当前位置:   article > 正文

RabbitMQ MQTT TLS相关配置

rabbitmq mqtt tls
  1. RabbitMQ MQTT TLS相关配置
  2. 一、启用rabbitmq_mqtt插件及配置
  3. 1、启用rabbitmq_mqtt
  4. rabbitmq-plugins enable rabbitmq_mqtt
  5. 2、用户和身份验证
  6. 添加用户:rabbitmqctl add_user mqtt_chen mqtt_chen
  7. 添加用户角色:rabbitmqctl set_user_tags mqtt_chen management
  8. 添加虚拟主机:rabbitmqctl add_vhost vhost1
  9. 将用户添加到虚拟主机:rabbitmqctl set_permissions -p /vhost1 mqtt_chen”*” “*” “*”
  10. 3、rabbitmqctl常用命令
  11. 4、rabbitmq_mqtt配置
  12. 若etc/rabbitmq/rabbitmq.config 不存在,则cd /usr/share/doc/rabbitmq-server-3.7.10
  13. 拷贝一份:cp /rabbitmq.config.example /etc/rabbitmq/rabbitmq.config
  14. 编辑rabbitmq.config: vi /etc/rabbitmq/rabbitmq.config
  15. {rabbitmq_mqtt,
  16. [
  17. {default_user, <<"guest">>},
  18. {default_pass, <<"guest">>},
  19. {loopback_users, []},
  20. {allow_anonymous, true},
  21. {vhost, <<"/">>},
  22. {exchange, <<"amq.topic">>},
  23. {subscription_ttl, 1800000},
  24. {prefetch, 10},
  25. {tcp_listeners, [1883]},
  26. {ssl_listeners, [8883]},
  27. {tcp_listen_options, [
  28. {backlog, 128},
  29. {nodelay, true},
  30. {linger, {true, 0}},
  31. {exit_on_close, false}
  32. ]}
  33. ]}
  34. 5、端口到虚拟主机映射
  35. rabbitmqctl set_global_parameter mqtt_port_to_vhost_mapping \
  36. ‘{“1883”:”vhost1”,”8883”:”vhost1”}’
  37. 6、重启rabbitmq
  38. rabbitmq-server restart or rabbitmq-server stop, rabbitmqctl stop,rabbitmq-server start
  39. 二、启用rabbitmq TLS及配置
  40. 1、启用TLS
  41. 编辑rabbitmq.config: vi /etc/rabbitmq/rabbitmq.config
  42. {rabbit,
  43. [
  44. {tcp_listeners, [5672]},
  45. {ssl_listeners, [5671]},
  46. {loopback_users, []},
  47. {ssl_options, [
  48.   {cacertfile, "/path/to/ca_certificate_bundle.pem"},
  49. {certfile, "/path/to/server_certificate.pem"},
  50. {keyfile, "/path/to/server_key.pem"},
  51. {verify, verify_peer},
  52. {fail_if_no_peer_cert, false}]}
  53. ]}
  54. 2、手动为开发和QA环境生成自签名证书
  55. 2.1、testca
  56. mkdir testca
  57. cd testca
  58. mkdir certs private
  59. chmod 700 private echo 01> serial
  60. touch index.txt
  61. touch openssl.cnf
  62. 添加如下内容:
  63. [ ca ]
  64. default_ca = testca
  65. [ testca ]
  66. dir = .
  67. certificate = $dir/ca_certificate_bundle.pem
  68. database = $dir/index.txt
  69. new_certs_dir = $dir/certs
  70. private_key = $dir/private/ca_private_key.pem
  71. serial = $dir/serial
  72. default_crl_days = 7
  73. default_days = 365
  74. default_md = sha256
  75. policy = testca_policy
  76. x509_extensions = certificate_extensions
  77. [ testca_policy ]
  78. commonName = supplied
  79. stateOrProvinceName = optional
  80. countryName = optional
  81. emailAddress = optional
  82. organizationName = optional
  83. organizationalUnitName = optional
  84. domainComponent = optional
  85. [ certificate_extensions ]
  86. basicConstraints = CA:false
  87. [ req ]
  88. default_bits = 2048
  89. default_keyfile = ./private/ca_private_key.pem
  90. default_md = sha256
  91. prompt = yes
  92. distinguished_name = root_ca_distinguished_name
  93. x509_extensions = root_ca_extensions
