$ git clone https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git

$ cd CMF-AMQP-Configuration/ssl/

# Greyfoss 为自定义的证书签发机构名称,该脚本会生成一个 ca 目录,存储证书颁发机构的信息以及签发的证书
$ sh setup_ca.sh Greyfoss

# 生成服务端公钥和私钥。rabbit-server 为生成的密钥前缀,123456 为该密钥自定义的密码(示例值,实际部署时请换成强密码)
$ sh make_server_cert.sh rabbit-server 123456

# 生成客户端公钥和私钥
$ sh create_client_cert.sh rabbit-client 123456

# 使用 java 的 keytool 工具生成客户端需要的证书,用以支持服务端和客户端进行通信。生成该证书需要提前安装配置 java 环境,此处默认已正确安装 java 环境
$ keytool -import -alias rabbit-server -file server/rabbit-server.cert.pem -keystore rabbitStore -storepass 123456
# 参数说明:
#   -import                              将已签名数字证书导入密钥库
#   -alias xxx                           指定导入条目的别名
#   -file server/rabbit-server.cert.pem  需要导入的证书
#   -keystore xxx                        指定密钥库的名称
#   -storepass xxx                       指定密钥库的密码(获取 keystore 信息所需的密码)

RabbitMQ并配置SSL

新建 /etc/rabbitmq/ssl 文件夹,将 CMF-AMQP-Configuration/ssl/ 文件夹下所有 PEM 文件 cp 过去。注意:复制过去的私钥文件应只允许 rabbitmq 服务用户读取,不要对其他用户开放读取权限。

新建一个 /etc/rabbitmq/rabbitmq.conf 文件(默认没有),内容如下。注意:下面示例中的各项设置都是被注释掉的,启用 TLS 时需要取消注释 listeners.ssl 和 ssl_options.* 相关行,并把其中的证书路径改为上一步复制到 /etc/rabbitmq/ssl/ 下的文件。

## This example configuration file demonstrates various settings ## available via rabbitmq.conf. It primarily focuses core broker settings ## but some tier 1 plugin settings are also covered. ## ## This file is AN EXAMPLE. It is NOT MEANT TO BE USED IN PRODUCTION. Instead of ## copying the entire (large!) file, create or generate a new rabbitmq.conf for the target system ## and populate it with the necessary settings. ## ## See https://rabbitmq.com/configure.html to learn about how to configure RabbitMQ, ## the ini-style format used by rabbitmq.conf, how it is different from `advanced.config`, ## how to verify effective configuration, and so on. ## ## See https://rabbitmq.com/documentation.html for the rest of RabbitMQ documentation. ## ## In case you have questions, please use RabbitMQ community Slack and the rabbitmq-users Google group ## instead of GitHub issues.

# ====================================== # Core broker section # ======================================

## Networking ## ==================== ## ## Related doc guide: https://rabbitmq.com/networking.html. ## ## By default, RabbitMQ will listen on all interfaces, using ## the standard (reserved) AMQP 0-9-1 and 1.0 port. ## # listeners.tcp.default = 5672

## To listen on a specific interface, provide an IP address with port. ## For example, to listen only on localhost for both IPv4 and IPv6: ## # IPv4 # listeners.tcp.local    = 127.0.0.1:5672 # IPv6 # listeners.tcp.local_v6 = ::1:5672

## You can define multiple listeners using listener names # listeners.tcp.other_port = 5673 # listeners.tcp.other_ip   = 10.10.10.10:5672

## TLS listeners are configured in the same fashion as TCP listeners, ## including the option to control the choice of interface. ## # listeners.ssl.default = 5671

## It is possible to disable regular TCP (non-TLS) listeners. Clients ## not configured to use TLS and the correct TLS-enabled port won't be able ## to connect to this node. # listeners.tcp = none

## Number of Erlang processes that will accept connections for the TCP ## and TLS listeners. ## # num_acceptors.tcp = 10 # num_acceptors.ssl = 10

## Socket writer will force GC every so many bytes transferred. ## Default is 1 GiB (`1000000000`). Set to 'off' to disable. ## # socket_writer.gc_threshold = 1000000000 # ## To disable: # socket_writer.gc_threshold = off

## Maximum amount of time allowed for the AMQP 0-9-1 and AMQP 1.0 handshake ## (performed after socket connection and TLS handshake) to complete, in milliseconds. ## # handshake_timeout = 10000

## Set to 'true' to perform reverse DNS lookups when accepting a ## connection. rabbitmqctl and management UI will then display hostnames ## instead of IP addresses. Default value is `false`. ## # reverse_dns_lookups = false

## ## Security, Access Control ## ============== ##

## Related doc guide: https://rabbitmq.com/access-control.html.

## The default "guest" user is only permitted to access the server ## via a loopback interface (e.g. localhost). ## {loopback_users, [<<"guest">>]}, ## # loopback_users.guest = true

## Uncomment the following line if you want to allow access to the
## guest user from anywhere on the network. Doing so exposes a
## well-known default account: change its password first, or create a
## dedicated user instead.
# loopback_users.guest = false

## TLS configuration.
##
## Related doc guide: https://rabbitmq.com/ssl.html.
##
# listeners.ssl.1                  = 5671
#
# ssl_options.verify               = verify_peer
# ssl_options.fail_if_no_peer_cert = false
## With fail_if_no_peer_cert = false, verify_peer only validates a certificate
## when the client presents one; set it to true to require every client to
## present a certificate (mutual TLS).
# ssl_options.cacertfile           = /path/to/cacert.pem
# ssl_options.certfile             = /path/to/cert.pem
# ssl_options.keyfile              = /path/to/key.pem
#
# ssl_options.honor_cipher_order   = true
# ssl_options.honor_ecc_order      = true
#
## These are highly recommended for TLSv1.2 but cannot be used
## with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed.
# ssl_options.client_renegotiation = false
# ssl_options.secure_renegotiate   = true
#
## Limits what TLS versions the server enables for client TLS
## connections. See https://www.rabbitmq.com/ssl.html#tls-versions for details.
##
## Cutting edge TLS version which requires recent client runtime
## versions and has no cipher suite in common with earlier TLS versions.
# ssl_options.versions.1 = tlsv1.3
## Enables TLSv1.2 for best compatibility
# ssl_options.versions.2 = tlsv1.2
## Older TLS versions have known vulnerabilities and are being phased out
## from wide use.

## Limits what cipher suites the server will use for client TLS ## connections. Narrowing this down can prevent some clients ## from connecting. ## If TLSv1.3 is enabled and cipher suites are overridden, TLSv1.3-specific ## cipher suites must also be explicitly enabled. ## See https://www.rabbitmq.com/ssl.html#cipher-suites and https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites ## for details. # ## The example below uses TLSv1.3 cipher suites only # # ssl_options.ciphers.1  = TLS_AES_256_GCM_SHA384 # ssl_options.ciphers.2  = TLS_AES_128_GCM_SHA256 # ssl_options.ciphers.3  = TLS_CHACHA20_POLY1305_SHA256 # ssl_options.ciphers.4  = TLS_AES_128_CCM_SHA256 # ssl_options.ciphers.5  = TLS_AES_128_CCM_8_SHA256 # ## The example below uses TLSv1.2 cipher suites only # # ssl_options.ciphers.1  = ECDHE-ECDSA-AES256-GCM-SHA384 # ssl_options.ciphers.2  = ECDHE-RSA-AES256-GCM-SHA384 # ssl_options.ciphers.3  = ECDHE-ECDSA-AES256-SHA384 # ssl_options.ciphers.4  = ECDHE-RSA-AES256-SHA384 # ssl_options.ciphers.5  = ECDH-ECDSA-AES256-GCM-SHA384 # ssl_options.ciphers.6  = ECDH-RSA-AES256-GCM-SHA384 # ssl_options.ciphers.7  = ECDH-ECDSA-AES256-SHA384 # ssl_options.ciphers.8  = ECDH-RSA-AES256-SHA384 # ssl_options.ciphers.9  = DHE-RSA-AES256-GCM-SHA384 # ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384 # ssl_options.ciphers.11 = DHE-RSA-AES256-SHA256 # ssl_options.ciphers.12 = DHE-DSS-AES256-SHA256 # ssl_options.ciphers.13 = ECDHE-ECDSA-AES128-GCM-SHA256 # ssl_options.ciphers.14 = ECDHE-RSA-AES128-GCM-SHA256 # ssl_options.ciphers.15 = ECDHE-ECDSA-AES128-SHA256 # ssl_options.ciphers.16 = ECDHE-RSA-AES128-SHA256 # ssl_options.ciphers.17 = ECDH-ECDSA-AES128-GCM-SHA256 # ssl_options.ciphers.18 = ECDH-RSA-AES128-GCM-SHA256 # ssl_options.ciphers.19 = ECDH-ECDSA-AES128-SHA256 # ssl_options.ciphers.20 = ECDH-RSA-AES128-SHA256 # ssl_options.ciphers.21 = DHE-RSA-AES128-GCM-SHA256 # ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256 # ssl_options.ciphers.23 = DHE-RSA-AES128-SHA256 # 
ssl_options.ciphers.24 = DHE-DSS-AES128-SHA256 # ssl_options.ciphers.25 = ECDHE-ECDSA-AES256-SHA # ssl_options.ciphers.26 = ECDHE-RSA-AES256-SHA # ssl_options.ciphers.27 = DHE-RSA-AES256-SHA # ssl_options.ciphers.28 = DHE-DSS-AES256-SHA # ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA # ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA # ssl_options.ciphers.31 = ECDHE-ECDSA-AES128-SHA # ssl_options.ciphers.32 = ECDHE-RSA-AES128-SHA # ssl_options.ciphers.33 = DHE-RSA-AES128-SHA # ssl_options.ciphers.34 = DHE-DSS-AES128-SHA # ssl_options.ciphers.35 = ECDH-ECDSA-AES128-SHA # ssl_options.ciphers.36 = ECDH-RSA-AES128-SHA

# ssl_options.bypass_pem_cache = true

## Select an authentication/authorisation backend to use. ## ## Alternative backends are provided by plugins, such as rabbitmq-auth-backend-ldap. ## ## NB: These settings require certain plugins to be enabled. ## ## Related doc guides: ## ##  * https://rabbitmq.com/plugins.html ##  * https://rabbitmq.com/access-control.html ##

# auth_backends.1   = rabbit_auth_backend_internal

## uses separate backends for authentication and authorisation, ## see below. # auth_backends.1.authn = rabbit_auth_backend_ldap # auth_backends.1.authz = rabbit_auth_backend_internal

## The rabbitmq_auth_backend_ldap plugin allows the broker to ## perform authentication and authorisation by deferring to an ## external LDAP server. ## ## Relevant doc guides: ## ## * https://rabbitmq.com/ldap.html ## * https://rabbitmq.com/access-control.html ## ## uses LDAP for both authentication and authorisation # auth_backends.1 = rabbit_auth_backend_ldap

## uses HTTP service for both authentication and ## authorisation # auth_backends.1 = rabbit_auth_backend_http

## uses two backends in a chain: HTTP first, then internal # auth_backends.1   = rabbit_auth_backend_http # auth_backends.2   = rabbit_auth_backend_internal

## Authentication ## The built-in mechanisms are 'PLAIN', ## 'AMQPLAIN', and 'EXTERNAL' Additional mechanisms can be added via ## plugins. ## ## Related doc guide: https://rabbitmq.com/authentication.html. ## # auth_mechanisms.1 = PLAIN # auth_mechanisms.2 = AMQPLAIN

## The rabbitmq-auth-mechanism-ssl plugin makes it possible to ## authenticate a user based on the client's x509 (TLS) certificate. ## Related doc guide: https://rabbitmq.com/authentication.html. ## ## To use auth-mechanism-ssl, the EXTERNAL mechanism should ## be enabled: ## # auth_mechanisms.1 = PLAIN # auth_mechanisms.2 = AMQPLAIN # auth_mechanisms.3 = EXTERNAL

## To force x509 certificate-based authentication on all clients, ## exclude all other mechanisms (note: this will disable password-based ## authentication even for the management UI!): ## # auth_mechanisms.1 = EXTERNAL

## This pertains to both the rabbitmq-auth-mechanism-ssl plugin and ## STOMP ssl_cert_login configurations. See the RabbitMQ STOMP plugin ## configuration section later in this file and the README in ## https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl for further ## details. ## ## To use the TLS cert's CN instead of its DN as the username ## # ssl_cert_login_from   = common_name

## TLS handshake timeout, in milliseconds. ## # ssl_handshake_timeout = 5000

## Cluster name ## # cluster_name = dev3.eng.megacorp.local

## Password hashing implementation. Will only affect newly ## created users. To recalculate hash for an existing user ## it's necessary to update her password. ## ## To use SHA-512, set to rabbit_password_hashing_sha512. ## # password_hashing_module = rabbit_password_hashing_sha256

## When importing definitions exported from versions earlier ## than 3.6.0, it is possible to go back to MD5 (only do this ## as a temporary measure!) by setting this to rabbit_password_hashing_md5. ## # password_hashing_module = rabbit_password_hashing_md5

## ## Default User / VHost ## ==================== ##

## On first start RabbitMQ will create a vhost and a user. These ## config items control what gets created. ## Relevant doc guide: https://rabbitmq.com/access-control.html ## # default_vhost = / # default_user = guest # default_pass = guest

# default_permissions.configure = .* # default_permissions.read = .* # default_permissions.write = .*

## Tags for default user ## ## For more details about tags, see the documentation for the ## Management Plugin at https://rabbitmq.com/management.html. ## # default_user_tags.administrator = true

## Define other tags like this: # default_user_tags.management = true # default_user_tags.custom_tag = true

## ## Additional network and protocol related configuration ## ===================================================== ##

## Set the server AMQP 0-9-1 heartbeat timeout in seconds. ## RabbitMQ nodes will send heartbeat frames at roughly ## the (timeout / 2) interval. Two missed heartbeats from ## a client will close its connection. ## ## Values lower than 6 seconds are very likely to produce ## false positives and are not recommended. ## ## Related doc guides: ## ## * https://rabbitmq.com/heartbeats.html ## * https://rabbitmq.com/networking.html ## # heartbeat = 60

## Set the max permissible size of an AMQP frame (in bytes). ## # frame_max = 131072

## Set the max frame size the server will accept before connection ## tuning occurs ## # initial_frame_max = 4096

## Set the max permissible number of channels per connection. ## 0 means "no limit". ## # channel_max = 128

## Customising TCP Listener (Socket) Configuration. ## ## Related doc guides: ## ## * https://rabbitmq.com/networking.html ## * https://www.erlang.org/doc/man/inet.html#setopts-2 ##

# tcp_listen_options.backlog = 128 # tcp_listen_options.nodelay = true # tcp_listen_options.exit_on_close = false # # tcp_listen_options.keepalive = true # tcp_listen_options.send_timeout = 15000 # # tcp_listen_options.buffer = 196608 # tcp_listen_options.sndbuf = 196608 # tcp_listen_options.recbuf = 196608

## ## Resource Limits & Flow Control ## ============================== ## ## Related doc guide: https://rabbitmq.com/memory.html.

## Memory-based Flow Control threshold. ## # vm_memory_high_watermark.relative = 0.4

## Alternatively, we can set a limit (in bytes) of RAM used by the node. ## # vm_memory_high_watermark.absolute = 1073741824

## Or you can set absolute value using memory units (with RabbitMQ 3.6.0+). ## Absolute watermark will be ignored if relative is defined! ## # vm_memory_high_watermark.absolute = 2GB ## ## Supported unit symbols: ## ## k, kiB: kibibytes (2^10 - 1,024 bytes) ## M, MiB: mebibytes (2^20 - 1,048,576 bytes) ## G, GiB: gibibytes (2^30 - 1,073,741,824 bytes) ## kB: kilobytes (10^3 - 1,000 bytes) ## MB: megabytes (10^6 - 1,000,000 bytes) ## GB: gigabytes (10^9 - 1,000,000,000 bytes)

## Fraction of the high watermark limit at which queues start to ## page message out to disc in order to free up memory. ## For example, when vm_memory_high_watermark is set to 0.4 and this value is set to 0.5, ## paging can begin as early as when 20% of total available RAM is used by the node. ## ## Values greater than 1.0 can be dangerous and should be used carefully. ## ## One alternative to this is to use durable queues and publish messages ## as persistent (delivery mode = 2). With this combination queues will ## move messages to disk much more rapidly. ## ## Another alternative is to configure queues to page all messages (both ## persistent and transient) to disk as quickly ## as possible, see https://rabbitmq.com/lazy-queues.html. ## # vm_memory_high_watermark_paging_ratio = 0.5

## Selects Erlang VM memory consumption calculation strategy. Can be `allocated`, `rss` or `legacy` (aliased as `erlang`), ## Introduced in 3.6.11. `rss` is the default as of 3.6.12. ## See https://github.com/rabbitmq/rabbitmq-server/issues/1223 and rabbitmq/rabbitmq-common#224 for background. # vm_memory_calculation_strategy = rss

## Interval (in milliseconds) at which we perform the check of the memory ## levels against the watermarks. ## # memory_monitor_interval = 2500

## The total memory available can be calculated from the OS resources ## - default option - or provided as a configuration parameter. # total_memory_available_override_value = 2GB

## Set disk free limit (in bytes). Once free disk space reaches this ## lower bound, a disk alarm will be set - see the documentation ## listed above for more details. ## ## Absolute watermark will be ignored if relative is defined! # disk_free_limit.absolute = 50000

## Or you can set it using memory units (same as in vm_memory_high_watermark) ## with RabbitMQ 3.6.0+. # disk_free_limit.absolute = 500KB # disk_free_limit.absolute = 50mb # disk_free_limit.absolute = 5GB

## Alternatively, we can set a limit relative to total available RAM. ## ## Values lower than 1.0 can be dangerous and should be used carefully. # disk_free_limit.relative = 2.0

## ## Clustering ## ===================== ## # cluster_partition_handling = ignore

## Pauses all nodes on the minority side of a partition. The cluster ## MUST have an odd number of nodes (3, 5, etc) # cluster_partition_handling = pause_minority

## The pause_if_all_down strategy requires additional configuration # cluster_partition_handling = pause_if_all_down

## Recover strategy. Can be either 'autoheal' or 'ignore' # cluster_partition_handling.pause_if_all_down.recover = ignore

## Node names to check # cluster_partition_handling.pause_if_all_down.nodes.1 = rabbit@localhost # cluster_partition_handling.pause_if_all_down.nodes.2 = hare@localhost

## Mirror sync batch size, in messages. Increasing this will speed ## up syncing but total batch size in bytes must not exceed 2 GiB. ## Available in RabbitMQ 3.6.0 or later. ## # mirroring_sync_batch_size = 4096

## Make clustering happen *automatically* at startup. Only applied ## to nodes that have just been reset or started for the first time. ## ## Relevant doc guide: https://rabbitmq.com//cluster-formation.html ##

# cluster_formation.peer_discovery_backend     = rabbit_peer_discovery_classic_config # # cluster_formation.classic_config.nodes.1 = rabbit1@hostname # cluster_formation.classic_config.nodes.2 = rabbit2@hostname # cluster_formation.classic_config.nodes.3 = rabbit3@hostname # cluster_formation.classic_config.nodes.4 = rabbit4@hostname

## DNS-based peer discovery. This backend will list A records ## of the configured hostname and perform reverse lookups for ## the addresses returned.

# cluster_formation.peer_discovery_backend = rabbit_peer_discovery_dns # cluster_formation.dns.hostname = discovery.eng.example.local

## This node's type can be configured. If you are not sure ## what node type to use, always use 'disc'. # cluster_formation.node_type = disc

## Interval (in milliseconds) at which we send keepalive messages ## to other cluster members. Note that this is not the same thing ## as net_ticktime; missed keepalive messages will not cause nodes ## to be considered down. ## # cluster_keepalive_interval = 10000

## ## Statistics Collection ## ===================== ##

## Statistics collection interval (in milliseconds). Increasing ## this will reduce the load on management database. ## # collect_statistics_interval = 5000

## Fine vs. coarse statistics # # This value is no longer meant to be configured directly. # # See https://www.rabbitmq.com/management.html#fine-stats.

## ## Ra Settings ## ===================== ## ## NB: changing these on a node with existing data directory ##     can lead to DATA LOSS. ## # raft.segment_max_entries = 65536 # raft.wal_max_size_bytes = 1048576 # raft.wal_max_batch_size = 4096 # raft.snapshot_chunk_size = 1000000

## ## Misc/Advanced Options ## ===================== ## ## NB: Change these only if you understand what you are doing! ##

## Timeout used when waiting for Mnesia tables in a cluster to ## become available. ## # mnesia_table_loading_retry_timeout = 30000

## Retries when waiting for Mnesia tables in the cluster startup. Note that ## this setting is not applied to Mnesia upgrades or node deletions. ## # mnesia_table_loading_retry_limit = 10

## Size in bytes below which to embed messages in the queue index. ## Related doc guide: https://rabbitmq.com/persistence-conf.html ## # queue_index_embed_msgs_below = 4096

## You can also set this size in memory units ## # queue_index_embed_msgs_below = 4kb

## Whether or not to enable background periodic forced GC runs for all ## Erlang processes on the node in "waiting" state. ## ## Disabling background GC may reduce latency for client operations, ## keeping it enabled may reduce median RAM usage by the binary heap ## (see https://www.erlang-solutions.com/blog/erlang-garbage-collector.html). ## ## Before trying this option, please take a look at the memory ## breakdown (https://www.rabbitmq.com/memory-use.html). ## # background_gc_enabled = false

## Target (desired) interval (in milliseconds) at which we run background GC. ## The actual interval will vary depending on how long it takes to execute ## the operation (can be higher than this interval). Values less than ## 30000 milliseconds are not recommended. ## # background_gc_target_interval = 60000

## Whether or not to enable proxy protocol support. ## Once enabled, clients cannot directly connect to the broker ## anymore. They must connect through a load balancer that sends the ## proxy protocol header to the broker at connection time. ## This setting applies only to AMQP clients, other protocols ## like MQTT or STOMP have their own setting to enable proxy protocol. ## See the plugins documentation for more information. ## # proxy_protocol = false

## Overridden product name and version. ## They are set to "RabbitMQ" and the release version by default. # product.name = RabbitMQ # product.version = 1.2.3

## "Message of the day" file. ## Its content is used to expand the logged and printed banners. ## Default to /etc/rabbitmq/motd on Unix, %APPDATA%\RabbitMQ\motd.txt ## on Windows. # motd_file = /etc/rabbitmq/motd

## Consumer timeout ## If a message delivered to a consumer has not been acknowledged before this timer ## triggers, the channel will be force closed by the broker. This ensures that ## faulty consumers that never ack will not hold on to messages indefinitely. ## # consumer_timeout = 900000

## ---------------------------------------------------------------------------- ## Advanced Erlang Networking/Clustering Options. ## ## Related doc guide: https://rabbitmq.com/clustering.html ## ----------------------------------------------------------------------------

# ====================================== # Kernel section # ======================================

## Timeout used to detect peer unavailability, including CLI tools. ## Related doc guide: https://www.rabbitmq.com/nettick.html. ## # net_ticktime = 60

## Inter-node communication port range. ## The parameters inet_dist_listen_min and inet_dist_listen_max ## can be configured in the classic config format only. ## Related doc guide: https://www.rabbitmq.com/networking.html#epmd-inet-dist-port-range.

## ---------------------------------------------------------------------------- ## RabbitMQ Management Plugin ## ## Related doc guide: https://rabbitmq.com/management.html. ## ----------------------------------------------------------------------------

# ======================================= # Management section # =======================================

## Preload schema definitions from the following JSON file. ## Related doc guide: https://rabbitmq.com/management.html#load-definitions. ## # management.load_definitions = /path/to/exported/definitions.json

## Log all requests to the management HTTP API to a file. ## # management.http_log_dir = /path/to/access.log

## HTTP listener and embedded Web server settings. # ## See https://rabbitmq.com/management.html for details. # # management.tcp.port = 15672 # management.tcp.ip   = 0.0.0.0 # # management.tcp.shutdown_timeout   = 7000 # management.tcp.max_keepalive      = 120 # management.tcp.idle_timeout       = 120 # management.tcp.inactivity_timeout = 120 # management.tcp.request_timeout    = 120 # management.tcp.compress           = true

## HTTPS listener settings. ## See https://rabbitmq.com/management.html and https://rabbitmq.com/ssl.html for details. ## # management.ssl.port       = 15671 # management.ssl.cacertfile = /path/to/ca_certificate.pem # management.ssl.certfile   = /path/to/server_certificate.pem # management.ssl.keyfile    = /path/to/server_key.pem

## More TLS options # management.ssl.honor_cipher_order   = true # management.ssl.honor_ecc_order      = true

## These are highly recommended for TLSv1.2 but cannot be used ## with TLSv1.3. If TLSv1.3 is enabled, these lines MUST be removed. # management.ssl.client_renegotiation = false # management.ssl.secure_renegotiate   = true

## Supported TLS versions # management.ssl.versions.1 = tlsv1.2

## Cipher suites the server is allowed to use # management.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384 # management.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384 # management.ssl.ciphers.3 = ECDHE-ECDSA-AES256-SHA384 # management.ssl.ciphers.4 = ECDHE-RSA-AES256-SHA384 # management.ssl.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384 # management.ssl.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384 # management.ssl.ciphers.7 = ECDH-ECDSA-AES256-SHA384 # management.ssl.ciphers.8 = ECDH-RSA-AES256-SHA384 # management.ssl.ciphers.9 = DHE-RSA-AES256-GCM-SHA384

## URL path prefix for HTTP API and management UI # management.path_prefix = /a-prefix

## One of 'basic', 'detailed' or 'none'. See ## https://rabbitmq.com/management.html#fine-stats for more details. # management.rates_mode = basic

## Configure how long aggregated data (such as message rates and queue ## lengths) is retained. Please read the plugin's documentation in ## https://rabbitmq.com/management.html#configuration for more ## details. ## You can use 'minute', 'hour' and 'day' keys or an integer key (in seconds) # management.sample_retention_policies.global.minute    = 5 # management.sample_retention_policies.global.hour  = 60 # management.sample_retention_policies.global.day = 1200

# management.sample_retention_policies.basic.minute   = 5 # management.sample_retention_policies.basic.hour = 60

# management.sample_retention_policies.detailed.10 = 5

## ---------------------------------------------------------------------------- ## RabbitMQ Shovel Plugin ## ## Related doc guide: https://rabbitmq.com/shovel.html ## ----------------------------------------------------------------------------

## See advanced.config.example for a Shovel plugin example

## ---------------------------------------------------------------------------- ## RabbitMQ STOMP Plugin ## ## Related doc guide: https://rabbitmq.com/stomp.html ## ----------------------------------------------------------------------------

# ======================================= # STOMP section # =======================================

## See https://rabbitmq.com/stomp.html for details.

## TCP listeners. ## # stomp.listeners.tcp.1 = 127.0.0.1:61613 # stomp.listeners.tcp.2 = ::1:61613

## TCP listener settings ## # stomp.tcp_listen_options.backlog   = 2048 # stomp.tcp_listen_options.recbuf    = 131072 # stomp.tcp_listen_options.sndbuf    = 131072 # # stomp.tcp_listen_options.keepalive = true # stomp.tcp_listen_options.nodelay   = true # # stomp.tcp_listen_options.exit_on_close = true # stomp.tcp_listen_options.send_timeout  = 120

## Proxy protocol support ## # stomp.proxy_protocol = false

## TLS listeners ## See https://rabbitmq.com/stomp.html and https://rabbitmq.com/ssl.html for details. # stomp.listeners.ssl.default = 61614 # # ssl_options.cacertfile = path/to/cacert.pem # ssl_options.certfile   = path/to/cert.pem # ssl_options.keyfile    = path/to/key.pem # ssl_options.verify     =  verify_peer # ssl_options.fail_if_no_peer_cert = true

## Number of Erlang processes that will accept connections for the TCP ## and TLS listeners. ## # stomp.num_acceptors.tcp = 10 # stomp.num_acceptors.ssl = 1

## Additional TLS options

## Extract a name from the client's certificate when using TLS. ## # stomp.ssl_cert_login = true

## Set a default user name and password. This is used as the default login ## whenever a CONNECT frame omits the login and passcode headers. ## ## Please note that setting this will allow clients to connect without ## authenticating! ## # stomp.default_user = guest # stomp.default_pass = guest

## If a default user is configured, or you have configured use TLS client ## certificate based authentication, you can choose to allow clients to ## omit the CONNECT frame entirely. If set to true, the client is ## automatically connected as the default user or user supplied in the ## TLS certificate whenever the first frame sent on a session is not a ## CONNECT frame. ## # stomp.implicit_connect = true

## Whether or not to enable proxy protocol support. ## Once enabled, clients cannot directly connect to the broker ## anymore. They must connect through a load balancer that sends the ## proxy protocol header to the broker at connection time. ## This setting applies only to STOMP clients, other protocols ## like MQTT or AMQP have their own setting to enable proxy protocol. ## See the plugins or broker documentation for more information. ## # stomp.proxy_protocol = false

## ---------------------------------------------------------------------------- ## RabbitMQ MQTT Adapter ## ## See https://github.com/rabbitmq/rabbitmq-mqtt/blob/stable/README.md ## for details ## ----------------------------------------------------------------------------

# ======================================= # MQTT section # =======================================

## TCP listener settings. ## # mqtt.listeners.tcp.1 = 127.0.0.1:61613 # mqtt.listeners.tcp.2 = ::1:61613

## TCP listener options (as per the broker configuration). ## # mqtt.tcp_listen_options.backlog = 4096 # mqtt.tcp_listen_options.recbuf  = 131072 # mqtt.tcp_listen_options.sndbuf  = 131072 # # mqtt.tcp_listen_options.keepalive = true # mqtt.tcp_listen_options.nodelay   = true # # mqtt.tcp_listen_options.exit_on_close = true # mqtt.tcp_listen_options.send_timeout  = 120

## TLS listener settings ## ## See https://rabbitmq.com/mqtt.html and https://rabbitmq.com/ssl.html for details. # # mqtt.listeners.ssl.default = 8883 # # ssl_options.cacertfile = /path/to/tls/ca_certificate_bundle.pem # ssl_options.certfile   = /path/to/tls/server_certificate.pem # ssl_options.keyfile    = /path/to/tls/server_key.pem # ssl_options.verify     = verify_peer # ssl_options.fail_if_no_peer_cert  = true #

## Number of Erlang processes that will accept connections for the TCP ## and TLS listeners. ## # mqtt.num_acceptors.tcp = 10 # mqtt.num_acceptors.ssl = 10

## Whether or not to enable proxy protocol support. ## Once enabled, clients cannot directly connect to the broker ## anymore. They must connect through a load balancer that sends the ## proxy protocol header to the broker at connection time. ## This setting applies only to MQTT clients, other protocols ## like STOMP or AMQP have their own setting to enable proxy protocol. ## See the plugins or broker documentation for more information. ## # mqtt.proxy_protocol = false

## Set the default user name and password used for anonymous connections (when client ## provides no credentials). Anonymous connections are highly discouraged! ## # mqtt.default_user = guest # mqtt.default_pass = guest

## Enable anonymous connections. If this is set to false, clients MUST provide ## credentials in order to connect. See also the mqtt.default_user/mqtt.default_pass ## keys. Anonymous connections are highly discouraged! ## # mqtt.allow_anonymous = true

## If you have multiple vhosts, specify the one to which the ## adapter connects. ## # mqtt.vhost = /

## Specify the exchange to which messages from MQTT clients are published. ## # mqtt.exchange = amq.topic

## Specify TTL (time to live) to control the lifetime of non-clean sessions. ## # mqtt.subscription_ttl = 1800000

## Set the prefetch count (governing the maximum number of unacknowledged ## messages that will be delivered). ## # mqtt.prefetch = 10

## ---------------------------------------------------------------------------- ## RabbitMQ AMQP 1.0 Support ## ## See https://github.com/rabbitmq/rabbitmq-amqp1.0/blob/stable/README.md. ## ----------------------------------------------------------------------------

# ======================================= # AMQP 1.0 section # =======================================

## Connections that are not authenticated with SASL will connect as this ## account. See the README for more information. ## ## Please note that setting this will allow clients to connect without ## authenticating! ## # amqp1_0.default_user = guest

## Enable protocol strict mode. See the README for more information. ## # amqp1_0.protocol_strict_mode = false

## Logging settings. ## ## See https://rabbitmq.com/logging.html and https://github.com/erlang-lager/lager for details. ##

## Log directory, taken from the RABBITMQ_LOG_BASE env variable by default. ## # log.dir = /var/log/rabbitmq

## Logging to file. Can be false or a filename. ## Default: # log.file = rabbit.log

## To disable logging to a file # log.file = false

## Log level for file logging ## # log.file.level = info

## File rotation config. No rotation by default. ## DO NOT SET rotation date to ''. Leave the value unset if "" is the desired value # log.file.rotation.date = $D0 # log.file.rotation.size = 0

## Logging to console (can be true or false) ## # log.console = false

## Log level for console logging ## # log.console.level = info

## Logging to the amq.rabbitmq.log exchange (can be true or false) ## # log.exchange = false

## Log level to use when logging to the amq.rabbitmq.log exchange ## # log.exchange.level = info

## ---------------------------------------------------------------------------- ## RabbitMQ LDAP Plugin ## ## Related doc guide: https://rabbitmq.com/ldap.html. ## ## ----------------------------------------------------------------------------

# ======================================= # LDAP section # =======================================

## ## Connecting to the LDAP server(s) ## ================================ ##

## Specify servers to bind to. You *must* set this in order for the plugin ## to work properly. ## # auth_ldap.servers.1 = your-server-name-goes-here

## You can define multiple servers # auth_ldap.servers.2 = your-other-server

## Connect to the LDAP server using TLS. ## While this is false the bind DN and password (i.e. the credentials of every ## user logging in) cross the network in cleartext, so leave it off only when the ## LDAP server is reached over a trusted network; when enabling it, also point ## auth_ldap.port at the LDAPS port (typically 636). ## # auth_ldap.use_ssl = false

## Specify the LDAP port to connect to ## # auth_ldap.port = 389

## LDAP connection timeout, in milliseconds or 'infinity' ## # auth_ldap.timeout = infinity

## Or number # auth_ldap.timeout = 500

## Enable logging of LDAP queries. ## One of ##   - false (no logging is performed) ##   - true (verbose logging of the logic used by the plugin) ##   - network (as true, but additionally logs LDAP network traffic) ## ## Defaults to false. ## # auth_ldap.log = false

## Also can be true or network # auth_ldap.log = true # auth_ldap.log = network

## ## Authentication ## ============== ##

## Pattern to convert the username given through AMQP to a DN before ## binding ## # auth_ldap.user_dn_pattern = cn=${username},ou=People,dc=example,dc=com

## Alternatively, you can convert a username to a Distinguished ## Name via an LDAP lookup after binding. See the documentation for ## full details.

## When converting a username to a dn via a lookup, set these to ## the name of the attribute that represents the user name, and the ## base DN for the lookup query. ## # auth_ldap.dn_lookup_attribute = userPrincipalName # auth_ldap.dn_lookup_base      = DC=gopivotal,DC=com

## Controls how to bind for authorisation queries and also to ## retrieve the details of users logging in without presenting a ## password (e.g., SASL EXTERNAL). ## One of ##  - as_user (to bind as the authenticated user - requires a password) ##  - anon    (to bind anonymously) ##  - {UserDN, Password} (to bind with a specified user name and password) ## ## Defaults to 'as_user'. ## # auth_ldap.other_bind = as_user

## Or can be more complex: # auth_ldap.other_bind.user_dn  = User # auth_ldap.other_bind.password = Password

## If user_dn and password are defined, the other bind options are ignored.

# ----------------------------- # Too complex section of LDAP # -----------------------------

## ## Authorisation ## ============= ##

## The LDAP plugin can perform a variety of queries against your ## LDAP server to determine questions of authorisation. ## ## Related doc guide: https://rabbitmq.com/ldap.html#authorisation.

## The following configuration must be defined in the advanced.config file, not here. ## DO NOT UNCOMMENT THESE LINES!

## Set the query to use when determining vhost access ## ## {vhost_access_query, {in_group, ##                       "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}},

## Set the query to use when determining resource (e.g., queue) access ## ## {resource_access_query, {constant, true}},

## Set queries to determine which tags a user has ## ## {tag_queries, []} #   ]}, # -----------------------------

编辑/etc/rabbitmq/rabbitmq.conf文件,替换为以下内容:

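# Disable the plaintext AMQP listener: every AMQP connection must use TLS.
listeners.tcp = none
# TLS listener for AMQP.
listeners.ssl.default = 5671
# Management console port.
# NOTE(review): this leaves the management UI/HTTP API on plain HTTP, so console
# logins cross the network unencrypted even though AMQP is TLS-only. If the console
# is reachable from anything but the broker host, move it to TLS as well
# (management.ssl.port / management.ssl.cacertfile / certfile / keyfile) or bind it
# to localhost only — confirm the key names against the installed RabbitMQ version.
management.tcp.port = 15672

# Server CA certificate, server certificate and server private key.
ssl_options.cacertfile = /etc/rabbitmq/ssl/cacert.pem
ssl_options.certfile   = /etc/rabbitmq/ssl/rabbit-server.cert.pem
ssl_options.keyfile    = /etc/rabbitmq/ssl/rabbit-server.key.pem
# verify_peer: the client certificate must chain to cacertfile.
# verify_none would accept any certificate and defeat mutual TLS.
ssl_options.verify     = verify_peer
# Abort the handshake when the client presents no certificate at all. With false a
# client without a certificate still completes the handshake and is only checked by
# username/password.
ssl_options.fail_if_no_peer_cert = true
# Only TLS 1.2. TLS 1.1, which the original list also enabled, is deprecated
# (RFC 8996) and adds nothing a current client needs. TLS 1.3 can be enabled as
# ssl_options.versions.2 = tlsv1.3 on an Erlang/OTP that supports it, but its suites
# are named differently and must be listed too — check with
# `rabbitmq-diagnostics tls_versions` / `rabbitmq-diagnostics cipher_suites`.
ssl_options.versions.1 = tlsv1.2
# Apply the server's suite order so a client cannot steer negotiation to the weakest
# suite both sides support, and require RFC 5746 secure renegotiation.
ssl_options.honor_cipher_order = true
ssl_options.secure_renegotiate = true
# Cipher suites: forward-secret (ECDHE) AEAD suites only. The original list also
# carried 3DES (ECDHE-ECDSA-DES-CBC3-SHA, SWEET32), static-RSA and static-ECDH key
# exchange (no forward secrecy), SHA-1/CBC suites, obsolete DHE-DSS suites and a
# duplicated DHE-DSS-AES128-SHA256 entry. Both ECDSA and RSA variants are kept so
# the list works with either key type; the suites the server certificate's key
# cannot use are simply never selected.
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.4 = ECDHE-RSA-AES128-GCM-SHA256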

================================================================

设置 PEM 文件权限:私钥 rabbit-server.key.pem 只应由运行 RabbitMQ 的用户读取。不要使用 775,那样会让本机所有用户都能读取私钥。

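# Restrict the TLS material copied to /etc/rabbitmq/ssl. The broker must be able to
# read it; nobody else should. The original `chmod 775 *.pem` made the private key
# readable by every local user (and group-writable).
# `rabbitmq` is the service account created by the Debian/RPM packages — adjust if
# the broker runs under a different user on this host.
chown rabbitmq:rabbitmq /etc/rabbitmq/ssl/*.pem
# Certificates are public; the private key is not.
chmod 0644 /etc/rabbitmq/ssl/cacert.pem /etc/rabbitmq/ssl/rabbit-server.cert.pem
chmod 0600 /etc/rabbitmq/ssl/rabbit-server.key.pem

# Stop the broker so it picks up the new listeners/ssl_options on start.
rabbitmqctl stop

# NOTE(review): `rabbitmq-server` does not take a `restart` verb as far as I can
# tell; on systemd hosts this is normally `systemctl restart rabbitmq-server`,
# otherwise start the broker again with `rabbitmq-server -detached`. Confirm for
# this install — the line is kept as written on the page.
rabbitmq-server restart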

