Configuring SSL offloading for MQTT

You can implement SSL offloading for a user protocol by adding a second instance of that protocol whose transport is SSL. The example below shows how to do this for MQTT. With this configuration the Citrix ADC appliance terminates the client's TLS session; the traffic it forwards to the backend services is unencrypted, so the path between the appliance and the backends must be trusted.

Note: This example does not provide details related to adding or updating a certificate-key pair and binding it to a virtual server. For those details, see SSL certificates.

The following commands import mqtt.lua as an extension and add the MQTT_SSL user protocol with the transport value "SSL." Note that the extension is Lua code that executes on the appliance, so it should be imported only from a source you control.

import extension http://10.217.24.48/extensions/mqtt.lua mqtt_code
add user protocol MQTT_SSL -transport SSL -extension mqtt_code

The following commands add two backend services, a user load balancing virtual server, and bind the services to it. The services use the USER_TCP protocol because the appliance talks to them in cleartext.

add service mqtt_svr1 10.217.24.48 USER_TCP 1501
add service mqtt_svr2 10.217.24.48 USER_TCP 1502
add lb vserver mqtt_lb USER_TCP -lbMethod ROUNDROBIN
bind lb vserver mqtt_lb mqtt_svr1
bind lb vserver mqtt_lb mqtt_svr2

The following command adds a user virtual server for the newly added protocol MQTT_SSL. Because MQTT_SSL was configured with SSL transport, the Citrix ADC appliance performs SSL offloading on this virtual server. The -defaultLb parameter points it at the load balancing virtual server configured in the previous step.

add user vserver mqtt_vs MQTT_SSL 10.217.24.28 8765 -defaultLb mqtt_lb

For SSL offloading to work, you must also enable the SSL feature and bind a certificate-key pair to the user virtual server; without a bound certkey the virtual server cannot complete a TLS handshake. For more information, see the following topics:

Add or update a certificate-key pair

Bind the certificate-key pair to the SSL virtual server

Example:

enable ns feature SSL
add SSL certKey mqtt_svr_cert_key -cert server1.cert -key server1.key
bind ssl vserver mqtt_vs -certkeyName mqtt_svr_cert_key
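Once the configuration above is in place, the quickest way to confirm that the appliance is really terminating TLS and passing MQTT through to the backends is to open an MQTT 3.1.1 session against the user virtual server over TLS and against one backend service over plain TCP, and compare the CONNACK return codes. The probe below is an added example written for this page; it is not part of the Citrix documentation or of mqtt.lua. It assumes the addresses and ports from the commands above (10.217.24.28:8765 for mqtt_vs and 10.217.24.48:1501 for mqtt_svr1), that both are reachable from where it runs, and that the certificate bound to mqtt_vs chains to a CA the client trusts; the client ID "offload-probe" is an arbitrary constructed value.

```python
"""
Probe an MQTT listener over TLS (the MQTT_SSL user vserver) and over plain TCP
(a backend service) with a minimal MQTT 3.1.1 CONNECT and report the CONNACK.
"""
import socket
import ssl
import struct

# Constructed defaults taken from the configuration above; assumptions for
# illustration, replace them for a real probe.
VSERVER = ("10.217.24.28", 8765)   # mqtt_vs: TLS terminates on the appliance
BACKEND = ("10.217.24.48", 1501)   # mqtt_svr1: reached in cleartext

CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit = continuation."""
    if n < 0 or n > 268_435_455:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        digit = n % 128
        n //= 128
        if n > 0:
            digit |= 0x80
        out.append(digit)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, keep_alive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet with clean session and no credentials."""
    var_header = (
        struct.pack("!H", 4) + b"MQTT"   # protocol name, length-prefixed
        + b"\x04"                        # protocol level 4 = MQTT 3.1.1
        + b"\x02"                        # connect flags: clean session only
        + struct.pack("!H", keep_alive)  # keep alive in seconds
    )
    cid = client_id.encode("utf-8")
    payload = struct.pack("!H", len(cid)) + cid
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connack(pkt: bytes) -> tuple:
    """Return (session_present, return_code) from a CONNACK packet, or raise."""
    if len(pkt) < 4 or pkt[0] != 0x20 or pkt[1] != 0x02:
        raise ValueError(f"not a CONNACK: {pkt.hex()}")
    return bool(pkt[2] & 0x01), pkt[3]


def probe(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> tuple:
    """Open TCP (optionally wrapped in TLS), send CONNECT, return parsed CONNACK."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = raw
    if use_tls:
        # Certificate verification stays on: a self-signed server1.cert will
        # fail here unless its issuer is added with ctx.load_verify_locations().
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(raw, server_hostname=host)
    try:
        sock.sendall(build_connect("offload-probe"))
        return parse_connack(sock.recv(4))
    finally:
        sock.close()


if __name__ == "__main__":
    targets = (("vserver", VSERVER, True), ("backend", BACKEND, False))
    for label, (host, port), tls in targets:
        try:
            present, code = probe(host, port, tls)
            print(f"{label} {host}:{port} tls={tls}: {CONNACK_CODES.get(code, code)}")
        except (OSError, ValueError) as exc:
            print(f"{label} {host}:{port} tls={tls}: {exc}")
```

A "connection accepted" from the TLS probe against mqtt_vs together with a matching reply from the cleartext probe against mqtt_svr1 confirms the offload path end to end. The second result is also the reminder the first paragraph gives: anyone on the network segment between the appliance and the backends sees the same MQTT traffic the probe sent, with no TLS in the way.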