Access rabbitmq admin interface via TLS

wireapp · Jun 17, 2024 · ebe8eca · ebe8eca
1 parent 1e46962
commit ebe8eca
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 32 deletions.
diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml
@@ -269,8 +269,7 @@ services:
       - RABBITMQ_PASSWORD
     ports:
       - '127.0.0.1:5671:5671'
-      - '127.0.0.1:5672:5672'
-      - '127.0.0.1:15672:15672'
+      - '127.0.0.1:15671:15671'
     volumes:
       - ./rabbitmq-config/rabbitmq.conf:/etc/rabbitmq/conf.d/20-wire.conf
       - ./rabbitmq-config/certificates:/etc/rabbitmq/certificates

diff --git a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf
@@ -1,13 +1,12 @@
 default_user = $(RABBITMQ_USERNAME)
 default_pass = $(RABBITMQ_PASSWORD)
 
-# listeners.tcp = none
+listeners.tcp = none
 listeners.ssl.default = 5671
 ssl_options.cacertfile = /etc/rabbitmq/certificates/ca.pem
-ssl_options.certfile =  /etc/rabbitmq/certificates/cert.pem
-ssl_options.keyfile =   /etc/rabbitmq/certificates/key.pem
+ssl_options.certfile = /etc/rabbitmq/certificates/cert.pem
+ssl_options.keyfile = /etc/rabbitmq/certificates/key.pem
 
-management.tcp.port = 15672
 management.ssl.port = 15671
 management.ssl.cacertfile = /etc/rabbitmq/certificates/ca.pem
 management.ssl.certfile = /etc/rabbitmq/certificates/cert.pem

diff --git a/libs/extended/extended.cabal b/libs/extended/extended.cabal
@@ -92,6 +92,7 @@ library
     , exceptions
     , extra
     , http-client
+    , http-client-tls
     , http-types
     , imports
     , metrics-wai

diff --git a/libs/extended/src/Network/AMQP/Extended.hs b/libs/extended/src/Network/AMQP/Extended.hs
@@ -27,6 +27,7 @@ import Imports
 import Network.AMQP qualified as Q
 import Network.Connection as Conn
 import Network.HTTP.Client qualified as HTTP
+import Network.HTTP.Client.TLS qualified as HTTP
 import Network.RabbitMqAdmin
 import Network.TLS
 import Network.TLS.Extra.Cipher
@@ -88,9 +89,13 @@ instance FromJSON RabbitMqAdminOpts where
 mkRabbitMqAdminClientEnv :: RabbitMqAdminOpts -> IO (AdminAPI (AsClientT IO))
 mkRabbitMqAdminClientEnv opts = do
   (username, password) <- readCredsFromEnv
-  manager <- HTTP.newManager HTTP.defaultManagerSettings
+  mTlsSettings <- traverse (mkTLSSettings opts.host) opts.tls
+  let (protocol, managerSettings) = case mTlsSettings of
+        Nothing -> (Servant.Http, HTTP.defaultManagerSettings)
+        Just tlsSettings -> (Servant.Https, HTTP.mkManagerSettings tlsSettings Nothing)
+  manager <- HTTP.newManager managerSettings
   let basicAuthData = Servant.BasicAuthData (Text.encodeUtf8 username) (Text.encodeUtf8 password)
-      clientEnv = Servant.mkClientEnv manager (Servant.BaseUrl Servant.Http opts.host opts.adminPort "")
+      clientEnv = Servant.mkClientEnv manager (Servant.BaseUrl protocol opts.host opts.adminPort "")
   pure . fromServant $
     hoistClient
       (Proxy @(ToServant AdminAPI AsApi))
@@ -172,7 +177,7 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do
               )
               ( const $ do
                   Log.info l $ Log.msg (Log.val "Trying to connect to RabbitMQ")
-                  mTlsSettings <- traverse (liftIO . mkTLSSettings) tls
+                  mTlsSettings <- traverse (liftIO . (mkTLSSettings host)) tls
                   liftIO $
                     Q.openConnection'' $
                       Q.defaultConnectionOpts
@@ -190,28 +195,6 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do
             connectWithRetries username password
         openChan conn
 
-    mkTLSSettings :: RabbitMqTlsOpts -> IO TLSSettings
-    mkTLSSettings opts = do
-      setCAStore <- runMaybeT $ do
-        path <- maybe mzero pure opts.caCert
-        store <- MaybeT $ X509.readCertificateStore path
-        pure $ \shared -> shared {sharedCAStore = store}
-      let setHooks =
-            if opts.insecureSkipVerifyTls
-              then \h -> h {onServerCertificate = \_ _ _ _ -> pure []}
-              else id
-      pure $
-        TLSSettings
-          (defaultParamsClient host "rabbitmq")
-            { clientShared = fromMaybe id setCAStore def,
-              clientHooks = setHooks def,
-              clientSupported =
-                def
-                  { supportedVersions = [TLS13, TLS12],
-                    supportedCiphers = ciphersuite_strong
-                  }
-            }
-
     openChan :: Q.Connection -> m ()
     openChan conn = do
       Log.info l $ Log.msg (Log.val "Opening channel with RabbitMQ")
@@ -235,6 +218,28 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do
           logException l "RabbitMQ channel closed" e
           openChan conn
 
+mkTLSSettings :: HostName -> RabbitMqTlsOpts -> IO TLSSettings
+mkTLSSettings host opts = do
+  setCAStore <- runMaybeT $ do
+    path <- maybe mzero pure opts.caCert
+    store <- MaybeT $ X509.readCertificateStore path
+    pure $ \shared -> shared {sharedCAStore = store}
+  let setHooks =
+        if opts.insecureSkipVerifyTls
+          then \h -> h {onServerCertificate = \_ _ _ _ -> pure []}
+          else id
+  pure $
+    TLSSettings
+      (defaultParamsClient host "rabbitmq")
+        { clientShared = fromMaybe id setCAStore def,
+          clientHooks = setHooks def,
+          clientSupported =
+            def
+              { supportedVersions = [TLS13, TLS12],
+                supportedCiphers = ciphersuite_strong
+              }
+        }
+
 logException :: (MonadIO m) => Logger -> String -> SomeException -> m ()
 logException l m (SomeException e) = do
   Log.err l $

diff --git a/services/background-worker/background-worker.integration.yaml b/services/background-worker/background-worker.integration.yaml
@@ -12,7 +12,7 @@ rabbitmq:
   host: 127.0.0.1
   port: 5671
   vHost: /
-  adminPort: 15672
+  adminPort: 15671
   enableTls: true
   caCert: test/resources/rabbitmq-ca.pem
   insecureSkipVerifyTls: false