
Configuring security policies for MQTT (mosquitto)

2019-11-06 10:02:58
Source: repost, contributed by a site user

I recently deployed an MQTT broker on my Mac: I installed it with brew install mqtt, then went to /usr/local/Cellar/mosquitto/1.4.11/etc/mosquitto and edited the mosquitto.conf in that directory to set the relevant options.

The configuration below is borrowed from a set that turns up in any web search; the comments in it are already quite clear.

# =================================================================
# General configuration
# =================================================================
# Client heartbeat (retry) interval
#retry_interval 20
# Refresh interval for the $SYS status topics
#sys_interval 10
# Interval for reclaiming system resources; 0 means as soon as possible
#store_clean_interval 10
# PID file of the server process
#pid_file /var/run/mosquitto.pid
# System user the server process runs as
#user mosquitto
# Maximum number of in-flight messages per client
#max_inflight_messages 10
# Size of the queued-message buffer per client
#max_queued_messages 100
# Expiry time for persistent client sessions; by default they never expire
#persistent_client_expiration

# =================================================================
# Default listener
# =================================================================
# IP address the service binds to
#bind_address
# Port the service binds to
#port 1883
# Maximum number of connections; -1 means no limit
#max_connections -1
# cafile: CA certificate file
# capath: CA certificate directory
# certfile: PEM certificate file
# keyfile: PEM key file
#cafile
#capath
#certfile
#keyfile
capath /etc/mosquitto/tls/
cafile /etc/mosquitto/tls/ca.crt
certfile /etc/mosquitto/tls/server.crt
keyfile /etc/mosquitto/tls/server.key
# Clients must present a certificate, to keep the data secure
#require_certificate false
require_certificate true
# If require_certificate is true, use_identity_as_username must also be true
#use_identity_as_username false
use_identity_as_username true
# Enable PSK (pre-shared-key) support
#psk_hint
# SSL/TLS cipher list; the names can be obtained with the "openssl ciphers" command
# as the output of that command.
#ciphers

# =================================================================
# Persistence
# =================================================================
# Interval at which messages are saved automatically
#autosave_interval 1800
# Switch for saving automatically whenever something changes
#autosave_on_changes false
# Switch for persistence
persistence true
# Persistence DB file
#persistence_file mosquitto.db
# Directory of the persistence DB file
#persistence_location /var/lib/mosquitto/

# =================================================================
# Logging
# =================================================================
# Four log destinations: stdout, stderr, syslog, topic
# none means no logging at all, which gives a small performance gain
log_dest none
# Log levels (more than one may be set)
#log_type error
#log_type warning
#log_type notice
#log_type information
# Whether to log client connection events
#connection_messages true
# Whether to timestamp log lines
#log_timestamp true

# =================================================================
# Security
# =================================================================
# Restrict the prefix of client IDs; can be used to improve security
#clientid_prefixes
# Allow anonymous users
#allow_anonymous true
# User/password file, default format: username:password
#password_file
# PSK password file, default format: identity:key
#psk_file
# pattern write sensor/%u/data
# ACL configuration; the common syntax is:
# per-user rule:  user <username>
# per-topic rule: topic [read|write] <topic>
# pattern rule:   pattern write sensor/%u/data
#acl_file

# =================================================================
# Bridges
# =================================================================
# Allow "bridge" mode between brokers (useful for distributed deployments)
#connection <name>
#address <host>[:<port>]
#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
# Client ID of the bridge
#clientid
# Whether to clear messages on the remote broker when the bridge disconnects
#cleansession false
# Whether to publish bridge status notifications
#notifications true
# Topic that bridge status is published to in bridge mode
# $SYS/broker/connection/<clientid>/state
#notification_topic
# Keepalive value of the bridge
#keepalive_interval 60
# Bridge start type; currently three: automatic, lazy, once
#start_type automatic
# Timeout for the automatic start type
#restart_timeout 30
# Timeout for the lazy start type
#idle_timeout 60
# Username of the bridge client
#username
# Password of the bridge client
#password
# bridge_cafile: CA certificate file of the bridge client
# bridge_capath: CA certificate directory of the bridge client
# bridge_certfile: PEM certificate file of the bridge client
# bridge_keyfile: PEM key file of the bridge client
#bridge_cafile
#bridge_capath
#bridge_certfile
#bridge_keyfile
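As an added example (not part of the original post), here is a small Python checker that parses a mosquitto.conf and flags the weak settings discussed in this file: a plaintext listener, require_certificate without a CA to verify against, anonymous access, no acl_file, and log_dest none. The sample configurations and the /etc/mosquitto/acl path are constructed for the example.

```python
from typing import Dict, List

def parse_mosquitto_conf(text: str) -> Dict[str, str]:
    """Active directives of a mosquitto.conf: 'directive value' per line,
    lines starting with '#' are comments, a repeated directive's last value wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(conf: Dict[str, str]) -> List[str]:
    """Findings for weak settings; an empty list means nothing was flagged."""
    findings: List[str] = []
    has_tls = "certfile" in conf and "keyfile" in conf
    has_ca = "cafile" in conf or "capath" in conf
    mutual_tls = has_tls and has_ca and conf.get("require_certificate") == "true"
    if not has_tls:
        findings.append("certfile/keyfile unset: listener is plaintext")
    elif conf.get("require_certificate") == "true" and not has_ca:
        findings.append("require_certificate true but no cafile/capath to verify client certs")
    if mutual_tls and conf.get("use_identity_as_username") != "true":
        findings.append("use_identity_as_username false: certificate identity is not the username")
    # mosquitto 1.4 defaults allow_anonymous to true, so a missing line counts as true
    if not mutual_tls and conf.get("allow_anonymous", "true") != "false":
        findings.append("allow_anonymous true: unauthenticated clients can connect")
    if not mutual_tls and not ("password_file" in conf or "psk_file" in conf):
        findings.append("no password_file or psk_file: clients cannot be authenticated")
    if "acl_file" not in conf:
        findings.append("acl_file unset: any client may read and write every topic")
    if conf.get("log_dest") == "none":
        findings.append("log_dest none: connections and errors are never logged")
    return findings

# Constructed sample: the active (uncommented) lines of the configuration above.
POST_CONF = "\n".join([
    "capath /etc/mosquitto/tls/", "cafile /etc/mosquitto/tls/ca.crt",
    "certfile /etc/mosquitto/tls/server.crt", "keyfile /etc/mosquitto/tls/server.key",
    "require_certificate true", "use_identity_as_username true",
    "persistence true", "log_dest none"])
# Constructed hardened variant: logging on, anonymous off, ACL file (path is a placeholder).
HARDENED_CONF = POST_CONF.replace("log_dest none", "log_dest syslog") + \
    "\nallow_anonymous false\nacl_file /etc/mosquitto/acl"

if __name__ == "__main__":
    for name, text in (("post", POST_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_mosquitto_conf(text)) or "no findings")
```

Run against the post's own active lines it reports exactly two findings (no ACL file, logging disabled); the hardened variant reports none.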

Later on I need SSL-encrypted communication. The previous post covered the hassle of getting openssl installed; with that done, open a terminal and use openssl to generate the certificates.

First generate the Certificate Authority (CA) certificate and key. This prompts for a lot of fields; use the machine's IP as the Common Name:

openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt

Next, generate the key the server will use:

openssl genrsa -des3 -out server.key 2048

Or, to have no passphrase on the key:

openssl genrsa -out server.key 2048

Then prepare a Certificate Signing Request (CSR) for the MQTT broker; the Common Name here must also be filled in correctly:

openssl req -out server.csr -key server.key -new

Finally, have the CA sign this CSR to produce the broker certificate:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

Then edit mosquitto.conf again and point it at the certificate directory:

capath /etc/mosquitto/tls/
cafile /etc/mosquitto/tls/ca.crt
certfile /etc/mosquitto/tls/server.crt
keyfile /etc/mosquitto/tls/server.key

Then start the mosquitto service. It can be launched from the command line; for convenience I simply ran the mosquitto executable found in /usr/local/Cellar/mosquitto/1.4.11/sbin.

Configure the client side: cd into the certificate directory and convert the certificate to the format the client needs:

openssl x509 -in ca.crt -out ca.der -outform der

The iOS side uses the MQTT-Client-Framework; the configuration is as follows:

MQTTCFSocketTransport *transport = [[MQTTCFSocketTransport alloc] init];
transport.host = @"***.***.***.80";
transport.port = 1883;
transport.tls = YES; // the broker listener is TLS, so the transport must negotiate TLS as well
session_app = [[MQTTSession alloc] init];
session_app.transport = transport;
// Set up the security policy: pin the CA's public key from the bundled ca.der
MQTTSSLSecurityPolicy *securityPolicy = [MQTTSSLSecurityPolicy policyWithPinningMode:MQTTSSLPinningModePublicKey];
NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"ca" ofType:@"der"];
NSData *cerData = [NSData dataWithContentsOfFile:cerPath];
securityPolicy.pinnedCertificates = [[NSArray alloc] initWithObjects:cerData, nil];
securityPolicy.allowInvalidCertificates = YES; // we use a self-signed certificate that is not coupled to a CA infrastructure, so trust rests on the pin
session_app.securityPolicy = securityPolicy; // attach the policy to the session so it is actually applied
session_app.delegate = self;
[session_app connectAndWaitTimeout:30];

One small detail: I dragged the DER certificate straight from the directory into the Xcode project, and pathForResource could not find it; the .der file also has to be added under Build Phases -> Copy Bundle Resources.

Finally, subscribe to a topic from the iOS client; the Mac terminal shows the subscription succeeded. Done!
