{"id":17526526,"url":"https://github.com/absmach/mgate","last_synced_at":"2025-10-07T15:55:44.709Z","repository":{"id":46582350,"uuid":"231700255","full_name":"absmach/mgate","owner":"absmach","description":"mGate is a policy-enforcement multi-protocol proxy","archived":false,"fork":false,"pushed_at":"2025-10-03T18:09:43.000Z","size":966,"stargazers_count":93,"open_issues_count":15,"forks_count":28,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-10-03T20:19:52.469Z","etag":null,"topics":["authorization","mqtt","mqtt-broker","mqtt-protocol","proxy"],"latest_commit_sha":null,"homepage":"https://abstractmachines.fr/magistrala.html","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/absmach.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-01-04T03:00:17.000Z","updated_at":"2025-10-03T18:09:44.000Z","dependencies_parsed_at":"2022-09-01T02:32:34.768Z","dependency_job_id":"71b32d0a-8887-4737-b7b1-a3ad09fd68f6","html_url":"https://github.com/absmach/mgate","commit_stats":null,"previous_names":["absmach/mgate"],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/absmach/mgate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/absmach%2Fmgate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/absmach%2Fmgate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/absmach%2Fmgate/releases","manifests_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/absmach%2Fmgate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/absmach","download_url":"https://codeload.github.com/absmach/mgate/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/absmach%2Fmgate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278802799,"owners_count":26048566,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","mqtt","mqtt-broker","mqtt-protocol","proxy"],"created_at":"2024-10-20T15:01:55.594Z","updated_at":"2025-10-07T15:55:44.703Z","avatar_url":"https://github.com/absmach.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# mGate\n\n![Go Report Card][grc]\n[![License][LIC-BADGE]][LIC]\n\nmGate is a lightweight, scalable, and customizable IoT API gateway designed to support seamless communication across multiple protocols. It enables real-time packet manipulation, features pluggable authentication mechanisms, and offers observability for monitoring and troubleshooting. 
Built for flexibility, mGate can be deployed as a sidecar or standalone service and can also function as a library for easy integration into applications.\n\nThe extensible nature of mGate allows developers to customize it to fit various IoT ecosystems, ensuring optimal performance and security.\n\n## Key Features\n\nSome of the key features of mGate include multi-protocol support, real-time packet manipulation, pluggable authentication, observability, and scalability, all while being lightweight, customizable, and easily deployable as a sidecar or standalone service.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"docs/img/mgate-features.png\"\u003e\u003c/p\u003e\n\n### Multi-Protocol Support\n\nmGate is built to interface with a wide range of IoT protocols, including:\n\n- MQTT\n- CoAP\n- HTTP\n- WebSocket\n- Easily extendable to support additional protocols.\n\n### On-the-Fly Packet Manipulation\n\nAllows real-time packet transformation and processing.\nCustom logic or package interceptors can be injected for modifying incoming and outgoing messages.\n\n### Authentication and Authorization\n\nPluggable authentication system supporting different providers like OAuth, JWT, API Keys, and more.\nAccess Control for fine-grained resource authorization.\nEasily replaceable auth modules for integration with custom or enterprise identity systems.\n\n### Observability\n\nProvides real-time metrics for monitoring system health and performance.\nOffers logging and tracing to facilitate troubleshooting and optimization, with options to integrate with Prometheus, Grafana, and OpenTelemetry for detailed tracing and visualization.\n\n### Scalable Architecture\n\nmGate is designed to scale horizontally, ensuring it can handle high-throughput environments.\n\n### Pluggable and Extensible\n\nCore components are modular, making it easy to plug in custom modules or replace existing ones.\nExtendable to add new IoT protocols, middleware, and features as needed.\n\n### 
