Re: [rabbitmq-users] Cannot access web UI of https
819 views
Skip to first unread message
Message has been deleted
Message has been deleted
Michael Klishin
Apr 21, 2016, 2:35:43 PM4/21/16
to rabbitm...@googlegroups.com
I believe HTTPS and reverse proxies are covered in http://rabbitmq.com/management.html.
As the title says I can only access the web ui over http which requires turning off my htaccess rules, anyway to access this over https--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Michael Klishin
Apr 21, 2016, 2:38:17 PM4/21/16
to rabbitm...@googlegroups.com
See the section on guest access limitations in http://rabbitmq.com/access-control.html.
The right thing to do is to create a separate user with a password not known to the public and label it as "administrator" or "management".
Also user name guest and guest are not allowing me entry
On Thursday, April 21, 2016 at 8:28:24 PM UTC+2, Adam Milton-Barker wrote:As the title says I can only access the web ui over http which requires turning off my htaccess rules, anyway to access this over https
Adam Milton-Barker
Apr 21, 2016, 2:41:17 PM4/21/16
to rabbitmq-users
Thanks missed that, any idea on why it is not letting me access with guest and guest, would this use the rabbitmq-auth-backend-http also ? If so that would explain as haven't finished connecting it up yet
Michael Klishin
Apr 21, 2016, 2:55:01 PM4/21/16
to rabbitm...@googlegroups.com
The user "guest" has a well known password and full administrative privileges. It is
therefore limited to localhost connections by default in recent versions.
We cannot suggest much without seeing RabbitMQ log files but 9 times out of 10
that's the reason with the default user.
--
MK
Staff Software Engineer, Pivotal/RabbitMQ
Adam Milton-Barker
Apr 21, 2016, 2:59:30 PM4/21/16
to rabbitmq-users
I am on localhost
Michael Klishin
Apr 21, 2016, 3:01:19 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
Then please post your log files.
On 21 April 2016 at 21:59:33, Adam Milton-Barker (adammilt...@gmail.com) wrote:
> I am on localhost
>
> On Thursday, April 21, 2016 at 8:55:01 PM UTC+2, Michael Klishin wrote:
> >
> > The user "guest" has a well known password and full administrative
> > privileges. It is
> > therefore limited to localhost connections by default in recent versions.
> >
> > We cannot suggest much without seeing RabbitMQ log files but 9 times out
> > of 10
> > that's the reason with the default user.
> >
> > On Thu, Apr 21, 2016 at 9:41 PM, Adam Milton-Barker > > > wrote:
> >
> >> Thanks missed that, any idea on why it is not letting me access with
> >> guest and guest, would this use the rabbitmq-auth-backend-http also ? If so
> >> that would explain as haven't finished connecting it up yet
> >>
> >> On Thursday, April 21, 2016 at 8:35:43 PM UTC+2, Michael Klishin wrote:
> >>>
> >>> I believe HTTPS and reverse proxies are covered in
> >>> http://rabbitmq.com/management.html.
> >>>
> >>> On 21 abr 2016, at 21:28, Adam Milton-Barker
On 21 April 2016 at 21:59:33, Adam Milton-Barker (adammilt...@gmail.com) wrote:
> I am on localhost
>
> On Thursday, April 21, 2016 at 8:55:01 PM UTC+2, Michael Klishin wrote:
> >
> > The user "guest" has a well known password and full administrative
> > privileges. It is
> > therefore limited to localhost connections by default in recent versions.
> >
> > We cannot suggest much without seeing RabbitMQ log files but 9 times out
> > of 10
> > that's the reason with the default user.
> >
> > On Thu, Apr 21, 2016 at 9:41 PM, Adam Milton-Barker > > > wrote:
> >
> >> Thanks missed that, any idea on why it is not letting me access with
> >> guest and guest, would this use the rabbitmq-auth-backend-http also ? If so
> >> that would explain as haven't finished connecting it up yet
> >>
> >> On Thursday, April 21, 2016 at 8:35:43 PM UTC+2, Michael Klishin wrote:
> >>>
> >>> I believe HTTPS and reverse proxies are covered in
> >>> http://rabbitmq.com/management.html.
> >>>
> >>> On 21 abr 2016, at 21:28, Adam Milton-Barker
> >>> wrote:
> >>>
> >>> As the title says I can only access the web ui over http which requires
> >>> turning off my htaccess rules, anyway to access this over https
> >>>
> >>> --
> >>> You received this message because you are subscribed to the Google
> >>> Groups "rabbitmq-users" group.
> >>> To unsubscribe from this group and stop receiving emails from it, send
> >>> an email to rabbitmq-user...@googlegroups.com.
> >>> To post to this group, send email to rabbitm...@googlegroups.com.
> >>> For more options, visit https://groups.google.com/d/optout.
> >>>
> >>> --
> >> You received this message because you are subscribed to the Google Groups
> >> "rabbitmq-users" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to rabbitmq-user...@googlegroups.com .
> >> To post to this group, send email to rabbitm...@googlegroups.com
> >> .
> >>>
> >>> As the title says I can only access the web ui over http which requires
> >>> turning off my htaccess rules, anyway to access this over https
> >>>
> >>> --
> >>> You received this message because you are subscribed to the Google
> >>> Groups "rabbitmq-users" group.
> >>> To unsubscribe from this group and stop receiving emails from it, send
> >>> an email to rabbitmq-user...@googlegroups.com.
> >>> To post to this group, send email to rabbitm...@googlegroups.com.
> >>> For more options, visit https://groups.google.com/d/optout.
> >>>
> >>> --
> >> You received this message because you are subscribed to the Google Groups
> >> "rabbitmq-users" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to rabbitmq-user...@googlegroups.com .
> >> To post to this group, send email to rabbitm...@googlegroups.com
> >> .
> >> For more options, visit https://groups.google.com/d/optout.
> >>
> >
> >
> >
> > --
> > MK
> >
> > Staff Software Engineer, Pivotal/RabbitMQ
> >
>
> >>
> >
> >
> >
> > --
> > MK
> >
> > Staff Software Engineer, Pivotal/RabbitMQ
> >
>
> --
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
Michael Klishin
Apr 21, 2016, 3:02:00 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
On 21 April 2016 at 22:01:14, Michael Klishin (mkli...@pivotal.io) wrote:
> Then please post your log files.
…and config file, if you have configured anything.
> Then please post your log files.
Message has been deleted
Adam Milton-Barker
Apr 21, 2016, 4:26:57 PM4/21/16
to rabbitmq-users
log simply says:
=WARNING REPORT==== 21-Apr-2016::22:13:30 ===
HTTP access denied: user 'ADMINUSER' - invalid credentials
=ERROR REPORT==== 21-Apr-2016::22:13:30 ===
webmachine error: path="/api/whoami"
"Unauthorized"
This is incorrect if the plugin actually works as the credentials are correct
Michael Klishin
Apr 21, 2016, 4:28:45 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
RabbitMQ needs restarting to pick up config changes:
http://www.rabbitmq.com/configure.html
Adam, it would be *immensely* helpful if you post log file contents
instead of leaving folks on this list guessing why authentication fails.
On 21 April 2016 at 23:23:18, Adam Milton-Barker (adammilt...@gmail.com) wrote:
> Using the suggested methods, cannot connect to the management on a
> different port with ssl activated, steps taken were updating the conf file
> (Which is now commented out again ) and then opening the port through
> firewall also cannot authenticate via the plugin:
>
> %% -*- mode: erlang -*-
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ Sample Configuration File.
> %%
> %% See http://www.rabbitmq.com/configure.html for details.
> %%
> ----------------------------------------------------------------------------
> [
> {ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
> {rabbit,
> [%%
> %% Network Connectivity
> %% ====================
> %%
>
> %% By default, RabbitMQ will listen on all interfaces, using
> %% the standard (reserved) AMQP port.
> %%
> %%{tcp_listeners, [5672]},
>
> %% To listen on a specific interface, provide a tuple of {IpAddress,
> Port}.
> %% For example, to listen only on localhost for both IPv4 and IPv6:
> %%
> %% {tcp_listeners, [{"127.0.0.1", 5672},
> %% {"::1", 5672}]},
>
> %% SSL listeners are configured in the same fashion as TCP listeners,
> %% including the option to control the choice of interface.
> %%
> {ssl_listeners, [5671]},
>
> %% Number of Erlang processes that will accept connections for the TCP
> %% and SSL listeners.
