Deploying emqx/mqtt on a nomad cluster using traefik

I want to run an emqx container in my existing nomad cluster.
I want to access it as site1-mqtt.example.com for site1, and the same pattern for site2 ... siteN.

This is my service in nomad for secure mqtt

```hcl
service {
  name     = "mqtt-tls"
  port     = "secure"
  provider = "nomad"
  tags = [
    "traefik.enable=true",
    "traefik.tcp.routers.mqtts.rule=HostSNI(`site1-mqtt.example.com`)",
    "traefik.tcp.routers.mqtts.entrypoints=mqtt"
  ]
}
```

and the below for insecure

```hcl
service {
  # distinct service and router names: if both stanzas define a router
  # called "mqtts" with different rules, Traefik rejects it as a conflict
  name     = "mqtt-insecure"
  port     = "insecure"
  provider = "nomad"
  tags = [
    "traefik.enable=true",
    "traefik.tcp.routers.mqtt-insecure.rule=HostSNI(`site1-mqtt-insecure.example.com`)",
    "traefik.tcp.routers.mqtt-insecure.entrypoints=mqtt-insecure"
  ]
}
```

this is my traefik config file which is also hosted using nomad

```yaml
log:
  level: DEBUG

api:
  insecure: false
  dashboard: true

entrypoints:
  http:
    address: ":80"
  https:
    address: ":443"
  admin:
    address: ":8091"
  mqtt:
    address: ":8883"
  mqtt-insecure:
    address: ":1883"

providers:
  file:
    filename: local/static.yaml
  docker:
    exposedByDefault: false
  nomad:
    endpoint:
      address: http://nomad.example.com:4646

ping:
  entryPoint: http

accesslog: {}

certificatesResolvers:
  letsencrypt:
    acme:
      email: "me@example.com"
      storage: "/local/s3_env_runtime/ingress/acme.json"
      certificatesDuration: 2160
      dnsChallenge:
        provider: "route53"
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
```

I am not able to connect to my mqtt connections using this configuration.
Please point out what's wrong here.
While connecting to mqtt using the aiomqtt library I am getting error 61, connection refused.

To quote a chatbot:

MQTT itself does not directly support Host-based Server Name Indication (SNI) because the MQTT protocol operates at the application layer and does not inherently deal with SSL/TLS specifics. However, when MQTT is used over TLS (referred to as MQTTS), the underlying TLS library can support SNI if configured properly.

Make sure your client supports TLS with HostSNI, or use HostSNI(`*`). Make sure to use the right port.

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc). Can the client not connect to Traefik or can Traefik not connect to the target service?

I was not able to connect to traefik due to some problem on nomad side, thanks for reply.

Also, is there a way to bypass the traefik tls check and pass the request as it is to the service instead for both tcp and http routers?

You can use a simple TCP router on a separate entrypoint/port, use HostSNI(`*`) and proxy/forward it to a target service/port.

Do not activate any TLS on entrypoint or router (no config line with TLS), or Traefik will create a custom cert which the client/browser will not trust.
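Putting the two replies together, here is an added example (not part of the thread) of the Nomad service stanzas for one EMQX task: a plain-TCP router as suggested above, and a TLS router that keeps the HostSNI rule from the question but hands the encrypted stream to EMQX untouched. The port labels and entrypoint names are the ones from the question; the service and router names are assumptions.

```hcl
# Added example, not from the original post. Port labels "secure"/"insecure"
# and entrypoints "mqtt"/"mqtt-insecure" come from the question above;
# service and router names here are assumed.

# 1. Plain MQTT on :1883, no TLS anywhere. Without TLS there is no SNI for
#    Traefik to inspect, so the rule must be HostSNI(`*`); the bytes are
#    forwarded to EMQX unchanged.
service {
  name     = "mqtt-plain"
  port     = "insecure"
  provider = "nomad"
  tags = [
    "traefik.enable=true",
    "traefik.tcp.routers.mqtt-plain.rule=HostSNI(`*`)",
    "traefik.tcp.routers.mqtt-plain.entrypoints=mqtt-insecure",
    # deliberately no traefik.tcp.routers.mqtt-plain.tls.* tag: any tls key
    # makes Traefik terminate TLS itself with a default self-signed cert
  ]
}

# 2. MQTT over TLS on :8883 with passthrough. Traefik only reads the SNI
#    from the ClientHello to pick the router and then forwards the still
#    encrypted stream, so EMQX must hold the certificate and key for
#    site1-mqtt.example.com. A client that does not send SNI matches no
#    router here and is disconnected, which shows up in the Traefik debug
#    log rather than as a TLS error on the client.
service {
  name     = "mqtt-tls"
  port     = "secure"
  provider = "nomad"
  tags = [
    "traefik.enable=true",
    "traefik.tcp.routers.mqtt-tls.rule=HostSNI(`site1-mqtt.example.com`)",
    "traefik.tcp.routers.mqtt-tls.entrypoints=mqtt",
    "traefik.tcp.routers.mqtt-tls.tls.passthrough=true",
  ]
}
```

For site2 ... siteN, repeat the second stanza per site with its own router name and hostname; the wildcard plain-TCP router cannot tell sites apart, so one plain entrypoint can only serve one backend.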