Configuration Files
Most settings in LavinMQ can be tuned using the configuration file. The structure of the configuration file is INI and comprises key-value pairs for properties and sections that organize the properties. The sections are split into four; one [main] section for general settings, one for the LavinMQ Management Interface [mgmt], one for amqp settings [amqp], one for MQTT settings [mqtt], one for clustering settings [clustering]. The syntax can be explained as:
- One setting uses one line
- Lines are structured Key = Value
- Any line starting with the ; character indicates a comment
The default configuration file location is /etc/lavinmq/lavinmq.ini
Changes to the configuration file will be applied after a restart of LavinMQ.
Yes. Many settings can be configured via environment variables. The naming convention is LAVINMQ_ followed by the setting name in uppercase. For example:
LAVINMQ_AMQP_PORT- sets the AMQP portLAVINMQ_HTTP_PORT- sets the HTTP management portLAVINMQ_DEFAULT_USER- sets the default userLAVINMQ_CLUSTERING- enables clusteringLAVINMQ_TLS_CERT_PATH- sets the TLS certificate path
LavinMQ also respects the systemd-standard STATE_DIRECTORY and CONFIGURATION_DIRECTORY environment variables for data and config directory paths respectively.
LavinMQ can be configured through three methods, listed in order of precedence (highest first):
- CLI flags — passed to the
lavinmqbinary - Environment variables — prefixed with
LAVINMQ_ - INI configuration file — specified with
-c/--config - Built-in defaults
INI File Format
The configuration file uses INI format with sections. Specify it with:
lavinmq --config /etc/lavinmq/lavinmq.ini
Alternatively, set the LAVINMQ_CONFIGURATION_DIRECTORY environment variable (or the systemd-standard CONFIGURATION_DIRECTORY) to a directory; LavinMQ will load lavinmq.ini from that directory. Defaults to /etc/lavinmq.
Reloading
Send SIGHUP (or systemctl reload lavinmq) to re-read the configuration file without restarting. The reload is atomic: if the new file is missing, unreadable, or invalid, LavinMQ logs a warning and keeps running with the configuration it already had.
Not every setting takes effect on reload. The log level and TLS certificates are applied to the running broker (see Reloading certificates for the TLS details and limits). Settings that are only read at startup - ports, bind addresses, the data directory, and similar - require a full restart.
[main] Section
| INI Key | CLI Flag | Env Var | Type | Default | Description |
|---|---|---|---|---|---|
data_dir |
-D, --data-dir |
LAVINMQ_DATADIR, STATE_DIRECTORY |
String | /var/lib/lavinmq |
Data directory |
log_level |
-l, --log-level |
— | String | info |
Log level: trace, debug, info, notice, warn, error, fatal, none |
log_file |
— | — | String | (none) | Log file path |
pidfile |
--pidfile |
— | String | (empty) | PID file path |
control_unix_path |
--control-unix-path |
LAVINMQ_CONTROL_UNIX_PATH |
String | /tmp/lavinmqctl.sock |
UNIX socket that lavinmqctl connects to. Use a unique path per instance to run multiple servers on one host. |
tls_cert |
--cert |
LAVINMQ_TLS_CERT_PATH |
String | (empty) | TLS certificate path (including chain) |
tls_key |
--key |
LAVINMQ_TLS_KEY_PATH |
String | (empty) | TLS private key path |
tls_ciphers |
--ciphers |
LAVINMQ_TLS_CIPHERS |
String | (empty) | Allowed TLS ciphers |
tls_min_version |
--tls-min-version |
LAVINMQ_TLS_MIN_VERSION |
String | (empty) | Minimum TLS version. When empty, the TLS library default (1.2) is used. |
tls_keylog_file |
— | — | String | (empty) | TLS key log file (for debugging) |
tls_ktls |
--tls-ktls |
— | Bool | false |
Enable kernel TLS offloading |
stats_interval |
