Tony,<br><br><div class="gmail_quote">On Dec 3, 2007 2:33 AM, Tony Garnock-Jones <<a href="mailto:tonyg@lshift.net">tonyg@lshift.net</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi David,<br><div class="Ih2E3d"><br>David Pollak wrote:<br>> What are the<br>> security ramifications of a RabbitMQ instance in the wild being able to<br>> receive messages from any old client and routing those messages? Is it
<br>> possible to filter the routing so malicious messages do not get sent<br>> from one client to another?<br><br></div>Interesting. You'd have to do that on an application level at present -<br>extracting messages from some intermediate queue, filtering, and
<br>submitting again targeted at the ultimate recipients - but with a bit<br>of hacking on the erlang, you could send any delivered message through<br>an erlang-language filtering routine.<br><br>AMQP doesn't have any notion of global addressing or federation at
<br>0-8/0-9 level, so there's no possibility of ending up with an SMTP-style<br>spam relay.</blockquote><div><br>There will be cases when the system will distribute the "address" of one client to another so that they may send each other messages directly. Perhaps I should set this up so that they have a temporary (conversation-specific) address to communicate and the address is destroyed when the conversation ends.
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br><div class="Ih2E3d"><br>> Also, can the clients connect to RabbitMQ through an HTTP connection as
<br>> an alternative to the standard AMQP port? Some corporate firewalls make<br>> it challenging to connect to anything other than an HTTP server.<br><br></div>If you like, you can set up the broker to listen on a non-standard port
<br>as well as or instead of the default. Set the NODE_PORT environment<br>variable to 80 before starting the broker, or edit the rabbitmq-server<br>script to add extra TCP endpoints to the "-rabbit tcp_listeners ..." line.
</blockquote><div><br>I'm not sure that works so well. Many corporate firewalls have HTTP proxies. They expect well-formed HTTP. <br><br>I'll noodle on this issue a little bit and maybe come up with a solution.
<br><br>Thanks,<br><br>David<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br><br>Regards,<br> Tony<br><font color="#888888">--
<br> [][][] Tony Garnock-Jones | Mob: +44 (0)7905 974 211<br> [][] LShift Ltd | Tel: +44 (0)20 7729 7060<br> [] [] <a href="http://www.lshift.net/" target="_blank">http://www.lshift.net/</a> | Email: <a href="mailto:tonyg@lshift.net">
tonyg@lshift.net</a><br></font></blockquote></div><br><br clear="all"><br>-- <br>lift, the secure, simple, powerful web framework <a href="http://liftweb.net">http://liftweb.net</a><br>Collaborative Task Management <a href="http://much4.us">
http://much4.us</a>