qpid-users mailing list archives
From Jakub Scholz <ja...@scholz.cz>
Subject Re: IP address restriction in ACL
Date Wed, 03 Apr 2013 15:22:37 GMT
Hi Bruno,

I do not think there is such an option on the C++ broker right now. When we
needed to achieve something similar with our brokers, we used the following
workaround ...

1) We configured the broker to use one port for PLAIN connections and
another one for SSL
2) We restricted the SSL port to use only SSL Client Authentication
3) We used the PLAIN authentication for the administration users and the
SSL Client Authentication for the normal clients
4) We used iptables to restrict the PLAIN port to be available only from
the administration network and the SSL port to be available from the client
network
5) We created the admin users in the SASL database
6) We created the normal clients in the NSS database

As a result, the normal clients see only the SSL port where they cannot
connect using username/password but only with certificates. It is not
perfect, but it helped us to get the approval from our security department.

Regards
Jakub

PS: There is a JIRA for this problem entered a long time ago by one of my
colleagues ... QPID-2305
PS2: The Java broker already has such a feature, but from your previous
emails I understood that you are using the C++ broker ...


On Wed, Apr 3, 2013 at 4:23 PM, Bruno Matos <bruno.matos@paradigmaxis.pt> wrote:

> Hello,
>
> Is it possible to restrict the source IP address or network for a given
> user/group? I want to restrict the admin group connections to my local
> network.
>
> Thank you.
>
> --
> Bruno Matos
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
>
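The two-port workaround described in the reply above, written out as an added example (it is not code from the original post or from the Qpid project). The network ranges, port numbers, NSS database path and certificate name are hypothetical values; the qpidd.conf keys are the file-form equivalents of the C++ broker's command-line options.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the two files the
# workaround needs: a qpidd.conf that splits PLAIN and SSL onto separate
# ports with mandatory client certificates on the SSL port, and an
# iptables-restore fragment that exposes each port to one network only.
# All values below are hypothetical and can be overridden from the environment.

ADMIN_NET=${ADMIN_NET:-10.0.0.0/24}    # administration network (PLAIN users)
CLIENT_NET=${CLIENT_NET:-10.1.0.0/16}  # client network (certificate users)
PLAIN_PORT=${PLAIN_PORT:-5672}         # steps 1 and 3: SASL PLAIN for admins
SSL_PORT=${SSL_PORT:-5671}             # steps 1 and 2: SSL, client auth required
NSS_DB=${NSS_DB:-/etc/qpid/nss}        # step 6: NSS database holding client certs

# Broker configuration (steps 1 and 2). Admin users come from the SASL
# database (step 5); normal clients are identified by certificates in the
# NSS database (step 6), which the broker requires on the SSL port.
qpidd_conf() {
    cat <<EOF
auth=yes
port=$PLAIN_PORT
ssl-port=$SSL_PORT
ssl-cert-db=$NSS_DB
ssl-cert-name=broker
ssl-cert-password-file=$NSS_DB/password
ssl-require-client-authentication=yes
EOF
}

# Firewall rules (step 4) in iptables-restore format: the PLAIN port is
# reachable only from the admin network, the SSL port only from the client
# network, and any other source hitting either broker port is dropped.
iptables_rules() {
    cat <<EOF
*filter
-A INPUT -p tcp --dport $PLAIN_PORT -s $ADMIN_NET -j ACCEPT
-A INPUT -p tcp --dport $SSL_PORT -s $CLIENT_NET -j ACCEPT
-A INPUT -p tcp -m multiport --dports $PLAIN_PORT,$SSL_PORT -j DROP
COMMIT
EOF
}

# Write both files when run directly (paths are hypothetical).
if [ "${1:-}" = "write" ]; then
    qpidd_conf > /etc/qpid/qpidd.conf
    iptables_rules > /etc/qpid/broker-ports.rules
fi
```

Load the generated rules with `iptables-restore -n < /etc/qpid/broker-ports.rules` and restart qpidd after replacing its configuration; the DROP rule only covers the two broker ports, so the rest of the host policy is untouched.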
