1. Delete or disable the default user
RabbitMQ creates a default user "guest" (password "guest"). Out of the box it can only connect over the loopback interface (the loopback_users setting), but any deployment that relaxes that setting, or exposes the broker through a tunnel or proxy, turns it into a trivially guessable remote login. Delete it, or if it must stay, keep it loopback-only and change its password with rabbitmqctl change_password. Note that granting it permissions (set_permissions with ".*" patterns) does the opposite of restricting it:
sudo rabbitmqctl delete_user guest # delete the default user
# or, if the user is kept, confirm it stays loopback-only in /etc/rabbitmq/rabbitmq.conf (this is the default; never set loopback_users = none)
loopback_users.guest = true # allow guest to connect from localhost only
2. Create a dedicated user with a strong password
Create a purpose-specific user with rabbitmqctl. The password should be at least 8 characters (longer is better) and mix upper- and lower-case letters, digits and special characters. A password given on the command line lands in the shell history and is visible in the process list while the command runs; clear that history entry afterwards, or provision users from a definitions file that carries only salted password hashes.
sudo rabbitmqctl add_user myuser StrongPassword123!
sudo rabbitmqctl set_user_tags myuser administrator # assign the administrator tag (adjust as needed; an application-only user needs no tag at all)
3. Configure fine-grained permissions
Permissions follow the "user + virtual host (vhost) + resource" model: for each vhost a user gets three regular expressions, one each for the configure, write and read operations, matched against exchange and queue names. Assign them on the least-privilege principle (create dev-user and monitor-user as in step 2 first; set_permissions replaces any earlier grant for that user and vhost, and rabbitmqctl list_permissions -p <vhost> shows the result):
sudo rabbitmqctl add_vhost /prod # production vhost
sudo rabbitmqctl add_vhost /dev # development vhost
# Development user: in the /dev vhost only, may configure and consume from queues named dev-* and publish only to the logs or orders exchange
sudo rabbitmqctl set_permissions -p /dev dev-user "dev-.*" "logs|orders" "dev-.*"
# Read-only monitoring user: "^$" matches nothing, so it can neither create resources nor publish; it may consume from every queue in /prod
sudo rabbitmqctl set_permissions -p /prod monitor-user "^$" "^$" ".*"
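Steps 2 and 3 can be provisioned without ever putting a password on a command line by importing a definitions file that contains only salted hashes. The script below is an added example, not part of the original page or of RabbitMQ itself. It implements RabbitMQ's rabbit_password_hashing_sha256 scheme (base64 of a 4-byte random salt followed by SHA-256(salt || password)), applies the page's password rules (the 12-character minimum is this example's stricter default, the page asks for 8), and emits a definitions document for the vhosts, users and permissions above. The "monitoring" tag for monitor-user, the administrator's full rights on /prod, and the RABBITMQ_PW_* environment variable names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import string
import sys

# Least-privilege policy mirroring the vhosts/users/permissions set up above.
# User and vhost names come from the page; the tags and myuser's full rights
# on /prod are assumptions for this example.
POLICY = {
    "vhosts": ["/prod", "/dev"],
    "users": [
        {"name": "myuser", "tags": "administrator"},
        {"name": "dev-user", "tags": ""},
        {"name": "monitor-user", "tags": "monitoring"},
    ],
    "permissions": [
        {"user": "myuser", "vhost": "/prod", "configure": ".*", "write": ".*", "read": ".*"},
        {"user": "dev-user", "vhost": "/dev", "configure": "dev-.*", "write": "logs|orders", "read": "dev-.*"},
        {"user": "monitor-user", "vhost": "/prod", "configure": "^$", "write": "^$", "read": ".*"},
    ],
}


def check_password_policy(password, min_length=12):
    """Return a list of violations (empty when the password is acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def rabbit_password_hash(password, salt=None):
    """rabbit_password_hashing_sha256: base64(salt || SHA-256(salt || password)), 4-byte random salt."""
    salt = secrets.token_bytes(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("RabbitMQ salts are exactly 4 bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password_hash(stored, password):
    """Check a password against a stored hash of the same scheme, in constant time."""
    raw = base64.b64decode(stored)
    if len(raw) != 4 + 32:
        return False
    expected = hashlib.sha256(raw[:4] + password.encode("utf-8")).digest()
    return hmac.compare_digest(raw[4:], expected)


def build_definitions(policy, passwords):
    """Produce a definitions document; it carries only salted hashes, never passwords."""
    users = []
    for u in policy["users"]:
        pw = passwords[u["name"]]  # KeyError if a user has no password: fail closed
        problems = check_password_policy(pw)
        if problems:
            raise ValueError(f"password for {u['name']}: " + ", ".join(problems))
        users.append({
            "name": u["name"],
            "password_hash": rabbit_password_hash(pw),
            "hashing_algorithm": "rabbit_password_hashing_sha256",
            "tags": u["tags"],
        })
    return {
        "vhosts": [{"name": v} for v in policy["vhosts"]],
        "users": users,
        "permissions": [dict(p) for p in policy["permissions"]],
    }


if __name__ == "__main__":
    # Passwords are read from RABBITMQ_PW_<USER> (assumed variable names) so they
    # never appear on a command line; missing ones are generated and shown once.
    passwords = {}
    for u in POLICY["users"]:
        var = "RABBITMQ_PW_" + u["name"].upper().replace("-", "_")
        pw = os.environ.get(var)
        if not pw:
            pw = secrets.token_urlsafe(18) + "Aa1!"  # suffix guarantees the policy classes
            print(f"{var} not set; generated password for {u['name']}: {pw}", file=sys.stderr)
        passwords[u["name"]] = pw
    json.dump(build_definitions(POLICY, passwords), sys.stdout, indent=2)
    print()
```

Redirect the output to a file and load it with sudo rabbitmqctl import_definitions <file>. An import merges into the running configuration rather than replacing it, so the guest user still has to be deleted separately (step 1), and rabbitmqctl list_users and list_permissions -p /dev confirm the result.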
4. Enable and configure TLS
Use a certificate issued by your CA (production) or by a self-signed CA (testing) and have RabbitMQ listen on a TLS port. The server certificate's CN and Subject Alternative Name must match the hostname clients connect to (rabbitmq.example.com below); current clients reject certificates without a SAN, so add one when generating the CSR. Make the private keys readable only by the rabbitmq user (mode 0600).
# Generate the CA key and certificate
sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/rabbitmq/ca_key.pem -out /etc/rabbitmq/ca_cert.pem -days 3650 -nodes
# Generate the server key and CSR, then sign the CSR with the CA
sudo openssl req -newkey rsa:4096 -keyout /etc/rabbitmq/server_key.pem -out /etc/rabbitmq/server_csr.pem -nodes
sudo openssl x509 -req -in /etc/rabbitmq/server_csr.pem -CA /etc/rabbitmq/ca_cert.pem -CAkey /etc/rabbitmq/ca_key.pem -CAcreateserial -out /etc/rabbitmq/server_cert.pem -days 3650
Then add the TLS listener to /etc/rabbitmq/rabbitmq.conf. With verify_peer and fail_if_no_peer_cert = true the broker requires a client certificate signed by the CA (mutual TLS); set fail_if_no_peer_cert = false if clients authenticate with username/password only. Disable the plaintext listener (listeners.tcp = none) once every client has moved to 5671.
listeners.ssl.default = 5671 # TLS listener port
ssl_options.cacertfile = /etc/rabbitmq/ca_cert.pem
ssl_options.certfile = /etc/rabbitmq/server_cert.pem
ssl_options.keyfile = /etc/rabbitmq/server_key.pem
ssl_options.verify = verify_peer # verify client certificates against the CA
ssl_options.fail_if_no_peer_cert = true # and reject clients that present none (mutual TLS)
Restart the broker and confirm the listener:
sudo systemctl restart rabbitmq-server
sudo rabbitmqctl status # the listeners section should show port 5671 (protocol amqp/ssl)
A Python client connecting over TLS (pika 1.x API; older pika accepted ssl=True with a plain dict, current versions take an ssl.SSLContext wrapped in pika.SSLOptions):
import ssl
import pika

# Trust only the private CA, and present the client certificate
# (mandatory when the broker sets fail_if_no_peer_cert = true)
context = ssl.create_default_context(cafile='/etc/rabbitmq/ca_cert.pem')
context.load_cert_chain('/path/to/client_cert.pem', '/path/to/client_key.pem')
context.check_hostname = True # the server certificate must match server_hostname below

credentials = pika.PlainCredentials('myuser', 'StrongPassword123!')
parameters = pika.ConnectionParameters(
host='rabbitmq.example.com',
port=5671,
virtual_host='/prod',
credentials=credentials,
ssl_options=pika.SSLOptions(context, server_hostname='rabbitmq.example.com')
)
connection = pika.BlockingConnection(parameters)
5. Restrict access with a firewall
Use ufw (the default Debian firewall) to open only the ports that are needed and to block unencrypted connections. Do not expose the plaintext management port 15672 or the clustering ports (4369, 25672) beyond the cluster network. Open 15671 only if administrators connect to the management listener directly; if it sits behind the nginx proxy from step 6, open 443 instead and leave 15671 closed to the outside.
sudo ufw allow 5671/tcp # allow TLS AMQP
sudo ufw allow 15671/tcp # allow the HTTPS management UI (optional)
sudo ufw deny 5672/tcp # block plaintext AMQP (the default port)
sudo ufw reload
6. Enable the management plugin and restrict access
Enable the web management UI, serve it over TLS only, and limit it to operator addresses. RabbitMQ itself has no IP allow-list for the UI, so the filtering is done by a reverse proxy (nginx below); firewall the backend port so that only the proxy can reach it.
sudo rabbitmq-plugins enable rabbitmq_management # enable the management plugin
In /etc/rabbitmq/rabbitmq.conf (on RabbitMQ 3.8 and later the equivalent keys are management.ssl.port, management.ssl.cacertfile, management.ssl.certfile and management.ssl.keyfile):
management.listener.ssl = true
management.listener.port = 15671
management.listener.ssl_opts.cacertfile = /etc/rabbitmq/ca_cert.pem
management.listener.ssl_opts.certfile = /etc/rabbitmq/server_cert.pem
management.listener.ssl_opts.keyfile = /etc/rabbitmq/server_key.pem
nginx reverse proxy. The certificate it serves must be the server certificate (issued for mq-admin.example.com), not the CA certificate, and the upstream is the TLS management listener configured above, not the plaintext port 15672 (nginx does not verify the upstream certificate unless proxy_ssl_verify is enabled):
server {
    listen 443 ssl;
    server_name mq-admin.example.com;
    ssl_certificate /etc/rabbitmq/server_cert.pem; # server certificate, paired with the key below
    ssl_certificate_key /etc/rabbitmq/server_key.pem;
    location / {
        allow 203.0.113.50; # only the operations host
        deny all;
        proxy_pass https://127.0.0.1:15671;
    }
}
7. Regular updates and patch management
Keep RabbitMQ and its dependencies (Erlang in particular) current and apply the vendor's security fixes promptly. The Debian archive often lags several releases behind, so use the RabbitMQ project's apt repository for both rabbitmq-server and Erlang, and check the running version with rabbitmqctl version after upgrading:
sudo apt update
sudo apt upgrade rabbitmq-server erlang # update RabbitMQ and Erlang
8. Monitoring and log auditing
Keep logging enabled and review the logs regularly for anomalies such as repeated login failures ("login refused" errors), attempts to open vhosts a user has no permission for ("access to vhost ... refused"), and connections from unexpected addresses. Current releases name the log file after the node (/var/log/rabbitmq/rabbit@<hostname>.log); older packages used rabbitmq.log:
# Follow the log in real time
sudo tail -f /var/log/rabbitmq/rabbit@$(hostname).log
# Configure log rotation (/etc/logrotate.d/rabbitmq)
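The review above can be automated. The script below is an added example, not from the original page or the RabbitMQ project: it parses broker log lines, pairs each "Error on AMQP connection" line with the refusal reason that follows it, and flags source addresses that exceed a threshold of failures inside a sliding window. The log lines are constructed samples modelled on the RabbitMQ 3.8+ log format (the addresses, users and timestamps are invented), and the threshold of 3 failures per 60 seconds is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on the RabbitMQ 3.8+ log format; not real traffic.
# A refusal is logged as an "Error on AMQP connection ... :" line followed by a
# continuation line (no timestamp) carrying the reason.
SAMPLE_LOG = """\
2024-03-01 10:15:22.101 [info] <0.1041.0> accepting AMQP connection <0.1041.0> (198.51.100.7:49812 -> 10.0.0.5:5671)
2024-03-01 10:15:22.130 [error] <0.1041.0> Error on AMQP connection <0.1041.0> (198.51.100.7:49812 -> 10.0.0.5:5671, state: starting):
PLAIN login refused: user 'guest' - invalid credentials
2024-03-01 10:15:23.002 [error] <0.1044.0> Error on AMQP connection <0.1044.0> (198.51.100.7:49813 -> 10.0.0.5:5671, state: starting):
PLAIN login refused: user 'admin' - invalid credentials
2024-03-01 10:15:23.880 [error] <0.1047.0> Error on AMQP connection <0.1047.0> (198.51.100.7:49814 -> 10.0.0.5:5671, state: starting):
PLAIN login refused: user 'myuser' - invalid credentials
2024-03-01 10:15:40.410 [error] <0.1052.0> Error on AMQP connection <0.1052.0> (203.0.113.9:51000 -> 10.0.0.5:5671, vhost: '/prod', user: 'dev-user', state: opening):
access to vhost '/prod' refused for user 'dev-user'
2024-03-01 10:16:05.555 [warning] <0.1060.0> HTTP access denied: user 'guest' - invalid credentials
2024-03-01 10:17:00.000 [info] <0.1070.0> connection <0.1070.0> (10.0.0.8:40000 -> 10.0.0.5:5671): user 'monitor-user' authenticated and granted access to vhost '/prod'
"""

# Timestamp, level and Erlang pid; the optional UTC offset covers the 3.9+ format.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+(?:[+-]\d{2}:\d{2})? \[(\w+)\] (<[\d.]+>) (.*)$")
CONN_RE = re.compile(r"Error on AMQP connection <[\d.]+> \((\d+\.\d+\.\d+\.\d+):\d+ ->")
LOGIN_RE = re.compile(r"login refused: user '([^']+)'")
VHOST_RE = re.compile(r"access to vhost '([^']+)' refused for user '([^']+)'")
HTTP_RE = re.compile(r"HTTP access denied: user '([^']+)'")


def parse_auth_failures(text):
    """Return a list of {ts, ip, user, reason} for every authentication/authorisation failure."""
    events = []
    pending = {}  # pid -> (timestamp, source ip) of a connection error awaiting its reason line
    last_pid = None
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            last_pid, msg = m.group(3), m.group(4)
            c = CONN_RE.search(msg)
            if c:
                pending[last_pid] = (ts, c.group(1))
            else:
                h = HTTP_RE.search(msg)
                if h:  # management UI failures carry no source address in this line
                    events.append({"ts": ts, "ip": None, "user": h.group(1), "reason": "http_invalid_credentials"})
            continue
        if last_pid in pending:  # continuation line: the reason for the pending connection error
            ts, ip = pending.pop(last_pid)
            lg, vh = LOGIN_RE.search(raw), VHOST_RE.search(raw)
            if lg:
                events.append({"ts": ts, "ip": ip, "user": lg.group(1), "reason": "invalid_credentials"})
            elif vh:
                events.append({"ts": ts, "ip": ip, "user": vh.group(2), "reason": "vhost_refused:" + vh.group(1)})
    return events


def flag_sources(events, threshold=3, window_seconds=60):
    """Map source ip -> peak failure count for sources with >= threshold failures inside one window."""
    flagged = {}
    recent = defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ip"] is None:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged


def users_targeted(events):
    """Count failures per user name, which reveals guessing against default or privileged accounts."""
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_auth_failures(SAMPLE_LOG)
    for e in evs:
        print(e["ts"], e["ip"], e["user"], e["reason"])
    print("flagged sources:", flag_sources(evs))
    print("users targeted:", users_targeted(evs))
```

Feed the real log file in place of SAMPLE_LOG (for example read /var/log/rabbitmq/rabbit@<hostname>.log) and raise an alert or add a firewall rule for the flagged addresses; the per-user counts show whether the default guest account or an administrator is the target.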