Added SSL support
See the README for instructions on generating the certificate. Patch from the University of Southampton IT Innovation Centre.
parent
5c527c2a1a
commit
986215ccf1
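--- a/README
+++ b/README
@@ -0,0 +1,17 @@
+Configuring SSL
+---------------
+Generate an unencrypted RSA private key for the servers and a certificate:
+
+openssl genrsa -out rabbit-server-privkey.pem 2048
+
+Get an X.509 certificate. This can be self-signed, for example:
+
+openssl req -batch -new -x509 -key rabbit-server-privkey.pem -out rabbit-server-cert.pem -days 10000
+
+Deploy the service:
+
+juju deploy rabbitmq-server rabbit
+
+Enable SSL, passing in the key and certificate as configuration settings:
+
+juju set rabbit ssl_enabled=True ssl_key="`cat rabbit-server-privkey.pem`" ssl_cert="`cat rabbit-server-cert.pem`"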
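--- a/config.yaml
+++ b/config.yaml
@@ -0,0 +1,15 @@
+options:
+ssl_enabled:
+type: boolean
+default: False
+description: enable SSL
+ssl_port:
+type: int
+default: 5673
+description: SSL port
+ssl_key:
+type: string
+description: private unencrypted key in PEM format (starts "-----BEGIN RSA PRIVATE KEY-----")
+ssl_cert:
+type: string
+description: X.509 certificate in PEM format (starts "-----BEGIN CERTIFICATE-----")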
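Review bot: The `ssl_key` description does not tell the operator that the unencrypted private key is held as an ordinary charm configuration string, so it is presumably readable by anyone who can read this service's configuration. I would extend the text to something like `description: private unencrypted key in PEM format (starts "-----BEGIN RSA PRIVATE KEY-----"); stored as plain service configuration, so use a key dedicated to this broker`. Separately, `ssl_port` defaults to 5673 while the registered AMQP-over-TLS port is 5671; if 5673 is deliberate, a few words in its description would save clients a guess.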
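--- a/hooks/config-changed
+++ b/hooks/config-changed
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -eu
+
+juju-log "rabbitmq-server: Firing config hook"
+
+ssl_enabled=`config-get ssl_enabled`
+
+cd /etc/rabbitmq
+
+exec 3> rabbitmq.config.new
+
+cat >&3 <<EOF
+[
+{rabbit, [
+EOF
+
+ssl_key_file=/etc/rabbitmq/rabbit-server-privkey.pem
+ssl_cert_file=/etc/rabbitmq/rabbit-server-cert.pem
+
+if [ "$ssl_enabled" == "True" ]; then
+umask 027
+config-get ssl_key > "$ssl_key_file"
+config-get ssl_cert > "$ssl_cert_file"
+chgrp rabbitmq "$ssl_key_file" "$ssl_cert_file"
+if [ ! -s "$ssl_key_file" ]; then
+juju-log "ssl_key not set - can't configure SSL"
+exit 0
+fi
+if [ ! -s "$ssl_cert_file" ]; then
+juju-log "ssl_cert not set - can't configure SSL"
+exit 0
+fi
+cat >&3 <<EOF
+{ssl_listeners, [`config-get ssl_port`]},
+{ssl_options, [
+{certfile,"$ssl_cert_file"},
+{keyfile,"$ssl_key_file"}
+]},
+EOF
+fi
+
+cat >&3 <<EOF
+{tcp_listeners, [5672]}
+]}
+].
+EOF
+
+exec 3>&-
+
+if [ -f rabbitmq.config ]; then
+mv rabbitmq.config{,.bak}
+fi
+
+mv rabbitmq.config{.new,}
+
+/etc/init.d/rabbitmq-server restart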
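Review bot: Both `exit 0` branches run only after `config-get ssl_key > "$ssl_key_file"` has already truncated and rewritten the key and certificate files, and they leave `rabbitmq.config.new` half-written while reporting success. An operator who sets `ssl_enabled=True` without a key or certificate therefore gets a broker that still serves plaintext only, with no failed hook to notice. I would read and check both values before touching the filesystem, remove the partial file, and exit non-zero (or keep `exit 0` with a comment saying why a failed hook is not wanted). `{tcp_listeners, [5672]}` is also written unconditionally, so enabling SSL adds a TLS listener without closing the plaintext one; that deserves a comment or its own option. Finally, the redirect keeps the mode of a pre-existing key file, so `umask 027` protects only the first write and a `chmod 640 "$ssl_key_file"` after it would make the permission explicit.

```shell
if [ "$ssl_enabled" == "True" ]; then
    ssl_key=`config-get ssl_key`
    ssl_cert=`config-get ssl_cert`
    if [ -z "$ssl_key" ] || [ -z "$ssl_cert" ]; then
        juju-log "ssl_key or ssl_cert not set - can't configure SSL"
        exec 3>&-
        rm -f rabbitmq.config.new
        exit 1
    fi
    umask 027
    printf '%s\n' "$ssl_key" > "$ssl_key_file"
    printf '%s\n' "$ssl_cert" > "$ssl_cert_file"
    chmod 640 "$ssl_key_file"
    chgrp rabbitmq "$ssl_key_file" "$ssl_cert_file"
    # … unchanged: ssl_listeners / ssl_options heredoc …
fi
```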