rabbitmq / rabbitmq-auth-backend-http

HTTP-based authorisation and authentication for RabbitMQ

Implement SSL #3

Closed jar349 closed 4 years ago

jar349 commented 11 years ago

Simon,

I love this plugin and want to use it, but my production environment would require SSL so that no one can place a man-in-the-middle between your plugin and my auth web service.

Any idea when you might be able to spike that bit out?

Thanks!

jar349 commented 11 years ago

I guess I should add that - after looking at the code - it seems like it's a matter of detecting "http" vs "https" and then either calling http_get or https_get (I assume that exists somewhere), as appropriate.

I have no idea how to write Erlang, but if you knew what would need to be imported to get access to https_get, I could try to implement this and offer a pull request.

simonmacmullen commented 11 years ago

SSL should work already - it does for me. Just changing the URLs in the config to start with https:// works for me.

jar349 commented 11 years ago

Simon, thanks for the response. I completely asked the wrong question.

What I meant by "SSL" was, can we somehow get the plugin to present RabbitMQ's certificate to my server? In other words, I want to perform mutual authentication. Looking at the plugin code, I didn't see anything in there that took a configuration parameter for a path to a certificate to present to the server it calls.

jar349 commented 10 years ago

Any interest in securing this? The real problem I'm having is that the http endpoint doing the verification (my secure token service) has to answer anyone who asks, because I have no way of identifying the rabbitmq broker. And if I'm developing a cloud-based app, then the broker is available -- and so is my STS, which means I have an open credentials verifier on the internet that attackers could use to brute-force passwords.
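An added configuration example (not from this thread or the plugin's own documentation) showing what the mutual TLS setup asked for in the two comments above looks like in the broker's classic rabbitmq.config: the URLs use https:// as Simon describes, and the ssl_options block makes the broker verify the STS certificate and present its own client certificate. The ssl_options keys, the /etc/rabbitmq/tls paths and the sts.example.internal host are assumptions; check the keys against the README of the plugin version you run.

```erlang
%% rabbitmq.config (classic Erlang-term format). Added example, not code from
%% the issue thread; the ssl_options keys are assumed to be the ones the plugin
%% documents for its outbound HTTPS client, so confirm them for your version.
[
 {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
 {rabbitmq_auth_backend_http,
  [{http_method,   post},
   %% https:// on its own only encrypts the hop. Without the ssl_options below
   %% the broker neither verifies who it is talking to nor identifies itself,
   %% so the STS still has to answer anyone who asks.
   {user_path,     "https://sts.example.internal/auth/user"},
   {vhost_path,    "https://sts.example.internal/auth/vhost"},
   {resource_path, "https://sts.example.internal/auth/resource"},
   {topic_path,    "https://sts.example.internal/auth/topic"},
   {ssl_options,
    [%% Broker verifies the STS server certificate against a private CA
     %% (assumed path) instead of accepting any certificate.
     {cacertfile, "/etc/rabbitmq/tls/ca_certificate.pem"},
     {verify,     verify_peer},
     %% Broker presents its own certificate and key (assumed paths), so the
     %% STS can require a client certificate issued by the same CA and stop
     %% serving credential checks to unauthenticated callers.
     {certfile,   "/etc/rabbitmq/tls/broker_certificate.pem"},
     {keyfile,    "/etc/rabbitmq/tls/broker_key.pem"}]}]}
].
```

The other half lives on the STS: its HTTPS listener must require and verify a client certificate from that CA, otherwise the broker's certificate is sent but never checked.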

develar commented 9 years ago

It is the wrong way. The correct way is to use docker and link your auth service to rabbitmq. Then the service will not be exposed to the public network. After that you can use tutum ("private network is encrypted and requires authentication; only nodes belonging to a specific account can connect and communicate with each other." — http://blog.tutum.co/2015/03/03/introducing-overlay-networking-for-containers-and-dynamic-links-in-tutum/) or set up your own weave (https://github.com/zettio/weave; traffic can be encrypted).