[rabbitmq-discuss] Separate authorization mechanisms for SSL and non-SSL?

Simon MacMullen simon at rabbitmq.com
Tue Nov 27 10:52:09 GMT 2012


On 26/11/12 20:55, michi.oshima wrote:
> Hi,

Hi!

> I would like to configure my RabbitMQ server so that:
>
> 1. SSL connection (port: 5671) would authenticate user with EXTERNAL only
> (to use rabbitmq_auth_mechanism_ssl plugin).
> 2. Non-SSL connection (port: 5672) would authenticate user with another
> method, for example PLAIN.
>
> Why would I want this?  I'm trying to use the SSL port for "external" connections
> (e.g., WAN).  While at the same time "local" connections can be made to the
> non-SSL port.
>
> Is the above possible?  If so, how would I configure my RabbitMQ?

You can't configure the server to offer different authentication 
mechanisms on different ports. But I'm not sure you need to.

In your example above, you can configure RabbitMQ to accept both PLAIN 
and EXTERNAL. Clients to the SSL port can select EXTERNAL, and clients 
to the non-SSL port can select PLAIN. If a non-SSL client selects 
EXTERNAL, rabbitmq_auth_mechanism_ssl will automatically reject them. 
And if an SSL client selects PLAIN, do you really mind? (And if you do, 
you can make sure the users connecting via SSL do not have passwords 
set; then they won't be able to log in with PLAIN.)

Cheers, Simon

-- 
Simon MacMullen
RabbitMQ, VMware
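
The setup described in the reply above, as an added configuration example that is not part of the original message: a classic-format rabbitmq.config offering both PLAIN and EXTERNAL on both listeners. The certificate paths and the user name in the comments are placeholders, and requiring a client certificate on the SSL port is an assumption made here so that EXTERNAL has a certificate to work with.

```erlang
%% rabbitmq.config (classic Erlang-term format). Added example, not from the thread.
%% Prerequisite: rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
[
  {rabbit, [
    %% Plain TCP for "local" clients, TLS for "external" (WAN) clients.
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},

    %% Mechanisms are offered server-wide, not per port. Clients choose one.
    %% EXTERNAL chosen on 5672 is rejected by the plugin because there is
    %% no peer certificate on a non-SSL connection.
    {auth_mechanisms, ['PLAIN', 'EXTERNAL']},

    %% Placeholder paths: substitute your own CA and server key material.
    {ssl_options, [
      {cacertfile, "/path/to/ca_certificate.pem"},
      {certfile,   "/path/to/server_certificate.pem"},
      {keyfile,    "/path/to/server_key.pem"},
      %% Assumption: demand and verify a client certificate on 5671.
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]}
  ]}
].

%% To stop a certificate-authenticated user from also logging in with PLAIN,
%% remove that user's password ("wan_client" is a placeholder name):
%%   rabbitmqctl clear_password wan_client
```

With this file, a PLAIN login over 5671 still succeeds for any user that has a password, which is the case the reply's last sentence addresses.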

