Mosquitto broker with SSL encryption for bridge connection

Let me first explain what I am trying to achieve and then I'll get into the details of the things I have tried already.

So, we have a VM that is on our premises and another VM that is on a customer's premises. Access to these VMs is only available to certain IP addresses. So, we could say that they are secure enough for our use-case.

Data from the customer's environment flows through and into our VM through a mosquitto broker that is set up on both of these environments. This is done with the help of broker bridging, which works fine. However, since this bridge is over the internet, we want to ensure that the data is encrypted and that no-one could intercept it over the internet and use this data in a malicious manner.

To achieve this we are making use of SSL broker encryption. The first method I tried is to use the PSK encryption method.

Here is the broker config at the customer environment.

listener 8883
connection bridgetest
address 147.1.20.1:8883
bridge_identity bridge1
bridge_psk 123456789
topic # both

And here is the broker config at our environment.

listener 8883 
psk_hint SAAS Deployments
psk_file c:\DemoCompany\psk_file.txt

The contents of the psk_file.txt are very simple and the same as the bridge_identity and the bridge_psk provided in the config of the customer environment.

The problem I am facing here is that even though I change the bridge_identity or the bridge_psk at the customer's environment to something that is not in the psk_file.txt, I am still able to connect the 2 brokers over the bridge. My understanding of this was that if I change the bridge_psk to some random hex code, the connection should get rejected. But that doesn't seem to happen. Am I doing something wrong or missing something over here?

The following config files work for me with v2.0.9 builds shipped from the mosquitto PPA on Ubuntu.

Client broker:

listener 1889

connection bridge
address 127.0.0.1:1890
bridge_identity bridge1
bridge_psk 123456789987654321
topic # both 0

Bridge broker:

listener 1890
psk_hint my test bridge
psk_file /temp/psk/psk_file.txt
use_identity_as_username true

The use_identity_as_username option is required as from Mosquitto v2 onward allow_anonymous defaults to false.
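The asker expected the listener-side broker to reject a bridge whose identity or PSK is not in psk_file, and the answer adds that on Mosquitto 2.x the listener also needs use_identity_as_username because allow_anonymous now defaults to false. The following script, an added example and not code from the question, the answer or the Mosquitto project, performs both of those checks offline against the two config files and the psk_file, so a misconfiguration is reported before the brokers are started. The config and psk_file contents embedded below are constructed from the values in the answer; the psk_file format (one identity:hexkey per line) and the hex requirement for keys follow the Mosquitto documentation, and the option parsing is a deliberately simple flattening that assumes one option per line.

```python
"""Offline consistency check for a Mosquitto PSK bridge pair.

Added example (not Mosquitto project code). Parses the listener-side
psk_file and both mosquitto.conf files, then reports whether the bridge's
identity/PSK would be found by the listener and whether the listener
carries the use_identity_as_username setting needed on Mosquitto 2.x.
All inputs below are constructed for illustration.
"""
import re
from typing import Dict, List

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_psk_file(text: str) -> Dict[str, str]:
    """Parse psk_file content: one 'identity:hexkey' per line, '#' starts a comment."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"psk_file line {lineno}: expected 'identity:key'")
        identity, key = (part.strip() for part in line.split(":", 1))
        if not identity or not HEX_RE.match(key):
            raise ValueError(f"psk_file line {lineno}: bad identity or non-hex key")
        entries[identity] = key.lower()  # keys are hex; compare case-insensitively
    return entries


def parse_conf(text: str) -> Dict[str, str]:
    """Flatten a mosquitto.conf into {option: value}; later lines win, comments skipped."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def check_bridge_pair(bridge_conf: str, listener_conf: str, psk_file_text: str) -> List[str]:
    """Return a list of findings; an empty list means the pair is consistent."""
    findings: List[str] = []
    bridge = parse_conf(bridge_conf)
    listener = parse_conf(listener_conf)
    psks = parse_psk_file(psk_file_text)

    identity = bridge.get("bridge_identity")
    psk = bridge.get("bridge_psk", "")
    if not identity or not psk:
        findings.append("bridge side: bridge_identity and bridge_psk must both be set")
        return findings
    if not HEX_RE.match(psk):
        findings.append(f"bridge side: bridge_psk {psk!r} is not a hex string")
    if identity not in psks:
        findings.append(f"listener side: identity {identity!r} is not in psk_file")
    elif psks[identity] != psk.lower():
        findings.append(f"listener side: PSK for {identity!r} does not match bridge_psk")

    if "psk_file" not in listener:
        findings.append("listener side: no psk_file, so PSK clients cannot be authenticated")
    # Mosquitto 2.x: allow_anonymous defaults to false, so the PSK identity
    # must be turned into the username or the bridge connection is refused.
    if (listener.get("use_identity_as_username", "false").lower() != "true"
            and listener.get("allow_anonymous", "false").lower() != "true"):
        findings.append("listener side: set use_identity_as_username true "
                        "(Mosquitto 2.x rejects anonymous clients)")
    return findings


# Constructed inputs, taken from the values shown in the answer above.
BRIDGE_CONF = """\
listener 1889
connection bridge
address 127.0.0.1:1890
bridge_identity bridge1
bridge_psk 123456789987654321
topic # both 0
"""
LISTENER_CONF = """\
listener 1890
psk_hint my test bridge
psk_file /temp/psk/psk_file.txt
use_identity_as_username true
"""
PSK_FILE = "# constructed psk_file\nbridge1:123456789987654321\n"

if __name__ == "__main__":
    print(check_bridge_pair(BRIDGE_CONF, LISTENER_CONF, PSK_FILE))
    # A bridge_psk that is not in the file is reported instead of silently passing.
    print(check_bridge_pair(BRIDGE_CONF.replace("123456789987654321", "deadbeef"),
                            LISTENER_CONF, PSK_FILE))
```

Run it as-is and the first call returns no findings; the second reports the PSK mismatch the asker expected the broker to enforce. Dropping use_identity_as_username from the listener config reproduces the 2.x failure the answer describes as a finding rather than a refused connection at runtime.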
