Configuration changes require a broker restart to take effect. Plan configuration updates during maintenance windows for production systems.
Configuration Overview
The broker configuration is stored as a JSON object. The structure below shows every supported property (the file is encrypted on disk; this is an illustrative representation):First-Run Defaults
When no config file exists, the broker creates one with these values:| Property | Default |
|---|---|
Name | "Coreflux DataHub" |
Port | 1883 |
TlsPort | 8883 |
WebsocketPort | 5000 |
WebsocketPortTls | 443 |
| Bind IPs (MQTT / TLS / WebSocket) | "0.0.0.0" (all interfaces) |
AnonymousLogin | true |
FullDebugLog | false |
ClientCertificationValidation | false |
MaxPendingMessagesPerClient | 20000 |
CleanSession | false |
SessionExpiryInterval | 0 |
Network Settings
Ports
The broker listens on multiple ports for different connection types:Standard MQTT port for unencrypted connections. This is the default port used by most MQTT clients.
MQTT port for TLS-encrypted connections. Requires valid server certificate configuration.
Port for MQTT over WebSocket connections. Used by browser-based clients and applications that cannot use raw TCP.
Port for MQTT over WebSocket with TLS encryption. Commonly set to 443 to work through corporate firewalls.
IP Bindings
Control which network interfaces the broker listens on:IP address to bind for standard MQTT connections. Use
0.0.0.0 to listen on all interfaces, or a specific IP to restrict access.IP address to bind for TLS-encrypted MQTT connections.
IP address to bind for WebSocket connections.
IP address to bind for WebSocket connections with TLS.
Example: Restrict to Local Network
Example: Listen on All Interfaces
Security Settings
Authentication
When
true, clients may connect without a valid username/password, and unknown usernames are treated as anonymous. When false, only registered users in the users store can connect.The class default is false, but on a brand-new install the broker writes the first-run config with AnonymousLogin: true. Enforced at runtime in ValidateConnectionAsync, which rejects unauthenticated connects when false and the user is not found.TLS Server Certificate
Configure TLS encryption for secure client connections:Path to the server certificate file (PEM or PFX format). Required to enable the TLS listeners — MQTTS and WSS endpoints are only started when a server certificate is loaded successfully. If set but the file is missing, a warning is logged and the broker may still start without TLS.
Path to the private key file when the certificate and key are in separate PEM files. Leave empty if the key is embedded in the certificate file.
Password for an encrypted private key or PFX bundle. If
ServerCertificatePath is set but this is empty, a warning is logged at startup.Path to the root CA certificate for certificate chain validation.
Example: TLS Configuration
Mutual TLS (mTLS)
For environments requiring client certificate authentication:Directory or source containing the trusted client CA / client certificate material used during mTLS validation. If set but the path does not exist, a warning is logged at startup.
Enable client certificate validation. When
true, TLS connections require a client certificate (ClientCertificateMode.RequireCertificate). When false, client certificates are optional (AllowCertificate).Path to the Certificate Revocation List (CRL) file for checking revoked certificates.
Enable CRL checking for client certificates.
Enable full certificate chain validation for client certificates.
Example: mTLS Configuration
Sessions and MQTT Behavior
Broker policy (not the client CONNECT flag).
false— allow persistent sessions; honour each client’s Clean Session / Clean Start flag.true— require clean sessions only; reject clients that connect with a persistent session (returnsNotAuthorized).
ValidateConnectionAsync (reject policy) and WithPersistentSessions(!CleanSession) at startup.Naming note:
CleanSession = true on the broker means “force clean sessions from clients”, not “enable clean session”.MQTT 5 only — maximum session lifetime cap, in seconds. Defines how long the broker holds a session after a client disconnects. (Previously hardcoded to 10 minutes; now configurable.)
0— no cap; the client’s CONNECT value is used as-is.> 0— reject persistent connects where the client requests more than this many seconds.4294967295(uint.MaxValue) — allow “never expire” client requests.