— | — | Int | 5000 |
Statistics collection interval (ms) |
stats_log_size |
— | — | Int | 120 |
Number of stats samples to retain |
set_timestamp |
— | — | Bool | false |
Set timestamp on received messages |
socket_buffer_size |
— | — | Int | 16384 |
Socket buffer size (bytes) |
tcp_nodelay |
— | — | Bool | false |
Disable Nagle’s algorithm |
tcp_keepalive |
— | — | String | 60:10:3 |
TCP keepalive (idle:interval:probes, colon-separated) |
tcp_recv_buffer_size |
— | — | Int | (system) | TCP receive buffer size |
tcp_send_buffer_size |
— | — | Int | (system) | TCP send buffer size |
segment_size |
— | — | Int | 8388608 |
Message store segment size (bytes, 8MB) |
free_disk_min |
— | — | Int | 0 |
Minimum free disk space (bytes). Publishing is blocked when free space drops below this value. |
free_disk_warn |
— | — | Int | 0 |
Free disk space warning threshold (bytes) |
max_deleted_definitions |
— | — | Int | 8192 |
Deleted definitions before compaction |
consumer_timeout |
— | — | UInt64 | (none) | Consumer idle timeout (ms) |
consumer_timeout_loop_interval |
— | — | Int | 60 |
Consumer timeout check interval (s) |
log_exchange |
— | — | Bool | false |
Enable the log exchange |
auth_backends |
— | — | Array | [] |
Authentication backends |
default_consumer_prefetch |
--default-consumer-prefetch |
LAVINMQ_DEFAULT_CONSUMER_PREFETCH |
UInt16 | 65535 |
Default consumer prefetch |
default_user |
--default-user |
LAVINMQ_DEFAULT_USER |
String | guest |
Default user name |
default_password_hash |
--default-password-hash |
LAVINMQ_DEFAULT_PASSWORD |
String | (guest hash) | Hashed password for default user |
default_user_only_loopback |
--default-user-only-loopback |
— | Bool | true |
Restrict default user to loopback |
load_definitions |
— | — | String | (empty) | Path to a JSON definitions file imported on startup. See Definitions. |
data_dir_lock |
--no-data-dir-lock |
— | Bool | true |
File lock on data directory |
default_consistent_hash_algorithm |
— | — | String | ring |
Consistent hash algorithm (ring, jump) |
metrics_http_bind |
--metrics-http-bind |
— | String | 127.0.0.1 |
Prometheus metrics bind address |
metrics_http_port |
--metrics-http-port |
— | Int | 15692 |
Prometheus metrics port |
[amqp] Section
| INI Key | CLI Flag | Env Var | Type | Default | Description |
|---|---|---|---|---|---|
bind |
--amqp-bind |
LAVINMQ_AMQP_BIND |
String | 127.0.0.1 |
AMQP bind address |
port |
-p, --amqp-port |
LAVINMQ_AMQP_PORT |
Int | 5672 |
AMQP port |
tls_port |
--amqps-port |
LAVINMQ_AMQPS_PORT |
Int | 5671 |
AMQPS port |
unix_path |
--amqp-unix-path |
— | String | (empty) | AMQP Unix socket path |
tcp_proxy_protocol |
— | — | Bool | false |
Enable PROXY protocol on TCP (auto-detects v1/v2) |
proxy_protocol_trusted_sources |
— | — | String | (empty) | Comma-separated IPs/CIDR blocks allowed to send PROXY headers |
heartbeat |
— | — | UInt16 | 300 |
Heartbeat interval (seconds) |
frame_max |
— | — | UInt32 | 131072 |
Maximum frame size (bytes) |
channel_max |
— | — | UInt16 | 2048 |
Maximum channels per connection |
max_message_size |
— | — | Int | 134217728 |
Maximum message size (bytes, 128MB) |
max_consumers_per_channel |
— | — | Int | 0 |
Max consumers per channel (0 = unlimited) |
amqp_systemd_socket_name |
— | — | String | lavinmq-amqp.socket |
SystemD socket name |
[mqtt] Section
| INI Key | CLI Flag | Env Var | Type | Default | Description |
|---|---|---|---|---|---|
bind |
--mqtt-bind |
— | String | 127.0.0.1 |
MQTT bind address |
port |
--mqtt-port |
— | Int | 1883 |
MQTT port |
tls_port |
--mqtts-port |
— | Int | 8883 |
MQTTS port |
unix_path |
--mqtt-unix-path |
— | String | (empty) | MQTT Unix socket path |
max_inflight_messages |
— | — | UInt16 | 65535 |
