| # Config file for mosquitto |
| # |
| # See mosquitto.conf(5) for more information. |
| # |
| # Default values are shown, uncomment to change. |
| # |
| # Use the # character to indicate a comment, but only if it is the |
| # very first character on the line. |
| |
| # ================================================================= |
| # General configuration |
| # ================================================================= |
| |
| # Time in seconds to wait before resending an outgoing QoS=1 or |
| # QoS=2 message. |
| #retry_interval 20 |
| |
| # Time in seconds between updates of the $SYS tree. |
| # Set to 0 to disable the publishing of the $SYS tree. |
| #sys_interval 10 |
| |
| # Time in seconds between cleaning the internal message store of |
| # unreferenced messages. Lower values will result in lower memory |
| # usage but more processor time, higher values will have the |
| # opposite effect. |
| # Setting a value of 0 means the unreferenced messages will be |
| # disposed of as quickly as possible. |
| #store_clean_interval 10 |
| |
| # Write process id to a file. Default is a blank string which means |
| # a pid file shouldn't be written. |
| # This should be set to /var/run/mosquitto.pid if mosquitto is |
| # being run automatically on boot with an init script and |
| # start-stop-daemon or similar. |
| #pid_file |
| |
| # When run as root, drop privileges to this user and its primary |
| # group. |
| # Leave blank to stay as root, but this is not recommended. |
| # If run as a non-root user, this setting has no effect. |
| # Note that on Windows this has no effect and so mosquitto should |
| # be started by the user you wish it to run as. |
| #user mosquitto |
| |
| # The maximum number of QoS 1 and 2 messages currently inflight per |
| # client. |
| # This includes messages that are partway through handshakes and |
| # those that are being retried. Defaults to 20. Set to 0 for no |
| # maximum. Setting to 1 will guarantee in-order delivery of QoS 1 |
| # and 2 messages. |
| #max_inflight_messages 20 |
| |
| # The maximum number of QoS 1 and 2 messages to hold in a queue |
| # above those that are currently in-flight. Defaults to 100. Set |
| # to 0 for no maximum (not recommended). |
| # See also queue_qos0_messages. |
| #max_queued_messages 100 |
| |
| # Set to true to queue messages with QoS 0 when a persistent client is |
| # disconnected. These messages are included in the limit imposed by |
| # max_queued_messages. |
| # Defaults to false. |
| # This is a non-standard option for the MQTT v3.1 spec but is allowed in |
| # v3.1.1. |
| #queue_qos0_messages false |
| |
| # This option sets the maximum publish payload size that the broker will allow. |
| # Received messages that exceed this size will not be accepted by the broker. |
| # The default value is 0, which means that all valid MQTT messages are |
| # accepted. MQTT imposes a maximum payload size of 268435455 bytes. |
| #message_size_limit 0 |
| |
| # This option controls whether a client is allowed to connect with a zero |
| # length client id or not. This option only affects clients using MQTT v3.1.1 |
| # and later. If set to false, clients connecting with a zero length client id |
| # are disconnected. If set to true, clients will be allocated a client id by |
| # the broker. This means it is only useful for clients with clean session set |
| # to true. |
| #allow_zero_length_clientid true |
| |
| # If allow_zero_length_clientid is true, this option allows you to set a prefix |
| # to automatically generated client ids to aid visibility in logs. |
| #auto_id_prefix |
| |
| # This option allows persistent clients (those with clean session set to false) |
| # to be removed if they do not reconnect within a certain time frame. |
| # |
| # This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1. |
| # |
| # Badly designed clients may set clean session to false whilst using a randomly |
| # generated client id. This leads to persistent clients that will never |
| # reconnect. This option allows these clients to be removed. |
| # |
| # The expiration period should be an integer followed by one of h d w m y for |
| # hour, day, week, month and year respectively. For example |
| # |
| # persistent_client_expiration 2m |
| # persistent_client_expiration 14d |
| # persistent_client_expiration 1y |
| # |
| # The default if not set is to never expire persistent clients. |
| #persistent_client_expiration |
| |
| # If a client is subscribed to multiple subscriptions that overlap, e.g. foo/# |
| # and foo/+/baz , then MQTT expects that when the broker receives a message on |
| # a topic that matches both subscriptions, such as foo/bar/baz, then the client |
| # should only receive the message once. |
| # Mosquitto keeps track of which clients a message has been sent to in order to |
| # meet this requirement. The allow_duplicate_messages option allows this |
| # behaviour to be disabled, which may be useful if you have a large number of |
| # clients subscribed to the same set of topics and are very concerned about |
| # minimising memory usage. |
