mProxy is an MQTT proxy.

It is deployed in front of an MQTT broker and can be used for authorization, packet inspection and modification, logging and debugging and various other purposes.

git clone https://github.com/absmach/mproxy.git
cd mproxy
make
./build/mproxy

mProxy starts TCP and WS servers, offering connections to devices. Upon the connection, it establishes a session with a remote MQTT broker. It then pipes packets from devices to the MQTT broker, inspecting or modifying them as they flow through the proxy.

Here is the flow in more detail:

• The Device connects to mProxy's TCP server
• mProxy accepts the inbound (IN) connection and establishes a new session with the remote MQTT broker (i.e. it dials out to the MQTT broker only once it accepts a new connection from a device. This way one device-mProxy connection corresponds to one mProxy-MQTT broker connection.)
• mProxy then spawns 2 goroutines: one that will read incoming packets from the device-mProxy socket (INBOUND or UPLINK), inspect them (calling event handlers) and write them to mProxy-broker socket (forwarding them towards the broker) and other that will be reading MQTT broker responses from mProxy-broker socket and writing them towards device, in device-mProxy socket (OUTBOUND or DOWNLINK).

mProxy can parse and understand MQTT packages, and upon their detection, it calls external event handlers. Event handlers should implement the following interface defined in pkg/mqtt/events.go:

// Handler is an interface for mProxy hooks
type Handler interface {
    // Authorization on client `CONNECT`
    // Each of the params are passed by reference, so that it can be changed
    AuthConnect(ctx context.Context) error

    // Authorization on client `PUBLISH`
    // Topic is passed by reference, so that it can be modified
    AuthPublish(ctx context.Context, topic *string, payload *[]byte) error

    // Authorization on client `SUBSCRIBE`
    // Topics are passed by reference, so that they can be modified
    AuthSubscribe(ctx context.Context, topics *[]string) error

    // After client successfully connected
    Connect(ctx context.Context)

    // After client successfully published
    Publish(ctx context.Context, topic *string, payload *[]byte)

    // After client successfully subscribed
    Subscribe(ctx context.Context, topics *[]string)

    // After client unsubscribed
    Unsubscribe(ctx context.Context, topics *[]string)

    // Disconnect on connection with client lost
    Disconnect(ctx context.Context)
}

An example of implementation is given here, alongside with it's main() function.

mProxy does not do load balancing - just pure and simple proxying with TLS termination. This is why it should be deployed right in front of it's corresponding MQTT broker instance: one mProxy for each MQTT broker instance in the MQTT cluster.

Usually, this is done by deploying mProxy as a side-car in the same Kubernetes pod alongside with MQTT broker instance (MQTT cluster node).

LB tasks can be offloaded to a standard ingress proxy - for example, NginX.

• Golang
• Mosquitto MQTT Server
• Mosquitto Publisher and Subscriber Client

mProxy is used to proxy requests to a backend server. For the example setup, we will use Mosquitto server as the backend for MQTT, and MQTT over Websocket and an HTTP echo server for HTTP.

1. Start the Mosquitto MQTT Server with the following command. This bash script will initiate the Mosquitto MQTT server with WebSocket support. The Mosquitto Server will listen for MQTT connections on port 1883 and MQTT over WebSocket connections on port 8000.

   examples/server/mosquitto/server.sh

2. Start the HTTP Echo Server:

   go run examples/server/http-echo/main.go

3. Start the OCSP/CRL Mock responder:

    go run examples/ocsp-crl-responder/main.go

4. Start the example mProxy servers for various protocols:

   go run cmd/main.go

   The cmd/main.go Go program initializes mProxy servers for the following protocols:

   • mProxy server for MQTT protocol without TLS on port 1884
   • mProxy server for MQTT protocol with TLS on port 8883
   • mProxy server for MQTT protocol with mTLS on port 8884
   • mProxy server for MQTT over WebSocket without TLS on port 8083
   • mProxy server for MQTT over WebSocket with TLS on port 8084
   • mProxy server for MQTT over WebSocket with mTLS on port 8085 with prefix path /mqtt
   • mProxy server for HTTP protocol without TLS on port 8086 with prefix path /messages
   • mProxy server for HTTP protocol with TLS on port 8087 with prefix path /messages
   • mProxy server for HTTP protocol with mTLS on port 8088 with prefix path /messages

Bash scripts available in examples/client/mqtt directory help to test the mProxy servers running for MQTT protocols

• Script to test mProxy server running at port 1884 for MQTT without TLS

  examples/client/mqtt/without_tls.sh

• Script to test mProxy server running at port 8883 for MQTT with TLS

  examples/client/mqtt/with_tls.sh

• Script to test mProxy server running at port 8884 for MQTT with mTLS

  examples/client/mqtt/with_mtls.sh

Go programs available in examples/client/websocket/*/main.go directory helps to test the mProxy servers running for MQTT over WebSocket protocols

