1 | <?xml version='1.0' encoding='UTF-8'?>
|
2 | <?xml-stylesheet type="text/xsl" href="manpage.xsl"?>
|
3 |
|
4 | <refentry xml:id="mosquitto.conf" xmlns:xlink="http://www.w3.org/1999/xlink">
|
5 | <refmeta>
|
6 | <refentrytitle>mosquitto.conf</refentrytitle>
|
7 | <manvolnum>5</manvolnum>
|
8 | <refmiscinfo class="source">Mosquitto Project</refmiscinfo>
|
9 | <refmiscinfo class="manual">File formats and conventions</refmiscinfo>
|
10 | </refmeta>
|
11 |
|
12 | <refnamediv>
|
13 | <refname>mosquitto.conf</refname>
|
14 | <refpurpose>the configuration file for mosquitto</refpurpose>
|
15 | </refnamediv>
|
16 |
|
17 | <refsynopsisdiv>
|
18 | <cmdsynopsis>
|
19 | <command>mosquitto.conf</command>
|
20 | </cmdsynopsis>
|
21 | </refsynopsisdiv>
|
22 |
|
23 | <refsect1>
|
24 | <title>Description</title>
|
25 | <para><command>mosquitto.conf</command> is the configuration file for
|
26 | mosquitto. This file can reside anywhere as long as mosquitto can read
|
27 | it. By default, mosquitto does not need a configuration file and will
|
28 | use the default values listed below. See
|
29 | <citerefentry><refentrytitle>mosquitto</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
30 | for information on how to load a configuration file.</para>
|
31 | </refsect1>
|
32 |
|
33 | <refsect1>
|
34 | <title>File Format</title>
|
35 | <para>All lines with a # as the very first character are treated as a
|
36 | comment.</para>
|
37 | <para>Configuration lines start with a variable name. The variable
|
38 | value is separated from the name by a single space.</para>
|
39 | </refsect1>
|
40 |
|
41 | <refsect1>
|
42 | <title>Authentication</title>
|
43 | <para>The authentication options described below allow a wide range of
|
44 | possibilities in conjunction with the listener options. This
|
45 | section aims to clarify the possibilities.</para>
|
46 | <para>The simplest option is to have no authentication at all. This is
|
47 | the default if no other options are given. Unauthenticated
|
48 | encrypted support is provided by using the certificate based
|
49 | SSL/TLS based options cafile/capath, certfile and keyfile.</para>
|
50 | <para>MQTT provides username/password authentication as part of the
|
51 | protocol. Use the password_file option to define the valid
|
52 | usernames and passwords. Be sure to use network encryption if you
|
53 | are using this option otherwise the username and password will be
|
54 | vulnerable to interception.</para>
|
55 | <para>When using certificate based encryption there are two options
|
56 | that affect authentication. The first is require_certificate, which
|
57 | may be set to true or false. If false, the SSL/TLS component of the
|
58 | client will verify the server but there is no requirement for the
|
59 | client to provide anything for the server: authentication is
|
60 | limited to the MQTT built in username/password. If
|
61 | require_certificate is true, the client must provide a valid
|
62 | certificate in order to connect successfully. In this case, the
|
63 | second option, use_identity_as_username, becomes relevant. If set
|
64 | to true, the Common Name (CN) from the client certificate is used
|
65 | instead of the MQTT username for access control purposes. The
|
66 | password is not replaced because it is assumed that only
|
67 | authenticated clients have valid certificates. If
|
68 | use_identity_as_username is false, the client must authenticate as
|
69 | normal (if required by password_file) through the MQTT
|
70 | options.</para>
|
71 | <para>When using pre-shared-key based encryption through the psk_hint
|
72 | and psk_file options, the client must provide a valid identity and
|
73 | key in order to connect to the broker before any MQTT communication
|
74 | takes place. If use_identity_as_username is true, the PSK identity
|
75 | is used instead of the MQTT username for access control purposes.
|
76 | If use_identity_as_username is false, the client may still
|
77 | authenticate using the MQTT username/password if using the
|
78 | password_file option.</para>
|
79 | <para>Both certificate and PSK based encryption are configured on a per-listener basis.</para>
|
80 | <para>Authentication plugins can be created to replace the
|
81 | password_file and psk_file options (as well as the ACL options)
|
82 | with e.g. SQL based lookups.</para>
|
83 | <para>It is possible to support multiple authentication schemes at
|
84 | once. A config could be created that had a listener for all of the
|
85 | different encryption options described above and hence a large
|
86 | number of ways of authenticating.</para>
|
87 | </refsect1>
|
88 |
|
89 | <refsect1>
|
90 | <title>General Options</title>
|
91 | <variablelist>
|
92 | <varlistentry>
|
93 | <term><option>acl_file</option> <replaceable>file path</replaceable></term>
|
94 | <listitem>
|
95 | <para>Set the path to an access control list file. If
|
96 | defined, the contents of the file are used to control
|
97 | client access to topics on the broker.</para>
|
98 | <para>If this parameter is defined then only the topics
|
99 | listed will have access. Topic access is added with
|
100 | lines of the format:</para>
|
101 |
|
102 | <para><code>topic [read|write] <topic></code></para>
|
103 |
|
104 | <para>The access type is controlled using "read" or
|
105 | "write". This parameter is optional - if not given then
|
106 | the access is read/write. <topic> can contain
|
107 | the + or # wildcards as in subscriptions.</para>
|
108 |
|
109 | <para>The first set of topics are applied to anonymous
|
110 | clients, assuming <option>allow_anonymous</option> is
|
111 | true. User specific topic ACLs are added after a user
|
112 | line as follows:</para>
|
113 |
|
114 | <para><code>user <username></code></para>
|
115 |
|
116 | <para>The username referred to here is the same as in
|
117 | <option>password_fil</option>e. It is not the
|
118 | clientid.</para>
|
119 |
|
120 | <para>It is also possible to define ACLs based on pattern
|
121 | substitution within the topic. The form is the same as
|
122 | for the topic keyword, but using pattern as the
|
123 | keyword.</para>
|
124 | <para><code>pattern [read|write] <topic></code></para>
|
125 |
|
126 | <para>The patterns available for substition are:</para>
|
127 | <itemizedlist mark="circle">
|
128 | <listitem><para>%c to match the client id of the client</para></listitem>
|
129 | <listitem><para>%u to match the username of the client</para></listitem>
|
130 | </itemizedlist>
|
131 | <para>The substitution pattern must be the only text for
|
132 | that level of hierarchy. Pattern ACLs apply to all
|
133 | users even if the "user" keyword has previously been
|
134 | given.</para>
|
135 |
|
136 | <para>Example:</para>
|
137 | <para><code>pattern write sensor/%u/data</code></para>
|
138 | <para>Allow access for bridge connection messages:</para>
|
139 | <para><code>pattern write $SYS/broker/connection/%c/state</code></para>
|
140 |
|
141 | <para>If the first character of a line of the ACL file is a
|
142 | # it is treated as a comment.</para>
|
143 |
|
144 | <para>Reloaded on reload signal. The currently loaded ACLs
|
145 | will be freed and reloaded. Existing subscriptions will
|
146 | be affected after the reload.</para>
|
147 | </listitem>
|
148 | </varlistentry>
|
149 | <varlistentry>
|
150 | <term><option>allow_anonymous</option> [ true | false ]</term>
|
151 | <listitem>
|
152 | <para>Boolean value that determines whether clients that
|
153 | connect without providing a username are allowed to
|
154 | connect. If set to <replaceable>false</replaceable>
|
155 | then another means of connection should be created to
|
156 | control authenticated client access. Defaults to
|
157 | <replaceable>true</replaceable>.</para>
|
158 | <para>Reloaded on reload signal.</para>
|
159 | </listitem>
|
160 | </varlistentry>
|
161 | <varlistentry>
|
162 | <term><option>allow_duplicate_messages</option> [ true | false ]</term>
|
163 | <listitem>
|
164 | <para>If a client is subscribed to multiple subscriptions
|
165 | that overlap, e.g. foo/# and foo/+/baz , then MQTT
|
166 | expects that when the broker receives a message on a
|
