This gist configures a Mosquitto MQTT broker behind a Traefik reverse proxy, each running in a Docker container. Mosquitto is configured as a Traefik TCP service.
This is a simple configuration in which both run on the same single server; it will probably need adapting for other cases. Putting Mosquitto behind a reverse proxy lets you configure TLS on Traefik (which you likely already do for other applications) and load-balance across different MQTT instances, but that goes beyond this gist.
As noted in the Traefik docs, a non-TLS TCP router like the ones in this example must use the rule HostSNI(`*`). The routers here do not terminate TLS, so MQTT traffic on 1883 and 9001 is carried in plaintext. Ref. https://docs.traefik.io/routing/routers/#rule_1
docker-compose.yml
```yaml
networks:
  mqtt:
    driver: bridge
services:
  reverse-proxy:
    image: traefik:latest
    container_name: "traefik"
    # Static configuration: Docker provider plus one TCP entrypoint per Mosquitto listener
    command:
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.mqtt.address=:1883"
      - "--entrypoints.websocket.address=:9001"
    ports:
      # Mosquitto
      - "1883:1883"
      - "9001:9001"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - mqtt
  mqtt:
    container_name: mqtt
    image: eclipse-mosquitto
    networks:
      - mqtt
    restart: always
    expose:
      - 1883
      - 9001
    volumes:
      - "mqtt:/mosquitto/"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=mqtt"
      - "traefik.tcp.services.mqtt.loadbalancer.server.port=1883"
      - "traefik.tcp.services.mqtt_websocket.loadbalancer.server.port=9001"
      - "traefik.tcp.routers.tcpr_mqtt.entrypoints=mqtt"
      - "traefik.tcp.routers.tcpr_mqtt.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.tcpr_mqtt.service=mqtt"
      - "traefik.tcp.routers.tcpr_mqtt_websocket.entrypoints=websocket"
      - "traefik.tcp.routers.tcpr_mqtt_websocket.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.tcpr_mqtt_websocket.service=mqtt_websocket"
version: "3.4"
volumes:
  mqtt: ~
```
+1
`expose` does not open the ports to the host and additionally it can be useful to Traefik. Traefik relies on this metadata to do port discovery if you don't specify it yourself in Traefik config.
See https://doc.traefik.io/traefik/providers/docker/#port-detection
Alternatively, if the meaning here is that you don't need to publish the ports to the host with the `ports` option in the `docker-compose.yml` then that is very true. You can let Traefik handle all of the routing. Perhaps by "expose" you did not mean `expose`. Just leaving this here for disambiguation.