#hostname= Buran-bee-stya.reut.loc #DISTRIB_DESCRIPTION='OpenWrt 23.05.3 r23809-234f1a2efa' #profile = beeline_smartbox-turbo-plus #target = ramips #soc = mt7621 #arch = mipsel_24kc #Beeline SmartBox TURBO+ custom default settings #---------------------------------------------------- #Generating cmd for install pkg #---------------------------------------------------- opkg install luci-app-mosquitto opkg install iwinfo opkg install cgi-io opkg install opkg opkg install luci-app-opkg opkg install kmod-usb-storage-uas opkg install ubus opkg install rpcd opkg install kmod-nft-fib opkg install kmod-nfnetlink opkg install kmod-crypto-hash opkg install kmod-nf-reject6 opkg install luci-mod-system opkg install kmod-nf-flow opkg install kmod-lib-crc-ccitt opkg install ucode-mod-uloop opkg install getrandom opkg install ucode-mod-ubus opkg install luci-theme-bootstrap opkg install kmod-pppoe opkg install kmod-pppox opkg install kmod-nf-reject opkg install procd-ujail opkg install base-files opkg install kmod-nf-nat opkg install kmod-crypto-crc32c opkg install ucode-mod-uci opkg install netifd opkg install uboot-envtools opkg install dnsmasq opkg install usbutils opkg install ubusd opkg install kmod-crypto-acompress opkg install rpcd-mod-ucode opkg install ucode-mod-math opkg install kmod-lib-crc32c opkg install luci-mod-status opkg install block-mount opkg install kmod-nft-nat opkg install kmod-usb3 opkg install kmod-fs-exfat opkg install luci-app-firewall opkg install ubi-utils opkg install odhcp6c opkg install fstools opkg install uci opkg install ucode-mod-fs opkg install kmod-fs-ext4 opkg install luci-ssl opkg install dropbear opkg install rpcd-mod-file opkg install mtd opkg install odhcpd-ipv6only opkg install procd-seccomp opkg install ucode-mod-nl80211 opkg install libiwinfo-data opkg install ucode opkg install rpcd-mod-luci opkg install kmod-nf-log opkg install urandom-seed opkg install luci-proto-ppp opkg install luci-mod-admin-full opkg install ppp opkg install luci-base opkg install kmod-leds-gpio opkg install kmod-gpio-button-hotplug opkg install logd opkg install kmod-mt7603 opkg install kmod-nf-log6 opkg install luci-proto-ipv6 opkg install kmod-fs-ntfs3 opkg install jshn opkg install e2fsprogs opkg install kmod-ppp opkg install kmod-nft-offload opkg install netcat opkg install luci-app-samba4 opkg install kmod-mt7615-firmware opkg install uhttpd opkg install kmod-nf-conntrack opkg install usign opkg install atftpd opkg install ucode-mod-rtnl opkg install ucode-mod-html opkg install luci opkg install kmod-nf-conntrack6 opkg install luci-light opkg install kmod-lib-lzo opkg install ubox opkg install kernel opkg install rpcd-mod-iwinfo opkg install luci-mod-network opkg install kmod-nft-core opkg install lldpd opkg install mount-utils opkg install uhttpd-mod-ubus opkg install fwtool opkg install jsonfilter opkg install liblucihttp-ucode opkg install iperf3 opkg install hostapd-common opkg install vsftpd opkg install luci-app-hd-idle opkg install urngd opkg install kmod-slhc opkg install rpcd-mod-rrdns opkg install ppp-mod-pppoe #---------------------------------------------------- #Generating custom default file for Beeline SmartBox TURBO+ #---------------------------------------------------- uci -q batch << EOI set atftpd.service=service set atftpd.service.path='/srv/tftp' commit atftpd set dhcp.@dnsmasq[0]=dnsmasq set dhcp.@dnsmasq[0].domainneeded='1' set dhcp.@dnsmasq[0].localise_queries='1' set dhcp.@dnsmasq[0].rebind_protection='1' set dhcp.@dnsmasq[0].rebind_localhost='1' set dhcp.@dnsmasq[0].local='/lan/' set dhcp.@dnsmasq[0].domain='lan' set dhcp.@dnsmasq[0].expandhosts='1' set dhcp.@dnsmasq[0].cachesize='1000' set dhcp.@dnsmasq[0].authoritative='1' set dhcp.@dnsmasq[0].readethers='1' set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases' set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto' set dhcp.@dnsmasq[0].localservice='1' set dhcp.@dnsmasq[0].ednspacket_max='1232' set dhcp.lan=dhcp set dhcp.lan.interface='lan' set dhcp.lan.start='100' set dhcp.lan.limit='150' set dhcp.lan.leasetime='12h' set dhcp.lan.dhcpv4='server' set dhcp.lan.ignore='1' set dhcp.wan=dhcp set dhcp.wan.interface='wan' set dhcp.wan.ignore='1' set dhcp.odhcpd=odhcpd set dhcp.odhcpd.maindhcp='0' set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd' set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update' set dhcp.odhcpd.loglevel='4' commit dhcp set dropbear.@dropbear[0]=dropbear set dropbear.@dropbear[0].PasswordAuth='on' set dropbear.@dropbear[0].RootPasswordAuth='on' set dropbear.@dropbear[0].Port='22' commit dropbear set firewall.@defaults[0]=defaults set firewall.@defaults[0].syn_flood='1' set firewall.@defaults[0].input='REJECT' set firewall.@defaults[0].output='ACCEPT' set firewall.@defaults[0].forward='REJECT' set firewall.@zone[0]=zone set firewall.@zone[0].name='lan' set firewall.@zone[0].network='lan' set firewall.@zone[0].input='ACCEPT' set firewall.@zone[0].output='ACCEPT' set firewall.@zone[0].forward='ACCEPT' set firewall.@zone[1]=zone set firewall.@zone[1].name='wan' set firewall.@zone[1].network='wan' 'wan6' set firewall.@zone[1].input='REJECT' set firewall.@zone[1].output='ACCEPT' set firewall.@zone[1].forward='REJECT' set firewall.@zone[1].masq='1' set firewall.@zone[1].mtu_fix='1' set firewall.@forwarding[0]=forwarding set firewall.@forwarding[0].src='lan' set firewall.@forwarding[0].dest='wan' set firewall.@rule[0]=rule set firewall.@rule[0].name='Allow-DHCP-Renew' set firewall.@rule[0].src='wan' set firewall.@rule[0].proto='udp' set firewall.@rule[0].dest_port='68' set firewall.@rule[0].target='ACCEPT' set firewall.@rule[0].family='ipv4' set firewall.@rule[1]=rule set firewall.@rule[1].name='Allow-Ping' set firewall.@rule[1].src='wan' set firewall.@rule[1].proto='icmp' set firewall.@rule[1].icmp_type='echo-request' set firewall.@rule[1].family='ipv4' set firewall.@rule[1].target='ACCEPT' set firewall.@rule[2]=rule set firewall.@rule[2].name='Allow-IGMP' set firewall.@rule[2].src='wan' set firewall.@rule[2].proto='igmp' set firewall.@rule[2].family='ipv4' set firewall.@rule[2].target='ACCEPT' set firewall.@rule[3]=rule set firewall.@rule[3].name='Allow-DHCPv6' set firewall.@rule[3].src='wan' set firewall.@rule[3].proto='udp' set firewall.@rule[3].dest_port='546' set firewall.@rule[3].family='ipv6' set firewall.@rule[3].target='ACCEPT' set firewall.@rule[4]=rule set firewall.@rule[4].name='Allow-MLD' set firewall.@rule[4].src='wan' set firewall.@rule[4].proto='icmp' set firewall.@rule[4].src_ip='fe80::/10' set firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0' set firewall.@rule[4].family='ipv6' set firewall.@rule[4].target='ACCEPT' set firewall.@rule[5]=rule set firewall.@rule[5].name='Allow-ICMPv6-Input' set firewall.@rule[5].src='wan' set firewall.@rule[5].proto='icmp' set firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement' set firewall.@rule[5].limit='1000/sec' set firewall.@rule[5].family='ipv6' set firewall.@rule[5].target='ACCEPT' set firewall.@rule[6]=rule set firewall.@rule[6].name='Allow-ICMPv6-Forward' set firewall.@rule[6].src='wan' set firewall.@rule[6].dest='*' set firewall.@rule[6].proto='icmp' set firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' set firewall.@rule[6].limit='1000/sec' set firewall.@rule[6].family='ipv6' set firewall.@rule[6].target='ACCEPT' set firewall.@rule[7]=rule set firewall.@rule[7].name='Allow-IPSec-ESP' set firewall.@rule[7].src='wan' set firewall.@rule[7].dest='lan' set firewall.@rule[7].proto='esp' set firewall.@rule[7].target='ACCEPT' set firewall.@rule[8]=rule set firewall.@rule[8].name='Allow-ISAKMP' set firewall.@rule[8].src='wan' set firewall.@rule[8].dest='lan' set firewall.@rule[8].dest_port='500' set firewall.@rule[8].proto='udp' set firewall.@rule[8].target='ACCEPT' commit firewall set fstab.@global[0]=global set fstab.@global[0].anon_swap='0' set fstab.@global[0].anon_mount='0' set fstab.@global[0].auto_swap='1' set fstab.@global[0].auto_mount='1' set fstab.@global[0].delay_root='5' set fstab.@global[0].check_fs='0' set fstab.@mount[0]=mount set fstab.@mount[0].target='/mnt/sda' set fstab.@mount[0].uuid='9d591806-abe2-402b-a114-502e206789ae' set fstab.@mount[0].enabled='1' commit fstab set hd-idle.@hd-idle[0]=hd-idle set hd-idle.@hd-idle[0].disk='sda' set hd-idle.@hd-idle[0].enabled='0' set hd-idle.@hd-idle[0].idle_time_unit='minutes' set hd-idle.@hd-idle[0].idle_time_interval='10' commit hd-idle set lldpd.config=lldpd set lldpd.config.enable_cdp='1' set lldpd.config.enable_fdp='1' set lldpd.config.enable_sonmp='1' set lldpd.config.enable_edp='1' set lldpd.config.lldp_class='4' set lldpd.config.lldp_location='address country EU' set lldpd.config.interface='loopback' 'lan' commit lldpd set luci.main=core set luci.main.lang='auto' set luci.main.mediaurlbase='/luci-static/bootstrap' set luci.main.resourcebase='/luci-static/resources' set luci.main.ubuspath='/ubus/' set luci.flash_keep=extern set luci.flash_keep.uci='/etc/config/' set luci.flash_keep.dropbear='/etc/dropbear/' set luci.flash_keep.openvpn='/etc/openvpn/' set luci.flash_keep.passwd='/etc/passwd' set luci.flash_keep.opkg='/etc/opkg.conf' set luci.flash_keep.firewall='/etc/firewall.user' set luci.flash_keep.uploads='/lib/uci/upload/' set luci.languages=internal set luci.sauth=internal set luci.sauth.sessionpath='/tmp/luci-sessions' set luci.sauth.sessiontime='3600' set luci.ccache=internal set luci.ccache.enable='1' set luci.themes=internal set luci.themes.Bootstrap='/luci-static/bootstrap' set luci.themes.BootstrapDark='/luci-static/bootstrap-dark' set luci.themes.BootstrapLight='/luci-static/bootstrap-light' set luci.apply=internal set luci.apply.rollback='90' set luci.apply.holdoff='4' set luci.apply.timeout='5' set luci.apply.display='1.5' set luci.diag=internal set luci.diag.dns='openwrt.org' set luci.diag.ping='openwrt.org' set luci.diag.route='openwrt.org' commit luci set mosquitto.owrt=owrt set mosquitto.owrt.use_uci='0' set mosquitto.mosquitto=mosquitto set mosquitto.persistence=persistence commit mosquitto set network.loopback=interface set network.loopback.device='lo' set network.loopback.proto='static' set network.loopback.ipaddr='127.0.0.1' set network.loopback.netmask='255.0.0.0' set network.globals=globals set network.globals.ula_prefix='fdb5:9be6:0229::/48' set network.globals.packet_steering='1' set network.@device[0]=device set network.@device[0].name='br-lan' set network.@device[0].type='bridge' set network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4' set network.@device[0].ipv6='0' set network.lan=interface set network.lan.device='br-lan' set network.lan.proto='static' set network.lan.ipaddr='172.16.11.7' set network.lan.netmask='255.255.255.0' set network.lan.ip6assign='60' set network.lan.gateway='172.16.11.1' set network.lan.dns='172.16.11.1' set network.lan.delegate='0' set network.wan=interface set network.wan.device='wan' set network.wan.proto='dhcp' set network.wan6=interface set network.wan6.device='wan' set network.wan6.proto='dhcpv6' commit network set rpcd.@rpcd[0]=rpcd set rpcd.@rpcd[0].socket='/var/run/ubus/ubus.sock' set rpcd.@rpcd[0].timeout='30' set rpcd.@login[0]=login set rpcd.@login[0].username='root' set rpcd.@login[0].password='$p$root' set rpcd.@login[0].read='*' set rpcd.@login[0].write='*' commit rpcd set samba4.@samba[0]=samba set samba4.@samba[0].workgroup='WORKGROUP' set samba4.@samba[0].charset='UTF-8' set samba4.@samba[0].description='Samba on OpenWRT' set samba4.@samba[0].enable_extra_tuning='1' set samba4.@sambashare[0]=sambashare set samba4.@sambashare[0].name='bkp' set samba4.@sambashare[0].path='/mnt/sda' set samba4.@sambashare[0].read_only='no' set samba4.@sambashare[0].guest_ok='yes' set samba4.@sambashare[0].create_mask='0666' set samba4.@sambashare[0].dir_mask='0777' commit samba4 set system.@system[0]=system set system.@system[0].hostname='Buran-bee-stya.reut.loc' set system.@system[0].timezone='MSK-3' set system.@system[0].ttylogin='0' set system.@system[0].log_size='64' set system.@system[0].urandom_seed='0' set system.@system[0].compat_version='1.1' set system.@system[0].zonename='Europe/Moscow' set system.