Traefik reverse proxy for mosquitto with cert auth

Hello,

I have the following setup:

  1. Consul service registry
  2. Mosquitto docker container registered on Consul running with default not secured listener on port 1883
  3. Traefik v2 registered on Consul running as reverse proxy. There is a public domain address.

Mosquitto runs on private network interface, it is not exposed to public network.

I have the following tags for Traefik in the mosquitto service:

    tags = [
      "traefik.enable=true",
      "traefik.tcp.routers.mqtt-tcp.entrypoints=mqtt-tcp",
      "traefik.tcp.routers.mqtt-tcp.rule=HostSNI(`*`)",
      "traefik.tcp.routers.mqtt-tcp.service=mqtt",

      "traefik.tcp.routers.mqtt-tls-tcp.entrypoints=mqtt-tls-tcp",
      "traefik.tcp.routers.mqtt-tls-tcp.rule=HostSNI(`*`)",
      "traefik.tcp.routers.mqtt-tls-tcp.service=mqtt",
      "traefik.tcp.routers.mqtt-tls-tcp.tls.options=mqttOptions@file"
    ]

Just for a test I put port 1883 (mqtt-tcp) and 8883 (mqtt-tls-tcp).

The dynamic_conf.yml configuration for the mqttOptions options is:

tls:
  options:
    mqttOptions:
      clientAuth:
        caFiles:
          - /home/root-cacert.pem
        clientAuthType: RequireAndVerifyClientCert
    default:
      minVersion: VersionTLS12

When I deploy this and test MQTT with mosquitto_sub, I can connect and subscribe to the broker on port 1883 without problems by using

mosquitto_sub -t "#" -h my-broker.mydomain.com

I see the data flowing and everything is good.

But when I try the same on port 8883 with TLS it fails:

mosquitto_sub -t "#" -h my-broker.mydomain.com -p 8883 --cafile root-cacert.pem --cert server-cert.pem --key server.key --insecure -v
Error: Connection refused

My certificates are self-signed. root-cacert.pem is the same file as I put in the volume /home/root-cacert.pem inside Traefik's docker container.

The router for 8883 is summarized in the Traefik dashboard without any errors:

Could somebody help me explain what is wrong with my configuration?

Thank you in advance!

I also tried a different approach, which is configuring the MQTT broker to listen on 8883 with TLS. Then I applied the following Traefik configuration:

    service {
      name = "mqtt"
      port = "mqttp"

      tags = [
        "traefik.enable=true",
        "traefik.tcp.routers.mqtt-tcp.entrypoints=mqtt-tcp",
        "traefik.tcp.routers.mqtt-tcp.rule=HostSNI(`*`)",
        "traefik.tcp.routers.mqtt-tcp.service=mqtt"
      ]
    }

    service {
      name = "mqtt-tls"
      port = "mqttptls"

      tags = [
        "traefik.enable=true",
        "traefik.tcp.routers.mqtt-tls-tcp.entrypoints=mqtt-tls-tcp",
        "traefik.tcp.routers.mqtt-tls-tcp.rule=HostSNI(`*`)",
        "traefik.tcp.routers.mqtt-tls-tcp.service=mqtt-tls",
        "traefik.tcp.routers.mqtt-tls-tcp.tls=true",
        "traefik.tcp.routers.mqtt-tls-tcp.tls.passthrough=true"
      ]
    }

What I want to achieve is that Traefik passes the encrypted traffic through to the MQTT service which will handle authentication and decryption on its own.

The result is that

mosquitto_sub -t "#" -h mybroker.mydomain.com

works well, and that proves the insecure connection to the broker is available behind the reverse proxy.

But when I try:

mosquitto_sub -t "#" -h mybroker.mydomain.com -p 8883 --cafile root-cacert.pem --cert server-cert.pem --key server.key --insecure -v -u mqttUser -P secretPAssword

I get Error: Connection refused.

When I bypass the reverse proxy and target my broker's secured endpoint directly with the actual raw IP and port, it works well and I see the data coming to the client:

mosquitto_sub -t "#" -h 67.81.221.154 -p 28502 --cafile root-cacert.pem --cert server-cert.pem --key server.key --insecure -v -u mqttUser -P secretPAssword

That proves the broker is well configured for TLS on its own, but I have badly configured Traefik. I must clearly be doing something wrong, but I cannot figure out what exactly.
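As an added example (not code from the original post or from Traefik), the following script cross-checks the Consul router tags against the dynamic tls.options shown above: it parses the `traefik.tcp.routers.<name>.<key>=<value>` tags, verifies that each router's entrypoint exists, that the `name@provider` reference in `tls.options` resolves, that `clientAuthType` is one of the values Traefik accepts and has `caFiles` when it verifies client certificates, and that `tls.options` is not combined with `tls.passthrough=true`, where no termination happens. The tag list and options dict are constructed copies of the post's configuration; the set of entrypoints defined in the static config is an assumption you pass in.

```python
# Added example, not part of the original post: lints the Consul tags and the
# dynamic tls.options. Inputs mirror the post; defined entrypoints are assumed.
VALID_CLIENT_AUTH = {"NoClientCert", "RequestClientCert", "RequireAnyClientCert",
                     "VerifyClientCertIfGiven", "RequireAndVerifyClientCert"}
POST_TAGS = [  # constructed copy of the router tags from the post
    "traefik.enable=true",
    "traefik.tcp.routers.mqtt-tcp.entrypoints=mqtt-tcp",
    "traefik.tcp.routers.mqtt-tcp.rule=HostSNI(`*`)",
    "traefik.tcp.routers.mqtt-tcp.service=mqtt",
    "traefik.tcp.routers.mqtt-tls-tcp.entrypoints=mqtt-tls-tcp",
    "traefik.tcp.routers.mqtt-tls-tcp.rule=HostSNI(`*`)",
    "traefik.tcp.routers.mqtt-tls-tcp.service=mqtt",
    "traefik.tcp.routers.mqtt-tls-tcp.tls.options=mqttOptions@file",
]
POST_TLS_OPTIONS = {"mqttOptions": {"clientAuth": {  # constructed form of dynamic_conf.yml
    "caFiles": ["/home/root-cacert.pem"], "clientAuthType": "RequireAndVerifyClientCert"}},
    "default": {"minVersion": "VersionTLS12"}}

def parse_tcp_router_tags(tags):  # group traefik.tcp.routers.<name>.<key>=<value> by name
    routers = {}
    for tag in tags:
        key, _, value = tag.partition("=")
        parts = key.split(".")
        if parts[:3] == ["traefik", "tcp", "routers"] and len(parts) > 4:
            routers.setdefault(parts[3], {})[".".join(parts[4:])] = value
    return routers

def lint_tcp_routers(tags, tls_options, defined_entrypoints):  # returns finding strings
    findings = []
    for name, r in parse_tcp_router_tags(tags).items():
        ep = r.get("entrypoints")
        if ep and ep not in defined_entrypoints:  # an undefined entrypoint never listens
            findings.append(f"{name}: entrypoint '{ep}' is not defined in the static config")
        ref = r.get("tls.options")
        if not ref:
            continue
        if r.get("tls.passthrough") == "true":  # no termination, so options are unused
            findings.append(f"{name}: tls.options has no effect with tls.passthrough=true")
        opt = tls_options.get(ref.partition("@")[0])  # reference is <name>@<provider>
        if opt is None:
            findings.append(f"{name}: TLS options '{ref}' not found under tls.options")
            continue
        auth = opt.get("clientAuth", {})
        auth_type = auth.get("clientAuthType", "NoClientCert")
        if auth_type not in VALID_CLIENT_AUTH:
            findings.append(f"{name}: unknown clientAuthType '{auth_type}'")
        elif "Verify" in auth_type and not auth.get("caFiles"):  # verification needs a CA
            findings.append(f"{name}: '{auth_type}' needs caFiles to verify client certs")
    return findings
```

Run `lint_tcp_routers(POST_TAGS, POST_TLS_OPTIONS, {...})` with the entrypoints from your static config; an empty list means none of these mismatches is present and the failure must be looked for elsewhere (certificates, ports, or the broker itself).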