8.3.11. Connection Limits by Hostname

The 0.30 C++ Broker ACL module adds the ability to create allow and deny lists of the TCP/IP hosts from which users may connect. The rule accepts these forms: 
acl allow user create connection host=host1
acl allow user create connection host=host1,host2
acl deny  user create connection host=all
Using the form host=host1 specifies a single host. With a single host the name may resolve to multiple TCP/IP addresses. For example localhost resolves to both 127.0.0.1 and ::1 and possibly many other addresses. A connection from any of the addresses associated with this host matches the rule and the connection is allowed or denied accordingly.
Using the form host=host1,host2 specifies a range of TCP/IP addresses. With a host range each host must resolve to a single TCP/IP address and the second address must be numerically larger than the first. A connection from any host where host >= host1 and host <= host2 match the rule and the connection is allowed or denied accordingly.
Using the form host=all specifies all TCP/IP addresses. A connection from any host matches the rule and the connection is allowed or denied accordingly.
Connection denial is only applied to incoming TCP/IP connections. Other socket types are not subjected to nor denied by range checks.
Connection creation rules are divided into three categories:
  1. User = all, host != all
    These define global rules and are applied before any specific user rules. These rules may be used to reject connections before any AMPQ protocol is run and before any user names have been negotiated.
  2. User != all, host = any legal host or 'all'
    These define user rules. These rules are applied after the global rules and after the AMQP protocol has negotiated user identities.
  3. User = all, host = all
    This rule defines what to do if no other rule matches. The default value is "ALLOW". Only one rule of this type may be defined.
The following example illustrates how this feature can be used:

Example 8.1. Connection Limits by Host Name

group admins alice bob chuck
group Company1 c1_usera c1_userb
group Company2 c2_userx c2_usery c2_userz
acl allow admins   create connection host=localhost
acl allow admins   create connection host=10.0.0.0,10.255.255.255
acl allow admins   create connection host=192.168.0.0,192.168.255.255
acl allow admins   create connection host=[fc00::],[fc00::ff]
acl allow Company1 create connection host=company1.com
acl deny  Company1 create connection host=all
acl allow Company2 create connection host=company2.com
acl deny  Company2 create connection host=all
In this example admins may connect from localhost or from any system on the 10.0.0.0/24, 192.168.0.0/16, and fc00::/7 subnets. Company1 users may connect only from company1.com and Company2 users may connect only from company2.com. However, this example has a flaw. Although the admins group has specific hosts from which it is allowed to make connections it is not blocked from connecting from anywhere. The Company1 and Company2 groups are blocked appropriately. This ACL file may be rewritten as follows: 
group admins alice bob chuck
group Company1 c1_usera c1_userb
group Company2 c2_userx c2_usery c2_userz
acl allow admins   create connection host=localhost
acl allow admins   create connection host=10.0.0.0,10.255.255.255
acl allow admins   create connection host=192.168.0.0,192.168.255.255
acl allow admins   create connection host=[fc00::],[fc00::ff]
acl allow Company1 create connection host=company1.com
acl allow Company2 create connection host=company2.com
acl deny  all      create connection host=all
Now the listed administrators are blocked from connecting from anywhere but their allowed hosts.
Report a bug