# 🔒 Security

Bleemeo Community Edition can encrypt and authenticate every message that transits over the network, so the monitoring pipeline itself is not an attack surface. By default, NATS lets anyone publish and subscribe to its topics; this is insecure, especially if your server is exposed to the internet. Once you configure authentication, you should also enable TLS so that credentials and metrics are encrypted in transit.
## NATS authorizations

To deny unauthorized access, NATS supports authentication. Create one user per monitoring agent by adding it to the `authorization` block of the NATS configuration, with permissions that allow it to publish only to its own topic. See the [NATS authorization documentation](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/authorization) for more details.

For instance, with two agents on the servers `server1.example.com` and `server2.example.com`, the authorizations should look like this:
```conf
authorization {
  # Allow the ingestor to listen on the MQTT topic "v1/agent/+/data".
  # https://docs.nats.io/running-a-nats-service/configuration/mqtt#mqtt-topics-and-nats-subjects
  # We also need to allow "$MQTT.sub.>" because NATS uses this subject to store MQTT subscriptions.
  # https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config#special-permissions
  ingestor_perms = {
    subscribe = ["v1.agent.*.data", "$MQTT.sub.>"]
  }

  # Glouton publishes its metrics to the `v1/agent/fqdn/data` topic, with "fqdn" replaced by the host FQDN.
  # '.' are replaced by ',' in the FQDN because NATS doesn't support '.' in MQTT topics.
  # On Linux, you can get your FQDN with "hostname -f".
  server1_perms = {
    publish = ["v1.agent.server1,example,com.data"]
  }
  server2_perms = {
    publish = ["v1.agent.server2,example,com.data"]
  }

  # Each agent user references its own permission set, so one agent cannot publish as another.
  users = [
    {user: ingestor, password: passw0rd, permissions: $ingestor_perms, allowed_connection_types: ["MQTT"]}
    {user: server1, password: passw0rd, permissions: $server1_perms, allowed_connection_types: ["MQTT"]}
    {user: server2, password: passw0rd, permissions: $server2_perms, allowed_connection_types: ["MQTT"]}
  ]
}
```
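Writing one permission set per agent by hand invites exactly the slip shown above where a user line points at another host's `*_perms` variable. The following added example (not Bleemeo or NATS project code) generates the `authorization` block from a list of agents using the subject layout described on this page, and includes a small lint that flags any agent user whose `permissions:` reference does not match its own name. The `render_authorization` and `find_shared_permissions` functions and the `SAMPLE_WITH_SLIP` text are assumptions of this example; the subject format `v1.agent.<fqdn>.data` with `.` replaced by `,` is taken from the page.

```python
"""Generate and lint a NATS authorization block for Glouton agents.

Added example, not Bleemeo or NATS project code. It assumes the subject
layout shown on this page: each agent publishes to the MQTT topic
"v1/agent/<fqdn>/data", which NATS maps to the subject
"v1.agent.<fqdn>.data", with '.' in the FQDN replaced by ','.
"""
import re

# Subjects the ingestor needs; "$MQTT.sub.>" is where NATS stores MQTT subscriptions.
INGESTOR_SUBSCRIBE = ["v1.agent.*.data", "$MQTT.sub.>"]


def fqdn_token(fqdn: str) -> str:
    """Encode an FQDN as one NATS subject token ('.' -> ',')."""
    fqdn = fqdn.strip().lower().rstrip(".")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*", fqdn):
        raise ValueError(f"invalid FQDN: {fqdn!r}")
    return fqdn.replace(".", ",")


def agent_subject(fqdn: str) -> str:
    """NATS subject the agent running on `fqdn` may publish to."""
    return f"v1.agent.{fqdn_token(fqdn)}.data"


def agent_mqtt_topic(fqdn: str) -> str:
    """The same destination as seen from the MQTT side."""
    return f"v1/agent/{fqdn_token(fqdn)}/data"


def render_authorization(agents: dict[str, str], passwords: dict[str, str]) -> str:
    """Render an `authorization { ... }` block.

    `agents` maps NATS user name -> host FQDN; `passwords` maps user name ->
    password and must also contain the "ingestor" entry. Every agent gets a
    permission variable named after itself, so no two users share one.
    """
    lines = ["authorization {", "  ingestor_perms = {"]
    lines.append("    subscribe = [" + ", ".join(f'"{s}"' for s in INGESTOR_SUBSCRIBE) + "]")
    lines.append("  }")
    for user, fqdn in agents.items():
        if not re.fullmatch(r"[A-Za-z0-9_]+", user):
            raise ValueError(f"user name must be a plain identifier: {user!r}")
        lines.append(f"  {user}_perms = {{")
        lines.append(f'    publish = ["{agent_subject(fqdn)}"]')
        lines.append("  }")
    lines.append("  users = [")
    for user in ["ingestor", *agents]:
        lines.append(
            f'    {{user: {user}, password: "{passwords[user]}", '
            f'permissions: ${user}_perms, allowed_connection_types: ["MQTT"]}}'
        )
    lines.append("  ]")
    lines.append("}")
    return "\n".join(lines) + "\n"


# Matches one user entry and captures the user name and the referenced permission variable.
USER_RE = re.compile(r"\{\s*user:\s*(\w+)\s*,[^}]*?permissions:\s*\$(\w+)")


def find_shared_permissions(conf: str) -> list[tuple[str, str]]:
    """Return (user, permission variable) pairs where a user references a
    permission set not named after itself, the copy-paste slip that would
    let one agent publish on another agent's subject."""
    return [(user, var) for user, var in USER_RE.findall(conf) if var != f"{user}_perms"]


# Constructed sample: the page's user list with the server2 line pointing at server1_perms.
SAMPLE_WITH_SLIP = """
authorization {
  users = [
    {user: ingestor, password: passw0rd, permissions: $ingestor_perms, allowed_connection_types: ["MQTT"]}
    {user: server1, password: passw0rd, permissions: $server1_perms, allowed_connection_types: ["MQTT"]}
    {user: server2, password: passw0rd, permissions: $server1_perms, allowed_connection_types: ["MQTT"]}
  ]
}
"""

if __name__ == "__main__":
    print(find_shared_permissions(SAMPLE_WITH_SLIP))
    print(render_authorization(
        {"server1": "server1.example.com", "server2": "server2.example.com"},
        {"ingestor": "change-me", "server1": "change-me", "server2": "change-me"},
    ))
```

Run the lint against your real `nats.conf` after every change: an empty list means each agent user is bound to the permission set that carries its name, which, combined with a single-subject `publish` list, keeps every agent limited to its own topic.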
To connect your agent to NATS once authentication is configured, you need to give the agent its MQTT credentials. Add the following to your agent configuration:

```yaml
mqtt:
  username: server1
  password: passw0rd
```
## TLS

See the [NATS TLS documentation](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) to configure NATS to encrypt all communications.

### Glouton

Glouton needs to be configured to enable SSL on MQTT. See the agent configuration for details. The following configuration enables SSL on MQTT with a certificate authority:

```yaml
mqtt:
  ssl: true
  ca_file: "/path/to/ca.pem"
```
### SquirrelDB Ingestor

TLS can be enabled on SquirrelDB Ingestor by giving the `--mqtt-broker-url` flag a URL beginning with `ssl://`; see the MQTT configuration for details.