> %%
> %% {num_tcp_acceptors, 10},
> %% {num_ssl_acceptors, 1},
>
> %% Maximum time for AMQP 0-8/0-9/0-9-1 handshake (after socket connection
> %% and SSL handshake), in milliseconds.
> %%
> %% {handshake_timeout, 10000},
>
> %% Log levels (currently just used for connection logging).
> %% One of 'debug', 'info', 'warning', 'error' or 'none', in decreasing
> %% order of verbosity. Defaults to 'info'.
> %%
> {log_levels, [{connection, info}, {channel, info}]},
>
> %% Set to 'true' to perform reverse DNS lookups when accepting a
> %% connection. Hostnames will then be shown instead of IP addresses
> %% in rabbitmqctl and the management plugin.
> %%
> %% {reverse_dns_lookups, true},
>
> %%
> %% Security / AAA
> %% ==============
> %%
>
> %% The default "guest" user is only permitted to access the server
> %% via a loopback interface (e.g. localhost).
> %% {loopback_users, [<<"guest">>]},
> %%
> %% Uncomment the following line if you want to allow access to the
> %% guest user from anywhere on the network.
> %% {loopback_users, []},
>
> %% Configuring SSL.
> %% See http://www.rabbitmq.com/ssl.html for full documentation.
> %%
>
> {ssl_options, [{cacertfile, "/etc/rabbitmq/certs/ca.pem"},
> {certfile, "/etc/rabbitmq/certs/crt.pem"},
> {keyfile, "/etc/rabbitmq/certs/key.pem"},
> {versions, ['tlsv1.2', 'tlsv1.1']},
> {verify, verify_peer},
> {fail_if_no_peer_cert, false}]},
>
>
> %% Choose the available SASL mechanism(s) to expose.
> %% The two default (built in) mechanisms are 'PLAIN' and
> %% 'AMQPLAIN'. Additional mechanisms can be added via
> %% plugins.
> %%
> %% See http://www.rabbitmq.com/authentication.html for more details.
> %%
> %% {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
>
> %% Select an authentication database to use. RabbitMQ comes bundled
> %% with a built-in auth-database, based on mnesia.
> %%
> {auth_backends, [rabbit_auth_backend_http]},
>
> %% Configurations supporting the rabbitmq_auth_mechanism_ssl and
> %% rabbitmq_auth_backend_ldap plugins.
> %%
> %% NB: These options require that the relevant plugin is enabled.
> %% See http://www.rabbitmq.com/plugins.html for further details.
>
> %% The RabbitMQ-auth-mechanism-ssl plugin makes it possible to
> %% authenticate a user based on the client's SSL certificate.
> %%
> %% To use auth-mechanism-ssl, add to or replace the auth_mechanisms
> %% list with the entry 'EXTERNAL'.
> %%
> %% {auth_mechanisms, ['EXTERNAL']},
>
> %% The rabbitmq_auth_backend_ldap plugin allows the broker to
> %% perform authentication and authorisation by deferring to an
> %% external LDAP server.
> %%
> %% For more information about configuring the LDAP backend, see
> %% http://www.rabbitmq.com/ldap.html.
> %%
> %% Enable the LDAP auth backend by adding to or replacing the
> %% auth_backends entry:
> %%
> %% {auth_backends, [rabbit_auth_backend_ldap]},
>
> %% This pertains to both the rabbitmq_auth_mechanism_ssl plugin and
> %% STOMP ssl_cert_login configurations. See the rabbitmq_stomp
> %% configuration section later in this file and the README in
> %% https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl for further
> %% details.
> %%
> %% To use the SSL cert's CN instead of its DN as the username
> %%
> %% {ssl_cert_login_from, common_name},
>
> %% SSL handshake timeout, in milliseconds.
> %%
> %% {ssl_handshake_timeout, 5000},
>
> %% Password hashing implementation. Will only affect newly
> %% created users. To recalculate hash for an existing user
> %% it's necessary to update her password.
> %%
> %% {password_hashing_module, rabbit_password_hashing_sha256},
>
> %%
> %% Default User / VHost
> %% ====================
> %%
>
> %% On first start RabbitMQ will create a vhost and a user. These
> %% config items control what gets created. See
> %% http://www.rabbitmq.com/access-control.html for further
> %% information about vhosts and access control.
> %%
> %% {default_vhost, <<"/">>},
> %% {default_user, <<"guest">>},
> %% {default_pass, <<"guest">>},
> %% {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
>
> %% Tags for default user
> %%
> %% For more details about tags, see the documentation for the
> %% Management Plugin at http://www.rabbitmq.com/management.html.
> %%
> %% {default_user_tags, [administrator]},
>
> %%
> %% Additional network and protocol related configuration
> %% =====================================================
> %%
>
> %% Set the default AMQP heartbeat delay (in seconds).
> %%
> %% {heartbeat, 600},
>
> %% Set the max permissible size of an AMQP frame (in bytes).
> %%
> %% {frame_max, 131072},
>
> %% Set the max frame size the server will accept before connection
> %% tuning occurs
> %%
> %% {initial_frame_max, 4096},
>
> %% Set the max permissible number of channels per connection.
> %% 0 means "no limit".
> %%
> %% {channel_max, 128},
>
> %% Customising Socket Options.
> %%
> %% See (http://www.erlang.org/doc/man/inet.html#setopts-2) for
> %% further documentation.
> %%
> %% {tcp_listen_options, [{backlog, 128},
> %% {nodelay, true},
> %% {exit_on_close, false}]},
>
> %%
> %% Resource Limits & Flow Control
> %% ==============================
> %%
> %% See http://www.rabbitmq.com/memory.html for full details.
>
> %% Memory-based Flow Control threshold.
> %%
> %% {vm_memory_high_watermark, 0.4},
>
> %% Alternatively, we can set a limit (in bytes) of RAM used by the node.
> %%
> %% {vm_memory_high_watermark, {absolute, 1073741824}},
> %%
> %% Or you can set absolute value using memory units.
> %%
> %% {vm_memory_high_watermark, {absolute, "1024M"}},
> %%
> %% Supported units suffixes:
> %%
> %% k, kiB: kibibytes (2^10 bytes)
> %% M, MiB: mebibytes (2^20)
> %% G, GiB: gibibytes (2^30)
> %% kB: kilobytes (10^3)
> %% MB: megabytes (10^6)
> %% GB: gigabytes (10^9)
>
> %% Fraction of the high watermark limit at which queues start to
> %% page message out to disc in order to free up memory.
> %%
> %% Values greater than 0.9 can be dangerous and should be used carefully.
> %%
> %% {vm_memory_high_watermark_paging_ratio, 0.5},
>
> %% Interval (in milliseconds) at which we perform the check of the memory
> %% levels against the watermarks.
> %%
> %% {memory_monitor_interval, 2500},
>
> %% Set disk free limit (in bytes). Once free disk space reaches this
> %% lower bound, a disk alarm will be set - see the documentation
> %% listed above for more details.
> %%
> %% {disk_free_limit, 50000000},
> %%
> %% Or you can set it using memory units (same as in
> vm_memory_high_watermark)
> %% {disk_free_limit, "50MB"},
> %% {disk_free_limit, "50000kB"},
> %% {disk_free_limit, "2GB"},
>
> %% Alternatively, we can set a limit relative to total available RAM.
> %%
> %% Values lower than 1.0 can be dangerous and should be used carefully.
> %% {disk_free_limit, {mem_relative, 2.0}},
>
> %%
> %% Misc/Advanced Options
> %% =====================
> %%
> %% NB: Change these only if you understand what you are doing!
> %%
>
> %% To announce custom properties to clients on connection:
> %%
> %% {server_properties, []},
>
> %% How to respond to cluster partitions.
> %% See http://www.rabbitmq.com/partitions.html for further details.
> %%
> %% {cluster_partition_handling, ignore},
>
> %% Make clustering happen *automatically* at startup - only applied
> %% to nodes that have just been reset or started for the first time.
> %% See http://www.rabbitmq.com/clustering.html#auto-config for
> %% further details.
> %%
> %% {cluster_nodes, {['rab...@my.host.com'], disc}},
>
> %% Interval (in milliseconds) at which we send keepalive messages
> %% to other cluster members. Note that this is not the same thing
> %% as net_ticktime; missed keepalive messages will not cause nodes
> %% to be considered down.
