RabbitMQ TLS Setup

TLS setup for Docker installations of Xray

Author: Patrick Russell
Article number: 000004737
Source: Salesforce
First published: 2020-06-09
Last modified: 2021-04-27
Version: 6
The connection between Xray and RabbitMQ can be encrypted with TLS, too. The procedure mirrors the PostgreSQL instructions above: the certificates are copied into the volume mount on the host, while the configuration files reference the paths as seen inside the container:

1. Create your TLS certificate and private key:
openssl req -newkey rsa:2048 -nodes -keyout rabbit.key -x509 -days 365 -out rabbit.crt
Xray connects to the broker by the host name rabbitmq, so when prompted be sure to enter rabbitmq as the Common Name (CN); a certificate issued for any other name will fail host-name verification. Newer TLS clients check the Subject Alternative Name rather than the CN, so include rabbitmq as a SAN as well if your OpenSSL version allows it. The certificate above is self-signed and valid for 365 days, so plan to rotate it before it expires.

2. Copy the files into a new folder in the RabbitMQ volume mount:
mkdir .jfrog/xray/rabbitmq/certs
cp rabbit* .jfrog/xray/rabbitmq/certs
3. Ensure the ownership is set correctly. Run the chown from inside the container (docker exec) so that "rabbitmq" resolves to the container's own UID and GID; mode 600 keeps the private key readable by the broker user only:
#Inside the container
chown rabbitmq:rabbitmq /var/lib/rabbitmq/certs/*
chmod 600 /var/lib/rabbitmq/certs/*
4. Add the following TLS settings to the /etc/rabbitmq/rabbitmq.conf file in the container:

loopback_users.guest = false
listeners.tcp.default = 5672
hipe_compile = false
management.listener.port = 15672
management.listener.ssl = true
listeners.ssl.default = 5671
ssl_options.certfile   = /var/lib/rabbitmq/certs/rabbit.crt
ssl_options.keyfile    = /var/lib/rabbitmq/certs/rabbit.key
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false

Two of these settings deserve a second look. With ssl_options.verify = verify_peer and ssl_options.fail_if_no_peer_cert = false the broker asks the client for a certificate but still accepts connections that present none; to require mutual TLS, set fail_if_no_peer_cert = true and point ssl_options.cacertfile at the issuing CA (for the self-signed certificate above, rabbit.crt itself) so the client certificate can be validated. Also, loopback_users.guest = false lets the built-in guest account log in from outside the container rather than from localhost only; keep that line only if you rely on it and have changed the guest password. Note that listeners.tcp.default = 5672 leaves the plaintext AMQP listener open alongside the TLS one.

You can mount this file externally to persist the change.

5. Copy the same certificate and key (rabbit.crt, rabbit.key) into the Xray volume and make sure they are owned by the "xray" Linux user:
mkdir .jfrog/xray/xray/ssl/rabbitmq/
cp rabbit* .jfrog/xray/xray/ssl/rabbitmq/
chown xray:xray .jfrog/xray/xray/ssl/rabbitmq/*
chmod 600 .jfrog/xray/xray/ssl/rabbitmq/*
6. Call the Enable TLS Certificate for RabbitMQ REST API (PUT /api/v1/configuration/systemParameters). The body carries the full systemParameters object, so keep your existing values for the other fields and set enableTlsConnectionToRabbitMQ to true. Replace admin:password with real credentials; the -k flag disables certificate verification of the Xray endpoint itself and should be dropped once the Xray port is served with a trusted certificate:
curl -uadmin:password -k -X PUT https://<Xray_URL>:<PORT>/api/v1/configuration/systemParameters -d '{
    "sslInsecure": false,
    "maxDiskDataUsage": 80,
    "monitorSamplingInterval": 300,
    "mailNoSsl": false,
    "messageMaxTTL": 7,
    "jobInterval": 86400,
    "allowSendingAnalytics": true,
    "httpsPort": 443,
    "enableTlsConnectionToRabbitMQ": true
}'
7. Modify the xray_config.yml file so that it uses the amqps scheme and port 5671 for the broker and points at the certificates in your Xray volume (the credential segment of mqBaseUrl is shown here in Xray's encrypted form; keep your own value and change only the scheme and port):
#RabbitMQ is now using port 5671 and the amqps protocol
mqBaseUrl: amqps://12ce13$aes256$nQ9PGNOBBBqF9x8cYTf9ZxXSe1EjmEvtm5LlvkwhJD34sO7hb21N@rabbitmq:5671
[...]
clientCertFilePath: /var/opt/jfrog/xray/data/ssl/rabbitmq/rabbit.crt
clientCertKeyFilePath: /var/opt/jfrog/xray/data/ssl/rabbitmq/rabbit.key
8. Restart the Xray containers.
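The procedure above, scripted as shell functions. This is an added example and not code from the JFrog article or from Xray itself; it covers steps 1 to 5 and adds a post-restart handshake check, while steps 6 to 8 stay manual. It assumes the .jfrog/xray volume layout used in the article, an OpenSSL new enough to accept -addext (1.1.1 or later), and that the rendered rabbitmq.conf is mounted into the container as /etc/rabbitmq/rabbitmq.conf; the function, variable and file names are the example's own. It adds a subjectAltName because Go-based clients such as Xray do not fall back to the CN, sets ssl_options.cacertfile so a client certificate can actually be verified, and leaves out the loopback_users.guest and hipe_compile lines, which are unrelated to TLS.

```shell
#!/bin/sh
# Added example, not part of the JFrog article: steps 1-5 of the procedure as
# shell functions, plus a handshake check for after the restart in step 8.
# Assumptions (not stated on the page): the volume layout under .jfrog/xray
# from the article, OpenSSL >= 1.1.1 for -addext, and that the rendered
# rabbitmq.conf is mounted into the container at /etc/rabbitmq/rabbitmq.conf.
set -eu

XRAY_HOME="${XRAY_HOME:-.jfrog/xray}"   # host side of the Docker volume mounts
RABBIT_HOST="${RABBIT_HOST:-rabbitmq}"  # host name Xray uses to reach the broker

# Step 1: self-signed server certificate. The CN alone is not enough for
# Go-based clients (Go ignores CN since 1.15), so a subjectAltName is added.
make_cert() {
  dir="$1"
  openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
    -subj "/CN=$RABBIT_HOST" -addext "subjectAltName=DNS:$RABBIT_HOST" \
    -keyout "$dir/rabbit.key" -out "$dir/rabbit.crt" 2>/dev/null
}

# Steps 2, 3 and 5: place the pair in a volume directory, private key and
# certificate readable by the daemon user only. chown is skipped when the
# account does not exist on this host (it exists inside the containers).
install_certs() {
  src="$1"; dest="$2"; owner="$3"
  mkdir -p "$dest"
  cp "$src/rabbit.crt" "$src/rabbit.key" "$dest/"
  chmod 700 "$dest"
  chmod 600 "$dest/rabbit.crt" "$dest/rabbit.key"
  if id "$owner" >/dev/null 2>&1; then
    chown "$owner:$owner" "$dest/rabbit.crt" "$dest/rabbit.key"
  fi
}

# Step 4: render rabbitmq.conf. With fail_if_no_peer_cert = false the broker
# asks for a client certificate but still accepts connections without one;
# pass "true" as the third argument to require mutual TLS. cacertfile points
# at the self-signed cert so a client presenting the same pair can be verified.
render_rabbitmq_conf() {
  out="$1"; certdir="$2"; require_client_cert="${3:-false}"
  cat > "$out" <<EOF
listeners.tcp.default = 5672
listeners.ssl.default = 5671
management.listener.port = 15672
management.listener.ssl = true
ssl_options.certfile = $certdir/rabbit.crt
ssl_options.keyfile = $certdir/rabbit.key
ssl_options.cacertfile = $certdir/rabbit.crt
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = $require_client_cert
EOF
}

# Returns 0 only when both files are mode 600 (works with GNU and BSD stat).
check_perms() {
  for f in "$1/rabbit.crt" "$1/rabbit.key"; do
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ] || return 1
  done
}

# After step 8: confirm the broker serves the cert on 5671 and that host-name
# verification against "rabbitmq" succeeds. Run from a container on the same
# Docker network, where that name resolves.
verify_listener() {
  openssl s_client -connect "$RABBIT_HOST:5671" -servername "$RABBIT_HOST" \
    -CAfile "$1/rabbit.crt" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh rabbit-tls.sh run   (steps 6-8 of the article remain manual)
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  make_cert "$work"
  install_certs "$work" "$XRAY_HOME/rabbitmq/certs" rabbitmq
  install_certs "$work" "$XRAY_HOME/xray/ssl/rabbitmq" xray
  render_rabbitmq_conf "$XRAY_HOME/rabbitmq/rabbitmq.conf" /var/lib/rabbitmq/certs false
  rm -rf "$work"
fi
```

On the host the rabbitmq and xray accounts usually do not exist, which is why the chown is conditional; the ownership still has to be fixed from inside the containers as steps 3 and 5 describe. After the restart, verify_listener with the certs directory as its argument fails if the broker presents a certificate whose name does not match rabbitmq, which is the symptom of a wrong CN or missing SAN.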

As a next step, review the SSL Setup article for encrypting the external Xray port with TLS.