| # It can be safely set to true if you know in advance that your clients will |
| # never have overlapping subscriptions, otherwise your clients must be able to |
| # correctly deal with duplicate messages even when then have QoS=2. |
| #allow_duplicate_messages false |
| |
| # The MQTT specification requires that the QoS of a message delivered to a |
| # subscriber is never upgraded to match the QoS of the subscription. Enabling |
| # this option changes this behaviour. If upgrade_outgoing_qos is set true, |
| # messages sent to a subscriber will always match the QoS of its subscription. |
| # This is a non-standard option explicitly disallowed by the spec. |
| #upgrade_outgoing_qos false |
| |
| # ================================================================= |
| # Default listener |
| # ================================================================= |
| |
| # IP address/hostname to bind the default listener to. If not |
| # given, the default listener will not be bound to a specific |
| # address and so will be accessible to all network interfaces. |
| # bind_address ip-address/host name |
| #bind_address |
| |
| # Port to use for the default listener. |
| #port 1883 |
| # need to uncomment when also defining an "extra" (SSL) listener below |
| # so the server handles both ports |
| port 1883 |
| |
| # The maximum number of client connections to allow. This is |
| # a per listener setting. |
| # Default is -1, which means unlimited connections. |
| # Note that other process limits mean that unlimited connections |
| # are not really possible. Typically the default maximum number of |
| # connections possible is around 1024. |
| #max_connections -1 |
| |
| # Choose the protocol to use when listening. |
| # This can be either mqtt or websockets. |
| # Websockets support is currently disabled by default at compile time. |
| # Certificate based TLS may be used with websockets, except that |
| # only the cafile, certfile, keyfile and ciphers options are supported. |
| #protocol mqtt |
| |
| # When a listener is using the websockets protocol, it is possible to serve |
| # http data as well. Set http_dir to a directory which contains the files you |
| # wish to serve. If this option is not specified, then no normal http |
| # connections will be possible. |
| #http_dir |
| |
| # Set use_username_as_clientid to true to replace the clientid that a client |
| # connected with with its username. This allows authentication to be tied to |
| # the clientid, which means that it is possible to prevent one client |
| # disconnecting another by using the same clientid. |
| # If a client connects with no username it will be disconnected as not |
| # authorised when this option is set to true. |
| # Do not use in conjunction with clientid_prefixes. |
| # See also use_identity_as_username. |
| #use_username_as_clientid |
| |
| # ----------------------------------------------------------------- |
| # Certificate based SSL/TLS support |
| # ----------------------------------------------------------------- |
| # The following options can be used to enable SSL/TLS support for |
| # this listener. Note that the recommended port for MQTT over TLS |
| # is 8883, but this must be set manually. |
| # |
| # See also the mosquitto-tls man page. |
| |
| # At least one of cafile or capath must be defined. They both |
| # define methods of accessing the PEM encoded Certificate |
| # Authority certificates that have signed your server certificate |
| # and that you wish to trust. |
| # cafile defines the path to a file containing the CA certificates. |
| # capath defines a directory that will be searched for files |
| # containing the CA certificates. For capath to work correctly, the |
| # certificate files must have ".crt" as the file ending and you must run |
| # "c_rehash <path to capath>" each time you add/remove a certificate. |
| #cafile |
| #capath |
| |
| # Path to the PEM encoded server certificate. |
| #certfile |
| |
| # Path to the PEM encoded keyfile. |
| #keyfile |
| |
| # This option defines the version of the TLS protocol to use for this listener. |
| # The default value allows v1.2, v1.1 and v1.0, if they are all supported by |
| # the version of openssl that the broker was compiled against. For openssl >= |
| # 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the |
| # valid values are tlsv1. |
| #tls_version |
| |
| # By default a TLS enabled listener will operate in a similar fashion to a |
| # https enabled web server, in that the server has a certificate signed by a CA |
| # and the client will verify that it is a trusted certificate. The overall aim |
| # is encryption of the network traffic. By setting require_certificate to true, |
| # the client must provide a valid certificate in order for the network |
| # connection to proceed. This allows access to the broker to be controlled |
| # outside of the mechanisms provided by MQTT. |
| #require_certificate false |
| |
| # If require_certificate is true, you may set use_identity_as_username to true |
| # to use the CN value from the client certificate as a username. If this is |
