Environment: CentOS 7
Introduction:
If the RabbitMQ service sits on an internal network and only internal applications connect to it, we treat those connections as trusted. In some cases, however, RabbitMQ has to be exposed to clients outside the network. There are two ways to do that:
- Wrap RabbitMQ in an application layer and expose only that layer; RabbitMQ itself still serves the internal network only. This is comparatively safer but less flexible.
- Expose RabbitMQ directly. Then, besides the security of the service itself, you have to consider whether the data can be intercepted or decrypted while it crosses the Internet. The industry-standard answer is SSL (that is, TLS).
Prepare the script files:
openssl.cnf setup_ca.sh make_server_cert.sh create_client_cert.sh
openssl.cnf contents:
[ ca ]
default_ca = testca

[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 10950
# sha1 (used in older examples) is rejected for certificate signatures by OpenSSL 3 and other current TLS stacks
default_md = sha256
policy = testca_policy
x509_extensions = certificate_extensions

[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
# where setup_ca.sh's "openssl req -x509" writes the CA private key (relative to ca/)
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
# prompt label only; the actual CN is passed with -subj by setup_ca.sh
commonName = hostname

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign

# used by create_client_cert.sh; 1.3.6.1.5.5.7.3.2 is the clientAuth OID
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

# used by make_server_cert.sh; 1.3.6.1.5.5.7.3.1 is the serverAuth OID
# keyEncipherment covers RSA key exchange; digitalSignature is required for (EC)DHE suites
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
The CA setup script (setup_ca.sh):
#!/bin/bash
# Creates the test CA under ./ca, using the [req] section of ../openssl.cnf.
strength=2048
valid=10950
message="Usage: sh setup_ca.sh [certificate authority CN]"
if [ $# -ne 1 ]; then
    echo "$message"
    exit 2
fi
if [ "$1" = "--help" ]; then
    echo "$message"
    exit 2
fi
certauthCN=$1
# openssl.cnf lives one level above the ca/ directory we cd into below
export OPENSSL_CONF=../openssl.cnf
if [ ! -d ./ca/ ]; then
    echo "Creating folder: ca/"
    mkdir ca
    echo "Creating folder: ca/private/"
    # the CA private key lands here; keep it readable by the owner only
    mkdir -m 700 ca/private
    echo "Creating folder: ca/certs/"
    mkdir ca/certs
    echo "Creating file: ca/serial"
    echo "01" > ca/serial
    echo "Creating file: ca/index.txt"
    touch ca/index.txt
fi
cd ca || exit 1
# Self-signed root certificate; the key goes to private/cakey.pem via default_keyfile in openssl.cnf
openssl req -x509 -newkey rsa:$strength -days $valid -out cacert.pem -outform PEM -subj "/CN=$certauthCN/" -nodes
# DER copy of the CA certificate for tools that cannot read PEM
openssl x509 -in cacert.pem -out cacert.cer -outform DER
cd ..
The server certificate script (make_server_cert.sh):
#!/bin/bash
# Issues a server certificate under ./server, signed by the CA in ./ca.
strength=2048
message="Usage: sh make_server_cert.sh [server name] [PKCS12 password]"
if [ $# -ne 2 ]; then
    echo "$message"
    exit 2
fi
if [ "$1" = "--help" ]; then
    echo "$message"
    exit 2
fi
sname=$1
password=$2
export OPENSSL_CONF=../openssl.cnf
if [ ! -d ./server/ ]; then
    echo "Creating Server folder: server/"
    mkdir server
fi
cd server || exit 1
echo "Generating key.pem"
openssl genrsa -out key.pem $strength
echo "Generating req.pem"
# CSR with the server name as CN. No subjectAltName is requested, so clients that
# verify the hostname against the certificate will need one added.
openssl req -new -key key.pem -out req.pem -outform PEM -subj "/CN=$sname/O=server/"
cd ../ca || exit 1
echo "Generating cert.pem"
# Sign with the CA (validity comes from default_days); server_ca_extensions adds extendedKeyUsage serverAuth
openssl ca -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ../server || exit 1
echo "Generating keycert.p12"
# PKCS#12 bundle (key + certificate) for Java keystores, protected by the given password
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout "pass:$password"
cd ..
The client certificate script (create_client_cert.sh):
#!/bin/bash
# Issues a client certificate under ./client, signed by the CA in ./ca.
strength=2048
message="Usage: sh create_client_cert.sh [client name] [PKCS12 password]"
if [ $# -ne 2 ]; then
    echo "$message"
    exit 2
fi
if [ "$1" = "--help" ]; then
    echo "$message"
    exit 2
fi
cname=$1
password=$2
export OPENSSL_CONF=../openssl.cnf
if [ ! -d ./client/ ]; then
    echo "Creating folder: client/"
    mkdir client
fi
cd client || exit 1
echo "Generating key.pem"
openssl genrsa -out key.pem $strength
echo "Generating req.pem"
openssl req -new -key key.pem -out req.pem -outform PEM -subj "/CN=$cname/O=client/"
cd ../ca || exit 1
echo "Generating cert.pem"
# Sign with the CA; client_ca_extensions adds extendedKeyUsage clientAuth,
# marking the certificate for TLS client authentication
openssl ca -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
cd ../client || exit 1
echo "Generating keycert.p12"
# PKCS#12 bundle (key + certificate) to load into the Java client's keystore
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout "pass:$password"
cd ..
Create the working directory:
mkdir -p /usr/testca
mv openssl.cnf setup_ca.sh make_server_cert.sh create_client_cert.sh /usr/testca
Run the following commands in order, from /usr/testca (the scripts use paths relative to it).
The argument is the name of the certificate authority:
sh setup_ca.sh MyRabbitMQSSL
Generate the server certificate; the first argument is the server name, the second the PKCS12 password:
sh make_server_cert.sh rabbit-server rabbit
Generate the client certificate; the first argument is the client name, the second the PKCS12 password:
sh create_client_cert.sh rabbit-client rabbit
Import the certificate with keytool (the resulting trustStore is the one the Java client points at):
keytool -import -alias rabbit-server -file ./server/cert.pem -keystore trustStore -storepass rabbit
To delete a previously imported certificate:
keytool -delete -alias rabbit-server -keystore trustStore -storepass rabbit
Configure RabbitMQ:
vi $rabbitmq_home/etc/rabbitmq/rabbitmq.config
File contents:
%% Disable SSLv3.0 and TLSv1.0 support.
[
  {ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
  {rabbit, [
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/usr/testca/ca/cacert.pem"},
                   {certfile,   "/usr/testca/server/cert.pem"},
                   {keyfile,    "/usr/testca/server/key.pem"},
                   %% require a client certificate and validate it against cacertfile
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, true},
                   {versions, ['tlsv1.2', 'tlsv1.1']}
                  ]}
  ]}
].
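A check for the certificates the three scripts produce and for the 5671 listener configured above, added here as an example and not part of the original post. It assumes the /usr/testca layout the scripts create (ca/cacert.pem, plus cert.pem and key.pem under server/ and client/) and the openssl command line tool; the helper names verify_rabbit_certs and probe_tls_listener are my own.

```shell
#!/bin/sh
# Added check for the certificates produced by the scripts above; not part of
# the original post. Assumed layout under BASE_DIR, as created in /usr/testca:
#   ca/cacert.pem  server/cert.pem  server/key.pem  client/cert.pem  client/key.pem
# Requires the openssl command line tool.

# verify_rabbit_certs BASE_DIR -> returns 0 if every check passes, 1 on the first failure
verify_rabbit_certs() {
    base=$1
    ca=$base/ca/cacert.pem

    # The CA certificate must carry basicConstraints CA:TRUE (root_ca_extensions);
    # without it the chain checks below fail.
    openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "ca: cacert.pem is not a CA certificate" >&2; return 1; }

    # Chain plus purpose: -purpose sslserver / sslclient enforces the extendedKeyUsage
    # set by server_ca_extensions (1.3.6.1.5.5.7.3.1, serverAuth) and
    # client_ca_extensions (1.3.6.1.5.5.7.3.2, clientAuth) in openssl.cnf.
    openssl verify -CAfile "$ca" -purpose sslserver "$base/server/cert.pem" >/dev/null 2>&1 \
        || { echo "server: cert.pem does not verify for purpose sslserver" >&2; return 1; }
    openssl verify -CAfile "$ca" -purpose sslclient "$base/client/cert.pem" >/dev/null 2>&1 \
        || { echo "client: cert.pem does not verify for purpose sslclient" >&2; return 1; }

    # Each key must belong to its certificate: compare the public keys.
    for side in server client; do
        cert_pub=$(openssl x509 -in "$base/$side/cert.pem" -noout -pubkey 2>/dev/null || true)
        key_pub=$(openssl pkey -in "$base/$side/key.pem" -pubout 2>/dev/null || true)
        [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
            || { echo "$side: key.pem does not match cert.pem" >&2; return 1; }
    done
    return 0
}

# probe_tls_listener HOST BASE_DIR
# Live mutual-TLS handshake against the broker's 5671 listener, presenting the client
# certificate that fail_if_no_peer_cert requires; prints the protocol and verify result.
probe_tls_listener() {
    openssl s_client -connect "$1:5671" -CAfile "$2/ca/cacert.pem" \
        -cert "$2/client/cert.pem" -key "$2/client/key.pem" </dev/null 2>/dev/null \
        | grep -E '^ *(Protocol|Verify return code)'
}
```

Run verify_rabbit_certs /usr/testca after the three scripts and before touching rabbitmq.config; probe_tls_listener rabbit-server /usr/testca should report "Verify return code: 0 (ok)" once the broker is up.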