General configuration
# Use per listener security settings.
#
# It is recommended this option be set before any other options.
#
# If this option is set to true, then all authentication and access control
# options are controlled on a per listener basis. The following options are
# affected:
#
# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
# auto_id_prefix allow_zero_length_clientid
#
# Note that if set to true, then a durable client (i.e. with clean session set
# to false) that has disconnected will use the ACL settings defined for the
# listener that it was most recently connected to.
# The default behaviour is for this to be set to false, which maintains the
# setting behaviour from previous versions of mosquitto.
#per_listener_settings false
# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
# and foo/+/baz, then MQTT expects that when the broker receives a message on
# a topic that matches both subscriptions, such as foo/bar/baz, then the client
# should only receive the message once.
# Mosquitto keeps track of which clients a message has been sent to in order to
# meet this requirement. The allow_duplicate_messages option allows this
# behaviour to be disabled, which may be useful if you have a large number of
# clients subscribed to the same set of topics and are very concerned about
# minimising memory usage.
# It can be safely set to true if you know in advance that your clients will
# never have overlapping subscriptions, otherwise your clients must be able to
# correctly deal with duplicate messages even when they have QoS=2.
#allow_duplicate_messages false
# This option controls whether a client is allowed to connect with a zero
# length client id or not. This option only affects clients using MQTT v3.1.1
# and later. If set to false, clients connecting with a zero length client id
# are disconnected. If set to true, clients will be allocated a client id by
# the broker. This means it is only useful for clients with clean session set
# to true.
#allow_zero_length_clientid true
# If allow_zero_length_clientid is true, this option allows you to set a prefix
# to automatically generated client ids to aid visibility in logs.
# Defaults to 'auto-'
#auto_id_prefix auto-
# This option affects the scenario when a client subscribes to a topic that has
# retained messages. It is possible that the client that published the retained
# message to the topic had access at the time it published, but that access has
# since been removed. If check_retain_source is set to true (the default), the
# source of a retained message will be checked for access rights before it is
# republished. When set to false, no check will be made and the retained
# message will always be published. This affects all listeners.
#check_retain_source true
# QoS 1 and 2 messages will be allowed inflight per client until this limit
# is exceeded. Defaults to 0. (No maximum)
# See also max_inflight_messages
#max_inflight_bytes 0
# The maximum number of QoS 1 and 2 messages currently inflight per client.
# This includes messages that are partway through handshakes and those that
# are being retried. Defaults to 20. Set to 0 for no maximum. Setting to 1
# will guarantee in-order delivery of QoS 1 and 2 messages.
#max_inflight_messages 20
# For MQTT v5 clients, it is possible to have the server send a "server
# keepalive" value that will override the keepalive value set by the client.
# This is intended to be used as a mechanism to say that the server will
# disconnect the client earlier than it anticipated, and that the client should
# use the new keepalive value. The max_keepalive option allows you to specify
# that clients may only connect with keepalive less than or equal to this
# value, otherwise they will be sent a server keepalive telling them to use
# max_keepalive. This only applies to MQTT v5 clients. The maximum value
# allowable is 65535. Do not set below 10.
#max_keepalive 65535
# For MQTT v5 clients, it is possible to have the server send a "maximum packet
# size" value that will instruct the client it will not accept MQTT packets
# with size greater than max_packet_size bytes. This applies to the full MQTT
# packet, not just the payload. Setting this option to a positive value will
# set the maximum packet size to that number of bytes. If a client sends a
# packet which is larger than this value, it will be disconnected. This applies
# to all clients regardless of the protocol version they are using, but v3.1.1
# and earlier clients will of course not have received the maximum packet size
# information. Defaults to no limit. Setting below 20 bytes is forbidden
# because it is likely to interfere with ordinary client operation, even with
# very small payloads.
#max_packet_size 0
# QoS 1 and 2 messages above those currently in-flight will be queued per
# client until this limit is exceeded. Defaults to 0. (No maximum)
# See also max_queued_messages.
# If both max_queued_messages and max_queued_bytes are specified, packets will
# be queued until the first limit is reached.
#max_queued_bytes 0
# The maximum number of QoS 1 and 2 messages to hold in a queue per client
# above those that are currently in-flight. Defaults to 100. Set to 0 for no
# maximum (not recommended).
# See also queue_qos0_messages.
# See also max_queued_bytes.
#max_queued_messages 100
# This option sets the maximum number of heap memory bytes that the broker will
# allocate, and so sets a hard limit on memory use by the broker. Memory
# requests that exceed this value will be denied. The effect will vary
# depending on what has been denied. If an incoming message is being processed,
# then the message will be dropped and the publishing client will be
# disconnected. If an outgoing message is being sent, then the individual
# message will be dropped and the receiving client will be disconnected.
# Defaults to no limit.
#memory_limit 0
# This option sets the maximum publish payload size that the broker will allow.
# Received messages that exceed this size will not be accepted by the broker.
# The default value is 0, which means that all valid MQTT messages are
# accepted. MQTT imposes a maximum payload size of 268435455 bytes (256M).
#message_size_limit 0
# This option allows persistent clients (those with clean session set to false)
# to be removed if they do not reconnect within a certain time frame.
# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1.
# Badly designed clients may set clean session to false whilst using a randomly
# generated client id. This leads to persistent clients that will never
# reconnect. This option allows these clients to be removed.
# The expiration period should be an integer followed by one of h d w m y for
# hour, day, week, month and year respectively. For example
# persistent_client_expiration 2m
# persistent_client_expiration 14d
# persistent_client_expiration 1y
# The default if not set is to never expire persistent clients.
#persistent_client_expiration
# Write process id to a file. Default is a blank string which means a pid file
# shouldn't be written.
# This should be set to /var/run/mosquitto.pid if mosquitto is being run
# automatically on boot with an init script and start-stop-daemon or similar.
# Paths that appear in these configuration notes, such as "/var/run/mosquitto"
# or "/var/log/messages", are relative to the root of the system drive; on
# Windows, for example, "/var/run/mosquitto" means "c:\var\run\mosquitto".
#pid_file
# Set to true to queue messages with QoS 0 when a persistent client is
# disconnected. These messages are included in the limit imposed by
# max_queued_messages and max_queued_bytes.
# Defaults to false.
# This is a non-standard option for the MQTT v3.1 spec but is allowed in
# v3.1.1.
#queue_qos0_messages false
# Set to false to disable retained message support. If a client publishes a
# message with the retain bit set, it will be disconnected if this is set to
# false.
#retain_available true
# Disable Nagle's algorithm on client sockets. This has the effect of reducing
# latency of individual messages at the potential cost of increasing the number
# of packets being sent.
#set_tcp_nodelay false
# Time in seconds between updates of the $SYS tree.
# Set to 0 to disable the publishing of the $SYS tree.
#sys_interval 10
# The MQTT specification requires that the QoS of a message delivered to a
# subscriber is never upgraded to match the QoS of the subscription. Enabling
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
# messages sent to a subscriber will always match the QoS of its subscription.
# This is a non-standard option explicitly disallowed by the spec.
#upgrade_outgoing_qos false
# When run as root, drop privileges to this user and its primary group.
# Set to root to stay as root, but this is not recommended.
# If run as a non-root user, this setting has no effect.
# Note that on Windows this has no effect and so mosquitto should be started by
# the user you wish it to run as.
#user mosquitto
=================================================================
Default listener
# IP address/hostname to bind the default listener to. If not given, the
# default listener will not be bound to a specific address and so will be
# accessible to all network interfaces.
# Usage: bind_address ip-address/host name
#bind_address
# Port to use for the default listener.
#port 1883
# Bind the listener to a specific interface. This is similar to the
# bind_address option above, but is useful when an interface has multiple
# addresses or the address may change. It is valid to use this with the
# bind_address option, but take care that the interface you are binding to
# contains the address you are binding to, otherwise you will not be able to
# connect.
# Example: bind_interface eth0
#bind_interface
# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir
# The maximum number of client connections to allow. This is a per listener
# setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections are not
# really possible. Typically the default maximum number of connections
# possible is around 1024.
#max_connections -1
# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Websockets support is currently disabled by default at compile time.
# Certificate based TLS may be used with websockets, except that only the
# cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt
# Set use_username_as_clientid to true to replace the clientid that a client
# connected with with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid
Certificate based SSL/TLS support
# The following options can be used to enable SSL/TLS support for this
# listener. Note that the recommended port for MQTT over TLS is 8883, but this
# must be set manually.
# See also the mosquitto-tls man page.
# At least one of cafile or capath must be defined. They both define methods of
# accessing the PEM encoded Certificate Authority certificates that have signed
# your server certificate and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files containing the CA
# certificates. For capath to work correctly, the certificate files must have
# ".crt" as the file ending and you must run "openssl rehash <path to capath>"
# each time you add/remove a certificate.
#cafile
#capath
# Path to the PEM encoded server certificate.
#certfile
# Path to the PEM encoded keyfile.
#keyfile
# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
# Default: DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with the command
# e.g. "openssl dhparam -out dhparam.pem 2048"
#dhparamfile
# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false
# This option defines the version of the TLS protocol to use for this listener.
# The default value allows all of v1.3, v1.2 and v1.1. The valid values are
# tlsv1.3 tlsv1.2 and tlsv1.1.
#tls_version
# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
# This takes priority over use_subject_as_username.
# See also use_subject_as_username.
#use_identity_as_username false
# If require_certificate is true, you may set use_subject_as_username to true
# to use the complete subject value from the client certificate as a username.
# If this is true, the password_file option will not be used for this listener.
# See also use_identity_as_username
#use_subject_as_username false
Pre-shared-key based SSL/TLS support
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint
# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers
# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false
=================================================================
Extra listeners
# Listen on a port/ip address combination. By using this variable
# multiple times, mosquitto can listen on more than one port. If
# this variable is used and neither bind_address nor port given,
# then the default listener will not be started.
# The port number to listen on must be given. Optionally, an ip
# address or host name may be supplied as a second argument. In
# this case, mosquitto will attempt to bind the listener to that
# address and so restrict access to the associated network and
# interface. By default, mosquitto will listen on all interfaces.
# Note that for a websockets listener it is not possible to bind to a host
# name.
# listener port-number [ip address/host name]
#listener
# Bind the listener to a specific interface. This is similar to
# the [ip address/host name] part of the listener definition, but is useful
# when an interface has multiple addresses or the address may change. It is
# valid to use this with the [ip address/host name] part of the listener
# definition, but take care that the interface you are binding to contains the
# address you are binding to, otherwise you will not be able to connect.
# Only available on Linux and requires elevated privileges.
#
# Example: bind_interface eth0
#bind_interface
# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir
# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1
# The listener can be restricted to operating within a topic hierarchy using
# the mount_point option. This is achieved by prefixing the mount_point string
# to all topics for any clients connected to this listener. This prefixing only
# happens internally to the broker; the client will not see the prefix.
#mount_point
# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Certificate based TLS may be used with websockets, except that only the
# cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt
# Set use_username_as_clientid to true to replace the clientid that a client
# connected with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid
# Change the websockets headers size. This is a global option, it is not
# possible to set per listener. This option sets the size of the buffer used in
# the libwebsockets library when reading HTTP headers. If you are passing large
# header data such as cookies then you may need to increase this value. If left
# unset, or set to 0, then the default of 1024 bytes will be used.
#websockets_headers_size
Certificate based SSL/TLS support
# The following options can be used to enable certificate based SSL/TLS support
# for this listener. Note that the recommended port for MQTT over TLS is 8883,
# but this must be set manually.
#
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# At least one of cafile or capath must be defined to enable certificate based
# TLS encryption. They both define methods of accessing the PEM encoded
# Certificate Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath
# Path to the PEM encoded server certificate.
#certfile
# Path to the PEM encoded keyfile.
#keyfile
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
#ciphers
# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile
# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with the command
# e.g. "openssl dhparam -out dhparam.pem 2048"
#dhparamfile
# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false
# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
#use_identity_as_username false
Pre-shared-key based SSL/TLS support
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint
# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers
# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false
Persistence
# If persistence is enabled, save the in-memory database to disk every
# autosave_interval seconds. If set to 0, the persistence database will only
# be written when mosquitto exits. See also autosave_on_changes.
# Note that writing of the persistence database can be forced by sending
# mosquitto a SIGUSR1 signal.
#autosave_interval 1800
# If true, mosquitto will count the number of subscription changes, retained
# messages received and queued messages and if the total exceeds
# autosave_interval then the in-memory database will be saved to disk.
# If false, mosquitto will save the in-memory database to disk by treating
# autosave_interval as a time in seconds.
#autosave_on_changes false
# Save persistent message data to disk (true/false). This saves information
# about all messages, including subscriptions, currently in-flight messages
# and retained messages.
# retained_persistence is a synonym for this option.
#persistence false
# The filename to use for the persistent database, not including the path.
#persistence_file mosquitto.db
# Location for persistent database. Must include trailing /
# Default is an empty string (current directory). Set to /var/lib/mosquitto/
# if running as a proper service on Linux or similar.
# Paths that appear in these configuration notes, such as "/var/run/mosquitto"
# or "/var/log/messages", are relative to the root of the system drive; on
# Windows, for example, "/var/run/mosquitto" means "c:\var\run\mosquitto".
#persistence_location
Logging
# Places to log to. Use multiple log_dest lines for multiple
# logging destinations.
#
#
# stdout and stderr log to the console on the named output.
#
# syslog uses the userspace syslog facility which usually ends up
# in /var/log/messages or similar.
#
# topic logs to the broker topic '$SYS/broker/log/<severity>',
# where severity is one of D, E, W, N, I, M which are debug, error,
# warning, notice, information and message. Message type severity is used by
# the subscribe/unsubscribe log_types and publishes log messages to
# $SYS/broker/log/M/subscribe or $SYS/broker/log/M/unsubscribe.
#
# The file destination requires an additional parameter which is the file to be
# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
# closed and reopened when the broker receives a HUP signal. Only a single file
# destination may be configured.
#
# Note that if the broker is running as a Windows service it will default to
# "log_dest none" and neither stdout nor stderr logging is available.
# Possible values are: stdout stderr syslog topic file
# File example (two parameters): log_dest file /var/log/mosquitto.log
# Use "log_dest none" if you wish to disable logging.
#log_dest stderr
# Types of messages to log. Use multiple log_type lines for logging
# multiple types of messages.
# Possible types are: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, websockets, all.
# Note that debug type messages are for decoding the incoming/outgoing
# network packets. They are not logged in "topics".
#log_type error
#log_type warning
#log_type notice
#log_type information
# If set to true, client connection and disconnection messages will be included
# in the log.
#connection_messages true
# If using syslog logging (not on Windows), messages will be logged to the
# "daemon" facility by default. Use the log_facility option to choose which of
# local0 to local7 to log to instead. The option value should be an integer
# value, e.g. "log_facility 5" to use local5.
#log_facility
# If set to true, add a timestamp value to each log message.
#log_timestamp true
# Set the format of the log timestamp. If left unset, this is the number of
# seconds since the Unix epoch.
# This is a free text string which will be passed to the strftime function. To
# get an ISO 8601 datetime, for example:
# log_timestamp_format %Y-%m-%dT%H:%M:%S
log_timestamp_format %Y-%m-%dT%H:%M:%S
# Change the websockets logging level. This is a global option, it is not
# possible to set per listener. This is an integer that is interpreted by
# libwebsockets as a bit mask for its lws_log_levels enum. See the
# libwebsockets documentation for more details. "log_type websockets" must also
# be enabled.
#websockets_log_level 0
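With connection_messages and log_type notice enabled, the log records every accepted connection and every client the broker turns away as not authorised, which makes the log a usable feed for spotting credential guessing against the broker. The script below is an added example (not part of mosquitto): it parses lines in the `<timestamp>: <message>` shape that the uncommented `log_timestamp_format %Y-%m-%dT%H:%M:%S` setting above produces and raises an alert when one client id accumulates repeated "not authorised" disconnects, or one source address opens repeated connections, inside a sliding window. The SAMPLE_LOG lines, addresses and client ids are constructed for the example in the shape of the broker's "New connection from ..." and "... disconnected, not authorised." messages; the thresholds are example values.

```python
"""Spot bursts of failed authentication in mosquitto's log output.

Added example for this page, not part of mosquitto. Assumes the uncommented
"log_timestamp_format %Y-%m-%dT%H:%M:%S" setting and the default
connection_messages / log_type notice settings, so each line reads
"<timestamp>: <message>". SAMPLE_LOG is constructed for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

LOG_TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S"

LINE_RE = re.compile(r"^(?P<ts>\S+): (?P<msg>.*)$")
NEW_CONN_RE = re.compile(r"^New connection from (?P<ip>[0-9A-Fa-f.:]+) on port \d+\.$")
NOT_AUTH_RE = re.compile(r"^Client (?P<client>\S+) disconnected, not authorised\.$")

SAMPLE_LOG = """\
2024-03-01T08:00:00: New connection from 10.0.0.5 on port 1883.
2024-03-01T08:00:00: New client connected from 10.0.0.5 as sensor-12 (p2, c1, k60, u'sensor').
2024-03-01T08:00:10: New connection from 203.0.113.7 on port 1883.
2024-03-01T08:00:10: Client <unknown> disconnected, not authorised.
2024-03-01T08:00:11: New connection from 203.0.113.7 on port 1883.
2024-03-01T08:00:11: Client <unknown> disconnected, not authorised.
2024-03-01T08:00:13: New connection from 203.0.113.7 on port 1883.
2024-03-01T08:00:13: Client <unknown> disconnected, not authorised.
2024-03-01T08:05:00: New connection from 10.0.0.6 on port 1883.
2024-03-01T08:05:00: Client <unknown> disconnected, not authorised.
"""

# (key, time of the event that reached the threshold, events in the window)
Alert = Tuple[str, datetime, int]


def parse_log(text: str) -> List[Tuple[datetime, str]]:
    """Split log text into (timestamp, message) pairs, skipping lines that do not parse."""
    events: List[Tuple[datetime, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group("ts"), LOG_TIMESTAMP_FORMAT)
        except ValueError:
            continue  # e.g. epoch-second timestamps written before the format was changed
        events.append((ts, m.group("msg")))
    return events


def bursts(events: Iterable[Tuple[datetime, str]], threshold: int, window: timedelta) -> List[Alert]:
    """Sliding-window counter: alert on each event at which a key has >= threshold events in the window."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ts, key in events:  # log lines are assumed to be in time order
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((key, ts, len(q)))
    return alerts


def auth_failure_alerts(text: str, threshold: int = 3, window_seconds: int = 60) -> List[Alert]:
    """'not authorised' disconnects per client id; the id is <unknown> when the client sent none."""
    events = []
    for ts, msg in parse_log(text):
        m = NOT_AUTH_RE.match(msg)
        if m:
            events.append((ts, m.group("client")))
    return bursts(events, threshold, timedelta(seconds=window_seconds))


def connection_alerts(text: str, threshold: int = 3, window_seconds: int = 60) -> List[Alert]:
    """Repeated connections from one source address; the broker logs the address on this line only."""
    events = []
    for ts, msg in parse_log(text):
        m = NEW_CONN_RE.match(msg)
        if m:
            events.append((ts, m.group("ip")))
    return bursts(events, threshold, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for key, ts, count in auth_failure_alerts(SAMPLE_LOG):
        print(f"{ts.isoformat()} auth failures for client id {key}: {count} in window")
    for key, ts, count in connection_alerts(SAMPLE_LOG):
        print(f"{ts.isoformat()} connections from {key}: {count} in window")
```

Because the "not authorised" line names the client id rather than the source address, the two detectors complement each other: a guessing client can vary its id, but the "New connection from" lines still tie the attempts to an address. Run it against a file written by `log_dest file` by reading that file into the `text` argument.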
Security
# If set, only clients that have a matching prefix on their clientid will be
# allowed to connect to the broker. By default, all clients may connect.
# For example, setting "secure-" here would mean a client "secure-client"
# could connect but another with clientid "mqtt" couldn't.
#clientid_prefixes
# Boolean value that determines whether clients that connect without providing
# a username are allowed to connect. If set to false then a password file
# should be created (see the password_file option) to control authenticated
# client access.
# Defaults to true if no other security options are set. If `password_file` or
# `psk_file` is set, or if an authentication plugin is loaded which implements
# username/password or TLS-PSK checks, then `allow_anonymous` defaults to
# false.
#allow_anonymous true
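The general, listener TLS and Security sections above each describe one setting whose default or misuse leaves the broker open, and those interactions (allow_anonymous defaulting on when no password_file, psk_file or auth_plugin is set; certfile needing cafile or capath before TLS is enabled) are easy to get wrong when editing this file by hand. The script below is an added example, not part of mosquitto: it reads a file in the same `option value` / `# comment` format the broker uses and reports the combinations covered by this page, including bridge_insecure from the Bridges section later in the file. SAMPLE_CONF, its file paths and its hostname are constructed for the example.

```python
"""Flag risky settings in a mosquitto.conf-style file.

Added example for this page, not part of mosquitto. It reads the same
"option value" / "# comment" line format the broker uses and reports
settings that weaken client authentication or transport security. The
SAMPLE_CONF text and its file paths are constructed for the example.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

SAMPLE_CONF = """\
# constructed sample: TLS material present, but several weak choices remain
per_listener_settings false
allow_anonymous true
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
tls_version tlsv1.1
require_certificate false
user root
connection remote-site
address broker.example.invalid:8883
bridge_insecure true
"""


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Return (option, value) pairs in file order; comments and blank lines are dropped.

    As in mosquitto, the option is the first word and the value is the rest of
    the line; an option given with no value yields an empty string.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def lint(text: str) -> List[str]:
    """Return findings as "option: reason" strings; an empty list means nothing was flagged."""
    opts: Dict[str, List[str]] = {}
    for key, value in parse_conf(text):
        opts.setdefault(key, []).append(value)

    def last(key: str, default: str = "") -> str:
        # A repeated option keeps its last value, as a sequential parser would.
        return opts[key][-1].lower() if key in opts else default

    findings: List[str] = []

    # allow_anonymous defaults to true only when no authentication source
    # (password_file, psk_file or an auth_plugin) is configured; model that.
    has_auth_source = any(k in opts for k in ("password_file", "psk_file", "auth_plugin"))
    if last("allow_anonymous", "false" if has_auth_source else "true") == "true":
        findings.append("allow_anonymous: clients may connect without credentials")
        if "acl_file" not in opts:
            findings.append("acl_file: not set, so anonymous clients can read and write every topic")

    # Transport: certificate TLS needs certfile plus cafile/capath; PSK needs psk_hint.
    if "certfile" not in opts and "psk_hint" not in opts:
        findings.append("certfile/psk_hint: neither set, the listener carries plaintext MQTT")
    if "certfile" in opts and "cafile" not in opts and "capath" not in opts:
        findings.append("cafile/capath: one is required with certfile for TLS to be enabled")
    if last("tls_version") == "tlsv1.1":
        findings.append("tls_version: tlsv1.1 accepted, restrict to tlsv1.2 or tlsv1.3")

    # Process privileges and bridge certificate checks.
    if last("user") == "root":
        findings.append("user: root, the broker keeps root privileges after startup")
    if last("bridge_insecure") == "true":
        findings.append("bridge_insecure: remote hostname not checked against its certificate (testing only)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

The linter treats the file as one flat listener, which matches a configuration with per_listener_settings false; with per_listener_settings true the same checks would need to be repeated per `listener` block, since each block then carries its own password_file, acl_file and allow_anonymous.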
Default authentication and topic access control
# Control access to the broker using a password file. This file can be
# generated using the mosquitto_passwd utility. If TLS support is not compiled
# into mosquitto (it is recommended that TLS support should be included) then
# plain text passwords are used, in which case the file should be a text file
# with lines in the format:
# username:password
# The password (and colon) may be omitted if desired, although this offers
# very little in the way of security.
#
# See the TLS client require_certificate and use_identity_as_username options
# for alternative authentication options.
# If an auth_plugin is used as well as password_file, the auth_plugin check
# will be made first.
#password_file
# Access may also be controlled using a pre-shared-key file. This requires
# TLS-PSK support and a listener configured to use it. The file should be text
# lines in the format:
# identity:key
# The key should be in hexadecimal format without a leading "0x".
# If an auth_plugin is used as well, the auth_plugin check will be made first.
#psk_file
# Control access to topics on the broker using an access control list
# file. If this parameter is defined then only the topics listed will
# have access.
# If the first character of a line of the ACL file is a # it is treated as a
# comment.
# Topic access is added with lines of the format:
#
# topic [read|write|readwrite] <topic>
#
# The access type is controlled using "read", "write" or "readwrite". This
# parameter is optional (unless <topic> contains a space character) - if not
# given then the access is read/write. <topic> can contain the + or #
# wildcards as in subscriptions.
#
# The first set of topics are applied to anonymous clients, assuming
# allow_anonymous is true. User specific topic ACLs are added after a
# user line as follows:
#
# user <username>
#
# The username referred to here is the same as in password_file. It is
# not the clientid.
#
#
# It is also possible to define ACLs based on pattern substitution within the
# topic. The patterns available for substitution are:
#
# %c to match the client id of the client
# %u to match the username of the client
#
# The substitution pattern must be the only text for that level of hierarchy.
#
# The form is the same as for the topic keyword, but using pattern as the
# keyword.
# Pattern ACLs apply to all users even if the "user" keyword has previously
# been given.
#
# If using bridges with usernames and ACLs, connection messages can be allowed
# with the following pattern:
# pattern write $SYS/broker/connection/%c/state
#
# pattern [read|write|readwrite] <topic>
#
# Example:
#
# pattern write sensor/%u/data
#
# If an auth_plugin is used as well as acl_file, the auth_plugin check will be
# made first.
#acl_file
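The acl_file grammar above (anonymous topic lines, per-user sections introduced by `user`, and `pattern` lines with `%u`/`%c` substitution that apply to everyone) is compact but its precedence is easy to misread, and a mistake here is an authorization bug rather than a syntax error. The evaluator below is an added example, not mosquitto's own ACL code: it parses that grammar and answers whether a given username, client id and concrete topic name is allowed to read or write, defaulting to deny, and refuses to expand a `%u` or `%c` whose value contains `+`, `#` or `/` so that a client-chosen identity cannot turn a pattern into a wildcard. It models concrete topic names only; mosquitto's handling of wildcard subscriptions against ACLs is not reproduced. SAMPLE_ACL and the usernames, client ids and topics in it are constructed for the example.

```python
"""Evaluate mosquitto-style ACL rules for a (username, clientid, topic) request.

Added example for this page, not mosquitto's own code. It implements the
acl_file grammar described above (topic / user / pattern lines, %u and %c
substitution, default deny) for concrete topic names; subscription-time
matching of wildcard subscriptions is not modelled. SAMPLE_ACL is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ACCESS = {
    "read": frozenset({"read"}),
    "write": frozenset({"write"}),
    "readwrite": frozenset({"read", "write"}),
}

SAMPLE_ACL = """\
# anonymous section: clients without a username may only read announcements
topic read public/#

user alice
topic readwrite sensors/alice/#
topic read status

# pattern rules apply to every client, substituting its own identity
pattern write sensors/%u/data
pattern write $SYS/broker/connection/%c/state
"""


@dataclass(frozen=True)
class Rule:
    kind: str                # "topic" or "pattern"
    user: Optional[str]      # None = anonymous section (only meaningful for "topic")
    access: FrozenSet[str]
    topic: str


def parse_acl(text: str) -> List[Rule]:
    """Parse acl_file text; a 'user' line opens a section for the following topic lines."""
    rules: List[Rule] = []
    current_user: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "user":
            current_user = rest
            continue
        if keyword not in ("topic", "pattern"):
            raise ValueError(f"unknown ACL keyword: {keyword!r}")
        # The access type is optional; when omitted the access is readwrite and
        # the whole remainder of the line is the topic.
        head, _, tail = rest.partition(" ")
        if head in ACCESS and tail:
            access, topic = ACCESS[head], tail.strip()
        else:
            access, topic = ACCESS["readwrite"], rest
        rules.append(Rule(keyword, current_user, access, topic))
    return rules


def topic_matches(sub: str, topic: str) -> bool:
    """MQTT wildcard match of an ACL topic (may contain + and #) against a concrete topic."""
    sub_levels, topic_levels = sub.split("/"), topic.split("/")
    if topic.startswith("$") and sub_levels[0] in ("+", "#"):
        return False  # wildcards never match $SYS-style topics at the root level
    for i, level in enumerate(sub_levels):
        if level == "#":
            return i == len(sub_levels) - 1  # multi-level wildcard must be last
        if i >= len(topic_levels) or (level != "+" and level != topic_levels[i]):
            return False
    return len(sub_levels) == len(topic_levels)


def substitute(pattern: str, username: Optional[str], clientid: str) -> Optional[str]:
    """Expand %u / %c, each as a whole level; None means the rule cannot apply to this client."""
    out: List[str] = []
    for level in pattern.split("/"):
        if level == "%u":
            if username is None:
                return None  # %u rules need a username
            value = username
        elif level == "%c":
            value = clientid
        else:
            out.append(level)
            continue
        # A client-chosen identity must not inject wildcards or extra levels.
        if any(ch in value for ch in "+#/"):
            return None
        out.append(value)
    return "/".join(out)


def check(rules: List[Rule], username: Optional[str], clientid: str, topic: str, access: str) -> bool:
    """True if any rule grants `access` ("read" or "write") on `topic`; otherwise deny."""
    if access not in ("read", "write"):
        raise ValueError("access must be 'read' or 'write'")
    for rule in rules:
        if rule.kind == "topic":
            if rule.user != username:  # anonymous rules only apply to username None
                continue
            expanded: Optional[str] = rule.topic
        else:
            expanded = substitute(rule.topic, username, clientid)
            if expanded is None:
                continue
        if access in rule.access and topic_matches(expanded, topic):
            return True
    return False


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    print(check(rules, "alice", "c1", "sensors/alice/temp", "write"))  # granted by her section
    print(check(rules, "bob", "c2", "sensors/alice/temp", "read"))     # denied: no matching rule
```

The `%u` guard is the point to study: with a pattern like `sensors/%u/data`, a username of `+` or `#` would otherwise expand into a wildcard that grants access across every user's subtree, so the evaluator declines to match rather than expand it.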
External authentication and topic access plugin options
# External authentication and access control can be supported with the
# auth_plugin option. This is a path to a loadable plugin. See also the
# auth_opt_* options described below.
#
# The auth_plugin option can be specified multiple times to load multiple
# plugins. The plugins will be processed in the order that they are specified
# here. If the auth_plugin option is specified alongside either of
# password_file or acl_file then the plugin checks will be made first.
#
#auth_plugin
# If the auth_plugin option above is used, define options to pass to the
# plugin here as described by the plugin instructions. All options named
# using the format auth_opt_* will be passed to the plugin, for example:
#
# auth_opt_db_host
# auth_opt_db_port
# auth_opt_db_username
# auth_opt_db_password
=================================================================
Bridges
# A bridge is a way of connecting multiple MQTT brokers together.
# Create a new bridge using the "connection" option as described below. Set
# options for the bridges using the remaining parameters. You must specify the
# address and at least one topic to subscribe to.
#
# Each connection must have a unique name.
#
# The address line may have multiple host address and ports specified. See
# below in the round_robin description for more details on bridge behaviour if
# multiple addresses are used. Note that if you use an IPv6 address, then you
# are required to specify a port.
#
# The direction that the topic will be shared can be chosen by
# specifying out, in or both, where the default value is out.
# The QoS level of the bridged communication can be specified with the next
# topic option. The default QoS level is 0, to change the QoS the topic
# direction must also be given.
#
# The local and remote prefix options allow a topic to be remapped when it is
# bridged to/from the remote broker. This provides the ability to place a topic
# tree in an appropriate location.
#
# For more details see the mosquitto.conf man page.
#
# Multiple topics can be specified per connection, but be careful
# not to create any loops.
#
# If you are using bridges with cleansession set to false (the default), then
# you may get unexpected behaviour from incoming topics if you change what
# topics you are subscribing to. This is because the remote broker keeps the
# subscription for the old topic. If you have this problem, connect your bridge
# with cleansession set to true, then reconnect with cleansession set to false
# as normal.
#connection <name>
#address <host>[:<port>] [<host>[:<port>]]
#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
# If a bridge has topics that have "out" direction, the default behaviour is to
# send an unsubscribe request to the remote broker on that topic. This means
# that changing a topic direction from "in" to "out" will not keep receiving
# incoming messages. Sending these unsubscribe requests is not always
# desirable, setting bridge_attempt_unsubscribe to false will disable sending
# the unsubscribe request.
#bridge_attempt_unsubscribe true
# Set the version of the MQTT protocol to use for this bridge. Can be one of
# mqttv311 or mqttv31. Defaults to mqttv311.
#bridge_protocol_version mqttv311
# Set the clean session variable for this bridge.
# When set to true, when the bridge disconnects for any reason, all
# messages and subscriptions will be cleaned up on the remote
# broker. Note that with cleansession set to true, there may be a
# significant amount of retained messages sent when the bridge
# reconnects after losing its connection.
# When set to false, the subscriptions and messages are kept on the
# remote broker, and delivered when the bridge reconnects.
#cleansession false
# Set the amount of time a bridge using the lazy start type must be idle before
# it will be stopped. Defaults to 60 seconds.
#idle_timeout 60
# Set the keepalive interval for this bridge connection, in
# seconds.
#keepalive_interval 60
# Set the clientid to use on the local broker. If not defined, this defaults to
# 'local.<clientid>'. If you are bridging a broker to itself, it is important
# that local_clientid and clientid do not match.
#local_clientid
# If set to true, publish notification messages to the local and remote brokers
# giving information about the state of the bridge connection. Retained
# messages are published to the topic $SYS/broker/connection/<clientid>/state
# unless the notification_topic option is used.
# If the message is 1 then the connection is active, or 0 if the connection has
# failed.
# This uses the last will and testament feature.
#notifications true
# Choose the topic on which notification messages for this bridge are
# published. If not set, messages are published on the topic
# $SYS/broker/connection/<clientid>/state
#notification_topic
# Set the client id to use on the remote end of this bridge connection. If not
# defined, this defaults to 'name.hostname' where name is the connection name
# and hostname is the hostname of this computer.
# This replaces the old "clientid" option to avoid confusion. "clientid"
# remains valid for the time being.
#remote_clientid
# Set the password to use when connecting to a broker that requires
# authentication. This option is only used if remote_username is also set.
# This replaces the old "password" option to avoid confusion. "password"
# remains valid for the time being.
#remote_password
# Set the username to use when connecting to a broker that requires
# authentication.
# This replaces the old "username" option to avoid confusion. "username"
# remains valid for the time being.
#remote_username
# Set the amount of time a bridge using the automatic start type will wait
# until attempting to reconnect.
# This option can be configured to use a constant delay time in seconds, or to
# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree
# of randomness to when the restart occurs.
#
# Set a constant timeout of 20 seconds:
# restart_timeout 20
#
# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of
# 60 seconds:
# restart_timeout 10 30
#
# Defaults to jitter with a base of 5 and cap of 30
#restart_timeout 5 30
# If the bridge has more than one address given in the address/addresses
# configuration, the round_robin option defines the behaviour of the bridge on
# a failure of the bridge connection. If round_robin is false, the default
# value, then the first address is treated as the main bridge connection. If
# the connection fails, the other secondary addresses will be attempted in
# turn. Whilst connected to a secondary bridge, the bridge will periodically
# attempt to reconnect to the main bridge until successful.
# If round_robin is true, then all addresses are treated as equals. If a
# connection fails, the next address will be tried and if successful will
# remain connected until it fails.
#round_robin false
# Set the start type of the bridge. This controls how the bridge starts and
# can be one of three types: automatic, lazy and once. Note that RSMB provides
# a fourth start type "manual" which isn't currently supported by mosquitto.
#
# "automatic" is the default start type and means that the bridge connection
# will be started automatically when the broker starts and also restarted
# after a short delay (30 seconds) if the connection fails.
#
# Bridges using the "lazy" start type will be started automatically when the
# number of queued messages exceeds the number set with the "threshold"
# parameter. It will be stopped automatically after the time set by the
# "idle_timeout" parameter. Use this start type if you wish the connection to
# only be active when it is needed.
#
# A bridge using the "once" start type will be started automatically when the
# broker starts but will not be restarted if the connection fails.
#start_type automatic
# Set the number of messages that need to be queued for a bridge with lazy
# start type to be restarted. Defaults to 10 messages.
# Must be less than max_queued_messages.
#threshold 10
# If try_private is set to true, the bridge will attempt to indicate to the
# remote broker that it is a bridge not an ordinary client. If successful, this
# means that loop detection will be more effective and that retained messages
# will be propagated correctly. Not all brokers support this feature so it may
# be necessary to set try_private to false if your bridge does not connect
# properly.
#try_private true
Certificate based SSL/TLS support
# Either bridge_cafile or bridge_capath must be defined to enable TLS support
# for this bridge.
# bridge_cafile defines the path to a file containing the
# Certificate Authority certificates that have signed the remote broker
# certificate.
# bridge_capath defines a directory that will be searched for files containing
# the CA certificates. For bridge_capath to work correctly, the certificate
# files must have ".crt" as the file ending and you must run "openssl rehash
# <path to capath>" each time you add/remove a certificate.
#bridge_cafile
#bridge_capath
# If the remote broker has more than one protocol available on its port, e.g.
# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
# requested. Note that WebSockets support for bridges is not yet available.
#bridge_alpn
# When using certificate based encryption, bridge_insecure disables
# verification of the server hostname in the server certificate. This can be
# useful when testing initial server configurations, but makes it possible for
# a malicious third party to impersonate your server through DNS spoofing, for
# example. Use this option in testing only. If you need to resort to using this
# option in a production environment, your setup is at fault and there is no
# point using encryption.
#bridge_insecure false
# Path to the PEM encoded client certificate, if required by the remote broker.
#bridge_certfile
# Path to the PEM encoded client private key, if required by the remote broker.
#bridge_keyfile
PSK based SSL/TLS support
# Pre-shared-key encryption provides an alternative to certificate based
# encryption. A bridge can be configured to use PSK with the bridge_identity
# and bridge_psk options. These are the client PSK identity, and pre-shared-key
# in hexadecimal format with no "0x". Only one of certificate and PSK based
# encryption can be used on one bridge at once.
#bridge_identity
#bridge_psk
External config files
# External configuration files may be included by using the include_dir
# option. This defines a directory that will be searched for config files.
# All files that end in '.conf' will be loaded as a configuration file.
# It is best to have this as the last option in the main file.
# This option will only be processed from the main configuration file.
# The directory specified must not contain the main configuration file.
# Files within include_dir will be loaded sorted in case-sensitive alphabetical
# order, with capital letters ordered first. If this option is given multiple
# times, all of the files from the first instance will be processed before the
# next instance. See the man page for examples.
#include_dir