How to make RabbitMQ listen only to localhost

rabbitmq

I have installed RabbitMQ on a Debian Linux Squeeze machine, and I would like it to only listen to the localhost interface. I have added

RABBITMQ_NODE_IP_ADDRESS=127.0.0.1

to my /etc/rabbitmq/rabbitmq.conf file, and that makes it bind to only the localhost interface when listening on the amqp port (5672). However, it still binds to all interfaces when listening on ports epmd (4369) and 43380:

# lsof -n -a -i -urabbitmq
COMMAND   PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
epmd     7353 rabbitmq    3u  IPv4 1177662      0t0  TCP *:epmd (LISTEN)
epmd     7353 rabbitmq    5u  IPv4 1177714      0t0  TCP 127.0.0.1:epmd->127.0.0.1:50877 (ESTABLISHED)
beam.smp 7365 rabbitmq   10u  IPv4 1177711      0t0  TCP *:43380 (LISTEN)
beam.smp 7365 rabbitmq   11u  IPv4 1177713      0t0  TCP 127.0.0.1:50877->127.0.0.1:epmd (ESTABLISHED)
beam.smp 7365 rabbitmq   19u  IPv4 1177728      0t0  TCP 127.0.0.1:amqp (LISTEN)

How do I prevent this? Do I have to set up iptables, or are there additional RabbitMQ configuration options that will make it do what I want?

Best Answer

Putting the following in /etc/rabbitmq/rabbitmq-env.conf will make RabbitMQ and epmd listen on only localhost:

export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
export ERL_EPMD_ADDRESS=127.0.0.1

It takes a bit more work to configure Erlang to only use localhost for the higher numbered port (which is used for clustering nodes as far as I can tell). If you don't care about clustering and just want Rabbit to be run fully locally then you can pass Erlang a kernel option for it to only use the loopback interface.

To do so, create a new file in /etc/rabbitmq/ - I'll call it rabbit.config. In this file we'll put the Erlang option that we need to load at run time.

[{kernel,[{inet_dist_use_interface,{127,0,0,1}}]}].

If you're using the management plugin and also want to limit that to localhost, you'll need to configure its ports separately, making the rabbit.config include this:

[
  {rabbitmq_management, [
    {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
  ]},
  {kernel, [
    {inet_dist_use_interface, {127,0,0,1}}
  ]}
].

(Note: RabbitMQ leaves epmd running when it shuts down, so if you want to block off Erlang's clustering port, you will need to restart epmd separately from Rabbit.)

Next we need to have RabbitMQ load this at startup. Open up /etc/rabbitmq/rabbitmq.conf again and put the following at the top:

export RABBITMQ_CONFIG_FILE="/etc/rabbitmq/rabbit"

This loads that config file when the rabbit server is started and will pass the options to Erlang.

You should now have all Erlang/RabbitMQ processes listening only on localhost! This can be checked with netstat -ntlap.

EDIT: In older versions of RabbitMQ, the configuration file is /etc/rabbitmq/rabbitmq.conf. However, this file has been replaced by the rabbitmq-env.conf file.
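A way to verify the result of the answer above, added here as an example and not part of the original answer: the filter reads lsof output in the format shown in the question and reports every listening socket that is not bound to loopback. The function names and the "after" sample are constructed for illustration.

```shell
#!/bin/sh
# Print "COMMAND NAME" for every LISTEN socket in lsof output (stdin)
# that is not bound to a loopback address.
non_loopback_listeners() {
    awk '
        $NF == "(LISTEN)" {
            name = $(NF-1)            # e.g. *:epmd, 127.0.0.1:amqp, [::1]:amqp
            addr = name
            sub(/:[^:]*$/, "", addr)  # strip the trailing :port
            if (addr !~ /^127\./ && addr != "[::1]")
                print $1, name
        }'
}

# lsof listing from the question (before the fix).
SAMPLE_BEFORE='COMMAND   PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
epmd     7353 rabbitmq    3u  IPv4 1177662      0t0  TCP *:epmd (LISTEN)
epmd     7353 rabbitmq    5u  IPv4 1177714      0t0  TCP 127.0.0.1:epmd->127.0.0.1:50877 (ESTABLISHED)
beam.smp 7365 rabbitmq   10u  IPv4 1177711      0t0  TCP *:43380 (LISTEN)
beam.smp 7365 rabbitmq   11u  IPv4 1177713      0t0  TCP 127.0.0.1:50877->127.0.0.1:epmd (ESTABLISHED)
beam.smp 7365 rabbitmq   19u  IPv4 1177728      0t0  TCP 127.0.0.1:amqp (LISTEN)'

# Constructed sample: the same listing with every listener on loopback.
SAMPLE_AFTER='COMMAND   PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
epmd     7353 rabbitmq    3u  IPv4 1177662      0t0  TCP 127.0.0.1:epmd (LISTEN)
beam.smp 7365 rabbitmq   10u  IPv4 1177711      0t0  TCP 127.0.0.1:43380 (LISTEN)
beam.smp 7365 rabbitmq   19u  IPv4 1177728      0t0  TCP 127.0.0.1:amqp (LISTEN)'

# Run the filter over one of the embedded samples.
check_sample() {
    printf '%s\n' "$1" | non_loopback_listeners
}

echo "exposed before:"; check_sample "$SAMPLE_BEFORE"
echo "exposed after:";  check_sample "$SAMPLE_AFTER"

# Live check on the host, using the command from the question (as root):
#   lsof -n -a -i -urabbitmq | non_loopback_listeners
```

An empty result from the live check means epmd, the distribution port and the AMQP listener are all bound to loopback.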
