RabbitMQ SASL EXTERNAL AMQP and Prometheus HTTP/HTTPS Authentication

Article ID: 405220

Updated On:

Products

RabbitMQ, VMware Tanzu RabbitMQ

Issue/Introduction

The SASL EXTERNAL mechanism, enabled by the rabbitmq-auth-mechanism-ssl plugin, lets AMQP clients authenticate to RabbitMQ using X.509 (TLS/SSL) client certificates, deriving the user identity from the certificate (e.g., the DN, CN, or SAN).

The SASL EXTERNAL mechanism cannot be applied to the Prometheus plugin's HTTP/HTTPS endpoint.

Environment

All supported RabbitMQ versions.

Cause

SASL EXTERNAL via rabbitmq-auth-mechanism-ssl only applies to AMQP and is not available for HTTP endpoints. The Prometheus plugin allows mTLS for connection security only—not for user identification or authorization.

Resolution

Workaround:

1. Use HTTP basic authentication or a trusted reverse proxy for the Prometheus /metrics endpoint.
2. Restrict endpoint access using network controls (e.g., subnets, firewalls, or IP allowlists).
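
One way to combine both workaround items behind a reverse proxy, shown as an added example (not from the original article or from RabbitMQ's own documentation): nginx requires a client certificate, checks its subject against an allowlist, applies an IP allowlist and basic authentication, and forwards to a Prometheus listener bound to loopback. The hostname, port 8443, file paths, subnet, and DN are placeholders, and it assumes the plugin's plain HTTP listener is on 127.0.0.1:15692.

```nginx
# Added example; hostname, paths, subnet and DN are placeholders.
# Assumes rabbitmq.conf binds the plugin's plain HTTP listener to loopback:
#   prometheus.tcp.ip   = 127.0.0.1
#   prometheus.tcp.port = 15692

# Place in the http {} context. Maps the verified client certificate
# subject (RFC 2253 form) to an allow flag.
map $ssl_client_s_dn $metrics_client_ok {
    default                                 0;
    "CN=prometheus-scraper,O=Example Corp"  1;
}

server {
    listen 8443 ssl;
    server_name rabbit-metrics.example.internal;

    ssl_certificate        /etc/nginx/tls/server.pem;
    ssl_certificate_key    /etc/nginx/tls/server.key;

    # mTLS: require a certificate issued by the monitoring CA.
    ssl_client_certificate /etc/nginx/tls/monitoring-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location = /metrics {
        # Network control: scraper subnet only.
        allow 10.20.30.0/24;
        deny  all;

        # Identity check that the Prometheus plugin does not perform itself.
        if ($metrics_client_ok = 0) { return 403; }

        # HTTP basic authentication on top of the certificate check.
        auth_basic           "RabbitMQ metrics";
        auth_basic_user_file /etc/nginx/metrics.htpasswd;

        proxy_pass http://127.0.0.1:15692/metrics;
    }

    # Nothing else on the node is exposed through this listener.
    location / { return 404; }
}
```

With the plugin bound to loopback, the proxy is the only network path to /metrics, so a host firewall rule blocking port 15692 from other hosts is a useful second layer.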

Additional Information