@system[0].log_proto='udp' set system.@system[0].conloglevel='8' set system.@system[0].cronloglevel='5' set system.ntp=timeserver set system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org' set system.led_wan=led set system.led_wan.name='wan' set system.led_wan.sysfs='blue:wan' set system.led_wan.trigger='netdev' set system.led_wan.mode='link tx rx' set system.led_wan.dev='wan' commit system set ubootenv.@ubootenv[0]=ubootenv set ubootenv.@ubootenv[0].dev='/dev/mtd0' set ubootenv.@ubootenv[0].offset='0x80000' set ubootenv.@ubootenv[0].envsize='0x1000' set ubootenv.@ubootenv[0].secsize='0x20000' commit ubootenv set ucitrack.@network[0]=network set ucitrack.@network[0].init='network' set ucitrack.@network[0].affects='dhcp' set ucitrack.@wireless[0]=wireless set ucitrack.@wireless[0].affects='network' set ucitrack.@firewall[0]=firewall set ucitrack.@firewall[0].init='firewall' set ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd' set ucitrack.@olsr[0]=olsr set ucitrack.@olsr[0].init='olsrd' set ucitrack.@dhcp[0]=dhcp set ucitrack.@dhcp[0].init='dnsmasq' set ucitrack.@dhcp[0].affects='odhcpd' set ucitrack.@odhcpd[0]=odhcpd set ucitrack.@odhcpd[0].init='odhcpd' set ucitrack.@dropbear[0]=dropbear set ucitrack.@dropbear[0].init='dropbear' set ucitrack.@httpd[0]=httpd set ucitrack.@httpd[0].init='httpd' set ucitrack.@fstab[0]=fstab set ucitrack.@fstab[0].exec='/sbin/block mount' set ucitrack.@qos[0]=qos set ucitrack.@qos[0].init='qos' set ucitrack.@system[0]=system set ucitrack.@system[0].init='led' set ucitrack.@system[0].exec='/etc/init.d/log reload' set ucitrack.@system[0].affects='luci_statistics' 'dhcp' set ucitrack.@luci_splash[0]=luci_splash set ucitrack.@luci_splash[0].init='luci_splash' set ucitrack.@upnpd[0]=upnpd set ucitrack.@upnpd[0].init='miniupnpd' set ucitrack.@ntpclient[0]=ntpclient set ucitrack.@ntpclient[0].init='ntpclient' set ucitrack.@samba[0]=samba set ucitrack.@samba[0].init='samba' set ucitrack.@tinyproxy[0]=tinyproxy set ucitrack.@tinyproxy[0].init='tinyproxy' commit ucitrack set uhttpd.main=uhttpd set uhttpd.main.listen_http='0.0.0.0:80' '[::]:80' set uhttpd.main.listen_https='0.0.0.0:443' '[::]:443' set uhttpd.main.redirect_https='0' set uhttpd.main.home='/www' set uhttpd.main.rfc1918_filter='1' set uhttpd.main.max_requests='3' set uhttpd.main.max_connections='100' set uhttpd.main.cert='/etc/uhttpd.crt' set uhttpd.main.key='/etc/uhttpd.key' set uhttpd.main.cgi_prefix='/cgi-bin' set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua' set uhttpd.main.script_timeout='60' set uhttpd.main.network_timeout='30' set uhttpd.main.http_keepalive='20' set uhttpd.main.tcp_keepalive='1' set uhttpd.main.ucode_prefix='/cgi-bin/luci=/usr/share/ucode/luci/uhttpd.uc' set uhttpd.main.ubus_prefix='/ubus' set uhttpd.defaults=cert set uhttpd.defaults.days='730' set uhttpd.defaults.key_type='ec' set uhttpd.defaults.bits='2048' set uhttpd.defaults.ec_curve='P-256' set uhttpd.defaults.country='ZZ' set uhttpd.defaults.state='Somewhere' set uhttpd.defaults.location='Unknown' set uhttpd.defaults.commonname='OpenWrt' commit uhttpd set wireless.radio0=wifi-device set wireless.radio0.type='mac80211' set wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0' set wireless.radio0.channel='auto' set wireless.radio0.band='2g' set wireless.radio0.htmode='HT40' set wireless.radio0.cell_density='0' set wireless.radio0.country='RU' set wireless.default_radio0=wifi-iface set wireless.default_radio0.device='radio0' set wireless.default_radio0.network='lan' set wireless.default_radio0.mode='ap' set wireless.default_radio0.ssid='Buran' set wireless.default_radio0.encryption='sae' set wireless.default_radio0.key='23637387581' set wireless.default_radio0.disassoc_low_ack='0' set wireless.default_radio0.ieee80211w='1' set wireless.default_radio0.ieee80211r='1' set wireless.default_radio0.mobility_domain='af53' set wireless.default_radio0.ft_over_ds='0' set wireless.default_radio0.wpa_disable_eapol_key_retries='1' set wireless.default_radio0.skip_inactivity_poll='1' set wireless.radio1=wifi-device set wireless.radio1.type='mac80211' set wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0' set wireless.radio1.channel='60' set wireless.radio1.band='5g' set wireless.radio1.htmode='VHT160' set wireless.radio1.cell_density='0' set wireless.radio1.country='RU' set wireless.default_radio1=wifi-iface set wireless.default_radio1.device='radio1' set wireless.default_radio1.network='lan' set wireless.default_radio1.mode='ap' set wireless.default_radio1.ssid='Buran' set wireless.default_radio1.encryption='sae' set wireless.default_radio1.key='23637387581' set wireless.default_radio1.disassoc_low_ack='0' set wireless.default_radio1.ieee80211w='1' set wireless.default_radio1.ieee80211r='1' set wireless.default_radio1.mobility_domain='af53' set wireless.default_radio1.ft_over_ds='0' set wireless.default_radio1.wpa_disable_eapol_key_retries='1' set wireless.default_radio1.skip_inactivity_poll='1' commit wireless EOI mkdir -p "/etc/mosquitto" mkdir -p "/etc/mosquitto" #Gen file /etc/mosquitto/mosquitto.conf-opkg mkdir -p "/etc/mosquitto" cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf-opkg" # Config file for mosquitto # # See mosquitto.conf(5) for more information. # # Default values are shown, uncomment to change. # # Use the # character to indicate a comment, but only if it is the # very first character on the line. # ================================================================= # General configuration # ================================================================= # Use per listener security settings. # # It is recommended this option be set before any other options. # # If this option is set to true, then all authentication and access control # options are controlled on a per listener basis. The following options are # affected: # # acl_file # allow_anonymous # allow_zero_length_clientid # auto_id_prefix # password_file # plugin # plugin_opt_* # psk_file # # Note that if set to true, then a durable client (i.e. with clean session set # to false) that has disconnected will use the ACL settings defined for the # listener that it was most recently connected to. # # The default behaviour is for this to be set to false, which maintains the # setting behaviour from previous versions of mosquitto. #per_listener_settings false # This option controls whether a client is allowed to connect with a zero # length client id or not. This option only affects clients using MQTT v3.1.1 # and later. If set to false, clients connecting with a zero length client id # are disconnected. If set to true, clients will be allocated a client id by # the broker. This means it is only useful for clients with clean session set # to true. #allow_zero_length_clientid true # If allow_zero_length_clientid is true, this option allows you to set a prefix # to automatically generated client ids to aid visibility in logs. # Defaults to 'auto-' #auto_id_prefix auto- # This option affects the scenario when a client subscribes to a topic that has # retained messages. It is possible that the client that published the retained # message to the topic had access at the time they published, but that access # has been subsequently removed. If check_retain_source is set to true, the # default, the source of a retained message will be checked for access rights # before it is republished. When set to false, no check will be made and the # retained message will always be published. This affects all listeners. #check_retain_source true # QoS 1 and 2 messages will be allowed inflight per client until this limit # is exceeded. Defaults to 0. (No maximum) # See also max_inflight_messages #max_inflight_bytes 0 # The maximum number of QoS 1 and 2 messages currently inflight per # client. # This includes messages that are partway through handshakes and # those that are being retried. Defaults to 20. Set to 0 for no # maximum. Setting to 1 will guarantee in-order delivery of QoS 1 # and 2 messages. #max_inflight_messages 20 # For MQTT v5 clients, it is possible to have the server send a "server # keepalive" value that will override the keepalive value set by the client. # This is intended to be used as a mechanism to say that the server will # disconnect the client earlier than it anticipated, and that the client should # use the new keepalive value. The max_keepalive option allows you to specify # that clients may only connect with keepalive less than or equal to this # value, otherwise they will be sent a server keepalive telling them to use # max_keepalive. This only applies to MQTT v5 clients. The default, and maximum # value allowable, is 65535. # # Set to 0 to allow clients to set keepalive = 0, which means no keepalive # checks are made and the client will never be disconnected by the broker if no # messages are received. You should be very sure this is the behaviour that you # want. # # For MQTT v3.1.1 and v3.1 clients, there is no mechanism to tell the client # what keepalive value they should use. If an MQTT v3.1.1 or v3.1 client # specifies a keepalive time greater than max_keepalive they will be sent a # CONNACK message with the "identifier rejected" reason code, and disconnected. # #max_keepalive 65535 # For MQTT v5 clients, it is possible to have the server send a "maximum packet # size" value that will instruct the client it will not accept MQTT packets # with size greater than max_packet_size bytes. This applies to the full MQTT # packet, not just the payload. Setting this option to a positive value will # set the maximum packet size to that number of bytes. If a client sends a # packet which is larger than this value, it will be disconnected. This applies # to all clients regardless of the protocol version they are using, but v3.1.1 # and earlier clients will of course not have received the maximum packet size # information. Defaults to no limit. Setting below 20 bytes is forbidden # because it is likely to interfere with ordinary client operation, even with # very small payloads. #max_packet_size 0 # QoS 1 and 2 messages above those currently in-flight will be queued per # client until this limit is exceeded. Defaults to 0. (No maximum) # See also max_queued_messages. # If both max_queued_messages and max_queued_bytes are specified, packets will # be queued until the first limit is reached. #max_queued_bytes 0 # Set the maximum QoS supported. Clients publishing at a QoS higher than # specified here will be disconnected. #max_qos 2 # The maximum number of QoS 1 and 2 messages to hold in a queue per client # above those that are currently in-flight. Defaults to 1000. Set # to 0 for no maximum (not recommended). # See also queue_qos0_messages. # See also max_queued_bytes. #max_queued_messages 1000 # # This option sets the maximum number of heap memory bytes that the broker will # allocate, and hence sets a hard limit on memory use by the broker. Memory # requests that exceed this value will be denied. The effect will vary # depending on what has been denied. If an incoming message is being processed, # then the message will be dropped and the publishing client will be # disconnected. If an outgoing message is being sent, then the individual # message will be dropped and the receiving client will be disconnected. # Defaults to no limit. #memory_limit 0 # This option sets the maximum publish payload size that the broker will allow. # Received messages that exceed this size will not be accepted by the broker. # The default value is 0, which means that all valid MQTT messages are # accepted. MQTT imposes a maximum payload size of 268435455 bytes. #message_size_limit 0 # This option allows the session of persistent clients (those with clean # session set to false) that are not currently connected to be removed if they # do not reconnect within a certain time frame. This is a non-standard option # in MQTT v3.1. MQTT v3.1.1 and v5.0 allow brokers to remove client sessions. # # Badly designed clients may set clean session to false whilst using a randomly # generated client id. This leads to persistent clients that connect once and # never reconnect. This option