docker rabbitmq amqp明文验证 漏洞
1、拷贝docker配置文件到本地
通过docker ps 命令,查看CONTAINER ID
如:
docker cp 1ff:/etc/rabbitmq/conf.d /etc/rabbitmq/
docker cp 1ff:/etc/rabbitmq/enabled_plugins /etc/rabbitmq/
2、重新启动容器:
如:
docker run -dit --name rabbitmqserver -v /etc/rabbitmq:/etc/rabbitmq -e RABBITMQ_DEFAULT_USER=root -e RABBITMQ_DEFAULT_PASS=123456 -p 15672:15672 -p 5672:5672 -p 5671:5671 rabbitmq:management
3、添加SSL插件:
部署完成后,docker exec进入容器,在容器中添加插件才能启用SSL验证的功能
进入docker:
docker exec -it f12 /bin/sh
rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
4、查看启动结果
rabbitmq-plugins list
[E*] rabbitmq_auth_mechanism_ssl 表示成功
rabbitmq-plugins list
Listing plugins with pattern ".*" ...
Configured: E = explicitly enabled; e = implicitly enabled
| Status: * = running on rabbit@f2d5bbd9c4ac
|/
[ ] rabbitmq_amqp1_0 3.10.5
[ ] rabbitmq_auth_backend_cache 3.10.5
[ ] rabbitmq_auth_backend_http 3.10.5
[ ] rabbitmq_auth_backend_ldap 3.10.5
[ ] rabbitmq_auth_backend_oauth2 3.10.5
[E*] rabbitmq_auth_mechanism_ssl 3.10.5
[ ] rabbitmq_consistent_hash_exchange 3.10.5
[ ] rabbitmq_event_exchange 3.10.5
[ ] rabbitmq_federation 3.10.5
[ ] rabbitmq_federation_management 3.10.5
[ ] rabbitmq_jms_topic_exchange 3.10.5
[E*] rabbitmq_management 3.10.5
[e*] rabbitmq_management_agent 3.10.5
[ ] rabbitmq_mqtt 3.10.5
[ ] rabbitmq_peer_discovery_aws 3.10.5
[ ] rabbitmq_peer_discovery_common 3.10.5
[ ] rabbitmq_peer_discovery_consul 3.10.5
[ ] rabbitmq_peer_discovery_etcd 3.10.5
[ ] rabbitmq_peer_discovery_k8s 3.10.5
[E*] rabbitmq_prometheus 3.10.5
[ ] rabbitmq_random_exchange 3.10.5
[ ] rabbitmq_recent_history_exchange 3.10.5
[ ] rabbitmq_sharding 3.10.5
[ ] rabbitmq_shovel 3.10.5
[ ] rabbitmq_shovel_management 3.10.5
[ ] rabbitmq_stomp 3.10.5
[ ] rabbitmq_stream 3.10.5
[ ] rabbitmq_stream_management 3.10.5
[ ] rabbitmq_top 3.10.5
[ ] rabbitmq_tracing 3.10.5
[ ] rabbitmq_trust_store 3.10.5
[e*] rabbitmq_web_dispatch 3.10.5
[ ] rabbitmq_web_mqtt 3.10.5
[ ] rabbitmq_web_mqtt_examples 3.10.5
[ ] rabbitmq_web_stomp 3.10.5
[ ] rabbitmq_web_stomp_examples 3.10.5
5、基于CMF-AMQP-Configuration来生成SSL自签名文件
下载CMF-AMQP-Configuration
git clone https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git
进入CMF-AMQP-Configuration/ssl目录
cd CMF-AMQP-Configuration/ssl
修改配置,生成证书10年有效期
sed -i "s/valid=365/valid=3650/g" create_client_cert.sh
sed -i "s/valid=365/valid=3650/g" make_server_cert.sh
sed -i "s/valid=365/valid=3650/g" setup_ca.sh
sed -i "s/default_days = 365/default_days = 3650/g" openssl.cnf
生成ca证书,“MyRabbitMQCA”为自定义名称,名称任意。在当前目录下生成ca目录
sh setup_ca.sh testbmsca
生成服务端证书,第一个参数是服务端证书前缀,第二个参数是密码。密码任意,在当前目录下生成server目录
sh make_server_cert.sh rabbitmq-server 123456 #123456为自定义密码
生成客户端证书,第一个参数是客户端证书前缀(同时也是rabbitmq用户名),第二个参数是密码。密码任意,在当前目录下生成client目录
sh create_client_cert.sh rabbitmq-client 654321 #654321为自定义密码
复制文件到服务器/etc/rabbitmq/ssl
cacert.pem # CA证书文件
server.cert.pem # 服务器公钥
server.key.pem # 服务器私钥
6、使用JDK的Keytool工具,将服务器公钥转换为JKS格式