| # true, the password_file option will not be used for this listener. |
| #use_identity_as_username false |
| |
| # If you have require_certificate set to true, you can create a certificate |
| # revocation list file to revoke access to particular client certificates. If |
| # you have done this, use crlfile to point to the PEM encoded revocation file. |
| #crlfile |
| |
| # If you wish to control which encryption ciphers are used, use the ciphers |
| # option. The list of available ciphers can be optained using the "openssl |
| # ciphers" command and should be provided in the same format as the output of |
| # that command. |
| # If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH |
| #ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH |
| |
| # ----------------------------------------------------------------- |
| # Pre-shared-key based SSL/TLS support |
| # ----------------------------------------------------------------- |
| # The following options can be used to enable PSK based SSL/TLS support for |
| # this listener. Note that the recommended port for MQTT over TLS is 8883, but |
| # this must be set manually. |
| # |
| # See also the mosquitto-tls man page and the "Certificate based SSL/TLS |
| # support" section. Only one of certificate or PSK encryption support can be |
| # enabled for any listener. |
| |
| # The psk_hint option enables pre-shared-key support for this listener and also |
| # acts as an identifier for this listener. The hint is sent to clients and may |
| # be used locally to aid authentication. The hint is a free form string that |
| # doesn't have much meaning in itself, so feel free to be creative. |
| # If this option is provided, see psk_file to define the pre-shared keys to be |
| # used or create a security plugin to handle them. |
| #psk_hint |
| |
| # Set use_identity_as_username to have the psk identity sent by the client used |
| # as its username. Authentication will be carried out using the PSK rather than |
| # the MQTT username/password and so password_file will not be used for this |
| # listener. |
| #use_identity_as_username false |
| |
| # When using PSK, the encryption ciphers used will be chosen from the list of |
| # available PSK ciphers. If you want to control which ciphers are available, |
| # use the "ciphers" option. The list of available ciphers can be optained |
| # using the "openssl ciphers" command and should be provided in the same format |
| # as the output of that command. |
| #ciphers |
| |
| # ================================================================= |
| # Extra listeners |
| # ================================================================= |
| |
| # Listen on a port/ip address combination. By using this variable |
| # multiple times, mosquitto can listen on more than one port. If |
| # this variable is used and neither bind_address nor port given, |
| # then the default listener will not be started. |
| # The port number to listen on must be given. Optionally, an ip |
| # address or host name may be supplied as a second argument. In |
| # this case, mosquitto will attempt to bind the listener to that |
| # address and so restrict access to the associated network and |
| # interface. By default, mosquitto will listen on all interfaces. |
| # listener port-number [ip address/host name] |
| #listener |
| listener 8883 |
| |
| # The maximum number of client connections to allow. This is |
| # a per listener setting. |
| # Default is -1, which means unlimited connections. |
| # Note that other process limits mean that unlimited connections |
| # are not really possible. Typically the default maximum number of |
| # connections possible is around 1024. |
| #max_connections -1 |
| |
| # The listener can be restricted to operating within a topic hierarchy using |
| # the mount_point option. This is achieved be prefixing the mount_point string |
| # to all topics for any clients connected to this listener. This prefixing only |
| # happens internally to the broker; the client will not see the prefix. |
| #mount_point |
| |
| # Choose the protocol to use when listening. |
| # This can be either mqtt or websockets. |
| # Certificate based TLS may be used with websockets, except that only the |
| # cafile, certfile, keyfile and ciphers options are supported. |
| #protocol mqtt |
| |
| # When a listener is using the websockets protocol, it is possible to serve |
| # http data as well. Set http_dir to a directory which contains the files you |
| # wish to serve. If this option is not specified, then no normal http |
| # connections will be possible. |
| #http_dir |
| |
| # Set use_username_as_clientid to true to replace the clientid that a client |
| # connected with with its username. This allows authentication to be tied to |
| # the clientid, which means that it is possible to prevent one client |
| # disconnecting another by using the same clientid. |
| # If a client connects with no username it will be disconnected as not |
| # authorised when this option is set to true. |
| # Do not use in conjunction with clientid_prefixes. |
| # See also use_identity_as_username. |
