vince <[email protected]> writes:

> On Thursday, November 21, 2019 at 8:30:34 AM UTC-8, Greg Troxel wrote:
>
>> I don't follow "password-protected" entirely.
>
> oh - I meant protecting the Internet MQTT broker from nefarious
> denial-of-service from the script kiddies.
>
> The LAN broker will need to forward/post to the Internet broker instance.
> You want to make sure it's just 'you' who can post data there, so enabling
> the MQTT username/password setup on the Internet broker will help stop the
> bad guys from messing with your data. The LAN MQTT broker can (probably)
> be open for writes without username/password needed, depending on how you
> like to set your LAN up.
I understand now. It was obvious to me that writes must be authenticated
and thus I thought we were talking about allowing unauthenticated reads.
However, it is not obvious to everyone and excellent advice to someone
starting out.

> My setup at home has a bunch of pi and arduinos and sensors posting to
> local MQTT without any passwords needed. When I had the Internet MQTT
> broker being bridged to (as MQTT uses the term) from the LAN, I had just
> 'that' one requiring a username/password, and also had some packet filters
> etc. limiting the incoming MQTT traffic to be from the pretty stable public
> ip address my home LAN NAT's out to Internet on via my service provider.

Makes sense. I have set up TLS on both home and public broker and also
username/passwords and ACLs. All of my sensors have credentials that allow
them to write to part of the sensor subspace. Indeed, this is much more
work.

> But no I didn't mean webserver username+pass. Sorry for any confusion
> there.

No problem, and I was misunderstanding more than you -- I think it's
actually been a very useful discussion.

To sum up for the OP, assuming they want to do something like Belchertown:

  - set up an MQTT broker on a public/stable IP address

  - configure ACLs to require user/password for writing, to avoid kiddies
    writing to your topics and also storing warez fragments in various
    retained topics, as happened with writable anonymous FTP. For extra
    credit, set up TLS and only do password-controlled access over TLS to
    prevent password sniffing.

  - allow anonymous reads of the data that you intend to be used by the
    skin -- and only that data.

Keep in mind that because MQTT ends up being the way you connect everything
to everything, almost all data in it is sensitive with respect to writes
and some data is sensitive with respect to reads.
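Worked example, added here as an illustration and not taken from the thread or from either poster's actual setup: a Mosquitto configuration that implements the summary above (TLS-only public listener, password-protected writes, anonymous read-only access, and an authenticated outbound bridge from an open LAN broker). The hostname mqtt.example.org, the file paths, the `weather/` topic prefix and the account name `weewx-bridge` are assumptions chosen for the example.

```conf
# ---- /etc/mosquitto/mosquitto.conf on the PUBLIC broker (assumed path) ----

# The only listener is TLS on 8883, so a username/password is never sent
# in the clear. Certificate paths are placeholders.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

# Anonymous clients may connect, but the ACL file below limits them to reads.
# The password file is created with "mosquitto_passwd -c /etc/mosquitto/passwd weewx-bridge".
allow_anonymous true
password_file /etc/mosquitto/passwd
acl_file      /etc/mosquitto/acl


# ---- /etc/mosquitto/acl on the PUBLIC broker (assumed path) ----

# Lines before the first "user" line apply to anonymous clients:
# the skin may read the published weather tree and nothing else,
# so nobody can write (or park retained junk) without a password.
topic read weather/#

# Any authenticated client may only write under its own username (%u).
# A leaked sensor credential therefore cannot overwrite other sensors' topics.
pattern write weather/%u/#

# The bridge account publishes the whole tree on behalf of the LAN broker.
user weewx-bridge
topic write weather/#


# ---- /etc/mosquitto/mosquitto.conf on the LAN broker (assumed path) ----

# Open on the LAN, as in the quoted setup: local sensors need no credentials.
listener 1883
allow_anonymous true

# Bridge LAN -> public broker: outbound only, authenticated, over TLS.
connection to-public
address mqtt.example.org:8883
bridge_cafile /etc/ssl/certs/ca-certificates.crt
remote_username weewx-bridge
remote_password changeme
topic weather/# out 0
```

Two things to check after deploying this: first, that an unauthenticated `mosquitto_sub -h mqtt.example.org -p 8883 --cafile ... -t 'weather/#'` works while the matching `mosquitto_pub` is refused, which confirms the ACL rather than the listener is doing the work; second, that the trust boundary is where you think it is, because the bridge account has write access to all of `weather/#`, so anything that can publish on the open LAN broker can publish to the public tree through it. That is exactly the trade-off the thread describes, and it is fine as long as the LAN is one you control.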
