[RabbitMQ] Disabling the plaintext authentication mechanism in the AMQP configuration

Reference post

https://blog.csdn.net/u013551615/article/details/126314195


1. Generate the RabbitMQ certificates

# Clone the certificate-generation repository into /ycx

mkdir -p /ycx && cd /ycx
git clone --depth 1 https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git
cd /ycx/CMF-AMQP-Configuration/ssl

# Change the certificate validity from 1 year (the scripts' default of 365 days) to 10 years.
# Ten-year certificates are convenient for a lab; this CA has no revocation (CRL/OCSP) set up,
# so for production prefer short-lived server and client certificates.

sed -i "s/valid=365/valid=3650/g" create_client_cert.sh
sed -i "s/valid=365/valid=3650/g" make_server_cert.sh
sed -i "s/valid=365/valid=3650/g" setup_ca.sh
sed -i "s/default_days = 365/default_days = 3650/g" openssl.cnf

# Generate the CA certificate. "ycxRabbitMQCA" is an arbitrary name of your choice; a ca directory is created in the current directory.

sh setup_ca.sh ycxRabbitMQCA

# Generate the server certificate. The first argument is the file-name prefix of the server certificate, the second is its passphrase (any value); a server directory is created in the current directory.

sh make_server_cert.sh rabbitmq-server Mq123456

# Generate the client certificate. The first argument is the client certificate prefix, which becomes the certificate's CN and therefore the RabbitMQ username (see ssl_cert_login_from below); the second is its passphrase (any value). A client directory is created in the current directory.

sh create_client_cert.sh rabbitmq-client Mq123456

After this, /ycx/CMF-AMQP-Configuration/ssl contains three directories: ca, server and client. Check the subjects and validity before going further, because the CN of the client certificate is what the broker will log the user in as, and the CN/SAN of the server certificate is what clients will be asked to verify against the hostname:

openssl x509 -in server/rabbitmq-server.cert.pem -noout -subject -dates
openssl x509 -in client/rabbitmq-client.cert.pem -noout -subject -dates


2. Generate the JKS trust store for the application

Import the RabbitMQ server's public certificate into a JKS file that the Java client will use as its trust store.
# -alias is the entry's alias, -file is the server's public certificate, -keystore is the output JKS (relative paths here);
# -noprompt skips keytool's interactive "Trust this certificate? [no]" question.

cd /ycx/CMF-AMQP-Configuration/ssl
keytool -import -noprompt -alias rabbitmq-server -file server/rabbitmq-server.cert.pem -keystore rabbitmqKeyStore.jks -storepass Mq123456

This creates rabbitmqKeyStore.jks in /ycx/CMF-AMQP-Configuration/ssl. Despite its name the file is used as a trust store, not a key store. Importing the leaf certificate pins the client to this exact server certificate; importing ca/cacert.pem instead trusts anything this CA signs and does not have to be redone when the server certificate is reissued. Either is fine for a single broker, but the CA variant is the one that survives rotation.


3. Configure RabbitMQ

The default RabbitMQ configuration directory is /etc/rabbitmq.

mkdir -p /ycx/data/rabbitmq/ssl
cd /ycx/CMF-AMQP-Configuration/ssl
cp ca/cacert.pem /ycx/data/rabbitmq/ssl
cp server/rabbitmq-server.key.pem /ycx/data/rabbitmq/ssl
cp server/rabbitmq-server.cert.pem /ycx/data/rabbitmq/ssl

The broker runs as an unprivileged rabbitmq user inside the container, so the private key must be readable by that user but should not be world-readable.

Create the configuration file. The two formats below are equivalent, but they belong in different files: format one is the modern ini-style format and must be saved as /ycx/data/rabbitmq/rabbitmq.conf; format two is the classic Erlang-term format and must be saved as /ycx/data/rabbitmq/rabbitmq.config. A .config file is read as Erlang terms, so ini-style lines in it are a syntax error; "use whichever one works" really means "use the file name that matches the format".

Format one (rabbitmq.conf, ini-style format)

# TLS only: no plaintext AMQP listener. The original also had "listeners.tcp.default = 5672",
# which contradicts the next line; it has been dropped.
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/cacert.pem
ssl_options.certfile = /etc/rabbitmq/ssl/rabbitmq-server.cert.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/rabbitmq-server.key.pem

# Mutual TLS: request a client certificate, verify it against cacert.pem, and refuse clients that present none.
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
# TLS 1.2 only. The original also listed tlsv1.1, which is deprecated (RFC 8996) and should not be offered.
ssl_options.versions.1 = tlsv1.2

# Cipher suites in OpenSSL naming. This list is permissive: the static ECDH-* and plain AES*-* entries have
# no forward secrecy and DHE-DSS-* relies on the obsolete DSA signature; they are only there for old clients.
# If every client supports ECDHE, keep just the ECDHE-*-GCM-* suites. The 3DES suite ECDHE-ECDSA-DES-CBC3-SHA
# and a duplicated DHE-DSS-AES128-SHA256 entry from the original list have been removed.
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
ssl_options.ciphers.4 = ECDHE-RSA-AES256-SHA384
ssl_options.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384
ssl_options.ciphers.7 = ECDH-ECDSA-AES256-SHA384
ssl_options.ciphers.8 = ECDH-RSA-AES256-SHA384
ssl_options.ciphers.9 = DHE-DSS-AES256-GCM-SHA384
ssl_options.ciphers.10 = DHE-DSS-AES256-SHA256
ssl_options.ciphers.11 = AES256-GCM-SHA384
ssl_options.ciphers.12 = AES256-SHA256
ssl_options.ciphers.13 = ECDHE-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.14 = ECDHE-RSA-AES128-GCM-SHA256
ssl_options.ciphers.15 = ECDHE-ECDSA-AES128-SHA256
ssl_options.ciphers.16 = ECDHE-RSA-AES128-SHA256
ssl_options.ciphers.17 = ECDH-ECDSA-AES128-GCM-SHA256
ssl_options.ciphers.18 = ECDH-RSA-AES128-GCM-SHA256
ssl_options.ciphers.19 = ECDH-ECDSA-AES128-SHA256
ssl_options.ciphers.20 = ECDH-RSA-AES128-SHA256
ssl_options.ciphers.21 = DHE-DSS-AES128-GCM-SHA256
ssl_options.ciphers.22 = DHE-DSS-AES128-SHA256
ssl_options.ciphers.23 = AES128-GCM-SHA256
ssl_options.ciphers.24 = AES128-SHA256
ssl_options.ciphers.25 = ECDHE-ECDSA-AES256-SHA
ssl_options.ciphers.26 = ECDHE-RSA-AES256-SHA
ssl_options.ciphers.27 = DHE-DSS-AES256-SHA
ssl_options.ciphers.28 = ECDH-ECDSA-AES256-SHA
ssl_options.ciphers.29 = ECDH-RSA-AES256-SHA
ssl_options.ciphers.30 = AES256-SHA
ssl_options.ciphers.31 = ECDHE-ECDSA-AES128-SHA
ssl_options.ciphers.32 = ECDHE-RSA-AES128-SHA
ssl_options.ciphers.33 = DHE-DSS-AES128-SHA
ssl_options.ciphers.34 = ECDH-ECDSA-AES128-SHA
ssl_options.ciphers.35 = ECDH-RSA-AES128-SHA
ssl_options.ciphers.36 = AES128-SHA

# EXTERNAL is the only mechanism offered, so password logins (PLAIN, AMQPLAIN) are impossible over AMQP
# even on the TLS port. It is implemented by the rabbitmq_auth_mechanism_ssl plugin, which must be enabled.
auth_mechanisms.1 = EXTERNAL
# Use the client certificate's CN as the username (the default is the full distinguished name).
# Anyone who obtains a certificate with a matching CN signed by this CA logs in as that user,
# so CA issuance is now your user provisioning.
ssl_cert_login_from = common_name
# The management UI still uses password authentication over plain HTTP on this port; keep it off
# untrusted networks (bind it to localhost or configure management.ssl.*).
management.tcp.port = 15672
# The original ended with "loopback_users.guest = false". Do not add that line: it lifts the localhost-only
# restriction on the default guest account. Delete guest instead (rabbitmqctl delete_user guest).

Format two (rabbitmq.config, classic Erlang-term format)

[{rabbit, [
    %% TLS only: no plaintext listener, TLS on 5671
    {tcp_listeners, []},
    {ssl_listeners, [5671]},
    {ssl_options, [
        {cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
        {certfile,   "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
        {keyfile,    "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
        %% mutual TLS: verify the client certificate and reject clients that present none
        {verify, verify_peer},
        {fail_if_no_peer_cert, true},
        {versions, ['tlsv1.2']},
        %% same suite list as format one (3DES and the duplicated entry removed)
        {ciphers, [
            "ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
            "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384",
            "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384",
            "DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
            "AES256-GCM-SHA384","AES256-SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
            "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256",
            "ECDH-ECDSA-AES128-SHA256","ECDH-RSA-AES128-SHA256",
            "DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256",
            "AES128-GCM-SHA256","AES128-SHA256",
            "ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA",
            "DHE-DSS-AES256-SHA","ECDH-ECDSA-AES256-SHA",
            "ECDH-RSA-AES256-SHA","AES256-SHA",
            "ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA",
            "DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
            "ECDH-RSA-AES128-SHA","AES128-SHA"
        ]}
    ]},
    %% EXTERNAL only: no PLAIN/AMQPLAIN, so no password logins over AMQP
    {auth_mechanisms, ['EXTERNAL']},
    %% username = client certificate CN
    {ssl_cert_login_from, common_name}
]}].
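Every line of the configuration above carries the security argument of this post, and the original "format one" shows how easy it is to leave it inconsistent (a plaintext listener declared on one line and disabled on the next, TLS 1.1 and a 3DES suite in the cipher list). The following script is an added example written for this edit; it is not part of the original post and not RabbitMQ code. It parses an ini-style rabbitmq.conf and lists every setting that would re-open plaintext or password access. The two embedded configurations are constructed for the example (one modelled on the original weak settings, one on the hardened ones), and the check messages and cipher-name heuristics are the script's own, not anything the broker reports.

```python
"""Audit an ini-style rabbitmq.conf for the settings that keep AMQP TLS-only and certificate-only.

Added example, not from the original post or RabbitMQ: it understands only the `key = value`
syntax of rabbitmq.conf; the checks, messages and cipher-name heuristics are this script's own.
"""
import re
import sys

# Constructed sample modelled on the original "format one": contradictory listener keys, TLS 1.1,
# a 3DES suite, a suite without forward secrecy, guest opened up, and no ssl_cert_login_from.
WEAK_CONF = """\
listeners.tcp.default = 5672
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
ssl_options.ciphers.1 = ECDHE-RSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-ECDSA-DES-CBC3-SHA
ssl_options.ciphers.3 = AES256-SHA256
auth_mechanisms.1 = EXTERNAL
loopback_users.guest = false
"""

# Constructed sample modelled on the hardened configuration (certificate paths left out).
HARDENED_CONF = """\
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.2
ssl_options.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
ssl_options.ciphers.2 = ECDHE-RSA-AES128-GCM-SHA256
auth_mechanisms.1 = EXTERNAL
ssl_cert_login_from = common_name
"""

LEGACY_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1"}
# Suites built on broken or export-grade primitives (OpenSSL naming).
WEAK_CIPHER = re.compile(r"DES|RC4|NULL|EXPORT|MD5|ADH|AECDH|PSK", re.I)
# Forward secrecy needs an ephemeral key exchange: ECDHE-*/DHE-*, not static ECDH-* or plain RSA.
PFS_CIPHER = re.compile(r"^(ECDHE|DHE)-")


def parse_conf(text):
    """Parse `key = value` lines into a dict; a line starting with '#' is a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def indexed(conf, prefix):
    """Values of `prefix.1`, `prefix.2`, ... in index order (how rabbitmq.conf writes lists)."""
    found = []
    for key, value in conf.items():
        head, _, idx = key.rpartition(".")
        if head == prefix and idx.isdigit():
            found.append((int(idx), value))
    return [value for _, value in sorted(found)]


def audit(text):
    """Return a list of findings; an empty list means the config matches the hardened profile."""
    conf = parse_conf(text)
    findings = []
    # 1. Plaintext AMQP must be off; any listeners.tcp.<name> key contradicts "listeners.tcp = none".
    tcp_keys = sorted(k for k in conf if k.startswith("listeners.tcp."))
    if conf.get("listeners.tcp") != "none":
        findings.append("listeners.tcp is not 'none': a plaintext AMQP listener is still offered")
    if tcp_keys:
        findings.append("plaintext listener keys present: " + ", ".join(tcp_keys))
    # 2. Mutual TLS: verify the client certificate and reject clients that present none.
    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append("ssl_options.verify is not verify_peer: client certificates are not verified")
    if conf.get("ssl_options.fail_if_no_peer_cert") != "true":
        findings.append("fail_if_no_peer_cert is not true: clients without a certificate are accepted")
    # 3. EXTERNAL must be the only mechanism; a single PLAIN/AMQPLAIN entry re-enables password logins.
    mechanisms = indexed(conf, "auth_mechanisms")
    if mechanisms != ["EXTERNAL"]:
        findings.append("auth_mechanisms is not EXTERNAL only: " + (", ".join(mechanisms) or "unset"))
    if "ssl_cert_login_from" not in conf:
        findings.append("ssl_cert_login_from unset: usernames must then be full distinguished names")
    # 4. Protocol versions and cipher suites.
    for version in indexed(conf, "ssl_options.versions"):
        if version.lower() in LEGACY_VERSIONS:
            findings.append("legacy protocol version enabled: " + version)
    for suite in indexed(conf, "ssl_options.ciphers"):
        if WEAK_CIPHER.search(suite):
            findings.append("weak cipher suite: " + suite)
        elif not PFS_CIPHER.match(suite):
            findings.append("no forward secrecy: " + suite)
    # 5. Never lift the localhost-only restriction on the default guest account.
    if conf.get("loopback_users.guest") == "false":
        findings.append("loopback_users.guest = false lets the default guest account log in remotely")
    return findings


if __name__ == "__main__":
    # Usage: python audit_rabbitmq_conf.py /path/to/rabbitmq.conf (no argument: audit the weak sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    print("\n".join(audit(text)) or "OK")
```

Run it against /ycx/data/rabbitmq/rabbitmq.conf before starting the container. It does not read the classic Erlang-term format, and it cannot tell whether the rabbitmq_auth_mechanism_ssl plugin is enabled, which the configuration file alone does not show.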

 

4. Start RabbitMQ with TLS

docker pull rabbitmq:3.8.16-management
# Compared with the original command: port 5672 is no longer published (the plaintext listener is disabled),
# --privileged=true is dropped (the broker does not need it, and it gives the container full access to the host),
# the management port is bound to localhost only, and the configuration is mounted as rabbitmq.conf (format one).
# For format two mount /ycx/data/rabbitmq/rabbitmq.config:/etc/rabbitmq/rabbitmq.config instead.
docker run -d --restart=always -m=2g --name rabbitmqssl -p 5671:5671 -p 127.0.0.1:15672:15672 -v /ycx/data/rabbitmq/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf -v /ycx/data/rabbitmq/ssl:/etc/rabbitmq/ssl -v /ycx/data/rabbitmq/data:/var/lib/rabbitmq -v /ycx/logs/rabbitmq:/var/log/rabbitmq docker.io/rabbitmq:3.8.16-management

Enable the plugin

docker exec -it rabbitmqssl bash

# Enable rabbitmq_auth_mechanism_ssl, the implementation of the EXTERNAL mechanism.
# Without it, auth_mechanisms = EXTERNAL leaves the broker with no usable mechanism and every AMQP login fails.

rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl

# Check the result: the plugin is enabled if the output of rabbitmq-plugins list contains
rabbitmq-plugins list
[E*] rabbitmq_auth_mechanism_ssl       3.8.16

The enabled-plugins list lives in /etc/rabbitmq/enabled_plugins inside the container, which is not on any of the mounted volumes, so recreating the container loses it. Mount that file as well, or build an image with the plugin enabled.

Add the certificate-login user. The username must equal the client certificate's CN, i.e. the prefix given to create_client_cert.sh. With EXTERNAL as the only AMQP mechanism the password is never used for AMQP, but it would still work on the management UI, so clear it after creating the user.

rabbitmqctl add_user 'rabbitmq-client' '88352636'
rabbitmqctl clear_password 'rabbitmq-client'

# Grant rabbitmq-client full permissions on the / virtual host; replace / for another vhost.
# Where possible, narrow the configure/write/read patterns to the resources the client actually uses instead of ".*".

rabbitmqctl set_permissions -p "/" "rabbitmq-client" ".*" ".*" ".*"
# The administrator tag is not needed for an AMQP client; keep it only if this identity must use the management UI/API.
rabbitmqctl set_user_tags rabbitmq-client administrator
# The default guest account is not needed once logins are certificate-based; remove it.
rabbitmqctl delete_user guest

cd /ycx/CMF-AMQP-Configuration/ssl
# Verify the TLS layer with the client certificate and the CA certificate. A successful handshake ends with
# "Verify return code: 0 (ok)". Run the same command once more without -cert/-key: because of
# fail_if_no_peer_cert that handshake must fail. This exercises TLS only; the EXTERNAL login itself is
# confirmed by the application connection in step 5 (or by the broker log).

openssl s_client -connect localhost:5671 -cert client/rabbitmq-client.cert.pem -key client/rabbitmq-client.key.pem -CAfile ca/cacert.pem


5. Application changes

Create an ssl directory under resources and copy these two files into it:
/ycx/CMF-AMQP-Configuration/ssl/client/rabbitmq-client.keycert.p12
/ycx/CMF-AMQP-Configuration/ssl/rabbitmqKeyStore.jks

Switch the connection to the EXTERNAL SASL mechanism

Spring Boot sets up TLS from the spring.rabbitmq.ssl.* properties, but the RabbitMQ Java client still defaults to PLAIN; the broker only offers EXTERNAL, so without this change the login is refused.

import com.rabbitmq.client.DefaultSaslConfig;
import javax.annotation.PostConstruct;
import org.apache.commons.lang3.BooleanUtils;
import org.springframework.amqp.rabbit.connection.CachingConnectionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.amqp.RabbitProperties;
import org.springframework.stereotype.Component;

@Component
public class RabbitmqSslExternalConfig {
    @Autowired
    RabbitProperties rabbitProperties;
    @Autowired
    CachingConnectionFactory cachingConnectionFactory;

    // Tell the underlying RabbitMQ client to authenticate with EXTERNAL (identity taken from the client certificate) instead of PLAIN.
    @PostConstruct
    public void rabbitmqSslExternalPostConstruct() {
        boolean rabbitSslEnabled = BooleanUtils.toBoolean(rabbitProperties.getSsl().getEnabled());
        boolean rabbitSslKeyStoreExists = rabbitProperties.getSsl().getKeyStore() != null;
        if (rabbitSslEnabled && rabbitSslKeyStoreExists) {
            cachingConnectionFactory.getRabbitConnectionFactory().setSaslConfig(DefaultSaslConfig.EXTERNAL);
        }
    }
}

Add the binary extensions to the maven-resources-plugin's <configuration> in the POM, so that resource filtering does not corrupt the key store and trust store:

<!-- inside the maven-resources-plugin <configuration> element -->
<nonFilteredFileExtensions>
    <nonFilteredFileExtension>p12</nonFilteredFileExtension>
    <nonFilteredFileExtension>jks</nonFilteredFileExtension>
</nonFilteredFileExtensions>

Configuration

spring:
  rabbitmq:
    host: 127.0.0.1
    port: 5671
    ssl:
      # Must be set explicitly: with a plain host/port configuration Spring Boot does not enable TLS
      # on its own, and the @PostConstruct guard above would never switch the client to EXTERNAL.
      enabled: true
      # client PKCS12 key store (certificate + private key) and its password
      key-store: classpath:ssl/rabbitmq-client.keycert.p12
      key-store-password: Mq123456
      # trust store holding the server's public certificate, its type and the -storepass given to keytool
      trust-store: classpath:ssl/rabbitmqKeyStore.jks
      trust-store-type: JKS
      trust-store-password: Mq123456
      # Hostname verification is off because the server certificate was not issued for 127.0.0.1 and the
      # default (true) makes the connection fail. This drops the check that the certificate belongs to the
      # host you dialled; outside a lab, issue the server certificate with a SAN matching the broker's
      # hostname, connect by that name, and leave verify-hostname at its default.
      verify-hostname: false


posted @ 2023-07-25 10:57 by 翠微 (1025 views, 0 comments)