|
|
|
|
|
|
by fullstop
1963 days ago
|
|
|
I found it to be much easier to put haproxy in TCP mode in front of mosquitto than to use mosquitto's TLS capabilities. This lets me reload the certificate without restarting mosquitto. My local devices (esp8266) can't really handle TLS well, but I want access from outside of my local network to be encrypted. This lets them operate in plain-text mode locally, with firewall rules forcing outside access to be secure. |
|
|
That's exactly what this post does only with Traefik instead of haproxy. The TLS of Mosquitto is just too much of a maintenance burden.
A cross post from what I replied at a Reddit topic:
> Mosquitto does have TLS support by itself, but the manual only deals with self-signed certificates. Self-signed certificates do involve a maintenance burden I don't want to deal with. All my applications/devices which expose a HTTP frontend (or other TCP stream) are encrypted via Let's Enncrypt certificates. They are automatically trusted by a lot of platforms (pc's, phones and other devices).
> I was using acme.sh before and the post-install hook can refresh every service, but it just wasn't working properly on every occasion. You also have to reload all your applications for loading the new certs (that is, Home Assistant, Unifi, Pi-hole, mosquitto, my smart meter readings platform and so on). Just reloading everything for a cert renew felt cumbersome, and Traefik dealing with TLS termination decouples the TLS part from the application itself.
> Since I used Traefik already, it was really straightforward to put Mosquitto behind Traefik too. Of course every situation is different, this post is mainly geared towards users which do not authenticate or encrypt Mosquitto at all.