Hi,
does mosquitto_client support the TLS server_name extension (SNI)?
My use case:
I want to run a mosquitto broker via the MQTT protocol as well as the WEBSOCKET protocol on port 443 to keep firewalls happy.
But I do not want to waste IP addresses for each protocol. The mosquitto library should be used from iOS to connect to the broker via SNI.
The broker setup:
I implement VirtualHosting by putting a bunch of independent mosquitto brokers behind a TCP load balancer (HAProxy), doing the SSL termination at each broker instead of the load balancer. So I am using HAProxy as an SSL relay.
Therefore, the mosquitto client (or any other MQTT client) has to set the ‘server_name’ in order for HAProxy to route to the correct backend server.
Is this already implemented in mosquitto? Would it be hard to do?
It looks like the Golang mqtt client might already support this by setting the TLSConfig:
Thank you for your help,
Jan
A HAProxy config might look like this:
The mosquitto client might connect to `mqttproxy.mydomain.com` passing the server_name `broker_0_mqtt.mydomain.com`, which will cause HAProxy to route the request to my first broker using the MQTT protocol.
Browsers already support SNI. So a browser might connect to `mqttproxy.mydomain.com` as well, with the server_name `broker_0_websocket.mydomain.com`, and will get the WEBSOCKET protocol.
```
frontend tlsrelay
    bind *:443
    maxconn 40000
    timeout client 3h
    option tcpka
    tcp-request inspect-delay 1s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend bk_tlsrelay

backend bk_tlsrelay
    option tcpka
    timeout server 3h
    option ssl-hello-chk

    acl acl_broker_0_mqtt      req_ssl_sni -i broker_0_mqtt.mydomain.com
    acl acl_broker_0_websocket req_ssl_sni -i broker_0_websocket.mydomain.com
    acl acl_broker_1_mqtt      req_ssl_sni -i broker_1_mqtt.mydomain.com
    acl acl_broker_1_websocket req_ssl_sni -i broker_1_websocket.mydomain.com

    server server_0_mqtt      192.168.1.1:8883
    server server_0_websocket 192.168.1.1:9002
    server server_1_mqtt      192.168.1.2:8883
    server server_1_websocket 192.168.1.2:9002

    use-server server_0_mqtt      if acl_broker_0_mqtt
    use-server server_0_websocket if acl_broker_0_websocket
    use-server server_1_mqtt      if acl_broker_1_mqtt
    use-server server_1_websocket if acl_broker_1_websocket
```
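As an added illustration of the mechanism the relay above depends on (not code from the post, from mosquitto or from HAProxy): a Python client that sets `server_hostname` on the TLS context emits a ClientHello carrying the server_name extension, and the relay can route on that name before any TLS termination happens; a client that sets no name gives the relay nothing to route on. The `BACKENDS` table is constructed to mirror the four ACL/server pairs in the config; only the standard `ssl` module is used.

```python
import ssl

# Routing table constructed to mirror the HAProxy ACLs and servers in the post.
BACKENDS = {
    "broker_0_mqtt.mydomain.com": ("192.168.1.1", 8883),
    "broker_0_websocket.mydomain.com": ("192.168.1.1", 9002),
    "broker_1_mqtt.mydomain.com": ("192.168.1.2", 8883),
    "broker_1_websocket.mydomain.com": ("192.168.1.2", 9002),
}

def client_hello_for(server_name=None):
    """Return the raw TLS record a client sends first; SNI appears only if server_name is set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no peer here; we only want the client's first flight
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, OpenSSL now waits for the server
    return outgoing.read()

def extract_sni(record):
    """Parse a TLS record carrying a ClientHello and return its server_name, or None."""
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                           # client_version + random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")    # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos + 2 > len(body):
        return None                                        # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:  # server_name, host_name entry
            name_len = int.from_bytes(data[3:5], "big")
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def route(record):
    # What the relay does with a ClientHello: pick a backend by SNI, or nothing to route to.
    return BACKENDS.get(extract_sni(record))
```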