From c89eec61a6c55e699d2eeeb4741f585df4afd2f7 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Wed, 6 Feb 2019 17:49:02 +0100 Subject: [PATCH 1/3] Document how to use TLS/SSL with RabbitMQ. --- docs/source/install/config/config.rst | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/docs/source/install/config/config.rst b/docs/source/install/config/config.rst index e394ddf05..897361e86 100644 --- a/docs/source/install/config/config.rst +++ b/docs/source/install/config/config.rst @@ -48,8 +48,8 @@ In :github_st2:`/etc/st2/st2.conf ` include the following se * To understand more about setting up a MongoDB replica set, see https://docs.mongodb.com/v3.4/tutorial/deploy-replica-set/ -|st2| also supports SSL/TLS to encrypt connections. A few extra properties need be added to the -configuration apart from the ones outlined above. +|st2| also supports SSL/TLS to encrypt MongoDB connections. A few extra properties need be added to +the configuration apart from the ones outlined above. In :github_st2:`/etc/st2/st2.conf ` include the following section: @@ -76,7 +76,7 @@ In :github_st2:`/etc/st2/st2.conf ` include the following se * ``ssl_match_hostname`` - Enable or disable hostname matching. Not recommended to disable and defaults to True. -.. note:: +.. note:: Only certain distributions of MongoDB support SSL/TLS: 
@@ -98,6 +98,19 @@ In :github_st2:`/etc/st2/st2.conf ` include the following se The ``#RMQ_VHOST`` property is optional and can be left blank. +|st2| also supports SSL/TLS to encrypt RabbitMQ connections. To enable SSL, you need to pass +``?ssl=true`` query parameter at the end of the connection URL. + +For example: + +.. code-block:: ini + + url = amqp://guest:guest@127.0.0.1:5671/?ssl=true + +Keep in mind that RabbitMQ server needs to be configured to enable TLS support. +For more information, refer to the official documentation - `Enabling TLS Support in RabbitMQ +`). + .. _ref-rabbitmq-cluster-config: |st2| also supports `RabbitMQ cluster `_. @@ -111,7 +124,6 @@ In :github_st2:`/etc/st2/st2.conf ` include the following se amqp://#RMQ_USER:#RMQ_PASSWD@#RMQ_NODE_2:#RMQ_PORT/#RMQ_VHOST, amqp://#RMQ_USER:#RMQ_PASSWD@#RMQ_NODE_3:#RMQ_PORT/#RMQ_VHOST - * To understand more about setting up a RabbitMQ cluster, see https://www.rabbitmq.com/clustering.html * RabbitMQ HA guide - https://www.rabbitmq.com/ha.html From 464de2353f4433a0f18b5a70ba16e5f208caed00 Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Wed, 6 Feb 2019 17:51:48 +0100 Subject: [PATCH 2/3] Fix syntax. --- docs/source/install/config/config.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/install/config/config.rst b/docs/source/install/config/config.rst index 897361e86..e95bc7b5b 100644 --- a/docs/source/install/config/config.rst +++ b/docs/source/install/config/config.rst @@ -109,7 +109,7 @@ For example: Keep in mind that RabbitMQ server needs to be configured to enable TLS support. For more information, refer to the official documentation - `Enabling TLS Support in RabbitMQ -`). +`_. .. _ref-rabbitmq-cluster-config: From 9468257239652dc3a93076dfb81287aa50818915 Mon Sep 17 00:00:00 2001 
From: Tomaz Muraus Date: Thu, 7 Feb 2019 17:52:54 +0100 Subject: [PATCH 3/3] Add a note on client side cert auth not being supported yet. --- docs/source/install/config/config.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/source/install/config/config.rst b/docs/source/install/config/config.rst index e95bc7b5b..2372706ad 100644 --- a/docs/source/install/config/config.rst +++ b/docs/source/install/config/config.rst @@ -111,6 +111,12 @@ Keep in mind that RabbitMQ server needs to be configured to enable TLS support. For more information, refer to the official documentation - `Enabling TLS Support in RabbitMQ `_. +.. note:: + + At the moment TLS / SSL is only supported for secure connections to RabbitMQ + server. Peer verification and client side certificate authentication is + currently not supported. + .. _ref-rabbitmq-cluster-config: |st2| also supports `RabbitMQ cluster `_.
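Review bot: In PATCH 1/3, the MongoDB hunk at -48,8 rewraps the sentence "A few extra properties need be added to the configuration" but keeps its grammar slip. Since both lines are touched anyway, change it to "need to be added".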
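Review bot: In PATCH 1/3, the RabbitMQ hunk at -98,6, the example ``url = amqp://guest:guest@127.0.0.1:5671/?ssl=true`` hard-codes the ``guest:guest`` account, while the cluster example lower in the same file uses the ``#RMQ_USER:#RMQ_PASSWD`` placeholders. Suggest writing the TLS example with the same placeholders, so a copied line does not carry default credentials into a deployed ``st2.conf``. The example also silently changes the port to 5671. Add one sentence saying the URL must point at the broker's TLS listener port rather than the plain AMQP port. The new text also says "To enable SSL" right after "SSL/TLS"; pick one term and keep it.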
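Review bot: PATCH 2/3 only corrects the closing of the "Enabling TLS Support in RabbitMQ" link that PATCH 1/3 added one commit earlier (the stray ``)`` becomes ``_.``). Squash it into 1/3 so no revision in the series carries broken reST for that link.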
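Review bot: In PATCH 3/3, the added ``.. note::`` says peer verification is not supported but does not state what that means for the reader. With ``?ssl=true`` the connection is encrypted, but the RabbitMQ server's certificate is not checked, so the server's identity is not authenticated. Say so explicitly, so operators do not treat this setting as protection against an active man-in-the-middle on the path to the broker. The first sentence ("TLS / SSL is only supported for secure connections to RabbitMQ server") is also hard to parse; something like "TLS / SSL support is currently limited to encrypting the connection to the RabbitMQ server" reads closer to the intent. In the second sentence, "is currently not supported" has a plural subject and should read "are currently not supported".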