1# Config file for mosquitto 2# 3# See mosquitto.conf(5) for more information. 4# 5# Default values are shown, uncomment to change. 6# 7# Use the # character to indicate a comment, but only if it is the 8# very first character on the line. 9 10# ================================================================= 11# General configuration 12# ================================================================= 13 14# Use per listener security settings. 15# 16# It is recommended this option be set before any other options. 17# 18# If this option is set to true, then all authentication and access control 19# options are controlled on a per listener basis. The following options are 20# affected: 21# 22# acl_file 23# allow_anonymous 24# allow_zero_length_clientid 25# auto_id_prefix 26# password_file 27# plugin 28# plugin_opt_* 29# psk_file 30# 31# Note that if set to true, then a durable client (i.e. with clean session set 32# to false) that has disconnected will use the ACL settings defined for the 33# listener that it was most recently connected to. 34# 35# The default behaviour is for this to be set to false, which maintains the 36# setting behaviour from previous versions of mosquitto. 37#per_listener_settings false 38 39 40# This option controls whether a client is allowed to connect with a zero 41# length client id or not. This option only affects clients using MQTT v3.1.1 42# and later. If set to false, clients connecting with a zero length client id 43# are disconnected. If set to true, clients will be allocated a client id by 44# the broker. This means it is only useful for clients with clean session set 45# to true. 46#allow_zero_length_clientid true 47 48# If allow_zero_length_clientid is true, this option allows you to set a prefix 49# to automatically generated client ids to aid visibility in logs. 50# Defaults to 'auto-' 51#auto_id_prefix auto- 52 53# This option affects the scenario when a client subscribes to a topic that has 54# retained messages. It is possible that the client that published the retained 55# message to the topic had access at the time they published, but that access 56# has been subsequently removed. If check_retain_source is set to true, the 57# default, the source of a retained message will be checked for access rights 58# before it is republished. When set to false, no check will be made and the 59# retained message will always be published. This affects all listeners. 60#check_retain_source true 61 62# QoS 1 and 2 messages will be allowed inflight per client until this limit 63# is exceeded. Defaults to 0. (No maximum) 64# See also max_inflight_messages 65#max_inflight_bytes 0 66 67# The maximum number of QoS 1 and 2 messages currently inflight per 68# client. 69# This includes messages that are partway through handshakes and 70# those that are being retried. Defaults to 20. Set to 0 for no 71# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 72# and 2 messages. 73#max_inflight_messages 20 74 75# For MQTT v5 clients, it is possible to have the server send a "server 76# keepalive" value that will override the keepalive value set by the client. 77# This is intended to be used as a mechanism to say that the server will 78# disconnect the client earlier than it anticipated, and that the client should 79# use the new keepalive value. The max_keepalive option allows you to specify 80# that clients may only connect with keepalive less than or equal to this 81# value, otherwise they will be sent a server keepalive telling them to use 82# max_keepalive. This only applies to MQTT v5 clients. The default, and maximum 83# value allowable, is 65535. 84# 85# Set to 0 to allow clients to set keepalive = 0, which means no keepalive 86# checks are made and the client will never be disconnected by the broker if no 87# messages are received. You should be very sure this is the behaviour that you 88# want. 89# 90# For MQTT v3.1.1 and v3.1 clients, there is no mechanism to tell the client 91# what keepalive value they should use. If an MQTT v3.1.1 or v3.1 client 92# specifies a keepalive time greater than max_keepalive they will be sent a 93# CONNACK message with the "identifier rejected" reason code, and disconnected. 94# 95#max_keepalive 65535 96 97# For MQTT v5 clients, it is possible to have the server send a "maximum packet 98# size" value that will instruct the client it will not accept MQTT packets 99# with size greater than max_packet_size bytes. This applies to the full MQTT 100# packet, not just the payload. Setting this option to a positive value will 101# set the maximum packet size to that number of bytes. If a client sends a 102# packet which is larger than this value, it will be disconnected. This applies 103# to all clients regardless of the protocol version they are using, but v3.1.1 104# and earlier clients will of course not have received the maximum packet size 105# information. Defaults to no limit. Setting below 20 bytes is forbidden 106# because it is likely to interfere with ordinary client operation, even with 107# very small payloads. 108#max_packet_size 0 109 110# QoS 1 and 2 messages above those currently in-flight will be queued per 111# client until this limit is exceeded. Defaults to 0. (No maximum) 112# See also max_queued_messages. 