8.3.11. Connection Limits by Hostname
The 0.30 C++ Broker ACL module adds the ability to create allow and deny lists of the TCP/IP hosts from which users may connect. The rule accepts these forms:
acl allow user create connection host=host1 acl allow user create connection host=host1,host2 acl deny user create connection host=all
Using the form
host=host1
specifies a single host. With a single host the name may resolve to multiple TCP/IP addresses. For example localhost resolves to both 127.0.0.1 and ::1 and possibly many other addresses. A connection from any of the addresses associated with this host matches the rule and the connection is allowed or denied accordingly.
Using the form
host=host1,host2
specifies a range of TCP/IP addresses. With a host range each host must resolve to a single TCP/IP address and the second address must be numerically larger than the first. A connection from any host where host >= host1 and host <= host2 match the rule and the connection is allowed or denied accordingly.
Using the form
host=all
specifies all TCP/IP addresses. A connection from any host matches the rule and the connection is allowed or denied accordingly.
Connection denial is only applied to incoming TCP/IP connections. Other socket types are not subjected to nor denied by range checks.
Connection creation rules are divided into three categories:
- User = all, host != allThese define global rules and are applied before any specific user rules. These rules may be used to reject connections before any AMPQ protocol is run and before any user names have been negotiated.
- User != all, host = any legal host or 'all'These define user rules. These rules are applied after the global rules and after the AMQP protocol has negotiated user identities.
- User = all, host = allThis rule defines what to do if no other rule matches. The default value is "ALLOW". Only one rule of this type may be defined.
The following example illustrates how this feature can be used:
Example 8.1. Connection Limits by Host Name
group admins alice bob chuck group Company1 c1_usera c1_userb group Company2 c2_userx c2_usery c2_userz acl allow admins create connection host=localhost acl allow admins create connection host=10.0.0.0,10.255.255.255 acl allow admins create connection host=192.168.0.0,192.168.255.255 acl allow admins create connection host=[fc00::],[fc00::ff] acl allow Company1 create connection host=company1.com acl deny Company1 create connection host=all acl allow Company2 create connection host=company2.com acl deny Company2 create connection host=all
In this example admins may connect from localhost or from any system on the 10.0.0.0/24, 192.168.0.0/16, and fc00::/7 subnets. Company1 users may connect only from company1.com and Company2 users may connect only from company2.com. However, this example has a flaw. Although the admins group has specific hosts from which it is allowed to make connections it is not blocked from connecting from anywhere. The Company1 and Company2 groups are blocked appropriately. This ACL file may be rewritten as follows:
group admins alice bob chuck group Company1 c1_usera c1_userb group Company2 c2_userx c2_usery c2_userz acl allow admins create connection host=localhost acl allow admins create connection host=10.0.0.0,10.255.255.255 acl allow admins create connection host=192.168.0.0,192.168.255.255 acl allow admins create connection host=[fc00::],[fc00::ff] acl allow Company1 create connection host=company1.com acl allow Company2 create connection host=company2.com acl deny all create connection host=all
Now the listed administrators are blocked from connecting from anywhere but their allowed hosts.