Configuring RabbitMQ STOMP for HTTPS

    xiaoxiao2021-12-14  22

    1 Create the SSL certificates

    1.1 Create the directory layout

    rmqca serves as the certificate authority for RabbitMQ. The certs directory holds the certificates issued by the CA, private holds the CA's private key (its permissions are tightened so no third party can read it), serial holds the serial number of the next CA-issued certificate, and index.txt records the certificates the CA has issued.

    # mkdir rmqca
    # cd rmqca
    # mkdir certs private
    # chmod 700 private
    # echo 01 > serial
    # touch index.txt

    1.2 Create the configuration file used by the openssl commands: openssl.cnf

    [ ca ]
    default_ca = rmqca

    [ rmqca ]
    dir = .
    certificate = $dir/cacert.pem
    database = $dir/index.txt
    new_certs_dir = $dir/certs
    private_key = $dir/private/cakey.pem
    serial = $dir/serial
    default_crl_days = 7
    default_days = 365
    default_md = sha1
    policy = rmqca_policy
    x509_extensions = certificate_extensions

    [ rmqca_policy ]
    commonName = supplied
    stateOrProvinceName = optional
    countryName = optional
    emailAddress = optional
    organizationName = optional
    organizationalUnitName = optional

    [ certificate_extensions ]
    basicConstraints = CA:false

    [ req ]
    default_bits = 2048
    default_keyfile = ./private/cakey.pem
    default_md = sha1
    prompt = yes
    distinguished_name = root_ca_distinguished_name
    x509_extensions = root_ca_extensions

    [ root_ca_distinguished_name ]
    commonName = hostname

    [ root_ca_extensions ]
    basicConstraints = CA:true
    keyUsage = keyCertSign, cRLSign

    [ client_ca_extensions ]
    basicConstraints = CA:false
    keyUsage = digitalSignature
    extendedKeyUsage = 1.3.6.1.5.5.7.3.2

    [ server_ca_extensions ]
    basicConstraints = CA:false
    keyUsage = keyEncipherment
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

    1.3 Generate the CA certificate

    # openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
        -out cacert.pem -outform PEM -subj /CN=MyRmqca/ -nodes
    # openssl x509 -in cacert.pem -out cacert.cer -outform DER

    1.4 Generate the server certificate

    Generate an RSA key, then have the CA issue a certificate for it:

    # cd ..
    # ls
    rmqca
    # mkdir server
    # cd server
    # openssl genrsa -out key.pem 2048
    # openssl req -new -key key.pem -out req.pem -outform PEM \
        -subj /CN=$(hostname)/O=server/ -nodes
    # cd ../rmqca
    # openssl ca -config openssl.cnf -in ../server/req.pem -out \
        ../server/cert.pem -notext -batch -extensions server_ca_extensions
    # cd ../server
    # openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:123456

    1.5 Generate the client certificate

    # cd ..
    # ls
    rmqca server
    # mkdir client
    # cd client
    # openssl genrsa -out key.pem 2048
    # openssl req -new -key key.pem -out req.pem -outform PEM \
        -subj /CN=$(hostname)/O=client/ -nodes
    # cd ../rmqca
    # openssl ca -config openssl.cnf -in ../client/req.pem -out \
        ../client/cert.pem -notext -batch -extensions client_ca_extensions
    # cd ../client
    # openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:123456

    2 Enable SSL for RabbitMQ

    Add the following to the RabbitMQ configuration file (rabbit.config):

    {rabbit, [
        {ssl_listeners, [5671]},
        {ssl_options, [{cacertfile, "/path/to/rmqca/cacert.pem"},
                       {certfile,   "/path/to/server/cert.pem"},
                       {keyfile,    "/path/to/server/key.pem"},
                       {verify, verify_peer},
                       {fail_if_no_peer_cert, false}]}
    ]}

    Whether the client must present a certificate, and whether that certificate must be trusted, is controlled by the two options verify and fail_if_no_peer_cert. Setting {fail_if_no_peer_cert, false} means we are prepared to accept a client without requiring it to send us a certificate. Setting {verify, verify_peer} means that if the client does send a certificate, we must be able to establish trust in it.

    With {verify, verify_none}, there will be no certificate exchange between client and server.

    cacertfile: path to the root (CA) certificate

    certfile: path to the server certificate

    keyfile: path to the server private key

    3 Enable SSL for rabbitmq_web_stomp

    Add the following to the RabbitMQ configuration file (rabbit.config):

    {rabbitmq_web_stomp, [{ssl_config, [{port, 15671},
                                        {backlog, 1024},
                                        {certfile, "path/to/certs/client/cert.pem"},
                                        {keyfile, "path/to/certs/client/key.pem"},
                                        {cacertfile, "path/to/certs/rmqca/cacert.pem"},
                                        {password, "changeme"}]}]}

    The configuration options are as follows:

    port: listening port number

    backlog: maximum length of the pending-connection queue, default 1024

    certfile: path to the client certificate

    keyfile: path to the client private key

    cacertfile: path to the root (CA) certificate

    password: password protecting the client certificate

    Once the above is configured, the endpoint can be reached at https://ip:port/stomp.

    Please credit the original address when reposting: https://ju.6miu.com/read-963007.html