167 | topic that matches both subscriptions, such as
|
168 | foo/bar/baz, then the client should only receive the
|
169 | message once.</para>
|
170 | <para>Mosquitto keeps track of which clients a message has
|
171 | been sent to in order to meet this requirement. This
|
172 | option allows this behaviour to be disabled, which may
|
173 | be useful if you have a large number of clients
|
174 | subscribed to the same set of topics and want to
|
175 | minimise memory usage.</para>
|
176 | <para>It can be safely set to
|
177 | <replaceable>true</replaceable> if you know in advance
|
178 | that your clients will never have overlapping
|
179 | subscriptions, otherwise your clients must be able to
|
180 | correctly deal with duplicate messages even when then
|
181 | have QoS=2.</para>
|
182 | <para>Defaults to <replaceable>true</replaceable>.</para>
|
183 | <para>Reloaded on reload signal.</para>
|
184 | </listitem>
|
185 | </varlistentry>
|
186 | <varlistentry>
|
187 | <term><option>auth_opt_*</option> <replaceable>value</replaceable></term>
|
188 | <listitem>
|
189 | <para>Options to be passed to the auth plugin. See the
|
190 | specific plugin instructions. </para>
|
191 | </listitem>
|
192 | </varlistentry>
|
193 | <varlistentry>
|
194 | <term><option>auth_plugin</option> <replaceable>file path</replaceable></term>
|
195 | <listitem>
|
196 | <para>Specify an external module to use for authentication
|
197 | and access control. This allows custom
|
198 | username/password and access control functions to be
|
199 | created.</para>
|
200 | <para>Not currently reloaded on reload signal.</para>
|
201 | </listitem>
|
202 | </varlistentry>
|
203 | <varlistentry>
|
204 | <term><option>autosave_interval</option> <replaceable>seconds</replaceable></term>
|
205 | <listitem>
|
206 | <para>The number of seconds that mosquitto will wait
|
207 | between each time it saves the in-memory database to
|
208 | disk. If set to 0, the in-memory database will only be
|
209 | saved when mosquitto exits or when receiving the
|
210 | SIGUSR1 signal. Note that this setting only has an
|
211 | effect if persistence is enabled. Defaults to 1800
|
212 | seconds (30 minutes).</para>
|
213 | <para>Reloaded on reload signal.</para>
|
214 | </listitem>
|
215 | </varlistentry>
|
216 | <varlistentry>
|
217 | <term><option>autosave_on_changes</option> [ true | false ]</term>
|
218 | <listitem>
|
219 | <para>If <replaceable>true</replaceable>, mosquitto will
|
220 | count the number of subscription changes, retained
|
221 | messages received and queued messages and if the total
|
222 | exceeds <option>autosave_interval</option> then the
|
223 | in-memory database will be saved to disk. If
|
224 | <replaceable>false</replaceable>, mosquitto will save
|
225 | the in-memory database to disk by treating
|
226 | <option>autosave_interval</option> as a time in
|
227 | seconds.</para>
|
228 | <para>Reloaded on reload signal.</para>
|
229 | </listitem>
|
230 | </varlistentry>
|
231 | <varlistentry>
|
232 | <term><option>clientid_prefixes</option> <replaceable>prefix</replaceable></term>
|
233 | <listitem>
|
234 | <para>If defined, only clients that have a clientid with a
|
235 | prefix that matches clientid_prefixes will be allowed
|
236 | to connect to the broker. For example, setting
|
237 | "secure-" here would mean a client "secure-client"
|
238 | could connect but another with clientid "mqtt"
|
239 | couldn't. By default, all client ids are valid.</para>
|
240 | <para>Reloaded on reload signal. Note that currently
|
241 | connected clients will be unaffected by any
|
242 | changes.</para>
|
243 | </listitem>
|
244 | </varlistentry>
|
245 | <varlistentry>
|
246 | <term><option>connection_messages</option> [ true | false ]</term>
|
247 | <listitem>
|
248 | <para>If set to <replaceable>true</replaceable>, the log
|
249 | will include entries when clients connect and
|
250 | disconnect. If set to <replaceable>false</replaceable>,
|
251 | these entries will not appear.</para>
|
252 | <para>Reloaded on reload signal.</para>
|
253 | </listitem>
|
254 | </varlistentry>
|
255 | <varlistentry>
|
256 | <term><option>include_dir</option> <replaceable>dir</replaceable></term>
|
257 | <listitem>
|
258 | <para>External configuration files may be included by using
|
259 | the include_dir option. This defines a directory that
|
260 | will be searched for config files. All files that end
|
261 | in '.conf' will be loaded as a configuration file. It
|
262 | is best to have this as the last option in the main
|
263 | file. This option will only be processed from the main
|
264 | configuration file. The directory specified must not
|
265 | contain the main configuration file.</para>
|
266 | </listitem>
|
267 | </varlistentry>
|
268 | <varlistentry>
|
269 | <term><option>log_dest</option> <replaceable>destinations</replaceable></term>
|
270 | <listitem>
|
271 | <para>Send log messages to a particular destination.
|
272 | Possible destinations are: <option>stdout</option>
|
273 | <option>stderr</option> <option>syslog</option>
|
274 | <option>topic</option>.</para>
|
275 | <para><option>stdout</option> and
|
276 | <option>stderr</option> log to the console on the
|
277 | named output.</para>
|
278 | <para><option>syslog</option> uses the userspace syslog
|
279 | facility which usually ends up in /var/log/messages or
|
280 | similar and topic logs to the broker topic
|
281 | '$SYS/broker/log/<severity>', where severity is
|
282 | one of D, E, W, N, I, M which are debug, error,
|
283 | warning, notice, information and message. Message type
|
284 | severity is used by the subscribe and unsubscribe
|
285 | log_type options and publishes log messages at
|
286 | $SYS/broker/log/M/subscribe and
|
287 | $SYS/broker/log/M/unsubscribe.</para>
|
288 | <para>The <option>file</option> destination requires an
|
289 | additional parameter which is the file to be logged to,
|
290 | e.g. "log_dest file /var/log/mosquitto.log". The file
|
291 | will be closed and reopened when the broker receives a
|
292 | HUP signal. Only a single file destination may be
|
293 | configured.</para>
|
294 | <para>Use "log_dest none" if you wish to disable logging.
|
295 | Defaults to stderr. This option may be specified
|
296 | multiple times.</para>
|
297 | <para>Note that if the broker is running as a Windows
|
298 | service it will default to "log_dest none" and neither
|
299 | stdout nor stderr logging is available.</para>
|
300 | <para>Reloaded on reload signal.</para>
|
301 | </listitem>
|
302 | </varlistentry>
|
303 | <varlistentry>
|
304 | <term><option>log_timestamp</option> [ true | false ]</term>
|
305 | <listitem>
|
306 | <para>Boolean value, if set to
|
307 | <replaceable>true</replaceable> a timestamp value will
|
308 | be added to each log entry. The default is
|
309 | <replaceable>true</replaceable>.</para>
|
310 | <para>Reloaded on reload signal.</para>
|
311 | </listitem>
|
312 | </varlistentry>
|
313 | <varlistentry>
|
314 | <term><option>log_type</option> <replaceable>types</replaceable></term>
|
315 | <listitem>
|
316 | <para>Choose types of messages to log. Possible types are:
|
317 | <replaceable>debug</replaceable>,
|
318 | <replaceable>error</replaceable>,
|
319 | <replaceable>warning</replaceable>,
|
320 | <replaceable>notice</replaceable>,
|
321 | <replaceable>information</replaceable>,
|
322 | <replaceable>none</replaceable>,
|
323 | <replaceable>all</replaceable>. Defaults to
|
324 | <replaceable>error</replaceable>,
|
325 | <replaceable>warning</replaceable>, <replaceable>notice
|
326 | </replaceable>and
|
327 | <replaceable>information</replaceable>. This option
|
328 | may be specified multiple times. Note that the
|
329 | <replaceable>debug </replaceable>type (used for
|
330 | decoding incoming/outgoing network packets) is never
|
331 | logged in topics.</para>
|
332 | <para>Reloaded on reload signal.</para>
|
333 | </listitem>
|
334 | </varlistentry>
|
335 | <varlistentry>
|
336 | <term><option>max_inflight_messages</option> <replaceable>count</replaceable></term>
|
337 | <listitem>
|
338 | <para>The maximum number of QoS 1 or 2 messages that can be
|
339 | in the process of being transmitted simultaneously.
