| 1 | <?xml version='1.0' encoding='UTF-8'?>
|
| 2 | <?xml-stylesheet type="text/xsl" href="manpage.xsl"?>
|
| 3 |
|
| 4 | <refentry xml:id="mosquitto.conf" xmlns:xlink="http://www.w3.org/1999/xlink">
|
| 5 | <refmeta>
|
| 6 | <refentrytitle>mosquitto.conf</refentrytitle>
|
| 7 | <manvolnum>5</manvolnum>
|
| 8 | <refmiscinfo class="source">Mosquitto Project</refmiscinfo>
|
| 9 | <refmiscinfo class="manual">File formats and conventions</refmiscinfo>
|
| 10 | </refmeta>
|
| 11 |
|
| 12 | <refnamediv>
|
| 13 | <refname>mosquitto.conf</refname>
|
| 14 | <refpurpose>the configuration file for mosquitto</refpurpose>
|
| 15 | </refnamediv>
|
| 16 |
|
| 17 | <refsynopsisdiv>
|
| 18 | <cmdsynopsis>
|
| 19 | <command>mosquitto.conf</command>
|
| 20 | </cmdsynopsis>
|
| 21 | </refsynopsisdiv>
|
| 22 |
|
| 23 | <refsect1>
|
| 24 | <title>Description</title>
|
| 25 | <para><command>mosquitto.conf</command> is the configuration file for
|
| 26 | mosquitto. This file can reside anywhere as long as mosquitto can read
|
| 27 | it. By default, mosquitto does not need a configuration file and will
|
| 28 | use the default values listed below. See
|
| 29 | <citerefentry><refentrytitle>mosquitto</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
| 30 | for information on how to load a configuration file.</para>
|
| 31 | </refsect1>
|
| 32 |
|
| 33 | <refsect1>
|
| 34 | <title>File Format</title>
|
| 35 | <para>All lines with a # as the very first character are treated as a
|
| 36 | comment.</para>
|
| 37 | <para>Configuration lines start with a variable name. The variable
|
| 38 | value is separated from the name by a single space.</para>
|
| 39 | </refsect1>
|
| 40 |
|
| 41 | <refsect1>
|
| 42 | <title>Authentication</title>
|
| 43 | <para>The authentication options described below allow a wide range of
|
| 44 | possibilities in conjunction with the listener options. This
|
| 45 | section aims to clarify the possibilities.</para>
|
| 46 | <para>The simplest option is to have no authentication at all. This is
|
| 47 | the default if no other options are given. Unauthenticated
|
| 48 | encrypted support is provided by using the certificate based
|
| 49 | SSL/TLS based options cafile/capath, certfile and keyfile.</para>
|
| 50 | <para>MQTT provides username/password authentication as part of the
|
| 51 | protocol. Use the password_file option to define the valid
|
| 52 | usernames and passwords. Be sure to use network encryption if you
|
| 53 | are using this option otherwise the username and password will be
|
| 54 | vulnerable to interception.</para>
|
| 55 | <para>When using certificate based encryption there are two options
|
| 56 | that affect authentication. The first is require_certificate, which
|
| 57 | may be set to true or false. If false, the SSL/TLS component of the
|
| 58 | client will verify the server but there is no requirement for the
|
| 59 | client to provide anything for the server: authentication is
|
| 60 | limited to the MQTT built in username/password. If
|
| 61 | require_certificate is true, the client must provide a valid
|
| 62 | certificate in order to connect successfully. In this case, the
|
| 63 | second option, use_identity_as_username, becomes relevant. If set
|
| 64 | to true, the Common Name (CN) from the client certificate is used
|
| 65 | instead of the MQTT username for access control purposes. The
|
| 66 | password is not replaced because it is assumed that only
|
| 67 | authenticated clients have valid certificates. If
|
| 68 | use_identity_as_username is false, the client must authenticate as
|
| 69 | normal (if required by password_file) through the MQTT
|
| 70 | options.</para>
|
| 71 | <para>When using pre-shared-key based encryption through the psk_hint
|
| 72 | and psk_file options, the client must provide a valid identity and
|
| 73 | key in order to connect to the broker before any MQTT communication
|
| 74 | takes place. If use_identity_as_username is true, the PSK identity
|
| 75 | is used instead of the MQTT username for access control purposes.
|
| 76 | If use_identity_as_username is false, the client may still
|
| 77 | authenticate using the MQTT username/password if using the
|
| 78 | password_file option.</para>
|
| 79 | <para>Both certificate and PSK based encryption are configured on a per-listener basis.</para>
|
| 80 | <para>Authentication plugins can be created to replace the
|
| 81 | password_file and psk_file options (as well as the ACL options)
|
| 82 | with e.g. SQL based lookups.</para>
|
| 83 | <para>It is possible to support multiple authentication schemes at
|
| 84 | once. A config could be created that had a listener for all of the
|
| 85 | different encryption options described above and hence a large
|
| 86 | number of ways of authenticating.</para>
|
| 87 | </refsect1>
|
| 88 |
|
| 89 | <refsect1>
|
| 90 | <title>General Options</title>
|
| 91 | <variablelist>
|
| 92 | <varlistentry>
|
| 93 | <term><option>acl_file</option> <replaceable>file path</replaceable></term>
|
| 94 | <listitem>
|
| 95 | <para>Set the path to an access control list file. If
|
| 96 | defined, the contents of the file are used to control
|
| 97 | client access to topics on the broker.</para>
|
| 98 | <para>If this parameter is defined then only the topics
|
| 99 | listed will have access. Topic access is added with
|
| 100 | lines of the format:</para>
|
| 101 |
|
| 102 | <para><code>topic [read|write] <topic></code></para>
|
| 103 |
|
| 104 | <para>The access type is controlled using "read" or
|
| 105 | "write". This parameter is optional - if not given then
|
| 106 | the access is read/write. <topic> can contain
|
| 107 | the + or # wildcards as in subscriptions.</para>
|
| 108 |
|
| 109 | <para>The first set of topics are applied to anonymous
|
| 110 | clients, assuming <option>allow_anonymous</option> is
|
| 111 | true. User specific topic ACLs are added after a user
|
| 112 | line as follows:</para>
|
| 113 |
|
| 114 | <para><code>user <username></code></para>
|
| 115 |
|
| 116 | <para>The username referred to here is the same as in
|
| 117 | <option>password_fil</option>e. It is not the
|
| 118 | clientid.</para>
|
| 119 |
|
| 120 | <para>It is also possible to define ACLs based on pattern
|
| 121 | substitution within the topic. The form is the same as
|
| 122 | for the topic keyword, but using pattern as the
|
| 123 | keyword.</para>
|
| 124 | <para><code>pattern [read|write] <topic></code></para>
|
| 125 |
|
| 126 | <para>The patterns available for substition are:</para>
|
| 127 | <itemizedlist mark="circle">
|
| 128 | <listitem><para>%c to match the client id of the client</para></listitem>
|
| 129 | <listitem><para>%u to match the username of the client</para></listitem>
|
| 130 | </itemizedlist>
|
| 131 | <para>The substitution pattern must be the only text for
|
| 132 | that level of hierarchy. Pattern ACLs apply to all
|
| 133 | users even if the "user" keyword has previously been
|
| 134 | given.</para>
|
| 135 |
|
| 136 | <para>Example:</para>
|
| 137 | <para><code>pattern write sensor/%u/data</code></para>
|
| 138 | <para>Allow access for bridge connection messages:</para>
|
| 139 | <para><code>pattern write $SYS/broker/connection/%c/state</code></para>
|
| 140 |
|
| 141 | <para>If the first character of a line of the ACL file is a
|
| 142 | # it is treated as a comment.</para>
|
| 143 |
|
| 144 | <para>Reloaded on reload signal. The currently loaded ACLs
|
| 145 | will be freed and reloaded. Existing subscriptions will
|
| 146 | be affected after the reload.</para>
|
| 147 | </listitem>
|
| 148 | </varlistentry>
|
| 149 | <varlistentry>
|
| 150 | <term><option>allow_anonymous</option> [ true | false ]</term>
|
| 151 | <listitem>
|
| 152 | <para>Boolean value that determines whether clients that
|
| 153 | connect without providing a username are allowed to
|
| 154 | connect. If set to <replaceable>false</replaceable>
|
| 155 | then another means of connection should be created to
|
| 156 | control authenticated client access. Defaults to
|
| 157 | <replaceable>true</replaceable>.</para>
|
| 158 | <para>Reloaded on reload signal.</para>
|
| 159 | </listitem>
|
| 160 | </varlistentry>
|
| 161 | <varlistentry>
|
| 162 | <term><option>allow_duplicate_messages</option> [ true | false ]</term>
|
| 163 | <listitem>
|
| 164 | <para>If a client is subscribed to multiple subscriptions
|
| 165 | that overlap, e.g. foo/# and foo/+/baz , then MQTT
|
| 166 | expects that when the broker receives a message on a
|
