localhost is an internal interface with IP address 127.0.0.1.
192.168.127.129 belongs to your external interface (which in this case happens to be a virtual network interface as opposed to a physical one). localhost and 192.168.127.129 are two different interfaces and so you will get different results, depending on how your network services are configured.
Whatever service you have running on port 8080 only listens on the loopback interface and is not available to the rest of the world, only to TCP/IP clients connecting from localhost.
Putting the following in /etc/rabbitmq/rabbitmq-env.conf will make RabbitMQ and epmd listen on only localhost:
export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
export ERL_EPMD_ADDRESS=127.0.0.1
It takes a bit more work to configure Erlang to only use localhost for the higher numbered port (which is used for clustering nodes as far as I can tell). If you don't care about clustering and just want Rabbit to be run fully locally then you can pass Erlang a kernel option for it to only use the loopback interface.
To do so, create a new file in /etc/rabbitmq/ - I'll call it rabbit.config. In this file we'll put the Erlang option that we need to load at run time.
[{kernel,[{inet_dist_use_interface,{127,0,0,1}}]}].
If you're using the management plugin and also want to limit that to localhost, you'll need to configure its ports separately, making the rabbit.config include this:
[
  {rabbitmq_management, [
    {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
  ]},
  {kernel, [
    {inet_dist_use_interface,{127,0,0,1}}
  ]}
].
(Note RabbitMQ leaves epmd running when it shuts down, so if you want to block off Erlang's clustering port, you will need to restart epmd separately from Rabbit.)
Next we need to have RabbitMQ load this at startup. Open up /etc/rabbitmq/rabbitmq.conf again and put the following at the top:
export RABBITMQ_CONFIG_FILE="/etc/rabbitmq/rabbit"
This loads that config file when the rabbit server is started and will pass the options to Erlang.
You should now have all Erlang/RabbitMQ processes listening only on localhost! This can be checked with netstat -ntlap
EDIT: In older versions of RabbitMQ, the configuration file is /etc/rabbitmq/rabbitmq.conf. However, this file has been replaced by the rabbit-env.conf file.
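An added example, not part of the answers above: a shell filter that turns the `netstat -ntlap` check into a pass/fail test by listing every LISTEN socket owned by epmd or the Erlang VM that is not bound to loopback. The function name, the sample PIDs and the two sample listings are constructed for illustration; ports 4369 and 5672 are the usual epmd and AMQP defaults, which the answers do not state.

```shell
# Added example: reads `netstat -ntlap` output on stdin and prints
# "<address> <port> <pid/program>" for each exposed Erlang/RabbitMQ listener.
# Exit status: 0 = everything is loopback-only, 1 = at least one exposed listener.
exposed_erlang_listeners() {
    awk '
        # Only listening TCP sockets owned by epmd or beam / beam.smp.
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/(epmd|beam)/ {
            port = $4; sub(/^.*:/, "", port)      # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (host != "127.0.0.1" && host != "::1") {
                print host, port, $7
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: default install, before the configuration above is applied.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address    Foreign Address  State       PID/Program name
tcp        0      0 0.0.0.0:4369     0.0.0.0:*        LISTEN      812/epmd
tcp        0      0 0.0.0.0:15672    0.0.0.0:*        LISTEN      954/beam.smp
tcp        0      0 127.0.0.1:5672   0.0.0.0:*        LISTEN      954/beam.smp
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN      601/sshd
tcp        0      0 127.0.0.1:5672   127.0.0.1:40112  ESTABLISHED 954/beam.smp
tcp6       0      0 :::4369          :::*             LISTEN      812/epmd'

# Constructed sample: after restarting both RabbitMQ and epmd with the new settings.
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address    Foreign Address  State       PID/Program name
tcp        0      0 127.0.0.1:4369   0.0.0.0:*        LISTEN      1310/epmd
tcp        0      0 127.0.0.1:15672  0.0.0.0:*        LISTEN      1342/beam.smp
tcp        0      0 127.0.0.1:5672   0.0.0.0:*        LISTEN      1342/beam.smp
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN      601/sshd'

# Demo on the constructed data; on a real host: netstat -ntlap | exposed_erlang_listeners
printf '%s\n' "$SAMPLE_BEFORE" | exposed_erlang_listeners || echo "exposed listeners found"
```

Run netstat as root so the PID/Program name column is filled in; without it the filter cannot tell which sockets belong to epmd or the Erlang VM.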
Best Answer
This port is already secure. Access to this port is controlled by a Cookie, which is basically a developer key that is unique to this particular server and is created at install time. It is probably located in /var/lib/rabbitmq/.erlang.cookie although it is possible for a distro to change that location. You will note that the cookie file is only readable by root.
If a remote node (another server) or a local node (another Erlang instance on this server) wants to communicate with your RabbitMQ server, they must present the cookie when communicating via EPMD or the requests will be ignored.
If you are following RabbitMQ best practices then you will have RabbitMQ running on its own server, and there will be two or three other RabbitMQ servers that are clustered with it. In this context "clustered" means sharing the same cookie and communicating via the same EPMD port. Blocking this port is a bad thing.
However, it is generally a good thing to have a perimeter around the cluster, which is managed by a firewall so that the EPMD port can only be used from inside the perimeter. This implies that the blocking is on a firewall device, or a server acting as a firewall, or an EC2 firewall or similar.