- FlowFuse User Manuals
- Using FlowFuse
- Getting Started
- FlowFuse Concepts
- Changing the Stack
- Device Groups
- DevOps Pipelines
- Environment Variables
- FlowFuse File Nodes
- FlowFuse Persistent Context
- FlowFuse Project Nodes
- High Availability mode
- Instance Settings
- Shared Team Library
- User Settings
- FlowFuse API
- Migrating a Node-RED project to FlowFuse
- Device Agent
- Device Agent
- FlowFuse Device Agent Introduction
- Quick Start
- Register your Device
- Running the Agent
- Deploying your Flows
- Hardware Guides
- FlowFuse Cloud
- FlowFuse Cloud
- FlowFuse Self-Hosted
- Installing FlowFuse
- Configuring FlowFuse
- DNS Setup
- Docker install
- Email configuration
- First Run Setup
- FlowFuse File Storage
- Install FlowFuse on Kubernetes
- Local Install
- Upgrading FlowFuse
- Administering FlowFuse
- Administering FlowFuse
- Administrator configuration for SSO
- User Management
- Community Support
- Premium Support
- Debugging Node-RED issues
- Contributing to FlowFuse
# Configuring FlowFuse
The base configuration of the FlowFuse platform is provided in the file
/opt/flowforge/etc/flowforge.yml. This assumes the default install location of
To run a local install, you can use the default options. This section describes the options available in the configuration file.
# Server configuration
|The address to serve the web ui on. This defaults to
localhost which means the ui will only be available when browsing from the same server that is running the platform. To make it accessible to other devices on the network, set it to
host is changed, please also update
base_url to match e.g.
|The TCP port the platform serves its web ui. Default:
|The url to access the platform. This defaults to
http://localhost:3000 which means a number of internally generated URLs will only work when browsing on the same device as is running the platform. To be able to access the platform remotely, replace
localhost with the ip address of the device running FlowFuse.
|The domain that instance names will be prepended to on Docker & Kubernetes platforms to create a hostname to access the instance. A wildcard DNS A record should point be configured to point to the FlowFuse entry IP Address.
|a URL or string with contact details for the administrator e.g
https://support.example.com . Defaults to the email address of the first admin user or
the administrator if no email address set.
|If set to
true will create a default admin user on first run, the username/password is written to the logs. Default:
|If set to
true an access token (ffpat) is created for the default admin user on first run. Its value is written to the logs. Default:
|Can be used to pass in a license key for FlowFuse. Default not set
NOTE: Changing the
domain after Node-RED instances have been created is possible, but the original hostname and domain must remain active in order to access the instances and for an them to be able to access the FlowFuse resources.
An example workflow would be:
- Register new domain
- Set up DNS entries for:
- A record for the forge app
- wildcard A record for the domain
- Leave the existing entries for the old domain in place
- Stop the forge app
- Edit the flowforge.yml to set the base_url and domain entries
- Restart the forge app
# Database configuration
|The type of database to use. Default:
# SQLite configuration
|Path to the SQLite Database file to use, relative to
# Postgres configuration
|Hostname of the Postgres Database. Default:
|Database name on Postgres Server. Default:
|Username used when connecting to Postgres Server.
|Password used when connecting to Postgres Server.
|Client should connect with SSL/TLS. Default:
# Node-RED Driver configuration
This configures how Node-RED instances are run by the platform.
|The type of deployment model to use. Default:
# Localfs Driver options
|The port number to start assigning to Node-RED instances as they are created. Default:
|The path to find the node.js executable - useful if Node.js has been installed with
nvm so isn't necessarily on the system path.
|Prints the Node-RED logs in JSON format to stdout of the nr-launcher process. Default:
# Docker Driver options
|The path to the Docker control unix domain socket. Default
|Prints the Node-RED logs in JSON format to stdout of the Instance containers. Default:
# Kubernetes Driver options
|The namespace to run Node-RED instances in. Default:
|Enables specific options for certain platforms e.g.
aws. Default: not set
|A YAML object containing node annotations to use to filter which nodes Node-RED instances run on. Default:
|Prints the Node-RED logs in JSON format to stdout of the instance pods. This should be set with the
forge.logPassthrough=true Helm chart value. Default:
# MQTT Broker configuration
By default, the platform runs without an MQTT broker. This restricts some features in the platform, such as the Project Nodes and Remote Device Editing.
If a broker has been setup in the platform, the following configuration is required:
|The url for the platform to access the broker. For example:
|The url used by devices to connect to the broker, if different to
broker.url. For example, this may require devices to use WebSockets instead:
# Email configuration
By default, email is disabled. This restricts some features in the platform around inviting new users to join.
|Enables the email sending functionality of the platform. Default:
|Sets the address email will appear from. Default:
|Hostname of the SMTP server to send email through. Default:
|Port of the SMTP server to send email through. Default:
|Whether to use TLS to connect to the SMTP server. Default:
|Username to authenticate the connection with. Default:
|Password to authenticate the connection with. Default:
|If set to true, it will log the full content of emails it tries to send. Default:
See here for example configuration with common email providers.
