[Wien] Online-MoMo am Mo 07.02.2022 ab 19:30 - Notizen für Setup von mqtt.funkfeuer.at
Daniel A. Maierhofer
Di Feb 8 15:24:12 CET 2022
Servus!
On 05.02.22 10:27, Daniel A. Maierhofer wrote:
> Bei Interesse kann ich das Setup von MQTT im Zusammenspiel mit HAProxy & Let's Encrypt vorführen.
> (Migration von VM auf einen LXC Container - das System welches hinter dem Monitoring der Housing-Temperaturen steckt)
Die Mitschrift dazu findet ihr hier:
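# Base system: refresh the package lists and bring the container up to date
# before installing anything. Chained with && so that a failed update or a
# half-finished upgrade stops the walkthrough instead of silently continuing.
apt update \
  && apt full-upgrade \
  && apt install mosquitto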
# Broker hardening: no anonymous clients, credentials from the hashed
# password file, per-user topic ACLs. The broker itself only listens on
# localhost:9883 — TLS is terminated by HAProxy (8883) which proxies to it,
# so no TLS material lives in the mosquitto config at all.
cat > /etc/mosquitto/conf.d/default.conf << 'EOF'
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl_file
listener 9883 localhost
max_connections 85
EOF
# Topic ACL, evaluated per authenticated username (%u):
#  - "root" is the full-access account (read/write on every topic)
#  - the pattern rules (mosquitto applies them to every user) confine each
#    Tasmota device to reading cmnd/<user>/# and publishing stat/<user>/#
#    and tele/<user>/#, i.e. a device cannot command or impersonate another
#  - "client" additionally gets read-only access to all tele/+/SENSOR topics
cat > /etc/mosquitto/acl_file << 'EOF'
user root
topic readwrite #
#restrict tasmota devs to their own topics
pattern read cmnd/%u/#
pattern write stat/%u/#
pattern write tele/%u/#
#restrict client to readonly for telemetry
user client
topic read tele/+/SENSOR
EOF
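# Credentials for clients, sensors and Grafana. mosquitto's password_file
# expects hashed entries, not plaintext, so create the accounts with
# mosquitto_passwd (-c creates the file; drop it for every further account).
# Account names must match the ACL above: "root", "client" and one entry
# per Tasmota device (its MQTT username is the %u in the pattern rules).
# If you prefer to write "user:password" lines by hand, convert them in
# place afterwards with: mosquitto_passwd -U /etc/mosquitto/passwd
mosquitto_passwd -c /etc/mosquitto/passwd root
mosquitto_passwd /etc/mosquitto/passwd client
# mosquitto_passwd /etc/mosquitto/passwd <tasmota-device>   # repeat per device
# The file holds password hashes: readable by the broker's service user only
# ("mosquitto" on Debian — adjust if the package here uses another name).
chown root:mosquitto /etc/mosquitto/passwd && chmod 640 /etc/mosquitto/passwd
service mosquitto restart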
# nginx only answers ACME http-01 challenges behind HAProxy. Remove the
# distribution's catch-all vhost so that the letsencrypt server block
# written below is the only thing nginx serves.
apt install nginx
rm -- /etc/nginx/sites-enabled/default
# ACME challenge responder. Bound to loopback:8080 only, so it is reachable
# solely through HAProxy's "letsencrypt"/"default" backends. It serves the
# files dehydrated drops into /var/lib/dehydrated/acme-challenges/
# (presumably dehydrated's WELLKNOWN directory on this install — confirm in
# /etc/dehydrated/config). The exact-match location answers 404 for the bare
# challenge directory so no index or listing is exposed; server_tokens off
# hides the nginx version. Paths outside the ACME prefix fall through to
# nginx's built-in default root, which is harmless but worth knowing.
cat > /etc/nginx/conf.d/letsencrypt.conf << EOF
server_tokens off;
server {
listen 127.0.0.1:8080 default_server;
listen [::1]:8080 default_server;
server_name _;
access_log /var/log/nginx/letsencrypt-access.log combined;
error_log /var/log/nginx/letsencrypt-error.log notice;
location = /.well-known/acme-challenge/ {
return 404;
}
location ^~ /.well-known/acme-challenge/ {
alias /var/lib/dehydrated/acme-challenges/;
}
}
EOF
# Syntax-check the new config and only restart nginx when it passes.
if nginx -t; then service nginx restart; fi
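# ACME client plus sudo: with DEHYDRATED_USER set (see config below)
# dehydrated re-executes itself as that user when started by root, which is
# presumably why sudo is installed alongside it.
apt install dehydrated sudo
# Dedicated unprivileged account for the ACME client. -r makes it a system
# account (UID from the system range, no password aging, no skeleton home);
# it never logs in, and its "home" is simply the dehydrated config directory.
useradd -r -c 'dehydrated privsep user' -d /etc/dehydrated/ -s /usr/sbin/nologin _acme
# Names to request certificates for, one certificate per line.
echo mqtt.funkfeuer.at > /etc/dehydrated/domains.txt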
# Append our overrides to the packaged config. The file is a shell fragment
# that dehydrated sources, so it must stay root-owned and not writable by
# _acme. Settings: run as the unprivileged _acme account; ECDSA P-256 keys
# (matches the ECDHE-ECDSA suites HAProxy prefers); our deploy hook.
# Replace the "..." placeholder with a real contact address before
# registering with the CA.
cat >> /etc/dehydrated/config << 'EOF'
DEHYDRATED_USER="_acme"
DEHYDRATED_GROUP="_acme"
KEY_ALGO=prime256v1
CONTACT_EMAIL="..."
HOOK="/etc/dehydrated/hook.sh"
EOF
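# Ownership the hook needs: _acme must be able to create files in
# /etc/ssl/private (HAProxy's crt directory) and under /var/lib/dehydrated
# (account, certificates, challenge files). Chown the private directory
# itself rather than recursing into it: a recursive chown would hand every
# existing private key on the host (snakeoil keys, anything else dropped
# there) to the ACME account, which has no need to read them. A dedicated
# subdirectory for the HAProxy pems would be cleaner still.
chown _acme /etc/ssl/private/
chown -R _acme /var/lib/dehydrated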
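# The here-document delimiter MUST be quoted: with a bare EOF the calling
# shell expands ${1}, ${file}, "$@", $FULLCHAINFILE ... while writing the
# file, and the resulting hook.sh would contain empty strings in their place.
cat > /etc/dehydrated/hook.sh << 'EOF'
#!/usr/bin/env bash
# dehydrated hook: after each issued/renewed certificate, assemble the
# fullchain+key PEM that HAProxy's "crt" directive expects. Runs as
# DEHYDRATED_USER (_acme), so it cannot reload HAProxy itself — the reload
# is done separately by root (cron entry in the setup notes).
set -euo pipefail

# Where the previous PEM is kept before being replaced. Deliberately NOT
# next to the live file: HAProxy's "crt <dir>" loads every regular file in
# that directory, so a backup left in /etc/ssl/private would be picked up as
# a second certificate for the same name.
BACKUP_DIR=/var/lib/dehydrated/haproxy-backup

#######################################
# Atomically replace $1 with the concatenation of the remaining arguments.
# The temp file is created and chmod 0600 *before* any key material is
# written to it, then renamed over the target so a concurrent reader never
# sees a partial PEM. The previous file, if any, is copied to $BACKUP_DIR.
# Arguments: $1 - target path; $2... - input files, in order
#######################################
atomic_concat() {
  local file=$1; shift
  local tmp="${file}.new"
  : > "$tmp"
  chmod 600 "$tmp"
  cat -- "$@" > "$tmp"
  if [[ -f "$file" ]]; then
    mkdir -p -m 700 -- "$BACKUP_DIR"
    cp -f -- "$file" "${BACKUP_DIR}/${file##*/}.dehydrated~"
  fi
  mv -f -- "$tmp" "$file"
}

#######################################
# Deploy /etc/ssl/private/<domain>.pem (full chain followed by the key) for
# HAProxy. Despite the name this only writes the file; the hook runs
# unprivileged, so HAProxy is reloaded by root afterwards. No-op when
# haproxy is not installed on this host.
# Globals: DOMAIN, FULLCHAINFILE, KEYFILE (locals of the calling deploy_cert)
#######################################
haproxy_reload() {
  [[ -x /usr/sbin/haproxy ]] || return 0
  atomic_concat "/etc/ssl/private/${DOMAIN}.pem" "$FULLCHAINFILE" "$KEYFILE"
}

#######################################
# dehydrated "deploy_cert" event, called once per certificate produced.
# Arguments (as passed by dehydrated):
#   $1 DOMAIN         primary name / CN of the certificate
#   $2 KEYFILE        path of the private key
#   $3 CERTFILE       path of the leaf certificate
#   $4 FULLCHAINFILE  path of leaf + intermediates
#   $5 CHAINFILE      path of the intermediates only
#   $6 TIMESTAMP      creation time of the certificate
# Only DOMAIN, KEYFILE and FULLCHAINFILE are used; the others are kept for
# parity with dehydrated's example hook.
#######################################
deploy_cert() {
  # shellcheck disable=SC2034 — CERTFILE/CHAINFILE/TIMESTAMP kept for reference
  local DOMAIN="$1" KEYFILE="$2" CERTFILE="$3" FULLCHAINFILE="$4" CHAINFILE="$5" TIMESTAMP="${6-}"
  haproxy_reload
}

# dehydrated invokes the hook as: hook.sh <event> <args...>. Only deploy_cert
# is handled; every other event is intentionally a no-op, because http-01
# challenges are served straight from the WELLKNOWN directory by nginx.
HANDLER=${1-}
if [[ $# -gt 0 ]]; then shift; fi
case "$HANDLER" in
  deploy_cert) deploy_cert "$@" ;;
  *) ;;
esac
EOF
# Written by root, so it stays root-owned: executable by _acme, not writable.
chmod +x /etc/dehydrated/hook.sh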
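# Install haproxy first: /etc/haproxy does not exist before the package is
# installed, so writing dhparam.pem into it would fail with "No such file
# or directory" in the original order.
apt install haproxy
# 4096-bit DH group for the DHE-RSA suites in the cipher list (generation
# takes a while on a small container). Note the DHE-RSA suites only apply
# with an RSA certificate; with KEY_ALGO=prime256v1 the ECDHE-ECDSA suites
# are what actually gets negotiated, the file is kept for config validity.
openssl dhparam -out /etc/haproxy/dhparam.pem 4096
# Host -> backend map consulted by the http frontend's use_backend line.
echo "mqtt.funkfeuer.at mqtt" > /etc/haproxy/domain.map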
# HAProxy fronts everything: HTTP(S) on 80/443 (ACME challenges -> nginx,
# "/" -> the wiki page, HSTS on responses, TLS per the Mozilla "intermediate"
# profile linked below) and MQTT on 1883/8883 -> mosquitto on localhost:9883.
# Security-relevant points to keep in mind with this config:
#  - "crt ." resolves against crt-base, i.e. /etc/ssl/private. HAProxy loads
#    every regular file in that directory as a certificate, so keep backups,
#    temp files and unrelated keys out of it (check what the dehydrated hook
#    leaves there).
#  - the pems are _acme-owned 0600; HAProxy reads them at startup while still
#    root, before switching to "user haproxy" — confirm on first reload (an
#    "unable to load SSL certificate" alert would mean otherwise).
#  - bind *:1883 is plaintext MQTT: with allow_anonymous false the username
#    and password of every client on that port cross the network in clear.
#    Keep it only for devices that cannot do TLS, and preferably restrict it
#    (firewall, or bind to the internal address) instead of all interfaces.
#  - domain.map sends any other path on mqtt.funkfeuer.at (not "/", not the
#    ACME prefix) from the HTTP frontend to the TCP "mqtt" section; whether
#    HAProxy accepts that mode switch depends on the version — test with e.g.
#    GET /foo after reload and map the host to "default" if it misbehaves.
cat >/etc/haproxy/haproxy.cfg << EOF
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-dh-param-file /etc/haproxy/dhparam.pem
defaults
log global
mode http
option httplog
option dontlognull
option http-server-close
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http
bind *:80
bind :::80
default_backend default
option forwardfor
http-request add-header X-Forwarded-Proto https if { ssl_fc }
capture request header Host len 32
capture request header User-Agent len 128
bind *:443 ssl crt . alpn h2,http/1.1
bind :::443 ssl crt . alpn h2,http/1.1
redirect scheme https code 302 if !{ ssl_fc }
redirect code 302 location https://wiki.funkfeuer.at/wiki/Services/Organisation/Housing/Temperatur if { path -i -m str / } { hdr(host) -i mqtt.funkfeuer.at }
http-response set-header Strict-Transport-Security max-age=31536000
acl acme_challenge path_beg /.well-known/acme-challenge/
use_backend letsencrypt if acme_challenge
use_backend %[req.hdr(host),lower,map(/etc/haproxy/domain.map,default)]
backend letsencrypt
server letsencrypt localhost:8080 check
backend default
server default localhost:8080 check
listen mqtt
bind *:1883
bind :::1883
bind *:8883 ssl crt .
bind :::8883 ssl crt .
mode tcp
option tcplog
option clitcpka
timeout client 3h
timeout server 3h
server mqtt localhost:9883 check
EOF
# Validate before restarting so a typo does not take the broker offline.
# NOTE(review): the 443/8883 binds need at least one loadable certificate in
# /etc/ssl/private, but on a fresh host dehydrated has not run yet — and it
# needs HAProxy up on :80 for the http-01 challenge. If the check fails for
# lack of a certificate, bootstrap with a temporary self-signed fullchain+key
# pem in that directory and let the hook overwrite it on first issuance.
haproxy -c -f /etc/haproxy/haproxy.cfg && service haproxy restart
# Run as root: with DEHYDRATED_USER set, dehydrated re-executes itself as
# _acme (presumably via the sudo installed earlier — check its output).
# One-time account registration, then the first issuance; the deploy_cert
# hook writes /etc/ssl/private/mqtt.funkfeuer.at.pem.
dehydrated --register --accept-terms
dehydrated -c
# Root's crontab: daily renewal check (dehydrated only renews when the
# certificate approaches expiry), followed three minutes later by a reload,
# because the hook runs as _acme and cannot reload HAProxy itself. The two
# entries appear commented out as pasted here; they must be uncommented in
# the crontab to take effect. A sudoers rule letting _acme run
# "service haproxy reload" would allow the hook to reload immediately.
crontab -e
#34 03 * * * /usr/bin/dehydrated -c >> /var/log/dehydrated.log 2>&1
#37 03 * * * /sbin/service haproxy reload >> /var/log/dehydrated.log 2>&1
Schöne Grüße,
Daniel A. Maierhofer
Schriftführer - FunkFeuer Wien - Verein zur Förderung freier Netze