Hi Andrew,

It is not clear to me from your proposal whether I can specify multiple interfaces to listen on. Can I pass multiple "interface=..." options in the config file in the same way I can use multiple "log-level=..." options?

Also I think it would be great if I could distinguish between SSL and PLAIN on different interfaces. For example, on some of our brokers we have one network interface which connects the broker to our internal network and where we would like to use the regular (non-SSL) port only. The second interface connects our external customers, which always use only SSL. Right now we use a firewall to allow only the regular port from the internal network and only the SSL port from the external one. But it would be nice to have the interface feature support this scenario.

Thanks & Regards
Jakub

On Tue, Nov 13, 2012 at 11:44 PM, Andrew Stitcher <[email protected]> wrote:
> I've been working on getting the qpid C++ broker to listen only on specific
> network interfaces if that is desired.
>
> Currently there is no way to restrict the network interfaces that qpidd
> listens to; there are currently 2 broker command line options (and
> corresponding config file settings and environment variables):
> --port [default 5672] & --ssl-port [default 5671].
> With these the broker will listen on all network interfaces to these
> ports.
>
> The proposal:
>
> * New option setting --interface
>
> Introduce a new command line option --interface (and corresponding
> config file settings and environment variables). This option may be
> repeated to indicate multiple listening endpoints. If --interface is not
> specified at all then the behaviour is as before - listening on all
> interfaces for both amqp and amqps (if configured). If even a single
> interface is specified then we don't attempt to listen on all interfaces
> anymore.
>
> * Specifying interfaces:
>
> Interfaces can be specified as either an interface name or an address
> which must be a local address of an interface.
>
> If the interface name is used then every address associated with that
> interface will be used.
>
> If a literal address is used it can be specified as usual for IPv4 (eg
> 127.0.0.1), but if an IPv6 address is specified it must be enclosed in
> square braces ("[" and "]") (eg [::1]).
>
> If --interface is specified then there are 2 possibilities:
>
> * Specifying just an interface
>
> For example --interface em1 or --interface 127.0.0.1 or
> --interface [::1].
>
> In this case the broker will listen on the specified interface on both
> ports (regular and ssl) as required.
>
> * Specifying an interface and a port
>
> For example --interface wlan0:5672 or --interface 127.0.0.1:465 or
> --interface [fe80::3e97:eff:fe14:bbc1%em1]:12002
>
> In this case the broker will only listen on the specified port but will
> listen for both regular and ssl connections on the same port.
>
> * Error behaviour
>
> The broker may be unable (for whatever reason) to listen on the
> specified ports (perhaps the specified network interface doesn't exist;
> perhaps the specified address isn't actually an address of a connected
> interface etc.). In this case we will not fall back to listening on
> every network interface - the assumption here is that specifying some
> interfaces is a deliberate restriction, quite possibly for security
> reasons and so we must "fail safe" and not expose the broker to
> potentially hostile network traffic because of a misconfiguration.
>
> I'm keen to hear any comments.
>
> Ideally I'd like to get some of this work into 0.20. And as the
> behaviour is backward compatible I think that's feasible.
>
> Andrew
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
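To make the proposed `--interface` syntax and its fail-safe rule concrete, here is an added C++ sketch of how the option values could be parsed and turned into listening endpoints. It is illustrative code written for this thread, not qpidd's implementation: `InterfaceSpec`, `parseInterfaceSpec`, `planListeners` and the `InterfaceTable` stand-in for the operating system's interface list are all hypothetical names, and the addresses in `main` are constructed documentation-range values. It follows the quoted proposal exactly: a name binds every address of that interface, an IPv4 or bracketed IPv6 literal must be a local address, `:port` means one shared port for both plain and SSL, and any value that is malformed or cannot be resolved makes the whole plan fail rather than falling back to all interfaces.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// One parsed --interface value: name, IPv4 literal or [IPv6] literal,
// optionally followed by :port (syntax as described in the proposal).
struct InterfaceSpec {
    std::string target;            // interface name or literal address, brackets stripped
    bool isIPv6Literal = false;    // true when the value was written as [addr]
    std::optional<uint16_t> port;  // absent: use the regular and ssl ports
};

// True for a dotted-quad IPv4 literal such as 127.0.0.1.
static bool isIPv4Literal(const std::string& s) {
    int groups = 0;
    std::size_t pos = 0;
    while (pos <= s.size()) {
        std::size_t dot = s.find('.', pos);
        std::string g = s.substr(pos, dot == std::string::npos ? std::string::npos : dot - pos);
        if (g.empty() || g.size() > 3 || g.find_first_not_of("0123456789") != std::string::npos) return false;
        if (std::stoi(g) > 255) return false;
        ++groups;
        if (dot == std::string::npos) break;
        pos = dot + 1;
    }
    return groups == 4;
}

// Parse a single --interface value; throws std::invalid_argument on bad syntax.
InterfaceSpec parseInterfaceSpec(const std::string& value) {
    InterfaceSpec spec;
    std::string rest;  // the ":port" suffix, if present
    if (!value.empty() && value[0] == '[') {
        std::size_t close = value.find(']');
        if (close == std::string::npos) throw std::invalid_argument("unterminated '[' in " + value);
        spec.target = value.substr(1, close - 1);
        spec.isIPv6Literal = true;
        rest = value.substr(close + 1);
    } else {
        std::size_t colon = value.find(':');
        spec.target = value.substr(0, colon);
        if (colon != std::string::npos) rest = value.substr(colon);
    }
    // An unbracketed IPv6 literal such as "::1" ends up with an empty target here,
    // which enforces the proposal's rule that IPv6 addresses must be bracketed.
    if (spec.target.empty()) throw std::invalid_argument("missing interface or address in " + value);
    if (!rest.empty()) {
        if (rest[0] != ':') throw std::invalid_argument("unexpected text after ']' in " + value);
        std::string digits = rest.substr(1);
        if (digits.empty() || digits.size() > 5 || digits.find_first_not_of("0123456789") != std::string::npos)
            throw std::invalid_argument("bad port in " + value);
        unsigned long p = std::stoul(digits);
        if (p == 0 || p > 65535) throw std::invalid_argument("port out of range in " + value);
        spec.port = static_cast<uint16_t>(p);
    }
    return spec;
}

// A socket the broker would bind. "interface:port" accepts both kinds of connection.
struct Endpoint {
    std::string address;  // "*" marks the all-interfaces default (constructed marker)
    uint16_t port;
    bool plain;
    bool ssl;
};

// Constructed stand-in for the OS interface table: interface name -> local addresses.
using InterfaceTable = std::map<std::string, std::vector<std::string>>;

// Resolve a spec to concrete local addresses; empty means nothing matched.
static std::vector<std::string> resolveAddresses(const InterfaceSpec& spec, const InterfaceTable& ifaces) {
    if (spec.isIPv6Literal || isIPv4Literal(spec.target)) {
        for (const auto& kv : ifaces)             // a literal must be an address of a local interface
            for (const auto& addr : kv.second)
                if (addr == spec.target) return {addr};
        return {};
    }
    auto it = ifaces.find(spec.target);           // a name binds every address of that interface
    return it == ifaces.end() ? std::vector<std::string>{} : it->second;
}

// Build the listening plan. std::nullopt means "fail safe": some value was malformed
// or unresolvable, and the broker must not fall back to listening everywhere.
std::optional<std::vector<Endpoint>> planListeners(const std::vector<std::string>& specs, const InterfaceTable& ifaces,
                                                   uint16_t port, uint16_t sslPort, bool sslConfigured) {
    std::vector<Endpoint> out;
    if (specs.empty()) {  // backward-compatible default: all interfaces, amqp and (if configured) amqps
        out.push_back({"*", port, true, false});
        if (sslConfigured) out.push_back({"*", sslPort, false, true});
        return out;
    }
    for (const auto& value : specs) {
        InterfaceSpec spec;
        try { spec = parseInterfaceSpec(value); } catch (const std::invalid_argument&) { return std::nullopt; }
        std::vector<std::string> addrs = resolveAddresses(spec, ifaces);
        if (addrs.empty()) return std::nullopt;
        for (const auto& a : addrs) {
            if (spec.port) out.push_back({a, *spec.port, true, true});  // one shared port, plain and ssl
            else {
                out.push_back({a, port, true, false});
                if (sslConfigured) out.push_back({a, sslPort, false, true});
            }
        }
    }
    return out;
}

int main() {
    InterfaceTable ifaces = {{"em1", {"192.0.2.10"}}, {"wlan0", {"198.51.100.7", "fe80::1%wlan0"}}};  // constructed
    auto plan = planListeners({"em1", "wlan0:5672"}, ifaces, 5672, 5671, true);
    if (!plan) { std::cerr << "refusing to start: --interface configuration is invalid\n"; return 1; }
    for (const auto& e : *plan)
        std::cout << e.address << ':' << e.port << (e.plain ? " plain" : "") << (e.ssl ? " ssl" : "") << '\n';
    return 0;
}
```

The point of returning `std::nullopt` instead of an empty or partial plan is that the caller cannot quietly proceed: a typo in an interface name or an address that is not configured on the host stops the broker, which is the behaviour Andrew describes under "Error behaviour". The per-interface SSL-versus-plain split Jakub asks about is not part of the proposal and is deliberately not modelled here.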
