Hello,

Our team is planning to use HAProxy as a TCP load balancer for MQTT servers. We don't have much familiarity with the HAProxy setup, so we would like to get some clarity on how the process would work. Please let me know if this is not the right place to ask questions, and thanks in advance.
We are planning to use HAProxy's SSL termination feature and enforce client certificate validation. So far, we were able to get HAProxy to enforce that clients present client certificates. But we are trying to implement some additional client validations, mainly the following:

1. Add additional certificate validation by checking the client identifier presented in the MQTT data (MQTT CONNECT packets) against the CN in the presented client certificate.
2. Perform some authorizations based on the certificate and the type of packets (PUBLISH, SUBSCRIBE, etc.).

(Here is the MQTT specification document: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html)

Here are some of our questions:

- Is it possible to do the above using HAProxy, and is using HAProxy for these purposes the right approach?
- Are Lua scripts the recommended way of extending functionality like this? Are there other plugin mechanisms available?
- We were analyzing the sample-fetch options to parse data from the request body but found it hard to log these contents. We found the http capture options, but those seem specific to HTTP. Are there similar ones which are more generic rather than specific to HTTP?
- According to the docs, payload_lv can read the content length at the given offset. What is the format used to represent the length of the contents? The MQTT protocol uses a similar approach of prefixing the length before certain contents. We are trying to verify that the format used is the same. If you could point us to a more detailed document or some examples around these, that would be helpful.

Here are snippets from the config file that we are testing with. (The req.payload_lv part obviously does not work.)

    global
        log-format Client:%ci\ SSLCipher:%sslc\ SSLVersion:%sslv\ BytesUploaded:%U\ TermState:%ts\ StatusCode:%ST\ Retries:%rc\ ClientCertCN:\ %[ssl_c_s_dn(CN)] \ MQTTClientId\ %[req.payload_lv(13,2)]

    frontend mqtt-in
        bind *:8883 ssl crt crtfile.cer ca-file cafile.pem verify required
        mode tcp
        tcp-request inspect-delay 3s
        acl mqtt_connect req.payload(0,1) -m bin 10
        # tcp-request content capture req.payload(13,2) len 2
        tcp-request content reject if !mqtt_connect
        default_backend mqtt-out

    backend mqtt-out
        server mqttserver:1883

Thanks,
Hari Chandrasekhar
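An added worked example, not part of the post above and not HAProxy code: it parses an MQTT 3.1.1 CONNECT packet according to the cited specification (section 3.1) and compares the Client Identifier with a certificate CN, which is the first validation the post asks about. It also shows the two length encodings involved in the payload_lv question: the fixed header's Remaining Length is a variable-length integer (7 data bits per byte, high bit set when another byte follows), while each MQTT string, the Client Identifier included, is prefixed by a 2-byte big-endian length (section 1.5.3). The sample packet bytes, the client identifier "sensor-42", and the CN value are all constructed for the example.

```python
import struct

# --- MQTT 3.1.1 encoding helpers (spec sections 2.2.3 and 1.5.3) ---

def decode_remaining_length(buf, pos):
    """Decode the fixed header's Remaining Length starting at buf[pos].
    Returns (value, position after the length bytes). Raises on malformed input."""
    multiplier = 1
    value = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated Remaining Length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:        # the spec allows at most 4 bytes
            raise ValueError("malformed Remaining Length")

def encode_remaining_length(n):
    """Inverse of decode_remaining_length; used to build the constructed sample."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)

def read_utf8_string(buf, pos):
    """MQTT strings carry a 2-byte big-endian length prefix, then UTF-8 bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + length].decode("utf-8"), pos + length

# --- CONNECT parsing and the CN check ---

def parse_connect(packet):
    """Parse a CONNECT packet; every length is bounds-checked before use."""
    if not packet or (packet[0] >> 4) != 1:   # control packet type 1 = CONNECT
        raise ValueError("not a CONNECT packet")
    remaining, pos = decode_remaining_length(packet, 1)
    if pos + remaining != len(packet):
        raise ValueError("Remaining Length does not match packet size")
    protocol_name, pos = read_utf8_string(packet, pos)   # "MQTT" for 3.1.1
    protocol_level = packet[pos]; pos += 1                # 4 for MQTT 3.1.1
    connect_flags = packet[pos]; pos += 1
    (keep_alive,) = struct.unpack_from(">H", packet, pos); pos += 2
    # Offset of the Client Identifier's 2-byte length prefix. It is 12 only while
    # the Remaining Length fits in one byte; it grows by one per extra length byte.
    client_id_length_offset = pos
    client_id, pos = read_utf8_string(packet, pos)
    return {
        "protocol_name": protocol_name,
        "protocol_level": protocol_level,
        "connect_flags": connect_flags,
        "keep_alive": keep_alive,
        "client_id": client_id,
        "client_id_length_offset": client_id_length_offset,
    }

def client_id_matches_cn(packet, cert_cn):
    """Policy check: accept the session only if the MQTT client id equals the
    CN of the client certificate (cert_cn is whatever the TLS layer extracted)."""
    return parse_connect(packet)["client_id"] == cert_cn

def build_connect(client_id, keep_alive=60, protocol_name=b"MQTT", protocol_level=4,
                  connect_flags=0x02):
    """Build a minimal CONNECT packet (clean session, no will/user/password).
    Constructed for the example; a real client sends this, the balancer only reads it."""
    cid = client_id.encode("utf-8")
    body = (struct.pack(">H", len(protocol_name)) + protocol_name
            + bytes([protocol_level, connect_flags])
            + struct.pack(">H", keep_alive)
            + struct.pack(">H", len(cid)) + cid)
    return bytes([0x10]) + encode_remaining_length(len(body)) + body

# Constructed sample: a client claiming id "sensor-42" with a certificate CN "sensor-42".
SAMPLE_CONNECT = build_connect("sensor-42")

if __name__ == "__main__":
    info = parse_connect(SAMPLE_CONNECT)
    print(info)
    print("CN matches:", client_id_matches_cn(SAMPLE_CONNECT, "sensor-42"))
```

For the sample packet the Client Identifier's length prefix lands at byte offset 12 (1 byte of packet type, 1 byte of Remaining Length, 6 bytes of protocol name, 1 byte of level, 1 byte of flags, 2 bytes of keep-alive), and that prefix is a plain 2-byte big-endian integer, which is the one place in CONNECT where a fixed-width length precedes the data it describes.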

