RabbitMQ如何开启SSL与SpringBoot连接测试

RabbitMQ如何开启SSL与SpringBoot连接测试

本文小编为大家详细介绍“RabbitMQ如何开启SSL与SpringBoot连接测试”,内容详细,步骤清晰,细节处理妥当,希望这篇“RabbitMQ如何开启SSL与SpringBoot连接测试”文章能帮助大家解决疑惑,下面跟着小编的思路慢慢深入,一起来学习新知识吧。

楔子

近期公司程序被安全扫描出 远程主机允许明文身份验证 中风险漏洞,查了下修复方案,RabbitMQ官方提供了SSL连接方式,而且 SpringBoot AMQP 也支持 SSL 连接。以下将配置RabbitMQ开启SSL 并使用 SpringBoot Demo 测试连接。

配置 RabbitMQ 开启 SSL

本文基于 CentOS 7 + Git + OpenSSL + yum 安装的 RabbitMQ,需要读者提交安装好。其他方式也可变通参考本文。

生成证书

#克隆生成证书的仓库到当前目录gitclone--depth1https://github.com/Berico-Technologies/CMF-AMQP-Configuration.gitcdCMF-AMQP-Configuration/ssl#生成ca证书,“MyRabbitMQCA”为自定义名称,名称任意。在当前目录下生成ca目录shsetup_ca.shMyRabbitMQCA#生成服务端证书,第一个参数是服务端证书前缀,第二个参数是密码。密码任意,在当前目录下生成server目录shmake_server_cert.shrabbitmq-server123456#生成客户端证书,第一个参数是客户端证书前缀,第二个参数是密码。密码任意,在当前目录下生成client目录shcreate_client_cert.shrabbitmq-client654321

配置 RabbitMQ 服务端的证书如下:

ca/cacert.pem#CA证书server/rabbitmq-server.cert.pem#服务端公钥server/rabbitmq-server.key.pem#服务端私钥

使用 RabbitMQ 服务端公钥证书生成 JKS 证书

#-alias后为别称,-file后是服务端公钥位置,-keystore后是输出JSK证书位置,此处相对路径keytool-import-aliasrabbitmq-server\-fileserver/rabbitmq-server.cert.pem\-keystorerabbitmqTrustStore-storepasschangeit#输入y回车

配置 RabbitMQ 客户端的证书如下:

client/rabbitmq-client.keycert.p12#PKCS12证书,包含客户端所需公私钥及中间证书rabbitmqTrustStore#服务端JKS格式公钥

默认 RabbitMQ 配置目录在 /etc/rabbitmq,我们创建个证书目录存放服务端证书

mkdir-p/etc/rabbitmq/ssl#复制服务端必要证书cpca/cacert.pem\server/rabbitmq-server.cert.pem\server/rabbitmq-server.key.pem/etc/rabbitmq/ssl/

修改 RabbitMQ 配置文件

修改 RabbitMQ 配置文件 /etc/rabbitmq/rabbitmq.config,此文件默认不存在,需要手动创建

[{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [
{cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
{certfile, "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
{keyfile, "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{ciphers, [
"ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-DES-CBC3-SHA","ECDH-ECDSA-AES256-GCM-SHA384",
"ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384",
"DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
"AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
"ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256",
"DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
"AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
"ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA",
"AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
"ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"
]}
]}
]}].

主要配置项说明:

  • ssl_listeners 指定 SSL协议的端口号,官方文档 5671

  • ssl_options SSL 认证配置项

  • cacertfile CA 证书位置

  • certfile 公钥证书位置

  • keyfile 密钥证书位置

  • verify

  • verify_peer 客户端与服务端互相发送证书

  • verify_none 禁用证书交换与校验

  • fail_if_no_peer_cert

  • true 不接受没证书的客户端连接

  • false 接受没证书的客户端连接

  • ciphers 加密器(这个翻译不知道算不算对?)

重启 RabbitMQ

#关闭rabbitmqctlstop#启动rabbitmq-server-detached

验证开启 SSL 是否成功

使用 Rabbitmq 自带的诊断工具查看端口监听状态及使用协议

#查看监听rabbitmq-diagnosticslisteners#查看支持的TLS版本rabbitmq-diagnostics--silenttls_versions

使用 OpenSSL CLI 工具验证证书是否有效

cd生成证书的ssl目录#使用客户端证书+CA证书连接RabbitMQ验证。本处MQ与生成证书是同一主机,其他情况请自行考虑。openssls_client-connectlocalhost:5671\-certclient/rabbitmq-client.cert.pem\-keyclient/rabbitmq-client.key.pem\-CAfileca/cacert.pem

除了命令行查看外,还可以通过管理界面查看,不过只能确定开启了 SSL 监听,无法确认证书是否通过验证。

编写 SpringBoot 代码连接测试

代码结构

只是使用 start.spring.io 生成的 Maven 工程,依赖了 WEB 和 AMQP

代码及配置

pom.xml

<?xmlversion="1.0"encoding="UTF-8"?><projectxmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0https://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.5.8</version><relativePath/><!--lookupparentfromrepository--></parent><groupId>com.example</groupId><artifactId>demo</artifactId><version>0.0.1-SNAPSHOT</version><name>demo</name><description>DemoprojectforSpringBoot</description><properties><java.version>1.8</java.version></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-amqp</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><dependency><groupId>org.springframework.amqp</groupId><artifactId>spring-rabbit-test</artifactId><scope>test</scope></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build></project>

