MQTT服务器(Broker)

常规配置

#使用每个侦听器的安全设置。
#
#建议先设置此选项。
#
#如果此选项设置为true，则所有身份验证和访问控制
#选项是根据每个侦听器控制的。以下选项是
#受影响的有：
#
# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
# auto_id_prefix allow_zero_length_clientid
#
# 请注意，如果设置为true，则断开连接的持久客户端（即，干净会话设置为false）将使用为其最近连接的侦听器定义的ACL设置.
# 默认行为是将其设置为false，这将保持以前版本的mosquitto的设置行为。
#per_listener_settings false


# 如果客户端订阅了多个重叠的订阅，例如foo /＃和foo / + / baz，然后MQTT期望，
# 当代理收到与两个订阅都匹配的主题消息，例如foo / bar / baz时，客户端应该只接收一次消息。
# Mosquitto跟踪邮件已发送到哪些客户，以满足此要求。 allow_duplicate_messages选项允许禁用此行为，
# 如果您有大量的客户端订阅了同一主题集并且非常关注，则此选项可能很有用。
# 最小化内存使用。如果您事先知道客户端永远不会有重叠的订阅，则可以将其安全地设置为true，
# 否则即使QoS = 2，客户端也必须能够正确处理重复的消息。

#allow_duplicate_messages false

# 此选项控制是否允许客户端使用长度为零的客户端ID连接。此选项仅影响使用MQTT v3.1.1和更高版本的客户端。
# 如果设置为false，将断开连接长度为零的客户端ID的客户端。
# 如果设置为true，则代理将为客户端分配客户端ID。
# 这意味着它仅对将干净会话设置为true的客户端有用。

#allow_zero_length_clientid true

# 如果allow_zero_length_clientid为true，则此选项允许您为自动生成的客户端ID设置前缀，以帮助查看日志。
# 默认 'auto-'

#auto_id_prefix auto-

# 当客户端订阅已保留邮件的主题时，此选项会影响方案。
# 向主题发布保留消息的客户端在发布时可能具有访问权限，但是该访问权限随后已被删除。
# 如果将check_retain_source设置为true（默认值），则将在重新发布保留消息的源之前检查其访问权限。
# 设置为false时，将不进行检查，并且保留的消息将始终被发布。这会影响所有听众。

#check_retain_source true

# 在超过此限制之前，将允许每个客户端 inflight QoS 1和2消息。默认为0。（无最大值）
# 另请参见max_inflight_messages
#max_inflight_bytes 0

# 每个客户端当前正在运行的QoS 1和2消息的最大数量。
# 这包括握手过程中和正在重试的消息。默认值为20。设置为0（无最大值）。设置为1将保证按顺序传送QoS 1和2消息。

#max_inflight_messages 20

# 对于MQTT v5客户端，可以让服务器发送“服务器keepalive”值，该值将覆盖客户端设置的keepalive值。
# 旨在用作一种机制，表示服务器将比预期的更早断开客户端的连接，并且客户端应使用新的keepalive值。
# max_keepalive选项允许您指定客户端只能使用小于或等于此值的keepalive进行连接，
# 否则，将向它们发送服务器keepalive通知它们使用max_keepalive。
# 这仅适用于MQTT v5客户端。允许的最大值为65535。请勿设置为10以下。

#max_keepalive 65535

# 对于MQTT v5客户端，可以让服务器发送“最大数据包大小”值，该值将指示客户端它将不接受大小大于max_packet_size字节的MQTT数据包。
# 这适用于完整的MQTT数据包，而不仅仅是有效负载。将此选项设置为正值会将最大数据包大小设置为该字节数。
# 如果客户端发送的数据包大于此值，它将被断开连接。这适用于所有客户端，无论它们使用的协议版本如何，
# 但是v3.1.1和更早版本的客户端当然不会收到最大数据包大小信息。默认为无限制。
# 禁止将其设置为低于20个字节，因为即使有效负载很小，它也可能会干扰普通的客户端操作。