> %%
> %% {cluster_keepalive_interval, 10000},
>
> %% Set (internal) statistics collection granularity.
> %%
> %% {collect_statistics, none},
>
> %% Statistics collection interval (in milliseconds).
> %%
> %% {collect_statistics_interval, 5000},
>
> %% Explicitly enable/disable hipe compilation.
> %%
> %% {hipe_compile, true},
>
> %% Timeout used when waiting for Mnesia tables in a cluster to
> %% become available.
> %%
> %% {mnesia_table_loading_timeout, 30000},
>
> %% Size in bytes below which to embed messages in the queue index. See
> %% http://www.rabbitmq.com/persistence-conf.html
> %%
> %% {queue_index_embed_msgs_below, 4096}
>
> ]},
> {rabbitmq_auth_backend_http,
> [{user_path,
> "https://iot.techbubbletechnologies.com/API/AMQP/Authenticate/1_0/auth.php"},
> {vhost_path,
> "https://iot.techbubbletechnologies.com/API/AMQP/Authenticate/1_0/auth.php"},
> {resource_path,
> "https://iot.techbubbletechnologies.com/API/AMQP/Authenticate/1_0/auth.php"}]},
>
> %%
> ----------------------------------------------------------------------------
> %% Advanced Erlang Networking/Clustering Options.
> %%
> %% See http://www.rabbitmq.com/clustering.html for details
> %%
> ----------------------------------------------------------------------------
> {kernel,
> [%% Sets the net_kernel tick time.
> %% Please see http://erlang.org/doc/man/kernel_app.html and
> %% http://www.rabbitmq.com/nettick.html for further details.
> %%
> %% {net_ticktime, 60}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ Management Plugin
> %%
> %% See http://www.rabbitmq.com/management.html for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_management,
> [%% Pre-Load schema definitions from the following JSON file. See
> %% http://www.rabbitmq.com/management.html#load-definitions
> %%
> %% {load_definitions, "/path/to/schema.json"},
>
> %% Log all requests to the management HTTP API to a file.
> %%
> %% {http_log_dir, "/path/to/access.log"},
>
> %% Change the port on which the HTTP listener listens,
> %% specifying an interface for the web server to bind to.
> %% Also set the listener to use SSL and provide SSL options.
> %%
> %%{listener, [{port, 12345},
> %% {ssl, true},
> %% {ssl_opts, [{cacertfile,
> "/etc/rabbitmq/certs/ca.pem"},
> %% {certfile, "/etc/rabbitmq/certs/crt.pem"},
> %% {keyfile,
> "/etc/rabbitmq/certs/key.pem"}]},
> %%
> %% One of 'basic', 'detailed' or 'none'. See
> %% http://www.rabbitmq.com/management.html#fine-stats for more details.
> %% {rates_mode, basic},
>
> %% Configure how long aggregated data (such as message rates and queue
> %% lengths) is retained. Please read the plugin's documentation in
> %% http://www.rabbitmq.com/management.html#configuration for more
> %% details.
> %%
> %% {sample_retention_policies,
> %% [{global, [{60, 5}, {3600, 60}, {86400, 1200}]},
> %% {basic, [{60, 5}, {3600, 60}]},
> %% {detailed, [{10, 5}]}]}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ Shovel Plugin
> %%
> %% See http://www.rabbitmq.com/shovel.html for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_shovel,
> [{shovels,
> [%% A named shovel worker.
> %% {my_first_shovel,
> %% [
>
> %% List the source broker(s) from which to consume.
> %%
> %% {sources,
> %% [%% URI(s) and pre-declarations for all source broker(s).
> %% {brokers, ["amqp://user:pass...@host.domain/my_vhost"]},
> %% {declarations, []}
> %% ]},
>
> %% List the destination broker(s) to publish to.
> %% {destinations,
> %% [%% A singular version of the 'brokers' element.
> %% {broker, "amqp://"},
> %% {declarations, []}
> %% ]},
>
> %% Name of the queue to shovel messages from.
> %%
> %% {queue, <<"your-queue-name-goes-here">>},
>
> %% Optional prefetch count.
> %%
> %% {prefetch_count, 10},
>
> %% when to acknowledge messages:
> %% - no_ack: never (auto)
> %% - on_publish: after each message is republished
> %% - on_confirm: when the destination broker confirms receipt
> %%
> %% {ack_mode, on_confirm},
>
> %% Overwrite fields of the outbound basic.publish.
> %%
> %% {publish_fields, [{exchange, <<"my_exchange">>},
> %% {routing_key, <<"from_shovel">>}]},
>
> %% Static list of basic.properties to set on re-publication.
> %%
> %% {publish_properties, [{delivery_mode, 2}]},
>
> %% The number of seconds to wait before attempting to
> %% reconnect in the event of a connection failure.
> %%
> %% {reconnect_delay, 2.5}
>
> %% ]} %% End of my_first_shovel
> ]}
> %% Rather than specifying some values per-shovel, you can specify
> %% them for all shovels here.
> %%
> %% {defaults, [{prefetch_count, 0},
> %% {ack_mode, on_confirm},
> %% {publish_fields, []},
> %% {publish_properties, [{delivery_mode, 2}]},
> %% {reconnect_delay, 2.5}]}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ Stomp Adapter
> %%
> %% See http://www.rabbitmq.com/stomp.html for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_stomp,
> [%% Network Configuration - the format is generally the same as for the
> broker
>
> %% Listen only on localhost (ipv4 & ipv6) on a specific port.
> %% {tcp_listeners, [{"127.0.0.1", 61613},
> %% {"::1", 61613}]},
>
> %% Listen for SSL connections on a specific port.
> %% {ssl_listeners, [61614]},
>
> %% Number of Erlang processes that will accept connections for the TCP
> %% and SSL listeners.
> %%
> %% {num_tcp_acceptors, 10},
> %% {num_ssl_acceptors, 1},
>
> %% Additional SSL options
>
> %% Extract a name from the client's certificate when using SSL.
> %%
> %% {ssl_cert_login, true},
>
> %% Set a default user name and password. This is used as the default
> login
> %% whenever a CONNECT frame omits the login and passcode headers.
> %%
> %% Please note that setting this will allow clients to connect without
> %% authenticating!
> %%
> %% {default_user, [{login, "guest"},
> %% {passcode, "guest"}]},
>
> %% If a default user is configured, or you have configured use SSL client
> %% certificate based authentication, you can choose to allow clients to
> %% omit the CONNECT frame entirely. If set to true, the client is
> %% automatically connected as the default user or user supplied in the
> %% SSL certificate whenever the first frame sent on a session is not a
> %% CONNECT frame.
> %%
> %% {implicit_connect, true}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ MQTT Adapter
> %%
> %% See https://github.com/rabbitmq/rabbitmq-mqtt/blob/stable/README.md
> %% for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_mqtt,
> [%% Set the default user name and password. Will be used as the default
> login
> %% if a connecting client provides no other login details.
> %%
> %% Please note that setting this will allow clients to connect without
> %% authenticating!
> %%
> %% {default_user, <<"guest">>},
> %% {default_pass, <<"guest">>},
>
> %% Enable anonymous access. If this is set to false, clients MUST provide
> %% login information in order to connect. See the
> default_user/default_pass
> %% configuration elements for managing logins without authentication.
> %%
> %% {allow_anonymous, true},
>
> %% If you have multiple chosts, specify the one to which the
> %% adapter connects.
> %%
> %% {vhost, <<"/">>},
>
> %% Specify the exchange to which messages from MQTT clients are
> published.
> %%
> %% {exchange, <<"amq.topic">>},
>
> %% Specify TTL (time to live) to control the lifetime of non-clean
> sessions.
> %%
> %% {subscription_ttl, 1800000},
>
> %% Set the prefetch count (governing the maximum number of unacknowledged
> %% messages that will be delivered).
> %%
> %% {prefetch, 10},
>
> %% TCP/SSL Configuration (as per the broker configuration).
> %%
> %% {tcp_listeners, [1883]},
> %% {ssl_listeners, []},
>
> %% Number of Erlang processes that will accept connections for the TCP
> %% and SSL listeners.
> %%
> %% {num_tcp_acceptors, 10},
> %% {num_ssl_acceptors, 1},
>
> %% TCP/Socket options (as per the broker configuration).
