Mosquitto configuration not accepting listener containing IP address

Question

I have Mosquitto running on a local server, and my aim is to have 3 listeners:

  1. All local network clients connecting on port 1883 without TLS (port 1883 is closed to the public at the router)
  2. External clients connecting with TLS on port 8883
  3. External clients connecting without TLS on port 8880

which, using this config, works fine:

# Local MQTT
listener 1883
# End Local MQTT

# Insecure MQTT
listener 8880
# End Insecure MQTT

# Secure MQTT
listener 8883
## This is standard and should always be this
cafile   /etc/ssl/certs/DST_Root_CA_X3.pem
## These are from your installation of LE
certfile /home/pi/.node-red/certs/fullchain.pem
keyfile  /home/pi/.node-red/certs/privkey.pem
## Force all clients in this listener to provide a valid certificate, change th$
require_certificate true
## Stop all unauthorised connections
allow_anonymous false
## Use password file
password_file /etc/mosquitto/passwordfile

and which results in healthy Mosquitto log entries:

1575720819: Opening ipv4 listen socket on port 1883.
1575720819: Opening ipv6 listen socket on port 1883.
1575720819: Opening ipv4 listen socket on port 8883.
1575720819: Opening ipv6 listen socket on port 8883.
1575720819: Opening ipv4 listen socket on port 8880.
1575720819: Opening ipv6 listen socket on port 8880.
1575720820: New connection from 140.238.70.128 on port 8880.
1575719390: New client connected from 140.238.70.128 as telegraf (c1, k60, u'raspPi').

BUT... I want to ensure that only the client at 140.238.70.128 is able to connect on port 8880 (TLS isn't an option), so I added the IP address to the config:

# Insecure MQTT
listener 8880 140.238.70.128
# End Insecure MQTT

but that causes Mosquitto to stop, and the log shows:

1575720699: Opening ipv4 listen socket on port 1883.
1575720699: Opening ipv6 listen socket on port 1883.
1575720699: Opening ipv4 listen socket on port 8883.
1575720699: Opening ipv6 listen socket on port 8883.
1575720699: Opening ipv4 listen socket on port 8880.
1575720699: Error: Cannot assign requested address

I would be grateful for any advice as to why this doesn't work, or an alternative solution.

Edit. I also tried restricting the listener to IPv4, but that gave exactly the same result:

# Insecure MQTT
listener 8880 140.238.70.128
socket_domain ipv4
# End Insecure MQTT

Accepted answer

The listener directive can only take an address that is local to the machine the broker is running on. This is used to bind a socket to that address on the required port.

You can not use it as a filter for a remote machine; in fact there is no way to configure a port to only accept connections from a specific IP address in mosquitto* (or any other broker that I am aware of).

The only way to achieve what you want to do is to use the machine's firewall to drop any packets from other IP addresses addressed to that port. You can use iptables to do this. Something like:

# Drop TCP to port 8880 from every source except the allowed client (the rule needs -j before the target)
iptables -A INPUT -p tcp --dport 8880 ! -s 140.238.70.128 -j DROP

This should drop any TCP packet destined for port 8880 that is not from 140.238.70.128.

While this will work, it will only block IPv4 clients, so if your network has a properly routed IPv6 setup you will need to block access with ip6tables as well (and block access to port 1883).

* You might be able to write a custom auth plugin to do this, but I'm not sure if you get the remote IP address in the details about the user connecting. Also, I don't think you can bind authentication to just one listener.
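As an added example (not from the question or the answer above, and not Mosquitto project code), the Python script below does the two things a practitioner would want before restarting the broker. First, it parses the `listener` lines of a config and tries to bind each configured address locally, so a non-local bind address is caught with the same EADDRNOTAVAIL ("Cannot assign requested address") the log shows, instead of the broker dying on start. Second, it generates the iptables and ip6tables rules the answer describes, as explicit ACCEPT rules for the allowed sources placed above a DROP at the top of the INPUT chain, for IPv4 and IPv6 and for port 1883 as well as 8880. The rules are returned as argument vectors rather than executed; the LAN range 192.168.1.0/24 in the usage section is an assumption, as is the constructed config fragment.

```python
"""Added example: pre-flight checks for the listener/firewall question above.
Not the poster's code and not part of Mosquitto. Network values that are not
from the thread (the 192.168.1.0/24 LAN range) are assumptions."""
import errno
import ipaddress
import shlex
import socket


def parse_listeners(conf_text):
    """Return [(port, bind_address_or_None)] for each `listener` line.
    Mosquitto syntax: `listener <port> [bind address]`; '#' starts a comment."""
    listeners = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "listener":
            bind = parts[2] if len(parts) >= 3 else None
            listeners.append((int(parts[1]), bind))
    return listeners


def local_bind_ok(address):
    """Try to bind a TCP socket to `address` on an ephemeral port.
    Returns (True, "") if the kernel accepts it, i.e. the address belongs to a
    local interface, else (False, errno name). A remote client's address fails
    with EADDRNOTAVAIL, the "Cannot assign requested address" in the log."""
    try:
        try:
            v6 = ipaddress.ip_address(address).version == 6
            family = socket.AF_INET6 if v6 else socket.AF_INET
        except ValueError:  # a hostname rather than an IP literal: resolve it
            family = socket.getaddrinfo(address, 0, type=socket.SOCK_STREAM)[0][0]
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.bind((address, 0))
        return True, ""
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc))


def check_config(conf_text):
    """Return a list of problems; an empty list means every listener can open."""
    problems = []
    for port, bind in parse_listeners(conf_text):
        if bind is None:
            continue  # wildcard bind: listens on every interface, v4 and v6
        ok, why = local_bind_ok(bind)
        if not ok:
            problems.append(
                f"listener {port}: cannot bind {bind} ({why}); the bind address "
                "must be a local interface address, it is not a client filter")
    return problems


def firewall_rules(port, allowed_sources):
    """Build iptables/ip6tables argv lists that accept TCP `port` only from
    `allowed_sources` (IPs or CIDRs) and drop everything else, including all
    IPv6 traffic to the port when no IPv6 source is allowed. Each rule is
    inserted at position 1 of INPUT (DROP first, then the ACCEPTs above it), so
    an existing accept-all rule further down the chain cannot bypass them.
    The rules are returned, not executed; run them as root via subprocess."""
    nets = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    rules = []
    for tool, version in (("iptables", 4), ("ip6tables", 6)):
        match = ["-p", "tcp", "--dport", str(port)]
        rules.append([tool, "-I", "INPUT", "1", *match, "-j", "DROP"])
        for net in nets:
            if net.version == version:
                rules.append([tool, "-I", "INPUT", "1", *match,
                              "-s", str(net), "-j", "ACCEPT"])
    return rules


if __name__ == "__main__":
    # Constructed config fragment mirroring the failing listener in the question.
    conf = "listener 1883\n\nlistener 8880 140.238.70.128\nsocket_domain ipv4\n"
    for problem in check_config(conf):
        print("problem:", problem)
    # Allow-list 8880 to the one client; keep 1883 to an assumed LAN range.
    for argv in (firewall_rules(8880, ["140.238.70.128"])
                 + firewall_rules(1883, ["192.168.1.0/24"])):
        print(shlex.join(argv))
```

Run it on the real mosquitto.conf (or the fragment above) before restarting the broker: a non-local bind address is reported with its errno instead of being discovered from the dead broker's log. The generated rules deliberately include an ip6tables DROP for each port even when only IPv4 sources are allowed, which is the IPv6 gap the answer warns about.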
