-
-
Save natcl/ed8253a34e7b87d879baabeba82cb846 to your computer and use it in GitHub Desktop.
version: "3.3" | |
services: | |
traefik: | |
image: "traefik:v2.2" | |
container_name: "traefik" | |
command: | |
- "--api=true" | |
- "--api.dashboard=true" | |
- "--providers.docker=true" | |
- "--providers.docker.exposedbydefault=false" | |
# Entrypoints | |
- "--entrypoints.web.address=:80" | |
- "--entrypoints.websecure.address=:443" | |
- "--entrypoints.mqtt.address=:8883" | |
# Redirect http to https | |
- "--entrypoints.web.http.redirections.entrypoint.to=websecure" | |
- "--entrypoints.web.http.redirections.entrypoint.scheme=https" | |
# Let's encrypt configuration | |
- "--certificatesresolvers.myresolver.acme.tlschallenge=true" | |
- "[email protected]" | |
- "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json" | |
ports: | |
- "80:80" | |
- "443:443" | |
- "8883:8883" | |
volumes: | |
- "./letsencrypt:/letsencrypt" | |
- "/var/run/docker.sock:/var/run/docker.sock:ro" | |
labels: | |
- "traefik.enable=true" | |
- "traefik.http.routers.dashboard.rule=Host(`traefik.zoo.ocean.mofa.studio`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))" | |
- "traefik.http.routers.dashboard.entrypoints=websecure" | |
- "traefik.http.routers.dashboard.service=api@internal" | |
- "traefik.http.routers.dashboard.tls.certresolver=myresolver" | |
- "traefik.http.routers.dashboard.middlewares=auth" | |
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0" | |
whoami: | |
image: "containous/whoami" | |
container_name: "simple-service" | |
labels: | |
- "traefik.enable=true" | |
- "traefik.http.routers.whoami.rule=Host(`whoami.zoo.ocean.mofa.studio`)" | |
- "traefik.http.routers.whoami.entrypoints=websecure" | |
- "traefik.http.routers.whoami.tls.certresolver=myresolver" | |
mqtt: | |
image: "eclipse-mosquitto" | |
container_name: "mosquitto" | |
expose: | |
- "8883" | |
- "9001" | |
volumes: | |
- "./mosquitto.conf:/mosquitto/config/mosquitto.conf" | |
labels: | |
- "traefik.enable=true" | |
- "traefik.http.routers.mqtt.rule=Host(`mqtt.zoo.ocean.mofa.studio`)" | |
- "traefik.http.routers.mqtt.entrypoints=websecure" | |
- "traefik.http.routers.mqtt.tls.certresolver=myresolver" | |
- "traefik.tcp.routers.mqtt.rule=HostSNI(`*`)" | |
- "traefik.tcp.routers.mqtt.tls.certresolver=myresolver" | |
- "traefik.tcp.services.mqtt.loadbalancer.server.port=8883" | |
- "traefik.tcp.routers.mqtt.entrypoints=mqtt" | |
- "traefik.http.services.mqtt.loadbalancer.server.port=9001" | |
nodered: | |
image: "nodered/node-red" | |
container_name: "nodered" | |
labels: | |
- "traefik.enable=true" | |
- "traefik.http.routers.nodered.rule=Host(`nodered.zoo.ocean.mofa.studio`)" | |
- "traefik.http.routers.nodered.entrypoints=websecure" | |
- "traefik.http.routers.nodered.tls.certresolver=myresolver" | |
- "traefik.http.services.nodered.loadbalancer.server.port=1880" |
port 8883 | |
listener 9001 | |
protocol websockets |
Nice docker script. But for using TCP TLS with 8883 port you should change protocol to mqtt instead websocket into mosquitto.conf .
The configuration works for mosquitto 1.x but the ´port’ configuration is deprecated so I will update it.
The goal is to have both TCP and websockets, that’s why both configurations are there.
In this way, I'm guessing some malicious client can also pub/sub to your mqtt broker if somebody knows your server URI.
Am I correct??
I'm trying to setup client certificate type of authentication but with no luck. mqtt broker is behind Traefik as you do.
a reference of client certificate type of authentication is here:
https://primalcortex.wordpress.com/2016/11/08/mqtt-mosquitto-broker-client-authentication-and-client-certificates/
Do you have any experience on this??
I use mosquitto authentication to secure the broker, could this be enough for your use case ?
Thank you for your help!
Very short answer is No.
Why I am doing this because I'd like to run eclipse-mosquitto broker (mqqts) on 443/tcp to make some firewalls happy.
My broker is a part of Netmaker (https://github.com/gravitl/netmaker) system that needs client certificate authentication.
I tried tls.passthrough with hostSNI("*") but no luck,,
I believe this could work but I doubt you'll be able to make it work using let's encrypt, you'll probably need you own certificates.
Yes, without reverse proxy, client cert authentication works perfect with own ca. but behind traefik it doesn’t work,,
Thank you
Hi, a doubt..in your docker-compose file why are you using the entrypoint for 8883 if you are using the websecure entrypoint in the mqtt section config?
@iboluda The 8883 entry point is for TCP connections while the 443 is for web sockets, does that answer your question ?
Thanks for clarify me that point. Yes that answer my question
Can you try using my examples to see if it works ? Yours are quite modified so I'm not sure where the issue could be....