Secure MQTT Broker hosting on AWS Ranjith Kumar DSM August 23, 2017 Internet of things is all about mobility and managing your devices and sensors from anywhere in the world. Hosting a secure MQTT Broker on the cloud is a mandate to achieve this. But people are very much paranoid about the security of the application and the data. This article provides a complete end to end guide for hosting a secure MQTT Broker on AWS . Create an AWS Account Create a FREE AWS account which you can use for a year. You can check the details of the FREE tier here. Besides that, the AWS account provides a single CPU with a 1 GB of RAM, 5 GB of storage space and more. This is a very good configuration to run the MQTT Broker on the VM. Preparing EC2 Create an EC2 instance and If you are particular about the FREE usage, make sure you choose the allowed VM type. However, For the Operating System, choose an Ubuntu 14.04 or 16.04 instance. Create an SSH Key Pair for using for connecting to the EC2 instance via SFTP and SSH. But, If you already have an SSH key you can use the same. The key will be in the name of Yourname.pem The VM provided will be a plain vanilla version of the Ubuntu. Then you can connect to the EC2 instance via SSH. After that Update the Ubuntu for any patches and install zip utility. $ sudo apt-get update $ sudo apt-get install zip unzip Setup MySQL The secure MQTT Broker uses MySQL to store the connected clients, their subscriptions, and the message transactions. Install the MySQL using the following commands. Then These commands will ask for your root password and also make your MySQL instance secured in the EC2 Instance. But, Remember the MySQL password which you need to configure inside the MQTT Broker configration files. $ sudo apt-get install mysql-server $ sudo mysql_secure_installation $ sudo mysql_install_db Make sure the MySQL is set to run in the localhost (127.0.0.1). Then Check the /etc/mysql/my.cnf bind-address = 127.0.0.1 The Ubuntu is now ready to run the broker. Set up Secure MQTT Broker Download the FREE MQTT Broker now. You can copy the files to the EC2 instance using SFTP using tools like FileZilla. Besides that You can use the same SSH key to pair for the authentication purpose. Let us start installing the MQTT Broker in the EC2 Instance. Unzip the MQTT Broker and move to the product home folder. $ unzip Bevywise_MQTT_Route_Linux.zip $ cd Bevywise/MQTTRoute/ Configure MySQL parameters inside the conf/db.conf. Change the default DB server from SQLITE to MYSQL and update the MySQL password which you provided during the installation of MySQL. DB_SERVER = MYSQL MYSQL_USER = root MYSQL_PASSWORD=<<mysql_password>> Securing Client Connections Enable the TLS mode to secure the communication between the clients and the server and setting up passwords logging in. Then You can use a single password for all the clients or individual passwords for each client. Open the conf/broker.conf and update the TLS_ENABLED as TRUE. However You can change all other values if needed. Using a non-regular port number for Broker and secure web socket will further enhance the security against DDOS. TLS_ENABLED = TRUE TLS_PORT_NO = 8883 WSS_PORT_NO = 8000> Create a strong set of username and passwords which can be used when the clients connect to the secure MQTT Broker. Besides that You can add your list of credentials inside Certificate/Authentication/ folder. The username and password must be <username><<Tab>><Password> operation_mgr_usr [email protected] external_dev_user [email protected]!*&Rs4 Then Enable authentication in the conf/broker.conf. However If you wish to use a different file for the username and password list, you can change the path of the credentials file. [AUTHENTICATION] AUTHENTICATION_ENABLED = YES # YES || NO PASSWD_FILE = ./Certificate/Authentication/credentials.txt Then Start the MQTT Broker in the background to make sure the broker is running continuously. $ cd ./bin $ nohup sh runbroker.sh & The MQTT Broker will start on the TCP port 1883, Web Socket port 8000, and HTTP port 8080. Securing User Interface with Apache The apache server will be set as the front end for the User interface and the request will be routed to the port 8080 of the MQTT Broker using the virtual host configuration of the apache. After that, The basic authentication of the apache will be enabled for the securing the User Interface. Install the apache server. $ sudo apt-get install apache2 $ sudo apt-get install apache2-utils Firstly The Username and the passwords need to be added to the apache for enabling the basic authentication. then To add the user name, run the following command. Finally This will ask for the password and confirmation and it will be added to the .htpasswd file. $ sudo htpasswd -c /etc/apache2/.htpasswd <<User_name>> Confirm the user addition by using the following command $ cat /etc/apache2/.htpasswd sammy:$apr1$DeD6bRwI$sCkKfg7Ly/nkXPiXG.PUP0 Finally You need to restart the apache server for the authentication to be enabled. Let us do the proxying to the port 8080 before restarting the server. Enabling the Proxy modules of the apache. $ sudo a2enmod proxy $ sudo a2enmod proxy_http Then for reverse proxy, we need to add the following into the /etc/apache2/sites-enabled/000-default.conf. ProxyPass / http://localhost:8080/ ProxyPassReverse / http://localhost:8080/ <Location “/”> AuthType Basic AuthName “Restricted Content” AuthUserFile /etc/apache2/.htpasswd Require valid-user </Location> Restart the apache server for the above changes to take effect. $ sudo service apache2 restart Configuring AWS Firewall The AWS firewall can be configured using the Network & Security → Security Group option inside the AWS Console. Then You have to enable inbound connection to only 4 ports, Apache — 80, Web socket — 8443, TLS TCP — 8883 & SSH — 22. However If you are planning to connect devices only from your internal network, you can use the option of My IP for the Source to make sure AWS restricts all the other IPs from sending data to this particular port making it more secure. Mobile Application We do have a basic mobile application which can be used to send and receive MQTT Messages to and from the different devices. We are yet to host them on the App Store and play store. But we can send you the same. If you are using a FREE version of the MQTT Broker, you will be able to connect up to 25 clients to the broker. In addition You are using a completely FREE MQTT Server on the cloud with all the basic needs. Finally The MQTT Broker is available for more devices at a very affordable price. However, If you are looking to connect millions of devices, we do a have highly scalable distributed micro services based IOT Platform which is being integrated into powerful data visualization. Hence The Platform can be extended and customised based on the vertical and its objectives. Similarly Enable your devices for a powerful M2M communication by setting up a FREE private cloud based secure MQTT Broker. We would be happy to hear your success stories on the setup process. If you need any assistance on enabling IoT into your current process, we could help you get it done using our platform and the smart SDK. Feel free to keep us posted via the contact us form. Leave a Reply Cancel replyYour email address will not be published. Required fields are marked *Comment Name * Email * Website Save my name, email, and website in this browser for the next time I comment.