Request to Disable or Restrict Access to /cli/index.html and /cli/rabbitmqadmin for Security Reasons

[moerwald]

Summary

We are using RabbitMQ 4.1 with the management plugin enabled, and one of our customers has flagged the following URLs as a security concern:

• https://<host>:15672/cli/index.html
• https://<host>:15672/cli/rabbitmqadmin

These URLs expose the rabbitmqadmin command-line interface via the Management UI. In our customer's security review, these endpoints are considered unnecessary for production use and present a potential attack surface that should be restricted or disabled.

---

Why This Matters

Our customer's requirements include:

• Only essential UI features should be exposed
• No web-accessible tools that allow command execution or message manipulation
• A clear ability to disable potentially sensitive endpoints

At present, it appears there is no configuration option to disable these specific /cli/ routes independently of the rest of the management UI.

---

Request

We would like to request the following:

1. A configuration option to disable or restrict the /cli/ endpoints (e.g., management.disable_cli_ui = true)
2. Documentation or support for a recommended workaround (e.g., via plugin extension or reverse proxy path filtering)
3. If not currently possible, clarification on whether this could be considered for a future release

---

Environment

• RabbitMQ version: 4.1.x
• TLS enabled on port 15672
• Management Plugin enabled
• Deployed in a secured enterprise environment

---

Workarounds Considered

We're aware that reverse proxy rules (e.g., with NGINX) can be used to block specific paths, but we would prefer a first-class RabbitMQ config setting, especially for compliance and consistency across environments.

---

Conclusion

We believe this would be a useful feature for other security-conscious users as well. Thank you for considering it, and we’re happy to provide feedback or help test if needed.

Describe the solution you'd like

---

Describe alternatives you've considered

No response

Additional context

No response

[lukebakken]

@michaelklishin now that rabbitmqadmin-ng exists, perhaps returning a 308 code for each of these resources to https://github.com/rabbitmq/rabbitmqadmin-ng/releases/latest would be appropriate?

https://<host>:15672/cli/index.html
https://<host>:15672/cli/rabbitmqadmin

[michaelklishin]

At present, it appears there is no configuration option to disable these specific /cli/ routes > independently of the rest of the management UI.

Just like there is no way to disable individual API endpoints (with very few exceptions that do not really disable the endpoint itself, only what it can do).

@moerwald the recommended workaround is to use a reverse proxy in front of the API, which allows you to restrict access to specific endpoints, control all security-relevant headers, and so on.

[michaelklishin]

@lukebakken I agree that we can redirect GET /cli/index.html to https://www.rabbitmq.com/docs/management-cli.

With rabbitmqadmin downloads, it is going to be a breaking change for some, so I'm not sure the moment is right.

We have already done something equally opinionated in #13698 for a paying user who made a very big deal out of the fact that a static HTTP API doc page was publicly accessible. So I guess we can do that again.

[michaelklishin]

@moerwald if you have a commercial license from Broadcom, feel free to file a ticket and we will replicate #13698.

If you would like to have first class support for a feature 99% of users have never asked for, and you do not financially sponsor RabbitMQ development, you are welcome to contribute such a change after signing a contributor CLA using #13698 as a very close example.

[michaelklishin]

Converted to a discussion.