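Version:
emqx/nanomq:0.24.5-full (Docker)
Problem:
Both my client and the Broker are configured with certificates for mutual authentication. I now need to use HTTP authentication to get the common name from the client certificate, but after configuring it according to the official documentation I did not get it. The nanomq.conf configuration is as follows: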
auth {
    allow_anonymous = false # allow anonymous login
    no_match = allow # default action when no ACL rule matches
    deny_action = ignore # default action when the ACL check denies
    cache = {
        max_size = 32 # maximum number of ACL entries a client can cache
        ttl = 1m # how long cached ACL rules remain valid
    }
    password = {include "/etc/nanomq_pwd.conf"} # path to the password file
    acl = {include "/etc/nanomq_acl.conf"} # path to the ACL configuration file
    timeout = 5s
    connect_timeout = 5s
    pool_size = 32
    http_auth = {
        auth_req {
            url = "http://127.0.0.1:80/mqtt/auth"
            method = post
            headers.content-type = "application/x-www-form-urlencoded"
            params = {clientid = "%c", username = "%u", password = "%P", ipaddress = "%a", certcn = "%C", certsubject = "%d", protocol = "%r", clientport="%p"}
        }
    }
}
# MQTT/SSL listener - 8883
listeners.ssl {
    bind = "0.0.0.0:8883" # bind to port 8883
    key_password = "RtWj32" # password string needed to decrypt the private key file
    keyfile = "/etc/certs/key.key" # path to the key file
    certfile = "/etc/certs/cert.crt" # path to the user certificate file
    cacertfile = "/etc/certs/cacert.crt" # path to the CA certificate file
    verify_peer = true # whether to request a certificate from the client
    fail_if_no_peer_cert = true # whether to reject the connection if the client provides no certificate
}
I did not get %C (the Common Name in the client certificate) and %d (the Subject in the client certificate) as expected. The output was:
{ipaddress=192.168.5.131, password=La@576$Jiao, clientid=mqttx_742f4bfa, username=reaper}
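But the official documentation says (https://nanomq.io/docs/zh/latest/config-description/acl.html#配置项):
All placeholders are replaced with runtime data. The available placeholders are:
%u: username
%c: MQTT Client ID
%a: the client's network IP address
%r: the protocol used by the client; mqtt, mqtt-sn, coap, lwm2m and stomp are supported
%P: password
%p: the server port the client connected to
%C: the Common Name in the client certificate
%d: the Subject in the client certificate
Is this a bug, or is something wrong with my configuration?
To add to this, here are the relevant NanoMQ startup logs: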
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1059 print_auth_http_req: auth_req_method: post
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1061 print_auth_http_req: auth_hearders: content-type: application/x-www-form-urlencoded
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1066 print_auth_http_req: auth_params: clientid: clientid
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1066 print_auth_http_req: auth_params: username: username
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1066 print_auth_http_req: auth_params: password: password
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1066 print_auth_http_req: auth_params: ipaddress: ipaddress
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1066 print_auth_http_req: auth_params: certcn: common_name
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1066 print_auth_http_req: auth_params: certsubject: subject
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1066 print_auth_http_req: auth_params: protocol: protocol
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1066 print_auth_http_req: auth_params: clientport: sockport
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1058 print_auth_http_req: super_req_url: (null)
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1059 print_auth_http_req: super_req_method: (null)
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1058 print_auth_http_req: acl_req_url: (null)
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nng/src/supplemental/nanolib/conf.c:1059 print_auth_http_req: acl_req_method: (null)
dns-nanomq | 2025-11-21 08:38:29 [1] INFO /home/runner/work/nanomq/nanomq/nanomq/apps/broker.c:1566 store_pid: 1
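One way to see on the HTTP side exactly which of the configured params arrive, and to refuse authentication when the certificate fields are absent, as an added example that is not part of the original post or NanoMQ's code. The names inspect_auth_body and AuthHandler are hypothetical, and it assumes the broker treats status 200 as allow and any other status as deny.

```python
# Added example: diagnostic HTTP auth endpoint (not NanoMQ code).
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Keys taken from the params line in the nanomq.conf above.
EXPECTED = ("clientid", "username", "password", "ipaddress",
            "certcn", "certsubject", "protocol", "clientport")
CERT_FIELDS = ("certcn", "certsubject")


def inspect_auth_body(raw: bytes) -> dict:
    """Parse an x-www-form-urlencoded auth body and report what arrived."""
    form = parse_qs(raw.decode("utf-8", "replace"), keep_blank_values=True)
    fields = {k: v[0] for k, v in form.items()}

    def unresolved(key):
        # Absent, empty, or still a literal "%X" placeholder.
        val = fields.get(key, "")
        return val == "" or (len(val) == 2 and val.startswith("%"))

    missing = [k for k in EXPECTED if unresolved(k)]
    # Never write the credential itself to the log.
    shown = {k: ("<redacted>" if k == "password" else v)
             for k, v in fields.items()}
    # Fail closed: without a certificate identity, do not authenticate.
    allow = not any(k in missing for k in CERT_FIELDS)
    return {"fields": shown, "missing": missing, "allow": allow}


class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        result = inspect_auth_body(self.rfile.read(length))
        print(self.path, result)
        # Assumption: 200 means allow, any other status means deny.
        self.send_response(200 if result["allow"] else 403)
        self.end_headers()


if __name__ == "__main__":
    # Port 80 matches the url in the config; binding it needs privileges.
    HTTPServer(("127.0.0.1", 80), AuthHandler).serve_forever()
```

Reading the raw body here separates fields the broker never sent from fields a web framework dropped while binding the form.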