| 167 | topic that matches both subscriptions, such as
|
| 168 | foo/bar/baz, then the client should only receive the
|
| 169 | message once.</para>
|
| 170 | <para>Mosquitto keeps track of which clients a message has
|
| 171 | been sent to in order to meet this requirement. This
|
| 172 | option allows this behaviour to be disabled, which may
|
| 173 | be useful if you have a large number of clients
|
| 174 | subscribed to the same set of topics and want to
|
| 175 | minimise memory usage.</para>
|
| 176 | <para>It can be safely set to
|
| 177 | <replaceable>true</replaceable> if you know in advance
|
| 178 | that your clients will never have overlapping
|
| 179 | subscriptions, otherwise your clients must be able to
|
| 180 | correctly deal with duplicate messages even when then
|
| 181 | have QoS=2.</para>
|
| 182 | <para>Defaults to <replaceable>true</replaceable>.</para>
|
| 183 | <para>Reloaded on reload signal.</para>
|
| 184 | </listitem>
|
| 185 | </varlistentry>
|
| 186 | <varlistentry>
|
| 187 | <term><option>auth_opt_*</option> <replaceable>value</replaceable></term>
|
| 188 | <listitem>
|
| 189 | <para>Options to be passed to the auth plugin. See the
|
| 190 | specific plugin instructions. </para>
|
| 191 | </listitem>
|
| 192 | </varlistentry>
|
| 193 | <varlistentry>
|
| 194 | <term><option>auth_plugin</option> <replaceable>file path</replaceable></term>
|
| 195 | <listitem>
|
| 196 | <para>Specify an external module to use for authentication
|
| 197 | and access control. This allows custom
|
| 198 | username/password and access control functions to be
|
| 199 | created.</para>
|
| 200 | <para>Not currently reloaded on reload signal.</para>
|
| 201 | </listitem>
|
| 202 | </varlistentry>
|
| 203 | <varlistentry>
|
| 204 | <term><option>autosave_interval</option> <replaceable>seconds</replaceable></term>
|
| 205 | <listitem>
|
| 206 | <para>The number of seconds that mosquitto will wait
|
| 207 | between each time it saves the in-memory database to
|
| 208 | disk. If set to 0, the in-memory database will only be
|
| 209 | saved when mosquitto exits or when receiving the
|
| 210 | SIGUSR1 signal. Note that this setting only has an
|
| 211 | effect if persistence is enabled. Defaults to 1800
|
| 212 | seconds (30 minutes).</para>
|
| 213 | <para>Reloaded on reload signal.</para>
|
| 214 | </listitem>
|
| 215 | </varlistentry>
|
| 216 | <varlistentry>
|
| 217 | <term><option>autosave_on_changes</option> [ true | false ]</term>
|
| 218 | <listitem>
|
| 219 | <para>If <replaceable>true</replaceable>, mosquitto will
|
| 220 | count the number of subscription changes, retained
|
| 221 | messages received and queued messages and if the total
|
| 222 | exceeds <option>autosave_interval</option> then the
|
| 223 | in-memory database will be saved to disk. If
|
| 224 | <replaceable>false</replaceable>, mosquitto will save
|
| 225 | the in-memory database to disk by treating
|
| 226 | <option>autosave_interval</option> as a time in
|
| 227 | seconds.</para>
|
| 228 | <para>Reloaded on reload signal.</para>
|
| 229 | </listitem>
|
| 230 | </varlistentry>
|
| 231 | <varlistentry>
|
| 232 | <term><option>clientid_prefixes</option> <replaceable>prefix</replaceable></term>
|
| 233 | <listitem>
|
| 234 | <para>If defined, only clients that have a clientid with a
|
| 235 | prefix that matches clientid_prefixes will be allowed
|
| 236 | to connect to the broker. For example, setting
|
| 237 | "secure-" here would mean a client "secure-client"
|
| 238 | could connect but another with clientid "mqtt"
|
| 239 | couldn't. By default, all client ids are valid.</para>
|
| 240 | <para>Reloaded on reload signal. Note that currently
|
| 241 | connected clients will be unaffected by any
|
| 242 | changes.</para>
|
| 243 | </listitem>
|
| 244 | </varlistentry>
|
| 245 | <varlistentry>
|
| 246 | <term><option>connection_messages</option> [ true | false ]</term>
|
| 247 | <listitem>
|
| 248 | <para>If set to <replaceable>true</replaceable>, the log
|
| 249 | will include entries when clients connect and
|
| 250 | disconnect. If set to <replaceable>false</replaceable>,
|
| 251 | these entries will not appear.</para>
|
| 252 | <para>Reloaded on reload signal.</para>
|
| 253 | </listitem>
|
| 254 | </varlistentry>
|
| 255 | <varlistentry>
|
| 256 | <term><option>include_dir</option> <replaceable>dir</replaceable></term>
|
| 257 | <listitem>
|
| 258 | <para>External configuration files may be included by using
|
| 259 | the include_dir option. This defines a directory that
|
| 260 | will be searched for config files. All files that end
|
| 261 | in '.conf' will be loaded as a configuration file. It
|
| 262 | is best to have this as the last option in the main
|
| 263 | file. This option will only be processed from the main
|
| 264 | configuration file. The directory specified must not
|
| 265 | contain the main configuration file.</para>
|
| 266 | </listitem>
|
| 267 | </varlistentry>
|
| 268 | <varlistentry>
|
| 269 | <term><option>log_dest</option> <replaceable>destinations</replaceable></term>
|
| 270 | <listitem>
|
| 271 | <para>Send log messages to a particular destination.
|
| 272 | Possible destinations are: <option>stdout</option>
|
| 273 | <option>stderr</option> <option>syslog</option>
|
| 274 | <option>topic</option>.</para>
|
| 275 | <para><option>stdout</option> and
|
| 276 | <option>stderr</option> log to the console on the
|
| 277 | named output.</para>
|
| 278 | <para><option>syslog</option> uses the userspace syslog
|
| 279 | facility which usually ends up in /var/log/messages or
|
| 280 | similar and topic logs to the broker topic
|
| 281 | '$SYS/broker/log/<severity>', where severity is
|
| 282 | one of D, E, W, N, I, M which are debug, error,
|
| 283 | warning, notice, information and message. Message type
|
| 284 | severity is used by the subscribe and unsubscribe
|
| 285 | log_type options and publishes log messages at
|
| 286 | $SYS/broker/log/M/subscribe and
|
| 287 | $SYS/broker/log/M/unsubscribe.</para>
|
| 288 | <para>The <option>file</option> destination requires an
|
| 289 | additional parameter which is the file to be logged to,
|
| 290 | e.g. "log_dest file /var/log/mosquitto.log". The file
|
| 291 | will be closed and reopened when the broker receives a
|
| 292 | HUP signal. Only a single file destination may be
|
| 293 | configured.</para>
|
| 294 | <para>Use "log_dest none" if you wish to disable logging.
|
| 295 | Defaults to stderr. This option may be specified
|
| 296 | multiple times.</para>
|
| 297 | <para>Note that if the broker is running as a Windows
|
| 298 | service it will default to "log_dest none" and neither
|
| 299 | stdout nor stderr logging is available.</para>
|
| 300 | <para>Reloaded on reload signal.</para>
|
| 301 | </listitem>
|
| 302 | </varlistentry>
|
| 303 | <varlistentry>
|
| 304 | <term><option>log_timestamp</option> [ true | false ]</term>
|
| 305 | <listitem>
|
| 306 | <para>Boolean value, if set to
|
| 307 | <replaceable>true</replaceable> a timestamp value will
|
| 308 | be added to each log entry. The default is
|
| 309 | <replaceable>true</replaceable>.</para>
|
| 310 | <para>Reloaded on reload signal.</para>
|
| 311 | </listitem>
|
| 312 | </varlistentry>
|
| 313 | <varlistentry>
|
| 314 | <term><option>log_type</option> <replaceable>types</replaceable></term>
|
| 315 | <listitem>
|
| 316 | <para>Choose types of messages to log. Possible types are:
|
| 317 | <replaceable>debug</replaceable>,
|
| 318 | <replaceable>error</replaceable>,
|
| 319 | <replaceable>warning</replaceable>,
|
| 320 | <replaceable>notice</replaceable>,
|
| 321 | <replaceable>information</replaceable>,
|
| 322 | <replaceable>none</replaceable>,
|
| 323 | <replaceable>all</replaceable>. Defaults to
|
| 324 | <replaceable>error</replaceable>,
|
| 325 | <replaceable>warning</replaceable>, <replaceable>notice
|
| 326 | </replaceable>and
|
| 327 | <replaceable>information</replaceable>. This option
|
| 328 | may be specified multiple times. Note that the
|
| 329 | <replaceable>debug </replaceable>type (used for
|
| 330 | decoding incoming/outgoing network packets) is never
|
| 331 | logged in topics.</para>
|
| 332 | <para>Reloaded on reload signal.</para>
|
| 333 | </listitem>
|
| 334 | </varlistentry>
|
| 335 | <varlistentry>
|
| 336 | <term><option>max_inflight_messages</option> <replaceable>count</replaceable></term>
|
| 337 | <listitem>
|
| 338 | <para>The maximum number of QoS 1 or 2 messages that can be
|
| 339 | in the process of being transmitted simultaneously.
