# Security
RabbitMQ's security model layers AMQP-level authentication, vhost-based authorization, transport-level TLS, and pluggable identity backends.
## Authentication
| Method | Use Case |
|---|---|
| Internal user database | Default; passwords hashed with SHA-256 (configurable). |
| OAuth 2.0 / JWT | Enterprise SSO via Keycloak, Auth0, Azure AD; the rabbitmq_auth_backend_oauth2 plugin. |
| LDAP | Directory-based identity; the rabbitmq_auth_backend_ldap plugin. |
| mTLS (x509) | Cert-based auth via the rabbitmq_auth_mechanism_ssl plugin; CN/SAN maps to user. |
| HTTP backend | Custom auth via REST endpoint; the rabbitmq_auth_backend_http plugin. |
| Cache backend | Wrap any other backend with caching to reduce per-connection cost. |
### OAuth 2.0 with introspection

```ini
# rabbitmq.conf
auth_backends.1 = rabbit_auth_backend_oauth2
auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.preferred_username_claims.1 = preferred_username
auth_oauth2.scope_aliases.read = read:orders
auth_oauth2.scope_aliases.write = write:orders
auth_oauth2.discovery_endpoint = https://idp.example.com/.well-known/openid-configuration
auth_oauth2.signing_keys = /etc/rabbitmq/jwt-keys
```
The plugin verifies the JWT, derives the user, and checks scopes for vhost permissions.
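As an added example (not the plugin's own code), here is what those three steps look like for one token: verify the signature, expiry and audience, then test whether a `rabbitmq.<permission>:<vhost>/<name>` scope covers the vhost permission being requested. It assumes HS256 with a constructed key in place of the IdP's RSA/EC keys, ignores scope aliases and the optional routing-key component, and takes `resource_server_id = rabbitmq` from the config above.

```python
import base64, hashlib, hmac, json, re, time
from urllib.parse import unquote

# Assumptions: RESOURCE_SERVER_ID matches auth_oauth2.resource_server_id above; DEMO_KEY is a
# constructed HMAC stand-in for the IdP's signing key (real IdPs sign with RSA/EC keys from JWKS).
RESOURCE_SERVER_ID = "rabbitmq"
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Plugin scope grammar: <resource_server_id>.<permission>:<vhost>/<name>[/<routing-key>], with
# the vhost percent-encoded ('/' -> '%2F') and '*' as the only wildcard; routing keys ignored here.
SCOPE_RE = re.compile(r"^rabbitmq\.(configure|write|read):([^/]+)/([^/]+)")

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, key=DEMO_KEY):
    """Build an HS256 JWT; used only to construct sample input for this example."""
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_token(token, key=DEMO_KEY, now=None):
    """Signature, expiry and audience checks that must pass before any scope is trusted."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    aud = claims.get("aud", [])
    if RESOURCE_SERVER_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not name this cluster")  # blocks cross-cluster replay
    return claims

def _pattern(part):
    # '*' becomes '.*'; everything else is literal and the match is anchored at both ends.
    return re.compile("^" + re.escape(part).replace(r"\*", ".*") + "$")

def allowed(claims, permission, vhost, name):
    """True if any rabbitmq.* scope in the token grants `permission` on `name` in `vhost`."""
    for scope in claims.get("scope", "").split():
        m = SCOPE_RE.match(scope)
        if (m and m.group(1) == permission and _pattern(unquote(m.group(2))).match(vhost)
                and _pattern(m.group(3)).match(name)):
            return True
    return False
```

A token whose `aud` names another cluster, or whose `exp` has passed, is rejected before its scopes are consulted, which is the property the threat model's "audience claim per cluster" and "tight token TTLs" rows rely on.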
## Authorization
Permissions are vhost-scoped triples (configure, write, read) — each is a regex matching resource names.
```shell
rabbitmqctl set_permissions -p /prod orders-svc '^orders\.' '^orders\.' '^orders\.'
rabbitmqctl set_topic_permissions -p /prod orders-svc amq.topic '^orders\.' '^orders\.'
```
| Permission | Applies To |
|---|---|
| configure | Declare/delete exchanges, queues, bindings, policies. |
| write | Publish to exchanges, route to queues. |
| read | Consume from queues, examine bindings. |
User tags grant management UI roles: administrator, monitoring, policymaker, management.
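An added audit helper (not RabbitMQ's own code) that mirrors how the internal backend applies those regexes: each permission regex is searched, not anchored, and an empty regex matches nothing. It parses constructed `rabbitmqctl list_permissions` output and reports every grant on an existing resource that falls outside the user's intended set, which is how an unanchored `orders` or a default `.*` shows up as an over-grant.

```python
import re

PERMS = ("configure", "write", "read")

def parse_list_permissions(output):
    """Parse `rabbitmqctl list_permissions -p <vhost>` output into {user: {perm: regex}}.
    Only tab-separated four-field rows are data; banner and header lines are skipped."""
    users = {}
    for line in output.splitlines():
        fields = line.split("\t")
        if len(fields) == 4 and fields[0] != "user":
            users[fields[0]] = dict(zip(PERMS, fields[1:]))
    return users

def check_resource_access(regex, name):
    """Mirror the internal backend: an empty regex is treated as '^$' (matches nothing) and
    the regex is searched, not anchored, so '^' and '$' are the operator's responsibility."""
    return re.search(regex or "^$", name) is not None

def over_grants(users, intended, resources):
    """List (user, perm, resource) grants that fall outside each user's intended resources.
    Only existing resource names are checked; a loose regex also covers names not yet declared."""
    findings = []
    for user, perms in users.items():
        wanted = intended.get(user, set())
        for perm in PERMS:
            for name in resources:
                if name not in wanted and check_resource_access(perms[perm], name):
                    findings.append((user, perm, name))
    return findings

# Constructed sample: what `rabbitmqctl list_permissions -p /prod` might print for three users.
SAMPLE = """\
Listing permissions for vhost "/prod" ...
user\tconfigure\twrite\tread
orders-svc\t^orders\\.\t^orders\\.\t^orders\\.
legacy-svc\torders\torders\torders
admin-bot\t.*\t.*\t.*
"""
# Constructed resource names (from list_queues / list_exchanges) and the intended access per user.
RESOURCES = ["orders.created", "orders.dlq", "preorders.events", "billing.invoices"]
INTENDED = {"orders-svc": {"orders.created", "orders.dlq"},
            "legacy-svc": {"orders.created", "orders.dlq"}}
```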
## Encryption

### In transit
- TLS for AMQP (`:5671`), AMQP 1.0, MQTT (`:8883`), STOMP (`:61614`), Stream (`:5552` over TLS), management (`:15672` HTTPS), Prometheus (`:15692` HTTPS), Erlang inter-node (set via `inet_dist_use_interface` + `RABBITMQ_CTL_ERL_ARGS`).
- mTLS supported on every listener.
- Verify CRL and OCSP separately if the deployment requires real-time revocation.
```ini
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/certs/ca.pem
ssl_options.certfile = /etc/rabbitmq/certs/server.pem
ssl_options.keyfile = /etc/rabbitmq/certs/server.key
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
```
### Inter-node Erlang distribution

Erlang's distribution protocol must sit on a private network or be wrapped in `inet_tls_dist`. The Erlang cookie is a shared secret, not a security boundary.
### At rest
RabbitMQ does not encrypt queue/segment files on disk. For at-rest encryption use OS-level dm-crypt or cloud-provider EBS/Persistent-Disk encryption.
## Audit & Observability
- Logs: `/var/log/rabbitmq/rabbit@<node>.log` records auth attempts and permission denials.
- Tracing: the `rabbitmq_tracing` plugin captures every published/consumed message into a trace queue.
- Federation/Shovel parameters do not log credentials by default; verify your config logger doesn't leak `uri` strings.
- Audit events: the `rabbitmq_event_exchange` plugin publishes management/connection events to `amq.rabbitmq.event`.
## Threat Model
| Threat | Mitigation |
|---|---|
| Default guest account exposed | Bound to localhost by default. Keep loopback_users.guest = true. |
| Management UI on public IP | Bind management to private network; reverse-proxy with auth. |
| Erlang distribution attack | Wrap in inet_tls_dist; restrict cluster network. |
| Permission escalation via administrator tag | Issue management roles minimally; rotate. |
| Plugin supply chain | Pin plugin versions; install only from rabbitmq-plugins (signed). |
| MITM on AMQP | mTLS on :5671; reject :5672 in production. |
| Vhost escape | Permissions are enforced at the broker; ensure regexes are scoped tightly. |
| Federation credential theft | Use mTLS-only upstreams; rotate via rabbitmqctl clear_parameter federation-upstream. |
| Replay attacks | At app level: include nonce; use x-message-deduplication plugin where appropriate. |
| Slow-consumer DoS | Combine consumer_timeout, consumer_capacity alarms, and quorum queue x-delivery-limit. |
| OAuth token replay | Set tight token TTLs; use audience claim per cluster. |
| WebSocket / MQTT abuse | Rate-limit at ingress (e.g. nginx, Traefik); enforce auth on :1883/:8883. |
## CVE History (selected)
| CVE | Year | Affected | Summary |
|---|---|---|---|
| CVE-2024-50582 | 2024 | rabbitmq_management plugin | Reflected XSS in management UI; fixed in 3.13.7 / 4.0.2. |
| CVE-2023-46118 | 2023 | rabbitmq-server before 3.12.7 | Memory exhaustion via large MQTT message; fixed by tightening mqtt.max_message_size. |
| CVE-2023-46118 follow-up | 2023 | MQTT 5 plugin | Hardening of property parsing; fix in 3.12.x. |
| CVE-2022-31010 | 2022 | rabbitmq_web_mqtt plugin | DoS via crafted WebSocket frame. |
Subscribe to the GitHub Security Advisories feed for the canonical list.
## Hardening Checklist
- Disable AMQP plain port (`:5672`) for production; require AMQPS.
- Bind `:15672` (mgmt UI) to a private network or behind a reverse proxy with SSO.
- Replace `guest` user immediately; restrict `administrator` tag holders.
- Enable OAuth 2.0 + audience-pinned JWTs.
- mTLS for inter-node Erlang distribution.
- Rotate federation/shovel credentials via parameter API.
- Enable `rabbitmq_event_exchange` and ship events to SIEM.
- Set `cluster_partition_handling = pause_minority` (default since 3.6).
- Set quorum queue `x-delivery-limit` to bound poison loops.
- OS-level disk encryption (dm-crypt / cloud KMS) for `/var/lib/rabbitmq`.
- Subscribe to RabbitMQ Security Advisories.
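An added checker (not a RabbitMQ tool) for the rabbitmq.conf items in this checklist that are expressible as config keys: plain listener, guest loopback restriction, client-certificate enforcement, TLS versions, management bind address and partition handling. It assumes the new-style `key = value` format and only knows the keys named on this page; the two sample configs are constructed.

```python
# Constructed checker for the rabbitmq.conf settings in the checklist above; assumes the
# new-style key = value format and checks only the keys named on this page.
def parse_conf(text):
    """Parse rabbitmq.conf (one `key = value` per line, `#` comments) into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = value
    return conf

def audit(conf):
    """Return checklist findings as (key, advice) tuples; an empty list means every check passed."""
    findings = []
    tcp = {k: v for k, v in conf.items() if k.startswith("listeners.tcp")}
    if tcp != {"listeners.tcp": "none"}:  # no key at all still means the default :5672 listener
        findings.append(("listeners.tcp", "plain AMQP still listening; set listeners.tcp = none"))
    if conf.get("loopback_users") == "none" or conf.get("loopback_users.guest", "true") != "true":
        findings.append(("loopback_users.guest", "guest usable off-loopback; keep loopback_users.guest = true"))
    if conf.get("ssl_options.verify") != "verify_peer" or conf.get("ssl_options.fail_if_no_peer_cert") != "true":
        findings.append(("ssl_options.verify", "client certs not required; set verify_peer and fail_if_no_peer_cert = true"))
    versions = {v for k, v in conf.items() if k.startswith("ssl_options.versions.")}
    if not versions or versions & {"tlsv1", "tlsv1.1"}:
        findings.append(("ssl_options.versions", "pin ssl_options.versions to tlsv1.3 and tlsv1.2"))
    if conf.get("management.tcp.ip", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append(("management.tcp.ip", "management UI on all interfaces; bind it to a private address"))
    if conf.get("cluster_partition_handling") != "pause_minority":
        findings.append(("cluster_partition_handling", "set cluster_partition_handling = pause_minority"))
    return findings

# Constructed sample configs: a weak one and one that follows the checklist.
WEAK = """\
listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.verify = verify_none
loopback_users = none
"""
HARDENED = """\
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
loopback_users.guest = true
management.tcp.ip = 10.0.0.5
cluster_partition_handling = pause_minority
"""
```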
## Cross-references
- messaging/rabbitmq/architecture — for understanding the vhost/exchange/queue scope of every permission.
- messaging/rabbitmq/operations — for `rabbitmqctl` and OAuth 2.0 setup commands.
- messaging/index — for cross-broker security comparison.