docs: add default security improvements #94
Open: id wants to merge 1 commit into main from 20250603-default-security-improvements
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,102 @@ | ||
| # Default security improvements | ||
|
|
||
| ## Changelog | ||
|
|
||
| * 2025-06-30: @id Initial draft | ||
|
|
||
| ## Abstract | ||
|
|
||
| This EIP proposes to improve the default security of EMQX. | ||
|
|
||
| ## Motivation | ||
|
|
||
| The default security settings of EMQX can be improved to follow best practices and enhance the security of out-of-the-box installations. | ||
|
|
||
| ## Design | ||
|
|
||
| 1. Bind the Dashboard’s listener to 127.0.0.1 by default. | ||
|
|
||
| 2. Bind MQTT and Websocket listeners to 127.0.0.1 by default. | ||
|
|
||
| 3. Provision self-hosted certificates on startup. | ||
| - Generate self-signed certificates for the Dashboard and MQTT/Websocket listeners. | ||
| - Use these certificates to secure the connections by default. | ||
| - Enable HTTPS on Dashboard listener by default. | ||
|
|
||
| 4. Add built-in support for Let's Encrypt certificates and ACME protocol in general. | ||
|
|
||
| 5. Change default ACL "no match" action to `deny` by default. | ||
|
|
||
| 6. Change default password `public` to empty string in config schema | ||
|
|
||
| Do not allow login for admin user if its password is `""`, and return below hint text to dashboard: | ||
|
|
||
| ``` | ||
| * Run command to change admin password: emqx ctl admins passwd admin a-very-string-pasword | ||
| * Configure dashboard.default_password="a-very-string-password" | ||
| ``` | ||
|
|
||
| ## Configuration Changes | ||
|
|
||
| Default emqx.conf changes: | ||
|
|
||
| ``` | ||
| listeners { | ||
| ssl { | ||
| default { | ||
| bind = "127.0.0.1:8883" | ||
| } | ||
| } | ||
| tcp { | ||
| default { | ||
| bind = "127.0.0.1:1883" | ||
| } | ||
| } | ||
| ws { | ||
| default { | ||
| bind = "127.0.0.1:8083" | ||
| } | ||
| } | ||
| wss { | ||
| default { | ||
| bind = "127.0.0.1:8084" | ||
| } | ||
| } | ||
| } | ||
| dashboard { | ||
| default_password = "" | ||
| listeners { | ||
| https { | ||
| bind = "127.0.0.1:18083" | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| Default acl.conf changes: | ||
|
|
||
| ``` | ||
| %%-------------- Default ACL rules ------------------------------------------------------- | ||
| {allow, {username, {re, "^dashboard$"}}, subscribe, ["$SYS/#"]}. | ||
| {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}. | ||
| {deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}. | ||
| {deny, all}. | ||
| ``` | ||
|
|
||
| ## Backwards Compatibility | ||
|
|
||
| No backwards compatibility issues are expected with these changes. The new defaults will not affect existing configurations unless they are explicitly changed to match the new defaults. | ||
|
|
||
| ## Document Changes | ||
|
|
||
| TODO | ||
|
|
||
| ## Testing Suggestions | ||
|
|
||
| Test the new defaults in a fresh EMQX installation to ensure that: | ||
| - The Dashboard is accessible only from localhost. | ||
| - MQTT and Websocket connections are only allowed from localhost. | ||
| - Self-signed certificates are generated and used for secure connections. | ||
| - Let's Encrypt certificates can be provisioned and used. | ||
| - The ACL rules deny all unmatched actions by default. | ||
|
|
||
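Review bot: The Backwards Compatibility section says no issues are expected, but every item under Design changes a default, so a deployment that relies on the current defaults rather than setting `bind`, the ACL no-match action or `dashboard.default_password` explicitly would presumably pick up the new values on upgrade (listeners on 127.0.0.1 only, unmatched ACL requests denied, admin login refused until a password is set). Please state whether the new defaults apply to fresh installs only or also to upgrades, and describe the migration path for the second case. In the acl.conf block, `{allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.` comes before `{deny, all}.`; with every listener bound to loopback, clients that can connect will normally match that allow rule, so the deny-by-default of item 5 has little effect in the shipped configuration, and the document should either say so or narrow the rule. The emqx.conf block also shows no setting for the "no match" action that item 5 describes. Smaller points: item 3 is titled "self-hosted certificates" while its bullets say "self-signed"; the hint text in item 6 spells the sample password two ways (`a-very-string-pasword` and `a-very-string-password`); and Testing Suggestions has no case for item 6 (login refused while the admin password is empty).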
Binding to loopback is not going to help a lot in docker deployments (most common pattern for non-production, experimental deployment) due to port forwarding.
Maybe focus on authn/authz defaults.