基于HTTPS和Nginx的RabbitMQ管理

2ekbmq32  于 2023-06-21  发布在  Nginx
关注(0)|答案(5)|浏览(187)

我尝试使用nginx通过HTTPS/SSL访问RabbitMQ接口,但我不知道我错过了什么。
下面是我的rabbitmq.conf文件:

[
  {ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
  {rabbit, [
      {reverse_dns_lookups, true},
      {hipe_compile, true},
      {tcp_listeners, [5672]},
      {ssl_listeners, [5671]},
      {ssl_options, [
        {cacertfile, "/etc/ssl/certs/CA.pem"},
        {certfile,   "/etc/nginx/ssl/my_domain.crt"},
        {keyfile,    "/etc/nginx/ssl/my_domain.key"},
        {versions, ['tlsv1.2', 'tlsv1.1']}
      ]}
    ]
  },
  {rabbitmq_management, [
    {listener, [
      {port, 15671},
      {ssl,  true},
      {ssl_opts, [
        {cacertfile, "/etc/ssl/certs/CA.pem"},
        {certfile,   "/etc/nginx/ssl/my_domain.crt"},
        {keyfile,    "/etc/nginx/ssl/my_domain.key"},
        {versions, ['tlsv1.2', 'tlsv1.1']}
      ]}
    ]}
  ]}
].

重启rabbitmq-server后一切正常
我的nginx文件看起来像这样:

location /rabbitmq/ {
        if ($request_uri ~* "/rabbitmq/(.*)") {
                proxy_pass https://example.com:15671/$1;
        }
}

现在,我猜ngnix配置无法解析HTTPS URL,因为我在尝试浏览时收到504超时错误:

https://example.com/rabbitmq/

**显然,这不是正确的FQDN,但SSL证书在没有/rabbitmq/**的情况下工作正常

有人能够通过FQDN和HTTPS在外部连接上使用RabbitMQ管理Web界面吗?
我需要在nginx配置中创建一个新的“服务器”块专门用于15671端口吗?
任何帮助将不胜感激!

2hh7jdfx

2hh7jdfx1#

我最终恢复到默认的rabbitmq.config文件,然后根据另一个我现在找不到的stackoverflow答案将nginx配置块修改为下面的代码。

location ~* /rabbitmq/api/(.*?)/(.*) {
        proxy_pass http://127.0.0.1:15672/api/$1/%2F/$2?$query_string;
        proxy_buffering                    off;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location ~* /rabbitmq/(.*) {
        rewrite ^/rabbitmq/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:15672;
        proxy_buffering                    off;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

此外,我有浏览器缓存的JS文件,这是造成问题,并已禁用。
我将尝试逐段重新启用SSL,但现在有示例URL工作:

https://example.com/rabbitmq/
ct3nt3jp

ct3nt3jp2#

我尝试了下面的nginx.conf

location /rabbitmq/ {
        proxy_pass http://rabbitmq/;
        proxy_buffering                    off;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

但是,我无法获得queueexchange的详细信息。我得到了API调用404错误。URL中有一个%2F,它的URL编码为/
我们需要将%2F保存在API url中,并将其传递给rabbitmq。
下面的链接描述了如何保留编码的url部分并重新编写它。Nginx pass_proxy子目录,不带url解码
所以我的解决方案是:

location /rabbitmq/api/ {
        rewrite ^ $request_uri;
        rewrite ^/rabbitmq/api/(.*) /api/$1 break;
        return 400;
        proxy_pass http://rabbitmq$uri;
        proxy_buffering                    off;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /rabbitmq/ {
        proxy_pass http://rabbitmq/;
        proxy_buffering                    off;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
tuwxkamq

tuwxkamq3#

这对我很有用

location /rabbitmq {
  proxy_pass http://localhost:15672/;
  rewrite ^/rabbitmq/(.*)$ /$1 break;
}

我不需要使用任何其他指令。

oogrdqng

oogrdqng4#

如果有人正在寻找Apache(2.4)的解决方案:

<VirtualHost *:443>
        ServerName              rabbitmq.your-domain.com
        AllowEncodedSlashes     NoDecode 
        ... // rest of the settings

        <Location "/">
          Require all granted
          
          ProxyPass         http://localhost:15672/
          ProxyPassReverse  http://localhost:15672/
        </Location>
        <Location "/api">
          Require all granted

          ProxyPass         http://localhost:15672/api nocanon
        </Location>
</VirtualHost>

事实上,有两个要素非常重要:

  1. VirtualHost级别上的“AllowEncodedSlashes NoDecode”
    1.“/API”位置上ProxyPass的“nocanon”参数
bq8i3lrv

bq8i3lrv5#

这对我很有效,我不需要任何其他的头设置。这是@user3142747的答案的变体:

location /rabbitmq/ {
    # Strip off the "/rabbitmq" prefix
    rewrite  ^/rabbitmq/(.*) /$1 break;

    # Do NOT suffix proxy_pass path with a trailing "/". This allows NGINX to pass the client request completely unchanged.
    #    - see http://mailman.nginx.org/pipermail/nginx/2009-November/016577.html
    proxy_pass $scheme://localhost:15672;
}

相关问题