In my use case, the broker and all clients will have TLS certificates signed by the same private CA, each with a unique CN field. I am trying to create a setup which will only allow each client certificate to be used for a single broker connection at a time, preferably by shutting down the older connection, but it would also be acceptable if the new connection was refused.
After searching a bit, I found #913 which would appear to say that this cannot be done on a username basis (i.e. with "peer_cert_as_username = cn").
Is there any way my one-connection-per-certificate restriction can be done with the functionality built into EMQX directly? If not, can you please recommend the easiest path to implement this functionality?
Hi, @jbrzozoski The current version does not support to restrict one-connection-per-certificate directly!
We'll discuss whether to implement this feature into the next version! But now you can use the following workaround to resolve it:
auth_req paramsOkay, I see that the %cn parameter was added to emqx_auth_http after v3.0, so I'll have to upgrade.
On my web server, I would rather not keep track of which clients are connected or not. But looking at the EMQX REST API, it provides a way to query active connections based on client ID. So, before authenticating a new connection, my web app should require that the CN matches the client ID and then query the EMQX REST API to see if that particular client ID already has any open connections. Does that sound reasonable?
Is there a way to force the client ID to match the CN? I tried turning on the feature to force the client ID to match the username, but it must be done before the peer_cert_as_username is handled, since the end result was that the final client ID was the username passed from the client and the final username was the CN.
So, before authenticating a new connection, my web app should require that the CN matches the client ID and then query the EMQX REST API to see if that particular client ID already has any open connections. Does that sound reasonable?
Yes! it ok. But It is a better way to update client online state using emqx_web_hook's client.connected/client.disconnected hooks.
Is there a way to force the client ID to match the CN?
Not support
And we have discussed the one-connection-per-certificate feature. Our leader think it belongs to the business layer logic, so we'll not implement this feature in the EMQ X