Configuring RabbitMQ STOMP over HTTPS

1 Creating the SSL certificates

1.1 Create the directory layout

rmqca serves as the certificate authority for RabbitMQ. The certs directory holds the certificates the CA issues, private holds the CA's private key (its permissions are restricted so that no third party can read it), serial holds the serial number of the CA's certificates, and index.txt records the certificates the CA has issued.


# mkdir rmqca
# cd rmqca
# mkdir certs private
# chmod 700 private
# echo 01 > serial
# touch index.txt

1.2 Create the configuration file used by the OpenSSL commands: openssl.cnf

[ ca ]
default_ca = rmqca
[rmqca]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = rmqca_policy
x509_extensions = certificate_extensions
[ rmqca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha1
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

1.3 Generate the CA certificate

# openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
    -out cacert.pem -outform PEM -subj /CN=MyRmqca/ -nodes
# openssl x509 -in cacert.pem -out cacert.cer -outform DER

1.4 Generate the server certificate

Generate an RSA key, then have the CA issue a certificate for it.

# cd ..
# ls
rmqca
# mkdir server
# cd server
# openssl genrsa -out key.pem 2048
# openssl req -new -key key.pem -out req.pem -outform PEM \
   -subj /CN=$(hostname)/O=server/ -nodes
# cd ../rmqca
# openssl ca -config openssl.cnf -in ../server/req.pem -out \
   ../server/cert.pem -notext -batch -extensions server_ca_extensions
# cd ../server
# openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:123456

1.5 Generate the client certificate

# cd ..
# ls
rmqca server
# mkdir client
# cd client
# openssl genrsa -out key.pem 2048
# openssl req -new -key key.pem -out req.pem -outform PEM \
   -subj /CN=$(hostname)/O=client/ -nodes
# cd ../rmqca
# openssl ca -config openssl.cnf -in ../client/req.pem -out \
   ../client/cert.pem -notext -batch -extensions client_ca_extensions
# cd ../client
# openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:123456

2 Enabling SSL on RabbitMQ

Add the following to the RabbitMQ configuration file (rabbit.config):

{rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/path/to/rmqca/cacert.pem"},
                   {certfile,   "/path/to/server/cert.pem"},
                   {keyfile,    "/path/to/server/key.pem"},
                   {verify,     verify_peer},
                   {fail_if_no_peer_cert, false}]}
]}

Whether the client has to present a certificate, and whether that certificate has to be trusted, is controlled by the two options verify and fail_if_no_peer_cert. Setting {fail_if_no_peer_cert,false} means we are prepared to accept a client without requiring it to send us a certificate. Setting {verify,verify_peer} means that if the client does send us a certificate, we must be able to establish trust in it.

With {verify, verify_none}, there is no certificate exchange between the client and the server.

cacertfile: path to the root CA certificate

certfile: path to the server certificate

keyfile: path to the server key

3 Enabling SSL for rabbitmq_web_stomp

Add the following to the same RabbitMQ configuration file (rabbit.config):

{rabbitmq_web_stomp,
    [{ssl_config, [{port,       15671},
                   {backlog,    1024},
                   {certfile,   "path/to/certs/client/cert.pem"},
                   {keyfile,    "path/to/certs/client/key.pem"},
                   {cacertfile, "path/to/certs/rmqca/cacert.pem"},
                   {password,   "changeme"}]}]}

The configuration parameters are as follows:

port: the listening port

backlog: maximum length of the pending-connection queue, default 1024

certfile: path to the client certificate

keyfile: path to the client key

cacertfile: path to the root CA certificate

password: password protecting the client certificate

Once these settings are in place, the endpoint can be reached at https://ip:port/stomp.
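The script below is an added example written for this page; it is not code from the original post or from the RabbitMQ project. It rebuilds the CA, server and client files of section 1 with the post's names and layout, then applies the pre-flight checks an operator wants before pointing the ssl_options triple of section 2 or the ssl_config triple of section 3 at those files: the key matches the certificate, the certificate chains to cacertfile, and a certificate used by a TLS listener carries the serverAuth EKU (1.3.6.1.5.5.7.3.1 in the post's openssl.cnf). It assumes the openssl command-line tool (1.1.1 or newer) is on PATH; the function names make_pki, key_matches_cert, chains_to_ca, has_eku and listener_preflight and the RMQ_PKI_DIR variable are this example's own; and it deliberately signs with sha256 where the post's openssl.cnf uses sha1, which modern TLS clients reject for certificate signatures.

```shell
#!/bin/sh
# Added example, not part of the original post or of RabbitMQ itself.
# Rebuilds the CA, server and client material of section 1 in one run, then
# pre-flights a (cacertfile, certfile, keyfile) triple the way an operator
# should before handing it to ssl_options (section 2) or ssl_config (section 3).
# Assumes the openssl CLI (1.1.1+) is on PATH. Deviation from the post: sha256, not sha1.
set -eu

# make_pki BASEDIR HOSTNAME
# Creates BASEDIR/rmqca (the CA), BASEDIR/server and BASEDIR/client with the
# post's file names: cacert.pem, private/cakey.pem, key.pem, req.pem, cert.pem.
make_pki() {
    base="$1"; host="$2"
    mkdir -p "$base/rmqca/certs" "$base/rmqca/private"
    chmod 700 "$base/rmqca/private"            # CA key readable by the CA user only
    echo 01 > "$base/rmqca/serial"
    : > "$base/rmqca/index.txt"
    # Trimmed copy of the post's openssl.cnf. organizationName stays optional so
    # that O=server / O=client survive issuance and keep the two subjects distinct.
    cat > "$base/rmqca/openssl.cnf" <<'EOF'
[ ca ]
default_ca = rmqca
[ rmqca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_days = 365
default_md = sha256
policy = rmqca_policy
[ rmqca_policy ]
commonName = supplied
organizationName = optional
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = MyRmqca
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    # 1.3: self-signed CA; -newkey writes the key to default_keyfile (private/cakey.pem)
    (cd "$base/rmqca" && openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
        -out cacert.pem -outform PEM -subj "/CN=MyRmqca" -nodes 2>/dev/null)
    # 1.4 and 1.5: one key and CSR per role, signed with that role's extension section
    for role in server client; do
        mkdir -p "$base/$role"
        openssl genrsa -out "$base/$role/key.pem" 2048 2>/dev/null
        openssl req -new -key "$base/$role/key.pem" -out "$base/$role/req.pem" \
            -outform PEM -subj "/CN=$host/O=$role"
        (cd "$base/rmqca" && openssl ca -config openssl.cnf -in "../$role/req.pem" \
            -out "../$role/cert.pem" -notext -batch -extensions "${role}_ca_extensions" 2>/dev/null)
    done
}

# key_matches_cert KEYFILE CERTFILE: the public half of the key equals the cert's public key
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chains_to_ca CACERTFILE CERTFILE: the cert verifies against the CA in cacertfile
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_eku CERTFILE NAME: the extendedKeyUsage extension lists NAME (e.g. "TLS Web Server Authentication")
has_eku() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; print }' | grep -q "$2"
}

# listener_preflight CACERTFILE CERTFILE KEYFILE: every check a TLS listener's triple needs
listener_preflight() {
    ca="$1"; cert="$2"; key="$3"; rc=0
    key_matches_cert "$key" "$cert" || { echo "keyfile does not match certfile" >&2; rc=1; }
    chains_to_ca "$ca" "$cert"      || { echo "certfile does not chain to cacertfile" >&2; rc=1; }
    has_eku "$cert" "TLS Web Server Authentication" \
        || { echo "certfile lacks the serverAuth EKU a listener needs" >&2; rc=1; }
    return $rc
}

# Stand-alone run: RMQ_PKI_DIR=/tmp/rmqpki sh this_script.sh
if [ -n "${RMQ_PKI_DIR:-}" ]; then
    make_pki "$RMQ_PKI_DIR" "$(hostname)"
    listener_preflight "$RMQ_PKI_DIR/rmqca/cacert.pem" "$RMQ_PKI_DIR/server/cert.pem" \
        "$RMQ_PKI_DIR/server/key.pem" && echo "server material is ready for ssl_options"
fi
```

Point listener_preflight at client/cert.pem and client/key.pem instead and it fails on the EKU check: section 3 hands the HTTPS listener the client certificate, whose only EKU is clientAuth (1.3.6.1.5.5.7.3.2), so a browser or STOMP-over-WebSocket client that enforces EKU has no serverAuth-capable certificate to validate at https://ip:15671/stomp; issuing the web-stomp listener its own certificate from server_ca_extensions avoids that. Once RabbitMQ is running, openssl s_client -connect host:5671 -CAfile rmqca/cacert.pem shows the handshake an anonymous client gets under {fail_if_no_peer_cert,false}, and adding -cert client/cert.pem -key client/key.pem exercises the verify_peer path.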
