - 655356369
# Description

Set a TCP port range together with node.dist_listen_max. This port ranget is used for distribution to distributed Erlang as a listening port for distributed channels. Note that if a firewall is set between nodes, this port range needs to be placed into the firewall's whitelist.

# node.dist_listen_max

TypeOptional ValueDefault
integer1024 - 655356369
# Description

Set a TCP port range together with node.dist_listen_min. This port range is used for distribution to distributed Erlang as a listening port for distributed channels. Note that if a firewall is set up between nodes, this port rangeneeds to be put in The firewall's whitelist.

# rpc.mode

TypeOptional ValueDefault
enumsync, asyncasync
# Description

RPC mode. Synchronous or asynchronous mode is optional.

# rpc.async_batch_size

TypeDefault
integer256
# Description

The maximum number of batch messages sent in asynchronous mode. Note that this configuration does not work in synchronous mode.

# node.tcp_server_port

TypeOptional ValueDefault
integer1024 - 655355369
# Description

Set the listening port used by RPC local service

# node.tcp_client_port

TypeOptional ValueDefault
integer1024-655355369
# Description

Set the port of the remote RPC service.

# node.tcp_client_num

TypeOptional ValueDefault
integer1 - 256CPU core number / 2
# Description

Set the number of RPC communication channels initiated by this node to each remote node. Set to 1 to ensure the order of messages. Keep the default value (half the number of CPU cores) to improve RPC throughput.

# rpc.connect_timeout

TypeDefault
duration5s
# Description

Timeout for establishing an RPC connection. It means how long will it give up after trying if the remote node does not respond when establishing a connection, .

# rpc.send_timeout

TypeDefault
duration5s
# Description

Timeout for sending, which means how long to give up after sending the message.

# rpc.authentication_timeout

TypeDefault
duration5s
# Description

RPC authentication timeout. It means how long it will give up if the remote node does not respond, .

# rpc.call_receive_timeout

TypeDefault
duration15s
# Description

The timeout period of RPC synchronous mode. It means how long it will take before giving up if the RPC synchronous call fails to receive a reply.

# rpc.socket_keepalive_idle

TypeDefault
duration900s
# Description

It means how long after the last packet was sent, keepalive probe packets are sent.

# rpc.socket_keepalive_interval

TypeDefault
duration75s
# Description

The interval between keepalive detection messages.

# rpc.socket_keepalive_count

TypeDefault
integer9
# Description

For how many times if the keepalive probe message fails to receive a reply, the RPC connection is considered lost.

# rpc.socket_sndbuf

TypeDefault
bytesize1MB
# Description

TCP tuning parameters. TCP sending buffer size.

# rpc.socket_recbuf

TypeDefault
bytesize1MB
# Description

TCP tuning parameters. TCP receiving buffer size.

# rpc.socket_buffer

TypeDefault
bytesize1MB
# Description

TCP tuning parameters. Socket buffer size in user mode.

# log.to

TypeOptional ValueDefault
enumoff, file, console, bothboth
# Description

Where to output the log. The optional values are:

  • off: Disable logging completely
  • file: Only output log to file
  • console: Only output logs to standard output (emqx console)
  • both: output log to file and standard output at the same time (emqx console)

# log.level

TypeOptional ValueDefault
enumdebug, info, notice, warning
error, critical, alert, emergency
warning
# Description

Global log level. This includes the primary log level and all log handlers. For details, see log level and log handlers.

# log.dir

TypeDefault
dir./log
# Description

Log file directory.

# log.file

TypeDefault
stringemqx.log
# Description

The prefix of the log file. For example, if you use the default value (log.file = emqx.log), the log file name will be emqx.log.1, emqx.log.2, ...

# log.chars_limit

TypeDefault
integer-1
# Description

Set the maximum length of a single log message. If this length is exceeded, the log message will be truncated. -1 means no limit.

# log.rotation.size

TypeDefault
bytesize10MB
# Description

Set the size of a single log file. If it exceeds this size, the log file will be rolled to create a new log file.

# log.rotation.count

TypeDefault
integer5
# Description

Set the total number of log files. If this number is exceeded, the next log file will overwrite the first file.

# log..file

TypeDefault
string-
# Description

Set a separate log file for a certain log level.

# Example

Separately output info and above logs to info.log.N file:

log.info.file = info.log

Output error and error logs separately to the error.log.N file

log.error.file = error.log

# allow_anonymous

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Whether to allow anonymous users to log in to the system.

Tip

It is recommended to disable this option in the production environment.

# acl_nomatch

TypeOptional ValueDefault
enumallow, denyallow
# Description

When the ACL is not hit, allow or deny the publish/subscribe operation.

# acl_file

TypeDefault
stringetc/acl.conf
# Description

The default path of ACL file.

# enable_acl_cache

TypeOptional ValueDefault
enumon, offon
# Description

Whether to enable ACL caching.

# acl_cache_max_size

TypeDefault
integer32
# Description

Maximum cache number of ACL rule.

# acl_cache_ttl

TypeDefault
duration1m
# Description

Maximum cache time of ACL rule.

# acl_deny_action

TypeOptional ValueDefault
enumignore, disconnectignore
# Description

What to do after the ACL check fails.

  • ignore:No operation
  • disconnect:disconnect.

# flapping_detect_policy

TypeDefault
string30, 1m, 5m
# Description

Specify the Flapping inspection strategy.

Format:,,`.

For example, 30, 1m, 5m, it means that if the client disconnects 30 times within 1 minute, then login is prohibited for the next 5 minutes

# mqtt.max_packet_size

TypeDefault
bytesize1MB
# Description

The maximum allowed length of MQTT messages.

# mqtt.max_clientid_len

TypeDefault
integer65535
# Description

The maximum allowed length of Client ID string.

# mqtt.max_topic_levels

TypeDefault
integer0
# Description

The maximum allowed level of topics for client subscription. 0 means no limit.

# mqtt.max_qos_allowed

TypeOptional ValueDefault
enum0, 1, 22
# Description

The maximum allowed QoS level for client to publish.

# mqtt.max_topic_alias

TypeDefault
integer65535
# Description

The maximum allowed number of topic aliases. 0 means that topic aliases are not supported.

# mqtt.retain_available

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Whether to support Retain message.

# mqtt.wildcard_subscription

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Whether to support subscribing to wildcard topics.

# mqtt.shared_subscription

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Whether to support shared subscriptions.

# mqtt.ignore_loop_deliver

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to ignore the message sent by itself. If it is ignored, it means that EMQ X Broker will not deliver this message to the sender of the message.

# mqtt.strict_mode

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to enable the strict check mode. The strict check mode will check the correctness of the MQTT message in more detail.

# zone.external.idle_timeout

TypeDefault
duration15s
# Description

The daze time after the TCP connection is established. If no packets are received within this time, the connection will be shutdown.

# zone.external.enable_acl

TypeOptional ValueDefault
enumon, offon
# Description

Whether to enable ACL check.

# zone.external.enable_ban

TypeOptional ValueDefault
enumon, offon
# Description

Whether to enable blacklist.

# zone.external.enable_stats

TypeOptional ValueDefault
enumon, offon
# Description

Whether to enable client status statistics.

# zone.external.acl_deny_action

| Type | Optional Value | Default | | ---- | -------------------- - | -------- | | enum | ignore, disconnect | ignore |

# Description

What to do after the ACL check fails.

  • ignore:No any operation.
  • disconnect:disconnect.

# zone.external.force_gc_policy

TypeDefault
string16000|16MB
# Description

When a certain number of messages, or bytes, are received, a garbage collection is forced.

Format: <Number> | <Bytes>.

For example, 16000|16MB means that when 16000 messages are received, or a byte of 16MB flows in, a garbage collection is forced.

# zone.external.force_shutdown_policy

TypeDefault
string-
# Description

When the process message queue length, or the memory bytes reaches a certain value, the process is forced to close.

The "message queue" here refers to the "message mailbox" of the Erlang process, not the "mqueue" of QoS 1 and QoS 2.

Format: <Number> | <Bytes>.

For example, 32000|32MB means that when the process accumulates 32000 messages, or the process occupies memory up to 32MB, the process is closed.

# zone.external.max_packet_size

TypeDefault
bytesize-
# Description

The maximum allowed length of MQTT packet.

# zone.external.max_clientid_len

TypeDefault
integer-
# Description

The maximum length of Client ID string.

# zone.external.max_topic_levels

TypeDefault
integer-
# Description

The maximum allowed level of topics for client subscription. 0 means no limit.

# zone.external.max_qos_allowed

TypeOptional ValueDefault
enum0, 1, 2-
# Description

The maximum QoS level allowed for the client to publish.

# zone.external.max_topic_alias

TypeDefault
integer-
# Description

The maximum number of topic aliases. 0 means that topic aliases are not supported.

# zone.external.retain_available

TypeOptional ValueDefault
enumtrue, false-
# Description

Whether to support Retain message.

# zone.external.wildcard_subscription

TypeOptional ValueDefault
enumtrue, false-
# Description

Whether to support subscribing to wildcard topics.

# zone.external.shared_subscription

TypeOptional ValueDefault
enumtrue, false-
# Description

Whether to support shared subscriptions.

# zone.external.server_keepalive

TypeDefault
integer-
# Description

Keepalive time specified by the server, used for MQTT v5.0 CONNACK messages

# zone.external.keepalive_backoff

TypeOptional ValueDefault
float> 0.50.75
# Description

Keepalive backoff index. If no data packet is received from the client within the time of Keepalive * backoff * 2, it is considered that the client has heartbeat timeout.

# zone.external.max_subscriptions

TypeDefault
integer0
# Description

The maximum number of topics that a single client is allowed to subscribe to. 0 means no limit.

# zone.external.upgrade_qos

TypeOptional ValueDefault
enumon, offoff
# Description

Allow EMQ X Broker to force the QoS level of the message upgrading to the subscribed QoS level when publishing the message.

# zone.external.max_inflight

TypeDefault
integer32
# Description

Inflight window size: The inflight window is used to store unacknowledged QoS 1 and QoS 2 messages.

# zone.external.retry_interval

TypeDefault
duration30s
# Description

Message retransmission interval: EMQ X Broker checks whether message retransmission is required at each interval.

# zone.external.max_awaiting_rel

TypeDefault
integer100
# Description

The maximum receiving window for QoS 2 messages, which configures how many QoS 2 messages from the client can be processed by EMQ X Broker simultaneously. 0 means no limit.

# zone.external.await_rel_timeout

TypeDefault
duration300s
# Description

Time for QoS 2 message processing timeout. If the QoS PUBREL message has not been received after the timeout, the message is dropped from the receiving window.

# zone.external.session_expiry_interval

TypeDefault
duration2h
# Description

The default timeout period of the session, which is mainly used for MQTT v3.1 and v3.1.1 protocols. In MQTT v5.0, this value is usually carried in the client's connection message.

# zone.external.max_mqueue_len

TypeDefault
integer1000
# Description

The maximum length of the message queue. When the flight window is full, or the client is offline, the message will be stored in the queue. 0 means no limit.

# zone.external.mqueue_priorities

TypeOptional ValueDefault
stringnone, <Spec>none
# Description

Queue message priority configuration:

  • none:no prioritization.
  • <Spec>:A message priority table, which configures the priority of messages under a certain topic. For example:
    • topic/1=10: indicates that the message priority of the topic topic/1 is 10.
    • topic/1=10,topic/2=8: indicates that the priority of two topics is configured, which are 10 and 8 respectively.
    • Among them, the higher the priority value, the higher the priority level.

When the length of the message queue is limited, low priority messages will be dropped first.

# zone.external.mqueue_default_priority

TypeOptional ValueDefault
enumhighest, lowesthighest
# Description

The default priority level of the message.

# zone.external.mqueue_store_qos0

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Whether the message queue stores QoS 0 messages.

# zone.external.enable_flapping_detect

TypeOptional ValueDefault
enumon, offoff
# Description

Whether to enable Flapping check.

# zone.external.mountpoint

TypeDefault
string-
# Description

After topic mount point is configured, all subscribed and published topics will be prefixed by EMQ X Broker.

