How to secure external web api when auth backend http plugin is used


Simon

Feb 15, 2017, 8:31:58 PM
to rabbitmq-users
Hi everyone,

I am using the auth backend http plugin for authentication/authorization in RabbitMQ. I also have a web API that returns the expected responses.

My configuration looks like this:
[
  {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
  {rabbitmq_auth_backend_http,
   [{http_method,   post},
    {user_path,     "http://myserver/api/auth/user"},
    {vhost_path,    "http://myserver/api/auth/vhost"},
    {resource_path, "http://myserver/api/auth/resource"},
    {topic_path,    "http://myserver/api/auth/topic"}]}
].

When RabbitMQ hits the user path/endpoint, the password is sent along with the username, which is right. However, no password is sent to the other endpoints such as vhost/resource/topic.

This means anyone can hit the vhost/resource/topic paths to get some authorization data if they can guess a valid username. I could make the web API private and only allow RabbitMQ to access it, but ideally I would like to make it public and use other ways (such as a custom header so that I can pass in a token) to secure the web API.

I am not sure if I am missing anything here, but I would appreciate any suggestions. Thanks.

Regards,
Simon
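To make the concern above concrete, here is an added example (not Simon's API and not part of the RabbitMQ plugin) of the four endpoints the plugin posts to, written as plain functions so they can be driven from a test. The user store, the per-vhost grants, the routing-key prefix table and the `peer_cert_verified` flag are all constructed for illustration; the flag stands in for whatever the TLS terminator or WSGI server reports about the client certificate. The point it demonstrates is the one in the post: only the `user` call carries a password, so `vhost`, `resource` and `topic` must be protected at the transport layer (here, by refusing any request whose client certificate was not verified) rather than by anything in the form body.

```python
"""Reference handlers for the rabbitmq_auth_backend_http endpoints.

Added example; the user store, grants and mTLS flag are constructed.
The plugin (http_method = post) sends application/x-www-form-urlencoded
bodies: user -> username,password; vhost -> username,vhost,ip;
resource -> username,vhost,resource,name,permission;
topic -> the resource fields plus routing_key.  Each endpoint answers
HTTP 200 with a body of "allow", "allow <tags>" (user only) or "deny".
"""
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed user store: username -> (sha256 hex of password, tags).
# A real deployment would use a salted KDF; sha256 keeps the example short.
USERS = {
    "alice": (hashlib.sha256(b"s3cret").hexdigest(), ["management"]),
    "svc-publisher": (hashlib.sha256(b"token-xyz").hexdigest(), []),
}
# Constructed grants: username -> {vhost: set of permissions}.
GRANTS = {
    "alice": {"/": {"configure", "write", "read"}},
    "svc-publisher": {"/": {"write"}},
}
# Constructed routing-key restriction for the topic endpoint.
TOPIC_PREFIX = {"svc-publisher": "orders."}


def parse_form(body: str) -> dict:
    """Decode the form body the plugin posts; first value of each field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def check_user(p: dict) -> str:
    """The only call that carries a password: verify it in constant time."""
    user = USERS.get(p.get("username", ""))
    if user is None:
        return "deny"
    digest = hashlib.sha256(p.get("password", "").encode()).hexdigest()
    if not hmac.compare_digest(digest, user[0]):
        return "deny"
    return "allow " + " ".join(user[1]) if user[1] else "allow"


def check_vhost(p: dict) -> str:
    return "allow" if p.get("vhost") in GRANTS.get(p.get("username"), {}) else "deny"


def check_resource(p: dict) -> str:
    perms = GRANTS.get(p.get("username"), {}).get(p.get("vhost"), set())
    return "allow" if p.get("permission") in perms else "deny"


def check_topic(p: dict) -> str:
    """Resource check first, then an optional routing-key prefix rule."""
    if check_resource(p) == "deny":
        return "deny"
    prefix = TOPIC_PREFIX.get(p.get("username"))
    if prefix is None or p.get("routing_key", "").startswith(prefix):
        return "allow"
    return "deny"


HANDLERS = {
    "/api/auth/user": check_user,
    "/api/auth/vhost": check_vhost,
    "/api/auth/resource": check_resource,
    "/api/auth/topic": check_topic,
}


def handle(path: str, body: str, peer_cert_verified: bool):
    """Return (status, body) for one plugin request.

    vhost/resource/topic carry no password, so every endpoint is gated on
    the TLS layer having verified the broker's client certificate
    (peer_cert_verified is assumed to be supplied by that layer).
    """
    if not peer_cert_verified:
        return 403, "deny"
    handler = HANDLERS.get(path)
    if handler is None:
        return 404, "deny"
    return 200, handler(parse_form(body))
```

Note the ordering in `handle`: the certificate gate runs before any lookup, so an unauthenticated caller learns nothing about which usernames or vhosts exist. Guessing a valid username is irrelevant once the endpoints only answer the broker that presented the expected certificate.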

Michael Klishin

Feb 15, 2017, 9:01:06 PM
to rabbitm...@googlegroups.com
Use TLS (HTTPS) with peer verification. Network segmentation is another option.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Michael Klishin

Feb 15, 2017, 9:02:56 PM
to rabbitm...@googlegroups.com
`rabbitmq_auth_backend_http.ssl_options` is the key to configure HTTPS client TLS options
(certificate, private key, etc.); key names are identical to those covered in http://www.rabbitmq.com/ssl.html.

--
MK

Staff Software Engineer, Pivotal/RabbitMQ
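Putting Michael's two answers together, here is an added example of Simon's configuration rewritten to use HTTPS with peer verification and a client certificate. This is not a configuration from the RabbitMQ project or from either poster; the hostname and the certificate paths are placeholders. The `cacertfile`, `certfile`, `keyfile` and `verify` keys are the standard TLS option names from the RabbitMQ TLS guide that Michael refers to.

```erlang
%% Added example; myserver and the /etc/rabbitmq/tls/... paths are placeholders.
[
  {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
  {rabbitmq_auth_backend_http,
   [{http_method,   post},
    %% Every endpoint over HTTPS, including the three that carry no password.
    {user_path,     "https://myserver/api/auth/user"},
    {vhost_path,    "https://myserver/api/auth/vhost"},
    {resource_path, "https://myserver/api/auth/resource"},
    {topic_path,    "https://myserver/api/auth/topic"},
    {ssl_options,
     [%% CA that issued the web API's server certificate: verify_peer makes
      %% the broker reject any server that cannot prove it holds a cert
      %% chaining to this CA (the "peer verification" in the reply above).
      {cacertfile, "/etc/rabbitmq/tls/ca_certificate.pem"},
      %% Client certificate and key the broker presents to the web API, so
      %% the API can in turn require mutual TLS and refuse every other caller.
      {certfile,   "/etc/rabbitmq/tls/client_certificate.pem"},
      {keyfile,    "/etc/rabbitmq/tls/client_key.pem"},
      {verify,     verify_peer}]}]}
].
```

The client certificate is what answers Simon's original question: once the web API (or the TLS terminator in front of it) requires a client certificate issued by the same private CA, the vhost/resource/topic endpoints can be reachable from the internet and still answer only the broker, with no custom token header needed. Network segmentation, the other option Michael mentions, remains worthwhile as a second layer.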

Simon

Feb 15, 2017, 10:36:33 PM
to rabbitmq-users
Thank you very much Michael,

This is very helpful.

Regards,
Simon