• Go program to test mProxy server running at port 8083 for MQTT over WebSocket without TLS

  go run examples/client/websocket/without_tls/main.go

• Go program to test mProxy server running at port 8084 for MQTT over WebSocket with TLS

  go run examples/client/websocket/with_tls/main.go

• Go program to test mProxy server running at port 8085 for MQTT over Websocket with mTLS

  go run examples/client/websocket/with_mtls/main.go

Bash scripts available in examples/client/http directory help to test the mProxy servers running for HTTP protocols

• Script to test mProxy server running at port 8086 for HTTP without TLS

  examples/client/http/without_tls.sh

• Script to test mProxy server running at port 8087 for HTTP with TLS

  examples/client/http/with_tls.sh

• Script to test mProxy server running at port 8088 for HTTP with mTLS

  examples/client/http/with_mtls.sh

The service is configured using the environment variables presented in the following table. Note that any unset variables will be replaced with their default values.

• ADDRESS : Specifies the address at which mProxy will listen. Supports MQTT, MQTT over WebSocket, and HTTP proxy connections.
• PATH_PREFIX : Defines the path prefix when listening for MQTT over WebSocket or HTTP connections.
• TARGET : Specifies the address of the target server, including any prefix path if available. The target server can be an MQTT server, MQTT over WebSocket, or an HTTP server.

• CERT_FILE : Path to the TLS certificate file.
• KEY_FILE : Path to the TLS certificate key file.
• SERVER_CA_FILE : Path to the Server CA certificate file.
• CLIENT_CA_FILE : Path to the Client CA certificate file.
• CERT_VERIFICATION_METHODS : Methods for validating certificates. Accepted values are ocsp or crl. For the ocsp value, the tls.Config attempts to retrieve the OCSP responder/server URL from the Authority Information Access (AIA) section of the client certificate. If the client certificate lacks an OCSP responder URL or if an alternative URL is preferred, you can override it using the environmental variable OCSP_RESPONDER_URL.
  For the crl value, the tls.Config attempts to obtain the Certificate Revocation List (CRL) file from the CRL Distribution Point section in the client certificate. If the client certificate lacks a CRL distribution point section, or if you prefer to override it, you can use the environmental variables CRL_DISTRIBUTION_POINTS and CRL_DISTRIBUTION_POINTS_ISSUER_CERT_FILE. If no CRL distribution point server is available, you can specify an offline CRL file using the environmental variables OFFLINE_CRL_FILE and OFFLINE_CRL_ISSUER_CERT_FILE.

• OCSP_DEPTH : Depth of client certificate verification in the OCSP method. The default value is 0, meaning there is no limit, and all certificates are verified.
• OCSP_RESPONDER_URL : Override value for the OCSP responder URL present in the Authority Information Access (AIA) section of the client certificate. If left empty, it expects the OCSP responder URL from the AIA section of the client certificate.

• CRL_DEPTH: Depth of client certificate verification in the CRL method. The default value is 1, meaning only the leaf certificate is verified.
• CRL_DISTRIBUTION_POINTS : Override for the CRL Distribution Point value present in the certificate's CRL Distribution Point section.
• CRL_DISTRIBUTION_POINTS_ISSUER_CERT_FILE : Path to the issuer certificate file for verifying the CRL retrieved from CRL_DISTRIBUTION_POINTS.
• OFFLINE_CRL_FILE : Path to the offline CRL file, which can be used if the CRL Distribution point is not available in either the environmental variable or the certificate's CRL Distribution Point section.
• OFFLINE_CRL_ISSUER_CERT_FILE : Location of the issuer certificate file for verifying the offline CRL file specified in OFFLINE_CRL_FILE.

mProxy relies on the caarlos0/env package to load environmental variables into its configuration. You can control how these variables are loaded by passing env.Options to the config.EnvParse function.

To add a prefix to environmental variables, use env.Options{Prefix: "MPROXY_"} from the caarlos0/env package. For example:

package main
import (
  "github.com/caarlos0/env/v11"
  "github.com/absmach/mproxy"
)

mqttConfig := mproxy.Config{}
if err := mqttConfig.EnvParse(env.Options{Prefix:  "MPROXY_" }); err != nil {
    panic(err)
}
fmt.Printf("%+v\n")

In the above snippet, mqttConfig.EnvParse expects all environmental variables with the prefix MPROXY_. For instance:

• MPROXY_ADDRESS
• MPROXY_PATH_PREFIX
• MPROXY_TARGET
• MPROXY_CERT_FILE
• MPROXY_KEY_FILE
• MPROXY_SERVER_CA_FILE
• MPROXY_CLIENT_CA_FILE
• MPROXY_CERT_VERIFICATION_METHODS
• MPROXY_OCSP_DEPTH
• MPROXY_OCSP_RESPONDER_URL
• MPROXY_CRL_DEPTH
• MPROXY_CRL_DISTRIBUTION_POINTS
• MPROXY_CRL_DISTRIBUTION_POINTS_ISSUER_CERT_FILE
• MPROXY_OFFLINE_CRL_FILE
• MPROXY_OFFLINE_CRL_ISSUER_CERT_FILE

Apache-2.0