EMQX setup with docker

[RongTsai4Git]

直接參考這裡就可以直接架起來了

• 重點

  docker pull emqx/emqx
  docker run -d --name emqx -p 18083:18083 -p 1883:1883 emqx/emqx:latest

• Reference Configuration

[RongTsai4Git]

利用 Postgres 做 auth

• {emqx}/etc/emqx.conf

  ##--------------------------------------------------------------------
  ## Authentication/Access Control
  ##--------------------------------------------------------------------
  ...
  allow_anonymous = false

• {emqx}/etc/bin/emqx_auth_pgsql.conf

  auth.pgsql.server = 192.168.100.58:5432
  auth.pgsql.username = postgres
  auth.pgsql.password = postgres
  auth.pgsql.database = postgres
  auth.pgsql.password_hash = sha256

• Postgres

  
  # Create Auth table
  CREATE TABLE mqtt_user (
  id SERIAL primary key,
  is_superuser boolean,
  username character varying(100),
  password character varying(100),
  salt character varying(40)
  )

Insert Testing user, password -> sha256

device1, Device1qaz2wsx!

device2, Device123456!

INSERT INTO mqtt_user (username, password, salt, is_superuser) VALUES ('device1', '70a17135894291fcf2bf7dd88986cb44583fa8b224c4c9d85c071889a6164127', NULL, false), ('device2', '2490451915aafc6cebdfbe419fb3cc3e9db6bfb35e1f56847e686dae9d4cf5e4', NULL, false);

* emqx_ctl plugins load emqx_auth_pgsql

![image](https://user-images.githubusercontent.com/89722047/151113942-40f5c089-96cb-4f7f-ae40-ed91c5fd718d.png)

* reload acl

emqx_ctl acl reload

* reference
[auth-postgresql](https://www.emqx.io/docs/en/v4.3/advanced/auth-postgresql.html#default-table-structure)

[RongTsai4Git]

設定 ACL, 當 acl no match 時，將client斷線

• {emqx}/etc/emqx.conf

  
  ## if no ACL rules matched -> deny
  acl_nomatch = deny

after deny, do 'disconnect' action

acl_deny_action = disconnect

issue by answer from https://github.com/emqx/emqx/issues/3156#issuecomment-570764888

a higher priority configuration named zone..acl_deny_action, if it be set, emqx will use its value rather than acl_deny_action. You should comment zone..acl_deny_action or set it to disconnect rather than default ignore

zone.internal.acl_deny_action = disconnect zone.external.acl_deny_action = disconnect

[RongTsai4Git]

藉由 postgres 設定 ACL, 來實現限制特定的 username, client id 只能夠 pub, sub 某些 topic 的功能

• {emqx}/etc/acl.conf

  
  ## 這裡的預設值要修改掉，因為會影響到在 postgre 設定的規則
  %% {deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
  ...
  %% {allow, all}.

* postgres

Create acl table

CREATE TABLE mqtt_acl ( id SERIAL primary key, allow integer, ipaddr character varying(60), username character varying(100), clientid character varying(100), access integer, topic character varying(100) )

Insert rule

INSERT INTO mqtt_acl (allow, ipaddr, username, clientid, access, topic) VALUES (1,NULL,'device1',NULL,2,'device/1/telemetry'), (1,NULL,'device2',NULL,1,'device/1/telemetry');

* 不需要重開 emqx !
* reference
[emqx_auth_pgsql](https://github.com/emqx/emqx-auth-pgsql)