Mosquitto & paho-mqtt-python

Enhance security for mosquitto on Ubuntu 16.04 LTS

Install mosquitto
> sudo apt-add-repository ppa:mosquitto-dev/mosquitto-ppa
> sudo apt-get update
> sudo apt-get install mosquitto mosquitto-clients
Install paho-mqtt-python
> pip install paho-mqtt
Set up mosquitto
The upstream reference configuration, with every option documented, is at https://github.com/eclipse/mosquitto/blob/master/mosquitto.conf (that is the GitHub page, so wget on it returns HTML rather than the file; read it in the browser or fetch the raw file instead). Edit the local config so it contains:
> sudo vi /etc/mosquitto/mosquitto.conf
persistence true
persistence_location /var/lib/mosquitto/
allow_anonymous false
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
Add mosquitto configuration
> sudo vi /etc/mosquitto/conf.d/default.conf
password_file /etc/mosquitto/passwd
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/[hostname]/fullchain.pem
cafile /etc/letsencrypt/live/[hostname]/chain.pem
keyfile /etc/letsencrypt/live/[hostname]/privkey.pem
password_file makes every connection authenticate against the file created in the next step. The 1883 listener is plaintext and bound to localhost, so only processes on the broker host can reach it; 8883 has no bind address, so it listens on every interface and serves TLS with the Let's Encrypt certificate (fullchain.pem carries the leaf plus intermediate; chain.pem satisfies the cafile-or-capath requirement Mosquitto 1.x has for enabling TLS on a listener). Two things to check: mosquitto runs as its own unprivileged user, which cannot read privkey.pem with certbot's default permissions, so copy the three files into a directory that user can read (a certbot deploy hook is the usual place) and restart the broker after each renewal; and the 8883 listener also accepts TLS 1.0 and 1.1 unless it gets a tls_version tlsv1.2 line.
Add mosquitto username and password
> sudo mosquitto_passwd -c /etc/mosquitto/passwd [username]
Password: [password]
Reenter password: [password]
-c creates the file and overwrites an existing one, so drop it when adding further users. The file stores a salted hash, not the password itself. Restart the broker afterwards (systemctl restart mosquitto) so it reads the new file.
Test with the mosquitto subscriber
> mosquitto_sub -h [hostname] -p 8883 --capath /etc/ssl/certs -t [topic] -q [qos] -c -i [clientid] -u [username] -P [password]
Test with the mosquitto publisher
> mosquitto_pub -h [hostname] -p 8883 --capath /etc/ssl/certs -t [topic] -m [message] -q [qos] -i [clientid] -u [username] -P [password]
--capath /etc/ssl/certs validates the broker certificate against the system CA store and checks that [hostname] matches it, so connect by the name on the certificate, not by IP address. -c on mosquitto_sub disables clean session, which is what makes the broker queue messages for [clientid] while it is offline (pair it with -q 1 or 2). Passing -P on the command line leaves the password in shell history and in ps output; fine for a test, not for a service.
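As an added check that is not part of the original post: the stdlib-only auditor below reads a mosquitto.conf with Mosquitto 1.x option semantics (settings after a listener line attach to that listener, everything else is global) and flags the weak settings the configuration above turns off. It is run over three constructed configs: an untouched install, the two files from this page joined, and the same with tls_version pinned. The [hostname] placeholder is the page's; include_dir is not followed, so concatenate mosquitto.conf and conf.d/*.conf into the text you pass it.

```python
"""Audit a mosquitto.conf (Mosquitto 1.x semantics) for the weak settings that the
configuration above turns off. Written for this page; not part of mosquitto."""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Options that mosquitto attaches to the most recent `listener` line.
LISTENER_OPTS = {"certfile", "keyfile", "cafile", "capath", "tls_version",
                 "require_certificate", "use_identity_as_username"}


def parse_conf(text):
    """Return (global_options, listeners) from mosquitto.conf text.

    include_dir is not followed: concatenate mosquitto.conf and conf.d/*.conf
    before calling. Options are `key value`; comment lines start with `#`."""
    global_opts, listeners = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "listener":
            # `listener <port> [bind_address]`; no address means every interface
            args = rest.split()
            bind = args[1] if len(args) > 1 else "0.0.0.0"
            listeners.append({"port": args[0], "bind": bind})
        elif listeners and key in LISTENER_OPTS:
            listeners[-1][key] = rest
        else:
            global_opts[key] = rest
    return global_opts, listeners


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    global_opts, listeners = parse_conf(text)
    findings = []
    # Mosquitto 1.x defaults allow_anonymous to true, so unset is as bad as true
    if global_opts.get("allow_anonymous", "true").lower() != "false":
        findings.append("allow_anonymous is not false: any client can connect without credentials")
    elif "password_file" not in global_opts and "auth_plugin" not in global_opts:
        findings.append("allow_anonymous false with no password_file or auth_plugin: every client is refused")
    if not listeners:
        findings.append("no listener: the default is plaintext port 1883 on every interface")
    for lst in listeners:
        where = "listener %s on %s" % (lst["port"], lst["bind"])
        if "certfile" not in lst or "keyfile" not in lst:
            # plaintext is acceptable only when it cannot leave the host
            if lst["bind"] not in LOOPBACK:
                findings.append(where + ": plaintext and reachable from the network")
            continue
        if "cafile" not in lst and "capath" not in lst:
            findings.append(where + ": Mosquitto 1.x needs cafile or capath to enable TLS")
        if lst.get("tls_version") != "tlsv1.2":
            findings.append(where + ": tls_version not pinned; Mosquitto 1.4 also accepts TLS 1.0 and 1.1")
    return findings


# Constructed samples. WEAK is what an untouched 1.x install amounts to; PAGE is the
# two files from this page joined; HARDENED adds the tls_version pin.
WEAK = """\
persistence true
listener 1883
"""

PAGE = """\
persistence true
persistence_location /var/lib/mosquitto/
allow_anonymous false
log_dest file /var/log/mosquitto/mosquitto.log
password_file /etc/mosquitto/passwd
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/[hostname]/fullchain.pem
cafile /etc/letsencrypt/live/[hostname]/chain.pem
keyfile /etc/letsencrypt/live/[hostname]/privkey.pem
"""

HARDENED = PAGE + "tls_version tlsv1.2\n"

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("PAGE", PAGE), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "no findings")
```

Run against a real broker with `audit(open("/etc/mosquitto/mosquitto.conf").read() + open("/etc/mosquitto/conf.d/default.conf").read())`. The PAGE sample comes back with exactly one finding, the missing tls_version pin on 8883, which is the gap between the configuration above and the "use TLS 1.2" advice.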

paho-mqtt subscriber

import ssl
import sys

import paho.mqtt.client

# Placeholders in [brackets] are the values used in the broker setup above.
CLIENT_ID = '[clientid]'
TOPIC = '[topic]'

def on_connect(client, userdata, flags, rc):
    # rc 0 = accepted; 4 = bad username or password; 5 = not authorised
    if rc != 0:
        print('connection refused (rc=%d)' % rc)
        client.disconnect()
        return
    print('connected (%s)' % CLIENT_ID)
    # qos=2 here plus clean_session=False below gives a durable subscription:
    # the broker queues messages for this client id while it is offline
    client.subscribe(topic=TOPIC, qos=2)

def on_message(client, userdata, message):
    print('------------------------------')
    print('topic: %s' % message.topic)
    print('payload: %s' % message.payload)
    print('qos: %d' % message.qos)

def main():
    client = paho.mqtt.client.Client(client_id=CLIENT_ID, clean_session=False)
    client.username_pw_set('[username]', '[password]')
    client.on_connect = on_connect
    client.on_message = on_message
    # ca_certs must be the root that anchors the broker's chain. DST Root CA X3 was
    # the Let's Encrypt cross-sign root when this was written and expired in 2021;
    # for current Let's Encrypt certificates use ISRG Root X1, or omit ca_certs
    # (paho-mqtt 1.3 or later) so tls_set() trusts the system store like --capath.
    # Hostname verification stays on; never call tls_insecure_set(True) outside a lab.
    client.tls_set('/etc/ssl/certs/DST_Root_CA_X3.pem', tls_version=ssl.PROTOCOL_TLSv1_2)
    client.connect(host='[hostname]', port=8883)
    client.loop_forever()

if __name__ == '__main__':
    main()
    sys.exit(0)

paho-mqtt publisher

import ssl
import sys

import paho.mqtt.publish

def main():
    # publish.single() connects, publishes one message and disconnects.
    # qos=2 so the broker stores the message for the durable subscriber.
    paho.mqtt.publish.single(
        topic='[topic]',
        payload='[message]',
        qos=2,
        hostname='[hostname]',
        port=8883,
        # must differ from the subscriber's id: a broker drops the existing
        # session when a second client connects with the same client id
        client_id='[clientid]',
        auth={
            'username': '[username]',
            'password': '[password]'
        },
        tls={
            # root CA of the broker's chain; see the ca_certs note in the subscriber
            'ca_certs': '/etc/ssl/certs/DST_Root_CA_X3.pem',
            'tls_version': ssl.PROTOCOL_TLSv1_2
        }
    )

if __name__ == '__main__':
    main()
    sys.exit(0)
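What those two clients put on the wire, as an added illustration that is neither code from the post nor paho-mqtt's implementation: an MQTT 3.1.1 CONNECT encoder and a decoder that reads the packet the way a passive sniffer would. On the loopback-only 1883 listener this packet travels in the clear, with username and password as plain length-prefixed fields, which is why that listener stays on localhost and every remote client uses 8883 inside TLS. The Clean Session bit of the flags byte is where paho's clean_session=False ends up. Client id, username and password in the sample are constructed values standing in for [clientid], [username] and [password].

```python
"""MQTT 3.1.1 CONNECT as it crosses the wire. Encoder/decoder written for this page
to show what a plaintext listener exposes; not paho-mqtt's implementation."""
import struct

CONNECT = 0x10
FLAG_USERNAME, FLAG_PASSWORD, FLAG_WILL, FLAG_CLEAN_SESSION = 0x80, 0x40, 0x04, 0x02


def _field(data):
    """Length-prefixed field: 2-byte big-endian length followed by the bytes."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit means more follows."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf, pos):
    """Return (value, position just after the last length byte)."""
    value, mult = 0, 1
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:  # the spec allows at most four length bytes
            raise ValueError("malformed remaining length")


def build_connect(client_id, username=None, password=None,
                  clean_session=False, keepalive=60):
    """Build the CONNECT packet a client sends for Client(client_id, clean_session)."""
    flags = FLAG_CLEAN_SESSION if clean_session else 0
    payload = _field(client_id)
    if username is not None:
        flags |= FLAG_USERNAME
        payload += _field(username)
    if password is not None:
        flags |= FLAG_PASSWORD
        payload += _field(password)
    # variable header: protocol name, protocol level 4 (MQTT 3.1.1), flags, keepalive
    body = _field("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    return bytes([CONNECT]) + encode_remaining_length(len(body)) + body


def parse_connect(packet):
    """Decode CONNECT the way a sniffer on port 1883 would: the credentials are
    ordinary length-prefixed fields, and only TLS on the listener hides them."""
    if packet[0] != CONNECT:
        raise ValueError("not a CONNECT packet")
    length, pos = decode_remaining_length(packet, 1)
    if pos + length != len(packet):
        raise ValueError("remaining length does not match packet size")

    def read_field():
        nonlocal pos
        (n,) = struct.unpack_from("!H", packet, pos)
        pos += 2
        data = packet[pos:pos + n]
        pos += n
        return data

    proto = read_field().decode("utf-8")
    level, flags = packet[pos], packet[pos + 1]
    (keepalive,) = struct.unpack_from("!H", packet, pos + 2)
    pos += 4
    info = {"protocol": proto, "level": level, "keepalive": keepalive,
            "clean_session": bool(flags & FLAG_CLEAN_SESSION),
            "client_id": read_field().decode("utf-8")}
    if flags & FLAG_WILL:  # will topic and will message; the clients above set none
        read_field()
        read_field()
    info["username"] = read_field().decode("utf-8") if flags & FLAG_USERNAME else None
    # the password field is binary data in the spec; decoded here only for display
    info["password"] = read_field().decode("utf-8", "replace") if flags & FLAG_PASSWORD else None
    return info


if __name__ == "__main__":
    # constructed sample values standing in for [clientid], [username], [password]
    pkt = build_connect("sensor-1", "alice", "s3cret", clean_session=False)
    print(pkt.hex())
    print(parse_connect(pkt))
```

Byte 9 of the packet is the flags byte: 0xC0 for the subscriber above (username and password present, Clean Session clear, so the broker keeps the session and queued messages for the client id), 0xC2 if clean_session=True. Everything after it is readable by anyone on the path, which is the whole argument for allow_anonymous false being useless without TLS on any listener that leaves the host.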

erinus says:

If your subscriber wants to receive all unread messages in a topic after starting, you must finish these steps:
Use the same client id when you start the subscriber.
Use clean_session = False when you start the subscriber.
Use qos > 0 when you subscribe to a topic.
Use qos > 0 when you publish a message.
To make your communications safer, you must finish these steps:
Use TLS 1.2
Set allow_anonymous = False
Enable authentication with username and password
If you want more authentication methods, try this mosquitto plugin:
https://github.com/jpmens/mosquitto-auth-plug