Thanks for the super explanation. "Set up an MQTT broker on a public IP address" - do you mean something like this? - https://www.hivemq.com/blog/build-javascript-mqtt-web-application/

I don't want to use a public MQTT broker (i.e. http://www.mqtt-dashboard.com/) - there is no possibility to password-secure it.

On Thursday, 21 November 2019 at 18:48:18 UTC+1, Greg Troxel wrote:

> vince <[email protected]> writes:
>
> > On Thursday, November 21, 2019 at 8:30:34 AM UTC-8, Greg Troxel wrote:
> >
> >> I don't follow "password-protected" entirely.
> >>
> >
> > oh - I meant protecting the Internet MQTT broker from nefarious
> > denial-of-service from the script kiddies.
> >
> > The LAN broker will need to forward/post to the Internet broker instance.
> > You want to make sure it's just 'you' who can post data there, so enabling
> > the MQTT username/password setup on the Internet broker will help stop the
> > bad guys from messing with your data. The LAN MQTT broker can (probably)
> > be open for writes without username/password needed, depending on how you
> > like to set your LAN up.
>
> I understand now. It was obvious to me that writes must be
> authenticated and thus I thought we were talking about allowing
> unauthenticated reads. However, it is not obvious to everyone and
> excellent advice to someone starting out.
>
> > My setup at home has a bunch of pi and arduinos and sensors posting to
> > local MQTT without any passwords needed. When I had the Internet MQTT
> > broker being bridged to (as MQTT uses the term) from the LAN, I had just
> > 'that' one requiring a username/password, and also had some packet filters
> > etc. limiting the incoming MQTT traffic to be from the pretty stable public
> > ip address my home LAN NAT's out to Internet on via my service provider.
>
> Makes sense. I have set up TLS on both home and public broker and also
> username/passwords and acls. All of my sensors have credentials that
> allow them to write to part of the sensor subspace. Indeed, this is
> much more work.
>
> > But no I didn't mean webserver username+pass. Sorry for any confusion
> > there.
>
> No problem, and I was misunderstanding more than you -- I think it's
> actually been a very useful discussion. To sum up for the OP, assuming
> they want to do something like Belchertown:
>
> set up an MQTT broker on a public/stable IP address
>
> configure acl to require user/password for writing, to avoid kiddies
> writing to your topics and also storing warez fragments in various
> retained topics, as happened with writable anonymous FTP. For extra
> credit, set up TLS and only do password-controlled access over TLS to
> prevent password sniffing.
>
> allow anonymous reads of the data that you intend to be used by the
> skin -- and only that data.
>
> Keep in mind that because MQTT ends up being the way you connect
> everything to everything, almost all data in it is sensitive with
> respect to writes and some data is sensitive with respect to reads.
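As an added example (not from this thread, and not weewx's or Belchertown's own configuration), here is how that summary maps onto Eclipse Mosquitto configuration. It assumes Mosquitto is the broker on both ends; the hostname broker.example.org, the file paths, the `weather/` and `sensors/` topic names, the `weewx` and per-sensor usernames and the password placeholder are all illustrative choices, not anything the thread specifies.

```conf
# --- Public broker: /etc/mosquitto/conf.d/public.conf (assumed path) ---

# Only a TLS listener is exposed, so password-controlled access never
# happens in the clear. No "listener 1883" here at all.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key
tls_version tlsv1.2

# Anonymous clients are allowed to connect, but the ACL file below
# restricts them to reading the published weather data.
allow_anonymous true

# Created with:  mosquitto_passwd -c /etc/mosquitto/passwd weewx
password_file /etc/mosquitto/passwd
acl_file      /etc/mosquitto/acl

# Retained topics are where junk would accumulate; capping the payload
# size bounds the damage even if a write credential ever leaks.
message_size_limit 4096


# --- Public broker: /etc/mosquitto/acl ---

# Lines before any "user" or "pattern" line apply to anonymous clients:
# read-only, and only the sub-tree the skin is meant to consume.
topic read weather/#

# The bridge account is the only identity allowed to write the public data.
user weewx
topic readwrite weather/#

# Every other account (one per sensor) may write only under its own name
# (%u expands to the username), so one leaked sensor credential cannot
# overwrite anything outside that sensor's sub-tree.
pattern write sensors/%u/#


# --- LAN broker: /etc/mosquitto/conf.d/lan.conf (assumed path) ---

# Open on the LAN, as described in the thread; keep it off the Internet
# with the firewall, not with broker settings.
listener 1883
allow_anonymous true

# Bridge: push only the weather sub-tree out to the public broker,
# authenticating over TLS. Direction "out" means nothing is pulled back in.
connection to-public
address broker.example.org:8883
bridge_cafile /etc/mosquitto/certs/ca.crt
bridge_tls_version tlsv1.2
bridge_insecure false
remote_username weewx
remote_password change-me-placeholder
topic weather/# out 0
cleansession false
```

Two checks worth doing from a machine outside your LAN. First, an anonymous subscription such as `mosquitto_sub -h broker.example.org -p 8883 --cafile ca.crt -t 'weather/#' -v` should print data. Second, an anonymous `mosquitto_pub -h broker.example.org -p 8883 --cafile ca.crt -t weather/test -m hi` should produce nothing in that subscriber window: with MQTT 3.1.1 the broker silently drops an unauthorised publish rather than returning an error, so the absence of the message on the subscribe side is the evidence, not a failed command. The bridge password sits in clear text in lan.conf, so keep that file readable only by the mosquitto user.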
