[rabbitmq-discuss] Separate authorization mechanisms for SSL and non-SSL?
Simon MacMullen
simon at rabbitmq.com
Tue Nov 27 10:52:09 GMT 2012
On 26/11/12 20:55, michi.oshima wrote:
> Hi,
Hi!
> I would like to configure my RabbitMQ server so that:
>
> 1. SSL connection (port: 5671) would authenticate user with EXTERNAL only
> (to use rabbitmq_auth_mechanism_ssl plugin).
> 2. Non-SSL connection (port: 5672) would authenticate user with another
> method, for example PLAIN.
>
> Why would I want this? I'm trying to use SSL port for "external" connection
> (e.g., WAN). While at the same time "local" connection can be made to
> non-SSL port.
>
> Is the above possible? If so, how would I configure my RabbitMQ?
You can't configure the server to offer different authentication
mechanisms on different ports. But I'm not sure you need to.

In your example above, you can configure RabbitMQ to accept both PLAIN
and EXTERNAL. Clients to the SSL port can select EXTERNAL, and clients
to the non-SSL port can select PLAIN. If a non-SSL client selects
EXTERNAL, rabbitmq_auth_mechanism_ssl will automatically reject them.

And if an SSL client selects PLAIN, do you really mind? (And if you do,
you can make sure the users connecting via SSL do not have passwords
set; then they won't be able to log in with PLAIN.)
Cheers, Simon
--
Simon MacMullen
RabbitMQ, VMware
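
The setup described in the reply above, written out as an added example (it is not part of the original message and not the RabbitMQ project's own file): a classic-format rabbitmq.config that offers PLAIN and EXTERNAL on both listeners. The certificate paths and the user name in the last comment are placeholders.

```erlang
%% rabbitmq.config (classic Erlang-term format). Added example; all paths are placeholders.
%% Prerequisite: rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
[
  {rabbit, [
    %% Plain TCP listener for "local" clients, SSL listener for "external" (WAN) clients.
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},

    %% One mechanism list applies to every listener; it cannot be set per port.
    %% EXTERNAL needs a client certificate on the connection, so a client
    %% on 5672 that selects it is rejected by rabbitmq_auth_mechanism_ssl.
    {auth_mechanisms, ['PLAIN', 'EXTERNAL']},

    {ssl_options, [
      {cacertfile, "/path/to/ca_certificate.pem"},
      {certfile,   "/path/to/server_certificate.pem"},
      {keyfile,    "/path/to/server_key.pem"},
      %% Request and validate the client certificate that EXTERNAL relies on,
      %% and refuse SSL connections that do not present one.
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]}
  ]}
].

%% To stop a certificate user from logging in with PLAIN, leave the account
%% without a password (placeholder user name):
%%   rabbitmqctl clear_password <cert-user>
```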