> %%
> %% {tcp_listen_options, [{backlog, 128},
> %% {nodelay, true}]}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ AMQP 1.0 Support
> %%
> %% See https://github.com/rabbitmq/rabbitmq-amqp1.0/blob/stable/README.md
> %% for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_amqp1_0,
> [%% Connections that are not authenticated with SASL will connect as this
> %% account. See the README for more information.
> %%
> %% Please note that setting this will allow clients to connect without
> %% authenticating!
> %%
> %% {default_user, "guest"},
>
> %% Enable protocol strict mode. See the README for more information.
> %%
> %% {protocol_strict_mode, false}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ LDAP Plugin
> %%
> %% See http://www.rabbitmq.com/ldap.html for details.
> %%
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_auth_backend_ldap,
> [%%
> %% Connecting to the LDAP server(s)
> %% ================================
> %%
>
> %% Specify servers to bind to. You *must* set this in order for the
> plugin
> %% to work properly.
> %%
> %% {servers, ["your-server-name-goes-here"]},
>
> %% Connect to the LDAP server using SSL
> %%
> %% {use_ssl, false},
>
> %% Specify the LDAP port to connect to
> %%
> %% {port, 389},
>
> %% LDAP connection timeout, in milliseconds or 'infinity'
> %%
> %% {timeout, infinity},
>
> %% Enable logging of LDAP queries.
> %% One of
> %% - false (no logging is performed)
> %% - true (verbose logging of the logic used by the plugin)
> %% - network (as true, but additionally logs LDAP network traffic)
> %%
> %% Defaults to false.
> %%
> %% {log, false},
>
> %%
> %% Authentication
> %% ==============
> %%
>
> %% Pattern to convert the username given through AMQP to a DN before
> %% binding
> %%
> %% {user_dn_pattern, "cn=${username},ou=People,dc=example,dc=com"},
>
> %% Alternatively, you can convert a username to a Distinguished
> %% Name via an LDAP lookup after binding. See the documentation for
> %% full details.
>
> %% When converting a username to a dn via a lookup, set these to
> %% the name of the attribute that represents the user name, and the
> %% base DN for the lookup query.
> %%
> %% {dn_lookup_attribute, "userPrincipalName"},
> %% {dn_lookup_base, "DC=gopivotal,DC=com"},
>
> %% Controls how to bind for authorisation queries and also to
> %% retrieve the details of users logging in without presenting a
> %% password (e.g., SASL EXTERNAL).
> %% One of
> %% - as_user (to bind as the authenticated user - requires a password)
> %% - anon (to bind anonymously)
> %% - {UserDN, Password} (to bind with a specified user name and
> password)
> %%
> %% Defaults to 'as_user'.
> %%
> %% {other_bind, as_user},
>
> %%
> %% Authorisation
> %% =============
> %%
>
> %% The LDAP plugin can perform a variety of queries against your
> %% LDAP server to determine questions of authorisation. See
> %% http://www.rabbitmq.com/ldap.html#authorisation for more
> %% information.
>
> %% Set the query to use when determining vhost access
> %%
> %% {vhost_access_query, {in_group,
> %%
> "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}},
>
> %% Set the query to use when determining resource (e.g., queue) access
> %%
> %% {resource_access_query, {constant, true}},
>
> %% Set queries to determine which tags a user has
> %%
> %% {tag_queries, []}
> ]}
> ].
>
>
> ANd for the plugin script:
>
>
>
> class IoTJumpWayAMQP{
> protected $_Secure_Connection;
> public function __construct(Connection $dbcon) {
> $this->_Secure_Connection = $dbcon->dbcon;
> }
> public static function verify_password($password,$hash) {
> return password_verify($password, $hash);
> }
> public function validateUser(){
> $TechBubble_DBQuery = $this->_Secure_Connection->prepare("
> SELECT *
> FROM DBTABLE
> WHERE usr=:usr
> ");
> $TechBubble_DBQuery->execute([
> ':usr'=>filter_input(INPUT_GET,'username',FILTER_SANITIZE_STRING)
> ]);
> $usrDta=$TechBubble_DBQuery->fetch(PDO::FETCH_ASSOC);
> return $usrDta;
> }
> }
>
> $IoTJumpWayAMQP = new IoTJumpWayAMQP($_Connection);
>
> if(filter_input(INPUT_GET,'username',FILTER_SANITIZE_STRING)):
>
> $usrExists = $IoTJumpWayAMQP->validateUser();
> if($usrExists['id']):
> if(filter_input(INPUT_GET,'password',FILTER_SANITIZE_STRING)):
> if($IoTJumpWayAMQP->verify_password(filter_input(INPUT_GET,'password',FILTER_SANITIZE_STRING),$usrExists['pwd'])):
> echo "allow " . $usrExists['usrLvl'];
> else:
> echo "deny";
> endif;
> elseif(filter_input(INPUT_GET,'name',FILTER_SANITIZE_STRING)):
> if($usrExists['typer']=="device"):
>
> $valid_names =[
> $usrExists['lcnid']."_devices_".$usrExists['id']."_commands",
> $usrExists['lcnid']."_devices_".$usrExists['id']."_sensors",
> $usrExists['lcnid']."_devices_".$usrExists['id']."_actuators",
> $usrExists['lcnid']."_devices_".$usrExists['id']."_warnings",
> ];
> if( in_array(filter_input(INPUT_GET,'name',FILTER_SANITIZE_STRING),
> $valid_names) ):
> echo "allow";
> else:
> echo "deny";
> endif;
> else:
>
> $valid_names =[
> $usrExists['lcnid']."_".$usrExists['id']."_commands",
> $usrExists['lcnid']."_".$usrExists['id']."_sensors",
> $usrExists['lcnid']."_".$usrExists['id']."_actuators",
> $usrExists['lcnid']."_".$usrExists['id']."_warnings",
> ];
> if( in_array(filter_input(INPUT_GET,'name',FILTER_SANITIZE_STRING),
> $valid_names) ):
> echo "allow";
> else:
> echo "deny";
> endif;
> endif;
> elseif( filter_input(INPUT_GET,'vhost',FILTER_SANITIZE_STRING)):
> echo "allow";
> else:
> echo "deny";
> endif;
> else:
> echo "deny";
> endif;
>
> else:
> echo "deny";
> endif;
http://www.rabbitmq.com/configure.html
Adam, it would be *immensely* helpful if you post log file contents
instead of leaving folks on this list guessing why authentication fails.
On 21 April 2016 at 23:23:18, Adam Milton-Barker (adammilt...@gmail.com) wrote:
> Using the suggested methods, cannot connect to the management on a
> different port with ssl activated, steps taken were updating the conf file
> (Which is now commented out again ) and then opening the port through
> firewall also cannot authenticate via the plugin:
>
> %% -*- mode: erlang -*-
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ Sample Configuration File.
> %%
> %% See http://www.rabbitmq.com/configure.html for details.
> %%
> ----------------------------------------------------------------------------
> [
> {ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
> {rabbit,
> [%%
> %% Network Connectivity
> %% ====================
> %%
>
> %% By default, RabbitMQ will listen on all interfaces, using
> %% the standard (reserved) AMQP port.
> %%
> %%{tcp_listeners, [5672]},
>
> %% To listen on a specific interface, provide a tuple of {IpAddress,
> Port}.
> %% For example, to listen only on localhost for both IPv4 and IPv6:
> %%
> %% {tcp_listeners, [{"127.0.0.1", 5672},
> %% {"::1", 5672}]},
>
> %% SSL listeners are configured in the same fashion as TCP listeners,
> %% including the option to control the choice of interface.
> %%
> {ssl_listeners, [5671]},
>
> %% Number of Erlang processes that will accept connections for the TCP
> %% and SSL listeners.
> %%
> %% {num_tcp_acceptors, 10},
> %% {num_ssl_acceptors, 1},
>
> %% Maximum time for AMQP 0-8/0-9/0-9-1 handshake (after socket connection
> %% and SSL handshake), in milliseconds.
> %%
> %% {handshake_timeout, 10000},
>
> %% Log levels (currently just used for connection logging).
> %% One of 'debug', 'info', 'warning', 'error' or 'none', in decreasing
> %% order of verbosity. Defaults to 'info'.
> %%
> {log_levels, [{connection, info}, {channel, info}]},
>
> %% Set to 'true' to perform reverse DNS lookups when accepting a
> %% connection. Hostnames will then be shown instead of IP addresses
> %% in rabbitmqctl and the management plugin.