The available placeholders are:

  • %c:Client ID.
  • %u:Username.

For example, if the mount point is set to user/%c/. , when the client with client ID tom publishes the topic open message, the topic actually routed in EMQ X Broker is user/tom/open.

# zone.external.use_username_as_clientid

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to use the client's Username as its Client ID.

# zone.external.ignore_loop_deliver

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to ignore the message sent by yourself. If ignored, it means that EMQ X Broker will not deliver this message to the sender of the message.

# zone.external.strict_mode

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to enable the strict check mode. The strict check mode will check the correctness of the MQTT message in more detail.

# zone.internal.allow_anonymous

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Whether to allow anonymous users to log in to the system.

# zone.internal.enable_stats

TypeOptional ValueDefault
enumon, offon
# Description

Whether to enable client status statistics.

# zone.internal.enable_acl

TypeOptional ValueDefault
enumon, offoff
# Description

Whether to enable ACL check.

# zone.internal.acl_deny_action

TypeOptional ValueDefault
enumignore, disconnectignore
# Description

What to do after the ACL check fails.

  • ignore:No operation.
  • disconnect:Disconnect.

# zone.internal.force_gc_policy

TypeDefault
string-
# Description

When a certain number of messages, or bytes, are received, a garbage collection is forced.

Format: <Number> | <Bytes>.

For example, 16000|16MB means that when 16000 messages are received, or a byte of 16MB flows in, a garbage collection is forced.

# zone.internal.wildcard_subscription

TypeOptional ValueDefault
enumtrue, false-
# Description

Whether to support subscribing to wildcard topics.

# zone.internal.shared_subscription

TypeOptional ValueDefault
enumtrue, false-
# Description

Whether to support shared subscriptions.

# zone.internal.max_subscriptions

TypeDefault
integer0
# Description

The maximum number of topics that a single client is allowed to subscribe to. 0 means no limit.

# zone.internal.max_inflight

TypeDefault
integer128
# Description

Inflight window size: The flight window is used to store unanswered QoS 1 and QoS 2 messages.

# zone.internal.max_awaiting_rel

TypeDefault
integer1000
# Description

The maximum receiving window for QoS 2 messages, that configures how many QoS 2 messages from the client can be processed by EMQ X Broker simultaneously. 0 means no limit.

# zone.internal.max_mqueue_len

TypeDefault
integer10000
# Description

The maximum length of the message queue. When the flight window is full, or the client is offline, the message will be stored in the queue. 0 means no limit.

# zone.internal.mqueue_store_qos0

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Whether the message queue stores QoS 0 messages.

# zone.internal.enable_flapping_detect

TypeOptional ValueDefault
enumon, offoff
# Description

Whether to enable Flapping check.

# zone.internal.force_shutdown_policy

TypeDefault
string-
# Description

When the process message queue length, or the memory bytes reaches a certain value, the process is forced to close.

The "message queue" here refers to the "message mailbox" of the Erlang process, not the "mqueue" of QoS 1 and QoS 2.

Format: <Number> | <Bytes>.

For example, 32000|32MB means that when the process accumulates 32000 messages, or the process occupies memory up to 32MB, the process is closed.

# zone.internal.mountpoint

TypeDefault
string-
# Description

After topic mount point is configured, all subscribed and published topics will be prefixed by EMQ X Broker.

The available placeholders are:

  • %c:Client ID.
  • %u:Username.

For example, if the mount point is set to user/%c/. , when the client with client ID tom publishes the topic open message, the topic actually routed in EMQ X Broker is user/tom/open.

# zone.internal.ignore_loop_deliver

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to ignore the message sent by itself. If ignored, it means that EMQ X Broker will not deliver this message to the sender of the message.

# zone.internal.strict_mode

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to enable the strict check mode. The strict check mode will check the correctness of the MQTT message in more detail.

# zone.internal.bypass_auth_plugins

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Whether to allow clients under this zone to bypass the authentication step of the authentication plugin.

# listener.tcp.external

TypeDefault
string0.0.0.0:1883
# Description

Configure the listening address of the MQTT / TCP listener named external.

# Example

1883: monitors IPv4 0.0.0.0: 1883. 127.0.0.1: 1883: monitor address is 1883 port on the 127.0.0.1 network card. :: 1: 1883: monitors the IPv6 address as 1883 port on the :: 1 network card.

# listener.tcp.external.acceptors

TypeDefault
integer8
# Description

The size of the listener's receiving pool.

# listener.tcp.external.max_connections

TypeDefault
integer1024000
# Description

The maximum number of concurrent connections allowed by the listener.

# listener.tcp.external.max_conn_rate

TypeDefault
integer1000
# Description

The maximum access rate allowed by the listener. Unit: pcs / sec

# listener.tcp.external.active_n

TypeDefault
integer100
# Description

The number of times the listener continues to receive TCP packets.

# listener.tcp.external.zone

TypeDefault
stringexternal
# Description

The configuration zone to which the listener belongs.

# listener.tcp.external.rate_limit

TypeDefault
string-
# Description

The rate limit of the listener. The format is <limit>,<duration>.

# Example

100KB,10s:Limit the number of incoming bytes within 10 seconds not to exceed 100 KB.

# listener.tcp.external.access.1

TypeDefault
stringallow all
# Description

List of ACL rules of the listener. It is used to set the white/black list of the connection layer.

# Example

allow all:Allow all TCP connections. allow 192.168.0.0/24:Allow TCP connection with network address 192.168.0.0/24.

At the same time, this configuration can configure multiple rules:

listener.tcp.external.access.1 = deny 192.168.0.1
listener.tcp.external.access.2 = allow all

It means that all TCP connections except 192.168.0.1 are allowed.

# listener.tcp.external.proxy_protocol

TypeOptional ValueDefault
enumon, off-
# Description

Whether the listener enables Proxy Protocol support.

If the EMQ X cluster is deployed behind HAProxy or Nginx, and you need to get the client's real source IP address and port, you need to enable this configuration.

Proxy Protcol : https://www.haproxy.com/blog/haproxy/proxy-protocol (opens new window).

# listener.tcp.external.proxy_protocol_timeout

TypeDefault
duration-
# Description

Set the timeout for Proxy Protocol parsing. If no Proxy Protocol packet is received within this time, EMQ X Broker will close its connection.

# listener.tcp.external.backlog

TypeDefault
integer1024
# Description

The maximum length of the TCP connection queue. It indicates the maximum number of TCP connection queues that are allowed in the system to undergo three-time handshake.

# listener.tcp.external.send_timeout

TypeDefault
duration15s
# Description

Timeout for sending TCP packets.

# listener.tcp.external.send_timeout_close

TypeOptional ValueDefault
enumon, offon
# Description

Whether to close the connection after TCP packet sending timeout.

# listener.tcp.external.recbuf

TypeDefault
bytesize-
# Description

TCP receiving buffer size (operating system kernel parameter)

Reference: http://erlang.org/doc/man/inet.html

# listener.tcp.external.sndbuf

TypeDefault
bytesize-
# Description

TCP sending buffer size (operating system kernel parameter).

Reference:http://erlang.org/doc/man/inet.html (opens new window).

# listener.tcp.external.buffer

TypeDefault
bytesize-
# Description

TCP buffer size (user level).

This value is recommended to be greater than or equal to the maximum value of sndbuff and recbuff to avoid some performance problems. Without configuration, it equals to the maximum value of sndbuff and recbuff by default.

Reference: http://erlang.org/doc/man/inet.html (opens new window).

# listener.tcp.external.tune_buffer

TypeOptional ValueDefault
enumon, off-
# Description

If this configuration is enabled, please set the value equal to the maximum value of sndbuff and recbuff.

# listener.tcp.external.nodelay

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

This is the TCP_NODELAY parameter. Enabling this option allows small TCP data packets to be sent immediately.

# listener.tcp.external.reuseaddr

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

This is the SO_REUSEADDR parameter. Enabling this option allows the local port to be reused without waiting for the end of the TIME_WAIT state.

# listener.tcp.internal

TypeDefault
string127.0.0.1:11883
# Description

Configure the listening address of the MQTT / TCP listener named internal.

# Example

11883: listen to 0.0.0.0: 11883 of IPv4. 127.0.0.1:11883: listening address is11883 port on the 127.0.0.1 network card. :: 1: 11883: listen to the 11883 port on the :: 1 network card of IPv6 address.

# listener.tcp.internal.acceptors

TypeDefault
integer4
# Description

The size of the listener's receiving pool.

# listener.tcp.internal.max_connections

TypeDefault
integer1024000
# Description

The maximum number of concurrent connections allowed by the listener.

# listener.tcp.internal.max_conn_rate

TypeDefault
integer1000
# Description

The maximum access rate allowed by the listener. Unit: pcs / sec

# listener.tcp.internal.active_n

TypeDefault
integer1000
# Description

The number of times the listener continues to receive TCP packets.

# listener.tcp.internal.zone

TypeDefault
stringinternal
# Description

The configuration zone to which the listener belongs.

# listener.tcp.internal.rate_limit

TypeDefault
string-
# Description

The rate limit of the listener. The format is <limit>,<duration>.

# Example

100KB,10s:Limit the number of incoming bytes within 10 seconds no tot exceed 100 KB.

# listener.tcp.internal.backlog

TypeDefault
integer512
# Description

The maximum length of the TCP connection queue. It indicates the maximum number of TCP connection queues that are allowed in the system to undergo three-time handshake.

# listener.tcp.internal.send_timeout

TypeDefault
duration5s
# Description

Timeout for sending TCP packets.

# listener.tcp.internal.send_timeout_close

TypeOptional ValueDefault
enumon, offon
# Description

Whether to close the connection after TCP packet sending timeout.

# listener.tcp.internal.recbuf

TypeDefault
bytesize64KB
# Description

TCP receiving buffer size (operating system kernel parameter)

# listener.tcp.internal.sndbuf

TypeDefault
bytesize64KB
# Description

TCP sending buffer size (operating system kernel parameter)

# listener.tcp.internal.buffer

TypeDefault
bytesize-
# Description

TCP buffer size (user level).

# listener.tcp.internal.tune_buffer

TypeOptional ValueDefault
enumon, off-
# Description

If this configuration is enabled, please set the value equal to the maximum value of sndbuff and recbuff.

# listener.tcp.internal.nodelay

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

This is the TCP_NODELAY parameter. Enabling this option allows small TCP data packets to be sent immediately.

# listener.tcp.internal.reuseaddr

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

This is the SO_REUSEADDR parameter. Enabling this option allows the local port to be reused without waiting for the end of the TIME_WAIT state.

# listener.ssl.external

TypeDefault
string0.0.0.0:8883
# Description

Configure an SSL listener named external.

# listener.ssl.external.acceptors

TypeDefault
integer16
# Description

The size of the listener's receiving pool.

# listener.ssl.external.max_connections

TypeDefault
integer102400
# Description

The maximum number of concurrent connections allowed by the listener.

# listener.ssl.external.max_conn_rate

TypeDefault
integer500
# Description

The maximum access rate allowed by the listener. Unit: pcs / sec.

# listener.ssl.external.active_n

TypeDefault
integer100
# Description

The number of times the listener continues to receive TCP packets.

# listener.ssl.external.zone

TypeDefault
stringexternal
# Description

The configuration group to which the listener belongs.

# listener.ssl.external.access.1

TypeDefault
stringallow all
# Description

List of ACL rules of the listener. It is used to set the white/black list of the connection layer.

For example:

allow all:Allow all TCP connections. allow 192.168.0.0/24:Allow TCP connection with network address 192.168.0.0/24 to access.

At the same time, the configuration can configure multiple rules:

listener.ssl.external.access.1 = deny 192.168.0.1
listener.ssl.external.access.2 = allow all

# listener.ssl.external.rate_limit

TypeDefault
string-
# Description

Listener rate limit, with the format of <limit>,<duration>.

# listener.ssl.external.proxy_protocol

TypeOptional ValueDefault
enumon, off-
# Description

Whether the listener enables Proxy Protocol support.

