翻译：mosquitto 配置文件 -linux版

配置文件路径

"/etc/mosquitto/mosquitto.conf"

参考：https://mosquitto.org/man/mosquitto-conf-5.html

mosquitto.conf 文件翻译（谷歌翻译）

翻译

# mosquitto 的配置文件
#
# 参见 mosquitto.conf(5) 了解更多信息。
#
# 显示默认值，取消注释更改。
#
# 使用 # 字符表示注释，前提是它是行中的第一个字符。

通用配置

# =================================================================
# 通用配置
# =================================================================

# 使用每个监听器的安全设置。
#
# 建议将此选项设置在任何其他选项之前。
#
# 如果此选项设置为 true，则所有身份验证和访问控制选项都基于每个侦听器进行控制。以下选项受到影响：
#
# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous auto_id_prefix allow_zero_length_clientid
#
# 请注意，如果设置为 true，则已断开连接的持久客户端（即，将干净会话设置为 false）将使用为其最近连接到的侦听器定义的 ACL 设置。
#
# 默认行为是将 this 设置为 false，它保持了之前版本 mosquitto 的设置行为。
#per_listener_settings false


# 如果一个客户端订阅了多个重叠的订阅，例如 foo/# 和 foo/+/baz ，那么 MQTT 期望当代理收到与两个订阅都匹配的主题（例如 foo/bar/baz）上的消息时，客户端应该只接收一次消息。
# Mosquitto 跟踪消息已发送到哪些客户端以满足此要求。 allow_duplicate_messages 选项允许禁用此行为，如果您有大量客户端订阅同一组主题并且非常关心最小化内存使用，这可能很有用。
# 如果您事先知道您的客户端永远不会有重叠订阅，则可以安全地将其设置为 true，否则即使 QoS=2，您的客户端也必须能够正确处理重复消息。
#allow_duplicate_messages false

# 此选项控制是否允许客户端使用零长度的客户端 ID 进行连接。此选项仅影响使用 MQTT v3.1.1 及更高版本的客户端。如果设置为 false，则使用零长度客户端 ID 连接的客户端将断开连接。如果设置为 true，则代理将为客户端分配一个客户端 ID。这意味着它只对 clean session 设置为 true 的客户端有用。
#allow_zero_length_clientid true

# 如果allow_zero_length_clientid 为true，则此选项允许您为自动生成的客户端ID 设置前缀，以帮助查看日志。
# 默认为“auto-”
#auto_id_prefix auto-

# 这个选项会影响客户端订阅一个有保留消息的主题的场景。向主题发布保留消息的客户端可能在发布时具有访问权限，但该访问权限随后已被删除。如果 check_retain_source 设置为 true，默认情况下，保留消息的来源将在重新发布之前检查访问权限。设置为 false 时，将不进行任何检查，并且将始终发布保留的消息。这会影响所有听众。
#check_retain_source true

# QoS 1 和 2 消息将被允许在每个客户端传输，直到超过此限制。默认为 0。（无最大值）
# 另见 max_inflight_messages
#max_inflight_bytes 0

# 每个客户端当前传输的 QoS 1 和 2 消息的最大数量。
# 这包括在握手过程中的消息和正在重试的消息。默认为 20。设置为 0 表示没有最大值。设置为 1 将保证 QoS 1 和 2 消息的有序传递。
#max_inflight_messages 20

# 对于 MQTT v5 客户端，可以让服务器发送“服务器保持连接”值，该值将覆盖客户端设置的保持连接值。
# 这旨在用作一种机制，说明服务器将比预期更早地断开客户端连接，并且客户端应该使用新的保活值。 max_keepalive 选项允许您指定客户端只能使用小于或等于此值的 keepalive 连接，否则将向它们发送服务器 keepalive，告诉它们使用 max_keepalive。这仅适用于 MQTT v5 客户端。允许的最大值为 65535。不要设置低于 10。
#max_keepalive 65535

# 对于 MQTT v5 客户端，可以让服务器发送“最大数据包大小”值，该值将指示客户端不会接受大小大于 max_packet_size 字节的 MQTT 数据包。这适用于完整的 MQTT 数据包，而不仅仅是有效负载。将此选项设置为正值会将最大数据包大小设置为该字节数。如果客户端发送大于此值的数据包，它将被断开连接。这适用于所有客户端，无论它们使用何种协议版本，但 v3.1.1 和更早版本的客户端当然不会收到最大数据包大小信息。默认为无限制。禁止设置低于 20 字节，因为它很像。即使负载非常小，也可以干扰普通的客户端操作。
#max_packet_size 0

# QoS 1 和 2 消息高于当前传输中的消息将按客户端排队，直到超过此限制。默认为 0。（无最大值）
# 另见 max_queued_messages。
# 如果同时指定了 max_queued_messages 和 max_queued_bytes，数据包将排队直到达到第一个限制。
#max_queued_bytes 0

# 每个客户端在队列中保存的 QoS 1 和 2 消息的最大数量高于当前正在传输的消息。默认为 100。设置为 0 表示没有最大值（不推荐）。
# 另见 queue_qos0_messages。
# 另见 max_queued_bytes。
#max_queued_messages 100
#
# 此选项设置代理将分配的最大堆内存字节数，从而对代理使用的内存设置硬限制。超过此值的内存请求将被拒绝。效果将根据被拒绝的内容而有所不同。如果正在处理传入的消息，
# 那么消息将被丢弃，发布客户端将断开连接。如果正在发送传出消息，则单个消息将被丢弃并且接收客户端将断开连接。
# 默认为无限制。
#memory_limit 0

# 此选项设置代理允许的最大发布负载大小。
# 接收到的超过此大小的消息将不被代理接受。
# 默认值为0，表示接受所有有效的MQTT消息。 MQTT 规定的最大负载大小为 268435455 字节。
#message_size_limit 0

# 此选项设置代理允许的最大发布负载大小。
# 接收到的超过此大小的消息将不被代理接受。
# 默认值为0，表示接受所有有效的MQTT消息。 MQTT 规定的最大负载大小为 268435455 字节。
#
# persistent_client_expiration 2m
# persistent_client_expiration 14d
# persistent_client_expiration 1y
#
# 如果未设置，则默认为永不过期的持久客户端。
#persistent_client_expiration

# 将进程ID写入文件。默认为空字符串，这意味着不应写入 pid 文件。
# 如果 mosquitto 在启动时使用 init 脚本和 start-stop-daemon 或类似工具自动运行，则应将其设置为 /var/run/mosquitto.pid。
#pid_file

# 设置为 true 以在持久客户端断开连接时使用 QoS 0 排队消息。这些消息包含在 max_queued_messages 和 max_queued_bytes 施加的限制中，默认为 false。
# 这是 MQTT v3.1 规范的非标准选项，但在 v3.1.1 中是允许的。
#queue_qos0_messages false

# 设置为 false 以禁用保留消息支持。如果客户端发布设置了保留位的消息，如果设置为 false，它将断开连接。
#retain_available true

# 在客户端套接字上禁用 Nagle 算法。这具有减少单个消息的延迟的效果，但可能会增加发送的数据包数量。
#set_tcp_nodelay false

# $SYS 树更新之间的时间（以秒为单位）。
# 设置为 0 以禁用 $SYS 树的发布。
#sys_interval 10

# MQTT 规范要求传递给订阅者的消息的 QoS 永远不会升级以匹配订阅的 QoS。启用此选项会更改此行为。如果 upgrade_outgoing_qos 设置为真，
# 发送给订阅者的消息将始终与其订阅的 QoS 匹配。
# 这是规范明确禁止的非标准选项。
#upgrade_outgoing_qos false

# 以 root 身份运行时，删除此用户及其主要组的权限。
# 设置为 root 以保持 root 身份，但不推荐这样做。
# 如果以非root用户运行，此设置无效。
# 请注意，在 Windows 上这不起作用，因此 mosquitto 应该由您希望它运行的用户启动。
#user mosquitto

默认监听器

# =================================================================
# 默认监听器
# =================================================================

