Add TLS protection to broker

andchiind · Jun 29, 2022 · 6c62043 · 6c62043
1 parent b6e42b6
commit 6c62043
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 9 deletions.
diff --git a/broker/Dockerfile b/broker/Dockerfile
@@ -2,7 +2,11 @@ FROM eclipse-mosquitto:latest
 
 COPY mosquitto/config/ mosquitto/config/
 
-EXPOSE 1883 9001
+ARG TLS_SERVER_KEY
+
+RUN echo "${TLS_SERVER_KEY}" > mosquitto/config/certs/server-key.pem
+
+EXPOSE 1883
 
 USER 1883
 

diff --git a/broker/README.md b/broker/README.md
@@ -1,5 +1,13 @@
 # Mosquitto MQTT Broker
 
+## Set up the broker
+
+The broker expects a private key for its server x509 certificate used for TLS.  
+This must be provided through an environment variable called `FLOTILLA_BROKER_SERVER_KEY`.  
+This is a secret, and should be treated as such.  
+The best way to pass this is to store it in a `.env` file in the root of flotilla, and docker compose loads this by default on startup.  
+See [Using the “--env-file” option](https://docs.docker.com/compose/environment-variables/#using-the---env-file--option) for more information.
+
 ## Running the broker
 
 From the flotilla root directory, run the following command:

