RabbitMQ開(kāi)啟SSL與SpringBoot連接測(cè)試的配置方法

更新時(shí)間：2022年01月08日 09:11:55 作者：東北小狐貍

本文基于 CentOS 7 + Git + OpenSSL + yum 安裝的 RabbitMQ，需要讀者提交安裝好。其他方式也可變通參考本文。對(duì)RabbitMQ開(kāi)啟SSL與SpringBoot連接測(cè)試相關(guān)知識(shí)感興趣的朋友一起看看吧

楔子

近期公司程序被安全掃描出 遠(yuǎn)程主機(jī)允許明文身份驗(yàn)證 中風(fēng)險(xiǎn)漏洞，查了下修復(fù)方案，RabbitMQ官方提供了SSL連接方式，而且 SpringBoot AMQP 也支持 SSL 連接。以下將配置RabbitMQ開(kāi)啟SSL 并使用 SpringBoot Demo 測(cè)試連接。

PS : 寫(xiě)文章時(shí)此配置還未安全掃描復(fù)測(cè)，如果測(cè)試通過(guò)，本人將更新此文章?tīng)顟B(tài)為驗(yàn)證通過(guò)。

配置 RabbitMQ 開(kāi)啟 SSL

本文基于 CentOS 7 + Git + OpenSSL + yum 安裝的 RabbitMQ，需要讀者提交安裝好。其他方式也可變通參考本文。

生成證書(shū)

#克隆生成證書(shū)的倉(cāng)庫(kù)到當(dāng)前目錄
git clone --depth 1 https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git
cd CMF-AMQP-Configuration/ssl
#生成ca證書(shū)，“MyRabbitMQCA”為自定義名稱，名稱任意。在當(dāng)前目錄下生成ca目錄
sh setup_ca.sh MyRabbitMQCA
#生成服務(wù)端證書(shū)，第一個(gè)參數(shù)是服務(wù)端證書(shū)前綴，第二個(gè)參數(shù)是密碼。密碼任意，在當(dāng)前目錄下生成server目錄
sh make_server_cert.sh rabbitmq-server 123456
#生成客戶端證書(shū)，第一個(gè)參數(shù)是客戶端證書(shū)前綴，第二個(gè)參數(shù)是密碼。密碼任意，在當(dāng)前目錄下生成client目錄
sh create_client_cert.sh rabbitmq-client 654321

配置 RabbitMQ 服務(wù)端的證書(shū)如下：

ca/cacert.pem #CA證書(shū)
server/rabbitmq-server.cert.pem #服務(wù)端公鑰
server/rabbitmq-server.key.pem  #服務(wù)端私鑰

使用 RabbitMQ 服務(wù)端公鑰證書(shū)生成 JKS 證書(shū)

# -alias后為別稱，-file后是服務(wù)端公鑰位置，-keystore后是輸出JSK證書(shū)位置，此處相對(duì)路徑
keytool -import -alias rabbitmq-server \
  -file server/rabbitmq-server.cert.pem \
  -keystore rabbitmqTrustStore -storepass changeit
#輸入y回車

配置 RabbitMQ 客戶端的證書(shū)如下：

client/rabbitmq-client.keycert.p12 #PKCS12證書(shū)，包含客戶端所需公私鑰及中間證書(shū)
rabbitmqTrustStore #服務(wù)端JKS格式公鑰

默認(rèn) RabbitMQ 配置目錄在 /etc/rabbitmq，我們創(chuàng)建個(gè)證書(shū)目錄存放服務(wù)端證書(shū)

mkdir -p /etc/rabbitmq/ssl
#復(fù)制服務(wù)端必要證書(shū)
cp ca/cacert.pem \
server/rabbitmq-server.cert.pem \
server/rabbitmq-server.key.pem /etc/rabbitmq/ssl/

修改 RabbitMQ 配置文件

修改 RabbitMQ 配置文件 /etc/rabbitmq/rabbitmq.config，此文件默認(rèn)不存在，需要手動(dòng)創(chuàng)建

[{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [
{cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
{certfile, "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
{keyfile, "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{ciphers, [
"ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-DES-CBC3-SHA","ECDH-ECDSA-AES256-GCM-SHA384",
"ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384",
"DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
"AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
"ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256",
"DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
"AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
"ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA",
"AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
"ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"
]}
]}
]}].

