Skip to main content

Listener Configuration

Listeners define how YedMQ receives requests from MQTT clients and management tools. YedMQ supports multiple protocols to cover native device traffic, browser clients, and operational APIs.

Supported protocols

  • TCP: Standard MQTT (default port 1883)
  • TCP-TLS: Secure MQTT over TLS (default port 8883)
  • WebSocket (WS): MQTT over WebSockets (default port 8083)
  • WebSocket Secure (WSS): MQTT over secure WebSockets (default port 8084)
  • API: REST management API (default port 3456)

TCP listener

Configures the standard unencrypted MQTT listener.

[listener.tcp]
external = "0.0.0.0:1883"

[listener.tcp.rate_limit]
messages_rate = 1000
messages_burst = 100
  • external: bind address and port
  • rate_limit.messages_rate: maximum inbound PUBLISH packets per second
  • rate_limit.messages_burst: allowed burst size within the rate-limit window
  • set messages_rate <= 0 or messages_burst <= 0 to disable listener-level publish rate limiting

TCP-TLS listener

Configures encrypted MQTT connections.

[listener.tcp_tls]
external = "0.0.0.0:8883"
verify_client_cert = false
cacert_file = "/path/to/ca.crt"
cert_file = "/path/to/server.crt"
key_file = "/path/to/server.key"

[listener.tcp_tls.rate_limit]
messages_rate = 1000
messages_burst = 100
  • external: bind address and port for TLS MQTT traffic
  • verify_client_cert: when false, the listener runs in regular TLS mode; when true, it requires and verifies client certificates
  • cacert_file: trusted CA certificate file used to validate client certificates when verify_client_cert = true
  • cert_file: PEM-encoded certificate chain file
  • key_file: PEM-encoded private key file
  • when verify_client_cert = false, the listener performs server-side TLS only and does not request client certificates
  • when verify_client_cert = true, clients must present a certificate issued by the CA configured in cacert_file

WebSocket listener

Configures MQTT over WebSockets for browser-facing clients.

[listener.ws]
external = "0.0.0.0:8083"

[listener.ws.rate_limit]
messages_rate = 1000
messages_burst = 100
  • external: bind address and port for WS traffic

WebSocket secure listener

Configures encrypted MQTT over WebSockets.

[listener.wss]
external = "0.0.0.0:8084"
verify_client_cert = false
cacert_file = "/path/to/ca.crt"
cert_file = "/path/to/server.crt"
key_file = "/path/to/server.key"

[listener.wss.rate_limit]
messages_rate = 1000
messages_burst = 100
  • external: bind address and port for WSS traffic
  • verify_client_cert: enables mTLS for the WSS listener when set to true
  • cacert_file: trusted CA certificate file used for WSS client certificate validation
  • cert_file: certificate chain file
  • key_file: private key file
  • the WSS listener reads its certificate and key from [listener.wss]; it does not reuse the TLS MQTT listener files

API listener

Configures the REST API and its Basic Authentication users.

[listener.api]
external = "127.0.0.1:3456"

[listener.api.auth]
users = []
# Example:
# users = [{ username = "admin", password = "replace_me" }]
  • external: bind address and port for the management API; the shipped config keeps it on localhost by default
  • auth.users: Basic Authentication users allowed to access /api/v1/*; add at least one user before exposing the API beyond localhost