Secure the RabbitMQ management UI
/etc/rabbitmq/rabbitmq.conf# Bind the management UI to loopback; reach it via SSH tunnelmanagement.tcp.ip = 127.0.0.1management.tcp.port = 15672
# If it must be on a network, use TLS and a private interface# management.ssl.port = 15671# management.ssl.ip = 10.0.1.5# management.ssl.cacertfile = /etc/rabbitmq/tls/ca.pem# management.ssl.certfile = /etc/rabbitmq/tls/server.pem# management.ssl.keyfile = /etc/rabbitmq/tls/server.keysudo systemctl restart rabbitmq-serverWhy it matters
Section titled “Why it matters”The management plugin — enabled by default — serves a web UI and a full HTTP API on port 15672. It is not a status page. Through it you can create and delete users, change permissions, read queue contents, purge queues, publish arbitrary messages, and change broker configuration. It is the entire administrative surface of the broker, over HTTP.
Two things make it a frequent finding:
- The port is well known, so scanners look for it, and a
/api/overviewrequest identifies it instantly. - It’s HTTP by default, so credentials — including the admin’s — cross the network in cleartext unless you configure TLS.
Combined with a weak or default account (see replace the guest user), an exposed management UI is broker takeover through a browser.
Reach it over a tunnel, not the internet
Section titled “Reach it over a tunnel, not the internet”The best posture for most deployments: bind it to loopback and reach it through an SSH tunnel.
# from your workstationssh -L 15672:localhost:15672 admin@broker# then browse http://localhost:15672That reuses SSH’s authentication, needs no exposed port, no certificate, and no additional firewall rule. The management UI is an administrative tool used occasionally by a few people — it does not need to be on the network at all.
If it must be reachable, use TLS and restrict it
Section titled “If it must be reachable, use TLS and restrict it”If a tunnel genuinely doesn’t fit — a shared ops team, an existing reverse proxy — then put it on a separate TLS port (15671), bind it to a private interface, and firewall it to admin addresses. Never leave it on plaintext 15672 on a routable interface.
Behind a reverse proxy, terminate TLS there and pass through to loopback 15672, and make the proxy require authentication of its own if you can. The management API supports it, but defence in depth on an admin surface is cheap.
The HTTP API is the same surface
Section titled “The HTTP API is the same surface”Don’t over-focus on the web UI and forget the API underneath it. Everything the UI
does, the API does — /api/definitions exports the entire broker configuration
including user password hashes, and /api/queues/.../get reads messages. A
scoped monitoring user for dashboards is fine; the
admin API is not something to expose.
If you only need metrics, the Prometheus endpoint (port 15692, via the
rabbitmq_prometheus plugin) exposes metrics without the administrative
surface — a better thing to point monitoring at than the management API.
Related
Section titled “Related”- Replace the guest user — the account that would log in here.
- Restrict network listeners — the port this binds.
- Scope vhosts and permissions — the tags that gate management access.