If the EMQ X cluster is deployed behind HAProxy or Nginx, and it is required to get the client's real source IP address and port, you need to enable this configuration.

Proxy Protcol reference: https://www.haproxy.com/blog/haproxy/proxy-protocol (opens new window).

# listener.ssl.external.proxy_protocol_timeout

TypeDefault
duration-
# Description

Set the timeout for Proxy Protocol parsing. If no Proxy Protocol packet is received within this time, EMQ X Broker will close its connection.

# listener.ssl.external.tls_versions

TypeDefault
stringtlsv1.2,tlsv1.1,tlsv1
# Description

Specify the SSL version list supported by the server. For details, see http://erlang.org/doc/man/ssl.html (opens new window).

# listener.ssl.external.handshake_timeout

TypeDefault
duration15s
# Description

Specify the timeout period for the SSL handshake process.

# listener.ssl.external.keyfile

TypeDefault
stringetc/certs/key.pem
# Description

Specify SSL private key file (PEM).

# listener.ssl.external.certfile

TypeDefault
stringetc/certs/cert.pem
# Description

Specify SSL certificate file(PEM).

# listener.ssl.external.cacertfile

TypeDefault
stringetc/certs/cacert.pem
# Description

Specify the CA certificate file for SSL (PEM).

# listener.ssl.external.dhfile

TypeDefault
stringetc/certs/dh-params.pem
# Description

If using the Ephemeral Diffie-Hellman algorithm, specify the key file used by the algorithm.

# listener.ssl.external.verify

TypeOptional ValueDefault
enumverify_peer, verify_noneverify_peer
# Description

Specifies whether to verify the client during the handshake.

# listener.ssl.external.fail_if_no_peer_cert

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

If the client does not have a certificate during the SSL handshake, it determines whether to let the handshake fail.

# listener.ssl.external.ciphers

TypeDefault
stringECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
# Description

Specify the cipher suite supported by the server.

# listener.ssl.external.psk_ciphers

TypeDefault
stringPSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
# Description

If using the PSK algorithm, specify the PSK Cipher list supported by the server. Note that only one of 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' can be configured.

# listener.ssl.external.secure_renegotiate

TypeOptional ValueDefault
enumon, offoff
# Description

Specifies whether to reject renegotiation requests if the client does not follow RFC 5746

# listener.ssl.external.reuse_sessions

TypeOptional ValueDefault
enumon, offon
# Description

Specify whether to support SSL session reuse. For details, seehttp://erlang.org/doc/man/ssl.html (opens new window).

# listener.ssl.external.honor_cipher_order

TypeOptional ValueDefault
enumon, offon
# Description

Specify whether to use the server's preferences to select Ciphers.

# listener.ssl.external.peer_cert_as_username

TypeOptional ValueDefault
enumcn, dn, crtcn
# Description

Use the value of the CN, DN, or CRT field in the client certificate as the value of the Username field in the MQTT CONNECT packet. Note that listener.ssl.external.verify should be set to verify_peer.

# listener.ssl.external.backlog

TypeDefault
integer1024
# Description

The maximum length of the TCP connection queue. It indicates the maximum number of TCP connection queues that are allowed in the system to undergo three-time handshake.

# listener.ssl.external.send_timeout

TypeDefault
duration15s
# Description

Timeout for sending TCP packets.

# listener.ssl.external.send_timeout_close

TypeOptional ValueDefault
enumon, offon
# Description

Whether to close the connection after TCP packet sending timeout.

# listener.ssl.external.recbuf

TypeDefault
bytesize-
# Description

TCP receiving buffer size (operating system kernel level parameter).

Reference:http://erlang.org/doc/man/inet.html (opens new window).

# listener.ssl.external.sndbuf

TypeDefault
bytesize-
# Description

TCP sending buffer size (operating system kernel level parameter).

Reference:http://erlang.org/doc/man/inet.html (opens new window).

# listener.ssl.external.buffer

TypeDefault
bytesize-
# Description

CP buffer size (user level).

This value is recommended to be greater than or equal to the maximum value of sndbuff and recbuff to avoid some performance problems. Without configuration, it equals to the maximum value of sndbuff and recbuff by default.

Reference:http://erlang.org/doc/man/inet.html (opens new window).

# listener.ssl.external.tune_buffer

TypeOptional ValueDefault
enumon, off-
# Description

If this configuration is enabled, please set the value equal to the maximum value of sndbuff and recbuff.

# listener.ssl.external.nodelay

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

This is the TCP_NODELAY parameter. Enabling this option means that the Nagle algorithm is disabled and small packets will be sent immediately.

# listener.ssl.external.reuseaddr

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

This is the SO_REUSEADDR parameter. Enabling this option allows the local port to be reused without waiting for the end of the TIME_WAIT state.

# listener.ws.external

TypeDefault
string8083
# Description

Configure the listening address of the MQTT/WS listener named external.

# Example

8083: Listen s to 0.0.0.0: 8083 of IPv4. 127.0.0.1:8083: Listening address is 8083 port on the 127.0.0.1 network card. :: 1: 8083: Listen to the 8083 port on the network card :: 1 of IPv6 address.

# listener.ws.external.mqtt_path

TypeDefault
string/mqtt
# Description

WebSocket's MQTT protocol path. So the address of EMQ X Broker's WebSocket is: ws://<ip>:<port>/mqtt.

# listener.ws.external.acceptors

TypeDefault
integer4
# Description

The size of the listener's receiving pool.

# listener.ws.external.max_connections

TypeDefault
integer102400
# Description

The maximum number of concurrent connections allowed by the listener.

# listener.ws.external.max_conn_rate

TypeDefault
integer1000
# Description

The maximum access rate allowed by the listener. Unit: pcs/sec

# listener.ws.external.active_n

TypeDefault
integer100
# Description

The number of times the listener continues to receive TCP packets.

# listener.ws.external.rate_limit

TypeDefault
string100KB,10s
# Description

The rate limit of the listener. The format is <limit>,<duration>.

# Example

100KB,10s: Limit the number of incoming bytes within 10 seconds to not exceed 100 KB.

# listener.ws.external.zone

TypeDefault
stringexternal
# Description

The configuration zone to which the listener belongs.

# listener.ws.external.access.1

TypeDefault
stringallow all
# Description

List of ACL rules of the listener. It is used to set the white/black list of the connection layer.

# listener.ws.external.verify_protocol_header

TypeOptional ValueDefault
enumon, offon
# Description

Whether to verify that the HTTP header carried by WebSocket is correct. WeChat applet needs to disable this verification.

# listener.ws.external.proxy_address_header

TypeOptional ValueDefault
stringX-Forwarded-For-
# Description

If the EMQ X cluster is deployed behind HAProxy or Nginx, you can open the configuration to obtain the real IP address of the client.

# listener.ws.external.proxy_port_header

TypeOptional ValueDefault
stringX-Forwarded-Port-
# Description

If the EMQ X cluster is deployed behind HAProxy or Nginx, you can open the configuration to get the real port of the client.

# listener.ws.external.proxy_protocol

TypeOptional ValueDefault
enumon, off-
# Description

Whether the listener enables Proxy Protocol support.

If the EMQ X cluster is deployed behind HAProxy or Nginx, and you need to get the client's real source IP address and port, you need to open this configuration.

Proxy Protcol reference: https://www.haproxy.com/blog/haproxy/proxy-protocol (opens new window).

# listener.ws.external.proxy_protocol_timeout

TypeDefault
duration-
# Description

Set the timeout for Proxy Protocol parsing. If no Proxy Protocol packet is received within this time, EMQ X Broker will close its connection.

# listener.ws.external.backlog

TypeDefault
integer1024
# Description

The maximum length of the TCP connection queue. It indicates the maximum number of TCP connection queues that are allowed in the system to undergo three-time handshake.

# listener.ws.external.send_timeout

TypeDefault
duration15s
# Description

Timeout for sending TCP packets.

# listener.ws.external.send_timeout_close

TypeOptional ValueDefault
enumon, offon
# Description

Whether to close the connection after TCP packet sending timeout.

# listener.ws.external.recbuf

TypeDefault
bytesize-
# Description

TCP receiving buffer size (operating system kernel level parameter)

# listener.ws.external.sndbuf

TypeDefault
bytesize-
# Description

TCP sending buffer size (operating system kernel level parameter)

# listener.ws.external.buffer

TypeDefault
bytesize-
# Description

TCP buffer size (user level).

# listener.ws.external.tune_buffer

TypeOptional ValueDefault
enumon, off-
# Description

If this configuration is enabled, please set the value equal to the maximum value of sndbuff and recbuff.

# listener.ws.external.nodelay

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

This is the TCP_NODELAY parameter. Enabling this option allows small TCP data packets to be sent immediately.

# listener.ws.external.compress

TypeOptional ValueDefault
enumtrue, false-
# Description

Whether to compress WebSocket messages. The implementation of compression depends on zlib (opens new window).

The configuration items under defalte_opts belong to the compression-related parameter configuration, if not necessary, please do not modify it.

# listener.ws.external.deflate_opts.level

TypeOptional ValueDefault
enumnone, default, best_compression, best_speed-
# Description

compression level

# listener.ws.external.deflate_opts.mem_level

TypeOptional ValueDefault
integer1 - 9-
# Description

Compression parameters. It means memory usage limit level, and configure how much memory can be opened to participate in the compression process.

1: The least memory, but will reduce the compression rate. 9: The most memory, and will increase the calculation speed and compression rate.

If not configured, the default is 8.

# listener.ws.external.deflate_opts.strategy

TypeOptional ValueDefault
enumdefault, filtered, huffman_only, rle-
# Description

Compression strategy for tuning compression ratio:

  • default: for ordinary data.
  • filtered: data generated by filters or predictors, suitable for content with strong randomness.
  • huffman_only: Mandatory use of Huffman algorithm. Better than filtered.
  • rle: limit the matching distance to 1 (Run-Lenght Encoding), faster than huffman_only, but mainly used for PNG images.

These strategies only affect the compression ratio and will not have any impact on correctness.

# listener.ws.external.deflate_opts.server_context_takeover

TypeOptional ValueDefault
enumtakeover, no_takeover-
# Description

Whether to allow the server's compression context to be passed between frames.

# listener.ws.external.deflate_opts.client_context_takeover

TypeOptional ValueDefault
enumtakeover, no_takeover-
# Description

Whether to allow the client's compression context to be passed between frames.

# listener.ws.external.deflate_opts.server_max_window_bits

TypeOptional ValueDefault
integer8 - 15-
# Description

Maximum window value on the server side. Setting a larger value will result in better compression ratio, but will consume additional memory.

# listener.ws.external.deflate_opts.client_max_window_bits

TypeOptional ValueDefault
integer8 - 15-
# Description

Client maximum window value. Setting a larger value will result in better compression ratio, but will consume additional memory.

# listener.ws.external.idle_timeout

TypeDefault
duration-
# Description

The daze time after the TCP connection is established. If no packets are received within this time, the connection will be closed.

# listener.ws.external.max_frame_size

TypeDefault
integer-
# Description

The maximum allowed length of a single MQTT packet.

# listener.wss.external

TypeDefault
string0.0.0.0:8084
# Description

Configure a WSS (MQTT/WebSocket/SSL) listener named external.

# listener.wss.external.mqtt_path

TypeDefault
string/mqtt
# Description

WebSocket URL Path.

# listener.wss.external.acceptors

TypeDefault
integer4
# Description

The size of the listener's receiving pool.

# listener.wss.external.max_connections

TypeDefault
integer16
# Description

The maximum number of concurrent connections allowed by the listener.

# listener.wss.external.max_conn_rate

TypeDefault
integer1000
# Description

The maximum access rate allowed by the listener. Unit: pcs/sec.

# listener.wss.external.active_n

TypeDefault
integer100
# Description

The number of times the listener continues to receive TCP packets.

# listener.wss.external.rate_limit

TypeDefault
string-
# Description

The rate limit of the listener. The format is <limit>,<duration>.

# listener.wss.external.zone

TypeDefault
stringexternal
# Description

The configuration group to which the listener belongs.

