Windows环境
查看配置文件的位置
- 选择使用的节点
- 查看当前节点配置文件的配置
配置TLS
- 将证书放到同配置相同目录中
- 编辑配置文件添加TLS相关配置
[
{ssl, [{versions, ['tlsv1.2']}]},
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,"C:/Users/17126/AppData/Roaming/RabbitMQ/ssl/klca/cacert.pem"},
{certfile,"C:/Users/17126/AppData/Roaming/RabbitMQ/ssl/server/cert.pem"},
{keyfile,"C:/Users/17126/AppData/Roaming/RabbitMQ/ssl/server/key.pem"},
{depth, 2},
{verify,verify_peer},
{honor_cipher_order,true},
{honor_ecc_order, true},
{fail_if_no_peer_cert,false},
{versions, ['tlsv1.2']},
{ciphers, [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
]
}
]}
]}
].
重启服务
Linux环境 (使用docker)
拉取RabbitMq镜像
docker pull rabbitmq:3.11.2-management
在宿主机创建Rabbitmq容器配置挂载目录
在/etc目录下创建rabbitmq目录
cd /etc
mkdir rabbitmq
启动Rabbitmq镜像
docker run --name rabbitmq -d -p 15672:15672 -p 5672:5672 -p 5671:5671 -v /etc/rabbitmq:/etc/rabbitmq 031f07386589
查看启动状态
docker ps
开启Rabbitmq页面管理插件
- 进入容器
docker exec -it 7c4548748ca9 /bin/bash
- 开启web页面管理插件
rabbitmq-plugins enable rabbitmq_management
- 增加新用户(RabbitMQ默认只有一个guest帐号,guest帐号只能在RabbitMQ安装服务器上登录,在其它服务器用guest登录提示User can only log in via localhost。)
#第一步:添加 admin 用户并设置密码
rabbitmqctl add_user admin 123456
#第二步:添加 admin 用户为administrator角色
rabbitmqctl set_user_tags admin administrator
#第三步:设置 admin 用户的权限,指定允许访问的vhost以及write/read
rabbitmqctl set_permissions -p "/" admin ".*" ".*" ".*"
#第四步:查看vhost(/)允许哪些用户访问
rabbitmqctl list_permissions -p /
#第五步:查看用户列表
rabbitmqctl list_users
- 退出容器
exit
配置TLS
- 在宿主机与容器挂载目录中创建一个
rabbitmq.conf文件
touch rabbitmq.conf
- 将证书文件放到同目录中(这里都放在了ssl文件夹中)
- 配置rabbitmq.conf文件
listeners.ssl.default = 5671
ssl_options.cacertfile=/etc/rabbitmq/ssl/klca/cacert.pem
ssl_options.certfile=/etc/rabbitmq/ssl/server/cert.pem
ssl_options.keyfile=/etc/rabbitmq/ssl/server/key.pem
ssl_options.verify=verify_peer
ssl_options.fail_if_no_peer_cert=false
ssl_options.depth=2
ssl_options.versions.1=tlsv1.2
ssl_options.honor_cipher_order=true
ssl_options.honor_ecc_order=true
ssl_options.ciphers.1 = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ssl_options.ciphers.2 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ssl_options.ciphers.3 = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ssl_options.ciphers.4 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl_options.ciphers.5 = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ssl_options.ciphers.6 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ssl_options.ciphers.7 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ssl_options.ciphers.8 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ssl_options.ciphers.9 = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ssl_options.ciphers.10 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ssl_options.ciphers.11= TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
ssl_options.ciphers.12 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
重启容器
docker restart 7c4548748ca9
访问web页面
看到5671端口已启用,说明可以使用ssl方式访问rabbitmq。
密码套件参考
密码套件
官方