113# If both max_queued_messages and max_queued_bytes are specified, packets will 114# be queued until the first limit is reached. 115#max_queued_bytes 0 116 117# Set the maximum QoS supported. Clients publishing at a QoS higher than 118# specified here will be disconnected. 119#max_qos 2 120 121# The maximum number of QoS 1 and 2 messages to hold in a queue per client 122# above those that are currently in-flight. Defaults to 1000. Set 123# to 0 for no maximum (not recommended). 124# See also queue_qos0_messages. 125# See also max_queued_bytes. 126#max_queued_messages 1000 127# 128# This option sets the maximum number of heap memory bytes that the broker will 129# allocate, and hence sets a hard limit on memory use by the broker. Memory 130# requests that exceed this value will be denied. The effect will vary 131# depending on what has been denied. If an incoming message is being processed, 132# then the message will be dropped and the publishing client will be 133# disconnected. If an outgoing message is being sent, then the individual 134# message will be dropped and the receiving client will be disconnected. 135# Defaults to no limit. 136#memory_limit 0 137 138# This option sets the maximum publish payload size that the broker will allow. 139# Received messages that exceed this size will not be accepted by the broker. 140# The default value is 0, which means that all valid MQTT messages are 141# accepted. MQTT imposes a maximum payload size of 268435455 bytes. 142#message_size_limit 0 143 144# This option allows persistent clients (those with clean session set to false) 145# to be removed if they do not reconnect within a certain time frame. 146# 147# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1. 148# 149# Badly designed clients may set clean session to false whilst using a randomly 150# generated client id. This leads to persistent clients that will never 151# reconnect. This option allows these clients to be removed. 152# 153# The expiration period should be an integer followed by one of h d w m y for 154# hour, day, week, month and year respectively. For example 155# 156# persistent_client_expiration 2m 157# persistent_client_expiration 14d 158# persistent_client_expiration 1y 159# 160# The default if not set is to never expire persistent clients. 161#persistent_client_expiration 162 163# Write process id to a file. Default is a blank string which means 164# a pid file shouldn't be written. 165# This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is 166# being run automatically on boot with an init script and 167# start-stop-daemon or similar. 168#pid_file 169 170# Set to true to queue messages with QoS 0 when a persistent client is 171# disconnected. These messages are included in the limit imposed by 172# max_queued_messages and max_queued_bytes 173# Defaults to false. 174# This is a non-standard option for the MQTT v3.1 spec but is allowed in 175# v3.1.1. 176#queue_qos0_messages false 177 178# Set to false to disable retained message support. If a client publishes a 179# message with the retain bit set, it will be disconnected if this is set to 180# false. 181#retain_available true 182 183# Disable Nagle's algorithm on client sockets. This has the effect of reducing 184# latency of individual messages at the potential cost of increasing the number 185# of packets being sent. 186#set_tcp_nodelay false 187 188# Time in seconds between updates of the $SYS tree. 189# Set to 0 to disable the publishing of the $SYS tree. 190#sys_interval 10 191 192# The MQTT specification requires that the QoS of a message delivered to a 193# subscriber is never upgraded to match the QoS of the subscription. Enabling 194# this option changes this behaviour. If upgrade_outgoing_qos is set true, 195# messages sent to a subscriber will always match the QoS of its subscription. 196# This is a non-standard option explicitly disallowed by the spec. 197#upgrade_outgoing_qos false 198 199# When run as root, drop privileges to this user and its primary 200# group. 201# Set to root to stay as root, but this is not recommended. 202# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist 203# then it will drop privileges to the "nobody" user instead. 204# If run as a non-root user, this setting has no effect. 205# Note that on Windows this has no effect and so mosquitto should be started by 206# the user you wish it to run as. 207#user mosquitto 208user root 209 210# ================================================================= 211# Listeners 212# ================================================================= 213 214# Listen on a port/ip address combination. By using this variable 215# multiple times, mosquitto can listen on more than one port. If 216# this variable is used and neither bind_address nor port given, 217# then the default listener will not be started. 218# The port number to listen on must be given. Optionally, an ip 219# address or host name may be supplied as a second argument. In 220# this case, mosquitto will attempt to bind the listener to that 221# address and so restrict access to the associated network and 222# interface. By default, mosquitto will listen on all interfaces. 