# 绑定默认侦听器的 IP 地址/主机名。如果没有给出，默认侦听器将不会绑定到特定地址，因此所有网络接口都可以访问。
# bind_address IP地址/主机名
#bind_address

# 用于默认侦听器的端口。
#port 1883

# 将监听器绑定到特定的接口。这与上面的 bind_address 类似，但在接口有多个地址或地址可能更改时很有用。将它与 bind_address 选项一起使用是有效的，
# 但要注意你绑定的接口包含你绑定的地址，否则你将无法连接。
# 示例：bind_interface eth0
#bind_interface

# 当侦听器正在使用websockets 协议，也可以提供 http 数据。将 http_dir 设置为包含您希望提供的文件的目录。如果未指定此选项，则无法进行正常的 http 连接。
#http_dir

# 允许的最大客户端连接数。这是每个侦听器的设置。
# 默认为-1，表示无限连接。
# 请注意，其他进程限制意味着无限连接实际上是不可能的。通常，可能的默认最大连接数约为 1024。
#max_connections -1

# 选择监听时使用的协议。
# 这可以是 mqtt 或 websockets。
# Websockets 支持当前在编译时默认禁用。
# 基于证书的 TLS 可以与 websockets 一起使用，除了仅支持 cafile、certfile、keyfile 和 ciphers 选项。
#protocol mqtt

# 将use_username_as_clientid 设置为true 以将客户端连接的clientid 替换为其用户名。这允许将身份验证绑定到 clientid，这意味着可以防止一个客户端使用相同的 clientid 断开另一个客户端的连接。
# 如果客户端连接时没有用户名，当此选项设置为 true 时，它将被视为未授权而断开连接。
# 不要与clientid_prefixes 一起使用。
# 另见 use_identity_as_username。
#use_username_as_clientid

基于证书的 SSL/TLS 支持

# -----------------------------------------------------------------
# 基于证书的 SSL/TLS 支持
# -----------------------------------------------------------------
# 以下选项可用于为该侦听器启用 SSL/TLS 支持。请注意，MQTT over TLS 的推荐端口为 8883，但必须手动设置。
#
# 另见 mosquitto-tls 手册页。

# 必须至少定义 cafile 或 capath 之一。它们都定义了访问 PEM 编码的证书颁发机构证书的方法，这些证书已经签署了您的服务器证书并且您希望信任。
# cafile 定义包含 CA 证书的文件的路径。
# capath 定义了一个目录，用于搜索包含 CA 证书的文件。要使 capath 正常工作，证书文件必须以“.crt”作为文件结尾，并且您必须运行
# 每次添加/删除证书时，“openssl rehash <path to capath>”。
#cafile
#capath

# PEM 编码的服务器证书的路径。
#certfile

# PEM 编码的密钥文件的路径。
#keyfile


# 如果您将 require_certificate 设置为 true，您可以创建一个证书撤销列表文件来撤销对特定客户端证书的访问。如果您已完成此操作，请使用 crlfile 指向 PEM 编码的撤销文件。
#crlfile

# 如果您希望控制使用哪些加密密码，请使用 ciphers 选项。可用密码列表可以使用“openssl ciphers”命令获得，并且应该以与该命令的输出相同的格式提供。
# 如果未设置默认为 DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH

# 为了允许使用提供前向安全性的临时 DH 密钥交换，侦听器必须加载 DH 参数。这可以用 dhparamfile 选项指定。 dhparamfile 可以使用命令生成，例如“openssl dhparam -out dhparam.pem 2048”
#dhparamfile

# 默认情况下，启用 TLS 的侦听器将以与启用 https 的 Web 服务器类似的方式运行，因为服务器具有由 CA 签署的证书，客户端将验证它是受信任的证书。总体目标是加密网络流量。通过将 require_certificate 设置为 true，
# 客户端必须提供有效的证书才能继续进行网络连接。这允许在 MQTT 提供的机制之外控制对代理的访问。
#require_certificate false

# 此选项定义用于此侦听器的 TLS 协议版本。
# 默认值允许所有 v1.3、v1.2 和 v1.1。有效值为 tlsv1.3 tlsv1.2 和 tlsv1.1。
#tls_version

# 如果require_certificate 为true，您可以将use_identity_as_username 设置为true 以使用客户端证书中的CN 值作为用户名。如果这是真的，password_file 选项将不会用于此侦听器。
# 这优先于 use_subject_as_username。
# 另见 use_subject_as_username。
#use_identity_as_username false

# 如果 require_certificate 为 true，您可以将 use_subject_as_username 设置为 true 以使用来自客户端证书的完整主题值作为用户名。
# 如果这是真的，password_file 选项将不会用于此侦听器。
# 另见 use_identity_as_username
#use_subject_as_username false

基于预共享密钥的 SSL/TLS 支持

# -----------------------------------------------------------------
# 基于预共享密钥的 SSL/TLS 支持
# -----------------------------------------------------------------
# 以下选项可用于为该列表启用基于 PSK 的 SSL/TLS 支持温柔。请注意，MQTT over TLS 的推荐端口为 8883，但必须手动设置。
#
# 另请参阅 mosquitto-tls 手册页和“基于证书的 SSL/TLS 支持”部分。任何侦听器只能启用证书或 PSK 加密支持之一。

# psk_hint 选项为此侦听器启用预共享密钥支持，并且还充当此侦听器的标识符。提示被发送到客户端，并且可以在本地使用以帮助身份验证。提示是一个自由形式的字符串，它本身没有多大意义，所以请随意发挥创意。
# 如果提供此选项，请参阅 psk_file 以定义要使用的预共享密钥或创建安全插件来处理它们。
#psk_hint

# 当使用 PSK 时，使用的加密密码将从可用的 PSK 密码列表中选择。如果您想控制哪些密码可用，
# 使用“密码”选项。可用密码列表可以使用“openssl ciphers”命令获得，并且应该以与该命令的输出相同的格式提供。
#ciphers

# 设置use_identity_as_username，以客户端发送的psk身份作为用户名。身份验证将使用 PSK 而不是 MQTT 用户名/密码执行，因此 password_file 将不会用于此侦听器。
#use_identity_as_username false

额外的监听器

# =================================================================
# 额外的监听器
# =================================================================

# 监听端口/IP 地址组合。通过多次使用这个变量，mosquitto 可以监听多个端口。如果使用了这个变量并且没有给出 bind_address 和 port，
# 那么默认监听器将不会启动。
# 必须给出监听的端口号。可选地，可以提供 IP 地址或主机名作为第二个参数。在这种情况下，mosquitto 将尝试将侦听器绑定到该地址，从而限制对相关网络和接口的访问。默认情况下，mosquitto 将侦听所有接口。
# 请注意，对于 websockets 侦听器，不可能绑定到主机名。
# listener 端口号 [ip地址 / 主机名]
#listener

# 将监听器绑定到特定的接口。这类似于侦听器定义的 [ip 地址/主机名] 部分，但在接口具有多个地址或地址可能更改时很有用。将此与侦听器定义的 [ip 地址/主机名] 部分一起使用是有效的，但请注意您绑定到的接口包含您要绑定到的地址，否则您将无法连接。
# 仅在 Linux 上可用并且需要提升的权限。
#
# 示例：bind_interface eth0
#bind_interface

# 当侦听器使用 websockets 协议时，也可以提供 http 数据。将 http_dir 设置为包含您希望提供的文件的目录。如果未指定此选项，则无法进行正常的 http 连接。
#http_dir

# 允许的最大客户端连接数。这是每个侦听器的设置。
# 默认为-1，表示无限连接。
# 请注意，其他进程限制意味着无限连接实际上是不可能的。通常，可能的默认最大连接数约为 1024。
#max_connections -1

# 可以使用 mount_point 选项将侦听器限制为在主题层次结构内运行。这是通过为连接到此侦听器的任何客户端的所有主题添加 mount_point 字符串前缀来实现的。这种前缀只发生在代理内部；客户端将看不到前缀。
#mount_point

# 选择监听时使用的协议。
# 这可以是 mqtt 或 websockets。
# 基于证书的 TLS 可以与 websockets 一起使用，除了仅支持 cafile、certfile、keyfile 和 ciphers 选项。
#protocol mqtt