Customizable\n\nHighly configurable, allowing adjustment of protocol-specific behaviors, observability, and performance optimizations.\nMinimal configuration is required for default deployment but supports deep customization.\n\n### Lightweight\n\nBuilt with the Go programming language, it is optimized for low resource usage, making it suitable for both high-performance data centers and resource-constrained IoT edge devices.\n\n### Deployment Flexibility\n\nCan be deployed as a sidecar to enhance existing microservices or as a standalone service for direct IoT device interaction.\nAvailable as a library for integration into existing applications.\n\n## Usage\n\n```bash\ngit clone https://github.com/absmach/mgate.git\ncd mgate\nmake\n./build/mgate\n```\n\n## Architecture\n\nmGate starts protocol servers, offering connections to devices. Upon connection, it establishes a session with a remote protocol server. It then pipes packets from devices to the protocol server, inspecting or modifying them as they flow through the proxy.\n\nHere is the flow in more detail:\n\n- The Device connects to mGate's server\n- mGate accepts the inbound (IN) connection and establishes a new session with the remote server (e.g. it dials out to the MQTT broker only once it accepts a new connection from a device. This way one device-mGate connection corresponds to one mGate-MQTT broker connection.)\n- mGate then spawns 2 goroutines: one that reads incoming packets from the device-mGate socket (INBOUND or UPLINK), inspects them (calling event handlers) and writes them to the mGate-server socket (forwarding them towards the server), and another that reads server responses from the mGate-server socket and writes them towards the device, on the device-mGate socket (OUTBOUND or DOWNLINK).\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"docs/img/mgate.png\"\u003e\u003c/p\u003e\n\nmGate can parse and understand protocol packages, and upon their detection, it calls external event handlers. 
Event handlers should implement the following interface defined in [pkg/mqtt/events.go](pkg/mqtt/events.go):\n\n```go\n// Handler is an interface for mGate hooks\ntype Handler interface {\n    // Authorization on client `CONNECT`\n    // Each of the params are passed by reference, so that it can be changed\n    AuthConnect(ctx context.Context) error\n\n    // Authorization on client `PUBLISH`\n    // Topic is passed by reference, so that it can be modified\n    AuthPublish(ctx context.Context, topic *string, payload *[]byte) error\n\n    // Authorization on client `SUBSCRIBE`\n    // Topics are passed by reference, so that they can be modified\n    AuthSubscribe(ctx context.Context, topics *[]string) error\n\n    // After client successfully connected\n    Connect(ctx context.Context)\n\n    // After client successfully published\n    Publish(ctx context.Context, topic *string, payload *[]byte)\n\n    // After client successfully subscribed\n    Subscribe(ctx context.Context, topics *[]string)\n\n    // After client unsubscribed\n    Unsubscribe(ctx context.Context, topics *[]string)\n\n    // Disconnect on connection with client lost\n    Disconnect(ctx context.Context)\n}\n```\n\nThe Handler interface is inspired by MQTT protocol control packets; if the underlying protocol does not support some of these actions, the implementation can simply omit them. An example implementation is given [here](examples/simple/simple.go), along with its [`main()` function](cmd/main.go).\n\n## Deployment\n\nTo explain the deployment process, an MQTT broker will be used as an example, given that MQTT is one of the most widely used and feature-rich protocols. mGate does not do load balancing - just pure and simple proxying with TLS termination. 
This is why it should be deployed right in front of its corresponding MQTT broker instance: one mGate for each MQTT broker instance in the MQTT cluster.\n\nUsually, this is done by deploying mGate as a sidecar in the same Kubernetes pod alongside the MQTT broker instance (MQTT cluster node).\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"docs/img/mgate-cluster.png\"\u003e\u003c/p\u003e\n\nLoad-balancing tasks can be offloaded to a standard ingress proxy - for example, NGINX.\n\n## Example Setup \u0026 Testing of mGate\n\n### Requirements\n\n- Golang\n- Mosquitto MQTT Server\n- Mosquitto Publisher and Subscriber Client\n- coap-client or Magistrala coap-cli\n\n### Example Setup of mGate\n\nmGate is used to proxy requests to a backend server. For the example setup, we will use the Mosquitto server as the backend for MQTT and MQTT over WebSocket, and an HTTP echo server for HTTP.\n\n1. Start the Mosquitto MQTT Server with the following command. This bash script will initiate the Mosquitto MQTT server with WebSocket support. The Mosquitto Server will listen for MQTT connections on port 1883 and MQTT over WebSocket connections on port 8000.\n\n   ```bash\n   examples/server/mosquitto/server.sh\n   ```\n\n2. Start the HTTP Echo Server:\n\n   ```bash\n   go run examples/server/http-echo/main.go\n   ```\n\n3. Start the OCSP/CRL Mock responder:\n\n   ```bash\n   go run examples/ocsp-crl-responder/main.go\n   ```\n\n4. 