| #use_username_as_clientid |
| |
| # ----------------------------------------------------------------- |
| # Certificate based SSL/TLS support |
| # ----------------------------------------------------------------- |
| # The following options can be used to enable certificate based SSL/TLS support |
| # for this listener. Note that the recommended port for MQTT over TLS is 8883, |
| # but this must be set manually. |
| # |
| # See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS |
| # support" section. Only one of certificate or PSK encryption support can be |
| # enabled for any listener. |
| |
| # At least one of cafile or capath must be defined to enable certificate based |
| # TLS encryption. They both define methods of accessing the PEM encoded |
| # Certificate Authority certificates that have signed your server certificate |
| # and that you wish to trust. |
| # cafile defines the path to a file containing the CA certificates. |
| # capath defines a directory that will be searched for files |
| # containing the CA certificates. For capath to work correctly, the |
| # certificate files must have ".crt" as the file ending and you must run |
| # "c_rehash <path to capath>" each time you add/remove a certificate. |
| #cafile |
| #capath |
| cafile TEST-KEYSTORES-DIR/ca.crt |
| |
| # Path to the PEM encoded server certificate. |
| #certfile |
| certfile TEST-KEYSTORES-DIR/server.crt |
| |
| # Path to the PEM encoded keyfile. |
| #keyfile |
| keyfile TEST-KEYSTORES-DIR/server.key |
| |
| # By default an TLS enabled listener will operate in a similar fashion to a |
| # https enabled web server, in that the server has a certificate signed by a CA |
| # and the client will verify that it is a trusted certificate. The overall aim |
| # is encryption of the network traffic. By setting require_certificate to true, |
| # the client must provide a valid certificate in order for the network |
| # connection to proceed. This allows access to the broker to be controlled |
| # outside of the mechanisms provided by MQTT. |
| #require_certificate false |
| |
| # If require_certificate is true, you may set use_identity_as_username to true |
| # to use the CN value from the client certificate as a username. If this is |
| # true, the password_file option will not be used for this listener. |
| #use_identity_as_username false |
| |
| # If you have require_certificate set to true, you can create a certificate |
| # revocation list file to revoke access to particular client certificates. If |
| # you have done this, use crlfile to point to the PEM encoded revocation file. |
| #crlfile |
| |
| # If you wish to control which encryption ciphers are used, use the ciphers |
| # option. The list of available ciphers can be optained using the "openssl |
| # ciphers" command and should be provided in the same format as the output of |
| # that command. |
| #ciphers |
| |
| # ----------------------------------------------------------------- |
| # Pre-shared-key based SSL/TLS support |
| # ----------------------------------------------------------------- |
| # The following options can be used to enable PSK based SSL/TLS support for |
| # this listener. Note that the recommended port for MQTT over TLS is 8883, but |
| # this must be set manually. |
| # |
| # See also the mosquitto-tls man page and the "Certificate based SSL/TLS |
| # support" section. Only one of certificate or PSK encryption support can be |
| # enabled for any listener. |
| |
| # The psk_hint option enables pre-shared-key support for this listener and also |
| # acts as an identifier for this listener. The hint is sent to clients and may |
| # be used locally to aid authentication. The hint is a free form string that |
| # doesn't have much meaning in itself, so feel free to be creative. |
| # If this option is provided, see psk_file to define the pre-shared keys to be |
| # used or create a security plugin to handle them. |
| #psk_hint |
| |
| # Set use_identity_as_username to have the psk identity sent by the client used |
| # as its username. Authentication will be carried out using the PSK rather than |
| # the MQTT username/password and so password_file will not be used for this |
| # listener. |
| #use_identity_as_username false |
| |
| # When using PSK, the encryption ciphers used will be chosen from the list of |
| # available PSK ciphers. If you want to control which ciphers are available, |
| # use the "ciphers" option. The list of available ciphers can be optained |
| # using the "openssl ciphers" command and should be provided in the same format |
| # as the output of that command. |
| #ciphers |
| |
| # ============================================= |
| # extra listener 2 on 8884 - SSL with require client-auth |
| # ============================================= |
| listener 8884 |
| require_certificate true |
| |
| # At least one of cafile or capath must be defined to enable certificate based |
| # TLS encryption. They both define methods of accessing the PEM encoded |
| # Certificate Authority certificates that have signed your server certificate |
