# Config file for mosquitto## See mosquitto.conf(5) for more information.#

1. # Config file for mosquitto
2. #
3. # See mosquitto.conf(5) for more information.
4. #
5. # Default values are shown, uncomment to change.
6. #
7. # Use the # character to indicate a comment, but only if it is the
8. # very first character on the line.
9.  
10. # =================================================================
11. # General configuration
12. # =================================================================
13.  
14. # Time in seconds between updates of the $SYS tree.
15. # Set to 0 to disable the publishing of the $SYS tree.
16. #sys_interval 10
17.  
18. # Time in seconds between cleaning the internal message store of
19. # unreferenced messages. Lower values will result in lower memory
20. # usage but more processor time, higher values will have the
21. # opposite effect.
22. # Setting a value of 0 means the unreferenced messages will be
23. # disposed of as quickly as possible.
24. #store_clean_interval 10
25.  
26. # Write process id to a file. Default is a blank string which means
27. # a pid file shouldn't be written.
28. # This should be set to /var/run/mosquitto.pid if mosquitto is
29. # being run automatically on boot with an init script and
30. # start-stop-daemon or similar.
31. #pid_file
32.  
33. # When run as root, drop privileges to this user and its primary
34. # group.
35. # Set to root to stay as root, but this is not recommended.
36. # If run as a non-root user, this setting has no effect.
37. # Note that on Windows this has no effect and so mosquitto should
38. # be started by the user you wish it to run as.
39. #user mosquitto
40.  
41. # The maximum number of QoS 1 and 2 messages currently inflight per
42. # client.
43. # This includes messages that are partway through handshakes and
44. # those that are being retried. Defaults to 20. Set to 0 for no
45. # maximum. Setting to 1 will guarantee in-order delivery of QoS 1
46. # and 2 messages.
47. #max_inflight_messages 20
48.  
49. # QoS 1 and 2 messages will be allowed inflight per client until this limit
50. # is exceeded. Defaults to 0. (No maximum)
51. # See also max_inflight_messages
52. #max_inflight_bytes 0
53.  
54. # The maximum number of QoS 1 and 2 messages to hold in a queue per client
55. # above those that are currently in-flight. Defaults to 100. Set
56. # to 0 for no maximum (not recommended).
57. # See also queue_qos0_messages.
58. # See also max_queued_bytes.
59. #max_queued_messages 100
60.  
61. # QoS 1 and 2 messages above those currently in-flight will be queued per
62. # client until this limit is exceeded. Defaults to 0. (No maximum)
63. # See also max_queued_messages.
64. # If both max_queued_messages and max_queued_bytes are specified, packets will
65. # be queued until the first limit is reached.
66. #max_queued_bytes 0
67.  
68. # Set to true to queue messages with QoS 0 when a persistent client is
69. # disconnected. These messages are included in the limit imposed by
70. # max_queued_messages and max_queued_bytes
71. # Defaults to false.
72. # This is a non-standard option for the MQTT v3.1 spec but is allowed in
73. # v3.1.1.
74. #queue_qos0_messages false
75.  
76. # This option sets the maximum publish payload size that the broker will allow.
77. # Received messages that exceed this size will not be accepted by the broker.
78. # The default value is 0, which means that all valid MQTT messages are
79. # accepted. MQTT imposes a maximum payload size of 268435455 bytes.
80. #message_size_limit 0
81.  
82. # This option controls whether a client is allowed to connect with a zero
83. # length client id or not. This option only affects clients using MQTT v3.1.1
84. # and later. If set to false, clients connecting with a zero length client id
85. # are disconnected. If set to true, clients will be allocated a client id by
86. # the broker. This means it is only useful for clients with clean session set
87. # to true.
88. #allow_zero_length_clientid true
89.  
90. # If allow_zero_length_clientid is true, this option allows you to set a prefix
91. # to automatically generated client ids to aid visibility in logs.
92. #auto_id_prefix
93.  
94. # This option allows persistent clients (those with clean session set to false)
95. # to be removed if they do not reconnect within a certain time frame.
96. #
97. # This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1.
98. #
99. # Badly designed clients may set clean session to false whilst using a randomly
100. # generated client id. This leads to persistent clients that will never
101. # reconnect. This option allows these clients to be removed.
102. #
103. # The expiration period should be an integer followed by one of h d w m y for
104. # hour, day, week, month and year respectively. For example
105. #
106. # persistent_client_expiration 2m
107. # persistent_client_expiration 14d
108. # persistent_client_expiration 1y
109. #
110. # The default if not set is to never expire persistent clients.
111. #persistent_client_expiration
112.  
113. # If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
114. # and foo/+/baz , then MQTT expects that when the broker receives a message on
115. # a topic that matches both subscriptions, such as foo/bar/baz, then the client
116. # should only receive the message once.
117. # Mosquitto keeps track of which clients a message has been sent to in order to
118. # meet this requirement. The allow_duplicate_messages option allows this
119. # behaviour to be disabled, which may be useful if you have a large number of
120. # clients subscribed to the same set of topics and are very concerned about
121. # minimising memory usage.
122. # It can be safely set to true if you know in advance that your clients will
123. # never have overlapping subscriptions, otherwise your clients must be able to
124. # correctly deal with duplicate messages even when then have QoS=2.
125. #allow_duplicate_messages false
126.  
127. # The MQTT specification requires that the QoS of a message delivered to a
128. # subscriber is never upgraded to match the QoS of the subscription. Enabling
129. # this option changes this behaviour. If upgrade_outgoing_qos is set true,
130. # messages sent to a subscriber will always match the QoS of its subscription.
