Mosquitto websockets security best practice

I have a Mosquitto server running on which I activated the websocket listener. All works fine, I can subscribe/publish from an Angular application. I did not activate SSL from Mosquitto, but I did reverse-proxy using Nginx, effectively encrypting the websocket. I cannot access via ws, only via wss.

Now what is the best practice to restrict connection to the websocket to authenticated users only? Enabling the location to the outside world would make the MQTT server encrypted, but available to all. Is there a way to restrict connection to only authenticated users, and if so, how?

EDIT

Thanks to @john-romkey's clarifications, I can now activate authentication on Mosquitto side and enable a user that would be limited for the operations needed by the web client. The documentation also mentions authentication plugins, so I wonder if there is any token based authentication plugin that would remove the need for passing a user/pass to the front-end.

Rwanou asked Oct 26 '25 03:10


1 Answer

SSL/TLS provides two functions:

First, it authenticates the server that the client is connecting to. This lets the client know that the server it connected to has access to the encryption certificates for the domain the client connected to, which means that there's a very high probability that you're talking to the correct server and not a malicious imposter.

Second, it prevents third parties from eavesdropping on the connection. Malicious programs with access to the network data won't be able to decode the communications between the client and server and won't be able to tamper with it.

What it doesn't do is authenticate the client in any way.

So with the setup you've described, if I found your Mosquitto broker I could connect to the websocket and subscribe to any topic I wanted or publish to any topic I wanted, because the setup you described does nothing to control who can connect to the broker and what they can do once connected.

From a security perspective this is almost a worst practice.

Mosquitto provides two mechanisms for authenticating clients:

First, you can create a username and password for a client. Best practice would be to create unique usernames and passwords for each different potential client. Mosquitto provides an API that allows you to use a variety of different stores for the credentials, from a simple text file to full-blown relational databases like PostgreSQL.

Second, you can create a client-side certificate which will uniquely identify the client.

These allow you to authenticate the client to access the broker.

Depending on the complexity of the pubsub network you're building over the MQTT broker, you should also consider restricting access to only the needed topics for each client.

This allows you to authorize the client to do specific work.

Mosquitto's documentation discusses how to authenticate and authorize clients.

romkey answered Oct 29 '25 07:10
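The answer above recommends giving each client only the topics it needs. Mosquitto expresses that in an `acl_file` (enabled alongside `allow_anonymous false` and a `password_file` in mosquitto.conf). The following is an added example, not code from the question, the answer or the Mosquitto project: a small offline evaluator that re-implements the documented acl_file rules (general `topic` lines apply to anonymous clients only, `user` sections, `pattern` lines with `%u`/`%c`, `deny` entries checked before grants) so you can answer "can this user publish or receive on this topic?" before deploying a policy. The usernames, client id, topics and the ACL text itself are constructed sample data, and the checker only handles concrete topic names, not wildcard subscriptions.

```python
"""Evaluate a Mosquitto acl_file offline for concrete topic names.

Added example; it follows the acl_file format described in mosquitto.conf(5)
but is not the broker's own code. All names below are constructed samples.
"""

# Constructed sample policy: the web client gets a read-only view of sensor
# data plus one command subtree; sensor nodes may only publish.
SAMPLE_ACL = """\
# Lines before the first 'user' line apply to anonymous clients only.
topic read public/status

user webapp
topic read sensors/+/temperature
topic write commands/webapp/#
topic deny sensors/secret/temperature

user sensor-node
topic write sensors/#

# Patterns apply to every client; %u is the username, %c the client id.
pattern readwrite clients/%u/inbox
pattern read clients/%c/config
"""

ACCESS_TYPES = {"read", "write", "readwrite", "deny"}


def parse_acl(text):
    """Return (acls, patterns): acls maps username (None = anonymous) to
    a list of (access, filter); patterns is a list of (access, filter)."""
    acls = {None: []}
    patterns = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "user":
            current = rest
            acls.setdefault(current, [])
        elif keyword in ("topic", "pattern"):
            access, _, topic = rest.partition(" ")
            if access not in ACCESS_TYPES:      # access type is optional
                access, topic = "readwrite", rest
            target = patterns if keyword == "pattern" else acls[current]
            target.append((access, topic.strip()))
        else:
            raise ValueError(f"unrecognised acl line: {raw!r}")
    return acls, patterns


def topic_matches(filt, topic):
    """MQTT filter match: '+' is one level, '#' is the remainder;
    wildcards never match topics beginning with '$' (e.g. $SYS/...)."""
    if topic.startswith("$") and filt[:1] in ("+", "#"):
        return False
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def substitute(filt, username, client_id):
    """Fill %u / %c only where the placeholder is a whole level, as Mosquitto
    requires. Returns None when %u appears but the client is anonymous."""
    out = []
    for level in filt.split("/"):
        if level == "%u":
            if username is None:
                return None
            level = username
        elif level == "%c":
            level = client_id
        out.append(level)
    return "/".join(out)


def acl_check(acls, patterns, username, client_id, topic, access):
    """access is 'read' (receive) or 'write' (publish). Deny entries are
    evaluated first; a user absent from the file has no grants at all."""
    assert access in ("read", "write")
    rules = list(acls.get(username, []))
    for a, f in patterns:
        expanded = substitute(f, username, client_id)
        if expanded is not None:
            rules.append((a, expanded))
    if any(a == "deny" and topic_matches(f, topic) for a, f in rules):
        return False
    return any(a in (access, "readwrite") and topic_matches(f, topic)
               for a, f in rules)


def check(username, client_id, topic, access, acl_text=SAMPLE_ACL):
    """Convenience wrapper: evaluate one request against the sample policy."""
    acls, patterns = parse_acl(acl_text)
    return acl_check(acls, patterns, username, client_id, topic, access)


if __name__ == "__main__":
    for case in [("webapp", "web-1", "sensors/kitchen/temperature", "read"),
                 ("webapp", "web-1", "sensors/secret/temperature", "read"),
                 (None, "anon", "sensors/kitchen/temperature", "read")]:
        print(case, "->", check(*case))
```

Once the policy reads the way you expect, the broker side is `allow_anonymous false`, `password_file /etc/mosquitto/passwd` (created with `mosquitto_passwd -c`) and `acl_file /etc/mosquitto/acl` on the websockets listener; a client that fails the password check never reaches the ACL stage, and one that passes is confined to exactly the topics the file grants.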