|
| 340 | This includes messages currently going through
|
| 341 | handshakes and messages that are being retried.
|
| 342 | Defaults to 20. Set to 0 for no maximum. If set to 1,
|
| 343 | this will guarantee in-order delivery of
|
| 344 | messages.</para>
|
| 345 | <para>Reloaded on reload signal.</para>
|
| 346 | </listitem>
|
| 347 | </varlistentry>
|
| 348 | <varlistentry>
|
| 349 | <term><option>max_queued_messages</option> <replaceable>count</replaceable></term>
|
| 350 | <listitem>
|
| 351 | <para>The maximum number of QoS 1 or 2 messages to hold in
|
| 352 | the queue above those messages that are currently in
|
| 353 | flight. Defaults to 100. Set to 0 for no maximum (not
|
| 354 | recommended). See also the
|
| 355 | <option>queue_qos0_messages</option> option.</para>
|
| 356 | <para>Reloaded on reload signal.</para>
|
| 357 | </listitem>
|
| 358 | </varlistentry>
|
| 359 | <varlistentry>
|
| 360 | <term><option>message_size_limit</option> <replaceable>limit</replaceable></term>
|
| 361 | <listitem>
|
| 362 | <para>This option sets the maximum publish payload size
|
| 363 | that the broker will allow. Received messages that
|
| 364 | exceed this size will not be accepted by the broker.
|
| 365 | The default value is 0, which means that all valid MQTT
|
| 366 | messages are accepted. MQTT imposes a maximum payload
|
| 367 | size of 268435455 bytes.</para>
|
| 368 | </listitem>
|
| 369 | </varlistentry>
|
| 370 | <varlistentry>
|
| 371 | <term><option>password_file</option> <replaceable>file path</replaceable></term>
|
| 372 | <listitem>
|
| 373 | <para>Set the path to a password file. If defined, the
|
| 374 | contents of the file are used to control client access
|
| 375 | to the broker. The file can be created using the
|
| 376 | <citerefentry><refentrytitle>mosquitto_passwd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
| 377 | utility. If mosquitto is compiled without TLS support
|
| 378 | (it is recommended that TLS support is included), then
|
| 379 | the password file should be a text file with each line
|
| 380 | in the format "username:password", where the colon and
|
| 381 | password are optional but recommended. If
|
| 382 | <option>allow_anonymous</option> is set to
|
| 383 | <replaceable>false</replaceable>, only users defined in
|
| 384 | this file will be able to connect. Setting
|
| 385 | <option>allow_anonymous</option> to
|
| 386 | <replaceable>true</replaceable> when
|
| 387 | <replaceable>password_file</replaceable>is defined is
|
| 388 | valid and could be used with acl_file to have e.g. read
|
| 389 | only guest/anonymous accounts and defined users that
|
| 390 | can publish.</para>
|
| 391 | <para>Reloaded on reload signal. The currently loaded
|
| 392 | username and password data will be freed and reloaded.
|
| 393 | Clients that are already connected will not be
|
| 394 | affected.</para>
|
| 395 | <para>See also
|
| 396 | <citerefentry><refentrytitle>mosquitto_passwd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
| 397 | </listitem> </varlistentry>
|
| 398 | <varlistentry>
|
| 399 | <term><option>persistence</option> [ true | false ]</term>
|
| 400 | <listitem>
|
| 401 | <para>If <replaceable>true</replaceable>, connection,
|
| 402 | subscription and message data will be written to the
|
| 403 | disk in mosquitto.db at the location dictated by
|
| 404 | persistence_location. When mosquitto is restarted, it
|
| 405 | will reload the information stored in mosquitto.db. The
|
| 406 | data will be written to disk when mosquitto closes and
|
| 407 | also at periodic intervals as defined by
|
| 408 | autosave_interval. Writing of the persistence database
|
| 409 | may also be forced by sending mosquitto the SIGUSR1
|
| 410 | signal. If <replaceable>false</replaceable>, the data
|
| 411 | will be stored in memory only. Defaults to
|
| 412 | <replaceable>false</replaceable>.</para>
|
| 413 | <para>Reloaded on reload signal.</para>
|
| 414 | </listitem>
|
| 415 | </varlistentry>
|
| 416 | <varlistentry>
|
| 417 | <term><option>persistence_file</option> <replaceable>file name</replaceable></term>
|
| 418 | <listitem>
|
| 419 | <para>The filename to use for the persistent database.
|
| 420 | Defaults to mosquitto.db.</para>
|
| 421 | <para>Reloaded on reload signal.</para>
|
| 422 | </listitem>
|
| 423 | </varlistentry>
|
| 424 | <varlistentry>
|
| 425 | <term><option>persistence_location</option> <replaceable>path</replaceable></term>
|
| 426 | <listitem>
|
| 427 | <para>The path where the persistence database should be
|
| 428 | stored. Must end in a trailing slash. If not given,
|
| 429 | then the current directory is used.</para>
|
| 430 | <para>Reloaded on reload signal.</para>
|
| 431 | </listitem>
|
| 432 | </varlistentry>
|
| 433 | <varlistentry>
|
| 434 | <term><option>persistent_client_expiration</option> <replaceable>duration</replaceable></term>
|
| 435 | <listitem>
|
| 436 | <para>This option allows persistent clients (those with
|
| 437 | clean session set to false) to be removed if they do
|
| 438 | not reconnect within a certain time frame. This is a
|
| 439 | non-standard option. As far as the MQTT spec is
|
| 440 | concerned, persistent clients persist forever.</para>
|
| 441 | <para>Badly designed clients may set clean session to false
|
| 442 | whilst using a randomly generated client id. This leads
|
| 443 | to persistent clients that will never reconnect. This
|
| 444 | option allows these clients to be removed.</para>
|
| 445 | <para>The expiration period should be an integer followed
|
| 446 | by one of d w m y for day, week, month and year
|
| 447 | respectively. For example:</para>
|
| 448 | <itemizedlist mark="circle">
|
| 449 | <listitem><para>persistent_client_expiration 2m</para></listitem>
|
| 450 | <listitem><para>persistent_client_expiration 14d</para></listitem>
|
| 451 | <listitem><para>persistent_client_expiration 1y</para></listitem>
|
| 452 | </itemizedlist>
|
| 453 | <para>As this is a non-standard option, the default if not
|
| 454 | set is to never expire persistent clients.</para>
|
| 455 | <para>Reloaded on reload signal.</para>
|
| 456 | </listitem>
|
| 457 | </varlistentry>
|
| 458 | <varlistentry>
|
| 459 | <term><option>pid_file</option> <replaceable>file path</replaceable></term>
|
| 460 | <listitem>
|
| 461 | <para>Write a pid file to the file specified. If not given
|
| 462 | (the default), no pid file will be written. If the pid
|
| 463 | file cannot be written, mosquitto will exit. This
|
| 464 | option only has an effect is mosquitto is run in daemon
|
| 465 | mode.</para>
|
| 466 | <para>If mosquitto is being automatically started by an
|
| 467 | init script it will usually be required to write a pid
|
| 468 | file. This should then be configured as e.g.
|
| 469 | /var/run/mosquitto.pid</para>
|
| 470 | <para>Not reloaded on reload signal.</para>
|
| 471 | </listitem>
|
| 472 | </varlistentry>
|
| 473 | <varlistentry>
|
| 474 | <term><option>psk_file</option> <replaceable>file path</replaceable></term>
|
| 475 | <listitem>
|
| 476 | <para>Set the path to a pre-shared-key file. This option
|
| 477 | requires a listener to be have PSK support enabled. If
|
| 478 | defined, the contents of the file are used to control
|
| 479 | client access to the broker. Each line should be in the
|
| 480 | format "identity:key", where the key is a hexadecimal
|
| 481 | string with no leading "0x". A client connecting to a
|
| 482 | listener that has PSK support enabled must provide a
|
| 483 | matching identity and PSK to allow the encrypted
|
| 484 | connection to proceed.</para>
|
| 485 | <para>Reloaded on reload signal. The currently loaded
|
| 486 | identity and key data will be freed and reloaded.