主要配置項(xiàng)說(shuō)明：

ssl_listeners 指定 SSL協(xié)議的端口號(hào)，官方文檔 5671
ssl_options SSL 認(rèn)證配置項(xiàng)
cacertfile CA 證書(shū)位置
certfile 公鑰證書(shū)位置
keyfile 密鑰證書(shū)位置
verify
verify_peer 客戶端與服務(wù)端互相發(fā)送證書(shū)
verify_none 禁用證書(shū)交換與校驗(yàn)
fail_if_no_peer_cert
true 不接受沒(méi)證書(shū)的客戶端連接
false 接受沒(méi)證書(shū)的客戶端連接
ciphers 加密器（這個(gè)翻譯不知道算不算對(duì)？）

重啟 RabbitMQ

#關(guān)閉
rabbitmqctl stop
#啟動(dòng)
rabbitmq-server -detached

驗(yàn)證開(kāi)啟 SSL 是否成功

使用 Rabbitmq 自帶的診斷工具查看端口監(jiān)聽(tīng)狀態(tài)及使用協(xié)議

#查看監(jiān)聽(tīng)
rabbitmq-diagnostics listeners
#查看支持的TLS版本
rabbitmq-diagnostics --silent tls_versions

使用 OpenSSL CLI 工具驗(yàn)證證書(shū)是否有效

cd 生成證書(shū)的ssl目錄
#使用客戶端證書(shū)+CA證書(shū)連接RabbitMQ驗(yàn)證。本處MQ與生成證書(shū)是同一主機(jī)，其他情況請(qǐng)自行考慮。
openssl s_client -connect localhost:5671 \
  -cert client/rabbitmq-client.cert.pem \
  -key client/rabbitmq-client.key.pem \
  -CAfile ca/cacert.pem

除了命令行查看外，還可以通過(guò)管理界面查看，不過(guò)只能確定開(kāi)啟了 SSL 監(jiān)聽(tīng)，無(wú)法確認(rèn)證書(shū)是否通過(guò)驗(yàn)證。

編寫(xiě) SpringBoot 代碼連接測(cè)試

代碼結(jié)構(gòu)

只是使用 start.spring.io 生成的 Maven 工程，依賴了 WEB 和 AMQP

代碼及配置

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.5.8</version>
		<relativePath/> <!-- lookup parent from repository -->
	</parent>
	<groupId>com.example</groupId>
	<artifactId>demo</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>demo</name>
	<description>Demo project for Spring Boot</description>
	<properties>
		<java.version>1.8</java.version>
	</properties>
	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-amqp</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.amqp</groupId>
			<artifactId>spring-rabbit-test</artifactId>
			<scope>test</scope>
		</dependency>
	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>

</project>

啟動(dòng)類 DemoApplication.java

package com.hellxz.rabbitmq.ssl;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

RabbitMQ客戶端配置類 RabbitFanoutExchangeConfig.java

package com.hellxz.rabbitmq.ssl;
import org.springframework.amqp.core.Binding;
import org.springframework.amqp.core.BindingBuilder;
import org.springframework.amqp.core.FanoutExchange;
import org.springframework.amqp.core.Queue;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class RabbitFanoutExchangeConfig {
    public static final String FANOUT_EXCHANGE = "fanout.exchange";
    public static final String FANOUT_QUEUE1 = "fanout.queue1";
    @Bean(name = FANOUT_EXCHANGE)
    public FanoutExchange fanoutExchange() {
        return new FanoutExchange(FANOUT_EXCHANGE, true, false);
    }
    @Bean(name = FANOUT_QUEUE1)
    public Queue fanoutQueue1() {
        return new Queue(FANOUT_QUEUE1, true, false, false);
    }
    
