RabbitMQ Management and Qualys QID 11827


jonmcal...@wellsfargo.com

Jul 14, 2022, 1:47:06 PM
to rabbitm...@googlegroups.com

We are getting called out with a QID 11827 (Qualys Security Scan) against our RabbitMQ servers stating that the Security Headers are missing. I’ve been searching to no avail as to how to implement these in the Management configuration.


If that can’t be done, I’ve seen folks mentioning to put a reverse proxy in front of the RabbitMQ Management, but don’t see any details as to how to configure that. Does anyone have working instructions for using IIS with ARR and URLRewrite as the reverse proxy?


Thanks,


Dream * Excel * Explore * Inspire

Jon McAlexander

Senior Infrastructure Engineer

Asst. Vice President

He/His


Middleware Product Engineering

Enterprise CIO | EAS | Middleware | Infrastructure Solutions


8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010

Tel 515-988-2508 | Cell 515-988-2508


jonmcal...@wellsfargo.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.


jonmcal...@wellsfargo.com

Jul 21, 2022, 3:41:52 PM
to rabbitm...@googlegroups.com

Hello,

I’m reposting this question. See below.


Luke Bakken

Jul 22, 2022, 12:14:36 PM
to rabbitmq-users
Hi Jon,

I'm assuming you're scanning the RabbitMQ management port (15672 by default).
  • What is your RabbitMQ version?
  • Which "security headers" are missing?
Thanks,
Luke

jonmcal...@wellsfargo.com

Jul 22, 2022, 7:51:21 PM
to rabbitm...@googlegroups.com

Correct on the port. The headers missing are the security headers. Basically these:


X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1;mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Or similar.


Luke Bakken

Jul 23, 2022, 11:01:19 AM
to rabbitmq-users
Hi Jon,

The "Content-Security-Policy" header is set to the value that is required for the JavaScript library we use. You can customize it via a setting - https://www.rabbitmq.com/management.html#csp

Please adjust the CSP carefully, because incorrect values can disable the management UI.

The "Strict-Transport-Security" header is set in this manner - https://www.rabbitmq.com/management.html#hsts

As for the other headers, if you provide a complete list we can evaluate them for inclusion in the management plugin. Please see this issue where you can add input:


Thanks,
Luke

Luke Bakken

Aug 3, 2022, 8:42:10 AM
to rabbitmq-users
Hi Jon,

Please note that we have added support for several of the headers you mention:


You will have to enable them in the rabbitmq.conf file:


This change is available in RabbitMQ 3.10.7 -


Thanks,
Luke
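Once the settings are enabled in rabbitmq.conf, the natural follow-up is to check what the management listener actually returns. The audit below is an added example, not code from this thread or the RabbitMQ project; it models the five headers named earlier in the thread (including the Qualys-style HSTS minimum of one year), and the two sample responses are constructed, not real captures.

```python
"""Audit a RabbitMQ management HTTP response against the security headers
Qualys QID 11827 expects. Added example, not from the thread or RabbitMQ."""
import urllib.request

def hsts_max_age(value):
    """max-age directive of an HSTS value, or 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

# Headers named in the thread, each with a minimal acceptability test.
EXPECTED = {
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-XSS-Protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "Content-Security-Policy": lambda v: bool(v.strip()),  # any policy set
    "Strict-Transport-Security": lambda v: hsts_max_age(v) >= 31536000,
}

def audit_headers(headers, https=True):
    """Return {header: reason} for expected headers that are missing or weak.
    Lookup is case-insensitive. https=False skips HSTS: browsers ignore it
    over plain HTTP, so a non-TLS listener cannot satisfy that check."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, acceptable in EXPECTED.items():
        if name == "Strict-Transport-Security" and not https:
            continue
        value = lower.get(name.lower())
        if value is None:
            findings[name] = "missing"
        elif not acceptable(value):
            findings[name] = "weak value: " + value
    return findings

def audit_live(url, timeout=5):
    """Fetch the management UI (e.g. https://host:15672/) and audit it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return audit_headers(dict(resp.headers.items()), https=url.startswith("https://"))

# Constructed sample responses (not real captures): CSP only, then all five.
BEFORE = {"Content-Type": "text/html", "Content-Security-Policy": "script-src 'self'"}
AFTER = dict(BEFORE, **{
    "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1;mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
})
```

`audit_headers(BEFORE)` reports four headers missing and `audit_headers(AFTER)` returns an empty dict; `audit_live` performs the same check against a running node.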

jonmcal...@wellsfargo.com

Oct 13, 2022, 5:09:13 PM
to rabbitm...@googlegroups.com

Thank you Luke. I had missed this message.


We really appreciate the assist!

