Valouzze

Reputation: 11

Mosquitto - How to authorize only one device in the network?

I am a beginner on mosquitto (Alpine Linux machine). After several searches I did not find the answer. I would like to authorize MQTT messages only from one device in the network. I tried changing "aclfile.example" to "acl.acl":

user "equipment IP"
topic test

But this did not restrict the connection to only this equipment (the server can still receive messages from others).

Ideas?

Upvotes: 1

Views: 1468

Answers (2)

hardillb

Reputation: 59791

There are several things that probably need covering here:

  1. Mosquitto ACLs deal in users and topics, not IP addresses.
  2. By default (at least until v2.0.0 shipped this week) mosquitto allows clients to connect without specifying a username/password. You can disable this by adding allow_anonymous false to the config file.
  3. Just renaming the example ACL file will not cause it to be loaded; you need to explicitly point to it in the config file with the acl_file directive.
  4. You will also need to specify a password file with the password_file directive if you want to ensure that a specific username can only be used by authorised clients.

If you really want to limit access to a single local machine then you may do better looking to use the firewall to only accept external connections from that IP address, e.g. iptables on Linux.

Upvotes: 1

JD Allen

Reputation: 944

There are a couple of ways to do this. The easiest would be to define one user, and disable anonymous access. Your mosquitto.conf file would look like this:

port 1883
allow_anonymous false
password_file /etc/mosquitto/pwfile

You might have other options in your config file for things like logging and persistence, but these lines would only let clients that had the user/password connect. You then set your one username/password up in the pwfile file. Here's a great blog post about how to do that: http://steves-internet-guide.com/mqtt-username-password-example/

Keep in mind that your client node now has to also provide the username/password on the CONNECT packet, or be denied access.

Another way would be to issue an SSL cert to your client, and only allow that cert in. Again, Steve has a great blog post about how to set that up: http://www.steves-internet-guide.com/creating-and-using-client-certificates-with-mqtt-and-mosquitto/

Upvotes: 0
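Both answers come down to the same checks: anonymous access must be off, a password_file must exist, the ACL file must actually be referenced by acl_file, and ACL "user" lines name usernames, not IP addresses. The following is an added example (not code from the question or either answer) that audits a mosquitto.conf and ACL file for exactly those points; the config and ACL texts are constructed samples, the weak one mirroring the asker's setup and the fixed one the answers' recommendation.

```python
import re
import ipaddress

# Constructed samples (not from the original post): the asker's setup, then the fix.
WEAK_CONF = "port 1883\n"
FIXED_CONF = """
port 1883
allow_anonymous false
password_file /etc/mosquitto/pwfile
acl_file /etc/mosquitto/acl.acl
"""
# The asker's ACL uses an IP address where mosquitto expects a username.
WEAK_ACL = "user 192.168.1.50\ntopic test\n"
FIXED_ACL = """
user sensor01
topic readwrite test
"""

def parse_conf(text):
    """Return {directive: value} for mosquitto.conf-style text, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def audit(conf_text, acl_text=""):
    """List the misconfigurations discussed in the answers as short strings."""
    conf = parse_conf(conf_text)
    findings = []
    # Before 2.0 an absent allow_anonymous meant anonymous clients were accepted.
    if conf.get("allow_anonymous", "true").lower() != "false":
        findings.append("anonymous clients allowed: set allow_anonymous false")
    if "password_file" not in conf:
        findings.append("no password_file: usernames are not authenticated")
    if acl_text and "acl_file" not in conf:
        findings.append("ACL file exists but acl_file directive is missing")
    # ACLs match on the username sent in CONNECT; an IP here never matches anyone.
    for m in re.finditer(r"^\s*user\s+(\S+)", acl_text, re.M):
        try:
            ipaddress.ip_address(m.group(1))
            findings.append(f"ACL user '{m.group(1)}' is an IP address; ACLs match usernames")
        except ValueError:
            pass
    return findings
```

Running audit(WEAK_CONF, WEAK_ACL) reports all four problems; audit(FIXED_CONF, FIXED_ACL) reports none.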
