I've been working on getting the qpid C++ broker to listen only on specific
network interfaces if that is desired.
Currently there is no way to restrict the network interfaces that qpidd
listens on. There are currently 2 broker command line options (and
corresponding config file settings and environment variables):
--port [default 5672] & --ssl-port [default 5671].
With these the broker will listen on all network interfaces to these
ports.
The proposal:
* New option setting --interface
Introduce a new command line option --interface (and corresponding
config file settings and environment variables). This option may be
repeated to indicate multiple listening endpoints. If --interface is not
specified at all then the behaviour is as before - listening on all
interfaces for both amqp and amqps (if configured). If even a single
interface is specified then we don't attempt to listen on all interfaces
anymore.
* Specifying interfaces:
Interfaces can be specified as either an interface name or an address
which must be a local address of an interface.
If the interface name is used then every address associated with that
interface will be used.
If a literal address is used it can be specified as usual for IPv4 (eg
127.0.0.1), but if an IPv6 address is specified it must be enclosed in
square braces ("[" and "]") (eg [::1]).
If --interface is specified then there are 2 possibilities:
* Specifying just an interface
For example --interface em1 or --interface 127.0.0.1 or
--interface [::1].
In this case the broker will listen on the specified interface on both
ports (regular and ssl) as required.
* Specifying an interface and a port
For example --interface wlan0:5672 or --interface 127.0.0.1:465 or
--interface [fe80::3e97:eff:fe14:bbc1%em1]:12002
In this case the broker will only listen on the specified port but will
listen for both regular and ssl connections on the same port.
* Error behaviour
The broker may be unable (for whatever reason) to listen on the
specified ports (Perhaps the specified network interface doesn't exist;
perhaps the specified address isn't actually an address of a connected
interface etc.). In this case we will not fall back to listening on
every network interface - the assumption here is that specifying some
interfaces is a deliberate restriction, quite possibly for security
reasons and so we must "fail safe" and not expose the broker to
potentially hostile network traffic because of a misconfiguration.
I'm keen to hear any comments.
Ideally I'd like to get some of this work into 0.20. And as the
behaviour is backward compatible I think that's feasible.
Andrew
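As an added example (my own illustration, not code from the qpid project), the C++ below parses the --interface syntax described in the proposal above, expands the option list into concrete listen endpoints (no --interface at all keeps the old wildcard behaviour; an explicit port carries both plain and ssl on that one port), and applies the "fail safe" rule: if any requested endpoint cannot be bound, start-up is refused rather than silently falling back to all interfaces. The ListenSpec and Endpoint types, the function names, the fakeBind stand-in for a real bind() and the sample values are assumptions made for this example, not qpidd's internals.

```cpp
// Added example, not qpid's own code: parse --interface values, expand them into
// listen endpoints, and refuse to start when a requested endpoint cannot be bound.
#include <cstdlib>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

struct ListenSpec {
    std::string host;   // interface name, IPv4 literal, or IPv6 literal without brackets
    bool ipv6Literal;   // true when the [..] form was used
    int port;           // 0: no port given, so both the amqp and amqps ports are used
};

// Parse one --interface value (assumed syntax, following the proposal):
//   name | v4addr | [v6addr]                 -> both configured ports
//   name:port | v4addr:port | [v6addr]:port  -> that single port only
ListenSpec parseInterface(const std::string& spec) {
    ListenSpec out; out.ipv6Literal = false; out.port = 0;
    std::string rest;
    if (!spec.empty() && spec[0] == '[') {
        std::string::size_type close = spec.find(']');
        if (close == std::string::npos || close == 1)
            throw std::invalid_argument("bad IPv6 literal: " + spec);
        out.host = spec.substr(1, close - 1);
        out.ipv6Literal = true;
        rest = spec.substr(close + 1);
        if (!rest.empty() && rest[0] != ':')
            throw std::invalid_argument("junk after IPv6 literal: " + spec);
    } else {
        // Unbracketed values may hold at most one ':' (the port separator), so a
        // bare IPv6 literal such as ::1 is rejected instead of being misparsed.
        std::string::size_type colon = spec.find(':');
        if (colon != std::string::npos && spec.find(':', colon + 1) != std::string::npos)
            throw std::invalid_argument("IPv6 literal must be enclosed in []: " + spec);
        out.host = spec.substr(0, colon);
        if (colon != std::string::npos) rest = spec.substr(colon);
    }
    if (out.host.empty()) throw std::invalid_argument("missing interface: " + spec);
    if (!rest.empty()) {
        std::string p = rest.substr(1);
        if (p.empty() || p.find_first_not_of("0123456789") != std::string::npos)
            throw std::invalid_argument("bad port: " + spec);
        long n = std::strtol(p.c_str(), 0, 10);
        if (n < 1 || n > 65535) throw std::invalid_argument("port out of range: " + spec);
        out.port = static_cast<int>(n);
    }
    return out;
}

// True if the value is accepted by parseInterface (used to check rejections).
bool parses(const std::string& spec) {
    try { parseInterface(spec); return true; } catch (const std::invalid_argument&) { return false; }
}

struct Endpoint {
    std::string host;   // empty host means "all interfaces" (the old default)
    int port;
    bool plain;         // accept unencrypted amqp here
    bool ssl;           // accept amqps here
};

// Expand the whole --interface list. No entries keeps the previous behaviour
// (wildcard listeners on both ports); otherwise only the listed interfaces are
// used, and an explicit port carries both plain and ssl on that one port.
std::vector<Endpoint> listenEndpoints(const std::vector<std::string>& specs,
                                      int amqpPort, int amqpsPort, bool sslConfigured) {
    std::vector<Endpoint> eps;
    if (specs.empty()) {
        Endpoint a = { "", amqpPort, true, false }; eps.push_back(a);
        if (sslConfigured) { Endpoint s = { "", amqpsPort, false, true }; eps.push_back(s); }
        return eps;
    }
    for (size_t i = 0; i < specs.size(); ++i) {
        ListenSpec ls = parseInterface(specs[i]);
        if (ls.port) { Endpoint e = { ls.host, ls.port, true, sslConfigured }; eps.push_back(e); continue; }
        Endpoint a = { ls.host, amqpPort, true, false }; eps.push_back(a);
        if (sslConfigured) { Endpoint s = { ls.host, amqpsPort, false, true }; eps.push_back(s); }
    }
    return eps;
}

std::string describe(const Endpoint& e) {
    std::string s = (e.host.empty() ? std::string("*") : e.host) + ":" + std::to_string(e.port);
    if (e.plain) s += " amqp";
    if (e.ssl) s += e.plain ? "+amqps" : " amqps";
    return s;
}

typedef bool (*BindFn)(const Endpoint&);

// Fail-safe start-up: bind every requested endpoint and abort on the first
// failure instead of quietly substituting a wildcard listener for it.
std::vector<Endpoint> bindAllOrFail(const std::vector<Endpoint>& eps, BindFn tryBind) {
    std::vector<Endpoint> bound;
    for (size_t i = 0; i < eps.size(); ++i) {
        if (!tryBind(eps[i]))
            throw std::runtime_error("cannot listen on " + describe(eps[i]) +
                                     "; refusing to fall back to all interfaces");
        bound.push_back(eps[i]);
    }
    return bound;
}

// Constructed stand-in for a real bind(): only the wildcard, 127.0.0.1 and em1 exist here.
bool fakeBind(const Endpoint& e) { return e.host.empty() || e.host == "127.0.0.1" || e.host == "em1"; }

// Whole start-up decision for a given option list: true if every endpoint was bound.
bool startsUp(const std::vector<std::string>& specs, bool sslConfigured) {
    try { bindAllOrFail(listenEndpoints(specs, 5672, 5671, sslConfigured), fakeBind); return true; }
    catch (const std::exception&) { return false; }
}

int main() {
    const char* argv[] = { "em1", "127.0.0.1:465", "[fe80::3e97:eff:fe14:bbc1%em1]:12002" };
    std::vector<std::string> specs(argv, argv + 3);
    std::vector<Endpoint> eps = listenEndpoints(specs, 5672, 5671, true);
    for (size_t i = 0; i < eps.size(); ++i) std::cout << describe(eps[i]) << "\n";
    std::cout << (startsUp(std::vector<std::string>(1, "wlan0:5672"), true) ? "started\n" : "refused to start\n");
    return 0;
}
```

Two design points worth noting: a bare IPv6 literal without brackets is rejected outright because "::1:5672" would otherwise be ambiguous between address and port, and a misconfigured interface name (wlan0 in the sample, which the stand-in binder does not know) makes startsUp return false instead of leaving the broker reachable on every interface.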