# listener.wss.external.access.1

TypeDefault
stringallow all
# Description

List of ACL rules of the listener. It is used to set the white/black list of the connection layer.

E.g:

allow all: Allow all TCP connections. allow 192.168.0.0/24: Allow TCP connections with a network address of 192.168.0.0 / 24 to access.

At the same time, the configuration can configure multiple rules:

listener.wss.external.access.1 = deny 192.168.0.1
listener.wss.external.access.2 = allow all

# listener.wss.external.verify_protocol_header

TypeOptional ValueDefault
enumon, offon
# Description

Whether to verify that the HTTP header carried by WebSocket is correct. WeChat applet needs to disable this verification.

# listener.wss.external.proxy_address_header

TypeDefault
stringX-Forwarded-For
# Description

If the EMQ X cluster is deployed in HAProxy or Nginx, you can open the configuration to obtain the real IP address of the client.

# listener.wss.external.proxy_protocol

TypeOptional ValueDefault
enumon, off-
# Description

Whether the listener enables Proxy Protocol support.

If the EMQ X cluster is deployed behind HAProxy or Nginx, and you need to get the client's real source IP address and port, you need to open this configuration.

Proxy Protcol reference:https://www.haproxy.com/blog/haproxy/proxy-protocol (opens new window).

# listener.wss.external.proxy_protocol_timeout

TypeDefault
duration-
# Description

Set the timeout for Proxy Protocol parsing. If no Proxy Protocol packet is received within this time, EMQ X Broker will close its connection.

# listener.wss.external.tls_versions

TypeDefault
stringtlsv1.2,tlsv1.1,tlsv1
# Description

Specify the SSL version list supported by the server. For details, see http://erlang.org/doc/man/ssl.html (opens new window).

# listener.wss.external.keyfile

TypeDefault
stringetc/certs/key.pem
# Description

Specify SSL private key file (PEM).

# listener.wss.external.certfile

TypeDefault
stringetc/certs/cert.pem
# Description

Specify SSL certificate file(PEM).

# listener.wss.external.cacertfile

TypeDefault
stringetc/certs/cacert.pem
# Description

If using SSL, specify the CA certificate file for SSL (PEM).

# listener.wss.external.dhfile

TypeDefault
stringetc/certs/dh-params.pem
# Description

If using the Ephemeral Diffie-Hellman algorithm, specify the key file used by the algorithm.

# listener.wss.external.verify

TypeOptional ValueDefault
enumverify_peer, verify_noneverify_peer
# Description

Specifies whether to verify the client during the handshake.

# listener.wss.external.fail_if_no_peer_cert

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

If the client does not have a certificate during the SSL handshake, it determines whether to let the handshake fail.

# listener.wss.external.ciphers

TypeDefault
stringECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
# Description

Specifies the cipher suite supported by the server.

# listener.wss.external.psk_ciphers

TypeDefault
stringPSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
# Description

If using the PSK algorithm, specify the PSK Cipher list supported by the server. Note that only one of 'listener.wss.external.ciphers' and 'listener.wss.external.psk_ciphers' can be configured.

# listener.wss.external.secure_renegotiate

TypeOptional ValueDefault
enumon, offoff
# Description

Specifies whether to reject renegotiation requests if the client does not follow RFC 5746

# listener.wss.external.reuse_sessions

TypeOptional ValueDefault
enumon, offon
# Description

Specifies whether to support SSL session reuse. For details, see http://erlang.org/doc/man/ssl.html (opens new window).

# listener.wss.external.honor_cipher_order

TypeOptional ValueDefault
enumon, offon
# Description

Specify whether to use the server's preferences to select Ciphers.

# listener.wss.external.peer_cert_as_username

TypeOptional ValueDefault
enumcn, dn, crtcn
# Description

Use the value of the CN, DN, or CRT field in the client certificate as the value of the Username field in the MQTT CONNECT packet. Note that listener.wss.external.verify should be set to verify_peer.

# listener.wss.external.backlog

TypeDefault
integer1024
# Description

The maximum length of the TCP connection queue. It indicates the maximum number of TCP connection queues that are allowed in the system to undergo three-time handshake.

# listener.wss.external.send_timeout

TypeDefault
duration15s
# Description

Timeout for sending TCP packets.

# listener.wss.external.send_timeout_close

TypeOptional ValueDefault
enumon, offon
# Description

Whether to close the connection after TCP packet sending timeout.

# listener.wss.external.recbuf

TypeDefault
bytesize-
# Description

TCP receiving buffer size (operating system kernel level parameter)

Reference:http://erlang.org/doc/man/inet.html

# listener.wss.external.sndbuf

TypeDefault
bytesize-
# Description

TCP sending buffer size (operating system kernel level parameter)

Reference:http://erlang.org/doc/man/inet.html

# listener.wss.external.buffer

TypeDefault
bytesize-
# Description

TCP buffer size (user level).

This value is recommended to be greater than or equal to the maximum value of sndbuff and recbuff to avoid some performance problems. Without configuration, it equals to the maximum value of sndbuff and recbuff by default.

Reference:http://erlang.org/doc/man/inet.html

# listener.wss.external.tune_buffer

TypeOptional ValueDefault
enumon, off-
# Description

If you open this configuration, please set the value equal to the maximum value of sndbuff and recbuff.

# listener.wss.external.nodelay

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

This is the TCP_NODELAY parameter. Enabling this option allows small TCP data packets to be sent immediately.

# listener.wss.external.compress

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

If this option is set to true, Websocket messages will be compressed.

# listener.wss.external.deflate_opts.level

TypeOptional ValueDefault
enumnone, default, best_compression, best_speeddefault
# Description

Compression level.

# listener.wss.external.deflate_opts.mem_level

TypeOptional ValueDefault
integer1 - 9-
# Description

Compression parameters. It means memory usage limit level, configures how much memory can be opened to participate in the compression process.

1: The least memory, but will reduce the compression rate. 9: The most memory, and will increase the calculation speed and compression rate.

If not configured, the default is 8.

# listener.wss.external.deflate_opts.strategy

TypeOptional ValueDefault
enumdefault, filtered, huffman_only, rle-
# Description

Compression strategy for tuning compression ratio:

  • default: for ordinary data.
  • filtered: data generated by filters or predictors, suitable for content with strong randomness.
  • huffman_only: Mandatory use of Huffman algorithm. Better than filtered.
  • rle: limit the matching distance to 1 (Run-Lenght Encoding), faster than huffman_only, but mainly used for PNG images.

These strategies only affect the compression ratio and will not have any impact on correctness.

# listener.wss.external.deflate_opts.server_context_takeover

TypeOptional ValueDefault
enumtakeover, no_takeover-
# Description

Whether to allow the server's compression context to be passed between frames.

# listener.wss.external.deflate_opts.client_context_takeover

TypeOptional ValueDefault
enumtakeover, no_takeover-
# Description

Whether to allow the client's compression context to be passed between frames.

# listener.wss.external.deflate_opts.server_max_window_bits

TypeOptional ValueDefault
integer8 - 15-
# Description

Maximum window value on the server side. Setting a larger value will result in better compression ratio, but will consume additional memory.

# listener.wss.external.deflate_opts.client_max_window_bits

TypeOptional ValueDefault
integer8 - 15-
# Description

Client maximum window value. Setting a larger value will result in better compression ratio, but will consume additional memory.

# listener.wss.external.idle_timeout

TypeDefault
duration-
# Description

The daze time after the TCP connection is established. If no packets are received within this time, the connection will be closed.

# listener.wss.external.max_frame_size

TypeDefault
integer-
# Description

The maximum length of a single MQTT packet.

# plugins.etc_dir

TypeDefault
stringetc/plugins
# Description

The configuration directory of the plugin.

# plugins.loaded_file

TypeDefault
stringetc/loaded_plugins
# Description

The configuration file path of the plugin startup list.

# plugins.expand_plugins_dir

TypeDefault
stringplugins/
# Description

External plugin storage directory.

# broker.sys_interval

TypeDefault
duration1m
# Description

Set the system topic ($SYS) message release interval.

# broker.sys_heartbeat

TypeDefault
duration30s
# Description

Set the system heartbeat message release interval. The system heartbeat message includes the following two topics:

  • "$SYS/brokers//uptime"
  • "$SYS/brokers//datetime"

# broker.enable_session_registry

TypeOptional ValueDefault
enumon, offon
# Description

Enable or disable global session registration.

# broker.session_locking_strategy

TypeOptional ValueDefault
enumlocal, one, quorum, allquorum
# Description

Set the type of session cluster lock. The session cluster lock is used to prevent the same client from creating multiple sessions on multiple different nodes, which is common when clients frequently switch between nodes for logging.

# broker.shared_subscription_strategy

TypeOptional ValueDefault
enumrandom, round_robin, sticky, hashrandom
# Description

Set a distribution strategy for shared subscriptions. Optional values are:

  • random: Choose randomly among all subscribers
  • round_robin: According to the order of subscription
  • sticky: Always sent to the last selected subscriber
  • hash: According to the hash value of the publisher ClientID

# broker.shared_dispatch_ack_enabled

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Enable or disable the ACK check function for qos1/qos2 messages in shared subscriptions. After enabling, if it is delivered to a subscriber but fails to receive the ACK, it will try to deliver to the next subscriber in the subscription group.

# broker.route_batch_clean

TypeOptional ValueDefault
enumon, offoff
# Description

Enable or disable batch cleanup routing information. Batch cleanup routing can be used in a short period of time when a large number of clients go offline to improve cleanup efficiency.

# sysmon.long_gc

TypeDefault
duration0ms
# Description

Enable garbage collection time monitoring and trigger an alarm when the collection time exceeds the set value, 0 means disabling this monitoring.

# sysmon.long_schedule

TypeDefault
duration240ms
# Description

Enable process scheduling time monitoring and trigger an alarm when the scheduling time exceeds the set value, 0 means disabling this monitoring.

# sysmon.large_heap

TypeDefault
bytesize8MB
# Description

Enable stack size monitoring and trigger an alarm when the stack size is still greater than the set value after the process performs garbage collection. 0 means disabling this monitoring.

# sysmon.busy_port

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Specifies whether to enable inter-process message channel busy monitoring.

# sysmon.busy_dist_port

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Specifies whether to enable cluster RPC channel busy monitoring.

# os_mon.cpu_check_interval

TypeDefault
duration60s
# Description

CPU usage rate check cycle.

# os_mon.cpu_high_watermark

TypeDefault
percent80%
# Description

An alarm will be triggered when the CPU usage exceeds os_mon.cpu_high_watermark.

# os_mon.cpu_low_watermark

TypeDefault
percent60%
# Description

The alarm will be cleared when the CPU usage drops back below os_mon.cpu_low_watermark .

# os_mon.mem_check_interval

TypeDefault
duration60s
# Description

Memory usage check cycle.

# os_mon.sysmem_high_watermark

TypeDefault
percent70%
# Description

When the memory allocated by EMQ X Broker for all processes as a percentage of system memory exceeds os_mon.procmem_high_watermark, an alarm will be triggered.

# os_mon.procmem_high_watermark

TypeDefault
percent5%
# Description

When the memory allocated by EMQ X Broker for a single process as a percentage of system memory exceeds os_mon.procmem_high_watermark, an alarm will be triggered.

# vm_mon.check_interval

TypeDefault
duration30s
# Description

Check interval for process number.

# vm_mon.process_high_watermark

TypeDefault
percent80%
# Description

When the current process number as a percentage of the maximum process number exceeds vm_mon.process_high_watermark, an alarm will be triggered. The maximum process number is determined by the node.process_limit configuration item.

# vm_mon.process_low_watermark

TypeDefault
percent60%
# Description

When the percentage of the current number of processes in the maximum number of processes falls below vm_mon.process_low_watermark, an alarm will be triggered. The maximum number of processes is determined by the node.process_limit configuration item.

# emqx-auth-clientid (opens new window)

# auth.client..clientid&auth.client..password

TypeDefault
string-
# Description

The authentication data of the client, where auth.client.<Number>.password is the clear text password. auth.client.<Number>.clientid and auth.client.<Number>.password for the same <Number> must appear in pairs. <Number>is an integer number used to distinguish authentication data of multiple clients.