|
| 487 | Clients that are already connected will not be
|
| 488 | affected.</para>
|
| 489 | </listitem> </varlistentry>
|
| 490 | <varlistentry>
|
| 491 | <term><option>queue_qos0_messages</option> [ true | false ]</term>
|
| 492 | <listitem>
|
| 493 | <para>Set to <replaceable>true</replaceable> to queue
|
| 494 | messages with QoS 0 when a persistent client is
|
| 495 | disconnected. These messages are included in the limit
|
| 496 | imposed by max_queued_messages. Defaults to
|
| 497 | <replaceable>false</replaceable>.</para>
|
| 498 | <para>Note that the MQTT v3.1 spec states that only QoS 1
|
| 499 | and 2 messages should be saved in this situation so
|
| 500 | this is a non-standard option.</para>
|
| 501 | <para>Reloaded on reload signal.</para>
|
| 502 | </listitem>
|
| 503 | </varlistentry>
|
| 504 | <varlistentry>
|
| 505 | <term><option>retained_persistence</option> [ true | false ]</term>
|
| 506 | <listitem>
|
| 507 | <para>This is a synonym of the <option>persistence</option>
|
| 508 | option.</para>
|
| 509 | <para>Reloaded on reload signal.</para>
|
| 510 | </listitem>
|
| 511 | </varlistentry>
|
| 512 | <varlistentry>
|
| 513 | <term><option>retry_interval</option> <replaceable>seconds</replaceable></term>
|
| 514 | <listitem>
|
| 515 | <para>The integer number of seconds after a QoS=1 or QoS=2
|
| 516 | message has been sent that mosquitto will wait before
|
| 517 | retrying when no response is received. If unset,
|
| 518 | defaults to 20 seconds.</para>
|
| 519 | <para>Reloaded on reload signal.</para>
|
| 520 | </listitem>
|
| 521 | </varlistentry>
|
| 522 | <varlistentry>
|
| 523 | <term><option>store_clean_interval</option> <replaceable>seconds</replaceable></term>
|
| 524 | <listitem>
|
| 525 | <para>The integer number of seconds between the internal
|
| 526 | message store being cleaned of messages that are no
|
| 527 | longer referenced. Lower values will result in lower
|
| 528 | memory usage but more processor time, higher values
|
| 529 | will have the opposite effect. Setting a value of 0
|
| 530 | means the unreferenced messages will be disposed of as
|
| 531 | quickly as possible. Defaults to 10 seconds.</para>
|
| 532 | <para>Reloaded on reload signal.</para>
|
| 533 | </listitem>
|
| 534 | </varlistentry>
|
| 535 | <varlistentry>
|
| 536 | <term><option>sys_interval</option> <replaceable>seconds</replaceable></term>
|
| 537 | <listitem>
|
| 538 | <para>The integer number of seconds between updates of the
|
| 539 | $SYS subscription hierarchy, which provides status
|
| 540 | information about the broker. If unset, defaults to 10
|
| 541 | seconds.</para>
|
| 542 | <para>Set to 0 to disable publishing the $SYS hierarchy
|
| 543 | completely.</para>
|
| 544 | <para>Reloaded on reload signal.</para>
|
| 545 | </listitem>
|
| 546 | </varlistentry>
|
| 547 | <varlistentry>
|
| 548 | <term><option>upgrade_outgoing_qos</option> [ true | false ]</term>
|
| 549 | <listitem>
|
| 550 | <para>The MQTT specification requires that the QoS of a
|
| 551 | message delivered to a subscriber is never upgraded to
|
| 552 | match the QoS of the subscription. Enabling this option
|
| 553 | changes this behaviour. If
|
| 554 | <option>upgrade_outgoing_qos</option> is set
|
| 555 | <replaceable>true</replaceable>, messages sent to a
|
| 556 | subscriber will always match the QoS of its
|
| 557 | subscription. This is a non-standard option not
|
| 558 | provided for by the spec. Defaults to
|
| 559 | <replaceable>false</replaceable>.</para>
|
| 560 | <para>Reloaded on reload signal.</para>
|
| 561 | </listitem>
|
| 562 | </varlistentry>
|
| 563 | <varlistentry>
|
| 564 | <term><option>user</option> <replaceable>username</replaceable></term>
|
| 565 | <listitem>
|
| 566 | <para>When run as root, change to this user and its primary
|
| 567 | group on startup. If mosquitto is unable to change to
|
| 568 | this user and group, it will exit with an error. The
|
| 569 | user specified must have read/write access to the
|
| 570 | persistence database if it is to be written. If run as
|
| 571 | a non-root user, this setting has no effect. Defaults
|
| 572 | to mosquitto.</para>
|
| 573 | <para>This setting has no effect on Windows and so you
|
| 574 | should run mosquitto as the user you wish it to run
|
| 575 | as.</para>
|
| 576 | <para>Not reloaded on reload signal.</para>
|
| 577 | </listitem>
|
| 578 | </varlistentry>
|
| 579 | </variablelist>
|
| 580 | </refsect1>
|
| 581 |
|
| 582 | <refsect1>
|
| 583 | <title>Listeners</title>
|
| 584 | <para>The network ports that mosquitto listens on can be controlled
|
| 585 | using listeners. The default listener options can be overridden and
|
| 586 | further listeners can be created.</para>
|
| 587 | <refsect2>
|
| 588 | <title>General Options</title>
|
| 589 | <variablelist>
|
| 590 | <varlistentry>
|
| 591 | <term><option>bind_address</option> <replaceable>address</replaceable></term>
|
| 592 | <listitem>
|
| 593 | <para>Listen for incoming network connections on the
|
| 594 | specified IP address/hostname only. This is useful
|
| 595 | to restrict access to certain network interfaces.
|
| 596 | To restrict access to mosquitto to the local host
|
| 597 | only, use "bind_address localhost". This only
|
| 598 | applies to the default listener. Use the listener
|
| 599 | variable to control other listeners.</para>
|
| 600 | <para>Not reloaded on reload signal.</para>
|
| 601 | </listitem>
|
| 602 | </varlistentry>
|
| 603 | <varlistentry>
|
| 604 | <term><option>listener</option> <replaceable>port</replaceable></term>
|
| 605 | <listitem>
|
| 606 | <para>Listen for incoming network connection on the
|
| 607 | specified port. A second optional argument allows
|
| 608 | the listener to be bound to a specific ip
|
| 609 | address/hostname. If this variable is used and
|
| 610 | neither <option>bind_address</option> nor
|
| 611 | <option>port</option> are used then the default
|
| 612 | listener will not be started. This option may be
|
| 613 | specified multiple times. See also the
|
| 614 | <option>mount_point</option> option.</para>
|
| 615 | <para>Not reloaded on reload signal.</para>
|
| 616 | </listitem>
|
| 617 | </varlistentry>
|
| 618 | <varlistentry>
|
| 619 | <term><option>max_connections</option> <replaceable>count</replaceable></term>
|
| 620 | <listitem>
|
| 621 | <para>Limit the total number of clients connected for
|
| 622 | the current listener. Set to <literal>-1</literal>
|
| 623 | to have "unlimited" connections. Note that other
|
| 624 | limits may be imposed that are outside the control
|
| 625 | of mosquitto. See e.g.