allows these clients to be removed. This option # allows persistent clients (those with clean session set to false) to be # removed if they do not reconnect within a certain time frame. # # The expiration period should be an integer followed by one of h d w m y for # hour, day, week, month and year respectively. For example # # persistent_client_expiration 2m # persistent_client_expiration 14d # persistent_client_expiration 1y # # The default if not set is to never expire persistent clients. #persistent_client_expiration # Write process id to a file. Default is a blank string which means # a pid file shouldn't be written. # This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is # being run automatically on boot with an init script and # start-stop-daemon or similar. #pid_file # Set to true to queue messages with QoS 0 when a persistent client is # disconnected. These messages are included in the limit imposed by # max_queued_messages and max_queued_bytes # Defaults to false. # This is a non-standard option for the MQTT v3.1 spec but is allowed in # v3.1.1. #queue_qos0_messages false # Set to false to disable retained message support. If a client publishes a # message with the retain bit set, it will be disconnected if this is set to # false. #retain_available true # Disable Nagle's algorithm on client sockets. This has the effect of reducing # latency of individual messages at the potential cost of increasing the number # of packets being sent. #set_tcp_nodelay false # Time in seconds between updates of the $SYS tree. # Set to 0 to disable the publishing of the $SYS tree. #sys_interval 10 # The MQTT specification requires that the QoS of a message delivered to a # subscriber is never upgraded to match the QoS of the subscription. Enabling # this option changes this behaviour. If upgrade_outgoing_qos is set true, # messages sent to a subscriber will always match the QoS of its subscription. # This is a non-standard option explicitly disallowed by the spec. #upgrade_outgoing_qos false # When run as root, drop privileges to this user and its primary # group. # Set to root to stay as root, but this is not recommended. # If set to "mosquitto", or left unset, and the "mosquitto" user does not exist # then it will drop privileges to the "nobody" user instead. # If run as a non-root user, this setting has no effect. # Note that on Windows this has no effect and so mosquitto should be started by # the user you wish it to run as. #user mosquitto # ================================================================= # Listeners # ================================================================= # Listen on a port/ip address combination. By using this variable # multiple times, mosquitto can listen on more than one port. If # this variable is used and neither bind_address nor port given, # then the default listener will not be started. # The port number to listen on must be given. Optionally, an ip # address or host name may be supplied as a second argument. In # this case, mosquitto will attempt to bind the listener to that # address and so restrict access to the associated network and # interface. By default, mosquitto will listen on all interfaces. # Note that for a websockets listener it is not possible to bind to a host # name. # # On systems that support Unix Domain Sockets, it is also possible # to create a # Unix socket rather than opening a TCP socket. In # this case, the port number should be set to 0 and a unix socket # path must be provided, e.g. # listener 0 /tmp/mosquitto.sock # # listener port-number [ip address/host name/unix socket path] #listener # By default, a listener will attempt to listen on all supported IP protocol # versions. If you do not have an IPv4 or IPv6 interface you may wish to # disable support for either of those protocol versions. In particular, note # that due to the limitations of the websockets library, it will only ever # attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail # if IPv6 is not available. # # Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to # force the listener to only use IPv6. If you want support for both IPv4 and # IPv6, then do not use the socket_domain option. # #socket_domain # Bind the listener to a specific interface. This is similar to # the [ip address/host name] part of the listener definition, but is useful # when an interface has multiple addresses or the address may change. If used # with the [ip address/host name] part of the listener definition, then the # bind_interface option will take priority. # Not available on Windows. # # Example: bind_interface eth0 #bind_interface # When a listener is using the websockets protocol, it is possible to serve # http data as well. Set http_dir to a directory which contains the files you # wish to serve. If this option is not specified, then no normal http # connections will be possible. #http_dir # The maximum number of client connections to allow. This is # a per listener setting. # Default is -1, which means unlimited connections. # Note that other process limits mean that unlimited connections # are not really possible. Typically the default maximum number of # connections possible is around 1024. #max_connections -1 # The listener can be restricted to operating within a topic hierarchy using # the mount_point option. This is achieved be prefixing the mount_point string # to all topics for any clients connected to this listener. This prefixing only # happens internally to the broker; the client will not see the prefix. #mount_point # Choose the protocol to use when listening. # This can be either mqtt or websockets. # Certificate based TLS may be used with websockets, except that only the # cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported. #protocol mqtt # Set use_username_as_clientid to true to replace the clientid that a client # connected with with its username. This allows authentication to be tied to # the clientid, which means that it is possible to prevent one client # disconnecting another by using the same clientid. # If a client connects with no username it will be disconnected as not # authorised when this option is set to true. # Do not use in conjunction with clientid_prefixes. # See also use_identity_as_username. # This does not apply globally, but on a per-listener basis. #use_username_as_clientid # Change the websockets headers size. This is a global option, it is not # possible to set per listener. This option sets the size of the buffer used in # the libwebsockets library when reading HTTP headers. If you are passing large # header data such as cookies then you may need to increase this value. If left # unset, or set to 0, then the default of 1024 bytes will be used. #websockets_headers_size # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- # The following options can be used to enable certificate based SSL/TLS support # for this listener. Note that the recommended port for MQTT over TLS is 8883, # but this must be set manually. # # See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS # support" section. Only one of certificate or PSK encryption support can be # enabled for any listener. # Both of certfile and keyfile must be defined to enable certificate based # TLS encryption. # Path to the PEM encoded server certificate. #certfile # Path to the PEM encoded keyfile. #keyfile # If you wish to control which encryption ciphers are used, use the ciphers # option. The list of available ciphers can be optained using the "openssl # ciphers" command and should be provided in the same format as the output of # that command. This applies to TLS 1.2 and earlier versions only. Use # ciphers_tls1.3 for TLS v1.3. #ciphers # Choose which TLS v1.3 ciphersuites are used for this listener. # Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" #ciphers_tls1.3 # If you have require_certificate set to true, you can create a certificate # revocation list file to revoke access to particular client certificates. If # you have done this, use crlfile to point to the PEM encoded revocation file. #crlfile # To allow the use of ephemeral DH key exchange, which provides forward # security, the listener must load DH parameters. This can be specified with # the dhparamfile option. The dhparamfile can be generated with the command # e.g. "openssl dhparam -out dhparam.pem 2048" #dhparamfile # By default an TLS enabled listener will operate in a similar fashion to a # https enabled web server, in that the server has a certificate signed by a CA # and the client will verify that it is a trusted certificate. The overall aim # is encryption of the network traffic. By setting require_certificate to true, # the client must provide a valid certificate in order for the network # connection to proceed. This allows access to the broker to be controlled # outside of the mechanisms provided by MQTT. #require_certificate false # cafile and capath define methods of accessing the PEM encoded # Certificate Authority certificates that will be considered trusted when # checking incoming client certificates. # cafile defines the path to a file containing the CA certificates. # capath defines a directory that will be searched for files # containing the CA certificates. For capath to work correctly, the # certificate files must have ".crt" as the file ending and you must run # "openssl rehash " each time you add/remove a certificate. #cafile #capath # If require_certificate is true, you may set use_identity_as_username to true # to use the CN value from the client certificate as a username. If this is # true, the password_file option will not be used for this listener. #use_identity_as_username false # ----------------------------------------------------------------- # Pre-shared-key based SSL/TLS support # ----------------------------------------------------------------- # The following options can be used to enable PSK based SSL/TLS support for # this listener. Note that the recommended port for MQTT over TLS is 8883, but # this must be set manually. # # See also the mosquitto-tls man page and the "Certificate based SSL/TLS # support" section. Only one of certificate or PSK encryption support can be # enabled for any listener. # The psk_hint option enables pre-shared-key support for this listener and also # acts as an identifier for this listener. The hint is sent to clients and may # be used locally to aid authentication. The hint is a free form string that # doesn't have much meaning in itself, so feel free to be creative. # If this option is provided, see psk_file to define the pre-shared keys to be # used or create a security plugin to handle them. #psk_hint # When using PSK, the encryption ciphers used will be chosen from the list of # available PSK ciphers. If you want to control which ciphers are available, # use the "ciphers" option. The list of available ciphers can be optained # using the "openssl ciphers" command and should be provided in the same format # as the output of that command. #ciphers # Set use_identity_as_username to have the psk identity sent by the client used # as its username. Authentication will be carried out using the PSK rather than # the MQTT username/password and so password_file will not be used for this # listener. #use_identity_as_username false # ================================================================= # Persistence # ================================================================= # If persistence is enabled, save the in-memory database to disk # every autosave_interval seconds. If set to 0, the persistence # database will only be written when mosquitto exits. See also # autosave_on_changes. # Note that writing of the persistence database can be forced by # sending mosquitto a SIGUSR1 signal. #autosave_interval 1800 # If true, mosquitto will count the number of subscription changes, retained # messages received and queued messages and if the total exceeds # autosave_interval then the in-memory database will be saved to disk. # If false, mosquitto will save the in-memory database to disk by treating # autosave_interval as a time in seconds. #autosave_on_changes false # Save