backup-bot
2342 lines
97 KiB
Bash
2342 lines
97 KiB
Bash
|
|
#hostname= Buran-bee-stya.reut.loc
|
|
#DISTRIB_DESCRIPTION='OpenWrt 23.05.3 r23809-234f1a2efa'
|
|
#profile = beeline_smartbox-turbo-plus
|
|
#target = ramips
|
|
#soc = mt7621
|
|
#arch = mipsel_24kc
|
|
#Beeline SmartBox TURBO+ custom default settings
|
|
#----------------------------------------------------
|
|
#Generating cmd for install pkg
|
|
#----------------------------------------------------
|
|
opkg install luci-app-mosquitto
|
|
opkg install iwinfo
|
|
opkg install cgi-io
|
|
opkg install opkg
|
|
opkg install luci-app-opkg
|
|
opkg install kmod-usb-storage-uas
|
|
opkg install ubus
|
|
opkg install rpcd
|
|
opkg install kmod-nft-fib
|
|
opkg install kmod-nfnetlink
|
|
opkg install kmod-crypto-hash
|
|
opkg install kmod-nf-reject6
|
|
opkg install luci-mod-system
|
|
opkg install kmod-nf-flow
|
|
opkg install kmod-lib-crc-ccitt
|
|
opkg install ucode-mod-uloop
|
|
opkg install getrandom
|
|
opkg install ucode-mod-ubus
|
|
opkg install luci-theme-bootstrap
|
|
opkg install kmod-pppoe
|
|
opkg install kmod-pppox
|
|
opkg install kmod-nf-reject
|
|
opkg install procd-ujail
|
|
opkg install base-files
|
|
opkg install kmod-nf-nat
|
|
opkg install kmod-crypto-crc32c
|
|
opkg install ucode-mod-uci
|
|
opkg install netifd
|
|
opkg install uboot-envtools
|
|
opkg install dnsmasq
|
|
opkg install usbutils
|
|
opkg install ubusd
|
|
opkg install kmod-crypto-acompress
|
|
opkg install rpcd-mod-ucode
|
|
opkg install ucode-mod-math
|
|
opkg install kmod-lib-crc32c
|
|
opkg install luci-mod-status
|
|
opkg install block-mount
|
|
opkg install kmod-nft-nat
|
|
opkg install kmod-usb3
|
|
opkg install kmod-fs-exfat
|
|
opkg install luci-app-firewall
|
|
opkg install ubi-utils
|
|
opkg install odhcp6c
|
|
opkg install fstools
|
|
opkg install uci
|
|
opkg install ucode-mod-fs
|
|
opkg install kmod-fs-ext4
|
|
opkg install luci-ssl
|
|
opkg install dropbear
|
|
opkg install rpcd-mod-file
|
|
opkg install mtd
|
|
opkg install odhcpd-ipv6only
|
|
opkg install procd-seccomp
|
|
opkg install ucode-mod-nl80211
|
|
opkg install libiwinfo-data
|
|
opkg install ucode
|
|
opkg install rpcd-mod-luci
|
|
opkg install kmod-nf-log
|
|
opkg install urandom-seed
|
|
opkg install luci-proto-ppp
|
|
opkg install luci-mod-admin-full
|
|
opkg install ppp
|
|
opkg install luci-base
|
|
opkg install kmod-leds-gpio
|
|
opkg install kmod-gpio-button-hotplug
|
|
opkg install logd
|
|
opkg install kmod-mt7603
|
|
opkg install kmod-nf-log6
|
|
opkg install luci-proto-ipv6
|
|
opkg install kmod-fs-ntfs3
|
|
opkg install jshn
|
|
opkg install e2fsprogs
|
|
opkg install kmod-ppp
|
|
opkg install kmod-nft-offload
|
|
opkg install netcat
|
|
opkg install luci-app-samba4
|
|
opkg install kmod-mt7615-firmware
|
|
opkg install uhttpd
|
|
opkg install kmod-nf-conntrack
|
|
opkg install usign
|
|
opkg install atftpd
|
|
opkg install ucode-mod-rtnl
|
|
opkg install ucode-mod-html
|
|
opkg install luci
|
|
opkg install kmod-nf-conntrack6
|
|
opkg install luci-light
|
|
opkg install kmod-lib-lzo
|
|
opkg install ubox
|
|
opkg install kernel
|
|
opkg install rpcd-mod-iwinfo
|
|
opkg install luci-mod-network
|
|
opkg install kmod-nft-core
|
|
opkg install lldpd
|
|
opkg install mount-utils
|
|
opkg install uhttpd-mod-ubus
|
|
opkg install fwtool
|
|
opkg install jsonfilter
|
|
opkg install liblucihttp-ucode
|
|
opkg install iperf3
|
|
opkg install hostapd-common
|
|
opkg install vsftpd
|
|
opkg install luci-app-hd-idle
|
|
opkg install urngd
|
|
opkg install kmod-slhc
|
|
opkg install rpcd-mod-rrdns
|
|
opkg install ppp-mod-pppoe
|
|
#----------------------------------------------------
|
|
#Generating configuration Beeline SmartBox TURBO+
|
|
#----------------------------------------------------
|
|
uci -q batch << EOI
|
|
set atftpd.service=service
|
|
set atftpd.service.path='/srv/tftp'
|
|
commit atftpd
|
|
set dhcp.@dnsmasq[0]=dnsmasq
|
|
set dhcp.@dnsmasq[0].domainneeded='1'
|
|
set dhcp.@dnsmasq[0].localise_queries='1'
|
|
set dhcp.@dnsmasq[0].rebind_protection='1'
|
|
set dhcp.@dnsmasq[0].rebind_localhost='1'
|
|
set dhcp.@dnsmasq[0].local='/lan/'
|
|
set dhcp.@dnsmasq[0].domain='lan'
|
|
set dhcp.@dnsmasq[0].expandhosts='1'
|
|
set dhcp.@dnsmasq[0].cachesize='1000'
|
|
set dhcp.@dnsmasq[0].authoritative='1'
|
|
set dhcp.@dnsmasq[0].readethers='1'
|
|
set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
|
|
set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
|
|
set dhcp.@dnsmasq[0].localservice='1'
|
|
set dhcp.@dnsmasq[0].ednspacket_max='1232'
|
|
set dhcp.lan=dhcp
|
|
set dhcp.lan.interface='lan'
|
|
set dhcp.lan.start='100'
|
|
set dhcp.lan.limit='150'
|
|
set dhcp.lan.leasetime='12h'
|
|
set dhcp.lan.dhcpv4='server'
|
|
set dhcp.lan.ignore='1'
|
|
set dhcp.wan=dhcp
|
|
set dhcp.wan.interface='wan'
|
|
set dhcp.wan.ignore='1'
|
|
set dhcp.odhcpd=odhcpd
|
|
set dhcp.odhcpd.maindhcp='0'
|
|
set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
|
|
set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
|
|
set dhcp.odhcpd.loglevel='4'
|
|
commit dhcp
|
|
set dropbear.@dropbear[0]=dropbear
|
|
set dropbear.@dropbear[0].PasswordAuth='on'
|
|
set dropbear.@dropbear[0].RootPasswordAuth='on'
|
|
set dropbear.@dropbear[0].Port='22'
|
|
commit dropbear
|
|
set firewall.@defaults[0]=defaults
|
|
set firewall.@defaults[0].syn_flood='1'
|
|
set firewall.@defaults[0].input='REJECT'
|
|
set firewall.@defaults[0].output='ACCEPT'
|
|
set firewall.@defaults[0].forward='REJECT'
|
|
set firewall.@zone[0]=zone
|
|
set firewall.@zone[0].name='lan'
|
|
set firewall.@zone[0].network='lan'
|
|
set firewall.@zone[0].input='ACCEPT'
|
|
set firewall.@zone[0].output='ACCEPT'
|
|
set firewall.@zone[0].forward='ACCEPT'
|
|
set firewall.@zone[1]=zone
|
|
set firewall.@zone[1].name='wan'
|
|
set firewall.@zone[1].network='wan' 'wan6'
|
|
set firewall.@zone[1].input='REJECT'
|
|
set firewall.@zone[1].output='ACCEPT'
|
|
set firewall.@zone[1].forward='REJECT'
|
|
set firewall.@zone[1].masq='1'
|
|
set firewall.@zone[1].mtu_fix='1'
|
|
set firewall.@forwarding[0]=forwarding
|
|
set firewall.@forwarding[0].src='lan'
|
|
set firewall.@forwarding[0].dest='wan'
|
|
set firewall.@rule[0]=rule
|
|
set firewall.@rule[0].name='Allow-DHCP-Renew'
|
|
set firewall.@rule[0].src='wan'
|
|
set firewall.@rule[0].proto='udp'
|
|
set firewall.@rule[0].dest_port='68'
|
|
set firewall.@rule[0].target='ACCEPT'
|
|
set firewall.@rule[0].family='ipv4'
|
|
set firewall.@rule[1]=rule
|
|
set firewall.@rule[1].name='Allow-Ping'
|
|
set firewall.@rule[1].src='wan'
|
|
set firewall.@rule[1].proto='icmp'
|
|
set firewall.@rule[1].icmp_type='echo-request'
|
|
set firewall.@rule[1].family='ipv4'
|
|
set firewall.@rule[1].target='ACCEPT'
|
|
set firewall.@rule[2]=rule
|
|
set firewall.@rule[2].name='Allow-IGMP'
|
|
set firewall.@rule[2].src='wan'
|
|
set firewall.@rule[2].proto='igmp'
|
|
set firewall.@rule[2].family='ipv4'
|
|
set firewall.@rule[2].target='ACCEPT'
|
|
set firewall.@rule[3]=rule
|
|
set firewall.@rule[3].name='Allow-DHCPv6'
|
|
set firewall.@rule[3].src='wan'
|
|
set firewall.@rule[3].proto='udp'
|
|
set firewall.@rule[3].dest_port='546'
|
|
set firewall.@rule[3].family='ipv6'
|
|
set firewall.@rule[3].target='ACCEPT'
|
|
set firewall.@rule[4]=rule
|
|
set firewall.@rule[4].name='Allow-MLD'
|
|
set firewall.@rule[4].src='wan'
|
|
set firewall.@rule[4].proto='icmp'
|
|
set firewall.@rule[4].src_ip='fe80::/10'
|
|
set firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
|
|
set firewall.@rule[4].family='ipv6'
|
|
set firewall.@rule[4].target='ACCEPT'
|
|
set firewall.@rule[5]=rule
|
|
set firewall.@rule[5].name='Allow-ICMPv6-Input'
|
|
set firewall.@rule[5].src='wan'
|
|
set firewall.@rule[5].proto='icmp'
|
|
set firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
|
|
set firewall.@rule[5].limit='1000/sec'
|
|
set firewall.@rule[5].family='ipv6'
|
|
set firewall.@rule[5].target='ACCEPT'
|
|
set firewall.@rule[6]=rule
|
|
set firewall.@rule[6].name='Allow-ICMPv6-Forward'
|
|
set firewall.@rule[6].src='wan'
|
|
set firewall.@rule[6].dest='*'
|
|
set firewall.@rule[6].proto='icmp'
|
|
set firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
|
|
set firewall.@rule[6].limit='1000/sec'
|
|
set firewall.@rule[6].family='ipv6'
|
|
set firewall.@rule[6].target='ACCEPT'
|
|
set firewall.@rule[7]=rule
|
|
set firewall.@rule[7].name='Allow-IPSec-ESP'
|
|
set firewall.@rule[7].src='wan'
|
|
set firewall.@rule[7].dest='lan'
|
|
set firewall.@rule[7].proto='esp'
|
|
set firewall.@rule[7].target='ACCEPT'
|
|
set firewall.@rule[8]=rule
|
|
set firewall.@rule[8].name='Allow-ISAKMP'
|
|
set firewall.@rule[8].src='wan'
|
|
set firewall.@rule[8].dest='lan'
|
|
set firewall.@rule[8].dest_port='500'
|
|
set firewall.@rule[8].proto='udp'
|
|
set firewall.@rule[8].target='ACCEPT'
|
|
commit firewall
|
|
set fstab.@global[0]=global
|
|
set fstab.@global[0].anon_swap='0'
|
|
set fstab.@global[0].anon_mount='0'
|
|
set fstab.@global[0].auto_swap='1'
|
|
set fstab.@global[0].auto_mount='1'
|
|
set fstab.@global[0].delay_root='5'
|
|
set fstab.@global[0].check_fs='0'
|
|
set fstab.@mount[0]=mount
|
|
set fstab.@mount[0].target='/mnt/sda'
|
|
set fstab.@mount[0].uuid='9d591806-abe2-402b-a114-502e206789ae'
|
|
set fstab.@mount[0].enabled='1'
|
|
commit fstab
|
|
set hd-idle.@hd-idle[0]=hd-idle
|
|
set hd-idle.@hd-idle[0].disk='sda'
|
|
set hd-idle.@hd-idle[0].enabled='0'
|
|
set hd-idle.@hd-idle[0].idle_time_unit='minutes'
|
|
set hd-idle.@hd-idle[0].idle_time_interval='10'
|
|
commit hd-idle
|
|
set lldpd.config=lldpd
|
|
set lldpd.config.enable_cdp='1'
|
|
set lldpd.config.enable_fdp='1'
|
|
set lldpd.config.enable_sonmp='1'
|
|
set lldpd.config.enable_edp='1'
|
|
set lldpd.config.lldp_class='4'
|
|
