You could use a hosted MQTT service like https://www.cloudmqtt.com/ which 
gives you your own broker. It’s free for a small number of connections and 
inexpensive for somewhat more. Or you could get a cloud compute instance on AWS 
or your favorite cloud provider, and install an MQTT broker there. 

I just put the broker on a ~dedicated RPi on an isolated network (dmz) behind 
my firewall. I do have a static IP, but DDNS works pretty well with most ISPs 
that have dynamic IPs since the IPs rarely change, as long as they assign 
public IPs. 

  -Les


> On Nov 22, 2019, at 3:02 AM, Radek Dohnal <dohnalra...@gmail.com> wrote:
> 
> 
> Thanks for the super explanation.
> 
> Set up an MQTT broker on a public IP address - do you mean something like 
> this? - https://www.hivemq.com/blog/build-javascript-mqtt-web-application/
> 
> 
> I don't want to use public MQTT (i.e. http://www.mqtt-dashboard.com/) - there 
> is no way to secure it with a password.
> 
> 
> 
> On Thursday, November 21, 2019 at 18:48:18 UTC+1, Greg Troxel wrote:
>> 
>> vince <vince...@gmail.com> writes: 
>> 
>> > On Thursday, November 21, 2019 at 8:30:34 AM UTC-8, Greg Troxel wrote: 
>> > 
>> >> I don't follow "password-protected" entirely.  
>> >> 
>> > 
>> > oh - I meant protecting the Internet MQTT broker from nefarious 
>> > denial-of-service from the script kiddies. 
>> > 
>> > The LAN broker will need to forward/post to the Internet broker instance. 
>> > You want to make sure it's just 'you' who can post data there, so enabling 
>> > the MQTT username/password setup on the Internet broker will help stop the 
>> > bad guys from messing with your data.  The LAN MQTT broker can (probably) 
>> > be open for writes without username/password needed, depending on how you 
>> > like to set your LAN up. 
>> 
>> I understand now.  It was obvious to me that writes must be 
>> authenticated and thus I thought we were talking about allowing 
>> unauthenticated reads.  However,  it is not obvious to everyone and 
>> excellent advice to someone starting out. 
>> 
>> > My setup at home has a bunch of pi and arduinos and sensors posting to 
>> > local MQTT without any passwords needed.  When I had the Internet MQTT 
>> > broker being bridged to (as MQTT uses the term) from the LAN, I had just 
>> > 'that' one requiring a username/password, and also had some packet filters 
>> > etc. limiting the incoming MQTT traffic to be from the pretty stable 
>> > public IP address my home LAN NAT's out to Internet on via my service 
>> > provider. 
>> 
>> Makes sense.  I have set up TLS on both home and public broker and also 
>> username/passwords and acls.  All of my sensors have credentials that 
>> allow them to write to part of the sensor subspace.   Indeed, this is 
>> much more work. 
>> 
>> > But no I didn't mean webserver username+pass.  Sorry for any confusion 
>> > there. 
>> 
>> No problem, and I was misunderstanding more than you -- I think it's 
>> actually been a very useful discussion.  To sum up for the OP, assuming 
>> they want to do something like Belchertown 
>> 
>>   set up an MQTT broker on a public/stable IP address 
>> 
>>   configure acl to require user/password for writing, to avoid kiddies 
>>   writing to your topics and also storing warez fragments in various 
>>   retained topics, as happened with writable anonymous FTP.  For extra 
>>   credit, set up TLS and only do password-controlled access over TLS to 
>>   prevent password sniffing. 
>> 
>>   allow anonymous reads of the data that you intend to be used by the 
>>   skin -- and only that data. 
>> 
>>   Keep in mind that because MQTT ends up being the way you connect 
>>   everything to everything, almost all data in it is sensitive with 
>>   respect to writes and some data is sensitive with respect to reads. 
>>   
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "weewx-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to weewx-user+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/weewx-user/e4344b69-d078-413f-98e4-8dd2cc1d3d0f%40googlegroups.com.
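
The policy summed up in the quoted message above (authenticated writes, anonymous reads only of the data meant for the skin) can be checked mechanically. The following is an added example, not part of the thread: it assumes the broker is Mosquitto (the thread does not name one) and audits an ACL file in Mosquitto's `acl_file` syntax; the topic names, the user name and the `weather/` public prefix are constructed for illustration.

```python
# Added example (assumes Mosquitto acl_file syntax; all names are constructed).

SAMPLE_ACL = """\
# constructed sample ACL, not taken from the thread
topic read weather/loop
topic sensors/#

user lan_bridge
topic write weather/#
topic readwrite sensors/#
"""

PUBLIC_READ_PREFIXES = ("weather/",)  # assumed: all the skin needs to read
ACCESS_TYPES = ("read", "write", "readwrite", "deny")


def parse_acl(text):
    """Return {user: [(access, topic_filter), ...]}; key None is anonymous."""
    rules, user = {}, None  # rules before the first "user" line are anonymous
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *tail = line.split(None, 1)
        rest = tail[0].strip() if tail else ""
        if keyword == "user":
            user = rest
        elif keyword == "topic":
            access, _, topic = rest.partition(" ")
            if access not in ACCESS_TYPES or not topic:
                access, topic = "readwrite", rest  # no type given: read and write
            rules.setdefault(user, []).append((access, topic.strip()))
    return rules


def audit(text):
    """List anonymous grants that break 'authenticated writes, limited reads'."""
    findings = []
    for access, topic in parse_acl(text).get(None, []):
        if access in ("write", "readwrite"):
            findings.append(f"anonymous write allowed on {topic}")
        if access in ("read", "readwrite") and not topic.startswith(PUBLIC_READ_PREFIXES):
            findings.append(f"anonymous read outside public data: {topic}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL):
        print(finding)
```

The sample's bare `topic sensors/#` line is the easy mistake: with no access type Mosquitto grants read and write, so an anonymous client could publish to every sensor topic.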
