Introduction
This article describes how to secure the connection to the RabbitMQ Management Plugin web interface by serving it over HTTPS.
Description
By default, the RabbitMQ management plugin opens a socket on port 15672 so that users can reach its web interface over clear-text HTTP. Some customers require this connection to be secured with HTTPS.
Options
There are two options to secure this connection:
Option 1: Configure the management plugin itself to use SSL/TLS.
Option 2: Configure an external process to handle the TLS part, then forward the traffic to the management plugin.
After several tests, option 1 cannot be used with an SES installation, because SES components are not able to establish HTTPS connections (no TLS support in the request library used for broker polling).
So this article describes how to set up option 2.
Implementation
RabbitMQ configuration
Please refer to this article to configure all RabbitMQ listeners to bind to localhost. In addition, change the management listener port to 15673 (nginx will take over the public port 15672):
    {rabbitmq_management, [
        {listener, [{port, 15673}, {ip, "127.0.0.1"}]}
    ]}
NGINX setup
Install the nginx package using this command:
yum install nginx
Then enable it at boot time:
systemctl enable nginx
NGINX configuration
Open the /etc/nginx/nginx.conf file, comment out all declared server blocks and define your own. The "ssl" parameter on the listen directive replaces the deprecated "ssl on;" directive (removed in recent nginx releases):
    server {
        listen 15672 ssl;
        ssl_certificate     "/opt/systran/apps-node/enterprise-server/certificates/mysystran.crt";
        ssl_certificate_key "/opt/systran/apps-node/enterprise-server/certificates/mysystran.key";
        location / {
            proxy_pass http://localhost:15673;
        }
    }
SELinux Tweak
Please run the following commands to allow nginx to bind the 15672 socket and to forward requests to localhost:15673 (the -P flag makes the boolean persist across reboots):
    semanage port -m -t http_port_t -p tcp 15672
    setsebool -P httpd_can_network_connect true
SES configuration
You have to change some SES parameters in order to avoid breaking the Service Monitoring feature.
1. Go to Administration > Settings and change the Queue URL management setting as shown below:
2. Go to Administration > Environment and change the broker URL of the production environment as shown below:
Take care to open port 15672 on the firewall:
    firewall-cmd --permanent --zone=public --add-port=15672/tcp
    firewall-cmd --reload
Now, please restart the RabbitMQ and SYSTRAN services:
CentOS / RedHat 6
    service rabbitmq-server restart
    service nginx start
    for i in $(ls /etc/init.d | grep systran); do service $i restart; done
CentOS / RedHat 7
    systemctl restart rabbitmq-server
    systemctl start nginx
    for i in $(systemctl -a | grep -o 'systran-.*\.service'); do systemctl restart $i; done
Checks
You can check the resulting configuration with the following actions:
1. Check the socket binding state (15672 must be held by nginx, 15673 and 5672 must be bound to 127.0.0.1 only):
    netstat -anp | grep -E ":5672|:15672|:15673" | grep LIST
    tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 6780/nginx: master
    tcp 0 0 127.0.0.1:15673 0.0.0.0:* LISTEN 1633/beam.smp
    tcp 0 0 127.0.0.1:5672 0.0.0.0:* LISTEN 1633/beam.smp
2. Access https://<ses_server>:15672 (the nginx HTTPS listener; 15673 is only reachable from localhost).
The browser must report a secured (HTTPS) connection and prompt for a username and password.
3. On SES, go to Administration > Service Monitoring
All services should be up and running with a green status.
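The binding check in step 1 is the security-relevant one: if the management plugin is still bound to 0.0.0.0, the clear-text interface remains reachable from the network regardless of the nginx front end. The following shell function, added here as an example and not part of the original article or of the SYSTRAN product, parses netstat-style LISTEN lines and fails when port 15672 is not served by nginx or when 15673 or 5672 is bound to anything other than loopback. The two sample outputs are constructed; feed it the real output with check_listeners "$(netstat -anp 2>/dev/null)".

```shell
#!/bin/sh
# Added example (not from the original article): verify from "netstat -anp"
# style output that the public port 15672 is held by nginx and that the
# RabbitMQ management (15673) and AMQP (5672) listeners are loopback-only.

# Constructed sample: the expected state after following the article.
SAMPLE_OK='tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 6780/nginx: master
tcp 0 0 127.0.0.1:15673 0.0.0.0:* LISTEN 1633/beam.smp
tcp 0 0 127.0.0.1:5672 0.0.0.0:* LISTEN 1633/beam.smp'

# Constructed sample: the management plugin still exposed in clear text,
# and nginx not listening at all.
SAMPLE_BAD='tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 1633/beam.smp
tcp 0 0 0.0.0.0:15673 0.0.0.0:* LISTEN 1633/beam.smp'

# check_listeners "<netstat output>": prints findings, returns 0 when the
# binding state is correct and 1 when any problem is detected.
check_listeners() {
    input=$1
    rc=0

    # 1. The public port 15672 must be owned by nginx, not by the Erlang VM.
    #    Field 4 is the local address, field 6 the state, field 7 the PID/program.
    owner=$(printf '%s\n' "$input" | awk '$4 ~ /:15672$/ && $6 == "LISTEN" {print $7}')
    case "$owner" in
        */nginx*) echo "OK: port 15672 served by nginx ($owner)" ;;
        *)        echo "FAIL: port 15672 is not served by nginx (owner: ${owner:-none})"
                  rc=1 ;;
    esac

    # 2. 15673 (management plugin) and 5672 (AMQP) must be bound to loopback only.
    for port in 15673 5672; do
        addrs=$(printf '%s\n' "$input" | awk -v re=":$port\$" '$4 ~ re && $6 == "LISTEN" {print $4}')
        if [ -z "$addrs" ]; then
            echo "FAIL: nothing is listening on port $port"
            rc=1
            continue
        fi
        for addr in $addrs; do
            case "$addr" in
                127.0.0.1:*|::1:*|"[::1]:"*) echo "OK: port $port bound to loopback ($addr)" ;;
                *) echo "FAIL: port $port is exposed on $addr (expected loopback only)"
                   rc=1 ;;
            esac
        done
    done

    return $rc
}

# Stand-alone usage against the constructed samples. Note that "ss -ltnp" uses a
# different column layout, so the awk field numbers would need adjusting for it.
check_listeners "$SAMPLE_OK"  && echo "sample OK: listeners correctly bound"
check_listeners "$SAMPLE_BAD" || echo "sample BAD: exposure detected (expected)"
```

Running it with the real netstat output after the restart gives an immediate pass/fail for the two properties the article relies on, instead of reading the table by eye.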