emqx4.3/docs/source/config.rst

.. _configuration:

=============
Configuration
=============

Configuration files of the broker are under 'etc/' folder, including:

+-------------------+-----------------------------------+
| File              | Description                       |
+-------------------+-----------------------------------+
| etc/vm.args       | Erlang VM Arguments               |
+-------------------+-----------------------------------+
| etc/emqttd.config | emqttd broker Config              |
+-------------------+-----------------------------------+
| etc/acl.config    | ACL Config                        |
+-------------------+-----------------------------------+
| etc/clients.config| ClientId Authentication           |
+-------------------+-----------------------------------+
| etc/rewrite.config| Rewrite Rules                     |
+-------------------+-----------------------------------+
| etc/ssl/*         | SSL certificate and key files     |
+-------------------+-----------------------------------+

-----------
etc/vm.args
-----------

Configure and Optimize Erlang VM::

    ##-------------------------------------------------------------------------
    ## Name of the node
    ##-------------------------------------------------------------------------
    -name emqttd@127.0.0.1

    ## Cookie for distributed erlang
    -setcookie emqttdsecretcookie

    ##-------------------------------------------------------------------------
    ## Flags
    ##-------------------------------------------------------------------------

    ## Heartbeat management; auto-restarts VM if it dies or becomes unresponsive
    ## (Disabled by default..use with caution!)
    ##-heart
    -smp true

    ## Enable kernel poll and a few async threads
    +K true

    ## 12 threads/core.
    +A 48

    ## max process numbers
    +P 8192

    ## Sets the maximum number of simultaneously existing ports for this system
    +Q 8192

    ## max atom number
    ## +t

    ## Set the distribution buffer busy limit (dist_buf_busy_limit) in kilobytes.
    ## Valid range is 1-2097151. Default is 1024.
    ## +zdbbl 8192

    ## CPU Schedulers
    ## +sbt db

    ##-------------------------------------------------------------------------
    ## Env
    ##-------------------------------------------------------------------------

    ## Increase number of concurrent ports/sockets, deprecated in R17
    -env ERL_MAX_PORTS 8192

    -env ERTS_MAX_PORTS 8192

    -env ERL_MAX_ETS_TABLES 1024

    ## Tweak GC to run more often
    -env ERL_FULLSWEEP_AFTER 1000

The two most important parameters in etc/vm.args:

+-------+---------------------------------------------------------------------------+
| +P    | Max number of Erlang proccesses. A MQTT client consumes two proccesses.   |
|       | The value should be larger than max_clients * 2                           | 
+-------+---------------------------------------------------------------------------+
| +Q    | Max number of Erlang Ports. A MQTT client consumes one port.              |
|       | The value should be larger than max_clients.                              |
+-------+---------------------------------------------------------------------------+

The name and cookie of Erlang Node should be configured when clustering::

    -name emqttd@host_or_ip

    ## Cookie for distributed erlang
    -setcookie emqttdsecretcookie

-----------------
etc/emqttd.config
-----------------

This is the main emqttd broker configuration file.

File Syntax
-----------

The file users the standard Erlang config syntax, consists of a list of erlang applications and their environments.

.. code:: erlang

    [{kernel, [
        {start_timer, true},
        {start_pg2, true}
     ]},
     {sasl, [
        {sasl_error_logger, {file, "log/emqttd_sasl.log"}}
     ]},

     ...

     {emqttd, [
        ...
     ]}
    ].

The file adopts Erlang Term Syntax:

1. [ ]: List, seperated by comma
2. { }: Tuple, Usually {Env, Value}
3. %  : comment

Log Level and File
------------------

Logger of emqttd broker is implemented by 'lager' application::

  {lager, [
    ...
  ]},

Configure log handlers::

    {handlers, [
        {lager_console_backend, info},

        {lager_file_backend, [
            {formatter_config, [time, " ", pid, " [",severity,"] ", message, "\n"]},
            {file, "log/emqttd_info.log"},
            {level, info},
            {size, 104857600},
            {date, "$D0"},
            {count, 30}
        ]},

        {lager_file_backend, [
            {formatter_config, [time, " ", pid, " [",severity,"] ", message, "\n"]},
            {file, "log/emqttd_error.log"},
            {level, error},
            {size, 104857600},
            {date, "$D0"},
            {count, 30}
        ]}
    ]}

emqttd Application
------------------

The MQTT broker is implemented by erlang 'emqttd' application::

 {emqttd, [
    %% Authentication and Authorization
    {access, [
        ...
    ]},
    %% MQTT Protocol Options
    {mqtt, [
        ...
    ]},
    %% Broker Options
    {broker, [
        ...
    ]},
    %% Modules
    {modules, [
        ...
    ]},
    %% Plugins
    {plugins, [
        ...
    ]},

    %% Listeners
    {listeners, [
        ...
    ]},

    %% Erlang System Monitor
    {sysmon, [
    ]}
 ]}

Pluggable Authentication
------------------------

The emqttd broker supports pluggable authentication mechanism with a list of modules and plugins.

