
Restrict access to RabbitMQ via IP


I installed RabbitMQ via a Docker image on a machine, including the management and rabbitmq_auth_backend_ip_range plugins. I want to restrict access to the ports 5671/2 and 15672 to only allow certain IPs to access them.

As 15672 is the web interface, I have no current solution for that. Any ideas on that?

For 5671/2 (which one is the secure one?) I want to use the plugin rabbitmq_auth_backend_ip_range because as far as I understood, that's its purpose.

My current rabbitmq.config looks like this:

[
    {rabbit, [
        {auth_backends, [{rabbit_auth_backend_ip_range}]}
    ]},
    {rabbitmq_auth_backend_ip_range, [
        {tag_masks,
            [{'administrator', [<<"::FFFF:192.168.0.0/112">>]}]
        }
    ]}
].

According to the documentation, that allows access only for accounts tagged with administrator. But if I do a telnet, nothing changed:

telnet ip-address 5672

I can access it. How do you pass over credentials via telnet? How is IP restriction done with RabbitMQ?


Solution

  • rabbitmq-auth-backend-ip-range only provides an authentication mechanism to log in/talk to the RabbitMQ server. That doesn't mean your 5672 port is not open. You will still be able to telnet to 5672, but if an administrator user tries to connect to the RabbitMQ server, then it should match the given IP address, otherwise an authentication failure will be returned.

    For RabbitMQ Management you can define the IP address like this:

    {rabbitmq_management, [
            {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
        ]}