activemq-users mailing list archives

From Eraos <r...@broemeling.org>
Subject Bind only to localhost/private network
Date Tue, 24 Aug 2010 21:47:07 GMT

Hi, I'm a new ActiveMQ user (ActiveMQ 5.4.0 on Ubuntu Lucid Lynx) and have
been trying to lock-down/secure an ActiveMQ instance for this entire
afternoon without really getting anywhere appreciable.  I was hoping someone
here could help me.

Specifically, what I want is for ActiveMQ to:

1) Bind all administrative and miscellaneous sockets to localhost.
2) Bind only the STOMP transport to a private network.

I've achieved #2, but #1 really eludes me badly.  The bindings of my
ActiveMQ server currently look like this, according to netstat:

-----SNIP-----
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 10.179.68.234:61617     :::*                    LISTEN      5119/java
tcp6       0      0 :::33689                :::*                    LISTEN      5119/java
tcp6       0      0 :::11099                :::*                    LISTEN      5119/java
tcp6       0      0 :::11100                :::*                    LISTEN      5119/java
-----SNIP-----

As you can see, the transport binding (port 61617) is correctly on the
private network; but the other three are wildcard bindings that I really
want turned into localhost bindings, but I cannot for the life of me figure
out how to do it.

The command-line that ActiveMQ is currently executed as is:

-----SNIP-----
/usr/bin/java
  -Xms256M
  -Xmx256M
  -Dorg.apache.activemq.UseDedicatedTaskRunner=true
  -Djava.util.logging.config.file=logging.properties
  -Dcom.sun.management.jmxremote
  -Djava.rmi.server.hostname=127.0.0.1
  -Dactivemq.classpath=/opt/apache-activemq-5.4.0/conf;
  -Dactivemq.home=/opt/apache-activemq-5.4.0
  -Dactivemq.base=/opt/apache-activemq-5.4.0
  -jar /opt/apache-activemq-5.4.0/bin/run.jar
  xbean:file:/etc/activemq.xml
-----SNIP-----

... and my /etc/activemq.xml file looks like this (comments trimmed out):

-----SNIP-----
<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:amq="http://activemq.apache.org/schema/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://activemq.apache.org/schema/core
        http://activemq.apache.org/schema/core/activemq-core.xsd">

    <bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="locations">
            <value>file:${activemq.base}/conf/credentials.properties</value>
        </property>
    </bean>
    <broker xmlns="http://activemq.apache.org/schema/core"
brokerName="localhost" dataDirectory="${activemq.base}/data"
persistent="false" useJmx="true">
        <destinationPolicy>
            <policyMap>
              <policyEntries>
                <policyEntry topic=">" producerFlowControl="false">
                  <pendingSubscriberPolicy>
                    <vmCursor />
                  </pendingSubscriberPolicy>
                </policyEntry>
                <policyEntry queue=">" producerFlowControl="false">
                </policyEntry>
              </policyEntries>
            </policyMap>
        </destinationPolicy>
        <managementContext>
            <managementContext connectorPort="11099"
jmxDomainName="org.apache.activemq" rmiServerPort="11100"/>
        </managementContext>
        <persistenceAdapter>
            <kahaDB directory="${activemq.base}/data/kahadb"/>
        </persistenceAdapter>
        <transportConnectors>
            <transportConnector name="stomp"
uri="stomp://10.179.68.234:61617?transport.closeAsync=false"/>
        </transportConnectors>
    </broker>
</beans>
-----SNIP-----

I am reasonably certain that the "extra" ports (i.e. ports 33689, 11099, and
11100 in the above netstat output) are due to jmx/rmi but I cannot for the
life of me figure out how to secure them by forcing them to bind localhost
instead of binding to the wildcard address.  Can anyone point me in the
right direction as to how to achieve this, please?

Thanks.
-- 
View this message in context: http://old.nabble.com/Bind-only-to-localhost-private-network-tp29526752p29526752.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
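The question above is ultimately a socket-exposure audit: which listening sockets of PID 5119 are bound to loopback, which to the private network, and which to the wildcard address. The following script is an added example, not code from the original post or from the ActiveMQ project. It parses `netstat -tlnp` output (the post's listing is embedded here, reflowed onto one line per socket), classifies each local bind address as loopback, private, public or wildcard, and reports every listener whose scope is broader than a per-port policy allows. The policy dictionary, the function names and the `audit` helper are the example's own assumptions, not ActiveMQ settings.

```python
import ipaddress

# netstat -tlnp output from the post, reflowed onto one line per socket.
# (Constructed input for this example; only the four java listeners are kept.)
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 10.179.68.234:61617     :::*                    LISTEN      5119/java
tcp6       0      0 :::33689                :::*                    LISTEN      5119/java
tcp6       0      0 :::11099                :::*                    LISTEN      5119/java
tcp6       0      0 :::11100                :::*                    LISTEN      5119/java
"""


def split_local_address(local):
    """Split 'host:port' on the LAST colon, since IPv6 hosts contain colons."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def classify(host):
    """Map a netstat local address to loopback / private / public / wildcard."""
    # netstat prints the unspecified address as '::', '0.0.0.0' or '*'
    if host in ("::", "0.0.0.0", "*"):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"  # hostname shown because -n was not used
    # ::ffff:a.b.c.d is how a dual-stack socket reports an IPv4 peer/bind
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # loopback is also 'private' in the ipaddress module, so test it first
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def parse_listeners(netstat_output):
    """Return one dict per TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # skip the header, blank lines and anything that is not tcp/tcp6
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        host, port = split_local_address(fields[3])
        listeners.append({
            "proto": fields[0],
            "host": host,
            "port": port,
            "scope": classify(host),
            "program": fields[6] if len(fields) > 6 else "",
        })
    return listeners


def audit(netstat_output, allowed_by_port, default_allowed=("loopback",)):
    """Return listeners bound more widely than the policy permits.

    allowed_by_port maps a port to the scopes it may use; every other port
    must satisfy default_allowed (loopback only, matching the post's goal #1).
    """
    findings = []
    for listener in parse_listeners(netstat_output):
        allowed = allowed_by_port.get(listener["port"], default_allowed)
        if listener["scope"] not in allowed:
            findings.append(listener)
    return findings


if __name__ == "__main__":
    # Policy for the post: STOMP (61617) may bind the private network,
    # everything else (JMX/RMI and the anonymous port) must be loopback.
    policy = {61617: ("private",)}
    for f in audit(NETSTAT_OUTPUT, policy):
        print(f"port {f['port']:>5} bound to {f['host']!r:>8} "
              f"({f['scope']}) by {f['program']} violates policy")
```

Run against the post's listing, the script reports 33689, 11099 and 11100 as wildcard binds and accepts 61617 as a private-network bind, which is exactly the split the poster describes. The same check can be fed live output from `netstat -tlnp` (or `ss -tlnp` after adjusting the column indices) to confirm that any reconfiguration actually moved the JMX/RMI sockets to 127.0.0.1 rather than merely changing the advertised hostname.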