Start the example mGate servers for various protocols:\n\n   ```bash\n   go run cmd/main.go\n   ```\n\n   The `cmd/main.go` Go program initializes mGate servers for the following protocols:\n\n   - mGate server for `MQTT` protocol `without TLS` on port `1884`\n   - mGate server for `MQTT` protocol `with TLS` on port `8883`\n   - mGate server for `MQTT` protocol `with mTLS` on port `8884`\n   - mGate server for `MQTT over WebSocket without TLS` on port `8083`\n   - mGate server for `MQTT over WebSocket with TLS` on port `8084`\n   - mGate server for `MQTT over WebSocket with mTLS` on port `8085` with prefix path `/mqtt`\n   - mGate server for `HTTP protocol without TLS` on port `8086` with prefix path `/messages`\n   - mGate server for `HTTP protocol with TLS` on port `8087` with prefix path `/messages`\n   - mGate server for `HTTP protocol with mTLS` on port `8088` with prefix path `/messages`\n   - mGate server for `CoAP protocol without DTLS` on port `5682`\n   - mGate server for `CoAP protocol with DTLS` on port `5684`\n\n### Example testing of mGate\n\n#### Test mGate server for MQTT protocols\n\nThe Bash scripts in the `examples/client/mqtt` directory help to test the mGate servers running for MQTT protocols.\n\n- Script to test mGate server running at port 1884 for MQTT without TLS\n\n  ```bash\n  examples/client/mqtt/without_tls.sh\n  ```\n\n- Script to test mGate server running at port 8883 for MQTT with TLS\n\n  ```bash\n  examples/client/mqtt/with_tls.sh\n  ```\n\n- Script to test mGate server running at port 8884 for MQTT with mTLS\n\n  ```bash\n  examples/client/mqtt/with_mtls.sh\n  ```\n\n#### Test mGate server for MQTT over WebSocket protocols\n\nThe Go programs at `examples/client/websocket/*/main.go` help to test the mGate servers running for MQTT over WebSocket protocols.\n\n- Go program to test mGate server running at port 8083 for MQTT over WebSocket without TLS\n\n  ```bash\n  go run 
examples/client/websocket/without_tls/main.go\n  ```\n\n- Go program to test mGate server running at port 8084 for MQTT over WebSocket with TLS\n\n  ```bash\n  go run examples/client/websocket/with_tls/main.go\n  ```\n\n- Go program to test mGate server running at port 8085 for MQTT over WebSocket with mTLS\n\n  ```bash\n  go run examples/client/websocket/with_mtls/main.go\n  ```\n\n#### Test mGate server for HTTP protocols\n\nThe Bash scripts in the `examples/client/http` directory help to test the mGate servers running for HTTP protocols.\n\n- Script to test mGate server running at port 8086 for HTTP without TLS\n\n  ```bash\n  examples/client/http/without_tls.sh\n  ```\n\n- Script to test mGate server running at port 8087 for HTTP with TLS\n\n  ```bash\n  examples/client/http/with_tls.sh\n  ```\n\n- Script to test mGate server running at port 8088 for HTTP with mTLS\n\n  ```bash\n  examples/client/http/with_mtls.sh\n  ```\n\n#### Test mGate server for CoAP protocols\n\nThe Bash scripts in the `examples/client/coap` directory help to test the mGate servers running for CoAP protocols. You will need either the [coap-client](https://libcoap.net/doc/reference/4.3.1/man_coap-client.html) or the [Magistrala coap-cli](https://github.com/absmach/coap-cli).\nThe script can be used alongside the simple go-coap server provided at `example/server/coap`.\n\n- Script to test mGate server running at 5682 for CoAP without DTLS\n\n  ```bash\n  examples/client/coap/without_dtls.sh\n  ```\n\n- Script to test mGate server running at 5684 for CoAP with DTLS\n\n  ```bash\n  examples/client/coap/with_dtls.sh\n  ```\n\n## Configuration\n\nThe service is configured using the environment variables presented in the following table. 
