I am using emqx as mqtt broker for my sensor network. Here is my desired configuration. I want to allow two different listeners for internal and external connections.
Listener 1 (external): 0.0.0.0:8883
  Do not allow anonymous connections
  emqx_auth_http enabled
  This listener is for sensors outside my VPC
Listener 2 (internal): 127.0.0.1:11883
  Allow anonymous connections
  This listener is intended for a few services that run on the same machine (localhost)
Here is my config file (relevant options)
##--------------------------------------------------------------------
## Authentication/Access Control
##--------------------------------------------------------------------
allow_anonymous = false
##--------------------------------------------------------------------
## Internal Zone
##--------------------------------------------------------------------
zone.internal.allow_anonymous = true
##--------------------------------------------------------------------
## Listeners
##--------------------------------------------------------------------
listener.tcp.external = 0.0.0.0:8883
listener.tcp.external.zone = external
##--------------------------------------------------------------------
## Internal TCP Listener for MQTT Protocol
##--------------------------------------------------------------------
listener.tcp.internal = 127.0.0.1:11883
listener.tcp.internal.zone = internal
Listener 1 is working perfectly fine with my custom authenticator API.
But the Listener 2 (internal listener) does not work as expected. It does not allow anonymous connections and fires the auth request to my API authenticator.
Is there something I am doing wrong?
Thanks for any help :)
Answering the question based on the discussion on this issue https://github.com/emqx/emqx/issues/3225
The problem is that the HTTP auth plugin does not seem to honor the zone settings. In order to reach the internal zone auth configuration, we have to ignore the HTTP auth as mentioned in the documentation.
Authentication succeeded:   HTTP Status Code: 200
Ignore this certification:  HTTP Status Code: 200, Body: ignore
Authentication failed:      HTTP Status Code: other than 200
Once that is sorted out, the following EMQX config works.
# Global
allow_anonymous = false
# external
zone.external.allow_anonymous = false
listener.tcp.external = 0.0.0.0:1883
# internal
zone.internal.allow_anonymous = true
listener.tcp.internal = 127.0.0.1:11883
This setup ensures that the MQTT clients can:
In my opinion, it would be better if setting up the internal zone to allow the anonymous connection itself bypasses the HTTP auth.
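As an added illustration of the "ignore" fall-through described in the answer (this is example code, not part of the original post or of EMQX itself): a minimal authenticator endpoint that returns 200 with body ignore only for clients that arrived on the loopback internal listener, so zone.internal.allow_anonymous decides for them, and checks credentials for everyone else. It assumes auth.http.auth_req.params is configured to send form-encoded ipaddr=%a and sockport=%p alongside username and password (the parameter names ipaddr and sockport are chosen here; %p as the "server port the client connected to" placeholder is assumed from the emqx_auth_http docs).

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed sample credential store (hypothetical); a real deployment
# would verify against a database or identity provider instead.
CREDENTIALS = {"sensor-42": "s3cr3t-token"}

# Taken from the question's listener config: only connections that hit the
# internal listener port AND come from loopback may fall through to the zone.
INTERNAL_PORT = "11883"
LOOPBACK = {"127.0.0.1", "::1"}


def auth_decision(params):
    """Return (http_status, body) for one emqx_auth_http auth request.

    200 + "ignore" makes the plugin skip its own verdict, so the internal
    zone's allow_anonymous=true applies; any non-200 status is a failure.
    """
    port = params.get("sockport", "")
    peer = params.get("ipaddr", "")
    if port == INTERNAL_PORT and peer in LOOPBACK:
        return 200, "ignore"  # hand the decision to zone.internal
    user = params.get("username", "")
    password = params.get("password", "")
    expected = CREDENTIALS.get(user)
    # Constant-time comparison so timing does not leak credential length/prefix.
    if expected is not None and hmac.compare_digest(expected, password):
        return 200, ""        # authenticated (external listener)
    return 401, ""            # anything other than 200 = authentication failed


class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length).decode()
        params = {k: v[0] for k, v in parse_qs(raw).items()}
        status, body = auth_decision(params)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Bind on loopback only; point auth.http.auth_req at http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Note that a client reaching the external listener (port 8883 in the question) never gets ignore, so zone.external.allow_anonymous = false still denies it when credentials fail.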