# 将use_username_as_clientid 设置为true 以将客户端连接的clientid 替换为其用户名。这允许将身份验证绑定到 clientid，这意味着可以防止一个客户端使用相同的 clientid 断开另一个客户端的连接。
# 如果客户端连接时没有用户名，当此选项设置为 true 时，它​​将被视为未授权而断开连接。
# 不要与clientid_prefixes 一起使用。
# 另见 use_identity_as_username。
#use_username_as_clientid

# 更改 websockets 标头大小。这是一个全局选项，无法为每个侦听器设置。此选项设置读取 HTTP 标头时 libwebsockets 库中使用的缓冲区的大小。如果您要传递大标题数据（例如 cookie），则可能需要增加此值。如果未设置或设置为 0，则将使用默认值 1024 字节。
#websockets_headers_size

基于 SSL/TLS 支持的 证书

# -----------------------------------------------------------------
# 基于 SSL/TLS 支持的 证书
# -----------------------------------------------------------------
# 以下选项可用于启用基于证书的 SSL/此侦听器的 TLS 支持。请注意，MQTT over TLS 的推荐端口是 8883，
# 但这必须手动设置。
#
# 另请参阅 mosquitto-tls 手册页和“基于预共享密钥的 SSL/TLS 支持”部分。任何侦听器只能启用证书或 PSK 加密支持之一。

# 必须至少定义 cafile 或 capath 之一才能启用基于证书的 TLS 加密。它们都定义了访问 PEM 编码的证书颁发机构证书的方法，这些证书已经签署了您的服务器证书并且您希望信任。
# cafile 定义包含 CA 证书的文件的路径。
# capath 定义了一个目录，用于搜索包含 CA 证书的文件。要使 capath 正常工作，证书文件必须以“.crt”作为文件结尾，并且您必须运行
# 每次添加/删除证书时，“openssl rehash <path to capath>”。
#cafile
#capath

# PEM 编码的服务器证书的路径。
#certfile

# PEM 编码的密钥文件的路径。
#keyfile


# 如果您希望控制使用哪些加密密码，请使用 ciphers 选项。可以使用“openssl ciphers”命令选择可用密码的列表，并且应以与该命令的输出相同的格式提供。
#ciphers

# 如果您将 require_certificate 设置为 true，您可以创建一个证书撤销列表文件来撤销对特定客户端证书的访问。如果您已完成此操作，请使用 crlfile 指向 PEM 编码的撤销文件。
#crlfile

# 为了允许使用提供前向安全性的临时 DH 密钥交换，侦听器必须加载 DH 参数。这可以用 dhparamfile 选项指定。 dhparamfile 可以使用命令生成，例如“openssl dhparam -out dhparam.pem 2048”
#dhparamfile

# 默认情况下，启用 TLS 的侦听器将以与启用 https 的 Web 服务器类似的方式运行，因为服务器具有由 CA 签署的证书，客户端将验证它是受信任的证书。总体目标是加密网络流量。通过将 require_certificate 设置为 true，
# 客户端必须提供有效的证书才能继续进行网络连接。这允许在 MQTT 提供的机制之外控制对代理的访问。
#require_certificate false

# 如果require_certificate 为true，您可以将use_identity_as_username 设置为true 以使用客户端证书中的CN 值作为用户名。如果这是真的，password_file 选项将不会用于此侦听器。
#use_identity_as_username false

基于预共享密钥的 SSL/TLS 支持

# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# 以下选项可用于为该侦听器启用基于 PSK 的 SSL/TLS 支持。请注意，MQTT over TLS 的推荐端口为 8883，但必须手动设置。
#
# 另请参阅 mosquitto-tls 手册页和“基于证书的 SSL/TLS 支持”部分。任何侦听器只能启用证书或 PSK 加密支持之一。

# psk_hint 选项为此侦听器启用预共享密钥支持，并且还充当此侦听器的标识符。提示被发送到客户端，并且可以在本地使用以帮助身份验证。提示是一个自由形式的字符串，它本身没有多大意义，所以请随意发挥创意。
# 如果提供此选项，请参阅 psk_file 以定义要使用的预共享密钥或创建安全插件来处理它们。
#psk_hint

# 当使用 PSK 时，使用的加密密码将从可用的 PSK 密码列表中选择。如果您想控制哪些密码可用，
# 使用“密码”选项。可以使用“openssl ciphers”命令选择可用密码的列表，并且应以与该命令的输出相同的格式提供。
#ciphers

# 设置use_identity_as_username，以客户端发送的psk身份作为用户名。身份验证将使用 PSK 而不是 MQTT 用户名/密码执行，因此 password_file 将不会用于此侦听器。
#use_identity_as_username false

持久化

# =================================================================
# Persistence
# =================================================================

# 如果启用持久化，则每隔 autosave_interval 秒将内存数据库保存到磁盘。如果设置为 0，持久化数据库只会在 mosquitto 退出时写入。另请参阅 autosave_on_changes。
# 请注意，可以通过向 mosquitto 发送 SIGUSR1 信号来强制写入持久性数据库。
#autosave_interval 1800

# 如果为 true，mosquitto 将计算订阅更改、接收到的保留消息和排队消息的数量，如果总数超过 autosave_interval，则内存数据库将保存到磁盘。
# 如果为 false，mosquitto 会将 autosave_interval 视为以秒为单位的时间，从而将内存数据库保存到磁盘。
#autosave_on_changes false

＃ 保存将消息数据持久化到磁盘（真/假）。
# 这会保存有关所有消息的信息，包括订阅、当前传输中的消息和保留的消息。
#retained_persistence 是这个选项的同义词。
#persistence false

# 用于持久数据库的文件名，不包括路径。
#persistence_file mosquitto.db

# 持久化数据库的位置。必须包括以 / 结尾
# 默认为空字符串（当前目录）。
# 设置为例如/var/lib/mosquitto/ 如果在 Linux 或类似设备上作为适当的服务运行。
#persistence_location

日志

# =================================================================
# Logging
# =================================================================

# 登录的地方。将多个 log_dest 行用于多个日志记录目的地。
# 可能的目的地是：stdout stderr syslog 主题文件
#
# stdout 和 stderr 记录到命名输出的控制台。
#
# syslog 使用用户空间 syslog 工具，它通常在 /var/log/messages 或类似的地方结束。
#
# 主题日志到代理主题 '$SYS/broker/log/<severity>',
# 其中严重性是 D、E、W、N、I、M 之一，它们是调试、错误、
# 警告、通知、信息和消息。订阅/取消订阅 log_types 使用消息类型严重性并将日志消息发布到
# $SYS/broker/log/M/susbcribe 或 $SYS/broker/log/M/unsubscribe。
#
# 文件目的地需要一个附加参数，即要记录到的文件，例如“log_dest 文件 /var/log/mosquitto.log”。当经纪人收到 HUP 信号时，该文件将关闭并重新打开。只能配置单个文件目标。
#
# 请注意，如果代理作为 Windows 服务运行，它将默认为
# "log_dest none" 并且 stdout 和 stderr 日志都不可用。
# 如果您想禁用日志记录，请使用“log_dest none”。
#log_dest stderr

# 要记录的消息类型。使用多个 log_type 行记录多种类型的消息。
# 可能的类型有：: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, websockets, all.
# 请注意，调试类型消息用于解码传入/传出的网络数据包。他们没有登录“主题”。
#log_type error
#log_type warning
#log_type notice
#log_type information


# 如果设置为true，则客户端连接和断开连接消息将包含在日志中。
#connection_messages true

# 如果使用 syslog 日志记录（不在 Windows 上），消息将被记录到
# 默认情况下“守护进程”工具。使用 log_facility 选项选择要登录到 local0 到 local7 中的哪一个。选项值应该是一个整数值，例如“log_facility 5”使用local5。
#log_facility

# 如果设置为true，则为每条日志消息添加一个时间戳值。
#log_timestamp true

# 设置日志时间戳的格式。如果不设置，这是自 Unix 纪元以来的秒数。
# 这是一个自由文本字符串，将传递给 strftime 函数。要获取 ISO 8601 日期时间，例如：
# log_timestamp_format %Y-%m-%dT%H:%M:%S
#log_timestamp_format

