Restrict access to RabbitMQ via IP

Question

I installed rabbit mq via docker image on a machine including the management and rabbitmq_auth_backend_ip_range plugins. I want to restrict access to the ports 5671/2 and 15672 to only allow certain IPs accessing them.

As 15672 is the web interface, I have not current solution for that. Any ideas on that?

For 5671/2 (which one is the secure one?) I want to use the plugin rabbitmq_auth_backend_ip_range because as far as I understood, that's its purpose.

My current rabbitmq.config looks like this:

[
    {rabbit, [
        {auth_backends, [{rabbit_auth_backend_ip_range}]}
    ]},
    {rabbitmq_auth_backend_ip_range, [
        {tag_masks,
            [{'administrator', [<<"::FFFF:192.168.0.0/112">>]}]
        }
    ]}
].

According to the documentation that allows access only for accounts tagged with administrator. But if I do a telnet nothing changed:

telnet ip-address 5672

I can access it. How do you pass over credentials via telnet? How is ip restriction done with rabbit mq?

score 4 · Accepted Answer · answered Dec 23 '16 at 06:58

4

rabbitmq-auth-backend-ip-range is only providing authentication mechanism to login/talk to rabbitmq server. That doesn't mean your 5672 port is not open. You will still be able to telnet on 5672 but if some administrator user tries to connect particularly to RabbitMQ server than it should match with the given IP address otherwise authentication failed will return

For RabbitMQ Management you can define IP address something like this:

{rabbitmq_management, [
        {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
    ]}

answered Dec 23 '16 at 06:58

kleash

1,211
1
12
31

1

How can you authenticate as administrator via telnet? – tester Dec 23 '16 at 08:27
Are you able to get any output while telnet to 5672? I don't think simple <> will give you any response. There should be a proper handshake required by providing authentication detail.. – kleash Dec 23 '16 at 08:58
Okay, maybe I had the guest account active at that time I tried it. – tester Dec 23 '16 at 10:00

score 1 · Answer 2 · answered Jun 12 '18 at 09:01

Rabbitmq-auth-backend-ip-range link is community plugin for client authorization based on source IP address. With this community plugin, we can restrict access to client on the basis of IP address

Steps To configure plugin in rabbitmq version 3.6.X

wget https://dl.bintray.com/rabbitmq/community-plugins/3.6.x/rabbitmq_auth_backend_ip_range/rabbitmq_auth_backend_ip_range-20180116-3.6.x.zip
unzip content to /usr/lib/rabbitmq/lib/rabbitmq_server-3.x/plugins
Enable plugin:rabbitmq-plugins enable rabbitmq_auth_backend_ip_range
Set a custom tag to which this plugin will block for certain IP address
- rabbitmqctl set_user_tags custom_user custom_tag
Configure rabbitmqctl configuration file
- vi /etc/rabbitmq/rabbitmq.config

[
{rabbit, [
    {tcp_listeners, [5672]},
    {auth_backends, [
        {rabbit_auth_backend_internal,
        [rabbit_auth_backend_internal, rabbit_auth_backend_ip_range]
        }
    ]
    }
]},
{rabbitmq_auth_backend_ip_range, [
    {tag_masks,
        [{'customtag', [<<"::FFFF:172.xx.xx.xxx">>]}]},
    {default_masks, [<<"::0/0">>]}
]}
].

this configuration will effect in such a way that the user with tag customtag will able to connect to rabbitmq server with IP address 172.xx.xx.xxx and all other tags can access from any IP address
sudo service rabbitmq-server restart

PS: As there is no valid link online to configure the rabbitmq_auth_backend_ip_range plugin, so I answered this question with the configuration steps

Restrict access to RabbitMQ via IP

2 Answers2

Linked