Which ip address should be compared to the network mask in config file? #1

Closed
phaith opened this issue Apr 24, 2015 · 4 comments

phaith commented Apr 24, 2015

I found this plugin on https://www.rabbitmq.com/community-plugins.html.

rabbitmq_auth_backend_ip_range
Provides the ability for your RabbitMQ server to perform authorisation based on the client IP address.
Download: rabbitmq_auth_backend_ip_range-0.1.0-rmq3.5.x-9884a34d.ez
Authors: Petr Gotthard
Github: gotthardp/rabbitmq-auth-backend-ip-range

I think the IP address which is compared to the network mask should be the client IP address, but I found that it doesn't work correctly.

Here's my infrastructure.

Rabbitmq server: 192.168.0.144
My client application: 192.168.0.107

rabbitmq.config

   {tag_masks, [{'private', [<<"192.168.0.107">>]}]}

My client could not access resources (vhosts, exchange, queue) on rabbitmq, so I checked the log file and found this.

Address 192.168.0.114 not matching any of [ 192.168.0.107 ]

Should the IP address on the left side be the client or the rabbitmq server?

@gotthardp
Owner

The address mask is checked against local (server) address. One interface of your rabbitmq server will have the 192.168.0.114 address.
It can be extended, though. Would you prefer to set up restrictions based on the remote (client) address? Note that when the client is behind NAT, the server will not see the local client address and the authorization will not work.
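
Added example, not the plugin's code and not part of the comment above: a Python model of matching a mask against the local (server) address versus the remote (client) address, including the NAT case. The function names, the `side` parameter, CIDR-style masks and the 203.0.113.10 address are assumptions made for illustration.

```python
import ipaddress

def matches_any(address, masks):
    """Return True if address is inside any mask (a bare address means one host)."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(m, strict=False) for m in masks)

def authorize(conn, masks, side):
    """Check one end of a connection against the masks.

    conn: dict with 'local' (address of the server socket) and 'peer'
          (address the server sees for the client).
    side: 'local' or 'peer' (hypothetical switch, not a plugin option).
    Returns (allowed, log_message); log_message is None when allowed.
    """
    address = conn[side]
    if matches_any(address, masks):
        return True, None
    return False, "Address %s not matching any of [ %s ]" % (address, " ".join(masks))

# Constructed connections. DIRECT uses the addresses from the report
# (server-side address as shown in the log line). NATTED assumes the same
# client behind a NAT whose public address is 203.0.113.10.
DIRECT = {"local": "192.168.0.114", "peer": "192.168.0.107"}
NATTED = {"local": "192.168.0.114", "peer": "203.0.113.10"}

if __name__ == "__main__":
    cases = [
        ("mask = client, checked against local", DIRECT, ["192.168.0.107"], "local"),
        ("mask = client, checked against peer", DIRECT, ["192.168.0.107"], "peer"),
        ("private range, client behind NAT", NATTED, ["192.168.0.0/24"], "peer"),
        ("NAT public address listed", NATTED, ["203.0.113.10"], "peer"),
    ]
    for label, conn, masks, side in cases:
        allowed, message = authorize(conn, masks, side)
        print("%-40s %s %s" % (label, "ALLOW" if allowed else "DENY", message or ""))
```

With a remote-address check, a rule for NATed clients has to list the address the server actually sees, which is shared by every host behind that NAT.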

@phaith
Author

phaith commented Apr 24, 2015

Even though individual client addresses might not be determinable, it is a common requirement in the financial industry to restrict logins to certain ranges of IPs for each user.

gotthardp added a commit that referenced this issue Apr 24, 2015
@gotthardp
Owner

You're right. Fixed in 1ee961c.
Do you need to build a version compatible with Rabbit 3.5, or can you use the development version and wait for 3.6?

@phaith
Author

phaith commented Apr 24, 2015

I can use the development version. Thank you very much for your quick answer.

@phaith phaith closed this as completed Apr 24, 2015