# 更改 websockets 日志级别。这是一个全局选项，无法为每个侦听器设置。这是一个整数，由 libwebsockets 解释为其 lws_log_levels 枚举的位掩码。有关更多详细信息，请参阅 libwebsockets 文档。还必须启用“log_type websockets”。
#websockets_log_level 0

安全

# =================================================================
# Security
# =================================================================

# 如果设置，只有在其 clientid 上具有匹配前缀的客户端才会被允许连接到代理。默认情况下，
# 所有客户端都可以连接。
# 例如，这里设置“secure-”意味着客户端“secure-”
# client" 可以连接，但另一个具有 clientid "mqtt" 的不能。
#clientid_prefixes

# 布尔值，用于确定是否允许在不提供用户名的情况下连接的客户端进行连接。如果设置为 false，则应创建密码文件（请参阅 password_file 选项）以控制经过身份验证的客户端访问。
#
# 如果未设置其他安全选项，则默认为 true。如果 `password_file` 或
# `psk_file` 已设置，或者如果加载了实现用户名/密码或 TLS-PSK 检查的身份验证插件，则 `allow_anonymous` 默认为 false。
#
#allow_anonymous true

默认身份验证和主题访问控制

# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------

# 使用密码文件控制对代理的访问。可以使用 mosquitto_passwd 实用程序生成此文件。如果 TLS 支持未编译到 mosquitto（建议应包含 TLS 支持），则使用纯文本密码，在这种情况下，文件应为具有以下格式的行的文本文件：
# username:password 如果需要，可以省略密码（和冒号），尽管这对安全性的影响很小。
#
#查看TLS客户端require_certificated 使用_identity_as_username 选项作为替代身份验证选项。如果使用 auth_plugin 以及 password_file，将首先进行 auth_plugin 检查。
#password_file

# 访问也可以使用预共享密钥文件进行控制。这需要 TLS-PSK 支持和配置为使用它的侦听器。该文件应该是以下格式的文本行：
# identity:key 密钥应该是没有前导“0x”的十六进制格式。
# 如果还使用了 auth_plugin，则首先进行 auth_plugin 检查。
#psk_file

# 使用访问控制列表文件控制对代理上主题的访问。如果定义了此参数，则只有列出的主题才能访问。
# 如果 ACL 文件的一行的第一个字符是 #，则将其视为注释。
# 主题访问添加了以下格式的行：
#
# topic [read|write|readwrite] <topic>
#
# 使用“read”、“write”或“readwrite”控制访问类型。此参数是可选的（除非 <topic> 包含空格字符） 
# - 如果未给出，则访问权限为读/写。 <topic> 可以包含 + 或 # 通配符在订阅中。
#
# 第一组主题应用于匿名客户端，假设allow_anonymous 为真。用户特定主题 ACL 添加到用户行之后，如下所示：
#
# user <username>
#
# 这里所指的用户名与password_file 中的相同。它不是客户端 ID。
#
#
# 如果也可以根据主题内的模式替换定义 ACL。可用于替换的模式有：
#
# %c 匹配客户端的客户端ID
# %u 匹配客户端的用户名
#
# 替换模式必须是该层次结构级别的唯一文本。
#
# 形式与主题关键字相同，但使用模式作为关键字。
# 模式 ACL 适用于所有用户，即使之前已经给出了“user”关键字。
#
# 如果使用具有用户名和 ACL 的网桥，则可以使用以下模式允许连接消息：
# 模式写入 $SYS/broker/connection/%c/state
#
# pattern [read|write|readwrite] <topic>
#
# 例子:
#
# pattern write sensor/%u/data
#
# 如果 auth_plugin 与 acl_file 一起使用，将首先进行 auth_plugin 检查。
#acl_file

外部认证和主题访问插件选项

# -----------------------------------------------------------------
# External authentication and topic access plugin options
# -----------------------------------------------------------------

# auth_plugin 选项可以支持外部认证和访问控制。这是可加载插件的路径。另请参阅下面描述的 auth_opt_* 选项。
#
# auth_plugin 选项可以多次指定以加载多个插件。插件将按照它们在此处指定的顺序进行处理。如果 auth_plugin 选项与 password_file 或 acl_file 中的任一个一起指定，则将首先进行插件检查。
#
#auth_plugin

# 如果使用了上面的 auth_plugin 选项，请按照插件说明中的描述在此处定义要传递给插件的选项。所有使用 auth_opt_* 格式命名的选项都将传递给插件，例如：
#
# auth_opt_db_host
# auth_opt_db_port
# auth_opt_db_username
# auth_opt_db_password

桥接

# =================================================================
# Bridges
# =================================================================

# 桥接器是一种将多个 MQTT 代理连接在一起的方式。
# 使用“连接”选项创建一个新桥，如下所述。使用其余参数设置桥接选项。您必须指定要订阅的地址和至少一个主题。
#
# 每个连接必须有一个唯一的名称。
#
# 地址行可以指定多个主机地址和端口。如果使用多个地址，请参阅下面的 round_robin 描述以获取有关桥接行为的更多详细信息。请注意，如果您使用 IPv6 地址，则需要指定端口。
#
# 话题被分享的方向可以通过指定out、in或both来选择，默认值是out。
# 桥接通信的 QoS 级别可以通过下一个主题选项指定。默认的 QoS 级别为 0，要更改 QoS，还必须给出主题方向。
#
# 本地和远程前缀选项允许主题在桥接到/从远程代理桥接时重新映射。这提供了将主题树放置在适当位置的能力。
#
# 有关更多详细信息，请参阅 mosquitto.conf 手册页。
#
# 每个连接可以指定多个主题，但注意不要创建任何循环。
#
# 如果您使用的网桥的 cleansession 设置为 false（默认值），那么如果您更改订阅的主题，您可能会从传入的主题中获得意外行为。这是因为远程代理保留对旧主题的订阅。如果您遇到此问题，请在将 cleansession 设置为 true 的情况下连接您的网桥，然后像往常一样在将 cleansession 设置为 false 的情况下重新连接。
#connection <name>
#address <host>[:<port>] [<host>[:<port>]]
#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]


# 如果桥的主题具有“出”方向，则默认行为是向该主题的远程代理发送取消订阅请求。这意味着将主题方向从“输入”更改为“输出”将不会继续接收传入消息。发送这些取消订阅请求并不总是可取的，将 bridge_attempt_unsubscribe 设置为 false 将禁用发送取消订阅请求。
#bridge_attempt_unsubscribe true

# 设置用于此网桥的 MQTT 协议的版本。可以是 mqttv311 或 mqttv11 之一。默认为 mqttv311。
#bridge_protocol_version mqttv311

# 为这个网桥设置干净的会话变量。
# 当设置为 true 时，当网桥因任何原因断开连接时，所有消息和订阅都将在远程代理上被清除。请注意，将 cleansession 设置为 true，当网桥在失去连接后重新连接时，可能会发送大量保留的消息。
# 当设置为 false 时，订阅和消息保留在远程代理上，并在网桥重新连接时传递。
#cleansession false

# 设置使用延迟启动类型的网桥在停止之前必须空闲的时间量。默认为 60 秒。
#idle_timeout 60

# 设置此桥接的keepalive时间间隔，单位为秒。
#keepalive_interval 60

# 设置要在本地代理上使用的客户端 ID。如果未定义，则默认为
# 'local.<clientid>'。如果您将代理桥接到自身，则 local_clientid 和 clientid 不匹配很重要。
#local_clientid

# 如果设置为 true，则向本地和远程代理发布通知消息，提供有关桥接连接状态的信息。除非使用 notification_topic 选项，否则保留的消息将发布到主题 $SYS/broker/connection/<clientid>/state。
# 如果消息为 1，则连接处于活动状态，如果连接失败，则为 0。
# 这使用了最后的遗嘱和遗嘱功能。
#notifications true