131. # This is a non-standard option explicitly disallowed by the spec.
132. #upgrade_outgoing_qos false
133.  
134. # Disable Nagle's algorithm on client sockets. This has the effect of reducing
135. # latency of individual messages at the potential cost of increasing the number
136. # of packets being sent.
137. #set_tcp_nodelay false
138.  
139. # Use per listener security settings.
140. # If this option is set to true, then all authentication and access control
141. # options are controlled on a per listener basis. The following options are
142. # affected:
143. #
144. # password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
145. # auto_id_prefix allow_zero_length_clientid
146. #
147. # The default behaviour is for this to be set to false, which maintains the
148. # setting behaviour from previous versions of mosquitto.
149. per_listener_settings true
150.  
151.  
152. # =================================================================
153. # Default listener
154. # =================================================================
155.  
156. # IP address/hostname to bind the default listener to. If not
157. # given, the default listener will not be bound to a specific
158. # address and so will be accessible to all network interfaces.
159. # bind_address ip-address/host name
160. #bind_address
161.  
162. # Port to use for the default listener.
163. port 1883
164.  
165. # The maximum number of client connections to allow. This is
166. # a per listener setting.
167. # Default is -1, which means unlimited connections.
168. # Note that other process limits mean that unlimited connections
169. # are not really possible. Typically the default maximum number of
170. # connections possible is around 1024.
171. #max_connections -1
172.  
173. # Choose the protocol to use when listening.
174. # This can be either mqtt or websockets.
175. # Websockets support is currently disabled by default at compile time.
176. # Certificate based TLS may be used with websockets, except that
177. # only the cafile, certfile, keyfile and ciphers options are supported.
178. protocol mqtt
179.  
180. # When a listener is using the websockets protocol, it is possible to serve
181. # http data as well. Set http_dir to a directory which contains the files you
182. # wish to serve. If this option is not specified, then no normal http
183. # connections will be possible.
184. #http_dir
185.  
186. # Set use_username_as_clientid to true to replace the clientid that a client
187. # connected with with its username. This allows authentication to be tied to
188. # the clientid, which means that it is possible to prevent one client
189. # disconnecting another by using the same clientid.
190. # If a client connects with no username it will be disconnected as not
191. # authorised when this option is set to true.
192. # Do not use in conjunction with clientid_prefixes.
193. # See also use_identity_as_username.
194. #use_username_as_clientid
195.  
196. # -----------------------------------------------------------------
197. # Certificate based SSL/TLS support
198. # -----------------------------------------------------------------
199. # The following options can be used to enable SSL/TLS support for
200. # this listener. Note that the recommended port for MQTT over TLS
201. # is 8883, but this must be set manually.
202. #
203. # See also the mosquitto-tls man page.
204.  
205. # At least one of cafile or capath must be defined. They both
206. # define methods of accessing the PEM encoded Certificate
207. # Authority certificates that have signed your server certificate
208. # and that you wish to trust.
209. # cafile defines the path to a file containing the CA certificates.
210. # capath defines a directory that will be searched for files
211. # containing the CA certificates. For capath to work correctly, the
212. # certificate files must have ".crt" as the file ending and you must run
213. # "openssl rehash <path to capath>" each time you add/remove a certificate.
214. #cafile
215. #capath
216.  
217. # Path to the PEM encoded server certificate.
218. #certfile
219.  
220. # Path to the PEM encoded keyfile.
221. #keyfile
222. cafile /mosquitto/config/ca.crt
223. #capath
224.  
225. # Path to the PEM encoded server certificate.
226. certfile /mosquitto/config/server.crt
227.  
228. # Path to the PEM encoded keyfile.
229. keyfile /mosquitto/config/server.key
230.  
231. # This option defines the version of the TLS protocol to use for this listener.
232. # The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
233. # tlsv1.1 and tlsv1.
234. #tls_version
235.  
236. # By default a TLS enabled listener will operate in a similar fashion to a
237. # https enabled web server, in that the server has a certificate signed by a CA
238. # and the client will verify that it is a trusted certificate. The overall aim
239. # is encryption of the network traffic. By setting require_certificate to true,
240. # the client must provide a valid certificate in order for the network
241. # connection to proceed. This allows access to the broker to be controlled
242. # outside of the mechanisms provided by MQTT.
243. require_certificate false
244.  
245. # If require_certificate is true, you may set use_identity_as_username to true
246. # to use the CN value from the client certificate as a username. If this is
247. # true, the password_file option will not be used for this listener.
248. # This takes priority over use_subject_as_username.
249. # See also use_subject_as_username.
250. use_identity_as_username false
251.  
252. # If require_certificate is true, you may set use_subject_as_username to true
253. # to use the complete subject value from the client certificate as a username.
254. # If this is true, the password_file option will not be used for this listener.
255. # See also use_identity_as_username
256. #use_subject_as_username false
257.  
258. # If you have require_certificate set to true, you can create a certificate
259. # revocation list file to revoke access to particular client certificates. If
260. # you have done this, use crlfile to point to the PEM encoded revocation file.
261. #crlfile
262.  
263. # If you wish to control which encryption ciphers are used, use the ciphers
264. # option. The list of available ciphers can be obtained using the "openssl
265. # ciphers" command and should be provided in the same format as the output of
266. # that command.
267. # If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
268. #ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
269.  
270. # -----------------------------------------------------------------
271. # Pre-shared-key based SSL/TLS support
272. # -----------------------------------------------------------------
273. # The following options can be used to enable PSK based SSL/TLS support for
274. # this listener. Note that the recommended port for MQTT over TLS is 8883, but
275. # this must be set manually.