    @Bean
    public Binding bindingSimpleQueue1(@Qualifier(FANOUT_QUEUE1) Queue fanoutQueue1,
                                       @Qualifier(FANOUT_EXCHANGE) FanoutExchange fanoutExchange) {
        return BindingBuilder.bind(fanoutQueue1).to(fanoutExchange);
    }
}

發(fā)消息測(cè)試類 TestController.java

package com.hellxz.rabbitmq.ssl;
import org.springframework.amqp.core.Message;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class TestController {
    @Autowired
    RabbitMQSenderService rabbitMQSenderService;
    
    @GetMapping("/test")
    public void sendMsg() {
        Message msg = new Message("hello world".getBytes());
        try {
            rabbitMQSenderService.send(RabbitFanoutExchangeConfig.FANOUT_EXCHANGE,
                    RabbitFanoutExchangeConfig.FANOUT_QUEUE1, msg);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

發(fā)消息服務(wù) RabbitMQSenderService.java

package com.hellxz.rabbitmq.ssl;
import java.util.UUID;
import org.springframework.amqp.core.Message;
import org.springframework.amqp.rabbit.connection.CorrelationData;
import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component
public class RabbitMQSenderService {
    @Autowired
    private RabbitTemplate rabbitTemplate;
    public void send(String exchange, String routingkey, Message message) {
        CorrelationData correlationId = new CorrelationData(UUID.randomUUID().toString());
        System.out.println("start send msg : " + message);
        rabbitTemplate.convertAndSend(exchange, routingkey, message, correlationId);
        System.out.println("end send msg : " + message);
    }
}

消息接收者 RabbitMQReciver.java

package com.hellxz.rabbitmq.ssl;
import org.springframework.amqp.rabbit.annotation.RabbitListener;
import org.springframework.stereotype.Component;
@Component
class RabbitMQReciver {
    @RabbitListener(queues = RabbitFanoutExchangeConfig.FANOUT_QUEUE1)
    public void reciveLogAll(String msg) throws Exception {
        System.out.println("received msg:" + msg);
    }
}

配置文件 application.properties

server.port=8085
#基礎(chǔ)配置請(qǐng)根據(jù)實(shí)際配置
spring.rabbitmq.host=192.168.56.104
#ssl協(xié)議端口
spring.rabbitmq.port=5671
spring.rabbitmq.username=admin
spring.rabbitmq.password=123456
spring.rabbitmq.virtual-host=/
#啟用rabbitmq客戶端SSL連接
spring.rabbitmq.ssl.enabled=true
#客戶端PKCS12證書(shū)及密碼
spring.rabbitmq.ssl.key-store=classpath:ssl/rabbitmq-client.keycert.p12
spring.rabbitmq.ssl.key-store-password=654321
#公鑰證書(shū)及類型
spring.rabbitmq.ssl.trust-store=classpath:ssl/rabbitmqTrustStore
spring.rabbitmq.ssl.trust-store-type=JKS
#不校驗(yàn)主機(jī)名，默認(rèn)開(kāi)啟會(huì)導(dǎo)致連接失敗
spring.rabbitmq.ssl.verify-hostname=false

src/main/resources 下創(chuàng)建 ssl 目錄，將客戶端證書(shū)和服務(wù)端JKS公鑰復(fù)制到 ssl 目錄中。

執(zhí)行代碼驗(yàn)證

運(yùn)行 DemoApplication.java，查看控制臺(tái)是否有報(bào)錯(cuò)：

如圖，提示創(chuàng)建連接成功，說(shuō)明已經(jīng)連接成功了。

我們?cè)僬{(diào)用 TestController.java 中定義的 /test 接口

消息發(fā)送與消費(fèi)成功。

參考

https://www.rabbitmq.com/access-control.html

https://www.rabbitmq.com/ssl.html

https://www.rabbitmq.com/troubleshooting-ssl.html

加密器部分參考 https://www.cnblogs.com/ybyn/p/13959135.html

代碼部分參考 Github，地址已不可考

到此這篇關(guān)于RabbitMQ開(kāi)啟SSL與SpringBoot連接測(cè)試的文章就介紹到這了,更多相關(guān)RabbitMQ與SpringBoot連接測(cè)試內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: