diff --git a/mosquitto.conf b/mosquitto.conf index 80fa61c5..a2b845bb 100644 --- a/mosquitto.conf +++ b/mosquitto.conf @@ -4,80 +4,46 @@ # # Default values are shown, uncomment to change. # -# Use the # character to indicate a comment, but only if it is the +# Use the # character to indicate a comment, but only if it is the # very first character on the line. # ================================================================= # General configuration # ================================================================= -# Time in seconds between updates of the $SYS tree. -# Set to 0 to disable the publishing of the $SYS tree. -#sys_interval 10 +# Use per listener security settings. +# +# It is recommended this option be set before any other options. +# +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +# +# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous +# auto_id_prefix allow_zero_length_clientid +# +# Note that if set to true, then a durable client (i.e. with clean session set +# to false) that has disconnected will use the ACL settings defined for the +# listener that it was most recently connected to. +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false -# Time in seconds between cleaning the internal message store of -# unreferenced messages. Lower values will result in lower memory -# usage but more processor time, higher values will have the -# opposite effect. -# Setting a value of 0 means the unreferenced messages will be -# disposed of as quickly as possible. -#store_clean_interval 10 -# Write process id to a file. Default is a blank string which means -# a pid file shouldn't be written. -# This should be set to /var/run/mosquitto.pid if mosquitto is -# being run automatically on boot with an init script and -# start-stop-daemon or similar. -#pid_file - -# When run as root, drop privileges to this user and its primary -# group. -# Set to root to stay as root, but this is not recommended. -# If run as a non-root user, this setting has no effect. -# Note that on Windows this has no effect and so mosquitto should -# be started by the user you wish it to run as. -#user mosquitto - -# The maximum number of QoS 1 and 2 messages currently inflight per -# client. -# This includes messages that are partway through handshakes and -# those that are being retried. Defaults to 20. Set to 0 for no -# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 -# and 2 messages. -#max_inflight_messages 20 - -# QoS 1 and 2 messages will be allowed inflight per client until this limit -# is exceeded. Defaults to 0. (No maximum) -# See also max_inflight_messages -#max_inflight_bytes 0 - -# The maximum number of QoS 1 and 2 messages to hold in a queue per client -# above those that are currently in-flight. Defaults to 100. Set -# to 0 for no maximum (not recommended). -# See also queue_qos0_messages. -# See also max_queued_bytes. -#max_queued_messages 100 - -# QoS 1 and 2 messages above those currently in-flight will be queued per -# client until this limit is exceeded. Defaults to 0. (No maximum) -# See also max_queued_messages. -# If both max_queued_messages and max_queued_bytes are specified, packets will -# be queued until the first limit is reached. -#max_queued_bytes 0 - -# Set to true to queue messages with QoS 0 when a persistent client is -# disconnected. These messages are included in the limit imposed by -# max_queued_messages and max_queued_bytes -# Defaults to false. -# This is a non-standard option for the MQTT v3.1 spec but is allowed in -# v3.1.1. -#queue_qos0_messages false - -# This option sets the maximum publish payload size that the broker will allow. -# Received messages that exceed this size will not be accepted by the broker. -# The default value is 0, which means that all valid MQTT messages are -# accepted. MQTT imposes a maximum payload size of 268435455 bytes. -#message_size_limit 0 +# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/# +# and foo/+/baz , then MQTT expects that when the broker receives a message on +# a topic that matches both subscriptions, such as foo/bar/baz, then the client +# should only receive the message once. +# Mosquitto keeps track of which clients a message has been sent to in order to +# meet this requirement. The allow_duplicate_messages option allows this +# behaviour to be disabled, which may be useful if you have a large number of +# clients subscribed to the same set of topics and are very concerned about +# minimising memory usage. +# It can be safely set to true if you know in advance that your clients will +# never have overlapping subscriptions, otherwise your clients must be able to +# correctly deal with duplicate messages even when then have QoS=2. +#allow_duplicate_messages false # This option controls whether a client is allowed to connect with a zero # length client id or not. This option only affects clients using MQTT v3.1.1 @@ -92,6 +58,82 @@ # Defaults to 'auto-' #auto_id_prefix auto- +# This option affects the scenario when a client subscribes to a topic that has +# retained messages. It is possible that the client that published the retained +# message to the topic had access at the time they published, but that access +# has been subsequently removed. If check_retain_source is set to true, the +# default, the source of a retained message will be checked for access rights +# before it is republished. When set to false, no check will be made and the +# retained message will always be published. This affects all listeners. +#check_retain_source true + +# QoS 1 and 2 messages