@@ -1727,6 +1727,28 @@ listener.ws.external.nodelay = true
## Value: single | multiple
listener.ws.external.mqtt_piggyback = multiple
+## By default, EMQX web socket connection does not restrict connections to specific origins.
+## It also, by default, does not enforce the presence of origin in request headers for WebSocket connections.
+## Because of this, a malicious user could potentially hijack an existing web-socket connection to EMQX.
+
+## To prevent this, users can set allowed origin headers in their ws connection to EMQX.
+## WS configs are set in listener.ws.external.*
+## WSS configs are set in listener.wss.external.*
+
+## Example for WS connection
+## To enables origin check in header for websocket connnection,
+## set `listener.ws.external.check_origin_enable = true`. By default it is false,
+## When it is set to true and no origin is present in the header of a ws connection request, the request fails.
+
+## To allow origins to be absent in header in the websocket connection when check_origin_enable is true,
+## set `listener.ws.external.allow_origin_absence = true`
+
+## Enabling origin check implies there are specific valid origins allowed for ws connection.
+## To set the list of allowed origins in header for websocket connection
+## listener.ws.external.check_origins = http://localhost:18083(localhost dashboard url), http://yourapp.com`
+## check_origins config allows a comma separated list of origins so you can specify as many origins are you want.
+## With these configs, you can allow only connections from only authorized origins to your broker
+
## Enable origin check in header for websocket connection
##
## Value: true | false (default false)
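Review bot: the example value on the `check_origins` line would not parse if a user copied it as written, and several of the new comment lines carry typos. `## listener.ws.external.check_origins = http://localhost:18083(localhost dashboard url), http://yourapp.com`` embeds a parenthetical inside the comma-separated value and ends with an unbalanced backtick; move the explanation out of the value, e.g. `## listener.ws.external.check_origins = http://localhost:18083, http://yourapp.com` with a separate comment line noting that the first entry is the local dashboard URL. Also fix "To enables origin check in header for websocket connnection" (enable, connection), "as many origins are you want" (as you want), and "from only authorized origins" (drop the duplicated "only"), and end "By default it is false," with a period. For consistency with `check_origin_enable`, the `allow_origin_absence` comment should state that option's default as well, since the two settings interact (an absent Origin fails the request only when the first is true and the second is false). Finally, because these comments document a security control, one sentence on its scope would help readers: the Origin header is set by browsers, so `check_origins` mitigates cross-site WebSocket hijacking from web pages but is not a substitute for client authentication, as the header is not something the broker can rely on from non-browser clients.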