set lldpd.config.lldp_location='address country EU'
|
|
set lldpd.config.interface='loopback' 'lan'
|
|
commit lldpd
|
|
set luci.main=core
|
|
set luci.main.lang='auto'
|
|
set luci.main.mediaurlbase='/luci-static/bootstrap'
|
|
set luci.main.resourcebase='/luci-static/resources'
|
|
set luci.main.ubuspath='/ubus/'
|
|
set luci.flash_keep=extern
|
|
set luci.flash_keep.uci='/etc/config/'
|
|
set luci.flash_keep.dropbear='/etc/dropbear/'
|
|
set luci.flash_keep.openvpn='/etc/openvpn/'
|
|
set luci.flash_keep.passwd='/etc/passwd'
|
|
set luci.flash_keep.opkg='/etc/opkg.conf'
|
|
set luci.flash_keep.firewall='/etc/firewall.user'
|
|
set luci.flash_keep.uploads='/lib/uci/upload/'
|
|
set luci.languages=internal
|
|
set luci.sauth=internal
|
|
set luci.sauth.sessionpath='/tmp/luci-sessions'
|
|
set luci.sauth.sessiontime='3600'
|
|
set luci.ccache=internal
|
|
set luci.ccache.enable='1'
|
|
set luci.themes=internal
|
|
set luci.themes.Bootstrap='/luci-static/bootstrap'
|
|
set luci.themes.BootstrapDark='/luci-static/bootstrap-dark'
|
|
set luci.themes.BootstrapLight='/luci-static/bootstrap-light'
|
|
set luci.apply=internal
|
|
set luci.apply.rollback='90'
|
|
set luci.apply.holdoff='4'
|
|
set luci.apply.timeout='5'
|
|
set luci.apply.display='1.5'
|
|
set luci.diag=internal
|
|
set luci.diag.dns='openwrt.org'
|
|
set luci.diag.ping='openwrt.org'
|
|
set luci.diag.route='openwrt.org'
|
|
commit luci
|
|
set mosquitto.owrt=owrt
|
|
set mosquitto.owrt.use_uci='0'
|
|
set mosquitto.mosquitto=mosquitto
|
|
set mosquitto.persistence=persistence
|
|
commit mosquitto
|
|
set network.loopback=interface
|
|
set network.loopback.device='lo'
|
|
set network.loopback.proto='static'
|
|
set network.loopback.ipaddr='127.0.0.1'
|
|
set network.loopback.netmask='255.0.0.0'
|
|
set network.globals=globals
|
|
set network.globals.ula_prefix='fdb5:9be6:0229::/48'
|
|
set network.globals.packet_steering='1'
|
|
set network.@device[0]=device
|
|
set network.@device[0].name='br-lan'
|
|
set network.@device[0].type='bridge'
|
|
set network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
|
|
set network.@device[0].ipv6='0'
|
|
set network.lan=interface
|
|
set network.lan.device='br-lan'
|
|
set network.lan.proto='static'
|
|
set network.lan.ipaddr='172.16.11.7'
|
|
set network.lan.netmask='255.255.255.0'
|
|
set network.lan.ip6assign='60'
|
|
set network.lan.gateway='172.16.11.1'
|
|
set network.lan.dns='172.16.11.1'
|
|
set network.lan.delegate='0'
|
|
set network.wan=interface
|
|
set network.wan.device='wan'
|
|
set network.wan.proto='dhcp'
|
|
set network.wan6=interface
|
|
set network.wan6.device='wan'
|
|
set network.wan6.proto='dhcpv6'
|
|
commit network
|
|
set rpcd.@rpcd[0]=rpcd
|
|
set rpcd.@rpcd[0].socket='/var/run/ubus/ubus.sock'
|
|
set rpcd.@rpcd[0].timeout='30'
|
|
set rpcd.@login[0]=login
|
|
set rpcd.@login[0].username='root'
|
|
set rpcd.@login[0].password='$p$root'
|
|
set rpcd.@login[0].read='*'
|
|
set rpcd.@login[0].write='*'
|
|
commit rpcd
|
|
set samba4.@samba[0]=samba
|
|
set samba4.@samba[0].workgroup='WORKGROUP'
|
|
set samba4.@samba[0].charset='UTF-8'
|
|
set samba4.@samba[0].description='Samba on OpenWRT'
|
|
set samba4.@samba[0].enable_extra_tuning='1'
|
|
set samba4.@sambashare[0]=sambashare
|
|
set samba4.@sambashare[0].name='bkp'
|
|
set samba4.@sambashare[0].path='/mnt/sda'
|
|
set samba4.@sambashare[0].read_only='no'
|
|
set samba4.@sambashare[0].guest_ok='yes'
|
|
set samba4.@sambashare[0].create_mask='0666'
|
|
set samba4.@sambashare[0].dir_mask='0777'
|
|
commit samba4
|
|
set system.@system[0]=system
|
|
set system.@system[0].hostname='Buran-bee-stya.reut.loc'
|
|
set system.@system[0].timezone='MSK-3'
|
|
set system.@system[0].ttylogin='0'
|
|
set system.@system[0].log_size='64'
|
|
set system.@system[0].urandom_seed='0'
|
|
set system.@system[0].compat_version='1.1'
|
|
set system.@system[0].zonename='Europe/Moscow'
|
|
set system.@system[0].log_proto='udp'
|
|
set system.@system[0].conloglevel='8'
|
|
set system.@system[0].cronloglevel='5'
|
|
set system.ntp=timeserver
|
|
set system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org'
|
|
set system.led_wan=led
|
|
set system.led_wan.name='wan'
|
|
set system.led_wan.sysfs='blue:wan'
|
|
set system.led_wan.trigger='netdev'
|
|
set system.led_wan.mode='link tx rx'
|
|
set system.led_wan.dev='wan'
|
|
commit system
|
|
set ubootenv.@ubootenv[0]=ubootenv
|
|
set ubootenv.@ubootenv[0].dev='/dev/mtd0'
|
|
set ubootenv.@ubootenv[0].offset='0x80000'
|
|
set ubootenv.@ubootenv[0].envsize='0x1000'
|
|
set ubootenv.@ubootenv[0].secsize='0x20000'
|
|
commit ubootenv
|
|
set ucitrack.@network[0]=network
|
|
set ucitrack.@network[0].init='network'
|
|
set ucitrack.@network[0].affects='dhcp'
|
|
set ucitrack.@wireless[0]=wireless
|
|
set ucitrack.@wireless[0].affects='network'
|
|
set ucitrack.@firewall[0]=firewall
|
|
set ucitrack.@firewall[0].init='firewall'
|
|
set ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd'
|
|
set ucitrack.@olsr[0]=olsr
|
|
set ucitrack.@olsr[0].init='olsrd'
|
|
set ucitrack.@dhcp[0]=dhcp
|
|
set ucitrack.@dhcp[0].init='dnsmasq'
|
|
set ucitrack.@dhcp[0].affects='odhcpd'
|
|
set ucitrack.@odhcpd[0]=odhcpd
|
|
set ucitrack.@odhcpd[0].init='odhcpd'
|
|
set ucitrack.@dropbear[0]=dropbear
|
|
set ucitrack.@dropbear[0].init='dropbear'
|
|
set ucitrack.@httpd[0]=httpd
|
|
set ucitrack.@httpd[0].init='httpd'
|
|
set ucitrack.@fstab[0]=fstab
|
|
set ucitrack.@fstab[0].exec='/sbin/block mount'
|
|
set ucitrack.@qos[0]=qos
|
|
set ucitrack.@qos[0].init='qos'
|
|
set ucitrack.@system[0]=system
|
|
set ucitrack.@system[0].init='led'
|
|
set ucitrack.@system[0].exec='/etc/init.d/log reload'
|
|
set ucitrack.@system[0].affects='luci_statistics' 'dhcp'
|
|
set ucitrack.@luci_splash[0]=luci_splash
|
|
set ucitrack.@luci_splash[0].init='luci_splash'
|
|
set ucitrack.@upnpd[0]=upnpd
|
|
set ucitrack.@upnpd[0].init='miniupnpd'
|
|
set ucitrack.@ntpclient[0]=ntpclient
|
|
set ucitrack.@ntpclient[0].init='ntpclient'
|
|
set ucitrack.@samba[0]=samba
|
|
set ucitrack.@samba[0].init='samba'
|
|
set ucitrack.@tinyproxy[0]=tinyproxy
|
|
set ucitrack.@tinyproxy[0].init='tinyproxy'
|
|
commit ucitrack
|
|
set uhttpd.main=uhttpd
|
|
set uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
|
|
set uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
|
|
set uhttpd.main.redirect_https='0'
|
|
set uhttpd.main.home='/www'
|
|
set uhttpd.main.rfc1918_filter='1'
|
|
set uhttpd.main.max_requests='3'
|
|
set uhttpd.main.max_connections='100'
|
|
set uhttpd.main.cert='/etc/uhttpd.crt'
|
|
set uhttpd.main.key='/etc/uhttpd.key'
|
|
set uhttpd.main.cgi_prefix='/cgi-bin'
|
|
set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
|
|
set uhttpd.main.script_timeout='60'
|
|
set uhttpd.main.network_timeout='30'
|
|
set uhttpd.main.http_keepalive='20'
|
|
set uhttpd.main.tcp_keepalive='1'
|
|
set uhttpd.main.ucode_prefix='/cgi-bin/luci=/usr/share/ucode/luci/uhttpd.uc'
|
|
set uhttpd.main.ubus_prefix='/ubus'
|
|
set uhttpd.defaults=cert
|
|
set uhttpd.defaults.days='730'
|
|
set uhttpd.defaults.key_type='ec'
|
|
set uhttpd.defaults.bits='2048'
|
|
set uhttpd.defaults.ec_curve='P-256'
|
|
set uhttpd.defaults.country='ZZ'
|
|
set uhttpd.defaults.state='Somewhere'
|
|
set uhttpd.defaults.location='Unknown'
|
|
set uhttpd.defaults.commonname='OpenWrt'
|
|
commit uhttpd
|
|
set wireless.radio0=wifi-device
|
|
set wireless.radio0.type='mac80211'
|
|
set wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
|
|
set wireless.radio0.channel='auto'
|
|
set wireless.radio0.band='2g'
|
|
set wireless.radio0.htmode='HT40'
|
|
set wireless.radio0.cell_density='0'
|
|
set wireless.radio0.country='RU'
|
|
set wireless.default_radio0=wifi-iface
|
|
set wireless.default_radio0.device='radio0'
|
|
set wireless.default_radio0.network='lan'
|
|
set wireless.default_radio0.mode='ap'
|
|
set wireless.default_radio0.ssid='Buran'
|
|
set wireless.default_radio0.encryption='sae'
|
|
set wireless.default_radio0.key='23637387581'
|
|
set wireless.default_radio0.disassoc_low_ack='0'
|
|
set wireless.default_radio0.ieee80211w='1'
|
|
set wireless.default_radio0.ieee80211r='1'
|
|
set wireless.default_radio0.mobility_domain='af53'
|
|
set wireless.default_radio0.ft_over_ds='0'
|
|
set wireless.default_radio0.wpa_disable_eapol_key_retries='1'
|
|
set wireless.default_radio0.skip_inactivity_poll='1'
|
|
set wireless.radio1=wifi-device
|
|
set wireless.radio1.type='mac80211'
|
|
set wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
|
|
set wireless.radio1.channel='60'
|
|
set wireless.radio1.band='5g'
|
|
set wireless.radio1.htmode='VHT160'
|
|
set wireless.radio1.cell_density='0'
|
|
set wireless.radio1.country='RU'
|
|
set wireless.default_radio1=wifi-iface
|
|
set wireless.default_radio1.device='radio1'
|
|
set wireless.default_radio1.network='lan'
|
|
set wireless.default_radio1.mode='ap'
|
|
set wireless.default_radio1.ssid='Buran'
|
|
set wireless.default_radio1.encryption='sae'
|
|
set wireless.default_radio1.key='23637387581'
|
|
set wireless.default_radio1.disassoc_low_ack='0'
|
|
set wireless.default_radio1.ieee80211w='1'
|
|
set wireless.default_radio1.ieee80211r='1'
|
|
set wireless.default_radio1.mobility_domain='af53'
|
|
set wireless.default_radio1.ft_over_ds='0'
|
|
set wireless.default_radio1.wpa_disable_eapol_key_retries='1'
|
|
set wireless.default_radio1.skip_inactivity_poll='1'
|
|
commit wireless
|
|
EOI
|
|
#----------------------------------------------------
|
|
#Generating conf file
|
|
#----------------------------------------------------
|
|
mkdir -p "/etc/mosquitto"
|
|
|
|
mkdir -p "/etc/mosquitto"
|
|
|
|
#Gen file /etc/mosquitto/mosquitto.conf-opkg
|
|
|
|
mkdir -p "/etc/mosquitto"
|
|
cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf-opkg"