|
| 626 | <citerefentry><refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
| 627 | <para>Not reloaded on reload signal.</para>
|
| 628 | </listitem>
|
| 629 | </varlistentry>
|
| 630 | <varlistentry>
|
| 631 | <term><option>mount_point</option> <replaceable>topic prefix</replaceable></term>
|
| 632 | <listitem>
|
| 633 | <para>This option is used with the listener option to
|
| 634 | isolate groups of clients. When a client connects
|
| 635 | to a listener which uses this option, the string
|
| 636 | argument is attached to the start of all topics for
|
| 637 | this client. This prefix is removed when any
|
| 638 | messages are sent to the client. This means a
|
| 639 | client connected to a listener with mount point
|
| 640 | <replaceable>example</replaceable> can only see
|
| 641 | messages that are published in the topic hierarchy
|
| 642 | <replaceable>example</replaceable> and above.</para>
|
| 643 | <para>Not reloaded on reload signal.</para>
|
| 644 | </listitem>
|
| 645 | </varlistentry>
|
| 646 | <varlistentry>
|
| 647 | <term><option>port</option> <replaceable>port number</replaceable></term>
|
| 648 | <listitem>
|
| 649 | <para>Set the network port for the default listener to
|
| 650 | listen on. Defaults to 1883.</para>
|
| 651 | <para>Not reloaded on reload signal.</para>
|
| 652 | </listitem>
|
| 653 | </varlistentry>
|
| 654 | </variablelist>
|
| 655 | </refsect2>
|
| 656 | <refsect2>
|
| 657 | <title>Certificate based SSL/TLS Support</title>
|
| 658 | <para>The following options are available for all listeners to
|
| 659 | configure certificate based SSL support. See also
|
| 660 | "Pre-shared-key based SSL/TLS support".</para>
|
| 661 | <variablelist>
|
| 662 | <varlistentry>
|
| 663 | <term><option>cafile</option> <replaceable>file path</replaceable></term>
|
| 664 | <listitem>
|
| 665 | <para>At least one of <option>cafile</option> or
|
| 666 | <option>capath</option> must be provided to allow
|
| 667 | SSL support.</para>
|
| 668 | <para><option>cafile</option> is used to define the
|
| 669 | path to a file containing the PEM encoded CA
|
| 670 | certificates that are trusted.</para>
|
| 671 | </listitem>
|
| 672 | </varlistentry>
|
| 673 | <varlistentry>
|
| 674 | <term><option>capath</option> <replaceable>directory path</replaceable></term>
|
| 675 | <listitem>
|
| 676 | <para>At least one of <option>cafile</option> or
|
| 677 | <option>capath</option> must be provided to allow
|
| 678 | SSL support.</para>
|
| 679 | <para><option>capath</option> is used to define a
|
| 680 | directory that contains PEM encoded CA certificates
|
| 681 | that are trusted. For <option>capath</option> to
|
| 682 | work correctly, the certificates files must have
|
| 683 | ".pem" as the file ending and you must run
|
| 684 | "c_rehash <path to capath>" each time you
|
| 685 | add/remove a certificate.</para>
|
| 686 | </listitem>
|
| 687 | </varlistentry>
|
| 688 | <varlistentry>
|
| 689 | <term><option>certfile</option> <replaceable>file path</replaceable></term>
|
| 690 | <listitem>
|
| 691 | <para>Path to the PEM encoded server certificate.</para>
|
| 692 | </listitem>
|
| 693 | </varlistentry>
|
| 694 | <varlistentry>
|
| 695 | <term><option>ciphers</option> <replaceable>cipher:list</replaceable></term>
|
| 696 | <listitem>
|
| 697 | <para>The list of allowed ciphers, each separated with
|
| 698 | a colon. Available ciphers can be obtained using
|
| 699 | the "openssl ciphers" command.</para>
|
| 700 | </listitem>
|
| 701 | </varlistentry>
|
| 702 | <varlistentry>
|
| 703 | <term><option>crlfile</option> <replaceable>file path</replaceable></term>
|
| 704 | <listitem>
|
| 705 | <para>If you have <option>require_certificate</option>
|
| 706 | set to <replaceable>true</replaceable>, you can
|
| 707 | create a certificate revocation list file to revoke
|
| 708 | access to particular client certificates. If you
|
| 709 | have done this, use crlfile to point to the PEM
|
| 710 | encoded revocation file.</para>
|
| 711 | </listitem>
|
| 712 | </varlistentry>
|
| 713 | <varlistentry>
|
| 714 | <term><option>keyfile</option> <replaceable>file path</replaceable></term>
|
| 715 | <listitem>
|
| 716 | <para>Path to the PEM encoded keyfile.</para>
|
| 717 | </listitem>
|
| 718 | </varlistentry>
|
| 719 | <varlistentry>
|
| 720 | <term><option>require_certificate</option> [ true | false ]</term>
|
| 721 | <listitem>
|
| 722 | <para>By default an SSL/TLS enabled listener will
|
| 723 | operate in a similar fashion to a https enabled web
|
| 724 | server, in that the server has a certificate signed
|
| 725 | by a CA and the client will verify that it is a
|
| 726 | trusted certificate. The overall aim is encryption
|
| 727 | of the network traffic. By setting
|
| 728 | <option>require_certificate</option> to
|
| 729 | <replaceable>true</replaceable>, the client must
|
| 730 | provide a valid certificate in order for the
|
| 731 | network connection to proceed. This allows access
|
| 732 | to the broker to be controlled outside of the
|
| 733 | mechanisms provided by MQTT.</para>
|
| 734 | </listitem>
|
| 735 | </varlistentry>
|
| 736 | <varlistentry>
|
| 737 | <term><option>tls_version</option> <replaceable>version</replaceable></term>
|
| 738 | <listitem>
|
| 739 | <para>Configure the version of the TLS protocol to be
|
| 740 | used for this listener. Possible values are
|
| 741 | <replaceable>tlsv1.2</replaceable>,
|
| 742 | <replaceable>tlsv1.1</replaceable> and
|
| 743 | <replaceable>tlsv1</replaceable>. Defaults to
|
| 744 | <replaceable>tlsv1.2</replaceable>.</para>
|
| 745 | </listitem>
|
| 746 | </varlistentry>
|
| 747 | <varlistentry>
|
| 748 | <term><option>use_identity_as_username</option> [ true | false ]</term>
|
| 749 | <listitem>
|
| 750 | <para>If <option>require_certificate</option> is
|
| 751 | <replaceable>true</replaceable>, you may set
|
| 752 | <option>use_identity_as_username</option> to
|
| 753 | <replaceable>true</replaceable> to use the CN value
|
| 754 | from the client certificate as a username. If this
|
| 755 | is <replaceable>true</replaceable>, the
|
| 756 | <option>password_file</option> option will not be
|
| 757 | used for this listener.</para>
|
| 758 | </listitem>
|
| 759 | </varlistentry>
|
| 760 | </variablelist>
|
| 761 | </refsect2>
|
| 762 | <refsect2>
|
| 763 | <title>Pre-shared-key based SSL/TLS Support</title>
|
| 764 | <para>The following options are available for all listeners to
|
| 765 | configure pre-shared-key based SSL support. See also
|
| 766 | "Certificate based SSL/TLS support".</para>
|
| 767 | <variablelist>
|
| 768 | <varlistentry>
|
| 769 | <term><option>ciphers</option> <replaceable>cipher:list</replaceable></term>
|
| 770 | <listitem>
|
| 771 | <para>When using PSK, the encryption ciphers used will
|
| 772 | be chosen from the list of available PSK ciphers.
