Notes on using container
https://hub.docker.com/_/rabbitmq/
RabbitMQ
snaplogictestrabbit001
port: 5671 -> 2221, 5672 -> 2222
management port: 15672 (Exposed via Kong)
Change the path prefix the management UI is served at (this lets me host it via Kong) and enable the management plugin
-
echo "management.path_prefix = /rabbitmqmanagement" >> /etc/rabbitmq/rabbitmq.conf
-
rabbitmq-plugins enable rabbitmq_management
TODO switch to using RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS
Security Steps
Setup admin user
go to the admin interface and log in as guest / guest
add user admin with a secret password
give them the administrator tag
log in as admin
delete guest user
check guest user no longer works
Setup security for a client
in admin interface add a user and give it a password
Add a root virtual host
RabbitMQ SSL setup for server and client
https://weblogs.asp.net/jeffreyabecker/Using-SSL-client-certificates-fo…
- The public key (crt/cer file) of the CA which signed the server & client certs. This will likely be your active directory CA.
- A keypair (pfx) for the server with a CN matching the server's DNS name, a basic keyUsage of keyEncipherment, and an eku for ServerAuthentication (1.3.6.1.5.5.7.3.1)
- A keypair (pfx) for the client with a basic keyUsage of digitalSignature and an eku for ClientAuthentication (1.3.6.1.5.5.7.3.2)
I already had private and public keys for the server.
To get the cacert public file I used the command:
-
openssl s_client -showcerts -servername cat-sdts.metcarob-home.com -connect cat-sdts.metcarob-home.com:443 </dev/null
I manually extracted the parts between BEGIN CERTIFICATE and END CERTIFICATE into a file cacerts.crt.
I then turned this into a docker secret:
-
cat filename | docker secret create webservices_cacert -
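The manual extraction step above can be scripted. This is an added example, not part of the original notes: the helper names and the sample input are constructed for illustration, and the certificate bodies are placeholders rather than real certificates.

```shell
#!/bin/sh
# Added example (not from the original notes); helper names are hypothetical.

# extract_pem_certs [SKIP]
# Reads `openssl s_client -showcerts` output on stdin and prints only the PEM
# certificate blocks. s_client prints the server's own (leaf) certificate
# first, then the rest of the chain the server sent, so SKIP=1 keeps only the
# issuer certificates. Fails if a BEGIN line has no matching END line.
extract_pem_certs() {
    awk -v skip="${1:-0}" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n > skip             { print }
        /^-----END CERTIFICATE-----/   { inside = 0 }
        END {
            if (inside) {
                print "unterminated certificate block" > "/dev/stderr"
                exit 1
            }
        }
    '
}

# count_pem_certs: number of certificate blocks on stdin.
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Constructed sample shaped like s_client output; names and bodies are fake.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = server.example.test
   i:CN = Example Test Issuing CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-BODY
-----END CERTIFICATE-----
 1 s:CN = Example Test Issuing CA
   i:CN = Example Test Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ISSUER-BODY
-----END CERTIFICATE-----
---
Server certificate
subject=CN = server.example.test
EOF
}

# Usage with the command from these notes:
#   openssl s_client -showcerts -servername cat-sdts.metcarob-home.com \
#     -connect cat-sdts.metcarob-home.com:443 </dev/null | extract_pem_certs 1 > cacerts.crt
```

A server usually does not send the self-signed root in its chain, so check what was extracted with `openssl x509 -in cacerts.crt -noout -subject -issuer` before using it as the CA file.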
TODO SSL setup