Description
Because of the importance of the MQTT broker for the delivery of messages, the broker is implemented in a redundant setup, with a cluster of four EMQ nodes, each on a separate server running Linux. The EMQ nodes route messages internally based on the subscriptions of their respective clients. The connections to the EMQ nodes are load balanced (round robin) by the load-balancing software haproxy. There is an instance of haproxy on each of the servers, in an active/passive configuration. Each haproxy instance is able to route clients to the EMQ nodes at any time; however, only one of the servers holds the shared IP addresses, so the secondary and tertiary haproxy instances are in a passive state. A third program, keepalived, monitors the status of the haproxy instances. If keepalived determines that haproxy on the primary server is not functioning, it assigns the shared IP addresses to the secondary server, and from that moment on connecting clients are served by the haproxy instance on the secondary server. If the secondary server fails, the tertiary haproxy instance becomes the active one.
The broker can be reached from each network on the hostname felixbroker. That name will resolve, depending on the source network, to one of these FQDNs:
The broker can also be reached from the HFML network (vLAN 36)
- hfmlbroker.science.ru.nl
The default MQTT port number is 1883. Encrypted connections are also available with TLS/SSL on port 8883. Note that in order to set up an encrypted connection, you have to use one of the FQDNs, since internal hostnames are no longer allowed in publicly trusted certificates[1].
NOTE: SSL is currently off. VIC 2024/08/28
Administration
You can access the administrative interface from the Machine network. The required credentials can be found in KeePass.
Access Control List
To protect the subsystems, an ACL (access control list) has been installed, with the following rules for now:
- anyone can subscribe to any topic from any network.
- anyone can publish to any topic from the machine network.
- selected topics can be published to from the user network and office network (see section below).
- anyone can publish to the test/# branch.
- other topics that need to be published from user/machine networks can be requested from Victor.
User network
The following topics can be published from the user network in order to control FELIX.
| topic | description | subsystem (for more info) |
|---|---|---|
| FELIX/powermeter/measure_request/command | request powermeter measurement | Powermeter |
| FELIX/attenuator/value/set | set FELIX attenuation (in dB) | Attenuator |
| FELIX/attenuator/mode/set | which attenuator will be used | Attenuator |
| FELIX/undulator/wavelength/set | set undulator wavelength | Undulator |
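
The ACL rules and the user-network topic table above can be modelled as a small default-deny check, which is handy for testing a rule change before it goes onto the broker. This is an added example, not the broker's own configuration: the network ranges are constructed placeholders, the function names are hypothetical, and the office network's topic list is not given on this page, so it is left out.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation nets); the real
# network ranges are not given on this page.
NETWORKS = {
    "machine": ipaddress.ip_network("192.0.2.0/24"),
    "user": ipaddress.ip_network("198.51.100.0/24"),
}

# Publish allow-list per network. "#" = every topic (machine network rule).
# The user-network entries are the four rows of the table above.
PUBLISH_ALLOW = {
    "machine": ["#"],
    "user": [
        "FELIX/powermeter/measure_request/command",
        "FELIX/attenuator/value/set",
        "FELIX/attenuator/mode/set",
        "FELIX/undulator/wavelength/set",
    ],
}
PUBLISH_ANYWHERE = ["test/#"]  # rule: anyone can publish to the test/# branch

def filter_matches(topic_filter, topic):
    """MQTT filter match: '+' is one level, '#' is the rest (incl. parent)."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def network_of(client_ip):
    """Map a client address to a network name, or 'other' if unknown."""
    addr = ipaddress.ip_address(client_ip)
    return next((n for n, net in NETWORKS.items() if addr in net), "other")

def is_allowed(client_ip, action, topic):
    """Evaluate the rules; subscribe is open, publish is default-deny."""
    if action == "subscribe":
        return True  # rule: anyone can subscribe to any topic
    if action != "publish":
        return False
    # A published topic name must not contain wildcards (MQTT spec).
    if "+" in topic or "#" in topic:
        return False
    filters = PUBLISH_ANYWHERE + PUBLISH_ALLOW.get(network_of(client_ip), [])
    return any(filter_matches(f, topic) for f in filters)
```

Exact-match entries such as `FELIX/attenuator/value/set` do not cover deeper or shallower topics, so a publish to a sibling or child topic from the user network falls through to deny.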