Bind 1883 listener to specific IP

Hi,

My hivemq-ce is running well and now I'm in the process of configuring it.

In my config I've set both 1883 and 8883 to bind to 0.0.0.0. This is working: from my PC I can access 1883 without a certificate and 8883 using the client certificate.

Is it possible to bind the unsafe 1883 port to work only with a given external IP? For example, I would like to allow a client (only one) with a fixed IP to access the broker and the rest of my clients to use a certificate.

Is this possible?

I’ve tried the following configuration, but I got an error and it did not work:

<tcp-listener>
    <port>1883</port>
    <bind-address>IP_ADDRESS_OF_MY_CLIENT</bind-address>
    <name>special-client-listener</name>
</tcp-listener>

Hey nhosko,

the listener configuration defines the address(es) and port(s) HiveMQ listens on for MQTT traffic. It does not allow you to whitelist a client IP for communication.

For your use case I would suggest restricting access to the unencrypted listener with the use of our File RBAC Extension.

Kind regards,
Finn from the HiveMQ team

Hi @nhosko,

I have two points to add here.

  • Making a port only available for specific IPs sounds like a job for a firewall.
  • Why do you want to expose the unsafe port to the outside and not the encrypted one?

Greetings,
Michael
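As an added example (not from this thread, the HiveMQ project, or any of the posters), here is the firewall approach the previous reply points at: the broker keeps both listeners bound to 0.0.0.0 as in the original config, and nftables on the broker host lets only one fixed source address reach the plaintext listener on 1883 while the TLS listener on 8883 stays reachable from anywhere. The client address 203.0.113.10, the table name "mqtt", and the function names are assumptions made for the example; the host is assumed to be Linux with the nft tool installed.

```shell
#!/bin/sh
# Added example, not code from the HiveMQ thread or project.
# Restricts plaintext MQTT (1883) to a single client IP with nftables and
# leaves TLS MQTT (8883, client-certificate authenticated) open.

# Placeholders chosen for this example: a TEST-NET-3 address stands in for
# the one client allowed to use the plaintext listener.
CLIENT_IP="${CLIENT_IP:-203.0.113.10}"
PLAIN_PORT=1883
TLS_PORT=8883

# Emit the nftables ruleset.  A dedicated "mqtt" table (assumed name) keeps
# these rules separate from any existing filter table, so they can be
# reloaded or flushed without touching the rest of the host policy.
# Rule order matters: the per-client accept must precede the catch-all drop.
# "ip saddr" only matches IPv4, so IPv6 clients on 1883 fall through to the
# drop rule, which is the intended default for an "only this one client" rule.
mqtt_ruleset() {
    cat <<EOF
table inet mqtt {
    chain input {
        type filter hook input priority 0; policy accept;
        # plaintext MQTT: only the one fixed-IP client
        tcp dport $PLAIN_PORT ip saddr $CLIENT_IP accept
        tcp dport $PLAIN_PORT drop
        # TLS MQTT with client certificates: reachable from anywhere
        tcp dport $TLS_PORT accept
    }
}
EOF
}

# Sanity-check the address before anything is handed to the kernel:
# four dotted-decimal octets, each in 0..255.  Returns 0 when valid.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# Load the rules (needs root and nft).  Declaring the table first makes the
# flush succeed even on first use, and "nft -f" applies the whole script
# atomically, so a previous copy of the table is replaced rather than
# appended to.
mqtt_apply() {
    valid_ipv4 "$CLIENT_IP" || { echo "bad CLIENT_IP: $CLIENT_IP" >&2; return 1; }
    {
        echo "add table inet mqtt"
        echo "flush table inet mqtt"
        mqtt_ruleset
    } | nft -f -
}

# Usage: CLIENT_IP=203.0.113.10 sh mqtt-fw.sh        (prints the ruleset)
#        CLIENT_IP=203.0.113.10 sh mqtt-fw.sh apply  (loads it, as root)
if [ "${1:-}" = "apply" ]; then
    mqtt_apply
else
    mqtt_ruleset
fi
```

One caveat worth keeping in mind: an "accept" in this table does not bypass other base chains on the input hook, so if the host already has a default-drop filter table, 8883 (and 1883 for the allowed client) must be permitted there as well. The rules also only control which source address may open a TCP connection; they do nothing to authenticate the client, which is why the TLS listener with client certificates remains the right choice for everything except the one fixed-IP exception.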

Hi michael_w,

yes, you are right… this job is actually more suitable for a firewall.

Why expose the unsafe port to one specific IP? There is actually no forced need to do it; after reading the Security Fundamentals on the HiveMQ website, I understand that it makes sense to use only TLS. I will only implement TLS on my broker.
