Mosquitto
Below are some sample configurations for the Mosquitto Message Broker. The configurations were created based on the official Mosquitto documentation. The configuration file (mosquitto.conf) of the broker can be found in the installation directory of the broker (for example C:\Program Files\mosquitto). This can be opened and edited with a text editor of your choice, for example Notepad.
We recommend creating a backup before making changes to the configuration file. Alternatively, you can create additional configuration files and load them from the command line when starting the broker:
mosquitto.exe -c mosquitto.conf
For debugging and testing purposes, we recommend starting the broker in a command line, since verbose output can also be enabled here:
mosquitto.exe -c mosquitto.conf -v
Note (Mosquitto start in the command line): Before starting Mosquitto Broker from the command line, please make sure that no active Mosquitto process is running on your system. This may be the case, for example, if Mosquitto Broker was installed and started as a Windows service. Therefore, please check Windows Task Manager and Windows Services Manager.
In the following you will now find some sample configurations for different use cases. These configurations were created based on Mosquitto Message Broker version 2.0.15 and are also available in our TF6701_Samples repository on GitHub.
Unsecured connection
The following configuration file content configures the broker for an unsecured connection without TLS and without user authentication.
listener 1883
allow_anonymous true
Unsecured connection with user authentication
The following configuration file content configures the broker for an unsecured connection without TLS, but with user authentication.
listener 1883
allow_anonymous false
password_file C:\Program Files\mosquitto\users.pwd
The user database specified with the password_file parameter can be created with the mosquitto_passwd tool, which is also located in the broker installation directory. The following call creates a new user database and adds the user MyUser1 with the password SecurePassword:
mosquitto_passwd.exe -b -c "C:\Program Files\mosquitto\users.pwd" MyUser1 SecurePassword
By using the -b parameter, a password can be passed directly in the call. The -c parameter creates a new password file. If a new user is to be added to an existing file, this parameter is omitted.
mosquitto_passwd.exe -b "C:\Program Files\mosquitto\users.pwd" MyUser2 AnotherSecurePassword
Note (Plain text transmission of the password): Please note that in the case of an insecure, i.e. non-encrypted MQTT connection, the password is transmitted in plain text during user authentication. We therefore recommend encrypting the MQTT communication using TLS, see the sample configurations below.
Unsecured connection with user authentication and ACL
The following configuration file content configures the broker for an unsecured connection without TLS, but with user authentication and using an Access Control List (ACL) that regulates user access to specific topics.
listener 1883
allow_anonymous false
password_file C:\Program Files\mosquitto\users.pwd
acl_file C:\Program Files\mosquitto\userAccess.acl
As described in the previous sample, the user database referenced as password_file can be created using the mosquitto_passwd tool. The access list file referenced as acl_file is a plain text file which is constructed according to a specific format. This format is described in more detail in the Mosquitto documentation. The following file shows a sample of what an access list for two users might look like: each user is granted access only to their own topic area, while an administrator user has access to all topics.
user Admin
topic #
user MyUser1
topic users/MyUser1/#
user MyUser2
topic users/MyUser2/#
Note (Access to a topic that is not allowed): Please note that the client does not receive any feedback from the Mosquitto Message Broker when accessing (Publish/Subscribe) a topic that is not allowed. From the client's point of view, the process appears to be successful, but the broker does not transmit or forward any messages to the client other than the regular MQTT command packets.
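Because a denied topic produces no error at the client, the practical way to verify an ACL is to evaluate the file offline before deploying it. The following is an added example (not code from this page or from the Mosquitto project) that parses the two-user access list above and answers whether a given user may access a given topic; it models only the user and topic lines used here, with MQTT wildcard matching for + and #.

```python
"""Offline check of a Mosquitto-style ACL file. Added example, not code from the
page or the Mosquitto project; it models only the 'user' and 'topic <filter>'
lines used above (read and write alike). The broker gives a client no error on a
denied topic, so checking the file before deployment is the way to verify it."""

# Constructed sample: the two-user ACL shown above
ACL_TEXT = """user Admin
topic #
user MyUser1
topic users/MyUser1/#
user MyUser2
topic users/MyUser2/#
"""


def topic_matches(filt: str, topic: str) -> bool:
    """'+' matches one level; '#' (last level only) matches the rest, including
    the parent itself ('users/MyUser1/#' matches 'users/MyUser1')."""
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def parse_acl(text: str) -> dict:
    """Map user -> [filter]. Key None holds rules listed before the first
    'user' line, which apply to every client."""
    rules, current = {None: []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "user":
            current = rest.strip()
            rules.setdefault(current, [])
        elif key == "topic" and rest.strip():
            # 'topic [read|write|readwrite] <filter>': keep only the filter
            words = rest.split()
            rules[current].append(words[-1])
    return rules


def is_allowed(rules: dict, user: str, topic: str) -> bool:
    """True if any general rule or any rule for this user matches the topic."""
    return any(topic_matches(f, topic)
               for f in rules.get(None, []) + rules.get(user, []))
```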
TLS connection with PSK
The following configuration file content configures the broker for a secured connection with TLS using a pre-shared key (PSK). No user authentication is configured.
listener 8883
allow_anonymous true
psk_hint TwinCATrocks
psk_file C:\Program Files\mosquitto\myKeys.psk
The file referenced as psk_file then contains a list of pre-shared keys. This is a plain text file in which the PSKs are listed line by line in the identity:key format. The key is specified in hexadecimal format. Example:
MyIdentity1:ab123456789cd
MyIdentity2:ef987654321ab
The psk_hint parameter is important because it enables TLS-PSK for the listener.
TLS connection with certificate
The following configuration file content configures the broker for a secured connection with TLS using a certificate. No user authentication is configured.
This sample assumes that you have a Certificate Authority (CA) that can issue server certificates. There are various tutorials on the web which demonstrate, for example, how you can create such a CA using OpenSSL and issue corresponding certificates.
listener 8883
allow_anonymous true
cafile C:\ca\certs\fullChain.pem
crlfile C:\ca\crl\intermediateCA.crl
certfile C:\Program Files\mosquitto\certs\mosquitto.pem
keyfile C:\Program Files\mosquitto\certs\mosquitto.key
TLS connection with certificate and user authentication
The following configuration file content configures the broker for a secured connection with TLS using a certificate. In addition, user authentication is configured specifying the user database file.
This sample assumes that you have a Certificate Authority (CA) that can issue server certificates. There are various tutorials on the web which demonstrate, for example, how you can create such a CA using OpenSSL and issue corresponding certificates.
listener 8883
allow_anonymous false
password_file C:\Program Files\mosquitto\users.pwd
cafile C:\ca\certs\fullChain.pem
crlfile C:\ca\crl\intermediateCA.crl
certfile C:\Program Files\mosquitto\certs\mosquitto.pem
keyfile C:\Program Files\mosquitto\certs\mosquitto.key
Clients attempting to connect to this broker must have a valid certificate issued by the same Certificate Authority.
TLS connection with certificate, user authentication and ACL
The following configuration file content configures the broker for a secured connection with TLS using a certificate. In addition, user authentication is configured specifying the user database file, as well as an Access Control List (ACL) which configures various access rights for the users (see sample above).
This sample assumes that you have a Certificate Authority (CA) that can issue server certificates. There are various tutorials on the web which demonstrate, for example, how you can create such a CA using OpenSSL and issue corresponding certificates.
listener 8883
allow_anonymous false
use_identity_as_username true
password_file C:\Program Files\mosquitto\users.pwd
acl_file C:\Program Files\mosquitto\userAccess.acl
cafile C:\ca\certs\fullChain.pem
crlfile C:\ca\crl\intermediateCA.crl
certfile C:\Program Files\mosquitto\certs\mosquitto.pem
keyfile C:\Program Files\mosquitto\certs\mosquitto.key
Clients attempting to connect to this broker must have a valid certificate issued by the same Certificate Authority.
This sample additionally uses the use_identity_as_username parameter, which causes the CommonName (CN) of the client certificate to be used as the user name.
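To catch the weak combinations discussed on this page before a broker goes live, the following added example (not code from this page or from the Mosquitto project) reads a configuration in the form shown above and reports three conditions: allow_anonymous true without PSK or client certificates, a password_file on a listener without TLS (the plain text password case from the earlier note), and use_identity_as_username true without require_certificate true, which Mosquitto documents as a prerequisite for that option. It is a simplified model: every option is attached to the most recent listener line, and only the options used in these samples are examined.

```python
"""Offline sanity check of listener settings in a mosquitto.conf. Added example,
not code from the page or the Mosquitto project; it models only the options used
in the samples above and attaches each option to the most recent 'listener'
line (options before the first one land under 'global')."""

FINDINGS = {
    "anon": "allow_anonymous true without PSK or client certificates",
    "plain_pw": "password_file on a listener without TLS: plaintext credentials",
    "identity": "use_identity_as_username true without require_certificate true",
}


def parse_listeners(text: str) -> list:
    """Return one option dict per listener, the first entry being 'global'."""
    listeners = [{"listener": "global"}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")  # values may contain spaces (paths)
        if key == "listener":
            listeners.append({"listener": value.strip()})
        else:
            listeners[-1][key] = value.strip()
    return listeners


def audit(text: str) -> list:
    """Return (listener, finding) pairs for the weak settings modelled here."""
    found = []
    for o in parse_listeners(text):
        port, tls = o["listener"], ("certfile" in o or "psk_hint" in o)
        client_auth = "psk_hint" in o or o.get("require_certificate") == "true"
        if o.get("allow_anonymous") == "true" and not client_auth:
            found.append((port, FINDINGS["anon"]))
        if "password_file" in o and not tls:
            found.append((port, FINDINGS["plain_pw"]))
        if o.get("use_identity_as_username") == "true" and o.get("require_certificate") != "true":
            found.append((port, FINDINGS["identity"]))
    return found


# Constructed samples: the "unsecured connection with user authentication"
# listener from above, and a TLS listener that maps the certificate CN to the user
PLAIN_AUTH = "listener 1883\nallow_anonymous false\npassword_file C:\\Program Files\\mosquitto\\users.pwd\n"
TLS_IDENTITY = ("listener 8883\nallow_anonymous false\nuse_identity_as_username true\n"
                "certfile C:\\Program Files\\mosquitto\\certs\\mosquitto.pem\n"
                "keyfile C:\\Program Files\\mosquitto\\certs\\mosquitto.key\n")
```

Appending require_certificate true to the TLS_IDENTITY sample clears its finding, which is the change to make when the certificate CN is meant to serve as the user name.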