The broker provides Username, ClientId, LDAP and anonymous authentication modules by default::

    %% Authetication. Anonymous Default
    {auth, [
        %% Authentication with username, password
        %% Add users: ./bin/emqttd_ctl users add Username Password
        %% {username, [{"test", "public"}]},
        
        %% Authentication with clientid
        % {clientid, [{password, no}, {file, "etc/clients.config"}]},

        %% Authentication with LDAP
        % {ldap, [
        %    {servers, ["localhost"]},
        %    {port, 389},
        %    {timeout, 30},
        %    {user_dn, "uid=$u,ou=People,dc=example,dc=com"},
        %    {ssl, fasle},
        %    {sslopts, [
        %        {"certfile", "ssl.crt"},
        %        {"keyfile", "ssl.key"}]}
        % ]},

        %% Allow all
        {anonymous, []}
    ]},

The modules enabled at the same time compose an authentication chain:

               ----------------           ----------------           -------------
    Client --> |   Username   | -ignore-> |   ClientID   | -ignore-> | Anonymous |
               ----------------           ----------------           -------------
                      |                         |                         |
                     \|/                       \|/                       \|/
                allow | deny              allow | deny              allow | deny
 
.. NOTE:: There are also MySQL、PostgreSQL、Redis、MongoDB Authentication Plugins.

Username Authentication
.......................

.. code:: erlang

    {username, [{client1, "passwd1"}, {client2, "passwd2"}]},

Two ways to configure users:

1. Configure username and plain password directly::

    {username, [{client1, "passwd1"}, {client2, "passwd2"}]},

2. Add user by './bin/emqttd_ctl users' command::

   $ ./bin/emqttd_ctl users add <Username> <Password>

ClientID Authentication
.......................

.. code:: erlang

    {clientid, [{password, no}, {file, "etc/clients.config"}]},

Configure ClientIDs in etc/clients.config::

    testclientid0
    testclientid1 127.0.0.1
    testclientid2 192.168.0.1/24

LDAP Authentication
...................

.. code:: erlang

    {ldap, [
       {servers, ["localhost"]},
       {port, 389},
       {timeout, 30},
       {user_dn, "uid=$u,ou=People,dc=example,dc=com"},
       {ssl, fasle},
       {sslopts, [
           {"certfile", "ssl.crt"},
           {"keyfile", "ssl.key"}]}
    ]},


Anonymous Authentication
........................

Allow any client to connect to the broker::

    {anonymous, []}


ACL
---

Enable the default ACL module::

    {acl, [
        %% Internal ACL module
        {internal,  [{file, "etc/acl.config"}, {nomatch, allow}]}
    ]}

MQTT Packet and ClientID
------------------------

.. code::

    {packet, [

        %% Max ClientId Length Allowed
        {max_clientid_len, 1024},

        %% Max Packet Size Allowed, 64K default
        {max_packet_size,  65536}
    ]},

MQTT Client Idle Timeout
------------------------

.. code::

    {client, [
        %% Socket is connected, but no 'CONNECT' packet received
        {idle_timeout, 10}
    ]},

MQTT Session
------------

.. code::

    {session, [
        %% Max number of QoS 1 and 2 messages that can be “in flight” at one time.
        %% 0 means no limit
        {max_inflight, 100},

        %% Retry interval for unacked QoS1/2 messages.
        {unack_retry_interval, 20},

        %% Awaiting PUBREL Timeout
        {await_rel_timeout, 20},

        %% Max Packets that Awaiting PUBREL, 0 means no limit
        {max_awaiting_rel, 0},

        %% Interval of Statistics Collection(seconds)
        {collect_interval, 20},

        %% Expired after 2 days
        {expired_after, 48}

    ]},

Session parameters:

