
Set up TLS to and from high-transfer

This requires the shovel and high-logstash to use TLS
Sindre Stephansen 3 anni fa
parent
commit
128e4af996
6 ha cambiato i file con 79 aggiunte e 1 eliminazioni
  1. +5
    -0
      docker-compose.yml
  2. +6
    -0
      keys/.gitignore
  3. +55
    -0
      keys/generate-key.sh
  4. +4
    -0
      pipelines/rabbitmq-stdout.conf
  5. +1
    -1
      rabbitmq/low-definitions.json
  6. +8
    -0
      rabbitmq/tls.conf

+ 5
- 0
docker-compose.yml Vedi File

@@ -6,6 +6,7 @@ services:
command: logstash -f /pipeline.conf
volumes:
- "./pipelines/rabbitmq-stdout.conf:/pipeline.conf:ro"
- "./keys/high-transfer.p12:/keys/cert.p12:ro"
networks:
- high
depends_on:
@@ -15,7 +16,11 @@ services:
image: rabbitmq:latest
volumes:
- "./rabbitmq/load-definitions.conf:/etc/rabbitmq/conf.d/20-load-definitions.conf:ro"
- "./rabbitmq/tls.conf:/etc/rabbitmq/conf.d/30-tls.conf:ro"
- "./rabbitmq/high-definitions.json:/etc/rabbitmq/definitions.json:ro"
- "./keys/ca.crt:/keys/ca.pem:ro"
- "./keys/high-transfer.key:/keys/key.pem:ro"
- "./keys/high-transfer.crt:/keys/cert.pem:ro"
networks:
- transfer
- high
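Review bot: One private key now backs two identities in two containers: `./keys/high-transfer.key` is mounted into the rabbitmq service as the broker's server key (`/keys/key.pem`), and `./keys/high-transfer.p12`, which generate-key.sh builds from that same key, is mounted into the logstash service as its client certificate. With the broker requiring client certificates, a compromise of the logstash container also yields the broker's server key, and a client whose certificate names the server cannot be told apart from it. Issue a separate client identity (e.g. `./keys/generate-key.sh high-logstash`, as the commit description already calls it) and mount `"./keys/high-logstash.p12:/keys/cert.p12:ro"` into the logstash service instead. Which service is which is inferred from the `command:` and `image:` lines, since the service names sit outside both hunks.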


+ 6
- 0
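--- /dev/null
+++ b/keys/.gitignore
@@ -0,0 +1,6 @@
+*.key
+*.crt
+*.csr
+*.ext
+*.srl
+*.p12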

+ 55
- 0
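--- /dev/null
+++ b/keys/generate-key.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+SCRIPT=$(realpath "$0")
+DIR=$(dirname "$SCRIPT")
+CA="$DIR/ca"
+
+if [ ! -f "$CA.key" ]; then
+openssl req \
+-x509 \
+-sha256 \
+-days 1825 \
+-newkey rsa:2048 \
+-keyout "$CA.key" \
+-out "$CA.crt"
+fi
+
+if [ -n "$1" ]; then
+FILE="$DIR/$1"
+
+echo "Generating key for $1"
+openssl req \
+-newkey rsa:2048 \
+-nodes \
+-keyout "$FILE.key" \
+-out "$FILE.csr"
+
+echo ""
+
+cat <<EOF > "$FILE.ext"
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $1
+EOF
+
+echo ""
+openssl x509 \
+-req \
+-CA "$CA.crt" \
+-CAkey "$CA.key" \
+-in "$FILE.csr" \
+-out "$FILE.crt" \
+-days 365 \
+-CAcreateserial \
+-extfile "$FILE.ext"
+
+echo ""
+echo "Creating PKCS12 archive"
+cat "$FILE.key" "$FILE.crt" | openssl pkcs12 -export -in - -out "$FILE.p12"
+else
+echo "USAGE: generate-key.sh KEYNAME"
+fi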
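Review bot: The script runs without `set -e`, so when the CSR step fails or the user aborts one of the interactive prompts, the signing and PKCS#12 steps still run against missing or stale files; add `set -eu` directly after the shebang. The export password for the `.p12` is read interactively by `openssl pkcs12 -export` and has to match the `ssl_certificate_password` hard-coded in the Logstash pipeline, a coupling nothing here records; a comment above that line such as `# Export password is prompted for; it must match ssl_certificate_password in pipelines/rabbitmq-stdout.conf (or pass -passout env:P12_PASS)` would spare the next person a debugging session. The leaf certificate also carries no `extendedKeyUsage`; if one leaf is meant to serve both as the broker's server certificate and as a client certificate, as the compose file appears to do, add `extendedKeyUsage = serverAuth, clientAuth` to the heredoc so stricter validators accept it in both roles.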

+ 4
- 0
pipelines/rabbitmq-stdout.conf Vedi File

@@ -4,7 +4,11 @@ input {
queue => "to-logstash"
user => "logstash"
password => "logstash"
port => 5671
durable => true
ssl => true
ssl_certificate_path => "/keys/cert.p12"
ssl_certificate_password => "high-transfer"
}
}
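Review bot: `ssl_certificate_password => "high-transfer"` places the PKCS#12 password in a pipeline file that is committed to the repository while the `.p12` it protects is git-ignored, which defeats the point of the password; take it from the Logstash keystore or the environment instead, e.g. `ssl_certificate_password => "${HIGH_TRANSFER_P12_PASSWORD}"`. It is also not visible from this hunk whether the plugin validates the broker's certificate against `ca.crt`: `ssl_certificate_path` supplies the client identity, and the broker side enforces `verify_peer`, but the client-side trust configuration is left unstated here and should be confirmed. The enclosing `input {}` block starts above the hunk.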



+ 1
- 1
rabbitmq/low-definitions.json Vedi File

@@ -26,7 +26,7 @@
"value": {
"src-uri": "amqp://shovel:shovel@localhost",
"src-queue": "to-high",
"dest-uri": "amqp://shovel:shovel@high-transfer",
"dest-uri": "amqps://shovel:shovel@high-transfer:5671?cacertfile=/keys/ca.pem&certfile=/keys/cert.pem&keyfile=/keys/key.pem&verify=verify_peer&server_nameindication=high-transfer",
"dest-exchange": "from-low",
"ack-mode": "on-confirm",
"delete-after": "never"
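Review bot: The query key in the new `dest-uri` is spelled `server_nameindication`; RabbitMQ's AMQP URI parser expects `server_name_indication`, and unless this is a rendering artefact the unknown key is ignored rather than rejected, so SNI is not set for the connection to `high-transfer` and hostname checking then rests on the Erlang/OTP defaults rather than on this setting. Proposed line: `"dest-uri": "amqps://shovel:shovel@high-transfer:5671?cacertfile=/keys/ca.pem&certfile=/keys/cert.pem&keyfile=/keys/key.pem&verify=verify_peer&server_name_indication=high-transfer",`. Since the shovel now presents a client certificate, the `shovel:shovel` password in the URI could presumably be replaced by certificate authentication (`auth_mechanism=external` in the URI with `rabbitmq_auth_mechanism_ssl` enabled on the broker), which would remove the plaintext credential from the definitions file. The surrounding shovel parameter object continues outside the hunk.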


+ 8
- 0
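--- /dev/null
+++ b/rabbitmq/tls.conf
@@ -0,0 +1,8 @@
+listeners.tcp = none
+listeners.ssl.default = 5671
+
+ssl_options.cacertfile = /keys/ca.pem
+ssl_options.certfile = /keys/cert.pem
+ssl_options.keyfile = /keys/key.pem
+ssl_options.verify = verify_peer
+ssl_options.fail_if_no_peer_cert = true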
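Review bot: No TLS version is pinned, so the listener accepts whatever the Erlang/OTP build inside `rabbitmq:latest` enables by default, which on older images can still include TLS 1.0/1.1. Add `ssl_options.versions.1 = tlsv1.3` and `ssl_options.versions.2 = tlsv1.2` (drop 1.3 if the shovel or the Logstash JVM on the other side cannot negotiate it) plus `ssl_options.honor_cipher_order = true`. The mutual-TLS part is otherwise sound: `verify_peer` together with `fail_if_no_peer_cert = true` rejects clients without a certificate chaining to `/keys/ca.pem`, and `listeners.tcp = none` closes the plaintext port.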