> %%
> %% {reverse_dns_lookups, true},
>
> %%
> %% Security / AAA
> %% ==============
> %%
>
> %% The default "guest" user is only permitted to access the server
> %% via a loopback interface (e.g. localhost).
> %% {loopback_users, [<<"guest">>]},
> %%
> %% Uncomment the following line if you want to allow access to the
> %% guest user from anywhere on the network.
> %% {loopback_users, []},
>
> %% Configuring SSL.
> %% See http://www.rabbitmq.com/ssl.html for full documentation.
> %%
>
> {ssl_options, [{cacertfile, "/etc/rabbitmq/certs/ca.pem"},
> {certfile, "/etc/rabbitmq/certs/crt.pem"},
> {keyfile, "/etc/rabbitmq/certs/key.pem"},
> {versions, ['tlsv1.2', 'tlsv1.1']},
> {verify, verify_peer},
> {fail_if_no_peer_cert, false}]},
>
>
> %% Choose the available SASL mechanism(s) to expose.
> %% The two default (built in) mechanisms are 'PLAIN' and
> %% 'AMQPLAIN'. Additional mechanisms can be added via
> %% plugins.
> %%
> %% See http://www.rabbitmq.com/authentication.html for more details.
> %%
> %% {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
>
> %% Select an authentication database to use. RabbitMQ comes bundled
> %% with a built-in auth-database, based on mnesia.
> %%
> {auth_backends, [rabbit_auth_backend_http]},
>
> %% Configurations supporting the rabbitmq_auth_mechanism_ssl and
> %% rabbitmq_auth_backend_ldap plugins.
> %%
> %% NB: These options require that the relevant plugin is enabled.
> %% See http://www.rabbitmq.com/plugins.html for further details.
>
> %% The RabbitMQ-auth-mechanism-ssl plugin makes it possible to
> %% authenticate a user based on the client's SSL certificate.
> %%
> %% To use auth-mechanism-ssl, add to or replace the auth_mechanisms
> %% list with the entry 'EXTERNAL'.
> %%
> %% {auth_mechanisms, ['EXTERNAL']},
>
> %% The rabbitmq_auth_backend_ldap plugin allows the broker to
> %% perform authentication and authorisation by deferring to an
> %% external LDAP server.
> %%
> %% For more information about configuring the LDAP backend, see
> %% http://www.rabbitmq.com/ldap.html.
> %%
> %% Enable the LDAP auth backend by adding to or replacing the
> %% auth_backends entry:
> %%
> %% {auth_backends, [rabbit_auth_backend_ldap]},
>
> %% This pertains to both the rabbitmq_auth_mechanism_ssl plugin and
> %% STOMP ssl_cert_login configurations. See the rabbitmq_stomp
> %% configuration section later in this file and the README in
> %% https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl for further
> %% details.
> %%
> %% To use the SSL cert's CN instead of its DN as the username
> %%
> %% {ssl_cert_login_from, common_name},
>
> %% SSL handshake timeout, in milliseconds.
> %%
> %% {ssl_handshake_timeout, 5000},
>
> %% Password hashing implementation. Will only affect newly
> %% created users. To recalculate hash for an existing user
> %% it's necessary to update her password.
> %%
> %% {password_hashing_module, rabbit_password_hashing_sha256},
>
> %%
> %% Default User / VHost
> %% ====================
> %%
>
> %% On first start RabbitMQ will create a vhost and a user. These
> %% config items control what gets created. See
> %% http://www.rabbitmq.com/access-control.html for further
> %% information about vhosts and access control.
> %%
> %% {default_vhost, <<"/">>},
> %% {default_user, <<"guest">>},
> %% {default_pass, <<"guest">>},
> %% {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
>
> %% Tags for default user
> %%
> %% For more details about tags, see the documentation for the
> %% Management Plugin at http://www.rabbitmq.com/management.html.
> %%
> %% {default_user_tags, [administrator]},
>
> %%
> %% Additional network and protocol related configuration
> %% =====================================================
> %%
>
> %% Set the default AMQP heartbeat delay (in seconds).
> %%
> %% {heartbeat, 600},
>
> %% Set the max permissible size of an AMQP frame (in bytes).
> %%
> %% {frame_max, 131072},
>
> %% Set the max frame size the server will accept before connection
> %% tuning occurs
> %%
> %% {initial_frame_max, 4096},
>
> %% Set the max permissible number of channels per connection.
> %% 0 means "no limit".
> %%
> %% {channel_max, 128},
>
> %% Customising Socket Options.
> %%
> %% See (http://www.erlang.org/doc/man/inet.html#setopts-2) for
> %% further documentation.
> %%
> %% {tcp_listen_options, [{backlog, 128},
> %% {nodelay, true},
> %% {exit_on_close, false}]},
>
> %%
> %% Resource Limits & Flow Control
> %% ==============================
> %%
> %% See http://www.rabbitmq.com/memory.html for full details.
>
> %% Memory-based Flow Control threshold.
> %%
> %% {vm_memory_high_watermark, 0.4},
>
> %% Alternatively, we can set a limit (in bytes) of RAM used by the node.
> %%
> %% {vm_memory_high_watermark, {absolute, 1073741824}},
> %%
> %% Or you can set absolute value using memory units.
> %%
> %% {vm_memory_high_watermark, {absolute, "1024M"}},
> %%
> %% Supported units suffixes:
> %%
> %% k, kiB: kibibytes (2^10 bytes)
> %% M, MiB: mebibytes (2^20)
> %% G, GiB: gibibytes (2^30)
> %% kB: kilobytes (10^3)
> %% MB: megabytes (10^6)
> %% GB: gigabytes (10^9)
>
> %% Fraction of the high watermark limit at which queues start to
> %% page message out to disc in order to free up memory.
> %%
> %% Values greater than 0.9 can be dangerous and should be used carefully.
> %%
> %% {vm_memory_high_watermark_paging_ratio, 0.5},
>
> %% Interval (in milliseconds) at which we perform the check of the memory
> %% levels against the watermarks.
> %%
> %% {memory_monitor_interval, 2500},
>
> %% Set disk free limit (in bytes). Once free disk space reaches this
> %% lower bound, a disk alarm will be set - see the documentation
> %% listed above for more details.
> %%
> %% {disk_free_limit, 50000000},
> %%
> %% Or you can set it using memory units (same as in
> vm_memory_high_watermark)
> %% {disk_free_limit, "50MB"},
> %% {disk_free_limit, "50000kB"},
> %% {disk_free_limit, "2GB"},
>
> %% Alternatively, we can set a limit relative to total available RAM.
> %%
> %% Values lower than 1.0 can be dangerous and should be used carefully.
> %% {disk_free_limit, {mem_relative, 2.0}},
>
> %%
> %% Misc/Advanced Options
> %% =====================
> %%
> %% NB: Change these only if you understand what you are doing!
> %%
>
> %% To announce custom properties to clients on connection:
> %%
> %% {server_properties, []},
>
> %% How to respond to cluster partitions.
> %% See http://www.rabbitmq.com/partitions.html for further details.
> %%
> %% {cluster_partition_handling, ignore},
>
> %% Make clustering happen *automatically* at startup - only applied
> %% to nodes that have just been reset or started for the first time.
> %% See http://www.rabbitmq.com/clustering.html#auto-config for
> %% further details.
> %%
> %% {cluster_nodes, {['rab...@my.host.com'], disc}},
>
> %% Interval (in milliseconds) at which we send keepalive messages
> %% to other cluster members. Note that this is not the same thing
> %% as net_ticktime; missed keepalive messages will not cause nodes
> %% to be considered down.
> %%
> %% {cluster_keepalive_interval, 10000},
>
> %% Set (internal) statistics collection granularity.
> %%
> %% {collect_statistics, none},
>
> %% Statistics collection interval (in milliseconds).
> %%
> %% {collect_statistics_interval, 5000},
>
> %% Explicitly enable/disable hipe compilation.
> %%
> %% {hipe_compile, true},
>
> %% Timeout used when waiting for Mnesia tables in a cluster to
> %% become available.
> %%
> %% {mnesia_table_loading_timeout, 30000},
>
> %% Size in bytes below which to embed messages in the queue index. See
> %% http://www.rabbitmq.com/persistence-conf.html
> %%
> %% {queue_index_embed_msgs_below, 4096}
>
> ]},
> {rabbitmq_auth_backend_http,
> [{user_path,
> "https://iot.techbubbletechnologies.com/API/AMQP/Authenticate/1_0/auth.php"},
> {vhost_path,
> "https://iot.techbubbletechnologies.com/API/AMQP/Authenticate/1_0/auth.php"},
> {resource_path,
> "https://iot.techbubbletechnologies.com/API/AMQP/Authenticate/1_0/auth.php"}]},
>
> %%
> ----------------------------------------------------------------------------
> %% Advanced Erlang Networking/Clustering Options.
