Configuring SSL offloading with end-to-end encryption for MQTT
The following example shows how to do SSL offloading for MQTT with end-to-end encryption.
Note: This example does not provide details related to adding or updating a certificate-key pair and binding it to a virtual server. For those details, see SSL certificates.
The following commands import the extension file and add the MQTT_SSL protocol with SSL transport.
import extension http://10.217.24.48/extensions/mqtt.lua mqtt_code add user protocol MQTT_SSL -transport SSL -extension mqtt_code
The following commands add a user load balancing virtual server and bind backend services to it. Both the load balancing virtual server and the services are configured for the service type USER_SSL_TCP.
add service mqtt_svr1 10.217.24.48 USER_SSL_TCP 1501 add service mqtt_svr2 10.217.24.48 USER_SSL_TCP 1502 add lb vserver mqtt_lb USER_SSL_TCP –lbmethod RR bind lb vserver mqtt_lb mqtt_svr1 bind lb vserver mqtt_lb mqtt_svr2
The following command adds a user virtual server for the newly added protocol MQTT_SSL. Using MQTT_SSL means the Citrix ADC appliance will do SSL offloading, because MQTT_SSL was configured with SSL transport. The command also makes the load balancing virtual server, configured in previous step, the default load balancer.
add user vserver mqtt_vs MQTT_SSL 10.217.24.28 8765 -defaultLb mqtt_lb
For end-to-end encryption, you also need to enable the SSL feature and bind a certkey to the user and default load balancing virtual servers. For more information, see the following topics:
enable ns feature SSL add SSL certKey mqtt_svr_cert_key -cert server1.cert -key server1.key bind ssl vserver mqtt_lb -certkeyName mqtt_svr_cert_key bind ssl vserver mqtt_vs -certkeyName mqtt_svr_cert_key