├── Dockerfile
├── LICENSE
├── README.md
├── config
│   ├── ca_certificates
│   │   └── README
│   ├── certs
│   │   └── README
│   ├── conf.d
│   │   ├── README
│   │   └── websockets.conf
│   ├── mosquitto.conf
│   └── mosquitto.conf.example
└── docker-entrypoint.sh

/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:jessie

MAINTAINER Thomas Kerpe

# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
LABEL org.label-schema.build-date=$BUILD_DATE \
      org.label-schema.docker.dockerfile="/Dockerfile" \
      org.label-schema.license="BSD 3-Clause" \
      org.label-schema.name="docker-mosquitto" \
      org.label-schema.url="https://hub.docker.com/r/toke/mosquitto/" \
      org.label-schema.vcs-ref=$VCS_REF \
      org.label-schema.vcs-type="Git" \
      org.label-schema.vcs-url="https://github.com/toke/docker-mosquitto"

# Import the Mosquitto repository signing key, add the jessie repository,
# install the broker and clients, and make sure an unprivileged mosquitto
# system user exists.
RUN apt-get update && apt-get install -y wget && \
    wget -q -O - https://repo.mosquitto.org/debian/mosquitto-repo.gpg.key | gpg --import && \
    gpg -a --export 8277CCB49EC5B595F2D2C71361611AE430993623 | apt-key add - && \
    wget -q -O /etc/apt/sources.list.d/mosquitto-jessie.list https://repo.mosquitto.org/debian/mosquitto-jessie.list && \
    apt-get update && apt-get install -y mosquitto mosquitto-clients && \
    adduser --system --disabled-password --disabled-login mosquitto

# Config, persistence and log directories, owned by the mosquitto user.
RUN mkdir -p /mqtt/config /mqtt/data /mqtt/log
COPY config /mqtt/config
RUN chown -R mosquitto:mosquitto /mqtt
VOLUME ["/mqtt/config", "/mqtt/data", "/mqtt/log"]

# 1883: MQTT, 9001: MQTT over websockets (see config/conf.d/websockets.conf)
EXPOSE 1883 9001

ADD docker-entrypoint.sh /usr/bin/

# The broker starts as root and drops to the mosquitto user through the
# "user mosquitto" setting in /mqtt/config/mosquitto.conf.
ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["/usr/sbin/mosquitto", "-c", "/mqtt/config/mosquitto.conf"]

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2014,2015,2016 Thomas Kerpe, All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
docker-mosquitto
================

Docker image for mosquitto - superseded by [eclipse-mosquitto](https://hub.docker.com/_/eclipse-mosquitto)

[![Docker Stars](https://img.shields.io/docker/stars/toke/mosquitto.svg)](https://hub.docker.com/r/toke/mosquitto/)
[![Docker Pulls](https://img.shields.io/docker/pulls/toke/mosquitto.svg)](https://hub.docker.com/r/toke/mosquitto/)
[![](https://images.microbadger.com/badges/image/toke/mosquitto.svg)](https://microbadger.com/images/toke/mosquitto "Get your own image badge on microbadger.com")


## Project Status

The purpose of this container was to provide a configurable and decent mosquitto broker container. The Eclipse Mosquitto Project now provides
a very similar container - see [Other Containers](#other-containers) below.
This container still uses Debian Jessie as its base image, which is quite old.

Feel free to send Pull Requests. As I don't use this container any longer, it's
kinda tricky to test and keep compatibility at a level I would like.

## Run

    docker run -ti -p 1883:1883 -p 9001:9001 toke/mosquitto

Exposes ports 1883 (MQTT) and 9001 (MQTT over WebSockets).

## Running with persistence


### Local directories / External Configuration

Alternatively you can use volumes to make the changes
persistent and change the configuration.

    mkdir -p /srv/mqtt/config/
    mkdir -p /srv/mqtt/data/
    mkdir -p /srv/mqtt/log/
    # place your mosquitto.conf in /srv/mqtt/config/
    # NOTE: You have to change the permissions of the directories
    # to allow the user to read/write to data and log and read from
    # the config directory
    # For TESTING purposes you can use chmod -R 777 /srv/mqtt/*
    # Better use "-u" with a valid user id on your docker host

    # Copy the files from the config directory of this project
    # into /srv/mqtt/config. Change them as needed for your
    # particular needs.

    docker run -ti -p 1883:1883 -p 9001:9001 \
      -v /srv/mqtt/config:/mqtt/config:ro \
      -v /srv/mqtt/log:/mqtt/log \
      -v /srv/mqtt/data/:/mqtt/data/ \
      --name mqtt toke/mosquitto

Volumes: /mqtt/config, /mqtt/data and /mqtt/log

### Docker Volumes for persistence

Using [Docker Volumes](https://docs.docker.com/engine/userguide/containers/dockervolumes/) for persistence.

Create a named volume:

    docker volume create --name mosquitto_data

Now it can be attached to docker by using `-v mosquitto_data:/mqtt/data` in the
example above. Be aware that the permissions within the volumes
are most likely too restrictive.

## Start with systemd

As an example, this is how you run the container with systemd.
The example uses a docker volume named `mosquitto_data` (see above).

    [Unit]
    Description=Mosquitto MQTT docker container
    Requires=docker.service
    Wants=docker.service
    After=docker.service

    [Service]
    Environment=EXT_IP=123.123.123.123
    Restart=always
    ExecStart=/usr/bin/docker run -v /srv/mqtt/config:/mqtt/config -v /srv/mqtt/log:/mqtt/log -v mosquitto_data:/mqtt/data/ -p ${EXT_IP}:1883:1883 -p ${EXT_IP}:8883:8883 -p 127.0.0.1:9001:9001 --name mqtt toke/mosquitto
    ExecStop=/usr/bin/docker stop -t 2 mqtt
    ExecStopPost=/usr/bin/docker rm -f mqtt

    [Install]
    # Start the unit with the normal multi-user system at boot.
    WantedBy=multi-user.target


## Build

    git clone https://github.com/toke/docker-mosquitto.git
    cd docker-mosquitto
    docker build .

## Other Containers

The purpose of this container was to provide a configurable and decent mosquitto broker.
The Eclipse Mosquitto Project now provides a very similar container:
[Eclipse Mosquitto Container](https://hub.docker.com/_/eclipse-mosquitto/). It should be
easy to migrate to it.

## Authors and license

docker-mosquitto was written by:

* **Thomas Kerpe** | [web](https://toke.de/) | [mail](mailto:web@toke.de) | [GitHub](https://github.com/toke/)
* With contributions from:
  * [Andrea Pinazzi](https://github.com/onip)
  * [m0se](https://github.com/m0se)
  * [David Medinets](https://github.com/medined)
  * [Gavin de Kock](https://github.com/gavindekock)
  * [Raphael Ahrens](https://github.com/tantSinnister)

License: [BSD 3-Clause](https://tldrlegal.com/license/bsd-3-clause-license-%28revised%29)


## Contact

Contact: Thomas Kerpe [toke@toke.de](mailto:toke@toke.de)

OpenPGP fingerprint: `B5AD 7FCB 270D A762 46D2 A8F2 B0E6 5607 ABE5 7238`

--------------------------------------------------------------------------------
/config/ca_certificates/README:
--------------------------------------------------------------------------------
Place your SSL/TLS Certificate Authority certificates in this directory.

--------------------------------------------------------------------------------
/config/certs/README:
--------------------------------------------------------------------------------
Place your SSL/TLS server keys and certificates in this directory.

This directory should only be readable by the mosquitto user.

--------------------------------------------------------------------------------
/config/conf.d/README:
--------------------------------------------------------------------------------
Any files placed in this directory that have a .conf ending will be loaded as
config files by the broker. Use this to make your local config.

--------------------------------------------------------------------------------
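An added example (not the project's own code) of checking what this config layout actually loads: it follows include_dir into conf.d the way the conf.d README above describes, skipping files without a .conf ending, and audits each listener against the constraints spelled out in mosquitto.conf.example below (only one of certificate or PSK TLS per listener, cafile or capath required for certificate TLS, use_identity_as_username only together with require_certificate, the recommended TLS port 8883, and allow_anonymous defaulting to true). The file contents are constructed; the tls.conf drop-in and the certificate paths in it are hypothetical.

```python
"""Audit of a mosquitto config volume laid out like this container's /mqtt/config.
Example code, not part of docker-mosquitto or Mosquitto; the file contents in
SAMPLE_FILES are constructed (the tls.conf drop-in and its paths are hypothetical)."""
import posixpath

# Options that belong to the most recent 'listener' line, or to the default
# listener (port / bind_address) when no 'listener' line precedes them.
LISTENER_OPTS = {"cafile", "capath", "certfile", "keyfile", "crlfile", "ciphers",
                 "tls_version", "psk_hint", "require_certificate",
                 "use_identity_as_username", "protocol", "max_connections", "mount_point"}


def parse_config(files, main):
    """files maps path -> text, standing in for the config directory.
    Returns (global_options, listeners), each listener being a dict of options."""
    global_opts, listeners = {}, []
    default = {"port": None, "bind_address": ""}

    def load(path):
        for raw in files[path].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
            if key == "include_dir":
                # only files directly inside the directory with a .conf ending are loaded
                for p in sorted(files):
                    if posixpath.dirname(p) == value.rstrip("/") and p.endswith(".conf"):
                        load(p)
            elif key == "listener":
                port, _, addr = value.partition(" ")
                listeners.append({"port": int(port), "bind_address": addr.strip()})
            elif key == "port":
                default["port"] = int(value)
            elif key == "bind_address":
                default["bind_address"] = value
            elif key in LISTENER_OPTS:
                (listeners[-1] if listeners else default)[key] = value
            else:
                global_opts[key] = value

    load(main)
    # The default listener is only dropped when extra listeners are used and
    # neither port nor bind_address is given.
    if default["port"] is not None or default["bind_address"] or not listeners:
        default["port"] = default["port"] or 1883
        listeners.insert(0, default)
    return global_opts, listeners


def audit(global_opts, listeners):
    """Return (scope, code) findings; scope is a listener port or 'global'."""
    findings = []
    if global_opts.get("allow_anonymous", "true") == "true":
        findings.append(("global", "anonymous-allowed"))      # the default
    for lst in listeners:
        port = lst["port"]
        cert = any(k in lst for k in ("certfile", "keyfile", "cafile", "capath"))
        psk = "psk_hint" in lst
        if cert and psk:
            findings.append((port, "cert-and-psk"))           # only one per listener
        if cert and "cafile" not in lst and "capath" not in lst:
            findings.append((port, "no-ca"))                  # cafile or capath required
        if not cert and not psk:
            findings.append((port, "plaintext"))              # no TLS: credentials in clear
        if (cert and lst.get("use_identity_as_username") == "true"
                and lst.get("require_certificate") != "true"):
            findings.append((port, "identity-without-require-certificate"))
        if (cert or psk) and port != 8883:
            findings.append((port, "tls-not-on-8883"))        # recommended port
    return findings


# Constructed stand-in for /mqtt/config: the shipped mosquitto.conf and
# websockets.conf plus a hypothetical mutual-TLS drop-in and a non-.conf file.
SAMPLE_FILES = {
    "/mqtt/config/mosquitto.conf": "pid_file /var/run/mosquitto.pid\npersistence true\n"
        "persistence_location /mqtt/data/\nuser mosquitto\nport 1883\n"
        "log_dest stdout\ninclude_dir /mqtt/config/conf.d\n",
    "/mqtt/config/conf.d/websockets.conf": "listener 9001\nprotocol websockets\n",
    "/mqtt/config/conf.d/README": "not loaded: no .conf ending\n",
    "/mqtt/config/conf.d/tls.conf": "listener 8883\n"
        "cafile /mqtt/config/ca_certificates/ca.crt\n"
        "certfile /mqtt/config/certs/server.crt\nkeyfile /mqtt/config/certs/server.key\n"
        "require_certificate true\nuse_identity_as_username true\n",
}

if __name__ == "__main__":
    for scope, code in audit(*parse_config(SAMPLE_FILES, "/mqtt/config/mosquitto.conf")):
        print(scope, code)
```

With the shipped configuration the audit reports anonymous access plus the two plaintext listeners (1883 and 9001); the hypothetical 8883 listener passes.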
/config/conf.d/websockets.conf:
--------------------------------------------------------------------------------
listener 9001
protocol websockets
--------------------------------------------------------------------------------
/config/mosquitto.conf:
--------------------------------------------------------------------------------
# Place your local configuration in /mqtt/config/conf.d/

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /mqtt/data/

user mosquitto

# Port to use for the default listener.
port 1883


log_dest file /mqtt/log/mosquitto.log
log_dest stdout

include_dir /mqtt/config/conf.d
--------------------------------------------------------------------------------
/config/mosquitto.conf.example:
--------------------------------------------------------------------------------
# Config file for mosquitto
#
# See mosquitto.conf(5) for more information.
#
# Default values are shown, uncomment to change.
#
# Use the # character to indicate a comment, but only if it is the
# very first character on the line.

# =================================================================
# General configuration
# =================================================================

# Time in seconds to wait before resending an outgoing QoS=1 or
# QoS=2 message.
#retry_interval 20

# Time in seconds between updates of the $SYS tree.
# Set to 0 to disable the publishing of the $SYS tree.
#sys_interval 10

# Time in seconds between cleaning the internal message store of
# unreferenced messages. Lower values will result in lower memory
# usage but more processor time, higher values will have the
# opposite effect.
# Setting a value of 0 means the unreferenced messages will be
# disposed of as quickly as possible.
#store_clean_interval 10

# Write process id to a file. Default is a blank string which means
# a pid file shouldn't be written.
# This should be set to /var/run/mosquitto.pid if mosquitto is
# being run automatically on boot with an init script and
# start-stop-daemon or similar.
#pid_file

# When run as root, drop privileges to this user and its primary
# group.
# Leave blank to stay as root, but this is not recommended.
# If run as a non-root user, this setting has no effect.
# Note that on Windows this has no effect and so mosquitto should
# be started by the user you wish it to run as.
#user mosquitto

# The maximum number of QoS 1 and 2 messages currently inflight per
# client.
# This includes messages that are partway through handshakes and
# those that are being retried. Defaults to 20. Set to 0 for no
# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
# and 2 messages.
#max_inflight_messages 20

# The maximum number of QoS 1 and 2 messages to hold in a queue
# above those that are currently in-flight. Defaults to 100. Set
# to 0 for no maximum (not recommended).
# See also queue_qos0_messages.
#max_queued_messages 100

# Set to true to queue messages with QoS 0 when a persistent client is
# disconnected. These messages are included in the limit imposed by
# max_queued_messages.
# Defaults to false.
# This is a non-standard option for the MQTT v3.1 spec but is allowed in
# v3.1.1.
#queue_qos0_messages false

# This option sets the maximum publish payload size that the broker will allow.
# Received messages that exceed this size will not be accepted by the broker.
# The default value is 0, which means that all valid MQTT messages are
# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
#message_size_limit 0

# This option controls whether a client is allowed to connect with a zero
# length client id or not. This option only affects clients using MQTT v3.1.1
# and later. If set to false, clients connecting with a zero length client id
# are disconnected. If set to true, clients will be allocated a client id by
# the broker. This means it is only useful for clients with clean session set
# to true.
#allow_zero_length_clientid true

# If allow_zero_length_clientid is true, this option allows you to set a prefix
# to automatically generated client ids to aid visibility in logs.
#auto_id_prefix

# This option allows persistent clients (those with clean session set to false)
# to be removed if they do not reconnect within a certain time frame.
#
# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1.
#
# Badly designed clients may set clean session to false whilst using a randomly
# generated client id. This leads to persistent clients that will never
# reconnect. This option allows these clients to be removed.
#
# The expiration period should be an integer followed by one of d w m y for
# day, week, month and year respectively. For example
#
# persistent_client_expiration 2m
# persistent_client_expiration 14d
# persistent_client_expiration 1y
#
# The default if not set is to never expire persistent clients.
#persistent_client_expiration

# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
# and foo/+/baz, then MQTT expects that when the broker receives a message on
# a topic that matches both subscriptions, such as foo/bar/baz, then the client
# should only receive the message once.
# Mosquitto keeps track of which clients a message has been sent to in order to
# meet this requirement. The allow_duplicate_messages option allows this
# behaviour to be disabled, which may be useful if you have a large number of
# clients subscribed to the same set of topics and are very concerned about
# minimising memory usage.
# It can be safely set to true if you know in advance that your clients will
# never have overlapping subscriptions, otherwise your clients must be able to
# correctly deal with duplicate messages even when they have QoS=2.
#allow_duplicate_messages false

# The MQTT specification requires that the QoS of a message delivered to a
# subscriber is never upgraded to match the QoS of the subscription. Enabling
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
# messages sent to a subscriber will always match the QoS of its subscription.
# This is a non-standard option explicitly disallowed by the spec.
#upgrade_outgoing_qos false

# =================================================================
# Default listener
# =================================================================

# IP address/hostname to bind the default listener to. If not
# given, the default listener will not be bound to a specific
# address and so will be accessible to all network interfaces.
# bind_address ip-address/host name
#bind_address

# Port to use for the default listener.
#port 1883

# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS
# is 8883, but this must be set manually.
#
# See also the mosquitto-tls man page.

# At least one of cafile or capath must be defined. They both
# define methods of accessing the PEM encoded Certificate
# Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "c_rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath

# Path to the PEM encoded server certificate.
#certfile

# Path to the PEM encoded keyfile.
#keyfile

# This option defines the version of the TLS protocol to use for this listener.
# The default value will always be the highest version that is available for
# the version of openssl that the broker was compiled against. For openssl >=
# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
# valid values are tlsv1.
#tls_version

# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false

# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
#use_identity_as_username false

# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile

# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH

# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint

# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers

# =================================================================
# Extra listeners
# =================================================================

# Listen on a port/ip address combination. By using this variable
# multiple times, mosquitto can listen on more than one port. If
# this variable is used and neither bind_address nor port given,
# then the default listener will not be started.
# The port number to listen on must be given. Optionally, an ip
# address or host name may be supplied as a second argument. In
# this case, mosquitto will attempt to bind the listener to that
# address and so restrict access to the associated network and
# interface. By default, mosquitto will listen on all interfaces.
# listener port-number [ip address/host name]
#listener

# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1

# The listener can be restricted to operating within a topic hierarchy using
# the mount_point option. This is achieved by prefixing the mount_point string
# to all topics for any clients connected to this listener. This prefixing only
# happens internally to the broker; the client will not see the prefix.
#mount_point

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable certificate based SSL/TLS support
# for this listener. Note that the recommended port for MQTT over TLS is 8883,
# but this must be set manually.
#
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# At least one of cafile or capath must be defined to enable certificate based
# TLS encryption. They both define methods of accessing the PEM encoded
# Certificate Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "c_rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath

# Path to the PEM encoded server certificate.
#certfile

# Path to the PEM encoded keyfile.
#keyfile

# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false

# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
#use_identity_as_username false

# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile

# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
#ciphers

# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.

# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint

# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false

# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers

# =================================================================
# Persistence
# =================================================================

# If persistence is enabled, save the in-memory database to disk
# every autosave_interval seconds. If set to 0, the persistence
# database will only be written when mosquitto exits. See also
# autosave_on_changes.
# Note that writing of the persistence database can be forced by
# sending mosquitto a SIGUSR1 signal.
#autosave_interval 1800

# If true, mosquitto will count the number of subscription changes, retained
# messages received and queued messages and if the total exceeds
# autosave_interval then the in-memory database will be saved to disk.
# If false, mosquitto will save the in-memory database to disk by treating
# autosave_interval as a time in seconds.
#autosave_on_changes false

# Save persistent message data to disk (true/false).
# This saves information about all messages, including
# subscriptions, currently in-flight messages and retained
# messages.
# retained_persistence is a synonym for this option.
#persistence false

# The filename to use for the persistent database, not including
# the path.
#persistence_file mosquitto.db

# Location for persistent database. Must include trailing /
# Default is an empty string (current directory).
# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or
# similar.
#persistence_location

# =================================================================
# Logging
# =================================================================

# Places to log to. Use multiple log_dest lines for multiple
# logging destinations.
# Possible destinations are: stdout stderr syslog topic file
#
# stdout and stderr log to the console on the named output.
#
# syslog uses the userspace syslog facility which usually ends up
# in /var/log/messages or similar.
#
# topic logs to the broker topic '$SYS/broker/log/<severity>',
# where severity is one of D, E, W, N, I, M which are debug, error,
# warning, notice, information and message. Message type severity is used by
# the subscribe/unsubscribe log_types and publishes log messages to
# $SYS/broker/log/M/subscribe or $SYS/broker/log/M/unsubscribe.
#
# The file destination requires an additional parameter which is the file to be
# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
# closed and reopened when the broker receives a HUP signal. Only a single file
# destination may be configured.
#
# Note that if the broker is running as a Windows service it will default to
# "log_dest none" and neither stdout nor stderr logging is available.
# Use "log_dest none" if you wish to disable logging.
#log_dest stderr

# Types of messages to log. Use multiple log_type lines for logging
# multiple types of messages.
# Possible types are: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, all.
# Note that debug type messages are for decoding the incoming/outgoing
# network packets. They are not logged in "topics".
#log_type error
#log_type warning
#log_type notice
#log_type information

# If set to true, client connection and disconnection messages will be included
# in the log.
#connection_messages true

# If set to true, add a timestamp value to each log message.
435 | #log_timestamp true 436 | 437 | # ================================================================= 438 | # Security 439 | # ================================================================= 440 | 441 | # If set, only clients that have a matching prefix on their 442 | # clientid will be allowed to connect to the broker. By default, 443 | # all clients may connect. 444 | # For example, setting "secure-" here would mean a client "secure- 445 | # client" could connect but another with clientid "mqtt" couldn't. 446 | #clientid_prefixes 447 | 448 | # Boolean value that determines whether clients that connect 449 | # without providing a username are allowed to connect. If set to 450 | # false then a password file should be created (see the 451 | # password_file option) to control authenticated client access. 452 | # Defaults to true. 453 | #allow_anonymous true 454 | 455 | # In addition to the clientid_prefixes, allow_anonymous and TLS 456 | # authentication options, username based authentication is also 457 | # possible. The default support is described in "Default 458 | # authentication and topic access control" below. The auth_plugin 459 | # allows another authentication method to be used. 460 | # Specify the path to the loadable plugin and see the 461 | # "Authentication and topic access plugin options" section below. 462 | #auth_plugin 463 | 464 | # ----------------------------------------------------------------- 465 | # Default authentication and topic access control 466 | # ----------------------------------------------------------------- 467 | 468 | # Control access to the broker using a password file. This file can be 469 | # generated using the mosquitto_passwd utility. 
If TLS support is not compiled 470 | # into mosquitto (it is recommended that TLS support should be included) then 471 | # plain text passwords are used, in which case the file should be a text file 472 | # with lines in the format: 473 | # username:password 474 | # The password (and colon) may be omitted if desired, although this 475 | # offers very little in the way of security. 476 | # 477 | # See the TLS client require_certificate and use_identity_as_username options 478 | # for alternative authentication options. 479 | #password_file 480 | 481 | # Access may also be controlled using a pre-shared-key file. This requires 482 | # TLS-PSK support and a listener configured to use it. The file should be text 483 | # lines in the format: 484 | # identity:key 485 | # The key should be in hexadecimal format without a leading "0x". 486 | #psk_file 487 | 488 | # Control access to topics on the broker using an access control list 489 | # file. If this parameter is defined then only the topics listed will 490 | # have access. 491 | # If the first character of a line of the ACL file is a # it is treated as a 492 | # comment. 493 | # Topic access is added with lines of the format: 494 | # 495 | # topic [read|write] 496 | # 497 | # The access type is controlled using "read" or "write". This parameter 498 | # is optional - if not given then the access is read/write. 499 | # can contain the + or # wildcards as in subscriptions. 500 | # 501 | # The first set of topics are applied to anonymous clients, assuming 502 | # allow_anonymous is true. User specific topic ACLs are added after a 503 | # user line as follows: 504 | # 505 | # user 506 | # 507 | # The username referred to here is the same as in password_file. It is 508 | # not the clientid. 509 | # 510 | # 511 | # If is also possible to define ACLs based on pattern substitution within the 512 | # topic. 
The patterns available for substition are: 513 | # 514 | # %c to match the client id of the client 515 | # %u to match the username of the client 516 | # 517 | # The substitution pattern must be the only text for that level of hierarchy. 518 | # 519 | # The form is the same as for the topic keyword, but using pattern as the 520 | # keyword. 521 | # Pattern ACLs apply to all users even if the "user" keyword has previously 522 | # been given. 523 | # 524 | # If using bridges with usernames and ACLs, connection messages can be allowed 525 | # with the following pattern: 526 | # pattern write $SYS/broker/connection/%c/state 527 | # 528 | # pattern [read|write] 529 | # 530 | # Example: 531 | # 532 | # pattern write sensor/%u/data 533 | # 534 | #acl_file 535 | 536 | # ----------------------------------------------------------------- 537 | # Authentication and topic access plugin options 538 | # ----------------------------------------------------------------- 539 | 540 | # If the auth_plugin option above is used, define options to pass to the 541 | # plugin here as described by the plugin instructions. All options named 542 | # using the format auth_opt_* will be passed to the plugin, for example: 543 | # 544 | # auth_opt_db_host 545 | # auth_opt_db_port 546 | # auth_opt_db_username 547 | # auth_opt_db_password 548 | 549 | 550 | # ================================================================= 551 | # Bridges 552 | # ================================================================= 553 | 554 | # A bridge is a way of connecting multiple MQTT brokers together. 555 | # Create a new bridge using the "connection" option as described below. Set 556 | # options for the bridges using the remaining parameters. You must specify the 557 | # address and at least one topic to subscribe to. 558 | # Each connection must have a unique name. 559 | # The address line may have multiple host address and ports specified. 
See 560 | # below in the round_robin description for more details on bridge behaviour if 561 | # multiple addresses are used. 562 | # The direction that the topic will be shared can be chosen by 563 | # specifying out, in or both, where the default value is out. 564 | # The QoS level of the bridged communication can be specified with the next 565 | # topic option. The default QoS level is 0, to change the QoS the topic 566 | # direction must also be given. 567 | # The local and remote prefix options allow a topic to be remapped when it is 568 | # bridged to/from the remote broker. This provides the ability to place a topic 569 | # tree in an appropriate location. 570 | # For more details see the mosquitto.conf man page. 571 | # Multiple topics can be specified per connection, but be careful 572 | # not to create any loops. 573 | # If you are using bridges with cleansession set to false (the default), then 574 | # you may get unexpected behaviour from incoming topics if you change what 575 | # topics you are subscribing to. This is because the remote broker keeps the 576 | # subscription for the old topic. If you have this problem, connect your bridge 577 | # with cleansession set to true, then reconnect with cleansession set to false 578 | # as normal. 579 | #connection 580 | #address [:] [[:]] 581 | #topic [[[out | in | both] qos-level] local-prefix remote-prefix] 582 | 583 | # If the bridge has more than one address given in the address/addresses 584 | # configuration, the round_robin option defines the behaviour of the bridge on 585 | # a failure of the bridge connection. If round_robin is false, the default 586 | # value, then the first address is treated as the main bridge connection. If 587 | # the connection fails, the other secondary addresses will be attempted in 588 | # turn. Whilst connected to a secondary bridge, the bridge will periodically 589 | # attempt to reconnect to the main bridge until successful. 
590 | # If round_robin is true, then all addresses are treated as equals. If a 591 | # connection fails, the next address will be tried and if successful will 592 | # remain connected until it fails 593 | #round_robin false 594 | 595 | # Set the client id for this bridge connection. If not defined, 596 | # this defaults to 'name.hostname' where name is the connection 597 | # name and hostname is the hostname of this computer. 598 | #clientid 599 | 600 | # Set the clean session variable for this bridge. 601 | # When set to true, when the bridge disconnects for any reason, all 602 | # messages and subscriptions will be cleaned up on the remote 603 | # broker. Note that with cleansession set to true, there may be a 604 | # significant amount of retained messages sent when the bridge 605 | # reconnects after losing its connection. 606 | # When set to false, the subscriptions and messages are kept on the 607 | # remote broker, and delivered when the bridge reconnects. 608 | #cleansession false 609 | 610 | # If set to true, publish notification messages to the local and remote brokers 611 | # giving information about the state of the bridge connection. Retained 612 | # messages are published to the topic $SYS/broker/connection//state 613 | # unless the notification_topic option is used. 614 | # If the message is 1 then the connection is active, or 0 if the connection has 615 | # failed. 616 | #notifications true 617 | 618 | # Choose the topic on which notification messages for this bridge are 619 | # published. If not set, messages are published on the topic 620 | # $SYS/broker/connection//state 621 | #notification_topic 622 | 623 | # Set the keepalive interval for this bridge connection, in 624 | # seconds. 625 | #keepalive_interval 60 626 | 627 | # Set the start type of the bridge. This controls how the bridge starts and 628 | # can be one of three types: automatic, lazy and once. 
Note that RSMB provides 629 | # a fourth start type "manual" which isn't currently supported by mosquitto. 630 | # 631 | # "automatic" is the default start type and means that the bridge connection 632 | # will be started automatically when the broker starts and also restarted 633 | # after a short delay (30 seconds) if the connection fails. 634 | # 635 | # Bridges using the "lazy" start type will be started automatically when the 636 | # number of queued messages exceeds the number set with the "threshold" 637 | # parameter. It will be stopped automatically after the time set by the 638 | # "idle_timeout" parameter. Use this start type if you wish the connection to 639 | # only be active when it is needed. 640 | # 641 | # A bridge using the "once" start type will be started automatically when the 642 | # broker starts but will not be restarted if the connection fails. 643 | #start_type automatic 644 | 645 | # Set the amount of time a bridge using the automatic start type will wait 646 | # until attempting to reconnect. Defaults to 30 seconds. 647 | #restart_timeout 30 648 | 649 | # Set the amount of time a bridge using the lazy start type must be idle before 650 | # it will be stopped. Defaults to 60 seconds. 651 | #idle_timeout 60 652 | 653 | # Set the number of messages that need to be queued for a bridge with lazy 654 | # start type to be restarted. Defaults to 10 messages. 655 | # Must be less than max_queued_messages. 656 | #threshold 10 657 | 658 | # If try_private is set to true, the bridge will attempt to indicate to the 659 | # remote broker that it is a bridge not an ordinary client. If successful, this 660 | # means that loop detection will be more effective and that retained messages 661 | # will be propagated correctly. Not all brokers support this feature so it may 662 | # be necessary to set try_private to false if your bridge does not connect 663 | # properly. 
664 | #try_private true 665 | 666 | # Set the username to use when connecting to an MQTT v3.1 broker 667 | # that requires authentication. 668 | #username 669 | 670 | # Set the password to use when connecting to an MQTT v3.1 broker 671 | # that requires authentication. This option is only used if 672 | # username is also set. 673 | #password 674 | 675 | # Set the username to use on the local broker. 676 | #local_username 677 | 678 | # Set the password to use on the local broker. 679 | # This option is only used if local_username is also set. 680 | #local_password 681 | 682 | # ----------------------------------------------------------------- 683 | # Certificate based SSL/TLS support 684 | # ----------------------------------------------------------------- 685 | # Either bridge_cafile or bridge_capath must be defined to enable TLS support 686 | # for this bridge. 687 | # bridge_cafile defines the path to a file containing the 688 | # Certificate Authority certificates that have signed the remote broker 689 | # certificate. 690 | # bridge_capath defines a directory that will be searched for files containing 691 | # the CA certificates. For bridge_capath to work correctly, the certificate 692 | # files must have ".crt" as the file ending and you must run "c_rehash " each time you add/remove a certificate. 694 | #bridge_cafile 695 | #bridge_capath 696 | 697 | # Path to the PEM encoded client certificate, if required by the remote broker. 698 | #bridge_certfile 699 | 700 | # Path to the PEM encoded client private key, if required by the remote broker. 701 | #bridge_keyfile 702 | 703 | # When using certificate based encryption, bridge_insecure disables 704 | # verification of the server hostname in the server certificate. This can be 705 | # useful when testing initial server configurations, but makes it possible for 706 | # a malicious third party to impersonate your server through DNS spoofing, for 707 | # example. Use this option in testing only. 
If you need to resort to using this 708 | # option in a production environment, your setup is at fault and there is no 709 | # point using encryption. 710 | #bridge_insecure false 711 | 712 | # ----------------------------------------------------------------- 713 | # PSK based SSL/TLS support 714 | # ----------------------------------------------------------------- 715 | # Pre-shared-key encryption provides an alternative to certificate based 716 | # encryption. A bridge can be configured to use PSK with the bridge_identity 717 | # and bridge_psk options. These are the client PSK identity, and pre-shared-key 718 | # in hexadecimal format with no "0x". Only one of certificate and PSK based 719 | # encryption can be used on one 720 | # bridge at once. 721 | #bridge_identity 722 | #bridge_psk 723 | 724 | 725 | # ================================================================= 726 | # External config files 727 | # ================================================================= 728 | 729 | # External configuration files may be included by using the 730 | # include_dir option. This defines a directory that will be searched 731 | # for config files. All files that end in '.conf' will be loaded as 732 | # a configuration file. It is best to have this as the last option 733 | # in the main file. This option will only be processed from the main 734 | # configuration file. The directory specified must not contain the 735 | # main configuration file. 
736 | #include_dir 737 | 738 | # ================================================================= 739 | # Unsupported rsmb options - for the future 740 | # ================================================================= 741 | 742 | #addresses 743 | #round_robin 744 | 745 | # ================================================================= 746 | # rsmb options - unlikely to ever be supported 747 | # ================================================================= 748 | 749 | #ffdc_output 750 | #max_log_entries 751 | #trace_level 752 | #trace_output 753 | -------------------------------------------------------------------------------- /docker-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | exec "$@" 6 | --------------------------------------------------------------------------------
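The acl_file rules documented in mosquitto.conf.example above (an anonymous section before the first user line, per-user sections, pattern lines with %c and %u, + and # wildcards, and an omitted access type meaning read/write) evaluated with a default-deny check over a constructed ACL, as an added Python example that is not part of this repository or of mosquitto itself. The sample users and topics are hypothetical, and refusing identities that contain '/', '+' or '#' during pattern substitution is an assumption of this example, not documented broker behaviour.

```python
from typing import List, Optional, Set, Tuple

# Constructed sample ACL (hypothetical users/topics, not from the repo) in acl_file format.
SAMPLE_ACL = """\
topic read public/#
user alice
topic write sensors/+/alice
topic alerts/#
pattern write sensor/%u/data
pattern read clients/%c/cmd
"""

def parse_acl(text: str) -> List[Tuple[Optional[str], Set[str], str, bool]]:
    rules, current_user = [], None   # rules before any "user" line: user None = anonymous
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):      # '#' as first char = comment
            continue
        keyword, rest = line.split(None, 1)
        if keyword == "user":
            current_user = rest.strip()
            continue
        words = rest.split(None, 1)                # "topic"/"pattern" [read|write] <topic>
        explicit = len(words) == 2 and words[0] in ("read", "write")
        access = {words[0]} if explicit else {"read", "write"}   # omitted = read/write
        topic = words[1] if explicit else rest
        rules.append((current_user, access, topic.strip(), keyword == "pattern"))
    return rules

def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter match: '+' is one level, '#' covers all remaining levels."""
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)

def expand_pattern(pattern: str, clientid: str, username: Optional[str]) -> Optional[str]:
    """Substitute %c/%u (each must be a whole level); None when the rule cannot apply."""
    subst, out = {"%c": clientid, "%u": username}, []
    for level in pattern.split("/"):
        value = subst.get(level, level)
        # %u with no username, or (assumption of this example) an identity holding
        # '/', '+' or '#' that would act as a wildcard: the rule does not apply.
        if value is None or (level in subst and any(c in value for c in "/+#")):
            return None
        out.append(value)
    return "/".join(out)

def acl_allows(rules, clientid: str, username: Optional[str], access: str, topic: str) -> bool:
    """Default deny: grant only when a rule for this client matches the topic."""
    for user, allowed, filt, is_pattern in rules:
        if access not in allowed or (not is_pattern and user != username):
            continue
        if is_pattern:      # pattern rules apply to every client, user lines aside
            filt = expand_pattern(filt, clientid, username)
        if filt is not None and topic_matches(filt, topic):
            return True
    return False
```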