RabbitMQ + Mqtt in reverse proxy secured by SSL/TLS

[vitusan]

This is a simple guide for those trying to replicate the traefik + letsencrypt pattern as a reverse proxy for IoT services like RabbitMQ or Mosquitto.

I had lots of weird problems when implementing the available docker-compose files that come as default with both Mosquitto or RabbitMQ. The main issue is that while i could make them work by exposing the ports of the machine directly in the services, i lost the ability to replicate this method, for the ports where occupied by a single service and that limited the environments i could create (dev/staging/prod) to basically one of those.

The real catch here is to bind the ports to traefik and let it generate ssl certificates for the domains and route the inbound traffic through the service's unsecured ports (less manual configuration). To achieve this we need to modify both the proxy configuration in the server menu and the service's compose file. So let's begin.

I'm using a wildcard domain here, so i won't be covering this for there's a tutorial already available at coolify's docs.

You should modify your traefik proxy config file to look like this (modifications made from the original are highlighted by arrows):

networks:
  coolify:
    external: true
services:
  traefik:
    container_name: coolify-proxy
    image: 'traefik:v3.1'
    restart: unless-stopped
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    networks:
      - coolify
    ports:
      - '80:80'
      - '443:443'
      - '5672:5672'   <--- This is the amqp port. Traefik will now take care of it
      - '8080:8080'
      - '8883:8883'   <--- This is the mqtts port. Traefik will now take care of it
    healthcheck:
      test: 'wget -qO- http://localhost:80/ping || exit 1'
      interval: 4s
      timeout: 2s
      retries: 5
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '/data/coolify/proxy:/traefik'
    command:
      - '--ping=true'
      - '--ping.entrypoint=http'
      - '--api.dashboard=true'
      - '--api.insecure=false'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      - '--entrypoints.amqp.address=:5672/tcp'   <--- This tells traefik to listen to tcp calls on this port (the /tcp is important here to distinguish from http calls)
      - '--entrypoints.mqtts.address=:8883/tcp'   <--- This tells traefik to listen to tcp calls on this port (the /tcp is important here to distinguish from http calls)
      - '--entrypoints.http.http.encodequerysemicolons=true'
      - '--entryPoints.http.http2.maxConcurrentStreams=50'
      - '--entrypoints.https.http.encodequerysemicolons=true'
      - '--entryPoints.https.http2.maxConcurrentStreams=50'
      - '--providers.docker.exposedbydefault=false'
      - '--providers.file.directory=/traefik/dynamic/'
      - '--providers.file.watch=true'
      - '--certificatesresolvers.letsencrypt.acme.httpchallenge=true'
      - '--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json'
      - '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http'
      - '--providers.docker=true'
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - coolify.managed=true

Okay, this is it for the traefik compose. Now to the service's compose (i'll be using RabbitMQ over Mosquitto, but you can swap them here for the important configuration bits are common):

First, configure an URL with HTTPS (this is very important for Coolify will auto generate the LetsEncrypt certificates and container traefik labels automatically for us):

Okay. Now, let's configure the compose. I'll be adding a command for i need to configure the plugin usage to enable mqtt interfaces in RabbitMQ, but this is specific to my use case. You can tweak yours depending on what you need.

Pay attention to the labels section, there's where the magic is:

services:
  rabbitmq:
    image: 'rabbitmq:3-management'
    hostname: rabbitmq
    environment:
      - SERVICE_URL_RABBITMQ_15672
      - RABBITMQ_DEFAULT_USER=$SERVICE_USER_RABBITMQ
      - RABBITMQ_DEFAULT_PASS=$SERVICE_PASSWORD_RABBITMQ
    command: "sh -c \"rabbitmq-plugins enable rabbitmq_web_mqtt &&  rabbitmq-plugins enable rabbitmq_mqtt && rabbitmq-server\"\n"
    healthcheck:
      test: 'rabbitmq-diagnostics -q ping'
      interval: 5s
      timeout: 30s
      retries: 10
    volumes:
      - 'rabbitmq-data:/var/lib/rabbitmq/'
    labels:
      # mqtt flags
      - 'traefik.tcp.routers.mqtts.rule=HostSNI(`*`)'
      - traefik.tcp.routers.mqtts.entrypoints=mqtts
      - traefik.tcp.routers.mqtts.tls=true
      - traefik.tcp.routers.mqtts.service=mqttsservices
      - traefik.tcp.services.mqttsservices.loadbalancer.server.port=1883
      # amqp flags
      - 'traefik.tcp.routers.amqp.rule=HostSNI(`*`)'
      - traefik.tcp.routers.amqp.entrypoints=amqp
      - traefik.tcp.routers.amqp.tls=true
      - traefik.tcp.routers.amqp.service=amqpservice
      - traefik.tcp.services.amqpservice.loadbalancer.server.port=5672

The traefik.tcp.routers.mqtts and traefik.tcp.routers.amqp prefixes must match the name you gave to the entrypoints in the traefik configuration step (i'm talking about the mqtts and amqp portions of those labels).

Okay that's it. Simple as this. But trust me, it took some time to get it working, there ain't much info available on this very specific stack that we are using, but i hope this helps everyone that is reading this and spare you of headaches and eyesores.