Articles

Secure RabbitMQ: Best Practices Checklist (2026)

April 16, 2026 6 min read

RabbitMQ is often deployed without authentication or authorization, making it an easy target for attackers to read, modify, or delete sensitive data.

Let’s see RabbitMQ in action, securing it with basic authentication and authorization.

# Install RabbitMQ (example for Ubuntu)
sudo apt update
sudo apt install rabbitmq-server

# Start and enable RabbitMQ
sudo systemctl start rabbitmq-server
sudo systemctl enable rabbitmq-server

# Access the RabbitMQ Management UI (default is http://localhost:15672)
# Initially, it might be accessible without credentials.
# We'll secure this.

The core problem RabbitMQ solves is reliable message queuing. It acts as a buffer between your applications, allowing them to communicate asynchronously and at different rates without direct, synchronous connections. This decouples services, improves fault tolerance, and enables complex messaging patterns.

Internally, RabbitMQ is an Erlang application that implements the Advanced Message Queuing Protocol (AMQP) and other protocols like STOMP and MQTT. It manages exchanges, queues, and bindings. Producers send messages to exchanges, which then route them to queues based on defined rules (bindings). Consumers then read messages from these queues.

Here’s a practical checklist for securing your RabbitMQ deployment:

1. Enable Authentication:

  • Problem: By default, RabbitMQ might allow anonymous access, meaning anyone who can reach your RabbitMQ server can connect and potentially interact with it.
  • Diagnosis: Check the rabbitmq.conf file (usually in /etc/rabbitmq/). Look for lines related to listeners.tcp and auth_backends. If auth_backends is not explicitly set or is commented out, it might default to anonymous access.
  • Fix: Configure an authentication backend. The most common is internal for managing users within RabbitMQ itself.
    • Edit /etc/rabbitmq/rabbitmq.conf and add/ensure:
      listeners.tcp.default = 5672
listeners.ssl.default = 5671
auth_backends = rabbitmq_auth_backend_internal
    • Restart RabbitMQ: sudo systemctl restart rabbitmq-server
    • Why it works: This tells RabbitMQ to use its internal user management system for authentication, requiring a username and password for all connections.

2. Create Non-Default Users and Strong Passwords:

  • Problem: The default guest user has wide-ranging privileges and is only allowed to connect from localhost. If you expose RabbitMQ to the network and forget to disable the guest user or change its password, it’s a significant vulnerability.
  • Diagnosis: Use rabbitmqctl to list users.
    sudo rabbitmqctl list_users
    Observe if the guest user is present and what its privileges are.
  • Fix: Delete the guest user and create new users with specific permissions.
    # Delete the guest user (if it exists and you're not using it for local dev)
sudo rabbitmqctl delete_user guest

# Create a new user
sudo rabbitmqctl add_user myapp_user 'my_super_secret_password_123!'

# Grant permissions to the new user (example: full access to a virtual host)
sudo rabbitmqctl set_permissions -p / myapp_user ".*" ".*" ".*"

# Grant permissions to manage the management plugin (optional, for UI access)
sudo rabbitmqctl set_permissions -p / rabbitmq ".*" ".*" ".*"
    • Why it works: This removes the known, weak guest user and replaces it with a properly authenticated user with a strong, unique password. Granting specific permissions (e.g., to a particular virtual host) follows the principle of least privilege.

3. Use Virtual Hosts (vhosts) for Isolation:

  • Problem: Without vhosts, all users and all applications share the same namespace, making it difficult to isolate environments (e.g., development vs. production) or different applications.
  • Diagnosis: List existing vhosts.
    sudo rabbitmqctl list_vhosts
    If you only see /, you’re likely not using vhosts effectively.
  • Fix: Create separate vhosts for different applications or environments.
    # Create a new virtual host
sudo rabbitmqctl add_vhost my_app_vhost

# Grant permissions to a user for this vhost
sudo rabbitmqctl set_permissions -p my_app_vhost myapp_user ".*" ".*" ".*"
    • Why it works: Vhosts act as isolated logical RabbitMQ servers within a single physical instance. This prevents applications in one vhost from interfering with or accessing resources in another.

