Monday, April 25, 2016

Securing MQTT connection using Mosquitto Auth Plugin - HTTP API
In this article I'm going to discuss how to add authentication and authorization to your Mosquitto MQTT broker. If you haven't gone through my previous articles on MQTT, please refer to them first.

In order to continue, you will have to clone the two GitHub projects used below (mosquitto and mosquitto-auth-plug) and build them.

First, let's create a folder named "mqtt" in the home directory. Then clone the two projects into the folder we have created.

cd ~
mkdir mqtt
cd mqtt
git clone https://github.com/eclipse/mosquitto.git
git clone https://github.com/jpmens/mosquitto-auth-plug.git
First you need to build the mosquitto broker from the source you have cloned. In order to do that you will need to install the following packages.

cd mosquitto
sudo apt-get install build-essential
sudo apt-get install libc-ares-dev
sudo apt-get install uuid-dev 
sudo apt-get install libssl-dev
make binary
make install
You might get some errors when creating the man pages; you can ignore them. Now you have successfully built mosquitto from source. Next, go to the mosquitto-auth-plug source folder.

cd ../mosquitto-auth-plug/

In this article I'm focusing only on using the HTTP API backend for authentication and authorization. There are many other backends you can use instead of HTTP, and they are described in the mosquitto-auth-plug GitHub repository.

Now edit config.mk.in as follows and rename it to config.mk.

# Select your backends from this list
BACKEND_CDB ?= no
BACKEND_MYSQL ?= no
BACKEND_SQLITE ?= no
BACKEND_REDIS ?= no
BACKEND_POSTGRES ?= no
BACKEND_LDAP ?= no
BACKEND_HTTP ?= yes
BACKEND_MONGO ?= no

# Specify the path to the Mosquitto sources here
MOSQUITTO_SRC = /home/USER/mqtt/mosquitto

# Specify the path the OpenSSL here
OPENSSLDIR = /usr/bin

Then install the dependencies of the mosquitto auth plugin by running the following commands:

sudo apt-get install openssl
sudo apt-get install libssl-dev
sudo apt-get install libcurl4-openssl-dev
Now you can build mosquitto-auth-plug by executing the following command.

sudo make
It will create a file named auth-plug.so in the same directory. Copy that file into the mosquitto source directory.

cp auth-plug.so ../mosquitto
cd ../mosquitto
Now edit the mosquitto.conf file as follows. Scroll until you find the "Security" subsection, then add the following.

# =================================================================
# Security
# =================================================================

# If set, only clients that have a matching prefix on their 
# clientid will be allowed to connect to the broker. By default, 
# all clients may connect.
# For example, setting "secure-" here would mean a client "secure-
# client" could connect but another with clientid "mqtt" couldn't.
#clientid_prefixes

# Boolean value that determines whether clients that connect 
# without providing a username are allowed to connect. If set to 
# false then a password file should be created (see the 
# password_file option) to control authenticated client access. 
# Defaults to true.
#allow_anonymous true

# In addition to the clientid_prefixes, allow_anonymous and TLS 
# authentication options, username based authentication is also 
# possible. The default support is described in "Default 
# authentication and topic access control" below. The auth_plugin 
# allows another authentication method to be used.
# Specify the path to the loadable plugin and see the 
# "Authentication and topic access plugin options" section below.
#auth_plugin

# path of the auth-plug.so copied into the mosquitto source directory above
auth_plugin /home/USER/mqtt/mosquitto/auth-plug.so
auth_opt_backends http
auth_opt_http_ip 127.0.0.1
auth_opt_http_port 80
#auth_opt_http_hostname example.org
auth_opt_http_getuser_uri /mosquitto/authplugin/auth
auth_opt_http_superuser_uri /mosquitto/authplugin/superuser
auth_opt_http_aclcheck_uri /mosquitto/authplugin/acl
The configuration above sets the URL endpoints of the REST API we are going to create for authentication and authorization. The broker sends an HTTP request to the getuser endpoint when a client connects with a username and password, to the superuser endpoint to learn whether the user may bypass topic restrictions, and to the aclcheck endpoint to decide whether the user has access to a particular topic. Note that allow_anonymous is left at its default of true above, so clients that present no username are still admitted; set allow_anonymous false if every client must authenticate. The plugin talks plain HTTP, so keep the API bound to the loopback address as configured so that credentials do not cross the network in cleartext.
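A minimal backend serving the three endpoints configured above, as an added example (not the plugin's code and not the API of the follow-up article). It assumes the plugin POSTs form fields username, password, clientid, topic and acc (1 = read, 2 = write) and treats any non-2xx status as a denial; the user table and ACL are constructed sample data.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed user table: store PBKDF2 hashes, never cleartext passwords.
SALT = b"constructed-salt"

def _h(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"sensor1": _h("s3cret"), "admin": _h("adminpw")}
SUPERUSERS = {"admin"}  # assumed: superusers skip the aclcheck endpoint
# Per-user topic patterns with the highest access allowed (assumed acc codes: 1 read, 2 write).
ACL = {"sensor1": [("sensors/sensor1/#", 2), ("commands/sensor1", 1)]}

def topic_matches(pattern, topic):
    """MQTT wildcard match: '+' is exactly one level, '#' is the remainder."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)

def decide(path, form):
    """Return the status the plugin interprets: 200 allows, anything else denies."""
    user = form.get("username", "")
    if path == "/mosquitto/authplugin/auth":
        expected = USERS.get(user)
        ok = expected is not None and hmac.compare_digest(expected, _h(form.get("password", "")))
        return 200 if ok else 403
    if path == "/mosquitto/authplugin/superuser":
        return 200 if user in SUPERUSERS else 403
    if path == "/mosquitto/authplugin/acl":
        topic, acc = form.get("topic", ""), int(form.get("acc", "0") or 0)
        for pattern, allowed in ACL.get(user, []):
            if topic_matches(pattern, topic) and acc <= allowed:
                return 200
        return 403
    return 404  # unknown URI: also a denial

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = {k: v[0] for k, v in parse_qs(body).items()}
        self.send_response(decide(self.path, form))
        self.end_headers()

if __name__ == "__main__":  # same address and port as auth_opt_http_ip / auth_opt_http_port above
    HTTPServer(("127.0.0.1", 80), Handler).serve_forever()
```

Binding port 80 requires privileges; change the port here and in auth_opt_http_port to run it unprivileged.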

Then run the mosquitto broker, pointing it at your mosquitto.conf file:

mosquitto -c /home/USER/mqtt/mosquitto/mosquitto.conf

In my next article I'll show you how to create an API that serves the above URL endpoints.

1 comment:

  1. How can I know whether the mosquitto auth plugin runs correctly after I run mosquitto -c /home/USER/mosquitto/mosquitto.conf?