#max_packet_size 0

# 超过当前运行中的QoS 1和2消息将在每个客户端排队，直到超过此限制。默认为0。（无最大值）
# 另请参见max_queued_messages。
# 如果同时指定了max_queued_messages和max_queued_bytes，则数据包将排队直到达到第一个限制。

#max_queued_bytes 0

# 每个客户端要在队列中保留的QoS 1和2消息的最大数量高于当前正在运行的QoS 1和2消息的数量。
# 默认值为100。设置为0表示没有最大值（不建议）。
# 另请参阅queue_qos0_messages。
# 另请参见max_queued_bytes。

#max_queued_messages 100

# 此选项设置代理将分配的最大堆内存字节数，因此对代理使用的内存设置硬限制。
# 超过此值的内存请求将被拒绝。效果会因被拒绝的内容而异。如果正在处理传入消息，则该消息将被丢弃，
# 并且发布客户端将断开连接。如果正在发送外发消息，则单个消息将被丢弃，接收方客户端将被断开连接。
# 默认为无限制

#memory_limit 0

# 此选项设置代理允许的最大发布有效负载大小。
# 接收到的超出此大小的消息将不会被代理接受。
# 缺省值为0，表示接受所有有效的MQTT消息。 MQTT施加的最大有效负载大小为268435455字节(256M)。
#message_size_limit 0

# 如果持久客户端（未将干净会话设置为false的持久客户端）在特定时间内未重新连接，则此选项允许将其删除。
# 这是MQTT V3.1中的非标准选项，但在MQTT v3.1.1中允许。
# 设计不当的客户端可能会在使用随机生成的客户端ID时将clean session设置为false。
# 这导致持久的客户端永远不会重新连接。此选项允许删除这些客户端。
# 有效期应为整数，然后分别为小时，日，周，月和年的 h d w m y 之一。例如
# persistent_client_expiration 2m
# persistent_client_expiration 14d
# persistent_client_expiration 1y
# 如果未设置，则默认为永不使持久客户端失效。

#persistent_client_expiration

# 将进程ID写入文件。默认值为空字符串，这意味着不应写入pid文件。
# 如果mosquitto在启动时使用初始化脚本和start-stop-daemon或类似程序自动运行，
# 则应将其设置为/var/run/mosquitto.pid。
# 配置说明中出现的地址例如：“/var/run/mosquitto”，“/var/log/messages”，都是相对路径，相对于系统盘根目录
# 例如“/var/run/mosquitto”表示的是“c:var
unmosquitto”

#pid_file

# 设置为true后 可以在持久客户端断开连接时将QoS 0的消息排队。
# 这些消息包含在max_queued_messages和max_queued_bytes施加的限制中
# 默认为false。
# 这是MQTT v3.1规范的非标准选项，但在v3.1.1中允许。

#queue_qos0_messages false

# Set to false to disable retained message support. If a client publishes a
# message with the retain bit set, it will be disconnected if this is set to
# false.
# 是否禁用保留的消息支持。设置为falsk可以禁用.
# 将其设置为false后, 如果客户端发布消息时设置保留消息, 则会被断开连接

#retain_available true

# 在客户端套接字上禁用Nagle的算法。这具有减少单个消息的等待时间的效果，但潜在的代价是增加了发送数据包的数量。

#set_tcp_nodelay false

# $SYS树更新之间的时间（以秒为单位）。
# 设置为0禁用$SYS树的发布。

#sys_interval 10

# The MQTT specification requires that the QoS of a message delivered to a
# subscriber is never upgraded to match the QoS of the subscription. Enabling
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
# messages sent to a subscriber will always match the QoS of its subscription.
# 这是规范明确禁止的非标准选项。

#upgrade_outgoing_qos false

# 以root用户身份运行时，请对该用户及其主要组授予特权。
# 设置为root以保持root身份，但是不建议这样做。
# 如果以非root用户身份运行，则此设置无效。
# 请注意，在Windows上这没有任何作用，因此mosquitto应该由希望以其身份运行的用户启动。