|
|
# Config file for mosquitto
|
|
#
|
|
# See mosquitto.conf(5) for more information.
|
|
#
|
|
# Default values are shown, uncomment to change.
|
|
#
|
|
# Use the # character to indicate a comment, but only if it is the
|
|
# very first character on the line.
|
|
|
|
# =================================================================
|
|
# General configuration
|
|
# =================================================================
|
|
|
|
# Use per listener security settings.
|
|
#
|
|
# It is recommended this option be set before any other options.
|
|
#
|
|
# If this option is set to true, then all authentication and access control
|
|
# options are controlled on a per listener basis. The following options are
|
|
# affected:
|
|
#
|
|
# acl_file
|
|
# allow_anonymous
|
|
# allow_zero_length_clientid
|
|
# auto_id_prefix
|
|
# password_file
|
|
# plugin
|
|
# plugin_opt_*
|
|
# psk_file
|
|
#
|
|
# Note that if set to true, then a durable client (i.e. with clean session set
|
|
# to false) that has disconnected will use the ACL settings defined for the
|
|
# listener that it was most recently connected to.
|
|
#
|
|
# The default behaviour is for this to be set to false, which maintains the
|
|
# setting behaviour from previous versions of mosquitto.
|
|
#per_listener_settings false
|
|
|
|
|
|
# This option controls whether a client is allowed to connect with a zero
|
|
# length client id or not. This option only affects clients using MQTT v3.1.1
|
|
# and later. If set to false, clients connecting with a zero length client id
|
|
# are disconnected. If set to true, clients will be allocated a client id by
|
|
# the broker. This means it is only useful for clients with clean session set
|
|
# to true.
|
|
#allow_zero_length_clientid true
|
|
|
|
# If allow_zero_length_clientid is true, this option allows you to set a prefix
|
|
# to automatically generated client ids to aid visibility in logs.
|
|
# Defaults to 'auto-'
|
|
#auto_id_prefix auto-
|
|
|
|
# This option affects the scenario when a client subscribes to a topic that has
|
|
# retained messages. It is possible that the client that published the retained
|
|
# message to the topic had access at the time they published, but that access
|
|
# has been subsequently removed. If check_retain_source is set to true, the
|
|
# default, the source of a retained message will be checked for access rights
|
|
# before it is republished. When set to false, no check will be made and the
|
|
# retained message will always be published. This affects all listeners.
|
|
#check_retain_source true
|
|
|
|
# QoS 1 and 2 messages will be allowed inflight per client until this limit
|
|
# is exceeded. Defaults to 0. (No maximum)
|
|
# See also max_inflight_messages
|
|
#max_inflight_bytes 0
|
|
|
|
# The maximum number of QoS 1 and 2 messages currently inflight per
|
|
# client.
|
|
# This includes messages that are partway through handshakes and
|
|
# those that are being retried. Defaults to 20. Set to 0 for no
|
|
# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
|
|
# and 2 messages.
|
|
#max_inflight_messages 20
|
|
|
|
# For MQTT v5 clients, it is possible to have the server send a "server
|
|
# keepalive" value that will override the keepalive value set by the client.
|
|
# This is intended to be used as a mechanism to say that the server will
|
|
# disconnect the client earlier than it anticipated, and that the client should
|
|
# use the new keepalive value. The max_keepalive option allows you to specify
|
|
# that clients may only connect with keepalive less than or equal to this
|
|
# value, otherwise they will be sent a server keepalive telling them to use
|
|
# max_keepalive. This only applies to MQTT v5 clients. The default, and maximum
|
|
# value allowable, is 65535.
|
|
#
|
|
# Set to 0 to allow clients to set keepalive = 0, which means no keepalive
|
|
# checks are made and the client will never be disconnected by the broker if no
|
|
# messages are received. You should be very sure this is the behaviour that you
|
|
# want.
|
|
#
|
|
# For MQTT v3.1.1 and v3.1 clients, there is no mechanism to tell the client
|
|
# what keepalive value they should use. If an MQTT v3.1.1 or v3.1 client
|
|
# specifies a keepalive time greater than max_keepalive they will be sent a
|
|
# CONNACK message with the "identifier rejected" reason code, and disconnected.
|
|
#
|
|
#max_keepalive 65535
|
|
|
|
# For MQTT v5 clients, it is possible to have the server send a "maximum packet
|
|
# size" value that will instruct the client it will not accept MQTT packets
|
|
# with size greater than max_packet_size bytes. This applies to the full MQTT
|
|
# packet, not just the payload. Setting this option to a positive value will
|
|
# set the maximum packet size to that number of bytes. If a client sends a
|
|
# packet which is larger than this value, it will be disconnected. This applies
|
|
# to all clients regardless of the protocol version they are using, but v3.1.1
|
|
# and earlier clients will of course not have received the maximum packet size
|
|
# information. Defaults to no limit. Setting below 20 bytes is forbidden
|
|
# because it is likely to interfere with ordinary client operation, even with
|
|
# very small payloads.
|
|
#max_packet_size 0
|
|
|
|
# QoS 1 and 2 messages above those currently in-flight will be queued per
|
|
# client until this limit is exceeded. Defaults to 0. (No maximum)
|
|
# See also max_queued_messages.
|
|
# If both max_queued_messages and max_queued_bytes are specified, packets will
|
|
# be queued until the first limit is reached.
|
|
#max_queued_bytes 0
|
|
|
|
# Set the maximum QoS supported. Clients publishing at a QoS higher than
|
|
# specified here will be disconnected.
|
|
#max_qos 2
|
|
|
|
# The maximum number of QoS 1 and 2 messages to hold in a queue per client
|
|
# above those that are currently in-flight. Defaults to 1000. Set
|
|
# to 0 for no maximum (not recommended).
|
|
# See also queue_qos0_messages.
|
|
# See also max_queued_bytes.
|
|
#max_queued_messages 1000
|
|
#
|
|
# This option sets the maximum number of heap memory bytes that the broker will
|
|
# allocate, and hence sets a hard limit on memory use by the broker. Memory
|
|
# requests that exceed this value will be denied. The effect will vary
|
|
# depending on what has been denied. If an incoming message is being processed,
|
|
# then the message will be dropped and the publishing client will be
|
|
# disconnected. If an outgoing message is being sent, then the individual
|
|
# message will be dropped and the receiving client will be disconnected.
|
|
# Defaults to no limit.
|
|
#memory_limit 0
|
|
|
|
# This option sets the maximum publish payload size that the broker will allow.
|
|
# Received messages that exceed this size will not be accepted by the broker.
|
|
# The default value is 0, which means that all valid MQTT messages are
|
|
# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
|
|
#message_size_limit 0
|
|
|
|
# This option allows the session of persistent clients (those with clean
|
|
# session set to false) that are not currently connected to be removed if they
|
|
# do not reconnect within a certain time frame. This is a non-standard option
|
|
# in MQTT v3.1. MQTT v3.1.1 and v5.0 allow brokers to remove client sessions.
|
|
#
|
|
# Badly designed clients may set clean session to false whilst using a randomly
|
|
# generated client id. This leads to persistent clients that connect once and
|
|
# never reconnect. This option allows these clients to be removed. This option
|
|
# allows persistent clients (those with clean session set to false) to be
|
|
# removed if they do not reconnect within a certain time frame.
|
|
#
|
|
# The expiration period should be an integer followed by one of h d w m y for
|
|
# hour, day, week, month and year respectively. For example
|
|
#
|
|
# persistent_client_expiration 2m
|
|
# persistent_client_expiration 14d
|
|
# persistent_client_expiration 1y
|
|
#
|
|
# The default if not set is to never expire persistent clients.
|
|
#persistent_client_expiration
|
|
|
|
# Write process id to a file. Default is a blank string which means
|
|
# a pid file shouldn't be written.
|
|
# This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is
|
|
# being run automatically on boot with an init script and
|
|
# start-stop-daemon or similar.
|
|
#pid_file
|
|
|
|
# Set to true to queue messages with QoS 0 when a persistent client is
|
|
# disconnected. These messages are included in the limit imposed by
|
|
# max_queued_messages and max_queued_bytes
|
|
# Defaults to false.
|
|
# This is a non-standard option for the MQTT v3.1 spec but is allowed in
|
|
# v3.1.1.
|
|
#queue_qos0_messages false
|
|
|
|
# Set to false to disable retained message support. If a client publishes a
|
|
# message with the retain bit set, it will be disconnected if this is set to
|
|
# false.
|
|
#retain_available true
|
|
|
|
# Disable Nagle's algorithm on client sockets. This has the effect of reducing
|
|
# latency of individual messages at the potential cost of increasing the number
|
|
# of packets being sent.
|
|
#set_tcp_nodelay false
|
|
|
|
# Time in seconds between updates of the $SYS tree.
|
|
# Set to 0 to disable the publishing of the $SYS tree.
|
|
#sys_interval 10
|
|
|
|
# The MQTT specification requires that the QoS of a message delivered to a
|
|
# subscriber is never upgraded to match the QoS of the subscription. Enabling
|
|
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
|
|
# messages sent to a subscriber will always match the QoS of its subscription.
|
|
# This is a non-standard option explicitly disallowed by the spec.
|
|
#upgrade_outgoing_qos false
|
|
|
|
# When run as root, drop privileges to this user and its primary
|
|
# group.
|
|
# Set to root to stay as root, but this is not recommended.
|
|
# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist
|
|
# then it will drop privileges to the "nobody" user instead.
|
|
# If run as a non-root user, this setting has no effect.
|
|
# Note that on Windows this has no effect and so mosquitto should be started by
|
|
# the user you wish it to run as.
|
|
#user mosquitto
|
|
|
|
# =================================================================
|
|
# Listeners
|
|
# =================================================================
|
|
|
|
# Listen on a port/ip address combination. By using this variable
|
|
# multiple times, mosquitto can listen on more than one port. If
|
|
# this variable is used and neither bind_address nor port given,
|
|
# then the default listener will not be started.
|
|
# The port number to listen on must be given. Optionally, an ip
|
|
# address or host name may be supplied as a second argument. In
|
|
# this case, mosquitto will attempt to bind the listener to that
|
|
# address and so restrict access to the associated network and
|
|
# interface. By default, mosquitto will listen on all interfaces.
|
|
# Note that for a websockets listener it is not possible to bind to a host
|
|
# name.
|
|
#
|
|
# On systems that support Unix Domain Sockets, it is also possible
|
|
# to create a # Unix socket rather than opening a TCP socket. In
|
|
# this case, the port number should be set to 0 and a unix socket
|
|
# path must be provided, e.g.
|
|
# listener 0 /tmp/mosquitto.sock
|
|
#
|
|
# listener port-number [ip address/host name/unix socket path]
|
|
#listener
|
|
|
|
# By default, a listener will attempt to listen on all supported IP protocol
|
|
# versions. If you do not have an IPv4 or IPv6 interface you may wish to
|
|
# disable support for either of those protocol versions. In particular, note
|
|
# that due to the limitations of the websockets library, it will only ever
|
|
# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail
|
|
# if IPv6 is not available.
|
|
#
|
|
# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to
|
|
# force the listener to only use IPv6. If you want support for both IPv4 and
|
|
# IPv6, then do not use the socket_domain option.
|
|
#
|
|
#socket_domain
|
|
|
|
# Bind the listener to a specific interface. This is similar to
|
|
# the [ip address/host name] part of the listener definition, but is useful
|
|
# when an interface has multiple addresses or the address may change. If used
|
|
# with the [ip address/host name] part of the listener definition, then the
|
|
# bind_interface option will take priority.
|
|
# Not available on Windows.
|
|
#
|
|
# Example: bind_interface eth0
|
|
#bind_interface
|
|
|
|
# When a listener is using the websockets protocol, it is possible to serve
|
|
# http data as well. Set http_dir to a directory which contains the files you
|
|
# wish to serve. If this option is not specified, then no normal http
|
|
# connections will be possible.
|
|
#http_dir
|
|
|
|
# The maximum number of client connections to allow. This is
|
|
# a per listener setting.
|
|
# Default is -1, which means unlimited connections.
|
|
# Note that other process limits mean that unlimited connections
|
|
# are not really possible. Typically the default maximum number of
|
|
# connections possible is around 1024.
|
|
#max_connections -1
|
|
|
|
# The listener can be restricted to operating within a topic hierarchy using
|
|
# the mount_point option. This is achieved be prefixing the mount_point string
|
|
# to all topics for any clients connected to this listener. This prefixing only
|
|
# happens internally to the broker; the client will not see the prefix.
|
|
#mount_point
|
|
|
|
# Choose the protocol to use when listening.
|
|
# This can be either mqtt or websockets.
|
|
# Certificate based TLS may be used with websockets, except that only the
|
|
# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported.
