Traefik Reverse Proxy - Mosquitto MQTT Broker - Docker Container

traefik_tcp_mqtt_mosquitto_docker_compose.md

This gist is to configure a Mosquitto MQTT Broker behind a Traefik reverse-proxy, both in a docker container. Mosquitto will be configuread as a TCP Service.

This is a simple configuration used on the same single server. Probably to be adapted for other cases. Having mosquitto behind a reverse proxy enables you to configure TLS on Traefik (likely you already do that for other applications as well) and to load balance different MQTT instances, but that goes beyond this gist.

As noted in Traefik docs, in the router you must use the rule HostSNI(`*`) when using non-TLS routers like in this example. Ref. https://docs.traefik.io/routing/routers/#rule_1

docker-compose.yml

networks:
  mqtt:
    driver: bridge

services:
  reverse-proxy:
    image: traefik:latest
    container_name: "traefik"
    # Enables the web UI
    command: 
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.mqtt.address=:1883"
      - "--entrypoints.websocket.address=:9001"
    ports:
      # Mosquitto
      - "1883:1883"
      - "9001:9001"
    volumes:
      # So that Traefix can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - mqtt
      
  mqtt:
    container_name: mqtt
    image: eclipse-mosquitto
    networks:
      - mqtt
    restart: always
    expose:
      - 1883
      - 9001
    volumes:
      - "mqtt:/mosquitto/"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=mqtt"
      - "traefik.tcp.services.mqtt.loadbalancer.server.port=1883"
      - "traefik.tcp.services.mqtt_websocket.loadbalancer.server.port=9001"
      - "traefik.tcp.routers.tcpr_mqtt.entrypoints=mqtt"
      - "traefik.tcp.routers.tcpr_mqtt.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.tcpr_mqtt.service=mqtt"
      - "traefik.tcp.routers.tcpr_mqtt_websocket.entrypoints=websocket"
      - "traefik.tcp.routers.tcpr_mqtt_websocket.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.tcpr_mqtt_websocket.service=mqtt_websocket"

version: "3.4"

volumes: 
  mqtt: ~

You should not expose the ports(in docker) if you want traefik to handle the routing. Exposing the ports binds them to the IP of the host, hence you will be able to access it even without traefik.

That’s not true, expose does not open up the ports on the host, it’s only metadata, See https://docs.docker.com/engine/reference/builder/#expose

+1

expose does not open the ports to the host and additionally it can be useful to Traefik.

Traefik relies on this metadata to do port discovery if you don't specify it yourself in Traefik config.
See https://doc.traefik.io/traefik/providers/docker/#port-detection

---

Alternatively, if the meaning here is that you don't need to publish the ports to the host with the ports option in the docker-compose.yml then that is very true. You can let Traefik handle all of the routing. Perhaps by "expose" you did not mean expose. Just leaving this here for disambiguation.

May I ask why you would like to configure the mqtt behind traefik? If I get it right, it only makes a difference when you have multiple instance of mqtt or the mqtt server is on another host.

The goal is to easily setup SSL certificates via Let’s Encrypt. It’s very useful when you’re trying to secure multiple services and don’t want to configure SSL for every service individually.

The goal is to easily setup SSL certificates via Let’s Encrypt. It’s very useful when you’re trying to secure multiple services and don’t want to configure SSL for every service individually.

I see. Thanks!

https://github.com/synoniem/mosquitto-traefik-letsencrypt/blob/main/docker-compose.yml worked well for me with all traffic going through TLS via Traefik and to insecure ports on Mosquitto.