276. #
277. # See also the mosquitto-tls man page and the "Certificate based SSL/TLS
278. # support" section. Only one of certificate or PSK encryption support can be
279. # enabled for any listener.
280.  
281. # The psk_hint option enables pre-shared-key support for this listener and also
282. # acts as an identifier for this listener. The hint is sent to clients and may
283. # be used locally to aid authentication. The hint is a free form string that
284. # doesn't have much meaning in itself, so feel free to be creative.
285. # If this option is provided, see psk_file to define the pre-shared keys to be
286. # used or create a security plugin to handle them.
287. #psk_hint
288.  
289. # Set use_identity_as_username to have the psk identity sent by the client used
290. # as its username. Authentication will be carried out using the PSK rather than
291. # the MQTT username/password and so password_file will not be used for this
292. # listener.
293. #use_identity_as_username false
294.  
295. # When using PSK, the encryption ciphers used will be chosen from the list of
296. # available PSK ciphers. If you want to control which ciphers are available,
297. # use the "ciphers" option. The list of available ciphers can be obtained
298. # using the "openssl ciphers" command and should be provided in the same format
299. # as the output of that command.
300. #ciphers
301.  
302. # =================================================================
303. # Security
304. # =================================================================
305.  
306. # If set, only clients that have a matching prefix on their
307. # clientid will be allowed to connect to the broker. By default,
308. # all clients may connect.
309. # For example, setting "secure-" here would mean a client "secure-
310. # client" could connect but another with clientid "mqtt" couldn't.
311. #clientid_prefixes
312.  
313. # Boolean value that determines whether clients that connect
314. # without providing a username are allowed to connect. If set to
315. # false then a password file should be created (see the
316. # password_file option) to control authenticated client access.
317. #
318. # Defaults to true if no other security options are set. If any other
319. # authentication options are set, then allow_anonymous defaults to false.
320. #
321. allow_anonymous false
322.  
323. # -----------------------------------------------------------------
324. # Default authentication and topic access control
325. # -----------------------------------------------------------------
326.  
327. # Control access to the broker using a password file. This file can be
328. # generated using the mosquitto_passwd utility. If TLS support is not compiled
329. # into mosquitto (it is recommended that TLS support should be included) then
330. # plain text passwords are used, in which case the file should be a text file
331. # with lines in the format:
332. # username:password
333. # The password (and colon) may be omitted if desired, although this
334. # offers very little in the way of security.
335. #
336. # See the TLS client require_certificate and use_identity_as_username options
337. # for alternative authentication options. If an auth_plugin is used as well as
338. # password_file, the auth_plugin check will be made first.
339. password_file /mosquitto/config/passwd
340.  
341. # Port to use for the default listener.
342. listener 8883
343.  
344. # The maximum number of client connections to allow. This is
345. # a per listener setting.
346. # Default is -1, which means unlimited connections.
347. # Note that other process limits mean that unlimited connections
348. # are not really possible. Typically the default maximum number of
349. # connections possible is around 1024.
350. #max_connections -1
351.  
352. # Choose the protocol to use when listening.
353. # This can be either mqtt or websockets.
354. # Websockets support is currently disabled by default at compile time.
355. # Certificate based TLS may be used with websockets, except that
356. # only the cafile, certfile, keyfile and ciphers options are supported.
357. protocol mqtt
358.  
359. # When a listener is using the websockets protocol, it is possible to serve
360. # http data as well. Set http_dir to a directory which contains the files you
361. # wish to serve. If this option is not specified, then no normal http
362. # connections will be possible.
363. #http_dir
364.  
365. # Set use_username_as_clientid to true to replace the clientid that a client
366. # connected with with its username. This allows authentication to be tied to
367. # the clientid, which means that it is possible to prevent one client
368. # disconnecting another by using the same clientid.
369. # If a client connects with no username it will be disconnected as not
370. # authorised when this option is set to true.
371. # Do not use in conjunction with clientid_prefixes.
372. # See also use_identity_as_username.
373. #use_username_as_clientid
374.  
375. # -----------------------------------------------------------------
376. # Certificate based SSL/TLS support
377. # -----------------------------------------------------------------
378. # The following options can be used to enable SSL/TLS support for
379. # this listener. Note that the recommended port for MQTT over TLS
380. # is 8883, but this must be set manually.
381. #
382. # See also the mosquitto-tls man page.
383.  
384. # At least one of cafile or capath must be defined. They both
385. # define methods of accessing the PEM encoded Certificate
386. # Authority certificates that have signed your server certificate
387. # and that you wish to trust.
388. # cafile defines the path to a file containing the CA certificates.
389. # capath defines a directory that will be searched for files
390. # containing the CA certificates. For capath to work correctly, the
391. # certificate files must have ".crt" as the file ending and you must run
392. # "openssl rehash <path to capath>" each time you add/remove a certificate.
393. #cafile
394. #capath
395.  
396. # Path to the PEM encoded server certificate.
397. #certfile
398.  
399. # Path to the PEM encoded keyfile.
400. #keyfile
401. #cafile /mosquitto/config/ca.crt
402. #capath
403.  
404. # Path to the PEM encoded server certificate.
405. #certfile /mosquitto/config/server.crt
406.  
407. # Path to the PEM encoded keyfile.
408. #keyfile /mosquitto/config/server.key
409.  
410. # This option defines the version of the TLS protocol to use for this listener.
411. # The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
412. # tlsv1.1 and tlsv1.
413. #tls_version
414.  