|
|
#protocol mqtt
|
|
|
|
# Set use_username_as_clientid to true to replace the clientid that a client
|
|
# connected with with its username. This allows authentication to be tied to
|
|
# the clientid, which means that it is possible to prevent one client
|
|
# disconnecting another by using the same clientid.
|
|
# If a client connects with no username it will be disconnected as not
|
|
# authorised when this option is set to true.
|
|
# Do not use in conjunction with clientid_prefixes.
|
|
# See also use_identity_as_username.
|
|
# This does not apply globally, but on a per-listener basis.
|
|
#use_username_as_clientid
|
|
|
|
# Change the websockets headers size. This is a global option, it is not
|
|
# possible to set per listener. This option sets the size of the buffer used in
|
|
# the libwebsockets library when reading HTTP headers. If you are passing large
|
|
# header data such as cookies then you may need to increase this value. If left
|
|
# unset, or set to 0, then the default of 1024 bytes will be used.
|
|
#websockets_headers_size
|
|
|
|
# -----------------------------------------------------------------
|
|
# Certificate based SSL/TLS support
|
|
# -----------------------------------------------------------------
|
|
# The following options can be used to enable certificate based SSL/TLS support
|
|
# for this listener. Note that the recommended port for MQTT over TLS is 8883,
|
|
# but this must be set manually.
|
|
#
|
|
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
|
|
# support" section. Only one of certificate or PSK encryption support can be
|
|
# enabled for any listener.
|
|
|
|
# Both of certfile and keyfile must be defined to enable certificate based
|
|
# TLS encryption.
|
|
|
|
# Path to the PEM encoded server certificate.
|
|
#certfile
|
|
|
|
# Path to the PEM encoded keyfile.
|
|
#keyfile
|
|
|
|
# If you wish to control which encryption ciphers are used, use the ciphers
|
|
# option. The list of available ciphers can be optained using the "openssl
|
|
# ciphers" command and should be provided in the same format as the output of
|
|
# that command. This applies to TLS 1.2 and earlier versions only. Use
|
|
# ciphers_tls1.3 for TLS v1.3.
|
|
#ciphers
|
|
|
|
# Choose which TLS v1.3 ciphersuites are used for this listener.
|
|
# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
|
|
#ciphers_tls1.3
|
|
|
|
# If you have require_certificate set to true, you can create a certificate
|
|
# revocation list file to revoke access to particular client certificates. If
|
|
# you have done this, use crlfile to point to the PEM encoded revocation file.
|
|
#crlfile
|
|
|
|
# To allow the use of ephemeral DH key exchange, which provides forward
|
|
# security, the listener must load DH parameters. This can be specified with
|
|
# the dhparamfile option. The dhparamfile can be generated with the command
|
|
# e.g. "openssl dhparam -out dhparam.pem 2048"
|
|
#dhparamfile
|
|
|
|
# By default an TLS enabled listener will operate in a similar fashion to a
|
|
# https enabled web server, in that the server has a certificate signed by a CA
|
|
# and the client will verify that it is a trusted certificate. The overall aim
|
|
# is encryption of the network traffic. By setting require_certificate to true,
|
|
# the client must provide a valid certificate in order for the network
|
|
# connection to proceed. This allows access to the broker to be controlled
|
|
# outside of the mechanisms provided by MQTT.
|
|
#require_certificate false
|
|
|
|
# cafile and capath define methods of accessing the PEM encoded
|
|
# Certificate Authority certificates that will be considered trusted when
|
|
# checking incoming client certificates.
|
|
# cafile defines the path to a file containing the CA certificates.
|
|
# capath defines a directory that will be searched for files
|
|
# containing the CA certificates. For capath to work correctly, the
|
|
# certificate files must have ".crt" as the file ending and you must run
|
|
# "openssl rehash <path to capath>" each time you add/remove a certificate.
|
|
#cafile
|
|
#capath
|
|
|
|
|
|
# If require_certificate is true, you may set use_identity_as_username to true
|
|
# to use the CN value from the client certificate as a username. If this is
|
|
# true, the password_file option will not be used for this listener.
|
|
#use_identity_as_username false
|
|
|
|
# -----------------------------------------------------------------
|
|
# Pre-shared-key based SSL/TLS support
|
|
# -----------------------------------------------------------------
|
|
# The following options can be used to enable PSK based SSL/TLS support for
|
|
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
|
|
# this must be set manually.
|
|
#
|
|
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
|
|
# support" section. Only one of certificate or PSK encryption support can be
|
|
# enabled for any listener.
|
|
|
|
# The psk_hint option enables pre-shared-key support for this listener and also
|
|
# acts as an identifier for this listener. The hint is sent to clients and may
|
|
# be used locally to aid authentication. The hint is a free form string that
|
|
# doesn't have much meaning in itself, so feel free to be creative.
|
|
# If this option is provided, see psk_file to define the pre-shared keys to be
|
|
# used or create a security plugin to handle them.
|
|
#psk_hint
|
|
|
|
# When using PSK, the encryption ciphers used will be chosen from the list of
|
|
# available PSK ciphers. If you want to control which ciphers are available,
|
|
# use the "ciphers" option. The list of available ciphers can be optained
|
|
# using the "openssl ciphers" command and should be provided in the same format
|
|
# as the output of that command.
|
|
#ciphers
|
|
|
|
# Set use_identity_as_username to have the psk identity sent by the client used
|
|
# as its username. Authentication will be carried out using the PSK rather than
|
|
# the MQTT username/password and so password_file will not be used for this
|
|
# listener.
|
|
#use_identity_as_username false
|
|
|
|
|
|
# =================================================================
|
|
# Persistence
|
|
# =================================================================
|
|
|
|
# If persistence is enabled, save the in-memory database to disk
|
|
# every autosave_interval seconds. If set to 0, the persistence
|
|
# database will only be written when mosquitto exits. See also
|
|
# autosave_on_changes.
|
|
# Note that writing of the persistence database can be forced by
|
|
# sending mosquitto a SIGUSR1 signal.
|
|
#autosave_interval 1800
|
|
|
|
# If true, mosquitto will count the number of subscription changes, retained
|
|
# messages received and queued messages and if the total exceeds
|
|
# autosave_interval then the in-memory database will be saved to disk.
|
|
# If false, mosquitto will save the in-memory database to disk by treating
|
|
# autosave_interval as a time in seconds.
|
|
#autosave_on_changes false
|
|
|
|
# Save persistent message data to disk (true/false).
|
|
# This saves information about all messages, including
|
|
# subscriptions, currently in-flight messages and retained
|
|
# messages.
|
|
# retained_persistence is a synonym for this option.
|
|
#persistence false
|
|
|
|
# The filename to use for the persistent database, not including
|
|
# the path.
|
|
#persistence_file mosquitto.db
|
|
|
|
# Location for persistent database.
|
|
# Default is an empty string (current directory).
|
|
# Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or
|
|
# similar.
|
|
#persistence_location
|
|
|
|
|
|
# =================================================================
|
|
# Logging
|
|
# =================================================================
|
|
|
|
# Places to log to. Use multiple log_dest lines for multiple
|
|
# logging destinations.
|
|
# Possible destinations are: stdout stderr syslog topic file dlt
|
|
#
|
|
# stdout and stderr log to the console on the named output.
|
|
#
|
|
# syslog uses the userspace syslog facility which usually ends up
|
|
# in /var/log/messages or similar.
|
|
#
|
|
# topic logs to the broker topic '$SYS/broker/log/<severity>',
|
|
# where severity is one of D, E, W, N, I, M which are debug, error,
|
|
# warning, notice, information and message. Message type severity is used by
|
|
# the subscribe/unsubscribe log_types and publishes log messages to
|
|
# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
|
|
#
|
|
# The file destination requires an additional parameter which is the file to be
|
|
# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
|
|
# closed and reopened when the broker receives a HUP signal. Only a single file
|
|
# destination may be configured.
|
|
#
|
|
# The dlt destination is for the automotive `Diagnostic Log and Trace` tool.
|
|
# This requires that Mosquitto has been compiled with DLT support.
|
|
#
|
|
# Note that if the broker is running as a Windows service it will default to
|
|
# "log_dest none" and neither stdout nor stderr logging is available.
|
|
# Use "log_dest none" if you wish to disable logging.
|
|
#log_dest stderr
|
|
|
|
# Types of messages to log. Use multiple log_type lines for logging
|
|
# multiple types of messages.
|
|
# Possible types are: debug, error, warning, notice, information,
|
|
# none, subscribe, unsubscribe, websockets, all.
|
|
# Note that debug type messages are for decoding the incoming/outgoing
|
|
# network packets. They are not logged in "topics".
|
|
#log_type error
|
|
#log_type warning
|
|
#log_type notice
|
|
#log_type information
|
|
|
|
|
|
# If set to true, client connection and disconnection messages will be included
|
|
# in the log.
|
|
#connection_messages true
|
|
|
|
# If using syslog logging (not on Windows), messages will be logged to the
|
|
# "daemon" facility by default. Use the log_facility option to choose which of
|
|
# local0 to local7 to log to instead. The option value should be an integer
|
|
# value, e.g. "log_facility 5" to use local5.
|
|
#log_facility
|
|
|
|
# If set to true, add a timestamp value to each log message.
|
|
#log_timestamp true
|
|
|
|
# Set the format of the log timestamp. If left unset, this is the number of
|
|
# seconds since the Unix epoch.
|
|
# This is a free text string which will be passed to the strftime function. To
|
|
# get an ISO 8601 datetime, for example:
|
|
# log_timestamp_format %Y-%m-%dT%H:%M:%S
|
|
#log_timestamp_format
|
|
|
|
# Change the websockets logging level. This is a global option, it is not
|
|
# possible to set per listener. This is an integer that is interpreted by
|
|
# libwebsockets as a bit mask for its lws_log_levels enum. See the
|
|
# libwebsockets documentation for more details. "log_type websockets" must also
|
|
# be enabled.
|
|
#websockets_log_level 0
|
|
|
|
|
|
# =================================================================
|
|
# Security
|
|
# =================================================================
|
|
|
|
# If set, only clients that have a matching prefix on their
|
|
# clientid will be allowed to connect to the broker. By default,
|
|
# all clients may connect.
|
|
# For example, setting "secure-" here would mean a client "secure-
|
|
# client" could connect but another with clientid "mqtt" couldn't.
|
|
#clientid_prefixes
|
|
|
|
# Boolean value that determines whether clients that connect
|
|
# without providing a username are allowed to connect. If set to
|
|
# false then a password file should be created (see the
|
|
# password_file option) to control authenticated client access.
|
|
#
|
|
# Defaults to false, unless there are no listeners defined in the configuration
|
|
# file, in which case it is set to true, but connections are only allowed from
|
|
# the local machine.
|
|
#allow_anonymous false
|
|
|
|
# -----------------------------------------------------------------
|
|
# Default authentication and topic access control
|
|
# -----------------------------------------------------------------
|
|
|
|
# Control access to the broker using a password file. This file can be
|
|
# generated using the mosquitto_passwd utility. If TLS support is not compiled
|
|
# into mosquitto (it is recommended that TLS support should be included) then
|
|
# plain text passwords are used, in which case the file should be a text file
|
|
# with lines in the format:
|
|
# username:password
|
|
# The password (and colon) may be omitted if desired, although this
|
|
# offers very little in the way of security.
|
|
#
|
|
# See the TLS client require_certificate and use_identity_as_username options
|
|
# for alternative authentication options. If a plugin is used as well as
|
|
# password_file, the plugin check will be made first.
|
|
#password_file
|
|
|
|
# Access may also be controlled using a pre-shared-key file. This requires
|
|
# TLS-PSK support and a listener configured to use it. The file should be text
|
|
# lines in the format:
|
|
# identity:key
|
|
# The key should be in hexadecimal format without a leading "0x".
|
|
# If an plugin is used as well, the plugin check will be made first.
|
|
#psk_file
|
|
|
|
# Control access to topics on the broker using an access control list
|
|
# file. If this parameter is defined then only the topics listed will
|
|
# have access.
|
|
# If the first character of a line of the ACL file is a # it is treated as a
|
|
# comment.
|
|
# Topic access is added with lines of the format:
|
|
#
|
|
# topic [read|write|readwrite|deny] <topic>
|
|
#
|
|
# The access type is controlled using "read", "write", "readwrite" or "deny".
|
|
# This parameter is optional (unless <topic> contains a space character) - if
|
|
# not given then the access is read/write. <topic> can contain the + or #
|
|
# wildcards as in subscriptions.
|
|
#
|
|
# The "deny" option can used to explicity deny access to a topic that would
|
|
# otherwise be granted by a broader read/write/readwrite statement. Any "deny"
|
|
# topics are handled before topics that grant read/write access.
|
|
#
|
|
# The first set of topics are applied to anonymous clients, assuming
|
|
# allow_anonymous is true. User specific topic ACLs are added after a
|
|
# user line as follows:
|
|
#
|
|
# user <username>
|
|
#
|
|
# The username referred to here is the same as in password_file. It is
|
|
# not the clientid.
|
|
#
|
|
#
|
|
# If is also possible to define ACLs based on pattern substitution within the
|
|
# topic. The patterns available for substition are:
|
|
#
|
|
# %c to match the client id of the client
|
|
# %u to match the username of the client
|
|
#
|
|
# The substitution pattern must be the only text for that level of hierarchy.
|
|
#
|
|
# The form is the same as for the topic keyword, but using pattern as the
|
|
# keyword.
|
|
# Pattern ACLs apply to all users even if the "user" keyword has previously
|
|
# been given.
|
|
#
|
|
# If using bridges with usernames and ACLs, connection messages can be allowed
|