# 选择发布此网桥通知消息的主题。如果未设置，则在该主题上发布消息
# $SYS/broker/connection/<clientid>/state
#notification_topic

# 设置要在此桥接连接的远程端使用的客户端 ID。如果未定义，则默认为“name.hostname”，其中 name 是连接名称，hostname 是这台计算机的主机名。
# 这取代了旧的“clientid”选项以避免混淆。 “客户端 ID”暂时有效。
#remote_clientid

# 设置连接到需要身份验证的代理时使用的密码。仅当还设置了 remote_username 时才使用此选项。
# 这取代了旧的“密码”选项以避免混淆。 “密码”暂时有效。
#remote_password

# 设置连接到需要身份验证的代理时使用的用户名。
# 这替换了旧的“用户名”选项以避免混淆。 “用户名”暂时有效。
#remote_username

# 设置使用自动启动类型的网桥在尝试重新连接之前将等待的时间。
# 此选项可以配置为使用以秒为单位的恒定延迟时间，或者使用基于“Decorrelated Jitter”的退避机制，这会在重启发生时增加一定程度的随机性。
#
# 设置一个恒定的超时时间为 20 秒：
# restart_timeout 20
#
# 将退避设置为 10 秒的基础（起始值）和 60 秒的上限（上限）：
# restart_timeout 10 30
#
# 默认为以 5 为基数和 30 为上限的抖动
#restart_timeout 5 30

# 如果网桥在 address/addresses 配置中给出了多个地址，round_robin 选项定义网桥在网桥连接失败时的行为。如果round_robin 为false，即默认值，则第一个地址被视为主桥连接。如果连接失败，将依次尝试其他辅助地址。当连接到次要桥时，桥会定期尝试重新连接到主桥，直到成功。
# 如果 round_robin 为真，则所有地址都被视为相等。如果连接失败，将尝试下一个地址，如果成功将保持连接直到失败
#round_robin false

# 设置网桥的启动类型。这控制了桥接的启动方式，可以是以下三种类型之一：自动、惰性和一次。请注意，RSMB 提供了第四种启动类型“手册”，目前 mosquitto 不支持该启动类型。
#
# "automatic" 是默认的启动类型，意味着当代理启动时桥连接将自动启动，如果连接失败，也会在短暂的延迟（30 秒）后重新启动。
#
# 使用“延迟”启动类型的网桥会在排队消息的数量超过“阈值”设置的数量时自动启动
＃ 范围。设置的时间后会自动停止
# "idle_timeout" 参数。使用此启动类型e 如果您希望连接仅在需要时处于活动状态。
#
# 使用“once”启动类型的网桥会在代理启动时自动启动，但如果连接失败则不会重新启动。
#start_type automatic

# 设置延迟启动类型的网桥重启需要排队的消息数。默认为 10 条消息。
# 必须小于 max_queued_messages。
#threshold 10

# 如果 try_private 设置为 true，则桥将尝试向远程代理指示它是桥而不是普通客户端。如果成功，这意味着循环检测将更有效并且保留的消息将被正确传播。并非所有代理都支持此功能，因此如果您的网桥连接不正确，则可能需要将 try_private 设置为 false。
#try_private true

基于证书的 SSL/TLS 支持

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# 必须定义bridge_cafile 或bridge_capath 才能为该网桥启用TLS 支持。
# bridge_cafile 定义包含已签署远程代理证书的证书颁发机构证书的文件的路径。
# bridge_capath 定义了一个目录，用于搜索包含 CA 证书的文件。要使bridge_capath 正常工作，证书文件必须以“.crt”作为文件结尾，并且您必须运行“openssl rehash
# <path to capath>" 每次添加/删除证书时。
#bridge_cafile
#bridge_capath


# 如果远程代理在其端口上有多个可用协议，例如MQTT和WebSockets，然后使用bridge_alpn来配置请求的协议。请注意，WebSockets 对网桥的支持尚不可用。
#bridge_alpn

# 当使用基于证书的加密时，bridge_insecure 禁用服务器证书中服务器主机名的验证。这在测试初始服务器配置时很有用，但会使恶意第三方通过 DNS 欺骗等方式冒充您的服务器。仅在测试中使用此选项。如果您需要在生产环境中使用此选项，则您的设置有问题，使用加密毫无意义。
#bridge_insecure false

# PEM 编码的客户端证书的路径，如果远程代理需要。
#bridge_certfile

# PEM 编码的客户端私钥的路径，如果远程代理需要。
#bridge_keyfile

基于 PSK 的 SSL/TLS 支持

# -----------------------------------------------------------------
# PSK based SSL/TLS support
# -----------------------------------------------------------------
# 预共享密钥加密提供了基于证书加密的替代方案。可以将网桥配置为使用带有 bridge_identity 和 bridge_psk 选项的 PSK。这些是客户端 PSK 标识和十六进制格式的预共享密钥，没有“0x”。一次只能在一个网桥上使用基于证书和 PSK 的加密之一。
#bridge_identity
#bridge_psk

外部配置文件

# =================================================================
# External config files
# =================================================================

# 可以使用 include_dir 选项包含外部配置文件。这定义了一个将搜索配置文件的目录。所有以“.conf”结尾的文件都将作为配置文件加载。最好将此作为主文件中的最后一个选项。此选项将仅从主配置文件中处理。指定的目录不得包含主配置文件。
# include_dir 中的文件将按区分大小写的字母顺序加载，大写字母在前。如果多次给出此选项，则第一个实例中的所有文件将在下一个实例之前处理。有关示例，请参见手册页。
#include_dir

原文

# Config file for mosquitto
#
# See mosquitto.conf(5) for more information.
#
# Default values are shown, uncomment to change.
#
# Use the # character to indicate a comment, but only if it is the
# very first character on the line.

General configuration

# =================================================================
# General configuration
# =================================================================

# Use per listener security settings.
#
# It is recommended this option be set before any other options.
#
# If this option is set to true, then all authentication and access control
# options are controlled on a per listener basis. The following options are
# affected:
#
# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
# auto_id_prefix allow_zero_length_clientid
#
# Note that if set to true, then a durable client (i.e. with clean session set
# to false) that has disconnected will use the ACL settings defined for the
# listener that it was most recently connected to.
#
# The default behaviour is for this to be set to false, which maintains the
# setting behaviour from previous versions of mosquitto.
#per_listener_settings false


# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
# and foo/+/baz , then MQTT expects that when the broker receives a message on
# a topic that matches both subscriptions, such as foo/bar/baz, then the client
# should only receive the message once.
# Mosquitto keeps track of which clients a message has been sent to in order to
# meet this requirement. The allow_duplicate_messages option allows this
# behaviour to be disabled, which may be useful if you have a large number of
# clients subscribed to the same set of topics and are very concerned about
# minimising memory usage.
# It can be safely set to true if you know in advance that your clients will
# never have overlapping subscriptions, otherwise your clients must be able to
# correctly deal with duplicate messages even when then have QoS=2.
#allow_duplicate_messages false

# This option controls whether a client is allowed to connect with a zero
# length client id or not. This option only affects clients using MQTT v3.1.1
# and later. If set to false, clients connecting with a zero length client id
# are disconnected. If set to true, clients will be allocated a client id by
# the broker. This means it is only useful for clients with clean session set
# to true.
#allow_zero_length_clientid true

# If allow_zero_length_clientid is true, this option allows you to set a prefix
# to automatically generated client ids to aid visibility in logs.
# Defaults to 'auto-'
#auto_id_prefix auto-

# This option affects the scenario when a client subscribes to a topic that has
# retained messages. It is possible that the client that published the retained
# message to the topic had access at the time they published, but that access
# has been subsequently removed. If check_retain_source is set to true, the
# default, the source of a retained message will be checked for access rights
# before it is republished. When set to false, no check will be made and the
# retained message will always be published. This affects all listeners.
#check_retain_source true

# QoS 1 and 2 messages will be allowed inflight per client until this limit
# is exceeded.  Defaults to 0. (No maximum)
# See also max_inflight_messages
#max_inflight_bytes 0

# The maximum number of QoS 1 and 2 messages currently inflight per
# client.
# This includes messages that are partway through handshakes and
# those that are being retried. Defaults to 20. Set to 0 for no
# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
# and 2 messages.
#max_inflight_messages 20

