Skip to main content

🔒 Security

By default, NATS allows anyone to publish and subscribe to its topics, this is unsecure, especially if your server is exposed to internet. If you configure authentication, you should consider enabling TLS to make your communications encrypted.

NATS authorizations​

To deny unauthorized access, NATS supports authentication. You can create a user for each monitoring agent, you simply need to add it the authorization block of the NATS configuration with the right permissions to allow it to only publish to a single topic. See NATS authorization documentation for more details.

For instance, with two agents on the servers, server1.example.com and server2.example.com, the authorizations should look like this:

authorization {
    # Allow the ingestor to listen on the MQTT topic "v1/agent/+/data".
    # https://docs.nats.io/running-a-nats-service/configuration/mqtt#mqtt-topics-and-nats-subjects
    # We also allow need to allow "$MQTT.sub.>" because NATS uses this topic to store subscriptions.
    # https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config#special-permissions
    ingestor_perms = {
        subscribe = ["v1.agent.*.data", "$MQTT.sub.>"]
    }

    # Glouton publishes its metrics to the `v1/agent/fqdn/data` topic, with "fqdn" replaced by the host FQDN.
    # '.' are replaced by ',' in the FQDN because NATS doesn't support '.' in MQTT topics.
    # On Linux, you can get your FQDN with "hostname -f".
    server1_perms = {
        publish = ["v1.agent.server1,example,com.data"]
    }

    server2_perms = {
        publish = ["v1.agent.server2,example,com.data"]
    }

    users = [
        {user: ingestor, password: passw0rd, permissions: $ingestor_perms, allowed_connection_types: ["MQTT"]}
        {user: server1, password: passw0rd, permissions: $server1_perms, allowed_connection_types: ["MQTT"]}
        {user: server2, password: passw0rd, permissions: $server1_perms, allowed_connection_types: ["MQTT"]}
    ]
}

To connect your agent to NATS with authentication configured, you need to provide the agent your MQTT credentials. You can do this by adding the following to your agent configuration:

mqtt:
  username: server1
  password: passw0rd

TLS​

See NATS TLS documentation to configure NATS to encrypt all communications.

Glouton​

Glouton needs to be configured to enable SSL on MQTT. See the agent configuration for details.

The following configuration enables SSL on MQTT with a certificate authority:

mqtt:
  ssl: true
  ca_file: "/path/to/ca.pem"

SquirrelDB Ingestor​

TLS can be enabled on SquirrelDB Ingestor with an URL beginning with ssl:// in the flag --mqtt-broker-url, see the MQTT configuration for details.