will be allowed inflight per client until this limit +# is exceeded. Defaults to 0. (No maximum) +# See also max_inflight_messages +#max_inflight_bytes 0 + +# The maximum number of QoS 1 and 2 messages currently inflight per +# client. +# This includes messages that are partway through handshakes and +# those that are being retried. Defaults to 20. Set to 0 for no +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 +# and 2 messages. +#max_inflight_messages 20 + +# For MQTT v5 clients, it is possible to have the server send a "server +# keepalive" value that will override the keepalive value set by the client. +# This is intended to be used as a mechanism to say that the server will +# disconnect the client earlier than it anticipated, and that the client should +# use the new keepalive value. The max_keepalive option allows you to specify +# that clients may only connect with keepalive less than or equal to this +# value, otherwise they will be sent a server keepalive telling them to use +# max_keepalive. This only applies to MQTT v5 clients. The maximum value +# allowable is 65535. Do not set below 10. +#max_keepalive 65535 + +# For MQTT v5 clients, it is possible to have the server send a "maximum packet +# size" value that will instruct the client it will not accept MQTT packets +# with size greater than max_packet_size bytes. This applies to the full MQTT +# packet, not just the payload. Setting this option to a positive value will +# set the maximum packet size to that number of bytes. If a client sends a +# packet which is larger than this value, it will be disconnected. This applies +# to all clients regardless of the protocol version they are using, but v3.1.1 +# and earlier clients will of course not have received the maximum packet size +# information. Defaults to no limit. Setting below 20 bytes is forbidden +# because it is likely to interfere with ordinary client operation, even with +# very small payloads. +#max_packet_size 0 + +# QoS 1 and 2 messages above those currently in-flight will be queued per +# client until this limit is exceeded. Defaults to 0. (No maximum) +# See also max_queued_messages. +# If both max_queued_messages and max_queued_bytes are specified, packets will +# be queued until the first limit is reached. +#max_queued_bytes 0 + +# The maximum number of QoS 1 and 2 messages to hold in a queue per client +# above those that are currently in-flight. Defaults to 100. Set +# to 0 for no maximum (not recommended). +# See also queue_qos0_messages. +# See also max_queued_bytes. +#max_queued_messages 100 +# +# This option sets the maximum number of heap memory bytes that the broker will +# allocate, and hence sets a hard limit on memory use by the broker. Memory +# requests that exceed this value will be denied. The effect will vary +# depending on what has been denied. If an incoming message is being processed, +# then the message will be dropped and the publishing client will be +# disconnected. If an outgoing message is being sent, then the individual +# message will be dropped and the receiving client will be disconnected. +# Defaults to no limit. +#memory_limit 0 + +# This option sets the maximum publish payload size that the broker will allow. +# Received messages that exceed this size will not be accepted by the broker. +# The default value is 0, which means that all valid MQTT messages are +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. +#message_size_limit 0 + # This option allows persistent clients (those with clean session set to false) # to be removed if they do not reconnect within a certain time frame. # @@ -111,19 +153,42 @@ # The default if not set is to never expire persistent clients. #persistent_client_expiration -# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/# -# and foo/+/baz , then MQTT expects that when the broker receives a message on -# a topic that matches both subscriptions, such as foo/bar/baz, then the client -# should only receive the message once. -# Mosquitto keeps track of which clients a message has been sent to in order to -# meet this requirement. The allow_duplicate_messages option allows this -# behaviour to be disabled, which may be useful if you have a large number of -# clients subscribed to the same set of topics and are very concerned about -# minimising memory usage. -# It can be safely set to true if you know in advance that your clients will -# never have overlapping subscriptions, otherwise your clients must be able to -# correctly deal with duplicate messages even when then have QoS=2. -#allow_duplicate_messages false +# Write process id to a file. Default is a blank string which means +# a pid file shouldn't be written. +# This should be set to /var/run/mosquitto.pid if mosquitto is +# being run automatically on boot with an init script and +# start-stop-daemon or similar. +#pid_file + +# Set to true to queue messages with QoS 0 when a persistent client is +# disconnected. These messages are included in the limit imposed by +# max_queued_messages and max_queued_bytes +# Defaults to false. +# This is a non-standard option for the MQTT v3.1 spec but is allowed in +# v3.1.1. +#queue_qos0_messages false + +# Set to false to disable retained message support. If a client publishes a +# message with the retain bit set, it will be disconnected if this is set to +# false. +#retain_available true + +# Disable Nagle's algorithm on client sockets. This has the effect of reducing +# latency of individual messages at the potential cost of increasing the number +# of packets