CentOS: installing RabbitMQ (single node) in Docker and configuring SSL

RabbitMQ needs to be exposed to external clients. For security, external access is configured over SSL on port 5671, while internal access continues to use port 5672; both listeners are enabled at the same time.

1. Generating the certificates

Clone the project from GitHub (install git first if needed: yum -y install git)
$ cd /home/rabbitmq/
$ git clone https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git
$ cd /home/rabbitmq/CMF-AMQP-Configuration/ssl/

Change the certificate validity period (optional, default is 1 year)
$ vi openssl.cnf

default_days = 365

Create the certificate authority (creates the ca directory)
$ sh setup_ca.sh xxx

Generate the server key pair and certificate (creates the server directory)
$ sh make_server_cert.sh rabbit-server 123456

Generate the client key pair and certificate (creates the client directory)
$ sh create_client_cert.sh rabbit-client 123456

Import the server certificate into a JDK keystore (creates the rabbitStore trust store)
$ keytool -import -alias rabbit-server -file server/rabbit-server.cert.pem -keystore rabbitStore -storepass 123456

2. Installing RabbitMQ and configuring SSL

Pull the image

$ docker pull rabbitmq:management

Generate the configuration files (start a temporary container and copy its default config, data and log directories to the host)

$ mkdir -p /home/rabbitmq/lib /home/rabbitmq/etc /home/rabbitmq/log
$ docker run --restart=unless-stopped -d -p 5672:5672 -p 15672:15672 --name rabbitmq rabbitmq:management
$ docker cp -a rabbitmq:/var/lib/rabbitmq /home/rabbitmq/lib/
$ docker cp -a rabbitmq:/etc/rabbitmq /home/rabbitmq/etc/
$ docker cp -a rabbitmq:/var/log/rabbitmq /home/rabbitmq/log/

Copy the generated certificates into the corresponding /home/rabbitmq/etc/rabbitmq/ssl/ directory

$ cd /home/rabbitmq/CMF-AMQP-Configuration/ssl/
$ mkdir -p /home/rabbitmq/etc/rabbitmq/ssl
$ cp -r ca server client rabbitStore /home/rabbitmq/etc/rabbitmq/ssl

Configure SSL (append the following to the config file)

$ vim /home/rabbitmq/etc/rabbitmq/rabbitmq.conf

# Port for SSL/TLS connections
listeners.ssl.default=5671
# CA certificate, server certificate and server private key files
ssl_options.cacertfile=/etc/rabbitmq/ssl/ca/cacert.pem
ssl_options.certfile=/etc/rabbitmq/ssl/server/rabbit-server.cert.pem
ssl_options.keyfile=/etc/rabbitmq/ssl/server/rabbit-server.key.pem

# Two possible values: verify_none ignores the result of certificate verification entirely; verify_peer requires the peer's certificate to be verified
ssl_options.verify=verify_peer
# If true, the server requests a certificate from the client and aborts the SSL handshake when the client has none; if false, the handshake still completes when the client presents no certificate
ssl_options.fail_if_no_peer_cert=true
ssl_options.versions.1=tlsv1.2
ssl_options.versions.2=tlsv1.1

ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.6 = ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.7 = ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.8 = ECDH-ECDSA-AES256-SHA384
ssl_options.ciphers.9 = ECDH-RSA-AES256-SHA384
ssl_options.ciphers.10 = DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.11 = DHE-DSS-AES256-SHA256
ssl_options.ciphers.12 = AES256-GCM-SHA384
ssl_options.ciphers.13 = AES256-SHA256
ssl_options.ciphers.14 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.15 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.16 = ECDHE-ECDSA-AES128-SHA256
ssl_options.ciphers.17 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.18 = ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.19 = ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.20 = ECDH-ECDSA-AES128-SHA256
ssl_options.ciphers.21 = ECDH-RSA-AES128-SHA256
ssl_options.ciphers.22 = DHE-DSS-AES128-GCM-SHA256
ssl_options.ciphers.23 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.24 = AES128-GCM-SHA256
ssl_options.ciphers.25 = AES128-SHA256
ssl_options.ciphers.26 = ECDHE-ECDSA-AES256-SHA
ssl_options.ciphers.27 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.28 = DHE-DSS-AES256-SHA
ssl_options.ciphers.29 = ECDH-ECDSA-AES256-SHA
ssl_options.ciphers.30 = ECDH-RSA-AES256-SHA
ssl_options.ciphers.31 = AES256-SHA
ssl_options.ciphers.32 = ECDHE-ECDSA-AES128-SHA
ssl_options.ciphers.33 = ECDHE-RSA-AES128-SHA
ssl_options.ciphers.34 = DHE-DSS-AES128-SHA
ssl_options.ciphers.35 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.36 = ECDH-ECDSA-AES128-SHA
ssl_options.ciphers.37 = ECDH-RSA-AES128-SHA
ssl_options.ciphers.38 = AES128-SHA
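As an added check (not part of the original post or of RabbitMQ itself), the Python script below parses the new-style rabbitmq.conf format shown above and flags the TLS settings a security reviewer would question: verify_peer or fail_if_no_peer_cert not set, deprecated protocol versions such as the tlsv1.1 entry, 3DES/RC4-style suites such as ECDHE-ECDSA-DES-CBC3-SHA, and suites without forward secrecy such as AES256-GCM-SHA384. SAMPLE_CONF is a constructed excerpt of the settings on this page, and the function names are my own.

```python
import re

# Constructed sample: an excerpt of the rabbitmq.conf shown on this page
# (same key names, only a few of the cipher entries kept).
SAMPLE_CONF = """\
listeners.ssl.default=5671
ssl_options.cacertfile=/etc/rabbitmq/ssl/ca/cacert.pem
ssl_options.verify=verify_peer
ssl_options.fail_if_no_peer_cert=true
ssl_options.versions.1=tlsv1.2
ssl_options.versions.2=tlsv1.1
ssl_options.ciphers.1 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.5 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.12 = AES256-GCM-SHA384
"""

WEAK_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1"}
# Algorithm tokens that mark a suite as weak (3DES shows up as "DES-CBC3").
WEAK_CIPHER_RE = re.compile(r"(DES|RC4|NULL|MD5|EXPORT)", re.IGNORECASE)

def parse_conf(text):
    """Parse 'key = value' lines of a rabbitmq.conf into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_tls(text):
    """Return a sorted list of findings about the ssl_options in the config."""
    conf = parse_conf(text)
    findings = []
    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append("verify: client certificates are not verified")
    if conf.get("ssl_options.fail_if_no_peer_cert") != "true":
        findings.append("fail_if_no_peer_cert: clients without a certificate are accepted")
    for key, value in conf.items():
        if key.startswith("ssl_options.versions.") and value.lower() in WEAK_VERSIONS:
            findings.append(f"{key}: deprecated protocol {value} enabled")
        if key.startswith("ssl_options.ciphers."):
            if WEAK_CIPHER_RE.search(value):
                findings.append(f"{key}: weak cipher {value}")
            elif not value.startswith(("ECDHE-", "DHE-")):
                findings.append(f"{key}: no forward secrecy in {value}")
    return sorted(findings)
```

Run audit_tls() over the full config file before recreating the container; an empty list means the mutual-TLS settings, protocol versions and cipher list pass these checks.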

Remove the container and recreate it with the directory mappings

$ docker rm -f -v rabbitmq
$ docker run --restart=unless-stopped -d -p 5672:5672 -p 15672:15672 --name rabbitmq \
-v /home/rabbitmq/etc/rabbitmq:/etc/rabbitmq \
-v /home/rabbitmq/lib/rabbitmq:/var/lib/rabbitmq:z \
-v /home/rabbitmq/log/rabbitmq/:/var/log/rabbitmq \
-e RABBITMQ_DEFAULT_USER=admin -e RABBITMQ_DEFAULT_PASS=123456 rabbitmq:management

Check the logs to verify that the configuration succeeded

$ docker logs -f rabbitmq


Open the management page to verify that the configuration succeeded


Spring Boot SSL integration

spring:
  rabbitmq:
    addresses: 192.168.1.100:5671
    username: admin
    password: 123456
    virtual-host: /
    ssl:
      enabled: true
      key-store: classpath:rabbitmq/ssl/client/rabbit-client.keycert.p12
      key-store-password: 123456
      trust-store: classpath:rabbitmq/ssl/rabbitStore
      trust-store-password: 123456
      algorithm: TLSv1.2
      trust-store-type: JKS
      key-store-type: PKCS12
      validate-server-certificate: true
      verify-hostname: false

Notes:

SSL uses port 5671; if SSL is not used, port 5672 is still available
ssl.enabled: whether SSL is enabled, default false
key-store: path to the client certificate store
key-store-password: the password used when generating the client certificate
trust-store: path to the trust store
trust-store-password: the password used when creating the trust store