415. # By default a TLS enabled listener will operate in a similar fashion to a
416. # https enabled web server, in that the server has a certificate signed by a CA
417. # and the client will verify that it is a trusted certificate. The overall aim
418. # is encryption of the network traffic. By setting require_certificate to true,
419. # the client must provide a valid certificate in order for the network
420. # connection to proceed. This allows access to the broker to be controlled
421. # outside of the mechanisms provided by MQTT.
422. require_certificate false
423.  
424. # If require_certificate is true, you may set use_identity_as_username to true
425. # to use the CN value from the client certificate as a username. If this is
426. # true, the password_file option will not be used for this listener.
427. # This takes priority over use_subject_as_username.
428. # See also use_subject_as_username.
429. use_identity_as_username false
430.  
431. # If require_certificate is true, you may set use_subject_as_username to true
432. # to use the complete subject value from the client certificate as a username.
433. # If this is true, the password_file option will not be used for this listener.
434. # See also use_identity_as_username
435. #use_subject_as_username false
436.  
437. # If you have require_certificate set to true, you can create a certificate
438. # revocation list file to revoke access to particular client certificates. If
439. # you have done this, use crlfile to point to the PEM encoded revocation file.
440. #crlfile
441.  
442. # If you wish to control which encryption ciphers are used, use the ciphers
443. # option. The list of available ciphers can be obtained using the "openssl
444. # ciphers" command and should be provided in the same format as the output of
445. # that command.
446. # If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
447. #ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
448.  
449. # -----------------------------------------------------------------
450. # Pre-shared-key based SSL/TLS support
451. # -----------------------------------------------------------------
452. # The following options can be used to enable PSK based SSL/TLS support for
453. # this listener. Note that the recommended port for MQTT over TLS is 8883, but
454. # this must be set manually.
455. #
456. # See also the mosquitto-tls man page and the "Certificate based SSL/TLS
457. # support" section. Only one of certificate or PSK encryption support can be
458. # enabled for any listener.
459.  
460. # The psk_hint option enables pre-shared-key support for this listener and also
461. # acts as an identifier for this listener. The hint is sent to clients and may
462. # be used locally to aid authentication. The hint is a free form string that
463. # doesn't have much meaning in itself, so feel free to be creative.
464. # If this option is provided, see psk_file to define the pre-shared keys to be
465. # used or create a security plugin to handle them.
466. #psk_hint
467.  
468. # Set use_identity_as_username to have the psk identity sent by the client used
469. # as its username. Authentication will be carried out using the PSK rather than
470. # the MQTT username/password and so password_file will not be used for this
471. # listener.
472. #use_identity_as_username false
473.  
474. # When using PSK, the encryption ciphers used will be chosen from the list of
475. # available PSK ciphers. If you want to control which ciphers are available,
476. # use the "ciphers" option. The list of available ciphers can be obtained
477. # using the "openssl ciphers" command and should be provided in the same format
478. # as the output of that command.
479. #ciphers
480.  
481. # =================================================================
482. # Security
483. # =================================================================
484.  
485. # If set, only clients that have a matching prefix on their
486. # clientid will be allowed to connect to the broker. By default,
487. # all clients may connect.
488. # For example, setting "secure-" here would mean a client "secure-
489. # client" could connect but another with clientid "mqtt" couldn't.
490. #clientid_prefixes
491.  
492. # Boolean value that determines whether clients that connect
493. # without providing a username are allowed to connect. If set to
494. # false then a password file should be created (see the
495. # password_file option) to control authenticated client access.
496. #
497. # Defaults to true if no other security options are set. If any other
498. # authentication options are set, then allow_anonymous defaults to false.
499. #
500. allow_anonymous false
501.  
502. # -----------------------------------------------------------------
503. # Default authentication and topic access control
504. # -----------------------------------------------------------------
505.  
506. # Control access to the broker using a password file. This file can be
507. # generated using the mosquitto_passwd utility. If TLS support is not compiled
508. # into mosquitto (it is recommended that TLS support should be included) then
509. # plain text passwords are used, in which case the file should be a text file
510. # with lines in the format:
511. # username:password
512. # The password (and colon) may be omitted if desired, although this
513. # offers very little in the way of security.
514. #
515. # See the TLS client require_certificate and use_identity_as_username options
516. # for alternative authentication options. If an auth_plugin is used as well as
517. # password_file, the auth_plugin check will be made first.
518. password_file /mosquitto/config/passwd
519.  
520. # =================================================================
521. # Extra listeners
522. # =================================================================
523.  
524. # Listen on a port/ip address combination. By using this variable
525. # multiple times, mosquitto can listen on more than one port. If
526. # this variable is used and neither bind_address nor port given,
527. # then the default listener will not be started.
528. # The port number to listen on must be given. Optionally, an ip
529. # address or host name may be supplied as a second argument. In
530. # this case, mosquitto will attempt to bind the listener to that
531. # address and so restrict access to the associated network and
532. # interface. By default, mosquitto will listen on all interfaces.
533. # Note that for a websockets listener it is not possible to bind to a host
534. # name.
535. # listener port-number [ip address/host name]
536. listener 9001
537.  
538. # The maximum number of client connections to allow. This is
539. # a per listener setting.
540. # Default is -1, which means unlimited connections.
541. # Note that other process limits mean that unlimited connections
542. # are not really possible. Typically the default maximum number of
543. # connections possible is around 1024.
544. #max_connections -1
545.  
546. # The listener can be restricted to operating within a topic hierarchy using
547. # the mount_point option. This is achieved be prefixing the mount_point string
548. # to all topics for any clients connected to this listener. This prefixing only
549. # happens internally to the broker; the client will not see the prefix.
