Default user cannot connect to a Web MQTT endpoint remotely but can when port forwarding is used

[AntoineSadzot]

Describe the bug

RabbitMQ version: 4.1.2, deployed in a Kubernetes cluster using the Helm chart version 4.1.2.
We are unable to connect to the Web MQTT (WebSocket) interface (port 15675) with a remote client. We get a "connection refused" or "connection failed" error, according to the browser used. However, connecting with the same configuration but through a kubectl port-forward works without any issue.
We thought it could be an issue with a potential "localhost only" configuration, but none of the web_mqtt configuration entries we added seemed to work. The javascript library used is the mqtt.js library

Reproduction steps

1. Deploy the helm chart with plugins "rabbitmq_mqtt" and "rabbitmq_web_mqtt" specified. Add port 15675 to the service. Some extra configuration entries were added through our tries, not all may be relevant : web_mqtt.tcp.port = 15675,web_mqtt.tcp.ip = 0.0.0.0, web_mqtt.cowboy_opts.idle_timeout = 120000, web_mqtt.cowboy_opts.max_keepalive = 200, web_mqtt.cowboy_opts.max_headers = 100, web_mqtt.cowboy_opts.max_empty_lines = 5, loopback_users.guest = false, loopback_users = none.
2. Configure rabbitmq with a user having access over default amq.topic exchange
3. Connect to web_mqtt interface via a kubernetes port forward, using mqtt.js library. Address is "ws://localhost:/ws" -> client is connected and listens to topics
4. Connect to web_mqtt interface from a remote host in the same cluster, using mqtt.js library "ws://:15675/ws" -> client has connection error (refused or failed)

Expected behavior

Any client should be able to connect remotely to the /ws endpoint on port 15675.

Additional context

1. We found no relevant log information in rabbitmq about connection issues
2. We are not using TLS connection
3. We checked the documentation (especially : https://www.rabbitmq.com/docs/web-mqtt , https://www.rabbitmq.com/docs/networking) and tried to change our configuration according to what we found there
4. The amqp interface (port 5672) works without any issue, with the same rabbitmq instance in the same cluster.
5. We are using the mqtt.js library instead of the one described in the docs (Paho)

[michaelklishin]

You haven't provided any evidence of a bug, not even any logs.

We will not troubleshoot networking your Kubernetes cluster networking. Start with inspecting the logs on the target node, then see Troubleshooting Networking and Troubleshooting Authentication.

[michaelklishin]

Connect to web_mqtt interface from a remote host in the same cluster, using mqtt.js library
"ws://:15675/ws" -> client has connection error (refused or failed)

The default user can only connect from localhost for obvious security reasons. Port forwarding makes the connection look as if it was a local one but a direct remote connection is expected to be refused.

Remote connections from loopback-restricted users will result in clear messages in the log files of the node that refuses such a connection.

As Production Guidelines recommend, create a new user with generated credentials instead of relying on the default one (named guest by default). The loopback connection restriction won't apply to newly created users because their credentials are not publicly known.