The detailed configuration steps follow.
1. Verify the RabbitMQ Management Plugin TLS configuration
RabbitMQ configuration file example (/etc/rabbitmq/rabbitmq.conf):

```ini
# Enable the management plugin's HTTPS listener
management.ssl.port = 15671

# Certificate paths: the CA that issued the server certificate, the server
# certificate (chain), and the server private key
management.ssl.cacertfile = /path/to/ca_certificate.pem
management.ssl.certfile = /path/to/server_certificate.pem
management.ssl.keyfile = /path/to/server_key.pem

# Peer verification: ask clients for a certificate but do not require one.
# Set fail_if_no_peer_cert = true to enforce mutual TLS for every HTTPS client
# (browsers and the exporter alike).
management.ssl.verify = verify_peer
management.ssl.fail_if_no_peer_cert = false
```

After restarting the node, confirm with `rabbitmq-diagnostics listeners` that the HTTPS management listener on 15671 is the one you expect; if `management.tcp.port` is also configured, a plain-HTTP listener stays open alongside it.
Verify that the HTTPS endpoint works. Use the CA file instead of `-k`: `-k` skips certificate validation entirely, so it proves only that something answers on the port, whereas the exporter will validate the chain and the hostname and fail if either is wrong.

```sh
curl --cacert /path/to/ca_certificate.pem -u <username>:<password> https://<rabbitmq_host>:15671/api/overview
```
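As an added check that is not part of the page's original commands, the following script makes the verification stricter: it pins the CA, requires HTTP 200 from `/api/overview`, and confirms that no plain-HTTP management listener is still reachable. It assumes `curl` is installed and that the legacy plain-HTTP port is 15672; the host, CA path and credentials on the usage line are placeholders.

```sh
#!/bin/sh
# check_mgmt_tls.sh: verify the management plugin's HTTPS endpoint the way the
# exporter will see it (chain validated against a pinned CA, hostname checked),
# and make sure the plain-HTTP listener is not silently still open.
# Added example; not from the RabbitMQ project.

# Return 0 when the HTTPS management API answers 200 over a verified TLS session.
# $1 = base URL (https://host:15671), $2 = CA PEM file, $3 = user, $4 = password.
check_mgmt_https() {
  command -v curl >/dev/null 2>&1 || { echo "curl not installed"; return 2; }
  code=$(curl --silent --show-error --output /dev/null --write-out '%{http_code}' \
              --max-time 10 --cacert "$2" --user "$3:$4" "$1/api/overview") || {
    # curl exits non-zero on TLS failures (60 = certificate not trusted by the
    # given CA, 51 = hostname mismatch, 35 = handshake failure) and connect errors
    echo "TLS or connection failure contacting $1 (curl exit $?)"
    return 1
  }
  [ "$code" = "200" ] || { echo "management API returned HTTP $code"; return 1; }
  return 0
}

# Return 0 when nothing answers plain HTTP on the legacy management port.
# $1 = host, $2 = port (15672 unless management.tcp.port was changed).
# Any HTTP answer, even 401, means a cleartext listener is open.
check_plain_http_closed() {
  command -v curl >/dev/null 2>&1 || { echo "curl not installed"; return 2; }
  if curl --silent --output /dev/null --max-time 5 "http://$1:$2/" 2>/dev/null; then
    echo "plain HTTP management listener still open on $1:$2"
    return 1
  fi
  return 0
}

# Usage (placeholder values):
#   ./check_mgmt_tls.sh https://rabbitmq.example.internal:15671 /etc/rabbitmq/ca.pem monitor_user 'secret'
if [ $# -ge 4 ]; then
  host=$(printf '%s' "$1" | sed -e 's#^https://##' -e 's#[:/].*$##')
  check_mgmt_https "$1" "$2" "$3" "$4" \
    && check_plain_http_closed "$host" 15672 \
    && echo "management TLS check passed"
fi
```

Run it from the same network position as the exporter, so that DNS resolution and any load balancer in front of the cluster are exercised the same way.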
2. Configure RabbitMQ-Exporter to connect to the TLS-enabled RabbitMQ

Option A: Docker Compose (recommended)
```yaml
version: '3.8'
services:
  rabbitmq-exporter:
    image: kbudde/rabbitmq-exporter
    container_name: rabbitmq-exporter
    restart: unless-stopped
    ports:
      # The exporter's own /metrics endpoint is plain HTTP without authentication.
      # Bind it to 127.0.0.1 or drop the mapping if Prometheus reaches it over the compose network.
      - "9419:9419"
    environment:
      # RabbitMQ management API over HTTPS. The hostname here must be covered by the
      # server certificate's SAN list, otherwise verification fails with
      # "x509: certificate is valid for ..., not rabbitmq-server".
      - RABBIT_URL=https://rabbitmq-server:15671
      - RABBIT_USER=monitor_user
      - RABBIT_PASSWORD=your_password
      # TLS options (variable names as documented by kbudde/rabbitmq-exporter)
      - SKIPVERIFY=false          # must stay false in production; true disables all certificate checks
      - CAFILE=/certs/ca_cert.pem # CA that issued the management plugin's server certificate
      # Exporter options
      - PUBLISH_PORT=9419
      - OUTPUT_FORMAT=JSON        # log output format (TTY or JSON), not the metrics format
    volumes:
      # Mount the CA certificate read-only
      - ./tls/ca_cert.pem:/certs/ca_cert.pem:ro
```

The password can be read from a file with RABBIT_PASSWORD_FILE (for example a Docker secret) instead of being placed in the environment, where `docker inspect` exposes it.
Option B: run the binary directly

The exporter is configured through environment variables (the same names as in the compose file), not command-line flags:

```sh
RABBIT_URL="https://rabbitmq-host:15671" \
RABBIT_USER="monitor_user" \
RABBIT_PASSWORD="password" \
CAFILE="/path/to/ca_certificate.pem" \
SKIPVERIFY="false" \
PUBLISH_PORT="9419" \
./rabbitmq-exporter
```
3. Environment variables explained

| Environment variable | Description | Example value |
|---|---|---|
| RABBIT_URL | Management API URL; must use https:// | https://host:15671 |
| RABBIT_USER / RABBIT_PASSWORD | Credentials of the dedicated monitoring account (RABBIT_PASSWORD_FILE reads the password from a file instead) | monitor_user |
| SKIPVERIFY | Skip certificate verification (testing only) | false (production) |
| CAFILE | CA certificate used to verify the server certificate | /certs/ca.pem |
| CERTFILE | Client certificate (mutual TLS) | /certs/client.pem |
| KEYFILE | Client private key (mutual TLS) | /certs/client-key.pem |
| PUBLISH_PORT | Port the exporter's /metrics endpoint listens on | 9419 |

Note that these names are specific to kbudde/rabbitmq-exporter (CAFILE, CERTFILE, KEYFILE, SKIPVERIFY). A misspelt variable is ignored without any error, and so is a CAFILE path that does not exist, so a typo here only surfaces later as an x509 error in the exporter logs.
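Because a wrong path or a stray SKIPVERIFY=true fails silently until the first scrape, it is worth checking the exporter's TLS environment before the process starts. The script below is an added example, not part of kbudde/rabbitmq-exporter: it reads the exporter's real variable names and fails closed on anything that weakens or bypasses certificate verification, including a client key that is readable by other users. The file names in the usage comment are placeholders.

```sh
#!/bin/sh
# exporter_preflight.sh: validate RABBIT_URL, SKIPVERIFY, CAFILE, CERTFILE and KEYFILE
# before starting rabbitmq-exporter. Added example; not the exporter's own code.

# True when $1 is a readable PEM file containing at least one certificate block.
pem_has_cert() {
  [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# True when $1 has no group/other permission bits (e.g. 0600 or 0400).
# GNU stat is tried first, then BSD/macOS stat.
key_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# preflight URL SKIPVERIFY CAFILE CERTFILE KEYFILE
# Prints one line per problem and returns the number of problems (0 = safe to start).
preflight() {
  url=$1 skipverify=$2 cafile=$3 certfile=$4 keyfile=$5
  problems=0
  case "$url" in
    https://*) ;;
    *) echo "RABBIT_URL must start with https:// (got '$url')"; problems=$((problems+1)) ;;
  esac
  # Anything other than an explicit false/0/empty is treated as "verification off".
  case "$skipverify" in
    ''|false|FALSE|False|0) ;;
    *) echo "SKIPVERIFY='$skipverify' disables certificate verification"; problems=$((problems+1)) ;;
  esac
  if [ -z "$cafile" ]; then
    echo "CAFILE is not set; set it to the CA that issued the management server certificate"
    problems=$((problems+1))
  elif ! pem_has_cert "$cafile"; then
    echo "CAFILE='$cafile' is missing, unreadable or not a PEM certificate (the exporter would ignore it silently)"
    problems=$((problems+1))
  fi
  # Mutual TLS: certificate and key come as a pair, and the key must not be shared.
  if [ -n "$certfile" ] || [ -n "$keyfile" ]; then
    if [ -z "$certfile" ] || [ -z "$keyfile" ]; then
      echo "CERTFILE and KEYFILE must both be set for mutual TLS"; problems=$((problems+1))
    fi
    if [ -n "$certfile" ] && ! pem_has_cert "$certfile"; then
      echo "CERTFILE='$certfile' is missing, unreadable or not a PEM certificate"; problems=$((problems+1))
    fi
    if [ -n "$keyfile" ]; then
      if [ ! -r "$keyfile" ]; then
        echo "KEYFILE='$keyfile' is missing or unreadable (permission denied at startup)"; problems=$((problems+1))
      elif ! key_is_private "$keyfile"; then
        echo "KEYFILE='$keyfile' is readable by group/others; chmod 600 it"; problems=$((problems+1))
      fi
    fi
  fi
  return $problems
}

# Run against the process environment when invoked with --check-env, e.g. from an
# entrypoint wrapper (placeholder paths):
#   CAFILE=/certs/ca_cert.pem ./exporter_preflight.sh --check-env && exec ./rabbitmq-exporter
if [ "${1:-}" = "--check-env" ]; then
  preflight "${RABBIT_URL:-}" "${SKIPVERIFY:-}" "${CAFILE:-}" "${CERTFILE:-}" "${KEYFILE:-}"
fi
```

The exit status is the number of problems found, so `--check-env && exec ...` refuses to start the exporter with a weakened configuration while still printing every reason at once.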
4. Prometheus configuration

```yaml
scrape_configs:
  - job_name: 'rabbitmq-cluster-tls'
    metrics_path: '/metrics'
    static_configs:
      - targets: ['rabbitmq-exporter:9419']
        labels:
          cluster: 'rabbitmq-tls-cluster'
          environment: 'production'
```
5. Troubleshooting guide

Check the exporter logs:

```sh
docker logs rabbitmq-exporter
# Look for TLS or HTTP errors from the scrape of the management API
```

Test the metrics endpoint (the exporter's own endpoint is plain HTTP even when the broker side uses TLS):

```sh
curl http://localhost:9419/metrics
# Should return RabbitMQ metrics; rabbitmq_up 0 means the exporter runs but could not scrape the broker
```

Common errors and solutions:

| Error message | Cause | Solution |
|---|---|---|
| x509: certificate signed by unknown authority | The exporter does not trust the CA that issued the server certificate (CAFILE unset, pointing at a non-existent file, or at the wrong CA) | Set CAFILE to the issuing CA's PEM file and mount it into the container |
| x509: certificate is valid for <name>, not <host> | The hostname in RABBIT_URL is not in the server certificate's SAN list | Use a hostname the certificate covers, or reissue the certificate with that SAN; do not fall back to SKIPVERIFY |
| connection refused | Wrong port or protocol | Confirm https:// and port 15671 |
| permission denied | The certificate or key file is not readable by the exporter process | Make the files readable by the user the exporter runs as |
| HTTP 401 from the management API | Wrong credentials, or the account lacks the management/monitoring tag | Check RABBIT_USER/RABBIT_PASSWORD and the user's tags |
6. Cluster monitoring configuration

Single exporter (recommended): the management API on any node returns cluster-wide data, so one exporter pointed at a load balancer (or at a single node) covers the whole cluster. The certificate presented at that address must include the load balancer's hostname in its SAN list, or verification fails.

```yaml
environment:
  - RABBIT_URL=https://rabbitmq-loadbalancer:15671
```

Multi-node monitoring: run one exporter per node and configure a separate job for each.

```yaml
scrape_configs:
  - job_name: 'rabbitmq-node1'
    static_configs:
      - targets: ['exporter-node1:9419']
  - job_name: 'rabbitmq-node2'
    static_configs:
      - targets: ['exporter-node2:9419']
```
7. Security best practices

- Use a dedicated monitoring account: give it the `monitoring` tag and no configure or write permissions, so a leaked exporter credential cannot publish, consume, or change broker configuration.
- Rotate certificates regularly, and update CAFILE on the exporter side whenever the CA changes; an expired or replaced server certificate shows up as the x509 errors listed in the troubleshooting table.
- Restrict network access: both the management HTTPS port (15671) and the exporter's unauthenticated /metrics port (9419) should be reachable only from Prometheus and the operators who need them.
- Use strong passwords, and prefer RABBIT_PASSWORD_FILE over a plaintext value in the container environment.
- Never set SKIPVERIFY=true in production: it removes certificate validation, so any host on the path can impersonate the broker and collect the monitoring credentials.

With the steps above, a TLS-enabled RabbitMQ cluster can be monitored without weakening its transport security.