shakuzen
commented
6 years ago After significant time spent to get SSL configured on my local RabbitMQ instance, I have looked into this. The rabbit hole (pun intended) goes just a bit deeper than I originally expected.
Status quo
Current support
Our current support assumes (or has the constraint) that what is passed to RABBIT_ADDRESSES is a comma-separated list of RabbitMQ Addresses (host:port pairs). The intention here was to easily support clustered RabbitMQ servers without a TCP load balancer. However, this does not allow specifying scheme, which is a problem here when the scheme is amqps instead of amqp. In retrospect, the constraint on RABBIT_ADDRESSES may have not been the best choice.
Cloud providers
Depending on how the connection properties are available from cloud providers, the viable solutions may change. It's a shame I didn't investigate this more before. @reshmik @marcingrzejszczak Can you confirm what is available to you from the RabbitMQ cloud providers you are using? Is it just one URI string like the following (with one host only, I assume)?
ampqs://user:pass@host[:port]/virtualHostOr are the individual parts (username/password/host etc.) also provided as separate properties to some degree?
I'll try to do my due diligence on this tomorrow so we can best support what most Zipkin users may end up using. I'm out of time to look this up today, though.
Without a single property provided by the RabbitMQ Java client that can parse the RabbitMQ URI spec for multiple hosts, it's not easy to support both of these options. To be fair, the URI spec doesn't define multiple hosts as valid.
Quickest solution?
The flag for using TLS can be set separately, ConnectionFactory#useSslProtocol, if we want to expose that as a new property.
However, note that this spits out the following error because peer validation is not being used without configuring the trust manager (see Key Managers, Trust Managers and Stores). Though no one in the linked Spring Boot issue seemed to be asking for this part to be configurable.
2017-11-29 22:58:03.680 WARN 64970 --- [ main] c.r.client.TrustEverythingTrustManager : This trust manager trusts every certificate, effectively disabling peer verification. This is convenient for local development but prone to man-in-the-middle attacks. Please see http://www.rabbitmq.com/ssl.html#validating-cerficates to learn more about peer certificate validation.With a flag exposed for that as say RABBIT_SSL_ENABLED, used in combination with passing just the host:port to RABBIT_ADDRESSES, I believe things will work (warning log above withstanding).
This solution feels like it avoids fixing the limitations with our current configuration options, which may be fine if it works for the vast majority of users, but I fear it may not.
Parse all the URIs
A more robust solution compared to above might be the following, which tries to define a version of the RabbitMQ URI spec that handles multiple hosts.
I think ideally we would be able to take a string that optionally contains a scheme, username, password, virtual host, port, and requires at the least one host but has potentially multiple hosts. Then, being able to pass that to the RabbitMQ client and let it parse it would be a cherry on top. Until that happens, we'll have to parse it ourselves.
There are subjective decisions that need to be made for what is allowed in the string, though. We could take inspiration from the MongoDB client's format.
The format of the URI is:
mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
Which would make ours something like:
[(amqps://|amqp://)][username:password@]host1[:port1][,host2[:port2],...[hostN[:portN]]][/virtualHost]- scheme is optionally specified as
amqps://oramqp://; absence impliesamqp:// usernameandpasswordare optionally specified following the scheme;guest/guestare the default if absenthost1is requiredport2is optionally specified; it is5672by default or when the scheme isamqp; when the scheme isamqpsit defaults to5671- a comma-separated list of host:port can optionally follow
host1 /virtualHostcan be optionally specified at the end of the string, defaulting to/in its absence
We could also consider parsing query parameters at the end. This could provide a way for users to pass the necessary files for full TLS configuration with a trust manager.
Reasonable (IMO) limitations the above implies are that all hosts would be connected to using the same scheme, authentication, and virtual host.
Sorry for the length of the above. I'm glad to hear other solutions if anyone has them, or feedback on anything above.
reshmik
codefromthecrypt
gerard-br-dge
Currently, our RabbitMQ collector (and sender) doesn't configure or test for amqps. We should fix that as this impacts the ability to use in environments such as cloud foundry
Thx for figuring this out @reshmik
related: spring-projects/spring-boot#6401
cc @shakuzen @marcingrzejszczak