diff --git a/broker/mosquitto/config/certs/ca-cert.pem b/broker/mosquitto/config/certs/ca-cert.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGETCCA/mgAwIBAgIUHpwtA+Q9VUpHL2MOa4ygKBh2U14wDQYJKoZIhvcNAQEL
+BQAwgZcxCzAJBgNVBAYTAk5PMQ8wDQYDVQQIDAZCZXJnZW4xDzANBgNVBAcMBkJl
+cmdlbjEUMBIGA1UECgwLRXFfUm9ib3RpY3MxETAPBgNVBAsMCFJvYm90aWNzMRww
+GgYDVQQDDBNSb2JvdGljc19TZWxmU2lnbmVkMR8wHQYJKoZIhvcNAQkBFhB0bG5l
+QGVxdWlub3IuY29tMB4XDTIyMDYyMjA5MTQwMVoXDTIzMDYyMjA5MTQwMVowgZcx
+CzAJBgNVBAYTAk5PMQ8wDQYDVQQIDAZCZXJnZW4xDzANBgNVBAcMBkJlcmdlbjEU
+MBIGA1UECgwLRXFfUm9ib3RpY3MxETAPBgNVBAsMCFJvYm90aWNzMRwwGgYDVQQD
+DBNSb2JvdGljc19TZWxmU2lnbmVkMR8wHQYJKoZIhvcNAQkBFhB0bG5lQGVxdWlu
+b3IuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwnNovreAQ9iN
+u+QpqhS7+/o1keq/j0ZyNFDyF25+oSJmXqFeqMzC17Sej+6WPBiW4uq/XfsC916H
+Z0CYhY6oIv3nSrxSGQme6+b8FLG+xZb2irT+TVoMtSGRiiF6GhVKHt+jRUz/nvYG
+f4bytXicvwacgsHmfzr6pYYD8ME2QpnZaAepZ7xQkNPOrLu4zvAe3Q/jT3ABQnug
+ZOrvnxKvS+xj/hYYG1OPIVmXhXfPIePU5e1ZPtg5X86GQZSEyTrWoMnUBiaScVCX
+bwrarAV5WGY/WiMM3ycF1O96sfXhl478vUHqKn9MqA5/smtTLllHcEBTIM/uN9RU
+o7z/avAn9utGJpOQCgHCue3PGrpcLKD2JlRIDnd9ab9fFExvuiqHdVT+9yFAKtVN
+KulV2bwITs36ISjRILQVPH5cPygpIEmdSwtfiGUyEaGpmAXwH3YqFCt3D/MXroB4
+PPrDz1dgBMn9ihcO/bVlnmzq2pCvKPdnsvofmY0Vy+gdRj4ko+m3P7mBE/7NIJEg
+XoqhZjImYccaPAxD5VS/WjIEqYPvq4S5gqIyKzTs9iMDoR/cQf7g73tQGgV3hKYM
+XRtdyH/d51DoGI3Vau4d339sbisi2ihOG8Er/B3LR1Uuz8Pr2viJs9SrhUVPJ1t2
+h8qQkVqltU9cPDc7y083zTvOTmFHrE8CAwEAAaNTMFEwHQYDVR0OBBYEFOkcj37R
+HEdxFM/OTyv1neFdVA7tMB8GA1UdIwQYMBaAFOkcj37RHEdxFM/OTyv1neFdVA7t
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAAz1t8/VK7RvnJA1
+4drPZ8sJJBkeKHhBcXN/Ubz73Y6jxBgbIzJQ7xFR+1Sn5+1ZjbefFAQOQvR/XIy5
+nlUmUxwBIc1cpjrMjTE2SvzjRSSJyG5//2vJMWK9yFrd9Jya0x/3i4tVaBlof8gN
+VhDpUfDFVJqm78juZvVr241LURpJ02kZmbQFny1WpfWZnTHWrusyZ9iBhomZVbqY
+pxbZk5HixL/lobbLgrcj7+tsNzeYcpgqXJA4PpLr9xS9GfePgxokx5lADlwSL4b2
+SECbvSm/BI9xBQWY9Npb65RSC/WDEGXRdU1lG0Nw6addZv4ERe2ideQzyN7zWAk+
+XqcG6tvrMEKY6zysZYrQti9EywhDQ6AC8pCMEVDtO/pZY8me4dG0p//5ueZKGvQt
+7pPMaLaR/5AOtgvmmN4E7CX6y/ee7kAn2GWnr2h6MXO1zMPi46WtdFOWfz8Plvy4
+g7L7P0jzRDNo9T3gozLeH9TxC8R1HKQgsLpfguv1V3O0Ugmm1Ap/ZV99UEe/eNfa
+7tspP3QSyXSBt2j/gj9aIYE86xmqTaGs5cFJwM50B+/6kUApBJo4W6LJLgsu729N
+qHjTtqS4RJIFNEMeVrEh2xzSzMc4nnBqDF7ofPwqxnv6wAZ/OCQ46BiBs+R3Tuy2
+NOEALuJzso8ziFZOqO+rGx5jX5ii
+-----END CERTIFICATE-----
diff --git a/broker/mosquitto/config/certs/server-cert.pem b/broker/mosquitto/config/certs/server-cert.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF+zCCA+OgAwIBAgIUMsBK/Fg9GkEJpInOnGuQScXxJ3MwDQYJKoZIhvcNAQEL
+BQAwgZcxCzAJBgNVBAYTAk5PMQ8wDQYDVQQIDAZCZXJnZW4xDzANBgNVBAcMBkJl
+cmdlbjEUMBIGA1UECgwLRXFfUm9ib3RpY3MxETAPBgNVBAsMCFJvYm90aWNzMRww
+GgYDVQQDDBNSb2JvdGljc19TZWxmU2lnbmVkMR8wHQYJKoZIhvcNAQkBFhB0bG5l
+QGVxdWlub3IuY29tMB4XDTIyMDYyODE0MTEyNVoXDTIyMDgyNzE0MTEyNVowgZgx
+CzAJBgNVBAYTAk5PMQ8wDQYDVQQIDAZCZXJnZW4xDzANBgNVBAcMBkJlcmdlbjER
+MA8GA1UECgwIRmxvdGlsbGExFDASBgNVBAsMC01RVFQgQnJva2VyMR0wGwYDVQQD
+DBRGbG90aWxsYV9NUVRUX0Jyb2tlcjEfMB0GCSqGSIb3DQEJARYQdGxuZUBlcXVp
+bm9yLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMe05p5K08ii
+zG7dv/LJmIWCLGj6FUp5+Whpni9UIFATibXUl2yTl/FAtrxq/L4ZkVpiTDP5kQno
+7/Y3MuWQumC2ivjfL3TSAKES5ec3Vmdolz16sCn1BZtKe68t4re9nF5AhS5i6WPh
+NWyMN2o5UwBsEe3tZBowkAPLdfFaOc1JSEDbFnHqyiypeBbwfJ2qJe/J2yUN+m+5
+MY22kZDf2J+6k3MUJQvA8KF6usMjjMrenx7uvGE3OU9XtDU4qtvOMD8p5I4fDqBv
+k7v2STOiOkuZOoBD98PpRFVjh+2HijiHfZqzKhNs6XWicOhYlJzp3nNr7+fJp+DJ
+8PP+zqBKeK2TlKCJAISCVSNiTHbHaHwbCXzNzj9vfy8+8qplcUe35hF2fXlVr1zF
+VObkWeVNVQxR726TF0l/pvFez6qNTMag4IZaZyi6joU+06OdBSO8Ch57hwIkkp46
+jGxs/zoSwevA0PU0vcYCbydQXkfgvmEzOvluUBwN/WgR+v8r0ubPTAl9I5EhuKU4
+7sBD43OZD1nSWEWGidTjzMcOOLSZLAP50eWxF486DuLf65UKoZ0oWB0LDH+N+lU8
+kSix4RJuGNIOSEd+AJCw9+zG6efL5cAy/yy4SsbL/QRxE0wk4pA+v3xzlBdDdxlu
+PXPaMYClvHZDTiN7p0fx6IjYyBp49F8ZAgMBAAGjPDA6MDgGA1UdEQQxMC+HBAAA
+AACCCWxvY2FsaG9zdIIGYnJva2VyghRob3N0LmRvY2tlci5pbnRlcm5hbDANBgkq
+hkiG9w0BAQsFAAOCAgEAZpNWT1c99ClbW1N299u/fZ6CQ7aLFyDyMintK3SPjNgc
+nUz78MAm/rP4tH2FjG7GLlXEaKKxzenqeWlF/LbndykrN9vRwkiz0C15MWRz3wLU
+lYm8XaXRsA5CKOGKFyxpBAngHkiIVOBX2aAhWFUPHrxnoldgBK8MNdK3+xBy6Ck8
+04G7pbg/4sGDflDoo+e2NOeU69JCt5mrpLGIggPP+tvwn9jnxYOJfPxahdGHx44N
+ajbjtJtKm9jMHxaHzfkAPIIdMITLiwNBIS0+JINwaJv4Er9zkK0jxeIwkKPxmfNI
+za8f2dPxecOqLSvKo/+JFAu4Ib/NCcb9f+b8WykS52YuWaO+9KQsQV3HDx4EXDjv
+KoMNw1YfViYn5vLTynukR4BGnessEm9+F3ZD8xEdSHzSOpZx2iAJB8xKjCthmhfz
+9S508us7C3bkc6L+JFWg6ph4/5VC2gfUnKAUIqfygsLHYFSKmHKmz+m71yrLzviG
+wCV11ca9e18GKUQohnA99fclCAwn7mI6Osr5WtaabcKJwh3PEmekQKic+OK3Yop0
+x54U+SbPbNbWIX/E3wCppL/s3zHA4/m1X5kardBcD5x9uJybcNpTY/TDJFV+XxOx
+rGgbfAwb3QqJs8qt+45JFMQ8B2YAqQc+aozdd1Mvvv9h/9+ut6to3uV/pokhpX4=
+-----END CERTIFICATE-----
diff --git a/broker/mosquitto/config/mosquitto.conf b/broker/mosquitto/config/mosquitto.conf
@@ -232,8 +232,8 @@
 listener 1883 0.0.0.0
 protocol mqtt
 
