MQTT broker cannot be contacted behind Traefik

Dear All,
I'm trying to set up an eclipse-mosquitto server in docker behind Traefik and ran into a problem. Reading through the posts here and elsewhere I can see that I'm not the only one with this issue. However, none of the solutions proposed works for me.
Here is my setup:
traefik.yaml:

entryPoints:
  mqtt:
    address: :1883
  mqttsecure:
    address: :8883

docker-compose.yml

version: "3.8"

services:
  mosquitto:
    image: eclipse-mosquitto:latest
    container_name: eclipse-mosquitto
    restart: unless-stopped
    networks:
      - proxy
    volumes:
      - ./config/mosquitto.conf:/mosquitto/config/mosquitto.conf
      - ./data:/mosquitto/data
      - ./log:/mosquitto/log
      - ./passwords.txt:/mosquitto/passwords.txt
    labels:

      - "traefik.enable=true"

      - "traefik.tcp.routers.mqtt.rule=HostSNI(`mqtt.mydomain.com`)"
      - "traefik.tcp.routers.mqtt.entrypoints=mqttsecure"
      - "traefik.tcp.routers.mqtt.tls=true"
      - "traefik.tcp.routers.mqtt.tls.certresolver=production"    # production, staging
      - "traefik.tcp.routers.mqtt.service=mqtt"
      - "traefik.tcp.routers.mqtt.tls.options=mintls13@file"
      - "traefik.tcp.routers.mqtt.tls.passthrough=true"

      - "traefik.tcp.services.mqtt.loadbalancer.server.port=1883"

networks:
  proxy:
    external: true

In the dashboard the router/service seem to be working, but in the logs there is nothing about any attempted connection or any other error.
If I remove the network definition from docker-compose.yml (and add the ports), it works correctly, so the mosquitto part is correct.

Any idea what I may have missed? Thanks in advance for any help!!!

You are using the same custom TLS cert for Traefik and internal MQTT port?

@bluepuma77 Thanks for the quick reply!!!

I think so, but I'm not sure what you mean. This is my TLS provider:

http:

################################################################################################
### TLS
################################################################################################
tls:
  options:
    mintls12:
      minVersion: VersionTLS12
    mintls13:
      minVersion: VersionTLS13

I use it in each router.

You seem to use a Traefik certresolver, that means LetsEncrypt creates a cert for you.

Then you set passthrough, which will tell Traefik to forward the TLS encrypted TCP stream to your target service.

Therefore to decrypt the data, your target service needs to have access to the Traefik LE cert. Which is probably not the case.

@bluepuma77 Thanks for sticking with me on this!!!

ok, I hear you, and I understand your reasoning. But then let me rephrase my aim:

I have been running an MQTT server for the past several years with both SSL protected (port 8883) and unprotected (port 1883) communications with no issues at all. Now that I am moving all my infrastructure behind Traefik, this is the last service to go. Ideally, I would like to do it in a way that it requires NO adjustment on the clients' side as I have many, in different countries...

So I was thinking I would still need 2 channels of comms, one encrypted, one plain. Since the encryption is already set up on the mosquitto server, I thought I would just forward Traefik's 1883 and 8883 ports to the mosquitto server's respective ports. As a first step, I tried this (forwarding only the basic, unencrypted traffic):

docker-compose.yml:

      - "traefik.enable=true"

      - "traefik.tcp.routers.mqtt.entrypoints=mqtt"
      - "traefik.tcp.routers.mqtt.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.mqtt.service=mqtt"
      - "traefik.tcp.services.mqtt.loadbalancer.server.port=1883"

traefik.yml:

entryPoints:
  mqtt:
    address: :1883

But it doesn't work. Even this basic use case fails. I don't get it... I get no errors in any of the logs, Traefik just doesn't let any connection through (I know because I don't get anything in mosquitto's log).

This is how it looks in Traefik:


Do you use Docker or Docker Swarm?

Did you open the port on the Traefik service/container?

Check simple Traefik TCP example.
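An added example, not from the thread or from Traefik's own documentation, showing the layout the two answers point at: the Traefik container must publish the entrypoint ports itself, the plain 1883 router can only match HostSNI(`*`) because a cleartext stream carries no SNI, and the 8883 router passes the TLS stream through to mosquitto's existing listener so no certificate has to move. Image tags, the router/service names, the Traefik command flags and the docker socket mount are assumptions.

```yaml
services:
  traefik:
    image: traefik:latest            # assumed tag
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.mqtt.address=:1883
      - --entrypoints.mqttsecure.address=:8883
    ports:
      # The missing piece from the thread: an entrypoint only listens inside the
      # container. Without these mappings no client traffic ever reaches it.
      - "1883:1883"
      - "8883:8883"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy

  mosquitto:
    image: eclipse-mosquitto:latest
    volumes:
      - ./config/mosquitto.conf:/mosquitto/config/mosquitto.conf
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      # Plain MQTT on 1883: no TLS handshake, so no SNI to match on.
      - "traefik.tcp.routers.mqtt.entrypoints=mqtt"
      - "traefik.tcp.routers.mqtt.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.mqtt.service=mqtt-plain"
      - "traefik.tcp.services.mqtt-plain.loadbalancer.server.port=1883"
      # TLS MQTT on 8883: mosquitto keeps terminating TLS with its own cert.
      # With passthrough Traefik never decrypts, so certresolver and
      # tls.options have no effect here; min TLS version is set in mosquitto.conf.
      # Clients that do not send SNI need HostSNI(`*`) on this router as well.
      - "traefik.tcp.routers.mqtts.entrypoints=mqttsecure"
      - "traefik.tcp.routers.mqtts.rule=HostSNI(`mqtt.mydomain.com`)"
      - "traefik.tcp.routers.mqtts.tls.passthrough=true"
      - "traefik.tcp.routers.mqtts.service=mqtt-tls"
      - "traefik.tcp.services.mqtt-tls.loadbalancer.server.port=8883"

networks:
  proxy:
    external: true
```

Because the 1883 path stays cleartext end to end, credentials in mosquitto's password file travel unprotected on that port exactly as they did before the move; only the 8883 path gains nothing and loses nothing from Traefik, since it is not inspecting the stream.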

AAAAAaaaaaaaaaaaaaa! The port.... I forgot it.... Can't believe I wasted 2 days on this....
The simple (unencrypted) mqtt connection is now working. I am now moving on to the rest of the mqtt migration.

Thank you for all your help!!!!!!!!!!!!!!!!