> %%
> %% See http://www.rabbitmq.com/clustering.html for details
> %%
> ----------------------------------------------------------------------------
> {kernel,
> [%% Sets the net_kernel tick time.
> %% Please see http://erlang.org/doc/man/kernel_app.html and
> %% http://www.rabbitmq.com/nettick.html for further details.
> %%
> %% {net_ticktime, 60}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ Management Plugin
> %%
> %% See http://www.rabbitmq.com/management.html for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_management,
> [%% Pre-Load schema definitions from the following JSON file. See
> %% http://www.rabbitmq.com/management.html#load-definitions
> %%
> %% {load_definitions, "/path/to/schema.json"},
>
> %% Log all requests to the management HTTP API to a file.
> %%
> %% {http_log_dir, "/path/to/access.log"},
>
> %% Change the port on which the HTTP listener listens,
> %% specifying an interface for the web server to bind to.
> %% Also set the listener to use SSL and provide SSL options.
> %%
> %%{listener, [{port, 12345},
> %% {ssl, true},
> %% {ssl_opts, [{cacertfile,
> "/etc/rabbitmq/certs/ca.pem"},
> %% {certfile, "/etc/rabbitmq/certs/crt.pem"},
> %% {keyfile,
> "/etc/rabbitmq/certs/key.pem"}]},
> %%
> %% One of 'basic', 'detailed' or 'none'. See
> %% http://www.rabbitmq.com/management.html#fine-stats for more details.
> %% {rates_mode, basic},
>
> %% Configure how long aggregated data (such as message rates and queue
> %% lengths) is retained. Please read the plugin's documentation in
> %% http://www.rabbitmq.com/management.html#configuration for more
> %% details.
> %%
> %% {sample_retention_policies,
> %% [{global, [{60, 5}, {3600, 60}, {86400, 1200}]},
> %% {basic, [{60, 5}, {3600, 60}]},
> %% {detailed, [{10, 5}]}]}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ Shovel Plugin
> %%
> %% See http://www.rabbitmq.com/shovel.html for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_shovel,
> [{shovels,
> [%% A named shovel worker.
> %% {my_first_shovel,
> %% [
>
> %% List the source broker(s) from which to consume.
> %%
> %% {sources,
> %% [%% URI(s) and pre-declarations for all source broker(s).
> %% {brokers, ["amqp://user:pass...@host.domain/my_vhost"]},
> %% {declarations, []}
> %% ]},
>
> %% List the destination broker(s) to publish to.
> %% {destinations,
> %% [%% A singular version of the 'brokers' element.
> %% {broker, "amqp://"},
> %% {declarations, []}
> %% ]},
>
> %% Name of the queue to shovel messages from.
> %%
> %% {queue, <<"your-queue-name-goes-here">>},
>
> %% Optional prefetch count.
> %%
> %% {prefetch_count, 10},
>
> %% when to acknowledge messages:
> %% - no_ack: never (auto)
> %% - on_publish: after each message is republished
> %% - on_confirm: when the destination broker confirms receipt
> %%
> %% {ack_mode, on_confirm},
>
> %% Overwrite fields of the outbound basic.publish.
> %%
> %% {publish_fields, [{exchange, <<"my_exchange">>},
> %% {routing_key, <<"from_shovel">>}]},
>
> %% Static list of basic.properties to set on re-publication.
> %%
> %% {publish_properties, [{delivery_mode, 2}]},
>
> %% The number of seconds to wait before attempting to
> %% reconnect in the event of a connection failure.
> %%
> %% {reconnect_delay, 2.5}
>
> %% ]} %% End of my_first_shovel
> ]}
> %% Rather than specifying some values per-shovel, you can specify
> %% them for all shovels here.
> %%
> %% {defaults, [{prefetch_count, 0},
> %% {ack_mode, on_confirm},
> %% {publish_fields, []},
> %% {publish_properties, [{delivery_mode, 2}]},
> %% {reconnect_delay, 2.5}]}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ Stomp Adapter
> %%
> %% See http://www.rabbitmq.com/stomp.html for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_stomp,
> [%% Network Configuration - the format is generally the same as for the
> broker
>
> %% Listen only on localhost (ipv4 & ipv6) on a specific port.
> %% {tcp_listeners, [{"127.0.0.1", 61613},
> %% {"::1", 61613}]},
>
> %% Listen for SSL connections on a specific port.
> %% {ssl_listeners, [61614]},
>
> %% Number of Erlang processes that will accept connections for the TCP
> %% and SSL listeners.
> %%
> %% {num_tcp_acceptors, 10},
> %% {num_ssl_acceptors, 1},
>
> %% Additional SSL options
>
> %% Extract a name from the client's certificate when using SSL.
> %%
> %% {ssl_cert_login, true},
>
> %% Set a default user name and password. This is used as the default
> login
> %% whenever a CONNECT frame omits the login and passcode headers.
> %%
> %% Please note that setting this will allow clients to connect without
> %% authenticating!
> %%
> %% {default_user, [{login, "guest"},
> %% {passcode, "guest"}]},
>
> %% If a default user is configured, or you have configured use SSL client
> %% certificate based authentication, you can choose to allow clients to
> %% omit the CONNECT frame entirely. If set to true, the client is
> %% automatically connected as the default user or user supplied in the
> %% SSL certificate whenever the first frame sent on a session is not a
> %% CONNECT frame.
> %%
> %% {implicit_connect, true}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ MQTT Adapter
> %%
> %% See https://github.com/rabbitmq/rabbitmq-mqtt/blob/stable/README.md
> %% for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_mqtt,
> [%% Set the default user name and password. Will be used as the default
> login
> %% if a connecting client provides no other login details.
> %%
> %% Please note that setting this will allow clients to connect without
> %% authenticating!
> %%
> %% {default_user, <<"guest">>},
> %% {default_pass, <<"guest">>},
>
> %% Enable anonymous access. If this is set to false, clients MUST provide
> %% login information in order to connect. See the
> default_user/default_pass
> %% configuration elements for managing logins without authentication.
> %%
> %% {allow_anonymous, true},
>
> %% If you have multiple chosts, specify the one to which the
> %% adapter connects.
> %%
> %% {vhost, <<"/">>},
>
> %% Specify the exchange to which messages from MQTT clients are
> published.
> %%
> %% {exchange, <<"amq.topic">>},
>
> %% Specify TTL (time to live) to control the lifetime of non-clean
> sessions.
> %%
> %% {subscription_ttl, 1800000},
>
> %% Set the prefetch count (governing the maximum number of unacknowledged
> %% messages that will be delivered).
> %%
> %% {prefetch, 10},
>
> %% TCP/SSL Configuration (as per the broker configuration).
> %%
> %% {tcp_listeners, [1883]},
> %% {ssl_listeners, []},
>
> %% Number of Erlang processes that will accept connections for the TCP
> %% and SSL listeners.
> %%
> %% {num_tcp_acceptors, 10},
> %% {num_ssl_acceptors, 1},
>
> %% TCP/Socket options (as per the broker configuration).
> %%
> %% {tcp_listen_options, [{backlog, 128},
> %% {nodelay, true}]}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ AMQP 1.0 Support
> %%
> %% See https://github.com/rabbitmq/rabbitmq-amqp1.0/blob/stable/README.md
> %% for details
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_amqp1_0,
> [%% Connections that are not authenticated with SASL will connect as this
> %% account. See the README for more information.
> %%
> %% Please note that setting this will allow clients to connect without
> %% authenticating!
> %%
> %% {default_user, "guest"},
>
> %% Enable protocol strict mode. See the README for more information.
> %%
> %% {protocol_strict_mode, false}
> ]},
>
> %%
> ----------------------------------------------------------------------------
> %% RabbitMQ LDAP Plugin
> %%
> %% See http://www.rabbitmq.com/ldap.html for details.
> %%
> %%
> ----------------------------------------------------------------------------
>
> {rabbitmq_auth_backend_ldap,
> [%%
> %% Connecting to the LDAP server(s)
> %% ================================
> %%
>
> %% Specify servers to bind to. You *must* set this in order for the
> plugin
> %% to work properly.