550. #mount_point
551.  
552. # Choose the protocol to use when listening.
553. # This can be either mqtt or websockets.
554. # Certificate based TLS may be used with websockets, except that only the
555. # cafile, certfile, keyfile and ciphers options are supported.
556. protocol websockets
557.  
558. # When a listener is using the websockets protocol, it is possible to serve
559. # http data as well. Set http_dir to a directory which contains the files you
560. # wish to serve. If this option is not specified, then no normal http
561. # connections will be possible.
562. #http_dir
563.  
564. # Set use_username_as_clientid to true to replace the clientid that a client
565. # connected with with its username. This allows authentication to be tied to
566. # the clientid, which means that it is possible to prevent one client
567. # disconnecting another by using the same clientid.
568. # If a client connects with no username it will be disconnected as not
569. # authorised when this option is set to true.
570. # Do not use in conjunction with clientid_prefixes.
571. # See also use_identity_as_username.
572. #use_username_as_clientid
573.  
574. # -----------------------------------------------------------------
575. # Certificate based SSL/TLS support
576. # -----------------------------------------------------------------
577. # The following options can be used to enable certificate based SSL/TLS support
578. # for this listener. Note that the recommended port for MQTT over TLS is 8883,
579. # but this must be set manually.
580. #
581. # See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
582. # support" section. Only one of certificate or PSK encryption support can be
583. # enabled for any listener.
584.  
585. # At least one of cafile or capath must be defined to enable certificate based
586. # TLS encryption. They both define methods of accessing the PEM encoded
587. # Certificate Authority certificates that have signed your server certificate
588. # and that you wish to trust.
589. # cafile defines the path to a file containing the CA certificates.
590. # capath defines a directory that will be searched for files
591. # containing the CA certificates. For capath to work correctly, the
592. # certificate files must have ".crt" as the file ending and you must run
593. # "openssl rehash <path to capath>" each time you add/remove a certificate.
594. #cafile /mosquitto/config/ca.crt
595. #capath
596.  
597. # Path to the PEM encoded server certificate.
598. #certfile /mosquitto/config/server.crt
599.  
600. # Path to the PEM encoded keyfile.
601. #keyfile /mosquitto/config/server.key
602.  
603. # By default an TLS enabled listener will operate in a similar fashion to a
604. # https enabled web server, in that the server has a certificate signed by a CA
605. # and the client will verify that it is a trusted certificate. The overall aim
606. # is encryption of the network traffic. By setting require_certificate to true,
607. # the client must provide a valid certificate in order for the network
608. # connection to proceed. This allows access to the broker to be controlled
609. # outside of the mechanisms provided by MQTT.
610. require_certificate false
611.  
612. # If require_certificate is true, you may set use_identity_as_username to true
613. # to use the CN value from the client certificate as a username. If this is
614. # true, the password_file option will not be used for this listener.
615. use_identity_as_username false
616.  
617. # If you have require_certificate set to true, you can create a certificate
618. # revocation list file to revoke access to particular client certificates. If
619. # you have done this, use crlfile to point to the PEM encoded revocation file.
620. #crlfile
621.  
622. # If you wish to control which encryption ciphers are used, use the ciphers
623. # option. The list of available ciphers can be optained using the "openssl
624. # ciphers" command and should be provided in the same format as the output of
625. # that command.
626. #ciphers
627.  
628. # -----------------------------------------------------------------
629. # Pre-shared-key based SSL/TLS support
630. # -----------------------------------------------------------------
631. # The following options can be used to enable PSK based SSL/TLS support for
632. # this listener. Note that the recommended port for MQTT over TLS is 8883, but
633. # this must be set manually.
634. #
635. # See also the mosquitto-tls man page and the "Certificate based SSL/TLS
636. # support" section. Only one of certificate or PSK encryption support can be
637. # enabled for any listener.
638.  
639. # The psk_hint option enables pre-shared-key support for this listener and also
640. # acts as an identifier for this listener. The hint is sent to clients and may
641. # be used locally to aid authentication. The hint is a free form string that
642. # doesn't have much meaning in itself, so feel free to be creative.
643. # If this option is provided, see psk_file to define the pre-shared keys to be
644. # used or create a security plugin to handle them.
645. #psk_hint
646.  
647. # Set use_identity_as_username to have the psk identity sent by the client used
648. # as its username. Authentication will be carried out using the PSK rather than
649. # the MQTT username/password and so password_file will not be used for this
650. # listener.
651. #use_identity_as_username false
652.  
653. # When using PSK, the encryption ciphers used will be chosen from the list of
654. # available PSK ciphers. If you want to control which ciphers are available,
655. # use the "ciphers" option. The list of available ciphers can be optained
656. # using the "openssl ciphers" command and should be provided in the same format
657. # as the output of that command.
658. #ciphers
659.  
660. # =================================================================
661. # Persistence
662. # =================================================================
663.  
664. # If persistence is enabled, save the in-memory database to disk
665. # every autosave_interval seconds. If set to 0, the persistence
666. # database will only be written when mosquitto exits. See also
667. # autosave_on_changes.
668. # Note that writing of the persistence database can be forced by
669. # sending mosquitto a SIGUSR1 signal.
670. #autosave_interval 1800
671.  
672. # If true, mosquitto will count the number of subscription changes, retained
673. # messages received and queued messages and if the total exceeds
674. # autosave_interval then the in-memory database will be saved to disk.
675. # If false, mosquitto will save the in-memory database to disk by treating
676. # autosave_interval as a time in seconds.
677. #autosave_on_changes false
678.  
679. # Save persistent message data to disk (true/false).