Note that any unset variables will be replaced with their default values.\n\n| Variable                                          | Description                                                                                                                          | Default                      |\n| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------- |\n| MGATE_MQTT_WITHOUT_TLS_ADDRESS                    | MQTT without TLS inbound (IN) connection listening address                                                                           | :1884                        |\n| MGATE_MQTT_WITHOUT_TLS_TARGET                     | MQTT without TLS outbound (OUT) connection address                                                                                   | localhost:1883               |\n| MGATE_MQTT_WITH_TLS_ADDRESS                       | MQTT with TLS inbound (IN) connection listening address                                                                              | :8883                        |\n| MGATE_MQTT_WITH_TLS_TARGET                        | MQTT with TLS outbound (OUT) connection address                                                                                      | localhost:1883               |\n| MGATE_MQTT_WITH_TLS_CERT_FILE                     | MQTT with TLS certificate file path                                                                                                  | ssl/certs/server.crt         |\n| MGATE_MQTT_WITH_TLS_KEY_FILE                      | MQTT with TLS key file path                                                                                                          | ssl/certs/server.key         |\n| MGATE_MQTT_WITH_TLS_SERVER_CA_FILE                | MQTT with TLS server CA file path                                                                    
                                | ssl/certs/ca.crt             |\n| MGATE_MQTT_WITH_MTLS_ADDRESS                      | MQTT with mTLS inbound (IN) connection listening address                                                                             | :8884                        |\n| MGATE_MQTT_WITH_MTLS_TARGET                       | MQTT with mTLS outbound (OUT) connection address                                                                                     | localhost:1883               |\n| MGATE_MQTT_WITH_MTLS_CERT_FILE                    | MQTT with mTLS certificate file path                                                                                                 | ssl/certs/server.crt         |\n| MGATE_MQTT_WITH_MTLS_KEY_FILE                     | MQTT with mTLS key file path                                                                                                         | ssl/certs/server.key         |\n| MGATE_MQTT_WITH_MTLS_SERVER_CA_FILE               | MQTT with mTLS server CA file path                                                                                                   | ssl/certs/ca.crt             |\n| MGATE_MQTT_WITH_MTLS_CLIENT_CA_FILE               | MQTT with mTLS client CA file path                                                                                                   | ssl/certs/ca.crt             |\n| MGATE_MQTT_WITH_MTLS_CERT_VERIFICATION_METHODS    | MQTT with mTLS certificate verification methods, if no value or unset then mGate server will not do client validation                | ocsp                         |\n| MGATE_MQTT_WITH_MTLS_OCSP_RESPONDER_URL           | MQTT with mTLS OCSP responder URL, it is used if OCSP responder URL is not available in client certificate AIA                       | \u003chttp://localhost:8080/ocsp\u003e |\n| MGATE_MQTT_WS_WITHOUT_TLS_ADDRESS                 | MQTT over Websocket without TLS inbound (IN) connection listening address                             
                               | :8083                        |\n| MGATE_MQTT_WS_WITHOUT_TLS_TARGET                  | MQTT over Websocket without TLS outbound (OUT) connection address                                                                    | ws://localhost:8000/         |\n| MGATE_MQTT_WS_WITH_TLS_ADDRESS                    | MQTT over Websocket with TLS inbound (IN) connection listening address                                                               | :8084                        |\n| MGATE_MQTT_WS_WITH_TLS_TARGET                     | MQTT over Websocket with TLS outbound (OUT) connection address                                                                       | ws://localhost:8000/         |\n| MGATE_MQTT_WS_WITH_TLS_CERT_FILE                  | MQTT over Websocket with TLS certificate file path                                                                                   | ssl/certs/server.crt         |\n| MGATE_MQTT_WS_WITH_TLS_KEY_FILE                   | MQTT over Websocket with TLS key file path                                                                                           | ssl/certs/server.key         |\n| MGATE_MQTT_WS_WITH_TLS_SERVER_CA_FILE             | MQTT over Websocket with TLS server CA file path                                                                                     | ssl/certs/ca.crt             |\n| MGATE_MQTT_WS_WITH_MTLS_ADDRESS                   | MQTT over Websocket with mTLS inbound (IN) connection listening address                                                              | :8085                        |\n| MGATE_MQTT_WS_WITH_MTLS_PATH_PREFIX               | MQTT over Websocket with mTLS inbound (IN) connection path                                                                           | /mqtt                        |\n| MGATE_MQTT_WS_WITH_MTLS_TARGET                    | MQTT over Websocket with mTLS outbound (OUT) connection address                                                  