223# Note that for a websockets listener it is not possible to bind to a host 224# name. 225# 226# On systems that support Unix Domain Sockets, it is also possible 227# to create a # Unix socket rather than opening a TCP socket. In 228# this case, the port number should be set to 0 and a unix socket 229# path must be provided, e.g. 230# listener 0 /tmp/mosquitto.sock 231# 232# listener port-number [ip address/host name/unix socket path] 233#listener 234listener 1883 235 236# By default, a listener will attempt to listen on all supported IP protocol 237# versions. If you do not have an IPv4 or IPv6 interface you may wish to 238# disable support for either of those protocol versions. In particular, note 239# that due to the limitations of the websockets library, it will only ever 240# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail 241# if IPv6 is not available. 242# 243# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to 244# force the listener to only use IPv6. If you want support for both IPv4 and 245# IPv6, then do not use the socket_domain option. 246# 247#socket_domain 248 249# Bind the listener to a specific interface. This is similar to 250# the [ip address/host name] part of the listener definition, but is useful 251# when an interface has multiple addresses or the address may change. If used 252# with the [ip address/host name] part of the listener definition, then the 253# bind_interface option will take priority. 254# Not available on Windows. 255# 256# Example: bind_interface eth0 257#bind_interface 258 259# When a listener is using the websockets protocol, it is possible to serve 260# http data as well. Set http_dir to a directory which contains the files you 261# wish to serve. If this option is not specified, then no normal http 262# connections will be possible. 263#http_dir 264 265# The maximum number of client connections to allow. This is 266# a per listener setting. 267# Default is -1, which means unlimited connections. 268# Note that other process limits mean that unlimited connections 269# are not really possible. Typically the default maximum number of 270# connections possible is around 1024. 271#max_connections -1 272 273# The listener can be restricted to operating within a topic hierarchy using 274# the mount_point option. This is achieved be prefixing the mount_point string 275# to all topics for any clients connected to this listener. This prefixing only 276# happens internally to the broker; the client will not see the prefix. 277#mount_point 278 279# Choose the protocol to use when listening. 280# This can be either mqtt or websockets. 281# Certificate based TLS may be used with websockets, except that only the 282# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported. 283#protocol mqtt 284 285# Set use_username_as_clientid to true to replace the clientid that a client 286# connected with with its username. This allows authentication to be tied to 287# the clientid, which means that it is possible to prevent one client 288# disconnecting another by using the same clientid. 289# If a client connects with no username it will be disconnected as not 290# authorised when this option is set to true. 291# Do not use in conjunction with clientid_prefixes. 292# See also use_identity_as_username. 293#use_username_as_clientid 294 295# Change the websockets headers size. This is a global option, it is not 296# possible to set per listener. This option sets the size of the buffer used in 297# the libwebsockets library when reading HTTP headers. If you are passing large 298# header data such as cookies then you may need to increase this value. If left 299# unset, or set to 0, then the default of 1024 bytes will be used. 300#websockets_headers_size 301 302# ----------------------------------------------------------------- 303# Certificate based SSL/TLS support 304# ----------------------------------------------------------------- 305# The following options can be used to enable certificate based SSL/TLS support 306# for this listener. Note that the recommended port for MQTT over TLS is 8883, 307# but this must be set manually. 308# 309# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS 310# support" section. Only one of certificate or PSK encryption support can be 311# enabled for any listener. 312 313# Both of certfile and keyfile must be defined to enable certificate based 314# TLS encryption. 315 316# Path to the PEM encoded server certificate. 317#certfile 318 319# Path to the PEM encoded keyfile. 320#keyfile 321 322# If you wish to control which encryption ciphers are used, use the ciphers 323# option. The list of available ciphers can be optained using the "openssl 324# ciphers" command and should be provided in the same format as the output of 325# that command. This applies to TLS 1.2 and earlier versions only. Use 326# ciphers_tls1.3 for TLS v1.3. 327#ciphers 328 329# Choose which TLS v1.3 ciphersuites are used for this listener. 330# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" 331#ciphers_tls1.3 332 333# If you have require_certificate set to true, you can create a certificate 334# revocation list file to revoke access to particular client certificates. If 335# you have done this, use crlfile to point to the PEM encoded revocation file. 336#crlfile 337 338# To allow the use of ephemeral DH key exchange, which provides forward 339# security, the listener must load DH parameters. This can be specified with 340# the dhparamfile option. The dhparamfile can be generated with the command 341# e.g. "openssl dhparam -out dhparam.pem 2048" 342#dhparamfile 343 344# By default an TLS enabled listener will operate in a similar fashion to a 345# https enabled web server, in that the server has a certificate signed by a CA 346# and the client will verify that it is a trusted certificate. The overall aim 347# is encryption of the network traffic. By setting require_certificate to true, 348# the client must provide a valid certificate in order for the network 349# connection to proceed. This allows access to the broker to be controlled 350# outside of the mechanisms provided by MQTT. 351#require_certificate false 352 353# cafile and capath define methods of accessing the PEM encoded 354# Certificate Authority certificates that will be considered trusted when 355# checking incoming client certificates. 356# cafile defines the path to a file containing the CA certificates. 357# capath defines a directory that will be searched for files 358# containing the CA certificates. For capath to work correctly, the 359# certificate files must have ".crt" as the file ending and you must run 360# "openssl rehash <path to capath>" each time you add/remove a certificate. 361#cafile 362#capath 363 364 365# If require_certificate is true, you may set use_identity_as_username to true 366# to use the CN value from the client certificate as a username. If this is 367# true, the password_file option will not be used for this listener. 368#use_identity_as_username false 369 370# ----------------------------------------------------------------- 371# Pre-shared-key based SSL/TLS support 372# ----------------------------------------------------------------- 373# The following options can be used to enable PSK based SSL/TLS support for 374# this listener. Note that the recommended port for MQTT over TLS is 8883, but 375# this must be set manually. 376# 377# See also the mosquitto-tls man page and the "Certificate based SSL/TLS 378# support" section. Only one of certificate or PSK encryption support can be 379# enabled for any listener. 380 381# The psk_hint option enables pre-shared-key support for this listener and also 382# acts as an identifier for this listener. The hint is sent to clients and may 383# be used locally to aid authentication. The hint is a free form string that 384# doesn't have much meaning in itself, so feel free to be creative. 385# If this option is provided, see psk_file to define the pre-shared keys to be 386# used or create a security plugin to handle them. 387#psk_hint 388 389# When using PSK, the encryption ciphers used will be chosen from the list of 390# available PSK ciphers. If you want to control which ciphers are available, 391# use the "ciphers" option. The list of available ciphers can be optained 392# using the "openssl ciphers" command and should be provided in the same format 393# as the output of that command. 394#ciphers 395 396# Set use_identity_as_username to have the psk identity sent by the client used 397# as its username. Authentication will be carried out using the PSK rather than 398# the MQTT username/password and so password_file will not be used for this 399# listener. 400#use_identity_as_username false 401 402 403# ================================================================= 404# Persistence 405# ================================================================= 406 407# If persistence is enabled, save the in-memory database to disk 408# every autosave_interval seconds. If set to 0, the persistence 409# database will only be written when mosquitto exits. See also 410# autosave_on_changes. 411# Note that writing of the persistence database can be forced by 412# sending mosquitto a SIGUSR1 signal. 413#autosave_interval 1800 414 415# If true, mosquitto will count the number of subscription changes, retained 416# messages received and queued messages and if the total exceeds 417# autosave_interval then the in-memory database will be saved to disk. 418# If false, mosquitto will save the in-memory database to disk by treating 419# autosave_interval as a time in seconds. 420#autosave_on_changes false 421 422# Save persistent message data to disk (true/false). 423# This saves information about all messages, including 424# subscriptions, currently in-flight messages and retained 425# messages. 426# retained_persistence is a synonym for this option. 427#persistence false 428 429# The filename to use for the persistent database, not including 430# the path. 431#persistence_file mosquitto.db 432 433# Location for persistent database. 434# Default is an empty string (current directory). 435# Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or 436# similar. 437#persistence_location 438 439 440# ================================================================= 441# Logging 442# ================================================================= 443 444# Places to log to. Use multiple log_dest lines for multiple 445# logging destinations. 446# Possible destinations are: stdout stderr syslog topic file dlt 447# 448# stdout and stderr log to the console on the named output. 449# 450# syslog uses the userspace syslog facility which usually ends up 451# in /var/log/messages or similar. 