Product Documentation

Configuring SSL offloading for MQTT

You can implement SSL offloading for user protocols by adding an SSL instance for the protocol. The example below shows how to do SSL offloading for a user protocol. The traffic to backend services is unencrypted with this configuration.

Note: This example does not provide details related to adding or updating a certificate-key pair and binding it to a virtual server. For those details, see SSL certificates.

The following commands add the MQTT_SSL protocol by including mqtt.lua with transport value “SSL.”

import extension mqtt_code
add user protocol MQTT_SSL -transport SSL -extension mqtt_code

The following commands add a user load balancing virtual server and bind backend services to it.

add service mqtt_svr1 USER_TCP 1501
add service mqtt_svr2 USER_TCP 1502
add lb vserver mqtt_lb USER_TCP –lbMethod ROUNDROBIN
bind lb vserver mqtt_lb mqtt_svr1
bind lb vserver mqtt_lb mqtt_svr2

The following command adds a user virtual server for the newly added protocol MQTT_SSL. Using MQTT_SSL means the Citrix ADC appliance will do SSL offloading, because MQTT_SSL was configured with SSL transport. The command also sets the defaultlb to the load balancing virtual server configured in the previous step.

add user vserver mqtt_vs MQTT_SSL 8765 -defaultLb mqtt_lb

For SSL offloading, you also need to enable the SSL feature and bind a certkey to the user virtual server. For more information, see the following topics:

Add or update a certificate-key pair

Bind the certificate-key pair to the SSL virtual server


enable ns feature SSL

add SSL certKey mqtt_svr_cert_key -cert server1.cert -key server1.key

bind ssl vserver mqtt_vs  -certkeyName mqtt_svr_cert_key

Configuring SSL offloading for MQTT

In this article