> Do these clients need to be of a particular version, or is native redirection implemented using native protocol specification. E.g. any AMQP 0.9 client will work?
Just to avoid any confusion...AMQP 0.9 isn't supported. Only 1.0 is supported.

Justin

On Fri, Apr 18, 2025 at 6:14 AM Vilius Šumskas <vilius.sums...@rivile.lt.invalid> wrote:

> Thank you. It is working very well! Couple more questions:
> * Is it possible to combine different key types in one router? For
>   example, have connections checked for USER_NAME or ROLE_NAME if user name
>   is not found?
> * Documentation mentions that native router redirection works for specific
>   clients. Do these clients need to be of a particular version, or is native
>   redirection implemented using native protocol specification. E.g. any AMQP
>   0.9 client will work?
>
> --
> Vilius
>
> -----Original Message-----
> From: Domenico Francesco Bruscino <bruscin...@gmail.com>
> Sent: Thursday, April 17, 2025 4:25 PM
> To: users@activemq.apache.org
> Subject: Re: IP address whitelisting for Artemis users
>
> In my previous example there is an error, I meant:
>
> <connection-router name="allow-privileged-users">
>    <key-type>USER_NAME</key-type>
>    <local-target-filter>^(foo|too)$</local-target-filter>
> </connection-router>
>
> <connection-router name="deny-privileged-users">
>    <key-type>USER_NAME</key-type>
>    <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
> </connection-router>
>
> <acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
>
> <acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...
>
> Domenico
>
> On Thu, 17 Apr 2025 at 15:24, Domenico Francesco Bruscino <bruscin...@gmail.com> wrote:
>
> > Yes, you can use a connection-router to allow only the connections
> > that match the local-target-filter, i.e.
> >
> > <connection-router name="allow-privileged-users">
> >    <key-type>USER_NAME</key-type>
> >    <local-target-filter>^(foo|too)$</local-target-filter>
> > </connection-router>
> >
> > <connection-router name="deny-privileged-users">
> >    <key-type>SOURCE_IP</key-type>
> >    <local-target-filter>^(?!foo$|too$).*$</local-target-filter>
> > </connection-router>
> >
> > <acceptor name="internal">tcp://10.0.0.1:61616?router=allow-privileged-users...
> >
> > <acceptor name="external">tcp://0.0.0.0:61616?router=deny-privileged-users...
> >
> > Domenico
> >
> > On Thu, 17 Apr 2025 at 13:55, Vilius Šumskas
> > <vilius.sums...@rivile.lt.invalid> wrote:
> >
> >> I'm trying to wrap my head around how connection router functionality
> >> works.
> >>
> >> In my case, I already have two acceptors. SSL protected and
> >> externally exposed one, which should be used only by the external
> >> unprivileged users, and internal one on different AMQP port, which
> >> should be used by the privileged internal users. If I understand
> >> correctly, that external acceptor should be configured in such a way,
> >> that it allow all users, except for few privileged ones. Since we are
> >> using ActiveMQBasicSecurityManager I probably cannot use security
> >> domain here, but looking through documentation, I should be able to
> >> use redirection on a specific acceptor with key-type USER_NAME, right?
> >>
> >> --
> >> Vilius
> >>
> >> -----Original Message-----
> >> From: Domenico Francesco Bruscino <bruscin...@gmail.com>
> >> Sent: Wednesday, April 16, 2025 9:27 AM
> >> To: users@activemq.apache.org
> >> Subject: Re: IP address whitelisting for Artemis users
> >>
> >> Hi Villus,
> >>
> >> you can create an acceptor that allows only connections from specific
> >> users by setting a per-acceptor security domain[1] and a connection
> >> router[2] to reject connections with a source IP address that doesn't
> >> match your filter, i.e.
> >>
> >> <connection-router name="privileged-ip-filter">
> >>    <key-type>SOURCE_IP</key-type>
> >>    <local-target-filter>^192\.168\.10\.1|192\.168\.10\.2$</local-target-filter>
> >> </connection-router>
> >>
> >> [1] https://activemq.apache.org/components/artemis/documentation/latest/security.html#per-acceptor-security-domains
> >> [2] https://activemq.apache.org/components/artemis/documentation/latest/connection-routers.html#connection-routers
> >>
> >> Regards,
> >> Domenico
> >>
> >> On Tue, 15 Apr 2025 at 22:24, Vilius Šumskas
> >> <vilius.sums...@rivile.lt.invalid> wrote:
> >>
> >> > Hi,
> >> >
> >> > is there a way to somehow limit which IP Artemis user is allowed to
> >> > connect from? We had instances where privileged user dedicated to
> >> > internal usage only was used in externalized Java services. I want
> >> > to protect these users from being used where they should not be.
> >> >
> >> > --
> >> > Best Regards,
> >> > Vilius
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org
> For additional commands, e-mail: users-h...@activemq.apache.org
> For further information, visit: https://activemq.apache.org/contact
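
A way to check the filters quoted in this thread before deploying them, as an added example that is not part of any message above and is not Artemis code. It uses Python's `re`, which treats these particular patterns the same way as `java.util.regex`. Assumptions: the sample connections are constructed, each key is taken to be the bare user name or bare address, and because the thread does not say whether the filter must match the whole key or may match anywhere in it, both modes are compared.

```python
import re

# Filters copied from the thread.
ALLOW_USERS = r"^(foo|too)$"
DENY_USERS = r"^(?!foo$|too$).*$"
IP_FILTER = r"^192\.168\.10\.1|192\.168\.10\.2$"
# Added for comparison, not from the thread: alternation grouped inside the anchors.
IP_FILTER_GROUPED = r"^(192\.168\.10\.1|192\.168\.10\.2)$"

# Constructed sample connections (user names and addresses are made up).
CONNS = [
    {"USER_NAME": "foo", "SOURCE_IP": "10.0.0.25"},
    {"USER_NAME": "foo", "SOURCE_IP": "203.0.113.7"},
    {"USER_NAME": "food", "SOURCE_IP": "203.0.113.8"},
    {"USER_NAME": "alice", "SOURCE_IP": "192.168.10.100"},
]


def passes(pattern, key, whole=True):
    """True when the key satisfies the filter; whole=True requires the
    entire key to match, whole=False accepts a match anywhere in it."""
    rx = re.compile(pattern)
    return bool(rx.fullmatch(key) if whole else rx.search(key))


def router_decisions(key_type, pattern, whole=True):
    """Map 'user@ip' -> accepted? for a router keyed on key_type."""
    return {
        f"{c['USER_NAME']}@{c['SOURCE_IP']}": passes(pattern, c[key_type], whole)
        for c in CONNS
    }


def mode_dependent(pattern, keys):
    """Keys whose result differs between whole-key and substring matching."""
    return [k for k in keys if passes(pattern, k, True) != passes(pattern, k, False)]


if __name__ == "__main__":
    # Corrected config (USER_NAME key) versus the first version (SOURCE_IP key).
    print("deny router, USER_NAME key:", router_decisions("USER_NAME", DENY_USERS))
    print("deny router, SOURCE_IP key:", router_decisions("SOURCE_IP", DENY_USERS))
    ips = ["192.168.10.1", "192.168.10.2", "192.168.10.100", "10.192.168.10.2"]
    print("IP filter, mode-dependent:", mode_dependent(IP_FILTER, ips))
    print("grouped,   mode-dependent:", mode_dependent(IP_FILTER_GROUPED, ips))
```

With the SOURCE_IP key the user-name filter accepts every sample connection, which is the error the follow-up message corrects; the grouped IP filter gives the same result in both matching modes.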