  94. [ root_ca_distinguished_name ]
  95. commonName = hostname
  96. [ root_ca_extensions ]
  97. basicConstraints = CA:true
  98. keyUsage = keyCertSign, cRLSign
  99. [ client_ca_extensions ]
  100. basicConstraints = CA:false
  101. keyUsage = digitalSignature,keyEncipherment
  102. extendedKeyUsage = 1.3.6.1.5.5.7.3.2
  103. [ server_ca_extensions ]
  104. basicConstraints = CA:false
  105. keyUsage = digitalSignature,keyEncipherment
  106. extendedKeyUsage = 1.3.6.1.5.5.7.3.1
  107. 然后生成证书颁发机构将使用的密钥和证书:
  108. openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
  109. -out ca_certificate_bundle.pem -outform PEM -subj /CN=MyTestCA/ -nodes
  110. openssl x509 -in ca_certificate_bundle.pem -out ca_certificate_bundle.cer -outform DER
  111. 2.2、server
  112. cd ..
  113. ls
  114. # => testca
  115. mkdir server
  116. cd server
  117. openssl genrsa -out private_key.pem 2048
  118. openssl req -new -key private_key.pem -out req.pem -outform PEM \
  119. -subj /CN=$(hostname)/O=server/ -nodes
  120. cd ../testca
  121. openssl ca -config openssl.cnf -in ../server/req.pem -out \
  122. ../server/server_certificate.pem -notext -batch -extensions server_ca_extensions
  123. cd ../server
  124. openssl pkcs12 -export -out server_certificate.p12 -in server_certificate.pem -inkey private_key.pem \
  125. -passout pass:MySecretPassword
  126. 2.3、client
  127. cd ..
  128. ls
  129. # => server testca
  130. mkdir client
  131. cd client
  132. openssl genrsa -out private_key.pem 2048
  133. openssl req -new -key private_key.pem -out req.pem -outform PEM \
  134. -subj /CN=$(hostname)/O=client/ -nodes
  135. cd ../testca
  136. openssl ca -config openssl.cnf -in ../client/req.pem -out \
  137. ../client/client_certificate.pem -notext -batch -extensions client_ca_extensions
  138. cd ../client
  139. openssl pkcs12 -export -out client_certificate.p12 -in client_certificate.pem -inkey private_key.pem \
  140. -passout pass:MySecretPassword
Rabbitmq.config总配置
  1. [
  2. {rabbit,
  3. [
  4. {tcp_listeners, [5672]},
  5. {ssl_listeners, [5671]},
  6. {loopback_users, []},
  7. {ssl_options, [{cacertfile, "/path/to/ca_certificate_bundle.pem"},
  8. {certfile, "/path/to/server_certificate.pem"},
  9. {keyfile, "/path/to/server_key.pem"},
  10. {verify, verify_peer},
  11. {fail_if_no_peer_cert, false}]}
  12. ]},
  13. {rabbitmq_mqtt,
  14. [
  15. {default_user, <<"guest">>},
  16. {default_pass, <<"guest">>},
  17. {loopback_users, []},
  18. {allow_anonymous, true},
  19. {vhost, <<"/">>},
  20. {exchange, <<"amq.topic">>},
  21. {subscription_ttl, 1800000},
  22. {prefetch, 10},
  23. {tcp_listeners, [1883]},
  24. {ssl_listeners, [8883]},
  25. {tcp_listen_options, [
  26. {backlog, 128},
  27. {nodelay, true},
  28. {linger, {true, 0}},
  29. {exit_on_close, false}
  30. ]}
  31. ]}
  32. ].
  1. 参考官网:
  2. 启用mqtt: http://www.rabbitmq.com/mqtt.html
  3. 启用TLS: http://www.rabbitmq.com/ssl.html
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/笔触狂放9/article/detail/792786
推荐阅读
相关标签
  

闽ICP备14008679号