Belchertown / HTTPS / Firefox using Mosquitto MQTT issues


Rich Mulvey

Oct 3, 2024, 4:59:58 PM
to weewx-user
The subject of problems with Firefox/Safari browsers not being able to get real-time updates from the Belchertown skin using the Mosquitto MQTT server has come up a bunch of times, so I thought I'd provide a bare-bones description of how to get around it relatively easily.

This is VERY much a nerd-centric set of steps, but my assumption is that if you know what I'm talking about you can figure out the specific details of your particular setup.

The essential issue is that Firefox does the "wrong" thing when attempting to connect to the websocket provided by the Mosquitto websocket process. It tries to use HTTP/2, and when Mosquitto says it can't handle that, instead of falling back to http/1 like other browsers, it just gives up.

The solution is as follows:

1) Install the haproxy server on your webserver. Usually it will be something like 'apt-get install haproxy', depending on your package manager.

2) Using whatever is the default haproxy config, often /etc/haproxy/haproxy.cfg, we're going to set up a proxy that transforms http/2 requests into http/1 that mosquitto can handle. We're going to listen on port 9010 ( change to whatever you want ) and redirect the websocket calls to the mosquitto server on port 9001 using http/1, assuming that's what you're using for the setup if you followed the original Belchertown instructions.

So, add lines like the following to the haproxy.cfg file:

# Frontend for handling WebSocket traffic (WSS) on port 9010
frontend wss_frontend
    bind *:9010 ssl crt /etc/haproxy/certs/mycerts.pem alpn h2,http/1.1
    mode http
    option tcplog

    http-request set-header X-Forwarded-Proto https if { ssl_fc }


    # Use the backend to forward traffic to the non-SSL WebSocket
    use_backend ws_backend

# Backend for forwarding WebSocket traffic to port 9001 without SSL
backend ws_backend
    mode http
    option tcplog
    option tcp-check
    option http-server-close  # Ensure that HTTP/1.1 is used
    server weather_backend 127.0.0.1:9001 check

The

    bind *:9010 ssl crt /etc/haproxy/certs/mycerts.pem alpn h2,http/1.1

line will need to be changed to whatever your cert file is for the https support in your webserver. Restart the haproxy server to read the new config.

3) Next, update your weewx.conf file so that the mqtt_websockets_port option is changed from the 9001 Belchertown standard to 9010. This will tell it to use the new proxy port. Restart weewx.

4) Update your Mosquitto config file on your webserver so that any of the SSL config options under the websockets/listener 9001 line are commented out. i.e. There should be no active certfile/cafile/keyfile options. Those options DO still need to be associated with the listener 1883/listener 8883 options. Restart the mosquitto server.

5) Let weewx run for several minutes so that the webpages get updated with the new port 9010/etc option, uploaded to your webserver, etc.

At this point, you should be able to hit your Belchertown skin from any browser and get real-time updates.

https://weather.mulveyfamily.com/ is my personal site, for example.

Hope this helps!

- Rich
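
An added example, not part of the original post: a small audit of a mosquitto.conf for step 4, checking that the websockets listener on 9001 has no active certfile/cafile/keyfile options. The loopback check is an assumption added here (HAProxy connects to 127.0.0.1:9001, so the now-plaintext listener need not be reachable from other hosts); the sample configs and file paths are constructed.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TLS_OPTS = {"certfile", "cafile", "keyfile"}

def parse_listeners(conf_text):
    """Map port -> {"bind": address or None, "opts": {option: value}}."""
    listeners, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out options are inactive
            continue
        key, *rest = line.split(None, 1)
        value = rest[0].strip() if rest else ""
        if key == "listener" and value:
            args = value.split()  # listener <port> [bind address]
            current = {"bind": args[1] if len(args) > 1 else None, "opts": {}}
            listeners[int(args[0])] = current
        elif current is not None:
            current["opts"][key] = value  # option belongs to the last listener
    return listeners

def audit_ws_listener(conf_text, port=9001):
    """Return a list of findings for the websockets listener behind the proxy."""
    listener = parse_listeners(conf_text).get(port)
    if listener is None:
        return [f"no listener {port} found"]
    findings = []
    if listener["opts"].get("protocol") != "websockets":
        findings.append(f"listener {port}: protocol is not websockets")
    active = sorted(TLS_OPTS & set(listener["opts"]))
    if active:  # HAProxy speaks plain HTTP/1.1 to this port, so TLS here breaks it
        findings.append(f"listener {port}: TLS options still active: {', '.join(active)}")
    if listener["bind"] not in LOOPBACK:
        findings.append(f"listener {port}: not bound to a loopback address")
    return findings

# Constructed sample: step 4 only half done, listener open on all interfaces.
SAMPLE_BEFORE = """\
listener 8883
certfile /etc/mosquitto/certs/example.pem
keyfile /etc/mosquitto/certs/example.key

listener 9001
protocol websockets
certfile /etc/mosquitto/certs/example.pem
#keyfile /etc/mosquitto/certs/example.key
"""
# Constructed sample: TLS options commented out, listener bound to loopback.
SAMPLE_AFTER = "listener 9001 127.0.0.1\nprotocol websockets\n#certfile /etc/mosquitto/certs/example.pem\n"

if __name__ == "__main__":
    for name, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_ws_listener(conf) or "OK")
```
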

gary....@gmail.com

Oct 4, 2024, 3:32:35 PM
to weewx-user
It's also possible to accomplish the same thing with apache2 or nginx proxy.
I use apache2 here and do not have to do anything with mosquitto or ssl certs.
This does indeed take care of the annoying Firefox issue with secure Websockets.