|
| 773 | If you want to control which ciphers are available,
|
| 774 | use this option. The list of available ciphers can
|
| 775 | be optained using the "openssl ciphers" command and
|
| 776 | should be provided in the same format as the output
|
| 777 | of that command.</para>
|
| 778 | </listitem>
|
| 779 | </varlistentry>
|
| 780 | <varlistentry>
|
| 781 | <term><option>psk_hint</option> <replaceable>hint</replaceable></term>
|
| 782 | <listitem>
|
| 783 | <para>The <option>psk_hint</option> option enables
|
| 784 | pre-shared-key support for this listener and also
|
| 785 | acts as an identifier for this listener. The hint
|
| 786 | is sent to clients and may be used locally to aid
|
| 787 | authentication. The hint is a free form string that
|
| 788 | doesn't have much meaning in itself, so feel free
|
| 789 | to be creative.</para>
|
| 790 | <para>If this option is provided, see
|
| 791 | <option>psk_file</option> to define the pre-shared
|
| 792 | keys to be used or create a security plugin to
|
| 793 | handle them.</para>
|
| 794 | </listitem>
|
| 795 | </varlistentry>
|
| 796 | <varlistentry>
|
| 797 | <term><option>tls_version</option> <replaceable>version</replaceable></term>
|
| 798 | <listitem>
|
| 799 | <para>Configure the version of the TLS protocol to be
|
| 800 | used for this listener. Possible values are
|
| 801 | <replaceable>tlsv1.2</replaceable>,
|
| 802 | <replaceable>tlsv1.1</replaceable> and
|
| 803 | <replaceable>tlsv1</replaceable>. Defaults to
|
| 804 | <replaceable>tlsv1.2</replaceable>.</para>
|
| 805 | </listitem>
|
| 806 | </varlistentry>
|
| 807 | <varlistentry>
|
| 808 | <term><option>use_identity_as_username</option> [ true | false ]</term>
|
| 809 | <listitem>
|
| 810 | <para>Set <option>use_identity_as_username</option> to
|
| 811 | have the psk identity sent by the client used as
|
| 812 | its username. The username will be checked as
|
| 813 | normal, so <option>password_file</option> or
|
| 814 | another means of authentication checking must be
|
| 815 | used. No password will be used.</para>
|
| 816 | </listitem>
|
| 817 | </varlistentry>
|
| 818 | </variablelist>
|
| 819 | </refsect2>
|
| 820 | </refsect1>
|
| 821 |
|
| 822 | <refsect1>
|
| 823 | <title>Configuring Bridges</title>
|
| 824 | <para>Multiple bridges (connections to other brokers) can be configured
|
| 825 | using the following variables.</para>
|
| 826 | <para>Bridges cannot currently be reloaded on reload signal.</para>
|
| 827 | <variablelist>
|
| 828 | <varlistentry>
|
| 829 | <term><option>address</option> <replaceable>address[:port]</replaceable> <replaceable>[address[:port]]</replaceable></term>
|
| 830 | <term><option>addresses</option> <replaceable>address[:port]</replaceable> <replaceable>[address[:port]]</replaceable></term>
|
| 831 | <listitem>
|
| 832 | <para>Specify the address and optionally the port of the
|
| 833 | bridge to connect to. This must be given for each
|
| 834 | bridge connection. If the port is not specified, the
|
| 835 | default of 1883 is used.</para>
|
| 836 | <para>Multiple host addresses can be specified on the
|
| 837 | address config. See the <option>round_robin</option>
|
| 838 | option for more details on the behaviour of bridges
|
| 839 | with multiple addresses.</para>
|
| 840 | </listitem>
|
| 841 | </varlistentry>
|
| 842 | <varlistentry>
|
| 843 | <term><option>cleansession</option> [ true | false ]</term>
|
| 844 | <listitem>
|
| 845 | <para>Set the clean session option for this bridge. Setting
|
| 846 | to <replaceable>false</replaceable> (the default),
|
| 847 | means that all subscriptions on the remote broker are
|
| 848 | kept in case of the network connection dropping. If set
|
| 849 | to <replaceable>true</replaceable>, all subscriptions
|
| 850 | and messages on the remote broker will be cleaned up if
|
| 851 | the connection drops. Note that setting to
|
| 852 | <replaceable>true</replaceable> may cause a large
|
| 853 | amount of retained messages to be sent each time the
|
| 854 | bridge reconnects.</para>
|
| 855 | <para>If you are using bridges with
|
| 856 | <option>cleansession</option> set to
|
| 857 | <replaceable>false</replaceable> (the default), then
|
| 858 | you may get unexpected behaviour from incoming topics
|
| 859 | if you change what topics you are subscribing to. This
|
| 860 | is because the remote broker keeps the subscription for
|
| 861 | the old topic. If you have this problem, connect your
|
| 862 | bridge with <option>cleansession</option> set to
|
| 863 | <replaceable>true</replaceable>, then reconnect with
|
| 864 | cleansession set to <replaceable>false</replaceable> as
|
| 865 | normal.</para>
|
| 866 | </listitem>
|
| 867 | </varlistentry>
|
| 868 | <varlistentry>
|
| 869 | <term><option>clientid</option> <replaceable>id</replaceable></term>
|
| 870 | <listitem>
|
| 871 | <para>Set the client id for this bridge connection. If not
|
| 872 | defined, this defaults to 'name.hostname', where name
|
| 873 | is the connection name and hostname is the hostname of
|
| 874 | this computer.</para>
|
| 875 | </listitem>
|
| 876 | </varlistentry>
|
| 877 | <varlistentry>
|
| 878 | <term><option>connection</option> <replaceable>name</replaceable></term>
|
| 879 | <listitem>
|
| 880 | <para>This variable marks the start of a new bridge
|
| 881 | connection. It is also used to give the bridge a name
|
| 882 | which is used as the client id on the remote
|
| 883 | broker.</para>
|
| 884 | </listitem>
|
| 885 | </varlistentry>
|
| 886 | <varlistentry>
|
| 887 | <term><option>keepalive_interval</option> <replaceable>seconds</replaceable></term>
|
| 888 | <listitem>
|
| 889 | <para>Set the number of seconds after which the bridge
|
| 890 | should send a ping if no other traffic has occurred.
|
| 891 | Defaults to 60. A minimum value of 5 seconds
|
| 892 | isallowed.</para>
|
| 893 | </listitem>
|
| 894 | </varlistentry>
|
| 895 | <varlistentry>
|
| 896 | <term><option>idle_timeout</option> <replaceable>seconds</replaceable></term>
|
| 897 | <listitem>
|
| 898 | <para>Set the amount of time a bridge using the lazy start
|
| 899 | type must be idle before it will be stopped. Defaults
|
| 900 | to 60 seconds.</para>
|
| 901 | </listitem>
|
| 902 | </varlistentry>
|
| 903 | <varlistentry>
|
| 904 | <term><option>notifications</option> [ true | false ]</term>
|
| 905 | <listitem>
|
| 906 | <para>If set to <replaceable>true</replaceable>, publish
|
| 907 | notification messages to the local and remote brokers
|
| 908 | giving information about the state of the bridge
|
| 909 | connection. Retained messages are published to the
|
| 910 | topic $SYS/broker/connection/<clientid>/state
|
| 911 | unless otherwise set with
|
| 912 | <option>notification_topic</option>s. If the message
|
| 913 | is 1 then the connection is active, or 0 if the
|
| 914 | connection has failed. Defaults to
|
| 915 | <replaceable>true</replaceable>.</para>
|
| 916 | </listitem>
|
| 917 | </varlistentry>
|
| 918 | <varlistentry>
|
| 919 | <term><option>notification_topic</option> <replaceable>topic</replaceable></term>
|
| 920 | <listitem>
|
| 921 | <para>Choose the topic on which notifications will be
|
| 922 | published for this bridge. If not set the messages will
|
| 923 | be sent on the topic
|
| 924 | $SYS/broker/connection/<clientid>/state.</para>
|
| 925 | </listitem>
|
| 926 | </varlistentry>
|
| 927 | <varlistentry>
|
| 928 | <term><option>password</option> <replaceable>value</replaceable></term>
|
| 929 | <listitem>
|
| 930 | <para>Configure a password for the bridge. This is used for
|
| 931 | authentication purposes when connecting to a broker
|
| 932 | that support MQTT v3.1 and requires a username and/or
|
| 933 | password to connect. This option is only valid if a
|
| 934 | username is also supplied.</para>
|
| 935 | </listitem>
|
| 936 | </varlistentry>
|
| 937 | <varlistentry>
|
| 938 | <term><option>restart_timeout</option> <replaceable>value</replaceable></term>
|
| 939 | <listitem>
|
| 940 | <para>Set the amount of time a bridge using the automatic
|
| 941 | start type will wait until attempting to reconnect.
|
| 942 | Defaults to 30 seconds.</para>
|
| 943 | </listitem>
|
| 944 | </varlistentry>
|
| 945 | <varlistentry>
|
| 946 | <term><option>round_robin</option> [ true | false ]</term>
|
| 947 | <listitem>
|
| 948 | <para>If the bridge has more than one address given in the
|
| 949 | address/addresses configuration, the round_robin option
|
| 950 | defines the behaviour of the bridge on a failure of the
|
| 951 | bridge connection. If round_robin is
|
| 952 | <replaceable>false</replaceable>, the default value,
|
| 953 | then the first address is treated as the main bridge
|
| 954 | connection. If the connection fails, the other
|
| 955 | secondary addresses will be attempted in turn. Whilst
|
| 956 | connected to a secondary bridge, the bridge will
|
| 957 | periodically attempt to reconnect to the main bridge
|
| 958 | until successful.</para>
|
| 959 | <para>If round_robin is <replaceable>true</replaceable>,
|
| 960 | then all addresses are treated as equals. If a
|
| 961 | connection fails, the next address will be tried and if
|
| 962 | successful will remain connected until it fails.</para>
|
| 963 | </listitem>
|
| 964 | </varlistentry>
|
| 965 | <varlistentry>
|
| 966 | <term><option>start_type</option> [ automatic | lazy | once ]</term>
|
| 967 | <listitem>
|
| 968 | <para>Set the start type of the bridge. This controls how
|
| 969 | the bridge starts and can be one of three types:
|
| 970 | <replaceable>automatic</replaceable>, <replaceable>lazy
|
| 971 | </replaceable>and <replaceable>once</replaceable>. Note
|
| 972 | that RSMB provides a fourth start type "manual" which
|
| 973 | isn't currently supported by mosquitto.</para>
|
| 974 |
|
| 975 | <para><replaceable>automatic</replaceable> is the default
|
| 976 | start type and means that the bridge connection will be
|
| 977 | started automatically when the broker starts and also
|
| 978 | restarted after a short delay (30 seconds) if the
|
| 979 | connection fails.</para>
|
| 980 |
|
| 981 | <para>Bridges using the <replaceable>lazy</replaceable>
|
| 982 | start type will be started automatically when the
|
| 983 | number of queued messages exceeds the number set with
|
| 984 | the <option>threshold</option> option. It will be
|
| 985 | stopped automatically after the time set by the
|
| 986 | <option>idle_timeout</option> parameter. Use this start
|
| 987 | type if you wish the connection to only be active when
|
| 988 | it is needed.</para>
|
| 989 |
|
| 990 | <para>A bridge using the <replaceable>once</replaceable>
|
| 991 | start type will be started automatically when the
|
| 992 | broker starts but will not be restarted if the
|
| 993 | connection fails.</para>
|
| 994 | </listitem>
|
| 995 | </varlistentry>
|
| 996 | <varlistentry>
|
| 997 | <term><option>threshold</option> <replaceable>count</replaceable></term>
|
| 998 | <listitem>
|
| 999 | <para>Set the number of messages that need to be queued for
|
| 1000 | a bridge with lazy start type to be restarted.
