Installing the Mosquitto MQTT Broker
Mosquitto is a lightweight MQTT (Message Queuing Telemetry Transport) broker designed for IoT devices, embedded systems, and real-time applications. It implements the MQTT 3.1.1 and 5.0 protocols with support for TLS encryption, authentication, ACLs, and bridging capabilities. This guide covers installation, configuration, security, and typical IoT deployments.
Table of Contents
- Prerequisites
- Installing Mosquitto
- Basic Configuration
- User Authentication
- TLS and Encryption
- Access Control Lists
- Message Persistence
- Mosquitto Bridging
- IoT Device Integration
- Monitoring and Troubleshooting
- Conclusion
Prerequisites
Before installing Mosquitto, ensure you have:
- Linux system (Ubuntu 20.04+, CentOS 8+, Debian 11+)
- Root or sudo access
- At least 512MB RAM
- Internet connectivity
- Understanding of MQTT concepts (publish/subscribe)
Installing Mosquitto
On Ubuntu/Debian systems, install from the distribution repositories:
sudo apt-get update
sudo apt-get install -y mosquitto mosquitto-clients
For the latest version, add the official Mosquitto PPA:
sudo apt-add-repository ppa:mosquitto-dev/mosquitto-ppa
sudo apt-get update
sudo apt-get install -y mosquitto mosquitto-clients
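On CentOS/RHEL, Mosquitto is packaged in EPEL:
sudo yum install -y epel-release
# The EPEL mosquitto package also ships mosquitto_pub and mosquitto_sub
sudo yum install -y mosquitto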
Start the Mosquitto service:
sudo systemctl start mosquitto
sudo systemctl enable mosquitto
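Verify the installation:
sudo systemctl status mosquitto
# "mosquitto -v" would start a second broker in verbose mode;
# the version is printed on the first line of the help text
mosquitto -h | head -n 1
The service listens on port 1883 for MQTT and, optionally, on 8883 for secure MQTT. Mosquitto 2.0 and later accept only local connections until a listener is configured.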
Basic Configuration
The main configuration file is /etc/mosquitto/mosquitto.conf. Create a backup first:
sudo cp /etc/mosquitto/mosquitto.conf /etc/mosquitto/mosquitto.conf.bak
Edit the configuration file:
sudo nano /etc/mosquitto/mosquitto.conf
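Essential configuration parameters (comments must be on their own line; mosquitto.conf does not support trailing comments):
# Port settings
# The "port" option is deprecated in favour of "listener"; declaring port 1883
# a second time makes the broker fail to bind, so each port appears once.
# listener 8883 is added in the TLS section (secure MQTT)
# listener 9001 is added in the TLS section (WebSocket connections)
# Default listener configuration
listener 1883 0.0.0.0
# Protocol versions
protocol mqtt
# Network settings
max_connections -1
max_inflight_messages 20
# Message settings
max_queued_messages 1000
message_size_limit 0
# Client settings
# Anonymous access on a listener bound to 0.0.0.0 lets any host publish and
# subscribe; it is switched off in the User Authentication section.
allow_anonymous true
persistent_client_expiration 7d
# Logging
log_dest file /var/log/mosquitto/mosquitto.log
log_dest stdout
log_type all
log_timestamp true
# Persistence
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
autosave_interval 1800
# ACLs, including pattern rules, are loaded with acl_file; it is enabled in the
# Access Control Lists section once the file exists.
# acl_file /etc/mosquitto/acl.txt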
Apply the configuration:
sudo systemctl restart mosquitto
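Verify the configuration. The broker parses the file at startup, so a failed restart reports the offending line in the service status and log:
sudo systemctl status mosquitto
sudo tail -n 20 /var/log/mosquitto/mosquitto.log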
User Authentication
Enable authentication with username/password. First, create a password file:
sudo mosquitto_passwd -c /etc/mosquitto/passwd iot_user
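Enter a secure password when prompted. Add additional users:
sudo mosquitto_passwd /etc/mosquitto/passwd admin_user
sudo mosquitto_passwd /etc/mosquitto/passwd sensor_device_1
# Used by the ACL and the subscriber script later in this guide
sudo mosquitto_passwd /etc/mosquitto/passwd dashboard_user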
Update the configuration to use password authentication:
sudo nano /etc/mosquitto/mosquitto.conf
Add these lines:
# Disable anonymous access
allow_anonymous false
# Enable password authentication
password_file /etc/mosquitto/passwd
Restart Mosquitto:
sudo systemctl restart mosquitto
Test authentication with mosquitto_sub:
mosquitto_sub -h localhost -p 1883 -u iot_user -P "password" -t "sensors/#" -d
Publish a test message:
mosquitto_pub -h localhost -p 1883 -u iot_user -P "password" -t "sensors/temperature" -m "25.5"
TLS and Encryption
Secure MQTT communication with TLS certificates. Generate self-signed certificates:
sudo mkdir -p /etc/mosquitto/certs
cd /etc/mosquitto/certs
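# Generate CA certificate (ca.key is only needed for signing; keep it off the broker in production)
sudo openssl genrsa -out ca.key 2048
sudo openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=mosquitto-ca"
# Generate server key
sudo openssl genrsa -out server.key 2048
# Create server certificate signing request
sudo openssl req -new -out server.csr \
  -key server.key \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=mosquitto.example.com"
# Clients check the host name they connect to against the certificate, so list
# every name used to reach the broker (localhost is used by the test below)
printf 'subjectAltName=DNS:mosquitto.example.com,DNS:localhost\n' | sudo tee server.ext
# Sign server certificate
sudo openssl x509 -req -in server.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile server.ext \
  -out server.crt -days 365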
Set proper permissions:
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs
sudo chmod 600 /etc/mosquitto/certs/*
sudo chmod 644 /etc/mosquitto/certs/*.crt
Update the configuration for TLS:
sudo nano /etc/mosquitto/mosquitto.conf
Add TLS listener configuration:
# Standard MQTT with TLS/SSL
listener 8883 0.0.0.0
protocol mqtt
tls_version tlsv1.2
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
cafile /etc/mosquitto/certs/ca.crt
Restart Mosquitto:
sudo systemctl restart mosquitto
Test TLS connection:
mosquitto_sub -h localhost -p 8883 -u iot_user -P "password" \
-t "sensors/#" \
--cafile /etc/mosquitto/certs/ca.crt
For WebSocket connections with TLS:
listener 9001 0.0.0.0
protocol websockets
tls_version tlsv1.2
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
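Adding a TLS listener does not close the plaintext one. The following added example (not part of the original guide or of Mosquitto) lints a configuration for anonymous access and for listeners that are reachable from the network without TLS. It assumes per_listener_settings is left at its default of false; SAMPLE_CONF is constructed and the function names are hypothetical.

```python
# Added example: lint a mosquitto.conf for anonymous access and plaintext listeners.
# SAMPLE_CONF is a constructed sample built from the listeners in this guide.
SAMPLE_CONF = """\
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 1883 0.0.0.0
protocol mqtt
listener 8883 0.0.0.0
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
listener 9001 127.0.0.1
protocol websockets
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PER_LISTENER = {"protocol", "certfile", "keyfile", "cafile", "tls_version"}

def parse_conf(text):
    """Return (global options, listeners); options after a listener line belong to it."""
    glob, listeners = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            port, _, bind = value.strip().partition(" ")
            # No bind address means the listener accepts on every interface.
            listeners.append({"port": int(port), "bind": bind.strip() or "0.0.0.0"})
        elif key in PER_LISTENER and listeners:
            listeners[-1][key] = value.strip()
        else:
            glob[key] = value.strip()
    return glob, listeners

def audit(text):
    """Return a list of findings, empty when nothing is flagged."""
    glob, listeners = parse_conf(text)
    findings = []
    if glob.get("allow_anonymous") == "true":
        findings.append("allow_anonymous true: clients connect without credentials")
    elif "password_file" not in glob:
        findings.append("no password_file: no password database is configured")
    for lst in listeners:
        if lst["bind"] not in LOOPBACK and "certfile" not in lst:
            findings.append(f"listener {lst['port']} on {lst['bind']}: no TLS, "
                            "passwords and payloads cross the network in clear text")
    return findings
```

Run against the sample, it reports only the 1883 listener; binding that listener to 127.0.0.1 or removing it clears the finding.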
Access Control Lists
Implement fine-grained permissions using ACLs. Create an ACL file:
sudo nano /etc/mosquitto/acl.txt
Define ACL rules (comments must be on their own line):
# Once acl_file is set, anything not explicitly granted is denied,
# so no separate "deny all" rule is needed.
# Anonymous users (if allowed): topic lines placed before the first "user" line
topic read public/#
topic write public/messages
# Admin user - full access
# ("#" does not match topics starting with "$"; $SYS access comes from the pattern rule below)
user admin_user
topic read #
topic write #
# Sensor device - can publish data
user sensor_device_1
topic write sensors/device1/temperature
topic write sensors/device1/humidity
topic read $SYS/broker/clients/connected
# Dashboard user - read only
user dashboard_user
topic read sensors/#
topic read devices/#
# Rule applied to every user
pattern read $SYS/broker/#
# Device-specific subscriptions
user sensor_device_2
topic write sensors/device2/+
topic read commands/device2
Enable ACLs in the configuration:
sudo nano /etc/mosquitto/mosquitto.conf
Add:
acl_file /etc/mosquitto/acl.txt
Restart Mosquitto:
sudo systemctl restart mosquitto
Test ACL enforcement:
# Should succeed
mosquitto_pub -h localhost -p 1883 -u admin_user -P "password" \
-t "sensors/device1/temperature" -m "25.5"
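# Should be rejected (not authorized). At QoS 0 the broker drops the message
# silently and mosquitto_pub still exits successfully, so confirm with a
# subscriber or the "Denied PUBLISH" entry in the broker log.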
mosquitto_pub -h localhost -p 1883 -u sensor_device_1 -P "password" \
-t "sensors/device2/temperature" -m "26.0"
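The rules above can be checked before they are deployed. This added example (not part of the original guide or of Mosquitto) is a small offline evaluator for the acl_file format: it applies deny-by-default, lets a matching deny rule win, and keeps `#` and `+` from matching `$SYS` topics. ACL_TEXT is a constructed sample and the function names are hypothetical.

```python
# Added example: offline evaluator for Mosquitto's acl_file format (ACL_TEXT is constructed).
ACL_TEXT = """\
topic read public/#
user admin_user
topic readwrite #
user sensor_device_1
topic write sensors/device1/temperature
user dashboard_user
topic read sensors/#
pattern read $SYS/broker/#
"""

def topic_matches(filt, topic):
    """MQTT filter match: '+' is one level, '#' is all remaining levels."""
    if filt.startswith("$") != topic.startswith("$"):
        return False  # '#' and '+' never reach $SYS and other $-topics
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

def parse_acl(text):
    """Return ({user: rules}, pattern_rules); user None means anonymous."""
    users, patterns, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        kind, _, rest = line.partition(" ")
        if kind == "user":
            current = rest.strip()
        elif kind in ("topic", "pattern"):
            access, _, topic = rest.strip().partition(" ")
            if access not in ("read", "write", "readwrite", "deny"):
                access, topic = "readwrite", rest  # access keyword omitted
            rules = patterns if kind == "pattern" else users.setdefault(current, [])
            rules.append((access, topic.strip()))
    return users, patterns

def allowed(users, patterns, user, client_id, access, topic):
    """access is 'read' or 'write'; topic is a concrete topic name."""
    expanded = [(a, t.replace("%u", user or "").replace("%c", client_id))
                for a, t in patterns if user is not None or "%u" not in t]
    for rules in (users.get(user, []), expanded):
        hits = [a for a, t in rules if topic_matches(t, topic)]
        if "deny" in hits:
            return False  # a matching deny rule wins
        if access in hits or "readwrite" in hits:
            return True
    return False  # nothing matched: denied by default
```

Call it as `allowed(*parse_acl(ACL_TEXT), "sensor_device_1", "iot_device_1", "write", "sensors/device2/temperature")`, which returns False, matching the rejected publish in the test above.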
Message Persistence
Configure persistent storage for messages to prevent data loss during broker restarts:
sudo nano /etc/mosquitto/mosquitto.conf
Ensure these settings:
# Enable persistence
persistence true
# Persistence file location
persistence_location /var/lib/mosquitto/
# Persistence file
persistence_file mosquitto.db
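# Auto-save threshold
autosave_interval 1800
# Count changes instead of seconds: with this set to true, the database is
# saved after autosave_interval changes (1800 here) rather than every 1800 seconds
autosave_on_changes true
# Maximum in-flight QoS 1/2 messages per client
max_inflight_messages 20
# Maximum QoS 1/2 messages queued per client above the in-flight limit
max_queued_messages 1000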
Set proper permissions:
sudo mkdir -p /var/lib/mosquitto
sudo chown mosquitto:mosquitto /var/lib/mosquitto
sudo chmod 755 /var/lib/mosquitto
Restart Mosquitto:
sudo systemctl restart mosquitto
Verify persistence by checking the database file:
ls -lah /var/lib/mosquitto/mosquitto.db
Mosquitto Bridging
Connect multiple Mosquitto instances or integrate with other MQTT brokers using bridging. Create a bridge configuration:
sudo nano /etc/mosquitto/bridges.conf
Configure a bridge to a remote broker:
# Bridge configuration
connection bridge_to_cloud
address cloud-broker.example.com:8883
bridge_protocol_version mqttv311
# Bridge credentials
remote_username bridge_user
remote_password bridge_password
# Topics to bridge
topic sensors/# both 1
topic devices/# both 2
topic commands/# in 2
# Local connection
local_clientid mosquitto_bridge_01
# Keep-alive
keepalive_interval 60
# Start the bridge when the broker starts
start_type automatic
# TLS configuration (if remote uses TLS); bridge TLS options carry the bridge_ prefix
bridge_tls_version tlsv1.2
bridge_cafile /etc/mosquitto/certs/ca.crt
Include the bridge configuration in the main config:
sudo nano /etc/mosquitto/mosquitto.conf
Add:
include_dir /etc/mosquitto/conf.d
Move the bridge config:
sudo mv /etc/mosquitto/bridges.conf /etc/mosquitto/conf.d/
Restart Mosquitto:
sudo systemctl restart mosquitto
Monitor bridge status:
sudo tail -f /var/log/mosquitto/mosquitto.log | grep bridge
IoT Device Integration
Integrate IoT devices with Mosquitto. Create a Python client for IoT devices:
pip3 install paho-mqtt
Create a temperature sensor simulation (sensor.py):
#!/usr/bin/env python3
import json
import random
import time
from datetime import datetime

import paho.mqtt.client as mqtt


def on_connect(client, userdata, flags, reason_code, properties):
    # paho-mqtt 2.x (callback API v2) passes a reason code and MQTT v5 properties
    print(f"Connected with code {reason_code}")
    # Delivery requires a "topic read commands/device1" ACL entry for this user
    client.subscribe("commands/device1")


def on_message(client, userdata, msg):
    print(f"Received command: {msg.topic} -> {msg.payload.decode()}")


# paho-mqtt 2.x requires the callback API version as the first argument
client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2, client_id="iot_device_1")
client.username_pw_set("sensor_device_1", "password")
client.on_connect = on_connect
client.on_message = on_message
client.connect("localhost", 1883, 60)
client.loop_start()

# Publish temperature readings every 5 seconds
try:
    while True:
        temp = 20.0 + random.uniform(-2, 2)
        humidity = 50.0 + random.uniform(-10, 10)
        payload = {
            "device_id": "device1",
            "temperature": round(temp, 2),
            "humidity": round(humidity, 2),
            "timestamp": datetime.now().isoformat()
        }
        client.publish("sensors/device1/temperature", json.dumps(payload))
        time.sleep(5)
except KeyboardInterrupt:
    client.loop_stop()
    client.disconnect()
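Create a subscriber to consume sensor data (subscriber.py):
#!/usr/bin/env python3
import json

import paho.mqtt.client as mqtt


def on_connect(client, userdata, flags, reason_code, properties):
    # A refused connection (for example bad credentials) also triggers this callback
    if reason_code.is_failure:
        print(f"Connection refused: {reason_code}")
        return
    print("Connected to Mosquitto")
    client.subscribe("sensors/#")


def on_message(client, userdata, msg):
    try:
        payload = json.loads(msg.payload.decode())
        print(f"{msg.topic}: {payload}")
    except json.JSONDecodeError:
        # Not JSON: print the raw payload
        print(f"{msg.topic}: {msg.payload.decode()}")


# paho-mqtt 2.x requires the callback API version as the first argument
client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2, client_id="dashboard")
client.username_pw_set("dashboard_user", "password")
client.on_connect = on_connect
client.on_message = on_message
client.connect("localhost", 1883, 60)
client.loop_forever()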
Run both scripts:
python3 sensor.py &
python3 subscriber.py
Monitoring and Troubleshooting
Monitor Mosquitto using system topics:
mosquitto_sub -h localhost -p 1883 -u admin_user -P "password" \
-t '$SYS/broker/+/+' -v
Check broker statistics:
mosquitto_sub -h localhost -p 1883 -u admin_user -P "password" \
-t '$SYS/broker/bytes/+' -v
View Mosquitto logs:
sudo tail -f /var/log/mosquitto/mosquitto.log
Check that the broker is listening:
sudo netstat -tuln | grep 1883
Check process status:
ps aux | grep mosquitto
Monitor memory and CPU usage:
# -x matches the broker only, not mosquitto_sub or mosquitto_pub
top -p $(pgrep -x mosquitto)
Test message flow with increased verbosity:
mosquitto_sub -h localhost -p 1883 -u admin_user -P "password" \
-t "sensors/#" -d -v
Reload configuration without restart:
sudo systemctl reload mosquitto
Conclusion
Mosquitto provides a reliable, lightweight MQTT broker ideal for IoT deployments. This guide covered installation, configuration, authentication, TLS encryption, ACLs, message persistence, bridging, and device integration. For production IoT deployments, implement strong authentication, enforce TLS encryption, configure granular ACLs, monitor broker metrics, implement redundancy across multiple brokers, and establish backup procedures. Mosquitto's efficiency makes it excellent for edge computing, industrial automation, smart home systems, and large-scale IoT networks with thousands of connected devices.


