I have installed RabbitMQ on a Debian Linux Squeeze machine, and I would like it to only listen to the localhost interface. I have added
RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
to my /etc/rabbitmq/rabbitmq.conf
file, and that makes it bind to only the localhost interface when listening on the amqp
port (5672). However, it still binds to all interfaces when listening on ports epmd (4369) and 43380:
# lsof -n -a -i -urabbitmq
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
epmd 7353 rabbitmq 3u IPv4 1177662 0t0 TCP *:epmd (LISTEN)
epmd 7353 rabbitmq 5u IPv4 1177714 0t0 TCP 127.0.0.1:epmd->127.0.0.1:50877 (ESTABLISHED)
beam.smp 7365 rabbitmq 10u IPv4 1177711 0t0 TCP *:43380 (LISTEN)
beam.smp 7365 rabbitmq 11u IPv4 1177713 0t0 TCP 127.0.0.1:50877->127.0.0.1:epmd (ESTABLISHED)
beam.smp 7365 rabbitmq 19u IPv4 1177728 0t0 TCP 127.0.0.1:amqp (LISTEN)
How do I prevent this? Do I have to set up iptables, or are there additional RabbitMQ configuration options that will make it do what I want?
Best Answer
Putting the following in
/etc/rabbitmq/rabbitmq-env.conf
will make RabbitMQ and epmd listen on only localhost:It takes a bit more work to configure Erlang to only use localhost for the higher numbered port (which is used for clustering nodes as far as I can tell). If you don't care about clustering and just want Rabbit to be run fully locally then you can pass Erlang a kernel option for it to only use the loopback interface.
To do so, create a new file in
/etc/rabbitmq/
- I'll call itrabbit.config
. In this file we'll put the Erlang option that we need to load on run time.If you're using the management plugin and also want to limit that to localhost, you'll need to configure its ports separately, making the rabbit.config include this:
[ {rabbitmq_management, [ {listener, [{port, 15672}, {ip, "127.0.0.1"}]} ]}, {kernel, [ {inet_dist_use_interface,{127,0,0,1}} ]} ].
(Note RabbitMQ leaves epmd running when it shuts down, so if you want to block off Erlang's clustering port, you will need to restart epmd separately from Rabbit.)
Next we need to have RabbitMQ load this at startup. Open up
/etc/rabbitmq/rabbitmq.conf
again and put the following at the top:This loads that config file when the rabbit server is started and will pass the options to Erlang.
You should now have all Erlang/RabbitMQ processes listening only on localhost! This can be checked with
netstat -ntlap
EDIT : In older versions of RabbitMQ, the configuration file is :
/etc/rabbitmq/rabbitmq.conf
. However, this file has been replaced by therabbit-env.conf
file.