Added SSL support

See the README for instructions on generating the certificate. Patch from the University of Southampton IT Innovation Centre.
2012-09-04 15:27:11 +01:00 · 2012-09-04 15:27:11 +01:00 · 986215ccf1
parent 5c527c2a1a
commit 986215ccf1
4 changed files with 89 additions and 1 deletions
--- a/17
+++ b/17
@ -0,0 +1,17 @@
+Configuring SSL
+---------------
+Generate an unencrypted RSA private key for the servers and a certificate:
+
+  openssl genrsa -out rabbit-server-privkey.pem 2048
+
+Get an X.509 certificate. This can be self-signed, for example:
+
+  openssl req -batch -new -x509 -key rabbit-server-privkey.pem -out rabbit-server-cert.pem -days 10000
+
+Deploy the service:
+
+  juju deploy rabbitmq-server rabbit
+
+Enable SSL, passing in the key and certificate as configuration settings:
+
+  juju set rabbit ssl_enabled=True ssl_key="`cat rabbit-server-privkey.pem`" ssl_cert="`cat rabbit-server-cert.pem`"
--- a/config.yaml
+++ b/config.yaml
@ -0,0 +1,15 @@
+options:
+  ssl_enabled:
+    type: boolean
+    default: False
+    description: enable SSL
+  ssl_port:
+    type: int
+    default: 5673
+    description: SSL port
+  ssl_key:
+    type: string
+    description: private unencrypted key in PEM format (starts "-----BEGIN RSA PRIVATE KEY-----")
+  ssl_cert:
+    type: string
+    description: X.509 certificate in PEM format (starts "-----BEGIN CERTIFICATE-----")
--- a/hooks/config-changed
+++ b/hooks/config-changed
@ -0,0 +1,56 @@
+#!/bin/bash
+set -eu
+
+juju-log "rabbitmq-server: Firing config hook"
+
+ssl_enabled=`config-get ssl_enabled`
+
+cd /etc/rabbitmq
+
+exec 3> rabbitmq.config.new
+
+cat >&3 <<EOF
+[
+    {rabbit, [
+EOF
+
+ssl_key_file=/etc/rabbitmq/rabbit-server-privkey.pem
+ssl_cert_file=/etc/rabbitmq/rabbit-server-cert.pem
+
+if [ "$ssl_enabled" == "True" ]; then
+	umask 027
+	config-get ssl_key > "$ssl_key_file"
+	config-get ssl_cert > "$ssl_cert_file"
+	chgrp rabbitmq "$ssl_key_file" "$ssl_cert_file"
+	if [ ! -s "$ssl_key_file" ]; then
+		juju-log "ssl_key not set - can't configure SSL"
+		exit 0
+	fi
+	if [ ! -s "$ssl_cert_file" ]; then
+		juju-log "ssl_cert not set - can't configure SSL"
+		exit 0
+	fi
+	cat >&3 <<EOF
+	{ssl_listeners, [`config-get ssl_port`]},
+	{ssl_options, [
+		{certfile,"$ssl_cert_file"},
+		{keyfile,"$ssl_key_file"}
+	]},
+EOF
+fi
+
+cat >&3 <<EOF
+        {tcp_listeners, [5672]}
+    ]}
+].
+EOF
+
+exec 3>&-
+
+if [ -f rabbitmq.config ]; then
+	mv rabbitmq.config{,.bak}
+fi
+
+mv rabbitmq.config{.new,}
+
+/etc/init.d/rabbitmq-server restart
--- a/2
+++ b/2
@ -1 +1 @@
-31
+32