dockerfiles/mosquitto/README.md

mosquitto
=========

![](https://badge.imagelayers.io/vimagick/mosquitto:latest.svg)

[Mosquitto][1] is an open source (BSD licensed) message broker that implements
the MQTT protocol versions 3.1 and 3.1.1.

## docker-compose.yml

```yaml
version: "3.8"
services:
  mosquitto:
    image: vimagick/mosquitto
    ports:
      - "1883:1883"
    volumes:
      - ./data/etc:/etc/mosquitto
      - ./data/var:/var/lib/mosquitto
    restart: unless-stopped
```

## mosquitto.conf

```ini
listener 1883
log_dest stdout
allow_anonymous false
password_file /etc/mosquitto/pwfile
persistence true
persistence_location /var/lib/mosquitto
persistence_file mosquitto.db
#plugin /usr/lib/mosquitto_dynamic_security.so
#plugin_opt_config_file /etc/mosquitto/dynamic-security.json

###### ENABLE TLS ######
listener 8883
protocol mqtt
capath /etc/ssl/certs
certfile /var/lib/mosquitto/fullchain.pem
keyfile /var/lib/mosquitto/privkey.pem
require_certificate false
```

- `pwfile` is managed by [mosquitto_passwd][3].
- Two methods to support TLS:
  - You can get free TLS certificates from letsencrypt, `capath` is needed.
  - Self-signed TLS keys can be generated by [openssl][2], `cafile` is needed.

> It is important to use different certificate subject parameters for your self-signed CA, server and clients.

## server

```bash
$ mkdir -p data/{etc,var}
$ chmod -R 777 data
$ touch data/etc/mosquitto.conf data/etc/pwfile
$ vi data/etc/mosquitto.conf
$ docker-compose up -d
$ docker-compose exec mosquitto sh
>>> cd /etc/mosquitto
>>> mosquitto_passwd -b pwfile username password
>>> cat pwfile
username:$6$IuF7JUzS1k/QoF3y$YpiClom7/==
>>> exit
$ docker-compose restart
$ docker-compose logs -f
Attaching to mosquitto_mosquitto_1
mosquitto_1  | 1478107412: mosquitto version 1.4.8 (build date 2016-05-16 14:17:19+0000) starting
mosquitto_1  | 1478107412: Config loaded from /etc/mosquitto/mosquitto.conf.
mosquitto_1  | 1478107412: Opening ipv4 listen socket on port 8883.
mosquitto_1  | 1478107412: Opening ipv6 listen socket on port 8883.
mosquitto_1  | 1478107437: New connection from 192.168.31.102 on port 8883.
mosquitto_1  | 1478107437: New client connected from 192.168.31.102 as mosqsub/38158-Kevins-Ma (c1, k60).
mosquitto_1  | 1478107585: New client connected from 192.168.31.102 as mosqpub/38324-Kevins-Ma (c1, k60).
mosquitto_1  | 1478107585: Client mosqpub/38324-Kevins-Ma disconnected.
```

## client

```bash
$ mosquitto_sub -d -h 192.168.31.231 -p 8883 --cafile ca.crt --insecure -u username -P password -t hello
Client mosqsub/38158-Kevins-Ma sending CONNECT
Client mosqsub/38158-Kevins-Ma received CONNACK
Client mosqsub/38158-Kevins-Ma sending SUBSCRIBE (Mid: 1, Topic: hello, QoS: 0)
Client mosqsub/38158-Kevins-Ma received SUBACK
Subscribed (mid: 1): 0
Client mosqsub/38158-Kevins-Ma sending PINGREQ
Client mosqsub/38158-Kevins-Ma received PINGRESP
received PUBLISH (d0, q0, r0, m0, 'hello', ... (5 bytes))
world
Client mosqsub/38158-Kevins-Ma sending PINGREQ
Client mosqsub/38158-Kevins-Ma received PINGRESP
```

```bash
$ mosquitto_pub -d -h 192.168.31.231 -p 8883 --cafile ca.crt --insecure -u username -P password -t hello -m world
Client mosqpub/38324-Kevins-Ma sending CONNECT
Client mosqpub/38324-Kevins-Ma received CONNACK
Client mosqpub/38324-Kevins-Ma sending PUBLISH (d0, q0, r0, m1, 'hello', ... (5 bytes))
Client mosqpub/38324-Kevins-Ma sending DISCONNECT
```

[1]: http://mosquitto.org/
[2]: https://mosquitto.org/man/mosquitto-tls-7.html
[3]: https://mosquitto.org/man/mosquitto_passwd-1.html