452# 453# topic logs to the broker topic '$SYS/broker/log/<severity>', 454# where severity is one of D, E, W, N, I, M which are debug, error, 455# warning, notice, information and message. Message type severity is used by 456# the subscribe/unsubscribe log_types and publishes log messages to 457# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. 458# 459# The file destination requires an additional parameter which is the file to be 460# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be 461# closed and reopened when the broker receives a HUP signal. Only a single file 462# destination may be configured. 463# 464# The dlt destination is for the automotive `Diagnostic Log and Trace` tool. 465# This requires that Mosquitto has been compiled with DLT support. 466# 467# Note that if the broker is running as a Windows service it will default to 468# "log_dest none" and neither stdout nor stderr logging is available. 469# Use "log_dest none" if you wish to disable logging. 470#log_dest stderr 471 472# Types of messages to log. Use multiple log_type lines for logging 473# multiple types of messages. 474# Possible types are: debug, error, warning, notice, information, 475# none, subscribe, unsubscribe, websockets, all. 476# Note that debug type messages are for decoding the incoming/outgoing 477# network packets. They are not logged in "topics". 478#log_type error 479#log_type warning 480#log_type notice 481#log_type information 482 483 484# If set to true, client connection and disconnection messages will be included 485# in the log. 486#connection_messages true 487 488# If using syslog logging (not on Windows), messages will be logged to the 489# "daemon" facility by default. Use the log_facility option to choose which of 490# local0 to local7 to log to instead. The option value should be an integer 491# value, e.g. "log_facility 5" to use local5. 492#log_facility 493 494# If set to true, add a timestamp value to each log message. 495#log_timestamp true 496 497# Set the format of the log timestamp. If left unset, this is the number of 498# seconds since the Unix epoch. 499# This is a free text string which will be passed to the strftime function. To 500# get an ISO 8601 datetime, for example: 501# log_timestamp_format %Y-%m-%dT%H:%M:%S 502#log_timestamp_format 503 504# Change the websockets logging level. This is a global option, it is not 505# possible to set per listener. This is an integer that is interpreted by 506# libwebsockets as a bit mask for its lws_log_levels enum. See the 507# libwebsockets documentation for more details. "log_type websockets" must also 508# be enabled. 509#websockets_log_level 0 510 511 512# ================================================================= 513# Security 514# ================================================================= 515 516# If set, only clients that have a matching prefix on their 517# clientid will be allowed to connect to the broker. By default, 518# all clients may connect. 519# For example, setting "secure-" here would mean a client "secure- 520# client" could connect but another with clientid "mqtt" couldn't. 521#clientid_prefixes 522 523# Boolean value that determines whether clients that connect 524# without providing a username are allowed to connect. If set to 525# false then a password file should be created (see the 526# password_file option) to control authenticated client access. 527# 528# Defaults to false, unless there are no listeners defined in the configuration 529# file, in which case it is set to true, but connections are only allowed from 530# the local machine. 531#allow_anonymous false 532allow_anonymous true 533 534# ----------------------------------------------------------------- 535# Default authentication and topic access control 536# ----------------------------------------------------------------- 537 538# Control access to the broker using a password file. This file can be 539# generated using the mosquitto_passwd utility. If TLS support is not compiled 540# into mosquitto (it is recommended that TLS support should be included) then 541# plain text passwords are used, in which case the file should be a text file 542# with lines in the format: 543# username:password 544# The password (and colon) may be omitted if desired, although this 545# offers very little in the way of security. 546# 547# See the TLS client require_certificate and use_identity_as_username options 548# for alternative authentication options. If a plugin is used as well as 549# password_file, the plugin check will be made first. 550#password_file 551 552# Access may also be controlled using a pre-shared-key file. This requires 553# TLS-PSK support and a listener configured to use it. The file should be text 554# lines in the format: 555# identity:key 556# The key should be in hexadecimal format without a leading "0x". 557# If an plugin is used as well, the plugin check will be made first. 558#psk_file 559 560# Control access to topics on the broker using an access control list 561# file. If this parameter is defined then only the topics listed will 562# have access. 563# If the first character of a line of the ACL file is a # it is treated as a 564# comment. 565# Topic access is added with lines of the format: 566# 567# topic [read|write|readwrite|deny] <topic> 568# 569# The access type is controlled using "read", "write", "readwrite" or "deny". 