RabbitMq启用TLS

Windows环境

查看配置文件的位置

• 选择使用的节点
  
• 查看当前节点配置文件的配置
  

配置TLS

1. 将证书放到同配置相同目录中
   
2. 编辑配置文件添加TLS相关配置
   

[{ssl, [{versions, ['tlsv1.2']}]},{rabbit, [{ssl_listeners, [5671]},{ssl_options, [{cacertfile,"C:/Users/17126/AppData/Roaming/RabbitMQ/ssl/klca/cacert.pem"},{certfile,"C:/Users/17126/AppData/Roaming/RabbitMQ/ssl/server/cert.pem"},{keyfile,"C:/Users/17126/AppData/Roaming/RabbitMQ/ssl/server/key.pem"},{depth, 2},{verify,verify_peer},{honor_cipher_order,true},{honor_ecc_order,      true},{fail_if_no_peer_cert,false},{versions, ['tlsv1.2']},{ciphers, [ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]}      ]}]}
].

重启服务

---

Linux环境 (使用docker)

拉取RabbitMq镜像

docker pull rabbitmq:3.11.2-management

在宿主机创建Rabbitmq容器配置挂载目录

在/etc目录下创建rabbitmq目录
cd /etc
mkdir rabbitmq

启动Rabbitmq镜像

docker run --name rabbitmq -d -p 15672:15672 -p 5672:5672 -p 5671:5671 -v /etc/rabbitmq:/etc/rabbitmq 031f07386589

查看启动状态

docker ps 

开启Rabbitmq页面管理插件

• 进入容器

docker exec -it 7c4548748ca9 /bin/bash

• 开启web页面管理插件

rabbitmq-plugins enable rabbitmq_management

• 增加新用户(RabbitMQ默认只有一个guest帐号，guest帐号只能在RabbitMQ安装服务器上登录，在其它服务器用guest登录提示User can only log in via localhost。)

#第一步：添加 admin 用户并设置密码
rabbitmqctl add_user admin 123456
#第二步：添加 admin 用户为administrator角色
rabbitmqctl set_user_tags admin administrator
#第三步：设置 admin 用户的权限，指定允许访问的vhost以及write/read
rabbitmqctl set_permissions -p "/" admin ".*" ".*" ".*"
#第四步：查看vhost（/）允许哪些用户访问
rabbitmqctl list_permissions -p /
#第五步：查看用户列表
rabbitmqctl list_users

• 退出容器

exit

配置TLS

• 在宿主机与容器挂载目录中创建一个rabbitmq.conf 文件

touch rabbitmq.conf

• 将证书文件放到同目录中(这里都放在了ssl文件夹中)
  
• 配置rabbitmq.conf文件
  

listeners.ssl.default = 5671ssl_options.cacertfile=/etc/rabbitmq/ssl/klca/cacert.pem
ssl_options.certfile=/etc/rabbitmq/ssl/server/cert.pem
ssl_options.keyfile=/etc/rabbitmq/ssl/server/key.pemssl_options.verify=verify_peer
ssl_options.fail_if_no_peer_cert=false
ssl_options.depth=2
ssl_options.versions.1=tlsv1.2
ssl_options.honor_cipher_order=true
ssl_options.honor_ecc_order=truessl_options.ciphers.1 = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ssl_options.ciphers.2 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ssl_options.ciphers.3 = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ssl_options.ciphers.4 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl_options.ciphers.5 = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ssl_options.ciphers.6 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ssl_options.ciphers.7 =  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ssl_options.ciphers.8 =  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ssl_options.ciphers.9 = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ssl_options.ciphers.10 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ssl_options.ciphers.11= TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
ssl_options.ciphers.12 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  

重启容器

docker restart 7c4548748ca9

访问web页面

看到5671端口已启用，说明可以使用ssl方式访问rabbitmq。

---

密码套件参考

密码套件
官方