persistent message data to disk (true/false). # This saves information about all messages, including # subscriptions, currently in-flight messages and retained # messages. # retained_persistence is a synonym for this option. #persistence false # The filename to use for the persistent database, not including # the path. #persistence_file mosquitto.db # Location for persistent database. # Default is an empty string (current directory). # Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or # similar. #persistence_location # ================================================================= # Logging # ================================================================= # Places to log to. Use multiple log_dest lines for multiple # logging destinations. # Possible destinations are: stdout stderr syslog topic file dlt # # stdout and stderr log to the console on the named output. # # syslog uses the userspace syslog facility which usually ends up # in /var/log/messages or similar. # # topic logs to the broker topic '$SYS/broker/log/', # where severity is one of D, E, W, N, I, M which are debug, error, # warning, notice, information and message. Message type severity is used by # the subscribe/unsubscribe log_types and publishes log messages to # $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. # # The file destination requires an additional parameter which is the file to be # logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be # closed and reopened when the broker receives a HUP signal. Only a single file # destination may be configured. # # The dlt destination is for the automotive `Diagnostic Log and Trace` tool. # This requires that Mosquitto has been compiled with DLT support. # # Note that if the broker is running as a Windows service it will default to # "log_dest none" and neither stdout nor stderr logging is available. # Use "log_dest none" if you wish to disable logging. #log_dest stderr # Types of messages to log. Use multiple log_type lines for logging # multiple types of messages. # Possible types are: debug, error, warning, notice, information, # none, subscribe, unsubscribe, websockets, all. # Note that debug type messages are for decoding the incoming/outgoing # network packets. They are not logged in "topics". #log_type error #log_type warning #log_type notice #log_type information # If set to true, client connection and disconnection messages will be included # in the log. #connection_messages true # If using syslog logging (not on Windows), messages will be logged to the # "daemon" facility by default. Use the log_facility option to choose which of # local0 to local7 to log to instead. The option value should be an integer # value, e.g. "log_facility 5" to use local5. #log_facility # If set to true, add a timestamp value to each log message. #log_timestamp true # Set the format of the log timestamp. If left unset, this is the number of # seconds since the Unix epoch. # This is a free text string which will be passed to the strftime function. To # get an ISO 8601 datetime, for example: # log_timestamp_format %Y-%m-%dT%H:%M:%S #log_timestamp_format # Change the websockets logging level. This is a global option, it is not # possible to set per listener. This is an integer that is interpreted by # libwebsockets as a bit mask for its lws_log_levels enum. See the # libwebsockets documentation for more details. "log_type websockets" must also # be enabled. #websockets_log_level 0 # ================================================================= # Security # ================================================================= # If set, only clients that have a matching prefix on their # clientid will be allowed to connect to the broker. By default, # all clients may connect. # For example, setting "secure-" here would mean a client "secure- # client" could connect but another with clientid "mqtt" couldn't. #clientid_prefixes # Boolean value that determines whether clients that connect # without providing a username are allowed to connect. If set to # false then a password file should be created (see the # password_file option) to control authenticated client access. # # Defaults to false, unless there are no listeners defined in the configuration # file, in which case it is set to true, but connections are only allowed from # the local machine. #allow_anonymous false # ----------------------------------------------------------------- # Default authentication and topic access control # ----------------------------------------------------------------- # Control access to the broker using a password file. This file can be # generated using the mosquitto_passwd utility. If TLS support is not compiled # into mosquitto (it is recommended that TLS support should be included) then # plain text passwords are used, in which case the file should be a text file # with lines in the format: # username:password # The password (and colon) may be omitted if desired, although this # offers very little in the way of security. # # See the TLS client require_certificate and use_identity_as_username options # for alternative authentication options. If a plugin is used as well as # password_file, the plugin check will be made first. #password_file # Access may also be controlled using a pre-shared-key file. This requires # TLS-PSK support and a listener configured to use it. The file should be text # lines in the format: # identity:key # The key should be in hexadecimal format without a leading "0x". # If an plugin is used as well, the plugin check will be made first. #psk_file # Control access to topics on the broker using an access control list # file. If this parameter is defined then only the topics listed will # have access. # If the first character of a line of the ACL file is a # it is treated as a # comment. # Topic access is added with lines of the format: # # topic [read|write|readwrite|deny] # # The access type is controlled using "read", "write", "readwrite" or "deny". # This parameter is optional (unless contains a space character) - if # not given then the access is read/write. can contain the + or # # wildcards as in subscriptions. # # The "deny" option can used to explicity deny access to a topic that would # otherwise be granted by a broader read/write/readwrite statement. Any "deny" # topics are handled before topics that grant read/write access. # # The first set of topics are applied to anonymous clients, assuming # allow_anonymous is true. User specific topic ACLs are added after a # user line as follows: # # user # # The username referred to here is the same as in password_file. It is # not the clientid. # # # If is also possible to define ACLs based on pattern substitution within the # topic. The patterns available for substition are: # # %c to match the client id of the client # %u to match the username of the client # # The substitution pattern must be the only text for that level of hierarchy. # # The form is the same as for the topic keyword, but using pattern as the # keyword. # Pattern ACLs apply to all users even if the "user" keyword has previously # been given. # # If using bridges with usernames and ACLs, connection messages can be allowed # with the following pattern: # pattern write $SYS/broker/connection/%c/state # # pattern [read|write|readwrite] # # Example: # # pattern write sensor/%u/data # # If an plugin is used as well as acl_file, the plugin check will be # made first. #acl_file # ----------------------------------------------------------------- # External authentication and topic access plugin options # ----------------------------------------------------------------- # External authentication and access control can be supported with the # plugin option. This is a path to a loadable plugin. See also the # plugin_opt_* options described below. # # The plugin option can be specified multiple times to load multiple # plugins. The plugins will be processed in the order that they are specified # here. If the plugin option is specified alongside either of # password_file or acl_file then the plugin checks will be made first. # # If the per_listener_settings option is false, the plugin will be apply to all # listeners. If per_listener_settings is true, then the plugin will apply to # the current listener being defined only. # # This option is also available as `auth_plugin`, but this use is deprecated # and will be removed in the future. # #plugin # If the plugin option above is used, define options to pass to the # plugin here as described by the plugin instructions. All options named # using the format plugin_opt_* will be passed to the plugin, for example: # # This option is also available as `auth_opt_*`, but this use is deprecated # and will be removed in the future. # # plugin_opt_db_host # plugin_opt_db_port # plugin_opt_db_username # plugin_opt_db_password # ================================================================= # Bridges # ================================================================= # A bridge is a way of connecting multiple MQTT brokers together. # Create a new bridge using the "connection" option as described below. Set # options for the bridges using the remaining parameters. You must specify the # address and at least one topic to subscribe to. # # Each connection must have a unique name. # # The address line may have multiple host address and ports specified. See # below in the round_robin description for more details on bridge behaviour if # multiple addresses are used. Note that if you use an IPv6 address, then you # are required to specify a port. # # The direction that the topic will be shared can be chosen by # specifying out, in or both, where the default value is out. # The QoS level of the bridged communication can be specified with the next # topic option. The default QoS level is 0, to change the QoS the topic # direction must also be given. # # The local and remote prefix options allow a topic to be remapped when it is # bridged to/from the remote broker. This provides the ability to place a topic # tree in an appropriate location. # # For more details see the mosquitto.conf man page. # # Multiple topics can be specified per connection, but be careful # not to create any loops. # # If you are using bridges with cleansession set to false (the default), then # you may get unexpected behaviour from incoming topics if you change what # topics you are subscribing to. This is because the remote broker keeps the # subscription for the old topic. If you have this problem, connect your bridge # with cleansession set to true, then reconnect with cleansession set to false # as normal. #connection #address [:] [[:]] #topic [[[out | in | both] qos-level] local-prefix remote-prefix] # If you need to have the bridge connect over a particular network interface, # use bridge_bind_address to tell the bridge which local IP address the socket # should bind to, e.g. `bridge_bind_address 192.168.1.10` #bridge_bind_address # If a bridge has topics that have "out" direction, the default behaviour is to # send an unsubscribe request to the remote broker on that topic. This means # that changing a topic direction from "in" to "out" will not keep receiving # incoming messages. Sending these unsubscribe requests is not always # desirable, setting bridge_attempt_unsubscribe to false will disable sending # the unsubscribe request. #bridge_attempt_unsubscribe true # Set the version of the MQTT protocol to use with for this bridge. Can be one # of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311. #bridge_protocol_version mqttv311 # Set the clean session variable for this bridge. # When set to true, when the bridge disconnects for any reason, all # messages and subscriptions will be cleaned up on the remote # broker. Note that with cleansession set to true, there may be a # significant amount of retained messages sent when the bridge # reconnects after losing its connection. # When set to false, the subscriptions and messages are kept on the # remote broker, and delivered when the bridge reconnects. #cleansession false # Set the amount of time a bridge using the lazy start type must be idle before # it will be stopped. Defaults to 60 seconds. #idle_timeout 60 # Set the keepalive interval for this bridge connection, in # seconds. #keepalive_interval 60 # Set the clientid to use on the local broker. If not defined, this defaults to # 'local.'