Very cool. Sometimes I'm amazed how flexible Artemis is!

To be able to deploy 100% working scenario to production, because of 
https://issues.apache.org/jira/browse/ARTEMIS-5439 , I will have to wait for 
the next Artemis release, but thank you again for the help.

-- 
    Vilius

-----Original Message-----
From: Domenico Francesco Bruscino <bruscin...@gmail.com> 
Sent: Friday, April 18, 2025 3:30 PM
To: users@activemq.apache.org
Subject: Re: IP address whitelisting for Artemis users

The current implementation doesn't allow combining different key types in one 
router.
In your case, the native router redirection is not used. The redirection allows 
you to redirect a client connection to another target broker.
In your case, the connection router is used to reject connections that don't 
match the local-target-filter and it works for all clients.

Domenico

On Fri, 18 Apr 2025 at 13:14, Vilius Šumskas <vilius.sums...@rivile.lt.invalid> 
wrote:

> Thank you. It is working very well! A couple more questions:
> * Is it possible to combine different key types in one router? For 
> example, have connections checked for USER_NAME or ROLE_NAME if the user 
> name is not found?
> * Documentation mentions that native router redirection works for 
> specific clients. Do these clients need to be of a particular version, 
> or is native redirection implemented using the native protocol 
> specification? E.g. will any AMQP 0.9 client work?
>
> --
>     Vilius
>
> -----Original Message-----
> From: Domenico Francesco Bruscino <bruscin...@gmail.com>
> Sent: Thursday, April 17, 2025 4:25 PM
> To: users@activemq.apache.org
> Subject: Re: IP address whitelisting for Artemis users
>
> In my previous example there is an error, I meant:
>
>       <connection-router name="allow-privileged-users">
>             <key-type>USER_NAME</key-type>
>             <local-target-filter>^(foo|too)$</local-target-filter>
>       </connection-router>
>
>       <connection-router name="deny-privileged-users">
>             <key-type>USER_NAME</key-type>
>             <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
>       </connection-router>
>
>       <acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
>
>       <acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...
>
> Domenico
>
> On Thu, 17 Apr 2025 at 15:24, Domenico Francesco Bruscino < 
> bruscin...@gmail.com> wrote:
>
> > Yes, you can use a connection-router to allow only the connections 
> > that match the local-target-filter, i.e.
> >
> >       <connection-router name="allow-privileged-users">
> >             <key-type>USER_NAME</key-type>
> >             <local-target-filter>^(foo|too)$</local-target-filter>
> >       </connection-router>
> >
> >       <connection-router name="deny-privileged-users">
> >             <key-type>SOURCE_IP</key-type>
> >             <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
> >       </connection-router>
> >
> >       <acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
> >
> >       <acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...
> >
> > Domenico
> >
> >
> >
> > On Thu, 17 Apr 2025 at 13:55, Vilius Šumskas 
> > <vilius.sums...@rivile.lt.invalid> wrote:
> >
> >> I'm trying to wrap my head around how connection router 
> >> functionality works.
> >>
> >> In my case, I already have two acceptors: an SSL-protected and 
> >> externally exposed one, which should be used only by the external 
> >> unprivileged users, and an internal one on a different AMQP port, which 
> >> should be used by the privileged internal users. If I understand 
> >> correctly, that external acceptor should be configured in such a 
> >> way that it allows all users, except for a few privileged ones. Since 
> >> we are using ActiveMQBasicSecurityManager I probably cannot use a 
> >> security domain here, but looking through the documentation, I should 
> >> be able to use redirection on a specific acceptor with key-type USER_NAME, 
> >> right?
> >>
> >> --
> >>     Vilius
> >>
> >> -----Original Message-----
> >> From: Domenico Francesco Bruscino <bruscin...@gmail.com>
> >> Sent: Wednesday, April 16, 2025 9:27 AM
> >> To: users@activemq.apache.org
> >> Subject: Re: IP address whitelisting for Artemis users
> >>
> >> Hi Vilius,
> >>
> >> you can create an acceptor that allows only connections from 
> >> specific users by setting a per-acceptor security domain[1] and a 
> >> connection router[2] to reject connections with a source IP address 
> >> that doesn't match your filter, i.e.
> >>
> >>       <connection-router name="privileged-ip-filter">
> >>             <key-type>SOURCE_IP</key-type>
> >>             <local-target-filter>^192\.168\.10\.1|192\.168\.10\.2$</local-target-filter>
> >>       </connection-router>
> >>
> >> [1]
> >> https://activemq.apache.org/components/artemis/documentation/latest/security.html#per-acceptor-security-domains
> >> [2]
> >> https://activemq.apache.org/components/artemis/documentation/latest/connection-routers.html#connection-routers
> >>
> >> Regards,
> >> Domenico
> >>
> >>
> >> On Tue, 15 Apr 2025 at 22:24, Vilius Šumskas 
> >> <vilius.sums...@rivile.lt.invalid>
> >> wrote:
> >>
> >> > Hi,
> >> >
> >> > is there a way to somehow limit which IP an Artemis user is allowed 
> >> > to connect from? We had instances where a privileged user dedicated 
> >> > to internal usage only was used in externalized Java services. I 
> >> > want to protect these users from being used where they should not be.
> >> >
> >> > --
> >> >    Best Regards,
> >> >     Vilius
> >> >
> >> >
> >>
> >
>
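Added by the editor as a pre-deployment check, not code from this thread or from the Artemis project: it evaluates the local-target-filter regexes quoted above (the USER_NAME allow/deny pair and the SOURCE_IP filter) against constructed keys. It assumes the filter is compiled as a Java regex; whether the broker requires the whole key to match (Matcher.matches()) or accepts any substring (Matcher.find()) is an assumption, so the harness evaluates both ways and reports keys whose verdict differs, which is the signature of an under-anchored filter.

```python
import re

# Filter values as posted in the thread (Java regex syntax; the anchors,
# alternation and negative lookahead used here behave the same in Python's re).
ALLOW_PRIVILEGED = r"^(foo|too)$"
DENY_PRIVILEGED = r"^(?!foo$|too$).*$"
PRIVILEGED_IPS = r"^192\.168\.10\.1|192\.168\.10\.2$"          # alternation not grouped
PRIVILEGED_IPS_GROUPED = r"^(192\.168\.10\.1|192\.168\.10\.2)$"  # editor's tightened form


def admits(pattern: str, key: str, whole_key: bool = True) -> bool:
    """True if the router keeps the connection on the local target.

    whole_key=True  mirrors Java Matcher.matches(): the entire key must match.
    whole_key=False mirrors Matcher.find(): any substring may match.
    Which one the broker applies is an assumption to confirm for the Artemis
    version in use; a filter should be written to give the same answer under both.
    """
    regex = re.compile(pattern)
    return (regex.fullmatch(key) if whole_key else regex.search(key)) is not None


def ambiguous_keys(pattern: str, keys):
    """Keys whose verdict depends on match semantics.

    A non-empty result means the filter is under-anchored and should be
    tightened (group the alternation, anchor both ends) before deployment.
    """
    return [k for k in keys if admits(pattern, k, True) != admits(pattern, k, False)]


def external_acceptor_admits(user: str) -> bool:
    """Verdict of the 'deny-privileged-users' router on the external acceptor.

    Note that an empty key passes this filter, so it is worth confirming what
    key the broker supplies for connections without a user name.
    """
    return admits(DENY_PRIVILEGED, user)


if __name__ == "__main__":
    # Constructed sample keys: two privileged names, an ordinary one, an empty
    # key, and source addresses sharing a prefix or suffix with the listed ones.
    users = ["foo", "too", "foobar", ""]
    ips = ["192.168.10.1", "192.168.10.100", "10.192.168.10.2"]
    for u in users:
        print(f"external acceptor, user {u!r}: admitted={external_acceptor_admits(u)}")
    print("ambiguous under ungrouped IP filter:", ambiguous_keys(PRIVILEGED_IPS, ips))
    print("ambiguous under grouped IP filter:  ", ambiguous_keys(PRIVILEGED_IPS_GROUPED, ips))
```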