#user mosquitto

=================================================================

默认监听器

# 绑定默认侦听器的IP地址/主机名。
# 如果未指定，则默认侦听器将不会绑定到特定地址，因此所有网络接口都可以访问它。
# 案例: bind_address ip-address/host name

#bind_address

# 端口号 port

#port 1883

# 将侦听器绑定到特定接口。这类似于上面的bind_address，但是在接口具有多个地址或地址可能更改时很有用。
# 将此属性与bind_address选项一起使用是有效的，但请注意，要绑定的接口包含要绑定的地址，否则将无法连接。
# 例如: bind_interface eth0

#bind_interface

# 当侦听器使用websockets协议时，也可以提供http数据。
# 将http_dir设置为包含您要提供的文件的目录。如果未指定此选项，则将无法进行正常的http连接。

#http_dir

# 允许的最大客户端连接数。这是每个侦听器的设置。
# 默认为-1，表示无限制的连接。
# 请注意，其他进程限制意味着无限的连接实际上是不可能的。
# 通常，默认的最大连接数有可能约为1024。

#max_connections -1

# 选择监听时要使用的协议。
# 可以是mqtt或websockets。
# Websockets支持当前默认在编译时被禁用。基于证书的TLS可以与websocket一起使用，
# 但仅支持cafile，certfile，keyfile和ciphers选项。

#protocol mqtt

# 将use_username_as_clientid设置为true可以将客户端连接的客户端ID替换为其用户名。
# 这允许将身份验证绑定到clientid，这意味着可以防止一个客户端通过使用相同的 clientid 断开另一个客户端的连接。
# 如果客户端不使用用户名连接，则此选项设置为true时，它将被断开，因为未授权。
# 请勿与clientid_prefixes结合使用。
# 另请参见use_identity_as_username。

#use_username_as_clientid

---

基于证书的SSL / TLS支持

# 以下选项可用于为该侦听器启用SSL / TLS支持。请注意，通过TLS的MQTT的推荐端口为8883，但这必须手动设置。

# 另请参见mosquitto-tls手册页。

# 必须定义cafile或capath中的至少一个。它们都定义了访问PEM编码证书的方法
# 授权证书已签名您的服务器证书，并且您希望信任。
# cafile定义包含CA证书的文件的路径。
# capath定义一个目录
# 将在该目录中搜索包含CA证书的文件。
# 为了使Capath正常工作，证书文件的文件结尾必须带有“ .crt”，并且每次添加/删除证书时，
# 都必须运行“ openssl rehash <path to capath>”。

#cafile
#capath

# PEM编码的服务器证书的路径。
#certfile

# PEM编码的密钥文件的路径。
#keyfile


# 如果将require_certificate设置为true，则可以创建证书吊销列表文件以撤消对特定客户端证书的访问。
# 如果执行了此操作，请使用crlfile指向PEM编码的吊销文件。

#crlfile

# 如果您希望控制使用哪种加密密码，请使用ciphers选项。
# 可用密码的列表可以使用“ openssl ciphers”命令获得，并且填写与该命令的输出相同的格式内容。
# 默认值: DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH

#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH

# 为了允许使用短暂的DH密钥交换来提供前向安全性，侦听器必须加载DH参数。
# 可以使用dhparamfile选项指定。 dhparamfile可以使用以下命令生成
# e.g. "openssl dhparam -out dhparam.pem 2048"

#dhparamfile

# 默认情况下，启用TLS的侦听器将以类似于启用https的Web服务器的方式运行，因为该服务器具有由CA签名的证书，
# 并且客户端将验证它是受信任的证书。总体目标是对网络流量进行加密。
# 如果将require_certificate设置为true，客户端必须提供有效的证书才能继续进行网络连接。
# 这允许在MQTT提供的机制之外控制对代理的访问。