680. # This saves information about all messages, including
681. # subscriptions, currently in-flight messages and retained
682. # messages.
683. # retained_persistence is a synonym for this option.
684. persistence true
685.  
686. # The filename to use for the persistent database, not including
687. # the path.
688. #persistence_file mosquitto.db
689.  
690. # Location for persistent database. Must include trailing /
691. # Default is an empty string (current directory).
692. # Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or
693. # similar.
694. persistence_location /mosquitto/data/
695.  
696. # =================================================================
697. # Logging
698. # =================================================================
699.  
700. # Places to log to. Use multiple log_dest lines for multiple
701. # logging destinations.
702. # Possible destinations are: stdout stderr syslog topic file
703. #
704. # stdout and stderr log to the console on the named output.
705. #
706. # syslog uses the userspace syslog facility which usually ends up
707. # in /var/log/messages or similar.
708. #
709. # topic logs to the broker topic '$SYS/broker/log/<severity>',
710. # where severity is one of D, E, W, N, I, M which are debug, error,
711. # warning, notice, information and message. Message type severity is used by
712. # the subscribe/unsubscribe log_types and publishes log messages to
713. # $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
714. #
715. # The file destination requires an additional parameter which is the file to be
716. # logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
717. # closed and reopened when the broker receives a HUP signal. Only a single file
718. # destination may be configured.
719. #
720. # Note that if the broker is running as a Windows service it will default to
721. # "log_dest none" and neither stdout nor stderr logging is available.
722. # Use "log_dest none" if you wish to disable logging.
723. log_dest file /mosquitto/log/mosquitto.log
724.  
725. # If using syslog logging (not on Windows), messages will be logged to the
726. # "daemon" facility by default. Use the log_facility option to choose which of
727. # local0 to local7 to log to instead. The option value should be an integer
728. # value, e.g. "log_facility 5" to use local5.
729. #log_facility
730.  
731. # Types of messages to log. Use multiple log_type lines for logging
732. # multiple types of messages.
733. # Possible types are: debug, error, warning, notice, information,
734. # none, subscribe, unsubscribe, websockets, all.
735. # Note that debug type messages are for decoding the incoming/outgoing
736. # network packets. They are not logged in "topics".
737. log_type debug
738. log_type error
739. log_type warning
740. log_type notice
741. log_type information
742. log_type websockets
743.  
744. # Change the websockets logging level. This is a global option, it is not
745. # possible to set per listener. This is an integer that is interpreted by
746. # libwebsockets as a bit mask for its lws_log_levels enum. See the
747. # libwebsockets documentation for more details. "log_type websockets" must also
748. # be enabled.
749. websockets_log_level 4095
750.  
751. # If set to true, client connection and disconnection messages will be included
752. # in the log.
753. #connection_messages true
754.  
755. # If set to true, add a timestamp value to each log message.
756. #log_timestamp true
757.  
758. # =================================================================
759. # Security
760. # =================================================================
761.  
762. # If set, only clients that have a matching prefix on their
763. # clientid will be allowed to connect to the broker. By default,
764. # all clients may connect.
765. # For example, setting "secure-" here would mean a client "secure-
766. # client" could connect but another with clientid "mqtt" couldn't.
767. #clientid_prefixes
768.  
769. # Boolean value that determines whether clients that connect
770. # without providing a username are allowed to connect. If set to
771. # false then a password file should be created (see the
772. # password_file option) to control authenticated client access.
773. #
774. # Defaults to true if no other security options are set. If any other
775. # authentication options are set, then allow_anonymous defaults to false.
776. #
777. allow_anonymous false
778.  
779. # -----------------------------------------------------------------
780. # Default authentication and topic access control
781. # -----------------------------------------------------------------
782.  
783. # Control access to the broker using a password file. This file can be
784. # generated using the mosquitto_passwd utility. If TLS support is not compiled
785. # into mosquitto (it is recommended that TLS support should be included) then
786. # plain text passwords are used, in which case the file should be a text file
787. # with lines in the format:
788. # username:password
789. # The password (and colon) may be omitted if desired, although this
790. # offers very little in the way of security.
791. #
792. # See the TLS client require_certificate and use_identity_as_username options
793. # for alternative authentication options. If an auth_plugin is used as well as
794. # password_file, the auth_plugin check will be made first.
795. password_file /mosquitto/config/passwd
796.  
797. # Access may also be controlled using a pre-shared-key file. This requires
798. # TLS-PSK support and a listener configured to use it. The file should be text
799. # lines in the format:
800. # identity:key
801. # The key should be in hexadecimal format without a leading "0x".
802. # If an auth_plugin is used as well, the auth_plugin check will be made first.
803. #psk_file
804.  
805. # Control access to topics on the broker using an access control list
806. # file. If this parameter is defined then only the topics listed will
807. # have access.
808. # If the first character of a line of the ACL file is a # it is treated as a
809. # comment.
810. # Topic access is added with lines of the format:
811. #
812. # topic [read|write|readwrite] <topic>
813. #
814. # The access type is controlled using "read", "write" or "readwrite". This
815. # parameter is optional (unless <topic> contains a space character) - if not
816. # given then the access is read/write. <topic> can contain the + or #
817. # wildcards as in subscriptions.
818. #
819. # The first set of topics are applied to anonymous clients, assuming
820. # allow_anonymous is true. User specific topic ACLs are added after a
821. # user line as follows:
822. #
823. # user <username>
824. #
825. # The username referred to here is the same as in password_file. It is
826. # not the clientid.
