Configuring RabbitMQ STOMP over HTTPS
Source: Internet  Published: 教务网络管理系统入口  Editor: 程序博客网  Time: 2024/04/30 13:55
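1 Create the SSL certificates
1.1 Create the files
Use rmqca as the certificate authority for RabbitMQ. The certs directory holds the certificates the CA generates; private holds the CA's key, with its permissions changed so that third parties cannot access it; serial holds the certificate serial number used by the CA; index.txt records the certificates the CA has issued.
    # mkdir rmqca
    # cd rmqca
    # mkdir certs private
    # chmod 700 private
    # echo 01 > serial
    # touch index.txt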
1.2 Create the configuration file used by the openssl commands: openssl.cnf
    [ ca ]
    default_ca = rmqca

    [ rmqca ]
    dir = .
    certificate = $dir/cacert.pem
    database = $dir/index.txt
    new_certs_dir = $dir/certs
    private_key = $dir/private/cakey.pem
    serial = $dir/serial

    default_crl_days = 7
    default_days = 365
    # SHA-1 is deprecated for certificate signatures; sha256 is the usual choice today.
    default_md = sha1

    policy = rmqca_policy
    x509_extensions = certificate_extensions

    [ rmqca_policy ]
    commonName = supplied
    stateOrProvinceName = optional
    countryName = optional
    emailAddress = optional
    organizationName = optional
    organizationalUnitName = optional

    [ certificate_extensions ]
    basicConstraints = CA:false

    [ req ]
    default_bits = 2048
    default_keyfile = ./private/cakey.pem
    default_md = sha1
    prompt = yes
    distinguished_name = root_ca_distinguished_name
    x509_extensions = root_ca_extensions

    [ root_ca_distinguished_name ]
    commonName = hostname

    [ root_ca_extensions ]
    basicConstraints = CA:true
    keyUsage = keyCertSign, cRLSign

    # 1.3.6.1.5.5.7.3.2 is the clientAuth extended key usage
    [ client_ca_extensions ]
    basicConstraints = CA:false
    keyUsage = digitalSignature
    extendedKeyUsage = 1.3.6.1.5.5.7.3.2

    # 1.3.6.1.5.5.7.3.1 is the serverAuth extended key usage
    [ server_ca_extensions ]
    basicConstraints = CA:false
    keyUsage = keyEncipherment
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1
1.3 Generate the CA certificate
    # openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
        -out cacert.pem -outform PEM -subj /CN=MyRmqca/ -nodes
    # openssl x509 -in cacert.pem -out cacert.cer -outform DER
1.4 Generate the server certificate
Generate an RSA key, then have a certificate issued for it.
    # cd ..
    # ls
    rmqca
    # mkdir server
    # cd server
    # openssl genrsa -out key.pem 2048
    # openssl req -new -key key.pem -out req.pem -outform PEM \
        -subj /CN=$(hostname)/O=server/ -nodes
    # cd ../rmqca
    # openssl ca -config openssl.cnf -in ../server/req.pem -out \
        ../server/cert.pem -notext -batch -extensions server_ca_extensions
    # cd ../server
    # openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:123456
1.5 Generate the client certificate
    # cd ..
    # ls
    server testca
    # mkdir client
    # cd client
    # openssl genrsa -out key.pem 2048
    # openssl req -new -key key.pem -out req.pem -outform PEM \
        -subj /CN=$(hostname)/O=client/ -nodes
    # cd ../rmqca
    # openssl ca -config openssl.cnf -in ../client/req.pem -out \
        ../client/cert.pem -notext -batch -extensions client_ca_extensions
    # cd ../client
    # openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:123456
2 Enable SSL for RabbitMQ
Add the following to the RabbitMQ configuration (rabbit.config):
    {rabbit, [
        {ssl_listeners, [5671]},
        {ssl_options, [{cacertfile, "/path/to/testca/cacert.pem"},
                       {certfile, "/path/to/server/cert.pem"},
                       {keyfile, "/path/to/server/key.pem"},
                       {verify, verify_peer},
                       {fail_if_no_peer_cert, false}]}
    ]}
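Whether the client must present a certificate, and whether that certificate must be trusted, is controlled by two parameters: verify and fail_if_no_peer_cert. Setting {fail_if_no_peer_cert, false} means we are prepared to accept a client that does not send us a certificate. Setting {verify, verify_peer} means that if the client does send a certificate, we must be able to establish trust in it.
With {verify, verify_none}, no certificates are exchanged between the client and the server.
cacertfile: path to the root certificate
certfile: path to the server certificate
keyfile: path to the server key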
3 Enable SSL for rabbit_web_stomp
Add the following to the RabbitMQ configuration (rabbit.config):
    {rabbitmq_web_stomp, [
        {ssl_config, [{port, 15671},
                      {backlog, 1024},
                      {certfile, "path/to/certs/client/cert.pem"},
                      {keyfile, "path/to/certs/client/key.pem"},
                      {cacertfile, "path/to/certs/testca/cacert.pem"},
                      {password, "changeme"}]}
    ]}
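The configuration parameters are as follows:
port: port number
backlog: maximum length of the pending-connection queue, default 1024
certfile: path to the client certificate
keyfile: path to the client key
cacertfile: path to the root certificate
password: password protecting the client certificate
Once the settings above are in place, the endpoint can be reached at https://ip:port/stomp.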
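Added example (not from the original post): a self-contained check that certificates carrying the extension sections from 1.2, issued as in 1.4 and 1.5, chain to the CA and are accepted only for their intended role before they are referenced from a certfile setting. It builds a throwaway PKI in a temporary directory; the names ConstructedCA and broker.example, the file names, and the use of openssl x509 -req in place of openssl ca are assumptions made to keep it short.

```bash
#!/usr/bin/env bash
# Added example; ConstructedCA, broker.example and the file names are constructed.
set -u
# Build a throwaway CA plus a server and a client certificate in directory $1.
make_pki() (
  cd "$1" || exit 1
  cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = root_ca_extensions
[ dn ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
  openssl req -x509 -config ext.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=ConstructedCA -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
  for role in server client; do
    openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=broker.example/O=$role" -keyout "$role.key" -out "$role.req" 2>/dev/null || exit 1
    # x509 -req stands in for the "openssl ca" step (no index.txt/serial needed).
    openssl x509 -req -in "$role.req" -CA cacert.pem -CAkey cakey.pem \
      -CAcreateserial -days 1 -sha256 -extfile ext.cnf \
      -extensions "${role}_ca_extensions" -out "$role.pem" 2>/dev/null || exit 1
  done
)

# Succeeds only if certificate $3 chains to CA $1 and is valid for purpose $2.
check_purpose() {
  openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

# Demo: print certificate versus purpose (sslserver, sslclient).
dir=$(mktemp -d) && make_pki "$dir" &&
for cert in server client; do for purpose in sslserver sslclient; do
  check_purpose "$dir/cacert.pem" "$purpose" "$dir/$cert.pem" && r=accepted || r=rejected
  echo "$cert.pem as $purpose: $r"
done; done
```

TLS clients that enforce extended key usage apply the same purpose check to whichever certificate a listener's certfile points at, so the rejected combinations are the ones to look for when a handshake fails.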