It's also possible to accomplish the same thing with apache2 or nginx proxy. I use apache2 here and do not have to do anything with mosquitto or ssl certs. This does indeed take care of the annoying Firefox issue with secure Websockets.
On Thursday, October 3, 2024 at 4:59:58 PM UTC-4 Rich Mulvey wrote:

> The subject of problems with Firefox/Safari browsers not being able to get
> real-time updates from the Belchertown skin using the Mosquitto MQTT server
> has come up a bunch of times, so I thought I'd provide a bare-bones
> description of how to get around it relatively easily.
>
> This is VERY much a nerd-centric set of steps, but my assumption is that
> if you know what I'm talking about you can figure out the specific details
> of your particular setup.
>
> The essential issue is that Firefox does the "wrong" thing when attempting
> to connect to the websocket provided by the Mosquitto websocket process. It
> tries to use HTTP/2, and when Mosquitto says it can't handle that, instead
> of falling back to http/1 like other browsers, it just gives up.
>
> The solution is as follows:
>
> 1) Install the haproxy server on your webserver. Usually it will be
> something like 'apt-get install haproxy', depending on your package manager.
>
> 2) Using whatever is the default haproxy config, often
> /etc/haproxy/haproxy.cfg, we're going to set up a proxy that transforms
> http/2 requests into http/1 that mosquitto can handle. We're going to
> listen on port 9010 (change to whatever you want) and redirect the
> websocket calls to the mosquitto server on port 9001 using http/1, assuming
> that's what you're using for the setup if you followed the original
> Belchertown instructions.
>
> So, add lines like the following to the haproxy.cfg file:
>
> # Frontend for handling WebSocket traffic (WSS) on port 9010
> frontend wss_frontend
>     bind *:9010 ssl crt /etc/haproxy/certs/mycerts.pem alpn h2,http/1.1
>     mode http
>     option tcplog
>
>     http-request set-header X-Forwarded-Proto https if { ssl_fc }
>
>     # Use the backend to forward traffic to the non-SSL WebSocket
>     use_backend ws_backend
>
> # Backend for forwarding WebSocket traffic to port 9001 without SSL
> backend ws_backend
>     mode http
>     option tcplog
>     option tcp-check
>     option http-server-close # Ensure that HTTP/1.1 is used
>     server weather_backend 127.0.0.1:9001 check
>
> The
>
>     bind *:9010 ssl crt /etc/haproxy/certs/mycerts.pem alpn h2,http/1.1
>
> line will need to be changed to whatever your cert file is for the https
> support in your webserver. Restart the haproxy server to read the new
> config.
>
> 3) Next, update your weewx.conf file so that the mqtt_websockets_port
> option is changed from the 9001 Belchertown standard to 9010. This will
> tell it to use the new proxy port. Restart weewx.
>
> 4) Update your Mosquitto config file on your webserver so that any of the
> SSL config options under the websockets/listener 9001 line are commented
> out, i.e. there should be no active certfile/cafile/keyfile options. Those
> options DO still need to be associated with the listener 1883/listener 8883
> options. Restart the mosquitto server.
>
> 5) Let weewx run for several minutes so that the webpages get updated with
> the new port 9010/etc option, uploaded to your webserver, etc.
>
> At this point, you should be able to hit your Belchertown skin from any
> browser and get real-time updates.
>
> https://weather.mulveyfamily.com/ is my personal site, for example.
>
> Hope this helps!
>
> - Rich
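Added example, not part of either message above: a small Python check of a mosquitto.conf after step 4, which confirms that the websocket listener has no active certfile/cafile/keyfile and that the 8883 listener still has its certificate and key. It also flags a now-plaintext 9001 listener that is not bound to loopback; that check is an assumption added here, based on the haproxy backend pointing at 127.0.0.1:9001, and the sample config and its file paths are constructed.

```python
import ipaddress

TLS_OPTS = {"certfile", "cafile", "keyfile"}

def parse_listeners(conf_text):
    """Group active mosquitto.conf options under the listener line they follow."""
    listeners, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line: not active
        key, _, value = line.partition(" ")
        if key == "listener":
            parts = value.split()
            bind = parts[1] if len(parts) > 1 else None
            current = {"port": int(parts[0]), "bind": bind, "opts": {}}
            listeners.append(current)
        elif current is not None:
            current["opts"][key] = value.strip()
    return listeners

def is_loopback(bind):
    """True only for an explicit loopback bind address."""
    if bind is None:
        return False  # no address given: the listener is on all interfaces
    try:
        return bind == "localhost" or ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return False

def audit(conf_text, ws_port=9001, tls_port=8883):
    """Return a list of findings; an empty list means the config matches step 4."""
    findings = []
    for lst in parse_listeners(conf_text):
        tls = sorted(TLS_OPTS & lst["opts"].keys())
        if lst["port"] == ws_port and tls:
            findings.append(f"listener {ws_port}: still has {', '.join(tls)} (step 4)")
        elif lst["port"] == ws_port and not is_loopback(lst["bind"]):
            findings.append(f"listener {ws_port}: plaintext, not bound to loopback")
        elif lst["port"] == tls_port and not {"certfile", "keyfile"} <= set(tls):
            findings.append(f"listener {tls_port}: certfile/keyfile missing")
    return findings

# Constructed sample: step 4 applied, websocket listener also pinned to loopback.
SAMPLE_AFTER = """\
listener 8883
certfile /etc/mosquitto/certs/example.pem
keyfile /etc/mosquitto/certs/example.key
listener 9001 127.0.0.1
protocol websockets
#certfile /etc/mosquitto/certs/example.pem
#keyfile /etc/mosquitto/certs/example.key
"""

if __name__ == "__main__":
    print(audit(SAMPLE_AFTER) or "ok")
```

To check a real file, pass its contents to `audit()`, adjusting `ws_port` and `tls_port` if your listeners use other ports.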