570# This parameter is optional (unless <topic> contains a space character) - if 571# not given then the access is read/write. <topic> can contain the + or # 572# wildcards as in subscriptions. 573# 574# The "deny" option can used to explicity deny access to a topic that would 575# otherwise be granted by a broader read/write/readwrite statement. Any "deny" 576# topics are handled before topics that grant read/write access. 577# 578# The first set of topics are applied to anonymous clients, assuming 579# allow_anonymous is true. User specific topic ACLs are added after a 580# user line as follows: 581# 582# user <username> 583# 584# The username referred to here is the same as in password_file. It is 585# not the clientid. 586# 587# 588# If is also possible to define ACLs based on pattern substitution within the 589# topic. The patterns available for substition are: 590# 591# %c to match the client id of the client 592# %u to match the username of the client 593# 594# The substitution pattern must be the only text for that level of hierarchy. 595# 596# The form is the same as for the topic keyword, but using pattern as the 597# keyword. 598# Pattern ACLs apply to all users even if the "user" keyword has previously 599# been given. 600# 601# If using bridges with usernames and ACLs, connection messages can be allowed 602# with the following pattern: 603# pattern write $SYS/broker/connection/%c/state 604# 605# pattern [read|write|readwrite] <topic> 606# 607# Example: 608# 609# pattern write sensor/%u/data 610# 611# If an plugin is used as well as acl_file, the plugin check will be 612# made first. 613#acl_file 614 615# ----------------------------------------------------------------- 616# External authentication and topic access plugin options 617# ----------------------------------------------------------------- 618 619# External authentication and access control can be supported with the 620# plugin option. This is a path to a loadable plugin. See also the 621# plugin_opt_* options described below. 622# 623# The plugin option can be specified multiple times to load multiple 624# plugins. The plugins will be processed in the order that they are specified 625# here. If the plugin option is specified alongside either of 626# password_file or acl_file then the plugin checks will be made first. 627# 628# If the per_listener_settings option is false, the plugin will be apply to all 629# listeners. If per_listener_settings is true, then the plugin will apply to 630# the current listener being defined only. 631# 632# This option is also available as `auth_plugin`, but this use is deprecated 633# and will be removed in the future. 634# 635#plugin 636 637# If the plugin option above is used, define options to pass to the 638# plugin here as described by the plugin instructions. All options named 639# using the format plugin_opt_* will be passed to the plugin, for example: 640# 641# This option is also available as `auth_opt_*`, but this use is deprecated 642# and will be removed in the future. 643# 644# plugin_opt_db_host 645# plugin_opt_db_port 646# plugin_opt_db_username 647# plugin_opt_db_password 648 649 650# ================================================================= 651# Bridges 652# ================================================================= 653 654# A bridge is a way of connecting multiple MQTT brokers together. 655# Create a new bridge using the "connection" option as described below. Set 656# options for the bridges using the remaining parameters. You must specify the 657# address and at least one topic to subscribe to. 658# 659# Each connection must have a unique name. 660# 661# The address line may have multiple host address and ports specified. See 662# below in the round_robin description for more details on bridge behaviour if 663# multiple addresses are used. Note that if you use an IPv6 address, then you 664# are required to specify a port. 665# 666# The direction that the topic will be shared can be chosen by 667# specifying out, in or both, where the default value is out. 668# The QoS level of the bridged communication can be specified with the next 669# topic option. The default QoS level is 0, to change the QoS the topic 670# direction must also be given. 671# 672# The local and remote prefix options allow a topic to be remapped when it is 673# bridged to/from the remote broker. This provides the ability to place a topic 674# tree in an appropriate location. 675# 676# For more details see the mosquitto.conf man page. 677# 678# Multiple topics can be specified per connection, but be careful 679# not to create any loops. 680# 681# If you are using bridges with cleansession set to false (the default), then 682# you may get unexpected behaviour from incoming topics if you change what 683# topics you are subscribing to. This is because the remote broker keeps the 684# subscription for the old topic. If you have this problem, connect your bridge 685# with cleansession set to true, then reconnect with cleansession set to false 686# as normal. 