# auth.client.password_hash

TypeOptional ValueDefault
enumplain, md5, sha, sha256sha256
# Description

Hash algorithm is used when the password is stored in the database. The following options are available:

plain

The password is stored in clear text.

md5

The password is encrypted and stored using the MD5 algorithm.

sha

The password is encrypted and stored using the SHA-1 algorithm.

sha256

The password is encrypted and stored using the SHA-256 algorithm.

# emqx-auth-http (opens new window)

# auth.http.auth_req

TypeDefault
stringhttp://127.0.0.1:8991/mqtt/auth
# Description

Specify the target URL of the authentication request.

# auth.http.auth_req.method

TypeOptional ValueDefault
enumget, postpost
# Description

Specify the request method of the authentication request.

# auth.http.auth_req.params

TypeFormatDefault
stringK=v key-value pairs separated by,,v can be fixed content or placeholderclientid=%c,username=%u,password=%P
# Description

Specify the data carried in the authentication request. When using the GET method, the value of auth.http.auth_req.params will be converted into k=v key-value pairs separated by & and sent as query string parameters. When using the POST method, the value of auth.http.auth_req.params will be converted into k=v key-value pairs separated by & and sent in the form of Request Body. All placeholders will be replaced by run-time data , and the available placeholders are as follows:

PlaceholderReplace content
%uUsername
%cMQTT Client ID
%aClient's network IP address
%rThe protocol used by the client can be:mqtt, mqtt-sn, coap, lwm2m and stomp
%PPassword
%pServer port for client connection
%cCommon Name in client certificate
%dSubject in client certificate

# auth.http.super_req

TypeDefault
stringhttp://127.0.0.1:8991/mqtt/superuser
# Description

Specify the target URL for the superuser authentication request.

# auth.http.super_req.method

TypeOptional ValueDefault
enumget, postpost
# Description

Specifies the request method of the super user authentication request.

# auth.http.super_req.params

TypeFormatDefault
stringK=v key-value pairs separated by,,v can be fixed content or placeholderclientid=%c,username=%u
# Description

Specify the data carried in the authentication request. When using the GET method, the value of auth.http.auth_req.params will be converted into k=v key-value pairs separated by & and sent as query string parameters. When using the POST method, the value of auth.http.auth_req.params will be converted into k=v key-value pairs separated by & and sent in the form of Request Body. All placeholders will be replaced by run-time data , and the available placeholders are the same as those of auth.http.auth_req.params.

# auth.http.acl_req

TypeDefault
stringhttp://127.0.0.1:8991/mqtt/acl
# Description

Specify the target URL for ACL verification requests.

# auth.http.acl_req.method

TypeOptional ValueDefault
enumget, postpost
# Description

Specifies the request method for ACL verification requests.

# auth.http.acl_req.params

TypeFormatDefault
stringK=v key-value pairs separated by,,v can be fixed content or placeholderaccess=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m
# Description

Specify the data carried in the authentication request. When using the GET method, the value of auth.http.auth_req.params will be converted into k=v key-value pairs separated by & and sent as query string parameters. When using the POST method, the value of auth.http.auth_req.params will be converted into k=v key-value pairs separated by & and sent in the form of Request Body. All placeholders will be replaced by run-time data , and the available placeholders are as follows:

PlaceholderReplace content
%APermission to be verified, 1 means subscription, 2 means publish
%uMQTT Client ID
%cClient identifier
%aClient network IP address
%rThe protocol used by the client can be: mqtt, mqtt-sn, coap, lwm2m and stomp
%mMount point
%tTopic

# auth.http.request.timeout

TypeDefault
duration0s
# Description

HTTP request timeout. Any setting equivalent to 0s means never timeout.

# auth.http.request.connect_timeout

TypeDefault
duration0s
# Description

Connection timeout for HTTP requests. Any setting value equivalent to 0s means never time out.

# auth.http.request.retry_times

TypeDefault
integer3
# Description

The number of retries when an HTTP request fails.

# auth.http.request.retry_interval

TypeDefault
duration1s
# Description

Retry interval when HTTP request fails.

# auth.http.request.retry_backoff

TypeDefault
float2.0
# Description

When the HTTP request fails, the retry interval uses the exponential backoff algorithm. This configuration item is used to specify the backoff coefficient of the exponential backoff algorithm.

# auth.http.header.

TypeDefault
string-
# Description

Specify the data in the HTTP request header. <Key> Specify the field name in the HTTP request header, and the value of this configuration item is the corresponding field value. <Key> can be the standard HTTP request header field. User can also customize the field to configure multiple different request header fields.

# Example
auth.http.header.Accept = */*
auth.http.header.Accept-Encoding = *

# auth.http.ssl.cacertfile

TypeDefault
stringetc/certs/ca.pem
# Description

CA certificate file path.

# auth.http.ssl.certfile

TypeDefault
stringetc/certs/client-cert.pem
# Description

Client certificate file path.

# auth.http.ssl.keyfile

TypeDefault
stringetc/certs/client.key.pem
# Description

Client private key file path.

# emqx-auth-jwt (opens new window)

# auth.jwt.secret

TypeDefault
stringemqxsecret
# Description

Set HMAC Secret.

# auth.jwt.from

TypeOptional ValueDefault
enumusername, passwordpassword
# Description

Where to get JWT. Optional values are

  • username: The username field of the MQTT CONNECT packet is used as JWT.
  • password: The password field of the MQTT CONNECT packet is used as JWT.

# auth.jwt.pubkey

TypeDefault
stringetc/certs/jwt_public_key.pem
# Description

If you use RSA or ECDSA encryption algorithm, you must specify the private key file.

# auth.jwt.verify_claims

TypeOptional ValueDefault
enumon, offoff
# Description

Enable or disable Claims verification.

# auth.jwt.verify_claims.

TypeDefault
string-
# Description

When the Claims verification function is enabled, you can set optional values for fields in the JWT.

For example, if the value of sub in the Claim in JWT is expected to be" abc ", the following rules can be configured:

auth.jwt.verify_claims.sub = abc

The expected value supports two wildcards:

  • %u: username
  • %c: clientid

For example, if the value of the sub field in the JWT is expected to be the same as the username field in the MQTT CONNECT message, the following rules can be configured:

auth.jwt.verify_claims.sub = %u

# emqx-auth-ldap (opens new window)

# auth.ldap.servers

TypeDefault
string127.0.0.1
# Description

LDAP service address.

# auth.ldap.port

TypeDefault
integer389
# Description

LDAP service port.

# auth.ldap.pool

TypeOptional ValueDefault
integer> 08
# Description

Connection pool size.

# auth.ldap.bind_dn

TypeDefault
stringcn=root,dc=emqx,dc=io
# Description

The DN for logging into the LDAP service.

# auth.ldap.bind_password

TypeDefault
stringpublic
# Description

The password for logging into the LDAP service.

# auth.ldap.timeout

TypeDefault
duration30s
# Description

The query timeout.

# auth.ldap.device_dn

TypeDefault
stringou=device,dc=emqx,dc=io
# Description

The DN to which the client belongs.

# auth.ldap.match_objectclass

TypeDefault
stringmqttUser
# Description

The name of the client object.

# auth.ldap.username.attributetype

TypeDefault
stringuid
# Description

The data type of the Username attribute.

# auth.ldap.password.attributetype

TypeDefault
stringuserPassword
# Description

The data type of the Password attribute.

# auth.ldap.ssl

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to enable SSL.

# auth.ldap.ssl.certfile

TypeDefault
string-
# Description

SSL server certificate path.

# auth.ldap.ssl.keyfile

TypeDefault
string-
# Description

SSL server key file path.

# auth.ldap.ssl.cacertfile

TypeDefault
string-
# Description

CA certificate file path.

# auth.ldap.ssl.verify

TypeOptional ValueDefault
enumverify_peer, verify_none-
# Description

SSL authentication method:

  • verify_none:One-way authentication.
  • verify_peer:Two-way authentication.

# auth.ldap.ssl.fail_if_no_peer_cert

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

If the client does not provide an SSL certificate, disconnect it.

# emqx-auth-mongo (opens new window)

# auth.mongo.type

TypeOptional ValueDefault
enumsingle, unknown, sharded, rssingle
# Description

Set the topology type of MongoDB:

  • single: single node
  • unknown: unknown
  • sharded: sharding mode
  • rs: replicated set

# auth.mongo.rs_set_name

TypeDefault
string127.0.0.1:27017
# Description

Set the address of MongoDB service. If there are multiple items, use comma , to separate them.

# auth.mongo.pool

TypeDefault
integer8
# Description

Set the number of processes in the MongoDB connection pool.

# auth.mongo.login

TypeDefault
string-
# Description

Set the MongoDB's username.

# auth.mongo.password

TypeDefault
string-
# Description

Set the MongoDB's password.

# auth.mongo.auth_source

TypeDefault
stringmqtt
# Description

Set the MongoDB authentication source database name.

# auth.mongo.database

TypeDefault
stringmqtt
# Description

Set MongoDB database name.

# auth.mongo.query_timeout

TypeDefault
duration5s
# Description

Set the timeout for accessing MongoDB.

# auth.mongo.ssl

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Set whether to use SSL to access MongoDB.

# auth.mongo.ssl_opts.keyfile

TypeDefault
string-
# Description

If using SSL to access MongoDB, set the private key file of the SSL client.

# auth.mongo.ssl_opts.certfile

TypeDefault
string-
# Description

If using SSL to access MongoDB, set the SSL client certificate file.

# auth.mongo.ssl_opts.cacertfile

TypeDefault
string-
# Description

If you use SSL to access MongoDB, set the SSL certificate file.

# auth.mongo.w_mode

TypeOptional ValueDefault
enumunsafe, safe, undefundef
# Description

Set the write mode of MongoDB.

# auth.mongo.r_mode

TypeOptional ValueDefault
enummaster, slave_ok, undefundef
# Description

Set the read mode of MongoDB.

# auth.mongo.auth_query.collection

TypeDefault
stringmqtt_user
# Description

Collection name used in the authentication process.

# auth.mongo.auth_query.password_field

TypeDefault
stringpassword
# Description

The main fields used in the authentication process. To add salt after the password, it can be configured as:

auth.mongo.auth_query.password_field = password,salt

# auth.mongo.auth_query.password_hash

TypeOptional ValueDefault
enumplain, md5, sha, sha256, bcryptsha256
# Description

Set the hash algorithm used for the password field. To add salt after the sha256 password, you can set it to:

auth.mongo.auth_query.password_hash = sha256,salt

To add salt before the sha256 password, you can set it to:

auth.mongo.auth_query.password_hash = salt,sha256

To add salt before the bcrypt password, you can set it to:

auth.mongo.auth_query.password_hash = salt,bcrypt

# auth.mongo.auth_query.selector

TypeDefault
stringusername=%u
# Description

MongoDB statements are executed during the authentication process. Commands can support following wildcards:

  • %u: username
  • %c: clientid
  • %C: Common Name in client TLS certificate
  • %d: Subject in the client's TLS certificate

# auth.mongo.auth_query.super_query

TypeOptional ValueDefault
enumon, offon
# Description

Whether to use SuperUser in authentication.

# auth.mongo.super_query.collection

TypeDefault
stringmqtt_user
# Description

If using SuperUser, specify the MongoDB Collection of SuperUser.

# auth.mongo.super_query.selector

TypeDefault
stringusername=%u, clientid=%c
# Description

If SuperUser is used, specify the MongoDB statement used to query SuperUser.

# auth.mongo.acl_query

TypeOptional ValueDefault
enumon, offon
# Description

Whether to enable the ACL function.

# auth.mongo.acl_query.collection

TypeDefault
stringmqtt_acl
# Description

If using the ACL function, specify the MongoDB Collection that queries the ACL rules.

# auth.mongo.acl_query.selector

TypeDefault
stringusername=%u
# Description

If the ACL function is used, specify the MongoDB statement used to query the ACL rules. It can support multiple ACL statements, and "or" is used to connect multiple statements.