启动类 DemoApplication.java

packagecom.hellxz.rabbitmq.ssl;importorg.springframework.boot.SpringApplication;importorg.springframework.boot.autoconfigure.SpringBootApplication;@SpringBootApplicationpublicclassDemoApplication{publicstaticvoidmain(String[]args){SpringApplication.run(DemoApplication.class,args);}}

RabbitMQ客户端配置类 RabbitFanoutExchangeConfig.java

packagecom.hellxz.rabbitmq.ssl;importorg.springframework.amqp.core.Binding;importorg.springframework.amqp.core.BindingBuilder;importorg.springframework.amqp.core.FanoutExchange;importorg.springframework.amqp.core.Queue;importorg.springframework.beans.factory.annotation.Qualifier;importorg.springframework.context.annotation.Bean;importorg.springframework.context.annotation.Configuration;@ConfigurationpublicclassRabbitFanoutExchangeConfig{publicstaticfinalStringFANOUT_EXCHANGE="fanout.exchange";publicstaticfinalStringFANOUT_QUEUE1="fanout.queue1";@Bean(name=FANOUT_EXCHANGE)publicFanoutExchangefanoutExchange(){returnnewFanoutExchange(FANOUT_EXCHANGE,true,false);}@Bean(name=FANOUT_QUEUE1)publicQueuefanoutQueue1(){returnnewQueue(FANOUT_QUEUE1,true,false,false);}@BeanpublicBindingbindingSimpleQueue1(@Qualifier(FANOUT_QUEUE1)QueuefanoutQueue1,@Qualifier(FANOUT_EXCHANGE)FanoutExchangefanoutExchange){returnBindingBuilder.bind(fanoutQueue1).to(fanoutExchange);}}

发消息测试类 TestController.java

packagecom.hellxz.rabbitmq.ssl;importorg.springframework.amqp.core.Message;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.web.bind.annotation.GetMapping;importorg.springframework.web.bind.annotation.RestController;@RestControllerpublicclassTestController{@AutowiredRabbitMQSenderServicerabbitMQSenderService;@GetMapping("/test")publicvoidsendMsg(){Messagemsg=newMessage("helloworld".getBytes());try{rabbitMQSenderService.send(RabbitFanoutExchangeConfig.FANOUT_EXCHANGE,RabbitFanoutExchangeConfig.FANOUT_QUEUE1,msg);}catch(Exceptione){e.printStackTrace();}}}

发消息服务 RabbitMQSenderService.java

packagecom.hellxz.rabbitmq.ssl;importjava.util.UUID;importorg.springframework.amqp.core.Message;importorg.springframework.amqp.rabbit.connection.CorrelationData;importorg.springframework.amqp.rabbit.core.RabbitTemplate;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.stereotype.Component;@ComponentpublicclassRabbitMQSenderService{@AutowiredprivateRabbitTemplaterabbitTemplate;publicvoidsend(Stringexchange,Stringroutingkey,Messagemessage){CorrelationDatacorrelationId=newCorrelationData(UUID.randomUUID().toString());System.out.println("startsendmsg:"+message);rabbitTemplate.convertAndSend(exchange,routingkey,message,correlationId);System.out.println("endsendmsg:"+message);}}

消息接收者 RabbitMQReciver.java

packagecom.hellxz.rabbitmq.ssl;importorg.springframework.amqp.rabbit.annotation.RabbitListener;importorg.springframework.stereotype.Component;@ComponentclassRabbitMQReciver{@RabbitListener(queues=RabbitFanoutExchangeConfig.FANOUT_QUEUE1)publicvoidreciveLogAll(Stringmsg)throwsException{System.out.println("receivedmsg:"+msg);}}

配置文件 application.properties

server.port=8085#基础配置请根据实际配置spring.rabbitmq.host=192.168.56.104#ssl协议端口spring.rabbitmq.port=5671spring.rabbitmq.username=adminspring.rabbitmq.password=123456spring.rabbitmq.virtual-host=/#启用rabbitmq客户端SSL连接spring.rabbitmq.ssl.enabled=true#客户端PKCS12证书及密码spring.rabbitmq.ssl.key-store=classpath:ssl/rabbitmq-client.keycert.p12spring.rabbitmq.ssl.key-store-password=654321#公钥证书及类型spring.rabbitmq.ssl.trust-store=classpath:ssl/rabbitmqTrustStorespring.rabbitmq.ssl.trust-store-type=JKS#不校验主机名,默认开启会导致连接失败spring.rabbitmq.ssl.verify-hostname=false

src/main/resources 下创建 ssl 目录,将 客户端证书和服务端JKS公钥复制到 ssl 目录中。

执行代码验证

运行 DemoApplication.java,查看控制台是否有报错:

如图,提示创建连接成功,说明已经连接成功了。

我们再调用 TestController.java 中定义的 /test 接口

消息发送与消费成功。

读到这里,这篇“RabbitMQ如何开启SSL与SpringBoot连接测试”文章已经介绍完毕,想要掌握这篇文章的知识点还需要大家自己动手实践使用过才能领会,如果想了解更多相关内容的文章,欢迎关注亿速云行业资讯频道。

发布于 2022-01-10 23:45:25
收藏
分享
海报
0 条评论
41
上一篇:Android如何实现微信小程序滑块验证 下一篇:ntp网络时间服务器的新功能是什么
目录

    0 条评论

    本站已关闭游客评论,请登录或者注册后再评论吧~

    忘记密码?

    图形验证码