Starting with Mosquitto 2.0, the default configuration will only bind to loopback addresses.
Starting with Mosquitto 2.0, no configuration except the loopback-only one will allow anonymous connections unless explicitly configured to do so.
In other words: Starting with Mosquitto 2.0, users must make an explicit choice to expose the MQTT server beyond the local host.
This container will respect that change in security posture, while maintaining some unRAID ease-of-use, by implementing the following in this PR:
- [x] Detect that a user has not performed any explicit listener configuration and exit the container with an error code
- [x] Provide two easy-to-use default security choices, including a legacy-style "expose MQTT server for anonymous login on port 1883" and a simple password file based authenticated configuration, but require the user to explicitly configure either option.
- [x] Provide an environment variable `RUN_INSECURE_MQTT_SERVER` to select the legacy behavior in a single step. This will not be set by default, but is easy to add via unRAID.
- [x] Update the README to reflect these changes
- [x] Update the unRAID template to expose (but not set) the single-step legacy option
Major breaking changes from upstream:
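The startup gate in the checklist above, sketched as an added example; this is not the script from this PR. The function names, the value `1` for `RUN_INSECURE_MQTT_SERVER`, the exit status 1 and the file arguments are assumptions; `listener` and `allow_anonymous` are standard `mosquitto.conf` directives.

```shell
#!/bin/sh
# Added example (not the PR's script): refuse to start unless the user made an
# explicit exposure choice. Function names and exit status are assumptions.

# has_explicit_listener FILE
# Succeeds when FILE contains an uncommented `listener <port>` directive.
# Files pulled in through include_dir are not inspected in this sketch.
has_explicit_listener() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*listener[[:space:]]+[0-9]+' "$1"
}

# choose_startup_mode FILE
# Prints one of: configured | insecure-legacy | refuse.
# An explicit listener in FILE always wins over the environment variable.
choose_startup_mode() {
    if has_explicit_listener "$1"; then
        echo configured
    elif [ "${RUN_INSECURE_MQTT_SERVER:-}" = "1" ]; then  # value "1" is assumed
        echo insecure-legacy
    else
        echo refuse
    fi
}

# startup_gate USER_CONF GENERATED_CONF
# Returns 0 when the broker may start; in legacy mode it first writes the
# anonymous port-1883 configuration to GENERATED_CONF. Returns 1 otherwise.
startup_gate() {
    case "$(choose_startup_mode "$1")" in
        configured)
            return 0 ;;
        insecure-legacy)
            echo "WARNING: RUN_INSECURE_MQTT_SERVER set, anonymous MQTT on 1883" >&2
            printf 'listener 1883\nallow_anonymous true\n' > "$2" ;;
        *)
            echo "ERROR: no listener configured; refusing to start" >&2
            return 1 ;;
    esac
}

# Entrypoint usage (paths are placeholders):
#   startup_gate "$USER_CONF" "$GENERATED_CONF" || exit $?
```

A commented-out `# listener 1883` line does not count as an explicit choice, so a pristine default configuration is refused unless the variable is set.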