I deployed a RabbitMQ (from the helm chart https://github.com/helm/charts/tree/master/stable/rabbitmq) in a Kubernetes cluster, in a namespace named rabbitmq. I added 3 IPs (the IPs of my Kubernetes nodes) as externalIPs in the rabbitmq service.
Here is the rabbitmq service:
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: rabbitmq
    app.kubernetes.io/name: rabbitmq
    helm.sh/chart: rabbitmq-6.15.0
  name: rabbitmq
  namespace: rabbitmq
spec:
  externalIPs:
  - x.x.x.x1
  - x.x.x.x2
  - x.x.x.x3
  ports:
  - name: epmd
    port: 4369
    protocol: TCP
    targetPort: epmd
  - name: amqp
    port: 5672
    protocol: TCP
    targetPort: amqp
  - name: amqp-ssl
    port: 5671
    protocol: TCP
    targetPort: amqp-ssl
  - name: dist
    port: 25672
    protocol: TCP
    targetPort: dist
  - name: stats
    port: 15672
    protocol: TCP
    targetPort: stats
  - name: metrics
    port: 9419
    protocol: TCP
    targetPort: metrics
  selector:
    app.kubernetes.io/component: rabbitmq
    app.kubernetes.io/name: rabbitmq
    helm.sh/chart: rabbitmq-6.15.0
  type: ClusterIP
I have an external load balancer which targets these 3 IPs. I have a DNS entry "rabbitmq.mycompagny.com" which targets my load balancer. I always use this mechanism to target all my ingresses without any problem.
Finally, I have a test pod in the namespace test, with amqp-tools installed.
On this test pod, here are some commands and their results:
amqp-get --url=amqps://user:password@rabbitmq.rabbitmq.svc.cluster.local:5671 --cacert=/opt/bitnami/rabbitmq/certs/ca_certificate.pem --key=/opt/bitnami/rabbitmq/certs/server_key.pem --cert=/opt/bitnami/rabbitmq/certs/server_certificate.pem --queue=test --ssl
# opening socket to rabbitmq.rabbitmq.svc.cluster.local:5671
# => KO
# logs from rabbitmq :
#2020-01-29 07:34:25.308 [debug] <0.3077.0> accepting AMQP connection <0.3077.0> (10.244.96.29:42620 -> 10.244.32.52:5671)
#2020-01-29 07:34:25.308 [debug] <0.3077.0> closing AMQP connection <0.3077.0> (10.244.96.29:42620 -> 10.244.32.52:5671):
#connection_closed_with_no_data_received
amqp-get --url=amqps://user:password@rabbitmq.mycompagny.com:5671 --cacert=/opt/bitnami/rabbitmq/certs/ca_certificate.pem --key=/opt/bitnami/rabbitmq/certs/server_key.pem --cert=/opt/bitnami/rabbitmq/certs/server_certificate.pem --queue=test --ssl
# => OK
# logs from rabbitmq :
#2020-01-29 07:37:47.430 [info] <0.23936.4> accepting AMQP connection <0.23936.4> (10.244.32.0:55694 -> 10.244.32.28:5671)
#2020-01-29 07:37:47.472 [debug] <0.23936.4> User 'user' authenticated successfully by backend rabbit_auth_backend_internal
#2020-01-29 07:37:47.486 [info] <0.23936.4> closing AMQP connection <0.23936.4> (10.244.32.0:55694 -> 10.244.32.28:5671, vhost: '/', user: 'user')
amqp-get --url=amqp://user:password@rabbitmq.rabbitmq.svc.cluster.local:5672 --queue=test
# => OK
amqp-get --url=amqp://user:password@rabbitmq.mycompagny.com:5672 --queue=test
#opening socket to rabbitmq.mycompagny.fr:5672
# => OK
The difference between these commands is the target DNS name. With TLS, when I use the external DNS name it works, but that is not the case with the internal DNS name. Can you explain why?
I double-checked the certificate, which is a signed wildcard certificate (checked with openssl s_server/s_client).
I have to use externalIPs targeted by an external load balancer to access RabbitMQ, since Kubernetes ingresses only support the HTTP/HTTPS protocols and the RabbitMQ protocol is AMQP/AMQPS.
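One check worth running on a setup like this is whether the certificate's SAN entries cover both names a TLS client is asked to verify. The script below is an added example, not code from the post: it applies the wildcard-matching rules TLS clients use (RFC 6125, one label only, left-most position) to a constructed SAN list, since the post only says the certificate is a wildcard one.

```python
"""Added example (not from the original post): check which of the two
hostnames used above a wildcard certificate's SAN list would cover.

SAN_NAMES below is constructed for illustration; the post only says the
certificate is a "signed wildcard certificate", so the exact names are
an assumption.
"""
from typing import Dict, Iterable


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname the way TLS
    clients do (RFC 6125 section 6.4.3): case-insensitive, and a '*'
    is only accepted as the whole left-most label, matching exactly
    one label (it never spans a dot)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    # A bare '*' or '*.com' is rejected by clients; require two more labels.
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate matches the hostname."""
    return any(dns_name_matches(n, hostname) for n in san_names)


# Constructed SAN list: a wildcard for the public domain used in the post.
SAN_NAMES = ["*.mycompagny.com", "mycompagny.com"]

# The two names the post connects to with amqps://.
EXTERNAL = "rabbitmq.mycompagny.com"
INTERNAL = "rabbitmq.rabbitmq.svc.cluster.local"


def diagnose(san_names: Iterable[str] = SAN_NAMES) -> Dict[str, bool]:
    """Report, per hostname, whether a verifying TLS client would accept
    a certificate carrying these SAN names."""
    names = list(san_names)
    return {h: certificate_covers(names, h) for h in (EXTERNAL, INTERNAL)}


if __name__ == "__main__":
    for host, ok in diagnose().items():
        print(f"{host}: {'covered by SAN' if ok else 'NOT covered by certificate'}")
```

If the internal name is not covered, adding it as an extra dNSName SAN on the broker certificate (or using a cluster-internal CA for the in-cluster name) is the defender-side fix; the wildcard alone cannot be stretched across the extra labels.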
Recently I tried to use RabbitMQ to try AMQP in our project. For installation I followed the steps mentioned on the official RabbitMQ site. It created a Rabbitmq.config.example file in appdata. I renamed it to rabbitmq.config. But even after that, I continuously get these messages in the logs:
=INFO REPORT==== 7-Dec-2015::19:21:14 === accepting AMQP connection <0.377.0> ([::1]:55084 -> [::1]:5672)
=ERROR REPORT==== 7-Dec-2015::19:21:14 === closing AMQP connection <0.377.0> ([::1]:55084 -> [::1]:5672): {bad_header,<<"GET / HT">>}
How do I get my server up and running?
When I opened the config file, everything seems to be commented. Should I uncomment any part of it?
I have faced this issue on my Ubuntu system.
Try this command:
rabbitmq-plugins enable rabbitmq_shovel rabbitmq_management (with sudo privileges)
and open localhost:15672.
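The `{bad_header,<<"GET / HT">>}` line in the question is the broker reporting that the first 8 bytes it read were not the AMQP protocol header but the start of an HTTP request, which is why the answer points at the management UI on 15672 instead. The classifier below is an added example, not code from the post or from RabbitMQ; the sample byte strings are constructed.

```python
"""Added example (not from the original post): classify the first 8
bytes a client sends to port 5672, mirroring the check that produces
RabbitMQ's {bad_header, ...} log line. Sample inputs are constructed.
"""

# AMQP 0-9-1 protocol header: "AMQP", protocol id 0, version 0.9.1.
# This is what a real AMQP 0-9-1 client sends before anything else.
AMQP_0_9_1_HEADER = b"AMQP\x00\x00\x09\x01"

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_header(first_bytes: bytes) -> str:
    """Describe what the first 8 bytes of a connection look like."""
    header = first_bytes[:8]
    if len(header) < 8:
        return "incomplete header (%d bytes)" % len(header)
    if header == AMQP_0_9_1_HEADER:
        return "amqp-0-9-1"
    if header[:4] == b"AMQP":
        # Another AMQP version, e.g. AMQP 1.0 sends AMQP\x00\x01\x00\x00
        return "amqp-other-version %s" % header[4:].hex()
    if any(header.startswith(m) for m in HTTP_METHODS):
        # A browser or curl hit the AMQP port: this yields {bad_header,<<"GET / HT">>}
        return "http-request"
    if header[0] == 0x16 and header[1] == 0x03:
        # TLS record header on the plaintext port (client used amqps:// on 5672)
        return "tls-client-hello"
    return "unknown"


def broker_log_line(first_bytes: bytes) -> str:
    """Return the kind of log line the broker would emit for this input."""
    kind = classify_header(first_bytes)
    if kind == "amqp-0-9-1":
        return "accepting AMQP connection"
    return "closing AMQP connection: bad_header %r (%s)" % (bytes(first_bytes[:8]), kind)


if __name__ == "__main__":
    # Constructed sample: what a browser sends when pointed at http://localhost:5672/
    print(broker_log_line(b"GET / HTTP/1.1\r\nHost: localhost:5672\r\n\r\n"))
```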
Running a Rails app on Mac. I start the RabbitMQ server in another terminal tab:
$ rabbitmq-server
Then I do stuff within my web app, and when the mail is supposed to be sent, I get this in /usr/local/var/log/rabbitmq/rabbit@localhost-sasl.log:
=INFO REPORT==== 21-Apr-2015::23:02:47 ===
accepting AMQP connection <0.4286.0> (127.0.0.1:57509 -> 127.0.0.1:5672)
=ERROR REPORT==== 21-Apr-2015::23:02:50 ===
closing AMQP connection <0.4286.0> (127.0.0.1:57509 -> 127.0.0.1:5672):
{heartbeat_timeout,running}
Notes:
I left all the rabbitmq configuration at its defaults; by this I mean in mailer.rb:
:heartbeat => 10
The same configuration works perfectly on Ubuntu.
For testing purposes I need ActiveMQ and RabbitMQ running on the same Windows machine. I have both installed, but I can't run them together: I need to stop one service in order to have the other one running.
This is the error I get trying to start RabbitMQ having ActiveMQ running:
=INFO REPORT==== 17-Feb-2015::14:24:00 ===
Error description:
{could_not_start,rabbit,
{bad_return,
{{rabbit,start,[normal,[]]},
{'EXIT',
{rabbit,failure_during_boot,
{boot_step,networking,
{case_clause,
{error,
{{shutdown,
{failed_to_start_child,tcp_listener,
{cannot_listen,{0,0,0,0,0,0,0,0},5672,eacces}}},
{child,undefined,'rabbit_tcp_listener_sup_:::5672',
{tcp_listener_sup,start_link,
[{0,0,0,0,0,0,0,0},
5672,
[inet6,binary,
{packet,raw},
{reuseaddr,true},
{backlog,128},
{nodelay,true},
{linger,{true,0}},
{exit_on_close,false}],
{rabbit_networking,tcp_listener_started,[amqp]},
{rabbit_networking,tcp_listener_stopped,[amqp]},
{rabbit_networking,start_client,[]},
"TCP Listener"]},
transient,infinity,supervisor,
[tcp_listener_sup]}}}}}}}}}}
And this is the error I get trying to start ActiveMQ with RabbitMQ already running:
jvm 1 | INFO | Listening for connections at: tcp://BROKER:61616?maximumConnections=1000&wireFormat.maxFrameSize=104857600
jvm 1 | INFO | Connector openwire started
jvm 1 | ERROR | Failed to start Apache ActiveMQ ([localhost, ID:DEV-BROKER01-56290-1424197666199-0:1], java.io.IOException: Transport Connector could not be registered in JMX: java.io.IOException: Failed to bind to server socket: amqp://0.0.0.0:5672?maximumConnections=1000&wireFormat.maxFrameSize=104857600 due to:
java.net.BindException: Address already in use: JVM_Bind)
jvm 1 | INFO | Apache ActiveMQ 5.11.0 (localhost, ID:DEV-BROKER01-56290-1424197666199-0:1) is shutting down
That "Address already in use" is the key I guess.
Any way to sort this out? Thanks
This is the problem:
java.net.BindException: Address already in use: JVM_Bind)
Both brokers use port 5672 (the AMQP default port).
Just change the port for one broker; for example, for RabbitMQ check this link:
https://www.rabbitmq.com/configure.html
The configuration file rabbitmq.config allows the RabbitMQ core
application, Erlang services and RabbitMQ plugins to be configured. It
is a standard Erlang configuration file, documented on the Erlang
Config Man Page.
An example configuration file follows:
[
  {rabbit, [{tcp_listeners, [5673]}]}
].
This example will change the port RabbitMQ listens on from 5672 to 5673.
This configuration file is not the same as rabbitmq-env.conf, which
can be used to set environment variables on non-windows systems.
all,
I have a website which can be accessed fine via HTTP on port 86. Now I am required to add SSL to secure the connection. This website is served with the thttpd web server which, yes, has no SSL support. I then searched a lot through Google. The suggestions are to add SSL to thttpd through stunnel.
UPDATED:
Here is my stunnel.conf:
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
fips = no
; PID is created inside the chroot jail
pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
[https]
accept = 443
connect = 86
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
Here is the result I got:
linux-1ryy:/usr/local/etc/stunnel # /usr/local/bin/stunnel
Clients allowed=500
stunnel 4.56 on i686-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [https]
Certificate: /usr/local/etc/stunnel/stunnel.pem
Certificate loaded
Key file: /usr/local/etc/stunnel/stunnel.pem
Private key loaded
Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
DH initialized with 1024-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Configuration successful
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Closing service [https]
Service [https] closed (FD=7)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 10 block(s), 883 data byte(s), 420 control byte(s)
Here is the port listening information before running /usr/local/bin/stunnel:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
And here is the port listening information after running it:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 23145/stunnel
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
I have no idea now what is going wrong. Any suggestions will be appreciated.
ADDED:
If I turn off the firewall, I can access it via https://<my-ip-address> successfully. However, I still keep getting this error message:
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Wondering why...
As can be seen from the netstat output, there is already a stunnel process on port 443 (pid=10833) (and another on port 8443, pid=11191), and that's why starting another stunnel process on port 443 fails with
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
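The check the answer describes, reading the `netstat -tulpn` listing to find which process already holds the port, as an added example that is not part of the original thread. The sample listing is constructed to mirror the one in the question; note that the IPv6 wildcard form `:::86` needs the address split on the last colon.

```python
"""Added example (not from the original thread): parse `netstat -tulpn`
output to find which process already owns a port, the check behind the
"Address already in use (98)" error above. The sample is constructed.
"""
from typing import List, Optional, Tuple

# Constructed sample, same shape as the netstat output in the question.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5484/mysqld
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      23145/stunnel
tcp        0      0 :::86                   :::*                    LISTEN      5536/thttpd
tcp        0      0 :::22                   :::*                    LISTEN      1558/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
"""


def parse_listeners(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, address, port, program) for every listening socket.
    rpartition on ':' handles both '0.0.0.0:443' and the IPv6 wildcard
    ':::86', where a plain split on ':' would break."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, _, port = fields[3].rpartition(":")
        # TCP rows carry a State column; only LISTEN sockets hold a port.
        if fields[0].startswith("tcp") and fields[5] != "LISTEN":
            continue
        program = fields[-1]  # "PID/name", or "-" when netstat lacks permission
        rows.append((fields[0], addr, int(port), program))
    return rows


def who_owns_port(text: str, port: int, proto: str = "tcp") -> Optional[str]:
    """PID/program listening on the port, or None if the port is free."""
    for p, _addr, prt, program in parse_listeners(text):
        if prt == port and p.startswith(proto):
            return program
    return None


if __name__ == "__main__":
    owner = who_owns_port(NETSTAT_SAMPLE, 443)
    print("port 443 is", "free" if owner is None else "held by " + owner)
```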