                    | ws://localhost:8000/         |\n| MGATE_MQTT_WS_WITH_MTLS_CERT_FILE                 | MQTT over Websocket with mTLS certificate file path                                                                                  | ssl/certs/server.crt         |\n| MGATE_MQTT_WS_WITH_MTLS_KEY_FILE                  | MQTT over Websocket with mTLS key file path                                                                                          | ssl/certs/server.key         |\n| MGATE_MQTT_WS_WITH_MTLS_SERVER_CA_FILE            | MQTT over Websocket with mTLS server CA file path                                                                                    | ssl/certs/ca.crt             |\n| MGATE_MQTT_WS_WITH_MTLS_CLIENT_CA_FILE            | MQTT over Websocket with mTLS client CA file path                                                                                    | ssl/certs/ca.crt             |\n| MGATE_MQTT_WS_WITH_MTLS_CERT_VERIFICATION_METHODS | MQTT over Websocket with mTLS certificate verification methods, if no value or unset then mGate server will not do client validation | ocsp                         |\n| MGATE_MQTT_WS_WITH_MTLS_OCSP_RESPONDER_URL        | MQTT over Websocket with mTLS OCSP responder URL, it is used if OCSP responder URL is not available in client certificate AIA        | \u003chttp://localhost:8080/ocsp\u003e |\n| MGATE_HTTP_WITHOUT_TLS_ADDRESS                    | HTTP without TLS inbound (IN) connection listening address                                                                           | :8086                        |\n| MGATE_HTTP_WITHOUT_TLS_PATH_PREFIX                | HTTP without TLS inbound (IN) connection path                                                                                        | /messages                    |\n| MGATE_HTTP_WITHOUT_TLS_TARGET                     | HTTP without TLS outbound (OUT) connection address                                                                
                   | \u003chttp://localhost:8888/\u003e     |\n| MGATE_HTTP_WITH_TLS_ADDRESS                       | HTTP with TLS inbound (IN) connection listening address                                                                              | :8087                        |\n| MGATE_HTTP_WITH_TLS_PATH_PREFIX                   | HTTP with TLS inbound (IN) connection path                                                                                           | /messages                    |\n| MGATE_HTTP_WITH_TLS_TARGET                        | HTTP with TLS outbound (OUT) connection address                                                                                      | \u003chttp://localhost:8888/\u003e     |\n| MGATE_HTTP_WITH_TLS_CERT_FILE                     | HTTP with TLS certificate file path                                                                                                  | ssl/certs/server.crt         |\n| MGATE_HTTP_WITH_TLS_KEY_FILE                      | HTTP with TLS key file path                                                                                                          | ssl/certs/server.key         |\n| MGATE_HTTP_WITH_TLS_SERVER_CA_FILE                | HTTP with TLS server CA file path                                                                                                    | ssl/certs/ca.crt             |\n| MGATE_HTTP_WITH_MTLS_ADDRESS                      | HTTP with mTLS inbound (IN) connection listening address                                                                             | :8088                        |\n| MGATE_HTTP_WITH_MTLS_PATH_PREFIX                  | HTTP with mTLS inbound (IN) connection path                                                                                          | /messages                    |\n| MGATE_HTTP_WITH_MTLS_TARGET                       | HTTP with mTLS outbound (OUT) connection address                                                         
                            | \u003chttp://localhost:8888/\u003e     |\n| MGATE_HTTP_WITH_MTLS_CERT_FILE                    | HTTP with mTLS certificate file path                                                                                                 | ssl/certs/server.crt         |\n| MGATE_HTTP_WITH_MTLS_KEY_FILE                     | HTTP with mTLS key file path                                                                                                         | ssl/certs/server.key         |\n| MGATE_HTTP_WITH_MTLS_SERVER_CA_FILE               | HTTP with mTLS server CA file path                                                                                                   | ssl/certs/ca.crt             |\n| MGATE_HTTP_WITH_MTLS_CLIENT_CA_FILE               | HTTP with mTLS client CA file path                                                                                                   | ssl/certs/ca.crt             |\n| MGATE_HTTP_WITH_MTLS_CERT_VERIFICATION_METHODS    | HTTP with mTLS certificate verification methods, if no value or unset then mGate server will not do client validation                | ocsp                         |\n| MGATE_HTTP_WITH_MTLS_OCSP_RESPONDER_URL           | HTTP with mTLS OCSP responder URL, it is used if OCSP responder URL is not available in client certificate AIA                       | \u003chttp://localhost:8080/ocsp\u003e |\n| MGATE_COAP_WITHOUT_DTLS_HOST                      | CoAP without DTLS inbound (IN) connection listening host                                                                             | localhost                    |\n| MGATE_COAP_WITHOUT_DTLS_PORT                      | CoAP without DTLS inbound (IN) connection listening port                                                                             | 5682                         |\n| MGATE_COAP_WITHOUT_DTLS_TARGET_HOST               | CoAP without DTLS outbound (OUT) connection listening host                                      
                                     | localhost                    |\n| MGATE_COAP_WITHOUT_DTLS_TARGET_PORT               | CoAP without DTLS outbound (OUT) connection listening port                                                                           | 5683                         |\n| MGATE_COAP_WITH_DTLS_HOST                         | CoAP with DTLS inbound (IN) connection listening host                                                                                | localhost                    |\n| MGATE_COAP_WITH_DTLS_PORT                         | CoAP with DTLS inbound (IN) connection listening port                                                                                | 5684                         |\n| MGATE_COAP_WITH_DTLS_TARGET_HOST                  | CoAP with DTLS outbound (OUT) connection listening host                                                                              | localhost                    |\n| MGATE_COAP_WITH_DTLS_TARGET_PORT                  | CoAP with DTLS outbound (OUT) connection listening port                                                                              | 5683                         |\n| MGATE_COAP_WITH_DTLS_CERT_FILE                    | CoAP with DTLS certificate file path                                                                                                 | ssl/certs/server.crt         |\n| MGATE_COAP_WITH_DTLS_KEY_FILE                     | CoAP with DTLS key file path                                                                                                         | ssl/certs/server.key         |\n| MGATE_COAP_WITH_DTLS_SERVER_CA_FILE               | CoAP with DTLS server CA file path                                                                                                   | ssl/certs/ca.crt             |\n\n## mGate Configuration Environment Variables\n\n### Server Configuration Environment Variables\n\n- `ADDRESS` : Specifies the address at which mGate will 
listen. Supports MQTT, MQTT over WebSocket, and HTTP proxy connections.\n- `PATH_PREFIX` : Defines the path prefix when listening for MQTT over WebSocket or HTTP connections.\n- `TARGET` : Specifies the address of the target server, including any prefix path if available. The target server can be an MQTT server, MQTT over WebSocket, or an HTTP server.\n\n### TLS Configuration Environment Variables\n\n- `CERT_FILE` : Path to the TLS certificate file.\n- `KEY_FILE` : Path to the TLS certificate key file.\n- `SERVER_CA_FILE` : Path to the Server CA certificate file.\n- `CLIENT_CA_FILE` : Path to the Client CA certificate file.\n- `CERT_VERIFICATION_METHODS` : Methods for validating certificates. Accepted values are `ocsp` or `crl`.\n  For the `ocsp` value, the `tls.Config` attempts to retrieve the OCSP responder/server URL from the Authority Information Access (AIA) section of the client certificate. If the client certificate lacks an OCSP responder URL or if an alternative URL is preferred, you can override it using the environmental variable `OCSP_RESPONDER_URL`.  \n  For the `crl` value, the `tls.Config` attempts to obtain the Certificate Revocation List (CRL) file from the CRL Distribution Point section in the client certificate. If the client certificate lacks a CRL distribution point section, or if you prefer to override it, you can use the environmental variables `CRL_DISTRIBUTION_POINTS` and `CRL_DISTRIBUTION_POINTS_ISSUER_CERT_FILE`. If no CRL distribution point server is available, you can specify an offline CRL file using the environmental variables `OFFLINE_CRL_FILE` and `OFFLINE_CRL_ISSUER_CERT_FILE`.\n\n#### OCSP Configuration Environment Variables\n\n- `OCSP_DEPTH` : Depth of client certificate verification in the OCSP method. 
The default value is 0, meaning there is no limit, and all certificates are verified.\n- `OCSP_RESPONDER_URL` : Override value for the OCSP responder URL present in the Authority Information Access (AIA) section of the client certificate. If left empty, it expects the OCSP responder URL from the AIA section of the client certificate.\n\n#### CRL Configuration Environment Variables\n\n- `CRL_DEPTH`: Depth of client certificate verification in the CRL method. The default value is 1, meaning only the leaf certificate is verified.\n- `CRL_DISTRIBUTION_POINTS` : Override for the CRL Distribution Point value present in the certificate's CRL Distribution Point section.\n- `CRL_DISTRIBUTION_POINTS_ISSUER_CERT_FILE` : Path to the issuer certificate file for verifying the CRL retrieved from `CRL_DISTRIBUTION_POINTS`.\n- `OFFLINE_CRL_FILE` : Path to the offline CRL file, which can be used if the CRL Distribution point is not available in either the environmental variable or the certificate's CRL Distribution Point section.\n- `OFFLINE_CRL_ISSUER_CERT_FILE` : Location of the issuer certificate file for verifying the offline CRL file specified in `OFFLINE_CRL_FILE`.\n\n## Adding Prefix to Environmental Variables\n\nmGate relies on the [caarlos0/env](https://github.com/caarlos0/env) package to load environmental variables into its [configuration](https://github.com/arvindh123/mgate/blob/main/config.go#L15).\nYou can control how these variables are loaded by passing `env.Options` to the `config.EnvParse` function.\n\nTo add a prefix to environmental variables, use `env.Options{Prefix: \"MGATE_\"}` from the [caarlos0/env](https://github.com/caarlos0/env) package. 
For example:\n\n```go\npackage main\n\nimport (\n  \"fmt\"\n\n  \"github.com/absmach/mgate\"\n  \"github.com/caarlos0/env/v11\"\n)\n\nfunc main() {\n    // Load every MGATE_-prefixed environment variable into the config.\n    mqttConfig := mgate.Config{}\n    if err := mqttConfig.EnvParse(env.Options{Prefix: \"MGATE_\"}); err != nil {\n        panic(err)\n    }\n    fmt.Printf(\"%+v\\n\", mqttConfig)\n}\n```\n\nIn the above snippet, `mqttConfig.EnvParse` expects all environmental variables to carry the prefix `MGATE_`.\nFor instance:\n\n- MGATE_ADDRESS\n- MGATE_PATH_PREFIX\n- MGATE_TARGET\n- MGATE_CERT_FILE\n- MGATE_KEY_FILE\n- MGATE_SERVER_CA_FILE\n- MGATE_CLIENT_CA_FILE\n- MGATE_CERT_VERIFICATION_METHODS\n- MGATE_OCSP_DEPTH\n- MGATE_OCSP_RESPONDER_URL\n- MGATE_CRL_DEPTH\n- MGATE_CRL_DISTRIBUTION_POINTS\n- MGATE_CRL_DISTRIBUTION_POINTS_ISSUER_CERT_FILE\n- MGATE_OFFLINE_CRL_FILE\n- MGATE_OFFLINE_CRL_ISSUER_CERT_FILE\n\n## License\n\n[Apache-2.0](LICENSE)\n\n[grc]: https://goreportcard.com/badge/github.com/absmach/mgate\n[LIC]: LICENSE\n[LIC-BADGE]: https://img.shields.io/badge/License-Apache_2.0-blue.svg\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabsmach%2Fmgate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fabsmach%2Fmgate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabsmach%2Fmgate/lists"}