> %%
> %% {servers, ["your-server-name-goes-here"]},
>
> %% Connect to the LDAP server using SSL
> %%
> %% {use_ssl, false},
>
> %% Specify the LDAP port to connect to
> %%
> %% {port, 389},
>
> %% LDAP connection timeout, in milliseconds or 'infinity'
> %%
> %% {timeout, infinity},
>
> %% Enable logging of LDAP queries.
> %% One of
> %% - false (no logging is performed)
> %% - true (verbose logging of the logic used by the plugin)
> %% - network (as true, but additionally logs LDAP network traffic)
> %%
> %% Defaults to false.
> %%
> %% {log, false},
>
> %%
> %% Authentication
> %% ==============
> %%
>
> %% Pattern to convert the username given through AMQP to a DN before
> %% binding
> %%
> %% {user_dn_pattern, "cn=${username},ou=People,dc=example,dc=com"},
>
> %% Alternatively, you can convert a username to a Distinguished
> %% Name via an LDAP lookup after binding. See the documentation for
> %% full details.
>
> %% When converting a username to a dn via a lookup, set these to
> %% the name of the attribute that represents the user name, and the
> %% base DN for the lookup query.
> %%
> %% {dn_lookup_attribute, "userPrincipalName"},
> %% {dn_lookup_base, "DC=gopivotal,DC=com"},
>
> %% Controls how to bind for authorisation queries and also to
> %% retrieve the details of users logging in without presenting a
> %% password (e.g., SASL EXTERNAL).
> %% One of
> %% - as_user (to bind as the authenticated user - requires a password)
> %% - anon (to bind anonymously)
> %% - {UserDN, Password} (to bind with a specified user name and
> password)
> %%
> %% Defaults to 'as_user'.
> %%
> %% {other_bind, as_user},
>
> %%
> %% Authorisation
> %% =============
> %%
>
> %% The LDAP plugin can perform a variety of queries against your
> %% LDAP server to determine questions of authorisation. See
> %% http://www.rabbitmq.com/ldap.html#authorisation for more
> %% information.
>
> %% Set the query to use when determining vhost access
> %%
> %% {vhost_access_query, {in_group,
> %%
> "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}},
>
> %% Set the query to use when determining resource (e.g., queue) access
> %%
> %% {resource_access_query, {constant, true}},
>
> %% Set queries to determine which tags a user has
> %%
> %% {tag_queries, []}
> ]}
> ].
>
>
> ANd for the plugin script:
>
>
>
> class IoTJumpWayAMQP{
> protected $_Secure_Connection;
> public function __construct(Connection $dbcon) {
> $this->_Secure_Connection = $dbcon->dbcon;
> }
> public static function verify_password($password,$hash) {
> return password_verify($password, $hash);
> }
> public function validateUser(){
> $TechBubble_DBQuery = $this->_Secure_Connection->prepare("
> SELECT *
> FROM DBTABLE
> WHERE usr=:usr
> ");
> $TechBubble_DBQuery->execute([
> ':usr'=>filter_input(INPUT_GET,'username',FILTER_SANITIZE_STRING)
> ]);
> $usrDta=$TechBubble_DBQuery->fetch(PDO::FETCH_ASSOC);
> return $usrDta;
> }
> }
>
> $IoTJumpWayAMQP = new IoTJumpWayAMQP($_Connection);
>
> if(filter_input(INPUT_GET,'username',FILTER_SANITIZE_STRING)):
>
> $usrExists = $IoTJumpWayAMQP->validateUser();
> if($usrExists['id']):
> if(filter_input(INPUT_GET,'password',FILTER_SANITIZE_STRING)):
> if($IoTJumpWayAMQP->verify_password(filter_input(INPUT_GET,'password',FILTER_SANITIZE_STRING),$usrExists['pwd'])):
> echo "allow " . $usrExists['usrLvl'];
> else:
> echo "deny";
> endif;
> elseif(filter_input(INPUT_GET,'name',FILTER_SANITIZE_STRING)):
> if($usrExists['typer']=="device"):
>
> $valid_names =[
> $usrExists['lcnid']."_devices_".$usrExists['id']."_commands",
> $usrExists['lcnid']."_devices_".$usrExists['id']."_sensors",
> $usrExists['lcnid']."_devices_".$usrExists['id']."_actuators",
> $usrExists['lcnid']."_devices_".$usrExists['id']."_warnings",
> ];
> if( in_array(filter_input(INPUT_GET,'name',FILTER_SANITIZE_STRING),
> $valid_names) ):
> echo "allow";
> else:
> echo "deny";
> endif;
> else:
>
> $valid_names =[
> $usrExists['lcnid']."_".$usrExists['id']."_commands",
> $usrExists['lcnid']."_".$usrExists['id']."_sensors",
> $usrExists['lcnid']."_".$usrExists['id']."_actuators",
> $usrExists['lcnid']."_".$usrExists['id']."_warnings",
> ];
> if( in_array(filter_input(INPUT_GET,'name',FILTER_SANITIZE_STRING),
> $valid_names) ):
> echo "allow";
> else:
> echo "deny";
> endif;
> endif;
> elseif( filter_input(INPUT_GET,'vhost',FILTER_SANITIZE_STRING)):
> echo "allow";
> else:
> echo "deny";
> endif;
> else:
> echo "deny";
> endif;
>
> else:
> echo "deny";
> endif;
> --
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
Adam Milton-Barker
Apr 21, 2016, 4:30:16 PM4/21/16
to rabbitmq-users
Restarting is the first thing I do after an edit
Michael Klishin
Apr 21, 2016, 4:33:19 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
On 21 April 2016 at 23:27:00, Adam Milton-Barker (adammilt...@gmail.com) wrote:
> =WARNING REPORT==== 21-Apr-2016::22:13:30 ===
> HTTP access denied: user 'ADMINUSER' - invalid credentials
>
> =ERROR REPORT==== 21-Apr-2016::22:13:30 ===
> webmachine error: path="/api/whoami"
> "Unauthorized"
>
> This is incorrect if the plugin actually works as the credentials
> are correct
OK, so have the rabbitmq_auth_backend_http plugin enabled but this was never mentioned :/
> =WARNING REPORT==== 21-Apr-2016::22:13:30 ===
> HTTP access denied: user 'ADMINUSER' - invalid credentials
>
> =ERROR REPORT==== 21-Apr-2016::22:13:30 ===
> webmachine error: path="/api/whoami"
> "Unauthorized"
>
> This is incorrect if the plugin actually works as the credentials
> are correct
I was going to recommend trying rabbitmqctl authenticate_user [1] but the issue is
in your HTTP app responses.
The README explains what responses are expected:
https://github.com/rabbitmq/rabbitmq-auth-backend-http
and there is a small Python/Django app in the repo to use as an example:
https://github.com/rabbitmq/rabbitmq-auth-backend-http/tree/master/examples/rabbitmq_auth_backend_django
1. https://www.rabbitmq.com/man/rabbitmqctl.1.man.html
Message has been deleted
Adam Milton-Barker
Apr 21, 2016, 4:38:07 PM4/21/16
to rabbitmq-users
It was mentioned, also the documentation does not actually show and the example just allows all which mine does as well,
Adam Milton-Barker
Apr 21, 2016, 4:42:52 PM4/21/16
to rabbitmq-users
What are you suggesting is missing as according the example there is nothing missing.
Michael Klishin
Apr 21, 2016, 4:43:47 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
On 21 April 2016 at 23:38:10, Adam Milton-Barker (adammilt...@gmail.com) wrote:
> the documentation does not actually show and the example just
> allows all which mine does as well
See "Permissions" in http://www.rabbitmq.com/management.html.
> the documentation does not actually show and the example just
> allows all which mine does as well
For management UI to be accessible, users need to be tagged with one of
"management", "policymaker", "administrator".
The example app returns different tag lists depending on whether a user
is a superuser (according to the app) [1].
The error in the log says "invalid credentials" most likely because tags are fetched at the authentication
stage, not authorisation [2].
1. https://github.com/rabbitmq/rabbitmq-auth-backend-http/blob/master/examples/rabbitmq_auth_backend_django/rabbitmq_auth_backend_django/auth/views.py#L10
2. http://www.rabbitmq.com/access-control.html
Michael Klishin
Apr 21, 2016, 4:45:45 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
On 21 April 2016 at 23:42:55, Adam Milton-Barker (adammilt...@gmail.com) wrote:
> What are you suggesting is missing as according the example
> there is nothing missing.
