I've recently started experimenting with MQTT, in particular the Mosquitto broker. After quite a bit of trial & error and plenty of man page reading I've managed to get things working nicely.
- SSL/TLS connections
- Websockets proxied through Apache (ws:// and wss://)
- ACLs for anonymous access
- ACLs for username/password access
- Bridging selected local topics to the io.adafruit.com service
A visualisation of the topics I currently have is shown below, followed by configuration sections for the various options.
All configuration is based on an Ubuntu installation of Mosquitto.
Basic Server Config
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
#log_type all
acl_file /etc/mosquitto/acl.conf
password_file /etc/mosquitto/passwords
include_dir /etc/mosquitto/conf.d

Note that there is no allow_anonymous line. Mosquitto 1.x defaults it to true, which is what the anonymous section of the ACL file below relies on; Mosquitto 2.0 and later default it to false once a listener is configured, so on those versions it has to be set explicitly. Because acl_file is set, a client that matches no ACL rule is denied access.
Contents of /etc/mosquitto/acl.conf:

# only allow anonymous users specific access
topic read #
topic read $SYS/broker/messages/#

# Allow user web to read anywhere
user web
topic read #
topic read $SYS/#

# Allow user sensor to write anywhere
user sensor
topic readwrite #

Rules before the first user line apply to anonymous clients; each user line starts a section that applies only to that username. The # wildcard never matches topics whose first level begins with $, so topic read # grants no access to $SYS/ topics, which is why the $SYS/ rules are listed separately. The net effect is that anonymous clients may read every ordinary topic plus the broker message counters under $SYS/broker/messages/, web may read every topic including all of $SYS/, and sensor may read and write every ordinary topic (but still nothing under $SYS/).
Generate your password file using
Set the owner, group and permissions on the password file so that only root and the mosquitto group can read it; the broker runs as the mosquitto user, and the file must not be world-readable:
-rw-r----- 1 root mosquitto 229 Feb 4 20:18 /etc/mosquitto/passwords
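ACL files are easy to get wrong, and the only feedback the broker gives is a refused publish or a silent lack of messages. The following is an added example for this post (it is not the post's own code and not part of the Mosquitto project): a small offline evaluator that parses the ACL file shown above and answers "may this client read or write this topic?" using the acl_file rules from mosquitto.conf(5), so a file can be checked before the broker is restarted with it. The ACL text is the post's file embedded verbatim; the pattern rule, the usernames intruder and client-1 and the topic names in the checks are constructed for the demonstration. Only concrete topic names are evaluated, not subscriptions containing wildcards.

```python
"""Offline evaluator for a Mosquitto acl_file (added example, not project code)."""

# The ACL file from the post, embedded verbatim so the example runs stand-alone.
ACL_FILE = """\
# only allow anonymous users specific access
topic read #
topic read $SYS/broker/messages/#
# Allow user web to read anywhere
user web
topic read #
topic read $SYS/#
# Allow user sensor to write anywhere
user sensor
topic readwrite #
"""

# Constructed addition (not in the post): a pattern rule that confines every
# authenticated user to its own subtree; %u is replaced by the username.
PATTERN_RULE = "pattern readwrite devices/%u/#\n"


def topic_matches(sub, topic):
    """MQTT topic-filter matching: '+' matches one level, '#' this level and below.

    A filter that starts with a wildcard never matches a topic whose first level
    starts with '$', so 'topic read #' grants nothing under $SYS/.
    """
    if topic.startswith("$") and sub.startswith(("#", "+")):
        return False
    sub_parts, topic_parts = sub.split("/"), topic.split("/")
    for i, part in enumerate(sub_parts):
        if part == "#":
            return True
        if i >= len(topic_parts) or (part != "+" and part != topic_parts[i]):
            return False
    return len(sub_parts) == len(topic_parts)


def parse_acl(text):
    """Return (rules, patterns).

    rules maps username -> [(access, filter)]; key None holds the rules before
    the first 'user' line, which Mosquitto applies to anonymous clients.
    patterns holds 'pattern' lines, which apply to every client after %u/%c
    substitution. Only whole lines starting with '#' are comments, because
    '#' is also the multi-level wildcard.
    """
    rules, patterns, current = {None: []}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "user" and len(words) == 2:
            current = words[1]
            rules.setdefault(current, [])
        elif words[0] in ("topic", "pattern") and len(words) in (2, 3):
            if len(words) == 3:
                access, topic_filter = words[1], words[2]
                if access not in ("read", "write", "readwrite"):
                    raise ValueError("bad access type: " + line)
            else:
                access, topic_filter = "readwrite", words[1]  # default access
            (patterns if words[0] == "pattern" else rules[current]).append((access, topic_filter))
        else:
            raise ValueError("unparseable ACL line: " + line)
    return rules, patterns


def acl_allows(rules, patterns, username, client_id, topic, access):
    """access is 'read' or 'write'; anonymous clients pass username=None.

    With acl_file set, a client matching no rule is denied, so an authenticated
    user without a 'user' section gets nothing unless a pattern line grants it.
    """
    assert access in ("read", "write")
    candidates = list(rules.get(username, []))
    for acc, pat in patterns:
        if "%u" in pat and username is None:
            continue  # %u patterns cannot apply to anonymous clients
        candidates.append((acc, pat.replace("%u", username or "").replace("%c", client_id)))
    return any(acc in (access, "readwrite") and topic_matches(pat, topic)
               for acc, pat in candidates)


def check_table(acl_text, checks, client_id="client-1"):
    """Evaluate (username, topic, access) triples; returns a list of booleans."""
    rules, patterns = parse_acl(acl_text)
    return [acl_allows(rules, patterns, u, client_id, t, a) for u, t, a in checks]


if __name__ == "__main__":
    checks = [  # constructed sample checks against the post's ACL file
        (None, "sensors/temperature", "read"),
        (None, "sensors/temperature", "write"),
        (None, "$SYS/broker/uptime", "read"),
        (None, "$SYS/broker/messages/sent", "read"),
        ("web", "$SYS/broker/uptime", "read"),
        ("web", "adafruit.io/throttle", "write"),
        ("sensor", "adafruit.io/throttle", "write"),
        ("sensor", "$SYS/broker/uptime", "read"),
        ("intruder", "sensors/temperature", "read"),
    ]
    for (user, topic, access), ok in zip(checks, check_table(ACL_FILE, checks)):
        print(f"{user or '<anonymous>':>11} {access:5} {topic:28} {'ALLOW' if ok else 'DENY'}")
```

Run as a script it prints one ALLOW/DENY line per check; the ones worth noticing are that anonymous and sensor are both denied $SYS/broker/uptime despite their # rules, and that an authenticated user with no section (intruder) gets nothing at all. Appending PATTERN_RULE to the file (parse_acl(ACL_FILE + PATTERN_RULE)) shows how a single pattern line grants each user its own devices/<username>/ subtree without listing users individually.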
Secure/Insecure MQTT config
listener 1883

listener 8883
cafile /path/to/chain-ca.pem
certfile /path/to/cert.pem
keyfile /path/to/privkey.pem

Port 1883 is plain MQTT: usernames and passwords sent to it cross the network unencrypted. If it is only needed by clients on the broker host, give the listener line a bind address (listener 1883 localhost) so it is not reachable from outside. The private key file must be readable by the user the broker runs as, but should not be world-readable.
Secure/Insecure Websockets config
listener 8080
protocol websockets

listener 8083
protocol websockets
cafile /path/to/chain-ca.pem
certfile /path/to/cert.pem
keyfile /path/to/privkey.pem

Port 8080 carries unencrypted WebSocket traffic. If it exists only so that Apache (see below) can proxy to it, bind it to localhost (listener 8080 localhost) so that browsers cannot bypass the TLS-terminating proxy and talk to it directly; 8083 is the one to expose for direct wss:// clients.
Bridge config for io.adafruit.com

connection bridge_adafruit
address io.adafruit.com:8883
remote_username <username>
remote_password <aio key>
start_type automatic
bridge_protocol_version mqttv311
bridge_capath /etc/ssl/certs/
notifications false
try_private false
topic throttle in 0 adafruit.io/ <username>/feeds/
topic welcome-feed both 0 adafruit.io/ <username>/feeds/

bridge_capath points at the system CA store so that the certificate presented by io.adafruit.com is verified rather than accepted blindly. The AIO key is a credential, so the file holding this section (for example a file under /etc/mosquitto/conf.d) deserves the same restricted permissions as the password file. Each topic line is pattern, direction, QoS, local prefix, remote prefix: throttle is received from the remote topic <username>/feeds/throttle and republished locally as adafruit.io/throttle, while welcome-feed flows in both directions between adafruit.io/welcome-feed locally and <username>/feeds/welcome-feed on the remote side. Nothing else leaves the local broker.
Apache config for proxying
Place this within your <VirtualHost *:80> or <VirtualHost *:443> directive. If your VHost is a secure one then the SSL/TLS websocket connection will be handled by Apache and transparently proxied to the local MQTT broker; all communication between the browser and Apache will be secured, while the hop from Apache to the broker on localhost is plain ws://. In a *:80 VHost the browser connection is plain ws:// as well, so any MQTT credentials the page uses are sent in the clear.

This requires the mod_proxy_wstunnel module to be enabled (a2enmod proxy proxy_wstunnel on Ubuntu).

<Location "/mqtt">
    ProxyPreserveHost On
    ProxyPass ws://localhost:8080/mqtt
    ProxyPassReverse ws://localhost:8080/mqtt
</Location>