RabbitCage

WARNING: This project is at a very early stage of development. The command line options and the config file format will most likely change in future versions.

RabbitCage is an AMQP application firewall built on EventMachine. The code has been heavily inspired by mojombo's awesome ProxyMachine.

RabbitCage was written because RabbitMQ's access control capabilities are rather limited.

RabbitCage works as a transparent, content-aware proxy between the connecting client and an AMQP broker (currently only tested with RabbitMQ). Based on configured ACL-like rules, RabbitCage will either forward or reject the message. Messages sent from the broker are forwarded directly to the client using EventMachine's proxy_incoming_to, so RabbitCage only affects client -> server performance.

Installation

sudo gem install rabbitcage

Running

Usage:
rabbitcage -c <config file> [-h <host>] [-p <port>]

Options:
    -c, --config CONFIG              Configuration file
    -h, --host HOST                  Hostname to bind. Default 0.0.0.0
    -p, --port PORT                  Port to listen on. Default 5672
    -r, --remote-host HOST           Hostname of the RabbitMQ server to connect to. Default 'localhost'
    -x, --remote-port PORT           Port of the RabbitMQ server to connect to. Default 5673
    -v                               Verbose output (denied requests).
    -V                               Very verbose output (denied requests/allowed requests).
    -D                               Debug output (denied requests/allowed requests/debug info).

Example config file

# Basic syntax:
# allow|deny 'username'|:all, AMQP method|:all, AMQP class|:all, Hash of AMQP method properties
#
# This example will allow the admin user to perform any action on the broker.
# A guest is allowed to consume every exchange whose name does not start with 'private_' and
# register every queue whose name does not start with 'reserved_'
include RabbitCageACL
config do
  allow 'admin', :all, :all
  allow 'guest', :all, :queue, :name => /^(?!reserved_)/
  allow 'guest', :all, :exchange, :name => /^(?!private_)/
  allow 'guest', [:consume, :get], :basic
  allow 'guest', :all, :connection
  allow 'guest', :all, :channel
  allow 'guest', :all, :access
  default :deny
end

Note on Patches/Pull Requests

  • Fork the project.
  • Make your feature addition or bug fix.
  • Add tests for it. This is important so I don't break it in a future version unintentionally.
  • Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
  • Send me a pull request. Bonus points for topic branches.

Copyright (c) 2009 Dominik Sander. See LICENSE for details.