Deploying RabbitMQ with Docker, enabling SSL, and testing the connection from Spring Boot
Preparation
Before configuring SSL for RabbitMQ you need a CA certificate, a server certificate and private key, and a client certificate and private key. With ssl_options.verify = verify_peer and ssl_options.fail_if_no_peer_cert = true (set in rabbitmq.conf below) the broker enforces mutual TLS, so the client certificate is mandatory, not optional.
Generating the certificates and keys
Use OpenSSL to create a private CA and sign the server and client certificates with it. A complete sequence of steps:
mkdir /tmp/ssl_rabbit && cd /tmp/ssl_rabbit
# Generate the CA (certificate authority) private key and certificate
# CA private key
openssl genrsa -out ca.key 2048
# Self-signed CA certificate, valid for 10 years
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=US/ST=State/L=City/O=Org/OU=Unit/CN=MyCA"
# Generate the RabbitMQ server key and certificate signing request (CSR)
# Server private key
openssl genrsa -out server.key 2048
# Server CSR. CN=localhost is only right if clients connect to "localhost"; the Spring Boot
# client below connects to 192.168.100.150, which is why it ends up disabling hostname
# verification. Use the hostname or IP the clients really connect to.
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=State/L=City/O=Org/OU=Unit/CN=localhost"
# Sign the server certificate with the CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256
# Generate the client key and certificate
# Client private key
openssl genrsa -out client.key 2048
# Client CSR
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=State/L=City/O=Org/OU=Unit/CN=Client"
# Sign the client certificate with the CA
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650 -sha256
# Bundle the client certificate and key into a PKCS#12 file. You are prompted for an export
# password; it must be the value later placed in spring.rabbitmq.ssl.key-store-password (Gzeport@123 below).
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name rabbitmq-client
# Build a JKS trust store for the Java client from the server's public certificate. This pins
# that exact certificate: when server.crt is renewed the trust store must be rebuilt. Importing
# ca.crt instead would make the client trust any certificate issued by the CA.
keytool -import -alias rabbitmq-server -file server.crt -keystore server.keystore -storepass Gzeport@123
Notes on the keytool options:
-import          import a signed certificate into the keystore
-alias xxx       alias for the imported entry
-file server.crt the certificate to import
-keystore xxx    name of the keystore file
-storepass xxx   keystore password (required to read the keystore)
Files produced:
ca.crt: the CA certificate
server.key and server.crt: the RabbitMQ server's private key and certificate
client.key and client.crt: the client's private key and certificate
client.p12 and server.keystore: used by the Java client to connect
Configuring RabbitMQ to enable SSL
RabbitMQ enables SSL through its configuration file (rabbitmq.conf). Note that this adds a TLS listener on port 5671 next to the default plaintext AMQP listener on 5672, and the compose file below publishes both ports. For a TLS-only broker, disable the plaintext listener with listeners.tcp = none and stop publishing 5672.
# Enable the TLS listener
listeners.ssl.default = 5671
# Certificate and key paths (as seen inside the container)
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca.crt
ssl_options.certfile = /etc/rabbitmq/ssl/server.crt
ssl_options.keyfile = /etc/rabbitmq/ssl/server.key
# Require and verify a client certificate (mutual TLS)
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
# Restrict the accepted protocol versions (optional)
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.3
The enabled_plugins file:
[rabbitmq_auth_mechanism_ssl,rabbitmq_management].
rabbitmq_auth_mechanism_ssl provides the EXTERNAL authentication mechanism, with which a client authenticates using its certificate instead of a password. The broker only offers it when it is listed in auth_mechanisms, which the configuration above does not do, so clients still log in with the username and password (set in docker-compose.yml below) over the TLS connection; enabling the plugin on its own changes nothing.
Deploying RabbitMQ with Docker Compose
Create the directories and copy the certificates
mkdir -p /AppHome/rabbitmq
mkdir -p /AppHome/rabbitmq/data
mkdir -p /AppHome/rabbitmq/etc/ssl
# 777 is a quick way to let the container's rabbitmq user write logs here; chown to that
# user (uid 999 in the official image) is the tighter fix. server.key must be readable by it too.
mkdir -p /AppHome/rabbitmq/logs && chmod 777 /AppHome/rabbitmq/logs
# The broker only needs ca.crt, server.crt and server.key. Copying the whole directory also puts
# ca.key and the client's private key on the broker host; outside a lab, copy just those three
# files and keep ca.key offline.
cp /tmp/ssl_rabbit/* /AppHome/rabbitmq/etc/ssl/
# Resulting directory layout:
[root@localhost rabbitmq]# tree ./
./
├── data
├── docker-compose.yml
├── etc
│   ├── enabled_plugins
│   ├── rabbitmq.conf
│   └── ssl
│       ├── ca.crt
│       ├── ca.key
│       ├── ca.srl
│       ├── client.crt
│       ├── client.csr
│       ├── client.key
│       ├── client.p12
│       ├── server.crt
│       ├── server.csr
│       ├── server.key
│       └── server.keystore
└── logs
    └── rabbit@rabbitmq.log
docker-compose.yml:
version: '3'
services:
  rabbitmq:
    hostname: rabbitmq
    container_name: rabbitmq
    image: docker.199604.com/library/rabbitmq:4.0.4-management
    restart: always
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
    environment:
      - TZ=Asia/Shanghai
      - RABBITMQ_DEFAULT_USER=glj
      - RABBITMQ_DEFAULT_PASS=glj@123
    volumes:
      - /AppHome/rabbitmq/data:/var/lib/rabbitmq
      - /AppHome/rabbitmq/etc:/etc/rabbitmq/
      - /AppHome/rabbitmq/logs:/var/log/rabbitmq/
    ports:
      - 5671:5671
      - 5672:5672
      - 15672:15672
Start the container
docker-compose up -d
# Check that the container started normally
[root@host146 logs]# docker logs -f b2c8c7215d65
2024-11-26 14:29:56.940431+08:00 [notice] <0.45.0> Application syslog exited with reason: stopped
2024-11-26 14:29:56.949526+08:00 [notice] <0.216.0> Logging: switching to configured handler(s); following messages may not be visible in this log output

  ##  ##      RabbitMQ 4.0.4
  ##  ##
  ##########  Copyright (c) 2007-2024 Broadcom Inc and/or its subsidiaries
  ######  ##
  ##########  Licensed under the MPL 2.0. Website: https://rabbitmq.com

  Erlang:      27.1.2 [jit]
  TLS Library: OpenSSL - OpenSSL 3.3.2 3 Sep 2024
  Release series support status: see https://www.rabbitmq.com/release-information

  Doc guides:  https://www.rabbitmq.com/docs
  Support:     https://www.rabbitmq.com/docs/contact
  Tutorials:   https://www.rabbitmq.com/tutorials
  Monitoring:  https://www.rabbitmq.com/docs/monitoring
  Upgrading:   https://www.rabbitmq.com/docs/upgrade

  Logs: /var/log/rabbitmq/rabbit@rabbitmq.log
        <stdout>

  Config file(s): /etc/rabbitmq/rabbitmq.conf

  Starting broker... completed with 3 plugins.
# List the active listeners; 5671 should appear as a TLS (amqp/ssl) listener. The
# diagnostics commands run inside the container:
docker exec rabbitmq rabbitmq-diagnostics listeners
# List the TLS versions the Erlang runtime supports (not the ones the listener is
# configured to accept, which ssl_options.versions restricts to 1.2 and 1.3)
docker exec rabbitmq rabbitmq-diagnostics --silent tls_versions
Testing the SSL configuration
Once SSL is configured on RabbitMQ, you can test the connection with OpenSSL or with a client library.
Testing with openssl s_client
Run the following from a client machine to test the TLS connection to RabbitMQ:
# Connect with the client certificate plus the CA certificate. Here the broker runs on the same
# host where the certificates were generated; adjust the address and paths otherwise.
openssl s_client -connect 127.0.0.1:5671 -cert client.crt -key client.key -CAfile ca.crt
On success the output contains Verify return code: 0 (ok). Because the broker requires a client certificate, the same command without -cert and -key must fail during the handshake; if it connects, fail_if_no_peer_cert is not in effect.
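The following script is an added example, not part of the original post, that turns the manual s_client test above into two pass/fail checks: a positive check that the mutual-TLS connection succeeds and the server certificate verifies, and a negative check that a client without a certificate is refused. The function names are this example's own; the host, port and file names default to the values used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): pass/fail wrappers around openssl s_client
# for a broker configured with verify_peer and fail_if_no_peer_cert = true.
# Usage: sh tls_check.sh HOST PORT CA_FILE CLIENT_CERT CLIENT_KEY [EXPECTED_NAME]
set -u

# Extract N from s_client's "Verify return code: N (...)" line (read from stdin).
# Prints "none" when the line is absent, e.g. because the handshake aborted earlier.
verify_code_of() {
    code=$(sed -n 's/.*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    printf '%s\n' "${code:-none}"
}

# Positive check: connect with the client certificate. -verify_return_error turns a failed
# server-certificate check into a failed connection instead of a warning, and -verify_hostname
# (when EXPECTED_NAME is given) insists the certificate names the broker, which the page's
# CN=localhost certificate only does for the name "localhost".
check_mtls_ok() {
    host=$1 port=$2 ca=$3 cert=$4 key=$5 name=${6:-}
    hn=""
    [ -n "$name" ] && hn="-verify_hostname $name"
    if ! out=$(openssl s_client -connect "$host:$port" -CAfile "$ca" -cert "$cert" -key "$key" \
                 -verify_return_error $hn </dev/null 2>&1); then
        echo "mTLS connection failed; verify return code: $(printf '%s\n' "$out" | verify_code_of)" >&2
        return 1
    fi
    code=$(printf '%s\n' "$out" | verify_code_of)
    [ "$code" = "0" ] || { echo "unexpected verify return code $code" >&2; return 1; }
    echo "mTLS ok"
}

# Negative check: the broker must refuse a client that presents no certificate. TLS 1.2 is
# forced because there the server rejects the empty Certificate message before the handshake
# completes, so s_client exits non-zero; under TLS 1.3 the rejection arrives after the client
# already considers the handshake done, and with stdin at EOF s_client can exit 0 first.
check_client_cert_required() {
    host=$1 port=$2 ca=$3
    if openssl s_client -connect "$host:$port" -CAfile "$ca" -tls1_2 </dev/null >/dev/null 2>&1; then
        echo "broker accepted a connection without a client certificate" >&2
        return 1
    fi
    echo "client certificate required: ok"
}

run_checks() {
    check_mtls_ok "$1" "$2" "$3" "$4" "$5" "${6:-}" && check_client_cert_required "$1" "$2" "$3"
}

if [ "$#" -ge 5 ]; then
    run_checks "$@"   # e.g. sh tls_check.sh 127.0.0.1 5671 ca.crt client.crt client.key
fi
```

Both checks must pass; a positive result alone does not prove that the broker rejects certificate-less clients.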
Testing with a RabbitMQ client
Spring Boot example configuration (application.yml):
spring:
  application:
    name: rabbitmq-consumer-boot
  rabbitmq:
    host: 192.168.100.150
    port: 5671
    username: glj
    password: glj@123
    # virtual host; may be omitted to use the server default
    virtual-host: /
    ssl:
      enabled: true
      key-store: classpath:ssl/client.p12
      key-store-password: Gzeport@123
      key-store-type: PKCS12
      trust-store: classpath:ssl/server.keystore
      trust-store-type: JKS
      algorithm: TLSv1.2
      validate-server-certificate: true
      verify-hostname: false
key-store-password must be the export password entered for openssl pkcs12. The trust store's own password (Gzeport@123 from keytool -storepass) can be supplied as trust-store-password; it is optional for reading a JKS file. verify-hostname: false is needed here only because the server certificate was issued for CN=localhost while the client connects to 192.168.100.150. Since server.keystore contains that single server certificate, the client still accepts no other certificate, but the proper fix is to issue the server certificate with a subjectAltName matching the broker address and set verify-hostname: true.