. If you are bridging a broker to itself, it is important # that local_clientid and clientid do not match. #local_clientid # If set to true, publish notification messages to the local and remote brokers # giving information about the state of the bridge connection. Retained # messages are published to the topic $SYS/broker/connection//state # unless the notification_topic option is used. # If the message is 1 then the connection is active, or 0 if the connection has # failed. # This uses the last will and testament feature. #notifications true # Choose the topic on which notification messages for this bridge are # published. If not set, messages are published on the topic # $SYS/broker/connection//state #notification_topic # Set the client id to use on the remote end of this bridge connection. If not # defined, this defaults to 'name.hostname' where name is the connection name # and hostname is the hostname of this computer. # This replaces the old "clientid" option to avoid confusion. "clientid" # remains valid for the time being. #remote_clientid # Set the password to use when connecting to a broker that requires # authentication. This option is only used if remote_username is also set. # This replaces the old "password" option to avoid confusion. "password" # remains valid for the time being. #remote_password # Set the username to use when connecting to a broker that requires # authentication. # This replaces the old "username" option to avoid confusion. "username" # remains valid for the time being. #remote_username # Set the amount of time a bridge using the automatic start type will wait # until attempting to reconnect. # This option can be configured to use a constant delay time in seconds, or to # use a backoff mechanism based on "Decorrelated Jitter", which adds a degree # of randomness to when the restart occurs. # # Set a constant timeout of 20 seconds: # restart_timeout 20 # # Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of # 60 seconds: # restart_timeout 10 30 # # Defaults to jitter with a base of 5 and cap of 30 #restart_timeout 5 30 # If the bridge has more than one address given in the address/addresses # configuration, the round_robin option defines the behaviour of the bridge on # a failure of the bridge connection. If round_robin is false, the default # value, then the first address is treated as the main bridge connection. If # the connection fails, the other secondary addresses will be attempted in # turn. Whilst connected to a secondary bridge, the bridge will periodically # attempt to reconnect to the main bridge until successful. # If round_robin is true, then all addresses are treated as equals. If a # connection fails, the next address will be tried and if successful will # remain connected until it fails #round_robin false # Set the start type of the bridge. This controls how the bridge starts and # can be one of three types: automatic, lazy and once. Note that RSMB provides # a fourth start type "manual" which isn't currently supported by mosquitto. # # "automatic" is the default start type and means that the bridge connection # will be started automatically when the broker starts and also restarted # after a short delay (30 seconds) if the connection fails. # # Bridges using the "lazy" start type will be started automatically when the # number of queued messages exceeds the number set with the "threshold" # parameter. It will be stopped automatically after the time set by the # "idle_timeout" parameter. Use this start type if you wish the connection to # only be active when it is needed. # # A bridge using the "once" start type will be started automatically when the # broker starts but will not be restarted if the connection fails. #start_type automatic # Set the number of messages that need to be queued for a bridge with lazy # start type to be restarted. Defaults to 10 messages. # Must be less than max_queued_messages. #threshold 10 # If try_private is set to true, the bridge will attempt to indicate to the # remote broker that it is a bridge not an ordinary client. If successful, this # means that loop detection will be more effective and that retained messages # will be propagated correctly. Not all brokers support this feature so it may # be necessary to set try_private to false if your bridge does not connect # properly. #try_private true # Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism # for brokers to tell clients that they do not support retained messages, but # this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a # v3.1.1 or v3.1 broker that does not support retained messages, set the # bridge_outgoing_retain option to false. This will remove the retain bit on # all outgoing messages to that bridge, regardless of any other setting. #bridge_outgoing_retain true # If you wish to restrict the size of messages sent to a remote bridge, use the # bridge_max_packet_size option. This sets the maximum number of bytes for # the total message, including headers and payload. # Note that MQTT v5 brokers may provide their own maximum-packet-size property. # In this case, the smaller of the two limits will be used. # Set to 0 for "unlimited". #bridge_max_packet_size 0 # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- # Either bridge_cafile or bridge_capath must be defined to enable TLS support # for this bridge. # bridge_cafile defines the path to a file containing the # Certificate Authority certificates that have signed the remote broker # certificate. # bridge_capath defines a directory that will be searched for files containing # the CA certificates. For bridge_capath to work correctly, the certificate # files must have ".crt" as the file ending and you must run "openssl rehash # " each time you add/remove a certificate. #bridge_cafile #bridge_capath # If the remote broker has more than one protocol available on its port, e.g. # MQTT and WebSockets, then use bridge_alpn to configure which protocol is # requested. Note that WebSockets support for bridges is not yet available. #bridge_alpn # When using certificate based encryption, bridge_insecure disables # verification of the server hostname in the server certificate. This can be # useful when testing initial server configurations, but makes it possible for # a malicious third party to impersonate your server through DNS spoofing, for # example. Use this option in testing only. If you need to resort to using this # option in a production environment, your setup is at fault and there is no # point using encryption. #bridge_insecure false # Path to the PEM encoded client certificate, if required by the remote broker. #bridge_certfile # Path to the PEM encoded client private key, if required by the remote broker. #bridge_keyfile # ----------------------------------------------------------------- # PSK based SSL/TLS support # ----------------------------------------------------------------- # Pre-shared-key encryption provides an alternative to certificate based # encryption. A bridge can be configured to use PSK with the bridge_identity # and bridge_psk options. These are the client PSK identity, and pre-shared-key # in hexadecimal format with no "0x". Only one of certificate and PSK based # encryption can be used on one # bridge at once. #bridge_identity #bridge_psk # ================================================================= # External config files # ================================================================= # External configuration files may be included by using the # include_dir option. This defines a directory that will be searched # for config files. All files that end in '.conf' will be loaded as # a configuration file. It is best to have this as the last option # in the main file. This option will only be processed from the main # configuration file. The directory specified must not contain the # main configuration file. # Files within include_dir will be loaded sorted in case-sensitive # alphabetical order, with capital letters ordered first. If this option is # given multiple times, all of the files from the first instance will be # processed before the next instance. See the man page for examples. #include_dir CFGEOF #Gen file /etc/mosquitto/mosquitto.conf mkdir -p "/etc/mosquitto" cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf" # Config file for mosquitto # # See mosquitto.conf(5) for more information. # # Default values are shown, uncomment to change. # # Use the # character to indicate a comment, but only if it is the # very first character on the line. # ================================================================= # General configuration # ================================================================= # Use per listener security settings. # # It is recommended this option be set before any other options. # # If this option is set to true, then all authentication and access control # options are controlled on a per listener basis. The following options are # affected: # # acl_file # allow_anonymous # allow_zero_length_clientid # auto_id_prefix # password_file # plugin # plugin_opt_* # psk_file # # Note that if set to true, then a durable client (i.e. with clean session set # to false) that has disconnected will use the ACL settings defined for the # listener that it was most recently connected to. # # The default behaviour is for this to be set to false, which maintains the # setting behaviour from previous versions of mosquitto. #per_listener_settings false # This option controls whether a client is allowed to connect with a zero # length client id or not. This option only affects clients using MQTT v3.1.1 # and later. If set to false, clients connecting with a zero length client id # are disconnected. If set to true, clients will be allocated a client id by # the broker. This means it is only useful for clients with clean session set # to true. #allow_zero_length_clientid true # If allow_zero_length_clientid is true, this option allows you to set a prefix # to automatically generated client ids to aid visibility in logs. # Defaults to 'auto-' #auto_id_prefix auto- # This option affects the scenario when a client subscribes to a topic that has # retained messages. It is possible that the client that published the retained # message to the topic had access at the time they published, but that access # has been subsequently removed. If check_retain_source is set to true, the # default, the source of a retained message will be checked for access rights # before it is republished. When set to false, no check will be made and the # retained message will always be published. This affects all listeners. #check_retain_source true # QoS 1 and 2 messages will be allowed inflight per client until this limit # is exceeded. Defaults to 0. (No maximum) # See also max_inflight_messages #max_inflight_bytes 0 # The maximum number of QoS 1 and 2 messages currently inflight per # client. # This includes messages that are partway through handshakes and # those that are being retried. Defaults to 20. Set to 0 for no # maximum. Setting to 1 will guarantee in-order delivery of QoS 1 # and 2 messages. #max_inflight_messages 20 # For MQTT v5 clients, it is possible to have the server send a "server # keepalive" value that will override the keepalive value set by the client. # This is intended to be used as a mechanism to say that the server will # disconnect the client earlier than it anticipated, and that the client should # use the new keepalive value. The max_keepalive option allows you to specify # that clients may only connect with keepalive less than or equal to this # value, otherwise they will be sent a server keepalive telling them to use # max_keepalive. This only applies to MQTT v5 clients. The default, and maximum # value allowable, is 65535. # # Set to 0 to allow clients to set keepalive = 0, which means no keepalive # checks