Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time

RabbitMQ plug-in for client authorization based on source IP address

Build Status

Supported RabbitMQ and Erlang Versions

This plugin currently targets RabbitMQ 3.8.x and Erlang 21.3+. Please see the Releases page for binary downloads.

Binary Builds

Binary builds are published as GitHub releases.


This plugin uses both RabbitMQ configuration files, rabbitmq.conf and advanced.config.

An example configuration file follows:

auth_backends.1.authn = internal
auth_backends.1.authz = rabbit_auth_backend_ip_range
    {rabbitmq_auth_backend_ip_range, [
            [{'ip-private', [<<"::FFFF:">>]}]},
        {default_masks, [<<"::0/0">>]}

See RabbitMQ Configuration for more details. The following sub-sections provide detailed explanation of the related configuration options.

Using IP Range as an AuthZ Backend

The rabbit_auth_backend_ip_range should be used for authorization only. It may be used with the rabbit_auth_backend_internal, rabbit_auth_backend_ldap, or other options.

For example:

auth_backends.1.authn = internal
auth_backends.1.authz = rabbit_auth_backend_ip_range

auth_backends.2.authz = internal

This will use the internal backend for authentication. rabbit_auth_backend_ip_range will be tried for authorization first, with a fallback to the standard internal database backend.

Controlling the IP Range Access Control List

The plugin supports several paramters configurable via advanced.config:

tag_masks -- List of tuples {tag, [<<"ip/mask">>, ...]}. The tag corresponds to one of user Tags; the ip/mask is a permitted network mask of remote (client) address.

default_masks -- Default IP network mask [<<"ip/mask">>, ...] used when the user has none of the listed tags. Set this to [<<"::0/0">>] to accept untagged users (default behaviour), or to [<<"::0/127">>] to reject untagges users.

For example:

{rabbitmq_auth_backend_ip_range, [
        [{'ip-private', [<<"::FFFF:">>]}]},
    {default_masks, [<<"::0/0">>]}

This will allow users with the tag ip-private to login from private networks only. Other users will be able to login from any network.

The IPv4 mask (e.g. will match an IPv4 address only. The IPv4-mapped IPv6 mask (e.g. ::FFFF: will match both IPv4 and IPv6 addresses.

Build Instructions

Build Status

This plug-in requires a supported RabbitMQ release series. Build the plug-in following the standard Plugin Development Guide.


Please see the Releases page for binary downloads.

Version Date Erlang Notes
2.0.0+rmq-39 2022-02-15 23.2 Compatible with RabbitMQ 3.9.0 or later
2.0.0 2019-10-24 21.3 Compatible with RabbitMQ 3.8.0 or later
1.0.0 2019-10-24 20.3 Compatible with RabbitMQ 3.7.x
3.7.14 2019-04-03 20.3 Tag and release are deleted, use version 1.0.0
3.7.0 2018-08-01 19.3 Compatible with RabbitMQ 3.7.x. Tag and release are deleted. Use this commit and build with Erlang 19.3 if you need this version
0.2.0 2015-12-22 Compatible with RabbitMQ 3.6.x. Implement RabbitMQ Issue 109 fix for authorization of MQTT/STOMP connections.
0.1.1 2015-10-27 Bugfix release.
  • IPv4-mapped IPv6 addresses now match the respective IPv4 address.
  • Added some debug logs to hunt the Issue #2.
  • Authenticate against remote (client) address instead of local (server) address.
0.1.0 2014-11-14 First release. Compatible with RabbitMQ 3.5.x only.