#require_certificate false

# 此选项定义用于此侦听器的TLS协议的版本。
# 默认值允许所有v1.3，v1.2和v1.1。有效值为tlsv1.3 tlsv1.2和tlsv1.1。

#tls_version

# 如果require_certificate为true，则可以将use_identity_as_username设置为true，以使用客户端证书中的CN值作为用户名。
# 如果为true，则password_file选项将不会用于此侦听器。
# 这优先于use_subject_as_username。
# 另请参见use_subject_as_username。

#use_identity_as_username false

# 如果require_certificate为true，则可以将use_subject_as_username设置为true，以使用客户端证书中的完整主题值作为用户名。
# 如果为true，则password_file选项将不会用于此侦听器。
# 另请参见use_identity_as_username

#use_subject_as_username false

---

Pre-shared-key based SSL/TLS support

基于预共享密钥的SSL / TLS支持

# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option.  The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers

# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false

=================================================================

Extra listeners 额外的监听器

# Listen on a port/ip address combination. By using this variable
# multiple times, mosquitto can listen on more than one port. If
# this variable is used and neither bind_address nor port given,
# then the default listener will not be started.
# The port number to listen on must be given. Optionally, an ip
# address or host name may be supplied as a second argument. In
# this case, mosquitto will attempt to bind the listener to that
# address and so restrict access to the associated network and
# interface. By default, mosquitto will listen on all interfaces.
# Note that for a websockets listener it is not possible to bind to a host
# name.
# listener port-number [ip address/host name]
#listener

# Bind the listener to a specific interface. This is similar to
# the [ip address/host name] part of the listener definition, but is useful
# when an interface has multiple addresses or the address may change. It is
# valid to use this with the [ip address/host name] part of the listener
# definition, but take care that the interface you are binding to contains the
# address you are binding to, otherwise you will not be able to connect.
# Only available on Linux and requires elevated privileges.
#
# Example: bind_interface eth0
#bind_interface

# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir

# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1

# The listener can be restricted to operating within a topic hierarchy using
# the mount_point option. This is achieved be prefixing the mount_point string
# to all topics for any clients connected to this listener. This prefixing only
# happens internally to the broker; the client will not see the prefix.
#mount_point

# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Certificate based TLS may be used with websockets, except that only the
# cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt

# Set use_username_as_clientid to true to replace the clientid that a client
# connected with with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid

# Change the websockets headers size. This is a global option, it is not
# possible to set per listener. This option sets the size of the buffer used in
# the libwebsockets library when reading HTTP headers. If you are passing large
# header data such as cookies then you may need to increase this value. If left
# unset, or set to 0, then the default of 1024 bytes will be used.
#websockets_headers_size

---

基于证书的SSL / TLS支持

# The following options can be used to enable certificate based SSL/TLS support
# for this listener. Note that the recommended port for MQTT over TLS is 8883,
# but this must be set manually.
#
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# At least one of cafile or capath must be defined to enable certificate based
# TLS encryption. They both define methods of accessing the PEM encoded
# Certificate Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath

# Path to the PEM encoded server certificate.
#certfile

# Path to the PEM encoded keyfile.
#keyfile


# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be optained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
#ciphers

# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile

# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with the command
# e.g. "openssl dhparam -out dhparam.pem 2048"
#dhparamfile

# By default an TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false

# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
#use_identity_as_username false

---

Pre-shared-key based SSL/TLS support 基于预共享密钥的SSL / TLS支持

# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option.  The list of available ciphers can be optained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers

# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false

---

Persistence

# 如果启用了持久性，则每隔autosave_interval秒将内存数据库保存到磁盘中。
# 如果设置为0，则仅在mosquitto退出时才写入持久性数据库。另请参见autosave_on_changes。
# 请注意，可以通过向mosquit发送SIGUSR1信号来强制写入持久性数据库。
#autosave_interval 1800