are made and the client will never be disconnected by the broker if no # messages are received. You should be very sure this is the behaviour that you # want. # # For MQTT v3.1.1 and v3.1 clients, there is no mechanism to tell the client # what keepalive value they should use. If an MQTT v3.1.1 or v3.1 client # specifies a keepalive time greater than max_keepalive they will be sent a # CONNACK message with the "identifier rejected" reason code, and disconnected. # #max_keepalive 65535 # For MQTT v5 clients, it is possible to have the server send a "maximum packet # size" value that will instruct the client it will not accept MQTT packets # with size greater than max_packet_size bytes. This applies to the full MQTT # packet, not just the payload. Setting this option to a positive value will # set the maximum packet size to that number of bytes. If a client sends a # packet which is larger than this value, it will be disconnected. This applies # to all clients regardless of the protocol version they are using, but v3.1.1 # and earlier clients will of course not have received the maximum packet size # information. Defaults to no limit. Setting below 20 bytes is forbidden # because it is likely to interfere with ordinary client operation, even with # very small payloads. #max_packet_size 0 # QoS 1 and 2 messages above those currently in-flight will be queued per # client until this limit is exceeded. Defaults to 0. (No maximum) # See also max_queued_messages. # If both max_queued_messages and max_queued_bytes are specified, packets will # be queued until the first limit is reached. #max_queued_bytes 0 # Set the maximum QoS supported. Clients publishing at a QoS higher than # specified here will be disconnected. #max_qos 2 # The maximum number of QoS 1 and 2 messages to hold in a queue per client # above those that are currently in-flight. Defaults to 1000. Set # to 0 for no maximum (not recommended). # See also queue_qos0_messages. # See also max_queued_bytes. #max_queued_messages 1000 # # This option sets the maximum number of heap memory bytes that the broker will # allocate, and hence sets a hard limit on memory use by the broker. Memory # requests that exceed this value will be denied. The effect will vary # depending on what has been denied. If an incoming message is being processed, # then the message will be dropped and the publishing client will be # disconnected. If an outgoing message is being sent, then the individual # message will be dropped and the receiving client will be disconnected. # Defaults to no limit. #memory_limit 0 # This option sets the maximum publish payload size that the broker will allow. # Received messages that exceed this size will not be accepted by the broker. # The default value is 0, which means that all valid MQTT messages are # accepted. MQTT imposes a maximum payload size of 268435455 bytes. #message_size_limit 0 # This option allows the session of persistent clients (those with clean # session set to false) that are not currently connected to be removed if they # do not reconnect within a certain time frame. This is a non-standard option # in MQTT v3.1. MQTT v3.1.1 and v5.0 allow brokers to remove client sessions. # # Badly designed clients may set clean session to false whilst using a randomly # generated client id. This leads to persistent clients that connect once and # never reconnect. This option allows these clients to be removed. This option # allows persistent clients (those with clean session set to false) to be # removed if they do not reconnect within a certain time frame. # # The expiration period should be an integer followed by one of h d w m y for # hour, day, week, month and year respectively. For example # # persistent_client_expiration 2m # persistent_client_expiration 14d # persistent_client_expiration 1y # # The default if not set is to never expire persistent clients. #persistent_client_expiration # Write process id to a file. Default is a blank string which means # a pid file shouldn't be written. # This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is # being run automatically on boot with an init script and # start-stop-daemon or similar. #pid_file # Set to true to queue messages with QoS 0 when a persistent client is # disconnected. These messages are included in the limit imposed by # max_queued_messages and max_queued_bytes # Defaults to false. # This is a non-standard option for the MQTT v3.1 spec but is allowed in # v3.1.1. #queue_qos0_messages false # Set to false to disable retained message support. If a client publishes a # message with the retain bit set, it will be disconnected if this is set to # false. #retain_available true # Disable Nagle's algorithm on client sockets. This has the effect of reducing # latency of individual messages at the potential cost of increasing the number # of packets being sent. #set_tcp_nodelay false # Time in seconds between updates of the $SYS tree. # Set to 0 to disable the publishing of the $SYS tree. #sys_interval 10 # The MQTT specification requires that the QoS of a message delivered to a # subscriber is never upgraded to match the QoS of the subscription. Enabling # this option changes this behaviour. If upgrade_outgoing_qos is set true, # messages sent to a subscriber will always match the QoS of its subscription. # This is a non-standard option explicitly disallowed by the spec. #upgrade_outgoing_qos false # When run as root, drop privileges to this user and its primary # group. # Set to root to stay as root, but this is not recommended. # If set to "mosquitto", or left unset, and the "mosquitto" user does not exist # then it will drop privileges to the "nobody" user instead. # If run as a non-root user, this setting has no effect. # Note that on Windows this has no effect and so mosquitto should be started by # the user you wish it to run as. #user mosquitto # ================================================================= # Listeners # ================================================================= # Listen on a port/ip address combination. By using this variable # multiple times, mosquitto can listen on more than one port. If # this variable is used and neither bind_address nor port given, # then the default listener will not be started. # The port number to listen on must be given. Optionally, an ip # address or host name may be supplied as a second argument. In # this case, mosquitto will attempt to bind the listener to that # address and so restrict access to the associated network and # interface. By default, mosquitto will listen on all interfaces. # Note that for a websockets listener it is not possible to bind to a host # name. # # On systems that support Unix Domain Sockets, it is also possible # to create a # Unix socket rather than opening a TCP socket. In # this case, the port number should be set to 0 and a unix socket # path must be provided, e.g. # listener 0 /tmp/mosquitto.sock # # listener port-number [ip address/host name/unix socket path] #listener # By default, a listener will attempt to listen on all supported IP protocol # versions. If you do not have an IPv4 or IPv6 interface you may wish to # disable support for either of those protocol versions. In particular, note # that due to the limitations of the websockets library, it will only ever # attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail # if IPv6 is not available. # # Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to # force the listener to only use IPv6. If you want support for both IPv4 and # IPv6, then do not use the socket_domain option. # #socket_domain # Bind the listener to a specific interface. This is similar to # the [ip address/host name] part of the listener definition, but is useful # when an interface has multiple addresses or the address may change. If used # with the [ip address/host name] part of the listener definition, then the # bind_interface option will take priority. # Not available on Windows. # # Example: bind_interface eth0 #bind_interface # When a listener is using the websockets protocol, it is possible to serve # http data as well. Set http_dir to a directory which contains the files you # wish to serve. If this option is not specified, then no normal http # connections will be possible. #http_dir # The maximum number of client connections to allow. This is # a per listener setting. # Default is -1, which means unlimited connections. # Note that other process limits mean that unlimited connections # are not really possible. Typically the default maximum number of # connections possible is around 1024. #max_connections -1 # The listener can be restricted to operating within a topic hierarchy using # the mount_point option. This is achieved be prefixing the mount_point string # to all topics for any clients connected to this listener. This prefixing only # happens internally to the broker; the client will not see the prefix. #mount_point # Choose the protocol to use when listening. # This can be either mqtt or websockets. # Certificate based TLS may be used with websockets, except that only the # cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported. #protocol mqtt # Set use_username_as_clientid to true to replace the clientid that a client # connected with with its username. This allows authentication to be tied to # the clientid, which means that it is possible to prevent one client # disconnecting another by using the same clientid. # If a client connects with no username it will be disconnected as not # authorised when this option is set to true. # Do not use in conjunction with clientid_prefixes. # See also use_identity_as_username. # This does not apply globally, but on a per-listener basis. #use_username_as_clientid # Change the websockets headers size. This is a global option, it is not # possible to set per listener. This option sets the size of the buffer used in # the libwebsockets library when reading HTTP headers. If you are passing large # header data such as cookies then you may need to increase this value. If left # unset, or set to 0, then the default of 1024 bytes will be used. #websockets_headers_size # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- # The following options can be used to enable certificate based SSL/TLS support # for this listener. Note that the recommended port for MQTT over TLS is 8883, # but this must be set manually. # # See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS # support" section. Only one of certificate or PSK encryption support can be # enabled for any listener. # Both of certfile and keyfile must be defined to enable certificate based # TLS encryption. # Path to the PEM encoded server certificate. #certfile # Path to the PEM encoded keyfile. #keyfile # If you wish to control which encryption ciphers are used, use the ciphers # option. The list of available ciphers can be optained using the "openssl # ciphers" command and should be provided in the same format as the output of # that command. This applies to TLS 1.2 and earlier versions only. Use # ciphers_tls1.3 for TLS v1.3. #ciphers # Choose which TLS v1.3 ciphersuites are used for this listener. # Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" #ciphers_tls1.3 # If you have require_certificate set to true, you can create a certificate # revocation list file to revoke access to particular client certificates. If # you have done this, use crlfile to point to the PEM encoded revocation file. #crlfile # To allow the use of ephemeral DH key exchange, which provides forward # security, the listener must load DH parameters. This can be specified with # the dhparamfile option. The dhparamfile can be generated with the command # e.g. "openssl dhparam -out dhparam.pem 2048" #dhparamfile # By default an TLS enabled listener will operate in a similar fashion to a # https enabled web server, in that the server has a certificate signed by a CA # and the client will verify that it is a trusted certificate. The overall aim # is encryption of the network traffic. By setting require_certificate to true, # the client must provide a valid certificate in order for the