+----------------------+----------------------------------------------------------+
| max_inflight         | Max number of QoS1/2 messages that can be delivered in   |
|                      | the same time                                            |
+----------------------+----------------------------------------------------------+
| unack_retry_interval | Retry interval for unacked QoS1/2 messages.              |
+----------------------+----------------------------------------------------------+
| await_rel_timeout    | Awaiting PUBREL Timeout                                  |
+----------------------+----------------------------------------------------------+
| max_awaiting_rel     | Max number of Packets that Awaiting PUBREL               |
+----------------------+----------------------------------------------------------+
| collect_interval     | Interval of Statistics Collection                        |
+----------------------+----------------------------------------------------------+
| expired_after        | Expired after                                            |
+----------------------+----------------------------------------------------------+

MQTT Message Queue
------------------

The message queue of session stores:

1. Offline messages for persistent session.

2. Pending messages for inflight window is full

Queue parameters::

    {queue, [
        %% simple | priority
        {type, simple},

        %% Topic Priority: 0~255, Default is 0
        %% {priority, [{"topic/1", 10}, {"topic/2", 8}]},

        %% Max queue length. Enqueued messages when persistent client disconnected,
        %% or inflight window is full.
        {max_length, infinity},

        %% Low-water mark of queued messages
        {low_watermark, 0.2},

        %% High-water mark of queued messages
        {high_watermark, 0.6},

        %% Queue Qos0 messages?
        {queue_qos0, true}
    ]}

+----------------------+---------------------------------------------------+
| type                 | Queue type: simple or priority                    |
+----------------------+---------------------------------------------------+
| priority             | Topic priority                                    |
+----------------------+---------------------------------------------------+
| max_length           | Max Queue size, infinity means no limit           |
+----------------------+---------------------------------------------------+
| low_watermark        | Low watermark                                     |
+----------------------+---------------------------------------------------+
| high_watermark       | High watermark                                    |
+----------------------+---------------------------------------------------+
| queue_qos0           | If Qos0 message queued?                           |
+----------------------+---------------------------------------------------+

Sys Interval of Broker
-----------------------

.. code::

    %% System interval of publishing $SYS messages
    {sys_interval, 60},

Retained messages
-----------------

.. code::

    {retained, [
        %% Expired after seconds, never expired if 0
        {expired_after, 0},

        %% Maximum number of retained messages
        {max_message_num, 100000},

        %% Max Payload Size of retained message
        {max_playload_size, 65536}
    ]},

PubSub and Router
-----------------

.. code:: erlang

    {pubsub, [
        %% PubSub Pool
        {pool_size, 8},
        
        %% Subscription: true | false
        {subscription, true},

        %% Route aging time(seconds)
        {route_aging, 5}
    ]},

Bridge Parameters
-----------------

.. code:: erlang

    {bridge, [
        %% Bridge Queue Size
        {max_queue_len, 10000},

        %% Ping Interval of bridge node
        {ping_down_interval, 1}
    ]}


Enable Modules
--------------

'presence' module will publish presence message to $SYS topic when a client connected or disconnected::

        {presence, [{qos, 0}]},

'subscription' module forces the client to subscribe some topics when connected to the broker::

        %% Subscribe topics automatically when client connected
        {subscription, [
            %% Subscription from stored table
            stored,

            %% $u will be replaced with username
            {"$Q/username/$u", 1},

            %% $c will be replaced with clientid
            {"$Q/client/$c", 1}
        ]}

'rewrite' module supports to rewrite the topic path::

        %% Rewrite rules
        {rewrite, [{file, "etc/rewrite.config"}]}

Plugins Folder
--------------

.. code:: erlang

    {plugins, [
        %% Plugin App Library Dir
        {plugins_dir, "./plugins"},

        %% File to store loaded plugin names.
        {loaded_file, "./data/loaded_plugins"}
    ]},


TCP Listeners
-------------

Congfigure the TCP listeners for MQTT, MQTT(SSL) and HTTP Protocols.

The most important parameter is 'max_clients' - max concurrent clients allowed.