being sent. +#set_tcp_nodelay false + +# Time in seconds between cleaning the internal message store of +# unreferenced messages. Lower values will result in lower memory +# usage but more processor time, higher values will have the +# opposite effect. +# Setting a value of 0 means the unreferenced messages will be +# disposed of as quickly as possible. +#store_clean_interval 10 + +# Time in seconds between updates of the $SYS tree. +# Set to 0 to disable the publishing of the $SYS tree. +#sys_interval 10 # The MQTT specification requires that the QoS of a message delivered to a # subscriber is never upgraded to match the QoS of the subscription. Enabling @@ -132,84 +197,20 @@ # This is a non-standard option explicitly disallowed by the spec. #upgrade_outgoing_qos false -# Disable Nagle's algorithm on client sockets. This has the effect of reducing -# latency of individual messages at the potential cost of increasing the number -# of packets being sent. -#set_tcp_nodelay false - -# Use per listener security settings. -# If this option is set to true, then all authentication and access control -# options are controlled on a per listener basis. The following options are -# affected: -# -# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous -# auto_id_prefix allow_zero_length_clientid -# -# Note that if set to true, then a durable client (i.e. with clean session set -# to false) that has disconnected will use the ACL settings defined for the -# listener that it was most recently connected to. -# -# The default behaviour is for this to be set to false, which maintains the -# setting behaviour from previous versions of mosquitto. -#per_listener_settings false - -# This option affects the scenario when a client subscribes to a topic that has -# retained messages. It is possible that the client that published the retained -# message to the topic had access at the time they published, but that access -# has been subsequently removed. If check_retain_source is set to true, the -# default, the source of a retained message will be checked for access rights -# before it is republished. When set to false, no check will be made and the -# retained message will always be published. This affects all listeners. -#check_retain_source true - - -# Set to false to disable retained message support. If a client publishes a -# message with the retain bit set, it will be disconnected if this is set to -# false. -#retain_available true - -# For MQTT v5 clients, it is possible to have the server send a "server -# keepalive" value that will override the keepalive value set by the client. -# This is intended to be used as a mechanism to say that the server will -# disconnect the client earlier than it anticipated, and that the client should -# use the new keepalive value. The max_keepalive option allows you to specify -# that clients may only connect with keepalive less than or equal to this -# value, otherwise they will be sent a server keepalive telling them to use -# max_keepalive. This only applies to MQTT v5 clients. The maximum value -# allowable is 65535. Do not set below 10. -#max_keepalive 65535 - - -# For MQTT v5 clients, it is possible to have the server send a "maximum packet -# size" value that will instruct the client it will not accept MQTT packets -# with size greater than max_packet_size bytes. This applies to the full MQTT -# packet, not just the payload. Setting this option to a positive value will -# set the maximum packet size to that number of bytes. If a client sends a -# packet which is larger than this value, it will be disconnected. This applies -# to all clients regardless of the protocol version they are using, but v3.1.1 -# and earlier clients will of course not have received the maximum packet size -# information. Defaults to no limit. Setting below 20 bytes is forbidden -# because it is likely to interfere with ordinary client operation, even with -# very small payloads. -#max_packet_size 0 - - -# This option sets the maximum number of heap memory bytes that the broker will -# allocate, and hence sets a hard limit on memory use by the broker. Memory -# requests that exceed this value will be denied. The effect will vary -# depending on what has been denied. If an incoming message is being processed, -# then the message will be dropped and the publishing client will be -# disconnected. If an outgoing message is being sent, then the individual -# message will be dropped and the receiving client will be disconnected. -# Defaults to no limit. -#memory_limit 0 +# When run as root, drop privileges to this user and its primary +# group. +# Set to root to stay as root, but this is not recommended. +# If run as a non-root user, this setting has no effect. +# Note that on Windows this has no effect and so mosquitto should +# be started by the user you wish it to run as. +#user mosquitto # ================================================================= # Default listener # ================================================================= # IP address/hostname to bind the default listener to. If not -# given, the default listener will not be bound to a specific +# given, the default listener will not be bound to a specific # address and so will be accessible to all network interfaces. # bind_address ip-address/host name #bind_address @@ -225,11 +226,17 @@ # Example: bind_interface eth0 #bind_interface -# The maximum number of client connections to allow. This is +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is # a per listener setting. # Default