|
| 1001 | Defaults to 10 messages.</para>
|
| 1002 | </listitem>
|
| 1003 | </varlistentry>
|
| 1004 | <varlistentry>
|
| 1005 | <term><option>topic</option> <replaceable>pattern</replaceable> [[[ out | in | both ] qos-level] local-prefix remote-prefix]</term>
|
| 1006 | <listitem>
|
| 1007 | <para>Define a topic pattern to be shared between the two
|
| 1008 | brokers. Any topics matching the pattern (which may
|
| 1009 | include wildcards) are shared. The second parameter
|
| 1010 | defines the direction that the messages will be shared
|
| 1011 | in, so it is possible to import messages from a remote
|
| 1012 | broker using <replaceable>in</replaceable>, export
|
| 1013 | messages to a remote broker using
|
| 1014 | <replaceable>out</replaceable> or share messages in
|
| 1015 | both directions. If this parameter is not defined, the
|
| 1016 | default of <replaceable>out</replaceable> is used. The
|
| 1017 | QoS level defines the publish/subscribe QoS level used
|
| 1018 | for this topic and defaults to 0.</para>
|
| 1019 | <para>The <replaceable>local-prefix</replaceable> and
|
| 1020 | <replaceable>remote-prefix</replaceable> options allow
|
| 1021 | topics to be remapped when publishing to and receiving
|
| 1022 | from remote brokers. This allows a topic tree from the
|
| 1023 | local broker to be inserted into the topic tree of the
|
| 1024 | remote broker at an appropriate place.</para>
|
| 1025 | <para>For incoming topics, the bridge will prepend the
|
| 1026 | pattern with the remote prefix and subscribe to the
|
| 1027 | resulting topic on the remote broker. When a matching
|
| 1028 | incoming message is received, the remote prefix will be
|
| 1029 | removed from the topic and then the local prefix
|
| 1030 | added.</para>
|
| 1031 | <para>For outgoing topics, the bridge will prepend the
|
| 1032 | pattern with the local prefix and subscribe to the
|
| 1033 | resulting topic on the local broker. When an outgoing
|
| 1034 | message is processed, the local prefix will be removed
|
| 1035 | from the topic then the remote prefix added.</para>
|
| 1036 | <para>When using topic mapping, an empty prefix can be
|
| 1037 | defined using the place marker
|
| 1038 | <replaceable>""</replaceable>. Using the empty marker
|
| 1039 | for the topic itself is also valid. The table below
|
| 1040 | defines what combination of empty or value is
|
| 1041 | valid.</para>
|
| 1042 | <informaltable>
|
| 1043 | <tgroup cols="5">
|
| 1044 | <thead>
|
| 1045 | <row>
|
| 1046 | <entry></entry>
|
| 1047 | <entry><emphasis>Topic</emphasis></entry>
|
| 1048 | <entry><emphasis>Local Prefix</emphasis></entry>
|
| 1049 | <entry><emphasis>Remote Prefix</emphasis></entry>
|
| 1050 | <entry><emphasis>Validity</emphasis></entry>
|
| 1051 | </row>
|
| 1052 | </thead>
|
| 1053 | <tbody>
|
| 1054 | <row><entry>1</entry><entry>value</entry><entry>value</entry><entry>value</entry><entry>valid</entry></row>
|
| 1055 | <row><entry>2</entry><entry>value</entry><entry>value</entry><entry>""</entry><entry>valid</entry></row>
|
| 1056 | <row><entry>3</entry><entry>value</entry><entry>""</entry><entry>value</entry><entry>valid</entry></row>
|
| 1057 | <row><entry>4</entry><entry>value</entry><entry>""</entry><entry>""</entry><entry>valid (no remapping)</entry></row>
|
| 1058 | <row><entry>5</entry><entry>""</entry><entry>value</entry><entry>value</entry><entry>valid (remap single local topic to remote)</entry></row>
|
| 1059 | <row><entry>6</entry><entry>""</entry><entry>value</entry><entry>""</entry><entry>invalid</entry></row>
|
| 1060 | <row><entry>7</entry><entry>""</entry><entry>""</entry><entry>value</entry><entry>invalid</entry></row>
|
| 1061 | <row><entry>8</entry><entry>""</entry><entry>""</entry><entry>""</entry><entry>invalid</entry></row>
|
| 1062 | </tbody>
|
| 1063 | </tgroup>
|
| 1064 | </informaltable>
|
| 1065 | <para>To remap an entire topic tree, use e.g.:</para>
|
| 1066 | <programlisting language="config">
|
| 1067 | topic # both 2 local/topic/ remote/topic/</programlisting>
|
| 1068 |
|
| 1069 | <para>This option can be specified multiple times per
|
| 1070 | bridge.</para>
|
| 1071 | <para>Care must be taken to ensure that loops are not
|
| 1072 | created with this option. If you are experiencing high
|
| 1073 | CPU load from a broker, it is possible that you have a
|
| 1074 | loop where each broker is forever forwarding each other
|
| 1075 | the same messages.</para>
|
| 1076 | <para>See also the <option>cleansession</option> option if
|
| 1077 | you have messages arriving on unexpected topics when
|
| 1078 | using incoming topics.</para>
|
| 1079 |
|
| 1080 | <example title="Bridge Topic Remapping" label="Bridge Topic Remapping">
|
| 1081 | <para>The configuration below connects a bridge to the
|
| 1082 | broker at <option>test.mosquitto.org</option>. It
|
| 1083 | subscribes to the remote topic
|
| 1084 | <option>$SYS/broker/clients/total</option> and
|
| 1085 | republishes the messages received to the local topic
|
| 1086 | <option>test/mosquitto/org/clients/total</option></para>
|
| 1087 | <programlisting language="config">
|
| 1088 | connection test-mosquitto-org
|
| 1089 | address test.mosquitto.org
|
| 1090 | cleansession true
|
| 1091 | topic clients/total in 0 test/mosquitto/org $SYS/broker/
|
| 1092 | </programlisting></example>
|
| 1093 |
|
| 1094 | </listitem>
|
| 1095 | </varlistentry>
|
| 1096 | <varlistentry>
|
| 1097 | <term><option>try_private</option> [ true | false ]</term>
|
| 1098 | <listitem>
|
| 1099 | <para>If try_private is set to
|
| 1100 | <replaceable>true</replaceable>, the bridge will
|
| 1101 | attempt to indicate to the remote broker that it is a
|
| 1102 | bridge not an ordinary client. If successful, this
|
| 1103 | means that loop detection will be more effective and
|
| 1104 | that retained messages will be propagated correctly.
|
| 1105 | Not all brokers support this feature so it may be
|
| 1106 | necessary to set <option>try_private</option> to
|
| 1107 | <replaceable>false</replaceable> if your bridge does
|
| 1108 | not connect properly.</para>
|
| 1109 | <para>Defaults to <replaceable>true</replaceable>.</para>
|
| 1110 | </listitem>
|
| 1111 | </varlistentry>
|
| 1112 | <varlistentry>
|
| 1113 | <term><option>username</option> <replaceable>name</replaceable></term>
|
| 1114 | <listitem>
|
| 1115 | <para>Configure a <option>username</option> for the bridge.