|
# with the following pattern:
|
|
# pattern write $SYS/broker/connection/%c/state
|
|
#
|
|
# pattern [read|write|readwrite] <topic>
|
|
#
|
|
# Example:
|
|
#
|
|
# pattern write sensor/%u/data
|
|
#
|
|
# If an plugin is used as well as acl_file, the plugin check will be
|
|
# made first.
|
|
#acl_file
|
|
|
|
# -----------------------------------------------------------------
|
|
# External authentication and topic access plugin options
|
|
# -----------------------------------------------------------------
|
|
|
|
# External authentication and access control can be supported with the
|
|
# plugin option. This is a path to a loadable plugin. See also the
|
|
# plugin_opt_* options described below.
|
|
#
|
|
# The plugin option can be specified multiple times to load multiple
|
|
# plugins. The plugins will be processed in the order that they are specified
|
|
# here. If the plugin option is specified alongside either of
|
|
# password_file or acl_file then the plugin checks will be made first.
|
|
#
|
|
# If the per_listener_settings option is false, the plugin will be apply to all
|
|
# listeners. If per_listener_settings is true, then the plugin will apply to
|
|
# the current listener being defined only.
|
|
#
|
|
# This option is also available as `auth_plugin`, but this use is deprecated
|
|
# and will be removed in the future.
|
|
#
|
|
#plugin
|
|
|
|
# If the plugin option above is used, define options to pass to the
|
|
# plugin here as described by the plugin instructions. All options named
|
|
# using the format plugin_opt_* will be passed to the plugin, for example:
|
|
#
|
|
# This option is also available as `auth_opt_*`, but this use is deprecated
|
|
# and will be removed in the future.
|
|
#
|
|
# plugin_opt_db_host
|
|
# plugin_opt_db_port
|
|
# plugin_opt_db_username
|
|
# plugin_opt_db_password
|
|
|
|
|
|
# =================================================================
|
|
# Bridges
|
|
# =================================================================
|
|
|
|
# A bridge is a way of connecting multiple MQTT brokers together.
|
|
# Create a new bridge using the "connection" option as described below. Set
|
|
# options for the bridges using the remaining parameters. You must specify the
|
|
# address and at least one topic to subscribe to.
|
|
#
|
|
# Each connection must have a unique name.
|
|
#
|
|
# The address line may have multiple host address and ports specified. See
|
|
# below in the round_robin description for more details on bridge behaviour if
|
|
# multiple addresses are used. Note that if you use an IPv6 address, then you
|
|
# are required to specify a port.
|
|
#
|
|
# The direction that the topic will be shared can be chosen by
|
|
# specifying out, in or both, where the default value is out.
|
|
# The QoS level of the bridged communication can be specified with the next
|
|
# topic option. The default QoS level is 0, to change the QoS the topic
|
|
# direction must also be given.
|
|
#
|
|
# The local and remote prefix options allow a topic to be remapped when it is
|
|
# bridged to/from the remote broker. This provides the ability to place a topic
|
|
# tree in an appropriate location.
|
|
#
|
|
# For more details see the mosquitto.conf man page.
|
|
#
|
|
# Multiple topics can be specified per connection, but be careful
|
|
# not to create any loops.
|
|
#
|
|
# If you are using bridges with cleansession set to false (the default), then
|
|
# you may get unexpected behaviour from incoming topics if you change what
|
|
# topics you are subscribing to. This is because the remote broker keeps the
|
|
# subscription for the old topic. If you have this problem, connect your bridge
|
|
# with cleansession set to true, then reconnect with cleansession set to false
|
|
# as normal.
|
|
#connection <name>
|
|
#address <host>[:<port>] [<host>[:<port>]]
|
|
#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
|
|
|
|
# If you need to have the bridge connect over a particular network interface,
|
|
# use bridge_bind_address to tell the bridge which local IP address the socket
|
|
# should bind to, e.g. `bridge_bind_address 192.168.1.10`
|
|
#bridge_bind_address
|
|
|
|
# If a bridge has topics that have "out" direction, the default behaviour is to
|
|
# send an unsubscribe request to the remote broker on that topic. This means
|
|
# that changing a topic direction from "in" to "out" will not keep receiving
|
|
# incoming messages. Sending these unsubscribe requests is not always
|
|
# desirable, setting bridge_attempt_unsubscribe to false will disable sending
|
|
# the unsubscribe request.
|
|
#bridge_attempt_unsubscribe true
|
|
|
|
# Set the version of the MQTT protocol to use with for this bridge. Can be one
|
|
# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311.
|
|
#bridge_protocol_version mqttv311
|
|
|
|
# Set the clean session variable for this bridge.
|
|
# When set to true, when the bridge disconnects for any reason, all
|
|
# messages and subscriptions will be cleaned up on the remote
|
|
# broker. Note that with cleansession set to true, there may be a
|
|
# significant amount of retained messages sent when the bridge
|
|
# reconnects after losing its connection.
|
|
# When set to false, the subscriptions and messages are kept on the
|
|
# remote broker, and delivered when the bridge reconnects.
|
|
#cleansession false
|
|
|
|
# Set the amount of time a bridge using the lazy start type must be idle before
|
|
# it will be stopped. Defaults to 60 seconds.
|
|
#idle_timeout 60
|
|
|
|
# Set the keepalive interval for this bridge connection, in
|
|
# seconds.
|
|
#keepalive_interval 60
|
|
|
|
# Set the clientid to use on the local broker. If not defined, this defaults to
|
|
# 'local.<clientid>'. If you are bridging a broker to itself, it is important
|
|
# that local_clientid and clientid do not match.
|
|
#local_clientid
|
|
|
|
# If set to true, publish notification messages to the local and remote brokers
|
|
# giving information about the state of the bridge connection. Retained
|
|
# messages are published to the topic $SYS/broker/connection/<clientid>/state
|
|
# unless the notification_topic option is used.
|
|
# If the message is 1 then the connection is active, or 0 if the connection has
|
|
# failed.
|
|
# This uses the last will and testament feature.
|
|
#notifications true
|
|
|
|
# Choose the topic on which notification messages for this bridge are
|
|
# published. If not set, messages are published on the topic
|
|
# $SYS/broker/connection/<clientid>/state
|
|
#notification_topic
|
|
|
|
# Set the client id to use on the remote end of this bridge connection. If not
|
|
# defined, this defaults to 'name.hostname' where name is the connection name
|
|
# and hostname is the hostname of this computer.
|
|
# This replaces the old "clientid" option to avoid confusion. "clientid"
|
|
# remains valid for the time being.
|
|
#remote_clientid
|
|
|
|
# Set the password to use when connecting to a broker that requires
|
|
# authentication. This option is only used if remote_username is also set.
|
|
# This replaces the old "password" option to avoid confusion. "password"
|
|
# remains valid for the time being.
|
|
#remote_password
|
|
|
|
# Set the username to use when connecting to a broker that requires
|
|
# authentication.
|
|
# This replaces the old "username" option to avoid confusion. "username"
|
|
# remains valid for the time being.
|
|
#remote_username
|
|
|
|
# Set the amount of time a bridge using the automatic start type will wait
|
|
# until attempting to reconnect.
|
|
# This option can be configured to use a constant delay time in seconds, or to
|
|
# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree
|
|
# of randomness to when the restart occurs.
|
|
#
|
|
# Set a constant timeout of 20 seconds:
|
|
# restart_timeout 20
|
|
#
|
|
# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of
|
|
# 60 seconds:
|
|
# restart_timeout 10 30
|
|
#
|
|
# Defaults to jitter with a base of 5 and cap of 30
|
|
#restart_timeout 5 30
|
|
|
|
# If the bridge has more than one address given in the address/addresses
|
|
# configuration, the round_robin option defines the behaviour of the bridge on
|
|
# a failure of the bridge connection. If round_robin is false, the default
|
|
# value, then the first address is treated as the main bridge connection. If
|
|
# the connection fails, the other secondary addresses will be attempted in
|
|
# turn. Whilst connected to a secondary bridge, the bridge will periodically
|
|
# attempt to reconnect to the main bridge until successful.
|
|
# If round_robin is true, then all addresses are treated as equals. If a
|
|
# connection fails, the next address will be tried and if successful will
|
|
# remain connected until it fails
|
|
#round_robin false
|
|
|
|
# Set the start type of the bridge. This controls how the bridge starts and
|
|
# can be one of three types: automatic, lazy and once. Note that RSMB provides
|
|
# a fourth start type "manual" which isn't currently supported by mosquitto.
|
|
#
|
|
# "automatic" is the default start type and means that the bridge connection
|
|
# will be started automatically when the broker starts and also restarted
|
|
# after a short delay (30 seconds) if the connection fails.
|
|
#
|
|
# Bridges using the "lazy" start type will be started automatically when the
|
|
# number of queued messages exceeds the number set with the "threshold"
|
|
# parameter. It will be stopped automatically after the time set by the
|
|
# "idle_timeout" parameter. Use this start type if you wish the connection to
|
|
# only be active when it is needed.
|
|
#
|
|
# A bridge using the "once" start type will be started automatically when the
|
|
# broker starts but will not be restarted if the connection fails.
|
|
#start_type automatic
|
|
|
|
# Set the number of messages that need to be queued for a bridge with lazy
|
|
# start type to be restarted. Defaults to 10 messages.
|
|
# Must be less than max_queued_messages.
|
|
#threshold 10
|
|
|
|
# If try_private is set to true, the bridge will attempt to indicate to the
|
|
# remote broker that it is a bridge not an ordinary client. If successful, this
|
|
# means that loop detection will be more effective and that retained messages
|
|
# will be propagated correctly. Not all brokers support this feature so it may
|
|
# be necessary to set try_private to false if your bridge does not connect
|
|
# properly.
|
|
#try_private true
|
|
|
|
# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism
|
|
# for brokers to tell clients that they do not support retained messages, but
|
|
# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a
|
|
# v3.1.1 or v3.1 broker that does not support retained messages, set the
|
|
# bridge_outgoing_retain option to false. This will remove the retain bit on
|
|
# all outgoing messages to that bridge, regardless of any other setting.
|
|
#bridge_outgoing_retain true
|
|
|
|
# If you wish to restrict the size of messages sent to a remote bridge, use the
|
|
# bridge_max_packet_size option. This sets the maximum number of bytes for
|
|
# the total message, including headers and payload.
|
|
# Note that MQTT v5 brokers may provide their own maximum-packet-size property.
|
|
# In this case, the smaller of the two limits will be used.
|
|
# Set to 0 for "unlimited".
|
|
#bridge_max_packet_size 0
|
|
|
|
|
|
# -----------------------------------------------------------------
|
|
# Certificate based SSL/TLS support
|
|
# -----------------------------------------------------------------
|
|
# Either bridge_cafile or bridge_capath must be defined to enable TLS support
|
|
# for this bridge.
|
|
# bridge_cafile defines the path to a file containing the
|
|
# Certificate Authority certificates that have signed the remote broker
|
|
# certificate.
|
|
# bridge_capath defines a directory that will be searched for files containing
|
|
# the CA certificates. For bridge_capath to work correctly, the certificate
|
|
# files must have ".crt" as the file ending and you must run "openssl rehash
|
|
# <path to capath>" each time you add/remove a certificate.
|
|
#bridge_cafile
|
|
#bridge_capath
|
|
|
|
|
|
# If the remote broker has more than one protocol available on its port, e.g.
|
|
# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
|
|
# requested. Note that WebSockets support for bridges is not yet available.
|
|
#bridge_alpn
|
|
|
|
# When using certificate based encryption, bridge_insecure disables
|
|
# verification of the server hostname in the server certificate. This can be
|
|
# useful when testing initial server configurations, but makes it possible for
|
|
# a malicious third party to impersonate your server through DNS spoofing, for
|
|
# example. Use this option in testing only. If you need to resort to using this
|
|
# option in a production environment, your setup is at fault and there is no
|
|
# point using encryption.
|
|
#bridge_insecure false
|
|
|
|
# Path to the PEM encoded client certificate, if required by the remote broker.
|
|
#bridge_certfile
|
|
|
|
# Path to the PEM encoded client private key, if required by the remote broker.
|
|
#bridge_keyfile
|
|
|
|
# -----------------------------------------------------------------
|
|
# PSK based SSL/TLS support
|
|
# -----------------------------------------------------------------
|
|
# Pre-shared-key encryption provides an alternative to certificate based
|
|
# encryption. A bridge can be configured to use PSK with the bridge_identity
|
|
# and bridge_psk options. These are the client PSK identity, and pre-shared-key
|
|
# in hexadecimal format with no "0x". Only one of certificate and PSK based
|
|
# encryption can be used on one
|
|
# bridge at once.
|
|
#bridge_identity
|
|
#bridge_psk
|
|
|
|
|
|
# =================================================================
|
|
# External config files
|
|
# =================================================================
|
|
|
|
# External configuration files may be included by using the
|
|
# include_dir option. This defines a directory that will be searched
|
|
# for config files. All files that end in '.conf' will be loaded as
|
|
# a configuration file. It is best to have this as the last option
|
|
# in the main file. This option will only be processed from the main
|
|
# configuration file. The directory specified must not contain the
|
|
# main configuration file.
|
|
# Files within include_dir will be loaded sorted in case-sensitive
|
|
# alphabetical order, with capital letters ordered first. If this option is
|
|
# given multiple times, all of the files from the first instance will be
|
|
# processed before the next instance. See the man page for examples.
|
|
#include_dir
|
|
CFGEOF
|
|
|
|
#Gen file /etc/mosquitto/mosquitto.conf
|
|
|
|
mkdir -p "/etc/mosquitto"
|
|
cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf"
