
mosquitto-users team mailing list archive

Re: Recommended setup for supporting lots of external clients

 

Alfonso,

I'd be interested to see other people's ideas, but here is how I set up our
system:

1. Configure the server to require client authentication with a
certificate, and to use the CN as the username.
2. Configure the ACL such that clients are restricted to a device/%u/#
wildcard.
3. Set up a registration system that will validate new devices and issue
certs on demand.

Works well so far (fingers crossed).

-Darren
On Nov 26, 2013 6:41 PM, "Alfonso Pantoja" <alfonso.pantoja@xxxxxxxxx>
wrote:

> Hi,
>
> I've been reading the mosquitto documentation about security and I'm a bit
> confused about what would be the best setup for supporting a huge number of
> clients trying to keep the system as simple as possible.
>
> To be more specific, imagine a scenario with a broker exposed to the
> internet which is being accessed by third party products/code (i.e: devices
> sending temperature data).
> Let's say that users of this system could have lots of devices and wanted
> to connect them to the broker.
>
> In a perfect (and secure) world all those clients should have different
> credentials but in reality this could be tricky because all devices should
> be configured one by one and all credentials remembered/stored.
>
> If I'm not wrong the documentation states that it is recommended to use
> different certificates for server, CA and clients so I suppose it is also
> problematic using only one user/password in all people's devices or the
> same PSK, right?
>
> In order to balance security and simplicity I'm wondering if the best
> solution is to expose a broker to the internet and bridge it to a "private"
> broker but I'm still confused about what kind of security should be
> implemented in the "external broker".
>
> Any advice on this?
>
> Thanks in advance,
>
> Alfonso
>
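An added example, not part of the original thread and not mosquitto's own code: a small Python model of the setup in Darren's reply, showing which topics a client ends up allowed on when its certificate CN is substituted for %u in device/%u/#, and why the registration step should vet the CN before issuing a certificate. The function names and the CN character policy are assumptions made for illustration.

```python
import re

# ACL pattern from the reply; %u is the username, i.e. the certificate CN.
ACL_PATTERN = "device/%u/#"

# Assumed registration policy (not from the thread): the CN must be a single
# topic level with no MQTT wildcards ('+', '#') and no level separator ('/').
CN_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def valid_device_cn(cn):
    """Registration-time check, run before a certificate is issued."""
    return CN_RE.fullmatch(cn) is not None


def filter_matches(topic_filter, topic):
    """Standard MQTT filter matching against a concrete topic:
    '+' matches exactly one level, '#' matches the rest (and the parent)."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def allowed(cn, topic):
    """Would a client whose certificate CN is `cn` be allowed on `topic`?
    Models publish/delivery on a concrete topic, not subscription filters."""
    if not valid_device_cn(cn):
        return False  # never expand an unvetted CN into the ACL pattern
    return filter_matches(ACL_PATTERN.replace("%u", cn), topic)


if __name__ == "__main__":
    # Constructed sample CNs and topics.
    for cn, topic in [
        ("sensor42", "device/sensor42/temperature"),
        ("sensor42", "device/sensor43/temperature"),
        ("+", "device/sensor43/temperature"),
    ]:
        print(cn, topic, allowed(cn, topic))
```

The third sample is the case the registration check exists for: without it, a CN of "+" would expand the pattern to device/+/#, which covers every device's subtree.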