827. #
828. #
829. # If is also possible to define ACLs based on pattern substitution within the
830. # topic. The patterns available for substition are:
831. #
832. # %c to match the client id of the client
833. # %u to match the username of the client
834. #
835. # The substitution pattern must be the only text for that level of hierarchy.
836. #
837. # The form is the same as for the topic keyword, but using pattern as the
838. # keyword.
839. # Pattern ACLs apply to all users even if the "user" keyword has previously
840. # been given.
841. #
842. # If using bridges with usernames and ACLs, connection messages can be allowed
843. # with the following pattern:
844. # pattern write $SYS/broker/connection/%c/state
845. #
846. # pattern [read|write|readwrite] <topic>
847. #
848. # Example:
849. #
850. # pattern write sensor/%u/data
851. #
852. # If an auth_plugin is used as well as acl_file, the auth_plugin check will be
853. # made first.
854. #acl_file
855.  
856. # -----------------------------------------------------------------
857. # External authentication and topic access plugin options
858. # -----------------------------------------------------------------
859.  
860. # External authentication and access control can be supported with the
861. # auth_plugin option. This is a path to a loadable plugin. See also the
862. # auth_opt_* options described below.
863. #
864. # The auth_plugin option can be specified multiple times to load multiple
865. # plugins. The plugins will be processed in the order that they are specified
866. # here. If the auth_plugin option is specified alongside either of
867. # password_file or acl_file then the plugin checks will be made first.
868. #
869. #auth_plugin
870.  
871. # If the auth_plugin option above is used, define options to pass to the
872. # plugin here as described by the plugin instructions. All options named
873. # using the format auth_opt_* will be passed to the plugin, for example:
874. #
875. # auth_opt_db_host
876. # auth_opt_db_port
877. # auth_opt_db_username
878. # auth_opt_db_password
879.  
880.  
881. # =================================================================
882. # Bridges
883. # =================================================================
884.  
885. # A bridge is a way of connecting multiple MQTT brokers together.
886. # Create a new bridge using the "connection" option as described below. Set
887. # options for the bridges using the remaining parameters. You must specify the
888. # address and at least one topic to subscribe to.
889. #
890. # Each connection must have a unique name.
891. #
892. # The address line may have multiple host address and ports specified. See
893. # below in the round_robin description for more details on bridge behaviour if
894. # multiple addresses are used. Note that if you use an IPv6 address, then you
895. # are required to specify a port.
896. #
897. # The direction that the topic will be shared can be chosen by
898. # specifying out, in or both, where the default value is out.
899. # The QoS level of the bridged communication can be specified with the next
900. # topic option. The default QoS level is 0, to change the QoS the topic
901. # direction must also be given.
902. #
903. # The local and remote prefix options allow a topic to be remapped when it is
904. # bridged to/from the remote broker. This provides the ability to place a topic
905. # tree in an appropriate location.
906. #
907. # For more details see the mosquitto.conf man page.
908. #
909. # Multiple topics can be specified per connection, but be careful
910. # not to create any loops.
911. #
912. # If you are using bridges with cleansession set to false (the default), then
913. # you may get unexpected behaviour from incoming topics if you change what
914. # topics you are subscribing to. This is because the remote broker keeps the
915. # subscription for the old topic. If you have this problem, connect your bridge
916. # with cleansession set to true, then reconnect with cleansession set to false
917. # as normal.
918. #connection <name>
919. #address <host>[:<port>] [<host>[:<port>]]
920. #topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
921.  
922. # Set the version of the MQTT protocol to use with for this bridge. Can be one
923. # of mqttv311 or mqttv11. Defaults to mqttv311.
924. #bridge_protocol_version mqttv311
925.  
926. # If a bridge has topics that have "out" direction, the default behaviour is to
927. # send an unsubscribe request to the remote broker on that topic. This means
928. # that changing a topic direction from "in" to "out" will not keep receiving
929. # incoming messages. Sending these unsubscribe requests is not always
930. # desirable, setting bridge_attempt_unsubscribe to false will disable sending
931. # the unsubscribe request.
932. #bridge_attempt_unsubscribe true
933.  
934. # If the bridge has more than one address given in the address/addresses
935. # configuration, the round_robin option defines the behaviour of the bridge on
936. # a failure of the bridge connection. If round_robin is false, the default
937. # value, then the first address is treated as the main bridge connection. If
938. # the connection fails, the other secondary addresses will be attempted in
939. # turn. Whilst connected to a secondary bridge, the bridge will periodically
940. # attempt to reconnect to the main bridge until successful.
941. # If round_robin is true, then all addresses are treated as equals. If a
942. # connection fails, the next address will be tried and if successful will
943. # remain connected until it fails
944. #round_robin false
945.  
946. # Set the client id to use on the remote end of this bridge connection. If not
947. # defined, this defaults to 'name.hostname' where name is the connection name
948. # and hostname is the hostname of this computer.
949. # This replaces the old "clientid" option to avoid confusion. "clientid"
950. # remains valid for the time being.
951. #remote_clientid
952.  
953. # Set the clientid to use on the local broker. If not defined, this defaults to
954. # 'local.<clientid>'. If you are bridging a broker to itself, it is important
955. # that local_clientid and clientid do not match.
956. #local_clientid
957.  
958. # Set the clean session variable for this bridge.
959. # When set to true, when the bridge disconnects for any reason, all
960. # messages and subscriptions will be cleaned up on the remote
961. # broker. Note that with cleansession set to true, there may be a
962. # significant amount of retained messages sent when the bridge
963. # reconnects after losing its connection.
964. # When set to false, the subscriptions and messages are kept on the
965. # remote broker, and delivered when the bridge reconnects.
