I have another update to make to this:
If you want to use RabbitMQ (securely!) you can either fiddle for a long time with setting up the RabbitMQ SSL configuration, or you can forward the AMQP stream through Nginx and use it as a TLS terminating proxy, allowing you to re-use the Let’s Encrypt certificates:
- Install RabbitMQ.
- Make sure the RabbitMQ server is started using `sudo service rabbitmq-server start`.
- Make sure it is started on system restart using `sudo systemctl enable rabbitmq-server`.
- Configure `ufw` with the following extra port: `sudo ufw allow 5671/tcp` (this opens the default amqps port to the outside world).
- Enable the RabbitMQ management plugin, which serves the management API on localhost port 15672 so that nginx can proxy it: `sudo rabbitmq-plugins enable rabbitmq_management`
- Add a section to your server config to expose the RabbitMQ management API to the outside world over HTTPS:

```nginx
location ~* /rabbitmq/api/(.*?)/(.*) {
    # %2F is the URL-encoded name of the default vhost "/"
    proxy_pass http://127.0.0.1:15672/api/$1/%2F/$2?$query_string;
    proxy_buffering off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location ~* /rabbitmq/(.*) {
    rewrite ^/rabbitmq/(.*)$ /$1 break;
    proxy_pass http://127.0.0.1:15672;
    proxy_buffering off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

  (Put this before the existing, more general `location {...}` blocks, otherwise those will match first.)
- To allow access to RabbitMQ remotely, add the following to your main `nginx.conf`. (It unfortunately cannot live inside the site-specific configuration, because that one is included inside the `http {...}` block and therefore does not allow you to write a `stream {...}` block.)

```nginx
stream {
    upstream rabbitmq_backend {
        # Plaintext AMQP; port 5672 is not opened in ufw, so only local clients (nginx) reach it.
        server localhost:5672;
    }

    server {
        listen 5671 ssl;  # the amqps port opened in ufw above
        ssl_certificate /etc/letsencrypt/live/planga.io/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/planga.io/privkey.pem; # managed by Certbot
        # The following settings were copied from /etc/letsencrypt/options-ssl-nginx.conf; be sure to keep them up to date!
        # (We cannot include that file since it contains an 'ssl_session_cache' that cannot be reused.)
        # TLSv1 and TLSv1.1 are deprecated; drop them if all your AMQP clients support TLSv1.2.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
        # End of copied settings
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        proxy_connect_timeout 1s;
        proxy_pass rabbitmq_backend;
    }
}
```
- Make sure the nginx config is correct by testing it using `sudo nginx -t` (it will give you readable error messages if it fails).
- Reload nginx with `sudo service nginx reload`.
- Try connecting from e.g. a local AMQP client using the URL `amqps://username:password@your.hostname.com`, which should now work!
- For extra security, you might want to remove the default `guest` user from RabbitMQ, or at least give it a non-default password: because nginx opens the backend connection from localhost, every proxied client appears to RabbitMQ to come from localhost, so its built-in "guest can only connect from localhost" protection no longer protects anything.
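As an added check (not part of the original post), the following script verifies both halves of the setup from the client side: that the certificate nginx serves on port 5671 validates against the system CA store with hostname checking on, and that the decrypted stream really reaches RabbitMQ, which it confirms by sending the AMQP 0-9-1 protocol header and expecting a `Connection.Start` frame back. The host name and the frame-parsing helpers are mine; only `check_amqps` needs network access.

```python
import socket
import ssl
import struct

# AMQP 0-9-1 protocol header a client sends first; if nginx really forwards the
# decrypted stream to RabbitMQ, the broker answers with a Connection.Start frame.
AMQP_PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"
FRAME_END = 0xCE  # every AMQP frame ends with this octet


def parse_frame(data: bytes):
    """Parse one frame: type (1 byte), channel (2), size (4), payload, 0xCE."""
    if len(data) < 8:
        raise ValueError("truncated frame header")
    frame_type, channel, size = struct.unpack("!BHI", data[:7])
    if len(data) < 8 + size:
        raise ValueError("truncated frame payload")
    if data[7 + size] != FRAME_END:
        raise ValueError("missing frame-end octet; reply is not an AMQP frame")
    return frame_type, channel, data[7:7 + size]


def is_connection_start(frame) -> bool:
    """Connection.Start is a method frame (type 1) on channel 0, class 10, method 10."""
    frame_type, channel, payload = frame
    if frame_type != 1 or channel != 0 or len(payload) < 4:
        return False
    return struct.unpack("!HH", payload[:4]) == (10, 10)


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TLS sockets may return partial reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("broker closed the connection mid-frame")
        buf += chunk
    return buf


def check_amqps(host: str, port: int = 5671, timeout: float = 5.0) -> dict:
    """Verified TLS connect (system CA store trusts Let's Encrypt), then AMQP probe."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(AMQP_PROTOCOL_HEADER)
            header = recv_exact(tls, 7)
            size = struct.unpack("!I", header[3:7])[0]
            frame = parse_frame(header + recv_exact(tls, size + 1))
            return {"tls_version": tls.version(), "cipher": tls.cipher()[0],
                    "connection_start": is_connection_start(frame)}
```

Run `check_amqps("your.hostname.com")` (hypothetical host) and look at `tls_version`: if it reports TLSv1 or TLSv1.1, a client negotiated a deprecated protocol and the `ssl_protocols` line above deserves tightening.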
All in all, this was a relative breeze to set up! RabbitMQ is an amazing piece of software. I’m very happy not needing to manually configure all of this.
(However, client certificates are something I still need to look into.)