Restrict access to RabbitMQ via IP


Problem description

I installed RabbitMQ via a Docker image on a machine, including the management and rabbitmq_auth_backend_ip_range plugins. I want to restrict access to ports 5671/2 and 15672 to only allow certain IPs to access them.

As 15672 is the web interface, I have no current solution for that. Any ideas on that?

For 5671/2 (which one is the secure one?) I want to use the plugin rabbitmq_auth_backend_ip_range because, as far as I understood, that's its purpose.

My current rabbitmq.config looks like this:

[
    {rabbit, [
        {auth_backends, [{rabbit_auth_backend_ip_range}]}
    ]},
    {rabbitmq_auth_backend_ip_range, [
        {tag_masks,
            [{'administrator', [<<"::FFFF:192.168.0.0/112">>]}]
        }
    ]}
].

According to the documentation, that allows access only for accounts tagged with administrator. But if I do a telnet, nothing changed:

telnet ip-address 5672

I can access it. How do you pass credentials via telnet? How is IP restriction done with RabbitMQ?

Recommended answer

rabbitmq-auth-backend-ip-range only provides an authentication mechanism to log in/talk to the RabbitMQ server. That doesn't mean your 5672 port is not open. You will still be able to telnet to 5672, but if some administrator user tries to connect to the RabbitMQ server specifically, then it should match the given IP address; otherwise an authentication failure will be returned.

For RabbitMQ Management you can define the IP address something like this:

{rabbitmq_management, [
        {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
    ]}
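
The mask in the question's config is an IPv4-mapped IPv6 CIDR, and the answer's point is that it is evaluated when a user logs in, not when the TCP connection opens. The following added example (not from the original post or the plugin's code) models that check in Python; the `login_allowed` helper and its treatment of users without a listed tag are assumptions for illustration.

```python
import ipaddress

# Tag and mask copied from the question's rabbitmq.config.
TAG_MASKS = {"administrator": ["::FFFF:192.168.0.0/112"]}


def to_mapped_v6(peer):
    """Return the peer as IPv6, mapping an IPv4 peer into ::ffff:0:0/96."""
    addr = ipaddress.ip_address(peer)
    if addr.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr


def equivalent_v4_network(mask):
    """For an IPv4-mapped IPv6 mask, return the IPv4 network it covers, else None."""
    net = ipaddress.ip_network(mask)
    if net.version != 6 or net.prefixlen < 96:
        return None
    mapped = net.network_address.ipv4_mapped
    if mapped is None:
        return None
    return ipaddress.ip_network(f"{mapped}/{net.prefixlen - 96}")


def login_allowed(peer, user_tags, tag_masks=TAG_MASKS):
    """Hypothetical model of the login-time check, not the plugin's implementation."""
    addr = to_mapped_v6(peer)
    masks = [m for tag in user_tags for m in tag_masks.get(tag, [])]
    if not masks:
        # Assumption: a user holding no listed tag is not limited by tag_masks.
        return True
    return any(addr in ipaddress.ip_network(m) for m in masks)


if __name__ == "__main__":
    print(equivalent_v4_network(TAG_MASKS["administrator"][0]))
    # Constructed sample peers, not taken from the page.
    for peer in ("192.168.1.20", "10.0.0.5", "2001:db8::1"):
        print(peer, login_allowed(peer, ["administrator"]))
```

A plain telnet to 5672 never reaches a check like this, because no login is attempted on that connection.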
