RabbitMQ: configuring a secure, encrypted SSL connection


Environment: CentOS 7

Introduction:

When RabbitMQ runs on an internal network and only internal applications connect to it, those connections are usually treated as trusted. Occasionally, though, RabbitMQ has to provide service to the outside world. There are two ways to do that:

  1. Put another application layer in front of RabbitMQ and let that layer serve external clients; RabbitMQ itself still serves only the internal network. This is safer but less flexible.
  2. Expose RabbitMQ directly. Beyond hardening the service itself, you then have to assume that traffic crossing the Internet can be intercepted and read. The industry-standard answer to that is SSL (more precisely TLS, which is what the listener configured below actually speaks).

Prepare the script files:

openssl.cnf setup_ca.sh make_server_cert.sh create_client_cert.sh

openssl.cnf contents:

[ ca ]
default_ca = testca
[ testca ]
dir = .                               # the scripts run openssl from inside ca/
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 10950                  # 30 years; shorten this for anything beyond a lab
default_md = sha256                   # the original used sha1, which current TLS stacks reject
policy = testca_policy
x509_extensions = certificate_extensions
# unique_subject = no                 # uncomment to re-issue a cert with the same CN; otherwise openssl ca fails with "TXT_DB error number 2"
[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname                 # prompt label only; setup_ca.sh passes the CN with -subj
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2  # id-kp-clientAuth
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment   # digitalSignature is needed for ECDHE-RSA suites, where the server signs the key exchange
extendedKeyUsage = 1.3.6.1.5.5.7.3.1  # id-kp-serverAuth; no subjectAltName is set here (see the note on make_server_cert.sh)

The CA generation script (setup_ca.sh) is as follows:

#!/bin/bash
# Creates the directory layout openssl.cnf expects and a self-signed CA.
# Run from /usr/testca so that ../openssl.cnf resolves from inside ca/.
set -e
strength=2048
valid=10950
message="Usage:  sh setup_ca.sh [certificate authority CN]"
if [ $# -ne 1 ] || [ "$1" = "--help" ]; then
    echo "$message"
    exit 2
fi
certauthCN=$1
export OPENSSL_CONF=../openssl.cnf
if [ ! -d ./ca/ ]; then
    echo "Creating folder: ca/"
    mkdir ca
    echo "Creating folder: ca/private/"
    mkdir ca/private
    echo "Creating folder: ca/certs/"
    mkdir ca/certs
    echo "Creating file: ca/serial"
    echo "01" > ca/serial
    echo "Creating file: ca/index.txt"
    touch ca/index.txt
fi
cd ca
# The CA key is written to ./private/cakey.pem (default_keyfile in openssl.cnf);
# -nodes leaves it unencrypted, so restrict its permissions: it signs every
# certificate the broker will trust.
openssl req -x509 -newkey rsa:$strength -days $valid -out cacert.pem -outform PEM -subj "/CN=$certauthCN" -nodes
chmod 600 private/cakey.pem
# DER copy of the CA certificate for clients that prefer that encoding.
openssl x509 -in cacert.pem -out cacert.cer -outform DER
cd ..

The server certificate script (make_server_cert.sh) is as follows:

#!/bin/bash
# Issues a server certificate signed by the CA in ca/. Run from /usr/testca.
set -e
strength=2048
message="Usage:  sh make_server_cert.sh [server name] [PKCS12 password]"
if [ $# -ne 2 ] || [ "$1" = "--help" ]; then
    echo "$message"
    exit 2
fi
sname=$1
password=$2
export OPENSSL_CONF=../openssl.cnf
if [ ! -d ./server/ ]; then
    echo "Creating Server folder: server/"
    mkdir server
fi
cd server
echo "Generating key.pem"
openssl genrsa -out key.pem $strength
chmod 600 key.pem
echo "Generating req.pem"
# The server name only goes into the CN. openssl.cnf adds no subjectAltName, so
# clients that match the broker hostname against the SAN (recent Java and
# Python clients do) will not accept this certificate for that hostname.
openssl req -new -key key.pem -out req.pem -outform PEM -subj "/CN=$sname/O=server"
cd ../ca
echo "Generating cert.pem"
# openssl ca reads ../openssl.cnf through OPENSSL_CONF; server_ca_extensions
# gives the certificate the serverAuth EKU. Without -extensions it would get none.
openssl ca -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ../server
echo "Generating keycert.p12"
# Key and certificate bundled for tools that want a single PKCS12 file; RabbitMQ
# itself reads cert.pem and key.pem. The password is visible in the process
# list while this command runs.
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout "pass:$password"
cd ..

The client certificate script (create_client_cert.sh) is as follows:

#!/bin/bash
# Issues a client certificate signed by the CA in ca/. Run from /usr/testca.
set -e
strength=2048
message="Usage:  sh create_client_cert.sh [client name] [PKCS12 password]"
if [ $# -ne 2 ] || [ "$1" = "--help" ]; then
    echo "$message"
    exit 2
fi
cname=$1
password=$2
export OPENSSL_CONF=../openssl.cnf
if [ ! -d ./client/ ]; then
    echo "Creating folder: client/"
    mkdir client
fi
cd client
echo "Generating key.pem"
openssl genrsa -out key.pem $strength
chmod 600 key.pem
echo "Generating req.pem"
openssl req -new -key key.pem -out req.pem -outform PEM -subj "/CN=$cname/O=client"
cd ../ca
echo "Generating cert.pem"
# client_ca_extensions gives the certificate the clientAuth EKU; this is the
# certificate the broker will demand because of verify_peer below.
openssl ca -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
cd ../client
echo "Generating keycert.p12"
# Key and certificate bundled for clients that load a PKCS12 key store (e.g. Java).
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout "pass:$password"
cd ..

Create the working directory:

mkdir -p /usr/testca

mv openssl.cnf setup_ca.sh make_server_cert.sh create_client_cert.sh /usr/testca

Change into /usr/testca and run the following commands in order; the scripts locate openssl.cnf and the ca/ directory by relative path, so they must be started from there.

The argument is the certificate authority name (its CN):

sh setup_ca.sh MyRabbitMQSSL

Generate the server certificate; the first argument is the server name, the second the PKCS12 password:

sh make_server_cert.sh rabbit-server rabbit

Generate the client certificate; the first argument is the client name, the second the PKCS12 password:

sh create_client_cert.sh rabbit-client rabbit

"rabbit" is a placeholder password for a lab setup; use real passphrases outside of one. After these three steps /usr/testca/ca/private/cakey.pem is the root of trust for every certificate the broker will accept, and /usr/testca/server/key.pem is the broker's private key.
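The extension profiles in openssl.cnf and the three scripts above only do their job if each certificate ends up usable for its role: the server certificate must chain to cacert.pem and carry the serverAuth EKU, the client certificate the clientAuth EKU, and clients that verify the broker hostname additionally need a matching subjectAltName. The script below is an added example, not part of the original page or of RabbitMQ. It rebuilds the same layout in a scratch directory (with sha256 signatures, digitalSignature in the server key usage, a SAN on the server certificate, and signing through openssl x509 -req instead of the openssl ca database) and then asks openssl verify the questions the broker and its clients will ask. The CA name, hostnames, directory layout and 825-day validity are assumptions for the demo; it needs the openssl CLI (1.1.1 or newer).

```shell
#!/bin/sh
# Added example (not from the original page): rebuild the page's PKI layout in a
# scratch directory and check every certificate for the purpose it will serve.
# Deliberate differences from the page's scripts: sha256, digitalSignature on the
# server key usage (needed for ECDHE-RSA suites), a subjectAltName on the server
# cert, and 'openssl x509 -req' instead of the 'openssl ca' database.
# Names, hostnames and the 825-day validity are assumptions for the demo.
set -eu

# One config for every openssl call: an empty DN section (subjects come from
# -subj) plus extension profiles mirroring the page's openssl.cnf.
write_cnf() {  # $1 = config path, $2 = hostname to put in the server SAN
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
[ client_ext ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_cert DIR ROLE CN EXT_SECTION: key + CSR + CA-signed cert in DIR/ROLE/
issue_cert() {
    openssl genrsa -out "$1/$2/key.pem" 2048 2>/dev/null
    openssl req -new -config "$1/demo.cnf" -key "$1/$2/key.pem" \
        -subj "/CN=$3/O=$2" -out "$1/$2/req.pem"
    openssl x509 -req -in "$1/$2/req.pem" -CA "$1/ca/cacert.pem" \
        -CAkey "$1/ca/private/cakey.pem" -CAcreateserial -days 825 -sha256 \
        -extfile "$1/demo.cnf" -extensions "$4" -out "$1/$2/cert.pem" 2>/dev/null
}

# make_test_pki DIR CA_CN SERVER_NAME CLIENT_NAME: leaves the same files the
# page's scripts do (ca/cacert.pem, server/{key,cert}.pem, client/{key,cert}.pem).
make_test_pki() {
    mkdir -p "$1/ca/private" "$1/server" "$1/client"
    write_cnf "$1/demo.cnf" "$3"
    openssl req -x509 -config "$1/demo.cnf" -extensions ca_ext -newkey rsa:2048 \
        -nodes -sha256 -days 825 -subj "/CN=$2" \
        -keyout "$1/ca/private/cakey.pem" -out "$1/ca/cacert.pem" 2>/dev/null
    chmod 600 "$1/ca/private/cakey.pem"
    issue_cert "$1" server "$3" server_ext
    issue_cert "$1" client "$4" client_ext
}

# verify_purpose CA CERT PURPOSE: succeeds only if CERT chains to CA and its
# keyUsage/extendedKeyUsage allow PURPOSE ("sslserver" or "sslclient"), which is
# what the broker checks on client certs and clients check on the broker cert.
verify_purpose() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# verify_hostname CA CERT HOST: the extra check hostname-verifying clients run.
verify_hostname() {
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# probe_broker HOST PORT CA CLIENT_CERT CLIENT_KEY: live mutual-TLS handshake
# against a running broker. Not called here; the broker is not part of the demo.
probe_broker() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -cert "$4" -key "$5" -verify_return_error </dev/null
}

report() {  # report CA CERT PURPOSE LABEL
    if verify_purpose "$1" "$2" "$3"; then echo "$4: accepted for $3"; else echo "$4: rejected for $3"; fi
}

PKI=$(mktemp -d)
make_test_pki "$PKI" MyRabbitMQSSL rabbit-server rabbit-client
report "$PKI/ca/cacert.pem" "$PKI/server/cert.pem" sslserver "server cert"
report "$PKI/ca/cacert.pem" "$PKI/server/cert.pem" sslclient "server cert"
report "$PKI/ca/cacert.pem" "$PKI/client/cert.pem" sslclient "client cert"
report "$PKI/ca/cacert.pem" "$PKI/client/cert.pem" sslserver "client cert"
```

The expected picture is the server certificate accepted for sslserver and rejected for sslclient, and the client certificate the other way round. A certificate accepted for both purposes means no EKU was written, which is exactly what happens when openssl ca is run without -extensions against the page's config. Once the broker is restarted, probe_broker against port 5671 is the live version of the same check: the handshake must complete with the client certificate and key, and must be refused when -cert and -key are left out.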

Importing the certificate with keytool (Java clients):

keytool -import -alias rabbit-server -file ./server/cert.pem -keystore trustStore -storepass rabbit

This puts the server's leaf certificate into the Java trust store, so exactly that certificate is trusted and nothing else; it stops working as soon as the server certificate is re-issued. Importing ca/cacert.pem instead trusts everything the CA signs, which is what the PKI above is built for. Because the broker is configured with verify_peer and fail_if_no_peer_cert, a Java client also needs its own certificate: client/keycert.p12 (with the password given to create_client_cert.sh) can be used directly as a PKCS12 key store.

To remove a previously imported certificate:

keytool -delete -alias rabbit-server -keystore trustStore -storepass rabbit

Configure RabbitMQ:

vi $rabbitmq_home/etc/rabbitmq/rabbitmq.config

(For a CentOS package install the file is /etc/rabbitmq/rabbitmq.config. This is the classic Erlang-term format; RabbitMQ 3.7 and later also accept the newer rabbitmq.conf, but the settings below are the same.)

File contents:
%% Offer only TLSv1.2: SSLv3, TLSv1.0 and TLSv1.1 are all deprecated.
[
    {ssl, [{versions, ['tlsv1.2']}]},
    {rabbit, [
        %% Plain AMQP stays on 5672 for internal clients. On an Internet-facing
        %% host bind it to loopback ({"127.0.0.1", 5672}) or remove it, otherwise
        %% the TLS listener protects nothing.
        {tcp_listeners, [5672]},
        {ssl_listeners, [5671]},
        {ssl_options, [{cacertfile,"/usr/testca/ca/cacert.pem"},
            {certfile,"/usr/testca/server/cert.pem"},
            {keyfile,"/usr/testca/server/key.pem"},
            %% verify_peer + fail_if_no_peer_cert = mutual TLS: every client must
            %% present a certificate chaining to cacert.pem or the handshake fails.
            {verify, verify_peer},
            {fail_if_no_peer_cert, true},
            {versions, ['tlsv1.2']}
        ]}
    ]}
].

The three files under /usr/testca must be readable by the user the broker runs as (rabbitmq on a package install), and server/key.pem should be readable by nobody else. The CA private key (ca/private/cakey.pem) is not needed by the broker at all and should not live on an Internet-facing host.

Restart RabbitMQ.

Check that the listener is up: the listeners section of rabbitmqctl status should show port 5671 with protocol 'amqp/ssl' next to 5672 ('amqp'), and the broker log records the TLS listener starting. Then confirm the client certificate requirement actually holds: an openssl s_client connection to port 5671 that presents client/cert.pem and client/key.pem with -CAfile ca/cacert.pem must complete the handshake, and the same connection without -cert and -key must be refused.

(screenshot of the listener status output in the original; not reproduced)

