本文小编为大家详细介绍“RabbitMQ如何开启SSL与SpringBoot连接测试”,内容详细,步骤清晰,细节处理妥当,希望这篇“RabbitMQ如何开启SSL与SpringBoot连接测试”文章能帮助大家解决疑惑,下面跟着小编的思路慢慢深入,一起来学习新知识吧。
近期公司程序被安全扫描出 远程主机允许明文身份验证
中风险漏洞,查了下修复方案,RabbitMQ官方提供了SSL连接方式,而且 SpringBoot AMQP 也支持 SSL 连接。以下将配置RabbitMQ开启SSL 并使用 SpringBoot Demo 测试连接。
本文基于 CentOS 7 + Git + OpenSSL + yum 安装的 RabbitMQ,需要读者提交安装好。其他方式也可变通参考本文。
生成证书
#克隆生成证书的仓库到当前目录 git clone --depth 1 https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git cd CMF-AMQP-Configuration/ssl #生成ca证书,“MyRabbitMQCA”为自定义名称,名称任意。在当前目录下生成ca目录 sh setup_ca.sh MyRabbitMQCA #生成服务端证书,第一个参数是服务端证书前缀,第二个参数是密码。密码任意,在当前目录下生成server目录 sh make_server_cert.sh rabbitmq-server 123456 #生成客户端证书,第一个参数是客户端证书前缀,第二个参数是密码。密码任意,在当前目录下生成client目录 sh create_client_cert.sh rabbitmq-client 654321
配置 RabbitMQ 服务端的证书如下:
ca/cacert.pem #CA证书 server/rabbitmq-server.cert.pem #服务端公钥 server/rabbitmq-server.key.pem #服务端私钥
使用 RabbitMQ 服务端公钥证书生成 JKS 证书
# -alias后为别称,-file后是服务端公钥位置,-keystore后是输出JSK证书位置,此处相对路径 keytool -import -alias rabbitmq-server \ -file server/rabbitmq-server.cert.pem \ -keystore rabbitmqTrustStore -storepass changeit #输入y回车
配置 RabbitMQ 客户端的证书如下:
client/rabbitmq-client.keycert.p12 #PKCS12证书,包含客户端所需公私钥及中间证书 rabbitmqTrustStore #服务端JKS格式公钥
默认 RabbitMQ 配置目录在 /etc/rabbitmq
,我们创建个证书目录存放服务端证书
mkdir -p /etc/rabbitmq/ssl #复制服务端必要证书 cp ca/cacert.pem \ server/rabbitmq-server.cert.pem \ server/rabbitmq-server.key.pem /etc/rabbitmq/ssl/
修改 RabbitMQ 配置文件
修改 RabbitMQ 配置文件 /etc/rabbitmq/rabbitmq.config
,此文件默认不存在,需要手动创建
[{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [
{cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
{certfile, "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
{keyfile, "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{ciphers, [
"ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-DES-CBC3-SHA","ECDH-ECDSA-AES256-GCM-SHA384",
"ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384",
"DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
"AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
"ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256",
"DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
"AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
"ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA",
"AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
"ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"
]}
]}
]}].
主要配置项说明:
ssl_listeners
指定 SSL协议的端口号,官方文档 5671
ssl_options
SSL 认证配置项
cacertfile
CA 证书位置
certfile
公钥证书位置
keyfile
密钥证书位置
verify
verify_peer
客户端与服务端互相发送证书
verify_none
禁用证书交换与校验
fail_if_no_peer_cert
true
不接受没证书的客户端连接
false
接受没证书的客户端连接
ciphers
加密器(这个翻译不知道算不算对?)