|
340 | This includes messages currently going through
|
341 | handshakes and messages that are being retried.
|
342 | Defaults to 20. Set to 0 for no maximum. If set to 1,
|
343 | this will guarantee in-order delivery of
|
344 | messages.</para>
|
345 | <para>Reloaded on reload signal.</para>
|
346 | </listitem>
|
347 | </varlistentry>
|
348 | <varlistentry>
|
349 | <term><option>max_queued_messages</option> <replaceable>count</replaceable></term>
|
350 | <listitem>
|
351 | <para>The maximum number of QoS 1 or 2 messages to hold in
|
352 | the queue above those messages that are currently in
|
353 | flight. Defaults to 100. Set to 0 for no maximum (not
|
354 | recommended). See also the
|
355 | <option>queue_qos0_messages</option> option.</para>
|
356 | <para>Reloaded on reload signal.</para>
|
357 | </listitem>
|
358 | </varlistentry>
|
359 | <varlistentry>
|
360 | <term><option>message_size_limit</option> <replaceable>limit</replaceable></term>
|
361 | <listitem>
|
362 | <para>This option sets the maximum publish payload size
|
363 | that the broker will allow. Received messages that
|
364 | exceed this size will not be accepted by the broker.
|
365 | The default value is 0, which means that all valid MQTT
|
366 | messages are accepted. MQTT imposes a maximum payload
|
367 | size of 268435455 bytes.</para>
|
368 | </listitem>
|
369 | </varlistentry>
|
370 | <varlistentry>
|
371 | <term><option>password_file</option> <replaceable>file path</replaceable></term>
|
372 | <listitem>
|
373 | <para>Set the path to a password file. If defined, the
|
374 | contents of the file are used to control client access
|
375 | to the broker. The file can be created using the
|
376 | <citerefentry><refentrytitle>mosquitto_passwd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
377 | utility. If mosquitto is compiled without TLS support
|
378 | (it is recommended that TLS support is included), then
|
379 | the password file should be a text file with each line
|
380 | in the format "username:password", where the colon and
|
381 | password are optional but recommended. If
|
382 | <option>allow_anonymous</option> is set to
|
383 | <replaceable>false</replaceable>, only users defined in
|
384 | this file will be able to connect. Setting
|
385 | <option>allow_anonymous</option> to
|
386 | <replaceable>true</replaceable> when
|
387 | <replaceable>password_file</replaceable>is defined is
|
388 | valid and could be used with acl_file to have e.g. read
|
389 | only guest/anonymous accounts and defined users that
|
390 | can publish.</para>
|
391 | <para>Reloaded on reload signal. The currently loaded
|
392 | username and password data will be freed and reloaded.
|
393 | Clients that are already connected will not be
|
394 | affected.</para>
|
395 | <para>See also
|
396 | <citerefentry><refentrytitle>mosquitto_passwd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
397 | </listitem> </varlistentry>
|
398 | <varlistentry>
|
399 | <term><option>persistence</option> [ true | false ]</term>
|
400 | <listitem>
|
401 | <para>If <replaceable>true</replaceable>, connection,
|
402 | subscription and message data will be written to the
|
403 | disk in mosquitto.db at the location dictated by
|
404 | persistence_location. When mosquitto is restarted, it
|
405 | will reload the information stored in mosquitto.db. The
|
406 | data will be written to disk when mosquitto closes and
|
407 | also at periodic intervals as defined by
|
408 | autosave_interval. Writing of the persistence database
|
409 | may also be forced by sending mosquitto the SIGUSR1
|
410 | signal. If <replaceable>false</replaceable>, the data
|
411 | will be stored in memory only. Defaults to
|
412 | <replaceable>false</replaceable>.</para>
|
413 | <para>Reloaded on reload signal.</para>
|
414 | </listitem>
|
415 | </varlistentry>
|
416 | <varlistentry>
|
417 | <term><option>persistence_file</option> <replaceable>file name</replaceable></term>
|
418 | <listitem>
|
419 | <para>The filename to use for the persistent database.
|
420 | Defaults to mosquitto.db.</para>
|
421 | <para>Reloaded on reload signal.</para>
|
422 | </listitem>
|
423 | </varlistentry>
|
424 | <varlistentry>
|
425 | <term><option>persistence_location</option> <replaceable>path</replaceable></term>
|
426 | <listitem>
|
427 | <para>The path where the persistence database should be
|
428 | stored. Must end in a trailing slash. If not given,
|
429 | then the current directory is used.</para>
|
430 | <para>Reloaded on reload signal.</para>
|
431 | </listitem>
|
432 | </varlistentry>
|
433 | <varlistentry>
|
434 | <term><option>persistent_client_expiration</option> <replaceable>duration</replaceable></term>
|
435 | <listitem>
|
436 | <para>This option allows persistent clients (those with
|
437 | clean session set to false) to be removed if they do
|
438 | not reconnect within a certain time frame. This is a
|
439 | non-standard option. As far as the MQTT spec is
|
440 | concerned, persistent clients persist forever.</para>
|
441 | <para>Badly designed clients may set clean session to false
|
442 | whilst using a randomly generated client id. This leads
|
443 | to persistent clients that will never reconnect. This
|
444 | option allows these clients to be removed.</para>
|
445 | <para>The expiration period should be an integer followed
|
446 | by one of d w m y for day, week, month and year
|
447 | respectively. For example:</para>
|
448 | <itemizedlist mark="circle">
|
449 | <listitem><para>persistent_client_expiration 2m</para></listitem>
|
450 | <listitem><para>persistent_client_expiration 14d</para></listitem>
|
451 | <listitem><para>persistent_client_expiration 1y</para></listitem>
|
452 | </itemizedlist>
|
453 | <para>As this is a non-standard option, the default if not
|
454 | set is to never expire persistent clients.</para>
|
455 | <para>Reloaded on reload signal.</para>
|
456 | </listitem>
|
457 | </varlistentry>
|
458 | <varlistentry>
|
459 | <term><option>pid_file</option> <replaceable>file path</replaceable></term>
|
460 | <listitem>
|
461 | <para>Write a pid file to the file specified. If not given
|
462 | (the default), no pid file will be written. If the pid
|
463 | file cannot be written, mosquitto will exit. This
|
464 | option only has an effect is mosquitto is run in daemon
|
465 | mode.</para>
|
466 | <para>If mosquitto is being automatically started by an
|
467 | init script it will usually be required to write a pid
|
468 | file. This should then be configured as e.g.
|
469 | /var/run/mosquitto.pid</para>
|
470 | <para>Not reloaded on reload signal.</para>
|
471 | </listitem>
|
472 | </varlistentry>
|
473 | <varlistentry>
|
474 | <term><option>psk_file</option> <replaceable>file path</replaceable></term>
|
475 | <listitem>
|
476 | <para>Set the path to a pre-shared-key file. This option
|
477 | requires a listener to be have PSK support enabled. If
|
478 | defined, the contents of the file are used to control
|
479 | client access to the broker. Each line should be in the
|
480 | format "identity:key", where the key is a hexadecimal
|
481 | string with no leading "0x". A client connecting to a
|
482 | listener that has PSK support enabled must provide a
|
483 | matching identity and PSK to allow the encrypted
|
484 | connection to proceed.</para>
|
485 | <para>Reloaded on reload signal. The currently loaded
|
486 | identity and key data will be freed and reloaded.
