jeans/home-assistant.io
jeans/home-assistant.io
1
0
Fork 0
mirror of https://github.com/home-assistant/home-assistant.io.git synced 2025-05-15 15:39:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
home-assistant.io/source/_addons/mosquitto.markdown
Matt White 15dd6dba7e Add section on Mosquitto ACLs (#5542) 
* Add section on Mosquitto ACLs

* Fix typo
2018-06-15 00:38:58 +02:00

3.1 KiB
Raw Blame History

layout, title, description, date, sidebar, comments, sharing, footer, featured
layout title description date sidebar comments sharing footer featured
page Mosquitto MQTT broker Fast and reliable MQTT broker. 2017-04-30 13:28 true false true true true

Set up Mosquitto as MQTT broker.

{
  "plain": true,
  "ssl": false,
  "anonymous": true,
  "logins": [
    {"username": "testuser", "password": "mypw"},
    {"username": "testuser2", "password": "mypw2"}
  ],
  "customize": {
    "active": false,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

Make sure you use logins and disable anonymous access if you want to secure the system.

Configuration variables:

  • plain (Optional): Listen on port 1883 without SSL/TLS. Defaults to true.
  • ssl (Optional): Listen on port 8883 with SSL/TLS. This requires certificates. Defaults to false.
  • anonymous (Optional): Allow anonymous connections. If logins is set, the anonymous user can only read data. Defaults to true.
  • logins (Optional): A list of users that will be created with username and password.
  • customize (Optional): If you enable it, it reads additional configuration files (*.conf) from /share/mosquitto.

{% linkable_title Home Assistant configuration %}

To use the Mosquitto as broker, add the following entry to the configuration.yaml file.

# Example configuration.yaml entry
mqtt:
  broker: core-mosquitto

If username and password are set up in add-on, your configuration.yaml file should contain that data.

mqtt:
  broker: core-mosquitto
  username: YOUR_USERNAME
  password: YOUR_PASSWORD

{% linkable_title Listening simultaneously on SSL/TLS (8883) and insecure (1883) ports %}

  1. Configure SSL/TLS as normal.
  2. Set customize flag to true in your configuration.
  3. Create a file in /share/mosquitto named insecure.conf with the following contents:
listener 1883
protocol mqtt
  1. Restart MQTT

It's recommended that you only open your firewall to the SSL/TLS port (8883) and only use the insecure port (1883) for local devices. Also, disable `anonymous:` and set `logins:`.

{% linkable_title Access Control Lists (ACLs) %}

It is possible to restrict access to topics based upon the user logged in to Mosquitto. In this scenario it is recommended to create individual users for each of your clients and create an appropriate ACL.

See the following links for more information:

Add the following configuration to enable ACLs:

  1. Set customize flag to true in your configuration.
  2. Create a file in /share/mosquitto named acl.conf with the following contents:
acl_file /share/mosquitto/accesscontrollist
  1. Create a file in /share/mosquitto named accesscontrollist and add contents according to your requirements.