重启 RabbitMQ
#关闭 rabbitmqctl stop #启动 rabbitmq-server -detached
验证开启 SSL 是否成功
使用 Rabbitmq 自带的诊断工具查看端口监听状态及使用协议
#查看监听 rabbitmq-diagnostics listeners #查看支持的TLS版本 rabbitmq-diagnostics --silent tls_versions
cd 生成证书的ssl目录 #使用客户端证书+CA证书连接RabbitMQ验证。本处MQ与生成证书是同一主机,其他情况请自行考虑。 openssl s_client -connect localhost:5671 \ -cert client/rabbitmq-client.cert.pem \ -key client/rabbitmq-client.key.pem \ -CAfile ca/cacert.pem
除了命令行查看外,还可以通过管理界面查看,不过只能确定开启了 SSL 监听,无法确认证书是否通过验证。
代码结构
只是使用 start.spring.io 生成的 Maven 工程,依赖了 WEB 和 AMQP
代码及配置
pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.5.8</version> <relativePath/> <!-- lookup parent from repository --> </parent> <groupId>com.example</groupId> <artifactId>demo</artifactId> <version>0.0.1-SNAPSHOT</version> <name>demo</name> <description>Demo project for Spring Boot</description> <properties> <java.version>1.8</java.version> </properties> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-amqp</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>org.springframework.amqp</groupId> <artifactId>spring-rabbit-test</artifactId> <scope>test</scope> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins> </build> </project>
启动类 DemoApplication.java
package com.hellxz.rabbitmq.ssl; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication public class DemoApplication { public static void main(String[] args) { SpringApplication.run(DemoApplication.class, args); } }
RabbitMQ客户端配置类 RabbitFanoutExchangeConfig.java
package com.hellxz.rabbitmq.ssl; import org.springframework.amqp.core.Binding; import org.springframework.amqp.core.BindingBuilder; import org.springframework.amqp.core.FanoutExchange; import org.springframework.amqp.core.Queue; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; @Configuration public class RabbitFanoutExchangeConfig { public static final String FANOUT_EXCHANGE = "fanout.exchange"; public static final String FANOUT_QUEUE1 = "fanout.queue1"; @Bean(name = FANOUT_EXCHANGE) public FanoutExchange fanoutExchange() { return new FanoutExchange(FANOUT_EXCHANGE, true, false); } @Bean(name = FANOUT_QUEUE1) public Queue fanoutQueue1() { return new Queue(FANOUT_QUEUE1, true, false, false); } @Bean public Binding bindingSimpleQueue1(@Qualifier(FANOUT_QUEUE1) Queue fanoutQueue1, @Qualifier(FANOUT_EXCHANGE) FanoutExchange fanoutExchange) { return BindingBuilder.bind(fanoutQueue1).to(fanoutExchange); } }
发消息测试类 TestController.java
package com.hellxz.rabbitmq.ssl; import org.springframework.amqp.core.Message; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; @RestController public class TestController { @Autowired RabbitMQSenderService rabbitMQSenderService; @GetMapping("/test") public void sendMsg() { Message msg = new Message("hello world".getBytes()); try { rabbitMQSenderService.send(RabbitFanoutExchangeConfig.FANOUT_EXCHANGE, RabbitFanoutExchangeConfig.FANOUT_QUEUE1, msg); } catch (Exception e) { e.printStackTrace(); } } }
发消息服务 RabbitMQSenderService.java
package com.hellxz.rabbitmq.ssl; import java.util.UUID; import org.springframework.amqp.core.Message; import org.springframework.amqp.rabbit.connection.CorrelationData; import org.springframework.amqp.rabbit.core.RabbitTemplate; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @Component public class RabbitMQSenderService { @Autowired private RabbitTemplate rabbitTemplate; public void send(String exchange, String routingkey, Message message) { CorrelationData correlationId = new CorrelationData(UUID.randomUUID().toString()); System.out.println("start send msg : " + message); rabbitTemplate.convertAndSend(exchange, routingkey, message, correlationId); System.out.println("end send msg : " + message); } }
消息接收者 RabbitMQReciver.java
package com.hellxz.rabbitmq.ssl; import org.springframework.amqp.rabbit.annotation.RabbitListener; import org.springframework.stereotype.Component; @Component class RabbitMQReciver { @RabbitListener(queues = RabbitFanoutExchangeConfig.FANOUT_QUEUE1) public void reciveLogAll(String msg) throws Exception { System.out.println("received msg:" + msg); } }
配置文件 application.properties
server.port=8085 #基础配置请根据实际配置 spring.rabbitmq.host=192.168.56.104 #ssl协议端口 spring.rabbitmq.port=5671 spring.rabbitmq.username=admin spring.rabbitmq.password=123456 spring.rabbitmq.virtual-host=/ #启用rabbitmq客户端SSL连接 spring.rabbitmq.ssl.enabled=true #客户端PKCS12证书及密码 spring.rabbitmq.ssl.key-store=classpath:ssl/rabbitmq-client.keycert.p12 spring.rabbitmq.ssl.key-store-password=654321 #公钥证书及类型 spring.rabbitmq.ssl.trust-store=classpath:ssl/rabbitmqTrustStore spring.rabbitmq.ssl.trust-store-type=JKS #不校验主机名,默认开启会导致连接失败 spring.rabbitmq.ssl.verify-hostname=false
src/main/resources 下创建 ssl 目录,将 客户端证书和服务端JKS公钥复制到 ssl 目录中。
执行代码验证
运行 DemoApplication.java
,查看控制台是否有报错:
如图,提示创建连接成功,说明已经连接成功了。
我们再调用 TestController.java
中定义的 /test
接口
消息发送与消费成功。
读到这里,这篇“RabbitMQ如何开启SSL与SpringBoot连接测试”文章已经介绍完毕,想要掌握这篇文章的知识点还需要大家自己动手实践使用过才能领会,如果想了解更多相关内容的文章,欢迎关注亿速云行业资讯频道。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。