For example, configure the following two access rules:

auth.mongo.acl_query.selector.1 = username=%u
auth.mongo.acl_query.selector.2 = username=$all

And the username of the client equals 'ilyas'. When querying acl rules, the following MongoDB statement will be executed:

db.mqtt_acl.find({$or: [{username: "ilyas"},  {username: "$all"}]});

# auth.mongo.topology.pool_size

TypeDefault
integer1
# Description

MongoDB topology parameters, that set the thread pool size.

# auth.mongo.topology.max_overflow

TypeDefault
integer0
# Description

MongoDB topology parameter, which determines how many additional worker threads are allowed to be created when all workers in the thread pool are busy.

# auth.mongo.topology.overflow_ttl

TypeDefault
integer1000
# Description

MongoDB topology parameter, which determines how long to release additional worker threads when a worker is idle. Unit: ms

# auth.mongo.topology.overflow_check_period

TypeDefault
integer1000
# Description

MongoDB topology parameters, which determines how often to check for idle threads to release additional workers.

# auth.mongo.topology.local_threshold_ms

TypeDefault
integer1000
# Description

MongoDB topology parameters, which is to select the strategy of the secondary node used to process user requests. The minimum value of the RTT of all nodes is LowestRTT, then only those secondary nodes with RTT <LowestRTT + local_threshold_ms will be selected.

# auth.mongo.topology.connect_timeout_ms

TypeDefault
integer20000
# Description

MongoDB topology parameter, means MongoDB connection timeout, unit: ms.

# auth.mongo.topology.socket_timeout_ms

TypeDefault
integer100
# Description

MongoDB topology parameter, that means MongoDB message sending timeout period, unit: ms.

# auth.mongo.topology.server_selection_timeout_ms

TypeDefault
integer30000
# Description

MongoDB topology parameter, select the timeout period of MongoDB Server, unit: ms.

# auth.mongo.topology.wait_queue_timeout_ms

TypeDefault
integer1000
# Description

MongoDB topology parameters, that selects the worker's waiting timeout period from the thread pool, unit: ms.

# auth.mongo.topology.heartbeat_frequency_ms

TypeDefault
integer10000
# Description

MongoDB topology parameters, the interval between topological scans, unit: ms.

# auth.mongo.topology.min_heartbeat_frequency_ms

TypeDefault
integer1000
# Description

MongoDB topology parameter, the minimum allowed value of heartbeat_frequency_ms, unit: milliseconds.

# emqx-auth-mysql (opens new window)

# auth.mysql.server

TypeDefault
ip127.0.0.1:3306
# Description

MySQL server address.

# auth.mysql.pool

TypeDefault
integer8
# Description

Database connection thread pool size.

# auth.mysql.username

TypeDefault
string-
# Description

MySQL username.

# auth.mysql.password

TypeDefault
string-
# Description

MySQL password.

# auth.mysql.database

TypeDefault
stringmqtt
# Description

MySQL database name.

# auth.mysql.query_timeout

TypeDefault
duration5s
# Description

MySQL data query timeout. The query timeout means user data was not found.


# auth.mysql.auth_query

TypeDefault
stringselect password from mqtt_user where username = '%u' limit 1
# Description

The MySQL select statement used during authentication, the selected data will be compared with the password encrypted by the encryption method specified by auth.mysql.password_hash, and the client with the same content after the comparison will be allowed to log in. The stored password with salt needs to select the fields corresponding to the salt at the same time, such as select password, salt from mqtt_user where username = '%u' limit 1.Password and salt field names cannot be modified, the table name and the field name in the WHERE clause can change depending on the situation. The WHERE clause supports the following placeholders:

PlaceholderDescription
%uusername specified in the CONNECT packet by the MQTT client that will be replaced
%cClientID specified in the CONNECT packet by the MQTT client that will be replaced
%CCommon Name in the client certificate when TLS that will be replaced is connected
%dSubject in the client certificate when TLS that will be replaced is connected

# auth.mysql.password_hash

TypeDefault
stringsh256
# Description

The encryption method used for the password stored in the database. The following encryption methods are supported:

  • plain, both forward and backward salting is supported, such as salt, plain
  • md5, both forward and backward salting is supported
  • sha, both forward and backward salting is supported
  • sha256, both forward and backward salting is supported
  • sha512, both forward and backward salting is supported
  • pbkdf2, the format is pbkdf2,<Hashfun>,<Iterations>,<Dklen>. Among them, <Hashfun>is the hash function used, which supports md4, md5,ripemd160 sha,sha224, sha256,sha384, sha512. <Iterations>is the number of iterations and <Dklen>is the length of the derived key. Example: pbkdf2, sha256,1000,20
  • bcrypt, only forward salting is supported, eg salt, bcrypt

# auth.mysql.super_query

TypeDefault
stringselect is_superuser from mqtt_user where username = '%u' limit 1
# Description

The SQL select statement used for super user authentication. All table names and field names in this statement can be modified as appropriate. If and only if the value of the selected field is 1, the user is a super user. In the WHERE clause, the supported placeholders are the same as auth.mysql.auth_query.

# auth.mysql.acl_query

TypeDefault
stringselect allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
# Description

The SQL selection statement used in ACL verification. All table names and field names in this statement can be modified as appropriate. The placeholders supported in the WHERE clause are as follows:

TagDescription
%aTo be replaced with the client IP address
%uTo be replaced with the username specified by the MQTT client in the CONNECT packet
%cTo be replaced with the client identifier specified by the MQTT client in the CONNECT packet

# emqx-auth-pgsql (opens new window)

# auth.pgsql.server

TypeDefault
ip127.0.0.1:5432
# Description

PostgreSQL server address.

# auth.pgsql.pool

TypeDefault
integer8
# Description

Database connection thread pool size.

# auth.pgsql.username

TypeDefault
stringroot
# Description

PostgreSQL username.

# auth.pgsql.password

TypeDefault
string-
# Description

PostgreSQL password.

# auth.pgsql.database

TypeDefault
stringmqtt
# Description

PostgreSQL database name.

# auth.pgsql.encoding

TypeDefault
stringutf8
# Description

PostgreSQL database character encoding format.

# auth.pgsql.ssl

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to enable TLS connection.

# auth.pgsql.ssl_opts.keyfile

TypeDefault
string-
# Description

Client private key file path.

# auth.pgsql.ssl_opts.certfile

TypeDefault
string-
# Description

Client certificate file path.

# auth.pgsql.ssl_opts.cacertfile

TypeDefault
string-
# Description

Client CA certificate file path.

# auth.pgsql.auth_query

TypeDefault
stringselect password from mqtt_user where username = '%u' limit 1
# Description

The SQL selection statement used for authentication, that is the same as auth.mysql.auth_query.

# auth.pgsql.password_hash

TypeDefault
stringsh256
# Description

The encryption method used for the password stored in the database, that is the same as auth.mysql.password_hash.

# auth.pgsql.super_query

TypeDefault
stringselect is_superuser from mqtt_user where username = '%u' limit 1
# Description

The SQL select statement used for super user authentication, that is the same as auth.mysql.super_query.

# auth.pgsql.acl_query

TypeDefault
stringselect allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
# Description

The SQL selection statement used in ACL verification, the same as auth.mysql.acl_query.

# emqx-auth-redis (opens new window)

# auth.redis.type

TypeOptional ValueDefault
enumsingle, sentinel, clustersingle
# Description

Redis Service cluster type:

  • single:Single node service.
  • sentinel:sentinel pattern.
  • cluster:cluster pattern.

# auth.redis.server

TypeDefault
string127.0.0.1:6379
# Description

Redis service addresses, if there are multiple, they are separated by commas. For example, 192.168.0.1:6379, 192.168.0.2:6379.

# auth.redis.sentinel

TypeDefault
string-
# Description

The cluster name in Redis sentinel mode. If it is not in sentinel mode, no configuration is required.

# auth.redis.pool

TypeOptional ValueDefault
integer> 08
# Description

Connection pool size.

# auth.redis.database

TypeDefault
integer0
# Description

The serial number of the Redis database to be connected.

# auth.redis.password

TypeDefault
string-
# Description

Redis password.

# auth.redis.query_timeout

TypeDefault
duration5s
# Description

Redis query timeout.

# auth.redis.auth_cmd

TypeDefault
stringHMGET mqtt_user:%u password
# Description

Authentication query commands, available placeholders are:

  • %u: client username.
  • %c: client ID.
  • %C: cn of client SSL certificate.
  • %d: dn of client SSL certificate.

# auth.redis.password_hash

TypeOptional ValueDefault
enumplain, md5, sha, sha256, bcryptplain
# Description

The encoding format of the password field stored by Redis.

# auth.redis.super_cmd

TypeDefault
stringHGET mqtt_user:%u is_superuser
# Description

Authentication query commands for superuser, available placeholders are:

  • %u: client username.
  • %c: client ID.
  • %C: cn of client SSL certificate.
  • %d: dn of client SSL certificate.

# auth.redis.acl_cmd

TypeDefault
stringHGETALL mqtt_acl:%u
# Description

ACL query commands. Available placeholders are:

  • %u: client username.
  • %c: client ID.

# emqx-auth-username (opens new window)

# auth.user..username&auth.user..password

TypeDefault
string-
# Description

The authentication data of the client, where auth.user.<Number>.password is the clear text password. auth.user.<Number>.username and auth.user.<Number>.password of the same <Number> must appear in pairs. <Number>is an integer number used to distinguish authentication data of multiple clients.

# auth.user.password_hash

TypeOptional ValueDefault
enumplain, md5, sha, sha256sha256
# Description

Hash algorithm used when the password is stored in the database. The following options are available:

plain

The password is stored in clear text.

md5

The password is encrypted and stored using the MD5 algorithm.

sha

The password is encrypted and stored using the SHA-1 algorithm.

sha256

The password is encrypted and stored using the SHA-256 algorithm.

# emqx-bridge-mqtt (opens new window)

# bridge.mqtt.aws.address

TypeDefault
string127.0.0.1:1883
# Description

Bridge address, supports two formats, for example:

  • emqx @ 192.168.0.100: EMQ X Broker node name, which means that the message of this node is bridged to another EMQ X node.
  • 192.168.0.100: 1883: IP address and port,which means that the message of the node is bridged to another MQTT server through an MQTT connection.

# bridge.mqtt.aws.proto_ver

TypeOptional ValueDefault
enummqttv3, mqttv4, mqttv5mqttv4
# Description

The client protocol version of the MQTT bridge.

# bridge.mqtt.aws.start_type

TypeOptional ValueDefault
eunmmanual, automanual
# Description

Start type:

  • auto: start automatically with the plugin.
  • manual: start the bridge manually.

# bridge.mqtt.aws.bridge_mode

TypeOptional ValueDefault
booleantrue, falsetrue
# Description

Whether to enable bridging mode, only MQTT bridging is supported. After being enabled, the MQTT client started by emqx_bridge_mqtt will carry a flag bit when sending a connection message, indicating that this is a bridging client.

Tip

RabbitMQ currently does not support this flag.

# bridge.mqtt.aws.clientid

TypeDefault
stringbridge_aws
# Description

The client ID of the MQTT bridge.

# bridge.mqtt.aws.clean_start

TypeOptional ValueDefault
booleantrue, falsetrue
# Description

The clean_start flag of the MQTT bridge. It indicates whether the client connects to the remote MQTT Broker in the manner of clean session.

# bridge.mqtt.aws.username

TypeDefault
stringuser
# Description

The username of the MQTT bridge client.

# bridge.mqtt.aws.password

TypeDefault
stringpasswd
# Description

The password of the MQTT bridge client.

# bridge.mqtt.aws.forwards

TypeDefault
stringtopic1/#,topic2/#
# Description

Bridge forwarding rules. For example:

  • topic1/#, topic2/#emqx_bridge_mqtt will forward all topic messages in EMQ X Broker that match topic1/#topic2/# .

# bridge.mqtt.aws.forward_mountpoint

TypeDefault
stringbridge/aws/${node}/
# Description

The prefix of the forwarding topic. When forwarding the message to the target system, it is supported to add a uniform prefix to the topic.

# bridge.mqtt.aws.subscription.1.topic

TypeDefault
string-
# Description

Topic of the peer system subscribed.

# bridge.mqtt.aws.subscription.1.qos

TypeOptional ValueDefault
enum0, 1, 21
# Description

QoS of the peer system topic subscribed.

# bridge.mqtt.aws.receive_mountpoint

TypeDefault
stringreceive/aws/
# Description

The topic prefix of the received message.emqx_bridge_mqtt supports adding a unified topic prefix to the message from the peer.

# bridge.mqtt.aws.ssl

TypeOptional ValueDefault
booleantrue, falsetrue
# Description

Whether the MQTT bridge client enables SSL.

# bridge.mqtt.aws.cacertfile

TypeDefault
stringetc/certs/cacert.pem
# Description

The path of the CA certificate file of the MQTT bridge client.

# bridge.mqtt.aws.certfile

TypeDefault
stringetc/certs/client-cert.pem
# Description

The path of the SSL certificate file of the MQTT bridge client.

# bridge.mqtt.aws.keyfile

TypeDefault
stringetc/certs/client-key.pem
# Description

The path of the SSL key file of the MQTT bridge client.

# bridge.mqtt.aws.ciphers

TypeDefault
stringECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384
# Description

Cipher suite supported by SSL handshake.

# bridge.mqtt.aws.psk_ciphers

TypeDefault
stringPSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
# Description

Cipher suite supported by SSL PSK handshake.

# bridge.mqtt.aws.keepalive

TypeDefault
duration60s
# Description

Heartbeat interval of the MQTT bridge client.

# bridge.mqtt.aws.tls_versions

TypeDefault
stringtlsv1.2,tlsv1.1,tlsv1
# Description

The SSL version of the MQTT bridge client.

# bridge.mqtt.aws.reconnect_interval

TypeDefault
duration30s
# Description

Reconnection interval.

# bridge.mqtt.aws.retry_interval

TypeDefault
duration20s
# Description

QoS 1/2 message retransmission interval.

# bridge.mqtt.aws.batch_size

TypeDefault
integer32
# Description

The batch size of the EMQ X bridge. The EMQ X bridge mode of emqx_bridge_mqtt supports batch sending of messages to increase throughput.

# bridge.mqtt.aws.max_inflight_size

TypeDefault
integer32
# Description

Inflight window size.

# bridge.mqtt.aws.queue.replayq_dir

TypeDefault
stringetc/emqx_aws_bridge/
# Description

Set the message queue file path. If not configured, only memory storage is used.

# bridge.mqtt.aws.queue.replayq_seg_bytes

TypeDefault
bytesize10MB
# Description

The single file size of the message queue stored on disk.

# bridge.mqtt.aws.queue.max_total_size

TypeDefault
bytesize5GB
# Description

The maximum allowed message queue storage.

# emqx-coap (opens new window)

# coap.port

TypeDefault
integer5683
# Description

Specify the UDP binding port of the CoAP plug-in.

# coap.enable_stats

TypeOptional ValueDefault
enumon, offoff
# Description

Enable or disable CoAP statistics function.

# coap.dtls.port

TypeDefault
integer5684
# Description

Specify the DTLS binding port of the CoAP plugin.

# coap.dtls.verify

TypeOptional ValueDefault
enumverify_peer, verify_noneverify_peer
# Description

When using DTLS, specify whether to verify the client during the DTLS handshake.

# coap.dtls.keyfile

TypeDefault
stringetc/certs/key.pem
# Description

When using DTLS, specify the DTLS private key file.

# coap.dtls.certfile

TypeDefault
stringetc/certs/cert.pem
# Description

When using DTLS, specify the DTLS certificate file.

# coap.dtls.cacertfile

TypeDefault
stringetc/certs/cacert.pem
# Description

When using DTLS, specify the CA certificate file for DTLS.

# coap.dtls.fail_if_no_peer_cert

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

When using DTLS, if the client does not have a certificate during the DTLS handshake, whether to let the handshake fail.

# coap.dtls.ciphers

TypeDefault
stringECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
# Description

When using DTLS, specify the Cipher list supported by the DTLS server.

# emqx-dashboard (opens new window)

# dashboard.default_user.login&dashboard.default_user.password

TypeDefault
string-
# Description

Default user authentication data of Dashboard . Dashboard.default_user.login and dashboard.default_user.password must exist at tge sane tune.

# dashboard.listener.http

TypeDefault
integer18083
# Description

The listening port of the HTTP listener.

# dashboard.listener.http.acceptors

TypeDefault
integer4
# Description

The number of listening processes this listener will create.

# dashboard.listener.http.max_clients

TypeDefault
integer512
# Description

The maximum number of connections allowed by this listener at the same time.

# dashboard.listener.http.inet6

TypeOptional ValueDefault
enumture, falsefalse
# Description

Whether to set the socket to allow IPv6 connections.

# dashboard.listener.http.ipv6_v6only

TypeOptional ValueDefault
enumture, falsefalse
# Description

Whether to restrict the socket that only IPv6 can be ued, and prohibit any IPv4 connections. Only applicable to IPv6 sockets, that is, the value of this configuration item has practical significance only when dashboard.listener.http.inet6 is set to true. It should be noted that on some operating systems, such as Windows, the only allowed value for this configuration item is true.

# dashboard.listener.https

TypeDefault
integer18084
# Description

The listening port of the HTTPS listener, which is disabled by default.

# dashboard.listener.https.acceptors

TypeDefault
integer2
# Description

Same as dashboard.listener.http.acceptors.

# dashboard.listener.https.max_clients

TypeDefault
integer512
# Description

Same as dashboard.listener.http.max_clients.

# dashboard.listener.https.inet6

TypeOptional ValueDefault
enumture, falsefalse
# Description

Same as dashboard.listener.http.inet6.

# dashboard.listener.https.ipv6_v6only

TypeOptional ValueDefault
enumture, falsefalse
# Description

Same as dashboard.listener.http.ipv6_v6only.

# dashboard.listener.https.keyfile

TypeDefault
stringetc/certs/key.pem
# Description

Server private key file path.

# dashboard.listener.https.certfile

TypeDefault
stringetc/certs/cert.pem
# Description

Server certificate file path.

# dashboard.listener.https.cacertfile

TypeDefault
stringetc/certs/cacert.pem
# Description

CA certificate file path.

# dashboard.listener.https.dhfile

TypeDefault
stringetc/certs/dh-params.pem
# Description

If a cipher suite exchanged from Diffie Hellman key is used, you can use this configuration item to specify a file path that contains PEM-encoded Diffie Hellman parameters. If not specified, the default parameters are used.

# dashboard.listener.https.verify

TypeOptional ValueDefault
enumverify_peer, verify_noneverify_peer
# Description

verify_none means to disable peer certificate verification, and the server will not send a certificate request to the client. verify_peer means to enable peer certificate verification, and the server will send a certificate request to the client. When this configuration item is set to verify_peer, it usually need to be used together with dashboard.listener.https.fail_if_no_peer_cert to specify whether to force the client to provide a certificate.

# dashboard.listener.https.fail_if_no_peer_cert

TypeOptional ValueDefault
enumture, falsetrue
# Description

It should be used together with dashboard.listener.https.verify. If set to true, the server will request a certificate from the client. If the client does not provide a certificate, the handshake will fail. If set to false, the handshake can be successful even if the terminal does not provide a certificate.

# dashboard.listener.https.tls_versions

TypeDefault
stringtlsv1.2,tlsv1.1,tlsv1
# Description

Specify the TLS protocol version supported by the server. The versions are separated by ,. The supported TLS protocol versions are: tlsv1.3, tlsv1.2, tlsv1.1, tlsv1, sslv3.

# dashboard.listener.https.ciphers

TypeDefault
stringECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
# Description

Specify the cipher suite supported by the server.

# dashboard.listener.https.secure_renegotiate

TypeOptional ValueDefault
enumon, offoff
# Description

Specifies whether to start the secure renegotiation mechanism.

# dashboard.listener.https.reuse_sessions

TypeOptional ValueDefault
enumon, offon
# Description

Specifies whether to enable the session resuing mechanism.

# dashboard.listener.https.honor_cipher_order

TypeOptional ValueDefault
enumon, offon
# Description

If set to on, use the server ’s preferences for password selection. If set to off, use the client ’s preferences.

# emqx-lwm2m (opens new window)

# lwm2m.port

TypeDefault
integer5683
# Description

Specify the UDP port used by LwM2M.

# lwm2m.lifetime_min

TypeDefault
duration1s
# Description

Specify the minimum allowed LwM2M lifetime with the unit of second.

# lwm2m.lifetime_max

TypeDefault
duration86400s
# Description

Specify the maximum allowed LwM2M lifetime with the unit of second.

# lwm2m.qmode_time_window

TypeDefault
integer22
# Description

Specifies the window size used in LwM2M Q mode, with the unit of second.

Within this window period, it can be sent to the Q mode device, and after the window period, the downlink data is cached.

# lwm2m.lb

TypeOptional ValueDefault
enumcoaproxy, undefinedundefined
# Description

Set whether to use coaproxy. undefined means not to use coaproxy.

# lwm2m.auto_observe

TypeOptional ValueDefault
enumon, offoff
# Description

Whether to automatically issue the observe command after device registration.

# lwm2m.mountpoint

TypeDefault
stringlwm2m/%e/
# Description

Set the mount point of the LwM2M topic. The following wildcards are supported:

  • '%e': Endpoint Name
  • '%a': IP Address

# lwm2m.topics.command

TypeDefault
stringdn/#
# Description

The command line topic that need to be subscribd after the device registration is completed.

# lwm2m.topics.response

TypeDefault
stringup/resp
# Description

Which topic the device's upstream response needs to be published to.

# lwm2m.topics.notify

TypeDefault
stringup/notify
# Description

Which topic the device's upstream report message (notify) needs to be published to.

# lwm2m.topics.register

TypeDefault
stringup/resp
# Description

Which topic the device's upstream registration message (register) needs to be published to.

# lwm2m.topics.update

TypeDefault
stringup/resp
# Description

Which topic the device's upstream update message (update) needs to be published to.

# lwm2m.opts.buffer

TypeDefault
bytesize1024KB
# Description

UDP tuning parameters, specify the UDP user mode cache size.

# lwm2m.opts.recbuf

TypeDefault
bytesize1024KB
# Description

UDP tuning parameters, specify the UDP receiving buffer size.

# lwm2m.opts.sndbuf

TypeDefault
bytesize1024KB
# Description

UDP tuning parameters, specify the UDP sending buffer size.

# lwm2m.opts.read_packets

TypeDefault
integer20
# Description

UDP tuning parameters, specify how many packets to read from UDP socket each time.

# lwm2m.certfile

TypeDefault
stringetc/certs/cert.pem
# Description

Specify the certificate file used by UDP DTLS.

# lwm2m.keyfile

TypeDefault
stringetc/certs/key.pem
# Description

Specify the private key file used by UDP DTLS.

# lwm2m.xml_dir

TypeDefault
diretc/lwm2m_xml
# Description

Specify the directory where the LwM2M Object definition file is stored.

# emqx-management (opens new window)

# management.max_row_limit

TypeDefault
integer10000
# Description

Maximum number of records returned during paging query.

# management.default_application.id

TypeDefault
stringadmin
# Description

Default AppId.

# management.default_application.secret

TypeDefault
stringpublic
# Description

Default AppSecret.

# management.listener.http

TypeDefault
integer8081
# Description

The listening port of the HTTP listener.

# management.listener.http.acceptors

TypeDefault
integer2
# Description

The number of listening processes this listener will create.

# management.listener.http.max_clients

TypeDefault
integer512
# Description

The maximum number of connections allowed by this listener at the same time

# management.listener.http.backlog

TypeDefault
integer512
# Description

The maximum length of the TCP connection queue. It indicates the maximum number of TCP connection queues that are allowed in the system to undergo three-time handshake.

