MQTT (Message Queue Telemetry Transport) can be defined as a lightweight publish/subscribe messaging protocol designed for machine-to-machine (M2M) connectivity. It was invented back in 1999, but only in recent years it has become the de-facto standard for the “Internet of Things“.
Due to the increasing adoption of MQTT, there exist more and more use cases that go well beyond the original focus of the original MQTT scope. In particular, even if the MQTT focus is still on machine-to-machine communication, often the real-time data produced by sensors and devices should target humans too. This might be difficult to achieve based on MQTT alone, for a number of reasons:
MQTT is not web friendly and tends to be blocked by proxies and firewalls. Even if several MQTT brokers support WebSockets, there are still many cases where this is not enough to pass through any kind of network intermediaries.
Sensors and devices may produce big volumes of real-time data. Delivering them all to a web browser or to a mobile app could be overkill, cluttering both the client and the network. Some filtering mechanism is necessary.
Security is deliberately not sophisticated in the original MQTT protocol. Encryption, authentication, and authorization did not need to be much powerful and flexible before the modern web. Despite the steady year-over-year growth in worldwide IoT security spending, Gartner predicts that the biggest inhibitor to growth for IoT security will come from a lack of prioritization and implementation of security best practices and tools in IoT initiative planning. This will hamper the potential spend on IoT security by 80 percent.
For these and other reasons, a web gateway that easily extends MQTT into the web with full peace of mind proves necessary. This is exactly the role of MQTT.Cool. It can be deployed in front of any MQTT broker to boost its security, architecture, and performance. Read on to learn the details.
1. Add Flexible Authentication
Typical MQTT authentication is based on username and password only. Furthermore, it can be a nightmare to integrate MQTT authentication offered by a typical MQTT broker with existing enterprise authentication systems.
MQTT.Cool offers a pluggable authentication system, which is totally independent of the target MQTT broker. Users’ authentication is managed by MQTT.Cool via your own integration code based on the Hook API. Not only will your authentication code be able to receive a username and password, but it will be passed full connections details (including client remote IP, user agent, cookies, client-side certificates, etc.).
It is straightforward to develop a Hook that integrates MQTT.Cool with an existing user DB. You can also switch MQTT broker without losing your authentication logic.
2. Add Fine-Grained Authorization
How do you make sure that user A cannot subscribe to topic X and user B cannot publish to topic Y? This is left to each MQTT broker proprietary authorization system (if available at all).
With MQTT.Cool, you can add very fine-grained authorization to any MQTT broker in a completely broker-agnostic way. With the Hook API, any action performed by a user is authorized via a specific callback to your own code. As for authentication, you have total flexibility in defining your security policies, based on your specific needs. Again, you can switch MQTT broker without losing your authorization logic.
3. Offload TLS/SSL Encryption
MQTT.Cool can take care of encrypting the traffic with the clients, based on TLS/SSL configurable cipher suites and certificates. This way, you can remove the burden of encryption from your MQTT broker and offload it to MQTT.Cool, which uses WSS and HTTPS for the client connections.
4. Avoid Public Access to Your Broker
You might want to hide or firewall-protect the connection details of your MQTT broker (address and port) and make it reachable from the Internet only through MQTT.Cool, which will reside in the DMZ. This way, you will add a layer of security, preventing the broker from dealing with external and potentially unauthorized connections.
5. Connect to Your Broker from Anywhere
Connect to your MQTT broker from anywhere on the Internet, even behind the strictest corporate firewalls and proxies, without sacrificing security. No need to fight with firewall rules and change your security policies.
Your MQTT broker will be instantly available through standard Web protocols (HTTP and WebSockets). This means your MQTT broker does not need to support WebSockets because it’s up to MQTT.Cool to re-encode the MQTT protocol into a very efficient and firewall-friendly protocol (called the Lightstreamer protocol).
Even if WebSockets are not supported by the network infrastructure (for instance, they might be blocked by a client-side proxy), the connection will automatically work over HTTP, thanks to StreamSense, Lightstreamer’s state-of-the-art implementation of HTTP streaming and HTTP long polling.
What happens if a client gets disconnected, for any reason? No worries—the MQTT.Cool client library will automatically reconnect and re-establish the correct subscriptions.
6. Develop Web Clients with Paho-Like API
The library exposes an Eclipse Paho-like API. Any HTML page can easily become an MQTT client, able to publish and subscribe to/from MQTT topics, irrespective of which MQTT broker you are using. This way, web pages can exchange messages with IoT devices and existing MQTT applications as well as interact with other web pages in real time.
Similarly, any Node.js application will be able to access any MQTT broker and produce/consume messages.
7. Access Multiple MQTT Brokers
A single MQTT.Cool instance can connect to different MQTT brokers. For example, it might connect to both a Mosquitto instance and a HiveMQ instance and make these brokers available to the clients. If the same client needs to access both the brokers, then it will be able to do it with a single physical connection to MQTT.Cool because all the traffic is multiplexed over a single link for each client.
8. Scale Up Your MQTT Broker with Massive Fan-Out
Scale to millions of MQTT clients by offloading the fan-out from your existing MQTT broker to MQTT.Cool.
Clients will physically connect to MQTT.Cool, which uses the world-class Lightstreamer engine to handle massively concurrent connections. MQTT.Cool scales horizontally by automatically employing all the available cores; it also scales vertically with multiple instances managed by any common load balancer.
9. Receive Fresh Data with Adaptive Throttling and Conflation
Imagine an IoT sensor that produces hundreds of measurements per second and publishes them on MQTT. You have a web page showing such data in real time.
Now, imagine a user watching that page on a desktop browser with a broadband connection and another user watching the same page on a mobile browser with a bad signal. MQTT.Cool will automatically throttle the data flow for each user, to adapt to any network congestion. It will resample the data on the fly while applying conflation, so that the two users will both see real-time and coherent data but with different update rates. Check out this live demo to see throttling in action.
10. Get Full Control over Bandwidth and Frequency
In addition to adaptive throttling, each client can explicitly configure a maximum bandwidth for its downstream channel. For example, a client might request to never consume more than 10 kbps. Queuing, resampling, and conflation will be applied automatically to respect the allocated bandwidth.
Similarly, a maximum update frequency can be requested by each client for every fanout subscription. For example, a client might subscribe to a topic specifying that no more than 2 messages per second must be delivered.