I read the "Custom notifications" section in the NGSIv2 specification and I still have doubts in how to make this work.

Do I have to put in my subscribe POST the following code as a payload?

"httpCustom": {
  "url": "http://foo.com/entity/${id}",
  "headers": {
    "Content-Type": "text/plain"
  },
  "method": "PUT",
  "qs": {
    "type": "${type}"
  },
  "payload": "The temperature is ${temperature} degrees"
}

How would be a complete payload with a httpCustom for a subscribe with Authentication/Authorization?

Lastly, is really necessary to use Rush, as stated at Rush Relayer? In this case, we have to use a "third-party" software that was updated almost 3 years ago. Why not Orion provides this? I would appreciate some help regarding this too.

The following httpCustom could be used:

"httpCustom": {
  "url": "http://example.com/some/path",
  "headers": {
    "X-Auth-Token": "n5u43SunZCGX0AbnD9e8R537eDslLM"
  }
}

The token will expire from time to time. Thus, it should be renewed at a regular interval, modifying the httpCustom element with the new token (using PATCH /v2/subscriptions/<id> operation, see NGSIv2 specification for details).

Regarding Rush, it is not necesary if you can achieve the HTTP-to-HTTPS with some equivalent software. Native HTTPS notifications at Orion has been identified as a topic of interest and even there was a pull request with code implementation in that line. Currently it isn't a priority, however contributions related with this are welcomed :)

EDIT: the above httpCustom configuration will make Orion sending notifications including that X-Auth-Token header. Thus, it is supposed that at the url endpoint (e.g. http://example.com/some/path in the example above) the authentication elements able to process the X-Auth-Token header will be listening (typically, a Policy Enforcement Point -PEP- Proxy).

UPDATE: since verion 1.7.0, Orion implements native HTTPS notifications (i.e. without needing Rush).