My local devices (ESP8266) can't really handle TLS well, but I want access from outside of my local network to be encrypted. This lets them operate in plain-text mode locally, with firewall rules forcing outside access to be secure.
That's exactly what this post does, only with Traefik instead of HAProxy. The TLS in Mosquitto itself is just too much of a maintenance burden.
A cross-post of what I replied in a Reddit thread:
> Mosquitto does have TLS support by itself, but the manual only deals with self-signed certificates. Self-signed certificates do involve a maintenance burden I don't want to deal with. All my applications/devices which expose an HTTP frontend (or other TCP stream) are encrypted via Let's Encrypt certificates. They are automatically trusted by a lot of platforms (PCs, phones and other devices).
> I was using acme.sh before, and the post-install hook can refresh every service, but it just wasn't working properly on every occasion. You also have to reload all your applications to load the new certs (that is, Home Assistant, Unifi, Pi-hole, Mosquitto, my smart meter readings platform and so on). Just reloading everything for a cert renewal felt cumbersome, and Traefik dealing with TLS termination decouples the TLS part from the application itself.
> Since I used Traefik already, it was really straightforward to put Mosquitto behind Traefik too. Of course every situation is different; this post is mainly geared towards users who do not authenticate or encrypt Mosquitto at all.
I used jpmens/mosquitto-auth-plug <https://github.com/jpmens/mosquitto-auth-plug> for the Mosquitto side of things, with a query along the lines of:
    SELECT "hardcoded password hash" FROM oauth_access_tokens WHERE access_token = "%s" AND scope REGEXP "\bmqtt\b";

There is also no mention in the article of what is being used for internal DNS resolution. I could assume Pi-hole, but something to resolve DNS on the home network is required for this operation.
The biggest issue I have is with the client side and its various support of TLS and getting a trusted CA certificate distributed. This is the harder part of the equation in my opinion, support is getting better with firmwares like Tasmota but getting some third party IoT device to work over TLS is still a challenge.
Besides this trade-off, you have to check beforehand that all clients are TLS-aware. In my setup, all clients were capable of TLS. The only hassle is my NodeMCU devices, which need to swap the WifiClient for a WifiSSLClient, and you need to embed the public DST Root CA X3 yourself.
The last time I tried to use LetsEncrypt for a local server, several years ago, this could not be done. Has this changed?
DNS registration. You can get Let's Encrypt validation through a DNS token for validation. You can generally script that using the API provided by your DNS provider.
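The setup described in the cross-post above (Traefik terminating TLS in front of a plain-text Mosquitto) combined with the DNS-based validation mentioned in this reply, written out as an added Traefik v2 configuration example. This is not configuration from the original post or from the Traefik/Mosquitto projects; the hostname mqtt.example.com, the e-mail address, the Cloudflare provider, the container name "mosquitto" and the file paths are assumptions and must be replaced with your own.

```yaml
# --- traefik.yml (static configuration), added example, not from the original post ---
entryPoints:
  # Public MQTT-over-TLS entrypoint. Only this port should be reachable from
  # outside; the plain 1883 listener stays LAN-only via your firewall.
  mqtts:
    address: ":8883"

certificatesResolvers:
  le:
    acme:
      email: admin@example.com          # assumed; use your own address
      storage: /letsencrypt/acme.json   # assumed path; keep this file private (chmod 600)
      # DNS-01 challenge: works for hosts that are not reachable from the
      # internet over port 80/443, which is the case raised above for a local server.
      # The provider credentials are read from the environment, for Cloudflare
      # that is CF_DNS_API_TOKEN (assumed provider; pick yours from Traefik's list).
      dnsChallenge:
        provider: cloudflare

providers:
  file:
    directory: /etc/traefik/dynamic   # assumed; holds the dynamic config below
    watch: true

# --- /etc/traefik/dynamic/mqtt.yml (dynamic configuration) ---
tcp:
  routers:
    mqtt:
      entryPoints:
        - mqtts
      # HostSNI is required for a TLS-terminated TCP router; clients must
      # send SNI (mosquitto_pub/-sub and paho do, most Arduino TLS clients do too).
      rule: "HostSNI(`mqtt.example.com`)"
      service: mosquitto
      # A "tls" section WITHOUT "passthrough: true" means Traefik terminates
      # TLS here and forwards plain MQTT to the broker.
      tls:
        certResolver: le

  services:
    mosquitto:
      loadBalancer:
        servers:
          # Plain-text listener of the broker; Mosquitto needs no TLS config at all.
          - address: "mosquitto:1883"   # assumed container/host name
```

Two checks worth doing after applying this: confirm from outside that only 8883 answers (and that 1883 is blocked by the firewall rule the first comment refers to), and confirm the certificate chain with a client that validates it, for example `mosquitto_sub -h mqtt.example.com -p 8883 --cafile /etc/ssl/certs/ca-certificates.crt -t test -v`. Note that TLS termination at Traefik encrypts the WAN hop only; the Traefik-to-broker leg is plain text and should stay on the trusted LAN or inside the same container network. Authentication is still the broker's job, since Traefik's TCP router does not authenticate MQTT clients.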
For TLS you can use pre-shared key mode so there's no extra gubbins like certificates, but you get all the same guarantees about whether what you're doing is actually safe as the big guys.
MQTT is a specific implementation of a general approach to buses. This is widely used for asynchronous communication between services.
I use MQTT (or other buses) when I have services that need to send some information without consideration for the services that need that information. The first ones are producers, the other ones - consumers.
This is a very powerful approach when you have good cases. IoTs are typical cases where they send data and something else makes use of them. Another example is code that calculates some information and emits its results.
Some of my code retrieves Google Calendar information and emits it, and that is consumed by a dashboard, some other code that makes decisions such as alarm clocks, etc.
In general you use this for asynchronous messaging, especially with one-to-many scenarios.
I run it to communicate with many more applications. It just depends on your own preferences. For example, some tools provide an API (local or cloud based) and you can directly plug into that API. In the Netherlands you can read your electricity meter yourself with "Dutch Smart Meter Readings" (DSMR), and DSMR integrates into Home Assistant with MQTT. I use Z-Wave as wireless mesh technology for lights and switches, and the Z-Wave controller integrates into Home Assistant with MQTT.
MQTT is so easy to set up and configure, you can use it for any messaging you want. As an example, I run Home Assistant locally to run my home automations, but also to check the status of my local devices and online servers (DigitalOcean droplets). One use case is my backup script, which publishes the backup results to an online MQTT server; my Home Assistant checks the topics at that server to display backup stats locally. If something went wrong, Home Assistant notifies me directly. PS. The backup script also sends out e-mails which I filter in Fastmail: the success mails are trashed and only error messages are kept in the inbox ;)
HTTP is 1:1. MQTT can be 1:many.
What you use completely depends on your specific case.
Some of the functionality has been added to the MQTTv5 spec, but client support is not as good for that yet, and it's not as battle-tested as AMQP.