|
|
# Config file for mosquitto
|
|
#
|
|
# See mosquitto.conf(5) for more information.
|
|
#
|
|
# Default values are shown, uncomment to change.
|
|
#
|
|
# Use the # character to indicate a comment, but only if it is the
|
|
# very first character on the line.
|
|
|
|
# =================================================================
|
|
# General configuration
|
|
# =================================================================
|
|
|
|
# Use per listener security settings.
|
|
#
|
|
# It is recommended this option be set before any other options.
|
|
#
|
|
# If this option is set to true, then all authentication and access control
|
|
# options are controlled on a per listener basis. The following options are
|
|
# affected:
|
|
#
|
|
# acl_file
|
|
# allow_anonymous
|
|
# allow_zero_length_clientid
|
|
# auto_id_prefix
|
|
# password_file
|
|
# plugin
|
|
# plugin_opt_*
|
|
# psk_file
|
|
#
|
|
# Note that if set to true, then a durable client (i.e. with clean session set
|
|
# to false) that has disconnected will use the ACL settings defined for the
|
|
# listener that it was most recently connected to.
|
|
#
|
|
# The default behaviour is for this to be set to false, which maintains the
|
|
# setting behaviour from previous versions of mosquitto.
|
|
#per_listener_settings false
|
|
|
|
|
|
# This option controls whether a client is allowed to connect with a zero
|
|
# length client id or not. This option only affects clients using MQTT v3.1.1
|
|
# and later. If set to false, clients connecting with a zero length client id
|
|
# are disconnected. If set to true, clients will be allocated a client id by
|
|
# the broker. This means it is only useful for clients with clean session set
|
|
# to true.
|
|
#allow_zero_length_clientid true
|
|
|
|
# If allow_zero_length_clientid is true, this option allows you to set a prefix
|
|
# to automatically generated client ids to aid visibility in logs.
|
|
# Defaults to 'auto-'
|
|
#auto_id_prefix auto-
|
|
|
|
# This option affects the scenario when a client subscribes to a topic that has
|
|
# retained messages. It is possible that the client that published the retained
|
|
# message to the topic had access at the time they published, but that access
|
|
# has been subsequently removed. If check_retain_source is set to true, the
|
|
# default, the source of a retained message will be checked for access rights
|
|
# before it is republished. When set to false, no check will be made and the
|
|
# retained message will always be published. This affects all listeners.
|
|
#check_retain_source true
|
|
|
|
# QoS 1 and 2 messages will be allowed inflight per client until this limit
|
|
# is exceeded. Defaults to 0. (No maximum)
|
|
# See also max_inflight_messages
|
|
#max_inflight_bytes 0
|
|
|
|
# The maximum number of QoS 1 and 2 messages currently inflight per
|
|
# client.
|
|
# This includes messages that are partway through handshakes and
|
|
# those that are being retried. Defaults to 20. Set to 0 for no
|
|
# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
|
|
# and 2 messages.
|
|
#max_inflight_messages 20
|
|
|
|
# For MQTT v5 clients, it is possible to have the server send a "server
|
|
# keepalive" value that will override the keepalive value set by the client.
|
|
# This is intended to be used as a mechanism to say that the server will
|
|
# disconnect the client earlier than it anticipated, and that the client should
|
|
# use the new keepalive value. The max_keepalive option allows you to specify
|
|
# that clients may only connect with keepalive less than or equal to this
|
|
# value, otherwise they will be sent a server keepalive telling them to use
|
|
# max_keepalive. This only applies to MQTT v5 clients. The default, and maximum
|
|
# value allowable, is 65535.
|
|
#
|
|
# Set to 0 to allow clients to set keepalive = 0, which means no keepalive
|
|
# checks are made and the client will never be disconnected by the broker if no
|
|
# messages are received. You should be very sure this is the behaviour that you
|
|
# want.
|
|
#
|
|
# For MQTT v3.1.1 and v3.1 clients, there is no mechanism to tell the client
|
|
# what keepalive value they should use. If an MQTT v3.1.1 or v3.1 client
|
|
# specifies a keepalive time greater than max_keepalive they will be sent a
|
|
# CONNACK message with the "identifier rejected" reason code, and disconnected.
|
|
#
|
|
#max_keepalive 65535
|
|
|
|
# For MQTT v5 clients, it is possible to have the server send a "maximum packet
|
|
# size" value that will instruct the client it will not accept MQTT packets
|
|
# with size greater than max_packet_size bytes. This applies to the full MQTT
|
|
# packet, not just the payload. Setting this option to a positive value will
|
|
# set the maximum packet size to that number of bytes. If a client sends a
|
|
# packet which is larger than this value, it will be disconnected. This applies
|
|
# to all clients regardless of the protocol version they are using, but v3.1.1
|
|
# and earlier clients will of course not have received the maximum packet size
|
|
# information. Defaults to no limit. Setting below 20 bytes is forbidden
|
|
# because it is likely to interfere with ordinary client operation, even with
|
|
# very small payloads.
|
|
#max_packet_size 0
|
|
|
|
# QoS 1 and 2 messages above those currently in-flight will be queued per
|
|
# client until this limit is exceeded. Defaults to 0. (No maximum)
|
|
# See also max_queued_messages.
|
|
# If both max_queued_messages and max_queued_bytes are specified, packets will
|
|
# be queued until the first limit is reached.
|
|
#max_queued_bytes 0
|
|
|
|
# Set the maximum QoS supported. Clients publishing at a QoS higher than
|
|
# specified here will be disconnected.
|
|
#max_qos 2
|
|
|
|
# The maximum number of QoS 1 and 2 messages to hold in a queue per client
|
|
# above those that are currently in-flight. Defaults to 1000. Set
|
|
# to 0 for no maximum (not recommended).
|
|
# See also queue_qos0_messages.
|
|
# See also max_queued_bytes.
|
|
#max_queued_messages 1000
|
|
#
|
|
# This option sets the maximum number of heap memory bytes that the broker will
|
|
# allocate, and hence sets a hard limit on memory use by the broker. Memory
|
|
# requests that exceed this value will be denied. The effect will vary
|
|
# depending on what has been denied. If an incoming message is being processed,
|
|
# then the message will be dropped and the publishing client will be
|
|
# disconnected. If an outgoing message is being sent, then the individual
|
|
# message will be dropped and the receiving client will be disconnected.
|
|
# Defaults to no limit.
|
|
#memory_limit 0
|
|
|
|
# This option sets the maximum publish payload size that the broker will allow.
|
|
# Received messages that exceed this size will not be accepted by the broker.
|
|
# The default value is 0, which means that all valid MQTT messages are
|
|
# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
|
|
#message_size_limit 0
|
|
|
|
# This option allows the session of persistent clients (those with clean
|
|
# session set to false) that are not currently connected to be removed if they
|
|
# do not reconnect within a certain time frame. This is a non-standard option
|
|
# in MQTT v3.1. MQTT v3.1.1 and v5.0 allow brokers to remove client sessions.
|
|
#
|
|
# Badly designed clients may set clean session to false whilst using a randomly
|
|
# generated client id. This leads to persistent clients that connect once and
|
|
# never reconnect. This option allows these clients to be removed. This option
|
|
# allows persistent clients (those with clean session set to false) to be
|
|
# removed if they do not reconnect within a certain time frame.
|
|
#
|
|
# The expiration period should be an integer followed by one of h d w m y for
|
|
# hour, day, week, month and year respectively. For example
|
|
#
|
|
# persistent_client_expiration 2m
|
|
# persistent_client_expiration 14d
|
|
# persistent_client_expiration 1y
|
|
#
|
|
# The default if not set is to never expire persistent clients.
|
|
#persistent_client_expiration
|
|
|
|
# Write process id to a file. Default is a blank string which means
|
|
# a pid file shouldn't be written.
|
|
# This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is
|
|
# being run automatically on boot with an init script and
|
|
# start-stop-daemon or similar.
|
|
#pid_file
|
|
|
|
# Set to true to queue messages with QoS 0 when a persistent client is
|
|
# disconnected. These messages are included in the limit imposed by
|
|
# max_queued_messages and max_queued_bytes
|
|
# Defaults to false.
|
|
# This is a non-standard option for the MQTT v3.1 spec but is allowed in
|
|
# v3.1.1.
|
|
#queue_qos0_messages false
|
|
|
|
# Set to false to disable retained message support. If a client publishes a
|
|
# message with the retain bit set, it will be disconnected if this is set to
|
|
# false.
|
|
#retain_available true
|
|
|
|
# Disable Nagle's algorithm on client sockets. This has the effect of reducing
|
|
# latency of individual messages at the potential cost of increasing the number
|
|
# of packets being sent.
|
|
#set_tcp_nodelay false
|
|
|
|
# Time in seconds between updates of the $SYS tree.
|
|
# Set to 0 to disable the publishing of the $SYS tree.
|
|
#sys_interval 10
|
|
|
|
# The MQTT specification requires that the QoS of a message delivered to a
|
|
# subscriber is never upgraded to match the QoS of the subscription. Enabling
|
|
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
|
|
# messages sent to a subscriber will always match the QoS of its subscription.
|
|
# This is a non-standard option explicitly disallowed by the spec.
|
|
#upgrade_outgoing_qos false
|
|
|
|
# When run as root, drop privileges to this user and its primary
|
|
# group.
|
|
# Set to root to stay as root, but this is not recommended.
|
|
# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist
|
|
# then it will drop privileges to the "nobody" user instead.
|
|
# If run as a non-root user, this setting has no effect.
|
|
# Note that on Windows this has no effect and so mosquitto should be started by
|
|
# the user you wish it to run as.
|
|
#user mosquitto
|
|
|
|
# =================================================================
|
|
# Listeners
|
|
# =================================================================
|
|
|
|
# Listen on a port/ip address combination. By using this variable
|
|
# multiple times, mosquitto can listen on more than one port. If
|
|
# this variable is used and neither bind_address nor port given,
|
|
# then the default listener will not be started.
|
|
# The port number to listen on must be given. Optionally, an ip
|
|
# address or host name may be supplied as a second argument. In
|
|
# this case, mosquitto will attempt to bind the listener to that
|
|
# address and so restrict access to the associated network and
|
|
# interface. By default, mosquitto will listen on all interfaces.
|
|
# Note that for a websockets listener it is not possible to bind to a host
|
|
# name.
|
|
#
|
|
# On systems that support Unix Domain Sockets, it is also possible
|
|
# to create a # Unix socket rather than opening a TCP socket. In
|
|
# this case, the port number should be set to 0 and a unix socket
|
|
# path must be provided, e.g.
|
|
# listener 0 /tmp/mosquitto.sock
|
|
#
|
|
# listener port-number [ip address/host name/unix socket path]
|
|
#listener
|
|
|
|
# By default, a listener will attempt to listen on all supported IP protocol
|
|
# versions. If you do not have an IPv4 or IPv6 interface you may wish to
|
|
# disable support for either of those protocol versions. In particular, note
|
|
# that due to the limitations of the websockets library, it will only ever
|
|
# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail
|
|
# if IPv6 is not available.
|
|
#
|
|
# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to
|
|
# force the listener to only use IPv6. If you want support for both IPv4 and
|
|
# IPv6, then do not use the socket_domain option.
|
|
#
|
|
#socket_domain
|
|
|
|
# Bind the listener to a specific interface. This is similar to
|
|
# the [ip address/host name] part of the listener definition, but is useful
|
|
# when an interface has multiple addresses or the address may change. If used
|
|
# with the [ip address/host name] part of the listener definition, then the
|
|
# bind_interface option will take priority.
|
|
# Not available on Windows.
|
|
#
|
|
# Example: bind_interface eth0
|
|
#bind_interface
|
|
|
|
# When a listener is using the websockets protocol, it is possible to serve
|
|
# http data as well. Set http_dir to a directory which contains the files you
|
|
# wish to serve. If this option is not specified, then no normal http
|
|
# connections will be possible.
|
|
#http_dir
|
|
|
|
# The maximum number of client connections to allow. This is
|
|
# a per listener setting.
|
|
# Default is -1, which means unlimited connections.
|
|
# Note that other process limits mean that unlimited connections
|
|
# are not really possible. Typically the default maximum number of
|
|
# connections possible is around 1024.
|
|
#max_connections -1
|
|
|
|
# The listener can be restricted to operating within a topic hierarchy using
|
|
# the mount_point option. This is achieved be prefixing the mount_point string
|
|
# to all topics for any clients connected to this listener. This prefixing only
|
|
# happens internally to the broker; the client will not see the prefix.
|
|
#mount_point
|
|
|
|
# Choose the protocol to use when listening.
|
|
# This can be either mqtt or websockets.
|
|
# Certificate based TLS may be used with websockets, except that only the
|
|
# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported.
