IoT & Broker

Setting Up the Mosquitto MQTT Broker: Complete Installation & Configuration

A comprehensive guide to installing and configuring the Mosquitto MQTT broker from scratch, covering installation on Linux and Windows, username/password authentication, TLS/SSL, bridging between brokers, monitoring, and security hardening for production environments.

1. Introduction to the Mosquitto MQTT Broker

Eclipse Mosquitto is an open-source MQTT broker developed by the Eclipse Foundation and one of the most popular MQTT brokers in the world. Mosquitto is designed to be lightweight and easy to configure, and it supports MQTT protocol versions 3.1, 3.1.1, and 5.0. It suits everything from beginner IoT projects to medium-scale production environments.

The name "Mosquitto" comes from the word "mosquito", a metaphor for MQTT messages being as small as mosquitoes yet able to spread everywhere very efficiently. Mosquitto is available for almost every platform: Linux, Windows, macOS, and even the Raspberry Pi.

Diagram: Mosquitto MQTT Broker Architecture
IoT Devices (ESP32, Raspberry Pi, sensors, actuators) → Publish → Mosquitto Broker (port 1883 TCP, port 8883 TLS, port 9001 WebSocket) → Deliver → Subscribers (dashboard, mobile app, database, cloud)
TCP 1883: standard MQTT connection. TLS 8883: encrypted connection. WS 9001: WebSocket connection for browsers.

Key Features of Mosquitto

💡 Mosquitto 2.x vs 1.x

Mosquitto 2.0 brought significant changes: anonymous access is disabled by default, full MQTT 5.0 support, a dynamic security plugin, and security improvements. If you follow an older tutorial and get connection errors, make sure you add allow_anonymous true or configure authentication.

| Feature | Mosquitto 1.x | Mosquitto 2.x |
|---|---|---|
| MQTT 5.0 | ❌ No | ✅ Yes |
| Anonymous by default | ✅ Allowed | ❌ Blocked |
| Dynamic Security | ❌ No | ✅ Built-in plugin |
| WebSocket | ✅ Requires plugin | ✅ Built-in |
| Performance | Good | Better |

2. Installing Mosquitto on Linux (Ubuntu/Debian)

Installing Mosquitto on Linux is straightforward with the distribution's package manager. However, the default repository usually provides an older version. To get the latest version (2.x), adding the official Eclipse Mosquitto PPA is recommended.

2.1 Installing from the Default Repository

Terminal — Standard Installation on Ubuntu/Debian
# === Update the package index ===
sudo apt update

# === Install Mosquitto and the CLI tools ===
sudo apt install -y mosquitto mosquitto-clients

# === Enable the service so it starts automatically at boot ===
sudo systemctl enable mosquitto

# === Start the Mosquitto service ===
sudo systemctl start mosquitto

# === Check the service status ===
sudo systemctl status mosquitto

# === Verify the version (printed at the top of the help text) ===
mosquitto -h | head -n 3
Output — systemctl status mosquitto:
● mosquitto.service - Mosquitto MQTT Broker
     Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled)
     Active: active (running) since Wed 2026-06-25 08:30:15 UTC
       Docs: man:mosquitto.conf(5)
    Process: 1234 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf (code=exited, status=0/SUCCESS)
   Main PID: 1235 (mosquitto)
      Tasks: 1 (limit: 4567)
     Memory: 1.2M
        CPU: 15ms

2.2 Installing from the Official PPA (Latest Version)

Terminal — Add the Latest Mosquitto PPA
# === Add the official Eclipse Mosquitto repository ===
sudo apt install -y software-properties-common wget

# Add the PPA; apt-add-repository also imports the PPA signing key
sudo apt-add-repository ppa:mosquitto-dev/mosquitto-ppa

# Or do it manually:
# (apt accepts the PPA entry below only when the PPA's own signing key is trusted;
#  the repo.mosquitto.org key signs the repo.mosquitto.org Debian repository)
wget https://repo.mosquitto.org/debian/mosquitto-repo.gpg.key
sudo apt-key add mosquitto-repo.gpg.key

# Add the repository (Ubuntu 22.04 Jammy, adjust for other releases)
echo "deb http://ppa.launchpad.net/mosquitto-dev/mosquitto-ppa/ubuntu jammy main" | \
  sudo tee /etc/apt/sources.list.d/mosquitto.list

# === Update and install ===
sudo apt update
sudo apt install -y mosquitto mosquitto-clients

# === Verify the latest version ===
mosquitto -h 2>&1 | head -3

2.3 Installing on Raspberry Pi (Raspbian/Debian ARM)

Terminal — Installation on Raspberry Pi
# Raspberry Pi uses the same Debian repository
sudo apt update
sudo apt install -y mosquitto mosquitto-clients

# Check the ARM architecture
uname -m
# Output: aarch64 (Pi 4/5 64-bit) or armv7l (Pi 3/4 32-bit)

# Check available RAM (Mosquitto is very light on memory)
free -h
# Mosquitto only needs ~2MB RAM

# Run it
sudo systemctl enable mosquitto
sudo systemctl start mosquitto
ℹ️ Linux Installation File Layout

After installation on Linux, the important Mosquitto files are located at: /etc/mosquitto/mosquitto.conf (main configuration), /etc/mosquitto/passwd (password file), /etc/mosquitto/aclfile (ACL), /var/lib/mosquitto/ (persistence data), and /var/log/mosquitto/ (logs).

3. Installing Mosquitto on Windows

Mosquitto is available for 64-bit Windows with an easy-to-use installer. Installation takes a few more steps than on Linux, including configuring the Windows service.

3.1 Download & Installation

  1. Visit the official site https://mosquitto.org/download/
  2. Download the 64-bit Windows installer (.exe file)
  3. Run the installer with administrator rights (Run as Administrator)
  4. Follow the installation wizard and keep the default folder: C:\Program Files\mosquitto\
  5. Select the "Install as Windows Service" option if offered
  6. Tick the option to add it to the system PATH

3.2 Verifying the Installation

Command Prompt / PowerShell — Verification
# Check the Mosquitto version
mosquitto -h

# Run the broker with verbose logging (foreground)
mosquitto -v

# Output:
# mosquitto version 2.0.18 starting
# Opening ipv4 listen socket on port 1883.
# Opening ipv6 listen socket on port 1883.
# mosquitto version 2.0.18 running

# Or run it with a custom config file
mosquitto -c "C:\mosquitto\mosquitto.conf" -v

3.3 Configuring the Windows Service

PowerShell (Admin) — Windows Service Management
# Check the status of the Mosquitto service
Get-Service mosquitto

# Start the service
Start-Service mosquitto

# Stop the service
Stop-Service mosquitto

# Set it to start automatically at boot
Set-Service -Name "mosquitto" -StartupType Automatic

# Register the service manually if it is not registered yet
# (the service loads mosquitto.conf from the directory named in the
#  MOSQUITTO_DIR environment variable, which the installer sets)
& "C:\Program Files\mosquitto\mosquitto.exe" install
⚠️ Windows Firewall

Make sure you allow Mosquitto through Windows Firewall. Open Windows Defender Firewall → Advanced Settings → Inbound Rules → New Rule. Add rules for TCP ports 1883 (MQTT), 8883 (MQTT+TLS), and 9001 (WebSocket). Or run this from PowerShell: netsh advfirewall firewall add rule name="MQTT" dir=in action=allow protocol=TCP localport=1883

4. Basic Mosquitto Configuration

Mosquitto's main configuration file is located at /etc/mosquitto/mosquitto.conf (Linux) or C:\mosquitto\mosquitto.conf (Windows). Understanding the configuration parameters is the key to running a stable and secure broker.

4.1 Minimal Configuration for Testing

mosquitto.conf — Basic Configuration
# =============================================
# Mosquitto MQTT Broker - Basic Configuration
# File: /etc/mosquitto/mosquitto.conf
# =============================================

# === Listener ===
# Default MQTT port (no address given: listens on every interface)
listener 1883

# Allow anonymous clients (ONLY for testing!)
allow_anonymous true

# === Persistence ===
# Save retained messages and sessions to disk
persistence true
persistence_location /var/lib/mosquitto/

# === Logging ===
log_dest syslog
log_dest stdout
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
log_timestamp_format %Y-%m-%dT%H:%M:%S

# === Connection Limits ===
# -1 = unlimited, 0 = disabled
max_connections -1

# Keepalive timeout (seconds)
# A client that sends no PINGREQ within this time is considered disconnected
# Default 60 seconds

4.2 Basic Production Configuration

mosquitto.conf — Production Setup
# =============================================
# Mosquitto Production Configuration
# =============================================

# === TCP Listener ===
# Plaintext listener: usernames and passwords cross the network unencrypted;
# section 8.1 moves remote clients to a TLS listener
listener 1883 0.0.0.0
protocol mqtt

# === WebSocket Listener ===
listener 9001 0.0.0.0
protocol websockets

# === Authentication (MANDATORY for production!) ===
allow_anonymous false
password_file /etc/mosquitto/passwd

# === ACL (Access Control List) ===
acl_file /etc/mosquitto/aclfile

# === Persistence ===
persistence true
persistence_location /var/lib/mosquitto/
autosave_interval 1800
autosave_on_changes false

# === Performance ===
max_connections 1000
max_inflight_messages 20
max_queued_messages 1000
message_size_limit 1048576

# === Logging ===
log_dest file /var/log/mosquitto/mosquitto.log
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true

4.3 Important Configuration Parameters

| Parameter | Default | Function |
|---|---|---|
| listener | 1883 | Port and IP address the broker listens on |
| allow_anonymous | false (v2.x) | Whether clients without authentication are allowed |
| password_file | — | Location of the file holding usernames and password hashes |
| acl_file | — | Location of the Access Control List file for topics |
| persistence | false | Enable saving data to disk |
| max_connections | -1 (unlimited) | Maximum number of clients connected at the same time |
| max_queued_messages | 1000 | Maximum queued messages per client |
| message_size_limit | 0 (unlimited) | Message payload size limit in bytes |
| log_type | all | Types of log messages recorded |

💡 Configuration Tips

Always restart Mosquitto after changing the configuration: sudo systemctl restart mosquitto. Use mosquitto -c /etc/mosquitto/mosquitto.conf -v to run the broker in the foreground with verbose logging. This is very useful when debugging configuration problems.

5. Username & Password Authentication

Authentication is the first security measure that must be in place. Mosquitto supports username/password authentication, with the credentials stored in a dedicated password file in hashed form.

5.1 Creating the Password File

Terminal — Creating the Password File
# === Create a new password file with the first user ===
# Flag -c = create (creates a new file, OVERWRITING the old one!)
sudo mosquitto_passwd -c /etc/mosquitto/passwd admin

# You will be asked to enter the password twice
# Password: ********
# Reenter password: ********

# === Add new users (without -c so the file is not overwritten) ===
# -b takes the password on the command line, where it lands in shell history
# and the process list; omit -b and the password to be prompted instead
sudo mosquitto_passwd -b /etc/mosquitto/passwd sensor_ruang01 password123
sudo mosquitto_passwd -b /etc/mosquitto/passwd dashboard_viewer secret456

# === Delete a user ===
sudo mosquitto_passwd -D /etc/mosquitto/passwd sensor_ruang01

# === View the file contents (hashed) ===
sudo cat /etc/mosquitto/passwd
# Output:
# admin:$6$randomhash...
# sensor_ruang01:$6$randomhash...
# dashboard_viewer:$6$randomhash...

5.2 Creating an ACL (Access Control List)

/etc/mosquitto/aclfile — Access Control List
# =============================================
# Mosquitto ACL Configuration
# =============================================

# === Default: deny all access ===
# (No need to write this, because deny all is the default)

# === Admin: full access to all topics ===
user admin
topic readwrite #
# '#' does not match topics that start with '$', so $SYS needs its own rule
topic read $SYS/#

# === Sensor: may only publish to its own topics ===
user sensor_ruang01
topic write rumah/ruang01/#
topic read rumah/ruang01/cmd

user sensor_ruang02
topic write rumah/ruang02/#
topic read rumah/ruang02/cmd

# === Dashboard: may only subscribe (read-only) ===
user dashboard_viewer
topic read rumah/#

# === Anonymous (if allowed) ===
# (rules for anonymous clients must be placed before the first 'user' line)
# topic read public/#

5.3 Enabling the ACL in the Configuration

mosquitto.conf — Add the ACL
# Enable authentication
allow_anonymous false
password_file /etc/mosquitto/passwd

# Enable the ACL
acl_file /etc/mosquitto/aclfile

5.4 Testing Authentication

Terminal — Authentication Test
# Subscribe with authentication
mosquitto_sub -h localhost -t "rumah/#" -u admin -P admin_password -v

# Publish with authentication
mosquitto_pub -h localhost -t "rumah/ruang01/suhu" \
  -u sensor_ruang01 -P password123 \
  -m '{"suhu": 27.5, "kelembaban": 65}'

# Test without authentication (should fail on v2.x)
mosquitto_sub -h localhost -t "test"
# Error: Connection Refused: not authorised.

# Test the wrong user (should be rejected by the ACL)
mosquitto_pub -h localhost -t "rumah/ruang01/suhu" \
  -u dashboard_viewer -P secret456 \
  -m "test"
# No error is printed: the connection is accepted, but the broker discards
# the message and subscribers never receive it
# (dashboard_viewer may only READ, not WRITE)
⚠️ Password File Security

The Mosquitto password file contains hashes, not plaintext passwords. Still, protect the file: sudo chown mosquitto:mosquitto /etc/mosquitto/passwd and sudo chmod 600 /etc/mosquitto/passwd. Never share this file or commit it to version control!
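
The rules from section 5.2 can be evaluated offline to see what each user is actually allowed to do before the file goes onto a broker. The following is an added example, not part of the original tutorial or of Mosquitto: the helper names (topic_matches, parse_acl, allowed, report) are hypothetical, the sample ACL is constructed from the users and topics of section 5.2 without a $SYS rule, and only user and topic read|write|readwrite lines are handled.

```python
"""Offline evaluation of Mosquitto ACL rules (added example, not Mosquitto code)."""

# Constructed sample ACL using the user names and topics from section 5.2.
ACL_TEXT = """\
user admin
topic readwrite #

user sensor_ruang01
topic write rumah/ruang01/#
topic read rumah/ruang01/cmd

user dashboard_viewer
topic read rumah/#
"""


def topic_matches(filt, topic):
    """MQTT filter match: '+' covers one level, '#' covers the remaining levels."""
    # A filter matches a '$' topic (such as $SYS/...) only if it also starts with '$'.
    if filt.startswith("$") != topic.startswith("$"):
        return False
    f_parts, t_parts = filt.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or part not in ("+", t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


def parse_acl(text):
    """Return {username: [(access, filter), ...]} for 'user' and 'topic' lines."""
    rules, user = {}, None  # rules before the first 'user' line are stored under None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "user":
            user = rest
        elif keyword == "topic":
            access, _, filt = rest.partition(" ")
            if access not in ("read", "write", "readwrite") or not filt:
                access, filt = "readwrite", rest  # access omitted: readwrite
            rules.setdefault(user, []).append((access, filt.strip()))
    return rules


def allowed(rules, user, want, topic):
    """want is 'read' (deliver to a subscriber) or 'write' (accept a publish)."""
    return any(
        access in (want, "readwrite") and topic_matches(filt, topic)
        for access, filt in rules.get(user, [])
    )


def report(acl_text, checks):
    """Evaluate (user, want, topic) triples and return them with the verdict."""
    rules = parse_acl(acl_text)
    return [(u, w, t, allowed(rules, u, w, t)) for u, w, t in checks]


CHECKS = [
    ("dashboard_viewer", "read", "rumah/ruang01/suhu"),
    ("dashboard_viewer", "write", "rumah/ruang01/suhu"),
    ("sensor_ruang01", "write", "rumah/ruang02/suhu"),
    ("sensor_ruang01", "write", "rumah/ruang01/cmd"),    # covered by rumah/ruang01/#
    ("admin", "read", "$SYS/broker/clients/connected"),  # '#' does not cover $SYS
]

if __name__ == "__main__":
    for user, want, topic, ok in report(ACL_TEXT, CHECKS):
        verdict = "ALLOW" if ok else "DENY"
        print(f"{verdict:5} {user:17} {want:5} {topic}")
    # Granting the monitoring topics explicitly changes the last verdict.
    fixed = ACL_TEXT.replace("topic readwrite #", "topic readwrite #\ntopic read $SYS/#", 1)
    print(report(fixed, CHECKS[-1:]))
```
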

6. Testing with MQTT Clients (mosquitto_sub/pub)

Once the broker is running, the next step is testing. Mosquitto ships with two CLI tools, mosquitto_sub (subscriber) and mosquitto_pub (publisher), which are very useful for debugging and verification.

6.1 Complete Testing Example

Terminal — Comprehensive Testing
# =============================================
# Open TWO terminals at the same time
# =============================================

# === TERMINAL 1: Subscriber ===
# Subscribe to all topics under "rumah/"
mosquitto_sub -h localhost -t "rumah/#" -v

# Flag reference:
# -h  = host (localhost or the broker IP)
# -t  = topic (supports the wildcards + and #)
# -v  = verbose (show the topic name before the message)
# -u  = username
# -P  = password
# -C  = number of messages to receive before exiting (e.g. -C 5 for 5 messages)
# -q  = QoS level (0, 1, or 2)
# -k  = keepalive in seconds


# === TERMINAL 2: Publisher ===
# Send a message to a specific topic
mosquitto_pub -h localhost -t "rumah/ruang01/suhu" \
  -m '{"suhu": 27.5, "kelembaban": 65, "status": "ok"}' \
  -q 1 -r

# Flag reference:
# -h  = host
# -t  = topic
# -m  = message/payload
# -q  = QoS level
# -r  = retained message (kept by the broker until overwritten)
# -d  = debug mode (show connection information)
# -f  = read the message from a file
Output Terminal 1 (Subscriber):
rumah/ruang01/suhu {"suhu": 27.5, "kelembaban": 65, "status": "ok"}
rumah/ruang02/suhu {"suhu": 24.0, "kelembaban": 72, "status": "ok"}
rumah/ruang01/cmd LED_ON

6.2 Testing with a Payload File

Terminal — Publish from a File & Loop
# === Save the payload to a file ===
echo '{"suhu": 28.3, "kelembaban": 60, "gas": 350}' > /tmp/sensor_data.json

# === Publish from the file ===
mosquitto_pub -h localhost -t "rumah/ruang01/suhu" -f /tmp/sensor_data.json

# === Send a message every 5 seconds (using a shell loop) ===
while true; do
  SUHU=$(echo "scale=1; 24 + ($RANDOM % 60) / 10" | bc)
  mosquitto_pub -h localhost -t "rumah/ruang01/suhu" \
    -m "{\"suhu\": $SUHU, \"ts\": $(date +%s)}" -q 1
  echo "Dikirim: suhu=$SUHU"
  sleep 5
done

# === Subscribe with a specific filter ===
# Receive only temperature data from ruang01
mosquitto_sub -h localhost -t "rumah/ruang01/suhu" -v -q 1

# Receive all data from floor 1
mosquitto_sub -h localhost -t "rumah/lantai1/#" -v

6.3 Complete CLI Command Reference

| Command | Function | Example |
|---|---|---|
| mosquitto_sub -t "topic" | Subscribe to a topic | mosquitto_sub -h localhost -t "test/#" -v |
| mosquitto_pub -t "topic" -m "msg" | Publish a message | mosquitto_pub -t "test/hello" -m "hi" |
| -r | Retained (stored) message | mosquitto_pub -t "status" -m "online" -r |
| -q 1 | Set the QoS level | mosquitto_sub -t "data" -q 2 |
| -C N | Receive N messages, then exit | mosquitto_sub -t "data" -C 10 |
| -d | Debug mode (show packets) | mosquitto_pub -t "test" -m "x" -d |
| -u user -P pass | Authentication | mosquitto_sub -u admin -P pass123 |
| --cafile file | TLS certificate | mosquitto_sub --cafile ca.crt -p 8883 |

7. Bridge Configuration: Connecting Two Brokers

Mosquitto supports a bridge feature that lets two or more MQTT brokers connect to each other. Bridges are useful for connecting a local (edge) broker to a central (cloud) broker, load distribution, redundancy, and replicating data between geographic locations.

Diagram: Mosquitto Bridge Architecture
Edge Broker (local), Factory A, 192.168.1.10:1883, sensors in the field → Bridge → Cloud Broker (central), main server, mqtt.cloud.com:8883, database & dashboard ← Bridge ← Edge Broker (local), Factory B, 192.168.2.10:1883, sensors in the field

7.1 Bridge Configuration (Edge → Cloud)

mosquitto.conf — Bridge Configuration
# =============================================
# Mosquitto Bridge Configuration
# File: /etc/mosquitto/mosquitto.conf (Edge Broker)
# =============================================

# Local listener
listener 1883 localhost
allow_anonymous true

# === Bridge to the Cloud Broker ===
connection cloud-bridge
address mqtt.cloud.com:8883

# Topics to bridge
# Format: topic PATTERN DIRECTION QoS LOCAL_PREFIX REMOTE_PREFIX
# The local topic is LOCAL_PREFIX + PATTERN, the remote topic is REMOTE_PREFIX + PATTERN
# Local rumah/sensor/# is published remotely as cloud/rumah/sensor/#
topic sensor/# out 1 rumah/ cloud/rumah/
# Remote cloud/rumah/cmd/# is delivered locally as rumah/cmd/#
topic cmd/# in 1 rumah/ cloud/rumah/

# "out" = from local → remote (publish)
# "in"  = from remote → local (subscribe)
# "both" = both directions

# Bridge authentication
# (the password is stored in plaintext: keep this file readable only by the mosquitto user)
remote_username bridge_user
remote_password bridge_secret_pass

# TLS for the bridge
bridge_cafile /etc/mosquitto/certs/ca.crt
bridge_certfile /etc/mosquitto/certs/client.crt
bridge_keyfile /etc/mosquitto/certs/client.key
bridge_tls_version tlsv1.2

# Bridge settings
bridge_protocol_version mqttv311
cleansession true
keepalive_interval 60
restart_timeout 30 300
try_private true
notifications true
notification_topic $SYS/broker/bridge/edge01/state

# Quality of Service
max_inflight_messages 20

7.2 Verifying the Bridge

Terminal — Verifying the Bridge
# === Restart Mosquitto after configuring the bridge ===
sudo systemctl restart mosquitto

# === Check the log for the bridge status ===
sudo tail -f /var/log/mosquitto/mosquitto.log | grep bridge
# Output:
# Bridge cloud-bridge connecting to mqtt.cloud.com:8883
# Bridge cloud-bridge connected

# === Test: send data from the edge broker ===
mosquitto_pub -h localhost -t "rumah/sensor/suhu" \
  -m '{"suhu": 27.5}' -q 1

# === Verify on the cloud broker (another server) ===
mosquitto_sub -h mqtt.cloud.com -t "cloud/rumah/#" \
  -u viewer -P viewer_pass -v --cafile ca.crt
# Output: cloud/rumah/sensor/suhu {"suhu": 27.5}
ℹ️ When to Use a Bridge?

Edge Computing: a local broker in a factory or warehouse collects sensor data, then bridges to a cloud broker for analysis. Multi-Site: the broker at each physical location is connected to a central broker. Load Distribution: bridge specific topics to a dedicated broker that handles that type of data. Failover: if one broker goes down, bridge to a backup broker.

8. Security Hardening for Production

Running an MQTT broker in production requires strict security measures. Below is a comprehensive security checklist for Mosquitto.

8.1 TLS/SSL Encryption

mosquitto.conf — TLS/SSL Configuration
# =============================================
# TLS/SSL Configuration
# =============================================

# TLS listener on port 8883
listener 8883 0.0.0.0
protocol mqtt

# CA certificate, server certificate, and key
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

# Require TLS version 1.2 minimum
tls_version tlsv1.2

# Require client certificate? (mutual TLS)
require_certificate false
# Set to true to verify client identity via certificates

# Non-TLS listener for localhost only
listener 1883 localhost
protocol mqtt

# WebSocket TLS listener
listener 9002 0.0.0.0
protocol websockets
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

8.2 Generating TLS Certificates

Terminal — Generate TLS Certificates
# === Set up the directory ===
sudo mkdir -p /etc/mosquitto/certs
# Let the current user write here while generating; ownership is reset in step 4
sudo chown "$USER" /etc/mosquitto/certs
cd /etc/mosquitto/certs

# === 1. Create the Certificate Authority (CA) ===
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/CN=MQTT-CA/O=BeebaneLabs/C=ID"

# === 2. Create the server certificate ===
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr \
  -subj "/CN=mqtt.example.com/O=BeebaneLabs/C=ID"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 365 \
  -extfile <(echo "subjectAltName=DNS:mqtt.example.com,IP:192.168.1.100")

# === 3. Create a client certificate (optional, for mutual TLS) ===
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr \
  -subj "/CN=esp32-sensor-01/O=BeebaneLabs/C=ID"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt -days 365

# === 4. Set permissions ===
# ca.key can sign new certificates: once signing is done, move it off the
# broker to offline storage
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs
sudo chmod 600 /etc/mosquitto/certs/*.key
sudo chmod 644 /etc/mosquitto/certs/*.crt

# === 5. Restart Mosquitto ===
sudo systemctl restart mosquitto

# === 6. Verify TLS ===
openssl s_client -connect localhost:8883 -CAfile ca.crt

8.3 System Hardening Checklist

| Step | Command / Configuration | Priority |
|---|---|---|
| Disable Anonymous | allow_anonymous false | 🔴 Mandatory |
| Enable TLS | Listener 8883 with certificates | 🔴 Mandatory |
| Use an ACL | acl_file /etc/mosquitto/aclfile | 🔴 Mandatory |
| Connection Limit | max_connections 500 | 🟡 Important |
| Rate Limiting | Firewall: limit new connections per second | 🟡 Important |
| Run as a Non-Root User | Default: user mosquitto | 🟡 Important |
| Firewall (UFW/iptables) | Open only ports 1883, 8883, 9001 | 🔴 Mandatory |
| Disable Unused Protocols | Remove the WebSocket listener if it is not used | 🟡 Important |
| Regular Updates | sudo apt update && sudo apt upgrade | 🟡 Important |
| Client Certificate (mTLS) | require_certificate true | 🟢 Optional |
| Network Isolation | Broker in a separate VLAN/DMZ | 🟢 Optional |

Terminal — Firewall Rules (UFW)
# === Set up the firewall for Mosquitto ===

# Allow non-TLS MQTT from the local subnet only
sudo ufw allow from 192.168.1.0/24 to any port 1883 proto tcp

# Allow MQTT over TLS from anywhere
sudo ufw allow 8883/tcp

# Allow WebSocket (optional)
sudo ufw allow 9001/tcp

# Allow SSH (do not forget!)
sudo ufw allow 22/tcp

# Enable the firewall
sudo ufw enable
sudo ufw status verbose
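
A configuration can be checked against part of the checklist above before the broker is restarted. The following is an added example, not part of the original tutorial or of Mosquitto: the function names and finding codes are hypothetical, the three sample configurations are constructed from the listener and authentication lines of sections 4.1, 4.2 and 8.1, and only the anonymous-access, ACL, TLS and bridge checks are covered.

```python
"""Lint a mosquitto.conf against part of the section 8.3 checklist (added example)."""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
LISTENER_KEYS = {"protocol", "cafile", "capath", "certfile", "keyfile", "tls_version"}

# Constructed samples: listener and auth lines taken from sections 4.1, 4.2 and 8.1.
CONF_TESTING = "listener 1883\nallow_anonymous true\n"
CONF_4_2 = """\
listener 1883 0.0.0.0
protocol mqtt
listener 9001 0.0.0.0
protocol websockets
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/aclfile
"""
CONF_8_1 = """\
listener 8883 0.0.0.0
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1.2
listener 1883 localhost
listener 9002 0.0.0.0
protocol websockets
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/aclfile
"""


def parse_conf(text):
    """Return (global options, list of per-listener option dicts)."""
    glob, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            port, _, addr = value.partition(" ")
            # An empty address means the listener binds to every interface.
            current = {"port": int(port), "addr": addr.strip()}
            listeners.append(current)
        elif key in LISTENER_KEYS and current is not None:
            current[key] = value
        else:
            glob[key] = value
    return glob, listeners


def audit(text):
    """Return a list of (code, detail) findings; an empty list means no finding."""
    glob, listeners = parse_conf(text)
    findings = []
    if glob.get("allow_anonymous") == "true":
        findings.append(("ANON", "allow_anonymous true"))
    if "acl_file" not in glob:
        findings.append(("NO_ACL", "no acl_file: every user may use every topic"))
    for lst in listeners:
        exposed = lst["addr"] not in LOOPBACK
        if exposed and "certfile" not in lst:
            findings.append(("PLAINTEXT", f"listener {lst['port']} has no TLS"))
        if lst.get("tls_version") in ("tlsv1", "tlsv1.1"):
            findings.append(("OLD_TLS", f"listener {lst['port']}: {lst['tls_version']}"))
    bridge_tls = any(k in glob for k in ("bridge_cafile", "bridge_capath"))
    if "remote_password" in glob and not bridge_tls:
        findings.append(("BRIDGE", "bridge password sent without TLS"))
    return findings


if __name__ == "__main__":
    samples = [("4.1 testing", CONF_TESTING), ("4.2", CONF_4_2), ("8.1", CONF_8_1)]
    for name, conf in samples:
        print(name, audit(conf) or "no findings")
```
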

9. Mosquitto Monitoring & Logging

Monitoring the MQTT broker is essential for ensuring the availability, performance, and security of the system. Mosquitto exposes internal information through the $SYS topics and through logging to a file or syslog.

9.1 Monitoring via $SYS Topics

Mosquitto automatically publishes broker statistics to the internal topic $SYS/broker/. You can subscribe to this topic to monitor the broker's state in real time.

Terminal — Monitor $SYS Topics
# === Subscribe to all $SYS topics ===
mosquitto_sub -h localhost -t '$SYS/#' -u admin -P pass123 -v

# === Example $SYS topic output ===
# $SYS/broker/version — Mosquitto version
# $SYS/broker/uptime — Time the broker has been running
# $SYS/broker/clients/connected — Connected clients
# $SYS/broker/clients/total — Total registered clients
# $SYS/broker/messages/sent — Total messages sent
# $SYS/broker/messages/received — Total messages received
# $SYS/broker/messages/publish — Total publish messages
# $SYS/broker/load/messages/received/1min — 1-minute load
# $SYS/broker/load/messages/sent/1min — 1-minute load
# $SYS/broker/retained messages/count — Retained messages
# $SYS/broker/subscriptions/count — Total subscriptions
# $SYS/broker/bytes/received — Total bytes received
# $SYS/broker/bytes/sent — Total bytes sent

# === Monitor connections only ===
mosquitto_sub -h localhost -t '$SYS/broker/clients/#' \
  -u admin -P pass123 -v

# === Monitor message stats only ===
mosquitto_sub -h localhost -t '$SYS/broker/messages/#' \
  -u admin -P pass123 -v

9.2 Logging Configuration

mosquitto.conf — Logging Configuration
# =============================================
# Logging Configuration
# =============================================
# (mosquitto.conf treats a line as a comment only when # is its first character)

# Log to a file
log_dest file /var/log/mosquitto/mosquitto.log

# Log to stdout (for the systemd journal)
log_dest stdout

# Log to syslog
log_dest syslog

# Log types to record
# Fatal errors
log_type error
# Warnings
log_type warning
# Important information
log_type notice
# General information
log_type information
# Subscribe/unsubscribe activity
log_type subscribe
log_type unsubscribe
# Debug detail (CAREFUL: very verbose!)
# log_type debug
# WebSocket-specific log
# log_type websockets

# Show client connection info
connection_messages true

# Timestamp format
log_timestamp true
log_timestamp_format %Y-%m-%dT%H:%M:%S

9.3 Log Rotation

/etc/logrotate.d/mosquitto — Log Rotation
/var/log/mosquitto/mosquitto.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 640 mosquitto mosquitto
    postrotate
        systemctl reload mosquitto 2>/dev/null || true
    endscript
}

9.4 A Simple Monitoring Script

Python — mqtt_monitor.py
#!/usr/bin/env python3
# mqtt_monitor.py — Monitor Mosquitto Broker via $SYS
# BeebaneLabs - https://beebanelabs.pages.dev

import paho.mqtt.client as mqtt
from datetime import datetime

BROKER = "localhost"
PORT = 1883
USERNAME = "admin"
PASSWORD = "admin_pass"

stats = {}

def on_connect(client, userdata, flags, rc, properties=None):
    if rc == 0:
        print("[OK] Monitor terhubung ke broker")
        client.subscribe("$SYS/#")
        print("[INFO] Memantau topik $SYS/#\n")
    else:
        print(f"[ERROR] Koneksi gagal: rc={rc}")

def on_message(client, userdata, msg):
    topic = msg.topic
    value = msg.payload.decode("utf-8")
    stats[topic] = value

    # Filter: show only the important information
    important = [
        "clients/connected",
        "messages/sent",
        "messages/received",
        "uptime",
        "version"
    ]

    for keyword in important:
        if keyword in topic:
            ts = datetime.now().strftime("%H:%M:%S")
            print(f"[{ts}] {topic}: {value}")
            break

def main():
    client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2, "monitor_01")
    client.username_pw_set(USERNAME, PASSWORD)
    client.on_connect = on_connect
    client.on_message = on_message

    client.connect(BROKER, PORT, keepalive=60)
    try:
        client.loop_forever()
    except KeyboardInterrupt:
        print("\n[INFO] Monitor dihentikan.")
        client.disconnect()

if __name__ == "__main__":
    main()
💡 Advanced Monitoring

For production-scale monitoring, consider Prometheus + Grafana with an MQTT exporter, or Telegraf to collect metrics from the $SYS topics and store them in InfluxDB. This combination enables real-time dashboards and automatic alerting when the broker has problems.

10. Quiz: Test Your Understanding!

After reading the tutorial above, answer the following 5 questions to test your understanding of setting up the Mosquitto MQTT broker:

Question 1: What happens if you run Mosquitto 2.x without configuring authentication?

a) The broker runs normally with anonymous access enabled
b) Clients get the error "Connection Refused: not authorised" because anonymous access is blocked by default
c) Mosquitto automatically creates a random username and password
d) The broker only listens on localhost

Question 2: Which command is used to create a new password file with the first user in Mosquitto?

a) mosquitto --create-password /etc/mosquitto/passwd admin
b) mosquitto_passwd -c /etc/mosquitto/passwd admin
c) mosquitto_user add admin /etc/mosquitto/passwd
d) htpasswd -c /etc/mosquitto/passwd admin

Question 3: What is the purpose of the bridge configuration in Mosquitto?

a) Automatically connecting MQTT clients with HTTP clients
b) Connecting two or more MQTT brokers so they forward messages to each other
c) Converting MQTT messages into REST API format
d) Duplicating the broker for automatic backup

Question 4: Which internal topic does Mosquitto use to publish broker statistics in real time?

a) _internal/stats/#
b) $SYS/broker/#
c) mosquitto/status/#
d) system/metrics/#

Question 5: Which of these is NOT part of security hardening for a production Mosquitto broker?

a) Enabling TLS/SSL on port 8883
b) Configuring an ACL to restrict topic access per client
c) Enabling allow_anonymous true so that all devices can connect
d) Running Mosquitto as a non-root user with a strict firewall