Installing mosquitto MQTT broker on Ubuntu

MQTT is a very handy and lightweight subscribe/publish system. It creates some kind of universal language set up communications between multiple applications. Those applications can run on a mobile phone, on a desktop PC or even microprocessors.
Mosquitto is a frequentkly used broker to manage the communication between subscribers and publishers.

The installation of Mosquitto on Ubuntu is as easy as typing:

sudo apt-get install mosquitto mosquitto-clients

Playing with MQTT

Open two terminals on your Ubunty machine. You can do this from a windows machine using Putty. One terminal will be used to subscibe to a topic, the other to publish stuff to the topic.

On one terminal subscribe to a test topic:

mosquitto_sub -v -t 'mqtt/test'

On the second terminal publish a test message:

mosquitto_pub -t 'mqtt/test' -m 'Hello subscriber!'

If you want to test the broker remotely the host must be included in the commands:

mosquitto_sub -v -h 127.0.0<span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span>.1 -t 'mqtt/test' mosquitto_pub -h -t 'mqtt/test' -m 'Hello subscriber!' 

MQTT proxy with nginx

To add some layer of security we will use nginxto act as a proxy for mosquitto. This means that mosquitto won’t be directly accessible from an other location than the localhost without going trough nginx. Your server should be configured according to my previous post on how to install an IoT server on Ubuntu.

sudo nano /etc/mosquitto/mosquitto.conf

Since we will be running behind nginx, make the MQTT service listen on localhost only. Later we will configure nginx to listen on port 8883 (the default port for MQTT over SSL).
Add te following line at the bottom of the configuration:

bind_address localhost

When mosquitto is accessible from the internet it’s recommended to require authentication with username and password. Add the following lines to the configuration file:

allow_anonymous false
password_file /etc/mosquitto/passwords

Create the password file and the first user with:

sudo mosquitto_passwd -c /etc/mosquitto/passwords username

Now restart the broker to make te configuration changes effective:

sudo service mosquitto restart

To test authentication, attempt to subscribe to any topic. A valid username and password should work, a subscription attempt with invalid credentials should be rejected.

mosquitto_sub -t 'mqtt/test' -u username -P secret

Configure nginx

On the IoT server open the default nginx coniguration and note the ssl_certificate and ssl_certificate_key parameters generated by certbot.

less /etc/nginx/sites-available/default

Navigate to the nginx configuration and open it:

cd /etc/nginx/
sudo nano nginx.conf

At te bottom of the configuration file add the following lines:

stream {
    upstream mosquitto {
        server localhost:1883;

    server {
        listen 8883 ssl;
        proxy_pass mosquitto;
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;

Reload nginx

sudo service nginx reload

Add a firewall rule for the proxy:

sudo ufw allow 8883

Also make sure the port is forwarded to your server if your using a server behind a router.

A next step will be installing Node RED. In combination with Node RED we will be able to play even more with MQTT!

Leave a Reply

Your email address will not be published. Required fields are marked *

Name *
Email *

This site uses Akismet to reduce spam. Learn how your comment data is processed.