687#connection <name> 688#address <host>[:<port>] [<host>[:<port>]] 689#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix] 690 691# If you need to have the bridge connect over a particular network interface, 692# use bridge_bind_address to tell the bridge which local IP address the socket 693# should bind to, e.g. `bridge_bind_address 192.168.1.10` 694#bridge_bind_address 695 696# If a bridge has topics that have "out" direction, the default behaviour is to 697# send an unsubscribe request to the remote broker on that topic. This means 698# that changing a topic direction from "in" to "out" will not keep receiving 699# incoming messages. Sending these unsubscribe requests is not always 700# desirable, setting bridge_attempt_unsubscribe to false will disable sending 701# the unsubscribe request. 702#bridge_attempt_unsubscribe true 703 704# Set the version of the MQTT protocol to use with for this bridge. Can be one 705# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311. 706#bridge_protocol_version mqttv311 707 708# Set the clean session variable for this bridge. 709# When set to true, when the bridge disconnects for any reason, all 710# messages and subscriptions will be cleaned up on the remote 711# broker. Note that with cleansession set to true, there may be a 712# significant amount of retained messages sent when the bridge 713# reconnects after losing its connection. 714# When set to false, the subscriptions and messages are kept on the 715# remote broker, and delivered when the bridge reconnects. 716#cleansession false 717 718# Set the amount of time a bridge using the lazy start type must be idle before 719# it will be stopped. Defaults to 60 seconds. 720#idle_timeout 60 721 722# Set the keepalive interval for this bridge connection, in 723# seconds. 724#keepalive_interval 60 725 726# Set the clientid to use on the local broker. If not defined, this defaults to 727# 'local.<clientid>'. If you are bridging a broker to itself, it is important 728# that local_clientid and clientid do not match. 729#local_clientid 730 731# If set to true, publish notification messages to the local and remote brokers 732# giving information about the state of the bridge connection. Retained 733# messages are published to the topic $SYS/broker/connection/<clientid>/state 734# unless the notification_topic option is used. 735# If the message is 1 then the connection is active, or 0 if the connection has 736# failed. 737# This uses the last will and testament feature. 738#notifications true 739 740# Choose the topic on which notification messages for this bridge are 741# published. If not set, messages are published on the topic 742# $SYS/broker/connection/<clientid>/state 743#notification_topic 744 745# Set the client id to use on the remote end of this bridge connection. If not 746# defined, this defaults to 'name.hostname' where name is the connection name 747# and hostname is the hostname of this computer. 748# This replaces the old "clientid" option to avoid confusion. "clientid" 749# remains valid for the time being. 750#remote_clientid 751 752# Set the password to use when connecting to a broker that requires 753# authentication. This option is only used if remote_username is also set. 754# This replaces the old "password" option to avoid confusion. "password" 755# remains valid for the time being. 756#remote_password 757 758# Set the username to use when connecting to a broker that requires 759# authentication. 760# This replaces the old "username" option to avoid confusion. "username" 761# remains valid for the time being. 762#remote_username 763 764# Set the amount of time a bridge using the automatic start type will wait 765# until attempting to reconnect. 766# This option can be configured to use a constant delay time in seconds, or to 767# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree 768# of randomness to when the restart occurs. 769# 770# Set a constant timeout of 20 seconds: 771# restart_timeout 20 772# 773# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of 774# 60 seconds: 775# restart_timeout 10 30 776# 777# Defaults to jitter with a base of 5 and cap of 30 778#restart_timeout 5 30 779 780# If the bridge has more than one address given in the address/addresses 781# configuration, the round_robin option defines the behaviour of the bridge on 782# a failure of the bridge connection. If round_robin is false, the default 783# value, then the first address is treated as the main bridge connection. If 784# the connection fails, the other secondary addresses will be attempted in 785# turn. Whilst connected to a secondary bridge, the bridge will periodically 786# attempt to reconnect to the main bridge until successful. 787# If round_robin is true, then all addresses are treated as equals. If a 788# connection fails, the next address will be tried and if successful will 789# remain connected until it fails 790#round_robin false 791 792# Set the start type of the bridge. This controls how the bridge starts and 793# can be one of three types: automatic, lazy and once. Note that RSMB provides 794# a fourth start type "manual" which isn't currently supported by mosquitto. 795# 796# "automatic" is the default start type and means that the bridge connection 797# will be started automatically when the broker starts and also restarted 798# after a short delay (30 seconds) if the connection fails. 