TODO
- [ ] Check how the broker (Mosquitto) manage the data
- [ ] Check the security with SSL
- [ ] Check the authentication
- [ ] Check WPS for authentication
- [x] Wait to DNS spread and create the cert using certbot for
mosquitto.wimp.today - [ ] Assess all possibilities of security
MQTT
security concerns
- Standard port: 1883
- MQTT over SSL: 8883
- SSL adds overhead
- MQTT is the protocol
- Differences between MQTT v3 and v5
- Front-end for Mosquitto
- Check how to use the version 5.
- Mosquitto v1.6+ support MQTT v5
- tutorial first setup
- tutorial security
- tutorial certbot
- tutorial mqtt essentials and best practices
AWS
- Public IP of instances are reset when it STOP
- Use Elastic IP, which is paid
Mosquitto
Mosquitto is the message broker that implements MQTT
Setup Mosquitto server
Mosquitto versions
adduser mosquitto
# requirements for ubuntu
apt-get update
apt-get install build-essential libwrap0-dev libssl-dev libc-ares-dev uuid-dev xsltproc
# download and install
cd /home/mosquitto
wget http://mosquitto.org/files/source/mosquitto-VERSION.tar.gz
tar xvzf mosquitto-VERSION.tar.gz
cd mosquitto-VERSION
make
make install
# create the user for mosquitto
mosquitto_passwd -c /etc/mosquitto/pwfile MY_USER
mkdir /var/lib/mosquitto/
chown mosquitto:mosquitto /var/lib/mosquitto/ -R
# config file
vim /etc/mosquitto/mosquitto.conf
# configure dynamic linker run-time bindings
/sbin/ldconfig
# run
mosquitto -c /etc/mosquitto/mosquitto.conf
mosquitto.conf (see docs):
listener 8883
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
allow_anonymous false
password_file /etc/mosquitto/pwfile
# extra options
tls_version tlsv1.3
Server running after boot
sudo vim /etc/systemd/system/mosquitto.service
sudo chmod 644 /etc/systemd/system/mosquitto.service
sudo systemctl enable mosquitto
[Unit]
Description=Mosquitto server.
[Service]
ExecStart=/usr/local/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
[Install]
WantedBy=multi-user.target
Mosquitto with CertBot
The DNS type A must be pointed to the server IP.
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot
sudo ufw allow 80 # or 443
sudo certbot certonly --standalone --preferred-challenges http -d MY_SERVER_DNS
- TODO: check problems when using port 443
- TODO: add automatic renew of the certs
- TODO: make it work
Publishing
see docs
- Example:
mosquitto_pub -h SERVER -p 8883 -V mqttv5 -i sensor-test --tls-version tlsv1.3 -t 'TOPIC' -m "My msg" -u USER -P PASS SERVER: the IP address of the serverTOPIC: the topic you want to publish (see best practices)- MESSAGE: MQTT imposes a maximum payload size of 268435455 bytes.
- Can be modified
- Check WILL
Subscribing
see docs
Misc
- paho
- mysql cheat sheet
- Deny/Allow ports firewall:
sudo ufw deny 80
