Restrict access to RabbitMQ via IP - rabbitmq

I installed RabbitMQ via a Docker image on a machine, including the management and rabbitmq_auth_backend_ip_range plugins. I want to restrict access to the ports 5671/2 and 15672 so that only certain IPs can access them.
As 15672 is the web interface, I have no current solution for that. Any ideas on that?
For 5671/2 (which one is the secure one?) I want to use the plugin rabbitmq_auth_backend_ip_range because, as far as I understood, that's its purpose.
My current rabbitmq.config looks like this:
[
  {rabbit, [
    {auth_backends, [{rabbit_auth_backend_ip_range}]}
  ]},
  {rabbitmq_auth_backend_ip_range, [
    {tag_masks,
      [{'administrator', [<<"::FFFF:192.168.0.0/112">>]}]
    }
  ]}
].
According to the documentation that allows access only for accounts tagged with administrator. But if I do a telnet, nothing has changed:
telnet ip-address 5672
I can access it. How do you pass credentials via telnet? How is IP restriction done with RabbitMQ?

rabbitmq-auth-backend-ip-range only provides an authentication mechanism to log in to / talk to the RabbitMQ server. That doesn't mean your 5672 port is not open.
You will still be able to telnet to 5672, but if some administrator user tries to connect to the RabbitMQ server, then it should match the given IP address; otherwise an authentication failure will be returned.
For RabbitMQ Management you can define the IP address like this:
{rabbitmq_management, [
  {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
]}

rabbitmq-auth-backend-ip-range is a community plugin for client authorization based on source IP address. With this community plugin, we can restrict access for clients on the basis of IP address.
Steps to configure the plugin in RabbitMQ version 3.6.X:
wget https://dl.bintray.com/rabbitmq/community-plugins/3.6.x/rabbitmq_auth_backend_ip_range/rabbitmq_auth_backend_ip_range-20180116-3.6.x.zip
Unzip the content to /usr/lib/rabbitmq/lib/rabbitmq_server-3.x/plugins
Enable the plugin:
rabbitmq-plugins enable rabbitmq_auth_backend_ip_range
Set a custom tag that this plugin will restrict to certain IP addresses:
rabbitmqctl set_user_tags custom_user custom_tag
Edit the RabbitMQ configuration file:
vi /etc/rabbitmq/rabbitmq.config
[
  {rabbit, [
    {tcp_listeners, [5672]},
    {auth_backends, [
      {rabbit_auth_backend_internal,
        [rabbit_auth_backend_internal, rabbit_auth_backend_ip_range]
      }
    ]}
  ]},
  {rabbitmq_auth_backend_ip_range, [
    {tag_masks,
      [{'customtag', [<<"::FFFF:172.xx.xx.xxx">>]}]},
    {default_masks, [<<"::0/0">>]}
  ]}
].
This configuration has the effect that a user with the tag customtag will only be able to connect to the RabbitMQ server from IP address 172.xx.xx.xxx, while all other tags can access it from any IP address.
sudo service rabbitmq-server restart
PS: As there is no valid link online explaining how to configure the rabbitmq_auth_backend_ip_range plugin, I answered this question with the configuration steps.
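To make the tag_masks / default_masks semantics discussed in the question and the two answers above concrete, here is an added Python model of the decision the plugin makes (this is example code written for this page, not the plugin's own Erlang code). It assumes the behaviour the answers describe: a user whose tags appear in tag_masks may only connect from addresses inside those masks, every other user falls through to default_masks, and IPv4 clients are compared in their IPv4-mapped IPv6 form (which is why the masks on the page are written as ::FFFF:a.b.c.d/prefix). The constructed configuration mirrors the administrator example from the question.

```python
import ipaddress

# Constructed configuration mirroring the rabbitmq_auth_backend_ip_range
# entries shown on the page. Masks use the IPv4-mapped IPv6 notation the
# plugin examples use; "::FFFF:192.168.0.0/112" is 192.168.0.0/16.
TAG_MASKS = {
    "administrator": ["::FFFF:192.168.0.0/112"],
}
DEFAULT_MASKS = ["::0/0"]  # users with no listed tag: any source address


def to_v6(addr):
    """Normalise a client address to IPv6; IPv4 becomes its ::ffff: mapped form."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv4Address):
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip


def to_v6_network(mask):
    """Normalise a mask to an IPv6 network so plain IPv4 masks compare correctly.

    Accepting plain IPv4 masks ("10.0.0.0/8") here is an assumption of this
    model; the page only shows the mapped form.
    """
    net = ipaddress.ip_network(mask, strict=False)
    if isinstance(net, ipaddress.IPv4Network):
        mapped = "::ffff:" + str(net.network_address)
        # An IPv4 /n becomes a mapped IPv6 /(n + 96).
        return ipaddress.IPv6Network((mapped, net.prefixlen + 96), strict=False)
    return net


def ip_allowed(user_tags, client_ip, tag_masks=None, default_masks=None):
    """Decide whether a user holding `user_tags` may connect from `client_ip`.

    Assumed semantics (a model of the answers above, not the plugin code):
      * the masks of every user tag listed in tag_masks are pooled;
      * if none of the user's tags is listed, default_masks applies;
      * access is granted when the client address falls in any pooled mask.
    """
    tag_masks = TAG_MASKS if tag_masks is None else tag_masks
    default_masks = DEFAULT_MASKS if default_masks is None else default_masks
    ip = to_v6(client_ip)
    if any(tag in tag_masks for tag in user_tags):
        masks = [m for tag in user_tags for m in tag_masks.get(tag, [])]
    else:
        masks = list(default_masks)
    return any(ip in to_v6_network(m) for m in masks)


if __name__ == "__main__":
    # Constructed sample connections: (user tags, source address)
    samples = [
        (["administrator"], "192.168.1.5"),
        (["administrator"], "10.0.0.1"),
        (["monitoring"], "10.0.0.1"),
        (["administrator"], "2001:db8::1"),
    ]
    for tags, ip in samples:
        verdict = "allowed" if ip_allowed(tags, ip) else "denied"
        print("%-20s from %-16s -> %s" % (",".join(tags) or "(no tags)", ip, verdict))
```

Two things the model makes visible: the check only runs once a user has presented credentials, so an open TCP port on 5672 (the telnet observation in the question) is unaffected, and a user tagged administrator is denied from a native IPv6 address unless an IPv6 mask is added for that tag, because the mapped range only covers IPv4 clients.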

Related

RabbitMQ Federate to Virtual Host on Same Server

I have a RabbitMQ server which receives messages to an exchange within a virtual host called "ce_func", this exchange is bound to a queue called "azure_trigger".
I'd like to use Azure Functions new RabbitMQ binding to collect from Rabbit. Unfortunately, this is limited to collecting only from virtual host '/' . I was hoping that I could use Rabbit's federation functionality to automatically route to an "azure_trigger" queue within the "/" virtual host of the same server but so far I've failed.
I created a Rabbit "upstream" and "policy" applied to that upstream but I can't figure out the configuration. I have a Federation Status of "Running" but it's only checking the "ce_func" virtual host, I can't see where I can set the target exchange as the "/" virtual host.
Does anyone have any pointers please?
If I understand correctly, you want to deliver messages between queues in different vhosts.
The RabbitMQ community recommends using the Shovel plugin to handle this situation:
The source and destination can be on the same broker (typically in different vhosts) or distinct brokers.
It is possible to reference any virtual host (vhost) in the uri field of the federation-upstream's configuration in the form:
"amqp://" [ username [ ":" password ] "@" ] host [ ":" port ] [ "/" vhost ]
So in simple terms you can whack the vhost on the end of the uri, e.g. amqp://localhost:5672/myvhost... if your vhost name is blank then just make sure you include the trailing slash '/', e.g. amqp://localhost:5672/.
A note specific to the blank vhost from the rabbitmq docs (https://www.rabbitmq.com/uri-spec.html)
The vhost component may be absent; this is indicated by the lack of a
"/" character following the amqp_authority. An absent vhost component
is not equivalent to an empty (i.e. zero-length) vhost name.
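The grammar and the absent-versus-empty rule quoted above are easy to get wrong when writing a federation or shovel upstream URI by hand, so here is an added Python parser for that URI form (example code written for this page, not part of RabbitMQ or its Erlang client). It treats the vhost as a single path segment, percent-decodes it (so the vhost literally named "/" is written %2F), and keeps "no vhost component" (None) distinct from "empty vhost name" (""). The default port per scheme and the fallback to "/" for an absent vhost are assumptions stated in the code.

```python
import re
from urllib.parse import unquote

# Grammar quoted in the answer above (RabbitMQ URI spec):
#   "amqp://" [ username [ ":" password ] "@" ] host [ ":" port ] [ "/" vhost ]
# The vhost is one path segment: a literal "/" inside a vhost name must be
# percent-encoded as %2F, so a second unencoded "/" makes the URI invalid.
_AMQP_URI = re.compile(
    r"^(?P<scheme>amqps?)://"
    r"(?:(?P<user>[^:@/]*)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>\[[^\]]*\]|[^:/@]*)"
    r"(?::(?P<port>\d*))?"
    r"(?P<vhost_part>/[^/]*)?$"
)


def parse_amqp_uri(uri):
    """Split an amqp:// or amqps:// URI into its components.

    "vhost" is None when the component is absent and "" when it is present
    but empty, following the spec text quoted above.
    """
    m = _AMQP_URI.match(uri)
    if m is None:
        raise ValueError("not an amqp/amqps URI of the expected form: %r" % uri)
    scheme = m.group("scheme")
    user, password = m.group("user"), m.group("password")
    port, vhost_part = m.group("port"), m.group("vhost_part")
    return {
        "scheme": scheme,
        "user": unquote(user) if user is not None else None,
        "password": unquote(password) if password is not None else None,
        # Assumption: an absent host is treated as localhost.
        "host": m.group("host") or "localhost",
        # Assumption: 5671 for amqps, 5672 for amqp when no port is given.
        "port": int(port) if port else (5671 if scheme == "amqps" else 5672),
        "vhost": None if vhost_part is None else unquote(vhost_part[1:]),
    }


def is_valid_amqp_uri(uri):
    """True when the URI matches the grammar, False otherwise."""
    return _AMQP_URI.match(uri) is not None


def effective_vhost(uri, client_default="/"):
    """The vhost a connection will actually use.

    Assumption: when the component is absent the client falls back to
    `client_default`; an explicitly empty name is used as-is.
    """
    vhost = parse_amqp_uri(uri)["vhost"]
    return client_default if vhost is None else vhost


if __name__ == "__main__":
    # Constructed sample upstream URIs for a shovel/federation definition.
    for sample in ("amqp://localhost:5672",
                   "amqp://localhost:5672/",
                   "amqp://localhost:5672/%2F",
                   "amqp://localhost:5672/myvhost",
                   "amqps://user:secret@broker.example/ce_func"):
        parsed = parse_amqp_uri(sample)
        print("%-45s vhost=%r effective=%r" % (sample, parsed["vhost"], effective_vhost(sample)))
```

Running the block shows the three spellings side by side: amqp://localhost:5672 carries no vhost (the client's default applies), amqp://localhost:5672/ names the empty vhost, and amqp://localhost:5672/%2F names the vhost "/"; a URI whose password contains characters such as "@" or ":" must likewise be percent-encoded or the parse fails.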

what is bitnami activemq URL to connect to?

I have created ActiveMQ through a Bitnami Google Cloud VM. I do not know what URL to use, i.e. what URL to send messages to?
Bitnami developer here,
You can connect to the ActiveMQ admin panel by browsing to http://YOUR_DOMAIN:8161/. You must use the username and password obtained from the server dashboard. Note that if you want to connect to ActiveMQ from a different machine, you must have ports 61616 and 8161 open for remote access.
You could also use an SSH tunnel like the one below...
ssh -i YOUR_KEY_FILE -N -L 8161:127.0.0.1:8161 bitnami@YOUR_DOMAIN
...and then browse to http://127.0.0.1:8161/
By default, all ActiveMQ transport connectors are enabled.
If you want to debug errors, you can find the main ActiveMQ log file at /opt/bitnami/activemq/data/activemq.log.
I hope it helps.

certificate based authentication in rabbitmq-management plugin

RabbitMQ supports certificate-based authentication using the rabbitmq-auth-mechanism-ssl plugin (https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl/blob/rabbitmq_v3_6_9/README.md). I was able to get password-less authentication working for the AMQP protocol using this plugin.
However, I could not get the same certificate-based (password-less) authentication working for the rabbitmq-management plugin, which uses HTTP (for the web UI). From the documentation it is not clear whether this is supported.
Does rabbitmq-management support certificate-based authentication? If yes, please share the relevant links.
Found this site - it looks legitimate, but I haven't tried it yet myself.
http://www.gettingcirrius.com/2013/01/securing-rabbitmq-management-console.html
Quoting from the link:
Edit the rabbitmq.config file in the /etc/rabbitmq directory.
Add a configuration entry (the listener must sit inside the rabbitmq_management application's section for the brackets to balance):
[{rabbitmq_management,
  [{listener,
    [{port, 15672},
     {ssl, true},
     {ssl_opts,
      [{cacertfile, "/etc/rabbitmq/ssl/ca/cacert.pem"},
       {certfile, "/etc/rabbitmq/ssl/server/{hostname}.cert.pem"},
       {keyfile, "/etc/rabbitmq/ssl/server/{hostname}.key.pem"}]}
    ]}
  ]}
].
Restart RabbitMQ.
sudo service rabbitmq-server start

Rabbitmq 3.5.6 cannot set AMQP port

I installed RabbitMQ (v3.5.6) via brew.
I can use the command (/usr/local/Cellar/rabbitmq/sbin/rabbitmq-server) to start the server,
and I can use http://localhost:15672/ to browse the management page.
I guess I installed RabbitMQ successfully.
I want to change the AMQP port to 5673, and I followed the documentation,
editing /usr/local/etc/rabbitmq/rabbitmq.config as below, but it fails.
[
{rabbit, [{tcp_listeners, [5673]}]}
].
The port is still 5673. However, I can use this file to set the MQTT port to 11883 (default 1883).
What is happening?
Yes, the file should be
/etc/rabbitmq/rabbitmq.conf
I think that your problem is that you are not rebooting your server/computer.
To apply the changes in your configuration file you have to reboot your server.

Bind ip wrong in redis config

log: Creating Server TCP listening socket (myip:port): bind: Cannot assign requested address
my redis.conf:
bind 10.114.234.11
When I configure it like this
bind 127.0.0.1
it works well.
You likely do not currently have any interfaces set up for the 10.x.x.x subnet. If you're on any flavor of Linux, ifconfig should be able to tell you which interfaces are currently set up. For example, I'm running Mint 17:
$ ifconfig | grep "inet addr"
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
So I (like you) would not be able to bind Redis (or most any other service requesting a TCP socket) to 10.x.x.x. If you are really trying to listen for connections on that subnet, you will need to change your network setup (how exactly that would be done depends largely on your operating system).
I also faced the same issue while setting up Redis for remote access. I was using Google Cloud Platform and we created a Google Compute Engine VM instance where we installed our Redis server. Redis doesn't ship with security configured by default. You have to perform some steps to secure it. Updating the IP address in the bind line of redis.conf will allow access only from those IP addresses. When we were doing it, we were getting the same error.
To solve this issue we didn't add IP addresses in the redis.conf file; instead, in the Google Cloud firewall rules, when you add a port-open record under network -> IP ranges you can specify the IP addresses you want to allow to access Redis. In the redis.conf file update bind 127.0.0.1 to bind 0.0.0.0. So basically we restrict it from the Google Cloud firewall rules dashboard.
Below are the steps to add IP address restrictions:
Log in to your Google Cloud console
Navigate to VPC Network -> Firewall Rules
Click on CREATE FIREWALL RULE or edit an existing one if it's already there
In Source IP ranges add your IP address to allow access only from it - See below screenshot
Once you create this rule, add its source tags under your VM instance's network type and you are done.
I have faced the same issue when I changed the default redis.conf to a custom Redis conf; after changing the bind as below it started working. Please be aware that the conf below will open the Redis connection to all sources.
bind 127.0.0.1 -::1 to bind 0.0.0.0 -::1
In /etc/redis/redis.conf
please change
bind 127.0.0.1 ::1
to
bind 0.0.0.0
then restart:
/etc/init.d/redis-server restart
It works for me.