MQTT broker: the mosquitto configuration file explained


Published 10 July 2023 (author: )

=================================================================
General configuration
=================================================================

# Use per listener security settings.
#
# It is recommended that this option be set before any other options.
#
# If this option is set to true, then all authentication and access control
# options are controlled on a per listener basis. The following options are
# affected:
#
# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
# auto_id_prefix allow_zero_length_clientid
#
# Note that if set to true, then a durable client (i.e. with clean session set
# to false) that has disconnected will use the ACL settings defined for the
# listener that it was most recently connected to.
#
# The default behaviour is for this to be set to false, which maintains the
# setting behaviour from previous versions of mosquitto.
#per_listener_settings false

# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
# and foo/+/baz, then MQTT expects that when the broker receives a message on
# a topic that matches both subscriptions, such as foo/bar/baz, the client
# should only receive the message once.
# Mosquitto keeps track of which clients a message has been sent to in order
# to meet this requirement. The allow_duplicate_messages option allows this
# behaviour to be disabled, which may be useful if you have a large number of
# clients subscribed to the same set of topics and are very concerned about
# minimising memory usage.
# It can be safely set to true if you know in advance that your clients will
# never have overlapping subscriptions, otherwise your clients must be able to
# correctly deal with duplicate messages even when they have QoS=2.
#allow_duplicate_messages false

# This option controls whether a client is allowed to connect with a zero
# length client id or not. This option only affects clients using MQTT v3.1.1
# and later. If set to false, clients connecting with a zero length client id
# are disconnected. If set to true, clients will be allocated a client id by
# the broker. This means it is only useful for clients with clean session set
# to true.
#allow_zero_length_clientid true

# If allow_zero_length_clientid is true, this option allows you to set a
# prefix to automatically generated client ids to aid visibility in logs.
# Defaults to 'auto-'
#auto_id_prefix auto-

# This option affects the scenario when a client subscribes to a topic that
# has retained messages. It is possible that the client that published the
# retained message to the topic had access at the time it published, but that
# access has been subsequently removed. If check_retain_source is set to true,
# the default, the source of a retained message will be checked for access
# rights before it is republished. When set to false, no check will be made
# and the retained message will always be published. This affects all
# listeners.
#check_retain_source true

# QoS 1 and 2 messages will be allowed inflight per client until this limit is
# exceeded. Defaults to 0 (no maximum).
# See also max_inflight_messages
#max_inflight_bytes 0

# The maximum number of QoS 1 and 2 messages currently inflight per client.
# This includes messages that are partway through handshakes and those that
# are being retried. Defaults to 20. Set to 0 for no maximum. Setting to 1
# will guarantee in-order delivery of QoS 1 and 2 messages.
#max_inflight_messages 20

# For MQTT v5 clients, it is possible to have the server send a "server
# keepalive" value that will override the keepalive value set by the client.
# This is intended to be used as a mechanism to say that the server will
# disconnect the client earlier than it anticipated, and that the client
# should use the new keepalive value. The max_keepalive option allows you to
# specify that clients may only connect with keepalive less than or equal to
# this value, otherwise they will be sent a server keepalive telling them to
# use max_keepalive. This only applies to MQTT v5 clients. The maximum value
# allowable is 65535. Do not set below 10.
#max_keepalive 65535

# For MQTT v5 clients, it is possible to have the server send a "maximum
# packet size" value that will instruct the client it will not accept MQTT
# packets with size greater than max_packet_size bytes. This applies to the
# full MQTT packet, not just the payload. Setting this option to a positive
# value will set the maximum packet size to that number of bytes. If a client
# sends a packet which is larger than this value, it will be disconnected.
# This applies to all clients regardless of the protocol version they are
# using, but v3.1.1 and earlier clients will of course not have received the
# maximum packet size information. Defaults to no limit. Setting below 20
# bytes is forbidden because it is likely to interfere with ordinary client
# operation, even with very small payloads.
#max_packet_size 0

# QoS 1 and 2 messages above those currently in-flight will be queued per
# client until this limit is exceeded. Defaults to 0 (no maximum).
# See also max_queued_messages.
# If both max_queued_messages and max_queued_bytes are specified, packets will
# be queued until the first limit is reached.
#max_queued_bytes 0

# The maximum number of QoS 1 and 2 messages to hold in a queue per client
# above those that are currently in-flight. Defaults to 100. Set to 0 for no
# maximum (not recommended).
# See also queue_qos0_messages.
# See also max_queued_bytes.
#max_queued_messages 100

# This option sets the maximum number of heap memory bytes that the broker
# will allocate, and therefore sets a hard limit on memory use by the broker.
# Memory requests that exceed this value will be denied. The effect will vary
# depending on what has been denied. If an incoming message is being
# processed, then the message will be dropped and the publishing client will
# be disconnected. If an outgoing message is being sent, then the individual
# message will be dropped and the receiving client will be disconnected.
# Defaults to no limit.
#memory_limit 0

# This option sets the maximum publish payload size that the broker will
# allow. Received messages that exceed this size will not be accepted by the
# broker. The default value is 0, which means that all valid MQTT messages
# are accepted. MQTT imposes a maximum payload size of 268435455 bytes
# (256M).
#message_size_limit 0

# This option allows persistent clients (those with clean session set to
# false) to be removed if they do not reconnect within a certain time frame.
# This is a non-standard option in MQTT v3.1 but allowed in MQTT v3.1.1.
# Badly designed clients may set clean session to false whilst using a
# randomly generated client id. This leads to persistent clients that will
# never reconnect. This option allows these clients to be removed.
# The expiration period should be an integer followed by one of h d w m y for
# hour, day, week, month and year respectively. For example
# persistent_client_expiration 2m
# persistent_client_expiration 14d
# persistent_client_expiration 1y
# The default if not set is to never expire persistent clients.
#persistent_client_expiration

# Write process id to a file. Default is a blank string which means a pid
# file shouldn't be written. This should be set to a file under /var/run/ if
# mosquitto is being run automatically on boot with an init script and
# start-stop-daemon or similar.
# Note (from the author of this page): paths that appear in these notes,
# such as "/var/run/mosquitto" or "/var/log/messages", are relative to the
# root of the system drive, so on Windows "/var/run/mosquitto" means
# "c:\var\run\mosquitto".
#pid_file

# Set to true to queue messages with QoS 0 when a persistent client is
# disconnected. These messages are included in the limit imposed by
# max_queued_messages and max_queued_bytes.
# Defaults to false.
# This is a non-standard option for the MQTT v3.1 spec but is allowed in
# v3.1.1.
#queue_qos0_messages false

# Set to false to disable retained message support. If a client publishes a
# message with the retain bit set, it will be disconnected if this is set to
# false.
#retain_available true

# Disable Nagle's algorithm on client sockets. This has the effect of
# reducing latency of individual messages at the potential cost of increasing
# the number of packets being sent.
#set_tcp_nodelay false

# Time in seconds between updates of the $SYS tree.
# Set to 0 to disable the publishing of the $SYS tree.
#sys_interval 10

# The MQTT specification requires that the QoS of a message delivered to a
# subscriber is never upgraded to match the QoS of the subscription. Enabling
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
# messages sent to a subscriber will always match the QoS of its subscription.
# This is a non-standard option explicitly disallowed by the spec.
#upgrade_outgoing_qos false

# When run as root, drop privileges to this user and its primary group.
# Set to root to stay as root, but this is not recommended.
# If run as a non-root user, this setting has no effect.
# Note that on Windows this has no effect and so mosquitto should be started
# by the user you wish it to run as.
#user mosquitto

=================================================================
Default listener
=================================================================

# IP address/hostname to bind the default listener to. If not given, the
# default listener will not be bound to a specific address and so will be
# accessible to all network interfaces.
# Example: bind_address ip-address/host name
#bind_address

# Port to use for the default listener.
#port 1883

# Bind the listener to a specific interface. This is similar to bind_address
# above but is useful when an interface has multiple addresses or the address
# may change. It is valid to use this with the bind_address option, but take
# care that the interface you are binding to contains the address you are
# binding to, otherwise you will not be able to connect.
# Example: bind_interface eth0
#bind_interface

# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir

# The maximum number of client connections to allow. This is a per listener
# setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections are not
# really possible. Typically the default maximum number of connections
# possible is around 1024.
#max_connections -1

# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Websockets support is currently disabled by default at compile time.
# Certificate based TLS may be used with websockets, except that only the
# cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt

# Set use_username_as_clientid to true to replace the clientid that a client
# connected with with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid

Certificate based SSL/TLS support
# The following options can be used to enable SSL/TLS support for this
# listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
# See also the mosquitto-tls man page.

# At least one of cafile or capath must be defined. They both define methods
# of accessing the PEM encoded Certificate Authority certificates that have
# signed your server certificate and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files containing the
# CA certificates. For capath to work correctly, the certificate files must
# have ".crt" as the file ending and you must run "openssl rehash" on the
# directory each time you add/remove a certificate.
#cafile
#capath

# Path to the PEM encoded server certificate.
#certfile

# Path to the PEM encoded keyfile.
#keyfile

# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile

# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
# Default: DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH

# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with a command
# such as "openssl dhparam -out 2048"
#dhparamfile

# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a
# CA and the client will verify that it is a trusted certificate. The overall
# aim is encryption of the network traffic. By setting require_certificate to
# true, the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false

# This option defines the version of the TLS protocol to use for this
# listener. The default value allows all of v1.3, v1.2 and v1.1. The valid
# values are tlsv1.3 tlsv1.2 and tlsv1.1.
#tls_version

# If require_certificate is true, you may set use_identity_as_username to
# true to use the CN value from the client certificate as a username. If this
# is true, the password_file option will not be used for this listener.
# This takes priority over use_subject_as_username.
# See also use_subject_as_username.
#use_identity_as_username false

# If require_certificate is true, you may set use_subject_as_username to true
# to use the complete subject value from the client certificate as a
# username. If this is true, the password_file option will not be used for
# this listener.
# See also use_identity_as_username.
#use_subject_as_username false

Pre-shared-key based SSL/TLS support
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and
# also acts as an identifier for this listener. The hint is sent to clients
# and may be used locally to aid authentication. The hint is a free form
# string that doesn't have much meaning in itself, so feel free to be
# creative.
# If this option is provided, see psk_file to define the pre-shared keys to
# be used or create a security plugin to handle them.
#psk_hint

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same
# format as the output of that command.
#ciphers

# Set use_identity_as_username to have the psk identity sent by the client
# used as its username. Authentication will be carried out using the PSK
# rather than the MQTT username/password and so password_file will not be
# used for this listener.
#use_identity_as_username false

=================================================================
Extra listeners
=================================================================

# Listen on a port/ip address combination. By using this variable multiple
# times, mosquitto can listen on more than one port. If this variable is used
# and neither bind_address nor port given, then the default listener will not
# be started.
# The port number to listen on must be given. Optionally, an ip address or
# host name may be supplied as a second argument. In this case, mosquitto
# will attempt to bind the listener to that address and so restrict access to
# the associated network and interface. By default, mosquitto will listen on
# all interfaces.
# Note that for a websockets listener it is not possible to bind to a host
# name.
# listener port-number [ip address/host name]
#listener

# Bind the listener to a specific interface. This is similar to the
# [ip address/host name] part of the listener definition, but is useful when
# an interface has multiple addresses or the address may change. It is valid
# to use this with the [ip address/host name] part of the listener
# definition, but take care that the interface you are binding to contains
# the address you are binding to, otherwise you will not be able to connect.
# Only available on Linux and requires elevated privileges.
#
# Example: bind_interface eth0
#bind_interface

# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir

# The maximum number of client connections to allow. This is a per listener
# setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections are not
# really possible. Typically the default maximum number of connections
# possible is around 1024.
#max_connections -1

# The listener can be restricted to operating within a topic hierarchy using
# the mount_point option. This is achieved by prefixing the mount_point
# string to all topics for any clients connected to this listener. This
# prefixing only happens internally to the broker; the client will not see
# the prefix.
#mount_point

# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Certificate based TLS may be used with websockets, except that only the
# cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt

# Set use_username_as_clientid to true to replace the clientid that a client
# connected with with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid

# Change the websockets headers size. This is a global option, it is not
# possible to set per listener. This option sets the size of the buffer used
# in the libwebsockets library when reading HTTP headers. If you are passing
# large header data such as cookies then you may need to increase this value.
# If left unset, or set to 0, then the default of 1024 bytes will be used.
#websockets_headers_size

Certificate based SSL/TLS support
# The following options can be used to enable certificate based SSL/TLS
# support for this listener. Note that the recommended port for MQTT over TLS
# is 8883, but this must be set manually.
#
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# At least one of cafile or capath must be defined to enable certificate
# based TLS encryption. They both define methods of accessing the PEM encoded
# Certificate Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files containing the
# CA certificates. For capath to work correctly, the certificate files must
# have ".crt" as the file ending and you must run "openssl rehash" on the
# directory each time you add/remove a certificate.
#cafile
#capath

# Path to the PEM encoded server certificate.
#certfile

# Path to the PEM encoded keyfile.
#keyfile

# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
#ciphers

# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile

# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with a command
# such as "openssl dhparam -out 2048"
#dhparamfile

# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a
# CA and the client will verify that it is a trusted certificate. The overall
# aim is encryption of the network traffic. By setting require_certificate to
# true, the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false

# If require_certificate is true, you may set use_identity_as_username to
# true to use the CN value from the client certificate as a username. If this
# is true, the password_file option will not be used for this listener.
#use_identity_as_username false

Pre-shared-key based SSL/TLS support
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and
# also acts as an identifier for this listener. The hint is sent to clients
# and may be used locally to aid authentication. The hint is a free form
# string that doesn't have much meaning in itself, so feel free to be
# creative.
# If this option is provided, see psk_file to define the pre-shared keys to
# be used or create a security plugin to handle them.
#psk_hint

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same
# format as the output of that command.
#ciphers

# Set use_identity_as_username to have the psk identity sent by the client
# used as its username. Authentication will be carried out using the PSK
# rather than the MQTT username/password and so password_file will not be
# used for this listener.
#use_identity_as_username false

=================================================================
Persistence
=================================================================

# If persistence is enabled, save the in-memory database to disk every
# autosave_interval seconds. If set to 0, the persistence database will only
# be written when mosquitto exits. See also autosave_on_changes.
# Note that writing of the persistence database can be forced by sending
# mosquitto a SIGUSR1 signal.
#autosave_interval 1800

# If true, mosquitto will count the number of subscription changes, retained
# messages received and queued messages and if the total exceeds
# autosave_interval then the in-memory database will be saved to disk.
# If false, mosquitto will save the in-memory database to disk by treating
# autosave_interval as a time in seconds.
#autosave_on_changes false

# Save persistent message data to disk (true/false).
# This saves information about all messages, including subscriptions,
# currently in-flight messages and retained messages.
# retained_persistence is a synonym for this option.
#persistence false

# The filename to use for the persistent database, not including the path.
#persistence_file

# Location for persistent database. Must include trailing /
# Default is an empty string (current directory). Set to /var/lib/mosquitto/
# if running as a proper service on Linux or similar.
# The same note about Windows paths as under pid_file applies here:
# "/var/run/mosquitto" is relative to the root of the system drive, i.e.
# "c:\var\run\mosquitto".
#persistence_location

=================================================================
Logging
=================================================================

# Places to log to. Use multiple log_dest lines for multiple logging
# destinations.
#
# stdout and stderr log to the console on the named output.
#
# syslog uses the userspace syslog facility which usually ends up in
# /var/log/messages or similar.
#
# topic logs to the broker topic '$SYS/broker/log/' followed by the
# severity, which is one of D, E, W, N, I, M for debug, error, warning,
# notice, information and message. Message type severity is used by the
# subscribe/unsubscribe log_types and publishes log messages to
# $SYS/broker/log/M/subscribe or $SYS/broker/log/M/unsubscribe.
#
# The file destination requires an additional parameter which is the file to
# be logged to, e.g. "log_dest file /var/log/". The file will be closed and
# reopened when the broker receives a HUP signal. Only a single file
# destination may be configured.
#
# Note that if the broker is running as a Windows service it will default to
# "log_dest none" and neither stdout nor stderr logging is available.
# Possible values are: stdout stderr syslog topic file
# File example (two parameters): log_dest file /var/log/
# Use "log_dest none" if you wish to disable logging.
#log_dest stderr

# Types of messages to log. Use multiple log_type lines for logging multiple
# types of messages.
# Possible types are: debug, error, warning, notice, information, none,
# subscribe, unsubscribe, websockets, all.
# Note that debug type messages are for decoding the incoming/outgoing
# network packets. They are not logged in "topics".
#log_type error
#log_type warning
#log_type notice
#log_type information

# If set to true, client connection and disconnection messages will be
# included in the log.
#connection_messages true

# If using syslog logging (not on Windows), messages will be logged to the
# "daemon" facility by default. Use the log_facility option to choose which
# of local0 to local7 to log to instead. The option value should be an
# integer value, e.g. "log_facility 5" to use local5.
#log_facility

# If set to true, add a timestamp value to each log message.
#log_timestamp true

# Set the format of the log timestamp. If left unset, this is the number of
# seconds since the Unix epoch.
# This is a free text string which will be passed to the strftime function.
# To get an ISO 8601 datetime, for example:
# log_timestamp_format %Y-%m-%dT%H:%M:%S
log_timestamp_format %Y-%m-%dT%H:%M:%S

# Change the websockets logging level. This is a global option, it is not
# possible to set per listener. This is an integer that is interpreted by
# libwebsockets as a bit mask for its lws_log_levels enum. See the
# libwebsockets documentation for more details. "log_type websockets" must
# also be enabled.
#websockets_log_level 0

=================================================================
Security
=================================================================

# If set, only clients that have a matching prefix on their clientid will be
# allowed to connect to the broker. By default, all clients may connect.
# For example, setting "secure-" here would mean a client "secure-client"
# could connect but another with clientid "mqtt" couldn't.
#clientid_prefixes

# Boolean value that determines whether clients that connect without
# providing a username are allowed to connect. If set to false then a
# password file should be created (see the password_file option) to control
# authenticated client access.
# Defaults to true if no other security options are set. If password_file or
# psk_file is set, or if an authentication plugin is loaded which implements
# username/password or TLS-PSK checks, then allow_anonymous defaults to false.
#allow_anonymous true

Default authentication and topic access control
# Control access to the broker using a password file. This file can be
# generated using the mosquitto_passwd utility. If TLS support is not
# compiled into mosquitto (it is recommended that TLS support should be
# included) then plain text passwords are used, in which case the file
# should be a text file with lines in the format:
# username:password
# The password (and colon) may be omitted if desired, although this offers
# very little in the way of security.
#
# See the TLS client require_certificate and use_identity_as_username
# options for alternative authentication options. If an auth_plugin is used
# as well as password_file, the auth_plugin check will be made first.
#password_file

# Access may also be controlled using a pre-shared-key file. This requires
# TLS-PSK support and a listener configured to use it. The file should be
# text lines in the format:
# identity:key
# The key should be in hexadecimal format without a leading "0x".
# If an auth_plugin is used as well, the auth_plugin check will be made
# first.
#psk_file

# Control access to topics on the broker using an access control list file.
# If this parameter is defined then only the topics listed will have access.
# If the first character of a line of the ACL file is a # it is treated as a
# comment.
# Topic access is added with lines of the format:
#
# topic [read|write|readwrite]
#
# The access type is controlled using "read", "write" or "readwrite". This
# parameter is optional (unless the topic contains a space character) - if
# not given then the access is read/write. The topic can contain the + or #
# wildcards as in subscriptions.
#
# The first set of topics are applied to anonymous clients, assuming
# allow_anonymous is true. User specific topic ACLs are added after a user
# line as follows:
#
# user
#
# The username referred to here is the same as in password_file. It is not
# the clientid.
#
#
# It is also possible to define ACLs based on pattern substitution within the
# topic. The patterns available for substitution are:
#
# %c to match the client id of the client
# %u to match the username of the client
#
# The substitution pattern must be the only text for that level of
# hierarchy.
#
# The form is the same as for the topic keyword, but using pattern as the
# keyword.
# Pattern ACLs apply to all users even if the "user" keyword has previously
# been given.
#
# If using bridges with usernames and ACLs, connection messages can be
# allowed with the following pattern:
# pattern write $SYS/broker/connection/%c/state
#
# pattern [read|write|readwrite]
#
# Example:
#
# pattern write sensor/%u/data
#
# If an auth_plugin is used as well as acl_file, the auth_plugin check will
# be made first.
#acl_file

External authentication and topic access plugin options
# External authentication and access control can be supported with the
# auth_plugin option. This is a path to a loadable plugin. See also the
# auth_opt_* options described below.
#
# The auth_plugin option can be specified multiple times to load multiple
# plugins. The plugins will be processed in the order that they are
# specified here. If the auth_plugin option is specified alongside either of
# password_file or acl_file then the plugin checks will be made first.
#
#auth_plugin

# If the auth_plugin option above is used, define options to pass to the
# plugin here as described by the plugin instructions. All options named
# using the format auth_opt_* will be passed to the plugin, for example:
#
# auth_opt_db_host
# auth_opt_db_port
# auth_opt_db_username
# auth_opt_db_password

=================================================================
Bridges
=================================================================

# A bridge is a way of connecting multiple MQTT brokers together.
# Create a new bridge using the "connection" option as described below. Set
# options for the bridges using the remaining parameters. You must specify
# the address and at least one topic to subscribe to.
#
# Each connection must have a unique name.
#
# The address line may have multiple host address and ports specified. See
# below in the round_robin description for more details on bridge behaviour
# if multiple addresses are used. Note that if you use an IPv6 address, then
# you are required to specify a port.
#
# The direction that the topic will be shared can be chosen by specifying
# out, in or both, where the default value is out.
# The QoS level of the bridged communication can be specified with the next
# topic option. The default QoS level is 0, to change the QoS the topic
# direction must also be given.
#
# The local and remote prefix options allow a topic to be remapped when it
# is bridged to/from the remote broker. This provides the ability to place a
# topic tree in an appropriate location.
#
# For more details see the man page.
#
# Multiple topics can be specified per connection, but be careful not to
# create any loops.
#
# If you are using bridges with cleansession set to false (the default),
# then you may get unexpected behaviour from incoming topics if you change
# what topics you are subscribing to. This is because the remote broker
# keeps the subscription for the old topic. If you have this problem,
# connect your bridge with cleansession set to true, then reconnect with
# cleansession set to false as normal.
#connection
#address
#topic [[[out | in | both] qos-level] local-prefix remote-prefix]

# If a bridge has topics that have "out" direction, the default behaviour is
# to send an unsubscribe request to the remote broker on that topic. This
# means that changing a topic direction from "in" to "out" will not keep
# receiving incoming messages. Sending these unsubscribe requests is not
# always desirable, setting bridge_attempt_unsubscribe to false will disable
# sending the unsubscribe request.
#bridge_attempt_unsubscribe true

# Set the version of the MQTT protocol to use with for this bridge. Can be
# one of mqttv311 or mqttv31. Defaults to mqttv311.
#bridge_protocol_version mqttv311

# Set the clean session variable for this bridge.
# When set to true, when the bridge disconnects for any reason, all messages
# and subscriptions will be cleaned up on the remote broker. Note that with
# cleansession set to true, there may be a significant amount of retained
# messages sent when the bridge reconnects after losing its connection.
# When set to false, the subscriptions and messages are kept on the remote
# broker, and delivered when the bridge reconnects.
#cleansession false

# Set the amount of time a bridge using the lazy start type must be idle
# before it will be stopped. Defaults to 60 seconds.
#idle_timeout 60

# Set the keepalive interval for this bridge connection, in seconds.
#keepalive_interval 60

# Set the clientid to use on the local broker. If not defined, this defaults
# to 'local.' followed by the clientid. If you are bridging a broker to
# itself, it is important that local_clientid and clientid do not match.
#local_clientid

# If set to true, publish notification messages to the local and remote
# brokers giving information about the state of the bridge connection.
# Retained messages are published to the topic
# $SYS/broker/connection//state unless the notification_topic option is
# used.
# If the message is 1 then the connection is active, or 0 if the connection
# has failed.
# This uses the last will and testament feature.
#notifications true

# Choose the topic on which notification messages for this bridge are
# published. If not set, messages are published on the topic
# $SYS/broker/connection//state
#notification_topic

# Set the client id to use on the remote end of this bridge connection. If
# not defined, this defaults to 'name.hostname' where name is the connection
# name and hostname is the hostname of this computer.
# This replaces the old "clientid" option to avoid confusion. "clientid"
# remains valid for the time being.
#remote_clientid

# Set the password to use when connecting to a broker that requires
# authentication. This option is only used if remote_username is also set.
# This replaces the old "password" option to avoid confusion. "password"
# remains valid for the time being.
#remote_password

# Set the username to use when connecting to a broker that requires
# authentication.
# This replaces the old "username" option to avoid confusion. "username"
# remains valid for the time being.
#remote_username

# Set the amount of time a bridge using the automatic start type will wait
# until attempting to reconnect.
# This option can be configured to use a constant delay time in seconds, or
# to use a backoff mechanism based on "Decorrelated Jitter", which adds a
# degree of randomness to when the restart occurs.
#
# Set a constant timeout of 20 seconds:
# restart_timeout 20
#
# Set backoff with a base (start value) of 10 seconds and a cap (upper limit)
# of 60 seconds:
# restart_timeout 10 30
#
# Defaults to jitter with a base of 5 and cap of 30
#restart_timeout 5 30

# If the bridge has more than one address given in the address/addresses
# configuration, the round_robin option defines the behaviour of the bridge
# on a failure of the bridge connection. If round_robin is false, the default
# value, then the first address is treated as the main bridge connection. If
# the connection fails, the other secondary addresses will be attempted in
# turn. Whilst connected to a secondary bridge, the bridge will periodically
# attempt to reconnect to the main bridge until successful.
# If round_robin is true, then all addresses are treated as equals. If a
# connection fails, the next address will be tried and if successful will
# remain connected until it fails.
#round_robin false

# Set the start type of the bridge. This controls how the bridge starts and
# can be one of three types: automatic, lazy and once. Note that RSMB
# provides a fourth start type "manual" which isn't currently supported by
# mosquitto.
#
# "automatic" is the default start type and means that the bridge connection
# will be started automatically when the broker starts and also restarted
# after a short delay (30 seconds) if the connection fails.
#
# Bridges using the "lazy" start type will be started automatically when the
# number of queued messages exceeds the number set with the "threshold"
# parameter. It will be stopped automatically after the time set by the
# "idle_timeout" parameter. Use this start type if you wish the connection
# to only be active when it is needed.
#
# A bridge using the "once" start type will be started automatically when
# the broker starts but will not be restarted if the connection fails.
#start_type automatic

# Set the number of messages that need to be queued for a bridge with lazy
# start type to be restarted. Defaults to 10 messages.
# Must be less than max_queued_messages.
#threshold 10

# If try_private is set to true, the bridge will attempt to indicate to the
# remote broker that it is a bridge not an ordinary client. If successful,
# this means that loop detection will be more effective and that retained
# messages will be propagated correctly. Not all brokers support this
# feature so it may be necessary to set try_private to false if your bridge
# does not connect properly.
#try_private true

Certificate based SSL/TLS support
# Either bridge_cafile or bridge_capath must be defined to enable TLS support
# for this bridge.
# bridge_cafile defines the path to a file containing the Certificate
# Authority certificates that have signed the remote broker certificate.
# bridge_capath defines a directory that will be searched for files
# containing the CA certificates. For bridge_capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash" on the directory each time you add/remove a certificate.
#bridge_cafile
#bridge_capath

# If the remote broker has more than one protocol available on its port, e.g.
# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
# requested. Note that WebSockets support for bridges is not yet available.
#bridge_alpn

# When using certificate based encryption, bridge_insecure disables
# verification of the server hostname in the server certificate. This can be
# useful when testing initial server configurations, but makes it possible
# for a malicious third party to impersonate your server through DNS
# spoofing, for example. Use this option in testing only. If you need to
# resort to using this option in a production environment, your setup is at
# fault and there is no point using encryption.
#bridge_insecure false

# Path to the PEM encoded client certificate, if required by the remote
# broker.
#bridge_certfile

# Path to the PEM encoded client private key, if required by the remote
# broker.
#bridge_keyfile

PSK based SSL/TLS support
# Pre-shared-key encryption provides an alternative to certificate based
# encryption. A bridge can be configured to use PSK with the bridge_identity
# and bridge_psk options. These are the client PSK identity, and
# pre-shared-key in hexadecimal format with no "0x". Only one of certificate
# and PSK based encryption can be used on one bridge at once.
#bridge_identity
#bridge_psk

=================================================================
External config files
=================================================================

# External configuration files may be included by using the include_dir
# option. This defines a directory that will be searched for config files.
# All files that end in '.conf' will be loaded as a configuration file. It
# is best to have this as the last option in the main file. This option will
# only be processed from the main configuration file. The directory
# specified must not contain the main configuration file.
# Files within include_dir will be loaded sorted in case-sensitive
# alphabetical order, with capital letters ordered first.
# If this option is given multiple times, all of the files from the first
# instance will be processed before the next instance. See the man page for
# examples.
#include_dir
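The security-relevant options above (allow_anonymous and its default, the listener TLS options, tls_version, require_certificate, user, bridge_insecure) are easy to get wrong in a long file. The script below is an added example, not mosquitto code or part of the original page: it parses a mosquitto.conf into the global block plus one block per listener and bridge, applies the rules the page states, and reports weak settings. The two configurations inside it are constructed samples, and the file paths in them are placeholders. One liberty the page does not state is labelled in the code: the lint treats a listener with require_certificate true as authenticated, because such clients must present a CA-signed certificate.

```python
"""Audit a mosquitto.conf for weak settings.

Added example, not mosquitto code. It understands only the subset of options
discussed on this page; everything else is ignored.
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: a cleartext listener on all interfaces with anonymous
# access, a TLS listener that still allows TLS 1.1, and a bridge with
# hostname verification switched off. Paths are placeholders.
WEAK_CONF = """\
per_listener_settings true
user root
listener 1883
allow_anonymous true
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
tls_version tlsv1.1
require_certificate true
use_identity_as_username true
connection upstream
address broker.example.invalid:8883
bridge_cafile /etc/mosquitto/ca.crt
bridge_insecure true
"""

# Constructed sample: the same layout with each finding addressed.
HARDENED_CONF = """\
per_listener_settings true
user mosquitto
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username true
connection upstream
address broker.example.invalid:8883
bridge_cafile /etc/mosquitto/ca.crt
bridge_insecure false
"""


def parse(text):
    """Split the file into a global block plus one block per listener/bridge.

    Each block is a dict of option -> value; the "listener" and "connection"
    keywords open a new block, as they do in mosquitto.conf.
    """
    blocks = [{"_type": "global"}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            port, _, bind = value.partition(" ")
            blocks.append({"_type": "listener", "_port": port, "_bind": bind.strip()})
        elif key == "connection":
            blocks.append({"_type": "bridge", "_name": value})
        else:
            blocks[-1][key] = value
    return blocks


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    blocks = parse(text)
    glob = blocks[0]
    findings = []
    if glob.get("user") == "root":
        findings.append("global: broker keeps root privileges (user root)")
    for b in blocks[1:]:
        if b["_type"] == "bridge":
            name = b["_name"]
            if b.get("bridge_insecure") == "true":
                findings.append(f"bridge {name}: bridge_insecure true disables hostname verification")
            if not (b.get("bridge_cafile") or b.get("bridge_capath")):
                findings.append(f"bridge {name}: no bridge_cafile/bridge_capath, bridge runs without TLS")
            continue
        port = b["_port"]

        def opt(key, block=b):
            # Listener options fall back to the global block, as when
            # per_listener_settings is false.
            return block.get(key, glob.get(key))

        has_tls = bool(opt("certfile") and opt("keyfile"))
        exposed = b["_bind"] not in LOOPBACK
        if not has_tls and exposed:
            findings.append(f"listener {port}: no certfile/keyfile, traffic is cleartext")
        if opt("tls_version") == "tlsv1.1":
            findings.append(f"listener {port}: tls_version tlsv1.1 is obsolete")
        if opt("require_certificate") == "true" and not (opt("cafile") or opt("capath")):
            findings.append(f"listener {port}: require_certificate without cafile/capath cannot verify clients")
        # Page rule: allow_anonymous defaults to true unless password_file,
        # psk_file or an auth plugin is configured. This lint additionally
        # counts a required client certificate as authentication (its own
        # choice, not something the page states).
        authed = any(opt(k) for k in ("password_file", "psk_file", "auth_plugin")) \
            or opt("require_certificate") == "true"
        anon = opt("allow_anonymous") or ("false" if authed else "true")
        if anon == "true" and exposed:
            findings.append(f"listener {port}: anonymous clients accepted")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["clean"])
```

The weak sample yields five findings and the hardened one none. Binding the cleartext listener to 127.0.0.1 is what silences the cleartext and anonymous checks there; the lint deliberately does not flag loopback-only listeners, which is how a local bridge or collector is normally attached.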
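The acl_file section above describes three kinds of rules (anonymous topics before the first "user" line, per-user "topic" lines, and "pattern" lines with %u and %c substitution) plus the + and # wildcards. The following is an added example, not mosquitto code: a small evaluator that parses a constructed ACL file in that format and answers whether a given client may read or write a topic. It assumes the topic being checked is a concrete topic name, as on a publish, rather than a wildcard subscription, and it applies the MQTT rule that a wildcard at the root does not match $SYS topics.

```python
"""Evaluate mosquitto-style ACL rules.

Added example, not mosquitto code: it implements the acl_file rules as this
page describes them (anonymous section, "user" sections, "pattern" lines with
%u / %c substitution, + and # wildcards). It assumes the topic being checked
is a concrete topic name, as on a publish, not a wildcard subscription.
"""

# Constructed sample ACL file.
SAMPLE_ACL = """\
# anonymous clients may only read the public tree
topic read public/#

user sensor-gw
topic write telemetry/#
topic read control/gateway

# every user gets a private tree named after their username
pattern readwrite devices/%u/#
# lets a bridge publish its own connection state (see the bridge section)
pattern write $SYS/broker/connection/%c/state
"""


def topic_matches(pattern, topic):
    """MQTT wildcard matching: '+' is one level, '#' the rest (last level only)."""
    if topic.startswith("$") and pattern[:1] in ("+", "#"):
        return False  # wildcards at the root never match $SYS topics
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return i == len(p) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(p) == len(t)


def parse_acl(text):
    """Return (anonymous_rules, {username: rules}, pattern_rules).

    Each rule is an (access, topic) tuple with access in read/write/readwrite.
    """
    anon, users, patterns = [], {}, []
    current = anon
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "user":
            current = users.setdefault(rest, [])
        elif keyword in ("topic", "pattern"):
            access, _, topic = rest.partition(" ")
            if access not in ("read", "write", "readwrite"):
                access, topic = "readwrite", rest  # access keyword omitted
            (patterns if keyword == "pattern" else current).append((access, topic))
    return anon, users, patterns


def allowed(acl, username, clientid, topic, access):
    """True if a client (username None = anonymous) may 'read' or 'write' topic."""
    anon, users, patterns = acl
    rules = list(anon) if username is None else list(users.get(username, []))
    for acc, pat in patterns:
        if "%u" in pat and username is None:
            continue  # %u patterns cannot apply to anonymous clients
        rules.append((acc, pat.replace("%u", username or "").replace("%c", clientid)))
    return any(acc in (access, "readwrite") and topic_matches(pat, topic)
               for acc, pat in rules)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(allowed(acl, "sensor-gw", "gw-1", "telemetry/temp", "write"))   # True
    print(allowed(acl, "sensor-gw", "gw-1", "devices/other/cfg", "read"))  # False
```

Two points the evaluation makes visible: a username that has no "user" section gets nothing but the pattern rules, so an authenticated but unlisted account cannot read even the anonymous public/ tree; and the %c pattern only lets a client write the $SYS connection-state topic carrying its own client id, which is why the page recommends that pattern for bridges.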