|
487 | Clients that are already connected will not be
|
488 | affected.</para>
|
489 | </listitem> </varlistentry>
|
490 | <varlistentry>
|
491 | <term><option>queue_qos0_messages</option> [ true | false ]</term>
|
492 | <listitem>
|
493 | <para>Set to <replaceable>true</replaceable> to queue
|
494 | messages with QoS 0 when a persistent client is
|
495 | disconnected. These messages are included in the limit
|
496 | imposed by max_queued_messages. Defaults to
|
497 | <replaceable>false</replaceable>.</para>
|
498 | <para>Note that the MQTT v3.1 spec states that only QoS 1
|
499 | and 2 messages should be saved in this situation so
|
500 | this is a non-standard option.</para>
|
501 | <para>Reloaded on reload signal.</para>
|
502 | </listitem>
|
503 | </varlistentry>
|
504 | <varlistentry>
|
505 | <term><option>retained_persistence</option> [ true | false ]</term>
|
506 | <listitem>
|
507 | <para>This is a synonym of the <option>persistence</option>
|
508 | option.</para>
|
509 | <para>Reloaded on reload signal.</para>
|
510 | </listitem>
|
511 | </varlistentry>
|
512 | <varlistentry>
|
513 | <term><option>retry_interval</option> <replaceable>seconds</replaceable></term>
|
514 | <listitem>
|
515 | <para>The integer number of seconds after a QoS=1 or QoS=2
|
516 | message has been sent that mosquitto will wait before
|
517 | retrying when no response is received. If unset,
|
518 | defaults to 20 seconds.</para>
|
519 | <para>Reloaded on reload signal.</para>
|
520 | </listitem>
|
521 | </varlistentry>
|
522 | <varlistentry>
|
523 | <term><option>store_clean_interval</option> <replaceable>seconds</replaceable></term>
|
524 | <listitem>
|
525 | <para>The integer number of seconds between the internal
|
526 | message store being cleaned of messages that are no
|
527 | longer referenced. Lower values will result in lower
|
528 | memory usage but more processor time, higher values
|
529 | will have the opposite effect. Setting a value of 0
|
530 | means the unreferenced messages will be disposed of as
|
531 | quickly as possible. Defaults to 10 seconds.</para>
|
532 | <para>Reloaded on reload signal.</para>
|
533 | </listitem>
|
534 | </varlistentry>
|
535 | <varlistentry>
|
536 | <term><option>sys_interval</option> <replaceable>seconds</replaceable></term>
|
537 | <listitem>
|
538 | <para>The integer number of seconds between updates of the
|
539 | $SYS subscription hierarchy, which provides status
|
540 | information about the broker. If unset, defaults to 10
|
541 | seconds.</para>
|
542 | <para>Set to 0 to disable publishing the $SYS hierarchy
|
543 | completely.</para>
|
544 | <para>Reloaded on reload signal.</para>
|
545 | </listitem>
|
546 | </varlistentry>
|
547 | <varlistentry>
|
548 | <term><option>upgrade_outgoing_qos</option> [ true | false ]</term>
|
549 | <listitem>
|
550 | <para>The MQTT specification requires that the QoS of a
|
551 | message delivered to a subscriber is never upgraded to
|
552 | match the QoS of the subscription. Enabling this option
|
553 | changes this behaviour. If
|
554 | <option>upgrade_outgoing_qos</option> is set
|
555 | <replaceable>true</replaceable>, messages sent to a
|
556 | subscriber will always match the QoS of its
|
557 | subscription. This is a non-standard option not
|
558 | provided for by the spec. Defaults to
|
559 | <replaceable>false</replaceable>.</para>
|
560 | <para>Reloaded on reload signal.</para>
|
561 | </listitem>
|
562 | </varlistentry>
|
563 | <varlistentry>
|
564 | <term><option>user</option> <replaceable>username</replaceable></term>
|
565 | <listitem>
|
566 | <para>When run as root, change to this user and its primary
|
567 | group on startup. If mosquitto is unable to change to
|
568 | this user and group, it will exit with an error. The
|
569 | user specified must have read/write access to the
|
570 | persistence database if it is to be written. If run as
|
571 | a non-root user, this setting has no effect. Defaults
|
572 | to mosquitto.</para>
|
573 | <para>This setting has no effect on Windows and so you
|
574 | should run mosquitto as the user you wish it to run
|
575 | as.</para>
|
576 | <para>Not reloaded on reload signal.</para>
|
577 | </listitem>
|
578 | </varlistentry>
|
579 | </variablelist>
|
580 | </refsect1>
|
581 |
|
582 | <refsect1>
|
583 | <title>Listeners</title>
|
584 | <para>The network ports that mosquitto listens on can be controlled
|
585 | using listeners. The default listener options can be overridden and
|
586 | further listeners can be created.</para>
|
587 | <refsect2>
|
588 | <title>General Options</title>
|
589 | <variablelist>
|
590 | <varlistentry>
|
591 | <term><option>bind_address</option> <replaceable>address</replaceable></term>
|
592 | <listitem>
|
593 | <para>Listen for incoming network connections on the
|
594 | specified IP address/hostname only. This is useful
|
595 | to restrict access to certain network interfaces.
|
596 | To restrict access to mosquitto to the local host
|
597 | only, use "bind_address localhost". This only
|
598 | applies to the default listener. Use the listener
|
599 | variable to control other listeners.</para>
|
600 | <para>Not reloaded on reload signal.</para>
|
601 | </listitem>
|
602 | </varlistentry>
|
603 | <varlistentry>
|
604 | <term><option>listener</option> <replaceable>port</replaceable></term>
|
605 | <listitem>
|
606 | <para>Listen for incoming network connection on the
|
607 | specified port. A second optional argument allows
|
608 | the listener to be bound to a specific ip
|
609 | address/hostname. If this variable is used and
|
610 | neither <option>bind_address</option> nor
|
611 | <option>port</option> are used then the default
|
612 | listener will not be started. This option may be
|
613 | specified multiple times. See also the
|
614 | <option>mount_point</option> option.</para>
|
615 | <para>Not reloaded on reload signal.</para>
|
616 | </listitem>
|
617 | </varlistentry>
|
618 | <varlistentry>
|
619 | <term><option>max_connections</option> <replaceable>count</replaceable></term>
|
620 | <listitem>
|
621 | <para>Limit the total number of clients connected for
|
622 | the current listener. Set to <literal>-1</literal>
|
623 | to have "unlimited" connections. Note that other
|
624 | limits may be imposed that are outside the control
|
625 | of mosquitto. See e.g.
|
626 | <citerefentry><refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
627 | <para>Not reloaded on reload signal.</para>
|
628 | </listitem>
|
629 | </varlistentry>
|
630 | <varlistentry>
|
631 | <term><option>mount_point</option> <replaceable>topic prefix</replaceable></term>
|
632 | <listitem>
|
633 | <para>This option is used with the listener option to
|
634 | isolate groups of clients. When a client connects
|
635 | to a listener which uses this option, the string
|
636 | argument is attached to the start of all topics for
|
637 | this client. This prefix is removed when any
|
638 | messages are sent to the client. This means a
|
639 | client connected to a listener with mount point
|
640 | <replaceable>example</replaceable> can only see
|
641 | messages that are published in the topic hierarchy
|
642 | <replaceable>example</replaceable> and above.</para>
|
643 | <para>Not reloaded on reload signal.</para>
|
644 | </listitem>
|
645 | </varlistentry>
|
646 | <varlistentry>
|
647 | <term><option>port</option> <replaceable>port number</replaceable></term>
|
648 | <listitem>
|
649 | <para>Set the network port for the default listener to
|
650 | listen on. Defaults to 1883.</para>
|
651 | <para>Not reloaded on reload signal.</para>
|
652 | </listitem>
|
653 | </varlistentry>
|
654 | </variablelist>
|
655 | </refsect2>
|
656 | <refsect2>
|
657 | <title>Certificate based SSL/TLS Support</title>
|
658 | <para>The following options are available for all listeners to
|
659 | configure certificate based SSL support. See also
|
660 | "Pre-shared-key based SSL/TLS support".</para>
|
661 | <variablelist>
|
662 | <varlistentry>
|
663 | <term><option>cafile</option> <replaceable>file path</replaceable></term>
|
664 | <listitem>
|
665 | <para>At least one of <option>cafile</option> or
|
666 | <option>capath</option> must be provided to allow
|
667 | SSL support.</para>
|
668 | <para><option>cafile</option> is used to define the
|
669 | path to a file containing the PEM encoded CA
|
670 | certificates that are trusted.</para>
|
671 | </listitem>
|
672 | </varlistentry>
|
673 | <varlistentry>
|
674 | <term><option>capath</option> <replaceable>directory path</replaceable></term>
|
675 | <listitem>
|
676 | <para>At least one of <option>cafile</option> or
|
677 | <option>capath</option> must be provided to allow
|
678 | SSL support.</para>
|
679 | <para><option>capath</option> is used to define a
|
680 | directory that contains PEM encoded CA certificates
|
681 | that are trusted. For <option>capath</option> to
|
682 | work correctly, the certificates files must have
|
683 | ".pem" as the file ending and you must run
|
684 | "c_rehash <path to capath>" each time you
|
685 | add/remove a certificate.</para>
|
686 | </listitem>
|
687 | </varlistentry>
|
688 | <varlistentry>
|
689 | <term><option>certfile</option> <replaceable>file path</replaceable></term>
|
690 | <listitem>
|
691 | <para>Path to the PEM encoded server certificate.</para>
|
692 | </listitem>
|
693 | </varlistentry>
|
694 | <varlistentry>
|
695 | <term><option>ciphers</option> <replaceable>cipher:list</replaceable></term>
|
696 | <listitem>
|
697 | <para>The list of allowed ciphers, each separated with
|
698 | a colon. Available ciphers can be obtained using
|
699 | the "openssl ciphers" command.</para>
|
700 | </listitem>
|
701 | </varlistentry>
|
702 | <varlistentry>
|
703 | <term><option>crlfile</option> <replaceable>file path</replaceable></term>
|
704 | <listitem>
|
705 | <para>If you have <option>require_certificate</option>
|
706 | set to <replaceable>true</replaceable>, you can
|
707 | create a certificate revocation list file to revoke
|
708 | access to particular client certificates. If you
|
709 | have done this, use crlfile to point to the PEM
|
710 | encoded revocation file.</para>
|
711 | </listitem>
|
712 | </varlistentry>
|
713 | <varlistentry>
|
714 | <term><option>keyfile</option> <replaceable>file path</replaceable></term>
|
715 | <listitem>
|
716 | <para>Path to the PEM encoded keyfile.</para>
|
717 | </listitem>
|
718 | </varlistentry>
|
719 | <varlistentry>
|
720 | <term><option>require_certificate</option> [ true | false ]</term>
|
721 | <listitem>
|
722 | <para>By default an SSL/TLS enabled listener will
|
723 | operate in a similar fashion to a https enabled web
|
724 | server, in that the server has a certificate signed
|
725 | by a CA and the client will verify that it is a
|
726 | trusted certificate. The overall aim is encryption
|
727 | of the network traffic. By setting
|
728 | <option>require_certificate</option> to
|
729 | <replaceable>true</replaceable>, the client must
|
730 | provide a valid certificate in order for the
|
731 | network connection to proceed. This allows access
|
732 | to the broker to be controlled outside of the
|
733 | mechanisms provided by MQTT.</para>
|
734 | </listitem>
|
735 | </varlistentry>
|
736 | <varlistentry>
|
737 | <term><option>tls_version</option> <replaceable>version</replaceable></term>
|
738 | <listitem>
|
739 | <para>Configure the version of the TLS protocol to be
|
740 | used for this listener. Possible values are
|
741 | <replaceable>tlsv1.2</replaceable>,
|
742 | <replaceable>tlsv1.1</replaceable> and
|
743 | <replaceable>tlsv1</replaceable>. Defaults to
|
744 | <replaceable>tlsv1.2</replaceable>.</para>
|
745 | </listitem>
|
746 | </varlistentry>
|
747 | <varlistentry>
|
748 | <term><option>use_identity_as_username</option> [ true | false ]</term>
|
749 | <listitem>
|
750 | <para>If <option>require_certificate</option> is
|
751 | <replaceable>true</replaceable>, you may set
|
752 | <option>use_identity_as_username</option> to
|
753 | <replaceable>true</replaceable> to use the CN value
|
754 | from the client certificate as a username. If this
|
755 | is <replaceable>true</replaceable>, the
|
756 | <option>password_file</option> option will not be
|
757 | used for this listener.</para>
|
758 | </listitem>
|
759 | </varlistentry>
|
760 | </variablelist>
|
761 | </refsect2>
|
762 | <refsect2>
|
763 | <title>Pre-shared-key based SSL/TLS Support</title>
|
764 | <para>The following options are available for all listeners to
|
765 | configure pre-shared-key based SSL support. See also
|
766 | "Certificate based SSL/TLS support".</para>
|
767 | <variablelist>
|
768 | <varlistentry>
|
769 | <term><option>ciphers</option> <replaceable>cipher:list</replaceable></term>
|
770 | <listitem>
|
771 | <para>When using PSK, the encryption ciphers used will
|
772 | be chosen from the list of available PSK ciphers.