|
| 1116 | This is used for authentication purposes when
|
| 1117 | connecting to a broker that support MQTT v3.1 and
|
| 1118 | requires a username and/or password to connect. See
|
| 1119 | also the <option>password</option> option.</para>
|
| 1120 | </listitem>
|
| 1121 | </varlistentry>
|
| 1122 | </variablelist>
|
| 1123 | <refsect2>
|
| 1124 | <title>SSL/TLS Support</title>
|
| 1125 | <para>The following options are available for all bridges to
|
| 1126 | configure SSL/TLS support.</para>
|
| 1127 | <variablelist>
|
| 1128 | <varlistentry>
|
| 1129 | <term><option>bridge_cafile</option> <replaceable>file path</replaceable></term>
|
| 1130 | <listitem>
|
| 1131 | <para>One of <option>bridge_cafile</option> or
|
| 1132 | <option>bridge_capath</option> must be provided to
|
| 1133 | allow SSL/TLS support.</para>
|
| 1134 | <para>bridge_cafile is used to define the path to a file
|
| 1135 | containing the PEM encoded CA certificates that
|
| 1136 | have signed the certificate for the remote broker.
|
| 1137 | </para>
|
| 1138 | </listitem>
|
| 1139 | </varlistentry>
|
| 1140 | <varlistentry>
|
| 1141 | <term><option>bridge_capath</option> <replaceable>file path</replaceable></term>
|
| 1142 | <listitem>
|
| 1143 | <para>One of <option>bridge_capath</option> or
|
| 1144 | <option>bridge_capath</option> must be provided to
|
| 1145 | allow SSL/TLS support.</para>
|
| 1146 | <para>bridge_capath is used to define the path to a
|
| 1147 | directory containing the PEM encoded CA
|
| 1148 | certificates that have signed the certificate for
|
| 1149 | the remote broker. For bridge_capath to work
|
| 1150 | correctly, the certificate files must have ".crt"
|
| 1151 | as the file ending and you must run "c_rehash
|
| 1152 | <path to bridge_capath>" each time you
|
| 1153 | add/remove a certificate.</para>
|
| 1154 | </listitem>
|
| 1155 | </varlistentry>
|
| 1156 | <varlistentry>
|
| 1157 | <term><option>bridge_certfile</option> <replaceable>file path</replaceable></term>
|
| 1158 | <listitem>
|
| 1159 | <para>Path to the PEM encoded client certificate for
|
| 1160 | this bridge, if required by the remote
|
| 1161 | broker.</para>
|
| 1162 | </listitem>
|
| 1163 | </varlistentry>
|
| 1164 | <varlistentry>
|
| 1165 | <term><option>bridge_identity</option> <replaceable>identity</replaceable></term>
|
| 1166 | <listitem>
|
| 1167 | <para>Pre-shared-key encryption provides an alternative
|
| 1168 | to certificate based encryption. A bridge can be
|
| 1169 | configured to use PSK with the
|
| 1170 | <option>bridge_identity</option> and
|
| 1171 | <option>bridge_psk</option> options. This is the
|
| 1172 | client identity used with PSK encryption. Only one
|
| 1173 | of certificate and PSK based encryption can be used
|
| 1174 | on one bridge at once.</para>
|
| 1175 | </listitem>
|
| 1176 | </varlistentry>
|
| 1177 | <varlistentry>
|
| 1178 | <term><option>bridge_insecure</option> [ true | false ]</term>
|
| 1179 | <listitem>
|
| 1180 | <para>When using certificate based TLS, the bridge will
|
| 1181 | attempt to verify the hostname provided in the
|
| 1182 | remote certificate matches the host/address being
|
| 1183 | connected to. This may cause problems in testing
|
| 1184 | scenarios, so <option>bridge_insecure</option> may
|
| 1185 | be set to <replaceable>false</replaceable> to
|
| 1186 | disable the hostname verification.</para>
|
| 1187 | <para>Setting this option to
|
| 1188 | <replaceable>true</replaceable> means that a
|
| 1189 | malicious third party could potentially inpersonate
|
| 1190 | your server, so it should always be set to
|
| 1191 | <replaceable>false</replaceable> in production
|
| 1192 | environments.</para>
|
| 1193 | </listitem>
|
| 1194 | </varlistentry>
|
| 1195 | <varlistentry>
|
| 1196 | <term><option>bridge_keyfile</option> <replaceable>file path</replaceable></term>
|
| 1197 | <listitem>
|
| 1198 | <para>Path to the PEM encoded private key for this
|
| 1199 | bridge, if required by the remote broker.</para>
|
| 1200 | </listitem>
|
| 1201 | </varlistentry>
|
| 1202 | <varlistentry>
|
| 1203 | <term><option>bridge_psk</option> <replaceable>key</replaceable></term>
|
| 1204 | <listitem>
|
| 1205 | <para>Pre-shared-key encryption provides an alternative
|
| 1206 | to certificate based encryption. A bridge can be
|
| 1207 | configured to use PSK with the
|
| 1208 | <option>bridge_identity</option> and
|
| 1209 | <option>bridge_psk</option> options. This is the
|
| 1210 | pre-shared-key in hexadecimal format with no "0x".
|
| 1211 | Only one of certificate and PSK based encryption
|
| 1212 | can be used on one bridge at once.</para>
|
| 1213 | </listitem>
|
| 1214 | </varlistentry>
|
| 1215 | <varlistentry>
|
| 1216 | <term><option>bridge_tls_version</option> <replaceable>version</replaceable></term>
|
| 1217 | <listitem>
|
| 1218 | <para>Configure the version of the TLS protocol to be
|
| 1219 | used for this bridge. Possible values are
|
| 1220 | <replaceable>tlsv1.2</replaceable>,
|
| 1221 | <replaceable>tlsv1.1</replaceable> and
|
| 1222 | <replaceable>tlsv1</replaceable>. Defaults to
|
| 1223 | <replaceable>tlsv1.2</replaceable>. The remote
|
| 1224 | broker must support the same version of TLS for the
|
| 1225 | connection to succeed.</para>
|
| 1226 | </listitem>
|
| 1227 | </varlistentry>
|
| 1228 | </variablelist>
|
| 1229 | </refsect2>
|
| 1230 | </refsect1>
|
| 1231 |
|
| 1232 | <refsect1>
|
| 1233 | <title>Files</title>
|
| 1234 | <para>mosquitto.conf</para>
|
| 1235 | </refsect1>
|
| 1236 |
|
| 1237 | <refsect1>
|
| 1238 | <title>Bugs</title>
|
| 1239 | <para><command>mosquitto</command> bug information can be found at <uri
|
| 1240 | type="webpage">http://launchpad.net/mosquitto</uri></para>
|
| 1241 | </refsect1>
|
| 1242 |
|
| 1243 | <refsect1>
|
| 1244 | <title>See Also</title>
|
| 1245 | <simplelist type="inline">
|
| 1246 | <member>
|
| 1247 | <citerefentry>
|
| 1248 | <refentrytitle><link xlink:href="mosquitto-8.html">mosquitto</link></refentrytitle>
|
| 1249 | <manvolnum>8</manvolnum>
|
| 1250 | </citerefentry>
|
| 1251 | </member>
|
| 1252 | <member>
|
| 1253 | <citerefentry>
|
| 1254 | <refentrytitle><link xlink:href="mosquitto_passwd-1.html">mosquitto_passwd</link></refentrytitle>
|
| 1255 | <manvolnum>1</manvolnum>
|
| 1256 | </citerefentry>
|
| 1257 | </member>
|
| 1258 | <member>
|
| 1259 | <citerefentry>
|
| 1260 | <refentrytitle><link xlink:href="mosquitto-tls-7.html">mosquitto-tls</link></refentrytitle>
|
| 1261 | <manvolnum>7</manvolnum>
|
| 1262 | </citerefentry>
|
| 1263 | </member>
|
| 1264 | <member>
|
| 1265 | <citerefentry>
|
| 1266 | <refentrytitle><link xlink:href="mqtt-7.html">mqtt</link></refentrytitle>
|
| 1267 | <manvolnum>7</manvolnum>
|
| 1268 | </citerefentry>
|
| 1269 | </member>
|
| 1270 | <member>
|
| 1271 | <citerefentry>
|
| 1272 | <refentrytitle><link xlink:href="http://linux.die.net/man/5/limits.conf">limits.conf</link></refentrytitle>
|
| 1273 | <manvolnum>5</manvolnum>
|
| 1274 | </citerefentry>
|
| 1275 | </member>
|
| 1276 | </simplelist>
|
| 1277 | </refsect1>
|
| 1278 |
|
| 1279 | <refsect1>
|
| 1280 | <title>Author</title>
|
| 1281 | <para>Roger Light <email>roger@atchoo.org</email></para>
|
| 1282 | </refsect1>
|
| 1283 | </refentry>
|