{"id":358,"date":"2016-07-24T22:21:18","date_gmt":"2016-07-25T03:21:18","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=358"},"modified":"2016-10-16T09:18:11","modified_gmt":"2016-10-16T14:18:11","slug":"reverse-proxying-websockets-to-an-mqtt-server","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=358","title":{"rendered":"Reverse Proxying WebSockets to An MQTT Server"},"content":{"rendered":"

If you are trying to reverse proxy OpenHab – that’s over here. <\/a>This post is about maintaining your own private MQTT server and making it<\/em> accessible through a reverse proxy.<\/p>\n

We want to be able to update our presence automatically (without publishing our location information to the Internet). Scott found a program called OwnTracks that uses an MQTT server – and there’s an MQTT binding from OpenHab that should be able to read in the updates.<\/p>\n

We didn’t want to publish our home automation server to the Internet, but we do<\/em> want to send updates from the cellular data network when we leave home. To accomplish this, I set up a reverse proxy on our Apache server.<\/p>\n

The first step is to get an MQTT server up and working — we Installed a mosquitto package from Fedora’s dnf repository<\/p>\n

Once it is installed, create a directory for the persistence file & chown the folder to mosquitto uid<\/p>\n

Generate a bunch of certs using the ot-tools (git clone https:\/\/github.com\/owntracks\/tools.git). I edited the generate-CA.sh file in the ot-tools\/tools\/TLS folder prior to running the script. It will more or less work as-is, but modifying the organisation names makes a cert with your name on it. Not that anyone will notice. Or care \ud83d\ude42 Modifying the IPLIST and HOSTLIST, on the other hand, will get you a cert that actually matches your hostname — which isn’t a problem for something that doesn’t verify host name information, but saves trouble if you get your hostnames to match up.
\nIPLIST & HOSTLIST
\nCA_ORG and CA_DN<\/p>\n

Then use generate-CA.sh to generate a CA cert & a server cert. Copy these files into \/etc\/mosquitto\/<\/p>\n

Edit the config (\/etc\/mosquitto\/mosquitto.conf) – LMGTFY to find settings you want. Specify a location for the persistence file, password file, and add in the websockets listeners (& ssl certs for the secure one)
\npersistence_file \/var\/lib\/mosquitto\/mosquitto.db<\/p>\n

password_file \/etc\/mosquitto\/passwd<\/p>\n

listener 9001
\nprotocol websockets<\/p>\n

listener 9002
\nprotocol websockets
\ncafile \/etc\/mosquitto\/ca.crt
\ncertfile \/etc\/mosquitto\/mosquittohost.rushworth.us.crt
\nkeyfile \/etc\/mosquitto\/mosquittohost.rushworth.us.key<\/p>\n

Add some users
\n\/usr\/bin\/mosquitto_passwd \/etc\/mosquitto\/passwd WhateverUID<\/p>\n

Start mosquitto
\nmosquitto -c \/etc\/mosquitto\/mosquitto.conf<\/p>\n

Monitor mosquitto for the owntracks ‘stuff’
\nmosquitto_sub -h mosquittohost.rushworth.us -p 1883 -v -t ‘owntracks\/#’ -u WhateverUID -P PWDHereToo<\/p>\n

Setting up the reverse proxy
\nThe big sticking point I had was that the Apache WebSockets reverse proxy has a problem (https:\/\/bz.apache.org\/bugzilla\/show_bug.cgi?id=55320) which is marked as closed. Fedora has 2.4.23, so I expected it was sorted. However using tshark to capture the traffic showed that the relayed traffic is still being send as clear.<\/p>\n

Downloaded the exact same rev from Apache’s web site and checked the mod_proxy_wstunnel.c file for the changes in the bug report and found they were indeed committed. In spite of the fact I *had* 2.4.23, I decided to build it and see if the mod_proxy_wstunnel.so was different.<\/p>\n

Make sure you have all the devel libraries (openssl-devel for me … run the config line and it’ll tell you whatever else you need)<\/p>\n

Get apr and apr-util from Apache & store to .\/srclib then gunzip & untar them. Rename the version-specific folders to just apr and apr-util<\/p>\n

Once you have everything, configure and make
\n.\/configure –prefix=\/usr\/local\/apache –with-included-apr –enable-alias=shared –enable-authz_host=shared –enable-authz_user=shared –enable-deflate=shared –enable-negotiation=shared –enable-proxy=shared –enable-ssl=shared –enable-reqtimeout=shared –enable-status=shared –enable-auth_basic=shared –enable-dir=shared –enable-authn_file=shared –enable-autoindex=shared –enable-env=shared –enable-php5=shared –enable-authz_default=shared –enable-cgi=shared –enable-setenvif=shared –enable-authz_groupfile=shared –enable-mime=shared –enable-proxy_http=shared –enable-proxy_wstunnel=shared<\/p>\n

