Set up EMQX as a self-hosted scalable MQTT broker with authentication and TLS

Verified steps

1. Download and install EMQX from the official release page for your platform; start the broker with emqx start and verify it is running with emqx_ctl status; the EMQX Dashboard is available at http://localhost:18083 with default credentials that must be changed immediately
2. Enable TLS on the MQTT SSL listener by placing CA, server certificate, and server key files in the etc/certs/ directory; edit the listener.ssl.default section in emqx.conf (or via the Dashboard) to set cacertfile, certfile, keyfile, and verify = verify_peer for mutual TLS
3. Configure authentication: for simple setups use the built-in password-based authenticator via the Dashboard under Access Control > Authentication; for production use an external database (MySQL, PostgreSQL, Redis) or JWT authentication plugin to centralize credential management
4. Set up authorization (ACL rules) to restrict which clients can publish or subscribe to which topics; rules can be stored in files, a database, or evaluated by a webhook — default-deny is the safest starting posture
5. Enable clustering for high availability by configuring the cluster discovery mechanism (e.g., static, DNS, or etcd) in emqx.conf; join nodes with emqx_ctl cluster join <node@host>; EMQX replicates session state and routing tables across cluster nodes
6. Monitor broker health via the Dashboard metrics panel or Prometheus endpoint (/api/v5/prometheus/stats with API key auth); watch connected_clients, messages.dropped, and authentication.failure counts as primary health signals