# For MQTT v5 clients, it is possible to have the server send a "server
# keepalive" value that will override the keepalive value set by the client.
# This is intended to be used as a mechanism to say that the server will
# disconnect the client earlier than it anticipated, and that the client should
# use the new keepalive value. The max_keepalive option allows you to specify
# that clients may only connect with keepalive less than or equal to this
# value, otherwise they will be sent a server keepalive telling them to use
# max_keepalive. This only applies to MQTT v5 clients. The maximum value
# allowable is 65535. Do not set below 10.
#max_keepalive 65535

# For MQTT v5 clients, it is possible to have the server send a "maximum packet
# size" value that will instruct the client it will not accept MQTT packets
# with size greater than max_packet_size bytes. This applies to the full MQTT
# packet, not just the payload. Setting this option to a positive value will
# set the maximum packet size to that number of bytes. If a client sends a
# packet which is larger than this value, it will be disconnected. This applies
# to all clients regardless of the protocol version they are using, but v3.1.1
# and earlier clients will of course not have received the maximum packet size
# information. Defaults to no limit. Setting below 20 bytes is forbidden
# because it is likely to interfere with ordinary client operation, even with
# very small payloads.
#max_packet_size 0

# QoS 1 and 2 messages above those currently in-flight will be queued per
# client until this limit is exceeded.  Defaults to 0. (No maximum)
# See also max_queued_messages.
# If both max_queued_messages and max_queued_bytes are specified, packets will
# be queued until the first limit is reached.
#max_queued_bytes 0

# The maximum number of QoS 1 and 2 messages to hold in a queue per client
# above those that are currently in-flight.  Defaults to 100. Set
# to 0 for no maximum (not recommended).
# See also queue_qos0_messages.
# See also max_queued_bytes.
#max_queued_messages 100
#
# This option sets the maximum number of heap memory bytes that the broker will
# allocate, and hence sets a hard limit on memory use by the broker.  Memory
# requests that exceed this value will be denied. The effect will vary
# depending on what has been denied. If an incoming message is being processed,
# then the message will be dropped and the publishing client will be
# disconnected. If an outgoing message is being sent, then the individual
# message will be dropped and the receiving client will be disconnected.
# Defaults to no limit.
#memory_limit 0

# This option sets the maximum publish payload size that the broker will allow.
# Received messages that exceed this size will not be accepted by the broker.
# The default value is 0, which means that all valid MQTT messages are
# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
#message_size_limit 0

# This option allows persistent clients (those with clean session set to false)
# to be removed if they do not reconnect within a certain time frame.
#
# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1.
#
# Badly designed clients may set clean session to false whilst using a randomly
# generated client id. This leads to persistent clients that will never
# reconnect. This option allows these clients to be removed.
#
# The expiration period should be an integer followed by one of h d w m y for
# hour, day, week, month and year respectively. For example
#
# persistent_client_expiration 2m
# persistent_client_expiration 14d
# persistent_client_expiration 1y
#
# The default if not set is to never expire persistent clients.
#persistent_client_expiration

# Write process id to a file. Default is a blank string which means
# a pid file shouldn't be written.
# This should be set to /var/run/mosquitto.pid if mosquitto is
# being run automatically on boot with an init script and
# start-stop-daemon or similar.
#pid_file

# Set to true to queue messages with QoS 0 when a persistent client is
# disconnected. These messages are included in the limit imposed by
# max_queued_messages and max_queued_bytes
# Defaults to false.
# This is a non-standard option for the MQTT v3.1 spec but is allowed in
# v3.1.1.
#queue_qos0_messages false

# Set to false to disable retained message support. If a client publishes a
# message with the retain bit set, it will be disconnected if this is set to
# false.
#retain_available true

# Disable Nagle's algorithm on client sockets. This has the effect of reducing
# latency of individual messages at the potential cost of increasing the number
# of packets being sent.
#set_tcp_nodelay false

# Time in seconds between updates of the $SYS tree.
# Set to 0 to disable the publishing of the $SYS tree.
#sys_interval 10

# The MQTT specification requires that the QoS of a message delivered to a
# subscriber is never upgraded to match the QoS of the subscription. Enabling
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
# messages sent to a subscriber will always match the QoS of its subscription.
# This is a non-standard option explicitly disallowed by the spec.
#upgrade_outgoing_qos false

# When run as root, drop privileges to this user and its primary
# group.
# Set to root to stay as root, but this is not recommended.
# If run as a non-root user, this setting has no effect.
# Note that on Windows this has no effect and so mosquitto should
# be started by the user you wish it to run as.
#user mosquitto

Default listener

# =================================================================
# Default listener
# =================================================================

# IP address/hostname to bind the default listener to. If not
# given, the default listener will not be bound to a specific
# address and so will be accessible to all network interfaces.
# bind_address ip-address/host name
#bind_address

# Port to use for the default listener.
#port 1883

# Bind the listener to a specific interface. This is similar to
# bind_address above but is useful when an interface has multiple addresses or
# the address may change. It is valid to use this with the bind_address option,
# but take care that the interface you are binding to contains the address you
# are binding to, otherwise you will not be able to connect.
# Example: bind_interface eth0
#bind_interface

# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir

# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1

# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Websockets support is currently disabled by default at compile time.
# Certificate based TLS may be used with websockets, except that
# only the cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt

# Set use_username_as_clientid to true to replace the clientid that a client
# connected with with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid

Certificate based SSL/TLS support

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS
# is 8883, but this must be set manually.
#
# See also the mosquitto-tls man page.

# At least one of cafile or capath must be defined. They both
# define methods of accessing the PEM encoded Certificate
# Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath

# Path to the PEM encoded server certificate.
#certfile

# Path to the PEM encoded keyfile.
#keyfile


# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile

# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH

# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with the command
# e.g. "openssl dhparam -out dhparam.pem 2048"
#dhparamfile

# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false

# This option defines the version of the TLS protocol to use for this listener.
# The default value allows all of v1.3, v1.2 and v1.1. The valid values are
# tlsv1.3 tlsv1.2 and tlsv1.1.
#tls_version

# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
# This takes priority over use_subject_as_username.
# See also use_subject_as_username.
#use_identity_as_username false

# If require_certificate is true, you may set use_subject_as_username to true
# to use the complete subject value from the client certificate as a username.
# If this is true, the password_file option will not be used for this listener.
# See also use_identity_as_username
#use_subject_as_username false

Pre-shared-key based SSL/TLS support

# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option.  The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers

# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false

Extra listeners

# =================================================================
# Extra listeners
# =================================================================

# Listen on a port/ip address combination. By using this variable
# multiple times, mosquitto can listen on more than one port. If
# this variable is used and neither bind_address nor port given,
# then the default listener will not be started.
# The port number to listen on must be given. Optionally, an ip
# address or host name may be supplied as a second argument. In
# this case, mosquitto will attempt to bind the listener to that
# address and so restrict access to the associated network and
# interface. By default, mosquitto will listen on all interfaces.
# Note that for a websockets listener it is not possible to bind to a host
# name.
# listener port-number [ip address/host name]
#listener

# Bind the listener to a specific interface. This is similar to
# the [ip address/host name] part of the listener definition, but is useful
# when an interface has multiple addresses or the address may change. It is
# valid to use this with the [ip address/host name] part of the listener
# definition, but take care that the interface you are binding to contains the
# address you are binding to, otherwise you will not be able to connect.
# Only available on Linux and requires elevated privileges.
#
# Example: bind_interface eth0
#bind_interface

# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir

# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1

# The listener can be restricted to operating within a topic hierarchy using
# the mount_point option. This is achieved be prefixing the mount_point string
# to all topics for any clients connected to this listener. This prefixing only
# happens internally to the broker; the client will not see the prefix.
#mount_point

# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Certificate based TLS may be used with websockets, except that only the
# cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt

# Set use_username_as_clientid to true to replace the clientid that a client
# connected with with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid

# Change the websockets headers size. This is a global option, it is not
# possible to set per listener. This option sets the size of the buffer used in
# the libwebsockets library when reading HTTP headers. If you are passing large
# header data such as cookies then you may need to increase this value. If left
# unset, or set to 0, then the default of 1024 bytes will be used.
#websockets_headers_size

