MQTT through nginx and owntracks

gunzip I do not have (I unzipped on my PC desktop and transferred the full directory)
then

pi@raspberrypi:/tmp/nginx/nginx $ sudo apt install perl-pcre libpcre3-dev libssl-dev
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package perl-pcre

This configuration is for running mosquitto with SSL terminated in nginx. I did it because I have exposed a standalone instance of mosquitto to the internet. If you don’t do this it isn’t necessary.
My setup is based on a manual install of hass so I don’t really know what Hasbian uses nginx for - again I terminate SSL for hass on nginx on my proxy server because I’ve exposed it.

You can install gunzip with apt install gunzip on any Debian install. I’m not sure why perl-pcre didn’t work although it looks like it isn’t needed, so try without.

also this, sorry newb here

pi@raspberrypi:/tmp/nginx/nginx $ sudo ./configure --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-stream --with-stream_ssl_module
sudo: ./configure: command not found

Ok, thanks.

It is just too complicated for me, I do not understand half of it. My only need is to use mosquitto and other services too, using nginx (since I am not able to use mosquitto with SSL).

You need to be in the source directory to run configure, so cd to wherever you unzipped the source.

I agree it isn’t easy and really, mosquitto needs better SSL support. I’m not sure what the other brokers are like, perhaps you could try them?

also this I don’t get it

pi@raspberrypi:/tmp/nginx/nginx $ ./configure --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-stream --with-stream_ssl_module
-bash: ./configure: Permission denied
pi@raspberrypi:/tmp/nginx/nginx $ sudo ./configure --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-stream --with-stream_ssl_module
sudo: ./configure: command not found
pi@raspberrypi:/tmp/nginx/nginx $

Hmm, probably configure isn’t executable, so try chmod 755 configure

I managed to compile.

Can I use the certificate (I use letsencrypt) that is on the other Pi 3?

p.s.
I have one Pi 3 with HASS at 192.168.1.238 with a letsencrypt certificate
the other Pi 3 now has this modified nginx version at 192.168.1.239

Oops, I have this error

make -f objs/Makefile install
make[1]: Entering directory ‘/tmp/nginx/nginx’
test -d ‘/usr/local/nginx’ || mkdir -p ‘/usr/local/nginx’
mkdir: cannot create directory ‘/usr/local/nginx’: Permission denied
objs/Makefile:1381: recipe for target ‘install’ failed
make[1]: *** [install] Error 1
make[1]: Leaving directory ‘/tmp/nginx/nginx’
Makefile:11: recipe for target ‘install’ failed
make: *** [install] Error 2
pi@raspberrypi:/tmp/nginx/nginx $ sudo make && make install
make -f objs/Makefile
make[1]: Entering directory ‘/tmp/nginx/nginx’
make[1]: Nothing to be done for ‘build’.
make[1]: Leaving directory ‘/tmp/nginx/nginx’
make -f objs/Makefile install
make[1]: Entering directory ‘/tmp/nginx/nginx’
test -d ‘/usr/local/nginx’ || mkdir -p ‘/usr/local/nginx’
mkdir: cannot create directory ‘/usr/local/nginx’: Permission denied
objs/Makefile:1381: recipe for target ‘install’ failed
make[1]: *** [install] Error 1
make[1]: Leaving directory ‘/tmp/nginx/nginx’
Makefile:11: recipe for target ‘install’ failed
make: *** [install] Error 2
pi@raspberrypi:/tmp/nginx/nginx $

sudo make install or it can’t create the directory

The certificate is based on the hostname, so you will get errors if they don’t match. If you don’t mind that, the connection is still encrypted.

sites-available was not there, do I create a new directory?

EDIT: lots of additional problems

Never mind. Project cancelled

So, I ran into a few issues and it took me a bit to work it out, but I got it. I’m also using nginx for the main Home Assistant page so I can do Alexa integration (which is awesome, can’t believe I put it off so long). At first I was trying to stick mosquitto in the sites-available like you did, but that directory by default is for HTTP connections, like websites. So it works for the Home Assistant site, but not for throwing the stream thing in there for MQTT, get errors about stream object in a bad spot. Ended up poking around your linked guide and just adding the stream config after the http config in the main nginx.conf file.

My other problem was I kept getting errors about “the shared memory zone ‘SSL’ is already declared for a different use in /etc/nginx/nginx.conf.” So, I removed all the SSL config stuff from the stream config. This produced a new error “no ‘ssl_certificate’ is defined in server listening on SSL port while SSL handshaking”. So, I went back and added in the ssl_certificate, ssl_certificate_key, and dhparam parameters to the stream config. They point to the same files I used for my main site access.

This is what I ended up with:

stream {
        upstream mosquitto {
                server servername:1883; # My MQTT server isn't on the same server
        }

        server {
                listen 8883 ssl;
                proxy_pass mosquitto;

                ssl_certificate /etc/nginx/ssl/cert.crt;
                ssl_certificate_key /etc/nginx/ssl/cert.key;
                ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        }
}

Just wanted to share in case anyone else runs into those issues.

Note, I’m using a Ubuntu VM for Home Assistant and Nginx (same server) and CentOS VM for Mosquitto. So, I didn’t have to do anything special to use the stream directive. I’m also using Zanzito with the OwnTracks emulation with no issues. And I previously bought a wildcard SSL cert through ssl2buy.com (fairly cheap if you want to go that option vs letsencrypt or something similar).

has anyone got nginx/mqtt/owntracks working with the hass.io addons?
I am using hass.io with the virtual host and cert bots from
https://github.com/bestlibre/hassio-addons

My nginx reverse proxy to 8123 works with no problems.

UPDATE:
I did get it to work. For me the key was learning where the hass.io add-on certbot stores the cert files. Also the mqtt config defaulted to the /ssl directory, so I had to change my file path accordingly.
Here is my config …

{
  "plain": true,
  "ssl": true,
  "anonymous": false,
  "logins": [
    {
      "username": "user1",
      "password": "pass1"
    },
    {
      "username": "test_user",
      "password": "test_pass"
    }
  ],
  "customize": {
    "active": false,
    "folder": "mosquitto"
  },
  "certfile": "letsencrypt/live/mqtt/fullchain.pem",
  "keyfile": "letsencrypt/live/mqtt/privkey.pem"
}

I had the test_user for when I had 1883 port forward testing owntracks without having to fight TLS. I removed it after I got TLS (8883) working.
Also the cert that needs to be loaded on the owntracks client is in the same directory.
I copied the cert.pem to a different directory, then renamed it to mqtt_cert.pem.

I may play with and see if HA can connect TLS, then I can turn off 1883.

Just in-case anyone else is wondering about hassio:

To setup MQTT with websockets, you need to specify an additional config to MQTT with the following (and don’t turn on secure MQTT)

listener 8883
protocol websockets

Then in your nginx config from https://github.com/bestlibre/hassio-addons:

{
      "vhost": "mqttws.hostname",
      "remote": "172.17.0.1",
      "certname": "certname",
      "port": "1884"
},

I use this with owntracks without issues with TLS/Websockets enabled with the certbot.

I assume you could probably swap the secure/insecure ports in your MQTT/nginx config if you wanted only secure sockets and WS MQTT.

@lizaoreo
I followed your instructions and added the stream block to nginx.conf.
It seems to be working (I don’t know how to really test it, but nginx is starting at least), but I’m having a problem connecting with Zanzito.
Did you import the cert on your phone, or how could you connect securely from Zanzito?
Also, how is the proxy_pass used?

To test:

sudo nginx -t

Are you using a purchased SSL cert for your domain? I actually purchased a wildcard cert for the domain I own, so it might be a little different than if you use something like one of the common solutions people use here.

If I understand how NGINX works (I honestly don’t really), the proxy_pass line points to the upstream line, which points to your server for MQTT. In my example above, my MQTT server would be named servername (change to localhost if on same server as NGINX) and it would be listening on port 1883 for MQTT traffic. NGINX is listening on port 8883 for MQTT traffic, so when you hit the NGINX server, you want your traffic to be on port 8883.

In Zanzito, my MQTT connection settings are basically this:

Host: NGINX Server Name (ie, mqtt.homedomain.com)
Port: 8883
Security:
  Username: MQTT Username (this is whatever you set up for mosquitto, not NGINX/HomeAssistant)
  Password: MQTT Password
  SSL/TLS Connection: Checked
  Don't worry about importing a CA, I'm pretty sure (I didn't need to).

Everything else is variable based on preference (I have instant updates set, heartbeat enabled, and intervals at 90 seconds). I don’t use Home host settings as I set up the same domain name environment at home and forward the outside name to the server, so basically the same address hits the server inside and outside.

Let me know if that helps. If you need help with the mosquitto server, let me know and I’ll drop my config in and explain it.
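A small checker for the stream block shared earlier in this thread, covering the two failure modes that came up (an ssl listener with the ssl_certificate/ssl_certificate_key lines removed, which produced the "no 'ssl_certificate' is defined ... while SSL handshaking" error, and a listener that forgot the ssl flag) and reporting the plaintext hop that proxy_pass resolves to through upstream{}. This is an added example, not code from the thread or from nginx; the parser only understands the simple block shape shown above, and the sample configs are constructed from it.

```python
import re

# Constructed sample: the stream block posted above (comment dropped), plus two
# broken variants: ssl_certificate lines removed, and the listener without 'ssl'.
GOOD_STREAM = """
stream {
    upstream mosquitto {
        server servername:1883;
    }
    server {
        listen 8883 ssl;
        proxy_pass mosquitto;
        ssl_certificate /etc/nginx/ssl/cert.crt;
        ssl_certificate_key /etc/nginx/ssl/cert.key;
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    }
}
"""
NO_CERT_STREAM = re.sub(r"\n\s*ssl_certificate(_key)? [^;]+;", "", GOOD_STREAM)
PLAIN_STREAM = GOOD_STREAM.replace("listen 8883 ssl;", "listen 8883;")

def parse_stream(text):
    """Tiny parser: upstream name -> servers, each server{} as (directive, args) pairs."""
    text = re.sub(r"#.*", "", text)  # drop comments such as "# My MQTT server ..."
    upstreams = {m.group(1): re.findall(r"server\s+(\S+);", m.group(2))
                 for m in re.finditer(r"upstream\s+(\S+)\s*\{([^}]*)\}", text)}
    servers = []
    for m in re.finditer(r"server\s*\{([^}]*)\}", text):
        stmts = [s.split() for s in re.findall(r"([^;{}]+);", m.group(1))]
        servers.append([(s[0], s[1:]) for s in stmts if s])
    return upstreams, servers

def check_stream(text):
    """Return (findings, hops): hops are the plaintext proxy_pass targets behind nginx."""
    upstreams, servers = parse_stream(text)
    findings, hops = [], []
    for directives in servers:
        names = {d for d, _ in directives}
        listens = [a for d, a in directives if d == "listen"]
        for args in listens:
            if "ssl" not in args:  # MQTT credentials would cross the internet in clear
                findings.append(f"listen {args[0]} has no ssl")
        if any("ssl" in a for a in listens):
            for req in ("ssl_certificate", "ssl_certificate_key"):
                if req not in names:  # nginx cannot complete the TLS handshake
                    findings.append(f"missing {req} on ssl listener")
        for d, a in directives:
            if d == "proxy_pass":
                hops.extend(upstreams.get(a[0], [a[0]]))
    return findings, hops
```

The hop list is the unencrypted leg (here servername:1883), which is why it should stay on localhost or a trusted network, and why the thread's posters turn off external access to 1883 once 8883 works.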

Thank you for a good explanation!

Got it to work by pressing “Delete cert” in Zanzito. Apparently I had imported a cert before.