Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Support for custom path for MQTT over WebSockets #1896

Open
kuolemaaa opened this issue Oct 31, 2024 · 7 comments
Open

[FEATURE] Support for custom path for MQTT over WebSockets #1896

kuolemaaa opened this issue Oct 31, 2024 · 7 comments
Labels
needs-more-info A little more info requested from the submitter

Comments

@kuolemaaa
Copy link

By default Owntracks tries to establish a connection, using MQTT over WS, contacting <hostname>:<port>/mqtt

It would be cool if there is a way to change that path to something else, customized. Even if one should use the editor in the configuration manager.
@ckrey
Copy link
Member

ckrey commented Oct 31, 2024

Note: If we implement this, we will need to do this in the iOS app too.

@ckrey ckrey mentioned this issue Oct 31, 2024
Open
@kuolemaaa
Copy link
Author

I also want to add that I would write something about the path used by Owntracks in the log/debug since it only say
[...] Connecting to ws://<hostname>:<port>?# timeout = 30s when it tries to establish a WS connection using a HTTP GET /mqtt.

I was loosing my mind since I though Owntracks asked for / and not /mqtt, I can get that maybe it is the default behaviour for MQTT over WS but I didn't know that and I am not an expert in those.

[...] Connecting to ws://<hostname>:<port>/mqtt?# timeout = 30s I think is better

for ref:

GET /mqtt HTTP/1.1
Host: ...
Upgrade: websocket
Connection: Upgrade
[...[

@ckrey
Copy link
Member

ckrey commented Oct 31, 2024

@kuolemaaa why do you think you need to modify the path? We try to implement standard behaviour not edge cases.

@kuolemaaa
Copy link
Author

@ckrey I would like to use MQTT over WS over TLS using a secret long path as a security measure when (or better "where") I cannot use mTLS

@jpmens
Copy link
Member

jpmens commented Oct 31, 2024

Security by obscurity ("hiding behind a long path") is never a good idea.

@kuolemaaa
Copy link
Author

nice textbook answer.

In MQTT over WS over TLS I dont think the path is communicated before the TLS channel is correctly established.

I'm trying to obfuscate my endpoint here, not base my entire security stack on it. Endpoint that will be communicated inside a TLS connection, then WS will do its security stuff and MQTT will do its own authentication stuff.

Not so different from using long random strings that we still send through the wire nowadays (passwords, tokens, you name it)

@growse
Copy link
Collaborator

growse commented Oct 31, 2024

nice textbook answer.

What's your threat model? Why is MQTT credentials insufficient, but MQTT credentials + secret path acceptable?

Not so different from using long random strings that we still send through the wire nowadays (passwords, tokens, you name it)

The state of the art is to explicitly not put secrets on the wire.

A VPN feels like a better control if you want to restrict who can SYN to your endpoint.

@growse growse added the needs-more-info A little more info requested from the submitter label Nov 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs-more-info A little more info requested from the submitter
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jpmens @growse @ckrey @kuolemaaa