The TCP Ports occupied by emqttd broker by default:

+-----------+-----------------------------------+
| 1883      | MQTT Port                         |
+-----------+-----------------------------------+
| 8883      | MQTT(SSL) Port                    |
+-----------+-----------------------------------+
| 8083      | MQTT(WebSocket), HTTP API Port    |
+-----------+-----------------------------------+

.. code:: erlang

    {listeners, [

        {mqtt, 1883, [
            %% Size of acceptor pool
            {acceptors, 16},

            %% Maximum number of concurrent clients
            {max_clients, 8192},

            %% Socket Access Control
            {access, [{allow, all}]},

            %% Connection Options
            {connopts, [
                %% Rate Limit. Format is 'burst, rate', Unit is KB/Sec
                %% {rate_limit, "100,10"} %% 100K burst, 10K rate
            ]},

            %% Socket Options
            {sockopts, [
                %Set buffer if hight thoughtput
                %{recbuf, 4096},
                %{sndbuf, 4096},
                %{buffer, 4096},
                %{nodelay, true},
                {backlog, 1024}
            ]}
        ]},

        {mqtts, 8883, [
            %% Size of acceptor pool
            {acceptors, 4},

            %% Maximum number of concurrent clients
            {max_clients, 512},

            %% Socket Access Control
            {access, [{allow, all}]},

            %% SSL certificate and key files
            {ssl, [{certfile, "etc/ssl/ssl.crt"},
                   {keyfile,  "etc/ssl/ssl.key"}]},

            %% Socket Options
            {sockopts, [
                {backlog, 1024}
                %{buffer, 4096},
            ]}
        ]},
        %% WebSocket over HTTPS Listener
        %% {https, 8083, [
        %%  %% Size of acceptor pool
        %%  {acceptors, 4},
        %%  %% Maximum number of concurrent clients
        %%  {max_clients, 512},
        %%  %% Socket Access Control
        %%  {access, [{allow, all}]},
        %%  %% SSL certificate and key files
        %%  {ssl, [{certfile, "etc/ssl/ssl.crt"},
        %%         {keyfile,  "etc/ssl/ssl.key"}]},
        %%  %% Socket Options
        %%  {sockopts, [
        %%      %{buffer, 4096},
        %%      {backlog, 1024}
        %%  ]}
        %%]},

        %% HTTP and WebSocket Listener
        {http, 8083, [
            %% Size of acceptor pool
            {acceptors, 4},
            %% Maximum number of concurrent clients
            {max_clients, 64},
            %% Socket Access Control
            {access, [{allow, all}]},
            %% Socket Options
            {sockopts, [
                {backlog, 1024}
                %{buffer, 4096},
            ]}
        ]}
    ]},

Listener Parameters:

+-------------+----------------------------------------------------------------+
| acceptors   | TCP Acceptor Pool                                              |
+-------------+----------------------------------------------------------------+
| max_clients | Maximum number of concurrent TCP connections allowed           |
+-------------+----------------------------------------------------------------+
| access      | Access Control by IP, for example: [{allow, "192.168.1.0/24"}] |
+-------------+----------------------------------------------------------------+
| connopts    | Rate Limit Control, for example: {rate_limit, "100,10"}        |
+-------------+----------------------------------------------------------------+
| sockopts    | TCP Socket parameters                                          |
+-------------+----------------------------------------------------------------+

.. _config_acl:

--------------
etc/acl.config
--------------

The 'etc/acl.config' is the default ACL config for emqttd broker. The rules by default::

    %% Allow 'dashboard' to subscribe '$SYS/#'
    {allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}.

    %% Allow clients from localhost to subscribe any topics
    {allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}.

    %% Deny clients to subscribe '$SYS#' and '#'
    {deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.

    %% Allow all by default
    {allow, all}.

An ACL rule is an Erlang tuple. The Access control module of emqttd broker matches the rule one by one from top to bottom::

              ---------              ---------              ---------   
    Client -> | Rule1 | --nomatch--> | Rule2 | --nomatch--> | Rule3 | --> Default
              ---------              ---------              ---------
                  |                      |                      |
                match                  match                  match
                 \|/                    \|/                    \|/
            allow | deny           allow | deny           allow | deny
                
.. _config_rewrite:

------------------
etc/clients.config
------------------

Enable ClientId Authentication in 'etc/emqttd.config'::

    {auth, [
        %% Authentication with clientid
        {clientid, [{password, no}, {file, "etc/clients.config"}]}
    ]},

Configure all allowed ClientIDs, IP Addresses in etc/clients.config::

    testclientid0
    testclientid1 127.0.0.1
    testclientid2 192.168.0.1/24

------------------
etc/rewrite.config
------------------

The Rewrite Rules for emqttd_mod_rewrite::

    {topic, "x/#", [
        {rewrite, "^x/y/(.+)$", "z/y/$1"},
        {rewrite, "^x/(.+)$", "y/$1"}
    ]}.

    {topic, "y/+/z/#", [
        {rewrite, "^y/(.+)/z/(.+)$", "y/z/$2"}
    ]}.