# 如果为true，则mosquitto将计算订阅更改，已接收的保留消息和已排队消息的数量，如果总数超过autosave_interval，
# 则内存数据库将保存到磁盘。如果为false，则mosquitto通过将autosave_interval视为秒数的时间来将内存数据库保存到磁盘。

#autosave_on_changes false

# 将持久消息数据保存到磁盘（true/false）。这样可以保存有关所有消息的信息，包括订阅，当前运行中的消息和保留的消息。
# reserved_persistence是此选项的同义词。

#persistence false

# 用于永久数据库的文件名，不包括路径。

#persistence_file mosquitto.db

# 永久数据库的位置。必须包含尾随/
# 默认值为空字符串（当前目录）。设置为/var/lib/mosquitto/
# 如果在Linux或类似系统上作为适当的服务运行。
# 配置说明中出现的地址例如：“/var/run/mosquitto”，“/var/log/messages”，都是相对路径，相对于系统盘根目录
# 例如“/var/run/mosquitto”表示的是“c:var
unmosquitto”

#persistence_location

---

Logging

# Places to log to. Use multiple log_dest lines for multiple
# logging destinations.
#
#
# stdout and stderr log to the console on the named output.
#
# syslog uses the userspace syslog facility which usually ends up
# in /var/log/messages or similar.
#
# topic logs to the broker topic '$SYS/broker/log/<severity>',
# where severity is one of D, E, W, N, I, M which are debug, error,
# warning, notice, information and message. Message type severity is used by
# the subscribe/unsubscribe log_types and publishes log messages to
# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
#
# The file destination requires an additional parameter which is the file to be
# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
# closed and reopened when the broker receives a HUP signal. Only a single file
# destination may be configured.
#
# 请注意，如果代理作为Windows服务运行，它将默认为“ log_dest none”，并且stdout和stderr日志记录都不可用。
# 可选值有: stdout stderr syslog topic file
# 文件案例(两个参数): log_dest file /var/log/mosquitto.log
# 如果要禁用日志记录，请使用“ log_dest none”。

#log_dest stderr

# Types of messages to log. Use multiple log_type lines for logging
# multiple types of messages.
# Possible types are: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, websockets, all.
# Note that debug type messages are for decoding the incoming/outgoing
# network packets. They are not logged in "topics".
#log_type error
#log_type warning
#log_type notice
#log_type information


# 如果设置为true，则客户端连接和断开连接消息将包含在日志中。

#connection_messages true

# If using syslog logging (not on Windows), messages will be logged to the
# "daemon" facility by default. Use the log_facility option to choose which of
# local0 to local7 to log to instead. The option value should be an integer
# value, e.g. "log_facility 5" to use local5.
#log_facility

# 如果设置为true，则向每个日志消息添加一个时间戳记值。
#log_timestamp true

# Set the format of the log timestamp. If left unset, this is the number of
# seconds since the Unix epoch.
# This is a free text string which will be passed to the strftime function. To
# get an ISO 8601 datetime, for example:
# log_timestamp_format %Y-%m-%dT%H:%M:%S
log_timestamp_format %Y-%m-%dT%H:%M:%S

# 更改websockets日志记录级别。这是一个全局选项，无法为每个侦听器设置。
# 这是一个整数，libwebsockets将其解释为其lws_log_levels枚举的位掩码。
# 有关更多详细信息，请参见libwebsockets文档。
# 还必须启用“ log_type websockets”。

#websockets_log_level 0

---

Security 安全

# 如果设置，则只允许客户端的clientid满足指定前缀才能连接到代理。默认情况下，所有客户端都可以连接。
# 例如，在此处设置“ secure-”表示: 客户端"secure-client"可以连接，但另一个客户端ID为"mqtt"的客户端则无法连接。

#clientid_prefixes

# 布尔值，用于确定是否允许未提供用户名的客户端进行连接。
# 如果设置为false，则应创建一个密码文件（请参阅password_file选项）以控制经过身份验证的客户端访问。
# 如果未设置其他安全选项，则默认为true。
# 如果设置了`password_file`或`psk_file`，或者如果加载了实现用户名/密码或TLS-PSK检查的身份验证插件，
# 则'allow_anonymous' 默认为false。

