为 RabbitMQ 服务器启用 SSL/TLS

创建证书

克隆仓库

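# Generate a private CA plus one server and one client certificate with
# RabbitMQ's tls-gen tool. `make` runs the checked-out Python under your
# account and the clone is not pinned: read the checkout (or pin a tag/commit
# you have reviewed) before running it.
git clone https://github.com/rabbitmq/tls-gen tls-gen

cd tls-gen/basic/

# install make first if it is missing (python3 and openssl are needed too)
#
# CN defaults to this machine's hostname and becomes the server certificate's
# common name. Clients verify the broker against the name they connect with,
# so set CN to that name (e.g. make CN=broker.example.com) if it differs.
#
# PASSWORD protects the generated .p12 bundles. It has a well-known default
# in tls-gen (check its Makefile), so pass your own; note that a value given
# on the command line ends up in shell history.
make CN="$(hostname)"
# e.g. make CN=broker.example.com PASSWORD='<strong passphrase>'

# confirm every generated certificate chains to the generated CA
make verify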

输出如下:

root@jonty:~/rabbitmq/tls-gen/basic# make verify
python3 profile.py verify --common-name 'jonty'
Will verify generated certificates against the CA...
Will verify client_jonty certificate against root CA
/root/rabbitmq/tls-gen/basic/result/client_jonty_certificate.pem: OK
Will verify server_jonty certificate against root CA
/root/rabbitmq/tls-gen/basic/result/server_jonty_certificate.pem: OK

查看生成的证书文件:

root@jonty:~/rabbitmq/tls-gen/basic# ls -l ./result
total 32
-rw-r--r-- 1 root root 1281 Sep 9 08:53 ca_certificate.pem
-rw------- 1 root root 1704 Sep 9 08:53 ca_key.pem
-rw------- 1 root root 1346 Sep 9 08:53 client_jonty_certificate.pem
-rw------- 1 root root 1704 Sep 9 08:53 client_jonty_key.pem
-rw------- 1 root root 3651 Sep 9 08:53 client_jonty.p12
-rw------- 1 root root 1346 Sep 9 08:53 server_jonty_certificate.pem
-rw------- 1 root root 1704 Sep 9 08:53 server_jonty_key.pem
-rw------- 1 root root 3651 Sep 9 08:53 server_jonty.p12

docker compose

创建rabbitmq目录

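# Working directory for the broker: rabbitmq.conf, docker-compose.yml, ./certs
# and ./data all live here. -p makes the step safe to re-run.
mkdir -p rabbitmq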

复制证书

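# Stage only the files the broker needs under ./certs; docker-compose.yml
# bind-mounts this directory into the container as /etc/rabbitmq/certs.
# The CA private key (ca_key.pem) and the client key/cert are NOT copied:
# the broker never needs the CA key, and whoever can read it can mint
# certificates that pass verify_peer. Keep it offline and hand the client
# bundle to clients separately.
CN=jonty   # common name the certificates were generated with (see `make verify`)
mkdir -p certs
cp tls-gen/basic/result/ca_certificate.pem certs/
cp "tls-gen/basic/result/server_${CN}_certificate.pem" certs/
cp "tls-gen/basic/result/server_${CN}_key.pem" certs/

# `chmod -R 777` would make the server private key readable (and replaceable)
# by every local user. The container runs the broker as the unprivileged
# `rabbitmq` user, so the key only needs to be readable by that uid.
# NOTE(review): 999 is the uid in current official images — confirm with
#   docker run --rm rabbitmq:3.11.10-management id -u rabbitmq
RABBITMQ_UID=${RABBITMQ_UID:-999}
chown -R "${RABBITMQ_UID}" certs
chmod 750 certs
chmod 640 certs/*.pem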

创建rabbitmq.conf

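## SSL configuration for AMQP (5671 port)
listeners.ssl.default = 0.0.0.0:5671
ssl_options.certfile = /etc/rabbitmq/certs/server_jonty_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/certs/server_jonty_key.pem
ssl_options.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem
## Mutual TLS: every AMQP client (and every MQTT-over-TLS client, since the
## MQTT listener reuses ssl_options) must present a certificate signed by
## ca_certificate.pem. This authenticates the transport only; clients still
## log in with a username/password unless ssl_cert_login / auth_mechanisms
## are configured as well.
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
## prefer the server's cipher order over the client's
ssl_options.honor_cipher_order = true

## SSL configuration for MQTT (8883 port)
mqtt.listeners.ssl.default = 8883
## Plaintext MQTT stays on 1883, and the plaintext AMQP listener on 5672 is
## still enabled by default. Remove the line below and add
## `listeners.tcp = none` once all clients use TLS; until then credentials
## can still travel in clear.
mqtt.listeners.tcp.default = 1883

## TLS 1.2 and 1.3 only (applies to the listeners that use ssl_options)
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.3

## SSL configuration for management UI (HTTPS)
management.ssl.port = 15672
management.ssl.certfile = /etc/rabbitmq/certs/server_jonty_certificate.pem
management.ssl.keyfile = /etc/rabbitmq/certs/server_jonty_key.pem
management.ssl.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem
## the management listener has its own TLS settings, so restrict versions here too
management.ssl.versions.1 = tlsv1.2
management.ssl.versions.2 = tlsv1.3

## use DETS (disk-based) store for retained messages
mqtt.retained_message_store = rabbit_mqtt_retained_msg_store_dets
## only used by DETS store (in milliseconds)
mqtt.retained_message_store_dets_sync_interval = 2000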

创建docker-compose.yml

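version: '3.8'

services:
  rabbitmq:
    image: jonty/rabbitmq:3.11.10-management-mqtt
    container_name: rabbitmq
    restart: always
    ports:
      # TLS listeners configured in rabbitmq.conf
      - "5671:5671"   # AMQP over TLS
      - "15672:15672" # management UI (HTTPS)
      - "8883:8883"   # MQTT over TLS
      # Plaintext listeners. Publishing them on all interfaces lets clients
      # (and their passwords) bypass TLS entirely; drop these mappings, or bind
      # them to loopback ("127.0.0.1:5672:5672"), once every client uses TLS.
      - "5672:5672"   # AMQP
      - "1883:1883"   # MQTT
    environment:
      # Do not hard-code credentials here: they are read from the environment
      # or a .env file next to this compose file, and compose refuses to start
      # if they are unset. Pick a non-default user name and a strong password.
      - RABBITMQ_DEFAULT_USER=${RABBITMQ_USER:?set RABBITMQ_USER in .env}
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASS:?set RABBITMQ_PASS in .env}
      - RABBITMQ_DEFAULT_VHOST=/
      # NOTE(review): the MQTT plugin reads its default credentials from
      # rabbitmq.conf (mqtt.default_user / mqtt.default_pass), and the image
      # built below adds no handling for these variables, so they appear to
      # have no effect — verify before relying on them.
      - MQTT_DEFAULT_USER=${RABBITMQ_USER:?set RABBITMQ_USER in .env}
      - MQTT_DEFAULT_PASS=${RABBITMQ_PASS:?set RABBITMQ_PASS in .env}
      - MQTT_VHOST=/
    volumes:
      - ./data:/var/lib/rabbitmq
      # certificates and config are inputs only: mount them read-only so a
      # compromised broker process cannot replace its own certificate or config
      - ./certs:/etc/rabbitmq/certs:ro
      - ./rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf:ro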

这里使用的是在官方镜像基础上启用了 MQTT 插件的自定义镜像,Dockerfile 如下:

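# Custom image: the official management image plus the MQTT plugins.
# Supply-chain note: a tag is mutable — pin the base image by digest
# (rabbitmq:3.11.10-management@sha256:<digest shown by `docker pull`>) so
# rebuilds are reproducible and verifiable.
FROM --platform=$TARGETPLATFORM rabbitmq:3.11.10-management
# --offline: record the plugins in the image's enabled_plugins file without a
# running node.
# rabbitmq_web_mqtt_examples (a demo web application with its own listener)
# is deliberately left out: nothing in this setup uses it and it only adds
# attack surface.
# rabbitmq_auth_mechanism_ssl only takes effect once auth_mechanisms /
# ssl_cert_login_from are set in rabbitmq.conf; until then clients still
# authenticate with username and password over the TLS connection.
RUN rabbitmq-plugins enable --offline \
    rabbitmq_mqtt \
    rabbitmq_web_mqtt \
    rabbitmq_auth_mechanism_ssl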

启动

docker compose up -d

访问 https://your-ip:15672,浏览器会提示连接不安全:证书由我们自建的 CA 签发,而不是浏览器内置信任的公共 CA。要让浏览器信任它,可以把 ca_certificate.pem(只导入这个公钥证书,切勿分发 ca_key.pem)导入系统或浏览器的受信任根证书。注意证书的 Common Name 是生成时使用的主机名(本例为 jonty),用 IP 访问时即使导入了 CA 也会因主机名不匹配继续告警,需要用该主机名访问,或在生成证书时通过 CN= 指定实际访问的主机名。

image-20241204114225074

参考:TLS Support | RabbitMQ