Native TLS Encryption for bunqueue TCP & HTTP
server · tls
TLS without the reverse proxy.
bunqueue terminates TLS natively on both the TCP (msgpack) and HTTP servers, no reverse proxy required. TLS is opt-in: without cert/key configuration the server behaves exactly as before, in plaintext.
1 cert pair covers TCP and HTTP
0 reverse proxies needed
fail-fast startup on partial config
Server
Section titled “Server”# CLI flagsbunqueue start --tls-cert ./cert.pem --tls-key ./key.pem
# Or environment variablesTLS_CERT_FILE=./cert.pem TLS_KEY_FILE=./key.pem bunqueue startOr in bunqueue.config.ts:
import { defineConfig } from 'bunqueue';
export default defineConfig({ server: { tlsCertFile: './cert.pem', tlsKeyFile: './key.pem', },});One cert pair covers both servers: TCP (:6789) and HTTP/WebSocket/SSE
(:6790, becomes https:// / wss://).
The server fails fast at startup if the cert or key file is missing or if only one of the two is set. It never silently falls back to plaintext.
Client SDK
Section titled “Client SDK”import { Queue, Worker } from 'bunqueue/client';
// Public CA (Let's Encrypt etc.): verify with system CAsconst queue = new Queue('jobs', { connection: { host: 'queue.example.com', port: 6789, tls: true },});
// Private CA or self-signed: trust a specific CA fileconst queue2 = new Queue('jobs', { connection: { host: '10.0.0.5', port: 6789, tls: { caFile: './ca.pem' } },});
// Dev only: skip verificationconst queue3 = new Queue('jobs', { connection: { host: 'localhost', port: 6789, tls: { rejectUnauthorized: false } },});Worker accepts the same connection.tls options. The msgpack protocol is
unchanged, TLS only wraps the transport.
CLI client
Section titled “CLI client”bunqueue stats --host queue.example.com --tls # system CAsbunqueue stats --tls-ca ./ca.pem # custom CAbunqueue stats --tls-no-verify # self-signed, dev onlySelf-signed certificate (dev / internal networks)
Section titled “Self-signed certificate (dev / internal networks)”openssl req -x509 -newkey rsa:2048 -nodes -days 365 \ -keyout key.pem -out cert.pem \ -subj "/CN=localhost" \ -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"Clients then connect with tls: { caFile: './cert.pem' } (the self-signed
cert acts as its own CA), full verification, no rejectUnauthorized: false
needed.
- Certificate verification is on by default: the client rejects untrusted or
mismatched server certs unless you explicitly pass
rejectUnauthorized: false(encryption without authentication, dev only). - TLS + auth tokens compose: use both for servers exposed beyond localhost.
- A TLS-enabled server only accepts TLS clients; plaintext clients fail the handshake (they do not hang).
- HTTP endpoints (
/health, dashboards,/ws,/events) are served overhttps:///wss://when TLS is enabled.