| # and that you wish to trust. |
| # cafile defines the path to a file containing the CA certificates. |
| # capath defines a directory that will be searched for files |
| # containing the CA certificates. For capath to work correctly, the |
| # certificate files must have ".crt" as the file ending and you must run |
| # "c_rehash <path to capath>" each time you add/remove a certificate. |
| #cafile |
| cafile TEST-KEYSTORES-DIR/ca.crt |
| #capath |
| |
| certfile TEST-KEYSTORES-DIR/server.crt |
| keyfile TEST-KEYSTORES-DIR/server.key |
| |
| |
| # ================================================================= |
| # Persistence |
| # ================================================================= |
| |
| # If persistence is enabled, save the in-memory database to disk |
| # every autosave_interval seconds. If set to 0, the persistence |
| # database will only be written when mosquitto exits. See also |
| # autosave_on_changes. |
| # Note that writing of the persistence database can be forced by |
| # sending mosquitto a SIGUSR1 signal. |
| #autosave_interval 1800 |
| |
| # If true, mosquitto will count the number of subscription changes, retained |
| # messages received and queued messages and if the total exceeds |
| # autosave_interval then the in-memory database will be saved to disk. |
| # If false, mosquitto will save the in-memory database to disk by treating |
| # autosave_interval as a time in seconds. |
| #autosave_on_changes false |
| |
| # Save persistent message data to disk (true/false). |
| # This saves information about all messages, including |
| # subscriptions, currently in-flight messages and retained |
| # messages. |
| # retained_persistence is a synonym for this option. |
| #persistence false |
| |
| # The filename to use for the persistent database, not including |
| # the path. |
| #persistence_file mosquitto.db |
| |
| # Location for persistent database. Must include trailing / |
| # Default is an empty string (current directory). |
| # Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or |
| # similar. |
| #persistence_location |
| |
| # ================================================================= |
| # Logging |
| # ================================================================= |
| |
| # Places to log to. Use multiple log_dest lines for multiple |
| # logging destinations. |
| # Possible destinations are: stdout stderr syslog topic file |
| # |
| # stdout and stderr log to the console on the named output. |
| # |
| # syslog uses the userspace syslog facility which usually ends up |
| # in /var/log/messages or similar. |
| # |
| # topic logs to the broker topic '$SYS/broker/log/<severity>', |
| # where severity is one of D, E, W, N, I, M which are debug, error, |
| # warning, notice, information and message. Message type severity is used by |
| # the subscribe/unsubscribe log_types and publishes log messages to |
| # $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. |
| # |
| # The file destination requires an additional parameter which is the file to be |
| # logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be |
| # closed and reopened when the broker receives a HUP signal. Only a single file |
| # destination may be configured. |
| # |
| # Note that if the broker is running as a Windows service it will default to |
| # "log_dest none" and neither stdout nor stderr logging is available. |
| # Use "log_dest none" if you wish to disable logging. |
| #log_dest stderr |
| |
| # If using syslog logging (not on Windows), messages will be logged to the |
| # "daemon" facility by default. Use the log_facility option to choose which of |
| # local0 to local7 to log to instead. The option value should be an integer |
| # value, e.g. "log_facility 5" to use local5. |
| #log_facility |
| |
| # Types of messages to log. Use multiple log_type lines for logging |
| # multiple types of messages. |
| # Possible types are: debug, error, warning, notice, information, |
| # none, subscribe, unsubscribe, websockets, all. |
| # Note that debug type messages are for decoding the incoming/outgoing |
| # network packets. They are not logged in "topics". |
| #log_type error |
| #log_type warning |
| #log_type notice |
| #log_type information |
| |
| # Change the websockets logging level. This is a global option, it is not |
| # possible to set per listener. This is an integer that is interpreted by |
| # libwebsockets as a bit mask for its lws_log_levels enum. See the |
| # libwebsockets documentation for more details. "log_type websockets" must also |
| # be enabled. |
| #websockets_log_level 0 |
| |
| # If set to true, client connection and disconnection messages will be included |
| # in the log. |
| #connection_messages true |
| |
| # If set to true, add a timestamp value to each log message. |
| #log_timestamp true |
| |
| # ================================================================= |
| # Security |
| # ================================================================= |
| |
| # If set, only clients that have a matching prefix on their |
| # clientid will be allowed to connect to the broker. By default, |