4. Enable TLS/SSL for Encrypted Communication:

  • Problem: By default, connections to RabbitMQ are unencrypted, meaning credentials and message content can be intercepted and read by attackers on the network.
  • Diagnosis: Check your rabbitmq.conf for listeners.ssl.default and ensure it’s configured.
  • Fix: Configure TLS/SSL. This involves generating or obtaining SSL certificates and configuring RabbitMQ to listen on the SSL port (usually 5671).
    • In /etc/rabbitmq/rabbitmq.conf:
      listeners.ssl.default = 5671
ssl_listeners.tcp.0 = 5672 # Optional: keep TCP if needed, but recommend disabling for production
ssl_certfile = /path/to/your/cert.pem
ssl_keyfile = /path/to/your/key.pem
ssl_verify = verify_none # Or configure client certificate verification
    • Restart RabbitMQ: sudo systemctl restart rabbitmq-server
    • Why it works: TLS encrypts the data in transit, protecting credentials and message payloads from eavesdropping.

5. Configure Firewall Rules:

  • Problem: Exposing RabbitMQ ports (AMQP: 5672, Management UI: 15672, Clustering: 25672) to the public internet without a firewall is extremely risky.
  • Diagnosis: Use ufw (on Ubuntu) or firewalld (on CentOS/RHEL) to check current rules.
    # Example with ufw
sudo ufw status verbose
  • Fix: Only allow access from trusted IP addresses or networks.
    # Example: Allow AMQP and management UI only from a specific IP range
sudo ufw allow from 192.168.1.0/24 to any port 5672
sudo ufw allow from 192.168.1.0/24 to any port 15672
sudo ufw enable # If not already enabled
    • Why it works: This creates a network-level barrier, preventing unauthorized hosts from even attempting to connect to RabbitMQ.

6. Disable the Guest User (Crucial):

  • Problem: The guest user is a security risk if accessible from anywhere other than localhost.
  • Diagnosis: As in point 2, sudo rabbitmqctl list_users.
  • Fix: Delete the guest user using sudo rabbitmqctl delete_user guest. If you absolutely must keep it for local development, ensure your rabbitmq.conf has:
    # In rabbitmq.conf for allowing guest from localhost ONLY
listeners.tcp.default = 5672
listeners.ssl.default = 5671
auth_backends = rabbitmq_auth_backend_internal
# If guest is needed ONLY for local dev:
# loopback_users.guest = true
    • Why it works: This removes the default, known-to-be-insecure user account.

7. Secure the Management UI:

  • Problem: The management UI (port 15672) provides a powerful interface to manage RabbitMQ. If unauthenticated or poorly secured, it’s a prime target.
  • Diagnosis: Attempt to access http://<your-rabbitmq-ip>:15672 without credentials.
  • Fix: Ensure you have enabled authentication (point 1) and have created specific users with permissions for the management plugin (point 2). If you want to restrict access further, consider using a reverse proxy with stricter access controls or a VPN.
    • Why it works: By treating the management UI like any other RabbitMQ access point and securing it with strong authentication and authorization, you prevent unauthorized administrative actions.

8. Consider Clustering and HA:

  • Problem: While not strictly a security vulnerability, a single RabbitMQ node is a single point of failure and can be a target for Denial-of-Service (DoS) attacks.
  • Diagnosis: Check if you have multiple RabbitMQ nodes configured to communicate.
  • Fix: Set up a RabbitMQ cluster. For high availability (HA), configure mirrored queues or quorum queues.
    • Why it works: Clustering distributes the load and provides redundancy. Mirrored/quorum queues ensure that messages are replicated across nodes, so if one node fails, messages are not lost. This increases resilience against outages and certain types of attacks.

9. Regularly Update and Patch:

  • Problem: Like any software, RabbitMQ can have vulnerabilities discovered over time.
  • Diagnosis: Keep track of RabbitMQ release notes and security advisories.
  • Fix: Regularly update your RabbitMQ installation to the latest stable version.
    # Example for Ubuntu
sudo apt update
sudo apt upgrade rabbitmq-server
    • Why it works: This ensures that any known security flaws are patched, reducing your attack surface.

The next security concern you’ll likely face is more advanced authorization strategies, such as how to grant specific users permissions to only publish to certain exchanges or consume from specific queues, rather than broad access to entire virtual hosts.

Want structured learning?

Take the full Amqp course →