How do I make RabbitMQ listen only to localhost?
Putting the following in /etc/rabbitmq/rabbitmq-env.conf will make RabbitMQ and epmd listen on only localhost:
export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
export ERL_EPMD_ADDRESS=127.0.0.1
It takes a bit more work to configure Erlang to only use localhost for the higher numbered port (which is used for clustering nodes as far as I can tell). If you don't care about clustering and just want Rabbit to be run fully locally then you can pass Erlang a kernel option for it to only use the loopback interface.
To do so, create a new file in /etc/rabbitmq/ - I'll call it rabbit.config. In this file we'll put the Erlang option that we need to load at run time.
[{kernel,[{inet_dist_use_interface,{127,0,0,1}}]}].
If you're using the management plugin and also want to limit that to localhost, you'll need to configure its ports separately, making the rabbit.config include this:
[
  {rabbitmq_management, [
    {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
  ]},
  {kernel, [
    {inet_dist_use_interface, {127,0,0,1}}
  ]}
].
(Note RabbitMQ leaves epmd running when it shuts down, so if you want to block off Erlang's clustering port, you will need to restart epmd separately from Rabbit.)
Next we need to have RabbitMQ load this at startup. Open up /etc/rabbitmq/rabbitmq.conf again and put the following at the top:
export RABBITMQ_CONFIG_FILE="/etc/rabbitmq/rabbit"
This loads that config file when the rabbit server is started and will pass the options to Erlang.
You should now have all Erlang/RabbitMQ processes listening only on localhost! This can be checked with netstat -ntlap
EDIT: In older versions of RabbitMQ, the configuration file is /etc/rabbitmq/rabbitmq.conf. However, this file has been replaced by the rabbit-env.conf file.
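The netstat check from the answer above can be turned into a pass/fail test. This is an added example, not part of the original answer: it filters `netstat -ntlp` style output for Erlang/RabbitMQ listeners (beam, epmd) that are bound to anything other than loopback. The function name, the sample lines, the PIDs and the distribution port 43210 are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Erlang/RabbitMQ listeners not bound to loopback.
# Real use (needs root so netstat can show program names):
#   netstat -ntlp | find_exposed_listeners

# Reads netstat lines on stdin, prints "address pid/program" for each
# offending listener, and returns 1 if any were found.
find_exposed_listeners() {
    awk '
        $6 == "LISTEN" && $7 ~ /(beam|epmd)/ {
            host = $4
            sub(/:[0-9]+$/, "", host)      # drop the trailing :port
            if (host != "127.0.0.1" && host != "::1") {
                print $4, $7
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: config applied, but the old epmd was never restarted,
# so it still holds its original wildcard binding.
sample_stale_epmd() {
    cat <<'EOF'
tcp   0 0 127.0.0.1:5672   0.0.0.0:*  LISTEN  2101/beam.smp
tcp   0 0 127.0.0.1:15672  0.0.0.0:*  LISTEN  2101/beam.smp
tcp   0 0 127.0.0.1:43210  0.0.0.0:*  LISTEN  2101/beam.smp
tcp   0 0 0.0.0.0:4369     0.0.0.0:*  LISTEN  1987/epmd
tcp   0 0 0.0.0.0:22       0.0.0.0:*  LISTEN  801/sshd
EOF
}

# Constructed sample: same host after epmd was restarted as well.
sample_local() {
    cat <<'EOF'
tcp   0 0 127.0.0.1:5672   0.0.0.0:*  LISTEN  2101/beam.smp
tcp   0 0 127.0.0.1:15672  0.0.0.0:*  LISTEN  2101/beam.smp
tcp   0 0 127.0.0.1:43210  0.0.0.0:*  LISTEN  2101/beam.smp
tcp   0 0 127.0.0.1:4369   0.0.0.0:*  LISTEN  2230/epmd
tcp   0 0 0.0.0.0:22       0.0.0.0:*  LISTEN  801/sshd
EOF
}

echo "stale epmd:"; sample_stale_epmd | find_exposed_listeners || echo "-> exposed"
echo "restarted:";  sample_local | find_exposed_listeners && echo "-> loopback only"
```

Unrelated listeners such as sshd are ignored, so the non-zero exit status can gate a deployment or monitoring check.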
To make RabbitMQ listen on localhost / bind only to localhost:
3 different ways (all equivalent):
1. Put NODE_IP_ADDRESS=127.0.0.1 in the environment variables file (see http://www.rabbitmq.com/configure.html#define-environment-variables).
2. Put tcp_listeners and ssl_listeners properties in the config file: the configuration entries tcp_listeners and ssl_listeners govern the interfaces that RabbitMQ listens on. An entry for just listening on localhost would be e.g. {tcp_listeners, [{'127.0.0.1', 5672}]} (syntax might not be correct, check it). http://www.rabbitmq.com/configure.html#config-file
3. Export the env. variable in the startup script (/etc/init.d/rabbitmq-server): export RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
The latter worked for me.
EPMD:
The epmd program makes the distributed parts of the Erlang runtime work. If you are building a multi-machine cluster, you need to leave them accessible to other nodes and certainly localhost. But it has built-in protection via a cookie file.
It hardly ever requires any attention. Just keep in mind that Erlang programs (including rabbitmqctl, for example) need to access that port to contact other Erlang programs.
But if you are dealing with financial data or health records, protecting epmd may be a good idea. The default port epmd uses is 4369; other programs connect to it via TCP.
See also: http://www.erlang.org/doc/man/epmd.html#environment_variables
If you need to secure RabbitMQ any further:
- Disable the built-in guest account: http://www.rabbitmq.com/admin-guide.html#default-state
- Consider using SSL and authenticating using the certificate chain
I got these answers from the RabbitMQ community IRC channel.
Would like to thank them.
http://dev.rabbitmq.com/irclog/index.php?date=2011-06-14
Hope the above saves some time for you (it took me 6 hours to find an answer).
If you specify environment variables in the rabbitmq.conf file you have to drop the RABBITMQ_ prefix, so try:
NODE_IP_ADDRESS=127.0.0.1