Set up TLS to and from high-transfer

This requires the shovel and high-logstash to use TLS

docker-compose.yml

@@ -6,6 +6,7 @@ services:
     command: logstash -f /pipeline.conf
     volumes:
       - "./pipelines/rabbitmq-stdout.conf:/pipeline.conf:ro"
+      - "./keys/high-transfer.p12:/keys/cert.p12:ro"
     networks:
       - high
     depends_on:
@@ -15,7 +16,11 @@ services:
     image: rabbitmq:latest
     volumes:
       - "./rabbitmq/load-definitions.conf:/etc/rabbitmq/conf.d/20-load-definitions.conf:ro"
+      - "./rabbitmq/tls.conf:/etc/rabbitmq/conf.d/30-tls.conf:ro"
       - "./rabbitmq/high-definitions.json:/etc/rabbitmq/definitions.json:ro"
+      - "./keys/ca.crt:/keys/ca.pem:ro"
+      - "./keys/high-transfer.key:/keys/key.pem:ro"
+      - "./keys/high-transfer.crt:/keys/cert.pem:ro"
     networks:
       - transfer
       - high

keys/.gitignore

@@ -0,0 +1,6 @@
+*.key
+*.crt
+*.csr
+*.ext
+*.srl
+*.p12

keys/generate-key.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+SCRIPT=$(realpath "$0")
+DIR=$(dirname "$SCRIPT")
+CA="$DIR/ca"
+
+if [ ! -f "$CA.key" ]; then
+    openssl req \
+            -x509 \
+            -sha256 \
+            -days 1825 \
+            -newkey rsa:2048 \
+            -keyout "$CA.key" \
+            -out "$CA.crt"
+fi
+
+if [ -n "$1" ]; then
+    FILE="$DIR/$1"
+
+    echo "Generating key for $1"
+    openssl req \
+            -newkey rsa:2048 \
+            -nodes \
+            -keyout "$FILE.key" \
+            -out "$FILE.csr"
+
+    echo ""
+
+    cat <<EOF > "$FILE.ext"
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $1
+EOF
+
+    echo ""
+    openssl x509 \
+            -req \
+            -CA "$CA.crt" \
+            -CAkey "$CA.key" \
+            -in "$FILE.csr" \
+            -out "$FILE.crt" \
+            -days 365 \
+            -CAcreateserial \
+            -extfile "$FILE.ext"
+
+    echo ""
+    echo "Creating PKCS12 archive"
+    cat "$FILE.key" "$FILE.crt" | openssl pkcs12 -export -in - -out "$FILE.p12"
+else
+    echo "USAGE: generate-key.sh KEYNAME"
+fi

pipelines/rabbitmq-stdout.conf

@@ -4,7 +4,11 @@ input {
     queue => "to-logstash"
     user => "logstash"
     password => "logstash"
+    port => 5671
     durable => true
+    ssl => true
+    ssl_certificate_path => "/keys/cert.p12"
+    ssl_certificate_password => "high-transfer"
   }
 }
 

rabbitmq/low-definitions.json

@@ -26,7 +26,7 @@
             "value": {
                 "src-uri": "amqp://shovel:shovel@localhost",
                 "src-queue": "to-high",
-                "dest-uri": "amqp://shovel:shovel@high-transfer",
+                "dest-uri": "amqps://shovel:shovel@high-transfer:5671?cacertfile=/keys/ca.pem&certfile=/keys/cert.pem&keyfile=/keys/key.pem&verify=verify_peer&server_nameindication=high-transfer",
                 "dest-exchange": "from-low",
                 "ack-mode": "on-confirm",
                 "delete-after": "never"

rabbitmq/tls.conf

@@ -0,0 +1,8 @@
+listeners.tcp = none
+listeners.ssl.default = 5671
+
+ssl_options.cacertfile = /keys/ca.pem
+ssl_options.certfile = /keys/cert.pem
+ssl_options.keyfile = /keys/key.pem
+ssl_options.verify = verify_peer
+ssl_options.fail_if_no_peer_cert = true