|
|
#protocol mqtt
|
|
|
|
# Set use_username_as_clientid to true to replace the clientid that a client
|
|
# connected with with its username. This allows authentication to be tied to
|
|
# the clientid, which means that it is possible to prevent one client
|
|
# disconnecting another by using the same clientid.
|
|
# If a client connects with no username it will be disconnected as not
|
|
# authorised when this option is set to true.
|
|
# Do not use in conjunction with clientid_prefixes.
|
|
# See also use_identity_as_username.
|
|
# This does not apply globally, but on a per-listener basis.
|
|
#use_username_as_clientid
|
|
|
|
# Change the websockets headers size. This is a global option, it is not
|
|
# possible to set per listener. This option sets the size of the buffer used in
|
|
# the libwebsockets library when reading HTTP headers. If you are passing large
|
|
# header data such as cookies then you may need to increase this value. If left
|
|
# unset, or set to 0, then the default of 1024 bytes will be used.
|
|
#websockets_headers_size
|
|
|
|
# -----------------------------------------------------------------
|
|
# Certificate based SSL/TLS support
|
|
# -----------------------------------------------------------------
|
|
# The following options can be used to enable certificate based SSL/TLS support
|
|
# for this listener. Note that the recommended port for MQTT over TLS is 8883,
|
|
# but this must be set manually.
|
|
#
|
|
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
|
|
# support" section. Only one of certificate or PSK encryption support can be
|
|
# enabled for any listener.
|
|
|
|
# Both of certfile and keyfile must be defined to enable certificate based
|
|
# TLS encryption.
|
|
|
|
# Path to the PEM encoded server certificate.
|
|
#certfile
|
|
|
|
# Path to the PEM encoded keyfile.
|
|
#keyfile
|
|
|
|
# If you wish to control which encryption ciphers are used, use the ciphers
|
|
# option. The list of available ciphers can be optained using the "openssl
|
|
# ciphers" command and should be provided in the same format as the output of
|
|
# that command. This applies to TLS 1.2 and earlier versions only. Use
|
|
# ciphers_tls1.3 for TLS v1.3.
|
|
#ciphers
|
|
|
|
# Choose which TLS v1.3 ciphersuites are used for this listener.
|
|
# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
|
|
#ciphers_tls1.3
|
|
|
|
# If you have require_certificate set to true, you can create a certificate
|
|
# revocation list file to revoke access to particular client certificates. If
|
|
# you have done this, use crlfile to point to the PEM encoded revocation file.
|
|
#crlfile
|
|
|
|
# To allow the use of ephemeral DH key exchange, which provides forward
|
|
# security, the listener must load DH parameters. This can be specified with
|
|
# the dhparamfile option. The dhparamfile can be generated with the command
|
|
# e.g. "openssl dhparam -out dhparam.pem 2048"
|
|
#dhparamfile
|
|
|
|
# By default an TLS enabled listener will operate in a similar fashion to a
|
|
# https enabled web server, in that the server has a certificate signed by a CA
|
|
# and the client will verify that it is a trusted certificate. The overall aim
|
|
# is encryption of the network traffic. By setting require_certificate to true,
|
|
# the client must provide a valid certificate in order for the network
|
|
# connection to proceed. This allows access to the broker to be controlled
|
|
# outside of the mechanisms provided by MQTT.
|
|
#require_certificate false
|
|
|
|
# cafile and capath define methods of accessing the PEM encoded
|
|
# Certificate Authority certificates that will be considered trusted when
|
|
# checking incoming client certificates.
|
|
# cafile defines the path to a file containing the CA certificates.
|
|
# capath defines a directory that will be searched for files
|
|
# containing the CA certificates. For capath to work correctly, the
|
|
# certificate files must have ".crt" as the file ending and you must run
|
|
# "openssl rehash <path to capath>" each time you add/remove a certificate.
|
|
#cafile
|
|
#capath
|
|
|
|
|
|
# If require_certificate is true, you may set use_identity_as_username to true
|
|
# to use the CN value from the client certificate as a username. If this is
|
|
# true, the password_file option will not be used for this listener.
|
|
#use_identity_as_username false
|
|
|
|
# -----------------------------------------------------------------
|
|
# Pre-shared-key based SSL/TLS support
|
|
# -----------------------------------------------------------------
|
|
# The following options can be used to enable PSK based SSL/TLS support for
|
|
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
|
|
# this must be set manually.
|
|
#
|
|
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
|
|
# support" section. Only one of certificate or PSK encryption support can be
|
|
# enabled for any listener.
|
|
|
|
# The psk_hint option enables pre-shared-key support for this listener and also
|
|
# acts as an identifier for this listener. The hint is sent to clients and may
|
|
# be used locally to aid authentication. The hint is a free form string that
|
|
# doesn't have much meaning in itself, so feel free to be creative.
|
|
# If this option is provided, see psk_file to define the pre-shared keys to be
|
|
# used or create a security plugin to handle them.
|
|
#psk_hint
|
|
|
|
# When using PSK, the encryption ciphers used will be chosen from the list of
|
|
# available PSK ciphers. If you want to control which ciphers are available,
|
|
# use the "ciphers" option. The list of available ciphers can be optained
|
|
# using the "openssl ciphers" command and should be provided in the same format
|
|
# as the output of that command.
|
|
#ciphers
|
|
|
|
# Set use_identity_as_username to have the psk identity sent by the client used
|
|
# as its username. Authentication will be carried out using the PSK rather than
|
|
# the MQTT username/password and so password_file will not be used for this
|
|
# listener.
|
|
#use_identity_as_username false
|
|
|
|
|
|
# =================================================================
|
|
# Persistence
|
|
# =================================================================
|
|
|
|
# If persistence is enabled, save the in-memory database to disk
|
|
# every autosave_interval seconds. If set to 0, the persistence
|
|
# database will only be written when mosquitto exits. See also
|
|
# autosave_on_changes.
|
|
# Note that writing of the persistence database can be forced by
|
|
# sending mosquitto a SIGUSR1 signal.
|
|
#autosave_interval 1800
|
|
|
|
# If true, mosquitto will count the number of subscription changes, retained
|
|
# messages received and queued messages and if the total exceeds
|
|
# autosave_interval then the in-memory database will be saved to disk.
|
|
# If false, mosquitto will save the in-memory database to disk by treating
|
|
# autosave_interval as a time in seconds.
|
|
#autosave_on_changes false
|
|
|
|
# Save persistent message data to disk (true/false).
|
|
# This saves information about all messages, including
|
|
# subscriptions, currently in-flight messages and retained
|
|
# messages.
|
|
# retained_persistence is a synonym for this option.
|
|
#persistence false
|
|
|
|
# The filename to use for the persistent database, not including
|
|
# the path.
|
|
#persistence_file mosquitto.db
|
|
|
|
# Location for persistent database.
|
|
# Default is an empty string (current directory).
|
|
# Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or
|
|
# similar.
|
|
#persistence_location
|
|
|
|
|
|
# =================================================================
|
|
# Logging
|
|
# =================================================================
|
|
|
|
# Places to log to. Use multiple log_dest lines for multiple
|
|
# logging destinations.
|
|
# Possible destinations are: stdout stderr syslog topic file dlt
|
|
#
|
|
# stdout and stderr log to the console on the named output.
|
|
#
|
|
# syslog uses the userspace syslog facility which usually ends up
|
|
# in /var/log/messages or similar.
|
|
#
|
|
# topic logs to the broker topic '$SYS/broker/log/<severity>',
|
|
# where severity is one of D, E, W, N, I, M which are debug, error,
|
|
# warning, notice, information and message. Message type severity is used by
|
|
# the subscribe/unsubscribe log_types and publishes log messages to
|
|
# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
|
|
#
|
|
# The file destination requires an additional parameter which is the file to be
|
|
# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
|
|
# closed and reopened when the broker receives a HUP signal. Only a single file
|
|
# destination may be configured.
|
|
#
|
|
# The dlt destination is for the automotive `Diagnostic Log and Trace` tool.
|
|
# This requires that Mosquitto has been compiled with DLT support.
|
|
#
|
|
# Note that if the broker is running as a Windows service it will default to
|
|
# "log_dest none" and neither stdout nor stderr logging is available.
|
|
# Use "log_dest none" if you wish to disable logging.
|
|
#log_dest stderr
|
|
|
|
# Types of messages to log. Use multiple log_type lines for logging
|
|
# multiple types of messages.
|
|
# Possible types are: debug, error, warning, notice, information,
|
|
# none, subscribe, unsubscribe, websockets, all.
|
|
# Note that debug type messages are for decoding the incoming/outgoing
|
|
# network packets. They are not logged in "topics".
|
|
#log_type error
|
|
#log_type warning
|
|
#log_type notice
|
|
#log_type information
|
|
|
|
|
|
# If set to true, client connection and disconnection messages will be included
|
|
# in the log.
|
|
#connection_messages true
|
|
|
|
# If using syslog logging (not on Windows), messages will be logged to the
|
|
# "daemon" facility by default. Use the log_facility option to choose which of
|
|
# local0 to local7 to log to instead. The option value should be an integer
|
|
# value, e.g. "log_facility 5" to use local5.
|
|
#log_facility
|
|
|
|
# If set to true, add a timestamp value to each log message.
|
|
#log_timestamp true
|
|
|
|
# Set the format of the log timestamp. If left unset, this is the number of
|
|
# seconds since the Unix epoch.
|
|
# This is a free text string which will be passed to the strftime function. To
|
|
# get an ISO 8601 datetime, for example:
|
|
# log_timestamp_format %Y-%m-%dT%H:%M:%S
|
|
#log_timestamp_format
|
|
|
|
# Change the websockets logging level. This is a global option, it is not
|
|
# possible to set per listener. This is an integer that is interpreted by
|
|
# libwebsockets as a bit mask for its lws_log_levels enum. See the
|
|
# libwebsockets documentation for more details. "log_type websockets" must also
|
|
# be enabled.
|
|
#websockets_log_level 0
|
|
|
|
|
|
# =================================================================
|
|
# Security
|
|
# =================================================================
|
|
|
|
# If set, only clients that have a matching prefix on their
|
|
# clientid will be allowed to connect to the broker. By default,
|
|
# all clients may connect.
|
|
# For example, setting "secure-" here would mean a client "secure-
|
|
# client" could connect but another with clientid "mqtt" couldn't.
|
|
#clientid_prefixes
|
|
|
|
# Boolean value that determines whether clients that connect
|
|
# without providing a username are allowed to connect. If set to
|
|
# false then a password file should be created (see the
|
|
# password_file option) to control authenticated client access.
|
|
#
|
|
# Defaults to false, unless there are no listeners defined in the configuration
|
|
# file, in which case it is set to true, but connections are only allowed from
|
|
# the local machine.
|
|
#allow_anonymous false
|
|
|
|
# -----------------------------------------------------------------
|
|
# Default authentication and topic access control
|
|
# -----------------------------------------------------------------
|
|
|
|
# Control access to the broker using a password file. This file can be
|
|
# generated using the mosquitto_passwd utility. If TLS support is not compiled
|
|
# into mosquitto (it is recommended that TLS support should be included) then
|
|
# plain text passwords are used, in which case the file should be a text file
|
|
# with lines in the format:
|
|
# username:password
|
|
# The password (and colon) may be omitted if desired, although this
|
|
# offers very little in the way of security.
|
|
#
|
|
# See the TLS client require_certificate and use_identity_as_username options
|
|
# for alternative authentication options. If a plugin is used as well as
|
|
# password_file, the plugin check will be made first.
|
|
#password_file
|
|
|
|
# Access may also be controlled using a pre-shared-key file. This requires
|
|
# TLS-PSK support and a listener configured to use it. The file should be text
|
|
# lines in the format:
|
|
# identity:key
|
|
# The key should be in hexadecimal format without a leading "0x".
|
|
# If an plugin is used as well, the plugin check will be made first.
|
|
#psk_file
|
|
|
|
# Control access to topics on the broker using an access control list
|
|
# file. If this parameter is defined then only the topics listed will
|
|
# have access.
|
|
# If the first character of a line of the ACL file is a # it is treated as a
|
|
# comment.
|
|
# Topic access is added with lines of the format:
|
|
#
|
|
# topic [read|write|readwrite|deny] <topic>
|
|
#
|
|
# The access type is controlled using "read", "write", "readwrite" or "deny".
|
|
# This parameter is optional (unless <topic> contains a space character) - if
|
|
# not given then the access is read/write. <topic> can contain the + or #
|
|
# wildcards as in subscriptions.
|
|
#
|
|
# The "deny" option can used to explicity deny access to a topic that would
|
|
# otherwise be granted by a broader read/write/readwrite statement. Any "deny"
|
|
# topics are handled before topics that grant read/write access.
|
|
#
|
|
# The first set of topics are applied to anonymous clients, assuming
|
|
# allow_anonymous is true. User specific topic ACLs are added after a
|
|
# user line as follows:
|
|
#
|
|
# user <username>
|
|
#
|
|
# The username referred to here is the same as in password_file. It is
|
|
# not the clientid.
|
|
#
|
|
#
|
|
# If is also possible to define ACLs based on pattern substitution within the
|
|
# topic. The patterns available for substition are:
|
|
#
|
|
# %c to match the client id of the client
|
|
# %u to match the username of the client
|
|
#
|
|
# The substitution pattern must be the only text for that level of hierarchy.
|
|
#
|
|
# The form is the same as for the topic keyword, but using pattern as the
|
|
# keyword.
|
|
# Pattern ACLs apply to all users even if the "user" keyword has previously
|
|
# been given.
|
|
#
|
|
# If using bridges with usernames and ACLs, connection messages can be allowed
|
|
# with the following pattern:
|
|
# pattern write $SYS/broker/connection/%c/state
|
|
#
|
