Restrict access to RabbitMQ via IP


I installed RabbitMQ via a Docker image on a machine, including the management and rabbitmq_auth_backend_ip_range plugins. I want to restrict access to ports 5671/2 and 15672 so that only certain IPs can access them.

As 15672 is the web interface, I have no current solution for that. Any ideas on that?

For 5671/2 (which one is the secure one?) I want to use the plugin rabbitmq_auth_backend_ip_range because as far as I understood, that's its purpose.

My current rabbitmq.config looks like this:

[
    {rabbit, [
        {auth_backends, [{rabbit_auth_backend_ip_range}]}
    ]},
    {rabbitmq_auth_backend_ip_range, [
        {tag_masks,
            [{'administrator', [<<"::FFFF:192.168.0.0/112">>]}]
        }
    ]}
].

According to the documentation, that allows access only for accounts tagged with administrator. But if I do a telnet, nothing has changed:

telnet ip-address 5672

I can access it. How do you pass credentials via telnet? How is IP restriction done with RabbitMQ?

2

There are 2 best solutions below

3
On BEST ANSWER

rabbitmq-auth-backend-ip-range only provides an authentication mechanism to log in/talk to the RabbitMQ server. That doesn't mean your 5672 port is not open. You will still be able to telnet to 5672, but if an administrator user tries to connect to the RabbitMQ server, then it should match the given IP address; otherwise an authentication failure will be returned.

For RabbitMQ Management you can define the IP address something like this:

{rabbitmq_management, [
    {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
]}
0
On

rabbitmq-auth-backend-ip-range is a community plugin for client authorization based on source IP address. With this community plugin, we can restrict client access on the basis of IP address.

Steps to configure the plugin in RabbitMQ version 3.6.X

[
    {rabbit, [
        {tcp_listeners, [5672]},
        {auth_backends, [
            {rabbit_auth_backend_internal,
                [rabbit_auth_backend_internal, rabbit_auth_backend_ip_range]
            }
        ]}
    ]},
    {rabbitmq_auth_backend_ip_range, [
        {tag_masks,
            [{'customtag', [<<"::FFFF:172.xx.xx.xxx">>]}]},
        {default_masks, [<<"::0/0">>]}
    ]}
].
  • This configuration takes effect in such a way that the user with tag customtag will be able to connect to the RabbitMQ server from IP address 172.xx.xx.xxx, and all other tags can access from any IP address
  • sudo service rabbitmq-server restart

PS: As there is no valid link online for configuring the rabbitmq_auth_backend_ip_range plugin, I answered this question with the configuration steps.
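
An added example (not part of either answer and not the plugin's code) that models how the masks above select clients: it maps an IPv4 client into the `::FFFF:` form the masks use, shows that `/112` on a mapped address equals an IPv4 `/16`, and evaluates tag and default masks. The fallback rule (tags with an entry use their own masks, all other users use `default_masks`) is an assumption taken from the second answer's description, and `172.16.5.10` is a constructed stand-in for the elided address. As the first answer notes, this check applies at login, so a bare TCP connection to 5672 still opens.

```python
import ipaddress

# Constructed config in the shape of the answers' tag_masks/default_masks.
CONFIG = {
    "tag_masks": {
        "administrator": ["::FFFF:192.168.0.0/112"],  # mask from the question
        "customtag": ["::FFFF:172.16.5.10"],          # constructed address
    },
    "default_masks": ["::0/0"],
}

def to_mapped_v6(client):
    """Return the client address as IPv6, mapping IPv4 into ::ffff:0:0/96."""
    addr = ipaddress.ip_address(client)
    if addr.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(addr))
    return addr

def ipv4_equivalent(mask):
    """Translate an IPv4-mapped IPv6 mask to its IPv4 CIDR, else None."""
    net = ipaddress.ip_network(mask, strict=False)
    if net.version != 6 or net.prefixlen < 96:
        return None
    v4 = net.network_address.ipv4_mapped
    if v4 is None:
        return None
    # The first 96 bits are the ::ffff: prefix; the rest is the IPv4 prefix.
    return str(ipaddress.IPv4Network((int(v4), net.prefixlen - 96)))

def is_allowed(client, user_tags, config=CONFIG):
    """Assumed rule: listed tags use their masks, others the default masks."""
    addr = to_mapped_v6(client)
    listed = [t for t in user_tags if t in config["tag_masks"]]
    if listed:
        masks = [m for t in listed for m in config["tag_masks"][t]]
    else:
        masks = config["default_masks"]
    return any(addr in ipaddress.ip_network(m, strict=False) for m in masks)

if __name__ == "__main__":
    print(ipv4_equivalent("::FFFF:192.168.0.0/112"))
    for ip, tags in [("192.168.3.7", ["administrator"]),
                     ("10.0.0.5", ["administrator"]),
                     ("10.0.0.5", ["monitoring"])]:
        print(ip, tags, "allowed" if is_allowed(ip, tags) else "refused")
```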