HTTPS, TLS termination
This page describes how to use the HTTPS (SSL/TLS Termination) Feature, which is part of the Security Plugin that is provided by the Management Center for the Pro Edition of Eclipse Mosquitto (MMC).
We recommend using a setup with a reverse proxy that handles TLS termination, but if your use case requires terminating TLS on the MMC side, this can now be done using this feature.
HTTPS (SSL/TLS Termination) Feature Overview
TLS termination on the MMC side allows you to use the HTTPS protocol without the need to set up a reverse proxy in front of the MMC.
Enable HTTPS Plugin
To enable the plugin, make sure you are using the Pro Edition of Mosquitto and that the User Management security feature is enabled in your license. Also, ensure that your config file (specified with the CEDALO_MC_PROXY_CONFIG environment variable, or by default saved in management-center/config/config.json) contains the following entry inside the plugins array:
{
"name": "https"
}
Also, you need to specify the following environment variables for HTTPS configuration:
CEDALO_MC_PLUGIN_HTTPS_KEY_PATH (required)
CEDALO_MC_PLUGIN_HTTPS_CERT_PATH (required)
CEDALO_MC_PLUGIN_HTTPS_CA_PATH (optional)
You can read more about these variables below.
On start-up, the Management Center will print a message to the console indicating that the https plugin is enabled and loaded:
Loaded plugin: "cedalo_https" (Cedalo MMC SSL/TLS termination)
You will also see messages like:
Starting Mosquitto proxy server at https://localhost:443
and
Started Mosquitto proxy server at https://localhost:443
When using HTTPS, we recommend using the standard HTTPS port 443. To configure it, change the value of the CEDALO_MC_PROXY_PORT environment variable.
HTTPS Environment variables
More information on the HTTPS configuration variables:
CEDALO_MC_PLUGIN_HTTPS_KEY_PATH - path to server's private key file (required)
CEDALO_MC_PLUGIN_HTTPS_CERT_PATH - path to server's certificate (required)
CEDALO_MC_PLUGIN_HTTPS_CA_PATH - path to CA certificate (optional)
Note that if the HTTPS plugin is enabled in the config file but encounters an error, which in most cases is due to misconfiguration, then the MMC will not be started and will shut down.
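Because a misconfigured HTTPS plugin keeps the MMC from starting, the settings described on this page can be checked before launch. The script below is an added example, not part of the Management Center: the function name check_https_setup, the private-key permission check, and the use of Python's ssl module to validate the files are assumptions of this example, and it assumes a POSIX host.

```python
import json
import os
import ssl
import stat

REQUIRED = ("CEDALO_MC_PLUGIN_HTTPS_KEY_PATH", "CEDALO_MC_PLUGIN_HTTPS_CERT_PATH")
CA_VAR = "CEDALO_MC_PLUGIN_HTTPS_CA_PATH"
DEFAULT_CONFIG = "management-center/config/config.json"  # default named on this page


def check_https_setup(env=os.environ):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    # 1. The config file must list {"name": "https"} inside its "plugins" array.
    config_path = env.get("CEDALO_MC_PROXY_CONFIG", DEFAULT_CONFIG)
    try:
        with open(config_path, encoding="utf-8") as fh:
            plugins = json.load(fh).get("plugins", [])
    except (OSError, ValueError, AttributeError) as exc:
        problems.append(f"config {config_path}: {exc}")
    else:
        if not any(isinstance(p, dict) and p.get("name") == "https" for p in plugins):
            problems.append(f'config {config_path}: no {{"name": "https"}} entry in plugins')
    # 2. Both required variables must be set and point at existing files.
    for var in REQUIRED:
        path = env.get(var)
        if not path:
            problems.append(f"{var} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{var}: {path} is not a file")
    if problems:
        return problems  # fix the basics first; the checks below need both files
    key, cert = (env[var] for var in REQUIRED)
    # 3. Hardening check added by this example (not an MMC requirement):
    #    the private key should not be accessible to group or others.
    if stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        problems.append(f"{key}: private key is accessible to group/others")
    # 4. Let OpenSSL parse both files and confirm the key matches the certificate.
    #    The empty password callback makes an encrypted key fail instead of prompting.
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert, key, password=lambda: "")
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        problems.append(f"certificate/key pair rejected: {exc}")
    # 5. The CA file is optional, but it must parse if it is configured.
    ca = env.get(CA_VAR)
    if ca:
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_verify_locations(cafile=ca)
        except OSError as exc:
            problems.append(f"{CA_VAR}: {exc}")
    return problems
```

Call check_https_setup() from the same user account and environment that will start the MMC, and treat a non-empty result as a reason not to start it.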