#allow_anonymous true

---

Default authentication and topic access control

默认身份验证和主题访问控制

# 使用密码文件控制对代理的访问。可以使用mosquitto_passwd实用程序生成此文件。
# 如果TLS支持未编译为mosquitto（建议包括TLS支持），则使用纯文本密码，
# 在这种情况下，该文件应为文本文件，其行格式为：
# username:password
# 如果需要，可以省略密码（和冒号），尽管这样做几乎没有安全性
#
# 请参阅TLS客户端的require_certificate和use_identity_as_username选项，以获取其他身份验证选项。
# 如果同时使用auth_plugin和password_file，则将首先进行auth_plugin检查。

#password_file

# 访问也可以使用预共享密钥文件来控制。这需要
# TLS-PSK支持和配置为使用它的侦听器。该文件应为以下格式的文本行：
# identity:key
# 密钥应为十六进制格式，且开头不能为“ 0x”。
# 如果还使用auth_plugin，则将首先进行auth_plugin检查。

#psk_file

# Control access to topics on the broker using an access control list
# file. If this parameter is defined then only the topics listed will
# have access.
# If the first character of a line of the ACL file is a # it is treated as a
# comment.
# Topic access is added with lines of the format:
#
# topic [read|write|readwrite] <topic>
#
# The access type is controlled using "read", "write" or "readwrite". This
# parameter is optional (unless <topic> contains a space character) - if not
# given then the access is read/write.  <topic> can contain the + or #
# wildcards as in subscriptions.
#
# The first set of topics are applied to anonymous clients, assuming
# allow_anonymous is true. User specific topic ACLs are added after a
# user line as follows:
#
# user <username>
#
# The username referred to here is the same as in password_file. It is
# not the clientid.
#
#
# If is also possible to define ACLs based on pattern substitution within the
# topic. The patterns available for substition are:
#
# %c to match the client id of the client
# %u to match the username of the client
#
# The substitution pattern must be the only text for that level of hierarchy.
#
# The form is the same as for the topic keyword, but using pattern as the
# keyword.
# Pattern ACLs apply to all users even if the "user" keyword has previously
# been given.
#
# If using bridges with usernames and ACLs, connection messages can be allowed
# with the following pattern:
# pattern write $SYS/broker/connection/%c/state
#
# pattern [read|write|readwrite] <topic>
#
# Example:
#
# pattern write sensor/%u/data
#
# If an auth_plugin is used as well as acl_file, the auth_plugin check will be
# made first.
#acl_file

---

External authentication and topic access plugin options

外部身份验证和主题访问插件选项

# External authentication and access control can be supported with the
# auth_plugin option. This is a path to a loadable plugin. See also the
# auth_opt_* options described below.
#
# The auth_plugin option can be specified multiple times to load multiple
# plugins. The plugins will be processed in the order that they are specified
# here. If the auth_plugin option is specified alongside either of
# password_file or acl_file then the plugin checks will be made first.
#
#auth_plugin

# If the auth_plugin option above is used, define options to pass to the
# plugin here as described by the plugin instructions. All options named
# using the format auth_opt_* will be passed to the plugin, for example:
#
# auth_opt_db_host
# auth_opt_db_port
# auth_opt_db_username
# auth_opt_db_password

