MQTT Mosquitto config does not accept a listener that includes an IP address

Tags: mqtt, mosquitto

I am running Mosquitto on a local server, and my goal is to have 3 listeners:

- all local network clients connecting without TLS on port 1883 (port 1883 is closed to the public by the router)
- external clients connecting with TLS on port 8883
- external clients connecting without TLS on port 8880

This works fine with the following configuration:
# Local MQTT
listener 1883
# End Local MQTT
# Insecure MQTT
listener 8880
# End Insecure MQTT
# Secure MQTT
listener 8883
## This is standard and should always be this
cafile /etc/ssl/certs/DST_Root_CA_X3.pem
## These are from your installation of LE
certfile /home/pi/.node-red/certs/fullchain.pem
keyfile /home/pi/.node-red/certs/privkey.pem
## Force all clients in this listener to provide a valid certificate, change th$
require_certificate true
## Stop all unauthorised connections
allow_anonymous false
## Use password file
password_file /etc/mosquitto/passwordfile
and produces healthy Mosquitto log entries:
1575720819: Opening ipv4 listen socket on port 1883.
1575720819: Opening ipv6 listen socket on port 1883.
1575720819: Opening ipv4 listen socket on port 8883.
1575720819: Opening ipv6 listen socket on port 8883.
1575720819: Opening ipv4 listen socket on port 8880.
1575720819: Opening ipv6 listen socket on port 8880.
1575720820: New connection from 140.238.70.128 on port 8880.
1575719390: New client connected from 140.238.70.128 as telegraf (c1, k60, u'raspPi').
But... I want to make sure that only the client at 140.238.70.128 can connect to port 8880 (TLS is not an option), so I added the IP address to the config:
# Insecure MQTT
listener 8880 140.238.70.128
# End Insecure MQTT
But this causes Mosquitto to stop, with the log showing:
1575720699: Opening ipv4 listen socket on port 1883.
1575720699: Opening ipv6 listen socket on port 1883.
1575720699: Opening ipv4 listen socket on port 8883.
1575720699: Opening ipv6 listen socket on port 8883.
1575720699: Opening ipv4 listen socket on port 8880.
1575720699: Error: Cannot assign requested address
Any advice on why this does not work, or an alternative, would be greatly appreciated.
Edit: I also tried restricting the listener to IPv4, but the result is exactly the same:
# Insecure MQTT
listener 8880 140.238.70.128
socket_domain ipv4
# End Insecure MQTT
The listener directive can only take a local address of the machine the broker is running on. This is used to bind the socket to that address on the required port.
You cannot use it as a filter for remote machines; in fact, there is no way to configure a port to only accept connections from a specific IP address in mosquitto* (or any other broker that I know of).
The only way to achieve what you want is to use the machine's firewall to drop any packets from other IP addresses that are destined for that port. You can do this with iptables. Something like:
iptables -A INPUT -p tcp --dport 8880 ! -s 140.238.70.129 -j DROP
This will drop any TCP packets to port 8880 that are not from 140.238.70.129.
While this will work, it will only block IPv4 clients, so if your network has a correctly routed IPv6 setup, you will also need to use ip6tables to block access (and to block access to port 1883).
*You could write a custom authentication plugin to do this, but I am not sure you get the remote IP address in the details about the connecting user. Also, I do not think you can tie authentication to a single listener.
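As an added example (not code from the question or the answer), the POSIX shell script below covers both points made above: `check_listener_bind` parses the `listener PORT [ADDRESS]` lines of a mosquitto.conf and reports any bind address that is not assigned to the host, which is the condition behind the "Cannot assign requested address" error in the question; `firewall_rules` prints the iptables and ip6tables rules for the answer's approach, restricting a port to one IPv4 source (host or CIDR) and dropping IPv6 traffic to that port, since the allowed client is IPv4 only. The function names, the assumption that `hostname -I` (Linux) lists the host's addresses, and the use of `/` as an internal separator are mine; addresses in the usage comment are taken from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Two helpers: one explains the "Cannot assign requested address" failure by
# checking whether each 'listener PORT ADDRESS' bind address is local, the other
# prints the iptables/ip6tables rules that implement the answer's firewall approach.

# check_listener_bind CONF LOCAL_ADDRS
#   CONF        path to a mosquitto.conf
#   LOCAL_ADDRS whitespace-separated addresses assigned to this host
#               (assumption: the caller obtains them, e.g. from 'hostname -I')
# Prints one line per listener and returns 1 if any bind address is not local,
# which is what mosquitto reports as "Error: Cannot assign requested address".
check_listener_bind() {
    conf=$1
    local_addrs=$2
    rc=0
    # Drop comments, keep 'listener PORT [ADDRESS]' lines as PORT/ADDRESS
    # ('/' cannot appear in an address, so IPv6 colons are safe).
    entries=$(sed -e 's/#.*//' "$conf" | awk '$1 == "listener" { print $2 "/" $3 }')
    for entry in $entries; do
        port=${entry%%/*}
        addr=${entry#*/}
        if [ -z "$addr" ]; then
            echo "listener $port: no address, binds every local interface"
            continue
        fi
        case " $local_addrs " in
            *" $addr "*)
                echo "listener $port $addr: local address, bind will succeed" ;;
            *)
                echo "listener $port $addr: NOT a local address, mosquitto will fail with 'Cannot assign requested address'"
                rc=1 ;;
        esac
    done
    return $rc
}

# firewall_rules PORT ALLOWED_SOURCE
#   Prints (does not apply) the rules that leave PORT reachable only from
#   ALLOWED_SOURCE, an IPv4 host or CIDR range. Review the output, then pipe
#   it into sh as root to apply it.
firewall_rules() {
    port=$1
    allowed=$2
    # IPv4: drop everything to the port that does not come from the allowed source
    echo "iptables -A INPUT -p tcp --dport $port ! -s $allowed -j DROP"
    # IPv6: the allowed source is IPv4, so no IPv6 client is legitimate on this port
    echo "ip6tables -A INPUT -p tcp --dport $port -j DROP"
}

# Usage (assumption: Linux, where 'hostname -I' lists the host's addresses):
#   sh mosq_listener_check.sh /etc/mosquitto/mosquitto.conf
#   sh mosq_listener_check.sh --rules 8880 140.238.70.128
case "${1:-}" in
    --rules) firewall_rules "$2" "$3" ;;
    ?*) check_listener_bind "$1" "$(hostname -I 2>/dev/null) 127.0.0.1 ::1" ;;
esac
```

Running the check against the question's configuration shows `listener 8880 140.238.70.128` flagged as a non-local address, which is the broker's startup error in prose; the same function passes `listener 8880` with no address, because binding all interfaces is always possible. The rules printed by `firewall_rules 1883 192.168.1.0/24` cover the answer's closing remark about also restricting port 1883 to the LAN.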