From 986215ccf1149b5e757467aee96592ba978bc618 Mon Sep 17 00:00:00 2001
From: Thomas Leonard
Date: Tue, 4 Sep 2012 15:27:11 +0100
Subject: [PATCH 1/2] Added SSL support
See the README for instructions on generating the certificate.
Patch from the University of Southampton IT Innovation Centre.
---
README | 17 ++++++++++++++
config.yaml | 15 ++++++++++++
hooks/config-changed | 56 ++++++++++++++++++++++++++++++++++++++++++++
revision | 2 +-
4 files changed, 89 insertions(+), 1 deletion(-)
create mode 100644 README
create mode 100644 config.yaml
create mode 100755 hooks/config-changed
diff --git a/README b/README
new file mode 100644
index 00000000..baaeb079
--- /dev/null
+++ b/README
@@ -0,0 +1,17 @@
+Configuring SSL
+---------------
+Generate an unencrypted RSA private key for the servers and a certificate:
+
+ openssl genrsa -out rabbit-server-privkey.pem 2048
+
+Get an X.509 certificate. This can be self-signed, for example:
+
+ openssl req -batch -new -x509 -key rabbit-server-privkey.pem -out rabbit-server-cert.pem -days 10000
+
+Deploy the service:
+
+ juju deploy rabbitmq-server rabbit
+
+Enable SSL, passing in the key and certificate as configuration settings:
+
+ juju set rabbit ssl_enabled=True ssl_key="`cat rabbit-server-privkey.pem`" ssl_cert="`cat rabbit-server-cert.pem`"
diff --git a/config.yaml b/config.yaml
new file mode 100644
index 00000000..bfd22962
--- /dev/null
+++ b/config.yaml
@@ -0,0 +1,15 @@
+options:
+ ssl_enabled:
+ type: boolean
+ default: False
+ description: enable SSL
+ ssl_port:
+ type: int
+ default: 5673
+ description: SSL port
+ ssl_key:
+ type: string
+ description: private unencrypted key in PEM format (starts "-----BEGIN RSA PRIVATE KEY-----")
+ ssl_cert:
+ type: string
+ description: X.509 certificate in PEM format (starts "-----BEGIN CERTIFICATE-----")
diff --git a/hooks/config-changed b/hooks/config-changed
new file mode 100755
index 00000000..122af4fa
--- /dev/null
+++ b/hooks/config-changed
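Review bot: `ssl_key` carries the server's private key as an ordinary `type: string` option, and its description says nothing about where that value ends up; held as a plain configuration setting, the key is readable by anyone who can read the service configuration. I would extend the description to `description: private unencrypted key in PEM format (starts "-----BEGIN RSA PRIVATE KEY-----"); stored unencrypted in the service configuration` so operators know this before setting it. The `ssl_port` default of 5673 is not the conventional AMQPS port (5671); if the choice is deliberate, a word in its description would stop it being read as a typo.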
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -eu
+
+juju-log "rabbitmq-server: Firing config hook"
+
+ssl_enabled=`config-get ssl_enabled`
+
+cd /etc/rabbitmq
+
+exec 3> rabbitmq.config.new
+
+cat >&3 < "$ssl_key_file"
+ config-get ssl_cert > "$ssl_cert_file"
+ chgrp rabbitmq "$ssl_key_file" "$ssl_cert_file"
+ if [ ! -s "$ssl_key_file" ]; then
+ juju-log "ssl_key not set - can't configure SSL"
+ exit 0
+ fi
+ if [ ! -s "$ssl_cert_file" ]; then
+ juju-log "ssl_cert not set - can't configure SSL"
+ exit 0
+ fi
+ cat >&3 <&3 <&-
+
+if [ -f rabbitmq.config ]; then
+ mv rabbitmq.config{,.bak}
+fi
+
+mv rabbitmq.config{.new,}
+
+/etc/init.d/rabbitmq-server restart
diff --git a/revision b/revision
index e85087af..f5c89552 100644
--- a/revision
+++ b/revision
@@ -1 +1 @@
-31
+32
From 980c9e61e30b1fbb3170d3a9864faec06a8208c3 Mon Sep 17 00:00:00 2001
From: Thomas Leonard
Date: Thu, 6 Sep 2012 14:20:01 +0100
Subject: [PATCH 2/2] Use a randomly-generated temporary file name
Not actually necessary in this case, but considered good style.
Suggested by Clint Byrum.
---
hooks/config-changed | 7 +++++--
revision | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/hooks/config-changed b/hooks/config-changed
index 122af4fa..e1c498de 100755
--- a/hooks/config-changed
+++ b/hooks/config-changed
@@ -7,7 +7,10 @@ ssl_enabled=`config-get ssl_enabled`
 cd /etc/rabbitmq
-exec 3> rabbitmq.config.new
+new_config=`mktemp /etc/rabbitmq/.rabbitmq.config.XXXXXX`
+chgrp rabbitmq "$new_config"
+chmod g+r "$new_config"
+exec 3> "$new_config"
 cat >&3 <
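Review bot: The key file is created by `config-get ssl_key > "$ssl_key_file"` with the hook's default umask, and the only permission change afterwards is `chgrp rabbitmq`; no `chmod` is visible, so under a typical 022 umask the private key stays world-readable on disk. Creating it restrictively, e.g. `(umask 077; config-get ssl_key > "$ssl_key_file")` then `chgrp rabbitmq "$ssl_key_file"` and `chmod 640 "$ssl_key_file"`, keeps it readable by the rabbitmq group only. Both `exit 0` branches return after `exec 3> rabbitmq.config.new` has already created the new config, so a partially written `rabbitmq.config.new` (and, after the second patch, the `mktemp` file) is left behind whenever SSL cannot be configured; closing fd 3 and removing the file before those exits, or deferring the `exec` until the inputs are validated, would avoid that. The heredoc bodies of the `cat >&3` commands, along with the lines that set `ssl_key_file` and `ssl_cert_file`, appear to be missing from this rendering and could not be reviewed.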