network # connection to proceed. This allows access to the broker to be controlled # outside of the mechanisms provided by MQTT. #require_certificate false # cafile and capath define methods of accessing the PEM encoded # Certificate Authority certificates that will be considered trusted when # checking incoming client certificates. # cafile defines the path to a file containing the CA certificates. # capath defines a directory that will be searched for files # containing the CA certificates. For capath to work correctly, the # certificate files must have ".crt" as the file ending and you must run # "openssl rehash " each time you add/remove a certificate. #cafile #capath # If require_certificate is true, you may set use_identity_as_username to true # to use the CN value from the client certificate as a username. If this is # true, the password_file option will not be used for this listener. #use_identity_as_username false # ----------------------------------------------------------------- # Pre-shared-key based SSL/TLS support # ----------------------------------------------------------------- # The following options can be used to enable PSK based SSL/TLS support for # this listener. Note that the recommended port for MQTT over TLS is 8883, but # this must be set manually. # # See also the mosquitto-tls man page and the "Certificate based SSL/TLS # support" section. Only one of certificate or PSK encryption support can be # enabled for any listener. # The psk_hint option enables pre-shared-key support for this listener and also # acts as an identifier for this listener. The hint is sent to clients and may # be used locally to aid authentication. The hint is a free form string that # doesn't have much meaning in itself, so feel free to be creative. # If this option is provided, see psk_file to define the pre-shared keys to be # used or create a security plugin to handle them. #psk_hint # When using PSK, the encryption ciphers used will be chosen from the list of # available PSK ciphers. If you want to control which ciphers are available, # use the "ciphers" option. The list of available ciphers can be optained # using the "openssl ciphers" command and should be provided in the same format # as the output of that command. #ciphers # Set use_identity_as_username to have the psk identity sent by the client used # as its username. Authentication will be carried out using the PSK rather than # the MQTT username/password and so password_file will not be used for this # listener. #use_identity_as_username false # ================================================================= # Persistence # ================================================================= # If persistence is enabled, save the in-memory database to disk # every autosave_interval seconds. If set to 0, the persistence # database will only be written when mosquitto exits. See also # autosave_on_changes. # Note that writing of the persistence database can be forced by # sending mosquitto a SIGUSR1 signal. #autosave_interval 1800 # If true, mosquitto will count the number of subscription changes, retained # messages received and queued messages and if the total exceeds # autosave_interval then the in-memory database will be saved to disk. # If false, mosquitto will save the in-memory database to disk by treating # autosave_interval as a time in seconds. #autosave_on_changes false # Save persistent message data to disk (true/false). # This saves information about all messages, including # subscriptions, currently in-flight messages and retained # messages. # retained_persistence is a synonym for this option. #persistence false # The filename to use for the persistent database, not including # the path. #persistence_file mosquitto.db # Location for persistent database. # Default is an empty string (current directory). # Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or # similar. #persistence_location # ================================================================= # Logging # ================================================================= # Places to log to. Use multiple log_dest lines for multiple # logging destinations. # Possible destinations are: stdout stderr syslog topic file dlt # # stdout and stderr log to the console on the named output. # # syslog uses the userspace syslog facility which usually ends up # in /var/log/messages or similar. # # topic logs to the broker topic '$SYS/broker/log/', # where severity is one of D, E, W, N, I, M which are debug, error, # warning, notice, information and message. Message type severity is used by # the subscribe/unsubscribe log_types and publishes log messages to # $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. # # The file destination requires an additional parameter which is the file to be # logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be # closed and reopened when the broker receives a HUP signal. Only a single file # destination may be configured. # # The dlt destination is for the automotive `Diagnostic Log and Trace` tool. # This requires that Mosquitto has been compiled with DLT support. # # Note that if the broker is running as a Windows service it will default to # "log_dest none" and neither stdout nor stderr logging is available. # Use "log_dest none" if you wish to disable logging. #log_dest stderr # Types of messages to log. Use multiple log_type lines for logging # multiple types of messages. # Possible types are: debug, error, warning, notice, information, # none, subscribe, unsubscribe, websockets, all. # Note that debug type messages are for decoding the incoming/outgoing # network packets. They are not logged in "topics". #log_type error #log_type warning #log_type notice #log_type information # If set to true, client connection and disconnection messages will be included # in the log. #connection_messages true # If using syslog logging (not on Windows), messages will be logged to the # "daemon" facility by default. Use the log_facility option to choose which of # local0 to local7 to log to instead. The option value should be an integer # value, e.g. "log_facility 5" to use local5. #log_facility # If set to true, add a timestamp value to each log message. #log_timestamp true # Set the format of the log timestamp. If left unset, this is the number of # seconds since the Unix epoch. # This is a free text string which will be passed to the strftime function. To # get an ISO 8601 datetime, for example: # log_timestamp_format %Y-%m-%dT%H:%M:%S #log_timestamp_format # Change the websockets logging level. This is a global option, it is not # possible to set per listener. This is an integer that is interpreted by # libwebsockets as a bit mask for its lws_log_levels enum. See the # libwebsockets documentation for more details. "log_type websockets" must also # be enabled. #websockets_log_level 0 # ================================================================= # Security # ================================================================= # If set, only clients that have a matching prefix on their # clientid will be allowed to connect to the broker. By default, # all clients may connect. # For example, setting "secure-" here would mean a client "secure- # client" could connect but another with clientid "mqtt" couldn't. #clientid_prefixes # Boolean value that determines whether clients that connect # without providing a username are allowed to connect. If set to # false then a password file should be created (see the # password_file option) to control authenticated client access. # # Defaults to false, unless there are no listeners defined in the configuration # file, in which case it is set to true, but connections are only allowed from # the local machine. #allow_anonymous false # ----------------------------------------------------------------- # Default authentication and topic access control # ----------------------------------------------------------------- # Control access to the broker using a password file. This file can be # generated using the mosquitto_passwd utility. If TLS support is not compiled # into mosquitto (it is recommended that TLS support should be included) then # plain text passwords are used, in which case the file should be a text file # with lines in the format: # username:password # The password (and colon) may be omitted if desired, although this # offers very little in the way of security. # # See the TLS client require_certificate and use_identity_as_username options # for alternative authentication options. If a plugin is used as well as # password_file, the plugin check will be made first. #password_file # Access may also be controlled using a pre-shared-key file. This requires # TLS-PSK support and a listener configured to use it. The file should be text # lines in the format: # identity:key # The key should be in hexadecimal format without a leading "0x". # If an plugin is used as well, the plugin check will be made first. #psk_file # Control access to topics on the broker using an access control list # file. If this parameter is defined then only the topics listed will # have access. # If the first character of a line of the ACL file is a # it is treated as a # comment. # Topic access is added with lines of the format: # # topic [read|write|readwrite|deny] # # The access type is controlled using "read", "write", "readwrite" or "deny". # This parameter is optional (unless contains a space character) - if # not given then the access is read/write. can contain the + or # # wildcards as in subscriptions. # # The "deny" option can used to explicity deny access to a topic that would # otherwise be granted by a broader read/write/readwrite statement. Any "deny" # topics are handled before topics that grant read/write access. # # The first set of topics are applied to anonymous clients, assuming # allow_anonymous is true. User specific topic ACLs are added after a # user line as follows: # # user # # The username referred to here is the same as in password_file. It is # not the clientid. # # # If is also possible to define ACLs based on pattern substitution within the # topic. The patterns available for substition are: # # %c to match the client id of the client # %u to match the username of the client # # The substitution pattern must be the only text for that level of hierarchy. # # The form is the same as for the topic keyword, but using pattern as the # keyword. # Pattern ACLs apply to all users even if the "user" keyword has previously # been given. # # If using bridges with usernames and ACLs, connection messages can be allowed # with the following pattern: # pattern write $SYS/broker/connection/%c/state # # pattern [read|write|readwrite] # # Example: # # pattern write sensor/%u/data # # If an plugin is used as well as acl_file, the plugin check will be # made first. #acl_file # ----------------------------------------------------------------- # External authentication and topic access plugin options # ----------------------------------------------------------------- # External authentication and access control can be supported with the # plugin option. This is a path to a loadable plugin. See also the # plugin_opt_* options described below. # # The plugin option can be specified multiple times to load multiple # plugins. The plugins will be processed in the order that they are specified # here. If the plugin option is specified alongside either of # password_file or acl_file then the plugin checks will be made first. # # If the per_listener_settings option is false, the plugin will be apply to all # listeners. If per_listener_settings is true, then the plugin will apply to # the current listener being defined only. # # This option is also available as `auth_plugin`, but this use is deprecated # and will be removed in the future. # #plugin # If the plugin option above is used, define options to pass to the # plugin here as described by the plugin instructions. All options named # using the format plugin_opt_* will be passed to the plugin, for example: # # This option is also available as `auth_opt_*`, but this use is deprecated # and will be removed