MqttService.ApplyConfiguredSessionExpiry during connection validation.MQTT 3.1.1: ignored — persistence is controlled by CleanSession + WithPersistentSessions only.Important: Coreflux has no server-builder API for session expiry. Clients that need MQTT 5 persistence must set SessionExpiryInterval > 0 in their CONNECT packet.When
true, the broker maintains a buffer of retained messages and re-publishes them in specific situations: on new subscriptions (copies retained messages into an internal buffer) and via periodic LogRetainedObjects publishing. Useful when clients need retained messages re-delivered after reconnect or subscription changes.Performance and Back-Pressure
Maximum number of pending outbound messages queued per connected client before Coreflux drops messages (especially QoS 0). Protects broker memory when a client is slow to read.Wired in via
WithMaxPendingMessagesPerClient at startup.Deployment and Data Paths
These paths control where the broker stores its state.ProjectPath is the “base” that the other three resolve against.
Overrides the broker data root (
CFBasePath) so all state (bin, log, stats, config, projects, users, envs, secrets) lives under this path instead of the default install directory. Typical for Kubernetes volumes or custom install layouts. If not set, the broker uses its install directory.Precedence: the COREFLUX_DATA_PATH environment variable and the -p / --path CLI flag override ProjectPath when set.Path to the file holding the broker’s user accounts (the username/password credentials used when
AnonymousLogin is false). When set and valid, users load from this plaintext JSON array instead of the encrypted user store, and runtime user changes are written back to this file.Directory containing the
.env file for environment variables the broker (and LOT logic) can reference at runtime — used to externalize deployment-specific values instead of hardcoding them in config. Resolves to {EnvsPath}/.env. Falls back to CFBasePath when empty. See Environment Variables & Secrets for usage.Directory containing
secrets.json — the secrets store for sensitive values (tokens, keys, credentials) kept separate from the main config so they aren’t sitting in plain config JSON. Used by routes and LOT GET SECRET. Resolves to {SecretsPath}/secrets.json. Falls back to CFBasePath when empty. See Environment Variables & Secrets for usage.Logging
Enable detailed debug logging: connection validation details, every publish/subscription intercept, TCP health noise, etc. Useful for troubleshooting but may impact performance in production.
When
true, switches logging to stdout-only structured JSON (no rolling file sink). Intended for Docker/Kubernetes where log aggregators scrape container output. The COREFLUX_CLOUD_LOGGING=true environment variable also enables cloud logging.Additional Settings
A human-readable name for this DataHub / broker instance. Used for identification in logs and UI; does not affect MQTT protocol behaviour.
Applying Configuration
Via MQTT Topic
Publish a configuration JSON to the system topic using any MQTT client (such as MQTT Explorer). You can send a partial update — only the fields you include are changed; everything else is left as-is:| Field | Value |
|---|---|
| Topic | $SYS/Coreflux/Config/New |
| Auth | Requires a user with system configuration permission |
The runtime handler currently persists only a subset of fields (
AnonymousLogin, bind IPs, ports, FullDebugLog). After publishing, you must restart the broker for changes to take effect — a restart is required for listener, session, and certificate changes to take full effect.Configuration Validation
The broker validates configuration on load. The following checks are fatal — an invalid value prevents the broker from starting:| Check | Requirement |
|---|---|
| Port values | Must be between 1 and 65535 |
| IP addresses | Must be valid IPv4 addresses |
MaxPendingMessagesPerClient | Must be between 1 and 100000 |
| Condition | Behaviour |
|---|---|
ServerCertificatePath set but file missing | Warning logged; TLS listeners not started |
ServerCertificatePath set but ServerCertificatePassword empty | Warning logged |
ClientCertificateSourcePath set but path does not exist | Warning logged |
Related Environment Variables
These are not properties in the configuration object but override or complement it:| Variable | Effect |
|---|---|
COREFLUX_DATA_PATH | Data root; takes precedence over ProjectPath |
COREFLUX_CLOUD_LOGGING | Enables stdout JSON logging (same intent as CloudLogging) |
Docker Configuration
When running Coreflux in Docker, configure the broker using environment variables or mounted configuration files.Using Environment Variables
- Docker Run
- Docker Compose
Mounting Configuration
Mount your configuration file to the container:TLS with Docker
When using TLS in Docker, ensure certificate paths in the configuration match the mounted paths inside the container:Configuration Examples
Development Environment
Minimal configuration for local development:Production Environment
Secure configuration for production deployment:High-Security Environment
Configuration with mTLS for maximum security:Next Steps
Broker Commands
Learn how to manage the broker via MQTT commands.
$SYS Topics
Monitor broker status through system topics.