# management.listener.http.send_timeout

TypeDefault
duration15s
# Description

HTTP packet sending timeout.

# management.listener.http.send_timeout_close

TypeOptional ValueDefault
enumon, offon
# Description

Whether to close the connection after the HTTP packet sending is timeout.

# management.listener.http.inet6

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to set the socket to allow IPv6 connections.

# management.listener.http.ipv6_v6only

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to restrict the socket that only IPv6 can be ued, and prohibit any IPv4 connections. Only applicable to IPv6 sockets, that is, the value of this configuration item has practical significance only when dashboard.listener.http.inet6 is set to true. It should be noted that on some operating systems, such as Windows, the only allowed value for this configuration item is true.

# management.listener.https

TypeDefaultExample
integer-8081
# Description

The listening port of the HTTPS listener.

# management.listener.https.acceptors

TypeDefault
integer2
# Description

The number of listening processes this listener will create.

# management.listener.https.max_clients

TypeDefault
integer512
# Description

The maximum number of connections allowed by this listener at the same time.

# management.listener.https.backlog

TypeDefault
integer512
# Description

The maximum length of the TCP connection queue. It indicates the maximum number of TCP connection queues that are allowed in the system to undergo three-time handshake.

# management.listener.https.send_timeout

TypeDefault
duration15s
# Description

Timeout for sending HTTPS packets.

# management.listener.https.send_timeout_close

TypeOptional ValueDefault
enumon, offon
# Description

Whether to close the connection after the HTTPS packet sending is timeout.

# management.listener.https.keyfile

TypeDefault
stringetc/certs/key.pem
# Description

Server private key file path.

# management.listener.https.certfile

TypeDefault
stringetc/certs/cert.pem
# Description

Server certificate file path.

# management.listener.https.cacertfile

TypeDefault
stringetc/certs/cacert.pem
# Description

CA certificate file path.

# management.listener.https.verify

TypeOptional ValueDefault
enumverify_peer, verify_noneverify_peer
# Description

verify_none means to disable peer certificate verification, and the server will not send a certificate request to the client. verify_peer means to enable peer certificate verification, and the server will send a certificate request to the client. When this configuration item is set to verify_peer, it usually need to be used together with dashboard.listener.https.fail_if_no_peer_cert to specify whether to force the client to provide a certificate.

# management.listener.https.fail_if_no_peer_cert

TypeOptional ValueDefault
enumture, falsetrue
# Description

It should be used together with management.listener.https.verify. If set to true, the server will fail the handshake if the client does not provide a certificate when requesting a certificate from the client. If set to false, the handshake can be successful even if the terminal does not provide a certificate.

# management.listener.https.inet6

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to set the socket to allow IPv6 connections.

# management.listener.https.ipv6_v6only

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Whether to restrict the socket that only IPv6 can be ued, and prohibit any IPv4 connections. Only applicable to IPv6 sockets, that is, the value of this configuration item has practical significance only when dashboard.listener.http.inet6 is set to true. It should be noted that on some operating systems, such as Windows, the only allowed value for this configuration item is true.

# emqx-reloader (opens new window)

# reloader.interval

TypeDefault
duration60s
# Description

How often do hot update all code.

# reloader.logfile

TypeDefault
stringreloader.log
# Description

Log files for hot updates of code.

# emqx-retainer (opens new window)

# retainer.storage_type

TypeOptional ValueDefault
enumram, disc, disc_onlyram
# Description

Storage type of the message, the following options are available:

ram

Retained messages are only stored in memory.

disc

Retained messages are stored in both memory and disk.

disc_only

Retained messages are only stored on disk.

# retainer.max_retained_messages

TypeDefault
integer0
# Description

Limit of retained messages. Once the number of stored messages reaches the limit, you can replace existing retained messages, but you cannot store retained messages for new topics. 0 means no limit.

# retainer.max_payload_size

TypeDefault
bytesize1MB
# Description

The maximum length of Payload allowed to store retained messages. If the Payload exceeds the maximum limit, the retained message can be processed normally, but it will not be stored on the server.

# retainer.expiry_interval

TypeDefault
duration0
# Description

The expiration interval of retained messages which is only valid for clients with protocol versions lower than MQTT v5.0. The expiration interval of retained messages for MQTT v5.0 clients will be based on the value of Message Expiry Interval. 0 means never expire.

# emqx-rule-engine (opens new window)

# rule_engine.ignore_sys_message

TypeOptional ValueDefault
enumon, offon
# Description

Ignore system messages ($ SYS). The rule engine will not process system messages if this option is enabled.

# rule_engine.events.

TypeOptional ValueDefault
enumon, offoff
# Description

Set whether to publish event messages. You can specify the QoS of event messages, for example:

rule_engine.events.client_connected = on, qos1

If this option is enabled, the rules engine will publish system messages using the topic of $events/<event-name>. Supported <event-name> are:

  • client_connected
  • client_disconnected
  • session_subscribed
  • session_unsubscribed
  • message_delivered
  • message_acked
  • message_dropped

If this option is disabled, event messages will not be published, but event rules can still be used. For example, even if rule_engine.events.client_connected = off, the following rules can still be used:

SELECT * FROM "$events/client_connected"

# emqx-sn (opens new window)

# mqtt.sn.port

TypeDefault
string1884
# Description

The UDP port that emqx_sn listens on.

# mqtt.sn.advertise_duration

TypeDefault
duration15s
# Description

ADVERTISE message broadcast interval, unit: second.

# mqtt.sn.gateway_id

TypeDefault
integer1
# Description

MQTT-SN gateway ID in ADVERTISE.

# mqtt.sn.enable_stats

TypeOptional ValueDefault
enumon, offoff
# Description

Whether to enable client status statistics.

# mqtt.sn.enable_qos3

TypeOptional ValueDefault
enumon, offoff
# Description

Whether to process messages with QoS of -1.

# mqtt.sn.idle_timeout

TypeDefault
duration30s
# Description

The idle time after the establishment, if no message is received within this time, the connection will be closed.

# mqtt.sn.predefined.topic.0

TypeDefault
stringreserved
# Description

The predefined mapping of Topic and TopicId. Topics with an Id of 0 are reserved and fixed to reserved. For example, the Id of the predefined topic foo / bar is 1:

mqtt.sn.predefined.topic.1 = foo/bar

# mqtt.sn.username

TypeDefault
stringmqtt_sn_user
# Description

emqx_sn username to connect to EMQ X Broker.

# mqtt.sn.password

TypeDefault
stringabc
# Description

emqx_sn password to connect to EMQ X Broker.

# emqx-statsd (opens new window)

# statsd.push.gateway.server

TypeDefault
stringhttp://127.0.0.1:9091
# Description

Specify the URI of the Statsd gateway.

# statsd.interval

TypeDefault
integer15000
# Description

Specify the collection interval of Statsd data in milliseconds.

# prometheus.collector.

TypeDefault
stringemqx_statsd
# Description

Specify Prometheus Collector.

# emqx-stomp (opens new window)

# stomp.listener

TypeDefault
integer61613
# Description

Specify the local port where the Stomp plugin listens.

# stomp.listener.acceptors

TypeDefault
integer4
# Description

Specify the size of the thread pool for Stomp service Acceptor

# stomp.listener.max_connections

TypeDefault
integer512
# Description

Specify the maximum number of connections supported by the Stomp service.

# stomp.listener.ssl

TypeOptional ValueDefault
enumon, offoff
# Description

Specify whether to use SSL.

# stomp.listener.keyfile

TypeDefault
stringetc/certs/key.pem
# Description

If using SSL, specify the SSL private key file.

# stomp.listener.certfile

TypeDefault
stringetc/certs/cert.pem
# Description

If using SSL, specify the SSL certificate file.

# stomp.listener.cacertfile

TypeDefault
stringetc/certs/cacert.pem
# Description

If using SSL, specify the CA certificate file for SSL.

# stomp.listener.dhfile

TypeDefault
stringetc/certs/dh-params.pem
# Description

If using SSL, specify the key file used by the Ephemeral Diffie-Hellman algorithm.

# stomp.listener.verify

TypeOptional ValueDefault
enumverify_peer, verify_noneverify_peer
# Description

If using SSL, specify whether to verify the client during the handshake.

# stomp.listener.fail_if_no_peer_cert

TypeOptional ValueDefault
enumtrue, falsefalse
# Description

Specify whether the handshake fail if SSL is used, and the client does not have a certificate during the SSL handshake.

# stomp.listener.tls_versions

TypeDefault
stringtlsv1.2,tlsv1.1,tlsv1
# Description

If using SSL, specify the list of SSL versions supported by the server.

# stomp.listener.handshake_timeout

TypeDefault
duration15s
# Description

If using SSL, specify the timeout period for the SSL handshake process.

# stomp.listener.ciphers

TypeDefault
stringECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
# Description

If using SSL, specify the Cipher list supported by the server

# stomp.listener.secure_renegotiate

TypeOptional ValueDefault
enumon, offoff
# Description

If using SSL, specify whether to reject the renegotiation request if the client does not follow RFC 5746.

# stomp.listener.reuse_sessions

TypeOptional ValueDefault
enumon, offon
# Description

If using SSL, specify whether to support SSL session reuse.

# stomp.listener.honor_cipher_order

TypeOptional ValueDefault
enumon, offon
# Description

If using SSL, specify whether to use the server's preferences to select Ciphers.

# stomp.default_user.login

TypeDefault
stringguest
# Description

Specify the Username used by the Stomp plugin to log in.

# stomp.default_user.passcode

TypeDefault
stringguest
# Description

Specify the password used for Stomp plugin login.

# stomp.allow_anonymous

TypeOptional ValueDefault
enumtrue, falsetrue
# Description

Whether to allow anonymous login.

# stomp.frame.max_headers

TypeDefault
integer10
# Description

Specify the maximum number of Stomp headers

# stomp.frame.max_header_length

TypeDefault
integer1024
# Description

Specify the maximum Stomp header length

# stomp.frame.max_body_length

TypeDefault
integer8192
# Description

Specify Stomp maximum message body length.

# emqx-web-hook (opens new window)

# web.hook.api.url

TypeDefault
string-
# Description

emqx_web_hook Forwarding web server address.

# web.hook.encode_payload

TypeOptional ValueDefault
enumbase62, base64-
# Description

The encoding format of the Payload field in the PUBLISH message.

# web.hook.rule.client.connect.1

TypeDefault
string{"action": "on_client_connect"}
# Description

Forward the on_client_connect event.

# web.hook.rule.client.connack.1

TypeDefault
string{"action": "on_client_connack"}
# Description

Forward the on_client_connack event.

# web.hook.rule.client.connected.1

TypeDefault
string{"action": "on_client_connected"}
# Description

Forward the on_client_connected event.

# web.hook.rule.client.disconnected.1

TypeDefault
string{"action": "on_client_disconnected"}
# Description

Forward the on_client_disconnected event.

# web.hook.rule.client.subscribe.1

TypeDefault
string{"action": "on_client_subscribe"}
# Description

Forward the on_client_subscribe event.

# web.hook.rule.client.unsubscribe.1

TypeDefault
string{"action": "on_client_unsubscribe"}
# Description

Forward the on_client_unsubscribe event.

# web.hook.rule.session.subscribed.1

TypeDefault
string{"action": "on_session_subscribed"}
# Description

Forward the on_client_subscribe event.

# web.hook.rule.session.unsubscribed.1

TypeDefault
string{"action": "on_session_unsubscribed"}
# Description

Forward the on_session_unsubscribe event.

# web.hook.rule.session.terminated.1

TypeDefault
string{"action": "on_session_terminated"}
# Description

Forward the on_session_terminated event.

# web.hook.rule.message.publish.1

TypeDefault
string{"action": "on_message_publish"}
# Description

Forward the on_client_publish event.

# web.hook.rule.message.delivered.1

TypeDefault
string{"action": "on_message_delivered"}
# Description

Forward the on_message_delivered event.

# web.hook.rule.message.acked.1

TypeDefault
string{"action": "on_message_acked"}
# Description

Forward the on_message_acked event.