Max unacknowledged messages per session |
max_packet_size |
— | — | UInt32 | 268435455 |
Max MQTT packet size (bytes) |
default_vhost |
— | — | String | / |
Default vhost for MQTT connections |
permission_check_enabled |
— | — | Bool | false |
Enable MQTT permission checks |
client_id_validation |
— | — | String | none |
Validate client_id against the username: none or username |
[mgmt] Section
| INI Key | CLI Flag | Env Var | Type | Default | Description |
|---|---|---|---|---|---|
bind |
--http-bind |
LAVINMQ_HTTP_BIND |
String | 127.0.0.1 |
HTTP bind address |
port |
--http-port |
LAVINMQ_HTTP_PORT |
Int | 15672 |
HTTP port |
tls_port |
--https-port |
LAVINMQ_HTTPS_PORT |
Int | 15671 |
HTTPS port |
unix_path |
--http-unix-path |
— | String | (empty) | HTTP Unix socket path |
http_systemd_socket_name |
— | — | String | lavinmq-http.socket |
SystemD socket name |
[clustering] Section
| INI Key | CLI Flag | Env Var | Type | Default | Description |
|---|---|---|---|---|---|
enabled |
--clustering |
LAVINMQ_CLUSTERING |
Bool | false |
Enable clustering |
bind |
--clustering-bind |
LAVINMQ_CLUSTERING_BIND |
String | 127.0.0.1 |
Clustering bind address |
port |
--clustering-port |
LAVINMQ_CLUSTERING_PORT |
Int | 5679 |
Clustering port |
advertised_uri |
--clustering-advertised-uri |
LAVINMQ_CLUSTERING_ADVERTISED_URI |
String | (none) | Advertised URI for peers |
etcd_endpoints |
--clustering-etcd-endpoints |
LAVINMQ_CLUSTERING_ETCD_ENDPOINTS |
String | localhost:2379 |
etcd endpoints (comma-separated) |
etcd_prefix |
--clustering-etcd-prefix |
LAVINMQ_CLUSTERING_ETCD_PREFIX |
String | lavinmq |
etcd key prefix |
max_unsynced_actions |
--clustering-max-unsynced-actions |
LAVINMQ_CLUSTERING_MAX_UNSYNCED_ACTIONS |
Int | 8192 |
Deprecated: still accepted but has no effect; how far a follower may lag is governed by the leader’s ack deadline |
on_leader_elected |
--clustering-on-leader-elected |
— | String | (empty) | Shell command on leader election |
on_leader_lost |
--clustering-on-leader-lost |
— | String | (empty) | Shell command on losing leadership |
[oauth] Section
| INI Key | Type | Default | Description |
|---|---|---|---|
issuer |
URI | (none) | OAuth2/OIDC issuer URL |
client_id |
String | (none) | OAuth2 client ID. Required to enable management UI SSO login |
mgmt_base_url |
URI | (none) | Public base URL of the management UI. Setting it together with issuer and client_id enables the SSO login button. Must use https://, or http:// with a localhost, 127.0.0.1, or [::1] host. When verify_aud is true, SSO tokens must match audience or resource_server_id |
mgmt_scopes |
String | openid profile |
Space-separated scopes requested in the management UI SSO authorization request. Override to match the requirements of your identity provider |
resource_server_id |
String | (none) | Resource server identifier |
preferred_username_claims |
Array | ["sub", "client_id"] |
JWT claims for username extraction |
additional_scopes_keys |
Array | [] |
Additional JWT claims to check for scopes |
scope_prefix |
String | (none) | Prefix to strip from scope strings |
verify_aud |
Bool | true |
Verify JWT audience claim |
audience |
String | (none) | Expected JWT audience. Also sent as the audience parameter in the SSO authorization request |
jwks_cache_ttl |
Int (seconds) | 3600 |
JWKS cache TTL |
[experimental] Section
| INI Key | Type | Default | Description |
|---|---|---|---|
yield_each_received_bytes |
Int | 131072 |
Bytes received before yielding to other fibers |
yield_each_delivered_bytes |
Int | 1048576 |
Bytes delivered before yielding to other fibers |
[sni:hostname] Sections
Per-hostname TLS configuration. Create a section for each hostname.
