diff --git a/docs/source/user/public-services-setup.rst b/docs/source/user/public-services-setup.rst index e4092c60c..f36c06652 100644 --- a/docs/source/user/public-services-setup.rst +++ b/docs/source/user/public-services-setup.rst @@ -24,7 +24,7 @@ Please ensure that you follow these best practices to ensure your wis2box-instan The wis2box development team is not responsible for the security of your wis2box-instance and it is your responsibility to ensure that your wis2box instance is secure. -GitHub issues and discussions provide a resourece and forum to discuss general wis2box features, bugs and updates. For specific security related questions, please write to ``wis2-support at wmo.int``. +GitHub issues and discussions provide a resource and forum to discuss general wis2box features, bugs and updates. For specific security related questions, please write to ``wis2-support at wmo.int``. web-proxy (nginx) ^^^^^^^^^^^^^^^^^ @@ -39,6 +39,7 @@ wis2box runs a local nginx container allowing access to the following HTTP based UI (wis2box-ui),`WIS2BOX_URL/` Storage (incoming data) (minio:wis2box-incoming),`WIS2BOX_URL/wis2box-incoming` Storage (public data) (minio:wis2box-public),`WIS2BOX_URL/data` + Websockets (WIS2-notifications),`WIS2BOX_URL/mqtt` You can edit ``nginx/nginx.conf`` to control which services are exposed through the nginx-container include in your stack. 
@@ -142,6 +143,19 @@ By exposing port 1883 on your host, the Global Broker will be able to subscribe The ``everyone`` user is defined by default for public readonly access (``origin/#``) as per WIS2 Node requirements. +When you add SSL to your wis2box instance, the internal MQTT broker will be accessible on port 8883 on the host running wis2box using the MQTT over SSL protocol (MQTTS). + +The mosquitto-service within wis2box also has websockets enabled and is proxied on '/mqtt' by the nginx container. + +The broker-address for the Global Broker to subscribe to WIS2 notifications using the mosquitto-service within wis2box is: + +- `mqtt://everyone:everyone@WIS2BOX_HOST:1883` - for MQTT without SSL +- `mqtts://everyone:everyone@WIS2BOX_HOST:8883` - for MQTT with SSL +- `ws://everyone:everyone@WIS2BOX_HOST/mqtt:80` - for MQTT over websockets without SSL +- `wss://everyone:everyone@WIS2BOX_HOST/mqtt:443` - for MQTT over websockets with SSL + +Where ``WIS2BOX_HOST`` is the hostname or IP address of the host running wis2box. + External broker --------------- diff --git a/nginx/nginx-ssl.conf b/nginx/nginx-ssl.conf index 81a38d16d..7d5017f76 100644 --- a/nginx/nginx-ssl.conf +++ b/nginx/nginx-ssl.conf @@ -77,6 +77,13 @@ auth_basic_user_file /etc/nginx/.htpasswd/webapp; proxy_pass http://wis2box-webapp:4173/wis2box-webapp/; } + location /mqtt { + proxy_pass http://mosquitto:8884; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + } location /auth { internal; proxy_pass http://wis2box-auth:80/authorize; diff --git a/nginx/nginx.conf b/nginx/nginx.conf index fd19673f7..8a975ca61 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf 
@@ -83,6 +83,13 @@ proxy_set_header Authorization $http_authorization; proxy_pass_header Authorization; } + location /mqtt { + proxy_pass http://mosquitto:8884; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + } location / { proxy_pass http://wis2box-ui:80; }
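Review bot: In the first docs hunk the unchanged sentence right after the new table row, "the nginx-container include in your stack", should read "included in your stack"; worth fixing while this paragraph is being touched. The new row `Websockets (WIS2-notifications),`WIS2BOX_URL/mqtt`` matches the `location /mqtt` blocks added to both nginx configs, but it would help operators who trim `nginx/nginx.conf` to say that `/mqtt` is a WebSocket upgrade endpoint for broker subscriptions rather than a browsable HTTP page, so they understand what removing it disables.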
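Review bot: The two WebSocket URLs in the second docs hunk place the port after the path: `ws://everyone:everyone@WIS2BOX_HOST/mqtt:80` and `wss://everyone:everyone@WIS2BOX_HOST/mqtt:443`. In a URL the port is part of the authority and precedes the path, so these should read `ws://everyone:everyone@WIS2BOX_HOST:80/mqtt` and `wss://everyone:everyone@WIS2BOX_HOST:443/mqtt`; as written, a client would connect to `WIS2BOX_HOST` on the scheme's default port and request the path `/mqtt:80`, which nginx will not route to the broker. Two smaller points: "proxied on '/mqtt'" uses single quotes where the rest of the page uses double backticks for literals, and since the `mqtt://` and `ws://` forms send the `everyone` credentials in clear, the paragraph should point operators to the `mqtts://` and `wss://` forms once SSL is enabled, consistent with the new sentence about port 8883.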
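Review bot: The `location /mqtt` block added to `nginx/nginx-ssl.conf` inherits nginx's default `proxy_read_timeout` of 60 seconds, which is shorter than many MQTT keepalive intervals, so an idle WebSocket subscriber such as the Global Broker will be disconnected by nginx before the broker sees any problem. Add `proxy_read_timeout 3600s;` and `proxy_send_timeout 3600s;` (or any value comfortably above the broker keepalive) inside the block. It would also help broker-side logging and auditing to pass the client address with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Real-IP $remote_addr;`, since otherwise every WebSocket connection appears to originate from the nginx container. Finally, `proxy_pass http://mosquitto:8884;` assumes a mosquitto listener on port 8884 with `protocol websockets`; that listener is not part of this diff, so please confirm it exists in the mosquitto configuration, and that 8884 is reachable only on the internal compose network and not published on the host, so the proxied path stays the single entry point.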
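Review bot: The `location /mqtt` block added to `nginx/nginx.conf` is identical to the one added to `nginx/nginx-ssl.conf`, so the same timeout and forwarded-header points apply here, and two copies will drift the first time one of them is tuned. Consider moving the block into a shared snippet (for example `nginx/mqtt-location.conf`) and pulling it into both server blocks with `include`. Note also that this file is the non-SSL configuration, so the `/mqtt` endpoint here only serves `ws://`; the `wss://` form documented in the first file is only available when `nginx-ssl.conf` is in use, which the docs should make explicit.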