# Config file for mosquitto
#
# See mosquitto.conf(5) for more information.
#
# Default values are shown, uncomment to change.
#
# Use the # character to indicate a comment, but only if it is the
# very first character on the line.

# =================================================================
# General configuration
# =================================================================

# Use per listener security settings.
#
# It is recommended this option be set before any other options.
#
# If this option is set to true, then all authentication and access control
# options are controlled on a per listener basis. The following options are
# affected:
#
# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
# auto_id_prefix allow_zero_length_clientid
#
# Note that if set to true, then a durable client (i.e. with clean session set
# to false) that has disconnected will use the ACL settings defined for the
# listener that it was most recently connected to.
#
# The default behaviour is for this to be set to false, which maintains the
# setting behaviour from previous versions of mosquitto.
#per_listener_settings false

# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
# and foo/+/baz, then MQTT expects that when the broker receives a message on
# a topic that matches both subscriptions, such as foo/bar/baz, then the client
# should only receive the message once.
# Mosquitto keeps track of which clients a message has been sent to in order to
# meet this requirement. The allow_duplicate_messages option allows this
# behaviour to be disabled, which may be useful if you have a large number of
# clients subscribed to the same set of topics and are very concerned about
# minimising memory usage.
# It can be safely set to true if you know in advance that your clients will
# never have overlapping subscriptions, otherwise your clients must be able to
# correctly deal with duplicate messages even when they have QoS=2.
#allow_duplicate_messages false

# This option controls whether a client is allowed to connect with a zero
# length client id or not. This option only affects clients using MQTT v3.1.1
# and later. If set to false, clients connecting with a zero length client id
# are disconnected. If set to true, clients will be allocated a client id by
# the broker. This means it is only useful for clients with clean session set
# to true.
#allow_zero_length_clientid true

# If allow_zero_length_clientid is true, this option allows you to set a prefix
# to automatically generated client ids to aid visibility in logs.
# Defaults to 'auto-'
#auto_id_prefix auto-

# This option affects the scenario when a client subscribes to a topic that has
# retained messages. It is possible that the client that published the retained
# message to the topic had access at the time they published, but that access
# has been subsequently removed. If check_retain_source is set to true, the
# default, the source of a retained message will be checked for access rights
# before it is republished. When set to false, no check will be made and the
# retained message will always be published. This affects all listeners.
#check_retain_source true

# QoS 1 and 2 messages will be allowed inflight per client until this limit
# is exceeded. Defaults to 0. (No maximum)
# See also max_inflight_messages
#max_inflight_bytes 0

# The maximum number of QoS 1 and 2 messages currently inflight per
# client.
# This includes messages that are partway through handshakes and
# those that are being retried. Defaults to 20. Set to 0 for no
# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
# and 2 messages.
#max_inflight_messages 20

# For MQTT v5 clients, it is possible to have the server send a "server
# keepalive" value that will override the keepalive value set by the client.
# This is intended to be used as a mechanism to say that the server will
# disconnect the client earlier than it anticipated, and that the client should
# use the new keepalive value. The max_keepalive option allows you to specify
# that clients may only connect with keepalive less than or equal to this
# value, otherwise they will be sent a server keepalive telling them to use
# max_keepalive. This only applies to MQTT v5 clients. The maximum value
# allowable is 65535. Do not set below 10.
#max_keepalive 65535

# For MQTT v5 clients, it is possible to have the server send a "maximum packet
# size" value that will instruct the client it will not accept MQTT packets
# with size greater than max_packet_size bytes. This applies to the full MQTT
# packet, not just the payload. Setting this option to a positive value will
# set the maximum packet size to that number of bytes. If a client sends a
# packet which is larger than this value, it will be disconnected. This applies
# to all clients regardless of the protocol version they are using, but v3.1.1
# and earlier clients will of course not have received the maximum packet size
# information. Defaults to no limit. Setting below 20 bytes is forbidden
# because it is likely to interfere with ordinary client operation, even with
# very small payloads.
#max_packet_size 0

# QoS 1 and 2 messages above those currently in-flight will be queued per
# client until this limit is exceeded. Defaults to 0. (No maximum)
# See also max_queued_messages.
# If both max_queued_messages and max_queued_bytes are specified, packets will
# be queued until the first limit is reached.
#max_queued_bytes 0

# The maximum number of QoS 1 and 2 messages to hold in a queue per client
# above those that are currently in-flight. Defaults to 100. Set
# to 0 for no maximum (not recommended).
# See also queue_qos0_messages.
# See also max_queued_bytes.
#max_queued_messages 100
#
# This option sets the maximum number of heap memory bytes that the broker will
# allocate, and hence sets a hard limit on memory use by the broker. Memory
# requests that exceed this value will be denied. The effect will vary
# depending on what has been denied. If an incoming message is being processed,
# then the message will be dropped and the publishing client will be
# disconnected. If an outgoing message is being sent, then the individual
# message will be dropped and the receiving client will be disconnected.
# Defaults to no limit.
#memory_limit 0

# This option sets the maximum publish payload size that the broker will allow.
# Received messages that exceed this size will not be accepted by the broker.
# The default value is 0, which means that all valid MQTT messages are
# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
#message_size_limit 0

# This option allows persistent clients (those with clean session set to false)
# to be removed if they do not reconnect within a certain time frame.
#
# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1.
#
# Badly designed clients may set clean session to false whilst using a randomly
# generated client id. This leads to persistent clients that will never
# reconnect. This option allows these clients to be removed.
#
# The expiration period should be an integer followed by one of h d w m y for
# hour, day, week, month and year respectively. For example
#
# persistent_client_expiration 2m
# persistent_client_expiration 14d
# persistent_client_expiration 1y
#
# The default if not set is to never expire persistent clients.
#persistent_client_expiration

# Write process id to a file. Default is a blank string which means
# a pid file shouldn't be written.
# This should be set to /var/run/mosquitto.pid if mosquitto is
# being run automatically on boot with an init script and
# start-stop-daemon or similar.
#pid_file

# Set to true to queue messages with QoS 0 when a persistent client is
# disconnected. These messages are included in the limit imposed by
# max_queued_messages and max_queued_bytes
# Defaults to false.
# This is a non-standard option for the MQTT v3.1 spec but is allowed in
# v3.1.1.
#queue_qos0_messages false

# Set to false to disable retained message support. If a client publishes a
# message with the retain bit set, it will be disconnected if this is set to
# false.
#retain_available true

# Disable Nagle's algorithm on client sockets. This has the effect of reducing
# latency of individual messages at the potential cost of increasing the number
# of packets being sent.
#set_tcp_nodelay false

# Time in seconds between updates of the $SYS tree.
# Set to 0 to disable the publishing of the $SYS tree.
#sys_interval 10

# The MQTT specification requires that the QoS of a message delivered to a
# subscriber is never upgraded to match the QoS of the subscription. Enabling
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
# messages sent to a subscriber will always match the QoS of its subscription.
# This is a non-standard option explicitly disallowed by the spec.
#upgrade_outgoing_qos false

# When run as root, drop privileges to this user and its primary
# group.
# Set to root to stay as root, but this is not recommended.
# If run as a non-root user, this setting has no effect.
# Note that on Windows this has no effect and so mosquitto should
# be started by the user you wish it to run as.
#user mosquitto

# =================================================================
# Default listener
# =================================================================
# IP address/hostname to bind the default listener to. If not
# given, the default listener will not be bound to a specific
# address and so will be accessible to all network interfaces.
# bind_address ip-address/host name
#bind_address

# Port to use for the default listener.
#port 1884

# Bind the listener to a specific interface. This is similar to
# bind_address above but is useful when an interface has multiple addresses or
# the address may change. It is valid to use this with the bind_address option,
# but take care that the interface you are binding to contains the address you
# are binding to, otherwise you will not be able to connect.
# Example: bind_interface eth0
#bind_interface

# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir

# Reclaim interval for system resources; 0 means process as soon as possible
store_clean_interval 0

# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
# Maximum number of connections allowed; -1 means no limit
max_connections -1

# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Websockets support is currently disabled by default at compile time.
# Certificate based TLS may be used with websockets, except that
# only the cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt

# Set use_username_as_clientid to true to replace the clientid that a client
# connected with, with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS
# is 8883, but this must be set manually.
#
# See also the mosquitto-tls man page.

# At least one of cafile or capath must be defined. They both
# define methods of accessing the PEM encoded Certificate
# Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash " each time you add/remove a certificate.
#cafile
#capath

# Path to the PEM encoded server certificate.
#certfile

# Path to the PEM encoded keyfile.
#keyfile

# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile

# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH

# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with the command
# e.g. "openssl dhparam -out dhparam.pem 2048"
#dhparamfile

# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false

# This option defines the version of the TLS protocol to use for this listener.
# The default value allows all of v1.3, v1.2 and v1.1. The valid values are
# tlsv1.3 tlsv1.2 and tlsv1.1.
#tls_version

# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
# This takes priority over use_subject_as_username.
# See also use_subject_as_username.
#use_identity_as_username false

# If require_certificate is true, you may set use_subject_as_username to true
# to use the complete subject value from the client certificate as a username.
# If this is true, the password_file option will not be used for this listener.
# See also use_identity_as_username
#use_subject_as_username false

# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers

# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false

# =================================================================
# Extra listeners
# =================================================================
# Listen on a port/ip address combination. By using this variable
# multiple times, mosquitto can listen on more than one port. If
# this variable is used and neither bind_address nor port given,
# then the default listener will not be started.
# The port number to listen on must be given. Optionally, an ip
# address or host name may be supplied as a second argument. In
# this case, mosquitto will attempt to bind the listener to that
# address and so restrict access to the associated network and
# interface. By default, mosquitto will listen on all interfaces.
# Note that for a websockets listener it is not possible to bind to a host
# name.
# listener port-number [ip address/host name]
#listener

# Bind the listener to a specific interface. This is similar to
# the [ip address/host name] part of the listener definition, but is useful
# when an interface has multiple addresses or the address may change. It is
# valid to use this with the [ip address/host name] part of the listener
# definition, but take care that the interface you are binding to contains the
# address you are binding to, otherwise you will not be able to connect.
# Only available on Linux and requires elevated privileges.
#
# Example: bind_interface eth0
#bind_interface

# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir

# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1

# The listener can be restricted to operating within a topic hierarchy using
# the mount_point option. This is achieved by prefixing the mount_point string
# to all topics for any clients connected to this listener. This prefixing only
# happens internally to the broker; the client will not see the prefix.
#mount_point

# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Certificate based TLS may be used with websockets, except that only the
# cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt

# Set use_username_as_clientid to true to replace the clientid that a client
# connected with, with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid

# Change the websockets headers size. This is a global option, it is not
# possible to set per listener. This option sets the size of the buffer used in
# the libwebsockets library when reading HTTP headers. If you are passing large
# header data such as cookies then you may need to increase this value. If left
# unset, or set to 0, then the default of 1024 bytes will be used.
#websockets_headers_size

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable certificate based SSL/TLS support
# for this listener. Note that the recommended port for MQTT over TLS is 8883,
# but this must be set manually.
#
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# At least one of cafile or capath must be defined to enable certificate based
# TLS encryption. They both define methods of accessing the PEM encoded
# Certificate Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash " each time you add/remove a certificate.
#cafile
#capath

# Path to the PEM encoded server certificate.
#certfile

# Path to the PEM encoded keyfile.
#keyfile

# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
#ciphers

# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile

# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with the command
# e.g. "openssl dhparam -out dhparam.pem 2048"
#dhparamfile

# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false

# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
#use_identity_as_username false

# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers

# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false

# =================================================================
# Persistence
# =================================================================

# If persistence is enabled, save the in-memory database to disk
# every autosave_interval seconds. If set to 0, the persistence
# database will only be written when mosquitto exits. See also
# autosave_on_changes.
# Note that writing of the persistence database can be forced by
# sending mosquitto a SIGUSR1 signal.
#autosave_interval 1800

# If true, mosquitto will count the number of subscription changes, retained
# messages received and queued messages and if the total exceeds
# autosave_interval then the in-memory database will be saved to disk.
# If false, mosquitto will save the in-memory database to disk by treating
# autosave_interval as a time in seconds.
#autosave_on_changes false

# Save persistent message data to disk (true/false).
# This saves information about all messages, including
# subscriptions, currently in-flight messages and retained
# messages.
# retained_persistence is a synonym for this option.
# Switch for the persistence feature
persistence true

# The filename to use for the persistent database, not including
# the path.
#persistence_file mosquitto.db

# Location for persistent database. Must include trailing /
# Default is an empty string (current directory).
# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or
# similar.
#persistence_location

# =================================================================
# Logging
# =================================================================

# Places to log to. Use multiple log_dest lines for multiple
# logging destinations.
# Possible destinations are: stdout stderr syslog topic file
#
# stdout and stderr log to the console on the named output.
#
# syslog uses the userspace syslog facility which usually ends up
# in /var/log/messages or similar.
#
# topic logs to the broker topic '$SYS/broker/log/',
# where severity is one of D, E, W, N, I, M which are debug, error,
# warning, notice, information and message. Message type severity is used by
# the subscribe/unsubscribe log_types and publishes log messages to
# $SYS/broker/log/M/subscribe or $SYS/broker/log/M/unsubscribe.
#
# The file destination requires an additional parameter which is the file to be
# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
# closed and reopened when the broker receives a HUP signal. Only a single file
# destination may be configured.
#
# Note that if the broker is running as a Windows service it will default to
# "log_dest none" and neither stdout nor stderr logging is available.
# Use "log_dest none" if you wish to disable logging.
# Four log modes: stdout, stderr, syslog, topic
# none means no logging; this setting can improve performance slightly
log_dest none

# Types of messages to log. Use multiple log_type lines for logging
# multiple types of messages.
# Possible types are: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, websockets, all.
# Note that debug type messages are for decoding the incoming/outgoing
# network packets. They are not logged in "topics".
#log_type error
#log_type warning
#log_type notice
#log_type information

# If set to true, client connection and disconnection messages will be included
# in the log.
#connection_messages true

# If using syslog logging (not on Windows), messages will be logged to the
# "daemon" facility by default. Use the log_facility option to choose which of
# local0 to local7 to log to instead. The option value should be an integer
# value, e.g. "log_facility 5" to use local5.
#log_facility

# If set to true, add a timestamp value to each log message.
#log_timestamp true

# Set the format of the log timestamp. If left unset, this is the number of
# seconds since the Unix epoch.
# This is a free text string which will be passed to the strftime function. To
# get an ISO 8601 datetime, for example:
# log_timestamp_format %Y-%m-%dT%H:%M:%S
#log_timestamp_format

# Change the websockets logging level. This is a global option, it is not
# possible to set per listener. This is an integer that is interpreted by
# libwebsockets as a bit mask for its lws_log_levels enum. See the
# libwebsockets documentation for more details. "log_type websockets" must also
# be enabled.
#websockets_log_level 0

# =================================================================
# Security
# =================================================================

# If set, only clients that have a matching prefix on their
# clientid will be allowed to connect to the broker. By default,
# all clients may connect.
# For example, setting "secure-" here would mean a client "secure-
# client" could connect but another with clientid "mqtt" couldn't.
#clientid_prefixes

# Boolean value that determines whether clients that connect
# without providing a username are allowed to connect. If set to
# false then a password file should be created (see the
# password_file option) to control authenticated client access.
#
# Defaults to true if no other security options are set. If `password_file` or
# `psk_file` is set, or if an authentication plugin is loaded which implements
# username/password or TLS-PSK checks, then `allow_anonymous` defaults to
# false.
#
#allow_anonymous true

# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------

# Control access to the broker using a password file. This file can be
# generated using the mosquitto_passwd utility. If TLS support is not compiled
# into mosquitto (it is recommended that TLS support should be included) then
# plain text passwords are used, in which case the file should be a text file
# with lines in the format:
# username:password
# The password (and colon) may be omitted if desired, although this
# offers very little in the way of security.
#
# See the TLS client require_certificate and use_identity_as_username options
# for alternative authentication options. If an auth_plugin is used as well as
# password_file, the auth_plugin check will be made first.
password_file /etc/mosquitto/pwfile.example

# Access may also be controlled using a pre-shared-key file. This requires
# TLS-PSK support and a listener configured to use it. The file should be text
# lines in the format:
# identity:key
# The key should be in hexadecimal format without a leading "0x".
# If an auth_plugin is used as well, the auth_plugin check will be made first.
#psk_file
686 # Control access to topics on the broker using an access control list687 # file. If this parameter is defined then only the topics listed will688 # have access.689 # If the first character of a line of the ACL file is a # it is treated as a690 # comment.691 # Topic access is added with lines of the format:692 #693 # topic [read|write|readwrite]
694 #695 # The access type is controlled using "read", "write" or "readwrite". This696 # parameter is optional (unless contains a space character) - if not697 # given then the access is read/write. can contain the + or #698 # wildcards as in subscriptions.699 #700 # The first set of topics are applied to anonymous clients, assuming701 # allow_anonymous is true. User specific topic ACLs are added after a702 # user line as follows:703 #704 # user
705 #706 # The username referred to here is the same as in password_file. It is707 # not the clientid.708 #709 #710 # If is also possible to define ACLs based on pattern substitution within the711 # topic. The patterns available for substition are:712 #713 # %c to match the client id of the client714 # %u to match the username of the client715 #716 # The substitution pattern must be the only text for that level of hierarchy.717 #718 # The form is the same as for the topic keyword, but using pattern as the719 # keyword.720 # Pattern ACLs apply to all users even if the "user" keyword has previously721 # been given.722 #723 # If using bridges with usernames and ACLs, connection messages can be allowed724 # with the following pattern:725 # pattern write $SYS/broker/connection/%c/state726 #727 # pattern [read|write|readwrite]
728 #729 # Example:730 #731 # pattern write sensor/%u/data732 #733 # If an auth_plugin is used as well as acl_file, the auth_plugin check will be734 # made first.735 acl_file /etc/mosquitto/aclfile.example736
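The ACL rules described above, evaluated in code as an added example (this is not mosquitto's own implementation). It models the documented semantics: `topic` lines before the first `user` line apply to anonymous clients, `user` blocks apply per username, `pattern` lines apply to everyone, `+` and `#` work as in subscriptions, and `%c`/`%u` are substituted only when they make up a whole level. Assumptions of the example: access is checked for one concrete topic (a publish is a "write", a delivery is a "read"); a named user with no `user` block gets only the pattern rules; and identities containing `+` or `#` are refused outright, a hardening choice of this example so that a substituted pattern cannot turn into a broader wildcard filter. The sample ACL text is constructed for illustration.

```python
ACCESS_WORDS = ("read", "write", "readwrite")


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT subscription-style match: + is one level, # the remainder.

    A filter that starts with a wildcard does not match $-prefixed topics
    (MQTT rule), so a bare "#" never grants access to $SYS/...
    """
    if topic.startswith("$") and topic_filter[:1] in ("#", "+"):
        return False
    flt = topic_filter.split("/")
    lvl = topic.split("/")
    for i, part in enumerate(flt):
        if part == "#":
            return i == len(flt) - 1          # '#' is only valid as the last level
        if i >= len(lvl) or (part != "+" and part != lvl[i]):
            return False
    return len(flt) == len(lvl)


def parse_acl(text: str):
    """Return (anonymous_rules, user_rules, pattern_rules); a rule is (access, topic)."""
    anonymous, users, patterns = [], {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "user":
            current = rest
            users.setdefault(current, [])
            continue
        if keyword not in ("topic", "pattern"):
            raise ValueError(f"unknown ACL keyword: {keyword!r}")
        first, _, tail = rest.partition(" ")          # access word is optional
        rule = (first, tail.strip()) if first in ACCESS_WORDS and tail.strip() else ("readwrite", rest)
        if keyword == "pattern":
            patterns.append(rule)
        elif current is None:
            anonymous.append(rule)
        else:
            users[current].append(rule)
    return anonymous, users, patterns


def _substitute(pattern_topic, username, clientid):
    """Replace whole levels equal to %c / %u; None if %u is used without a username."""
    out = []
    for level in pattern_topic.split("/"):
        if level == "%c":
            out.append(clientid)
        elif level == "%u":
            if username is None:
                return None
            out.append(username)
        else:
            out.append(level)
    return "/".join(out)


def acl_allows(acl, username, clientid, topic, access) -> bool:
    """True if the client may perform access ("read" or "write") on topic."""
    anonymous, users, patterns = acl
    # Example's own hardening: wildcard characters in an identity are refused.
    for ident in (username, clientid):
        if ident is not None and ("+" in ident or "#" in ident):
            return False
    rules = anonymous if username is None else users.get(username, [])
    for perm, flt in rules:
        if perm in (access, "readwrite") and topic_matches(flt, topic):
            return True
    for perm, flt in patterns:
        if perm not in (access, "readwrite"):
            continue
        concrete = _substitute(flt, username, clientid)
        if concrete is not None and topic_matches(concrete, topic):
            return True
    return False


# Constructed sample ACL, not a real deployment.
SAMPLE_ACL = """\
# anonymous clients: read-only access to public data and broker stats
topic read public/#
topic read $SYS/#

user alice
topic readwrite sensors/alice/#
topic read sensors/bob/temperature

pattern write sensors/%u/data
pattern readwrite clients/%c/#
pattern write $SYS/broker/connection/%c/state
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(acl_allows(acl, None, "anon-1", "public/news", "read"))           # True
    print(acl_allows(acl, "bob", "dev-7", "sensors/alice/data", "write"))   # False
```

Run it against your own aclfile by replacing `SAMPLE_ACL` with the file contents; the `$SYS` and wildcard-identity cases are the ones most often missed when reviewing an ACL by eye.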
# -----------------------------------------------------------------
# External authentication and topic access plugin options
# -----------------------------------------------------------------

# External authentication and access control can be supported with the
# auth_plugin option. This is a path to a loadable plugin. See also the
# auth_opt_* options described below.
#
# The auth_plugin option can be specified multiple times to load multiple
# plugins. The plugins will be processed in the order that they are specified
# here. If the auth_plugin option is specified alongside either of
# password_file or acl_file then the plugin checks will be made first.
#
#auth_plugin

# If the auth_plugin option above is used, define options to pass to the
# plugin here as described by the plugin instructions. All options named
# using the format auth_opt_* will be passed to the plugin, for example:
#
# auth_opt_db_host
# auth_opt_db_port
# auth_opt_db_username
# auth_opt_db_password

# =================================================================
# Bridges
# =================================================================

# A bridge is a way of connecting multiple MQTT brokers together.
# Create a new bridge using the "connection" option as described below. Set
# options for the bridges using the remaining parameters. You must specify the
# address and at least one topic to subscribe to.
#
# Each connection must have a unique name.
#
# The address line may have multiple host address and ports specified. See
# below in the round_robin description for more details on bridge behaviour if
# multiple addresses are used. Note that if you use an IPv6 address, then you
# are required to specify a port.
#
# The direction that the topic will be shared can be chosen by
# specifying out, in or both, where the default value is out.
# The QoS level of the bridged communication can be specified with the next
# topic option. The default QoS level is 0, to change the QoS the topic
# direction must also be given.
#
# The local and remote prefix options allow a topic to be remapped when it is
# bridged to/from the remote broker. This provides the ability to place a topic
# tree in an appropriate location.
#
# For more details see the mosquitto.conf man page.
#
# Multiple topics can be specified per connection, but be careful
# not to create any loops.
#
# If you are using bridges with cleansession set to false (the default), then
# you may get unexpected behaviour from incoming topics if you change what
# topics you are subscribing to. This is because the remote broker keeps the
# subscription for the old topic. If you have this problem, connect your bridge
# with cleansession set to true, then reconnect with cleansession set to false
# as normal.
#connection <name>
#address <host>[:<port>] [<host>[:<port>]]
#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
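The connection, address and topic syntax above assembled into one complete bridge definition, as an added example that is not part of the upstream mosquitto.conf. The host name, credentials, CA path, client ids, topic names and the `sites/site-a/` prefix are placeholders chosen for illustration; every option used is one documented in this section.

```conf
# Uplink from a site broker to a central broker over TLS, server verified.
connection site-a-uplink
address central.example.net:8883
bridge_cafile /etc/mosquitto/certs/central-ca.crt
bridge_insecure false
remote_clientid site-a-bridge
remote_username site-a
remote_password change-me
try_private true
cleansession false
notifications true
start_type automatic
restart_timeout 10 60

# Local sensors/... is published on the remote as sites/site-a/sensors/...
# (direction out, QoS 1, empty local prefix written as "").
topic sensors/# out 1 "" sites/site-a/

# Remote sites/site-a/cmd/... arrives locally as cmd/...
topic cmd/# in 1 "" sites/site-a/
```

On the central broker the `site-a` user should be confined by its ACL to `sites/site-a/#`, plus `pattern write $SYS/broker/connection/%c/state` so the notification message is allowed; with the prefixes above a compromised site broker then cannot publish outside its own subtree.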

# If a bridge has topics that have "out" direction, the default behaviour is to
# send an unsubscribe request to the remote broker on that topic. This means
# that changing a topic direction from "in" to "out" will not keep receiving
# incoming messages. Sending these unsubscribe requests is not always
# desirable; setting bridge_attempt_unsubscribe to false will disable sending
# the unsubscribe request.
#bridge_attempt_unsubscribe true

# Set the version of the MQTT protocol to use for this bridge. Can be one
# of mqttv311 or mqttv31. Defaults to mqttv311.
#bridge_protocol_version mqttv311

# Set the clean session variable for this bridge.
# When set to true, when the bridge disconnects for any reason, all
# messages and subscriptions will be cleaned up on the remote
# broker. Note that with cleansession set to true, there may be a
# significant amount of retained messages sent when the bridge
# reconnects after losing its connection.
# When set to false, the subscriptions and messages are kept on the
# remote broker, and delivered when the bridge reconnects.
#cleansession false

# Set the amount of time a bridge using the lazy start type must be idle before
# it will be stopped. Defaults to 60 seconds.
#idle_timeout 60

# Set the keepalive interval for this bridge connection, in
# seconds.
#keepalive_interval 60

# Set the clientid to use on the local broker. If not defined, this defaults to
# 'local.<clientid>'. If you are bridging a broker to itself, it is important
# that local_clientid and clientid do not match.
#local_clientid

# If set to true, publish notification messages to the local and remote brokers
# giving information about the state of the bridge connection. Retained
# messages are published to the topic $SYS/broker/connection/<clientid>/state
# unless the notification_topic option is used.
# If the message is 1 then the connection is active, or 0 if the connection has
# failed.
# This uses the last will and testament feature.
#notifications true

# Choose the topic on which notification messages for this bridge are
# published. If not set, messages are published on the topic
# $SYS/broker/connection/<clientid>/state
#notification_topic

# Set the client id to use on the remote end of this bridge connection. If not
# defined, this defaults to 'name.hostname' where name is the connection name
# and hostname is the hostname of this computer.
# This replaces the old "clientid" option to avoid confusion. "clientid"
# remains valid for the time being.
#remote_clientid

# Set the password to use when connecting to a broker that requires
# authentication. This option is only used if remote_username is also set.
# This replaces the old "password" option to avoid confusion. "password"
# remains valid for the time being.
#remote_password

# Set the username to use when connecting to a broker that requires
# authentication.
# This replaces the old "username" option to avoid confusion. "username"
# remains valid for the time being.
#remote_username

# Set the amount of time a bridge using the automatic start type will wait
# until attempting to reconnect.
# This option can be configured to use a constant delay time in seconds, or to
# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree
# of randomness to when the restart occurs.
#
# Set a constant timeout of 20 seconds:
# restart_timeout 20
#
# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of
# 60 seconds:
# restart_timeout 10 60
#
# Defaults to jitter with a base of 5 and cap of 30
#restart_timeout 5 30

# If the bridge has more than one address given in the address/addresses
# configuration, the round_robin option defines the behaviour of the bridge on
# a failure of the bridge connection. If round_robin is false, the default
# value, then the first address is treated as the main bridge connection. If
# the connection fails, the other secondary addresses will be attempted in
# turn. Whilst connected to a secondary bridge, the bridge will periodically
# attempt to reconnect to the main bridge until successful.
# If round_robin is true, then all addresses are treated as equals. If a
# connection fails, the next address will be tried and if successful will
# remain connected until it fails.
#round_robin false

# Set the start type of the bridge. This controls how the bridge starts and
# can be one of three types: automatic, lazy and once. Note that RSMB provides
# a fourth start type "manual" which isn't currently supported by mosquitto.
#
# "automatic" is the default start type and means that the bridge connection
# will be started automatically when the broker starts and also restarted
# after a short delay (30 seconds) if the connection fails.
#
# Bridges using the "lazy" start type will be started automatically when the
# number of queued messages exceeds the number set with the "threshold"
# parameter. It will be stopped automatically after the time set by the
# "idle_timeout" parameter. Use this start type if you wish the connection to
# only be active when it is needed.
#
# A bridge using the "once" start type will be started automatically when the
# broker starts but will not be restarted if the connection fails.
#start_type automatic

# Set the number of messages that need to be queued for a bridge with lazy
# start type to be restarted. Defaults to 10 messages.
# Must be less than max_queued_messages.
#threshold 10

# If try_private is set to true, the bridge will attempt to indicate to the
# remote broker that it is a bridge not an ordinary client. If successful, this
# means that loop detection will be more effective and that retained messages
# will be propagated correctly. Not all brokers support this feature so it may
# be necessary to set try_private to false if your bridge does not connect
# properly.
#try_private true

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# Either bridge_cafile or bridge_capath must be defined to enable TLS support
# for this bridge.
# bridge_cafile defines the path to a file containing the
# Certificate Authority certificates that have signed the remote broker
# certificate.
# bridge_capath defines a directory that will be searched for files containing
# the CA certificates. For bridge_capath to work correctly, the certificate
# files must have ".crt" as the file ending and you must run "openssl rehash
# <path to capath>" each time you add/remove a certificate.
#bridge_cafile
#bridge_capath

# If the remote broker has more than one protocol available on its port, e.g.
# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
# requested. Note that WebSockets support for bridges is not yet available.
#bridge_alpn

# When using certificate based encryption, bridge_insecure disables
# verification of the server hostname in the server certificate. This can be
# useful when testing initial server configurations, but makes it possible for
# a malicious third party to impersonate your server through DNS spoofing, for
# example. Use this option in testing only. If you need to resort to using this
# option in a production environment, your setup is at fault and there is no
# point using encryption.
#bridge_insecure false

# Path to the PEM encoded client certificate, if required by the remote broker.
#bridge_certfile

# Path to the PEM encoded client private key, if required by the remote broker.
#bridge_keyfile

# -----------------------------------------------------------------
# PSK based SSL/TLS support
# -----------------------------------------------------------------
# Pre-shared-key encryption provides an alternative to certificate based
# encryption. A bridge can be configured to use PSK with the bridge_identity
# and bridge_psk options. These are the client PSK identity, and pre-shared-key
# in hexadecimal format with no "0x". Only one of certificate and PSK based
# encryption can be used on one bridge at once.
#bridge_identity
#bridge_psk

# Deny connections that present no username. This is a global option (it
# applies to every listener because per_listener_settings is false); it is set
# here explicitly rather than relying on the implicit default that applies once
# password_file is configured.
allow_anonymous false

# =================================================================
# External config files
# =================================================================

# External configuration files may be included by using the
# include_dir option. This defines a directory that will be searched
# for config files. All files that end in '.conf' will be loaded as
# a configuration file. It is best to have this as the last option
# in the main file. This option will only be processed from the main
# configuration file. The directory specified must not contain the
# main configuration file.
# Files within include_dir will be loaded sorted in case-sensitive
# alphabetical order, with capital letters ordered first. If this option is
# given multiple times, all of the files from the first instance will be
# processed before the next instance. See the man page for examples.
#include_dir
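The include_dir loading rules above, modelled as an added example (not mosquitto code) to show why the drop-in directory matters for the hardening done earlier in this file: only names ending in `.conf` are loaded, in case-sensitive order with capitals first, and because the include happens at the end of the main file a later file silently overrides `allow_anonymous false`. The example assumes single-valued options (last assignment wins); the file names and contents are constructed for illustration.

```python
def include_order(filenames):
    """Load order for one include_dir: *.conf only, byte-order sort (ASCII capitals first)."""
    return sorted(name for name in filenames if name.endswith(".conf"))


def parse_settings(text):
    """Yield (option, value) pairs; blank lines and lines starting with # are skipped."""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        option, _, value = raw.strip().partition(" ")
        yield option, value.strip()


def effective_settings(main_text, include_files):
    """Resolve main file then include_dir files; returns (values, file that set each)."""
    values, origin = {}, {}
    for option, value in parse_settings(main_text):
        values[option], origin[option] = value, "mosquitto.conf"
    for name in include_order(include_files):
        for option, value in parse_settings(include_files[name]):
            values[option], origin[option] = value, name   # later file wins
    return values, origin


# Constructed example: a hardened main file plus a drop-in directory.
MAIN_CONF = """\
password_file /etc/mosquitto/pwfile.example
acl_file /etc/mosquitto/aclfile.example
allow_anonymous false
include_dir /etc/mosquitto/conf.d
"""

CONF_D = {
    "10-listener.conf": "listener 1883\n",
    "Zz-debug.conf": "# left over from a lab session\nallow_anonymous true\n",
    "local.conf": "max_connections 500\n",
    "notes.conf.bak": "allow_anonymous false\n",   # not loaded: wrong extension
}

if __name__ == "__main__":
    values, origin = effective_settings(MAIN_CONF, CONF_D)
    print(include_order(CONF_D))
    print("allow_anonymous =", values["allow_anonymous"], "set by", origin["allow_anonymous"])
```

Auditing a broker therefore means reading every `*.conf` in the include directory in this order, not just the main file; a stray `Zz-debug.conf` reopens anonymous access even though the main file denies it.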