Introduction
RabbitMQ is a powerful message broker that is widely used in production. Left unsecured, it lets an attacker read, alter, or delete your messages, or simply disrupt the flow of messages between your services. Security is therefore not only about protecting data, but also about keeping the system reliable.
This article shows the most important security best practices when running RabbitMQ in production.
Use TLS for Encryption
- By default, RabbitMQ accepts AMQP over plain TCP (port 5672), so anyone who can observe traffic on the network path can read it.
- Always enable TLS for client connections, and switch the plaintext listener off once every client has moved over.
- This protects message contents as well as the usernames and passwords sent during authentication from being exposed.
Steps:
- Generate a server certificate and private key signed by a CA that your clients trust (an internal CA is fine; keep the CA's private key off the broker host).
- Enable the TLS listener in rabbitmq.conf:

listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca.crt
ssl_options.certfile = /etc/rabbitmq/server.crt
ssl_options.keyfile = /etc/rabbitmq/server.key
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

- Note that verify_peer together with fail_if_no_peer_cert = true enforces mutual TLS: a client that does not present a certificate issued by ca.crt is rejected. Keep that if you authenticate clients with certificates; if you only need the server side authenticated, set ssl_options.fail_if_no_peer_cert = false.
- Pin the protocol versions to TLS 1.2 and 1.3 (ssl_options.versions.1 = tlsv1.3 and ssl_options.versions.2 = tlsv1.2) so that legacy versions cannot be negotiated.
- Once every client connects on 5671, disable the plaintext listener with listeners.tcp = none; adding a TLS listener alone leaves port 5672 open alongside it.
- Check the result from a client host with openssl s_client -connect <broker-host>:5671 -CAfile ca.crt and confirm that the certificate chain verifies and the expected TLS version is negotiated.
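A practitioner usually wants a quick way to tell whether a broker's rabbitmq.conf actually reflects the settings above. The script below is an added example written for this article, not code from the RabbitMQ project: it parses the key = value format of rabbitmq.conf and reports the weak transport settings discussed here (plaintext listener still on, no TLS listener, peers not verified, legacy TLS versions). The three sample configurations inside it are constructed for the demo; the key names are the documented rabbitmq.conf keys.

```python
"""Audit a rabbitmq.conf for weak transport settings.

Added example for this article, not code from the RabbitMQ project. The key
names (listeners.tcp.*, listeners.ssl.*, ssl_options.*) are the documented
rabbitmq.conf keys; the three sample configurations below are constructed
for the demo and do not come from a real deployment.
"""

# constructed sample: effectively what a fresh install looks like (plaintext only)
WEAK_CONF = """
listeners.tcp.default = 5672
"""

# constructed sample: TLS added, but plaintext left on, peers unverified, TLS 1.0 allowed
MIXED_CONF = """
listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca.crt
ssl_options.certfile = /etc/rabbitmq/server.crt
ssl_options.keyfile = /etc/rabbitmq/server.key
ssl_options.verify = verify_none
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1
"""

# constructed sample: TLS only, mutual TLS, TLS 1.2/1.3 pinned
HARDENED_CONF = """
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca.crt
ssl_options.certfile = /etc/rabbitmq/server.crt
ssl_options.keyfile = /etc/rabbitmq/server.key
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
"""

SAFE_TLS_VERSIONS = {"tlsv1.2", "tlsv1.3"}


def parse_conf(text: str) -> dict:
    """Parse rabbitmq.conf's 'key = value' lines into a dict.

    '#' starts a comment and blank lines are skipped; a repeated key keeps
    the last value seen.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_conf(text: str) -> list:
    """Return human-readable findings; an empty list means nothing weak was found."""
    conf = parse_conf(text)
    findings = []

    # 'listeners.tcp = none' is what switches the plaintext AMQP listener off;
    # merely adding a TLS listener leaves port 5672 open next to it.
    if conf.get("listeners.tcp", "").lower() != "none":
        findings.append("plaintext AMQP listener enabled (port 5672 by default); "
                        "set 'listeners.tcp = none' once clients use TLS")

    if not any(k.startswith("listeners.ssl") for k in conf):
        findings.append("no TLS listener configured; set 'listeners.ssl.default = 5671'")
        return findings  # the remaining checks only make sense with TLS on

    for opt in ("cacertfile", "certfile", "keyfile"):
        if f"ssl_options.{opt}" not in conf:
            findings.append(f"ssl_options.{opt} is missing; the listener needs a CA bundle, "
                            "certificate and key")

    # Erlang's ssl application defaults to verify_none, so an absent key means
    # client certificates are never checked.
    if conf.get("ssl_options.verify", "verify_none") != "verify_peer":
        findings.append("ssl_options.verify is not verify_peer; client certificates are not checked")
    elif conf.get("ssl_options.fail_if_no_peer_cert", "false").lower() != "true":
        findings.append("note: clients without a certificate are still accepted "
                        "(server-only TLS); fine unless you rely on certificate authentication")

    versions = [v.lower() for k, v in conf.items() if k.startswith("ssl_options.versions.")]
    if not versions:
        findings.append("note: TLS versions not pinned; the Erlang/OTP default applies, "
                        "pin tlsv1.3 and tlsv1.2 explicitly")
    for v in versions:
        if v not in SAFE_TLS_VERSIONS:
            findings.append(f"legacy TLS version enabled: {v}")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("mixed", MIXED_CONF), ("hardened", HARDENED_CONF)):
        result = audit_conf(text)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against the real file with audit_conf(open("/etc/rabbitmq/rabbitmq.conf").read()). The script only reads the broker's own configuration; it does not replace checking the live listener with openssl s_client, which is what confirms that the settings took effect after a restart.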
Strong Authentication
- Do not use the default guest/guest user in production. By default RabbitMQ only lets guest connect over localhost (the loopback_users setting), but that is not a substitute for removing the account: delete it rather than relying on the restriction, and never relax loopback_users to expose it.
- Create a separate user per application with a strong, unique password, and give each one only the permissions it needs, ideally on its own vhost.
- Prefer external authentication where possible: LDAP, OAuth 2.0, or TLS client certificates (the rabbitmq_auth_mechanism_ssl plugin lets a client authenticate with the certificate it already presents for TLS, so no password is sent at all).
Example:

rabbitmqctl add_user app_user 'StrongP@ssw0rd'
rabbitmqctl set_permissions -p / app_user ".*" ".*" ".*"

The three patterns are the configure, write and read permissions, and ".*" on the default vhost / grants full access to everything. Narrow them to the resources the application actually uses, for example a dedicated vhost (rabbitmqctl add_vhost orders) and names prefixed with the application name: rabbitmqctl set_permissions -p orders app_user "^orders\." "^orders\." "^orders\.". Also note that a password passed on the command line ends up in shell history and is visible in process listings while the command runs; clear the history entry, or provision users through a definitions file that contains only password hashes.
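The following is an added example written for this article, not code from the RabbitMQ project. It shows how to provision the user above without putting the plaintext password on the command line: it computes the hash format RabbitMQ documents for its default algorithm (rabbit_password_hashing_sha256: a random 4-byte salt, SHA-256 over salt + password, then base64 of salt + digest) and builds a definitions file with least-privilege permissions that rabbitmqctl import_definitions can load. The user name, vhost and resource prefix are made up for the demo.

```python
"""Provision a least-privilege RabbitMQ user without a plaintext password.

Added example for this article, not code from the RabbitMQ project. It
implements the hash format RabbitMQ documents for its default algorithm
(rabbit_password_hashing_sha256: random 4-byte salt, SHA-256 over
salt + password, base64 of salt + digest) and builds a definitions file
that 'rabbitmqctl import_definitions' can load. The user, vhost and
resource-name prefix below are made up for the demo.
"""
import base64
import hashlib
import json
import re
import secrets
from typing import Optional, Tuple

HASH_ALGORITHM = "rabbit_password_hashing_sha256"
SALT_LEN = 4


def rabbitmq_password_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return the base64 string that goes into 'password_hash' in a definitions file."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("RabbitMQ salts are exactly 4 bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def decode_hash(password_hash: str) -> Tuple[bytes, bytes]:
    """Split a stored hash back into (salt, digest)."""
    raw = base64.b64decode(password_hash)
    if len(raw) != SALT_LEN + hashlib.sha256().digest_size:
        raise ValueError("not a rabbit_password_hashing_sha256 hash")
    return raw[:SALT_LEN], raw[SALT_LEN:]


def verify_rabbitmq_password(password: str, password_hash: str) -> bool:
    """Check a password against a stored hash: re-hash with the stored salt and compare."""
    salt, digest = decode_hash(password_hash)
    expected = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return secrets.compare_digest(digest, expected)


def least_privilege_definitions(user: str, password: str, vhost: str, prefix: str) -> dict:
    """Definitions with one vhost and one user confined to resources named <prefix>.*

    The configure/write/read patterns are anchored regexes rather than '.*',
    so the application cannot declare, publish to or consume from anything
    else in the vhost; tags are empty so the user gets no management-UI role.
    """
    scoped = "^" + re.escape(prefix) + r"\."
    return {
        "vhosts": [{"name": vhost}],
        "users": [{
            "name": user,
            "password_hash": rabbitmq_password_hash(password),
            "hashing_algorithm": HASH_ALGORITHM,
            "tags": [],
        }],
        "permissions": [{
            "user": user,
            "vhost": vhost,
            "configure": scoped,
            "write": scoped,
            "read": scoped,
        }],
    }


if __name__ == "__main__":
    defs = least_privilege_definitions("app_user", "StrongP@ssw0rd", "orders", "orders")
    assert verify_rabbitmq_password("StrongP@ssw0rd", defs["users"][0]["password_hash"])
    # Save the output and load it with: rabbitmqctl import_definitions definitions.json
    print(json.dumps(defs, indent=2))
```

Write the JSON to a file and load it with rabbitmqctl import_definitions. The hash is a single SHA-256 with a 4-byte salt, so it is cheap to attack offline: treat the definitions file as a secret (restrict its permissions and keep it out of version control), exactly as you would the password itself.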
Category: RabbitMQ