Certificate based SSL/TLS support

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable certificate based SSL/TLS support
# for this listener. Note that the recommended port for MQTT over TLS is 8883,
# but this must be set manually.
#
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# At least one of cafile or capath must be defined to enable certificate based
# TLS encryption. They both define methods of accessing the PEM encoded
# Certificate Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath

# Path to the PEM encoded server certificate.
#certfile

# Path to the PEM encoded keyfile.
#keyfile


# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be optained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
#ciphers

# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile

# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with the command
# e.g. "openssl dhparam -out dhparam.pem 2048"
#dhparamfile

# By default an TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false

# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
#use_identity_as_username false

Pre-shared-key based SSL/TLS support

# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option.  The list of available ciphers can be optained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers

# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false

Persistence

# =================================================================
# Persistence
# =================================================================

# If persistence is enabled, save the in-memory database to disk
# every autosave_interval seconds. If set to 0, the persistence
# database will only be written when mosquitto exits. See also
# autosave_on_changes.
# Note that writing of the persistence database can be forced by
# sending mosquitto a SIGUSR1 signal.
#autosave_interval 1800

# If true, mosquitto will count the number of subscription changes, retained
# messages received and queued messages and if the total exceeds
# autosave_interval then the in-memory database will be saved to disk.
# If false, mosquitto will save the in-memory database to disk by treating
# autosave_interval as a time in seconds.
#autosave_on_changes false

# Save persistent message data to disk (true/false).
# This saves information about all messages, including
# subscriptions, currently in-flight messages and retained
# messages.
# retained_persistence is a synonym for this option.
#persistence false

# The filename to use for the persistent database, not including
# the path.
#persistence_file mosquitto.db

# Location for persistent database. Must include trailing /
# Default is an empty string (current directory).
# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or
# similar.
#persistence_location

Logging

# =================================================================
# Logging
# =================================================================

# Places to log to. Use multiple log_dest lines for multiple
# logging destinations.
# Possible destinations are: stdout stderr syslog topic file
#
# stdout and stderr log to the console on the named output.
#
# syslog uses the userspace syslog facility which usually ends up
# in /var/log/messages or similar.
#
# topic logs to the broker topic '$SYS/broker/log/<severity>',
# where severity is one of D, E, W, N, I, M which are debug, error,
# warning, notice, information and message. Message type severity is used by
# the subscribe/unsubscribe log_types and publishes log messages to
# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
#
# The file destination requires an additional parameter which is the file to be
# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
# closed and reopened when the broker receives a HUP signal. Only a single file
# destination may be configured.
#
# Note that if the broker is running as a Windows service it will default to
# "log_dest none" and neither stdout nor stderr logging is available.
# Use "log_dest none" if you wish to disable logging.
#log_dest stderr

# Types of messages to log. Use multiple log_type lines for logging
# multiple types of messages.
# Possible types are: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, websockets, all.
# Note that debug type messages are for decoding the incoming/outgoing
# network packets. They are not logged in "topics".
#log_type error
#log_type warning
#log_type notice
#log_type information


# If set to true, client connection and disconnection messages will be included
# in the log.
#connection_messages true

# If using syslog logging (not on Windows), messages will be logged to the
# "daemon" facility by default. Use the log_facility option to choose which of
# local0 to local7 to log to instead. The option value should be an integer
# value, e.g. "log_facility 5" to use local5.
#log_facility

# If set to true, add a timestamp value to each log message.
#log_timestamp true

# Set the format of the log timestamp. If left unset, this is the number of
# seconds since the Unix epoch.
# This is a free text string which will be passed to the strftime function. To
# get an ISO 8601 datetime, for example:
# log_timestamp_format %Y-%m-%dT%H:%M:%S
#log_timestamp_format

# Change the websockets logging level. This is a global option, it is not
# possible to set per listener. This is an integer that is interpreted by
# libwebsockets as a bit mask for its lws_log_levels enum. See the
# libwebsockets documentation for more details. "log_type websockets" must also
# be enabled.
#websockets_log_level 0

Security

# =================================================================
# Security
# =================================================================

# If set, only clients that have a matching prefix on their
# clientid will be allowed to connect to the broker. By default,
# all clients may connect.
# For example, setting "secure-" here would mean a client "secure-
# client" could connect but another with clientid "mqtt" couldn't.
#clientid_prefixes

# Boolean value that determines whether clients that connect
# without providing a username are allowed to connect. If set to
# false then a password file should be created (see the
# password_file option) to control authenticated client access.
#
# Defaults to true if no other security options are set. If `password_file` or
# `psk_file` is set, or if an authentication plugin is loaded which implements
# username/password or TLS-PSK checks, then `allow_anonymous` defaults to
# false.
#
#allow_anonymous true

Default authentication and topic access control

# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------

# Control access to the broker using a password file. This file can be
# generated using the mosquitto_passwd utility. If TLS support is not compiled
# into mosquitto (it is recommended that TLS support should be included) then
# plain text passwords are used, in which case the file should be a text file
# with lines in the format:
# username:password
# The password (and colon) may be omitted if desired, although this
# offers very little in the way of security.
#
# See the TLS client require_certificate and use_identity_as_username options
# for alternative authentication options. If an auth_plugin is used as well as
# password_file, the auth_plugin check will be made first.
#password_file

# Access may also be controlled using a pre-shared-key file. This requires
# TLS-PSK support and a listener configured to use it. The file should be text
# lines in the format:
# identity:key
# The key should be in hexadecimal format without a leading "0x".
# If an auth_plugin is used as well, the auth_plugin check will be made first.
#psk_file

# Control access to topics on the broker using an access control list
# file. If this parameter is defined then only the topics listed will
# have access.
# If the first character of a line of the ACL file is a # it is treated as a
# comment.
# Topic access is added with lines of the format:
#
# topic [read|write|readwrite] <topic>
#
# The access type is controlled using "read", "write" or "readwrite". This
# parameter is optional (unless <topic> contains a space character) - if not
# given then the access is read/write.  <topic> can contain the + or #
# wildcards as in subscriptions.
#
# The first set of topics are applied to anonymous clients, assuming
# allow_anonymous is true. User specific topic ACLs are added after a
# user line as follows:
#
# user <username>
#
# The username referred to here is the same as in password_file. It is
# not the clientid.
#
#
# If is also possible to define ACLs based on pattern substitution within the
# topic. The patterns available for substition are:
#
# %c to match the client id of the client
# %u to match the username of the client
#
# The substitution pattern must be the only text for that level of hierarchy.
#
# The form is the same as for the topic keyword, but using pattern as the
# keyword.
# Pattern ACLs apply to all users even if the "user" keyword has previously
# been given.
#
# If using bridges with usernames and ACLs, connection messages can be allowed
# with the following pattern:
# pattern write $SYS/broker/connection/%c/state
#
# pattern [read|write|readwrite] <topic>
#
# Example:
#
# pattern write sensor/%u/data
#
# If an auth_plugin is used as well as acl_file, the auth_plugin check will be
# made first.
#acl_file

External authentication and topic access plugin options

# -----------------------------------------------------------------
# External authentication and topic access plugin options
# -----------------------------------------------------------------

# External authentication and access control can be supported with the
# auth_plugin option. This is a path to a loadable plugin. See also the
# auth_opt_* options described below.
#
# The auth_plugin option can be specified multiple times to load multiple
# plugins. The plugins will be processed in the order that they are specified
# here. If the auth_plugin option is specified alongside either of
# password_file or acl_file then the plugin checks will be made first.
#
#auth_plugin

# If the auth_plugin option above is used, define options to pass to the
# plugin here as described by the plugin instructions. All options named
# using the format auth_opt_* will be passed to the plugin, for example:
#
# auth_opt_db_host
# auth_opt_db_port
# auth_opt_db_username
# auth_opt_db_password

Bridges

# =================================================================
# Bridges
# =================================================================

