  • MQTT server (Broker)

    General configuration

    # Use per listener security settings.
    #
    # It is recommended that this option be set first.
    #
    # If this option is set to true, then all authentication and access control
    # options are controlled on a per listener basis. The following options are
    # affected:
    #
    # password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
    # auto_id_prefix allow_zero_length_clientid
    #
    # Note that if set to true, then a persistent client (i.e. with clean session set to false) that has disconnected will use the ACL settings defined for the listener it most recently connected to.
    # The default behaviour is for this to be set to false, which keeps the setting behaviour of previous versions of mosquitto.
    #per_listener_settings false
    
    
    # If a client is subscribed to multiple overlapping subscriptions, e.g. foo/# and foo/+/baz, then MQTT expects
    # that when the broker receives a message on a topic that matches both subscriptions, e.g. foo/bar/baz, the client receives the message only once.
    # Mosquitto keeps track of which clients a message has been sent to in order to meet this requirement. The allow_duplicate_messages option allows this behaviour to be disabled,
    # which may be useful if you have a large number of clients subscribed to the same set of topics and are very concerned about
    # minimising memory usage. It can be safely set to true if you know in advance that your clients will never have overlapping subscriptions;
    # otherwise your clients must be able to correctly deal with duplicate messages even when using QoS=2.
    
    #allow_duplicate_messages false
    
    # This option controls whether a client is allowed to connect with a zero length client id. This option only affects clients using MQTT v3.1.1 and later.
    # If set to false, clients connecting with a zero length client id are disconnected.
    # If set to true, the broker will allocate a client id to the client.
    # This means it is only useful for clients with clean session set to true.
    
    #allow_zero_length_clientid true
    
    # If allow_zero_length_clientid is true, this option allows you to set a prefix for automatically generated client ids to aid visibility in logs.
    # Defaults to 'auto-'
    
    #auto_id_prefix auto-
    
    # This option affects the scenario where a client subscribes to a topic that has retained messages.
    # The client that published a retained message to the topic may have had access at the time it published, but that access may have since been removed.
    # If check_retain_source is set to true (the default), the source of a retained message will be checked for access rights before the message is republished.
    # When set to false, no check is made and the retained message will always be published. This affects all listeners.
    
    #check_retain_source true
    
    # QoS 1 and 2 messages will be allowed in flight per client until this limit is exceeded. Defaults to 0. (No maximum)
    # See also max_inflight_messages
    #max_inflight_bytes 0
    
    # The maximum number of QoS 1 and 2 messages currently in flight per client.
    # This includes messages that are partway through handshakes and those that are being retried. Defaults to 20. Set to 0 for no maximum. Setting to 1 will guarantee in-order delivery of QoS 1 and 2 messages.
    
    #max_inflight_messages 20
    
    # For MQTT v5 clients, it is possible to have the server send a "server keepalive" value that will override the keepalive value set by the client.
    # This is intended as a mechanism to say that the server will disconnect the client earlier than it anticipated, and that the client should use the new keepalive value.
    # The max_keepalive option allows you to specify that clients may only connect with a keepalive less than or equal to this value;
    # otherwise they will be sent a server keepalive telling them to use max_keepalive.
    # This only applies to MQTT v5 clients. The maximum allowed value is 65535. Do not set below 10.
    
    #max_keepalive 65535
    
    # For MQTT v5 clients, it is possible to have the server send a "maximum packet size" value that instructs the client that the server will not accept MQTT packets larger than max_packet_size bytes.
    # This applies to the full MQTT packet, not just the payload. Setting this option to a positive value sets the maximum packet size to that number of bytes.
    # If a client sends a packet larger than this value, it will be disconnected. This applies to all clients regardless of the protocol version they use,
    # but v3.1.1 and earlier clients will of course not have received the maximum packet size information. Defaults to no limit.
    # Setting this below 20 bytes is forbidden because it is likely to interfere with normal client operation even with small payloads.
    
    #max_packet_size 0
    
    # QoS 1 and 2 messages above those currently in flight will be queued per client until this limit is exceeded. Defaults to 0. (No maximum)
    # See also max_queued_messages.
    # If both max_queued_messages and max_queued_bytes are specified, packets will be queued until the first limit is reached.
    
    #max_queued_bytes 0
    
    # The maximum number of QoS 1 and 2 messages to hold in a queue per client above those that are currently in flight.
    # Defaults to 100. Set to 0 for no maximum (not recommended).
    # See also queue_qos0_messages.
    # See also max_queued_bytes.
    
    #max_queued_messages 100
    
    # This option sets the maximum number of heap memory bytes that the broker will allocate, and therefore sets a hard limit on the memory used by the broker.
    # Memory requests that exceed this value will be denied. The effect varies depending on what was denied. If an incoming message is being processed, the message will be dropped
    # and the publishing client will be disconnected. If an outgoing message is being sent, the individual message will be dropped and the receiving client will be disconnected.
    # Defaults to no limit.
    
    #memory_limit 0
    
    # This option sets the maximum publish payload size that the broker will allow.
    # Received messages that exceed this size will not be accepted by the broker.
    # The default value is 0, which means all valid MQTT messages are accepted. MQTT imposes a maximum payload size of 268435455 bytes (256M).
    #message_size_limit 0
    
    # This option allows persistent clients (those with clean session set to false) to be removed if they do not reconnect within a certain time frame.
    # This is a non-standard option in MQTT V3.1 but is allowed in MQTT v3.1.1.
    # Badly designed clients may set clean session to false while using a randomly generated client id.
    # This leads to persistent clients that will never reconnect. This option allows such clients to be removed.
    # The expiration period should be an integer followed by one of h d w m y for hours, days, weeks, months and years respectively. For example
    # persistent_client_expiration 2m
    # persistent_client_expiration 14d
    # persistent_client_expiration 1y
    # If not set, the default is to never expire persistent clients.
    
    #persistent_client_expiration
    
    # Write the process id to a file. Default is a blank string, which means a pid file should not be written.
    # If mosquitto is run automatically on boot using an init script with start-stop-daemon or similar,
    # this should be set to /var/run/mosquitto.pid.
    # Paths that appear in these configuration notes, such as "/var/run/mosquitto" or "/var/log/messages", are relative paths from the root of the system drive;
    # on Windows, for example, "/var/run/mosquitto" means "c:\var\run\mosquitto".
    
    #pid_file
    
    # Set to true to queue QoS 0 messages while a persistent client is disconnected.
    # These messages are included in the limits imposed by max_queued_messages and max_queued_bytes.
    # Defaults to false.
    # This is a non-standard option for the MQTT v3.1 spec but is allowed in v3.1.1.
    
    #queue_qos0_messages false
    
    # Set to false to disable retained message support. If a client publishes a
    # message with the retain bit set, it will be disconnected if this is set to
    # false.
    
    #retain_available true
    
    # Disable Nagle's algorithm on client sockets. This has the effect of reducing latency of individual messages at the potential cost of increasing the number of packets being sent.
    
    #set_tcp_nodelay false
    
    # Time in seconds between updates of the $SYS tree.
    # Set to 0 to disable publishing of the $SYS tree.
    
    #sys_interval 10
    
    # The MQTT specification requires that the QoS of a message delivered to a
    # subscriber is never upgraded to match the QoS of the subscription. Enabling
    # this option changes this behaviour. If upgrade_outgoing_qos is set true,
    # messages sent to a subscriber will always match the QoS of its subscription.
    # This is a non-standard option explicitly disallowed by the spec.
    
    #upgrade_outgoing_qos false
    
    # When run as root, drop privileges to this user and its primary group.
    # Set to root to stay as root, but this is not recommended.
    # If run as a non-root user, this setting has no effect.
    # Note that on Windows this has no effect, so mosquitto should be started by the user you wish it to run as.
    
    #user mosquitto
    

    =================================================================

    Default listener

    # IP address/hostname to bind the default listener to.
    # If not given, the default listener will not be bound to a specific address and so will be accessible on all network interfaces.
    # Usage: bind_address ip-address/host name
    
    #bind_address
    
    # Port number (port)
    
    #port 1883
    
    # Bind the listener to a specific interface. This is similar to bind_address above, but is useful when an interface has multiple addresses or the address may change.
    # It is valid to use this together with the bind_address option, but take care that the interface you bind to contains the address you bind to, otherwise you will not be able to connect.
    # Example: bind_interface eth0
    
    #bind_interface
    
    # When a listener is using the websockets protocol, it is possible to serve http data as well.
    # Set http_dir to a directory containing the files you wish to serve. If this option is not specified, no normal http connections will be possible.
    
    #http_dir
    
    # The maximum number of client connections to allow. This is a per listener setting.
    # Default is -1, which means unlimited connections.
    # Note that other process limits mean that unlimited connections are not really possible.
    # Typically the default maximum number of connections possible is around 1024.
    
    #max_connections -1
    
    # Choose the protocol to use when listening.
    # This can be either mqtt or websockets.
    # Websockets support is currently disabled by default at compile time. Certificate based TLS may be used with websockets,
    # except that only the cafile, certfile, keyfile and ciphers options are supported.
    
    #protocol mqtt
    
    # Set use_username_as_clientid to true to replace the clientid that a client connected with with its username.
    # This allows authentication to be tied to the clientid, which means it is possible to prevent one client disconnecting another by using the same clientid.
    # If a client connects with no username it will be disconnected as not authorised when this option is set to true.
    # Do not use in conjunction with clientid_prefixes.
    # See also use_identity_as_username.
    
    #use_username_as_clientid
    

    Certificate based SSL/TLS support

    # The following options can be used to enable SSL/TLS support for this listener. Note that the recommended port for MQTT over TLS is 8883, but this must be set manually.
    
    # See also the mosquitto-tls man page.
    
    # At least one of cafile or capath must be defined. They both define methods of accessing the PEM encoded
    # Certificate Authority certificates that have signed your server certificate and that you wish to trust.
    # cafile defines the path to a file containing the CA certificates.
    # capath defines a directory
    # that will be searched for files containing the CA certificates.
    # For capath to work correctly, the certificate files must have ".crt" as the file ending and you must run
    # "openssl rehash <path to capath>" each time you add/remove a certificate.
    
    #cafile
    #capath
    
    # Path to the PEM encoded server certificate.
    #certfile
    
    # Path to the PEM encoded keyfile.
    #keyfile
    
    
    # If require_certificate is set to true, you can create a certificate revocation list file to revoke access to particular client certificates.
    # If you have done this, use crlfile to point to the PEM encoded revocation file.
    
    #crlfile
    
    # If you wish to control which encryption ciphers are used, use the ciphers option.
    # The list of available ciphers can be obtained using the "openssl ciphers" command and should be provided in the same format as the output of that command.
    # Default: DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
    
    #ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
    
    # To allow the use of ephemeral DH key exchange, which provides forward security, the listener must load DH parameters.
    # This can be specified with the dhparamfile option. The dhparamfile can be generated with the command
    # e.g. "openssl dhparam -out dhparam.pem 2048"
    
    #dhparamfile
    
    # By default a TLS enabled listener operates in a similar fashion to an https enabled web server, in that the server has a certificate signed by a CA
    # and the client verifies that it is a trusted certificate. The overall aim is encryption of the network traffic.
    # If require_certificate is set to true, the client must provide a valid certificate in order for the network connection to proceed.
    # This allows access to the broker to be controlled outside of the mechanisms provided by MQTT.
    
    #require_certificate false
    
    # This option defines the version of the TLS protocol to use for this listener.
    # The default value allows all of v1.3, v1.2 and v1.1. Valid values are tlsv1.3, tlsv1.2 and tlsv1.1.
    
    #tls_version
    
    # If require_certificate is true, you may set use_identity_as_username to true to use the CN value from the client certificate as the username.
    # If this is true, the password_file option will not be used for this listener.
    # This takes priority over use_subject_as_username.
    # See also use_subject_as_username.
    
    #use_identity_as_username false
    
    # If require_certificate is true, you may set use_subject_as_username to true to use the complete subject value from the client certificate as the username.
    # If this is true, the password_file option will not be used for this listener.
    # See also use_identity_as_username
    
    #use_subject_as_username false
    

    Pre-shared-key based SSL/TLS support

    # The following options can be used to enable PSK based SSL/TLS support for
    # this listener. Note that the recommended port for MQTT over TLS is 8883, but
    # this must be set manually.
    #
    # See also the mosquitto-tls man page and the "Certificate based SSL/TLS
    # support" section. Only one of certificate or PSK encryption support can be
    # enabled for any listener.
    
    # The psk_hint option enables pre-shared-key support for this listener and also
    # acts as an identifier for this listener. The hint is sent to clients and may
    # be used locally to aid authentication. The hint is a free form string that
    # doesn't have much meaning in itself, so feel free to be creative.
    # If this option is provided, see psk_file to define the pre-shared keys to be
    # used or create a security plugin to handle them.
    #psk_hint
    
    # When using PSK, the encryption ciphers used will be chosen from the list of
    # available PSK ciphers. If you want to control which ciphers are available,
    # use the "ciphers" option.  The list of available ciphers can be obtained
    # using the "openssl ciphers" command and should be provided in the same format
    # as the output of that command.
    #ciphers
    
    # Set use_identity_as_username to have the psk identity sent by the client used
    # as its username. Authentication will be carried out using the PSK rather than
    # the MQTT username/password and so password_file will not be used for this
    # listener.
    #use_identity_as_username false
    

    =================================================================

    Extra listeners

    # Listen on a port/ip address combination. By using this variable
    # multiple times, mosquitto can listen on more than one port. If
    # this variable is used and neither bind_address nor port given,
    # then the default listener will not be started.
    # The port number to listen on must be given. Optionally, an ip
    # address or host name may be supplied as a second argument. In
    # this case, mosquitto will attempt to bind the listener to that
    # address and so restrict access to the associated network and
    # interface. By default, mosquitto will listen on all interfaces.
    # Note that for a websockets listener it is not possible to bind to a host
    # name.
    # listener port-number [ip address/host name]
    #listener
    
    # Bind the listener to a specific interface. This is similar to
    # the [ip address/host name] part of the listener definition, but is useful
    # when an interface has multiple addresses or the address may change. It is
    # valid to use this with the [ip address/host name] part of the listener
    # definition, but take care that the interface you are binding to contains the
    # address you are binding to, otherwise you will not be able to connect.
    # Only available on Linux and requires elevated privileges.
    #
    # Example: bind_interface eth0
    #bind_interface
    
    # When a listener is using the websockets protocol, it is possible to serve
    # http data as well. Set http_dir to a directory which contains the files you
    # wish to serve. If this option is not specified, then no normal http
    # connections will be possible.
    #http_dir
    
    # The maximum number of client connections to allow. This is
    # a per listener setting.
    # Default is -1, which means unlimited connections.
    # Note that other process limits mean that unlimited connections
    # are not really possible. Typically the default maximum number of
    # connections possible is around 1024.
    #max_connections -1
    
    # The listener can be restricted to operating within a topic hierarchy using
    # the mount_point option. This is achieved by prefixing the mount_point string
    # to all topics for any clients connected to this listener. This prefixing only
    # happens internally to the broker; the client will not see the prefix.
    #mount_point
    
    # Choose the protocol to use when listening.
    # This can be either mqtt or websockets.
    # Certificate based TLS may be used with websockets, except that only the
    # cafile, certfile, keyfile and ciphers options are supported.
    #protocol mqtt
    
    # Set use_username_as_clientid to true to replace the clientid that a client
    # connected with with its username. This allows authentication to be tied to
    # the clientid, which means that it is possible to prevent one client
    # disconnecting another by using the same clientid.
    # If a client connects with no username it will be disconnected as not
    # authorised when this option is set to true.
    # Do not use in conjunction with clientid_prefixes.
    # See also use_identity_as_username.
    #use_username_as_clientid
    
    # Change the websockets headers size. This is a global option, it is not
    # possible to set per listener. This option sets the size of the buffer used in
    # the libwebsockets library when reading HTTP headers. If you are passing large
    # header data such as cookies then you may need to increase this value. If left
    # unset, or set to 0, then the default of 1024 bytes will be used.
    #websockets_headers_size
    

    Certificate based SSL/TLS support

    # The following options can be used to enable certificate based SSL/TLS support
    # for this listener. Note that the recommended port for MQTT over TLS is 8883,
    # but this must be set manually.
    #
    # See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
    # support" section. Only one of certificate or PSK encryption support can be
    # enabled for any listener.
    
    # At least one of cafile or capath must be defined to enable certificate based
    # TLS encryption. They both define methods of accessing the PEM encoded
    # Certificate Authority certificates that have signed your server certificate
    # and that you wish to trust.
    # cafile defines the path to a file containing the CA certificates.
    # capath defines a directory that will be searched for files
    # containing the CA certificates. For capath to work correctly, the
    # certificate files must have ".crt" as the file ending and you must run
    # "openssl rehash <path to capath>" each time you add/remove a certificate.
    #cafile
    #capath
    
    # Path to the PEM encoded server certificate.
    #certfile
    
    # Path to the PEM encoded keyfile.
    #keyfile
    
    
    # If you wish to control which encryption ciphers are used, use the ciphers
    # option. The list of available ciphers can be obtained using the "openssl
    # ciphers" command and should be provided in the same format as the output of
    # that command.
    #ciphers
    
    # If you have require_certificate set to true, you can create a certificate
    # revocation list file to revoke access to particular client certificates. If
    # you have done this, use crlfile to point to the PEM encoded revocation file.
    #crlfile
    
    # To allow the use of ephemeral DH key exchange, which provides forward
    # security, the listener must load DH parameters. This can be specified with
    # the dhparamfile option. The dhparamfile can be generated with the command
    # e.g. "openssl dhparam -out dhparam.pem 2048"
    #dhparamfile
    
    # By default a TLS enabled listener will operate in a similar fashion to a
    # https enabled web server, in that the server has a certificate signed by a CA
    # and the client will verify that it is a trusted certificate. The overall aim
    # is encryption of the network traffic. By setting require_certificate to true,
    # the client must provide a valid certificate in order for the network
    # connection to proceed. This allows access to the broker to be controlled
    # outside of the mechanisms provided by MQTT.
    #require_certificate false
    
    # If require_certificate is true, you may set use_identity_as_username to true
    # to use the CN value from the client certificate as a username. If this is
    # true, the password_file option will not be used for this listener.
    #use_identity_as_username false
    

    Pre-shared-key based SSL/TLS support

    # The following options can be used to enable PSK based SSL/TLS support for
    # this listener. Note that the recommended port for MQTT over TLS is 8883, but
    # this must be set manually.
    #
    # See also the mosquitto-tls man page and the "Certificate based SSL/TLS
    # support" section. Only one of certificate or PSK encryption support can be
    # enabled for any listener.
    
    # The psk_hint option enables pre-shared-key support for this listener and also
    # acts as an identifier for this listener. The hint is sent to clients and may
    # be used locally to aid authentication. The hint is a free form string that
    # doesn't have much meaning in itself, so feel free to be creative.
    # If this option is provided, see psk_file to define the pre-shared keys to be
    # used or create a security plugin to handle them.
    #psk_hint
    
    # When using PSK, the encryption ciphers used will be chosen from the list of
    # available PSK ciphers. If you want to control which ciphers are available,
    # use the "ciphers" option.  The list of available ciphers can be obtained
    # using the "openssl ciphers" command and should be provided in the same format
    # as the output of that command.
    #ciphers
    
    # Set use_identity_as_username to have the psk identity sent by the client used
    # as its username. Authentication will be carried out using the PSK rather than
    # the MQTT username/password and so password_file will not be used for this
    # listener.
    #use_identity_as_username false
    

    Persistence

    # If persistence is enabled, save the in-memory database to disk every autosave_interval seconds.
    # If set to 0, the persistence database is only written when mosquitto exits. See also autosave_on_changes.
    # Note that writing of the persistence database can be forced by sending mosquitto a SIGUSR1 signal.
    #autosave_interval 1800
    
    # If true, mosquitto counts the number of subscription changes, retained messages received and queued messages, and if the total exceeds autosave_interval
    # the in-memory database is saved to disk. If false, mosquitto saves the in-memory database to disk by treating autosave_interval as a number of seconds.
    
    #autosave_on_changes false
    
    # Save persistent message data to disk (true/false). This saves information about all messages, including subscriptions, currently in-flight messages and retained messages.
    # retained_persistence is a synonym for this option.
    
    #persistence false
    
    # The filename to use for the persistent database, not including the path.
    
    #persistence_file mosquitto.db
    
    # Location for the persistent database. Must include a trailing /
    # Default is an empty string (current directory). Set to /var/lib/mosquitto/
    # if running as a proper service on Linux or similar.
    # Paths that appear in these configuration notes, such as "/var/run/mosquitto" or "/var/log/messages", are relative paths from the root of the system drive;
    # on Windows, for example, "/var/run/mosquitto" means "c:\var\run\mosquitto".
    
    #persistence_location
    

    Logging

    # Places to log to. Use multiple log_dest lines for multiple
    # logging destinations.
    #
    #
    # stdout and stderr log to the console on the named output.
    #
    # syslog uses the userspace syslog facility which usually ends up
    # in /var/log/messages or similar.
    #
    # topic logs to the broker topic '$SYS/broker/log/<severity>',
    # where severity is one of D, E, W, N, I, M which are debug, error,
    # warning, notice, information and message. Message type severity is used by
    # the subscribe/unsubscribe log_types and publishes log messages to
    # $SYS/broker/log/M/subscribe or $SYS/broker/log/M/unsubscribe.
    #
    # The file destination requires an additional parameter which is the file to be
    # logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
    # closed and reopened when the broker receives a HUP signal. Only a single file
    # destination may be configured.
    #
    # Note that if the broker is running as a Windows service it will default to "log_dest none" and neither stdout nor stderr logging is available.
    # Possible values are: stdout stderr syslog topic file
    # File example (two parameters): log_dest file /var/log/mosquitto.log
    # Use "log_dest none" if you wish to disable logging.
    
    #log_dest stderr
    
    # Types of messages to log. Use multiple log_type lines for logging
    # multiple types of messages.
    # Possible types are: debug, error, warning, notice, information,
    # none, subscribe, unsubscribe, websockets, all.
    # Note that debug type messages are for decoding the incoming/outgoing
    # network packets. They are not logged in "topics".
    #log_type error
    #log_type warning
    #log_type notice
    #log_type information
    
    
    # If set to true, client connection and disconnection messages will be included in the log.
    
    #connection_messages true
    
    # If using syslog logging (not on Windows), messages will be logged to the
    # "daemon" facility by default. Use the log_facility option to choose which of
    # local0 to local7 to log to instead. The option value should be an integer
    # value, e.g. "log_facility 5" to use local5.
    #log_facility
    
    # If set to true, add a timestamp value to each log message.
    #log_timestamp true
    
    # Set the format of the log timestamp. If left unset, this is the number of
    # seconds since the Unix epoch.
    # This is a free text string which will be passed to the strftime function. To
    # get an ISO 8601 datetime, for example:
    # log_timestamp_format %Y-%m-%dT%H:%M:%S
    log_timestamp_format %Y-%m-%dT%H:%M:%S
    
    # Change the websockets logging level. This is a global option; it is not possible to set it per listener.
    # This is an integer that libwebsockets interprets as a bit mask for its lws_log_levels enum.
    # See the libwebsockets documentation for more details.
    # "log_type websockets" must also be enabled.
    
    #websockets_log_level 0
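    With connection_messages true and a file log destination, the broker writes one timestamped line per connection attempt and another once the client has actually authenticated. The following Python script is an added example, not part of these notes or of mosquitto itself: it reads such a file (using the ISO 8601 log_timestamp_format set above, or the default epoch seconds) and flags source addresses whose attempts repeatedly never reach "New client connected". The message wording follows mosquitto's 1.6-style connection messages (address without a port suffix); SAMPLE_LOG is constructed, and the function names are my own.

```python
"""Flag source addresses whose connection attempts keep failing, from the lines
connection_messages writes to the log_dest file. Added example, not mosquitto
code: the wording follows mosquitto's 1.6-style connection messages, and
SAMPLE_LOG is a constructed sample using log_timestamp_format %Y-%m-%dT%H:%M:%S."""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+): (?P<msg>.*)$")
NEW_CONN_RE = re.compile(r"^New connection from (?P<ip>\S+) on port \d+\.$")
CLIENT_OK_RE = re.compile(r"^New client connected from (?P<ip>\S+) as ")


def parse_timestamp(ts: str) -> float:
    """Accept the default epoch-seconds stamp or the ISO 8601 form produced by
    log_timestamp_format %Y-%m-%dT%H:%M:%S (read as UTC here)."""
    if ts.isdigit():
        return float(ts)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def detect_failed_connections(lines, window_s: int = 60, threshold: int = 5) -> dict[str, int]:
    """Return {ip: attempts} for addresses that accumulated `threshold` connection
    attempts inside `window_s` seconds without a matching 'New client connected'
    line. A success is paired with the oldest open attempt from the same address,
    which is an approximation when many connections from one address overlap."""
    pending: dict[str, deque] = defaultdict(deque)   # ip -> timestamps of attempts not yet completed
    alerts: dict[str, int] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                  # not a timestamped broker line
        ts, msg = parse_timestamp(m["ts"]), m["msg"]
        ok = CLIENT_OK_RE.match(msg)
        if ok:
            if pending[ok["ip"]]:
                pending[ok["ip"]].popleft()           # that attempt completed, forget it
            continue
        new = NEW_CONN_RE.match(msg)
        if not new:
            continue                                  # disconnects, socket errors and other messages
        q = pending[new["ip"]]
        q.append(ts)
        while q and q[0] < ts - window_s:
            q.popleft()                               # attempts outside the window no longer count
        if len(q) >= threshold:
            alerts[new["ip"]] = max(alerts.get(new["ip"], 0), len(q))
    return alerts


# Constructed sample: one well-behaved device and one address that never gets past CONNECT.
SAMPLE_LOG = """\
2021-03-01T10:15:00: New connection from 192.0.2.10 on port 1883.
2021-03-01T10:15:00: New client connected from 192.0.2.10 as sensor-7 (p2, c1, k60).
2021-03-01T10:15:01: New connection from 198.51.100.7 on port 1883.
2021-03-01T10:15:01: Client <unknown> disconnected, not authorised.
2021-03-01T10:15:02: New connection from 198.51.100.7 on port 1883.
2021-03-01T10:15:02: Client <unknown> disconnected, not authorised.
2021-03-01T10:15:03: New connection from 198.51.100.7 on port 1883.
2021-03-01T10:15:03: Socket error on client <unknown>, disconnecting.
2021-03-01T10:15:30: New connection from 198.51.100.7 on port 1883.
2021-03-01T10:15:31: New connection from 198.51.100.7 on port 1883.
2021-03-01T10:16:40: New connection from 192.0.2.10 on port 1883.
2021-03-01T10:16:40: New client connected from 192.0.2.10 as sensor-7 (p2, c1, k60).
"""

if __name__ == "__main__":
    print(detect_failed_connections(SAMPLE_LOG.splitlines()))
```

    The detector deliberately keys on the absence of a success line rather than on the exact wording of the failure line, so TLS handshake failures, bad credentials and port scans all count the same way; point it at the file named in log_dest with `detect_failed_connections(open(path))`.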
    

    Security

    # If set, only clients whose clientid starts with the given prefix will be allowed to connect to the broker. By default, all clients may connect.
    # For example, setting "secure-" here means a client "secure-client" can connect but another client with clientid "mqtt" cannot.
    
    #clientid_prefixes
    
    # Boolean value that determines whether clients that connect without providing a username are allowed to connect.
    # If set to false then a password file should be created (see the password_file option) to control authenticated client access.
    # Defaults to true if no other security options are set.
    # If `password_file` or `psk_file` is set, or if an authentication plugin is loaded that implements username/password or TLS-PSK checks,
    # then `allow_anonymous` defaults to false.
    
    #allow_anonymous true
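    The options in this and the preceding sections are easy to audit mechanically. The following Python script is an added example, not mosquitto code and not part of the original notes: it parses a mosquitto.conf in the `key value` form used throughout this file, groups options under the `listener` line they follow, and reports the settings flagged above as risky (allow_anonymous true or defaulting to true, user root, max_queued_messages 0, listeners without any TLS material, tlsv1.1). WEAK_CONF and HARDENED_CONF are constructed samples with placeholder paths.

```python
"""Audit a mosquitto.conf for the risky settings the comments above describe.
Added example, not mosquitto code: WEAK_CONF and HARDENED_CONF are constructed
samples, and the paths in them are placeholders."""
from __future__ import annotations

AUTH_KEYS = ("password_file", "psk_file", "auth_plugin")   # any of these makes allow_anonymous default to false
TLS_KEYS = ("cafile", "capath", "certfile", "psk_hint")    # any of these means the listener is encrypted


def parse_conf(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs in file order; '#' comment lines and blanks are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        pairs.append((key, value.strip()))
    return pairs


def group_by_listener(pairs: list[tuple[str, str]]) -> dict[str, dict[str, str]]:
    """Options before the first 'listener' line form the 'default' group (global
    options and the default listener); each 'listener' line opens a new group that
    the options following it apply to. For the single-valued options checked here
    the last occurrence of a key wins."""
    groups: dict[str, dict[str, str]] = {"default": {}}
    current = "default"
    for key, value in pairs:
        if key == "listener":
            current = f"listener {value}"
            groups[current] = {}
        groups[current][key] = value
    return groups


def audit(text: str) -> list[str]:
    """Return one finding per risky setting; an empty list means nothing was flagged."""
    groups = group_by_listener(parse_conf(text))
    all_opts = {k: v for opts in groups.values() for k, v in opts.items()}
    findings: list[str] = []

    if all_opts.get("allow_anonymous") == "true":
        findings.append("allow_anonymous true: unauthenticated clients are accepted")
    elif "allow_anonymous" not in all_opts and not any(k in all_opts for k in AUTH_KEYS):
        findings.append("no password_file/psk_file/auth_plugin: allow_anonymous defaults to true")

    if all_opts.get("user") == "root":
        findings.append("user root: broker keeps root privileges after start")

    if all_opts.get("max_queued_messages") == "0":
        findings.append("max_queued_messages 0: per-client queue is unbounded")

    for name, opts in groups.items():
        # With explicit 'listener' lines and neither port nor bind_address, no default listener is started.
        if name == "default" and len(groups) > 1 and not any(k in opts for k in ("port", "bind_address")):
            continue
        if not any(k in opts for k in TLS_KEYS):
            findings.append(f"{name}: no TLS material, traffic and credentials travel in clear text")
        elif opts.get("tls_version") == "tlsv1.1":
            findings.append(f"{name}: tls_version tlsv1.1 is obsolete, use tlsv1.2 or tlsv1.3")
    return findings


WEAK_CONF = """\
# constructed sample: an out-of-the-box style broker
port 1883
allow_anonymous true
max_queued_messages 0
user root
"""

HARDENED_CONF = """\
# constructed sample: one TLS listener, client certificates plus passwords (placeholder paths)
per_listener_settings true
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1.2
require_certificate true
password_file /etc/mosquitto/passwd
allow_anonymous false
max_queued_messages 100
user mosquitto
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

    An empty configuration file is reported too, since with no options at all mosquitto starts a plaintext default listener and allow_anonymous falls back to true. The listener grouping mirrors how the file is read top to bottom, so options placed before a `listener` line are attributed to the default listener, not to the one declared later.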
    

    Default authentication and topic access control

    
    # Control access to the broker using a password file. This file can be generated using the mosquitto_passwd utility.
    # If TLS support is not compiled into mosquitto (it is recommended that TLS support be included) then plain text passwords are used,
    # in which case the file should be a text file with lines in the format:
    # username:password
    # The password (and colon) may be omitted if desired, although this offers very little in the way of security.
    #
    # See the TLS client require_certificate and use_identity_as_username options for alternative authentication options.
    # If an auth_plugin is used as well as password_file, the auth_plugin check will be made first.
    
    #password_file
    
    # Access may also be controlled using a pre-shared-key file. This requires
    # TLS-PSK support and a listener configured to use it. The file should be text lines in the format:
    # identity:key
    # The key should be in hexadecimal format with no leading "0x".
    # If an auth_plugin is used as well, the auth_plugin check will be made first.
    
    #psk_file
    
    # Control access to topics on the broker using an access control list
    # file. If this parameter is defined then only the topics listed will
    # have access.
    # If the first character of a line of the ACL file is a # it is treated as a
    # comment.
    # Topic access is added with lines of the format:
    #
    # topic [read|write|readwrite] <topic>
    #
    # The access type is controlled using "read", "write" or "readwrite". This
    # parameter is optional (unless <topic> contains a space character) - if not
    # given then the access is read/write.  <topic> can contain the + or #
    # wildcards as in subscriptions.
    #
    # The first set of topics are applied to anonymous clients, assuming
    # allow_anonymous is true. User specific topic ACLs are added after a
    # user line as follows:
    #
    # user <username>
    #
    # The username referred to here is the same as in password_file. It is
    # not the clientid.
    #
    #
    # It is also possible to define ACLs based on pattern substitution within the
    # topic. The patterns available for substitution are:
    #
    # %c to match the client id of the client
    # %u to match the username of the client
    #
    # The substitution pattern must be the only text for that level of hierarchy.
    #
    # The form is the same as for the topic keyword, but using pattern as the
    # keyword.
    # Pattern ACLs apply to all users even if the "user" keyword has previously
    # been given.
    #
    # If using bridges with usernames and ACLs, connection messages can be allowed
    # with the following pattern:
    # pattern write $SYS/broker/connection/%c/state
    #
    # pattern [read|write|readwrite] <topic>
    #
    # Example:
    #
    # pattern write sensor/%u/data
    #
    # If an auth_plugin is used as well as acl_file, the auth_plugin check will be
    # made first.
    #acl_file
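    The ACL format above is small enough to evaluate offline, which is a useful way to check that a proposed acl_file grants exactly what is intended before loading it. The following Python module is an added example, not mosquitto's own ACL code: it parses `topic`, `user` and `pattern` lines, applies %c / %u substitution level by level as the notes require, and matches with MQTT's + and # wildcards. It only answers questions about concrete topic names (the check made on publish); the broker's handling of wildcard subscription filters against ACLs has extra rules not reproduced here. SAMPLE_ACL is a constructed file, and the guard that rejects a client id containing '/', '+' or '#' in a substituted level is a defensive choice of this example.

```python
"""Evaluate the acl_file format described above: 'topic' lines for anonymous
clients and per-'user' sections, plus 'pattern' lines with %c / %u substitution,
matched with MQTT's + and # wildcards. Added example, not mosquitto's ACL code:
concrete topic names only, and SAMPLE_ACL is a constructed file."""
from __future__ import annotations
from dataclasses import dataclass, field

ACCESS = {"read": {"read"}, "write": {"write"}, "readwrite": {"read", "write"}}


@dataclass
class AclRule:
    filter: str          # topic filter, may contain + and # (and %c / %u for patterns)
    access: set          # subset of {"read", "write"}


@dataclass
class Acl:
    anonymous: list = field(default_factory=list)   # topic lines before any 'user' line
    users: dict = field(default_factory=dict)       # username -> topic lines after 'user <name>'
    patterns: list = field(default_factory=list)    # pattern lines, applied to every client


def parse_acl(text: str) -> Acl:
    acl = Acl()
    current = acl.anonymous
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "user":
            current = acl.users.setdefault(rest, [])
            continue
        if keyword not in ("topic", "pattern"):
            raise ValueError(f"acl line {lineno}: unknown keyword {keyword!r}")
        first, _, tail = rest.partition(" ")
        if first in ACCESS and tail.strip():
            rule = AclRule(tail.strip(), set(ACCESS[first]))
        else:
            rule = AclRule(rest, set(ACCESS["readwrite"]))   # access keyword omitted: read/write
        (acl.patterns if keyword == "pattern" else current).append(rule)
    return acl


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT subscription matching: '+' is one level, '#' the rest of the tree,
    and a wildcard at the first level never matches a '$SYS'-style topic."""
    if topic.startswith("$") and filter_[:1] in ("+", "#"):
        return False
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def substitute(filter_: str, client_id: str, username) -> str | None:
    """Replace whole '%c' / '%u' levels. Returns None when the pattern cannot apply:
    no username for %u, or a value containing '/', '+' or '#', which would otherwise
    let a crafted client id rewrite the pattern's structure (defensive choice here)."""
    out = []
    for level in filter_.split("/"):
        if level not in ("%c", "%u"):
            out.append(level)
            continue
        value = client_id if level == "%c" else username
        if value is None or any(ch in value for ch in "/+#"):
            return None
        out.append(value)
    return "/".join(out)


def acl_allows(acl: Acl, username, client_id: str, topic: str, access: str) -> bool:
    """True if `access` ('read' or 'write') to the concrete `topic` is granted."""
    rules = acl.anonymous if username is None else acl.users.get(username, [])
    if any(access in r.access and topic_matches(r.filter, topic) for r in rules):
        return True
    for r in acl.patterns:                            # pattern ACLs apply to every client
        filt = substitute(r.filter, client_id, username)
        if filt is not None and access in r.access and topic_matches(filt, topic):
            return True
    return False


SAMPLE_ACL = """\
# constructed example ACL file
topic read $SYS/broker/uptime
user alice
topic readwrite sensors/#
user bob
topic read sensors/lab/+
pattern write sensor/%u/data
pattern readwrite clients/%c/#
pattern write $SYS/broker/connection/%c/state
"""
```

    Usage: `acl_allows(parse_acl(SAMPLE_ACL), "bob", "dev2", "sensor/bob/data", "write")` is True via the `sensor/%u/data` pattern, while the same client writing to `sensors/lab/temp` is refused because bob's own section only grants read. Running such checks over the real acl_file for each (username, client id) pair you expect to deploy is a cheap regression test for access control changes.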
    

    External authentication and topic access plugin options

    
    # External authentication and access control can be supported with the
    # auth_plugin option. This is a path to a loadable plugin. See also the
    # auth_opt_* options described below.
    #
    # The auth_plugin option can be specified multiple times to load multiple
    # plugins. The plugins will be processed in the order that they are specified
    # here. If the auth_plugin option is specified alongside either of
    # password_file or acl_file then the plugin checks will be made first.
    #
    #auth_plugin
    
    # If the auth_plugin option above is used, define options to pass to the
    # plugin here as described by the plugin instructions. All options named
    # using the format auth_opt_* will be passed to the plugin, for example:
    #
    # auth_opt_db_host
    # auth_opt_db_port
    # auth_opt_db_username
    # auth_opt_db_password
    

    =================================================================

    Bridges

    
    # A bridge is a way of connecting multiple MQTT brokers together. A new bridge is created using the "connection" option as described below.
    # Set the options for the bridge with the remaining parameters. You must specify the address and at least one topic to subscribe to.
    #
    # Each connection must have a unique name.
    #
    # The address line may have multiple host address and ports specified. See
    # below in the round_robin description for more details on bridge behaviour if
    # multiple addresses are used. Note that if you use an IPv6 address, then you
    # are required to specify a port.
    #
    # The direction that the topic will be shared can be chosen by
    # specifying out, in or both, where the default value is out.
    # The QoS level of the bridged communication can be specified with the next
    # topic option. The default QoS level is 0, to change the QoS the topic
    # direction must also be given.
    #
    # The local and remote prefix options allow a topic to be remapped when it is
    # bridged to/from the remote broker. This provides the ability to place a topic
    # tree in an appropriate location.
    #
    # For more details see the mosquitto.conf man page.
    #
    # Multiple topics can be specified per connection, but be careful
    # not to create any loops.
    #
    # If you are using bridges with cleansession set to false (the default), then
    # you may get unexpected behaviour from incoming topics if you change what
    # topics you are subscribing to. This is because the remote broker keeps the
    # subscription for the old topic. If you have this problem, connect your bridge
    # with cleansession set to true, then reconnect with cleansession set to false
    # as normal.
    #connection <name>
    #address <host>[:<port>] [<host>[:<port>]]
    #topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
    
    
    # If a bridge has topics that have "out" direction, the default behaviour is to
    # send an unsubscribe request to the remote broker on that topic. This means
    # that changing a topic direction from "in" to "out" will not keep receiving
    # incoming messages. Sending these unsubscribe requests is not always
    # desirable, setting bridge_attempt_unsubscribe to false will disable sending
    # the unsubscribe request.
    #bridge_attempt_unsubscribe true
    
    # Set the version of the MQTT protocol to use with for this bridge. Can be one
    # of mqttv311 or mqttv31. Defaults to mqttv311.
    #bridge_protocol_version mqttv311
    
    # Set the clean session variable for this bridge.
    # When set to true, when the bridge disconnects for any reason, all
    # messages and subscriptions will be cleaned up on the remote
    # broker. Note that with cleansession set to true, there may be a
    # significant amount of retained messages sent when the bridge
    # reconnects after losing its connection.
    # When set to false, the subscriptions and messages are kept on the
    # remote broker, and delivered when the bridge reconnects.
    #cleansession false
    
    # Set the amount of time a bridge using the lazy start type must be idle before
    # it will be stopped. Defaults to 60 seconds.
    #idle_timeout 60
    
    # Set the keepalive interval for this bridge connection, in
    # seconds.
    #keepalive_interval 60
    
    # Set the clientid to use on the local broker. If not defined, this defaults to
    # 'local.<clientid>'. If you are bridging a broker to itself, it is important
    # that local_clientid and clientid do not match.
    #local_clientid
    
    # If set to true, publish notification messages to the local and remote brokers
    # giving information about the state of the bridge connection. Retained
    # messages are published to the topic $SYS/broker/connection/<clientid>/state
    # unless the notification_topic option is used.
    # If the message is 1 then the connection is active, or 0 if the connection has
    # failed.
    # This uses the last will and testament feature.
    #notifications true
    
    # Choose the topic on which notification messages for this bridge are
    # published. If not set, messages are published on the topic
    # $SYS/broker/connection/<clientid>/state
    #notification_topic
    
    # Set the client id to use on the remote end of this bridge connection. If not
    # defined, this defaults to 'name.hostname' where name is the connection name
    # and hostname is the hostname of this computer.
    # This replaces the old "clientid" option to avoid confusion. "clientid"
    # remains valid for the time being.
    #remote_clientid
    
    # Set the password to use when connecting to a broker that requires
    # authentication. This option is only used if remote_username is also set.
    # This replaces the old "password" option to avoid confusion. "password"
    # remains valid for the time being.
    #remote_password
    
    # Set the username to use when connecting to a broker that requires
    # authentication.
    # This replaces the old "username" option to avoid confusion. "username"
    # remains valid for the time being.
    #remote_username
    
    # Set the amount of time a bridge using the automatic start type will wait
    # until attempting to reconnect.
    # This option can be configured to use a constant delay time in seconds, or to
    # use a backoff mechanism based on "Decorrelated Jitter", which adds a degree
    # of randomness to when the restart occurs.
    #
    # Set a constant timeout of 20 seconds:
    # restart_timeout 20
    #
    # Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of
    # 60 seconds:
    # restart_timeout 10 30
    #
    # Defaults to jitter with a base of 5 and cap of 30
    #restart_timeout 5 30
    
    # If the bridge has more than one address given in the address/addresses
    # configuration, the round_robin option defines the behaviour of the bridge on
    # a failure of the bridge connection. If round_robin is false, the default
    # value, then the first address is treated as the main bridge connection. If
    # the connection fails, the other secondary addresses will be attempted in
    # turn. Whilst connected to a secondary bridge, the bridge will periodically
    # attempt to reconnect to the main bridge until successful.
    # If round_robin is true, then all addresses are treated as equals. If a
    # connection fails, the next address will be tried and if successful will
    # remain connected until it fails
    #round_robin false
    
    # Set the start type of the bridge. This controls how the bridge starts and
    # can be one of three types: automatic, lazy and once. Note that RSMB provides
    # a fourth start type "manual" which isn't currently supported by mosquitto.
    #
    # "automatic" is the default start type and means that the bridge connection
    # will be started automatically when the broker starts and also restarted,
    # after the delay configured with restart_timeout (by default a jittered
    # backoff between 5 and 30 seconds), if the connection fails.
    #
    # Bridges using the "lazy" start type will be started automatically when the
    # number of queued messages exceeds the number set with the "threshold"
    # parameter. It will be stopped automatically after the time set by the
    # "idle_timeout" parameter. Use this start type if you wish the connection to
    # only be active when it is needed.
    #
    # A bridge using the "once" start type will be started automatically when the
    # broker starts but will not be restarted if the connection fails.
    #start_type automatic
    
    # Set the number of messages that need to be queued for a bridge with lazy
    # start type to be restarted. Defaults to 10 messages.
    # Must be less than max_queued_messages.
    #threshold 10
    
    # If try_private is set to true, the bridge will attempt to indicate to the
    # remote broker that it is a bridge not an ordinary client. If successful, this
    # means that loop detection will be more effective and that retained messages
    # will be propagated correctly. Not all brokers support this feature so it may
    # be necessary to set try_private to false if your bridge does not connect
    # properly.
    #try_private true
    

    Certificate based SSL/TLS support

    # Either bridge_cafile or bridge_capath must be defined to enable TLS support
    # for this bridge.
    # bridge_cafile defines the path to a file containing the
    # Certificate Authority certificates that have signed the remote broker
    # certificate.
    # bridge_capath defines a directory that will be searched for files containing
    # the CA certificates. For bridge_capath to work correctly, the certificate
    # files must have ".crt" as the file ending and you must run "openssl rehash
    # <path to capath>" each time you add/remove a certificate.
    #bridge_cafile
    #bridge_capath
    
    
    # If the remote broker has more than one protocol available on its port, e.g.
    # MQTT and WebSockets, then use bridge_alpn to configure which protocol is
    # requested. Note that WebSockets support for bridges is not yet available.
    #bridge_alpn
    
    # When using certificate based encryption, bridge_insecure disables
    # verification of the server hostname in the server certificate. This can be
    # useful when testing initial server configurations, but makes it possible for
    # a malicious third party to impersonate your server through DNS spoofing, for
    # example. Use this option in testing only. If you need to resort to using this
    # option in a production environment, your setup is at fault and there is no
    # point using encryption.
    #bridge_insecure false
    
    # Path to the PEM encoded client certificate, if required by the remote broker.
    #bridge_certfile
    
    # Path to the PEM encoded client private key, if required by the remote broker.
    #bridge_keyfile
    

    PSK based SSL/TLS support

    # Pre-shared-key encryption provides an alternative to certificate based
    # encryption. A bridge can be configured to use PSK with the bridge_identity
    # and bridge_psk options. These are the client PSK identity, and pre-shared-key
    # in hexadecimal format with no "0x". Only one of certificate and PSK based
    # encryption can be used on one bridge at once.
    #bridge_identity
    #bridge_psk
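The rules spread over the TLS and PSK comments above (either bridge_cafile or bridge_capath for TLS, only one of certificate or PSK per bridge, the PSK as hex with no "0x", bridge_insecure for testing only, certfile and keyfile together), plus the earlier threshold/max_queued_messages rule and the remote_password dependency on remote_username, turned into a lint over bridge sections of a mosquitto.conf. This is an added example, not part of mosquitto or of the original page; the sample configuration, its hostnames, paths and secrets, and the 16-byte minimum PSK length are constructed for the example.

```python
import re

# Constructed sample configuration (hostnames, paths and secrets are made up):
# bridge "lab" carries the settings this section warns against, bridge "prod"
# is what a production bridge should look like.
SAMPLE_CONF = """\
max_queued_messages 100

connection lab
address hub.example.internal:8883
topic sensors/# out 1
remote_username lab
remote_password hunter2
bridge_cafile /etc/mosquitto/ca.crt
bridge_insecure true
bridge_identity lab
bridge_psk 0xDEADBEEF
threshold 200

connection prod
addresses hub-a.example.net:8883 hub-b.example.net:8883
round_robin true
restart_timeout 10 60
topic telemetry/# out 1
remote_username prod-bridge
remote_password s3cret
bridge_capath /etc/mosquitto/ca.d
bridge_certfile /etc/mosquitto/bridge.crt
bridge_keyfile /etc/mosquitto/bridge.key
try_private true
"""

# Older spellings the broker still accepts, mapped to the current option names.
ALIASES = {"username": "remote_username", "password": "remote_password"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MAX_QUEUED_DEFAULT = 1000  # broker default for max_queued_messages


def parse_bridges(text):
    """Split a mosquitto.conf into global options and per-bridge option maps.

    A `connection <name>` line opens a bridge section; later option lines
    belong to it until the next `connection`. Lines starting with '#' and
    blank lines are skipped. Returns (globals, {bridge name: options}).
    """
    globals_, bridges, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0], parts[0])
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "connection":
            current = bridges.setdefault(value, {})
            continue
        (globals_ if current is None else current)[key] = value
    return globals_, bridges


def lint_bridges(text):
    """Return (bridge, severity, message) findings for each bridge section."""
    globals_, bridges = parse_bridges(text)
    max_queued = int(globals_.get("max_queued_messages", MAX_QUEUED_DEFAULT))
    findings = []
    for name, opt in bridges.items():
        def add(severity, message, name=name):
            findings.append((name, severity, message))

        cert_tls = "bridge_cafile" in opt or "bridge_capath" in opt
        psk_tls = "bridge_identity" in opt or "bridge_psk" in opt
        if cert_tls and psk_tls:
            add("error", "certificate and PSK encryption are both set; only one is allowed per bridge")
        if psk_tls:
            psk = opt.get("bridge_psk", "")
            if "bridge_identity" not in opt or not psk:
                add("error", "PSK needs both bridge_identity and bridge_psk")
            elif psk.lower().startswith("0x"):
                add("error", "bridge_psk must be plain hex with no 0x prefix")
            elif not HEX_RE.match(psk) or len(psk) % 2:
                add("error", "bridge_psk must be an even-length hex string")
            elif len(psk) < 32:  # assumption: insist on at least 16 bytes of key
                add("warn", "bridge_psk is shorter than 16 bytes")
        if not cert_tls and not psk_tls:
            if "remote_password" in opt:
                add("error", "no TLS configured: remote_password would cross the network in clear text")
            else:
                add("warn", "no TLS configured for this bridge")
        if opt.get("bridge_insecure", "false").lower() == "true":
            add("error", "bridge_insecure true disables server hostname verification; testing only")
        if ("bridge_certfile" in opt) != ("bridge_keyfile" in opt):
            add("error", "bridge_certfile and bridge_keyfile must be set together")
        if "remote_password" in opt and "remote_username" not in opt:
            add("warn", "remote_password is ignored because remote_username is not set")
        if "threshold" in opt and int(opt["threshold"]) >= max_queued:
            add("error", f"threshold {opt['threshold']} must be less than max_queued_messages ({max_queued})")
    return findings


if __name__ == "__main__":
    for bridge, severity, message in lint_bridges(SAMPLE_CONF):
        print(f"{severity.upper():5} [{bridge}] {message}")
```

Run against the sample, the "lab" bridge produces four errors (both encryption modes set, the 0x prefix, bridge_insecure, threshold above max_queued_messages) and "prod" is clean. The clear-text check is the one most worth keeping: a bridge with remote_password but no bridge_cafile/bridge_capath or PSK authenticates to the remote broker over plain TCP.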
    

    External config files

    # External configuration files may be included by using the include_dir option.
    # This defines a directory that will be searched for config files. All files
    # that end in ".conf" will be loaded as a configuration file. It is best to have
    # this as the last option in the main file. This option will only be processed
    # from the main configuration file. The directory specified must not contain the
    # main configuration file.
    # Files within include_dir will be loaded sorted in case-sensitive alphabetical
    # order, with capital letters ordered first. If this option is defined multiple
    # times, all of the files from the first instance will be processed before the
    # next instance. See the man page for examples.
    
    #include_dir
    
    Original article: https://www.cnblogs.com/shuiche/p/12630591.html