Skip to content

Secure the RabbitMQ management UI

Severity: mediumApplies to: RabbitMQ 3.x / 4.x
The fix/etc/rabbitmq/rabbitmq.conf
# Bind the management UI to loopback; reach it via SSH tunnel
management.tcp.ip = 127.0.0.1
management.tcp.port = 15672
# If it must be on a network, use TLS and a private interface
# management.ssl.port = 15671
# management.ssl.ip = 10.0.1.5
# management.ssl.cacertfile = /etc/rabbitmq/tls/ca.pem
# management.ssl.certfile = /etc/rabbitmq/tls/server.pem
# management.ssl.keyfile = /etc/rabbitmq/tls/server.key
Terminal window
sudo systemctl restart rabbitmq-server

The management plugin — enabled by default — serves a web UI and a full HTTP API on port 15672. It is not a status page. Through it you can create and delete users, change permissions, read queue contents, purge queues, publish arbitrary messages, and change broker configuration. It is the entire administrative surface of the broker, over HTTP.

Two things make it a frequent finding:

  • The port is well known, so scanners look for it, and a /api/overview request identifies it instantly.
  • It’s HTTP by default, so credentials — including the admin’s — cross the network in cleartext unless you configure TLS.

Combined with a weak or default account (see replace the guest user), an exposed management UI is broker takeover through a browser.

The best posture for most deployments: bind it to loopback and reach it through an SSH tunnel.

Terminal window
# from your workstation
ssh -L 15672:localhost:15672 admin@broker
# then browse http://localhost:15672

That reuses SSH’s authentication, needs no exposed port, no certificate, and no additional firewall rule. The management UI is an administrative tool used occasionally by a few people — it does not need to be on the network at all.

If it must be reachable, use TLS and restrict it

Section titled “If it must be reachable, use TLS and restrict it”

If a tunnel genuinely doesn’t fit — a shared ops team, an existing reverse proxy — then put it on a separate TLS port (15671), bind it to a private interface, and firewall it to admin addresses. Never leave it on plaintext 15672 on a routable interface.

Behind a reverse proxy, terminate TLS there and pass through to loopback 15672, and make the proxy require authentication of its own if you can. The management API supports it, but defence in depth on an admin surface is cheap.

Don’t over-focus on the web UI and forget the API underneath it. Everything the UI does, the API does — /api/definitions exports the entire broker configuration including user password hashes, and /api/queues/.../get reads messages. A scoped monitoring user for dashboards is fine; the admin API is not something to expose.

If you only need metrics, the Prometheus endpoint (port 15692, via the rabbitmq_prometheus plugin) exposes metrics without the administrative surface — a better thing to point monitoring at than the management API.