 

Celery - RabbitMQ as a Service - Broker Secure Connection (TSL/SSL) - Message Signing

I am trying to configure Celery on my Django web server securely and I can figure out two alternatives for achieving this. Either securing the broker or signing the messages.

  • Celery needs a message broker, which in this case is RabbitMQ.

    I am using a "RabbitMQ as a service" implementation, which means that the RabbitMQ server is reached through the internet using the amqp protocol.

    The service provider distributes an amqp uri, and also supports amqps:

    The "amqps" URI scheme is used to instruct a client to make a secured connection to the server.

    • Apparently, this is what I need, otherwise all my messages will be circulating around the net, naked on the wire.

    In order to use amqps, celery needs the following configuration:

    import ssl

    BROKER_USE_SSL = {
      'keyfile': '/var/ssl/private/worker-key.pem',   # client private key (only for client-certificate auth)
      'certfile': '/var/ssl/amqp-server-cert.pem',    # client certificate presented to the broker
      'ca_certs': '/var/ssl/myca.pem',                # CA bundle used to verify the broker's certificate
      'cert_reqs': ssl.CERT_REQUIRED                  # fail the connection if the broker cert does not verify
    }

    Question: Where can I find those .pem files?

    According to RabbitMQ docs, I have to create them myself and configure the RabbitMQ server to use them.

    However, I am not running the server. As stated above I have a "RabbitMQ as a service" provider who supports amqps. Should I ask him to provide me with those .pem files?

  • Celery can also sign messages.

    (Trying this approach, I get a No encoder installed for auth error which I reported.)

    Question: Does this mean that I can use my certificates to secure the connection as an alternative configuration to BROKER_USE_SSL?

    There is also a note regarding message signing:

    auth serializer won’t encrypt the contents of a message, so if needed this will have to be enabled separately.

    Subquestion: Does encrypting the contents of a message protect me from the "current" RabbitMQ server administrator while "message signing" only protects me while on the wire towards that server?

Apparently I am somehow confused but I would not like to create any kind of insecure traffic over the internet for any reason. I would appreciate your help.

raratiru asked Sep 14 '16 06:09


2 Answers

When configuring for CloudAMQP, you need to set BROKER_USE_SSL to True and the BROKER_URL as shown below:

BROKER_USE_SSL = True

BROKER_URL = 'amqp://user:pass@hostname:5671/vhost'

Note the port number 5671, and keep 'amqp'.

Lovisa Johansson answered Sep 30 '22 07:09
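As an added example (not code from the question or either answer), a small Python helper that turns the provider's URI into BROKER_URL and BROKER_USE_SSL settings: it keeps the 'amqp' scheme and port 5671 from the answer above, but pairs them with the CA bundle and cert_reqs=ssl.CERT_REQUIRED from the question's snippet, so the provider's server certificate is actually verified instead of only encrypting to whoever answers. The keyfile/certfile pair is added only when the provider requires client certificates; the function and argument names are my own, and the URL and bundle path used in the test are constructed values.

```python
import ssl
from urllib.parse import urlparse, urlunparse

AMQPS_PORT = 5671   # RabbitMQ's TLS listener; 5672 is plaintext AMQP


def tls_broker_settings(broker_url, ca_certs=None, client_cert=None):
    """Build (BROKER_URL, BROKER_USE_SSL) for a hosted RabbitMQ reached over TLS.

    The provider's server is authenticated with a CA bundle plus CERT_REQUIRED;
    keyfile/certfile are only needed if the provider demands client certificates.
    """
    u = urlparse(broker_url)
    if u.scheme not in ("amqp", "amqps"):
        raise ValueError("unsupported broker scheme: %r" % u.scheme)
    port = u.port or (AMQPS_PORT if u.scheme == "amqps" else 5672)
    if port != AMQPS_PORT:
        # Refuse rather than silently fall back to a plaintext connection.
        raise ValueError("port %d is not the TLS port %d" % (port, AMQPS_PORT))
    if ca_certs is None:
        # Hosted providers normally use a public CA, so the OS bundle suffices.
        ca_certs = ssl.get_default_verify_paths().cafile
    if not ca_certs:
        raise ValueError("no CA bundle available to verify the broker certificate")

    use_ssl = {"ca_certs": ca_certs, "cert_reqs": ssl.CERT_REQUIRED}
    if client_cert:                      # (certfile, keyfile) for mutual TLS only
        use_ssl["certfile"], use_ssl["keyfile"] = client_cert

    # Keep the 'amqp' scheme and an explicit 5671, as the first answer does.
    # Credentials are re-emitted verbatim (urlparse does not percent-decode them).
    auth = ""
    if u.username is not None:
        auth = u.username + (":" + u.password if u.password is not None else "") + "@"
    host = "[%s]" % u.hostname if ":" in u.hostname else u.hostname   # IPv6 literal
    netloc = "%s%s:%d" % (auth, host, AMQPS_PORT)
    url = urlunparse(("amqp", netloc, u.path, "", "", ""))
    return url, use_ssl


def verifies_server(use_ssl):
    """True when the settings authenticate the broker, not merely encrypt to it."""
    return use_ssl.get("cert_reqs") == ssl.CERT_REQUIRED and bool(use_ssl.get("ca_certs"))
```

In Django settings the two return values are assigned to BROKER_URL and BROKER_USE_SSL; the CA bundle path should be the system bundle or the one the provider publishes, never a certificate the provider's support staff hand over out of band without a way to check it.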


If you are running your own Rabbit setup, check out this to make it secure.

https://www.rabbitmq.com/ssl.html

cph answered Sep 30 '22 05:09