PIXILAB Wiki

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
blocks:server:advanced_server_configuration:mqtt [2025-01-09 10:56]
mattias [Security] 		blocks:server:advanced_server_configuration:mqtt [2025-01-13 12:03] (current)
mattias [Blocks Server Configuration File]
Line 120: Line 120:
 The following commands assume you're logged into the terminal as the pixi-admin user. If not use the //su pixi-admin// command to switch to that user, as described above. The following commands assume you're logged into the terminal as the pixi-admin user. If not use the //su pixi-admin// command to switch to that user, as described above.
  
-THe following command will create user named blocks in mosquitto, in the dialog one will be promted to assign a password. +Make sure we have password file to store the users (this will not overwrite if the file already exist:
 <code> <code>
-sudo mosquitto_passwd -c /etc/mosquitto/conf.d/pixi-pwd blocks+sudo touch  /etc/mosquitto/conf.d/pixi-pwd
 </code> </code>
-We must then set the correct file permissions for the password file by issuing this command:+ 
 +Set file ownership and restrictive permissions for the password file:
 <code> <code>
-sudo chmod 644 /etc/mosquitto/conf.d/pixi-pwd+sudo chmod 400 /etc/mosquitto/conf.d/pixi-pwd 
 +sudo chown mosquitto:mosquitto /etc/mosquitto/conf.d/pixi-pwd
 </code> </code>
  
-Finally change the broker configuration and add the line that specifies a password file and turn off the option to use the broker as anonymous user.+Create a user in mosquitto, the example command adds a user named blocks to an existing password file, the dialog o will prompt for a password.  
 +<code> 
 +sudo mosquitto_passwd  /etc/mosquitto/conf.d/pixi-pwd blocks 
 +</code> 
 + 
 +Read the manual for mosquitto_password to find out other options such as delete a user etc. Note, if the -c option is being used the existing file is overwritten and the file permissions must reset as mosquitto runs with limited permissions for security reasons. 
 + 
 +mosquitto_password will throw a warning when adding user while the password file is owned by mosquitto, with this permissions and ownership only root and mosquitto can read the file and mosquitto cannot modify it. It is possible but currently not necessary to temporary change ownership back to root:root while adding new users to mosquitto. 
 + 
 +Change the broker configuration and add the line that specifies a password file and turn off the option to use the broker as anonymous user.
  
 <code> <code>
 sudo nano /etc/mosquitto/conf.d/pixi.conf sudo nano /etc/mosquitto/conf.d/pixi.conf
 </code> </code>
 +The settings:
 <code> <code>
 listener 1883 listener 1883
Line 141: Line 152:
 password_file /etc/mosquitto/conf.d/pixi-pwd password_file /etc/mosquitto/conf.d/pixi-pwd
 allow_anonymous false allow_anonymous false
 +</code>
 +
 +Execute the change we must restart the service:
 +<code>
 +sudo systemctl restart mosquitto.service
 </code> </code>
  
Line 156: Line 172:
  
 If this section is missing in the config file, default settings is assumed for the broker.  If this section is missing in the config file, default settings is assumed for the broker. 
 +
 +
 <code> <code>
 mqtt: mqtt:
   defaultBroker:   defaultBroker:
     address: localhost  # Default is localhost     address: localhost  # Default is localhost
-    username: pixi   Default is no username and password +    username: blocks  Replace blocks with the username you have configured in the broker, leave empty if anonymous user is allowed.  
-    password: pixi+    password: pixi  # Replace pixi with the password setup with your user.
     encryption: false  # Set to true if secure connection (tls) is available.     encryption: false  # Set to true if secure connection (tls) is available.
     port: 1883 # Default is 1883 if non-encypted and 8883 if encrypted     port: 1883 # Default is 1883 if non-encypted and 8883 if encrypted