|
# pattern [read|write|readwrite] <topic>
|
|
#
|
|
# Example:
|
|
#
|
|
# pattern write sensor/%u/data
|
|
#
|
|
# If an plugin is used as well as acl_file, the plugin check will be
|
|
# made first.
|
|
#acl_file
|
|
|
|
# -----------------------------------------------------------------
|
|
# External authentication and topic access plugin options
|
|
# -----------------------------------------------------------------
|
|
|
|
# External authentication and access control can be supported with the
|
|
# plugin option. This is a path to a loadable plugin. See also the
|
|
# plugin_opt_* options described below.
|
|
#
|
|
# The plugin option can be specified multiple times to load multiple
|
|
# plugins. The plugins will be processed in the order that they are specified
|
|
# here. If the plugin option is specified alongside either of
|
|
# password_file or acl_file then the plugin checks will be made first.
|
|
#
|
|
# If the per_listener_settings option is false, the plugin will be apply to all
|
|
# listeners. If per_listener_settings is true, then the plugin will apply to
|
|
# the current listener being defined only.
|
|
#
|
|
# This option is also available as `auth_plugin`, but this use is deprecated
|
|
# and will be removed in the future.
|
|
#
|
|
#plugin
|
|
|
|
# If the plugin option above is used, define options to pass to the
|
|
# plugin here as described by the plugin instructions. All options named
|
|
# using the format plugin_opt_* will be passed to the plugin, for example:
|
|
#
|
|
# This option is also available as `auth_opt_*`, but this use is deprecated
|
|
# and will be removed in the future.
|
|
#
|
|
# plugin_opt_db_host
|
|
# plugin_opt_db_port
|
|
# plugin_opt_db_username
|
|
# plugin_opt_db_password
|
|
|
|
|
|
# =================================================================
|
|
# Bridges
|
|
# =================================================================
|
|
|
|
# A bridge is a way of connecting multiple MQTT brokers together.
|
|
# Create a new bridge using the "connection" option as described below. Set
|
|
# options for the bridges using the remaining parameters. You must specify the
|
|
# address and at least one topic to subscribe to.
|
|
#
|
|
# Each connection must have a unique name.
|
|
#
|
|
# The address line may have multiple host address and ports specified. See
|
|
# below in the round_robin description for more details on bridge behaviour if
|
|
# multiple addresses are used. Note that if you use an IPv6 address, then you
|
|
# are required to specify a port.
|
|
#
|
|
# The direction that the topic will be shared can be chosen by
|
|
# specifying out, in or both, where the default value is out.
|
|
# The QoS level of the bridged communication can be specified with the next
|
|
# topic option. The default QoS level is 0, to change the QoS the topic
|
|
# direction must also be given.
|
|
#
|
|
# The local and remote prefix options allow a topic to be remapped when it is
|
|
# bridged to/from the remote broker. This provides the ability to place a topic
|
|
# tree in an appropriate location.
|
|
#
|
|
# For more details see the mosquitto.conf man page.
|
|
#
|
|
# Multiple topics can be specified per connection, but be careful
|
|
# not to create any loops.
|
|
#
|
|
# If you are using bridges with cleansession set to false (the default), then
|
|
# you may get unexpected behaviour from incoming topics if you change what
|
|
# topics you are subscribing to. This is because the remote broker keeps the
|
|
# subscription for the old topic. If you have this problem, connect your bridge
|
|
# with cleansession set to true, then reconnect with cleansession set to false
|
|
# as normal.
|
|
#connection <name>
|
|
#address <host>[:<port>] [<host>[:<port>]]
|
|
#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
|
|
|
|
# If you need to have the bridge connect over a particular network interface,
|
|
# use bridge_bind_address to tell the bridge which local IP address the socket
|
|
# should bind to, e.g. `bridge_bind_address 192.168.1.10`
|
|
#bridge_bind_address
|
|
|
|
# If a bridge has topics that have "out" direction, the default behaviour is to
|
|
# send an unsubscribe request to the remote broker on that topic. This means
|
|
# that changing a topic direction from "in" to "out" will not keep receiving
|
|
# incoming messages. Sending these unsubscribe requests is not always
|
|
# desirable, setting bridge_attempt_unsubscribe to false will disable sending
|
|
# the unsubscribe request.
|
|
#bridge_attempt_unsubscribe true
|
|
|
|
# Set the version of the MQTT protocol to use with for this bridge. Can be one
|
|
# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311.
|
|
#bridge_protocol_version mqttv311
|
|
|
|
# Set the clean session variable for this bridge.
|
|
# When set to true, when the bridge disconnects for any reason, all
|
|
# messages and subscriptions will be cleaned up on the remote
|
|
# broker. Note that with cleansession set to true, there may be a
|
|
# significant amount of retained messages sent when the bridge
|
|
# reconnects after losing its connection.
|
|
# When set to false, the subscriptions and messages are kept on the
|
|
# remote broker, and delivered when the bridge reconnects.
|
|
#cleansession false
|
|
|
|
# Set the amount of time a bridge using the lazy start type must be idle before
|
|
# it will be stopped. Defaults to 60 seconds.
|
|
#idle_timeout 60
|
|
|
|
# Set the keepalive interval for this bridge connection, in
|
|
# seconds.
|
|
#keepalive_interval 60
|
|
|
|
# Set the clientid to use on the local broker. If not defined, this defaults to
|
|
# 'local.<clientid>'. If you are bridging a broker to itself, it is important
|
|
# that local_clientid and clientid do not match.
|
|
#local_clientid
|
|
|
|
# If set to true, publish notification messages to the local and remote brokers
|
|
# giving information about the state of the bridge connection. Retained
|
|
# messages are published to the topic $SYS/broker/connection/<clientid>/state
|
|
# unless the notification_topic option is used.
|
|
# If the message is 1 then the connection is active, or 0 if the connection has
|
|
# failed.
|
|
# This uses the last will and testament feature.
|
|
#notifications true
|
|
|
|
# Choose the topic on which notification messages for this bridge are
|
|
# published. If not set, messages are published on the topic
|
|
# $SYS/broker/connection/<clientid>/state
|
|
#notification_topic
|
|
|
|
# Set the client id to use on the remote end of this bridge connection. If not
|
|
# defined, this defaults to 'name.hostname' where name is the connection name
|
|
# and hostname is the hostname of this computer.
|
|
# This replaces the old "clientid" option to avoid confusion. "clientid"
|
|
# remains valid for the time being.
|
|
#remote_clientid
|
|
|
|
# Set the password to use when connecting to a broker that requires
|
|
# authentication. This option is only used if remote_username is also set.
|
|
# This replaces the old "password" option to avoid confusion. "password"
|
|
# remains valid for the time being.
|
|
#remote_password
|
|
|
|
# Set the username to use when connecting to a broker that requires
|
|
# authentication.
|
|
# This replaces the old "username" option to avoid confusion. "username"
|
|
# remains valid for the time being.
|
|
#remote_username
|
|
|
|
# Set the amount of time a bridge using the automatic start type will wait
|
|
# until attempting to reconnect.
|
|
# This option can be configured to use a constant delay time in seconds, or to
|
|
# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree
|
|
# of randomness to when the restart occurs.
|
|
#
|
|
# Set a constant timeout of 20 seconds:
|
|
# restart_timeout 20
|
|
#
|
|
# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of
|
|
# 60 seconds:
|
|
# restart_timeout 10 30
|
|
#
|
|
# Defaults to jitter with a base of 5 and cap of 30
|
|
#restart_timeout 5 30
|
|
|
|
# If the bridge has more than one address given in the address/addresses
|
|
# configuration, the round_robin option defines the behaviour of the bridge on
|
|
# a failure of the bridge connection. If round_robin is false, the default
|
|
# value, then the first address is treated as the main bridge connection. If
|
|
# the connection fails, the other secondary addresses will be attempted in
|
|
# turn. Whilst connected to a secondary bridge, the bridge will periodically
|
|
# attempt to reconnect to the main bridge until successful.
|
|
# If round_robin is true, then all addresses are treated as equals. If a
|
|
# connection fails, the next address will be tried and if successful will
|
|
# remain connected until it fails
|
|
#round_robin false
|
|
|
|
# Set the start type of the bridge. This controls how the bridge starts and
|
|
# can be one of three types: automatic, lazy and once. Note that RSMB provides
|
|
# a fourth start type "manual" which isn't currently supported by mosquitto.
|
|
#
|
|
# "automatic" is the default start type and means that the bridge connection
|
|
# will be started automatically when the broker starts and also restarted
|
|
# after a short delay (30 seconds) if the connection fails.
|
|
#
|
|
# Bridges using the "lazy" start type will be started automatically when the
|
|
# number of queued messages exceeds the number set with the "threshold"
|
|
# parameter. It will be stopped automatically after the time set by the
|
|
# "idle_timeout" parameter. Use this start type if you wish the connection to
|
|
# only be active when it is needed.
|
|
#
|
|
# A bridge using the "once" start type will be started automatically when the
|
|
# broker starts but will not be restarted if the connection fails.
|
|
#start_type automatic
|
|
|
|
# Set the number of messages that need to be queued for a bridge with lazy
|
|
# start type to be restarted. Defaults to 10 messages.
|
|
# Must be less than max_queued_messages.
|
|
#threshold 10
|
|
|
|
# If try_private is set to true, the bridge will attempt to indicate to the
|
|
# remote broker that it is a bridge not an ordinary client. If successful, this
|
|
# means that loop detection will be more effective and that retained messages
|
|
# will be propagated correctly. Not all brokers support this feature so it may
|
|
# be necessary to set try_private to false if your bridge does not connect
|
|
# properly.
|
|
#try_private true
|
|
|
|
# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism
|
|
# for brokers to tell clients that they do not support retained messages, but
|
|
# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a
|
|
# v3.1.1 or v3.1 broker that does not support retained messages, set the
|
|
# bridge_outgoing_retain option to false. This will remove the retain bit on
|
|
# all outgoing messages to that bridge, regardless of any other setting.
|
|
#bridge_outgoing_retain true
|
|
|
|
# If you wish to restrict the size of messages sent to a remote bridge, use the
|
|
# bridge_max_packet_size option. This sets the maximum number of bytes for
|
|
# the total message, including headers and payload.
|
|
# Note that MQTT v5 brokers may provide their own maximum-packet-size property.
|
|
# In this case, the smaller of the two limits will be used.
|
|
# Set to 0 for "unlimited".
|
|
#bridge_max_packet_size 0
|
|
|
|
|
|
# -----------------------------------------------------------------
|
|
# Certificate based SSL/TLS support
|
|
# -----------------------------------------------------------------
|
|
# Either bridge_cafile or bridge_capath must be defined to enable TLS support
|
|
# for this bridge.
|
|
# bridge_cafile defines the path to a file containing the
|
|
# Certificate Authority certificates that have signed the remote broker
|
|
# certificate.
|
|
# bridge_capath defines a directory that will be searched for files containing
|
|
# the CA certificates. For bridge_capath to work correctly, the certificate
|
|
# files must have ".crt" as the file ending and you must run "openssl rehash
|
|
# <path to capath>" each time you add/remove a certificate.
|
|
#bridge_cafile
|
|
#bridge_capath
|
|
|
|
|
|
# If the remote broker has more than one protocol available on its port, e.g.
|
|
# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
|
|
# requested. Note that WebSockets support for bridges is not yet available.
|
|
#bridge_alpn
|
|
|
|
# When using certificate based encryption, bridge_insecure disables
|
|
# verification of the server hostname in the server certificate. This can be
|
|
# useful when testing initial server configurations, but makes it possible for
|
|
# a malicious third party to impersonate your server through DNS spoofing, for
|
|
# example. Use this option in testing only. If you need to resort to using this
|
|
# option in a production environment, your setup is at fault and there is no
|
|
# point using encryption.
|
|
#bridge_insecure false
|
|
|
|
# Path to the PEM encoded client certificate, if required by the remote broker.
|
|
#bridge_certfile
|
|
|
|
# Path to the PEM encoded client private key, if required by the remote broker.
|
|
#bridge_keyfile
|
|
|
|
# -----------------------------------------------------------------
|
|
# PSK based SSL/TLS support
|
|
# -----------------------------------------------------------------
|
|
# Pre-shared-key encryption provides an alternative to certificate based
|
|
# encryption. A bridge can be configured to use PSK with the bridge_identity
|
|
# and bridge_psk options. These are the client PSK identity, and pre-shared-key
|
|
# in hexadecimal format with no "0x". Only one of certificate and PSK based
|
|
# encryption can be used on one
|
|
# bridge at once.
|
|
#bridge_identity
|
|
#bridge_psk
|
|
|
|
|
|
# =================================================================
|
|
# External config files
|
|
# =================================================================
|
|
|
|
# External configuration files may be included by using the
|
|
# include_dir option. This defines a directory that will be searched
|
|
# for config files. All files that end in '.conf' will be loaded as
|
|
# a configuration file. It is best to have this as the last option
|
|
# in the main file. This option will only be processed from the main
|
|
# configuration file. The directory specified must not contain the
|
|
# main configuration file.
|
|
# Files within include_dir will be loaded sorted in case-sensitive
|
|
# alphabetical order, with capital letters ordered first. If this option is
|
|
# given multiple times, all of the files from the first instance will be
|
|
# processed before the next instance. See the man page for examples.
|
|
#include_dir
|
|
listener 1883 0.0.0.0
|
|
autosave_interval 86400 # once a day
|
|
persistence true
|
|
persistence_location /root/bkpscript
|
|
allow_anonymous true
|
|
CFGEOF
|
|
|
|
# WARNING: /etc/bird.conf не существует
|
|
# WARNING: /etc/bird4.conf не существует
|
|
#----------------------------------------------------
|
|
#Generating cron
|
|
#----------------------------------------------------
|
|
|