in the future. # # plugin_opt_db_host # plugin_opt_db_port # plugin_opt_db_username # plugin_opt_db_password # ================================================================= # Bridges # ================================================================= # A bridge is a way of connecting multiple MQTT brokers together. # Create a new bridge using the "connection" option as described below. Set # options for the bridges using the remaining parameters. You must specify the # address and at least one topic to subscribe to. # # Each connection must have a unique name. # # The address line may have multiple host address and ports specified. See # below in the round_robin description for more details on bridge behaviour if # multiple addresses are used. Note that if you use an IPv6 address, then you # are required to specify a port. # # The direction that the topic will be shared can be chosen by # specifying out, in or both, where the default value is out. # The QoS level of the bridged communication can be specified with the next # topic option. The default QoS level is 0, to change the QoS the topic # direction must also be given. # # The local and remote prefix options allow a topic to be remapped when it is # bridged to/from the remote broker. This provides the ability to place a topic # tree in an appropriate location. # # For more details see the mosquitto.conf man page. # # Multiple topics can be specified per connection, but be careful # not to create any loops. # # If you are using bridges with cleansession set to false (the default), then # you may get unexpected behaviour from incoming topics if you change what # topics you are subscribing to. This is because the remote broker keeps the # subscription for the old topic. If you have this problem, connect your bridge # with cleansession set to true, then reconnect with cleansession set to false # as normal. #connection #address [:] [[:]] #topic [[[out | in | both] qos-level] local-prefix remote-prefix] # If you need to have the bridge connect over a particular network interface, # use bridge_bind_address to tell the bridge which local IP address the socket # should bind to, e.g. `bridge_bind_address 192.168.1.10` #bridge_bind_address # If a bridge has topics that have "out" direction, the default behaviour is to # send an unsubscribe request to the remote broker on that topic. This means # that changing a topic direction from "in" to "out" will not keep receiving # incoming messages. Sending these unsubscribe requests is not always # desirable, setting bridge_attempt_unsubscribe to false will disable sending # the unsubscribe request. #bridge_attempt_unsubscribe true # Set the version of the MQTT protocol to use with for this bridge. Can be one # of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311. #bridge_protocol_version mqttv311 # Set the clean session variable for this bridge. # When set to true, when the bridge disconnects for any reason, all # messages and subscriptions will be cleaned up on the remote # broker. Note that with cleansession set to true, there may be a # significant amount of retained messages sent when the bridge # reconnects after losing its connection. # When set to false, the subscriptions and messages are kept on the # remote broker, and delivered when the bridge reconnects. #cleansession false # Set the amount of time a bridge using the lazy start type must be idle before # it will be stopped. Defaults to 60 seconds. #idle_timeout 60 # Set the keepalive interval for this bridge connection, in # seconds. #keepalive_interval 60 # Set the clientid to use on the local broker. If not defined, this defaults to # 'local.'. If you are bridging a broker to itself, it is important # that local_clientid and clientid do not match. #local_clientid # If set to true, publish notification messages to the local and remote brokers # giving information about the state of the bridge connection. Retained # messages are published to the topic $SYS/broker/connection//state # unless the notification_topic option is used. # If the message is 1 then the connection is active, or 0 if the connection has # failed. # This uses the last will and testament feature. #notifications true # Choose the topic on which notification messages for this bridge are # published. If not set, messages are published on the topic # $SYS/broker/connection//state #notification_topic # Set the client id to use on the remote end of this bridge connection. If not # defined, this defaults to 'name.hostname' where name is the connection name # and hostname is the hostname of this computer. # This replaces the old "clientid" option to avoid confusion. "clientid" # remains valid for the time being. #remote_clientid # Set the password to use when connecting to a broker that requires # authentication. This option is only used if remote_username is also set. # This replaces the old "password" option to avoid confusion. "password" # remains valid for the time being. #remote_password # Set the username to use when connecting to a broker that requires # authentication. # This replaces the old "username" option to avoid confusion. "username" # remains valid for the time being. #remote_username # Set the amount of time a bridge using the automatic start type will wait # until attempting to reconnect. # This option can be configured to use a constant delay time in seconds, or to # use a backoff mechanism based on "Decorrelated Jitter", which adds a degree # of randomness to when the restart occurs. # # Set a constant timeout of 20 seconds: # restart_timeout 20 # # Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of # 60 seconds: # restart_timeout 10 30 # # Defaults to jitter with a base of 5 and cap of 30 #restart_timeout 5 30 # If the bridge has more than one address given in the address/addresses # configuration, the round_robin option defines the behaviour of the bridge on # a failure of the bridge connection. If round_robin is false, the default # value, then the first address is treated as the main bridge connection. If # the connection fails, the other secondary addresses will be attempted in # turn. Whilst connected to a secondary bridge, the bridge will periodically # attempt to reconnect to the main bridge until successful. # If round_robin is true, then all addresses are treated as equals. If a # connection fails, the next address will be tried and if successful will # remain connected until it fails #round_robin false # Set the start type of the bridge. This controls how the bridge starts and # can be one of three types: automatic, lazy and once. Note that RSMB provides # a fourth start type "manual" which isn't currently supported by mosquitto. # # "automatic" is the default start type and means that the bridge connection # will be started automatically when the broker starts and also restarted # after a short delay (30 seconds) if the connection fails. # # Bridges using the "lazy" start type will be started automatically when the # number of queued messages exceeds the number set with the "threshold" # parameter. It will be stopped automatically after the time set by the # "idle_timeout" parameter. Use this start type if you wish the connection to # only be active when it is needed. # # A bridge using the "once" start type will be started automatically when the # broker starts but will not be restarted if the connection fails. #start_type automatic # Set the number of messages that need to be queued for a bridge with lazy # start type to be restarted. Defaults to 10 messages. # Must be less than max_queued_messages. #threshold 10 # If try_private is set to true, the bridge will attempt to indicate to the # remote broker that it is a bridge not an ordinary client. If successful, this # means that loop detection will be more effective and that retained messages # will be propagated correctly. Not all brokers support this feature so it may # be necessary to set try_private to false if your bridge does not connect # properly. #try_private true # Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism # for brokers to tell clients that they do not support retained messages, but # this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a # v3.1.1 or v3.1 broker that does not support retained messages, set the # bridge_outgoing_retain option to false. This will remove the retain bit on # all outgoing messages to that bridge, regardless of any other setting. #bridge_outgoing_retain true # If you wish to restrict the size of messages sent to a remote bridge, use the # bridge_max_packet_size option. This sets the maximum number of bytes for # the total message, including headers and payload. # Note that MQTT v5 brokers may provide their own maximum-packet-size property. # In this case, the smaller of the two limits will be used. # Set to 0 for "unlimited". #bridge_max_packet_size 0 # ----------------------------------------------------------------- # Certificate based SSL/TLS support # ----------------------------------------------------------------- # Either bridge_cafile or bridge_capath must be defined to enable TLS support # for this bridge. # bridge_cafile defines the path to a file containing the # Certificate Authority certificates that have signed the remote broker # certificate. # bridge_capath defines a directory that will be searched for files containing # the CA certificates. For bridge_capath to work correctly, the certificate # files must have ".crt" as the file ending and you must run "openssl rehash # " each time you add/remove a certificate. #bridge_cafile #bridge_capath # If the remote broker has more than one protocol available on its port, e.g. # MQTT and WebSockets, then use bridge_alpn to configure which protocol is # requested. Note that WebSockets support for bridges is not yet available. #bridge_alpn # When using certificate based encryption, bridge_insecure disables # verification of the server hostname in the server certificate. This can be # useful when testing initial server configurations, but makes it possible for # a malicious third party to impersonate your server through DNS spoofing, for # example. Use this option in testing only. If you need to resort to using this # option in a production environment, your setup is at fault and there is no # point using encryption. #bridge_insecure false # Path to the PEM encoded client certificate, if required by the remote broker. #bridge_certfile # Path to the PEM encoded client private key, if required by the remote broker. #bridge_keyfile # ----------------------------------------------------------------- # PSK based SSL/TLS support # ----------------------------------------------------------------- # Pre-shared-key encryption provides an alternative to certificate based # encryption. A bridge can be configured to use PSK with the bridge_identity # and bridge_psk options. These are the client PSK identity, and pre-shared-key # in hexadecimal format with no "0x". Only one of certificate and PSK based # encryption can be used on one # bridge at once. #bridge_identity #bridge_psk # ================================================================= # External config files # ================================================================= # External configuration files may be included by using the # include_dir option. This defines a directory that will be searched # for config files. All files that end in '.conf' will be loaded as # a configuration file. It is best to have this as the last option # in the main file. This option will only be processed from the main # configuration file. The directory specified must not contain the # main configuration file. # Files within include_dir will be loaded sorted in case-sensitive # alphabetical order, with capital letters ordered first. If this option is # given multiple times, all of the files from the first instance will be # processed before the next instance. See the man page for examples. #include_dir listener 1883 0.0.0.0 autosave_interval 86400 # once a day persistence true persistence_location /root/bkpscript allow_anonymous true CFGEOF # WARNING: /etc/bird не существует