is -1, which means unlimited connections. -# Note that other process limits mean that unlimited connections -# are not really possible. Typically the default maximum number of +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of # connections possible is around 1024. #max_connections -1 @@ -240,12 +247,6 @@ # only the cafile, certfile, keyfile and ciphers options are supported. #protocol mqtt -# When a listener is using the websockets protocol, it is possible to serve -# http data as well. Set http_dir to a directory which contains the files you -# wish to serve. If this option is not specified, then no normal http -# connections will be possible. -#http_dir - # Set use_username_as_clientid to true to replace the clientid that a client # connected with with its username. This allows authentication to be tied to # the clientid, which means that it is possible to prevent one client @@ -259,15 +260,15 @@ # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- -# The following options can be used to enable SSL/TLS support for +# The following options can be used to enable SSL/TLS support for # this listener. Note that the recommended port for MQTT over TLS # is 8883, but this must be set manually. # # See also the mosquitto-tls man page. -# At least one of cafile or capath must be defined. They both -# define methods of accessing the PEM encoded Certificate -# Authority certificates that have signed your server certificate +# At least one of cafile or capath must be defined. They both +# define methods of accessing the PEM encoded Certificate +# Authority certificates that have signed your server certificate # and that you wish to trust. # cafile defines the path to a file containing the CA certificates. # capath defines a directory that will be searched for files @@ -283,32 +284,6 @@ # Path to the PEM encoded keyfile. #keyfile -# This option defines the version of the TLS protocol to use for this listener. -# The default value allows all of v1.3, v1.2 and v1.1. The valid values are -# tlsv1.3 tlsv1.2 and tlsv1.1. -#tls_version - -# By default a TLS enabled listener will operate in a similar fashion to a -# https enabled web server, in that the server has a certificate signed by a CA -# and the client will verify that it is a trusted certificate. The overall aim -# is encryption of the network traffic. By setting require_certificate to true, -# the client must provide a valid certificate in order for the network -# connection to proceed. This allows access to the broker to be controlled -# outside of the mechanisms provided by MQTT. -#require_certificate false - -# If require_certificate is true, you may set use_identity_as_username to true -# to use the CN value from the client certificate as a username. If this is -# true, the password_file option will not be used for this listener. -# This takes priority over use_subject_as_username. -# See also use_subject_as_username. -#use_identity_as_username false - -# If require_certificate is true, you may set use_subject_as_username to true -# to use the complete subject value from the client certificate as a username. -# If this is true, the password_file option will not be used for this listener. -# See also use_identity_as_username -#use_subject_as_username false # If you have require_certificate set to true, you can create a certificate # revocation list file to revoke access to particular client certificates. If @@ -328,6 +303,33 @@ # e.g. "openssl dhparam -out dhparam.pem 2048" #dhparamfile +# By default a TLS enabled listener will operate in a similar fashion to a +# https enabled web server, in that the server has a certificate signed by a CA +# and the client will verify that it is a trusted certificate. The overall aim +# is encryption of the network traffic. By setting require_certificate to true, +# the client must provide a valid certificate in order for the network +# connection to proceed. This allows access to the broker to be controlled +# outside of the mechanisms provided by MQTT. +#require_certificate false + +# This option defines the version of the TLS protocol to use for this listener. +# The default value allows all of v1.3, v1.2 and v1.1. The valid values are +# tlsv1.3 tlsv1.2 and tlsv1.1. +#tls_version + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +# This takes priority over use_subject_as_username. +# See also use_subject_as_username. +#use_identity_as_username false + +# If require_certificate is true, you may set use_subject_as_username to true +# to use the complete subject value from the client certificate as a username. +# If this is true, the password_file option will not be used for this listener. +# See also use_identity_as_username +#use_subject_as_username false + # ----------------------------------------------------------------- # Pre-shared-key based SSL/TLS support # ----------------------------------------------------------------- @@ -347,12 +349,6 @@ # used or create a security plugin to handle them. #psk_hint -# Set use_identity_as_username to have the psk identity sent by the client used -# as its username. Authentication will be carried out using the PSK rather than -# the MQTT username/password and so password_file will not be used for this -# listener. -#use_identity_as_username false - # When using PSK, the encryption ciphers used will be chosen from the list of # available PSK ciphers. If you want to control which ciphers are available, # use the "ciphers" option. The list of available ciphers can be obtained @@ -360,18 +356,25 @@ # as the output of