|
773 | If you want to control which ciphers are available,
|
774 | use this option. The list of available ciphers can
|
775 | be optained using the "openssl ciphers" command and
|
776 | should be provided in the same format as the output
|
777 | of that command.</para>
|
778 | </listitem>
|
779 | </varlistentry>
|
780 | <varlistentry>
|
781 | <term><option>psk_hint</option> <replaceable>hint</replaceable></term>
|
782 | <listitem>
|
783 | <para>The <option>psk_hint</option> option enables
|
784 | pre-shared-key support for this listener and also
|
785 | acts as an identifier for this listener. The hint
|
786 | is sent to clients and may be used locally to aid
|
787 | authentication. The hint is a free form string that
|
788 | doesn't have much meaning in itself, so feel free
|
789 | to be creative.</para>
|
790 | <para>If this option is provided, see
|
791 | <option>psk_file</option> to define the pre-shared
|
792 | keys to be used or create a security plugin to
|
793 | handle them.</para>
|
794 | </listitem>
|
795 | </varlistentry>
|
796 | <varlistentry>
|
797 | <term><option>tls_version</option> <replaceable>version</replaceable></term>
|
798 | <listitem>
|
799 | <para>Configure the version of the TLS protocol to be
|
800 | used for this listener. Possible values are
|
801 | <replaceable>tlsv1.2</replaceable>,
|
802 | <replaceable>tlsv1.1</replaceable> and
|
803 | <replaceable>tlsv1</replaceable>. Defaults to
|
804 | <replaceable>tlsv1.2</replaceable>.</para>
|
805 | </listitem>
|
806 | </varlistentry>
|
807 | <varlistentry>
|
808 | <term><option>use_identity_as_username</option> [ true | false ]</term>
|
809 | <listitem>
|
810 | <para>Set <option>use_identity_as_username</option> to
|
811 | have the psk identity sent by the client used as
|
812 | its username. The username will be checked as
|
813 | normal, so <option>password_file</option> or
|
814 | another means of authentication checking must be
|
815 | used. No password will be used.</para>
|
816 | </listitem>
|
817 | </varlistentry>
|
818 | </variablelist>
|
819 | </refsect2>
|
820 | </refsect1>
|
821 |
|
822 | <refsect1>
|
823 | <title>Configuring Bridges</title>
|
824 | <para>Multiple bridges (connections to other brokers) can be configured
|
825 | using the following variables.</para>
|
826 | <para>Bridges cannot currently be reloaded on reload signal.</para>
|
827 | <variablelist>
|
828 | <varlistentry>
|
829 | <term><option>address</option> <replaceable>address[:port]</replaceable> <replaceable>[address[:port]]</replaceable></term>
|
830 | <term><option>addresses</option> <replaceable>address[:port]</replaceable> <replaceable>[address[:port]]</replaceable></term>
|
831 | <listitem>
|
832 | <para>Specify the address and optionally the port of the
|
833 | bridge to connect to. This must be given for each
|
834 | bridge connection. If the port is not specified, the
|
835 | default of 1883 is used.</para>
|
836 | <para>Multiple host addresses can be specified on the
|
837 | address config. See the <option>round_robin</option>
|
838 | option for more details on the behaviour of bridges
|
839 | with multiple addresses.</para>
|
840 | </listitem>
|
841 | </varlistentry>
|
842 | <varlistentry>
|
843 | <term><option>cleansession</option> [ true | false ]</term>
|
844 | <listitem>
|
845 | <para>Set the clean session option for this bridge. Setting
|
846 | to <replaceable>false</replaceable> (the default),
|
847 | means that all subscriptions on the remote broker are
|
848 | kept in case of the network connection dropping. If set
|
849 | to <replaceable>true</replaceable>, all subscriptions
|
850 | and messages on the remote broker will be cleaned up if
|
851 | the connection drops. Note that setting to
|
852 | <replaceable>true</replaceable> may cause a large
|
853 | amount of retained messages to be sent each time the
|
854 | bridge reconnects.</para>
|
855 | <para>If you are using bridges with
|
856 | <option>cleansession</option> set to
|
857 | <replaceable>false</replaceable> (the default), then
|
858 | you may get unexpected behaviour from incoming topics
|
859 | if you change what topics you are subscribing to. This
|
860 | is because the remote broker keeps the subscription for
|
861 | the old topic. If you have this problem, connect your
|
862 | bridge with <option>cleansession</option> set to
|
863 | <replaceable>true</replaceable>, then reconnect with
|
864 | cleansession set to <replaceable>false</replaceable> as
|
865 | normal.</para>
|
866 | </listitem>
|
867 | </varlistentry>
|
868 | <varlistentry>
|
869 | <term><option>clientid</option> <replaceable>id</replaceable></term>
|
870 | <listitem>
|
871 | <para>Set the client id for this bridge connection. If not
|
872 | defined, this defaults to 'name.hostname', where name
|
873 | is the connection name and hostname is the hostname of
|
874 | this computer.</para>
|
875 | </listitem>
|
876 | </varlistentry>
|
877 | <varlistentry>
|
878 | <term><option>connection</option> <replaceable>name</replaceable></term>
|
879 | <listitem>
|
880 | <para>This variable marks the start of a new bridge
|
881 | connection. It is also used to give the bridge a name
|
882 | which is used as the client id on the remote
|
883 | broker.</para>
|
884 | </listitem>
|
885 | </varlistentry>
|
886 | <varlistentry>
|
887 | <term><option>keepalive_interval</option> <replaceable>seconds</replaceable></term>
|
888 | <listitem>
|
889 | <para>Set the number of seconds after which the bridge
|
890 | should send a ping if no other traffic has occurred.
|
891 | Defaults to 60. A minimum value of 5 seconds
|
892 | isallowed.</para>
|
893 | </listitem>
|
894 | </varlistentry>
|
895 | <varlistentry>
|
896 | <term><option>idle_timeout</option> <replaceable>seconds</replaceable></term>
|
897 | <listitem>
|
898 | <para>Set the amount of time a bridge using the lazy start
|
899 | type must be idle before it will be stopped. Defaults
|
900 | to 60 seconds.</para>
|
901 | </listitem>
|
902 | </varlistentry>
|
903 | <varlistentry>
|
904 | <term><option>notifications</option> [ true | false ]</term>
|
905 | <listitem>
|
906 | <para>If set to <replaceable>true</replaceable>, publish
|
907 | notification messages to the local and remote brokers
|
908 | giving information about the state of the bridge
|
909 | connection. Retained messages are published to the
|
910 | topic $SYS/broker/connection/<clientid>/state
|
911 | unless otherwise set with
|
912 | <option>notification_topic</option>s. If the message
|
913 | is 1 then the connection is active, or 0 if the
|
914 | connection has failed. Defaults to
|
915 | <replaceable>true</replaceable>.</para>
|
916 | </listitem>
|
917 | </varlistentry>
|
918 | <varlistentry>
|
919 | <term><option>notification_topic</option> <replaceable>topic</replaceable></term>
|
920 | <listitem>
|
921 | <para>Choose the topic on which notifications will be
|
922 | published for this bridge. If not set the messages will
|
923 | be sent on the topic
|
924 | $SYS/broker/connection/<clientid>/state.</para>
|
925 | </listitem>
|
926 | </varlistentry>
|
927 | <varlistentry>
|
928 | <term><option>password</option> <replaceable>value</replaceable></term>
|
929 | <listitem>
|
930 | <para>Configure a password for the bridge. This is used for
|
931 | authentication purposes when connecting to a broker
|
932 | that support MQTT v3.1 and requires a username and/or
|
933 | password to connect. This option is only valid if a
|
934 | username is also supplied.</para>
|
935 | </listitem>
|
936 | </varlistentry>
|
937 | <varlistentry>
|
938 | <term><option>restart_timeout</option> <replaceable>value</replaceable></term>
|
939 | <listitem>
|
940 | <para>Set the amount of time a bridge using the automatic
|
941 | start type will wait until attempting to reconnect.
|
942 | Defaults to 30 seconds.</para>
|
943 | </listitem>
|
944 | </varlistentry>
|
945 | <varlistentry>
|
946 | <term><option>round_robin</option> [ true | false ]</term>
|
947 | <listitem>
|
948 | <para>If the bridge has more than one address given in the
|
949 | address/addresses configuration, the round_robin option
|
950 | defines the behaviour of the bridge on a failure of the
|
951 | bridge connection. If round_robin is
|
952 | <replaceable>false</replaceable>, the default value,
|
953 | then the first address is treated as the main bridge
|
954 | connection. If the connection fails, the other
|
955 | secondary addresses will be attempted in turn. Whilst
|
956 | connected to a secondary bridge, the bridge will
|
957 | periodically attempt to reconnect to the main bridge
|
958 | until successful.</para>
|
959 | <para>If round_robin is <replaceable>true</replaceable>,
|
960 | then all addresses are treated as equals. If a
|
961 | connection fails, the next address will be tried and if
|
962 | successful will remain connected until it fails.</para>
|
963 | </listitem>
|
964 | </varlistentry>
|
965 | <varlistentry>
|
966 | <term><option>start_type</option> [ automatic | lazy | once ]</term>
|
967 | <listitem>
|
968 | <para>Set the start type of the bridge. This controls how
|
969 | the bridge starts and can be one of three types:
|
970 | <replaceable>automatic</replaceable>, <replaceable>lazy
|
971 | </replaceable>and <replaceable>once</replaceable>. Note
|
972 | that RSMB provides a fourth start type "manual" which
|
973 | isn't currently supported by mosquitto.</para>
|
974 |
|
975 | <para><replaceable>automatic</replaceable> is the default
|
976 | start type and means that the bridge connection will be
|
977 | started automatically when the broker starts and also
|
978 | restarted after a short delay (30 seconds) if the
|
979 | connection fails.</para>
|
980 |
|
981 | <para>Bridges using the <replaceable>lazy</replaceable>
|
982 | start type will be started automatically when the
|
983 | number of queued messages exceeds the number set with
|
984 | the <option>threshold</option> option. It will be
|
985 | stopped automatically after the time set by the
|
986 | <option>idle_timeout</option> parameter. Use this start
|
987 | type if you wish the connection to only be active when
|
988 | it is needed.</para>
|
989 |
|
990 | <para>A bridge using the <replaceable>once</replaceable>
|
991 | start type will be started automatically when the
|
992 | broker starts but will not be restarted if the
|
993 | connection fails.</para>
|
994 | </listitem>
|
995 | </varlistentry>
|
996 | <varlistentry>
|
997 | <term><option>threshold</option> <replaceable>count</replaceable></term>
|
998 | <listitem>
|
999 | <para>Set the number of messages that need to be queued for
|
1000 | a bridge with lazy start type to be restarted.