| # all clients may connect. |
| # For example, setting "secure-" here would mean a client "secure- |
| # client" could connect but another with clientid "mqtt" couldn't. |
| #clientid_prefixes |
| |
| # Boolean value that determines whether clients that connect |
| # without providing a username are allowed to connect. If set to |
| # false then a password file should be created (see the |
| # password_file option) to control authenticated client access. |
| # Defaults to true. |
| #allow_anonymous true |
| |
| # In addition to the clientid_prefixes, allow_anonymous and TLS |
| # authentication options, username based authentication is also |
| # possible. The default support is described in "Default |
| # authentication and topic access control" below. The auth_plugin |
| # allows another authentication method to be used. |
| # Specify the path to the loadable plugin and see the |
| # "Authentication and topic access plugin options" section below. |
| #auth_plugin |
| |
| # ----------------------------------------------------------------- |
| # Default authentication and topic access control |
| # ----------------------------------------------------------------- |
| |
| # Control access to the broker using a password file. This file can be |
| # generated using the mosquitto_passwd utility. If TLS support is not compiled |
| # into mosquitto (it is recommended that TLS support should be included) then |
| # plain text passwords are used, in which case the file should be a text file |
| # with lines in the format: |
| # username:password |
| # The password (and colon) may be omitted if desired, although this |
| # offers very little in the way of security. |
| # |
| # See the TLS client require_certificate and use_identity_as_username options |
| # for alternative authentication options. |
| #password_file |
| |
| # Access may also be controlled using a pre-shared-key file. This requires |
| # TLS-PSK support and a listener configured to use it. The file should be text |
| # lines in the format: |
| # identity:key |
| # The key should be in hexadecimal format without a leading "0x". |
| #psk_file |
| |
| # Control access to topics on the broker using an access control list |
| # file. If this parameter is defined then only the topics listed will |
| # have access. |
| # If the first character of a line of the ACL file is a # it is treated as a |
| # comment. |
| # Topic access is added with lines of the format: |
| # |
| # topic [read|write|readwrite] <topic> |
| # |
| # The access type is controlled using "read", "write" or "readwrite". This |
| # parameter is optional (unless <topic> contains a space character) - if not |
| # given then the access is read/write. <topic> can contain the + or # |
| # wildcards as in subscriptions. |
| # |
| # The first set of topics are applied to anonymous clients, assuming |
| # allow_anonymous is true. User specific topic ACLs are added after a |
| # user line as follows: |
| # |
| # user <username> |
| # |
| # The username referred to here is the same as in password_file. It is |
| # not the clientid. |
| # |
| # |
| # If is also possible to define ACLs based on pattern substitution within the |
| # topic. The patterns available for substition are: |
| # |
| # %c to match the client id of the client |
| # %u to match the username of the client |
| # |
| # The substitution pattern must be the only text for that level of hierarchy. |
| # |
| # The form is the same as for the topic keyword, but using pattern as the |
| # keyword. |
| # Pattern ACLs apply to all users even if the "user" keyword has previously |
| # been given. |
| # |
| # If using bridges with usernames and ACLs, connection messages can be allowed |
| # with the following pattern: |
| # pattern write $SYS/broker/connection/%c/state |
| # |
| # pattern [read|write|readwrite] <topic> |
| # |
| # Example: |
| # |
| # pattern write sensor/%u/data |
| # |
| #acl_file |
| |
| # ----------------------------------------------------------------- |
| # Authentication and topic access plugin options |
| # ----------------------------------------------------------------- |
| |
| # If the auth_plugin option above is used, define options to pass to the |
| # plugin here as described by the plugin instructions. All options named |
| # using the format auth_opt_* will be passed to the plugin, for example: |
| # |
| # auth_opt_db_host |
| # auth_opt_db_port |
| # auth_opt_db_username |
| # auth_opt_db_password |
| |
| |
| # ================================================================= |
| # Bridges |
| # ================================================================= |
| |
| # A bridge is a way of connecting multiple MQTT brokers together. |
| # Create a new bridge using the "connection" option as described below. Set |
| # options for the bridges using the remaining parameters. You must specify the |
| # address and at least one topic to subscribe to. |
| # Each connection must have a unique name. |
| # The address line may have multiple host address and ports specified. See |
