DEV Community

Cover image for MQTT policy enforcement with Pipy
Ali Naqvi for Flomesh

Posted on

MQTT policy enforcement with Pipy

If you play in the IoT space, you may have heard of the MQTT. MQTT is an OASIS standard messaging protocol for the Internet of Things (IoT) that is becoming the defacto standard and is already in use in a wide variety of industries like automotive, manufacturing, telecommunications, oil, and gas.

The Internet of Things (IoT) can be loosely defined as a system of sensors and other devices interacting with industry systems all to enhance business operations. Industries like manufacturing, automotive, telecommunication, and oil & gas to name just a few, deploy massive numbers of sensors. These sensors in turn send critical telemetry data to analytics engines, where the data is analyzed for trends and/or anomalies, enabling organizations to better understand and improve their operations.

Although IoT contributes many novel applications to our daily life, one of its main concerns refers to IoT device security. Recent cyber-security incidents exposed the security pitfalls and vulnerabilities in IoT devices.

The purpose of this tutorial is to demonstrate how to enforce custom policies on devices communicating via MQTT by using Pipy as a MITM that sits between MQTT Providers & Consumers and MQTT servers (previously known as brokers).

Pipy is an open-source, lightweight, high-performance, programmable network proxy for cloud, edge, and IoT. Pipy versatile nature allows it to be used in a variety of use-cases ranging from (but not limited to) edge routers, load balancers & proxy solutions, API gateways, static HTTP servers, service mesh sidecars, admission controllers, policy engines, and other applications.

Pipy comes with built-in support for MQTT protocol versions 5.0 and 3.1.1 (aka version 4).

Having Pipy in the middle allows us to perform authentication, and authorization, applying rules like content validation, content replacement, allowing/denying consumers subscribing to particular topics, invoking business rules validations either inside Pipy or invoking already existing business domain services, etc. This list of policies and rules can be adapted or modified per your business case.

For demonstration purposes and simplicity's sake, we will be defining some simple rules in JSON format and have them applied at Pipy proxy, working with a single MQTT server, which won't be dealing with TLS support. But for more complex rules and/or policies you can expand the rules, and policies and update the Pipy script or integrate them with your existing systems. Pipy comes with built-in support for load balancing, routing, TLS termination/offloading, and much more. For more details and step-by-step tutorials, please refer to Pipy's Website.

Demo code is accompanied by a Docker Compose file which configures:

  • Eclipse Mosquitto as MQTT server
  • Pipy proxy
  • Expose MQTT port 1883 and Pipy Admin GUI port 6060

Sample policy and rules are defined in policy.json where we define 4 test accounts and some rules on which clients are allowed to subscribe/publish to which topics. Pipy proxy script will read this configuration file and enforce them before routing traffic to the upstream MQTT server. Refer to Publisher workflow and Subscriber workflow.

Source code is made available and can be downloaded from Github repository pipy-mqtt-policy-engine

Below diagrams details the architecture and flows between the various components:

Architecture Overview

Architecture Overview

Publisher workflow

Publisher workflow

Subscriber workflow

Subscriber workflow

Running the Demo Project

First, download the tutorial code and initialize the components by calling Docker Compose:

$ git clone https://github.com/flomesh-io/pipy-demos.git
$ cd pipy-mqtt-policy-engine
$ sudo docker-compose up -d
Enter fullscreen mode Exit fullscreen mode

This brings up a complete environment, including the Pipy, Eclipse Mosquitto MQTT server. Feel free to adjust the docker-compose.yaml or pipy/config/policy.json according to your specific needs.

For viewing Pipy proxy scripts, statistics, and other demos you can open Pipy GUI admin console by pointing your browser to http://localhost:6060.

Pipy Admin Panel GUI

Testing

You can use the MQTT client of your choice which supports MQTT protocol version either 5.0 or 3.1.1 (aka 4). If you don't have any choice then you try an all-round MQTT client MQTT Explorer.

Conclusion

This tutorial showed how you can leverage Pipy to enforce custom policies and rules without requiring any change in IoT devices and MQTT server.

Pipy from Flomesh is an open-source, extremely fast, and lightweight network traffic processor which can be used in a variety of use cases ranging from edge routers, load balancing & proxying (forward/reverse), API gateways, Static HTTP Servers, Service mesh sidecars, , admission controller, policy engine and other applications. Pipy is in active development and maintained by full-time committers and contributors, though still an early version, it has been battle-tested and in production use by several commercial clients.

Top comments (0)