Mosquitto on Raspberry pi stuck in local mode - raspberry-pi

I am attempting to get my MQTT server to work on my network. Currently I receive the following message:
Starting in local mode only. Connections will only be possible from clients running on this machine.
Based on information from Mosquitto, I need to update the /etc/mosquitto/mosquitto.conf file to allow for non-local access:
pid_file /run/mosquitto/mosquitto.pid
persistence true
persistence_location mosquitto/data
#/var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
listener 1883
allow_anonymous true
But running with this adapted .conf file it does not allow non-local access. What am I doing wrong?

In the man page of Mosquitto, you can see that listener specifies the port and bind address/host of the MQTT broker:
listener port [bind address/host/unix socket path]
Since version 2.0, the default config will only bind to localhost.
If you run version ^2.0, you only allow for local connections because no host is set. Therefore just change the listener line to:
listener 1883 0.0.0.0
This will allow any machine to connect; you can also specify explicit IP addresses that are allowed to connect.

Related

Mosquitto client not connecting with LAN ip

I'm stumped on this one.
I have an OpenSprinkler3.0 controller that will report to an MQTT broker. I have one RPi4 with homeassistant and Mosquitto broker installed. I have a separate RPiZero with Raspbian and Mosquitto 1.5.7 installed. I have a domain (mqtt.example.com) that directs to my router and port 1883 forwards to 1883 on the RPiZero.
Here's the RPiZero config
pid_file /var/run/mosquitto.pid
listener 1883
protocol mqtt
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous true
password_file /etc/mosquitto/passwordfile
connection homeassistant
address mqtt.example.com:8883
bridge_cafile /etc/ssl/certs/ISRG_Root_X1.pem
#topic # out 0
#topic # in 0
topic # both 0
remote_username xxxxxx
remote_password xxxxxx
If I use the WAN address (mqtt.example.com:1883) for the RPiZero, Open Sprinkler connects and sends messages to the broker, no problem.
But using the LAN IP address (192.168.1.51:1883), it doesn't work. Here's the weird thing. If I put in the LAN IP for the RPi4 broker running homeassistant (192.168.1.50:1883), it connects to that broker and works fine.
I've tried Android and Windows MQTT clients, and they connect to both brokers fine using WAN and LAN addresses. So for whatever reason, the OpenSprinkler can connect to one RPi using MQTT broker, but not another. Other clients don't have the same issue. Any ideas?
Thanks,
Seth
Turns out restarting the router solved the problem. Some other devices were acting odd causing me to reboot. Google WIFI is not my favorite product these days...
Thanks!

Unable to connect to Kafka Server from my localhost

I have my Kafka Server running on another system. I am trying to run the client from my local machine by giving the broker URL of the machine where the Kafka server is running. But unfortunately I am not able to connect to the Kafka server.
server.properties files has the below attributes:
group.initial.rebalance.delay.ms=0
listeners=SASL_PLAINTEXT://localhost:9093
advertised.listeners=SASL_PLAINTEXT://localhost:9093
#advertised.listeners=SASL_PLAINTEXT://10.97.123.52:9093
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
While running my client from my local machine, I am passing the broker URL of the server machine, but I am unable to connect :( . Can anyone help with this problem?
A bit simplified, but ... the client first connects to the bootstrap server to get the metadata. Based on that metadata it will open another TCP connection to the broker which is the leader for the topic/partition the client wants to speak with.
The first connection is done based on the bootstrap server address which you set. The second connection is opened to the address from the metadata. And the metadata will in your case contain the address from the advertised.listeners field, which is localhost. So the client will try to connect to localhost:9093 and not to your broker. So you need to set advertised.listeners to use the address under which the broker is visible to the clients (which is maybe the line which is commented out in your config example?).
You also have the listeners field set to listen on localhost only, so it will not be accessible from the external IP address. You have to change it to listen on the external IP address. Most probably setting it to the following value (i.e. without localhost) should help:
listeners=SASL_PLAINTEXT://:9093
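The two-hop behaviour described in this answer (bootstrap connect to the address the client dialled, then a second connect to whatever advertised.listeners says), as an added example that is not part of the original thread: a small checker that reads a server.properties fragment and reports, in the order a remote client meets them, the bind address that refuses the bootstrap connect and the advertised address that sends the client back to its own localhost. The two config fragments are constructed here; the first mirrors the question's settings.

```python
# Constructed server.properties fragments (not the poster's real file): the first
# reproduces the question's broken settings, the second is the corrected form.
BROKEN = """\
listeners=SASL_PLAINTEXT://localhost:9093
advertised.listeners=SASL_PLAINTEXT://localhost:9093
#advertised.listeners=SASL_PLAINTEXT://10.97.123.52:9093
sasl.enabled.mechanisms=PLAIN
"""
FIXED = """\
listeners=SASL_PLAINTEXT://:9093
advertised.listeners=SASL_PLAINTEXT://10.97.123.52:9093
"""

# Hosts that always resolve to the machine doing the connecting.
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def listener_host_port(url):
    """'SASL_PLAINTEXT://host:9093' -> ('host', 9093); an empty host means
    the broker binds every interface."""
    hostport = url.split("://", 1)[1]
    host, _, port = hostport.rpartition(":")
    return host, int(port)

def check_broker(text):
    """Return the problems a client on ANOTHER machine would hit.
    Hop 1: the bootstrap TCP connect goes to the bind address in 'listeners'.
    Hop 2: the metadata reply carries 'advertised.listeners', and the client
    dials that for the partition leader, so 'localhost' there means the
    client connects to itself."""
    props = parse_properties(text)
    problems = []
    bind_host, bind_port = listener_host_port(props["listeners"])
    if bind_host in LOCAL_ONLY:
        problems.append(f"listeners binds {bind_host}:{bind_port}: "
                        "bootstrap connect from another host is refused")
    # Kafka falls back to 'listeners' when advertised.listeners is unset.
    adv_host, adv_port = listener_host_port(
        props.get("advertised.listeners", props["listeners"]))
    if adv_host in LOCAL_ONLY:
        problems.append(f"advertised.listeners gives {adv_host}:{adv_port}: "
                        "remote client will dial its own machine for the leader")
    return problems
```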

Securing Mosquitto Connections - MQTT

I set up a broker on a Windows PC which is publishing messages to Raspberry Pis (clients). On the same Windows machine I'm running a node.js server which is also a mosquitto client which can publish messages to the broker running on the same Windows machine.
I looked up (by simple googling and reading the official documentation) how I can secure the mosquitto connections. But I still ran into some issues:
How can I only allow a mosquitto broker to communicate with clients running on the same machine? (e.g. for simply publishing sensor values to a local frontend via websockets, which I'm already doing)
Do local (on the same machine) clients require the username and password if specified?
Why won't this configuration require a username and a password when the client is connecting to the broker?
My mosquitto.conf:
allow_anonymous false
password_file C:\Program Files (x86)\mosquitto
Password file is at the specified location and valid.
mosquitto -c mosquitto.conf is not throwing any error.
Can I still use the username and password when including encryption (mosquitto-tls)?
Listeners can be bound to a specific interface e.g. 127.0.0.1 which will only allow connections from the localhost.
listener 1885 127.0.0.1
If you want to restrict the whole broker to only listen for local connections, use the bind_address config option to change the default listener to only listen on 127.0.0.1 rather than 0.0.0.0 (this address represents ALL network interfaces on the machine).
If password based authentication is configured it applies to ALL listeners, so if you set up a localhost-only listener you will still need to supply a username and password.
You can use TLS and username and password based authentication unless you use client-side certificates and enable the use_identity_as_username and require_certificate options.
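The listener rules from this answer and from the "stuck in local mode" answer above (listener port [bind address], bind_address for the default listener, and password checks applying to every listener), as an added example that is not part of either thread: a small audit function that reads a mosquitto.conf and reports which listeners are reachable from other machines and whether they require credentials. The two config texts are constructed here, not the posters' files; allow_anonymous is assumed to default to false, as in Mosquitto 2.0.

```python
# Constructed sample configs (not the posters' files): the first mirrors the
# open-to-the-network answer above, the second a loopback-only listener.
OPEN_CONF = """\
pid_file /run/mosquitto/mosquitto.pid
persistence true
listener 1883 0.0.0.0
allow_anonymous true
"""
LOCAL_CONF = """\
listener 1885 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_conf(text):
    """Parse 'key value' lines into ([(port, bind_or_None)], {key: value})."""
    listeners, settings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        parts = value.split()
        if key == "listener":
            listeners.append((int(parts[0]), parts[1] if len(parts) > 1 else None))
        else:
            settings[key] = " ".join(parts)
    return listeners, settings

def audit(text):
    """List listeners reachable from other machines; anonymous ones are
    called out because the password check applies to every listener."""
    listeners, settings = parse_conf(text)
    if not listeners:
        # bind_address restricts the default listener; with neither option
        # set, Mosquitto 2.0+ binds to localhost only (the 'local mode' message).
        bind = settings.get("bind_address")
        if bind is None:
            return ["no listener configured: Mosquitto 2.0+ accepts local clients only"]
        listeners = [(int(settings.get("port", "1883")), bind)]
    anonymous = settings.get("allow_anonymous", "false") == "true"  # 2.0 default assumed
    findings = []
    for port, bind in listeners:
        if bind in LOOPBACK:
            continue  # only clients on this host can reach it
        where = bind or "all interfaces"
        auth = "no authentication" if anonymous else "credentials required"
        findings.append(f"port {port} on {where}: reachable from the network, {auth}")
    return findings
```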

RhodeCode - What is blocking my connection?

All connection attempts on RhodeCode on CentOS 6.3 are refused except from localhost.
Note that iptables is not running, and I am only trying to visit the web interface.
I have googled the exact error message below and looked around SO. I have yet to find a solution.
abort: error: No connection could be made because the target machine actively refused it
If the firewall is down, and I am not trying to modify any repository, what else is preventing me from connecting? EDIT: See #5 below. Not sure how to address it yet.
Things tried and other info
Using localhost, 127.0.0.1 and hostname in production.ini
service iptables stop
Connected over HTTP successfully. In other words, connections are accepted outside RhodeCode.
Made sure no authentication methods were enabled or configured in production.ini
Although the server accepts connections on localhost, netstat -l does not show that port 5000 is listening. Port 5000 is set in production.ini and ps uax | grep paster confirms the server is running. No other software tries to grab port 5000.
Ok, apparently I have been misunderstanding the host configuration. I was running on the assumption that host should be set to 127.0.0.1 or localhost in production.ini for RhodeCode to know what host to look for another service on. This was a faulty presumption on my part, since I am used to pointing web applications to local systems to look for databases.
It turns out that host binds the application to a specific address for access, meaning that RhodeCode was supposed to only respond to local requests, regardless of what other system policies say. The setup docs did not make this clear because they did not specify that external connections would be refused. All they said was:
This command [paster serve] runs the RhodeCode server. The web app should be available at the 127.0.0.1:5000. This ip and port is configurable via the production.ini file created in previous step
The problem was fixed by binding RhodeCode to 0.0.0.0, which opened it to outside connections. Kudos to Łukasz Balcerzak for pointing this out in the RC support Google group.

SID given in connect descriptor could not be established when connecting through the second listener

I have a BI 10g database with 2 instances using listener port 1522. I configured a second listener using port 1521; the first listener uses port 1522. When I try to connect to the database I get "The SID given in connect descriptor could not be resolved".
I have configured my listener.ora to point to the database using port 1521 as well as my tnsnames, and when I do a lsnrctl services I don't see both SIDs, I only see PLSExtProc.
When I do a lsnrctl status I can only see the second listener with port 1521.
Is it possible to have 2 listeners listening to the same instances on the same server?
Two listeners on a different port to the same database shouldn't be a problem.
Have you set the TNS_ADMIN parameter? (pointing to another tnsnames.ora / listener.ora file)