799# 800# Bridges using the "lazy" start type will be started automatically when the 801# number of queued messages exceeds the number set with the "threshold" 802# parameter. It will be stopped automatically after the time set by the 803# "idle_timeout" parameter. Use this start type if you wish the connection to 804# only be active when it is needed. 805# 806# A bridge using the "once" start type will be started automatically when the 807# broker starts but will not be restarted if the connection fails. 808#start_type automatic 809 810# Set the number of messages that need to be queued for a bridge with lazy 811# start type to be restarted. Defaults to 10 messages. 812# Must be less than max_queued_messages. 813#threshold 10 814 815# If try_private is set to true, the bridge will attempt to indicate to the 816# remote broker that it is a bridge not an ordinary client. If successful, this 817# means that loop detection will be more effective and that retained messages 818# will be propagated correctly. Not all brokers support this feature so it may 819# be necessary to set try_private to false if your bridge does not connect 820# properly. 821#try_private true 822 823# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism 824# for brokers to tell clients that they do not support retained messages, but 825# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a 826# v3.1.1 or v3.1 broker that does not support retained messages, set the 827# bridge_outgoing_retain option to false. This will remove the retain bit on 828# all outgoing messages to that bridge, regardless of any other setting. 829#bridge_outgoing_retain true 830 831# If you wish to restrict the size of messages sent to a remote bridge, use the 832# bridge_max_packet_size option. This sets the maximum number of bytes for 833# the total message, including headers and payload. 834# Note that MQTT v5 brokers may provide their own maximum-packet-size property. 835# In this case, the smaller of the two limits will be used. 836# Set to 0 for "unlimited". 837#bridge_max_packet_size 0 838 839 840# ----------------------------------------------------------------- 841# Certificate based SSL/TLS support 842# ----------------------------------------------------------------- 843# Either bridge_cafile or bridge_capath must be defined to enable TLS support 844# for this bridge. 845# bridge_cafile defines the path to a file containing the 846# Certificate Authority certificates that have signed the remote broker 847# certificate. 848# bridge_capath defines a directory that will be searched for files containing 849# the CA certificates. For bridge_capath to work correctly, the certificate 850# files must have ".crt" as the file ending and you must run "openssl rehash 851# <path to capath>" each time you add/remove a certificate. 852#bridge_cafile 853#bridge_capath 854 855 856# If the remote broker has more than one protocol available on its port, e.g. 857# MQTT and WebSockets, then use bridge_alpn to configure which protocol is 858# requested. Note that WebSockets support for bridges is not yet available. 859#bridge_alpn 860 861# When using certificate based encryption, bridge_insecure disables 862# verification of the server hostname in the server certificate. This can be 863# useful when testing initial server configurations, but makes it possible for 864# a malicious third party to impersonate your server through DNS spoofing, for 865# example. Use this option in testing only. If you need to resort to using this 866# option in a production environment, your setup is at fault and there is no 867# point using encryption. 868#bridge_insecure false 869 870# Path to the PEM encoded client certificate, if required by the remote broker. 871#bridge_certfile 872 873# Path to the PEM encoded client private key, if required by the remote broker. 874#bridge_keyfile 875 876# ----------------------------------------------------------------- 877# PSK based SSL/TLS support 878# ----------------------------------------------------------------- 879# Pre-shared-key encryption provides an alternative to certificate based 880# encryption. A bridge can be configured to use PSK with the bridge_identity 881# and bridge_psk options. These are the client PSK identity, and pre-shared-key 882# in hexadecimal format with no "0x". Only one of certificate and PSK based 883# encryption can be used on one 884# bridge at once. 885#bridge_identity 886#bridge_psk 887 888 889# ================================================================= 890# External config files 891# ================================================================= 892 893# External configuration files may be included by using the 894# include_dir option. This defines a directory that will be searched 895# for config files. All files that end in '.conf' will be loaded as 896# a configuration file. It is best to have this as the last option 897# in the main file. This option will only be processed from the main 898# configuration file. The directory specified must not contain the 899# main configuration file. 900# Files within include_dir will be loaded sorted in case-sensitive 901# alphabetical order, with capital letters ordered first. If this option is 902# given multiple times, all of the files from the first instance will be 903# processed before the next instance. See the man page for examples. 904#include_dir 905