rabbitmq開啟ssl

不会跳舞的胖子發表於2024-05-08

官網:https://www.rabbitmq.com/docs/management#multiple-listeners

生成證書

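# Step 1: generate the CA private key and its self-signed certificate in one go.
# `//` is not a shell comment: in the original line the trailing `//...` text was
# handed to openssl as extra arguments. Shell comments start with `#`.
# -nodes writes rsa_private.key unencrypted; this key signs server.crt in step 5
# (-CAkey), so keep it owner-readable only and off the broker host if possible.
openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt
chmod 600 rsa_private.key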

2.使用已有 RSA 私鑰生成自簽名證書（下列命令中的 server.key 需先依第 3 步生成）
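 # Step 2: self-signed certificate from an existing RSA key, then strip the
 # passphrase from server.key so the broker can load it without a prompt.
 # NOTE: server.key is created in step 3; run that step before these commands.
 # `//` is not a shell comment: the original trailing `//...` text was handed to
 # openssl as extra arguments. Shell comments start with `#`.
 openssl req -new -x509 -days 365 -key rsa_private.key -out cert.crt
 mv server.key serverbak.key
 # Removes the passphrase: the new server.key is plaintext, so restrict it to
 # the owner before it is copied to /opt/ssl for the broker.
 openssl rsa -in serverbak.key -out server.key
 chmod 600 server.key
 # serverbak.key is a single file, so -r is not needed; the encrypted copy is
 # discarded as in the original flow.
 rm -f serverbak.key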

3.生成自己網站的金鑰server.key
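 # Step 3: generate the broker's own private key, AES-256 encrypted at rest.
 # The original passed the passphrase as `-passout pass:...` on the command
 # line, which records it in shell history and shows it in the process list.
 # Without -passout, openssl prompts for it. To stay non-interactive, use
 # `-passout env:VAR` or `-passout file:PATH` rather than `pass:`.
 openssl genrsa -aes256 -out server.key 2048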

4.使用 RSA私鑰生成 CSR 簽名請求
 # Step 4: build the certificate signing request for the broker; the request is
 # signed with server.key (openssl prompts for its passphrase).
 openssl req -new -out server.csr -key server.key


5.使用 CA 證書及 CA 金鑰對請求簽發證書，生成 x509 證書
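# Step 5: sign the CSR with the CA key/cert from step 1 to produce the x509
# server certificate.
# -CAcreateserial replaces the fixed `-set_serial 01`: re-running the original
# command issues different certificates with the same serial under one CA,
# which violates X.509 and confuses clients that cache by serial. The counter
# is kept in cert.srl beside cert.crt.
# A subjectAltName is added because clients check the hostname against the SAN,
# not the CN; RABBITMQ_HOST is a placeholder for the broker hostname clients use.
# 3650 days is kept from the original; a shorter lifetime limits exposure if
# server.key is ever compromised.
: "${RABBITMQ_HOST:?set RABBITMQ_HOST to the broker hostname clients connect to}"
printf 'subjectAltName=DNS:%s\n' "$RABBITMQ_HOST" > server.ext
openssl x509 -req -days 3650 -in server.csr -CA cert.crt -CAkey rsa_private.key \
  -CAcreateserial -extfile server.ext -out server.crt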

6.驗證證書內容
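# Step 6: inspect the issued certificate (issuer, validity, SAN) and confirm it
# chains to the CA certificate the broker will load as cacertfile.
openssl x509 -in server.crt -noout -text
# Exits non-zero if server.crt was not issued by cert.crt.
openssl verify -CAfile cert.crt server.crt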

配置

%% -*- mode: erlang -*-
%% ----------------------------------------------------------------------------
%% RabbitMQ Sample Configuration File.
%%
%% Related doc guide: https://www.rabbitmq.com/configure.html. See
%% https://rabbitmq.com/documentation.html for documentation ToC.
%% ----------------------------------------------------------------------------
[
 {rabbit,
  [%%
   %% Networking
   %% ====================
   %%
   %% Related doc guide: https://www.rabbitmq.com/networking.html.

   %% By default, RabbitMQ will listen on all interfaces, using
   %% the standard (reserved) AMQP port.
   %%
   %% {tcp_listeners, [5672]},

   %% To listen on a specific interface, provide a tuple of {IpAddress, Port}.
   %% For example, to listen only on localhost for both IPv4 and IPv6:
   %%
   %% {tcp_listeners, [{"127.0.0.1", 5672},
   %%                  {"::1",       5672}]},

   %% TLS listeners are configured in the same fashion as TCP listeners,
   %% including the option to control the choice of interface.
   %%
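   {ssl_listeners, [5671]},
    {ssl_options, [
                   %% CA certificate used to validate client certificates.
                   {cacertfile,"/opt/ssl/cert.crt"},
                   {certfile,"/opt/ssl/server.crt"},
                   %% Loaded as a plaintext key; it must be readable only by
                   %% the user the broker runs as.
                   {keyfile,"/opt/ssl/server.key"},
                   {verify, verify_peer},
                   %% verify_peer on its own still accepts a client that presents
                   %% no certificate at all; with this set to true the handshake
                   %% fails instead. Set it to false only if clients are not
                   %% issued certificates and SASL authentication is relied on.
                   {fail_if_no_peer_cert, true},
                   %% TLS 1.1 is deprecated (RFC 8996) and was offered in the
                   %% original; offer only TLS 1.2 (add 'tlsv1.3' where the
                   %% Erlang/OTP release supports it).
                   {versions, ['tlsv1.2']}
                  ]
    }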

   %% Number of Erlang processes that will accept connections for the TCP
   %% and TLS listeners.
   %%
   %% {num_tcp_acceptors, 10},
   %% {num_ssl_acceptors, 1},

   %% Maximum time for AMQP 0-8/0-9/0-9-1 handshake (after socket connection
   %% and TLS handshake), in milliseconds.
   %%
   %% {handshake_timeout, 10000},

   %% Set to 'true' to perform reverse DNS lookups when accepting a
   %% connection. Hostnames will then be shown instead of IP addresses
   %% in rabbitmqctl and the management plugin.
   %%
   %% {reverse_dns_lookups, false},

   %%
   %% Security, Access Control
   %% ========================
   %%
   %% Related doc guide: https://www.rabbitmq.com/access-control.html.

   %% The default "guest" user is only permitted to access the server
   %% via a loopback interface (e.g. localhost).
   %% {loopback_users, [<<"guest">>]},
   %%
   %% Uncomment the following line if you want to allow access to the
   %% guest user from anywhere on the network.
   %%{loopback_users, []}


   %% TLS configuration.
   %%
   %% Related doc guide: https://www.rabbitmq.com/ssl.html.
   %%
   %% {ssl_options, [{cacertfile,           "/path/to/testca/cacert.pem"},
   %%                {certfile,             "/path/to/server/cert.pem"},
   %%                {keyfile,              "/path/to/server/key.pem"},
   %%                {verify,               verify_peer},
   %%                {fail_if_no_peer_cert, false}]},

   %% Choose the available SASL mechanism(s) to expose.
   %% The two default (built in) mechanisms are 'PLAIN' and
   %% 'AMQPLAIN'. Additional mechanisms can be added via
   %% plugins.
   %%
   %% Related doc guide: https://www.rabbitmq.com/authentication.html.
   %%
   %% {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},

   %% Select an authentication database to use. RabbitMQ comes bundled
   %% with a built-in auth-database, based on mnesia.
   %%
   %% {auth_backends, [rabbit_auth_backend_internal]},

   %% Configurations supporting the rabbitmq_auth_mechanism_ssl and
   %% rabbitmq_auth_backend_ldap plugins.
   %%
   %% NB: These options require that the relevant plugin is enabled.
   %% Related doc guide: https://www.rabbitmq.com/plugins.html for further details.

   %% The RabbitMQ-auth-mechanism-ssl plugin makes it possible to
   %% authenticate a user based on the client's TLS certificate.
   %%
   %% To use auth-mechanism-ssl, add to or replace the auth_mechanisms
   %% list with the entry 'EXTERNAL'.
   %%
   %% {auth_mechanisms, ['EXTERNAL']},

   %% The rabbitmq_auth_backend_ldap plugin allows the broker to
   %% perform authentication and authorisation by deferring to an
   %% external LDAP server.
   %%
   %% For more information about configuring the LDAP backend, see
   %% https://www.rabbitmq.com/ldap.html.
   %%
   %% Enable the LDAP auth backend by adding to or replacing the
   %% auth_backends entry:
   %%
   %% {auth_backends, [rabbit_auth_backend_ldap]},

   %% This pertains to both the rabbitmq_auth_mechanism_ssl plugin and
   %% STOMP ssl_cert_login configurations. See the rabbitmq_stomp
   %% configuration section later in this file and the README in
   %% https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl for further
   %% details.
   %%
   %% To use the TLS cert's CN instead of its DN as the username, set this to
   %% common_name (the value shown below, distinguished_name, is the default)
   %%
   %% {ssl_cert_login_from, distinguished_name},

   %% TLS handshake timeout, in milliseconds.
   %%
   %% {ssl_handshake_timeout, 5000},

   %% Makes RabbitMQ accept SSLv3 client connections by default.
   %% DO NOT DO THIS IF YOU CAN HELP IT.
   %%
   %% {ssl_allow_poodle_attack, false},

   %% Password hashing implementation. Will only affect newly
   %% created users. To recalculate hash for an existing user
   %% it's necessary to update her password.
   %%
   %% When importing definitions exported from versions earlier
   %% than 3.6.0, it is possible to go back to MD5 (only do this
   %% as a temporary measure!) by setting this to rabbit_password_hashing_md5.
   %%
   %% To use SHA-512, set to rabbit_password_hashing_sha512.
   %%
   %% {password_hashing_module, rabbit_password_hashing_sha256},

   %% Configuration entry encryption.
   %% Related doc guide: https://www.rabbitmq.com/configure.html#configuration-encryption
   %%
   %% To specify the passphrase in the configuration file:
   %%
   %% {config_entry_decoder, [{passphrase, <<"mypassphrase">>}]}
   %%
   %% To specify the passphrase in an external file:
   %%
   %% {config_entry_decoder, [{passphrase, {file, "/path/to/passphrase/file"}}]}
   %%
   %% To make the broker request the passphrase when it starts:
   %%
   %% {config_entry_decoder, [{passphrase, prompt}]}
   %%
   %% To change encryption settings:
   %%
   %% {config_entry_decoder, [{cipher,     aes_cbc256},
   %%                         {hash,       sha512},
   %%                         {iterations, 1000}]}

   %%
   %% Default User / VHost
   %% ====================
   %%

   %% On first start RabbitMQ will create a vhost and a user. These
   %% config items control what gets created. See
   %% https://www.rabbitmq.com/access-control.html for further
   %% information about vhosts and access control.
   %%
   %% {default_vhost,       <<"/">>},
   %% {default_user,        <<"guest">>},
   %% {default_pass,        <<"guest">>},
   %% {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},

   %% Tags for default user
   %%
   %% Related doc guide: https://www.rabbitmq.com/management.html.
   %%
   %% {default_user_tags, [administrator]},

   %%
   %% Additional network and protocol related configuration
   %% =====================================================
   %%

   %% Sets the default AMQP 0-9-1 heartbeat timeout in seconds.
   %% Values lower than 6 can produce false positives and are not
   %% recommended.
   %%
   %% Related doc guides:
   %%
   %%  * https://www.rabbitmq.com/heartbeats.html
   %%  * https://www.rabbitmq.com/networking.html
   %%
   %% {heartbeat, 60},

   %% Set the max permissible size of an AMQP frame (in bytes).
   %%
   %% {frame_max, 131072},

   %% Set the max frame size the server will accept before connection
   %% tuning occurs
   %%
   %% {initial_frame_max, 4096},

   %% Set the max permissible number of channels per connection.
   %% 0 means "no limit".
   %%
   %% {channel_max, 0},

   %% Set the max permissible number of client connections to the node.
   %% `infinity` means "no limit".
   %%
   %% This limit applies to client connections to all listeners (regardless of
   %% the protocol, whether TLS is used and so on). CLI tools and inter-node
   %% connections are exempt.
   %%
   %% When client connections are rapidly opened in succession, it is possible
   %% for the total connection count to go slightly higher than the configured limit.
   %% The limit works well as a general safety measure.
   %%
   %% Clients that are hitting the limit will see their TCP connections fail or time out.
   %%
   %% Introduced in 3.6.13.
   %%
   %% Related doc guide: https://www.rabbitmq.com/networking.html.
   %%
   %% {connection_max, infinity},

   %% TCP socket options.
   %%
   %% Related doc guide: https://www.rabbitmq.com/networking.html.
   %%
   %% {tcp_listen_options, [{backlog,       128},
   %%                       {nodelay,       true},
   %%                       {exit_on_close, false}]},

   %%
   %% Resource Limits & Flow Control
   %% ==============================
   %%
   %% Related doc guide: https://www.rabbitmq.com/memory.html, https://www.rabbitmq.com/memory-use.html.

   %% Memory-based Flow Control threshold.
   %%
   %% {vm_memory_high_watermark, 0.7},

   %% Alternatively, we can set a limit (in bytes) of RAM used by the node.
   %%
   %% {vm_memory_high_watermark, {absolute, 1073741824}},
   %%
   %% Or you can set absolute value using memory units (with RabbitMQ 3.6.0+).
   %%
   %% {vm_memory_high_watermark, {absolute, "1024M"}},
   %%
   %% Supported unit symbols:
   %%
   %% k, kiB: kibibytes (2^10 - 1,024 bytes)
   %% M, MiB: mebibytes (2^20 - 1,048,576 bytes)
   %% G, GiB: gibibytes (2^30 - 1,073,741,824 bytes)
   %% kB: kilobytes (10^3 - 1,000 bytes)
   %% MB: megabytes (10^6 - 1,000,000 bytes)
   %% GB: gigabytes (10^9 - 1,000,000,000 bytes)

   %% Fraction of the high watermark limit at which queues start to
   %% page message out to disc in order to free up memory.
   %% For example, when vm_memory_high_watermark is set to 0.4 and this value is set to 0.5,
   %% paging can begin as early as when 20% of total available RAM is used by the node.
   %%
   %% Values greater than 1.0 can be dangerous and should be used carefully.
   %%
   %% One alternative to this is to use durable queues and publish messages
   %% as persistent (delivery mode = 2). With this combination queues will
   %% move messages to disk much more rapidly.
   %%
   %% Another alternative is to configure queues to page all messages (both
   %% persistent and transient) to disk as quickly
   %% as possible, see https://www.rabbitmq.com/lazy-queues.html.
   %%
   %% {vm_memory_high_watermark_paging_ratio, 0.5},

   %% Selects Erlang VM memory consumption calculation strategy. Can be `allocated`, `rss` or `legacy` (aliased as `erlang`),
   %% Introduced in 3.6.11. `rss` is the default as of 3.6.12.
   %% See https://github.com/rabbitmq/rabbitmq-server/issues/1223 and rabbitmq/rabbitmq-common#224 for background.
   %% {vm_memory_calculation_strategy, rss},

   %% Interval (in milliseconds) at which we perform the check of the memory
   %% levels against the watermarks.
   %%
   %% {memory_monitor_interval, 2500},

   %% The total memory available can be calculated from the OS resources
   %% - default option - or provided as a configuration parameter:
   %% {total_memory_available_override_value, "5000MB"},

   %% Set disk free limit (in bytes). Once free disk space reaches this
   %% lower bound, a disk alarm will be set - see the documentation
   %% listed above for more details.
   %%
   %% {disk_free_limit, 50000000},
   %%
   %% Or you can set it using memory units (same as in vm_memory_high_watermark)
   %% with RabbitMQ 3.6.0+.
   %% {disk_free_limit, "50MB"},
   %% {disk_free_limit, "50000kB"},
   %% {disk_free_limit, "2GB"},

   %% Alternatively, we can set a limit relative to total available RAM.
   %%
   %% Values lower than 1.0 can be dangerous and should be used carefully.
   %% {disk_free_limit, {mem_relative, 2.0}},

   %%
   %% Clustering
   %% =====================
   %%

   %% Queue master location strategy:
   %%   * <<"min-masters">>
   %%   * <<"client-local">>
   %%   * <<"random">>
   %%
   %% Related doc guide: https://www.rabbitmq.com/ha.html#queue-master-location
   %%
   %% {queue_master_locator, <<"client-local">>},

   %% Batch size (number of messages) used during eager queue mirror synchronisation.
   %% Related doc guide: https://www.rabbitmq.com/ha.html#batch-sync. When average message size is relatively large
   %% (say, 10s of kilobytes or greater), reducing this value will decrease peak amount
   %% of RAM used by newly joining nodes that need eager synchronisation.
   %%
   %% {mirroring_sync_batch_size, 4096},

   %% Enables flow control between queue mirrors.
   %% Disabling this can be dangerous and is not recommended.
   %% When flow control is disabled, queue masters can outpace mirrors and not allow mirrors to catch up.
   %% Mirrors will end up using increasingly more RAM, eventually triggering a memory alarm.
   %%
   %% {mirroring_flow_control, true},

   %% Additional server properties to announce to connecting clients.
   %%
   %% {server_properties, []},

   %% How to respond to cluster partitions.
   %% Related doc guide: https://www.rabbitmq.com/partitions.html
   %%
   %% {cluster_partition_handling, ignore},

   %% Mirror sync batch size, in messages. Increasing this will speed
   %% up syncing but total batch size in bytes must not exceed 2 GiB.
   %% Available in RabbitMQ 3.6.0 or later.
   %%
   %% {mirroring_sync_batch_size, 4096},

   %% Make clustering happen *automatically* at startup - only applied
   %% to nodes that have just been reset or started for the first time.
   %% Related doc guide: https://www.rabbitmq.com/clustering.html#auto-config
   %%
   %% {cluster_nodes, {['rabbit@my.host.com'], disc}},

   %% Interval (in milliseconds) at which we send keepalive messages
   %% to other cluster members. Note that this is not the same thing
   %% as net_ticktime; missed keepalive messages will not cause nodes
   %% to be considered down.
   %%
   %% {cluster_keepalive_interval, 10000},

   %%
   %% Statistics Collection
   %% =====================
   %%

   %% Set (internal) statistics collection granularity.
   %%
   %% {collect_statistics, none},

   %% Statistics collection interval (in milliseconds). Increasing
   %% this will reduce the load on management database.
   %%
   %% {collect_statistics_interval, 5000},

   %% Enables vhosts tracing.
   %%
   %% {trace_vhosts, []},

   %% Explicitly enable/disable HiPE compilation.
   %%
   %% {hipe_compile, false},

   %% Number of delegate processes to use for intra-cluster communication.
   %% On a node which is part of cluster, has more than 16 cores and plenty of network bandwidth,
   %% it may make sense to increase this value.
   %%
   %% {delegate_count, 16},

   %% Number of times to retry while waiting for internal database tables (Mnesia tables) to sync
   %% from a peer. In deployments where nodes can take a long time to boot, this value
   %% may need increasing.
   %%
   %% {mnesia_table_loading_retry_limit, 10},

   %% Amount of time in milliseconds which this node will wait for internal database tables (Mnesia tables) to sync
   %% from a peer. In deployments where nodes can take a long time to boot, this value
   %% may need increasing.
   %%
   %% {mnesia_table_loading_retry_timeout, 30000},

   %% Size in bytes below which to embed messages in the queue index.
   %% Related doc guide: https://www.rabbitmq.com/persistence-conf.html
   %%
   %% {queue_index_embed_msgs_below, 4096},

   %% Maximum number of queue index entries to keep in journal
   %% Related doc guide: https://www.rabbitmq.com/persistence-conf.html.
   %%
   %% {queue_index_max_journal_entries, 32768},

   %% Number of credits that a queue process is given by the message store
   %% By default, a queue process is given 4000 message store credits,
   %% and then 800 for every 800 messages that it processes.
   %%
   %% {msg_store_credit_disc_bound, {4000, 800}},

   %% Minimum number of messages with their queue position held in RAM required
   %% to trigger writing their queue position to disk.
   %%
   %% This value MUST be higher than the initial msg_store_credit_disc_bound value,
   %% otherwise paging performance may worsen.
   %%
   %% {msg_store_io_batch_size, 4096},

   %% Number of credits that a connection, channel or queue are given.
   %%
   %% By default, every connection, channel or queue is given 400 credits,
   %% and then 200 for every 200 messages that it sends to a peer process.
   %% Increasing these values may help with throughput but also can be dangerous:
   %% high credit flow values are no different from not having flow control at all.
   %%
   %% Related doc guide: https://www.rabbitmq.com/blog/2015/10/06/new-credit-flow-settings-on-rabbitmq-3-5-5/
   %% and http://alvaro-videla.com/2013/09/rabbitmq-internals-credit-flow-for-erlang-processes.html.
   %%
   %% {credit_flow_default_credit, {400, 200}},

   %% Number of milliseconds before a channel operation times out.
   %%
   %% {channel_operation_timeout, 15000},

   %% Number of queue operations required to trigger an explicit garbage collection.
   %% Increasing this value may reduce CPU load and increase peak RAM consumption of queues.
   %%
   %% {queue_explicit_gc_run_operation_threshold, 1000},

   %% Number of lazy queue operations required to trigger an explicit garbage collection.
   %% Increasing this value may reduce CPU load and increase peak RAM consumption of lazy queues.
   %%
   %% {lazy_queue_explicit_gc_run_operation_threshold, 1000},

   %% Number of times disk monitor will retry free disk space queries before
   %% giving up.
   %%
   %% {disk_monitor_failure_retries, 10},

   %% Milliseconds to wait between disk monitor retries on failures.
   %%
   %% {disk_monitor_failure_retry_interval, 120000},

   %% Whether or not to enable background periodic forced GC runs for all
   %% Erlang processes on the node in "waiting" state.
   %%
   %% Disabling background GC may reduce latency for client operations,
   %% keeping it enabled may reduce median RAM usage by the binary heap
   %% (see https://www.erlang-solutions.com/blog/erlang-garbage-collector.html).
   %%
   %% Before enabling this option, please take a look at the memory
   %% breakdown (https://www.rabbitmq.com/memory-use.html).
   %%
   %% {background_gc_enabled, false},

   %% Interval (in milliseconds) at which we run background GC.
   %%
   %% {background_gc_target_interval, 60000},

   %% Message store operations are stored in a sequence of files called segments.
   %% This controls max size of a segment file.
   %% Increasing this value may speed up (sequential) disk writes but will slow down segment GC process.
   %% DO NOT CHANGE THIS for existing installations.
   %%
   %% {msg_store_file_size_limit, 16777216},

   %% Whether or not to enable file write buffering.
   %%
   %% {fhc_write_buffering, true},

   %% Whether or not to enable file read buffering. Enabling
   %% this may slightly speed up reads but will also increase
   %% node's memory consumption, in particular on boot.
   %%
   %% {fhc_read_buffering, false}

  ]},

 %% ----------------------------------------------------------------------------
 %% Advanced Erlang Networking/Clustering Options.
 %%
 %% Related doc guide: https://www.rabbitmq.com/clustering.html
 %% ----------------------------------------------------------------------------
 {kernel,
  [%% Sets the net_kernel tick time.
   %% Please see http://erlang.org/doc/man/kernel_app.html and
   %% https://www.rabbitmq.com/nettick.html for further details.
   %%
   %% {net_ticktime, 60}
  ]},

 %% ----------------------------------------------------------------------------
 %% RabbitMQ Management Plugin
 %%
 %% Related doc guide: https://www.rabbitmq.com/management.html
 %% ----------------------------------------------------------------------------

 {rabbitmq_management,
  [%% Preload schema definitions from a previously exported definitions file. See
   %% https://www.rabbitmq.com/management.html#load-definitions
   %%
   %% {load_definitions, "/path/to/exported/definitions.json"},

   %% Log all requests to the management HTTP API to a directory.
   %%
   %% {http_log_dir, "/path/to/rabbitmq/logs/http"},

   %% Change the port on which the HTTP listener listens,
   %% specifying an interface for the web server to bind to.
   %% Also set the listener to use TLS and provide TLS options.
   %%
   %% {listener, [{port,     12345},
   %%             {ip,       "127.0.0.1"},
   %%             {ssl,      true},
   %%             {ssl_opts, [{cacertfile, "/path/to/cacert.pem"},
   %%                         {certfile,   "/path/to/cert.pem"},
   %%                         {keyfile,    "/path/to/key.pem"}]}]},

   %% One of 'basic', 'detailed' or 'none'. See
   %% https://www.rabbitmq.com/management.html#fine-stats for more details.
   %% {rates_mode, basic},

   %% Configure how long aggregated data (such as message rates and queue
   %% lengths) is retained. Please read the plugin's documentation in
   %% https://www.rabbitmq.com/management.html#configuration for more
   %% details.
   %%
   %% {sample_retention_policies,
   %%  [{global,   [{60, 5}, {3600, 60}, {86400, 1200}]},
   %%   {basic,    [{60, 5}, {3600, 60}]},
   %%   {detailed, [{10, 5}]}]}
  ]},

 %% ----------------------------------------------------------------------------
 %% RabbitMQ Shovel Plugin
 %%
 %% Related doc guide: https://www.rabbitmq.com/shovel.html
 %% ----------------------------------------------------------------------------

 {rabbitmq_shovel,
  [{shovels,
    [%% A named shovel worker.
     %% {my_first_shovel,
     %%  [

     %% List the source broker(s) from which to consume.
     %%
     %%   {sources,
     %%    [%% URI(s) and pre-declarations for all source broker(s).
     %%     {brokers, ["amqp://user:password@host.domain/my_vhost"]},
     %%     {declarations, []}
     %%    ]},

     %% List the destination broker(s) to publish to.
     %%   {destinations,
     %%    [%% A singular version of the 'brokers' element.
     %%     {broker, "amqp://"},
     %%     {declarations, []}
     %%    ]},

     %% Name of the queue to shovel messages from.
     %%
     %% {queue, <<"your-queue-name-goes-here">>},

     %% Optional prefetch count.
     %%
     %% {prefetch_count, 10},

     %% when to acknowledge messages:
     %% - no_ack: never (auto)
     %% - on_publish: after each message is republished
     %% - on_confirm: when the destination broker confirms receipt
     %%
     %% {ack_mode, on_confirm},

     %% Overwrite fields of the outbound basic.publish.
     %%
     %% {publish_fields, [{exchange,    <<"my_exchange">>},
     %%                   {routing_key, <<"from_shovel">>}]},

     %% Static list of basic.properties to set on re-publication.
     %%
     %% {publish_properties, [{delivery_mode, 2}]},

     %% The number of seconds to wait before attempting to
     %% reconnect in the event of a connection failure.
     %%
     %% {reconnect_delay, 2.5}

     %% ]} %% End of my_first_shovel
    ]}
   %% Rather than specifying some values per-shovel, you can specify
   %% them for all shovels here.
   %%
   %% {defaults, [{prefetch_count,     0},
   %%             {ack_mode,           on_confirm},
   %%             {publish_fields,     []},
   %%             {publish_properties, [{delivery_mode, 2}]},
   %%             {reconnect_delay,    2.5}]}
  ]},

 %% ----------------------------------------------------------------------------
 %% RabbitMQ STOMP Plugin
 %%
 %% Related doc guide: https://www.rabbitmq.com/stomp.html
 %% ----------------------------------------------------------------------------

 {rabbitmq_stomp,
  [%% Network Configuration - the format is generally the same as for the broker

   %% Listen only on localhost (ipv4 & ipv6) on a specific port.
   %% {tcp_listeners, [{"127.0.0.1", 61613},
   %%                  {"::1",       61613}]},

   %% Listen for TLS connections on a specific port.
   %% {ssl_listeners, [61614]},

   %% Number of Erlang processes that will accept connections for the TCP
   %% and TLS listeners.
   %%
   %% {num_tcp_acceptors, 10},
   %% {num_ssl_acceptors, 1},

   %% Additional TLS options

   %% Extract a name from the client's certificate when using TLS.
   %%
   %% {ssl_cert_login, true},

   %% Set a default user name and password. This is used as the default login
   %% whenever a CONNECT frame omits the login and passcode headers.
   %%
   %% Please note that setting this will allow clients to connect without
   %% authenticating!
   %%
   %% {default_user, [{login,    "guest"},
   %%                 {passcode, "guest"}]},

   %% If a default user is configured, or you have configured use TLS client
   %% certificate based authentication, you can choose to allow clients to
   %% omit the CONNECT frame entirely. If set to true, the client is
   %% automatically connected as the default user or user supplied in the
   %% TLS certificate whenever the first frame sent on a session is not a
   %% CONNECT frame.
   %%
   %% {implicit_connect, true},

   %% Whether or not to enable proxy protocol support.
   %% Once enabled, clients cannot directly connect to the broker
   %% anymore. They must connect through a load balancer that sends the
   %% proxy protocol header to the broker at connection time.
   %% This setting applies only to STOMP clients, other protocols
   %% like MQTT or AMQP have their own setting to enable proxy protocol.
   %% See the plugins or broker documentation for more information.
   %%
   %% {proxy_protocol, false}
  ]},

 %% ----------------------------------------------------------------------------
 %% RabbitMQ MQTT Plugin
 %%
 %% Related doc guide: https://github.com/rabbitmq/rabbitmq-mqtt/blob/stable/README.md
 %%
 %% ----------------------------------------------------------------------------

 {rabbitmq_mqtt,
  [%% Set the default user name and password. Will be used as the default login
   %% if a connecting client provides no other login details.
   %%
   %% Please note that setting this will allow clients to connect without
   %% authenticating!
   %%
   %% {default_user, <<"guest">>},
   %% {default_pass, <<"guest">>},

   %% Enable anonymous access. If this is set to false, clients MUST provide
   %% login information in order to connect. See the default_user/default_pass
   %% configuration elements for managing logins without authentication.
   %%
   %% {allow_anonymous, true},

   %% If you have multiple vhosts, specify the one to which the
   %% adapter connects.
   %%
   %% {vhost, <<"/">>},

   %% Specify the exchange to which messages from MQTT clients are published.
   %%
   %% {exchange, <<"amq.topic">>},

   %% Specify TTL (time to live) to control the lifetime of non-clean sessions.
   %%
   %% {subscription_ttl, 1800000},

   %% Set the prefetch count (governing the maximum number of unacknowledged
   %% messages that will be delivered).
   %%
   %% {prefetch, 10},

   %% TLS listeners.
   %% See https://www.rabbitmq.com/networking.html
   %%
   %% {tcp_listeners, [1883]},
   %% {ssl_listeners, []},

   %% Number of Erlang processes that will accept connections for the TCP
   %% and TLS listeners.
   %% See https://www.rabbitmq.com/networking.html
   %%
   %% {num_tcp_acceptors, 10},
   %% {num_ssl_acceptors, 1},

   %% TCP socket options.
   %% See https://www.rabbitmq.com/networking.html
   %%
   %% {tcp_listen_options, [
   %%                         {backlog,   128},
   %%                         {linger,        {true, 0}},
   %%                         {exit_on_close, false}
   %%                      ]},

   %% Whether or not to enable proxy protocol support.
   %% Once enabled, clients cannot directly connect to the broker
   %% anymore. They must connect through a load balancer that sends the
   %% proxy protocol header to the broker at connection time.
   %% This setting applies only to MQTT clients, other protocols
   %% like STOMP or AMQP have their own setting to enable proxy protocol.
   %% See the plugins or broker documentation for more information.
   %%
   %% {proxy_protocol, false}
  ]},

 %% ----------------------------------------------------------------------------
 %% RabbitMQ AMQP 1.0 Support
 %%
 %% Related doc guide: https://github.com/rabbitmq/rabbitmq-amqp1.0/blob/stable/README.md
 %%
 %% ----------------------------------------------------------------------------

 {rabbitmq_amqp1_0,
  [%% Connections that are not authenticated with SASL will connect as this
   %% account. See the README for more information.
   %%
   %% Please note that setting this will allow clients to connect without
   %% authenticating!
   %%
   %% {default_user, "guest"},

   %% Enable protocol strict mode. See the README for more information.
   %%
   %% {protocol_strict_mode, false}
  ]},

 %% ----------------------------------------------------------------------------
 %% RabbitMQ LDAP Plugin
 %%
 %% Related doc guide: https://www.rabbitmq.com/ldap.html.
 %%
 %% ----------------------------------------------------------------------------

 {rabbitmq_auth_backend_ldap,
  [%%
   %% Connecting to the LDAP server(s)
   %% ================================
   %%

   %% Specify servers to bind to. You *must* set this in order for the plugin
   %% to work properly.
   %%
   %% {servers, ["your-server-name-goes-here"]},

   %% Connect to the LDAP server using TLS
   %%
   %% {use_ssl, false},

   %% Specify the LDAP port to connect to
   %%
   %% {port, 389},

   %% LDAP connection timeout, in milliseconds or 'infinity'
   %%
   %% {timeout, infinity},

   %% Enable logging of LDAP queries.
   %% One of
   %%   - false (no logging is performed)
   %%   - true (verbose logging of the logic used by the plugin)
   %%   - network (as true, but additionally logs LDAP network traffic)
   %%
   %% Defaults to false.
   %%
   %% {log, false},

   %%
   %% Authentication
   %% ==============
   %%

   %% Pattern to convert the username given through AMQP to a DN before
   %% binding
   %%
   %% {user_dn_pattern, "cn=${username},ou=People,dc=example,dc=com"},

   %% Alternatively, you can convert a username to a Distinguished
   %% Name via an LDAP lookup after binding. See the documentation for
   %% full details.

   %% When converting a username to a dn via a lookup, set these to
   %% the name of the attribute that represents the user name, and the
   %% base DN for the lookup query.
   %%
   %% {dn_lookup_attribute,   "userPrincipalName"},
   %% {dn_lookup_base,        "DC=gopivotal,DC=com"},

   %% Controls how to bind for authorisation queries and also to
   %% retrieve the details of users logging in without presenting a
   %% password (e.g., SASL EXTERNAL).
   %% One of
   %%  - as_user (to bind as the authenticated user - requires a password)
   %%  - anon    (to bind anonymously)
   %%  - {UserDN, Password} (to bind with a specified user name and password)
   %%
   %% Defaults to 'as_user'.
   %%
   %% {other_bind, as_user},

   %%
   %% Authorisation
   %% =============
   %%

   %% The LDAP plugin can perform a variety of queries against your
   %% LDAP server to determine questions of authorisation. See
   %% https://www.rabbitmq.com/ldap.html#authorisation for more
   %% information.

   %% Set the query to use when determining vhost access
   %%
   %% {vhost_access_query, {in_group,
   %%                       "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}},

   %% Set the query to use when determining resource (e.g., queue) access
   %%
   %% {resource_access_query, {constant, true}},

   %% Set queries to determine which tags a user has
   %%
   %% {tag_queries, []}
  ]},

  %% Lager controls logging.
  %% See https://github.com/basho/lager for more documentation
  {lager, [
   %%
   %% Log directory, taken from the RABBITMQ_LOG_BASE env variable by default.
   %% {log_root, "/var/log/rabbitmq"},
   %%
   %% All log messages go to the default "sink" configured with
   %% the `handlers` parameter. By default, it has a single
   %% lager_file_backend handler writing messages to "$nodename.log"
   %% (ie. the value of $RABBIT_LOGS).
   %% {handlers, [
   %%   {lager_file_backend, [{file, "rabbit.log"},
   %%                         {level, info},
   %%                         {date, ""},
   %%                         {size, 0}]}
   %% ]},
   %%
   %% Extra sinks are used in RabbitMQ to categorize messages. By
   %% default, those extra sinks are configured to forward messages
   %% to the default sink (see above). "rabbit_log_lager_event"
   %% is the default category where all RabbitMQ messages without
   %% a category go. Messages in the "channel" category go to the
   %% "rabbit_channel_lager_event" Lager extra sink, and so on.
   %% {extra_sinks, [
   %%   {rabbit_log_lager_event, [{handlers, [
   %%                               {lager_forwarder_backend,
   %%                                [lager_event, info]}]}]},
   %%   {rabbit_channel_lager_event, [{handlers, [
   %%                                   {lager_forwarder_backend,
   %%                                    [lager_event, info]}]}]},
   %%   {rabbit_connection_lager_event, [{handlers, [
   %%                                     {lager_forwarder_backend,
   %%                                      [lager_event, info]}]}]},
   %%   {rabbit_mirroring_lager_event, [{handlers, [
   %%                                     {lager_forwarder_backend,
   %%                                      [lager_event, info]}]}]}
   %% ]}
  ]}
].

重啟

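# Restart the node so the new ssl_listeners / ssl_options take effect.
rabbitmqctl stop
rabbitmq-server -detached
# -detached reports nothing if boot fails: wait for startup and confirm the
# TLS listener configured above (port 5671) is actually accepting connections
# before pointing clients at it.
rabbitmqctl await_startup
rabbitmq-diagnostics check_port_listener 5671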

檢視
