mqtt 代理
1.功能描述
能够满足mqtt 客户端的所有请求,代理跟mqtt server之间的通信对mqtt 客户端无感知,支持mqtt明文以及ssl加密两种方式;非mqtt连接,断开连接;客户端同代理的一次session过程中,代理要保证同server端的正确通信,包括server端无感知切换;提供 mqtt_proxy_clientid 变量,upstream可使用该变量做hash路由;心跳,同server不中断时做转发,但是切换server时,代理要回应client 心跳,然后恢复对新server连接后,重新转发
stream mqtt代理模块采用静态编译,不再编译动态模块
2.依赖模块
load_module modules/njt_stream_mqtt_proxy_module.so; #加载mqtt代理模块3.指令说明
mqtt_proxy_pass
| Syntax: | mqtt_proxy_pass address; |
|---|---|
| Default: | — |
| Context: | server |
mqtt代理
mqtt_proxy_next_upstream
| Syntax: | mqtt_proxy_next_upstream on | off; |
|---|---|
| Default: | mqtt_proxy_next_upstream on; |
| Context: | stream, server |
当前server不可用时,是否自动尝试下一个server连接开关
mqtt_proxy_next_upstream_timeout
| Syntax: | mqtt_proxy_next_upstream_timeout time; |
|---|---|
| Default: | mqtt_proxy_next_upstream_timeout 0; |
| Context: | stream, server |
尝试连接新server的超时时间,0表示不受此时间限制
mqtt_proxy_next_upstream_tries
| Syntax: | mqtt_proxy_next_upstream_tries number; |
|---|---|
| Default: | mqtt_proxy_next_upstream_tries 0; |
| Context: | stream, server |
尝试连接新server的次数,0表示不尝试连接新server。该次数内 server仍不可用,则关闭客户端连接,同时如果upstream中所有server都已经尝试连接过,则也会直接关闭客户端连接
mqtt_proxy_ssl
| Syntax: | mqtt_proxy_ssl on | off; |
|---|---|
| Default: | mqtt_proxy_ssl off; |
| Context: | stream, server |
代理连接server是否开启TLS/SSL 协议
mqtt_proxy_ssl_certificate
| Syntax: | mqtt_proxy_ssl_certificate file; |
|---|---|
| Default: | — |
| Context: | stream, server |
代理连接server 配置ssl证书
mqtt_proxy_ssl_certificate_key
| Syntax: | mqtt_proxy_ssl_certificate_key file; |
|---|---|
| Default: | — |
| Context: | stream, server |
代理连接server 配置ssl key证书
ssl_certificate
| Syntax: | ssl_certificate file; |
|---|---|
| Default: | — |
| Context: | stream, server |
代理作为ssl server, 配置ssl证书,标准stream模块证书配置
ssl_certificate_key
| Syntax: | ssl_certificate_key file; |
|---|---|
| Default: | — |
| Context: | stream, server |
代理作为ssl server, 配置ssl key证书,标准stream模块 key证书配置
4.配置样例
njet.conf
load_module modules/njt_stream_mqtt_proxy_module.so;
stream {
#配置mqtt upstream
upstream mqtt_upstream{
#如果需要使用clientid做hash 路由,使用如下指令
#hash $mqtt_proxy_clientid;
server 127.0.0.1:1884 max_fails=3 fail_timeout=30s;
server 127.0.0.1:1885 max_fails=3 fail_timeout=30s;
server 127.0.0.1:1886 max_fails=3 fail_timeout=30s;
}
# 示例配置
server {
listen 8101;
mqtt_pass mqtt_upstream;
mqtt_proxy_next_upstream on;
mqtt_proxy_next_upstream_tries 3;
}
#代理非ssl, server ssl 示例配置
server {
listen 8101;
mqtt_pass mqtt_upstream;
mqtt_proxy_next_upstream on;
mqtt_proxy_next_upstream_tries 3;
mqtt_proxy_ssl on;
mqtt_proxy_ssl_certificate /root/bug/njet1.0/cert/mqtt_client.crt;
mqtt_proxy_ssl_certificate_key /root/bug/njet1.0/cert/mqtt_client.key;
}
#代理ssl, server 非ssl 示例配置
server {
listen 8101 ssl;
mqtt_pass mqtt_upstream;
mqtt_proxy_next_upstream on;
mqtt_proxy_next_upstream_tries 3;
ssl_certificate /root/bug/njet1.0/cert/mqtt_client.crt;
ssl_certificate_key /root/bug/njet1.0/cert/mqtt_client.key;
}
#代理ssl, server ssl 示例配置
server {
listen 8101 ssl;
mqtt_pass mqtt_upstream;
mqtt_proxy_next_upstream on;
mqtt_proxy_next_upstream_tries 3;
ssl_certificate /root/bug/njet1.0/cert/mqtt_client.crt;
ssl_certificate_key /root/bug/njet1.0/cert/mqtt_client.key;
mqtt_proxy_ssl on;
mqtt_proxy_ssl_certificate /root/bug/njet1.0/cert/mqtt_client.crt;
mqtt_proxy_ssl_certificate_key /root/bug/njet1.0/cert/mqtt_client.key;
}
}5.调用样例
使用mosquitto相关工具进行测试
匿名不带用户名密码
allow_anonymous trueMosquito broker启动
mosquitto -c /etc/mosquitto/mosquitto.conf -p 1884生产者发向mqtt 代理发送消息:
mosquitto_pub -h localhost -t "topic2" -p 8101 -m "Hello 1" 订阅者收到生产者发送的消息:
mosquitto_sub -p 1884 -F '%t : %p' -t "topic2" -i client 3带用户名密码
ssl证书配置(不配置下面几项,则为非ssl)
cafile /root/bug/njet1.0/cert/mqtt_ca.crt
# Path to the PEM encoded server certificate.
certfile /root/bug/njet1.0/cert/mqtt_client.crt
# Path to the PEM encoded keyfile.
keyfile /root/bug/njet1.0/cert/mqtt_client.key
allow_anonymous false
#关于密码文件的配置,参考http2mqtt资料里相关介绍
password_file /etc/mosquitto/password_fileMosquito broker启动
mosquitto -c /etc/mosquitto/mosquitto.conf -p 1884生产者发向mqtt 代理发送消息:
mosquitto_pub -h localhost -t "topic2" -p 8101 -m "Hello 1" -u admin -P 123456 -i client2订阅者收到生产者发送的消息:
mosquitto_sub -p 1884 -F '%t : %p' -t "#" -u admin -P 123456 --cafile /home/njet/mqtt/cert/mqtt_ca.crt --cert /home/njet/mqtt/cert/mqtt_client.crt --key /home/njet/mqtt/cert/mqtt_client.key --insecure