=================================================================

Bridges

# 桥接是将多个MQTT代理连接在一起的一种方式。如下所述，使用“connection”选项创建一个新的网桥。
# 使用其余参数设置网桥的选项。您必须指定地址和至少一个要订阅的主题。
#
# Each connection must have a unique name.
#
# The address line may have multiple host address and ports specified. See
# below in the round_robin description for more details on bridge behaviour if
# multiple addresses are used. Note that if you use an IPv6 address, then you
# are required to specify a port.
#
# The direction that the topic will be shared can be chosen by
# specifying out, in or both, where the default value is out.
# The QoS level of the bridged communication can be specified with the next
# topic option. The default QoS level is 0, to change the QoS the topic
# direction must also be given.
#
# The local and remote prefix options allow a topic to be remapped when it is
# bridged to/from the remote broker. This provides the ability to place a topic
# tree in an appropriate location.
#
# For more details see the mosquitto.conf man page.
#
# Multiple topics can be specified per connection, but be careful
# not to create any loops.
#
# If you are using bridges with cleansession set to false (the default), then
# you may get unexpected behaviour from incoming topics if you change what
# topics you are subscribing to. This is because the remote broker keeps the
# subscription for the old topic. If you have this problem, connect your bridge
# with cleansession set to true, then reconnect with cleansession set to false
# as normal.
#connection <name>
#address <host>[:<port>] [<host>[:<port>]]
#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]


# If a bridge has topics that have "out" direction, the default behaviour is to
# send an unsubscribe request to the remote broker on that topic. This means
# that changing a topic direction from "in" to "out" will not keep receiving
# incoming messages. Sending these unsubscribe requests is not always
# desirable, setting bridge_attempt_unsubscribe to false will disable sending
# the unsubscribe request.
#bridge_attempt_unsubscribe true

# Set the version of the MQTT protocol to use with for this bridge. Can be one
# of mqttv311 or mqttv11. Defaults to mqttv311.
#bridge_protocol_version mqttv311

# Set the clean session variable for this bridge.
# When set to true, when the bridge disconnects for any reason, all
# messages and subscriptions will be cleaned up on the remote
# broker. Note that with cleansession set to true, there may be a
# significant amount of retained messages sent when the bridge
# reconnects after losing its connection.
# When set to false, the subscriptions and messages are kept on the
# remote broker, and delivered when the bridge reconnects.
#cleansession false

# Set the amount of time a bridge using the lazy start type must be idle before
# it will be stopped. Defaults to 60 seconds.
#idle_timeout 60

# Set the keepalive interval for this bridge connection, in
# seconds.
#keepalive_interval 60

# Set the clientid to use on the local broker. If not defined, this defaults to
# 'local.<clientid>'. If you are bridging a broker to itself, it is important
# that local_clientid and clientid do not match.
#local_clientid

# If set to true, publish notification messages to the local and remote brokers
# giving information about the state of the bridge connection. Retained
# messages are published to the topic $SYS/broker/connection/<clientid>/state
# unless the notification_topic option is used.
# If the message is 1 then the connection is active, or 0 if the connection has
# failed.
# This uses the last will and testament feature.
#notifications true

# Choose the topic on which notification messages for this bridge are
# published. If not set, messages are published on the topic
# $SYS/broker/connection/<clientid>/state
#notification_topic

# Set the client id to use on the remote end of this bridge connection. If not
# defined, this defaults to 'name.hostname' where name is the connection name
# and hostname is the hostname of this computer.
# This replaces the old "clientid" option to avoid confusion. "clientid"
# remains valid for the time being.
#remote_clientid

# Set the password to use when connecting to a broker that requires
# authentication. This option is only used if remote_username is also set.
# This replaces the old "password" option to avoid confusion. "password"
# remains valid for the time being.
#remote_password

# Set the username to use when connecting to a broker that requires
# authentication.
# This replaces the old "username" option to avoid confusion. "username"
# remains valid for the time being.
#remote_username

# Set the amount of time a bridge using the automatic start type will wait
# until attempting to reconnect.
# This option can be configured to use a constant delay time in seconds, or to
# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree
# of randomness to when the restart occurs.
#
# Set a constant timeout of 20 seconds:
# restart_timeout 20
#
# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of
# 60 seconds:
# restart_timeout 10 30
#
# Defaults to jitter with a base of 5 and cap of 30
#restart_timeout 5 30

