Expose rabbit outside docker swarm

YuryHrytsuk · YuryHrytsuk · commit 641c02577c42 · 2025-09-18T11:17:57.000+02:00
diff --git a/charts/simcore-charts/resource-usage-tracker/values.yaml.gotmpl b/charts/simcore-charts/resource-usage-tracker/values.yaml.gotmpl
@@ -120,12 +120,12 @@ env:
     value: {{ requiredEnv "RESOURCE_USAGE_TRACKER_PROMETHEUS_PASSWORD" }}
     sensitive: true
   - name: RABBIT_HOST
-    value: {{ requiredEnv "RABBIT_EXTERNAL_HOST" }}
+    value: {{ requiredEnv "RABBIT_HOST" }}
   - name: RABBIT_PASSWORD
     value: {{ requiredEnv "RABBIT_PASSWORD" }}
     sensitive: true
   - name: RABBIT_PORT
-    value: {{ requiredEnv "RABBIT_EXTERNAL_PORT" }}
+    value: {{ requiredEnv "RABBIT_PORT" }}
   - name: RABBIT_SECURE
     value: {{ requiredEnv "RABBIT_SECURE" }}
   - name: RABBIT_USER
diff --git a/services/rabbit/docker-compose.loadbalancer.yml.j2 b/services/rabbit/docker-compose.loadbalancer.yml.j2
@@ -32,14 +32,12 @@ services:
         - traefik.http.routers.rabbit_dashboard.tls=true
         - traefik.http.middlewares.rabbit_dashboard_replace_regex.replacepathregex.regex=^/rabbit/(.*)$$
         - traefik.http.middlewares.rabbit_dashboard_replace_regex.replacepathregex.replacement=/$${1}
-        - traefik.http.routers.rabbit_dashboard.middlewares=rabbit_dashboard_replace_regex@swarm, ops_gzip@swarm
-        {%- if RABBIT_EXPOSE_INTERNALLY|lower == "true" %}
-        - traefik.tcp.routers.rabbit.rule=ClientIP(`10.0.0.0/8`) || ClientIP(`172.16.0.0/12`) || ClientIP(`192.168.0.0/16`)
+        - traefik.http.routers.rabbit_dashboard.middlewares=rabbit_dashboard_replace_regex@swarm, ops_gzip@swarm, ops_whitelist_private_ips@swarm
+        - traefik.tcp.routers.rabbit.rule=Host(`${RABBIT_HOST}`)
         - traefik.tcp.routers.rabbit.entrypoints=rabbitmq
         - traefik.tcp.routers.rabbit.tls=false
         - traefik.tcp.routers.rabbit.service=rabbit
         - traefik.tcp.services.rabbit.loadbalancer.server.port=${RABBIT_PORT}
-        {%- endif %}
     healthcheck: # https://stackoverflow.com/a/76513320/12124525
       test: bash -c 'echo "" > /dev/tcp/127.0.0.1/32087 || exit 1'
       start_period: 5s
diff --git a/services/rabbit/template.env b/services/rabbit/template.env
@@ -1,9 +1,9 @@
 RABBIT_CLUSTER_NODE_COUNT=${RABBIT_CLUSTER_NODE_COUNT}
 RABBIT_QUORUM_QUEUE_DEFAULT_REPLICA_COUNT=${RABBIT_QUORUM_QUEUE_DEFAULT_REPLICA_COUNT}
-RABBIT_EXPOSE_INTERNALLY=${RABBIT_EXPOSE_INTERNALLY}
 
 RABBIT_USER=${RABBIT_USER}
 RABBIT_PASSWORD=${RABBIT_PASSWORD}
+RABBIT_HOST=${RABBIT_HOST}
 RABBIT_PORT=${RABBIT_PORT}
 RABBIT_MANAGEMENT_PORT=${RABBIT_MANAGEMENT_PORT}
 
diff --git a/services/traefik/docker-compose.yml.j2 b/services/traefik/docker-compose.yml.j2
@@ -109,6 +109,8 @@ services:
         - traefik.http.middlewares.ops_gzip.compress=true
         # ip whitelisting
         - traefik.http.middlewares.ops_whitelist_ips.ipallowlist.sourcerange=${TRAEFIK_IPWHITELIST_SOURCERANGE}
+        # ip whitelisting: only private ips
+        - traefik.http.middlewares.ops_whitelist_private_ips.ipallowlist.sourcerange=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
         # traefik UI
         - traefik.http.routers.api.service=api@internal
         - traefik.http.routers.api.rule=Host(`${MONITORING_DOMAIN}`) &&