# A bridge is a way of connecting multiple MQTT brokers together.
# Create a new bridge using the "connection" option as described below. Set
# options for the bridges using the remaining parameters. You must specify the
# address and at least one topic to subscribe to.
#
# Each connection must have a unique name.
#
# The address line may have multiple host address and ports specified. See
# below in the round_robin description for more details on bridge behaviour if
# multiple addresses are used. Note that if you use an IPv6 address, then you
# are required to specify a port.
#
# The direction that the topic will be shared can be chosen by
# specifying out, in or both, where the default value is out.
# The QoS level of the bridged communication can be specified with the next
# topic option. The default QoS level is 0, to change the QoS the topic
# direction must also be given.
#
# The local and remote prefix options allow a topic to be remapped when it is
# bridged to/from the remote broker. This provides the ability to place a topic
# tree in an appropriate location.
#
# For more details see the mosquitto.conf man page.
#
# Multiple topics can be specified per connection, but be careful
# not to create any loops.
#
# If you are using bridges with cleansession set to false (the default), then
# you may get unexpected behaviour from incoming topics if you change what
# topics you are subscribing to. This is because the remote broker keeps the
# subscription for the old topic. If you have this problem, connect your bridge
# with cleansession set to true, then reconnect with cleansession set to false
# as normal.
#connection <name>
#address <host>[:<port>] [<host>[:<port>]]
#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]


# If a bridge has topics that have "out" direction, the default behaviour is to
# send an unsubscribe request to the remote broker on that topic. This means
# that changing a topic direction from "in" to "out" will not keep receiving
# incoming messages. Sending these unsubscribe requests is not always
# desirable, setting bridge_attempt_unsubscribe to false will disable sending
# the unsubscribe request.
#bridge_attempt_unsubscribe true

# Set the version of the MQTT protocol to use with for this bridge. Can be one
# of mqttv311 or mqttv11. Defaults to mqttv311.
#bridge_protocol_version mqttv311

# Set the clean session variable for this bridge.
# When set to true, when the bridge disconnects for any reason, all
# messages and subscriptions will be cleaned up on the remote
# broker. Note that with cleansession set to true, there may be a
# significant amount of retained messages sent when the bridge
# reconnects after losing its connection.
# When set to false, the subscriptions and messages are kept on the
# remote broker, and delivered when the bridge reconnects.
#cleansession false

# Set the amount of time a bridge using the lazy start type must be idle before
# it will be stopped. Defaults to 60 seconds.
#idle_timeout 60

# Set the keepalive interval for this bridge connection, in
# seconds.
#keepalive_interval 60

# Set the clientid to use on the local broker. If not defined, this defaults to
# 'local.<clientid>'. If you are bridging a broker to itself, it is important
# that local_clientid and clientid do not match.
#local_clientid

# If set to true, publish notification messages to the local and remote brokers
# giving information about the state of the bridge connection. Retained
# messages are published to the topic $SYS/broker/connection/<clientid>/state
# unless the notification_topic option is used.
# If the message is 1 then the connection is active, or 0 if the connection has
# failed.
# This uses the last will and testament feature.
#notifications true

# Choose the topic on which notification messages for this bridge are
# published. If not set, messages are published on the topic
# $SYS/broker/connection/<clientid>/state
#notification_topic

# Set the client id to use on the remote end of this bridge connection. If not
# defined, this defaults to 'name.hostname' where name is the connection name
# and hostname is the hostname of this computer.
# This replaces the old "clientid" option to avoid confusion. "clientid"
# remains valid for the time being.
#remote_clientid

# Set the password to use when connecting to a broker that requires
# authentication. This option is only used if remote_username is also set.
# This replaces the old "password" option to avoid confusion. "password"
# remains valid for the time being.
#remote_password

# Set the username to use when connecting to a broker that requires
# authentication.
# This replaces the old "username" option to avoid confusion. "username"
# remains valid for the time being.
#remote_username

# Set the amount of time a bridge using the automatic start type will wait
# until attempting to reconnect.
# This option can be configured to use a constant delay time in seconds, or to
# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree
# of randomness to when the restart occurs.
#
# Set a constant timeout of 20 seconds:
# restart_timeout 20
#
# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of
# 60 seconds:
# restart_timeout 10 30
#
# Defaults to jitter with a base of 5 and cap of 30
#restart_timeout 5 30

# If the bridge has more than one address given in the address/addresses
# configuration, the round_robin option defines the behaviour of the bridge on
# a failure of the bridge connection. If round_robin is false, the default
# value, then the first address is treated as the main bridge connection. If
# the connection fails, the other secondary addresses will be attempted in
# turn. Whilst connected to a secondary bridge, the bridge will periodically
# attempt to reconnect to the main bridge until successful.
# If round_robin is true, then all addresses are treated as equals. If a
# connection fails, the next address will be tried and if successful will
# remain connected until it fails
#round_robin false

# Set the start type of the bridge. This controls how the bridge starts and
# can be one of three types: automatic, lazy and once. Note that RSMB provides
# a fourth start type "manual" which isn't currently supported by mosquitto.
#
# "automatic" is the default start type and means that the bridge connection
# will be started automatically when the broker starts and also restarted
# after a short delay (30 seconds) if the connection fails.
#
# Bridges using the "lazy" start type will be started automatically when the
# number of queued messages exceeds the number set with the "threshold"
# parameter. It will be stopped automatically after the time set by the
# "idle_timeout" parameter. Use this start type if you wish the connection to
# only be active when it is needed.
#
# A bridge using the "once" start type will be started automatically when the
# broker starts but will not be restarted if the connection fails.
#start_type automatic

# Set the number of messages that need to be queued for a bridge with lazy
# start type to be restarted. Defaults to 10 messages.
# Must be less than max_queued_messages.
#threshold 10

# If try_private is set to true, the bridge will attempt to indicate to the
# remote broker that it is a bridge not an ordinary client. If successful, this
# means that loop detection will be more effective and that retained messages
# will be propagated correctly. Not all brokers support this feature so it may
# be necessary to set try_private to false if your bridge does not connect
# properly.
#try_private true

Certificate based SSL/TLS support

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# Either bridge_cafile or bridge_capath must be defined to enable TLS support
# for this bridge.
# bridge_cafile defines the path to a file containing the
# Certificate Authority certificates that have signed the remote broker
# certificate.
# bridge_capath defines a directory that will be searched for files containing
# the CA certificates. For bridge_capath to work correctly, the certificate
# files must have ".crt" as the file ending and you must run "openssl rehash
# <path to capath>" each time you add/remove a certificate.
#bridge_cafile
#bridge_capath


# If the remote broker has more than one protocol available on its port, e.g.
# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
# requested. Note that WebSockets support for bridges is not yet available.
#bridge_alpn

# When using certificate based encryption, bridge_insecure disables
# verification of the server hostname in the server certificate. This can be
# useful when testing initial server configurations, but makes it possible for
# a malicious third party to impersonate your server through DNS spoofing, for
# example. Use this option in testing only. If you need to resort to using this
# option in a production environment, your setup is at fault and there is no
# point using encryption.
#bridge_insecure false

# Path to the PEM encoded client certificate, if required by the remote broker.
#bridge_certfile

# Path to the PEM encoded client private key, if required by the remote broker.
#bridge_keyfile

PSK based SSL/TLS support

# -----------------------------------------------------------------
# PSK based SSL/TLS support
# -----------------------------------------------------------------
# Pre-shared-key encryption provides an alternative to certificate based
# encryption. A bridge can be configured to use PSK with the bridge_identity
# and bridge_psk options. These are the client PSK identity, and pre-shared-key
# in hexadecimal format with no "0x". Only one of certificate and PSK based
# encryption can be used on one
# bridge at once.
#bridge_identity
#bridge_psk

External config files

# =================================================================
# External config files
# =================================================================

# External configuration files may be included by using the
# include_dir option. This defines a directory that will be searched
# for config files. All files that end in '.conf' will be loaded as
# a configuration file. It is best to have this as the last option
# in the main file. This option will only be processed from the main
# configuration file. The directory specified must not contain the
# main configuration file.
# Files within include_dir will be loaded sorted in case-sensitive
# alphabetical order, with capital letters ordered first. If this option is
# given multiple times, all of the files from the first instance will be
# processed before the next instance. See the man page for examples.
#include_dir