# If the bridge has more than one address given in the address/addresses
# configuration, the round_robin option defines the behaviour of the bridge on
# a failure of the bridge connection. If round_robin is false, the default
# value, then the first address is treated as the main bridge connection. If
# the connection fails, the other secondary addresses will be attempted in
# turn. Whilst connected to a secondary bridge, the bridge will periodically
# attempt to reconnect to the main bridge until successful.
# If round_robin is true, then all addresses are treated as equals. If a
# connection fails, the next address will be tried and if successful will
# remain connected until it fails
#round_robin false

# Set the start type of the bridge. This controls how the bridge starts and
# can be one of three types: automatic, lazy and once. Note that RSMB provides
# a fourth start type "manual" which isn't currently supported by mosquitto.
#
# "automatic" is the default start type and means that the bridge connection
# will be started automatically when the broker starts and also restarted
# after a short delay (30 seconds) if the connection fails.
#
# Bridges using the "lazy" start type will be started automatically when the
# number of queued messages exceeds the number set with the "threshold"
# parameter. It will be stopped automatically after the time set by the
# "idle_timeout" parameter. Use this start type if you wish the connection to
# only be active when it is needed.
#
# A bridge using the "once" start type will be started automatically when the
# broker starts but will not be restarted if the connection fails.
#start_type automatic

# Set the number of messages that need to be queued for a bridge with lazy
# start type to be restarted. Defaults to 10 messages.
# Must be less than max_queued_messages.
#threshold 10

# If try_private is set to true, the bridge will attempt to indicate to the
# remote broker that it is a bridge not an ordinary client. If successful, this
# means that loop detection will be more effective and that retained messages
# will be propagated correctly. Not all brokers support this feature so it may
# be necessary to set try_private to false if your bridge does not connect
# properly.
#try_private true

---

Certificate based SSL/TLS support

# Either bridge_cafile or bridge_capath must be defined to enable TLS support
# for this bridge.
# bridge_cafile defines the path to a file containing the
# Certificate Authority certificates that have signed the remote broker
# certificate.
# bridge_capath defines a directory that will be searched for files containing
# the CA certificates. For bridge_capath to work correctly, the certificate
# files must have ".crt" as the file ending and you must run "openssl rehash
# <path to capath>" each time you add/remove a certificate.
#bridge_cafile
#bridge_capath


# If the remote broker has more than one protocol available on its port, e.g.
# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
# requested. Note that WebSockets support for bridges is not yet available.
#bridge_alpn

# When using certificate based encryption, bridge_insecure disables
# verification of the server hostname in the server certificate. This can be
# useful when testing initial server configurations, but makes it possible for
# a malicious third party to impersonate your server through DNS spoofing, for
# example. Use this option in testing only. If you need to resort to using this
# option in a production environment, your setup is at fault and there is no
# point using encryption.
#bridge_insecure false

# Path to the PEM encoded client certificate, if required by the remote broker.
#bridge_certfile

# Path to the PEM encoded client private key, if required by the remote broker.
#bridge_keyfile

---

PSK based SSL/TLS support 基于PSK的SSL / TLS支持

# Pre-shared-key encryption provides an alternative to certificate based
# encryption. A bridge can be configured to use PSK with the bridge_identity
# and bridge_psk options. These are the client PSK identity, and pre-shared-key
# in hexadecimal format with no "0x". Only one of certificate and PSK based
# encryption can be used on one
# bridge at once.
#bridge_identity
#bridge_psk

---

External config files 外部配置文件

# 可以使用include_dir选项包含外部配置文件。这定义了一个目录，将在其中搜索配置文件。
# 所有以“ .conf”结尾的文件都将作为配置文件加载。
# 最好将此作为主文件中的最后一个选项。
# 仅从主配置文件处理此选项。
# 指定的目录不得包含主配置文件。
# include_dir中的文件将按区分大小写的字母顺序加载，首字母大写。
# 如果多次指定此选项，则第一个实例中的所有文件将在下一个实例之前进行处理。
# 有关示例，请参见手册页。

#include_dir