keytool -import -alias rabbitmq-server \
-file server/rabbitmq-server.cert.pem \
-keystore rabbitmqStore -storepass 123456@testbms
-alias后为别称,-file后是服务端公钥位置,-keystore后是输出JSK证书位置 STORE_PASS任意
7、创建etc/rabbitmq/rabbitmq.conf(如果不存在)
#listeners.tcp.default = 5672
listeners.tcp = none # 关闭非tls的端口
listeners.ssl.default=5671 # tls认证监听端口
ssl_options.cacertfile=/etc/rabbitmq/ssl/cacert.pem
ssl_options.certfile=/etc/rabbitmq//ssl/rabbitmq-server.cert.pem
ssl_options.keyfile=/etc/rabbitmq//ssl/rabbitmq-server.key.pem
ssl_options.verify=verify_peer
ssl_options.fail_if_no_peer_cert=true
ssl_options.versions.1=tlsv1.2
ssl_options.versions.2=tlsv1.3
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.6 = ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.7 = ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.8 = ECDH-ECDSA-AES256-SHA384
ssl_options.ciphers.9 = ECDH-RSA-AES256-SHA384
ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.11= DHE-DSS-AES256-SHA256
ssl_options.ciphers.12 = AES256-GCM-SHA384
ssl_options.ciphers.13 = AES256-SHA256
ssl_options.ciphers.14 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.15 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.16 = ECDHE-ECDSA-AES128-SHA256
ssl_options.ciphers.17 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.18 = ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.19= ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.20 = ECDH-ECDSA-AES128-SHA256
ssl_options.ciphers.21 = ECDH-RSA-AES128-SHA256
ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256
ssl_options.ciphers.23 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.24 = AES128-GCM-SHA256
ssl_options.ciphers.25 = AES128-SHA256
ssl_options.ciphers.26 = ECDHE-ECDSA-AES256-SHA
ssl_options.ciphers.27 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.28 = DHE-DSS-AES256-SHA
ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA
ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA
ssl_options.ciphers.31= AES256-SHA
ssl_options.ciphers.32 = ECDHE-ECDSA-AES128-SHA
ssl_options.ciphers.33 = ECDHE-RSA-AES128-SHA
ssl_options.ciphers.34 = DHE-DSS-AES128-SHA
ssl_options.ciphers.35 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.36 = ECDH-ECDSA-AES128-SHA
ssl_options.ciphers.37 = ECDH-RSA-AES128-SHA
ssl_options.ciphers.38 = AES128-SHA
auth_mechanisms.1 = EXTERNAL # 使用rabbit-ssl插件进行认证 首先要配置SSL插件
#auth_mechanisms.2 = PLAIN # 明文
#auth_mechanisms.3 = AMQPLAIN # 明文
management.tcp.port = 15672
ssl_cert_login_from = common_name # 使用证书种的CN作为登录用户名
loopback_users.guest = false
重启动容器
进入容器查看运行环境:rabbitmqctl environment
8、添加证书登录用户
用户名要与客户端证书名称前缀一致
rabbitmqctl add_user 'rabbitmq-client' 'wsajg5df'
添加权限 不要忘记了
rabbitmqctl set_permissions -p "/" "rabbitmq-client" "." "." ".*"
9、验证证书有效性
openssl s_client -connect localhost:5671 \
-cert client/rabbitmq-client.cert.pem \
-key client/rabbitmq-client.key.pem \
-CAfile ca/cacert.pem
版权归原作者 yyysilence 所有, 如有侵权,请联系我们删除。