that command. #ciphers +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + # ================================================================= # Extra listeners # ================================================================= -# Listen on a port/ip address combination. By using this variable -# multiple times, mosquitto can listen on more than one port. If -# this variable is used and neither bind_address nor port given, +# Listen on a port/ip address combination. By using this variable +# multiple times, mosquitto can listen on more than one port. If +# this variable is used and neither bind_address nor port given, # then the default listener will not be started. -# The port number to listen on must be given. Optionally, an ip -# address or host name may be supplied as a second argument. In -# this case, mosquitto will attempt to bind the listener to that -# address and so restrict access to the associated network and +# The port number to listen on must be given. Optionally, an ip +# address or host name may be supplied as a second argument. In +# this case, mosquitto will attempt to bind the listener to that +# address and so restrict access to the associated network and # interface. By default, mosquitto will listen on all interfaces. # Note that for a websockets listener it is not possible to bind to a host # name. @@ -389,11 +392,17 @@ # Example: bind_interface eth0 #bind_interface -# The maximum number of client connections to allow. This is +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is # a per listener setting. # Default is -1, which means unlimited connections. -# Note that other process limits mean that unlimited connections -# are not really possible. Typically the default maximum number of +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of # connections possible is around 1024. #max_connections -1 @@ -409,12 +418,6 @@ # cafile, certfile, keyfile and ciphers options are supported. #protocol mqtt -# When a listener is using the websockets protocol, it is possible to serve -# http data as well. Set http_dir to a directory which contains the files you -# wish to serve. If this option is not specified, then no normal http -# connections will be possible. -#http_dir - # Set use_username_as_clientid to true to replace the clientid that a client # connected with with its username. This allows authentication to be tied to # the clientid, which means that it is possible to prevent one client @@ -425,6 +428,13 @@ # See also use_identity_as_username. #use_username_as_clientid +# Change the websockets headers size. This is a global option, it is not +# possible to set per listener. This option sets the size of the buffer used in +# the libwebsockets library when reading HTTP headers. If you are passing large +# header data such as cookies then you may need to increase this value. If left +# unset, or set to 0, then the default of 1024 bytes will be used. +#websockets_headers_size + # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- @@ -454,6 +464,24 @@ # Path to the PEM encoded keyfile. #keyfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. +#ciphers + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + # By default an TLS enabled listener will operate in a similar fashion to a # https enabled web server, in that the server has a certificate signed by a CA # and the client will verify that it is a trusted certificate. The overall aim @@ -468,23 +496,6 @@ # true, the password_file option will not be used for this listener. #use_identity_as_username false -# If you have require_certificate set to true, you can create a certificate -# revocation list file to revoke access to particular client certificates. If -# you have done this, use crlfile to point to the PEM encoded revocation file. -#crlfile - -# If you wish to control which encryption ciphers are used, use the ciphers -# option. The list of available ciphers can be optained using the "openssl -# ciphers" command and should be provided in the same format as the output of -# that command. -#ciphers - -# To allow the use of ephemeral DH key exchange, which provides forward -# security, the listener must load DH parameters. This can be specified with -# the dhparamfile option. The dhparamfile can be generated with the command -# e.g. "openssl dhparam -out dhparam.pem 2048" -#dhparamfile - # ----------------------------------------------------------------- # Pre-shared-key based SSL/TLS support # ----------------------------------------------------------------- @@ -504,12 +515,6 @@ # used or create a security plugin to handle them. #psk_hint -# Set use_identity_as_username to have the psk identity sent by the client used -# as its username. Authentication will be carried out using the PSK rather than -# the MQTT username/password and so password_file will not be used for this -# listener. -#use_identity_as_username false - # When using PSK, the encryption ciphers used will be chosen from the list of # available PSK ciphers. If you want to control which ciphers are available, # use the "ciphers" option. The list of available ciphers can be optained @@ -517,15 +522,22 @@ # as the output of that command. #ciphers +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + # ================================================================= # Persistence # ================================================================= -# If persistence is enabled, save the in-memory database to disk -# every autosave_interval seconds. If set to 0, the persistence +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence # database will only be written when mosquitto exits. See also # autosave_on_changes. -# Note that writing of the persistence database can be forced by +# Note that writing of the persistence database can be forced by # sending mosquitto a SIGUSR1 signal. #autosave_interval 1800 @@ -537,13 +549,13 @@ #autosave_on_changes false # Save persistent message data to disk (true/false). -# This saves information about all messages, including -# subscriptions, currently in-flight messages and retained +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained # messages. # retained_persistence is a synonym for this option. #persistence false -# The filename to use for the persistent database, not including +# The filename to use for the persistent database, not including # the path. #persistence_file mosquitto.db @@ -553,21 +565,22 @@ # similar. #persistence_location + # ================================================================= # Logging # ================================================================= -# Places to log to. Use multiple log_dest lines for multiple +# Places to log to. Use multiple log_dest lines for multiple # logging destinations. # Possible destinations are: stdout stderr syslog topic file # # stdout and stderr log to the console on the named output. # -# syslog uses the userspace syslog facility which usually ends up +# syslog uses the userspace syslog facility which usually ends up # in /var/log/messages or similar. # -# topic logs to the broker topic '$SYS/broker/log/', -# where severity is one of D, E, W, N, I, M which are debug, error, +# topic logs to the broker topic '$SYS/broker/log/', +# where severity is one of D, E, W, N, I, M which are debug, error, # warning, notice, information and message. Message type severity is used by # the subscribe/unsubscribe log_types and publishes log messages to # $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. @@ -582,15 +595,9 @@ # Use "log_dest none" if you wish to disable logging. #log_dest stderr -# If using syslog logging (not on Windows), messages will be logged to the -# "daemon" facility by default. Use the log_facility option to choose which of -# local0 to local7 to log to instead. The option value should be an integer -# value, e.g. "log_facility 5" to use local5. -#log_facility - # Types of messages to log. Use multiple log_type lines for logging # multiple types of messages. -# Possible types are: debug, error, warning, notice, information, +# Possible types are: debug, error, warning, notice, information, # none, subscribe, unsubscribe, websockets, all. # Note that debug type messages are for decoding the incoming/outgoing # network packets. They are not logged in "topics". @@ -599,24 +606,17 @@ #log_type notice #log_type information -# Change the websockets logging level. This is a global option, it is not -# possible to set per listener. This is an integer that is interpreted by -# libwebsockets as a bit mask for its lws_log_levels enum. See the -# libwebsockets documentation for more details. "log_type websockets" must also -# be enabled. -#websockets_log_level 0 - -# Change the websockets headers size. This is a global option, it is not -# possible to set per listener. This option sets the size of the buffer used in -# the libwebsockets library when reading HTTP headers. If you are passing large -# header data such as cookies then you may need to increase this value. If left -# unset, or set to 0, then the default of 1024 bytes will be used. -#websockets_headers_size # If set to true, client connection and disconnection messages will be included # in the log. #connection_messages true +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + # If set to true, add a timestamp value to each log message. #log_timestamp true @@ -627,21 +627,29 @@ # log_timestamp_format %Y-%m-%dT%H:%M:%S #log_timestamp_format +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + # ================================================================= # Security # ================================================================= -# If set, only clients that have a matching prefix on their -# clientid will be allowed to connect to the broker. By default, +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, # all clients may connect. # For example, setting "secure-" here would mean a client "secure- # client" could connect but another with clientid "mqtt" couldn't. #clientid_prefixes -# Boolean value that determines whether clients that connect -# without providing a username are allowed to connect. If set to -# false then a password file should be created (see the -# password_file option) to control authenticated client access. +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. # # Defaults to true if no other security options are set. If `password_file` or # `psk_file` is set, or if an authentication plugin is loaded which implements @@ -660,9 +668,9 @@ # plain text passwords are used, in which case the file should be a text file # with lines in the format: # username:password -# The password (and colon) may be omitted if desired, although this +# The password (and colon) may be omitted if desired, although this # offers very little in the way of security. -# +# # See the TLS client require_certificate and use_identity_as_username options # for alternative authentication options. If an auth_plugin is used as well as # password_file, the auth_plugin check will be made first. @@ -684,14 +692,14 @@ # Topic access is added with lines of the format: # # topic [read|write|readwrite] -# +# # The access type is controlled using "read", "write" or "readwrite". This # parameter is optional (unless contains a space character) - if not # given then the access is read/write. can contain the + or # # wildcards as in subscriptions. -# +# # The first set of topics are applied to anonymous clients, assuming -# allow_anonymous is true. User specific topic ACLs are added after a +# allow_anonymous is true. User specific topic ACLs are added after a # user line as follows: # # user @@ -733,7 +741,7 @@ # External authentication and access control can be supported with the # auth_plugin option. This is a path to a loadable plugin. See also the -# auth_opt_* options described below. +# auth_opt_* options described below. # # The auth_plugin option can be specified multiple times to load multiple # plugins. The plugins will be processed in the order that they are specified @@ -747,7 +755,7 @@ # using the format auth_opt_* will be passed to the plugin, for example: # # auth_opt_db_host -# auth_opt_db_port +# auth_opt_db_port # auth_opt_db_username # auth_opt_db_password @@ -768,19 +776,19 @@ # multiple addresses are used. Note that if you use an IPv6 address, then you # are required to specify a port. # -# The direction that the topic will be shared can be chosen by -# specifying out, in or both, where the default value is out. +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. # The QoS level of the bridged communication can be specified with the next # topic option. The default QoS level is 0, to change the QoS the topic # direction must also be given. # # The local and remote prefix options allow a topic to be remapped when it is # bridged to/from the remote broker. This provides the ability to place a topic -# tree in an appropriate location. +# tree in an appropriate location. # # For more details see the mosquitto.conf man page. # -# Multiple topics can be specified per connection, but be careful +# Multiple topics can be specified per connection, but be careful # not to create any loops. # # If you are using bridges with cleansession set to false (the default), then @@ -793,9 +801,6 @@ #address [:] [[:]] #topic [[[out | in | both] qos-level] local-prefix remote-prefix] -# Set the version of the MQTT protocol to use with for this bridge. Can be one -# of mqttv311 or mqttv11. Defaults to mqttv311. -#bridge_protocol_version mqttv311 # If a bridge has topics that have "out" direction, the default behaviour is to # send an unsubscribe request to the remote broker on that topic. This means @@ -805,6 +810,82 @@ # the unsubscribe request. #bridge_attempt_unsubscribe true +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv311 or mqttv11. Defaults to mqttv311. +#bridge_protocol_version mqttv311 + +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 + +# Set the clientid to use on the local broker. If not defined, this defaults to +# 'local.'. If you are bridging a broker to itself, it is important +# that local_clientid and clientid do not match. +#local_clientid + +# If set to true, publish notification messages to the local and remote brokers +# giving information about the state of the bridge connection. Retained +# messages are published to the topic $SYS/broker/connection//state +# unless the notification_topic option is used. +# If the message is 1 then the connection is active, or 0 if the connection has +# failed. +# This uses the last will and testament feature. +#notifications true + +# Choose the topic on which notification messages for this bridge are +# published. If not set, messages are published on the topic +# $SYS/broker/connection//state +#notification_topic + +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. +#remote_clientid + +# Set the password to use when connecting to a broker that requires +# authentication. This option is only used if remote_username is also set. +# This replaces the old "password" option to avoid confusion. "password" +# remains valid for the time being. +#remote_password + +# Set the username to use when connecting to a broker that requires +# authentication. +# This replaces the old "username" option to avoid confusion. "username" +# remains valid for the time being. +#remote_username + +# Set the amount of time a bridge using the automatic start type will wait +# until attempting to reconnect. +# This option can be configured to use a constant delay time in seconds, or to +# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree +# of randomness to when the restart occurs. +# +# Set a constant timeout of 20 seconds: +# restart_timeout 20 +# +# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of +# 60 seconds: +# restart_timeout 10 30 +# +# Defaults to jitter with a base of 5 and cap of 30 +#restart_timeout 5 30 + # If the bridge has more than one address given in the address/addresses # configuration, the round_robin option defines the behaviour of the bridge on # a failure of the bridge connection. If round_robin is false, the default @@ -817,45 +898,6 @@ # remain connected until it fails #round_robin false -# Set the client id to use on the remote end of this bridge connection. If not -# defined, this defaults to 'name.hostname' where name is the connection name -# and hostname is the hostname of this computer. -# This replaces the old "clientid" option to avoid confusion. "clientid" -# remains valid for the time being. -#remote_clientid - -# Set the clientid to use on the local broker. If not defined, this defaults to -# 'local.'