admin/NewSmoop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added EMQX for MQTT protocol support

Browse Source
This commit is contained in:
tdv
2025-09-30 12:27:42 +03:00
parent e0490e42c5
commit af252c4498
3 changed files with 110 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
docker-compose.yaml
View File

@@ -134,6 +134,31 @@ services:
- snoopBack - snoopBack
- proxy - proxy
# NEW: EMQX MQTT broker
emqx:
image: emqx/emqx:latest # EMQX 5.x
restart: unless-stopped
environment:
# set a fixed node name (nice when you later add clustering)
EMQX_NODE__NAME: emqx@node1
# set dashboard admin user/pass (change these in prod!)
EMQX_DASHBOARD__DEFAULT_USERNAME: admin
EMQX_DASHBOARD__DEFAULT_PASSWORD: changeme123
# optional: enable WebSocket listener on 8083 (on by default in 5.x)
# EMQX_LISTENERS__WS__DEFAULT__ENABLE: "true"
volumes:
- emqx-data:/opt/emqx/data
- emqx-log:/opt/emqx/log
ports:
- "1883:1883" # MQTT (TCP)
- "8083:8083" # MQTT over WebSocket (WS)
# - "8883:8883" # MQTT over TLS (uncomment when you add certs)
# - "8084:8084" # WSS (uncomment with TLS)
- "18083:18083" # Dashboard
networks:
- snoopBack
- proxy # so Nginx can reverse-proxy WS at /mqtt/ws
volumes: volumes:
pgdata: pgdata:
miniodata: miniodata:

11
nginx/dev.conf
View File

@@ -53,4 +53,15 @@ server {
proxy_pass http://mediamtx:8889/; proxy_pass http://mediamtx:8889/;
proxy_http_version 1.1; proxy_http_version 1.1;
} }
# --- MQTT over WebSocket (EMQX) ---
# Clients connect to ws://<host>/mqtt/ws
location /mqtt/ws {
proxy_pass http://emqx:8083/mqtt; # EMQX WS path is /mqtt
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
} }

75
readme.md
View File

@@ -20,9 +20,10 @@ vault kv put kv/snoop \
minio_presign_ttl_seconds="900" minio_presign_ttl_seconds="900"
``` ```
Unseal Key: gQrvvJBaGR4CpmkoVq93tWqk5dTpioMAHtNHKMWNlH0= Unseal Key 1: XdERN+/hxR9RjLC/S8c+y0omToYvB7Qs1jaUenZQvphD
Unseal Key 2: VBhPBtYcq1GAk7ByPfAsamxV4tJOZ49chAYxxOvc49Oj
Root Token: root Initial Root Token: hvs.tZ4eh9P18sCZ5c1PZIz59EmH
{ {
@@ -36,3 +37,73 @@ Root Token: root
"minio_livestream_bucket": "livestream", "minio_livestream_bucket": "livestream",
"minio_presign_ttl_seconds": "900" "minio_presign_ttl_seconds": "900"
} }
### Stand up internal CA (root + intermediate)
```bash
# Enable PKI backends (root + intermediate)
vault secrets enable -path=pki_root pki
vault secrets tune -max-lease-ttl=87600h pki_root # 10y
vault write pki_root/root/generate/internal \
common_name="Snoop Root CA" key_type=ec key_bits=256 ttl=87600h
vault secrets enable -path=pki_iot pki
vault secrets tune -max-lease-ttl=17520h pki_iot # 2y
# Create an intermediate CSR
vault write -field=csr pki_iot/intermediate/generate/internal \
common_name="Snoop IoT Intermediate" key_type=ec key_bits=256 ttl=17520h > iot_int.csr
# Sign intermediate with root
vault write -field=certificate pki_root/root/sign-intermediate csr=@iot_int.csr \
format=pem_bundle ttl=17520h > iot_int_signed.pem
vault write -field=issuing_ca pki_root/root/sign-intermediate \
csr=@iot_int.csr format=pem_bundle ttl=17520h > root_ca.pem
# Set the signed intermediate in Vault
vault write pki_iot/intermediate/set-signed certificate=@iot_int_signed.pem
```
### Configure URLs + a role for devices
```bash
# Publish issuing + CRL URLs (Nginx will fetch CRL periodically)
vault write pki_iot/config/urls \
issuing_certificates="https://vault.example.local/v1/pki_iot/ca" \
crl_distribution_points="https://vault.example.local/v1/pki_iot/crl"
# Role that limits cert subjects to your device GUIDs
vault write pki_iot/roles/device \
allow_any_name=false \
allowed_uri_sans="urn:device:*" \
allowed_other_sans="" \
allow_ip_sans=false \
allowed_domains="" \
enforce_hostnames=false \
key_type=ec key_bits=256 \
max_ttl=720h ttl=720h # 30 days
```
### Enrollment flow (device CSR → signed cert)
- Device side
- Generate keypair on the device (never export private key).
- Create CSR with CN=<GUID> and URI SAN urn:device:<GUID>.
- Server side
- Backend verifies a one-time enrollment token (or pre-shared bootstrap secret), calls:
```bash
vault write pki_iot/sign/device \
csr=@device.csr \
uri_sans="urn:device:<GUID>" \
ttl=720h > device_cert.pem
```
### Revocation
- Immediate kill: your backend stores bad serials; deny in app logic.
- CRL: `vault write pki_iot/revoke serial_number="<SERIAL>"`.
- Fetch CRL periodically to a local file for Nginx:
```bash
curl -fsSL https://vault.example.local/v1/pki_iot/crl -o /etc/nginx/iot.crl
nginx -s reload
```
- Automate via systemd timer/cron (e.g., every 1015 min).