RabbitMQ has to be reachable from outside. For security, access is configured over SSL on port 5671, while internal clients keep using port 5672; both listeners are enabled at the same time.
1. Generating the certificates
Clone the project from GitHub (install git first with yum -y install git)
$ cd /home/rabbitmq/
$ git clone https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git
$ cd /home/rabbitmq/CMF-AMQP-Configuration/ssl/
Change the certificate validity period (optional; the default is 1 year)
$ vi openssl.cnf
default_days = 365
Generate the certificate authority (creates the ca directory)
$ sh setup_ca.sh xxx
Generate the server public and private keys (creates the server directory)
$ sh make_server_cert.sh rabbit-server 123456
Generate the client public and private keys (creates the client directory)
$ sh create_client_cert.sh rabbit-client 123456
Import the server certificate into a JDK keystore
$ keytool -import -alias rabbit-server -file server/rabbit-server.cert.pem -keystore rabbitStore -storepass 123456
2. Installing RabbitMQ and configuring SSL
Pull the image
$ docker pull rabbitmq:management
Bootstrap the configuration files (start a temporary container and copy its directories out)
$ mkdir -p /home/rabbitmq/lib /home/rabbitmq/etc /home/rabbitmq/log
$ docker run --restart=unless-stopped -d -p 5672:5672 -p 15672:15672 --name rabbitmq rabbitmq:management
$ docker cp -a rabbitmq:/var/lib/rabbitmq /home/rabbitmq/lib/
$ docker cp -a rabbitmq:/etc/rabbitmq /home/rabbitmq/etc/
$ docker cp -a rabbitmq:/var/log/rabbitmq /home/rabbitmq/log/
Copy the generated certificates into the corresponding /home/rabbitmq/etc/rabbitmq/ssl/ directory
$ cd /home/rabbitmq/CMF-AMQP-Configuration/ssl/
$ mkdir -p /home/rabbitmq/etc/rabbitmq/ssl
$ cp -r ca server client rabbitStore /home/rabbitmq/etc/rabbitmq/ssl
Configure SSL (append the following)
$ vim /home/rabbitmq/etc/rabbitmq/rabbitmq.conf
# Port for SSL/TLS connections
listeners.ssl.default=5671
# Server private key and certificate files
ssl_options.cacertfile=/etc/rabbitmq/ssl/ca/cacert.pem
ssl_options.certfile=/etc/rabbitmq/ssl/server/rabbit-server.cert.pem
ssl_options.keyfile=/etc/rabbitmq/ssl/server/rabbit-server.key.pem
# verify has two options: verify_none ignores the result of certificate validation entirely; verify_peer requires the peer's certificate to be validated
ssl_options.verify=verify_peer
# If true, the server asks the client for a certificate and aborts the SSL handshake when none is presented; if false, the handshake still completes when the client has no certificate
ssl_options.fail_if_no_peer_cert=true
ssl_options.versions.1=tlsv1.2
ssl_options.versions.2=tlsv1.1
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.6 = ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.7 = ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.8 = ECDH-ECDSA-AES256-SHA384
ssl_options.ciphers.9 = ECDH-RSA-AES256-SHA384
ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.11 = DHE-DSS-AES256-SHA256
ssl_options.ciphers.12 = AES256-GCM-SHA384
ssl_options.ciphers.13 = AES256-SHA256
ssl_options.ciphers.14 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.15 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.16 = ECDHE-ECDSA-AES128-SHA256
ssl_options.ciphers.17 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.18 = ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.19 = ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.20 = ECDH-ECDSA-AES128-SHA256
ssl_options.ciphers.21 = ECDH-RSA-AES128-SHA256
ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256
ssl_options.ciphers.23 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.24 = AES128-GCM-SHA256
ssl_options.ciphers.25 = AES128-SHA256
ssl_options.ciphers.26 = ECDHE-ECDSA-AES256-SHA
ssl_options.ciphers.27 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.28 = DHE-DSS-AES256-SHA
ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA
ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA
ssl_options.ciphers.31 = AES256-SHA
ssl_options.ciphers.32 = ECDHE-ECDSA-AES128-SHA
ssl_options.ciphers.33 = ECDHE-RSA-AES128-SHA
ssl_options.ciphers.34 = DHE-DSS-AES128-SHA
ssl_options.ciphers.35 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.36 = ECDH-ECDSA-AES128-SHA
ssl_options.ciphers.37 = ECDH-RSA-AES128-SHA
ssl_options.ciphers.38 = AES128-SHA
Remove the container and recreate it with the directory mounts
$ docker rm -f -v rabbitmq
$ docker run --restart=unless-stopped -d -p 5672:5672 -p 15672:15672 --name rabbitmq \
-v /home/rabbitmq/etc/rabbitmq:/etc/rabbitmq \
-v /home/rabbitmq/lib/rabbitmq:/var/lib/rabbitmq:z \
-v /home/rabbitmq/log/rabbitmq/:/var/log/rabbitmq \
-e RABBITMQ_DEFAULT_USER=admin -e RABBITMQ_DEFAULT_PASS=123456 rabbitmq:management
Check the logs to confirm the configuration was loaded
$ docker logs -f rabbitmq
Open the management UI to confirm the setup works
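To check that the ssl_options block above actually enforces what its comments promise (mutual TLS, no legacy protocol versions or cipher suites), here is an added Python helper that is not part of the original post or of RabbitMQ itself: it parses the key = value format of rabbitmq.conf and runs a small audit over a constructed excerpt of the configuration above.

```python
import re

# Constructed sample (an excerpt, not the whole file from the post): the
# mutual-TLS keys plus the two weak entries the post's version/cipher list has.
SAMPLE_CONF = """
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca/cacert.pem
# require and validate the client certificate
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
"""

WEAK_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1"}
WEAK_CIPHER = re.compile(r"\b(DES|3DES|RC4|NULL|MD5|EXPORT)\b", re.IGNORECASE)

def parse_conf(text):
    """Parse the 'key = value' format of rabbitmq.conf; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def indexed(conf, prefix):
    """Values of prefix.1, prefix.2, ... in numeric order (RabbitMQ's list syntax)."""
    hits = [(int(k.rsplit(".", 1)[1]), v) for k, v in conf.items()
            if k.startswith(prefix + ".") and k.rsplit(".", 1)[1].isdigit()]
    return [v for _, v in sorted(hits)]

def audit_ssl(conf):
    """Return findings; an empty list means mutual TLS with modern crypto only."""
    findings = []
    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append("verify is not verify_peer: client certs are not checked")
    if conf.get("ssl_options.fail_if_no_peer_cert", "false").lower() != "true":
        findings.append("fail_if_no_peer_cert is not true: cert-less clients pass")
    for v in indexed(conf, "ssl_options.versions"):
        if v.lower() in WEAK_VERSIONS:
            findings.append(f"deprecated protocol version enabled: {v}")
    for c in indexed(conf, "ssl_options.ciphers"):
        if WEAK_CIPHER.search(c):
            findings.append(f"weak cipher suite enabled: {c}")
    return findings
```

Run against the list above it flags tlsv1.1 and the ECDHE-ECDSA-DES-CBC3-SHA suite, both deprecated; the mutual-TLS settings themselves pass.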
Spring Boot SSL integration
spring:
  rabbitmq:
    addresses: 192.168.1.100:5671
    username: admin
    password: 123456
    virtual-host: /
    ssl:
      enabled: true
      key-store: classpath:rabbitmq/ssl/client/rabbit-client.keycert.p12
      key-store-password: 123456
      trust-store: classpath:rabbitmq/ssl/rabbitStore
      trust-store-password: 123456
      algorithm: TLSv1.2
      trust-store-type: JKS
      key-store-type: PKCS12
      validate-server-certificate: true
      verify-hostname: false
Notes:
SSL uses port 5671; without SSL, port 5672 can still be used
ssl.enabled: whether SSL is enabled; defaults to false
key-store: path to the client certificate store
key-store-password: the password given when the client certificate was generated
trust-store: path to the trusted certificate store
trust-store-password: the password given when the certificate was generated