| # below in the round_robin description for more details on bridge behaviour if |
| # multiple addresses are used. |
| # The direction that the topic will be shared can be chosen by |
| # specifying out, in or both, where the default value is out. |
| # The QoS level of the bridged communication can be specified with the next |
| # topic option. The default QoS level is 0, to change the QoS the topic |
| # direction must also be given. |
| # The local and remote prefix options allow a topic to be remapped when it is |
| # bridged to/from the remote broker. This provides the ability to place a topic |
| # tree in an appropriate location. |
| # For more details see the mosquitto.conf man page. |
| # Multiple topics can be specified per connection, but be careful |
| # not to create any loops. |
| # If you are using bridges with cleansession set to false (the default), then |
| # you may get unexpected behaviour from incoming topics if you change what |
| # topics you are subscribing to. This is because the remote broker keeps the |
| # subscription for the old topic. If you have this problem, connect your bridge |
| # with cleansession set to true, then reconnect with cleansession set to false |
| # as normal. |
| #connection <name> |
| #address <host>[:<port>] [<host>[:<port>]] |
| #topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix] |
| |
| # Set the version of the MQTT protocol to use with for this bridge. Can be one |
| # of mqttv31 or mqttv311. Defaults to mqttv31. |
| #bridge_protocol_version mqttv31 |
| |
| # If a bridge has topics that have "out" direction, the default behaviour is to |
| # send an unsubscribe request to the remote broker on that topic. This means |
| # that changing a topic direction from "in" to "out" will not keep receiving |
| # incoming messages. Sending these unsubscribe requests is not always |
| # desirable, setting bridge_attempt_unsubscribe to false will disable sending |
| # the unsubscribe request. |
| #bridge_attempt_unsubscribe true |
| |
| # If the bridge has more than one address given in the address/addresses |
| # configuration, the round_robin option defines the behaviour of the bridge on |
| # a failure of the bridge connection. If round_robin is false, the default |
| # value, then the first address is treated as the main bridge connection. If |
| # the connection fails, the other secondary addresses will be attempted in |
| # turn. Whilst connected to a secondary bridge, the bridge will periodically |
| # attempt to reconnect to the main bridge until successful. |
| # If round_robin is true, then all addresses are treated as equals. If a |
| # connection fails, the next address will be tried and if successful will |
| # remain connected until it fails |
| #round_robin false |
| |
| # Set the client id to use on the remote end of this bridge connection. If not |
| # defined, this defaults to 'name.hostname' where name is the connection name |
| # and hostname is the hostname of this computer. |
| # This replaces the old "clientid" option to avoid confusion. "clientid" |
| # remains valid for the time being. |
| #remote_clientid |
| |
| # Set the clientid to use on the local broker. If not defined, this defaults to |
| # 'local.<clientid>'. If you are bridging a broker to itself, it is important |
| # that local_clientid and clientid do not match. |
| #local_clientid |
| |
| # Set the clean session variable for this bridge. |
| # When set to true, when the bridge disconnects for any reason, all |
| # messages and subscriptions will be cleaned up on the remote |
| # broker. Note that with cleansession set to true, there may be a |
| # significant amount of retained messages sent when the bridge |
| # reconnects after losing its connection. |
| # When set to false, the subscriptions and messages are kept on the |
| # remote broker, and delivered when the bridge reconnects. |
| #cleansession false |
| |
| # If set to true, publish notification messages to the local and remote brokers |
| # giving information about the state of the bridge connection. Retained |
| # messages are published to the topic $SYS/broker/connection/<clientid>/state |
| # unless the notification_topic option is used. |
| # If the message is 1 then the connection is active, or 0 if the connection has |
| # failed. |
| #notifications true |
| |
| # Choose the topic on which notification messages for this bridge are |
| # published. If not set, messages are published on the topic |
| # $SYS/broker/connection/<clientid>/state |
| #notification_topic |
| |
| # Set the keepalive interval for this bridge connection, in |
| # seconds. |
| #keepalive_interval 60 |
| |
| # Set the start type of the bridge. This controls how the bridge starts and |
| # can be one of three types: automatic, lazy and once. Note that RSMB provides |
| # a fourth start type "manual" which isn't currently supported by mosquitto. |
| # |
| # "automatic" is the default start type and means that the bridge connection |
| # will be started automatically when the broker starts and also restarted |
| # after a short delay (30 seconds) if the connection fails. |
| # |