# AWS SES Email
There is also support for using AWS SES email, this is mainly intended to be used when deployed on AWS EKS.
This assumes that the instance is running with a Service Account that has a AWS Role with SES access enabled.
|The AWS region to connect to
# Telemetry configuration
By default, the platform will send anonymous usage information back to us at FlowForge Inc. This can be disabled via the Admin Settings in the UI, or turned off in the configuration file with the
IMPORTANT: Licensed installations cannot disable telemetry
Additionally, you can configure your own instance of FlowFuse to report back to you on how users are using your instance of FlowFuse. FlowFuse supports integration with two different services:
- PostHog (recommended): You will require your own API key to pass into the
yml, which will begin the logging of user interactions.
- Plausible: (deprecated since 0.9 and will be removed in the future): You can setup your own account, and pass the relevant domain to the
ymlin the telemetry configuration
For more information about this feature, see here
|Enables the anonymous usage telemetry of the platform. Default:
|The API URL for PostHog, either 'https://app.posthog.com' or 'https://eu.posthog.com'. Default:
|The API key provided to you from your own PostHog account. Default:
|FlowFuse is designed as to provide custom posthog
$pageview events that provide more detail on navigation than the default, and suit a single page application better. As such, we recommend setting this to false in order to prevent duplicate
pageview events firing. Default:
|A Google Tag Manager ID. Default:
|An object with keys matching the names of tag events to be enabled and any payload values. Default
# Rate Limiting configuration
By default, rate limiting is disabled and the platform will not rate limit any requests.
To enable rate limiting, you can set the
rate_limits.enabled option to
When enabled, all routes will be limited to 1000 requests per 1 minute window. These defaults can be adjusted by setting values in the configuration options listed below.
|Enables rate limiting. Default:
|Enables rate limiting for all routes. Default:
true (defaults to all routes being rate limited)
|The time window in which requests are counted. Default:
60000 (1 minute)
|The maximum number of requests allowed in the time window. Default:
|The maximum number of requests allowed in the time window for anonymous users. Default: not configured (defaults to
For additional options, see fastify-rate-limit documentation.
# Support configuration
It is possible to add a HubSpot Support Widget into FlowFuse. This will appear as a floating chat bubble on the bottom-right corner of the screen. To enable this, you'll need to provide the
|Enables the chat support widget in the UI. Default:
|The numerical identifier within your HubSpot Tracking Code. Default:
# MQTT Broker configuration
The platform depends on the Mosquitto MQTT Broker to provide real-time messaging between devices and the platform.
This is currently an optional component - the platform will work without the broker, but some features will not be available.
|The full url to the platform broker. This is used by the platform and Node-RED instances to connect to the broker. For example:
|If set, this is the url provided to Devices to connect to the broker with. When running in a Docker or K8S environment, this url should be the externally addressable url the broker is provided on. This could be via WebSockets, for example:
# Logging configuration
By default the forge app is set to
info level logging, with the HTTP routes logged at
|Change the default logging level. Default:
|Change the default HTTP route logging level. Default:
|Enable/Disable pretty-printing of the log output. Default:
false - see below
info will log every HTTP request and response details.
pretty option controls the formatting of the log output. When running in developer mode, (for example, if
NODE_ENV is set to
developer), then pretty formatting is enabled by default. This makes the logs more human-readable.
Otherwise, the log output is JSON formatted for consumption by other tools.
# File storage
FlowFuse includes a service that can be used by Node-RED instances to read and write files in their flows as well as providing persistent storage for flow context information.
Details of configuring the File Storage service are available here.
flowforge.yml file needs to contain the following properties so it can access the File server.
|The URL of the FlowFuse File Server to use. Default: not set
# Enabling Persistent File Storage - File Nodes
These nodes are enabled by default on the FlowFuse Cloud platform. If you're running a self-hosted environment you should follow the next steps.
FlowFuse file nodes replace the core Node-RED file nodes. To make use of these nodes, the FlowFuse platform Administrator must ensure the core file nodes are not loaded.
This is done by adding
10-file.js in the Exclude nodes by filename
section of your instance settings under the Palette section.
This setting is modifiable only by a Team owner and only if it has not been locked in the template by the platform Administrator.
Click here, to learn more about the usage of the FlowFuse File Nodes.
# Content Security Policy
Content-Security-Policy headers. Default:
|Overrides the default set of directives, supplied as a JSON object defined by HelmetJS here
|Enables reporting only mode. Default:
|Provides at URI for reporting to be sent to if enabled