Rename your mod_proxy_wstunnel.so to something like mod_proxy_wstunnel.so.bak and the grab mod_proxy_wstunnel.so that just got built.<\/p>\n

Grab the CA public key & the server public and private keys that were generated earlier & place them whereever you store your SSL certs on your Apache server<\/p>\n

Create a new site config for this reverse proxy – SSL doesn’t do host headers so you need a unique port. Clear text you can use a host header. Don’t forget to add listen’s to your httpd.conf and ssl.conf files!<\/p>\n

ProxyRequests Off
\n<VirtualHost #.#.#.#:##>
\nServerName mosquitto.rushworth.us
\nServerAlias mosquitto
\nDocumentRoot “\/var\/www\/vhtml\/mosquitto”<\/p>\n

SetEnv force-proxy-request-1.0 1
\nSetEnv proxy-nokeepalive 1
\nSetEnv proxy-initial-not-pooled
\nSetEnv proxy-initial-not-pooled 1<\/p>\n

ProxyPreserveHost On
\nProxyTimeOut\u00a0\u00a0\u00a0 1800<\/p>\n

ProxyPass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ws:\/\/mosquittohost.rushworth.us:9001\/
\nProxyPassReverse\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ws:\/\/mosquittohost.rushworth.us:9001\/
\n<\/VirtualHost><\/p>\n

<VirtualHost #.#.#.#:##>
\nServerName mosquitto.rushworth.us
\nServerAlias mosquitto
\nDocumentRoot “\/var\/www\/vhtml\/mosquitto”<\/p>\n

SetEnv force-proxy-request-1.0 1
\nSetEnv proxy-nokeepalive 1
\nSetEnv proxy-initial-not-pooled
\nSetEnv proxy-initial-not-pooled 1<\/p>\n

ProxyPreserveHost On
\nProxyTimeOut\u00a0\u00a0\u00a0 1800<\/p>\n

SSLEngine On
\nSSLProxyEngine On
\nSSLProxyCheckPeerCN off
\nSSLProxyCheckPeerName off
\nSSLCertificateFile \/etc\/httpd\/conf\/ssl\/mosquittohost.rushworth.us.crt\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0# These are the public and private key components
\nSSLCertificateKeyFile \/etc\/httpd\/conf\/ssl\/mosquittohost.rushworth.us.key\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0# \u00a0\u00a0 \u00a0generated from generate-CA.sh earlier.
\nSSLCertificateChainFile \/etc\/httpd\/conf\/ssl\/ca.crt\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0# This is the public key of the CA generated by generate-CA.sh<\/p>\n

ProxyPass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 wss:\/\/mosquittohost.rushworth.us:9002\/
\nProxyPassReverse\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 wss:\/\/mosquittohost.rushworth.us:9002\/
\n<\/VirtualHost><\/p>\n

Reload apache. Create a DNS hostname internally and externally to direct the hostname to your reverse proxy server.<\/p>\n

Configure the client — generate a key for yourself & merge it into a p12 file (make sure your ca cert files are still in the directory – if you *moved* them into \/etc\/mosquitto … copy them back:
\nsh generate-CA.sh client lisa
\nopenssl pkcs12 -export -in lisa.crt -inkey lisa.key -name “Lisa’s key” -out lisa.p12
\nYou’ll need to supply a password for the p12 file.<\/p>\n

Put the ca.crt (*public* key) file and your p12 file somewhere on your phone (or Google Drive).<\/p>\n

Client config – Install Owntracks from Play Store
\nPreferences – Connection
\nMode:\u00a0\u00a0 \u00a0Private MQTT
\nHost:\u00a0\u00a0 \u00a0hostname & port used in your **SSL** config. Select use WebSockets
\nIdentification:\u00a0\u00a0 \u00a0uid & password created above. Device ID is used as part of the MQTT path (i.e. my lisa device is \/owntracks\/userid\/lisa). Tracker ID is within the data itself
\nSecurity:\u00a0\u00a0 \u00a0Use TLS, CA certificate is the ca.crt created above. Client cert is the p12 file – you’ll need to enter the same password used to create the file<\/p>\n

If it isn’t working, turn off TLS & change the port to your clear text port. This will allow you to isolate an SSL-specific problem or a more general service issue. Once you know everything is working, you can drop the clear text reverse proxy component.<\/p>\n

Voila – reverse proxied WebSockets over to Mosquitto for OwnTracks.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you are trying to reverse proxy OpenHab – that’s over here. This post is about maintaining your own private MQTT server and making it accessible through a reverse proxy. We want to be able to update our presence automatically (without publishing our location information to the Internet). Scott found a program called OwnTracks that …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[31,43,32],"class_list":["post-358","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apache","tag-home-automation","tag-technology"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=358"}],"version-history":[{"count":4,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/358\/revisions"}],"predecessor-version":[{"id":577,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/358\/revisions\/577"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}