| # Bridges using the "lazy" start type will be started automatically when the |
| # number of queued messages exceeds the number set with the "threshold" |
| # parameter. It will be stopped automatically after the time set by the |
| # "idle_timeout" parameter. Use this start type if you wish the connection to |
| # only be active when it is needed. |
| # |
| # A bridge using the "once" start type will be started automatically when the |
| # broker starts but will not be restarted if the connection fails. |
| #start_type automatic |
| |
| # Set the amount of time a bridge using the automatic start type will wait |
| # until attempting to reconnect. Defaults to 30 seconds. |
| #restart_timeout 30 |
| |
| # Set the amount of time a bridge using the lazy start type must be idle before |
| # it will be stopped. Defaults to 60 seconds. |
| #idle_timeout 60 |
| |
| # Set the number of messages that need to be queued for a bridge with lazy |
| # start type to be restarted. Defaults to 10 messages. |
| # Must be less than max_queued_messages. |
| #threshold 10 |
| |
| # If try_private is set to true, the bridge will attempt to indicate to the |
| # remote broker that it is a bridge not an ordinary client. If successful, this |
| # means that loop detection will be more effective and that retained messages |
| # will be propagated correctly. Not all brokers support this feature so it may |
| # be necessary to set try_private to false if your bridge does not connect |
| # properly. |
| #try_private true |
| |
| # Set the username to use when connecting to a broker that requires |
| # authentication. |
| # This replaces the old "username" option to avoid confusion. "username" |
| # remains valid for the time being. |
| #remote_username |
| |
| # Set the password to use when connecting to a broker that requires |
| # authentication. This option is only used if remote_username is also set. |
| # This replaces the old "password" option to avoid confusion. "password" |
| # remains valid for the time being. |
| #remote_password |
| |
| # ----------------------------------------------------------------- |
| # Certificate based SSL/TLS support |
| # ----------------------------------------------------------------- |
| # Either bridge_cafile or bridge_capath must be defined to enable TLS support |
| # for this bridge. |
| # bridge_cafile defines the path to a file containing the |
| # Certificate Authority certificates that have signed the remote broker |
| # certificate. |
| # bridge_capath defines a directory that will be searched for files containing |
| # the CA certificates. For bridge_capath to work correctly, the certificate |
| # files must have ".crt" as the file ending and you must run "c_rehash <path to |
| # capath>" each time you add/remove a certificate. |
| #bridge_cafile |
| #bridge_capath |
| |
| # Path to the PEM encoded client certificate, if required by the remote broker. |
| #bridge_certfile |
| |
| # Path to the PEM encoded client private key, if required by the remote broker. |
| #bridge_keyfile |
| |
| # When using certificate based encryption, bridge_insecure disables |
| # verification of the server hostname in the server certificate. This can be |
| # useful when testing initial server configurations, but makes it possible for |
| # a malicious third party to impersonate your server through DNS spoofing, for |
| # example. Use this option in testing only. If you need to resort to using this |
| # option in a production environment, your setup is at fault and there is no |
| # point using encryption. |
| #bridge_insecure false |
| |
| # ----------------------------------------------------------------- |
| # PSK based SSL/TLS support |
| # ----------------------------------------------------------------- |
| # Pre-shared-key encryption provides an alternative to certificate based |
| # encryption. A bridge can be configured to use PSK with the bridge_identity |
| # and bridge_psk options. These are the client PSK identity, and pre-shared-key |
| # in hexadecimal format with no "0x". Only one of certificate and PSK based |
| # encryption can be used on one |
| # bridge at once. |
| #bridge_identity |
| #bridge_psk |
| |
| |
| # ================================================================= |
| # External config files |
| # ================================================================= |
| |
| # External configuration files may be included by using the |
| # include_dir option. This defines a directory that will be searched |
| # for config files. All files that end in '.conf' will be loaded as |
| # a configuration file. It is best to have this as the last option |
| # in the main file. This option will only be processed from the main |
| # configuration file. The directory specified must not contain the |
| # main configuration file. |
| #include_dir |
| |
| # ================================================================= |
| # rsmb options - unlikely to ever be supported |
| # ================================================================= |
| |
| #ffdc_output |
| #max_log_entries |
| #trace_level |
| #trace_output |