Skip to main content

🔒 Security

By default, NATS allows anyone to publish and subscribe to its topics, this is unsecure, especially if your server is exposed to internet. If you configure authentication, you should consider enabling TLS to make your communications encrypted.

NATS authorizations

To deny unauthorized access, NATS supports authentication. You can create a user for each monitoring agent, you simply need to add it the authorization block of the NATS configuration with the right permissions to allow it to only publish to a single topic. See NATS authorization documentation for more details.

For instance, with two agents on the servers, server1.example.com and server2.example.com, the authorizations should look like this:

authorization {
# Allow the ingestor to listen on the MQTT topic "v1/agent/+/data".
# https://docs.nats.io/running-a-nats-service/configuration/mqtt#mqtt-topics-and-nats-subjects
# We also allow need to allow "$MQTT.sub.>" because NATS uses this topic to store subscriptions.
# https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config#special-permissions
ingestor_perms = {
subscribe = ["v1.agent.*.data", "$MQTT.sub.>"]
}

# Glouton publishes its metrics to the `v1/agent/fqdn/data` topic, with "fqdn" replaced by the host FQDN.
# '.' are replaced by ',' in the FQDN because NATS doesn't support '.' in MQTT topics.
# On Linux, you can get your FQDN with "hostname -f".
server1_perms = {
publish = ["v1.agent.server1,example,com.data"]
}

server2_perms = {
publish = ["v1.agent.server2,example,com.data"]
}

users = [
{user: ingestor, password: passw0rd, permissions: $ingestor_perms, allowed_connection_types: ["MQTT"]}
{user: server1, password: passw0rd, permissions: $server1_perms, allowed_connection_types: ["MQTT"]}
{user: server2, password: passw0rd, permissions: $server1_perms, allowed_connection_types: ["MQTT"]}
]
}

To connect your agent to NATS with authentication configured, you need to provide the agent your MQTT credentials. You can do this by adding the following to your agent configuration:

mqtt:
username: server1
password: passw0rd

TLS

See NATS TLS documentation to configure NATS to encrypt all communications.

Glouton

Glouton needs to be configured to enable SSL on MQTT. See the agent configuration for details.

The following configuration enables SSL on MQTT with a certificate authority:

mqtt:
ssl: true
ca_file: "/path/to/ca.pem"

SquirrelDB Ingestor

TLS can be enabled on SquirrelDB Ingestor with an URL beginning with ssl:// in the flag --mqtt-broker-url, see the MQTT configuration for details.