|
1001 | Defaults to 10 messages.</para>
|
1002 | </listitem>
|
1003 | </varlistentry>
|
1004 | <varlistentry>
|
1005 | <term><option>topic</option> <replaceable>pattern</replaceable> [[[ out | in | both ] qos-level] local-prefix remote-prefix]</term>
|
1006 | <listitem>
|
1007 | <para>Define a topic pattern to be shared between the two
|
1008 | brokers. Any topics matching the pattern (which may
|
1009 | include wildcards) are shared. The second parameter
|
1010 | defines the direction that the messages will be shared
|
1011 | in, so it is possible to import messages from a remote
|
1012 | broker using <replaceable>in</replaceable>, export
|
1013 | messages to a remote broker using
|
1014 | <replaceable>out</replaceable> or share messages in
|
1015 | both directions. If this parameter is not defined, the
|
1016 | default of <replaceable>out</replaceable> is used. The
|
1017 | QoS level defines the publish/subscribe QoS level used
|
1018 | for this topic and defaults to 0.</para>
|
1019 | <para>The <replaceable>local-prefix</replaceable> and
|
1020 | <replaceable>remote-prefix</replaceable> options allow
|
1021 | topics to be remapped when publishing to and receiving
|
1022 | from remote brokers. This allows a topic tree from the
|
1023 | local broker to be inserted into the topic tree of the
|
1024 | remote broker at an appropriate place.</para>
|
1025 | <para>For incoming topics, the bridge will prepend the
|
1026 | pattern with the remote prefix and subscribe to the
|
1027 | resulting topic on the remote broker. When a matching
|
1028 | incoming message is received, the remote prefix will be
|
1029 | removed from the topic and then the local prefix
|
1030 | added.</para>
|
1031 | <para>For outgoing topics, the bridge will prepend the
|
1032 | pattern with the local prefix and subscribe to the
|
1033 | resulting topic on the local broker. When an outgoing
|
1034 | message is processed, the local prefix will be removed
|
1035 | from the topic then the remote prefix added.</para>
|
1036 | <para>When using topic mapping, an empty prefix can be
|
1037 | defined using the place marker
|
1038 | <replaceable>""</replaceable>. Using the empty marker
|
1039 | for the topic itself is also valid. The table below
|
1040 | defines what combination of empty or value is
|
1041 | valid.</para>
|
1042 | <informaltable>
|
1043 | <tgroup cols="5">
|
1044 | <thead>
|
1045 | <row>
|
1046 | <entry></entry>
|
1047 | <entry><emphasis>Topic</emphasis></entry>
|
1048 | <entry><emphasis>Local Prefix</emphasis></entry>
|
1049 | <entry><emphasis>Remote Prefix</emphasis></entry>
|
1050 | <entry><emphasis>Validity</emphasis></entry>
|
1051 | </row>
|
1052 | </thead>
|
1053 | <tbody>
|
1054 | <row><entry>1</entry><entry>value</entry><entry>value</entry><entry>value</entry><entry>valid</entry></row>
|
1055 | <row><entry>2</entry><entry>value</entry><entry>value</entry><entry>""</entry><entry>valid</entry></row>
|
1056 | <row><entry>3</entry><entry>value</entry><entry>""</entry><entry>value</entry><entry>valid</entry></row>
|
1057 | <row><entry>4</entry><entry>value</entry><entry>""</entry><entry>""</entry><entry>valid (no remapping)</entry></row>
|
1058 | <row><entry>5</entry><entry>""</entry><entry>value</entry><entry>value</entry><entry>valid (remap single local topic to remote)</entry></row>
|
1059 | <row><entry>6</entry><entry>""</entry><entry>value</entry><entry>""</entry><entry>invalid</entry></row>
|
1060 | <row><entry>7</entry><entry>""</entry><entry>""</entry><entry>value</entry><entry>invalid</entry></row>
|
1061 | <row><entry>8</entry><entry>""</entry><entry>""</entry><entry>""</entry><entry>invalid</entry></row>
|
1062 | </tbody>
|
1063 | </tgroup>
|
1064 | </informaltable>
|
1065 | <para>To remap an entire topic tree, use e.g.:</para>
|
1066 | <programlisting language="config">
|
1067 | topic # both 2 local/topic/ remote/topic/</programlisting>
|
1068 |
|
1069 | <para>This option can be specified multiple times per
|
1070 | bridge.</para>
|
1071 | <para>Care must be taken to ensure that loops are not
|
1072 | created with this option. If you are experiencing high
|
1073 | CPU load from a broker, it is possible that you have a
|
1074 | loop where each broker is forever forwarding each other
|
1075 | the same messages.</para>
|
1076 | <para>See also the <option>cleansession</option> option if
|
1077 | you have messages arriving on unexpected topics when
|
1078 | using incoming topics.</para>
|
1079 |
|
1080 | <example title="Bridge Topic Remapping" label="Bridge Topic Remapping">
|
1081 | <para>The configuration below connects a bridge to the
|
1082 | broker at <option>test.mosquitto.org</option>. It
|
1083 | subscribes to the remote topic
|
1084 | <option>$SYS/broker/clients/total</option> and
|
1085 | republishes the messages received to the local topic
|
1086 | <option>test/mosquitto/org/clients/total</option></para>
|
1087 | <programlisting language="config">
|
1088 | connection test-mosquitto-org
|
1089 | address test.mosquitto.org
|
1090 | cleansession true
|
1091 | topic clients/total in 0 test/mosquitto/org $SYS/broker/
|
1092 | </programlisting></example>
|
1093 |
|
1094 | </listitem>
|
1095 | </varlistentry>
|
1096 | <varlistentry>
|
1097 | <term><option>try_private</option> [ true | false ]</term>
|
1098 | <listitem>
|
1099 | <para>If try_private is set to
|
1100 | <replaceable>true</replaceable>, the bridge will
|
1101 | attempt to indicate to the remote broker that it is a
|
1102 | bridge not an ordinary client. If successful, this
|
1103 | means that loop detection will be more effective and
|
1104 | that retained messages will be propagated correctly.
|
1105 | Not all brokers support this feature so it may be
|
1106 | necessary to set <option>try_private</option> to
|
1107 | <replaceable>false</replaceable> if your bridge does
|
1108 | not connect properly.</para>
|
1109 | <para>Defaults to <replaceable>true</replaceable>.</para>
|
1110 | </listitem>
|
1111 | </varlistentry>
|
1112 | <varlistentry>
|
1113 | <term><option>username</option> <replaceable>name</replaceable></term>
|
1114 | <listitem>
|
1115 | <para>Configure a <option>username</option> for the bridge.