I wish I had this much confidence when I have to debug things.
> What are you suggesting is missing as according the example
> there is nothing missing.
Since you don't need any help because clearly nothing is missing, I'll sign off.
Michael Klishin
Apr 21, 2016, 4:47:25 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
Then I'd suggest to check what that value is, using Wireshark or any HTTP request tracer.
Adam Milton-Barker
Apr 21, 2016, 4:56:49 PM4/21/16
to rabbitmq-users, adammilt...@gmail.com
You told me i had missed something that I hadn't I didn't say I don't need help I was merely pointing out that what you said was not there was in fact there. It doesn't seem like the script is even being reached I have a write to text file that is not getting hit.
Michael Klishin
Apr 21, 2016, 5:02:16 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
I wouldn't use a text file. Wireshark and plenty of HTTP traffic tracers have been around for a long time.
You use HTTPS for your app backend. For that to work, HTTP client in the plugin
would have to use HTTPS as well, and thus trust your backend's certificate, and so on.
None of that is currently supported:
https://github.com/rabbitmq/rabbitmq-auth-backend-http/blob/master/src/rabbit_auth_backend_http.erl#L92
Also, the plugin is not meant to be used with apps running on the public Internet, which is what
you have configured. It is meant to be used in trusted environments. The lack of HTTPS support
primarily comes out of that thinking, technically it wouldn't be much effort to add.
On 21 April 2016 at 23:56:58, Adam Milton-Barker (adammilt...@gmail.com) wrote:
> You told me i had missed something that I hadn't I didn't say I don't need
> help I was merely pointing out that what you said was not there was in fact
> there. It doesn't seem like the script is even being reached I have a write
> to text file that is not getting hit.
>
You use HTTPS for your app backend. For that to work, HTTP client in the plugin
would have to use HTTPS as well, and thus trust your backend's certificate, and so on.
None of that is currently supported:
https://github.com/rabbitmq/rabbitmq-auth-backend-http/blob/master/src/rabbit_auth_backend_http.erl#L92
Also, the plugin is not meant to be used with apps running on the public Internet, which is what
you have configured. It is meant to be used in trusted environments. The lack of HTTPS support
primarily comes out of that thinking, technically it wouldn't be much effort to add.
On 21 April 2016 at 23:56:58, Adam Milton-Barker (adammilt...@gmail.com) wrote:
> You told me i had missed something that I hadn't I didn't say I don't need
> help I was merely pointing out that what you said was not there was in fact
> there. It doesn't seem like the script is even being reached I have a write
> to text file that is not getting hit.
>
> On Thursday, April 21, 2016 at 10:47:25 PM UTC+2, Michael Klishin wrote:
> >
> > Then I'd suggest to check what that value is, using Wireshark or any HTTP
> > request tracer.
> >
> > On Thu, Apr 21, 2016 at 11:45 PM, Michael Klishin > > > wrote:
> >
> >> On 21 April 2016 at 23:42:55, Adam Milton-Barker (adammilt...@gmail.com
> >> ) wrote:
> >> > What are you suggesting is missing as according the example
> >> > there is nothing missing.
> >>
> >> I wish I had this much confidence when I have to debug things.
> >>
> >> Since you don't need any help because clearly nothing is missing, I'll
> >> sign off.
> >> --
> >> MK
> >>
> >> Staff Software Engineer, Pivotal/RabbitMQ
> >>
> >>
> >>
> >
> >
> > --
> > MK
> >
> > Staff Software Engineer, Pivotal/RabbitMQ
> >
>
> >
> > Then I'd suggest to check what that value is, using Wireshark or any HTTP
> > request tracer.
> >
> > On Thu, Apr 21, 2016 at 11:45 PM, Michael Klishin > > > wrote:
> >
> >> On 21 April 2016 at 23:42:55, Adam Milton-Barker (adammilt...@gmail.com
> >> ) wrote:
> >> > What are you suggesting is missing as according the example
> >> > there is nothing missing.
> >>
> >> I wish I had this much confidence when I have to debug things.
> >>
> >> Since you don't need any help because clearly nothing is missing, I'll
> >> sign off.
> >> --
> >> MK
> >>
> >> Staff Software Engineer, Pivotal/RabbitMQ
> >>
> >>
> >>
> >
> >
> > --
> > MK
> >
> > Staff Software Engineer, Pivotal/RabbitMQ
> >
>
> --
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
Michael Klishin
Apr 21, 2016, 5:05:15 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
On 22 April 2016 at 00:02:12, Michael Klishin (mkli...@pivotal.io) wrote:
> You use HTTPS for your app backend. For that to work, HTTP client
> in the plugin
> would have to use HTTPS as well, and thus trust your backend's
> certificate, and so on.
> None of that is currently supported:
> https://github.com/rabbitmq/rabbitmq-auth-backend-http/blob/master/src/rabbit_auth_backend_http.erl#L92
>
> Also, the plugin is not meant to be used with apps running on the
> public Internet, which is what
> you have configured. It is meant to be used in trusted environments.
> The lack of HTTPS support
> primarily comes out of that thinking, technically it wouldn't
> be much effort to add.
Filed an issue about this:
> You use HTTPS for your app backend. For that to work, HTTP client
> in the plugin
> would have to use HTTPS as well, and thus trust your backend's
> certificate, and so on.
> None of that is currently supported:
> https://github.com/rabbitmq/rabbitmq-auth-backend-http/blob/master/src/rabbit_auth_backend_http.erl#L92
>
> Also, the plugin is not meant to be used with apps running on the
> public Internet, which is what
> you have configured. It is meant to be used in trusted environments.
> The lack of HTTPS support
> primarily comes out of that thinking, technically it wouldn't
> be much effort to add.
https://github.com/rabbitmq/rabbitmq-auth-backend-http/issues/29
As an alternative to using just HTTP you can use a tool such as stunnel:
https://www.stunnel.org/index.html
Adam Milton-Barker
Apr 21, 2016, 5:12:35 PM4/21/16
to rabbitmq-users, adammilt...@gmail.com
And I will reply the same I replied there:
No environment is trusted, encryption is a must, also how come simonmacmullen stated it would work perfectly fine using https:// . I think I will give AMQP a miss until the fundamentals are in place. Just out of interest how are you suggesting that the plugin can communicate with a URL and be trusted if not using SSL.
No environment is trusted, encryption is a must, also how come simonmacmullen stated it would work perfectly fine using https:// . I think I will give AMQP a miss until the fundamentals are in place. Just out of interest how are you suggesting that the plugin can communicate with a URL and be trusted if not using SSL.
Michael Klishin
Apr 21, 2016, 5:24:41 PM4/21/16
to rabbitm...@googlegroups.com, Adam Milton-Barker
I have no idea where Simon had stated that. For an HTTP client to be able to issue requests to an HTTPS server it has to have a certificate/key pair, worry about which certificates are trusted, and so on. This plugin doesn't do that at the moment, so I'm not sure how it would encrypt anything.
It is possible to use stunnel to encrypt any TLS connection. "The fundamentals" are in place: RabbitMQ supports TLS for every messaging protocol it provides and inter-node links, only this particular plugin doesn't.
It is possible to use stunnel to encrypt any TLS connection. "The fundamentals" are in place: RabbitMQ supports TLS for every messaging protocol it provides and inter-node links, only this particular plugin doesn't.
> --
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
Adam Milton-Barker
Apr 21, 2016, 5:40:20 PM4/21/16
to rabbitmq-users, adammilt...@gmail.com
He stated it here. Seems he is pretty confident it works with SSL I will play around a bit more if not will leave it as it doesn't seem to be anywhere near ready for a production environment, issues that drastically need sorting are stopping the use of GET and ensuring secure communication using SSL, as it it looks like every person using this plugin is exposing their credentials in plain text on unencrypted channels.
https://github.com/rabbitmq/rabbitmq-auth-backend-http/issues/3
https://github.com/rabbitmq/rabbitmq-auth-backend-http/issues/3
Adam Milton-Barker
Apr 21, 2016, 5:42:30 PM4/21/16
to rabbitmq-users, adammilt...@gmail.com
I will have a play in the sourcecode over the weekend see if I can help out making it a bit more secure mate.
Reply all
Reply to author
Forward
0 new messages