Configuring SSL offloading for MQTT

You can implement SSL offloading for user protocols by adding an SSL instance for the protocol. The following example shows how to do SSL offloading for a user protocol. The traffic to back-end services is unencrypted with this configuration.

Note: This example does not provide details related to adding or updating a certificate-key pair and binding it to a virtual server. For those details, see SSL certificates.

The following commands add the MQTT_SSL protocol by including mqtt.lua with the transport value “SSL.”

import extension http://10.217.24.48/extensions/mqtt.lua mqtt_code
add user protocol MQTT_SSL -transport SSL -extension mqtt_code
<!--NeedCopy-->

The following commands add a user load balancing virtual server and bind back-end services to it.

add service mqtt_svr1 10.217.24.48 USER_TCP 1501
add service mqtt_svr2 10.217.24.48 USER_TCP 1502
add lb vserver mqtt_lb USER_TCP –lbMethod ROUNDROBIN
bind lb vserver mqtt_lb mqtt_svr1
bind lb vserver mqtt_lb mqtt_svr2
<!--NeedCopy-->

The following command adds a user virtual server for the newly added protocol MQTT_SSL. Using MQTT_SSL means the Citrix ADC appliance does SSL offloading, because MQTT_SSL was configured with SSL transport. The command also sets the defaultlb to the load balancing virtual server configured in the previous step.

add user vserver mqtt_vs MQTT_SSL 10.217.24.28 8765 -defaultLb mqtt_lb

For SSL offloading, you also need to enable the SSL feature and bind a certificate-key pair to the user virtual server. For more information, see the following topics:

Add or update a certificate-key pair

Bind the certificate-key pair to the SSL virtual server

Example:

enable ns feature SSL

add SSL certKey mqtt_svr_cert_key -cert server1.cert -key server1.key

bind ssl vserver mqtt_vs  -certkeyName mqtt_svr_cert_key
<!--NeedCopy-->
Configuring SSL offloading for MQTT