MQTT through nginx and owntracks

Can you post the relevant section in configuration.yaml?

My yaml:

    mqtt:
      broker: 127.0.0.1
      port: 1883
      client_id: home-assistant-1
      username: !secret mqtt_username
      password: !secret mqtt_password

However, the port specification is done in the Mosquitto component, not in HASS.
If you are on hassio, you can just open the Mosquitto component and set plain websockets to true. In the nginx config (I use the addon from https://github.com/bestlibre/hassio-addons) I added an entry to point to the 1884 nginx websockets port.

Do you specify the client ID because that’s what HA is using to communicate to the service?

What I’m trying to do is, from the internet, access mqtt.example.com on port 80 and have that proxied over to 192.168.1.25:1883. Hassio and nginx are running on different machines. Once I get that working I’ll muck around with SSL and user authentication.

Client ID can be anything. Username and pass have to exist in the MQTT side. Also, HASS does NOT use websockets. You have to support BOTH WS and non-WS comms in mqtt.
WS requires some additional work in nginx to work properly if you aren’t using the hassio addon.

I’m doing the exact same thing (except on https) for owntracks.

I’m also using the add-on. Thanks to your server block, I’m able to get http://mqtt.example.com working.
Now I want to get https working, but I must be missing something or CertBot failed me. My config block looks like

{
  "plain": true,
  "plain_websockets": true,
  "ssl": false,
  "ssl_websockets": false,
  "anonymous": true,
  "logins": [
    {
      "username": "foo",
      "password": "bar"
    }
  ],
  "customize": {
    "active": false,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

Since nginx is so new to me, I’m not 100% sure, but if you are using it for reverse proxy, then you don’t need to install certs on the target, correct? You can just run the service as http and nginx will force the client to use https using the cert installed in nginx and then proxy everything between the client and the target.

Last I checked, certbot didn’t support wildcard certs, so you need to make sure your cert covers mqtt.example.com. You are correct about certs, mosquitto doesn’t need to know about them. I would however disable anonymous access. If you are able to access the mqtt service over http, you should be able to hit it over https if your certs are valid for that site.

I don’t think it does wildcards, but individual certs are so easy, why bother? I’m loving nginx and Certbot. Finally I can create as many subdomains as I want for any service and have everything go over 80,443 without having to screw around with certs on the service itself. And no more having to remember port numbers! I just have to remember the subdomain and I’m golden. I’ve got about a dozen services I’m using with nginx now. I might even start using it for work for beta and internal sites. Why pay a few hundred bucks for a wildcard cert for ssl on test sites if I can get it for free?

I also want to hide my mqtt behind nginx on my Hassbian install for Zanzito.
But as soon as I add a line with stream it hits me with
nginx: [emerg] "stream" directive is not allowed here in /etc/nginx/sites-enabled/mosquitto.conf:x
It looks so straightforward, but I really struggle hard.

The stream directive needs nginx 1.9 - 1.10.3 installed.
When I add in the nginx.conf:
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
I’ll get [emerg] module "ngx_stream_module" is already loaded in /etc/nginx/modules-enabled/50-mod-stream.conf:1, so the stream module is apparently loaded already.
Here I hit rock bottom, out of ideas, so ideas are most welcome.

You just helped me figure it all out in another (very useful) thread, check this out if you’d like here

Sorry for the thread revival.

I’m running HAOS and using NGINX Proxy Manager (0.11.0) to use ha.example.com to access HA with SSL. Works great.

I have an off-site OpenSprinkler that I want to use MQTT with. I have the Mosquitto broker addon installed. On my LAN using 192.168.xx.xx:1883 it works great. But when I move to offsite and try to use mqtt.example.com as the broker address, nothing works.

I have NGINX forwarding mqtt.example.com to 192.168.xx.xx:1883, but no luck. I’ve tried with the Sprinkler using a broker address of mqtt.example.com on both port 80 and 1883.

Any idea what I’m doing wrong?
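As an added example (not from any post in this thread), here is a minimal nginx layout for the two problems raised above: the "stream directive is not allowed here" error, which happens because files under sites-enabled are included inside http {} while stream {} must sit at the top level of nginx.conf, and the OpenSprinkler case, where an HTTP reverse proxy (NGINX Proxy Manager) cannot carry raw MQTT on 1883, so a TCP stream listener is needed. Assumed values: the broker at 192.168.1.25:1883 with plain websockets on 1884, and certbot certificates for mqtt.example.com.

```nginx
# /etc/nginx/nginx.conf (assumed paths). On Debian-style installs the stream module
# is already loaded by /etc/nginx/modules-enabled/50-mod-stream.conf, so do NOT add
# a second load_module line here; it would fail with "already loaded".

# Raw MQTT (what HA, OpenSprinkler and Zanzito speak): a top-level stream block.
# This is TCP proxying, so it cannot live in sites-enabled/* or inside http {}.
stream {
    upstream mosquitto {
        server 192.168.1.25:1883;      # assumed broker address (plain listener)
    }

    server {
        listen 8883 ssl;               # MQTT over TLS terminated at nginx
        ssl_certificate     /etc/letsencrypt/live/mqtt.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mqtt.example.com/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        proxy_pass          mosquitto;
        proxy_connect_timeout 5s;
        proxy_timeout       1h;        # default 10m would drop idle MQTT sessions
    }
}

# MQTT over WebSockets (OwnTracks, browser clients): needs Upgrade headers forwarded.
http {
    server {
        listen 443 ssl;
        server_name mqtt.example.com;
        ssl_certificate     /etc/letsencrypt/live/mqtt.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mqtt.example.com/privkey.pem;

        location / {
            proxy_pass http://192.168.1.25:1884;   # assumed plain_websockets listener
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_read_timeout 1h;
        }
    }
}
```

With this layout the off-site client uses mqtt.example.com:8883 with TLS enabled (not port 80 or 1883), and the broker should have anonymous access disabled since it is now reachable from the internet.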