966. #cleansession false
967.  
968. # If set to true, publish notification messages to the local and remote brokers
969. # giving information about the state of the bridge connection. Retained
970. # messages are published to the topic $SYS/broker/connection/<clientid>/state
971. # unless the notification_topic option is used.
972. # If the message is 1 then the connection is active, or 0 if the connection has
973. # failed.
974. #notifications true
975.  
976. # Choose the topic on which notification messages for this bridge are
977. # published. If not set, messages are published on the topic
978. # $SYS/broker/connection/<clientid>/state
979. #notification_topic
980.  
981. # Set the keepalive interval for this bridge connection, in
982. # seconds.
983. #keepalive_interval 60
984.  
985. # Set the start type of the bridge. This controls how the bridge starts and
986. # can be one of three types: automatic, lazy and once. Note that RSMB provides
987. # a fourth start type "manual" which isn't currently supported by mosquitto.
988. #
989. # "automatic" is the default start type and means that the bridge connection
990. # will be started automatically when the broker starts and also restarted
991. # after a short delay (30 seconds) if the connection fails.
992. #
993. # Bridges using the "lazy" start type will be started automatically when the
994. # number of queued messages exceeds the number set with the "threshold"
995. # parameter. It will be stopped automatically after the time set by the
996. # "idle_timeout" parameter. Use this start type if you wish the connection to
997. # only be active when it is needed.
998. #
999. # A bridge using the "once" start type will be started automatically when the
1000. # broker starts but will not be restarted if the connection fails.
1001. #start_type automatic
1002.  
1003. # Set the amount of time a bridge using the automatic start type will wait
1004. # until attempting to reconnect. Defaults to 30 seconds.
1005. #restart_timeout 30
1006.  
1007. # Set the amount of time a bridge using the lazy start type must be idle before
1008. # it will be stopped. Defaults to 60 seconds.
1009. #idle_timeout 60
1010.  
1011. # Set the number of messages that need to be queued for a bridge with lazy
1012. # start type to be restarted. Defaults to 10 messages.
1013. # Must be less than max_queued_messages.
1014. #threshold 10
1015.  
1016. # If try_private is set to true, the bridge will attempt to indicate to the
1017. # remote broker that it is a bridge not an ordinary client. If successful, this
1018. # means that loop detection will be more effective and that retained messages
1019. # will be propagated correctly. Not all brokers support this feature so it may
1020. # be necessary to set try_private to false if your bridge does not connect
1021. # properly.
1022. #try_private true
1023.  
1024. # Set the username to use when connecting to a broker that requires
1025. # authentication.
1026. # This replaces the old "username" option to avoid confusion. "username"
1027. # remains valid for the time being.
1028. #remote_username
1029.  
1030. # Set the password to use when connecting to a broker that requires
1031. # authentication. This option is only used if remote_username is also set.
1032. # This replaces the old "password" option to avoid confusion. "password"
1033. # remains valid for the time being.
1034. #remote_password
1035.  
1036. # -----------------------------------------------------------------
1037. # Certificate based SSL/TLS support
1038. # -----------------------------------------------------------------
1039. # Either bridge_cafile or bridge_capath must be defined to enable TLS support
1040. # for this bridge.
1041. # bridge_cafile defines the path to a file containing the
1042. # Certificate Authority certificates that have signed the remote broker
1043. # certificate.
1044. # bridge_capath defines a directory that will be searched for files containing
1045. # the CA certificates. For bridge_capath to work correctly, the certificate
1046. # files must have ".crt" as the file ending and you must run "openssl rehash
1047. # <path to capath>" each time you add/remove a certificate.
1048. #bridge_cafile
1049. #bridge_capath
1050.  
1051. # Path to the PEM encoded client certificate, if required by the remote broker.
1052. #bridge_certfile
1053.  
1054. # Path to the PEM encoded client private key, if required by the remote broker.
1055. #bridge_keyfile
1056.  
1057. # When using certificate based encryption, bridge_insecure disables
1058. # verification of the server hostname in the server certificate. This can be
1059. # useful when testing initial server configurations, but makes it possible for
1060. # a malicious third party to impersonate your server through DNS spoofing, for
1061. # example. Use this option in testing only. If you need to resort to using this
1062. # option in a production environment, your setup is at fault and there is no
1063. # point using encryption.
1064. #bridge_insecure false
1065.  
1066. # -----------------------------------------------------------------
1067. # PSK based SSL/TLS support
1068. # -----------------------------------------------------------------
1069. # Pre-shared-key encryption provides an alternative to certificate based
1070. # encryption. A bridge can be configured to use PSK with the bridge_identity
1071. # and bridge_psk options. These are the client PSK identity, and pre-shared-key
1072. # in hexadecimal format with no "0x". Only one of certificate and PSK based
1073. # encryption can be used on one
1074. # bridge at once.
1075. #bridge_identity
1076. #bridge_psk
1077.  
1078.  
1079. # =================================================================
1080. # External config files
1081. # =================================================================
1082.  
1083. # External configuration files may be included by using the
1084. # include_dir option. This defines a directory that will be searched
1085. # for config files. All files that end in '.conf' will be loaded as
1086. # a configuration file. It is best to have this as the last option
1087. # in the main file. This option will only be processed from the main
1088. # configuration file. The directory specified must not contain the
1089. # main configuration file.
1090. #include_dir
1091.  
1092. # =================================================================
1093. # rsmb options - unlikely to ever be supported
1094. # =================================================================
1095.  
1096. #ffdc_output
1097. #max_log_entries
1098. #trace_level
1099. #trace_output