-listener 9001 0.0.0.0
-protocol websockets
+#listener 9001 0.0.0.0
+#protocol websockets
 
 # By default, a listener will attempt to listen on all supported IP protocol
 # versions. If you do not have an IPv4 or IPv6 interface you may wish to
@@ -316,10 +316,10 @@ protocol websockets
 # TLS encryption.
 
 # Path to the PEM encoded server certificate.
-#certfile
+certfile mosquitto/config/certs/server-cert.pem
 
 # Path to the PEM encoded keyfile.
-#keyfile
+keyfile mosquitto/config/certs/server-key.pem
 
 # If you wish to control which encryption ciphers are used, use the ciphers
 # option. The list of available ciphers can be optained using the "openssl
@@ -360,7 +360,7 @@ protocol websockets
 # containing the CA certificates. For capath to work correctly, the
 # certificate files must have ".crt" as the file ending and you must run
 # "openssl rehash <path to capath>" each time you add/remove a certificate.
-#cafile
+cafile mosquitto/config/certs/ca-cert.pem
 #capath
 
 

diff --git a/broker/mosquitto/config/passwd_file b/broker/mosquitto/config/passwd_file
@@ -1,3 +1,3 @@
-admin:$7$101$+GsirAIRSKXQLk5z$MMl/WR6vxmH0igzvtcYx3LmhLn168CJk2b8c1TiPheYtgK4A0eJrRxptz4iA6B62TLda1u2329ntw7YkLVrRUw==
+admin:$7$101$0gb0/MsZQODnBqea$cKG/aB3kZ2ThPFKCxxwBMCfgIAgeLNsmiU4oljI82AOrNplnG41LJ224S2Gq4212M5cvZr4PoOCc5IjKgjIldA==
 flotilla:$7$101$tmAqSZNbVPjre70A$/yJ+WcI/749Q9SYpbBe+wii0pea5omHssdUIb3+NQiwLmy/ppwFVFTFvHLCoZasDNMGfkQ+FoLilLMtgjqwUZA==
 isar:$7$101$ge+J8JDGhAXCDgud$SKG7TYUaKzTcYhLBjOwNAP0G2tr25pMKneo4ehOF1I/15QjgjNsYqP8NZKu+n52F3B/7Oqv0KI3NFBg3xcTd1A==
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,14 +1,17 @@
 version: "3.7"
+
 services:
   frontend:
     build: frontend
     ports:
       - "3001:3001"
   broker:
-    build: broker
+    build:
+      context: broker
+      args:
+        - TLS_SERVER_KEY=${FLOTILLA_BROKER_SERVER_KEY}
     ports:
       - "1883:1883"
-      - "9001:9001"
   backend:
     build: backend
     ports: