Added SSL support
See the README for instructions on generating the certificate. Patch from the University of Southampton IT Innovation Centre.
parent
5c527c2a1a
commit
986215ccf1
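--- a/README
+++ b/README
@@ -0,0 +1,17 @@
+Configuring SSL
+---------------
+Generate an unencrypted RSA private key for the servers and a certificate:
+
+openssl genrsa -out rabbit-server-privkey.pem 2048
+
+Get an X.509 certificate. This can be self-signed, for example:
+
+openssl req -batch -new -x509 -key rabbit-server-privkey.pem -out rabbit-server-cert.pem -days 10000
+
+Deploy the service:
+
+juju deploy rabbitmq-server rabbit
+
+Enable SSL, passing in the key and certificate as configuration settings:
+
+juju set rabbit ssl_enabled=True ssl_key="`cat rabbit-server-privkey.pem`" ssl_cert="`cat rabbit-server-cert.pem`"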
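--- a/config.yaml
+++ b/config.yaml
@@ -0,0 +1,15 @@
+options:
+ssl_enabled:
+type: boolean
+default: False
+description: enable SSL
+ssl_port:
+type: int
+default: 5673
+description: SSL port
+ssl_key:
+type: string
+description: private unencrypted key in PEM format (starts "-----BEGIN RSA PRIVATE KEY-----")
+ssl_cert:
+type: string
+description: X.509 certificate in PEM format (starts "-----BEGIN CERTIFICATE-----")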
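Review bot: `ssl_key` is declared as a plain `string` option, so the unencrypted private key is held in the service configuration alongside ordinary settings and handed back by `config-get`; its description should say so, for example by appending `; stored as plain text in the service configuration` to the existing text. Neither `ssl_key` nor `ssl_cert` declares a `default`, so the hook has to cope with an unset value. `ssl_port` defaults to 5673 while the IANA-registered AMQP-over-TLS port is 5671; if 5673 is deliberate, the `description: SSL port` line is the place to explain why.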
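--- a/hooks/config-changed
+++ b/hooks/config-changed
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -eu
+
+juju-log "rabbitmq-server: Firing config hook"
+
+ssl_enabled=`config-get ssl_enabled`
+
+cd /etc/rabbitmq
+
+exec 3> rabbitmq.config.new
+
+cat >&3 <<EOF
+[
+{rabbit, [
+EOF
+
+ssl_key_file=/etc/rabbitmq/rabbit-server-privkey.pem
+ssl_cert_file=/etc/rabbitmq/rabbit-server-cert.pem
+
+if [ "$ssl_enabled" == "True" ]; then
+umask 027
+config-get ssl_key > "$ssl_key_file"
+config-get ssl_cert > "$ssl_cert_file"
+chgrp rabbitmq "$ssl_key_file" "$ssl_cert_file"
+if [ ! -s "$ssl_key_file" ]; then
+juju-log "ssl_key not set - can't configure SSL"
+exit 0
+fi
+if [ ! -s "$ssl_cert_file" ]; then
+juju-log "ssl_cert not set - can't configure SSL"
+exit 0
+fi
+cat >&3 <<EOF
+{ssl_listeners, [`config-get ssl_port`]},
+{ssl_options, [
+{certfile,"$ssl_cert_file"},
+{keyfile,"$ssl_key_file"}
+]},
+EOF
+fi
+
+cat >&3 <<EOF
+{tcp_listeners, [5672]}
+]}
+].
+EOF
+
+exec 3>&-
+
+if [ -f rabbitmq.config ]; then
+mv rabbitmq.config{,.bak}
+fi
+
+mv rabbitmq.config{.new,}
+
+/etc/init.d/rabbitmq-server restart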
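Review bot: Both `exit 0` paths are reached only after `config-get ssl_key > "$ssl_key_file"` and its `ssl_cert` twin have already truncated the PEM files. An unset option therefore leaves empty key and certificate files, a half-written `rabbitmq.config.new`, and the previous `rabbitmq.config` (which may still name those files) in place, while the hook reports success. Reading both values into variables and checking them before anything is written keeps a working key intact; the fence shows that ordering. Separately, `{tcp_listeners, [5672]}` is emitted unconditionally, so enabling SSL adds a TLS listener but leaves the cleartext one open, and nothing removes the key file when `ssl_enabled` is later switched off; both deserve a comment in the hook.

```shell
if [ "$ssl_enabled" == "True" ]; then
    # Fetch both values first so an unset option cannot truncate files
    # that the installed rabbitmq.config may still reference.
    ssl_key=$(config-get ssl_key)
    ssl_cert=$(config-get ssl_cert)
    if [ -z "$ssl_key" ] || [ -z "$ssl_cert" ]; then
        juju-log "ssl_key or ssl_cert not set - can't configure SSL"
        exec 3>&-
        rm -f rabbitmq.config.new
        exit 0
    fi
    umask 027
    printf '%s\n' "$ssl_key" > "$ssl_key_file"
    printf '%s\n' "$ssl_cert" > "$ssl_cert_file"
    # … unchanged: chgrp and the ssl_listeners / ssl_options here-document …
```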