

Configuring RabbitMQ for encrypted TLS (SSL) connections

$ git clone https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git

$ cd CMF-AMQP-Configuration/ssl/

Greyfoss is the name chosen for the private certificate authority. The script creates a ca directory that holds the CA's own material and the certificates it issues.

$ sh setup_ca.sh Greyfoss

Generate the server key pair and certificate. rabbit-server is the file-name prefix for the generated key material and 123456 is the password set on the private key. 123456 is only a placeholder; if the broker's key stays encrypted on disk, RabbitMQ has to be given that password via ssl_options.password, so choose it accordingly.

$ sh make_server_cert.sh rabbit-server 123456

Generate the client key pair and certificate, signed by the same CA:

$ sh create_client_cert.sh rabbit-client 123456

# Use Java's keytool to build the truststore the client needs in order to verify the server. This assumes a Java environment is already installed and configured.
$ keytool -import -alias rabbit-server -file server/rabbit-server.cert.pem -keystore rabbitStore -storepass 123456
-import imports a signed certificate into the keystore
-alias xxx alias for the imported entry
-file server/rabbit-server.cert.pem the certificate to import
-keystore xxx name of the keystore file
-storepass xxx keystore password (required to read the keystore)
Importing the CA certificate produced by setup_ca.sh instead of the server's leaf certificate keeps the truststore valid when the server certificate is reissued under the same CA.

Configuring RabbitMQ for TLS

Create the directory /etc/rabbitmq/ssl and copy every PEM file from CMF-AMQP-Configuration/ssl/ into it. The broker runs as the rabbitmq user, so that user must be able to read the files; keep the private key readable by that user only.

Create /etc/rabbitmq/rabbitmq.conf (it does not exist by default). What follows is the upstream rabbitmq.conf.example that ships with the broker; in this copy the leading # comment markers have been lost, so every option reads as if it were active. Treat it as a reference for option names only and do not write it to /etc/rabbitmq/rabbitmq.conf verbatim: it repeats keys (auth_backends.1, ssl_options.ciphers.1), contains classic-format Erlang terms, and would switch on settings the example deliberately leaves off, such as loopback_users.guest = false. For the TLS setup in this post only the listeners.ssl and ssl_options keys are needed.
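The following script is an added example; it is not part of the original post and not the CMF-AMQP-Configuration scripts themselves. It does with plain openssl what setup_ca.sh, make_server_cert.sh and create_client_cert.sh do (a private CA, a server certificate with serverAuth, a client certificate with clientAuth), checks that both leaf certificates chain to the CA and carry the right extended key usage, and writes the minimal rabbitmq.conf this post actually needs: a TLS-only listener on 5671 that requires a client certificate. The CA name Greyfoss is the post's; the hostname rabbit.example.local, the client name rabbit-client, the output directory and the choice of unencrypted private keys protected by file mode 0600 are assumptions of the example (the post's scripts password-protect the keys, which RabbitMQ would then need via ssl_options.password).

```shell
#!/bin/sh
# Added example, not from the original post or the CMF-AMQP-Configuration repo.
# Builds a private CA plus server and client certificates with openssl, checks
# the chain, and writes a minimal TLS-only rabbitmq.conf for the broker.
# Assumptions: openssl is on PATH; CA name, hostnames and paths are illustrative.
set -eu

# make_pki DIR CA_NAME SERVER_CN CLIENT_CN
# Produces ca_certificate.pem, server_certificate.pem/server_key.pem and
# client_certificate.pem/client_key.pem in DIR (keys unencrypted, mode 0600).
make_pki() {
  dir=$1; ca=$2; server_cn=$3; client_cn=$4
  mkdir -p "$dir"
  # Self-signed CA (openssl's default req -x509 profile adds CA:TRUE).
  openssl genrsa -out "$dir/ca_key.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca_key.pem" -days 365 \
    -subj "/CN=$ca" -out "$dir/ca_certificate.pem" 2>/dev/null
  # Server certificate: the SAN must match the hostname clients connect to.
  openssl genrsa -out "$dir/server_key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/server_key.pem" -subj "/CN=$server_cn" \
    -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$server_cn" \
    > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca_certificate.pem" \
    -CAkey "$dir/ca_key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/server.ext" -out "$dir/server_certificate.pem" 2>/dev/null
  # Client certificate: clientAuth only, so it cannot be used to impersonate
  # the broker even if it leaks.
  openssl genrsa -out "$dir/client_key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/client_key.pem" -subj "/CN=$client_cn" \
    -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca_certificate.pem" \
    -CAkey "$dir/ca_key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/client.ext" -out "$dir/client_certificate.pem" 2>/dev/null
  # Certificates may be world-readable; private keys must not be.
  chmod 600 "$dir"/*_key.pem
}

# verify_pki DIR: returns 0 if both leaf certificates chain to the CA and
# carry the expected extended key usage, 1 otherwise.
verify_pki() {
  dir=$1
  for leaf in server client; do
    openssl verify -CAfile "$dir/ca_certificate.pem" \
      "$dir/${leaf}_certificate.pem" | grep -q ': OK$' || return 1
  done
  openssl x509 -in "$dir/server_certificate.pem" -noout -text \
    | grep -q 'TLS Web Server Authentication' || return 1
  openssl x509 -in "$dir/client_certificate.pem" -noout -text \
    | grep -q 'TLS Web Client Authentication' || return 1
  # The client certificate must not double as a server certificate.
  ! openssl x509 -in "$dir/client_certificate.pem" -noout -text \
    | grep -q 'TLS Web Server Authentication'
}

# write_rabbitmq_conf OUT SSL_DIR
# SSL_DIR is where the PEM files live on the broker (the post uses /etc/rabbitmq/ssl).
write_rabbitmq_conf() {
  out=$1; ssl_dir=$2
  cat > "$out" <<EOF
# TLS-only broker: plain AMQP on 5672 is disabled and every client must
# present a certificate issued by our CA. Written by the added example script.
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = $ssl_dir/ca_certificate.pem
ssl_options.certfile = $ssl_dir/server_certificate.pem
ssl_options.keyfile = $ssl_dir/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
ssl_options.honor_cipher_order = true
# keep the default guest account restricted to loopback
loopback_users.guest = true
EOF
}

# Stand-alone demo: RUN_EXAMPLE=1 sh this_script.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  make_pki ./pki Greyfoss rabbit.example.local rabbit-client
  verify_pki ./pki && echo "chain OK"
  write_rabbitmq_conf ./rabbitmq.conf /etc/rabbitmq/ssl
fi
```

After copying the PEM files into /etc/rabbitmq/ssl and restarting the broker, a handshake can be checked from the host with openssl s_client -connect localhost:5671 -CAfile ca_certificate.pem -cert client_certificate.pem -key client_key.pem. Note the difference from the upstream example: it sets ssl_options.fail_if_no_peer_cert = false, which encrypts the connection but still admits clients that present no certificate; with true the broker rejects them at the handshake, before any AMQP authentication happens.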

This example configuration file demonstrates various settings

available via rabbitmq.conf. It primarily focuses core broker settings

but some tier 1 plugin settings are also covered.

This file is AN EXAMPLE. It is NOT MEANT TO BE USED IN PRODUCTION. Instead of

copying the entire (large!) file, create or generate a new rabbitmq.conf for the target system

and populate it with the necessary settings.

See https://rabbitmq.com/configure.html to learn about how to configure RabbitMQ,

the ini-style format used by rabbitmq.conf, how it is different from advanced.config,

how to verify effective configuration, and so on.

See https://rabbitmq.com/documentation.html for the rest of RabbitMQ documentation.

In case you have questions, please use RabbitMQ community Slack and the rabbitmq-users Google group

instead of GitHub issues.

======================================

Core broker section

======================================

Networking

====================

Related doc guide: https://rabbitmq.com/networking.html.

By default, RabbitMQ will listen on all interfaces, using

the standard (reserved) AMQP 0-9-1 and 1.0 port.

listeners.tcp.default = 5672

To listen on a specific interface, provide an IP address with port.

For example, to listen only on localhost for both IPv4 and IPv6:

IPv4

listeners.tcp.local = 127.0.0.1:5672

IPv6

listeners.tcp.local_v6 = ::1:5672

You can define multiple listeners using listener names

listeners.tcp.other_port = 5673

listeners.tcp.other_ip = 10.10.10.10:5672

TLS listeners are configured in the same fashion as TCP listeners,

including the option to control the choice of interface.

listeners.ssl.default = 5671

It is possible to disable regular TCP (non-TLS) listeners. Clients

not configured to use TLS and the correct TLS-enabled port won't be able

to connect to this node.

listeners.tcp = none

Number of Erlang processes that will accept connections for the TCP

and TLS listeners.

num_acceptors.tcp = 10

num_acceptors.ssl = 10

Socket writer will force GC every so many bytes transferred.

Default is 1 GiB (1000000000). Set to 'off' to disable.

socket_writer.gc_threshold = 1000000000

To disable:

socket_writer.gc_threshold = off

Maximum amount of time allowed for the AMQP 0-9-1 and AMQP 1.0 handshake

(performed after socket connection and TLS handshake) to complete, in milliseconds.

handshake_timeout = 10000

Set to 'true' to perform reverse DNS lookups when accepting a

connection. rabbitmqctl and management UI will then display hostnames

instead of IP addresses. Default value is false.

reverse_dns_lookups = false

Security, Access Control

==============

Related doc guide: https://rabbitmq.com/access-control.html.

The default "guest" user is only permitted to access the server

via a loopback interface (e.g. localhost).

{loopback_users, [<<"guest">>]},

loopback_users.guest = true

Uncomment the following line if you want to allow access to the

guest user from anywhere on the network.

loopback_users.guest = false

TLS configuration.

Related doc guide: https://rabbitmq.com/ssl.html.

listeners.ssl.1 = 5671

ssl_options.verify = verify_peer

ssl_options.fail_if_no_peer_cert = false

ssl_options.cacertfile = /path/to/cacert.pem

ssl_options.certfile = /path/to/cert.pem

ssl_options.keyfile = /path/to/key.pem

ssl_options.honor_cipher_order = true

ssl_options.honor_ecc_order = true

These are highly recommended for TLSv1.2 but cannot be used

with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed.

ssl_options.client_renegotiation = false

ssl_options.secure_renegotiate = true

Limits what TLS versions the server enables for client TLS

connections. See https://www.rabbitmq.com/ssl.html#tls-versions for details.

Cutting edge TLS version which requires recent client runtime

versions and has no cipher suite in common with earlier TLS versions.

ssl_options.versions.1 = tlsv1.3

Enables TLSv1.2 for best compatibility

ssl_options.versions.2 = tlsv1.2

Older TLS versions have known vulnerabilities and are being phased out

from wide use.

Limits what cipher suites the server will use for client TLS

connections. Narrowing this down can prevent some clients

from connecting.

If TLSv1.3 is enabled and cipher suites are overridden, TLSv1.3-specific

cipher suites must also be explicitly enabled.

See https://www.rabbitmq.com/ssl.html#cipher-suites and https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites

for details.

The example below uses TLSv1.3 cipher suites only

ssl_options.ciphers.1 = TLS_AES_256_GCM_SHA384

ssl_options.ciphers.2 = TLS_AES_128_GCM_SHA256

ssl_options.ciphers.3 = TLS_CHACHA20_POLY1305_SHA256

ssl_options.ciphers.4 = TLS_AES_128_CCM_SHA256

ssl_options.ciphers.5 = TLS_AES_128_CCM_8_SHA256

The example below uses TLSv1.2 cipher suites only

ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384

ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384

ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384

ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384

ssl_options.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384

ssl_options.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384

ssl_options.ciphers.7 = ECDH-ECDSA-AES256-SHA384

ssl_options.ciphers.8 = ECDH-RSA-AES256-SHA384

ssl_options.ciphers.9 = DHE-RSA-AES256-GCM-SHA384

ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384

ssl_options.ciphers.11 = DHE-RSA-AES256-SHA256

ssl_options.ciphers.12 = DHE-DSS-AES256-SHA256

ssl_options.ciphers.13 = ECDHE-ECDSA-AES128-GCM-SHA256

ssl_options.ciphers.14 = ECDHE-RSA-AES128-GCM-SHA256

ssl_options.ciphers.15 = ECDHE-ECDSA-AES128-SHA256

ssl_options.ciphers.16 = ECDHE-RSA-AES128-SHA256

ssl_options.ciphers.17 = ECDH-ECDSA-AES128-GCM-SHA256

ssl_options.ciphers.18 = ECDH-RSA-AES128-GCM-SHA256

ssl_options.ciphers.19 = ECDH-ECDSA-AES128-SHA256

ssl_options.ciphers.20 = ECDH-RSA-AES128-SHA256

ssl_options.ciphers.21 = DHE-RSA-AES128-GCM-SHA256

ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256

ssl_options.ciphers.23 = DHE-RSA-AES128-SHA256

ssl_options.ciphers.24 = DHE-DSS-AES128-SHA256

ssl_options.ciphers.25 = ECDHE-ECDSA-AES256-SHA

ssl_options.ciphers.26 = ECDHE-RSA-AES256-SHA

ssl_options.ciphers.27 = DHE-RSA-AES256-SHA

ssl_options.ciphers.28 = DHE-DSS-AES256-SHA

ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA

ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA

ssl_options.ciphers.31 = ECDHE-ECDSA-AES128-SHA

ssl_options.ciphers.32 = ECDHE-RSA-AES128-SHA

ssl_options.ciphers.33 = DHE-RSA-AES128-SHA

ssl_options.ciphers.34 = DHE-DSS-AES128-SHA

ssl_options.ciphers.35 = ECDH-ECDSA-AES128-SHA

ssl_options.ciphers.36 = ECDH-RSA-AES128-SHA

ssl_options.bypass_pem_cache = true

Select an authentication/authorisation backend to use.

Alternative backends are provided by plugins, such as rabbitmq-auth-backend-ldap.

NB: These settings require certain plugins to be enabled.

Related doc guides:

* https://rabbitmq.com/plugins.html

* https://rabbitmq.com/access-control.html

auth_backends.1 = rabbit_auth_backend_internal

uses separate backends for authentication and authorisation,

see below.

auth_backends.1.authn = rabbit_auth_backend_ldap

auth_backends.1.authz = rabbit_auth_backend_internal

The rabbitmq_auth_backend_ldap plugin allows the broker to

perform authentication and authorisation by deferring to an

external LDAP server.

Relevant doc guides:

* https://rabbitmq.com/ldap.html

* https://rabbitmq.com/access-control.html

uses LDAP for both authentication and authorisation

auth_backends.1 = rabbit_auth_backend_ldap

uses HTTP service for both authentication and

authorisation

auth_backends.1 = rabbit_auth_backend_http

uses two backends in a chain: HTTP first, then internal

auth_backends.1 = rabbit_auth_backend_http

auth_backends.2 = rabbit_auth_backend_internal

Authentication

The built-in mechanisms are 'PLAIN',

'AMQPLAIN', and 'EXTERNAL' Additional mechanisms can be added via

plugins.

Related doc guide: https://rabbitmq.com/authentication.html.

auth_mechanisms.1 = PLAIN

auth_mechanisms.2 = AMQPLAIN

The rabbitmq-auth-mechanism-ssl plugin makes it possible to

authenticate a user based on the client's x509 (TLS) certificate.

Related doc guide: https://rabbitmq.com/authentication.html.

To use auth-mechanism-ssl, the EXTERNAL mechanism should

be enabled:

auth_mechanisms.1 = PLAIN

auth_mechanisms.2 = AMQPLAIN

auth_mechanisms.3 = EXTERNAL

To force x509 certificate-based authentication on all clients,

exclude all other mechanisms (note: this will disable password-based

authentication even for the management UI!):

auth_mechanisms.1 = EXTERNAL

This pertains to both the rabbitmq-auth-mechanism-ssl plugin and

STOMP ssl_cert_login configurations. See the RabbitMQ STOMP plugin

configuration section later in this file and the README in

https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl for further

details.

To use the TLS cert's CN instead of its DN as the username

ssl_cert_login_from = common_name

TLS handshake timeout, in milliseconds.

ssl_handshake_timeout = 5000

Cluster name

cluster_name = dev3.eng.megacorp.local

Password hashing implementation. Will only affect newly

created users. To recalculate hash for an existing user

it's necessary to update her password.

To use SHA-512, set to rabbit_password_hashing_sha512.

password_hashing_module = rabbit_password_hashing_sha256

When importing definitions exported from versions earlier

than 3.6.0, it is possible to go back to MD5 (only do this

as a temporary measure!) by setting this to rabbit_password_hashing_md5.

password_hashing_module = rabbit_password_hashing_md5

Default User / VHost

====================

On first start RabbitMQ will create a vhost and a user. These

config items control what gets created.

Relevant doc guide: https://rabbitmq.com/access-control.html

default_vhost = /

default_user = guest

default_pass = guest

default_permissions.configure = .*

default_permissions.read = .*

default_permissions.write = .*

Tags for default user

For more details about tags, see the documentation for the

Management Plugin at https://rabbitmq.com/management.html.

default_user_tags.administrator = true

Define other tags like this:

default_user_tags.management = true

default_user_tags.custom_tag = true

Additional network and protocol related configuration

=====================================================

Set the server AMQP 0-9-1 heartbeat timeout in seconds.

RabbitMQ nodes will send heartbeat frames at roughly

the (timeout / 2) interval. Two missed heartbeats from

a client will close its connection.

Values lower than 6 seconds are very likely to produce

false positives and are not recommended.

Related doc guides:

* https://rabbitmq.com/heartbeats.html

* https://rabbitmq.com/networking.html

heartbeat = 60

Set the max permissible size of an AMQP frame (in bytes).

frame_max = 131072

Set the max frame size the server will accept before connection

tuning occurs

initial_frame_max = 4096

Set the max permissible number of channels per connection.

0 means "no limit".

channel_max = 128

Customising TCP Listener (Socket) Configuration.

Related doc guides:

* https://rabbitmq.com/networking.html

* https://www.erlang.org/doc/man/inet.html#setopts-2

tcp_listen_options.backlog = 128

tcp_listen_options.nodelay = true

tcp_listen_options.exit_on_close = false

tcp_listen_options.keepalive = true

tcp_listen_options.send_timeout = 15000

tcp_listen_options.buffer = 196608

tcp_listen_options.sndbuf = 196608

tcp_listen_options.recbuf = 196608

Resource Limits & Flow Control

==============================

Related doc guide: https://rabbitmq.com/memory.html.

Memory-based Flow Control threshold.

vm_memory_high_watermark.relative = 0.4

Alternatively, we can set a limit (in bytes) of RAM used by the node.

vm_memory_high_watermark.absolute = 1073741824

Or you can set absolute value using memory units (with RabbitMQ 3.6.0+).

Absolute watermark will be ignored if relative is defined!

vm_memory_high_watermark.absolute = 2GB

Supported unit symbols:

k, kiB: kibibytes (2^10 - 1,024 bytes)

M, MiB: mebibytes (2^20 - 1,048,576 bytes)

G, GiB: gibibytes (2^30 - 1,073,741,824 bytes)

kB: kilobytes (10^3 - 1,000 bytes)

MB: megabytes (10^6 - 1,000,000 bytes)

GB: gigabytes (10^9 - 1,000,000,000 bytes)

Fraction of the high watermark limit at which queues start to

page message out to disc in order to free up memory.

For example, when vm_memory_high_watermark is set to 0.4 and this value is set to 0.5,

paging can begin as early as when 20% of total available RAM is used by the node.

Values greater than 1.0 can be dangerous and should be used carefully.

One alternative to this is to use durable queues and publish messages

as persistent (delivery mode = 2). With this combination queues will

move messages to disk much more rapidly.

Another alternative is to configure queues to page all messages (both

persistent and transient) to disk as quickly

as possible, see https://rabbitmq.com/lazy-queues.html.

vm_memory_high_watermark_paging_ratio = 0.5

Selects Erlang VM memory consumption calculation strategy. Can be allocated, rss or legacy (aliased as erlang),

Introduced in 3.6.11. rss is the default as of 3.6.12.

See https://github.com/rabbitmq/rabbitmq-server/issues/1223 and rabbitmq/rabbitmq-common#224 for background.

vm_memory_calculation_strategy = rss

Interval (in milliseconds) at which we perform the check of the memory

levels against the watermarks.

memory_monitor_interval = 2500

The total memory available can be calculated from the OS resources

- default option - or provided as a configuration parameter.

total_memory_available_override_value = 2GB

Set disk free limit (in bytes). Once free disk space reaches this

lower bound, a disk alarm will be set - see the documentation

listed above for more details.

Absolute watermark will be ignored if relative is defined!

disk_free_limit.absolute = 50000

Or you can set it using memory units (same as in vm_memory_high_watermark)

with RabbitMQ 3.6.0+.

disk_free_limit.absolute = 500KB

disk_free_limit.absolute = 50mb

disk_free_limit.absolute = 5GB

Alternatively, we can set a limit relative to total available RAM.

Values lower than 1.0 can be dangerous and should be used carefully.

disk_free_limit.relative = 2.0

Clustering

=====================

cluster_partition_handling = ignore

Pauses all nodes on the minority side of a partition. The cluster

MUST have an odd number of nodes (3, 5, etc)

cluster_partition_handling = pause_minority

pause_if_all_down strategy require additional configuration

cluster_partition_handling = pause_if_all_down

Recover strategy. Can be either 'autoheal' or 'ignore'

cluster_partition_handling.pause_if_all_down.recover = ignore

Node names to check

cluster_partition_handling.pause_if_all_down.nodes.1 = rabbit@localhost

cluster_partition_handling.pause_if_all_down.nodes.2 = hare@localhost

Mirror sync batch size, in messages. Increasing this will speed

up syncing but total batch size in bytes must not exceed 2 GiB.

Available in RabbitMQ 3.6.0 or later.

mirroring_sync_batch_size = 4096

Make clustering happen automatically at startup. Only applied

to nodes that have just been reset or started for the first time.

Relevant doc guide: https://rabbitmq.com/cluster-formation.html

cluster_formation.peer_discovery_backend = rabbit_peer_discovery_classic_config

cluster_formation.classic_config.nodes.1 = rabbit1@hostname

cluster_formation.classic_config.nodes.2 = rabbit2@hostname

cluster_formation.classic_config.nodes.3 = rabbit3@hostname

cluster_formation.classic_config.nodes.4 = rabbit4@hostname

DNS-based peer discovery. This backend will list A records

of the configured hostname and perform reverse lookups for

the addresses returned.

cluster_formation.peer_discovery_backend = rabbit_peer_discovery_dns

cluster_formation.dns.hostname = discovery.eng.example.local

This node's type can be configured. If you are not sure

what node type to use, always use 'disc'.

cluster_formation.node_type = disc

Interval (in milliseconds) at which we send keepalive messages

to other cluster members. Note that this is not the same thing

as net_ticktime; missed keepalive messages will not cause nodes

to be considered down.

cluster_keepalive_interval = 10000

Statistics Collection

=====================

Statistics collection interval (in milliseconds). Increasing

this will reduce the load on management database.

collect_statistics_interval = 5000

Fine vs. coarse statistics

This value is no longer meant to be configured directly.

See https://www.rabbitmq.com/management.html#fine-stats.

Ra Settings

=====================

NB: changing these on a node with existing data directory

can lead to DATA LOSS.

raft.segment_max_entries = 65536

raft.wal_max_size_bytes = 1048576

raft.wal_max_batch_size = 4096

raft.snapshot_chunk_size = 1000000

Misc/Advanced Options

=====================

NB: Change these only if you understand what you are doing!

Timeout used when waiting for Mnesia tables in a cluster to

become available.

mnesia_table_loading_retry_timeout = 30000

Retries when waiting for Mnesia tables in the cluster startup. Note that

this setting is not applied to Mnesia upgrades or node deletions.

mnesia_table_loading_retry_limit = 10

Size in bytes below which to embed messages in the queue index.

Related doc guide: https://rabbitmq.com/persistence-conf.html

queue_index_embed_msgs_below = 4096

You can also set this size in memory units

queue_index_embed_msgs_below = 4kb

Whether or not to enable background periodic forced GC runs for all

Erlang processes on the node in "waiting" state.

Disabling background GC may reduce latency for client operations,

keeping it enabled may reduce median RAM usage by the binary heap

(see https://www.erlang-solutions.com/blog/erlang-garbage-collector.html).

Before trying this option, please take a look at the memory

breakdown (https://www.rabbitmq.com/memory-use.html).

background_gc_enabled = false

Target (desired) interval (in milliseconds) at which we run background GC.

The actual interval will vary depending on how long it takes to execute

the operation (can be higher than this interval). Values less than

30000 milliseconds are not recommended.

background_gc_target_interval = 60000

Whether or not to enable proxy protocol support.

Once enabled, clients cannot directly connect to the broker

anymore. They must connect through a load balancer that sends the

proxy protocol header to the broker at connection time.

This setting applies only to AMQP clients, other protocols

like MQTT or STOMP have their own setting to enable proxy protocol.

See the plugins documentation for more information.

proxy_protocol = false

Overridden product name and version.

They are set to "RabbitMQ" and the release version by default.

product.name = RabbitMQ

product.version = 1.2.3

"Message of the day" file.

Its content is used to expand the logged and printed banners.

Default to /etc/rabbitmq/motd on Unix, %APPDATA%\RabbitMQ\motd.txt

on Windows.

motd_file = /etc/rabbitmq/motd

Consumer timeout

If a message delivered to a consumer has not been acknowledged before this timer

triggers, the channel will be force closed by the broker. This ensures that

faulty consumers that never ack will not hold on to messages indefinitely.

consumer_timeout = 900000

----------------------------------------------------------------------------

Advanced Erlang Networking/Clustering Options.

Related doc guide: https://rabbitmq.com/clustering.html

----------------------------------------------------------------------------

======================================

Kernel section

======================================

Timeout used to detect peer unavailability, including CLI tools.

Related doc guide: https://www.rabbitmq.com/nettick.html.

net_ticktime = 60

Inter-node communication port range.

The parameters inet_dist_listen_min and inet_dist_listen_max

can be configured in the classic config format only.

Related doc guide: https://www.rabbitmq.com/networking.html#epmd-inet-dist-port-range.

----------------------------------------------------------------------------

RabbitMQ Management Plugin

Related doc guide: https://rabbitmq.com/management.html.

----------------------------------------------------------------------------

=======================================

Management section

=======================================

Preload schema definitions from the following JSON file.

Related doc guide: https://rabbitmq.com/management.html#load-definitions.

management.load_definitions = /path/to/exported/definitions.json

Log all requests to the management HTTP API to a file.

management.http_log_dir = /path/to/access.log

HTTP listener and embedded Web server settings.

See https://rabbitmq.com/management.html for details.

management.tcp.port = 15672

management.tcp.ip = 0.0.0.0

management.tcp.shutdown_timeout = 7000

management.tcp.max_keepalive = 120

management.tcp.idle_timeout = 120

management.tcp.inactivity_timeout = 120

management.tcp.request_timeout = 120

management.tcp.compress = true

HTTPS listener settings.

See https://rabbitmq.com/management.html and https://rabbitmq.com/ssl.html for details.

management.ssl.port = 15671

management.ssl.cacertfile = /path/to/ca_certificate.pem

management.ssl.certfile = /path/to/server_certificate.pem

management.ssl.keyfile = /path/to/server_key.pem

More TLS options

management.ssl.honor_cipher_order = true

management.ssl.honor_ecc_order = true

These are highly recommended for TLSv1.2 but cannot be used

with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed.

management.ssl.client_renegotiation = false

management.ssl.secure_renegotiate = true

Supported TLS versions

management.ssl.versions.1 = tlsv1.2

Cipher suites the server is allowed to use

management.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384

management.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384

management.ssl.ciphers.3 = ECDHE-ECDSA-AES256-SHA384

management.ssl.ciphers.4 = ECDHE-RSA-AES256-SHA384

management.ssl.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384

management.ssl.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384

management.ssl.ciphers.7 = ECDH-ECDSA-AES256-SHA384

management.ssl.ciphers.8 = ECDH-RSA-AES256-SHA384

management.ssl.ciphers.9 = DHE-RSA-AES256-GCM-SHA384

URL path prefix for HTTP API and management UI

management.path_prefix = /a-prefix

One of 'basic', 'detailed' or 'none'. See

https://rabbitmq.com/management.html#fine-stats for more details.

management.rates_mode = basic

Configure how long aggregated data (such as message rates and queue

lengths) is retained. Please read the plugin's documentation in

https://rabbitmq.com/management.html#configuration for more

details.

You can use 'minute', 'hour' and 'day' keys or an integer key (in seconds)

management.sample_retention_policies.global.minute = 5

management.sample_retention_policies.global.hour = 60

management.sample_retention_policies.global.day = 1200

management.sample_retention_policies.basic.minute = 5

management.sample_retention_policies.basic.hour = 60

management.sample_retention_policies.detailed.10 = 5

----------------------------------------------------------------------------

RabbitMQ Shovel Plugin

Related doc guide: https://rabbitmq.com/shovel.html

----------------------------------------------------------------------------

See advanced.config.example for a Shovel plugin example

----------------------------------------------------------------------------

RabbitMQ STOMP Plugin

Related doc guide: https://rabbitmq.com/stomp.html

----------------------------------------------------------------------------

=======================================

STOMP section

=======================================

See https://rabbitmq.com/stomp.html for details.

TCP listeners.

stomp.listeners.tcp.1 = 127.0.0.1:61613

stomp.listeners.tcp.2 = ::1:61613

TCP listener settings

stomp.tcp_listen_options.backlog = 2048

stomp.tcp_listen_options.recbuf = 131072

stomp.tcp_listen_options.sndbuf = 131072

stomp.tcp_listen_options.keepalive = true

stomp.tcp_listen_options.nodelay = true

stomp.tcp_listen_options.exit_on_close = true

stomp.tcp_listen_options.send_timeout = 120

Proxy protocol support

stomp.proxy_protocol = false

TLS listeners

See https://rabbitmq.com/stomp.html and https://rabbitmq.com/ssl.html for details.

stomp.listeners.ssl.default = 61614

ssl_options.cacertfile = path/to/cacert.pem

ssl_options.certfile = path/to/cert.pem

ssl_options.keyfile = path/to/key.pem

ssl_options.verify = verify_peer

ssl_options.fail_if_no_peer_cert = true

Number of Erlang processes that will accept connections for the TCP

and TLS listeners.

stomp.num_acceptors.tcp = 10

stomp.num_acceptors.ssl = 1

Additional TLS options

Extract a name from the client's certificate when using TLS.

stomp.ssl_cert_login = true

Set a default user name and password. This is used as the default login

whenever a CONNECT frame omits the login and passcode headers.

Please note that setting this will allow clients to connect without

authenticating!

stomp.default_user = guest

stomp.default_pass = guest

If a default user is configured, or you have configured use TLS client

certificate based authentication, you can choose to allow clients to

omit the CONNECT frame entirely. If set to true, the client is

automatically connected as the default user or user supplied in the

TLS certificate whenever the first frame sent on a session is not a

CONNECT frame.

stomp.implicit_connect = true

Whether or not to enable proxy protocol support.

Once enabled, clients cannot directly connect to the broker

anymore. They must connect through a load balancer that sends the

proxy protocol header to the broker at connection time.

This setting applies only to STOMP clients, other protocols

like MQTT or AMQP have their own setting to enable proxy protocol.

See the plugins or broker documentation for more information.

stomp.proxy_protocol = false

----------------------------------------------------------------------------

RabbitMQ MQTT Adapter

See https://github.com/rabbitmq/rabbitmq-mqtt/blob/stable/README.md

for details

----------------------------------------------------------------------------

=======================================

MQTT section

=======================================

TCP listener settings.

mqtt.listeners.tcp.1 = 127.0.0.1:1883

mqtt.listeners.tcp.2 = ::1:1883

TCP listener options (as per the broker configuration).

mqtt.tcp_listen_options.backlog = 4096

mqtt.tcp_listen_options.recbuf = 131072

mqtt.tcp_listen_options.sndbuf = 131072

mqtt.tcp_listen_options.keepalive = true

mqtt.tcp_listen_options.nodelay = true

mqtt.tcp_listen_options.exit_on_close = true

mqtt.tcp_listen_options.send_timeout = 120

TLS listener settings

See https://rabbitmq.com/mqtt.html and https://rabbitmq.com/ssl.html for details.

mqtt.listeners.ssl.default = 8883

ssl_options.cacertfile = /path/to/tls/ca_certificate_bundle.pem

ssl_options.certfile = /path/to/tls/server_certificate.pem

ssl_options.keyfile = /path/to/tls/server_key.pem

ssl_options.verify = verify_peer

ssl_options.fail_if_no_peer_cert = true

Number of Erlang processes that will accept connections for the TCP

and TLS listeners.

mqtt.num_acceptors.tcp = 10

mqtt.num_acceptors.ssl = 10

Whether or not to enable proxy protocol support.

Once enabled, clients cannot directly connect to the broker

anymore. They must connect through a load balancer that sends the

proxy protocol header to the broker at connection time.

This setting applies only to MQTT clients, other protocols

like STOMP or AMQP have their own setting to enable proxy protocol.

See the plugins or broker documentation for more information.

mqtt.proxy_protocol = false

Set the default user name and password used for anonymous connections (when client

provides no credentials). Anonymous connections are highly discouraged!

mqtt.default_user = guest

mqtt.default_pass = guest

Enable anonymous connections. If this is set to false, clients MUST provide

credentials in order to connect. See also the mqtt.default_user/mqtt.default_pass

keys. Anonymous connections are highly discouraged!

mqtt.allow_anonymous = true

If you have multiple vhosts, specify the one to which the

adapter connects.

mqtt.vhost = /

Specify the exchange to which messages from MQTT clients are published.

mqtt.exchange = amq.topic

Specify TTL (time to live) to control the lifetime of non-clean sessions.

mqtt.subscription_ttl = 1800000

Set the prefetch count (governing the maximum number of unacknowledged

messages that will be delivered).

mqtt.prefetch = 10

----------------------------------------------------------------------------

RabbitMQ AMQP 1.0 Support

See https://github.com/rabbitmq/rabbitmq-amqp1.0/blob/stable/README.md.

----------------------------------------------------------------------------

=======================================

AMQP 1.0 section

=======================================

Connections that are not authenticated with SASL will connect as this

account. See the README for more information.

Please note that setting this will allow clients to connect without

authenticating!

amqp1_0.default_user = guest

Enable protocol strict mode. See the README for more information.

amqp1_0.protocol_strict_mode = false

Logging settings.

See https://rabbitmq.com/logging.html and https://github.com/erlang-lager/lager for details.

Log directory, taken from the RABBITMQ_LOG_BASE env variable by default.

log.dir = /var/log/rabbitmq

Logging to file. Can be false or a filename.

Default:

log.file = rabbit.log

To disable logging to a file

log.file = false

Log level for file logging

log.file.level = info

File rotation config. No rotation by default.

DO NOT SET rotation date to ''. Leave the value unset if "" is the desired value

log.file.rotation.date = $D0

log.file.rotation.size = 0

Logging to console (can be true or false)

log.console = false

Log level for console logging

log.console.level = info

Logging to the amq.rabbitmq.log exchange (can be true or false)

log.exchange = false

Log level to use when logging to the amq.rabbitmq.log exchange

log.exchange.level = info

----------------------------------------------------------------------------

RabbitMQ LDAP Plugin

Related doc guide: https://rabbitmq.com/ldap.html.

----------------------------------------------------------------------------

=======================================

LDAP section

=======================================

Connecting to the LDAP server(s)

================================

Specify servers to bind to. You must set this in order for the plugin

to work properly.

auth_ldap.servers.1 = your-server-name-goes-here

You can define multiple servers

auth_ldap.servers.2 = your-other-server

Connect to the LDAP server using TLS

auth_ldap.use_ssl = false

Specify the LDAP port to connect to

auth_ldap.port = 389

LDAP connection timeout, in milliseconds or 'infinity'

auth_ldap.timeout = infinity

Or number

auth_ldap.timeout = 500

Enable logging of LDAP queries.

One of

- false (no logging is performed)

- true (verbose logging of the logic used by the plugin)

- network (as true, but additionally logs LDAP network traffic)

Defaults to false.

auth_ldap.log = false

Also can be true or network

auth_ldap.log = true

auth_ldap.log = network

Authentication

==============

Pattern to convert the username given through AMQP to a DN before

binding

auth_ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com

Alternatively, you can convert a username to a Distinguished

Name via an LDAP lookup after binding. See the documentation for

full details.

When converting a username to a dn via a lookup, set these to

the name of the attribute that represents the user name, and the

base DN for the lookup query.

auth_ldap.dn_lookup_attribute = userPrincipalName

auth_ldap.dn_lookup_base = DC=gopivotal,DC=com

Controls how to bind for authorisation queries and also to

retrieve the details of users logging in without presenting a

password (e.g., SASL EXTERNAL).

One of

- as_user (to bind as the authenticated user - requires a password)

- anon (to bind anonymously)

- {UserDN, Password} (to bind with a specified user name and password)

Defaults to 'as_user'.

auth_ldap.other_bind = as_user

Or can be more complex:

auth_ldap.other_bind.user_dn = User

auth_ldap.other_bind.password = Password

If user_dn and password are defined, the other bind options are ignored.

-----------------------------

Too complex section of LDAP

-----------------------------

Authorisation

=============

The LDAP plugin can perform a variety of queries against your

LDAP server to determine questions of authorisation.

Related doc guide: https://rabbitmq.com/ldap.html#authorisation.

Following configuration should be defined in advanced.config file

DO NOT UNCOMMENT THESE LINES!

Set the query to use when determining vhost access

{vhost_access_query, {in_group,

"ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}},

Set the query to use when determining resource (e.g., queue) access

{resource_access_query, {constant, true}},

Set queries to determine which tags a user has

{tag_queries, []}

]},

-----------------------------

Edit the /etc/rabbitmq/rabbitmq.conf file and replace its contents with the following:

Disable non-TLS connections

listeners.tcp = none

Port for SSL/TLS connections

listeners.ssl.default = 5671

Management console port

management.tcp.port = 15672

Server private key and certificate file settings

ssl_options.cacertfile = /etc/rabbitmq/ssl/cacert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/rabbit-server.cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/rabbit-server.key.pem

There are two options, verify_none and verify_peer: verify_none ignores the result of certificate verification entirely, while verify_peer requires the peer's certificate to be verified

ssl_options.verify = verify_peer

If true, the server requests a certificate from the client and aborts the SSL handshake if the client has none; if false, the handshake still completes when the client presents no certificate

ssl_options.fail_if_no_peer_cert = true

Specify the enabled TLS versions

ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1

Specify the corresponding cipher suites

ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.6 = ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.7 = ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.8 = ECDH-ECDSA-AES256-SHA384
ssl_options.ciphers.9 = ECDH-RSA-AES256-SHA384
ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.11 = DHE-DSS-AES256-SHA256
ssl_options.ciphers.12 = AES256-GCM-SHA384
ssl_options.ciphers.13 = AES256-SHA256
ssl_options.ciphers.14 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.15 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.16 = ECDHE-ECDSA-AES128-SHA256
ssl_options.ciphers.17 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.18 = ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.19 = ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.20 = ECDH-ECDSA-AES128-SHA256
ssl_options.ciphers.21 = ECDH-RSA-AES128-SHA256
ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256
ssl_options.ciphers.23 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.24 = AES128-GCM-SHA256
ssl_options.ciphers.25 = AES128-SHA256
ssl_options.ciphers.26 = ECDHE-ECDSA-AES256-SHA
ssl_options.ciphers.27 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.28 = DHE-DSS-AES256-SHA
ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA
ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA
ssl_options.ciphers.31 = AES256-SHA
ssl_options.ciphers.32 = ECDHE-ECDSA-AES128-SHA
ssl_options.ciphers.33 = ECDHE-RSA-AES128-SHA
ssl_options.ciphers.34 = DHE-DSS-AES128-SHA
ssl_options.ciphers.35 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.36 = ECDH-ECDSA-AES128-SHA
ssl_options.ciphers.37 = ECDH-RSA-AES128-SHA
ssl_options.ciphers.38 = AES128-SHA

================================================================

The PEM files need the right permissions

chmod 775 *.pem

rabbitmqctl stop

rabbitmq-server restart
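Before restarting the broker it is worth checking the TLS settings above against a baseline. The following is an added example, not code from the original post or from RabbitMQ: a small policy check that parses the ini-style `ssl_options` lines of a rabbitmq.conf, flags settings that weaken TLS (plaintext listener left on, `verify_none`, `fail_if_no_peer_cert` not set, deprecated protocol versions, 3DES/RC4 suites, suites without forward secrecy, duplicate entries), and checks that a private key file has no group/other permission bits, since `chmod 775 *.pem` leaves the server key readable by every local user. The sample configuration is a constructed, trimmed copy of the post's values, the key files are constructed placeholders in a temporary directory, and the severity labels are this example's own convention.

```python
"""Policy check for RabbitMQ ssl_options (added example, not RabbitMQ's own tooling)."""
import os
import re
import stat
import tempfile

# Constructed sample: a trimmed copy of the rabbitmq.conf settings shown above.
SAMPLE_CONF = """
listeners.tcp = none
listeners.ssl.default = 5671
management.tcp.port = 15672
ssl_options.cacertfile = /etc/rabbitmq/ssl/cacert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/rabbit-server.cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/rabbit-server.key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1=tlsv1.2
ssl_options.versions.2=tlsv1.1
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.12 = AES256-GCM-SHA384
ssl_options.ciphers.23 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.35 = DHE-DSS-AES128-SHA256
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
WEAK_RE = re.compile(r"(^|-)(DES|3DES|RC4|NULL)(-|$)")


def parse_conf(text):
    """Parse rabbitmq.conf 'key = value' lines into a dict; '#' lines are comments."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def indexed(settings, prefix):
    """Return the values of prefix.1, prefix.2, ... in numeric order."""
    items = []
    for key, value in settings.items():
        if key.startswith(prefix + "."):
            suffix = key[len(prefix) + 1:]
            if suffix.isdigit():
                items.append((int(suffix), value))
    return [v for _, v in sorted(items)]


def lint_tls(settings):
    """Return a list of (severity, message) findings for weak TLS settings."""
    findings = []
    if settings.get("listeners.tcp", "") != "none":
        findings.append(("high", "plaintext AMQP listener still enabled (listeners.tcp)"))
    if settings.get("ssl_options.verify") != "verify_peer":
        findings.append(("high", "ssl_options.verify is not verify_peer: peer certificates are not validated"))
    if settings.get("ssl_options.fail_if_no_peer_cert", "false").lower() != "true":
        findings.append(("medium", "fail_if_no_peer_cert is not true: clients without a certificate can connect"))
    for v in indexed(settings, "ssl_options.versions"):
        if v.lower() in ("sslv3", "tlsv1", "tlsv1.1"):
            findings.append(("medium", f"deprecated protocol version enabled: {v}"))
    seen = set()
    for c in indexed(settings, "ssl_options.ciphers"):
        if c in seen:
            findings.append(("low", f"duplicate cipher suite entry: {c}"))
        seen.add(c)
        if WEAK_RE.search(c):
            findings.append(("high", f"weak cipher suite: {c}"))
        elif not (c.startswith("ECDHE-") or c.startswith("DHE-")):
            findings.append(("low", f"cipher suite without forward secrecy: {c}"))
    return findings


def key_mode_ok(path):
    """True if the private key file has no group/other permission bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Run the checks on the constructed config and on two constructed key files."""
    findings = lint_tls(parse_conf(SAMPLE_CONF))
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, "loose.key.pem")
        tight = os.path.join(d, "tight.key.pem")
        for p in (loose, tight):
            with open(p, "w") as f:
                f.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
        os.chmod(loose, 0o775)  # what `chmod 775 *.pem` produces
        os.chmod(tight, 0o600)  # owner-only: what a private key should have
        modes = (key_mode_ok(loose), key_mode_ok(tight))
    return findings, modes


if __name__ == "__main__":
    found, (loose_ok, tight_ok) = demo()
    for sev, msg in found:
        print(f"[{sev}] {msg}")
    print("0775 key acceptable:", loose_ok, "| 0600 key acceptable:", tight_ok)
```

Run against the post's configuration it reports four findings: TLS 1.1 enabled, the `ECDHE-ECDSA-DES-CBC3-SHA` suite, `AES256-GCM-SHA384` without forward secrecy, and the `DHE-DSS-AES128-SHA256` entry listed twice (indices 23 and 35); the 0775 key file fails the permission check while a 0600 file passes. To run it on a real host, replace `SAMPLE_CONF` with the contents of `/etc/rabbitmq/rabbitmq.conf` and pass the path from `ssl_options.keyfile` to `key_mode_ok`.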

Tags: rabbitmq security ssl

This article is reposted from: https://blog.csdn.net/zhujun2008/article/details/133377303
Copyright belongs to the original author zhujun2008; in case of infringement, please contact us for removal.
