How to disable RabbitMQ default tcp listening port - 5672

To disable standart RabbitMQ 5672 port add {tcp_listeners, []} to your rabbitmq.conf:

[
  {rabbit, [
     {tcp_listeners, []},
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/ay/app/xxx/softwares/rabbitmq_server-3.1.1/etc/ssl/cacert.pem"},
                    {certfile,"/ay/app/xxx/softwares/rabbitmq_server-3.1.1/etc/ssl/cert.pem"},
                    {keyfile,"/ay/app/xxx/softwares/rabbitmq_server-3.1.1/etc/ssl/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false},

                   {ciphers,[{dhe_rsa,aes_256_cbc,sha},
 {dhe_dss,aes_256_cbc,sha},
 {rsa,aes_256_cbc,sha}]}

                    ]

    }
   ]}
].

It works with RabbitMQ 3.1.5

Here's how to do it with the new configuration file format introduced in RabbitMQ 3.7:

1. Set up the SSL listener in rabbitmq.conf:

   listeners.ssl.1 = 5671
   ssl_options.cacertfile = /path/to/testca/cacert.pem
   ssl_options.certfile = /path/to/server/cert.pem
   ssl_options.keyfile = /path/to/server/key.pem
   ssl_options.verify = verify_peer
   ssl_options.fail_if_no_peer_cert = false
   

2. Disable the non-SSL listener in advanced.config:

   [
    {rabbit,
     [{tcp_listeners, []}
     ]}
   ].
   

It appears that to disable non-ssl listening with the new file format, you can do the following:

listeners.tcp  = none

This has the same effect as the other 3.7 answer, but removes the need to do it in the advanced.config.