. If you are bridging a broker to itself, it is important -# that local_clientid and clientid do not match. -#local_clientid - -# Set the clean session variable for this bridge. -# When set to true, when the bridge disconnects for any reason, all -# messages and subscriptions will be cleaned up on the remote -# broker. Note that with cleansession set to true, there may be a -# significant amount of retained messages sent when the bridge -# reconnects after losing its connection. -# When set to false, the subscriptions and messages are kept on the -# remote broker, and delivered when the bridge reconnects. -#cleansession false - -# If set to true, publish notification messages to the local and remote brokers -# giving information about the state of the bridge connection. Retained -# messages are published to the topic $SYS/broker/connection//state -# unless the notification_topic option is used. -# If the message is 1 then the connection is active, or 0 if the connection has -# failed. -#notifications true - -# Choose the topic on which notification messages for this bridge are -# published. If not set, messages are published on the topic -# $SYS/broker/connection//state -#notification_topic - -# Set the keepalive interval for this bridge connection, in -# seconds. -#keepalive_interval 60 - # Set the start type of the bridge. This controls how the bridge starts and # can be one of three types: automatic, lazy and once. Note that RSMB provides # a fourth start type "manual" which isn't currently supported by mosquitto. @@ -874,26 +916,6 @@ # broker starts but will not be restarted if the connection fails. #start_type automatic -# Set the amount of time a bridge using the automatic start type will wait -# until attempting to reconnect. -# This option can be configured to use a constant delay time in seconds, or to -# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree -# of randomness to when the restart occurs. -# -# Set a constant timeout of 20 seconds: -# restart_timeout 20 -# -# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of -# 60 seconds: -# restart_timeout 10 30 -# -# Defaults to jitter with a base of 5 and cap of 30 -#restart_timeout 5 30 - -# Set the amount of time a bridge using the lazy start type must be idle before -# it will be stopped. Defaults to 60 seconds. -#idle_timeout 60 - # Set the number of messages that need to be queued for a bridge with lazy # start type to be restarted. Defaults to 10 messages. # Must be less than max_queued_messages. @@ -907,18 +929,6 @@ # properly. #try_private true -# Set the username to use when connecting to a broker that requires -# authentication. -# This replaces the old "username" option to avoid confusion. "username" -# remains valid for the time being. -#remote_username - -# Set the password to use when connecting to a broker that requires -# authentication. This option is only used if remote_username is also set. -# This replaces the old "password" option to avoid confusion. "password" -# remains valid for the time being. -#remote_password - # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- @@ -934,11 +944,11 @@ #bridge_cafile #bridge_capath -# Path to the PEM encoded client certificate, if required by the remote broker. -#bridge_certfile -# Path to the PEM encoded client private key, if required by the remote broker. -#bridge_keyfile +# If the remote broker has more than one protocol available on its port, e.g. +# MQTT and WebSockets, then use bridge_alpn to configure which protocol is +# requested. Note that WebSockets support for bridges is not yet available. +#bridge_alpn # When using certificate based encryption, bridge_insecure disables # verification of the server hostname in the server certificate. This can be @@ -949,10 +959,11 @@ # point using encryption. #bridge_insecure false -# If the remote broker has more than one protocol available on its port, e.g. -# MQTT and WebSockets, then use bridge_alpn to configure which protocol is -# requested. Note that WebSockets support for bridges is not yet available. -#bridge_alpn +# Path to the PEM encoded client certificate, if required by the remote broker. +#bridge_certfile + +# Path to the PEM encoded client private key, if required by the remote broker. +#bridge_keyfile # ----------------------------------------------------------------- # PSK based SSL/TLS support @@ -971,24 +982,15 @@ # External config files # ================================================================= -# External configuration files may be included by using the +# External configuration files may be included by using the # include_dir option. This defines a directory that will be searched # for config files. All files that end in '.conf' will be loaded as # a configuration file. It is best to have this as the last option # in the main file. This option will only be processed from the main -# configuration file. The directory specified must not contain the +# configuration file. The directory specified must not contain the # main configuration file. # Files within include_dir will be loaded sorted in case-sensitive # alphabetical order, with capital letters ordered first. If this option is # given multiple times, all of the files from the first instance will be # processed before the next instance. See the man page for examples. #include_dir - -# ================================================================= -# rsmb options - unlikely to ever be supported -# ================================================================= - -#ffdc_output -#max_log_entries -#trace_level -#trace_output