This gist shows the necessary configurations to set up the TLS termination for TCP (not HTTP) traffic
to the local RabbitMQ service running on localhost. This way, we're only managing certificates with NGINX and not
setting up TLS certificates for RabbitMQ. NGINX listens for encrypted traffic on 0.0.0.0:5671, handles it, and
proxies unencrypted traffic to the RabbitMQ services listening on localhost:5672.
-
-
Save luuthanhminh/07451d69c22bab55aa0788933652c76e to your computer and use it in GitHub Desktop.
NGINX TLS Termination for proxying TCP traffic to local RabbitMQ Service
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NOTE: This is not in the vhost.conf file. This is the top-level NGINX configuration file. | |
| # ... | |
| # normal nginx confs | |
| # ... | |
| http { | |
| # ... | |
| # normal http confs | |
| # ... | |
| } | |
| stream { | |
| server { | |
| # listens for TLS TCP traffic on 0.0.0.0:5671 | |
| listen 5671 ssl; | |
| # sends uncrypted traffic to localhost:5672 | |
| proxy_pass localhost:5672; | |
| # apply the same TLS configurations that you'd use for the vhost configs | |
| # (this is just a made-up path to hold cert information) | |
| include /etc/nginx/downstream/certs.conf; | |
| # Or you can just put the configurations here directly even if they | |
| # are duplicates of the vhost TLS settings | |
| # | |
| #ssl_certificate /etc/nginx/downstream/ssl/cert.pem; | |
| #ssl_certificate_key /etc/nginx/downstream/ssl/key.pem; | |
| #ssl_trusted_certificate /etc/nginx/downstream/ssl/cacert.pem; | |
| # | |
| #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | |
| #ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; | |
| #ssl_prefer_server_ciphers On; | |
| ##ssl_session_cache shared:SSL:128m; | |
| ##ssl_stapling on; | |
| ##ssl_stapling_verify on; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment