Listeners specify on which IP address and port VerneMQ should accept new incoming connections. Depending on the chosen transport (TCP, SSL, WebSocket) different configuration parameters have to be provided. VerneMQ allows to write the listener configurations in a hierarchical manner, enabling very flexible setups. VerneMQ applies reasonable defaults on the top level, which can be of course overridden if needed.
# defines the default nr of allowed concurrent# connections per listenerlistener.max_connections = 10000# defines the nr. of acceptor processes waiting# to concurrently accept new connectionslistener.nr_of_acceptors = 10# used when clients of a particular listener should# be isolated from clients connected to another# listener.listener.mountpoint = off
These are the only default parameters that are applied for all transports, and the only one that are of interest for plain TCP and WebSocket listeners.
These global defaults can be overridden for a specific transport protocol
listener.tcp.CONFIG = VAL, or even for a specific listener
listener.tcp.LISTENER.CONFIG = VAL. The placeholder
LISTENER is freely chosen and is only used as a reference for further configuring this particular listener.
Normally, an MQTT broker hosts one single topic tree. This means that all topics are accessible to all publishers and subscribers (limited by the ACLs you configured, of course). Mountpoints are a way to host multiple topic trees in a single broker. They are completely separated and clients with different topic trees cannot publish messages to each other. This could be useful if you provide MQTT services to multiple separated use cases/verticals or clients, with a single broker. Note that mountpoints are configured via different listeners. As a consequence, the MQTT clients will have to connect to a specific port to connect to a specific topic space (mountpoint).
The mountpoints can be configured on the protocol level or configurred or overridden on the specific listener level.
listener.ssl.mountpoint = ssl-mountpointlistener.tcp.listener1.mountpoint = tcp-listener1listener.tcp.listener2.mountpoint = tcp-listener2
Since VerneMQ 1.5.0 it is possible to configure which MQTT protocol versions as listener will accept.
VerneMQ supports MQTT 3.1, 3.1.1, and 5.0 (since VerneMQ 1.6.0). To allow these protocol versions, set:
listener.tcp.allowed_protocol_versions = 3,4,5
3,4,5 are the protocol level versions corresponding to MQTT 3.1, 3.1.1 and 5.0 respectively. The default value is
3,4 thus allowing MQTT 3.1 and 3.1.1, while MQTT 5.0 is disabled.
Listen on TCP port 1883 and for WebSocket Connections on port 8888:
listener.tcp.default = 127.0.0.1:1883listener.ws.default = 127.0.0.1:8888
An additional listener can be added by using a different name. In the example above the name equals to
default and can be used for further configuring this particular listener. The following example demonstrates how an additional listener is defined as well as how the maximum number of connections can be limited for this listener:
listener.tcp.my_other = 127.0.0.1:18884listener.tcp.my_other.max_connections = 100
VerneMQ listeners can be configured to accept connections from a proxy server that supports the PROXY protocol. This enables VerneMQ to retrieve peer information such as source IP/Port but also PROXY Version 2 protocol TLS client certificate details if the proxy was used to terminate TLS.
To enable the PROXY protocol for tcp listeners use
listener.tcp.proxy_protocol = on or for a specific listener use
listener.tcp.LISTENER.proxy_protocol = on.
If client certificates are used you can set
listener.tcp.proxy_protocol_use_cn_as_username = on which will overwrite the MQTT username set by the client with the common name from the client certificate before authentication and authorization is performed.
Accepting SSL connections on port 8883:
listener.ssl.cafile = /etc/ssl/cacerts.pemlistener.ssl.certfile = /etc/ssl/cert.pemlistener.ssl.keyfile = /etc/ssl/key.pemlistener.ssl.default = 127.0.0.1:8883
If you want to use client certificates to authenticate your clients you have to set the following option:
listener.ssl.require_certificate = on
If you use client certificates and want to use the certificates CN value as a username you can set:
listener.ssl.use_identity_as_username = on
use_identity_as_username default to
The same configuration options can be used for securing WebSocket connections, just use
wss as the protocol identifier e.g.