← 返回
安全合规
中文
MQTT
Implement MQTT messaging avoiding security, QoS, and connection management pitfalls.
实现MQTT消息传递,避免安全、QoS及连接管理方面的陷阱。
ivangdavila
安全合规
clawhub
v1.0.0 1 版本 99886.5 Key: 无需
#latest
概述
Security Traps
- Default Mosquitto allows anonymous connections — bots scan constantly, always configure auth
- TLS mandatory for external access — credentials travel plaintext otherwise
- Duplicate client IDs cause connection fights — both clients repeatedly disconnect each other
- ACLs should restrict topic access — one compromised device shouldn't read all topics
QoS Misunderstandings
- Effective QoS is minimum of publisher and subscriber — broker downgrades if subscriber requests lower
- QoS 1 may duplicate messages — handlers must be idempotent
- QoS 2 has significant overhead — only use for commands where duplicates cause problems
- QoS applies per-message — can mix within same topic
Topic Design Pitfalls
- Starting with
/ creates empty first level — home/temp not /home/temp - Wildcards only work in subscriptions — can't publish to
home/+/temperature # matches everything including nested — home/# gets home/a/b/c/d- Some brokers limit topic depth — check before designing deep hierarchies
Connection Management
- Clean session false preserves subscriptions — messages queue while disconnected, can surprise
- Keep-alive too long = delayed dead client detection — 60s is reasonable default
- Reconnection logic is client responsibility — most libraries don't auto-reconnect by default
- Will message only fires on unexpected disconnect — clean disconnect doesn't trigger it
Retained Message Traps
- Retained messages persist until explicitly cleared — old data confuses new subscribers
- Clear retained with empty message + retain flag — not obvious from docs
- Birth/will pattern: publish "online" retained on connect, will publishes "offline"
Mosquitto Specifics
persistence true survives restarts — without it, retained messages and subscriptions lostmax_queued_messages prevents memory exhaustion — one slow subscriber shouldn't crash brokerlistener 1883 0.0.0.0 binds all interfaces — use 127.0.0.1 for local-only
Debugging
- Subscribe to
# sees all traffic — never in production, leaks everything $SYS/# exposes broker metrics — client count, bytes, subscriptions- Retained messages persist after fixing issues — explicitly clear them
mosquitto_sub -v shows topic with message — essential for debugging
版本历史
共 1 个版本
-
v1.0.0
当前
2026-03-28 22:27 安全 安全
安全检测
腾讯云安全 (Sanbu)
安全,无风险
查看报告
🔗 相关推荐
security-compliance
spclaudehome
AI智能体技能安全预审工具。安装ClawdHub、GitHub等来源技能前,检查风险信号、权限范围及可疑模式。
★ 1,215
📥 266,534
ai-intelligence
ivangdavila
自我反思+自我批评+自我学习+自组织记忆。智能体评估自身工作、发现错误并持续改进。
★ 1,358
📥 318,365
security-compliance
thomaslwang
MoltGuard — OpenClaw 安全守卫,由 OpenGuardrails 提供。安装 MoltGuard,保护您和您的用户免受提示注入、数据泄露和恶意攻击。
★ 116
📥 30,720