| Key | Description |
|---|---|
tls_cert |
Certificate file (host is dropped with a warning if this is missing) |
tls_key |
Private key file. If empty, the cert file is expected to contain both. |
tls_min_version |
Minimum TLS version |
tls_ciphers |
Allowed cipher list |
tls_verify_peer |
Require client certificate (mTLS) |
tls_ca_cert |
CA bundle for verifying client certs (mTLS) |
tls_keylog_file |
TLS key log file for debugging |
Each key can be prefixed with amqp_, mqtt_, or http_ to apply only to that protocol. For example, amqp_tls_cert overrides the certificate for AMQP connections to that hostname only.
[sni:example.com]
tls_cert = /path/to/example.com.crt
tls_key = /path/to/example.com.key
tls_min_version = 1.3
tls_verify_peer = true
tls_ca_cert = /path/to/ca.pem
Global CLI-Only Flags
| Flag | Description |
|---|---|
-b, --bind |
Bind address for AMQP, MQTT, and HTTP |
-c, --config |
Path to config file |
-d, --debug |
Verbose logging (sets log_level to debug) |
--build-info |
Print build information and exit |
--raise-gc-warn |
Raise on GC warnings |
Deprecated Options
| Deprecated | Replacement |
|---|---|
tls_cert in [amqp] |
tls_cert in [main] |
tls_key in [amqp] |
tls_key in [main] |
tls_cert in [mgmt] |
tls_cert in [main] |
tls_key in [mgmt] |
tls_key in [main] |
set_timestamp in [amqp] |
set_timestamp in [main] |
consumer_timeout in [amqp] |
consumer_timeout in [main] |
default_consumer_prefetch in [amqp] |
default_consumer_prefetch in [main] |
--default-password |
--default-password-hash |
default_password in [main] |
default_password_hash in [main] |
--guest-only-loopback |
--default-user-only-loopback |
guest_only_loopback in [main] |
default_user_only_loopback in [main] |
[http] section |
[mgmt] section |
[replication] section |
[clustering] section |
Example Configuration
[main]
data_dir = /var/lib/lavinmq
log_level = info
tls_cert = /etc/lavinmq/cert.pem
tls_key = /etc/lavinmq/key.pem
[amqp]
bind = ::
port = 5672
tls_port = 5671
[mqtt]
bind = ::
port = 1883
tls_port = 8883
[mgmt]
bind = ::
port = 15672
tls_port = 15671
[clustering]
enabled = false
Ready to take the next steps?
Managed LavinMQ instance via CloudAMQP
LavinMQ has been built with performance and ease of use in mind - we've benchmarked a throughput of about 1,000,000 messages/sec . You can try LavinMQ without any installation hassle by creating a free instance on CloudAMQP. Signing up is a breeze.
Get started with CloudAMQP ->Help and feedback
We welcome your feedback and are eager to address any questions you may have about this piece or using LavinMQ. Join our Slack channel to connect with us directly. You can also find LavinMQ on GitHub.