|
1116 | This is used for authentication purposes when
|
1117 | connecting to a broker that support MQTT v3.1 and
|
1118 | requires a username and/or password to connect. See
|
1119 | also the <option>password</option> option.</para>
|
1120 | </listitem>
|
1121 | </varlistentry>
|
1122 | </variablelist>
|
1123 | <refsect2>
|
1124 | <title>SSL/TLS Support</title>
|
1125 | <para>The following options are available for all bridges to
|
1126 | configure SSL/TLS support.</para>
|
1127 | <variablelist>
|
1128 | <varlistentry>
|
1129 | <term><option>bridge_cafile</option> <replaceable>file path</replaceable></term>
|
1130 | <listitem>
|
1131 | <para>One of <option>bridge_cafile</option> or
|
1132 | <option>bridge_capath</option> must be provided to
|
1133 | allow SSL/TLS support.</para>
|
1134 | <para>bridge_cafile is used to define the path to a file
|
1135 | containing the PEM encoded CA certificates that
|
1136 | have signed the certificate for the remote broker.
|
1137 | </para>
|
1138 | </listitem>
|
1139 | </varlistentry>
|
1140 | <varlistentry>
|
1141 | <term><option>bridge_capath</option> <replaceable>file path</replaceable></term>
|
1142 | <listitem>
|
1143 | <para>One of <option>bridge_capath</option> or
|
1144 | <option>bridge_capath</option> must be provided to
|
1145 | allow SSL/TLS support.</para>
|
1146 | <para>bridge_capath is used to define the path to a
|
1147 | directory containing the PEM encoded CA
|
1148 | certificates that have signed the certificate for
|
1149 | the remote broker. For bridge_capath to work
|
1150 | correctly, the certificate files must have ".crt"
|
1151 | as the file ending and you must run "c_rehash
|
1152 | <path to bridge_capath>" each time you
|
1153 | add/remove a certificate.</para>
|
1154 | </listitem>
|
1155 | </varlistentry>
|
1156 | <varlistentry>
|
1157 | <term><option>bridge_certfile</option> <replaceable>file path</replaceable></term>
|
1158 | <listitem>
|
1159 | <para>Path to the PEM encoded client certificate for
|
1160 | this bridge, if required by the remote
|
1161 | broker.</para>
|
1162 | </listitem>
|
1163 | </varlistentry>
|
1164 | <varlistentry>
|
1165 | <term><option>bridge_identity</option> <replaceable>identity</replaceable></term>
|
1166 | <listitem>
|
1167 | <para>Pre-shared-key encryption provides an alternative
|
1168 | to certificate based encryption. A bridge can be
|
1169 | configured to use PSK with the
|
1170 | <option>bridge_identity</option> and
|
1171 | <option>bridge_psk</option> options. This is the
|
1172 | client identity used with PSK encryption. Only one
|
1173 | of certificate and PSK based encryption can be used
|
1174 | on one bridge at once.</para>
|
1175 | </listitem>
|
1176 | </varlistentry>
|
1177 | <varlistentry>
|
1178 | <term><option>bridge_insecure</option> [ true | false ]</term>
|
1179 | <listitem>
|
1180 | <para>When using certificate based TLS, the bridge will
|
1181 | attempt to verify the hostname provided in the
|
1182 | remote certificate matches the host/address being
|
1183 | connected to. This may cause problems in testing
|
1184 | scenarios, so <option>bridge_insecure</option> may
|
1185 | be set to <replaceable>false</replaceable> to
|
1186 | disable the hostname verification.</para>
|
1187 | <para>Setting this option to
|
1188 | <replaceable>true</replaceable> means that a
|
1189 | malicious third party could potentially inpersonate
|
1190 | your server, so it should always be set to
|
1191 | <replaceable>false</replaceable> in production
|
1192 | environments.</para>
|
1193 | </listitem>
|
1194 | </varlistentry>
|
1195 | <varlistentry>
|
1196 | <term><option>bridge_keyfile</option> <replaceable>file path</replaceable></term>
|
1197 | <listitem>
|
1198 | <para>Path to the PEM encoded private key for this
|
1199 | bridge, if required by the remote broker.</para>
|
1200 | </listitem>
|
1201 | </varlistentry>
|
1202 | <varlistentry>
|
1203 | <term><option>bridge_psk</option> <replaceable>key</replaceable></term>
|
1204 | <listitem>
|
1205 | <para>Pre-shared-key encryption provides an alternative
|
1206 | to certificate based encryption. A bridge can be
|
1207 | configured to use PSK with the
|
1208 | <option>bridge_identity</option> and
|
1209 | <option>bridge_psk</option> options. This is the
|
1210 | pre-shared-key in hexadecimal format with no "0x".
|
1211 | Only one of certificate and PSK based encryption
|
1212 | can be used on one bridge at once.</para>
|
1213 | </listitem>
|
1214 | </varlistentry>
|
1215 | <varlistentry>
|
1216 | <term><option>bridge_tls_version</option> <replaceable>version</replaceable></term>
|
1217 | <listitem>
|
1218 | <para>Configure the version of the TLS protocol to be
|
1219 | used for this bridge. Possible values are
|
1220 | <replaceable>tlsv1.2</replaceable>,
|
1221 | <replaceable>tlsv1.1</replaceable> and
|
1222 | <replaceable>tlsv1</replaceable>. Defaults to
|
1223 | <replaceable>tlsv1.2</replaceable>. The remote
|
1224 | broker must support the same version of TLS for the
|
1225 | connection to succeed.</para>
|
1226 | </listitem>
|
1227 | </varlistentry>
|
1228 | </variablelist>
|
1229 | </refsect2>
|
1230 | </refsect1>
|
1231 |
|
1232 | <refsect1>
|
1233 | <title>Files</title>
|
1234 | <para>mosquitto.conf</para>
|
1235 | </refsect1>
|
1236 |
|
1237 | <refsect1>
|
1238 | <title>Bugs</title>
|
1239 | <para><command>mosquitto</command> bug information can be found at <uri
|
1240 | type="webpage">http://launchpad.net/mosquitto</uri></para>
|
1241 | </refsect1>
|
1242 |
|
1243 | <refsect1>
|
1244 | <title>See Also</title>
|
1245 | <simplelist type="inline">
|
1246 | <member>
|
1247 | <citerefentry>
|
1248 | <refentrytitle><link xlink:href="mosquitto-8.html">mosquitto</link></refentrytitle>
|
1249 | <manvolnum>8</manvolnum>
|
1250 | </citerefentry>
|
1251 | </member>
|
1252 | <member>
|
1253 | <citerefentry>
|
1254 | <refentrytitle><link xlink:href="mosquitto_passwd-1.html">mosquitto_passwd</link></refentrytitle>
|
1255 | <manvolnum>1</manvolnum>
|
1256 | </citerefentry>
|
1257 | </member>
|
1258 | <member>
|
1259 | <citerefentry>
|
1260 | <refentrytitle><link xlink:href="mosquitto-tls-7.html">mosquitto-tls</link></refentrytitle>
|
1261 | <manvolnum>7</manvolnum>
|
1262 | </citerefentry>
|
1263 | </member>
|
1264 | <member>
|
1265 | <citerefentry>
|
1266 | <refentrytitle><link xlink:href="mqtt-7.html">mqtt</link></refentrytitle>
|
1267 | <manvolnum>7</manvolnum>
|
1268 | </citerefentry>
|
1269 | </member>
|
1270 | <member>
|
1271 | <citerefentry>
|
1272 | <refentrytitle><link xlink:href="http://linux.die.net/man/5/limits.conf">limits.conf</link></refentrytitle>
|
1273 | <manvolnum>5</manvolnum>
|
1274 | </citerefentry>
|
1275 | </member>
|
1276 | </simplelist>
|
1277 | </refsect1>
|
1278 |
|
1279 | <refsect1>
|
1280 | <title>Author</title>
|
1281 | <para>Roger Light <email>roger@atchoo.org</email></para>
|
1282 | </refsect1>
|
1283 | </refentry>
|