
Installation

Follow the instructions found on the RabbitMQ site to install.

Peg the version of Erlang (currently the maximum supported version is v20; installing v21 will cause RabbitMQ to crash).

First install esl-erlang (not erlang):

https://tecadmin.net/install-erlang-on-ubuntu/

Then install the RabbitMQ repository as described in the link below (check the link first, in case the procedure has changed):

https://www.rabbitmq.com/install-debian.html

Increase file descriptors

sudo systemctl edit rabbitmq-server

Paste in the following:

[Service]
LimitNOFILE=300000

See the section "Using rabbitmq.com APT Repository".

Also see how to use the management utility:

https://www.rabbitmq.com/man/rabbitmqctl.1.man.html

Starting and stopping

sudo systemctl start rabbitmq-server

Enable Management Utility

To access the management utility we need to make a temporary change to the config that allows signing in as guest from a non-local host.

sudo nano /etc/rabbitmq/rabbitmq.config

(the file doesn't exist yet; it will be created when you save)

(note that the file name ends in .config, not .conf!)

#rabbitmq.config

[{rabbit, [{loopback_users, []}]}].

Note the dot at the end! This config is only temporary, to enable signing in to the management tool as guest; it will later be rewritten as part of the MQTT plugin config below.

sudo rabbitmq-plugins enable rabbitmq_management

Create Users and Eliminate Guest User

Now you can navigate to http://127.0.0.1:15672

You should be able to enter the management panel using user “guest” and password “guest”.

  • Create a new admin user
  • Give permissions to virtual host / * * *
  • Delete guest guest user
  • Create a test client user with different password

(permissions: configure regex .* , write regex .* , read regex .*)

Note: the MQTT dashboard appears to need configure permissions to work.
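The same four steps can be done from the command line with rabbitmqctl, which talks to the node directly and so does not need the loopback_users change above at all. The script below is an added example, not part of this page; it assumes rabbitmqctl is installed and run via sudo (override with RABBITMQCTL, e.g. RABBITMQCTL=echo for a dry run), and the user names and passwords are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: provision RabbitMQ users with rabbitmqctl instead of the web panel.
# Assumes rabbitmqctl is available; set RABBITMQCTL=echo to see the commands without running them.
set -eu

RABBITMQCTL="${RABBITMQCTL:-sudo rabbitmqctl}"

# provision_users ADMIN ADMIN_PASSWORD CLIENT CLIENT_PASSWORD
# Creates an administrator and a client user on vhost "/", gives both
# configure/write/read ".*" (the MQTT dashboard needs configure), then
# removes the built-in guest account.
provision_users() {
    admin="$1"; admin_pw="$2"; client="$3"; client_pw="$4"

    $RABBITMQCTL add_user "$admin" "$admin_pw"
    $RABBITMQCTL set_user_tags "$admin" administrator
    $RABBITMQCTL set_permissions -p / "$admin" ".*" ".*" ".*"

    $RABBITMQCTL add_user "$client" "$client_pw"
    $RABBITMQCTL set_permissions -p / "$client" ".*" ".*" ".*"

    # Last step: once guest is gone, guest/guest no longer opens the panel.
    $RABBITMQCTL delete_user guest
}

# user_exists NAME: reads `rabbitmqctl list_users` output on stdin and
# succeeds when NAME is listed (used afterwards to confirm guest is gone).
user_exists() {
    grep -q "^$1[[:space:]]"
}

# Runs only when called with the four arguments; sourcing the file just defines the functions.
if [ "$#" -eq 4 ]; then
    provision_users "$@"
    if $RABBITMQCTL list_users | user_exists guest; then
        echo "guest user still present" >&2
        exit 1
    fi
    echo "users provisioned; guest removed"
fi
```

After this the panel is entered with the new admin account rather than guest, so the temporary loopback_users config never has to be deployed.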

Set up MQTT Plugin

Enable the MQTT plugin

sudo rabbitmq-plugins enable rabbitmq_mqtt

Edit the config file (below is the config for unencrypted MQTT on port 1883, for testing):

sudo nano /etc/rabbitmq/rabbitmq.config

#/etc/rabbitmq/rabbitmq.config

[{rabbit,        [{tcp_listeners,    [5672]}]},
 {rabbitmq_mqtt, [{default_user,     <<"guest">>},
                  {default_pass,     <<"guest">>},
                  {allow_anonymous,  false},
                  {vhost,            <<"/">>},
                  {exchange,         <<"amq.topic">>},
                  {subscription_ttl, 1800000},
                  {prefetch,         10},
                  {ssl_listeners,    []},
                  %% Default MQTT with TLS port is 8883
                  %%{ssl_listeners,    [8883]},
                  {tcp_listeners,    [1883]},
                  {tcp_listen_options, [{backlog,   128},
                                        {nodelay,   true}]}]}
].

Note! The default user and password are not active unless allow_anonymous is changed to true.

Topic Subscribing and Publishing

FIXME

You can check that MQTT is listening on the expected port:

sudo lsof -i :1883

When subscribing, use the a/b/c/d format.

When publishing, use the a.b.c.d format.

You can now try to connect to RabbitMQ from any MQTT-enabled device. See connecting to MQTT from Android.

You can see your device connected on the Connections tab of the RabbitMQ management dashboard.

Setting up SSL for the management panel

At zibawa.com the management panel runs behind NGINX acting as a reverse proxy, so NGINX takes care of all SSL for the management panel.

Setting up SSL for the messaging connections

We need to set up MQTT on 8883 and also an SSL listener on 5671 for the Zibawa client:

#/etc/rabbitmq/rabbitmq.config

[{rabbit,        [{ssl_listeners, [5671]},
                  {ssl_options, [{cacertfile, "/etc/letsencrypt/live/zibawa.com/chain.pem"},
                                 {certfile, "/etc/letsencrypt/live/zibawa.com/cert.pem"},
                                 {keyfile,"/etc/letsencrypt/live/zibawa.com/privkey.pem"},
                                 {verify,     verify_peer},
                                 {fail_if_no_peer_cert, true}]}
                 ]},
 {rabbitmq_mqtt, [{default_user,     <<"guest">>},
                  {default_pass,     <<"guest">>},
                  {allow_anonymous,  false},
                  {vhost,            <<"/">>},
                  {exchange,         <<"amq.topic">>},
                  {subscription_ttl, 1800000},
                  {prefetch,         10},
                  %% Default MQTT with TLS port is 8883
                  {ssl_listeners,    [8883]},
                  %% for testing but advisable to disable 1883
                  {tcp_listeners,    [1883]},
                  {tcp_listen_options, [{backlog,   128},
                                        {nodelay,   true}]}]},
{rabbitmq_management,
  [{listener, [{port,     15671},
               {ssl,      true},
               {ssl_opts, [{cacertfile, "/etc/letsencrypt/live/zibawa.com/chain.pem"},
                           {certfile,   "/etc/letsencrypt/live/zibawa.com/cert.pem"},
                           {keyfile,    "/etc/letsencrypt/live/zibawa.com/privkey.pem"}]}
              ]}
  ]}
].
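Before pointing the listeners at the Let's Encrypt files it is worth checking the material the way the broker will see it: a key that does not match the certificate, a certificate about to expire, or a file the broker's own user cannot read only shows up as a listener that fails at start-up. The function below is an added example, not from this page; it assumes the openssl command-line tool is installed and takes the certificate and key paths (and an optional validity window in seconds) as arguments.

```shell
#!/bin/sh
# Added example: pre-flight checks on the certificate/key pair that
# rabbitmq.config points at. Assumes the openssl CLI is installed.
set -eu

# check_tls_material CERT KEY [SECONDS]
# Succeeds only when the certificate's public key matches KEY and the
# certificate remains valid for at least SECONDS (default: one day).
check_tls_material() {
    cert="$1"; key="$2"; window="${3:-86400}"

    # Run this as the account the broker runs under (rabbitmq, not root):
    # Let's Encrypt keeps private keys root-only, which the broker cannot read.
    [ -r "$cert" ] || { echo "cannot read certificate $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "cannot read private key $key" >&2; return 1; }

    # Compare the public key embedded in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        return 1
    fi

    # -checkend exits non-zero when the certificate expires within the window.
    if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
        echo "certificate expires within $window seconds" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: check_tls.sh CERT KEY [SECONDS]
if [ "$#" -ge 2 ]; then
    check_tls_material "$@" && echo "ok: $1 matches $2"
fi
```

Run it with sudo -u rabbitmq against the three paths in the config above; the readability test is the one that most often fails on a fresh certbot install.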

Configuring rabbitMQ for LDAP

Prerequisites: set up the LDAP server following the structure determined in setting up LDAP server.

Enable the LDAP plugin in RabbitMQ:

sudo rabbitmq-plugins enable rabbitmq_auth_backend_ldap

The following config allows:

Users with gidNumber=500 (or whatever your super-user gid is) have super-user access. Other users can read and write to */<login>/*/*.

RabbitMQ config file

[{rabbit,        [{tcp_listeners,    [5672]},
                  {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
 {rabbitmq_mqtt, [{default_user,     <<"guest">>},
                  {default_pass,     <<"guest">>},
                  {allow_anonymous,  false},
                  {vhost,            <<"/">>},
                  {exchange,         <<"amq.topic">>},
                  {subscription_ttl, 1800000},
                  {prefetch,         10},
                  {ssl_listeners,    []},
                  %% Default MQTT with TLS port is 8883
                  %% {ssl_listeners,    [8883]}
                  {tcp_listeners,    [1883]},
                  {tcp_listen_options, [{backlog,   128},
                                        {nodelay,   true}]}]},
{rabbitmq_auth_backend_ldap,
   [ {servers,               ["localhost"]},
     {user_dn_pattern,       "cn=${username},ou=users,dc=zibawa,dc=com"},
     {use_ssl,               false},
     {port,                  389},
     {log,                   true},
     {vhost_access_query, {constant,true}},
     %%admin must have gidNumber 500 - */*/*/*
     %%non-admin can read and write to */login/*/*

     {resource_access_query,
      {for, [{permission, configure, {'or', [
                 {match, {string, "${name}"},
                         {string, "^mqtt-subscription-.+"}},
                 {equals, {attribute, "${user_dn}", "gidNumber"},
                          {string, "500"}}
             ]}},
             {permission, write, {'or', [
                 {match, {string, "${name}"},
                         {string, "^mqtt-subscription-.+"}},
                 %% below is adapted for compatibility with Kura, which prefixes messages with $
                 {match, {string, "${name}"},
                         {string, "^[$a-zA-Z0-9/]+[./]${username}[./]"}},
                 {match, {string, "${name}"},
                         {string, "^amq.topic"}},
                 {equals, {attribute, "${user_dn}", "gidNumber"},
                          {string, "500"}}
             ]}},
             {permission, read, {'or', [
                 {match, {string, "${name}"},
                         {string, "^mqtt-subscription-.+"}},
                 {match, {string, "${name}"},
                         {string, "^[$a-zA-Z0-9/]+[./]${username}[./]"}},
                 {match, {string, "${name}"},
                         {string, "^amq.topic"}},
                 {equals, {attribute, "${user_dn}", "gidNumber"},
                          {string, "500"}}
             ]}}
            ]}},
     {tag_queries, [{administrator, {equals, {attribute, "${user_dn}", "gidNumber"},
                                             {string, "500"}}},
                    {management,    {equals, {attribute, "${user_dn}", "gidNumber"},
                                             {string, "500"}}}]}
   ]
  }
].




Don't forget to restart RabbitMQ for the config to take effect.
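The regexes in resource_access_query are the part of this config that is easiest to get wrong, and a mistake only shows up as an access-refused line in the broker log after the restart. The script below is an added example (not part of the page's config): it reproduces the three permission branches above with grep -E so that a candidate name can be tested offline, and it also applies the a/b/c/d to a.b.c.d translation described under "Topic Subscribing and Publishing" (RabbitMQ's MQTT plugin swaps / and . when it turns an MQTT topic into a routing key). It assumes usernames are plain alphanumerics, as the cn=${username} pattern above expects, so ${username} can be substituted into the regex unescaped; the gid, user and topic values in the comments are constructed.

```shell
#!/bin/sh
# Added example: offline check of the LDAP resource_access_query above.
# Mirrors its three {permission, ...} branches with grep -E; assumes plain
# alphanumeric usernames so ${username} can be substituted into the regex as-is.
set -eu

ADMIN_GID=500   # gidNumber that the config treats as super user

# mqtt_to_routing_key TOPIC: the MQTT plugin swaps '/' and '.' when it turns an
# MQTT topic into an AMQP routing key (a/b/c/d -> a.b.c.d, and a.b -> a/b).
mqtt_to_routing_key() {
    printf '%s' "$1" | tr '/.' './'
}

# matches NAME PATTERN: true when NAME matches the extended regex PATTERN.
matches() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# resource_allowed PERMISSION NAME USERNAME GIDNUMBER
# PERMISSION is configure, write or read. Returns 0 when the config would grant it.
resource_allowed() {
    perm="$1"; name="$2"; user="$3"; gid="$4"

    # {equals, {attribute, "${user_dn}", "gidNumber"}, {string, "500"}}
    [ "$gid" = "$ADMIN_GID" ] && return 0
    # {match, {string, "${name}"}, {string, "^mqtt-subscription-.+"}}
    matches "$name" '^mqtt-subscription-.+' && return 0

    case "$perm" in
        configure)
            return 1 ;;           # only the two branches above grant configure
        write|read)
            # ^[$a-zA-Z0-9/]+[./]${username}[./]   (Kura-style $EDC/... prefixes allowed)
            matches "$name" "^[\$a-zA-Z0-9/]+[./]${user}[./]" && return 0
            # ^amq.topic
            matches "$name" '^amq.topic' && return 0
            return 1 ;;
        *)
            echo "unknown permission: $perm" >&2
            return 2 ;;
    esac
}

# Stand-alone use: ldap_check.sh PERMISSION NAME USERNAME GIDNUMBER
# e.g. ldap_check.sh write '$EDC/zibawa/bob/MQTT/BIRTH' bob 1000   (constructed values)
if [ "$#" -eq 4 ]; then
    if resource_allowed "$@"; then echo "allowed"; else echo "denied"; exit 1; fi
fi
```

One thing the check makes visible: the character class in the Kura branch contains / but not ., so in a slash-separated name the login is recognised at any depth, while in a dotted routing key it is only recognised as the second segment (sensors.bob.temp passes, sensors.lab.bob.temp does not). Whether that is what you want depends on how your clients name their topics.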

adm/setting_up_rabbitmq.txt · Last modified: 2018/07/04 17:44 by matt